

2024年1月9日发(作者:)

完成抓包。四、解析数据 1. 此处提供 drcom_p_ 与 的代码 drcom_p_

# NOTE(review): the page's extraction has collapsed each file onto one line and
# appears to have dropped dotted call names and the backslashes of '\x..'
# escapes (e.g. `text = ()` where a file read is expected, `('xF0x00...',
# text).start()` where a regex search is expected). Treat every literal below
# as approximate and confirm against the upstream source before running it.
#
# Script 1 (capture parser). hexed(s): renders each byte of s as two
# zero-padded lowercase hex digits prefixed with 'x'. The script then opens
# `filename` in binary mode, locates the login packet by a byte pattern and
# prints the client config fields read at fixed offsets after it: server IP
# from offset-12..offset-8, username from offset+20 with its length taken as
# byte offset+3 minus 20, CONTROLCHECKSTATUS (+56), ADAPTERNUM (+57), host_ip
# (+81..+85), IPDOG (+105), PRIMARY_DNS (+142..+146), dhcp_server (+146..+150),
# AUTH_VERSION (+310..+312), the MAC at one of two offsets chosen by
# ror_version, and KEEP_ALIVE_VERSION from the first pattern hit that is not
# 'x0fx27'. Only the username is recovered from the capture; `password=''`,
# host_name and host_os are printed as fixed placeholders. `filename` is
# empty, and the file handle is never closed (use `with open(...)`).
#
# Script 2 header (client): stdlib imports, a commented sample config, then the
# live config on the next line. The live config embeds plaintext credentials
# (`username='nic'`, `password='123456'`) and a MAC address as literals, so a
# filled-in copy of this file is a secret: keep it out of shared logs and
# version control.
# -*- coding: utf-8 -*-from binascii import hexlifyimport redef hexed(s): ret = '' for i in s: ret += 'x' + hex(ord(i))[2:].rjust(2, '0') return retfilename = ''f = open(filename, 'rb')text = ()offset = ('xF0x00xF0x00[x00-xFF]{4}[x03x07]x01', text).start() + 8#print hexlify(text[offset:offset+330])#print hexlify(text[offset:offset+338])# print text[offset+334:offset+338].encode('hex')if ('x00x00[x00-xFF]{2}', text[offset+334:offset+338]): ror_version = Trueelse : ror_version = False# print ror_versionusername_len = ord(text[offset+3]) - 20username = text[offset+20:offset+20+username_len]print 'server = '%s'' % '.'.join([str(ord(i)) for i in text[offset-12:offset-8]])print 'username='%s'' % usernameprint 'password='''print 'CONTROLCHECKSTATUS = '%s'' % hexed(text[offset+56])print 'ADAPTERNUM = '%s'' % hexed(text[offset+57])print 'host_ip = '%s'' % '.'.join(map(lambda x: str(ord(x)), text[offset+81:offset+85]))print 'IPDOG = '%s'' % hexed(text[offset+105])print 'host_name = '%s'' % 'GILIGILIEYE'print 'PRIMARY_DNS = '%s'' % '.'.join(map(lambda x: str(ord(x)), text[offset+142:offset+146]))print 'dhcp_server = '%s'' % '.'.join(map(lambda x: str(ord(x)), text[offset+146:offset+150]))print 'AUTH_VERSION = '%s'' % hexed(text[offset+310:offset+312])if ror_version: print 'mac = 0x%s' % hexlify(text[offset+328:offset+334])else: print 'mac = 0x%s' % hexlify(text[offset+320:offset+326])print 'host_os = '%s'' % 'NOTE7'KEEP_ALIVE_VERSION = [i for i in l('07.x5cx28x00x0bx01(..)', text) if i != 'x0fx27'][0]print 'KEEP_ALIVE_VERSION = '%s'' % hexed(KEEP_ALIVE_VERSION)print 'ror_version = %s ' % ror_#!/usr/bin/env python# -*- coding: utf-8 -*-import socketimport structimport timeimport hashlibimport sysimport osimport randomimport traceback# CONFIG'''server = "192.168.100.150"username = ""password = ""host_name = "LIYUANYUAN"host_os = "8089D"host_ip = "10.30.22.17"

