Overview of http_keepalive.inc

Automatic Includes

These files are automatically included by the library.

Private Variable Summary

Private variables are not intended to be accessed by the code that imports this library. There is no functional difference between private and public variables, only convention, and they may be accessed as normal.

Name Summary
__ka_enabled
__ka_last_request
__ka_port
__ka_socket

Public Function Summary

Public functions are intended to be called by the code that imports this library.

Name Summary
check_win_dir_trav_ka
enable_keepalive
exploit_commands
get_http_page
http_check_remote_code
http_get_cache
http_get_req
http_keepalive_check_connection
http_keepalive_enabled
http_keepalive_recv_body
http_keepalive_send_recv
http_post_req
http_vuln_check
is_cgi_installed_ka
on_exit
report_vuln_url
traversal_files

Private Variable Details

__ka_enabled

top

__ka_last_request

top

__ka_port

top

__ka_socket

top

Public Function Details

check_win_dir_trav_ka

Named Parameters

port
url

Code

function check_win_dir_trav_ka( port, url ) {

  local_var soc, req, cod, buf;

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#check_win_dir_trav_ka" );
  if( ! url ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#url#-#check_win_dir_trav_ka" );

  req = http_get( item:url, port:port );
  buf = http_keepalive_send_recv( port:port, data:req );

  if( "; for 16-bit app support" >< buf || "[boot loader]" >< buf ) {
    return( 1 );
  }
  return( 0 );
}

function is_cgi_installed_ka( item, port, embedded ) {

		
top

enable_keepalive

Named Parameters

port

Code

function enable_keepalive( port ) {

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#enable_keepalive" );

  __ka_enabled = 1;
  __ka_port    = port;
  __ka_socket  = http_open_socket( port );
}

#

		
top

exploit_commands

Named Parameters

Code

function exploit_commands() {

  res = host_runs( "windows" );

  if( res == "yes" ) {

    return make_array( "Windows.IP..onfiguration", "ipconfig" );

  } else if( res == "no" ) {

    return make_array( "uid=[0-9]+.*gid=[0-9]+", "id" );

  }

  # unknown
  return make_array( "uid=[0-9]+.*gid=[0-9]+", "id",
                     "Windows.IP..onfiguration", "ipconfig" );

}

function report_vuln_url( port, url, url_only ) {

		
top

get_http_page

Named Parameters

port
redirect
url

Code

function get_http_page( port, url, redirect ) {

  local_var r, u, v, i, l, seen_loc, n;

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#get_http_page" );
  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#url#-#get_http_page" );

  if( isnull( redirect ) ) {
    n = 32;
  } else if( redirect <= 0 ) {
    n = 1;
  } else {
    n = redirect + 1;
  }

  seen_loc = make_list();
  u = url;
  for( i = 0; i < n; i ++ ) { # Limited iterations to avoid traps
    seen_loc[u] = 1;
    r = http_keepalive_send_recv( port:port, data:http_get( port:port, item:u ) );
    if( isnull( r ) ) return NULL;

    if( r =~ "^HTTP/1\.[01] +30[0-9] .*" ) {
      v = eregmatch( pattern:'\r\nLocation: *([^ \t\r\n]+)[ \t]*[\r\n]+', string:r, icase:TRUE );
      if( isnull( v ) ) return NULL; # Big problem
      l = v[1];
      if( seen_loc[l] ) return NULL;
      seen_loc[l] = 1;
    } else if( r =~ "^HTTP/1\.[01] +200 " ) {
      r = strstr( r, '\r\n\r\n' );
      r = substr( r, 4 );
      return r;
    } else { # Code 4xx or 5xx
      return NULL;
    }
  }
  # Loop?
  return NULL;
}

function http_get_cache( port, item ) {

		
top

http_check_remote_code

Named Parameters

check_request
check_result
command
default_port
embedded
extra_check
extra_dirs
port
unique_dir

Code

function http_check_remote_code( default_port, extra_dirs, unique_dir, check_request, extra_check, check_result, command, port, embedded ) {

  local_var list, req, txt_result, txt_desc, extra, dir, buf;

  if( get_kb_item( "Settings/disable_cgi_scanning" ) ) exit( 0 );

  if( ! check_request ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#check_request#-#http_check_remote_code" );
  if( ! check_result ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#check_result#-#http_check_remote_code" );
  if( ! command ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#command#-#http_check_remote_code" );

  if( ! port ) {
    if( default_port ) {
      port = get_http_port( default:default_port );
    } else {
      port = get_http_port( default:80 );
   }
  }

  if( ! get_port_state( port ) ) exit( 0 );

  if( unique_dir ) {
    list = make_list( unique_dir );
  } else {
    if( ! isnull( extra_dirs ) ) {
      list = make_list( cgi_dirs( port:port ), extra_dirs );
    } else {
      list = make_list( cgi_dirs( port:port ) );
    }
  }

  foreach dir( list ) {

    req = string( dir, check_request );
    req = http_get( item:req, port:port );
    buf = http_keepalive_send_recv( port:port, data:req );
    if( buf == NULL ) exit( 0 ); #TBD: Really exit?

    txt_result = egrep( pattern:check_result, string:buf );
    if( extra_check ) {
      extra = 0;
      if( egrep( pattern:extra_check, string:buf ) ) {
        extra = 1;
      }
    } else {
      extra = 1;
    }

    if( txt_result && extra ) {
      txt_desc = 'It was possible to execute the command "' + command + '" on the remote host, which produces the following output:\n\n' + txt_result;
      security_message( port:port, data:txt_desc );
      exit( 0 );
    }
  }
}

function http_vuln_check( port, url, pattern, check_header, debug, extra_check, hostname, cookie, check_nomatch ) {

		
top

http_get_cache

Named Parameters

item
port

Code

function http_get_cache( port, item ) {

  local_var req, res;

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#http_get_cache" );
  if( ! item ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#item#-#http_get_cache" );

  res = get_kb_item( "Cache/" + port + "/URL_" + item );
  if( res ) return res;

  req = http_get( port:port, item:item );
  res = http_keepalive_send_recv( port:port, data:req, embedded:TRUE );
  if( ! res ) return NULL;

  replace_kb_item( name:"Cache/" + port + "/URL_" + item, value:res );

  return res;
}

function http_check_remote_code( default_port, extra_dirs, unique_dir, check_request, extra_check, check_result, command, port, embedded ) {

		
top

http_get_req

Named Parameters

add_headers
port
url

Code

function http_get_req( port, url, add_headers ) {

  local_var req, port, add_headers, header, url;

  if( typeof( add_headers ) != "array" ) {
    set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#add_headers_no-array#-#http_get_req" );
    return;
  }

  if( ! port ) {
    set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#http_get_req" );
    return;
  }

  if( ! url ) url = "/";

  host = http_host_name( port:port );

  req = 'GET ' + url + ' HTTP/1.1\r\n' +
        'Connection: Close\r\n' +
        'Host: ' + host + '\r\n' +
        'Pragma: no-cache\r\n' +
        'Cache-Control: no-cache\r\n' +
        'User-Agent: ' + OPENVAS_HTTP_USER_AGENT + '\r\n' +
        'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n' +
        'Accept-Language: en\r\n' +
        'Accept-Charset: iso-8859-1,*,utf-8\r\n';

  foreach header( keys( add_headers ) )
    req += header +': ' + add_headers[header] + '\r\n';

  req += '\r\n';

  return req;
}


		
top

http_keepalive_check_connection

Named Parameters

headers

Code

function http_keepalive_check_connection( headers ) {

  local_var tmp;

  if( ! headers ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#headers#-#http_keepalive_check_connection" );

  tmp = egrep( pattern:"^Connection: Close", string:headers, icase:TRUE );
  if( tmp ) {
    if( __ka_socket ) {
      http_close_socket( __ka_socket );
    }
    __ka_socket = http_open_socket( __ka_port );
  }
}

function enable_keepalive( port ) {

		
top

http_keepalive_enabled

Named Parameters

port

Code

function http_keepalive_enabled( port ) {

  local_var req, soc, r, kb;

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#http_keepalive_enabled" );

  kb = get_kb_item( strcat( "www/", port, "/keepalive" ) );

  if( kb == "yes" ) {
    enable_keepalive( port:port );
    return( 1 );
  } else if( kb == "no" ) {
    return( 0 );
  }

  host = http_host_name( port:port );

  req = strcat( 'GET / HTTP/1.1\r\n',
                'Connection: Keep-Alive\r\n',
                'Host: ', host, '\r\n',
                'Pragma: no-cache\r\n',
                'User-Agent: ' + OPENVAS_HTTP_USER_AGENT + '\r\n\r\n' );

  soc = http_open_socket( port );
  if( ! soc ) return -2;
  send( socket:soc, data:req );
  r = http_recv( socket:soc );

  # Apache
  if( egrep( pattern:"^Keep-Alive:.*", string:r, icase:TRUE ) ) {
    http_close_socket( soc );
    set_kb_item( name:strcat( 'www/', port, '/keepalive' ), value:"yes" );
    enable_keepalive( port:port );
    return( 1 );
  } else {
    # IIS
    send( socket:soc, data:req );
    r = http_recv( socket:soc );
    http_close_socket( soc );
    if( strlen( r ) ) {
      set_kb_item( name:strcat( "www/", port, "/keepalive" ), value:"yes" );
      enable_keepalive( port:port );
      return( 1 );
    }
  }

  set_kb_item( name:strcat( "www/", port, "/keepalive" ), value:"no" );
  return( 0 );
}

#

		
top

http_keepalive_recv_body

Named Parameters

bodyonly
headers

Code

function http_keepalive_recv_body( headers, bodyonly ) {

  local_var body, length, tmp, chunked, killme, gzip;

  if( ! headers ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#headers#-#http_keepalive_recv_body" );

  killme = 0;
  length = -1;

  if( ereg( pattern:"^HEAD.*HTTP/.*", string:__ka_last_request ) ) {
    # HEAD does not return a body
    http_keepalive_check_connection( headers:headers );
    if( bodyonly ) {
      return( "" );
    } else {
      return( headers );
    }
  }

  if( "content-length" >< tolower( headers ) ) {
    tmp = egrep( string:headers, pattern:"^Content-Length: *[0-9]+", icase:TRUE );
    if( tmp ) length = int( ereg_replace( string:tmp, pattern:"^Content-Length: *([0-9]*) *", replace:"\1", icase:TRUE ) );
  }

  if( "content-encoding: gzip" >< tolower( headers ) ) gzip = TRUE;

  if( ( length < 0 ) && ( egrep( pattern:"transfer-encoding: chunked", string:headers, icase:TRUE ) ) ) {
    while( 1 ) {
      tmp = recv_line( socket:__ka_socket, length:4096 );
      length = hex2dec( xvalue:tmp );
      if( length > 1048576 ) {
        length = 1048576;
        killme = 1;
      }
      body  = strcat( body, recv( socket:__ka_socket, length:length, min:length ) );
      # "\r\n"
      recv( socket:__ka_socket, length:2, min:2 );
      if( strlen( body ) > 1048576 ) killme = 1;

      if( length == 0 || killme ) {
        http_keepalive_check_connection( headers:headers );
        # This is expected - don't put this line before the previous
        if( gzip )
          body = http_gunzip( buf:body, onlybody:TRUE );

        if( bodyonly ) {
          return( body );
        } else {
          return( strcat( headers, '\r\n', body ) );
        }
      }
    }
  }

  if( length >= 0 ) {
    # Don't receive more than 1 MB
    if( length > 1048576 ) length = 1048576;

    body = recv( socket:__ka_socket, length:length, min:length );
  } else {
    # If we don't have the length, we close the connection to make sure
    # the next request won't mix up the replies.

    #display("ERROR - Keep Alive, but no length!!!\n", __ka_last_request);
    body = recv( socket:__ka_socket, length:16384, min:0 );
    if( body =~ '<html[^>]*>' && body !~ '</html>' ) { # case insensitive
      repeat {
        tmp = recv( socket:__ka_socket, length:16384 );
        body += tmp;
      }
      until( ! tmp || body =~ "</html>" );
      if( debug_level && body !~ "</html>" ) display( "http_keepalive_recv_body: incomplete body?\n------------\n", body, "\n------------\n" );
    }
    http_close_socket( __ka_socket );
    __ka_socket = http_open_socket( __ka_port );
  }

  http_keepalive_check_connection( headers:headers );

  if( gzip )
    body = http_gunzip( buf:body, onlybody:TRUE );

  if( bodyonly ) {
    return( body );
  } else {
    return( strcat( headers, '\r\n', body ) );
  }
}

# We close our socket on exit.

		
top

http_keepalive_send_recv

Named Parameters

bodyonly
data
embedded
fetch404
port

Code

function http_keepalive_send_recv( port, data, bodyonly, embedded, fetch404 ) {

  local_var id, n, ret, headers;
  local_var soc, r, body;

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#http_keepalive_send_recv" );
  if( ! data ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#data#-#http_keepalive_send_recv" );

  if( debug_level > 1 )
    display( "http_keepalive_send_recv( port: ", port, ", data: ", data, ", bodyonly: ", bodyonly, " )\n" );

  if( ! data ) return NULL;

  if( __ka_enabled == -1 ) __ka_enabled = http_keepalive_enabled( port:port );
  if( __ka_enabled == -2 ) return NULL;

  if( __ka_enabled == 0 ) {
    soc = http_open_socket( port );
    if( ! soc ) return NULL;
    if( send( socket:soc, data:data ) <= 0 ) {
      http_close_socket( soc );
      return NULL;
    }
    headers = http_recv_headers2( socket:soc );
    # If the headers are not HTTP compliant, just return right away
    if( headers && ! ereg( pattern:"^HTTP/.* [0-9]+", string:headers ) )
      return headers;

    if( headers && ( ! ereg( pattern:"^HTTP/.* 404", string:headers ) || fetch404 == TRUE ) )
      body = http_recv_body( socket:soc, headers:headers, length:0 );

    http_close_socket( soc );

    if( "content-encoding: gzip" >< tolower( headers ) )
      body = http_gunzip( buf:body, onlybody:TRUE );

    if( bodyonly ) {
      return( body );
    } else {
      return( strcat( headers, '\r\n', body ) );
    }
  }

  if( ( port != __ka_port ) || ( ! __ka_socket ) ) {
    if( __ka_socket ) http_close_socket( __ka_socket );
    __ka_port = port;
    __ka_socket = http_open_socket( port );
    if( ! __ka_socket ) return NULL;
  }

  id = stridx( data, '\r\n\r\n' );
  data = str_replace( string:data, find:"Connection: Close", replace:"Connection: Keep-Alive", count:1 );
  __ka_last_request = data;
  n = send( socket:__ka_socket, data:data );
  if( n >= strlen( data ) )
    headers = http_recv_headers2( socket:__ka_socket );
  if( ! headers ) {
    http_close_socket( __ka_socket );
    __ka_socket = http_open_socket( __ka_port );
    if( __ka_socket == 0 ) return NULL;
    if( send( socket:__ka_socket, data:data ) < strlen( data ) ) {
      http_close_socket( __ka_socket );
      __ka_socket = NULL;
      return NULL;
    }
    headers = http_recv_headers2( socket:__ka_socket );
  }
  return http_keepalive_recv_body( headers:headers, bodyonly:bodyonly );
}

#

		
top

http_post_req

Named Parameters

accept_header
add_headers
data
port
url

Code

function http_post_req( port, url, data, add_headers, accept_header ) {

  local_var req, port, data, add_headers, header, accept_header;

  if( typeof( add_headers ) != "array" ) {
    set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#add_headers_no-array#-#http_post_req" );
    return;
  }

  if( ! port ) {
    set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#http_post_req" );
    return;
  }

  if( ! url ) url = "/";

  if( data ) len = strlen( data );

  host = http_host_name( port:port );
  if( ! accept_header ) accept_header = '*/*';

  req = 'POST ' + url + ' HTTP/1.1\r\n' +
        'Host: ' + host + '\r\n' +
        'Pragma: no-cache\r\n' +
        'User-Agent: ' + OPENVAS_HTTP_USER_AGENT + '\r\n' +
        'Accept-Language: en\r\n' +
        'Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r\n' +
        'Accept: ' + accept_header + '\r\n' +
        'Accept-Encoding: identity\r\n';

  if( data ) req += 'Content-Length: ' + len + '\r\n';

  foreach header( keys( add_headers ) )
    req += header +': ' + add_headers[header] + '\r\n';

  req += '\r\n';

  if( data ) req += data;

  return req;
}

function http_get_req( port, url, add_headers ) {

		
top

http_vuln_check

Named Parameters

check_header
check_nomatch
cookie
debug
extra_check
hostname
pattern
port
url

Code

function http_vuln_check( port, url, pattern, check_header, debug, extra_check, hostname, cookie, check_nomatch ) {

  local_var port, url, pattern, req, buf, debug, bodyonly, check_header, cookie, check_nomatch;

  if( ! url ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#url#-#http_vuln_check" );
  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#http_vuln_check" );

  if( isnull( pattern ) || pattern == "" ) {
    set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#pattern#-#http_vuln_check" );
    return FALSE;
  }

  req = http_get( item:url, port:port );

  if( COMMAND_LINE ) { # set hostname for vhosts on command line if hostname parameter was given.
    if( hostname ) {
      req = ereg_replace( string:req, pattern:"Host:.*" + get_host_ip(), replace: "Host: " + hostname );
    }
  }

  if( cookie && ! isnull( cookie ) )
    req = ereg_replace( string:req, pattern:'\r\n\r\n', replace: '\r\nCookie: ' + cookie + '\r\n\r\n' );

  buf = http_keepalive_send_recv( port:port, data:req );
  if( buf == NULL ) return FALSE;

  __ka_last_request = req;

  if( debug ) {
    display( "\nContent:\n", buf, "\n" );
  }

  if( check_header == TRUE ) {
    if( ! ereg( pattern:"^HTTP/[0-9]\.[0-9] 200.*", string:buf ) ) {
      return FALSE;
    }
  }

  ## Extra check for Strings to match in the buf
  if( extra_check ) {
    if( typeof( extra_check ) != "array" ) {
      extra_check = make_list( extra_check );
    }

    foreach ec( extra_check ) {
      if( ! egrep( pattern:ec, string:buf, icase:TRUE ) ) {
        return FALSE;
      }
    }
  }

  ## Check for Strings that should not match in buf
  if( check_nomatch ) {
    if( typeof( check_nomatch ) != "array" ) {
      check_nomatch = make_list( check_nomatch );
    }

    foreach nm( check_nomatch ) {
      if( egrep( pattern:nm, string:buf, icase:TRUE ) ) {
        return FALSE;
      }
    }
  }

  if( egrep( pattern:pattern, string:buf, icase:TRUE ) ) {
    return buf;
  }
  return FALSE;
}

function traversal_files() {

		
top

is_cgi_installed_ka

Named Parameters

embedded
item
port

Code

function is_cgi_installed_ka( item, port, embedded ) {

  local_var r, no404, dir, slash, dirs, banner;

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#is_cgi_installed_ka" );

  if( get_kb_item( "Settings/disable_cgi_scanning" ) ) return 0;

  banner = get_http_banner( port:port );

  if( item[0] != "/" ) {
    dirs = cgi_dirs( port:port );
    slash = "/";
  } else {
    dirs = make_list( "" );
    slash = "";
  }

  no404 = get_kb_item( strcat( "www/no404/", port ) );
  if( strlen( no404 ) >= 1 ) return NULL;

  foreach dir( dirs ) {

    if( dir == "/" ) dir = "";

    if( dir != "" ) {
      # some server return a 404 for / but sometimes not for all subdirs. so check again...
      ti = 'openvas_' + rand() + '.html';
      t =  http_keepalive_send_recv( port:port, data:http_get( item:dir + slash + ti, port:port ) );

      if( t =~ "^HTTP/1\.[0-9.] +200" ) continue;
    }

    r = http_keepalive_send_recv( port:port, data:http_get( item:dir + slash + item, port:port ) );
    if( r == NULL ) continue;

    if( r =~ "^HTTP/1\.[0-9.] +200 +" && "Proxy-Agent: IWSS" >!< r ) {
      if( no404 && tolower( no404 ) >< tolower( r ) ) {
        continue;
      } else {
        return( 1 );
      }
    }
  }
  return( 0 );
}

function get_http_page( port, url, redirect ) {

		
top

on_exit

Named Parameters

Code

function on_exit() {
  if( __ka_socket ) {
    http_close_socket( __ka_socket );
    __ka_socket = 0;
  }
}

if( 0 ) on_exit(); #TBD: Whats the purpose of this?

		
top

report_vuln_url

Named Parameters

port
url
url_only

Code

function report_vuln_url( port, url, url_only ) {

  local_var proto, host, report, port, url, url_only;

  if( ! port ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#port#-#report_vuln_url" );
  if( ! url ) set_kb_item( name: "nvt_debug_empty/" + get_script_oid(), value:get_script_oid() + "#-#url#-#report_vuln_url" );

  proto = 'http';
  if( get_port_transport( port ) > 1 ) proto = 'https';

  host = http_host_name( port:port );

  if( url_only ) {
    report = proto + '://' + host + url;
  } else {
    report = 'Vulnerable url: ' + proto + '://' + host + url;
  }

  return report;
}

# req = http_post_req( port:port, url:"/", data:data, accept_header:"application/json", add_headers: make_array( "Content-Type", "application/x-www-form-urlencoded" ) );

		
top

traversal_files

Named Parameters

Code

function traversal_files() {

  if( _FCT_ANON_ARGS[0] ) {

    if( tolower( _FCT_ANON_ARGS[0] ) == "windows" ) {
      res = "yes";
    } else if( tolower( _FCT_ANON_ARGS[0] ) == "linux" ) {
      res = "no";
    }
  } else {
    if( ! defined_func( "host_runs" ) ) include( "host_details.inc" );
    res = host_runs( "windows" );
  }

  if( res == "yes" ) {

    return make_array( "\[boot loader\]", "boot.ini",
                       "; for 16-bit app supporT", "winnt/win.ini",
                       "; for 16-bit app support", "windows/win.ini" );

  } else if( res == "no" ) {

    return make_array( "root:.*:0:[01]:", "etc/passwd" ); # TBD: Also check e.g. etc/hosts for basic IDS?

  }

  # "unknown"
  return make_array( "root:.*:0:[01]:", "etc/passwd",
                     "\[boot loader\]", "boot.ini",
                     "; for 16-bit app supporT", "winnt/win.ini",
                     "; for 16-bit app support", "windows/win.ini" );
}

function exploit_commands() {

		
top