1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
|
/*
* decode_mmxp.c
*
* Meeting Maker.
*
* Thanks for Matt Power <mhpower@MIT.EDU> for his BUGTRAQ post
* on Meeting Maker encryption, and for providing me with traffic traces.
*
* The encryption algorithm seems to be much simpler than what Matt
* reversed - see below...
*
* Copyright (c) 2000 Dug Song <dugsong@monkey.org>
*
* $Id: decode_mmxp.c,v 1.8 2001/03/15 08:33:01 dugsong Exp $
*/
#include "config.h"
#include <sys/types.h>
#include <arpa/nameser.h>
#include <stdio.h>
#include <string.h>
#include "buf.h"
#include "decode.h"
#define MM_SECRET "Thisisastupidwasteoftimeandspace"
static u_char *mm_xor = MM_SECRET;
int
decode_mmxp(u_char *buf, int len, u_char *obuf, int olen)
{
struct buf inbuf, outbuf;
u_char *p, c;
u_int32_t i;
int encrypt;
buf_init(&inbuf, buf, len);
buf_init(&outbuf, obuf, len);
while ((i = buf_index(&inbuf, "\x00\x00\x24\x55", 4)) != -1) {
buf_skip(&inbuf, i + 4);
if (buf_cmp(&inbuf, "\x7f\xff", 2) == 0)
encrypt = 1;
else if (buf_cmp(&inbuf, "\xff\xff", 2) == 0)
encrypt = 0;
else continue;
buf_skip(&inbuf, 4);
/* LPPPg? */
if (buf_get(&inbuf, &i, sizeof(i)) < 0)
break;
i = ntohl(i);
if (buf_skip(&inbuf, i + 4 + 4) < 0)
continue;
/* Server. */
if (buf_get(&inbuf, &c, 1) != 1) break;
if (buf_len(&inbuf) < c) break;
buf_put(&outbuf, buf_ptr(&inbuf), c);
buf_put(&outbuf, "\n", 1);
buf_skip(&inbuf, c + 4);
/* Username. */
if (buf_get(&inbuf, &c, 1) != 1) break;
if (buf_len(&inbuf) < c) break;
buf_put(&outbuf, buf_ptr(&inbuf), c);
buf_put(&outbuf, "\n", 1);
buf_skip(&inbuf, c + 4);
/* Password. */
if (buf_get(&inbuf, &c, 1) != 1) break;
if (buf_len(&inbuf) < c) break;
p = buf_ptr(&inbuf);
if (encrypt) {
for (i = 0; i < c; i++)
p[i] ^= mm_xor[i % (sizeof(MM_SECRET) - 1)];
}
buf_put(&outbuf, p, c);
buf_put(&outbuf, "\n", 1);
}
buf_end(&outbuf);
return (buf_len(&outbuf));
}
|