host_ip = "10.30.22.17"PRIMARY_DNS = "114.114.114.114"dhcp_server = "0.0.0.0"mac = 0xb888e3051680CONTROLCHECKSTATUS = 'x20'ADAPTERNUM = 'x01'KEEP_ALIVE_VERSION = 'xdcx02''''server = '10.1.1.254'username='nic'password='123456'CONTROLCHECKSTATUS = 'x20'ADAPTERNUM = 'x07'host_ip = '172.17.19.107'IPDOG = 'x01'host_name = 'GILIGILIEYE'PRIMARY_DNS = '218.196.40.9'dhcp_server = '172.17.19.252'AUTH_VERSION = 'x27x00'mac = 0x2cf05db2b380host_os = 'NOTE7'KEEP_ALIVE_VERSION = 'xdcx02'ror_version = True

# NOTE(review): as elsewhere on this page, dotted names and '\x' escapes look
# stripped (`(_INET, _DGRAM)` where a UDP socket constructor is expected,
# `( (), 0x8915, ('256s', ...))` where an ioctl on the socket's fd with a
# packed interface name is expected); confirm against the upstream source.
#
# Remaining config: AUTH_VERSION (two bytes the inline struct note labels
# ClientVerInfoAndInternetMode and DogVersion), IPDOG, ror_version; then two
# knobs: keep_alive1_mod (switches keep_alive1 to its challenge variant) and
# nic_name (interface to bind to; '' keeps bind_ip = '0.0.0.0').
#
# ChallengeException / LoginException: empty marker exceptions. Only
# ChallengeException is raised on this page (challenge, keep_alive1).
#
# bind_nic(): returns the IPv4 address of nic_name via ioctl 0x8915
# (SIOCGIFADDR) on a temporary UDP socket, reading bytes 20:24 of the reply;
# the name is truncated to 15 bytes. Falls back to '0.0.0.0' with a message
# when fcntl cannot be imported (non-Unix) or the ioctl raises IOError.
# DEFECT: the trailing `finally: return '0.0.0.0'` runs on every path, so it
# overrides the successful `return get_ip_address(nic_name)` and also
# suppresses any exception not caught above; the interface address can never
# take effect. Drop the `finally` clause (both except branches already return
# the fallback). Minor: the IOError message lacks a space before
# 'is unacceptable'.
'''AUTH_VERSION: unsigned char ClientVerInfoAndInternetMode; unsigned char DogVersion;'''AUTH_VERSION = 'x0ax00'IPDOG = 'x01'ror_version = False# CONFIG_ENDkeep_alive1_mod = False #If you have trouble at KEEPALIVE1, turn this value to Truenic_name = '' #Indicate your nic, e.g. 'eth0.2'.nic_namebind_ip = '0.0.0.0'class ChallengeException (Exception): def __init__(self): passclass LoginException (Exception): def __init__(self): passdef bind_nic(): try: import fcntl def get_ip_address(ifname): s = (_INET, _DGRAM) return _ntoa(( (), 0x8915, # SIOCGIFADDR ('256s', ifname[:15]) )[20:24]) return get_ip_address(nic_name) except ImportError as e: print('Indicate nic feature need to be run under Unix based system.') return '0.0.0.0' except IOError as e: print(nic_name + 'is unacceptable !') return '0.0.0.0' finally: return '0.0.0.0'if nic_name != '':

# NOTE(review): stripped dotted names again (`((bind_ip, 61440))` / `eout(3)`
# read as a socket bind and a 3-second timeout, `om(1024)` as a 1024-byte
# receive, `5() (s) ()` as an md5 object update/digest); the middle of
# challenge() is missing between this line and the next.
#
# Module setup: bind_ip comes from bind_nic() when nic_name is set; one UDP
# socket `s` bound to (bind_ip, 61440) with a 3 s timeout is shared by every
# function below. IS_TEST = True forces DEBUG = True and LOG_PATH = 'drcom_'
# (relative to the working directory) instead of '/var/log/drcom_'.
#
# log(*args): joins args with spaces, prints the line and, when DEBUG, appends
# it to LOG_PATH. Callers pass hex dumps of every packet sent and received (see
# the '[login] send' and '[keep-alive2] recv' calls), so with the shipped
# IS_TEST = True the full login and keep-alive traffic, including
# password-derived digests, lands in a plaintext file. Keep DEBUG off outside
# debugging sessions and restrict access to that file.
#
# challenge(svr, ran): (head of body missing here) waits for a reply from
# (svr, 61440), ignoring other senders; a reply whose first byte is not '\x02'
# raises ChallengeException; returns data[4:8], the 4-byte salt consumed by
# mkpkt/logout. The sender-address check is the only peer validation visible
# on this UDP exchange.
#
# md5sum(s): presumably the raw MD5 digest of s (hashlib calls stripped).
# dump(n): int -> bytes via its hex text, zero-padded to an even digit count
# and decoded (decode call stripped). ror(md5, pwd): for each i < len(pwd),
# xors md5[i] with pwd[i] and rotates the byte left by 3 bits
# (((x<<3)&0xFF) + (x>>5)); requires len(md5) >= len(pwd).
bind_ip = bind_nic()s = (_INET, _DGRAM)# kopt(_SOCKET, _REUSEADDR, 1)((bind_ip, 61440))eout(3)SALT = ''IS_TEST = True# specified fields based on versionCONF = "/etc/"UNLIMITED_RETRY = TrueEXCEPTION = FalseDEBUG = False #log saves to fileLOG_PATH = '/var/log/drcom_'if IS_TEST: DEBUG = True LOG_PATH = 'drcom_'def log(*args, **kwargs): s = ' '.join(args) print s if DEBUG: with open(LOG_PATH,'a') as f: (s + 'n')def challenge(svr,ran): while True: t = ("

if address == (svr, 61440): break else: continue log('[DEBUG] challenge:n' + ('hex')) if data[0] != 'x02': raise ChallengeException log('[challenge] challenge packet sent.') return data[4:8]def md5sum(s): m = 5() (s) return ()def dump(n): s = '%x' % n if len(s) & 1: s = '0' + s return ('hex')def ror(md5, pwd): ret = '' for i in range(len(pwd)): x = ord(md5[i]) ^ ord(pwd[i]) ret += chr(((x<<3)&0xFF) + (x>>5)) return ret

# NOTE(review): stripped names again (`t(1,10)` reads as a random integer
# step, `(20)` as a 20 s sleep, `(packet, (svr, 61440))` as a send);
# keep_alive_package_builder(), used throughout, is not on this page, and
# checksum() at the end of this span is cut off before its return statement.
# The commented-out packet_CRC() above keep_alive2 is dead code; drop it.
#
# keep_alive2(*args): keep-alive state machine over the shared socket. Its
# header comment lists the intended phases (first/second packet sent and
# received). It runs three setup exchanges: type-1 with a zero tail, type-1
# again, then type-3 with the 4-byte `tail` taken from data[16:20] of the
# previous reply, advancing svr_num after the second and third accepted
# replies and when the first reply looks like a file packet ('\x07' at [0],
# '\x10' at [2]). Replies whose first byte is not '\x07' are logged as
# unexpected and the receive is retried. It then loops forever: sleep 20 s,
# keep_alive1(*args), send type-1 and type-3 packets with sequence i and i+1,
# i = (i+2) % 0xFF. The loop's `except: break` is a bare except: it also
# swallows KeyboardInterrupt/SystemExit and any bug inside keep_alive1, and
# ends keep-alive silently. Narrow it to socket.timeout/socket.error and log
# the exit reason.
#
# checksum(s): starts at 1234, xors in each 4-byte chunk of s (zero-padded,
# byte-reversed, read as an int) and finally multiplies by 1968 modulo 2**32;
# the packed return is on the missing tail of the last line.
# def packet_CRC(s):# ret = 0# for i in l('..', s):# ret ^= ('>h', i)[0]# ret &= 0xFFFF# ret = ret * 0x2c7# return retdef keep_alive2(*args): #first keep_alive: #number = number (mod 7) #status = 1: first packet user sended # 2: first packet user recieved # 3: 2nd packet user sended # 4: 2nd packet user recieved # Codes for test tail = '' packet = '' svr = server ran = t(0,0xFFFF) ran += t(1,10)

