Buffer Overflow Bypass DEP using ROP
This is the English version on this topic, where I manually adjust the gadgets in memory in order to execute the VirtualAlloc function, changing the memory's properties to executable so that it can execute a shellcode and get back a reverse shell.
The vulnerable CloudMe Sync 1.11.2 version was used.
00:00 Intro
00:55 Pre-reqs
01:25 Review Stack Buffer Overflow
02:43 Theory - DEP - Data Execution Prevention
03:00 Theory - ROP - Return-Oriented Programming
05:00 Theory - Change Memory Protection
06:15 How to get the VirtualAlloc base address
06:45 What modules should you use?
07:30 RP++
08:10 Organize the gadgets with custom tool
08:50 Demo time
09:12 CloudMe Sync version check
09:20 Code overview
10:10 Checking VirtualAlloc signature
11:17 Using IDA Pro to get VirtualAlloc base address
12:25 Payload Walkthrough
13:27 Starting Windbg
13:38 Load Narly, get loaded modules
14:10 Generate modules list and execute RP++
15:18 Organize RP++ output into simpler gadgets groups
16:15 Add the first breakpoint
17:05 Debug started
17:40 Visualize stack and the placeholders
18:52 Get a copy of ESP
20:00 Move to first placeholder
22:26 Pop VirtualAlloc base address
23:04 Check POI(EAX)
23:29 Dereference VirtualAlloc base address
23:55 VirtualAlloc patching
24:33 Increment ECX
25:30 Find a place to store the reverse shell
26:40 Return address patching
27:15 lpAddress patching
28:25 dwSize patching
29:45 flAllocationType patching
30:33 flProtect patching
30:56 Check stack with VirtualAlloc function and its parameters setup
32:03 Update ESP to point to VirtualAlloc address
32:48 Check memory protection before execution
33:23 Get reverse shell
33:40 Check memory protection after execution
34:20 Bye!
Links:
-----------
https://www.exploit-db.com/exploits/46250
https://www.exploit-db.com/apps/f0534b12cd51fefd44002862918801ab-CloudMe_1112.exe
Credits:
-------------------
Music Promoted by Music & Gene at YouTube:
https://www.youtube.com/c/MusicGene
https://geniemindcreation.wixsite.com...
Music by MBB | https://soundcloud.com/mbbofficial
https://www.youtube.com/c/mbbmusic
https://www.instagram.com/mbb_music
Buy Music Licenses at www.mbb-music.com