
zkill.c

Posted Apr 2, 2003
Authored by netric, Ilja van Sprundel | Site netric.org

A small utility that reaps zombie processes on x86 Linux: it ptrace-attaches to the zombie's parent and injects a waitpid(pid, NULL, WNOHANG) call so the parent collects the child's exit status.

tags | x86
systems | linux
MD5 | 55e6a019d44fdf3d61df054b250927c9


/*
* zkill 0.1 By Ilja van Sprundel
* works ONLY on x86 linux (only tested on 2.4.x kernels)
* the inject part was taken out of an elf infector by eSDee
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>

/*
 * Register image exchanged with the kernel via PT_GETREGS / PT_SETREGS.
 * Field order is the whole point: it mirrors the i386 struct
 * user_regs_struct layout (ebx, ecx, edx, esi, edi, ebp, eax, ds, es, fs,
 * gs, orig_eax, eip, cs, eflags, esp, ss), presumably hand-rolled here
 * instead of pulling in <sys/user.h>.  Do not reorder or resize fields.
 * Only valid on 32-bit x86; the 64-bit register file is laid out
 * differently.
 */
struct
regs_struct
{
unsigned long r_ebx;
unsigned long r_ecx;
unsigned long r_edx;
unsigned long r_esi;
unsigned long r_edi;
unsigned long r_ebp;
unsigned long r_eax;
unsigned long r_ds;
unsigned long r_es;
unsigned long r_fs;
unsigned long r_gs;
unsigned long r_orig_eax; /* syscall number if stopped inside a syscall, else -1 */
unsigned long r_eip;      /* inject_shellcode() redirects this to the injected code */
unsigned long r_cs;
unsigned long r_eflags;
unsigned long r_esp;      /* the injected code is placed relative to this */
unsigned long r_ss;
} regs; /* single global register image used by inject_shellcode() */

// does a waitpid(pid, NULL, WNOHANG);
unsigned const static char code[] = "\x60" // pusha
"\xbb" // movl pid, %ebx
"\xb9\x00\x00\x00\x00" // movl $0x00000000, %ecx
"\xba\x01\x00\x00\x00" // movl $0x00000001, %edx
"\xb8\x07\x00\x00\x00" // movl $0x00000007, %eax
"\xcd\x80" // int $0x80
"\x61"; // popa


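/*
 * zkill <pid>
 *
 * Reads /proc/<pid>/status, refuses unless the process is a zombie
 * ("State: Z") and its owner matches (or we are root), then asks
 * inject_shellcode() to run a waitpid(pid, NULL, WNOHANG) inside the
 * zombie's parent so the parent reaps it.
 *
 * Exit status: 0 if the injection reported success, 1 on any error.
 */
int main(int argc, char **argv)
{
	/* inject_shellcode() is defined further down this file; declare it so
	 * the call below is type-checked instead of implicitly declared. */
	int inject_shellcode(pid_t pid, char *shellcode, size_t sc_len);

	/* state: 0 -> "State:" line not seen yet, 1 -> zombie, 2 -> anything else */
	int state = 0;
	FILE *fp;
	pid_t pid, parentpid = 0;
	long val;
	char *end, *p;
	char dirname[128], statusfile[128], buffer[256];
	/* pusha + movl opcode (2) | pid immediate (4) | rest of code without its NUL */
	unsigned char code2[2 + 4 + (sizeof(code) - 1 - 2)];
	struct stat statbuf;

	if (argc <= 1) {
		fprintf(stderr, "usage: %s <zombie-pid>\n", argv[0]);
		exit(1);
	}

	/* strtol instead of atol: reject junk, negatives and out-of-range input
	 * before it turns into a bogus /proc path or a bogus ptrace target. */
	errno = 0;
	val = strtol(argv[1], &end, 10);
	if (end == argv[1] || *end != '\0' || errno == ERANGE || val <= 0) {
		fprintf(stderr, "%s: invalid pid '%s'\n", argv[0], argv[1]);
		exit(1);
	}
	pid = (pid_t)val;

	if (snprintf(dirname, sizeof(dirname), "/proc/%ld", (long)pid) >= (int)sizeof(dirname) ||
	    snprintf(statusfile, sizeof(statusfile), "/proc/%ld/status", (long)pid) >= (int)sizeof(statusfile)) {
		fprintf(stderr, "%s: path too long\n", argv[0]);
		exit(1);
	}
	if (stat(dirname, &statbuf) != 0) {
		perror("stat");
		exit(1);
	}

	/*
	 * Courtesy check only: the owner of /proc/<pid> is normally the
	 * process's uid.  What actually gates the injection is the kernel's
	 * ptrace permission check on the *parent* inside inject_shellcode(),
	 * because that is the process we attach to.  Root bypasses both, so be
	 * aware that a zombie already reparented (PPid 1) means attaching to
	 * init.
	 */
	if (getuid() != statbuf.st_uid && getuid() != 0) {
		printf("Can't do that, you don't OWN the process !!!! \n");
		exit(1);
	}

	if ((fp = fopen(statusfile, "r")) == NULL) {
		perror("fopen()");
		exit(1);
	}

	/* Scan /proc/<pid>/status for "State:" and "PPid:"; stop once both are known. */
	while ((state == 0 || parentpid == 0) && fgets(buffer, sizeof(buffer), fp) != NULL) {
		if (state == 0 && (p = strstr(buffer, "State:")) != NULL) {
			p += strlen("State:");
			while (isspace((unsigned char)*p))
				p++;
			if (*p != '\0')
				state = (*p == 'Z') ? 1 : 2; /* e.g. "State:\tZ (zombie)" */
		} else if (parentpid == 0 && (p = strstr(buffer, "PPid:")) != NULL) {
			p += strlen("PPid:");
			while (isspace((unsigned char)*p))
				p++;
			if (*p != '\0')
				parentpid = (pid_t)atol(p);
		}
	}
	fclose(fp);

	/* Refuse non-zombies: a waitpid(WNOHANG) in the parent of a live process
	 * is pointless, and still means ptrace-stopping that parent. */
	if (state != 1) {
		fprintf(stderr, "%s: pid %ld is not a zombie, nothing to reap\n", argv[0], (long)pid);
		exit(1);
	}
	if (parentpid <= 0) {
		fprintf(stderr, "%s: could not determine the parent of pid %ld\n", argv[0], (long)pid);
		exit(1);
	}

	/* Splice the pid into the "movl $imm32, %ebx" immediate.  Raw 4-byte
	 * little-endian copy: x86-only and assumes a 32-bit pid_t, exactly as
	 * the rest of this tool does. */
	memcpy(code2, code, 2);
	memcpy(code2 + 2, &pid, 4);
	memcpy(code2 + 2 + 4, code + 2, sizeof(code) - 1 - 2); /* -1: drop the string's NUL */

	return inject_shellcode(parentpid, (char *)code2, sizeof(code2)) == 0 ? 0 : 1;
}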


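/*
 * Block until 'pid' reports a ptrace stop.
 *
 * Returns 0 if it stopped, -1 if waitpid() failed or the process exited or
 * was killed instead (in which case there is nothing left to restore).
 */
static int
wait_for_stop(pid_t pid, int *status)
{
	pid_t w;

	do {
		w = waitpid(pid, status, 0);
	} while (w == -1 && errno == EINTR);
	if (w != pid) {
		fprintf(stderr, "Error: waitpid failed.\n");
		return -1;
	}
	if (!WIFSTOPPED(*status)) {
		fprintf(stderr, "Error: target exited during injection.\n");
		return -1;
	}
	return 0;
}

/*
 * Run the sc_len bytes at 'shellcode' inside process 'pid', then put the
 * process back exactly as it was.
 *
 * Sequence: PT_ATTACH and wait for the attach stop of this pid; save the
 * register file; save the words of target memory the code will overlay;
 * poke the code in word by word (so bytes past the end of the code
 * survive); point eip at it and single-step until eip leaves the injected
 * range; restore memory and registers; PT_DETACH.
 *
 * Returns 0 on success, -1 on any ptrace/wait failure (a message goes to
 * stderr).  On failure the function still tries to restore memory and
 * registers and to detach, so the target is not left stopped or corrupted
 * unless it already died.
 *
 * Caveats: i386 only (regs_struct layout, int 0x80, 4-byte words).  The
 * landing address "esp - 8000000" is the original author's choice and is
 * only usable if that page is mapped in the target -- TODO confirm;
 * otherwise PT_READ_I/PT_WRITE_I fail with EIO and we bail out.  Any
 * signal that arrives for the target while it is being stepped is dropped,
 * as in the original.
 */
int
inject_shellcode(pid_t pid, char *shellcode, size_t sc_len)
{
	/* Distance below the target's stack pointer where the code is placed. */
	const unsigned long landing_offset = 8000000UL;
	struct regs_struct saved, cur;
	unsigned long base = 0, *orig_words = NULL;
	size_t nwords, words_written = 0, i, steps;
	int status = 0, done = 0, rc = -1;

	if (sc_len == 0)
		return 0;

	if (ptrace(PT_ATTACH, pid, 0, 0) < 0) {
		fprintf(stderr, "Error: PT_ATTACH failed!\n");
		return -1;
	}

	/* Wait for the attach-induced stop of THIS pid; wait(0) would have
	 * accepted any child of ours. */
	if (wait_for_stop(pid, &status) < 0)
		goto out_detach;

	if (ptrace(PT_GETREGS, pid, 0, &saved) < 0) {
		fprintf(stderr, "Error: PT_GETREGS failed!\n");
		goto out_detach;
	}
	base = saved.r_esp - landing_offset;

	/* Save the target memory we are about to overwrite, whole words. */
	nwords = (sc_len + sizeof(long) - 1) / sizeof(long);
	orig_words = malloc(nwords * sizeof(*orig_words));
	if (orig_words == NULL) {
		fprintf(stderr, "Error: out of memory\n");
		goto out_restore;
	}
	for (i = 0; i < nwords; i++) {
		errno = 0; /* PEEK returns -1 both on error and for a genuine -1 word */
		orig_words[i] = (unsigned long)ptrace(PT_READ_I, pid, base + i * sizeof(long), 0);
		if (orig_words[i] == (unsigned long)-1 && errno != 0) {
			fprintf(stderr, "Error: PT_READ_I failed!\n");
			goto out_restore;
		}
	}

	/* Write the code, overlaying only sc_len bytes on the saved words, and
	 * check the POKE result itself rather than a possibly stale errno. */
	for (i = 0; i < nwords; i++) {
		unsigned long word = orig_words[i];
		size_t off = i * sizeof(long);
		size_t n = (sc_len - off < sizeof(long)) ? sc_len - off : sizeof(long);

		memcpy(&word, shellcode + off, n);
		if (ptrace(PT_WRITE_I, pid, base + off, word) < 0) {
			fprintf(stderr, "Error: PT_WRITE_I failed!\n");
			goto out_restore;
		}
		words_written = i + 1;
	}

	/* Redirect execution.  orig_eax = -1 tells the kernel the target is not
	 * sitting in an interrupted system call, so it will not "restart" one by
	 * rewinding eip when the target resumes -- a well-known ptrace injection
	 * pitfall that would skip our code.  The saved copy (restored below)
	 * keeps the original value so the real syscall restarts as it should. */
	cur = saved;
	cur.r_eip = base;
	cur.r_orig_eax = (unsigned long)-1;
	if (ptrace(PT_SETREGS, pid, 0, &cur) < 0) {
		fprintf(stderr, "Error: PT_SETREGS failed!\n");
		goto out_restore;
	}

	/* Single-step until eip leaves [base, base + sc_len).  No instruction is
	 * shorter than a byte, so sc_len steps is a hard upper bound; without the
	 * range check we would keep stepping into whatever follows the code. */
	for (steps = 0; steps < sc_len; steps++) {
		if (ptrace(PT_STEP, pid, (void *)1, 0) < 0) {
			fprintf(stderr, "Error: PT_STEP failed!\n");
			goto out_restore;
		}
		if (wait_for_stop(pid, &status) < 0)
			goto out_gone;
		if (WSTOPSIG(status) != SIGTRAP) {
			/* A real signal, or a fault in the injected code: stop here.
			 * The signal is dropped on detach, as it was originally. */
			fprintf(stderr, "Error: target stopped with signal %d during injection\n",
			        WSTOPSIG(status));
			goto out_restore;
		}
		if (ptrace(PT_GETREGS, pid, 0, &cur) < 0) {
			fprintf(stderr, "Error: PT_GETREGS failed!\n");
			goto out_restore;
		}
		if (cur.r_eip < base || cur.r_eip >= base + sc_len) {
			done = 1;
			break;
		}
	}
	if (!done)
		fprintf(stderr, "Error: injected code did not finish within %lu steps\n",
		        (unsigned long)sc_len);
	rc = done ? 0 : -1;

out_restore:
	/* Undo everything, best effort; a failure here is reported but cannot
	 * be recovered from. */
	for (i = 0; i < words_written; i++) {
		if (ptrace(PT_WRITE_I, pid, base + i * sizeof(long), orig_words[i]) < 0) {
			fprintf(stderr, "Error: could not restore target memory!\n");
			rc = -1;
		}
	}
	if (ptrace(PT_SETREGS, pid, 0, &saved) < 0) {
		fprintf(stderr, "Error: PT_SETREGS failed!\n");
		rc = -1;
	}
out_detach:
	if (ptrace(PT_DETACH, pid, 0, 0) < 0) {
		fprintf(stderr, "Error: PT_DETACH failed!\n");
		rc = -1;
	}
out_gone:
	free(orig_words);
	return rc;
}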
