Imported Upstream version 0.7+git20131211
Hugo Lefeuvre
7 years ago
0 | [ 0.7 ] | |
1 | - resolved the need for a hardcoded plugin list | |
2 | - added max requests option to allow parallel execution (easier than hacking in thread support) | |
3 | - added sigpipe handler to prevent silent exit if server unexpectedly closes the connection | |
4 | - added http proxy module | |
5 | - added more ftp test cases | |
6 | - added more rtsp test cases | |
7 | - added more http test cases | |
8 | - added more irc test cases | |
9 | - fixed a long standing BED bug where two test strings where accidentally concatenated | |
10 | - fixed a long standing BED bug where a hex representation of a 32bit integer was not max value as intended | |
11 | - aliased -m to -s (-s is getting deprecated/reassigned) | |
12 | - renamed plugins to modules (-m is for module) | |
13 | - removed directory traversal testing code from ftp module | |
14 | - rewrote/broke misc testing procedure to test specific edge cases, needs redesign | |
15 | - added support for multiple setup/prefix/verbs, ie: fuzzing Host headers with GET/POST/HEAD requests | |
16 | - fixed long standing BED bug in the smtp module where it wouldn't greet the mail server correctly with HELO | |
17 | - added more smtp test cases | |
18 | - fixed long standing BED bug in escaped Unicode strings | |
19 | - added more large integer and formatstring fuzz strings | |
20 | - fixed column alignment in the progress output | |
21 | ||
22 | ||
23 | [ 0.6 first doona release ] | |
24 | - added rtsp module | |
25 | - added tftp module | |
26 | - added whois module | |
27 | - added more irc test cases | |
28 | - added more finger test cases | |
29 | - added more http test cases | |
30 | - added more ftp test cases | |
31 | - added progress indicator count to fuzz cases | |
32 | - added resume feature (uses test case number) | |
33 | - added crash indicators for test case number | |
34 | - added signal handlers (displays testcase number on crtl^c or kill) | |
35 | - added feature to dump what a test case number would send | |
36 | - ftp module now uses anonymous login if username password not provided | |
37 | - changed the order test cases are executed to allow corner cases to be tested earlier | |
38 | - changed diagnostic output | |
39 | - new and improved help text | |
40 | - some code cleanup | |
41 | ||
42 | [ 0.5 ] | |
43 | - fixed port for smtp module | |
44 | - added a check for some "random" numbers | |
45 | - added some more misc strings | |
46 | - added some commands to ftp, pop and imap | |
47 | ||
48 | [ 0.42 ] | |
49 | - added unicode testing ( untested! ) | |
50 | - added some stuff to the ftp directory traversal, inspired by Dennis Rand Platinum FTP Advisory | |
51 | - started to write a socks5 plugin but then realized this is pretty boring, because | |
52 | you have to provide the nessecairy lengths on your own... | |
53 | so only buffer underuns are checked here... | |
54 | - added a new option -o to specify the timeOut... this is useful if a server bans | |
55 | for too fast connection retries, or when simply sending the latest two testcases | |
56 | after crashing dont reproduce the crash | |
57 | - new module, socks4... yeah I _am_ bored :) | |
58 | - new module: lpd ( unfinished... ) | |
59 | - new, lame module: finger :) | |
60 | - beautified the code | |
61 | - new module: PJL | |
62 | - added a status bar ( pls, dont look how i did it... ) | |
63 | - fixed some errors with udp | |
64 | - reniced some output... :) | |
65 | - local tcp/udp port can now be specified too | |
66 | ||
67 | ||
68 | [ 0.3 ] | |
69 | - new modules: HTTP, IRC | |
70 | - a new method to check whether server is still alive | |
71 | - possibility to use udp and tcp | |
72 | ||
73 | ||
74 | [ 0.2 ] | |
75 | - new structure of bed, simple modules for each service | |
76 | - new services support: SMTP, POP | |
77 |
0 | ||
1 | [ Frequently Asked Questions ] | |
2 | ||
3 | Bruteforce Exploit Detector | |
4 | written by mjm ( www.codito.de ) and snakebyte ( www.kryptocrew.de/snakebyte/ ) | |
5 | ||
6 | ||
7 | 1.) Why test at all? | |
8 | ||
9 | Security is necessary, I think we agree on that. | |
10 | Due to the fact that there are other programs, | |
11 | and ways to test software ( see question 2 ), | |
12 | I think this one is the easiest. Simply sending | |
13 | the stuff to a server, which is known to | |
14 | cause problems. Verification of wheter a test failed | |
15 | or not is also pretty simple. | |
16 | So this collection of scripts does not verify that your | |
17 | code has no problems at all, but it can make sure, that | |
18 | you made your way around the most common ones. | |
19 | ||
20 | ||
21 | 2.) Which other tools exists for security testing? | |
22 | ||
23 | Splint ( www.splint.org ) | |
24 | checks the source code of a program for problems | |
25 | ||
26 | BFBTester ( bfbtester.sourceforge.net ) | |
27 | checks command line and environment problems of binaries | |
28 | ||
29 | l0phtwatch ( www.l0pht.com ) | |
30 | detects temp file problems | |
31 | ||
32 | screamingcobra ( www.dachb0den.com ) | |
33 | checks php and perl scripts for problems, wich can lead to acces files on the server | |
34 | ||
35 | wpoison ( wpoison.sourceforge.net ) | |
36 | checks websites for SQL injection problems | |
37 | ||
38 | webtest ( martynov.org/webtest/ ) | |
39 | tests scripts on your website | |
40 | ||
41 | ...or you could hire a bunch of programmers, which check the code | |
42 | manually :) | |
43 | ||
44 | ||
45 | 3.) What is ''XAXAX''? | |
46 | ||
47 | XAXAX is the result of Snakebyte drinking beer and thinking about | |
48 | a good place-holder. XAXAX is replaced by the exploit string while | |
49 | testing. | |
50 | ||
51 | ||
52 | 4.) How can i write a plugin ? | |
53 | ||
54 | Check 'dummy.pm' for details.. |
0 | ||
1 | Howto use BED? | |
2 | ||
3 | ||
4 | Using BED is quit simple :) Decide which protocol you want to stress test | |
5 | and start bed using the commandline | |
6 | ||
7 | perl bed.pl -m module -t 192.168.0.1 | |
8 | ||
9 | BED will then run for a while, any maybe report to you that a connection attempt | |
10 | to the service failed. If this is the case you might have detected a bug. Next step | |
11 | is to run BED again with a higher timeout between the testcases, depending on the | |
12 | duration of your coffee break, values of 5 to 30 seconds are fine. So restart the | |
13 | daemon or box and run BED again, using the -o switch. If BED reports a crash at the | |
14 | same place again, take a look at the module you where using ( in bedmod/xxxx.pm ) and | |
15 | search for the testcase, then run it by hand ( either using netcat and perl or write | |
16 | your own script ) agains the daemon, if you can reproduce the problem, its time to look | |
17 | at the sources, coredump or using a disassembler and debugger to find out whats really | |
18 | happening in there. If BED reports the crash at another test, just increase the timeout | |
19 | a bit more until you found the testcase which produces the crash, just do some trial and | |
20 | error stuff, because sometimes the crash happens much later than you sending the data. | |
21 | I had wait times up to 2 Minutes with a Lexmark T522 printer, until the box finally | |
22 | crashed and called for service :) | |
23 | ||
24 | Thats about it... enjoy |
0 | alot of plugins, feel free to write some :) | |
1 | Fix FTP module to still fuzz public commands if login fails | |
2 | Add support for ping feature to see is service is still alive (better crash detection) | |
3 | Fix modules that insists on connecting when not necessary |
0 | package bedmod::dummy; | |
1 | use Socket; | |
2 | ||
3 | # Example plugin for bed2 | |
4 | # | |
5 | # Feel free to fill in the gaps ... :) | |
6 | # | |
7 | # search bed.pl for "dummy" to see what you need to | |
8 | # change to include your module | |
9 | # (just one entry ... no need to be scared *g* ) | |
10 | # | |
11 | ||
12 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
13 | # create a new instance of this object | |
14 | sub new{ | |
15 | my $this = {}; | |
16 | ||
17 | # define everything you might need | |
18 | $this->{dummy} = undef; | |
19 | bless $this; | |
20 | return $this; | |
21 | } | |
22 | ||
23 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
24 | # initialise some parameters | |
25 | sub init{ | |
26 | my $this = shift; | |
27 | %special_cfg=@_; | |
28 | ||
29 | # Set protocol tcp/udp | |
30 | $this->{proto} = "tcp"; | |
31 | ||
32 | # insert your default port here... | |
33 | if ($special_cfg{'p'} eq "") { $this->{port}='110'; } | |
34 | else { $this->{port} = $special_cfg{'p'}; } | |
35 | ||
36 | # verify you got everything you need, | |
37 | # $special_cfg will provide you the commandline | |
38 | # switches from u, v, w and x | |
39 | if ( $special_cfg{'u'} eq "") { | |
40 | print qq~ | |
41 | Parameters for the dummy plugin: | |
42 | ||
43 | -u <description what the user should provide> | |
44 | ||
45 | ~; | |
46 | exit(1); | |
47 | } | |
48 | ||
49 | # set info nessecairy for for your module.. | |
50 | $this->{dummy} = $special_cfg{'u'}; | |
51 | ||
52 | # how can bed check that the server is still alive | |
53 | # This string will simply be send to the server | |
54 | # ( server should reply something to this ) | |
55 | $this->{vrfy} = "HELP\r\n"; | |
56 | } | |
57 | ||
58 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
59 | # how to quit ? | |
60 | sub getQuit{ | |
61 | # what to send to close the connection the right way | |
62 | return("QUIT\r\n"); | |
63 | } | |
64 | ||
65 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
66 | # what to test without doing a login before | |
67 | # ..mainly the login stuff *g* | |
68 | sub getLoginarray { | |
69 | my $this = shift; | |
70 | @Loginarray = ( | |
71 | "USER XAXAX\r\n", | |
72 | "USER $this->{username}\r\nPASS XAXAX\r\n" | |
73 | ) | |
74 | return (@Loginarray); | |
75 | } | |
76 | ||
77 | ||
78 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
79 | # which commands does this protocol know ? | |
80 | sub getCommandarray { | |
81 | my $this = shift; | |
82 | # the XAXAX will be replaced with the buffer overflow / format string data | |
83 | # place every command in this array you want to test | |
84 | @cmdArray = ( | |
85 | "foo XAXAX\r\n", | |
86 | "bar XAXAX\r\n", | |
87 | "XAXAX\r\n" | |
88 | ); | |
89 | return(@cmdArray); | |
90 | } | |
91 | ||
92 | ||
93 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
94 | # what to send to login ? | |
95 | sub getLogin{ # login procedure | |
96 | my $this = shift; | |
97 | @login = ( | |
98 | "Hi, I am a dummy\r\n", | |
99 | "This is my pass: foobar\r\n" | |
100 | ); | |
101 | return(@login); | |
102 | } | |
103 | ||
104 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
105 | # here we can test everything besides buffer overflows and format strings | |
106 | sub testMisc{ | |
107 | # Insert your favourite directory traversal bug here :) | |
108 | my $this = shift; | |
109 | return(); | |
110 | } | |
111 | ||
112 | # Module specific help goes here | |
113 | # Leave an empty sub if there is no module specific help | |
114 | sub usage { | |
115 | print qq~ Module spacific help: | |
116 | ~; | |
117 | } | |
118 | ||
119 | 1; |
0 | GNU GENERAL PUBLIC LICENSE | |
1 | Version 2, June 1991 | |
2 | ||
3 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. | |
4 | 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
5 | Everyone is permitted to copy and distribute verbatim copies | |
6 | of this license document, but changing it is not allowed. | |
7 | ||
8 | Preamble | |
9 | ||
10 | The licenses for most software are designed to take away your | |
11 | freedom to share and change it. By contrast, the GNU General Public | |
12 | License is intended to guarantee your freedom to share and change free | |
13 | software--to make sure the software is free for all its users. This | |
14 | General Public License applies to most of the Free Software | |
15 | Foundation's software and to any other program whose authors commit to | |
16 | using it. (Some other Free Software Foundation software is covered by | |
17 | the GNU Library General Public License instead.) You can apply it to | |
18 | your programs, too. | |
19 | ||
20 | When we speak of free software, we are referring to freedom, not | |
