📄 561.htm
字号:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="15.htm">上一层</a>][<a href="562.htm">下一篇</a>]
<hr><p align="left"><small>发信人: cloudsky (小四), 信区: Security <br>
标 题: RPC/XDR/NFS系列之----RPC编程初战(3) <br>
发信站: 武汉白云黄鹤站 (Wed Feb 23 17:20:06 2000), 站内信件 <br>
标题:RPC/XDR/NFS系列之----RPC编程初战(3) <br>
概述: <br>
对(2)中代码修改后得到的rpcscan.c <br>
参看本系列之 <br>
<< RPC/XDR/NFS系列之----rpcinfo利用 >> <br>
<< RPC/XDR/NFS系列之----RPC编程初战(2) >> <br>
测试: <br>
RedHat6.0 <br>
程序: <br>
/* <br>
File Name: rpcscan.c <br>
Author : unknown <br>
Test : Linux 2.2.5 <br>
Compile : gcc -pipe -O3 -o rpcscan rpcscan.c <br>
Usage : rpcscan <startIp> <endIp> <rpcServerNumber> <br>
Date : 2000/02/23 <br>
*/ <br>
#include <sys/types.h> <br>
#include <unistd.h> <br>
#include <malloc.h> <br>
#include <stdio.h> <br>
#include <netdb.h> <br>
#include <stdlib.h> <br>
#include <signal.h> <br>
#include <rpc/rpc.h> <br>
#include <arpa/inet.h> <br>
#include <sys/socket.h> <br>
#include <netinet/in.h> <br>
#include <netinet/ip.h> <br>
#include <rpc/pmap_prot.h> <br>
#include <rpc/pmap_clnt.h> <br>
#define MAX_IP_LEN 15 /* xxx.xxx.xxx.xxx 长度15个字节 */ <br>
struct ipoctet <br>
{ <br>
char a[4]; <br>
char b[4]; <br>
char c[4]; <br>
char d[4]; <br>
}; <br>
struct ipocteti <br>
{ <br>
int a; <br>
int a; <br>
int b; <br>
int c; <br>
int d; <br>
}; <br>
void doNothing ( int arg ) <br>
{ <br>
return; <br>
} /* end of doNothing */ <br>
u_long resolveHost ( char * host ) <br>
{ <br>
struct hostent * he; <br>
unsigned long ip; <br>
if( ( he = gethostbyname( host ) ) == NULL ) <br>
{ <br>
ip = inet_addr( host ); /* 网络字节顺序 */ <br>
if ( ip == INADDR_NONE ) <br>
{ <br>
ip = 0; <br>
} <br>
} <br>
else <br>
{ <br>
{ <br>
bcopy( he->h_addr_list[0], &ip, sizeof( unsigned long ) ); <br>
} <br>
return( ip ); <br>
} /* end of resolveHost */ <br>
int rpcServerDump ( char * host, int rpcServerNumber ) <br>
{ <br>
struct sockaddr_in server_addr; <br>
struct pmaplist * head = NULL; <br>
int rpcsocket = RPC_ANYSOCK; <br>
struct timeval minutetimeout; <br>
register CLIENT * clientHandle; <br>
struct rpcent * rpc; <br>
server_addr.sin_addr.s_addr = resolveHost( host ); /* 获得远程主机IP地址 <br>
*/ <br>
server_addr.sin_family = AF_INET; /* 只能是这个地址族 <br>
*/ <br>
server_addr.sin_port = htons( PMAPPORT ); /* 111端口 */ <br>
minutetimeout.tv_sec = 15; <br>
minutetimeout.tv_usec = 0; <br>
/* cause clnttcp_create uses connect() */ <br>
signal( SIGALRM, doNothing ); <br>
alarm( 15 ); <br>
/* 创建句柄 */ <br>
if ( ( clientHandle = clnttcp_create( &server_addr, <br>
PMAPPROG, PMAPVERS, &rpcsocket, 50, 500 ) ) == NULL ) <br>
{ <br>
alarm( 0 ); <br>
signal( SIGALRM, SIG_DFL ); <br>
return( 0 ); <br>
} <br>
alarm( 0 ); <br>
signal( SIGALRM, SIG_DFL ); <br>
/* portmapper本身是一个rpc server,提供远程过程PMAPPROC_DUMP */ <br>
if ( clnt_call( clientHandle, PMAPPROC_DUMP, ( xdrproc_t )xdr_void, NULL <br>
, <br>
( xdrproc_t )xdr_pmaplist, ( caddr_t )&head, minutetimeout ) <br>
!= RPC_SUCCESS ) <br>
{ <br>
return( 0 ); <br>
} <br>
