Awwyeah, decrypted an alarm
This commit is contained in:
parent
9fa2ebb4a9
commit
3925f4f244
4 changed files with 258 additions and 9 deletions
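--- /dev/null
+++ b/chiron-2nd.log
@@ -0,0 +1,104 @@
+Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:308 in function handle_message():
+chiron message: struct chiron_message
+msg_type : CHIRON_ACCOUNT (65)
+seq : 0x02 (2)
+flags : 0xa8 (168)
+msg : union chiron_msg_union(case 65)
+account: struct chiron_msg_account
+length : 0x04 (4)
+account_code: ARRAY(4)
+[0] : 0x33 (51)
+[1] : 0x35 (53)
+[2] : 0x30 (48)
+[3] : 0x30 (48)
+
+Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:210 in function send_chiron_msg_challenge():
+Sending out a challenge
+Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:278 in function send_chiron_msg_challenge():
+The expected md5sum for the next entry is 67305652133a689bb99b3d7e953b30f7
+Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:308 in function handle_message():
+chiron message: struct chiron_message
+msg_type : CHIRON_RESPONSE (82)
+seq : 0x02 (2)
+flags : 0xa8 (168)
+msg : union chiron_msg_union(case 82)
+response: struct chiron_msg_response
+length : 0x46 (70)
+md5_check: ARRAY(16)
+[0] : 0xc8 (200)
+[1] : 0xa8 (168)
+[2] : 0xb6 (182)
+[3] : 0x50 (80)
+[4] : 0x34 (52)
+[5] : 0xd5 (213)
+[6] : 0x7a (122)
+[7] : 0x26 (38)
+[8] : 0x90 (144)
+[9] : 0x63 (99)
+[10] : 0x92 (146)
+[11] : 0x56 (86)
+[12] : 0xe5 (229)
+[13] : 0x4d (77)
+[14] : 0xde (222)
+[15] : 0xa0 (160)
+payload: ARRAY(54)
+[0] : 0x6a (106)
+[1] : 0x60 (96)
+[2] : 0x19 (25)
+[3] : 0xdc (220)
+[4] : 0x67 (103)
+[5] : 0xbb (187)
+[6] : 0xe8 (232)
+[7] : 0x9e (158)
+[8] : 0x8e (142)
+[9] : 0xfc (252)
+[10] : 0x79 (121)
+[11] : 0x55 (85)
+[12] : 0xed (237)
+[13] : 0x66 (102)
+[14] : 0x26 (38)
+[15] : 0x21 (33)
+[16] : 0x1a (26)
+[17] : 0x6b (107)
+[18] : 0x4a (74)
+[19] : 0x9c (156)
+[20] : 0x7c (124)
+[21] : 0xe6 (230)
+[22] : 0x1d (29)
+[23] : 0x01 (1)
+[24] : 0xab (171)
+[25] : 0x57 (87)
+[26] : 0xfb (251)
+[27] : 0xd9 (217)
+[28] : 0x6d (109)
+[29] : 0x15 (21)
+[30] : 0xbd (189)
+[31] : 0xe6 (230)
+[32] : 0xe3 (227)
+[33] : 0x94 (148)
+[34] : 0xd6 (214)
+[35] : 0xe7 (231)
+[36] : 0xde (222)
+[37] : 0xc3 (195)
+[38] : 0x89 (137)
+[39] : 0x52 (82)
+[40] : 0x65 (101)
+[41] : 0x5f (95)
+[42] : 0x0c (12)
+[43] : 0x97 (151)
+[44] : 0x4e (78)
+[45] : 0x4f (79)
+[46] : 0x6d (109)
+[47] : 0x9f (159)
+[48] : 0x5a (90)
+[49] : 0xb9 (185)
+[50] : 0xc2 (194)
+[51] : 0x12 (18)
+[52] : 0xdd (221)
+[53] : 0x74 (116)
+
+Mon Nov 21 20:41:35 2016: ./build/chirond(15512): Log level 0, at ../chirond.c:167 in function handle_chiron_msg_response():
+MD5 does not match!
+
+Decrypted outgoing payload:
+ZERO LENGTH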
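--- /dev/null
+++ b/chiron-initial.log
@@ -0,0 +1,111 @@
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:308 in function handle_message():
+chiron message: struct chiron_message
+msg_type : CHIRON_ACCOUNT (65)
+seq : 0x01 (1)
+flags : 0xa8 (168)
+msg : union chiron_msg_union(case 65)
+account: struct chiron_msg_account
+length : 0x04 (4)
+account_code: ARRAY(4)
+[0] : 0x33 (51)
+[1] : 0x35 (53)
+[2] : 0x30 (48)
+[3] : 0x30 (48)
+
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:210 in function send_chiron_msg_challenge():
+Sending out a challenge
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:278 in function send_chiron_msg_challenge():
+The expected md5sum for the next entry is 627fd0b8bc706a21442115b494206298
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:308 in function handle_message():
+chiron message: struct chiron_message
+msg_type : CHIRON_RESPONSE (82)
+seq : 0x01 (1)
+flags : 0xa8 (168)
+msg : union chiron_msg_union(case 82)
+response: struct chiron_msg_response
+length : 0x37 (55)
+md5_check: ARRAY(16)
+[0] : 0x62 (98)
+[1] : 0x7f (127)
+[2] : 0xd0 (208)
+[3] : 0xb8 (184)
+[4] : 0xbc (188)
+[5] : 0x70 (112)
+[6] : 0x6a (106)
+[7] : 0x44 (68)
+[8] : 0x44 (68)
+[9] : 0x21 (33)
+[10] : 0x15 (21)
+[11] : 0xb4 (180)
+[12] : 0x94 (148)
+[13] : 0x20 (32)
+[14] : 0x62 (98)
+[15] : 0x98 (152)
+payload: ARRAY(39)
+[0] : 0x7a (122)
+[1] : 0xe2 (226)
+[2] : 0xde (222)
+[3] : 0xc2 (194)
+[4] : 0xed (237)
+[5] : 0x76 (118)
+[6] : 0x84 (132)
+[7] : 0x5f (95)
+[8] : 0xe6 (230)
+[9] : 0x16 (22)
+[10] : 0x2b (43)
+[11] : 0x6b (107)
+[12] : 0xb9 (185)
+[13] : 0x10 (16)
+[14] : 0xa3 (163)
+[15] : 0x6c (108)
+[16] : 0x14 (20)
+[17] : 0x44 (68)
+[18] : 0x56 (86)
+[19] : 0xca (202)
+[20] : 0x45 (69)
+[21] : 0xc6 (198)
+[22] : 0xc2 (194)
+[23] : 0xeb (235)
+[24] : 0xec (236)
+[25] : 0x1b (27)
+[26] : 0xd8 (216)
+[27] : 0x7a (122)
+[28] : 0xa4 (164)
+[29] : 0x4c (76)
+[30] : 0xc0 (192)
+[31] : 0xb4 (180)
+[32] : 0x88 (136)
+[33] : 0x64 (100)
+[34] : 0x6e (110)
+[35] : 0x2b (43)
+[36] : 0xee (238)
+[37] : 0x11 (17)
+[38] : 0x54 (84)
+
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 0, at ../chirond.c:170 in function handle_chiron_msg_response():
+Handling the response
+Decrypted:
+0000 00 ad c7 0c 04 a8 de fe ff 20 01 01 21 01 63 17 ......... ..!.c.
+0010 16 49 52 49 53 20 54 6f 75 63 68 20 34 32 30 20 .IRIS Touch 420
+0020 76 31 2e 31 34 2e 33 v1.14.3
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response():
+Type: 12, Length: 4
+Data:
+0000 a8 de fe ff ....
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response():
+Type: 32, Length: 1
+Data:
+0000 01 .
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response():
+Type: 33, Length: 1
+Data:
+0000 63 c
+Mon Nov 21 20:40:07 2016: ./build/chirond(15477): Log level 1, at ../chirond.c:192 in function handle_chiron_msg_response():
+Type: 23, Length: 22
+Data:
+0000 49 52 49 53 20 54 6f 75 63 68 20 34 32 30 20 76 IRIS Touch 420 v
+0010 31 2e 31 34 2e 33 1.14.3
+Crypted outgoing payload:
+0000 5d 4f 2b ce f1 de 77 a1 ]O+...w.
+Decrypted outgoing payload:
+0000 27 00 32 00 18 00 2d 00 '.2...-.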
10
chiron.idl
@ -9,12 +9,9 @@ interface chiron
|
|||
CHIRON_CHALLENGE = 0x43, /* 'C' */
|
||||
CHIRON_RESPONSE = 0x52, /* 'R' */
|
||||
CHIRON_HANDSHAKE1 = 0x4B, /* 'K' */
|
||||
0x48 & 0x3 ?
|
||||
0x48 + 0x3 ?
|
||||
0x48 ^ 0x3 ?
|
||||
CHIRON_HANDSHAKE2 = 0x48, /* 'H' */
|
||||
CHIRON_HANDSHAKE2 = 0x48, /* 'H' = Set new key */
|
||||
CHIRON_ACK = 0x55, /* 'U' */
|
||||
CHIRON_TRANSPARENT = 0x54 /* 'T' */
|
||||
CHIRON_TRANSPARENT = 0x54, /* 'T' */
|
||||
CHIRON_UNKNOWN_IN = 0x53 /* 'S' */
|
||||
} chiron_msg_type;
|
||||
|
||||
|
@ -68,7 +65,7 @@ interface chiron
|
|||
|
||||
typedef [public,flag(LIBNDR_FLAG_NOALIGN)] struct {
|
||||
uint8 length;
|
||||
uint8 data[length];
|
||||
uint8 data[length+6];
|
||||
} chiron_msg_unknown;
|
||||
|
||||
typedef [nodiscriminant,public,flag(LIBNDR_FLAG_NOALIGN)] union {
|
||||
|
@ -78,6 +75,7 @@ interface chiron
|
|||
[case(CHIRON_HANDSHAKE1)] chiron_msg_handshake1 handshake1;
|
||||
[case(CHIRON_HANDSHAKE2)] chiron_msg_handshake2 handshake2;
|
||||
[case(CHIRON_ACK)] chiron_msg_ack ack;
|
||||
[case(CHIRON_UNKNOWN_IN)] chiron_msg_unknown unknown_in;
|
||||
[default] chiron_msg_unknown unknown;
|
||||
} chiron_msg_union;
|
||||
|
||||
|
|
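Review bot: Widening the shared `chiron_msg_unknown` to `uint8 data[length+6];` also changes the `[default]` arm of `chiron_msg_union`, so every message type the IDL does not name is now pulled with six extra bytes, and if such a frame does not carry them the generated pull should fail for want of bytes before `handle_message` ever reaches its "unexpected message type" branch. The `+6` itself is fitted to a single capture (in_message3 in chirond.c has a length byte of 0x18 but 30 bytes follow it) and chirond.c repeats the same constant by hand, so it needs a why-comment such as `/* observed: 'S' frames carry 6 bytes beyond what length counts; origin unknown */`. I would give the 'S' frame its own struct and leave the default arm at `data[length]` until a second message type is shown to carry the trailer; chirond.c's handler would then take that struct instead of `struct chiron_msg_unknown`.
```idl
typedef [public,flag(LIBNDR_FLAG_NOALIGN)] struct {
	uint8 length;
	uint8 data[length];      /* default arm: framing unchanged */
} chiron_msg_unknown;

typedef [public,flag(LIBNDR_FLAG_NOALIGN)] struct {
	uint8 length;
	uint8 data[length+6];    /* observed: 'S' frames carry 6 bytes beyond what length counts; origin unknown */
} chiron_msg_unknown_in;

/* … unchanged: other union arms … */
	[case(CHIRON_UNKNOWN_IN)] chiron_msg_unknown_in unknown_in;
	[default] chiron_msg_unknown unknown;
```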
42
chirond.c
@ -321,6 +321,25 @@ STATUS handle_chiron_msg_account(struct chiron_context *ctx, struct chiron_msg_a
|
|||
return ST_OK;
|
||||
}
|
||||
|
||||
STATUS handle_chiron_msg_unknown(struct chiron_context *ctx, struct chiron_msg_unknown *unknown) {
|
||||
DATA_BLOB crypted, decrypted;
|
||||
struct arcfour_ctx rc4;
|
||||
|
||||
/* Copy packet to crypted data blob */
|
||||
crypted.length = unknown->length+6;
|
||||
crypted.data = talloc_memdup(unknown, unknown->data, crypted.length);
|
||||
NO_MEM_RETURN(crypted.data);
|
||||
decrypted.data = talloc_array(unknown, uint8_t, crypted.length);
|
||||
NO_MEM_RETURN(decrypted.data);
|
||||
decrypted.length = crypted.length;
|
||||
|
||||
arcfour_set_key(&rc4, MD5_HASH_LEN, ctx->rc4key);
|
||||
arcfour_crypt(&rc4, crypted.length, decrypted.data, crypted.data);
|
||||
hexdump("Decrypted", decrypted.data, decrypted.length);
|
||||
|
||||
return ST_OK;
|
||||
}
|
||||
|
||||
STATUS handle_message(struct chiron_context *ctx, DATA_BLOB data) {
|
||||
|
||||
struct chiron_message *msg = talloc(data.data, struct chiron_message);
|
||||
|
@ -385,6 +404,17 @@ STATUS handle_message(struct chiron_context *ctx, DATA_BLOB data) {
|
|||
status = handle_chiron_msg_ack(ctx, ack);
|
||||
break;
|
||||
}
|
||||
case CHIRON_UNKNOWN_IN: {
|
||||
struct chiron_msg_unknown *unknown;
|
||||
if (ctx->alt_format) {
|
||||
unknown = talloc_memdup(alt_msg, &alt_msg->msg.unknown_in, sizeof(struct chiron_msg_unknown));
|
||||
} else {
|
||||
unknown = talloc_memdup(msg, &msg->msg.unknown_in, sizeof(struct chiron_msg_unknown));
|
||||
}
|
||||
status = handle_chiron_msg_unknown(ctx, unknown);
|
||||
|
||||
break;
|
||||
}
|
||||
default:
|
||||
DEBUG(0, "Got unexpected message type: %s.",
|
||||
ndr_print_chiron_msg_type_enum(msg, msg->msg_type));
|
||||
|
@ -612,21 +642,21 @@ int main (int argc, char **argv) {
|
|||
0x10, 0x39, 0xcc, 0x35, 0xb9, 0x08, 0x5a, 0x92,
|
||||
0xd7, 0x2a, 0xd3, 0x07, 0x10, 0xae, 0x0d, 0xfc,
|
||||
0x20, 0x01, 0x01 };
|
||||
// Send handshake message
|
||||
// Send new encryption key, apparently (why again?)
|
||||
// Encrypted payload?: 07 2f b9 81 3d 0f 14 ac 59
|
||||
const uint8_t out_message2[] = {
|
||||
0x01, 0x01, 0x02, 0x00, 0x00, 0x0b, 0x48, 0x09,
|
||||
0x75, 0x4a, 0x65, 0x60, 0x4a, 0x44, 0x3a, 0x6c,
|
||||
0x5e };
|
||||
|
||||
// Receive something..
|
||||
// Receive some shit.
|
||||
const uint8_t in_message3[] = {
|
||||
0x01, 0x01, 0x02, 0x01, 0x00, 0x1a, 0x53, 0x18,
|
||||
0x51, 0x56, 0xe9, 0xd1, 0x47, 0x37, 0x60, 0x94,
|
||||
0x46, 0xaa, 0x5d, 0x6b, 0x93, 0x63, 0x37, 0x6b,
|
||||
0x81, 0xf4, 0xa3, 0x23, 0xab, 0x3f, 0xe4, 0x25,
|
||||
0xdf, 0xd3, 0x2b, 0xb7, 0x2d, 0x82 };
|
||||
//
|
||||
|
||||
const uint8_t out_message3[] = {
|
||||
0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00 };
|
||||
|
||||
|
@ -641,12 +671,18 @@ int main (int argc, char **argv) {
|
|||
handle_message(client_ctx, data);
|
||||
talloc_free(data.data);
|
||||
|
||||
/* Attempt at parsing out_message2 */
|
||||
struct arcfour_ctx rc4;
|
||||
arcfour_set_key(&rc4, MD5_HASH_LEN, client_ctx->rc4key);
|
||||
uint8_t buf[sizeof(out_message2)] = {0};
|
||||
arcfour_crypt(&rc4, sizeof(out_message2) - 8, buf, out_message2 + 8);
|
||||
hexdump("Decrypted outgoing payload", buf, sizeof(out_message2) - 8);
|
||||
|
||||
data.data = talloc_memdup(client_ctx, in_message3, sizeof(in_message3));
|
||||
data.length = sizeof(in_message3);
|
||||
printf("%x %x\n", sizeof(in_message3), data.length);
|
||||
handle_message(client_ctx, data);
|
||||
talloc_free(data.data);
|
||||
|
||||
/*
|
||||
* Open up a TCP socket the Chiron port
|
||||
|
|
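Review bot: `handle_chiron_msg_unknown` re-derives the wire size with `crypted.length = unknown->length+6;`, repeating by hand the `+6` that chiron.idl puts in `data[length+6]`; the moment the two disagree, `talloc_memdup(unknown, unknown->data, crypted.length)` reads past the array the generated pull sized for `data`, so the 6 should live in one named constant shared by both files, with a comment recording that it is fitted to one capture (in_message3 carries a length byte of 0x18 followed by 30 bytes). Since `length` apparently counts fewer bytes than arrive, the hexdump would be more useful split as the first `length` bytes and the 6-byte tail, which is the natural first step to finding out whether the tail is a checksum or MAC. The ciphertext copy is unnecessary as well: nettle's `arcfour_crypt` takes `src` as `const`, so `crypted.data = unknown->data;` does the same job without an allocation (if this is not nettle, confirm the signature first). The key schedule expanded from `ctx->rc4key` stays in `rc4` on the stack after the return; a `memset(&rc4, 0, sizeof(rc4));` before `return ST_OK;` is cheap and keeps the session secret out of stale stack frames.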