| 1 |
// Copyright (C) 2003-2005 Stephane Thiell |
| 2 |
// |
| 3 |
// This file is part of pxyscand (from pxys) |
| 4 |
// |
| 5 |
// This program is free software; you can redistribute it and/or |
| 6 |
// modify it under the terms of the GNU General Public License |
| 7 |
// as published by the Free Software Foundation; either version 2 |
| 8 |
// of the License, or (at your option) any later version. |
| 9 |
// |
| 10 |
// This program is distributed in the hope that it will be useful, |
| 11 |
// but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 |
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 |
// GNU General Public License for more details. |
| 14 |
// |
| 15 |
// You should have received a copy of the GNU General Public License |
| 16 |
// along with this program; if not, write to the Free Software |
| 17 |
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 18 |
// |
| 19 |
#define RCSID "$Id: PXMHttpProxy.cc,v 1.3 2005/05/19 00:49:38 mbuna Exp $" |
| 20 |
|
| 21 |
#ifdef HAVE_CONFIG_H |
| 22 |
#include "config.h" |
| 23 |
#endif |
| 24 |
|
| 25 |
#define HTTPPROXY_SHORTNAME "HttpProxy" |
| 26 |
|
| 27 |
#define HTTPPROXY_DESCR "Vulnerable http proxy" |
| 28 |
|
| 29 |
|
| 30 |
#define MAX_LINES_TRY 2 |
| 31 |
#define CRLF "\r\n" |
| 32 |
|
| 33 |
#include "PXMHttpProxy.h" |
| 34 |
|
| 35 |
#include <iostream> |
| 36 |
#include <cassert> |
| 37 |
#include <cerrno> |
| 38 |
#include <cstring> |
| 39 |
#include <arpa/inet.h> |
| 40 |
|
| 41 |
using std::clog; |
| 42 |
using std::endl; |
| 43 |
|
| 44 |
map<uint16_t, uint32_t*> PXMHttpProxy::sConnCountMap; |
| 45 |
map<uint16_t, uint32_t*> PXMHttpProxy::sProxyCountMap; |
| 46 |
|
| 47 |
PXMHttpProxy::PXMHttpProxy(PXScan *inScan, int inPort) |
| 48 |
: PXScanModule(inScan), mLinesTry(0), mPort(inPort), mIsProxy(false) |
| 49 |
{ |
| 50 |
if (sConnCountMap.find(mPort) == sConnCountMap.end()) |
| 51 |
{ |
| 52 |
sConnCountMap[mPort] = new uint32_t; |
| 53 |
*sConnCountMap[mPort] = 0; |
| 54 |
sProxyCountMap[mPort] = new uint32_t; |
| 55 |
*sProxyCountMap[mPort] = 0; |
| 56 |
} |
| 57 |
} |
| 58 |
|
| 59 |
PXMHttpProxy::~PXMHttpProxy() |
| 60 |
{ |
| 61 |
} |
| 62 |
|
| 63 |
void |
| 64 |
PXMHttpProxy::InitModule() |
| 65 |
{ |
| 66 |
RegisterPXM(HTTPPROXY_SHORTNAME, mPort, sConnCountMap[mPort], sProxyCountMap[mPort]); |
| 67 |
} |
| 68 |
|
| 69 |
bool |
| 70 |
PXMHttpProxy::StartScan() |
| 71 |
{ |
| 72 |
peak_task task = peak_task_self(); |
| 73 |
|
| 74 |
struct sockaddr_in sin; |
| 75 |
memset(&sin, 0, sizeof(struct sockaddr_in)); |
| 76 |
sin.sin_family = AF_INET; |
| 77 |
sin.sin_addr = this->GetAddress(); |
| 78 |
sin.sin_port = htons((uint16_t)mPort); |
| 79 |
|
| 80 |
mStream = peak_stream_socket_create((struct sockaddr *)&sin, sizeof(sin), |
| 81 |
PEAK_STREAM_OPT_LINEMODE, |
| 82 |
EventCallback, |
| 83 |
this); |
| 84 |
|
| 85 |
if (!mStream) |
| 86 |
return false; |
| 87 |
|
| 88 |
if (this->IsLocalAddressSet()) |
| 89 |
{ |
| 90 |
sockaddr_in local_sin; |
| 91 |
memset(&local_sin, 0, sizeof(local_sin)); |
| 92 |
local_sin.sin_family = AF_INET; |
| 93 |
local_sin.sin_addr = this->GetLocalAddress(); |
| 94 |
local_sin.sin_port = htons(0); |
| 95 |
|
| 96 |
peak_stream_set_address(mStream, (sockaddr*)&local_sin, sizeof(local_sin)); |
| 97 |
} |
| 98 |
|
| 99 |
/* Enable built-in timeout option, this is so useful here. */ |
| 100 |
peak_stream_set_timeout(mStream, GetTimeout()); |
| 101 |
|
| 102 |
/* Connect (don't block) */ |
| 103 |
if (peak_stream_connect(mStream) == -1) |
| 104 |
{ |
| 105 |
this->Cleanup(); |
| 106 |
this->ProxyNotFound(); |
| 107 |
} |
| 108 |
else |
| 109 |
peak_stream_schedule(mStream, task); |
| 110 |
return true; |
| 111 |
} |
| 112 |
|
| 113 |
void |
| 114 |
PXMHttpProxy::Cleanup() |
| 115 |
{ |
| 116 |
assert(mStream != NULL); |
| 117 |
peak_release(mStream); |
| 118 |
mStream = NULL; |
| 119 |
} |
| 120 |
|
| 121 |
void |
| 122 |
PXMHttpProxy::SendConnectRequest(peak_stream s) |
| 123 |
{ |
| 124 |
in_addr targetAddr = GetTargetAddress(); |
| 125 |
char uriHostname[16]; |
| 126 |
int uriPort = GetTargetPort(); |
| 127 |
|
| 128 |
inet_ntop(AF_INET, &targetAddr, uriHostname, sizeof(uriHostname)); |
| 129 |
|
| 130 |
peak_stream_set_buffered(s, 1, 64, 64*2, NULL); |
| 131 |
|
| 132 |
peak_stream_msgbuf_make(s, "CONNECT %s:%d HTTP/1.0" CRLF, |
| 133 |
uriHostname, uriPort); |
| 134 |
peak_stream_msgbuf_make(s, "User-Agent: pxyscand/" VERSION CRLF CRLF); |
| 135 |
} |
| 136 |
|
| 137 |
void |
| 138 |
PXMHttpProxy::CommitFound() |
| 139 |
{ |
| 140 |
(*sProxyCountMap[mPort])++; |
| 141 |
this->Cleanup(); |
| 142 |
this->ProxyFound(OPAS_PROXY_TYPE_HTTPPROXY, mPort, HTTPPROXY_DESCR); |
| 143 |
} |
| 144 |
|
| 145 |
void |
| 146 |
PXMHttpProxy::ProcessEvent(peak_stream s, int type) |
| 147 |
{ |
| 148 |
char *line; |
| 149 |
int err; |
| 150 |
|
| 151 |
switch (type) |
| 152 |
{ |
| 153 |
case PEAK_STREAM_EVT_OPEN: |
| 154 |
(*sConnCountMap[mPort])++; |
| 155 |
this->SendConnectRequest(s); |
| 156 |
break; |
| 157 |
case PEAK_STREAM_EVT_READ: |
| 158 |
line = peak_stream_get_line(s); |
| 159 |
#if 0 |
| 160 |
clog << "PXMHttpProxy:: line: " << line << endl; |
| 161 |
#endif |
| 162 |
// The algorithm used here looks like a bit weird at the first time, |
| 163 |
// but that's because we try to log the httpd/proxy agent for stats |
| 164 |
// purpose. |
| 165 |
if (!strncmp(line, "HTTP/1.0 200 Connection established", 35) |
| 166 |
|| !strncmp(line, "HTTP/1.1 200 Connection established", 35)) |
| 167 |
mIsProxy = true; // Confirmed |
| 168 |
else if (!strncmp(line, "HTTP/1.0 2", 10) |
| 169 |
|| !strncmp(line, "HTTP/1.1 2", 10)) |
| 170 |
clog << "PXMHttpProxy:: HTTP 2xx reply: " << line << endl; |
| 171 |
else if (!strncmp(line, "Proxy-agent:", 12) |
| 172 |
|| !strncmp(line, "User-agent:", 11) |
| 173 |
|| !strncmp(line, "Server:", 7)) |
| 174 |
{ |
| 175 |
if (LogAgent()) |
| 176 |
{ |
| 177 |
char buf[16], *p; |
| 178 |
in_addr addr = GetAddress(); |
| 179 |
inet_ntop(AF_INET, &addr, buf, sizeof(buf)); |
| 180 |
while (*line++ != ':') |
| 181 |
; |
| 182 |
if (*line == ' ') |
| 183 |
line++; |
| 184 |
if ((p = strchr(line, ','))) |
| 185 |
*p = '\0'; |
| 186 |
mLogMutex.Lock(); |
| 187 |
GetFAgent() << peak_time() << ',' << buf << ',' << mPort |
| 188 |
<< ',' << line << endl; |
| 189 |
mLogMutex.Unlock(); |
| 190 |
} |
| 191 |
} |
| 192 |
else if (mLinesTry++ < MAX_LINES_TRY) |
| 193 |
break; |
| 194 |
|
| 195 |
/* fall through */ |
| 196 |
case PEAK_STREAM_EVT_ERROR: |
| 197 |
case PEAK_STREAM_EVT_TIMEDOUT: |
| 198 |
if (mIsProxy) |
| 199 |
{ |
| 200 |
this->CommitFound(); |
| 201 |
return; /* done! */ |
| 202 |
} |
| 203 |
this->Cleanup(); |
| 204 |
this->ProxyNotFound(); |
| 205 |
break; |
| 206 |
case PEAK_STREAM_EVT_END: |
| 207 |
if (mIsProxy) |
| 208 |
{ |
| 209 |
this->CommitFound(); |
| 210 |
return; /* done! */ |
| 211 |
} |
| 212 |
err = peak_stream_get_error(s); |
| 213 |
this->Cleanup(); |
| 214 |
if (err == ENETUNREACH) |
| 215 |
this->ScanError(OPAS_ERROR_NETUNREACH); // Can't scan ! |
| 216 |
else if (err == ENETDOWN) |
| 217 |
this->ScanError(OPAS_ERROR_NETDOWN); // Even worst ! |
| 218 |
else |
| 219 |
this->ProxyNotFound(); |
| 220 |
break; |
| 221 |
default: |
| 222 |
break; |
| 223 |
} |
| 224 |
} |
| 225 |
|
| 226 |
void |
| 227 |
PXMHttpProxy::EventCallback(peak_stream s, int type, void *context) |
| 228 |
{ |
| 229 |
PXMHttpProxy *pxm = reinterpret_cast<PXMHttpProxy*>(context); |
| 230 |
pxm->ProcessEvent(s, type); |
| 231 |
} |
Parent Directory
| 
Revision Log