Botnet_Research
/
hostage


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175
							package de.tudarmstadt.informatik.hostage.protocol;

import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

import de.tudarmstadt.informatik.hostage.commons.HelperUtils;
import de.tudarmstadt.informatik.hostage.wrapper.Packet;

/**
 * MySQL protocol
 * @author Wulf Pfeiffer
 */
public class MySQL implements Protocol {
	/**
	 * Represents the states of the protocol
	 */
	private enum STATE {
		NONE, CONNECTED, LOGIN_INFO, CLOSED
	}
	
	/**
	 * Denotes in which state the protocol is right now
	 */
	private STATE state = STATE.NONE;
		
	/** last request from client */ 
	private byte[] lastMessage;
	
	@Override
	public List<Packet> processMessage(Packet packet) {
		byte[] request = null;
		if (packet != null) {
			request = packet.getMessage();
		}
		List<Packet> response = new ArrayList<Packet>();
		if(request != null)
			lastMessage = request;
				
		switch(state) {
		case NONE:
			response.add(greeting());
			state = STATE.CONNECTED;
			break;
		case CONNECTED:
			response.add(responseOK());
			state = STATE.LOGIN_INFO;
			break;
		case LOGIN_INFO:
			if(this.lastMessage[4] == 0x01) {
				state = STATE.CLOSED;
			} else {
				response.add(responseError());
			}
			break;
		default:
			state = STATE.CLOSED;
			break;
		}
		
		return response;
	}
	
	@Override
	public TALK_FIRST whoTalksFirst() {
		return TALK_FIRST.SERVER;
	}

	@Override
	public String toString(){
		return "MySQL";		
	}
	
	@Override
	public int getDefaultPort() {
		return 3306;
	}
	
	@Override
	public boolean isClosed() {
		return state == STATE.CLOSED;
	}
	
	@Override
	public boolean isSecure() {
		return false;
	}

	@Override
	public Class<byte[]> getType() {
		return byte[].class;
	}

	/**
	 * Wraps the response packet with the packet length and number
	 * @param packet that is wrapped
	 * @return wrapped packet
	 */
	private Packet wrapPacket(byte[] packet) {
		byte[] buffer = ByteBuffer.allocate(4).putInt(packet.length).array();
		byte[] packetLength = {buffer[3], buffer[2], buffer[1]};
		byte[] packetNumber = new byte[1];
		if(lastMessage != null) packetNumber[0] = (byte) (lastMessage[3] + 1);
		else packetNumber[0] = 0x00;
		
		byte[] response = HelperUtils.concat(packetLength, packetNumber, packet);
		return new Packet(response);
	}
	
	/**
	 * Builds the greeting packet that the server sends as first packet
	 * @return greeting packet
	 */
	private Packet greeting() {
		byte[] protocol = {0x0a};
		byte[] version = serverVersion.getBytes();
		byte[] versionFin = {0x00};
		byte[] thread = {0x2a, 0x00, 0x00, 0x00};
		byte[] salt = {0x44, 0x64, 0x49, 0x7e, 0x60, 0x48, 0x25, 0x7e, 0x00};
		byte[] capabilities = {(byte) 0xff, (byte) 0xf7};
		byte[] language = {0x08};
		byte[] status = {0x02, 0x00};
		byte[] unused = {0x0f, (byte) 0x80, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
		byte[] salt2 = {0x6c, 0x26, 0x71, 0x2c, 0x25, 0x72, 0x31, 0x3d, 0x7d, 0x21, 0x26, 0x3b, 0x00};
		String payload = "mysql_native_password";
		byte[] fin = {0x00};
		
		byte[] response = HelperUtils.concat(protocol, version,versionFin, thread, salt, capabilities, language, status, unused, salt2, payload.getBytes(), fin);
		return wrapPacket(response);
	}
	
	/**
	 * Builds the ok-response packet
	 * @return ok-response packet
	 */
	private Packet responseOK() {
		byte[] affectedRows = {0x00, 0x00, 0x00};
		byte[] status = {0x02, 0x00};
		byte[] warnings = {0x00, 0x00};
		
		byte[] response = HelperUtils.concat(affectedRows, status, warnings);
		return wrapPacket(response);
	}
		
	/**
	 * Builds the error-response packet
	 * @return error-response packet
	 */
	private Packet responseError() {
		byte[] fill1 = {(byte) 0xff};
		byte[] code = {0x17, 0x04};
		byte[] fill2 = {0x23};
		String state = "08S01";
		String msg = "Unknown command";
		
		byte[] response = HelperUtils.concat(fill1, code, fill2, state.getBytes(), msg.getBytes());		
		return wrapPacket(response);
	}
	
	//version stuff
	private static String[][][] possibleMysqlVersions = {
		{{"5.7."},{"1","2"}},
		{{"5.6."},{"2","3","4","5","6","7","8","9","10","11","12","13","14"}},
		{{"5.5."},{"27","28","29","30","31","32","33","34"}}
	};
	
	private static String initMysqlVersion() {
		SecureRandom rndm = new SecureRandom();
		int majorVersion = rndm.nextInt(possibleMysqlVersions.length);
		return possibleMysqlVersions[majorVersion][0][0] + possibleMysqlVersions[majorVersion][1][rndm.nextInt(possibleMysqlVersions[majorVersion][1].length)];
	}
	
	private static String serverVersion = initMysqlVersion();
}