merikenin.asm - Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker version 1.

merikenin.asm - Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker version 1.
02-22-2012, 07:03 AM (This post was last modified: 02-22-2012 07:17 AM by ev1lut10n.)
Post: #1
ev1lut10n Offline
./Devilz Officer
Posts: 239
Joined: Aug 2011
Reputation: 82
merikenin.asm - Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker version 1.
gopher://sdf.org/0/users/wisdomc0/code_asm/merikenin.asm
==============================================================
;merikenin.asm - Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker version 1.0
;The programmer : ev1lut10n
;dedicated to Merikenin
;thanks to : X-hack,Danzel,Superman,Cakill, nofia fitri,Dedy, Chaer, Paulus gandung,Tian,Zendy,Hendra, Wenkhairu and all my bro and friends
;current big project : "Making a linux botnet and windows botnet that can work in synergy (my own idea)"
;website : http://www.jasaplus.com
;gopher://sdf.org/1/users/wisdomc0
section .bss
; Uninitialised storage (zero-filled on first use).
pilih_on_heap resb 6 ; menu command buffer; only its first 4 bytes are ever compared ('sys1', 'rkc1', ...). Despite the name this is .bss, not heap.
file: resd 1 ; return value of the open(2) probes in _merikenin_jynx / _merikenin_ipsecs (fd, or -errno on failure)
section .data
; All text is CRLF-terminated and has a matching pjg_* byte length (equ $-label)
; that callers load into edx before _merikenin_writeln, i.e. write(1, label, pjg_label).
t00lname db ".::Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker::.",13,10
pjg_t00lname equ $-t00lname
c0d3r db "c0der : ev1lut10n",13,10
pjg_c0d3r equ $-c0d3r
g0tr00t db "we got root access",13,10 ; printed when getuid() returns 0
pjg_g0tr00t equ $-g0tr00t
n0tr00t db "we dont have root priv,sorry y0u can not use this t00l baby",13,10 ; printed otherwise; the tool then exits
pjg_n0tr00t equ $-n0tr00t
;define jynx rootkit checker
; NUL-terminated path handed to open(2) by _merikenin_jynx.
jynx_ld_preload_poison_string db "ld_poison.so",0x00 ; NOTE: not referenced by any code in this listing - the preload file's contents are never scanned for it
jynx_ld_preload_so_path db "/etc/ld.so.preload",0x00
;define haxpath checker for kbeast lkm
; NUL-terminated path handed to open(2) by _merikenin_ipsecs.
_H4X_PATH_ db "/usr/_h4x_",0x00
;software menu
; Each entry starts with the 4-byte token that _merikenin_start2 compares against stdin input.
m3nu1 db "sys1 - Enable source validation by reversed path (checkin the source addr at ip datagram via route back to check whether it's valid or not)",13,10
pjg_m3nu1 equ $-m3nu1
m3nu2 db "sys2 - Enable TCP Syn Cookies (protection against syn attack)",13,10
pjg_m3nu2 equ $-m3nu2
m3nu3 db "sys3 - Ignore ICMP Echo Broadcast Requests - (no smurf amplification)!!!",13,10
pjg_m3nu3 equ $-m3nu3
b0nus db "Some bonuses functions :" ; no CRLF, and never printed by the menu code
pjg_b0nus equ $-b0nus
m3nu5 db "rkc1 - Checking Possible Jynx LD_Preload Rootkit",13,10
pjg_m3nu5 equ $-m3nu5
m3nu6 db "rkc2 - Checking Possible Kernel Beast Ver #1.0 LKM Rootkit -> _H4X_PATH_ /usr/_h4x_",13,10
pjg_m3nu6 equ $-m3nu6
m3nu7 db "quit - quit this t00l",13,10 ; never printed by _merikenin_start2; any unrecognised input quits anyway
pjg_m3nu7 equ $-m3nu7
;eof software menu
c0ns0l3 db "cmd:" ; prompt, deliberately without a newline
pjg_c0ns0l3 equ $-c0ns0l3
pilih db "%s", 0 ; unused; looks like a printf format string, but nothing in this listing links libc
; Result messages for the two rootkit probes (selected on the open(2) return value).
teks_continue db "/etc/ld.so.preload found beware ! Sorry i'm lazy it's your job to check for ld_poison.so at /etc/ld.so.preload, on exist means you're being infected",13,10
pjg_teks_continue equ $-teks_continue
teks_dont_continue db "No /etc/ld.so.preload found ! Seems like your system is clean from jynx rootkit",13,10
pjg_teks_dont_continue equ $-teks_dont_continue

teks_continuex db "/usr/_h4x_ found ! Please wait !!! You're being infected with Kernel Beast Ver #1.0, why u install kernel headers ???",13,10
pjg_teks_continuex equ $-teks_continuex
teks_dont_continuex db "No /usr/_h4x_ found ! Seems like your system is clean from Kernel Beast Ver #1.0",13,10
pjg_teks_dont_continuex equ $-teks_dont_continuex

section .text
global _start

;-----------------------------------------------------------------------
; _start - ELF entry point (static binary, no libc; 32-bit int 0x80 ABI).
; Hands off to _merikenin_start. Control never returns here: every path
; ends in _merikenin_out (sys_exit) or replaces the image via execve.
;-----------------------------------------------------------------------
_start:
        jmp     near _merikenin_start

;starting jynx rootkit checking routine
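;-----------------------------------------------------------------------
; _merikenin_jynx - menu "rkc1": probe for the Jynx LD_PRELOAD rootkit.
; Issues open("/etc/ld.so.preload", O_RDONLY) directly via int 0x80.
;   open succeeded (fd >= 0) -> file exists: print teks_continue
;   open failed   (-errno)   -> print teks_dont_continue
; Never returns; both paths jump to _merikenin_out.
; Clobbers eax, ebx, ecx, edx; [file] receives the open() result.
;
; Fixes vs the original: an fd of 0 (possible only if stdin was closed)
; was classified as "not found"; the fd was never closed; the second
; branch (je after jle) was unreachable and the epilogue was dead code.
;
; Caveats for whoever relies on this:
;  * Existence of /etc/ld.so.preload is only a heuristic; some systems
;    carry it legitimately. The actual indicator ("ld_poison.so" inside
;    the file, see jynx_ld_preload_poison_string) is not checked here -
;    the message tells the operator to do it by hand.
;  * Any open error, not just ENOENT (EACCES, ELOOP, ...), is reported
;    as "clean"; there is no "could not check" message.
;  * Because this is a static binary calling the kernel directly, a libc
;    hook installed through LD_PRELOAD cannot intercept this probe; a
;    kernel-level rootkit hiding the path still could.
;-----------------------------------------------------------------------
_merikenin_jynx:
        push    ebp
        mov     ebp, esp

        ; open("/etc/ld.so.preload", O_RDONLY, 0x100)
        ; the mode argument only matters with O_CREAT, which is not set
        mov     eax, 5                    ; sys_open (i386)
        mov     ebx, jynx_ld_preload_so_path
        xor     ecx, ecx                  ; O_RDONLY
        mov     edx, 0x100
        int     0x80

        mov     dword [file], eax
        test    eax, eax
        js      .not_found                ; negative = -errno

        ; fd >= 0: the file exists. We only needed existence, so close it.
        mov     ebx, eax
        mov     eax, 6                    ; sys_close
        int     0x80

        mov     ecx, teks_continue
        mov     edx, pjg_teks_continue
        call    _merikenin_writeln
        jmp     _merikenin_out

.not_found:
        mov     ecx, teks_dont_continue
        mov     edx, pjg_teks_dont_continue
        call    _merikenin_writeln
        jmp     _merikenin_out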

;eof jynx rootkit checking

;start ipsecs kbeast checking
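;-----------------------------------------------------------------------
; _merikenin_ipsecs - menu "rkc2": probe for the Kernel Beast (KBeast)
; LKM rootkit by opening its install directory /usr/_h4x_.
;   open succeeded (fd >= 0) -> path exists: print teks_continuex
;   open failed   (-errno)   -> print teks_dont_continuex
; Never returns; both paths jump to _merikenin_out.
; Clobbers eax, ebx, ecx, edx; [file] receives the open() result.
;
; Fixes vs the original: fd 0 was classified as "not found"; the fd was
; leaked; the je after jle was unreachable; the epilogue was dead code.
;
; Caveats:
;  * This is a fixed-path existence check. A kernel rootkit that hides
;    its own files at the syscall level can make this open() fail, so a
;    "clean" result is weak evidence; a "found" result is the useful one.
;  * Any open error other than ENOENT is also reported as "clean".
;-----------------------------------------------------------------------
_merikenin_ipsecs:
        push    ebp
        mov     ebp, esp

        ; open("/usr/_h4x_", O_RDONLY, 0x100); mode is irrelevant without O_CREAT
        mov     eax, 5                    ; sys_open (i386)
        mov     ebx, _H4X_PATH_
        xor     ecx, ecx                  ; O_RDONLY
        mov     edx, 0x100
        int     0x80

        mov     dword [file], eax
        test    eax, eax
        js      .not_found                ; negative = -errno

        ; fd >= 0: the path exists; release the descriptor
        mov     ebx, eax
        mov     eax, 6                    ; sys_close
        int     0x80

        mov     ecx, teks_continuex
        mov     edx, pjg_teks_continuex
        call    _merikenin_writeln
        jmp     _merikenin_out

.not_found:
        mov     ecx, teks_dont_continuex
        mov     edx, pjg_teks_dont_continuex
        call    _merikenin_writeln
        jmp     _merikenin_out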

;eof ipsecs kbeast checking


;getpriv.s
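;-----------------------------------------------------------------------
; _merikenin_pr3p4r3_0pt / _merikenin_get_privilege - root check.
; Calls getuid(2) (i386 syscall 24 = 18h) and branches on the result:
;   uid == 0 -> _merikenin_g0tr00t (continues to the menu)
;   uid != 0 -> _merikenin_n0tr00t (prints the refusal and exits)
; Neither target ever returns here, so the pushes below are never
; undone; they are kept only so the stack layout matches the original.
;
; Fix vs the original: it compared only AL with 0, so any real uid that
; is a multiple of 256 (e.g. 1024) was accepted as root; the full 32-bit
; uid is tested now. The pointless "push eax" before the syscall and the
; unreachable epilogue are gone.
;
; NOTE(review): getuid() returns the *real* uid. A setuid-root copy of
; this tool would be refused although its effective uid is 0; geteuid
; (syscall 49) would be the closer test. Left as getuid on purpose so
; the accepted inputs do not change beyond the bug fix.
;-----------------------------------------------------------------------
_merikenin_pr3p4r3_0pt:
        push    ebx
        push    esi
        push    edi

_merikenin_get_privilege:
        push    ebp
        mov     ebp, esp

        mov     eax, 18h                  ; sys_getuid
        int     80h

        test    eax, eax                  ; whole uid, not just the low byte
        jz      _merikenin_g0tr00t
        jmp     _merikenin_n0tr00t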

;eof getpriv.s
;-----------------------------------------------------------------------
; _merikenin_g0tr00t - reached when getuid() returned 0.
; Prints the "we got root access" line, then hands over to the menu
; through _merikenin_jmpmania. Does not return. Clobbers eax-edx.
;-----------------------------------------------------------------------
_merikenin_g0tr00t:
        push    ebp
        mov     ebp, esp
        mov     edx, pjg_g0tr00t
        mov     ecx, g0tr00t
        call    _merikenin_writeln
        leave                             ; mov esp,ebp / pop ebp
        jmp     _merikenin_jmpmania

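;-----------------------------------------------------------------------
; _merikenin_n0tr00t - reached when getuid() returned non-zero.
; Prints the refusal message and terminates with exit status 1.
;
; Fix vs the original: it jumped to _merikenin_out, which exits with
; whatever ebx happens to hold (here the stdout fd left by
; _merikenin_writeln), so the status was an accident rather than a
; contract. A refusal is an error for the caller; make it explicit.
;-----------------------------------------------------------------------
_merikenin_n0tr00t:
        push    ebp
        mov     ebp, esp
        mov     ecx, n0tr00t
        mov     edx, pjg_n0tr00t
        call    _merikenin_writeln
        mov     esp, ebp
        pop     ebp

        mov     eax, 1                    ; sys_exit
        mov     ebx, 1                    ; status 1: not permitted
        int     80h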

;-----------------------------------------------------------------------
; _merikenin_writeln - write(1, ecx, edx)
; In:   ecx = buffer, edx = byte count (the "ln" is the caller's CRLF)
; Out:  eax = write(2) result (bytes written, or -errno); no caller
;       checks it. ebx = 1 on return.
; Clobbers eax, ebx. ecx/edx/esi/edi survive (int 0x80 only writes eax).
; Short writes are not retried; every caller passes a small constant
; string to stdout.
;-----------------------------------------------------------------------
_merikenin_writeln:
        push    ebp
        mov     ebp, esp
        push    4                         ; sys_write
        pop     eax
        push    1                         ; fd 1 = stdout
        pop     ebx
        int     80h
        leave
        ret


;-----------------------------------------------------------------------
; _merikenin_banner - print the tool name and author lines to stdout.
; Plain call/ret routine. Clobbers eax, ebx, ecx, edx.
;-----------------------------------------------------------------------
_merikenin_banner:
        push    ebp
        mov     ebp, esp

        mov     edx, pjg_t00lname
        mov     ecx, t00lname
        call    _merikenin_writeln

        mov     edx, pjg_c0d3r
        mov     ecx, c0d3r
        call    _merikenin_writeln

        leave
        ret


;-----------------------------------------------------------------------
; _merikenin_do - execve(ebx = path, ecx = argv, edx = envp) helper.
; Not referenced anywhere in this listing; the sysctl routines inline
; their own execve instead. The ret is only reached when execve failed
; (eax = -errno), since success replaces the process image.
;-----------------------------------------------------------------------
_merikenin_do:
        push    11                        ; sys_execve
        pop     eax
        int     80h
        ret

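;-----------------------------------------------------------------------
; _merikenin_net.ipv4.icmp_echo_ignore_broadcasts_1 - menu "sys3".
; execve("/sbin/sysctl",
;        {"/sbin/sysctl", "-w", "net.ipv4.icmp_echo_ignore_broadcasts=1", NULL},
;        NULL)
; The three strings and the argv array are built on the stack from
; little-endian dword pushes; the comment on each push shows the bytes
; in memory order. On success the image is replaced and sysctl's exit
; status becomes the tool's.
;
; Fix vs the original: when execve fails (eax = -errno, typically ENOENT
; because /sbin/sysctl is not there) it fell through to _merikenin_out
; and exited with the stack address still in ebx as the status. It now
; exits with status 1 so a caller can tell the setting was NOT applied.
;
; Notes:
;  * Absolute path and empty environment: PATH and LD_* cannot influence
;    what runs (good), but the binary must exist at exactly /sbin/sysctl.
;  * sysctl -w is runtime-only; it does not survive a reboot unless the
;    key is also placed in sysctl.conf / sysctl.d.
;  * icmp_echo_ignore_broadcasts=1 is already the default on most current
;    kernels; this just makes it explicit.
;-----------------------------------------------------------------------
_merikenin_net.ipv4.icmp_echo_ignore_broadcasts_1:
        push    ebp
        mov     ebp, esp

        xor     eax, eax
        xor     ebx, ebx
        xor     ecx, ecx
        xor     edx, edx                  ; edx stays 0: NUL terminators and envp = NULL

        push    0xb                       ; sys_execve
        pop     eax
        push    edx                       ; NUL after the key=value string

        push    0x313d                    ; "=1\0\0"
        push    0x73747361                ; "asts"
        push    0x6364616f                ; "oadc"
        push    0x72625f65                ; "e_br"
        push    0x726f6e67                ; "gnor"
        push    0x695f6f68                ; "ho_i"
        push    0x63655f70                ; "p_ec"
        push    0x6d63692e                ; ".icm"
        push    0x34767069                ; "ipv4"
        push    0x2e74656e                ; "net."
        mov     esi, esp                  ; esi -> "net.ipv4.icmp_echo_ignore_broadcasts=1"

        push    edx
        push    0x772d                    ; "-w\0\0"
        mov     ecx, esp                  ; ecx -> "-w"

        push    edx
        push    0x6c746373                ; "sctl"
        push    0x79732f6e                ; "n/sy"
        push    0x6962732f                ; "/sbi"
        mov     ebx, esp                  ; ebx -> "/sbin/sysctl" = path and argv[0]

        push    edx                       ; argv[3] = NULL
        push    esi                       ; argv[2] = key=value
        push    ecx                       ; argv[1] = "-w"
        push    ebx                       ; argv[0]
        mov     ecx, esp                  ; ecx -> argv ; edx = envp = NULL
        int     80h

        ; Only reached if execve failed (eax = -errno).
        mov     esp, ebp
        pop     ebp
        mov     eax, 1                    ; sys_exit
        mov     ebx, 1                    ; non-zero: hardening not applied
        int     80h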

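;-----------------------------------------------------------------------
; _merikenin_net.ipv4.tcp_syncookies_1 - menu "sys2".
; execve("/sbin/sysctl",
;        {"/sbin/sysctl", "-w", "net.ipv4.tcp_syncookies=1 ", NULL}, NULL)
; Strings and argv are built on the stack from little-endian dword
; pushes (comments show memory order). On success the image is replaced
; and sysctl's exit status becomes the tool's.
;
; Fix vs the original: on execve failure it fell through to
; _merikenin_out and exited with the stack address in ebx as the status;
; it now exits with status 1 so the caller sees the setting was NOT
; applied.
;
; Notes:
;  * The value string carries a trailing space ("=1 "), unlike sys3;
;    kept byte-for-byte since sysctl/the kernel appear to tolerate it -
;    verify before depending on it.
;  * Absolute path + NULL envp: no PATH/LD_* influence on what runs.
;  * Runtime-only change; persist it via sysctl.conf / sysctl.d.
;  * SYN cookies only engage once the SYN backlog overflows; they are
;    already on by default on most current kernels.
;-----------------------------------------------------------------------
_merikenin_net.ipv4.tcp_syncookies_1:
        push    ebp
        mov     ebp, esp

        xor     eax, eax
        xor     ebx, ebx
        xor     ecx, ecx
        xor     edx, edx                  ; edx stays 0: NUL terminators and envp = NULL

        push    0xb                       ; sys_execve
        pop     eax
        push    edx                       ; NUL after the key=value string

        push    0x2031                    ; "1 \0\0"  (note the trailing space)
        push    0x3d736569                ; "ies="
        push    0x6b6f6f63                ; "cook"
        push    0x6e79735f                ; "_syn"
        push    0x7063742e                ; ".tcp"
        push    0x34767069                ; "ipv4"
        push    0x2e74656e                ; "net."
        mov     esi, esp                  ; esi -> "net.ipv4.tcp_syncookies=1 "

        push    edx
        push    0x772d                    ; "-w\0\0"
        mov     ecx, esp                  ; ecx -> "-w"

        push    edx
        push    0x6c746373                ; "sctl"
        push    0x79732f6e                ; "n/sy"
        push    0x6962732f                ; "/sbi"
        mov     ebx, esp                  ; ebx -> "/sbin/sysctl" = path and argv[0]

        push    edx                       ; argv[3] = NULL
        push    esi                       ; argv[2] = key=value
        push    ecx                       ; argv[1] = "-w"
        push    ebx                       ; argv[0]
        mov     ecx, esp                  ; ecx -> argv ; edx = envp = NULL
        int     80h

        ; Only reached if execve failed (eax = -errno).
        mov     esp, ebp
        pop     ebp
        mov     eax, 1                    ; sys_exit
        mov     ebx, 1                    ; non-zero: hardening not applied
        int     80h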

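;-----------------------------------------------------------------------
; _merikenin_sysctl_w_net.ipv4.conf.all.rp_filter_1 - menu "sys1".
; execve("/sbin/sysctl",
;        {"/sbin/sysctl", "-w", "net.ipv4.conf.all.rp_filter=1 ", NULL}, NULL)
; Strings and argv are built on the stack from little-endian dword
; pushes (comments show memory order). On success the image is replaced
; and sysctl's exit status becomes the tool's.
;
; Fix vs the original: on execve failure it fell through to
; _merikenin_out and exited with the stack address in ebx as the status;
; it now exits with status 1 so the caller sees the setting was NOT
; applied.
;
; Notes:
;  * rp_filter=1 is *strict* reverse-path filtering. On multi-homed or
;    asymmetrically routed hosts it silently drops legitimate traffic;
;    2 (loose) is the usual alternative there. The effective value is
;    combined with the per-interface conf.<if>.rp_filter (the kernel
;    documentation describes it as the max of the two) - confirm for
;    the target kernel.
;  * Trailing space in the value ("=1 "), unlike sys3; kept byte-for-byte.
;  * Absolute path + NULL envp: no PATH/LD_* influence on what runs.
;  * Runtime-only change; persist it via sysctl.conf / sysctl.d.
;-----------------------------------------------------------------------
_merikenin_sysctl_w_net.ipv4.conf.all.rp_filter_1:
        push    ebp
        mov     ebp, esp

        xor     eax, eax
        xor     ebx, ebx
        xor     ecx, ecx
        xor     edx, edx                  ; edx stays 0: NUL terminators and envp = NULL

        push    0xb                       ; sys_execve
        pop     eax
        push    edx                       ; NUL after the key=value string

        push    0x2031                    ; "1 \0\0"  (note the trailing space)
        push    0x3d726574                ; "ter="
        push    0x6c69665f                ; "_fil"
        push    0x70722e6c                ; "l.rp"
        push    0x6c612e66                ; "f.al"
        push    0x6e6f632e                ; ".con"
        push    0x34767069                ; "ipv4"
        push    0x2e74656e                ; "net."
        mov     esi, esp                  ; esi -> "net.ipv4.conf.all.rp_filter=1 "

        push    edx
        push    0x772d                    ; "-w\0\0"
        mov     ecx, esp                  ; ecx -> "-w"

        push    edx
        push    0x6c746373                ; "sctl"
        push    0x79732f6e                ; "n/sy"
        push    0x6962732f                ; "/sbi"
        mov     ebx, esp                  ; ebx -> "/sbin/sysctl" = path and argv[0]

        push    edx                       ; argv[3] = NULL
        push    esi                       ; argv[2] = key=value
        push    ecx                       ; argv[1] = "-w"
        push    ebx                       ; argv[0]
        mov     ecx, esp                  ; ecx -> argv ; edx = envp = NULL
        int     80h

        ; Only reached if execve failed (eax = -errno).
        mov     esp, ebp
        pop     ebp
        mov     eax, 1                    ; sys_exit
        mov     ebx, 1                    ; non-zero: hardening not applied
        int     80h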


;-----------------------------------------------------------------------
; _merikenin_jmpmania - trampoline from the root check into the menu.
; Opens a frame it never closes (the menu code does not come back) and
; jumps to _merikenin_start2.
;-----------------------------------------------------------------------
_merikenin_jmpmania:
        push    ebp
        mov     ebp, esp
        jmp     near _merikenin_start2

;-----------------------------------------------------------------------
; _merikenin_start - first code after _start.
; Prints the banner, then continues (by jump, not call) into the root
; check in _merikenin_pr3p4r3_0pt. Control never returns here, so the
; frame opened below is intentionally left open.
;-----------------------------------------------------------------------
_merikenin_start:
        push    ebp
        mov     ebp, esp
        call    _merikenin_banner
        jmp     near _merikenin_pr3p4r3_0pt


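;-----------------------------------------------------------------------
; _merikenin_start2 - print the menu, read one command, dispatch.
; Reads exactly 4 bytes from stdin into pilih_on_heap and compares them
; as one dword against the menu tokens; only the first four characters
; matter ("sys1xyz" still selects sys1). Anything unrecognised,
; including "quit", EOF or a read error, jumps to _merikenin_out.
; Never returns. Clobbers eax, ebx, ecx, edx.
;
; Fixes vs the original:
;  * read(2) was issued with edx never set; it silently reused the 4
;    left in edx by the preceding write of "cmd:". The count is explicit
;    now (and stays below the 6-byte buffer).
;  * the "quit" menu line (m3nu7) was defined but never shown.
;  * the bytes-read count was pushed and never used; dropped.
;-----------------------------------------------------------------------
_merikenin_start2:
        push    ebp
        mov     ebp, esp

        mov     ecx, m3nu1
        mov     edx, pjg_m3nu1
        call    _merikenin_writeln

        mov     ecx, m3nu2
        mov     edx, pjg_m3nu2
        call    _merikenin_writeln

        mov     ecx, m3nu3
        mov     edx, pjg_m3nu3
        call    _merikenin_writeln

        mov     ecx, m3nu5
        mov     edx, pjg_m3nu5
        call    _merikenin_writeln

        mov     ecx, m3nu6
        mov     edx, pjg_m3nu6
        call    _merikenin_writeln

        mov     ecx, m3nu7
        mov     edx, pjg_m3nu7
        call    _merikenin_writeln

        mov     ecx, c0ns0l3
        mov     edx, pjg_c0ns0l3
        call    _merikenin_writeln

        ; read(0, pilih_on_heap, 4) - the rest of the input line stays on stdin
        mov     eax, 3                    ; sys_read
        xor     ebx, ebx                  ; fd 0 = stdin
        mov     ecx, pilih_on_heap
        mov     edx, 4                    ; command token only; buffer is 6 bytes
        int     80h

        ; On EOF or error the buffer still holds its .bss zeros, so no
        ; token matches and we fall through to the exit below.
        mov     eax, dword [pilih_on_heap]

        cmp     eax, 'sys1'
        je      _merikenin_sysctl_w_net.ipv4.conf.all.rp_filter_1

        cmp     eax, 'sys2'
        je      _merikenin_net.ipv4.tcp_syncookies_1

        cmp     eax, 'sys3'
        je      _merikenin_net.ipv4.icmp_echo_ignore_broadcasts_1

        cmp     eax, 'rkc1'
        je      _merikenin_jynx

        cmp     eax, 'rkc2'
        je      _merikenin_ipsecs

        jmp     _merikenin_out            ; "quit" and anything unrecognised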

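;-----------------------------------------------------------------------
; _merikenin_out - common termination: exit(0).
; Every menu routine jumps here after printing its result.
;
; Fix vs the original: it passed whatever ebx happened to hold as the
; exit status (1 after any write to stdout, a stack address after a
; failed execve in the sysctl routines), so the status carried no
; meaning. It is now an explicit 0.
; NOTE(review): the rootkit probes therefore exit 0 whether or not they
; found something; the result is only in the printed text. Scripts
; should parse stdout, not rely on the status.
;-----------------------------------------------------------------------
_merikenin_out:
        mov     eax, 0x01                 ; sys_exit
        xor     ebx, ebx                  ; status 0
        int     80h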

;Seandainya hatimu adalah sebuah sistem, maka aku akan scan kamu untuk mengetahui port ;mana yang terbuka.

;Seandainya hatimu adalah sebuah sistem maka akan kulakukan traceroute untuk mengetahui ;berapa router (hop)
;menuju hatimu yang bisa dengan mudah kuguncang untuk membuat gejolak trafik di dalam ;hatimu.

;Seandainya hatimu adalah sebuah sistem maka kumohon matikanlah ipsecmu agar aku bisa ;lebih leluasa melakukan penetrasi ke hatimu

;Aku berharap dirimu adalah BSD yang dengan iklas menerima payload remote exploitku di ;hatimu agar
;hatimu terbuka untukku dan memberikan spawn shell harapan padaku agar tanpa ragu ;kulakukan $nc hatimu pada port yang terbuka.

;Seandainya hatimu adalah sebuah sistem yang bisa kumasuki maka ijinkanlah aku untuk ;memiliki hatimu
;seutuhnya dengan mengeksekusi exploit2 ku untuk mengaet root di hatimu tanpa perlu ;menyanyikan lagu bon jovi.

;Seandainya hatimu adalah sebuah sistem yang telah kukuasai ijinkanlah aku
;menanamkan userspace dan kernelspace rootkit agar keberadaanku di hatimu abadi

;Janganlah melupakanku seperti wanita2 lain yang telah melupakanku

;Tapi sayang hatimu bukanlah sebuah system, kamu adalah sang bidadari impianku, yang telah ;mengacaukan sistemku!

;Suatu saat nanti aku akan datang dan mengatakan kalau di MBR ku telah terinfeksi
;virus yang menghanyutkan. Ga ada anti virus yang dapat menangkalnya selain ...kamu.
02-22-2012, 08:10 AM
Post: #2
cyrus Offline
./Devilz Officer
Posts: 58
Joined: Sep 2011
Reputation: 0
RE: merikenin.asm - Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker version 1.
bingung ini apa ya oms ?

nubi neh om, bisa dijelaskan om smangat