Google 'exploit' - TCPUtil pt III
Results 1 to 7 of 7

Thread: Google 'exploit' - TCPUtil pt III

  1. #1
    Senior Member
    Join Date
    Apr 2002

    Google 'exploit' - TCPUtil pt III


    This article is the third in a series of articles about my open source TCPUtil code which enables socket programming from withing the Windows Scripting Host. If you have not already done so I recommend that you have a look at the first two articles before attempting this one, as I will skip some of the basic explainations here that I made there. The first article discussed Scripting Internet Connections Under Window$ and the second demonstrated the use of the code with a Search Engine submission 'exploit' .

    This time I'm going to show how to use socket programming to create a command line translation tool using the translation service from Google.

    Web Based Translation Services

    You will have seen many web based translation services springing up around the Internet. The one that I am going to use here will be the one on Google however, as most of us will be familiar with this site. (See langauge tool on the top right of their page). Google offers a translation service that consists of a form posting to a script and displaying the outputted translation on a html page.

    So with the TCPutil control I can write a socket application that POSTs the appropriate variables to the script and parses the returned HTML for the translation. Simple


    This is a proof of concept. DON'T try writing a commercial application with this code - that would be a theft of service from Google. I'm posting this because I can't imagine many commercial applictions that would require command line translation and I am certainly not about to write an ActiveX control to explot this loophole from within an application. So the code, as far as it goes here, is a nice little curiosity with little actual value. But with a bit of spit and polish a less ethical programmer could integrate this into almost anything - maybe have auto translated web pages for international customers - whatever.

    How it works

    You can enter the text you want translating in two ways:
    1...Typed at a command line using standard input streams
    (Three carrige returns closes the session)
    2...From an external text file using the -f option
    (See usage)

    The script also needs to know what language to translate to (I have assumed for the purposes of this article that the language to be translated from is English). The language is set using the -l or -langauge switch, and accepts the following parameters:

    german - de
    italian - it
    french - fr
    portuguese - pt
    spanish - es

    Usage: Babel.vbs <--Langauge|-l [Translate to de|fr|it|es|pt]>"
    [--Delay|-d] Page Time Out delay (in seconds) Default: 5 Seconds"
    [--file|-f] Translate from a text file."
    An Example

    So this is what it does when you run it...

    C:\tcputil>babel -l es
    Microsoft (R) Windows Script Host Version 5.1 for Windows
    Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

    --Babel Fish Utility.
    --July 2002 by NTSA.

    Type the text you wish to be translated:
    :>this is a test
    :>for all of the good
    :>people at AntiOnline
    :>I can include carrige returns.
    :>I finish input with 3 <returns>.
    esto es una prueba para toda la buena gente en AntiOnline que puedo incluir vuel
    tas del carrige. Acabo la entrada con 3 &lt; vueltas &gt;.
    The Code

    NOTE: There may be a few unused routines in here (left over from the main TCPUtil code) but I only had a couple of hours to write the code and the tutorial so this'll just have to do.

    dim buffer,blncon,blnSkip,wtresp,secwait,blnLastcmdnull 'Program Vars
    DIM blnbuff,blnifile,lang,sdelay,Verbose,debug,iFile,Ofile,str 'User Vars
    Dim oArgs, ArgNum 'Argument vars
    Const sckTCPProtocol=0 
    Const sckUDPProtocol=1
    const FlgDebug =1
    const flgVerbose =2
    const flgEcho =3
    Const ForReading = 1
    const ForWriting = 2
    WScript.Echo "--Babel Fish Utility."
    WScript.Echo "--July 2002 by NTSA."
    WScript.Echo ""
    WScript.Echo ""
    'Create a FSO for file I/O operations
    Set fso = CreateObject("Scripting.FileSystemObject")
    'Create the winsock object and pass the event handler tp wsPop_
    on error resume next
    Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
    if err.number > 0 then 
    out "Could not create an instance of the SBWinsck control.",flgEcho
    out "You need to register SBWinsck.ocx using the regsvr32",flgEcho
    out "command. (ie regsvr32 c:\path\sbWinsck.ocx where c:\path",flgEcho
    out "is the full path to the ocx file.",flgEcho
    end if
    tcpClient.Protocol = sckTCPProtocol
    tcpClient.RemoteHost = "" 
    tcpClient.RemotePort =  80
    str = ""
    'No input file set so retreive the str 
    'translation string from the command line.
    if iFile & "" = "" then
    twice = 0
    cmd = ""
    str = ""
    wscript.echo "Type the text you wish to be translated:"
    	cmd = input("")
    	if cmd = "" then 
    		twice = twice + 1
    		twice = 0
    	end if
    	str = str & replace(cmd," ","+")
    	if twice < 2 then str = str & "%0D%0A"
    	out "cmd=" & cmd & " | twice=" & twice & " | " & "str=" & str,flgdebug
    loop until cmd = "" and twice > 1
    'Load the str value from a file
    Set f = fso.OpenTextFile(ifile, ForReading)
    while not f.atendofstream			 
    	t = f.readline
    	str = str & t & "%0D%0A"
    end if
    str = "text="& str &"&langpair=en%7C"& lang &_
    tio = 0
    do until blncon = true or blnskip = true or tio = sdelay *2
    out "Waiting for connection...",FlgDebug
    tio = tio + 1
    'Timed out - Could not connect
    if tio = sdelay *2 and blnskip =false then 
    out "Could not connect to: " & tcpClient.RemoteHost & _
    " on port: " & tcpClient.RemotePort & ".",FlgEcho
    end if
    tio = 0
    do until blncon = false or tio = sdelay *2
    out "Waiting for disconnection...",FlgDebug
    tio = tio + 1
    h = split(buffer,"<textarea name=q")
    ht = split(h(1),"</textarea>")
    htm = split(ht(0),">")
    if blnbuff = true then
    'Output buffer to screen
    out htm(1),FlgEcho
    end if
    Sub wsPop_DataArrival(Byval b)
    dim strdata
    out "Data Arrival...",flgverbose	
    '/* Get the data and add it to the buffer...
    tcpClient.GetData strData,vbstring
    if blnbuff = true then
    buffer = buffer &  strdata
    out strdata,Flgverbose
    end if
    'Data has just arrived - wait some 
    'more to see if anything further comes
    secwait = 100
    blnskip = true
    end sub
    Sub wsPop_Connected()
    blncon = true
    blnskip = true
    out "Connected...",flgverbose
    'sending data to the host
    out "Sending data...",flgverbose
    sendandlog "POST /translate_t HTTP/1.1"
    sendandlog "Accept: image/gif, image/x-xbitmap, image/jpeg, " & _
    "image/pjpeg, application/, " & _
    "application/, application/msword, */*"
    sendandlog "Accept-Language: en-gb"
    sendandlog "Content-Type: application/x-www-form-urlencoded"
    sendandlog "Accept-Encoding: gzip, deflate"
    sendandlog "User-Agent: Mozilla/4.0 " & _ 
    (compatible; MSIE 5.01; Windows NT 5.0)"
    sendandlog "Host:"
    sendandlog "Content-Length: " & cstr(len(str))
    sendandlog "Connection: Keep-Alive"
    sendandlog ""
    sendandlog str
    out "Data sent.",flgverbose
    End Sub
    sub sendandlog(data)
    tcpclient.SendData data & vbCrLf
    end sub
    sub scriptInput
    '# Script Interpreter
    '# Lines with * begin interactive user input session
    '# Interactive sessions are ended with a !
    '# Lines beginning with # are comments
    '# Values in [name] format will be requested from user
    'Open Script file
    Set f = fso.OpenTextFile(ifile, ForReading)
    while not f.atendofstream			 
    	t = f.readline
    	if t <> "*" then
    		if left(trim(t),1) = "#" then
    			'Comment - Ignore.
    			out t,flgDebug
    			'Request User Input
    			if instr(t,"[") > 0 then t = BuildStr(t)
    			tcpclient.SendData t & vbCrLf 
    		end if
    		'Drop out to command line
    	end if
    end sub
    function BuildStr(t)
    a = split(t,"[")
    b = split(a(1),"]")
    Intxt = b(0)
    buildstr = a(0) & input("Enter " & intxt) & b(1)
    end function
    sub GetInput
    	'If there has already been a reponse to the
    	'Last request (blnskip) then set smaller wait.
    	if blnskip = true then 
    		n = sdelay * 50
    		n = sdelay * 1000
    	end if
    	if blnLastcmdnull = false and port <> 43 then
    		for secwait = n to 0 step -1
    			out "wait to see if any more data is coming "& _
    			secwait &"...",flgverbose
    			'before returning to cmd promt
    	end if
    	out "Data stream from remote host terminated (probably!).",flgVerbose
    	cmd = input("Send Data (Quit with '!')")
    	IF cmd <> "" or port = 80 then
    		if lcase(cmd) <> "!" and blncon = true then 
    			on error resume next
    			tcpclient.SendData cmd & vbcrlf
    			if err.number >0 then
    				out "Connection Failed.",flgEcho
    			end if
    		end if
    	end if
    	if cmd = "" then 
    		blnLastcmdnull = true
    		blnLastcmdnull = false
    	end if
    	'Wait 1/2 second to see if server quits
    IF CMD = "" and port = 80 then cmd = "!"
    loop until lcase(cmd) = "!" or blncon = false	
    end sub
    sub LogDataSend(poststr)
    if port = 80 then
    	out "Sending:> " & poststr,Flgverbose
    	'out "Sending:> " & poststr,FlgEcho
    end if
    end sub
    Sub wsPop_Close()
    blncon = false
    out "Disconnected...",flgverbose
    End Sub
    function RemoveDel(str)
    RemoveDel = replace(str,"/","")
    RemoveDel = replace(RemoveDel,"-","")
    RemoveDel = replace(RemoveDel,"--","")
    end function
    function IsEmpty(str)
    if str & "" = "" then 
    	isempty = true
    	isempty = false
    end if
    end function
    function iCount(str,del)
    icount =0
    for i = 1 to len(str)
    	if mid(str,i,1) = del then
    		icount = icount +1
    	end if
    icount = icount - 1
    end function
    function input(quest)
    WScript.StdOut.Write(quest & ":>")
    input = WScript.StdIn.ReadLine()
    end function
    sub out(str,flg)
    select case flg
    	case flgEcho
    		wscript.echo str
    	case flgVerbose
    		if verbose = true or debug = true then
    			wscript.echo str
    		end if
    	case FlgDebug
    		if debug = true then
    			wscript.echo str
    		end if
    end select
    end sub
    sub GetUserParams
    buffset = 0
    Set oArgs = WScript.Arguments
    ArgNum = 0
    While ArgNum < oArgs.Count
    	Select Case RemoveDel(LCase(oArgs(ArgNum)))
    		case "language","lang","l":
    			ArgNum = ArgNum + 1
    			select case lcase(oArgs(ArgNum))
    				case "german","de":
    					lang = "de"
    				case "italian","it":
    					lang = "it"
    				case "french","fr":
    					lang = "fr"
    				case "portuguese","pt":
    					lang = "pt"
    				case "spanish","es":
    					lang = "es"
    			end select
    		Case "file","f":
    			ArgNum = ArgNum + 1
    			If (fso.FileExists(oArgs(ArgNum))) Then
    				iFile = oArgs(ArgNum)
    				blnIfile = true
    				out "Error! The file " & oArgs(ArgNum) & _
    				" was not found.",FlgEcho
    				out "",FlgEcho
    			end if
    		Case "delay","d":
    			ArgNum = ArgNum + 1
    			sdelay = oArgs(ArgNum)
    		Case "help","?":
    			Call DisplayUsage
    		Case "verbose", "v":
    			Verbose = true
    		Case "debug","vv":
    			debug = true
    		Case Else:
    			WScript.Echo "Unknown argument "& oArgs(ArgNum)
    			Call DisplayUsage
    	End Select	
    	ArgNum = ArgNum + 1
    if buffset = 0 then
    	select case port 
    		case 80,43
    			blnbuff = true
    		case else
    			blnbuff = false
    	end select
    end if
    blnbuff = true
    buffset = 1
    if isempty(sdelay) then
    	'Set default as 3 second delay before breaking connection
    	sdelay = 5
    end if
    if isempty(lang) then
    	out "You must specify a language.",flgecho
    end if
    end sub
    Sub DisplayUsage
    WScript.Echo "Usage: Babel.vbs <--Langauge|-l [Translate to de|fr|it|es|pt]>"
    WScript.Echo "        [--Port|-p [Port Number or www|ftp|smtp|pop3|whois] Default: 80"
    WScript.Echo "        [--Delay|-d] Page Time Out delay (in seconds) Default: 3 Seconds"
    WScript.Echo "        [--file|-f] Translate from a text file."
    WScript.Echo "        [--Verbose|-v]"
    WScript.Echo "        [--debug|-vv]"
    WScript.Echo "        [--Help|/?]>"
    WScript.Echo ""
    WScript.Quit (1)	
    End Sub
    Just in case my line ends have died I have included the code (and sbwinsock control) in the zip file below.

    If you enjoyed this thread you may also enjoy these others:
    Open Source FTP Control
    Web based classes
    Backing up the IIS metabase.
    What port is that?
    Building your own IDS tripwire.
    Credit card security
    Dumping SQL data to a text file
    Hunting down skript kiddies
    Search Engine submission 'exploit'
    Forced shutdown of a remote nt/2k server
    Securing an installation of IIS 4. (No, seriously)
    Remote DSN Connections, using WinAPIs and the registry
    Scripting Internet Connections Under Window$
    \"I may not agree with what you say, but I will defend to the death your right to say it.\"
    Sir Winston Churchill.

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Questions? Comments?
    \"I may not agree with what you say, but I will defend to the death your right to say it.\"
    Sir Winston Churchill.

  3. #3
    AO Antique pwaring's Avatar
    Join Date
    Aug 2001
    It's an excellent and well thought out tutorial, and you are to be congratulated for it. Unfortunately I work with Unix-based systems most of the time so I can't really comment on how useful/effective etc. it is in practice, but reading the text I can be sure that anyone who does use the windows scripting host will find it extremely useful, especially in conjunction with your other articles. I wish I could give a bit more constructive comments, but it's outside my field of expertise I'm afraid.

    Keep up the good work!
    Paul Waring - Web site design and development.

  4. #4
    I always almost cry for the almost perfect tutorials made by you man. You are always one of the best at explaning different subjects and have contributed loads of tutorials. This just prove's it and Thanks for the tutorial.

  5. #5
    Senior Member
    Join Date
    Apr 2002
    wow - thanks fellas!
    \"I may not agree with what you say, but I will defend to the death your right to say it.\"
    Sir Winston Churchill.

  6. #6
    Senior Member
    Join Date
    Aug 2001
    well done man...

    "Knowledge is the Real Power"
    \"Knowledge is the Real Power\"

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Well done! Great tutorial. /me congraluates ntsa
    [gloworange]Die, or surrender, either way won\'t work.[/gloworange]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts