GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/DDOS Scripts/AMP YUBINA SCRIPTS/ssdp_scanner.c
/* priv8 ssdp scanner. lel */
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/time.h>
#include <sys/types.h>
#include <math.h>
#include <ctype.h>
#include <errno.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
/*
 * Shared state. The counters below are updated by the sender threads and read
 * (some also reset) by main() with no lock or atomic operation. volatile does
 * not make an increment atomic, so the figures main() prints are approximate.
 */
volatile int running_threads = 0;      /* sender threads currently inside flood() */
volatile int found_srvs = 0;           /* responses written to the output file */
volatile unsigned long per_thread = 0; /* number of addresses given to each sender thread */
volatile unsigned long start = 0;      /* first address of the range, as returned by inet_addr() */
volatile unsigned long scanned = 0;    /* probes counted since main() last reset it */
volatile int sleep_between = 0;        /* set from argv[5] in main(); no function in this file reads it */
volatile int bytes_sent = 0;           /* bytes handed to sendto() since main() last reset it */
volatile unsigned long hosts_done = 0; /* probes counted in total; drives the percentage display */
FILE *fd;                              /* output file, opened for append in main() */

/*
 * The probe: an SSDP M-SEARCH discovery request asking for every service type
 * (ST:ssdp:all). flood() sends it by unicast to UDP port 1900 of each address,
 * so an unsolicited M-SEARCH with ST:ssdp:all arriving from outside the local
 * network is the observable signature of this scan. A device that answers it
 * on an Internet-facing interface can be used as a reflector; filtering inbound
 * UDP/1900 at the network edge and disabling UPnP/SSDP on WAN interfaces
 * removes that exposure.
 */
char payload[] =
"M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:ssdp:all\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n";

/*
 * NOTE(review): this declaration has no type specifier and relies on implicit
 * int, which C99 removed. sizeof on the array counts the terminating NUL, so
 * each datagram ends with one zero byte after the final CRLF.
 */
size = sizeof(payload);
/*
 * Sender thread body. Sends the global payload once to UDP port 1900 of every
 * address in this thread's slice of the range and updates the shared counters.
 *
 * par1: the thread index, carried by value inside the pointer argument
 *       (main() passes (void *) i).
 *
 * The slice is [start + per_thread * index, start + per_thread * (index + 1)),
 * computed in host byte order. Nothing is received here; replies are handled
 * by recievethread().
 */
void *flood(void *par1)
{
    running_threads++; /* NOTE(review): unsynchronised read-modify-write on a shared counter */
    int thread_id = (int)par1; /* NOTE(review): pointer-to-int cast; truncates where pointers are wider than int */
    unsigned long start_ip = htonl(ntohl(start)+(per_thread*thread_id));
    unsigned long end = htonl(ntohl(start)+(per_thread*(thread_id+1)));
    unsigned long w;
    int y; /* unused */
    unsigned char buf[65536];
    memset(buf, 0x01, 90); /* buf is initialised here and never used again */
    int sizeofpayload = 90; /* unused */
    int sock;
    if((sock=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
        perror("cant open socket");
        exit(-1); /* terminates the whole process, not only this thread */
    }
    /* w runs in host byte order. htonl() and ntohl() perform the same swap, so
     * htonl(end) yields the host-order bound here; ntohl would state the intent. */
    for(w=ntohl(start_ip);w<htonl(end);w++)
    {
        struct sockaddr_in servaddr;
        bzero(&servaddr, sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(w);
        servaddr.sin_port=htons(1900); /* SSDP */
        /* The return value of sendto() is ignored, so the counters below are
         * incremented whether or not the datagram was actually sent. */
        sendto(sock,payload,size,0, (struct sockaddr *)&servaddr,sizeof(servaddr));
        bytes_sent+=size;
        scanned++;
        hosts_done++;
    }
    close(sock);
    running_threads--;
    return; /* NOTE(review): no value returned from a function declared to return void * */
}
/*
 * SIGINT handler installed by main(): closes the output file, prints a newline
 * and exits with status 0.
 *
 * sig: the signal number; not used.
 *
 * NOTE(review): fclose(), printf() and exit() are not async-signal-safe, so
 * calling them from a handler is undefined if the signal interrupts another
 * stdio call. fd is also not checked for NULL here, and main() does not check
 * the result of fopen().
 */
void sighandler(int sig)
{
    fclose(fd);
    printf("\n");
    exit(0);
}
/*
 * Listener thread body. Reads UDP datagrams from a raw socket and, for each
 * one whose UDP source port is 1900, appends "<source address> <number>" to
 * the output file when the computed number is greater than 40.
 *
 * The number written is data_size - IP header length - 90, i.e. not the size
 * of the SSDP response itself (see the note on the constant below).
 *
 * Anything that arrives from source port 1900 is recorded; a reply is never
 * matched against a probe that was sent, so entries in the output file may
 * come from unrelated or spoofed traffic and should be treated as unverified.
 *
 * NOTE(review): declared with an empty parameter list although
 * pthread_create() expects void *(*)(void *).
 */
void *recievethread()
{
    printf("\n");
    int saddr_size, data_size, sock_raw; /* NOTE(review): recvfrom() takes a socklen_t * for the address length */
    struct sockaddr_in saddr;
    struct in_addr in; /* unused */

    unsigned char *buffer = (unsigned char *)malloc(65536); /* result not checked; never freed */
    /* Raw socket: recvfrom() returns the datagram starting at the IP header.
     * Opening one normally requires elevated privileges. */
    sock_raw = socket(AF_INET , SOCK_RAW , IPPROTO_UDP);
    if(sock_raw < 0)
    {
        printf("Socket Error\n");
        exit(1);
    }
    while(1)
    {
        saddr_size = sizeof saddr;
        data_size = recvfrom(sock_raw , buffer , 65536 , 0 , (struct sockaddr *)&saddr , &saddr_size);
        if(data_size <0 )
        {
            printf("Recvfrom error , failed to get packets\n");
            exit(1);
        }
        struct iphdr *iph = (struct iphdr*)buffer;
        if(iph->protocol == 17) /* 17 = UDP */
        {
            unsigned short iphdrlen = iph->ihl*4; /* ihl counts 32-bit words */
            /* NOTE(review): data_size is not compared with iphdrlen plus the UDP
             * header size before udph is read, so a short datagram makes this
             * parse bytes left in the buffer from an earlier packet. */
            struct udphdr *udph = (struct udphdr*)(buffer + iphdrlen);
            /* This local shadows the global payload and is never read. */
            unsigned char* payload = buffer + iphdrlen + 90;
            if(ntohs(udph->source) == 1900)
            {
                /* NOTE(review): the constant 90 is not explained in the source;
                 * a UDP header is 8 bytes. The value logged is therefore the
                 * UDP payload length minus 82, not the response size. */
                int body_length = data_size - iphdrlen - 90;

                if (body_length > 40)

                {
                    found_srvs++;

                    fprintf(fd,"%s %d\n",inet_ntoa(saddr.sin_addr),body_length);
                    fflush(fd);

                }

            }
        }

    }
    /* Not reached: the loop above has no exit path other than exit(). */
    close(sock_raw);

    /* NOTE(review): control would fall off the end here without returning a value. */
}
/*
 * Entry point. Arguments: range start, range end, output file, number of
 * sender threads, scan delay.
 *
 * Opens the output file for append, starts the listener thread, divides the
 * address range evenly between the sender threads, then prints one status row
 * per second until no sender thread is running. Returning from main() ends the
 * process, and with it the listener thread.
 *
 * Returns 0 on completion; exits with -1 when fewer than five arguments are
 * given.
 */
int main(int argc, char *argv[ ])
{

    if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "Usage: %s <ip range start (1.0.0.0)> <ip range end (255.255.255.255)> <outfile> <threads> <scan delay in ms>\n", argv[0]);
        exit(-1);
    }
    fd = fopen(argv[3], "a"); /* NOTE(review): result not checked; fd is used later without a NULL test */
    sleep_between = atoi(argv[5]); /* stored but never read by any function in this file */

    signal(SIGINT, &sighandler);

    /* NOTE(review): atoi() reports no errors; a value of 0 reaches the division below. */
    int threads = atoi(argv[4]);
    pthread_t thread;

    pthread_t listenthread;
    pthread_create( &listenthread, NULL, &recievethread, NULL);

    /* NOTE(review): both 18-byte allocations are leaked at once, because the
     * pointers are overwritten with argv[1] and argv[2]. */
    char *str_start = malloc(18);
    memset(str_start, 0, 18);
    str_start = argv[1];
    char *str_end = malloc(18);
    memset(str_end, 0, 18);
    str_end = argv[2];
    /* The result of inet_addr() is not checked for INADDR_NONE. */
    start = inet_addr(str_start);
    /* Integer division: the remainder of the range is not assigned to any thread.
     * NOTE(review): division by zero when threads is 0. */
    per_thread = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start))) / threads;
    unsigned long toscan = (ntohl(inet_addr(str_end)) - ntohl(inet_addr(str_start)));
    int i;
    for(i = 0;i<threads;i++){
        /* The same pthread_t is overwritten on every iteration and no thread is
         * ever joined. The index travels by value inside the pointer argument. */
        pthread_create( &thread, NULL, &flood, (void *) i);
    }
    /* presumably gives the sender threads time to increment running_threads
     * before the loop below tests it */
    sleep(1);
    printf("Scan in Progress \n");
    /* Column headings, each padded to 16 characters except the last. */
    char *temp = (char *)malloc(17);
    memset(temp, 0, 17);
    sprintf(temp, "SSDP Found");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "IP/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Bytes/s");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Threads");
    printf("%-16s", temp);
    memset(temp, 0, 17);
    sprintf(temp, "Percent Done");
    printf("%s", temp);
    printf("\n");

    char *new;
    new = (char *)malloc(16*6);
    while (running_threads > 0)
    {
        printf("\r");
        memset(new, '\0', 16*6);
        /* NOTE(review): each sprintf() below passes new as both destination and
         * source, which is undefined behaviour because the objects overlap.
         * The conversions also do not match the arguments: %lu is given an
         * int (found_srvs) and %d an unsigned long (scanned). */
        sprintf(new, "%s|%-15lu", new, found_srvs);
        sprintf(new, "%s|%-15d", new, scanned);
        sprintf(new, "%s|%-15d", new, bytes_sent);
        sprintf(new, "%s|%-15d", new, running_threads);
        memset(temp, 0, 17);
        /* NOTE(review): toscan is 0 when both range arguments are equal, which
         * makes this a floating-point division by zero converted to int. */
        int percent_done=((double)(hosts_done)/(double)(toscan))*100;
        sprintf(temp, "%d%%", percent_done);
        sprintf(new, "%s|%s", new, temp);
        printf("%s", new);
        fflush(stdout);
        /* Per-second counters are reset here while the sender threads may be
         * incrementing them, so increments can be lost. */
        bytes_sent=0;
        scanned = 0;
        sleep(1);
    }
    printf("\n");
    fclose(fd);
    return 0;
}