Created
February 28, 2019 16:34
-
-
Save netscylla/9c14da340706d553920edc18bc7c308a to your computer and use it in GitHub Desktop.
An old script that is still useful - semi-automated script to disassemble shell code and fingerprint its functionality
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| ########################################## | |
| # | |
| # Disass.sh (c) 2014 | |
| # Leveraging other OS disassembly and AV tools to fingerprint potential malware | |
| # | |
| # License : | |
| # http://www.gnu.org/licenses/agpl-3.0.txt | |
| # | |
| # Author: Andy @ Netscylla | |
| # | |
| ########################################### | |
| echo -en "Testing for dependancies\n==============\n" | |
| if [ ! -f "/usr/bin/md5" ]; then | |
| export MD5_PROG="openssl dgst -md5" | |
| echo -en "Using OpenSSL for MD5\n" | |
| else | |
| export MD5_PROG="/usr/bin/md5" | |
| echo -en "Found md5\n" | |
| fi | |
| export SHA_PROG="openssl dgst -sha1" | |
| echo -en "Using OpenSSL for SHA1\n" | |
| if [ "$1" != "" ]; then | |
| echo -en "\nFile Info\n==============\n" | |
| echo "Filename: $1" | |
| echo "Date: `date`" | |
| md5=`$MD5_PROG $1` | |
| echo "$md5" | |
| sha=`$SHA_PROG $1` | |
| echo "$sha" | |
| magic=`file $1` | |
| echo "magic: $magic" | |
| if [ "$magic" == "$1: ASCII text, with very long lines" ]; then | |
| echo "FOUND ASCII FILE.... ANALYSING..." | |
| base64 -D -i $1 -o $1.data | |
| magic=`file $1.data` | |
| echo "magic: $magic" | |
| fi | |
| if [ ! -f $1.data ]; then | |
| echo "creating data file $1.data" | |
| cp $1 $1.data | |
| magic=`file $1.data` | |
| echo "magic: $magic" | |
| fi | |
| if [ "$magic" == "$1.data: data" ]; then | |
| if [ ! -f $1.data ]; then | |
| cp $1 $1.data | |
| fi | |
| echo -en "\n.text extracted\n==============\n" | |
| md5=`$MD5_PROG $1.data` | |
| echo "$md5" | |
| sha=`$SHA_PROG $1.data` | |
| echo "$sha" | |
| header=`xxd $1.data |head -n 1|cut -b 10-48` | |
| if [ "$header" == "fcbb 07f3 38b3 eb0c 5e56 311e ad01 c385" ]; then | |
| echo "FOUND JMP_ADDITIVE XOR" | |
| fi | |
| cat $1.data |xxd -pr|awk '{printf "%s", $0}'|xargs rasm2 -a x86 -D |sed -e 's/push 0xe553a458/push 0xe553a458 ; hash("kernel32.dll","VirtualAlloc")/g'| sed -e 's/push 0x5fc8d902/push 0x5fc8d902 ; hash("ws2_32.dll","recv")/g'|sed -e 's/push 0x300f2f0b /push 0x300f2f0b ; hash("kernel32.dll","VirtualFree")/g'| sed -e 's/push 0x56a2b5f0/push 0x56a2b5f0 ; hash("kernel32.dll","ExitProcess")/g'|sed -e 's/push 0x614d6e75/push 0x614d6e75 ; hash("ws2_32.dll","closesocket")/g'|sed -e 's/mov ebx, 0x56a2b5f0/mov ebx, 0x56a2b5f0 ; hash("kernel32.dll","ExitProcess")/g'|sed -e 's/push 