📄 553.htm
字号:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="15.htm">上一层</a>][<a href="554.htm">下一篇</a>]
<hr><p align="left"><small>发信人: cloudsky (小四), 信区: Security <br>
标 题: RPC/XDR/NFS系列之----rpcinfo利用 <br>
发信站: 武汉白云黄鹤站 (Wed Feb 23 17:15:02 2000), 站内信件 <br>
标题:RPC/XDR/NFS系列之----rpcinfo利用 <br>
原 作:(C) 1996 Jake V. Bouvrie <br>
来 源:http://packetstorm.securify.com/archives.shtml <br>
概述: <br>
前面我们提到完全可以编写shell script调用rpcinfo进行 <br>
rpc scan,这个程序不过是C程序版而已。虽然没有什么技 <br>
术新意,但有这么个工具还是不错的。原程序中有点小毛 <br>
病,已经修正过来,太简单,都懒得加注释。 <br>
测试: <br>
RedHat6.0 <br>
程序: <br>
/* <br>
* rpcscan - An rpc port scanner. <br>
* Usage: rpcscan <startingIP> <endingIP> <br>
* where endingIP >= startingIP <br>
* (c) 1996 Swarthy <br>
* Latest revision: 11.10.96 <br>
*/ <br>
#include <sys/wait.h> <br>
#include <sys/types.h> <br>
#include <unistd.h> <br>
#include <malloc.h> <br>
#include <stdio.h> <br>
#include <stdlib.h> <br>
#define MAX_IP_LEN 15 /* xxx.xxx.xxx.xxx 长度15个字节 */ <br>
struct ipoctet <br>
{ <br>
char a[4]; <br>
char b[4]; <br>
char c[4]; <br>
char d[4]; <br>
}; <br>
struct ipocteti <br>
{ <br>
int a; <br>
int b; <br>
int c; <br>
int d; <br>
}; <br>
int main ( int argc, char * argv[] ) <br>
{ <br>
int i, j, a, b, c, d; <br>
pid_t pid; <br>
char * arg; <br>
struct ipoctet *ipstart, *ipend; <br>
struct ipocteti ipstarti, ipendi; <br>
/* 简单地检查一下命令行参数是否合法 */ <br>
if ( argv[1] == NULL || argv[2] == NULL || ( strlen( argv[1] ) > MAX_IP_ <br>
LEN <br>
) <br>
|| ( strlen( argv[2] ) > MAX_IP_LEN ) ) <br>
{ <br>
fprintf( stderr, "Usage: %s <startingIP> <endingIP>\n", argv[0] ); <br>
exit( -1 ); <br>
} <br>
/* 初始化 */ <br>
i = 0; <br>
j = 0; <br>
ipstart = ( struct ipoctet * )malloc( sizeof( struct ipoctet ) ); <br>
ipend = ( struct ipoctet * )malloc( sizeof( struct ipoctet ) ); <br>
while ( argv[1][i] != '.' ) <br>
{ <br>
ipstart->a[ j++ ] = argv[1][ i++ ]; <br>
} <br>
} <br>
ipstart->a[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[1][i] != '.' ) <br>
{ <br>
ipstart->b[ j++ ] = argv[1][ i++ ]; <br>
} <br>
ipstart->b[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[1][i] != '.' ) <br>
{ <br>
ipstart->c[ j++ ] = argv[1][ i++ ]; <br>
} <br>
ipstart->c[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[1][i] != '\0' ) <br>
{ <br>
ipstart->d[ j++ ] = argv[1][ i++ ]; <br>
} <br>
ipstart->d[j] = '\0'; <br>
i = 0; <br>
j = 0; <br>
while ( argv[2][i] != '.' ) <br>
{ <br>
ipend->a[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->a[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[2][i] != '.' ) <br>
{ <br>
ipend->b[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->b[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[2][i] != '.' ) <br>
{ <br>
ipend->c[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->c[j] = '\0'; <br>
j = 0; <br>
j = 0; <br>
i++; <br>
while ( argv[2][i] != '\0' ) <br>
{ <br>
ipend->d[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->d[j] = '\0'; <br>
/* Convert to integer values and store in struct */ <br>
if ( ipstart->a != NULL ) <br>
{ <br>
ipstarti.a = atoi( ipstart->a ); <br>
} <br>
if ( ipstart->b != NULL ) <br>
{ <br>
ipstarti.b = atoi( ipstart->b ); <br>
} <br>
if ( ipstart->c != NULL ) <br>
{ <br>
ipstarti.c = atoi( ipstart->c ); <br>
} <br>
if ( ipstart->d != NULL ) <br>
{ <br>
ipstarti.d = atoi( ipstart->d ); <br>
} <br>
if ( ipend->a != NULL ) <br>
{ <br>
ipendi.a = atoi( ipend->a ); <br>
} <br>
if ( ipend->b != NULL ) <br>
{ <br>
ipendi.b = atoi( ipend->b ); <br>
} <br>
if ( ipend->c != NULL ) <br>
{ <br>
ipendi.c = atoi( ipend->c ); <br>
} <br>
if ( ipend->d != NULL ) <br>
{ <br>
ipendi.d = atoi( ipend->d ); <br>
} <br>
free( ipend ); <br>
free( ipstart ); <br>
fprintf( stderr, "[ Scanning from %d.%d.%d.%d --> %d.%d.%d.%d ]\n", <br>
ipstarti.a, ipstarti.b, ipstarti.c, ipstarti.d, <br>
ipendi.a, ipendi.b, ipendi.c, ipendi.d ); <br>
for ( a = ipstarti.a; a <= ipendi.a; a++ ) <br>
{ <br>
for ( b = ipstarti.b; b <= ipendi.b; b++ ) <br>
{ <br>
for ( c = ipstarti.c; c <= ipendi.c; c++ ) <br>
{ <br>
for ( d = ipstarti.d; d <= ipendi.d; d++ ) <br>
{ <br>
arg = ( char * )malloc( 17 ); <br>
sprintf( arg, "%d.%d.%d.%d", a, b, c, d ); <br>
fprintf( stderr, "[ /usr/sbin/rpcinfo -p %s ]\n", arg ); <br>
<br>
/* fprintf( stderr, "[ rpcinfo -p %s ]\n", arg ); */ <br>
pid = fork(); <br>
if ( pid == 0 ) /* 子进程 */ <br>
{ <br>
execl( "/usr/sbin/rpcinfo", "/usr/sbin/rpcinfo", "-p <br>
", a <br>
rg, NULL ); <br>
/* execlp( "rpcinfo", "rpcinfo", "-p", arg, NULL ); <br>
*/ <br>
exit( 0 ); <br>
} <br>
waitpid( pid, NULL, 0 ); <br>
free( arg ); <br>
} <br>
} <br>
} <br>
} <br>
return( 0 ); <br>
} /* end of main */ <br>
[scz@ /home/scz/src/rpc]> gcc -pipe -O3 -o rpcscan rpcscan.c <br>
[scz@ /home/scz/src/rpc]> strip rpcscan <br>
[scz@ /home/scz/src/rpc]> ./rpcscan 192.168.67.107 192.168.67.108 <br>
[ Scanning from 192.168.67.107 --> 192.168.67.108 ] <br>
[ /usr/sbin/rpcinfo -p 192.168.67.107 ] <br>
program vers proto port <br>
... ... <br>
[scz@ /home/scz/src/rpc]> <br>
这些信息的获得对于发起RPC远程攻击相当重要,在本系列的后面我们会 <br>
给出针对特定RPC Server的扫描程序。事实上这个程序适当修改后也可以 <br>
针对特定RPC Server进行扫描,需要利用grep或者sed这种程序,但效率 <br>
未免太低,还是等等,看我们后面提供的程序吧。 <br>
注意到这个程序实际上可以用来针对一段IP地址执行同一个网络命令, <br>
只需要简单修改就可以进行showmount -e扫描,调用ping、land、igmp <br>
等等进行大范围网络攻击。当然,你在做这些动作的同时暴露了自己, <br>
建议不要玩这种低级游戏。 <br>
scz < mailto: cloudsky@263.net > <br>
2000.02.23 11:29 (待续) <br>
-- <br>
我问飘逝的风:来迟了? <br>
风感慨:是的,他们已经宣战。 <br>
我问苏醒的大地:还有希望么? <br>
大地揉了揉眼睛:还有,还有无数代的少年。 <br>
我问长空中的英魂:你们相信? <br>
英魂带着笑意离去:相信,希望还在。 <br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="15.htm">上一层</a>][<a href="554.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -