;merikenin.asm - Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker version 1.0
;The programmer : ev1lut10n
;dedicated to Merikenin
;thanks to : X-hack,Danzel,Superman,Cakill, nofia fitri,Dedy, Chaer, Paulus gandung,Tian,Zendy,Hendra, Wenkhairu and all my bro and friends
;current big project : "Making a linux botnet and windows botnet that can work synergy (my own idea)"
;website :
;http://www.jasaplus.com
;
;gopher://sdf.org/1/users/wisdomc0
section .bss
; Despite the name this lives in .bss, not on the heap: it receives the command
; typed at the "cmd:" prompt (read(0, ...) in _merikenin_start2); only the first
; 4 bytes are compared against the menu keywords.
pilih_on_heap resb 6
; Result of the open() syscall in the rootkit checks: fd (>= 0) or -errno.
file: resd 1
section .data
; Console strings. Most messages end in 13,10 (CR LF), so stdout receives
; DOS-style line endings; each pjg_* length is `$-label`, i.e. the string
; including its CR LF, and is passed in edx to _merikenin_writeln.
t00lname db ".::Merikenin TCP/IP Stack Hardening and Basic Rootkit Checker::.",13,10
pjg_t00lname equ $-t00lname
c0d3r db "c0der : ev1lut10n",13,10
pjg_c0d3r equ $-c0d3r
g0tr00t db "we got root access",13,10
pjg_g0tr00t equ $-g0tr00t
n0tr00t db "we dont have root priv,sorry y0u can not use this t00l baby",13,10
pjg_n0tr00t equ $-n0tr00t
; Jynx LD_PRELOAD rootkit indicator. Only the preload-file path is used
; (opened for existence in _merikenin_jynx); the poison-library name below is
; defined but never referenced, because the file's contents are not inspected.
jynx_ld_preload_poison_string db "ld_poison.so",0x00
jynx_ld_preload_so_path db "/etc/ld.so.preload",0x00
; Kernel Beast (kbeast) LKM indicator: this directory is opened for existence
; in _merikenin_ipsecs.
_H4X_PATH_ db "/usr/_h4x_",0x00
; Software menu. _merikenin_start2 prints m3nu1, m3nu2, m3nu3, m3nu5 and m3nu6;
; b0nus (which also lacks a CR LF) and m3nu7 are defined but never written.
m3nu1 db "sys1 - Enable source validation by reversed path (checkin the source addr at ip datagram)",13,10
pjg_m3nu1 equ $-m3nu1
m3nu2 db "sys2 - Enable TCP Syn Cookies (protection against syn attack)",13,10
pjg_m3nu2 equ $-m3nu2
m3nu3 db "sys3 - Ignore ICMP Echo Broadcast Requests - (no smurf amplification)!!!",13,10
pjg_m3nu3 equ $-m3nu3
b0nus db "Some bonuses functions :"
pjg_b0nus equ $-b0nus
m3nu5 db "rkc1 - Checking Possible Jynx LD_Preload Rootkit",13,10
pjg_m3nu5 equ $-m3nu5
m3nu6 db "rkc2 - Checking Possible Kernel Beast Ver #1.0 LKM Rootkit -> _H4X_PATH_ /usr/_h4x_",13,10
pjg_m3nu6 equ $-m3nu6
m3nu7 db "quit - quit this t00l",13,10
pjg_m3nu7 equ $-m3nu7
; end of software menu
; Prompt; no CR LF so the cursor stays on the same line as "cmd:".
c0ns0l3 db "cmd:"
pjg_c0ns0l3 equ $-c0ns0l3
; printf-style format string; nothing in this file references it (no libc call here).
pilih db "%s", 0
; Verdict messages for the two rootkit checks.
teks_continue db "/etc/ld.so.preload found beware ! Sorry i'm lazy it's your job to check for ld_poison.so at /etc/ld.so.preload",13,10
pjg_teks_continue equ $-teks_continue
teks_dont_continue db "No /etc/ld.so.preload found ! Seems like your system is clean from jynx rootkit",13,10
pjg_teks_dont_continue equ $-teks_dont_continue
teks_continuex db "/usr/_h4x_ found ! Please wait !!! You're being infected with Kernel Beast Ver #1.0, why u install kernel headers ???",13,10
pjg_teks_continuex equ $-teks_continuex
teks_dont_continuex db "No /usr/_h4x_ found ! Seems like your system is clean from Kernel Beast Ver #1.0",13,10
pjg_teks_dont_continuex equ $-teks_dont_continuex
section .text
global _start
; Program entry. 32-bit Linux, NASM-style syntax, raw int 0x80 syscalls, no libc.
; Control flow in this file is mostly label-to-label jmp rather than call/ret:
; the "routines" below are entered with jmp and all end in _merikenin_out (exit).
_start:
;jmp _merikenin_sysc        ; _merikenin_sysc is not defined anywhere in this file
jmp long _merikenin_start
;starting jynx rootkit checking routine
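;-----------------------------------------------------------------------
; _merikenin_jynx - "rkc1": look for /etc/ld.so.preload, the file the Jynx
; LD_PRELOAD rootkit uses to inject its library.
; Entered by jmp from _merikenin_start2 (not by call); never returns - it
; prints one of two verdicts and exits through _merikenin_out.
; Check: open(jynx_ld_preload_so_path, O_RDONLY, 0x100). The file's contents
; are NOT inspected (jynx_ld_preload_poison_string is never read), and any
; open() error - ENOENT, but also EACCES etc. - is reported as "not found".
; Clobbers: eax, ebx, ecx, edx, [file]. The opened fd is never closed; the
; process exits immediately afterwards. ebp frames are pushed but never
; popped on the way out - harmless because every path ends in exit.
;-----------------------------------------------------------------------
_merikenin_jynx:
        push    ebp
        mov     ebp,esp
        xor     eax,eax
        xor     ebx,ebx
        xor     ecx,ecx
        xor     edx,edx
        call    the_cek                         ; eax=SYS_open, ecx=O_RDONLY(0), edx=0x100
        mov     ebx,jynx_ld_preload_so_path
        int     0x80                            ; eax = fd (>= 0) or -errno
        mov     dword [file],eax
        cmp     dword [file],0
        jl      dont_continue                   ; negative = -errno -> "not found"
                                                ; (was `jle`: fd 0, returned when stdin is
                                                ;  closed, was misreported as not found; the
                                                ;  `je continue` that followed could never
                                                ;  fire because ZF is clear here)
        ; fd >= 0: the file exists, fall through to continue
        mov     esp,ebp
        pop     ebp
continue:
        push    ebp
        mov     ebp,esp
        mov     ecx,teks_continue
        mov     edx,pjg_teks_continue
        call    _merikenin_writeln
        jmp     long _merikenin_out
dont_continue:
        push    ebp
        mov     ebp,esp
        mov     ecx,teks_dont_continue
        mov     edx,pjg_teks_dont_continue
        call    _merikenin_writeln
        jmp     long _merikenin_out
; the_cek - load the open() syscall arguments except the path.
; Out: eax = 5 (SYS_open), ecx = 0 (O_RDONLY), edx = 0x100 (mode; unused
;      without O_CREAT). Clobbers flags. ebx is left for the caller to set.
the_cek:
        push    ebp
        mov     ebp,esp
        mov     eax,5                           ; SYS_open
        xor     ecx,ecx                         ; O_RDONLY (was `xor ecx,0`, a no-op)
        mov     edx,0x100
        mov     esp,ebp
        pop     ebp
        ret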
;eof jynx rootkit checking
;start ipsecs kbeast checking
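;-----------------------------------------------------------------------
; _merikenin_ipsecs - "rkc2": look for /usr/_h4x_, the directory used by the
; Kernel Beast (kbeast) LKM rootkit.
; Entered by jmp from _merikenin_start2 (not by call); never returns - it
; prints one of two verdicts and exits through _merikenin_out.
; Check: open(_H4X_PATH_, O_RDONLY, 0x100) - existence only; any open()
; error (ENOENT, EACCES, ...) is reported as "not found".
; Clobbers: eax, ebx, ecx, edx, [file]. The opened fd is never closed; the
; process exits immediately afterwards. ebp frames are pushed but never
; popped on the way out - harmless because every path ends in exit.
;-----------------------------------------------------------------------
_merikenin_ipsecs:
        push    ebp
        mov     ebp,esp
        xor     eax,eax
        xor     ebx,ebx
        xor     ecx,ecx
        xor     edx,edx
        call    the_cek2                        ; eax=SYS_open, ecx=O_RDONLY(0), edx=0x100
        mov     ebx,_H4X_PATH_
        int     0x80                            ; eax = fd (>= 0) or -errno
        mov     dword [file],eax
        cmp     dword [file],0
        jl      dont_continuex                  ; negative = -errno -> "not found"
                                                ; (was `jle`: fd 0, returned when stdin is
                                                ;  closed, was misreported as not found; the
                                                ;  `je continuex` that followed could never
                                                ;  fire because ZF is clear here)
        ; fd >= 0: the directory exists, fall through to continuex
        mov     esp,ebp
        pop     ebp
continuex:
        push    ebp
        mov     ebp,esp
        mov     ecx,teks_continuex
        mov     edx,pjg_teks_continuex
        call    _merikenin_writeln
        jmp     long _merikenin_out
dont_continuex:
        push    ebp
        mov     ebp,esp
        mov     ecx,teks_dont_continuex
        mov     edx,pjg_teks_dont_continuex
        call    _merikenin_writeln
        jmp     long _merikenin_out
; the_cek2 - load the open() syscall arguments except the path.
; Out: eax = 5 (SYS_open), ecx = 0 (O_RDONLY), edx = 0x100 (mode; unused
;      without O_CREAT). Clobbers flags. ebx is left for the caller to set.
the_cek2:
        push    ebp
        mov     ebp,esp
        mov     eax,5                           ; SYS_open
        xor     ecx,ecx                         ; O_RDONLY (was `xor ecx,0`, a no-op)
        mov     edx,0x100
        mov     esp,ebp
        pop     ebp
        ret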
;eof ipsecs kbeast checking
;getpriv.s
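;-----------------------------------------------------------------------
; _merikenin_pr3p4r3_0pt / _merikenin_get_privilege - root check.
; Entered by jmp from _merikenin_start; never returns. Calls getuid()
; (SYS_getuid = 0x18, the legacy 16-bit variant) and branches:
;   uid == 0 -> _merikenin_g0tr00t (menu), otherwise -> _merikenin_n0tr00t (exit).
; The pushes below are never popped; harmless because every path from here
; ends in exit.
; NOTE(review): this tests the real uid, not the effective uid (SYS_geteuid);
; for a setuid binary the two differ - confirm which one is intended.
;-----------------------------------------------------------------------
_merikenin_pr3p4r3_0pt:
        push    ebx
        push    esi
        push    edi
_merikenin_get_privilege:
        push    ebp
        mov     ebp, esp
        mov     eax, 18h                        ; SYS_getuid
        int     80h                             ; eax = uid
        test    eax, eax                        ; compare all 32 bits: the former `cmp al,0`
                                                ; looked at the low byte only, so any uid that
                                                ; is a multiple of 256 (256, 512, ...) was
                                                ; treated as root
        jz      _merikenin_g0tr00t
        jmp     _merikenin_n0tr00t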
;eof getpriv.s
; _merikenin_g0tr00t - root path: print g0tr00t, then go to the menu via
; _merikenin_jmpmania -> _merikenin_start2. Entered by jz from
; _merikenin_get_privilege; never returns. Clobbers eax, ebx, ecx, edx.
_merikenin_g0tr00t:
push ebp
mov ebp, esp
mov ecx,g0tr00t
mov edx,pjg_g0tr00t
call _merikenin_writeln
mov esp, ebp
pop ebp
jmp _merikenin_jmpmania
; _merikenin_n0tr00t - non-root path: print n0tr00t and exit.
; Entered by jmp from _merikenin_get_privilege; never returns.
; _merikenin_out exits with ebx as status, and ebx is 1 here (set to stdout
; by _merikenin_writeln), so the process ends with exit status 1.
_merikenin_n0tr00t:
push ebp
mov ebp,esp
mov ecx,n0tr00t
mov edx,pjg_n0tr00t
call _merikenin_writeln
mov esp,ebp
pop ebp
jmp _merikenin_out
;-----------------------------------------------------------------------
; _merikenin_writeln - write(1, buf, len)
; In:    ecx = buffer, edx = length (callers pass the matching pjg_* constant)
; Out:   eax = bytes written or -errno; no caller checks it (short writes
;        are not retried)
; Clobb: eax, ebx (left = 1, stdout), flags. ecx/edx survive: int 0x80 on
;        i386 Linux preserves every register except eax.
; The ebp frame is redundant (no locals) but harmless.
;-----------------------------------------------------------------------
_merikenin_writeln:
push ebp
mov ebp,esp
mov ebx,0x1                     ; fd 1 = stdout
mov eax,0x4                     ; SYS_write
int 80h
; (a commented-out DOS int 21h variant used to sit here; it was dead text)
mov esp,ebp
pop ebp
ret
; _merikenin_banner - print the tool name and author lines.
; Called (call/ret) from _merikenin_start. Clobbers eax, ebx, ecx, edx.
_merikenin_banner:
push ebp
mov ebp,esp
mov ecx,t00lname
mov edx,pjg_t00lname
call _merikenin_writeln
mov ecx,c0d3r
mov edx,pjg_c0d3r
call _merikenin_writeln
mov esp,ebp
pop ebp
ret
; _merikenin_do - execve stub: eax = 11 (SYS_execve) with ebx/ecx/edx taken
; as the caller left them. Nothing in this file references this label; the
; sysctl routines below build their own execve inline instead. Dead code
; from what is visible here - confirm before removing.
_merikenin_do:
mov eax, 11
int 80h
ret
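;-----------------------------------------------------------------------
; _merikenin_net.ipv4.icmp_echo_ignore_broadcasts_1 - "sys3":
;   execve("/sbin/sysctl",
;          {"/sbin/sysctl", "-w", "net.ipv4.icmp_echo_ignore_broadcasts=1", NULL},
;          NULL)
; Entered by je from _merikenin_start2; never returns.
; Strings and argv are built on the stack: each string is pushed as
; little-endian dwords after a `push edx` (edx = 0) that supplies its NUL
; terminator. envp is NULL and the path is absolute, so neither PATH nor the
; caller's environment influences what is executed. The setting is runtime
; only (nothing is written to /etc/sysctl.conf).
; On success the process image is replaced and nothing after int 80h runs.
; execve returns only on failure, with eax = -errno; that errno becomes the
; exit status (previously ebx still pointed at the "/sbin/sysctl" string on
; the stack, so the exit status was garbage and the failure went unnoticed).
;-----------------------------------------------------------------------
_merikenin_net.ipv4.icmp_echo_ignore_broadcasts_1:
        push    ebp
        mov     ebp, esp
        xor     eax,eax
        xor     ebx,ebx
        xor     ecx,ecx
        xor     edx,edx
        push    0xb
        pop     eax                             ; SYS_execve
        push    edx                             ; NUL
        push    0x313d                          ; "=1"
        push    0x73747361                      ; "asts"
        push    0x6364616f                      ; "oadc"
        push    0x72625f65                      ; "e_br"
        push    0x726f6e67                      ; "gnor"
        push    0x695f6f68                      ; "ho_i"
        push    0x63655f70                      ; "p_ec"
        push    0x6d63692e                      ; ".icm"
        push    0x34767069                      ; "ipv4"
        push    0x2e74656e                      ; "net."
        mov     esi,esp                         ; esi -> "net.ipv4.icmp_echo_ignore_broadcasts=1"
        push    edx                             ; NUL
        push    0x772d                          ; "-w"
        mov     ecx,esp                         ; ecx -> "-w"
        push    edx                             ; NUL
        push    0x6c746373                      ; "sctl"
        push    0x79732f6e                      ; "n/sy"
        push    0x6962732f                      ; "/sbi"
        mov     ebx,esp                         ; ebx -> "/sbin/sysctl" (filename)
        push    edx                             ; argv[3] = NULL
        push    esi                             ; argv[2] = key=value
        push    ecx                             ; argv[1] = "-w"
        push    ebx                             ; argv[0] = "/sbin/sysctl"
        mov     ecx,esp                         ; ecx -> argv; edx = 0 -> envp = NULL
        int     80h
        ; only reached when execve failed: eax = -errno
        neg     eax
        mov     ebx,eax                         ; exit status = errno
        mov     esp,ebp
        pop     ebp
        jmp     long _merikenin_out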
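;-----------------------------------------------------------------------
; _merikenin_net.ipv4.tcp_syncookies_1 - "sys2":
;   execve("/sbin/sysctl",
;          {"/sbin/sysctl", "-w", "net.ipv4.tcp_syncookies=1", NULL}, NULL)
; Entered by je from _merikenin_start2; never returns.
; Strings and argv are built on the stack: each string is pushed as
; little-endian dwords after a `push edx` (edx = 0) that supplies its NUL
; terminator. envp is NULL and the path is absolute, so neither PATH nor the
; caller's environment influences what is executed. The setting is runtime
; only (nothing is written to /etc/sysctl.conf).
; On success the process image is replaced and nothing after int 80h runs.
; execve returns only on failure, with eax = -errno; that errno becomes the
; exit status (previously the registers were zeroed and the process exited 0,
; silently hiding the failure).
;-----------------------------------------------------------------------
_merikenin_net.ipv4.tcp_syncookies_1:
        push    ebp
        mov     ebp, esp
        xor     eax,eax
        xor     ebx,ebx
        xor     ecx,ecx
        xor     edx,edx
        push    0xb
        pop     eax                             ; SYS_execve
        push    edx                             ; NUL
        push    0x31                            ; "1" (was 0x2031 = "1 " with a trailing
                                                ;  space; now matches the exact "=1" form used
                                                ;  by the icmp routine)
        push    0x3d736569                      ; "ies="
        push    0x6b6f6f63                      ; "cook"
        push    0x6e79735f                      ; "_syn"
        push    0x7063742e                      ; ".tcp"
        push    0x34767069                      ; "ipv4"
        push    0x2e74656e                      ; "net."
        mov     esi,esp                         ; esi -> "net.ipv4.tcp_syncookies=1"
        push    edx                             ; NUL
        push    0x772d                          ; "-w"
        mov     ecx,esp                         ; ecx -> "-w"
        push    edx                             ; NUL
        push    0x6c746373                      ; "sctl"
        push    0x79732f6e                      ; "n/sy"
        push    0x6962732f                      ; "/sbi"
        mov     ebx,esp                         ; ebx -> "/sbin/sysctl" (filename)
        push    edx                             ; argv[3] = NULL
        push    esi                             ; argv[2] = key=value
        push    ecx                             ; argv[1] = "-w"
        push    ebx                             ; argv[0] = "/sbin/sysctl"
        mov     ecx,esp                         ; ecx -> argv; edx = 0 -> envp = NULL
        int     80h
        ; only reached when execve failed: eax = -errno
        neg     eax
        mov     ebx,eax                         ; exit status = errno
        mov     esp,ebp
        pop     ebp
        jmp     long _merikenin_out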
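;-----------------------------------------------------------------------
; _merikenin_sysctl_w_net.ipv4.conf.all.rp_filter_1 - "sys1":
;   execve("/sbin/sysctl",
;          {"/sbin/sysctl", "-w", "net.ipv4.conf.all.rp_filter=1", NULL}, NULL)
; Entered by je from _merikenin_start2; never returns.
; Strings and argv are built on the stack: each string is pushed as
; little-endian dwords after a `push edx` (edx = 0) that supplies its NUL
; terminator. envp is NULL and the path is absolute, so neither PATH nor the
; caller's environment influences what is executed. The setting is runtime
; only (nothing is written to /etc/sysctl.conf).
; On success the process image is replaced and nothing after int 80h runs.
; execve returns only on failure, with eax = -errno; that errno becomes the
; exit status (previously the registers were zeroed and the process exited 0,
; silently hiding the failure).
;-----------------------------------------------------------------------
_merikenin_sysctl_w_net.ipv4.conf.all.rp_filter_1:
        push    ebp
        mov     ebp, esp
        xor     eax,eax
        xor     ebx,ebx
        xor     ecx,ecx
        xor     edx,edx
        push    0xb
        pop     eax                             ; SYS_execve
        push    edx                             ; NUL
        push    0x31                            ; "1" (was 0x2031 = "1 " with a trailing
                                                ;  space; now matches the exact "=1" form used
                                                ;  by the icmp routine)
        push    0x3d726574                      ; "ter="
        push    0x6c69665f                      ; "_fil"
        push    0x70722e6c                      ; "l.rp"
        push    0x6c612e66                      ; "f.al"
        push    0x6e6f632e                      ; ".con"
        push    0x34767069                      ; "ipv4"
        push    0x2e74656e                      ; "net."
        mov     esi,esp                         ; esi -> "net.ipv4.conf.all.rp_filter=1"
        push    edx                             ; NUL
        push    0x772d                          ; "-w"
        mov     ecx,esp                         ; ecx -> "-w"
        push    edx                             ; NUL
        push    0x6c746373                      ; "sctl"
        push    0x79732f6e                      ; "n/sy"
        push    0x6962732f                      ; "/sbi"
        mov     ebx,esp                         ; ebx -> "/sbin/sysctl" (filename)
        push    edx                             ; argv[3] = NULL
        push    esi                             ; argv[2] = key=value
        push    ecx                             ; argv[1] = "-w"
        push    ebx                             ; argv[0] = "/sbin/sysctl"
        mov     ecx,esp                         ; ecx -> argv; edx = 0 -> envp = NULL
        int     80h
        ; only reached when execve failed: eax = -errno
        neg     eax
        mov     ebx,eax                         ; exit status = errno
        mov     esp,ebp
        pop     ebp
        jmp     long _merikenin_out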
; _merikenin_jmpmania - trampoline: _merikenin_g0tr00t jumps here, and this
; just jumps on to _merikenin_start2. The frame pushed below is never popped
; (the two lines after the jmp are unreachable); harmless since every path
; ends in exit.
_merikenin_jmpmania:
push ebp
mov ebp, esp
jmp _merikenin_start2
mov esp,ebp
pop ebp
; _merikenin_start - real entry, reached by jmp from _start: print the banner,
; then jump to the root check (_merikenin_pr3p4r3_0pt). Never returns; the
; epilogue after the jmp is unreachable.
_merikenin_start:
push ebp
mov ebp,esp
call (_merikenin_banner)
jmp _merikenin_pr3p4r3_0pt
mov esp,ebp
pop ebp
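;-----------------------------------------------------------------------
; _merikenin_start2 - print the menu, read a 4-byte command from stdin and
; dispatch. Entered by jmp from _merikenin_jmpmania (root path only); never
; returns.
; Commands: sys1 / sys2 / sys3 replace the process with /sbin/sysctl via
; execve; rkc1 / rkc2 run the rootkit file checks. Anything else - including
; "quit", EOF or a read error - exits through _merikenin_out with ebx = 0.
; m3nu7 ("quit") and b0nus exist in .data but are not printed here.
; Clobbers: eax, ebx, ecx, edx, pilih_on_heap.
;-----------------------------------------------------------------------
_merikenin_start2:
        push    ebp
        mov     ebp, esp
        mov     ecx,m3nu1
        mov     edx,pjg_m3nu1
        call    _merikenin_writeln
        mov     ecx,m3nu2
        mov     edx,pjg_m3nu2
        call    _merikenin_writeln
        mov     ecx,m3nu3
        mov     edx,pjg_m3nu3
        call    _merikenin_writeln
        mov     ecx,m3nu5
        mov     edx,pjg_m3nu5
        call    _merikenin_writeln
        mov     ecx,m3nu6
        mov     edx,pjg_m3nu6
        call    _merikenin_writeln
        mov     ecx,c0ns0l3
        mov     edx,pjg_c0ns0l3
        call    _merikenin_writeln
        mov     eax,3                           ; SYS_read
        mov     ebx,0                           ; stdin (also the exit status on the default path)
        mov     ecx,pilih_on_heap               ; 6-byte .bss buffer
        mov     edx,4                           ; read exactly the 4 command bytes. The length
                                                ; used to be whatever edx still held from the
                                                ; last writeln (pjg_c0ns0l3 = 4, by luck); an
                                                ; explicit bound keeps the read inside the buffer
        int     80h
        test    eax,eax                         ; EOF (0) or -errno: nothing to dispatch
        jle     _merikenin_out                  ; ebx = 0 -> exit status 0
        mov     eax, dword [pilih_on_heap]      ; compare the 4 bytes as one little-endian dword
        cmp     eax,'sys1'
        je      _merikenin_sysctl_w_net.ipv4.conf.all.rp_filter_1
        cmp     eax,'sys2'
        je      _merikenin_net.ipv4.tcp_syncookies_1
        cmp     eax,'sys3'
        je      _merikenin_net.ipv4.icmp_echo_ignore_broadcasts_1
        cmp     eax,'rkc1'
        je      _merikenin_jynx
        cmp     eax,'rkc2'
        je      _merikenin_ipsecs
        jmp     _merikenin_out                  ; unknown command (incl. "quit"): exit 0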
; _merikenin_out - exit(ebx). SYS_exit = 1; the status is whatever ebx holds
; when a path arrives here: 0 from _merikenin_start2's default path (ebx was
; set to 0 for the read), 1 after any _merikenin_writeln (it sets ebx = 1 for
; stdout). Nothing falls through past int 80h.
_merikenin_out:
nop                             ; no effect; kept as in the original
mov eax,0x01                    ; SYS_exit
int 80h