drcoms / drcom-generic

Dr.COM/DrCOM: now covers the d, p and x versions.
GNU Affero General Public License v3.0

Central South University: latest-wired.py cannot get online and stays stuck in the keep_alive2 loop #243

Closed Yuki-Nagato closed 7 years ago

Yuki-Nagato commented 7 years ago

Attached are the log, the packet capture and the school's client: drcom-generic.zip

ly0 commented 7 years ago

Try commenting out the keep_alive1 loop and running only keep_alive2.

Yuki-Nagato commented 7 years ago

Still doesn't work. The commented-out part:

```python
import struct
import time

# md5sum(), log() and the UDP socket `s` are module-level helpers of latest-wired.py

def keep_alive1(salt, tail, pwd, svr):
    foo = struct.pack('!H', int(time.time()) % 0xFFFF)
    data = '\xff' + md5sum('\x03\x01' + salt + pwd) + '\x00\x00\x00'
    data += tail
    data += foo + '\x00\x00\x00\x00'
    log('[keep_alive1] send', data.encode('hex'))
    s.sendto(data, (svr, 61440))
    # receive loop disabled for this test; `data` still holds the bytes just
    # sent, so the "recv" line below simply echoes the sent packet
    ''' while True:
        try:
            data, address = s.recvfrom(1024)
            if data[0] == '\x07':
                break
            else:
                log('[keep-alive1]recv/not expected', data.encode('hex'))
        except:
            log('[keep_alive1] error', 'raise Exception to main() or keep_alive2()')
            raise '''
    log('[keep-alive1] recv', data.encode('hex'))
```

Log:

auth svr: 119.39.119.2
username: 020000000000@zndx
password: 23333333
mac: 0xea38020c9016
bind ip: 0.0.0.0
[challenge] recv 0202f7ea0aff3f000a000100f303e8f0000000000a000729f000a8a6000070cda0a300000000d802000000000000000000000000000000000000000000000000000000000000000000000000
[DEBUG] challenge:
0202f7ea0aff3f000a000100f303e8f0000000000a000729f000a8a6000070cda0a300000000d802000000000000000000000000000000000000000000000000000000000000000000000000
[challenge] challenge packet sent.
[mkpkt] (hex payload elided)
[login] send (hex payload elided)
[login] packet sent.
[login] recv 0400000500a0000000d2630300ffffffffff00000000004472636f772777026dab0a0007290127b00500030100
[login] loged in
[login] login sent
package_tail 4472636f772777026dab0a0007290127
starting to empty socket buffer
exception in empty_socket_buffer
emptyed
[keep_alive1] send ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127ea9200000000
[keep-alive1] recv ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127ea9200000000
[keep-alive2] send1 070028000b010f272f12000000000000000000000000000000000000000000000000000000000000
[keep-alive2] recv1 070110000600ea92465c490a0a000729a8a6000070cda0a300000000d8020000030000000000000000000000a0000000d2630300ffffffffffffffffffffffff
[keep-alive2] recv file, resending..
[keep-alive2] send2 070128000b01d8022f12000000000000000000000000000000000000000000000000000000000000
[keep-alive2] recv2 (hex payload elided)
[keep-alive2] send3 070228000b03d8022f12000000000000a8a6000000000000000000000a0007290000000000000000
[keep-alive2] recv3 070128000b02d8022f12000000000000465c490a0000000000000000000000000000000000000000
[keep-alive2] keep-alive2 loop was in daemon.
[keep_alive1] send ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eaa600000000
[keep-alive1] recv ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eaa600000000
[keep_alive2] send 3 070328000b01d8022f12000000000000465c490a0000000000000000000000000000000000000000
[keep_alive2] recv 070110000600eaa60e5d490a0a000729a8a6000070cda0a300000000d8020000170000000000000000000000a0000000d2630300ffffffffffffffffffffffff
[keep_alive2] send 4 070428000b03d8022f12000000000000a8a6000000000000000000000a0007290000000000000000
[keep_alive2] recv 070328000b02d8022f120000000000000e5d490a0000000000000000000000000000000000000000
[keep_alive1] send ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eaba00000000
[keep-alive1] recv ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eaba00000000
[keep_alive2] send 5 070528000b01d8022f120000000000000e5d490a0000000000000000000000000000000000000000
[keep_alive2] recv 070110000600eabad55d490a0a000729a8a6000070cda0a300000000d80200002b0000000000000002000000a0000000d2630300ffffffffffffffffffffffff
[keep_alive2] send 6 070628000b03d8022f12000000000000a8a6000000000000000000000a0007290000000000000000
[keep_alive2] recv 070528000b02d8022f12000000000000d55d490a0000000000000000000000000000000000000000
[keep_alive1] send ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eace00000000
[keep-alive1] recv ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eace00000000
[keep_alive2] send 7 070728000b01d8022f12000000000000d55d490a0000000000000000000000000000000000000000
[keep_alive2] recv 070110000600eace9d5e490a0a000729a8a6000070cda0a300000000d80200003f0000000000000013000000a0000000d2630300ffffffffffffffffffffffff
[keep_alive2] send 8 070828000b03d8022f12000000000000a8a6000000000000000000000a0007290000000000000000
[keep_alive2] recv 070728000b02d8022f120000000000009d5e490a0000000000000000000000000000000000000000
[keep_alive1] send ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eae200000000
[keep-alive1] recv ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eae200000000
[keep_alive2] send 9 070928000b01d8022f120000000000009d5e490a0000000000000000000000000000000000000000
[keep_alive2] recv 070110000600eae2655f490a0a000729a8a6000070cda0a300000000d802000053000000000000001b000000a0000000d2630300ffffffffffffffffffffffff
[keep_alive2] send 10 070a28000b03d8022f12000000000000a8a6000000000000000000000a0007290000000000000000
[keep_alive2] recv 070928000b02d8022f12000000000000655f490a0000000000000000000000000000000000000000
[keep_alive1] send ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eaf600000000
[keep-alive1] recv ff4aa0ed003c9ff47a9e5c01434eb928fe0000004472636f772777026dab0a0007290127eaf600000000
[keep_alive2] send 11 070b28000b01d8022f12000000000000655f490a0000000000000000000000000000000000000000
[keep_alive2] recv 070110000600eaf62d60490a0a000729a8a6000070cda0a300000000d802000067000000000000001f000000a0000000d2630300ffffffffffffffffffffffff
[keep_alive2] send 12 070c28000b03d8022f12000000000000a8a6000000000000000000000a0007290000000000000000
[keep_alive2] recv 070b28000b02d8022f120000000000002d60490a0000000000000000000000000000000000000000
Yuki-Nagato commented 7 years ago

One thing may be worth noting: normally, when not logged in, opening any web page redirects to a specific portal page, but after running the script, opening a web page no longer redirects there; instead the connection times out.

ly0 commented 7 years ago

That's still keep_alive1. Just do:

```python
def keep_alive1(salt, tail, pwd, svr):
    return
```

Yuki-Nagato commented 7 years ago

Still doesn't work. Log:

auth svr: 119.39.119.2
username: 020000000000@zndx
password: 23333333
mac: 0xea38020c9016
bind ip: 0.0.0.0
[challenge] recv 02024069a90840000a000100f303e8f0000000000a0005d9f000a8a6000070cda0a300000000d802000000000000000000000000000000000000000000000000000000000000000000000000
[DEBUG] challenge:
02024069a90840000a000100f303e8f0000000000a0005d9f000a8a6000070cda0a300000000d802000000000000000000000000000000000000000000000000000000000000000000000000
[challenge] challenge packet sent.
[mkpkt] 03010025a9c45a5edb2faec345dfb5269d79b0bc303230393032313630333139407a6e647800000000000000000000000000000000000000200543fc58524b39958a08c5f053bc5cf8ea32f691acec64010a0007290000000000000000000000005945a601a4fd1382010000000047494c4947494c494559450000000000000000000000000000000000000000003a147faa77277702000000000000000000000000940000000500000001000000280a0000020000004e4f5445370000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002d00020ce0c0c7890000ea38020c90160000e913
[login] send (hex payload elided)
[login] packet sent.
[login] recv 0400000500eb00000087db0700ffffffffff00000000004472636f7727770266b20a0005d90120b00500030100
[login] loged in
[login] login sent
package_tail 4472636f7727770266b20a0005d90120
starting to empty socket buffer
exception in empty_socket_buffer
emptyed
[keep-alive2] send1 070028000b010f272f12000000000000000000000000000000000000000000000000000000000000
[keep-alive2] recv1 070010010b06d8022f12000000000000a8a6000070cda0a300000000d80200004d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000080100000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000be4ff959fa2e970afa2e970afa2e970aa30d840af82e970a81329b0afe2e970a7926ca0af02e970a7932990af82e970a95319c0afb2e970a95319d0aff2e970a9531930af82e970afa2e960a492e970acc08930af92e970acc089c0af22e970a3d28910afb2e970a050e930af92e970a
[keep-alive2] recv file, resending..
[keep-alive2] send2 070128000b01d8022f12000000000000000000000000000000000000000000000000000000000000
[keep-alive2] recv2 070128000b02d8022f1200000000000089424e0a0000000000000000000000000000000000000000
[keep-alive2] send3 070228000b03d8022f1200000000000089424e0a00000000000000000a0007290000000000000000
[keep-alive2] recv3 070228000b04d8022f1200000000000089424e0a0000000000000000000000000000000000000000
[keep-alive2] keep-alive2 loop was in daemon.
[keep_alive2] send 3 070328000b01d8022f1200000000000089424e0a0000000000000000000000000000000000000000
[keep_alive2] recv 070328000b02d8022f1200000000000050434e0a0000000000000000000000000000000000000000
[keep_alive2] send 4 070428000b03d8022f1200000000000050434e0a00000000000000000a0007290000000000000000
[keep_alive2] recv 070428000b04d8022f1200000000000050434e0a0000000000000000000000000000000000000000
[keep_alive2] send 5 070528000b01d8022f1200000000000050434e0a0000000000000000000000000000000000000000
[keep_alive2] recv 070528000b02d8022f1200000000000018444e0a0000000000000000000000000000000000000000
[keep_alive2] send 6 070628000b03d8022f1200000000000018444e0a00000000000000000a0007290000000000000000
[keep_alive2] recv 070628000b04d8022f1200000000000018444e0a0000000000000000000000000000000000000000
[keep_alive2] send 7 070728000b01d8022f1200000000000018444e0a0000000000000000000000000000000000000000
[keep_alive2] recv 070728000b02d8022f12000000000000e0444e0a0000000000000000000000000000000000000000
[keep_alive2] send 8 070828000b03d8022f12000000000000e0444e0a00000000000000000a0007290000000000000000
[keep_alive2] recv 070828000b04d8022f12000000000000e0444e0a0000000000000000000000000000000000000000
ly0 commented 7 years ago

? The log looks perfectly normal.

mchome commented 7 years ago

```python
server = '119.39.119.2'
username = '020902160319@zndx'
password = '密码填上'
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x05'
host_ip = '10.0.7.41'
IPDOG = '\x01'
host_name = 'fuyumi'
PRIMARY_DNS = '58.20.127.170'
dhcp_server = '119.39.119.2'
AUTH_VERSION = '\x2d\x00'
mac = 0xa08cfd1d8fc8
host_os = 'Windows 10'
KEEP_ALIVE_VERSION = '\xd8\x02'
ror_version = True
```

Yuki-Nagato commented 7 years ago

Hmm... still not working.

I captured another packet; the data in it seems somewhat different. Not sure whether it helps. test3.zip

archanes commented 7 years ago

Same situation at Central South University's main campus as well:

```python
server = '119.39.119.66'
username = '02171612192@zndx'
password = ''
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x04'
host_ip = '10.0.8.103'
IPDOG = '\x01'
host_name = 'fuyumi'
PRIMARY_DNS = '58.20.127.170'
dhcp_server = '119.39.119.66'
AUTH_VERSION = '\x2d\x00'
mac = 0xb8a6020c10f6
host_os = 'Windows 10'
KEEP_ALIVE_VERSION = '\xff\xfd'
```

archanes commented 7 years ago

DRCOM.zip The Dr.COM client version is 6.0.

dantmnf commented 7 years ago

The mac now has to match the device that actually performs the authentication; previously it could be filled in arbitrarily.

ShanStone commented 7 years ago

Tested it myself: after changing the MAC address I could get online. Replace the characters after `mac = 0x` with your own device's MAC address in the same format.

mchome commented 7 years ago

The part after host_os:

```python
data += AUTH_VERSION
data += '\x00' # _tagLDAPAuth.Code
data += chr(len(pwd)) # _tagLDAPAuth.PasswordLen
data += ror(md5sum('\x03\x01' + salt + pwd), pwd) # _tagLDAPAuth.Password (variable length)
data += '\x02' # _tagDrcomAuthExtData.Code
data += '\x0C' # _tagDrcomAuthExtData.Len
data += checksum(data + '\x01\x26\x07\x11\x00\x00' + dump(mac)) # _tagDrcomAuthExtData.CRC
data += '\x00\x00' # _tagDrcomAuthExtData.Option
data += dump(mac) # _tagDrcomAuthExtData.AdapterAddress
data += '\xde\x3f' # unknown, filled numbers randomly =w=
```

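Added example, not part of this thread or of drcom-generic's own code: a Python 3 rewrite of the two packet layouts discussed here, the MAC-bound `_tagDrcomAuthExtData` trailer from the snippet just above and the keep_alive1 packet from the snippet earlier in the thread, so it is visible why a MAC that does not match the authenticating device changes the login packet. Assumptions: `checksum()` is modelled on the word-XOR-and-multiply routine in drcom-generic's latest-wired.py (its exact chunking is assumed, not quoted from the page); `dump_mac()` stands in for the script's `dump()`; the 8-byte `stub` prefix and the `tick` argument are constructed stand-ins for the real packet prefix and `int(time.time()) % 0xFFFF`. The login response, package_tail and MAC values are copied from the first log in the thread.

```python
import hashlib
import struct


def checksum(s: bytes) -> bytes:
    """Assumed drcom-style checksum: XOR of little-endian 32-bit words
    (trailing bytes short of a full word are dropped), times 1968, mod 2**32."""
    ret = 1234
    for i in range(0, len(s) - len(s) % 4, 4):
        ret ^= int.from_bytes(s[i:i + 4], "little")
    return struct.pack("<I", (1968 * ret) & 0xFFFFFFFF)


def dump_mac(mac: int) -> bytes:
    """Render the integer form used in the config (mac = 0x...) as 6 bytes."""
    return mac.to_bytes(6, "big")


def auth_ext_data(data: bytes, mac: int) -> bytes:
    """_tagDrcomAuthExtData as laid out in the thread: Code, Len, a CRC over the
    packet built so far plus a fixed 6-byte marker and the adapter MAC, Option,
    then the MAC itself. The CRC is what ties the login packet to the MAC."""
    ext = b"\x02" + b"\x0c"
    ext += checksum(data + b"\x01\x26\x07\x11\x00\x00" + dump_mac(mac))
    ext += b"\x00\x00"
    ext += dump_mac(mac)
    return ext


def login_tail(resp: bytes) -> bytes:
    """package_tail is bytes 23..38 of the login response (matches the log)."""
    return resp[23:39]


def keep_alive1(salt: bytes, tail: bytes, pwd: bytes, tick: int) -> bytes:
    """keep_alive1 layout from the posted snippet; `tick` replaces
    int(time.time()) % 0xFFFF so the packet is reproducible."""
    data = b"\xff" + hashlib.md5(b"\x03\x01" + salt + pwd).digest() + b"\x00\x00\x00"
    data += tail
    data += struct.pack("!H", tick) + b"\x00\x00\x00\x00"
    return data


if __name__ == "__main__":
    # login response and MAC copied from the first log in the thread
    resp = bytes.fromhex(
        "0400000500a0000000d2630300ffffffffff00000000004472636f772777026dab0a0007290127b00500030100"
    )
    tail = login_tail(resp)
    print("package_tail   ", tail.hex())
    stub = bytes(8)  # constructed stand-in for the packet prefix
    print("ext, logged mac", auth_ext_data(stub, 0xEA38020C9016).hex())
    print("ext, other mac ", auth_ext_data(stub, 0xA08CFD1D8FC8).hex())
    print("keep_alive1    ", keep_alive1(b"\x0a\xff\x3f\x00", tail, b"23333333", 0xEA92).hex())
```

Both `auth_ext_data` calls differ in the CRC bytes and not only in the trailing MAC, which is why a server that checks the trailer against the MAC it sees on the wire rejects a login built with an arbitrary `mac` value, while the keep-alive exchange (which carries no MAC) still appears to run normally, exactly the symptom reported above.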
archanes commented 7 years ago

Thanks everyone, it works after changing the MAC.

mchome commented 7 years ago

The MAC in the 6.0d configurator is botched.

dantmnf commented 7 years ago

I feel like it's all off; the packet we send is two bytes longer than the client's (

MrLongan commented 7 years ago

@Yuki-Nagato Could you help me get this going on my router? I can't get the script to run on it. I'm in Shenghua Building 13; I can bring it over to you. Thanks.