Codebase list doona / 0f29a52
Imported Upstream version 0.7+git20131211 Hugo Lefeuvre 7 years ago
23 changed file(s) with 2667 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
+78
-0
Docs/CHANGES less more
0 [ 0.7 ]
1 - resolved the need for a hardcoded plugin list
2 - added max requests option to allow parallel execution (easier than hacking in thread support)
3 - added sigpipe handler to prevent silent exit if server unexpectedly closes the connection
4 - added http proxy module
5 - added more ftp test cases
6 - added more rtsp test cases
7 - added more http test cases
8 - added more irc test cases
9 - fixed a long standing BED bug where two test strings where accidentally concatenated
10 - fixed a long standing BED bug where a hex representation of a 32bit integer was not max value as intended
11 - aliased -m to -s (-s is getting deprecated/reassigned)
12 - renamed plugins to modules (-m is for module)
13 - removed directory traversal testing code from ftp module
14 - rewrote/broke misc testing procedure to test specific edge cases, needs redesign
15 - added support for multiple setup/prefix/verbs, ie: fuzzing Host headers with GET/POST/HEAD requests
16 - fixed long standing BED bug in the smtp module where it wouldn't greet the mail server correctly with HELO
17 - added more smtp test cases
18 - fixed long standing BED bug in escaped Unicode strings
19 - added more large integer and formatstring fuzz strings
20 - fixed column alignment in the progress output
21
22
23 [ 0.6 first doona release ]
24 - added rtsp module
25 - added tftp module
26 - added whois module
27 - added more irc test cases
28 - added more finger test cases
29 - added more http test cases
30 - added more ftp test cases
31 - added progress indicator count to fuzz cases
32 - added resume feature (uses test case number)
33 - added crash indicators for test case number
34 - added signal handlers (displays testcase number on crtl^c or kill)
35 - added feature to dump what a test case number would send
36 - ftp module now uses anonymous login if username password not provided
37 - changed the order test cases are executed to allow corner cases to be tested earlier
38 - changed diagnostic output
39 - new and improved help text
40 - some code cleanup
41
42 [ 0.5 ]
43 - fixed port for smtp module
44 - added a check for some "random" numbers
45 - added some more misc strings
46 - added some commands to ftp, pop and imap
47
48 [ 0.42 ]
49 - added unicode testing ( untested! )
50 - added some stuff to the ftp directory traversal, inspired by Dennis Rand Platinum FTP Advisory
51 - started to write a socks5 plugin but then realized this is pretty boring, because
52 you have to provide the nessecairy lengths on your own...
53 so only buffer underuns are checked here...
54 - added a new option -o to specify the timeOut... this is useful if a server bans
55 for too fast connection retries, or when simply sending the latest two testcases
56 after crashing dont reproduce the crash
57 - new module, socks4... yeah I _am_ bored :)
58 - new module: lpd ( unfinished... )
59 - new, lame module: finger :)
60 - beautified the code
61 - new module: PJL
62 - added a status bar ( pls, dont look how i did it... )
63 - fixed some errors with udp
64 - reniced some output... :)
65 - local tcp/udp port can now be specified too
66
67
68 [ 0.3 ]
69 - new modules: HTTP, IRC
70 - a new method to check whether server is still alive
71 - possibility to use udp and tcp
72
73
74 [ 0.2 ]
75 - new structure of bed, simple modules for each service
76 - new services support: SMTP, POP
77
+55
-0
Docs/FAQ less more
0
1 [ Frequently Asked Questions ]
2
3 Bruteforce Exploit Detector
4 written by mjm ( www.codito.de ) and snakebyte ( www.kryptocrew.de/snakebyte/ )
5
6
7 1.) Why test at all?
8
9 Security is necessary, I think we agree on that.
10 Due to the fact that there are other programs,
11 and ways to test software ( see question 2 ),
12 I think this one is the easiest. Simply sending
13 the stuff to a server, which is known to
14 cause problems. Verification of wheter a test failed
15 or not is also pretty simple.
16 So this collection of scripts does not verify that your
17 code has no problems at all, but it can make sure, that
18 you made your way around the most common ones.
19
20
21 2.) Which other tools exists for security testing?
22
23 Splint ( www.splint.org )
24 checks the source code of a program for problems
25
26 BFBTester ( bfbtester.sourceforge.net )
27 checks command line and environment problems of binaries
28
29 l0phtwatch ( www.l0pht.com )
30 detects temp file problems
31
32 screamingcobra ( www.dachb0den.com )
33 checks php and perl scripts for problems, wich can lead to acces files on the server
34
35 wpoison ( wpoison.sourceforge.net )
36 checks websites for SQL injection problems
37
38 webtest ( martynov.org/webtest/ )
39 tests scripts on your website
40
41 ...or you could hire a bunch of programmers, which check the code
42 manually :)
43
44
45 3.) What is ''XAXAX''?
46
47 XAXAX is the result of Snakebyte drinking beer and thinking about
48 a good place-holder. XAXAX is replaced by the exploit string while
49 testing.
50
51
52 4.) How can i write a plugin ?
53
54 Check 'dummy.pm' for details..
+25
-0
Docs/HOWTO less more
0
1 Howto use BED?
2
3
4 Using BED is quit simple :) Decide which protocol you want to stress test
5 and start bed using the commandline
6
7 perl bed.pl -m module -t 192.168.0.1
8
9 BED will then run for a while, any maybe report to you that a connection attempt
10 to the service failed. If this is the case you might have detected a bug. Next step
11 is to run BED again with a higher timeout between the testcases, depending on the
12 duration of your coffee break, values of 5 to 30 seconds are fine. So restart the
13 daemon or box and run BED again, using the -o switch. If BED reports a crash at the
14 same place again, take a look at the module you where using ( in bedmod/xxxx.pm ) and
15 search for the testcase, then run it by hand ( either using netcat and perl or write
16 your own script ) agains the daemon, if you can reproduce the problem, its time to look
17 at the sources, coredump or using a disassembler and debugger to find out whats really
18 happening in there. If BED reports the crash at another test, just increase the timeout
19 a bit more until you found the testcase which produces the crash, just do some trial and
20 error stuff, because sometimes the crash happens much later than you sending the data.
21 I had wait times up to 2 Minutes with a Lexmark T522 printer, until the box finally
22 crashed and called for service :)
23
24 Thats about it... enjoy
+4
-0
Docs/TODO less more
0 alot of plugins, feel free to write some :)
1 Fix FTP module to still fuzz public commands if login fails
2 Add support for ping feature to see is service is still alive (better crash detection)
3 Fix modules that insists on connecting when not necessary
+120
-0
Docs/dummy.pm less more
0 package bedmod::dummy;
1 use Socket;
2
3 # Example plugin for bed2
4 #
5 # Feel free to fill in the gaps ... :)
6 #
7 # search bed.pl for "dummy" to see what you need to
8 # change to include your module
9 # (just one entry ... no need to be scared *g* )
10 #
11
12 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
13 # create a new instance of this object
14 sub new{
15 my $this = {};
16
17 # define everything you might need
18 $this->{dummy} = undef;
19 bless $this;
20 return $this;
21 }
22
23 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
24 # initialise some parameters
25 sub init{
26 my $this = shift;
27 %special_cfg=@_;
28
29 # Set protocol tcp/udp
30 $this->{proto} = "tcp";
31
32 # insert your default port here...
33 if ($special_cfg{'p'} eq "") { $this->{port}='110'; }
34 else { $this->{port} = $special_cfg{'p'}; }
35
36 # verify you got everything you need,
37 # $special_cfg will provide you the commandline
38 # switches from u, v, w and x
39 if ( $special_cfg{'u'} eq "") {
40 print qq~
41 Parameters for the dummy plugin:
42
43 -u <description what the user should provide>
44
45 ~;
46 exit(1);
47 }
48
49 # set info nessecairy for for your module..
50 $this->{dummy} = $special_cfg{'u'};
51
52 # how can bed check that the server is still alive
53 # This string will simply be send to the server
54 # ( server should reply something to this )
55 $this->{vrfy} = "HELP\r\n";
56 }
57
58 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
59 # how to quit ?
60 sub getQuit{
61 # what to send to close the connection the right way
62 return("QUIT\r\n");
63 }
64
65 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
66 # what to test without doing a login before
67 # ..mainly the login stuff *g*
68 sub getLoginarray {
69 my $this = shift;
70 @Loginarray = (
71 "USER XAXAX\r\n",
72 "USER $this->{username}\r\nPASS XAXAX\r\n"
73 )
74 return (@Loginarray);
75 }
76
77
78 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
79 # which commands does this protocol know ?
80 sub getCommandarray {
81 my $this = shift;
82 # the XAXAX will be replaced with the buffer overflow / format string data
83 # place every command in this array you want to test
84 @cmdArray = (
85 "foo XAXAX\r\n",
86 "bar XAXAX\r\n",
87 "XAXAX\r\n"
88 );
89 return(@cmdArray);
90 }
91
92
93 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
94 # what to send to login ?
95 sub getLogin{ # login procedure
96 my $this = shift;
97 @login = (
98 "Hi, I am a dummy\r\n",
99 "This is my pass: foobar\r\n"
100 );
101 return(@login);
102 }
103
104 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
105 # here we can test everything besides buffer overflows and format strings
106 sub testMisc{
107 # Insert your favourite directory traversal bug here :)
108 my $this = shift;
109 return();
110 }
111
112 # Module specific help goes here
113 # Leave an empty sub if there is no module specific help
114 sub usage {
115 print qq~ Module spacific help:
116 ~;
117 }
118
119 1;
+340
-0
Docs/gpl.txt less more
0 GNU GENERAL PUBLIC LICENSE
1 Version 2, June 1991
2
3 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
4 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
5 Everyone is permitted to copy and distribute verbatim copies
6 of this license document, but changing it is not allowed.
7
8 Preamble
9
10 The licenses for most software are designed to take away your
11 freedom to share and change it. By contrast, the GNU General Public
12 License is intended to guarantee your freedom to share and change free
13 software--to make sure the software is free for all its users. This
14 General Public License applies to most of the Free Software
15 Foundation's software and to any other program whose authors commit to
16 using it. (Some other Free Software Foundation software is covered by
17 the GNU Library General Public License instead.) You can apply it to
18 your programs, too.
19
20 When we speak of free software, we are referring to freedom, not
21 price. Our General Public Licenses are designed to make sure that you
22 have the freedom to distribute copies of free software (and charge for
23 this service if you wish), that you receive source code or can get it
24 if you want it, that you can change the software or use pieces of it
25 in new free programs; and that you know you can do these things.
26
27 To protect your rights, we need to make restrictions that forbid
28 anyone to deny you these rights or to ask you to surrender the rights.
29 These restrictions translate to certain responsibilities for you if you
30 distribute copies of the software, or if you modify it.
31
32 For example, if you distribute copies of such a program, whether
33 gratis or for a fee, you must give the recipients all the rights that
34 you have. You must make sure that they, too, receive or can get the
35 source code. And you must show them these terms so they know their
36 rights.
37
38 We protect your rights with two steps: (1) copyright the software, and
39 (2) offer you this license which gives you legal permission to copy,
40 distribute and/or modify the software.
41
42 Also, for each author's protection and ours, we want to make certain
43 that everyone understands that there is no warranty for this free
44 software. If the software is modified by someone else and passed on, we
45 want its recipients to know that what they have is not the original, so
46 that any problems introduced by others will not reflect on the original
47 authors' reputations.
48
49 Finally, any free program is threatened constantly by software
50 patents. We wish to avoid the danger that redistributors of a free
51 program will individually obtain patent licenses, in effect making the
52 program proprietary. To prevent this, we have made it clear that any
53 patent must be licensed for everyone's free use or not licensed at all.
54
55 The precise terms and conditions for copying, distribution and
56 modification follow.
