From 6cd1593061e702b37118d86234863a2ba3967592 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Sun, 15 Jul 2018 14:16:37 +0000
Subject: [PATCH] Add support for HTTP POST and Basic Auth to psnuffle

---
 data/exploits/psnuffle/url.rb | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/data/exploits/psnuffle/url.rb b/data/exploits/psnuffle/url.rb
index d90f254caa..d387b69c50 100755
--- a/data/exploits/psnuffle/url.rb
+++ b/data/exploits/psnuffle/url.rb
@@ -1,22 +1,24 @@
-# Psnuffle password sniffer add-on class for HTTP GET URL's
+# Psnuffle password sniffer add-on class for HTTP URLs
 # part of psnuffle sniffer auxiliary module
-#
-# Very simple example how to write sniffer extensions
-#
 
-# Sniffer class for GET URL's
+#
+# Sniffer class for GET/POST URLs.
+# Also extracts HTTP Basic authentication credentials.
+#
 class SnifferURL < BaseProtocolParser
   def register_sigs
     self.sigs = {
-      :get		=> /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
-      :webhost	=> /^HOST\:\s+([^\n\r]+)/i,
+      :get        => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
+      :post       => /^POST\s+([^\n]+)\s+HTTP\/\d\.\d/i,
+      :webhost	  => /^HOST:\s+([^\n\r]+)/i,
+      :basic_auth => /^Authorization:\s+Basic\s+([^\n\r]+)/i,
     }
   end
 
   def parse(pkt)
-    # We want to return immediantly if	we do not have a packet which is handled by us
+    # We want to return immediatly if	we do not have a packet which is handled by us
     return unless pkt.is_tcp?
-    return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
+    return if (pkt.tcp_sport != 80 && pkt.tcp_dport != 80)
     s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
 
     self.sigs.each_key do |k|
@@ -34,10 +36,16 @@ class SnifferURL < BaseProtocolParser
       case matched
       when :webhost
         sessions[s[:session]].merge!({k => matches})
-        if(s[:get])
+        if s[:get]
           print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
-          sessions.delete(s[:session])
-          return
+        end
+        if s[:post]
+          print_status("HTTP POST: #{s[:session]} http://#{s[:webhost]}#{s[:post]}")
+        end
+        if s[:basic_auth]
+          s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
+          report_auth_info s
+          print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"
         end
       when nil
         # No matches, no saved state
@@ -45,4 +53,3 @@ class SnifferURL < BaseProtocolParser
     end # end of each_key
   end # end of parse
 end # end of URL sniffer
-