# 2014/10/15 add by latyas, maybe svr sends back a file packet svr_num = 0 packet = keep_alive_package_builder(svr_num,dump(ran),'x00'*4,1,True) while True: log('[keep-alive2] send1',('hex')) (packet, (svr, 61440)) data, address = om(1024) log('[keep-alive2] recv1',('hex')) if with('x07x00x28x00') or with('x07' + chr(svr_num) + 'x28x00'): break elif data[0] == 'x07' and data[2] == 'x10': log('[keep-alive2] recv file, resending..') svr_num = svr_num + 1 # packet = keep_alive_package_builder(svr_num,dump(ran),'x00'*4,1, False) break else: log('[keep-alive2] recv1/unexpected',('hex')) #log('[keep-alive2] recv1',('hex'))

ran += t(1,10)

packet = keep_alive_package_builder(svr_num, dump(ran),'x00'*4,1,False) log('[keep-alive2] send2',('hex')) (packet, (svr, 61440)) while True: data, address = om(1024) if data[0] == 'x07': svr_num = svr_num + 1 break else: log('[keep-alive2] recv2/unexpected',('hex')) log('[keep-alive2] recv2',('hex')) tail = data[16:20] ran += t(1,10)

packet = keep_alive_package_builder(svr_num,dump(ran),tail,3,False) log('[keep-alive2] send3',('hex')) (packet, (svr, 61440)) while True: data, address = om(1024) if data[0] == 'x07': svr_num = svr_num + 1 break else:

else: log('[keep-alive2] recv3/unexpected',('hex')) log('[keep-alive2] recv3',('hex')) tail = data[16:20] log("[keep-alive2] keep-alive2 loop was in daemon.")

i = svr_num while True: try: (20) keep_alive1(*args) ran += t(1,10)

packet = keep_alive_package_builder(i,dump(ran),tail,1,False) #log('DEBUG: keep_alive2,packet 4n',('hex')) log('[keep_alive2] send',str(i),('hex')) (packet, (svr, 61440)) data, address = om(1024) log('[keep_alive2] recv',('hex')) tail = data[16:20] #log('DEBUG: keep_alive2,packet 4 returnn',('hex'))

ran += t(1,10)

packet = keep_alive_package_builder(i+1,dump(ran),tail,3,False) #log('DEBUG: keep_alive2,packet 5n',('hex')) (packet, (svr, 61440)) log('[keep_alive2] send',str(i+1),('hex')) data, address = om(1024) log('[keep_alive2] recv',('hex')) tail = data[16:20] #log('DEBUG: keep_alive2,packet 5 returnn',('hex')) i = (i+2) % 0xFF except: breakdef checksum(s): ret = 1234 x = 0 for i in [x*4 for x in range(0, -(-len(s)//4))]: ret ^= int(s[i:i+4].ljust(4, 'x00')[::-1].encode('hex'), 16) ret = (1968 * ret) & 0xffffffff return ('

# NOTE(review): this span opens inside mkpkt() (its signature and leading
# bytes are not on the page) and ends inside keep_alive1(); stripped names
# again (`(data)` reads as a send, `(36, 'x00')` as a left-justified pad of
# the username, `host_(32, 'x00')` as the same pad of host_name).
#
# mkpkt tail: appends MAC xor data[4:10], md5("\x01"+pwd+salt+4 zero bytes),
# host_ip and three zero IPs, the first 8 bytes of an md5 over the packet so
# far, IPDOG, the host-info struct documented inline (host_name padded to 32,
# PRIMARY_DNS, dhcp_server, fixed OS-version bytes), AUTH_VERSION and, when
# ror_version, an LDAP-auth block of '\x00', chr(len(pwd)) and
# ror(md5("\x03\x01"+salt+pwd), pwd); then the ext-data block carrying
# checksum() and the MAC, padding, two flag bytes and the constant '\xE9\x13'
# the author marks as filled randomly. The whole packet is hex-dumped through
# log() before returning, so DEBUG mode writes the password-derived material
# to LOG_PATH. The LDAP block also puts the password length on the wire in
# clear; that is protocol behaviour, not a local choice.
#
# login(usr, pwd, svr): loops challenge -> mkpkt -> send. A reply from
# (svr, 61440) whose first byte is '\x04' stores data[23:39] in the global
# AUTH_INFO and leaves the loop (line breaks are lost, but presumably
# `return data[23:39]` follows); other replies sleep (3 s in test, 30 s
# otherwise) and retry without limit; replies from another address count
# toward a 5-try cap only when UNLIMITED_RETRY is False; five receive
# timeouts exit the process. `except t as e` is the stripped socket.timeout
# handler and uses print() where everything else uses log(); route it through
# log() too. `#0.8 changed: return data[23:39]` and the duplicated
# `#return data[-22:-6]` are dead comments.
#
# logout(usr, pwd, svr, mac, auth_info): requests a salt; if it is non-empty,
# builds a '\x06\x01\x00' packet with md5("\x03\x01"+salt+pwd), the padded
# username, CONTROLCHECKSTATUS, ADAPTERNUM, MAC xor data[4:10] and auth_info,
# sends it, and logs when the reply starts with '\x04'. No timeout handling:
# the 3 s socket timeout propagates as an exception.
#
# keep_alive1(salt, tail, pwd, svr), keep_alive1_mod branch: sends
# '\x07' + pack('!B', int(time) % 0xFF) + '\x08\x00\x01\x00\x00\x00' until a
# reply arrives from (svr, 61440); a reply not starting with '\x07' raises
# ChallengeException. The receive sits under a bare `except:` that retries on
# any error; narrow it to socket.timeout. seed = res[8:12] is taken and the
# function continues past the end of this page.
data += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, 'x00') #mac xor md51 data += md5sum("x01" + pwd + salt + 'x00' * 4) #md52 data += 'x01' # number of ip data += ''.join([chr(int(i)) for i in host_('.')]) # ->

