
NULL PTR Issue (Bit Strange Windows 7) #11

Closed
ghost opened this issue Jan 24, 2019 · 5 comments

ghost commented Jan 24, 2019

Hello! I was hoping you'd have an idea about this.

Your project is awesome btw, so I thought I'd try to use it in my own. However, one issue occurs on Windows 7 (x64). When running gargoyle.exe, it'll pop the two message boxes (the initial two), then immediately after the APC is queued, hop to a NULL address. This issue does not appear on any operating system. I tried debugging myself/finding the issue but was unable to find it/fix it, so I wanted to ask if you have an idea of how one could fix it?

Anyhow, I appreciate your response, & thank you!

@ghost ghost changed the title NULL PTR Issue (Bit Strange) NULL PTR Issue (Bit Strange Windows 7) Jan 24, 2019
JLospinoso (Owner) commented

Hi, thanks for posting! Sorry you're having trouble. Can you please post the command line output?

ghost commented Jan 25, 2019

Sure, yes, I can do that.

Result of just running Gargoyle.exe.

PS C:\Users\AJH\Downloads\gargoyle-master\Release> .\Gargoyle.exe
[ ] Allocating executable memory for "setup.pic".
[+] Allocated 149 bytes for PIC.
[ ] Configuring ROP gadget.
[ ] Loading "mshtml.dll" system DLL.
[+] Loaded "mshtml.dll" at 0x62720000.
[ ] Found executable section ".text" at 0x62721000.
[-] Didn't find ROP gadget in "mshtml.dll".
[ ] Allocating executable memory for "gadget.pic".
[+] Allocated 3 bytes for gadget PIC.
[+] ROP gadget configured.
[ ] Allocating read/write memory for config, stack, and trampoline.
[+] Allocated 65628 bytes for scratch memory.
[ ] Building stack trampoline.
[+] Stack trampoline built.
[ ] Building configuration.
[+] Configuration built.
[+] Success!
    ================================
    Gargoyle PIC @ -----> 0x00140000
    ROP gadget @ -------> 0x00150000
    Configuration @ ----> 0x00190000
    Top of stack @ -----> 0x00190038
    Bottom of stack @ --> 0x001A0037
    Stack trampoline @ -> 0x001A0038

First execution runs the messagebox, awesome. I click the two initial ones that pop after immediate execution. The APC is queued; 15 seconds later, the APC executes, and checking with a debugger for the crash shows it's jumping to NULL (bit weird).

@JLospinoso

JLospinoso (Owner) commented

Hmm, it's not immediately obvious to me what's wrong. Your version of mshtml.dll doesn't have the correct ROP gadget, but this shouldn't matter since it's creating one for you.

Could you attach a debugger and step through the assembly? You'll want to see where the APC callback is, put a breakpoint there, then pay attention to what's happening when the ROP gadget redirects execution (it should point to VirtualProtectEx).

ghost commented Jan 30, 2019

Nada. Debugged; the APC callback wasn't null, which was strange. Yeah, it looks like the issue is with the stack pivot. @JLospinoso

JLospinoso (Owner) commented

Eh, weird. Since I can't reproduce it, it's hard for me to say much else about what could be wrong. I'll keep the issue open, please let me know if you figure out what's going on!

@ghost ghost closed this as completed Oct 26, 2019