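/* Remaining "icmp_*" / "data" element cases of the lookup that starts above. */
      else if (!strcmp(elem, "icmp_seq"))
        value = ntohs(icmp->icmp_seq);
      else if (!strcmp(elem, "icmp_cksum"))
        value = ntohs(icmp->icmp_cksum);
      else if (!strcmp(elem, "data"))
        {
          /* Payload = whatever follows the IP header and the 8-byte ICMP header. */
          retc = alloc_tree_cell(0, NULL);
          retc->type = CONST_DATA;
          retc->size = get_var_size_by_name(lexic, "icmp") - (ip->ip_hl * 4) - 8;
          if (retc->size > 0)
            retc->x.str_val = nasl_strndup(&(p[ip->ip_hl * 4 + 8]), retc->size);
          else
            {
              retc->x.str_val = NULL;
              retc->size = 0;
            }
          return retc;
        }
      else
        return NULL;

      retc = alloc_tree_cell(0, NULL);
      retc->type = CONST_INT;
      retc->x.i_val = value;
      return retc;
    }
  return NULL;
}

/*--------------[ IGMP ]--------------------------------------------*/

/* Fixed part of an IGMP message as this module forges it: type, code,
 * one's-complement checksum and the multicast group address. */
struct igmp
{
  unsigned char type;
  unsigned char code;
  unsigned short cksum;
  struct in_addr group;
};

/**
 * NASL forge_igmp_packet(ip:, type:, code:, group:, data:, update_ip_len:):
 * build "IP header + IGMP header [+ data]" from the script's arguments.
 *
 * Only the IP header (ip_hl * 4 bytes) of ip: is carried over; ip: must be at
 * least one full IP header long so its fields can be read.  When the supplied
 * header does not already claim a payload (ip_len <= header length) and
 * update_ip_len: is not 0, ip_len and ip_sum are recomputed for the new total.
 * The IGMP checksum covers the 8-byte IGMP header only, as before.
 *
 * @return CONST_DATA cell owning the new packet, or NULL when ip: is missing
 *         or shorter than an IP header.
 */
tree_cell *
forge_igmp_packet(lex_ctxt *lexic)
{
  struct ip *ip = (struct ip *) get_str_local_var_by_name(lexic, "ip");
  struct ip *ip_igmp;
  struct igmp *igmp;
  tree_cell *retc;
  u_char *pkt;
  char *data, *grp;
  int ipsz, len, hdr_len, copy_len;

  if (ip == NULL)
    return NULL;

  ipsz = get_local_var_size_by_name(lexic, "ip");
  if (ipsz < (int) sizeof(struct ip))
    {
      nasl_perror(lexic, "forge_igmp_packet(): ip is too short!\n");
      return NULL;
    }

  data = get_str_local_var_by_name(lexic, "data");
  len = data ? get_local_var_size_by_name(lexic, "data") : 0;
  hdr_len = ip->ip_hl * 4;

  pkt = emalloc(hdr_len + sizeof(struct igmp) + len);
  ip_igmp = (struct ip *) pkt;

  /* Copy at most the IP header: pkt has room for hdr_len header bytes only,
   * so copying the whole ip: variable (old behaviour) overran the buffer
   * whenever the script passed a header with a payload attached. */
  copy_len = ipsz < hdr_len ? ipsz : hdr_len;
  memcpy(ip_igmp, ip, copy_len);

  /* The length/checksum fixup needs a header long enough to hold those
   * fields; with a shorter ip_hl the IGMP header overlaps them anyway. */
  if (hdr_len >= (int) sizeof(struct ip)
      && UNFIX(ip->ip_len) <= hdr_len
      && get_int_local_var_by_name(lexic, "update_ip_len", 1) != 0)
    {
      ip_igmp->ip_len = FIX(hdr_len + sizeof(struct igmp) + len);
      ip_igmp->ip_sum = 0;
      ip_igmp->ip_sum = np_in_cksum((u_short *) ip_igmp, hdr_len);
    }

  igmp = (struct igmp *) (pkt + hdr_len);
  igmp->code = (unsigned char) get_int_local_var_by_name(lexic, "code", 0);
  igmp->type = (unsigned char) get_int_local_var_by_name(lexic, "type", 0);
  grp = get_str_local_var_by_name(lexic, "group");
  if (grp != NULL)
    inet_aton(grp, &igmp->group);   /* an unparsable group: is ignored, as before */
  igmp->cksum = np_in_cksum((u_short *) igmp, sizeof(struct igmp));

  /* Append the payload after the IGMP header.  The old call had the copy
   * direction reversed (bcopy(p, data, len)) and overwrote the script's
   * data: instead of filling the packet. */
  if (data != NULL)
    memcpy((char *) igmp + sizeof(struct igmp), data, len);

  retc = alloc_tree_cell(0, NULL);
  retc->type = CONST_DATA;
  retc->x.str_val = (char *) pkt;
  retc->size = hdr_len + sizeof(struct igmp) + len;
  return retc;
}

/*---------------------------------------------------------------------------*/

/**
 * NASL tcp_ping(port:): send a handful of raw SYN probes to the scan target
 * and report whether any reply was captured.
 *
 * With port: (or a known open port from the knowledge base) every probe goes
 * to that port from a random source port; otherwise a fixed list of common
 * destination ports is walked, each paired with a source port that is either
 * fixed (e.g. 53, 20, 25) or chosen at random at call time.  Localhost is
 * reported alive without probing.  Each probe waits 100 ms for an answer.
 *
 * @return CONST_INT cell: 1 when something came back, else 0; NULL when the
 *         target address is unknown or the raw socket cannot be created.
 */
tree_cell *
nasl_tcp_ping(lex_ctxt *lexic)
{
  u_char packet[sizeof(struct ip) + sizeof(struct tcphdr)];
  struct ip *ip = (struct ip *) packet;
  struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip));
  struct arglist *script_infos = lexic->script_infos;
  struct in_addr *dst = plug_get_host_ip(script_infos);
  struct in_addr src;
  struct sockaddr_in soca;
  struct timeval tv;
  char filter[255];
  tree_cell *retc;
  int port, soc, bpf, len;
  int flag = 0;
  int opt = 1;
  size_t i;
  /* Random unprivileged port in [1024, 65535].  The old "% 65535 + 1024"
   * could exceed 16 bits and wrap into the privileged range after htons(). */
#define rnd_tcp_port() (rand() % (65535 - 1024 + 1) + 1024)
  int sports[] = { 0, 0, 0, 0, 0, 1023, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 53, 0, 0, 20, 0, 25, 0, 0, 0 };
  int ports[] = { 139, 135, 445, 80, 22, 515, 23, 21, 6000, 1025, 25, 111, 1028, 9100, 1029, 79, 497, 548, 5000, 1917, 53, 161, 9001, 65535, 443, 113, 993, 8080, 0 };
  const size_t num_sports = sizeof(sports) / sizeof(sports[0]);
  int num_ports = 0;

  if (dst == NULL)
    return NULL;

  /* A zero entry in sports[] means "pick an unprivileged port at random". */
  for (i = 0; i < num_sports; i++)
    if (sports[i] == 0)
      sports[i] = rnd_tcp_port();
  while (ports[num_ports] != 0)
    num_ports++;

  soc = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (soc < 0)
    return NULL;
#ifdef IP_HDRINCL
  if (setsockopt(soc, IPPROTO_IP, IP_HDRINCL, (char *) &opt, sizeof(opt)) < 0)
    perror("setsockopt ");
#endif

  port = get_int_local_var_by_name(lexic, "port", -1);
  if (port == -1)
    port = plug_get_host_open_port(script_infos);

  if (islocalhost(dst) > 0)
    src.s_addr = dst->s_addr;
  else
    {
      memset(&src, 0, sizeof(src));
      routethrough(dst, &src);
    }

  snprintf(filter, sizeof(filter), "ip and src host %s", inet_ntoa(*dst));
  bpf = init_capture_device(*dst, src, filter);

  if (islocalhost(dst) != 0)
    flag++;   /* no point probing ourselves: report alive */
  else
    for (i = 0; i < num_sports && !flag; i++)
      {
        memset(packet, 0, sizeof(packet));

        /* IP header: no options, fixed TTL, random id. */
        ip->ip_hl = 5;
        ip->ip_v = 4;
        ip->ip_tos = 0;
        ip->ip_len = FIX(sizeof(packet));
        ip->ip_id = (u_short) rand();
        ip->ip_off = FIX(0);
        ip->ip_ttl = 0x40;
        ip->ip_p = IPPROTO_TCP;
        ip->ip_src = src;
        ip->ip_dst = *dst;
        ip->ip_sum = 0;
        ip->ip_sum = np_in_cksum((u_short *) ip, sizeof(struct ip));

        /* TCP header: bare SYN, no options. */
        tcp->th_sport = htons(port ? rnd_tcp_port() : sports[i % num_ports]);
        tcp->th_dport = htons(port ? port : ports[i % num_ports]);
        tcp->th_seq = rand();
        tcp->th_ack = 0;
        tcp->th_x2 = 0;
        tcp->th_off = 5;
        tcp->th_flags = TH_SYN;
        tcp->th_win = 2048;
        tcp->th_sum = 0;
        tcp->th_urp = 0;

        /* The TCP checksum is taken over a 12-byte pseudo-header (addresses,
         * protocol, segment length) followed by the segment itself. */
        {
          struct pseudohdr pseudoheader;
          memset(&pseudoheader, 0, 12 + sizeof(struct tcphdr));
          pseudoheader.saddr.s_addr = ip->ip_src.s_addr;
          pseudoheader.daddr.s_addr = ip->ip_dst.s_addr;
          pseudoheader.protocol = 6;
          pseudoheader.length = htons(sizeof(struct tcphdr));
          memcpy(&pseudoheader.tcpheader, tcp, sizeof(struct tcphdr));
          tcp->th_sum = np_in_cksum((unsigned short *) &pseudoheader, 12 + sizeof(struct tcphdr));
        }

        memset(&soca, 0, sizeof(soca));
        soca.sin_family = AF_INET;
        soca.sin_addr = ip->ip_dst;
        /* A failed send is not reported: it simply yields no reply below. */
        sendto(soc, (const void *) packet, sizeof(packet), 0, (struct sockaddr *) &soca, sizeof(soca));

        tv.tv_sec = 0;
        tv.tv_usec = 100000;
        if (bpf >= 0 && bpf_next_tv(bpf, &len, &tv) != NULL)
          flag++;
      }

  retc = alloc_tree_cell(0, NULL);
  retc->type = CONST_INT;
  retc->x.i_val = flag;
  if (bpf >= 0)
    bpf_close(bpf);
  close(soc);
  return retc;
}

/*---------------------------------------------------------------------------*/

/**
 * NASL send_packet(pkt, ..., pcap_active:, pcap_timeout:, pcap_filter:, length:):
 * write each raw IP packet argument to a raw socket and, unless pcap_active:0,
 * wait up to pcap_timeout: seconds for the first reply.
 *
 * Every packet must be at least one IP header long and must be addressed to
 * the scan target: a packet aimed anywhere else aborts the whole call, so a
 * script cannot use the scanner as a relay towards third parties.  length:
 * caps the number of bytes sent from each packet.
 *
 * @return CONST_DATA cell with the captured reply (caller owns it), FAKE_CELL
 *         when nothing was captured, NULL on socket failure or a bad target.
 */
tree_cell *
nasl_send_packet(lex_ctxt *lexic)
{
  tree_cell *retc = FAKE_CELL;
  struct arglist *script_infos = lexic->script_infos;
  struct in_addr *dstip = plug_get_host_ip(script_infos);
  int use_pcap = get_int_local_var_by_name(lexic, "pcap_active", 1);
  int to = get_int_local_var_by_name(lexic, "pcap_timeout", 5);
  char *filter = get_str_local_var_by_name(lexic, "pcap_filter");
  int dfl_len = get_int_local_var_by_name(lexic, "length", -1);
  int hdrincl = 1;
  int bpf = -1;
  int soc, vi;
  char *ip;

  soc = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  if (soc < 0)
    return NULL;
#ifdef IP_HDRINCL
  if (setsockopt(soc, IPPROTO_IP, IP_HDRINCL, (char *) &hdrincl, sizeof(hdrincl)) < 0)
    perror("setsockopt ");
#endif

  for (vi = 0; (ip = get_str_var_by_num(lexic, vi)) != NULL; vi++)
    {
      int sz = get_var_size_by_num(lexic, vi);
      struct sockaddr_in sockaddr;
      struct ip *sip;
      u_char *answer;
      int answer_sz = 0;
      int len, b;

      /* Compare as int so a negative size cannot pass as "large". */
      if (sz < (int) sizeof(struct ip))
        {
          nasl_perror(lexic, "send_packet(): packet is too short!\n");
          continue;
        }

      sip = (struct ip *) ip;
      if (use_pcap != 0 && bpf < 0)
        bpf = init_capture_device(sip->ip_dst, sip->ip_src, filter);

      memset(&sockaddr, 0, sizeof(sockaddr));
      sockaddr.sin_family = AF_INET;
      sockaddr.sin_addr = sip->ip_dst;

      /* Only the designated target may be addressed. */
      if (dstip != NULL && sockaddr.sin_addr.s_addr != dstip->s_addr)
        {
          char txt1[64], txt2[64];
          /* inet_ntoa() returns a static buffer: copy each result out. */
          snprintf(txt1, sizeof(txt1), "%s", inet_ntoa(sockaddr.sin_addr));
          snprintf(txt2, sizeof(txt2), "%s", inet_ntoa(*dstip));
          nasl_perror(lexic, "send_packet: malicious or buggy script is trying to send packet to %s instead of designated target %s\n", txt1, txt2);
          if (bpf >= 0)
            bpf_close(bpf);
          close(soc);
          return NULL;
        }

      len = (dfl_len > 0 && dfl_len < sz) ? dfl_len : sz;
      b = sendto(soc, (u_char *) ip, len, 0, (struct sockaddr *) &sockaddr, sizeof(sockaddr));
      /* A failed send is not fatal: the script just gets no reply for it. */
      if (b < 0 || use_pcap == 0 || bpf < 0)
        continue;

      answer = (u_char *) capture_next_packet(bpf, to, &answer_sz);
      if (islocalhost(&sip->ip_dst))
        {
          /* On loopback the capture also sees our own packet: skip frames
           * whose IP header matches what was just sent.  Frames shorter than
           * an IP header cannot match and must not be memcmp'd past their end. */
          while (answer != NULL && answer_sz >= (int) sizeof(struct ip)
                 && memcmp(answer, ip, sizeof(struct ip)) == 0)
            {
              efree(&answer);
              answer = (u_char *) capture_next_packet(bpf, to, &answer_sz);
            }
        }

      if (answer != NULL)
        {
          retc = alloc_tree_cell(0, NULL);
          retc->type = CONST_DATA;
          retc->x.str_val = (char *) answer;
          retc->size = answer_sz;
          break;
        }
    }

  if (bpf >= 0)
    bpf_close(bpf);
  close(soc);
  return retc;
}

/*---------------------------------------------------------------------------*/

/* Open a live capture for pcap_next()/send_capture(): on the script's
 * interface: argument, else on the interface that routes to the target, else
 * on pcap's default device; filtered by pcap_filter:.  Returns the bpf handle
 * or a negative value when no device could be opened. */
static int
nasl_pcap_open_for_script(lex_ctxt *lexic)
{
  static char errbuf[PCAP_ERRBUF_SIZE];
  char *interface = get_str_local_var_by_name(lexic, "interface");
  char *filter = get_str_local_var_by_name(lexic, "pcap_filter");
  struct in_addr *dst = plug_get_host_ip(lexic->script_infos);

  if (interface == NULL)
    {
      struct in_addr src;
      memset(&src, 0, sizeof(src));
      interface = routethrough(dst, &src);
      if (interface == NULL)
        interface = pcap_lookupdev(errbuf);
    }
  if (interface == NULL)
    return -1;
  return bpf_open_live(interface, filter);
}

/* Block until one frame arrives on `bpf` or `timeout` seconds elapse
 * (0 = wait forever), then return the IP datagram it carries as a CONST_DATA
 * cell the caller owns.  NULL when nothing usable arrived.  Leaves `bpf` open.
 *
 * The capture length (`len`) is the only trustworthy bound on the frame: the
 * ip_len field comes off the wire, so it is clamped to what was captured
 * instead of driving the copy on its own (the old code sized the buffer from
 * ip_len and copied len - dl_len bytes for non-IPv4 frames, which can
 * over-read the capture or overflow the buffer). */
static tree_cell *
nasl_pcap_grab_one(int bpf, int timeout)
{
  int dl_len = get_datalink_size(bpf_datalink(bpf));
  struct timeval then, now;
  struct ip *ip, *ret;
  tree_cell *retc;
  char *packet;
  int len = 0;
  int avail, sz;

  gettimeofday(&then, NULL);
  for (;;)
    {
      packet = (char *) bpf_next(bpf, &len);
      if (packet != NULL)
        break;
      if (timeout != 0)
        {
          gettimeofday(&now, NULL);
          if (now.tv_sec - then.tv_sec >= timeout)
            return NULL;
        }
    }

  /* Bytes actually captured after the link-layer header. */
  avail = len - dl_len;
  if (avail <= 0)
    return NULL;
  ip = (struct ip *) (packet + dl_len);

  if (avail >= (int) sizeof(struct ip) && ip->ip_v == 4)
    {
      sz = UNFIX(ip->ip_len);
      if (sz > avail)
        sz = avail;   /* truncated capture: hand back what we have */
    }
  else
    sz = avail;       /* not IPv4 (or too short to tell): raw payload as-is */

  ret = emalloc(sz);
  memcpy(ret, ip, sz);

  retc = alloc_tree_cell(0, NULL);
  retc->type = CONST_DATA;
  retc->x.str_val = (char *) ret;
  retc->size = sz;
  return retc;
}

/**
 * NASL pcap_next(interface:, pcap_filter:, timeout:): capture one packet
 * matching pcap_filter: and return its IP datagram.  timeout: is in seconds
 * (default 5, 0 waits forever).
 *
 * @return CONST_DATA cell the caller owns, or NULL when no capture device
 *         could be opened or nothing arrived in time.
 */
tree_cell *
nasl_pcap_next(lex_ctxt *lexic)
{
  int timeout = get_int_local_var_by_name(lexic, "timeout", 5);
  int bpf = nasl_pcap_open_for_script(lexic);
  tree_cell *retc;

  if (bpf < 0)
    {
      nasl_perror(lexic, "pcap_next: Could not get a bpf\n");
      return NULL;
    }
  retc = nasl_pcap_grab_one(bpf, timeout);
  bpf_close(bpf);
  return retc;
}

/**
 * NASL send_capture(interface:, pcap_filter:, timeout:, + send() arguments):
 * arm a capture, perform send() with the same arguments, then return the
 * first IP datagram matching pcap_filter: (timeout: seconds, default 5,
 * 0 waits forever).  Opening the capture before sending is what keeps a
 * fast reply from being missed.
 *
 * @return CONST_DATA cell the caller owns, or NULL when no capture device
 *         could be opened or nothing arrived in time.
 */
tree_cell *
nasl_send_capture(lex_ctxt *lexic)
{
  int timeout = get_int_local_var_by_name(lexic, "timeout", 5);
  int bpf = nasl_pcap_open_for_script(lexic);
  tree_cell *retc, *sent;

  if (bpf < 0)
    {
      nasl_perror(lexic, "send_capture: Could not get a bpf\n");
      return NULL;
    }

  /* send()'s own result is not needed here.  NOTE(review): efree releases
   * the cell only; confirm against nasl_send that the cell never owns a
   * string, otherwise this leaks it. */
  sent = nasl_send(lexic);
  efree(&sent);

  retc = nasl_pcap_grab_one(bpf, timeout);
  bpf_close(bpf);
  return retc;
}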