1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
/* ulogd_PWSNIFF.c, Version $Revision: 1.2 $
*
* ulogd logging interpreter for POP3 / FTP like plaintext passwords.
*
* (C) 2000 by Harald Welte <laforge@gnumonks.org>
* This software is released under the terms of GNU GPL
*
* $Id: ulogd_PWSNIFF.c,v 1.2 2000/09/22 06:54:33 laforge Exp $
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <ulogd.h>
#include <string.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <linux/tcp.h>
#ifdef DEBUG
#define DEBUGP ulogd_error
#else
#define DEBUGP(format, args...)
#endif
#define PORT_POP3 110
#define PORT_FTP 21
static u_int16_t pwsniff_ports[] = {
__constant_htons(PORT_POP3),
__constant_htons(PORT_FTP),
};
#define PWSNIFF_MAX_PORTS 2
static char *_get_next_blank(char* begp, char *endp)
{
char *ptr;
for (ptr = begp; ptr < endp; ptr++) {
if (*ptr == ' ' || *ptr == '\n' || *ptr == '\r') {
return ptr-1;
}
}
return NULL;
}
static ulog_iret_t *_interp_pwsniff(ulog_interpreter_t *ip, ulog_packet_msg_t *pkt)
{
struct iphdr *iph = (struct iphdr *) pkt->payload;
void *protoh = (u_int32_t *)iph + iph->ihl;
struct tcphdr *tcph = protoh;
u_int32_t tcplen = ntohs(iph->tot_len) - iph->ihl * 4;
unsigned char *ptr, *begp, *pw_begp, *endp, *pw_endp;
ulog_iret_t *ret = ip->result;
int len, pw_len, i, cont = 0;
len = pw_len = 0;
begp = pw_begp = NULL;
if (iph->protocol != IPPROTO_TCP)
return NULL;
for (i = 0; i <= PWSNIFF_MAX_PORTS; i++)
{
if (tcph->dest == pwsniff_ports[i]) {
cont = 1;
break;
}
}
if (!cont)
return NULL;
DEBUGP("----> pwsniff detected, tcplen=%d, struct=%d, iphtotlen=%d, ihl=%d\n", tcplen, sizeof(struct tcphdr), ntohs(iph->tot_len), iph->ihl);
for (ptr = (unsigned char *) tcph + sizeof(struct tcphdr);
ptr < (unsigned char *) tcph + tcplen; ptr++)
{
if (!strncasecmp(ptr, "USER ", 5)) {
begp = ptr+5;
endp = _get_next_blank(begp, (char *)tcph + tcplen);
if (endp)
len = endp - begp + 1;
}
if (!strncasecmp(ptr, "PASS ", 5)) {
pw_begp = ptr+5;
pw_endp = _get_next_blank(pw_begp,
(char *)tcph + tcplen);
if (pw_endp)
pw_len = pw_endp - pw_begp + 1;
}
}
if (len) {
ret[0].value.ptr = (char *) malloc(len+1);
ret[0].flags |= ULOGD_RETF_VALID;
if (!ret[0].value.ptr) {
ulogd_error("_interp_pwsniff: OOM (size=%u)\n", len);
return NULL;
}
strncpy(ret[0].value.ptr, begp, len);
*((char *)ret[0].value.ptr + len + 1) = '\0';
}
if (pw_len) {
ret[1].value.ptr = (char *) malloc(pw_len+1);
ret[1].flags |= ULOGD_RETF_VALID;
if (!ret[1].value.ptr){
ulogd_error("_interp_pwsniff: OOM (size=%u)\n", pw_len);
return NULL;
}
strncpy(ret[1].value.ptr, pw_begp, pw_len);
*((char *)ret[1].value.ptr + pw_len + 1) = '\0';
}
return ret;
}
static ulog_iret_t pwsniff_rets[] = {
{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "pwsniff.user", 0 },
{ NULL, NULL, 0, ULOGD_RET_STRING, ULOGD_RETF_FREE, "pwsniff.pass", 0 },
};
static ulog_interpreter_t base_ip[] = {
{ NULL, "pwsniff", 0, &_interp_pwsniff, 2, &pwsniff_rets },
{ NULL, "", NULL },
};
void _base_reg_ip(void)
{
ulog_interpreter_t *ip = base_ip;
ulog_interpreter_t *p;
for (p = ip; p->interp; p++)
register_interpreter(p);
}
void _init(void)
{
_base_reg_ip();
}
|
