1 /********************************************************************************
2  *                              Nepenthes
3  *                        - finest collection -
4  *
5  *
6  *
7  * Copyright (C) 2005  Paul Baecher & Markus Koetter
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * as published by the Free Software Foundation; either version 2
12  * of the License, or (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; if not, write to the Free Software
21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
22  *
23  *
24  *             contact nepenthesdev@users.sourceforge.net
25  *
26  *******************************************************************************/
27 
28  /* $Id: MSSQLDialogue.cpp 836 2007-02-06 15:16:50Z common $ */
29 
30 #include <cctype>
31 #include <cstring>
32 
33 #include "MSSQLDialogue.hpp"
34 #include "vuln-mssql.hpp"
35 #include "mssql-shellcodes.h"
36 
37 #include "SocketManager.hpp"
38 #include "Message.hpp"
39 #include "DownloadManager.hpp"
40 #include "LogManager.hpp"
41 #include "DialogueFactoryManager.hpp"
42 
43 #include "Utilities.hpp"
44 
45 #include "EventManager.hpp"
46 #include "SocketEvent.hpp"
47 
// Force the log tag for this translation unit to l_dia, overriding whatever
// one of the headers above may have set. Presumably STDTAGS is what the
// logInfo()/logCrit() macros used below expand to — confirm in LogManager.hpp.
#ifdef STDTAGS
#undef STDTAGS
#endif
#define STDTAGS l_dia

// Dialogue, Message, Socket and the g_Nepenthes global used in this file are
// presumably declared in this namespace (see the project headers above).
using namespace nepenthes;
54 
/**
 * MSSQLDialogue::MSSQLDialogue(Socket *)
 * constructor: remembers the socket this dialogue is attached to and
 * fills in the name, description and initial consume level the
 * Dialogue base class expects
 *
 * nothing is sent to the socket here; all traffic handling happens in
 * incomingData()
 *
 * @param socket the Socket the Dialogue has to use (stored, not owned here)
 */
MSSQLDialogue::MSSQLDialogue(Socket *socket)
{
	m_DialogueName        = "MSSQLDialogue";
	m_DialogueDescription = "talking to MS02-061 exploiters";
	m_ConsumeLevel        = CL_ASSIGN;
	m_Socket              = socket;
}
71 
/**
 * MSSQLDialogue::~MSSQLDialogue()
 * nothing to release: the Socket handed to the constructor is only stored
 * and is not deleted anywhere in this file, and no other resource is
 * acquired by this class
 */
MSSQLDialogue::~MSSQLDialogue()
{
	// intentionally empty
}
76 
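/**
 * MSSQLDialogue::incomingData(Message *)
 *
 * classifies a datagram received on the MSSQL port:
 *  - a payload starting with thc_badbuffer is treated as the THC MS02-061
 *    exploit: a TCP listener is bound on port 31337 (the port that exploit's
 *    shellcode uses) and given the "WinNTShell DialogueFactory" so that
 *    whatever connects there is served by the fake shell
 *  - a payload starting with sql_slammer is only logged as an SQL Slammer probe
 *  - anything else is hexdumped via HEXDUMP
 *
 * both prefix comparisons are bounded by the payload size first, so a short
 * datagram is never read past its end
 *
 * @param msg the Message the Socket received
 *
 * @return CL_DROP on every path, including the two error exits
 */
ConsumeLevel MSSQLDialogue::incomingData(Message *msg)
{
	// port the THC exploit's shellcode expects its shell on; the two trailing
	// arguments to bindTCPSocket() are the same timeouts as before, their
	// unit/meaning is defined by SocketManager (presumably seconds - confirm)
	static const int THC_BINDPORT = 31337;

	// inet_ntoa() takes a struct in_addr; copy the address into one instead
	// of reinterpreting the uint32_t through a pointer cast, which the
	// strict-aliasing rules do not permit
	in_addr remote;
	remote.s_addr = msg->getRemoteHost();

	// sizeof(...)-1 presumably strips the terminating NUL of the pattern
	// arrays in mssql-shellcodes.h - confirm there
	const bool isThcExploit =
		msg->getSize() >= sizeof(thc_badbuffer) - 1 &&
		memcmp(msg->getMsg(), thc_badbuffer, sizeof(thc_badbuffer) - 1) == 0;

	const bool isSlammer =
		msg->getSize() >= sizeof(sql_slammer) - 1 &&
		memcmp(msg->getMsg(), sql_slammer, sizeof(sql_slammer) - 1) == 0;

	if (isThcExploit)
	{
		logInfo("THCSql bindport 31337 from %s:%i \n", inet_ntoa(remote), msg->getRemotePort());

		// look the factory up before binding, so a missing factory does not
		// leave a listener on 31337 with nothing attached to it
		DialogueFactory *diaf = g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory");
		if (diaf == NULL)
		{
			logCrit("No WinNTShell DialogueFactory availible \n");
			return CL_DROP;
		}

		// this fails (and the packet is dropped) when the port is already in
		// use - presumably a listener from an earlier probe that has not timed
		// out yet; there is nothing further to do with this packet in that case
		Socket *shell = g_Nepenthes->getSocketMgr()->bindTCPSocket(0, THC_BINDPORT, 60, 30);
		if (shell == NULL)
		{
			logCrit("Could not bind socket 31337 \n");
			return CL_DROP;
		}

		shell->addDialogueFactory(diaf);
	}
	else if (isSlammer)
	{
		logInfo("%s:%i asked us to join his SQLSlammer Party \n", inet_ntoa(remote), msg->getRemotePort());
	}
	else
	{
		// unknown payload: hexdump it for later analysis
		HEXDUMP(m_Socket, (byte *)msg->getMsg(), msg->getSize());
	}

	return CL_DROP;
}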
128 
/**
 * MSSQLDialogue::outgoingData(Message *)
 * data written to the socket is of no interest to this dialogue
 *
 * @param msg unused
 *
 * @return CL_ASSIGN always. NOTE(review): the other callbacks in this file
 *         (handleTimeout, connectionLost, connectionShutdown) return CL_DROP;
 *         confirm this asymmetry is intended
 */
ConsumeLevel MSSQLDialogue::outgoingData(Message * /* msg */)
{
	return CL_ASSIGN;
}
142 
/**
 * MSSQLDialogue::handleTimeout(Message *)
 * a timeout on the socket is of no interest to this dialogue;
 * answering CL_DROP tells the socket so
 *
 * @param msg unused
 *
 * @return CL_DROP always
 */
ConsumeLevel MSSQLDialogue::handleTimeout(Message * /* msg */)
{
	return CL_DROP;
}
156 
/**
 * MSSQLDialogue::connectionLost(Message *)
 * a lost connection is of no interest to this dialogue;
 * answering CL_DROP tells the socket so
 *
 * @param msg unused
 *
 * @return CL_DROP always
 */
ConsumeLevel MSSQLDialogue::connectionLost(Message * /* msg */)
{
	return CL_DROP;
}
170 
/**
 * MSSQLDialogue::connectionShutdown(Message *)
 * a connection shutdown is of no interest to this dialogue;
 * answering CL_DROP tells the socket so
 *
 * @param msg unused
 *
 * @return CL_DROP always
 */
ConsumeLevel MSSQLDialogue::connectionShutdown(Message * /* msg */)
{
	return CL_DROP;
}