// scanDlg.cpp : implementation file
//

#include "stdafx.h"
#include "scan.h"
#include "scanDlg.h"
#include "Hyperlink.h"
#include <winsock.h>

// Argument record for the CGI check thread (cgiScan). Nothing on this page
// fills or reads it; presumably it is used by cgiScan on the continuation
// page — TODO confirm. Holds the target host, the dialog to log into, the
// URL to request and a slot index `n` (same shape as `struct port` for pScan).
struct cgi{
		char *rmt_host;
		CScanDlg *mydlg;
		char *url;
		int n;
};
// File-wide state shared between the UI thread and the scanner threads.
// None of it is protected by a lock; the code relies on "one scan at a time".
char rmt_host[100];        // dotted-quad of the resolved target; written by wScan, read by pScan/fScan
HWND hWnd;                 // main dialog handle; pScan posts WM_DISPLAY here from worker threads
CEvent fEvent;             // signalled by each vulnerability-check thread when it is done
CWinThread* pThread;       // the wScan driver thread (started in OnScan, killed in OnStop)
CWinThread* runThread;     // the currently running vulnerability-check thread
CWinThread* Thread[10];    // one batch of ten port-probe threads (pScan)
HANDLE hThread[10];        // their handles, for WaitForMultipleObjects in wScan

/////////////////////////////////////////////////////////////////////////////
// CScanDlg dialog

// Constructs the main scanner dialog with all four vulnerability checks
// ticked, an empty transcript and "localhost" as the default target.
CScanDlg::CScanDlg(CWnd* pParent /*=NULL*/)
	: CDialog(CScanDlg::IDD, pParent)
{
	//{{AFX_DATA_INIT(CScanDlg)
	m_ip = _T("localhost");
	m_res = _T("");
	m_checkftp = TRUE;
	m_checksmtp = TRUE;
	m_checkfinger = TRUE;
	m_checkcgi = TRUE;
	//}}AFX_DATA_INIT
	// Icons obtained via LoadIcon need no DestroyIcon in Win32.
	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}

// ClassWizard-generated DDX map: binds the scan/about/log buttons to control
// members, the four check boxes to their BOOL flags, and the transcript
// (IDC_RES) and target (IDC_IP) edits to m_res / m_ip.
void CScanDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CScanDlg)
	DDX_Control(pDX, IDC_SCAN, m_scan);
	DDX_Control(pDX, IDC_ABOUT, m_about);
	DDX_Control(pDX, IDC_LOG, m_log);
	DDX_Check(pDX, IDC_CHECKCGI, m_checkcgi);
	DDX_Check(pDX, IDC_CHECKFINGER, m_checkfinger);
	DDX_Check(pDX, IDC_CHECKFTP, m_checkftp);
	DDX_Check(pDX, IDC_CHECKSMTP, m_checksmtp);
	DDX_Text(pDX, IDC_RES, m_res);
	DDX_Text(pDX, IDC_IP, m_ip);
	//}}AFX_DATA_MAP
}

// Message map for the main dialog. WM_DISPLAY is the application's own
// message: pScan posts it (port number in wParam) from a worker thread and
// OnDisplay renders it on the UI thread.
BEGIN_MESSAGE_MAP(CScanDlg, CDialog)
	//{{AFX_MSG_MAP(CScanDlg)
	ON_WM_PAINT()
	ON_WM_QUERYDRAGICON()
	ON_BN_CLICKED(IDC_ABOUT, OnAbout)
	ON_BN_CLICKED(IDC_LOG, OnLog)
	ON_BN_CLICKED(IDC_SCAN, OnScan)
	ON_BN_CLICKED(IDC_CLEAR, OnClear)
	ON_BN_CLICKED(IDC_STOP, OnStop)
	ON_MESSAGE(WM_DISPLAY,OnDisplay)
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CScanDlg message handlers

// One-time dialog setup: installs the icons and subclasses the transcript
// edit (IDC_RES) with m_HistoryEdit so the scanner threads can AppendString
// into it.
BOOL CScanDlg::OnInitDialog()
{
	CDialog::OnInitDialog();

	// Set the icon for this dialog.  The framework does this automatically
	//  when the application's main window is not a dialog
	SetIcon(m_hIcon, TRUE);			// Set big icon
	SetIcon(m_hIcon, FALSE);		// Set small icon
	
	// Attach the history edit wrapper to the existing IDC_RES control.
	m_HistoryEdit.SubclassDlgItem (IDC_RES, this);
	return TRUE;  // return TRUE  unless you set the focus to a control
}

// If you add a minimize button to your dialog, you will need the code below
//  to draw the icon.  For MFC applications using the document/view model,
//  this is automatically done for you by the framework.

// Paints the application icon centred in the client area while the dialog
// is minimised; otherwise defers to the default dialog painting.
// (Standard AppWizard boilerplate for dialogs with a minimise button.)
void CScanDlg::OnPaint() 
{
	if (!IsIconic())
	{
		CDialog::OnPaint();
		return;
	}

	CPaintDC dc(this); // device context for painting
	SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);

	// Centre the icon in the client rectangle.
	CRect client;
	GetClientRect(&client);
	const int iconW = GetSystemMetrics(SM_CXICON);
	const int iconH = GetSystemMetrics(SM_CYICON);
	const int left = (client.Width() - iconW + 1) / 2;
	const int top = (client.Height() - iconH + 1) / 2;

	dc.DrawIcon(left, top, m_hIcon);
}

// The system calls this to obtain the cursor to display while the user drags
//  the minimized window.
// The system calls this to obtain the cursor to display while the user drags
//  the minimized window. The application icon doubles as that cursor.
HCURSOR CScanDlg::OnQueryDragIcon()
{
	return (HCURSOR) m_hIcon;
}

// "About" box (resource IDD_DIALOG1). Its only control of interest is a
// CHyperLink static (IDC_STATIC_URL) that OnInitDialog points at the
// author's home page.
class CAboutDlg : public CDialog
{
public:
	CAboutDlg();

// Dialog Data
	//{{AFX_DATA(CAboutDlg)
	enum { IDD = IDD_DIALOG1 };
	CHyperLink	m_stcURL;   // clickable URL label
	//}}AFX_DATA

	// ClassWizard generated virtual function overrides
	//{{AFX_VIRTUAL(CAboutDlg)
	protected:
	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support
	//}}AFX_VIRTUAL

// Implementation
protected:
	virtual BOOL OnInitDialog();
	//{{AFX_MSG(CAboutDlg)
		// No message handlers
	//}}AFX_MSG
	DECLARE_MESSAGE_MAP()
};

// Constructs the about box with no parent; nothing to initialise.
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
	//{{AFX_DATA_INIT(CAboutDlg)
	//}}AFX_DATA_INIT
}

// Sets up the hyperlink label: visible text and target are the same URL,
// auto-sizing is off and all three link colours are the same mid grey
// (normal / hover / visited — presumably, per CHyperLink's argument order;
// TODO confirm against Hyperlink.h).
BOOL CAboutDlg::OnInitDialog()
{
	CDialog::OnInitDialog();
	m_stcURL.SetWindowText("http://isno.yeah.net");
	m_stcURL.SetAutoSize(FALSE);
	m_stcURL.SetURL("http://isno.yeah.net");
	m_stcURL.SetColours( RGB(128,128,128), RGB(128,128,128) ,RGB(128,128,128));

	return TRUE;  // return TRUE  unless you set the focus to a control
}

// DDX map for the about box: attaches m_stcURL to the IDC_STATIC_URL label.
// Note the control is bound before the base-class call rather than inside
// the ClassWizard block; harmless, but ClassWizard will not see it.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
	DDX_Control(pDX, IDC_STATIC_URL, m_stcURL);
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CAboutDlg)
	//}}AFX_DATA_MAP
}

// The about box handles no messages of its own.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
	//{{AFX_MSG_MAP(CAboutDlg)
		// No message handlers
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()

// App command to run the dialog
// "About" button: shows the about box modally and discards its result.
void CScanDlg::OnAbout()
{
	CAboutDlg about;
	(void)about.DoModal();
}

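// "Log" button: saves the scan transcript (m_res) to a file the user picks.
// The suggested file name is "<target>.txt", built from the last value of
// m_ip (refreshed by wScan's UpdateData at scan start). Open/write failures
// are reported to the user instead of being ignored.
void CScanDlg::OnLog() 
{
	CFileDialog dlg(FALSE,"txt",m_ip+".txt",OFN_HIDEREADONLY|OFN_OVERWRITEPROMPT,"Findoor scanner 扫描记录",this);
	if(dlg.DoModal()!=IDOK)
		return;

	// Pull the current transcript out of the edit control before writing it.
	UpdateData(TRUE);

	// The original ignored Open()'s return value and then wrote to an unopened
	// CFile (e.g. read-only directory, file in use) — silently losing the log.
	CFile file;
	CFileException openErr;
	if(!file.Open(dlg.GetPathName(),CFile::modeCreate|CFile::modeWrite,&openErr))
	{
		openErr.ReportError();
		return;
	}
	TRY
	{
		// Byte count, not character count, so this stays correct in a UNICODE build.
		file.Write((LPCTSTR)m_res,m_res.GetLength()*sizeof(TCHAR));
		file.Close();
	}
	CATCH(CFileException,writeErr)
	{
		writeErr->ReportError();
	}
	END_CATCH
}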

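// "Scan" button: records the window handle pScan will post results to and
// starts the wScan driver thread with this dialog as its argument.
void CScanDlg::OnScan() 
{
	hWnd=GetSafeHwnd();
	// Disable the controls here, on the UI thread, instead of leaving it to the
	// worker: otherwise a second click could slip in before wScan gets
	// scheduled and start a second scan sharing the global thread slots.
	GetDlgItem(IDC_SCAN)->EnableWindow(FALSE);
	GetDlgItem(IDC_IP)->EnableWindow(FALSE);
	pThread=AfxBeginThread(wScan,this);
	if(pThread==NULL)
	{
		// Thread creation failed: re-enable the controls so the user can retry.
		GetDlgItem(IDC_SCAN)->EnableWindow(TRUE);
		GetDlgItem(IDC_IP)->EnableWindow(TRUE);
		m_HistoryEdit.AppendString ("无法创建扫描线程\r\n");
	}
}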

// "Clear" button: empties the transcript control. m_res itself is only
// refreshed on the next UpdateData(TRUE).
void CScanDlg::OnClear() 
{
	CWnd* transcript = GetDlgItem(IDC_RES);
	if (transcript != NULL)
		transcript->SetWindowText("");
}

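// "Stop" button: kills the driver thread and the current vulnerability-check
// thread, re-enables the controls and notes the abort in the transcript.
// NOTE(review): TerminateThread() is a last-resort kill — the victim gets no
// chance to close its socket or release CRT/heap locks, so this can leak and
// in the worst case wedge the process. A stop flag polled by wScan would be
// the proper fix. Also, AfxBeginThread() returns an auto-deleting CWinThread
// by default, so if the scan already finished on its own these pointers may
// refer to freed objects — TODO confirm and clear them when wScan returns.
// The ten port-probe threads (Thread[]) are not stopped here; they finish by
// themselves once their connect() returns.
void CScanDlg::OnStop() 
{
	if(pThread!=NULL)
	{
		TerminateThread(pThread->m_hThread,0);
		pThread=NULL;      // never terminate the same (possibly recycled) handle twice
	}
	if(runThread!=NULL)
	{
		TerminateThread(runThread->m_hThread,0);
		runThread=NULL;
	}
	// wScan was killed before it could reset fEvent; clear it so a signal
	// from a check that completed just before the abort cannot satisfy the
	// first wait of the next scan.
	fEvent.ResetEvent();
	GetDlgItem(IDC_SCAN)->EnableWindow(TRUE);
	GetDlgItem(IDC_IP)->EnableWindow(TRUE);
	m_HistoryEdit.AppendString ("扫描中断......");
}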

// WM_DISPLAY handler: logs "port N (service) open". pScan posts the port
// number as the message's wParam, which arrives in the FIRST parameter here
// (named lParam in the declaration); the second parameter is unused.
// The service name comes from the local services table, "未知" if unlisted.
LONG CScanDlg::OnDisplay(LONG lParam, UINT wParam)
{
	const int portNo = static_cast<int>(lParam);
	LPSERVENT svc = getservbyport(htons(static_cast<u_short>(portNo)), "tcp");
	const char* svcName = "未知";
	if (svc != NULL)
		svcName = svc->s_name;

	CString line;
	line.Format("\t%d号端口(%s)开放!\r\n", portNo, svcName);
	m_HistoryEdit.AppendString(line);
	return 0;
}

//扫描的总辅助线程
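// Runs one vulnerability check (fScan/sScan/fingerScan/cgiScan) on its own
// thread and waits up to two minutes for it to signal fEvent. `label` is the
// header line written to the transcript first. On timeout the check thread is
// left running (it still owns its socket) and "超时错误!" is logged, as before.
static void runCheck(CScanDlg* dlg, const char* label, AFX_THREADPROC check)
{
	(dlg->m_HistoryEdit).AppendString (label);
	// Reset BEFORE the check starts. The original reset only after waiting, so
	// a check that signalled just after its timeout left fEvent set and the
	// following check's wait returned immediately with a bogus result.
	fEvent.ResetEvent();
	runThread=AfxBeginThread(check,(LPVOID)dlg);
	if(runThread==NULL)
	{
		(dlg->m_HistoryEdit).AppendString ("无法创建扫描线程\r\n");
		return;
	}
	if(::WaitForSingleObject(fEvent,120000)==WAIT_TIMEOUT)
		(dlg->m_HistoryEdit).AppendString ("超时错误!");
}

// Driver thread for a whole scan (started by OnScan with the dialog as its
// argument). Resolves the target, probes the port table in batches of ten
// threads, then runs whichever vulnerability checks are ticked, writing its
// progress into dlg->m_HistoryEdit.
// NOTE(review): this worker calls UpdateData/GetDlgItem/AppendString on MFC
// window objects from a non-UI thread; only the port results are marshalled
// via PostMessage(WM_DISPLAY). Routing all output through messages would be
// the robust fix — not changed here.
UINT wScan(LPVOID pParam) 
{
	// 59 ports of interest; the trailing 0 pads the table to 6x10 so the batch
	// loop below can hand out ten entries at a time. The pad entry is skipped.
	static const int kPorts[60]={7,9,11,13,15,17,19,21,23,25,37,43,53,70,77,79,80,81,87,88,103,104,109,110,111,113,
            115,119,123,135,137,138,139,143,144,443,512,513,514,515,520,
            530,540,544,749,750,751,754,1024,1025,1026,1080,1234,1600,2003,2049,6000,6667,8080,0};
	CScanDlg* dlg=(CScanDlg*)pParam;
	CString res;
	(dlg->GetDlgItem(IDC_SCAN))->EnableWindow(FALSE);
	(dlg->GetDlgItem(IDC_IP))->EnableWindow(FALSE);
	dlg->UpdateData();   // pull m_ip and the four check boxes out of the controls
	res="[Findo0r Scanner]\r\n\r\n";
	res+="扫描目标:";
	res+=(dlg->m_ip);
	res+="\r\n\r\n";
	res+="扫描选项:\r\n";
	if(dlg->m_checkftp){res+="\tFTP漏洞\r\n";}
	if(dlg->m_checksmtp){res+="\tSMTP漏洞\r\n";}
	if(dlg->m_checkfinger){res+="\tFINGER漏洞\r\n";}
	if(dlg->m_checkcgi){res+="\tCGI漏洞\r\n";}
	res+="\r\n开始扫描......\r\n";
	(dlg->m_HistoryEdit).AppendString (res);

	// Resolve the user-supplied host name (or dotted quad); only the first
	// address is used.
	LPHOSTENT lpstHost = gethostbyname(dlg->m_ip);
	if (lpstHost == NULL || lpstHost->h_addr_list[0] == NULL)
	{
		(dlg->m_HistoryEdit).AppendString ("无法得到IP地址!");
		(dlg->GetDlgItem(IDC_SCAN))->EnableWindow(TRUE);
		(dlg->GetDlgItem(IDC_IP))->EnableWindow(TRUE);
		return 0;
	}
	// rmt_host is the global the probe/check threads read; the longest
	// dotted quad (15 chars + NUL) always fits its 100 bytes.
	sprintf(rmt_host,"%d.%d.%d.%d",(unsigned char )lpstHost->h_addr_list[0][0],
              (unsigned char ) lpstHost->h_addr_list[0][1], 
              (unsigned char ) lpstHost->h_addr_list[0][2], 
              (unsigned char ) lpstHost->h_addr_list[0][3]);
	res="目标IP地址为:";
	res+=rmt_host;
	res+="\r\n";
	(dlg->m_HistoryEdit).AppendString (res);
	(dlg->m_HistoryEdit).AppendString ("扫描目标主机开放的端口:\r\n");

	// Port probes: ten pScan threads per batch, each given its own theport[]
	// slot, then wait for the batch before the slots are reused.
	struct port theport[10];
	for(int i=0;i<6;i++)
	{
		DWORD live=0;   // number of valid handles in hThread[]
		for(int j=0;j<10;j++)
		{
			Thread[j]=NULL;
			theport[j].rmt_host=rmt_host;
			theport[j].p=kPorts[i*10+j];
			theport[j].n=j;
			if(theport[j].p==0)
				continue;   // pad entry, nothing to probe
			// Start suspended so m_bAutoDelete can be cleared before the thread
			// can run to completion: an auto-deleting CWinThread destroys itself
			// (closing m_hThread) as soon as pScan returns, so the original could
			// WaitForMultipleObjects on handles that were already closed or
			// recycled — the wait then failed at once and theport[] was reused
			// under still-running probes. AfxBeginThread may also return NULL,
			// which the original dereferenced.
			Thread[j]=AfxBeginThread(pScan,(LPVOID)&theport[j],THREAD_PRIORITY_NORMAL,0,CREATE_SUSPENDED);
			if(Thread[j]==NULL)
				continue;
			Thread[j]->m_bAutoDelete=FALSE;
			hThread[live++]=Thread[j]->m_hThread;
			Thread[j]->ResumeThread();
			Sleep(1);
		}
		if(live>0)
			WaitForMultipleObjects(live,hThread,TRUE,120000);
		for(int k=0;k<10;k++)
		{
			if(Thread[k]==NULL)
				continue;
			if(::WaitForSingleObject(Thread[k]->m_hThread,0)==WAIT_OBJECT_0)
				delete Thread[k];              // finished: this closes the handle
			else
				Thread[k]->m_bAutoDelete=TRUE; // still in connect() after the timeout: let it clean itself up
			Thread[k]=NULL;
		}
	}

	// Vulnerability checks, in the original order, with the original pauses.
	Sleep(1000);
	if(dlg->m_checkftp)
		runCheck(dlg,"开始扫描FTP漏洞:\r\n",fScan);
	Sleep(1000);
	if(dlg->m_checksmtp)
		runCheck(dlg,"\r\n开始扫描SMTP漏洞:\r\n",sScan);
	Sleep(1000);
	if(dlg->m_checkfinger)
		runCheck(dlg,"\r\n开始扫描FINGER漏洞:\r\n",fingerScan);
	Sleep(1000);
	if(dlg->m_checkcgi)
		runCheck(dlg,"\r\n开始扫描CGI漏洞:\r\n",cgiScan);
	Sleep(1000);
	(dlg->m_HistoryEdit).AppendString ("扫描完毕!!!");
	(dlg->GetDlgItem(IDC_SCAN))->EnableWindow(TRUE);
	(dlg->GetDlgItem(IDC_IP))->EnableWindow(TRUE);
	return 0;
}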

//端口扫描线程
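// Port-probe thread: one blocking TCP connect() to rmt_host:p described by the
// `struct port` passed in pParam. A successful connect is reported to the main
// dialog with PostMessage(WM_DISPLAY, port, 0); nothing is sent otherwise.
// Socket creation failure is silent for that port — the original compared the
// unsigned SOCKET with 0 (never true) and, had it fired, called exit(0),
// which would have torn down the whole GUI from a worker thread.
UINT pScan(LPVOID pParam)
{
	struct port* tport=(struct port *)pParam;
	int port=tport->p;
	char *rmt_host=tport->rmt_host;

	SOCKET sockfd = socket(AF_INET, SOCK_STREAM, 0);
	if (sockfd == INVALID_SOCKET)
		return 0;

	SOCKADDR_IN addr;
	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_port = htons((u_short)port);
	addr.sin_addr.s_addr = inet_addr(rmt_host);

	int r = connect(sockfd,(struct sockaddr *) &addr, sizeof(addr));
	closesocket(sockfd);
	// SOCKET_ERROR is -1, the value the original tested for.
	if (r != SOCKET_ERROR)
	{
		::PostMessage(hWnd,WM_DISPLAY,(WPARAM)port,0);
	}
	return 0;
}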

//FTP漏洞扫描线程
UINT fScan(LPVOID pParam)
{
	int port=21;
	char rbuff[1024];
	CScanDlg* dlg=(CScanDlg*)pParam;
	SOCKET sockfd;
	SOCKADDR_IN addr;
	sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) 
	{
		(dlg->m_HistoryEdit).AppendString ("无法建立Socket\r\n");
		return 0;
	}
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr(rmt_host);
	if(connect(sockfd,(struct sockaddr *) &addr, sizeof(addr))<0)
	{
		(dlg->m_HistoryEdit).AppendString ("目标没有开放FTP服务...\r\n");
		fEvent.SetEvent();
		return 0;
	}
	(dlg->m_HistoryEdit).AppendString ("FTP服务器的Banner:");
	memset(rbuff,0,1024);
	recv(sockfd,rbuff,sizeof(rbuff),0);
	Sleep(1000);
	(dlg->m_HistoryEdit).AppendString (rbuff);
	send(sockfd,"USER anonymous\r\n",sizeof("USER anonymous\r\n"),0);
	Sleep(1000);
	recv(sockfd,rbuff,sizeof(rbuff),0);
	Sleep(1000);
	(dlg->m_HistoryEdit).AppendString ("测试匿名用户\r\n");
	if(strstr(rbuff,"331")==NULL)
    {
		(dlg->m_HistoryEdit).AppendString ("没有匿名用户\r\n");
		fEvent.SetEvent();
		return 0;
	}
	memset(rbuff,0,1024);
	send(sockfd,"PASS hacker@hacker.com\r\n",sizeof("PASS hacker@hacker.com\r\n"),0);
	Sleep(1000);
	recv(sockfd,rbuff,sizeof(rbuff),0);
	Sleep(1000);
	(dlg->m_HistoryEdit).AppendString (rbuff);
	memset(rbuff,0,1024);
	(dlg->m_HistoryEdit).AppendString ("根目录列表:");
	send(sockfd,"LIST\r\n",sizeof("LIST\r\n"),0);
	Sleep(1000);
	recv(sockfd,rbuff,sizeof(rbuff),0);
	Sleep(1000);
	(dlg->m_HistoryEdit).AppendString (rbuff);
	memset(rbuff,0,1024);
	(dlg->m_HistoryEdit).AppendString ("尝试改变主目录属性为可写:");
	send(sockfd,"SITE chmod 777 /\r\n",sizeof("SITE chmod 777 /\r\n"),0);
	Sleep(1000);
	recv(sockfd,rbuff,sizeof(rbuff),0);
	Sleep(1000);
	(dlg->m_HistoryEdit).AppendString (rbuff);
	memset(rbuff,0,1024);
	(dlg->m_HistoryEdit).AppendString ("尝试建立目录:");