0x6174a599/push 0x6174a599 ; hash("ws2_32.dll","connect")/g'|sed -e 's/push 0xe0df0fea/push 0xe0df0fea ; hash("ws2_32.dll","WSASocketA")/g'|sed -e 's/push 0x5f327377/push 0x5f327377 ; push 'ws2_32',0,0/g'|sed -e 's/push 0x726774c/push 0x726774c ; hash("kernel32.dll","LoadLibraryA")/g'|sed -e 's/push 0x300f2f0b/push 0x300f2f0b ; hash("kernel32.dll","VirtualFree")/g'|sed -e 's/push 0x6b8029/push 0x6b8029 ; hash("ws2_32.dll", "WSAStartupA")/g'|sed -e 's/mov ebx, 0x6f721347/mov ebx, 0x6f721347 ; hash("ntdll.dll","RtlExitUserThread")/g'|sed -e s'/push 0x9dbd95a6/push 0x9dbd95a6 ; hash("kernel32.dll","GetVersion")/g'|sed -e 's/push 0x863fcc79/push 0x863fcc79 ; hash("kernel32.dll","CreateProcessA")/g'|sed -e 's/push 0x601d8708/push 0x601d8708 ; hash("kernel32.dll","WaitForSingleObject")/g'|sed -e 's/push 0xe13bec74/push 0xe13bec74 ; hash("ws2_32.dll","accept")/g'|sed -e 's/push 0xff38e9b7/push 0xff38e9b7 ; hash("ws2_32.dll","listen")/g'|sed -e 's/push 0x6737dbc2/push 0x6737dbc2 ; hash("ws2_32.dll","bind")/g'|sed -e 's/add byte \[ebx + 0x56a2b5f0\], bh/add byte \[ebx + 0x56a2b5f0\], bh ; hash("kernel32.dll","ExitProcess")/g'|sed -e 's/push 0xe2899612/push 0xe2899612 ; hash("wininet.dll","InternetReadFile")/g'|sed -e 's/push 0x7b18062d/push 0x7b18062d ; hash("wininet.dll","HttpSendRequestA")/g'|sed -e 's/push 0x696e6977/push 0x696e6977 ; 'wininet',0/g'|sed -e 's/push 0xa779563a/push 0xa779563a ; hash("wininet.dll","InternetOpenA")/g'|sed -e 's/push 0x3b2e55eb/push 0x3b2e55eb ; hash("wininet.dll","HttpOpenRequestA")/g' |sed -e 's/push 0xe7bdd8c5/push 0xe7bdd8c5 ; hash("kernel32.dll","WriteProcessMemory”)/g' |sed -e 's/push 0xe035f044/push 0xe035f044 ; hash("kernel32.dll","Sleep”)/g'|sed -e 's/push 0x799aacc6/push 0x799aacc6 ; hash("kernel32.dll","CreateRemoteThread”)/g'|sed -e 's/push 0x3f9287ae/push 0x3f9287ae ; hash("kernel32.dll","VirtualAllocEx”)/g'|sed -e 's/push 0xb16b4ab1/push 0xb16b4ab1 ; hash("kernel32.dll","GetStartupInfoA”)/g'|sed -e 's/push 0x863fcc79/push 0x863fcc79 ; hash("kernel32.dll","CreateProcessA”)/g'|sed -e 's/push 0x869e4675/push 0x869e4675 ; hash("wininet.dll", "InternetSetOptionA”)/g' |sed -e 's/push 0x84e03200/push 0x84e03200 ; hash("wininet.dll", "HttpOpenRequestA”)/g' |sed -e 's/push 0x709d8805/push 0x709d8805 ; hash("winhttp.dll","WinHttpReceiveResponse")/g' |sed -e 's/push 0x91bb5895/push 0x91bb5895 ; hash("winhttp.dll","WinHttpSendRequest")/g'|sed -e 's/push 0xce9d58d3/push 0xce9d58d3 ; hash("winhttp.dll","WinHttpSetOption")/g' |sed -e 's/push 0xc69f8957/push 0xc69f8957 ; hash("wininet.dll","InternetConnectA")/g' |sed -e 's/push 0x61736e64/push 0x61736e64 ; hash("dnsapi.dll","DNSAPI")/g' |sed -e 's/push 0xc99cc96a/push 0xc99cc96a ; hash("dnsapi.dll","DnsQuery_A")/g' | sed -e 's/push 0x90020/push 0x90020 ; Shellcode of Death!/g' | sed -e 's/push 0xbb5f9ead/push 0xbb5f9ead ; hash("kernel32.dll","ReadFile")/g'| sed -e 's/push 0xc0000000/push 0xc0000000 ; hash("dwDesiredAccess","GENERIC_READ | GENERIC_WRITE")/g'> $1.asm | |
