Saturday, 6 August 2011

Decode/Encode data sent to the gate (SpyEye 1.3.x)

Looking for something to do tonight, I had a look at how data is received and decoded when SpyEye calls the 'gate'.
I stripped out the useless stuff and kept this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SpyEye 1.3.x Gate Decoder/Encoder</title>
</head>
<body>
<p>Structure example:<br />
  guid=5.1.2600!XYLITOL-F12F085!8065D52C&amp;ver=10345&amp;ie=6.0.2900.5512&amp;os=5.1.2600&amp;ut=Admin&amp;ccrc=615CDC86&amp;md5=598b42846ac8a301ea44a80b397e2056&amp;plg=ccgrabber;customconnector;ftpbc;socks5&amp;plgstat=0;0;0;0&amp;wake=90&amp;stat=online<br>
</p>
<table width="607" border="1">
  <tr>
    <td><form id="Decoder" name="Eye" method="POST" action="<?php echo htmlspecialchars(basename($_SERVER['PHP_SELF'])); ?>">
  <label for="datz">Data: </label>
  <input name="data" type="text" id="datz" value="" size="50" />
  <input type="submit" name="button" id="button" value="Decode" />
</form></td>
  </tr>
  <tr>
    <td>
<?php
error_reporting(E_ALL ^ E_NOTICE ^ E_DEPRECATED);

## decode data from bot: the bot XORs every byte of its report with 219 (0xDB)
## and base64-encodes the result, so the gate reverses those two steps
    function DeCode($content)
    {
        $res = '';
        for($i = 0; $i < strlen($content); $i++)
        {
            $num = ord($content[$i]);
            # a byte equal to 219 would XOR to NUL, so it is skipped rather than emitted
            if( $num != 219) $res .= chr($num^219);
        }
        return $res;
    }

    # the base64 blob arrives form-urlencoded, so any '+' in it has become a space
    # by the time it is read from $_POST; put the '+' back before decoding
    if (isset($_POST['data']))
    {
        $DATA = str_replace(" ", "+", $_POST['data']);
        $data = base64_decode($DATA);
        echo "<font color='red'>" . htmlentities(DeCode($data)) . "</font>";
    }

?></td>
  </tr>
</table>
<br>
<table width="607" border="1">
  <tr>
    <td><form id="Encoder" name="Eye2" method="POST" action="<?php echo htmlspecialchars(basename($_SERVER['PHP_SELF'])); ?>">
  <label for="datz2">Data: </label>
  <input name="data2" type="text" id="datz2" value="" size="50" />
  <input type="submit" name="button2" id="button2" value="Encode" />
</form></td>
  </tr>
  <tr>
    <td>
<?php
## encode data as the bot would send it to the gate
  function encode($str2)
    {
        $string2 = '';
        for ($i2 = 0; $i2 < strlen($str2); $i2++)
        {
            $num2 = ord($str2[$i2]);
            # same XOR with 219 (0xDB) as in DeCode(); a byte equal to 219 is skipped
            if ($num2 != 219)
                $string2 .= chr($num2 ^ 219);
        }
        # the base64 of the XORed bytes is what goes into the POST body; any '+'
        # in it turns into a space once the gate reads it from $_POST, which is
        # why the decoder above does str_replace(" ", "+", ...) first
        return base64_encode($string2);
    }

    if (isset($_POST['data2']))
    {
        echo "<font color='red'>" . htmlentities(encode($_POST['data2'])) . "</font>";
    }
?></td>
  </tr>
</table>
</body>
</html>

Tested with samples found in the wild; it works like a charm.
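For anyone who would rather decode a captured gate POST offline than run the PHP page, here is the same transform re-implemented in Python. This is an added example and not code from the original post or from SpyEye: the function and constant names are mine, the report used as input is the structure example quoted above, and the XOR-with-219 / skip-219 / base64 logic mirrors the PHP exactly. It also shows the two things a practitioner trips over: a '+' in the base64 text that arrived as a space through form decoding, and the lossy handling of a plaintext byte equal to 0xDB.

```python
import base64

# Added example (not code from the original post or from SpyEye): a Python
# re-implementation of the SpyEye 1.3.x gate encoding shown in the PHP above.
# All names here are mine.

XOR_KEY = 0xDB  # 219 in the PHP; every byte of the report is XORed with it


def spyeye_xor(data: bytes) -> bytes:
    """Mirror of the DeCode()/encode() loops: XOR each byte with 0xDB.

    A byte equal to 0xDB is dropped instead of being emitted as NUL, exactly
    as the PHP does, so the transform is lossy for such bytes.
    """
    return bytes(b ^ XOR_KEY for b in data if b != XOR_KEY)


def encode_gate_data(report: bytes) -> str:
    """What the bot puts into the 'data' POST field: base64(xor(report))."""
    return base64.b64encode(spyeye_xor(report)).decode("ascii")


def decode_gate_data(post_value: str) -> bytes:
    """Reverse of encode_gate_data for a value as read from $_POST.

    A form-urlencoded body turns '+' into ' ' when the server parses it, so
    spaces are mapped back to '+' before base64-decoding, like the PHP does.
    """
    raw = base64.b64decode(post_value.replace(" ", "+"))
    return spyeye_xor(raw)


def parse_report(report: bytes) -> dict:
    """Split the decoded 'key=value&key=value' report into a dict.

    Done by hand rather than with urllib.parse.parse_qs because older Pythons
    also split on ';', which would break the 'plg=ccgrabber;customconnector;...'
    field of the report.
    """
    fields = {}
    for pair in report.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


# The structure example from the post, as the bot would build it.
SAMPLE_REPORT = (
    b"guid=5.1.2600!XYLITOL-F12F085!8065D52C&ver=10345&ie=6.0.2900.5512"
    b"&os=5.1.2600&ut=Admin&ccrc=615CDC86&md5=598b42846ac8a301ea44a80b397e2056"
    b"&plg=ccgrabber;customconnector;ftpbc;socks5&plgstat=0;0;0;0&wake=90&stat=online"
)


def roundtrip_sample() -> dict:
    """Encode the sample as the bot would, decode it as the gate would, parse it."""
    wire = encode_gate_data(SAMPLE_REPORT)
    # simulate the '+' -> ' ' damage the form parser does to the POST value
    as_seen_in_post = wire.replace("+", " ")
    decoded = decode_gate_data(as_seen_in_post)
    assert decoded == SAMPLE_REPORT
    return parse_report(decoded)


if __name__ == "__main__":
    for key, value in roundtrip_sample().items():
        print(f"{key:8s} {value}")
```

Feed `decode_gate_data()` the raw value of the `data` field from a captured POST; if the capture comes from a proxy that already URL-decoded the body, the spaces-to-plus step is what makes it decode cleanly.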


So that this post isn't completely useless, here is a guide to the SpyEye gate and the data transmitted to the C&C: http://blog.fortinet.com/a-guide-to-spyeye-cc-messages/

And hey, good guys use IRC too :þ

Sinus scroller & IDLE like in 1999 :þ



random pwnz panels ~





4 comments:

  1. really good stuff man, I hope you have more nights like this :p

  2. Can you post a link for the Spy Eye 1.3 webpanel files? Can't find them anywhere and I wanted to take a look at them. Thanks in advance if you can.

  3. Please contact me via jabber - darkerwik@jabber.no
