From ebbd664e07e083b13637d2f285825ed7f5ef1495 Mon Sep 17 00:00:00 2001 From: vanhauser-thc Date: Mon, 28 Apr 2014 11:04:38 +0200 Subject: [PATCH] pre-8.0 fixes --- hydra-afp.c | 10 +-- hydra-cisco-enable.c | 2 + hydra-cisco.c | 3 + hydra-http-form.c | 4 +- hydra-http-proxy-urlenum.c | 1 + hydra-http-proxy.c | 141 ++++++++++++++++++++++++------------- hydra-http.c | 65 ++++++++--------- hydra-irc.c | 4 +- hydra-mysql.c | 28 ++++---- hydra-pcanywhere.c | 9 +-- hydra-postgres.c | 6 +- hydra-rlogin.c | 7 +- hydra-rsh.c | 4 +- hydra-sip.c | 3 +- hydra-smb.c | 8 ++- hydra-xmpp.c | 27 ++++--- hydra.c | 2 +- sasl.c | 4 +- 18 files changed, 199 insertions(+), 129 deletions(-) diff --git a/hydra-afp.c b/hydra-afp.c index a3faf19..ffb24fe 100644 --- a/hydra-afp.c +++ b/hydra-afp.c @@ -44,7 +44,7 @@ static int server_subconnect(struct afp_url url) { struct afp_server *server = NULL; conn_req = malloc(sizeof(struct afp_connection_request)); - server = malloc(sizeof(struct afp_server)); +// server = malloc(sizeof(struct afp_server)); memset(conn_req, 0, sizeof(struct afp_connection_request)); @@ -97,10 +97,10 @@ int start_afp(int s, char *ip, int port, unsigned char options, char *miscptr, F strncpy(tmpurl.servername, hydra_address2string(ip), AFP_SERVER_NAME_LEN - 1); tmpurl.servername[AFP_SERVER_NAME_LEN] = 0; - strncpy(mlogin, login, AFP_MAX_USERNAME_LEN); - mlogin[AFP_MAX_USERNAME_LEN] = 0; - strncpy(mpass, pass, AFP_MAX_PASSWORD_LEN); - mpass[AFP_MAX_PASSWORD_LEN] = 0; + strncpy(mlogin, login, AFP_MAX_USERNAME_LEN - 1); + mlogin[AFP_MAX_USERNAME_LEN - 1] = 0; + strncpy(mpass, pass, AFP_MAX_PASSWORD_LEN - 1); + mpass[AFP_MAX_PASSWORD_LEN - 1] = 0; memcpy(&tmpurl.username, mlogin, AFP_MAX_USERNAME_LEN); memcpy(&tmpurl.password, mpass, AFP_MAX_PASSWORD_LEN); diff --git a/hydra-cisco-enable.c b/hydra-cisco-enable.c index bd62ada..0e194dc 100644 --- a/hydra-cisco-enable.c +++ b/hydra-cisco-enable.c 
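Review bot: The `conn_req = malloc(...)` result is still passed to `memset` without a NULL check in server_subconnect, so an allocation failure is a NULL write; add `if (conn_req == NULL) return -1;` (or whatever failure value the caller expects) before the memset. The allocation of `server` is commented out rather than deleted; dead code should be removed, and since `server` stays initialised to NULL, anything below the hunk that still passes it on (not visible here) now receives a NULL pointer — worth verifying. The rest of server_subconnect lies outside the hunk.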
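Review bot: The context line `tmpurl.servername[AFP_SERVER_NAME_LEN] = 0;` has the same off-by-one this hunk fixes for `mlogin` and `mpass`: if `servername` has AFP_SERVER_NAME_LEN elements, this writes one byte past the array. For consistency with the two corrected terminators it should read `tmpurl.servername[AFP_SERVER_NAME_LEN - 1] = 0;`, unless the field is declared one byte larger (its declaration is not shown). start_afp continues outside the hunk.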
@@ -120,6 +120,8 @@ void service_cisco_enable(char *ip, int sp, unsigned char options, char *miscptr } } + if (buf != NULL) + free(buf); buf = hydra_receive_line(sock); if (hydra_strcasestr(buf, "ress ENTER") != NULL) { hydra_send(sock, "\r\n", 2, 0); diff --git a/hydra-cisco.c b/hydra-cisco.c index e97919d..dac825d 100644 --- a/hydra-cisco.c +++ b/hydra-cisco.c @@ -58,6 +58,7 @@ int start_cisco(int s, char *ip, int port, unsigned char options, char *miscptr, if (buf != NULL && strstr(buf, "assw") != NULL) { hydra_completed_pair(); free(buf); + buf = NULL; if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; if (strlen(pass = hydra_get_next_password()) == 0) @@ -73,6 +74,8 @@ int start_cisco(int s, char *ip, int port, unsigned char options, char *miscptr, return 1; } do { + if (buf != NULL) + free(buf); buf = hydra_receive_line(s); if (buf != NULL) { if (buf[strlen(buf) - 1] == '\n') diff --git a/hydra-http-form.c b/hydra-http-form.c index 8157230..d0d68bc 100644 --- a/hydra-http-form.c +++ b/hydra-http-form.c @@ -399,8 +399,8 @@ int start_http_form(int s, char *ip, int port, unsigned char options, char *misc str3[strlen(str) - strlen(str2) - 1] = 0; } } else { - strncpy(str2, webtarget, sizeof(str2)); - str2[sizeof(str2)] = 0; + strncpy(str2, webtarget, sizeof(str2) - 1); + str2[sizeof(str2) - 1] = 0; if (redirected_url_buff[0] != '/') { //it's a relative path, so we have to concatenate it //with the path from the first url given diff --git a/hydra-http-proxy-urlenum.c b/hydra-http-proxy-urlenum.c index 7f39fc3..c9c4252 100644 --- a/hydra-http-proxy-urlenum.c +++ b/hydra-http-proxy-urlenum.c @@ -176,6 +176,7 @@ int start_http_proxy_urlenum(int s, char *ip, int port, unsigned char options, c if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0) return 1; + free(buf); buf = hydra_receive_line(s); while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { free(buf); 
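Review bot: `hydra_strcasestr(buf, "ress ENTER")` on the line after the new `free` is reached even when `hydra_receive_line(sock)` returned NULL; unless hydra_strcasestr tolerates a NULL haystack (not visible here) this is a NULL dereference. Guard it: `if (buf != NULL && hydra_strcasestr(buf, "ress ENTER") != NULL) {`. The `if (buf != NULL)` in front of `free(buf)` is redundant because `free(NULL)` is a no-op; the same guard appears in the hydra-cisco.c do-loop, in hydra-http-proxy.c (the NTLM response receive and service_http_proxy case 1) and in hydra-http.c. service_cisco_enable continues outside the hunk.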
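Review bot: In the do-loop, `buf[strlen(buf) - 1]` reads index -1 when `hydra_receive_line` returns an empty string, which the `buf != NULL` test does not rule out. Check for the empty case first: `if (*buf != 0 && buf[strlen(buf) - 1] == '\n')`. The loop body continues beyond the hunk.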
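Review bot: The corrected `strncpy(str2, webtarget, sizeof(str2) - 1); str2[sizeof(str2) - 1] = 0;` pair is a style point: `snprintf(str2, sizeof(str2), "%s", webtarget);` does the same bounded, always-terminated copy in one line without the zero-padding and the separate terminator that made the original easy to get wrong. The same two-line pattern is fixed identically in hydra-mysql.c (`database`), hydra-postgres.c (`database`) and hydra-pcanywhere.c (`passwd`), and could use the same simplification. start_http_form continues outside the hunk.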
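Review bot: The added `free(buf);` before `buf = hydra_receive_line(s);` is only safe if every path reaching it leaves `buf` either NULL or owning a live allocation; the declaration of `buf` and its earlier uses in start_http_proxy_urlenum are outside the hunk, so that precondition cannot be confirmed here. If an earlier `free(buf)` in this function is not followed by `buf = NULL`, this becomes a double free. A comment such as `/* buf holds the previous response line (or NULL) */` at this point would document the invariant the free relies on.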
diff --git a/hydra-http-proxy.c b/hydra-http-proxy.c index 9b0ee80..344a864 100644 --- a/hydra-http-proxy.c +++ b/hydra-http-proxy.c @@ -2,8 +2,8 @@ #include "sasl.h" extern char *HYDRA_EXIT; -char *buf; static int http_proxy_auth_mechanism = AUTH_ERROR; +char *http_proxy_buf = NULL; int start_http_proxy(int s, char *ip, int port, unsigned char options, char *miscptr, FILE * fp) { char *empty = ""; @@ -31,21 +31,42 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis strcat(host, "\r\n"); } - if (http_proxy_auth_mechanism == AUTH_ERROR) { + if (http_proxy_auth_mechanism != AUTH_BASIC && (http_proxy_auth_mechanism == AUTH_ERROR || http_proxy_buf == NULL)) { //send dummy request sprintf(buffer, "GET %s HTTP/1.0\r\n%sUser-Agent: Mozilla/4.0 (Hydra)\r\n%s\r\n", url, host, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; + return 3; //receive first 40x - buf = hydra_receive_line(s); - while (buf != NULL && strstr(buf, "HTTP/") == NULL) { - free(buf); - buf = hydra_receive_line(s); + http_proxy_buf = hydra_receive_line(s); + while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/") == NULL) { + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + } + + if (http_proxy_buf == NULL) { + if (verbose) + hydra_report(stderr, "[ERROR] Server did not answer\n"); + return 3; } if (debug) - hydra_report(stderr, "S:%s\n", buf); + hydra_report(stderr, "S:%s\n", http_proxy_buf); + + http_proxy_buf = hydra_receive_line(s); + while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) { + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + } + + if (http_proxy_buf == NULL) { + if (verbose) + hydra_report(stderr, "[ERROR] Proxy seems not to require authentication\n"); + return 3; + } + + if (debug) + hydra_report(stderr, "S:%s\n", http_proxy_buf); //after the first query we should have been disconnected from web server s = hydra_disconnect(s); 
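Review bot: `char *http_proxy_buf = NULL;` is a file-scope variable with external linkage, while the neighbouring `http_proxy_auth_mechanism` is `static`; unless another translation unit references it, declare it `static char *http_proxy_buf = NULL;` so it cannot collide with or be reached from other modules. The `char *http_buf = NULL;` added at the top of hydra-http.c has the same issue.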
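Review bot: The status line that the first loop leaves in `http_proxy_buf` is leaked: after `hydra_report(stderr, "S:%s\n", http_proxy_buf);` the pointer is overwritten by the second `http_proxy_buf = hydra_receive_line(s);` without a free. Insert `free(http_proxy_buf);` immediately before that second assignment, as the other receive loops in this file do. start_http_proxy continues outside the hunk.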
@@ -56,7 +77,7 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis } } - if (hydra_strcasestr(buf, "Proxy-Authenticate: Basic") != NULL) { + if (http_proxy_auth_mechanism == AUTH_BASIC || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Basic") != NULL) { http_proxy_auth_mechanism = AUTH_BASIC; sprintf(buffer2, "%.50s:%.50s", login, pass); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); @@ -64,25 +85,26 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; - buf = hydra_receive_line(s); - while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { - free(buf); - buf = hydra_receive_line(s); + return 3; + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop - if (buf == NULL) { + if (http_proxy_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) - hydra_report(stderr, "S:%s\n", buf); + hydra_report(stderr, "S:%s\n", http_proxy_buf); } else { - if (hydra_strcasestr(buf, "Proxy-Authenticate: NTLM") != NULL) { + if (http_proxy_auth_mechanism == AUTH_NTLM || hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM") != NULL) { unsigned char buf1[4096]; unsigned char buf2[4096]; 
@@ -98,13 +120,14 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis //send the first.. sprintf(buffer, "GET %s HTTP/1.0\r\n%sProxy-Authorization: NTLM %s\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nProxy-Connection: keep-alive\r\n%s\r\n", url, host, buf1, header); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; + return 3; //receive challenge - buf = hydra_receive_line(s); - while (buf != NULL && (pos = hydra_strcasestr(buf, "Proxy-Authenticate: NTLM ")) == NULL) { - free(buf); - buf = hydra_receive_line(s); + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + while (http_proxy_buf != NULL && (pos = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: NTLM ")) == NULL) { + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); } if (pos != NULL) { char *str; @@ -118,9 +141,11 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis } } //recover challenge - if (buf != NULL && strlen(buf) >= 4) { + if (http_proxy_buf != NULL && strlen(http_proxy_buf) >= 4) { from64tobits((char *) buf1, pos); - free(buf); + free(http_proxy_buf); + http_proxy_buf = NULL; + return 3; } //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); 
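Review bot: The added `return 3;` right after `from64tobits((char *) buf1, pos);` means that whenever a challenge was actually received the NTLM type-3 response built by the following `buildAuthResponse` line is never sent, so this path can no longer authenticate. If the intent is to disable NTLM proxy authentication for now, say so with a comment such as `/* NTLM proxy auth disabled: challenge decoded but no response sent */`; otherwise drop the return and release `http_proxy_buf` after the response has been sent. Conversely, when the challenge is missing or shorter than four bytes the code falls through to `buildAuthResponse` with `buf1` still holding the base64 type-1 message, which appears to be where an early `return 3;` belongs.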
@@ -129,24 +154,26 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis if (debug) hydra_report(stderr, "C:%s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) - return 1; + return 3; - buf = hydra_receive_line(s); - while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { - free(buf); - buf = hydra_receive_line(s); + if (http_proxy_buf != NULL) + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); } - if (buf == NULL) - return 1; + if (http_proxy_buf == NULL) + return 3; } else { #ifdef LIBOPENSSL - if (hydra_strcasestr(buf, "Proxy-Authenticate: Digest") != NULL) { + if (hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest") != NULL) { char *pbuffer; http_proxy_auth_mechanism = AUTH_DIGESTMD5; - pbuffer = hydra_strcasestr(buf, "Proxy-Authenticate: Digest "); + pbuffer = hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("Proxy-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; pbuffer = NULL; 
@@ -159,26 +186,29 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis if (debug) hydra_report(stderr, "C:%s\n", buffer2); if (hydra_send(s, buffer2, strlen(buffer2), 0) < 0) - return 1; + return 3; - buf = hydra_receive_line(s); - while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { - free(buf); - buf = hydra_receive_line(s); + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + while (http_proxy_buf != NULL && strstr(http_proxy_buf, "HTTP/1.") == NULL) { + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); } - if (debug && buf != NULL) - hydra_report(stderr, "S:%s\n", buf); + if (debug && http_proxy_buf != NULL) + hydra_report(stderr, "S:%s\n", http_proxy_buf); - if (buf == NULL) - return 1; + if (http_proxy_buf == NULL) + return 3; } else #endif { - if (buf != NULL) { - buf[strlen(buf) - 1] = '\0'; - hydra_report(stderr, "Unsupported Auth type:\n%s\n", buf); + if (http_proxy_buf != NULL) { +// buf[strlen(http_proxy_buf) - 1] = '\0'; + hydra_report(stderr, "Unsupported Auth type:\n%s\n", http_proxy_buf); + free(http_proxy_buf); + http_proxy_buf = NULL; } else { hydra_report(stderr, "Unsupported Auth type\n"); } 
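Review bot: After `http_proxy_buf = NULL;` in the unsupported-auth branch, control continues into the status-line parsing of the next hunk (`index(http_proxy_buf, ' ')`) unless the two new-side lines between this hunk and the next, which are not shown, return; if they do not, this is a NULL dereference, and `return 3;` should follow the reset. The commented-out `// buf[strlen(http_proxy_buf) - 1] = '\0';` should be deleted rather than kept as dead code. start_http_proxy continues outside the hunk.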
@@ -187,23 +217,32 @@ int start_http_proxy(int s, char *ip, int port, unsigned char options, char *mis } } - ptr = ((char *) index(buf, ' ')) + 1; + ptr = ((char *) index(http_proxy_buf, ' ')) + 1; if (*ptr == '2' || (*ptr == '3' && *(ptr + 2) == '1') || (*ptr == '3' && *(ptr + 2) == '2')) { hydra_report_found_host(port, ip, "http-proxy", fp); hydra_completed_pair_found(); + free(http_proxy_buf); + http_proxy_buf = NULL; } else { if (*ptr != '4') - hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass); + hydra_report(stderr, "[INFO] Unusual return code: %c for %s:%s\n", (char) *(index(http_proxy_buf, ' ') + 1), login, pass); else if (verbose && *(ptr + 2) == '3') hydra_report(stderr, "[INFO] Potential success, could be false positive: %s:%s\n", login, pass); hydra_completed_pair(); + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + while (http_proxy_buf != NULL && hydra_strcasestr(http_proxy_buf, "Proxy-Authenticate:") == NULL) { + free(http_proxy_buf); + http_proxy_buf = hydra_receive_line(s); + } } - free(buf); - if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; - return 1; + if (http_proxy_buf != NULL) + return 2; + else + return 1; } void service_http_proxy(char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { @@ -219,6 +258,8 @@ void service_http_proxy(char *ip, int sp, unsigned char options, char *miscptr, switch (run) { case 1: /* connect and service init function */ { + if (http_proxy_buf != NULL) + free(http_proxy_buf); if (sock >= 0) sock = hydra_disconnect(sock); // usleep(275000); diff --git a/hydra-http.c b/hydra-http.c index 8440412..42ccc6f 100644 --- a/hydra-http.c +++ b/hydra-http.c @@ -4,6 +4,7 @@ extern char *HYDRA_EXIT; char *webtarget = NULL; char *slash = "/"; +char *http_buf = NULL; int webport, freemischttp = 0; int http_auth_mechanism = AUTH_BASIC; 
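Review bot: `ptr = ((char *) index(http_proxy_buf, ' ')) + 1;` uses the result of `index()` unchecked: a response line without a space yields `(char *)1`, and `*(ptr + 2)` reads past a line shorter than three characters. Replace it with `if ((ptr = index(http_proxy_buf, ' ')) == NULL || strlen(++ptr) < 3) { free(http_proxy_buf); http_proxy_buf = NULL; return 3; }`. hydra-http.c has the same pattern in its status-line parsing, where the subsequent `if (ptr != NULL && ...)` cannot catch it because the `+ 1` was already applied; there the fix is `ptr = index(http_buf, ' '); if (ptr != NULL) ptr++;`.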
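Review bot: `free(http_proxy_buf);` in `case 1` of service_http_proxy leaves the global dangling, and start_http_proxy both tests `http_proxy_buf == NULL` and frees it again on its next run, so any non-NULL value here becomes a double free on reconnect. Add `http_proxy_buf = NULL;` after the free; the `if (http_proxy_buf != NULL)` guard can then go, since `free(NULL)` is a no-op. The switch continues outside the hunk.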
@@ -12,7 +13,7 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, char *empty = ""; char *login, *pass, buffer[500], buffer2[500]; char *header = ""; /* XXX TODO */ - char *ptr, *fooptr, *buf; + char *ptr, *fooptr; if (strlen(login = hydra_get_next_login()) == 0) login = empty; @@ -20,7 +21,7 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, pass = empty; // we must reset this if buf is NULL and we do MD5 digest - if (buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5) + if (http_buf == NULL && http_auth_mechanism == AUTH_DIGESTMD5) http_auth_mechanism = AUTH_BASIC; switch (http_auth_mechanism) { @@ -47,7 +48,7 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, case AUTH_DIGESTMD5:{ char *pbuffer; - pbuffer = hydra_strcasestr(buf, "WWW-Authenticate: Digest "); + pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest "); strncpy(buffer, pbuffer + strlen("WWW-Authenticate: Digest "), sizeof(buffer)); buffer[sizeof(buffer) - 1] = '\0'; @@ -93,15 +94,15 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, return 1; //receive challenge - if (buf != NULL) - free(buf); - buf = hydra_receive_line(s); - while (buf != NULL && (pos = hydra_strcasestr(buf, "WWW-Authenticate: NTLM ")) == NULL) { - free(buf); - buf = hydra_receive_line(s); + if (http_buf != NULL) + free(http_buf); + http_buf = hydra_receive_line(s); + while (http_buf != NULL && (pos = hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM ")) == NULL) { + free(http_buf); + http_buf = hydra_receive_line(s); } - if (buf == NULL) + if (http_buf == NULL) return 1; if (pos != NULL) { 
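Review bot: The comment `// we must reset this if buf is NULL and we do MD5 digest` still names the old local `buf` although the condition below it now tests `http_buf`; update it to `// we must reset this if http_buf is NULL and we do MD5 digest` so the comment matches the code it describes. start_http continues outside the hunk.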
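Review bot: In the `AUTH_DIGESTMD5` case, `pbuffer = hydra_strcasestr(http_buf, "WWW-Authenticate: Digest ");` can return NULL when `http_buf` is non-NULL but lacks that header, and the next line then computes `pbuffer + strlen(...)` and copies from it; the earlier reset to AUTH_BASIC only covers `http_buf == NULL`. Add `if (pbuffer == NULL) { http_auth_mechanism = AUTH_BASIC; return 1; }` before the strncpy. The case body continues outside the hunk.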
@@ -117,8 +118,8 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, } //recover challenge from64tobits((char *) buf1, pos); - free(buf); - buf = NULL; + free(http_buf); + http_buf = NULL; //Send response buildAuthResponse((tSmbNtlmAuthChallenge *) buf1, (tSmbNtlmAuthResponse *) buf2, 0, login, pass, NULL, NULL); 
@@ -148,63 +149,63 @@ int start_http(int s, char *ip, int port, unsigned char options, char *miscptr, return 1; } - if (buf != NULL) - free(buf); - buf = hydra_receive_line(s); - while (buf != NULL && strstr(buf, "HTTP/1.") == NULL) { - free(buf); - buf = hydra_receive_line(s); + if (http_buf != NULL) + free(http_buf); + http_buf = hydra_receive_line(s); + while (http_buf != NULL && strstr(http_buf, "HTTP/1.") == NULL) { + free(http_buf); + http_buf = hydra_receive_line(s); } //if server cut the connection, just exit cleanly or //this will be an infinite loop - if (buf == NULL) { + if (http_buf == NULL) { if (verbose) hydra_report(stderr, "[ERROR] Server did not answer\n"); return 3; } if (debug) - hydra_report(stderr, "S:%s\n", buf); + hydra_report(stderr, "S:%s\n", http_buf); - ptr = ((char *) index(buf, ' ')) + 1; + ptr = ((char *) index(http_buf, ' ')) + 1; if (ptr != NULL && (*ptr == '2' || *ptr == '3' || strncmp(ptr, "403", 3) == 0 || strncmp(ptr, "404", 3) == 0)) { hydra_report_found_host(port, ip, "www", fp); hydra_completed_pair_found(); - if (buf != NULL) { - free(buf); - buf = NULL; + if (http_buf != NULL) { + free(http_buf); + http_buf = NULL; } } else { if (ptr != NULL && *ptr != '4') - fprintf(stderr, "[WARNING] Unusual return code: %c for %s:%s\n", (char) *(index(buf, ' ') + 1), login, pass); + fprintf(stderr, "[WARNING] Unusual return code: %c for %s:%s\n", (char) *(index(http_buf, ' ') + 1), login, pass); //the first authentication type failed, check the type from server header - if ((hydra_strcasestr(buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { + if ((hydra_strcasestr(http_buf, "WWW-Authenticate: Basic") == NULL) && (http_auth_mechanism == AUTH_BASIC)) { //seems the auth supported is not Basic shceme so testing further int find_auth = 0; - if (hydra_strcasestr(buf, "WWW-Authenticate: NTLM") != NULL) { + if (hydra_strcasestr(http_buf, "WWW-Authenticate: NTLM") != NULL) { http_auth_mechanism = AUTH_NTLM; 
find_auth = 1; } #ifdef LIBOPENSSL - if (hydra_strcasestr(buf, "WWW-Authenticate: Digest") != NULL) { + if (hydra_strcasestr(http_buf, "WWW-Authenticate: Digest") != NULL) { http_auth_mechanism = AUTH_DIGESTMD5; find_auth = 1; } #endif if (find_auth) { -// free(buf); -// buf = NULL; +// free(http_buf); +// http_buf = NULL; return 1; } } hydra_completed_pair(); } -// free(buf); -// buf = NULL; +// free(http_buf); +// http_buf = NULL; if (memcmp(hydra_get_next_pair(), &HYDRA_EXIT, sizeof(HYDRA_EXIT)) == 0) return 3; return 1; diff --git a/hydra-irc.c b/hydra-irc.c index bc41673..0008200 100644 --- a/hydra-irc.c +++ b/hydra-irc.c @@ -144,7 +144,9 @@ void service_irc(char *ip, int sp, unsigned char options, char *miscptr, FILE * hydra_child_exit(1); } - ret = hydra_recv(sock, buffer, sizeof(buffer)); + buffer[0] = 0; + if ((ret = hydra_recv(sock, buffer, sizeof(buffer))) >= 0) + buffer[ret] = 0; /* ERROR :Bad password */ #ifdef HAVE_PCRE diff --git a/hydra-mysql.c b/hydra-mysql.c index 2b8e4b5..0c045e0 100644 --- a/hydra-mysql.c +++ b/hydra-mysql.c @@ -39,9 +39,9 @@ char mysqlsalt[9]; /* modified hydra_receive_line, I've striped code which changed every 0x00 to 0x20 */ char *hydra_mysql_receive_line(int socket) { char buf[300], *buff, *buff2; - int i = 0, j = 0; + int i = 0, j = 0, buff_size = 300; - buff = malloc(sizeof(buf)); + buff = malloc(buff_size); if (buff == NULL) return NULL; memset(buff, 0, sizeof(buf)); 
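Review bot: `buffer[ret] = 0;` writes one past the end of `buffer` when `hydra_recv` fills it completely, because the read is sized `sizeof(buffer)`; change the read to `if ((ret = hydra_recv(sock, buffer, sizeof(buffer) - 1)) >= 0)` so the terminator always fits. The same off-by-one appears in the new termination code in hydra-rsh.c (`sizeof(buffer)`), hydra-sip.c (`sizeof(buf)`) and hydra-pcanywhere.c (`buffer[ret] = 0` after a full-size recv). service_irc continues outside the hunk.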
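Review bot: `buff_size = 300` repeats the literal that sizes the local `buf[300]`; tie the two together with `int i = 0, j = 0, buff_size = sizeof(buf);` so they cannot drift apart, which also matches the `memset(buff, 0, sizeof(buf))` a few lines below. hydra_mysql_receive_line continues outside the hunk.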
@@ -63,13 +63,17 @@ char *hydra_mysql_receive_line(int socket) { j = 1; while (hydra_data_ready(socket) > 0 && j > 0) { j = internal__hydra_recv(socket, buf, sizeof(buf)); - if (j > 65535 || i + j > 65535 || (buff2 = realloc(buff, i + j)) == NULL) { - free(buff); - return NULL; - } else - buff = buff2; - memcpy(buff + i, &buf, j); - i = i + j; + if (j > 0) { + if (i + j > buff_size || (buff2 = realloc(buff, i + j)) == NULL) { + free(buff); + return NULL; + } else { + buff = buff2; + buff_size = i + j; + } + memcpy(buff + i, &buf, j); + i += j; + } } if (debug) @@ -177,13 +181,13 @@ int start_mysql(int sock, char *ip, int port, unsigned char options, char *miscp pass = hydra_get_next_password(); if (miscptr) - strncpy(database, miscptr, sizeof(database)); + strncpy(database, miscptr, sizeof(database) - 1); else { - strncpy(database, DEFAULT_DB, sizeof(database)); + strncpy(database, DEFAULT_DB, sizeof(database) - 1); if (verbose) hydra_report(stderr, "[VERBOSE] using default db 'mysql'\n"); } - database[sizeof(database)] = 0; + database[sizeof(database) - 1] = 0; /* read server greeting */ res = hydra_mysql_init(sock); diff --git a/hydra-pcanywhere.c b/hydra-pcanywhere.c index a9ef910..0f4f93c 100644 --- a/hydra-pcanywhere.c +++ b/hydra-pcanywhere.c @@ -62,8 +62,8 @@ void pca_encrypt(char *cleartxt) { char passwd[128]; int i; - strncpy(passwd, cleartxt, sizeof(passwd)); - passwd[sizeof(passwd)] = 0; + strncpy(passwd, cleartxt, sizeof(passwd) - 1); + passwd[sizeof(passwd) - 1] = 0; if (strlen(cleartxt) > 0) { passwd[0] = (passwd[0] ^ 0xab); for (i = 1; i < strlen(passwd); i++) @@ -192,9 +192,10 @@ int start_pcanywhere(int s, char *ip, int port, unsigned char options, char *mis } ret = hydra_recv(s, buffer, sizeof(buffer)); - if (ret == -1) { + if (ret < 0) return 1; - } + else + buffer[ret] = 0; clean_buffer(buffer, ret); /*show_buffer(buffer,ret); */ diff --git a/hydra-postgres.c b/hydra-postgres.c index 8b8e8e0..e1754ad 100644 --- a/hydra-postgres.c 
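Review bot: The new condition `i + j > buff_size || (buff2 = realloc(buff, i + j)) == NULL` can never grow the buffer: realloc only runs when the data already fits, it then shrinks the allocation to exactly `i + j` and sets `buff_size` to that, so the next chunk always trips `i + j > buff_size` and the function returns NULL. Any reply that arrives in more than one recv after the first chunk is therefore dropped, which looks like a regression from the old unconditional realloc rather than an intended cap. The loop should reallocate when the data does not fit and keep the old 65535 ceiling the commit removed; the rewritten loop body is below. hydra_mysql_receive_line continues outside the hunk.
```c
    if (j > 0) {
      /* grow only when the accumulated data would not fit; keep the 64 KiB ceiling */
      if (i + j > buff_size) {
        if (i + j > 65535 || (buff2 = realloc(buff, i + j)) == NULL) {
          free(buff);
          return NULL;
        }
        buff = buff2;
        buff_size = i + j;
      }
      memcpy(buff + i, buf, j);
      i += j;
    }
```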
+++ b/hydra-postgres.c @@ -29,10 +29,10 @@ int start_postgres(int s, char *ip, int port, unsigned char options, char *miscp PGconn *pgconn; if (miscptr) - strncpy(database, miscptr, sizeof(database)); + strncpy(database, miscptr, sizeof(database) - 1); else - strncpy(database, DEFAULT_DB, sizeof(database)); - database[sizeof(database)] = 0; + strncpy(database, DEFAULT_DB, sizeof(database) - 1); + database[sizeof(database) - 1] = 0; if (strlen(login = hydra_get_next_login()) == 0) login = empty; diff --git a/hydra-rlogin.c b/hydra-rlogin.c index f8f696c..be6b645 100644 --- a/hydra-rlogin.c +++ b/hydra-rlogin.c @@ -40,8 +40,11 @@ int start_rlogin(int s, char *ip, int port, unsigned char options, char *miscptr } ret = hydra_recv(s, buffer, sizeof(buffer)); /* 0x00 is sent but hydra_recv transformed it */ - if (strlen(buffer) == 0) - ret = hydra_recv(s, buffer, sizeof(buffer)); + if (strlen(buffer) == 0) { + ret = hydra_recv(s, buffer, sizeof(buffer) - 1); + if (ret >= 0) + buffer[ret] = 0; + } if (ret > 0 && (strstr(buffer, "rlogind:") != NULL)) return 1; diff --git a/hydra-rsh.c b/hydra-rsh.c index 5e7bedc..0fc93af 100644 --- a/hydra-rsh.c +++ b/hydra-rsh.c @@ -36,7 +36,9 @@ int start_rsh(int s, char *ip, int port, unsigned char options, char *miscptr, F return 4; } - ret = hydra_recv(s, buffer, sizeof(buffer)); + buffer[0] = 0; + if ((ret = hydra_recv(s, buffer, sizeof(buffer))) >= 0) + buffer[ret] = 0; /* 0x00 is sent but hydra_recv transformed it */ if (strlen(buffer) == 0) ret = hydra_recv(s, buffer, sizeof(buffer) - 1); diff --git a/hydra-sip.c b/hydra-sip.c index 09c5bca..a071e81 100644 --- a/hydra-sip.c +++ b/hydra-sip.c 
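Review bot: Only the second read is fixed: the first `ret = hydra_recv(s, buffer, sizeof(buffer));` still feeds `strlen(buffer)` without terminating the data (and, when it fails, with whatever `buffer` held before). Replace it with `buffer[0] = 0; if ((ret = hydra_recv(s, buffer, sizeof(buffer) - 1)) >= 0) buffer[ret] = 0;`. hydra-rsh.c has the mirror image — its first read is now terminated but the second `hydra_recv(s, buffer, sizeof(buffer) - 1)` in the context is not. start_rlogin continues outside the hunk.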
@@ -152,7 +152,8 @@ int start_sip(int s, char *ip, char *lip, int port, int lport, unsigned char opt try++; if (hydra_data_ready_timed(s, 5, 0) > 0) { memset(buf, 0, sizeof(buf)); - i = hydra_recv(s, (char *) buf, sizeof(buf)); + if ((i = hydra_recv(s, (char *) buf, sizeof(buf))) >= 0) + buf[i] = 0; if (verbose) hydra_report(stderr, "[INFO] S: %s\n", buf); sip_code = get_sip_code(buf); diff --git a/hydra-smb.c b/hydra-smb.c index b3c7175..0c1c2f9 100644 --- a/hydra-smb.c +++ b/hydra-smb.c @@ -977,8 +977,10 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc memset(LMhash, 0, 24); ret = HashLM(&LMhash, (unsigned char *) szPassword, (unsigned char *) challenge); - if (ret == -1) + if (ret == -1) { + free(LMv2hash); return -1; + } memcpy(buf + iOffset, LMhash, 24); free(LMhash); @@ -1053,8 +1055,10 @@ unsigned long SMBSessionSetup(int s, char *szLogin, char *szPassword, char *misc memset(LMv2hash, 0, 24); ret = HashLMv2(&LMv2hash, (unsigned char *) szLogin, (unsigned char *) szPassword); - if (ret == -1) + if (ret == -1) { + free(LMv2hash); return -1; + } memcpy(buf + iOffset, LMv2hash, 24); free(LMv2hash); diff --git a/hydra-xmpp.c b/hydra-xmpp.c index 038f2c9..c800f57 100644 --- a/hydra-xmpp.c +++ b/hydra-xmpp.c @@ -4,7 +4,6 @@ /* david: ref http://xmpp.org/rfcs/rfc3920.html */ extern char *HYDRA_EXIT; -char *buf; static char *domain = NULL; int xmpp_auth_mechanism = AUTH_ERROR; @@ -22,7 +21,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, char *CHALLENGE_END_STR = ""; char *RESPONSE_STR = ""; char *RESPONSE_END_STR = ""; - char *fooptr; + char *fooptr, *buf; if (strlen(login = hydra_get_next_login()) == 0) login = empty; 
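Review bot: The new HashLM failure path frees the wrong buffer: the hash being produced here is `LMhash` (see the `memset(LMhash, 0, 24)` before and `free(LMhash)` after), yet the hunk calls `free(LMv2hash)`, so `LMhash` leaks and `LMv2hash` is freed in a state this hunk does not show — if it has not been allocated at that point, that is an invalid free. Change it to `free(LMhash);`. The second hunk in this file, for HashLMv2, gets the pairing right. SMBSessionSetup continues outside both hunks.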
@@ -49,9 +48,10 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, hydra_send(s, buffer, strlen(buffer), 0); usleep(300000); - buf = hydra_receive_line(s); + if ((buf = hydra_receive_line(s)) == NULL) + return 3; - if (verbose) + if (debug) hydra_report(stderr, "DEBUG S: %s\n", buf); if ((strstr(buf, CHALLENGE_STR) != NULL) || (strstr(buf, CHALLENGE_STR2) != NULL)) { @@ -72,7 +72,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, buffer2[chglen] = '\0'; memset(buffer, 0, sizeof(buffer)); from64tobits((char *) buffer, buffer2); - if (verbose) + if (debug) hydra_report(stderr, "DEBUG S: %s\n", buffer); } @@ -84,7 +84,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); - if (verbose) + if (debug) hydra_report(stderr, "DEBUG C: %s\n", buffer); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { free(buf); @@ -126,7 +126,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, memset(buffer2, 0, sizeof(buffer)); sasl_plain(buffer2, login, pass); sprintf(buffer, "%s%.250s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); - if (verbose) + if (debug) hydra_report(stderr, "DEBUG C: %s\n", buffer); } @@ -140,11 +140,12 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { + free(buf); return 3; } sprintf(buffer, "%.200s %.250s", preplogin, buffer2); - if (verbose) + if (debug) hydra_report(stderr, "DEBUG C: %s\n", buffer); hydra_tobase64((unsigned char *) buffer, strlen(buffer), sizeof(buffer)); sprintf(buffer2, "%s%.250s%s", RESPONSE_STR, buffer, RESPONSE_END_STR); 
@@ -157,9 +158,11 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, memset(buffer2, 0, sizeof(buffer2)); fooptr = buffer2; sasl_digest_md5(fooptr, login, pass, buffer, domain, "xmpp", NULL, 0, NULL); - if (fooptr == NULL) + if (fooptr == NULL) { + free(buf); return 3; - if (verbose) + } + if (debug) hydra_report(stderr, "DEBUG C: %s\n", buffer2); hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); @@ -172,6 +175,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, int rc = sasl_saslprep(login, SASL_ALLOW_UNASSIGNED, &preplogin); if (rc) { + free(buf); return 3; } @@ -181,6 +185,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, hydra_tobase64((unsigned char *) buffer2, strlen(buffer2), sizeof(buffer2)); snprintf(buffer, sizeof(buffer), "%s%s%s", RESPONSE_STR, buffer2, RESPONSE_END_STR); + free(buf); if (hydra_send(s, buffer, strlen(buffer), 0) < 0) { return 1; } @@ -274,7 +279,7 @@ int start_xmpp(int s, char *ip, int port, unsigned char options, char *miscptr, void service_xmpp(char *target, char *ip, int sp, unsigned char options, char *miscptr, FILE * fp, int port) { int run = 1, next_run = 1, sock = -1, tls = 0; - char buffer[500]; + char buffer[500], *buf = NULL; int myport = PORT_XMPP, mysslport = PORT_XMPP_SSL, disable_tls = 0; char *enddomain = NULL; diff --git a/hydra.c b/hydra.c index 29e1180..3a40f45 100644 --- a/hydra.c +++ b/hydra.c @@ -302,7 +302,7 @@ void help(int ext) { #ifdef HAVE_MATH_H " [-x MIN:MAX:CHARSET]" #endif - " [-SuvV46] " + " [-SuvVd46] " //"[server service [OPT]]|" "[service://server[:PORT][/OPT]]\n"); printf("\nOptions:\n"); diff --git a/sasl.c b/sasl.c index 13f1c70..43e142d 100644 --- a/sasl.c +++ b/sasl.c 
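Review bot: The new `free(buf); return 3;` inside `if (fooptr == NULL)` is unreachable: `fooptr` is set to the address of the local `buffer2` two lines earlier and `sasl_digest_md5` receives it by value, so it cannot become NULL. If sasl_digest_md5 reports failure through its return value (its prototype is not shown), test that instead; otherwise the whole check should be removed rather than extended. start_xmpp continues outside the hunk.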
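Review bot: The added `free(buf);` before `hydra_send(s, buffer, ...)` leaves `buf` dangling for the rest of start_xmpp; the hunk shows no further use, but anything below it that reads `buf` before reassigning it would be a use-after-free. Add `buf = NULL;` after the free so such a read fails loudly instead of silently. The function continues outside the hunk.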
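Review bot: `char buffer[500], *buf = NULL;` adds a `buf` local to service_xmpp, but start_xmpp now has its own local `buf` and nothing in the shown part of service_xmpp references this one, so it looks like an unused variable that will draw a compiler warning; drop it unless code further down the function uses it. service_xmpp continues outside the hunk.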
@@ -641,7 +641,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha } /*client-final-message */ - if (verbose) + if (debug) hydra_report(stderr, "DEBUG S: %s\n", serverfirstmessage); //r=hydra28Bo7kduPpAZLzhRQiLxc8Y9tiwgw+yP,s=ldDgevctH+Kg7b8RnnA3qA==,i=4096 @@ -711,7 +711,7 @@ void sasl_scram_sha1(char *result, char *pass, char *clientfirstmessagebare, cha to64frombits(clientproof_b64, (const unsigned char *) ClientProof, 20); snprintf(result, 500, "%s,p=%s", clientfinalmessagewithoutproof, clientproof_b64); - if (verbose) + if (debug) hydra_report(stderr, "DEBUG C: %s\n", result); free(preppasswd); }