| cat $1.asm | |
| echo -en "\nPossible Sockets?\n==============\n" | |
| octets=($(cat $1.asm |grep -B 11 "; hash(\"ws2_32.dll\",\"WSASocketA\")"|head -n 1 |awk '$4 == "push" {print $3}'|sed 's/../0x& /g' | tr ' ' '\n' )) | |
| ip=`printf "%d.%d.%d.%d" ${octets[1]} ${octets[2]} ${octets[3]} ${octets[4]} | sed 's/\.$//'` | |
| port=($(cat $1.asm |grep -B 10 "; hash(\"ws2_32.dll\",\"WSASocketA\")"|head -n 1|awk '$4 == "push" {print $3}'|cut -b 5- |sed 's/../0x& /g' | tr ' ' '\n')) | |
| port2=`printf "%x" ${port[1]} ${port[2]}` | |
| port=`printf "%d\n" 0x${port2}` | |
| echo "Connection string: $ip:$port" | |
| #another possibility for ip & port | |
| octets=($(cat $1.asm |grep -B 6 "; hash(\"ws2_32.dll\",\"connect\")"|head -n 1 |awk '$4 == "push" {print $3}'|sed 's/../0x& /g' | tr ' ' '\n' )) | |
| ip=`printf "%d.%d.%d.%d" ${octets[1]} ${octets[2]} ${octets[3]} ${octets[4]} | sed 's/\.$//'` | |
| port=($(cat $1.asm |grep -B 5 "; hash(\"ws2_32.dll\",\"connect\")"|head -n 1|awk '$4 == "push" {print $3}'|cut -b 5- |sed 's/../0x& /g' | tr ' ' '\n')) | |
| port2=`printf "%x" ${port[1]} ${port[2]}` | |
| port=`printf "%d\n" 0x${port2}` | |
| echo "Connection string: $ip:$port" | |
| #pull connection string from #windows/meterpreter/reverse_ord_tcp | |
| conn=$(cat $1.asm |sed -n '/68.*push/p'|awk '{print $3 }' |awk '!(NR%2){print$0p}{p=$0}') | |
| port2=$(echo $conn|cut -b 7-10) | |
| port=`printf "%d\n" 0x${port2}` | |
| octets=($(echo $conn|cut -b 13-22| sed 's/../0x& /g' | tr ' ' '\n')) | |
| ip=`printf "%d.%d.%d.%d" ${octets[0]} ${octets[1]} ${octets[2]} ${octets[3]}` | |
| echo "Connection string: $ip:$port" | |
| echo -en "\nStrings\n==============\n" | |
| my_strings=`strings $1.data` | |
| echo "$my_strings" | |
| echo -en "\nClamav\n==============\n" | |
| my_avscan=`clamscan $1.data|head -n 2` | |
| echo "$my_avscan" | |
| echo -en "\nMSF/Sample Fingerprint\n=====================\n" | |
| cat $1.asm|grep ";"|cut -f 2 -d";" > $1.msff | |
| msfmd5=`$MD5_PROG $1.msff` | |
| echo "$msfmd5" | |
| msfsha=`$SHA_PROG $1.msff` | |
| echo "$msfsha" | |
| sqlite3 msf.db "select payload from payload where hash = '`echo $msfmd5|awk {'print $2}'`'" | |
| echo -en "\n" | |
| echo "Cleaning up temporary files..." | |
| #rm $1.b64 $1.data $1.asm | |
