alxchk / pupy
This project forked from n1nj4sec/pupy
OpenSource cross-platform python security toolkit (remote shell)
License: Other
Most commands fail with <type 'int'> is not allowed for map key.
Seems to be related only to the Pupy host.
Examples:
>> run ls
[-] <type 'int'> is not allowed for map key
>> netstat
2020-02-24 13:39:53,090| <type 'int'> is not allowed for map key
Traceback (most recent call last):
File "/home/user/pupy/pupy/modules/netstat.py", line 42, in run
'pupyps', 'families'
File "/home/user/pupy/pupy/pupylib/PupyClient.py", line 274, in remote_const
remote_variable = obtain(getattr(self.conn.modules[module], variable))
File "/home/user/pupy/pupy/pupylib/utils/rpyc_utils.py", line 63, in obtain
return safe_obtain(proxy)
File "/home/user/pupy/pupy/pupylib/utils/rpyc_utils.py", line 51, in safe_obtain
data = msgpack.loads(data)
File "/home/user/.local/lib/python2.7/site-packages/msgpack/fallback.py", line 129, in unpackb
ret = unpacker._unpack()
File "/home/user/.local/lib/python2.7/site-packages/msgpack/fallback.py", line 666, in _unpack
"%s is not allowed for map key" % str(type(key))
ValueError: <type 'int'> is not allowed for map key
Any ideas?
Maybe related to wrong Python package/module versions? Is there somewhere a pip-freeze file for reference?
Steps to reproduce:
git checkout -f b1e2b72
client/build-docker.sh windows sources
pupy/pupysh.sh
Build environment: Debian 9.7 using build-docker.sh for revision b1e2b72. But also tested on older versions - no success, same error.
Pupy host: Debian 9.7
Pupy client: Windows 10 1803 x64.
>> info
hostname win10vm
user WIN10VM\user
release 10
version 10.0.17763
cmdline pupyx64d.x4QMEe.exe
os_arch AMD64
proc_arch 64bit
pid 2444
exec_path C:\temp\pupyx64d.x4QMEe.exe
cid 000000008ba4f97c
address 192.168.56.101
macaddr xxx
revision b1e2b729
node 0800278caf68
debug_logfile c:\users\user\appdata\local\temp\pupy-ckrr5p\pupy-client-1582456462-2444-debug.log
native True
proxy wpad
external_ip ?
uac_lvl 2/3
intgty_lvl Medium
local_adm Yes
launcher connect
launcher_args -t ssl -c 192.168.56.106:8443 --host 172.18.0.2:8443
platform windows/amd64
pupy/pupy/commands/sessions.py
Line 55 in db13904
Hi,
I finally got the dnscnc option working here but have a question regarding the exec/pyexec module. Is it only possible to specify an executable from a URL to be executed? Can't I just execute single commands? The parameter URL seems to be required here.
Is it planned to update the dnscnc capabilities in the future?
Greetings
Hi,
Lately when I git-pulled, I get the error when I launch pupysh
[-] Invalid module: changeme at (/usr/share/pupy/pupy/modules/changeme.py): No module named load_creds. Traceback:
File "/usr/share/pupy/pupy/pupylib/PupyServer.py", line 812, in _refresh_modules
module_object = imp.load_source(modname, modpath)
File "/usr/share/pupy/pupy/modules/changeme.py", line 7, in <module>
from pupylib.utils.changeme.load_creds import Credentials as changeme_creds
Hi @alxchk,
Could you please write documentation for the pupy project?
It would help so many others developing it in the future.
The usage, I think, is clear. What would be interesting is the architecture:
how modules are transferred and executed, how the connection is established, and so on.
Thanks in advance.
I pulled the latest docker image from alxchk/pupy:unstable and ran it. Upon attempting to run pupysh.py, I receive the following errors:
https://gist.github.com/Strazzom/5960d31c14c7169341adf63dc82ab6a7
This is the latest image as of 3 hours ago (when I pulled it). I am running a fully updated install of Debian 9.
If it makes any difference, Debian 9 is installed in a Qubes standalone VM.
(pupy) root@kali:/opt/pupy/pupy# python3 pupysh.py
Traceback (most recent call last):
File "pupysh.py", line 104, in <module>
import pupylib.PupySignalHandler
File "/opt/pupy/pupy/pupylib/__init__.py", line 27, in <module>
from .PupyCredentials import Credentials
File "/opt/pupy/pupy/pupylib/PupyCredentials.py", line 24, in <module>
from network.lib.transports.cryptoutils import ECPV
File "/opt/pupy/pupy/network/lib/__init__.py", line 45, in <module>
from .servers import PupyTCPServer, PupyUDPServer
File "/opt/pupy/pupy/network/lib/servers.py", line 26, in <module>
from network.lib.connection import PupyConnection, PupyConnectionThread
File "/opt/pupy/pupy/network/lib/connection.py", line 441
def _send_request(self, handler, args, async=None):
Hello,
I would like to point out that if the workstation does not have access to the Internet when you run ./start-compose.sh, the pupy shell takes a long time (a few minutes) before it is given to the user.
If allow_requests_to_external_services is set to false in pupy.conf, this problem no longer occurs.
Perhaps allow_requests_to_external_services should be set to false by default?
Thank you for this project,
I get this error when I launch pupygen.py or pupysh.py
No handlers could be found for logger "pupy.network"
Traceback (most recent call last):
File "pupygen.py", line 14, in <module>
from pupylib.utils.network import get_listener_ip, get_listener_port
File "/usr/share/pupy/pupy/pupylib/__init__.py", line 18, in <module>
from PupyService import *
File "/usr/share/pupy/pupy/pupylib/PupyService.py", line 28, in <module>
from pupylib.PupyCredentials import Credentials
File "/usr/share/pupy/pupy/pupylib/PupyCredentials.py", line 17, in <module>
from network.lib.picocmd.ecpv import ECPV
File "/usr/share/pupy/pupy/network/lib/picocmd/__init__.py", line 2, in <module>
from .client import *
File "/usr/share/pupy/pupy/network/lib/picocmd/client.py", line 31, in <module>
from ecpv import ECPV
File "/usr/share/pupy/pupy/network/lib/picocmd/ecpv.py", line 11, in <module>
from Crypto.Hash import SHA1, SHA3_256, SHA3_512
File "/usr/share/pupy/local/lib/python2.7/site-packages/Crypto/Hash/SHA1.py", line 23, in <module>
from Crypto.Util._raw_api import (load_pycryptodome_raw_lib,
File "/usr/share/pupy/local/lib/python2.7/site-packages/Crypto/Util/_raw_api.py", line 32, in <module>
from Crypto.Util.py3compat import byte_string
ImportError: cannot import name byte_string
Installation went smoothly, but when I try to run any commands I get the following error without any further details:
No handlers could be found for logger "pupy.network.pss"
Hello,
I think in docker-compose.yml, the port 9000 should be accessible by default, for example via:
[...]
    volumes:
      - ${PUPY}:/opt/pupy
      - ${WORKDIR}:/project
    ports:
      - 8443:8443
      - 9000:9000
[...]
In the current configuration, only port 8443 is accessible.
Thank you,
Another question I have is regarding running commands on_connect.
How can I run, for example, keylogger start on any new client that connects?
I managed to do it, but the problem is that
[on_connect]
any_1 = keylogger start
will start the keylogger on all clients even when it's already started. I am trying to find out if there is a way to activate it only on new clients that are connecting. That being said, I'm not sure if it's related or not, but I noticed that after a while I get duplicated lines in the keylogger. For example, if I write hello, I see it in the log file as hhheeellllllooo.
I suspect it's because the keylogger was restarting over and over, as in my previous question.
Is there a way to fix this once it has happened? Like how to "reset" the keylogger to start printing normally again?
Best regards,
Marco.
Hello,
It seems there is a bug in the rdesktop module.
When you try to connect to the given URL (e.g. http://127.0.0.1:9000/Y2Di4MxAuq), there is the following error:
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/tornado/http1connection.py", line 238, in _read_message
delegate.finish()
File "/usr/local/lib/python2.7/dist-packages/tornado/routing.py", line 256, in finish
self.delegate.finish()
File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 2195, in finish
self.execute()
File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 2215, in execute
**self.handler_kwargs)
File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 194, in __init__
self.initialize(**kwargs)
File "/opt/pupy/modules/rdesktop.py", line 126, in initialize
super(IndexHandler, self).initialize(**kwargs)
TypeError: super(type, obj): obj must be an instance or subtype of type
2020-01-10 15:33:05,881| Uncaught exception
Moreover, I have noticed the local_ips parameter is missing from the pupy.conf file.
It would be great if it were fixed to "local_ips = 127.0.0.1" by default, for example.
Indeed, the user has to modify this parameter to his host IP address if he uses ./start-compose.sh - docker.
