/*
Login-parsing Faux Server
The Meanwhile Project
This is a tool to aide in reverse engineering different types of
authentication schemes.
Christopher O'Brien <siege@preoccupied.net>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <unistd.h>
#include <glib.h>
#include <glib/glist.h>
#include <mw_cipher.h>
#include <mw_common.h>
#include <mw_message.h>
/** the server socket or the connected socket */
static int sock;
/** the io channel */
static GIOChannel *chan;
/** the listening event on the io channel */
static int chan_io;
static guchar *sbuf;
static gsize sbuf_size;
static gsize sbuf_recv;
struct mwMpi *private, *public;
static void hexout(const char *txt, const guchar *buf, gsize len) {
FILE *fp;
if(txt) fprintf(stdout, "\n%s\n", txt);
fflush(stdout);
fp = popen("hexdump -C", "w");
fwrite(buf, len, 1, fp);
fflush(fp);
pclose(fp);
}
static void send_msg(struct mwMessage *msg) {
struct mwPutBuffer *b;
struct mwOpaque o = { 0, 0 };
b = mwPutBuffer_new();
mwMessage_put(b, msg);
mwPutBuffer_finalize(&o, b);
b = mwPutBuffer_new();
mwOpaque_put(b, &o);
mwOpaque_clear(&o);
mwPutBuffer_finalize(&o, b);
if(sock) write(sock, o.data, o.len);
hexout("sent:", o.data, o.len);
mwOpaque_clear(&o);
}
static void handshake_ack() {
struct mwMsgHandshakeAck *msg;
msg = (struct mwMsgHandshakeAck *)
mwMessage_new(mwMessage_HANDSHAKE_ACK);
msg->major = 0x1e;
msg->minor = 0x1d;
mwMpi_randDHKeypair(private, public);
mwMpi_export(public, &msg->data);
msg->magic = 0x01234567;
hexout("sending pubkey:", msg->data.data, msg->data.len);
send_msg(MW_MESSAGE(msg));
mwMessage_free(MW_MESSAGE(msg));
}
static void handle_login(struct mwMsgLogin *msg) {
struct mwGetBuffer *gb;
struct mwOpaque a, b, c;
guint16 z;
struct mwMpi *remote, *shared;
guchar iv[8];
remote = mwMpi_new();
shared = mwMpi_new();
mwIV_init(iv);
gb = mwGetBuffer_wrap(&msg->auth_data);
guint16_get(gb, &z);
mwOpaque_get(gb, &a);
mwOpaque_get(gb, &b);
mwGetBuffer_free(gb);
mwMpi_import(remote, &a);
mwOpaque_clear(&a);
mwMpi_calculateDHShared(shared, remote, private);
mwMpi_export(shared, &a);
hexout("shared key:", a.data, a.len);
mwDecrypt(a.data+(a.len-16), 16, iv, &b, &c);
hexout("decrypted to:", c.data, c.len);
mwOpaque_clear(&a);
mwOpaque_clear(&b);
mwOpaque_clear(&c);
mwMpi_free(remote);
mwMpi_free(shared);
}
static void done() {
close(sock);
exit(0);
}
static void side_process(const guchar *buf, gsize len) {
struct mwOpaque o = { .len = len, .data = (guchar *) buf };
struct mwGetBuffer *b;
guint16 type;
if(! len) return;
b = mwGetBuffer_wrap(&o);
type = guint16_peek(b);
hexout("received:", buf, len);
switch(type) {
case mwMessage_HANDSHAKE:
printf("got handshake, sending handshake_ack\n");
handshake_ack();
break;
case mwMessage_LOGIN:
printf("got login, attempting to decipher\n");
{
struct mwMsgLogin *msg = (struct mwMsgLogin *) mwMessage_get(b);
handle_login(msg);
mwMessage_free(MW_MESSAGE(msg));
done();
}
break;
case mwMessage_CHANNEL_DESTROY:
printf("channel destroy\n");
done();
break;
default:
;
}
mwGetBuffer_free(b);
}
static void sbuf_free() {
g_free(sbuf);
sbuf = NULL;
sbuf_size = 0;
sbuf_recv = 0;
}
#define ADVANCE(b, n, count) { b += count; n -= count; }
/* handle input to complete an existing buffer */
static gsize side_recv_cont(const guchar *b, gsize n) {
gsize x = sbuf_size - sbuf_recv;
if(n < x) {
memcpy(sbuf + sbuf_recv, b, n);
