data/exploits/psnuffle/url.rb

# Psnuffle password sniffer add-on class for HTTP GET URL's
# part of psnuffle sniffer auxiliary module
#
# Very simple example how to write sniffer extensions
#

# Sniffer class for GET URL's
class SnifferURL < BaseProtocolParser
	def register_sigs
		self.sigs = {
			:get		=> /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/si,
			:webhost	=> /^HOST\:\s+([^\n\r]+)/si,
		}
	end

	def parse(pkt)
		# We want to return immediantly if	we do not have a packet which is handled by us
		return if not pkt[:tcp]
		return if (pkt[:tcp].dst_port != 80)
		s = find_session((pkt[:tcp].dst_port == 80) ? get_session_dst(pkt) : get_session_src(pkt))

		self.sigs.each_key do |k|
		
			# There is only one pattern per run to test
			matched = nil
			matches = nil

			if(pkt[:tcp].payload_data =~ self.sigs[k])
				matched = k
				matches = $1
				sessions[s[:session]].merge!({k => matches})
			end

			case matched
			when :webhost
				sessions[s[:session]].merge!({k => matches})
				if(s[:get])
					print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
					sessions.delete(s[:session])
					return 
				end
			when nil
				# No matches, no saved state
			end # end case matched
		end # end of each_key
	end # end of parse
end # end of URL sniffer
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`# Psnuffle password sniffer add-on class for HTTP GET URL's`
			`# part of psnuffle sniffer auxiliary module`
			`#`
			`# Very simple example how to write sniffer extensions`
			`#`

Psnuffle modules 2009-07-17 20:39:06 +00:00			`# Sniffer class for GET URL's`
			`class SnifferURL < BaseProtocolParser`
			`def register_sigs`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`self.sigs = {`
			`:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/si,`
			`:webhost => /^HOST\:\s+([^\n\r]+)/si,`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`}`
			`end`

			`def parse(pkt)`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`# We want to return immediantly if we do not have a packet which is handled by us`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`return if not pkt[:tcp]`
			`return if (pkt[:tcp].dst_port != 80)`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`s = find_session((pkt[:tcp].dst_port == 80) ? get_session_dst(pkt) : get_session_src(pkt))`
Psnuffle modules 2009-07-17 20:39:06 +00:00
			`self.sigs.each_key do \|k\|`

			`# There is only one pattern per run to test`
			`matched = nil`
			`matches = nil`

Update psnuffle modules to use payload_data 2009-07-25 14:11:55 +00:00			`if(pkt[:tcp].payload_data =~ self.sigs[k])`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`matched = k`
			`matches = $1`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`sessions[s[:session]].merge!({k => matches})`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`end`

			`case matched`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`when :webhost`
			`sessions[s[:session]].merge!({k => matches})`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`if(s[:get])`
Updated pSnuffle sniffer code from _MAX_ 2009-08-19 14:07:33 +00:00			`print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")`
Psnuffle modules 2009-07-17 20:39:06 +00:00			`sessions.delete(s[:session])`
			`return`
			`end`
			`when nil`
			`# No matches, no saved state`
			`end # end case matched`
			`end # end of each_key`
			`end # end of parse`
			`end # end of URL sniffer`