arisada/poisonivy.py

## poisonivy.py
#!/usr/bin/env python

#https://github.com/aris_ada/libctf
from libctf import *
import camellia
from struct import unpack
#https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py
import lznt1

def crack():
	cleartext=open("cleartext").read()[:16]
	ciphertext=open("camellia").read()[:16]
	wordlist=open("/home/aris/wordlists/uniq.txt")

	print "Cleartext:"
	hexdump(cleartext)
	print "Ciphertext:"
	hexdump(ciphertext)

	for w in wordlist.readlines():
		w = w.replace("\n","").replace("\r","")
		w = w[:32]
		w = w + "\x00" * (32 - len(w))
		c = camellia.CamelliaCipher(key=w, mode=camellia.MODE_ECB)
		encrypted = c.encrypt(cleartext)
		if (encrypted == ciphertext):
			print "Found key !",repr(w)

key = "admin" + "\x00" * (32 - 5)
c = camellia.CamelliaCipher(key=key, mode=camellia.MODE_ECB)
stream = open("stream")
#bypass handshake
stream.read(512)
def print_payload(name):
	size = unpack("<I", stream.read(4))[0]
	print "size: %d %x"%(size, size)
	data = stream.read(size)
	padding = (16-(len(data)%16) % 16)
	data += "\x00" * padding
	data = c.decrypt(data)
	print name
	hexdump(data,highlight="\x00")

def unpack_multiple(data):
	data = list(chunkstring(data, 4))
	return map(lambda x: unpack("<I", x)[0], data)

img = ""
def decode_header(name):
	print name
	data = stream.read(0x20)
	header = c.decrypt(data)
	hexdump(header)
	cmd,id,datalen,realdatalen,uncompressedlen,totalstreamsize,padding1,padding2 = unpack_multiple(header)
	print "cmd:",hex(cmd),"id:",id,"len:",datalen,realdatalen,uncompressedlen,"total:", \
		totalstreamsize, padding1,padding2
	if(uncompressedlen > realdatalen):
		print "compressed"
	data = stream.read(datalen)
	data = c.decrypt(data)
	if(uncompressedlen > realdatalen):
		data = lznt1.dCompressBuf(data[:realdatalen])
	#hexdump(data)
	if(cmd == 0x19):
		return data
	else:
		return ""
print_payload("payload 1")
print "unknown data 1"
hexdump(stream.read(4))
print_payload("payload 2")
for i in xrange(226):
	img += decode_header("header" + str(i))
open("img.bmp","w").write(img[457:])
	#!/usr/bin/env python

	#https://github.com/aris_ada/libctf
	from libctf import *
	import camellia
	from struct import unpack
	#https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py
	import lznt1

	def crack():
	cleartext=open("cleartext").read()[:16]
	ciphertext=open("camellia").read()[:16]
	wordlist=open("/home/aris/wordlists/uniq.txt")

	print "Cleartext:"
	hexdump(cleartext)
	print "Ciphertext:"
	hexdump(ciphertext)

	for w in wordlist.readlines():
	w = w.replace("\n","").replace("\r","")
	w = w[:32]
	w = w + "\x00" * (32 - len(w))
	c = camellia.CamelliaCipher(key=w, mode=camellia.MODE_ECB)
	encrypted = c.encrypt(cleartext)
	if (encrypted == ciphertext):
	print "Found key !",repr(w)

	key = "admin" + "\x00" * (32 - 5)
	c = camellia.CamelliaCipher(key=key, mode=camellia.MODE_ECB)
	stream = open("stream")
	#bypass handshake
	stream.read(512)
	def print_payload(name):
	size = unpack("<I", stream.read(4))[0]
	print "size: %d %x"%(size, size)
	data = stream.read(size)
	padding = (16-(len(data)%16) % 16)
	data += "\x00" * padding
	data = c.decrypt(data)
	print name
	hexdump(data,highlight="\x00")

	def unpack_multiple(data):
	data = list(chunkstring(data, 4))
	return map(lambda x: unpack("<I", x)[0], data)

	img = ""
	def decode_header(name):
	print name
	data = stream.read(0x20)
	header = c.decrypt(data)
	hexdump(header)
	cmd,id,datalen,realdatalen,uncompressedlen,totalstreamsize,padding1,padding2 = unpack_multiple(header)
	print "cmd:",hex(cmd),"id:",id,"len:",datalen,realdatalen,uncompressedlen,"total:", \
	totalstreamsize, padding1,padding2
	if(uncompressedlen > realdatalen):
	print "compressed"
	data = stream.read(datalen)
	data = c.decrypt(data)
	if(uncompressedlen > realdatalen):
	data = lznt1.dCompressBuf(data[:realdatalen])
	#hexdump(data)
	if(cmd == 0x19):
	return data
	else:
	return ""
	print_payload("payload 1")
	print "unknown data 1"
	hexdump(stream.read(4))
	print_payload("payload 2")
	for i in xrange(226):
	img += decode_header("header" + str(i))
	open("img.bmp","w").write(img[457:])