sbuf_recv += n;
return 0;
} else {
memcpy(sbuf + sbuf_recv, b, x);
ADVANCE(b, n, x);
if(sbuf_size == 4) {
struct mwOpaque o = { .len = 4, .data = sbuf };
struct mwGetBuffer *gb = mwGetBuffer_wrap(&o);
x = guint32_peek(gb);
mwGetBuffer_free(gb);
if(n < x) {
guchar *t;
x += 4;
t = (guchar *) g_malloc(x);
memcpy(t, sbuf, 4);
memcpy(t+4, b, n);
sbuf_free();
sbuf = t;
sbuf_size = x;
sbuf_recv = n + 4;
return 0;
} else {
sbuf_free();
side_process(b, x);
ADVANCE(b, n, x);
}
} else {
side_process(sbuf+4, sbuf_size-4);
sbuf_free();
}
}
return n;
}
/* handle input when there's nothing previously buffered */
static gsize side_recv_empty(const guchar *b, gsize n) {
struct mwOpaque o = { .len = n, .data = (guchar *) b };
struct mwGetBuffer *gb;
gsize x;
if(n < 4) {
sbuf = (guchar *) g_malloc0(4);
memcpy(sbuf, b, n);
sbuf_size = 4;
sbuf_recv = n;
return 0;
}
gb = mwGetBuffer_wrap(&o);
x = guint32_peek(gb);
mwGetBuffer_free(gb);
if(! x) return n - 4;
if(n < (x + 4)) {
x += 4;
sbuf = (guchar *) g_malloc(x);
memcpy(sbuf, b, n);
sbuf_size = x;
sbuf_recv = n;
return 0;
} else {
ADVANCE(b, n, 4);
side_process(b, x);
ADVANCE(b, n, x);
return n;
}
}
static gsize side_recv(const guchar *b, gsize n) {
if(n && (sbuf_size == 0) && (*b & 0x80)) {
ADVANCE(b, n, 1);
}
if(n == 0) {
return 0;
} else if(sbuf_size > 0) {
return side_recv_cont(b, n);
} else {
return side_recv_empty(b, n);
}
}
static void feed_buf(const guchar *buf, gsize n) {
guchar *b = (guchar *) buf;
gsize remain = 0;
while(n > 0) {
remain = side_recv(b, n);
b += (n - remain);
n = remain;
}
}
static int read_recv() {
guchar buf[2048];
int len;
len = read(sock, buf, 2048);
if(len > 0) feed_buf(buf, (gsize) len);
return len;
}
static gboolean read_cb(GIOChannel *chan,
GIOCondition cond,
gpointer data) {
int ret = 0;
if(cond & G_IO_IN) {
ret = read_recv();
if(ret > 0) return TRUE;
}
if(sock) {
g_source_remove(chan_io);
close(sock);
sock = 0;
chan = NULL;
chan_io = 0;
}
done();
return FALSE;
}
static gboolean listen_cb(GIOChannel *chan,
GIOCondition cond,
gpointer data) {
struct sockaddr_in rem;
guint len = sizeof(rem);
printf("accepting connection\n");
sock = accept(sock, (struct sockaddr *) &rem, &len);
g_assert(sock > 0);
g_source_remove(chan_io);
chan = g_io_channel_unix_new(sock);
chan_io = g_io_add_watch(chan, G_IO_IN | G_IO_ERR | G_IO_HUP,
read_cb, NULL);
return FALSE;
}
static void init_socket(int port) {
/* start listening on the local port specifier */
struct sockaddr_in sin;
sock = socket(PF_INET, SOCK_STREAM, 0);
g_assert(sock >= 0);
memset(&sin, 0, sizeof(struct sockaddr_in));
sin.sin_family = PF_INET;
sin.sin_port = htons(port);
sin.sin_addr.s_addr = htonl(INADDR_ANY);
if(bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
g_assert_not_reached();
if(listen(sock, 1) < 0)
g_assert_not_reached();
chan = g_io_channel_unix_new(sock);
chan_io = g_io_add_watch(chan, G_IO_IN | G_IO_ERR | G_IO_HUP,
listen_cb, NULL);
}
int main(int argc, char *argv[]) {
int port = 0;
private = mwMpi_new();
public = mwMpi_new();
if(argc > 1) {
port = atoi(argv[1]);
}
if(!port) {
fprintf(stderr,
( " Usage: %s local_port\n"
" Creates a locally-running sametime server which prints"
" login information to stdout\n" ),
argv[0]);
exit(1);
}
/* @todo create signal handlers to cleanup socket */
init_socket(port);
g_main_loop_run(g_main_loop_new(NULL, FALSE));
return 0;
}