编写Wu-ftp漏洞扫描器

  大家好。朋友们可能都知道wu-ftp的格式化漏洞吧,呵呵,网络上的破坏程序多的是。有了破坏程序,可是怎么找目标一试身手呢。因为我的工作平台是linux,所以扫描程序丰富程度比起windows下的逊多了。看着那些简单操作的软件,口水都流下来了(太夸张了!@~!#@!#)。所以,我只好自己动手写了一个扫描匿名ftp服务器的扫描器,是一个多线程的程序(不过扫描部分是从书上copy来的,可还是费了我不少工夫,总算学会了多线程编程)。可惜,它很傻,不能分辨是微软的ftp还是unix的ftp。哎,我现在比较忙,先写出来用了在说,等以后有时间我在加些像流光那样的ftp简单探测功能吧。以下是源程序。参数s是开始的ip,参数e是结束的ip,参数o是扫描结果存放的文件,如果不加的话,默认的文件名是host。因为比较懒,所以没有写ip的转换函数,也就是大家只能写数字ip了。不过大家有源码,可以自己加吗。顺便附加一个在上找到的wu-ftp的exploit程序。针对linux(版本<=6.2)和freebsd的。eg. #./scanftp -s 127.0.0.1 -e 127.0.65.255 -o host1

/*
 * scanftp - the multi-threaded anonymous-FTP probe described above.
 * Reformatted from the single-line listing on the page; the code tokens are
 * unchanged, only comments were added.
 *
 * Flow: main() parses -s/-e/-o, creates/truncates the result file, then
 * create_thread() starts up to THREADNUM workers running scanhost().  Each
 * worker walks the shared cursor k from startip to endip, does a non-blocking
 * connect() to TCP/21 with a select() timeout, walks the 220/331/230 login
 * dialogue with a fixed "anonymous" credential, and appends every host that
 * answers 230 to the result file through filewrite().
 *
 * NOTE(review): as printed, the listing does not build with a modern
 * compiler: the case labels in main() use typographic quotes (‘s’), the
 * "HaHa! find !" format string contains a raw line break (only old gcc
 * accepted that, with a warning), and <stdint.h> is never included for
 * uint32_t (it may or may not arrive transitively via the socket headers).
 */
#include<pthread.h>
#include<sys/time.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<unistd.h>
#include<fcntl.h>
#include<string.h>
#include<errno.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>   /* duplicate include of <string.h>; harmless */

#define BUF_LEN 255   /* size of the reply buffer filled by read() in scanhost() */
#define THREADNUM 100 /* Number of threads to start. The author's modem is 56k, memory 64 MB, */
                      /* the CPU an overclocked Celeron 450; at 100 threads the CPU is fully */
                      /* loaded with memory to spare. With a faster machine and more bandwidth */
                      /* more can be started -- adjust to your own situation. */
#define NORM "\033[0m"     /* ANSI colour escapes, used only by usage() */
#define GREEN "\033[32m"
#define RED "\033[31m"
#define BLUE "\033[34m"
#define BROWN "\033[33m"   /* defined but not referenced anywhere below */
#define time 10            /* connect() timeout in seconds (see select() in scanhost()); the macro name shadows libc's time() */

extern int errno;          /* redundant with <errno.h>; where errno is a macro this line no longer declares a variable */

/* Scan range and shared cursor.  k is the address currently being handed out
 * (host byte order) and is guarded by mut; startip/endip are set once in main()
 * and read without locking afterwards. */
uint32_t startip,endip,k;
pthread_t thread[THREADNUM];                     /* worker handles, filled by create_thread() */
pthread_mutex_t mut=PTHREAD_MUTEX_INITIALIZER;   /* protects k */
pthread_mutex_t file=PTHREAD_MUTEX_INITIALIZER;  /* serialises filewrite() calls */
char *filename="host";                           /* result file; overridden by -o */

/* Print the coloured banner and option summary, then exit with status -1. */
void usage(char *progname)
{
  printf(BLUE " Scananonymousftp is beta 1.0\n\n"RED " 2001 by Tang Jing biao and cpu\n\n"GREEN "usage: " NORM "%s [-s startip] [-e endip] [-o filename] [-h help]\n\n",progname);
  exit(-1);
}

/*
 * Append ip followed by a newline to the file called name.
 * Callers hold the `file` mutex.  On open failure the whole process exits
 * (status 0), taking every other worker thread with it.  The "r+t" mode
 * string is not standard C ("t" is a DOS/Windows extension) and is presumably
 * ignored by glibc; the file is positioned at its end with fseek() and the two
 * strings are written with unchecked fwrite() calls.
 */
void filewrite(char *name,char *ip)
{
  char *p1,*p2,*p3;
  FILE *fd;
  int len1,len2;
  p1=name;p2=ip;p3="\n";
  printf("Ip is written!\n");
  if((fd=fopen(p1,"r+t"))==NULL){printf("Reading file was failed!\n");exit(0);}
  fseek(fd,0L,SEEK_END);
  len1=strlen(p2);len2=strlen(p3);
  fwrite(p2,sizeof(char),len1,fd);
  fwrite(p3,sizeof(char),len2,fd);
  if(fclose(fd))printf("The file is not closed!\n");
}

/*
 * Worker thread body (started by create_thread()).  Loops while the shared
 * cursor k has not passed endip: takes the current k as the target address,
 * releases mut for the network work, and re-takes mut before k++.
 *
 * Per host: non-blocking connect() to port 21 with a select() timeout of
 * `time` seconds; once the socket is considered connected the flags are
 * restored to blocking and the FTP dialogue
 *   220 -> "user anonymous" -> 331 -> "pass shit@" -> 230
 * is walked with plain read()/write().  A 230 reply is reported on stdout and
 * appended to filename under the `file` mutex.
 *
 * The return value is never produced; the thread ends with pthread_exit(NULL).
 */
void *scanhost()
{
  struct sockaddr_in saddr;
  int sockfd,flags,len,error,status,temp;
  char buf[BUF_LEN],*hostip;
  struct timeval timeout={time,0};
  fd_set wmask,rmask;

  saddr.sin_port=htons(21);
  saddr.sin_family=AF_INET;
  pthread_mutex_lock(&mut);                 /* mut is held at the top of every iteration */
  while(k<=endip){
    saddr.sin_addr.s_addr=htonl((uint32_t)k);
    pthread_mutex_unlock(&mut);             /* k is not touched again until the bottom of the loop */
    /* NOTE(review): exit() here terminates the whole process from a worker thread. */
    if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0){printf("Socket error!\n");exit(-1);}
    /* NOTE(review): pthread_t is printed with %d; it is an opaque type, so the
     * format does not match the argument (same in the "HaHa" printf below). */
    printf("scanthread%d is scanning…%s at %d\n",pthread_self(),inet_ntoa(saddr.sin_addr),sockfd);
    fflush(stdout);
    FD_ZERO(&wmask);
    FD_SET(sockfd,&wmask);
    rmask=wmask;
    timeout.tv_sec=time;                    /* re-armed every iteration; select() may modify it */
    timeout.tv_usec=0;
    status=fcntl(sockfd,F_GETFL);
    fcntl(sockfd,F_SETFL,status|O_NONBLOCK);
    temp=connect(sockfd,(struct sockaddr *)&saddr,sizeof(saddr));
    if(temp<0){
      /* connect() did not complete at once (presumably EINPROGRESS; errno is not
       * examined): wait up to `time` seconds for the socket to become readable
       * or writable. */
      flags=select(sockfd+1,&rmask,&wmask,(fd_set *)NULL,&timeout);
      if(flags<=0){close(sockfd);pthread_mutex_lock(&mut);k++;continue;}   /* timeout or select() error: next host */
      if(FD_ISSET(sockfd,&rmask)||FD_ISSET(sockfd,&wmask)){
        /* Only the readable-AND-writable case (typical for a failed connect)
         * queries SO_ERROR; a writable-only socket is taken as connected
         * without any check. */
        if(FD_ISSET(sockfd,&rmask)&&FD_ISSET(sockfd,&wmask)){
          len=sizeof(error);                /* NOTE(review): getsockopt() takes socklen_t*, not int* */
          temp=getsockopt(sockfd,SOL_SOCKET,SO_ERROR,&error,&len);
          if((temp!=0)||(error!=0)){close(sockfd);pthread_mutex_lock(&mut);k++;continue;}
        }
      }
    }
    bzero(buf,BUF_LEN);                     /* zeroed once; later read()s do not NUL-terminate, but only 3 bytes are ever compared */
    fcntl(sockfd,F_SETFL,status);           /* back to blocking mode for the reply exchange */
    /* A read() of 0 (peer closed) passes the >=0 test and is compared like a reply. */
    if((len=read(sockfd,buf,BUF_LEN))>=0){
      if(strncmp(buf,"220",3)==0){          /* FTP greeting */
        write(sockfd,"user anonymous\n",15);
        if((len=read(sockfd,buf,BUF_LEN))>=0){
          if(strncmp(buf,"331",3)==0){      /* "password required" */
            /* Defender note: the password is the fixed literal "shit@", sent to
             * every host that reaches this point, so it appears verbatim in the
             * FTP server's log of the scanned host. */
            write(sockfd,"pass shit@\n",11);
            if((len=read(sockfd,buf,BUF_LEN))>=0){
              if(strncmp(buf,"230",3)==0){  /* logged in: anonymous access is enabled */
                /* The format string below contains a raw line break exactly as
                 * printed on the page; standard C needs "\n" or a split literal. */
                printf("%d HaHa! find ! 
Ip is %s\n",pthread_self(),inet_ntoa(saddr.sin_addr));
                hostip=inet_ntoa(saddr.sin_addr);   /* pointer into a library-owned buffer (static on many systems) */
                pthread_mutex_lock(&file);
                filewrite(filename,hostip);
                pthread_mutex_unlock(&file);
                fflush(stdout);
                close(sockfd);              /* NOTE(review): sockfd is closed again below -> double close on the success path */
              }}}}}}
    close(sockfd);
    pthread_mutex_lock(&mut);               /* re-acquire before advancing the shared cursor */
    k++;
  }
  pthread_mutex_unlock(&mut);
  pthread_exit(NULL);
}

