Donncha Ó Cearbhaill DonnchaC

## gist:fbb7a9959c8352ab15d4
INFO: Downloaded from Router[torgozza (130.211.66.254:9001)]

rendezvous-service-descriptor utjk4arxqg6s6zzo7n6cjnq6ot34udhr
version 2
permanent-key
-----BEGIN RSA PUBLIC KEY-----
MIGKAoGBAL7zXRnwSycHlKSqK+B8PFvy7RhkQ+OytYtxBwOLzhD82oY7zbpjSHY4
BZ+hsnceXVjB+f1mXGjvLY6pnYxuufV4wsMsk7a58aJOqUvZFFI2vXhJtnLICxoZ
AEHWzajz4ULagahB1Vi62loQE84OEcuFBekTvnHca1ZTxwp16aZtAgQvoiLZ
-----END RSA PUBLIC KEY-----

## monitor.py
# -*- coding: utf-8 -*-
"""Polls the Tor HS log file and records all INTRODUCTION
cells seen to a database.
"""
import re
import time
import datetime


def parse_introduce_from_log(log_line):

## gist:46b123d62fc3a658f54e
rendezvous-service-descriptor unwuduahxm6zfxpjjiivihifj6gdoerl
version 2
permanent-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALfng/krEfrBcvblDiM3PAkowkiAKxLoTsXt3nPEzyTP6Cw+Gdr0ODje
hmxTngN1pKiH7szk4Q1p2RabOrUHWwXmGXeDDNs00fcyU6HupgqsCoKOqCsmPac6
/58apC64A7xHeS02wtfWJp6qiZ8i6GGu6xWXRWux+ShPgcHvkajRAgMahU8=
-----END RSA PUBLIC KEY-----
secret-id-part ml7grvzrml2n4e7euczhkkcdvinlyasi
publication-time 2015-01-27 20:00:00

## tor-hs-descriptor-calculate.py
import unittest
import hashlib
import struct
import binascii

from base64 import b32decode, b64decode

import Crypto.Util
from Crypto.PublicKey import RSA
from Crypto.Cipher import AES

## gist:b76d934b8601ca9b3be0
# nc 127.0.0.1 9051
AUTHENTICATE
250 OK
SETEVENTS HS_DESC
250 OK
SETEVENTS HS_DESC_CONTENT
250 OK
HSFETCH v2-riwvyw6njgvs4koel4heqs7w4bssnmlw SERVER=8A30C9E8F5954EE286D29BD65CADEA6991200804
250 OK
650 HS_DESC_CONTENT facebookcorewwwi riwvyw6njgvs4koel4heqs7w4bssnmlw $8A30C9E8F5954EE286D29BD65CADEA6991200804~YorkshireTOR

## gist:03ad5cd0b8ead0ae9e30

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              4 stars
            
          
                DonnchaC
                / gist:03ad5cd0b8ead0ae9e30
            
            
              Last active
              March 3, 2018 17:26
            
              
                Tor Summer of Privacy Proposal: Load Balancing/High Availability Onion Services
              
          
    What project would you like to work on? Use our ideas lists as a starting point or make up your own idea. Your proposal should include high-level descriptions of what you're going to do, with more details about the parts you expect to be tricky. Your proposal should also try to break down the project into tasks of a fairly fine granularity, and convince us you have a plan for finishing it. A timeline for what you will be doing throughout the summer is highly recommended.

I'm particularly interested in Tor onion services. I hope that they can facilitate widely deployed self-authenticating encrypted communication channels at scale.
Anecdotal reports suggest that the current onion services infrastructure does not scale well [1, #8902]. In particular onion service introduction points are susceptible to hammering by clients and malicious attackers. Denial of service attacks where a single Tor process is overloaded by an attackers have also been experienced recently [#15463].
In contrast to modern distribute

  
## torrent-file-size.py
import os
import sys
import bencodepy
import humanize
import argparse


def total_size_files_torrent(file_name):
    try:
        parsed = bencodepy.decode_from_file(file_name)

## remote-exploit.py
#!/usr/bin/env python2
try:
    import binexpect
except ImportError:
    exit("""
pexpect sucks for sending binary data. binexpect fixes this and can be
found at this url: http:#darksaber.tk/wapiflapi/binexpect.py Not sure
if the file will be there for ever, but you don't need this anyway.
""")

## hola-rce-poc.html
<!--
This proof-of-concepts exploits a file move command, and an execute-with-controlled-arguemnts command to get code execution on a remote system. Only an executable in app/vlc.exe can be executed with controlled argument. This binary could be replaced with cmd.exe to be able to pass a /C argument for code execution. However due to lack of permission it is not possible to directly move cmd.exe. Instead a copy-like operation is needed to replace vlc.exe with cmd.exe. A 7-zip binary is shipped with Hola and located in the application directory. After replacing vlc.exe with 7za.exe it is possible to call 7zip to create and archive containing cmd.exe, extract the archive and move cmd.exe to vlc.exe. Commands can then be executed by calling vlc.exe with the /C option.

I'd be interested in hearing any other methods people can think of to get code execution from these issues.
-->
<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Hola Vulnerability Proof-of-Concept</title>

## logilab-common-1.0.0-crash
Successfully installed pluggy-0.3.0 tox-2.1.1 virtualenv-13.0.3
travis_time:end:02c07eb8:start=1435681975354987862,finish=1435681976720017413,duration=1365029551
[0Ktravis_fold:end:install
[0Ktravis_time:start:01a7769f
[0K$ tox
[1mGLOB sdist-make: /home/travis/build/DonnchaC/onionbalance/setup.py[0m
[1mstyle create: /home/travis/build/DonnchaC/onionbalance/.tox/style[0m
[1mstyle installdeps: pylint, flake8[0m
[1mstyle inst: /home/travis/build/DonnchaC/onionbalance/.tox/dist/OnionBalance-0.1.0.dev0.zip[0m
[1mstyle installed: astroid==1.3.6,flake8==2.4.1,future==0.14.3,logilab-common==1.0.0,mccabe==0.3.1,OnionBalance==0.1.0.dev0,pep8==1.5.7,pycrypto==2.6.1,pyflakes==0.8.1,pylint==1.4.3,PyYAML==3.11,schedule==0.3.1,six==1.9.0,stem==1.4.1,wheel==0.24.0[0m
	INFO: Downloaded from Router[torgozza (130.211.66.254:9001)]

	rendezvous-service-descriptor utjk4arxqg6s6zzo7n6cjnq6ot34udhr
	version 2
	permanent-key
	-----BEGIN RSA PUBLIC KEY-----
	MIGKAoGBAL7zXRnwSycHlKSqK+B8PFvy7RhkQ+OytYtxBwOLzhD82oY7zbpjSHY4
	BZ+hsnceXVjB+f1mXGjvLY6pnYxuufV4wsMsk7a58aJOqUvZFFI2vXhJtnLICxoZ
	AEHWzajz4ULagahB1Vi62loQE84OEcuFBekTvnHca1ZTxwp16aZtAgQvoiLZ
	-----END RSA PUBLIC KEY-----
	# -- coding: utf-8 --
	"""Polls the Tor HS log file and records all INTRODUCTION
	cells seen to a database.
	"""
	import re
	import time
	import datetime


	def parse_introduce_from_log(log_line):
	rendezvous-service-descriptor unwuduahxm6zfxpjjiivihifj6gdoerl
	version 2
	permanent-key
	-----BEGIN RSA PUBLIC KEY-----
	MIGJAoGBALfng/krEfrBcvblDiM3PAkowkiAKxLoTsXt3nPEzyTP6Cw+Gdr0ODje
	hmxTngN1pKiH7szk4Q1p2RabOrUHWwXmGXeDDNs00fcyU6HupgqsCoKOqCsmPac6
	/58apC64A7xHeS02wtfWJp6qiZ8i6GGu6xWXRWux+ShPgcHvkajRAgMahU8=
	-----END RSA PUBLIC KEY-----
	secret-id-part ml7grvzrml2n4e7euczhkkcdvinlyasi
	publication-time 2015-01-27 20:00:00
	import unittest
	import hashlib
	import struct
	import binascii

	from base64 import b32decode, b64decode

	import Crypto.Util
	from Crypto.PublicKey import RSA
	from Crypto.Cipher import AES
	# nc 127.0.0.1 9051
	AUTHENTICATE
	250 OK
	SETEVENTS HS_DESC
	250 OK
	SETEVENTS HS_DESC_CONTENT
	250 OK
	HSFETCH v2-riwvyw6njgvs4koel4heqs7w4bssnmlw SERVER=8A30C9E8F5954EE286D29BD65CADEA6991200804
	250 OK
	650 HS_DESC_CONTENT facebookcorewwwi riwvyw6njgvs4koel4heqs7w4bssnmlw $8A30C9E8F5954EE286D29BD65CADEA6991200804~YorkshireTOR
	import os
	import sys
	import bencodepy
	import humanize
	import argparse


	def total_size_files_torrent(file_name):
	try:
	parsed = bencodepy.decode_from_file(file_name)
	#!/usr/bin/env python2
	try:
	import binexpect
	except ImportError:
	exit("""
	pexpect sucks for sending binary data. binexpect fixes this and can be
	found at this url: http:#darksaber.tk/wapiflapi/binexpect.py Not sure
	if the file will be there for ever, but you don't need this anyway.
	""")
	<!--
	This proof-of-concepts exploits a file move command, and an execute-with-controlled-arguemnts command to get code execution on a remote system. Only an executable in app/vlc.exe can be executed with controlled argument. This binary could be replaced with cmd.exe to be able to pass a /C argument for code execution. However due to lack of permission it is not possible to directly move cmd.exe. Instead a copy-like operation is needed to replace vlc.exe with cmd.exe. A 7-zip binary is shipped with Hola and located in the application directory. After replacing vlc.exe with 7za.exe it is possible to call 7zip to create and archive containing cmd.exe, extract the archive and move cmd.exe to vlc.exe. Commands can then be executed by calling vlc.exe with the /C option.

	I'd be interested in hearing any other methods people can think of to get code execution from these issues.
	-->
	<!doctype html>
	<html lang="en">
	<head>
	<meta charset="utf-8">
	<title>Hola Vulnerability Proof-of-Concept</title>
	Successfully installed pluggy-0.3.0 tox-2.1.1 virtualenv-13.0.3
	travis_time:end:02c07eb8:start=1435681975354987862,finish=1435681976720017413,duration=1365029551
	[0Ktravis_fold:end:install
	[0Ktravis_time:start:01a7769f
	[0K$ tox
	[1mGLOB sdist-make: /home/travis/build/DonnchaC/onionbalance/setup.py[0m
	[1mstyle create: /home/travis/build/DonnchaC/onionbalance/.tox/style[0m
	[1mstyle installdeps: pylint, flake8[0m
	[1mstyle inst: /home/travis/build/DonnchaC/onionbalance/.tox/dist/OnionBalance-0.1.0.dev0.zip[0m
	[1mstyle installed: astroid==1.3.6,flake8==2.4.1,future==0.14.3,logilab-common==1.0.0,mccabe==0.3.1,OnionBalance==0.1.0.dev0,pep8==1.5.7,pycrypto==2.6.1,pyflakes==0.8.1,pylint==1.4.3,PyYAML==3.11,schedule==0.3.1,six==1.9.0,stem==1.4.1,wheel==0.24.0[0m