kick.py
import os, sys
import struct
import time
from xml.sax.saxutils import escape

from pwn import *
# Target GBXRemote endpoint. Both values are hard-coded; point them at the
# dedicated server's XML-RPC listener before running.
HOST, PORT = 'localhost', 5000
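def login(p, username='SuperAdmin', password='SuperAdmin'):
    """Authenticate on an already-connected GBXRemote 2 tube.

    Builds an XML-RPC ``Authenticate`` call, wraps it in the GBXRemote frame
    header (4-byte payload length followed by a 4-byte request handler, both
    32-bit little-endian) and reads back exactly one framed reply.

    Args:
        p: a connected pwntools tube (anything with ``send``/``recvn``) whose
            ``GBXRemote 2`` banner the caller has already consumed.
        username, password: credentials placed in the call. The defaults are
            the server's stock ``SuperAdmin`` account; pass real credentials
            in rather than editing them into the source.

    Returns:
        The raw XML-RPC reply body as bytes, so the caller can inspect it.

    Raises:
        SystemExit: with status 1 when the reply's handler does not echo the
            request handler, or when the reply is an XML-RPC ``<fault>``
            (i.e. the credentials were rejected).
    """
    print("Valid header!")
    print('Authenticating ...')
    # First client-side request handler; the server echoes it in the reply
    # (checked below). throw() uses the next value for its own request.
    handler = 0x80000000

    # The credentials become XML text nodes, so escape them: a '<' or '&' in
    # a password would otherwise corrupt (or inject into) the call.
    user = escape(username).encode()
    pw = escape(password).encode()
    data = b''.join([
        b'<?xml version="1.0"?>',
        b'<methodCall>',
        b'<methodName>Authenticate</methodName>',
        b'<params>',
        b'<param><value>', user, b'</value></param>',
        b'<param><value>', pw, b'</value></param>',
        b'</params>',
        b'</methodCall>',
    ])

    # Frame: payload length, then handler, both little-endian. The byte order
    # is spelled out here instead of relying on pwntools' p32/u32, whose
    # endianness follows context.endian (little by default - the earlier
    # "big endian" comment did not match what was actually sent).
    packet = struct.pack('<II', len(data), handler) + data
    p.send(packet)

    # The reply header has the same layout. Read exactly 8 bytes: recv(8)
    # may return fewer, and unpacking a short slice would then fail with an
    # unrelated-looking error.
    size, response_handler = struct.unpack('<II', p.recvn(8))
    if response_handler != handler:
        print('Response handler does not match!')
        sys.exit(1)  # non-zero so a wrapper or CI notices the failure
    response = p.recvn(size)
    # An XML-RPC fault reply means the call (here: the login) was rejected;
    # continuing would make every later call fail or run unauthenticated.
    if b'<fault>' in response:
        print('Authentication failed: server returned an XML-RPC fault')
        sys.exit(1)
    return response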
# connect
def throw(contents) -> None:
    """Connect to HOST:PORT, check the GBXRemote banner and authenticate.

    As written, the function stops right after login(): the early ``return``
    below leaves the whole "send ``contents`` as a framed call" section
    unreachable, so ``contents`` is currently never used.

    Args:
        contents: raw XML-RPC payload to frame and send. The (unreachable)
            send path concatenates it with bytes, so it must be bytes there;
            the ``__main__`` call at the bottom of the file passes a str.

    Side effects: opens a TCP connection, prints to stdout, and exits the
    process with status 0 if the banner is not ``GBXRemote 2``.
    """
    p = remote(HOST, PORT)
    # Receive and validate the GBX banner: 4-byte length, then the banner text.
    # NOTE(review): recv(4) / recv(n) return up to n bytes, not exactly n;
    # pwntools' recvn() would guarantee the full count.
    data = p.recv(4)
    headerLength = u32(data)
    ## banner text, headerLength bytes
    data = p.recv(headerLength)
    header = data.decode() # decode bytes to string
    ## the banner should equal "GBXRemote 2"
    if header != "GBXRemote 2":
        print('Invalid header.')
        exit(0)  # NOTE(review): exit status 0 on a failure path hides it from callers
    login(p)
    # NOTE(review): this return makes everything below unreachable and the
    # socket is never closed on this path (process exit cleans it up).
    return
    # Second request handler, one above the one login() used.
    handler = 0x80000001
    ## build the packet
    ### pack handler, 4 bytes int. p32 follows pwntools' context.endian,
    ### which is little-endian by default - not big-endian as the original
    ### comment said; login() relies on the same default.
    handlerBytes = p32(handler)
    ### compile packet: length, handler, payload
    packet = bytes()
    #### packet length
    packetLen = len(contents)
    packet += p32(packetLen)
    #### handler
    packet += handlerBytes
    #### data (must be bytes here; see docstring)
    packet += contents
    ### send the framed call
    p.send(packet)
    header = p.recv(8)
    size = u32(header[:4])
    #### unpack handler, 4 bytes int
    responseHandler = u32(header[4:])
    # NOTE(review): unlike login(), the echoed handler is read but never
    # compared against the one sent.
    #### receive response data
    # NOTE(review): the reply frame announces `size` bytes; the x5 multiplier
    # reads past the frame and may block waiting for bytes that never come.
    response = p.recv(size*5)
    try:
        print(response.decode().replace('\r', ''))
    except:  # NOTE(review): bare except; UnicodeDecodeError is the intended case
        print(response)
    p.close()
if __name__ == "__main__":
    # Smoke-test payload. It is a str; throw()'s send path (currently
    # unreachable because of its early return) concatenates it with bytes.
    throw("AAAABBBBCCCC")