/poisonivy.py
Created Sep 27, 2015
Code for the poison ivy challenge, TMCTF2015
| #!/usr/bin/env python | |
| #https://github.com/aris_ada/libctf | |
| from libctf import * | |
| import camellia | |
| from struct import unpack | |
| #https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py | |
| import lznt1 | |
| def crack(): | |
| cleartext=open("cleartext").read()[:16] | |
| ciphertext=open("camellia").read()[:16] | |
| wordlist=open("/home/aris/wordlists/uniq.txt") | |
| print "Cleartext:" | |
| hexdump(cleartext) | |
| print "Ciphertext:" | |
| hexdump(ciphertext) | |
| for w in wordlist.readlines(): | |
| w = w.replace("\n","").replace("\r","") | |
| w = w[:32] | |
| w = w + "\x00" * (32 - len(w)) | |
| c = camellia.CamelliaCipher(key=w, mode=camellia.MODE_ECB) | |
| encrypted = c.encrypt(cleartext) | |
| if (encrypted == ciphertext): | |
| print "Found key !",repr(w) | |
| key = "admin" + "\x00" * (32 - 5) | |
| c = camellia.CamelliaCipher(key=key, mode=camellia.MODE_ECB) | |
| stream = open("stream") | |
| #bypass handshake | |
| stream.read(512) | |
| def print_payload(name): | |
| size = unpack("<I", stream.read(4))[0] | |
| print "size: %d %x"%(size, size) | |
| data = stream.read(size) | |
| padding = (16-(len(data)%16) % 16) | |
| data += "\x00" * padding | |
| data = c.decrypt(data) | |
| print name | |
| hexdump(data,highlight="\x00") | |
| def unpack_multiple(data): | |
| data = list(chunkstring(data, 4)) | |
| return map(lambda x: unpack("<I", x)[0], data) | |
| img = "" | |
| def decode_header(name): | |
| print name | |
| data = stream.read(0x20) | |
| header = c.decrypt(data) | |
| hexdump(header) | |
| cmd,id,datalen,realdatalen,uncompressedlen,totalstreamsize,padding1,padding2 = unpack_multiple(header) | |
| print "cmd:",hex(cmd),"id:",id,"len:",datalen,realdatalen,uncompressedlen,"total:", \ | |
| totalstreamsize, padding1,padding2 | |
| if(uncompressedlen > realdatalen): | |
| print "compressed" | |
| data = stream.read(datalen) | |
| data = c.decrypt(data) | |
| if(uncompressedlen > realdatalen): | |
| data = lznt1.dCompressBuf(data[:realdatalen]) | |
| #hexdump(data) | |
| if(cmd == 0x19): | |
| return data | |
| else: | |
| return "" | |
| print_payload("payload 1") | |
| print "unknown data 1" | |
| hexdump(stream.read(4)) | |
| print_payload("payload 2") | |
| for i in xrange(226): | |
| img += decode_header("header" + str(i)) | |
| open("img.bmp","w").write(img[457:]) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment