New ransomware-shellcode that recreates the Jurassic Park scene

Fri 15-Dec-2017 04:59:18 ART


Why pop calc when you can pop Nedry? This tool contains an x86-64 payload that recreates the Jurassic Park scene in which Dennis Nedry locks Ray Arnold out of his terminal, explains Jim Gil, a computer security expert at the International Institute of Cyber Security (IICS), about pop-nedry. When it runs, the following happens:


1. Allocate a console window with a call to AllocConsole

2. Print the notice "You have not said the magic word!" repeatedly with calls to WriteConsoleA

3. At the same time, load winmm.dll and get the procedure address for PlaySound

4. Play the audio "No, no, no ... you did not say the magic word!" from memory using PlaySound

5. Load shell32.dll and get the procedure address for ShellExecuteA

6. Open the target's browser on a web page that has the infamous Nedry GIF using ShellExecuteA

7. Sleep for a while so the audio can play

8. Restore the stack and return



Python build script (Windows)


The Python build script was made for Windows. To use it, make sure both nasm and Python 2 are installed and added to the PATH environment variable. Run the following command from the project's parent directory to generate the position-independent shellcode binary:


> python --outfile nedry.bin --url


This will assemble the payload, drop the binary in .\build, and write the Nedry page URL into it.

Manual construction (Any operating system)

You can also build the shellcode manually on any operating system with nasm:

> cd .\src
> nasm -f bin -o pop-nedry.bin pop-nedry.asm

Once you have built the binary, you need to patch in your URL. To do this, open a hex editor and go to offset 0x1dd. Overwrite the NULL bytes there with your URL. Make sure it starts with http:// or https://. Do not use a URL longer than 63 characters, so that at least one NULL byte remains to terminate the string.
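The manual hex-editor patch above is easy to get wrong (overrunning the field, forgetting the scheme prefix, or clobbering the terminating NUL). The following script is an added example, not part of the pop-nedry project: it applies the page's stated constraints (offset 0x1dd, http:// or https:// prefix, at most 63 characters, at least one NUL left) and can also read the embedded URL back out of a binary, which is the check an analyst would run on a captured blob. The 64-byte field size (63 characters plus one NUL) and the all-NUL state of the field before patching are assumptions derived from the page's description, and the sample blob is a constructed stand-in, not the real shellcode.

```python
"""Patch a URL into, or read one out of, a pop-nedry-style shellcode binary.

Added example; the offset and length limit come from the project's own
patching instructions, the 64-byte field size is an assumption.
"""
import argparse
import sys

URL_OFFSET = 0x1dd           # offset given in the patching instructions
URL_FIELD_SIZE = 64          # assumption: 63 chars + at least one NUL terminator
MAX_URL_LEN = URL_FIELD_SIZE - 1


def validate_url(url: str) -> bytes:
    """Return the URL as bytes if it satisfies the page's constraints."""
    if not (url.startswith("http://") or url.startswith("https://")):
        raise ValueError("URL must start with http:// or https://")
    # ShellExecuteA takes a narrow (ANSI) string, so keep the URL ASCII.
    try:
        data = url.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("URL must be ASCII") from exc
    if b"\x00" in data:
        raise ValueError("URL must not contain NUL bytes")
    if len(data) > MAX_URL_LEN:
        raise ValueError(
            f"URL must be at most {MAX_URL_LEN} bytes (got {len(data)})")
    return data


def patch_url(blob: bytes, url: str) -> bytes:
    """Write url (NUL-terminated) at URL_OFFSET and return the new blob."""
    data = validate_url(url)
    needed = len(data) + 1                      # URL plus its NUL terminator
    region = blob[URL_OFFSET:URL_OFFSET + needed]
    if len(region) != needed:
        raise ValueError("binary is too short to hold the URL at 0x1dd")
    # Safety check: only overwrite bytes that are currently NUL, so a wrong
    # offset or an already-patched binary does not silently clobber code.
    if any(region):
        raise ValueError("bytes at 0x1dd are not all NUL; wrong offset or already patched")
    return blob[:URL_OFFSET] + data + b"\x00" + blob[URL_OFFSET + needed:]


def extract_url(blob: bytes) -> str:
    """Read the NUL-terminated URL stored at URL_OFFSET (analysis helper)."""
    field = blob[URL_OFFSET:URL_OFFSET + URL_FIELD_SIZE]
    end = field.find(b"\x00")
    if end < 0:
        raise ValueError("URL field at 0x1dd is not NUL-terminated")
    return field[:end].decode("ascii")


def make_sample_blob() -> bytes:
    """Constructed stand-in for the built binary: filler, empty field, filler."""
    return b"\x90" * URL_OFFSET + b"\x00" * URL_FIELD_SIZE + b"\xc3"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="patch or show the embedded URL")
    ap.add_argument("infile")
    ap.add_argument("--out", help="write patched binary here")
    ap.add_argument("--url", help="URL to embed (omit to just print the current one)")
    args = ap.parse_args()
    with open(args.infile, "rb") as f:
        blob = f.read()
    if args.url is None:
        print(extract_url(blob) or "<empty>")
        sys.exit(0)
    patched = patch_url(blob, args.url)
    with open(args.out or args.infile, "wb") as f:
        f.write(patched)
    print("embedded:", extract_url(patched))
```

Run it as `python patch_url.py pop-nedry.bin --out nedry.bin --url http://localhost:8080/` (script name assumed) to patch, or without `--url` to print whatever URL a binary already carries. Refusing to overwrite non-NUL bytes is deliberate: a mistyped offset in a hex editor corrupts the code silently, whereas this script fails loudly.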

Example usage

Build the shellcode binary:

> python --outfile nedry.bin --url

Start a Python web server to serve the Nedry HTML page:

> cd .\html
> python -m SimpleHTTPServer 8080

Test the shellcode with the included ShellcodeTester.exe (or a tool of your choice):

> cd .\utils
> ShellcodeTester.exe ..\build\nedry.bin



Author: David Thomas