Thank you,
ISSUE TYPE
Bug
SUMMARY
poster library is python 2 only and should be changed to "poster3" library from pypi
STEPS TO REPRODUCE
asciienma
EXPECTED OUTCOME
All Requirements are installed
PYTHON VERSION
Python 3.8.2
SUPPORTED OS
Kali GNU/Linux Rolling
Persistence is broken on Windows 7 x86 (I have not tested other versions of Windows).
Here is the output from attempting to run the persistence module from an admin process:
>> persistence -e '/opt/pupy/pupy.exe' -m wmi
ERROR:root:global name 'expandvars' is not defined
Traceback (most recent call last):
File "/opt/pupy/pupylib/PupyJob.py", line 165, in module_worker
module.run(self.args)
File "/opt/pupy/modules/persistence.py", line 62, in run
self.windows(args)
File "/opt/pupy/modules/persistence.py", line 167, in windows
remotefile = expandvars(
NameError: global name 'expandvars' is not defined
[-] global name 'expandvars' is not defined
Hi,
I have some questions regarding a few modules. If you added them, it may be for a good reason that I cannot see right now. I don't want to modify/delete them, just to understand their goal and when you use them (for my curiosity).
usniper: do you do reverse engineering by tracing some function calls on a remote host? Or in which case would you use it? Moreover, I see that you retrieve the result from the trace_pipe file, whereas in the doc I see that it's located at /sys/kernel/debug/tracing/trace.
exposed commands will return all functions callable from the client. Is it for debugging purposes, or are they useful for something?
display: I don't know exactly how it works. If I have understood well, using the magic cookie it is possible to connect to an X11 server (I didn't know of the existence of that cookie), but I didn't find an easy example to understand how it works; if you could help me with that, it would be nice. On my desk, the display module works for the root user, but fails for an unprivileged user. It retrieves the path of the file but cannot open it ([Errno 13] Permission denied: '/var/run/lightdm/root/:0'). However, it can be found in the home of the current user without any specific privilege needed, and the content is the same (diff /var/run/lightdm/root/:0 /home/test/.Xauthority).
alive: I wanted to implement a module like Cobalt Strike's sleep command, which sleeps the client for a wanted period of time. It will reduce the network traffic during that time. When the sleep is over, the client connects back to us. At first, I thought the alive module implemented this feature when I saw 'ping' and 'timeout', but no, I was wrong. I don't understand very well how it works.
Thanks a lot for helping me better understand some unclear points.
Having done some initial testing with the latest docker pull, I have noticed some really poor documentation for how to use the bind payload.
I have generated a payload targeting x86 Windows, which I then deployed in a VM. Following that, I attempted to decipher how to use the connect command from pupysh.py.
Just typing "connect" at the prompt yields the following:
>> connect
[-] connect: too few arguments
usage: connect [-h] args
Typing connect -h shows this:
connect -h
usage: connect [-h] args
Connect to the bind payload
positional arguments:
args Arguments to connect
optional arguments:
-h, --help show this help message and exit
Seeing as this is equally unhelpful, I tried typing "connect" followed by the <ip:port>. (In this case, 127.0.0.1:80 is an example. This is not actually what I am connecting to.)
>> connect 127.0.0.1:80
usage: connect [-h] --host <host:port>
[-t {obfs3,http,ssl,ecm,tcp_cleartext,rsa,udp_secure,kc4,ec4,scramblesuit,websocket,udp_cleartext,ssl_rsa}]
...
I then tried the following:
>> connect --host 127.0.0.1:80 -t ssl
[-] connect: unrecognized arguments: --host -t ssl
usage: connect [-h] args
It seems that specifying any flags besides -h throws the above error.
Is the bind payload actually implemented? Doing ps and netstat -a on the target VM seems to indicate that it is listening on the port specified.
It seems like this is a matter of poor documentation rather than an error. What is the correct syntax for using the connect command? Is there another way to connect to a bind payload?
Hi,
Great work. I have a question: when I am building (py/pyinst/py_oneliner), I noticed I can't use a lot of modules, especially those running in memory, for example (mimikatz, duplicate, migrate).
Is it possible to implement it, or is there a reason why it's not possible?
Thank you.
Marco
Hey,
I'm currently trying to find ways for reflective loading of Python compiled binaries to memory on a Windows host, but until now I was not able to get this working successfully. Pupy does exactly this, for example with lazagne.py. I browsed the code to find the technique for it but could not find it so far. So could you tell me how pupy loads and executes the Python code in memory? Is the Python interpreter embedded in the pupy agent/client?
Use Invoke-ReflectivePEInjection (PowerShell) / PEloader of Subtee (C#) to load the bytes of a pyinstaller compiled python exe in memory - I'm pretty sure this is not working because only C/C++ compiled binaries can be loaded by these scripts because of the binary structure.
Convert the Python code to a CPython executable using Nuitka. The Python code is then embedded in C code which is compiled to a binary. The compiled binary works pretty well and is a C binary, but this one is still not reflectively loadable by Invoke-ReflectivePEInjection / C# PEloader. The needed DLL files are located and loaded successfully, but the binary itself is not executed in memory. There are no error messages, which makes debugging harder. For Invoke-ReflectivePEInjection the whole PowerShell process is killed after loading the executable - most likely a crash.
Convert the Nuitka-created CPython executable to shellcode via donut or PE2Shellcode and try to load the shellcode in memory via different techniques. No successful execution either.
I had the idea to build a .DLL file from the Python code to embed this in, for example, a C# file.
Greetings
Hi,
Does anyone know/understand how to compile the new pupy@nextgen payload_templates?
I tried to run client build-docker.sh without luck:
Unable to find image 'n1nj4sec/tc-windows-py3:latest' locally
docker: Error response from daemon: pull access denied for n1nj4sec/tc-windows-py3, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
Hi,
When I try to open a shell, I see that the pupy history is being wiped.
How can I cancel this behavior?
Thanks.
```
#!/bin/bash
echo "Removing pupy virtual env"
rm -rf /opt/environments/pupy/
echo "Building pupy virtual env"
virtualenv /opt/environments/pupy
echo "Activating environment"
source /opt/environments/pupy/bin/activate
echo "Removing pupy source"
rm -rf /opt/pupy
echo "cloning source code"
git clone --recurse-submodule https://github.com/alxchk/pupy.git
cd /opt/pupy/pupy
git checkout futurize
pip install -r requirements
```
Snippet
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
ERROR: Command errored out with exit status 1: /opt/environments/pupy/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/opt/pupy/pupy/external/pykcp/setup.py'"'"'; __file__='"'"'/opt/pupy/pupy/external/pykcp/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' develop --no-deps Check the logs for full command output.
@jayrod
I have followed the installation steps from here. Everything works fine up until I try to run pip install -r requirements.txt. After pip downloads all dependencies, it fails with the error in the title.
The full log can be found here:
https://gist.github.com/Strazzom/c9b1859afd6e478b505e8310f88d8ae7
This is using the same environment as in issue #1, minus the fact that it is not running in a docker container.
I have tried the following to correct the issue. Neither worked:
Installed libssl-dev from apt. This did not fix the issue, so I uninstalled it with --purge.
pip uninstall m2crypto. It was not installed. I then installed from the Debian repositories with apt install python-m2crypto. My reasoning was based on the following:
There is (was?) known issue with Debian/M2Crypto, so in case something related to M2Crypto will cause exceptions just uninstall one from pip and install one which is shipped with distro.
This is quoted from issue #619 in the main branch.
I will keep testing and update this issue with progress.
Hello,
I am using pupy over docker:
git clone --recursive https://github.com/alxchk/pupy
./install.sh
./start-compose.sh
I'm trying to generate a working .exe, but it is impossible for the moment.
For example, when I try to generate an .exe with one of the following commands, the binary crashes:
gen -f client --debug
en -f client --debug
gen -f client connect --host 192.0.1.103:8443
I don't know if I'm making a mistake, but it seems the binary payloads are invalid.
Where can I find the last generated payloads (exe for example)?
Or how can I generate payloads from the docker?
Thank you in advance
The generated file is wrong
git clone https://github.com/n1nj4sec/pupy
The previous payload template is used,
root# /root/.config/pupy/output/pupyx64d-37.rgQkgd.lin
TEMPLATE REV:
root# ls -al payload_templates
total 307660
drwxr-xr-x 2 root root 4096 Dec 8 2019 .
drwxr-xr-x 15 root root 4096 Nov 6 11:24 ..
-rw-r--r-- 1 root root 0 Dec 8 2019 .keep
-rw-r--r-- 1 root root 25425111 Mar 30 2019 linux-amd64.zip
-rw-r--r-- 1 root root 25373615 Mar 30 2019 linux-x86.zip
-rw-r--r-- 1 root root 17661630 Mar 30 2019 pupy.apk
-rw-rw-r-- 1 2000 2000 31514 Mar 30 2019 PupyLoaderTemplate.cs
-rw-r--r-- 1 root root 4647936 Mar 30 2019 pupyx64d.dll
-rwxr-xr-x 1 root root 4643328 Mar 30 2019 pupyx64d.exe
-rw-r--r-- 1 root root 687 Mar 30 2019 pupyx64d.exp
-rw-r--r-- 1 root root 1754 Mar 30 2019 pupyx64d.lib
-rwxr-xr-x 1 root root 3832473 Mar 30 2019 pupyx64d.lin
-rwxr-xr-x 1 root root 3846987 Mar 30 2019 pupyx64d.lin.so
-rw-r--r-- 1 root root 4617728 Mar 30 2019 pupyx64.dll
-rw-r--r-- 1 root root 15255552 Mar 30 2019 pupyx64d.unc.dll
-rwxr-xr-x 1 root root 15251456 Mar 30 2019 pupyx64d.unc.exe
-rw-r--r-- 1 root root 695 Mar 30 2019 pupyx64d.unc.exp
-rw-r--r-- 1 root root 1880 Mar 30 2019 pupyx64d.unc.lib
-rwxr-xr-x 1 root root 4613120 Mar 30 2019 pupyx64.exe
-rw-r--r-- 1 root root 686 Mar 30 2019 pupyx64.exp
-rw-r--r-- 1 root root 1742 Mar 30 2019 pupyx64.lib
-rwxr-xr-x 1 root root 3713536 Mar 30 2019 pupyx64.lin
-rwxr-xr-x 1 root root 3717976 Mar 30 2019 pupyx64.lin.so
-rw-r--r-- 1 root root 15236608 Mar 30 2019 pupyx64.unc.dll
-rwxr-xr-x 1 root root 15230976 Mar 30 2019 pupyx64.unc.exe
-rw-r--r-- 1 root root 694 Mar 30 2019 pupyx64.unc.exp
-rw-r--r-- 1 root root 1790 Mar 30 2019 pupyx64.unc.lib
-rw-r--r-- 1 root root 4221440 Mar 30 2019 pupyx86d.dll
-rwxr-xr-x 1 root root 4206080 Mar 30 2019 pupyx86d.exe
-rw-r--r-- 1 root root 685 Mar 30 2019 pupyx86d.exp
-rw-r--r-- 1 root root 1762 Mar 30 2019 pupyx86d.lib
-rwxr-xr-x 1 root root 3738927 Mar 30 2019 pupyx86d.lin
-rwxr-xr-x 1 root root 3753528 Mar 30 2019 pupyx86d.lin.so
-rw-r--r-- 1 root root 4204032 Mar 30 2019 pupyx86.dll
-rw-r--r-- 1 root root 12862976 Mar 30 2019 pupyx86d.unc.dll
-rwxr-xr-x 1 root root 12833792 Mar 30 2019 pupyx86d.unc.exe
-rw-r--r-- 1 root root 693 Mar 30 2019 pupyx86d.unc.exp
-rw-r--r-- 1 root root 1888 Mar 30 2019 pupyx86d.unc.lib
-rwxr-xr-x 1 root root 4188160 Mar 30 2019 pupyx86.exe
-rw-r--r-- 1 root root 682 Mar 30 2019 pupyx86.exp
-rw-r--r-- 1 root root 1748 Mar 30 2019 pupyx86.lib
-rwxr-xr-x 1 root root 3550720 Mar 30 2019 pupyx86.lin
-rwxr-xr-x 1 root root 3554972 Mar 30 2019 pupyx86.lin.so
-rw-r--r-- 1 root root 12850176 Mar 30 2019 pupyx86.unc.dll
-rwxr-xr-x 1 root root 12821504 Mar 30 2019 pupyx86.unc.exe
-rw-r--r-- 1 root root 690 Mar 30 2019 pupyx86.unc.exp
-rw-r--r-- 1 root root 1796 Mar 30 2019 pupyx86.unc.lib
-rw-rw-r-- 1 2000 2000 47 Mar 30 2019 README.md
-rw-r--r-- 1 root root 35412885 Mar 30 2019 windows-amd64.zip
-rw-r--r-- 1 root root 33615075 Mar 30 2019 windows-x86.zip
It's more of a question than an issue again. Do you know how to get the source code for the payload templates? I did not find them anywhere in the repos, only precompiled in the releases section.