[ doona-1.0+git20190108/README ]

[ Doona - Network fuzzing tool ]

.:: About ::.

Doona is a fork of the Bruteforce Exploit Detector Tool (BED). BED is a program which is designed to check daemons for potential buffer overflows, format string bugs etc.

Doona is Australian for duvet. It adds a significant enough number of features/changes to BED that I renamed it to avoid confusion. I hope you'll find it useful.

@Wireghoul

.:: Version ::.

1.0 - New command line switches, more fuzz data and fuzz cases
0.9 - Bugfixes, more fuzz cases and new modules
0.8 - Bugfixes and more fuzz cases
0.7 - Multi verb support, more fuzz cases and bug fixes
0.6 - First official doona release
0.5 - Fork from BED

See 'Docs/CHANGES' for the full changelog.

.:: License ::.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or any later version.

See 'Docs/gpl.txt' for more information.

.:: Authors ::.

Doona:
Eldar Marcussen aka. 'Wireghoul'
http://www.justanotherhacker.com

BED was written by:
Eric Sesterhenn aka. 'Snakebyte'
Martin J. Muench aka. 'mjm'

[ doona-1.0+git20190108/Docs/CHANGES ]

[ Coming in 1.0 ]
- Added health check support (-c flag)
- Added keep trying support (-k flag)
- Added more fuzz cases (http, rtsp, tftp, proxy)
- Added more fuzz data

[ 0.9 ]
- Added NNTP module (from @bcoles)
- Added DICT module (from @bcoles)
- More http fuzz cases
- Fixed bug in test case dump

[ 0.8 ]
- Fixed some bugs in the smtp module
- Fixed faulty error messages in pop, http, ftp, rtsp and proxy modules
- Added more ftp test cases

[ 0.7 ]
- resolved the need for a hardcoded plugin list
- added max requests option to allow parallel execution (easier than hacking in thread support)
- added sigpipe handler to prevent silent exit if server unexpectedly closes the connection
- added http proxy module
- added more ftp test cases
- added more rtsp test cases
- added more http test cases
- added more irc test cases
- fixed a long standing BED bug where two test strings were accidentally concatenated
- fixed a long standing BED bug where a hex representation of a 32bit integer was not max value as intended
- aliased -m to -s (-s is getting deprecated/reassigned)
- renamed plugins to modules (-m is for module)
- removed directory traversal testing code from ftp module
- rewrote/broke misc testing procedure to test specific edge cases, needs redesign
- added support for multiple setup/prefix/verbs, ie: fuzzing Host headers with GET/POST/HEAD requests
- fixed long standing BED bug in the smtp module where it wouldn't greet the mail server correctly with HELO
- added more smtp test cases
- fixed long standing BED bug in escaped Unicode strings
- added more large integer and formatstring fuzz strings
- fixed column alignment in the progress output

[ 0.6 first doona release ]
- added rtsp module
- added tftp module
- added whois module
- added more irc test cases
- added more finger test cases
- added more http test cases
- added more ftp test cases
- added progress indicator count to fuzz cases
- added resume feature (uses test case number)
- added crash indicators for test case number
- added signal handlers (displays testcase number on ctrl^c or kill)
- added feature to dump what a test case number would send
- ftp module now uses anonymous login if username password not provided
- changed the order test cases are executed to allow corner cases to be tested earlier
- changed diagnostic output
- new and improved help text
- some code cleanup

[ 0.5 ]
- fixed port for smtp module
- added a check for some "random" numbers
- added some more misc strings
- added some commands to ftp, pop and imap

[ 0.42 ]
- added unicode testing ( untested! )
- added some stuff to the ftp directory traversal, inspired by Dennis Rand Platinum FTP Advisory
- started to write a socks5 plugin but then realized this is pretty boring, because you have to provide the necessary lengths on your own... so only buffer underruns are checked here...
- added a new option -o to specify the timeOut... this is useful if a server bans for too fast connection retries, or when simply sending the latest two testcases after crashing doesn't reproduce the crash
- new module, socks4... yeah I _am_ bored :)
- new module: lpd ( unfinished... )
- new, lame module: finger :)
- beautified the code
- new module: PJL
- added a status bar ( pls, don't look how I did it... )
- fixed some errors with udp
- reniced some output... :)
- local tcp/udp port can now be specified too

[ 0.3 ]
- new modules: HTTP, IRC
- a new method to check whether server is still alive
- possibility to use udp and tcp

[ 0.2 ]
- new structure of bed, simple modules for each service
- new services support: SMTP, POP

[ doona-1.0+git20190108/Docs/HOWTO ]

Howto use BED?
Using BED is quite simple :)

Decide which protocol you want to stress test and start bed using the commandline

    perl bed.pl -m module -t 192.168.0.1

BED will then run for a while, and maybe report to you that a connection attempt to the service failed. If this is the case you might have detected a bug.

The next step is to run BED again with a higher timeout between the testcases; depending on the duration of your coffee break, values of 5 to 30 seconds are fine. So restart the daemon or box and run BED again, using the -o switch. If BED reports a crash at the same place again, take a look at the module you were using (in bedmod/xxxx.pm) and search for the testcase, then run it by hand (either using netcat and perl, or write your own script) against the daemon. If you can reproduce the problem, it's time to look at the sources, the coredump, or to use a disassembler and debugger to find out what's really happening in there.

If BED reports the crash at another test, just increase the timeout a bit more until you have found the testcase which produces the crash; just do some trial and error, because sometimes the crash happens much later than you sending the data. I had wait times of up to 2 minutes with a Lexmark T522 printer until the box finally crashed and called for service :)

That's about it... enjoy

[ doona-1.0+git20190108/Docs/dummy.pm ]

```perl
package bedmod::dummy;
use Socket;

# Example plugin for a doona module
# Replace the use of "dummy" with your module name
# Copy the file to bedmod as
#

# create a new instance of this object
sub new {
    my $this = {};
    # define everything you might need
    $this->{something} = undef;
    bless $this;
    return $this;
}

# initialise some parameters
sub init {
    my $this = shift;
    %special_cfg = @_;

    # Set protocol tcp/udp
    $this->{proto} = "tcp";

    # insert your default port here...
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '110';
    } else {
        $this->{port} = $special_cfg{'p'};
    }

    # verify you got everything you need,
    # %special_cfg will provide you the commandline
    # switches from u, v, w and x
    if ($special_cfg{'u'} eq "") {
        &usage;
    }

    # set info necessary for your module..
    $this->{u} = $special_cfg{'u'};

    # check that the server is still alive
    die "Server failed health check!\n" unless ($this->health_check());
}

# Perform a common action such as authenticating here;
# if this check fails, assume the server has crashed
sub health_check {
    # Should send/receive a packet and match expected behaviour to be considered healthy
    # return true to continue fuzzing
    return 1;
}

# how to quit ?
sub getQuit {
    # what to send to close the connection the right way
    return("QUIT\r\n");
}

# what to test without authenticating
# Typically the login stuff
sub getLoginarray {
    my $this = shift;
    # init() stored the -u value in $this->{u}
    @Loginarray = (
        "USER XAXAX\r\n",
        "USER $this->{u}\r\nPASS XAXAX\r\n"
    );
    return (@Loginarray);
}

# which commands does this protocol know ?
sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string data
    # place every command in this array you want to test
    @cmdArray = (
        "foo XAXAX\r\n",
        "bar XAXAX\r\n",
        "XAXAX\r\n"
    );
    return(@cmdArray);
}

# what to send to login ?
sub getLogin {
    # login procedure
    my $this = shift;
    @login = (
        "Hi, I am a dummy\r\n",
        "This is my pass: foobar\r\n"
    );
    return(@login);
}

# here we can test everything besides buffer overflows and format strings
sub testMisc {
    # Insert your favourite directory traversal bug here :)
    my $this = shift;
    return();
}

# Module specific help goes here
# Leave an empty sub if there is no module specific help
sub usage {
    print qq~
Parameters for the dummy plugin:
    -u
~;
    exit(1);
}

1;
```

[ doona-1.0+git20190108/Docs/TODO ]

- a lot of plugins, feel free to write some :)
- Fix FTP module to still fuzz public commands if login fails
- Add support for ping feature to see if service is still alive (better crash detection)
- Fix modules that insist on connecting when not necessary

[ doona-1.0+git20190108/Docs/gpl.txt ]

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price.
Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. 
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. 
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. 
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. 
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. 
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. 
If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

[ doona-1.0+git20190108/Docs/FAQ ]

[ Frequently Asked Questions ]

Bruteforce Exploit Detector written by mjm ( www.codito.de ) and snakebyte ( www.kryptocrew.de/snakebyte/ )

1.) Why test at all?

Security is necessary, I think we agree on that. Due to the fact that there are other programs and ways to test software ( see question 2 ), I think this one is the easiest: simply sending the stuff to a server which is known to cause problems. Verification of whether a test failed or not is also pretty simple. So this collection of scripts does not verify that your code has no problems at all, but it can make sure that you made your way around the most common ones.

2.) Which other tools exist for security testing?

Splint ( www.splint.org ) checks the source code of a program for problems
BFBTester ( bfbtester.sourceforge.net ) checks command line and environment problems of binaries
l0phtwatch ( www.l0pht.com ) detects temp file problems
screamingcobra ( www.dachb0den.com ) checks php and perl scripts for problems which can lead to access to files on the server
wpoison ( wpoison.sourceforge.net ) checks websites for SQL injection problems
webtest ( martynov.org/webtest/ ) tests scripts on your website

...or you could hire a bunch of programmers who check the code manually :)

3.) What is ''XAXAX''?

XAXAX is the result of Snakebyte drinking beer and thinking about a good place-holder. XAXAX is replaced by the exploit string while testing.

4.) How can I write a plugin?

Check 'dummy.pm' for details..

[ doona-1.0+git20190108/bedmod/finger.pm ]

```perl
package bedmod::finger;
use Socket;

# lame finger plugin :)

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# create a new instance of this object
sub new {
    my $this = {};
    bless $this;
    return $this;
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# initialise some parameters
sub init {
    my $this = shift;
    %special_cfg = @_;

    # Set protocol tcp/udp
    $this->{proto} = "tcp";
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '79';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    $this->{sport} = 0;
    # string the core sends to verify the daemon still answers
    $this->{vrfy} = "root\n";
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# how to quit ?
sub getQuit {
    return("");
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to test without doing a login before
# ..mainly the login stuff *g*
sub getLoginarray {
    my $this = shift;
    @Loginarray = ("");
    return (@Loginarray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# which commands does this protocol know ?
sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string
    # place every command in this array you want to test
    @cmdArray = (
        "XAXAX\r\n",
        "\@XAXAX\r\n",
        "XAXAX\@\r\n",
        "XAXAX\@XAXAX\r\n"
    );
    return(@cmdArray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to send to login ?
sub getLogin {
    # login procedure
    my $this = shift;
    @login = ("");
    return(@login);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# here we can test everything besides buffer overflows and format strings
sub testMisc {
    my $this = shift;
    return();
}

sub usage {
}

1;
```

[ doona-1.0+git20190108/bedmod/smtp.pm ]

```perl
package bedmod::smtp;
use Socket;

# This package is an extension to bed, to check
# for smtp server vulnerabilities.

sub new {
    my $this = {};
    bless $this;
    return $this;
}

sub init {
    my $this = shift;
    %special_cfg = @_;
    $this->{proto} = "tcp";

    # check for missing args, set target and host
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '25';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    if ($special_cfg{'u'} eq "") {
        &usage();
        exit(1);
    }

    # get info necessary for SMTP
    $this->{mail} = $special_cfg{'u'};
    # string the core sends to verify the daemon still answers
    $this->{vrfy} = "HELP\r\n";
}

sub getQuit {
    return("QUIT\r\n");
}

sub getLoginarray {
    return(
        "XAXAX\r\n",
        "HELO XAXAX\r\n",
        "EHLO XAXAX\r\n",
        "HELP XAXAX\r\n",
    );
}

sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string
    # just comment them out if you don't like them..
    @cmdArray = (
        "EXPN XAXAX\r\n",
        "MAIL FROM: XAXAX\r\n",
        "MAIL FROM: \r\n",
        "MAIL FROM: <$this->{mail}> XAXAX\r\n",
        "MAIL FROM: <$this->{mail}> RET=XAXAX\r\n",
        "MAIL FROM: <$this->{mail}> ENVID=XAXAX\r\n",
        "ETRN XAXAX\r\n",
        "ETRN \@XAXAX\r\n",
        "MAIL FROM: <$this->{mail}>\r\nRCPT TO: \r\n",
        "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$this->{mail}> XAXAX\r\n",
        "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$this->{mail}> NOTIFY=XAXAX\r\n",
        "MAIL FROM: <$this->{mail}>\r\nRCPT TO: <$this->{mail}> ORCPT=XAXAX\r\n",
        "HELP XAXAX\r\n",
        "VRFY XAXAX\r\n",
        # the original spelled these two "RCTP TO:", which never reaches the RCPT parser
        "RCPT TO: XAXAX\r\n",
        "RCPT TO: \r\n",
        "RCPT TO: <$this->{mail}> XAXAX\r\n",
        "RCPT TO: <$this->{mail}> NOTIFY=XAXAX\r\n",
        "RCPT TO: <$this->{mail}> ORCPT=XAXAX\r\n",
        "RSET XAXAX\r\n",
        "AUTH mechanism XAXAX\r\n",
        "DATA XAXAX\r\n",
        "DATA\r\nXAXAX\r\n.",
        "XAXAX\r\n"
    );
    return(@cmdArray);
}

sub getLogin {
    my $this = shift;
    @login = (
        "HELO doona.pl\r\n",
        "EHLO doona.pl\r\n",
    );
    return(@login);
}

sub testMisc {
    my $this = shift;
    return();
}

sub usage {
    print qq~
Parameters for the SMTP plugin:
    -u
~;
}

1;
```

[ doona-1.0+git20190108/bedmod/socks4.pm ]

```perl
package bedmod::socks4;
use Socket;

# socks4 plugin (anyone still using this?)
# pretty few to test, I did not even find an rfc for this
# protocol *yuck*

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# create a new instance of this object
sub new {
    my $this = {};
    $this->{username} = undef;
    bless $this;
    return $this;
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# initialise some parameters
sub init {
    my $this = shift;
    %special_cfg = @_;

    # Set protocol tcp/udp
    $this->{proto} = "tcp";

    # check for missing args, set target and host
    # every module has to do this
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '1080';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    $this->{sport} = 0;
    $this->{vrfy} = "";
    if ($special_cfg{'u'} eq "") {
        &usage();
        exit(1);
    }
    $this->{username} = $special_cfg{'u'};
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# how to quit ?
sub getQuit {
    return ("");
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to test without doing a login before
# ..mainly the login stuff *g*
sub getLoginarray {
    my $this = shift;
    @Loginarray = ("");
    return (@Loginarray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# which commands does this protocol know ?
sub getCommandarray {
    my $this = shift;
    # all there is to test is the username as far as it seems...
    @cmdArray = (
        "XAXAX\n",
        # we use protocol version 04
        # destination port is 6668 (0x1a0c)
        # destination ip is 192.168.0.1 (0xc0a80001)
        "\x04\x01\x1a\x0c\xc0\xA8\x00\x01XAXAX\x00",                        # connect
        "\x04\x02\x1a\x0c\xc0\xA8\x00\x01XAXAX\x00",                        # bind
        "\x04\x01\x1a\x0c\x00\x00\x00\x01$this->{username}\x00XAXAX",       # connect socks4a
        "\x04\x02\x1a\x0c\x00\x00\x00\x01$this->{username}\x00XAXAX"        # bind socks4a
    );
    return (@cmdArray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to send to login ?
sub getLogin {
    # login procedure
    my $this = shift;
    @login = ("");
    return (@login);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# here we can test everything besides buffer overflows and format strings
sub testMisc {
    my $this = shift;
    return ();
}

sub usage {
    print qq~
Parameters for the Socks4 plugin:
    -u
~;
}

1;
```

[ doona-1.0+git20190108/bedmod/pjl.pm ]

```perl
package bedmod::pjl;
use Socket;

# Plugin to check PJL Printer
# written to test a Lexmark T522
#
# I didn't read the pjl rfc or whatever, just included
# the stuff I found by a quick google search :)

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# create a new instance of this object
sub new {
    my $this = {};
    bless $this;
    return $this;
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# initialise some parameters
sub init {
    my $this = shift;
    %special_cfg = @_;

    # Set protocol tcp/udp
    $this->{proto} = "tcp";

    # check for missing args, set target and host
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '9100';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    $this->{vrfy} = "";
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# how to quit ?
sub getQuit {
    # UEL (ESC %-12345X) ends the PJL job
    return ("\33%-12345X\n");
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# we got no login procedure...
sub getLoginarray {
    my $this = shift;
    @Loginarray = ("");
    return (@Loginarray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# which commands does this protocol know ?
sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string
    # here we go with our commands
    $PI = "\33%-12345X\@PJL";    # \n\@PJL
    @cmdArray = (
        $PI . " ENTER XAXAX\n",
        $PI . " ENTER LANGUAGE = XAXAX\n",
        $PI . " JOB XAXAX\n",
        $PI . " JOB NAME = XAXAX\n",
        $PI . " JOB NAME = \"foo\" START = XAXAX\n",
        $PI . " JOB NAME = \"foo\" END = XAXAX\n",
        $PI .
```
" JOB NAME = \"foo\" PASSWORD = XAXAX\n", $PI . " EOJ XAXAX\n", $PI . " EOJ NAME = XAXAX\n", $PI . " DEFAULT XAXAX\n", $PI . " DEFAULT LPARM: XAXAX\n", $PI . " DEFAULT IPARM: XAXAX\n", $PI . " SET XAXAX\n", $PI . " SET LPARM: XAXAX\n", $PI . " SET IPARM: XAXAX\n", $PI . " INQUIRE XAXAX\n", $PI . " INQUIRE LPARM: XAXAX\n", $PI . " INQUIRE IPARM: XAXAX\n", $PI . " DINQUIRE XAXAX\n", $PI . " DINQUIRE LPARM: XAXAX\n", $PI . " DINQUIRE IPARM: XAXAX\n", $PI . " INFO XAXAX\n", $PI . " ECHO XAXAX\n", $PI . " USTATUS XAXAX\n", $PI . " USTATUS A = XAXAX\n", $PI . " OPMSG DISPLAY = XAXAX\n", $PI . " RDYMSG DISPLAY = XAXAX\n", $PI . " STMSG DISPLAY = XAXAX\n", $PI . " COMMENT XAXAX\n", $PI . " SET PAGEPROTECT = XAXAX\n", $PI . " SET LIMAGEENHANCE = XAXAX\n", $PI . " LDPARM : PCL LCOLOREXTENSIONS = XAXAX\n", $PI . " LJOBINFO XAXAX\n", $PI . " LJOBINFO USERID = XAXAX\n", $PI . " LJOBINFO HOSTID = XAXAX\n" ); return (@cmdArray); } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # what to send to login ? sub getLogin { # login procedure my $this = shift; @login = (""); return (@login); } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # here we can test everything besides buffer overflows and format strings sub testMisc { my $this = shift; return (); } sub usage { } 1; doona-1.0+git20190108/bedmod/http.pm0000644000175000017500000002215513415160327014736 0ustar hlehlepackage bedmod::http; use Socket; # This package is an extension to bed, to check # for http server vulnerabilities. 
sub new { my $this = {}; bless $this; return $this; } sub init { my $this = shift; %special_cfg=@_; $this->{proto}="tcp"; $this->{healthy}=undef; if ($special_cfg{'p'} eq "") { $this->{port}='80'; } else { $this->{port} = $special_cfg{'p'}; } if ($special_cfg{'d'}) { return; } die "HTTP server failed health check!\n" unless($this->health_check()); } sub health_check { my $this = shift; $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n"; $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n"; my $resp = ; if (!$this->{healthy}) { if ($resp =~ /HTTP/) { $this->{healthy}=$resp; } # print "Set healthy: $resp"; } return $resp =~ m/^$this->{healthy}$/; } sub getQuit { return("\r\n\r\n"); } sub getLoginarray { my $this = shift; @Loginarray = ( "XAXAX\r\n\r\n", "XAXAX / HTTP/1.0\r\n\r\n", "HEAD XAXAX HTTP/1.0\r\n\r\n", "HEAD /XAXAX HTTP/1.0\r\n\r\n", "HEAD /?XAXAX HTTP/1.0\r\n\r\n", "HEAD / XAXAX\r\n\r\n", "HEADXAXAX / HTTP/1.0\r\n\r\n", "GET XAXAX HTTP/1.0\r\n\r\n", "GET /XAXAX HTTP/1.0\r\n\r\n", "GET /XAXAX.html HTTP/1.0\r\n\r\n", "GET /index.XAXAX HTTP/1.0\r\n\r\n", "GET /~XAXAX HTTP/1.0\r\n\r\n", "GET /?XAXAX HTTP/1.0\r\n\r\n", "GET /?XAXAX=x HTTP/1.0\r\n\r\n", "GET /?x=XAXAX HTTP/1.0\r\n\r\n", "GET / XAXAX\r\n\r\n", "GET / HTTP/XAXAX\r\n\r\n", "GET /XAXAX\r\n\r\n", "GETXAXAX / HTTP/1.0\r\n\r\n", "POST XAXAX HTTP/1.0\r\n\r\n", "POST /XAXAX HTTP/1.0\r\n\r\n", "POST /?XAXAX HTTP/1.0\r\n\r\n", "POST / XAXAX\r\n\r\n", "POST /XAXAX\r\n\r\n", "POST / HTTP/1.0\r\n\r\nXAXAX\r\n\r\n", "POST / HTTP/1.0\r\nContent-length: 10\r\n\r\nXAXAX\r\n\r\n", "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---XAXAX\r\n\r\n---XAXAX--\r\n\r\n", "POST / 
HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---AAAAA\r\n\r\n---AAAAA\r\nContent-Disposition: form-data; name=\"XAXAX\"\r\n\r\ntest\r\n---AAAAA--\r\n\r\n", "POST / HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=---AAAAA\r\n\r\n---AAAAA\r\nContent-Disposition: form-data; name=\"test\"\r\n\r\nXAXAX\r\n---AAAAA--\r\n\r\n", "OPTIONS XAXAX HTTP/1.0\r\n\r\n", "OPTIONS /XAXAX HTTP/1.0\r\n\r\n", "OPTIONS / XAXAX\r\n\r\n", "PUT XAXAX HTTP/1.0\r\n\r\n", "PUT /XAXAX HTTP/1.0\r\n\r\n", "PUT / XAXAX\r\n\r\n", "TRACE XAXAX HTTP/1.0\r\n\r\n", "TRACE /XAXAX HTTP/1.0\r\n\r\n", "TRACE / XAXAX\r\n\r\n", "TRACK XAXAX HTTP/1.0\r\n\r\n", ); return (@Loginarray); } sub getCommandarray { my $this = shift; @cmdArray = ( "XAXAX: XAXAX\r\n\r\n", "User-Agent: XAXAX\r\n\r\n", "Host: XAXAX\r\n\r\n", "Host: XAXAX:80\r\n\r\n", "Host: somehost:XAXAX\r\n\r\n", "Accept: XAXAX\r\n\r\n", "Accept-Encoding: XAXAX\r\n\r\n", "Accept-Language: XAXAX\r\n\r\n", "Accept-Charset: XAXAX\r\n\r\n", "Connection: XAXAX\r\n\r\n", "Date: XAXAX\r\n\r\n", "Referer: XAXAX\r\n\r\n", "Referer: XAXAX://somehost.com/\r\n\r\n", "Referer: http://XAXAX/\r\n\r\n", "Referer: http://somehost.com/XAXAX\r\n\r\n", "Authorization: XAXAX\r\n\r\n", "From: XAXAX\r\n\r\n", "Charge-To: XAXAX\r\n\r\n", "Authorization: XAXAX\r\n\r\n", "Authorization: Basic XAXAX\r\n\r\n", "Authorization XAXAX: Basic AAAAAA\r\n\r\n", "Authorization: Digest XAXAX\r\n\r\n", "Authorization: Digest username=\"XAXAX\",realm=\"d\@ona.com\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",qop=auth,nc=00000001,cnonce=\"0a4f113b\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest username=\"doona\",realm=\"XAXAX\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",qop=auth,nc=00000001,cnonce=\"0a4f113b\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest 
username=\"doona\",realm=\"d\@ona.com\",nonce=\"XAXAX\",uri=\"/index.html\",qop=auth,nc=00000001,cnonce=\"0a4f113b\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest username=\"doona\",realm=\"d\@ona.com\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"XAXAX\",qop=auth,nc=00000001,cnonce=\"0a4f113b\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest username=\"doona\",realm=\"d\@ona.com\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",qop=XAXAX,nc=00000001,cnonce=\"0a4f113b\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest username=\"doona\",realm=\"d\@ona.com\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",qop=auth,nc=XAXAX,cnonce=\"0a4f113b\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest username=\"doona\",realm=\"d\@ona.com\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",qop=auth,nc=00000001,cnonce=\"XAXAX\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest username=\"doona\",realm=\"d@ona.com\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",qop=auth,nc=00000001,cnonce=\"0a4f113b\",response=\"XAXAX\",opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"\r\n\r\n", "Authorization: Digest username=\"doona\",realm=\"d@ona.com\",nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\",uri=\"/index.html\",qop=auth,nc=00000001,cnonce=\"0a4f113b\",response=\"6629fae49393a05397450978507c4ef1\",opaque=\"XAXAX\"\r\n\r\n", "Authorization: XAXAX : foo\r\n\r\n", "Authorization: foo : XAXAX\r\n\r\n", "If-Modified-Since: XAXAX\r\n\r\n", "If-Match: XAXAX\r\n\r\n", "If-None-Match: XAXAX\r\n\r\n", "If-Range: XAXAX\r\n\r\n", "If-Unmodified-Since: XAXAX\r\n\r\n", 
"Max-Forwards: XAXAX\r\n\r\n", "Proxy-Authorization: XAXAX\r\n\r\n", "ChargeTo: XAXAX\r\n\r\n", "Pragma: XAXAX\r\n\r\n", "Expect: XAXAX\r\n\r\n", "Range: XAXAX\r\n\r\n", "Range: bytes=1-XAXAX\r\n\r\n", "Range: bytes=0-1,XAXAX\r\n", "Content-Length: XAXAX\r\n\r\n", "Content-Type: XAXAX\r\n\r\n", "Content-Type: text/html; XAXAX\r\n\r\n", "Content-Type: XAXAX/html; charset=ISO-8859-4\r\n\r\n", "Content-Type: text/XAXAX; charset=ISO-8859-4\r\n\r\n", "Content-Type: text/html; XAXAX=ISO-8859-4\r\n\r\n", "Content-Type: text/html; charset=XAXAX\r\n\r\n", "Content-Encoding: XAXAX\r\n\r\n", "Content-Encoding: XAXAX\r\nCache-control: no-transform\r\n\r\n", "Content-Language: XAXAX\r\n\r\n", "Cache-control: XAXAX\r\n\r\n", "Cache-control: max-age=XAXAX\r\n\r\n", "Cache-control: min-fresh=XAXAX\r\n\r\n", "Cache-control: max-stale=XAXAX\r\n\r\n", "Cookie: XAXAX\r\n\r\n", "Cookie: XAXAX=abc\r\n\r\n", "Cookie: abc=XAXAX\r\n\r\n", # The meaning of the Content-Location header in PUT or POST requests is # undefined; servers are free to ignore it in those cases. "Content-Location: XAXAX\r\n\r\n", "Content-Language: XAXAX\r\n\r\n", "Content-MD5: XAXAX\r\n\r\n", "Content-Range: 0-XAXAX/1024\r\n\r\n", "Content-Range: XAXAX-500/1024\r\n\r\n", "Content-Range: 0-500/XAXAX\r\n\r\n", "X-Headr: XAXAX\r\n XAXAX\r\n\r\n", "TE: XAXAX\r\n\r\n", "Trailer: XAXAX\r\n\r\n", "Transfer-Encoding: XAXAX\r\n\r\n", "Via: XAXAX\r\n\r\n", "X-Forwarded-For: XAXAX\r\n\r\n", "Upgrade: XAXAX/1.0\r\nConnection: upgrade\r\n\r\n", ); return(@cmdArray); } sub getLogin { my $this = shift; @login = ( "GET / HTTP/1.0\r\n", "POST / HTTP/1.0\r\n", "HEAD / HTTP/1.0\r\n", "GET / HTTP/1.1\r\n", "OPTIONS / HTTP/1.0\r\n", "PUT / HTTP/1.0\r\n", "TRACE / HTTP/1.0\r\n", ); return(@login); } sub testMisc { #Put your corner case tests here my $this = shift; @cmdArray = ( "GET / HTTP/1.0\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . 
"\r\n" ); return(@cmdArray); } sub usage { } 1; doona-1.0+git20190108/bedmod/nntp.pm0000644000175000017500000001057213415160327014736 0ustar hlehlepackage bedmod::nntp; use Socket; # This package is an extension to bed, to check # for NNTP server vulnerabilities. sub new { my $this = {}; $this->{username} = 'anonymous'; # specific for just this $this->{password} = 'password'; # module bless $this; return $this; } sub init { my $this = shift; %special_cfg=@_; $this->{proto}="tcp"; if ($special_cfg{'p'} eq "") { $this->{port}='119'; } else { $this->{port} = $special_cfg{'p'}; } $this->{vrfy} = "HELP\r\n"; $this->{username} = $special_cfg{'u'} if $special_cfg{'u'}; $this->{password} = $special_cfg{'v'} if $special_cfg{'v'}; # let's see if we got a correct login (skip if dump mode is set) if ($special_cfg{'d'}) { return; } $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n"; $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; send(SOCKET, "authinfo user $this->{username}\r\n", 0) || die "Username failed: $!\n"; $recvbuf = ; sleep(1); send(SOCKET, "authinfo pass $this->{password}\r\n", 0) || die "Password failed: $!\n"; do { $recvbuf = ; print ($recvbuf); if ( $recvbuf =~ "452" ) { print ("Username or password incorrect, can't login\n"); exit(1); } sleep(0.2); # 281 Authorization accepted } until ( $recvbuf =~ "281" ); send(SOCKET, "QUIT\r\n", 0); close(SOCKET); } sub getQuit { return("QUIT\r\n"); } sub getLoginarray { my $this = shift; @Loginarray = ( "XAXAX\r\n", "authinfo XAXAX\r\n", "authinfo XAXAX XAXAX\r\n", "authinfo user XAXAX\r\nXAXAX\r\n", "authinfo user XAXAX\r\nauthinfo pass XAXAX\r\n", "authinfo user $this->{username}\r\nauthinfo pass XAXAX\r\n", "authinfo pass XAXAX\r\n", "authinfo simple XAXAX\r\n", "authinfo 
simple\r\nXAXAX XAXAX\r\n", "authinfo simple\r\n$this->{username} XAXAX\r\n", "authinfo generic XAXAX\r\n", "authinfo generic XAXAX XAXAX\r\n" ); return (@Loginarray); } sub getCommandarray { my $this = shift; # the XAXAX will be replaced with the buffer overflow / format string # just comment them out if you don't like them.. @cmdArray = ( "XAXAX\r\n", "authinfo XAXAX\r\n", "authinfo XAXAX XAXAX\r\n", "authinfo user XAXAX\r\nXAXAX\r\n", "authinfo user XAXAX\r\nauthinfo pass XAXAX\r\n", "authinfo user $this->{username}\r\nauthinfo pass XAXAX\r\n", "authinfo pass XAXAX\r\n", "authinfo simple XAXAX\r\n", "authinfo simple\r\nXAXAX XAXAX\r\n", "authinfo simple\r\n$this->{username} XAXAX\r\n", "authinfo generic XAXAX\r\n", "authinfo generic XAXAX XAXAX\r\n", "article XAXAX\r\n", "body XAXAX\r\n", "charset XAXAX\r\n", "check XAXAX\r\n", "group XAXAX\r\n", "head XAXAX\r\n", "help XAXAX\r\n", "ihave XAXAX\r\n", "list XAXAX\r\n", "list active XAXAX\r\n", "list newsgroups XAXAX\r\n", "listgroup XAXAX\r\n", "mode XAXAX\r\n", "mode stream XAXAX\r\n", "mode reader XAXAX\r\n", "newgroups XAXAX XAXAX XAXAX XAXAX\r\n", "newnews XAXAX XAXAX XAXAX XAXAX XAXAX\r\n", "stat XAXAX\r\n", "takethis XAXAX\r\n", "xgtitle XAXAX\r\n", "xhdr XAXAX\r\n", "xhdr header XAXAX\r\n", "xindex XAXAX\r\n", "xover XAXAX\r\n", "xover XAXAX\r\n", "xpat XAXAX XAXAX XAXAX XAXAX\r\n", "xpath XAXAX\r\n", "xreplic XAXAX\r\n", "xthread XAXAX\r\n", "xgtitle\r\n" ); return(@cmdArray); } sub getLogin { # login procedure my $this = shift; @login = ("authinfo user $this->{username}\r\nauthinfo pass $this->{password}\r\n"); return(@login); } sub testMisc { return(); } sub usage { print qq~ NNTP module specific options: -u = Username to use for authentication (default: anonymous) -v = Password to use for authentication (default: password) ~; } 1; doona-1.0+git20190108/bedmod/tftp.pm0000644000175000017500000000271513415160327014734 0ustar hlehlepackage bedmod::tftp; use Socket; # lame tftp plugin :) # create a new 
instance of this object sub new { my $this = {}; bless $this; return $this; } # initialise some parameters sub init{ my $this = shift; %special_cfg=@_; # Set protocol tcp/udp $this->{proto} = "udp"; if ($special_cfg{'p'} eq "") { $this->{port}='69'; } else { $this->{port} = $special_cfg{'p'}; } $this->{sport} = 0; $this->{vrfy} = ""; } # how to quit ? sub getQuit { return(""); } # what to test without doing a login before sub getLoginarray { my $this = shift; @Loginarray = (""); return (@Loginarray); } # which commands does this protocol know ? sub getCommandarray { my $this = shift; # the XAXAX will be replaced with the buffer overflow / format string # place every command in this array you want to test @cmdArray = ( "XAXAX", # B0F "\x00\x01XAXAX\x00netascii\x00", #RRQ "\x00\x01XAXAX\x00octet\x000", #RRQ "\x00\x01XAXAX\x00mail\x00", #RRQ "\x00\x01"."fuzz\x00XAXAX\x00", #RRQ "\x00\x02\x41\x00XAXAX\x00", #WRQ "\x00\x03\x41\x00XAXAX\x00", #DATA? "\x0c\x0dXAXAX\x00", ); return(@cmdArray); } # what to send to login ? sub getLogin { my $this = shift; @login = (""); return(@login); } # here we can test everything besides buffer overflows and format strings sub testMisc { my $this = shift; return(); } sub usage { } 1; doona-1.0+git20190108/bedmod/whois.pm0000644000175000017500000000235513415160327015110 0ustar hlehlepackage bedmod::whois; use Socket; # lame whois plugin :) # create a new instance of this object sub new { my $this = {}; bless $this; return $this; } # initialise some parameters sub init { my $this = shift; %special_cfg=@_; # Set protocol tcp/udp $this->{proto} = "tcp"; if ($special_cfg{'p'} eq "") { $this->{port}='43'; } else { $this->{port} = $special_cfg{'p'}; } $this->{sport} = 0; $this->{vrfy} = ""; } # how to quit ? sub getQuit { return(""); } # what to test without doing a login before sub getLoginarray { my $this = shift; @Loginarray = (""); return (@Loginarray); } # which commands does this protocol know ? 
sub getCommandarray { my $this = shift; # the XAXAX will be replaced with the buffer overflow / format string # place every command in this array you want to test @cmdArray = ( "XAXAX\r\n", "?XAXAX\r\n", "!XAXAX\r\n", ".XAXAX\r\n", "XAXAX...\r\n", "*XAXAX\r\n", "XAXAX.tld\r\n", "domain.XAXAX\r\n" ); return(@cmdArray); } # what to send to login ? sub getLogin { my $this = shift; return(""); } sub testMisc { my $this = shift; return(); } sub usage { } 1; doona-1.0+git20190108/bedmod/http_more.pm0000644000175000017500000001024413415160327015754 0ustar hlehlepackage bedmod::http_more; use Socket; # This package is an extension to doona, to check # for http server vulnerabilities. # # Tests for request methods and request fields not tested in the standard http module # Written by Grid sub new { my $this = {}; bless $this; return $this; } sub init { my $this = shift; %special_cfg=@_; $this->{proto}="tcp"; if ($special_cfg{'p'} eq "") { $this->{port}='80'; } else { $this->{port} = $special_cfg{'p'}; } if ($special_cfg{'d'}) { return; } $iaddr = inet_aton($this->{target}) || die "Unknown host: $host\n"; $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n"; } sub health_check { my $this = shift; $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n"; $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n"; my $resp = ; if (!$this->{healthy}) { if ($resp =~ /HTTP/) { 
$this->{healthy}=$resp; } # print "Set healthy: $resp"; } return $resp =~ m/^$this->{healthy}$/; } sub getQuit { return("\r\n\r\n"); } sub getLoginarray { my $this = shift; @Loginarray = ( "GET /default.XAXAX HTTP/1.1\r\nHost: 192.168.43.128\r\n\r\n", "GET /XAXAX.html HTTP/1.1\r\nHost: 192.168.43.128\r\n\r\n", "CONNECT XAXAX:80 HTTP/1.1\r\n\r\n", "CONNECT 192.168.43.128/home:XAXAX HTTP/1.1\r\n\r\n", "PATCH /XAXAX HTTP/1.1\r\nHost: 192.168.43.128\r\n\r\n", ); return (@Loginarray); } sub getCommandarray { my $this = shift; @cmdArray = ( "Accept-Datetime: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Cache-Control: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Content-MD5: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Content-Type: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Date: XAXAX\r\n\r\n", "Forwarded: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Origin: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Via: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Warning: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Requested-With: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "DNT: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Forwarded-For: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Forwarded-Host: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Forwarded-Proto: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Front-End-Https: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Http-Method-Override: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Att-Deviceid: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Wap-Profile: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "Proxy-Connection: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-UIDH: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Csrf-Token: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", ); return(@cmdArray); } sub getLogin { my $this = shift; @login = ( "CONNECT 192.168.43.128:80 HTTP/1.1\r\n", "PATCH /default.html HTTP/1.1\r\n", ); return(@login); } sub testMisc { #Put your corner case tests here my $this = shift; @cmdArray = ( "CONNECT 192.168.43.128:80 HTTP/1.1\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . 
"\r\n", "PATCH / HTTP/1.1\r\nHost: 192.168.43.128\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", ); return(@cmdArray); } sub usage { } 1; doona-1.0+git20190108/bedmod/rtsp.pm0000644000175000017500000001700013415160327014740 0ustar hlehlepackage bedmod::rtsp; use Socket; # This package is an extension to bed, to check # for http server vulnerabilities. sub new{ my $this = {}; $this->{healthy}=undef; bless $this; return $this; } sub init{ my $this = shift; %special_cfg=@_; $this->{proto}="tcp"; if ($special_cfg{'p'} eq "") { $this->{port}='554'; } else { $this->{port} = $special_cfg{'p'}; } if ($special_cfg{'d'}) { return; } die "RTSP server failed health check!\n" unless($this->health_check()); } sub health_check { my $this = shift; $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n"; $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; send(SOCKET, "DESCRIBE / RTSP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n"; my $resp = ; if (!$this->{healthy}) { if ($resp =~ /RTSP/) { $this->{healthy}=$resp; } # print "Set healthy: $resp"; } #print "DBG: Health resp: $resp\n"; return $resp =~ m/^$this->{healthy}$/; } sub getQuit{ return("\r\n\r\n"); } sub getLoginarray { my $this = shift; @Loginarray = ( "XAXAX\r\n\r\n", " XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "XAXAX / RTSP/1.0\r\nCSeq: 1\r\n\r\n", "XAXAX rtsp://localhost/file.mpg\r\nCSeq: 1\r\n\r\n", "XAXAX rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "OPTIONS XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "OPTIONS /XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "OPTIONS * XAXAX\r\nCSeq: 1\r\n\r\n", "OPTIONS * RTSP/1.0\r\nXAXAX: 1\r\n\r\n", "OPTIONS * RTSP/1.0\r\nCSeq: XAXAX\r\n\r\n", "DESCRIBE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 
1\r\n\r\n", "DESCRIBE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://localhost/XAXAX=0 RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://localhost/trackID=XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://XAXAX\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://XAXAX:pass\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://user:XAXAX\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://XAXAX:XAXAX\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://localhost/file.mpg XAXAX\r\nCSeq: 1\r\n\r\n", "DESCRIBE rtsp://localhost/file.mpg RTSP/XAXAX\r\nCSeq: 1\r\n\r\n", "SETUP XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SETUP XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SETUP rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SETUP rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SETUP rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 7\r\nContent-length: 3200\r\n\r\nXAXAX\r\n\r\n", "PLAY XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://localhost/XAXAX=0 RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://localhost/trackID=XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://XAXAX\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://XAXAX:pass\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://user:XAXAX\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://XAXAX:XAXAX\@localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://localhost/file.mpg XAXAX\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://localhost/file.mpg RTSP/XAXAX\r\nCSeq: 1\r\n\r\n", "PLAY rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 7\r\nContent-length: 3200\r\n\r\nXAXAX\r\n\r\n", "PAUSE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PAUSE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 
1\r\n\r\n", "PAUSE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "PAUSE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "RECORD XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "RECORD XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "RECORD rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "RECORD rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "ANNOUNCE XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "ANNOUNCE XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "ANNOUNCE rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "ANNOUNCE rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "TEARDOWN XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "TEARDOWN XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "TEARDOWN rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "TEARDOWN rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "GET_PARAMETER XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "GET_PARAMETER XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "GET_PARAMETER rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "GET_PARAMETER rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SET_PARAMETER XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SET_PARAMETER XAXAX://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SET_PARAMETER rtsp://XAXAX/file.mpg RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SET_PARAMETER rtsp://localhost/XAXAX RTSP/1.0\r\nCSeq: 1\r\n\r\n", "SET_PARAMETER rtsp://localhost/ RTSP/1.0\r\nCSeq: 1\r\nContent-type: text/parameters\r\n\r\nXAXAX: XAXAX\r\n", ); return (@Loginarray); } sub getCommandarray { my $this = shift; @cmdArray = ( "XAXAX: XAXAX\r\n\r\n", "Accept: XAXAX\r\n\r\n", "Accept-Encoding: XAXAX\r\n\r\n", "Accept-Language: XAXAX\r\n\r\n", "Accept-Charset: XAXAX\r\n\r\n", "Authorization: XAXAX\r\n\r\n", "Authorization: XAXAX\r\n\r\n", "Authorization: Basic XAXAX\r\n\r\n", "Authorization XAXAX: Basic AAAAAA\r\n\r\n", "Authorization: XAXAX:foo\r\n\r\n", "Authorization: foo:XAXAX\r\n\r\n", "Content-length: XAXAX\r\n", "Content-type: XAXAX\r\n", "Content-Type: 
text/parameters\r\n\r\nXAXAX: XAXAX\r\n\r\n", "CSeq: XAXAX\r\n\r\n", "From: XAXAX\r\n\r\n", "If-Modified-Since: XAXAX\r\n\r\n", "Proxy-Require: XAXAX\r\n", "Range: XAXAX\r\n\r\n", "Range: clock=XAXAX-XAXAX\r\n\r\n", "Referer: XAXAX\r\n\r\n", "Require: XAXAX\r\n\r\n", "Transport: XAXAX\r\n\r\n", "Session: XAXAX\r\n\r\n", "User-Agent: XAXAX\r\n\r\n", ); return(@cmdArray); } sub getLogin{ my $this = shift; @login = ( "ANNOUNCE rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n", "DESCRIBE rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n", "DESCRIBE rtsp://localhost/file.mpg RTSP/1.0\r\n", "PLAY rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n", "PAUSE rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n", "SETUP rtsp://localhost/file.mpg RTSP/1.0\r\nCSeq: 1\r\n", ); return(@login); } sub testMisc{ return(); } sub usage { } 1; doona-1.0+git20190108/bedmod/proxy.pm0000644000175000017500000001133413415160327015135 0ustar hlehlepackage bedmod::proxy; use Socket; # This package is an extension to bed, to check # for http proxy server vulnerabilities. 
sub new {
    my $this = {};
    bless $this;
    return $this;
}

sub init {
    my $this = shift;
    %special_cfg = @_;
    $this->{proto}   = "tcp";
    $this->{healthy} = undef;
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '8080';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    # dump mode (-d): never touch the network
    if ($special_cfg{'d'}) { return; }
    die "Proxy server failed health check!\n" unless ($this->health_check());
}

# Record the status line a plain HEAD gets on the first call and compare every
# later call against it: a changed or missing reply means the proxy no longer
# answers the way it did before the fuzz cases were sent.
sub health_check {
    my $this = shift;
    $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
    connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
    send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
    my $resp = <SOCKET>;    # first line of the reply, i.e. the status line
    close(SOCKET);
    if (!$this->{healthy}) {
        if (defined $resp && $resp =~ /HTTP/) { $this->{healthy} = $resp; }
    }
    # compare as a string: the recorded status line is data, not a pattern
    return (defined $resp && defined $this->{healthy} && $resp eq $this->{healthy}) ? 1 : 0;
}

sub getQuit {
    return("\r\n\r\n");
}

sub getLoginarray {
    my $this = shift;
    @Loginarray = (
        "XAXAX\r\n\r\n",
        "XAXAX http://127.0.0.2/ HTTP/1.0\r\n\r\n",
        "HEAD http://XAXAX/ HTTP/1.0\r\n\r\n",
        "HEAD http://127.0.0.2:XAXAX/ HTTP/1.0\r\n\r\n",
        "HEAD http://127.0.0.2/XAXAX HTTP/1.0\r\n\r\n",
        "HEAD http://127.0.0.2/ XAXAX\r\n\r\n",
        "GET http://XAXAX/ HTTP/1.0\r\n\r\n",
        "GET http://127.0.0.2:XAXAX/ HTTP/1.0\r\n\r\n",
        "GET http://127.0.0.2/XAXAX HTTP/1.0\r\n\r\n",
        "GET http://127.0.0.2/ XAXAX\r\n\r\n",
        "CONNECT XAXAX HTTP/1.0\r\n\r\n",
        "CONNECT XAXAX:80 HTTP/1.0\r\n\r\n",
        "CONNECT 127.0.0.2:XAXAX HTTP/1.0\r\n\r\n",
        "CONNECT 127.0.0.2:80 XAXAX\r\n\r\n",
    );
    return (@Loginarray);
}

sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string;
    # each header is sent after one of the request lines from getLogin
    @cmdArray = (
        "XAXAX: XAXAX\r\n\r\n",
        "User-Agent: XAXAX\r\n\r\n",
        "Host: XAXAX\r\n\r\n",
        "Host: XAXAX:80\r\n\r\n",
        "Host: somehost:XAXAX\r\n\r\n",
        "Accept: XAXAX\r\n\r\n",
        "Accept-Encoding: XAXAX\r\n\r\n",
        "Accept-Language: XAXAX\r\n\r\n",
        "Accept-Charset: XAXAX\r\n\r\n",
        "Connection: XAXAX\r\n\r\n",
        "Referer: XAXAX\r\n\r\n",
        "Referer: XAXAX://somehost.com/\r\n\r\n",
        "Referer: http://XAXAX/\r\n\r\n",
        "Referer: http://somehost.com/XAXAX\r\n\r\n",
        "Authorization: XAXAX\r\n\r\n",
        "From: XAXAX\r\n\r\n",
        "Charge-To: XAXAX\r\n\r\n",
        "Authorization: XAXAX",
        "Authorization: XAXAX : foo\r\n\r\n",
        "Authorization: foo : XAXAX\r\n\r\n",
        "If-Modified-Since: XAXAX\r\n\r\n",
        "If-Match: XAXAX\r\n\r\n",
        "If-None-Match: XAXAX\r\n\r\n",
        "If-Range: XAXAX\r\n\r\n",
        "If-Unmodified-Since: XAXAX\r\n\r\n",
        "Max-Forwards: XAXAX\r\n\r\n",
        "Proxy-Authorization: XAXAX\r\n\r\n",
        "ChargeTo: XAXAX\r\n\r\n",
        "Pragma: XAXAX\r\n\r\n",
        "Proxy-Connection: XAXAX\r\n\r\n",
        "Expect: XAXAX\r\n\r\n",
        "Range: XAXAX\r\n\r\n",
        "Range: bytes=1-XAXAX\r\n\r\n",
        "Range: bytes=0-1,XAXAX\r\n",
        "Content-Length: XAXAX\r\n\r\n",
        "Cookie: XAXAX\r\n\r\n",
        "TE: XAXAX\r\n\r\n",
        "Upgrade: XAXAX\r\nConnection: upgrade\r\n\r\n",
    );
    return(@cmdArray);
}

sub getLogin {
    my $this = shift;
    # several request lines: every header case is tried with each of them
    @login = (
        "GET http://127.0.0.2/ HTTP/1.0\r\n",
        "POST http://127.0.0.2/ HTTP/1.0\r\n",
        "CONNECT 127.0.0.1:80 HTTP/1.1\r\n",
        "GET http://127.0.0.2/ HTTP/1.1\r\n",
        "POST http://127.0.0.2/ HTTP/1.1\r\n",
        "CONNECT 127.0.0.2:80 HTTP/1.0\r\n",
    );
    return(@login);
}

sub testMisc {
    # Put your corner case tests here...
    my $this = shift;
    # one request carrying 1024 copies of the same header
    @cmdArray = (
        "GET / HTTP/1.0\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n"
    );
    return(@cmdArray);
}

sub usage {
}

1;

# ---- doona-1.0+git20190108/bedmod/lpd.pm ----
#
# Quickly hacked Module to test some LPD Stuff,
# not everything ... yeah I am lazy too :)
#
package bedmod::lpd;
use Socket;

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# create a new instance of this object
sub new{
    my $this = {};
    # these ones must be defined
    $this->{sport} = 721;   # LPD (RFC 1179) wants a privileged source port in 721-731
    bless $this;
    return $this;
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# initialise some parameters
sub init{
    my $this = shift;
    %special_cfg = @_;
    # Set protocol tcp/udp
    $this->{proto} = "tcp";
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '515';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    $this->{vrfy} = "";
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# how to quit ?
sub getQuit{
    return("\1\n");
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to test without doing a login before
# ..mainly the login stuff *g*
# RFC 1179 command codes: \01 print waiting jobs, \02 receive a printer job,
# \03 / \04 send queue state (short / long), \05 remove jobs
sub getLoginarray {
    my $this = shift;
    @Loginarray = (
        "XAXAX",
        "\01XAXAX\n",
        "\02XAXAX\n",
        "\03XAXAX all\n",
        "\03default XAXAX\n",
        "\04XAXAX all\n",
        "\04default XAXAX\n",
        "\05XAXAX root all\n",
        "\05default XAXAX all\n",
        "\05default root XAXAX\n"
    );
    return (@Loginarray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# which commands does this protocol know ?
sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string
    # place every command in this array you want to test
    # (sent inside a \02 receive-job session: \02 = receive control file,
    # \03 = receive data file, each followed by a byte count and a name)
    @cmdArray = (
        "\0294XAXAX001test\n",
        "\0294cfA001XAXAX\n",
        "\0394XAXAX001test\n",
        "\0394cfA001XAXAX\n",
    );
    return(@cmdArray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to send to login ?
sub getLogin{ # login procedure my $this = shift; @login = ("\02default\n"); return(@login); } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # here we can test everything besides buffer overflows and format strings sub testMisc{ my $this = shift; return(); } sub usage { } 1; doona-1.0+git20190108/bedmod/irc.pm0000644000175000017500000000664713415160327014544 0ustar hlehlepackage bedmod::irc; use Socket; # This package is an extension to bed, to check # for irc server vulnerabilities. sub new { my $this = {}; bless $this; return $this; } sub init { my $this = shift; %special_cfg=@_; $this->{proto}="tcp"; if ($special_cfg{'p'} eq "") { $this->{port}='6667'; } else { $this->{port} = $special_cfg{'p'}; } $this->{vrfy} = "uk\r\n"; # server should reply with unknown command } sub getQuit { return("QUIT\r\n"); } sub getLoginarray { my $this = shift; @Loginarray = ( "XAXAX\r\n", "USER XAXAX 0 cc :dd\r\n", "USER aa XAXAX cc :dd\r\n", "USER aa 0 XAXAX :dd\r\n", "USER aa 0 cc :XAXAX\r\n", "USER aa 0 cc XAXAX\r\n", "USER aa 0 cc :dd XAXAX\r\n", # realname may contain spaces "USER aa 0 cc :dd\r\nNICK XAXAX\r\n", "NICK XAXAX\r\n", "PASS XAXAX\r\n", "PASS aa\r\nPASS XAXAX\r\n", "PASS XAXAX\r\nUSER aa 0 cc :dd\r\n", "PASS XAXAX\r\nNICK XAXAX\r\nUSER XAXAX XAXAX XAXAX XAXAX\r\n", "PASS XAXAX\r\nSERVER aa bb cc\r\n", "SERVER XAXAX bb cc\r\n", "SERVER aa XAXAX cc\r\n", "SERVER aa bb XAXAX\r\n", ); return (@Loginarray); } sub getCommandarray { my $this = shift; # the XAXAX will be replaced with the buffer overflow / format string # just comment them out if you don't like them.. 
@cmdArray = ( "XAXAX\r\n", "NICK XAXAX\r\n", "JOIN XAXAX\r\n", "PART XAXAX\r\n", "SERVER XAXAX 1 :foobar\r\n", "SERVER test XAXAX :foobar\r\n", "SERVER test 1 :XAXAX\r\n", "OPER XAXAX\r\n", "OPER test XAXAX\r\n", "JOIN #XAXAX\r\n", "JOIN #test XAXAX\r\n", "JOIN \&XAXAX\r\n", "JOIN \&test XAXAX\r\n", "PART #XAXAX\r\n", "PART #foo XAXAX\r\n", "JOIN #XAXAX\r\nPART#XAXAX\r\n", "LIST XAXAX\r\n", "INVITE XAXAX #test\r\n", "INVITE foo #XAXAX\r\n", "KICK #XAXAX bar\r\n", "VERSION XAXAX\r\n", "MOTD XAXAX\r\n", "MODE XAXAX\r\n", "MODE XAXAX foo\r\n", "MODE foo XAXAX\r\n", "NAMES XAXAX\r\n", "STATS XAXAX\r\n", "STATS c XAXAX\r\n", "STATS h XAXAX\r\n", "STATS i XAXAX\r\n", "STATS k XAXAX\r\n", "STATS l XAXAX\r\n", "STATS m XAXAX\r\n", "STATS o XAXAX\r\n", "STATS y XAXAX\r\n", "STATS u XAXAX\r\n", "LINKS XAXAX\r\n", "TIME XAXAX\r\n", "CONNECT XAXAX\r\n", "TRACE XAXAX\r\n", "ADMIN XAXAX\r\n", "INFO XAXAX\r\n", "PRIVMSG foo XAXAX\r\n", "PRIVMSG XAXAX bar\r\n", "NOTICE foo XAXAX\r\n", "NOTICE XAXAX bar\r\n", "TOPIC XAXAX foo\r\n", "WHO XAXAX\r\n", "WHOIS XAXAX\r\n", "WHOWAS XAXAX\r\n", "WHOWAS foo 1 XAXAX\r\n", "KILL foo XAXAX\r\n", "KILL XAXAX bar\r\n", "PING XAXAX\r\n", "PONG XAXAX\r\n", "ERROR XAXAX\r\n", "AWAY XAXAX\r\n", "SUMMON XAXAX\r\n", "SUMMON foo XAXAX\r\n", "USERS XAXAX\r\n", "WALLOPS XAXAX\r\n", "USERHOST XAXAX\r\n", "ISON XAXAX\r\n" ); return(@cmdArray); } sub getLogin { my $this = shift; @login = ("USER aaa bbb ccc :ddd\r\n", "NICK EEEEEE\r\n"); return(@login); } sub testMisc { return(); } sub usage { } 1; doona-1.0+git20190108/bedmod/pop.pm0000644000175000017500000000502513415160327014552 0ustar hlehlepackage bedmod::pop; use Socket; # This package is an extension to bed, to check # for pop server vulnerabilities. 
sub new {
    my $this = {};
    $this->{username} = undef;    # specific for just this
    $this->{password} = undef;    # module
    bless $this;
    return $this;
}

sub init {
    my $this = shift;
    %special_cfg = @_;
    $this->{proto} = "tcp";
    if ( $special_cfg{'p'} eq "" ) {
        $this->{port} = '110';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) {
        &usage();
        exit(1);
    }
    $this->{username} = $special_cfg{'u'};
    $this->{password} = $special_cfg{'v'};
    $this->{vrfy} = "NOOP\r\n";

    # check that the supplied credentials actually work before fuzzing
    $iaddr = inet_aton( $this->{target} ) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in( $this->{port}, $iaddr ) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket( SOCKET, PF_INET, SOCK_STREAM, $proto ) || die "socket: $!\n";
    connect( SOCKET, $paddr ) || die "connection attempt failed: $!\n";
    $recvbuf = <SOCKET>;    # +OK greeting; read it first so the replies below line up with USER/PASS
    send( SOCKET, "USER $this->{username}\r\n", 0 ) || die "USER failed: $!\n";
    $recvbuf = <SOCKET>;
    sleep(1);
    send( SOCKET, "PASS $this->{password}\r\n", 0 ) || die "PASS failed: $!\n";
    $recvbuf = <SOCKET>;
    if ( !defined $recvbuf || $recvbuf =~ "-ERR" ) {
        print("Username or Password incorrect, can't login\n");
        exit(1);
    }
    send( SOCKET, "QUIT\r\n", 0 );
    close(SOCKET);
}

sub getQuit {
    return ("QUIT\r\n");
}

sub getLoginarray {
    my $this = shift;
    @Loginarray = (
        "USER XAXAX\r\n",
        "USER $this->{username}\r\nPASS XAXAX\r\n",
        "APOP XAXAX aaa\r\n",
        "APOP $this->{username} XAXAX\r\n"
    );
    return (@Loginarray);
}

sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string
    # just comment them out if you don't like them..
    @cmdArray = (
        "LIST XAXAX\r\n",
        "STAT XAXAX\r\n",
        "NOOP XAXAX\r\n",
        "APOP XAXAX\r\n",
        "RSET XAXAX\r\n",
        "RETR XAXAX\r\n",
        "DELE XAXAX\r\n",
        "TOP XAXAX 1\r\n",
        "TOP 1 XAXAX\r\n",
        "UIDL XAXAX\r\n",
    );
    return (@cmdArray);
}

sub getLogin {
    # login procedure
    my $this = shift;
    @login = (
        "USER $this->{username}\r\n",
        "PASS $this->{password}\r\n"
    );
    return (@login);
}

sub testMisc {
    return ();
}

sub usage {
    print qq~
Parameters for the POP plugin:
  -u <username>
  -v <password>
~;
}

1;

# ---- doona-1.0+git20190108/bedmod/socks5.pm ----
package bedmod::socks5;
use Socket;

# socks5 plugin
#
# not yet tested, got bored just by looking at the protocol

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# create a new instance of this object
sub new {
    my $this = {};
    $this->{username} = undef;
    $this->{password} = undef;
    bless $this;
    return $this;
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# initialise some parameters
sub init {
    my $this = shift;
    %special_cfg = @_;
    # Set protocol tcp/udp
    $this->{proto} = "tcp";
    # check for missing args, set target and host
    # every module has to do this
    if ( $special_cfg{'p'} eq "" ) {
        $this->{port} = '1080';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    $this->{sport} = 0;
    $this->{vrfy} = "";
    if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) {
        &usage();
        exit(1);
    }
    $this->{username} = $special_cfg{'u'};
    $this->{password} = $special_cfg{'v'};
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# how to quit ?
sub getQuit {
    return ("");
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to test without doing a login before
# ..mainly the login stuff *g*
sub getLoginarray {
    my $this = shift;
    @Loginarray = ("");
    return (@Loginarray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# which commands does this protocol know ?
sub getCommandarray {
    my $this = shift;
    # all there is to test is the username as far as it seems...
    @cmdArray = (
        "XAXAX\n",
        # if the programmer is clever enough he always receives the packet
        # in a buffer which is bigger than ~0x128 :)
        # VER=5 CMD=1 (CONNECT) RSV=0 ATYP=4 (IPv6) followed by only two bytes
        # where 16 address bytes plus a 2-byte port are expected:
        "\x05\x01\x00\x04\xFF\x10",    # check for buffer access which should give a gpf
        "\x05\x01\x00\x04\x50\x10"     # same here different value... lame :)
    );
    return (@cmdArray);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# what to send to login ?
sub getLogin {
    # login procedure
    my $this = shift;
    my $user = $this->{username};
    my $pass = $this->{password};
    @login = (
        # greeting: protocol version 5, one authentication method offered,
        # method 0x02 = username/password
        "\x05\x01\x02",
        # RFC 1929 sub-negotiation: version byte 1, then one-byte username
        # length, username, one-byte password length, password. The lengths
        # are packed as bytes; interpolating length() as decimal digits would
        # put "4" (0x34) on the wire instead of \x04.
        pack("C C a* C a*", 1, length($user), $user, length($pass), $pass),
    );
    return (@login);
}

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# here we can test everything besides buffer overflows and format strings
sub testMisc {
    my $this = shift;
    return ();
}

sub usage {
    print qq~
Parameters for the Socks5 plugin:
  -u <username>
  -v <password>
~;
}

1;

# ---- doona-1.0+git20190108/bedmod/http_sp.pm ----
package bedmod::http_sp;
use Socket;

# This package is an extension to doona, to check
# for http server vulnerabilities. Works as an extension to BED too
#
# Tests for request methods and request fields specific to SharePoint
#
# The displayed output may not show particularly long commands but
# the right stuff is being sent
#
# Might want to mod, depending on desired results.
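The socks5 module above builds its RFC 1929 login and its two CONNECT probes by hand. As an added example (not doona's or BED's code), the script below packs those messages the way RFC 1928 and RFC 1929 lay them out, parses the two server replies a client has to check, and adds one malformed CONNECT whose domain-name length byte overstates the data that follows. The username, password and the "server" replies are constructed for the demonstration; nothing here talks to a real proxy.

```perl
#!/usr/bin/perl
# Added example, not part of doona: SOCKS5 framing helpers. Runs offline; the
# server replies handed to the parsers are constructed byte strings.
use strict;
use warnings;
use Socket qw(inet_aton);

sub hexdump { return join(" ", map { sprintf("%02x", $_) } unpack("C*", $_[0])); }

# Client greeting (RFC 1928 section 3): VER=5, NMETHODS, METHODS...
# greeting(2) yields the module's "\x05\x01\x02" (offer username/password only).
sub greeting { return pack("C C C*", 5, scalar(@_), @_); }

# Username/password sub-negotiation (RFC 1929): VER=1, ULEN, UNAME, PLEN, PASSWD.
# ULEN and PLEN are single bytes, so they must be packed, not interpolated as
# the decimal digits of length().
sub userpass_auth {
    my ($user, $pass) = @_;
    for ($user, $pass) {
        die "username and password must each be 1..255 bytes\n"
            if length($_) < 1 || length($_) > 255;
    }
    return pack("C C a* C a*", 1, length($user), $user, length($pass), $pass);
}

# CONNECT request (RFC 1928 section 4): VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT.
# ATYP 1 = IPv4 (4 bytes), 3 = domain name (length byte + name), 4 = IPv6 (16 bytes).
sub connect_req {
    my ($host, $port) = @_;
    return pack("C C C C a4 n", 5, 1, 0, 1, inet_aton($host), $port)
        if $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    return pack("C C C C C a* n", 5, 1, 0, 3, length($host), $host, $port);
}

# Malformed CONNECT: the domain-name length byte claims 255 bytes but only one
# follows. A server that trusts the length field over the bytes it actually
# received reads past the buffer, the same class of bug the module's truncated
# ATYP=4 request is after.
sub connect_req_bad_len { return pack("C C C C C a* n", 5, 1, 0, 3, 255, "a", 80); }

# Server method selection: VER=5, METHOD (0xFF means no acceptable method).
sub parse_method_select {
    my ($buf) = @_;
    return undef unless length($buf) >= 2;
    my ($ver, $method) = unpack("C C", $buf);
    return $ver == 5 ? $method : undef;
}

# RFC 1929 status reply: VER=1, STATUS (0 = success, anything else = failure).
sub parse_auth_reply {
    my ($buf) = @_;
    return undef unless length($buf) >= 2;
    my ($ver, $status) = unpack("C C", $buf);
    return $ver == 1 ? $status : undef;
}

# Walk the exchange with constructed server replies.
my ($user, $pass) = ("fuzz", "secret");
print "C> greeting   : ", hexdump(greeting(2)), "\n";
my $method = parse_method_select("\x05\x02");            # constructed: server picks user/pass
print "S> method     : ", defined $method ? $method : "bad", "\n";
print "C> auth       : ", hexdump(userpass_auth($user, $pass)), "\n";
my $status = parse_auth_reply("\x01\x00");               # constructed: success
print "S> auth status: ", defined $status ? $status : "bad", "\n";
print "C> connect    : ", hexdump(connect_req("127.0.0.1", 80)), "\n";
print "C> bad length : ", hexdump(connect_req_bad_len()), "\n";
```

The greeting printed first is byte-for-byte the module's "\x05\x01\x02"; the auth message is what the module's getLogin should send, with a version byte of 1 and the lengths as raw bytes. A client that fuzzes a SOCKS5 server should still check both replies: a method byte of 0xFF or a non-zero auth status means the later CONNECT cases are being rejected before they reach the code path under test.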
# For example, do a GET on an existing resource
#
# Written by Grid

sub new {
    my $this = {};
    bless $this;
    return $this;
}

sub init {
    my $this = shift;
    %special_cfg = @_;
    $this->{proto} = "tcp";
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '80';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    # dump mode (-d): never touch the network
    if ($special_cfg{'d'}) { return; }
    # connectivity probe only; the reply is not examined here
    $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
    connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
    send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
    close(SOCKET);
}

# Record the status line a plain HEAD gets on the first call and compare
# later calls against it.
sub health_check {
    my $this = shift;
    $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
    connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
    send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
    my $resp = <SOCKET>;
    close(SOCKET);
    if (!$this->{healthy}) {
        if (defined $resp && $resp =~ /HTTP/) { $this->{healthy} = $resp; }
    }
    # compare as a string: the recorded status line is data, not a pattern
    return (defined $resp && defined $this->{healthy} && $resp eq $this->{healthy}) ? 1 : 0;
}

sub getQuit {
    return("\r\n\r\n");
}

sub getLoginarray {
    my $this = shift;
    @Loginarray = (
        "GET /default.XAXAX HTTP/1.1\r\nHost: 192.168.43.128\r\n\r\n",
        "GET /XAXAX.html HTTP/1.1\r\nHost: 192.168.43.128\r\n\r\n",
    );
    return (@Loginarray);
}

sub getCommandarray {
    my $this = shift;
    # SharePoint-specific request headers; XAXAX is replaced with the fuzz data
    @cmdArray = (
        "x-virus-infected: XAXAX\r\nHost: 192.168.43.128\r\n\r\n",
        "x-irm-cantdecrypt: XAXAX\r\nHost: 192.168.43.128\r\n\r\n",
        "x-irm-rejected: XAXAX\r\nHost: 192.168.43.128\r\n\r\n",
        "x-irm-notowner: XAXAX\r\nHost: 192.168.43.128\r\n\r\n",
        "x-irm-timeout: XAXAX\r\nHost: 192.168.43.128\r\n",
        "x-irm-crashed: XAXAX\r\nHost: 192.168.43.128\r\n\r\n",
"x-irm-unknown-failure: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "SharePointError: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-RequestDigest: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Forms_Based_Auth_Required: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-Forms_Based_Auth_Return_Url: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-MS-File-Checked-Out: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-RequestToken: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "SPRequestGuid: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-UseWebLanguage: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-RequestForceAuthentication: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-SharePointHealthScore: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", "X-MS-InvokeApp: XAXAX\r\nHost: 192.168.43.128\r\n\r\n", ); return(@cmdArray); } sub getLogin { my $this = shift; @login = ( "GET / HTTP/1.1\r\n", ); return(@login); } sub testMisc { #Put your corner case tests here my $this = shift; @cmdArray = ( "GET / HTTP/1.1\r\nHost: 192.168.43.128\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", ); return(@cmdArray); } sub usage { } 1; doona-1.0+git20190108/bedmod/http_webdav.pm0000644000175000017500000001750613415160327016272 0ustar hlehlepackage bedmod::http_webdav; use Socket; # This package is an extension to doona, to check # for http server vulnerabilities. Works as an extension to BED too # # Tests for WebDAV-specific request methods and request fields # These aren't tested in the standard HTTP module. # # Modify as needed: might want to ensure the BCOPY requests a resource that exists # # The displayed output may not show particularly long commands (e.g. 
# BPROPFIND /webpage.aspx) but
# the right stuff is being sent
#
# Written by Grid

sub new {
    my $this = {};
    bless $this;
    return $this;
}

sub init {
    my $this = shift;
    %special_cfg = @_;
    $this->{proto} = "tcp";
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '80';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    # dump mode (-d): never touch the network
    if ($special_cfg{'d'}) { return; }
    # connectivity probe only; the reply is not examined here
    $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
    connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
    send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
    close(SOCKET);
}

# Record the status line a plain HEAD gets on the first call and compare
# later calls against it.
sub health_check {
    my $this = shift;
    $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
    connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
    send(SOCKET, "HEAD / HTTP/1.0\r\n\r\n", 0) || die "HTTP request failed: $!\n";
    my $resp = <SOCKET>;
    close(SOCKET);
    if (!$this->{healthy}) {
        if (defined $resp && $resp =~ /HTTP/) { $this->{healthy} = $resp; }
    }
    # compare as a string: the recorded status line is data, not a pattern
    return (defined $resp && defined $this->{healthy} && $resp eq $this->{healthy}) ? 1 : 0;
}

sub getQuit {
    return("\r\n\r\n");
}

sub getLoginarray {
    my $this = shift;
    # WebDAV and Exchange/SharePoint extension methods with a fuzzed path
    @Loginarray = (
        "BCOPY /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "BDELETE /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "BMOVE /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "BPROPFIND /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "BPROPPATCH /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "COPY /XAXAX.XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "DELETE /XAXAX.XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "LOCK /XAXAX.XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
        "MKCOL /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n",
"MOVE /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "NOTIFY http://XAXAX:80 HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "POLL /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "PROPFIND /XAXAX.XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "PROPPATCH /XAXAX.XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "SEARCH /XAXAX/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "SUBSCRIBE /XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "UNLOCK /XAXAX.XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "UNSUBSCRIBE /XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n", "X-MS-ENUMATTS /XAXAX.XAXAX HTTP/1.1\r\nHost: myserver.com\r\n\r\n", ); return (@Loginarray); } sub getCommandarray { my $this = shift; @cmdArray = ( # These are commands specific to webdav. "Destination: XAXAX\r\nHost: myserver.com\r\n", "Depth: XAXAX\r\nHost: myserver.com\r\n\r\n", "Brief: XAXAX\r\nHost: myserver.com\r\n\r\n", "Overwrite: XAXAX\r\nHost: myserver.com\r\n\r\n", "Timeout: XAXAX\r\nHost: myserver.com\r\n\r\n", "Location: XAXAX\r\nHost: myserver.com\r\n\r\n", "Subscription-id: XAXAX\r\nHost: myserver.com\r\n\r\n", "Translate: XAXAX\r\nHost: myserver.com\r\n\r\n", "Call-Back: XAXAX\r\nHost: myserver.com\r\n\r\n", "Lock-Token: XAXAX\r\nHost: myserver.com\r\n\r\n", ); return(@cmdArray); } sub getLogin { my $this = shift; @login = ( "BCOPY /webpage.aspx/ HTTP/1.1\r\n", "BDELETE /webpage.aspx/ HTTP/1.1\r\n", "BMOVE /webpage.aspx/ HTTP/1.1\r\n", "BPROPFIND /webpage.aspx/ HTTP/1.1\r\n", "BPROPPATCH /webpage.aspx/ HTTP/1.1\r\n", "COPY /webpage.aspx HTTP/1.1\r\n", "DELETE /webpage.aspx HTTP/1.1\r\n", "LOCK /webpage.aspx HTTP/1.1\r\n", "MKCOL /webpage.aspx HTTP/1.1\r\n", "MOVE /webpage.aspx HTTP/1.1\r\n", "NOTIFY http://myserver.com:80 HTTP/1.1\r\n", "POLL /webpage.aspx/ HTTP/1.1\r\n", "PROPFIND /webpage.aspx HTTP/1.1\r\n", "PROPPATCH /webpage.aspx HTTP/1.1\r\n", "SEARCH /webpage.aspx/ HTTP/1.1\r\n", "SUBSCRIBE /webpage.aspx HTTP/1.1\r\n", "UNLOCK /webpage.aspx HTTP/1.1\r\n", "UNSUBSCRIBE /webpage.aspx HTTP/1.1\r\n", 
"X-MS-ENUMATTS /webpage.aspx HTTP/1.1\r\n", ); return(@login); } sub testMisc { #Put your corner case tests here my $this = shift; @cmdArray = ( "BCOPY /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "BDELETE /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "BMOVE /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "BPROPFIND /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "COPY /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "DELETE /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "LOCK /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "MKCOL /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "MOVE /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "NOTIFY /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "POLL /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "PROPFIND /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "PROPPATCH /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "SEARCH /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "SUBSCRIBE /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "UNLOCK /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", "UNSUBSCRIBE /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . 
"\r\n", "X-MS-ENUMATTS /webpage.aspx/ HTTP/1.1\r\nHost: myserver.com\r\n\r\n" . "Lotsofheaders: XAXAX\r\n" x 1024 . "\r\n", ); return(@cmdArray); } sub usage { } 1; doona-1.0+git20190108/bedmod/dict.pm0000644000175000017500000001013713415160327014677 0ustar hlehlepackage bedmod::dict; use Socket; # This package is an extension to BED, to check # for DICT server vulnerabilities. # Authentication is not implemented for this module. # There's a bunch of placeholders which will help # should you wish to implement authentication. # For more information, review: # - RFC 2229 (DICT) - section 3.11 - The AUTH Command # - RFC 1939 (POP) - section 4 - The AUTHORIZATION State sub new { my $this = {}; # Authentication is not implemented for this module. # These default values are used to fuzz auth verbs: $this->{username} = 'anonymous'; $this->{password} = 'password'; bless $this; return $this; } sub init { my $this = shift; %special_cfg=@_; $this->{proto}="tcp"; if ($special_cfg{'p'} eq "") { $this->{port}='2628'; } else { $this->{port} = $special_cfg{'p'}; } $this->{vrfy} = "HELP\r\n"; # Authentication is not implemented for this module. # This is a placeholder $this->{username} = $special_cfg{'u'} if $special_cfg{'u'}; $this->{password} = $special_cfg{'v'} if $special_cfg{'v'}; # Test connection to target (skip if dump mode is set) if ($special_cfg{'d'}) { return; } $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n"; $paddr = sockaddr_in($this->{port}, $iaddr) || die "getprotobyname: $!\n"; $proto = getprotobyname('tcp') || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n"; connect(SOCKET, $paddr) || die "connection attempt failed: $!\n"; # Authentication is not implemented for this module. # so we grab the banner instead send(SOCKET, "\r\n", 0); $recvbuf = ; print ($recvbuf); # The psuedo-code below checks if the server requires authentication. 
#send(SOCKET, "AUTH $this->{username} md5($this->{password})\r\n", 0) || die "Authentication failed: $!\n"; #do { # $recvbuf = ; # print ($recvbuf); # if ( $recvbuf =~ "530" ) { # print ("Access is denied, can't login\n"); # exit(1); # } # if ( $recvbuf =~ "531" ) { # print ("Username or password incorrect, can't login\n"); # exit(1); # } # sleep(0.2); ## 230 Authentication successful #} until ( $recvbuf =~ "230" ); #send(SOCKET, "QUIT\r\n", 0); close(SOCKET); } sub getQuit { return("QUIT\r\n"); } sub getLoginarray { my $this = shift; # Authentication is not implemented for this module. # so we return an empty string return (""); # This is a placeholder @Loginarray = ( "XAXAX\r\n", "AUTH XAXAX\r\n", "AUTH XAXAX XAXAX\r\n", "AUTH $this->{username} XAXAX\r\n", "SASLAUTH XAXAX\r\nSASLRESP XAXAX\r\n", "SASLAUTH XAXAX XAXAX\r\nSASLRESP XAXAX\r\n" ); return (@Loginarray); } sub getCommandarray { my $this = shift; # the XAXAX will be replaced with the buffer overflow / format string # just comment them out if you don't like them. @cmdArray = ( "XAXAX\r\n", "AUTH XAXAX\r\n", "AUTH XAXAX XAXAX\r\n", "AUTH $this->{username} XAXAX\r\n", "SASLAUTH XAXAX\r\nSASLRESP XAXAX\r\n", "SASLAUTH XAXAX XAXAX\r\nSASLRESP XAXAX\r\n", "DEFINE ! XAXAX\r\n", "DEFINE XAXAX XAXAX\r\n", "MATCH ! XAXAX XAXAX\r\n", "MATCH XAXAX XAXAX XAXAX\r\n", "SHOW XAXAX\r\n", "SHOW INFO XAXAX\r\n", "CLIENT XAXAX\r\n", "OPTION XAXAX\r\n" ); return(@cmdArray); } sub getLogin { my $this = shift; # Authentication is not implemented for this module. 
    # so we return an empty string
    @login = ("");
    return(@login);
    # This is a placeholder
    @login = ("AUTH $this->{username} $this->{password}\r\n");
    return(@login);
}

sub testMisc {
    return();
}

sub usage {
    print qq~
DICT module specific options:
  -u = Username to use for authentication (default: anonymous)
  -v = Password to use for authentication (default: password)
~;
}

1;

# ---- doona-1.0+git20190108/bedmod/ftp.pm ----
package bedmod::ftp;
use Socket;

# This package is an extension to bed, to check
# for ftp server vulnerabilities.

sub new {
    my $this = {};
    $this->{'healthy'} = undef;
    $this->{username} = 'anonymous';        # specific for just this
    $this->{password} = 'user@this.bed';    # module
    bless $this;
    return $this;
}

sub init {
    my $this = shift;
    %special_cfg = @_;
    # Specify protocol to use
    $this->{proto} = "tcp";
    # check for missing args, set target and host
    if ($special_cfg{'p'} eq "") {
        $this->{port} = '21';
    } else {
        $this->{port} = $special_cfg{'p'};
    }
    # get info necessary for FTP
    $this->{username} = $special_cfg{'u'} if $special_cfg{'u'};
    $this->{password} = $special_cfg{'v'} if $special_cfg{'v'};
    $this->{vrfy} = "PWD\r\n";

    # let's see if we got a correct login (skip if dump mode is set)
    if ($special_cfg{'d'}) { return; }
    die "FTP server failed health check!\n" unless ($this->health_check());
    $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
    connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
    send(SOCKET, "USER $this->{username}\r\n", 0) || die "USER failed: $!\n";
    $recvbuf = <SOCKET>;    # 220 greeting
    sleep(1);               # some ftp's need some time to reply
    send(SOCKET, "PASS $this->{password}\r\n", 0) || die "PASS failed: $!\n";
    # read until the 230 login reply; a 530 means the credentials are wrong
    do {
        $recvbuf = <SOCKET>;
        die "Connection closed during login\n" unless defined $recvbuf;
        if ( $recvbuf =~ "530" ) {
            print ("Username or Password incorrect, can't login\n");
            exit(1);
        }
        select(undef, undef, undef, 0.2);    # sleep() only takes whole seconds; sleep(0.2) would be sleep(0)
    } until ( $recvbuf =~ "230" );
    send(SOCKET, "QUIT\r\n", 0);
    close(SOCKET);
}

# Baseline: the reply to a PASS sent before any USER (typically a 503) is
# recorded on the first call and later calls must get the same line back.
sub health_check {
    my $this = shift;
    $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
    $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
    $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
    connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
    # wait for the 220 greeting (skipping any multi-line banner)
    do {
        $recv = <SOCKET>;
        die "Connection closed before greeting\n" unless defined $recv;
        select(undef, undef, undef, 0.2);
    } until $recv =~ /^220/;
    send(SOCKET, "PASS\r\n", 0);
    $recv = <SOCKET>;
    close(SOCKET);
    if (!$this->{'healthy'}) {
        $this->{'healthy'} = $recv if (defined $recv && $recv =~ /^\d\d\d/);
    }
    # compare as a string: the recorded reply is data, not a pattern
    return (defined $recv && defined $this->{'healthy'} && $recv eq $this->{'healthy'}) ? 1 : 0;
}

sub getQuit {
    return("QUIT\r\n");
}

sub getLoginarray {
    my $this = shift;
    @Loginarray = (
        "XAXAX\r\n",
        "USER XAXAX\r\n",
        "USER XAXAX\r\nPASS password\r\n",
        "USER anonymous\r\nPASS XAXAX\r\n",
        "USER XAXAX\r\nPASS password\r\nUSER $this->{username}\r\nPASS XAXAX\r\n",
        "USER $this->{username}\r\nPASS XAXAX\r\n",
        "PASS XAXAX\r\n"
    );
    return (@Loginarray);
}

sub getCommandarray {
    my $this = shift;
    # the XAXAX will be replaced with the buffer overflow / format string
    # just comment them out if you don't like them..
@cmdArray = ( "XAXAX\r\n", "XAXAX 123\r\n", "ABOR XAXAX\r\n", "ACCL XAXAX\r\n", "ACCT XAXAX\r\n", "ADAT XAXAX\r\n", "ALLO XAXAX\r\n", "APPE XAXAX\r\n", "APPE /XAXAX\r\n", "CCC XAXAX\r\n", "CDUP XAXAX\r\n", "CONF XAXAX\r\n", "CWD XAXAX\r\n", "CEL XAXAX\r\n", "DELE XAXAX\r\n", "ENC XAXA\r\n", "EPRT XAXAX\r\n", "EPRT |XAXAX|127.0.0.1|6275|\r\n", "EPRT |1|XAXAX|6275|\r\n", "EPRT |1|127.0.0.1|XAXAX|\r\n", "EPSV XAXAX\r\n", "FEAT XAXAX\r\n", "HELP XAXAX\r\n", "LANG XAXAX\r\n", "LIST XAXAX\r\n", "LIST -XAXAX\r\n", "LIST *XAXAX\r\n", "LOCK XAXAX\r\n", "LOCK / XAXAX\r\n", "LPRT XAXAX\r\n", "LPSV XAXAX\r\n", "MDTM XAXAX\r\n", "MDTM XAXAX file.txt\r\n", "MDTM 19990929043300 XAXAX\r\n", "MDTM 20031111111111+ XAXAX\r\n", "MIC XAXAX\r\n", "MLST XAXAX\r\n", "MODE XAXAX\r\n", "MKD XAXAX\r\n", "MKD XAXAX\r\nCWD XAXAX\r\n", "MKD XAXAX\r\nDELE XAXAX\r\n", "MKD XAXAX\r\nRMD XAXAX\r\n", "MKD XAXAX\r\nXRMD XAXAX\r\n", "NLST XAXAX\r\n", "NLST ~XAXAX\r\n", "NOOP XAXAX\r\n", "OPTS XAXAX\r\n", "PASS XAXAX\r\n", "PASV XAXAX\r\n", "PBSZ XAXAX\r\n", "PORT XAXAX\r\n", "PWD XAXAX\r\n", "QUOTE XAXAX\r\n", "REIN XAXAX\r\n", "REST XAXAX\r\n", "RETR XAXAX\r\n", "RMD XAXAX\r\n", "RNFR XAXAX\r\n", "RNTO XAXAX\r\n", "RNFR XAXAX\r\nRNTO XAXAX\r\n", "SITE XAXAX\r\n", "SITE EXEC XAXAX\r\n", "SITE GROUPS XAXAX\r\n", "SITE CDPATH XAXAX\r\n", "SITE ALIAS XAXAX\r\n", "SITE INDEX XAXAX\r\n", "SITE MINFO 20001010101010 XAXAX\r\n", "SITE NEWER 20001010101010 XAXAX\r\n", "SITE GPASS XAXAX\r\n", "SITE GROUP XAXAX\r\n", "SITE HELP XAXAX\r\n", "SITE IDLE XAXAX\r\n", "SITE CHMOD XAXAX\r\n", "SITE CHMOD 777 XAXAX\r\n", "SITE UMASK XAXAX\r\n", "SIZE XAXAX\r\n", "SIZE /XAXAX\r\n", "SMNT XAXAX\r\n", "STOU XAXAX\r\n", "STRU XAXAX\r\n", "STOR XAXAX\r\n", "STAT XAXAX\r\n", "SYST XAXAX\r\n", "TYPE XAXAX\r\n", "USER XAXAX\r\n", "UNLOCK XAXAX\r\n", "UNLOCK / XAXAX\r\n", "XCUP XAXAX\r\n", "XCWD XAXAX\r\n", "XMD5 XAXAX\r\n", "XMKD XAXAX\r\n", "XPWD XAXAX\r\n", "XRCP XAXAX\r\n", "XRMD XAXAX\r\n", "XRSQ XAXAX\r\n", "XSEM 
XAXAX\r\n",
        "XSEN XAXAX\r\n",
    );
    return(@cmdArray);
}

sub getLogin {
    # login procedure
    my $this = shift;
    @login = ("USER $this->{username}\r\nPASS $this->{password}\r\n");
    return(@login);
}

sub testMisc {
    my $this = shift;
    return;
    # Everything below is unreachable: the directory traversal code is buggy
    # and not really what I want, so it was retired.
    # test for bof in login / user ?
    # test for the availability to abuse this host for portscanning ?
    # test for possible directory traversal bugs...
    print ("*Directory traversal\n");
    @traversal = ("...", "%5c..%5c", "%5c%2e%2e%5c", "/././..", "/...", "/......",
                  "\\...", "...\\", "....", "*", "\\*", "\\....", "*\\\\.....",
                  "/..../", "/../../../", "\\..\\..\\..\\", "\@/..\@/..");
    foreach $Directory (@traversal) {
        $iaddr = inet_aton($this->{target}) || die "Unknown host: $this->{target}\n";
        $paddr = sockaddr_in($this->{port}, $iaddr) || die "sockaddr_in: $!\n";
        $proto = getprotobyname('tcp') || die "getprotobyname: $!\n";
        socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die "socket: $!\n";
        connect(SOCKET, $paddr) || die "connection attempt failed: $!\n";
        send(SOCKET, "USER $this->{username}\r\n", 0) || die "USER failed: $!\n";
        sleep(2);    # some ftp's need some time to reply
        $recvbuf = <SOCKET>;
        send(SOCKET, "PASS $this->{password}\r\n", 0) || die "PASS failed: $!\n";
        sleep(2);    # some ftp's need some time to reply
        $recvbuf = <SOCKET> || die "Login failed $!\n";
        send(SOCKET, "PWD\r\n", 0);    # get old directory
        sleep(1);
        $curDir = <SOCKET>;
        send(SOCKET, "CWD $Directory\r\n", 0);    # send the traversal string
        # clear the buffer, by waiting for one of: 501 550 250 553
        do {
            $recvbuf = <SOCKET>;
        } while ( defined $recvbuf && ($recvbuf !~ /550/) && ($recvbuf !~ /250/)
                  && ($recvbuf !~ /553/) && ($recvbuf !~ /501/) );
        send(SOCKET, "PWD\r\n", 0);    # get new directory
        $newDir = <SOCKET>;
        # compare the directories, and report a problem if they are not equal
        if ( $curDir ne $newDir ) {
            print ("Directory Traversal ($curDir => $newDir) possible with $Directory \n");
        }
        send(SOCKET, "QUIT\r\n", 0);    # logout
        close (SOCKET);                 # close connection
    }
    return();
} sub usage { print qq~ FTP Module specific options: -u = Username to use for authentication (default: anonymous) -v = Password to use for authentication (default: user\@this.bed) ~; } 1; doona-1.0+git20190108/bedmod/imap.pm0000644000175000017500000000723113415160327014703 0ustar hlehlepackage bedmod::imap; use Socket; # imap plugin for bed2 # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # create a new instance of this object sub new { my $this = {}; # imap defines $this->{user} = undef; $this->{pass} = undef; bless $this; return $this; } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # initialise some parameters sub init { my $this = shift; %special_cfg = @_; # Set protocol tcp/udp $this->{proto} = "tcp"; if ( $special_cfg{'p'} eq "" ) { $this->{port} = '143'; } else { $this->{port} = $special_cfg{'p'}; } if ( ( $special_cfg{'u'} eq "" ) || ( $special_cfg{'v'} eq "" ) ) { &usage(); exit(1); } $this->{user} = $special_cfg{'u'}; $this->{pass} = $special_cfg{'v'}; # how can bed check that the server is still alive $this->{vrfy} = "A001 NOOP\r\n"; } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # how to quit ? sub getQuit { return ("A001 LOGOUT\r\n"); } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # what to test without doing a login before # ..mainly the login stuff *g* sub getLoginarray { my $this = shift; @Loginarray = ( "A001 AUTHENTICATE XAXAX\r\n", "A001 LOGIN XAXAX\r\n", "A001 LOGIN $this->{user} XAXAX\r\n" ); return (@Loginarray); } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # which commands does this protocol know ? sub getCommandarray { my $this = shift; # the XAXAX will be replaced with the buffer overflow / format string # place every command in this array you want to test @cmdArray = ( "A001 CREATE myTest\r\n", # just for testing... 
"FXXZ CHECK XAXAX\r\n", "LIST XAXAX\r\n", "A001 SELECT XAXAX\r\n", "A001 EXAMINE XAXAX\r\n", "A001 CREATE XAXAX\r\n", "A001 DELETE XAXAX\r\n", "A001 RENAME XAXAX\r\n", "A001 CREATE test\r\nA001RENAME test XAXAX\r\n", "A001 SUBSCRIBE XAXAX\r\n", "A001 UNSUBSCRIBE XAXAX\r\n", "A001 LIST XAXAX aa \r\n", "A001 LIST aa XAXAX\r\n", "A001 LIST * XAXAX\r\n", "A001 LSUB aa XAXAX\r\n", "A001 LSUB XAXAX aa \r\n", # aa should be "" "A001 STATUS XAXAX\r\n", "A001 STATUS inbox (XAXAX)\r\n", "A001 APPEND XAXAX\r\n", "A001 SELECT myTest\r\nA001 SEARCH XAXAX\r\n", "A001 SELECT myTest\r\nA001 FETCH XAXAX\r\n", "A001 SELECT myTest\r\nA001 FETCH 1:2 XAXAX\r\n", "A001 SELECT myTest\r\nA001 STORE XAXAX\r\n", "A001 SELECT myTest\r\nA001 STORE 1:2 XAXAX\r\n", "A001 SELECT myTest\r\nA001 COPY XAXAX\r\n", "A001 SELECT myTest\r\nA001 COPY 1:2 XAXAX\r\n", "A001 SELECT myTest\r\nA001 UID XAXAX\r\n", "A001 SELECT myTest\r\nA001 UID FETCH XAXAX\r\n", "A001 UID XAXAX\r\n", "A001 CAPABILITY XAXAX\r\n", "A001 DELETEACL XAXAX\r\n", "A001 GETACL XAXAX\r\n", "A001 LISTRIGHTS XAXAX\r\n", "A001 MYRIGHTS XAXAX\r\n", "A001 XAXAX\r\n" ); return (@cmdArray); } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # what to send to login ? sub getLogin { # login procedure my $this = shift; @login = ("A001 LOGIN $this->{user} $this->{pass}\r\n"); return (@login); } # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # here we can test everything besides buffer overflows and format strings sub testMisc { my $this = shift; return (); } sub usage { print qq~ Parameters for the imap plugin: -u -v ~; } 1; doona-1.0+git20190108/doona.pl0000755000175000017500000002533313415160327013630 0ustar hlehle#!/usr/bin/perl # # This program comes with ABSOLUTELY NO WARRANTY. # This is free software, and you are welcome to redistribute it # under certain conditions. See docs/GPL.txt for details. 
# # Doona is a BED fork maintained by wireghoul ( www.justanotherhacker.com ) # BED was written by mjm ( www.codito.de ) and snakebyte ( www.snake-basket.de ) use Getopt::Std; use Socket; use Config; #use strict; #use warnings; my $SOCKET; my $VERSION = '1.0'; $SIG{'INT'} = \&sigHandler; $SIG{'TERM'} = \&sigHandler; $SIG{'PIPE'} = \&sigHandler; my @modules = map { s!bedmod/(.*)\.pm!$1!; $_ } glob("bedmod/*.pm"); # the hope is to overwrite a return pointer on the stack, # making the server execute invalid code and crash my @overflowstrings = ( "A" x 33, "A" x 254, "A" x 255, "A" x 256, "A" x 257, "A" x 1023, "A" x 1024, "A" x 1025, "A" x 1026, "A" x 1044, "A" x 2047, "A" x 2048, "A" x 2049, "A" x 2068, "A" x 3092, "A" x 4116, "A" x 5140, "A" x 6164, "A" x 7188, "A" x 8212, "A" x 9236, "A" x 10260, "A" x 11284, "A" x 12308, "A" x 13332, "A" x 14356, "A" x 15380, "\\" x 200, "\\" x 255, "\\" x 256, "\\" x 9000, "/" x 200, "/" x 255, "/" x 256, "/" x 9000, "A/" x 256, "AA/" x 256, "AAA/" x 256, "AAAA/" x 256, "." x 200, "." x 255, "." x 256, "." 
x 9000, " " x 9000, "AA " x 200, ); my @formatstrings = ( "%s" x 4, "%s%p%x%d", "%s" x 8, "%s" x 15, "%s" x 30, "%.1024d", "%.2048d", "%.4096d", '%@' x 53, "%.16i705u%2\$hn", "%#123456x" ); # three ansi overflows, two ansi format strings, two OEM Format Strings my @unicodestrings = ("\x99" x 4, "\x99" x 512, "\x99" x 1024, "\xCD" x 10, "\xCD" x 40, "\xCB" x 10, "\xCB"x40); my @largenumbers = ( "255", "256", "257", "65535", "65536", "65537", "16777215", "16777216", "16777217", "2147483647", "2147483648", "2147483649", "0xfffffffe", "0xffffffff", "4294967295", "9223372036854775807", "18446744073709551615", "0", "-1", "-268435455", "-20", "2.2250738585072011e-308", ); my @miscstrings = ( "/", "\\", "%0xa", " ", "+", "<", ">", "<>", "%", "-", "+", "*", ".", ":", ";", "&", "%u000", "%xx", "\\x41", "%00", "\x00", "\x01\x01\x01\x01", "A\@A.COM","AAAA.ABCD","AAAA://AAAAA.AAAAA/AAAA", "\t", "\r", "\r\n", "\n" ); my $idx = 0; my $prevfuzz = ''; print "\n Doona $VERSION by Wireghoul (www.justanotherhacker.com)\n\n"; # get the parameters we need for every test getopts('m:s:t:o:p:r:u:v:w:x:M:c:dhk'); $opt_s = $opt_m if ($opt_m); &usage unless($opt_s); $opt_s = lc($opt_s); # convert it to lowercase # load the specified module my $module = undef; if ( -f "bedmod/$opt_s.pm") { eval("use bedmod::$opt_s;"); $a = "bedmod::$opt_s"; $module = new $a; } &usage unless(defined $module); &usage if ($opt_h); my %special_cfg=( "t" => "$opt_t", # target "o" => "$opt_o", # timeOut "p" => "$opt_p", # port "r" => "$opt_r", # resume test case number 'M' => "$opt_M", # Max requests to perform 'c' => "$opt_c", # How often do we call health_check 'k' => "$opt_k", # Keep trying until a healt check passes 'd' => "$opt_d", # Print fuzz case to screen and quit "u" => "$opt_u", # special parameters for the module... 
"v" => "$opt_v", "w" => "$opt_w", "x" => "$opt_x" ); $module->{proto} = undef; $module->{target} = undef; $module->{port} = undef; $module->{vrfy} = ""; $module->{timeout} = undef; $module->{sport} = 0; if ($special_cfg{'t'} eq "") { $module->{target}='127.0.0.1'; } else { $module->{target} = $special_cfg{'t'}; } if ($special_cfg{'o'} eq "") { $module->{timeout}='2'; } else { $module->{timeout} = $special_cfg{'o'}; } $module->init(%special_cfg); # $num_threads = 4; # Wishlist: Run with 4 threads by defaults # test stuff that might happen during login my @cmdArray = $module->getLoginarray; # which login stuff do we test my @login = (""); if ( $cmdArray[0] ne "" ){ print " + Buffer overflow testing\n"; &testThis(@overflowstrings); print " + Formatstring testing\n"; &testThis(@formatstrings); } # test the stuff that might happen during normal protocol events ( after login ) print "* Normal tests\n"; @cmdArray = $module->getCommandarray; @login = $module->getLogin; print " + Buffer overflow testing\n"; &testThis(@overflowstrings); print " + Formatstring testing\n"; &testThis(@formatstrings); print " + Unicode testing:\n"; &testThis(@unicodestrings); print " + random number testing\n"; &testThis(@largenumbers); # make the module test all other stuff #print " + Other tests\n"; #$module->testMisc(); # test different sizes for (my $i = 1; $i < 20; $i++ ) { print " + testing misc strings $i\n"; &testThis(@miscstrings); for (my $j = 0; $j < @miscstrings; $j++) { $miscstrings[$j] = $miscstrings[$j].$miscstrings[$j]; } } print "* All tests done.\n"; exit(0); # this function tests each of the two arrays ( buffer overflow and format string ) sub testThis() { my $count = 0; foreach my $log (@login) { my @testArray = @_; my $command; my $socktype; if ( $module->{proto} eq "udp" ) { $socktype = SOCK_DGRAM; } else { $socktype = SOCK_STREAM; } $|=1; #Auto flush output for more timely screen updates # my $count = 0; my $quit = $module->getQuit; my $total = 
scalar(@cmdArray)*scalar(@login); foreach my $cmd (@cmdArray) { $count++; my $cmd2 = $cmd; $cmd2 =~ s/\n|\r|[\00-\33]//ig; # remove \r and \n for nice displaying $cmd2 = substr($cmd2, 0, 30); my $log2 = $log; $log2 =~ s/\n|\r|[\00-\33]//ig; $log2 = substr($log2, 0, 20); printf "%5d/$total $log2 [$cmd2] ", $count; foreach my $LS (@testArray){ print "."; $idx++; if ($special_cfg{'r'} > $idx) { next; } if ($opt_M) { $special_cfg{'M'}--; } if ($special_cfg{'M'} < 0) { print "\nMax requests ($opt_M) completed, index: ". ($idx - 1) ."\n"; exit } $prevfuzz = $command; $command = $cmd; $command =~ s/XAXAX/$LS/ig; # prepare the string if ($special_cfg{'d'}) { print "\nFuzz case ($idx)\n--copy--\n"; } else { my $iaddr = inet_aton($module->{target}) || die "Unknown host: $module->{target}\n"; my $paddr = sockaddr_in($module->{port}, $iaddr) || die "getprotobyname: $!\n"; my $proto = getprotobyname($module->{proto}) || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, $socktype, $proto) || die "socket: $!\n"; my $sockaddr = sockaddr_in($module->{sport}, INADDR_ANY); while ( !bind(SOCKET, $sockaddr) ) {} # we need to bind for LPD for example connect(SOCKET, $paddr) || die "connection attempt failed: $!, during $cmd2 ($idx)\n"; } # login if ( $log ne "" ) { if ($special_cfg{'d'}) { print "$log"; } else { send(SOCKET, $log, 0); sleep(1); # some daemons need some time to reply } } #} if ($special_cfg{'d'}) { $command =~ s/\n/\\n/g;$command =~ s/\r/\\r/g; print "$command\n--cut--\n"; exit; } send(SOCKET, $command, 0); # send the attack and verify that the server is still alive # Is there a possibility to check within connection? 
if ($module->{vrfy} ne "") { send(SOCKET, $module->{vrfy},0) || die "Problem (1) occured with $cmd2 ($idx)\n"; my $recvbuf = || die "Problem (2) occured with $cmd2 ($idx)\n"; send(SOCKET, $quit, 0); # close the connection close SOCKET; } else { close SOCKET; my $iaddr = inet_aton($module->{target}) || die "Unknown host: $module->{target}\n"; my $paddr = sockaddr_in($module->{port}, $iaddr) || die "getprotobyname: $!\n"; my $proto = getprotobyname($module->{proto}) || die "getprotobyname: $!\n"; socket(SOCKET, PF_INET, $socktype, $proto) || die "socket: $!\n"; connect(SOCKET, $paddr) || die "Problem (3) occured with $cmd2 ($idx)\n"; close SOCKET; } sleep($module->{timeout}); # some servers would kick us for too fast rogins if ($special_cfg{'c'} && $idx % $special_cfg{'c'} == 0) { # Health check if ($special_cfg{'k'}) { do { print "\r---Waiting for server to pass health check ($idx)---"; sleep 1; } until $module->health_check() } else { die "Health check failed! ($idx)\n" unless($module->health_check()); } print ':' } } print " ($idx)\n"; } } } # how to use these scripts... sub usage { print qq~Usage: $0 -m [module] -m = ~ . join('/', map(uc, @modules)). qq~ -c = Execute a health check after every fuzz cases -t = Host to check (default: localhost) -p = Port to connect to (default: module specific standard port) -o = seconds to wait after each test (default: 2 seconds) -r = Resumes fuzzing at test case index -k = Keep trying until server passes a health check -d = Dump test case to stdout (use in combination with -r) -M = Exit after executing number of fuzz cases -h = Help (this text) use "$0 -m [module] -h" for module specific option. Only -m is a mandatory switch. ~; if ($opt_h) { $module->usage() if $module; } exit(1); } sub sigHandler { print "\n\nSignal INT/TERM/PIPE caught!"; print " - current test case index: ($idx)" if $idx; print "\n"; exit; }
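What the fuzz tables in doona.pl look like from the server side, as an added example that is not part of Doona or BED: a Python detector run over a constructed IMAP command trace, flagging lines shaped like the @overflowstrings, @formatstrings, @unicodestrings and @largenumbers substitutions. The thresholds, the flagged integer set and the sample trace are this example's own choices.

```python
import re

# Detection patterns modelled on doona.pl's fuzz tables (@overflowstrings,
# @formatstrings, @unicodestrings, @largenumbers). Thresholds (200-byte runs,
# only 24/32/64-bit boundary integers) are this example's own, to limit false
# positives on ordinary IMAP/FTP traffic.
PATTERNS = [
    ("overflow", re.compile(r"(.)\1{199,}|(?:A{1,4}/){200,}")),
    ("format-string", re.compile(r"(?:%[spxdi]){4,}|%\.\d{3,}[di]|%\d*\$hn|%#\d+x|%@")),
    ("high-bytes", re.compile(r"[\x99\xcb\xcd]{4,}")),
    ("int-boundary", re.compile(
        r"\b(?:0xfffffff[ef]|16777216|214748364[789]|4294967295"
        r"|9223372036854775807|18446744073709551615)\b", re.I)),
]

def classify(line):
    """Return the Doona fuzz family a single command line resembles, or None."""
    for name, rx in PATTERNS:
        if rx.search(line):
            return name
    return None

def scan(log):
    """Scan a newline-separated command trace; return (line_no, family, excerpt)."""
    hits = []
    for no, line in enumerate(log.splitlines(), 1):
        family = classify(line)
        if family:
            hits.append((no, family, line[:40]))
    return hits

# Constructed IMAP command trace (one client command per line), mixing normal
# traffic with lines shaped like doona.pl's XAXAX substitutions.
SAMPLE_LOG = "\n".join([
    "A001 CAPABILITY",
    "A001 LOGIN alice secret",
    "A001 LOGIN alice " + "A" * 1024,      # "A" x 1024 overflow string
    "A001 SELECT INBOX",
    "A001 SELECT " + "%s" * 8,             # "%s" x 8 format string
    'A001 LIST "" *',
    "A001 STATUS INBOX (%.1024d)",         # width-padded format string
    "A001 FETCH 1:2 4294967295",           # 32-bit boundary integer
    "A001 SEARCH " + "\x99" * 4,           # high-byte "unicode" string
    "A001 NOOP",
    "A001 CREATE " + "A/" * 256,           # "A/" x 256 overflow string
])

if __name__ == "__main__":
    for no, family, excerpt in scan(SAMPLE_LOG):
        print(f"line {no}: {family}: {excerpt!r}")
```

Read logs as latin-1 so the 0x99/0xCB/0xCD bytes survive as single characters; the same patterns apply unchanged to an FTP command trace.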