write ( image_data ) for command in commands : print commandĪfter executing the script, we are presented with the picture being sent back to the mother ship (and the answer to the second question).
append ( decoded ) with open ( 'picture', 'wb' ) as f : f. replace ( 'FILE:', '' ) image = True continue # Only append commands that don't have FILE in the command commands.
b64decode ( data ) if 'JFIF' in decoded or image : image_data += decoded. for packet in pkts : if DNSQR in packet : if packet. The second bullet can be accomplished in Python very easily: data = data.replace('FILE:', '').Ĭombining these two bullets, we should be able to extract the image with the following script:įrom scapy.all import * import base64 pkts = rdpcap ( 'gnome.pcap' ) commands = image = False image_data = '' # For each packet in the pcap, check for the DSN Transaction ID of 0x1337 # This was identified via manual analysis of the pcap itself # Each of these packets contains a base64 encoded string containing # command information. After that point, all data will be added to a buffer that will be written to a file after the parsing has completed.
In order to accomplish the first bullet, we will simply have a global flag that will be set to true once we see the JFIF fly by.
FILE:START_STATE,NAME=/root/Pictures/snapshot_CURRENT.jpg
0 kommentar(er)
