Wednesday, April 16, 2014
Python - base64 Decode and XOR brute force Config File Leading to C2 Server
This script is the same as the below one however it brute forces the XOR key that is used verses knowing that the XOR key is 0xe8.
#!/usr/bin/python
# Malware found on virus total
# Modified variant of the Project Hook point-of-sale malware
# Fetches an obfuscated file containing additional C&C domains:
# http://www.localhost0x2.net/config/config_01.bin
# File content is XOR'ed using 0xE8, then Base64 encoded.
# Original File Content - config_01.bin
# gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
# gJycmNLHx4Sdi4ORxYydhZibxoqBkg==
import base64
# Take the base64 given and decode it and add it to a list
base64info = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="
decodedInfo = base64.b64decode(base64info)
infoDecoded = decodedInfo.encode("hex")
# Take the list and make the values of the list a hex number as a string
info = []
counter = 1
for letter in infoDecoded:
if (counter == 1):
listItem = '0x' + letter
counter = 2
elif (counter == 2):
listItem = listItem + letter
info.append(listItem)
counter = 1
#xorKey = 0xe8
# Redesigned to brute force the xorKey
for xorValue in range(0,256):
# Define the new list of where the hex will go after XORed with the xorKey
newInfo = []
xorKey = hex(xorValue)
#print xorKey
for counter in range(0,len(info)):
# Append to the list and remove from the hex 0x68 so it is represented as 68 in the list
#newInfo.append(hex(int(info[counter], 16) ^ int(xorKey))[2:])
newInfo.append(hex(int(info[counter], 16) ^ int(xorKey, 16))[2:])
# Print the list joined together as a string and then decode the hex to ascii
#print str(hex(xorKey)) + ' ' + ''.join(e for e in newInfo).decode("hex")
try:
if xorValue <> 144 | xorValue <> 145:
print str(xorKey) + ' ' + ''.join(e for e in newInfo).decode("hex")
except IOError:
print str(xorKey) + ' Failed to decode Hex'
finally:
print str(xorKey) + ' Failed to decode Hex'
Subscribe to:
Post Comments (Atom)
-
Here is a quick walk through of GetBoo. The first item that I found was you can harvest the usernames of the existing users that are regist... -
As I was glancing through the logs of my honeypots I spent some time to look at the following logs. In the past I have just overlooked them... -
I ran a Nikto scan and found the following vulnerability in the report that it produces: "OSVDB-637: Enumeration of users is possible...
-
I thought I would work through a few of these web applications provided by OWASP on their broken web applications VM. The first one I th... -
Recently, I stumbled across a webshell that was impersonating a 404 page not found error. The original filename was "404.php.gif"...
No comments:
Post a Comment