Python module/package importing through HTTP/S

operatorequals · August 25, 2017, 11:05am

Hello all again!

It’s been a while since the Python Package for creating backdoors thingie and all that time I have been researching a way to properly create a stager for a Python backdoor script that has dependencies.

*You know stagers! The lil’ things that set the stage for the real thing to run.

So, after 2 weeks of research and vacation I came up with the httpimport project!

What does it do?

The httpimport module lets anyone import Python packages/modules from HTTP/S Servers that serve directories.
For example, if you open a SimpleHTTPServer in a directory where a Python module/package resides, then this module/package is directly importable through the LAN to any computer that runs Python.

The (good) catch!

This technique is highly different from wgetting a folder - adding to the PYTHONPATH - and importing as NO DATA IS WRITTEN TO DISK!. It imports Python code directly from memory to the calling Python process! Suitable for a stager!

Resources

The repository’s README.md has many examples, and the Unit Test code in test.py is self explanatory, they can be found here:

github.com

operatorequals/httpimport/blob/master/README.md

# `httpimport`
## *Python's missing feature!*
##### [The feature has been suggested in Python Mailing List](https://lwn.net/Articles/732194/)

_Remote_, _in-memory_ Python _package/module_ `import`ing **through HTTP/S**

![PyPI - Python Version](https://img.shields.io/pypi/pyversions/httpimport)
[![PyPI version](https://badge.fury.io/py/httpimport.svg)](https://pypi.python.org/pypi/httpimport)
[![Build Status](https://travis-ci.org/operatorequals/httpimport.svg?branch=tests)](https://travis-ci.org/operatorequals/httpimport)
![Coverage Badge](https://raw.githubusercontent.com/operatorequals/httpimport/tests/coverage.svg?sanitize=true)

![CPython 2.7](https://img.shields.io/badge/Works%20on-CPython%202.7-green)
![CPython 3.4](https://img.shields.io/badge/Works%20on-CPython%203.4-brightgreen)
![CPython 3.7](https://img.shields.io/badge/Works%20on-CPython%203.7-brightgreen)
![Pypy 2.7](https://img.shields.io/badge/Works%20on-Pypy%202.7-yellowgreen)
![Pypy 3.6](https://img.shields.io/badge/Works%20on-Pypy%203.6-yellowgreen)
![Jython 2.7.1](https://img.shields.io/badge/Works%20on-Jython%202.7.1-orange)

A feature that _Python2/3_ **misses** and has become popular in other languages is the **remote loading of packages/modules**.

This file has been truncated. show original

and here:
https://github.com/operatorequals/httpimport/blob/master/test.py

Github Repository Importing support

Import my covertutils package to make your backdoor today just by:

>>> from httpimport import *
>>> with github_repo('operatorequals', 'covertutils') : 
...     import covertutils
...
>>>

No need to git clone, or venv a thing. When you close the REPL, the covertutils package will be nowhere to be found!

Want a specific commit? Does the API break your application after that commit? No Problem!

>>> from httpimport import *
>>> with github_repo('operatorequals', 'covertutils', commit='cf3f78c77c437edf2c291bd5b4ed27e0a93e6a77') : 
...     import covertutils
...
>>>

Make it yours at PyPI

As this module is more a Python (long craved) feature, than a little stager script it has also been uploaded to PyPI for everyone to pip install httpimport it:

Python3 supported!

Last but not least, this is a Python2/3 cross compatible module, with cross compatible test suite to suit all needs!

Tried for a PEP and rejected

I have also requested in Python-Ideas mailing list to polish this module and make it a core stdlib feature, but it has been rejected as the Security Implications are huge (the scenario of HTTP MiTM RCE scared them a lot and for good reasons!).

A Huge thanks to @Joe_Schmoe who passed me some of his custom Finders/Loaders in the IRC some weeks ago!

Joe_Schmoe · August 25, 2017, 11:37am

he actually did it the madman

rokups · August 26, 2017, 7:53am

This is a great package. Would there be any way to wrap it in another transport though?

operatorequals · August 26, 2017, 3:14pm

Like SCP/SSH/SFTP?
It is highly possible, yeah, just tweak the part where urlopen() is called, but keep in mind that it would be better if you only used ‘0’ external dependencies.
The code is properly documented as of 0.5.1.
Be my guest and make a remoteimport package…

rokups · August 28, 2017, 10:12am

Maybe it could be an option to add a way for user to set a function that is supposed to retrieve data? That way package could be used with any transport and protocol.

operatorequals · August 29, 2017, 1:34pm

Yeah, but this is like wrapping the imp API.
There are different ways to Find and Load modules, and this is why find_module and load_module functions can be implemented from scratch in the first place.
If you are using SSH, the find_module can use a listdir kind of command to find the available packages, and don’t bother with a pre-configured name list…

Anyway, don’t listen to me! I have a way of thinking and you have another! Write what your heart tells you and submit a PR! Or if you change things a lot, create a new project based on this one! If you feel like launching a “Python package for remote importing” let me know!