Navigation

← Previous Changeset
Next Changeset →

Changeset 722

Timestamp:

12/29/06 08:23:08 (2 years ago)

Author:

common

Message:

nepenthes

vuln-sav, works

Files:

nepenthes/trunk/modules/vuln-sav/Makefile.am (modified) (1 diff)
nepenthes/trunk/modules/vuln-sav/vuln-sav.cpp (moved) (moved from nepenthes/trunk/modules/vuln-sav/x-2.cpp) (9 diffs)
nepenthes/trunk/modules/vuln-sav/vuln-sav.hpp (moved) (moved from nepenthes/trunk/modules/vuln-sav/x-2.hpp) (2 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

nepenthes/trunk/modules/vuln-sav/Makefile.am

r556	r722
8	8	AM_CXXFLAGS = -Wall -Werror
9	9
	10	pkglib_LTLIBRARIES = vulnsav.la
10	11
11		pkglib_LTLIBRARIES = x2.la
	12	vulnsav_la_SOURCES = vuln-sav.cpp vuln-sav.hpp
12	13
13		x2_la_SOURCES = x-2.cpp x-2.hpp x-2.conf.dist
14
15		x2_la_LDFLAGS = -module -no-undefined -avoid-version
	14	vulnsav_la_LDFLAGS = -module -no-undefined -avoid-version

nepenthes/trunk/modules/vuln-sav/vuln-sav.cpp

r721	r722
30	30	#include <ctype.h>
31	31
32		#include "~~x-2~~.hpp"
	32	#include "vuln-sav.hpp"
33	33
34	34	#include "SocketManager.hpp"
…	…
69	69	/**
70	70	* The Constructor
71		* creates a new X2 Module,
72		* X2 is an example for binding a socket & setting up the Dialogue & DialogueFactory
	71	* creates a new VulnSAV Module,
	72	* VulnSAV is an example for binding a socket & setting up the Dialogue & DialogueFactory
73	73	*
74	74	*
…	…
82	82	* @param nepenthes the pointer to our Nepenthes
83	83	*/
84		~~X2::X2~~(Nepenthes *nepenthes)
85		{
86		m_ModuleName = "~~x-2~~";
87		m_ModuleDescription = "e~~Xample Module 2 -binding sockets & setting up a dialogue example-~~";
	84	VulnSAV::VulnSAV(Nepenthes *nepenthes)
	85	{
	86	m_ModuleName = "vuln-sav";
	87	m_ModuleDescription = "emulate the bug in symantec antivirus product";
88	88	m_ModuleRevision = "$Rev$";
89	89	m_Nepenthes = nepenthes;
90	90
91		m_DialogueFactoryName = "~~x-2~~ Factory";
92		m_DialogueFactoryDescription = "~~eXample~~ Dialogue Factory";
	91	m_DialogueFactoryName = "SAV Factory";
	92	m_DialogueFactoryDescription = "Symantec Antivirus Client Dialogue Factory";
93	93
94	94	g_Nepenthes = nepenthes;
95	95	}
96	96
97		~~X2::~X2~~()
	97	VulnSAV::~VulnSAV()
98	98	{
99	99
…	…
109	109	* false indicates a fatal error
110	110	*/
111		bool X2::Init()
112		{
113		if ( m_Config == NULL )
	111	bool VulnSAV::Init()
	112	{
	113	/* if ( m_Config == NULL )
114	114	{
115	115	logCrit("I need a config\n");
116	116	return false;
117	117	}
118
119		StringList sList;
120		int32_t timeout;
121		try
122		{
123		sList = *m_Config->getValStringList("x-2.ports");
124		timeout = m_Config->getValInt("x-2.accepttimeout");
125		} catch ( ... )
126		{
127		logCrit("Error setting needed vars, check your config\n");
128		return false;
129		}
130
131		uint32_t i = 0;
132		while (i < sList.size())
133		{
134		m_Nepenthes->getSocketMgr()->bindTCPSocket(0,atoi(sList[i]),0,timeout,this);
135		i++;
136		}
	118	*/
	119	m_Nepenthes->getSocketMgr()->bindTCPSocket(0,2967,0,30,this);
137	120	return true;
138	121	}
139	122
140		bool X2::Exit()
	123	bool VulnSAV::Exit()
141	124	{
142	125	return true;
…	…
146	129	* DialogueFactory::createDialogue(Socket *)
147	130	*
148		* creates a new X2Dialogue
	131	* creates a new SAVDialogue
149	132	*
150	133	* @param socket the socket the DIalogue has to use, can be NULL if the Dialogue can handle it
…	…
152	135	* @return returns the new created dialogue
153	136	*/
154		Dialogue X2::createDialogue(Socket socket)
155		{
156		return new X2Dialogue(socket);
	137	Dialogue VulnSAV::createDialogue(Socket socket)
	138	{
	139	return new SAVDialogue(socket);
157	140	// return g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")->createDialogue(socket);
158	141	}
…	…
166	149	/**
167	150	* Dialogue::Dialogue(Socket *)
168		* construktor for the ~~X2Dialogue, creates a new X2~~Dialogue
	151	* construktor for the SAVDialogue, creates a new SAVDialogue
169	152	*
170	153	* replies some crap to the socket
…	…
172	155	* @param socket the Socket the Dialogue has to use
173	156	*/
174		~~X2Dialogue::X2~~Dialogue(Socket *socket)
	157	SAVDialogue::SAVDialogue(Socket *socket)
175	158	{
176	159	m_Socket = socket;
177		m_DialogueName = "X2Dialogue";
178		m_DialogueDescription = "~~eXample~~ Dialogue";
	160	m_DialogueName = "SAVDialogue";
	161	m_DialogueDescription = "Symantec Antivirus Dialogue";
179	162
180	163	m_ConsumeLevel = CL_ASSIGN;
181	164
182		m_Socket->doRespond("Welcome to dong Shell\n",strlen("Welcome to dong Shell\n"));
183
184		m_Buffer = new Buffer(512);
185		}
186
187		X2Dialogue::~X2Dialogue()
	165	m_Buffer = new Buffer(512);
	166	}
	167
	168	SAVDialogue::~SAVDialogue()
188	169	{
189	170	delete m_Buffer;
…	…
202	183	* @return CL_ASSIGN
203	184	*/
204		ConsumeLevel X2Dialogue::incomingData(Message *msg)
205		{
206		/*
	185	ConsumeLevel SAVDialogue::incomingData(Message *msg)
	186	{
	187
207	188	m_Buffer->add(msg->getMsg(),msg->getSize());
208	189
209		Message Msg = new Message((char )m_Buffer->getData(), m_Buffer->getSize(),m_Socket->getLocalPort(), m_Socket->getRemotePort(),
210		m_Socket->getLocalHost(), m_Socket->getRemoteHost(), m_Socket, m_Socket);
211		if ( g_Nepenthes->getShellcodeMgr()->handleShellcode(&Msg) == SCH_DONE )
212		{
213		msg->getResponder()->doRespond("found encrypt0r\n",strlen("found encrypt0r\n"));
214		m_Buffer->clear();
	190	if ( m_Buffer->getSize() > 0xcd0 )
	191	{
	192	Message Msg = new Message((char )m_Buffer->getData(), m_Buffer->getSize(),m_Socket->getLocalPort(), m_Socket->getRemotePort(),
	193	m_Socket->getLocalHost(), m_Socket->getRemoteHost(), m_Socket, m_Socket);
	194	sch_result sch;
	195	sch = g_Nepenthes->getShellcodeMgr()->handleShellcode(&Msg);
	196	delete Msg;
	197
	198	if ( sch == SCH_DONE )
	199	{
	200	m_Buffer->clear();
	201	return CL_ASSIGN_AND_DONE;
	202	}
	203
215	204	}
216		~~delete Msg;~~
217	205
218	206	return CL_ASSIGN;
219		*/
220
221		char message = (char )malloc(msg->getSize()+1);
222		memset(message,0,msg->getSize()+1);
223		memcpy(message,msg->getMsg(),msg->getSize());
224
225		for(uint32_t i=0;i < strlen(message);i++)
226		{
227		if(!isgraph(message[i]) && message[i] != ' ')
228		{
229		message[i] = ' ';
230		}
	207	}
	208
	209	/**
	210	* Dialogue::outgoingData(Message *)
	211	* as we are not interested in these socket actions
	212	* we simply return CL_DROP to show the socket
	213	*
	214	* @param msg
	215	*
	216	* @return CL_DROP
	217	*/
	218	ConsumeLevel SAVDialogue::outgoingData(Message *msg)
	219	{
	220	return CL_ASSIGN;
	221	}
	222
	223	/**
	224	* Dialogue::handleTimeout(Message *)
	225	* as we are not interested in these socket actions
	226	* we simply return CL_DROP to show the socket
	227	*
	228	* @param msg
	229	*
	230	* @return CL_DROP
	231	*/
	232	ConsumeLevel SAVDialogue::handleTimeout(Message *msg)
	233	{
	234	return CL_DROP;
	235	}
	236
	237	/**
	238	* Dialogue::connectionLost(Message *)
	239	* as we are not interested in these socket actions
	240	* we simply return CL_DROP to show the socket
	241	*
	242	* @param msg
	243	*
	244	* @return CL_DROP
	245	*/
	246	ConsumeLevel SAVDialogue::connectionLost(Message *msg)
	247	{
	248	return CL_DROP;
	249	}
	250
	251	/**
	252	* Dialogue::connectionShutdown(Message *)
	253	* as we are not interested in these socket actions
	254	* we simply return CL_DROP to show the socket
	255	*
	256	* @param msg
	257	*
	258	* @return CL_DROP
	259	*/
	260	ConsumeLevel SAVDialogue::connectionShutdown(Message *msg)
	261	{
	262	return CL_DROP;
	263	}
	264
	265
	266
	267
	268	extern "C" int32_t module_init(int32_t version, Module *module, Nepenthes nepenthes)
	269	{
	270	if ( version == MODULE_IFACE_VERSION )
	271	{
	272	*module = new VulnSAV(nepenthes);
	273	return (1);
	274	} else
	275	{
	276	return (0);
231	277	}
232
233		#ifdef WIN32
234		char *cmd = message;
235		#else
236		char *cmd = strsep(&message, " ");
237		#endif
238
239		if( !strncmp(cmd, "download",8) )
240		{
241
242		uint8_t downloadflags=0;
243		if (strcmp(cmd,"downloadbinary") == 0)
244		{
245		downloadflags \|= DF_TYPE_BINARY;
246		}
247
248		#ifdef WIN32
249		char *url = "http://test.de/";
250		#else
251		char *url = strsep(&message, " ");
252		#endif
253		logCrit("Downloading file from \"%s\"\n", url);
254
255		msg->getSocket()->getNepenthes()->getDownloadMgr()->downloadUrl(msg->getLocalHost(),url, msg->getRemoteHost(), msg->getMsg(),downloadflags);
256
257		string sDeineMutter("trying to download file\n");
258		msg->getResponder()->doRespond((char *)sDeineMutter.c_str(),sDeineMutter.size());
259
260		}
261
262		// msg->getResponder()->doRespond("deine mutter\n",strlen("deine mutter\n"));
263		return CL_ASSIGN;
264
265		/*
266		string command(msg->getMsg(),msg->getSize());
267
268		unsigned int offset;
269		if (((offset = command.find("list"))) < command.size() )
270		{
271		int fd;
272
273		for (fd=0;fd<64*1024;fd++)
274		{
275		int32_t iError = 0;
276		int32_t iSize = sizeof(iError);
277
278
279		if (getsockopt(fd,SOL_SOCKET, SO_ERROR, &iError,(socklen_t *) &iSize) == 0 )
280		{
281		if (iError != 0)
282		continue;
283
284		struct sockaddr_in addrLocal;
285		iSize = sizeof(addrLocal);
286
287		if ( getsockname(fd, (struct sockaddr ) &addrLocal, (socklen_t ) &iSize) != 0 )
288		continue;
289
290		struct sockaddr_in addrRemote;
291		iSize = sizeof(addrRemote);
292		if ( getpeername(fd, (struct sockaddr ) &addrRemote, (socklen_t ) &iSize) != 0 )
293		continue;
294
295
296		string localhost,remotehost;
297
298		localhost = inet_ntoa((struct in_addr )&((sockaddr_in)addrLocal).sin_addr);
299		remotehost = inet_ntoa((struct in_addr )&((sockaddr_in)addrRemote).sin_addr);
300
301		logInfo("%i %-15s -> %-15s\n",fd,localhost.c_str(),remotehost.c_str());
302
303		close(fd);
304		}
305		}
306		}
307
308		return CL_ASSIGN;
309		*/
310		}
311
312		/**
313		* Dialogue::outgoingData(Message *)
314		* as we are not interested in these socket actions
315		* we simply return CL_DROP to show the socket
316		*
317		* @param msg
318		*
319		* @return CL_DROP
320		*/
321		ConsumeLevel X2Dialogue::outgoingData(Message *msg)
322		{
323		return CL_ASSIGN;
324		}
325
326		/**
327		* Dialogue::handleTimeout(Message *)
328		* as we are not interested in these socket actions
329		* we simply return CL_DROP to show the socket
330		*
331		* @param msg
332		*
333		* @return CL_DROP
334		*/
335		ConsumeLevel X2Dialogue::handleTimeout(Message *msg)
336		{
337		return CL_DROP;
338		}
339
340		/**
341		* Dialogue::connectionLost(Message *)
342		* as we are not interested in these socket actions
343		* we simply return CL_DROP to show the socket
344		*
345		* @param msg
346		*
347		* @return CL_DROP
348		*/
349		ConsumeLevel X2Dialogue::connectionLost(Message *msg)
350		{
351		return CL_DROP;
352		}
353
354		/**
355		* Dialogue::connectionShutdown(Message *)
356		* as we are not interested in these socket actions
357		* we simply return CL_DROP to show the socket
358		*
359		* @param msg
360		*
361		* @return CL_DROP
362		*/
363		ConsumeLevel X2Dialogue::connectionShutdown(Message *msg)
364		{
365		return CL_DROP;
366		}
367
368
369
370
371		#ifdef WIN32
372		extern "C" int32_t __declspec(dllexport) module_init(int32_t version, Module *module, Nepenthes nepenthes)
373		#else
374		extern "C" int32_t module_init(int32_t version, Module *module, Nepenthes nepenthes)
375		#endif
376
377		{
378		if (version == MODULE_IFACE_VERSION) {
379		*module = new X2(nepenthes);
380		return 1;
381		} else {
382		return 0;
383		}
384		}
	278	}

nepenthes/trunk/modules/vuln-sav/vuln-sav.hpp

r318	r722
43	43	class Buffer;
44	44
45		class X2 : public Module , public DialogueFactory
	45	class VulnSAV : public Module , public DialogueFactory
46	46	{
47	47	public:
48		X2(Nepenthes *);
49		~X2();
	48	VulnSAV(Nepenthes *);
	49	~VulnSAV();
50	50	Dialogue createDialogue(Socket socket);
51	51	bool Init();
…	…
53	53	};
54	54
55		class X2Dialogue : public Dialogue
	55	class SAVDialogue : public Dialogue
56	56	{
57	57	public:
58		X2Dialogue(Socket *socket);
59		~X2Dialogue();
	58	SAVDialogue(Socket *socket);
	59	~SAVDialogue();
60	60	ConsumeLevel incomingData(Message *msg);
61	61	ConsumeLevel outgoingData(Message *msg);

Download in other formats: