Instantly share code, notes, and snippets.

Embed
What would you like to do?
Code for the poison ivy challenge, TMCTF2015
#!/usr/bin/env python
#https://github.com/aris_ada/libctf
from libctf import *
import camellia
from struct import unpack
#https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py
import lznt1
def crack():
cleartext=open("cleartext").read()[:16]
ciphertext=open("camellia").read()[:16]
wordlist=open("/home/aris/wordlists/uniq.txt")
print "Cleartext:"
hexdump(cleartext)
print "Ciphertext:"
hexdump(ciphertext)
for w in wordlist.readlines():
w = w.replace("\n","").replace("\r","")
w = w[:32]
w = w + "\x00" * (32 - len(w))
c = camellia.CamelliaCipher(key=w, mode=camellia.MODE_ECB)
encrypted = c.encrypt(cleartext)
if (encrypted == ciphertext):
print "Found key !",repr(w)
key = "admin" + "\x00" * (32 - 5)
c = camellia.CamelliaCipher(key=key, mode=camellia.MODE_ECB)
stream = open("stream")
#bypass handshake
stream.read(512)
def print_payload(name):
size = unpack("<I", stream.read(4))[0]
print "size: %d %x"%(size, size)
data = stream.read(size)
padding = (16-(len(data)%16) % 16)
data += "\x00" * padding
data = c.decrypt(data)
print name
hexdump(data,highlight="\x00")
def unpack_multiple(data):
data = list(chunkstring(data, 4))
return map(lambda x: unpack("<I", x)[0], data)
img = ""
def decode_header(name):
print name
data = stream.read(0x20)
header = c.decrypt(data)
hexdump(header)
cmd,id,datalen,realdatalen,uncompressedlen,totalstreamsize,padding1,padding2 = unpack_multiple(header)
print "cmd:",hex(cmd),"id:",id,"len:",datalen,realdatalen,uncompressedlen,"total:", \
totalstreamsize, padding1,padding2
if(uncompressedlen > realdatalen):
print "compressed"
data = stream.read(datalen)
data = c.decrypt(data)
if(uncompressedlen > realdatalen):
data = lznt1.dCompressBuf(data[:realdatalen])
#hexdump(data)
if(cmd == 0x19):
return data
else:
return ""
print_payload("payload 1")
print "unknown data 1"
hexdump(stream.read(4))
print_payload("payload 2")
for i in xrange(226):
img += decode_header("header" + str(i))
open("img.bmp","w").write(img[457:])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment