Adding upstream version 7.94+git20230807.3be01efb1+dfsg.upstream/7.94+git20230807.3be01efb1+dfsgupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 314 insertions, 0 deletions

diff --git a/nselib/proxy.lua b/nselib/proxy.lua
new file mode 100644
index 0000000..87a15ee
--- /dev/null
+++ b/nselib/proxy.lua
@@ -0,0 +1,314 @@
+---
+-- Functions for proxy testing.
+--
+-- @args proxy.url Url that will be requested to the proxy
+-- @args proxy.pattern Pattern that will be searched inside the request results
+--
+-- @author Joao Correa <joao@livewire.com.br>
+-- @copyright Same as Nmap--See https://nmap.org/book/man-legal.html
+
+local dns = require "dns"
+local ipOps = require "ipOps"
+local nmap = require "nmap"
+local stdnse = require "stdnse"
+local string = require "string"
+local stringaux = require "stringaux"
+_ENV = stdnse.module("proxy", stdnse.seeall)
+
+-- Start of local functions
+
+--- check function, checks for all valid returned status
+--- If any of the HTTP status below is found, the proxy is potentially open
+--- The script tries to split header from body before checking for status
+--@param result connection result
+--@return true if any of the status is found, otherwise false
+local function check_code(result)
+  if result then
+    local header
+    if result:match( "\r?\n\r?\n" ) then
+      result = result:match( "^(.-)\r?\n\r?\n(.*)$" )
+    end
+    if result:lower():match("^http/%d%.%d%s*200") then return true end
+    if result:lower():match("^http/%d%.%d%s*30[12]") then return true end
+  end
+  return false
+end
+
+--- check pattern, searches a pattern inside a response with multiple lines
+--@param result Connection result
+--@param pattern The pattern to be searched
+--@return true if pattern is found, otherwise false
+local function check_pattern(result, pattern)
+  local lines = stringaux.strsplit("\n", result)
+  for i, line in ipairs(lines) do
+    if line:lower():match(pattern:lower()) then return true end
+  end
+  return false
+end
+
+--- check, decides what kind of check should be done on the response,
+--- depending if a specific pattern is being used
+--@param result Connection result
+--@param pattern The pattern that should be checked (must be false, in case of
+--code check)
+--@return true, if the performed check returns true, otherwise false
+local function check(result, pattern)
+  local s_pattern = false
+  local s_code = check_code(result)
+  if s_code and pattern then
+    s_pattern = check_pattern(result, pattern)
+  end
+  return s_code, s_pattern
+end
+
+--- Performs a request to the web server and calls check to check if
+--  the response is a valid result
+--
+--@param socket The socket to send the request through
+--@param req  The request to be sent
+--@param pattern The pattern to check for valid result
+--@return check_status True or false. If pattern was used, depends on pattern check result. If not, depends on code check result.
+--@return result The result of the request
+--@return code_status True or false. If pattern was used, returns the result of code checking for the same result. If pattern was not used, is nil.
+local function test(socket, req, pattern)
+  local status, result = socket:send(req)
+  if not status then
+    socket:close()
+    return false, result
+  end
+  status, result = socket:receive()
+  if not status then
+    socket:close()
+    return false, result
+  end
+  socket:close()
+  local s_code, s_pattern = check(result, pattern)
+  if result and pattern then return s_pattern, result, s_code end
+  if result then return s_code, result, nil end
+  return false, nil, nil
+end
+
+--- Builds the GET request and calls test
+-- @param host The host table
+-- @param port The port table
+-- @param proxyType The proxy type to be tested, might be 'socks4', 'socks5' or 'http'
+-- @param test_url The url to send the request
+-- @param hostname The hostname of the server to send the request
+-- @param pattern The pattern to check for valid result
+-- @return the result of the function test (status and the request result)
+function test_get(host, port, proxyType, test_url, hostname, pattern)
+  local status, socket = connectProxy(host, port, proxyType, hostname)
+  if not status then
+    return false, socket
+  end
+  local req = "GET " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
+  stdnse.debug1("GET Request: %s", req)
+  return test(socket, req, pattern)
+end
+
+--- Builds the HEAD request and calls test
+-- @param host The host table
+-- @param port The port table
+-- @param proxyType The proxy type to be tested, might be 'socks4', 'socks5' or 'http'
+-- @param test_url The url te send the request
+-- @param hostname The hostname of the server to send the request
+-- @param pattern The pattern to check for valid result
+-- @return the result of the function test (status and the request result)
+function test_head(host, port, proxyType, test_url, hostname, pattern)
+  local status, socket = connectProxy(host, port, proxyType, hostname)
+  if not status then
+    return false, socket
+  end
+  local req = "HEAD " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
+  stdnse.debug1("HEAD Request: %s", req)
+  return test(socket, req, pattern)
+end
+
+--- Builds the CONNECT request and calls test
+-- @param host The host table
+-- @param port The port table
+-- @param proxyType The proxy type to be tested, might be 'socks4', 'socks5' or 'http'
+-- @param hostname The hostname of the server to send the request
+-- @return the result of the function test (status and the request result)
+function test_connect(host, port, proxyType, hostname)
+  local status, socket = connectProxy(host, port, proxyType, hostname)
+  if not status then
+    return false, socket
+  end
+  local req = "CONNECT " .. hostname .. ":80 HTTP/1.0\r\n\r\n"
+  stdnse.debug1("CONNECT Request: %s", req)
+  return test(socket, req, false)
+end
+
+--- Checks if any parameter was used in old or new syntax
+--  and return the parameters
+--  @return url the proxy.url parameter
+--  @return pattern the proxy.pattern parameter
+function return_args()
+  local url = false
+  local pattern = false
+  if nmap.registry.args['proxy.url']
+    then url = nmap.registry.args['proxy.url']
+  elseif nmap.registry.args.proxy and nmap.registry.args.proxy.url
+    then url = nmap.registry.args.proxy.url
+  end
+  if nmap.registry.args['proxy.pattern']
+    then pattern = nmap.registry.args['proxy.pattern']
+  elseif nmap.registry.args.proxy and nmap.registry.args.proxy.url
+    then pattern = nmap.registry.args.proxy.pattern
+  end
+  return url, pattern
+end
+
+--- Creates a socket, performs proxy handshake if necessary
+--- and returns it
+--  @param host The host table
+--  @param port The port table
+--  @param proxyType A string with the proxy type. Might be "http","socks4" or "socks5"
+--  @param hostname The proxy destination hostname
+--  @return status True if handshake succeeded, false otherwise
+--  @return socket A socket with the handshake already done, or an error if
+function connectProxy(host, port, proxyType, hostname)
+  local socket = nmap.new_socket()
+  socket:set_timeout(10000)
+  local status, err = socket:connect(host, port)
+  if not status then
+    socket:close()
+    return false, err
+  end
+  if proxyType == "http" then return true, socket end
+  if proxyType == "socks4" then return socksHandshake(socket, 4, hostname) end
+  if proxyType == "socks5" then return socksHandshake(socket, 5, hostname) end
+  socket:close()
+  return false, "Invalid proxyType"
+end
+
+--- Performs a socks handshake on a socket and returns it
+--  @param socket The socket where the handshake will be performed
+--  @param version The socks version (might be 4 or 5)
+--  @param hostname The proxy destination hostname
+--  @return status True if handshake succeeded, false otherwise
+--  @return socket A socket with the handshake already done, or an error if
+--                 status is false
+function socksHandshake(socket, version, hostname)
+  local status, ip = dns.query(hostname)
+  if not status then
+    return false, "Unable to resolve hostname"
+  end
+  if version == 4 then
+    local payload = '\x04\x01\x00\x50' .. ipOps.ip_to_str(ip) .. '\x6e\x6d\x61\x70\x00'
+    local status, response = socket:send(payload)
+    if not status then
+      socket:close()
+      return false, response
+    end
+    status, response = socket:receive()
+    if not status then
+      socket:close()
+      return false, response
+    end
+    if #response < 2 then
+      socket:close()
+      return false, "Invalid or unknown SOCKS response"
+    end
+    local request_status = string.byte(response, 2)
+    local err = string.format("Unknown response (0x%02x)", request_status)
+    if(request_status == 0x5a) then
+      stdnse.debug1('Socks4: Received "Request Granted" from proxy server')
+      return true, socket
+    end
+    if(request_status == 0x5b) then
+      err = "Request rejected or failed"
+    elseif (request_status == 0x5c) then
+      err = "request failed because client is not running identd"
+    elseif (request_status == 0x5d) then
+      err = "request failed because client program and identd report different user-ids"
+    end
+    stdnse.debug1('Socks4: Received "%s" from proxy server', err)
+    return false, err
+  end
+  if version == 5 then
+    local payload = '\x05\x01\x00'
+    local status, err = socket:send(payload)
+    if not status then
+      socket:close()
+      return false, err
+    end
+    local auth
+    status, auth = socket:receive()
+    local r2 = string.byte(auth,2)
+
+    -- If Auth is required, proxy is closed, skip next test
+    if(r2 ~= 0x00) then
+      err = "Authentication Required"
+    else
+      -- If no Auth is required, try to establish connection
+      stdnse.debug1("Socks5: No authentication required")
+      -- Socks5 second payload: Version, Command, Null, Address type, Ip-Address, Port number
+      payload = '\x05\x01\x00\x01' .. ipOps.ip_to_str(ip) .. '\x00\x50'
+      status, err = socket:send(payload)
+      if not status then
+        socket:close()
+        return false, err
+      end
+      local z
+      status, z = socket:receive()
+      if not status then
+        socket:close()
+        return false, z
+      end
+      local request_status = string.byte(z, 2)
+      err = string.format("Unknown response (0x%02x)", request_status)
+      if (request_status == 0x00) then
+        stdnse.debug1('Socks5: Received "Request Granted" from proxy server')
+        return true, socket
+      elseif(request_status == 0x01) then
+        err = "General Failure"
+      elseif (request_status == 0x02) then
+        err = "Connection not allowed by ruleset"
+      elseif (request_status == 0x03) then
+        err = "Network unreachable"
+      elseif (request_status == 0x04) then
+        err = "Host unreachable"
+      elseif (request_status == 0x05) then
+        err = "Connection refused by destination host"
+      elseif (request_status == 0x06) then
+        err = "TTL Expired"
+      elseif (request_status == 0x07) then
+        err = "command not supported / protocol error"
+      elseif (request_status == 0x08) then
+        err = "Address type not supported"
+      end
+    end
+    stdnse.debug1('Socks5: Received "%s" from proxy server', err)
+    return false, err
+  end
+  return false, "Invalid SOCKS version"
+end
+
+--- Checks if two different responses are equal,
+--  if true, the proxy server might be redirecting the requests
+--  to a default page
+--
+--  Functions splits body from head before comparing, to avoid session
+--  variables, cookies...
+--
+--  @param resp1 A string with the response for the first request
+--  @param resp2 A string with the response for the second request
+--  @return bool true if both responses are equal, otherwise false
+function redirectCheck(resp1, resp2)
+  local body1, body2, _
+  if resp1:match( "\r?\n\r?\n" ) then
+    local body1
+    _, body1 = resp1:match( "^(.-)\r?\n\r?\n(.*)$" )
+    if resp2:match( "\r?\n\r?\n" ) then
+      _, body2 = resp2:match( "^(.-)\r?\n\r?\n(.*)$" )
+      if body1 == body2 then
+        return true
+      end
+    end
+  end
+  return false
+end
+
+return _ENV;