/* * WUFTPD 2.6.0 VULNERABILITY SCANNER * by rasch [Adr017 crew] * adr017@inorbit.com * * This program will check for the presence of wu-ftpd 2.6.0 on * a single host or a number of hosts listed in a file. If the * -f [get_ips_from_file] option is given it will dump the ips * of the hosts running wu-ftpd 2.6.0 to the output file you've * specified. Otherwise if -s [ for single host scan ] is given * it will print the result of the scan on the screen. * * * BTW a remote root exploit for Wuftpd 2.6.0 is available by tf8 * so you may find this scanner very useful. * * Greetz go to my crew! * <-nj0y! */ #include <stdio.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #define PORT 21 #define MAXDATASIZE 1200 #define LIGHT_BLUE "\033[36m" #define NORMAL "\033[0m" char opt; void usage (char *progname) { printf("\n\t\twu-ftpd-2.6.0 scan by rasch / "LIGHT_BLUE"Adr017"NORMAL"(c)rew"); printf("\n Usage: \n"); printf(" %s -s 192.168.5.1 [single host scan] \n", progname); printf(" %s -f infile outfile [get the IPs from a file] \n\n", progname); exit(1); } int if_vuln(char *host) { int sockfd,reccnt; char buffer[MAXDATASIZE]; struct sockaddr_in address; struct hostent *he; if ((he=gethostbyname(host)) == NULL) { if (opt == 's') { printf("\nHost name lookup failure\n\n"); exit(1); } return 0; } sockfd = socket(AF_INET, SOCK_STREAM, 0); if(sockfd < 0) { printf("\nSocket error\n\n"); exit(1); } address.sin_family = AF_INET; address.sin_addr = *((struct in_addr *)he->h_addr); address.sin_port = htons(PORT); bzero(&(address.sin_zero), 8); if(connect(sockfd, (struct sockaddr *)&address, sizeof(address)) == -1) { if (opt == 's') { printf(" \nError connecting to host or service not available\n\n"); exit(1); } close(sockfd); return 0; } reccnt=recv(sockfd, buffer, MAXDATASIZE, 0); buffer[reccnt] = '\0'; close(sockfd); if(strstr(buffer, "wu-2.6.0")) return 1; else return 0; } void read_n_write(char *infile, char *outfile) { FILE *iff, *of; char linebuf[512]; if((iff=fopen(infile,"r")) == NULL) return; while(fgets(linebuf,512,iff) != NULL) { if(linebuf[strlen(linebuf)-1]=='\n') linebuf[strlen(linebuf)-1]=0; if(if_vuln(linebuf) == 1 && (of=fopen(outfile,"a")) != NULL) { linebuf[strlen(linebuf)+1]=0; linebuf[strlen(linebuf)]='\n'; fputs(linebuf,of); fclose(of); } } fclose(iff); } int main(int argc, char *argv[]) { if (argc < 3) usage(argv[0]); if (argv[1][0] != '-') { printf("\nPlease pass an argument preceded with a - \n\n"); exit(1); } opt = argv[1][1]; if (opt != 's' && opt != 'f') { printf("\nUnknown option!\n\n"); exit(1); } if (opt == 's') { if (if_vuln(argv[2]) == 1) { printf("\nHost "LIGHT_BLUE"VULNERABLE"NORMAL" .. enJoy!\n"); printf(" ^^^^^^^^^^\n"); exit(0); } else { printf("\nHost NOT vulnerable .. sorry \n\n"); exit(0); } } if (opt == 'f') { read_n_write(argv[2],argv[3]); return 1; } }