» sourcecode

Firefox account data extractor and SkypeTap

carrumba — Thu, 28 Jan 2010 08:00:32 +0000

The new code that extracts the Firefox account data out of the SQLite database is more or less done. If everything goes well I’ll upload the new sourcecode tonight (Swiss time) in a new version of the FFPasswordRecovery tool.

During spring I plan to conduct some tests with the SkypeTap plugin and other instant messengers. If you have some minutes spare and want to see how these apps and the plugin work together don’t hesitate to conduct these tests yourself and inform me afterwards and tell me what happened. Unfortunately my time is rather limited at the moment and school keeps me busy. Therefore hings are moving more slowly than usual.

FBI RAT source code.

carrumba — Sun, 24 Jan 2010 14:30:53 +0000


Name	FBI RAT

Type	RAT

Author	Albinoskunk

Written in	C

Description	After calling for your submissions this is the first RAT source that reached me. It was coded by Albinoskunk. The source is based on Aryan v0.5, it was improved at some places and contains all relevant components of a RAT, client, server, GUI and what I consider as the most interesting part in this RAT is the process injection function. Albinoskunk already documented its features in the forum but to sum it up here the main characteristics : File Manager System Manager Keylogger Screen capture Webcam Packet Sniffer!

Questions	In case you have a question just register at the Megapanzer forum and leave an entry in the according board. Your question will be answerd as soon as possible.

Downloads	Source

Screenshot

W32.Blaster.Worm source code.

carrumba — Fri, 13 Nov 2009 20:15:14 +0000


Name	Win32/Blaster/Worm (Lovsan, Lovesan)

Type	Spreader, Worm

Author	Unknown

Written in	C

Description	This worm was very active in 2003. It spreaded via an RPC vulnerability and executed a DoS attack on a specific date. It’s a well structured code, easy to read and understand. The intresting paragraphs are the spreader which attacks new victim system to learn and see how (easily) it is done and the usage of raw sockets in the payload which is in charge of the SYN flood attack.

Questions	In case you have a question just register at the Megapanzer forum and leave an entry in the according board. Your question will be answerd as soon as possible.

Downloads	Source

Information	Wikipedia

Win32/ogw0rm source code.

carrumba — Sun, 08 Nov 2009 15:02:55 +0000


Name	Win32/ogw0rm

Type	Spreader, Worm

Author	Unknown

Written in	C

Description	Ogw0rm is a good example how malware propagates itself via Instant Messaging apps. It checks the process list for running IM applications and propagates itself by sending messages to new victims. It shows how to enumerate Windows, send key strokes to the OS, Registry stuff and a little networking stuff. A simple malware source to read on a rainy sunday afternoon.

Questions	In case you have a question just register at the Megapanzer forum and leave an entry in the according board. Your question will be answerd as soon as possible.

Downloads	Source

Win32/Rbot source code.

carrumba — Fri, 16 Oct 2009 21:13:31 +0000


Name	Win32/Rbot

Malware type	RAT, Worm

Author	Unknown

Written in	C

Description	Rbot is an IRC controlled backdoor (or “bot”) that can be used to gain unauthorized access to a victim’s machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants. Most instances of Rbot are compressed and/or encrypted with one or more run-time executable packers. Rbot variants are able to spread in a number of different ways. Propagation is launched manually through backdoor control, rather than happening automatically. Not all variants support all propagation mechanisms. Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port. Via Network Shares (TCP ports 139 and 445) Via LSASS buffer overflow vuln. (TCP port 445) Via WebDav vuln. (TCP port 80) Via RPC msgbuffer overflow vuln. (TCP ports 135, 445, 1025) Via RPCSS DCOM msg buffer overflow vuln. (TCP port 135) Via Exploiting weak passwords on MS SQL servers Via UPnP NOTIFY buffer overflow (TCP port 5000) … Rbot’s main function is to act as an IRC controlled backdoor. It attempts to connect to a predefined IRC server and join a specific channel so that the victim’s computer can be controlled. The IRC server, port number, channel and password differ with each variant. Rbot also listens on TCP port 113 to provide ident services, which are required by some IRC servers. Once the victim’s computer is under control, the overseer is able to instruct Win32.Rbot to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit.

Questions	In case you have a question just register at the Megapanzer forum and leave an entry in the according board. Your question will be answerd as soon as possible.

Downloads	Source

Sources	www.ca.com

Source : Firewall bypassing by OLE Automation

carrumba — Sun, 29 Mar 2009 15:28:44 +0000

Below, you can find a link to the example source code to bypass a desktop firewall with the OLE Automation technique. The principle is to start a hidden instance of the Internet Explorer and to control it via the OLE Automation technique.

ole_automation.cpp

Source : How to make a program to delete itself

carrumba — Sat, 07 Mar 2009 15:32:01 +0000

Below, you can find a link to the source code with the function(s) to make a binary delete itself. Under Microsoft Windows it’s not possible to make an executable delete itself. That’s the reason why the function first creates a batch script that deletes the binary file and afterwards itself.

panzer_selfdelete.cpp

Source : Modifying the hosts entry on Windows

carrumba — Fri, 06 Mar 2009 20:13:15 +0000

Below, you can find a link to the source code with the function(s) to add and remove entries in the Windows hosts file.

panzer_modifyhostsfile.cpp

Source : Change DNS server settings

carrumba — Fri, 06 Mar 2009 19:21:51 +0000

Below, you can find a link to the source code with the function(s) to modify the DNS server settings on a Windows system.

panzer_setdnsserver.cpp