Instantly share code, notes, and snippets.

Embed
What would you like to do?
Pegasus trojan from 2018 source code leak SMB Mailslot credentials broadcasting.
import struct
import hashlib
_SERIALIZED_CREDS_BUFFER_LEN = 22
def decrypt_envelop(xored):
dwKey = struct.unpack("<I", xored[:4])[0]
print "dwKey: %08x" % dwKey
data = map(ord, xored[4:])
for i in range(len(data)):
#print "%02x^%02x=%02x"%(data[i], dwKey, data[i] ^ (dwKey & 0xFF))
data[i] ^= (dwKey & 0xFF)
dwKey = (dwKey >> 5) | (dwKey << (32 - 5));
dwKey &= 0xFFFFFFFF
decData = ''.join("%c"%x for x in data)
print "hash: "+decData[:20].encode('hex')
print "id: "+decData[20].encode('hex')
print "Data: "+decData[21:].encode('hex')
temp = "\0"*20+decData[20:]
calcedHash = hashlib.sha1(temp).hexdigest()
print "Calced Hash: "+calcedHash
if(calcedHash == decData[:20].encode('hex')):
print "Success"
else:
print "Fail"
return decData[21:]
def decrypt_mailslot(xored):
dwKey = xored[4:8] + xored[:4]
print "dwKey: %s" % dwKey.encode('hex')
data = xored[8:]
dwKey = dwKey * (len(data)/len(dwKey) + 1)
dwKey = dwKey[:len(data)]
decData = [ord(a) ^ ord(b) for a,b in zip(dwKey,data)]
if _SERIALIZED_CREDS_BUFFER_LEN + decData[10] + decData[11] + decData[12] + decData[13] == len(xored):
print "Mailslot decode Good"
else:
print "Mailslot decode BAD"
decData = ''.join("%c"%x for x in decData)
print decData.encode('hex')
return decData
def decrypt_strings(mailslot):
def decrypt_packed_string(xored):
dwKey1 = struct.unpack("<I", xored[:4])[0]
dwKey2 = struct.unpack("<I", xored[4:8])[0]
#print "dwKey1: %08x" % dwKey1
#print "dwKey2: %08x" % dwKey2
data = map(ord, xored[8:])
for i in range(len(data)):
#print "*pOut = %02x ^ %02x ^ %02x"%(data[i], dwKey1 & 0xFF, dwKey2 & 0xFF)
data[i] ^= (dwKey1 & 0xFF) ^ (dwKey2 & 0xFF)
dwKey1 = (dwKey1 >> 3) | (dwKey1 << (32 - 3))
dwKey2 = (dwKey2 >> 2)
dwKey1 &= 0xFFFFFFFF
dwKey2 &= 0xFFFFFFFF
return ''.join(map(chr, data))
computer_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 0])
domain_name_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 1])
username_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 2])
password_len = ord(mailslot[_SERIALIZED_CREDS_BUFFER_LEN - 12 + 3])
index = _SERIALIZED_CREDS_BUFFER_LEN - 8
computer_name_xored = mailslot[index: index + computer_name_len]
index += computer_name_len
domain_name_xored = mailslot[index: index + domain_name_len]
index += domain_name_len
username_xored = mailslot[index: index + username_len]
index += username_len
password_xored = mailslot[index: index + password_len]
computer_name = decrypt_packed_string(computer_name_xored)
domain_name = decrypt_packed_string(domain_name_xored)
username = decrypt_packed_string(username_xored)
password = decrypt_packed_string(password_xored)
print "Computer name:\t%s\nDomain:\t\t%s\nUsername:\t%s\nPassword:\t%s" % (computer_name, domain_name, username, password)
data = open('cipher.txt', 'rb').read()
data2 = decrypt_envelop(data)
data3 = decrypt_mailslot(data2)
data4 = decrypt_strings(data3)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment