[1] | 1 | #include "config_xor.h"
|
---|
| 2 |
|
---|
| 3 | #ifdef HAVE_BROKEN_INCLUDES
|
---|
| 4 | #define _ANSI_C_SOURCE
|
---|
| 5 | #define _POSIX_SOURCE
|
---|
| 6 | #endif
|
---|
| 7 |
|
---|
| 8 | #include <stdio.h>
|
---|
| 9 | #include <stdlib.h>
|
---|
| 10 | #include <string.h>
|
---|
| 11 | #include <ctype.h>
|
---|
| 12 |
|
---|
| 13 | #include <unistd.h>
|
---|
| 14 | #include <sys/types.h>
|
---|
| 15 | #include <sys/stat.h>
|
---|
| 16 | #include <fcntl.h>
|
---|
| 17 | #include <time.h>
|
---|
| 18 |
|
---|
| 19 |
|
---|
| 20 | #ifdef SH_STEALTH
|
---|
| 21 | char * globber(const char * string);
|
---|
| 22 | #define _(string) globber(string)
|
---|
| 23 | #define N_(string) string
|
---|
| 24 | #else
|
---|
| 25 | #define _(string) string
|
---|
| 26 | #define N_(string) string
|
---|
| 27 | #endif
|
---|
| 28 |
|
---|
| 29 | #ifdef SH_STEALTH
|
---|
| 30 | #ifndef SH_MAX_GLOBS
|
---|
| 31 | #define SH_MAX_GLOBS 32
|
---|
| 32 | #endif
|
---|
| 33 | char * globber(const char * str)
|
---|
| 34 | {
|
---|
| 35 | register int i, j;
|
---|
| 36 | static int count = -1;
|
---|
| 37 | static char glob[SH_MAX_GLOBS][128];
|
---|
| 38 |
|
---|
| 39 | ++count; if (count > (SH_MAX_GLOBS-1) ) count = 0;
|
---|
| 40 | j = strlen(str);
|
---|
| 41 | if (j > 127) j = 127;
|
---|
| 42 |
|
---|
| 43 | for (i = 0; i < j; ++i)
|
---|
| 44 | {
|
---|
| 45 | if (str[i] != '\n' && str[i] != '\t')
|
---|
| 46 | glob[count][i] = str[i] ^ XOR_CODE;
|
---|
| 47 | else
|
---|
| 48 | glob[count][i] = str[i];
|
---|
| 49 | }
|
---|
| 50 | glob[count][j] = '\0';
|
---|
| 51 | return glob[count];
|
---|
| 52 | }
|
---|
| 53 | #endif
|
---|
| 54 |
|
---|
| 55 | /* This is a very inefficient algorithm, but there is really no
|
---|
| 56 | * need for anything more elaborated here. Can handle NULL's in haystack
|
---|
| 57 | * (not in needle), which strstr() apparently cannot.
|
---|
| 58 | */
|
---|
| 59 | char * my_strstr (char * haystack, char * needle, int haystack_size)
|
---|
| 60 | {
|
---|
| 61 | register int i = 0, j = 0;
|
---|
| 62 | register int siz;
|
---|
| 63 | register char * ptr = haystack;
|
---|
| 64 | register int len;
|
---|
| 65 |
|
---|
| 66 | siz = strlen(needle);
|
---|
| 67 | len = haystack_size - siz;
|
---|
| 68 |
|
---|
| 69 | while (j < len)
|
---|
| 70 | {
|
---|
| 71 | i = 0;
|
---|
| 72 | while (i < siz)
|
---|
| 73 | {
|
---|
| 74 | if (needle[i] != ptr[i]) break;
|
---|
| 75 | if (i == (siz-1))
|
---|
| 76 | return ptr;
|
---|
| 77 | ++i;
|
---|
| 78 | }
|
---|
| 79 | ++ptr; ++j;
|
---|
| 80 | }
|
---|
| 81 | return NULL;
|
---|
| 82 | }
|
---|
| 83 |
|
---|
| 84 | /* fread() does not return the number of chars read, thus we need to
|
---|
| 85 | * read only a small number of bytes, in order not to expand the binary
|
---|
| 86 | * too much with the last fwrite(). Too lazy to fix this now.
