ROP Gadgets

This page contains a collection of rop gadgets that can be found in commonly used Windows OS dll’s and common applications. All gadget text files were generated with pvefindaddr. If you are building a rop based exploit and want to use rop gadgets from one of those dll’s, you can simply download the text files (instead of having to create them yourself).

Note : if your exploit takes advantage of a SEH overwrite, you’ll need to find a stack pivot pointer from a non safeseh module.  Most of the OS dll’s are safeseh protected.

If you want to contribute your own rop gadgets, look here

Windows OS

Module XP SP3 Professional
– English
Server 2003 SP2
Std – English
Server 2003 R2
Std – English
Windows 7
Ultimate – Fr
(aslr)
advapi32.dll v5.1.2600.5755 v5.2.3790.4555
comctl32.dll v6.0.2900.5512
comdlg32.dll v6.0.2900.5512
cryptdll.dll v5.1.2600.5512
d3d8thk.dll v5.03.2600.5512
dciman32.dll v5.2.3790.0
dnsapi.dll v5.1.2600.5625 v5.2.3790.4318
dot3api.dll v5.1.2600.5512
eappprxy.dll v5.1.2600.5512
gdi32.dll v5.1.2600.5698 v5.2.3790.4396 v5.2.3790.4396
imm32.dll v5.1.2600.5512 v5.2.3790.3959
kernel32.dll v5.1.2600.5781 v5.2.3790.4480 v5.2.3790.4480 v6.1.7100.0
msacm32.dll v5.1.2600.5512
msctf.dll v5.1.2600.5512
msctfime.ime v5.1.2600.5512
msvcrt.dll v7.0.2600.5512 v7.0.3790.3959
ntdll.dll v5.1.2600.5755
odbcint.dll v3.525.1132.0
ole32.dll v5.1.2600.5512 v5.2.3790.3959
oleaut32.dll v5.1.2600.5512 v5.2.3790.4202
riched20.dll v5.30.23.1230 v5.31.23.1225
rpcrt4.dll v5.1.2600.5795 v5.2.3790.4502
secur32.dll v5.1.2600.5834 v5.2.3790.4530
sensapi.dll v5.1.2600.5512
shell32.dll v6.0.2900.5622 v6.00.3790.4315
shimeng.dll v5.1.2600.5512
shlwapi.dll v6.0.2900.5912
slbiop.dll v5.1.2600.2095
user32.dll v5.1.2600.5512 v5.2.3790.4033 v5.2.3790.4033
userenv.dll v5.1.2600.5512 v5.2.3790.3959 v5.2.3790.3959
uxtheme.dll v6.0.2900.5512 v6.00.3790.3959
version.dll v5.1.2600.5512 v5.2.3790.3959 v5.2.3790.3959
wdmaud.drv v5.1.2600.5512
winspool.drv v5.1.2600.5512
winmm.dll v5.1.2600.5512
winscard.dll v5.1.2600.5512
winsta.dll v5.2.3790.3959

Q : why is the kernel32.dll from Win7 in the list ? A : well, since you probably will try to grab/find a pointer into kernel32.dll anyway in order to bypass ASLR & DEP, you may be able to use a useful gadget in kernel32.dll at the same time.

Common applications

Firefox 3.6.6

Module Vista Business
SP2
Win7 Ultimate
x86 English
Server 2008
R2 English
freebl3.dll v3.12.4.0
nspr4.dll v4.8.3.0 v4.8.3.0
nss3.dll v3.12.6.2 v3.12.6.2 v3.12.6.2
nssckbi.dll v1.78.0.0
nssdbm3.dll v3.12.4.0
nssutil3.dll v3.12.6.2 v3.12.6.2
plc4.dll v4.8.3.0 v4.8.3.0
plds4.dll v4.8.3.0 v4.8.3.0
smime3.dll v3.12.6.2 v3.12.6.2
softokn3.dll v3.12.4.0
ssl3.dll v3.12.6.2 v3.12.6.2

Acrobat Reader 9.3.3

Module Win7 Ultimate
x86 English
Windows 2008 R2
logsession.dll v2.0.0.238 v2.0.0.238
logtransport2.dll v2.0.0.327 v2.0.0.327
eula.exe v9.3.3.177

Microsoft Office 2010 (14.0.4734.1000)

