ROP Gadgets finder for OdbgScript




Estudiando sobre creación de exploits, no me he percatado de la existencia de un plugin para OllyDbg que se encargue de mostrar ROP gadgets en todos los módulos ejecutables cargados por el PE, por lo que me animé a crear un script:

El script se encarga de analizar todos los módulos ejecutables del PE, verificando si se encuentran rutinas ROP gadget (estas deben ser especificadas por el usuario); al terminar el script, se crea un archivo con una lista de todas las instrucciones de forma ordenada.

Se puede buscar una o varias instrucciones:

PUSH EAX: busca esta instrucción y la agrega al log si entre las 6 siguientes instrucciones existe una instrucción RETN N.

PUSH EAX;PUSH ECX: busca estas dos instrucciones y las agrega al log si entre las 6 siguientes instrucciones existe una instrucción RETN N.

Se pueden usar:

R32, R16, R8, CONST

Ej: PUSH R32 busca todos los PUSH con un registro de propósito general de 32 bits en donde entre las 6 siguientes instrucciones existe una instrucción RETN N.

Ej: MOV EAX,CONST busca todos los MOV EAX con constante en donde entre las 6 siguientes instrucciones existe una instrucción RETN N.

*N = RETN hasta RETN 0x30

// ROP-gadget finder for OdbgScript (OllyDbg script engine).
// Script-wide variables. NOTE(review): V_COUNT and V_MODULE_ADDRESS are read
// before anything assigns them, so the script relies on VAR giving a zero
// initial value — confirm against the OdbgScript version in use.
VAR V_ANY
// V_ANY: walk limit — how many instructions after a hit may be examined
// before the hit is abandoned (set to 6 below).
VAR V_COUNT
// V_COUNT: index of the reference currently being fetched with GREF.
VAR V_COUNT_REFERENCE
// V_COUNT_REFERENCE: number of references reported by GREF, plus one.
VAR V_COUNT_OPCODE
// V_COUNT_OPCODE: instructions examined so far after the current hit.
VAR V_OPCODE
// V_OPCODE: hex byte string (OPCODE's $RESULT) of the instruction under test.
VAR V_ADDRESS
// V_ADDRESS: address of the instruction under test.
VAR V_ROP_GADGET
// V_ROP_GADGET: accumulated log text for the current candidate.
VAR V_MODULE_ADDRESS
// V_MODULE_ADDRESS: FINDMEM search cursor / address of the last PE-header hit.
VAR V_MODULE_NAME
VAR V_MODULE_MBASE
VAR V_MODULE_CBASE
VAR V_MODULE_SIZE
// V_MODULE_*: name, image base, code base and size of the module, from GMI.
VAR V_UNICODE
// V_UNICODE: "Y" enables the address filter in L_UNICODE_CHECK.
VAR V_INSTRUCTION
// V_INSTRUCTION: the instruction pattern as typed; handed verbatim to FINDCMD.
VAR V_INPUT_NAME
VAR V_OUTPUT_NAME
// V_INPUT_NAME / V_OUTPUT_NAME: user-supplied log name and the derived file name.

ASK "Enter instruction(s) EX: "PUSH EAX;PUSH ECX" , "PUSH R32;RETN" , "PUSH CONST", etc."
MOV V_INSTRUCTION,$RESULT

// The later comparison is exact, so anything other than "Y" disables the filter.
ASK "Only Unicode address finder?: (Y)/(N)"
MOV V_UNICODE,$RESULT

// NOTE(review): the answer is spliced into the output path as typed, without
// sanitisation; a name containing path separators changes where the log is written.
ASK "Output filename without extension EX: ROP1"
MOV V_INPUT_NAME,$RESULT

EVAL "ROPGadgets-{V_INPUT_NAME}.log"
MOV V_OUTPUT_NAME,$RESULT

// Walk limit used by L_FIND_GADGET (compared with JA, i.e. strictly greater).
MOV V_ANY,6

// WRT starts the log file; every later write in the script uses WRTA (append).
WRT V_OUTPUT_NAME,"  ------------------------------------ ROP Gadgets v1.0 ------------------------------------"

// Main loop: enumerate loaded modules by scanning memory for the ASCII text
// "This program" (#54 68 69 73 20 70 72 6F 67 72 61 6D#), the start of the
// standard DOS-stub message inside a PE header, and run the gadget search once
// per hit. NOTE(review): this is a heuristic rather than a real module walk —
// a module whose DOS stub lacks that text is skipped, and any other copy of the
// text in memory is treated as a module (what GMI returns for a non-module
// address is not shown here; the log header would then carry those values).
L_ENTRY_POINT:
// Search resumes from V_MODULE_ADDRESS, which INC below moves past each hit.
FINDMEM #546869732070726F6772616D#,V_MODULE_ADDRESS
MOV V_MODULE_ADDRESS,$RESULT
// $RESULT = 0 means no further occurrence: done.
CMP V_MODULE_ADDRESS,0
JE L_EXIT

// Module metadata for the per-module log header and for the search start.
GMI V_MODULE_ADDRESS,NAME
MOV V_MODULE_NAME,$RESULT

GMI V_MODULE_ADDRESS,MODULEBASE
MOV V_MODULE_MBASE,$RESULT

GMI V_MODULE_ADDRESS,CODEBASE
MOV V_MODULE_CBASE,$RESULT

GMI V_MODULE_ADDRESS,MODULESIZE
MOV V_MODULE_SIZE,$RESULT

// The banner is written even when the module yields nothing (see the empty
// sections in the sample log below the script).
WRTA V_OUTPUT_NAME,"/--------------------------------------------------------------------------------------------\"
EVAL "| Module address:[{V_MODULE_MBASE}]  |  Module size:[{V_MODULE_SIZE}]  |  Name:[{V_MODULE_NAME}]"
WRTA V_OUTPUT_NAME,$RESULT
WRTA V_OUTPUT_NAME,"----------------------------------------------------------------------------------------------"

// FINDCMD searches for the user's instruction pattern from the module's code
// base; L_FIND_GADGET then reads the resulting reference list through GREF.
FINDCMD V_MODULE_CBASE,V_INSTRUCTION
CALL L_FIND_GADGET

// Step one byte past this hit so the next FINDMEM finds the following module.
INC V_MODULE_ADDRESS
JMP L_ENTRY_POINT

L_EXIT:
// RET with no pending CALL ends the script.
RET

// L_FIND_GADGET: for every reference left by the preceding FINDCMD, walk
// forward instruction by instruction (using OllyDbg's own decode lengths) and,
// if one of the RETN forms in the fixed table below is reached within the walk
// limit V_ANY, append the collected lines to the log file V_OUTPUT_NAME.
// Reads V_UNICODE and V_ANY; resets V_COUNT to 0 before returning.
// Implicit results: OPCODE sets $RESULT (hex bytes), $RESULT_1 (disassembly)
// and $RESULT_2 (instruction length); ITOA, LEN and EVAL each overwrite
// $RESULT, so the statement order in this routine matters.
L_FIND_GADGET:
// GREF without an index: $RESULT = number of references.
GREF
MOV V_COUNT_REFERENCE,$RESULT
// NOTE(review): with this +1 and the JAE below, GREF is issued for indices
// 0..count inclusive; whether index 0 or index count is a real entry depends
// on GREF's numbering — confirm against the OdbgScript documentation.
INC V_COUNT_REFERENCE

L_NEXT_REFERENCE:
// Reset the per-hit walk counter; leave once every reference has been visited.
XOR V_COUNT_OPCODE,V_COUNT_OPCODE
CMP V_COUNT,V_COUNT_REFERENCE
JAE L_RETURN

GREF V_COUNT
INC V_COUNT
MOV V_ADDRESS,$RESULT
// The reference equal to the debuggee's current EIP is skipped — presumably
// the "current line" entry of the references list; confirm.
CMP V_ADDRESS,eip
JE L_NEXT_REFERENCE
CMP V_UNICODE,"Y"
JE L_UNICODE_CHECK
L_UNICODE_CONTINUE:
// First instruction of the candidate: $RESULT_1 = text, $RESULT_2 = length.
OPCODE V_ADDRESS
// Left-pad the address to 8 hex digits for the log. Only 6- and 7-digit
// values are padded; ITOA is assumed to yield hex here (the sample log agrees).
ITOA V_ADDRESS
LEN $RESULT
CMP $RESULT,6
JE L_ADD1_2
CMP $RESULT,7
JE L_ADD1_1

L_ADD1_0:
EVAL "|{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE1

L_ADD1_1:
EVAL "|0{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE1

L_ADD1_2:
EVAL "|00{V_ADDRESS} | {$RESULT_1}\r\n|"

L_ADD_CONTINUE1:
// Start the candidate's log text with the first line.
MOV V_ROP_GADGET,$RESULT

L_NEXT_OPCODE:
// Advance by the length of the instruction decoded last ($RESULT_2 from OPCODE).
// NOTE(review): assumes ITOA/LEN/EVAL leave $RESULT_2 untouched — confirm.
ADD V_ADDRESS,$RESULT_2
OPCODE V_ADDRESS
// Hex byte string of this instruction; compared as text against the table below.
MOV V_OPCODE,$RESULT
ITOA V_ADDRESS
LEN $RESULT
CMP $RESULT,6
JE L_ADD2_2
CMP $RESULT,7
JE L_ADD2_1

L_ADD2_0:
EVAL "{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE2

L_ADD2_1:
EVAL "0{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE2

L_ADD2_2:
EVAL "00{V_ADDRESS} | {$RESULT_1}\r\n|"

L_ADD_CONTINUE2:
// Append this instruction's line (ADD on string values concatenates — the
// sample log shows the lines joined).
ADD V_ROP_GADGET,$RESULT

// Fixed table of terminators, matched as OPCODE's hex text: C3 = RETN,
// C2 xx00 = RETN imm16 for 4, 8, ..., 0x20 and then 0x40, 0x80, 0xC0.
// NOTE(review): RETN 0x24..0x30 are absent although the post says
// "hasta RETN 0x30". "C3 0000" is a three-byte string that a one-byte RETN
// decode should never produce, so that entry looks unreachable — verify.
CMP "C3",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 0400",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 0800",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 0C00",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1400",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1800",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1C00",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 2000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 4000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 8000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 C000",V_OPCODE
JE L_LOG_OPCODE
CMP "C3 0000",V_OPCODE
JE L_LOG_OPCODE
// Not a terminator: count it and keep walking. JA is strictly greater, so
// with V_ANY = 6 the 7th following instruction is still examined — one more
// than the "6 siguientes" the post describes.
INC V_COUNT_OPCODE
CMP V_COUNT_OPCODE,V_ANY
JA L_NEXT_REFERENCE
JMP L_NEXT_OPCODE

L_LOG_OPCODE:
// Terminator reached within the limit: write the collected lines.
WRTA V_OUTPUT_NAME,V_ROP_GADGET
JMP L_NEXT_REFERENCE

L_UNICODE_CHECK:
// Filter enabled: keep only addresses whose bytes 1 and 3 are zero
// (mask FF00FF00, i.e. the form 00XX00XX); everything else is skipped.
TEST V_ADDRESS,FF00FF00
JNE L_NEXT_REFERENCE
JMP L_UNICODE_CONTINUE

L_RETURN:
// Close the module section and reset the reference index for the next module.
WRTA V_OUTPUT_NAME,"\--------------------------------------------------------------------------------------------/" + "\r\n\r\n\r\n\r\n"
XOR V_COUNT,V_COUNT
RET


Ejemplo de búsqueda:

  ------------------------------------ ROP Gadgets v1.0 ------------------------------------
/--------------------------------------------------------------------------------------------\
| Module address:[400000]  |  Module size:[BE000]  |  Name:[RM2MP3Co]
----------------------------------------------------------------------------------------------
|0040A7A7 | PUSH EAX
|0040A7A8 | PUSH ECX
|0040A7A9 | CALL DWORD PTR DS:[0x43C064]
|0040A7AF | RETN 0x4
|
|0040A7C7 | PUSH EAX
|0040A7C8 | PUSH ECX
|0040A7C9 | CALL DWORD PTR DS:[0x43C898]
|0040A7CF | PUSH EAX
|0040A7D0 | CALL 004372E6
|0040A7D5 | RETN 0x4
|
|0040A835 | PUSH EAX
|0040A836 | PUSH ECX
|0040A837 | CALL DWORD PTR DS:[0x43C0D0]
|0040A83D | RETN 0x1C
|
|0040BA2E | PUSH EAX
|0040BA2F | PUSH ECX
|0040BA30 | CALL 004094D0
|0040BA35 | ADD ESP,0xC
|0040BA38 | POP EDI
|0040BA39 | POP ESI
|0040BA3A | RETN 0xC
|
|0041270C | PUSH EAX
|0041270D | PUSH ECX
|0041270E | CALL DWORD PTR DS:[0x43C840]
|00412714 | MOV ECX,ESI
|00412716 | CALL 00437142
|0041271B | POP ESI
|0041271C | RETN
|
|0041668F | PUSH EAX
|00416690 | PUSH ECX
|00416691 | CALL DWORD PTR DS:[0x43C7A4]
|00416697 | POP EDI
|00416698 | POP ESI
|00416699 | ADD ESP,0x30
|0041669C | RETN 0xC
|
|00425F44 | PUSH EAX
|00425F45 | PUSH ECX
|00425F46 | CALL DWORD PTR DS:[0x43C01C]
|00425F4C | RETN 0x8
|
|00436077 | PUSH EAX
|00436078 | PUSH ECX
|00436079 | CALL DWORD PTR DS:[0x43C840]
|0043607F | RETN 0x4
|
|0043799C | PUSH EAX
|0043799D | PUSH ECX
|0043799E | CALL 004379BE
|004379A3 | POP ECX
|004379A4 | POP ECX
|004379A5 | RETN
|
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[58C30000]  |  Module size:[97000]  |  Name:[comctl32]
----------------------------------------------------------------------------------------------
|58C3E87E | PUSH EAX
|58C3E87F | PUSH ECX
|58C3E880 | PUSH DWORD PTR SS:[EBP+0x10]
|58C3E883 | PUSH DWORD PTR SS:[EBP+0xC]
|58C3E886 | CALL DWORD PTR DS:[0x58C314D0]
|58C3E88C | POP EBP
|58C3E88D | RETN 0x10
|
|58C4237D | PUSH EAX
|58C4237E | PUSH ECX
|58C4237F | CALL 58C41198
|58C42384 | XOR EAX,EAX
|58C42386 | INC EAX
|58C42387 | POP ESI
|58C42388 | POP EBP
|58C42389 | RETN 0x8
|
|58C646C5 | PUSH EAX
|58C646C6 | PUSH ECX
|58C646C7 | CALL 58C5070D
|58C646CC | ADD ESP,0xC
|58C646CF | POP EDI
|58C646D0 | POP ESI
|58C646D1 | POP EBP
|58C646D2 | RETN 0x8
|
|58C6982D | PUSH EAX
|58C6982E | PUSH ECX
|58C6982F | CALL 58C3C278
|58C69834 | POP EBP
|58C69835 | RETN 0xC
|
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[5B150000]  |  Module size:[38000]  |  Name:[uxtheme]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[5CF60000]  |  Module size:[26000]  |  Name:[shimeng]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[61DF0000]  |  Module size:[E000]  |  Name:[mfc42loc]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[6FDB0000]  |  Module size:[1CA000]  |  Name:[AcGenral]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[73D50000]  |  Module size:[FE000]  |  Name:[mfc42]
----------------------------------------------------------------------------------------------
|73D60192 | PUSH EAX
|73D60193 | PUSH ECX
|73D60194 | CALL DWORD PTR DS:[EDX+0x28]
|73D60197 | POP ESI
|73D60198 | RETN 0x4
|
|73D88F8C | PUSH EAX
|73D88F8D | PUSH ECX
|73D88F8E | MOV ECX,ESI
|73D88F90 | CALL 73DCB5A6
|73D88F95 | POP ESI
|73D88F96 | RETN 0x4
|
|73DAAAB9 | PUSH EAX
|73DAAABA | PUSH ECX
|73DAAABB | CALL DWORD PTR DS:[0x73DF66E0]
|73DAAAC1 | ADD ESP,0xC
|73DAAAC4 | SUB DWORD PTR DS:[ESI+0x8],EDI
|73DAAAC7 | POP EDI
|73DAAAC8 | POP ESI
|73DAAAC9 | RETN 0x8
|
|73DCCA4B | PUSH EAX
|73DCCA4C | PUSH ECX
|73DCCA4D | PUSH ESI
|73DCCA4E | CALL 73DC914B
|73DCCA53 | POP ESI
|73DCCA54 | RETN 0x8
|
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[76030000]  |  Module size:[65000]  |  Name:[msvcp60]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[76360000]  |  Module size:[4A000]  |  Name:[comdlg32]
----------------------------------------------------------------------------------------------
|7638A193 | PUSH EAX
|7638A194 | PUSH ECX
|7638A195 | CALL DWORD PTR DS:[0x763613D8]
|7638A19B | POP EBP
|7638A19C | RETN 0xC
|
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[76630000]  |  Module size:[B4000]  |  Name:[userenv]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[76B00000]  |  Module size:[2E000]  |  Name:[winmm]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/




/--------------------------------------------------------------------------------------------\
| Module address:[770F0000]  |  Module size:[8C000]  |  Name:[oleaut32]
----------------------------------------------------------------------------------------------
