From 04d1dfbf9620463adaff0b596fc141e3ea5a04b3 Mon Sep 17 00:00:00 2001
From: michael
Date: Thu, 28 May 2015 14:59:47 +0000
Subject: [PATCH] - HOPM can now detect Dreamboxes with default root passwords. Patch by Gavin Hanover (EFnet)
git-svn-id: svn://svn.ircd-hybrid.org/svnroot/hopm/trunk@5998 82007160-df01-0410-b94d-b575c5fd34c7
---
 doc/reference.conf | 2 ++
 src/config-lexer.l | 6 ++++++
 src/libopm/src/libopm.c | 3 ++-
 src/libopm/src/opm_types.h | 1 +
 src/libopm/src/proxy.c | 31 +++++++++++++++++++++++++++++++
 src/libopm/src/proxy.h | 1 +
 src/scan.c | 3 ++-
 src/stats.c | 3 ++-
 8 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/doc/reference.conf b/doc/reference.conf
index 7e6b5cd..4319bb3 100644
--- a/doc/reference.conf
+++ b/doc/reference.conf
@@ -476,6 +476,8 @@ scanner {
 */
 protocol = WINGATE:23;
+ protocol = DREAMBOX:23;
+
 /*
 * The HTTP POST protocol, often dismissed when writing the access
 * controls for proxies, but sadly can still be used to abused.
diff --git a/src/config-lexer.l b/src/config-lexer.l
index 1d17e2d..c5ae27f 100644
--- a/src/config-lexer.l
+++ b/src/config-lexer.l
@@ -192,6 +192,12 @@ ROUTER {
 return PROTOCOLTYPE;
 }
+DREAMBOX {
+ yylval.number = OPM_TYPE_DREAMBOX;
+ return PROTOCOLTYPE;
+ }
+
+
 [0-9]+ {
 yylval.number=atoi(yytext);
diff --git a/src/libopm/src/libopm.c b/src/libopm/src/libopm.c
index e91594e..45984bc 100644
--- a/src/libopm/src/libopm.c
+++ b/src/libopm/src/libopm.c
@@ -89,7 +89,8 @@ static OPM_PROTOCOL_T OPM_PROTOCOLS[] =
 { OPM_TYPE_SOCKS5, libopm_proxy_socks5_write, NULL },
 { OPM_TYPE_ROUTER, libopm_proxy_router_write, NULL },
 { OPM_TYPE_WINGATE, libopm_proxy_wingate_write, NULL },
- { OPM_TYPE_HTTPPOST, libopm_proxy_httppost_write, NULL }
+ { OPM_TYPE_HTTPPOST, libopm_proxy_httppost_write, NULL },
+ { OPM_TYPE_DREAMBOX, libopm_proxy_dreambox_write, NULL }
 };
 /* opm_create
diff --git a/src/libopm/src/opm_types.h b/src/libopm/src/opm_types.h
index b83a40a..d01ccaa 100644
--- a/src/libopm/src/opm_types.h
+++ b/src/libopm/src/opm_types.h
@@ -24,6 +24,7 @@
 #define OPM_TYPE_WINGATE 4
 #define OPM_TYPE_ROUTER 5
 #define OPM_TYPE_HTTPPOST 6
+#define OPM_TYPE_DREAMBOX 7
 /* States */
 #define OPM_STATE_UNESTABLISHED 1
diff --git a/src/libopm/src/proxy.c b/src/libopm/src/proxy.c
index 92a770f..e69a622 100644
--- a/src/libopm/src/proxy.c
+++ b/src/libopm/src/proxy.c
@@ -239,3 +239,34 @@ libopm_proxy_httppost_write(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *
 return OPM_SUCCESS;
 }
+
+/*
+ * Dreambox scanning
+ *
+ * Some dreambox machines have 'dreambox' as the password, and would allow
+ * full root access to telnet or install bouncers.
+ */
+int
+libopm_proxy_dreambox_write(OPM_T *scanner, OPM_SCAN_T *scan, OPM_CONNECTION_T *conn)
+{
+ size_t len;
+ int scan_port;
+ char *scan_ip;
+
+ scan_ip = (char *)libopm_config(scanner->config, OPM_CONFIG_SCAN_IP);
+ scan_port = *(int *)libopm_config(scanner->config, OPM_CONFIG_SCAN_PORT);
+
+ len = snprintf(SENDBUF, SENDBUFLEN, "root\r\n");
+ send(conn->fd, SENDBUF, len, 0);
+
+ len = snprintf(SENDBUF, SENDBUFLEN, "dreambox\r\n");
+ send(conn->fd, SENDBUF, len, 0);
+
+ len = snprintf(SENDBUF, SENDBUFLEN, "telnet %s %d\r\n", scan_ip, scan_port);
+ send(conn->fd, SENDBUF, len, 0);
+
+ len = snprintf(SENDBUF, SENDBUFLEN, "nc %s %d\r\n", scan_ip, scan_port);
+ send(conn->fd, SENDBUF, len, 0);
+
+ return OPM_SUCCESS;
+}
diff --git a/src/libopm/src/proxy.h b/src/libopm/src/proxy.h
index dae8bc3..4fbc1e8 100644
--- a/src/libopm/src/proxy.h
+++ b/src/libopm/src/proxy.h
@@ -9,4 +9,5 @@ int libopm_proxy_socks5_write(OPM_T *, OPM_SCAN_T *, OPM_CONNECTION_T *);
 int libopm_proxy_wingate_write(OPM_T *, OPM_SCAN_T *, OPM_CONNECTION_T *);
 int libopm_proxy_router_write(OPM_T *, OPM_SCAN_T *, OPM_CONNECTION_T *);
 int libopm_proxy_httppost_write(OPM_T *, OPM_SCAN_T *, OPM_CONNECTION_T *);
+int libopm_proxy_dreambox_write(OPM_T *, OPM_SCAN_T *, OPM_CONNECTION_T *);
 #endif /* PROXY_H */
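Review bot: In `libopm_proxy_dreambox_write` (src/libopm/src/proxy.c) the return value of `snprintf` is stored in a `size_t` and passed straight to `send()`, so for the two commands that interpolate `scan_ip` a truncated or failed format would make `send()` transmit more bytes than SENDBUF holds and write adjacent memory to the scanned host (SENDBUFLEN is defined outside this hunk, so how much room there is cannot be seen here). Keep the result in an `int` and send only when it fits, e.g. `int n = snprintf(SENDBUF, SENDBUFLEN, "nc %s %d\r\n", scan_ip, scan_port);` followed by `if (n > 0 && (size_t)n < SENDBUFLEN) send(conn->fd, SENDBUF, (size_t)n, 0);`. The four `send()` results are also ignored, so a short or failed write leaves the probe incomplete without any trace, and the `scan` parameter is unused. The header comment would be more useful if it said that the function writes the login name, the password and both connect-back commands back to back without reading any prompt, and that it logs in and runs a command on the scanned host; the `protocol = DREAMBOX:23;` line added to doc/reference.conf carries no comment saying so either.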
diff --git a/src/scan.c b/src/scan.c
index 5faf222..1e9df65 100644
--- a/src/scan.c
+++ b/src/scan.c
@@ -150,7 +150,8 @@ scan_gettype(int protocol)
 { OPM_TYPE_SOCKS4, "SOCKS4" },
 { OPM_TYPE_SOCKS5, "SOCKS5" },
 { OPM_TYPE_WINGATE, "WINGATE" },
- { OPM_TYPE_ROUTER, "ROUTER" }
+ { OPM_TYPE_ROUTER, "ROUTER" },
+ { OPM_TYPE_DREAMBOX, "DREAMBOX" }
 };
 for (unsigned int i = 0; i < (sizeof(protocols) / sizeof(struct protocol_assoc)); ++i)
diff --git a/src/stats.c b/src/stats.c
index 1f490b6..3bb096b 100644
--- a/src/stats.c
+++ b/src/stats.c
@@ -52,7 +52,8 @@ static struct StatsHash STATS_PROXIES[] =
 { OPM_TYPE_SOCKS4, 0, "SOCKS4" },
 { OPM_TYPE_SOCKS5, 0, "SOCKS5" },
 { OPM_TYPE_ROUTER, 0, "ROUTER" },
- { OPM_TYPE_WINGATE, 0, "WINGATE" }
+ { OPM_TYPE_WINGATE, 0, "WINGATE" },
+ { OPM_TYPE_DREAMBOX, 0, "DREAMBOX" }
 };
--
2.30.2