/Pegasus_mailslot_decrypt.py
Created Jul 23, 2018
Pegasus trojan from 2018 source code leak SMB Mailslot credentials broadcasting.
| import struct | |
| import hashlib | |
| _SERIALIZED_CREDS_BUFFER_LEN = 22 | |
| def decrypt_envelop(xored): | |
| dwKey = struct.unpack("<I", xored[:4])[0] | |
| print "dwKey: %08x" % dwKey | |
| data = map(ord, xored[4:]) | |
| for i in range(len(data)): | |
| #print "%02x^%02x=%02x"%(data[i], dwKey, data[i] ^ (dwKey & 0xFF)) | |
| data[i] ^= (dwKey & 0xFF) | |
| dwKey = (dwKey >> 5) | (dwKey << (32 - 5)); | |
| dwKey &= 0xFFFFFFFF | |
| decData = ''.join("%c"%x for x in data) | |
| print "hash: "+decData[:20].encode('hex') | |
| print "id: "+decData[20].encode('hex') | |
| print "Data: "+decData[21:].encode('hex') | |
| temp = "\0"*20+decData[20:] | |
| calcedHash = hashlib.sha1(temp).hexdigest() | |
| print "Calced Hash: "+calcedHash | |
| if(calcedHash == decData[:20].encode('hex')): | |
| print "Success" | |
| else: | |
| print "Fail" | |
| return decData[21:] | |
| def decrypt_mailslot(xored): | |
| dwKey = xored[4:8] + xored[:4] | |
| print "dwKey: %s" % dwKey.encode('hex') | |
| data = xored[8:] | |
| dwKey = dwKey * (len(data)/len(dwKey) + 1) | |
| dwKey = dwKey[:len(data)] | |
| decData = [ord(a) ^ ord(b) for a,b in zip(dwKey,data)] | |
| if _SERIALIZED_CREDS_BUFFER_LEN + decData[10] + decData[11] + decData[12] + decData[13] == len(xored): | |
| print "Mailslot decode Good" | |
| else: | |
| print "Mailslot decode BAD" | |
| decData = ''.join("%c"%x for x in decData) | |
| print decData.encode('hex') | |
| return decData | |
| def decrypt_strings(mailslot): | |
| def decrypt_packed_string(xored): | |
| dwKey1 = struct.unpack("<I", xored[:4])[0] | |
| dwKey2 = struct.unpack("<I", xored[4:8])[0] | |
| #print "dwKey1: %08x" % dwKey1 | |
| #print "dwKey2: %08x" % dwKey2 | |
| data = map(ord, xored[8:]) | |
| for i in range(len(data)): | |
| #print "*pOut = %02x ^ %02x ^ %02x"%(data[i], dwKey1 & 0xFF, dwKey2 & 0xFF) | |
| data[i] ^= (dwKey1 & 0xFF) ^ (dwKey2 & 0xFF) | |
| dwKey1 = (dwKey1 >> 3) | (dwKey1 << (32 - 3)) | |
| dwKey2 = (dwKey2 >> 2) | |
| dwKey1 &= 0xFFFFFFFF | |
| dwKey2 &= 0xFFFFFFFF | |
| return ''.join(map(chr, data)) | |
| computer_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 0]) | |
| domain_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 1]) | |
| username_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 2]) | |
| password_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 3]) | |
| index = _SERIALIZED_CREDS_BUFFER_LEN - 8 | |
| computer_name_xored = mailslot[index: index + computer_name_len] | |
| index += computer_name_len | |
| domain_name_xored = mailslot[index: index + domain_name_len] | |
| index += domain_name_len | |
| username_xored = mailslot[index: index + username_len] | |
| index += username_len | |
| password_xored = mailslot[index: index + password_len] | |
| computer_name = decrypt_packed_string(computer_name_xored) | |
| domain_name = decrypt_packed_string(domain_name_xored) | |
| username = decrypt_packed_string(username_xored) | |
| password = decrypt_packed_string(password_xored) | |
| print "Computer name:\t%s\nDomain:\t\t%s\nUsername:\t%s\nPassword:\t%s" % (computer_name, domain_name, username, password) | |
| data = open('cipher.txt', 'rb').read() | |
| data2 = decrypt_envelop(data) | |
| data3 = decrypt_mailslot(data2) | |
| data4 = decrypt_strings(data3) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment