[TOOL] Msndump - MSN Messenger Sniffer
From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/04
To: list@securiteam.com Date: 17 Nov 2004 15:58:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Msndump - MSN Messenger Sniffer
------------------------------------------------------------------------
SUMMARY
DETAILS
The Perl script presented here parses MSN Messenger (MSNP) traffic on TCP port 1863, picks the MSG commands out of each packet and displays the sender's account and the message text. Peer-to-peer session data (MSG commands carrying a 'P2P-Dest:' header, used for file transfers and similar) is skipped. The script uses libpcap, through Net::Pcap, to capture and filter packets and NetPacket to decode the Ethernet/IP/TCP headers. It can be modified to parse other MSNP headers such as 'TypingUser:' (typing notifications).
Example usage:
To capture live traffic from device eth0 (root is required to open the interface; the script drops to an unprivileged uid once the capture handle is open) run:
msndump.pl -i eth0
To read a tcpdump/pcap capture file named traffic.pcap (no root needed) run:
msndump.pl -r traffic.pcap
Add -c N to stop after N packets and -w file.txt to write the decoded messages to a file instead of stdout.
Source Code:
#!/usr/bin/perl -w
# quick dirty msn sniffer
# http://miscname.com/
# $Id: msndump.pl,v 1.3 2004/11/17 10:00:33 meh Exp $
# you need Net::Pcap and NetPacket
# use cpan or get manually
# http://search.cpan.org/CPAN/authors/id/A/AT/ATRAK/NetPacket-0.04.tar.gz
# http://search.cpan.org/CPAN/authors/id/K/KC/KCARNUT/Net-Pcap-0.05.tar.gz
use strict;
use Getopt::Std;
use Net::Pcap;
use NetPacket::IP;
use NetPacket::TCP;
use NetPacket::Ethernet qw(:strip);
use Fcntl;
use POSIX qw(setuid setgid);

# unprivileged uid/gid to switch to once the capture handle is open
my $lowuid = 1001;
my $lowgid = 1001;
# MSN Messenger (MSNP) notification and switchboard servers talk on tcp/1863
my $filter = 'tcp and port 1863';
# no modify below
$| = 1;
my $flags = O_NONBLOCK;
my %opts;
getopt("wicr", \%opts);
if (!$opts{i} && !$opts{r}) {
    print "[ msndump - miscname.com ]\n Usage:\n",
          "\t-i rl0 || -r file.pcap\n",
          "\t-c X - capture X packets\n",
          "\t-w freshIMz.txt\n\n";
    exit;
}
# live capture needs root; reading a pcap file does not
if (!$opts{r} && $> != 0) {
    die("you need uid 0\n");
}

# create pcap
my $pcap = cap_pkt();
die("cant capture\n") unless $pcap;

# drop privs now that the capture handle is open: gid first, uid last,
# and verify the change instead of trusting it
if ($> == 0) {
    setgid($lowgid);
    setuid($lowuid);
    if ($> != $lowuid || $< != $lowuid) {
        die("failed to drop privileges to uid $lowuid ($!)\n");
    }
}

# -w if set (opened after the privilege drop, so the file is owned by $lowuid)
if ($opts{w}) {
    open(FILEOUT, ">$opts{w}") || die("cant open $opts{w} ($!)\n");
    fcntl(FILEOUT, F_SETFL, $flags) or die("couldn't set nonblock for $opts{w} ($!)\n");
}

# capture loop
if ($opts{c} && $opts{c} =~ /(\d+)/) {
    my $count = $1;
    print "stopping after $count packets\n";
    Net::Pcap::loop($pcap, $count, \&proc_pkt, 0);
} else {
    # -1 = run until EOF (file) or error (live); ctrl-c ends a live capture
    Net::Pcap::loop($pcap, -1, \&proc_pkt, 0);
}
if ($opts{i}) {
    # the ps_* counters only exist for live captures
    my %stats;
    Net::Pcap::stats($pcap, \%stats);
    print "saw $stats{ps_recv} packets, dropped $stats{ps_drop}\n";
}
# free it
print "cleaning up\n";
Net::Pcap::close($pcap);
# close fh
if ($opts{w}) {
    print "wrote $opts{w}.\n";
    close FILEOUT;
}

# sub procs below
sub cap_pkt {
    my ($pcap, $dev, $err, $mask, $net, $filter2);
    my $snaplen = 14096;  # seen some big im's :(
    my $promisc = 1;      # promisc of course
    my $timeout = 0;      # read timeout in ms
    # file.pcap?
    if ($opts{r}) {
        print "reading from '$opts{r}'\n";
        $pcap = Net::Pcap::open_offline($opts{r}, \$err);
        die("error opening $opts{r} ($err)\n") unless $pcap;
    } else {
        # set dev from cmdline
        $dev = $opts{i};
        print "dumping on '$dev'\n";
        # get netmask for filter
        if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1) {
            die("Net::Pcap::lookupnet failed ($err)\n");
        }
        # open it
        $pcap = Net::Pcap::open_live($dev, $snaplen, $promisc, $timeout, \$err);
        die("can't create packet fd ($err)\n") unless $pcap;
    }
    # eth_strip() in proc_pkt assumes an Ethernet link layer (DLT_EN10MB == 1)
    if (Net::Pcap::datalink($pcap) != 1) {
        die("only Ethernet (DLT_EN10MB) captures are supported\n");
    }
    $mask = 0 unless defined $mask;  # no netmask for open_offline
    # make filter struct
    if (Net::Pcap::compile($pcap, \$filter2, $filter, 1, $mask) != 0) {
        die("broken filter ($filter)\n");
    }
    # apply
    Net::Pcap::setfilter($pcap, $filter2);
    return $pcap;
}

sub proc_pkt {
    my ($user_data, $hdr, $pkt) = @_;
    my ($user, $msg);
    my $ip_obj  = NetPacket::IP->decode(eth_strip($pkt));
    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});
    # MSNP payload only; matching on $ip_obj->{data} would include the TCP header
    my $data = $tcp_obj->{data};
    return unless defined $data && length $data;
    # check if its a message, skip p2p (file transfer / session) data
    # if you're reading this, include 'P2P-Dest:' in your message body to avoid the sniffer ;)
    return if $data !~ /MSG/ || $data =~ /P2P-Dest:/;
    print $data;
    # extract goodies: the account from the server->client "MSG user@host nick len"
    # line, or from a P4-Context: header when there is one
    if ($data =~ /MSG (\S+)\@(\S+)/) {
        $user = "$1\@$2";
    } elsif ($data =~ /P4-Context: (\S+)/) {
        $user = $1;
    }
    # the text follows the X-MMS-IM-Format: header and the blank line ending the MIME headers
    if ($data =~ /X-MMS-IM-Format:[^\r\n]*\r\n\r\n(.*)/s) {
        $msg = $1;
    }
    # display if we have either
    if ($user || $msg) {
        $user = "unknown user" unless $user;
        $msg  = ''             unless defined $msg;
        my $out = "\n----------------------------------------------------\n"
                . "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n"
                . "TO/FROM: $user\nMESSAGE:\n$msg\n";
        if ($opts{w}) {
            print FILEOUT $out, "\n";
        } else {
            print $out;
        }
    }
}
#eof
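msndump decides what a packet is by grepping the whole TCP payload for 'MSG', 'P2P-Dest:' and 'X-MMS-IM-Format:', which is why the author jokes that putting 'P2P-Dest:' in a message body hides it. The following is an added example, not code from the advisory or from msndump, showing the parsing a practitioner would do instead: walk the MSG commands by their length field, split the MIME headers from the body, and classify by header rather than by substring, so a body containing 'P2P-Dest:' still shows up as chat and a 'TypingUser:' notification is reported as such. It is in Python rather than the tool's Perl so it can be run without libpcap; the MSG line formats (server->client 'MSG account name length', client->server 'MSG trid ackflag length') and the Content-Type values are the MSNP ones as I know them, and every sample payload is constructed in the block.

```python
"""Parse MSNP 'MSG' commands from a TCP-port-1863 payload.

Added example, not part of msndump. Framing assumed (MSNP as I know it):
    server->client:  MSG <account> <display-name> <length>\r\n<MIME part>
    client->server:  MSG <trid> <ack: U|N|A> <length>\r\n<MIME part>
where the MIME part is "headers\r\n\r\nbody" and <length> counts its bytes.
Kinds are told apart by the headers msndump mentions: X-MMS-IM-Format
(chat text), TypingUser (typing notification), P2P-Dest (peer-to-peer data).
"""
import re

# Command line. The display name is URL-encoded on the wire, so \S+ is safe.
MSG_LINE = re.compile(rb"MSG (\S+) (\S+) (\d+)\r\n")


def split_headers(blob):
    """Split a MIME-style header block from its body: (dict, body bytes)."""
    head, _, body = blob.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().decode("ascii", "replace").lower()] = \
                value.strip().decode("utf-8", "replace")
    return headers, body


def classify(headers):
    """Map MIME headers to the kinds msndump distinguishes (chat/typing/p2p)."""
    ctype = headers.get("content-type", "").lower()
    if "typinguser" in headers or ctype.startswith("text/x-msmsgscontrol"):
        return "typing"
    if "p2p-dest" in headers or ctype.startswith("application/x-msnmsgrp2p"):
        return "p2p"
    if ctype.startswith("text/plain"):
        return "chat"
    return "other"


def parse_msg_commands(payload):
    """Return one record per MSG command found in a TCP payload.

    Each message is delimited by its length field, not by regex hits over the
    whole segment, so a chat body containing the text 'P2P-Dest:' is still
    reported as chat. A MSG whose declared length runs past the end of the
    payload is flagged truncated: the rest is in a later segment, and this
    parser, like msndump, does no TCP stream reassembly.
    """
    records = []
    pos = 0
    while True:
        # after the first hit, pos already sits on the next command line
        m = MSG_LINE.search(payload, pos)
        if not m:
            break
        first = m.group(1).decode("ascii", "replace")
        second = m.group(2).decode("utf-8", "replace")
        length = int(m.group(3))
        start = m.end()
        blob = payload[start:start + length]
        headers, body = split_headers(blob)
        client_side = first.isdigit() and second in ("U", "N", "A")
        records.append({
            "direction": "client->server" if client_side else "server->client",
            "from": None if client_side else first,  # sender account (server->client)
            "trid": first if client_side else None,  # transaction id (client->server)
            "kind": classify(headers),
            "typing_user": headers.get("typinguser"),
            "body": body,
            "truncated": len(blob) < length,
        })
        pos = start + length
    return records


def build_msg(first, second, header_lines, body):
    """Assemble a MSG command with a correct length field (for constructed samples)."""
    mime = b"\r\n".join(header_lines) + b"\r\n\r\n" + body
    return b"MSG %s %s %d\r\n%s" % (first, second, len(mime), mime)


# Constructed sample: three server->client commands back to back in one segment.
CHAT_HEADERS = [b"MIME-Version: 1.0",
                b"Content-Type: text/plain; charset=UTF-8",
                b"X-MMS-IM-Format: FN=Arial; EF=; CO=0; CS=0; PF=22"]
SAMPLE_PAYLOAD = (
    build_msg(b"alice@example.com", b"Alice", CHAT_HEADERS,
              b"hi, include P2P-Dest: in your message ;)")
    + build_msg(b"bob@example.com", b"Bob",
                [b"MIME-Version: 1.0", b"Content-Type: text/x-msmsgscontrol",
                 b"TypingUser: bob@example.com"], b"")
    + build_msg(b"bob@example.com", b"Bob",
                [b"MIME-Version: 1.0", b"Content-Type: application/x-msnmsgrp2p",
                 b"P2P-Dest: alice@example.com"], b"\x00" * 8)
)

if __name__ == "__main__":
    for r in parse_msg_commands(SAMPLE_PAYLOAD):
        print(r["direction"], r["from"], r["kind"], r["body"][:40])
```

Feeding it the TCP payload that msndump's proc_pkt extracts (the data field after the TCP header) gives one record per command; the truncated flag tells you when a long message needs the next segment, which is the case the 14096-byte snaplen in the script is trying to paper over.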
ADDITIONAL INFORMATION
The information has been provided by rocco.s <rocco.s@telstra.com>.
To keep updated with the tool visit the project's homepage at:
http://miscname.com/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.