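/*
 * Provenance: this file circulated as a PGP clearsigned posting (Hash: SHA1).
 * The armor is kept below, inside comments, for reference only.  The signed
 * text has been edited in this copy, so the signature will NOT verify against
 * it; verify against the author's original posting instead.  Note also that
 * SHA-1 clearsigns are no longer considered collision-resistant.
 *
 * -----BEGIN PGP SIGNED MESSAGE-----
 * Hash: SHA1
 */

/*
 * ▐▄∙ ▄ ▄▄▄ . ▐ ▄ ∙ ▌ ▄ ·. ▄∙ ▄▌ ▄▄▄▄▄ ▄▄▄· █▌█▌■ ▀▄.▀· ∙█▌▐█ ■ ·██ ▐███■ █■██▌ ∙██ ▐█ ▀█ ·██· ▐▀▀■▄ ▐█▐▐▌ ▄█▀▄ ▐█ ▌▐▌▐█· █▌▐█▌ ▐█.■ ▄█▀▀█ ■▐█·█▌ ▐█▄▄▌ ██▐█▌ ▐█▌.▐▌ ██ ██▌▐█▌ ▐█▄█▌ ▐█▌· ▐█ ■▐▌ ∙▀▀ ▀▀ ▀▀▀ ▀▀ █■ ▀█▄▀■ ▀▀ █■▀▀▀ ▀▀▀ ▀▀▀ ▀ ▀
 *
 * Ho' Detector (Promiscuous mode detector shellcode)
 * by XenoMuta
 * http://xenomuta.tuxfamily.org/
 *
 * This shellcode uses a stupid, yet effective way to detect promiscuous mode
 * on linux 2.4/2.6 kernels: parsing /proc/net/packet, which contains
 * libpcap's stats and only one line (57 bytes) when not sniffing.
 *
 * greetz: c3lc1uz, garay, emra
 */

/*
 * What the payload does (i386 Linux, int $0x80 ABI; syscall numbers are
 * hard-coded below as open=5, read=3, write=4, exit=1):
 *
 *   1. Builds the NUL-terminated string "/proc/net/packet" on the stack
 *      (the four pushes are in reverse order) and open()s it.
 *   2. read()s at most 0x39 (57) bytes of the file onto the stack.
 *   3. Subtracts 8 from the byte count: 56 bytes read -> 48 ('0'),
 *      57 bytes read -> 49 ('1').  That digit followed by '\n' (0x0a) is
 *      write()n to fd 1 (stdout), 2 bytes.
 *   4. exit()s.
 *
 * Caveats a reader should keep in mind:
 *
 *   - The header text above says the quiet file is 57 bytes, while the
 *     arithmetic below treats 56 as the quiet case; both are the author's
 *     numbers and are left as found.
 *   - The check is a heuristic on the size of /proc/net/packet, so it relies
 *     on the exact header line length of the kernels named above and on the
 *     file gaining a line while a packet socket is open.  NOTE(review): an
 *     open packet socket is a proxy for "someone is sniffing", not proof that
 *     an interface is in promiscuous mode - confirm against the kernel's
 *     /proc/net/packet format before trusting the verdict.
 *   - There is no error handling.  If open() or read() fails, the negative
 *     return value still goes through the "- 8" step and a garbage byte is
 *     printed instead of an error.
 *   - Output parsing: only two outcomes exist, '0' and '1', one per line.
 *   - The harness below jumps into a writable data array.  On toolchains
 *     that map data pages non-executable (NX / W^X, the default for years),
 *     the call faults immediately; this is the intended behaviour of those
 *     mitigations, not a bug in the harness.
 */
char sc[] =
    "\x31\xc0"             // xor  %eax,%eax
    "\x31\xc9"             // xor  %ecx,%ecx
    "\x50"                 // push %eax            ; \x00 terminator
    "\x68\x63\x6b\x65\x74" // push $0x74656b63     ; "cket"
    "\x68\x74\x2f\x70\x61" // push $0x61702f74     ; "t/pa"
    "\x68\x63\x2f\x6e\x65" // push $0x656e2f63     ; "c/ne"
    "\x68\x2f\x70\x72\x6f" // push $0x6f72702f     ; "/pro"  -> "/proc/net/packet\0"
    "\xb0\x05"             // mov  $0x5,%al        ; sys_open
    "\x89\xe3"             // mov  %esp,%ebx       ; ebx = pathname
    "\xcd\x80"             // int  $0x80
    "\x93"                 // xchg %eax,%ebx       ; ebx = fd (or -errno on failure)
    "\x6a\x03"             // push $0x3            ; sys_read
    "\x58"                 // pop  %eax
    "\x89\xe1"             // mov  %esp,%ecx       ; ecx = buffer (stack)
    "\x6a\x39"             // push $0x39           ; read at most 57 bytes;
    "\x5a"                 // pop  %edx            ; if not sniffing only 56
    "\xcd\x80"             // int  $0x80           ; will be read.
    "\x2c\x08"             // sub  $0x8,%al        ; eax = read bytes - 8
    "\xb1\x0a"             // mov  $0xa,%cl        ; so al will be '0' or '1'
    "\x66\xc1\xe1\x08"     // shl  $0x8,%cx        ; (ascii 48 or 49)
    "\x66\x01\xc1"         // add  %ax,%cx         ; cx = '\n' << 8 | digit
    "\x51"                 // push %ecx
    "\x89\xe1"             // mov  %esp,%ecx       ; ecx = &cx
    "\xb0\x04"             // mov  $0x4,%al        ; sys_write eax to
    "\xb3\x01"             // mov  $0x1,%bl        ; stdout
    "\xb2\x02"             // mov  $0x2,%dl        ; (2 bytes, digit and 0xa)
    "\xcd\x80"             // int  $0x80
    "\x66\x93"             // xchg %ax,%bx         ; sys_exit (eax=1); ebx takes
                           //                      ; write()'s return, so the exit
                           //                      ; status appears to be 2 on success
    "\xcd\x80";            // int  $0x80

/*
 * Test harness: transfer control to the byte array.
 *
 * Casting an object pointer to a function pointer is not strictly conforming
 * C (it is what the original `(*(void (*)()) sc)()` did); the cast is kept
 * because it is the entire point of the harness.  main is declared with an
 * explicit int return type and (void) parameter list because the original
 * implicit-int `main(){...}` form was removed in C99 and is rejected by
 * current compilers.
 */
int main(void)
{
    void (*entry)(void) = (void (*)(void))sc;

    entry();

    return 0; /* not reached: the payload ends with sys_exit */
}

/*
 * -----BEGIN PGP SIGNATURE-----
 * iEYEARECAAYFAkgBhjoACgkQ2LnNaOYR/B3IEACgxAS+PsrjMslt1WmvUsV9gdZ2
 * xfYAoKqUXBKuDoJPofpy7OAJq8hP16TG
 * =zoAm
 * -----END PGP SIGNATURE-----
 */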