API tools faq
paste
tux_mind

dSploitd draft

tux_mind
Apr 18th, 2014
81
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 9.68 KB | None | 0 0
raw download clone embed print report
  1. /**
  2.  * handlers can be one of these types.
  3.  */
  4. typedef enum {
  5.     NONE, // blind command, no I/O, only exit value returned.
  6.     RAW, // RAW I/O, executa a command and redirect stdin and stdout to Java
  7.     NMAP, // nmap executable
  8.     ETTERCAP, // ettercap...
  9.     HYDRA, // ...
  10.     HTTP_SNIFFER // ...
  11. } handler_type;
  12.  
  13. /**
  14.  * commands sent from client to server and viceversa
  15.  */
  16. typedef enum {
  17.     START_CMD,
  18.     STOP_CMD,
  19.     CMD_STARTED,
  20.     CMD_END,
  21.     // others like restart server, stop server...
  22. } action;
  23.  
  24. /**
  25.  * internal struct for manage
  26.  * handler data and functions.
  27.  *
  28.  * @id handler id
  29.  * @tid thread id associated to this handler
  30.  * @output_parser the process stdout parser function
  31.  * @input_parser the process stdin parser function
  32.  */
  33. typedef struct {
  34.     unsigned char id;
  35.     unsigned char tid;
  36.     const char *(* output_parser)(char *line);
  37.     const char *(* input_parser)(char *line);
  38. } handler_t;
  39.  
  40. /**
  41.  * this is the header of a message
  42.  * @handler_id id of the handler that generate this message
  43.  * @bytes_count the number of following bytes to read
  44.  */
  45.  
  46. typedef struct {
  47.     unsigned char handler_id;
  48.     unsigned char bytes_count;
  49. } message_header;
  50.  
  51. /**
  52.  * request for a new program execution.
  53.  * this is followed by the argv for the program.
  54.  * @type type of the new program
  55.  */
  56.  
  57. typedef struct {
  58.     handler_type type;
  59. } new_process_request;
  60.  
  61. /**
  62.  * this info is sent to Java when a new
  63.  * process is created.
  64.  *
  65.  * @id the id of the new handler
  66.  * @type type of running handler
  67.  */
  68. typedef struct {
  69.     unsigned char id;
  70.     handler_type type;
  71. } new_process_info;
  72.  
  73. /**
  74.  * this info is sent to Java when a
  75.  * process ends.
  76.  *
  77.  * @id the id of the handler
  78.  * @exit_code the code returned by the sub process
  79.  */
  80. typedef struct {
  81.     unsigned char id;
  82.     int exit_code
  83. } end_process_info;
  84.  
  85. #define JAVA_HANDLER_ID 0
  86.  
  87. int main(int argc, char **argv) {
  88.     static unsigned long uid = 1;
  89.     // lot of things here
  90.  
  91.     // on new command
  92.     handler_t h = malloc(sizeof(handler_t));
  93.     new_process_info info;
  94.  
  95.     if(!h)
  96.         //OOM
  97.  
  98.     h.id = uid++;
  99.     switch(new_process_type) {
  100.         case NMAP:
  101.             h.output_parser = &nmap_output_parser;
  102.             h.input_parser = &nmap_input_parser;
  103.             break;
  104.         case ETTERCAP:
  105.             h.output_parser = &ettercap_output_parser;
  106.             h.input_parser = &ettercap_input_parser;
  107.             break;
  108.         // others...
  109.  
  110.         default:
  111.             h.output_parser = NULL;
  112.             h.input_parser = NULL;
  113.     }
  114.  
  115.     info.id = h.id;
  116.     info.type = new_process_type;
  117.    
  118.     send_to_Java(JAVA_HANDLER_ID,(void *) &info, sizeof(info));
  119. }
  120.  
  121.  