21 | price. Our General Public Licenses are designed to make sure that you | |
22 | have the freedom to distribute copies of free software (and charge for | |
23 | this service if you wish), that you receive source code or can get it | |
24 | if you want it, that you can change the software or use pieces of it | |
25 | in new free programs; and that you know you can do these things. | |
26 | ||
27 | To protect your rights, we need to make restrictions that forbid | |
28 | anyone to deny you these rights or to ask you to surrender the rights. | |
29 | These restrictions translate to certain responsibilities for you if you | |
30 | distribute copies of the software, or if you modify it. | |
31 | ||
32 | For example, if you distribute copies of such a program, whether | |
33 | gratis or for a fee, you must give the recipients all the rights that | |
34 | you have. You must make sure that they, too, receive or can get the | |
35 | source code. And you must show them these terms so they know their | |
36 | rights. | |
37 | ||
38 | We protect your rights with two steps: (1) copyright the software, and | |
39 | (2) offer you this license which gives you legal permission to copy, | |
40 | distribute and/or modify the software. | |
41 | ||
42 | Also, for each author's protection and ours, we want to make certain | |
43 | that everyone understands that there is no warranty for this free | |
44 | software. If the software is modified by someone else and passed on, we | |
45 | want its recipients to know that what they have is not the original, so | |
46 | that any problems introduced by others will not reflect on the original | |
47 | authors' reputations. | |
48 | ||
49 | Finally, any free program is threatened constantly by software | |
50 | patents. We wish to avoid the danger that redistributors of a free | |
51 | program will individually obtain patent licenses, in effect making the | |
52 | program proprietary. To prevent this, we have made it clear that any | |
53 | patent must be licensed for everyone's free use or not licensed at all. | |
54 | ||
55 | The precise terms and conditions for copying, distribution and | |
56 | modification follow. | |
57 | ||
58 | GNU GENERAL PUBLIC LICENSE | |
59 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION | |
60 | ||
61 | 0. This License applies to any program or other work which contains | |
62 | a notice placed by the copyright holder saying it may be distributed | |
63 | under the terms of this General Public License. The "Program", below, | |
64 | refers to any such program or work, and a "work based on the Program" | |
65 | means either the Program or any derivative work under copyright law: | |
66 | that is to say, a work containing the Program or a portion of it, | |
67 | either verbatim or with modifications and/or translated into another | |
68 | language. (Hereinafter, translation is included without limitation in | |
69 | the term "modification".) Each licensee is addressed as "you". | |
70 | ||
71 | Activities other than copying, distribution and modification are not | |
72 | covered by this License; they are outside its scope. The act of | |
73 | running the Program is not restricted, and the output from the Program | |
74 | is covered only if its contents constitute a work based on the | |
75 | Program (independent of having been made by running the Program). | |
76 | Whether that is true depends on what the Program does. | |
77 | ||
78 | 1. You may copy and distribute verbatim copies of the Program's | |
79 | source code as you receive it, in any medium, provided that you | |
80 | conspicuously and appropriately publish on each copy an appropriate | |
81 | copyright notice and disclaimer of warranty; keep intact all the | |
82 | notices that refer to this License and to the absence of any warranty; | |
83 | and give any other recipients of the Program a copy of this License | |
84 | along with the Program. | |
85 | ||
86 | You may charge a fee for the physical act of transferring a copy, and | |
87 | you may at your option offer warranty protection in exchange for a fee. | |
88 | ||
89 | 2. You may modify your copy or copies of the Program or any portion | |
90 | of it, thus forming a work based on the Program, and copy and | |
91 | distribute such modifications or work under the terms of Section 1 | |
92 | above, provided that you also meet all of these conditions: | |
93 | ||
94 | a) You must cause the modified files to carry prominent notices | |
95 | stating that you changed the files and the date of any change. | |
96 | ||
97 | b) You must cause any work that you distribute or publish, that in | |
98 | whole or in part contains or is derived from the Program or any | |
99 | part thereof, to be licensed as a whole at no charge to all third | |
100 | parties under the terms of this License. | |
101 | ||
102 | c) If the modified program normally reads commands interactively | |
103 | when run, you must cause it, when started running for such | |
104 | interactive use in the most ordinary way, to print or display an | |
105 | announcement including an appropriate copyright notice and a | |
106 | notice that there is no warranty (or else, saying that you provide | |
107 | a warranty) and that users may redistribute the program under | |
108 | these conditions, and telling the user how to view a copy of this | |
109 | License. (Exception: if the Program itself is interactive but | |
110 | does not normally print such an announcement, your work based on | |
111 | the Program is not required to print an announcement.) | |
112 | ||
113 | These requirements apply to the modified work as a whole. If | |
114 | identifiable sections of that work are not derived from the Program, | |
115 | and can be reasonably considered independent and separate works in | |
116 | themselves, then this License, and its terms, do not apply to those | |
117 | sections when you distribute them as separate works. But when you | |
118 | distribute the same sections as part of a whole which is a work based | |
119 | on the Program, the distribution of the whole must be on the terms of | |
120 | this License, whose permissions for other licensees extend to the | |
121 | entire whole, and thus to each and every part regardless of who wrote it. | |
122 | ||
123 | Thus, it is not the intent of this section to claim rights or contest | |
124 | your rights to work written entirely by you; rather, the intent is to | |
125 | exercise the right to control the distribution of derivative or | |
126 | collective works based on the Program. | |
127 | ||
128 | In addition, mere aggregation of another work not based on the Program | |
129 | with the Program (or with a work based on the Program) on a volume of | |
130 | a storage or distribution medium does not bring the other work under | |
131 | the scope of this License. | |
132 | ||
133 | 3. You may copy and distribute the Program (or a work based on it, | |
134 | under Section 2) in object code or executable form under the terms of | |
135 | Sections 1 and 2 above provided that you also do one of the following: | |
136 | ||
137 | a) Accompany it with the complete corresponding machine-readable | |
138 | source code, which must be distributed under the terms of Sections | |
139 | 1 and 2 above on a medium customarily used for software interchange; or, | |
140 | ||
141 | b) Accompany it with a written offer, valid for at least three | |
142 | years, to give any third party, for a charge no more than your | |
143 | cost of physically performing source distribution, a complete | |
144 | machine-readable copy of the corresponding source code, to be | |
145 | distributed under the terms of Sections 1 and 2 above on a medium | |
146 | customarily used for software interchange; or, | |
147 | ||
148 | c) Accompany it with the information you received as to the offer | |
149 | to distribute corresponding source code. (This alternative is | |
150 | allowed only for noncommercial distribution and only if you | |
151 | received the program in object code or executable form with such | |
152 | an offer, in accord with Subsection b above.) | |
153 | ||
154 | The source code for a work means the preferred form of the work for | |
155 | making modifications to it. For an executable work, complete source | |
156 | code means all the source code for all modules it contains, plus any | |
157 | associated interface definition files, plus the scripts used to | |
158 | control compilation and installation of the executable. However, as a | |
159 | special exception, the source code distributed need not include | |
160 | anything that is normally distributed (in either source or binary | |
161 | form) with the major components (compiler, kernel, and so on) of the | |
162 | operating system on which the executable runs, unless that component | |
163 | itself accompanies the executable. | |
164 | ||
165 | If distribution of executable or object code is made by offering | |
166 | access to copy from a designated place, then offering equivalent | |
167 | access to copy the source code from the same place counts as | |
168 | distribution of the source code, even though third parties are not | |
169 | compelled to copy the source along with the object code. | |
170 | ||
171 | 4. You may not copy, modify, sublicense, or distribute the Program | |
172 | except as expressly provided under this License. Any attempt | |
173 | otherwise to copy, modify, sublicense or distribute the Program is | |
174 | void, and will automatically terminate your rights under this License. | |
175 | However, parties who have received copies, or rights, from you under | |
176 | this License will not have their licenses terminated so long as such | |
177 | parties remain in full compliance. | |
178 | ||
179 | 5. You are not required to accept this License, since you have not | |
180 | signed it. However, nothing else grants you permission to modify or | |
181 | distribute the Program or its derivative works. These actions are | |
182 | prohibited by law if you do not accept this License. Therefore, by | |
183 | modifying or distributing the Program (or any work based on the | |
184 | Program), you indicate your acceptance of this License to do so, and | |
185 | all its terms and conditions for copying, distributing or modifying | |
186 | the Program or works based on it. | |
187 | ||
188 | 6. Each time you redistribute the Program (or any work based on the | |
189 | Program), the recipient automatically receives a license from the | |
190 | original licensor to copy, distribute or modify the Program subject to | |
191 | these terms and conditions. You may not impose any further | |
192 | restrictions on the recipients' exercise of the rights granted herein. | |
193 | You are not responsible for enforcing compliance by third parties to | |
194 | this License. | |
195 | ||
196 | 7. If, as a consequence of a court judgment or allegation of patent | |
197 | infringement or for any other reason (not limited to patent issues), | |
198 | conditions are imposed on you (whether by court order, agreement or | |
199 | otherwise) that contradict the conditions of this License, they do not | |
200 | excuse you from the conditions of this License. If you cannot | |
201 | distribute so as to satisfy simultaneously your obligations under this | |
202 | License and any other pertinent obligations, then as a consequence you | |
203 | may not distribute the Program at all. For example, if a patent | |
204 | license would not permit royalty-free redistribution of the Program by | |
205 | all those who receive copies directly or indirectly through you, then | |
206 | the only way you could satisfy both it and this License would be to | |
207 | refrain entirely from distribution of the Program. | |
208 | ||
209 | If any portion of this section is held invalid or unenforceable under | |
210 | any particular circumstance, the balance of the section is intended to | |
211 | apply and the section as a whole is intended to apply in other | |
212 | circumstances. | |
213 | ||
214 | It is not the purpose of this section to induce you to infringe any | |
215 | patents or other property right claims or to contest validity of any | |
216 | such claims; this section has the sole purpose of protecting the | |
217 | integrity of the free software distribution system, which is | |
218 | implemented by public license practices. Many people have made | |
219 | generous contributions to the wide range of software distributed | |
220 | through that system in reliance on consistent application of that | |
221 | system; it is up to the author/donor to decide if he or she is willing | |
222 | to distribute software through any other system and a licensee cannot | |
223 | impose that choice. | |
224 | ||
225 | This section is intended to make thoroughly clear what is believed to | |
226 | be a consequence of the rest of this License. | |
227 | ||
228 | 8. If the distribution and/or use of the Program is restricted in | |
229 | certain countries either by patents or by copyrighted interfaces, the | |
230 | original copyright holder who places the Program under this License | |
231 | may add an explicit geographical distribution limitation excluding | |
232 | those countries, so that distribution is permitted only in or among | |
233 | countries not thus excluded. In such case, this License incorporates | |
234 | the limitation as if written in the body of this License. | |
235 | ||
236 | 9. The Free Software Foundation may publish revised and/or new versions | |
237 | of the General Public License from time to time. Such new versions will | |
238 | be similar in spirit to the present version, but may differ in detail to | |
239 | address new problems or concerns. | |
240 | ||
241 | Each version is given a distinguishing version number. If the Program | |
242 | specifies a version number of this License which applies to it and "any | |
243 | later version", you have the option of following the terms and conditions | |
244 | either of that version or of any later version published by the Free | |
245 | Software Foundation. If the Program does not specify a version number of | |
246 | this License, you may choose any version ever published by the Free Software | |
247 | Foundation. | |
248 | ||
249 | 10. If you wish to incorporate parts of the Program into other free | |
250 | programs whose distribution conditions are different, write to the author | |
251 | to ask for permission. For software which is copyrighted by the Free | |
252 | Software Foundation, write to the Free Software Foundation; we sometimes | |
253 | make exceptions for this. Our decision will be guided by the two goals | |
254 | of preserving the free status of all derivatives of our free software and | |
255 | of promoting the sharing and reuse of software generally. | |
256 | ||
257 | NO WARRANTY | |
258 | ||
259 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY | |
260 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN | |
261 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES | |
262 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED | |
263 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF | |
264 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS | |
265 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE | |
266 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, | |
267 | REPAIR OR CORRECTION. | |
268 | ||
269 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING | |
270 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR | |
271 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, | |
272 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING | |
273 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED | |
274 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY | |
275 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER | |
276 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE | |
277 | POSSIBILITY OF SUCH DAMAGES. | |
278 | ||
279 | END OF TERMS AND CONDITIONS | |
280 | ||
281 | How to Apply These Terms to Your New Programs | |
282 | ||
283 | If you develop a new program, and you want it to be of the greatest | |
284 | possible use to the public, the best way to achieve this is to make it | |
285 | free software which everyone can redistribute and change under these terms. | |
286 | ||
287 | To do so, attach the following notices to the program. It is safest | |
288 | to attach them to the start of each source file to most effectively | |
289 | convey the exclusion of warranty; and each file should have at least | |
290 | the "copyright" line and a pointer to where the full notice is found. | |
291 | ||
292 | <one line to give the program's name and a brief idea of what it does.> | |
293 | Copyright (C) <year> <name of author> | |
294 | ||
295 | This program is free software; you can redistribute it and/or modify | |
296 | it under the terms of the GNU General Public License as published by | |
297 | the Free Software Foundation; either version 2 of the License, or | |
298 | (at your option) any later version. | |
299 | ||
300 | This program is distributed in the hope that it will be useful, | |
301 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
302 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
303 | GNU General Public License for more details. | |
304 | ||
305 | You should have received a copy of the GNU General Public License | |
306 | along with this program; if not, write to the Free Software | |
307 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
308 | ||
309 | ||
310 | Also add information on how to contact you by electronic and paper mail. | |
311 | ||
312 | If the program is interactive, make it output a short notice like this | |
313 | when it starts in an interactive mode: | |
314 | ||
315 | Gnomovision version 69, Copyright (C) year name of author | |
316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. | |
317 | This is free software, and you are welcome to redistribute it | |
318 | under certain conditions; type `show c' for details. | |
319 | ||
320 | The hypothetical commands `show w' and `show c' should show the appropriate | |
321 | parts of the General Public License. Of course, the commands you use may | |
322 | be called something other than `show w' and `show c'; they could even be | |
323 | mouse-clicks or menu items--whatever suits your program. | |
324 | ||
325 | You should also get your employer (if you work as a programmer) or your | |
326 | school, if any, to sign a "copyright disclaimer" for the program, if | |
327 | necessary. Here is a sample; alter the names: | |
328 | ||
329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program | |
330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. | |
331 | ||
332 | <signature of Ty Coon>, 1 April 1989 | |
333 | Ty Coon, President of Vice | |
334 | ||
335 | This General Public License does not permit incorporating your program into | |
336 | proprietary programs. If your program is a subroutine library, you may | |
337 | consider it more useful to permit linking proprietary applications with the | |
338 | library. If this is what you want to do, use the GNU Library General | |
339 | Public License instead of this License. |
0 | ||
1 | [ Doona - Network fuzzing tool ] | |
2 | ||
3 | .:: About ::. | |
4 | ||
5 | Doona is a fork of the Bruteforce Exploit Detector Tool (BED). | |
6 | BED is a program which is designed to check daemons for | |
7 | potential buffer overflows, format string bugs etc. | |
8 | ||
9 | Doona is Australian for duvet. It adds a significant enough number | |
10 | of features/changes to BED that I renamed it to avoid confusion. | |
11 | ||
12 | I hope you'll find it useful. | |
13 | ||
14 | @Wireghoul | |
15 | ||
16 | .:: Version ::. | |
17 | ||
18 | 0.7 - Multi verb support, more fuzz cases and bug fixes | |
19 | 0.6 - First official doona release | |
20 | 0.5 - Fork from BED | |
21 | ||
22 | See 'Docs/CHANGES' for the full changelog. | |
23 | ||
24 | .:: License ::. | |
25 | ||
26 | This program is free software; you can redistribute it and/or modify | |
27 | it under the terms of the GNU General Public License as published by | |
28 | the Free Software Foundation; either version 2 of the License, or | |
29 | any later version. | |
30 | ||
31 | ||
32 | See 'Docs/gpl.txt' for more information. | |
33 | ||
34 | .:: Authors ::. | |
35 | ||
36 | Doona: | |
37 | Eldar Marcussen aka, 'Wireghoul' | |
38 | http://www.justanotherhacker.com | |
39 | ||
40 | BED was written by: | |
41 | Eric Sesterhenn aka. 'Snakebyte' | |
42 | -Mail: snakebyte@gmx.de | |
43 | -Web: www.snake-basket.de | |
44 | ||
45 | Martin J. Muench aka. 'mjm' | |
46 | -Mail: mjm@codito.de | |
47 | -Web: www.codito.de | |
48 |
0 | package bedmod::finger; | |
1 | use Socket; | |
2 | ||
3 | # lame finger plugin :) | |
4 | ||
5 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
6 | # create a new instance of this object | |
7 | sub new { | |
8 | my $this = {}; | |
9 | bless $this; | |
10 | return $this; | |
11 | } | |
12 | ||
13 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
14 | # initialise some parameters | |
15 | sub init { | |
16 | my $this = shift; | |
17 | %special_cfg=@_; | |
18 | ||
19 | # Set protocol tcp/udp | |
20 | $this->{proto} = "tcp"; | |
21 | ||
22 | if ($special_cfg{'p'} eq "") { $this->{port}='79'; } | |
23 | else { $this->{port} = $special_cfg{'p'}; } | |
24 | $this->{sport} = 0; | |
25 | $this->{vrfy} = "root\n"; | |
26 | } | |
27 | ||
28 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
29 | # how to quit ? | |
30 | sub getQuit { | |
31 | return(""); | |
32 | } | |
33 | ||
34 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
35 | # what to test without doing a login before | |
36 | # ..mainly the login stuff *g* | |
37 | sub getLoginarray { | |
38 | my $this = shift; | |
39 | @Loginarray = (""); | |
40 | return (@Loginarray); | |
41 | } | |
42 | ||
43 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
44 | # which commands does this protocol know ? | |
45 | sub getCommandarray { | |
46 | my $this = shift; | |
47 | ||
48 | # the XAXAX will be replaced with the buffer overflow / format string | |
49 | # place every command in this array you want to test | |
50 | @cmdArray = ( | |
51 | "XAXAX\r\n", | |
52 | "\@XAXAX\r\n", | |
53 | "XAXAX\@\r\n", | |
54 | "XAXAX\@XAXAX\r\n" | |
55 | ); | |
56 | return(@cmdArray); | |
57 | } | |
58 | ||
59 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
60 | # what to send to login ? | |
61 | sub getLogin { # login procedure | |
62 | my $this = shift; | |
63 | @login = (""); | |
64 | return(@login); | |
65 | } | |
66 | ||
67 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
68 | # here we can test everything besides buffer overflows and format strings | |
69 | sub testMisc { | |
70 | my $this = shift; | |
71 | return(); | |
72 | } | |
73 | ||
74 | sub usage { | |
75 | } | |
76 | ||
77 | 1; |
0 | package bedmod::ftp; | |
1 | use Socket; | |
2 | ||
3 | # This package is an extension to bed, to check | |
4 | # for ftp server vulnerabilities. | |
5 | ||
6 | sub new { | |
7 | my $this = {}; | |
8 | $this->{username} = 'anonymous'; # specific for just this | |
9 | $this->{password} = 'user@this.bed'; # module | |
10 | bless $this; | |
11 | return $this; | |
12 | } | |
13 | ||
14 | sub init { | |
15 | my $this = shift; | |
16 | %special_cfg=@_; | |
17 | ||
18 | # Specify protocol to use | |
19 | $this->{proto}="tcp"; | |
20 | # check for missing args, set target and host | |
21 | if ($special_cfg{'p'} eq "") { $this->{port}='21'; } | |
22 | else { $this->{port} = $special_cfg{'p'}; } | |
23 | ||
24 | # get info nessecairy for FTP | |
25 | $this->{username} = $special_cfg{'u'} if $special_cfg{'u'}; | |
26 | $this->{password} = $special_cfg{'v'} if $special_cfg{'v'}; | |
27 | $this->{vrfy} = "PWD\r\n"; | |
28 | ||
29 | # let's see if we got a correct login (skip if dump mode is set) | |
30 | if ($special_cfg{'d'}) { return; } | |
31 | $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n"; | |
32 | $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; | |
33 | $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; | |
34 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; | |
35 | connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; | |
36 | send(SOCKET, "USER $this->{username}\r\n", 0) || die "USER failed: $!\n"; | |
37 | $recvbuf = <SOCKET>; | |
38 | sleep(1); # some ftp's need some time to reply | |
39 | send(SOCKET, "PASS $this->{password}\r\n", 0) || die "PASS failed: $!\n"; | |
40 | do { | |
41 | $recvbuf = <SOCKET>; | |
42 | #print ($recvbuf); | |
43 | if ( $recvbuf =~ "530" ){ | |
44 | print ("Username or Password incorrect, can't login\n"); | |
45 | exit(1); | |
46 | } | |
47 | sleep(0.2); | |
48 | } until ( $recvbuf =~ "230" ); | |
49 | send(SOCKET, "QUIT\r\n", 0); | |
50 | close(SOCKET); | |
51 | } | |
52 | ||
53 | sub getQuit { | |
54 | return("QUIT\r\n"); | |
55 | } | |
56 | ||
57 | sub getLoginarray { | |
58 | my $this = shift; | |
59 | @Loginarray = ( | |
60 | "XAXAX\r\n", | |
61 | "USER XAXAX\r\n", | |
62 | "USER XAXAX\r\nPASS password\r\n", | |
63 | "USER anonymous\r\nPASS XAXAX\r\n", | |
64 | "USER XAXAX\r\nPASS password\r\nUSER $this->{username}\r\nPASS XAXAX\r\n", | |
65 | "USER $this->{username}\r\nPASS XAXAX\r\n", | |
66 | "PASS XAXAX\r\n" | |
67 | ); | |
68 | return (@Loginarray); | |
69 | } | |
70 | ||
71 | sub getCommandarray { | |
72 | my $this = shift; | |
73 | ||
74 | # the XAXAX will be replaced with the buffer overflow / format string | |
75 | # just comment them out if you don't like them.. | |
76 | @cmdArray = ( | |
77 | "XAXAX\r\n", | |
78 | "XAXAX 123\r\n", | |
79 | "ABOR XAXAX\r\n", | |
80 | "ACCL XAXAX\r\n", | |
81 | "ACCT XAXAX\r\n", | |
82 | "ALLO XAXAX\r\n", | |
83 | "APPE XAXAX\r\n", | |
84 | "APPE /XAXAX\r\n", | |
85 | "CDUP XAXAX\r\n", | |
86 | "CWD XAXAX\r\n", | |
87 | "CEL XAXAX\r\n", | |
88 | "DELE XAXAX\r\n", | |
89 | "EPRT XAXAX\r\n", | |
90 | "EPRT |XAXAX|127.0.0.1|6275|\r\n", | |
91 | "EPRT |1|XAXAX|6275|\r\n", | |
92 | "EPRT |1|127.0.0.1|XAXAX|\r\n", | |
93 | "EPSV XAXAX\r\n", | |
94 | "FEAT XAXAX\r\n", | |
95 | "HELP XAXAX\r\n", | |
96 | "LIST XAXAX\r\n", | |
97 | "LIST -XAXAX\r\n", | |
98 | "LIST *XAXAX\r\n", | |
99 | "LOCK XAXAX\r\n", | |
100 | "LOCK / XAXAX\r\n", | |
101 | "MDTM XAXAX\r\n", | |
102 | "MDTM XAXAX file.txt\r\n", | |
103 | "MDTM 19990929043300 XAXAX\r\n", | |
104 | "MDTM 20031111111111+ XAXAX\r\n", | |
105 | "MLST XAXAX\r\n", | |
106 | "MODE XAXAX\r\n", | |
107 | "MKD XAXAX\r\n", | |
108 | "MKD XAXAX\r\nCWD XAXAX\r\n", | |
109 | "MKD XAXAX\r\nDELE XAXAX\r\n", | |
110 | "MKD XAXAX\r\nRMD XAXAX\r\n", | |
111 | "MKD XAXAX\r\nXRMD XAXAX\r\n", | |
112 | "NLST XAXAX\r\n", | |
113 | "NLST ~XAXAX\r\n", | |
114 | "NOOP XAXAX\r\n", | |
115 | "OPTS XAXAX\r\n", | |
116 | "PASS XAXAX\r\n", | |
117 | "PASV XAXAX\r\n", | |
118 | "PORT XAXAX\r\n", | |
119 | "PWD XAXAX\r\n", | |
120 | "REIN XAXAX\r\n", | |
121 | "REST XAXAX\r\n", | |
122 | "RETR XAXAX\r\n", | |
123 | "RMD XAXAX\r\n", | |
124 | "RNFR XAXAX\r\n", | |
125 | "RNTO XAXAX\r\n", | |
126 | "RNFR XAXAX\r\nRNTO XAXAX\r\n", | |
127 | "SITE XAXAX\r\n", | |
128 | "SITE EXEC XAXAX\r\n", | |
129 | "SITE GROUPS XAXAX\r\n", | |
130 | "SITE CDPATH XAXAX\r\n", | |
131 | "SITE ALIAS XAXAX\r\n", | |
132 | "SITE INDEX XAXAX\r\n", | |
133 | "SITE MINFO 20001010101010 XAXAX\r\n", | |
134 | "SITE NEWER 20001010101010 XAXAX\r\n", | |
135 | "SITE GPASS XAXAX\r\n", | |
136 | "SITE GROUP XAXAX\r\n", | |
137 | "SITE HELP XAXAX\r\n", | |
138 | "SITE IDLE XAXAX\r\n", | |
139 | "SITE CHMOD XAXAX\r\n", | |
140 | "SITE CHMOD 777 XAXAX\r\n", | |
141 | "SITE UMASK XAXAX\r\n", | |
142 | "SIZE XAXAX\r\n", | |
143 | "SIZE /XAXAX\r\n", | |
144 | "SMNT XAXAX\r\n", | |
145 | "STOU XAXAX\r\n", | |
146 | "STRU XAXAX\r\n", | |
147 | "STOR XAXAX\r\n", | |
148 | "STAT XAXAX\r\n", | |
149 | "SYST XAXAX\r\n", | |
150 | "TYPE XAXAX\r\n", | |
151 | "USER XAXAX\r\n", | |
152 | "UNLOCK XAXAX\r\n", | |
153 | "UNLOCK / XAXAX\r\n", | |
154 | "XCUP XAXAX\r\n", | |
155 | "XCWD XAXAX\r\n", | |
156 | "XMD5 XAXAX\r\n", | |
157 | "XMKD XAXAX\r\n", | |
158 | "XPWD XAXAX\r\n", | |
159 | "XRMD XAXAX\r\n", | |
160 | ); | |
161 | return(@cmdArray); | |
162 | } | |
163 | ||
164 | sub getLogin { # login procedure | |
165 | my $this = shift; | |
166 | @login = ("USER $this->{username}\r\nPASS $this->{password}\r\n"); | |
167 | return(@login); | |
168 | } | |
169 | ||
170 | sub testMisc { | |
171 | my $this = shift; | |
172 | return; # Directory traversal code is buggy an not really what I want | |
173 | # test for bof in login / user ? | |
174 | # test for the availability to abuse this host for portscanning ? | |
175 | ||
176 | # test for possible directory traversal bugs... | |
177 | print ("*Directory traversal\n"); | |
178 | ||
179 | @traversal = ("...", "%5c..%5c", ,"%5c%2e%2e%5c", "/././..", "/...", "/......", "\\...", "...\\", "....", "*", "\\*", "\\....", "*\\\\.....", "/..../", "/../../../", "\\..\\..\\..\\", "\@/..\@/.."); | |
180 | foreach $Directory (@traversal){ | |
181 | $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n"; | |
182 | $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; | |
183 | $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; | |
184 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; | |
185 | connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; | |
186 | send(SOCKET, "USER $this->{username}\r\n", 0) || die "USER failed: $!\n"; | |
187 | sleep(2); # some ftp's need some time to reply | |
188 | $recvbuf = <SOCKET>; | |
189 | send(SOCKET, "PASS $this->{password}\r\n", 0) || die "PASS failed: $!\n"; | |
190 | sleep(2); # some ftp's need some time to reply | |
191 | $recvbuf = <SOCKET> || die "Login failed $!\n"; | |
192 | send(SOCKET, "PWD\r\n", 0); # get old directory | |
193 | sleep(1); | |
194 | $curDir = <SOCKET>; | |
195 | send(SOCKET, "CWD $Directory\r\n", 0); # send the traversal string | |
196 | # clear the buffer, by waiting for : | |
197 | # 501 550 250 553 | |
198 | do { $recvbuf = <SOCKET>; } while( ($recvbuf !~ /550/) && ($recvbuf !~ /250/) && ($recvbuf !~ /553/) && ($recvbuf !~ /501/)); # receive answer | |
199 | send(SOCKET, "PWD\r\n", 0); # get new directory | |
200 | $newDir = <SOCKET>; | |
201 | ||
202 | # compare the directories, and report a problem if they are not equal | |
203 | if ( $curDir ne $newDir ){ print ("Directory Traversal ($curDir => $newDir) possible with $Directory \n"); } | |
204 | send(SOCKET,"QUIT\r\n", 0); # logout | |
205 | close (SOCKET); # close connection | |
206 | } | |
207 | return(); | |
208 | } | |
209 | ||
210 | sub usage { | |
211 | print qq~ FTP Module specific options: | |
212 | -u <username> = Username to use for authentication (default: anonymous) | |
213 | -v <password> = Password to use for authentication (default: user\@this.bed) | |
214 | ||
215 | ~; | |
216 | } | |
217 | ||
218 | 1; |
0 | package bedmod::http; | |
1 | use Socket; | |
2 | ||
3 | # This package is an extension to bed, to check | |
4 | # for http server vulnerabilities. | |
5 | ||
6 | sub new { | |
7 | my $this = {}; | |
8 | bless $this; | |
9 | return $this; | |
10 | } | |
11 | ||
12 | sub init { | |
13 | my $this = shift; | |
14 | %special_cfg=@_; | |
15 | ||
16 | $this->{proto}="tcp"; | |
17 | ||
18 | if ($special_cfg{'p'} eq "") { | |
19 | $this->{port}='80'; | |
20 | } else { | |
21 | $this->{port} = $special_cfg{'p'}; | |
22 | } | |
23 | ||
24 | if ($special_cfg{'d'}) { return; } | |
25 | $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n"; | |
26 | $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; | |
27 | $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; | |
28 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; | |
29 | connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; | |
30 | send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n"; | |
31 | } | |
32 | ||
33 | sub getQuit { | |
34 | return("\r\n\r\n"); | |
35 | } | |
36 | ||
37 | sub getLoginarray { | |
38 | my $this = shift; | |
39 | @Loginarray = ( | |
40 | "XAXAX\r\n\r\n", | |
41 | "XAXAX / HTTP/1.0\r\n\r\n", | |
42 | "HEAD XAXAX HTTP/1.0\r\n\r\n", | |
43 | "HEAD /XAXAX HTTP/1.0\r\n\r\n", | |
44 | "HEAD /?XAXAX HTTP/1.0\r\n\r\n", | |
45 | "HEAD / XAXAX\r\n\r\n", | |
46 | "GET XAXAX HTTP/1.0\r\n\r\n", | |
47 | "GET /XAXAX HTTP/1.0\r\n\r\n", | |
48 | "GET /XAXAX.html HTTP/1.0\r\n\r\n", | |
49 | "GET /index.XAXAX HTTP/1.0\r\n\r\n", | |
50 | "GET /~XAXAX HTTP/1.0\r\n\r\n", | |
51 | "GET /?XAXAX HTTP/1.0\r\n\r\n", | |
52 | "GET /?XAXAX=x HTTP/1.0\r\n\r\n", | |
53 | "GET /?x=XAXAX HTTP/1.0\r\n\r\n", | |
54 | "GET / XAXAX\r\n\r\n", | |
55 | "GET / HTTP/XAXAX\r\n\r\n", | |
56 | "GET /XAXAX\r\n\r\n", | |
57 | "POST XAXAX HTTP/1.0\r\n\r\n", | |
58 | "POST /XAXAX HTTP/1.0\r\n\r\n", | |
59 | "POST /?XAXAX HTTP/1.0\r\n\r\n", | |
60 | "POST / XAXAX\r\n\r\n", | |
61 | "POST /XAXAX\r\n\r\n", | |
62 | "POST / HTTP/1.0\r\n\r\nXAXAX\r\n\r\n", | |
63 | "POST / HTTP/1.0\r\nContent-length: 10\r\n\r\nXAXAX\r\n\r\n", | |
64 | "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---XAXAX\r\n\r\n---XAXAX--\r\n\r\n", | |
65 | "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---AAAAA\r\n\r\n---AAAAA\r\nContent-Disposition: form-data; name=\"XAXAX\"\r\n\r\ntest\r\n---AAAAA--\r\n\r\n", | |
66 | "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---AAAAA\r\n\r\n---AAAAA\r\nContent-Disposition: form-data; name=\"test\"\r\n\r\nXAXAX\r\n---AAAAA--\r\n\r\n", | |
67 | "OPTIONS XAXAX HTTP/1.0\r\n\r\n", | |
68 | "OPTIONS /XAXAX HTTP/1.0\r\n\r\n", | |
69 | "OPTIONS / XAXAX\r\n\r\n", | |
70 | "PUT XAXAX HTTP/1.0\r\n\r\n", | |
71 | "PUT /XAXAX HTTP/1.0\r\n\r\n", | |
72 | "PUT / XAXAX\r\n\r\n", | |
73 | "TRACE XAXAX HTTP/1.0\r\n\r\n", | |
74 | "TRACE /XAXAX HTTP/1.0\r\n\r\n", | |
75 | "TRACE / XAXAX\r\n\r\n", | |
76 | "TRACK XAXAX HTTP/1.0\r\n\r\n", | |
77 | ); | |
78 | return (@Loginarray); | |
79 | } | |
80 | ||
81 | sub getCommandarray { | |
82 | my $this = shift; | |
83 | ||
84 | @cmdArray = ( | |
85 | "XAXAX: XAXAX\r\n\r\n", | |
86 | "User-Agent: XAXAX\r\n\r\n", | |
87 | "Host: XAXAX\r\n\r\n", | |
88 | "Host: XAXAX:80\r\n\r\n", | |
89 | "Host: somehost:XAXAX\r\n\r\n", | |
90 | "Accept: XAXAX\r\n\r\n", | |
91 | "Accept-Encoding: XAXAX\r\n\r\n", | |
92 | "Accept-Language: XAXAX\r\n\r\n", | |
93 | "Accept-Charset: XAXAX\r\n\r\n", | |
94 | "Connection: XAXAX\r\n\r\n", | |
95 | "Referer: XAXAX\r\n\r\n", | |
96 | "Referer: XAXAX://somehost.com/\r\n\r\n", | |
97 | "Referer: http://XAXAX/\r\n\r\n", | |
98 | "Referer: http://somehost.com/XAXAX\r\n\r\n", | |
99 | "Authorization: XAXAX\r\n\r\n", | |
100 | "From: XAXAX\r\n\r\n", | |
101 | "Charge-To: XAXAX\r\n\r\n", | |
102 | "Authorization: XAXAX", | |
103 | "Authorization: XAXAX : foo\r\n\r\n", | |
104 | "Authorization: foo : XAXAX\r\n\r\n", | |
105 | "If-Modified-Since: XAXAX\r\n\r\n", | |
106 | "If-Match: XAXAX\r\n\r\n", | |
107 | "If-None-Match: XAXAX\r\n\r\n", | |
108 | "If-Range: XAXAX\r\n\r\n", | |
109 | "If-Unmodified-Since: XAXAX\r\n\r\n", | |
110 | "Max-Forwards: XAXAX\r\n\r\n", | |
111 | "Proxy-Authorization: XAXAX\r\n\r\n", | |
112 | "ChargeTo: XAXAX\r\n\r\n", | |
113 | "Pragma: XAXAX\r\n\r\n", | |
114 | "Expect: XAXAX\r\n\r\n", | |
115 | "Range: XAXAX\r\n\r\n", | |
116 | "Range: bytes=1-XAXAX\r\n\r\n", | |
117 | "Range: bytes=0-1,XAXAX\r\n", | |
118 | "Content-Length: XAXAX\r\n\r\n", | |
119 | "Cookie: XAXAX\r\n\r\n", | |
120 | "TE: XAXAX\r\n\r\n", | |
121 | "Upgrade: XAXAX\r\nConnection: upgrade\r\n\r\n", | |
122 | ); | |
123 | return(@cmdArray); | |
124 | } | |
125 | ||
126 | sub getLogin { | |
127 | my $this = shift; | |
128 | @login = ( | |
129 | "GET / HTTP/1.0\r\n", | |
130 | "POST / HTTP/1.0\r\n", | |
131 | "HEAD / HTTP/1.0\r\n", | |
132 | "GET / HTTP/1.1\r\n", | |
133 | "OPTIONS / HTTP/1.0\r\n", | |
134 | "PUT / HTTP/1.0\r\n", | |
135 | "TRACE / HTTP/1.0\r\n", | |
136 | ); | |
137 | return(@login); | |
138 | } | |
139 | ||
140 | sub testMisc { #Put your corner case tests here | |
141 | my $this = shift; | |
142 | @cmdArray = ( | |
143 | "GET / HTTP/1.0\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n" | |
144 | ); | |
145 | return(@cmdArray); | |
146 | } | |
147 | ||
148 | sub usage { | |
149 | } | |
150 | ||
151 | 1; |
0 | package bedmod::imap; | |
1 | use Socket; | |
2 | ||
3 | # imap plugin for bed2 | |
4 | ||
5 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
6 | # create a new instance of this object | |
7 | sub new { | |
8 | my $this = {}; | |
9 | ||
10 | # imap defines | |
11 | $this->{user} = undef; | |
12 | $this->{pass} = undef; | |
13 | bless $this; | |
14 | return $this; | |
15 | } | |
16 | ||
17 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
18 | # initialise some parameters | |
19 | sub init { | |
20 | my $this = shift; | |
21 | %special_cfg = @_; | |
22 | ||
23 | # Set protocol tcp/udp | |
24 | $this->{proto} = "tcp"; | |
25 | ||
26 | if ( $special_cfg{'p'} eq "" ) { $this->{port} = '143'; } | |
27 | else { $this->{port} = $special_cfg{'p'}; } | |
28 | ||
29 | if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) { | |
30 | &usage(); | |
31 | exit(1); | |
32 | } | |
33 | ||
34 | $this->{user} = $special_cfg{'u'}; | |
35 | $this->{pass} = $special_cfg{'v'}; | |
36 | ||
37 | # how can bed check that the server is still alive | |
38 | $this->{vrfy} = "A001 NOOP\r\n"; | |
39 | } | |
40 | ||
41 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
42 | # how to quit ? | |
43 | sub getQuit { | |
44 | return ("A001 LOGOUT\r\n"); | |
45 | } | |
46 | ||
47 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
48 | # what to test without doing a login before | |
49 | # ..mainly the login stuff *g* | |
50 | sub getLoginarray { | |
51 | my $this = shift; | |
52 | @Loginarray = ( | |
53 | "A001 AUTHENTICATE XAXAX\r\n", | |
54 | "A001 LOGIN XAXAX\r\n", | |
55 | "A001 LOGIN $this->{user} XAXAX\r\n" | |
56 | ); | |
57 | return (@Loginarray); | |
58 | } | |
59 | ||
60 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
61 | # which commands does this protocol know ? | |
62 | sub getCommandarray { | |
63 | my $this = shift; | |
64 | ||
65 | # the XAXAX will be replaced with the buffer overflow / format string | |
66 | # place every command in this array you want to test | |
67 | @cmdArray = ( | |
68 | "A001 CREATE myTest\r\n", # just for testing... | |
69 | "FXXZ CHECK XAXAX\r\n", | |
70 | "LIST XAXAX\r\n", | |
71 | "A001 SELECT XAXAX\r\n", | |
72 | "A001 EXAMINE XAXAX\r\n", | |
73 | "A001 CREATE XAXAX\r\n", | |
74 | "A001 DELETE XAXAX\r\n", | |
75 | "A001 RENAME XAXAX\r\n", | |
76 | "A001 CREATE test\r\nA001RENAME test XAXAX\r\n", | |
77 | "A001 SUBSCRIBE XAXAX\r\n", | |
78 | "A001 UNSUBSCRIBE XAXAX\r\n", | |
79 | "A001 LIST XAXAX aa \r\n", | |
80 | "A001 LIST aa XAXAX\r\n", | |
81 | "A001 LIST * XAXAX\r\n", | |
82 | "A001 LSUB aa XAXAX\r\n", | |
83 | "A001 LSUB XAXAX aa \r\n", # aa should be "" | |
84 | "A001 STATUS XAXAX\r\n", | |
85 | "A001 STATUS inbox (XAXAX)\r\n", | |
86 | "A001 APPEND XAXAX\r\n", | |
87 | "A001 SELECT myTest\r\nA001 SEARCH XAXAX\r\n", | |
88 | "A001 SELECT myTest\r\nA001 FETCH XAXAX\r\n", | |
89 | "A001 SELECT myTest\r\nA001 FETCH 1:2 XAXAX\r\n", | |
90 | "A001 SELECT myTest\r\nA001 STORE XAXAX\r\n", | |
91 | "A001 SELECT myTest\r\nA001 STORE 1:2 XAXAX\r\n", | |
92 | "A001 SELECT myTest\r\nA001 COPY XAXAX\r\n", | |
93 | "A001 SELECT myTest\r\nA001 COPY 1:2 XAXAX\r\n", | |
94 | "A001 SELECT myTest\r\nA001 UID XAXAX\r\n", | |
95 | "A001 SELECT myTest\r\nA001 UID FETCH XAXAX\r\n", | |
96 | "A001 UID XAXAX\r\n", | |
97 | "A001 CAPABILITY XAXAX\r\n", | |
98 | "A001 DELETEACL XAXAX\r\n", | |
99 | "A001 GETACL XAXAX\r\n", | |
100 | "A001 LISTRIGHTS XAXAX\r\n", | |
101 | "A001 MYRIGHTS XAXAX\r\n", | |
102 | "A001 XAXAX\r\n" | |
103 | ); | |
104 | return (@cmdArray); | |
105 | } | |
106 | ||
107 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
108 | # what to send to login ? | |
109 | sub getLogin { # login procedure | |
110 | my $this = shift; | |
111 | @login = ("A001 LOGIN $this->{user} $this->{pass}\r\n"); | |
112 | return (@login); | |
113 | } | |
114 | ||
115 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
116 | # here we can test everything besides buffer overflows and format strings | |
117 | sub testMisc { | |
118 | my $this = shift; | |
119 | return (); | |
120 | } | |
121 | ||
122 | sub usage { | |
123 | print qq~ Parameters for the imap plugin: | |
124 | ||
125 | -u <username> | |
126 | -v <password> | |
127 | ||
128 | ~; | |
129 | } | |
130 | ||
131 | 1; |
0 | package bedmod::irc; | |
1 | use Socket; | |
2 | ||
3 | # This package is an extension to bed, to check | |
4 | # for irc server vulnerabilities. | |
5 | ||
6 | sub new { | |
7 | my $this = {}; | |
8 | bless $this; | |
9 | return $this; | |
10 | } | |
11 | ||
12 | sub init { | |
13 | my $this = shift; | |
14 | %special_cfg=@_; | |
15 | ||
16 | $this->{proto}="tcp"; | |
17 | ||
18 | if ($special_cfg{'p'} eq "") { $this->{port}='6667'; } | |
19 | else { $this->{port} = $special_cfg{'p'}; } | |
20 | $this->{vrfy} = "uk\r\n"; # server should reply with unknown command | |
21 | } | |
22 | ||
23 | sub getQuit { | |
24 | return("QUIT\r\n"); | |
25 | } | |
26 | ||
27 | sub getLoginarray { | |
28 | my $this = shift; | |
29 | @Loginarray = ( | |
30 | "XAXAX\r\n", | |
31 | "USER XAXAX 0 cc :dd\r\n", | |
32 | "USER aa XAXAX cc :dd\r\n", | |
33 | "USER aa 0 XAXAX :dd\r\n", | |
34 | "USER aa 0 cc :XAXAX\r\n", | |
35 | "USER aa 0 cc XAXAX\r\n", | |
36 | "USER aa 0 cc :dd XAXAX\r\n", # realname may contain spaces | |
37 | "USER aa 0 cc :dd\r\nNICK XAXAX\r\n", | |
38 | "NICK XAXAX\r\n", | |
39 | "PASS XAXAX\r\n", | |
40 | "PASS aa\r\nPASS XAXAX\r\n", | |
41 | "PASS XAXAX\r\nUSER aa 0 cc :dd\r\n", | |
42 | "PASS XAXAX\r\nNICK XAXAX\r\nUSER XAXAX XAXAX XAXAX XAXAX\r\n", | |
43 | "PASS XAXAX\r\nSERVER aa bb cc\r\n", | |
44 | "SERVER XAXAX bb cc\r\n", | |
45 | "SERVER aa XAXAX cc\r\n", | |
46 | "SERVER aa bb XAXAX\r\n", | |
47 | ); | |
48 | return (@Loginarray); | |
49 | } | |
50 | ||
51 | sub getCommandarray { | |
52 | my $this = shift; | |
53 | ||
54 | # the XAXAX will be replaced with the buffer overflow / format string | |
55 | # just comment them out if you don't like them.. | |
56 | @cmdArray = ( | |
57 | "XAXAX\r\n", | |
58 | "NICK XAXAX\r\n", | |
59 | "JOIN XAXAX\r\n", | |
60 | "PART XAXAX\r\n", | |
61 | "SERVER XAXAX 1 :foobar\r\n", | |
62 | "SERVER test XAXAX :foobar\r\n", | |
63 | "SERVER test 1 :XAXAX\r\n", | |
64 | "OPER XAXAX\r\n", | |
65 | "OPER test XAXAX\r\n", | |
66 | "JOIN #XAXAX\r\n", | |
67 | "JOIN #test XAXAX\r\n", | |
68 | "JOIN \&XAXAX\r\n", | |
69 | "JOIN \&test XAXAX\r\n", | |
70 | "PART #XAXAX\r\n", | |
71 | "PART #foo XAXAX\r\n", | |
72 | "JOIN #XAXAX\r\nPART#XAXAX\r\n", | |
73 | "LIST XAXAX\r\n", | |
74 | "INVITE XAXAX #test\r\n", | |
75 | "INVITE foo #XAXAX\r\n", | |
76 | "KICK #XAXAX bar\r\n", | |
77 | "VERSION XAXAX\r\n", | |
78 | "MOTD XAXAX\r\n", | |
79 | "MODE XAXAX\r\n", | |
80 | "MODE XAXAX foo\r\n", | |
81 | "MODE foo XAXAX\r\n", | |
82 | "NAMES XAXAX\r\n", | |
83 | "STATS XAXAX\r\n", | |
84 | "STATS c XAXAX\r\n", | |
85 | "STATS h XAXAX\r\n", | |
86 | "STATS i XAXAX\r\n", | |
87 | "STATS k XAXAX\r\n", | |
88 | "STATS l XAXAX\r\n", | |
89 | "STATS m XAXAX\r\n", | |
90 | "STATS o XAXAX\r\n", | |
91 | "STATS y XAXAX\r\n", | |
92 | "STATS u XAXAX\r\n", | |
93 | "LINKS XAXAX\r\n", | |
94 | "TIME XAXAX\r\n", | |
95 | "CONNECT XAXAX\r\n", | |
96 | "TRACE XAXAX\r\n", | |
97 | "ADMIN XAXAX\r\n", | |
98 | "INFO XAXAX\r\n", | |
99 | "PRIVMSG foo XAXAX\r\n", | |
100 | "PRIVMSG XAXAX bar\r\n", | |
101 | "NOTICE foo XAXAX\r\n", | |
102 | "NOTICE XAXAX bar\r\n", | |
103 | "TOPIC XAXAX foo\r\n", | |
104 | "WHO XAXAX\r\n", | |
105 | "WHOIS XAXAX\r\n", | |
106 | "WHOWAS XAXAX\r\n", | |
107 | "WHOWAS foo 1 XAXAX\r\n", | |
108 | "KILL foo XAXAX\r\n", | |
109 | "KILL XAXAX bar\r\n", | |
110 | "PING XAXAX\r\n", | |
111 | "PONG XAXAX\r\n", | |
112 | "ERROR XAXAX\r\n", | |
113 | "AWAY XAXAX\r\n", | |
114 | "SUMMON XAXAX\r\n", | |
115 | "SUMMON foo XAXAX\r\n", | |
116 | "USERS XAXAX\r\n", | |
117 | "WALLOPS XAXAX\r\n", | |
118 | "USERHOST XAXAX\r\n", | |
119 | "ISON XAXAX\r\n" | |
120 | ); | |
121 | return(@cmdArray); | |
122 | } | |
123 | ||
124 | sub getLogin { | |
125 | my $this = shift; | |
126 | @login = ("USER aaa bbb ccc :ddd\r\n", "NICK EEEEEE\r\n"); | |
127 | return(@login); | |
128 | } | |
129 | ||
130 | sub testMisc { | |
131 | return(); | |
132 | } | |
133 | ||
134 | sub usage { | |
135 | } | |
136 | ||
137 | 1; |
0 | # | |
1 | # Quickly hacked Module to test some LPD Stuff, | |
2 | # not everything ... yeah I am lazy too :) | |
3 | # | |
4 | package bedmod::lpd; | |
5 | use Socket; | |
6 | ||
7 | ||
8 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
9 | # create a new instance of this object | |
10 | sub new{ | |
11 | my $this = {}; | |
12 | ||
13 | # these ones must be defined | |
14 | $this->{sport} = 721; | |
15 | bless $this; | |
16 | return $this; | |
17 | } | |
18 | ||
19 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
20 | # initialise some parameters | |
21 | sub init{ | |
22 | my $this = shift; | |
23 | %special_cfg=@_; | |
24 | ||
25 | # Set protocol tcp/udp | |
26 | $this->{proto} = "tcp"; | |
27 | ||
28 | ||
29 | if ($special_cfg{'p'} eq "") { $this->{port}='515'; } | |
30 | else { $this->{port} = $special_cfg{'p'}; } | |
31 | ||
32 | $this->{vrfy} = ""; | |
33 | } | |
34 | ||
35 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
36 | # how to quit ? | |
37 | sub getQuit{ | |
38 | return("\1\n"); | |
39 | } | |
40 | ||
41 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
42 | # what to test without doing a login before | |
43 | # ..mainly the login stuff *g* | |
44 | sub getLoginarray { | |
45 | my $this = shift; | |
46 | @Loginarray = ( | |
47 | "XAXAX", | |
48 | "\01XAXAX\n", | |
49 | "\02XAXAX\n", | |
50 | "\03XAXAX all\n", | |
51 | "\03default XAXAX\n", | |
52 | "\04XAXAX all\n", | |
53 | "\04default XAXAX\n", | |
54 | "\05XAXAX root all\n", | |
55 | "\05default XAXAX all\n", | |
56 | "\05default root XAXAX\n" | |
57 | ); | |
58 | return (@Loginarray); | |
59 | } | |
60 | ||
61 | ||
62 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
63 | # which commands does this protocol know ? | |
64 | sub getCommandarray { | |
65 | my $this = shift; | |
66 | # the XAXAX will be replaced with the buffer overflow / format string | |
67 | # place every command in this array you want to test | |
68 | @cmdArray = ( | |
69 | "\0294XAXAX001test\n", | |
70 | "\0294cfA001XAXAX\n", | |
71 | "\0394XAXAX001test\n", | |
72 | "\0394cfA001XAXAX\n", | |
73 | ); | |
74 | return(@cmdArray); | |
75 | } | |
76 | ||
77 | ||
78 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
79 | # what to send to login ? | |
80 | sub getLogin{ # login procedure | |
81 | my $this = shift; | |
82 | @login = ("\02default\n"); | |
83 | return(@login); | |
84 | } | |
85 | ||
86 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
87 | # here we can test everything besides buffer overflows and format strings | |
88 | sub testMisc{ | |
89 | my $this = shift; | |
90 | return(); | |
91 | } | |
92 | ||
93 | sub usage { | |
94 | } | |
95 | ||
96 | 1; |
0 | package bedmod::pjl; | |
1 | use Socket; | |
2 | ||
3 | # Plugin to check PJL Printer | |
4 | # written to test a Lexmark T522 | |
5 | # | |
6 | # i didnt read the pjl rfc or whatever just included | |
7 | # the stuff if found by a quick google search :) | |
8 | ||
9 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
10 | # create a new instance of this object | |
11 | sub new { | |
12 | my $this = {}; | |
13 | bless $this; | |
14 | return $this; | |
15 | } | |
16 | ||
17 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
18 | # initialise some parameters | |
19 | sub init { | |
20 | my $this = shift; | |
21 | %special_cfg = @_; | |
22 | ||
23 | # Set protocol tcp/udp | |
24 | $this->{proto} = "tcp"; | |
25 | ||
26 | # check for missing args, set target and host | |
27 | if ( $special_cfg{'p'} eq "" ) { $this->{port} = '9100'; } | |
28 | else { $this->{port} = $special_cfg{'p'}; } | |
29 | ||
30 | $this->{vrfy} = ""; | |
31 | } | |
32 | ||
33 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
34 | # how to quit ? | |
35 | sub getQuit { | |
36 | return ("\33%-12345X\n"); | |
37 | } | |
38 | ||
39 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
40 | # we got no login procedure... | |
41 | sub getLoginarray { | |
42 | my $this = shift; | |
43 | @Loginarray = (""); | |
44 | return (@Loginarray); | |
45 | } | |
46 | ||
47 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
48 | # which commands does this protocol know ? | |
49 | sub getCommandarray { | |
50 | my $this = shift; | |
51 | ||
52 | # the XAXAX will be replaced with the buffer overflow / format string | |
53 | # here we go with our commands | |
54 | $PI = "\33%-12345X\@PJL"; # \n\@PJL | |
55 | @cmdArray = ( | |
56 | $PI . " ENTER XAXAX\n", | |
57 | $PI . " ENTER LANGUAGE = XAXAX\n", | |
58 | $PI . " JOB XAXAX\n", | |
59 | $PI . " JOB NAME = XAXAX\n", | |
60 | $PI . " JOB NAME = \"foo\" START = XAXAX\n", | |
61 | $PI . " JOB NAME = \"foo\" END = XAXAX\n", | |
62 | $PI . " JOB NAME = \"foo\" PASSWORD = XAXAX\n", | |
63 | $PI . " EOJ XAXAX\n", | |
64 | $PI . " EOJ NAME = XAXAX\n", | |
65 | $PI . " DEFAULT XAXAX\n", | |
66 | $PI . " DEFAULT LPARM: XAXAX\n", | |
67 | $PI . " DEFAULT IPARM: XAXAX\n", | |
68 | $PI . " SET XAXAX\n", | |
69 | $PI . " SET LPARM: XAXAX\n", | |
70 | $PI . " SET IPARM: XAXAX\n", | |
71 | $PI . " INQUIRE XAXAX\n", | |
72 | $PI . " INQUIRE LPARM: XAXAX\n", | |
73 | $PI . " INQUIRE IPARM: XAXAX\n", | |
74 | $PI . " DINQUIRE XAXAX\n", | |
75 | $PI . " DINQUIRE LPARM: XAXAX\n", | |
76 | $PI . " DINQUIRE IPARM: XAXAX\n", | |
77 | $PI . " INFO XAXAX\n", | |
78 | $PI . " ECHO XAXAX\n", | |
79 | $PI . " USTATUS XAXAX\n", | |
80 | $PI . " USTATUS A = XAXAX\n", | |
81 | $PI . " OPMSG DISPLAY = XAXAX\n", | |
82 | $PI . " RDYMSG DISPLAY = XAXAX\n", | |
83 | $PI . " STMSG DISPLAY = XAXAX\n", | |
84 | $PI . " COMMENT XAXAX\n", | |
85 | $PI . " SET PAGEPROTECT = XAXAX\n", | |
86 | $PI . " SET LIMAGEENHANCE = XAXAX\n", | |
87 | $PI . " LDPARM : PCL LCOLOREXTENSIONS = XAXAX\n", | |
88 | $PI . " LJOBINFO XAXAX\n", | |
89 | $PI . " LJOBINFO USERID = XAXAX\n", | |
90 | $PI . " LJOBINFO HOSTID = XAXAX\n" | |
91 | ); | |
92 | return (@cmdArray); | |
93 | } | |
94 | ||
95 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
96 | # what to send to login ? | |
97 | sub getLogin { # login procedure | |
98 | my $this = shift; | |
99 | @login = (""); | |
100 | return (@login); | |
101 | } | |
102 | ||
103 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
104 | # here we can test everything besides buffer overflows and format strings | |
105 | sub testMisc { | |
106 | my $this = shift; | |
107 | return (); | |
108 | } | |
109 | ||
110 | sub usage { | |
111 | } | |
112 | ||
113 | 1; |
0 | package bedmod::pop; | |
1 | use Socket; | |
2 | ||
3 | # This package is an extension to bed, to check | |
4 | # for pop server vulnerabilities. | |
5 | ||
6 | sub new { | |
7 | my $this = {}; | |
8 | $this->{username} = undef; # specific for just this | |
9 | $this->{password} = undef; # module | |
10 | bless $this; | |
11 | return $this; | |
12 | } | |
13 | ||
14 | sub init { | |
15 | my $this = shift; | |
16 | %special_cfg = @_; | |
17 | ||
18 | $this->{proto} = "tcp"; | |
19 | ||
20 | if ( $special_cfg{'p'} eq "" ) { $this->{port} = '110'; } | |
21 | else { $this->{port} = $special_cfg{'p'}; } | |
22 | ||
23 | if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) { | |
24 | &usage(); | |
25 | exit(1); | |
26 | } | |
27 | ||
28 | $this->{username} = $special_cfg{'u'}; | |
29 | $this->{password} = $special_cfg{'v'}; | |
30 | $this->{vrfy} = "NOOP\r\n"; | |
31 | $iaddr = inet_aton( $this->{target} ) || die "Unknown host: $host\n"; | |
32 | $paddr = sockaddr_in( $this->{port}, $iaddr ) || die "getprotobyname: $!\n"; | |
33 | $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; | |
34 | socket( SOCKET, PF_INET, SOCK_STREAM, $proto ) || die "socket: $!\n"; | |
35 | connect( SOCKET, $paddr ) || die "connection attempt failed: $!\n"; | |
36 | send( SOCKET, "USER $this->{username}\r\n", 0 ) || die "USER failed: $!\n"; | |
37 | $recvbuf = <SOCKET>; | |
38 | sleep(1); | |
39 | send( SOCKET, "PASS $this->{password}\r\n", 0 ) || die "PASS failed: $!\n"; | |
40 | ||
41 | $recvbuf = <SOCKET>; | |
42 | if ( $recvbuf =~ "-ERR" ) { | |
43 | print("Username or Password incorrect, can't login\n"); | |
44 | exit(1); | |
45 | } | |
46 | send( SOCKET, "QUIT\r\n", 0 ) | |
47 | ||
48 | } | |
49 | ||
50 | sub getQuit { | |
51 | return ("QUIT\r\n"); | |
52 | } | |
53 | ||
54 | sub getLoginarray { | |
55 | my $this = shift; | |
56 | @Loginarray = ( | |
57 | "USER XAXAX\r\n", | |
58 | "USER $this->{username}\r\nPASS XAXAX\r\n", | |
59 | "APOP XAXAX aaa\r\n", | |
60 | "APOP $this->{username} XAXAX\r\n" | |
61 | ); | |
62 | return (@Loginarray); | |
63 | } | |
64 | ||
65 | sub getCommandarray { | |
66 | my $this = shift; | |
67 | ||
68 | # the XAXAX will be replaced with the buffer overflow / format string | |
69 | # just comment them out if you don't like them.. | |
70 | @cmdArray = ( | |
71 | "LIST XAXAX\r\n", | |
72 | "STAT XAXAX\r\n", | |
73 | "NOOP XAXAX\r\n", | |
74 | "APOP XAXAX\r\n", | |
75 | "RSET XAXAX\r\n", | |
76 | "RETR XAXAX\r\n", | |
77 | "DELE XAXAX\r\n", | |
78 | "TOP XAXAX 1\r\n", | |
79 | "TOP 1 XAXAX\r\n", | |
80 | "UIDL XAXAX\r\n", | |
81 | ); | |
82 | return (@cmdArray); | |
83 | } | |
84 | ||
85 | sub getLogin { # login procedure | |
86 | my $this = shift; | |
87 | @login = ( "USER $this->{username}\r\n", "PASS $this->{password}\r\n" ); | |
88 | return (@login); | |
89 | } | |
90 | ||
91 | sub testMisc { | |
92 | return (); | |
93 | } | |
94 | ||
95 | sub usage { | |
96 | print qq~ Parameters for the POP plugin: | |
97 | ||
98 | -u <username> | |
99 | -v <password> | |
100 | ||
101 | ~; | |
102 | } | |
103 | ||
104 | 1; |
0 | package bedmod::proxy; | |
1 | use Socket; | |
2 | ||
3 | # This package is an extension to bed, to check | |
4 | # for http proxy server vulnerabilities. | |
5 | ||
6 | sub new { | |
7 | my $this = {}; | |
8 | bless $this; | |
9 | return $this; | |
10 | } | |
11 | ||
12 | sub init { | |
13 | my $this = shift; | |
14 | %special_cfg=@_; | |
15 | ||
16 | $this->{proto}="tcp"; | |
17 | ||
18 | if ($special_cfg{'p'} eq "") { | |
19 | $this->{port}='8080'; | |
20 | } else { | |
21 | $this->{port} = $special_cfg{'p'}; | |
22 | } | |
23 | ||
24 | if ($special_cfg{'d'}) { return; } | |
25 | $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n"; | |
26 | $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; | |
27 | $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; | |
28 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; | |
29 | connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; | |
30 | send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n"; | |
31 | } | |
32 | ||
33 | sub getQuit { | |
34 | return("\r\n\r\n"); | |
35 | } | |
36 | ||
37 | sub getLoginarray { | |
38 | my $this = shift; | |
39 | @Loginarray = ( | |
40 | "XAXAX\r\n\r\n", | |
41 | "XAXAX http://127.0.0.2/ HTTP/1.0\r\n\r\n", | |
42 | "HEAD http://XAXAX/ HTTP/1.0\r\n\r\n", | |
43 | "HEAD http://127.0.0.2:XAXAX/ HTTP/1.0\r\n\r\n", | |
44 | "HEAD http://127.0.0.2/XAXAX HTTP/1.0\r\n\r\n", | |
45 | "HEAD http://127.0.0.2/ XAXAX\r\n\r\n", | |
46 | "GET http://XAXAX/ HTTP/1.0\r\n\r\n", | |
47 | "GET http://127.0.0.2:XAXAX/ HTTP/1.0\r\n\r\n", | |
48 | "GET http://127.0.0.2/XAXAX HTTP/1.0\r\n\r\n", | |
49 | "GET http://127.0.0.2/ XAXAX\r\n\r\n", | |
50 | "CONNECT XAXAX HTTP/1.0\r\n\r\n", | |
51 | "CONNECT XAXAX:80 HTTP/1.0\r\n\r\n", | |
52 | "CONNECT 127.0.0.2:XAXAX HTTP/1.0\r\n\r\n", | |
53 | "CONNECT 127.0.0.2:80 XAXAX\r\n\r\n", | |
54 | ); | |
55 | return (@Loginarray); | |
56 | } | |
57 | ||
58 | sub getCommandarray { | |
59 | my $this = shift; | |
60 | ||
61 | @cmdArray = ( | |
62 | "XAXAX: XAXAX\r\n\r\n", | |
63 | "User-Agent: XAXAX\r\n\r\n", | |
64 | "Host: XAXAX\r\n\r\n", | |
65 | "Host: XAXAX:80\r\n\r\n", | |
66 | "Host: somehost:XAXAX\r\n\r\n", | |
67 | "Accept: XAXAX\r\n\r\n", | |
68 | "Accept-Encoding: XAXAX\r\n\r\n", | |
69 | "Accept-Language: XAXAX\r\n\r\n", | |
70 | "Accept-Charset: XAXAX\r\n\r\n", | |
71 | "Connection: XAXAX\r\n\r\n", | |
72 | "Referer: XAXAX\r\n\r\n", | |
73 | "Referer: XAXAX://somehost.com/\r\n\r\n", | |
74 | "Referer: http://XAXAX/\r\n\r\n", | |
75 | "Referer: http://somehost.com/XAXAX\r\n\r\n", | |
76 | "Authorization: XAXAX\r\n\r\n", | |
77 | "From: XAXAX\r\n\r\n", | |
78 | "Charge-To: XAXAX\r\n\r\n", | |
79 | "Authorization: XAXAX", | |
80 | "Authorization: XAXAX : foo\r\n\r\n", | |
81 | "Authorization: foo : XAXAX\r\n\r\n", | |
82 | "If-Modified-Since: XAXAX\r\n\r\n", | |
83 | "If-Match: XAXAX\r\n\r\n", | |
84 | "If-None-Match: XAXAX\r\n\r\n", | |
85 | "If-Range: XAXAX\r\n\r\n", | |
86 | "If-Unmodified-Since: XAXAX\r\n\r\n", | |
87 | "Max-Forwards: XAXAX\r\n\r\n", | |
88 | "Proxy-Authorization: XAXAX\r\n\r\n", | |
89 | "ChargeTo: XAXAX\r\n\r\n", | |
90 | "Pragma: XAXAX\r\n\r\n", | |
91 | "Expect: XAXAX\r\n\r\n", | |
92 | "Range: XAXAX\r\n\r\n", | |
93 | "Range: bytes=1-XAXAX\r\n\r\n", | |
94 | "Range: bytes=0-1,XAXAX\r\n", | |
95 | "Content-Length: XAXAX\r\n\r\n", | |
96 | "Cookie: XAXAX\r\n\r\n", | |
97 | "TE: XAXAX\r\n\r\n", | |
98 | "Upgrade: XAXAX\r\nConnection: upgrade\r\n\r\n", | |
99 | ); | |
100 | return(@cmdArray); | |
101 | } | |
102 | ||
103 | sub getLogin { | |
104 | my $this = shift; | |
105 | @login = ( | |
106 | "GET http://127.0.0.2/ HTTP/1.0\r\n", | |
107 | "POST http://127.0.0.2/ HTTP/1.0\r\n", | |
108 | ); | |
109 | return(@login); | |
110 | } | |
111 | ||
112 | sub testMisc { #Put your corner case tests here... | |
113 | my $this = shift; | |
114 | @cmdArray = ( | |
115 | "GET / HTTP/1.0\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n" | |
116 | ); | |
117 | return(@cmdArray); | |
118 | } | |
119 | ||
120 | sub usage { | |
121 | } | |
122 | ||
123 | 1; |
0 | package bedmod::rtsp; | |
1 | use Socket; | |
2 | ||
3 | # This package is an extension to bed, to check | |
4 | # for http server vulnerabilities. | |
5 | ||
6 | sub new{ | |
7 | my $this = {}; | |
8 | bless $this; | |
9 | return $this; | |
10 | } | |
11 | ||
12 | sub init{ | |
13 | my $this = shift; | |
14 | %special_cfg=@_; | |
15 | ||
16 | $this->{proto}="tcp"; | |
17 | ||
18 | if ($special_cfg{'p'} eq "") { | |
19 | $this->{port}='80'; | |
20 | } else { | |
21 | $this->{port} = $special_cfg{'p'}; | |
22 | } | |
23 | ||
24 | $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n"; | |
25 | $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; | |
26 | $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; | |
27 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; | |
28 | connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; | |
29 | send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n"; | |
30 | } | |
31 | ||
32 | sub getQuit{ | |
33 | return("\r\n\r\n"); | |
34 | } | |
35 | ||
36 | sub getLoginarray { | |
37 | my $this = shift; | |
38 | @Loginarray = ( | |
39 | "XAXAX\r\n\r\n", | |
40 | "XAXAX / RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
41 | "XAXAX rtsp://localhost/file.mpg\r\nCSeq: 1\r\n\r\n", | |
42 | "OPTIONS XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
43 | "OPTIONS /XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
44 | "OPTIONS * XAXAX\r\nCSeq: 1\r\n\r\n", | |
45 | "OPTIONS * RTSP/1.0\r\nXAXAX: 1\r\n\r\n", | |
46 | "OPTIONS * RTSP/1.0\r\nCSeq: XAXAX\r\n\r\n", | |
47 | "DESCRIBE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
48 | "DESCRIBE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
49 | "DESCRIBE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
50 | "DESCRIBE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
51 | "SETUP XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
52 | "SETUP XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
53 | "SETUP rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
54 | "SETUP rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
55 | "PLAY XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
56 | "PLAY XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
57 | "PLAY rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
58 | "PLAY rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
59 | "PAUSE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
60 | "PAUSE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
61 | "PAUSE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
62 | "PAUSE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
63 | "RECORD XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
64 | "RECORD XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
65 | "RECORD rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
66 | "RECORD rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
67 | "ANNOUNCE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
68 | "ANNOUNCE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
69 | "ANNOUNCE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
70 | "ANNOUNCE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
71 | "TEARDOWN XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
72 | "TEARDOWN XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
73 | "TEARDOWN rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
74 | "TEARDOWN rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
75 | "GET_PARAMETER XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
76 | "GET_PARAMETER XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
