Quote from: kmfkewm on September 09, 2012, 09:53 am

    Quote
    Does the trigger string need to be part of the code or does it just tell the existing code to activate?

    It needs to be part of the code, I included it as a comment so that it has no effect on the script but still signals to the original script that it should pipe the plaintext to irb.

Right, well I don't think there would be any way to do it in Python without an if statement, otherwise you'll end up with a lot of error messages being piped to stdout for every address file that did not contain exploit code. It would need to be inserted after the decryption command (not with it, because --decrypt-files reports the results of the decryption process to stdout, but not the decrypted data), but before the checking of the plaintext content. Since there's nothing after decryption in the relevant files, that's easy to spot.

Which means your exploit in Python would be a bit like this:

Code: [Select]
import os

path = "."
text_files = [f for f in os.listdir(path) if f.endswith(".txt")]
evilstr = b"trigger string"   # bytes, because the files are opened in binary mode
for string in text_files:
    with open(os.path.join(path, string), "rb") as searchfile:
        for line in searchfile:
            if evilstr in line:
                os.system("python " + os.path.join(path, string))
                # report nothing, including any errors
                # requires more code to hide errors
                # plus add even more code to rewrite payload with
                # plain address
                break   # one hit is enough; don't run the file once per matching line
            else:
                pass    # do nothing, report nothing

To do it properly so it never reported any errors to stdout would require enough code to rival the size of the largest file in the software package. Actually, the above already does, so with the code to hide output of any errors it would be the largest bit of code.

I don't think it would be possible to conceal it, not with the way Python is constructed, since all of the above would be required to run whatever nastiness is hidden in an encrypted address file. Spotting that would not be rocket science.

And here's why that is so. Simply piping all of the decrypted data through the Python command would result in a large number of error messages like this (sample text file included):

Code: [Select]
bash-3.2$ cat address.txt
Mr. L. Cyphre
666 Hells Highway
Hades
bash-3.2$ python address.txt
  File "address.txt", line 2
    666 Hells Highway
        ^
SyntaxError: invalid syntax
bash-3.2$

So your exploit in Python would either be obvious due to a large amount of very unexplainable code, or a large amount of error messages being displayed every time the code is run.

Quote from: kmfkewm on September 09, 2012, 09:53 am

    Quote
    Well, if pack in Ruby is what I think it is, then to do the same in Python I'd have to import struct (and probably array too). I've already said several times what modules are imported, so there goes that.

    pack changes how data is displayed. For example, I could unpack the string "see" into binary representation:
    "see".unpack("B*") == "011100110110010101100101"
    and I could put that in an array and pack it back into a string:
    ["011100110110010101100101"].pack("B*") == "see"

Yep, that's the same as struct.

Quote from: kmfkewm on September 09, 2012, 09:53 am

    Quote
    Hell, there are only two files with integers in them (to read data in each row of the CSVs). Well, alright, 5 files if you count the one with a number in the name and the two files that invoke it. Obviously in the case of those three files the number is part of a string and not an integer.

    These numbers are strings also, anything in " " is a string.

Ah, okay. The "" at least is the same as Python.
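The two halves of the argument above, worked through in Python 3 as an added example that is not code from the thread or from the package being discussed: the only files that can be run as Python are the ones carrying the trigger comment, a plain address fails to compile at line 2 exactly as in the sample session, and suppressing that failure needs extra code (here a subprocess with stdout and stderr sent to /dev/null). The trigger string, the two sample "decrypted address files" and the file names are constructed for the demo; the thread never states the real trigger.

```python
# Added example, not code from the thread. Shows (1) the trigger-string check
# a Python backdoor would need, (2) why a plain address file cannot simply be
# fed to the interpreter, and (3) what it takes to run one silently.
import os
import subprocess
import sys
import tempfile

# Assumed trigger (the thread does not give the real one) and constructed
# sample plaintexts. The second one carries the trigger as a comment, so it
# is both "marked" and valid Python, as described in the thread.
TRIGGER = "trigger string"

PLAIN_ADDRESS = "Mr. L. Cyphre\n666 Hells Highway\nHades\n"
TRIGGERED_PAYLOAD = "# trigger string\nprint('payload ran')\n"

SAMPLE_FILES = {
    "address1.txt": PLAIN_ADDRESS,      # constructed: an ordinary address
    "address2.txt": TRIGGERED_PAYLOAD,  # constructed: address file with a payload
}


def has_trigger(text, trigger=TRIGGER):
    """The if-statement the thread says a Python backdoor cannot do without."""
    return trigger in text


def select_payloads(files, trigger=TRIGGER):
    """Return the names of the files that carry the trigger, in input order."""
    return [name for name, text in files.items() if has_trigger(text, trigger)]


def is_valid_python(text):
    """Compile without running. Returns (ok, lineno of the first SyntaxError).

    For PLAIN_ADDRESS line 1 ("Mr. L. Cyphre") parses as an attribute access,
    so the first error is on line 2, matching the sample session above.
    """
    try:
        compile(text, "<address>", "exec")
    except SyntaxError as e:
        return False, e.lineno
    return True, None


def run_silently(text):
    """Mimic os.system("python " + file) with all output and errors hidden.

    Writes the text to a temporary .txt file, runs it with the current
    interpreter, and returns the exit status: 0 if it ran as Python, 1 if
    the interpreter died on a SyntaxError. Nothing reaches stdout or stderr,
    which is the extra machinery the thread says a hidden backdoor needs.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(text)
        path = f.name
    try:
        result = subprocess.run(
            [sys.executable, path],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    finally:
        os.unlink(path)
    return result.returncode


if __name__ == "__main__":
    # Without the trigger check: every plain address is a SyntaxError.
    for name, text in SAMPLE_FILES.items():
        ok, lineno = is_valid_python(text)
        print(f"{name}: {'valid Python' if ok else f'SyntaxError at line {lineno}'}")
    # With the trigger check: only the marked file is executed, and only the
    # exit status comes back, because stdout and stderr are discarded.
    for name in select_payloads(SAMPLE_FILES):
        print(f"{name}: ran silently, exit status {run_silently(SAMPLE_FILES[name])}")
```

In a package that decrypts address files there is no legitimate reason for the decryption path to call `os.system`, `subprocess`, `exec` or `compile` on the plaintext, so those names are what a reviewer greps for; the thread's point is that the scan, the execution and the output suppression cannot be collapsed into something inconspicuous.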