[TOOL] Msndump - MSN Messenger Sniffer

From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/04

    To: list@securiteam.com
    Date: 17 Nov 2004 15:58:27 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Msndump - MSN Messenger Sniffer
    ------------------------------------------------------------------------

    DETAILS

    The Perl script presented here parses MSN Messenger message packets or P2P
    traffic and displays their contents. The script uses PCap to capture and
    parse the packets. The tool can be modified to parse other headers, such as
    'TypingUser:'.

    Example usage:
    To capture live traffic from device eth0 run:
    msndump.pl -i eth0

    To capture from tcpdump traffic.pcap file run:
    msndump.pl -r traffic.pcap

    Source Code:
    #!/usr/bin/perl -w
    # quick dirty msn sniffer
    # http://miscname.com/
    # $Id: msndump.pl,v 1.3 2004/11/17 10:00:33 meh Exp $

    # you need Net::Pcap and NetPacket (Ethernet, IP and TCP decoders)
    # use cpan or get manually
    # http://search.cpan.org/CPAN/authors/id/A/AT/ATRAK/NetPacket-0.04.tar.gz
    # http://search.cpan.org/CPAN/authors/id/K/KC/KCARNUT/Net-Pcap-0.05.tar.gz

    use strict;
    use Getopt::Std;
    use Net::Pcap;
    use NetPacket::IP;
    use NetPacket::TCP;
    use NetPacket::Ethernet qw(:strip);
    use Fcntl;
    use POSIX ();

    # unprivileged uid/gid to switch to once the capture handle is open
    my $lowuid = '1001';
    my $lowgid = '1001';

    # MSN Messenger notification/switchboard traffic
    my $filter = 'tcp and port 1863';

    # no modify below
    $| = 1;
    my $flags = O_NONBLOCK;

    my %opts;
    getopt("wicr", \%opts);
    if ((!$opts{i}) && (!$opts{r})) {
     print "[ msndump - miscname.com ]\n Usage:\n\t-i rl0 || -r file.pcap\n\t-c X - capture X packets\n\t-w freshIMz.txt\n\n";
     exit;
    }

    if ((!$opts{r}) && ($> != 0)) {
     die("you need uid 0\n");
    }

    # main loop
    my $exitvar = 0;
    while ($exitvar == 0) {

     # create pcap
     my $pcap = &cap_pkt;
     if (!$pcap) {
      die("cant capture\n");
     }

     # drop privs now that the capture handle is open: gid first, then uid,
     # and bail out if the switch did not take (only needed when running as root)
     if ($> == 0) {
      POSIX::setgid($lowgid) or die("could not drop to gid $lowgid ($!)\n");
      POSIX::setuid($lowuid) or die("could not drop to uid $lowuid ($!)\n");
     }

     # -w if set
     if ($opts{w}) {
      open(FILEOUT, ">$opts{w}") || die("cant open $opts{w} ($!)\n");
      fcntl(FILEOUT, F_SETFL, $flags) or die("couldn't set nonblock for $opts{w} ($!)\n");
     }

     # capture loop
     if (($opts{c}) && ($opts{c} =~ /(\d+)/)) {
      my $count = $1;
      print "stopping after $count packets\n";
      Net::Pcap::loop($pcap, $count, \&proc_pkt, 0);
      $exitvar = 1;
     } else {
      Net::Pcap::loop($pcap, -1, \&proc_pkt, 0);
      if ($opts{r}) {
       # loop() returns at end of file; don't re-read the capture forever
       $exitvar = 1;
      } else {
       my %stats;
       Net::Pcap::stats($pcap, \%stats);
       print "saw $stats{ps_recv} packets, dropped $stats{ps_drop}\n";
      }
     }

     # free it
     print "cleaning up\n";
     Net::Pcap::close($pcap);
     # close fh
     if ($opts{w}) {
      print "wrote $opts{w}.\n";
      close FILEOUT;
     }
    }

    # sub procs below
    sub cap_pkt {

     my ($pcap, $dev, $err, $mask, $net, $filter2);
     my $snaplen = 14096; # seen some big im's :(
     my $promisc = 1;     # promisc of course
     my $timeout = 0;     # timeout

     # file.pcap?
     if ($opts{r}) {
      print "reading from '$opts{r}'\n";
      $pcap = Net::Pcap::open_offline($opts{r}, \$err);
      if (!$pcap) {
       die("error opening $opts{r} ($err)\n");
      }
     } else {

      # set dev from cmdline
      $dev = $opts{i};
      print "dumping on '$opts{i}'\n";

      # get netmask for filter
      if (Net::Pcap::lookupnet($dev, \$net, \$mask, \$err) == -1) {
       die("Net::Pcap::lookupnet failed ($err)\n");
      }

      # open it
      $pcap = Net::Pcap::open_live($dev, $snaplen, $promisc, $timeout, \$err);
      if (!$pcap) {
       die("can't create packet fd ($err)\n");
      }
     }

     # sanity check
     if (!$pcap) {
      die("sanity check failed - \$pcap null\n");
     } elsif (!$mask) {
      $mask = 0; # for open_offline
     }

     # make filter struct
     if (Net::Pcap::compile($pcap, \$filter2, $filter, 1, $mask) != 0) {
      die("broken filter ($filter)\n");
     }
     # apply
     Net::Pcap::setfilter($pcap, $filter2);

     return $pcap;
    }

    sub proc_pkt {

     my ($user_data, $hdr, $pkt) = @_;
     my ($user, $msg);

     # strip the ethernet header, then decode IP and TCP to get at the payload
     my $ip_obj  = NetPacket::IP->decode(eth_strip($pkt));
     my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});
     my $data    = $tcp_obj->{data};
     return unless (defined $data && length $data);

     # check if it's a message (or a p2p file transfer, which we skip)
     # if you're reading this, include 'P2P-Dest:' in your message body to avoid the sniffer ;)
     if (($data !~ /MSG/m) || ($data =~ /P2P-Dest:/m)) {
      return;
     }

     print $data;
     # extract goodies: the sender from the MSG line, else from the P4-Context: header
     if ($data =~ /MSG (.*)\@(.*)/) {
      $user = "$1\@$2";
     } elsif ($data =~ /P4-Context: (.*)/) {
      $user = $1;
     }

     # the message text follows the X-MMS-IM-Format: header
     if ($data =~ /X-MMS-IM-Format:\s.*\r(.*)/s) {
      $msg = $1;
     }

     # display if we have either
     if (($user) || ($msg)) {
      $user = "unknown user" if (!$user);
      $msg  = '' unless defined $msg;
      if (!$opts{w}) {
       print "\n----------------------------------------------------\n";
       print "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n";
       print "TO/FROM: $user\nMESSAGE:\n$msg\n";
      } else {
       print FILEOUT "\n----------------------------------------------------\n";
       print FILEOUT "src_ip($ip_obj->{src_ip}) dst_ip($ip_obj->{dest_ip})\n";
       print FILEOUT "TO/FROM: $user\nMESSAGE: \n$msg\n\n";
      }
     }
    }

    #eof
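    As an added example (not part of the advisory or of the msndump tool), the extraction that the script's MSG, P4-Context:, X-MMS-IM-Format: and P2P-Dest: regexes perform, written in Python and generalised to use the MSG length field so that several commands sharing one TCP segment, or a command cut off by the snaplen, are handled correctly. The sample segment is constructed, and the MsnMessage, parse_msn_payload and msg_frame names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# 'MSG <from> <nick> <len>\r\n' (server->client) or 'MSG <trid> <ack> <len>\r\n' (client->server)
MSG_HEADER = re.compile(rb"MSG (\S+) (\S+) (\d+)\r\n")

@dataclass
class MsnMessage:
    sender: str              # user@host, or the P4-Context: value when the MSG line has no address
    headers: Dict[str, str]  # MIME-style headers such as X-MMS-IM-Format or TypingUser
    body: str                # chat text; empty for control messages

def parse_msn_payload(data: bytes) -> List[MsnMessage]:
    """Return every MSG command in a TCP payload (length-delimited), skipping P2P transfers."""
    msgs, pos = [], 0
    while (m := MSG_HEADER.search(data, pos)):
        sender, length = m.group(1).decode(), int(m.group(3))
        payload = data[m.end():m.end() + length]
        pos = m.end() + length
        if len(payload) < length:
            break                                  # truncated: the rest is in a later segment
        head, _, body = payload.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().decode(errors="replace")] = value.strip().decode(errors="replace")
        if "P2P-Dest" in headers:                  # file-transfer chunk, skipped as msndump.pl does
            continue
        if "@" not in sender and "P4-Context" in headers:
            sender = headers["P4-Context"]
        msgs.append(MsnMessage(sender, headers, body.decode("utf-8", errors="replace")))
    return msgs

def msg_frame(sender: bytes, nick: bytes, payload: bytes) -> bytes:
    """Frame one MSG command the way the protocol does; only used to build the sample below."""
    return b"MSG %s %s %d\r\n%s" % (sender, nick, len(payload), payload)

# Constructed sample segment (not captured data): chat line, typing notification, P2P chunk.
SAMPLE_SEGMENT = (
    msg_frame(b"alice@example.com", b"Alice", b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n"
              b"X-MMS-IM-Format: FN=Arial; EF=; CO=0; CS=0; PF=0\r\n\r\nhello bob")
    + msg_frame(b"alice@example.com", b"Alice", b"MIME-Version: 1.0\r\nContent-Type: text/x-msmsgscontrol\r\n"
                b"TypingUser: alice@example.com\r\n\r\n")
    + msg_frame(b"alice@example.com", b"Alice", b"MIME-Version: 1.0\r\nContent-Type: application/x-msnmsgrp2p\r\n"
                b"P2P-Dest: bob@example.com\r\n\r\nBINARY")
)
```

    The point for a defender is the same one the tool makes: everything on port 1863 here, sender, formatting header and chat text, is readable by anyone on the path.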

    ADDITIONAL INFORMATION

    The information has been provided by rocco.s <rocco.s@telstra.com>.
    To keep updated with the tool visit the project's homepage at:
    http://miscname.com/