| fi | |
| else | |
| echo "Missing data file parameter" | |
| fi | |
| #stagers | |
| #windows/meterpreter/reverse_tcp | |
| #MD5 (rev_tcp.msff) = 92f42265acf057eab58a7ae8b35ededa | |
| #SHA (rev_tcp.msff) = fdbccfbd1fd4af350c2f12b15f3c814062c86189 | |
| #windows/meterpreter/reverse_winhttp | |
| #MD5 (rev_winhttp.msff) = 0788013f645e9babbda67f6f8c22a864 | |
| #SHA (rev_winhttp.msff) = c2e1fdd60e29fdacfdbe72d7256680486f09b30b | |
| #windows/meterpreter/reverse_http | |
| #MD5 (rev_http.msff) = 032d23c74678327d7394714b85535381 | |
| #SHA (rev_http.msff) = 84116e59095e45e0b2a116b68fa840c81e8308d7 | |
| #windows/meterpreter/reverse_https | |
| #MD5 (rev_https.msff) = 5177617c7a83619da2528e99bdd89fe2 | |
| #SHA (rev_https.msff) = e5b3222b9607531bd69e416a96094e5eb63b1cda | |
| #windows/meterpreter/reverse_tcp_dns | |
| #MD5 (rev_dns.msff) = 582d3ca7ae0b1c5bd8f85f934e1d6dba | |
| #SHA (rev_dns.msff) = a0f6ed463dc3a0359c6497687d77701eab395bf3 | |
| #windows/meterpreter/reverse_tcp_rc4 | |
| #MD5 (rev_rc4.msff) = 582d3ca7ae0b1c5bd8f85f934e1d6dba | |
| #SHA (rev_rc4.msff) = a0f6ed463dc3a0359c6497687d77701eab395bf3 | |
| #windows/meterpreter/reverse_tcp_allports | |
| #MD5 (rev_tcp_all.msff) = a7dbe5bdc9acbf0a8bd49dd19e8f7650 | |
| #SHA (rev_tcp_all.msff) = e875f1296e18e81df7f5e51e4bd4f7788b860fcd | |
| #windows/meterpreter/reverse_ord_tcp (blanksig) | |
| #MD5 (rev_ord_tcp.msff) = d41d8cd98f00b204e9800998ecf8427e | |
| #SHA (rev_ord_tcp.msff) = da39a3ee5e6b4b0d3255bfef95601890afd80709 | |
| #windows/meterpreter/reverse_nonx_tcp (almost blanksig) | |
| #MD5 (rev_nonx_tcp.msff) = ea7696e4c98fd30c29f03e99980b4621 | |
| #SHA (rev_nonx_tcp.msff) = a373b9bd6be632f7843102e425278a7793e9fbdf | |
| #windows/meterpreter/reverse_tcp_rc4_dns | |
| #MD5 (rev_rc4_dns.msff) = 582d3ca7ae0b1c5bd8f85f934e1d6dba | |
| #SHA (rev_rc4_dns.msff) = a0f6ed463dc3a0359c6497687d77701eab395bf3 | |
| #windows/meterpreter/reverse_tcp_uuid | |
| #MD5 (rev_uuid.msff) = 92f42265acf057eab58a7ae8b35ededa | |
| #SHA (rev_uuid.msff) = fdbccfbd1fd4af350c2f12b15f3c814062c86189 | |
| #windows/meterpreter/reverse_hop_http | |
| #MD5 (rev_hop.msff) = 4e14d3183a3714e231e7f66568740245 | |
| #SHA (rev_hop.msff) = 4ae9f1b5ad15b684d5e325bdc978de8efdd6fe3f | |
| #windows/meterpreter/reverse_http_proxy_pstore | |
| #MD5 (rev_hop.msff) = 52196da700efa0b93dbd4a19f34d2375 | |
| #SHA (rev_hop.msff) = 919b5684739a45adaf33714cfb2352e3a0d54901 | |
| #windows/shell_reverse_tcp | |
| #MD5 (data2.msff) = 8e1a942139b139258adb2be8aca054dd | |
| #SHA (data2.msff) = eac9209b102cca4c6119a12b287818c72e71ea4e |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment