1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
|
/*
* bscan, restore.c
* this is the buggies part of the entire scanner :>
* many buffer overflows in here
*/
#include <bscan/bscan.h>
#include <bscan/system.h>
#include <bscan/module.h>
#include <string.h>
extern struct _opt *opt;
#define RESTORE_FILE "restore.bscan"
#define R_ARGVLIST "argvlist"
#define R_MODARG "modarg"
#define R_LIMIT "limit"
#define R_FLAGS "flags"
#define R_DELAY "delay"
#define R_PSCANSTAT "pscanstat"
#define R_IPSCAN_COUNT "ipscan_count"
#define R_IPTOTSCAN_C "iptotscan_count"
#define R_BSENT_COUNT "bsent_count"
#define R_IP_OFFSET "ip_offset"
#define R_IP_BLKLEN "ip_blklen"
#define R_IP_POS "ip_pos"
#define R_SCAN_TIME "scan_time"
#define R_SPF_SIP "spf_sip"
#define R_SPF_SMAC "spf_smac"
#define R_SNARFICMP_C "snarf.icmp_c"
#define R_SNARFCLOSE_C "snarf.close_c"
#define R_SNARFOPEN_C "snarf.open_c"
#define R_SNARFREFUSED_C "snarf.refused_c"
#define R_IDEV "lnet.device"
#define R_HOSTFILE "hostfile"
/*
* save everything that is required to restore/restart an inter session
*/
int
write_restore ()
{
u_char *p = (u_char *) opt->spf_smac;
FILE *fptr;
char **myargv = opt->argvlist;
struct timeval tv;
#ifdef HAVE_DLSYM
int c=0;
extern const int modcount;
extern const struct _mods mods[MAX_MODULES];
#endif
if (opt->flags & OPT_VERB)
fprintf (stderr, "Writing restore file '%s'\n", RESTORE_FILE);
if ((fptr = fopen (RESTORE_FILE, "w+")) == NULL)
return (-1);
fprintf (fptr, "# bscan restore file. This is an automatic generated\n");
fprintf (fptr, "# file. Don't edit.\n");
fprintf (fptr, "#\n");
fprintf (fptr, R_ARGVLIST ": ");
if ((opt->target != NULL) && !(opt->flags & OPT_HOSTFILE))
fprintf (fptr, "\"%s\" ", opt->target);
while (*myargv != NULL)
fprintf (fptr, "\"%s\" ", *myargv++);
fprintf (fptr, "\n");
#ifdef HAVE_DLSYM
for (c = 0; c < modcount; c++)
fprintf(fptr, R_MODARG ": %s\n", mods[c].modarg);
#endif
fprintf (fptr, R_LIMIT ": %u\n", opt->limit);
fprintf (fptr, R_DELAY ": %u\n", opt->delay);
fprintf (fptr, R_PSCANSTAT ": %u\n", opt->pscanstat);
fprintf (fptr, R_IPSCAN_COUNT ": %lu\n", opt->ipscan_count);
fprintf (fptr, R_IPTOTSCAN_C ": %lu\n", opt->iptotscan_count);
fprintf (fptr, R_BSENT_COUNT ": %lu\n", opt->bsent_count);
fprintf (fptr, R_IP_OFFSET ": %lu\n", opt->ip_offset);
fprintf (fptr, R_IP_BLKLEN ": %lu\n", opt->ip_blklen);
fprintf (fptr, R_IP_POS ": %lu\n", opt->ip_pos);
fprintf (fptr, R_FLAGS ": %4.4x\n", opt->flags);
memcpy(&tv, &opt->tv2, sizeof(tv));
time_diff (&opt->scan_start, &tv);
fprintf (fptr, R_SCAN_TIME ": %ld\n", (long)tv.tv_sec);
fprintf (fptr, R_SPF_SIP ": %s\n", int_ntoa (opt->nt.src));
fprintf (fptr, R_SPF_SMAC ": %2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x\n",
p[0], p[1], p[2], p[3], p[4], p[5]);
fprintf (fptr, R_SNARFICMP_C ": %lu\n", opt->snarf.icmp_c);
fprintf (fptr, R_SNARFCLOSE_C ": %lu\n", opt->snarf.close_c);
fprintf (fptr, R_SNARFOPEN_C ": %lu\n", opt->snarf.open_c);
fprintf (fptr, R_SNARFREFUSED_C ": %lu\n", opt->snarf.refused_c);
if (opt->lnet.device != NULL)
fprintf (fptr, R_IDEV ": %s\n", opt->lnet.device);
else
fprintf (fptr, R_IDEV ": \n");
if (opt->hostfile != NULL)
fprintf (fptr, R_HOSTFILE ": %s\n", opt->hostfile);
else
fprintf (fptr, R_HOSTFILE ": \n");
fclose (fptr);
return (0);
}
int
