Created
August 21, 2013 14:01
-
-
Save gph03n1x/6294842 to your computer and use it in GitHub Desktop.
Anti-Weev is a tool for deobfuscating the weevely php backdoors
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
import sys | |
import base64 | |
try: | |
sys.argv[1] | |
except Exception: | |
print "[*] ./anti-weev.py filename.php" | |
sys.exit() | |
else: | |
print "[*] Anti-Weevely ~ v0.1 for Weevely v1.1" | |
try: | |
# Saving File contents | |
poisoned_lines = [] | |
poisoned_f = open(sys.argv[1], "r") | |
for line in poisoned_f: | |
poisoned_lines.append(line) | |
poisoned_f.close() | |
except IOError: | |
print "[-] This doesn't seem like a file" | |
sys.exit() | |
try: | |
# Find Variables which are part of the encoded line | |
for i in poisoned_lines: | |
if "." in i: | |
full_line = i | |
poisoned_lines.remove(i) | |
base64_line = ((i.split('"", ')[1]).split(")")[0]).split(".") | |
break | |
to_replace = (full_line.split("$")[4]).split('"')[1] | |
# Recreating injected base64 line | |
base_64_string = "" | |
for item in base64_line: | |
for p in poisoned_lines: | |
if item in p: | |
base_64_string += str(p[p.find("=")+1:]) | |
# Cleaning Up the String | |
base_64_string = base_64_string.replace('"', '') | |
base_64_string = base_64_string.replace(';', '') | |
base_64_string = base_64_string.replace('\n', '') | |
base_64_string = base_64_string.replace(' ', '') | |
base_64_string = base_64_string.replace(to_replace, '') | |
# Decoding with base64 and parsing in order to find the keys | |
final = base64.b64decode(base_64_string) | |
start_key = final.split("reset($a)=='")[1][0:2] | |
end_key = (final.split("{$k='")[1]).split("';echo")[0] | |
print "[+] Discovered Password: %s%s" % (start_key, end_key) | |
sys.exit("[*] Shutting down...") | |
except IndexError: | |
print "[*] This doesn't seem like a weevely php backdoor" | |
except Exception, error: | |
print "[-] An error occured: %s" % (error) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment