def main():
    """Entry point: drive one remote challenge service over a raw TCP session.

    Every ``write`` is paired with the ``read_until('>')`` prompts the service
    emits, so the statement order is the protocol and must not be changed.
    Python 2 syntax (``print`` statement, str used for socket I/O).  All
    names used here (``Netcat``, ``hashpumpy``, ``base64``) come from the
    module scope, which is not part of this extract.
    """
    # Endpoint and menu selections are hard-coded for this one service.
    nc = Netcat('140.112.31.96', 10154)
    nc.read_until('>')
    nc.write('2\n')
    nc.read_until('>')
    nc.read_until('>')
    nc.write('1\n')
    token = nc.read_until('>')
    # Keep the text between 'Token: ' and '===' and drop its last character
    # (presumably a trailing newline -- confirm against the service output).
    token = token.split('Token: ')[1].split('===')[0][:-1]
    ori_data = '&BALSN_Coin=1'
    app_data = '&BALSN_Coin=100000000000'
    is_invalid = ''
    # Candidate length of the server-side secret handed to hashpump; the loop
    # steps it from 44 to 54 and stops at the first success marker.
    length = 44
    while 'Here is your flag!' not in is_invalid:
        nc.write('3\n')
        nc.read_until('>')
        nc.read_until('>')
        # hashpump returns (digest, data).  It is a length-extension tool, so
        # this presupposes the service checks a bare hash over secret||data;
        # a keyed MAC (HMAC) on the server side would not be extendable.
        tmp = hashpumpy.hashpump(token, ori_data, app_data, length)
        nc.write(base64.b64encode(tmp[1].split('Coin=', 1)[1]) + '\n')
        nc.read_until('>')
        nc.write(tmp[0] + '\n')
        is_invalid = nc.read_until('>')
        if 'Here is your flag!' in is_invalid:
            print is_invalid.split('Here is your flag!')[1][1:].split('\n===')[0]
            # NOTE(review): exits with status 1 on the success path while the
            # fall-through below exits 0 -- looks inverted.
            exit(1)
        length += 1
        if length > 54:
            break
    # NOTE(review): nc is never closed on any path.
    exit(0)
def calibrate_flappers(text):
    """Send a calibration command built from the first four characters of ``text``.

    Opens a fresh connection to the module globals ``flappers_host`` /
    ``flappers_port``, writes ``$iread <prefix>\\n`` and closes.  Returns
    the string ``"True"`` (not the bool), as callers expect.  Python 2
    (``print`` statement).
    """
    prefix = text[:4]
    print "** calibrate flappers ", prefix
    link = Netcat(flappers_host, flappers_port)
    link.write('$iread %s\n' % prefix)
    link.close()
    return "True"
def send_to_flappers(text):
    """Send the first four characters of ``text``, pause, then send the ``@@@@`` line.

    Uses the module globals ``flappers_host`` / ``flappers_port``; the ten
    second ``sleep`` between the two writes is preserved as written.  Returns
    the string ``"True"``.  Python 2 (``print`` statement).
    """
    payload = text[:4]
    print "** send to flappers ", payload
    link = Netcat(flappers_host, flappers_port)
    link.write('%s\n' % payload)
    sleep(10)
    link.write('@@@@\n')
    link.close()
    return "True"
def listen():
    """Prompt for a host and port, connect, and walk the 'new' / 'set' menu.

    Both values come from ``raw_input`` (Python 2), so ``port`` is handed to
    ``Netcat`` as a string -- other scripts call ``Netcat(host, int(port))``;
    confirm Netcat accepts a str port.  The prompt strings are runtime output
    and are left as written.  The connection is not closed.
    """
    ip = raw_input("týrnak icinde ip adresi gir:")
    port = raw_input("port gir:")
    nc = Netcat(ip, port)
    nc.read_until('>')
    # Create a new entry, then choose 'set' and wait for the id prompt.
    nc.write('new' + '\n')
    nc.read_until('>')
    nc.write('set' + '\n')
    nc.read_until('id:')
def encrypt(msg):
    """Send hex-encoded ``msg`` to the remote service and return its reply minus a 12-character prefix.

    Connection details are the module globals ``host`` / ``port``.  Two reads
    (presumably banner/prompt text) precede the write; one more follows the
    reply; the session is ended with a bare ``'n'`` and closed.  Python 2
    (``str.encode('hex')``).
    """
    sock = Netcat(host, port)
    for _ in range(2):
        sock.read(1024)
    sock.write('%s\n' % msg.encode('hex'))
    reply = sock.read(1024)
    sock.read(1024)
    sock.write('n')
    sock.close()
    return reply[12:]
def encrypt2(msg):
    """Line-oriented variant of ``encrypt``: send hex-encoded ``msg`` and return the reply minus 12 characters.

    Consumes two lines before writing, echoes ``msg`` to stdout, strips the
    reply line, consumes one more line, answers ``'n\\n'`` and closes.  Uses
    the module globals ``host`` / ``port``; Python 2 (``str.encode('hex')``).
    """
    sock = Netcat(host, port)
    for _ in range(2):
        sock.read_until('\n')
    sock.write('%s\n' % msg.encode('hex'))
    print msg
    reply = sock.read_until('\n').strip()
    sock.read_until('\n')
    sock.write('n\n')
    sock.close()
    return reply[12:]
# Tail of the enclosing function; its header is not part of this extract.
    return data

# Consume call-detail records from Kafka, forward each raw record over the
# already-open ``nc`` socket, and store the parsed record in Cassandra.
# ``conf``, ``nc``, ``logpar`` and ``session`` come from module scope.
consumer = KafkaConsumer(conf.ka_queue, bootstrap_servers=conf.ka_host, auto_offset_reset='latest')
for m in consumer:
    cdr = m.value
    # NOTE(review): echoes the full record (subscriber numbers) to stdout.
    print cdr
    nc.write(cdr + '\n')
    d = logpar(cdr)
    # Naive local time; no timezone attached.
    dt = datetime.datetime.now()
    day = dt.day
    month = dt.month
    year = dt.year
    # Values are bound through driver parameters (%s placeholders), so record
    # contents cannot alter the statement.  TTL 31536000 s = 365 days.
    session.execute("""INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""", (conf.pref,dt,year,month,day,d["call_a"],d["call_b"],d["call_c"],d["duration"],d["inner"],d["in_out"]))
# below is a extract from a sample exploit that # interfaces with a tcp socket from netcat import Netcat # start a new Netcat() instance nc = Netcat('127.0.0.1', 5150) # [ENQ] nc.write('\005') # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF nc.write('\0021H|^~\&| | | | | | | | | | |A.2|200508041154\015\00332\015\012') # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF nc.write( '\0022P|1| | | |^| | |U| | | | | | | | | | | | | | | | |^ | | | | | | |\015\00354\015\012' ) # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF nc.write('\0023C|1\015\00333\015\012') # [ACK]
# Tail of logpar() (its header is not part of this extract): derive the two
# call-type flags from the number lengths and return the record.
    data["in_out"] = True if len(data["call_a"]) > 4 and len(data["call_c"]) == 4 else False
    data["inner"] = True if len(data["call_a"]) == 4 and len(data["call_c"]) == 4 else False
    return data

# Read records from stdin, forward each to flume over ``nc``, and insert the
# parsed record into Cassandra.  Because the line is stripped first, a blank
# line (not only EOF) ends the loop.
while True:
    line = sys.stdin.readline().strip()
    if line == "":
        break
    else:
        ## Send to flume
        nc.write((line + '\n').encode("utf-8"))
        # Local time shifted by ``h4`` (defined elsewhere -- presumably a
        # 4 hour offset; confirm).
        dt = datetime.datetime.now() + h4
        day = dt.day
        month = dt.month
        year = dt.year
        d = logpar(line)
        # Only records whose call_c parses as an int are stored; others are
        # silently dropped after having been forwarded.
        if isInt(d["call_c"]):
            # Parameter binding (%s placeholders), not string formatting, so
            # record contents cannot alter the statement.
            session.execute(
                """INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""",
                (conf.pref, dt, year, month, day, d["call_a"], "", d["call_c"], d["duration"], d["inner"], d["in_out"]))
# below is a extract from a sample exploit that # interfaces with a tcp socket from netcat import Netcat # start a new Netcat() instance nc = Netcat('127.0.0.1', 5150) # [ENQ] nc.write('\005') # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF # 2 STX (Ctrl-B) START OF TEXT # 3 ETX (Ctrl-C) END OF TEXT # 4 EOT (Ctrl-D) END OF TRANSMISSION # 5 ENQ (Ctrl-E) ENQUIRY # 10 LF (Ctrl-J) LINE FEED # 11 VT (Ctrl-K) VERTICAL TAB # 12 FF (Ctrl-L) FORM FEED # 13 CR (Ctrl-M) CARRIAGE RETURN # 14 SO (Ctrl-N) SHIFT OUT # 15 SI (Ctrl-O) SHIFT IN # 16 DLE (Ctrl-P) DATA LINK ESCAPE # 17 DC1 (Ctrl-Q) DEVICE CONTROL 1 (XON) # 18 DC2 (Ctrl-R) DEVICE CONTROL 2 # 19 DC3 (Ctrl-S) DEVICE CONTROL 3 (XOFF) # 20 DC4 (Ctrl-T) DEVICE CONTROL 4 # 21 NAK (Ctrl-U) NEGATIVE ACKNOWLEDGE # 22 SYN (Ctrl-V) SYNCHRONOUS IDLE
# Scripted play-through of a menu-driven game service.  ``host``, ``port``,
# ``buy_item_in_shop``, ``complete_journey`` and ``fight_dragon`` come from
# module scope and are expected to use this same ``nc``.  Python 2.
# start a new Netcat() instance
nc = Netcat(host, port)
print 'Connected'
# get to the prompt
nc.read_until('>')
print "Got prompt"
# buy a sword
buy_item_in_shop(1)
print 'Bought a sword'
# complete a journey to earn money for more powerful weapon
complete_journey()
print 'Completed the journey'
# buy a missile launcher
buy_item_in_shop(4)
print 'Bought a missle launcher'
fight_dragon()
# check status
try:
    nc.write('2\n')
    # b'...' is a plain str under Python 2, matching the str used elsewhere.
    print nc.read_until(b'Weapon level')
    buy_item_in_shop(5)
    nc.write('1' + '\n')
    print nc.read(4096)
except:
    # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit
    # and discards the error; `except Exception as e` with the message
    # printed would keep the best-effort behaviour without hiding the cause.
    print 'Exception occured'
# NOTE(review): printed unconditionally, even after the except branch ran.
print 'Got the flag!!!'
# Tail of logpar() (its header is not part of this extract).
    data["inner"] = True if len(data["call_a"]) == 4 and len(data["call_c"]) == 4 else False
    return data

# Consume call-detail records from the second Kafka queue, forward each raw
# record over the already-open ``nc`` socket, and store the parsed record in
# Cassandra.  ``conf``, ``nc``, ``logpar``, ``isInt`` and ``session`` come
# from module scope.
consumer = KafkaConsumer(conf.ka_queue2, bootstrap_servers=conf.ka_host, auto_offset_reset='latest')
for m in consumer:
    cdr = m.value
    # NOTE(review): echoes the full record (subscriber numbers) to stdout.
    print cdr
    nc.write((cdr + '\n').encode("utf-8"))
    # Naive local time; no timezone attached.
    dt = datetime.datetime.now()
    day = dt.day
    month = dt.month
    year = dt.year
    d = logpar(cdr)
