Updates to JSON code #198

Merged
merged 6 commits into from Mar 3, 2017

@veggiespam
Contributor

veggiespam commented Mar 2, 2017

  • One bug (doh! JSON comma in wrong spot)
  • Mixed up the JSON "success message" response per comments from a few people (we're still beta, so it's okay to break things right now).
  • Added a section to the README about -b and JSON
  • Apple now calls it MacOS instead of OSX. Just being persnickety here.

@vanhauser-thc vanhauser-thc merged commit 2e1b0c2 into vanhauser-thc:master Mar 3, 2017


Owner

vanhauser-thc commented Mar 3, 2017

thanks, np


Contributor

veggiespam commented Mar 3, 2017

Also, my git-foo is weak and there was an accidental commit to this that I wasn't finished with. It looks acceptable after I completed debugging it last night, so my commit is fine. Please review.

Commit 795e9c7 fixed a buffer overrun in the debug functions. I was having network issues, turned on debugging, and got an occasional core dump. Here is the behavior in the hydra_report_debug function that shows memory corruption. I suspect a really good hacker could turn this into an RCE attack, by crafting a website that returns login response pages in a certain manner to the person using Hydra with the -d flag, but the Hydra user is only testing approved websites, right? :-)

HTTP request sent:[0A]POST /c/portal_public/login HTTP/1.0[0D][0A]Host: 127.0.0.1[0D][0A]User-Agent: Mozilla/5.0 (Hydra)[0D][0A]Content-Length: 126[0D][0A]Content-Type: application/x-www-form-urlencoded[0D][0A]Cookie: JSESSIONID=9B6B0B52AA9E6C84E4AF7900AB01D415; SHARED_SESSION_ID=P7BESW28FTVV[0D][0A][0D][0A]my_account_cmd=auth&referer=%2Fc&my_account_r_m=false&password=bill&my_account_login=bill@example.org&[0A][95][98]h|7[C9][BB][10][94][EF][[FF][7F][B8][86]-t[FF][7F]o[A3][D3][03][01][FF][FF][FF][FF][FF][FF][FF][FF][F0][93][EF][[FF][7F][C1]Vo[88][FF][7F]BodVisib[F0][96][EF][[FF][7F]etTimeout( "dotMt( "dotMakeBodVisible",2000);[0A][09][0A][09]</script>[0D][0A][0D][0A][0D][0A][0A][95][98]h|7[C9][BB]@[FF][FF][FF][FF][FF][FF][FF][FF]P[97][EF][[FF][7F][B8][86]-t[FF][7F][F0][95][EF][[FF][7F][0D][99]m[88][FF][7F]o[A3][D3][03][01]h[97][EF][[FF][7F]'[08][02][FF][FF]P[97][EF][[FF][7F]?[C8]5[0C]e[FF][7F]`[97][EF][[FF][7F][90][94][EF][[FF][7F][E2] [0A]e[FF][7F]H.[0C]e[FF][7F][C8]5[0C]e[FF][7F][A2][AB][AA]2[03][95][98]h|7[C9][BB]H[93]-t[FF][7F]H[93]-t[FF][7F][B8][86]-t[FF][7F]$[DC][A4][D3][03][01][A0][95][EF][[FF][7F][8D][B3]l[88][FF][7F]H[93]-t[FF][7F][07][DC][A4][D3][03][01][95][98]h|7[C9][BB][A0][96][EF][[FF][7F][1C][92]l[88][FF][7F]P[97][EF][[FF][7F][18][02][84][A3][D3][03][01]o[A3][D3][03][01]@0[96][EF][[FF][7F] ... Tons more data...

I made some changes in hydra-mod.c and now it prints as:

HTTP request sent:[0A]POST /c/portal_public/login HTTP/1.0[0D][0A]Host: 127.0.0.1[0D][0A]User-Agent: Mozilla/5.0 (Hydra)[0D][0A]Content-Length: 126[0D][0A]Content-Type: application/x-www-form-urlencoded[0D][0A]Cookie: JSESSIONID=970911342D87ED153D415A6BA5F5AED2; SHARED_SESSION_ID=J3W12XKDXS36[0D][0A][0D][0A]my_account_cmd=auth&referer=%2Fc&my_account_r_m=false&password=bill&my_account_login=bill@example.org&[0A]

I also changed > to >= so that \0 displays as [00] too instead of directly as \0 to stdio. Read the return value of vsnprintf to see how many chars are printed - this should also allow %c with null chars to be included in the output from a hydra_report_debug print call.

Sorry about this. It was meant to be a separate commit as it fixed a bug in the software. Keep up the good work.
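The two points in the comment above (bound the escaped output by what vsnprintf actually formatted, and render 0x00 as [00] like every other non-printable byte) are shown here as an added C example. It is not thc-hydra's code and not the commit under review: the names debug_format, debug_escape and DEBUG_BUF_SIZE are the example's own, and the sample input in main is constructed. It also handles the case the comment does not spell out, where vsnprintf reports a length larger than the buffer it was given, by clamping to the buffer size before escaping.

```c
/* Added example (not thc-hydra code): a bounded debug formatter in the
 * spirit of the hydra_report_debug fix discussed in the PR comment.
 * All names here are the example's own assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_BUF_SIZE 512

/* Escape exactly `len` bytes of `src` into `dst` (capacity `dst_size`):
 * printable ASCII is copied as-is, every other byte, including 0x00, is
 * written as [XX]. Stops early rather than overrunning `dst`.
 * Returns the number of characters written, excluding the terminator. */
size_t debug_escape(const unsigned char *src, size_t len,
                    char *dst, size_t dst_size)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        if (c >= 0x20 && c < 0x7f) {            /* printable: one char */
            if (out + 1 >= dst_size) break;
            dst[out++] = (char)c;
        } else {                                 /* [XX]: four chars */
            if (out + 4 >= dst_size) break;
            out += (size_t)snprintf(dst + out, dst_size - out, "[%02X]", c);
        }
    }
    if (dst_size > 0) dst[out] = '\0';
    return out;
}

/* printf-style formatting whose escaped output is bounded by the byte
 * count vsnprintf returns, not by strlen(): an embedded NUL produced by
 * %c with 0 shows up as [00], and bytes past the formatted text are never
 * read. Returns the length of the escaped string placed in `dst`. */
size_t debug_format(char *dst, size_t dst_size, const char *fmt, ...)
{
    unsigned char raw[DEBUG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf((char *)raw, sizeof raw, fmt, ap);
    va_end(ap);
    if (n < 0) {                                 /* encoding error */
        if (dst_size > 0) dst[0] = '\0';
        return 0;
    }
    /* vsnprintf returns the length it wanted to write, which may exceed
     * the buffer; clamp to what actually fits before walking the bytes. */
    size_t len = (size_t)n;
    if (len >= sizeof raw) len = sizeof raw - 1;
    return debug_escape(raw, len, dst, dst_size);
}

int main(void)
{
    char out[DEBUG_BUF_SIZE * 4];
    /* constructed sample: a CRLF line ending and an embedded NUL via %c */
    debug_format(out, sizeof out, "Host: 127.0.0.1\r\nx=%cy", 0);
    puts(out);   /* prints: Host: 127.0.0.1[0D][0A]x=[00]y */
    return 0;
}
```

The escape loop keys on the byte count from vsnprintf rather than on a terminator, which is what makes the [00] case work: a strlen()-driven walk would stop at the first NUL, and a walk that ignores the count altogether is what produces the trailing garbage seen in the first dump above.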


Owner

vanhauser-thc commented Mar 4, 2017

so is the current state of the thc-hydra repository OK or does it need a fix?


Contributor

veggiespam commented Mar 4, 2017

It is fine. My change log was just inaccurate and missed this bug report.
