Decrypt the payload of the eBay clear.png data exfiltration
#!/usr/bin/env python3 | |
import itertools | |
import urllib.parse | |
import sys | |
def encrypt(message, key):
    """Obfuscate *message* with *key* the way the clear.png beacon does.

    The plaintext is framed as ``"<len>&<message>"`` and every character is
    XORed with ``ord(keychar) & 10``; only bits 1 and 3 of the cycling key
    character take part, so this is a weak obfuscation, not encryption.
    Each result is written as two lowercase hex digits of its low byte, so
    code points above 0xff are truncated to that byte and cannot be
    recovered by decrypt().

    Returns the hex string; an empty key produces an empty string because
    nothing is paired with the framed text.
    """
    framed = str(len(message)) + '&' + message
    key_stream = itertools.cycle(key)
    # '&' binds tighter than '^': the mask is applied to the key byte first,
    # then XORed into the plaintext character.
    return ''.join(
        f"{(ord(plain) ^ (ord(kchar) & 10)) & 0xff:02x}"
        for plain, kchar in zip(framed, key_stream)
    )
def cycle_twice(iterable):
    """Yield every element of *iterable* twice in a row, then repeat forever.

    cycle_twice('ABCD') --> A A B B C C D D A A B B ...

    Elements are buffered during the first pass so that the generator keeps
    producing after *iterable* is exhausted.  An empty *iterable* yields
    nothing and stops; anything else never terminates.  decrypt() uses this
    so both hex digits of one byte see the same key character.
    """
    buffered = []
    for item in iterable:
        buffered.append(item)
        yield from (item, item)
    # itertools.cycle over an empty buffer is empty, so the generator ends here
    # for an empty input instead of spinning.
    for item in itertools.cycle(buffered):
        yield from (item, item)
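def decrypt(encr, key):
    """Reverse encrypt(): decode the hex payload *encr* with *key*.

    Each hex pair is one obfuscated byte, XORed with ``ord(keychar) & 10``
    where the key character advances once per decoded byte (i.e. once per
    hex pair).  The decoded text must look like ``"<len>&<message>"``; the
    message part is returned after its length is checked.

    Hex digits are accepted in either case.  Raises ValueError when *encr*
    has odd length or non-hex characters (it cannot be a valid payload), or
    when the decoded frame lacks a matching decimal length prefix, which is
    the usual symptom of a wrong key.  A frame with an empty length part
    (including an empty payload or an empty key) is returned unchanged, as
    the original did.
    """
    alpha = "0123456789abcdef"
    hexstr = encr.lower()
    # The original zip() silently dropped a trailing lone nibble; reject it.
    if len(hexstr) % 2:
        raise ValueError("Error decoding message: odd-length hex payload")
    if not set(hexstr) <= set(alpha):
        raise ValueError("Error decoding message: payload is not hexadecimal")
    # One key character per byte, matching the key stream encrypt() uses.
    message = ''.join(
        chr(int(hexstr[pos:pos + 2], 16) ^ (ord(keychar) & 10))
        for pos, keychar in zip(range(0, len(hexstr), 2), itertools.cycle(key))
    )
    length, _sep, msg = message.partition('&')
    if not length:
        return message
    # Validate before int() so a wrong key gives the intended error rather
    # than int()'s "invalid literal" message.
    if not length.isdecimal() or len(msg) != int(length):
        raise ValueError("Error decoding message")
    return msg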
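def parse_clear_png_url(url):
    """Extract and decrypt the beacon payload carried in a clear.png URL.

    The key is the ``session_id`` query parameter.  The payload parameter has
    no fixed name; as before, every parameter whose name starts with ``j`` is
    a candidate and the last one wins.  Candidates whose value is not an
    even-length hex string are skipped because decrypt() needs hex pairs;
    this stops a flag such as ``jac=1`` (see the usage example in this file)
    from shadowing the real payload when several ``j*`` parameters are sent.

    Raises ValueError if ``session_id`` or a usable payload parameter is
    missing.  Errors raised by decrypt() propagate unchanged.
    """
    query = urllib.parse.urlparse(url).query
    parsed = urllib.parse.parse_qs(query)
    if 'session_id' not in parsed:
        raise ValueError('unable to find session_id query parameter')
    hexdigits = set("0123456789abcdefABCDEF")
    encr = None
    for name, values in parsed.items():
        # startswith() is safe on an empty parameter name; name[0] would
        # raise IndexError.
        if not name.startswith('j'):
            continue
        candidate = values[0]
        if len(candidate) % 2 == 0 and set(candidate) <= hexdigits:
            encr = candidate
    if encr is None:
        raise ValueError('unable to find encrypted message query parameter')
    return decrypt(encr, parsed['session_id'][0])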
if __name__ == '__main__':
    # Exactly one positional argument is expected: the full clear.png URL.
    cli_args = sys.argv[1:]
    if not cli_args:
        print('First argument must be "https://src.ebay-us.com/fp/clear.png" URL')
        print('USAGE: python3 decrypt_ebay.py "https://src.ebay-us.com/fp/clear.png?org_id=usllpic0&session_id=46ab9c371710a4e926a88ae2fffe6d35&nonce=4b4aa5f76ec76448&jac=1&je=983468573629384792837493287429847293847..."')
        sys.exit(1)
    print(parse_clear_png_url(cli_args[0]))