57
58 GNU GENERAL PUBLIC LICENSE
59 TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
60
61 0. This License applies to any program or other work which contains
62 a notice placed by the copyright holder saying it may be distributed
63 under the terms of this General Public License. The "Program", below,
64 refers to any such program or work, and a "work based on the Program"
65 means either the Program or any derivative work under copyright law:
66 that is to say, a work containing the Program or a portion of it,
67 either verbatim or with modifications and/or translated into another
68 language. (Hereinafter, translation is included without limitation in
69 the term "modification".) Each licensee is addressed as "you".
70
71 Activities other than copying, distribution and modification are not
72 covered by this License; they are outside its scope. The act of
73 running the Program is not restricted, and the output from the Program
74 is covered only if its contents constitute a work based on the
75 Program (independent of having been made by running the Program).
76 Whether that is true depends on what the Program does.
77
78 1. You may copy and distribute verbatim copies of the Program's
79 source code as you receive it, in any medium, provided that you
80 conspicuously and appropriately publish on each copy an appropriate
81 copyright notice and disclaimer of warranty; keep intact all the
82 notices that refer to this License and to the absence of any warranty;
83 and give any other recipients of the Program a copy of this License
84 along with the Program.
85
86 You may charge a fee for the physical act of transferring a copy, and
87 you may at your option offer warranty protection in exchange for a fee.
88
89 2. You may modify your copy or copies of the Program or any portion
90 of it, thus forming a work based on the Program, and copy and
91 distribute such modifications or work under the terms of Section 1
92 above, provided that you also meet all of these conditions:
93
94 a) You must cause the modified files to carry prominent notices
95 stating that you changed the files and the date of any change.
96
97 b) You must cause any work that you distribute or publish, that in
98 whole or in part contains or is derived from the Program or any
99 part thereof, to be licensed as a whole at no charge to all third
100 parties under the terms of this License.
101
102 c) If the modified program normally reads commands interactively
103 when run, you must cause it, when started running for such
104 interactive use in the most ordinary way, to print or display an
105 announcement including an appropriate copyright notice and a
106 notice that there is no warranty (or else, saying that you provide
107 a warranty) and that users may redistribute the program under
108 these conditions, and telling the user how to view a copy of this
109 License. (Exception: if the Program itself is interactive but
110 does not normally print such an announcement, your work based on
111 the Program is not required to print an announcement.)
112
113 These requirements apply to the modified work as a whole. If
114 identifiable sections of that work are not derived from the Program,
115 and can be reasonably considered independent and separate works in
116 themselves, then this License, and its terms, do not apply to those
117 sections when you distribute them as separate works. But when you
118 distribute the same sections as part of a whole which is a work based
119 on the Program, the distribution of the whole must be on the terms of
120 this License, whose permissions for other licensees extend to the
121 entire whole, and thus to each and every part regardless of who wrote it.
122
123 Thus, it is not the intent of this section to claim rights or contest
124 your rights to work written entirely by you; rather, the intent is to
125 exercise the right to control the distribution of derivative or
126 collective works based on the Program.
127
128 In addition, mere aggregation of another work not based on the Program
129 with the Program (or with a work based on the Program) on a volume of
130 a storage or distribution medium does not bring the other work under
131 the scope of this License.
132
133 3. You may copy and distribute the Program (or a work based on it,
134 under Section 2) in object code or executable form under the terms of
135 Sections 1 and 2 above provided that you also do one of the following:
136
137 a) Accompany it with the complete corresponding machine-readable
138 source code, which must be distributed under the terms of Sections
139 1 and 2 above on a medium customarily used for software interchange; or,
140
141 b) Accompany it with a written offer, valid for at least three
142 years, to give any third party, for a charge no more than your
143 cost of physically performing source distribution, a complete
144 machine-readable copy of the corresponding source code, to be
145 distributed under the terms of Sections 1 and 2 above on a medium
146 customarily used for software interchange; or,
147
148 c) Accompany it with the information you received as to the offer
149 to distribute corresponding source code. (This alternative is
150 allowed only for noncommercial distribution and only if you
151 received the program in object code or executable form with such
152 an offer, in accord with Subsection b above.)
153
154 The source code for a work means the preferred form of the work for
155 making modifications to it. For an executable work, complete source
156 code means all the source code for all modules it contains, plus any
157 associated interface definition files, plus the scripts used to
158 control compilation and installation of the executable. However, as a
159 special exception, the source code distributed need not include
160 anything that is normally distributed (in either source or binary
161 form) with the major components (compiler, kernel, and so on) of the
162 operating system on which the executable runs, unless that component
163 itself accompanies the executable.
164
165 If distribution of executable or object code is made by offering
166 access to copy from a designated place, then offering equivalent
167 access to copy the source code from the same place counts as
168 distribution of the source code, even though third parties are not
169 compelled to copy the source along with the object code.
170
171 4. You may not copy, modify, sublicense, or distribute the Program
172 except as expressly provided under this License. Any attempt
173 otherwise to copy, modify, sublicense or distribute the Program is
174 void, and will automatically terminate your rights under this License.
175 However, parties who have received copies, or rights, from you under
176 this License will not have their licenses terminated so long as such
177 parties remain in full compliance.
178
179 5. You are not required to accept this License, since you have not
180 signed it. However, nothing else grants you permission to modify or
181 distribute the Program or its derivative works. These actions are
182 prohibited by law if you do not accept this License. Therefore, by
183 modifying or distributing the Program (or any work based on the
184 Program), you indicate your acceptance of this License to do so, and
185 all its terms and conditions for copying, distributing or modifying
186 the Program or works based on it.
187
188 6. Each time you redistribute the Program (or any work based on the
189 Program), the recipient automatically receives a license from the
190 original licensor to copy, distribute or modify the Program subject to
191 these terms and conditions. You may not impose any further
192 restrictions on the recipients' exercise of the rights granted herein.
193 You are not responsible for enforcing compliance by third parties to
194 this License.
195
196 7. If, as a consequence of a court judgment or allegation of patent
197 infringement or for any other reason (not limited to patent issues),
198 conditions are imposed on you (whether by court order, agreement or
199 otherwise) that contradict the conditions of this License, they do not
200 excuse you from the conditions of this License. If you cannot
201 distribute so as to satisfy simultaneously your obligations under this
202 License and any other pertinent obligations, then as a consequence you
203 may not distribute the Program at all. For example, if a patent
204 license would not permit royalty-free redistribution of the Program by
205 all those who receive copies directly or indirectly through you, then
206 the only way you could satisfy both it and this License would be to
207 refrain entirely from distribution of the Program.
208
209 If any portion of this section is held invalid or unenforceable under
210 any particular circumstance, the balance of the section is intended to
211 apply and the section as a whole is intended to apply in other
212 circumstances.
213
214 It is not the purpose of this section to induce you to infringe any
215 patents or other property right claims or to contest validity of any
216 such claims; this section has the sole purpose of protecting the
217 integrity of the free software distribution system, which is
218 implemented by public license practices. Many people have made
219 generous contributions to the wide range of software distributed
220 through that system in reliance on consistent application of that
221 system; it is up to the author/donor to decide if he or she is willing
222 to distribute software through any other system and a licensee cannot
223 impose that choice.
224
225 This section is intended to make thoroughly clear what is believed to
226 be a consequence of the rest of this License.
227
228 8. If the distribution and/or use of the Program is restricted in
229 certain countries either by patents or by copyrighted interfaces, the
230 original copyright holder who places the Program under this License
231 may add an explicit geographical distribution limitation excluding
232 those countries, so that distribution is permitted only in or among
233 countries not thus excluded. In such case, this License incorporates
234 the limitation as if written in the body of this License.
235
236 9. The Free Software Foundation may publish revised and/or new versions
237 of the General Public License from time to time. Such new versions will
238 be similar in spirit to the present version, but may differ in detail to
239 address new problems or concerns.
240
241 Each version is given a distinguishing version number. If the Program
242 specifies a version number of this License which applies to it and "any
243 later version", you have the option of following the terms and conditions
244 either of that version or of any later version published by the Free
245 Software Foundation. If the Program does not specify a version number of
246 this License, you may choose any version ever published by the Free Software
247 Foundation.
248
249 10. If you wish to incorporate parts of the Program into other free
250 programs whose distribution conditions are different, write to the author
251 to ask for permission. For software which is copyrighted by the Free
252 Software Foundation, write to the Free Software Foundation; we sometimes
253 make exceptions for this. Our decision will be guided by the two goals
254 of preserving the free status of all derivatives of our free software and
255 of promoting the sharing and reuse of software generally.
256
257 NO WARRANTY
258
259 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
260 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
261 OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
262 PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
263 OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
264 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
265 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
266 PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
267 REPAIR OR CORRECTION.
268
269 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
270 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
271 REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
272 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
273 OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
274 TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
275 YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
276 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
277 POSSIBILITY OF SUCH DAMAGES.
278
279 END OF TERMS AND CONDITIONS
280
281 How to Apply These Terms to Your New Programs
282
283 If you develop a new program, and you want it to be of the greatest
284 possible use to the public, the best way to achieve this is to make it
285 free software which everyone can redistribute and change under these terms.
286
287 To do so, attach the following notices to the program. It is safest
288 to attach them to the start of each source file to most effectively
289 convey the exclusion of warranty; and each file should have at least
290 the "copyright" line and a pointer to where the full notice is found.
291
292 <one line to give the program's name and a brief idea of what it does.>
293 Copyright (C) <year> <name of author>
294
295 This program is free software; you can redistribute it and/or modify
296 it under the terms of the GNU General Public License as published by
297 the Free Software Foundation; either version 2 of the License, or
298 (at your option) any later version.
299
300 This program is distributed in the hope that it will be useful,
301 but WITHOUT ANY WARRANTY; without even the implied warranty of
302 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
303 GNU General Public License for more details.
304
305 You should have received a copy of the GNU General Public License
306 along with this program; if not, write to the Free Software
307 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
308
309
310 Also add information on how to contact you by electronic and paper mail.
311
312 If the program is interactive, make it output a short notice like this
313 when it starts in an interactive mode:
314
315 Gnomovision version 69, Copyright (C) year name of author
316 Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 This is free software, and you are welcome to redistribute it
318 under certain conditions; type `show c' for details.
319
320 The hypothetical commands `show w' and `show c' should show the appropriate
321 parts of the General Public License. Of course, the commands you use may
322 be called something other than `show w' and `show c'; they could even be
323 mouse-clicks or menu items--whatever suits your program.
324
325 You should also get your employer (if you work as a programmer) or your
326 school, if any, to sign a "copyright disclaimer" for the program, if
327 necessary. Here is a sample; alter the names:
328
329 Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 `Gnomovision' (which makes passes at compilers) written by James Hacker.
331
332 <signature of Ty Coon>, 1 April 1989
333 Ty Coon, President of Vice
334
335 This General Public License does not permit incorporating your program into
336 proprietary programs. If your program is a subroutine library, you may
337 consider it more useful to permit linking proprietary applications with the
338 library. If this is what you want to do, use the GNU Library General
339 Public License instead of this License.
+49
-0
README less more
0
1 [ Doona - Network fuzzing tool ]
2
3 .:: About ::.
4
5 Doona is a fork of the Bruteforce Exploit Detector Tool (BED).
6 BED is a program which is designed to check daemons for
7 potential buffer overflows, format string bugs etc.
8
9 Doona is Australian for duvet. It adds a significant enough number
10 of features/changes to BED that I renamed it to avoid confusion.
11
12 I hope you'll find it useful.
13
14 @Wireghoul
15
16 .:: Version ::.
17
18 0.7 - Multi verb support, more fuzz cases and bug fixes
19 0.6 - First official doona release
20 0.5 - Fork from BED
21
22 See 'Docs/CHANGES' for the full changelog.
23
24 .:: License ::.
25
26 This program is free software; you can redistribute it and/or modify
27 it under the terms of the GNU General Public License as published by
28 the Free Software Foundation; either version 2 of the License, or
29 any later version.
30
31
32 See 'Docs/gpl.txt' for more information.
33
34 .:: Authors ::.
35
36 Doona:
37 Eldar Marcussen aka, 'Wireghoul'
38 http://www.justanotherhacker.com
39
40 BED was written by:
41 Eric Sesterhenn aka. 'Snakebyte'
42 -Mail: snakebyte@gmx.de
43 -Web: www.snake-basket.de
44
45 Martin J. Muench aka. 'mjm'
46 -Mail: mjm@codito.de
47 -Web: www.codito.de
48
+78
-0
bedmod/finger.pm less more
0 package bedmod::finger;
1 use Socket;
2
3 # lame finger plugin :)
4
5 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
6 # create a new instance of this object
7 sub new {
8 my $this = {};
9 bless $this;
10 return $this;
11 }
12
13 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
14 # initialise some parameters
15 sub init {
16 my $this = shift;
17 %special_cfg=@_;
18
19 # Set protocol tcp/udp
20 $this->{proto} = "tcp";
21
22 if ($special_cfg{'p'} eq "") { $this->{port}='79'; }
23 else { $this->{port} = $special_cfg{'p'}; }
24 $this->{sport} = 0;
25 $this->{vrfy} = "root\n";
26 }
27
28 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
29 # how to quit ?
30 sub getQuit {
31 return("");
32 }
33
34 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
35 # what to test without doing a login before
36 # ..mainly the login stuff *g*
37 sub getLoginarray {
38 my $this = shift;
39 @Loginarray = ("");
40 return (@Loginarray);
41 }
42
43 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
44 # which commands does this protocol know ?
45 sub getCommandarray {
46 my $this = shift;
47
48 # the XAXAX will be replaced with the buffer overflow / format string
49 # place every command in this array you want to test
50 @cmdArray = (
51 "XAXAX\r\n",
52 "\@XAXAX\r\n",
53 "XAXAX\@\r\n",
54 "XAXAX\@XAXAX\r\n"
55 );
56 return(@cmdArray);
57 }
58
59 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
60 # what to send to login ?
61 sub getLogin { # login procedure
62 my $this = shift;
63 @login = ("");
64 return(@login);
65 }
66
67 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
68 # here we can test everything besides buffer overflows and format strings
69 sub testMisc {
70 my $this = shift;
71 return();
72 }
73
74 sub usage {
75 }
76
77 1;
+219
-0
bedmod/ftp.pm less more
0 package bedmod::ftp;
1 use Socket;
2
3 # This package is an extension to bed, to check
4 # for ftp server vulnerabilities.
5
6 sub new {
7 my $this = {};
8 $this->{username} = 'anonymous'; # specific for just this
9 $this->{password} = 'user@this.bed'; # module
10 bless $this;
11 return $this;
12 }
13
14 sub init {
15 my $this = shift;
16 %special_cfg=@_;
17
18 # Specify protocol to use
19 $this->{proto}="tcp";
20 # check for missing args, set target and host
21 if ($special_cfg{'p'} eq "") { $this->{port}='21'; }
22 else { $this->{port} = $special_cfg{'p'}; }
23
24 # get info nessecairy for FTP
25 $this->{username} = $special_cfg{'u'} if $special_cfg{'u'};
26 $this->{password} = $special_cfg{'v'} if $special_cfg{'v'};
27 $this->{vrfy} = "PWD\r\n";
28
29 # let's see if we got a correct login (skip if dump mode is set)
30 if ($special_cfg{'d'}) { return; }
31 $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n";
32 $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n";
33 $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
34 socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
35 connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
36 send(SOCKET, "USER $this->{username}\r\n", 0) || die "USER failed: $!\n";
37 $recvbuf = <SOCKET>;
38 sleep(1); # some ftp's need some time to reply
39 send(SOCKET, "PASS $this->{password}\r\n", 0) || die "PASS failed: $!\n";
40 do {
41 $recvbuf = <SOCKET>;
42 #print ($recvbuf);
43 if ( $recvbuf =~ "530" ){
44 print ("Username or Password incorrect, can't login\n");
45 exit(1);
46 }
47 sleep(0.2);
48 } until ( $recvbuf =~ "230" );
49 send(SOCKET, "QUIT\r\n", 0);
50 close(SOCKET);
51 }
52
53 sub getQuit {
54 return("QUIT\r\n");
55 }
56
57 sub getLoginarray {
58 my $this = shift;
59 @Loginarray = (
60 "XAXAX\r\n",
61 "USER XAXAX\r\n",
62 "USER XAXAX\r\nPASS password\r\n",
63 "USER anonymous\r\nPASS XAXAX\r\n",
64 "USER XAXAX\r\nPASS password\r\nUSER $this->{username}\r\nPASS XAXAX\r\n",
65 "USER $this->{username}\r\nPASS XAXAX\r\n",
66 "PASS XAXAX\r\n"
67 );
68 return (@Loginarray);
69 }
70
71 sub getCommandarray {
72 my $this = shift;
73
74 # the XAXAX will be replaced with the buffer overflow / format string
75 # just comment them out if you don't like them..
76 @cmdArray = (
77 "XAXAX\r\n",
78 "XAXAX 123\r\n",
79 "ABOR XAXAX\r\n",
80 "ACCL XAXAX\r\n",
81 "ACCT XAXAX\r\n",
82 "ALLO XAXAX\r\n",
83 "APPE XAXAX\r\n",
84 "APPE /XAXAX\r\n",
85 "CDUP XAXAX\r\n",
86 "CWD XAXAX\r\n",
87 "CEL XAXAX\r\n",
88 "DELE XAXAX\r\n",
89 "EPRT XAXAX\r\n",
90 "EPRT |XAXAX|127.0.0.1|6275|\r\n",
91 "EPRT |1|XAXAX|6275|\r\n",
92 "EPRT |1|127.0.0.1|XAXAX|\r\n",
93 "EPSV XAXAX\r\n",
94 "FEAT XAXAX\r\n",
95 "HELP XAXAX\r\n",
96 "LIST XAXAX\r\n",
97 "LIST -XAXAX\r\n",
98 "LIST *XAXAX\r\n",
99 "LOCK XAXAX\r\n",
100 "LOCK / XAXAX\r\n",
101 "MDTM XAXAX\r\n",
102 "MDTM XAXAX file.txt\r\n",
103 "MDTM 19990929043300 XAXAX\r\n",
104 "MDTM 20031111111111+ XAXAX\r\n",
105 "MLST XAXAX\r\n",
106 "MODE XAXAX\r\n",
107 "MKD XAXAX\r\n",
108 "MKD XAXAX\r\nCWD XAXAX\r\n",
109 "MKD XAXAX\r\nDELE XAXAX\r\n",
110 "MKD XAXAX\r\nRMD XAXAX\r\n",
111 "MKD XAXAX\r\nXRMD XAXAX\r\n",
112 "NLST XAXAX\r\n",
113 "NLST ~XAXAX\r\n",
114 "NOOP XAXAX\r\n",
115 "OPTS XAXAX\r\n",
116 "PASS XAXAX\r\n",
117 "PASV XAXAX\r\n",
118 "PORT XAXAX\r\n",
119 "PWD XAXAX\r\n",
120 "REIN XAXAX\r\n",
121 "REST XAXAX\r\n",
122 "RETR XAXAX\r\n",
123 "RMD XAXAX\r\n",
124 "RNFR XAXAX\r\n",
125 "RNTO XAXAX\r\n",
126 "RNFR XAXAX\r\nRNTO XAXAX\r\n",
127 "SITE XAXAX\r\n",
128 "SITE EXEC XAXAX\r\n",
129 "SITE GROUPS XAXAX\r\n",
130 "SITE CDPATH XAXAX\r\n",
131 "SITE ALIAS XAXAX\r\n",
132 "SITE INDEX XAXAX\r\n",
133 "SITE MINFO 20001010101010 XAXAX\r\n",
134 "SITE NEWER 20001010101010 XAXAX\r\n",
135 "SITE GPASS XAXAX\r\n",
136 "SITE GROUP XAXAX\r\n",
137 "SITE HELP XAXAX\r\n",
138 "SITE IDLE XAXAX\r\n",
139 "SITE CHMOD XAXAX\r\n",
140 "SITE CHMOD 777 XAXAX\r\n",
141 "SITE UMASK XAXAX\r\n",
142 "SIZE XAXAX\r\n",
143 "SIZE /XAXAX\r\n",
144 "SMNT XAXAX\r\n",
145 "STOU XAXAX\r\n",
146 "STRU XAXAX\r\n",
147 "STOR XAXAX\r\n",
148 "STAT XAXAX\r\n",
149 "SYST XAXAX\r\n",
150 "TYPE XAXAX\r\n",
151 "USER XAXAX\r\n",
152 "UNLOCK XAXAX\r\n",
153 "UNLOCK / XAXAX\r\n",
154 "XCUP XAXAX\r\n",
155 "XCWD XAXAX\r\n",
156 "XMD5 XAXAX\r\n",
157 "XMKD XAXAX\r\n",
158 "XPWD XAXAX\r\n",
159 "XRMD XAXAX\r\n",
160 );
161 return(@cmdArray);
162 }
163
164 sub getLogin { # login procedure
165 my $this = shift;
166 @login = ("USER $this->{username}\r\nPASS $this->{password}\r\n");
167 return(@login);
168 }
169
170 sub testMisc {
171 my $this = shift;
172 return; # Directory traversal code is buggy an not really what I want
173 # test for bof in login / user ?
174 # test for the availability to abuse this host for portscanning ?
175
176 # test for possible directory traversal bugs...
177 print ("*Directory traversal\n");
178
179 @traversal = ("...", "%5c..%5c", ,"%5c%2e%2e%5c", "/././..", "/...", "/......", "\\...", "...\\", "....", "*", "\\*", "\\....", "*\\\\.....", "/..../", "/../../../", "\\..\\..\\..\\", "\@/..\@/..");
180 foreach $Directory (@traversal){
181 $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n";
182 $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n";
183 $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
184 socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
185 connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
186 send(SOCKET, "USER $this->{username}\r\n", 0) || die "USER failed: $!\n";
187 sleep(2); # some ftp's need some time to reply
188 $recvbuf = <SOCKET>;
189 send(SOCKET, "PASS $this->{password}\r\n", 0) || die "PASS failed: $!\n";
190 sleep(2); # some ftp's need some time to reply
191 $recvbuf = <SOCKET> || die "Login failed $!\n";
192 send(SOCKET, "PWD\r\n", 0); # get old directory
193 sleep(1);
194 $curDir = <SOCKET>;
195 send(SOCKET, "CWD $Directory\r\n", 0); # send the traversal string
196 # clear the buffer, by waiting for :
197 # 501 550 250 553
198 do { $recvbuf = <SOCKET>; } while( ($recvbuf !~ /550/) && ($recvbuf !~ /250/) && ($recvbuf !~ /553/) && ($recvbuf !~ /501/)); # receive answer
199 send(SOCKET, "PWD\r\n", 0); # get new directory
200 $newDir = <SOCKET>;
201
202 # compare the directories, and report a problem if they are not equal
203 if ( $curDir ne $newDir ){ print ("Directory Traversal ($curDir => $newDir) possible with $Directory \n"); }
204 send(SOCKET,"QUIT\r\n", 0); # logout
205 close (SOCKET); # close connection
206 }
207 return();
208 }
209
210 sub usage {
211 print qq~ FTP Module specific options:
212 -u <username> = Username to use for authentication (default: anonymous)
213 -v <password> = Password to use for authentication (default: user\@this.bed)
214
215 ~;
216 }
217
218 1;
+152
-0
bedmod/http.pm less more
0 package bedmod::http;
1 use Socket;
2
3 # This package is an extension to bed, to check
4 # for http server vulnerabilities.
5
6 sub new {
7 my $this = {};
8 bless $this;
9 return $this;
10 }
11
12 sub init {
13 my $this = shift;
14 %special_cfg=@_;
15
16 $this->{proto}="tcp";
17
18 if ($special_cfg{'p'} eq "") {
19 $this->{port}='80';
20 } else {
21 $this->{port} = $special_cfg{'p'};
22 }
23
24 if ($special_cfg{'d'}) { return; }
25 $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n";
26 $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n";
27 $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
28 socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
29 connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
30 send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
31 }
32
33 sub getQuit {
34 return("\r\n\r\n");
35 }
36
37 sub getLoginarray {
38 my $this = shift;
39 @Loginarray = (
40 "XAXAX\r\n\r\n",
41 "XAXAX / HTTP/1.0\r\n\r\n",
42 "HEAD XAXAX HTTP/1.0\r\n\r\n",
43 "HEAD /XAXAX HTTP/1.0\r\n\r\n",
44 "HEAD /?XAXAX HTTP/1.0\r\n\r\n",
45 "HEAD / XAXAX\r\n\r\n",
46 "GET XAXAX HTTP/1.0\r\n\r\n",
47 "GET /XAXAX HTTP/1.0\r\n\r\n",
48 "GET /XAXAX.html HTTP/1.0\r\n\r\n",
49 "GET /index.XAXAX HTTP/1.0\r\n\r\n",
50 "GET /~XAXAX HTTP/1.0\r\n\r\n",
51 "GET /?XAXAX HTTP/1.0\r\n\r\n",
52 "GET /?XAXAX=x HTTP/1.0\r\n\r\n",
53 "GET /?x=XAXAX HTTP/1.0\r\n\r\n",
54 "GET / XAXAX\r\n\r\n",
55 "GET / HTTP/XAXAX\r\n\r\n",
56 "GET /XAXAX\r\n\r\n",
57 "POST XAXAX HTTP/1.0\r\n\r\n",
58 "POST /XAXAX HTTP/1.0\r\n\r\n",
59 "POST /?XAXAX HTTP/1.0\r\n\r\n",
60 "POST / XAXAX\r\n\r\n",
61 "POST /XAXAX\r\n\r\n",
62 "POST / HTTP/1.0\r\n\r\nXAXAX\r\n\r\n",
63 "POST / HTTP/1.0\r\nContent-length: 10\r\n\r\nXAXAX\r\n\r\n",
64 "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---XAXAX\r\n\r\n---XAXAX--\r\n\r\n",
65 "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---AAAAA\r\n\r\n---AAAAA\r\nContent-Disposition: form-data; name=\"XAXAX\"\r\n\r\ntest\r\n---AAAAA--\r\n\r\n",
66 "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---AAAAA\r\n\r\n---AAAAA\r\nContent-Disposition: form-data; name=\"test\"\r\n\r\nXAXAX\r\n---AAAAA--\r\n\r\n",
67 "OPTIONS XAXAX HTTP/1.0\r\n\r\n",
68 "OPTIONS /XAXAX HTTP/1.0\r\n\r\n",
69 "OPTIONS / XAXAX\r\n\r\n",
70 "PUT XAXAX HTTP/1.0\r\n\r\n",
71 "PUT /XAXAX HTTP/1.0\r\n\r\n",
72 "PUT / XAXAX\r\n\r\n",
73 "TRACE XAXAX HTTP/1.0\r\n\r\n",
74 "TRACE /XAXAX HTTP/1.0\r\n\r\n",
75 "TRACE / XAXAX\r\n\r\n",
76 "TRACK XAXAX HTTP/1.0\r\n\r\n",
77 );
78 return (@Loginarray);
79 }
80
81 sub getCommandarray {
82 my $this = shift;
83
84 @cmdArray = (
85 "XAXAX: XAXAX\r\n\r\n",
86 "User-Agent: XAXAX\r\n\r\n",
87 "Host: XAXAX\r\n\r\n",
88 "Host: XAXAX:80\r\n\r\n",
89 "Host: somehost:XAXAX\r\n\r\n",
90 "Accept: XAXAX\r\n\r\n",
91 "Accept-Encoding: XAXAX\r\n\r\n",
92 "Accept-Language: XAXAX\r\n\r\n",
93 "Accept-Charset: XAXAX\r\n\r\n",
94 "Connection: XAXAX\r\n\r\n",
95 "Referer: XAXAX\r\n\r\n",
96 "Referer: XAXAX://somehost.com/\r\n\r\n",
97 "Referer: http://XAXAX/\r\n\r\n",
98 "Referer: http://somehost.com/XAXAX\r\n\r\n",
99 "Authorization: XAXAX\r\n\r\n",
100 "From: XAXAX\r\n\r\n",
101 "Charge-To: XAXAX\r\n\r\n",
102 "Authorization: XAXAX",
103 "Authorization: XAXAX : foo\r\n\r\n",
104 "Authorization: foo : XAXAX\r\n\r\n",
105 "If-Modified-Since: XAXAX\r\n\r\n",
106 "If-Match: XAXAX\r\n\r\n",
107 "If-None-Match: XAXAX\r\n\r\n",
108 "If-Range: XAXAX\r\n\r\n",
109 "If-Unmodified-Since: XAXAX\r\n\r\n",
110 "Max-Forwards: XAXAX\r\n\r\n",
111 "Proxy-Authorization: XAXAX\r\n\r\n",
112 "ChargeTo: XAXAX\r\n\r\n",
113 "Pragma: XAXAX\r\n\r\n",
114 "Expect: XAXAX\r\n\r\n",
115 "Range: XAXAX\r\n\r\n",
116 "Range: bytes=1-XAXAX\r\n\r\n",
117 "Range: bytes=0-1,XAXAX\r\n",
118 "Content-Length: XAXAX\r\n\r\n",
119 "Cookie: XAXAX\r\n\r\n",
120 "TE: XAXAX\r\n\r\n",
121 "Upgrade: XAXAX\r\nConnection: upgrade\r\n\r\n",
122 );
123 return(@cmdArray);
124 }
125
126 sub getLogin {
127 my $this = shift;
128 @login = (
129 "GET / HTTP/1.0\r\n",
130 "POST / HTTP/1.0\r\n",
131 "HEAD / HTTP/1.0\r\n",
132 "GET / HTTP/1.1\r\n",
133 "OPTIONS / HTTP/1.0\r\n",
134 "PUT / HTTP/1.0\r\n",
135 "TRACE / HTTP/1.0\r\n",
136 );
137 return(@login);
138 }
139
140 sub testMisc { #Put your corner case tests here
141 my $this = shift;
142 @cmdArray = (
143 "GET / HTTP/1.0\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n"
144 );
145 return(@cmdArray);
146 }
147
148 sub usage {
149 }
150
151 1;
+132
-0
bedmod/imap.pm less more
0 package bedmod::imap;
1 use Socket;
2
3 # imap plugin for bed2
4
5 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
6 # create a new instance of this object
7 sub new {
8 my $this = {};
9
10 # imap defines
11 $this->{user} = undef;
12 $this->{pass} = undef;
13 bless $this;
14 return $this;
15 }
16
17 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
18 # initialise some parameters
19 sub init {
20 my $this = shift;
21 %special_cfg = @_;
22
23 # Set protocol tcp/udp
24 $this->{proto} = "tcp";
25
26 if ( $special_cfg{'p'} eq "" ) { $this->{port} = '143'; }
27 else { $this->{port} = $special_cfg{'p'}; }
28
29 if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) {
30 &usage();
31 exit(1);
32 }
33
34 $this->{user} = $special_cfg{'u'};
35 $this->{pass} = $special_cfg{'v'};
36
37 # how can bed check that the server is still alive
38 $this->{vrfy} = "A001 NOOP\r\n";
39 }
40
41 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
42 # how to quit ?
43 sub getQuit {
44 return ("A001 LOGOUT\r\n");
45 }
46
47 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
48 # what to test without doing a login before
49 # ..mainly the login stuff *g*
50 sub getLoginarray {
51 my $this = shift;
52 @Loginarray = (
53 "A001 AUTHENTICATE XAXAX\r\n",
54 "A001 LOGIN XAXAX\r\n",
55 "A001 LOGIN $this->{user} XAXAX\r\n"
56 );
57 return (@Loginarray);
58 }
59
60 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
61 # which commands does this protocol know ?
62 sub getCommandarray {
63 my $this = shift;
64
65 # the XAXAX will be replaced with the buffer overflow / format string
66 # place every command in this array you want to test
67 @cmdArray = (
68 "A001 CREATE myTest\r\n", # just for testing...
69 "FXXZ CHECK XAXAX\r\n",
70 "LIST XAXAX\r\n",
71 "A001 SELECT XAXAX\r\n",
72 "A001 EXAMINE XAXAX\r\n",
73 "A001 CREATE XAXAX\r\n",
74 "A001 DELETE XAXAX\r\n",
75 "A001 RENAME XAXAX\r\n",
76 "A001 CREATE test\r\nA001RENAME test XAXAX\r\n",
77 "A001 SUBSCRIBE XAXAX\r\n",
78 "A001 UNSUBSCRIBE XAXAX\r\n",
79 "A001 LIST XAXAX aa \r\n",
80 "A001 LIST aa XAXAX\r\n",
81 "A001 LIST * XAXAX\r\n",
82 "A001 LSUB aa XAXAX\r\n",
83 "A001 LSUB XAXAX aa \r\n", # aa should be ""
84 "A001 STATUS XAXAX\r\n",
85 "A001 STATUS inbox (XAXAX)\r\n",
86 "A001 APPEND XAXAX\r\n",
87 "A001 SELECT myTest\r\nA001 SEARCH XAXAX\r\n",
88 "A001 SELECT myTest\r\nA001 FETCH XAXAX\r\n",
89 "A001 SELECT myTest\r\nA001 FETCH 1:2 XAXAX\r\n",
90 "A001 SELECT myTest\r\nA001 STORE XAXAX\r\n",
91 "A001 SELECT myTest\r\nA001 STORE 1:2 XAXAX\r\n",
92 "A001 SELECT myTest\r\nA001 COPY XAXAX\r\n",
93 "A001 SELECT myTest\r\nA001 COPY 1:2 XAXAX\r\n",
94 "A001 SELECT myTest\r\nA001 UID XAXAX\r\n",
95 "A001 SELECT myTest\r\nA001 UID FETCH XAXAX\r\n",
96 "A001 UID XAXAX\r\n",
97 "A001 CAPABILITY XAXAX\r\n",
98 "A001 DELETEACL XAXAX\r\n",
99 "A001 GETACL XAXAX\r\n",
100 "A001 LISTRIGHTS XAXAX\r\n",
101 "A001 MYRIGHTS XAXAX\r\n",
102 "A001 XAXAX\r\n"
103 );
104 return (@cmdArray);
105 }
106
107 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
108 # what to send to login ?
109 sub getLogin { # login procedure
110 my $this = shift;
111 @login = ("A001 LOGIN $this->{user} $this->{pass}\r\n");
112 return (@login);
113 }
114
115 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
116 # here we can test everything besides buffer overflows and format strings
117 sub testMisc {
118 my $this = shift;
119 return ();
120 }
121
122 sub usage {
123 print qq~ Parameters for the imap plugin:
124
125 -u <username>
126 -v <password>
127
128 ~;
129 }
130
131 1;
+138
-0
bedmod/irc.pm less more
0 package bedmod::irc;
1 use Socket;
2
3 # This package is an extension to bed, to check
4 # for irc server vulnerabilities.
5
6 sub new {
7 my $this = {};
8 bless $this;
9 return $this;
10 }
11
12 sub init {
13 my $this = shift;
14 %special_cfg=@_;
15
16 $this->{proto}="tcp";
17
18 if ($special_cfg{'p'} eq "") { $this->{port}='6667'; }
19 else { $this->{port} = $special_cfg{'p'}; }
20 $this->{vrfy} = "uk\r\n"; # server should reply with unknown command
21 }
22
23 sub getQuit {
24 return("QUIT\r\n");
25 }
26
27 sub getLoginarray {
28 my $this = shift;
29 @Loginarray = (
30 "XAXAX\r\n",
31 "USER XAXAX 0 cc :dd\r\n",
32 "USER aa XAXAX cc :dd\r\n",
33 "USER aa 0 XAXAX :dd\r\n",
34 "USER aa 0 cc :XAXAX\r\n",
35 "USER aa 0 cc XAXAX\r\n",
36 "USER aa 0 cc :dd XAXAX\r\n", # realname may contain spaces
37 "USER aa 0 cc :dd\r\nNICK XAXAX\r\n",
38 "NICK XAXAX\r\n",
39 "PASS XAXAX\r\n",
40 "PASS aa\r\nPASS XAXAX\r\n",
41 "PASS XAXAX\r\nUSER aa 0 cc :dd\r\n",
42 "PASS XAXAX\r\nNICK XAXAX\r\nUSER XAXAX XAXAX XAXAX XAXAX\r\n",
43 "PASS XAXAX\r\nSERVER aa bb cc\r\n",
44 "SERVER XAXAX bb cc\r\n",
45 "SERVER aa XAXAX cc\r\n",
46 "SERVER aa bb XAXAX\r\n",
47 );
48 return (@Loginarray);
49 }
50
51 sub getCommandarray {
52 my $this = shift;
53
54 # the XAXAX will be replaced with the buffer overflow / format string
55 # just comment them out if you don't like them..
56 @cmdArray = (
57 "XAXAX\r\n",
58 "NICK XAXAX\r\n",
59 "JOIN XAXAX\r\n",
60 "PART XAXAX\r\n",
61 "SERVER XAXAX 1 :foobar\r\n",
62 "SERVER test XAXAX :foobar\r\n",
63 "SERVER test 1 :XAXAX\r\n",
64 "OPER XAXAX\r\n",
65 "OPER test XAXAX\r\n",
66 "JOIN #XAXAX\r\n",
67 "JOIN #test XAXAX\r\n",
68 "JOIN \&XAXAX\r\n",
69 "JOIN \&test XAXAX\r\n",
70 "PART #XAXAX\r\n",
71 "PART #foo XAXAX\r\n",
72 "JOIN #XAXAX\r\nPART#XAXAX\r\n",
73 "LIST XAXAX\r\n",
74 "INVITE XAXAX #test\r\n",
75 "INVITE foo #XAXAX\r\n",
76 "KICK #XAXAX bar\r\n",
77 "VERSION XAXAX\r\n",
78 "MOTD XAXAX\r\n",
79 "MODE XAXAX\r\n",
80 "MODE XAXAX foo\r\n",
81 "MODE foo XAXAX\r\n",
82 "NAMES XAXAX\r\n",
83 "STATS XAXAX\r\n",
84 "STATS c XAXAX\r\n",
85 "STATS h XAXAX\r\n",
86 "STATS i XAXAX\r\n",
87 "STATS k XAXAX\r\n",
88 "STATS l XAXAX\r\n",
89 "STATS m XAXAX\r\n",
90 "STATS o XAXAX\r\n",
91 "STATS y XAXAX\r\n",
92 "STATS u XAXAX\r\n",
93 "LINKS XAXAX\r\n",
94 "TIME XAXAX\r\n",
95 "CONNECT XAXAX\r\n",
96 "TRACE XAXAX\r\n",
97 "ADMIN XAXAX\r\n",
98 "INFO XAXAX\r\n",
99 "PRIVMSG foo XAXAX\r\n",
100 "PRIVMSG XAXAX bar\r\n",
101 "NOTICE foo XAXAX\r\n",
102 "NOTICE XAXAX bar\r\n",
103 "TOPIC XAXAX foo\r\n",
104 "WHO XAXAX\r\n",
105 "WHOIS XAXAX\r\n",
106 "WHOWAS XAXAX\r\n",
107 "WHOWAS foo 1 XAXAX\r\n",
108 "KILL foo XAXAX\r\n",
109 "KILL XAXAX bar\r\n",
110 "PING XAXAX\r\n",
111 "PONG XAXAX\r\n",
112 "ERROR XAXAX\r\n",
113 "AWAY XAXAX\r\n",
114 "SUMMON XAXAX\r\n",
115 "SUMMON foo XAXAX\r\n",
116 "USERS XAXAX\r\n",
117 "WALLOPS XAXAX\r\n",
118 "USERHOST XAXAX\r\n",
119 "ISON XAXAX\r\n"
120 );
121 return(@cmdArray);
122 }
123
124 sub getLogin {
125 my $this = shift;
126 @login = ("USER aaa bbb ccc :ddd\r\n", "NICK EEEEEE\r\n");
127 return(@login);
128 }
129
130 sub testMisc {
131 return();
132 }
133
134 sub usage {
135 }
136
137 1;
+97
-0
bedmod/lpd.pm less more
0 #
1 # Quickly hacked Module to test some LPD Stuff,
2 # not everything ... yeah I am lazy too :)
3 #
4 package bedmod::lpd;
5 use Socket;
6
7
8 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
9 # create a new instance of this object
10 sub new{
11 my $this = {};
12
13 # these ones must be defined
14 $this->{sport} = 721;
15 bless $this;
16 return $this;
17 }
18
19 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
20 # initialise some parameters
21 sub init{
22 my $this = shift;
23 %special_cfg=@_;
24
25 # Set protocol tcp/udp
26 $this->{proto} = "tcp";
27
28
29 if ($special_cfg{'p'} eq "") { $this->{port}='515'; }
30 else { $this->{port} = $special_cfg{'p'}; }
31
32 $this->{vrfy} = "";
33 }
34
35 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
36 # how to quit ?
37 sub getQuit{
38 return("\1\n");
39 }
40
41 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
42 # what to test without doing a login before
43 # ..mainly the login stuff *g*
44 sub getLoginarray {
45 my $this = shift;
46 @Loginarray = (
47 "XAXAX",
48 "\01XAXAX\n",
49 "\02XAXAX\n",
50 "\03XAXAX all\n",
51 "\03default XAXAX\n",
52 "\04XAXAX all\n",
53 "\04default XAXAX\n",
54 "\05XAXAX root all\n",
55 "\05default XAXAX all\n",
56 "\05default root XAXAX\n"
57 );
58 return (@Loginarray);
59 }
60
61
62 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
63 # which commands does this protocol know ?
64 sub getCommandarray {
65 my $this = shift;
66 # the XAXAX will be replaced with the buffer overflow / format string
67 # place every command in this array you want to test
68 @cmdArray = (
69 "\0294XAXAX001test\n",
70 "\0294cfA001XAXAX\n",
71 "\0394XAXAX001test\n",
72 "\0394cfA001XAXAX\n",
73 );
74 return(@cmdArray);
75 }
76
77
78 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
79 # what to send to login ?
80 sub getLogin{ # login procedure
81 my $this = shift;
82 @login = ("\02default\n");
83 return(@login);
84 }
85
86 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
87 # here we can test everything besides buffer overflows and format strings
88 sub testMisc{
89 my $this = shift;
90 return();
91 }
92
93 sub usage {
94 }
95
96 1;
+114
-0
bedmod/pjl.pm less more
0 package bedmod::pjl;
1 use Socket;
2
3 # Plugin to check PJL Printer
4 # written to test a Lexmark T522
5 #
6 # i didnt read the pjl rfc or whatever just included
7 # the stuff if found by a quick google search :)
8
9 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
10 # create a new instance of this object
11 sub new {
12 my $this = {};
13 bless $this;
14 return $this;
15 }
16
17 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
18 # initialise some parameters
19 sub init {
20 my $this = shift;
21 %special_cfg = @_;
22
23 # Set protocol tcp/udp
24 $this->{proto} = "tcp";
25
26 # check for missing args, set target and host
27 if ( $special_cfg{'p'} eq "" ) { $this->{port} = '9100'; }
28 else { $this->{port} = $special_cfg{'p'}; }
29
30 $this->{vrfy} = "";
31 }
32
33 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
34 # how to quit ?
35 sub getQuit {
36 return ("\33%-12345X\n");
37 }
38
39 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
40 # we got no login procedure...
41 sub getLoginarray {
42 my $this = shift;
43 @Loginarray = ("");
44 return (@Loginarray);
45 }
46
47 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
48 # which commands does this protocol know ?
49 sub getCommandarray {
50 my $this = shift;
51
52 # the XAXAX will be replaced with the buffer overflow / format string
53 # here we go with our commands
54 $PI = "\33%-12345X\@PJL"; # \n\@PJL
55 @cmdArray = (
56 $PI . " ENTER XAXAX\n",
57 $PI . " ENTER LANGUAGE = XAXAX\n",
58 $PI . " JOB XAXAX\n",
59 $PI . " JOB NAME = XAXAX\n",
60 $PI . " JOB NAME = \"foo\" START = XAXAX\n",
61 $PI . " JOB NAME = \"foo\" END = XAXAX\n",
62 $PI . " JOB NAME = \"foo\" PASSWORD = XAXAX\n",
63 $PI . " EOJ XAXAX\n",
64 $PI . " EOJ NAME = XAXAX\n",
65 $PI . " DEFAULT XAXAX\n",
66 $PI . " DEFAULT LPARM: XAXAX\n",
67 $PI . " DEFAULT IPARM: XAXAX\n",
68 $PI . " SET XAXAX\n",
69 $PI . " SET LPARM: XAXAX\n",
70 $PI . " SET IPARM: XAXAX\n",
71 $PI . " INQUIRE XAXAX\n",
72 $PI . " INQUIRE LPARM: XAXAX\n",
73 $PI . " INQUIRE IPARM: XAXAX\n",
74 $PI . " DINQUIRE XAXAX\n",
75 $PI . " DINQUIRE LPARM: XAXAX\n",
76 $PI . " DINQUIRE IPARM: XAXAX\n",
77 $PI . " INFO XAXAX\n",
78 $PI . " ECHO XAXAX\n",
79 $PI . " USTATUS XAXAX\n",
80 $PI . " USTATUS A = XAXAX\n",
81 $PI . " OPMSG DISPLAY = XAXAX\n",
82 $PI . " RDYMSG DISPLAY = XAXAX\n",
83 $PI . " STMSG DISPLAY = XAXAX\n",
84 $PI . " COMMENT XAXAX\n",
85 $PI . " SET PAGEPROTECT = XAXAX\n",
86 $PI . " SET LIMAGEENHANCE = XAXAX\n",
87 $PI . " LDPARM : PCL LCOLOREXTENSIONS = XAXAX\n",
88 $PI . " LJOBINFO XAXAX\n",
89 $PI . " LJOBINFO USERID = XAXAX\n",
90 $PI . " LJOBINFO HOSTID = XAXAX\n"
91 );
92 return (@cmdArray);
93 }
94
95 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
96 # what to send to login ?
97 sub getLogin { # login procedure
98 my $this = shift;
99 @login = ("");
100 return (@login);
101 }
102
103 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
104 # here we can test everything besides buffer overflows and format strings
105 sub testMisc {
106 my $this = shift;
107 return ();
108 }
109
110 sub usage {
111 }
112
113 1;
+105
-0
bedmod/pop.pm less more
0 package bedmod::pop;
1 use Socket;
2
3 # This package is an extension to bed, to check
4 # for pop server vulnerabilities.
5
6 sub new {
7 my $this = {};
8 $this->{username} = undef; # specific for just this
9 $this->{password} = undef; # module
10 bless $this;
11 return $this;
12 }
13
14 sub init {
15 my $this = shift;
16 %special_cfg = @_;
17
18 $this->{proto} = "tcp";
19
20 if ( $special_cfg{'p'} eq "" ) { $this->{port} = '110'; }
21 else { $this->{port} = $special_cfg{'p'}; }
22
23 if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) {
24 &usage();
25 exit(1);
26 }
27
28 $this->{username} = $special_cfg{'u'};
29 $this->{password} = $special_cfg{'v'};
30 $this->{vrfy} = "NOOP\r\n";
31 $iaddr = inet_aton( $this->{target} ) || die "Unknown host: $host\n";
32 $paddr = sockaddr_in( $this->{port}, $iaddr ) || die "getprotobyname: $!\n";
33 $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
34 socket( SOCKET, PF_INET, SOCK_STREAM, $proto ) || die "socket: $!\n";
35 connect( SOCKET, $paddr ) || die "connection attempt failed: $!\n";
36 send( SOCKET, "USER $this->{username}\r\n", 0 ) || die "USER failed: $!\n";
37 $recvbuf = <SOCKET>;
38 sleep(1);
39 send( SOCKET, "PASS $this->{password}\r\n", 0 ) || die "PASS failed: $!\n";
40
41 $recvbuf = <SOCKET>;
42 if ( $recvbuf =~ "-ERR" ) {
43 print("Username or Password incorrect, can't login\n");
44 exit(1);
45 }
46 send( SOCKET, "QUIT\r\n", 0 )
47
48 }
49
50 sub getQuit {
51 return ("QUIT\r\n");
52 }
53
54 sub getLoginarray {
55 my $this = shift;
56 @Loginarray = (
57 "USER XAXAX\r\n",
58 "USER $this->{username}\r\nPASS XAXAX\r\n",
59 "APOP XAXAX aaa\r\n",
60 "APOP $this->{username} XAXAX\r\n"
61 );
62 return (@Loginarray);
63 }
64
65 sub getCommandarray {
66 my $this = shift;
67
68 # the XAXAX will be replaced with the buffer overflow / format string
69 # just comment them out if you don't like them..
70 @cmdArray = (
71 "LIST XAXAX\r\n",
72 "STAT XAXAX\r\n",
73 "NOOP XAXAX\r\n",
74 "APOP XAXAX\r\n",
75 "RSET XAXAX\r\n",
76 "RETR XAXAX\r\n",
77 "DELE XAXAX\r\n",
78 "TOP XAXAX 1\r\n",
79 "TOP 1 XAXAX\r\n",
80 "UIDL XAXAX\r\n",
81 );
82 return (@cmdArray);
83 }
84
85 sub getLogin { # login procedure
86 my $this = shift;
87 @login = ( "USER $this->{username}\r\n", "PASS $this->{password}\r\n" );
88 return (@login);
89 }
90
91 sub testMisc {
92 return ();
93 }
94
95 sub usage {
96 print qq~ Parameters for the POP plugin:
97
98 -u <username>
99 -v <password>
100
101 ~;
102 }
103
104 1;
+124
-0
bedmod/proxy.pm less more
0 package bedmod::proxy;
1 use Socket;
2
3 # This package is an extension to bed, to check
4 # for http proxy server vulnerabilities.
5
6 sub new {
7 my $this = {};
8 bless $this;
9 return $this;
10 }
11
12 sub init {
13 my $this = shift;
14 %special_cfg=@_;
15
16 $this->{proto}="tcp";
17
18 if ($special_cfg{'p'} eq "") {
19 $this->{port}='8080';
20 } else {
21 $this->{port} = $special_cfg{'p'};
22 }
23
24 if ($special_cfg{'d'}) { return; }
25 $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n";
26 $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n";
27 $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
28 socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
29 connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
30 send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
31 }
32
33 sub getQuit {
34 return("\r\n\r\n");
35 }
36
37 sub getLoginarray {
38 my $this = shift;
39 @Loginarray = (
40 "XAXAX\r\n\r\n",
41 "XAXAX http://127.0.0.2/ HTTP/1.0\r\n\r\n",
42 "HEAD http://XAXAX/ HTTP/1.0\r\n\r\n",
43 "HEAD http://127.0.0.2:XAXAX/ HTTP/1.0\r\n\r\n",
44 "HEAD http://127.0.0.2/XAXAX HTTP/1.0\r\n\r\n",
45 "HEAD http://127.0.0.2/ XAXAX\r\n\r\n",
46 "GET http://XAXAX/ HTTP/1.0\r\n\r\n",
47 "GET http://127.0.0.2:XAXAX/ HTTP/1.0\r\n\r\n",
48 "GET http://127.0.0.2/XAXAX HTTP/1.0\r\n\r\n",
49 "GET http://127.0.0.2/ XAXAX\r\n\r\n",
50 "CONNECT XAXAX HTTP/1.0\r\n\r\n",
51 "CONNECT XAXAX:80 HTTP/1.0\r\n\r\n",
52 "CONNECT 127.0.0.2:XAXAX HTTP/1.0\r\n\r\n",
53 "CONNECT 127.0.0.2:80 XAXAX\r\n\r\n",
54 );
55 return (@Loginarray);
56 }
57
58 sub getCommandarray {
59 my $this = shift;
60
61 @cmdArray = (
62 "XAXAX: XAXAX\r\n\r\n",
63 "User-Agent: XAXAX\r\n\r\n",
64 "Host: XAXAX\r\n\r\n",
65 "Host: XAXAX:80\r\n\r\n",
66 "Host: somehost:XAXAX\r\n\r\n",
67 "Accept: XAXAX\r\n\r\n",
68 "Accept-Encoding: XAXAX\r\n\r\n",
69 "Accept-Language: XAXAX\r\n\r\n",
70 "Accept-Charset: XAXAX\r\n\r\n",
71 "Connection: XAXAX\r\n\r\n",
72 "Referer: XAXAX\r\n\r\n",
73 "Referer: XAXAX://somehost.com/\r\n\r\n",
74 "Referer: http://XAXAX/\r\n\r\n",
75 "Referer: http://somehost.com/XAXAX\r\n\r\n",
76 "Authorization: XAXAX\r\n\r\n",
77 "From: XAXAX\r\n\r\n",
78 "Charge-To: XAXAX\r\n\r\n",
79 "Authorization: XAXAX",
80 "Authorization: XAXAX : foo\r\n\r\n",
81 "Authorization: foo : XAXAX\r\n\r\n",
82 "If-Modified-Since: XAXAX\r\n\r\n",
83 "If-Match: XAXAX\r\n\r\n",
84 "If-None-Match: XAXAX\r\n\r\n",
85 "If-Range: XAXAX\r\n\r\n",
86 "If-Unmodified-Since: XAXAX\r\n\r\n",
87 "Max-Forwards: XAXAX\r\n\r\n",
88 "Proxy-Authorization: XAXAX\r\n\r\n",
89 "ChargeTo: XAXAX\r\n\r\n",
90 "Pragma: XAXAX\r\n\r\n",
91 "Expect: XAXAX\r\n\r\n",
92 "Range: XAXAX\r\n\r\n",
93 "Range: bytes=1-XAXAX\r\n\r\n",
94 "Range: bytes=0-1,XAXAX\r\n",
95 "Content-Length: XAXAX\r\n\r\n",
96 "Cookie: XAXAX\r\n\r\n",
97 "TE: XAXAX\r\n\r\n",
98 "Upgrade: XAXAX\r\nConnection: upgrade\r\n\r\n",
99 );
100 return(@cmdArray);
101 }
102
103 sub getLogin {
104 my $this = shift;
105 @login = (
106 "GET http://127.0.0.2/ HTTP/1.0\r\n",
107 "POST http://127.0.0.2/ HTTP/1.0\r\n",
108 );
109 return(@login);
110 }
111
112 sub testMisc { #Put your corner case tests here...
113 my $this = shift;
114 @cmdArray = (
115 "GET / HTTP/1.0\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n"
116 );
117 return(@cmdArray);
118 }
119
120 sub usage {
121 }
122
123 1;
+132
-0
bedmod/rtsp.pm less more
0 package bedmod::rtsp;
1 use Socket;
2
3 # This package is an extension to bed, to check
4 # for http server vulnerabilities.
5
6 sub new{
7 my $this = {};
8 bless $this;
9 return $this;
10 }
11
12 sub init{
13 my $this = shift;
14 %special_cfg=@_;
15
16 $this->{proto}="tcp";
17
18 if ($special_cfg{'p'} eq "") {
19 $this->{port}='80';
20 } else {
21 $this->{port} = $special_cfg{'p'};
22 }
23
24 $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n";
25 $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n";
26 $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
27 socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
28 connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
29 send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
30 }
31
32 sub getQuit{
33 return("\r\n\r\n");
34 }
35
36 sub getLoginarray {
37 my $this = shift;
38 @Loginarray = (
39 "XAXAX\r\n\r\n",
40 "XAXAX / RTSP/1.0\r\nCSeq: 1\r\n\r\n",
41 "XAXAX rtsp://localhost/file.mpg\r\nCSeq: 1\r\n\r\n",
42 "OPTIONS XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
43 "OPTIONS /XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
44 "OPTIONS * XAXAX\r\nCSeq: 1\r\n\r\n",
45 "OPTIONS * RTSP/1.0\r\nXAXAX: 1\r\n\r\n",
46 "OPTIONS * RTSP/1.0\r\nCSeq: XAXAX\r\n\r\n",
47 "DESCRIBE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
48 "DESCRIBE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
49 "DESCRIBE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
50 "DESCRIBE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
51 "SETUP XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
52 "SETUP XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
53 "SETUP rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
54 "SETUP rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
55 "PLAY XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
56 "PLAY XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
57 "PLAY rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
58 "PLAY rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
59 "PAUSE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
60 "PAUSE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
61 "PAUSE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
62 "PAUSE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
63 "RECORD XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
64 "RECORD XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
65 "RECORD rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
66 "RECORD rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
67 "ANNOUNCE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
68 "ANNOUNCE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
69 "ANNOUNCE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
70 "ANNOUNCE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
71 "TEARDOWN XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
72 "TEARDOWN XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
73 "TEARDOWN rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
74 "TEARDOWN rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
75 "GET_PARAMETER XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
76 "GET_PARAMETER XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
77 "GET_PARAMETER rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
78 "GET_PARAMETER rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
79 "SET_PARAMETER XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
80 "SET_PARAMETER XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
81 "SET_PARAMETER rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n",
82 "SET_PARAMETER rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n",
83 "SET_PARAMETER rtsp://localhost/ RTSP/1.0\r\nCSeq: 1\r\nContent-type: text/parameters\r\n\r\nXAXAX: XAXAX\r\n",
84 );
85 return (@Loginarray);
86 }
87
88 sub getCommandarray {
89 my $this = shift;
90
91 @cmdArray = (
92 "XAXAX: XAXAX\r\n\r\n",
93 "Accept: XAXAX\r\n\r\n",
94 "Accept-Encoding: XAXAX\r\n\r\n",
95 "Accept-Language: XAXAX\r\n\r\n",
96 "Accept-Charset: XAXAX\r\n\r\n",
97 "Authorization: XAXAX\r\n\r\n",
98 "Authorization: XAXAX",
99 "Authorization: XAXAX:foo\r\n\r\n",
100 "Authorization: foo:XAXAX\r\n\r\n",
101 "Content-length: XAXAX\r\n",
102 "Content-Type: text/parameters\r\n\r\nXAXAX: XAXAX\r\n\r\n",
103 "CSeq: XAXAX\r\n\r\n",
104 "From: XAXAX\r\n\r\n",
105 "If-Modified-Since: XAXAX\r\n\r\n",
106 "Proxy-Require: XAXAX\r\n",
107 "Range: XAXAX\r\n\r\n",
108 "Range: clock=XAXAX-XAXAX\r\n\r\n",
109 "Referer: XAXAX\r\n\r\n",
110 "Require: XAXAX\r\n\r\n",
111 "Transport: XAXAX\r\n\r\n",
112 "Session: XAXAX\r\n\r\n",
113 "User-Agent: XAXAX\r\n\r\n",
114 );
115 return(@cmdArray);
116 }
117
118 sub getLogin{
119 my $this = shift;
120 @login = ("DESCRIBE rtsp://localhost/media.mp4 RTSP/1.0\r\nCSeq: 1\r\n");
121 return(@login);
122 }
123
124 sub testMisc{
125 return();
126 }
127
128 sub usage {
129 }
130
131 1;
+102
-0
bedmod/smtp.pm less more
0 package bedmod::smtp;
1 use Socket;
2
3 # This package is an extension to bed, to check
4 # for smtp server vulnerabilities.