|
---|
| 87 | */
|
---|
| 88 | #define GRAB_SIZE 1024
|
---|
| 89 |
|
---|
| 90 | int readhexchar ( char c )
|
---|
| 91 | {
|
---|
| 92 | if ( c >= '0' && c <= '9' )
|
---|
| 93 | return c - '0';
|
---|
| 94 | else if ( c >= 'a' && c <= 'f' )
|
---|
| 95 | return c - 'a' + 10;
|
---|
| 96 | else if ( c >= 'A' && c <= 'F' )
|
---|
| 97 | return c - 'A' + 10;
|
---|
| 98 | else return -1;
|
---|
| 99 | }
|
---|
| 100 |
|
---|
| 101 | int main (int argc, char * argv[])
|
---|
| 102 | {
|
---|
| 103 | /* the default password
|
---|
| 104 | */
|
---|
| 105 | unsigned char TcpFlag[9] = { 0xF7,0xC3,0x12,0xAA,0xAA,0x12,0xC3,0xF7 };
|
---|
| 106 | unsigned char BadFlag[9] = { 0xFF,0xC3,0x12,0xAA,0xAA,0x12,0xC3,0xFF };
|
---|
| 107 |
|
---|
| 108 | char * found_it;
|
---|
| 109 | int i;
|
---|
| 110 | int suc = 0;
|
---|
| 111 | int badcnt = 0;
|
---|
| 112 |
|
---|
| 113 | char * newn;
|
---|
| 114 | int oldf;
|
---|
| 115 | int newf;
|
---|
| 116 |
|
---|
| 117 | unsigned long bytecount;
|
---|
| 118 |
|
---|
| 119 | char in[9];
|
---|
| 120 | int j, k;
|
---|
| 121 | char ccd;
|
---|
| 122 | char * str;
|
---|
| 123 |
|
---|
| 124 | char * buf = (char *) malloc(GRAB_SIZE);
|
---|
| 125 | size_t dat;
|
---|
| 126 | char * newpwd = (char *) malloc(5 * 8 + 2);
|
---|
| 127 | char * oldpwd = (char *) malloc(5 * 8 + 2);
|
---|
| 128 |
|
---|
| 129 | memset (newpwd, '\0', 5 * 8 + 2);
|
---|
| 130 | memset (oldpwd, '\0', 5 * 8 + 2);
|
---|
| 131 |
|
---|
| 132 |
|
---|
| 133 | if (argc < 4)
|
---|
| 134 | {
|
---|
| 135 | fprintf (stderr, _("\nUsage: samhain_setpwd <filename> <suffix> "\
|
---|
| 136 | "<new_password>\n\n"));
|
---|
| 137 | fprintf (stderr, _(" This program is a utility that will:\n"));
|
---|
| 138 | fprintf (stderr, _(" - search in the binary executable <filename> "\
|
---|
| 139 | "for samhain's\n"));
|
---|
| 140 | fprintf (stderr, _(" compiled-in default password,\n"));
|
---|
| 141 | fprintf (stderr, _(" - change it to <new_password>,\n"));
|
---|
| 142 | fprintf (stderr, _(" - and output the modified binary to "\
|
---|
| 143 | "<filename>.<suffix>\n\n"));
|
---|
| 144 | fprintf (stderr, _(" To allow for non-printable chars, "\
|
---|
| 145 | "<new_password> must be\n"));
|
---|
| 146 | fprintf (stderr, _(" a 16-digit hexadecimal "\
|
---|
| 147 | "number (only 0-9,A-F allowed in input),\n"));
|
---|
| 148 | fprintf (stderr, _(" thus corresponding"\
|
---|
| 149 | " to an 8-byte password.\n\n"));
|
---|
| 150 | fprintf (stderr, _(" Example: 'samhain_setpwd samhain new "\
|
---|
| 151 | "4142434445464748'\n"));
|
---|
| 152 | fprintf (stderr, _(" takes the file 'samhain', sets the password to "\
|
---|
| 153 | "'ABCDEFGH'\n"));
|
---|
| 154 | fprintf (stderr, _(" ('A' = 41 hex, 'B' = 42 hex, ...) "\
|
---|
| 155 | "and outputs the result\n"));
|
---|
| 156 | fprintf (stderr, _(" to 'samhain.new'.\n"));
|
---|
| 157 | return EXIT_FAILURE;
|
---|
| 158 | }
|
---|
| 159 |
|
---|
| 160 | if (strlen(argv[3]) != 16)
|
---|
| 161 | {
|
---|
| 162 | fprintf (stdout, _("ERROR <new_password> %s has not exactly 16 chars\n"),
|
---|
| 163 | argv[0]);
|
---|
| 164 | fflush(stdout);
|
---|
| 165 | return EXIT_FAILURE;
|
---|
| 166 | }
|
---|
| 167 |
|
---|
| 168 |
|
---|
| 169 | str = &argv[3][0];
|
---|
| 170 | i = 0;
|
---|
| 171 | while (i < 16)
|
---|
| 172 | {
|
---|
| 173 | k = i/2; j = 0;
|
---|
| 174 | if (2*k == i) in[k] = 0;
|
---|
| 175 | while (j < 16)
|
---|
| 176 | {
|
---|
| 177 | if (-1 != readhexchar(str[i]))
|
---|
| 178 | {
|
---|
| 179 | in[k] += readhexchar(str[i]) * (i == 2*k ? 16 : 1);
|
---|
| 180 | break;
|
---|
| 181 | }
|
---|
| 182 | ++j;
|
---|
| 183 | if (j == 16)
|
---|
| 184 | {
|
---|
| 185 | fprintf(stdout, _("ERROR Invalid char %c\n"), str[i]);
|
---|
| 186 | fflush(stdout);
|
---|
| 187 | return EXIT_FAILURE;
|
---|
| 188 | }
|
---|
| 189 | }
|
---|
| 190 | ++i;
|
---|
| 191 | }
|
---|
| 192 | in[8] = '\0';
|
---|
| 193 |
|
---|
| 194 | /* ---- initialize -----
|
---|
| 195 | */
|
---|
| 196 | (void) umask (0);
|
---|
| 197 |
|
---|
| 198 | srand(time(NULL) ^ getpid());
|
---|
| 199 |
|
---|
| 200 | bytecount = 0;
|
---|
| 201 |
|
---|
| 202 |
|
---|
| 203 | /* ---- open files -----
|
---|
| 204 | */
|
---|
| 205 |
|
---|
| 206 | oldf = open(argv[1], O_RDONLY);
|
---|
| 207 |
|
---|
| 208 | newn = (char *) malloc (strlen(argv[1])+strlen(argv[2])+2);
|
---|
| 209 | strcpy(newn, argv[1]);
|
---|
| 210 | strcat(newn, ".");
|
---|
| 211 | strcat(newn, argv[2]);
|
---|
| 212 | newf = open(newn, O_WRONLY|O_CREAT|O_TRUNC, S_IRWXU);
|
---|
| 213 |
|
---|
| 214 | if (oldf < 0)
|
---|
| 215 | {
|
---|
| 216 | fprintf(stdout, _("ERROR Cannot open input file %s.\n"), argv[1]);
|
---|
| 217 | fflush(stdout);
|
---|
| 218 | return EXIT_FAILURE;
|
---|
| 219 | }
|
---|
| 220 | if (newf < 0)
|
---|
| 221 | {
|
---|
| 222 | fprintf(stdout, _("ERROR Cannot open output file %s.\n"), newn);
|
---|
| 223 | fflush(stdout);
|
---|
| 224 | return EXIT_FAILURE;
|
---|
| 225 | }
|
---|
| 226 |
|
---|
| 227 | /* ---- scan file -----
|
---|
| 228 | */
|
---|
| 229 |
|
---|
| 230 |
|
---|
| 231 | while (1)
|
---|
| 232 | {
|
---|
| 233 | dat = read (oldf, buf, GRAB_SIZE);
|
---|
| 234 | if (dat == 0)
|
---|
| 235 | break;
|
---|
| 236 |
|
---|
| 237 | bytecount += dat;
|
---|
| 238 |
|
---|
| 239 | while ( (found_it = my_strstr(buf, (char *) TcpFlag, GRAB_SIZE)) != NULL)
|
---|
| 240 | {
|
---|
| 241 | suc = 1;
|
---|
| 242 | fprintf (stdout, _("INFO old password found\n"));
|
---|
| 243 | fflush(stdout);
|
---|
| 244 | for (i = 0; i < 8; ++i)
|
---|
| 245 | {
|
---|
| 246 | sprintf(&oldpwd[i*2], _("%02x"),
|
---|
| 247 | (unsigned char) *found_it);
|
---|
| 248 | sprintf(&newpwd[i*2], _("%02x"),
|
---|
| 249 | (unsigned char) in[i]);
|
---|
| 250 | *found_it = in[i];
|
---|
| 251 | ++found_it;
|
---|
| 252 | }
|
---|
| 253 | fprintf (stdout, _("INFO replaced: %s by: %s\n"),
|
---|
| 254 | oldpwd, newpwd);
|
---|
| 255 | fflush(stdout);
|
---|
| 256 | }
|
---|
| 257 |
|
---|
| 258 | while ( (found_it = my_strstr(buf, (char *) BadFlag, GRAB_SIZE)) != NULL)
|
---|
| 259 | {
|
---|
| 260 | badcnt++;
|
---|
| 261 | /* fprintf (stderr, _("INFO old filler found\n")); */
|
---|
| 262 | for (i = 0; i < 8; ++i)
|
---|
| 263 | {
|
---|
| 264 | sprintf(&oldpwd[i*2], _("%02x"),
|
---|
| 265 | (unsigned char) *found_it);
|
---|
| 266 |
|
---|
| 267 | ccd = (unsigned char) (256.0 * rand()/(RAND_MAX+1.0));
|
---|
| 268 | sprintf(&newpwd[i*2], _("%02x"),
|
---|
| 269 | (unsigned char) ccd);
|
---|
| 270 | *found_it = ccd;
|
---|
| 271 |
|
---|
| 272 | ++found_it;
|
---|
| 273 | }
|
---|
| 274 | /* fprintf (stderr, _("INFO replaced: %s by: %s\n"),
|
---|
| 275 | oldpwd, newpwd);
|
---|
| 276 | */
|
---|
| 277 | }
|
---|
| 278 |
|
---|
| 279 |
|
---|
| 280 | write (newf, buf, dat);
|
---|
| 281 | }
|
---|
| 282 |
|
---|
| 283 | if (suc == 1 && badcnt == 7)
|
---|
| 284 | {
|
---|
| 285 | fprintf (stdout, _("INFO finished\n"));
|
---|
| 286 | close (newf);
|
---|
| 287 | close (oldf);
|
---|
| 288 | fflush(stdout);
|
---|
| 289 | return (0);
|
---|
| 290 | }
|
---|
| 291 |
|
---|
| 292 | lseek (oldf, 0, SEEK_SET);
|
---|
| 293 | lseek (newf, 0, SEEK_SET);
|
---|
| 294 |
|
---|
| 295 | fprintf (stdout, _("INFO Not found in first pass.\n"));
|
---|
| 296 | fprintf (stdout, _("INFO Second pass ..\n"));
|
---|
| 297 |
|
---|
| 298 | /* offset the start point
|
---|
| 299 | */
|
---|
| 300 |
|
---|
