Ftpdse scans a list of IP addresses for FTP servers, logs the version, and can optionally see if site exec accepts format strings.
2203a1227b7895400cdfbf6ab6e306613fc5af3eea72148088c3760eb25d6eaf
/*
* ftpdse 0.1b - by vENOMOUS of rdC - 25/jul/00 - https://www.rdcrew.com.ar
*
* This will open a specific file [-f file], get the IPs from it,
* then check whether the FTP port [ -p 21 ] is open and log the version.
* If you specify the [ -s ] flag it will try to log into the FTP server
* and execute the command 'site exec %p' to see if it is vulnerable;
* you can specify the -o flag to execute that command only on wuftpd2.6.0
*
* Greets: elbruj0 / den0 / ka0z / meengo / #rdC / #flatline
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
/* Forward declarations for the functions defined later in this file. */
void usage(char *damn);
char rdcopenfile(char g0d[257]);
void RDCconnect2(char host[1000], int puerto);
int ftp_command(int sox, char comando[1024]);
int checkresponse(char comando[1024], char respuesta[1024]);
void sigh();

/* Handle for the host-list file; opened and closed inside rdcopenfile(). */
FILE *file;

char ipsfile[256];      /* path of the host list, taken from -f */
char bleh[10000][200];  /* host list: one line of the file per row */
char homer[256];        /* message printed when connect() fails */

int sockfd;             /* socket for the host currently being probed */
int leen2 = 0;          /* number of rows of bleh[] that have been filled */
int login = 0;          /* non-zero: log in and send the site exec check (-s) */
int only2600 = 0;       /* non-zero: gate the check on a "2.6.0" banner (-o) */
int guia = 0;           /* last result ftp_command() got from checkresponse() */
int heh = 0;            /* result of the banner check in RDCconnect2() */
int xx = 0;             /* index of the host main() is currently processing */
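/*
 * Entry point: parse the command line, load the host list named by -f,
 * then probe every loaded entry in file order.
 *
 * Options (see usage()):
 *   -f file  host list, one entry per line
 *   -p port  TCP port to probe, default 21
 *   -s       log in and issue the site exec check
 *   -o       only issue that check when the banner contains "2.6.0";
 *            requires -s
 *
 * Returns 0 once every entry has been processed; usage() and the
 * helpers call exit() themselves on fatal errors.
 */
int main(int argc, char **argv)
{
    /* getopt() returns int.  Storing it in a plain char makes the
     * end-of-options comparison fail where char is unsigned. */
    int arg;
    int p0rt = 21;

    if (argc < 3)
        usage(argv[0]);

    while ((arg = getopt(argc, argv, "f:p:os")) != -1) {
        switch (arg) {
        case 'f': {
            /* Reject over-long paths instead of silently truncating
             * them and opening a different file than the one asked for. */
            int n = snprintf(ipsfile, sizeof ipsfile, "%s", optarg);
            if (n < 0 || (size_t)n >= sizeof ipsfile)
                usage(argv[0]);
            break;
        }
        case 'p': {
            /* atoi() cannot report errors; accept only a complete
             * decimal number inside the valid TCP port range. */
            char *end;
            long v = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || v < 1 || v > 65535)
                usage(argv[0]);
            p0rt = (int)v;
            break;
        }
        case 's':
            login = 1;
            break;
        case 'o':
            only2600 = 1;
            break;
        default:
            usage(argv[0]);
            break;
        }
    }

    /* -o only narrows the -s check, so it is meaningless on its own. */
    if (only2600 && !login)
        usage(argv[0]);

    fprintf(stdout, "starting scan... \n");
    fflush(stdout);

    rdcopenfile(ipsfile);
    for (xx = 0; xx < leen2; xx++)
        RDCconnect2(bleh[xx], p0rt);

    fprintf(stdout, "---------------------------------------------------------<[ end of scan\n");
    return 0;
}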
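/*
 * Load the host list from the file named by g0d into the global bleh[]
 * table, one line per row, and leave the number of rows in leen2.
 *
 * Each row keeps the trailing newline that fgets() stores.  A line longer
 * than 189 characters is split across consecutive rows.
 *
 * Exits the process with status 1 if the file cannot be opened.
 * Always returns 0; the return type is kept for the existing prototype.
 */
char rdcopenfile(char g0d[257])
{
    /* Row capacity of bleh[].  The original loop had no upper bound and
     * wrote past the end of the table on files with more lines than rows. */
    const int max_rows = (int)(sizeof bleh / sizeof bleh[0]);

    if ((file = fopen(g0d, "r")) == NULL) {
        printf("\nftpdse 0.1b by vENOMOUS of rdC - venomous@rdcrew.com.ar - 25/jul/00\n");
        printf("\nCannot open file %s for reading\n\n", g0d);
        exit(1);
    }

    while (leen2 < max_rows && fgets(bleh[leen2], 190, file) != NULL)
        leen2++;

    /* Tell the operator when input was dropped rather than hiding it. */
    if (leen2 == max_rows && fgetc(file) != EOF)
        fprintf(stderr, "host list truncated at %d entries\n", max_rows);

    fclose(file);
    return 0;
}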
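/*
 * Probe one host: resolve it, connect to TCP port `puerto` with a
 * 10 second SIGALRM-based connect timeout, read and print the greeting
 * banner, and, when the global `login` flag is set, log in as "ftp" and
 * send the site exec check before disconnecting.
 *
 * host    name or dotted-quad address as read from the host list
 * puerto  TCP port in host byte order
 *
 * Uses the globals sockfd, homer, heh, login and only2600.  Exits the
 * whole process with status 0 when `host` neither resolves nor parses
 * as an address.
 */
void RDCconnect2(char host[1000], int puerto)
{
    char versi0n[5000];
    int nmb;
    struct sockaddr_in beb;
    struct hostent *d0h;

    /* Start from a fully zeroed address so sin_zero is not stack garbage. */
    memset(&beb, 0, sizeof beb);
    beb.sin_family = AF_INET;
    beb.sin_port = htons(puerto);

    d0h = gethostbyname(host);
    if (!d0h) {
        if ((beb.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) {
            printf("\nftpdse 0.1b by vENOMOUS of rdC - venomous@rdcrew.com.ar - 25/jul/00\n");
            printf("\nPut a correct address\n\n");
            exit(0);
        }
    } else {
        /* Never copy more than sin_addr can hold, whatever length the
         * resolver reports. */
        size_t alen = (size_t)d0h->h_length;
        if (alen > sizeof beb.sin_addr)
            alen = sizeof beb.sin_addr;
        memcpy(&beb.sin_addr, d0h->h_addr_list[0], alen);
    }

    /* Default failure text; sigh() replaces it when the alarm fires. */
    strcpy(homer, "unable to connect: connection refused");

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    fprintf(stdout, "\n---------------------------------------------------------<[ ip %s", host);
    fflush(stdout);
    if (sockfd < 0) {
        fprintf(stdout, "unable to create socket\n\n");
        fflush(stdout);
        return;
    }

    signal(SIGALRM, sigh);
    alarm(10);
    if (connect(sockfd, (struct sockaddr *)&beb, sizeof beb) < 0) {
        /* Cancel the pending alarm and release the descriptor; the
         * original returned here with both still outstanding.  If sigh()
         * already closed the socket this close() just fails harmlessly. */
        alarm(0);
        close(sockfd);
        fprintf(stdout, "%s\n\n", homer);
        fflush(stdout);
        return;
    }
    alarm(0);

    /* The banner is remote-controlled data.  Reading one byte less than
     * the zeroed buffer guarantees a NUL terminator for the strlen(),
     * strstr() and %s uses below; the original allowed a full 5000-byte
     * read that left the buffer unterminated. */
    memset(versi0n, 0, sizeof versi0n);
    nmb = (int)recv(sockfd, versi0n, sizeof versi0n - 1, 0);
    if (nmb == -1) {
        fprintf(stdout, "Connection reset by peer?\n\n");
        fflush(stdout);
        close(sockfd);
        return;
    }

    if (strlen(versi0n) == 0) {
        close(sockfd);
        return;
    }

    /* checkresponse() closes sockfd itself when it rejects the banner. */
    if ((heh = checkresponse("versioncheck", versi0n)) != 1)
        return;

    /* NOTE(review): the banner is printed unfiltered, so control
     * characters sent by the remote server reach the operator's terminal. */
    fprintf(stdout, "server's banner...\n%s\n", versi0n);
    fflush(stdout);

    /* With -o the decision to log in is re-made for every host, based on
     * whether this banner mentions "2.6.0". */
    if (only2600)
        login = strstr(versi0n, "2.6.0") ? 1 : 0;

    if (login) {
        /* On a rejected USER or PASS, checkresponse() has already closed
         * the socket, so returning directly does not leak it. */
        fprintf(stdout, "login as ftp\n");
        if (ftp_command(sockfd, "USER ftp\n") != 1)
            return;
        fprintf(stdout, "sending password\n");
        if (ftp_command(sockfd, "PASS windows@2000.com\n") != 1)
            return;
        fprintf(stdout, "executing site exec...\n");
        ftp_command(sockfd, "site exec %p\n");
        fprintf(stdout, "disconnecting\n");
        ftp_command(sockfd, "quit\n");
    }

    close(sockfd);
}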
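/*
 * Send one command line on socket `sox`, wait a second, read whatever
 * the server answered, print it, and classify it with checkresponse().
 *
 * sox      connected socket
 * comando  NUL-terminated command text, sent as-is
 *
 * Returns the checkresponse() verdict and also stores it in the global
 * `guia`.  A failed or empty read is treated as an empty answer.
 */
int ftp_command(int sox, char comando[1024])
{
    char answer[5012] = "";
    ssize_t got;

    send(sox, comando, strlen(comando), 0);
    sleep(1);

    /* The reply is remote-controlled.  Leave room for a terminator and
     * set it explicitly: the original read up to sizeof(answer) bytes,
     * so a full-size reply left the buffer unterminated for the %s and
     * strstr() uses that follow. */
    got = read(sox, answer, sizeof answer - 1);
    answer[got > 0 ? (size_t)got : 0] = '\0';

    /* NOTE(review): printed unfiltered, so control characters from the
     * server reach the operator's terminal. */
    fprintf(stdout, "response: \n%s\n", answer);

    guia = checkresponse(comando, answer);
    return guia;
}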
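/* Return the first entry of the NULL-terminated list `needles` that
 * occurs as a substring of `haystack`, or NULL when none does. */
static const char *first_match(const char *haystack, const char *const *needles)
{
    for (; *needles != NULL; needles++) {
        if (strstr(haystack, *needles))
            return *needles;
    }
    return NULL;
}

/*
 * Decide whether a server reply allows the session to continue.
 *
 * com        the command that was sent, or the literal "versioncheck"
 *            when `respuesta` is the greeting banner
 * respuesta  NUL-terminated reply text
 *
 * Matching is a case-sensitive substring search against a short list
 * chosen by `com` (containing "USER", "PASS" or "versioncheck").
 *
 * Returns 0 when the reply matches a rejection pattern; in that case a
 * message is printed and the global sockfd is closed.  Returns 1
 * otherwise, including for commands that have no pattern list.
 */
int checkresponse(char com[1024], char respuesta[1024])
{
    /* NULL-terminated pattern lists.  The original sized its scan loops
     * with sizeof(array), a byte count rather than an element count, and
     * stayed in bounds only because of the NULL padding. */
    static const char *const not_anon[] = {
        "denied", "unknown", "not found", "USER anonymous", NULL
    };
    static const char *const pass[] = { "Can't set", NULL };
    static const char *const version[] = {
        "Microsoft", "WinSock", "NetWare", "Proxy Server", NULL
    };
    const char *hit;

    if (strstr(com, "USER")) {
        if (first_match(respuesta, not_anon)) {
            fprintf(stdout, "\nanonymous access not allowed in this host.\n\n");
            close(sockfd);
            return 0;
        }
        return 1;
    }

    if (strstr(com, "PASS")) {
        if (first_match(respuesta, pass)) {
            fprintf(stdout, "\nincorrect password\n\n");
            close(sockfd);
            return 0;
        }
        return 1;
    }

    if (strstr(com, "versioncheck")) {
        hit = first_match(respuesta, version);
        if (hit) {
            fprintf(stdout, "skipping host cuz is running %s\n\n", hit);
            close(sockfd);
            return 0;
        }
        return 1;
    }

    /* The original fell off the end here without returning a value, so
     * ftp_command() stored an indeterminate result for any other command. */
    return 1;
}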
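/*
 * SIGALRM handler installed by RDCconnect2() around connect().
 *
 * Replaces the failure text in the global `homer` with the timeout
 * message and closes the global sockfd.
 *
 * The handler now takes the signal number: signal() invokes it through
 * a void (*)(int) pointer, which does not match a definition that
 * declares no parameters.
 */
void sigh(int signo)
{
    (void)signo; /* only ever installed for SIGALRM */
    strcpy(homer, "unable to connect: timeout");
    close(sockfd);
}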
/*
 * Print the banner and option summary to stdout, then terminate the
 * process with exit status 0.
 *
 * damn  program name shown in the synopsis line (callers pass argv[0])
 */
void usage(char *damn)
{
    /* Fixed text goes through fputs(); only the synopsis needs formatting. */
    fputs("\n<[( ftpse 0.1b by vENOMOUS of rdC - venomous@rdcrew.com.ar - 25/jul/00 )]>\n", stdout);
    fputs("<[( usage:\n", stdout);
    printf("<[( %s -f file [-p port] [-o] [-s] \n\n", damn);
    fputs("<[( -f file: file is the IPs file.\n", stdout);
    fputs("<[( -p port: port to connect to, default 21.\n", stdout);
    fputs("<[( -s: login and check site exec command\n", stdout);
    fputs("<[( -o: Only check siteexec command on wuftpd2.6.0\n", stdout);
    exit(0);
}