[unisog] MS04-007/011 scanner

Daniel Bidwell bidwell at andrews.edu
Tue May 4 20:58:26 GMT 2004


On Tue, 2004-05-04 at 13:59, Chris Russel wrote:
> I know I'm late to the party, but I've updated 007scan to find MS04-011
> vulnerable systems as well.
> 
> - scans our class B+ in around 5-10 min
> - quiet mode for use in netreg/resnet systems with automated vulnerability
> scanning
> - checks NETBIOS port if SMB port is not open (NT, some 2k)
> - fixed NTsp6a inconclusive result
> 
> Hope this is useful. If you find problems with it let me know!

Does anyone have a netreg dns configuration what will let widowsupdate
work?  I would like to allow windowsupdate to work from the registration
zone.

> 
> -- 
> Chris Russel
> Manager, CNS Information Security
> York University, Toronto, Canada
> russel at yorku.ca
> ----
> 

> /*
> *  MS04-007/011 Scanner
> *  Chris Russel, York University
> *  original TCP network code by Russell Fulton, Univeristy of Auckland
> *  
> *  2004/02/19: added NETBIOS/SMB check if IP/SMB is not active
> *  2004/02/20: added -s for non-forking scan of single host with return code
> *              indicating vulnerable
> *  2004/05/03: added MS04-011 check
> *
> */
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <errno.h>
> #include <string.h>
> #include <netdb.h>
> #include <sys/types.h>
> #include <netinet/in.h>
> #include <sys/socket.h>
> #include <sys/time.h>
> #include <sys/select.h>
> 
> #include <unistd.h>
> #include <fcntl.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> 
> #define DEST_PORT 445
> 
> int errno, quiet;
> 
> char neg_prot[] = {
>    0x00, 0x00, 0x00, 0xa4, 0xff, 0x53, 0x4d, 0x42, 0x72, 0x00, 0x00, 0x00,
>    0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x00, 0x4d, 0x0b, 0x00, 0x00, 0x1f, 0x63, 0x00, 0x81, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e,
>    0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31,
>    0x2e, 0x30, 0x00, 0x02, 0x4d, 0x49, 0x43, 0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45,
>    0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20, 0x31, 0x2e, 0x30, 0x33, 0x00, 0x02, 0x4d, 0x49, 0x43,
>    0x52, 0x4f, 0x53, 0x4f, 0x46, 0x54, 0x20, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x53, 0x20,
>    0x33, 0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00, 0x02,
>    0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x53, 0x61, 0x6d, 0x62, 0x61,
>    0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x20, 0x31, 0x2e, 0x30, 0x00,
>    0x02, 0x4e, 0x54, 0x20, 0x4c, 0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00
> };
> 
> char blob[] = {
>    0x00, 0x00, 0x00, 0xc2, 0xff, 0x53, 0x4d, 0x42, 0x73, 0x00, 0x00, 0x00,
>    0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x00, 0x0c, 0xff, 0x00, 0x00, 0x00, 0x01, 0x40, 0x02, 0x00,
>    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x5c, 0x00, 0x00, 0x80, 0x87, 0x00, 0x60, 0x84, 0x00, 0x00,
>    0x00, 0x62, 0x06, 0x83, 0x00, 0x00, 0x06, 0x2b, 0x06, 0x01, 0x05,
>    0x05, 0x02, 0xa0, 0x82, 0x00, 0x53, 0x30, 0x81, 0x50, 0xa0, 0x0e,
>    0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37,
>    0x02, 0x02, 0x0a, 0xa3, 0x3e, 0x30, 0x3c, 0xa0, 0x30, 0x3b, 0x2e,
>    0x04, 0x81, 0x01, 0x25, 0x24, 0x81, 0x27, 0x04, 0x01, 0x05, 0x24,
>    0x22, 0x24, 0x20, 0x24, 0x18, 0x24, 0x16, 0x24, 0x14, 0x24, 0x12,
>    0x24, 0x10, 0x24, 0x0e, 0x24, 0x0c, 0x24, 0x0a, 0x24, 0x08, 0x24,
>    0x06, 0x24, 0x04, 0x24, 0x02, 0x04, 0x00, 0x04, 0x82, 0x00, 0x02,
>    0x39, 0x25, 0xa1, 0x08, 0x04, 0x06, 0xe5, 0xc5, 0xf9, 0xe5, 0x20,
>    0x04, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f, 0x00,
>    0x77, 0x00, 0x73, 0x00, 0x00, 0x00, 0x4e, 0x00, 0x65, 0x00, 0x73,
>    0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00
> };
> 
> char blob2[] = {
>    0x00, 0x00, 0x00, 0xb1, 0xff, 0x53, 0x4d, 0x42, 0x73, 0x00,
>    0x00, 0x00, 0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x00, 0x00, 0x00, 0xf3, 0x88, 0x0c, 0xff, 0x00, 0x00,
>    0x00, 0x01, 0x40, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x00,
>    0x80, 0x76, 0x00, 0x60, 0x58, 0x06, 0xff, 0x06, 0xff, 0x06,
>    0x0f, 0x05, 0x0f, 0x02, 0xff, 0x06, 0xff, 0xff, 0xff, 0xff,
>    0x06, 0x00, 0x06, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x0a, 0x00,
>    0x0a, 0x00, 0x20, 0x00, 0x00, 0x00, 0x42, 0x4c, 0x49, 0x4e,
>    0x47, 0x42, 0x4c, 0x49, 0x4e, 0x47, 0x4d, 0x53, 0x48, 0x4f,
>    0x4d, 0x45, 0x2a, 0xff, 0x7f, 0x74, 0x6f, 0xff, 0x0a, 0x0b,
>    0x9e, 0xff, 0xe6, 0x56, 0x73, 0x37, 0x57, 0x37, 0x0a, 0x0b,
>    0x0c, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x6f,
>    0x00, 0x77, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x19, 0x00, 0x02, 0x00, 0x4e, 0x00, 0x65, 0x00, 0x73,
>    0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00,
>    0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x00, 0x02, 0x00, 0x00,
>    0x00
> };
> 
> char netbios_nr[] = {
>    0x74, 0x25, 0x00, 0x00,
>    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x43, 0x4b, 0x41, 0x41,
>    0x41, 0x41, 0x41,
>    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
>    0x41, 0x41, 0x41,
>    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x21, 0x00,
>    0x01,
> };
> 
> char smb_sreq[] = {
>    0x81, 0x00, 0x00, 0x44, 0x20, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
>    0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41,
>    0x43, 0x41, 0x43,
>    0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x20, 0x43, 0x41,
>    0x43, 0x41, 0x43,
>    0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41,
>    0x43, 0x41, 0x43,
>    0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00,
> };
> 
> int argNumber;
> 
> int count[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0, 262144, 131072, 65536, 32768,
>    16384, 8192, 4096,
>    2048, 1024, 512, 256, 128, 64, 32, 16, 8, 4, 2, 1};
> int x[] = { 1024, 2048, 4096, 8192, 16384, 32768, 65536 };
> 
> int checkVulnerable();
> char *name;
> 
> int errno;
> 
> int *procs,
>    nprocs = 10,
>    freeprocs;
> 
> char *ip;
> 
> void usage () {
>    fprintf(stderr,"usage: %s  [options] <target-ip/cidr-block ....>\n", name); 
>    fprintf(stderr,"\t-s test first IP given, return positive for vulnerable\n");
>    fprintf(stderr,"\t-c <milliseconds>\t socket connect() will timeout "
>          "after this many milliseconds, default is 600\n");
>    fprintf(stderr,"\t-r <milliseconds>\t socket recv() will timeout after "
>          "this many milliseconds, default is 1800\n");
>    fprintf(stderr, "\t-p <number> Number of processes to use while scanning"
>          " defaults to 10\n");
>    fprintf(stderr,"\t-h \t\t displays this\n");
>    fprintf(stderr,"EX: > %s  10.5.10.1  --  scan single IP with default timeout\n"
>          "EX: > %s 10.5.10.1 10.5.10.3  -- scan two IPs \n"
>          "EX: > %s -c 5000 10.5.10.0/24 -- scan class C(/24) with timeout 5 seconds\n"
>          ,name, name, name);
>    exit(1);
> }
> 
> 
> int connectTo(struct sockaddr_in *dest_addr, u_long remoteAddress,
>       struct timeval *timeout)
> {
>    int flags;
>    int newSockfd;
>    fd_set writefds;
>    struct in_addr raddr;
>    struct timeval xtimeout =  *timeout;
> 
>    raddr.s_addr = remoteAddress;
> 
>    if( (newSockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
>       if( ! quiet ) { printf("error getting socket\n"); }
>       return -1;
>    }
> 
>    /* Set socket to non-blocking */
> 
>    if ((flags = fcntl(newSockfd, F_GETFL, 0)) < 0) {
>       if( ! quiet) { printf("error getting getting flags\n"); }
>       return -1;    
>    }
> 
>    if (fcntl(newSockfd, F_SETFL, flags | O_NONBLOCK) < 0) {
>       if( ! quiet) { printf("error getting getting flags\n"); }
>       return -1;    
> 
>    }
> 
>    if( connect(newSockfd, (struct sockaddr *) dest_addr,
>             sizeof(struct sockaddr)) < 0) {
>       if( errno == EINPROGRESS ) {
>          FD_ZERO(&writefds);
>          FD_SET(newSockfd, &writefds);
>          if( select(newSockfd+1, 0, &writefds, 0, &xtimeout) ) {
>             if( FD_ISSET(newSockfd, &writefds) ) {
>                return newSockfd;
>             } else {
>                if( ! quiet ) { printf ("Connect/select:%s\n", strerror(errno)); }
>                close(newSockfd);
>                return -1;
>             }   
>          }  else {
>             if( ! quiet ) { printf ("Connect: Timeout\n"); }
>             close(newSockfd);
>             return -1;
>          }
>       } else {
>          if( ! quiet ) { printf( "Connect: Error %s\n", strerror(errno)); }
>          close(newSockfd);
>          return -1;
>       } 
> 
>    }
>    return newSockfd;
> }
> 
> char *getResponseTo(int sfd, char query[], int qrySize, char buffer[],
>       struct timeval *timeout)
> {
>    struct timeval xtimeout =  *timeout;
>    fd_set rdrfds;
> 
>    if( send(sfd, query, qrySize, 0) < 0 ) { 
>       if( ! quiet ) { printf("%s: %s\n", errno == ECONNREFUSED ? "Connect" : "Send",
>             strerror(errno) ); }
>       return NULL; 
>    }
> 
>    if( errno == EINPROGRESS ) {
>       FD_ZERO(&rdrfds);
>       FD_SET(sfd, &rdrfds);
>       select(sfd+1, &rdrfds, 0, 0, &xtimeout);
>       if( ! FD_ISSET(sfd, &rdrfds) ) {
>          if( ! quiet ) { printf("receiving error %s\n",strerror(errno) ); }
>          close(sfd);
>          return NULL; 
>       }
>    } 
> 
>    if( recv(sfd, buffer, 1024, 0) < 0 ) {
>       if( ! quiet ) { printf("receiving error %s\n", strerror(errno)); }
>       close(sfd);
>       return NULL; 
>    }
>    return buffer;
> }
> 
> 
> char *nbname_u16( unsigned char *b, unsigned char *c )
> {
>    int i;
> 
>    for( i=0; i<strlen(b); i=i+1 ) {
>       c[i<<1] = (b[i] >> 4) + 0x41;
