
@volpino
Created October 23, 2014 11:06
hack.lu 2014 - douchemac exploit
import dbus
def xor(s1, s2):
    """Return the character-wise XOR of two strings.

    The result has exactly one character per character of ``s1``. ``s2`` is
    read at the same positions, so it must be at least as long as ``s1``:
    a shorter ``s2`` raises ``IndexError`` and any extra characters at the
    end of ``s2`` are ignored.
    """
    mixed = []
    for pos, left in enumerate(s1):
        # Index s2 explicitly (no zip) so a too-short s2 still fails loudly
        # instead of silently producing a truncated result.
        mixed.append(chr(ord(left) ^ ord(s2[pos])))
    return "".join(mixed)
# Open a D-Bus connection to the CTF service over plain TCP and bind an
# interface proxy for the single object it exports.
bus = dbus.bus.BusConnection("tcp:host=wildwildweb.fluxfingers.net,port=1420")
SERVER_NAME = 'test.test123.Server'
server_iface = dbus.Interface(
    bus.get_object(SERVER_NAME, '/Server'),
    dbus_interface=SERVER_NAME
)

# Methods noted by the author as available on the interface:
#   dbus_genrnd(id)
#   dbus_authc(id, msg, iv, tag)
#   dbus_auths(id, msg)
#   dbus_time(id)
#   dbus_list(id)
#   dbus_put(id, filename, text)
#   dbus_get(id, filename)
#   dbus_start()

# dbus_start() opens a session; the session id and a nonce are parsed out of
# the text it returns.
banner = server_iface.dbus_start()
print banner
uid = banner.split("Use ID: ")[1].split()[0]
print "UID =", repr(uid)
# The nonce is only printed; nothing later in this script sends it back.
nonce = banner.split("Use Nonce: ")[1].split()[0]
print "NONCE =", repr(nonce)

# Have the server authenticate one chosen 16-byte block (base64 on the wire).
initial_msg = ("A" * 16).encode('base64').strip()
reply = server_iface.dbus_auths(uid, initial_msg)
print reply

# The reply is read as three "label: value" lines: IV, message, tag.
reply_lines = reply.split("\n")
iv = reply_lines[0].split(":")[1].strip()
msg = reply_lines[1].split(":")[1].strip()
tag = reply_lines[2].split(":")[1].strip()

# NOTE(review): the server's MAC code is not part of this page, so the
# following is an assumption to confirm. The step below can only be accepted
# if the tag behaves like a raw CBC-MAC, tag = E_k(iv XOR block), with the IV
# supplied by the caller and no binding of the message length. In that case
# appending (block XOR tag XOR iv) makes the chaining input of the second
# block equal to (iv XOR block) again, so the two-block message verifies
# under the tag issued for the one-block message.
# Defensive takeaway: use a MAC that is safe for variable-length input
# (HMAC or CMAC), do not let the caller choose a MAC IV, and do not treat a
# tag issued for one message as proof of authorisation for a different one.
first_block = initial_msg.decode('base64')
second_block = xor(xor(first_block, tag.decode('base64')), iv.decode('base64'))
msg = (first_block + second_block).encode('base64').strip()

# Submit the extended message with the IV and tag that were issued above.
print "======= AUTHC ======="
resp = server_iface.dbus_authc(uid, msg, iv, tag)
print resp
print "====================="

# With the session authenticated, list the stored files and fetch one of
# them; file names are passed base64-encoded.
listing = server_iface.dbus_list(uid)
print listing.decode('base64')
secret_name = "secret.txt".encode('base64').strip()
print server_iface.dbus_get(uid, secret_name)