Module Win7 Ultimate
x86 English
msgr3en.dll
(loaded with Word)
v3.1.0.15506

Java SDK 1.6 update 21

Module Win7 Ultimate
x86 English
jp2ssv.dll
(loaded in IE by default)
v6.0.21.0.6

iTunes 9.2.0.61

Module Win XP SP3
English
Win7 x86
English
corefp.dll v1.8.20 v1.8.20
libdispatch.dll v1.109.4.1 v1.109.4.1

7zip 4.65

Module Win7 Ultimate
x86 English
7zfm.exe v4.65

Foxit Reader 4.0.0.0619

Module Win7 Ultimate
x86 English
foxit reader.exe v4.0.0.069

Orbit 3.0.0.5

Module Win7 Ultimate
x86 English
grabkernel.dll v?
grabxpcom.dll v?
winfile.txt v1.0.0.1

VirtualBox (guest environment, guest addition tools installed)

Module Win7 Ultimate
x86 English
vboxmrxnp.dll v3.2.6.63112

DEP Bypass Function Pointers

This table lists function pointers to commonly used DEP bypass functions. If the OS is ASLR aware, then the offset to the base address of the corresponding module is listed.

Module XP SP3 Prof
English
kernel32 :
5.1.2600.5781
ntdll :
5.1.2600.5755
Server 2008 SP2
Std – English
(ASLR)
kernel32 : 6.0.6002.18005
ntdll : 6.0.6002.18005
Vista Business SP2 (ASLR)
kernel32 : 6.0.6002.18005
ntdll : 6.0.6002.18005
Windows 7 Prof
English (ASLR)
kernel32 : 6.1.7600.16481
ntdll : 6.1.7600.16386
VirtualAlloc (kernel32.dll) 0x7C809AF1 0x0217AD55 0x0105ad55 0x02810614
HeapAlloc (kernel32.dll) 0x7C8090F6 0x021F9AEA 0x010d9aea 0x0287f026
HeapCreate (kernel32.dll) 0x7C812C56 0x02159D0B 0x01039d0b 0x02812a57
SetProcessDEPPolicy (kernel32.dll) 0x7C8622A4 0x021C5980 0x010a5980 0x027f85a7
NtSetInformationProcess (ntdll.dll) 0x7C90DC9E 0x002c5324 0x00d55324 0x00d85ac0
VirtualProtect (kernel32.dll) 0x7C801AD4 0x02131DC3 0x01011dc3 0x028050ab
WriteProcessMemory (kernel32.dll) 0x7C802213 0x02131CB8 0x01011cb8 0x028085c1
memcpy (ntdll.dll) 0x7C901DB3 0x002a9720 0x00d39720 0x00d740f0
(offsets) (offsets) (offsets)

Contribute

If you want to share the output of a !pvefindaddr rop, ran against an OS module or application module (non aslr), please feel free send me the rop.txt file, the name of the application (if applicable), the dll version, the OS you built the rop.txt file on, and I’ll post all relevant info on this page.  (Make sure to restrict the rop.txt file to just one dll, and leave the loaded modules table, which sits at the top of the rop.txt file, intact.)

How to create a rop file ?

1. Make sure you have the latest version of pvefindaddr installed

2. Attach Immunity Debugger to an application that has a non aslr module

3. run  !pvefindaddr rop   (where is the name of the non aslr aware dll)

4. wait until the process completes, and send me an email with the rop.txt file, the name of the module, the version of the module, and the exact OS you used to create the rop file.

Thanks to the following people who have contributed so far : corelanc0d3r, _rs, dmc, sud0, Edi, Nicolas Krassas, dookie2000ca, Amirreza Aminsalehi

  Copyright secured by Digiprove © 2011 Peter Van Eeckhoutte

Corelan Live training

Since 2011, Corelan GCV has been teaching live win32 exploit dev classes at various security cons and private companies & organizations.

You can read more about the training and schedules here

Demand Global Change

The world needs your help !

Please take a few moments to read the "Demand Global Change Call For Action" document at
http://bit.ly/demandglobalchange
Read the full document at
http://bit.ly/demandglobalchange_full and share the message with as many people as possible.

Like the Facebook page, and SHARE it with everyone you know.



Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Protected by Copyscape Web Plagiarism Tool

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Corelan on IRC

You can chat with us and our friends on #corelan (freenode IRC)

Categories