77 | "GET_PARAMETER rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
78 | "GET_PARAMETER rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
79 | "SET_PARAMETER XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
80 | "SET_PARAMETER XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
81 | "SET_PARAMETER rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
82 | "SET_PARAMETER rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", | |
83 | "SET_PARAMETER rtsp://localhost/ RTSP/1.0\r\nCSeq: 1\r\nContent-type: text/parameters\r\n\r\nXAXAX: XAXAX\r\n", | |
84 | ); | |
85 | return (@Loginarray); | |
86 | } | |
87 | ||
88 | sub getCommandarray { | |
89 | my $this = shift; | |
90 | ||
91 | @cmdArray = ( | |
92 | "XAXAX: XAXAX\r\n\r\n", | |
93 | "Accept: XAXAX\r\n\r\n", | |
94 | "Accept-Encoding: XAXAX\r\n\r\n", | |
95 | "Accept-Language: XAXAX\r\n\r\n", | |
96 | "Accept-Charset: XAXAX\r\n\r\n", | |
97 | "Authorization: XAXAX\r\n\r\n", | |
98 | "Authorization: XAXAX", | |
99 | "Authorization: XAXAX:foo\r\n\r\n", | |
100 | "Authorization: foo:XAXAX\r\n\r\n", | |
101 | "Content-length: XAXAX\r\n", | |
102 | "Content-Type: text/parameters\r\n\r\nXAXAX: XAXAX\r\n\r\n", | |
103 | "CSeq: XAXAX\r\n\r\n", | |
104 | "From: XAXAX\r\n\r\n", | |
105 | "If-Modified-Since: XAXAX\r\n\r\n", | |
106 | "Proxy-Require: XAXAX\r\n", | |
107 | "Range: XAXAX\r\n\r\n", | |
108 | "Range: clock=XAXAX-XAXAX\r\n\r\n", | |
109 | "Referer: XAXAX\r\n\r\n", | |
110 | "Require: XAXAX\r\n\r\n", | |
111 | "Transport: XAXAX\r\n\r\n", | |
112 | "Session: XAXAX\r\n\r\n", | |
113 | "User-Agent: XAXAX\r\n\r\n", | |
114 | ); | |
115 | return(@cmdArray); | |
116 | } | |
117 | ||
118 | sub getLogin{ | |
119 | my $this = shift; | |
120 | @login = ("DESCRIBE rtsp://localhost/media.mp4 RTSP/1.0\r\nCSeq: 1\r\n"); | |
121 | return(@login); | |
122 | } | |
123 | ||
124 | sub testMisc{ | |
125 | return(); | |
126 | } | |
127 | ||
128 | sub usage { | |
129 | } | |
130 | ||
131 | 1; |
0 | package bedmod::smtp; | |
1 | use Socket; | |
2 | ||
3 | # This package is an extension to bed, to check | |
4 | # for smtp server vulnerabilities. | |
5 | ||
6 | sub new { | |
7 | my $this = {}; | |
8 | bless $this; | |
9 | return $this; | |
10 | } | |
11 | ||
12 | sub init { | |
13 | my $this = shift; | |
14 | %special_cfg=@_; | |
15 | ||
16 | $this->{proto}="tcp"; | |
17 | ||
18 | # check for missing args, set target and host | |
19 | if ($special_cfg{'p'} eq "") { $this->{port}='25'; } | |
20 | else { $this->{port} = $special_cfg{'p'}; } | |
21 | ||
22 | if ( $special_cfg{'u'} eq "") { | |
23 | &usage(); | |
24 | exit(1); | |
25 | } | |
26 | ||
27 | # get info nessecairy for FTP | |
28 | $this->{mail} = $special_cfg{'u'}; | |
29 | $this->{vrfy} = "HELP\r\n"; | |
30 | } | |
31 | ||
32 | sub getQuit{ | |
33 | return("QUIT\r\n"); | |
34 | } | |
35 | ||
36 | sub getLoginarray { | |
37 | return( | |
38 | "XAXAX\r\n", | |
39 | "HELO XAXAX\r\n", | |
40 | "EHLO XAXAX\r\n", | |
41 | "HELP XAXAX\r\n", | |
42 | ); | |
43 | } | |
44 | ||
45 | sub getCommandarray { | |
46 | my $this = shift; | |
47 | ||
48 | # the XAXAX will be replaced with the buffer overflow / format string | |
49 | # just comment them out if you don't like them.. | |
50 | @cmdArray = ( | |
51 | "EXPN XAXAX\r\n", | |
52 | "MAIL FROM: XAXAX\r\n", | |
53 | "MAIL FROM: <XAXAX>\r\n", | |
54 | "MAIL FROM: <$this->{mail}> XAXAX\r\n", | |
55 | "MAIL FROM: <$this->{mail}> RET=XAXAX\r\n", | |
56 | "MAIL FROM: <$this->{mail}> ENVID=XAXAX\r\n", | |
57 | "ETRN XAXAX\r\n", | |
58 | "ETRN \@XAXAX\r\n", | |
59 | "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <XAXAX>\r\n", | |
60 | "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$mailaccount> XAXAX\r\n", | |
61 | "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$mailaccount> NOTIFY=XAXAX\r\n", | |
62 | "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$mailaccount> ORCPT=XAXAX\r\n", | |
63 | "HELP XAXAX\r\n", | |
64 | "VRFY XAXAX\r\n", | |
65 | "RCTP TO: XAXAX\r\n", | |
66 | "RCTP TO: <XAXAX>\r\n", | |
67 | "RCPT TO: <$mailaccount> XAXAX\r\n", | |
68 | "RCPT TO: <$mailaccount> NOTIFY=XAXAX\r\n", | |
69 | "RCPT TO: <$mailaccount> ORCPT=XAXAX\r\n", | |
70 | "RSET XAXAX\r\n", | |
71 | "AUTH mechanism XAXAX\r\n", | |
72 | "DATA XAXAX\r\n", | |
73 | "DATA\r\nXAXAX\r\n.", | |
74 | "XAXAX\r\n" | |
75 | ); | |
76 | return(@cmdArray); | |
77 | } | |
78 | ||
79 | sub getLogin { | |
80 | my $this = shift; | |
81 | @login = ( | |
82 | "HELO doona.pl\r\n", | |
83 | "EHLO doona.pl\r\n", | |
84 | ); | |
85 | return(@login); | |
86 | } | |
87 | ||
88 | sub testMisc { | |
89 | my $this = shift; | |
90 | return(); | |
91 | } | |
92 | ||
93 | sub usage { | |
94 | print qq~ Parameters for the SMTP plugin: | |
95 | ||
96 | -u <valid mail address at target host> | |
97 | ||
98 | ~; | |
99 | } | |
100 | ||
101 | 1; |
0 | package bedmod::socks4; | |
1 | use Socket; | |
2 | ||
3 | # socks4 plugin (anyone still using this?) | |
4 | # pretty few to test, i did not even find an rfc for this | |
5 | # protocol *yuck* | |
6 | ||
7 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
8 | # create a new instance of this object | |
9 | sub new { | |
10 | my $this = {}; | |
11 | $this->{username} = undef; | |
12 | bless $this; | |
13 | return $this; | |
14 | } | |
15 | ||
16 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
17 | # initialise some parameters | |
18 | sub init { | |
19 | my $this = shift; | |
20 | %special_cfg = @_; | |
21 | ||
22 | # Set protocol tcp/udp | |
23 | $this->{proto} = "tcp"; | |
24 | ||
25 | # check for missing args, set target and host | |
26 | # every module has to do this | |
27 | if ( $special_cfg{'p'} eq "" ) { | |
28 | $this->{port} = '1080'; | |
29 | } | |
30 | else { | |
31 | $this->{port} = $special_cfg{'p'}; | |
32 | } | |
33 | $this->{sport} = 0; | |
34 | $this->{vrfy} = ""; | |
35 | ||
36 | if ( $special_cfg{'u'} eq "" ) { | |
37 | &usage(); | |
38 | exit(1); | |
39 | } | |
40 | ||
41 | $this->{username} = $special_cfg{'u'}; | |
42 | ||
43 | } | |
44 | ||
45 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
46 | # how to quit ? | |
47 | sub getQuit { | |
48 | return (""); | |
49 | } | |
50 | ||
51 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
52 | # what to test without doing a login before | |
53 | # ..mainly the login stuff *g* | |
54 | sub getLoginarray { | |
55 | my $this = shift; | |
56 | @Loginarray = (""); | |
57 | return (@Loginarray); | |
58 | } | |
59 | ||
60 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
61 | # which commands does this protocol know ? | |
62 | sub getCommandarray { | |
63 | my $this = shift; | |
64 | ||
65 | # all there is to test is the username as far as it seems... | |
66 | @cmdArray = ( | |
67 | ||
68 | "XAXAX\n", | |
69 | # we use protocol version 04 | |
70 | # destination port is 6668 | |
71 | # destination ip is 192.168.0.1 | |
72 | "\x04\x01\x1a\x0c\xc0\xA8\x00\x01XAXAX\x00", # connect | |
73 | "\x04\x02\x1a\x0c\xc0\xA8\x00\x01XAXAX\x00", # bind | |
74 | "\x04\x01\x1a\x0c\x00\x00\x00\x01$this->{username}\x00XAXAX", # connect socks4a | |
75 | "\x04\x02\x1a\x0c\x00\x00\x00\x01$this->{username}\x00XAXAX" # bind socks4a | |
76 | ||
77 | ); | |
78 | return (@cmdArray); | |
79 | } | |
80 | ||
81 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
82 | # what to send to login ? | |
83 | sub getLogin { # login procedure | |
84 | my $this = shift; | |
85 | @login = (""); | |
86 | return (@login); | |
87 | } | |
88 | ||
89 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
90 | # here we can test everything besides buffer overflows and format strings | |
91 | sub testMisc { | |
92 | my $this = shift; | |
93 | return (); | |
94 | } | |
95 | ||
96 | sub usage { | |
97 | print qq~ Parameters for the Socks4 plugin: | |
98 | -u <username> | |
99 | ~; | |
100 | } | |
101 | ||
102 | 1; |
0 | package bedmod::socks5; | |
1 | use Socket; | |
2 | ||
3 | # socks5 plugin | |
4 | # | |
5 | # not yet tested, got bored just by looking at the protocol | |
6 | ||
7 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
8 | # create a new instance of this object | |
9 | sub new { | |
10 | my $this = {}; | |
11 | $this->{username} = undef; | |
12 | $this->{password} = undef; | |
13 | bless $this; | |
14 | return $this; | |
15 | } | |
16 | ||
17 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
18 | # initialise some parameters | |
19 | sub init { | |
20 | my $this = shift; | |
21 | %special_cfg = @_; | |
22 | ||
23 | # Set protocol tcp/udp | |
24 | $this->{proto} = "tcp"; | |
25 | ||
26 | # check for missing args, set target and host | |
27 | # every module has to do this | |
28 | if ( $special_cfg{'p'} eq "" ) { $this->{port} = '1080'; } | |
29 | else { $this->{port} = $special_cfg{'p'}; } | |
30 | $this->{sport} = 0; | |
31 | $this->{vrfy} = ""; | |
32 | ||
33 | if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) { | |
34 | &usage(); | |
35 | exit(1); | |
36 | } | |
37 | ||
38 | $this->{username} = $special_cfg{'u'}; | |
39 | $this->{password} = $special_cfg{'v'}; | |
40 | } | |
41 | ||
42 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
43 | # how to quit ? | |
44 | sub getQuit { | |
45 | return (""); | |
46 | } | |
47 | ||
48 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
49 | # what to test without doing a login before | |
50 | # ..mainly the login stuff *g* | |
51 | sub getLoginarray { | |
52 | my $this = shift; | |
53 | @Loginarray = (""); | |
54 | return (@Loginarray); | |
55 | } | |
56 | ||
57 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
58 | # which commands does this protocol know ? | |
59 | sub getCommandarray { | |
60 | my $this = shift; | |
61 | ||
62 | # all there is to test is the username as far as it seems... | |
63 | @cmdArray = ( | |
64 | "XAXAX\n", | |
65 | ||
66 | # if the programmer is clever enough he always receives the packet | |
67 | # in a buffer which is bigger than ~0x128 :) | |
68 | "\x05\x01\x00\x04\xFF\x10" | |
69 | , # check for buffer access which should give a gpf | |
70 | "\x05\x01\x00\x04\x50\x10" # same here different value... lame :) | |
71 | ||
72 | ); | |
73 | return (@cmdArray); | |
74 | } | |
75 | ||
76 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
77 | # what to send to login ? | |
78 | sub getLogin { # login procedure | |
79 | my $this = shift; | |
80 | $count1 = length( $this->{username} ); | |
81 | $count2 = length( $this->{password} ); | |
82 | ||
83 | @login = ( | |
84 | ||
85 | #protocol version #nr. of authentication methods #username+password | |
86 | "\x05\x01\x02", | |
87 | ||
88 | #protocol #username len #username #pass len #password | |
89 | "\x05$count1$this->{username}$count2$this->{password}", | |
90 | ); | |
91 | return (@login); | |
92 | } | |
93 | ||
94 | # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
95 | # here we can test everything besides buffer overflows and format strings | |
96 | sub testMisc { | |
97 | my $this = shift; | |
98 | return (); | |
99 | } | |
100 | ||
101 | sub usage { | |
102 | print qq~ Parameters for the Socks5 plugin: | |
103 | -u <username> | |
104 | -v <password> | |
105 | ~; | |
106 | } | |
107 | ||
108 | 1; |
0 | package bedmod::tftp; | |
1 | use Socket; | |
2 | ||
3 | # lame tftp plugin :) | |
4 | ||
5 | # create a new instance of this object | |
6 | sub new { | |
7 | my $this = {}; | |
8 | bless $this; | |
9 | return $this; | |
10 | } | |
11 | ||
12 | # initialise some parameters | |
13 | sub init{ | |
14 | my $this = shift; | |
15 | %special_cfg=@_; | |
16 | ||
17 | # Set protocol tcp/udp | |
18 | $this->{proto} = "udp"; | |
19 | ||
20 | if ($special_cfg{'p'} eq "") { $this->{port}='69'; } | |
21 | else { $this->{port} = $special_cfg{'p'}; } | |
22 | $this->{sport} = 0; | |
23 | $this->{vrfy} = ""; | |
24 | } | |
25 | ||
26 | # how to quit ? | |
27 | sub getQuit { | |
28 | return(""); | |
29 | } | |
30 | ||
31 | # what to test without doing a login before | |
32 | sub getLoginarray { | |
33 | my $this = shift; | |
34 | @Loginarray = (""); | |
35 | return (@Loginarray); | |
36 | } | |
37 | ||
38 | # which commands does this protocol know ? | |
39 | sub getCommandarray { | |
40 | my $this = shift; | |
41 | ||
42 | # the XAXAX will be replaced with the buffer overflow / format string | |
43 | # place every command in this array you want to test | |
