Pegasus trojan (2018 source-code leak): decoding of its SMB Mailslot credential broadcasts.
import struct | |
import hashlib | |
# Byte length of the fixed part of a mailslot frame, counted from the start of
# the 8-byte XOR key. decrypt_strings reads the four one-byte string lengths at
# offset (this - 12) of the decrypted body and the packed strings from offset
# (this - 8); decrypt_mailslot checks this + sum(lengths) against the frame size.
_SERIALIZED_CREDS_BUFFER_LEN = 22
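def decrypt_envelop(xored):
    """Strip the outer XOR/SHA-1 envelope from a captured broadcast.

    Python 3 port of the original Python 2 routine; works on ``bytes``.
    Layout of ``xored`` (byte offsets):

      0..3   little-endian 32-bit key seed
      4..23  SHA-1 (20 bytes) of 20 zero bytes + id byte + payload
      24     one id byte
      25..   payload

    Every byte from offset 4 on is XORed with the low byte of the key,
    which is rotated right by 5 bits (32-bit) after each byte.

    Args:
        xored: raw envelope bytes, at least 25 bytes.

    Returns:
        The decrypted payload following the id byte. Matching the original
        tool, the payload is returned even when the embedded hash does not
        verify - the check result is only printed - so callers must not
        treat a returned value as integrity-checked.

    Raises:
        ValueError: if ``xored`` cannot hold key, hash and id byte.
    """
    if len(xored) < 25:
        raise ValueError("envelope too short: %d bytes" % len(xored))
    key = struct.unpack("<I", xored[:4])[0]
    print("dwKey: %08x" % key)
    out = bytearray(xored[4:])
    for i in range(len(out)):
        out[i] ^= key & 0xFF
        # 32-bit rotate right by 5 before the next byte.
        key = ((key >> 5) | (key << 27)) & 0xFFFFFFFF
    dec = bytes(out)
    embedded_hash, id_byte, payload = dec[:20], dec[20:21], dec[21:]
    print("hash: " + embedded_hash.hex())
    print("id: " + id_byte.hex())
    print("Data: " + payload.hex())
    # The hash is computed over the record with the hash field zeroed.
    calced_hash = hashlib.sha1(b"\0" * 20 + dec[20:]).hexdigest()
    print("Calced Hash: " + calced_hash)
    print("Success" if calced_hash == embedded_hash.hex() else "Fail")
    return payload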
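def decrypt_mailslot(xored):
    """Remove the mailslot-layer XOR from an envelope payload.

    Python 3 port of the original Python 2 routine; works on ``bytes``.
    ``xored[:8]`` is an 8-byte key whose two 4-byte halves are swapped
    before use; the key is then repeated over ``xored[8:]``. Offsets
    10..13 of the decrypted body hold the one-byte lengths of the four
    packed strings, which allows a frame sanity check: the 22-byte fixed
    header plus the four lengths must equal the frame size. Matching the
    original tool the outcome is only printed and the body is returned
    either way.

    Args:
        xored: mailslot frame, 8 key bytes followed by the XORed body.

    Returns:
        The decrypted body, i.e. ``xored[8:]`` with the key removed.

    Raises:
        ValueError: if the frame is shorter than the fixed header (the
            original tool failed with an IndexError here).
    """
    if len(xored) < _SERIALIZED_CREDS_BUFFER_LEN:
        raise ValueError("mailslot frame too short: %d bytes" % len(xored))
    key = xored[4:8] + xored[:4]
    print("dwKey: %s" % key.hex())
    body = xored[8:]
    # Repeat the key to cover the body; integer division keeps this a
    # bytes multiply (the Python 2 original relied on '/' truncating).
    stream = (key * (len(body) // len(key) + 1))[:len(body)]
    dec = bytes(a ^ b for a, b in zip(stream, body))
    # Header guaranteed >= 22 bytes above, so dec has at least 14 bytes.
    declared_size = _SERIALIZED_CREDS_BUFFER_LEN + sum(dec[10:14])
    if declared_size == len(xored):
        print("Mailslot decode Good")
    else:
        print("Mailslot decode BAD")
    print(dec.hex())
    return dec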
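def _decrypt_packed_string(xored):
    """Decrypt one packed string: two 4-byte keys followed by XORed text.

    Each text byte is XORed with the low bytes of both keys; key 1 is then
    rotated right by 3 bits (32-bit) and key 2 is shifted, not rotated,
    right by 2 bits.

    Args:
        xored: 8 key bytes followed by the XORed string.

    Returns:
        The decrypted string as ``bytes``; the protocol does not tell us
        the text encoding, so the caller decides how to render it.

    Raises:
        ValueError: if fewer than 8 key bytes are present (the original
            tool raised struct.error here).
    """
    if len(xored) < 8:
        raise ValueError("packed string too short: %d bytes" % len(xored))
    key1, key2 = struct.unpack("<II", xored[:8])
    out = bytearray(xored[8:])
    for i in range(len(out)):
        out[i] ^= (key1 & 0xFF) ^ (key2 & 0xFF)
        key1 = ((key1 >> 3) | (key1 << 29)) & 0xFFFFFFFF
        key2 >>= 2  # plain shift: this key reaches 0 after 16 bytes
    return bytes(out)


def decrypt_strings(mailslot):
    """Extract the four credential strings from a decrypted mailslot body.

    Python 3 port of the original Python 2 routine; works on ``bytes``.
    ``mailslot`` is the output of decrypt_mailslot. Offsets 10..13 hold the
    one-byte lengths of computer name, domain, username and password; the
    packed strings follow back-to-back from offset 14, each carrying its
    own 8-byte key (see _decrypt_packed_string).

    Args:
        mailslot: decrypted mailslot body.

    Returns:
        ``(computer_name, domain_name, username, password)`` as ``bytes``.
        The original tool only printed them; returning the tuple lets
        callers process the values without scraping stdout. These are the
        credentials the implant broadcast, so treat them as secrets when
        storing or logging.

    Raises:
        ValueError: if the body is too short for the length fields or is
            truncated before the end of the last string.
    """
    lengths_at = _SERIALIZED_CREDS_BUFFER_LEN - 12
    strings_at = _SERIALIZED_CREDS_BUFFER_LEN - 8
    if len(mailslot) < strings_at:
        raise ValueError("mailslot body too short: %d bytes" % len(mailslot))
    lengths = mailslot[lengths_at:lengths_at + 4]
    needed = strings_at + sum(lengths)
    if needed > len(mailslot):
        raise ValueError("mailslot body truncated: need %d bytes, have %d"
                         % (needed, len(mailslot)))
    fields = []
    index = strings_at
    for n in lengths:
        fields.append(_decrypt_packed_string(mailslot[index:index + n]))
        index += n
    computer_name, domain_name, username, password = fields
    # Display only: the encoding is unknown, latin-1 never fails and keeps
    # one character per byte, like the Python 2 print of a raw str did.
    print("Computer name:\t%s\nDomain:\t\t%s\nUsername:\t%s\nPassword:\t%s"
          % tuple(f.decode("latin-1") for f in fields))
    return computer_name, domain_name, username, password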
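def main():
    """Decode ``cipher.txt`` (one captured broadcast) and print each layer.

    The file is closed as soon as it is read (the original left the handle
    open). Each decoding stage prints its own diagnostics.
    """
    with open("cipher.txt", "rb") as fh:
        data = fh.read()
    envelope_payload = decrypt_envelop(data)
    mailslot_body = decrypt_mailslot(envelope_payload)
    decrypt_strings(mailslot_body)


if __name__ == "__main__":
    main()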