>       c[(i<<1)+1] = (b[i] & 0x0F) + 0x41;
>    }
>    c[(i<<1)]=0;
>    return c;
> }
> 
> 
> 
> char *get_nbname( u_long remoteAddress, unsigned char buffer[] )
> {
>    int flags, rc, nbsock, offset, length;
>    unsigned char std[1024];
>    struct timeval nbtimeout;
>    struct sockaddr_in nbto;
>    struct sockaddr nbfrom;
>    fd_set readfds;
> 
>    nbtimeout.tv_sec = 0;
>    nbtimeout.tv_usec = 250000;
>    nbto.sin_family = AF_INET;
>    nbto.sin_port = htons(137);
>    nbto.sin_addr.s_addr = remoteAddress;
>    bzero(&(nbto.sin_zero), 8);
> 
>    if( (nbsock = socket( PF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0 ) { return NULL; }
>    if ((flags = fcntl(nbsock, F_GETFL, 0)) < 0) {
>       if( ! quiet) { printf("error getting getting flags\n"); }
>       return NULL;
>    }
> 
>    if (fcntl(nbsock, F_SETFL, flags | O_NONBLOCK) < 0) {
>       if( ! quiet) { printf("error getting getting flags\n"); }
>       return NULL;
>    }
> 
>    memset(std, 0x0, 1024);
>    if ( sendto( nbsock, netbios_nr, sizeof(netbios_nr), 0, (struct sockaddr *) &nbto, sizeof(struct sockaddr_in) ) < 0 ) { return NULL; }
> 
>    FD_ZERO(&readfds);
>    FD_SET(nbsock, &readfds);
> 
>    if( select(nbsock+1, &readfds, 0, 0, &nbtimeout) ) {
>       recvfrom( nbsock, &std, 1024, 0, (struct sockaddr *) &nbfrom, &length);
>    } else {
>       close(nbsock);
>       return NULL;
>    }
> 
>    close(nbsock);
>    if( std[3] != 0x0 ) { return NULL; }
>    strncpy(buffer, std+0x39, 15);
>    /*printf("NETBIOS NAME[%s] ", buffer);*/
>    return buffer;
> }
> 
> 
> 
> 
> int checkVulnerable( u_long remoteAddress, struct timeval *ctimeout,
>       struct timeval *rtimeout ) {
> 
>    unsigned char buf1[1024];
>    unsigned char buf2[1024];
>    unsigned char buf3[1024];
>    unsigned char buf4[1024];
>    unsigned char nbname[16], nb16[33];
>    int sockfd;
>    int vulnflag;
>    struct sockaddr_in dest_addr;   /* hold dest addy */
>    struct in_addr    printip;
> 
>    printip.s_addr = remoteAddress;
>    dest_addr.sin_family = AF_INET;
>    dest_addr.sin_port = htons(DEST_PORT);
>    dest_addr.sin_addr.s_addr = remoteAddress;
>    bzero(&(dest_addr.sin_zero), 8);   /* zero rest of struct */
> 
>    ip = inet_ntoa(printip);
> 
>    if( ! quiet ) { printf ("%s %d ", ip, DEST_PORT); }
>    if( ! (((sockfd = connectTo(&dest_addr, remoteAddress, ctimeout )) >= 0) 
>             && getResponseTo(sockfd, neg_prot, sizeof(neg_prot), buf1, rtimeout)) ){ 
>       // NETBIOS CHECK
>       if( ! quiet ) { printf("%s %d ", ip, 139 ); }
>       if( get_nbname( remoteAddress, nbname ) == NULL ) { 
>          printf("NBNS: no reply\n");
>          return; 
>       }
>       nbname_u16( nbname, nb16);
>       memcpy(smb_sreq+5, nb16, 30);
>       dest_addr.sin_port = htons(139);
>       if( (sockfd = connectTo(&dest_addr, remoteAddress, ctimeout)) < 0 ) {
>          return;
>       }
>       if( ! getResponseTo(sockfd, smb_sreq, sizeof(smb_sreq), buf3, rtimeout) ) { return; }
>       if ( buf3[0] != 0x82 ) { 
>          if( ! quiet ) { printf("NetBIOS Session Refused\n"); }
>          return; 
>       }
>       if( ! getResponseTo(sockfd, neg_prot, sizeof(neg_prot), buf1, rtimeout) ) { return; }
>    }
>    if( !(getResponseTo(sockfd, blob, sizeof(blob), buf2, rtimeout)) ){ return; }
>    if( !(getResponseTo(sockfd, blob2, sizeof(blob2), buf4, rtimeout)) ) { return; }
>    close(sockfd);
> 
>    vulnflag = 0;
>    //SECURE 
>    if( (buf2[9]==0x0d) 
>          && (buf2[10] == 0x00) 
>          && (buf2[11]==0x00)  
>          && (buf2[12]==0xc0) ) {
>       if( ! quiet ) { printf ("MS04-007 SECURE:"); }
>    }
> 
>    else if( (buf2[9]==0x02) 
>          && (buf2[10] == 0x00) 
>          && (buf2[11]==0x01)  
>          && (buf2[12]==0x00) ) {
>       if( ! quiet ) { printf ("MS04-007 SECURE:"); }
>    }
>    //VULNERABLE
>    else if( (buf2[9]==0x16) &&
>          (buf2[10] == 0x00) &&
>          (buf2[11]==0x00)  &&
>          (buf2[12]==0xc0)
>          ){
>       if( ! quiet ) { printf ("MS04-007 VULNERABLE:"); }
>       vulnflag = 1;
>    } else { 
>       if( ! quiet ) { printf("MS04-007 INCONCLUSIVE [%02x%02x%02x%02x]:", buf2[9], buf2[10], buf2[11], buf2[12]); }
>    }
> 
>    if( (buf4[9]==0x0d)
>          && (buf4[10] == 0x00)
>          && (buf4[11]==0x00)
>          && (buf4[12]==0xc0) ) {
>       if( ! quiet ) { printf ("MS04-011 SECURE\n"); }
>    }
>    else if( (buf4[9]==0x02)
>          && (buf4[10] == 0x00)
>          && (buf4[11]==0x01)
>          && (buf4[12]==0x00) ) {
>       if( ! quiet ) { printf ("MS04-011 SECURE\n"); }
>    }
> 
>    else if( (buf4[9]==0x16) &&
>          (buf4[10] == 0x00) &&
>          (buf4[11]==0x00)  &&
>          (buf4[12]==0xc0)
>          ){
>       if( ! quiet ) { printf ("MS04-011 VULNERABLE\n"); }
>       vulnflag = 1;
>    } else { 
>       if( ! quiet ) { printf("MS04-011 INCONCLUSIVE [%02x%02x%02x%02x]\n", buf4[9], buf4[10], buf4[11], buf4[12]); }
>    }
> 
>    return vulnflag;
> }
> 
> 
> void wait_on_procs() {
>    int status;
>    int pid, i;
> 
>    if( pid = wait( &status ) < 0 ) {
>       perror ("wait");
>       return;
>    }
> 
>    for( i=0; i<nprocs && procs[i]==pid; i++ ) ;
>    if( i == nprocs ) {
>       fprintf(stderr, "cant find pid in proc array");
>       exit (10);
>    }
>    procs[i] = 0;
>    freeprocs++;
> 
> }
> 
> 
> int main(int argc, char **argv)
> {
>    char *firstAddr;
>    char *p;
>    int block;
>    u_long RemoteAddr, First;
>    int i,j,k;
>    int pid,
>    timeout,
>    bigendian = 1;
>    struct hostent *host;
>    struct timeval ctimeout, rtimeout;
>    int t;
> 
>    //connect timeout
>    ctimeout.tv_sec = 0;
>    ctimeout.tv_usec = 600000;
>    // receive timeout
>    rtimeout.tv_sec = 1;
>    rtimeout.tv_usec = 800000;
> 
>    name = argv[0];
> 
>    if (argc < 2)  usage();
> 
>    while ( --argc && (*++argv)[0] == '-' ) {
>       switch ( (*argv)[1] ) {
>          case 'h' :
>             usage();
>          case 'p' :
>             if( (*argv)[2] ) {
>                nprocs = atoi(*argv+3);
>             } else {
>                nprocs = atoi(argv[1]);
>                argv++; argc--;
>             }
>             break;
>          case 'c':
>             if( (*argv)[2] ) {
>                t  = atoi((*argv)+2) * 1000;
>             } else {
>                t = atoi(argv[1]) * 1000;
>                argv++; argc--;
>             }
>             ctimeout.tv_sec = t/1000000;
>             ctimeout.tv_usec = t % 1000000;
>             break;
>          case 'r':
>             if( (*argv)[2] ) {
>                t = atoi((*argv)+2) * 1000;
>             } else {
>                t = atoi(argv[1]) * 1000;
>                argv++; argc--;
>             }
>             rtimeout.tv_sec = t/1000000;
>             rtimeout.tv_usec = t % 1000000;
>             break;
>          case 's':
>             quiet = 1;
>             break;
>          default:
>             fprintf(stderr, "invalid flag %s\n", argv[1]);
>             usage();
>       }
>    }
> 
>    procs = calloc(nprocs, sizeof(int));
>    for( i=0; i<nprocs; i++) procs[i]=0;
> 
>    if (procs == 0x00) {
>       fprintf(stderr, "failed to allocate proc array");
>       exit(10);
>    } 
> 
> 
>    // is network order same as int:
>    bigendian = (u_long)(0x08) << 24 != inet_addr("8.0.0.0") ;
> 
>    do{  // while there are addresses 
>       firstAddr = argv[0];
>       //  is it address or dn
>       if( (p = strchr(firstAddr, '/')) == 0 ) {  // no CIDR width
>          block = 32;
>       } else {
>          *p =  0x0;
>          block = atoi(++p);
>       }
> 
>       if( host = gethostbyname( firstAddr) ) {
>          memcpy( &First,  (*host).h_addr_list[0], 4 );
>       } else { 
>          fprintf(stderr, "host does not exist '%s'\n", firstAddr);
>          goto end_loop;
>       }
> 
>       First = ntohl(First);   // get the address in host order
>       freeprocs = nprocs;
>       RemoteAddr = First;
> 
>       if( quiet ) {
>          exit( checkVulnerable(htonl(RemoteAddr), &ctimeout, &rtimeout) );
>       }
> 
>       for( j = 0;  j < count[block]  ; j++ ) {
>          if( freeprocs == 0 ) {
>             wait_on_procs();
>          } else if ( freeprocs < 0 ) {
>             exit(10);
>          }
>          if( (pid = fork()) == 0 ) { //child 
>             checkVulnerable(htonl(RemoteAddr), &ctimeout, &rtimeout);
>             exit(0);
>          } else { // parent 
>             if ( pid > 0 )  {  // fork OK
>                for( i=0; i<nprocs; i++ ) {
>                   if( procs[i]==0 ) {
>                      procs[i] = pid;
>                      pid =0;       
>                      freeprocs--;
>                      break;
>                   }
>                }
>                if( pid ) { // did not find space in procs
>                   fprintf(stderr, "proc array error!\n");
>                   exit(10);
>                }
> 
>             } else { // fork failed
>                perror("fork");
>                exit(10); 
>             }
>          }
>          RemoteAddr++;
>       }
> 
>       if( nprocs > 1 ) {  //wait for processes to terminate
>          while( freeprocs < nprocs ) wait_on_procs();
>       }
> end_loop:
>       argv++;
>    }   while ( --argc );
> 
>    exit(0);
> 
> }
> 
> ----
> 

> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
-- 
Daniel R. Bidwell	|	bidwell at andrews.edu
Andrews University	|	Information Technology Services
If two always agree, one of them is unnecessary
"Friends don't let friends do DOS"
"In theory, theory and practice are the same.
In practice, however, they are not."




More information about the unisog mailing list