![]() ![]() write ( image_data ) for command in commands : print commandĪfter executing the script, we are presented with the picture being sent back to the mother ship (and the answer to the second question). append ( decoded ) with open ( 'picture', 'wb' ) as f : f. replace ( 'FILE:', '' ) image = True continue # Only append commands that don't have FILE in the command commands. b64decode ( data ) if 'JFIF' in decoded or image : image_data += decoded. for packet in pkts : if DNSQR in packet : if packet. The second bullet can be accomplished in Python very easily: data = data.replace('FILE:', '').Ĭombining these two bullets, we should be able to extract the image with the following script:įrom scapy.all import * import base64 pkts = rdpcap ( 'gnome.pcap' ) commands = image = False image_data = '' # For each packet in the pcap, check for the DSN Transaction ID of 0x1337 # This was identified via manual analysis of the pcap itself # Each of these packets contains a base64 encoded string containing # command information. After that point, all data will be added to a buffer that will be written to a file after the parsing has completed. In order to accomplish the first bullet, we will simply have a global flag that will be set to true once we see the JFIF fly by. ![]() Remove the FILE: indicator prepending each line.In order to extract the image, we need to do the following: The other annoying bit is that there is FILE: prepending all of the data in the transmission. We can use this as indication that we are looking at the image data. jpg, which has the interesting file signature of JFIF in the first few bytes of its header. FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |