
Sparcz, a tiny telnet server - MASM winsock example code


SparcZerver is a funny network utility, precision crafted for remote access to the CDROM drive eject mechanism via an IP based network such as the Internet..! i.e. it lets you open and close the cdrom drive tray of the computer on which this program is running, from a telnet terminal on another computer connected to the same network. It also includes options for passing messages, opening files and starting programs on the other end. Keeping this program in the windows startup list will be extremely wise. Originally developed for KGB by a CIA double agent, the program is specially coded to create no windows; it works hidden in the dark background. It is a bare basic socket server program that uses the winsock API to make Windows 9x machines telnet accessible [TCP/IP, port=23]. The entire source code of the secret program is included further down this page; simply ignore it if you are not a coder. Because it is written in assembly language and does not even have an icon, the executable weighs only about 6kB, zip'ed along with the source code to 4k7 bytes. And it downloads faster than this webpage..!

Download Sparcz - ( Freeware )

Before starting.. the first thing you should know is the IP address of the machine where you are running 'sparcz.exe'. If you don't know your IP number, get MS-DOS prompt and enter command 'ipconfig'.

Note: If you are using a dial-up connection, the IP address changes each time you log in. B'coz dial-up connections use dynamic IP addressing, at each login the client is automatically configured with a new IP address, one that is free at that time in the IP address pool of your Internet Service Provider.

Windows 98 ipconfig DOS box


If your computer is not configured or not connected to any network, you can use the internal loopback address 127.0.0.1 for testing. Opening 'sparcz.exe' won't show any windows.. the program works in the background and is visible in the Ctrl+Alt+Delete task list. Now run (Start menu -> Run) the Telnet program either on the current machine or on any other computer connected to the network,
and give the IP address of SparcZerver as the argument (eg. telnet 203.129.253.10). You can do the same in a Unix (Linux, BSD) shell; telnet actually belongs to Unix. Telnet terminal programs are usually available with all operating systems.

Be sure that the 'Local Echo' option is 'ON' at Terminal->Preferences

telnet screen 1


From the telnet terminal you can send the following commands to the sparcz server:

open filename - open the file or program
msg message - place message plainly over screen
box message - show within a messagebox
cdopen - to open CDROM drive door
cdclose - to close CDROM drive door
bye - terminate connection, handles one user at a time
kill - terminate sparczerver

The 'open' function is a very versatile one. It actually uses the Windows shell interface, the 'ShellExecute' API call. It can open document files and program files, so a lot of operations can be performed on a remote machine through telnet. See the following examples. Sending parameters to a program is currently not supported; feel free to contact me if you need that feature.

open d:\Louis Armstrong\What a Wonderful World.mp3
open c:\Firework3.exe
open telnet://255.255.255.255
open http://www.ronybc.com


telnet screen 2



Complete source code of 'sparcz', Winsock example
win32 assembly language (MASM) :
; SparcZ - A Funny little Network utility
; by ronybc ( url: http://www.ronybc.com )

.486p
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\wsock32.inc
include \masm32\include\kernel32.inc
include \masm32\include\gdi32.inc
include \masm32\include\winmm.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\wsock32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\winmm.lib

include \masm32\include\shell32.inc
includelib \masm32\lib\shell32.lib

.data
; Initialised data: names, the log path, the strings sent to the client,
; the command keywords and the two 512-byte work buffers.

; ClassName is defined but not referenced anywhere in this listing;
; AppName is the caption of the message box shown by the "box" command.
ClassName db "Kunthrandam",0
AppName   db "SPARCz",0
; Fixed log path. The server appends one line per connection (with the
; client's IP address) and every received command line to this file.
fname1    db "C:\Zerver.log",0 
ftxt1     db "connected from : ",0

; Banner sent to each client right after accept. It is sent with
; SIZEOF welcome, which counts the terminating 0, so that byte goes out too.
welcome   db 13,10,
             "You are connected to -",13,10,13,10,
             "     __  __   __   __   ___________________________",13,10,
             "    (_  |__) |__| |__) / ",13,10,
             " _____) |    |  | |  \ \__  ZERVER BY RONYBC ",13,10,
             13,10,13,10,13,10,0

; Status replies.
killed    db "You killed that poor Zerver..! ",13,10,0
thankz    db "bye.... visit http://www.ronybc.com",13,10,0
gotit     db "ok..... ",0
errrr     db "error.. ",0
; Command keywords. The dispatcher compares each one, case-insensitively,
; against the first SIZEOF-1 characters of the received line, so they act
; as prefixes. "line" (cm05) is handled by the code but is not in the
; command list given in the page text.
cm00      db "open",0
cm01      db "box",0
cm02      db "kill",0
cm03      db "bye",0
cm04      db "cd",0
cm05      db "line",0
cm06      db "msg",0
; MCI command strings for the CD tray; mci3 is the (one-byte) return-string
; buffer handed to mciSendString together with a length of 0.
mci1      db "set cdaudio door open",0
mci2      db "set cdaudio door closed",0
mci3      db 0
; buff receives the raw command line from the network. The author's own note
; on this line: vulnerable to buffer overflow attacks. Every writer into buff
; has to bound its length to SIZEOF buff (512 bytes).
buff      db 512 dup (0)
; buff2 is scratch space: the "connected from" log line and the keyword-sized
; copies of buff made by the dispatcher.
buff2     db 512 dup (0)

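.data?
; Uninitialised data.
s1        SOCKET ?                  ; listening socket
s2        SOCKET ?                  ; socket of the client currently being served
sin1      sockaddr_in <>            ; local address handed to bind
sin2      sockaddr_in <>            ; peer address filled in by accept
wsaData   WSADATA <>
hFile     dd ?                      ; handle of the log file while it is open
fwritten  dd ?                      ; byte count returned by WriteFile
temp      dd ?                      ; scratch: address length for accept, then the
                                    ; inet_ntoa pointer, then the log line length
deskdc    HDC ?                     ; screen DC used by the "line" and "msg" commands
; The type name must be spelled LOGFONT: the file sets "option casemap:none",
; so identifiers are case-sensitive and "LOGfont" does not name the
; structure declared in windows.inc.
font      LOGFONT <>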


.code

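start:
    ; Process entry point. Starts Winsock 1.1 and opens the listening socket:
    ; TCP port 23 on every local interface (sin_addr is set to 0).
    ; Nothing in this listing authenticates or filters clients, so any host
    ; that can reach the port gets the whole command set.
    invoke WSAStartup,0101h,ADDR wsaData
    test eax,eax                    ; WSAStartup returns 0 on success
    jnz start_exit                  ; Winsock never started: no cleanup is owed
    invoke socket,PF_INET,SOCK_STREAM,0
    cmp eax,INVALID_SOCKET
    je start_cleanup                ; never bind or listen on an invalid handle
    mov s1,eax
    mov ax,AF_INET
    mov sin1.sin_family,ax
    xor eax,eax
    mov sin1.sin_addr,eax           ; address 0: accept connections on all interfaces
    invoke htons,23 ;Telnet port
    mov sin1.sin_port,ax
    invoke bind,s1,ADDR sin1,SIZEOF sockaddr_in
    cmp eax,SOCKET_ERROR
    jne @F
    ; bind failed: fall into the shared exit path.
start_cleanup:
    invoke WSACleanup
start_exit:
    xor eax,eax
    ret
@@:
    ; Backlog of 1. NOTE(review): the result of listen is not checked.
    invoke listen,s1,1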
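next_user:
    ; Drop the previous client and block until the next one connects; one
    ; client is served at a time. The new connection is greeted, and a
    ; "connected from : <ip>" line is appended to the log and echoed back.
    invoke closesocket,s2           ; on the first pass s2 has not been assigned yet
    mov eax,SIZEOF sockaddr_in
    mov temp,eax                    ; temp = in/out address length for accept
    invoke accept,s1,ADDR sin2,ADDR temp
    mov s2,eax
    cmp eax,INVALID_SOCKET
    je next_user                    ; accept failed: nothing to greet or log
    invoke send,s2,ADDR welcome,SIZEOF welcome,0

    ; Build "connected from : <ip>",CR,LF in buff2.
    mov eax,sin2.sin_addr ;get IP address of user
    invoke inet_ntoa,eax
    mov temp,eax                    ; temp = pointer to the dotted-decimal text
    mov edi,OFFSET buff2
    invoke lstrcpy,edi,ADDR ftxt1
    ; SIZEOF ftxt1 counts the terminating 0. Stepping SIZEOF-1 bytes lands on
    ; that terminator, so the address overwrites it and no 0 byte is left in
    ; the middle of the line.
    add edi,SIZEOF ftxt1 - 1
    invoke lstrcpy,edi,temp
    invoke lstrlen,temp
    add edi,eax
    ; Store CR,LF as a word (0Dh then 0Ah in memory). A dword 0a0d0000h would
    ; put two 0 bytes in front of the line break.
    mov word ptr [edi],0a0dh
    add edi,2
    mov eax,edi
    sub eax,OFFSET buff2
    mov temp,eax                    ; temp = length of the finished line

    ; Append the line to C:\Zerver.log; skip the file work if it cannot be opened.
    invoke CreateFile,ADDR fname1,GENERIC_WRITE,FILE_SHARE_READ,0,
                      OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
    mov hFile,eax
    cmp eax,INVALID_HANDLE_VALUE
    je conn_logged
    invoke SetFilePointer,hFile,0,0,FILE_END
    invoke WriteFile,hFile,ADDR buff2,temp,ADDR fwritten,0
    invoke CloseHandle,hFile
conn_logged:
    invoke send,s2,ADDR buff2,temp,0
    invoke send,s2,ADDR gotit,SIZEOF gotit,0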
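next_command:
    ; Read one command line from the client into buff, then append it to the log.
    ; edi is the write cursor. The loop ends when the last byte received is a
    ; line feed; it expects the client to send the line feed as the last byte
    ; of a recv.
    mov edi,OFFSET buff
    mov eax,SIZEOF buff
    call clrbuff
    mov edi,OFFSET buff
crecv:
    ; Bound every recv to the space that is left. A fixed length of 500 at a
    ; moving cursor lets a client that never sends a line feed write past the
    ; end of the 512-byte buffer.
    mov ecx,OFFSET buff
    add ecx,SIZEOF buff - 1         ; last byte is reserved for the terminator
    sub ecx,edi                     ; ecx = bytes still free
    jbe err                         ; line too long: refuse it and start a new line
    invoke recv,s2,edi,ecx,0
    or eax,eax
    jz next_user                    ; 0 = peer closed the connection
    cmp eax,SOCKET_ERROR
    je next_user
    add edi,eax
    mov byte ptr [edi],0            ; keep the text terminated for lstrlen
    mov al,[edi-1]
    cmp al,08h       ; check for 'Backspace'
    jne @F
    xor eax,eax                     ; al = 0, so the line-feed test below fails
    dec edi                         ; discard the backspace itself
    cmp edi,OFFSET buff
    jbe bs_done                     ; nothing before it: never step below buff
    dec edi                         ; discard the character it erases
bs_done:
    mov [edi],al                    ; terminate at the new end of the line
@@:
    cmp al,0Ah
    jne crecv
    ; NOTE(review): the client's text is written to the log unchanged, and the
    ; CreateFile result is not checked before it is used.
    invoke CreateFile,ADDR fname1,GENERIC_WRITE,FILE_SHARE_READ,0,
                      OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
    mov hFile,eax   ; log commands to file C:\Zerver.log
    invoke SetFilePointer,hFile,0,0,FILE_END
    invoke lstrlen,ADDR buff
    invoke WriteFile,hFile,ADDR buff,eax,ADDR fwritten,0
    invoke CloseHandle,hFile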

    ; Command dispatch. Each keyword is tested as a case-insensitive prefix of
    ; the received line: lstrcpyn copies SIZEOF-1 characters of buff into
    ; buff2, and lstrcmpi compares that copy with the keyword. Keywords are
    ; tried in the order msg, line, cd, bye, kill, box, open. Anything that
    ; matches none of them goes to err; a match on "open" falls through to the
    ; code that follows.
    ; NOTE(review): no credential is checked before dispatch, and because only
    ; the prefix is compared, any text may follow a keyword.
MATCHCMD MACRO keyword
    invoke lstrcpyn,ADDR buff2,ADDR buff,SIZEOF keyword
    invoke lstrcmpi,ADDR buff2,ADDR keyword
    test eax,eax                    ;; ZF set when the prefix matches
ENDM

    MATCHCMD cm06
    jz dmsg
    MATCHCMD cm05
    jz dline
    MATCHCMD cm04
    jz cdrom
    MATCHCMD cm03
    jz byebye
    MATCHCMD cm02
    jz killer
    MATCHCMD cm01
    jz msgbx
    MATCHCMD cm00
    jnz err

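    ; "open <target>": hand the rest of the line to ShellExecute with the
    ; "open" verb. The target comes straight from the network and the client
    ; is never authenticated, so whoever reaches the port decides what the
    ; shell opens. That makes this the highest-impact command in the listing.
    invoke lstrlen,OFFSET buff
    mov edx,OFFSET buff
    ; Cut the trailing CR,LF with a two-byte store. A four-byte store here can
    ; reach one byte past buff when the line fills the buffer.
    ; NOTE(review): assumes the line ends in CR,LF; confirm for other clients.
    mov word ptr [edx+eax-2],0
    add edx,5                       ; skip "open" and the one separator character
    cmp byte ptr [edx],0
    je err                          ; no target was given
    invoke ShellExecute,NULL,ADDR cm00,edx,NULL,NULL,SW_SHOWNORMAL
    cmp eax,32
    jbe err                         ; ShellExecute signals failure with a value of 32 or less
    invoke send,s2,ADDR gotit,SIZEOF gotit,0
    jmp next_command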

err:
    ; Reply "error.. " to the client and wait for the next command line.
    ; SIZEOF errrr counts the terminating 0, so that byte is sent as well.
    invoke send,s2,ADDR errrr,SIZEOF errrr,0
    jmp next_command

msgbx:
    ; "box <text>": show everything after the keyword in a topmost,
    ; system-modal information box captioned with AppName. The text starts
    ; at buff+3, so the separator and the line ending are part of it.
    ; MessageBox does not return until the box is dismissed, and the listing
    ; creates no other thread, so the command loop waits here until then.
    mov eax,OFFSET buff + 3
    invoke MessageBox,NULL,eax,ADDR AppName,
           MB_OK or MB_TOPMOST or MB_SYSTEMMODAL or MB_ICONINFORMATION
    invoke send,s2,ADDR gotit,SIZEOF gotit,0
    jmp next_command
    
dline:
    ; "line": draw three connected line segments straight onto the screen DC
    ; (GetDC with a window handle of 0), then reply "ok..... ".
    ; NOTE(review): the dispatcher matches this keyword, but it is not in the
    ; command list given in the page text.
    invoke GetDC,0 ;get desktop DC
    mov deskdc,eax
    invoke MoveToEx,deskdc,100,300,NULL
    invoke LineTo,deskdc,250,100 ; draw it annoying
    invoke LineTo,deskdc,550,400
    invoke LineTo,deskdc,600,430
    invoke ReleaseDC,0,deskdc
    invoke send,s2,ADDR gotit,SIZEOF gotit,0
    jmp next_command
    
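dmsg:
    ; "msg <text>": draw the text after the keyword onto the screen DC at
    ; (100,200), using the icon-title font with its height set to 36.
    ; edi = font created here (0 if creation failed)
    ; ebx = font that was selected before (0 if nothing was replaced)
    invoke GetDC,0
    mov deskdc,eax
    ; The constant must be spelled SPI_GETICONTITLELOGFONT: the file sets
    ; "option casemap:none", so identifiers are case-sensitive.
    invoke SystemParametersInfo,
           SPI_GETICONTITLELOGFONT,SIZEOF font,ADDR font,0
    mov dword ptr [font],36         ;font size (lfHeight is the first LOGFONT field)
    invoke CreateFontIndirect,ADDR font
    mov edi,eax
    xor ebx,ebx
    test edi,edi
    jz dmsg_draw
    invoke SelectObject,deskdc,edi
    mov ebx,eax
dmsg_draw:
    invoke lstrlen,ADDR buff
    sub eax,5                       ; drop 'msg' (3) and the CR,LF (2)
    jge dmsg_out
    xor eax,eax                     ; shorter line: never pass a negative count
dmsg_out:
    mov edx,OFFSET buff
    add edx,3
    invoke TextOut,deskdc,100,200,edx,eax
    ; Put the previous font back and delete ours; otherwise every "msg"
    ; command leaves one more GDI font object behind.
    test ebx,ebx
    jz dmsg_free
    invoke SelectObject,deskdc,ebx
dmsg_free:
    test edi,edi
    jz dmsg_done
    invoke DeleteObject,edi
dmsg_done:
    invoke ReleaseDC,0,deskdc
    invoke send,s2,ADDR gotit,SIZEOF gotit,0
    jmp next_command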
    
cdrom:
    ; "cdopen" / "cdclose": the four bytes after "cd" select the MCI command.
    ; The constants are written reversed because the dword is read in
    ; little-endian order: "nepo" is "open" in memory, "solc" is "clos".
    ; This comparison is case-sensitive, unlike the keyword dispatch, and
    ; anything else after "cd" goes to err.
    ; NOTE(review): the mciSendString result is not checked; "ok..... " is
    ; sent either way.
    mov eax,dword ptr [buff+2]
    cmp eax,"solc"
    je cdclose
    cmp eax,"nepo" ;open or close
    jne err

cdopen:
    invoke mciSendString,ADDR mci1,ADDR mci3,0,0
    invoke send,s2,ADDR gotit,SIZEOF gotit,0
    jmp next_command

cdclose:
    invoke mciSendString,ADDR mci2,ADDR mci3,0,0
    invoke send,s2,ADDR gotit,SIZEOF gotit,0
    jmp next_command
    
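clrbuff:
    ; Zero a buffer, one dword at a time.
    ; In:    edi = buffer start, eax = size in bytes (whole dwords are cleared)
    ; Out:   edi = first byte past the cleared area
    ; Clobb: eax, edx, flags
    ; The size passed in eax bounds the loop. Stopping at the first zero dword
    ; instead can leave stale text behind an embedded zero, and can run past
    ; the end of the buffer when every dword in it is non-zero.
    xor edx,edx
    shr eax,2                       ; byte count -> dword count
    jz clr_done
clr_loop:
    mov [edi],edx
    add edi,4
    dec eax
    jnz clr_loop
clr_done:
    ret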
    
byebye:
    ; "bye": send the farewell string, then go back to next_user, which
    ; closes this client's socket and waits for the next connection.
    invoke send,s2,ADDR thankz,SIZEOF thankz,0
    jmp next_user
    
killer:
    ; "kill": tell the client, close both sockets, shut Winsock down and
    ; return from the entry point with eax = 0.
    ; Any connected client can issue this; no credential is checked anywhere
    ; in the listing.
    ; NOTE(review): there is no ExitProcess call; presumably the return from
    ; the entry point ends the process. Confirm on the target Windows version.
    invoke send,s2,ADDR killed,SIZEOF killed,0
    invoke closesocket,s1
    invoke closesocket,s2
    invoke WSACleanup
    xor eax,eax
    ret

end start
Copyright 2000 - 2007 Rony B Chandran. All Rights Reserved.