2018-03-01 06:27:12 +08:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
|
|
|
import logging
|
|
|
|
import binascii
|
|
|
|
import hashlib
|
|
|
|
import random
|
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
import aes
|
2018-03-01 06:27:12 +08:00
|
|
|
from kmsBase import kmsBase
|
|
|
|
from structure import Structure
|
|
|
|
from formatText import justify, shell_message, byterize
|
|
|
|
|
|
|
|
class kmsRequestV5(kmsBase):
|
|
|
|
class RequestV5(Structure):
|
|
|
|
class Message(Structure):
|
|
|
|
commonHdr = ()
|
|
|
|
structure = (
|
|
|
|
('salt', '16s'),
|
2018-11-15 06:13:51 +08:00
|
|
|
('encrypted', '240s'), #kmsBase.kmsRequestStruct
|
2018-03-01 06:27:12 +08:00
|
|
|
('padding', ':'),
|
|
|
|
)
|
|
|
|
|
|
|
|
commonHdr = ()
|
|
|
|
structure = (
|
|
|
|
('bodyLength1', '<I'),
|
|
|
|
('bodyLength2', '<I'),
|
|
|
|
('versionMinor', '<H'),
|
|
|
|
('versionMajor', '<H'),
|
|
|
|
('message', ':', Message),
|
|
|
|
)
|
|
|
|
|
|
|
|
class DecryptedRequest(Structure):
|
|
|
|
commonHdr = ()
|
|
|
|
structure = (
|
|
|
|
('salt', '16s'),
|
|
|
|
('request', ':', kmsBase.kmsRequestStruct),
|
|
|
|
)
|
|
|
|
|
|
|
|
class ResponseV5(Structure):
|
|
|
|
commonHdr = ()
|
|
|
|
structure = (
|
2018-11-15 06:13:51 +08:00
|
|
|
('bodyLength1', '<I'),
|
2018-03-01 06:27:12 +08:00
|
|
|
('unknown', '!I=0x00000200'),
|
2018-11-15 06:13:51 +08:00
|
|
|
('bodyLength2', '<I'),
|
2018-03-01 06:27:12 +08:00
|
|
|
('versionMinor', '<H'),
|
|
|
|
('versionMajor', '<H'),
|
|
|
|
('salt', '16s'),
|
|
|
|
('encrypted', ':'), #DecryptedResponse
|
|
|
|
('padding', ':'),
|
|
|
|
)
|
|
|
|
|
|
|
|
class DecryptedResponse(Structure):
|
|
|
|
commonHdr = ()
|
|
|
|
structure = (
|
|
|
|
('response', ':', kmsBase.kmsResponseStruct),
|
|
|
|
('keys', '16s'),
|
|
|
|
('hash', '32s'),
|
|
|
|
)
|
|
|
|
|
|
|
|
key = bytearray([ 0xCD, 0x7E, 0x79, 0x6F, 0x2A, 0xB2, 0x5D, 0xCB, 0x55, 0xFF, 0xC8, 0xEF, 0x83, 0x64, 0xC4, 0x70 ])
|
|
|
|
|
|
|
|
v6 = False
|
|
|
|
|
|
|
|
ver = 5
|
|
|
|
|
|
|
|
def executeRequestLogic(self):
|
2018-11-15 06:13:51 +08:00
|
|
|
requestData = self.RequestV5(self.data)
|
2018-03-01 06:27:12 +08:00
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
decrypted = self.decryptRequest(requestData)
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
responseBuffer = self.serverLogic(decrypted['request'])
|
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
iv, encrypted = self.encryptResponse(requestData, decrypted, responseBuffer)
|
|
|
|
|
|
|
|
responseData = self.generateResponse(iv, encrypted, requestData)
|
2018-03-01 06:27:12 +08:00
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
return responseData
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
def decryptRequest(self, request):
|
2018-11-15 06:13:51 +08:00
|
|
|
encrypted = bytearray(str(request['message']).encode('latin-1'))
|
|
|
|
iv = bytearray(request['message']['salt'].encode('latin-1'))
|
|
|
|
|
2018-03-01 06:27:12 +08:00
|
|
|
moo = aes.AESModeOfOperation()
|
|
|
|
moo.aes.v6 = self.v6
|
|
|
|
decrypted = moo.decrypt(encrypted, 256, moo.ModeOfOperation["CBC"], self.key, moo.aes.KeySize["SIZE_128"], iv) #*2to3*
|
|
|
|
decrypted = aes.strip_PKCS7_padding(decrypted)
|
2018-11-15 06:13:51 +08:00
|
|
|
decrypted = bytes(decrypted)
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
return self.DecryptedRequest(decrypted)
|
|
|
|
|
|
|
|
def encryptResponse(self, request, decrypted, response):
|
|
|
|
randomSalt = self.getRandomSalt()
|
2018-11-15 06:13:51 +08:00
|
|
|
result = hashlib.sha256(randomSalt).digest()
|
|
|
|
iv = bytearray(request['message']['salt'].encode('latin-1'))
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
randomStuff = bytearray(16)
|
|
|
|
for i in range(0,16):
|
2018-11-15 06:13:51 +08:00
|
|
|
randomStuff[i] = (bytearray(decrypted['salt'].encode('latin-1'))[i] ^ iv[i] ^ randomSalt[i]) & 0xff
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
responsedata = self.DecryptedResponse()
|
|
|
|
responsedata['response'] = response
|
2018-11-15 06:13:51 +08:00
|
|
|
responsedata['keys'] = randomStuff
|
2018-03-01 06:27:12 +08:00
|
|
|
responsedata['hash'] = result
|
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
padded = aes.append_PKCS7_padding(str(responsedata).encode('latin-1'))
