
SMB/WinPopup message

By Hauke Lampe
on June 27, 2002

Version: 1.1

Type: Full Script

Category: Networking

License: GNU Library Public License

Description: Uses smbclient to send a message to selectable, predefined hosts running Samba or Windows.
Designed to be accessed by HTTP from an HTML form but can be modified easily for other purposes.
See http://frell.ambush.de/

<?php
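// SMB popup script
// uses smbclient to send a message to predefined SMB hosts
// $Id: popup.php,v 1.1 2002/06/19 03:03:22 packbart Exp $
//
// Parameters (read from the POST body first, then the query string):
//     redirok:  (optional) URL to redirect to if popup was sent successfully
//               defaults to HTTP Referer: value
//               no redirection if empty
//     redirerr: (optional) URL to redirect to if an error was encountered
//               no redirection if omitted or empty
//     to:       selects which predefined host the msg will be sent to
//     message:  the message text itself
//
// Configuration:
//     - define destinations:
//         - NETBIOS:  the netbios (SMB) server name
//                     or a user name on windows clients
//         - HOSTNAME: (optional) IP address or hostname, can speed up delivery
//                     (no NMB lookups)
//     - change defaults
//
// Caveats:
//     - message body is unfiltered (only CRs are stripped), can probably pass
//       exploit code to vulnerable servers or popup clients
//     - $redir* are only checked for shape (http(s)://host/... or /path, no
//       whitespace or control characters); the target host is still chosen
//       by the caller, so compare it against a list of known hosts before
//       exposing this script to untrusted users
//     - the message is echoed back as text/plain with nosniff; a browser
//       that ignores both may still be vulnerable to Cross Site Scripting
//     - anyone who can reach this script can send popups to the predefined
//       hosts; put it behind authentication if that is not intended
//
// Notes:
//     - What is the maximum length for a SMB popup message?
//     - and how do I strip CRs more efficiently than using str_replace?
//     - uses the PHP 4.1 superglobals ($_SERVER, $_POST, $_GET) and does not
//       depend on register_globals
//     - stripslashes() is kept from the original, which presumably ran with
//       magic_quotes_gpc enabled; drop it where magic quotes are off,
//       otherwise backslashes typed by the sender are removed
//
// Hauke Lampe - <[email protected]> - http://frell.ambush.de/
//

// Returns the request value for $name (POST first, then GET) or null if it
// was not sent as a plain string. Array-valued parameters are ignored.
function popup_param($name)
{
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        return $_POST[$name];
    }
    if (isset($_GET[$name]) && is_string($_GET[$name])) {
        return $_GET[$name];
    }
    return null;
}

// Returns $url if it may be placed in a Location: header, otherwise "".
// Accepts absolute http(s) URLs and root-relative paths; rejects anything
// containing whitespace or control characters (CR/LF would split the header)
// and scheme-relative forms such as "//host".
function popup_redirect_target($url)
{
    if (!is_string($url) || $url == "") {
        return "";
    }
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return "";
    }
    if (!preg_match('~^(?:https?://[^/\\\\?#]+|/(?![/\\\\]))~i', $url)) {
        return "";
    }
    return $url;
}

$redirect = "";
header("Cache-Control: no-cache");
header("Content-Type: text/plain");
// The message is echoed back below; keep browsers from guessing another type.
header("X-Content-Type-Options: nosniff");

// CONFIG START
// path to smbclient binary
define("SMBCLIENT", "/usr/bin/smbclient");

// defaults
$to = popup_param("to");
if ($to === null or $to == "")
    $to = "packbart";

$redirok = popup_param("redirok");
if ($redirok === null) {
    $referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
    // REQUEST_URI already starts with "/", so no separator is added here.
    $self = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : "").
            (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : "");
    // Do not bounce back to this script itself.
    if ($referer == "" or $referer == "http://".$self or $referer == "https://".$self)
        $redirok = "";
    else
        $redirok = $referer;
}

$redirerr = popup_param("redirerr");
if ($redirerr === null)
    $redirerr = "";

$message = popup_param("message");
if ($message === null or $message == "")
    $message = "(no text)";

// destinations
// $to is only ever used as a key into this fixed list; the request never
// supplies a host name directly.
switch ($to) {
    case "packbart":    define("NETBIOS", "drow");
                        define("HOSTNAME", "drow.dmz.frell.ambush.de");
                        break;
    case "patman":      define("NETBIOS", "patman");
                        define("HOSTNAME", "patman.guest-dhcp.frell.ambush.de");
                        break;
    case "mobile":      define("NETBIOS", "talyn");
                        # define("HOSTNAME", "talyn.wvlan.frell.ambush.de");
                        break;
    default:            echo "Sorry, unknown destination.";
                        exit;
}
// CONFIG END


$output = "Message: ".$message."\n\n".
          "Status : ";

$remoteaddr = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : "";
$remotehost = isset($_SERVER["REMOTE_HOST"]) ? $_SERVER["REMOTE_HOST"] : "";

// Every value placed on the command line is quoted as a single argument with
// escapeshellarg(); escapeshellcmd() does not protect individual arguments.
// The message itself never reaches the command line, it is written to
// smbclient's stdin below.
$smbpar = "-M ".escapeshellarg(NETBIOS);
if (defined("HOSTNAME") and HOSTNAME != "")
    $smbpar .= " -I ".escapeshellarg(HOSTNAME);
$smbpar .= " -U ".escapeshellarg($remoteaddr)." -n Internet";

$popup = popen(SMBCLIENT." ".$smbpar, "w");
if (!$popup) {
    $redirect = $redirerr;
    $output .= "open failed (invalid path?)";
} else {
    $body = "(from: ".(($remotehost == "") ? $remoteaddr : $remotehost).")\n\n".
            str_replace("\r", "", stripslashes($message));
    // At most 2048 bytes are sent, sender prefix included.
    $written = fwrite($popup, $body, 2048);
    // Always close the pipe, even after a failed write; pclose() returns the
    // exit status of smbclient (non-zero or -1 means failure).
    $status = pclose($popup);
    if ($written === false or $status != 0) {
        $redirect = $redirerr;
        $output .= "send failed (host down?)";
    } else {
        $redirect = $redirok;
        $output .= "OK";
    }
}

// Both redirect targets come from the request (or the Referer header), so
// they are checked before being copied into a response header.
$redirect = popup_redirect_target($redirect);
if ($redirect != "") {
    header("HTTP/1.0 302 Moved");
    header("Location: ".$redirect);
}
echo $output;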
?>