编写Wu-ftp漏洞扫描器

大家好。朋友们可能都知道wu-ftp的格式化漏洞吧，呵呵，网络上的破坏程序多的是。有了破坏程序，可是怎么找目标一试身手呢。因为我的工作平台是linux，所以扫描程序丰富程度比起windows下的逊多了。看着那些简单操作的软件，口水都流下来了（太夸张了!@~!#@!#)。所以，我只好自己动手写了一个扫描匿名ftp服务器的扫描器，是一个多线程的程序（不过扫描部分是从书上copy来的，可还是费了我不少工夫，总算学会了多线程编程）。可惜，它很傻，不能分辨是微软的ftp还是unix的ftp。哎，我现在比较忙，先写出来用了在说，等以后有时间我在加些像流光那样的ftp简单探测功能吧。以下是源程序。参数s是开始的ip,参数e是结束的ip,参数o是扫描结果存放的文件，如果不加的话，默认的文件名是host。因为比较懒，所以没有写ip的转换函数，也就是大家只能写数字ip了。不过大家有源码，可以自己加吗。顺便附加一个在www.hack.co.za上找到的wu-ftp的exploit程序。针对linux(版本<=6.2)和freebsd的。
eg. #./scanftp -s 127.0.0.1 -e 127.0.65.255 -o host1

#include<pthread.h>
#include<sys/time.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#include<unistd.h>
#include<fcntl.h>
#include<string.h>
#include<errno.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#define BUF_LEN 255
#define THREADNUM 100 /*你想开的线程数，我的猫是56k的，memory是64，cpu比较惨超频的赛扬450，我开*/ /*100个线程时，cpu已全力运行，memory还有的剩，如果大家的机器比较爽，带宽*/ /* 较大，那就可以多开了。视你自己的情况而定了。*/
#define NORM ""
#define GREEN ""
#define RED ""
#define BLUE ""
#define BROWN ""
#define time 10
extern int errno;
uint32_t startip,endip,k;
pthread_t thread[THREADNUM];
pthread_mutex_t mut=PTHREAD_MUTEX_INITIALIZER;
pthread_mutex_t file=PTHREAD_MUTEX_INITIALIZER;
char *filename="host";
void usage(char *progname)
{
printf(BLUE " Scananonymousftp is beta 1.0 "
RED " 2001 by Tang Jing biao and cpu "
GREEN "usage: " NORM "%s [-s startip] [-e endip] [-o filename] [-h help] ",
progname
);

exit(-1);
}
void filewrite(char *name,char *ip)
{
char *p1,*p2,*p3;
FILE *fd;
int len1,len2;
p1=name;
p2=ip;
p3=" ";
printf("Ip is written! ");
if((fd=fopen(p1,"r+t"))==NULL)
{
printf("Reading file was failed! ");
exit(0);
}
fseek(fd,0L,SEEK_END);
len1=strlen(p2);
len2=strlen(p3);
fwrite(p2,sizeof(char),len1,fd);
fwrite(p3,sizeof(char),len2,fd);
if(fclose(fd))
printf("The file is not closed! ");
}
void *scanhost()
{
struct sockaddr_in saddr;
int sockfd,flags,len,error,status,temp;
char buf[BUF_LEN],*hostip;
struct timeval timeout={time,0};
fd_set wmask,rmask;
saddr.sin_port=htons(21);
saddr.sin_family=AF_INET;
pthread_mutex_lock(&mut);
while(k<=endip)
{
saddr.sin_addr.s_addr=htonl((uint32_t)k);
pthread_mutex_unlock(&mut);
if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
{
printf("Socket error! ");
exit(-1);
}
printf("scanthread%d is scanning...%s at %d ",pthread_self(),inet_ntoa(saddr.sin_addr),sockfd);
fflush(stdout);
FD_ZERO(&wmask);
FD_SET(sockfd,&wmask);
rmask=wmask;
timeout.tv_sec=time;
timeout.tv_usec=0;
status=fcntl(sockfd,F_GETFL);
fcntl(sockfd,F_SETFL,status|O_NONBLOCK);
temp=connect(sockfd,(struct sockaddr *)&saddr,sizeof(saddr));

if(temp<0)
{
flags=select(sockfd+1,&rmask,&wmask,(fd_set *)NULL,&timeout);
if(flags<=0)
{
close(sockfd);
pthread_mutex_lock(&mut);
k++;
continue;
}
if(FD_ISSET(sockfd,&rmask)||FD_ISSET(sockfd,&wmask))
{
if(FD_ISSET(sockfd,&rmask)&&FD_ISSET(sockfd,&wmask))
{
len=sizeof(error);
temp=getsockopt(sockfd,SOL_SOCKET,SO_ERROR,&error,&len);
if((temp!=0)||(error!=0))
{
close(sockfd);
pthread_mutex_lock(&mut);
k++;
continue;
}
}
}
}
bzero(buf,BUF_LEN);
fcntl(sockfd,F_SETFL,status);
if((len=read(sockfd,buf,BUF_LEN))>=0)
{
if(strncmp(buf,"220",3)==0)
{
write(sockfd,"user anonymous ",15);
if((len=read(sockfd,buf,BUF_LEN))>=0)
{
if(strncmp(buf,"331",3)==0)
{
write(sockfd,"pass shit@ ",11);
if((len=read(sockfd,buf,BUF_LEN))>=0)
{
if(strncmp(buf,"230",3)==0)
{
printf("%d HaHa! find ! Ip is %s ",pthread_self(),inet_ntoa(saddr.sin_addr));
hostip=inet_ntoa(saddr.sin_addr);
pthread_mutex_lock(&file);
filewrite(filename,hostip);
pthread_mutex_unlock(&file);
fflush(stdout);
close(sockfd);
}
}
}
}
}
}

close(sockfd);
pthread_mutex_lock(&mut);
k++;
}
pthread_mutex_unlock(&mut);
pthread_exit(NULL);

}

int create_thread()
{
int i=0,temp;
for(i=0;i<THREADNUM;i++)
{
pthread_mutex_lock(&mut);
if(k>endip)
{
pthread_mutex_unlock(&mut);
break;
}
pthread_mutex_unlock(&mut);
pthread_create(&thread[i],NULL,scanhost,NULL);
pthread_mutex_lock(&mut);
k++;
pthread_mutex_unlock(&mut);
}
temp=i;
for(i=0;i<temp;i++)
{
pthread_join(thread[i],NULL);
printf("scanthread %d is closed! ",i);
}
return i;
}

int main(int argc,char *argv[])
{
char c ;
FILE *fdmain;
int thnum;
if(argc<2)
{
printf("Please input parameter! Type -h ");
exit(0);
}
while ((c = getopt(argc, argv, "s:e:o:h")) != EOF)
{
switch (c)
{
case ''s'':
startip=ntohl(inet_addr(optarg));
break;
case ''e'':
endip=ntohl(inet_addr(optarg));
break;
case ''o'':
filename = optarg;
break;
case ''h'':
usage(argv[0]);
break;
default:
break;
}
}
if(startip>endip)
{
k=startip;
startip=endip;
endip=k;
}
k=startip;
if((fdmain=fopen(filename,"w+t"))==NULL)
{
printf("The file was not opened!!!!! ");
exit(0);
}
fclose(fdmain);
printf("The main process created %d thread ",THREADNUM);
pthread_mutex_init(&mut,NULL);
pthread_mutex_init(&file,NULL);
thnum=create_thread();
printf("The main process is closed. ");
}



原作者：cpu(处理器)
来 源：http://www.redleague.net