| 301 | dat = read (oldf, buf, (GRAB_SIZE / 2));
|
---|
| 302 | write (newf, buf, dat);
|
---|
| 303 |
|
---|
| 304 | bytecount = 0;
|
---|
| 305 | suc = 0;
|
---|
| 306 | badcnt = 0;
|
---|
| 307 |
|
---|
| 308 | while (1)
|
---|
| 309 | {
|
---|
| 310 | dat = read (oldf, buf, GRAB_SIZE);
|
---|
| 311 | if (dat == 0)
|
---|
| 312 | break;
|
---|
| 313 |
|
---|
| 314 | bytecount += dat;
|
---|
| 315 |
|
---|
| 316 | while ( (found_it = my_strstr(buf, (char *) TcpFlag, GRAB_SIZE)) != NULL)
|
---|
| 317 | {
|
---|
| 318 | suc = 1;
|
---|
| 319 | fprintf (stdout, _("INFO old password found\n"));
|
---|
| 320 | for (i = 0; i < 8; ++i)
|
---|
| 321 | {
|
---|
| 322 | sprintf(&oldpwd[i*2], _("%02x"),
|
---|
| 323 | (unsigned char) *found_it);
|
---|
| 324 | sprintf(&newpwd[i*2], _("%02x"),
|
---|
| 325 | (unsigned char) in[i]);
|
---|
| 326 | *found_it = in[i];
|
---|
| 327 | ++found_it;
|
---|
| 328 | }
|
---|
| 329 | fprintf (stdout, _("INFO Replaced: %s by: %s\n"),
|
---|
| 330 | oldpwd, newpwd);
|
---|
| 331 | }
|
---|
| 332 |
|
---|
| 333 | while ( (found_it = my_strstr(buf, (char *) BadFlag, GRAB_SIZE)) != NULL)
|
---|
| 334 | {
|
---|
| 335 | badcnt++;
|
---|
| 336 | /* fprintf (stderr, _("INFO old filler found\n")); */
|
---|
| 337 | for (i = 0; i < 8; ++i)
|
---|
| 338 | {
|
---|
| 339 | sprintf(&oldpwd[i*2], _("%02x"),
|
---|
| 340 | (unsigned char) *found_it);
|
---|
| 341 |
|
---|
| 342 | ccd = (unsigned char) (256.0 * rand()/(RAND_MAX+1.0));
|
---|
| 343 | sprintf(&newpwd[i*2], _("%02x"),
|
---|
| 344 | (unsigned char) ccd);
|
---|
| 345 | *found_it = ccd;
|
---|
| 346 |
|
---|
| 347 | ++found_it;
|
---|
| 348 | }
|
---|
| 349 | /* fprintf (stderr, _("INFO Replaced: %s by: %s\n"),
|
---|
| 350 | oldpwd, newpwd);*/
|
---|
| 351 | }
|
---|
| 352 |
|
---|
| 353 | write (newf, buf, dat);
|
---|
| 354 | }
|
---|
| 355 |
|
---|
| 356 | close (newf);
|
---|
| 357 | close (oldf);
|
---|
| 358 |
|
---|
| 359 | if (suc == 1 && badcnt == 7)
|
---|
| 360 | {
|
---|
| 361 | fprintf (stdout, _("INFO finished\n"));
|
---|
| 362 | fflush(stdout);
|
---|
| 363 | return 0;
|
---|
| 364 | }
|
---|
| 365 |
|
---|
| 366 | if (suc == 0 || badcnt < 7)
|
---|
| 367 | {
|
---|
| 368 | fprintf (stdout, _("ERROR incomplete replacement\n"));
|
---|
| 369 | }
|
---|
| 370 | else
|
---|
| 371 | {
|
---|
| 372 | fprintf (stdout, _("ERROR bad replacement\n"));
|
---|
| 373 | }
|
---|
| 374 | fflush(stdout);
|
---|
| 375 | return EXIT_FAILURE;
|
---|
| 376 | }
|
---|