大家好。朋友們可能都知道wu-ftp的格式化漏洞吧,呵呵,網路上的破壞程序多的是。有了破壞程序,可是怎麼找目標一試身手呢。因為我的工作平台是linux,所以掃描程序豐富程度比起windows下的遜多了。看著那些簡單操作的軟體,口水都流下來了(太誇張了!@~!#@!#)。所以,我只好自己動手寫了一個掃描匿名ftp伺服器的掃描器,是一個多線程的程序(不過掃描部分是從書上copy來的,可還是費了我不少工夫,總算學會了多線程編程)。可惜,它很傻,不能分辨是微軟的ftp還是unix的ftp。哎,我現在比較忙,先寫出來用了在說,等以後有時間我在加些像流光那樣的ftp簡單探測功能吧。以下是源程序。參數s是開始的ip,參數e是結束的ip,參數o是掃描結果存放的文件,如果不加的話,默認的文件名是host。因為比較懶,所以沒有寫ip的轉換函數,也就是大家只能寫數字ip了。不過大家有源碼,可以自己加嗎。順便附加一個在www.hack.co.za上找到的wu-ftp的exploit程序。針對linux(版本<=6.2)和freebsd的。
eg. #./scanftp -s 127.0.0.1 -e 127.0.65.255 -o host1
#include<pthread.h>
#include<sys/time.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<unistd.h>
#include<fcntl.h>
#include<string.h>
#include<errno.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define BUF_LEN 255
#define THREADNUM 100 /*你想開的線程數,我的貓是56k的,memory是64,cpu比較慘超頻的賽揚450,我開*/ /*100個線程時,cpu已全力運行,memory還有的剩,如果大家的機器比較爽,帶寬*/ /* 較大,那就可以多開了。視你自己的情況而定了。*/
#define NORM "\033[0m"
#define GREEN "\033[32m"
#define RED "\033[31m"
#define BLUE "\033[34m"
#define BROWN "\033[33m"
#define time 10
extern int errno;
uint32_t startip,endip,k;
pthread_t thread[THREADNUM];
pthread_mutex_t mut=PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t file=PTHREAD_MUTEX_INITIALIZER;
char *filename="host";
void usage(char *progname)
{
printf(BLUE " Scananonymousftp is beta 1.0\n\n"
RED " 2001 by Tang Jing biao and cpu\n\n"
GREEN "usage: " NORM "%s [-s startip] [-e endip] [-o filename] [-h help]\n\n",
progname
);
exit(-1);
}
void filewrite(char *name,char *ip)
{
char *p1,*p2,*p3;
FILE *fd;
int len1,len2;
p1=name;
p2=ip;
p3="\n";
printf("Ip is written!\n");
if((fd=fopen(p1,"r+t"))==NULL)
{
printf("Reading file was failed!\n");
exit(0);
}
fseek(fd,0L,SEEK_END);
len1=strlen(p2);
len2=strlen(p3);
fwrite(p2,sizeof(char),len1,fd);
fwrite(p3,sizeof(char),len2,fd);
if(fclose(fd))
printf("The file is not closed!\n");
}
void *scanhost()
{
struct sockaddr_in saddr;
int sockfd,flags,len,error,status,temp;
char buf[BUF_LEN],*hostip;
struct timeval timeout={time,0};
fd_set wmask,rmask;
saddr.sin_port=htons(21);
saddr.sin_family=AF_INET;
pthread_mutex_lock(&mut);
while(k<=endip)
{
saddr.sin_addr.s_addr=htonl((uint32_t)k);
pthread_mutex_unlock(&mut);
if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
{
printf("Socket error!\n");
exit(-1);
}
printf("scanthread%d is scanning...%s at %d\n",pthread_self(),inet_ntoa(saddr.sin_addr),sockfd);
fflush(stdout);
FD_ZERO(&wmask);
FD_SET(sockfd,&wmask);
rmask=wmask;
timeout.tv_sec=time;
timeout.tv_usec=0;
status=fcntl(sockfd,F_GETFL);
fcntl(sockfd,F_SETFL,status|O_NONBLOCK);
temp=connect(sockfd,(struct sockaddr *)&saddr,sizeof(saddr));
if(temp<0)
{
flags=select(sockfd+1,&rmask,&wmask,(fd_set *)NULL,&timeout);
if(flags<=0)
{
close(sockfd);
pthread_mutex_lock(&mut);
k++;
continue;
}
if(FD_ISSET(sockfd,&rmask)||FD_ISSET(sockfd,&wmask))
{
if(FD_ISSET(sockfd,&rmask)&&FD_ISSET(sockfd,&wmask))
{
len=sizeof(error);
temp=getsockopt(sockfd,SOL_SOCKET,SO_ERROR,&error,&len);
if((temp!=0)||(error!=0))
{
close(sockfd);
pthread_mutex_lock(&mut);
k++;
continue;
}
}
}
}
bzero(buf,BUF_LEN);
fcntl(sockfd,F_SETFL,status);
if((len=read(sockfd,buf,BUF_LEN))>=0)
{
if(strncmp(buf,"220",3)==0)
{
write(sockfd,"user anonymous\n",15);
if((len=read(sockfd,buf,BUF_LEN))>=0)
{
if(strncmp(buf,"331",3)==0)
{
write(sockfd,"pass shit@\n",11);
if((len=read(sockfd,buf,BUF_LEN))>=0)
{
if(strncmp(buf,"230",3)==0)
{
printf("%d HaHa! find ! Ip is %s\n",pthread_self(),inet_ntoa(saddr.sin_addr));
hostip=inet_ntoa(saddr.sin_addr);
pthread_mutex_lock(&file);
filewrite(filename,hostip);
pthread_mutex_unlock(&file);
fflush(stdout);
close(sockfd);
}
}
}
}
}
}
close(sockfd);
pthread_mutex_lock(&mut);
k++;
}
pthread_mutex_unlock(&mut);
pthread_exit(NULL);
}
int create_thread()
{
int i=0,temp;
for(i=0;i<THREADNUM;i++)
{
pthread_mutex_lock(&mut);
if(k>endip)
{
pthread_mutex_unlock(&mut);
break;
}
pthread_mutex_unlock(&mut);
pthread_create(&thread[i],NULL,scanhost,NULL);
pthread_mutex_lock(&mut);
k++;
pthread_mutex_unlock(&mut);
}
temp=i;
for(i=0;i<temp;i++)
{
pthread_join(thread[i],NULL);
printf("scanthread %d is closed!\n",i);
}
return i;
}
int main(int argc,char *argv[])
{
char c ;
FILE *fdmain;
int thnum;
if(argc<2)
{
printf("Please input parameter! Type -h\n");
exit(0);
}
while ((c = getopt(argc, argv, "s:e:o:h")) != EOF)
{
switch (c)
{
case 's':
startip=ntohl(inet_addr(optarg));
break;
case 'e':
endip=ntohl(inet_addr(optarg));
break;
case 'o':
filename = optarg;
break;
case 'h':
usage(argv[0]);
break;
default:
break;
}
}
if(startip>endip)
{
k=startip;
startip=endip;
endip=k;
}
k=startip;
if((fdmain=fopen(filename,"w+t"))==NULL)
{
printf("The file was not opened!!!!!\n");
exit(0);
}
fclose(fdmain);
printf("The main process created %d thread \n",THREADNUM);
pthread_mutex_init(&mut,NULL);
pthread_mutex_init(&file,NULL);
thnum=create_thread();
printf("The main process is closed.\n");
}
原作者:cpu(處理器)
來 源:http://www.redleague.net
