posted on Dec, 1 2011 @ 04:56 AM
Interesting puzzle, OP.
Thanks for bringing it to members' attention.
Some of the following I found in half an hour's digging on the web, but other parts (for example, the second half of the shellcode) I was able to file and solve fairly quickly.
To begin, you first need to extract the first half of the shellcode by copying the actual bytes of the crypt.png image, but as it's only half of the code you won't get anywhere if you try to run it. The other half of the required shellcode is in the "comment" for the image. You can obtain it with a hex editor, but it's far easier to just drop the crypt.png image (or its URL) into an EXIF viewer.
I used Jeffrey's exif viewer to do the job, as it's reliable and I've never had issues with it. (The link shows the actual .png image and the readings for it. Scroll down to see the vital bit, namely the "comment" at the end.)
As you'll see in the above linky, the "comment" reads:
That's a base64 encoded string.
So, just use a base64 decoder (such as this one at opinionatedgeek [dot] com) and you'll find it begins with BBBB (actually BBBB2, but it's the BBBB that's most important here). Now you use a concat to join this piece of shellcode with the first half of the shellcode. Then, run through the code and you'll find a GET request.
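The steps the post describes (read the PNG "comment", base64-decode it, check it starts with BBBB, concatenate it with the first half, then look for the GET request) can be done offline without an EXIF viewer, since a PNG comment is just a tEXt or zTXt chunk. The script below is an added example and not code from the original post or the puzzle; crypt.png and its real shellcode are not included. Instead it builds a small constructed PNG carrying a constructed comment, and the "first half" and the payload bytes (including the GET line) are placeholders chosen only to exercise the procedure.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data: bytes):
    """Yield (type, payload) for each chunk, checking the signature and each chunk's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_text_fields(data: bytes) -> dict:
    """Collect the key/value text fields (tEXt and zTXt) that an EXIF viewer shows as 'Comment' etc."""
    fields = {}
    for ctype, payload in png_chunks(data):
        if ctype == b"tEXt":
            key, _, value = payload.partition(b"\x00")
            fields[key.decode("latin-1")] = value
        elif ctype == b"zTXt":
            key, _, rest = payload.partition(b"\x00")
            # rest[0] is the compression method byte (0 = deflate), the rest is the zlib stream
            fields[key.decode("latin-1")] = zlib.decompress(rest[1:])
    return fields


def second_half_from_comment(png: bytes) -> bytes:
    """Base64-decode the PNG 'Comment' field, which the post says holds the second half of the shellcode."""
    return base64.b64decode(png_text_fields(png)["Comment"], validate=True)


def join_halves(first_half: bytes, png: bytes) -> bytes:
    """Concatenate the first half with the decoded comment, refusing if the marker BBBB is missing."""
    second = second_half_from_comment(png)
    if not second.startswith(b"BBBB"):
        raise ValueError("decoded comment does not start with BBBB")
    return first_half + second


def find_get_request(blob: bytes):
    """Return the first printable 'GET ...' string in the joined bytes, or None."""
    m = re.search(rb"GET [\x20-\x7e]+", blob)
    return m.group(0).decode() if m else None


# --- constructed test fixture below: a minimal 1x1 PNG with a 'Comment' tEXt chunk ---

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_constructed_png(comment: bytes) -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00" + comment)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# Placeholder halves (constructed, not the puzzle's real shellcode).
FIRST_HALF = b"\x90" * 8
SECOND_HALF_PLAIN = b"BBBB2\x00GET /constructed/path HTTP/1.0\r\n\x00"
CONSTRUCTED_PNG = build_constructed_png(base64.b64encode(SECOND_HALF_PLAIN))

if __name__ == "__main__":
    joined = join_halves(FIRST_HALF, CONSTRUCTED_PNG)
    print(png_text_fields(CONSTRUCTED_PNG))
    print(find_get_request(joined))
```

To use this on the real file, replace `CONSTRUCTED_PNG` with the bytes of crypt.png and `FIRST_HALF` with whatever bytes you extracted for the first half; `png_text_fields` will show the same "Comment" field the EXIF viewer does, and `join_halves` only proceeds when the decoded comment starts with BBBB as the post describes.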