
exfil

Authored by Thooms

#!/usr/bin/env ruby

require 'rubygems'
require 'base32'
require 'pcap'
require 'pcap/pcaplet'
require 'net/dns'
require 'pp'

# Mix the Pcap module into the top level so its constants (Pcaplet, UDPPacket)
# can be referenced without the Pcap:: prefix further down.
include Pcap

# Offline analysis of a saved capture: the option string is handed to Pcaplet,
# where "-r dump.pcap" presumably selects dump.pcap (relative to the working
# directory) as the packet source instead of a live interface — confirm against
# the installed ruby-pcap version.
pcaplet = Pcaplet.new("-r dump.pcap")
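# Recover the raw payload carried in one tunnelled DNS name.
#
# The name is split on '.', the last two labels are discarded (presumably the
# tunnel's own domain and TLD — confirm against the capture), the remaining
# labels are concatenated and Base32-decoded, and the first 6 bytes of the
# result are dropped. The commented-out unpack('SSS') in the original suggests
# those 6 bytes are three 16-bit header fields — TODO confirm.
#
# @param txt [String] a DNS name taken from a question or a CNAME answer
# @return [String] decoded payload without its 6-byte header; empty when the
#   name has no payload labels or the decoded data is 6 bytes or shorter
#
# NOTE(review): Base32.decode may raise on labels that are not valid Base32
# (unrelated DNS traffic in the same capture), depending on the gem version;
# callers that process mixed traffic should be prepared for that.
def decode(txt)
  labels = txt.split('.')
  # Names with fewer than three labels carry no payload. The original sliced
  # with a negative length here, got nil and crashed on nil.join.
  payload_labels = labels.first([labels.size - 2, 0].max)
  bin = Base32.decode(payload_labels.join)
  # Drop the 6-byte header without mutating the string returned by the decoder.
  bin[6..-1] || ''
end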

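# Reassembly state for the two streams recovered from the capture.
#
# Each stream gets its own "inside the markers" flag. The original shared a
# single flag, so once one stream was being collected, every chunk of the
# other stream was appended as well, marker or not.
harvesting_key = false
harvesting_doc = false
data_doc = ''
data_key = ''
# Payloads already appended, used to drop retransmitted chunks.
# NOTE(review): de-duplication is by payload content, so two genuinely
# identical chunks of one file would collapse into one — confirm that this is
# acceptable for the data being recovered.
seen = {}

pcaplet.each_packet do |pkt|
  next unless pkt.is_a? UDPPacket
  next if pkt.sport != 53  # Only look at answers

  # The capture is untrusted input: skip a payload that does not parse as DNS
  # rather than aborting the whole reconstruction, and say so on stderr.
  begin
    req = Net::DNS::Packet::parse(pkt.udp_data)
  rescue StandardError => e
    warn "skipping unparseable DNS payload: #{e.message}"
    next
  end

  # CNAME answers carry the key material.
  # NOTE(review): the start marker is a PUBLIC key block and the end marker a
  # PRIVATE key block; presumably the transferred data holds both blocks back
  # to back — confirm against the capture.
  req.each_cname do |cn|
    bin = decode(cn)
    next if seen[bin]
    if harvesting_key || bin.include?('-----BEGIN PGP PUBLIC KEY BLOCK-----')
      harvesting_key = !bin.include?('-----END PGP PRIVATE KEY BLOCK-----')
      data_key << bin
      seen[bin] = true
    end
  end

  # Question names carry the document. The original decoded `cn` here, which
  # is not defined in this block (NameError); the name to decode is the
  # question's own qName.
  req.question.each do |q|
    bin = decode(q.qName)
    next if seen[bin]
    if harvesting_doc || bin.include?('START_OF_FILE')
      harvesting_doc = !bin.include?('END_OF_FILE')
      data_doc << bin
      seen[bin] = true
    end
  end
end

# Both outputs are recovered evidence (one of them private key material), so
# create them readable by the current user only. Treat the contents as
# untrusted: they come straight out of the capture.
File.open('flag.docx.gpg', 'wb', 0600) { |f| f.write data_doc }
File.open('key', 'wb', 0600) { |f| f.write data_key }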