/
fiesta-payload-decrypter.py
69 lines (52 loc) · 2.15 KB
/
fiesta-payload-decrypter.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
#!/usr/bin/python
"""
Created by Yonathan Klijnsma
- http://blog.0x3a.com/
- http://twitter.com/ydklijnsma
Code comes from an article I've written about the Fiesta exploit kit.
This Python script is able to decrypt the payloads retrieved from the
Fiesta exploit kit after successful exploitation of some kind.
Shellcode based and non shellcode based payloads are supported.
This script was tested against payloads dropped in January 2015.
If it stops working please file a bug report at the Github repo!
Github repository URL: https://github.com/0x3a/tools/
"""
import sys
def ShellcodeDecrypt(data):
return NonShellcodeDecrypt(data[16:])[25:-1]
def NonShellcodeDecrypt(data):
key_offset = 256
ldata = list(data[key_offset:])
lkey = list(data[:key_offset])
c_index_s1 = 0
c_index_s2 = 0
decrypted_data = ''
for i in xrange(0, len(ldata)):
c_index_s1 = c_index_s1 + 1 & 0xFF;
c_index_s2 = c_index_s2 + ord(lkey[c_index_s1]) & 0xFF;
j = lkey[c_index_s1];
lkey[c_index_s1] = lkey[c_index_s2];
lkey[c_index_s2] = j;
k = ord(lkey[c_index_s1]) + ord(lkey[c_index_s2]) & 0xFF;
decrypted_data += chr(ord(ldata[i]) ^ ord(lkey[k]));
return decrypted_data
def DecryptFiestaPyload(inputfile, outputfile):
fdata = open(inputfile, "rb").read()
print '[+] Encrypted file size %d' % len(fdata)
decrypted_fdata = NonShellcodeDecrypt(fdata)
if decrypted_fdata[:2] != 'MZ':
decrypted_fdata = ShellcodeDecrypt(fdata)
if decrypted_fdata[:2] != 'MZ':
print '[!] Unable to decrypt data!'
return
else:
print '[+] Payload was used by a shellcode based exploit, decrypted successfully!'
else:
print '[+] Payload was used for a non-shellcode based exploit, decrypted successfully!'
print '[+] Decrypted file size %d' % len(decrypted_fdata)
open(outputfile, "wb").write(decrypted_fdata)
if __name__ == "__main__":
if len(sys.argv) != 3:
print '%s <input filename> <output filename>' % sys.argv[0]
else:
sys.exit(DecryptFiestaPyload(sys.argv[1], sys.argv[2]))