├── README.md └── fiesta-payload-decrypter.py /README.md: -------------------------------------------------------------------------------- 1 | # Tools 2 | A collection of tools mostly written in Python. Some of the tools *might* be related to my blog articles at http://blog.0x3a.com/. 3 | -------------------------------------------------------------------------------- /fiesta-payload-decrypter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | """ 4 | Created by Yonathan Klijnsma 5 | - http://blog.0x3a.com/ 6 | - http://twitter.com/ydklijnsma 7 | 8 | Code comes from an article I've written about the Fiesta exploit kit. 9 | This Python script is able to decrypt the payloads retrieved from the 10 | Fiesta exploit kit after successful exploitation of some kind. 11 | Shellcode based and non shellcode based payloads are supported. 12 | 13 | This script was tested against payloads dropped in January 2015. 14 | If it stops working please file a bug report at the Github repo! 
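Github repository URL: https://github.com/0x3a/tools/

Ported to Python 3: the decrypt helpers take and return bytes.  The output of
this tool is the executable the kit delivered, so keep it inside the isolated
analysis environment the capture came from.
"""

import sys


def ShellcodeDecrypt(data):
    """Decrypt a payload that was delivered through a shellcode-based exploit.

    The shellcode variant carries 16 extra bytes in front of the key block,
    and the decrypted body is wrapped in 25 leading and 1 trailing byte that
    are stripped here.  The offsets are kept exactly as in the original
    implementation; their meaning is not documented in this file.

    Args:
        data: raw bytes of the downloaded payload (bytes or bytearray).

    Returns:
        bytes: the unwrapped decrypted body, empty if *data* is too short.
    """
    return NonShellcodeDecrypt(data[16:])[25:-1]


def NonShellcodeDecrypt(data):
    """Decrypt a payload that was delivered through a non-shellcode exploit.

    Layout, as handled by the original script: the first 256 bytes of *data*
    are an already-permuted 256-entry state table and the remainder is the
    ciphertext.  The loop below is the RC4 output generator (PRGA) run
    directly over that table -- no key-scheduling step happens here, the
    table arrives pre-permuted -- and each ciphertext byte is XORed with the
    generated keystream byte.

    Args:
        data: raw bytes of the downloaded payload (bytes or bytearray).

    Returns:
        bytes: the decrypted ciphertext; empty when *data* holds nothing
        beyond the 256-byte state table, so callers must check the result
        before trusting it.
    """
    key_offset = 256
    # Copy the table: the swaps below must not modify the caller's buffer.
    state = bytearray(data[:key_offset])
    ciphertext = data[key_offset:]
    out = bytearray(len(ciphertext))

    i = 0
    j = 0
    for n, c in enumerate(ciphertext):
        # `+` binds tighter than `&` in the original, so the masks apply to
        # the whole sum; written explicitly here.
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        k = (state[i] + state[j]) & 0xFF
        out[n] = c ^ state[k]

    return bytes(out)


def DecryptFiestaPyload(inputfile, outputfile):
    """Decrypt one captured payload file and write the result to *outputfile*.

    The non-shellcode layout is tried first, then the shellcode layout; a
    result is accepted only when it starts with the ``MZ`` signature of a PE
    file.  Nothing is written when neither attempt yields a PE.

    Args:
        inputfile: path of the encrypted payload as captured.
        outputfile: path where the decrypted PE is written.

    Returns:
        int: 0 when a PE was recovered and written, 1 otherwise (suitable for
        passing straight to ``sys.exit``).

    Raises:
        OSError: if *inputfile* cannot be read or *outputfile* cannot be
        written.
    """
    with open(inputfile, "rb") as fh:
        fdata = fh.read()
    print('[+] Encrypted file size %d' % len(fdata))

    decrypted_fdata = NonShellcodeDecrypt(fdata)

    if decrypted_fdata[:2] != b'MZ':
        decrypted_fdata = ShellcodeDecrypt(fdata)

        if decrypted_fdata[:2] != b'MZ':
            print('[!] Unable to decrypt data!')
            return 1
        print('[+] Payload was used by a shellcode based exploit, decrypted successfully!')
    else:
        print('[+] Payload was used for a non-shellcode based exploit, decrypted successfully!')

    print('[+] Decrypted file size %d' % len(decrypted_fdata))

    # Only written once a PE header was seen, so a failed decrypt never
    # leaves a garbage file behind.
    with open(outputfile, "wb") as fh:
        fh.write(decrypted_fdata)
    return 0


if __name__ == "__main__":
    if len(sys.argv) != 3:
        # NOTE(review): the original usage line printed argv[0] followed by a
        # trailing space only; the argument placeholders appear to have been
        # lost, so they are restored from DecryptFiestaPyload's parameters.
        print('Usage: %s <inputfile> <outputfile>' % sys.argv[0])
        sys.exit(2)
    sys.exit(DecryptFiestaPyload(sys.argv[1], sys.argv[2]))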