New Ransomware-shellcode that recreates the Jurassic Park scene

Fri 15-Dec-2017 04:59:18 ART #949197


"Why pop calc when you can pop Nedry? This tool contains an x86-64 payload that recreates the Jurassic Park scene in which Dennis Nedry locks Ray Arnold out of his terminal," explains Jim Gil, a computer security expert at the International Institute of Cyber Security (IICS), about pop Nedry. When it runs, the following happens:


1. Allocates a console window with a call to AllocConsole

2. Repeatedly writes the message "You didn't say the magic word!" to the console with calls to WriteConsoleA

3. At the same time, loads winmm.dll and gets the procedure address of PlaySound

4. Plays the audio "No, no, no ... you didn't say the magic word!" from memory using PlaySound

5. Loads shell32.dll and gets the procedure address of ShellExecuteA

6. Opens the target's web browser to a web page containing the infamous Nedry GIF using ShellExecuteA

7. Sleeps for a while so the audio can play

8. Restores the stack and returns


Building

Python script (Windows)

The Python script was written for Windows. To use it, make sure both nasm and Python 2 are installed and added to the PATH environment variable. Run the following command from the project's root directory to generate the position-independent shellcode binary:


> python build.py --outfile nedry.bin --url http://127.0.0.1:8080/nedry.html


This will assemble the payload, output the binary to .\build, and patch the Nedry page URL into it.

Manual build (any operating system)

You can also build the shellcode manually on any operating system with nasm:

> cd .\src
> nasm -f bin -o pop-nedry.bin pop-nedry.asm

Once you have built the binary, you need to patch in your URL. To do this, open a hex editor and go to offset 0x1dd. Overwrite the NULL bytes there with your URL. Make sure it starts with http:// or https://. Do not use a URL longer than 63 characters, so that at least one NULL byte remains to terminate the string.
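The manual patching step above is easy to get wrong by hand (writing past the slot, forgetting the terminator, patching the wrong offset). The following Python 3 script is an added example, not part of the pop-nedry project or its build.py: it applies the constraints the text states (offset 0x1dd, http:// or https:// prefix, at most 63 characters, one NULL left as terminator) and refuses to write over anything that is not the reserved NULL slot. The 64-byte slot size is an assumption derived from the 63-character limit; the test binary it builds for the demo is constructed filler, not real shellcode.

```python
"""
Patch a Nedry page URL into a pop-nedry style shellcode binary and read it back.

Added example, not part of the pop-nedry project. It assumes, as the build text
states, that the binary reserves a run of NULL bytes at offset 0x1dd for the URL
and that at most 63 characters may be written so one NULL terminator remains.
The 64-byte slot size (63 chars + terminator) is an assumption derived from that.
"""
import sys

URL_OFFSET = 0x1dd          # offset given in the manual build instructions
URL_MAX_LEN = 63            # leave at least one NULL to terminate the string
URL_SLOT = URL_MAX_LEN + 1  # assumed slot size: 63 chars plus terminator


def validate_url(url: str) -> bytes:
    """Return the URL as ASCII bytes, enforcing the documented constraints."""
    if not url.startswith(("http://", "https://")):
        raise ValueError("URL must start with http:// or https://")
    try:
        data = url.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("URL must be ASCII") from exc
    if len(data) > URL_MAX_LEN:
        raise ValueError(f"URL longer than {URL_MAX_LEN} bytes: {len(data)}")
    if b"\x00" in data:
        raise ValueError("URL must not contain NULL bytes")
    return data


def patch_url(blob: bytes, url: str) -> bytes:
    """Return a copy of blob with url written into the NULL slot at URL_OFFSET."""
    data = validate_url(url)
    end = URL_OFFSET + URL_SLOT
    if len(blob) < end:
        raise ValueError("binary too short to contain the URL slot")
    slot = blob[URL_OFFSET:end]
    # Refuse to overwrite anything but the reserved NULLs: a non-NULL slot means
    # the offset is wrong for this build or the binary was already patched.
    if slot.strip(b"\x00"):
        raise ValueError("URL slot is not all NULL; wrong offset or already patched")
    padded = data + b"\x00" * (URL_SLOT - len(data))   # keeps the terminator
    return blob[:URL_OFFSET] + padded + blob[end:]


def read_url(blob: bytes) -> str:
    """Extract the NULL-terminated URL currently stored in the slot."""
    slot = blob[URL_OFFSET:URL_OFFSET + URL_SLOT]
    raw, _, _ = slot.partition(b"\x00")
    return raw.decode("ascii", errors="replace")


def make_test_blob() -> bytes:
    """Constructed stand-in for an unpatched binary: 0xCC filler with a NULL slot."""
    blob = bytearray(b"\xcc" * 0x300)
    blob[URL_OFFSET:URL_OFFSET + URL_SLOT] = b"\x00" * URL_SLOT
    return bytes(blob)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: patch_nedry_url.py <in.bin> <out.bin> <url>
        infile, outfile, url = sys.argv[1:]
        with open(infile, "rb") as fh:
            patched = patch_url(fh.read(), url)
        with open(outfile, "wb") as fh:
            fh.write(patched)
        print(f"wrote {outfile}: {read_url(patched)}")
    else:
        demo = patch_url(make_test_blob(), "http://127.0.0.1:8080/nedry.html")
        print(read_url(demo))
```

Run it with an input binary, an output path and the URL to write; without arguments it patches the constructed test blob and prints the URL read back. Because the patcher checks that the slot is all NULLs before writing, it fails loudly on a binary whose layout differs from the one the text describes instead of corrupting code next to the slot.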

Usage test

Build the shellcode binary

> python build.py --outfile nedry.bin --url http://127.0.0.1:8080/nedry.html

Start a Python web server to serve the Nedry HTML page

> cd .\html
> python -m SimpleHTTPServer 8080

Test the shellcode with the included ShellcodeTester.exe (or your favorite browser).

> cd .\utils
> ShellcodeTester.exe ..\build\nedry.bin

Source: https://github.com/zznop/pop-nedry

David Thomas, author of New Ransomware-shellcode that recreates the Jurassic Park scene
