cobbweb/main.c

## main.c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/utsname.h>

static char part1[] = {
    0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec,   0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c,
    0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba,   0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00,
    0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a,   0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c,
    0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00,   0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00,
    0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41,   0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42,
    0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89,   0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89,
    0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31,   0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06,
    0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34,   0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6,
    0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88,   0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89,
    0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8,   0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41,
};

static char part2[] = {
    0x42, 0x42, 0x42, 0x42, 0x32, 0x00, 0x00, 0x00,   0x91, 0xd8, 0xf1, 0x6d, 0x70, 0x20, 0x3a, 0xab,
    0x67, 0x9a, 0x0b, 0xc4, 0x91, 0xfb, 0xc7, 0x66,   0x0f, 0xfc, 0xcd, 0xcc, 0xb4, 0x02, 0xfa, 0xd7,
    0x77, 0xb4, 0x54, 0x38, 0xab, 0x1f, 0x0e, 0xe3,   0x8e, 0xd3, 0x0d, 0xeb, 0x99, 0xc3, 0x93, 0xfe,
    0xd1, 0x2b, 0x1b, 0x11, 0xc6, 0x11, 0xef, 0xc8,   0xca, 0x2f,
};

// code to dump the decrypted memory:
static const char dump_mem[] = {
    0xba, 0x31, 0x00, 0x00, 0x00,   // mov    edx, 0x40
    0x8d, 0x4f, 0xce,               // lea    ecx, [edi-0x32]
    0x31, 0xdb,                     // xor    ebx, ebx
    0x43,                           // inc    ebx (stdout)
    0x31, 0xc0,                     // xor    eax, eax
    0xb0, 0x04,                     // add    al, 0x4           - sys_write
    0xcd, 0x80,                     // int    0x80
    0x31, 0xdb,                     // xor    ebx,ebx
    0x43,                           // inc    ebx
    0x31, 0xd2,                     // xor    edx,edx
    0x42,                           // inc    edx
    0x68, 0x0a, 0x00,0x00, 0x00,    // push   0xa
    0x8d, 0x0c, 0x24,               // lea    ecx,[esp]
    0xb8, 0x04, 0x00,0x00, 0x00,    // mov    eax, 0x4
    0xcd, 0x80,                     // int    0x80              - sys_write
    0x31, 0xdb,                     // xor    ebx,ebx
    0x31, 0xc0,                     // xor    eax,eax
    0x40,                           // inc    eax
    0xcd, 0x80,                     // int    0x80              - sys_exit
};

uint32_t patch_mem(char *ptr, size_t size)
{
    uint32_t i;

    for (i = 0; i < size; i++) {
        if (*(uint16_t *)&ptr[i] == 0x80cd) {
            *(uint16_t *)&ptr[i] = 0x45eb;
            return 0;
        }
    }
    return 1;
}

uint32_t check_arch(void)
{
    struct utsname kernel_info;

    uname(&kernel_info);
    return strcmp(kernel_info.machine, "i686") ? 1 : 0;
}

int main(int argc, char **argv)
{
    void *mem;

    if (check_arch()) {
        printf("[-] this program must run on a 32-bit architecture\n");
        return 1;
    }

    printf("[*] allocating page aligned memory\n");
    mem = memalign(4096, 4096);
    if (!mem) {
        printf("[-] error: %s\n", strerror(errno));
        return 1;
    }
    memset(mem, 0, 4096);

    printf("[*] setting page permissions\n");
    if (mprotect(mem, 4096, PROT_READ | PROT_WRITE | PROT_EXEC)) {
        printf("[-] error: %s\n", strerror(errno));
        return 1;
    }

    printf("[*] copying payload\n");

    memcpy(mem, part1, sizeof(part1));
    memcpy(mem + sizeof(part1), part2, sizeof(part2));
    memcpy(mem + sizeof(part1) + sizeof(part2), dump_mem, sizeof(dump_mem));

    printf("[*] adding dump_mem payload\n");
    if (patch_mem(mem, sizeof(part1))) {
        printf("[-] failed to patch memory\n");
        return 0;
    }

    printf("[*] executing payload..\n\n");

    ((int(*)(void))mem)();

    return 0;
}
	#include <stdio.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <errno.h>
	#include <string.h>
	#include <time.h>
	#include <sys/types.h>
	#include <sys/mman.h>
	#include <sys/utsname.h>

