A small utility that allows you to kill zombie processes on x86 Linux.
a2a77ba73f71c96c56aca603232fa0dd92eeb9a87f9c1116df3870f77bfabbd3/*
* zkill 0.1 By Ilja van Sprundel
* works ONLY on x86 linux (only tested on 2.4.x kernels)
* the inject part was taken out of an elf infector by eSDee
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <ctype.h>
#include <sys/ptrace.h>
#include <errno.h>
struct
regs_struct
{
unsigned long r_ebx;
unsigned long r_ecx;
unsigned long r_edx;
unsigned long r_esi;
unsigned long r_edi;
unsigned long r_ebp;
unsigned long r_eax;
unsigned long r_ds;
unsigned long r_es;
unsigned long r_fs;
unsigned long r_gs;
unsigned long r_orig_eax;
unsigned long r_eip;
unsigned long r_cs;
unsigned long r_eflags;
unsigned long r_esp;
unsigned long r_ss;
} regs;
// does a waitpid(pid, NULL, WNOHANG);
unsigned const static char code[] = "\x60" // pusha
"\xbb" // movl pid, %ebx
"\xb9\x00\x00\x00\x00" // movl $0x00000000, %ecx
"\xba\x01\x00\x00\x00" // movl $0x00000001, %edx
"\xb8\x07\x00\x00\x00" // movl $0x00000007, %eax
"\xcd\x80" // int $0x80
"\x61"; // popa
int main(int argc, char **argv)
{
// state : 0 -> no state yet, 1 -> zombie, 2 -> no zombie
int state = 0, i;
FILE *fp;
pid_t pid, parentpid = 0;
uid_t myuid, fileuid;
char filename[128], buffer[256], *p;
unsigned char code2[25];
struct stat statbuf;
if (argc <= 1)
{
// need decent usage() function
printf("blah blah blah\n"); exit(1);
}
pid = (pid_t) atol(argv[1]);
memset(buffer, 0x00, sizeof(buffer));
memset(filename, 0x00, sizeof(filename) );
snprintf(filename, sizeof(filename) -1 - strlen("status") , "/proc/%u/", pid);
if ( (stat(filename, &statbuf)) )
{
perror("stat"); exit(1);
}
if(getuid() != statbuf.st_uid && getuid() != 0)
{
printf("Can't do that, you don't OWN the process !!!! \n"); exit(1);
}
strcat(filename, "status");
if (stat(filename, &statbuf ))
{
perror("stat"); exit(1);
}
if( (fp = fopen(filename, "r")) == NULL)
{
perror("fopen()"); exit(1);
}
do
{
fgets(buffer,sizeof(buffer)-1 ,fp);
if (state == 0 && (p = strstr(buffer, "State:")) != NULL )
{
p = p + strlen("State:");
while(*p != '\0')
{
if (isspace(*p))
*p++;
else if (*p == 'Z')
{
state = 1; break;
}
else
{
state = 2; break ;
}
}
}
else if (parentpid == 0 && (p = strstr(buffer, "PPid:")) != NULL )
{
p = p + strlen("Ppid:");
while(*p != '\0')
{
if (isspace(*p))
*p++;
else
{
parentpid = (pid_t) atol(p); break;
}
}
}
} while(!(feof(fp)) && (state == 0 || parentpid == 0) ) ;
memcpy(code2, code, 2);
memcpy(code2 + 2, &pid, 4);
memcpy(code2 + 2 + 4, code + 2, sizeof(code) - 2 );
inject_shellcode(parentpid, code2, sizeof(code) + 4);
}
int
inject_shellcode(pid_t pid, char *shellcode, size_t sc_len)
{
pid_t wpid = 0;
int i = 0;
int status = 0;
int cur_ins = 0;
unsigned long ori_eip = 0;
if ((ptrace(PT_ATTACH, pid, 0, 0)) < 0) {
fprintf(stderr, "Error: PT_ATTACH failed!\n");
return -1;
}
wait(0);
if (ptrace(PT_GETREGS, pid, 0, (char *) ®s) < 0) {
fprintf(stderr, "Error: PT_GETREGS failed!\n");
return -1;
}
for(i = 0; i < sc_len; i++) {
ptrace(PT_WRITE_I, pid, ((regs.r_esp - 8000000) + i), shellcode[i]);
if (errno) {
fprintf(stderr, "Error: PT_WRITE_I failed!\n");
return -1;
}
}
ori_eip = regs.r_eip;
regs.r_eip = regs.r_esp - 8000000;
if (ptrace(PT_SETREGS, pid, 0, (char *) ®s) < 0) {
fprintf(stderr, "Error: PT_SETREGS failed!\n");
return -1;
}
while (1) {
if (ptrace(PT_STEP, pid, (caddr_t)1, NULL) < 0) {
fprintf(stderr, "Error: PT_STEP failed!\n");
return -1;
}
do {
wpid = waitpid(-1, &status, 0);
if (wpid == -1) {
fprintf(stderr, "Error: waitpid failed.\n");
return -1;
}
} while (wpid != pid);
cur_ins++;
if (cur_ins > sc_len) {
regs.r_eip = ori_eip;
if (ptrace(PT_SETREGS, pid, 0, (char *) ®s) < 0) {
fprintf(stderr, "Error: PT_SETREGS failed!\n");
return -1;
}
break;
}
}
if ((ptrace(PT_DETACH, pid, 0, 0)) < 0) {
fprintf(stderr, "Error: PT_DETACH failed!\n");
return -1;
}
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed