[TOOL] HTTP Request Packet Injection
From: support@securiteam.com Date: 01/16/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 16 Jan 2002 19:52:09 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
HTTP Request Packet Injection
------------------------------------------------------------------------
DETAILS
This is a small program written in C that lets you generate small HTTP
request headers and use all the methods Apache supports.
Tool source code:
/*
* webi.c - HTTP Request Packet Injection
* (c) 2002 Condor <condor@stz-bg.com>
* version 3.00 (02.01.2002)
* Ideas taken from silk.c, written by obecian <obecian@packetninja.net>
* For POST and other methods that carry data, pass it with -d,
* e.g. -d 'test=test&bla=bla'
* For other methods you can put the data in the URI without -d,
* like this: -u /cgi-bin/script.cgi?test=test
* !WARNING! If your data contains the symbol &, you must quote it with ''
* Sorry of my BAD english :(
*/
#define TITLE "webi.c - HTTP Request Packet Injection"
#define CODER "(c) 2002 Condor (condor@stz-bg.com)"
#define MAXA 129
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#if INT_MAX > 2147483647
#error need to increase size of buffer
#endif
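/*
 * Print the command-line synopsis, prefixed with the program name given in
 * arg, and terminate the process with exit status -1.
 *
 * The help text is built from adjacent string literals, one per output
 * line, so no literal spans a physical source line. The method list names
 * each method once (the original listed TRACE twice).
 */
void
usage(char *arg)
{
    printf("%s usage:\n"
           " -s <target web server> (eg. 127.0.0.1, localhost)\n"
           " -u <URI> (eg. /cgi-bin/script.cgi)\n"
           " [-p port (default: 80)]\n"
           " [-m method {GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, "
           "OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, "
           "UNLOCK}]\n"
           " [-h virtual host]\n"
           " [-r referer]\n"
           " [-v version]\n"
           " [-a user agent]\n"
           " [-o add content type x-www-form-urlencoded]\n"
           " [-t use proxy (eg. proxy:port)]\n"
           " [-d data]\n\n", arg);
    exit(-1);
}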
/*
 * itoa: render an int as decimal text. It is defined here because some
 * UNIX-like systems do not provide one.
 *
 * Digits are written backwards from the end of the file-scope buffer `buf`
 * and the returned pointer points into that buffer, so every call
 * overwrites the text produced by the previous call. Twelve bytes hold the
 * longest 32-bit value: a sign, ten digits and the terminating NUL.
 */
static char buf[12];
char *itoa(int i)
{
    char *cursor = &buf[sizeof(buf) - 1];
    int is_negative = (i < 0);
    /* Unsigned negation gives the magnitude without overflowing on INT_MIN. */
    unsigned int magnitude = is_negative ? 0u - (unsigned int)i
                                         : (unsigned int)i;

    *cursor = '\0';
    for (;;) {
        cursor--;
        *cursor = (char)('0' + magnitude % 10);
        magnitude /= 10;
        if (magnitude == 0)
            break;  /* always emit at least one digit, so 0 prints as "0" */
    }
    if (is_negative) {
        cursor--;
        *cursor = '-';
    }
    return cursor;
}
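/*
 * Append the NUL-terminated string src to the NUL-terminated string held in
 * dst, whose total capacity is cap bytes. If the result would not fit, the
 * process exits with an error instead of truncating, so an over-long
 * command-line value can neither overrun the buffer nor produce a silently
 * cut-off request.
 */
static void
req_append(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    size_t need = strlen(src);

    if (need >= cap - used) {
        fprintf(stderr, "request too long (limit %lu bytes)\n",
                (unsigned long)(cap - 1));
        exit(-1);
    }
    memcpy(dst + used, src, need + 1);
}

/*
 * Parse text as a decimal TCP port in the range 1..65535 and return it.
 * Anything else (empty string, trailing characters, out-of-range value)
 * is reported and ends the process.
 */
static int
parse_port(const char *text)
{
    char *end;
    long value = strtol(text, &end, 10);

    if (end == text || *end != '\0' || value < 1 || value > 65535) {
        fprintf(stderr, "invalid port: %s\n", text);
        exit(-1);
    }
    return (int)value;
}

/*
 * Build one HTTP request from the command-line options, send it to the
 * target server (or to a proxy when -t is given) and copy the reply to
 * standard output.
 *
 * Returns 0 on success; every failure path exits with status -1.
 *
 * Changes from the original listing, all in how the tool handles its own
 * input:
 *  - the request is assembled with a bounds-checked append; the original
 *    used strncat() bounded by the source length, which does not protect
 *    the destination, on a buffer that strncpy() had left unterminated;
 *  - the -t value is copied as data; the original passed it to snprintf()
 *    as the format string;
 *  - a -t value without ":port" no longer dereferences a NULL pointer;
 *  - only the request bytes are written to the socket, not the whole
 *    fixed-size buffer, and short writes are completed;
 *  - a read() error ends the receive loop instead of feeding -1 to write().
 */
int
main(int argc, char **argv)
{
    /* Fixed header lines sent with every request; each ends in CRLF. */
    static const char accept_headers[] =
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
        "image/png, */*\r\n"
        "Accept-Encoding: gzip\r\n"
        "Accept-Language: en, bg\r\n"
        "Accept-Charset: iso-8859-1,*,utf-8\r\n";
    /* Emitted only with -o; the body length is appended right after it. */
    static const char form_headers[] =
        "Content-type: application/x-www-form-urlencoded\r\n"
        "Content-length: ";

    extern char *optarg;
    extern int opterr;
    struct sockaddr_in sin;
    struct hostent *he;
    char request[4096];
    char reply[1024];
    char tproxy[128];
    int opt, sock;
    int port = 80;
    int prport = 3128;          /* proxy port used when -t gives none */
    int form_encoded = 0;       /* set by -o */
    const char *method = "GET"; /* Default method */
    const char *server = "www.stz-bg.com";
    const char *vhost = "www.stz-bg.com";
    const char *referer = "http://402686256/";
    const char *agent = "Mozilla/4.79 [en] (X11; U; OpenBSD 3.0 i386)";
    const char *version = "HTTP/1.0";
    const char *proxy = NULL;
    const char *uri = "/";
    const char *data = "test";
    size_t total, sent;
    ssize_t n;

    putchar('\n');
    puts(TITLE);
    puts(CODER);
    putchar('\n');
    if (argc < 2)
        usage(argv[0]);

    opterr = 0;
    while ((opt = getopt(argc, argv, "h:u:v:r:s:p:a:m:ot:d:")) != -1) {
        switch (opt) {
        case 's': server = optarg; break;
        case 'p': port = parse_port(optarg); break;
        case 'm': method = optarg; break;
        case 'h': vhost = optarg; break;
        case 'r': referer = optarg; break;
        case 'a': agent = optarg; break;
        case 'v': version = optarg; break;
        case 'u': uri = optarg; break;
        case 'o': form_encoded = 1; break;
        case 't': proxy = optarg; break;
        case 'd': data = optarg; break;
        case '?': usage(argv[0]); break;
        default: break;
        }
    }

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(-1);
    }

    /* Generating header data */
    request[0] = '\0';
    req_append(request, sizeof(request), method);

    if (proxy != NULL) {
        char *colon;
        size_t plen = strlen(proxy);

        if (plen >= sizeof(tproxy)) {
            fprintf(stderr, "proxy specification too long\n");
            exit(-1);
        }
        /* Plain copy: the value is user input and must never be a format. */
        memcpy(tproxy, proxy, plen + 1);

        /* Split "host:port"; with a proxy the connection goes to the proxy. */
        colon = strchr(tproxy, ':');
        if (colon != NULL) {
            *colon = '\0';
            port = parse_port(colon + 1);
        } else {
            port = prport;
        }
        if (tproxy[0] == '\0') {
            fprintf(stderr, "proxy host is empty\n");
            exit(-1);
        }
        if ((he = gethostbyname(tproxy)) == NULL) {
            herror("gethostbyname");
            exit(-1);
        }
        /* A proxy is given the absolute URI on the request line. */
        req_append(request, sizeof(request), " http://");
        req_append(request, sizeof(request), server);
        req_append(request, sizeof(request), uri);
    } else {
        he = gethostbyname(server);
        if (he == NULL) {
            herror("gethostbyname");
            exit(-1);
        }
        req_append(request, sizeof(request), " ");
        req_append(request, sizeof(request), uri);
    }

    req_append(request, sizeof(request), " ");
    req_append(request, sizeof(request), version);
    req_append(request, sizeof(request), "\r\nReferer: ");
    req_append(request, sizeof(request), referer);
    req_append(request, sizeof(request), "\r\nUser-Agent: ");
    req_append(request, sizeof(request), agent);
    req_append(request, sizeof(request), "\r\nHost: ");
    req_append(request, sizeof(request), vhost);
    req_append(request, sizeof(request), "\r\n");
    req_append(request, sizeof(request), accept_headers);
    if (form_encoded) {
        req_append(request, sizeof(request), form_headers);
        /* itoa() returns a pointer into its own static buffer. */
        req_append(request, sizeof(request), itoa((int)strlen(data)));
    }
    req_append(request, sizeof(request), "\r\n\r\n");
    /* End header data */

    /*
     * NOTE(review): kept from the original - the literal value "test" is
     * the "no body" sentinel, so "-d test" sends no body, and -o without
     * -d still announces Content-length: 4.
     */
    if (strcmp(data, "test") != 0)
        req_append(request, sizeof(request), data);
    req_append(request, sizeof(request), "\n");

    /* Only an IPv4 address can be copied into sockaddr_in. */
    if (he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof(sin.sin_addr)) {
        fprintf(stderr, "gethostbyname: no IPv4 address for host\n");
        exit(-1);
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)port);
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof(sin.sin_addr));

    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
        perror("connect");
        exit(-1);
    }

    /* Send exactly the request text; write() may accept only part of it. */
    total = strlen(request);
    for (sent = 0; sent < total; sent += (size_t)n) {
        n = write(sock, request + sent, total - sent);
        if (n <= 0) {
            perror("write");
            exit(-1);
        }
    }

    /* The banner went through stdio; flush it before raw writes to fd 1. */
    fflush(stdout);
    while ((n = read(sock, reply, sizeof(reply))) > 0) {
        if (write(STDOUT_FILENO, reply, (size_t)n) < 0) {
            perror("write");
            exit(-1);
        }
    }
    if (n < 0)
        perror("read");

    close(sock);
    putchar('\n');
    return 0;
}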
ADDITIONAL INFORMATION
The information has been provided by <mailto:condor@stz-bg.com> Condor.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.