if ( head != NULL ) <br>
{ <br>
for ( ; head != NULL; head = head->pml_next ) <br>
{ <br>
{ <br>
if ( head->pml_map.pm_prog == rpcServerNumber ) <br>
{ <br>
return( 1 ); <br>
} <br>
} <br>
} <br>
return( 0 ); <br>
} /* end of rpcServerDump */ <br>
int main ( int argc, char * argv[] ) <br>
{ <br>
int i, j, a, b, c, d; <br>
int progNumber = PMAPPROG; <br>
char * targetIp; <br>
struct ipoctet *ipstart, *ipend; <br>
struct ipocteti ipstarti, ipendi; <br>
if ( argc < 4 ) <br>
{ <br>
fprintf( stderr, "Usage: %s <startIp> <endIp> <rpcServerNumber>\n", <br>
argv <br>
[0] ); <br>
exit( -1 ); <br>
} <br>
} <br>
/* 简单地检查一下命令行参数是否合法 */ <br>
if ( ( strlen( argv[1] ) > MAX_IP_LEN ) || ( strlen( argv[2] ) > MAX_IP_ <br>
LEN <br>
) ) <br>
{ <br>
fprintf( stderr, "Usage: %s <startIp> <endIp> <rpcServerNumber>\n", <br>
argv <br>
[0] ); <br>
exit( -1 ); <br>
} <br>
/* 初始化 */ <br>
progNumber = atoi( argv[3] ); <br>
i = 0; <br>
j = 0; <br>
ipstart = ( struct ipoctet * )malloc( sizeof( struct ipoctet ) ); <br>
ipend = ( struct ipoctet * )malloc( sizeof( struct ipoctet ) ); <br>
while ( argv[1][i] != '.' ) <br>
{ <br>
ipstart->a[ j++ ] = argv[1][ i++ ]; <br>
} <br>
ipstart->a[j] = '\0'; <br>
j = 0; <br>
j = 0; <br>
i++; <br>
while ( argv[1][i] != '.' ) <br>
{ <br>
ipstart->b[ j++ ] = argv[1][ i++ ]; <br>
} <br>
ipstart->b[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[1][i] != '.' ) <br>
{ <br>
ipstart->c[ j++ ] = argv[1][ i++ ]; <br>
} <br>
ipstart->c[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[1][i] != '\0' ) <br>
{ <br>
ipstart->d[ j++ ] = argv[1][ i++ ]; <br>
} <br>
ipstart->d[j] = '\0'; <br>
i = 0; <br>
j = 0; <br>
j = 0; <br>
while ( argv[2][i] != '.' ) <br>
{ <br>
ipend->a[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->a[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[2][i] != '.' ) <br>
{ <br>
ipend->b[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->b[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[2][i] != '.' ) <br>
{ <br>
ipend->c[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->c[j] = '\0'; <br>
j = 0; <br>
i++; <br>
while ( argv[2][i] != '\0' ) <br>
{ <br>
ipend->d[ j++ ] = argv[2][ i++ ]; <br>
} <br>
ipend->d[j] = '\0'; <br>
/* Convert to integer values and store in struct */ <br>
if ( ipstart->a != NULL ) <br>
{ <br>
ipstarti.a = atoi( ipstart->a ); <br>
} <br>
if ( ipstart->b != NULL ) <br>
{ <br>
ipstarti.b = atoi( ipstart->b ); <br>
} <br>
if ( ipstart->c != NULL ) <br>
{ <br>
ipstarti.c = atoi( ipstart->c ); <br>
} <br>
if ( ipstart->d != NULL ) <br>
{ <br>
ipstarti.d = atoi( ipstart->d ); <br>
} <br>
if ( ipend->a != NULL ) <br>
{ <br>
ipendi.a = atoi( ipend->a ); <br>
} <br>
if ( ipend->b != NULL ) <br>
{ <br>
ipendi.b = atoi( ipend->b ); <br>
} <br>
if ( ipend->c != NULL ) <br>
{ <br>
ipendi.c = atoi( ipend->c ); <br>
} <br>
if ( ipend->d != NULL ) <br>
{ <br>
ipendi.d = atoi( ipend->d ); <br>
} <br>
free( ipend ); <br>
free( ipstart ); <br>
fprintf( stderr, "[ Scanning from %d.%d.%d.%d --> %d.%d.%d.%d ]\n", <br>
ipstarti.a, ipstarti.b, ipstarti.c, ipstarti.d, <br>
ipendi.a, ipendi.b, ipendi.c, ipendi.d ); <br>
for ( a = ipstarti.a; a <= ipendi.a; a++ ) <br>
{ <br>
{ <br>
for ( b = ipstarti.b; b <= ipendi.b; b++ ) <br>
{ <br>
for ( c = ipstarti.c; c <= ipendi.c; c++ ) <br>
{ <br>
for ( d = ipstarti.d; d <= ipendi.d; d++ ) <br>
{ <br>
targetIp = ( char * )malloc( 17 ); <br>
sprintf( targetIp, "%d.%d.%d.%d", a, b, c, d ); <br>
fprintf( stderr, "." ); <br>
if ( rpcServerDump( targetIp, progNumber ) ) <br>
{ <br>
fprintf( stderr, "\n[ %s found ]\n", targetIp ); <br>
} <br>
free( targetIp ); <br>
} <br>
} <br>
} <br>
} <br>
fprintf( stderr, "\n[ Scan finished ]\n" ); <br>
return( 0 ); <br>
} /* end of main */ <br>
[scz@ /home/scz/src/rpc]> gcc -pipe -O3 -o rpcscan rpcscan.c <br>
[scz@ /home/scz/src/rpc]> strip rpcscan <br>
[scz@ /home/scz/src/rpc]> ./rpcscan <br>
Usage: ./rpcscan <startIp> <endIp> <rpcServerNumber> <br>
[scz@ /home/scz/src/rpc]> ./rpcscan 192.168.67.100 192.168.67.110 100000 <br>
[ Scanning from 192.168.67.100 --> 192.168.67.110 ] <br>
........ <br>
[ 192.168.67.107 found ] <br>
. <br>
[ 192.168.67.108 found ] <br>
.. <br>
[ Scan finished ] <br>
[scz@ /home/scz/src/rpc]> <br>
讨论: <br>
通过向portmapper查询而不是直接向rpc server发起远程过程调用来进行rpc scan <br>
,因 <br>
为 <br>
你可能并不知道目标rpc server的当前版本号。其次这种扫描技术可以不用考虑rp <br>
c se <br>
rver <br>
在UDP支持下还是TCP支持下。但是,这种扫描技术非常耗时,针对一个C类网的扫描 <br>
足 <br>
以 <br>
以 <br>
等到你当祖父。 <br>
使用远程程序号进行rpc scan比使用rpc server name进行扫描要好些,因为远程程 <br>
序 <br>
号 <br>
相对比较固定统一,而rpc server name就不那么统一了。 <br>
远程程序号100068,嘿,就是rpc.cmsd呀,可以用上面提供的这个程序进行广域网 <br>
上的 <br>
rpc.cmsd搜索,接下来就是http://oliver.efri.hr/~crv/security/bugs/SunOS/r <br>
pccm <br>
sd2.html <br>
的事情了。虽然很多现成rpc远程攻击程序是针对solaris平台的,需要在Sun工作站 <br>
上 <br>
编 <br>
译运行,但是如果你足够清醒的话,完全可以修改程序使得从Linux平台上远 <br>
程攻击 <br>
solaris平台,这是不冲突的。有时间的话,我会给出一个这样的rpc.cmsd攻击程序 <br>
。 <br>
程序可以修改成另外的方式,比如给出一个rpc server number list,然后扫描。 <br>
<br>
下面是以前提过的一个演示用shell script,没有过多技术意义,纯粹是好玩: <br>
#! /bin/sh <br>
rm -rf rpcinfo.txt <br>
/usr/sbin/rpcinfo -p $1 &> rpcinfo.txt <br>
cat rpcinfo.txt | grep "100002" &> /dev/null <br>
if [ $? -eq 0 ]; then <br>
echo "rusersd" <br>
fi <br>
cat rpcinfo.txt | grep "100003" &> /dev/null <br>
if [ $? -eq 0 ]; then <br>
echo "nfs" <br>
fi <br>
rm -rf rpcinfo.txt <br>
可以修改这个shell script,然后和<< RPC/XDR/NFS系列之----rpcinfo利用 >> <br>
中的rpcscan相结合,于是就完成了针对一段IP地址扫描一批rpc server的功能。 <br>
从前面的系列文章中可以看出,RPC不是什么神秘的东西,虽然总有人企图让你畏惧 <br>
它 <br>
, <br>
让你认为核武器只能掌握在超级大国手中,我只是想吐。这个系列,目的很 <br>
简单,给你 <br>
一点自信,走上Unix程序员该走的路,师父引入门修行在个人,不要怕。虽然我很 <br>
水, <br>
可我不希望身后的少年们象我这样水。 <br>
scz < mailto: cloudsky@263.net > <br>
2000.02.23 13:52 (待续) <br>
-- <br>
我问飘逝的风:来迟了? <br>
风感慨:是的,他们已经宣战。 <br>
我问苏醒的大地:还有希望么? <br>
大地揉了揉眼睛:还有,还有无数代的少年。 <br>
我问长空中的英魂:你们相信? <br>
英魂带着笑意离去:相信,希望还在。 <br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="15.htm">上一层</a>][<a href="562.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -