
📄 synscan.c

📁 漏洞扫描源码,可以扫描linux,windows,交换机路由器
💻 C
📖 第 1 页 / 共 2 页
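#include <includes.h>
#include <nessusraw.h>

#undef DEBUG
#undef SHOW_RETRIES
#undef SHOW_RTT_REMOVAL

/* A probe is re-sent up to this many times before its port is given up on. */
#define NUM_RETRIES 2
/* Sentinel list pointer; every list helper below maps it to NULL. */
#define SCAN_FATAL_ERR ((void *)(-1))

/* Fallbacks used when the including build does not provide these hooks. */
#ifndef ipci
#define ipci()
#define ipcd()
#define ipcc() ( 0 == 1 )
#define cct(x,y) ( 1 == 1 )
#endif

/*----------------------------------------------------------------------------*/

/*
 * TCP pseudo-header followed by the TCP header itself; this is the buffer
 * the TCP checksum is computed over in mktcp().
 */
struct pseudohdr {
	struct in_addr  saddr;
	struct in_addr  daddr;
	u_char          zero;
	u_char          protocol;
	u_short         length;
	struct tcphdr   tcpheader;
};

/* Without IPv6 support the v6 names collapse onto their v4 counterparts. */
#ifndef IPV6_SUPPORT
#define sockaddr_in6 sockaddr
#define in_addr6     in_addr
#ifndef AF_INET6
#define AF_INET6     AF_INET
#endif
#endif

/* Non-zero selects the IPv6 code paths in rawsocket() and extracttcp(). */
static int is_ipv6 = 0;

/*
 * Internet ones-complement checksum over n bytes starting at p.
 *
 * Declared with a prototype (the original used a K&R definition) so that
 * callers passing a sizeof expression get a proper conversion to int.
 */
static int in_cksum(u_short *p, int n)
{
	register u_short answer;
	register unsigned long sum = 0;
	u_short         odd_byte = 0;

	while (n > 1) {
		sum += *p++;
		n -= 2;
	}

	/* mop up an odd byte, if necessary */
	if (n == 1) {
		*(u_char *) (&odd_byte) = *(u_char *) p;
		sum += odd_byte;
	}

	sum = (sum >> 16) + (sum & 0xffff);	/* add hi 16 to low 16 */
	sum += (sum >> 16);			/* add carry */
	answer = (int) ~sum;			/* ones-complement, truncate */
	return (answer);
}

/*
 * Pack the current time into 32 bits, network byte order: the low 4 bits
 * of the seconds go into the top nibble, the microseconds (divided by 16)
 * into the remaining 28 bits.  The value therefore wraps every 16 seconds.
 */
unsigned long maketime()
{
	struct timeval  tv;
	unsigned long   ret;

	gettimeofday(&tv, NULL);
	/* Shift on an unsigned value: 0xF << 28 overflows a 32-bit signed long. */
	ret = (((unsigned long) tv.tv_sec & 0x0000000FUL) << 28)
	    | (((unsigned long) tv.tv_usec & 0xFFFFFFF0UL) >> 4);
	return htonl(ret);
}

/*
 * Decode a value in the maketime() format (network byte order) into a
 * struct timeval.  The result is normalised and capped at 2 seconds.
 */
struct timeval timeval(unsigned long val)
{
	struct timeval  ret;
	unsigned int    h, l;

	val = ntohl(val);
	h = (val & 0xF0000000) >> 28;
	l = (val & 0x0FFFFFFF) << 4;

	ret.tv_sec = h;
	ret.tv_usec = l;
	while (ret.tv_usec >= 1000000) {
		ret.tv_usec -= 1000000;
		ret.tv_sec++;
	}

	if (ret.tv_sec > 2) {
		ret.tv_sec = 2;
		ret.tv_usec = 0;
	}
	return ret;
}

/*
 * Time elapsed between `then' (a maketime() stamp, network byte order) and
 * now, in the same packed format and byte order.  Returns 0 when `then'
 * decodes to a later value than now, and caps the result at 1 << 28.
 */
unsigned long compute_rtt(unsigned long then)
{
	unsigned long   now = maketime();
	unsigned long   res;
	unsigned long   a, b;

	a = (unsigned long) ntohl(now);
	b = (unsigned long) ntohl(then);

	if (b > a) {
		return 0;
	}
	res = a - b;
	if (res >= (1UL << 28))
		res = 1UL << 28;

	return htonl(res);
}

/*
 * Returns 1 when the probe stamped `then' is considered lost at time `now'
 * (both in maketime() format, network byte order), 0 otherwise.
 *
 * The threshold is the fixed value 2 << 28; `rtt' is accepted for interface
 * compatibility but does not take part in the decision.
 * NOTE(review): with a 64-bit unsigned long, now < then yields a huge
 * difference and the probe is reported dead -- confirm this is intended
 * across the 16-second wrap of maketime().
 */
int packetdead(unsigned long then, unsigned long rtt, unsigned long now)
{
	(void) rtt;

	then = ntohl(then);
	now = ntohl(now);

	if ((now - then) >= (2UL << 28)) {
		return 1;
	} else {
		return 0;
	}
}

/*
 * Open the raw socket used to send probes.  For IPv4 the socket is
 * IPPROTO_RAW with IP_HDRINCL set (where available), so the caller supplies
 * the full IP header; for IPv6 it is a raw IPPROTO_TCP socket.
 * Raw sockets normally require elevated privileges.
 *
 * Returns the descriptor, or a negative value on failure.
 */
int rawsocket()
{
	int             soc = -1;
	int             opt = 1;

	if (is_ipv6 == 0) {
		soc = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
		if (soc < 0) {
			perror("socket ");
			return -1;
		}
#ifdef IP_HDRINCL
		if (setsockopt(soc, IPPROTO_IP, IP_HDRINCL, (char *) &opt, sizeof(opt)) < 0) {
			perror("setsockopt ");
			close(soc);
			return -1;
		}
#endif
	} else {
		soc = socket(AF_INET6, SOCK_RAW, IPPROTO_TCP);
	}

	return soc;
}

/*
 * Open a capture handle restricted to TCP packets coming from `dst' and
 * addressed to local port `magic'.  routethrough() picks the interface and
 * fills in *src.
 * NOTE(review): the interface returned by routethrough() is passed on
 * unchecked -- confirm bpf_open_live() copes with a NULL name.
 */
int openbpf(struct in_addr dst, struct in_addr * src, int magic)
{
	char           *iface;
	char            filter[255];
	int             bpf;

	iface = routethrough(&dst, src);
	snprintf(filter, sizeof(filter), "tcp and src host %s and dst port %d", inet_ntoa(dst), magic);
	bpf = bpf_open_live(iface, filter);
	return bpf;
}

#ifdef IPV6_SUPPORT
/* IPv6 counterpart of openbpf(). */
int openbpf6(struct sockaddr_in6 * dst, int magic)
{
	char           *iface;
	char            filter[255];
	char            buf[512];
	int             bpf;
	struct in6_addr src;

	iface = routethrough6(dst, &src);
	inet_ntop(AF_INET6, &dst->sin6_addr, buf, sizeof(buf));
	snprintf(filter, sizeof(filter), "ip6 and tcp and src host %s and dst port %d", buf, magic);
	bpf = bpf_open_live(iface, filter);
	return bpf;
}
#else
/* Built without IPv6 support: always fails. */
int openbpf6(struct sockaddr_in6 * dst, int magic)
{
	return -1;
}
#endif

/*----------------------------------------------------------------------------*/

/* Doubly linked list of probes that have been sent and not yet answered. */
struct list {
	unsigned short  dport;		/* destination port of the probe */
	unsigned long   when;		/* stamp recorded when it was (re)sent */
	int             retries;	/* number of re-sends so far */
	struct list    *prev;
	struct list    *next;
};

/* Find the entry for `dport'; NULL if absent or if `l' is SCAN_FATAL_ERR. */
struct list    *get_packet(struct list * l, unsigned short dport)
{
	if (l == SCAN_FATAL_ERR)
		return NULL;

	for (; l != NULL; l = l->next) {
		if (l->dport == dport)
			return l;
	}
	return NULL;
}

/*
 * Record a probe for `dport' stamped `ack'.  An existing entry has its
 * retry counter bumped and its stamp refreshed; otherwise a new entry is
 * pushed on the front.  Returns the (possibly new) list head, or NULL if
 * `l' is SCAN_FATAL_ERR.
 */
struct list    *add_packet(struct list * l, unsigned short dport, unsigned long ack)
{
	struct list    *ret;

	if (l == SCAN_FATAL_ERR)
		return NULL;

	ret = get_packet(l, dport);
	if (ret != NULL) {
#ifdef SHOW_RETRIES
		printf("RETRIES FOR %d = %d\n", dport, ret->retries);
#endif
		ret->retries++;
		ret->when = ack;
		return l;
	}

	/* presumably emalloc() never returns NULL -- confirm in its definition */
	ret = emalloc(sizeof(struct list));
	ret->next = l;
	ret->prev = NULL;
	if (ret->next != NULL)
		ret->next->prev = ret;

	ret->dport = dport;
	ret->when = ack;
	ret->retries = 0;
	return ret;
}

/*
 * Unlink and free the entry for `dport'.  Returns the new list head, the
 * unchanged head when there is no such entry, or NULL if `l' is
 * SCAN_FATAL_ERR.
 */
struct list    *rm_packet(struct list * l, unsigned short dport)
{
	struct list    *ret = l;
	struct list    *p;

	if (l == SCAN_FATAL_ERR)
		return NULL;

	p = get_packet(l, dport);
	if (p == NULL) {
#if DEBUG > 1
		fprintf(stderr, "Odd - no entry for %d - RTT too low ?!\n", dport);
#endif
		return l;
	}

	if (p->next != NULL)
		p->next->prev = p->prev;

	if (p->prev != NULL)
		p->prev->next = p->next;
	else
		ret = p->next;

	efree(&p);
	return ret;
}

/*
 * Walk the list and deal with probes that packetdead() reports as lost.
 *
 * The first lost probe that still has retries left stops the walk: its
 * port is stored in *retry and the current head is returned.  Lost probes
 * that have used up NUM_RETRIES are unlinked and freed.  *retry is 0 when
 * nothing needs re-sending.  If `l' is SCAN_FATAL_ERR the function returns
 * NULL and leaves *retry untouched.
 */
struct list    *rm_dead_packets(struct list * l, unsigned long rtt, int *retry)
{
	struct list    *ret = l;
	struct list    *p = l;
	unsigned long   now = maketime();

	if (l == SCAN_FATAL_ERR)
		return NULL;

	*retry = 0;
	while (p != NULL) {
		/* p may be freed below, so remember its successor first */
		struct list    *next = p->next;

		if (packetdead(p->when, rtt, now)) {
			if (p->retries < NUM_RETRIES) {
#ifdef SHOW_RETRIES
				printf("Will retry port %d\n", p->dport);
#endif
				*retry = p->dport;
				return ret;
			} else {
#ifdef SHOW_RTT_REMOVAL
				printf("Removing port %d (RTT elapsed)\n", p->dport);
#endif
				ipcd();
				if (p->next != NULL)
					p->next->prev = p->prev;

				if (p->prev != NULL)
					p->prev->next = p->next;
				else
					ret = p->next;
				efree(&p);
			}
		}
		p = next;
	}
	return ret;
}

/*-----------------------------------------------------------------------------*/

/*
 * Locate the TCP header inside a captured packet of `len' bytes that starts
 * at the IP header.  Returns NULL when the packet is not of the expected IP
 * version or is too short to hold a full TCP header.
 *
 * The packet comes off the wire, so every length is validated before the
 * corresponding bytes are read: a NULL, empty or negative-length buffer is
 * rejected, an IPv4 header length below the 20-byte minimum is rejected,
 * and the IPv6 length test now runs before the next-header byte is read.
 */
struct tcphdr * extracttcp(char * pkt, int len)
{
	struct ip      *ip;
	size_t          hl;

	if (pkt == NULL || len < 1)
		return NULL;

	if (is_ipv6 == 0) {
		if ((pkt[0] & 0xF0) != 0x40)
			return NULL;
		if ((size_t) len < sizeof(struct ip))
			return NULL;

		ip = (struct ip *) pkt;
		hl = (size_t) ip->ip_hl * 4;
		if (hl < sizeof(struct ip))
			return NULL;
		if (hl + sizeof(struct tcphdr) > (size_t) len)
			return NULL;

		return (struct tcphdr *) (pkt + hl);
	}

	if ((pkt[0] & 0xF0) != 0x60)
		return NULL;
	/* 40-byte fixed IPv6 header + 20-byte TCP header; byte 6 is next-header */
	if (len < 60 || pkt[6] != IPPROTO_TCP)
		return NULL;

	return (struct tcphdr *) (pkt + 40);
}

/*
 * Acknowledgement number of the packet minus one, in network byte order.
 * Returns (unsigned long)-1 when no TCP header can be extracted.
 */
unsigned long extractack(char *pkt, int len)
{
	unsigned long   ret;
	struct tcphdr  *tcp = extracttcp(pkt, len);

	if (tcp == NULL)
		return -1;

	ret = htonl(ntohl(tcp->th_ack) - 1);
	return ret;
}

/*
 * Sequence number of the packet exactly as stored in the header (no byte
 * swap).  Returns (unsigned long)-1 when no TCP header can be extracted.
 */
unsigned long extractseq(char *pkt, int len)
{
	struct tcphdr  *tcp = extracttcp(pkt, len);

	if (tcp == NULL)
		return -1;

	return tcp->th_seq;
}

/*
 * TTL field of the IPv4 header at the start of `pkt'.
 *
 * Returns -1 when the buffer is NULL or shorter than an IPv4 header; the
 * original fell out of an int function with a bare `return;' here, leaving
 * the result undefined.
 * NOTE(review): the packet is always read as IPv4, even when is_ipv6 is
 * set -- confirm how callers use this in IPv6 mode.
 */
int
extractttl(char * pkt, int len )
{
	struct ip      *ip;

	if (pkt == NULL || len < 0 || (size_t) len < sizeof(struct ip))
		return -1;

	ip = (struct ip *) pkt;
	return ip->ip_ttl;
}

/* Source port in host byte order, or 0 when no TCP header can be extracted. */
unsigned short extractsport(char *pkt, int len)
{
	struct tcphdr  *tcp = extracttcp(pkt, len);

	if (tcp == NULL)
		return 0;

	return ntohs(tcp->th_sport);
}

/*
 * Non-zero when the packet has both SYN and ACK set and neither RST nor
 * FIN; 0 otherwise, including when no TCP header can be extracted.
 */
int issynack(char *pkt, int len)
{
	struct tcphdr  *tcp = extracttcp(pkt, len);

	if (tcp == NULL)
		return 0;

	return (tcp->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK) &&
	       (tcp->th_flags & (TH_RST|TH_FIN)) == 0;
}

/*
 * Build an IPv4 + TCP packet (no options, no payload) with the given
 * addresses, ports, sequence/ack numbers and flags, and fill in both
 * checksums.  th_seq and th_ack are stored as passed, without byte swap.
 *
 * *len receives the packet length (40).  The returned pointer refers to a
 * static buffer that is overwritten by the next call, so the function is
 * not reentrant and the result must not be freed.
 */
char *mktcp(struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_seq, unsigned long th_ack, unsigned char flag, int * len)
{
	static char     pkt[sizeof(struct ip) + sizeof(struct tcphdr)];
	struct ip      *ip;
	struct tcphdr  *tcp;
	struct pseudohdr pseudohdr;
	char            tcpsumdata[sizeof(pseudohdr)];

	ip = (struct ip *) pkt;
	ip->ip_hl = 5;
	ip->ip_v = 4;
	ip->ip_tos = 0;
	ip->ip_len = FIX(sizeof(struct ip) + sizeof(struct tcphdr));
	ip->ip_id = rand();
	ip->ip_off = 0;
	ip->ip_ttl = 64;
	ip->ip_p = IPPROTO_TCP;
	ip->ip_sum = 0;
	ip->ip_src.s_addr = src.s_addr;
	ip->ip_dst.s_addr = dst.s_addr;
	ip->ip_sum = in_cksum((u_short *) pkt, sizeof(struct ip));

	tcp = (struct tcphdr *) (&(pkt[sizeof(struct ip)]));
	tcp->th_sport = htons(sport);
	tcp->th_dport = htons(dport);
	tcp->th_seq = th_seq;
	tcp->th_ack = th_ack;
	tcp->th_x2 = 0;
	tcp->th_off = 5;
	tcp->th_flags = flag;
	tcp->th_win = 4096;
	tcp->th_sum = 0;
	tcp->th_urp = 0;

	/* 12 = the pseudo-header fields that precede the embedded TCP header */
	bzero(&pseudohdr, 12);
	pseudohdr.saddr.s_addr = src.s_addr;
	pseudohdr.daddr.s_addr = dst.s_addr;
	pseudohdr.protocol = IPPROTO_TCP;
	pseudohdr.length = htons(sizeof(struct tcphdr));
	bcopy((char *) tcp, (char *) &pseudohdr.tcpheader, sizeof(struct tcphdr));
	bcopy(&pseudohdr, tcpsumdata, sizeof(struct pseudohdr));
	tcp->th_sum = in_cksum((unsigned short *) tcpsumdata, 12 + sizeof(struct tcphdr));

	*len = 40;
	return pkt;
}

/*--------------------------------------------------------------------*/
/* The mktcp6() definition that starts here continues past the end of this listing. */
#ifdef IPV6_SUPPORT
char * mktcp6(struct sockaddr_in6 * dst, int sport, int dport, unsigned long th_seq, unsigned long th_ack, unsigned char flag, int * len)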
