Code for the poison ivy challenge, TMCTF2015
#!/usr/bin/env python | |
#https://github.com/aris_ada/libctf | |
from libctf import * | |
import camellia | |
from struct import unpack | |
#https://github.com/MITRECND/chopshop/blob/master/ext_libs/lznt1.py | |
import lznt1 | |
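def crack():
    """Test wordlist entries as Camellia keys against one known block.

    Reads the first 16 bytes of the files "cleartext" and "camellia" as a
    known plaintext/ciphertext pair. Each wordlist line is stripped of CR/LF,
    truncated to 32 bytes and NUL-padded to 32 bytes, then used as a key to
    encrypt the plaintext block in ECB mode. Every candidate whose output
    equals the ciphertext block is printed; the scan does not stop at the
    first hit. ECB has no IV, so a single block is enough to confirm a key.

    Raises:
        ValueError: if either sample file holds fewer than 16 bytes.
    """
    # Binary mode: these are raw cipher blocks, and text mode can alter
    # bytes on platforms that translate line endings.
    with open("cleartext", "rb") as handle:
        cleartext = handle.read(16)
    with open("camellia", "rb") as handle:
        ciphertext = handle.read(16)
    if len(cleartext) != 16 or len(ciphertext) != 16:
        raise ValueError("cleartext and camellia must each hold at least 16 bytes")

    print("Cleartext:")
    hexdump(cleartext)
    print("Ciphertext:")
    hexdump(ciphertext)

    # Iterate the file lazily instead of readlines() so a large wordlist is
    # not held in memory, and let the with-block close it.
    with open("/home/aris/wordlists/uniq.txt", "rb") as wordlist:
        for line in wordlist:
            w = line.replace("\n", "").replace("\r", "")
            # Fixed 32-byte key: truncate long words, NUL-pad short ones.
            w = w[:32].ljust(32, "\x00")
            cipher = camellia.CamelliaCipher(key=w, mode=camellia.MODE_ECB)
            if cipher.encrypt(cleartext) == ciphertext:
                print("Found key ! %r" % (w,))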
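# Key used to decrypt this capture: the password NUL-padded to 32 bytes,
# the same padding crack() applies to each wordlist candidate.
key = "admin".ljust(32, "\x00")
c = camellia.CamelliaCipher(key=key, mode=camellia.MODE_ECB)
# Binary mode: the capture is raw encrypted traffic, so no newline
# translation may touch it.
stream = open("stream", "rb")
# bypass handshake: discard the first 512 bytes so the next read starts at
# the first length-prefixed payload
stream.read(512)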
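def print_payload(name):
    """Read one length-prefixed payload from ``stream``, decrypt and dump it.

    The payload is preceded by a 4-byte little-endian length. The bytes read
    are zero-filled up to the next 16-byte boundary so the block cipher
    accepts them, decrypted with the module-level cipher ``c`` and printed
    as a hexdump under the label *name*.

    Args:
        name: label printed above the hexdump.
    """
    size = unpack("<I", stream.read(4))[0]
    print("size: %d %x" % (size, size))
    data = stream.read(size)
    # Pad only up to the next block boundary. The previous expression,
    # (16-(len(data)%16) % 16), evaluated to 16 for already aligned data and
    # appended a whole zero block, which showed up as 16 meaningless bytes
    # at the end of the dump.
    data += "\x00" * (-len(data) % 16)
    data = c.decrypt(data)
    print(name)
    hexdump(data, highlight="\x00")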
def unpack_multiple(data):
    """Decode *data* as a sequence of little-endian unsigned 32-bit integers.

    The input is cut into pieces with ``chunkstring(data, 4)`` (a libctf
    helper, presumably yielding consecutive 4-byte slices) and each piece is
    decoded with ``unpack("<I", ...)``.

    Returns:
        A list with one integer per piece, in input order.
    """
    words = []
    # Materialise the pieces first, as before, then decode them one by one.
    for piece in list(chunkstring(data, 4)):
        words.append(unpack("<I", piece)[0])
    return words
# Accumulates the data returned by decode_header() for each record; the
# result is written to img.bmp at the end of the script.
img = ""
def decode_header(name):
    """Decrypt one record (32-byte header plus body) from ``stream``.

    The header decrypts to eight little-endian 32-bit fields: cmd, id,
    datalen, realdatalen, uncompressedlen, totalstreamsize and two padding
    words. ``datalen`` bytes of body follow and are decrypted with the
    module-level cipher ``c``. When ``uncompressedlen > realdatalen`` the
    first ``realdatalen`` bytes of the body are LZNT1-decompressed.

    Args:
        name: label printed before the header dump.

    Returns:
        The decoded body when cmd is 0x19, otherwise an empty string. What
        0x19 denotes in the protocol is not established by this file.
    """
    print(name)
    header = c.decrypt(stream.read(0x20))
    hexdump(header)
    (cmd, pkt_id, datalen, realdatalen, uncompressedlen,
     totalstreamsize, padding1, padding2) = unpack_multiple(header)
    print(" ".join(str(field) for field in (
        "cmd:", hex(cmd), "id:", pkt_id, "len:", datalen, realdatalen,
        uncompressedlen, "total:", totalstreamsize, padding1, padding2)))

    is_compressed = uncompressedlen > realdatalen
    if is_compressed:
        print("compressed")

    # NOTE(review): every length here comes from the capture itself; a
    # truncated or corrupt file surfaces as an error from decrypt/unpack
    # rather than a clear message.
    body = c.decrypt(stream.read(datalen))
    if is_compressed:
        body = lznt1.dCompressBuf(body[:realdatalen])
    # NOTE(review): an uncompressed body is returned at its full datalen,
    # not cut to realdatalen; presumably datalen includes block padding.
    # Confirm before reusing, since the final img[457:] offset depends on
    # the current output.
    if cmd != 0x19:
        return ""
    return body
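# Walk the capture in the order it was recorded: two length-prefixed
# payloads separated by four bytes of unidentified data.
print_payload("payload 1")
print("unknown data 1")
hexdump(stream.read(4))
print_payload("payload 2")
# 226 records follow in this particular capture; join the pieces once
# instead of growing the string record by record.
img += "".join(decode_header("header" + str(i)) for i in xrange(226))
# The first 457 bytes are skipped (presumably data that precedes the bitmap
# itself; the offset is specific to this capture). Binary mode keeps the
# image bytes intact, and the with-block closes the file.
with open("img.bmp", "wb") as out:
    out.write(img[457:])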