|
2018-03-01 06:27:12 +08:00
|
|
|
moo = aes.AESModeOfOperation()
|
|
|
|
moo.aes.v6 = self.v6
|
2018-11-15 06:13:51 +08:00
|
|
|
mode, orig_len, crypted = moo.encrypt(padded, moo.ModeOfOperation["CBC"], self.key, moo.aes.KeySize["SIZE_128"], iv)
|
2018-03-01 06:27:12 +08:00
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
return iv.decode('latin-1').encode('latin-1'), crypted
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
def decryptResponse(self, response):
|
2018-11-15 06:13:51 +08:00
|
|
|
paddingLength = self.getPadding(response['bodyLength1'])
|
|
|
|
|
|
|
|
iv = bytearray(response['salt'].encode('latin-1'))
|
|
|
|
encrypted = bytearray(response['encrypted'][:-paddingLength].encode('latin-1'))
|
2018-03-01 06:27:12 +08:00
|
|
|
moo = aes.AESModeOfOperation()
|
|
|
|
moo.aes.v6 = self.v6
|
2018-11-15 06:13:51 +08:00
|
|
|
decrypted = moo.decrypt(encrypted, 256, moo.ModeOfOperation["CBC"], self.key, moo.aes.KeySize["SIZE_128"], iv)
|
2018-03-01 06:27:12 +08:00
|
|
|
decrypted = aes.strip_PKCS7_padding(decrypted)
|
2018-11-15 06:13:51 +08:00
|
|
|
decrypted = bytes(decrypted)
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
return self.DecryptedResponse(decrypted)
|
|
|
|
|
|
|
|
def getRandomSalt(self):
|
|
|
|
return bytearray(random.getrandbits(8) for i in range(16))
|
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
def generateResponse(self, iv, encryptedResponse, requestData):
|
2018-03-01 06:27:12 +08:00
|
|
|
response = self.ResponseV5()
|
2018-11-15 06:13:51 +08:00
|
|
|
bodyLength = 2 + 2 + len(iv) + len(encryptedResponse)
|
|
|
|
response['bodyLength1'] = bodyLength
|
|
|
|
response['bodyLength2'] = bodyLength
|
|
|
|
response['versionMinor'] = requestData['versionMinor']
|
|
|
|
response['versionMajor'] = requestData['versionMajor']
|
2018-03-01 06:27:12 +08:00
|
|
|
response['salt'] = iv
|
2018-11-15 06:13:51 +08:00
|
|
|
response['encrypted'] = bytes(encryptedResponse)
|
|
|
|
response['padding'] = bytearray(self.getPadding(bodyLength)).decode('latin-1').encode('latin-1')
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
shell_message(nshell = 16)
|
|
|
|
response = byterize(response)
|
|
|
|
logging.info("KMS V%d Response: \n%s\n" % (self.ver, justify(response.dump(print_to_stdout = False))))
|
2018-11-15 06:13:51 +08:00
|
|
|
logging.info("KMS V%d Structure Bytes: \n%s\n" % (self.ver, justify(binascii.b2a_hex(str(response).encode('latin-1')).decode('utf-8'))))
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
return str(response)
|
|
|
|
|
|
|
|
def generateRequest(self, requestBase):
|
|
|
|
esalt = self.getRandomSalt()
|
|
|
|
|
|
|
|
moo = aes.AESModeOfOperation()
|
|
|
|
moo.aes.v6 = self.v6
|
2018-11-15 06:13:51 +08:00
|
|
|
dsalt = moo.decrypt(esalt, 16, moo.ModeOfOperation["CBC"], self.key, moo.aes.KeySize["SIZE_128"], esalt)
|
2018-03-01 06:27:12 +08:00
|
|
|
dsalt = bytearray(dsalt)
|
|
|
|
|
|
|
|
decrypted = self.DecryptedRequest()
|
2018-11-15 06:13:51 +08:00
|
|
|
decrypted['salt'] = dsalt
|
2018-03-01 06:27:12 +08:00
|
|
|
decrypted['request'] = requestBase
|
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
padded = aes.append_PKCS7_padding(str(decrypted).encode('latin-1'))
|
|
|
|
mode, orig_len, crypted = moo.encrypt(padded, moo.ModeOfOperation["CBC"], self.key, moo.aes.KeySize["SIZE_128"], esalt)
|
2018-03-01 06:27:12 +08:00
|
|
|
|
2018-11-15 06:13:51 +08:00
|
|
|
message = self.RequestV5.Message(bytes(crypted))
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
request = self.RequestV5()
|
2018-11-15 06:13:51 +08:00
|
|
|
bodyLength = 2 + 2 + len(message)
|
2018-03-01 06:27:12 +08:00
|
|
|
request['bodyLength1'] = bodyLength
|
|
|
|
request['bodyLength2'] = bodyLength
|
|
|
|
request['versionMinor'] = requestBase['versionMinor']
|
|
|
|
request['versionMajor'] = requestBase['versionMajor']
|
|
|
|
request['message'] = message
|
|
|
|
|
|
|
|
shell_message(nshell = 10)
|
|
|
|
request = byterize(request)
|
|
|
|
logging.info("Request V%d Data: \n%s\n" % (self.ver, justify(request.dump(print_to_stdout = False))))
|
2018-11-15 06:13:51 +08:00
|
|
|
logging.info("Request V%d: \n%s\n" % (self.ver, justify(binascii.b2a_hex(str(request).encode('latin-1')).decode('utf-8'))))
|
2018-03-01 06:27:12 +08:00
|
|
|
|
|
|
|
return request
|