aixiao/tunnel
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

初始提交

Browse Source
This commit is contained in:
aixiao
2023-02-13 18:09:13 +08:00
commit 764a8a3911
10 changed files with 1131 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
README.md Normal file
View File

@@ -0,0 +1,39 @@
# db_tunnel
结合TELEPORT堡垒机使用的DB SSH数据库隧道工具
数据库配置文件、tp_decrypt bin请放到/etc或者与bin文件同一路径
# build
git clone https://git.aixiao.me/aixiao/db_tunnel.git
cd db_tunnel
bash bash build.sh可能会提示安装包
# test
root@NIUYULING:/mnt/c/Users/niuyuling/Desktop/db_tunnel# ./db_tunnel -h
flag needs an argument: -h
Usage of ./db_tunnel:
-d run in daemon
-f run forever
-h string
DB服务器SSH IP地址
-l string
本地监听端口(或者堡垒机监听端口)
-p string
DB服务器SSH PORT
-r string
DB服务器端口如: 3306、1521 ...
-u string
DB服务器SSH USER用户
root@NIUYULING:/mnt/c/Users/niuyuling/Desktop/db_tunnel#
root@NIUYULING:/mnt/c/Users/niuyuling/Desktop/db_tunnel/bin# ./db_tunnel -d -f -h 39.104.27.21 -l 3308 -r 3306 -p 22 -u app
[*] Daemon running in PID: 12918 PPID: 67
root@NIUYULING:/mnt/c/Users/niuyuling/Desktop/db_tunnel/bin# [*] Forever running in PID: 12922 PPID: 1
[*] Service running in PID: 12927 PPID: 12922
39.104.27.21 22 app 3306 3308
39.104.27.21 app 22
数据库连接成功
39.104.27.21 22 app 6+sNDSN4QL7VCLSr+Vt/fNSAX1XsTUwf6fYRTf3pGS8rYBn8Ik
I9EKbb
设置SSH配置服务器:39.104.27.21:22; 用户/密码: app/I9EKbbH; 远程:0.0.0.0:3306; 本地:0.0.0.0:3308
root@NIUYULING:/mnt/c/Users/niuyuling/Desktop/db_tunnel/bin#

BIN
bin/db_tunnel Normal file
View File

Binary file not shown.

BIN
bin/tp_decrypt Normal file
View File

Binary file not shown.

2
build.sh Normal file
View File

@@ -0,0 +1,2 @@
CGO_ENABLED=0 go build -ldflags '-w -s' -o bin/db_tunnel src/main.go && upx -9 bin/db_tunnel

3
etc/tunnel.ini Normal file
View File

@@ -0,0 +1,3 @@
[global]
# "用户名:密码@[连接方式](主机名:端口号)/数据库名"
MYSQL_INFO="root:1234@(43.142.66.71:3306)/teleport";

14
go.mod Normal file
View File

@@ -0,0 +1,14 @@
module db_tunnel
go 1.19
require github.com/docker/docker v23.0.0+incompatible
require (
gitee.com/dtapps/go-ssh-tunnel v1.0.4 // indirect
github.com/CodyGuo/godaemon v0.0.0-20200413142854-c36b39fdd071 // indirect
github.com/go-sql-driver/mysql v1.7.0 // indirect
golang.org/x/crypto v0.3.0 // indirect
golang.org/x/sys v0.2.0 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
)

23
go.sum Normal file
View File

@@ -0,0 +1,23 @@
gitee.com/dtapps/go-ssh-tunnel v1.0.4 h1:jQfS6WeoSWmMz+hSBxopUcgb0xi3fssMjHUYpF1BnYY=
gitee.com/dtapps/go-ssh-tunnel v1.0.4/go.mod h1:VzlCBrBerVEL1fgikHzApbRU5/Ru+KrzktRjnDfxu1M=
github.com/CodyGuo/godaemon v0.0.0-20200413142854-c36b39fdd071 h1:GFI7Rs86D4qip+tBvMcv0ux5kHbngC0rNWfgpTeVoAQ=
github.com/CodyGuo/godaemon v0.0.0-20200413142854-c36b39fdd071/go.mod h1:VBC/JvjvRkcgE7wMjDJs7Y94Ta6KSpCWDquUKW+WbJo=
github.com/docker/docker v23.0.0+incompatible h1:L6c28tNyqZ4/ub9AZC9d5QUuunoHHfEH4/Ue+h/E5nE=
github.com/docker/docker v23.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

342
src/main.go Normal file
View File

@@ -0,0 +1,342 @@
package main
import (
"database/sql"
"flag"
"fmt"
"io"
"io/ioutil"
"log"
"net"
"os"
"os/exec"
"path/filepath"
"strconv"
"strings"
"syscall"
"time"
_ "github.com/go-sql-driver/mysql"
"golang.org/x/crypto/ssh"
"gopkg.in/ini.v1"
)
// 转发
func sForward(serverAddr string, remoteAddr string, localConn net.Conn, config *ssh.ClientConfig) {
// 设置sshClientConn
sshClientConn, err := ssh.Dial("tcp", serverAddr, config)
if err != nil {
fmt.Printf("ssh.Dial failed: %s", err)
os.Exit(1)
}
// 设置Connection
sshConn, _ := sshClientConn.Dial("tcp", remoteAddr)
/*
// 将localConn.Reader复制到sshConn.Writer
go func() {
_, err = io.Copy(sshConn, localConn)
if err != nil {
fmt.Printf("io.Copy failed: %v", err)
os.Exit(1)
}
}()
// 将sshConn.Reader复制到localConn.Writer
go func() {
_, err = io.Copy(localConn, sshConn)
if err != nil {
fmt.Printf("io.Copy failed: %v", err)
os.Exit(1)
}
}()
*/
copyConn := func(writer, reader net.Conn) {
_, err := io.Copy(writer, reader)
if err != nil {
fmt.Printf(" io.Copy error: %s", err)
}
}
go copyConn(localConn, sshConn)
go copyConn(sshConn, localConn)
}
func Tunnel(username string, password string, serverAddr string, remoteAddr string, localAddr string) {
// 设置SSH配置
fmt.Printf("%s服务器:%s; 用户/密码: %s; 远程:%s; 本地:%s\n", "设置SSH配置", serverAddr, username+"/"+password, remoteAddr, localAddr)
config := &ssh.ClientConfig{
User: username,
Auth: []ssh.AuthMethod{
ssh.Password(password),
},
Timeout: 7 * time.Second,
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
return nil
},
}
// 设置本地监听器
localListener, err := net.Listen("tcp", localAddr)
if err != nil {
fmt.Printf("net.Listen failed: %v\n", err)
os.Exit(1)
}
for {
// 设置本地
localConn, err := localListener.Accept()
if err != nil {
fmt.Printf("localListener.Accept failed: %v\n", err)
os.Exit(1)
}
go sForward(serverAddr, remoteAddr, localConn, config)
}
}
type user struct {
id string
host_id string
host_ip string
router_ip string
router_port string
protocol_type string
protocol_port string
state string
acc_auth_id string
auth_type string
username string
username_prompt string
password_prompt string
password string
pri_key string
creator_id string
create_time string
last_secret string
}
func ExecCommand(strCommand string) string {
cmd := exec.Command("/bin/bash", "-c", strCommand)
stdout, _ := cmd.StdoutPipe()
if err := cmd.Start(); err != nil {
fmt.Println("Execute failed when Start: " + err.Error())
return ""
}
out_bytes, _ := ioutil.ReadAll(stdout)
stdout.Close()
if err := cmd.Wait(); err != nil {
fmt.Println("Execute failed when Wait: " + err.Error())
return ""
}
return string(out_bytes)
}
func ssh_tunnel(host_ip string, host_port string, host_name string, remote_ip string, local_ip string, mysql_info string) {
fmt.Println(host_ip, host_name, host_port)
//"用户名:密码@[连接方式](主机名:端口号)/数据库名"
var db *sql.DB
db, _ = sql.Open("mysql", mysql_info) // 设置连接数据库的参数
defer db.Close() //关闭数据库
err := db.Ping() //连接数据库
if err != nil {
fmt.Println("数据库连接失败")
// 退出
syscall.Kill(os.Getppid(), syscall.SIGKILL)
syscall.Kill(os.Getpid(), syscall.SIGKILL)
} else {
fmt.Println("数据库连接成功")
}
sqlStr := "select host_ip, username, protocol_port, password from tp_acc where host_ip = ? and username = ? and protocol_port = ?"
rows, err := db.Query(sqlStr, host_ip, host_name, host_port)
if err != nil {
fmt.Printf("query failed, err:%v\n", err)
return
}
// 非常重要关闭rows释放持有的数据库链接
defer rows.Close()
var u user
// 循环读取结果集中的数据
for rows.Next() {
err := rows.Scan(&u.host_ip, &u.username, &u.protocol_port, &u.password)
if err != nil {
fmt.Printf("scan failed, err:%v\n", err)
return
}
fmt.Printf("%s %s %s %s\n", u.host_ip, u.protocol_port, u.username, u.password)
}
// 解密密钥
command := "./tp_decrypt "
command = command + u.password
strData := ExecCommand(command)
strData = strings.Replace(strData, "\n", "", -1)
fmt.Println(strData)
if strData == "" {
// 判断密码是否解密成功,不成功退出
syscall.Kill(os.Getppid(), syscall.SIGKILL)
syscall.Kill(os.Getpid(), syscall.SIGKILL)
}
Tunnel(host_name, strData, u.host_ip+":"+u.protocol_port, "0.0.0.0:"+remote_ip, "0.0.0.0:"+local_ip)
}
func StripSlice(slice []string, element string) []string {
for i := 0; i < len(slice); {
if slice[i] == element && i != len(slice)-1 {
slice = append(slice[:i], slice[i+1:]...)
} else if slice[i] == element && i == len(slice)-1 {
slice = slice[:i]
} else {
i++
}
}
return slice
}
func SubProcess(args []string) *exec.Cmd {
cmd := exec.Command(args[0], args[1:]...)
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err := cmd.Start()
if err != nil {
fmt.Fprintf(os.Stderr, "[-] Error: %s\n", err)
}
return cmd
}
const (
DAEMON = "d"
FOREVER = "f"
HOST_IP = "h"
HOST_PORT = "p"
HOST_USER = "u"
HOST_REMOTE = "r"
HOST_LOCAL = "l"
)
// Check if a port is available
func Check(port int) (status bool, err error) {
// Concatenate a colon and the port
host := ":" + strconv.Itoa(port)
// Try to create a server with the port
server, err := net.Listen("tcp", host)
// if it fails then the port is likely taken
if err != nil {
return false, err
}
// close the server
server.Close()
// we successfully used and closed the port
// so it's now available to be used again
return true, nil
}
func GetCurrentDirectory() string {
dir, err := filepath.Abs(filepath.Dir(os.Args[0])) //返回绝对路径 filepath.Dir(os.Args[0])去除最后一个元素的路径
if err != nil {
log.Fatal(err)
}
return strings.Replace(dir, "\\", "/", -1) //将\替换成/
}
func PathExists(path string) (bool, error) {
_, err := os.Stat(path)
if err == nil {
return true, nil
}
if os.IsNotExist(err) {
return false, nil
}
return false, err
}
func main() {
// 判断配置文件是否存在
INIFILE := GetCurrentDirectory() + "/" + "tunnel.ini"
b, _ := PathExists(INIFILE)
if !b {
INIFILE = "/etc/tunnel.ini"
}
// 读取配置文件
cfg, inierr := ini.Load(INIFILE)
if inierr != nil {
fmt.Printf("Fail to read file: %v", inierr)
os.Exit(1)
}
// 读取数据库连接信息
MYSQL_INFO := cfg.Section("global").Key("MYSQL_INFO").String()
daemon := flag.Bool(DAEMON, false, "run in daemon")
forever := flag.Bool(FOREVER, false, "run forever")
host_ip := flag.String(HOST_IP, "", "DB服务器SSH IP地址")
host_port := flag.String(HOST_PORT, "", "DB服务器SSH PORT")
host_user := flag.String(HOST_USER, "", "DB服务器SSH USER用户")
remote_port := flag.String(HOST_REMOTE, "", "DB服务器端口如: 3306、1521 ...")
local_port := flag.String(HOST_LOCAL, "", "本地监听端口(或者堡垒机监听端口)")
flag.Parse()
if *daemon {
SubProcess(StripSlice(os.Args, "-"+DAEMON))
fmt.Printf("[*] Daemon running in PID: %d PPID: %d\n", os.Getpid(), os.Getppid())
os.Exit(0)
} else if *forever {
for {
cmd := SubProcess(StripSlice(os.Args, "-"+FOREVER))
fmt.Printf("[*] Forever running in PID: %d PPID: %d\n", os.Getpid(), os.Getppid())
time.Sleep(time.Second * 5)
cmd.Wait()
}
os.Exit(0)
} else {
fmt.Printf("[*] Service running in PID: %d PPID: %d\n", os.Getpid(), os.Getppid())
}
if 0 == 0 {
fmt.Println(*host_ip, *host_port, *host_user, *remote_port, *local_port)
//
local_port_, _ := strconv.Atoi(*local_port)
r, _ := Check(local_port_)
//fmt.Println(r)
if r {
ssh_tunnel(*host_ip, *host_port, *host_user, *remote_port, *local_port, MYSQL_INFO)
} else {
fmt.Println(local_port_, "端口不可用!", r, "退出!")
fp, _ := os.OpenFile("./pid.log", os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
log.SetOutput(fp)
log.Printf("DoSomething running in PPID: %d\n", os.Getppid())
syscall.Kill(os.Getppid(), syscall.SIGKILL)
time.Sleep(time.Second * 10)
os.Exit(0)
}
}
time.Sleep(time.Second * 5)
os.Exit(0)
}

55
tp_decrypt/tp_decrypt.py Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/python3
# cython: language_level=3
import base64
import sys
from Crypto.Cipher import AES
def main():
enc_password = sys.argv[1]
# base64 decode
enc_bin = base64.b64decode(enc_password.encode(), validate=True)
if len(enc_bin) <= 16:
print('Error: invalid encrypted password, bad length.')
return
# prepare key and iv
key = [0xd6, 0xb6, 0x6e, 0x3b, 0x41, 0xc4, 0x33, 0x13, 0xaa, 0x61, 0xc9, 0x47, 0x82, 0xfc, 0x84, 0x50,
0x85, 0x53, 0x3a, 0x01, 0x97, 0x2d, 0xca, 0xba, 0x87, 0xbc, 0x27, 0x20, 0x29, 0xde, 0x87, 0x67,
]
iv = [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
aes = AES.new(bytearray(key), AES.MODE_CBC, bytearray(iv))
# do decrypt
try:
dec_bin = aes.decrypt(enc_bin)
except Exception as e:
print('Error: got exception when decrypt.')
return
# check #pkcs7 padding
length = len(dec_bin)
pad = int(dec_bin[length-1])
if pad > 16:
print('Error: can not decrypt, invalid encrypted data.')
return
for i in range(pad):
if dec_bin[length-i - 1] != pad:
print('Error: can not decrypt, invalid encrypted data.')
return
# remove padding
dec_bin = dec_bin[:length-pad]
# remove random data
dec_password = dec_bin[16:].decode()
# output decrypted result
print(dec_password)
if __name__ == '__main__':
main()

653
tp_decrypt/tp_decrypt.py.c Normal file
View File

@@ -0,0 +1,653 @@
char Encrypted_data[]="A09282E69616D602020202A0A372F5F5E69616D6F5F57202D3D302F5F556D616E6F5F5026696A0A0A0924627F67737371607F53656468247E696270702020202A047C65737562702465647079727365646024757074757F6023202020202A0A092825646F6365646E2D5A36313B5E69626F536564602D3024627F67737371607F536564602020202A01647164602D6F646E61627025667F6D65627023202020202A0A0D5461607D2864776E656C6A3B5E69626F536564602D302E69626F536564602020202A076E69646461607025667F6D65627023202020202A0A0E62757475627020202020202020202020202A09272E2164716460246564707972736E656024696C61667E69602C2470797273656460247F6E602E6163602A327F6272754728247E6962707020202020202020202020202A0A346160702D31202D51302D20296D2864776E656C6B5E69626F53656460266960202020202020202A0A392461607825676E6162702E69602960227F66602020202A0E627574756270202020202020202A09272E2164716460246564707972736E656024696C61667E69602C2470797273656460247F6E602E6163602A327F6272754728247E69627070202020202020202A0A3631302E30246160702669602020202A092D513D2864776E656C6B5E69626F53656468247E69602D30246160702020202A092E69626F536564682E656C602D302864776E656C602020202A076E6964646160702733736B6073202B636568636023202020202A0A0E627574756270202020202020202A09272E24707972736564602E656867702E6F6964707563687560247F67602A327F6272754728247E69627070202020202020202A0A35602371602E6F6964707563687540247075636875602020202A092E69626F536E6568247079727365646E237561602D302E69626F53656460202020202020202A0A397274702020202A04707972736564602F646023202020202A0A0929267968297162727165647972602C2342434F55444F4D4E235541402C2929756B682971627271656479726827756E6E235541402D30237561602020202A0D50303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C20303870302C203038703B502D302679602020202A0D50202020202020202020202A0C27363870302C27383870302C25646870302C29323870302C20323870302C27323870302C23626870302C27383870302C21626870302C21636870302C24623870302C27393870302C21303870302C21633870302C23353870302C2538387030202020202020202020202A0C20353870302C24383870302C23666870302C22383870302C27343870302C29336870302C21363870302C21616870302C23313870302C23333870302C24336870302C21343870302C22633870302C25663870302C26326870302C263468703B502D3029756B602020202A067960246E616029756B60256271607562707023202020202A0A0E627574756270202020202020202A09272E2864776E656C60246162602C24627F677373716070246564707972736E656024696C61667E69602A327F6272754728247E69627070202020202020202A0A3631302D3C30292E69626F536E65682E656C602669602020202A09256572745D35647164696C6166702C292825646F636E656E24627F67737371607F536E656825646F6365646436326E243635637162602D302E69626F536E65602020202A05646F636564602436356371626023202020202A0A0D513B567762716E237973702D3024627F67737371607F536E65602020202A0A0A39282E69616D602665646A0A0A0355414024727F607D69602275686079634E2F6470797273402D6F62766A0A0379737024727F607D696A0436356371626024727F607D696A033D3C6566756C6F55676165776E616C602A3E6F6864797360232A033E68FC2B73B010CD805CF9D1CE1A8C64BC2";
int encrypted_text_len=1483;
const char key[16] = "aixiao.me";
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdbool.h>
#define CBC 1
#define CTR 1
#define ECB 1
#ifndef _AES_H_
#define _AES_H_
#include <stdint.h>
#include <stddef.h>
#ifndef CBC
#define CBC 1
#endif
#ifndef ECB
#define ECB 1
#endif
#ifndef CTR
#define CTR 1
#endif
#define AES128 1
//#define AES192 1
//#define AES256 1
#define AES_BLOCKLEN 16 // Block length in bytes - AES is 128b block only
#if defined(AES256) && (AES256 == 1)
#define AES_KEYLEN 32
#define AES_keyExpSize 240
#elif defined(AES192) && (AES192 == 1)
#define AES_KEYLEN 24
#define AES_keyExpSize 208
#else
#define AES_KEYLEN 16 // Key length in bytes
#define AES_keyExpSize 176
#endif
struct AES_ctx {
uint8_t RoundKey[AES_keyExpSize];
#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
uint8_t Iv[AES_BLOCKLEN];
#endif
};
void AES_init_ctx(struct AES_ctx *ctx, const uint8_t * key);
#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
void AES_init_ctx_iv(struct AES_ctx *ctx, const uint8_t * key, const uint8_t * iv);
void AES_ctx_set_iv(struct AES_ctx *ctx, const uint8_t * iv);
#endif
#if defined(ECB) && (ECB == 1)
void AES_ECB_encrypt(const struct AES_ctx *ctx, uint8_t * buf);
void AES_ECB_decrypt(const struct AES_ctx *ctx, uint8_t * buf);
#endif // #if defined(ECB) && (ECB == !)
#if defined(CBC) && (CBC == 1)
void AES_CBC_encrypt_buffer(struct AES_ctx *ctx, uint8_t * buf, size_t length);
void AES_CBC_decrypt_buffer(struct AES_ctx *ctx, uint8_t * buf, size_t length);
#endif // #if defined(CBC) && (CBC == 1)
#if defined(CTR) && (CTR == 1)
void AES_CTR_xcrypt_buffer(struct AES_ctx *ctx, uint8_t * buf, size_t length);
#endif // #if defined(CTR) && (CTR == 1)
#endif // _AES_H_
#define Nb 4
#if defined(AES256) && (AES256 == 1)
#define Nk 8
#define Nr 14
#elif defined(AES192) && (AES192 == 1)
#define Nk 6
#define Nr 12
#else
#define Nk 4 // The number of 32 bit words in a key.
#define Nr 10 // The number of rounds in AES Cipher.
#endif
#ifndef MULTIPLY_AS_A_FUNCTION
#define MULTIPLY_AS_A_FUNCTION 0
#endif
typedef uint8_t state_t[4][4];
static const uint8_t sbox[256] = {
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
};
#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
static const uint8_t rsbox[256] = {
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
};
#endif
static const uint8_t Rcon[11] = {
0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36
};
#define getSBoxValue(num) (sbox[(num)])
static void KeyExpansion(uint8_t * RoundKey, const uint8_t * Key)
{
unsigned i, j, k;
uint8_t tempa[4]; // Used for the column/row operations
for (i = 0; i < Nk; ++i) {
RoundKey[(i * 4) + 0] = Key[(i * 4) + 0];
RoundKey[(i * 4) + 1] = Key[(i * 4) + 1];
RoundKey[(i * 4) + 2] = Key[(i * 4) + 2];
RoundKey[(i * 4) + 3] = Key[(i * 4) + 3];
}
for (i = Nk; i < Nb * (Nr + 1); ++i) {
{
k = (i - 1) * 4;
tempa[0] = RoundKey[k + 0];
tempa[1] = RoundKey[k + 1];
tempa[2] = RoundKey[k + 2];
tempa[3] = RoundKey[k + 3];
}
if (i % Nk == 0) {
{
const uint8_t u8tmp = tempa[0];
tempa[0] = tempa[1];
tempa[1] = tempa[2];
tempa[2] = tempa[3];
tempa[3] = u8tmp;
}
{
tempa[0] = getSBoxValue(tempa[0]);
tempa[1] = getSBoxValue(tempa[1]);
tempa[2] = getSBoxValue(tempa[2]);
tempa[3] = getSBoxValue(tempa[3]);
}
tempa[0] = tempa[0] ^ Rcon[i / Nk];
}
#if defined(AES256) && (AES256 == 1)
if (i % Nk == 4) {
{
tempa[0] = getSBoxValue(tempa[0]);
tempa[1] = getSBoxValue(tempa[1]);
tempa[2] = getSBoxValue(tempa[2]);
tempa[3] = getSBoxValue(tempa[3]);
}
}
#endif
j = i * 4;
k = (i - Nk) * 4;
RoundKey[j + 0] = RoundKey[k + 0] ^ tempa[0];
RoundKey[j + 1] = RoundKey[k + 1] ^ tempa[1];
RoundKey[j + 2] = RoundKey[k + 2] ^ tempa[2];
RoundKey[j + 3] = RoundKey[k + 3] ^ tempa[3];
}
}
void AES_init_ctx(struct AES_ctx *ctx, const uint8_t * key)
{
KeyExpansion(ctx->RoundKey, key);
}
#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
void AES_init_ctx_iv(struct AES_ctx *ctx, const uint8_t * key, const uint8_t * iv)
{
KeyExpansion(ctx->RoundKey, key);
memcpy(ctx->Iv, iv, AES_BLOCKLEN);
}
void AES_ctx_set_iv(struct AES_ctx *ctx, const uint8_t * iv)
{
memcpy(ctx->Iv, iv, AES_BLOCKLEN);
}
#endif
static void AddRoundKey(uint8_t round, state_t * state, const uint8_t * RoundKey)
{
uint8_t i, j;
for (i = 0; i < 4; ++i) {
for (j = 0; j < 4; ++j) {
(*state)[i][j] ^= RoundKey[(round * Nb * 4) + (i * Nb) + j];
}
}
}
static void SubBytes(state_t * state)
{
uint8_t i, j;
for (i = 0; i < 4; ++i) {
for (j = 0; j < 4; ++j) {
(*state)[j][i] = getSBoxValue((*state)[j][i]);
}
}
}
static void ShiftRows(state_t * state)
{
uint8_t temp;
temp = (*state)[0][1];
(*state)[0][1] = (*state)[1][1];
(*state)[1][1] = (*state)[2][1];
(*state)[2][1] = (*state)[3][1];
(*state)[3][1] = temp;
temp = (*state)[0][2];
(*state)[0][2] = (*state)[2][2];
(*state)[2][2] = temp;
temp = (*state)[1][2];
(*state)[1][2] = (*state)[3][2];
(*state)[3][2] = temp;
temp = (*state)[0][3];
(*state)[0][3] = (*state)[3][3];
(*state)[3][3] = (*state)[2][3];
(*state)[2][3] = (*state)[1][3];
(*state)[1][3] = temp;
}
static uint8_t xtime(uint8_t x)
{
return ((x << 1) ^ (((x >> 7) & 1) * 0x1b));
}
static void MixColumns(state_t * state)
{
uint8_t i;
uint8_t Tmp, Tm, t;
for (i = 0; i < 4; ++i) {
t = (*state)[i][0];
Tmp = (*state)[i][0] ^ (*state)[i][1] ^ (*state)[i][2] ^ (*state)[i][3];
Tm = (*state)[i][0] ^ (*state)[i][1];
Tm = xtime(Tm);
(*state)[i][0] ^= Tm ^ Tmp;
Tm = (*state)[i][1] ^ (*state)[i][2];
Tm = xtime(Tm);
(*state)[i][1] ^= Tm ^ Tmp;
Tm = (*state)[i][2] ^ (*state)[i][3];
Tm = xtime(Tm);
(*state)[i][2] ^= Tm ^ Tmp;
Tm = (*state)[i][3] ^ t;
Tm = xtime(Tm);
(*state)[i][3] ^= Tm ^ Tmp;
}
}
#if MULTIPLY_AS_A_FUNCTION
static uint8_t Multiply(uint8_t x, uint8_t y)
{
return (((y & 1) * x) ^ ((y >> 1 & 1) * xtime(x)) ^ ((y >> 2 & 1) * xtime(xtime(x))) ^ ((y >> 3 & 1) * xtime(xtime(xtime(x)))) ^ ((y >> 4 & 1) * xtime(xtime(xtime(xtime(x)))))); /* this last call to xtime() can be omitted */
}
#else
#define Multiply(x, y) \
( ((y & 1) * x) ^ \
((y>>1 & 1) * xtime(x)) ^ \
((y>>2 & 1) * xtime(xtime(x))) ^ \
((y>>3 & 1) * xtime(xtime(xtime(x)))) ^ \
((y>>4 & 1) * xtime(xtime(xtime(xtime(x)))))) \
#endif
#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
#define getSBoxInvert(num) (rsbox[(num)])
static void InvMixColumns(state_t * state)
{
int i;
uint8_t a, b, c, d;
for (i = 0; i < 4; ++i) {
a = (*state)[i][0];
b = (*state)[i][1];
c = (*state)[i][2];
d = (*state)[i][3];
(*state)[i][0] = Multiply(a, 0x0e) ^ Multiply(b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09);
(*state)[i][1] = Multiply(a, 0x09) ^ Multiply(b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d);
(*state)[i][2] = Multiply(a, 0x0d) ^ Multiply(b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b);
(*state)[i][3] = Multiply(a, 0x0b) ^ Multiply(b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e);
}
}
static void InvSubBytes(state_t * state)
{
uint8_t i, j;
for (i = 0; i < 4; ++i) {
for (j = 0; j < 4; ++j) {
(*state)[j][i] = getSBoxInvert((*state)[j][i]);
}
}
}
static void InvShiftRows(state_t * state)
{
uint8_t temp;
temp = (*state)[3][1];
(*state)[3][1] = (*state)[2][1];
(*state)[2][1] = (*state)[1][1];
(*state)[1][1] = (*state)[0][1];
(*state)[0][1] = temp;
temp = (*state)[0][2];
(*state)[0][2] = (*state)[2][2];
(*state)[2][2] = temp;
temp = (*state)[1][2];
(*state)[1][2] = (*state)[3][2];
(*state)[3][2] = temp;
temp = (*state)[0][3];
(*state)[0][3] = (*state)[1][3];
(*state)[1][3] = (*state)[2][3];
(*state)[2][3] = (*state)[3][3];
(*state)[3][3] = temp;
}
#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
static void Cipher(state_t * state, const uint8_t * RoundKey)
{
uint8_t round = 0;
AddRoundKey(0, state, RoundKey);
for (round = 1;; ++round) {
SubBytes(state);
ShiftRows(state);
if (round == Nr) {
break;
}
MixColumns(state);
AddRoundKey(round, state, RoundKey);
}
AddRoundKey(Nr, state, RoundKey);
}
#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
static void InvCipher(state_t * state, const uint8_t * RoundKey)
{
uint8_t round = 0;
AddRoundKey(Nr, state, RoundKey);
for (round = (Nr - 1);; --round) {
InvShiftRows(state);
InvSubBytes(state);
AddRoundKey(round, state, RoundKey);
if (round == 0) {
break;
}
InvMixColumns(state);
}
}
#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
#if defined(ECB) && (ECB == 1)
void AES_ECB_encrypt(const struct AES_ctx *ctx, uint8_t * buf)
{
Cipher((state_t *) buf, ctx->RoundKey);
}
void AES_ECB_decrypt(const struct AES_ctx *ctx, uint8_t * buf)
{
// The next function call decrypts the PlainText with the Key using AES algorithm.
InvCipher((state_t *) buf, ctx->RoundKey);
}
#endif // #if defined(ECB) && (ECB == 1)
#if defined(CBC) && (CBC == 1)
static void XorWithIv(uint8_t * buf, const uint8_t * Iv)
{
uint8_t i;
for (i = 0; i < AES_BLOCKLEN; ++i) // The block in AES is always 128bit no matter the key size
{
buf[i] ^= Iv[i];
}
}
void AES_CBC_encrypt_buffer(struct AES_ctx *ctx, uint8_t * buf, size_t length)
{
size_t i;
uint8_t *Iv = ctx->Iv;
for (i = 0; i < length; i += AES_BLOCKLEN) {
XorWithIv(buf, Iv);
Cipher((state_t *) buf, ctx->RoundKey);
Iv = buf;
buf += AES_BLOCKLEN;
}
/* store Iv in ctx for next call */
memcpy(ctx->Iv, Iv, AES_BLOCKLEN);
}
void AES_CBC_decrypt_buffer(struct AES_ctx *ctx, uint8_t * buf, size_t length)
{
size_t i;
uint8_t storeNextIv[AES_BLOCKLEN];
for (i = 0; i < length; i += AES_BLOCKLEN) {
memcpy(storeNextIv, buf, AES_BLOCKLEN);
InvCipher((state_t *) buf, ctx->RoundKey);
XorWithIv(buf, ctx->Iv);
memcpy(ctx->Iv, storeNextIv, AES_BLOCKLEN);
buf += AES_BLOCKLEN;
}
}
#endif // #if defined(CBC) && (CBC == 1)
#if defined(CTR) && (CTR == 1)
void AES_CTR_xcrypt_buffer(struct AES_ctx *ctx, uint8_t * buf, size_t length)
{
uint8_t buffer[AES_BLOCKLEN];
size_t i;
int bi;
for (i = 0, bi = AES_BLOCKLEN; i < length; ++i, ++bi) {
if (bi == AES_BLOCKLEN) { /* we need to regen xor compliment in buffer */
memcpy(buffer, ctx->Iv, AES_BLOCKLEN);
Cipher((state_t *) buffer, ctx->RoundKey);
/* Increment Iv and handle overflow */
for (bi = (AES_BLOCKLEN - 1); bi >= 0; --bi) {
/* inc will overflow */
if (ctx->Iv[bi] == 255) {
ctx->Iv[bi] = 0;
continue;
}
ctx->Iv[bi] += 1;
break;
}
bi = 0;
}
buf[i] = (buf[i] ^ buffer[bi]);
}
}
#endif // #if defined(CTR) && (CTR == 1)
static int oneHexChar2Hex(char hex)
{
int outHex = 0;
if (isdigit(hex)) {
outHex = hex - '0';
} else if (isupper(hex)) {
outHex = hex - 'A' + 10;
} else {
outHex = hex - 'a' + 10;
}
return outHex;
}
static int HexString2Hex(char *inHexString, char *outHex, int count)
{
int ret = -1;
int len = 0;
int i;
char ch1, ch2;
if (NULL == inHexString)
return -1;
len = count;
if (len < 1)
return -1;
len &= ~1;
for (i = 0; i < len; i += 2) {
ch1 = inHexString[i];
ch2 = inHexString[i + 1];
outHex[i / 2 + 1] = 0;
if (isxdigit(ch1) && isxdigit(ch2)) {
ch1 = oneHexChar2Hex(ch1);
ch2 = oneHexChar2Hex(ch2);
outHex[i / 2] = (ch1 << 4) | ch2;
} else {
goto EXIT;
}
}
return 0;
EXIT:
return ret;
}
static int is_Resolver(char *shll_text, char *shbin)
{
char *p, *p1;
char temp[270];
p = strstr(shll_text, "\n");
memcpy(shbin, shll_text, p - shll_text);
if (0 == strncmp(shbin, "#!", 2))
{
p1 = strchr(shbin, '/');
strcpy(shbin, p1);
}
else if (0 == strncmp(shbin, ":", 1))
{
strcpy(shbin, getenv("SHELL"));
}
else
{
printf("unknown shell!\n");
return -1;
}
memset(temp, 0, 270);
strcpy(temp, "which ");
strcat(temp, shbin);
strcat(temp, " 1> /dev/null");
if (0 != system(temp)) // 不存在解析器
{
printf("not found shell!\n");
return -1;
}
return 0;
}
void reverse_string(char *str, int len)
{
char *p1;
char *p2;
p1 = str;
p2 = str + len - 1; //p2指向字符串尾地址
if (str == NULL) {
printf("Null pointer error!");
return;
}
while (p1 < p2) //当p1地址小于p2地址时执行循环
{
char c = *p1;
*p1 = *p2; //完成指针指向地址的值的交换
*p2 = c;
p1++; //交换完毕后p1指针指向下一个字符地址
p2--; //交换完毕后p2指针指向上一个字符地址
}
}
#define BUFFER_SIZE 270
int main(int argc, char *argv[])
{
char *argvs[BUFFER_SIZE];
int l=1;
int i=4;
//static uint8_t key[16] = "aixiao.me";
struct AES_ctx ctx;
uint8_t *Hex_string = (uint8_t *) malloc(encrypted_text_len*2);
char *shbin = NULL;
reverse_string((char *)Encrypted_data, encrypted_text_len*2);
memset(Hex_string, 0, encrypted_text_len*2);
AES_init_ctx(&ctx, key);
HexString2Hex((char *)Encrypted_data, (char *)Hex_string, sizeof(Encrypted_data));
AES_ECB_decrypt(&ctx, Hex_string);
//printf("%s\n", Hex_string);
shbin = (char *) malloc(BUFFER_SIZE);
memset(shbin, 0, BUFFER_SIZE);
if (-1 == is_Resolver((char *)Hex_string, shbin))
{
goto EXIT;
}
//printf("%s\n", shbin);
argvs[0] = argv[0];
argvs[1] = "-c";
argvs[2] = (char *)Hex_string;
//argvs[3] = argv[0];
for(i=3; i<=argc-1+3; i++)
{
argvs[i] = argv[l];
l++;
}
/*
for (int i=0; i<=argc-1+3; i++)
{
printf("%s", argvs[i]);
}
*/
execvp(shbin, argvs);
EXIT:
free(Hex_string);
free(shbin);
return 0;
}