/*
 * Start up to THREADNUM scanhost() workers and join them all.
 * Returns the number of threads that were joined.  pthread_create()'s result
 * is not checked, so a failed create leaves an unset handle in thread[] that
 * is joined anyway.
 * NOTE(review): main also does k++ after each pthread_create() while the new
 * worker reads and later increments k itself under mut; the two schemes mix,
 * so addresses around the start of the range may be skipped or probed twice
 * depending on which side takes mut first.
 */
int create_thread()
{
  int i=0,temp;
  for(i=0;i<THREADNUM;i++){
    pthread_mutex_lock(&mut);
    if(k>endip){pthread_mutex_unlock(&mut);break;}   /* range exhausted: stop creating */
    pthread_mutex_unlock(&mut);
    pthread_create(&thread[i],NULL,scanhost,NULL);
    pthread_mutex_lock(&mut);
    k++;
    pthread_mutex_unlock(&mut);
  }
  temp=i;                                   /* number of threads actually created */
  for(i=0;i<temp;i++){
    pthread_join(thread[i],NULL);
    printf("scanthread %d is closed!\n",i);
  }
  return i;
}

/*
 * Entry point.  Options: -s start address, -e end address (dotted decimal
 * only, via inet_addr(); the result is not checked, so a malformed address
 * becomes INADDR_NONE), -o result file (default "host"), -h usage.
 * A reversed range is swapped.  The result file is created/truncated before
 * the workers start ("w+t" is not a standard mode string), then
 * create_thread() runs the scan.  main() falls off its end without a return
 * statement, which C99 treats as return 0.
 */
int main(int argc,char *argv[])
{
  char c ;        /* NOTE(review): getopt() returns int; with a plain char the != EOF test only works where char is signed */
  FILE *fdmain;
  int thnum;      /* assigned but never read */
  if(argc<2){printf("Please input parameter! Type -h\n");exit(0);}
  while ((c = getopt(argc, argv, "s:e:o:h")) != EOF){
    switch (c){
    /* NOTE(review): the case labels below use typographic quotes (‘ ’) as printed;
     * they must be ASCII '...' for the file to compile. */
    case ‘s’:startip=ntohl(inet_addr(optarg));break;
    case ‘e’:endip=ntohl(inet_addr(optarg));break;
    case ‘o’:filename = optarg;break;
    case ‘h’:usage(argv[0]);break;
    default:break;
    }
  }
  if(startip>endip){k=startip;startip=endip;endip=k;}   /* k doubles as the swap temporary */
  k=startip;
  if((fdmain=fopen(filename,"w+t"))==NULL){printf("The file was not opened!!!!!\n");exit(0);}
  fclose(fdmain);
  printf("The main process created %d thread \n",THREADNUM);
  pthread_mutex_init(&mut,NULL);    /* redundant: both mutexes are already statically initialised above */
  pthread_mutex_init(&file,NULL);
  thnum=create_thread();
  printf("The main process is closed.\n");
}
 原作者:cpu(处理器)来 源:上帝助自助者。