restore_processtag (char *tag, char *arg)
{
char *ptr = arg;
int c = 0;
if ((arg == NULL) || (tag == NULL))
return (-1);
if (!strcmp (R_ARGVLIST, tag))
if (strlen (arg) > 0)
{
int toggle = 0;
while (*ptr != '\0')
if (*ptr++ == '"')
c++;
ptr = arg;
c = c / 2;
if (c <= 0)
return (-1); /* this should not happen */
if ((opt->argvlist = malloc ((c + 1) * sizeof (char *))) == NULL)
return (-1);
for (toggle = 0; toggle < c + 1; toggle++)
opt->argvlist[toggle] = NULL;
toggle = 0;
ptr = arg;
c = 0;
while (*ptr != '\0')
if (*ptr++ == '"')
{
*(ptr - 1) = '\0';
if (toggle++ == 1)
{
toggle = 0;
continue;
}
opt->argvlist[c++] = ptr;
}
/* strings are ready + \0 terminated here */
for (toggle = 0; toggle < c; toggle++)
opt->argvlist[toggle] = strdup (opt->argvlist[toggle]);
return (0);
}
if (!strcmp (R_MODARG, tag))
loadinit_mod(arg);
if (!strcmp (R_DELAY, tag))
opt->delay = atoi (arg);
if (!strcmp (R_LIMIT, tag))
opt->limit = atoi (arg);
if (!strcmp (R_PSCANSTAT, tag))
opt->pscanstat = atoi (arg);
if (!strcmp (R_IPSCAN_COUNT, tag))
opt->ipscan_count = strtoul (arg, NULL, 10);
if (!strcmp (R_IPTOTSCAN_C, tag))
opt->iptotscan_count = strtoul (arg, NULL, 10);
if (!strcmp (R_BSENT_COUNT, tag))
opt->bsent_count = strtoul (arg, NULL, 10);
if (!strcmp (R_IP_OFFSET, tag))
opt->ip_offset = strtoul (arg, NULL, 10);
if (!strcmp (R_IP_BLKLEN, tag))
opt->ip_blklen = strtoul (arg, NULL, 10);
if (!strcmp (R_IP_POS, tag))
opt->ip_pos = strtoul (arg, NULL, 10);
if (!strcmp (R_SCAN_TIME, tag))
{ /* doing the date trick ..we had a scannerdowntime.. */
gettimeofday (&opt->scan_start, NULL);
opt->scan_start.tv_sec =
opt->scan_start.tv_sec - strtoul (arg, NULL, 10);
}
if (!strcmp (R_SPF_SIP, tag))
opt->nt.src = inet_addr (arg);
if (!strcmp (R_SPF_SMAC, tag))
{
unsigned short int sp[6];
sscanf (arg, "%hx:%hx:%hx:%hx:%hx:%hx", &sp[0], &sp[1], &sp[2],
&sp[3], &sp[4], &sp[5]);
for (c = 0; c < 6; c++)
opt->spf_smac[c] = (u_char) sp[c];
}
if (!strcmp (R_FLAGS, tag))
{
sscanf (arg, "%hx", &opt->flags);
opt->flags &= ~OPT_ABRT;
opt->flags &= ~OPT_REST;
}
if (!strcmp (R_SNARFICMP_C, tag))
opt->snarf.icmp_c = strtoul (arg, NULL, 10);
if (!strcmp (R_SNARFCLOSE_C, tag))
opt->snarf.close_c = strtoul (arg, NULL, 10);
if (!strcmp (R_SNARFOPEN_C, tag))
opt->snarf.open_c = strtoul (arg, NULL, 10);
if (!strcmp (R_SNARFREFUSED_C, tag))
opt->snarf.refused_c = strtoul (arg, NULL, 10);
if (!strcmp (R_IDEV, tag))
if (strlen (arg) > 0)
opt->lnet.device = strdup (arg);
if (!strcmp (R_HOSTFILE, tag))
if (strlen (arg) > 0)
opt->hostfile = strdup (arg);
return (0);
}
/*
* read restore-file
* return 0 on success, -1 on failure
* sscanf is exploitable. have fun. What kind of stupid admin
* who set a +s on this programm. harhar
*/
int
read_restore (char *filename)
{
FILE *fptr;
char buf[1024];
char tag[1024], arg[1024];
if (opt->flags & OPT_VERB)
fprintf (stderr, "Reading restore file '%s'.\n", filename);
if ((fptr = fopen (filename, "rb")) == NULL)
{
printf ("OPEN FAILED\n");
return (-1);
}
while (fgets (buf, sizeof (buf), fptr) != NULL)
{
if (strchr (buf, '#') != NULL)
continue;
tag[0] = arg[0] = '\0';
sscanf (buf, "%[^: ]%*[: \t]%[^#\n]%*[\n]", tag, arg);
if (restore_processtag (tag, arg) == -1)
{
fprintf (stderr, "error while processing restore file with '%s:%s' \n ", tag, arg);
exit (-1);
}
}
fclose (fptr);
return (0);
}
|
