Created
June 27, 2014 21:23
udpchecksumbrute.py
| #!/usr/bin/env python | |
| # Solution to DRG Challenge at FIRSTCON 2014 | |
| # Two bytes from a UDP packet NUL'ed, need to find them so that checksum matches | |
| import sys | |
| from timeit import timeit | |
| from scapy.all import * | |
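# Known leading bytes of the damaged UDP payload; the brute-force loop appends
# two candidate bytes and "\r\n" to this prefix.
# NOTE(review): \x00\x03\x00\x01 looks like a TFTP DATA opcode + block number,
# which would fit the capture's file name -- confirm against the pcap.
pref = "\x00\x03\x00\x01XtG8hI"

# Single target kept from earlier runs; not read by the code visible here,
# which compares against the `checksums` list instead.
targetchecksum = 0x808c
# targetchecksum = 0x8549
# targetchecksum = 0x8555

# Any of these UDP checksum values counts as a hit.
checksums = [0x808c, 0x8549, 0x8555]

# Capture holding the damaged packet (hard-coded path from the author's setup).
pcap = rdpcap("/mnt/hgfs/DRG/tftp.pcap")

# Default range for the first unknown byte: 32..126, since range() excludes
# the upper bound.
outer_from = 32
outer_to = 127
if len(sys.argv) > 1:
    # Optional "FROM-TO" argument overrides the first-byte range.
    # Fixed: the original read `sys.arv` (AttributeError) and left the two
    # bounds as strings, which range() rejects.
    outer_from, outer_to = (int(bound) for bound in sys.argv[1].split("-"))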
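def updchksum(p):
    """Return a re-parsed copy of packet *p* with a freshly computed UDP checksum.

    The stored checksum is deleted from *p* itself (the argument is modified),
    so Scapy fills the field in when the packet is serialised. Parsing those
    bytes back with the same packet class yields a packet whose
    ``[UDP].chksum`` holds the computed value rather than being unset.
    """
    # Drop the captured checksum so it is recomputed when the packet is built.
    del p[UDP].chksum
    # bytes(p) gives the wire form on Python 2 (where bytes is str) and on
    # Python 3; the original str(p) only produced the raw bytes on Python 2.
    return p.__class__(bytes(p))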
# Brute-force the two zeroed payload bytes: the first over the configured
# range, the second over 32..126, rebuilding packet index 3 of the capture
# for each pair and comparing its recomputed UDP checksum with the targets.
for first_code in range(outer_from, outer_to):
    sys.stderr.write(".")  # one progress dot per first-byte value
    first_char = chr(first_code)
    for second_code in range(32, 127):
        # Candidate payload = known prefix + two guessed bytes + CRLF.
        pcap[3][UDP].load = pref + first_char + chr(second_code) + "\r\n"
        rebuilt = updchksum(pcap[3])
        if rebuilt[UDP].chksum not in checksums:
            continue
        # No break on a hit: every matching pair is shown and saved, so a
        # match is a candidate to verify, not a unique answer by itself.
        rebuilt.show2()
        wrpcap("brute-%i-%i.pcap" % (first_code, second_code), [rebuilt])