Last active
February 3, 2016 12:57
-
-
Save crmaxx/9fdf5193d457d0b265cd to your computer and use it in GitHub Desktop.
PoC for VNC bot client
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # gem install awesome_print | |
| require 'awesome_print' | |
| require 'socket' | |
| class VncClient | |
| def initialize(address, port) | |
| ap "initialize client" | |
| @address = address | |
| @port = port | |
| end | |
| def bot_list | |
| ap "get bots list" | |
| resp = execute_cmd("01") | |
| status, bot_count, data = parse_list_response(resp) | |
| return unless status.zero? | |
| return if bot_count < 1 | |
| list_parse(data, bot_count) | |
| end | |
| def vnc_port(id) | |
| ap "get bot vnc port by id" | |
| resp = execute_cmd("02", id) | |
| status, data = parse_port_response(resp) | |
| return unless status.zero? | |
| port_parse(data) | |
| end | |
| def vnc_start(id) | |
| resp = execute_cmd("03", id) | |
| status = response_parse(resp) | |
| return unless status.zero? | |
| true | |
| end | |
| def vnc_stop(id) | |
| resp = execute_cmd("04", id) | |
| status = response_parse(resp) | |
| return unless status.zero? | |
| true | |
| end | |
| private | |
| def execute_cmd(cmd, id = nil) | |
| ap "execute #{cmd}" | |
| resp = [] | |
| client = TCPSocket.open(@address, @port) | |
| client.write(prepare_cmd(cmd, id)) | |
| loop do | |
| r = client.recv(1024) | |
| break if r == "" | |
| resp << r | |
| end | |
| client.close | |
| resp | |
| rescue SystemCallError => e | |
| ap e.inspect | |
| end | |
| def response_parse(response) | |
| response.join("").unpack("C*").first | |
| end | |
| def port_parse(data) | |
| data.unpack("S*").first | |
| end | |
| def list_parse(data, bot_count) | |
| list = [] | |
| element_begin = 0 | |
| element_count = data[0] | |
| offset = 2 | |
| loop do | |
| break if bot_count == 0 | |
| id = data[element_begin + offset, element_count].pack("C*") | |
| element_begin = element_begin + offset + element_count | |
| element_count = data[element_begin] | |
| bot_count -= 1 | |
| next if id == "0" | |
| list << id | |
| end | |
| list | |
| end | |
| def parse_list_response(response) | |
| resp = response.join("").unpack("C*") | |
| [resp[0], resp[1], resp[5, resp.size]] | |
| end | |
| def parse_port_response(response) | |
| resp = response.join("").unpack("C*") | |
| [resp[0], resp[1, resp.size].pack("C*")] | |
| end | |
| def prepare_cmd(cmd, id = nil) | |
| ap "prepare #{cmd}" | |
| if id | |
| "#{cmd2bin(cmd)}#{id2bin(id)}" | |
| else | |
| "#{cmd2bin(cmd)}" | |
| end | |
| end | |
| def cmd2bin(str) | |
| [str].pack("H*") | |
| end | |
| def id2bin(id) | |
| "#{len2bin(id.length)}#{id}" | |
| end | |
| def len2bin(len) | |
| [len].pack('S*') | |
| end | |
| end | |
| client = VncClient.new("10.211.55.19", 760) | |
| ap client.bot_list | |
| ap client.vnc_start("win7bot") | |
| ap client.vnc_port("winXPbot") | |
| ap client.vnc_stop("winXPbot") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment