Estudiando sobre creación de exploits, no me he percatado de la existencia de un plugin para OllyDbg que se encargue de mostrar ROP gadgets en todos los módulos ejecutables cargados por el PE, por lo que me animé a crear un script:
El script se encarga de analizar todos los módulos ejecutables del PE, verificando si se encuentran rutinas ROP gadgets (estas deben ser especificadas por el usuario); al terminar el script, se crea un archivo con una lista de todas las instrucciones de forma ordenada.
Se puede buscar una o varias instrucciones:
PUSH EAX: busca esta instrucción y la agrega al log si en las 6 instrucciones siguientes existe una instrucción RETN N.
PUSH EAX;PUSH ECX: busca estas dos instrucciones y las agrega al log si en las 6 instrucciones siguientes existe una instrucción RETN N.
Se pueden usar:
R32, R16, R8, CONST. Ej.:
PUSH R32: busca todos los PUSH con un registro de propósito general de 32 bits en los que, en las 6 instrucciones siguientes, existe una instrucción RETN N.
EJ:
MOV EAX,CONST: busca todos los MOV EAX con constante en los que, en las 6 instrucciones siguientes, existe una instrucción RETN N.
*N = RETN hasta RETN 0x30
VAR V_ANY
// ROP Gadgets v1.0 -- ODbgScript for OllyDbg (32-bit targets).
// Walks every loaded module, runs FINDCMD for the user-supplied
// instruction(s) and logs each hit whose following instructions
// contain a RETN. Output goes to ROPGadgets-<name>.log.

// --- module enumeration state (filled by FINDMEM / GMI) ---
VAR V_MODULE_ADDRESS
VAR V_MODULE_NAME
VAR V_MODULE_MBASE
VAR V_MODULE_CBASE
VAR V_MODULE_SIZE

// --- per-reference scanning state (used by L_FIND_GADGET) ---
VAR V_COUNT
VAR V_COUNT_REFERENCE
VAR V_COUNT_OPCODE
VAR V_OPCODE
VAR V_ADDRESS
VAR V_ROP_GADGET

// --- user input and output ---
VAR V_INSTRUCTION
VAR V_UNICODE
VAR V_INPUT_NAME
VAR V_OUTPUT_NAME

// Lookahead window: number of instructions after a match that are
// inspected for a RETN (see L_FIND_GADGET; the loop test is JA, so
// V_ANY+1 instructions are actually examined).
MOV V_ANY,6

// NOTE(review): the first prompt embeds double quotes inside a quoted
// string; verify ODbgScript shows the full text as intended.
ASK "Enter instruction(s) EX: "PUSH EAX;PUSH ECX" , "PUSH R32;RETN" , "PUSH CONST", etc."
MOV V_INSTRUCTION,$RESULT
ASK "Only Unicode address finder?: (Y)/(N)"
MOV V_UNICODE,$RESULT
ASK "Output filename without extension EX: ROP1"
MOV V_INPUT_NAME,$RESULT
EVAL "ROPGadgets-{V_INPUT_NAME}.log"
MOV V_OUTPUT_NAME,$RESULT

// WRT creates (or truncates) the log; everything after this is appended with WRTA.
WRT V_OUTPUT_NAME," ------------------------------------ ROP Gadgets v1.0 ------------------------------------"
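// Main loop: enumerate loaded modules by searching process memory for the
// DOS-stub text "This program" (54 68 69 73 20 70 72 6F 67 72 61 6D), which
// most PE images carry in their DOS header stub. For each hit, GMI resolves
// the owning module and FINDCMD scans its code from CODEBASE.
// Heuristic limits: a module whose DOS stub lacks this text is silently
// skipped, and a hit outside any module (the same text in heap or file data)
// makes GMI fail -- that case is handled by L_SKIP_MODULE instead of
// scanning from address 0.
L_ENTRY_POINT:
FINDMEM #546869732070726F6772616D#,V_MODULE_ADDRESS
MOV V_MODULE_ADDRESS,$RESULT
CMP V_MODULE_ADDRESS,0
JE L_EXIT
// Resolve the module containing the hit. GMI is assumed to leave
// $RESULT = 0 when the address is not inside a loaded module -- confirm.
GMI V_MODULE_ADDRESS,MODULEBASE
MOV V_MODULE_MBASE,$RESULT
CMP V_MODULE_MBASE,0
JE L_SKIP_MODULE
GMI V_MODULE_ADDRESS,NAME
MOV V_MODULE_NAME,$RESULT
GMI V_MODULE_ADDRESS,CODEBASE
MOV V_MODULE_CBASE,$RESULT
GMI V_MODULE_ADDRESS,MODULESIZE
MOV V_MODULE_SIZE,$RESULT
// Per-module header in the log.
WRTA V_OUTPUT_NAME,"/--------------------------------------------------------------------------------------------\"
EVAL "| Module address:[{V_MODULE_MBASE}] | Module size:[{V_MODULE_SIZE}] | Name:[{V_MODULE_NAME}]"
WRTA V_OUTPUT_NAME,$RESULT
WRTA V_OUTPUT_NAME,"----------------------------------------------------------------------------------------------"
// Fill the References window with every match, then walk it.
FINDCMD V_MODULE_CBASE,V_INSTRUCTION
CALL L_FIND_GADGET
// Resume the memory search at the end of this module so that a second copy
// of the marker inside the same image does not log the module twice.
// V_MODULE_MBASE is free to reuse here: it was already written to the log.
ADD V_MODULE_MBASE,V_MODULE_SIZE
CMP V_MODULE_MBASE,V_MODULE_ADDRESS
JBE L_SKIP_MODULE
MOV V_MODULE_ADDRESS,V_MODULE_MBASE
JMP L_ENTRY_POINT
L_SKIP_MODULE:
// Fallback: step one byte past the current hit and keep searching. This is
// the only path that guarantees forward progress, so every branch ends here
// or at a strictly larger address.
INC V_MODULE_ADDRESS
JMP L_ENTRY_POINT
L_EXIT:
// RET with an empty call stack ends the script.
RET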
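// L_FIND_GADGET: walk the References window produced by the preceding
// FINDCMD and log every hit that is followed, within the lookahead
// window, by a RETN. Called once per module; resets V_COUNT on return.
// Variables:
//   V_COUNT            index of the reference line being read (assumed to
//                      start at 0 -- VAR declares it, nothing initialises it)
//   V_COUNT_REFERENCE  number of reference lines + 1 (loop bound)
//   V_COUNT_OPCODE     instructions examined after the match so far
//   V_ADDRESS          address currently being disassembled
//   V_OPCODE           hex bytes of that instruction (from OPCODE)
//   V_ROP_GADGET       accumulated text for the current gadget
L_FIND_GADGET:
GREF
MOV V_COUNT_REFERENCE,$RESULT
INC V_COUNT_REFERENCE
L_NEXT_REFERENCE:
XOR V_COUNT_OPCODE,V_COUNT_OPCODE
CMP V_COUNT,V_COUNT_REFERENCE
JAE L_RETURN
// Address of reference line V_COUNT.
GREF V_COUNT
INC V_COUNT
MOV V_ADDRESS,$RESULT
// A line equal to the current EIP is skipped (presumably the search-origin
// entry of the References window -- verify).
CMP V_ADDRESS,eip
JE L_NEXT_REFERENCE
// Optional Unicode-safe address filter; "Y" and "y" both enable it.
CMP V_UNICODE,"Y"
JE L_UNICODE_CHECK
CMP V_UNICODE,"y"
JE L_UNICODE_CHECK
L_UNICODE_CONTINUE:
// First gadget line: "|ADDRESS | disassembly". The address is padded with
// leading zeros to 8 hex digits only when ITOA yields 6 or 7 digits;
// shorter addresses are written unpadded. Relies on ITOA/LEN leaving
// $RESULT_1 (disassembly from OPCODE) untouched.
OPCODE V_ADDRESS
ITOA V_ADDRESS
LEN $RESULT
CMP $RESULT,6
JE L_ADD1_2
CMP $RESULT,7
JE L_ADD1_1
L_ADD1_0:
EVAL "|{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE1
L_ADD1_1:
EVAL "|0{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE1
L_ADD1_2:
EVAL "|00{V_ADDRESS} | {$RESULT_1}\r\n|"
L_ADD_CONTINUE1:
MOV V_ROP_GADGET,$RESULT
// Lookahead: advance by the size of the last decoded instruction
// ($RESULT_2 from OPCODE), append its text, stop at the first RETN.
L_NEXT_OPCODE:
ADD V_ADDRESS,$RESULT_2
OPCODE V_ADDRESS
MOV V_OPCODE,$RESULT
ITOA V_ADDRESS
LEN $RESULT
CMP $RESULT,6
JE L_ADD2_2
CMP $RESULT,7
JE L_ADD2_1
L_ADD2_0:
EVAL "{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE2
L_ADD2_1:
EVAL "0{V_ADDRESS} | {$RESULT_1}\r\n|"
JMP L_ADD_CONTINUE2
L_ADD2_2:
EVAL "00{V_ADDRESS} | {$RESULT_1}\r\n|"
L_ADD_CONTINUE2:
ADD V_ROP_GADGET,$RESULT
// Fixed RETN table: C3 (RETN) and C2 imm16 little-endian (RETN imm) for
// 0x4..0x20 in steps of 4, then 0x40, 0x80 and 0xC0. Any other immediate
// (e.g. 0x24..0x3C) is NOT recognised and the gadget is dropped.
// NOTE(review): "C3 0000" does not match a single RETN encoding like the
// rest; kept as the author wrote it.
CMP "C3",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 0400",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 0800",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 0C00",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1400",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1800",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 1C00",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 2000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 4000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 8000",V_OPCODE
JE L_LOG_OPCODE
CMP "C2 C000",V_OPCODE
JE L_LOG_OPCODE
CMP "C3 0000",V_OPCODE
JE L_LOG_OPCODE
// Not a RETN: give up on this reference once V_ANY+1 instructions have
// been examined (JA, not JAE), otherwise keep stepping forward.
INC V_COUNT_OPCODE
CMP V_COUNT_OPCODE,V_ANY
JA L_NEXT_REFERENCE
JMP L_NEXT_OPCODE
L_LOG_OPCODE:
WRTA V_OUTPUT_NAME,V_ROP_GADGET
JMP L_NEXT_REFERENCE
L_UNICODE_CHECK:
// Keep only addresses of the form 00XX00YY (both high bytes clear).
TEST V_ADDRESS,FF00FF00
JNE L_NEXT_REFERENCE
JMP L_UNICODE_CONTINUE
L_RETURN:
// Close the module block and reset the reference index for the next module.
WRTA V_OUTPUT_NAME,"\--------------------------------------------------------------------------------------------/" + "\r\n\r\n\r\n\r\n"
XOR V_COUNT,V_COUNT
RET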
Ejemplo de búsqueda:
------------------------------------ ROP Gadgets v1.0 ------------------------------------
/--------------------------------------------------------------------------------------------\
| Module address:[400000] | Module size:[BE000] | Name:[RM2MP3Co]
----------------------------------------------------------------------------------------------
|0040A7A7 | PUSH EAX
|0040A7A8 | PUSH ECX
|0040A7A9 | CALL DWORD PTR DS:[0x43C064]
|0040A7AF | RETN 0x4
|
|0040A7C7 | PUSH EAX
|0040A7C8 | PUSH ECX
|0040A7C9 | CALL DWORD PTR DS:[0x43C898]
|0040A7CF | PUSH EAX
|0040A7D0 | CALL 004372E6
|0040A7D5 | RETN 0x4
|
|0040A835 | PUSH EAX
|0040A836 | PUSH ECX
|0040A837 | CALL DWORD PTR DS:[0x43C0D0]
|0040A83D | RETN 0x1C
|
|0040BA2E | PUSH EAX
|0040BA2F | PUSH ECX
|0040BA30 | CALL 004094D0
|0040BA35 | ADD ESP,0xC
|0040BA38 | POP EDI
|0040BA39 | POP ESI
|0040BA3A | RETN 0xC
|
|0041270C | PUSH EAX
|0041270D | PUSH ECX
|0041270E | CALL DWORD PTR DS:[0x43C840]
|00412714 | MOV ECX,ESI
|00412716 | CALL 00437142
|0041271B | POP ESI
|0041271C | RETN
|
|0041668F | PUSH EAX
|00416690 | PUSH ECX
|00416691 | CALL DWORD PTR DS:[0x43C7A4]
|00416697 | POP EDI
|00416698 | POP ESI
|00416699 | ADD ESP,0x30
|0041669C | RETN 0xC
|
|00425F44 | PUSH EAX
|00425F45 | PUSH ECX
|00425F46 | CALL DWORD PTR DS:[0x43C01C]
|00425F4C | RETN 0x8
|
|00436077 | PUSH EAX
|00436078 | PUSH ECX
|00436079 | CALL DWORD PTR DS:[0x43C840]
|0043607F | RETN 0x4
|
|0043799C | PUSH EAX
|0043799D | PUSH ECX
|0043799E | CALL 004379BE
|004379A3 | POP ECX
|004379A4 | POP ECX
|004379A5 | RETN
|
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[58C30000] | Module size:[97000] | Name:[comctl32]
----------------------------------------------------------------------------------------------
|58C3E87E | PUSH EAX
|58C3E87F | PUSH ECX
|58C3E880 | PUSH DWORD PTR SS:[EBP+0x10]
|58C3E883 | PUSH DWORD PTR SS:[EBP+0xC]
|58C3E886 | CALL DWORD PTR DS:[0x58C314D0]
|58C3E88C | POP EBP
|58C3E88D | RETN 0x10
|
|58C4237D | PUSH EAX
|58C4237E | PUSH ECX
|58C4237F | CALL 58C41198
|58C42384 | XOR EAX,EAX
|58C42386 | INC EAX
|58C42387 | POP ESI
|58C42388 | POP EBP
|58C42389 | RETN 0x8
|
|58C646C5 | PUSH EAX
|58C646C6 | PUSH ECX
|58C646C7 | CALL 58C5070D
|58C646CC | ADD ESP,0xC
|58C646CF | POP EDI
|58C646D0 | POP ESI
|58C646D1 | POP EBP
|58C646D2 | RETN 0x8
|
|58C6982D | PUSH EAX
|58C6982E | PUSH ECX
|58C6982F | CALL 58C3C278
|58C69834 | POP EBP
|58C69835 | RETN 0xC
|
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[5B150000] | Module size:[38000] | Name:[uxtheme]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[5CF60000] | Module size:[26000] | Name:[shimeng]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[61DF0000] | Module size:[E000] | Name:[mfc42loc]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[6FDB0000] | Module size:[1CA000] | Name:[AcGenral]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[73D50000] | Module size:[FE000] | Name:[mfc42]
----------------------------------------------------------------------------------------------
|73D60192 | PUSH EAX
|73D60193 | PUSH ECX
|73D60194 | CALL DWORD PTR DS:[EDX+0x28]
|73D60197 | POP ESI
|73D60198 | RETN 0x4
|
|73D88F8C | PUSH EAX
|73D88F8D | PUSH ECX
|73D88F8E | MOV ECX,ESI
|73D88F90 | CALL 73DCB5A6
|73D88F95 | POP ESI
|73D88F96 | RETN 0x4
|
|73DAAAB9 | PUSH EAX
|73DAAABA | PUSH ECX
|73DAAABB | CALL DWORD PTR DS:[0x73DF66E0]
|73DAAAC1 | ADD ESP,0xC
|73DAAAC4 | SUB DWORD PTR DS:[ESI+0x8],EDI
|73DAAAC7 | POP EDI
|73DAAAC8 | POP ESI
|73DAAAC9 | RETN 0x8
|
|73DCCA4B | PUSH EAX
|73DCCA4C | PUSH ECX
|73DCCA4D | PUSH ESI
|73DCCA4E | CALL 73DC914B
|73DCCA53 | POP ESI
|73DCCA54 | RETN 0x8
|
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[76030000] | Module size:[65000] | Name:[msvcp60]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[76360000] | Module size:[4A000] | Name:[comdlg32]
----------------------------------------------------------------------------------------------
|7638A193 | PUSH EAX
|7638A194 | PUSH ECX
|7638A195 | CALL DWORD PTR DS:[0x763613D8]
|7638A19B | POP EBP
|7638A19C | RETN 0xC
|
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[76630000] | Module size:[B4000] | Name:[userenv]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[76B00000] | Module size:[2E000] | Name:[winmm]
----------------------------------------------------------------------------------------------
\--------------------------------------------------------------------------------------------/
/--------------------------------------------------------------------------------------------\
| Module address:[770F0000] | Module size:[8C000] | Name:[oleaut32]
----------------------------------------------------------------------------------------------