From 9f75ddad8b3c9cbec611d15a25e9f626fa79735d Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Sun, 27 Apr 2014 13:49:33 +0200 Subject: [PATCH] pre-8.0 --- hydra-afp.c | 12 +++++++---- hydra-asterisk.c | 2 +- hydra-cisco.c | 12 ++++++----- hydra-firebird.c | 1 + hydra-http-form.c | 4 +++- hydra-http-proxy-urlenum.c | 8 ++++--- hydra-http-proxy.c | 10 +++++---- hydra-http.c | 8 +++---- hydra-imap.c | 18 ++++++++++------ hydra-irc.c | 8 +++++-- hydra-ldap.c | 14 +++++++----- hydra-mod.c | 12 +++++++---- hydra-mysql.c | 3 ++- hydra-nntp.c | 15 ++++++++----- hydra-oracle-listener.c | 9 +++++--- hydra-pcanywhere.c | 3 ++- hydra-pop3.c | 9 ++++---- hydra-postgres.c | 1 + hydra-rdp.c | 3 ++- hydra-rlogin.c | 6 ++++-- hydra-rsh.c | 4 +++- hydra-sip.c | 1 - hydra-smb.c | 41 ++++++++++++++++++++--------------- hydra-smtp-enum.c | 2 +- hydra-smtp.c | 19 ++++++++-------- hydra-snmp.c | 28 +++++++++++++++--------- hydra-vmauthd.c | 2 +- hydra-vnc.c | 2 +- hydra-xmpp.c | 17 +++++++++------ hydra.c | 44 ++++++++++++++++++++++++-------------- ntlm.c | 5 +++-- sasl.c | 14 ++++++------ 32 files changed, 208 insertions(+), 129 deletions(-) diff --git a/hydra-afp.c b/hydra-afp.c index 8309abe..a3faf19 100644 --- a/hydra-afp.c +++ b/hydra-afp.c @@ -67,7 +67,7 @@ static int server_subconnect(struct afp_url url) { //fprintf(stderr, "Initiating connection attempt.\n"); if ((server = afp_server_full_connect(NULL, conn_req)) == NULL) { FREE(conn_req); - FREE(server); +// FREE(server); return -1; } //fprintf(stderr, "Connected to server: %s via UAM: %s\n", server->server_name_printable, uam_bitmap_to_string(server->using_uam)); @@ -80,7 +80,7 @@ static int server_subconnect(struct afp_url url) { int start_afp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; - char *login, *pass; + char *login, *pass, mlogin[AFP_MAX_USERNAME_LEN], mpass[AFP_MAX_PASSWORD_LEN]; struct afp_url tmpurl; /* Build AFP authentication request */ 
@@ -97,8 +97,12 @@ int start_afp(int s, char *ip, int port, unsigned char options, char *miscptr, F strncpy(tmpurl.servername, hydra_address2string(ip), AFP_SERVER_NAME_LEN - 1); tmpurl.servername[AFP_SERVER_NAME_LEN] = 0; - memcpy(&tmpurl.username, login, AFP_MAX_USERNAME_LEN); - memcpy(&tmpurl.password, pass, AFP_MAX_PASSWORD_LEN); + strncpy(mlogin, login, AFP_MAX_USERNAME_LEN); + mlogin[AFP_MAX_USERNAME_LEN] = 0; + strncpy(mpass, pass, AFP_MAX_PASSWORD_LEN); + mpass[AFP_MAX_PASSWORD_LEN] = 0; + memcpy(&tmpurl.username, mlogin, AFP_MAX_USERNAME_LEN); + memcpy(&tmpurl.password, mpass, AFP_MAX_PASSWORD_LEN); if (server_subconnect(tmpurl) == 0) { hydra_report_found_host(port, ip, "afp", fp); diff --git a/hydra-asterisk.c b/hydra-asterisk.c index 7c369cc..f93209b 100644 --- a/hydra-asterisk.c +++ b/hydra-asterisk.c @@ -84,7 +84,7 @@ void service_asterisk(char *ip, int sp, unsigned char options, char *miscptr, FI if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); - port = myport; + port = mysslport; } if (sock < 0) { diff --git a/hydra-cisco.c b/hydra-cisco.c index 7be2e0f..e97919d 100644 --- a/hydra-cisco.c +++ b/hydra-cisco.c @@ -74,11 +74,13 @@ int start_cisco(int s, char *ip, int port, unsigned char options, char *miscptr, } do { buf = hydra_receive_line(s); - if (buf[strlen(buf) - 1] == '\n') - buf[strlen(buf) - 1] = 0; - if (buf[strlen(buf) - 1] == '\r') - buf[strlen(buf) - 1] = 0; - } while (strlen(buf) <= 1); + if (buf != NULL) { + if (buf[strlen(buf) - 1] == '\n') + buf[strlen(buf) - 1] = 0; + if (buf[strlen(buf) - 1] == '\r') + buf[strlen(buf) - 1] = 0; + } + } while (buf != NULL && strlen(buf) <= 1); } } diff --git a/hydra-firebird.c b/hydra-firebird.c index 6f2a889..b482149 100644 --- a/hydra-firebird.c +++ b/hydra-firebird.c 
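Review bot: `mlogin[AFP_MAX_USERNAME_LEN] = 0;` and `mpass[AFP_MAX_PASSWORD_LEN] = 0;` each write one byte past the arrays, which the previous hunk declares as `mlogin[AFP_MAX_USERNAME_LEN]` and `mpass[AFP_MAX_PASSWORD_LEN]` — a fixed one-byte stack overflow on every attempt, not only on long input. Either size the arrays one larger in that declaration (`mlogin[AFP_MAX_USERNAME_LEN + 1], mpass[AFP_MAX_PASSWORD_LEN + 1]`) so the terminator lands in range and the full-length `memcpy` still works, or terminate at `[AFP_MAX_USERNAME_LEN - 1]` and accept losing the last character of a maximum-length login. The unchanged `tmpurl.servername[AFP_SERVER_NAME_LEN] = 0;` just above has the same shape and is worth checking against the struct definition. start_afp continues past the end of the hunk.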
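Review bot: `buf[strlen(buf) - 1]` is evaluated whenever `buf` is non-NULL, so an empty line from hydra_receive_line (if it can return `""`; its contract is not visible here) indexes `buf[-1]` before the `strlen(buf) <= 1` test ever runs. Guard the length first, e.g. `size_t len = strlen(buf); while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r')) buf[--len] = 0;`. The loop also still overwrites the previous `buf` without freeing it on each short-line iteration, and when it exits with `buf == NULL` the code that follows must cope with a NULL `buf`. start_cisco continues past the hunk.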
@@ -43,6 +43,7 @@ int start_firebird(int s, char *ip, int port, unsigned char options, char *miscp strncpy(database, miscptr, sizeof(database)); else strncpy(database, DEFAULT_DB, sizeof(database)); + database[sizeof(database) - 1] = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; diff --git a/hydra-http-form.c b/hydra-http-form.c index 20bcb3a..8157230 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -382,7 +382,8 @@ int start_http_form(int s, char *ip, int port, unsigned char options, char *misc if ((endloc = strchr(startloc, '\n')) != NULL) { startloc[endloc - startloc] = 0; } - strcpy(str, startloc); + strncpy(str, startloc, sizeof(str)); + str[sizeof(str) - 1] = 0; endloc = strchr(str, '/'); if (endloc != NULL) { @@ -399,6 +400,7 @@ int start_http_form(int s, char *ip, int port, unsigned char options, char *misc } } else { strncpy(str2, webtarget, sizeof(str2)); + str2[sizeof(str2)] = 0; if (redirected_url_buff[0] != '/') { //it's a relative path, so we have to concatenate it //with the path from the first url given diff --git a/hydra-http-proxy-urlenum.c b/hydra-http-proxy-urlenum.c index 3fa1e47..7f39fc3 100644 --- a/hydra-http-proxy-urlenum.c +++ b/hydra-http-proxy-urlenum.c @@ -134,7 +134,8 @@ int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, c } //recover challenge if (buf != NULL) { - from64tobits((char *) buf1, pos); + if (strlen(buf) >= 4) + from64tobits((char *) buf1, pos); free(buf); } //Send response @@ -165,8 +166,9 @@ int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, c strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; - sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "proxy", host, 0, header); - if (buffer2 == NULL) + pbuffer = buffer2; + sasl_digest_md5(pbuffer, login, pass, buffer, miscptr, "proxy", host, 0, header); + if (pbuffer == NULL) return 3; if (debug) 
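Review bot: `str2[sizeof(str2)] = 0;` writes one past the end of `str2` — assuming it is a local array, as the `sizeof` in the preceding `strncpy` implies; the terminator belongs at `str2[sizeof(str2) - 1] = 0;`, which is exactly what the first hunk of this file does for `str`. `snprintf(str2, sizeof(str2), "%s", webtarget);` would do the bounded copy and the termination in one call. start_http_form continues outside the hunk.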
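Review bot: The `if (pbuffer == NULL) return 3;` test is dead: `pbuffer` is a local holding `buffer2`'s address and is passed by value, so `sasl_digest_md5` cannot clear it, exactly as the old `buffer2 == NULL` test could never fire. If `sasl_digest_md5` hands back its result pointer (or NULL on failure) as its return value — its declaration is not in this patch — the check should read `if (sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "proxy", host, 0, header) == NULL) return 3;`; otherwise the function needs an explicit status return. The same `fooptr`/`pbuffer` pattern is repeated in the http-proxy, http, imap, ldap, nntp, pop3, smtp and xmpp hunks of this patch, and around `sasl_cram_md5` and `sasl_scram_sha1` as well. start_http_proxy_urlenum continues outside the hunk.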
diff --git a/hydra-http-proxy.c b/hydra-http-proxy.c index 79c6cdb..9b0ee80 100644 --- a/hydra-http-proxy.c +++ b/hydra-http-proxy.c @@ -10,7 +10,7 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis char *login, *pass, buffer[500], buffer2[500]; char url[210], host[30]; char *header = ""; /* XXX TODO */ - char *ptr; + char *ptr, *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -118,7 +118,7 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis } } //recover challenge - if (buf != NULL) { + if (buf != NULL && strlen(buf) >= 4) { from64tobits((char *) buf1, pos); free(buf); } @@ -149,9 +149,11 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; + pbuffer = NULL; - sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "proxy", host, 0, header); - if (buffer2 == NULL) + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "proxy", host, 0, header); + if (fooptr == NULL) return 3; if (debug) diff --git a/hydra-http.c b/hydra-http.c index 1d54d31..8440412 100644 --- a/hydra-http.c +++ b/hydra-http.c @@ -2,7 +2,6 @@ #include "sasl.h" extern char *HYDRA_EXIT; -char *buf = NULL; char *webtarget = NULL; char *slash = "/"; int webport, freemischttp = 0; @@ -13,7 +12,7 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; char *header = ""; /* XXX TODO */ - char *ptr; + char *ptr, *fooptr, *buf; if (strlen(login = hydra_get_next_login()) == 0) login = empty; 
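Review bot: Moving `strlen(buf) >= 4` into the outer condition means a non-NULL response shorter than four bytes is never freed, because `free(buf)` now sits inside the same branch — a leak on every malformed NTLM challenge. Keep the NULL test on the outer `if` and apply the length test only to the decode, as the hydra-http-proxy-urlenum hunk of this patch does: `if (buf != NULL) { if (strlen(buf) >= 4) from64tobits((char *) buf1, pos); free(buf); }`. start_http_proxy continues outside the hunk.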
@@ -52,8 +51,9 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; - sasl_digest_md5(buffer2, login, pass, buffer, miscptr, type, webtarget, webport, header); - if (buffer2 == NULL) { + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, buffer, miscptr, type, webtarget, webport, header); + if (fooptr == NULL) { return 3; } diff --git a/hydra-imap.c b/hydra-imap.c index 3f73bee..1668a2e 100644 --- a/hydra-imap.c +++ b/hydra-imap.c @@ -41,7 +41,7 @@ char *imap_read_server_capacity(int sock) { int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; - char *login, *pass, buffer[500], buffer2[500]; + char *login, *pass, buffer[500], buffer2[500], *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -201,8 +201,9 @@ int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); - sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "imap", NULL, 0, NULL); - if (buffer2 == NULL) + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "imap", NULL, 0, NULL); + if (fooptr == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); @@ -261,8 +262,9 @@ int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); - sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage); - if (buffer2 == NULL) { + fooptr = buffer2; + sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage); + if (fooptr == NULL) { hydra_report(stderr, "[ERROR] Can't compute client response\n"); return 1; } 
@@ -299,7 +301,11 @@ int start_imap(int s, char *ip, int port, unsigned char options, char *miscptr, if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; if ((buf = hydra_receive_line(s)) == NULL) - return (1); + return 1; + if (strlen(buf) < 6) { + free(buf); + return 1; + } //recover challenge from64tobits((char *) buf1, buf + 2); diff --git a/hydra-irc.c b/hydra-irc.c index f68936d..bc41673 100644 --- a/hydra-irc.c +++ b/hydra-irc.c @@ -25,7 +25,9 @@ int start_oper_irc(int s, char *ip, int port, unsigned char options, char *miscp if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 3; } - ret = hydra_recv(s, buffer, sizeof(buffer)); + ret = hydra_recv(s, buffer, sizeof(buffer) - 1); + if (ret >= 0) + buffer[ret] = 0; /* :irc.debian.org 381 koma :You are now an IRC Operator */ /* :irc.debian.org 464 koma :Invalid password */ if ((ret > 0) && (strstr(buffer, " 381 ") != NULL)) { @@ -94,7 +96,9 @@ int start_pass_irc(int s, char *ip, int port, unsigned char options, char *miscp return 3; } - ret = hydra_recv(s, buffer, sizeof(buffer)); + ret = hydra_recv(s, buffer, sizeof(buffer) - 1); + if (ret >= 0) + buffer[ret] = 0; #ifdef HAVE_PCRE if ((ret > 0) && (!hydra_string_match(buffer, "ERROR\\s.*password"))) { #else diff --git a/hydra-ldap.c b/hydra-ldap.c index 8546fa0..e61ab43 100644 --- a/hydra-ldap.c +++ b/hydra-ldap.c @@ -9,7 +9,7 @@ int tls_required = 0; int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp, char version, int auth_method) { char *empty = ""; - char *login = "", *pass; + char *login = "", *pass, *fooptr = ""; unsigned char buffer[512]; int length = 0; int ldap_auth_mechanism = auth_method; @@ -27,6 +27,8 @@ int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr, if (strlen(login = hydra_get_next_login()) == 0) login = empty; } + if (miscptr == NULL) + miscptr = fooptr; if (strlen(pass = hydra_get_next_password()) == 0) pass = empty; 
@@ -120,8 +122,9 @@ int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr, char buf2[32]; ptr = strstr((char *) buf, "<"); - sasl_cram_md5(buf2, pass, ptr); - if (buf2 == NULL) + fooptr = buf2; + sasl_cram_md5(fooptr, pass, ptr); + if (fooptr == NULL) return 1; counter++; if (strstr(miscptr, "^USER^") != NULL) { @@ -176,8 +179,9 @@ int start_ldap(int s, char *ip, int port, unsigned char options, char *miscptr, miscptr = hydra_strrep(miscptr, "^USER^", login); } - sasl_digest_md5(buffer2, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL); - if (buffer2 == NULL) { + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, ptr, miscptr, "ldap", NULL, 0, NULL); + if (fooptr == NULL) { free(buf); return 3; } diff --git a/hydra-mod.c b/hydra-mod.c index d78c475..2276bc9 100644 --- a/hydra-mod.c +++ b/hydra-mod.c @@ -144,6 +144,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) { } else { if (errno == EACCES && (getuid() > 0)) { fprintf(stderr, "[ERROR] You need to be root to test this service\n"); + close(s); return -1; } } @@ -218,6 +219,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) { * hydra_child_exit(1); */ extern_socket = -1; + close(s); ret = -1; return ret; } @@ -230,6 +232,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) { if (use_proxy == 2) { if ((buf = malloc(4096)) == NULL) { fprintf(stderr, "[ERROR] could not malloc()\n"); + close(s); return -1; } memset(&target, 0, sizeof(target)); @@ -270,10 +273,10 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) { fprintf(stderr, "[ERROR] CONNECT call to proxy failed with code %c%c%c\n", *tmpptr, *(tmpptr + 1), *(tmpptr + 2)); err = 1; } - free(buf); +// free(buf); } else { if (hydra_strcasestr(proxy_string_type, "socks5")) { - char buf[1024]; +// char buf[1024]; size_t cnt, wlen; /* socks v5 support */ 
@@ -376,7 +379,7 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) { hydra_report(stderr, "[ERROR] SOCKS4 proxy does not support IPv6\n"); err = 1; } else { - char buf[1024]; +// char buf[1024]; size_t cnt, wlen; /* socks v4 support */ @@ -412,12 +415,13 @@ int internal__hydra_connect(char *host, int port, int protocol, int type) { } } } + free(buf); } if (err) { close(s); extern_socket = -1; ret = -1; - free(buf); + close(s); return ret; } fail = 0; diff --git a/hydra-mysql.c b/hydra-mysql.c index 09ef045..2b8e4b5 100644 --- a/hydra-mysql.c +++ b/hydra-mysql.c @@ -63,7 +63,7 @@ char *hydra_mysql_receive_line(int socket) { j = 1; while (hydra_data_ready(socket) > 0 && j > 0) { j = internal__hydra_recv(socket, buf, sizeof(buf)); - if ((buff2 = realloc(buff, i + j)) == NULL) { + if (j > 65535 || i + j > 65535 || (buff2 = realloc(buff, i + j)) == NULL) { free(buff); return NULL; } else @@ -183,6 +183,7 @@ int start_mysql(int sock, char *ip, int port, unsigned char options, char *miscp if (verbose) hydra_report(stderr, "[VERBOSE] using default db 'mysql'\n"); } + database[sizeof(database)] = 0; /* read server greeting */ res = hydra_mysql_init(sock); diff --git a/hydra-nntp.c b/hydra-nntp.c index 3d025f5..9cb759c 100644 --- a/hydra-nntp.c +++ b/hydra-nntp.c @@ -49,7 +49,7 @@ char *nntp_read_server_capacity(int sock) { int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; - char *login, *pass, buffer[300], buffer2[500]; + char *login, *pass, buffer[500], buffer2[500], *fooptr; int i = 1; if (strlen(login = hydra_get_next_login()) == 0) @@ -60,6 +60,10 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, while (i > 0 && hydra_data_ready(s) > 0) i = hydra_recv(s, buffer, 300); + if (i < 0) + i = 0; + buffer[i] = 0; + switch (nntp_auth_mechanism) { case AUTH_LOGIN: sprintf(buffer, "AUTHINFO SASL LOGIN\r\n"); 
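Review bot: The `if (err)` block now calls `close(s)` twice — the original `close(s)` is still there and the removed `free(buf)` was replaced by a second one. The second call fails with EBADF at best and, if the descriptor number was reused in between, closes the wrong file; drop the added line (the buffer is already released by the new `free(buf);` placed before the `if (err)`). The `// free(buf);` and `// char buf[1024];` lines left in the earlier hunks of this file should be deleted rather than commented out, and it is worth confirming that the socks4/socks5 code that previously wrote into a 1024-byte stack buffer has no hard-coded 1024 now that it uses the 4096-byte heap `buf`. internal__hydra_connect continues outside the hunk.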
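Review bot: The new size check guards `j` only from above; if `internal__hydra_recv` returns -1 on error (not visible here), a negative `j` passes `j > 65535`, `i + j > 65535` and the `realloc`, and then reaches whatever copies `j` bytes after this hunk. Add `j < 0 ||` to the condition, or break out of the loop on a negative return. hydra_mysql_receive_line continues outside the hunk.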
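Review bot: `database[sizeof(database)] = 0;` writes one byte past the end of `database` — assuming it is the local array the `sizeof` suggests; the terminator goes at `database[sizeof(database) - 1] = 0;`, as the hydra-firebird hunk in this same patch writes it. start_mysql continues outside the hunk.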
@@ -156,7 +160,7 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, //receive if ((buf = hydra_receive_line(s)) == NULL) return 1; - if (buf == NULL || strstr(buf, "383") == NULL) { + if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) { hydra_report(stderr, "[ERROR] NNTP DIGEST-MD5 AUTH : %s\n", buf); free(buf); return 3; @@ -167,8 +171,9 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); - sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL); - if (buffer2 == NULL) + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "nntp", NULL, 0, NULL); + if (fooptr == NULL) return 3; if (verbose) @@ -193,7 +198,7 @@ int start_nntp(int s, char *ip, int port, unsigned char options, char *miscptr, } if ((buf = hydra_receive_line(s)) == NULL) return 1; - if (buf == NULL || strstr(buf, "383") == NULL) { + if (buf == NULL || strstr(buf, "383") == NULL || strlen(buf) < 8) { hydra_report(stderr, "[ERROR] NNTP NTLM AUTH : %s\n", buf); free(buf); return 3; diff --git a/hydra-oracle-listener.c b/hydra-oracle-listener.c index a4f5208..242bd61 100644 --- a/hydra-oracle-listener.c +++ b/hydra-oracle-listener.c @@ -38,12 +38,12 @@ int initial_permutation(unsigned char **result, char *p_str, int *sz) { } *sz = 2 * i; - if ((buff = malloc(i)) == NULL) { + if ((buff = malloc(i + 4)) == NULL) { hydra_report(stderr, "[ERROR] Can't allocate memory\n"); return 1; } - memset(buff, 0, i); - strncpy(buff, p_str, strlen(p_str)); + memset(buff, 0, i + 4); + strcpy(buff, p_str); //swap the order of every byte pair for (k = 0; k < i; k += 2) { 
@@ -158,15 +158,18 @@ int ora_hash_password(char *pass) { if (convert_byteorder(&result, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in convert_byteorder\n"); + free(result); return 1; } if (ora_descrypt(&desresult, result, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in DES crypt\n"); + free(result); return 1; } free(result); if (ora_hash(&result, desresult, siz)) { hydra_report(stderr, "[ERROR] ora_hash_password: in extracting Oracle hash\n"); + free(desresult); return 1; } diff --git a/hydra-pcanywhere.c b/hydra-pcanywhere.c index 389311f..a9ef910 100644 --- a/hydra-pcanywhere.c +++ b/hydra-pcanywhere.c @@ -62,7 +62,8 @@ void pca_encrypt(char *cleartxt) { char passwd[128]; int i; - strcpy(passwd, cleartxt); + strncpy(passwd, cleartxt, sizeof(passwd)); + passwd[sizeof(passwd)] = 0; if (strlen(cleartxt) > 0) { passwd[0] = (passwd[0] ^ 0xab); for (i = 1; i < strlen(passwd); i++) diff --git a/hydra-pop3.c b/hydra-pop3.c index df94272..66c1f27 100644 --- a/hydra-pop3.c +++ b/hydra-pop3.c @@ -119,7 +119,7 @@ STLS int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = "\"\""; - char *login, *pass, buffer[500], buffer2[500]; + char *login, *pass, buffer[500], buffer2[500], *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -304,8 +304,9 @@ int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, if (verbose) hydra_report(stderr, "[VERBOSE] S: %s\n", buffer); - sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "pop", NULL, 0, NULL); - if (buffer2 == NULL) + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "pop", NULL, 0, NULL); + if (fooptr == NULL) return 3; if (verbose) 
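Review bot: `passwd[sizeof(passwd)] = 0;` is an off-by-one write past the 128-byte `passwd` array declared just above, so the unbounded `strcpy` this hunk removes is traded for a guaranteed one-byte overflow on every call. Use `passwd[sizeof(passwd) - 1] = 0;`, or replace both lines with `snprintf(passwd, sizeof(passwd), "%s", cleartxt);`. pca_encrypt continues outside the hunk.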
@@ -342,7 +343,7 @@ int start_pop3(int s, char *ip, int port, unsigned char options, char *miscptr, sprintf(buffer, "%s\r\n", buf1); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) return 1; - if ((buf = hydra_receive_line(s)) == NULL) + if ((buf = hydra_receive_line(s)) == NULL || strlen(buf) < 6) return 4; //recover challenge diff --git a/hydra-postgres.c b/hydra-postgres.c index 75cb0ae..8b8e8e0 100644 --- a/hydra-postgres.c +++ b/hydra-postgres.c @@ -32,6 +32,7 @@ int start_postgres(int s, char *ip, int port, unsigned char options, char *miscp strncpy(database, miscptr, sizeof(database)); else strncpy(database, DEFAULT_DB, sizeof(database)); + database[sizeof(database)] = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; diff --git a/hydra-rdp.c b/hydra-rdp.c index 02f19ba..f01ee96 100644 --- a/hydra-rdp.c +++ b/hydra-rdp.c @@ -2424,7 +2424,8 @@ int start_rdp(int s, char *ip, int port, unsigned char options, char *miscptr, F strcpy(server, hydra_address2string(ip)); if ((miscptr != NULL) && (strlen(miscptr) > 0)) { - strncpy(domain, miscptr, sizeof(domain)); + strncpy(domain, miscptr, sizeof(domain) - 1); + domain[sizeof(domain) - 1] = 0; } if (!rdp_connect(server, flags, domain, login, pass, shell, directory, g_redirect)) diff --git a/hydra-rlogin.c b/hydra-rlogin.c index 2488ccf..f8f696c 100644 --- a/hydra-rlogin.c +++ b/hydra-rlogin.c @@ -47,7 +47,7 @@ int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr return 1; if (ret > 0 && (strstr(buffer, "ssword") != NULL)) { - if (strlen(pass = hydra_get_next_password()) == 0) + if (strlen((pass = hydra_get_next_password())) == 0) pass = empty; sprintf(buffer2, "%s\r", pass); if (hydra_send(s, buffer2, 1 + strlen(pass), 0) < 0) { 
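Review bot: When hydra_receive_line returns a non-NULL line shorter than six bytes, the new `|| strlen(buf) < 6` path returns 4 without freeing `buf`, leaking the allocation. Split the checks so the short-line case frees first: `if ((buf = hydra_receive_line(s)) == NULL) return 4; if (strlen(buf) < 6) { free(buf); return 4; }` — the imap hunk in this patch takes that shape. start_pop3 continues outside the hunk.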
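Review bot: `database[sizeof(database)] = 0;` writes one byte past the end of the buffer (assuming `database` is the local array the `sizeof` implies); it should be `database[sizeof(database) - 1] = 0;`, matching the hydra-firebird hunk in this patch. start_postgres continues outside the hunk.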
@@ -56,7 +56,9 @@ int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr memset(buffer, 0, sizeof(buffer)); ret = hydra_recv(s, buffer, sizeof(buffer)); if (strcmp(buffer, "\r\n")) - ret = hydra_recv(s, buffer, sizeof(buffer)); + ret = hydra_recv(s, buffer, sizeof(buffer) - 1); + if (ret >= 0) + buffer[ret] = 0; } /* Authentication failure */ diff --git a/hydra-rsh.c b/hydra-rsh.c index 1a44e16..5e7bedc 100644 --- a/hydra-rsh.c +++ b/hydra-rsh.c @@ -39,7 +39,9 @@ int start_rsh(int s, char *ip, int port, unsigned char options, char *miscptr, F ret = hydra_recv(s, buffer, sizeof(buffer)); /* 0x00 is sent but hydra_recv transformed it */ if (strlen(buffer) == 0) - ret = hydra_recv(s, buffer, sizeof(buffer)); + ret = hydra_recv(s, buffer, sizeof(buffer) - 1); + if (ret >= 0) + buffer[ret] = 0; #ifdef HAVE_PCRE if (ret > 0 && (!hydra_string_match(buffer, "\\s(failure|incorrect|denied)"))) { #else diff --git a/hydra-sip.c b/hydra-sip.c index 767a2d3..09c5bca 100644 --- a/hydra-sip.c +++ b/hydra-sip.c @@ -245,7 +245,6 @@ void service_sip(char *ip, int sp, unsigned char options, char *miscptr, FILE * } char *get_iface_ip(unsigned long int ip) { - int sfd; sfd = socket(AF_INET, SOCK_DGRAM, 0); diff --git a/hydra-smb.c b/hydra-smb.c index 3827a32..b3c7175 100644 --- a/hydra-smb.c +++ b/hydra-smb.c @@ -9,6 +9,9 @@ void dummy_smb() { #include "hmacmd5.h" #include "sasl.h" +// FIXME XXX BUG: several malloc()s without return code checking + + /* http://technet.microsoft.com/en-us/library/cc960646.aspx @@ -453,7 +456,8 @@ int HashLMv2(unsigned char **LMv2hash, unsigned char *szLogin, unsigned char *sz hmac_md5_final(lmv2_response, &ctx); /* --- 24-byte LMv2 Response Complete --- */ - *LMv2hash = malloc(24); + if ((*LMv2hash = malloc(24)) == NULL) + return -1; memset(*LMv2hash, 0, 24); memcpy(*LMv2hash, lmv2_response, 16); memcpy(*LMv2hash + 16, client_challenge, 8); 
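Review bot: `buffer[ret] = 0;` is applied to whichever `ret` survives, and when `strcmp(buffer, "\r\n")` is zero that is the value of the first, unchanged `hydra_recv(s, buffer, sizeof(buffer))`, so a full read gives `ret == sizeof(buffer)` and writes one past the array; that same full read also leaves no terminator for the `strcmp`, as the preceding `memset` only zeroes the bytes that were not overwritten. Shrink the first read too: `ret = hydra_recv(s, buffer, sizeof(buffer) - 1);`. start_rlogin continues outside the hunk.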
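Review bot: Same issue as in hydra-rlogin: the first `hydra_recv(s, buffer, sizeof(buffer))` is unchanged, so when `strlen(buffer) != 0` the `buffer[ret] = 0;` line uses that `ret`, which can equal `sizeof(buffer)` and write past the array, and `strlen(buffer)` itself runs on a possibly unterminated buffer. Use `sizeof(buffer) - 1` on both reads and terminate immediately after the first one. start_rsh continues outside the hunk.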
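Review bot: Deleting `int sfd;` makes get_iface_ip use an `sfd` declared somewhere outside this hunk; if that is a file-scope descriptor the SIP service itself uses, the `socket(AF_INET, SOCK_DGRAM, 0)` here silently replaces it, and if there is none the file no longer compiles. If sharing one socket is intended, say so in a comment at the call; otherwise keep the local. get_iface_ip continues outside the hunk.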
@@ -630,7 +634,8 @@ int HashNTLMv2(unsigned char **NTLMv2hash, int *iByteCount, unsigned char *szLog hmac_md5_final(ntlmv2_response, &ctx); *iByteCount = 48 + iTargetLen + 4; - *NTLMv2hash = malloc(*iByteCount); + if ((*NTLMv2hash = malloc(*iByteCount)) == NULL) + return -1; memset(*NTLMv2hash, 0, *iByteCount); memcpy(*NTLMv2hash, ntlmv2_response, *iByteCount); @@ -678,6 +683,7 @@ int NBSSessionRequest(int s) { unsigned char rqbuf[7] = { 0x81, 0x00, 0x00, 0x44, 0x20, 0x00, 0x20 }; char *buf; unsigned char rbuf[400]; + int k; /* if we are running in native mode (aka port 445) don't do netbios */ if (protoFlag == WIN2000_NATIVEMODE) @@ -689,7 +695,8 @@ int NBSSessionRequest(int s) { memcpy(nb_name, "CKFDENECFDEFFCFGEFFCCACACACACACA", 32); /* *SMBSERVER */ memcpy(nb_local, "EIFJEEFCEBCACACACACACACACACACACA", 32); /* HYDRA */ - buf = (char *) malloc(100); + if ((buf = (char *) malloc(100)) == NULL) + return -1; memset(buf, 0, 100); memcpy(buf, (char *) rqbuf, 5); memcpy(buf + 5, nb_name, 32); @@ -701,10 +708,9 @@ int NBSSessionRequest(int s) { free(buf); memset(rbuf, 0, 400); - hydra_recv(s, (char *) rbuf, sizeof(rbuf)); + k = hydra_recv(s, (char *) rbuf, sizeof(rbuf)); - - if ((rbuf != NULL) && (rbuf[0] == 0x82)) + if (k > 0 && (rbuf[0] == 0x82)) return 0; /* success */ else return -1; /* failed */ @@ -772,7 +778,7 @@ int SMBNegProt(int s) { unsigned char rbuf[400]; unsigned char sess_key[2]; unsigned char userid[2] = { 0xCD, 0xEF }; - int i = 0, j = 0; + int i = 0, j = 0, k; int iLength = 194; int iResponseOffset = 73; @@ -784,8 +790,6 @@ int SMBNegProt(int s) { memcpy(buf + 30, sess_key, 2); memcpy(buf + 32, userid, 2); - - if (smb_auth_mechanism == AUTH_LM) { if (verbose) hydra_report(stderr, "[VERBOSE] Setting Negotiate Protocol Response for LM.\n"); 
@@ -797,8 +801,8 @@ int SMBNegProt(int s) { hydra_send(s, (char *) buf, iLength, 0); - hydra_recv(s, (char *) rbuf, sizeof(rbuf)); - if (rbuf == NULL) + k = hydra_recv(s, (char *) rbuf, sizeof(rbuf)); + if (k == 0) return 3; /* retrieve the security mode */ @@ -968,7 +972,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc memcpy(buf + 36, szSessionRequest, 23); /* Calculate and set LAN Manager password hash */ - LMhash = (unsigned char *) malloc(24); + if ((LMhash = (unsigned char *) malloc(24)) == NULL) + return -1; memset(LMhash, 0, 24); ret = HashLM(&LMhash, (unsigned char *) szPassword, (unsigned char *) challenge); @@ -1005,7 +1010,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc memcpy(buf + 36, szSessionRequest, 29); /* Calculate and set NTLM password hash */ - NTLMhash = (unsigned char *) malloc(24); + if ((NTLMhash = (unsigned char *) malloc(24)) == NULL) + return -1; memset(NTLMhash, 0, 24); /* We don't need to actually calculated a LM hash for this mode, only NTLM */ @@ -1042,7 +1048,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc memcpy(buf + 36, szSessionRequest, 29); /* Calculate and set LMv2 response hash */ - LMv2hash = (unsigned char *) malloc(24); + if ((LMv2hash = (unsigned char *) malloc(24)) == NULL) + return -1; memset(LMv2hash, 0, 24); ret = HashLMv2(&LMv2hash, (unsigned char *) szLogin, (unsigned char *) szPassword); @@ -1177,9 +1184,8 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc hydra_send(s, (char *) buf, iOffset + iByteCount, 0); - nReceiveBufferSize = 0; nReceiveBufferSize = hydra_recv(s, bufReceive, sizeof(bufReceive)); - if ((bufReceive == NULL) || (nReceiveBufferSize == 0)) + if (/*(bufReceive == NULL) ||*/ (nReceiveBufferSize == 0)) return -1; /* 41 - Action (Guest/Non-Guest Account) */ 
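Review bot: `if (k == 0) return 3;` handles only an orderly close; a negative return from `hydra_recv` (an error) falls through to the security-mode parsing of `rbuf`, whose contents are then uninitialized stack, since no `memset` of `rbuf` is visible in this function. Use `if (k <= 0) return 3;`, and ideally also compare `k` against the offsets read below. SMBNegProt continues outside the hunk.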
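Review bot: The 24 bytes allocated into `LMv2hash` here are leaked: `HashLMv2` (hunk at -453 in this file) does its own `*LMv2hash = malloc(24)` and overwrites the pointer it is handed. Since HashLMv2 now returns -1 on allocation failure, drop this `malloc` and `memset` and check `ret` from HashLMv2 instead; the same question applies to the `LMhash` and `NTLMhash` allocations in the two hunks above if `HashLM`/`HashNTLM` allocate the same way (not visible here). Note that `return -1` in a function returning `unsigned long` yields ULONG_MAX, which callers must compare as such — consistent with the existing `return -1` later in this function. SMBSessionSetup continues outside the hunk.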
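Review bot: `nReceiveBufferSize == 0` still lets a negative (error) return from `hydra_recv` through to the parsing of `bufReceive`; test `nReceiveBufferSize <= 0`. The commented-out `/*(bufReceive == NULL) ||*/` should be removed rather than kept — `bufReceive` is an array, as the `sizeof(bufReceive)` implies, so that test was never meaningful. SMBSessionSetup continues outside the hunk.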
@@ -1316,7 +1322,8 @@ void service_smb(char *ip, int sp, unsigned char options, char *miscptr, FILE * //split the string after the domain if there are other values strtok(tmpdom, " "); if (tmpdom) { - strncpy((char *) domain, (char *) tmpdom, 16); + strncpy((char *) domain, (char *) tmpdom, sizeof(domain) - 1); + domain[sizeof(domain) - 1] = 0; } else { err = 1; } diff --git a/hydra-smtp-enum.c b/hydra-smtp-enum.c index e13a193..456dabc 100644 --- a/hydra-smtp-enum.c +++ b/hydra-smtp-enum.c @@ -172,7 +172,7 @@ void service_smtp_enum(char *ip, int sp, unsigned char options, char *miscptr, F if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); - port = myport; + port = mysslport; } if (sock < 0) { hydra_report(stderr, "[ERROR] Child with pid %d terminating, can not connect\n", (int) getpid()); diff --git a/hydra-smtp.c b/hydra-smtp.c index 9c31f3e..11f95ae 100644 --- a/hydra-smtp.c +++ b/hydra-smtp.c @@ -2,8 +2,6 @@ #include "sasl.h" extern char *HYDRA_EXIT; -char *buf; - int smtp_auth_mechanism = AUTH_LOGIN; char *smtp_read_server_capacity(int sock) { @@ -40,7 +38,7 @@ char *smtp_read_server_capacity(int sock) { int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; - char *login, *pass, buffer[500], buffer2[500]; + char *login, *pass, buffer[500], buffer2[500], *fooptr, *buf; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -91,7 +89,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, //get the one-time BASE64 encoded challenge if ((buf = hydra_receive_line(s)) == NULL) return 1; - if (strstr(buf, "334") == NULL) { + if (strstr(buf, "334") == NULL || strlen(buf) < 8) { hydra_report(stderr, "[ERROR] SMTP CRAM-MD5 AUTH : %s\n", buf); free(buf); return 3; 
@@ -130,8 +128,9 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, if (verbose) hydra_report(stderr, "DEBUG S: %s\n", buffer); - sasl_digest_md5(buffer2, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL); - if (buffer2 == NULL) + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, buffer, miscptr, "smtp", NULL, 0, NULL); + if (fooptr == NULL) return 3; if (verbose) @@ -155,7 +154,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, } if ((buf = hydra_receive_line(s)) == NULL) return 1; - if (strstr(buf, "334") == NULL) { + if (strstr(buf, "334") == NULL || strlen(buf) < 8) { hydra_report(stderr, "[ERROR] SMTP NTLM AUTH : %s\n", buf); free(buf); return 3; @@ -215,7 +214,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, #ifdef LIBOPENSSL if (smtp_auth_mechanism == AUTH_DIGESTMD5) { - if (strstr(buf, "334") != NULL) { + if (strstr(buf, "334") != NULL && strlen(buf) >= 8) { memset(buffer2, 0, sizeof(buffer2)); from64tobits((char *) buffer2, buf + 4); if (strstr(buffer2, "rspauth=") != NULL) { @@ -250,7 +249,7 @@ int start_smtp(int s, char *ip, int port, unsigned char options, char *miscptr, void service_smtp(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1, i = 0; int myport = PORT_SMTP, mysslport = PORT_SMTP_SSL, disable_tls = 1; - + char *buf; char *buffer1 = "EHLO hydra\r\n"; char *buffer2 = "HELO hydra\r\n"; @@ -271,7 +270,7 @@ void service_smtp(char *ip, int sp, unsigned char options, char *miscptr, FILE * if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); - port = myport; + port = mysslport; } if (sock < 0) { if (verbose || debug) diff --git a/hydra-snmp.c b/hydra-snmp.c index 0f1b49c..4a7150d 100644 --- a/hydra-snmp.c +++ b/hydra-snmp.c 
@@ -101,7 +101,13 @@ void password_to_key_md5(u_char * password, /* IN */ u_char * key) { /* OUT - pointer to caller 16-octet buffer */ MD5_CTX MD; u_char *cp, password_buf[80], *mypass = password, bpass[17]; - u_long password_index = 0, count = 0, i, mylen = passwordlen, myelen = engineLength; + u_long password_index = 0, count = 0, i, mylen, myelen = engineLength; + + if (strlen(password) > passwordlen) + passwordlen = strlen(password); + if (passwordlen > sizeof(bpass) - 1) + passwordlen = sizeof(bpass) - 1; + mylen = passwordlen; if (mylen < 8) { memset(bpass, 0, sizeof(bpass)); @@ -191,7 +197,7 @@ void password_to_key_sha(u_char * password, /* IN */ #endif int start_snmp(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { - char *empty = "\"\"", *ptr, *login, *pass, buffer[1024], buf[1024], hash[64], key[256], salt[8]; + char *empty = "\"\"", *ptr, *login, *pass, buffer[1024], buf[1024], hash[64], key[256] = "", salt[8] = ""; int i, j, k, size, off = 0, off2 = 0, done = 0; unsigned char initVect[8], privacy_params[8]; int engine_boots = 0; 
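Review bot: Clamping `passwordlen` to `sizeof(bpass) - 1` (16) changes the key derived for any passphrase longer than 16 bytes: `mylen` is taken from the clamped value, and if it is the length fed into the MD5 expansion below (not visible here) the localized key no longer matches what the agent computes from the full passphrase, so valid credentials would be reported as failures. `bpass` only needs bounding on the short-password padding path; keep `mylen` at the full length for the expansion and clamp only the copy into `bpass`. `strlen(password)` on a `u_char *` also needs a `(char *)` cast to compile cleanly, and it silently overrides a caller-supplied `passwordlen` — if that was a deliberate length for non-string passphrases the override breaks it. password_to_key_md5 continues outside the hunk.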
@@ -523,16 +529,18 @@ void service_snmp(char *ip, int sp, unsigned char options, char *miscptr, FILE * hydra_send(sock, snmpv3_init, sizeof(snmpv3_init), 0); if (hydra_data_ready_timed(sock, 5, 0) > 0) { if ((i = hydra_recv(sock, (char *) snmpv3buf, sizeof(snmpv3buf))) > 30) { - if (snmpv3buf[4] == 3 && snmpv3buf[5] == 0x30); { + if (snmpv3buf[4] == 3 && snmpv3buf[5] == 0x30) { snmpv3info = snmpv3buf + 7 + snmpv3buf[6]; snmpv3infolen = snmpv3info[3] + 4; - while (snmpv3info[snmpv3infolen - 2] == 4 && snmpv3info[snmpv3infolen - 1] == 0) - snmpv3infolen -= 2; - if (debug) - hydra_dump_asciihex(snmpv3info, snmpv3infolen); - if (snmpv3info[10] == 3 && child_head_no == 0) - printf("[INFO] Remote device MAC address is %02x:%02x:%02x:%02x:%02x:%02x\n", (unsigned char) snmpv3info[12], (unsigned char) snmpv3info[13], - (unsigned char) snmpv3info[14], (unsigned char) snmpv3info[15], (unsigned char) snmpv3info[16], (unsigned char) snmpv3info[12]); + if (snmpv3info + snmpv3infolen <= snmpv3buf + sizeof(snmpv3buf)) { + while (snmpv3info[snmpv3infolen - 2] == 4 && snmpv3info[snmpv3infolen - 1] == 0 && snmpv3infolen > 1) + snmpv3infolen -= 2; + if (debug) + hydra_dump_asciihex(snmpv3info, snmpv3infolen); + if (snmpv3info[10] == 3 && child_head_no == 0) + printf("[INFO] Remote device MAC address is %02x:%02x:%02x:%02x:%02x:%02x\n", (unsigned char) snmpv3info[12], (unsigned char) snmpv3info[13], + (unsigned char) snmpv3info[14], (unsigned char) snmpv3info[15], (unsigned char) snmpv3info[16], (unsigned char) snmpv3info[12]); + } } } } diff --git a/hydra-vmauthd.c b/hydra-vmauthd.c index 5b0d38e..5a2a92f 100644 --- a/hydra-vmauthd.c +++ b/hydra-vmauthd.c @@ -87,7 +87,7 @@ void service_vmauthd(char *ip, int sp, unsigned char options, char *miscptr, FIL if (port != 0) mysslport = port; sock = hydra_connect_ssl(ip, mysslport); - port = myport; + port = mysslport; } if (sock < 0) { diff --git a/hydra-vnc.c b/hydra-vnc.c index b5c0fd7..5707fbf 100644 --- a/hydra-vnc.c +++ b/hydra-vnc.c 
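Review bot: Three bounds problems remain in the new block. The `while` tests `snmpv3info[snmpv3infolen - 2]` before `snmpv3infolen > 1`, so once the length reaches 0 the next iteration reads `snmpv3info[-2]`; the new guard bounds against `sizeof(snmpv3buf)` rather than the `i` bytes actually received, so the tail being parsed may be stale data from an earlier packet; and the MAC print reads `snmpv3info[16]` with no check that the info block is that long and prints octet `[12]` twice where the last octet should presumably be `[17]`. `snmpv3info[3]` is also read (via `snmpv3infolen = snmpv3info[3] + 4`) before any bound is applied, and `snmpv3buf[6]` can push `snmpv3info` up to 262 bytes into a buffer whose size is not visible here. service_snmp continues outside the hunk.
```c
if (snmpv3info + snmpv3infolen <= snmpv3buf + i) {
  while (snmpv3infolen > 1 && snmpv3info[snmpv3infolen - 2] == 4 && snmpv3info[snmpv3infolen - 1] == 0)
    snmpv3infolen -= 2;
  /* … unchanged: debug hexdump … */
  if (snmpv3infolen >= 18 && snmpv3info[10] == 3 && child_head_no == 0)
    printf("[INFO] Remote device MAC address is %02x:%02x:%02x:%02x:%02x:%02x\n", (unsigned char) snmpv3info[12], (unsigned char) snmpv3info[13],
           (unsigned char) snmpv3info[14], (unsigned char) snmpv3info[15], (unsigned char) snmpv3info[16], (unsigned char) snmpv3info[17]);
}
```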
@@ -58,7 +58,7 @@ int start_vnc(int s, char *ip, int port, unsigned char options, char *miscptr, F int i; //fprintf(stderr,"number of security types supported: %d\n", buf2[0]); - if (buf2[0] == 0) { + if (buf2[0] == 0 || buf2[0] > CHALLENGESIZE + 4) { hydra_report(stderr, "[ERROR] VNC server connection failed\n"); hydra_child_exit(0); } diff --git a/hydra-xmpp.c b/hydra-xmpp.c index 6c26148..038f2c9 100644 --- a/hydra-xmpp.c +++ b/hydra-xmpp.c @@ -22,6 +22,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, char *CHALLENGE_END_STR = ""; char *RESPONSE_STR = ""; char *RESPONSE_END_STR = ""; + char *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -95,7 +96,6 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, /* server now would ask for the password */ if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { char *ptr = strstr(buf, CHALLENGE_STR); - if (!ptr) ptr = strstr(buf, CHALLENGE_STR2); char *ptr_end = strstr(ptr, CHALLENGE_END_STR); @@ -117,7 +117,6 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, free(buf); return 1; } - free(buf); } } } @@ -156,8 +155,9 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, break; case AUTH_DIGESTMD5:{ memset(buffer2, 0, sizeof(buffer2)); - sasl_digest_md5(buffer2, login, pass, buffer, domain, "xmpp", NULL, 0, NULL); - if (buffer2 == NULL) + fooptr = buffer2; + sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL); + if (fooptr == NULL) return 3; if (verbose) hydra_report(stderr, "DEBUG C: %s\n", buffer2); 
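Review bot: The upper bound on `buf2[0]` in start_vnc is only effective if `buf2` is unsigned; should `buf2` be a plain `char` array, a count of 0x80 or more reads as negative, fails both comparisons and is then used as a length. Compare the promoted byte instead, `if (buf2[0] == 0 || (unsigned char) buf2[0] > CHALLENGESIZE + 4) {`. Why `CHALLENGESIZE + 4` is the right ceiling for a security-type count is not evident from the hunk; a comment naming the buffer it protects would help. start_vnc continues outside the hunk.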
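Review bot: Dropping `if (!ptr)` in the -95 hunk of start_xmpp makes the second `strstr` unconditional, so `ptr` is overwritten with NULL whenever only `CHALLENGE_STR` matched, and the following `strstr(ptr, CHALLENGE_END_STR)` then dereferences NULL. The enclosing condition admits either string, so the fallback must stay conditional: `if (ptr == NULL) ptr = strstr(buf, CHALLENGE_STR2);`. `ptr_end` should likewise be NULL-checked before use; whether that happens is outside the hunk.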
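Review bot: `if (fooptr == NULL)` in the -156 hunk can never be true: `fooptr` was assigned the address of the local `buffer2` two lines earlier and `sasl_digest_md5` returns void (its definition in sasl.c is part of this same patch), so the check silences the old array-vs-NULL warning without gaining an error path. The same dead check is introduced for `sasl_scram_sha1` in the -213 hunk of hydra-xmpp.c. If the helpers signal failure by leaving `result` empty, test `if (buffer2[0] == '\0') return 3;`; otherwise give them an int return value and check that. Whether they do either is not visible from these hunks.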
@@ -213,8 +213,9 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, serverfirstmessage[sizeof(serverfirstmessage) - 1] = '\0'; memset(buffer2, 0, sizeof(buffer2)); - sasl_scram_sha1(buffer2, pass, clientfirstmessagebare, serverfirstmessage); - if (buffer2 == NULL) { + fooptr = buffer2; + sasl_scram_sha1(fooptr, pass, clientfirstmessagebare, serverfirstmessage); + if (fooptr == NULL) { hydra_report(stderr, "[ERROR] Can't compute client response\n"); free(buf); return 1; @@ -227,12 +228,13 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, free(buf); return 1; } - free(buf); } break; #endif + ptr = 0; } + free(buf); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } @@ -266,6 +268,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, if (strstr(buf, "" #define AUTHOR2 "David Maciejak" @@ -867,6 +867,8 @@ void hydra_restore_read() { hydra_targets[j]->redo_pass[i] = malloc(strlen(out) + 1); strcpy(hydra_targets[j]->redo_pass[i], out); } + if (hydra_targets[j]->skipcnt >= hydra_brains.countlogin) + hydra_targets[j]->skipcnt = 0; if (hydra_targets[j]->skipcnt > 0) for (i = 0; i < hydra_targets[j]->skipcnt; i++) { sck = fgets(out, sizeof(out), f); @@ -879,7 +881,7 @@ void hydra_restore_read() { hydra_targets[j]->use_count = 0; hydra_targets[j]->failed = 0; } - hydra_heads = malloc(hydra_options.max_use * sizeof(hydra_heads)); + hydra_heads = malloc((hydra_options.max_use + 2 ) * sizeof(int) + 8); for (j = 0; j < hydra_options.max_use; j++) { hydra_heads[j] = malloc(sizeof(hydra_head)); fck = (int) fread(hydra_heads[j], sizeof(hydra_head), 1, f); @@ -982,7 +984,7 @@ unsigned long int countlines(FILE * fp, int colonmode) { } rewind(fp); free(buf); - fstat(fileno(fp), &st); + (void)fstat(fileno(fp), &st); size_of_data = st.st_size + 1; return lines; } 
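Review bot: Moving `free(buf)` after the switch in the -227 hunk makes it unconditional, so any case in that switch that already frees `buf` and then `break`s rather than returns would now double-free; the earlier cases lie outside the hunk, so this needs confirming. `buf` is also left dangling after the free; if it is reassigned by the next receive that is fine, otherwise add `buf = NULL;` after it. The purpose of the added `ptr = 0;` under `#endif` is not evident (and a pointer should be cleared with `NULL`); it deserves a comment or removal.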
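Review bot: In hydra_restore_read a `skipcnt` past `countlogin` is reset to 0 silently, which quietly restarts that target from the beginning when the restore file is inconsistent; since this is data read back from disk, log it, e.g. `fprintf(stderr, "[WARNING] restore file: invalid skip count for target %d, restarting it\n", j);` before the reset. The `fgets` results collected in `sck` in the following loop should also be checked for NULL so a truncated file does not keep iterating over stale `out`; the loop body continues outside the hunk.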
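Review bot: `hydra_heads` holds pointers (`hydra_heads[j] = malloc(sizeof(hydra_head))` on the next line), but the new allocation in the -879 hunk is sized in `sizeof(int)`: on LP64 that is half the space needed, and the `+ 2` and `+ 8` slack only cover small `max_use` values before the loop writes past the block. Size it from the element type, `hydra_heads = malloc((hydra_options.max_use + 2) * sizeof(*hydra_heads) + 8);`, and bail on NULL the way the `hydra_targets` allocation in main() does. The `hydra_targets = malloc(sizeof(int) * 4);` in the -3146 hunk of main() uses the same wrong unit, though there the 16 bytes happen to hold the single pointer stored.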
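Review bot: Casting the `fstat` result to `(void)` in countlines silences the warning but leaves `st` uninitialised on failure, and `size_of_data = st.st_size + 1` then publishes garbage. Check it instead, `if (fstat(fileno(fp), &st) != 0) bail("Could not stat input file");` (or zero `st` beforehand and set `size_of_data = 0`). The same `(void)` treatment of `fcntl(..., F_SETFL, O_NONBLOCK)` in the hydra_spawn_head hunk hides a failure that leaves the child pipe blocking; log it there too. countlines starts outside the hunk.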
@@ -1356,7 +1358,7 @@ int hydra_spawn_head(int head_no, int target_no) { child_head_no = -1; if (hydra_heads[head_no]->pid > 0) { fck = write(hydra_heads[head_no]->sp[1], "n", 1); // yes, a small "n" - this way we can distinguish later if the client successfully tested a pair and is requesting a new one or the mother did that - fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK); + (void)fcntl(hydra_heads[head_no]->sp[0], F_SETFL, O_NONBLOCK); if (hydra_heads[head_no]->redo != 1) hydra_heads[head_no]->target_no = target_no; hydra_heads[head_no]->active = 1; @@ -1597,14 +1599,20 @@ int hydra_send_next_pair(int target_no, int head_no) { snp_is_redo = 0; snpdont = 0; loop_cnt++; - if (hydra_targets[target_no]->sent >= hydra_brains.todo + hydra_targets[target_no]->redo) { - if (hydra_targets[target_no]->done == 0) { - hydra_targets[target_no]->done = 1; - hydra_brains.finished++; - if (verbose) - printf("[STATUS] attack finished for %s (waiting for children to complete tests)\n", hydra_targets[target_no]->target); + if (hydra_heads[head_no]->redo && hydra_heads[head_no]->current_login_ptr != NULL && hydra_heads[head_no]->current_pass_ptr != NULL) { + hydra_heads[head_no]->redo = 0; + snp_is_redo = 1; + snpdone = 1; + } else { + if (hydra_targets[target_no]->sent >= hydra_brains.todo + hydra_targets[target_no]->redo) { + if (hydra_targets[target_no]->done == 0) { + hydra_targets[target_no]->done = 1; + hydra_brains.finished++; + if (verbose) + printf("[STATUS] attack finished for %s (waiting for children to complete tests)\n", hydra_targets[target_no]->target); + } + return -1; } - return -1; } if (loop_cnt > (hydra_brains.countlogin * 2) + 1 && loop_cnt > (hydra_brains.countpass * 2) + 1) { if (debug) 
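Review bot: The new redo branch in hydra_send_next_pair sets `snpdone = 1` while the line just above it clears `snpdont = 0`; since the change presumably compiles, both variables exist, and the near-identical names invite exactly the confusion a reader has here, so one should be renamed (e.g. `snp_done` / `snp_dont`). A one-line comment stating what `snpdone` and `snp_is_redo` each signal to the code that follows would help, since their consumers lie outside the hunk. hydra_send_next_pair continues beyond the hunk.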
@@ -2605,7 +2613,7 @@ int main(int argc, char *argv[]) { } if (strcmp(hydra_options.service, "ssh") == 0 || strcmp(hydra_options.service, "sshkey") == 0) { if (hydra_options.tasks > 8) - fprintf(stderr, "[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 or -t 8\n"); + fprintf(stderr, "[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n"); #ifdef LIBSSH i = 1; #else @@ -2945,6 +2953,9 @@ int main(int argc, char *argv[]) { exit(-1); } + if (hydra_options.ssl == 1 && strncmp(hydra_options.service, "http-", 5 == 0) && hydra_options.port == 443) + fprintf(stderr, "[WARNING] you specified port 443 for attacking a http service, however did not specify the -S ssl switch nor used https-..., therefore using plain HTTP\n"); + if (hydra_options.loop_mode && hydra_options.colonfile != NULL) bail("The loop mode option (-u) works with all modes - except colon files (-C)\n"); if (strncmp(hydra_options.service, "http-", strlen("http-")) != 0 && strcmp(hydra_options.service, "http-head") != 0 && getenv("HYDRA_PROXY_HTTP") != NULL) @@ -3118,7 +3129,7 @@ int main(int argc, char *argv[]) { hydra_brains.targets = countservers = countinfile = countlines(ifp, 0); if (countinfile == 0) bail("File for IP addresses is empty!"); - hydra_targets = malloc(sizeof(hydra_targets) * (countservers + 1) + 8); + hydra_targets = malloc(sizeof(hydra_targets) * (countservers + 2) + 8); if (hydra_targets == NULL) bail("Could not allocate enough memory for target data"); sizeinfile = size_of_data; @@ -3146,7 +3157,7 @@ int main(int argc, char *argv[]) { } } else { countservers = hydra_brains.targets = 1; - hydra_targets = malloc(sizeof(hydra_targets)); + hydra_targets = malloc(sizeof(int) * 4); hydra_targets[0] = malloc(sizeof(hydra_target)); memset(hydra_targets[0], 0, sizeof(hydra_target)); hydra_targets[0]->target = servers_ptr = hydra_options.server; 
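Review bot: The new HTTPS warning in the -2945 hunk of main() can never fire: `5 == 0` is passed as `strncmp`'s length, so zero bytes are compared, `strncmp` returns 0 and the `&&` chain is false. The closing parenthesis belongs after the length, `strncmp(hydra_options.service, "http-", 5) == 0`. The message also tells the user they did not give `-S`, yet the condition tests `hydra_options.ssl == 1`; judging by the text it should test the not-set value, presumably `== 0`. Combined: `if (hydra_options.ssl == 0 && strncmp(hydra_options.service, "http-", 5) == 0 && hydra_options.port == 443)`.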
@@ -3183,7 +3194,8 @@ int main(int argc, char *argv[]) { if (dslash) { proxy_string[dslash - proxy_string] = 0; - strncpy(proxy_string_type, proxy_string, sizeof(proxy_string_type)); + strncpy(proxy_string_type, proxy_string, sizeof(proxy_string_type) - 1); + proxy_string_type[sizeof(proxy_string_type) - 1] = 0; } proxy_string = dslash; @@ -3622,7 +3634,7 @@ int main(int argc, char *argv[]) { hydra_brains.sent, // tries (long unsigned int) ((elapsed_status - starttime) / 3600), // hours (long unsigned int) (((elapsed_status - starttime) % 3600) / 60), // minutes - hydra_brains.todo_all - hydra_brains.sent < 0 ? 1 : hydra_brains.todo_all - hydra_brains.sent, // left todo + hydra_brains.todo_all - hydra_brains.sent <= 0 ? 1 : hydra_brains.todo_all - hydra_brains.sent, // left todo (long unsigned int) (((double) hydra_brains.todo_all - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime)) ) / 3600, // hours (((long unsigned int) (((double) hydra_brains.todo_all - hydra_brains.sent) / ((double) hydra_brains.sent / (elapsed_status - starttime)) diff --git a/ntlm.c b/ntlm.c index e854b38..6d5ea9b 100644 --- a/ntlm.c +++ b/ntlm.c @@ -1,4 +1,3 @@ - /* $Id$ Single file NTLM system to create and parse authentication messages. @@ -1244,7 +1243,7 @@ void buildAuthRequest(tSmbNtlmAuthRequest * request, long flags, char *host, cha free(h); } -void buildAuthResponse(tSmbNtlmAuthChallenge * challenge, tSmbNtlmAuthResponse * response, long flags, char *user, char *password, char *domainname, char *host) { +void buildAuthResponse(tSmbNtlmAuthChallenge *challenge, tSmbNtlmAuthResponse * response, long flags, char *user, char *password, char *domainname, char *host) { uint8 lmRespData[24]; uint8 ntRespData[24]; char *u = strdup(user); 
@@ -1288,6 +1287,8 @@ void buildAuthResponse(tSmbNtlmAuthChallenge * challenge, tSmbNtlmAuthResponse * challenge->flags = flags; /* Overide flags! */ response->flags = challenge->flags; + if (w) + free(w); if (d) free(d); if (u) diff --git a/sasl.c b/sasl.c index dd16bc7..13f1c70 100644 --- a/sasl.c +++ b/sasl.c @@ -363,10 +363,12 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * } while ((pbuffer[0] != '\0') && (pbuffer[0] > 31) && (ind < array_size)); //save the latest one - array[ind] = malloc(currentpos + 1); - strncpy(array[ind], buffer + lastpos, currentpos); - array[ind][currentpos] = '\0'; - ind++; + if (ind < array_size) { + array[ind] = malloc(currentpos + 1); + strncpy(array[ind], buffer + lastpos, currentpos); + array[ind][currentpos] = '\0'; + ind++; + } for (i = 0; i < ind; i++) { //removing space chars between comma separated value if any @@ -498,7 +500,7 @@ void sasl_digest_md5(char *result, char *login, char *pass, char *buffer, char * //for MD5-sess if (strstr(algo, "5-sess") != NULL) { - memset(buffer, 0, sizeof(buffer)); + buffer[0] = 0; //memset(buffer, 0, sizeof(buffer)); => buffer is char*! /* per RFC 2617 Errata ID 1649 */ if ((strstr(type, "proxy") != NULL) || (strstr(type, "GET") != NULL) || (strstr(type, "HEAD") != NULL)) { @@ -673,7 +675,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha return; } - if ((salt != NULL) && (strlen(salt) > 2)) + if ((salt != NULL) && (strlen(salt) > 2) && (strlen(salt) <= sizeof(buffer))) //s=ghgIAfLl1+yUy/Xl1WD5Tw== remove the header s= strcpy(buffer, salt + 2); else {
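Review bot: `free(NULL)` is a no-op, so the `if (w)` guard added in buildAuthResponse (like the existing `if (d)` / `if (u)` ones) is redundant; plain `free(w);` reads cleaner. Where `w` is allocated is outside the hunk; if it comes from `strdup` like `u`, the NULL check belongs at the allocation site, not at the free. buildAuthResponse continues outside the hunk.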
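Review bot: `malloc(currentpos + 1)` in the -363 hunk of sasl_digest_md5 is still unchecked inside the new `if`, so an allocation failure makes the `strncpy` on the next line write through NULL; guard it, `if (array[ind] == NULL) return;`, matching however the loop above handles its own allocations (that code is outside the hunk). The bound check itself is right, but when `ind == array_size` the trailing token is dropped silently; a comment such as `/* no slot left: the trailing value is ignored */` would make that intentional. sasl_digest_md5 starts before the hunk.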
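Review bot: The commented-out `memset` in the -498 hunk should be deleted rather than kept in the trailing comment; leave only the reason, `buffer[0] = 0; /* buffer is a char *, so sizeof(buffer) was the pointer size, not the buffer length */`. Because `buffer` is a caller-supplied pointer of unknown length, the function cannot clear it fully here; if any caller relies on it being zeroed beyond the first byte, that contract needs stating in the function's header comment, which is outside the hunk.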
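Review bot: The new length guard in the -673 hunk of sasl_scram_sha1 is only meaningful if `buffer` is a local array here — in sasl_digest_md5 the -498 hunk of this same file notes that `sizeof(buffer)` was the pointer size, and the declaration in this function is outside the hunk, so confirm it. With an array of `sizeof(buffer)` bytes the copy writes at most `sizeof(buffer) - 1` bytes including the terminator, so the bound is correct; `strlen(salt)` is evaluated twice, though. Cache it: `size_t saltlen = salt ? strlen(salt) : 0;` then `if (salt != NULL && saltlen > 2 && saltlen <= sizeof(buffer))`.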