As before, the ASM code is commented so that it is clear what each instruction is setting up: the syscall number, its parameters and the call itself.
Used syscalls:
– creat –> syscall 0x8: craft the path string and set the mode
– write –> syscall 0x4: write the buffer ("0", size 1) to the file descriptor returned by creat
– close –> syscall 0x6: close the descriptor
– exit –> syscall 0x1: exit gracefully
Compiling:
$ ../compile_asm.sh asm_linx86_aslr-disable_shellstorm_sample2-alt
[+] Assembling with Nasm ...
[+] Linking ...
[+] Done!
Running with strace:
When we run the freshly compiled binary as a regular user it segfaults. The first line of the trace shows why: creat() on /proc/sys/kernel/randomize_va_space fails with EACCES, and the shellcode carries on regardless. The next three syscall numbers are 0xffffff04, 0xffffff06 and 0xffffffdb instead of 4, 6 and 1, which is consistent with the code loading only the low byte of eax (and, for exit, incrementing eax) for each following call while eax still holds the negative error value of the previous one. Those numbers do not exist, so each call returns ENOSYS (errno 38), and once the exit call fails as well, execution runs off the end of the code and faults. The binary has to run as root to succeed.
$ strace ./asm_linx86_aslr-disable_shellstorm_sample2-alt
execve("./asm_linx86_aslr-disable_shellstorm_sample2-alt", ["./asm_linx86_aslr-disable_shells"...], [/* 29 vars */]) = 0
creat("//proc/sys/kernel/randomize_va_space", 01274) = -1 EACCES (Permission denied)
syscall_4294967044(0xfffffff3, 0xbff19fa2, 0x1, 0, 0, 0, 0xffffffda, 0x7b, 0x7b, 0, 0, 0xffffff04, 0x80480ac, 0x73, 0x202, 0xbff19fa2, 0x7b, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) = -1 (errno 38)
syscall_4294967046(0xfffffff3, 0xbff19fa2, 0x1, 0, 0, 0, 0xffffffda, 0x7b, 0x7b, 0, 0, 0xffffff06, 0x80480b0, 0x73, 0x202, 0xbff19fa2, 0x7b, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) = -1 (errno 38)
syscall_4294967259(0xfffffff3, 0xbff19fa2, 0x1, 0, 0, 0, 0xffffffda, 0x7b, 0x7b, 0, 0, 0xffffffdb, 0x80480b3, 0x73, 0x286, 0xbff19fa2, 0x7b, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) = -1 (errno 38)
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)
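The same creat/write/close/exit sequence written in C, as an added example that is not the shellcode from the page: it adds the check on creat() that the shellcode lacks, and two small helpers that reproduce the bogus syscall numbers visible in the unprivileged trace (0xffffff04, 0xffffff06, 0xffffffdb) under the assumption, drawn from those numbers, that the shellcode loads only AL for the next syscall number and increments eax for the exit. The scratch path in the test and the helper names are mine; the sysctl path is the one from the page.

```c
/* Added example, not the shellcode from the page: creat/write/close in C with
 * the fd check the shellcode skips, plus helpers that reproduce the syscall
 * numbers seen in the unprivileged strace run. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ASLR_SYSCTL "/proc/sys/kernel/randomize_va_space"

/* Assumption from the trace: the shellcode does "mov al, N" for the next
 * syscall while eax still holds the previous return value. With -EACCES
 * (-13 = 0xfffffff3) in eax, "mov al, 4" yields 0xffffff04, not 4. */
uint32_t next_syscall_after_mov_al(int32_t prev_eax, uint8_t al) {
    return ((uint32_t)prev_eax & 0xffffff00u) | al;
}

/* Assumption from the trace: the exit number is produced by "inc eax".
 * After a successful close (eax = 0) that gives 1; after -ENOSYS
 * (0xffffffda) it gives the 0xffffffdb seen in the trace. */
uint32_t next_syscall_after_inc_eax(int32_t prev_eax) {
    return (uint32_t)prev_eax + 1u;
}

/* Write a single "0" to path the way the shellcode does, but stop when
 * creat fails instead of carrying the error value into the next syscall.
 * Returns 0 on success, -errno on failure. The shellcode passes mode 01274;
 * the mode is irrelevant for an existing sysctl file, so 0644 is used here
 * so that a freshly created scratch file can be read back. */
int write_zero(const char *path) {
    int fd = creat(path, 0644);
    if (fd < 0) return -errno;          /* the check the shellcode lacks */
    if (write(fd, "0", 1) != 1) {
        int saved = errno;
        close(fd);
        return -saved;
    }
    if (close(fd) != 0) return -errno;
    return 0;
}

/* First byte of the file at path, or -1 if it cannot be read. */
int first_byte(const char *path) {
    char c;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &c, 1);
    close(fd);
    return n == 1 ? (unsigned char)c : -1;
}

int main(void) {
    int rc = write_zero(ASLR_SYSCTL);
    if (rc < 0) {
        fprintf(stderr, "creat(%s): %s\n", ASLR_SYSCTL, strerror(-rc));
        fprintf(stderr, "shellcode would now issue syscall 0x%08x instead of write\n",
                (unsigned)next_syscall_after_mov_al(rc, 4));
        return 1;
    }
    printf("%s = %c\n", ASLR_SYSCTL, first_byte(ASLR_SYSCTL));
    return 0;
}
```

Run as a regular user the program reports the EACCES and the syscall number the shellcode would have used next; run as root it writes the "0" and prints the new value. The helpers are there to check the reading of the trace rather than to do anything useful.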
Checking the current value of /proc/sys/kernel/randomize_va_space (on this box it is already 0, i.e. ASLR disabled):
$ cat /proc/sys/kernel/randomize_va_space
0
Setting it to "1" as root to enable ASLR (the same echo used before the strace run further down):
# echo 1 > /proc/sys/kernel/randomize_va_space
Running the binary as root:
When we run as root no error is reported, and randomize_va_space reads 0 again, meaning ASLR is disabled.
# ./asm_linx86_aslr-disable_shellstorm_sample2-alt
# cat /proc/sys/kernel/randomize_va_space
0
Again with strace as root, after re-enabling ASLR with echo 1 so the write is visible. All four syscalls now succeed: creat returns fd 3, write puts the single byte "0" into it, close succeeds, and the process exits with status 3, which is simply the file descriptor still sitting in ebx when the exit syscall is made.
# echo 1 > /proc/sys/kernel/randomize_va_space
# strace ./asm_linx86_aslr-disable_shellstorm_sample2-alt
execve("./asm_linx86_aslr-disable_shellstorm_sample2-alt", ["./asm_linx86_aslr-disable_shells"...], [/* 22 vars */]) = 0
creat("//proc/sys/kernel/randomize_va_space", 01274) = 3
write(3, "0", 1) = 1
close(3) = 0
_exit(3) = ?
# cat /proc/sys/kernel/randomize_va_space
0