  122. //this function run inside a thread
  123. void process_handler(void *arg) {
  124.     char cancel = 0;
  125.     char *output_buffer;
  126.     char *input_buffer;
  127.     char *old;
  128.     int outfd, infd;
  129.     pid_t pid;
  130.     handler_t h;
  131.     unsigned long tid;
  132.     unsigned long count;
  133.     char c;
  134.     end_process_info einfo;
  135.  
  136.     h = *((handler_t *)arg);
  137.     tid = h.tid;
  138.  
  139.     pthread_mutex_lock(&(tpool[tid].lock));
  140.     cancel = tpool[tid].cancel;
  141.     outfd = tpool[tid].stdout_fd;
  142.     infd = tpool[tid].stdin_fd;
  143.     pid = tpool[tid].pid;
  144.     tpool[tid].started = 1;
  145.     pthread_mutex_unlock(&(tpool[tid].lock));
  146.  
  147.     output_size = 1;
  148.     input_size = 0;
  149.     read_size = (h.output_parser != NULL ? 1 : BUFFER_SIZE);
  150.     write_size = (h.input_parser != NULL ? 1 : BUFFER_SIZE);
  151.     output_buffer = malloc(read_size);
  152.     input_buffer = malloc(write_size);
  153.  
  154.     while(!cancel) {
  155.  
  156.         // non blocking file descriptor
  157.         if((read_count = read(outfd, output_buffer, read_size)) > 0) {
  158.             // use output buffer only if we have to parse
  159.             if(h.output_parser != NULL) {
  160.                 output_buffer = realloc(output_buffer, ++output_size);
  161.                 output_buffer[output_size-1] = c;
  162.  
  163.                 if(c=='\n') {
  164.                     parsed_output = h.output_parser(output_buffer);
  165.                    
  166.                     if(parsed_output) {
  167.                         send_to_Java(h.id, parsed_output, strlen(parsed_output));
  168.                     }
  169.  
  170.                     output_size = 1;
  171.                     output_buffer = realloc(output_buffer,1);
  172.                 }
  173.             } else {
  174.                 // send everything to java
  175.                 send_to_Java(h.id, (void *) output_buffer, read_count);
  176.             }
  177.         } else if(read_count < 0 && errno != EAGAIN && errno != EWOULDBLOCK) {
  178.             // error...
  179.         }
  180.        
  181.        
  182.  
  183.         pthread_mutex_lock(&(tpool[tid].input_lock));
  184.         if(tpool[tid].input_bytes_count > 0) {
  185.            
  186.             if(h.input_parser) {
  187.                
  188.                 for(count=0;count<tpool[tid].input_bytes_count;count++) {
  189.                     input_buffer = realloc(input_buffer, ++input_size);
  190.                     input_buffer[input_size -1] = *ptr;
  191.                    
  192.                     if(*ptr == '\n') {
  193.                         parsed_input = h.input_parser(input_buffer);
  194.                        
  195.                         if(parsed_input) {
  196.                             send_to_Java(h.id, parsed_input, strlen(parsed_input));
  197.                         }
  198.  
  199.                         input_size = 1;
  200.                         output_buffer = realloc(input_buffer, 1);
  201.                     }
  202.                 }
  203.             } else {
  204.                 do {
  205.                     res = write(infd, tpool[tid].input_buffer, tpool[tid].input_bytes_count);
  206.                    
  207.                     pthread_mutex_lock(tpool[id].lock);
  208.                     cancel = tpool[id].cancel;
  209.                     pthread_mutex_unlock(tpool[id].lock);
  210.                 } while(!cancel && (res > 0 || errno == EAGAIN));
  211.             }
  212.         }
  213.         pthread_mutex_unlock(tpool[id].input_lock);
  214.        
  215.        
  216.         waitpid(pid, &status, WNOHANG);
  217.        
  218.         if(WIFEXITED(status)) {
  219.             einfo.id = h.id;
  220.             einfo.exit_code = WEXITSTATUS(status);
  221.            
  222.             send_to_Java(JAVA_HANDLER_ID, (void *)&einfo, sizeof(einfo));
  223.            
  224.             return; // TODO: free()
  225.         }
  226.        
  227.        
  228.  
  229.         pthread_mutex_lock(tpool[id].lock);
  230.         cancel = tpool[id].cancel;
  231.         pthread_mutex_unlock(tpool[id].lock);
  232.     }
  233. }
  234.  
  235. void send_to_Java(unsigned long id, void *data, unsigned long data_length) {
  236.     message_header header;
  237.    
  238.     header.id = id;
  239.     header.bytes_count = data_length;
  240.    
  241.     // write into IPC header + data
  242. }
  243.  
  244. void send_action_to_Java(
  245.  
  246.  
  247.  
  248.  
  249. /**
  250.  * PROTOCOL SUMMARY
  251.  * ================
  252.  *
  253.  * a message is composed as follow
  254.  *
  255.  * +----+-----+----------------------+
  256.  * | id | len |         data         |
  257.  * +----+-----+----------------------+
  258.  *
  259.  * where
  260.  *   - @id: is the id of the receiver
  261.  *   - @len: is the length of the data section
  262.  *   - @data: is the data to trasfer to the receiver
  263.  *
  264.  * NOTE:    if @id is 0 the receiver is the dSploitd server or the Java main thread.
  265.  *              if @id is 0, the first byte of @ðata is an action that describe what comes next.
  266.  *              if @len is 0, the handler must close the stream.
  267.  * LIMITS:      maximum 254 handlers can run in parallel ( @id is an 8 bit char )
  268.  *              maximum len of data is 255 chars
  269.  *              these limits can be expanded using `unsigned int` or `unsigned long` instead of `unsigned char`.
  270.  *
  271.  *
  272.  * EXAMPLES
  273.  * ========
  274.  *
  275.  * execute a blind command
  276.  * -----------------------
  277.  *
  278.  * Java:
  279.  * "\x00\x35\x00\x00rm -rf /data/data/it.evilsocket.dsploit/files/fifos"
  280.  *
  281.  * @id   = \x00
  282.  * @len  = \x35 = 53
  283.  * @data = \x00\x00rm -rf /data/data/it.evilsocket.dsploit/files/fifos
  284.  *       = START_CMD + NONE + "rm -rf /data/data/it.evilsocket.dsploit/files/fifos"
  285.  *
  286.  * C:
  287.  * "\x00\x03\x02\x01\x01"
  288.  *
  289.  * @id   = \x00
  290.  * @len  = \x03
  291.  * @data = \x02\x01\x00 = CMD_STARTED + new_process_info =
  292.  *       = CMD_STARTED + handler_id + NONE
  293.  *
  294.  * C:
  295.  * "\x00\x03\x03\x01\x00"
  296.  *
  297.  * @id   = \x00
  298.  * @len  = \x03
  299.  * @data = \x03\x01\x00 = CMD_END + end_process_info = CMD_END + handler_id + exit_code
  300.  *
  301.  *
  302.  * execute a RAW command
  303.  * ---------------------
  304.  *
  305.  * Java:
  306.  * "\x00\x06\x00\x01date"
  307.  *
  308.  * @id   = \x00
  309.  * @len  = \x06
  310.  * @data = \x00\x01date = START_CMD + RAW + argv = START_CMD + RAW + "date"
  311.  *
  312.  * C:
  313.  * "\x00\x03\x02\x01\x01"
  314.  *
  315.  * @id   = \x00
  316.  * @len  = \x03
  317.  * @data = \x02\x01\x01 = CMD_STARTED + new_process_info =
  318.  *       = CMD_STARTED + handler_id + RAW
  319.  *
  320.  * C:
  321.  * "\x01\x1Fven 18 apr 2014, 02.17.41, CEST"
  322.  *
  323.  * @id   = \x01 // handler_id
  324.  * @len  = \x1F
  325.  * @data = "ven 18 apr 2014, 02.17.41, CEST"
  326.  *
  327.  * C:
  328.  * "\x00\x03\x03\x01\x00"
  329.  *
  330.  * @id   = \x00
  331.  * @len  = \x03
  332.  * @data = \x03\x01\x00 = CMD_END + end_process_info = CMD_END + handler_id + exit_code
  333.  *
  334.  *
  335.  * execute a RAW command and write to it's stdin
  336.  * ---------------------------------------------
  337.  *
  338.  * Java:
  339.  * "\x00\x0C\x00\x01tar\x00-xf\x00-\x00"
  340.  *
  341.  * @id   = \x00
  342.  * @len  = \x0C
  343.  * @data = \x00\x01tar\x00-xf\x00-\x00 = START_CMD + RAW + argv =
  344.  *       = START_CMD + RAW + "tar" + "-xf" + "-"
  345.  *
  346.  * C:
  347.  * "\x00\x03\x02\x02\x01"
  348.  *
  349.  * @id   = \x00
  350.  * @len  = \x03
  351.  * @data = \x02\x02\x01 = CMD_STARTED + new_process_info =
  352.  *       = CMD_STARTED + handler_id + RAW
  353.  *
  354.  * Java:
  355.  * "\x02\xFFtar archive here..."
  356.  *
  357.  * @id   = \x02
  358.  * @len  = \xFF
  359.  * @data = "tar archive here..."
  360.  *
  361.  *
  362.  * // close stdin
  363.  *
  364.  * Java:
  365.  * "\x02\x00"
  366.  *
  367.  * @id   = \x02
  368.  * @len  = \x00
  369.  *
  370.  * C:
  371.  * "\x00\x03\x03\x02\x00"
  372.  *
  373.  * @id   = \x00
  374.  * @len  = \x03
  375.  * @data = \x03\x02\x00 = CMD_END + end_process_info = CMD_END + handler_id + exit_code
  376.  *
  377.  *
  378.  * execute nmap
  379.  * ------------
  380.  *
  381.  * Java:
  382.  * "\x00\x22\x00\x02-sV\x00-T4\x00-F\x00-O\x00192.168.0.100\x00"
  383.  *
  384.  * @id   = \x00
  385.  * @len  = \x22
  386.  * @data = \x00\x02-sV\x00-T4\x00-F\x00-O\x00192.168.0.100\x00 =
  387.  *       = START_CMD + NMAP + argv =
  388.  *       = START_CMD + NMAP + "-sV" + "-T4" + "-F" + "-O" + "192.168.0.100"
  389.  *
  390.  * C:
  391.  * "\x00\x03\x02\x02\x01"
  392.  *
  393.  * @id   = \x00
  394.  * @len  = \x03
  395.  * @data = \x02\x03\x02 = CMD_STARTED + new_process_info =
  396.  *       = CMD_STARTED + handler_id + NMAP
  397.  *
  398.  * C:
  399.  * "\x03\x27starting synScan for host 192.168.0.100"
  400.  *
  401.  * @id   = \x03
  402.  * @len  = \x27
  403.  * @data = "starting synScan for host 192.168.0.100"
  404.  *
  405.  * C:
  406.  * "\x03\x14TCP\x0022\x00OpenSSH\x005.9p1"
  407.  *
  408.  * @id   = \x03
  409.  * @len  = \x14
  410.  * @data = "TCP\x0022\x00OpenSSH\x005.9p1" =
  411.  *       = protocol + number + service + version
  412.  *
  413.  * C:
  414.  * "\x00\x03\x03\x03\x00"
  415.  *
  416.  * @id   = \x00
  417.  * @len  = \x03
  418.  * @data = \x03\x03\x00 = CMD_END + end_process_info = CMD_END + handler_id + exit_code
  419.  *
  420.  */
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!