Donncha Ó Cearbhaill DonnchaC

@DonnchaC
DonnchaC / tor-hs-cell-patterns.txt
Last active May 7, 2016 17:22
Circuits and cell patterns for a Tor hidden service client connection
Circuit 6 - HS_DESC facebookcorewwwi [OPEN]
Circuit events:
- EXTENDED ['0CA305E63C99FB8E2E1C6CA11CD1E569E780C691', '51BD833B86D556EE968CDFFFD79592BE56761238', 'FC9AC8EA0160D88BCCFDE066940D7DD9FA45495B', '2F5E1DAAD1388F7DBECCF6C4E839098C88BA3D2A']
- BUILT ['0CA305E63C99FB8E2E1C6CA11CD1E569E780C691', '51BD833B86D556EE968CDFFFD79592BE56761238', 'FC9AC8EA0160D88BCCFDE066940D7DD9FA45495B', '2F5E1DAAD1388F7DBECCF6C4E839098C88BA3D2A']
Cells:
- <Cell RELAY_EARLY OUT 2016-05-07 17:10:27.954415>
- <Cell RELAY IN 2016-05-07 17:10:28.485182>
- <Cell RELAY_EARLY OUT 2016-05-07 17:10:28.485466>
- <Cell RELAY_EARLY OUT 2016-05-07 17:10:28.485479>
- <Cell RELAY IN 2016-05-07 17:10:28.995197>
@DonnchaC
DonnchaC / fetch-hs-descriptor.py
Created December 17, 2015 15:49
A simple script which demonstrates how to retrieve hidden service descriptors via the HSFETCH Tor control port command
import sys
import argparse
import stem
from stem.control import Controller
def main():
    parser = argparse.ArgumentParser(description="%s fetches a Tor hidden "
                                     "service descriptor." % sys.argv[0])
@DonnchaC
DonnchaC / relay-monitor.py
Last active December 17, 2015 22:46
Simple script to monitor a Tor relay and report any warning via email.
# -*- coding: utf-8 -*-
"""
Monitors Tor control port and sends email notifications for
log events NOTICE, WARN, and ERROR.
"""
import os
import time
import datetime
import argparse
import logging
@DonnchaC
DonnchaC / onion-address-calculate.py
Created August 25, 2015 14:24
Simple script to calculate the onion address from a Tor hidden service descriptor or public key
import hashlib
import base64
import argparse
import sys
from Crypto.PublicKey import RSA
def calculate_onion(pem_key):
    key = RSA.importKey(pem_key)
@DonnchaC
DonnchaC / sni-proxy.py
Last active May 12, 2019 11:54
This is a proof-of-concept tool which demonstrates transparent proxying of SSL connections from an entry server to a hidden service with end-to-end encryption. The SNI extension in the SSL ClientHello is used to determine the destination. Further info in the Tor2web ticket: https://github.com/globaleaks/Tor2web/issues/252
#!/usr/bin/env python
"""
Proxy an SSL connection to a Twisted endpoint based on the SNI extension
Allows for end-to-end encrypted connections from a browser to a Tor hidden
service.
Proxy code based on
http://blog.laplante.io/2013/08/a-basic-man-in-the-middle-proxy-with-twisted/
@DonnchaC
DonnchaC / ip-selection.txt
Created July 7, 2015 13:35
Confirmation of introduction point selection algorithm in OnionBalance. 2 IPs selected from each of the 5 backend instances
3 introduction-point g246pla6g23cvhlpgmfl5nqbfot7bvaa
ip-address 37.187.22.87
onion-port 9001
onion-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMdEmLQDuMItvkVj43VzG/gyOR9bgJ5l32+ZlwXxwbBSIaGqD5dRZf+I
RCY1g44V/LDjgFykM0WaTYF3u4zZCZtqX3z8PymLozQIxdRW0rSQZWaStJ2XOt0p
h7dK9ONxWNt5EALzT6uxIOmfMllF0FWVJ1Tx9R0ylxxdJ5S95sC3AgMBAAE=
-----END RSA PUBLIC KEY-----
service-key
@DonnchaC
DonnchaC / onionbalance-ip-counts
Created July 3, 2015 23:59
OnionBalance Master Descriptor and Backend Instance IP counts
python descriptor-fetcher.py --onion-list onion-list.txt
2015-07-03 23:58:01,916 [DEBUG]: Successfully connected to the Tor control port
2015-07-03 23:58:06,924 [INFO]: Sending HS descriptor fetch for eujuuws2nacz4xw4.onion
2015-07-03 23:58:07,863 [INFO]: Storing new descriptor with 10 introduction points for HS eujuuws2nacz4xw4
2015-07-03 23:58:11,937 [INFO]: Sending HS descriptor fetch for nkcoog3avb3iwels.onion
2015-07-03 23:58:12,982 [INFO]: Storing new descriptor with 3 introduction points for HS nkcoog3avb3iwels
2015-07-03 23:58:16,945 [INFO]: Sending HS descriptor fetch for le3jeksfogq2zrpx.onion
2015-07-03 23:58:17,474 [INFO]: Storing new descriptor with 3 introduction points for HS le3jeksfogq2zrpx
2015-07-03 23:58:21,953 [INFO]: Sending HS descriptor fetch for ymiwfpbw32xai4ko.onion
2015-07-03 23:58:22,475 [INFO]: Storing new descriptor with 3 introduction points for HS ymiwfpbw32xai4ko
@DonnchaC
DonnchaC / logilab-common-1.0.0-crash
Last active August 29, 2015 14:24
logilab-common: No module named __pkginfo__
Successfully installed pluggy-0.3.0 tox-2.1.1 virtualenv-13.0.3
travis_time:end:02c07eb8:start=1435681975354987862,finish=1435681976720017413,duration=1365029551
travis_fold:end:install
travis_time:start:01a7769f
$ tox
GLOB sdist-make: /home/travis/build/DonnchaC/onionbalance/setup.py
style create: /home/travis/build/DonnchaC/onionbalance/.tox/style
style installdeps: pylint, flake8
style inst: /home/travis/build/DonnchaC/onionbalance/.tox/dist/OnionBalance-0.1.0.dev0.zip
style installed: astroid==1.3.6,flake8==2.4.1,future==0.14.3,logilab-common==1.0.0,mccabe==0.3.1,OnionBalance==0.1.0.dev0,pep8==1.5.7,pycrypto==2.6.1,pyflakes==0.8.1,pylint==1.4.3,PyYAML==3.11,schedule==0.3.1,six==1.9.0,stem==1.4.1,wheel==0.24.0
@DonnchaC
DonnchaC / hola-rce-poc.html
Created June 3, 2015 09:55
Hola Remote Code Execution Proof-Of-Concept
<!--
This proof-of-concept exploits a file move command, and an execute-with-controlled-arguments command to get code execution on a remote system. Only an executable in app/vlc.exe can be executed with controlled argument. This binary could be replaced with cmd.exe to be able to pass a /C argument for code execution. However due to lack of permission it is not possible to directly move cmd.exe. Instead a copy-like operation is needed to replace vlc.exe with cmd.exe. A 7-zip binary is shipped with Hola and located in the application directory. After replacing vlc.exe with 7za.exe it is possible to call 7zip to create an archive containing cmd.exe, extract the archive and move cmd.exe to vlc.exe. Commands can then be executed by calling vlc.exe with the /C option.
I'd be interested in hearing any other methods people can think of to get code execution from these issues.
-->
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Hola Vulnerability Proof-of-Concept</title>
@DonnchaC
DonnchaC / remote-exploit.py
Last active August 29, 2015 14:19
Simple remote exploit for an exploitation challenge
#!/usr/bin/env python2
try:
    import binexpect
except ImportError:
    exit("""
pexpect sucks for sending binary data. binexpect fixes this and can be
found at this url: http:#darksaber.tk/wapiflapi/binexpect.py Not sure
if the file will be there for ever, but you don't need this anyway.
""")