信息来源:lion
复制内容到剪贴板
代码:
/*
************************************************************************************
*
* Scanssl.c - Microsoft Windows 2000 PCT over SSL vulnerability scanner.
*
* Copyright (C) 2000-2004 HUC All Rights Reserved.
*
* Author : lion
* : lion#cnhonker.net
* : [url]http://www.cnhonker.com[/url]
* :
* Notice : Thx to bkbll (bkbll#cnhonker.net), writted a nice PCT over SSL exploit.
* :
* Date : 2004-04-22
* :
* Complie : cl scanssl.c
* :
* Usage :E:\>scanssl
* :IIS SSL PCT Protocol Scanner V1.0 (2004-04-22)
* :Code by lion (lion#cnhonker.net), [url]http://www.cnhonker.com[/url]
* :
* :Usage: scanssl <Options>
* :
* :[Options:]
* : -s Start IP
* : -e End IP
* : -p Scan Port Default: 443
* : -t Scan Thread Default: 100
* : -l Log file Default: pctscan.txt
* : -n Note
*
************************************************************************************
*/
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
#define SCANPORT 443
#define DEFTHREAD 100
#define DEFLOGFILE "pctscan.txt"
#define VERSION "1.0"
// PCT on SSL
char clienthello[]=
"\x80\x62" //size
"\x01" //client hello
"\x80\x01" //PCT 1.0
"\x00" //PAD
//CH_SESSION_ID_DATA[32]
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
//CH_CHALLENGE_DATA[32]
"\xd4\x42\x2b\x54\x8e\x81\x87\xe9\xb7\x85\x11\x92\x56\x89\xcb\x94\xeb\x1b\xcf\x57\xb1\x6b\x0d\xa6\x62\x21\x35\x52\xa7\x9e\xd3\xd4"
"\x00\x0a" //CH_OFFSET
"\x00\x08" //CH_CIPHER_SPECS_LENGTH
"\x00\x04" //CH_HASH_SPECS_LENGTH
"\x00\x04" //CH_CERT_SPECS_LENGTH
"\x00\x02" //CH_EXCH_SPECS_LENGTH
"\x00\x00" //CH_KEY_ARG_LENGTH
"\x00\x04\x80\x40\x00\x04\x28\x40" //CH_CIPHER_SPECS_DATA
"\x00\x01\x00\x03" //CH_HASH_SPECS_DATA
"\x00\x03\x00\x01" //CH_CERT_SPECS_DATA
"\x00\x01" //CH_EXCH_SPECS_DATA
;
int iPort=SCANPORT,iThread=DEFTHREAD,found=0,foundport=0,patched=0,disable=0,maxthread=0,scanned=0,scannum=0;
char *filename=DEFLOGFILE;
FILE *fp;
void usage(char *p)
{
printf( "Usage:\t%s\t<Options>\n\n"
"[Options:]\n"
"\t-s\tStart IP\n"
"\t-e\tEnd IP\n"
"\t-p\tScan Port Default: %d\n"
"\t-t\tScan Thread Default: %d\n"
"\t-l\tLog file Default: %s\n"
"\t-n\tNote\n\n"
, p, SCANPORT, DEFTHREAD, DEFLOGFILE);
}
void WaitThreadEnd()
{
int i;
printf("\r\n");
for(i=0;i<=100;i++)
{
printf("[+] Please wait %d Thread end... \r", maxthread);
if (maxthread != 0)
{
Sleep(100);
continue;
}
else break;
}
return;
}
void TestThread(int thread)
{
for (;;)
{
printf("[+] %2d%% Complete... \r", scanned*100/scannum);
if (maxthread >= thread)
{
Sleep(200);
}
else break;
}
return;
}
DWORD WINAPI sslscan(LPVOID ip)
{
int ipaddr= (int)ip;
int l;
unsigned long flag;
unsigned long ul[2];
char recvbuf[100];
SOCKET s;
struct sockaddr_in server;
struct fd_set mask;
struct timeval timeout;
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ipaddr);
server.sin_port=htons((USHORT)iPort);
s=socket(AF_INET,SOCK_STREAM,0);
timeout.tv_sec=3; // set timeout 2s
timeout.tv_usec=0;
flag=1;
if(connect(s,(struct sockaddr *)&server,sizeof(server)) == 0)
{
foundport ++;
if(ioctlsocket(s,FIONBIO,&flag)!=0)
{
maxthread --;
closesocket(s);
return -1;
}
if(send(s, clienthello, sizeof(clienthello)-1, 0))
{
ul[0] = 1;
ul[1] = s;
l = select (0, (fd_set *)&ul, NULL, NULL, &timeout);
if(l == 1)
{
l = recv (s, recvbuf, sizeof(recvbuf), 0);
if (l >= 0)
{
if(recvbuf[2] == '\x00')
{
patched ++;
printf("[-] %s patched.\r\n",inet_ntoa(server.sin_addr));
}
else
if(recvbuf[2] == '\x02')
{
found ++;
printf("[+] %s found!!!\r\n",inet_ntoa(server.sin_addr));
fprintf(fp, "%s\r\n", inet_ntoa(server.sin_addr));
fflush(fp);
}
else
if(recvbuf[2] == '\x05')
{
disable ++;
printf("[+] %s disable.\r\n",inet_ntoa(server.sin_addr));
}
else
{
//printf("[-] %s failed.\r\n",inet_ntoa(server.sin_addr));
}
}
}
}
}
Sleep(50);
closesocket(s);
maxthread --;
return 1;
}
int main(int argc, char **argv)
{
int i;
char *startip=NULL,*endip=NULL,*note=NULL;
int portip,ipstart,ipstop,hoststart,hoststop;
WSADATA wsadata;
printf( "IIS SSL PCT Protocol Scanner V%s (2004-04-22)\r\n"
"Code by lion (lion#cnhonker.net), [url]http://www.cnhonker.com[/url]\r\n\n"
, VERSION);
//printf("%d\n", sizeof(clienthello)-1);
if(argc < 2)
{
usage(argv[0]);
return -1;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return -1;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return -1;
}
switch(argv[i][1])
{
case 's':
startip = argv[i+1];
break;
case 'e':
endip = argv[i+1];
break;
case 'p':
iPort = atoi(argv[i+1]);
break;
case 't':
iThread = atoi(argv[i+1]);
break;
case 'l':
filename = argv[i+1];
break;
case 'n':
note = argv[i+1];
break;
}
}
if(startip == NULL || endip == NULL)
{
printf("[-] Please enter start and end ip!\r\n");
return -1;
}
if(iPort <1 || iPort >65535)
{
usage(argv[0]);
printf("[-] Invalid port.\n");
return -1;
}
if(iThread <10 || iThread >300)
{
usage(argv[0]);
printf("[-] Invalid thread.\n");
return -1;
}
fp = fopen(filename, "a+");
if(fp == NULL)
{
printf("[-] Open log file:%s error!\r\n", filename);
return -1;
}
fprintf(fp, "%s-%s %s\r\n", startip, endip, note);
fflush(fp);
if (WSAStartup(MAKEWORD(1,1),&wsadata)!=0)
{
printf("wsatartup error");
return -1;
}
ipstart=inet_addr(startip);
ipstop=inet_addr(endip);
hoststart=ntohl(ipstart);
hoststop=ntohl(ipstop);
scannum=hoststop-hoststart+1;
for(portip=hoststart;portip<=hoststop;portip++,maxthread++)
{
if ((portip%256)==0) {scannum--;maxthread--;continue;} // ingore localhost addr
if ((portip%256)==255) {scannum--;maxthread--;continue;} // ingore broadcast addr
TestThread(iThread);
CreateThread(0, 0, sslscan, (void*)portip, 0, 0);
Sleep(20);
scanned ++;
}
Sleep(5000);
WaitThreadEnd();
fclose(fp);
printf("[+] Host search %d host complete.\r\n", scannum);
printf("[+] Found %d port, %d vlun host!\r\n", foundport, found);
return 1;
}