	static char part1[] = {
	0xeb, 0x04, 0xaf, 0xc2, 0xbf, 0xa3, 0x81, 0xec, 0x00, 0x01, 0x00, 0x00, 0x31, 0xc9, 0x88, 0x0c,
	0x0c, 0xfe, 0xc1, 0x75, 0xf9, 0x31, 0xc0, 0xba, 0xef, 0xbe, 0xad, 0xde, 0x02, 0x04, 0x0c, 0x00,
	0xd0, 0xc1, 0xca, 0x08, 0x8a, 0x1c, 0x0c, 0x8a, 0x3c, 0x04, 0x88, 0x1c, 0x04, 0x88, 0x3c, 0x0c,
	0xfe, 0xc1, 0x75, 0xe8, 0xe9, 0x5c, 0x00, 0x00, 0x00, 0x89, 0xe3, 0x81, 0xc3, 0x04, 0x00, 0x00,
	0x00, 0x5c, 0x58, 0x3d, 0x41, 0x41, 0x41, 0x41, 0x75, 0x43, 0x58, 0x3d, 0x42, 0x42, 0x42, 0x42,
	0x75, 0x3b, 0x5a, 0x89, 0xd1, 0x89, 0xe6, 0x89, 0xdf, 0x29, 0xcf, 0xf3, 0xa4, 0x89, 0xde, 0x89,
	0xd1, 0x89, 0xdf, 0x29, 0xcf, 0x31, 0xc0, 0x31, 0xdb, 0x31, 0xd2, 0xfe, 0xc0, 0x02, 0x1c, 0x06,
	0x8a, 0x14, 0x06, 0x8a, 0x34, 0x1e, 0x88, 0x34, 0x06, 0x88, 0x14, 0x1e, 0x00, 0xf2, 0x30, 0xf6,
	0x8a, 0x1c, 0x16, 0x8a, 0x17, 0x30, 0xda, 0x88, 0x17, 0x47, 0x49, 0x75, 0xde, 0x31, 0xdb, 0x89,
	0xd8, 0xfe, 0xc0, 0xcd, 0x80, 0x90, 0x90, 0xe8, 0x9d, 0xff, 0xff, 0xff, 0x41, 0x41, 0x41, 0x41,
	};

	static char part2[] = {
	0x42, 0x42, 0x42, 0x42, 0x32, 0x00, 0x00, 0x00, 0x91, 0xd8, 0xf1, 0x6d, 0x70, 0x20, 0x3a, 0xab,
	0x67, 0x9a, 0x0b, 0xc4, 0x91, 0xfb, 0xc7, 0x66, 0x0f, 0xfc, 0xcd, 0xcc, 0xb4, 0x02, 0xfa, 0xd7,
	0x77, 0xb4, 0x54, 0x38, 0xab, 0x1f, 0x0e, 0xe3, 0x8e, 0xd3, 0x0d, 0xeb, 0x99, 0xc3, 0x93, 0xfe,
	0xd1, 0x2b, 0x1b, 0x11, 0xc6, 0x11, 0xef, 0xc8, 0xca, 0x2f,
	};

	// code to dump the decrypted memory:
	static const char dump_mem[] = {
	0xba, 0x31, 0x00, 0x00, 0x00, // mov edx, 0x40
	0x8d, 0x4f, 0xce, // lea ecx, [edi-0x32]
	0x31, 0xdb, // xor ebx, ebx
	0x43, // inc ebx (stdout)
	0x31, 0xc0, // xor eax, eax
	0xb0, 0x04, // add al, 0x4 - sys_write
	0xcd, 0x80, // int 0x80
	0x31, 0xdb, // xor ebx,ebx
	0x43, // inc ebx
	0x31, 0xd2, // xor edx,edx
	0x42, // inc edx
	0x68, 0x0a, 0x00,0x00, 0x00, // push 0xa
	0x8d, 0x0c, 0x24, // lea ecx,[esp]
	0xb8, 0x04, 0x00,0x00, 0x00, // mov eax, 0x4
	0xcd, 0x80, // int 0x80 - sys_write
	0x31, 0xdb, // xor ebx,ebx
	0x31, 0xc0, // xor eax,eax
	0x40, // inc eax
	0xcd, 0x80, // int 0x80 - sys_exit
	};

	uint32_t patch_mem(char *ptr, size_t size)
	{
	uint32_t i;

	for (i = 0; i < size; i++) {
	if ((uint16_t )&ptr[i] == 0x80cd) {
	(uint16_t )&ptr[i] = 0x45eb;
	return 0;
	}
	}
	return 1;
	}

	uint32_t check_arch(void)
	{
	struct utsname kernel_info;

	uname(&kernel_info);
	return strcmp(kernel_info.machine, "i686") ? 1 : 0;
	}

	int main(int argc, char **argv)
	{
	void *mem;

	if (check_arch()) {
	printf("[-] this program must run on a 32-bit architecture\n");
	return 1;
	}

	printf("[*] allocating page aligned memory\n");
	mem = memalign(4096, 4096);
	if (!mem) {
	printf("[-] error: %s\n", strerror(errno));
	return 1;
	}
	memset(mem, 0, 4096);

	printf("[*] setting page permissions\n");
	if (mprotect(mem, 4096, PROT_READ \| PROT_WRITE \| PROT_EXEC)) {
	printf("[-] error: %s\n", strerror(errno));
	return 1;
	}

	printf("[*] copying payload\n");

	memcpy(mem, part1, sizeof(part1));
	memcpy(mem + sizeof(part1), part2, sizeof(part2));
	memcpy(mem + sizeof(part1) + sizeof(part2), dump_mem, sizeof(dump_mem));

	printf("[*] adding dump_mem payload\n");
	if (patch_mem(mem, sizeof(part1))) {
	printf("[-] failed to patch memory\n");
	return 0;
	}

	printf("[*] executing payload..\n\n");

	((int(*)(void))mem)();

	return 0;
	}