    # Only records whose call_c parses as an int are stored; others are
    # silently dropped after having been forwarded.
    if isInt(d["call_c"]):
        # Parameter binding (%s placeholders), so record contents cannot
        # alter the statement.  TTL 31536000 s = 365 days.
        session.execute(
            """INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""",
            (conf.pref2, dt, year, month, day, d["call_a"], "", d["call_c"], d["duration"], d["inner"], d["in_out"]))
# lines = [line.rstrip() for line in f.readlines()] # for l in lines: # call_a = l[20:32].strip() # call_c = l[54:66].strip() # duration = 0 if l[67:72].strip() == "" else int(l[67:72].strip(),10) # print(l, call_a, call_c, duration) # sys.exit() while True: line = sys.stdin.readline().strip() if line == "": break else: ## Отправка в flume nc.write(line + '\n') dt = datetime.datetime.now() + h4 day = dt.day month = dt.month year = dt.year d = logpar(line) if isInt(d["call_c"]) and isInt(d["call_a"]): session.execute( """INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""", (conf.pref2, dt, year, month, day, d["call_a"], "", d["call_c"], d["duration"], d["inner"], d["in_out"]))
# Build a modified message from ``welcome`` and submit it together with a
# reconstructed (iv, tag) pair.  ``mac``, ``welcome``, ``md``, ``split``,
# ``strxor``, ``pad``, ``long_to_bytes``, ``sleep`` and ``nc`` all come from
# earlier in the file, which is not part of this extract.  Socket I/O is
# bytes throughout (Python 3).
# The first 64 hex characters decode to 32 bytes: a 16-byte IV followed by a
# 16-byte tag.
mac = binascii.unhexlify(mac[:64])
ivd = mac[:16]
t = mac[16:]
BLOCK_SIZE = 16
m = welcome
m = split(m, BLOCK_SIZE)
# Replace block 6 and derive a new IV from the same XOR of md[0] and ivd.
# The self-checks at the bottom spell out the relations relied on here; they
# suggest the server's tag depends on block XORs with a caller-supplied IV
# (confirm from the challenge source -- a keyed MAC over the whole message
# with a fixed or authenticated IV would not satisfy them).
m[6] = strxor(t, strxor(md[0], ivd))
iv = strxor(long_to_bytes(14, BLOCK_SIZE), strxor(md[0], ivd))
m_united = b''
for mi in m:
    #print(mi)
    m_united = m_united + binascii.hexlify(mi)
# Sanity check: iv + t round-trips through hex as exactly 32 bytes.
assert len(binascii.unhexlify(binascii.hexlify(iv + t))) == 32
nc.write(m_united + b'\n')
print('[+] ' + nc.read_until(b': ').decode('utf-8'))
nc.write(binascii.hexlify(iv + t) + b'\n')
# Fixed one-second wait before a single read; a slow reply would be cut off.
sleep(1)
flag = nc.read()
print('[+] ' + flag.decode('utf-8'))
# '''
# Offline self-checks on the constructed message (skipped under python -O,
# since they are asserts).  After the insert at index 0, m[7] is the block
# written as m[6] above.
m = pad(binascii.unhexlify(m_united), BLOCK_SIZE)
m = split(m, BLOCK_SIZE)
m.insert(0, long_to_bytes(len(m), BLOCK_SIZE))
assert strxor(m[0], iv) == strxor(md[0], ivd)
assert strxor(m[7], t) == strxor(ivd, md[0])
assert m[-1] == md[-1]
print(m)
# '''
# below is a extract from a sample exploit that # interfaces with a tcp socket from netcat import Netcat # start a new Netcat() instance nc = Netcat('127.0.0.1', 5150) # [ENQ] nc.write('\005') # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF # bar code is sample id nc.write( '\002D1UpocH-100i^02318729^ 201710230 IJA31600000005900473001160036900780202452031400457107261*0000*000000430*0000*00000385001380009800095001670\003' ) # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF nc.write( '\002D20102050504020000072C6164370D01010304070808060505050607070707070605040303020101000001000000000000000008100B040101010203060B182D485D64563D25130A0604030303030303030303020201010100000000000000000000000000D304091A3857645E4F3E2D2117100B08050403030203030303040404040506080A0B0C1015171D272E060E0E3104310117JINO \003' ) # [ACK] nc.read_until('\006') # [EOT]
# Tail of get_last_number() -- its header and the loop that defines ``i`` and
# ``y`` are not part of this extract; the indentation below is reconstructed
# and should be confirmed against the full file.
    last_number = remaining_sum[i] + last_number
    if (len(remaining_sum) > 37):
        last_number = remaining_sum[y] + last_number
    return long(last_number)

# Main loop: connect once, send ``guess_number``, read the server's sum, and
# peel the coefficients off it one at a time.  Python 2 (``print``, ``long``,
# integer ``/``).  ``guess_number`` is defined elsewhere; ``loop`` is not
# incremented in this extract, so the loop's exit is outside it.
loop = 0
while (loop < 10):
    print "LOOP: " + str(loop)
    if (loop == 0):
        # connect to the server through netcat lib
        nc = Netcat('39.96.8.114', 9999)
    nc.read_until('Please input your number to guess the coeff:')
    nc.write(str(guess_number) + '\n')
    data = nc.read_until("It is your time to guess the coeff!")
    data = data.replace("This is the sum: ", "")
    data = data.replace("It is your time to guess the coeff!", "")
    # NOTE: ``sum`` shadows the builtin for the rest of this scope.
    sum = data
    cof = ""
    for i in range(0, 120):
        if long(sum) == 0 or long(sum) == -1:
            continue
        last_number = get_last_number(sum)
        cof = str(last_number) + str(" ") + cof
        # eliminate last number by subtracting it from the sum, then divide
        # by the guess number (Python 2 integer division on longs; under
        # Python 3 this '/' would produce a float).
        sum = str(long(long(sum) - long(last_number)) / long(guess_number))
    print cof
    nc.write(cof + "\n")
# Echo loop: read a chunk from ``nc``, keep only its digits, and write them
# back.  ``nc``, ``wait`` and ``re`` come from module scope.  Socket I/O is
# bytes (Python 3).  The loop has no real exit: ``1 == 2`` is never true.
while 1:
    if 1 == 2:
        break
    wait(.5)
    ncString1 = nc.read()
    print(ncString1)
    wait(.5)
    # A non-UTF-8 byte in the reply raises UnicodeDecodeError and ends the
    # loop; there is no handling for it.
    ncString2 = ncString1.decode("utf-8")
    # wait(.5)
    num = re.sub(r'\D', "", ncString2)
    #wait(.5)
    num2 = str.encode(num)
    #wait(.5)
    nc.write(num2)
    print(num2)
    wait(.5)
    nc.read()
# The ''' below is not closed in this extract; everything after it up to
# the matching ''' elsewhere in the file is disabled code, not executed.
''' filter(r.match, out) out2 = out.decode("utf-8") num = re.sub(r'\D', "", out2) # start a new note nc.write('num'+'\n') nc.read_until('>') # set note 0 with the payload nc.write('set' + '\n') nc.read_until('id:')
def main2(argv):
    """KNX bus monitor: read frames from an EIB connection, log them, and optionally push decoded values.

    ``argv`` is ``[prog, url]`` where ``url`` is the EIB socket URL, or the
    literal ``"simul"``.  The ``"simul"`` branch has no visible body in this
    extract, and the nesting of the monitor loop under the ``!= "simul"``
    test is reconstructed -- confirm against the full file.  Exits via
    ``sys.exit(1)`` on every error path.  Python 2 (``print`` statement,
    bare ``except``).  ``cson``, ``expanduser``, ``KnxAddressCollection``,
    ``EIBConnection``, ``EIBBuffer``, ``KnxLogFileHandler``, ``KnxPdu``,
    ``Netcat``, ``socket``, ``time``, ``errno``, ``json`` and ``sys`` come
    from module scope.
    """
    if len(argv) != 2:
        print "usage: %s url" % argv[0];
        sys.exit(1);
    # Load config file, if available.  The current working directory is
    # searched before the home directory, so a .knxmonitor.cson placed in
    # cwd overrides the user's own config -- keep that in mind when running
    # from untrusted directories.
    cfgfile = ".knxmonitor.cson"
    try:
        print "Trying: %s" %cfgfile
        # NOTE(review): file objects opened inline here and below are never
        # closed explicitly.
        cfg = cson.loads(open("%s" %cfgfile).read())
        print "Loaded: %s" %cfgfile
    except IOError:
        try:
            print "Trying: ~/%s" %cfgfile
            cfg = cson.loads(open(expanduser("~/%s" % cfgfile)).read())
            print "Loaded: ~/%s" %cfgfile
        except IOError:
            print "No .knxmonitor.cson file found, using default values for config"
            cfg = { 'unitfile' : 'enheter.xml', 'groupfile' : 'groupaddresses.csv' }
    #loadGroupAddrs(cfg['groupfile'])
    #loadDeviceAddrs(cfg['unitfile'])
    devDict = KnxAddressCollection()
    groupDict = KnxAddressCollection()
    dptDict = KnxAddressCollection()
    # Load device and address info
    groupDict.loadGroupAddrs(open(cfg['groupfile']))
    devDict.loadDeviceAddrs(open(cfg['unitfile']))
    if 'dptfile' in cfg.keys():
        dptDict.loadDptTable(open(cfg['dptfile']))
    # Should we push to an InfluxDB instance?
    if 'push2influx' in cfg.keys():
        # "host:port"; a value without ':' raises ValueError here.
        host, port = cfg['push2influx'].split(":")
        print "Pushing to InfluxDB: %s:%d" %(host,int(port))
    if argv[1] != "simul":
        try:
            con = EIBConnection()
        except:
            print "Could not instantiate EIBConnection";
            sys.exit(1);
        # Retry only on socket.error; a non-zero return from EIBSocketURL
        # exits immediately.
        tries = 1
        connected = False
        while (not connected) and (tries < 5):
            try:
                if con.EIBSocketURL(argv[1]) != 0:
                    print "Could not connect to: %s" %argv[1]
                    sys.exit(1)
                else:
                    connected = True
            except socket.error:
                print "failed to connect, retrying in 5 sec..."
                time.sleep(5)
                tries += 1
        if not connected:
            # NOTE(review): tries starts at 1 and the loop stops at 5, so
            # four attempts are made while the message reports five.
            print "Unable to connect, tried %d times, giving up." % tries
            sys.exit(1)
        if con.EIBOpenVBusmonitorText() != 0:
            # For some reason this always "fails" with EBUSY,
            # hence just ignore that particular error
            if con.errno != errno.EBUSY:
                print "Could not open bus monitor";
                sys.exit(1)
        log = KnxLogFileHandler()
        buf = EIBBuffer()
        # Runs until a read fails (sys.exit) -- the EIBClose() after the loop
        # is never reached.
        while 1:
            length = con.EIBGetBusmonitorPacket(buf)
            if length == 0:
                print "Read failed"
                sys.exit(1)
            ts = time.localtime()
            # Raw frame bytes rendered as a str, one chr() per byte.
            b = ""
            for x in buf.buffer:
                b += chr(x)
            print time.asctime(ts) + ":" + b
            outfile = log.getFileToUse()
            outfile.write(time.asctime(ts) + ":" + b + "\n")
            outfile.flush()
            if 'push2influx' in cfg.keys():
                # Best effort decode...
                try:
                    pdu = KnxPdu(devDict, groupDict, b)
                    tim = time.mktime(ts)
                    to = pdu.getTo()
                    info,typ = dptDict[to]
                    val = float(pdu.getValue(typ))
                    # ``info`` (from the DPT table) becomes a JSON key.
                    json_line = json.dumps( { "name" : "KNX", info : val, "tim" : tim } )
                    print json_line
                    #continue
                    # Plain TCP, no authentication or transport security on
                    # this push; a new connection per frame.
                    try:
                        nc = Netcat(host, int(port))
                        nc.write(json_line)
                        nc.close()
                    except Exception as e:
                        print "Failed to netcat: %s" %e
                except:
                    # Ignore problems for now...
                    # NOTE(review): bare except hides every decode error,
                    # including KeyboardInterrupt; `except Exception` with
                    # the frame logged would keep the best-effort intent.
                    #print "failed to decode: %s" %b
                    pass
        con.EIBClose()
# below is a extract from a sample exploit that # interfaces with a tcp socket from netcat import Netcat # start a new Netcat() instance nc = Netcat('127.0.0.1', 5150) # [ENQ] nc.write('\005') # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF # bar code is sample id nc.write('\0021H|\^&|||XS^00-20^69652^^^^05342311||||||||E1394-97\015\00332\015\012') # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF nc.write('\0022P|1|||100926|^Turinawe^ROBERT||19831013|M|||||||||||||||||^^^MHC\015\00354\015\012') # . # . # . Practice assigned patient id # [ACK] nc.read_until('\006') # STX-CR-ETX-CR-LF nc.write('\0023C|1\015\00333\015\012')
'''
Ok, this problem had a netcat interface and I wasn't very happy.
However, the PRF was short and easy to read; the first idea was to send
some Xs with only one 1 and the rest 0s, in order to get a[i] by solving a
discrete log.  The idea wasn't bad, but the server required the inputs to
be at least 2^64; so I took the opposite approach and asked for Xs with all
ones but one 0 in the needed.  The discrete log wasn't hard, because g
always had an order of ~200.
'''
# Connect, answer the proof-of-work prompt interactively, and parse the
# (p, g) pair and n out of the banner.  ``Netcat`` and ``re`` come from
# module scope; the script continues past this extract.  Python 3
# (``input``, ``print()``); whether Netcat expects str or bytes here is not
# visible -- other scripts pass bytes, confirm.
nc = Netcat('167.71.62.250', 23549)
# read PoW request
print(nc.read())
# send PoW
pwd = input("Inserisci la pass")
nc.write(pwd + '\n')
# read parameters
header = nc.read_until('[Q]uit')
print(header)
# Both regexes index [0] unguarded: a banner in another format raises
# IndexError here rather than a readable message.
nums = re.findall(r"\(p, g\) = \((.*?), (.*?)\)", header)
N = int(re.findall(r"for n = (\d*)", header)[0])
# p and g are printed by the service in hexadecimal.
p = int(nums[0][0], 16)
g = int(nums[0][1], 16)
print(p, g)
# compute a table of all powers of g, and its order
logs = {1: 0}
x = g
# This could def be more automated buuuuuut no. for z in range(0, 95, 20): nc = Netcat('2018shell1.picoctf.com', 31123) nc.read() # Hello nc.read() # enter report wrap_start = 'z' * 11 + 'a' * 16 wrap_end = 'a' * (16 + 11) + '\n' # picoCTF{@g3nt6_1$_th3_c00l3$t_3355197} inputs = [ 'c00l3$t_3355197' + y for y in ['_'] + list(string.printable[z:min(z + 20, 95)]) ] nc.write(wrap_start + ''.join(inputs) + wrap_end) resp = nc.read() # output def splitn(line, n=32): return [line[i:i + n] for i in range(0, len(line), n)] # split on the 'a' * 16 # print('\n'.join(splitn(resp))) prefix, queries, postfix = resp.split('99908ad37adef3fb5a94680c5a64c6ca') pm = list(splitn(postfix)) # ignore prefix