Created
July 23, 2018 11:50
-
-
Save kirillwow/3ed4e475dab2e906d94561c7b1798d58 to your computer and use it in GitHub Desktop.
Pegasus trojan from 2018 source code leak SMB Mailslot credentials broadcasting.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import struct | |
| import hashlib | |
| _SERIALIZED_CREDS_BUFFER_LEN = 22 | |
| def decrypt_envelop(xored): | |
| dwKey = struct.unpack("<I", xored[:4])[0] | |
| print "dwKey: %08x" % dwKey | |
| data = map(ord, xored[4:]) | |
| for i in range(len(data)): | |
| #print "%02x^%02x=%02x"%(data[i], dwKey, data[i] ^ (dwKey & 0xFF)) | |
| data[i] ^= (dwKey & 0xFF) | |
| dwKey = (dwKey >> 5) | (dwKey << (32 - 5)); | |
| dwKey &= 0xFFFFFFFF | |
| decData = ''.join("%c"%x for x in data) | |
| print "hash: "+decData[:20].encode('hex') | |
| print "id: "+decData[20].encode('hex') | |
| print "Data: "+decData[21:].encode('hex') | |
| temp = "\0"*20+decData[20:] | |
| calcedHash = hashlib.sha1(temp).hexdigest() | |
| print "Calced Hash: "+calcedHash | |
| if(calcedHash == decData[:20].encode('hex')): | |
| print "Success" | |
| else: | |
| print "Fail" | |
| return decData[21:] | |
| def decrypt_mailslot(xored): | |
| dwKey = xored[4:8] + xored[:4] | |
| print "dwKey: %s" % dwKey.encode('hex') | |
| data = xored[8:] | |
| dwKey = dwKey * (len(data)/len(dwKey) + 1) | |
| dwKey = dwKey[:len(data)] | |
| decData = [ord(a) ^ ord(b) for a,b in zip(dwKey,data)] | |
| if _SERIALIZED_CREDS_BUFFER_LEN + decData[10] + decData[11] + decData[12] + decData[13] == len(xored): | |
| print "Mailslot decode Good" | |
| else: | |
| print "Mailslot decode BAD" | |
| decData = ''.join("%c"%x for x in decData) | |
| print decData.encode('hex') | |
| return decData | |
| def decrypt_strings(mailslot): | |
| def decrypt_packed_string(xored): | |
| dwKey1 = struct.unpack("<I", xored[:4])[0] | |
| dwKey2 = struct.unpack("<I", xored[4:8])[0] | |
| #print "dwKey1: %08x" % dwKey1 | |
| #print "dwKey2: %08x" % dwKey2 | |
| data = map(ord, xored[8:]) | |
| for i in range(len(data)): | |
| #print "*pOut = %02x ^ %02x ^ %02x"%(data[i], dwKey1 & 0xFF, dwKey2 & 0xFF) | |
| data[i] ^= (dwKey1 & 0xFF) ^ (dwKey2 & 0xFF) | |
| dwKey1 = (dwKey1 >> 3) | (dwKey1 << (32 - 3)) | |
| dwKey2 = (dwKey2 >> 2) | |
| dwKey1 &= 0xFFFFFFFF | |
| dwKey2 &= 0xFFFFFFFF | |
| return ''.join(map(chr, data)) | |
| computer_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 0]) | |
| domain_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 1]) | |
| username_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 2]) | |
| password_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 3]) | |
| index = _SERIALIZED_CREDS_BUFFER_LEN - 8 | |
| computer_name_xored = mailslot[index: index + computer_name_len] | |
| index += computer_name_len | |
| domain_name_xored = mailslot[index: index + domain_name_len] | |
| index += domain_name_len | |
| username_xored = mailslot[index: index + username_len] | |
| index += username_len | |
| password_xored = mailslot[index: index + password_len] | |
| computer_name = decrypt_packed_string(computer_name_xored) | |
| domain_name = decrypt_packed_string(domain_name_xored) | |
| username = decrypt_packed_string(username_xored) | |
| password = decrypt_packed_string(password_xored) | |
| print "Computer name:\t%s\nDomain:\t\t%s\nUsername:\t%s\nPassword:\t%s" % (computer_name, domain_name, username, password) | |
| data = open('cipher.txt', 'rb').read() | |
| data2 = decrypt_envelop(data) | |
| data3 = decrypt_mailslot(data2) | |
| data4 = decrypt_strings(data3) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment