ROP Gadgets
This page contains a collection of ROP gadgets that can be found in commonly used Windows OS DLLs and common applications. All gadget text files were generated with pvefindaddr. If you are building a ROP based exploit and want to use ROP gadgets from one of those DLLs, you can simply download the text files (instead of having to create them yourself).
Note: if your exploit takes advantage of a SEH overwrite, you'll need to find a stack pivot pointer in a non-SafeSEH module. Most of the OS DLLs are SafeSEH protected.
If you want to contribute your own ROP gadgets, see the Contribute section below.
Windows OS
Q: why is the kernel32.dll from Win7 in the list?
A: since you will probably try to grab/find a pointer into kernel32.dll anyway in order to bypass ASLR & DEP, you may be able to use a useful gadget in kernel32.dll at the same time.
Common applications
Firefox 3.6.6
| Module | Vista Business SP2 | Win7 Ultimate x86 English | Server 2008 R2 English |
|---|---|---|---|
| freebl3.dll | v3.12.4.0 | | |
| nspr4.dll | v4.8.3.0 | v4.8.3.0 | |
| nss3.dll | v3.12.6.2 | v3.12.6.2 | v3.12.6.2 |
| nssckbi.dll | v1.78.0.0 | | |
| nssdbm3.dll | v3.12.4.0 | | |
| nssutil3.dll | v3.12.6.2 | v3.12.6.2 | |
| plc4.dll | v4.8.3.0 | v4.8.3.0 | |
| plds4.dll | v4.8.3.0 | v4.8.3.0 | |
| smime3.dll | v3.12.6.2 | v3.12.6.2 | |
| softokn3.dll | v3.12.4.0 | | |
| ssl3.dll | v3.12.6.2 | v3.12.6.2 | |
Acrobat Reader 9.3.3
| Module | Win7 Ultimate x86 English | Windows 2008 R2 |
|---|---|---|
| logsession.dll | v2.0.0.238 | v2.0.0.238 |
| logtransport2.dll | v2.0.0.327 | v2.0.0.327 |
| eula.exe | v9.3.3.177 | |
Microsoft Office 2010 (14.0.4734.1000)
| Module | Win7 Ultimate x86 English |
|---|---|
| msgr3en.dll (loaded with Word) | v3.1.0.15506 |
Java SDK 1.6 update 21
| Module | Win7 Ultimate x86 English |
|---|---|
| jp2ssv.dll (loaded in IE by default) | v6.0.21.0.6 |
iTunes 9.2.0.61
| Module | Win XP SP3 English | Win7 x86 English |
|---|---|---|
| corefp.dll | v1.8.20 | v1.8.20 |
| libdispatch.dll | v1.109.4.1 | v1.109.4.1 |
7zip 4.65
| Module | Win7 Ultimate x86 English |
|---|---|
| 7zfm.exe | v4.65 |
Foxit Reader 4.0.0.0619
| Module | Win7 Ultimate x86 English |
|---|---|
| foxit reader.exe | v4.0.0.069 |
Orbit 3.0.0.5
| Module | Win7 Ultimate x86 English |
|---|---|
| grabkernel.dll | v? |
| grabxpcom.dll | v? |
| winfile.txt | v1.0.0.1 |
VirtualBox (guest environment, guest addition tools installed)
| Module | Win7 Ultimate x86 English |
|---|---|
| vboxmrxnp.dll | v3.2.6.63112 |
DEP Bypass Function Pointers
This table lists function pointers to commonly used DEP bypass functions. For OS versions that are ASLR aware, the value listed is not an absolute address but the offset from the base address of the corresponding module (kernel32.dll or ntdll.dll), so it has to be added to the module base that is in effect at runtime.
| Module | XP SP3 Prof English (kernel32 5.1.2600.5781, ntdll 5.1.2600.5755) | Server 2008 SP2 Std English (ASLR, offsets; kernel32 6.0.6002.18005, ntdll 6.0.6002.18005) | Vista Business SP2 (ASLR, offsets; kernel32 6.0.6002.18005, ntdll 6.0.6002.18005) | Windows 7 Prof English (ASLR, offsets; kernel32 6.1.7600.16481, ntdll 6.1.7600.16386) |
|---|---|---|---|---|
| VirtualAlloc (kernel32.dll) | 0x7C809AF1 | 0x0217AD55 | 0x0105ad55 | 0x02810614 |
| HeapAlloc (kernel32.dll) | 0x7C8090F6 | 0x021F9AEA | 0x010d9aea | 0x0287f026 |
| HeapCreate (kernel32.dll) | 0x7C812C56 | 0x02159D0B | 0x01039d0b | 0x02812a57 |
| SetProcessDEPPolicy (kernel32.dll) | 0x7C8622A4 | 0x021C5980 | 0x010a5980 | 0x027f85a7 |
| NtSetInformationProcess (ntdll.dll) | 0x7C90DC9E | 0x002c5324 | 0x00d55324 | 0x00d85ac0 |
| VirtualProtect (kernel32.dll) | 0x7C801AD4 | 0x02131DC3 | 0x01011dc3 | 0x028050ab |
| WriteProcessMemory (kernel32.dll) | 0x7C802213 | 0x02131CB8 | 0x01011cb8 | 0x028085c1 |
| memcpy (ntdll.dll) | 0x7C901DB3 | 0x002a9720 | 0x00d39720 | 0x00d740f0 |
Contribute
If you want to share the output of a !pvefindaddr rop run against an OS module or application module (non-ASLR), please feel free to send me the rop.txt file, the name of the application (if applicable), the DLL version and the OS you built the rop.txt file on, and I'll post all relevant info on this page. (Make sure to restrict the rop.txt file to just one DLL, and leave the loaded modules table, which sits at the top of the rop.txt file, intact.)
How to create a rop file?
1. Make sure you have the latest version of pvefindaddr installed.
2. Attach Immunity Debugger to an application that has a non-ASLR module.
3. Run !pvefindaddr rop.
4. Wait until the process completes, and send me an email with the rop.txt file, the name of the module, the version of the module, and the exact OS you used to create the rop file.
Thanks to the following people who have contributed so far: corelanc0d3r, _rs, dmc, sud0, Edi, Nicolas Krassas, dookie2000ca, Amirreza Aminsalehi