data += '00' * 4 #your ipaddress 2 data += '00' * 4 #your ipaddress 3 data += '00' * 4 #your ipaddress 4 data += md5sum(data + 'x14x00x07x0B')[:8] #md53 data += IPDOG data += 'x00'*4 # unknown2 ''' struct _tagOSVERSIONINFO { unsigned int OSVersionInfoSize; unsigned int MajorVersion; unsigned int MinorVersion; unsigned int BuildNumber; unsigned int PlatformID; char ServicePack[128]; }; struct _tagHostInfo { char HostName[HOST_NAME_MAX_LEN]; unsigned int DNSIP1; unsigned int DHCPServerIP; unsigned int DNSIP2; unsigned int WINSIP1; unsigned int WINSIP2; struct _tagDrCOM_OSVERSIONINFO OSVersion; }; ''' data += host_(32, 'x00') # _me data += ''.join([chr(int(i)) for i in PRIMARY_('.')]) # _1 data += ''.join([chr(int(i)) for i in dhcp_('.')]) # _rverIP data += 'x00x00x00x00' # _2 data += 'x00' * 4 # _1 data += 'x00' * 4 # _2 data += 'x94x00x00x00' # _ionInfoSize data += 'x05x00x00x00' # _ersion data += 'x01x00x00x00' # _ersion data += 'x28x0Ax00x00' # _umber data += 'x02x00x00x00' # _rmID # _ePack data += host_(32, 'x00') data += 'x00' * 96 # END OF _tagHostInfo data += AUTH_VERSION if ror_version: ''' struct _tagLDAPAuth { unsigned char Code; unsigned char PasswordLen; unsigned char Password[MD5_LEN]; }; ''' data += 'x00' # _ data += chr(len(pwd)) # _rdLen data += ror(md5sum('x03x01' + salt + pwd), pwd) # _rd ''' struct _tagDrcomAuthExtData { unsigned char Code; unsigned char Len; unsigned long CRC; unsigned short Option; unsigned char AdapterAddress[MAC_LEN]; }; ''' data += 'x02' # _ data += 'x0C' # _

data += 'x0C' # _ data += checksum(data + 'x01x26x07x11x00x00' + dump(mac)) # _ data += 'x00x00' # _ data += dump(mac) # _rAddress # END OF _tagDrcomAuthExtData if ror_version: data += 'x00' * (8 - len(pwd)) if len(pwd)%2: data += 'x00' else: data += 'x00' # auto logout / default: False data += 'x00' # broadcast mode / default : False data += 'xE9x13' #unknown, filled numbers randomly =w= log('[mkpkt]',('hex')) return datadef login(usr, pwd, svr): global SALT global AUTH_INFO i = 0 timeoutcount = 0 while True: salt = challenge(svr,()+t(0xF,0xFF)) SALT = salt packet = mkpkt(salt, usr, pwd, mac) log('[login] send',('hex')) (packet, (svr, 61440)) log('[login] packet sent.') try: data, address = om(1024) log('[login] recv',('hex')) if address == (svr, 61440) : if data[0] == 'x04': log('[login] loged in') AUTH_INFO = data[23:39] break else: log('[login] login failed.') if IS_TEST: (3) else: (30) continue else: if i >= 5 and UNLIMITED_RETRY == False : log('[login] exception occured.') (1) else: i += 1 continue except t as e: print(e) log('[login] recv timeout.') timeoutcount += 1 if timeoutcount >= 5: log('[login] recv timeout exception occured 5 times.') (1) else: continue log('[login] login sent') #0.8 changed: return data[23:39] #return data[-22:-6]

#return data[-22:-6]def logout(usr, pwd, svr, mac, auth_info): salt = challenge(svr, ()+t(0xF, 0xFF)) if salt: data = 'x06x01x00' + chr(len(usr) + 20) data += md5sum('x03x01' + salt + pwd) data += (36, 'x00') data += CONTROLCHECKSTATUS data += ADAPTERNUM data += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, 'x00') # data += 'x44x72x63x6F' # Drco data += auth_info (data) data, address = om(1024) if data[:1] == 'x04': log('[logout_auth] logouted.')def keep_alive1(salt,tail,pwd,svr): if keep_alive1_mod: res='' while True: ('x07' + ('!B',int(())%0xFF) + 'x08x00x01x00x00x00', (svr, 61440)) log('[keep_alive1_challenge] keep_alive1_challenge packet sent.') try: res, address = om(1024) log('[keep_alive1_challenge] recv', ('hex')) except: log('[keep_alive1_challenge] timeout, ') continue if address == (svr, 61440): if res[0] == 'x07': break else: raise ChallengeException else: continue seed = res[8:12] # encrypt_type = int(res[5].encode('hex')) encrypt_type = ('