44 | @cmdArray = ( | |
45 | "XAXAX", # B0F | |
46 | "\x00\x01XAXAX\x00netascii\x00", #RRQ | |
47 | "\x00\x01XAXAX\x00octet\x000", #RRQ | |
48 | "\x00\x01XAXAX\x00mail\x00", #RRQ | |
49 | "\x00\x01fuzz\x00XAXAX\x00", #RRQ | |
50 | "\x00\x02\x41\x00XAXAX\x00", #WRQ | |
51 | "\x00\x03\x41\x00XAXAX\x00", #DATA? | |
52 | ); | |
53 | return(@cmdArray); | |
54 | } | |
55 | ||
56 | # what to send to login ? | |
57 | sub getLogin { | |
58 | my $this = shift; | |
59 | @login = (""); | |
60 | return(@login); | |
61 | } | |
62 | ||
63 | # here we can test everything besides buffer overflows and format strings | |
64 | sub testMisc { | |
65 | my $this = shift; | |
66 | return(); | |
67 | } | |
68 | ||
69 | sub usage { | |
70 | } | |
71 | ||
72 | 1; |
0 | package bedmod::whois; | |
1 | use Socket; | |
2 | ||
3 | # lame whois plugin :) | |
4 | ||
5 | # create a new instance of this object | |
6 | sub new { | |
7 | my $this = {}; | |
8 | bless $this; | |
9 | return $this; | |
10 | } | |
11 | ||
12 | # initialise some parameters | |
13 | sub init { | |
14 | my $this = shift; | |
15 | %special_cfg=@_; | |
16 | ||
17 | # Set protocol tcp/udp | |
18 | $this->{proto} = "tcp"; | |
19 | ||
20 | if ($special_cfg{'p'} eq "") { $this->{port}='43'; } | |
21 | else { $this->{port} = $special_cfg{'p'}; } | |
22 | $this->{sport} = 0; | |
23 | $this->{vrfy} = ""; | |
24 | } | |
25 | ||
26 | # how to quit ? | |
27 | sub getQuit { | |
28 | return(""); | |
29 | } | |
30 | ||
31 | # what to test without doing a login before | |
32 | sub getLoginarray { | |
33 | my $this = shift; | |
34 | @Loginarray = (""); | |
35 | return (@Loginarray); | |
36 | } | |
37 | ||
38 | # which commands does this protocol know ? | |
39 | sub getCommandarray { | |
40 | my $this = shift; | |
41 | ||
42 | # the XAXAX will be replaced with the buffer overflow / format string | |
43 | # place every command in this array you want to test | |
44 | @cmdArray = ( | |
45 | "XAXAX\r\n", | |
46 | "?XAXAX\r\n", | |
47 | "!XAXAX\r\n", | |
48 | ".XAXAX\r\n", | |
49 | "XAXAX...\r\n", | |
50 | "*XAXAX\r\n", | |
51 | "XAXAX.tld\r\n", | |
52 | "domain.XAXAX\r\n" | |
53 | ); | |
54 | return(@cmdArray); | |
55 | } | |
56 | ||
57 | # what to send to login ? | |
58 | sub getLogin { | |
59 | my $this = shift; | |
60 | return(""); | |
61 | } | |
62 | ||
63 | sub testMisc { | |
64 | my $this = shift; | |
65 | return(); | |
66 | } | |
67 | ||
68 | sub usage { | |
69 | } | |
70 | ||
71 | 1; |
0 | #!/usr/bin/perl | |
1 | # | |
2 | # This program comes with ABSOLUTELY NO WARRANTY. | |
3 | # This is free software, and you are welcome to redistribute it | |
4 | # under certain conditions. See docs/GPL.txt for details. | |
5 | # | |
6 | # Doona is a BED fork maintained by wireghoul ( www.justanotherhacker.com ) | |
7 | # BED was written by mjm ( www.codito.de ) and snakebyte ( www.snake-basket.de ) | |
8 | use Getopt::Std; | |
9 | use Socket; | |
10 | use Config; | |
11 | ||
12 | #use strict; | |
13 | #use warnings; | |
14 | my $SOCKET; | |
15 | my $VERSION = '0.7'; | |
16 | ||
17 | $SIG{'INT'} = \&sigHandler; | |
18 | $SIG{'TERM'} = \&sigHandler; | |
19 | $SIG{'PIPE'} = \&sigHandler; | |
20 | ||
21 | my @modules = map { s!bedmod/(.*)\.pm!$1!; $_ } glob("bedmod/*.pm"); | |
22 | ||
23 | # the hope is to overwrite a return pointer on the stack, | |
24 | # making the server execute invalid code and crash | |
25 | my @overflowstrings = ("A" x 33, "A" x 254, "A" x 255, "A" x 1023, "A" x 1024, "A" x 2047, "A" x 2048, "A" x 5000, "A" x 10000, "\\" x 200, "/" x 200, " " x 9000, "AA " x 200); | |
26 | my @formatstrings = ("%s" x 4, "%s%p%x%d", "%s" x 8, "%s" x 15, "%s" x 30, "%.1024d", "%.2048d", "%.4096d", '%@' x 53, "%.16i705u%2\$hn", "%#123456x"); | |
27 | ||
28 | # three ansi overflows, two ansi format strings, two OEM Format Strings | |
29 | my @unicodestrings = ("\x99" x 4, "\x99" x 512, "\x99" x 1024, "\xCD" x 10, "\xCD" x 40, "\xCB" x 10, "\xCB"x40); | |
30 | my @largenumbers = ( | |
31 | "255", "256", "257", | |
32 | "65535", "65536", "65537", | |
33 | "16777215", "16777216", "16777217", | |
34 | "2147483647", "2147483648", "2147483649", | |
35 | "0xfffffffe", "0xffffffff", "4294967295", | |
36 | "9223372036854775807", "18446744073709551615", | |
37 | "-1", "-268435455", "-20", | |
38 | "2.2250738585072011e-308", | |
39 | ); | |
40 | my @miscstrings = ("/", "\\", "%0xa", " ", "+", "<", ">", "<>", "%", "-", "+", "*", ".", ":", "&", "%u000", "\t", "\r", "\r\n", "\n"); | |
41 | my $idx = 0; | |
42 | my $prevfuzz = ''; | |
43 | print "\n Doona $VERSION by Wireghoul (www.justanotherhacker.com) based on BED by mjm and snakebyte\n\n"; | |
44 | ||
45 | # get the parameters we need for every test | |
46 | getopts('m:s:t:o:p:r:u:v:w:x:M:dh'); | |
47 | $opt_s = $opt_m if ($opt_m); | |
48 | &usage unless($opt_s); | |
49 | $opt_s = lc($opt_s); # convert it to lowercase | |
50 | ||
51 | # load the specified module | |
52 | my $module = undef; | |
53 | if ( -f "bedmod/$opt_s.pm") { | |
54 | eval("use bedmod::$opt_s;"); | |
55 | $a = "bedmod::$opt_s"; | |
56 | $module = new $a; | |
57 | } | |
58 | ||
59 | &usage unless(defined $module); | |
60 | &usage if ($opt_h); | |
61 | ||
62 | my %special_cfg=( | |
63 | "t" => "$opt_t", # target | |
64 | "o" => "$opt_o", # timeOut | |
65 | "p" => "$opt_p", # port | |
66 | "r" => "$opt_r", # resume test case number | |
67 | 'M' => "$opt_M", # Max requests to perform | |
68 | 'd' => "$opt_d", # Print fuzz case to screen and quit | |
69 | "u" => "$opt_u", # special parameters for the module... | |
70 | "v" => "$opt_v", | |
71 | "w" => "$opt_w", | |
72 | "x" => "$opt_x" | |
73 | ); | |
74 | ||
75 | $module->{proto} = undef; | |
76 | $module->{target} = undef; | |
77 | $module->{port} = undef; | |
78 | $module->{vrfy} = ""; | |
79 | $module->{timeout} = undef; | |
80 | $module->{sport} = 0; | |
81 | ||
82 | if ($special_cfg{'t'} eq "") { $module->{target}='127.0.0.1'; } | |
83 | else { $module->{target} = $special_cfg{'t'}; } | |
84 | if ($special_cfg{'o'} eq "") { $module->{timeout}='2'; } | |
85 | else { $module->{timeout} = $special_cfg{'o'}; } | |
86 | ||
87 | $module->init(%special_cfg); | |
88 | ||
89 | # $num_threads = 4; # Wishlist: Run with 4 threads by defaults | |
90 | ||
91 | # test stuff that might happen during login | |
92 | my @cmdArray = $module->getLoginarray; # which login stuff do we test | |
93 | my @login = (""); | |
94 | if ( $cmdArray[0] ne "" ){ | |
95 | print " + Buffer overflow testing\n"; | |
96 | &testThis(@overflowstrings); | |
97 | print " + Formatstring testing\n"; | |
98 | &testThis(@formatstrings); | |
99 | } | |
100 | ||
101 | # test the stuff that might happen during normal protocol events ( after login ) | |
102 | print "* Normal tests\n"; | |
103 | @cmdArray = $module->getCommandarray; | |
104 | @login = $module->getLogin; | |
105 | print " + Buffer overflow testing\n"; | |
106 | &testThis(@overflowstrings); | |
107 | print " + Formatstring testing\n"; | |
108 | &testThis(@formatstrings); | |
109 | print " + Unicode testing:\n"; | |
110 | &testThis(@unicodestrings); | |
111 | print " + random number testing\n"; | |
112 | &testThis(@largenumbers); | |
113 | ||
114 | # make the module test all other stuff | |
115 | #print " + Other tests\n"; | |
116 | #$module->testMisc(); | |
117 | ||
118 | # test different sizes | |
119 | for (my $i = 1; $i < 20; $i++ ) { | |
120 | print " + testing misc strings $i\n"; | |
121 | &testThis(@miscstrings); | |
122 | for (my $j = 0; $j < @miscstrings; $j++) { | |
123 | $miscstrings[$j] = $miscstrings[$j].$miscstrings[$j]; | |
124 | } | |
125 | } | |
126 | ||
127 | print "* All tests done.\n"; | |
128 | exit(0); | |
129 | ||
130 | # this function tests each of the two arrays ( buffer overflow and format string ) | |
131 | sub testThis() { | |
132 | my $count = 0; | |
133 | foreach my $log (@login) { | |
134 | my @testArray = @_; | |
135 | my $command; | |
136 | my $socktype; | |
137 | if ( $module->{proto} eq "udp" ) {i | |
138 | $socktype = SOCK_DGRAM; | |
139 | } else { | |
140 | $socktype = SOCK_STREAM; | |
141 | } | |
142 | $|=1; #Auto flush output for more timely screen updates | |
143 | # my $count = 0; | |
144 | my $quit = $module->getQuit; | |
145 | my $total = scalar(@cmdArray)*scalar(@login); | |
146 | foreach my $cmd (@cmdArray) { | |
147 | $count++; | |
148 | ||
149 | my $cmd2 = $cmd; | |
150 | $cmd2 =~ s/\n|\r|[\00-\33]//ig; # remove \r and \n for nice displaying | |
151 | $cmd2 = substr($cmd2, 0, 30); | |
152 | ||
153 | my $log2 = $log; | |
154 | $log2 =~ s/\n|\r|[\00-\33]//ig; | |
155 | $log2 = substr($log2, 0, 20); | |
156 | ||
157 | printf "%5d/$total $log2 [$cmd2] ", $count; | |
158 | foreach my $LS (@testArray){ | |
159 | print "."; | |
160 | $idx++; | |
161 | if ($special_cfg{'r'} > $idx) { next; } | |
162 | if ($opt_M) { $special_cfg{'M'}--; } | |
163 | if ($special_cfg{'M'} < 0) { print "\nMax requests ($opt_M) completed, index: ". ($idx - 1) ."\n"; exit } | |
164 | $prevfuzz = $command; | |
165 | $command = $cmd; | |
166 | $command =~ s/XAXAX/$LS/ig; # prepare the string | |
167 | if ($special_cfg{'d'}) { | |
168 | print "\nFuzz case: --copy--\n"; | |
169 | } else { | |
170 | my $iaddr = inet_aton($module->{target}) || die "Unknown host: $module->{target}\n"; | |
171 | my $paddr = sockaddr_in($module->{port}, $iaddr) || die "getprotobyname: $!\n"; | |
172 | my $proto = getprotobyname($module->{proto}) || die "getprotobyname: $!\n"; | |
173 | socket(SOCKET, PF_INET, $socktype, $proto) || die "socket: $!\n"; | |
174 | my $sockaddr = sockaddr_in($module->{sport}, INADDR_ANY); | |
175 | while ( !bind(SOCKET, $sockaddr) ) {} # we need to bind for LPD for example | |
176 | connect(SOCKET, $paddr) || die "connection attempt failed: $!, during $cmd2 ($idx)\n"; | |
177 | } | |
178 | ||
179 | # login | |
180 | if ( $log ne "" ) { | |
181 | if ($special_cfg{'d'}) { | |
182 | print "$log"; | |
183 | } else { | |
184 | send(SOCKET, $log, 0); | |
185 | sleep(1); # some daemons need some time to reply | |
186 | } | |
187 | } | |
188 | ||
189 | #} | |
190 | if ($special_cfg{'d'}) { print "$command\\r\\n\n--cut--\n"; exit; } | |
191 | send(SOCKET, $command, 0); # send the attack and verify that the server is still alive | |
192 | # Is there a possibility to check within connection? | |
193 | if ($module->{vrfy} ne "") { | |
194 | send(SOCKET, $module->{vrfy},0) || die "Problem (1) occured with $cmd2 ($idx)\n"; | |
195 | my $recvbuf = <SOCKET> || die "Problem (2) occured with $cmd2 ($idx)\n"; | |
196 | send(SOCKET, $quit, 0); # close the connection | |
197 | close SOCKET; | |
198 | } else { | |
199 | close SOCKET; | |
200 | my $iaddr = inet_aton($module->{target}) || die "Unknown host: $module->{target}\n"; | |
201 | my $paddr = sockaddr_in($module->{port}, $iaddr) || die "getprotobyname: $!\n"; | |
202 | my $proto = getprotobyname($module->{proto}) || die "getprotobyname: $!\n"; | |
203 | socket(SOCKET, PF_INET, $socktype, $proto) || die "socket: $!\n"; | |
204 | connect(SOCKET, $paddr) || die "Problem (3) occured with $cmd2 ($idx)\n"; | |
205 | close SOCKET; | |
206 | } | |
207 | ||
208 | sleep($module->{timeout}); # some servers would kick us for too fast rogins | |
209 | } | |
210 | print " ($idx)\n"; | |
211 | } | |
212 | } | |
213 | } | |
214 | ||
215 | # how to use these scripts... | |
216 | sub usage { | |
217 | print qq~Usage: | |
218 | ||
219 | $0 -m [module] <options> | |
220 | ||
221 | -m <module> = ~ . join('/', map(uc, @modules)). qq~ | |
222 | -t <target> = Host to check (default: localhost) | |
223 | -p <port> = Port to connect to (default: module specific standard port) | |
224 | -o <timeout> = seconds to wait after each test (default: 2 seconds) | |
225 | -r <index> = Resumes fuzzing at test case index | |
226 | -d = Dump test case to stdout (use in combination with -r) | |
227 | -M <num> = Exit after executing <num> number of fuzz cases | |
228 | -h = Help (this text) | |
229 | use "$0 -m [module] -h" for module specific option. | |
230 | ||
231 | Only -m is a mandatory switch. | |
232 | ||
233 | ~; | |
234 | if ($opt_h) { | |
235 | $module->usage() if $module; | |
236 | } | |
237 | exit(1); | |
238 | } | |
239 | ||
240 | sub sigHandler { | |
241 | print "\n\nSignal INT/TERM/PIPE caught!"; | |
242 | print " - current test case index: ($idx)" if $idx; | |
243 | print "\n"; | |
244 | exit; | |
245 | } |