Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Vulnerable code analysis
- Below is the psuedocode created from the disassembly of the binary. I have
- renamed the function to “bxc_backdoor” to visually identify it more easily.
- struct passwd *__fastcall bxc_backdoor(const char *a1, const char *a2)
- {
- const char *v2; // r5@1
- const char *v3; // r4@1
- struct passwd *result; // r0@4
- FILE *v5; // r6@5
- struct passwd *v6; // r5@7
- const char *v7; // r0@9
- size_t v8; // r0@10
- int v9; // [sp+0h] [bp-1090h]@1
- char s; // [sp+1000h] [bp-90h]@1
- char dest; // [sp+1040h] [bp-50h]@1
- v2 = a2;
- v3 = a1;
- memset(&s, 0, 0x40u);
- memset(&dest, 0, 0x40u);
- memset(&v9, 0, 0x1000u);
- if ( *v2 )
- {
- v8 = strlen(v2);
- _b64_pton(v2, (u_char *)&v9, v8);
- if ( dword_2C2E4 )
- {
- sub_1194C((const char *)&unk_1B1A4, v2);
- sub_1194C(“pwd decode[%s]\n”, &v9);
- }
- }
- if (!strcmp(v3, “mydlink”)
- && !strcmp((const char *)&v9, “abc12345cba”) )
- {
- result = (struct passwd *)1;
- }
- else
- {
- v5 = (FILE *)fopen64(“/etc/shadow”, “r”);
- while ( 1 )
- {
- result = fgetpwent(v5);
- v6 = result;
- if ( !result )
- break;
- if ( !strcmp(result->pw_name, v3) )
- {
- strcpy(&s, v6->pw_passwd);
- fclose(v5);
- strcpy(&dest, (const char *)&v9);
- v7 = (const char *)sub_1603C(&dest, &s);
- return (struct passwd *)(strcmp(v7, &s) == 0);
- }
- }
- }
- return result;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
