1 /********************************************************************************
2 * Nepenthes
3 * - finest collection -
4 *
5 *
6 *
7 * Copyright (C) 2005 Paul Baecher & Markus Koetter
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * as published by the Free Software Foundation; either version 2
12 * of the License, or (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
22 *
23 *
24 * contact nepenthesdev@users.sourceforge.net
25 *
26 *******************************************************************************/
27
28 /* $Id: MSSQLDialogue.cpp 836 2007-02-06 15:16:50Z common $ */
29
30 #include <cctype>
31 #include <cstring>
32
33 #include "MSSQLDialogue.hpp"
34 #include "vuln-mssql.hpp"
35 #include "mssql-shellcodes.h"
36
37 #include "SocketManager.hpp"
38 #include "Message.hpp"
39 #include "DownloadManager.hpp"
40 #include "LogManager.hpp"
41 #include "DialogueFactoryManager.hpp"
42
43 #include "Utilities.hpp"
44
45 #include "EventManager.hpp"
46 #include "SocketEvent.hpp"
47
48 #ifdef STDTAGS
49 #undef STDTAGS
50 #endif
51 #define STDTAGS l_dia
52
53 using namespace nepenthes;
54
/**
 * MSSQLDialogue::MSSQLDialogue(Socket *)
 * constructor for the MSSQLDialogue, creates a new MSSQLDialogue
 *
 * only records the socket, the dialogue name/description and the
 * consume level; nothing is sent to the peer from here
 *
 * @param socket the Socket the Dialogue has to use
 */
MSSQLDialogue::MSSQLDialogue(Socket *socket)
{
	// Identity of this dialogue as shown by the framework.
	m_DialogueName        = "MSSQLDialogue";
	m_DialogueDescription = "talking to MS02-061 exploiters";

	// Stay attached to the socket; incomingData() decides per message
	// whether to keep or drop it.
	m_ConsumeLevel = CL_ASSIGN;
	m_Socket       = socket;
}
71
MSSQLDialogue::~MSSQLDialogue()
{
	// Nothing is owned here: the socket pointer is only borrowed and is
	// never closed by this dialogue.
}
76
/**
 * MSSQLDialogue::incomingData(Message *)
 *
 * inspects one received message: a THC MS SQL bind-shell payload
 * makes us bind tcp/31337 and hand that socket to the WinNTShell
 * emulation, an SQL Slammer payload is only logged, anything else
 * is hexdumped for later analysis
 *
 * @param msg the Message the Socket received.
 *
 *
 * @return CL_DROP (always; the message is handled in one shot)
 */
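ConsumeLevel MSSQLDialogue::incomingData(Message *msg)
{
	// logWarn(" UDP MSG '%.*s'\n",msg->getSize(), msg->getMsg());

	// Peer address for the log lines below. Copy the raw address into an
	// in_addr instead of casting the address of a uint32_t local.
	in_addr peer;
	peer.s_addr = msg->getRemoteHost();

	if ( msg->getSize() >= sizeof(thc_badbuffer)-1 &&
		 memcmp(msg->getMsg(), thc_badbuffer, sizeof(thc_badbuffer)-1) == 0 )
	{
		// Known THC exploit payload: it expects a bind shell on tcp/31337,
		// so offer the WinNTShell emulation there.
		logInfo("THCSql bindport 31337 from %s:%i \n", inet_ntoa(peer), msg->getRemotePort());

		// Resolve the shell factory BEFORE binding: if it is missing we
		// must not leave a listener on 31337 with no dialogue attached.
		DialogueFactory *diaf = g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory");
		if ( diaf == NULL )
		{
			logCrit("No WinNTShell DialogueFactory availible \n");
			return CL_DROP;
		}

		Socket *socket = g_Nepenthes->getSocketMgr()->bindTCPSocket(0, 31337, 60, 30);
		if ( socket == NULL )
		{
			logCrit("Could not bind socket 31337 \n");
			return CL_DROP;
		}

		socket->addDialogueFactory(diaf);
	}
	else if ( msg->getSize() >= sizeof(sql_slammer)-1 &&
			  memcmp(msg->getMsg(), sql_slammer, sizeof(sql_slammer)-1) == 0 )
	{
		// Slammer only propagates itself; nothing to emulate, just record it.
		logInfo("%s:%i asked us to join his SQLSlammer Party \n", inet_ntoa(peer), msg->getRemotePort());
	}
	else
	{
		// Unknown payload: keep the raw bytes for later analysis.
		HEXDUMP(m_Socket, (byte*)msg->getMsg(), msg->getSize());
	}

	// Each message is fully handled here; nothing to keep assigned.
	return CL_DROP;
}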
128
/**
 * MSSQLDialogue::outgoingData(Message *)
 * we do not inspect outgoing data; note that, unlike the other
 * no-op handlers below, this one returns CL_ASSIGN rather than CL_DROP
 *
 * @param msg
 *
 * @return CL_ASSIGN
 */
ConsumeLevel MSSQLDialogue::outgoingData(Message *msg)
{
	(void)msg; // outgoing data is not inspected
	return CL_ASSIGN;
}
142
/**
 * MSSQLDialogue::handleTimeout(Message *)
 * we are not interested in this socket event,
 * so we simply return CL_DROP
 *
 * @param msg
 *
 * @return CL_DROP
 */
ConsumeLevel MSSQLDialogue::handleTimeout(Message *msg)
{
	(void)msg; // timeouts are not handled here
	return CL_DROP;
}
156
/**
 * MSSQLDialogue::connectionLost(Message *)
 * we are not interested in this socket event,
 * so we simply return CL_DROP
 *
 * @param msg
 *
 * @return CL_DROP
 */
ConsumeLevel MSSQLDialogue::connectionLost(Message *msg)
{
	(void)msg; // nothing to clean up on a lost connection
	return CL_DROP;
}
170
/**
 * MSSQLDialogue::connectionShutdown(Message *)
 * we are not interested in this socket event,
 * so we simply return CL_DROP
 *
 * @param msg
 *
 * @return CL_DROP
 */
ConsumeLevel MSSQLDialogue::connectionShutdown(Message *msg)
{
	(void)msg; // nothing to do on shutdown
	return CL_DROP;
}
184
185
186
187
188
189
190