5
6 sub new {
7 my $this = {};
8 bless $this;
9 return $this;
10 }
11
12 sub init {
13 my $this = shift;
14 %special_cfg=@_;
15
16 $this->{proto}="tcp";
17
18 # check for missing args, set target and host
19 if ($special_cfg{'p'} eq "") { $this->{port}='25'; }
20 else { $this->{port} = $special_cfg{'p'}; }
21
22 if ( $special_cfg{'u'} eq "") {
23 &usage();
24 exit(1);
25 }
26
27 # get info nessecairy for FTP
28 $this->{mail} = $special_cfg{'u'};
29 $this->{vrfy} = "HELP\r\n";
30 }
31
32 sub getQuit{
33 return("QUIT\r\n");
34 }
35
36 sub getLoginarray {
37 return(
38 "XAXAX\r\n",
39 "HELO XAXAX\r\n",
40 "EHLO XAXAX\r\n",
41 "HELP XAXAX\r\n",
42 );
43 }
44
45 sub getCommandarray {
46 my $this = shift;
47
48 # the XAXAX will be replaced with the buffer overflow / format string
49 # just comment them out if you don't like them..
50 @cmdArray = (
51 "EXPN XAXAX\r\n",
52 "MAIL FROM: XAXAX\r\n",
53 "MAIL FROM: <XAXAX>\r\n",
54 "MAIL FROM: <$this->{mail}> XAXAX\r\n",
55 "MAIL FROM: <$this->{mail}> RET=XAXAX\r\n",
56 "MAIL FROM: <$this->{mail}> ENVID=XAXAX\r\n",
57 "ETRN XAXAX\r\n",
58 "ETRN \@XAXAX\r\n",
59 "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <XAXAX>\r\n",
60 "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$mailaccount> XAXAX\r\n",
61 "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$mailaccount> NOTIFY=XAXAX\r\n",
62 "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$mailaccount> ORCPT=XAXAX\r\n",
63 "HELP XAXAX\r\n",
64 "VRFY XAXAX\r\n",
65 "RCTP TO: XAXAX\r\n",
66 "RCTP TO: <XAXAX>\r\n",
67 "RCPT TO: <$mailaccount> XAXAX\r\n",
68 "RCPT TO: <$mailaccount> NOTIFY=XAXAX\r\n",
69 "RCPT TO: <$mailaccount> ORCPT=XAXAX\r\n",
70 "RSET XAXAX\r\n",
71 "AUTH mechanism XAXAX\r\n",
72 "DATA XAXAX\r\n",
73 "DATA\r\nXAXAX\r\n.",
74 "XAXAX\r\n"
75 );
76 return(@cmdArray);
77 }
78
79 sub getLogin {
80 my $this = shift;
81 @login = (
82 "HELO doona.pl\r\n",
83 "EHLO doona.pl\r\n",
84 );
85 return(@login);
86 }
87
88 sub testMisc {
89 my $this = shift;
90 return();
91 }
92
93 sub usage {
94 print qq~ Parameters for the SMTP plugin:
95
96 -u <valid mail address at target host>
97
98 ~;
99 }
100
101 1;
+103
-0
bedmod/socks4.pm less more
0 package bedmod::socks4;
1 use Socket;
2
3 # socks4 plugin (anyone still using this?)
4 # pretty few to test, i did not even find an rfc for this
5 # protocol *yuck*
6
7 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
8 # create a new instance of this object
9 sub new {
10 my $this = {};
11 $this->{username} = undef;
12 bless $this;
13 return $this;
14 }
15
16 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
17 # initialise some parameters
18 sub init {
19 my $this = shift;
20 %special_cfg = @_;
21
22 # Set protocol tcp/udp
23 $this->{proto} = "tcp";
24
25 # check for missing args, set target and host
26 # every module has to do this
27 if ( $special_cfg{'p'} eq "" ) {
28 $this->{port} = '1080';
29 }
30 else {
31 $this->{port} = $special_cfg{'p'};
32 }
33 $this->{sport} = 0;
34 $this->{vrfy} = "";
35
36 if ( $special_cfg{'u'} eq "" ) {
37 &usage();
38 exit(1);
39 }
40
41 $this->{username} = $special_cfg{'u'};
42
43 }
44
45 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
46 # how to quit ?
47 sub getQuit {
48 return ("");
49 }
50
51 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
52 # what to test without doing a login before
53 # ..mainly the login stuff *g*
54 sub getLoginarray {
55 my $this = shift;
56 @Loginarray = ("");
57 return (@Loginarray);
58 }
59
60 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
61 # which commands does this protocol know ?
62 sub getCommandarray {
63 my $this = shift;
64
65 # all there is to test is the username as far as it seems...
66 @cmdArray = (
67
68 "XAXAX\n",
69 # we use protocol version 04
70 # destination port is 6668
71 # destination ip is 192.168.0.1
72 "\x04\x01\x1a\x0c\xc0\xA8\x00\x01XAXAX\x00", # connect
73 "\x04\x02\x1a\x0c\xc0\xA8\x00\x01XAXAX\x00", # bind
74 "\x04\x01\x1a\x0c\x00\x00\x00\x01$this->{username}\x00XAXAX", # connect socks4a
75 "\x04\x02\x1a\x0c\x00\x00\x00\x01$this->{username}\x00XAXAX" # bind socks4a
76
77 );
78 return (@cmdArray);
79 }
80
81 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
82 # what to send to login ?
83 sub getLogin { # login procedure
84 my $this = shift;
85 @login = ("");
86 return (@login);
87 }
88
89 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
90 # here we can test everything besides buffer overflows and format strings
91 sub testMisc {
92 my $this = shift;
93 return ();
94 }
95
96 sub usage {
97 print qq~ Parameters for the Socks4 plugin:
98 -u <username>
99 ~;
100 }
101
102 1;
+109
-0
bedmod/socks5.pm less more
0 package bedmod::socks5;
1 use Socket;
2
3 # socks5 plugin
4 #
5 # not yet tested, got bored just by looking at the protocol
6
7 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
8 # create a new instance of this object
9 sub new {
10 my $this = {};
11 $this->{username} = undef;
12 $this->{password} = undef;
13 bless $this;
14 return $this;
15 }
16
17 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
18 # initialise some parameters
19 sub init {
20 my $this = shift;
21 %special_cfg = @_;
22
23 # Set protocol tcp/udp
24 $this->{proto} = "tcp";
25
26 # check for missing args, set target and host
27 # every module has to do this
28 if ( $special_cfg{'p'} eq "" ) { $this->{port} = '1080'; }
29 else { $this->{port} = $special_cfg{'p'}; }
30 $this->{sport} = 0;
31 $this->{vrfy} = "";
32
33 if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) {
34 &usage();
35 exit(1);
36 }
37
38 $this->{username} = $special_cfg{'u'};
39 $this->{password} = $special_cfg{'v'};
40 }
41
42 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
43 # how to quit ?
44 sub getQuit {
45 return ("");
46 }
47
48 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
49 # what to test without doing a login before
50 # ..mainly the login stuff *g*
51 sub getLoginarray {
52 my $this = shift;
53 @Loginarray = ("");
54 return (@Loginarray);
55 }
56
57 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
58 # which commands does this protocol know ?
59 sub getCommandarray {
60 my $this = shift;
61
62 # all there is to test is the username as far as it seems...
63 @cmdArray = (
64 "XAXAX\n",
65
66 # if the programmer is clever enough he always receives the packet
67 # in a buffer which is bigger than ~0x128 :)
68 "\x05\x01\x00\x04\xFF\x10"
69 , # check for buffer access which should give a gpf
70 "\x05\x01\x00\x04\x50\x10" # same here different value... lame :)
71
72 );
73 return (@cmdArray);
74 }
75
76 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
77 # what to send to login ?
78 sub getLogin { # login procedure
79 my $this = shift;
80 $count1 = length( $this->{username} );
81 $count2 = length( $this->{password} );
82
83 @login = (
84
85 #protocol version #nr. of authentication methods #username+password
86 "\x05\x01\x02",
87
88 #protocol #username len #username #pass len #password
89 "\x05$count1$this->{username}$count2$this->{password}",
90 );
91 return (@login);
92 }
93
94 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
95 # here we can test everything besides buffer overflows and format strings
96 sub testMisc {
97 my $this = shift;
98 return ();
99 }
100
101 sub usage {
102 print qq~ Parameters for the Socks5 plugin:
103 -u <username>
104 -v <password>
105 ~;
106 }
107
108 1;
+73
-0
bedmod/tftp.pm less more
0 package bedmod::tftp;
1 use Socket;
2
3 # lame tftp plugin :)
4
5 # create a new instance of this object
6 sub new {
7 my $this = {};
8 bless $this;
9 return $this;
10 }
11
12 # initialise some parameters
13 sub init{
14 my $this = shift;
15 %special_cfg=@_;
16
17 # Set protocol tcp/udp
18 $this->{proto} = "udp";
19
20 if ($special_cfg{'p'} eq "") { $this->{port}='69'; }
21 else { $this->{port} = $special_cfg{'p'}; }
22 $this->{sport} = 0;
23 $this->{vrfy} = "";
24 }
25
26 # how to quit ?
27 sub getQuit {
28 return("");
29 }
30
31 # what to test without doing a login before
32 sub getLoginarray {
33 my $this = shift;
34 @Loginarray = ("");
35 return (@Loginarray);
36 }
37
38 # which commands does this protocol know ?
39 sub getCommandarray {
40 my $this = shift;
41
42 # the XAXAX will be replaced with the buffer overflow / format string
43 # place every command in this array you want to test
44 @cmdArray = (
45 "XAXAX", # B0F
46 "\x00\x01XAXAX\x00netascii\x00", #RRQ
47 "\x00\x01XAXAX\x00octet\x000", #RRQ
48 "\x00\x01XAXAX\x00mail\x00", #RRQ
49 "\x00\x01fuzz\x00XAXAX\x00", #RRQ
50 "\x00\x02\x41\x00XAXAX\x00", #WRQ
51 "\x00\x03\x41\x00XAXAX\x00", #DATA?
52 );
53 return(@cmdArray);
54 }
55
56 # what to send to login ?
57 sub getLogin {
58 my $this = shift;
59 @login = ("");
60 return(@login);
61 }
62
63 # here we can test everything besides buffer overflows and format strings
64 sub testMisc {
65 my $this = shift;
66 return();
67 }
68
69 sub usage {
70 }
71
72 1;
+72
-0
bedmod/whois.pm less more
0 package bedmod::whois;
1 use Socket;
2
3 # lame whois plugin :)
4
5 # create a new instance of this object
6 sub new {
7 my $this = {};
8 bless $this;
9 return $this;
10 }
11
12 # initialise some parameters
13 sub init {
14 my $this = shift;
15 %special_cfg=@_;
16
17 # Set protocol tcp/udp
18 $this->{proto} = "tcp";
19
20 if ($special_cfg{'p'} eq "") { $this->{port}='43'; }
21 else { $this->{port} = $special_cfg{'p'}; }
22 $this->{sport} = 0;
23 $this->{vrfy} = "";
24 }
25
26 # how to quit ?
27 sub getQuit {
28 return("");
29 }
30
31 # what to test without doing a login before
32 sub getLoginarray {
33 my $this = shift;
34 @Loginarray = ("");
35 return (@Loginarray);
36 }
37
38 # which commands does this protocol know ?
39 sub getCommandarray {
40 my $this = shift;
41
42 # the XAXAX will be replaced with the buffer overflow / format string
43 # place every command in this array you want to test
44 @cmdArray = (
45 "XAXAX\r\n",
46 "?XAXAX\r\n",
47 "!XAXAX\r\n",
48 ".XAXAX\r\n",
49 "XAXAX...\r\n",
50 "*XAXAX\r\n",
51 "XAXAX.tld\r\n",
52 "domain.XAXAX\r\n"
53 );
54 return(@cmdArray);
55 }
56
57 # what to send to login ?
58 sub getLogin {
59 my $this = shift;
60 return("");
61 }
62
63 sub testMisc {
64 my $this = shift;
65 return();
66 }
67
68 sub usage {
69 }
70
71 1;
+246
-0
doona.pl less more
0 #!/usr/bin/perl
1 #
2 # This program comes with ABSOLUTELY NO WARRANTY.
3 # This is free software, and you are welcome to redistribute it
4 # under certain conditions. See docs/GPL.txt for details.
5 #
6 # Doona is a BED fork maintained by wireghoul ( www.justanotherhacker.com )
7 # BED was written by mjm ( www.codito.de ) and snakebyte ( www.snake-basket.de )
8 use Getopt::Std;
9 use Socket;
10 use Config;
11
12 #use strict;
13 #use warnings;
14 my $SOCKET;
15 my $VERSION = '0.7';
16
17 $SIG{'INT'} = \&sigHandler;
18 $SIG{'TERM'} = \&sigHandler;
19 $SIG{'PIPE'} = \&sigHandler;
20
21 my @modules = map { s!bedmod/(.*)\.pm!$1!; $_ } glob("bedmod/*.pm");
22
23 # the hope is to overwrite a return pointer on the stack,
24 # making the server execute invalid code and crash
25 my @overflowstrings = ("A" x 33, "A" x 254, "A" x 255, "A" x 1023, "A" x 1024, "A" x 2047, "A" x 2048, "A" x 5000, "A" x 10000, "\\" x 200, "/" x 200, " " x 9000, "AA " x 200);
26 my @formatstrings = ("%s" x 4, "%s%p%x%d", "%s" x 8, "%s" x 15, "%s" x 30, "%.1024d", "%.2048d", "%.4096d", '%@' x 53, "%.16i705u%2\$hn", "%#123456x");
27
28 # three ansi overflows, two ansi format strings, two OEM Format Strings
29 my @unicodestrings = ("\x99" x 4, "\x99" x 512, "\x99" x 1024, "\xCD" x 10, "\xCD" x 40, "\xCB" x 10, "\xCB"x40);
30 my @largenumbers = (
31 "255", "256", "257",
32 "65535", "65536", "65537",
33 "16777215", "16777216", "16777217",
34 "2147483647", "2147483648", "2147483649",
35 "0xfffffffe", "0xffffffff", "4294967295",
36 "9223372036854775807", "18446744073709551615",
37 "-1", "-268435455", "-20",
38 "2.2250738585072011e-308",
39 );
40 my @miscstrings = ("/", "\\", "%0xa", " ", "+", "<", ">", "<>", "%", "-", "+", "*", ".", ":", "&", "%u000", "\t", "\r", "\r\n", "\n");
41 my $idx = 0;
42 my $prevfuzz = '';
43 print "\n Doona $VERSION by Wireghoul (www.justanotherhacker.com) based on BED by mjm and snakebyte\n\n";
44
45 # get the parameters we need for every test
46 getopts('m:s:t:o:p:r:u:v:w:x:M:dh');
47 $opt_s = $opt_m if ($opt_m);
48 &usage unless($opt_s);
49 $opt_s = lc($opt_s); # convert it to lowercase
50
51 # load the specified module
52 my $module = undef;
53 if ( -f "bedmod/$opt_s.pm") {
54 eval("use bedmod::$opt_s;");
55 $a = "bedmod::$opt_s";
56 $module = new $a;
57 }
58
59 &usage unless(defined $module);
60 &usage if ($opt_h);
61
62 my %special_cfg=(
63 "t" => "$opt_t", # target
64 "o" => "$opt_o", # timeOut
65 "p" => "$opt_p", # port
66 "r" => "$opt_r", # resume test case number
67 'M' => "$opt_M", # Max requests to perform
68 'd' => "$opt_d", # Print fuzz case to screen and quit
69 "u" => "$opt_u", # special parameters for the module...
70 "v" => "$opt_v",
71 "w" => "$opt_w",
72 "x" => "$opt_x"
73 );
74
75 $module->{proto} = undef;
76 $module->{target} = undef;
77 $module->{port} = undef;
78 $module->{vrfy} = "";
79 $module->{timeout} = undef;
80 $module->{sport} = 0;
81
82 if ($special_cfg{'t'} eq "") { $module->{target}='127.0.0.1'; }
83 else { $module->{target} = $special_cfg{'t'}; }
84 if ($special_cfg{'o'} eq "") { $module->{timeout}='2'; }
85 else { $module->{timeout} = $special_cfg{'o'}; }
86
87 $module->init(%special_cfg);
88
89 # $num_threads = 4; # Wishlist: Run with 4 threads by defaults
90
91 # test stuff that might happen during login
92 my @cmdArray = $module->getLoginarray; # which login stuff do we test
93 my @login = ("");
94 if ( $cmdArray[0] ne "" ){
95 print " + Buffer overflow testing\n";
96 &testThis(@overflowstrings);
97 print " + Formatstring testing\n";
98 &testThis(@formatstrings);
99 }
100
101 # test the stuff that might happen during normal protocol events ( after login )
102 print "* Normal tests\n";
103 @cmdArray = $module->getCommandarray;
104 @login = $module->getLogin;
105 print " + Buffer overflow testing\n";
106 &testThis(@overflowstrings);
107 print " + Formatstring testing\n";
108 &testThis(@formatstrings);
109 print " + Unicode testing:\n";
110 &testThis(@unicodestrings);
111 print " + random number testing\n";
112 &testThis(@largenumbers);
113
114 # make the module test all other stuff
115 #print " + Other tests\n";
116 #$module->testMisc();
117
118 # test different sizes
119 for (my $i = 1; $i < 20; $i++ ) {
120 print " + testing misc strings $i\n";
121 &testThis(@miscstrings);
122 for (my $j = 0; $j < @miscstrings; $j++) {
123 $miscstrings[$j] = $miscstrings[$j].$miscstrings[$j];
124 }
125 }
126
127 print "* All tests done.\n";
128 exit(0);
129
130 # this function tests each of the two arrays ( buffer overflow and format string )
131 sub testThis() {
132 my $count = 0;
133 foreach my $log (@login) {
134 my @testArray = @_;
135 my $command;
136 my $socktype;
137 if ( $module->{proto} eq "udp" ) {i
138 $socktype = SOCK_DGRAM;
139 } else {
140 $socktype = SOCK_STREAM;
141 }
142 $|=1; #Auto flush output for more timely screen updates
143 # my $count = 0;
144 my $quit = $module->getQuit;
145 my $total = scalar(@cmdArray)*scalar(@login);
146 foreach my $cmd (@cmdArray) {
147 $count++;
148
149 my $cmd2 = $cmd;
150 $cmd2 =~ s/\n|\r|[\00-\33]//ig; # remove \r and \n for nice displaying
151 $cmd2 = substr($cmd2, 0, 30);
152
153 my $log2 = $log;
154 $log2 =~ s/\n|\r|[\00-\33]//ig;
155 $log2 = substr($log2, 0, 20);
156
157 printf "%5d/$total $log2 [$cmd2] ", $count;
158 foreach my $LS (@testArray){
159 print ".";
160 $idx++;
161 if ($special_cfg{'r'} > $idx) { next; }
162 if ($opt_M) { $special_cfg{'M'}--; }
163 if ($special_cfg{'M'} < 0) { print "\nMax requests ($opt_M) completed, index: ". ($idx - 1) ."\n"; exit }
164 $prevfuzz = $command;
165 $command = $cmd;
166 $command =~ s/XAXAX/$LS/ig; # prepare the string
167 if ($special_cfg{'d'}) {
168 print "\nFuzz case: --copy--\n";
169 } else {
170 my $iaddr = inet_aton($module->{target}) || die "Unknown host: $module->{target}\n";
171 my $paddr = sockaddr_in($module->{port}, $iaddr) || die "getprotobyname: $!\n";
172 my $proto = getprotobyname($module->{proto}) || die "getprotobyname: $!\n";
173 socket(SOCKET, PF_INET, $socktype, $proto) || die "socket: $!\n";
174 my $sockaddr = sockaddr_in($module->{sport}, INADDR_ANY);
175 while ( !bind(SOCKET, $sockaddr) ) {} # we need to bind for LPD for example
176 connect(SOCKET, $paddr) || die "connection attempt failed: $!, during $cmd2 ($idx)\n";
177 }
178
179 # login
180 if ( $log ne "" ) {
181 if ($special_cfg{'d'}) {
182 print "$log";
183 } else {
184 send(SOCKET, $log, 0);
185 sleep(1); # some daemons need some time to reply
186 }
187 }
188
189 #}
190 if ($special_cfg{'d'}) { print "$command\\r\\n\n--cut--\n"; exit; }
191 send(SOCKET, $command, 0); # send the attack and verify that the server is still alive
192 # Is there a possibility to check within connection?
193 if ($module->{vrfy} ne "") {
194 send(SOCKET, $module->{vrfy},0) || die "Problem (1) occured with $cmd2 ($idx)\n";
195 my $recvbuf = <SOCKET> || die "Problem (2) occured with $cmd2 ($idx)\n";
196 send(SOCKET, $quit, 0); # close the connection
197 close SOCKET;
198 } else {
199 close SOCKET;
200 my $iaddr = inet_aton($module->{target}) || die "Unknown host: $module->{target}\n";
201 my $paddr = sockaddr_in($module->{port}, $iaddr) || die "getprotobyname: $!\n";
202 my $proto = getprotobyname($module->{proto}) || die "getprotobyname: $!\n";
203 socket(SOCKET, PF_INET, $socktype, $proto) || die "socket: $!\n";
204 connect(SOCKET, $paddr) || die "Problem (3) occured with $cmd2 ($idx)\n";
205 close SOCKET;
206 }
207
208 sleep($module->{timeout}); # some servers would kick us for too fast rogins
209 }
210 print " ($idx)\n";
211 }
212 }
213 }
214
215 # how to use these scripts...
216 sub usage {
217 print qq~Usage:
218
219 $0 -m [module] <options>
220
221 -m <module> = ~ . join('/', map(uc, @modules)). qq~
222 -t <target> = Host to check (default: localhost)
223 -p <port> = Port to connect to (default: module specific standard port)
224 -o <timeout> = seconds to wait after each test (default: 2 seconds)
225 -r <index> = Resumes fuzzing at test case index
226 -d = Dump test case to stdout (use in combination with -r)
227 -M <num> = Exit after executing <num> number of fuzz cases
228 -h = Help (this text)
229 use "$0 -m [module] -h" for module specific option.
230
231 Only -m is a mandatory switch.
232
233 ~;
234 if ($opt_h) {
235 $module->usage() if $module;
236 }
237 exit(1);
238 }
239
240 sub sigHandler {
241 print "\n\nSignal INT/TERM/PIPE caught!";
242 print " - current test case index: ($idx)" if $idx;
243 print "\n";
244 exit;
245 }