Wednesday, April 16, 2014

Python - base64 Decode and XOR brute force Config File Leading to C2 Server


This script is the same as the below one however it brute forces the XOR key that is used verses knowing that the XOR key is 0xe8.

#!/usr/bin/python

# Malware found on virus total
# Modified variant of the Project Hook point-of-sale malware
# Fetches an obfuscated file containing additional C&C domains:
# http://www.localhost0x2.net/config/config_01.bin
# File content is XOR'ed using 0xE8, then Base64 encoded.

# Original File Content - config_01.bin
# gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
# gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

import base64

# Take the base64 given and decode it and add it to a list
base64info = "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2cgJycmNLHx4Sdi4ORxYydhZibxoqBkg=="
decodedInfo = base64.b64decode(base64info)
infoDecoded = decodedInfo.encode("hex")

# Take the list and make the values of the list a hex number as a string
info = []
counter = 1
for letter in infoDecoded:
    if (counter == 1):
        listItem = '0x' + letter
        counter = 2
    elif (counter == 2):
        listItem = listItem + letter
        info.append(listItem)
        counter = 1



#xorKey = 0xe8
# Redesigned to brute force the xorKey
for xorValue in range(0,256):
    # Define the new list of where the hex will go after XORed with the xorKey
    newInfo = []
    xorKey = hex(xorValue)
    #print xorKey
    for counter in range(0,len(info)):
        # Append to the list and remove from the hex 0x68 so it is represented as 68 in the list
        #newInfo.append(hex(int(info[counter], 16) ^ int(xorKey))[2:])
        newInfo.append(hex(int(info[counter], 16) ^ int(xorKey, 16))[2:])

    # Print the list joined together as a string and then decode the hex to ascii
    #print str(hex(xorKey)) + ' ' + ''.join(e for e in newInfo).decode("hex")
    try:
        if xorValue <> 144 | xorValue <> 145:
            print str(xorKey) + ' ' + ''.join(e for e in newInfo).decode("hex")
    except IOError:
        print str(xorKey) + ' Failed to decode Hex'
    finally:
        print str(xorKey) + ' Failed to decode Hex'

No comments:

Post a Comment

Docker with Juiceshop - Focus on SQL Injection

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub or docker images to refr...