RE: [Full-Disclosure] IDS Evasion
- To: <rnunez@cpiu.us>
- Subject: RE: [Full-Disclosure] IDS Evasion
- From: <indianz@indianz.ch>
- Date: Thu, 30 Oct 2003 13:14:33 +0100 (CET)
The ANTI-IDS Tactics from Whisker exist as a single tool too,
have a look at the attached mutate2.c...
GreetZ from IndianZ
mailto:indianz@indianz.ch
http://www.indianz.ch
>
> Check this out, it's for the last year but still being useful
>
> IDS Evasion Techniques and Tactics
>
> http://www.securityfocus.com/infocus/1577
>
>
> R-
> www.cpiu.us
>
>
>
> -----Original message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On behalf of simon
> Sent: Wednesday, 29 October 2003 06:19 p.m.
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] IDS Evasion
>
>
> All,
> I am interested in learning about IDS evasion tricks and tools for
> both
> host based IDS systems and network based IDS systems. Is there a place
> where I can find a list that either gives technological details or tools
> that I could study to learn more about this? I already have a very
> detailed understanding of the evasion theories, but I want to put some
> of them to the test on my own product(s). Pointers, advice?
>
>
> --
>
> Regards,
> -simon-
>
>
> "When a shepherd goes to kill a wolf, and takes his dog along to see the
> sport, he should take care to avoid mistakes. The dog has certain
> relationships to the wolf the shepherd may have forgotten."
>
>
> -------------------------------------------------------
> Secure Network Operations Strategic Reconnaissance Team
> http://www.secnetops.com || http://www.snosoft.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
/*
** [MUTATE 2] ANTI-NIDS PROXY
** by ET LoWNOISE
** BUGS,IDEAS,etc plz email: et@cyberspace.org
**
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <signal.h>
#include <time.h>
#include <ctype.h> // toupper()
#include <strings.h> // bzero()
#define MYPORT 7000 //the listening mutate server port
//CLIENT
#define MAXDATASIZE 10000 // max number of bytes we can get at once
// Enough to work with http headers
#define BACKLOG 20 //number connections queue
/*======DEFINE FOR TACTICS, be careful with MAXDATASIZE=====*/
#define MAXS 4
#define MAXT 3
#define MAXR 4
#define MAXP 5
#define MAXO 3
#define MAXW 4
#define MINSECONDS 1 //TB1
#define MAXSECONDS 20 //TB1
#define SIZEFRAG 3
/*===========================================================*/
void
sigchld_handler(int s);
void
usage(void);
void
service(int sersocket, char *host, int port, int argc, char **argv);
/*===========================================================
ANTI-IDS TACTICS
=============================================================*/
/*====== Knowledge Based ======*/
/*Method matching (Taken from RFP whisker) but expanded by me :)*/
char *
TK0_Method_Matching(char *string, char newmethod);
/*URL encoding (Taken from RFP whisker); set slash=1 if you do not
want '/'s encoded, apache needs slash=1*/
char *
TK1_URL_encoding(char *string, char slash);
/*This is just the basic Double Slashes method but is expanded so
you can replace slashes with any number of slashes you want*/
char *
TK2_Multiple_Slashes(char *string,int num);
/*REVERSE TRAVERSAL Get [/docs/..]/cgi-bin[/docs/..]/test HTTP/1.0
use num to create more references the example is if num=2
then the string will look like:
GET /docs/../docs/../cgi-bin/docs/../docs/../test HTTP/1.0*/
char *
TK3_Reverse_traversal(char *string,int num);
/*SELF-REFERENCE DIRECTORIES
use num to create more references. ex num=2
GET /././cgi-bin/././test HTTP/1.0 */
char *
TK4_Self_reference(char *string,int num);
/*PREMATURE REQUEST ENDING*/
char *
TK5_Premrequest_ending(char *string,int num);
/*HTTP MIS-FORMATING replace the url spaces with multiple TABS, works
in Apache*/
char *
TK6_Http_misformat(char *string,int num);
/*NULL method , works on IIS (rfp)*/
char *
TK7_NULL_method(char *string);
/*DOS/WIN directory syntax , for simplicity's sake num is the number of
backslashes that replace each '/' after the first one , this only works on IIS*/
char *
TK8_DOSWIN_dir(char *string,int num);
/*CASE SENSITIVITY works on IIS win based web servers*/
char *
TK9_Case_sensitivity(char *string);
/*SPACE GARBAGE works on Apache , it just adds a space and garbage to the end of
the URI*/
char *
TK10_Space_Garbage(char *string);
/*DIR BROWSING add /?/blah/blah to the end of URI
ONLY for Dir browsing*/
char *
TK11_Dir_browsing(char *string);
/*====== Behavior Based ======*/
/* It's easy to see a pattern in automated cgi scanning, because the
connections come one after the other, so let's wait a random time from min-
seconds to max-seconds. Some NIDS correlate time and alarms to
generate a cgi scanning alarm. So let's play with time.
MAYBE YOU NEED TO CHANGE THE TIMEOUT ON YOUR CGI SCANNER, OR EXPLOIT
IF YOU ARE USING ONE.*/
void
TB1_gotosleep(int minsecs, int maxsecs, int verbose); //verbose 0 no 1 yes
/*===========================================================
THE MAIN
=============================================================*/
int
main(int argc, char *argv[]){
int main_fd,
new_fd; // listen on main_fd, new connection on new_fd
int PORT; //target port
struct sockaddr_in my_addr;
struct sockaddr_in their_addr;
socklen_t sin_size; // accept() wants a socklen_t
struct sigaction sa;
int yes=1;
if(argc < 3){
usage();
}
if((main_fd = socket(PF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
exit(1);
}
if(setsockopt(main_fd,SOL_SOCKET,SO_REUSEADDR,&yes,sizeof(int)) == -1){
perror("setsockopt");
exit(1);
}
my_addr.sin_family = AF_INET; // host byte order
my_addr.sin_port = htons(MYPORT); // short, network byte order
my_addr.sin_addr.s_addr = INADDR_ANY; // automatically fill with my IP
bzero(&(my_addr.sin_zero), 8); // zero the rest of the struct
if(bind(main_fd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr))==
-1) {
perror("bind");
exit(1);
}
if(listen(main_fd, BACKLOG) == -1){
perror("listen");
exit(1);
}
sa.sa_handler = sigchld_handler; // reap all dead processes
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
if(sigaction(SIGCHLD, &sa, NULL) == -1){
perror("sigaction");
exit(1);
}
printf("[MUTATE 2] Listening on port %d ...\n",MYPORT);
while(1){ // main accept() loop
sin_size = sizeof(struct sockaddr_in);
if((new_fd = accept(main_fd, (struct sockaddr *)&their_addr, &sin_size)) == -1){
perror("accept");
continue;
}
printf("\nMUTATE: Connection from %s\n",
inet_ntoa(their_addr.sin_addr));
if (!fork()) { // this is the child process
close(main_fd); // child doesn't need the listener
/*SERVICE*/
service(new_fd, argv[1], atoi(argv[2]), argc, argv);
/*END*/
close(new_fd);
exit(0);
}
close(new_fd); // parent doesn't need this
}
return 0;
}
/*===========================================================
ADDITIONAL FUNCTIONS
=============================================================*/
void
sigchld_handler(int s){
(void)s;
while(waitpid(-1, NULL, WNOHANG) > 0); // reap every finished child without blocking
}
void
usage(void){
system("clear");
printf("\n [ MUTATE 2 ]");
printf("\n ANTI NIDS/FW Simple PROXY by ET LoWNOISE \n");
printf("\n Usage: mutate <target> <port> Normal boring operation mode");
printf("\n : mutate <target> <port> [flags] Anti-NIDS Tactics\n");
printf("\n Actual MUTATE listening port: %d\n\n",MYPORT);
printf(" Flags -----------------------------------------------------------\n\n");
printf(" [-h ] This SHORT help\n");
printf(" [-v ] Verbose\n");
printf(" ====== Knowledge Based Anti-IDS ======\n\n");
printf(" [-mM] METHOD MATCHING (expanded)\n");
printf(" M: 0 HEAD\n");
printf(" 1 GET\n");
printf(" 2 POST\n");
printf(" 3 PUT\n");
printf(" 4 DELETE\n");
printf(" 5 PATCH\n");
printf(" 6 PROPFIND\n");
printf(" 7 PROPPATCH\n");
printf(" 8 MKCOL\n");
printf(" 9 COPY\n");
printf(" a MOVE\n");
printf(" b LOCK\n");
printf(" c UNLOCK\n");
printf(" d Remove the method. On some platforms the method is even\n");
printf(" ignored. Should be the last flag used.\n\n");
printf(" On some web servers like apache, you can use multiple\n");
printf(" methods to see if a file exists or not. If a file exist the\n");
printf(" common response is a [200 OK] or [405 Method Not Allowed].\n");
printf(" Check the -f flag.\n");
printf(" [-f ] Change any response from 405 to 200,usefull for cgi-scanners\n");
printf(" [-eS] URL ENCODING (expanded)\n");
printf(" S: 0 Encode everything\n");
printf(" 1 Do NOT encode '/'s chars\n\n");
printf(" ex. Apache needs -e1\n");
printf(" [-s ] DOUBLE/MULTIPLE SLASHES METHOD (expanded)\n");
printf(" define MAXS How many MAXS>=1\n");
printf(" [-t ] REVERSE TRAVERSAL (expanded)\n");
printf(" : define MAXT How many MAXT>=1\n");
printf(" [-r ] SELF-REFERENCE DIRECTORIES (expanded)\n");
printf(" define MAXR How many MAXR>=1\n");
printf(" [-p ] PREMATURE REQUEST ENDING (expanded) \n");
printf(" define MAXP How many MAXP>=1\n");
printf(" [-o ] HTTP MIS-FORMATING (expanded)\n");
printf(" define MAXO How many MAXO>=1\n");
printf(" [-n ] NULL METHOD\n");
printf(" [-w ] DOS/WIN DIRECTORY SYNTAX (expanded)\n");
printf(" define MAXW How many MAXW>=1\n");
printf(" [-c ] CASE SENSITIVITY\n");
printf(" [-g ] SPACE GARBAGE \n");
printf(" [-b ] DIRECTORY BROWSING \n");
printf(" ====== Behavior Based Anti-IDS ======\n\n");
printf(" [-k ] It Waits from Random MINSECONDS to MAXSECONDS to send.\n");
printf("\n Its easy to see a pattern in a automated cgi scanning, thats \n");
printf(" because the connections come one after the other, so you can wait\n");
printf(" random time from MINSECONDS to MAXSECONDS.\n");
printf("\n ====== Network Based Anti-IDS ======\n\n");
printf(" [-F ] Fragment initial string in mutiple packets of SIZEFRAG.\n");
printf("\n ====== Note ======");
printf("\n (expanded) Taken from whisker (RFP) but with new details. Please\n");
printf(" read the doc 'A look at whisker's anti-IDS tactics' by RFP for more\n");
printf(" info on the basic anti-ids tactics. And check the MUTATE source code.\n");
printf(" Use many flags at the same time.I recommend to use -e for the LAST flag.\n");
printf(" -----------------------------------------------------------------\n\n");
printf(" I have added some new tactics, expanded old ones and implemented\n");
printf(" many tactics taken from RFP 'A look at whisker's anti-IDS tactics'\n");
printf(" The Idea is simple but powerful, is necesary a tool with this\n");
printf(" characteristics:\n\n");
printf(" - Anti-IDS capabilities transparent to the client\n");
printf(" - Easy to update or modify to any necesity\n");
printf(" - Transparent redirection capabilities to bypass firewalls\n");
printf(" - Protect Identity when testing\n");
printf(" - Simple configuration\n\n");
printf(" MUTATE will help you test NIDS, and it will help you understand\n");
printf(" that Static NIDS (Rule Based),have many limitations (they sucks).\n");
printf(" MUTATE is focused to security scanners and cgi-scanners, but is\n");
printf(" easy to modify it to any requirement you have.\n\n");
printf(" Remember to choose the right port on the client side so it can\n");
printf(" connect to MUTATE.\n");
printf(" New ideas are welcome.\n\n");
printf(" -Efrain 'ET' Torres\n");
printf(" -------------------[ ET LoWNOISE Colombia 2001 et@cyberspace.org\n");
printf(" :X500.000PoK\n");
printf("\n");
exit(0);
}
void
service(int sersocket, char *host, int port, int argc, char **argv){
int sockfd, numbytes,i,j,k,l,tam;
int FIXR=0; /*This will just change the response code from 405 to 200*/
int VERBOSE=0;
int SLEEP=0;
int FRAG=0;
char *fixp;
char buf[MAXDATASIZE];
char *temp;
char cadena[MAXDATASIZE];
char cadenita[SIZEFRAG+1];
struct hostent *he; // gethostbyname() is already declared in <netdb.h>
struct sockaddr_in targetaddr; // target address information
if ((he=gethostbyname(host)) == NULL) {
fprintf(stderr,"ERROR target gethostbyname\n");
if (send(sersocket, "MUTATE ERROR target gethostbyname\n", 34, 0) == -1){
fprintf(stderr,"ERROR cant send to MUTATE Client\n");
}
exit(1);
}
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
fprintf(stderr,"ERROR socket to target\n");
if (send(sersocket, "MUTATE ERROR socket to target\n", 30, 0) == -1){
fprintf(stderr,"ERROR cant send to MUTATE Client\n");
}
exit(1);
}
//RECEIVE FROM CLIENT
bzero(buf,MAXDATASIZE);
if ((numbytes=recv(sersocket, buf, MAXDATASIZE-1, 0)) == -1) { // leave room for the terminating NUL
fprintf(stderr,"ERROR cant recv from MUTATE Client\n");
exit(1);
}
//CONNECT TO TARGET
targetaddr.sin_family = AF_INET; // host byte order
targetaddr.sin_port = htons(port); // short, network byte order
targetaddr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(targetaddr.sin_zero), 8); // zero the rest of the struct
if(connect(sockfd, (struct sockaddr *)&targetaddr,sizeof(struct sockaddr)) == -1){
fprintf(stderr,"ERROR Cant connect to target\n");
if (send(sersocket, "MUTATE ERROR couldnt connect to target\n", 39, 0) == -1){
fprintf(stderr,"ERROR Cant send to MUTATE Client\n");
}
exit(1);
}
//BUILD THE ANTI-IDS REQUEST STRING HERE==========================
for(i=0;i<argc;i++){ if(argv[i][0] == '-') {
for(j=1;j<strlen(argv[i]);j++){
switch(argv[i][j])
{
case 'h':
//THE HELP
usage();
break;
case 'v':
//Verbose
VERBOSE=1;
break;
case 'm':
//Method matching (Taken from RFP whisker) but expanded by me :)
strcpy(buf,TK0_Method_Matching(buf, argv[i][j+1]));
break;
case 'e':
//URL encoding (Taken from RFP whisker)
strcpy(buf,TK1_URL_encoding(buf,argv[i][j+1]));
break;
case 'f':
/*This will just change the response
code from 405 to 200 so when you play
with the method matching, the client
side, (ex. cgi-scanner) will get the nice
result*/
FIXR=1;
break;
case 's':
//Multiple slashes
strcpy(buf,TK2_Multiple_Slashes(buf,MAXS));
break;
case 't':
//Reverse Traversal
strcpy(buf,TK3_Reverse_traversal(buf,MAXT));
break;
case 'r':
//Self reference directories
strcpy(buf,TK4_Self_reference(buf,MAXR));
break;
case 'p':
//Premature request ending
strcpy(buf,TK5_Premrequest_ending(buf,MAXP));
break;
case 'o':
//HTTP mis-formating
strcpy(buf,TK6_Http_misformat(buf,MAXO));
break;
case 'n':
//NULL method
strcpy(buf,TK7_NULL_method(buf));
break;
case 'w':
//DOS-WIN directory syntax
strcpy(buf,TK8_DOSWIN_dir(buf,MAXW));
break;
case 'c':
//CASE SENSITIVITY
strcpy(buf,TK9_Case_sensitivity(buf));
break;
case 'g':
//SPACE GARBAGE
strcpy(buf,TK10_Space_Garbage(buf));
break;
case 'b':
//DIR BROWSING
strcpy(buf,TK11_Dir_browsing(buf));
break;
case 'k':
//RANDOM SLEEP SEND TIME
SLEEP=1;
break;
case 'F':
//FRAGMENT SIZEFRAG
FRAG=1;
break;
default:
break;
}
}
}
}
//fprintf(stderr,"OK passed\n");
//==================================================================
//if(SLEEP==1){
//TB1_gotosleep(MINSECONDS,MAXSECONDS,VERBOSE);
//}
//SEND TO TARGET
if(FRAG==0){
if(SLEEP==1){
TB1_gotosleep(MINSECONDS,MAXSECONDS,VERBOSE);
}
if (send(sockfd, buf, strlen(buf), 0) == -1){ // no trailing NUL on the wire
fprintf(stderr,"ERROR send to Target\n");
if (send(sersocket, "MUTATE ERROR couldnt send to target\n", 36, 0) == -1){ // 36 = strlen of the message
fprintf(stderr,"ERROR cant send to MUTATE Client\n");
}
exit(1);
}
}
else{
//FRAG (SIZEFRAG): send the request in SIZEFRAG-byte pieces, walking an offset
//instead of shifting the buffer with an overlapping strcpy
tam=strlen(buf);
k=0;
while(k<tam){
bzero(cadenita,SIZEFRAG+1);
strncpy(cadenita,buf+k,SIZEFRAG); // next piece, NUL-terminated thanks to the bzero
if(VERBOSE==1){
printf("- Fragment: %s\n",cadenita);
}
if(SLEEP==1){
TB1_gotosleep(MINSECONDS,MAXSECONDS,VERBOSE);
}
if (send(sockfd, cadenita, strlen(cadenita), 0) == -1){
fprintf(stderr,"ERROR send to Target\n");
if (send(sersocket, "MUTATE ERROR couldnt send to target\n", 36, 0) == -1){
fprintf(stderr,"ERROR cant send to MUTATE Client\n");
}
exit(1);
}
k=k+SIZEFRAG;
}
}
//FOR DEBUG PURPOSES
if(VERBOSE==1){
fprintf(stderr,"RESENDING C-T: %s \nBYTES: %zu\n",buf,strlen(buf));
}
//RECEIVE RESPONSE FROM TARGET
bzero(buf,MAXDATASIZE);
if ((numbytes=recv(sockfd, buf, MAXDATASIZE-1, 0)) == -1) { // leave room for the terminating NUL
fprintf(stderr,"ERROR cant recv from Target\n");
if (send(sersocket, "MUTATE ERROR couldnt recv from target\n", 38, 0) == -1){
fprintf(stderr,"ERROR cant send to MUTATE Client\n");
}
exit(1);
}
if(FIXR==1){
if((fixp=strstr(buf,"405"))!= NULL){
fixp[0]='2';
fixp[1]='0';
fixp[2]='0';
}
}
//FOR DEBUG PURPOSES
if(VERBOSE==1){
fprintf(stderr,"RESENDING T-C: %s \nBYTES: %zu\n",buf,strlen(buf));
}
//SEND RESPONSE TO CLIENT
if (send(sersocket, buf, numbytes, 0) == -1){ // numbytes: a binary response may contain NUL bytes
fprintf(stderr,"ERROR send to Client\n");
exit(1);
}
close(sockfd);
}
/*===========================================================
ANTI-IDS TACTICS
=============================================================*/
/*====== Knowledge Based ======*/
//Method matching (Taken from RFP whisker) but expanded by me :)
char *
TK0_Method_Matching(char *string,char newmethod){
/*This will only search for the method and change it to
newmethod.
On some web servers like apache, you can use multiple
methods to see if a file exists or not. If a file exists the
common response is a [200 OK] or [405 Method Not Allowed]; if
the file doesn't exist then the response is just a [404 Not Found]*/
static char temp[MAXDATASIZE]; // static: the pointer is returned to the caller
char *ptr;
if((ptr=strchr(string,0x20))){
//looking for first space
switch(newmethod){
case '0':
strcpy(temp,"HEAD");
break;
case '1':
strcpy(temp,"GET");
break;
case '2':
strcpy(temp,"POST");
break;
case '3':
strcpy(temp,"PUT");
break;
case '4':
strcpy(temp,"DELETE");
break;
case '5':
strcpy(temp,"PATCH");
break;
case '6':
strcpy(temp,"PROPFIND");
break;
case '7':
strcpy(temp,"PROPPATCH");
break;
case '8':
strcpy(temp,"MKCOL");
break;
case '9':
strcpy(temp,"COPY");
break;
case 'a':
strcpy(temp,"MOVE");
break;
case 'b':
strcpy(temp,"LOCK");
break;
case 'c':
strcpy(temp,"UNLOCK");
break;
case 'd':
strcpy(temp,""); //Remove the method. On some platforms the method is even ignored. (RFP)
break;
default:
//Unknown selector: keep the original method
strncpy(temp,string,ptr-string);
temp[ptr-string]='\0';
break;
}
strcat(temp,ptr);
return temp;
}
return string; //no space found: leave the request untouched
}
//URL encoding (Taken from RFP whisker) OBSOLETE
/*if slash=1 then the char '/' is not encoded, some web servers choke on that*/
char *
TK1_URL_encoding(char *string,char slash){
/*This will just encode the URI with it's escaped
equivalent. OBSOLETE FOR TODAYS NIDS (but try :) )*/
int i;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[5] ;
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail); // widths keep the buffers from overflowing
strcpy(temp1,method);
strcat(temp1," ");
i=0;
while(i<strlen(temp)){
bzero(coded,5);
if(temp[i]==0x2f && slash=='1'){
sprintf(coded,"%c",temp[i]);
}
else{
sprintf(coded,"%%%02x",(unsigned char)temp[i]); // always two hex digits, also for bytes >= 0x80
}
printf(" \b");
strcat(temp1,coded);
i++;
}
strcat(temp1," ");
strcat(temp1,tail);
strcat(temp1,"\n\n");
return temp1;
}
/*This is just the basic Double Slashes method but is
expanded so you can replace slashes with any number of
slashes you want*/
char *
TK2_Multiple_Slashes(char *string,int num){
/* ( try num > 2 :) )*/
int i,j;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[5] ;
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
/*num has to be >= 1 dont be dumb*/
if(num < 1){
num=1;
}
sscanf(string,"%29s %9999s %29s",method,temp,tail);
strcpy(temp1,method);
strcat(temp1," ");
i=0;
while(i<strlen(temp)){
if(temp[i]==0x2f){
j=0;
while(j < num){
strcat(temp1,"/");
j++;
}
i++;
}
bzero(coded,5);
sprintf(coded,"%c",temp[i]);
printf(" \b");
strcat(temp1,coded);
i++;
}
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*REVERSE TRAVERSAL Get [/docs/..]/cgi-bin[/docs/..]/test HTTP/1.0
use num to create more references the example is if num=2
then the string will look like:
GET /docs/../docs/../cgi-bin/docs/../docs/../test HTTP/1.0
*/
char *
TK3_Reverse_traversal(char *string,int num){
/* ( try num > 2 :) )*/
int i,j;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[5] ;
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
strcpy(temp1,method);
strcat(temp1," ");
i=0;
while(i<strlen(temp)){
if(temp[i]==0x2f){
j=0;
while(j < num){
strcat(temp1,"/docs/..");
j++;
}
i++;
strcat(temp1,"/");
}
bzero(coded,5);
sprintf(coded,"%c",temp[i]);
printf(" \b");
strcat(temp1,coded);
i++;
}
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*SELF-REFERENCE DIRECTORIES
use num to create more references. ex num=2
GET /././cgi-bin/././test HTTP/1.0
*/
char *
TK4_Self_reference(char *string,int num){
/* ( try num > 2 :) )*/
int i,j;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[5] ;
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
strcpy(temp1,method);
strcat(temp1," ");
i=0;
while(i<strlen(temp)){
if(temp[i]==0x2f){
j=0;
while(j < num){
strcat(temp1,"/.");
j++;
}
i++;
strcat(temp1,"/");
}
bzero(coded,5);
sprintf(coded,"%c",temp[i]);
printf(" \b");
strcat(temp1,coded);
i++;
}
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*PREMATURE REQUEST ENDING*/
char *
TK5_Premrequest_ending(char *string,int num){
/* ( try num > 2 :) )*/
int i,j;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[5] ;
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
strcpy(temp1,method);
strcat(temp1," ");
i=0;
while(i<strlen(temp)){
if(temp[i]==0x2f){
j=0;
while(j < num){
strcat(temp1,"/%20HTTP/1.0%0d%0aHeader:%20/../..");
j++;
}
i++;
strcat(temp1,"/");
}
bzero(coded,5);
sprintf(coded,"%c",temp[i]);
printf(" \b");
strcat(temp1,coded);
i++;
}
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*HTTP MIS-FORMATING replace the url spaces with multiple TABS, works
in Apache, be careful when you use this tactic in combination with others,
remember that the spaces will be replaced with TABS so any other tactic will
die because there are no spaces to cut the string*/
char *
TK6_Http_misformat(char *string,int num){
/* ( try num > 2 :) )*/
int j;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[2] = "\t"; // the separator that replaces each space
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
printf(" \b");
strcpy(temp1,method);
j=0;
while(j < num){
strcat(temp1,coded);
j++;
}
strcat(temp1,temp);
j=0;
while(j < num){
strcat(temp1,coded);
j++;
}
strcat(temp1,tail);
return temp1;
}
/*NULL method , works on IIS (rfp)*/
char *
TK7_NULL_method(char *string){
char method[30],
tail[30],
temp[MAXDATASIZE];
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
printf(" \b");
strcpy(temp1,method);
strcat(temp1,"%00");
strcat(temp1," ");
strcat(temp1,temp);
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*DOS/WIN directory syntax , for simplicity's sake num is the number of
backslashes that replace each '/' after the first one , this only works on IIS*/
char *
TK8_DOSWIN_dir(char *string,int num){
/* ( try num > 2 :) )*/
int i,j,first;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[5] ;
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
/*num has to be >= 1 dont be dumb*/
if(num < 1){
num=1;
}
sscanf(string,"%29s %9999s %29s",method,temp,tail);
strcpy(temp1,method);
strcat(temp1," ");
first=0;
i=0;
while(i<strlen(temp)){
if(temp[i]==0x2f && first==0){
first=1;
}
else{
if(temp[i]==0x2f && first==1){
j=0;
while(j < num){
strcat(temp1,"\\");
j++;
}
i++;
}
}
bzero(coded,5);
sprintf(coded,"%c",temp[i]);
printf(" \b");
strcat(temp1,coded);
i++;
}
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*CASE SENSITIVITY works on IIS win based web servers*/
char *
TK9_Case_sensitivity(char *string){
int i;
char method[30],
tail[30],
temp[MAXDATASIZE],
coded[5] ;
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
strcpy(temp1,method);
strcat(temp1," ");
i=0;
while(i<strlen(temp)){
bzero(coded,5);
sprintf(coded,"%c",toupper(temp[i]));
printf(" \b");
strcat(temp1,coded);
i++;
}
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*SPACE GARBAGE works on Apache , it just adds a space and garbage to the end of
the URI*/
char *
TK10_Space_Garbage(char *string){
char method[30],
tail[30],
temp[MAXDATASIZE];
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
printf(" \b");
strcpy(temp1,method);
strcat(temp1," ");
strcat(temp1,temp);
strcat(temp1," ");
strcat(temp1,"/help/docs/rules/blah/blah/blah/");
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*DIR BROWSING add /?/blah/blah to the end of URI
ONLY for Dir browsing*/
char *
TK11_Dir_browsing(char *string){
char method[30],
tail[30],
temp[MAXDATASIZE];
static char temp1[MAXDATASIZE]; // static: the pointer is returned to the caller
sscanf(string,"%29s %9999s %29s",method,temp,tail);
printf(" \b");
strcpy(temp1,method);
strcat(temp1," ");
strcat(temp1,temp);
strcat(temp1,"/?/extend/blah/");
strcat(temp1," ");
strcat(temp1,tail);
return temp1;
}
/*====== Behavior Based ======*/
void
TB1_gotosleep(int minsecs, int maxsecs, int verbose){
int secs;
if(maxsecs < minsecs){
maxsecs = minsecs;
}
srand((unsigned)time(NULL) ^ (unsigned)getpid()); // children forked in the same second still get different seeds
secs = minsecs + (rand() % (maxsecs - minsecs + 1)); // uniform in [minsecs, maxsecs]
if(verbose==1){
fprintf(stderr,"\nMUTATE: Sleeping %d secs..\n",secs);
}
sleep(secs);
}
/*===============================================================*/
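As an added example (not part of mutate2.c, whisker or the original mail), here is the defender's side of the knowledge-based tactics above: a request-line normaliser of the kind a NIDS HTTP preprocessor runs before signature matching, with hypothetical names (normalize_request, normalize_matches, the N_* flags) chosen for this example. It canonicalises the request line so that the -e, -s, -t, -r, -w, -c, -o, -p, -n, -g and -b variants of `GET /cgi-bin/test HTTP/1.0` all reduce to `/cgi-bin/test`, and it returns flags for the irregularities that deserve an alert even when the path itself is benign.

```c
/* Added example, not part of mutate2.c: canonicalise an HTTP request line the
 * way a NIDS HTTP preprocessor does before signature matching. */
#include <ctype.h>
#include <string.h>
#define N_BADESCAPE 1   /* '%' not followed by two hex digits            */
#define N_CTRLCHAR  2   /* decoded NUL, CR, LF, space or TAB in the path */
#define N_TABSEP    4   /* TABs used as request-line separators (-o)     */
#define N_EXTRATOK  8   /* extra token between URI and version (-g)      */
#define N_NULMETHOD 16  /* "%00" glued to the method (-n)                */
static int hexval(int c) {                  /* value of a hex digit, or -1 */
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Collapse runs of '/', drop "." segments and resolve ".." in place (-s, -r,
 * -t). Requires a leading '/', which normalize_request() guarantees. */
static void resolve_dots(char *p) {
    size_t o = 0, i = 0;                    /* write index / read index */
    while (p[i] != '\0') {
        while (p[i] == '/') i++;
        size_t s = i;
        while (p[i] != '\0' && p[i] != '/') i++;
        size_t len = i - s;
        if (len == 0 || (len == 1 && p[s] == '.')) continue;
        if (len == 2 && p[s] == '.' && p[s + 1] == '.') {
            while (o > 0 && p[--o] != '/') { }  /* pop the previous segment */
            continue;
        }
        p[o++] = '/';                       /* o < s holds, so nothing is clobbered */
        memmove(p + o, p + s, len);
        o += len;
    }
    if (o == 0) p[o++] = '/';
    p[o] = '\0';
}
/* Split the request line on runs of spaces/TABs, percent-decode the URI up to
 * any '?', map '\' to '/', fold case, then resolve dot segments into `path`.
 * Returns a bitmask of N_* flags, or -1 when there is no URI or no room. */
int normalize_request(const char *line, char *path, size_t psz) {
    const char *tok[4], *q = line, *z; size_t tlen[4], o = 0;
    int n = 0, flags = 0;
    for (; *q != '\0' && n < 4; n++) {
        while (*q == ' ' || *q == '\t') { if (*q == '\t') flags |= N_TABSEP; q++; }
        if (*q == '\0') break;
        tok[n] = q;
        while (*q != '\0' && *q != ' ' && *q != '\t') q++;
        tlen[n] = (size_t)(q - tok[n]);
    }
    if (n < 2 || psz < 2) return -1;
    if (n > 3) flags |= N_EXTRATOK;
    if ((z = strstr(line, "%00")) != NULL && z < tok[1]) flags |= N_NULMETHOD;
    path[o++] = '/';                        /* always anchor at the root */
    for (size_t i = 0; i < tlen[1] && o + 1 < psz; i++) {
        int c = (unsigned char)tok[1][i];
        if (c == '?') break;                /* query string is not path (-b) */
        if (c == '%') {                     /* URL encoding (-e) */
            int h = (i + 2 < tlen[1]) ? hexval((unsigned char)tok[1][i + 1]) : -1;
            int l = (h < 0) ? -1 : hexval((unsigned char)tok[1][i + 2]);
            if (l < 0) { flags |= N_BADESCAPE; path[o++] = '%'; continue; }
            c = h * 16 + l; i += 2;
        }
        if (c == '\\') c = '/';             /* DOS/Windows syntax (-w) */
        if (iscntrl(c) || c == ' ') flags |= N_CTRLCHAR;  /* premature ending (-p) */
        if (c != '\0') path[o++] = (char)tolower(c);      /* case folding (-c) */
    }
    path[o] = '\0';
    resolve_dots(path);
    return flags;
}
/* Normalise and compare: the flags if the canonical path equals `want`, else -2. */
int normalize_matches(const char *line, const char *want) {
    char buf[4096];
    int f = normalize_request(line, buf, sizeof buf);
    return (f >= 0 && strcmp(buf, want) == 0) ? f : -2;
}
```

Matching signatures against the canonical path and alerting on the flags separately closes both halves of the tool: the rewrites stop hiding the path, and the TAB, %00 and CR/LF tricks become indicators in their own right.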