PageRenderTime 46ms CodeModel.GetById 16ms RepoModel.GetById 1ms app.codeStats 0ms

/ettercap/src/dissectors/ec_pop.c

#
C | 443 lines | 200 code | 103 blank | 140 comment | 55 complexity | 8f0895fc5aafeb7f2f8a4946f2eea017 MD5 | raw file
Possible License(s): AGPL-3.0, LGPL-2.1, GPL-2.0 
    

  1. /*
    2. 

  2.     ettercap -- dissector POP3 -- TCP 110
    3. 

    4. 

  4.     Copyright (C) ALoR & NaGA
    5. 

    6. 

  6.     This program is free software; you can redistribute it and/or modify
    7. 

  7.     it under the terms of the GNU General Public License as published by
    8. 

  8.     the Free Software Foundation; either version 2 of the License, or
    9. 

  9.     (at your option) any later version.
    10. 

    11. 

  11.     This program is distributed in the hope that it will be useful,
    12. 

  12.     but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14.     GNU General Public License for more details.
    15. 

    16. 

  16.     You should have received a copy of the GNU General Public License
    17. 

  17.     along with this program; if not, write to the Free Software
    18. 

  18.     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
    19. 

    20. 

  20.     $Id: ec_pop.c,v 1.33 2004/06/25 14:24:29 alor Exp $
    21. 

  21. */
    22. 

  22. 

  23. /*
    24. 

  24.  * The authentication schema can be found here:
    25. 

  25.  * 
    26. 

  26.  * ftp://ftp.rfc-editor.org/in-notes/std/std53.txt
    27. 

  27.  *
    28. 

  28.  * we currently support:
    29. 

  29.  *    - USER & PASS
    30. 

  30.  *    - APOP
    31. 

  31.  *    - AUTH LOGIN (SASL)
    32. 

  32.  */
    33. 

  33. 

  34. #include <ec.h>
    35. 

  35. #include <ec_decode.h>
    36. 

  36. #include <ec_dissect.h>
    37. 

  37. #include <ec_session.h>
    38. 

  38. #include <ec_sslwrap.h>
    39. 

  39. 

  40. /* protos */
    41. 

  41. 

  42. FUNC_DECODER(dissector_pop);
    43. 

  43. void pop_init(void);
    44. 

  44. 

  45. /************************************************/
    46. 

  46. 

  47. /*
    48. 

  48.  * this function is the initializer.
    49. 

  49.  * it adds the entry in the table of registered decoder
    50. 

  50.  */
    51. 

  51. 

  52. void __init pop_init(void)
    53. 

  53. {
    54. 

  54.    dissect_add("pop3", APP_LAYER_TCP, 110, dissector_pop);
    55. 

  55.    sslw_dissect_add("pop3s", 995, dissector_pop, SSL_ENABLED);
    56. 

  56. }
    57. 

  57. 

  58. FUNC_DECODER(dissector_pop)
    59. 

  59. {
    60. 

  60.    DECLARE_DISP_PTR_END(ptr, end);
    61. 

  61.    struct ec_session *s = NULL;
    62. 

  62.    void *ident = NULL;
    63. 

  63.    char tmp[MAX_ASCII_ADDR_LEN];
    64. 

  64.    
    65. 

  65.    /* the connection is starting... create the session */
    66. 

  66.    CREATE_SESSION_ON_SYN_ACK("pop3", s, dissector_pop);
    67. 

  67.    /* create the session even if we are into an ssl tunnel */
    68. 

  68.    CREATE_SESSION_ON_SYN_ACK("pop3s", s, dissector_pop);
    69. 

  69.    
    70. 

  70.    /* check if it is the first packet sent by the server */
    71. 

  71.    if ((FROM_SERVER("pop3", PACKET) || FROM_SERVER("pop3s", PACKET)) && PACKET->L4.flags & TH_PSH) {  
    72. 

  72.       dissect_create_ident(&ident, PACKET, DISSECT_CODE(dissector_pop));
    73. 

  73.       /* the session exist */
    74. 

  74.       if (session_get(&s, ident, DISSECT_IDENT_LEN) != -ENOTFOUND) { 
    75. 

  75.          /* prevent the deletion of session created for the user and pass */
    76. 

  76.          if (s->data == NULL) { 
    77. 

  77.             
    78. 

  78.             /* get the banner */
    79. 

  79.             if (!strncmp(ptr, "+OK", 3))
    80. 

  80.                PACKET->DISSECTOR.banner = strdup(ptr + 4);
    81. 

  81.             else {
    82. 

  82.                SAFE_FREE(ident);
    83. 

  83.                return NULL;
    84. 

  84.             }
    85. 

  85. 

  86.             DEBUG_MSG("\tdissector_pop BANNER");
    87. 

  87. 

  88.             /* remove the \r\n */
    89. 

  89.             if ( (ptr = strchr(PACKET->DISSECTOR.banner, '\r')) != NULL )
    90. 

  90.                *ptr = '\0';
    91. 

  91.             
    92. 

  92.             /* remove the trailing msg-id <...> */
    93. 

  93.             if ( (ptr = strchr(PACKET->DISSECTOR.banner, '<')) != NULL ) {
    94. 

  94.                /* save the msg-id for APOP authentication */
    95. 

  95.                s->data = strdup(ptr);
    96. 

  96.                /* save the session */
    97. 

  97.                *(ptr - 1) = '\0';
    98. 

  98.             } else {
    99. 

  99.                /* fake the msgid if it does not exist */
    100. 

  100.                s->data = strdup("");
    101. 

  101.             }
    102. 

  102.          } else if (!strcmp(s->data, "AUTH")) {
    103. 

  103.             /* 
    104. 

  104.              * the client has requested AUTH LOGIN, 
    105. 

  105.              * check if the server support it 
    106. 

  106.              * else delete the session
    107. 

  107.              */
    108. 

  108.             if (strstr(ptr, "-ERR"))
    109. 

  109.                dissect_wipe_session(PACKET, DISSECT_CODE(dissector_pop));
    110. 

  110.          }
    111. 

  111.       }                         
    112. 

  112.       SAFE_FREE(ident);         
    113. 

  113.       return NULL;              
    114. 

  114.    }  
    115. 

  115.    
    116. 

  116.    /* skip empty packets (ACK packets) */
    117. 

  117.    if (PACKET->DATA.len == 0)
    118. 

  118.       return NULL;
    119. 

  119.  
    120. 

  120.    DEBUG_MSG("POP --> TCP dissector_pop");
    121. 

  121.    
    122. 

  122.    /* skip the whitespaces at the beginning */
    123. 

  123.    while(*ptr == ' ' && ptr != end) ptr++;
    124. 

  124. 

  125.    /* reached the end */
    126. 

  126.    if (ptr == end) return NULL;
    127. 

  127. 

  128. /*
    129. 

  129.  * USER & PASS authentication:
    130. 

  130.  *
    131. 

  131.  * USER user
    132. 

  132.  * PASS pass
    133. 

  133.  */
    134. 

  134.    if ( !strncasecmp(ptr, "USER ", 5) ) {
    135. 

  135. 

  136.       DEBUG_MSG("\tDissector_POP USER");
    137. 

  137. 

  138.       /* destroy any previous session */
    139. 

  139.       dissect_wipe_session(PACKET, DISSECT_CODE(dissector_pop));
    140. 

  140.       
    141. 

  141.       /* create the new session */
    142. 

  142.       dissect_create_session(&s, PACKET, DISSECT_CODE(dissector_pop));
    143. 

  143.       
    144. 

  144.       ptr += 5;
    145. 

  145.       
    146. 

  146.       /* if not null, free it */
    147. 

  147.       SAFE_FREE(s->data);
    148. 

  148. 

  149.       /* fill the session data */
    150. 

  150.       s->data = strdup(ptr);
    151. 

  151.       s->data_len = strlen(ptr);
    152. 

  152.       
    153. 

  153.       if ( (ptr = strchr(s->data,'\r')) != NULL )
    154. 

  154.          *ptr = '\0';
    155. 

  155.       
    156. 

  156.       /* save the session */
    157. 

  157.       session_put(s);
    158. 

  158. 

  159.       return NULL;
    160. 

  160.    }
    161. 

  161. 

  162.    /* harvest the password */
    163. 

  163.    if ( !strncasecmp(ptr, "PASS ", 5) ) {
    164. 

  164. 

  165.       DEBUG_MSG("\tDissector_POP PASS");
    166. 

  166.       
    167. 

  167.       ptr += 5;
    168. 

  168.       
    169. 

  169.       /* create an ident to retrieve the session */
    170. 

  170.       dissect_create_ident(&ident, PACKET, DISSECT_CODE(dissector_pop));
    171. 

  171.       
    172. 

  172.       /* retrieve the session and delete it */
    173. 

  173.       if (session_get_and_del(&s, ident, DISSECT_IDENT_LEN) == -ENOTFOUND) {
    174. 

  174.          SAFE_FREE(ident);
    175. 

  175.          return NULL;
    176. 

  176.       }
    177. 

  177.       
    178. 

  178.       SAFE_FREE(ident);
    179. 

  179. 

  180.       /* check that the user was sent before the pass */
    181. 

  181.       if (s->data == NULL) {
    182. 

  182.          return NULL;
    183. 

  183.       }
    184. 

  184.      
    185. 

  185.       /* 
    186. 

  186.        * if the PASS command is issued before the USER one, we have to APOP
    187. 

  187.        * digest in the s->data. we can check it on the first char. who has an
    188. 

  188.        * username beginning with '<' ??? :)
    189. 

  189.        */
    190. 

  190.       if (*(char *)(s->data) == '<') {
    191. 

  191.          return NULL;
    192. 

  192.       }
    193. 

  193.       
    194. 

  194.       /* fill the structure */
    195. 

  195.       PACKET->DISSECTOR.user = strdup(s->data);
    196. 

  196.       
    197. 

  197.       PACKET->DISSECTOR.pass = strdup(ptr);
    198. 

  198.       if ( (ptr = strchr(PACKET->DISSECTOR.pass, '\r')) != NULL )
    199. 

  199.          *ptr = '\0';
    200. 

  200. 

  201.       /* free the session */
    202. 

  202.       session_free(s);
    203. 

  203. 

  204.       /* print the message */
    205. 

  205.       DISSECT_MSG("POP : %s:%d -> USER: %s  PASS: %s\n", ip_addr_ntoa(&PACKET->L3.dst, tmp),
    206. 

  206.                                     ntohs(PACKET->L4.dst), 
    207. 

  207.                                     PACKET->DISSECTOR.user,
    208. 

  208.                                     PACKET->DISSECTOR.pass);
    209. 

  209. 

  210.       return NULL;
    211. 

  211.    }
    212. 

  212.    
    213. 

  213. /* 
    214. 

  214.  * APOP authentication :
    215. 

  215.  *
    216. 

  216.  * APOP user md5-digest
    217. 

  217.  *
    218. 

  218.  * MD5-diges is computed on "<msg-id>pass"
    219. 

  219.  */
    220. 

  220.    if ( !strncasecmp(ptr, "APOP ", 5) ) {
    221. 

  221.      
    222. 

  222.       DEBUG_MSG("\tDissector_POP APOP");
    223. 

  223.       
    224. 

  224.       /* create an ident to retrieve the session */
    225. 

  225.       dissect_create_ident(&ident, PACKET, DISSECT_CODE(dissector_pop));
    226. 

  226.       
    227. 

  227.       /* retrieve the session and delete it */
    228. 

  228.       if (session_get_and_del(&s, ident, DISSECT_IDENT_LEN) == -ENOTFOUND) {
    229. 

  229.          SAFE_FREE(ident);
    230. 

  230.          return NULL;
    231. 

  231.       }
    232. 

  232. 

  233.       /* check that the digest was sent before APOP */
    234. 

  234.       if (s->data == NULL) {
    235. 

  235.          SAFE_FREE(ident);
    236. 

  236.          return NULL;
    237. 

  237.       }
    238. 

  238.       
    239. 

  239.       /* move the pointers to "user" */
    240. 

  240.       ptr += 5;
    241. 

  241.       PACKET->DISSECTOR.user = strdup(ptr);
    242. 

  242.      
    243. 

  243.       /* split the string */
    244. 

  244.       if ( (ptr = strchr(PACKET->DISSECTOR.user, ' ')) != NULL )
    245. 

  245.          *ptr = '\0';
    246. 

  246.       else {
    247. 

  247.          /* malformed string */
    248. 

  248.          SAFE_FREE(PACKET->DISSECTOR.user);
    249. 

  249.          session_free(s);
    250. 

  250.          SAFE_FREE(ident);
    251. 

  251.          return NULL;
    252. 

  252.       }
    253. 

  253.          
    254. 

  254.      
    255. 

  255.       /* skip the \0 */
    256. 

  256.       ptr += 1;
    257. 

  257.       
    258. 

  258.       /* save the user */
    259. 

  259.       PACKET->DISSECTOR.pass = strdup(ptr);
    260. 

  260.       if ( (ptr = strchr(PACKET->DISSECTOR.pass, '\r')) != NULL )
    261. 

  261.          *ptr = '\0';
    262. 

  262.          
    263. 

  263.       /* set the info */
    264. 

  264.       PACKET->DISSECTOR.info = strdup(s->data);
    265. 

  265. 

  266.       /* free the session */
    267. 

  267.       session_free(s);
    268. 

  268.       SAFE_FREE(ident);
    269. 

  269. 

  270.       /* print the message */
    271. 

  271.       DISSECT_MSG("POP : %s:%d -> USER: %s  MD5-digest: %s  %s\n", ip_addr_ntoa(&PACKET->L3.dst, tmp),
    272. 

  272.                                     ntohs(PACKET->L4.dst), 
    273. 

  273.                                     PACKET->DISSECTOR.user,
    274. 

  274.                                     PACKET->DISSECTOR.pass,
    275. 

  275.                                     PACKET->DISSECTOR.info);
    276. 

  276.       return NULL;
    277. 

  277.    }
    278. 

  278.    
    279. 

  279. /* 
    280. 

  280.  * AUTH LOGIN
    281. 

  281.  *
    282. 

  282.  * digest(user)
    283. 

  283.  * digest(pass)
    284. 

  284.  *
    285. 

  285.  * the digests are in base64
    286. 

  286.  */
    287. 

  287.    if ( !strncasecmp(ptr, "AUTH LOGIN", 10) ) {
    288. 

  288.       
    289. 

  289.       DEBUG_MSG("\tDissector_POP AUTH LOGIN");
    290. 

  290. 

  291.       /* destroy any previous session */
    292. 

  292.       dissect_wipe_session(PACKET, DISSECT_CODE(dissector_pop));
    293. 

  293.       
    294. 

  294.       /* create the new session */
    295. 

  295.       dissect_create_session(&s, PACKET, DISSECT_CODE(dissector_pop));
    296. 

  296.      
    297. 

  297.       /* remember the state (used later) */
    298. 

  298.       s->data = strdup("AUTH");
    299. 

  299.       
    300. 

  300.       /* save the session */
    301. 

  301.       session_put(s);
    302. 

  302. 

  303.       /* username is in the next packet */
    304. 

  304.       return NULL;
    305. 

  305.    }
    306. 

  306.    
    307. 

  307.    /* search the session (if it exist) */
    308. 

  308.    dissect_create_ident(&ident, PACKET, DISSECT_CODE(dissector_pop));
    309. 

  309.    if (session_get(&s, ident, DISSECT_IDENT_LEN) == -ENOTFOUND) {
    310. 

  310.       SAFE_FREE(ident);
    311. 

  311.       return NULL;
    312. 

  312.    }
    313. 

  313. 

  314.    SAFE_FREE(ident);
    315. 

  315.    
    316. 

  316.    /* the session is invalid */
    317. 

  317.    if (s->data == NULL) {
    318. 

  318.       dissect_wipe_session(PACKET, DISSECT_CODE(dissector_pop));
    319. 

  319.       return NULL;
    320. 

  320.    }
    321. 

  321. 

  322. /* collect the user */   
    323. 

  323.    if (!strcmp(s->data, "AUTH")) {
    324. 

  324.       char *user;
    325. 

  325.       int i;
    326. 

  326.      
    327. 

  327.       DEBUG_MSG("\tDissector_POP AUTH LOGIN USER");
    328. 

  328.      
    329. 

  329.       SAFE_CALLOC(user, strlen(ptr), sizeof(char));
    330. 

  330.      
    331. 

  331.       /* username is encoded in base64 */
    332. 

  332.       i = base64_decode(user, ptr);
    333. 

  333.      
    334. 

  334.       SAFE_FREE(s->data);
    335. 

  335. 

  336.       /* store the username in the session */
    337. 

  337.       SAFE_CALLOC(s->data, strlen("AUTH USER ") + i + 1, sizeof(char) );
    338. 

  338.       
    339. 

  339.       snprintf(s->data, strlen("AUTH USER ") + i + 1, "AUTH USER %s", user);
    340. 

  340.       
    341. 

  341.       SAFE_FREE(user);
    342. 

  342. 

  343.       /* pass is in the next packet */
    344. 

  344.       return NULL;
    345. 

  345.    }
    346. 

  346.    
    347. 

  347. /* collect the pass */     
    348. 

  348.    if (!strncmp(s->data, "AUTH USER", 9)) {
    349. 

  349.       char *pass;
    350. 

  350.       int i;
    351. 

  351.      
    352. 

  352.       DEBUG_MSG("\tDissector_POP AUTH LOGIN PASS");
    353. 

  353.       
    354. 

  354.       SAFE_CALLOC(pass, strlen(ptr), sizeof(char));
    355. 

  355.       
    356. 

  356.       /* password is encoded in base64 */
    357. 

  357.       i = base64_decode(pass, ptr);
    358. 

  358.      
    359. 

  359.       /* fill the structure */
    360. 

  360.       PACKET->DISSECTOR.user = strdup(s->data + strlen("AUTH USER "));
    361. 

  361.       PACKET->DISSECTOR.pass = strdup(pass);
    362. 

  362.       
    363. 

  363.       SAFE_FREE(pass);
    364. 

  364.       /* destroy the session */
    365. 

  365.       dissect_wipe_session(PACKET, DISSECT_CODE(dissector_pop));
    366. 

  366.       
    367. 

  367.       /* print the message */
    368. 

  368.       DISSECT_MSG("POP : %s:%d -> USER: %s  PASS: %s\n", ip_addr_ntoa(&PACKET->L3.dst, tmp),
    369. 

  369.                                     ntohs(PACKET->L4.dst), 
    370. 

  370.                                     PACKET->DISSECTOR.user,
    371. 

  371.                                     PACKET->DISSECTOR.pass);
    372. 

  372.       return NULL;
    373. 

  373.    }
    374. 

  374.    
    375. 

  375. /* 
    376. 

  376.  * AUTH PLAIN
    377. 

  377.  *
    378. 

  378.  * digest(<NULL>user<NULL>pass)
    379. 

  379.  *
    380. 

  380.  * the digests are in base64
    381. 

  381.  */
    382. 

  382.    if ( !strncasecmp(ptr, "AUTH PLAIN", 10) ) {
    383. 

  383.       
    384. 

  384.       DEBUG_MSG("\tDissector_POP AUTH PLAIN");
    385. 

  385. 

  386.       /* destroy any previous session */
    387. 

  387.       dissect_wipe_session(PACKET, DISSECT_CODE(dissector_pop));
    388. 

  388.       
    389. 

  389.       /* create the new session */
    390. 

  390.       dissect_create_session(&s, PACKET, DISSECT_CODE(dissector_pop));
    391. 

  391.      
    392. 

  392.       /* remember the state (used later) */
    393. 

  393.       s->data = strdup("AUTH PLAIN");
    394. 

  394.       
    395. 

  395.       /* save the session */
    396. 

  396.       session_put(s);
    397. 

  397. 

  398.       /* username is in the next packet */
    399. 

  399.       return NULL;
    400. 

  400.    }
    401. 

  401.    
    402. 

  402. /* collect the user and pass (the session was retrived above) */   
    403. 

  403.    if (!strcmp(s->data, "AUTH PLAIN")) {
    404. 

  404.       char *decode;
    405. 

  405.       int i;
    406. 

  406.      
    407. 

  407.       DEBUG_MSG("\tDissector_POP AUTH PLAIN USER and PASS");
    408. 

  408.      
    409. 

  409.       SAFE_CALLOC(decode, strlen(ptr) + 1, sizeof(char));
    410. 

  410.      
    411. 

  411.       /* username is encoded in base64 */
    412. 

  412.       i = base64_decode(decode, ptr);
    413. 

  413.       decode[i] = 0;
    414. 

  414.      
    415. 

  415.       SAFE_FREE(s->data);
    416. 

  416. 

  417.       /* store the username (skip the null)*/
    418. 

  418.       PACKET->DISSECTOR.user = strdup(decode + 1);
    419. 

  419.       /* store the password (skip the null)*/
    420. 

  420.       PACKET->DISSECTOR.pass = strdup(decode + 2 + strlen(decode + 1) );
    421. 

  421.       
    422. 

  422.       SAFE_FREE(decode);
    423. 

  423.       
    424. 

  424.       dissect_wipe_session(PACKET, DISSECT_CODE(dissector_pop));
    425. 

  425.       
    426. 

  426.       /* print the message */
    427. 

  427.       DISSECT_MSG("POP : %s:%d -> USER: %s  PASS: %s\n", ip_addr_ntoa(&PACKET->L3.dst, tmp),
    428. 

  428.                                     ntohs(PACKET->L4.dst), 
    429. 

  429.                                     PACKET->DISSECTOR.user,
    430. 

  430.                                     PACKET->DISSECTOR.pass);
    431. 

  431. 

  432.       return NULL;
    433. 

  433.    }
    434. 

  434.    
    435. 

  435.    
    436. 

  436.    return NULL;
    437. 

  437. }
    438. 

  438. 

  439. 

  440. /* EOF */
    441. 

  441. 

  442. // vim:ts=3:expandtab
    443. 

  443. 

  444.