alxchk / pupy

This project forked from n1nj4sec/pupy


OpenSource cross-platform python security toolkit (remote shell)

License: Other

Python 79.86% Shell 0.71% C 13.91% Makefile 0.83% C++ 2.63% HTML 0.05% JavaScript 0.06% Go 1.07% C# 0.83% Ruby 0.06%


pupy's Issues

Most commands fail with <type 'int'> is not allowed for map key

Most commands fail with <type 'int'> is not allowed for map key.
It seems to be related only to the Pupy host.

Examples:

>> run ls
[-] <type 'int'> is not allowed for map key
>> netstat
2020-02-24 13:39:53,090| <type 'int'> is not allowed for map key
Traceback (most recent call last):
  File "/home/user/pupy/pupy/modules/netstat.py", line 42, in run
    'pupyps', 'families'
  File "/home/user/pupy/pupy/pupylib/PupyClient.py", line 274, in remote_const
    remote_variable = obtain(getattr(self.conn.modules[module], variable))
  File "/home/user/pupy/pupy/pupylib/utils/rpyc_utils.py", line 63, in obtain
    return safe_obtain(proxy)
  File "/home/user/pupy/pupy/pupylib/utils/rpyc_utils.py", line 51, in safe_obtain
    data = msgpack.loads(data)
  File "/home/user/.local/lib/python2.7/site-packages/msgpack/fallback.py", line 129, in unpackb
    ret = unpacker._unpack()
  File "/home/user/.local/lib/python2.7/site-packages/msgpack/fallback.py", line 666, in _unpack
    "%s is not allowed for map key" % str(type(key))
ValueError: <type 'int'> is not allowed for map key

Any ideas?
Maybe it is related to wrong Python package/module versions? Is there a pip-freeze file somewhere for reference?

Steps to reproduce:

  1. git checkout -f b1e2b72
  2. client/build-docker.sh windows sources
  3. pupy/pupysh.sh

Build environment: Debian 9.7 using build-docker.sh for revision b1e2b72. Also tested on older versions, with no success: same error.
Pupy host: Debian 9.7
Pupy client: Windows 10 1803 x64.

>> info
hostname       win10vm
user           WIN10VM\user
release        10
version        10.0.17763
cmdline        pupyx64d.x4QMEe.exe
os_arch        AMD64
proc_arch      64bit
pid            2444
exec_path      C:\temp\pupyx64d.x4QMEe.exe
cid            000000008ba4f97c
address        192.168.56.101
macaddr        xxx
revision       b1e2b729
node           0800278caf68
debug_logfile  c:\users\user\appdata\local\temp\pupy-ckrr5p\pupy-client-1582456462-2444-debug.log
native         True
proxy          wpad
external_ip    ?
uac_lvl        2/3
intgty_lvl     Medium
local_adm      Yes
launcher       connect
launcher_args  -t ssl -c 192.168.56.106:8443 --host 172.18.0.2:8443
platform       windows/amd64

DNSCNC Question

Hi,

I finally got the dnscnc option working here, but I have a question regarding the exec/pyexec module. Is it only possible to specify an executable from a URL to be executed? Can't I just execute single commands? The URL parameter seems to be required here.

Is it planned to update the dnscnc capabilities in the future?

Greetings

Invalid Module: changeme

Hi,

Lately, when I git-pull, I get this error when I launch pupysh:

[-] Invalid module: changeme at (/usr/share/pupy/pupy/modules/changeme.py): No module named load_creds. Traceback:
  File "/usr/share/pupy/pupy/pupylib/PupyServer.py", line 812, in _refresh_modules
    module_object = imp.load_source(modname, modpath)
  File "/usr/share/pupy/pupy/modules/changeme.py", line 7, in <module>
    from pupylib.utils.changeme.load_creds import Credentials as changeme_creds

Documentation

Hi @alxchk,

Could you please write documentation for the pupy project?
It would help so many others developing it in the future.

The usage, I think, is clear. What would be interesting is the architecture:
how modules are transferred and executed, how the connection is established, and so on.

Thanks in advance.

Async keyword used for function parameters

(pupy) root@kali:/opt/pupy/pupy# python3 pupysh.py
Traceback (most recent call last):
  File "pupysh.py", line 104, in <module>
    import pupylib.PupySignalHandler
  File "/opt/pupy/pupy/pupylib/__init__.py", line 27, in <module>
    from .PupyCredentials import Credentials
  File "/opt/pupy/pupy/pupylib/PupyCredentials.py", line 24, in <module>
    from network.lib.transports.cryptoutils import ECPV
  File "/opt/pupy/pupy/network/lib/__init__.py", line 45, in <module>
    from .servers import PupyTCPServer, PupyUDPServer
  File "/opt/pupy/pupy/network/lib/servers.py", line 26, in <module>
    from network.lib.connection import PupyConnection, PupyConnectionThread
  File "/opt/pupy/pupy/network/lib/connection.py", line 441
    def _send_request(self, handler, args, async=None):

start-compose.sh takes considerable time to start if no internet (by default)

Hello,

I would like to note that if the workstation has no access to the Internet when you run ./start-compose.sh, the pupy shell takes a long time (a few minutes) before it is given to the user.

If allow_requests_to_external_services is set to false in pupy.conf, this problem no longer occurs.

Perhaps allow_requests_to_external_services should be set to false by default?

Thank you for this project,

No handlers could be found for logger "pupy.network"

I get this error when I launch pupygen.py or pupysh.py:

No handlers could be found for logger "pupy.network"
Traceback (most recent call last):
  File "pupygen.py", line 14, in <module>
    from pupylib.utils.network import get_listener_ip, get_listener_port
  File "/usr/share/pupy/pupy/pupylib/__init__.py", line 18, in <module>
    from PupyService import *
  File "/usr/share/pupy/pupy/pupylib/PupyService.py", line 28, in <module>
    from pupylib.PupyCredentials import Credentials
  File "/usr/share/pupy/pupy/pupylib/PupyCredentials.py", line 17, in <module>
    from network.lib.picocmd.ecpv import ECPV
  File "/usr/share/pupy/pupy/network/lib/picocmd/__init__.py", line 2, in <module>
    from .client import *
  File "/usr/share/pupy/pupy/network/lib/picocmd/client.py", line 31, in <module>
    from ecpv import ECPV
  File "/usr/share/pupy/pupy/network/lib/picocmd/ecpv.py", line 11, in <module>
    from Crypto.Hash import SHA1, SHA3_256, SHA3_512
  File "/usr/share/pupy/local/lib/python2.7/site-packages/Crypto/Hash/SHA1.py", line 23, in <module>
    from Crypto.Util._raw_api import (load_pycryptodome_raw_lib,
  File "/usr/share/pupy/local/lib/python2.7/site-packages/Crypto/Util/_raw_api.py", line 32, in <module>
    from Crypto.Util.py3compat import byte_string
ImportError: cannot import name byte_string

Docker does not listen on port 9000

Hello,

I think that in docker-compose.yml, port 9000 should be accessible by default, for example via:

[...]
    volumes:
      - ${PUPY}:/opt/pupy
      - ${WORKDIR}:/project
    ports:
      - 8443:8443
      - 9000:9000
[...]

In the current configuration, only port 8443 is accessible.

Thank you,

on_connect settings

Another question I have is regarding the on_connect running of commands: how can I run, for example, keylogger start on any new client that is connecting? I managed to do it, but the problem is that

[on_connect]
any_1 = keylogger start

will start the keylogger on all clients even when it's already started. I am trying to find out if there is a way to activate it only on new clients that are connecting.

That being said, not sure if it's related or not, but I noticed that after a while I get duplicated lines in the keylogger: for example, if I write hello, I see it in the log file as hhheeellllllooo. I suspect it's because the keylogger was restarting over and over, as in my previous question. Is there a way to fix this once it has happened? Like how to "reset" the keylogger so it starts printing normally again.

Best regards,
Marco.

Bug in rdesktop module

Hello,

It seems there is a bug in the rdesktop module.

When you try to connect to the given URL (e.g. http://127.0.0.1:9000/Y2Di4MxAuq), there is the following error:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/tornado/http1connection.py", line 238, in _read_message
    delegate.finish()
  File "/usr/local/lib/python2.7/dist-packages/tornado/routing.py", line 256, in finish
    self.delegate.finish()
  File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 2195, in finish
    self.execute()
  File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 2215, in execute
    **self.handler_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 194, in __init__
    self.initialize(**kwargs)
  File "/opt/pupy/modules/rdesktop.py", line 126, in initialize
    super(IndexHandler, self).initialize(**kwargs)
TypeError: super(type, obj): obj must be an instance or subtype of type
2020-01-10 15:33:05,881| Uncaught exception

Moreover, I have noticed that the local_ips parameter is missing from the pupy.conf file.
It would be great if it were set to "local_ips = 127.0.0.1" by default, for example.
Indeed, the user has to change this parameter to his host IP address if he uses ./start-compose.sh (docker).

Thank you,

Persistence broken

Persistence is broken on Windows 7 x86 (I have not tested other versions of Windows).

Here is the output from attempting to run the persistence module from an admin process:

>> persistence -e '/opt/pupy/pupy.exe' -m wmi
ERROR:root:global name 'expandvars' is not defined
Traceback (most recent call last):
  File "/opt/pupy/pupylib/PupyJob.py", line 165, in module_worker
    module.run(self.args)
  File "/opt/pupy/modules/persistence.py", line 62, in run
    self.windows(args)
  File "/opt/pupy/modules/persistence.py", line 167, in windows
    remotefile = expandvars(
NameError: global name 'expandvars' is not defined
[-] global name 'expandvars' is not defined

Questions about modules

Hi,

I have some questions regarding a few modules. If you added them, it may be for a good reason that I cannot see right now. I don't want to modify/delete them, just to understand their goal and when you use them (out of curiosity).

  • usniper: do you do reverse engineering by tracing some function calls on a remote host? Or in which case would you use it? Moreover, I see that you retrieve the result from the trace_pipe file, whereas in the doc I see that it's located at /sys/kernel/debug/tracing/trace.

  • exposed: the command returns all functions callable from the client. Is it for debugging purposes, or are they useful for something?

  • display: I don't know exactly how it works. If I have understood correctly, using the magic cookie it is possible to connect to an X11 server (I didn't know of the existence of that cookie), but I didn't find an easy example to understand how it works; if you could help me with that, it would be nice. On my desk, the display module works for the root user but fails for an unprivileged user. It retrieves the path of the file but cannot open it ([Errno 13] Permission denied: '/var/run/lightdm/root/:0'). However, it can be found in the home of the current user without any specific privilege needed, and the content is the same (diff /var/run/lightdm/root/:0 /home/test/.Xauthority).

  • alive: I wanted to implement a module like Cobalt Strike does with its sleep command: it puts the client to sleep for a chosen period of time, which reduces the network traffic during that time. When the sleep is over, the client connects back to us. At first, I thought the alive module implemented this feature when I saw 'ping' and 'timeout', but no, I was wrong. I don't understand very well how it works.

Thanks a lot for helping me better understand some unclear points.

Syntax to connect to bind payload from pupysh.py?

Having done some initial testing with the latest docker pull, I have noticed some really poor documentation for how to use the bind payload.

I have generated a payload targeting x86 Windows, which I then deployed in a VM. Following that, I attempted to decipher how to use the connect command from pupysh.py.

Just typing "connect" at the prompt yields the following:

>> connect
[-] connect: too few arguments
usage: connect [-h] args

Typing connect -h shows this:

connect -h
usage: connect [-h] args

Connect to the bind payload

positional arguments:
  args        Arguments to connect

optional arguments:
  -h, --help  show this help message and exit

Seeing as this is equally unhelpful, I tried typing "connect" followed by the <ip:port>. (In this case, 127.0.0.1:80 is an example. This is not actually what I am connecting to.)

>> connect 127.0.0.1:80
usage: connect [-h] --host <host:port>
               [-t {obfs3,http,ssl,ecm,tcp_cleartext,rsa,udp_secure,kc4,ec4,scramblesuit,websocket,udp_cleartext,ssl_rsa}]
               ...

I then tried the following:

>> connect --host 127.0.0.1:80 -t ssl
[-] connect: unrecognized arguments: --host -t ssl
usage: connect [-h] args

It seems that specifying any flags besides -h throws the above error.

Is the bind payload actually implemented? Doing ps and netstat -a on the target VM seem to indicate that it is listening on the port specified.

It seems like this is a matter of poor documentation rather than an error. What is the correct syntax for using the connect command? Is there another way to connect to a bind payload?

Python client cannot run anything in memory

Hi,

Great work. I have a question: when I am building (py/pyinst/py_oneliner), I noticed I can't use a lot of modules, especially
those running in memory, for example (mimikatz, duplicate, migrate).
Is it possible to implement it, or is there a reason why it's not possible?

thank you.
Marco

Python in memory script load question

Hey,

I'm currently trying to find ways of reflectively loading Python compiled binaries into memory on a Windows host, but until now I was not able to get this working successfully. Pupy does exactly this, for example with lazagne.py. I browsed the code to find the technique for it but could not find it so far. So could you tell me how pupy loads and executes the Python code in memory? Is the Python interpreter embedded in the pupy agent/client?

What I tried so far:

  1. Use Invoke-ReflectivePEInjection (PowerShell) / PEloader by Subtee (C#) to load the bytes of a pyinstaller-compiled Python exe in memory. I'm pretty sure this is not working because only C/C++ compiled binaries can be loaded by these scripts, because of the binary structure.

  2. Convert the Python code to a CPython executable using Nuitka. The Python code is then embedded in C code which is compiled to a binary. The compiled binary works pretty well and is a C binary, but this one is still not reflectively loadable by Invoke-ReflectivePEInjection / C# PEloader. The needed DLL files are located and loaded successfully, but the binary itself is not executed in memory. There are no error messages, which makes debugging harder. For Invoke-ReflectivePEInjection, the whole PowerShell process is killed after loading the executable, most likely a crash.

  3. Convert the Nuitka-created CPython executable to shellcode via donut or PE2Shellcode and try to load the shellcode in memory via different techniques. No successful execution either.

  4. I had the idea to build a .DLL file from the Python code to embed this in, for example, a C# file.

Greetings

how to compile the new nextgen payload_templates

Hi,

Does anyone know/understand how to compile the new pupy@nextgen payload_templates?
I try to run client/build-docker.sh without luck:
Unable to find image 'n1nj4sec/tc-windows-py3:latest' locally
docker: Error response from daemon: pull access denied for n1nj4sec/tc-windows-py3, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.

Pupy history disappears

Hi,
While I try to open a shell, I see that the pupy history is being wiped.

How can I cancel this behavior?

Thanks.

Issues installing kcp

Steps to set up the environment:

```bash
#!/bin/bash

echo "Removing pupy virtual env"
rm -rf /opt/environments/pupy/
echo "Building pupy virtual env"
virtualenv /opt/environments/pupy
echo "Activating environment"
source /opt/environments/pupy/bin/activate

echo "Removing pupy source"
rm -rf /opt/pupy

echo "cloning source code"
# clone into /opt/pupy explicitly so the cd below works from any directory
git clone --recurse-submodule https://github.com/alxchk/pupy.git /opt/pupy

cd /opt/pupy/pupy
git checkout futurize

pip install -r requirements.txt
```

Error snippet during install:

error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
ERROR: Command errored out with exit status 1: /opt/environments/pupy/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/opt/pupy/pupy/external/pykcp/setup.py'"'"'; __file__='"'"'/opt/pupy/pupy/external/pykcp/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' develop --no-deps Check the logs for full command output.

@jayrod

Install fails with error: Failed building wheel for M2Crypto

I have followed the installation steps from here. Everything works fine up until I try to run pip install -r requirements.txt. After pip downloads all the dependencies, it fails with the error in the title.

The full log can be found here:
https://gist.github.com/Strazzom/c9b1859afd6e478b505e8310f88d8ae7

This is using the same environment as in issue #1, minus the fact that it is not running in a docker container.

I have tried the following to correct the issue. Neither worked:

  1. Installed libssl-dev from apt. This did not fix the issue, so I uninstalled it with --purge.

  2. pip uninstall m2crypto. It was not installed. I then installed from the Debian repositories with apt install python-m2crypto. My reasoning was based on the following:

There is (was?) known issue with Debian/M2Crypto, so in case something related to M2Crypto will cause exceptions just uninstall one from pip and install one which is shipped with distro.

This is quoted from issue #619 in the main branch.

I will keep testing and update this issue with progress.

Impossible to generate a valid .exe. Problem with payloads ?

Hello,

I am using pupy over docker:

git clone --recursive https://github.com/alxchk/pupy
./install.sh
./start-compose.sh

I'm trying to generate a working .exe, but it has been impossible so far.

For example, when I try to generate an .exe with one of the following commands, the binary crashes:

gen -f client --debug
en -f client --debug
gen -f client  connect --host 192.0.1.103:8443

I don't know if I'm making a mistake, but it seems the binary payloads are invalid.

Where can I find the last generated payloads (exe, for example)?
Or how can I generate payloads from the docker?

Thank you in advance

payload_templates Template error

The generated file is wrong.
git clone https://github.com/n1nj4sec/pupy

The previous payload template is used:

root# /root/.config/pupy/output/pupyx64d-37.rgQkgd.lin
TEMPLATE REV:

root# ls -al payload_templates
total 307660
drwxr-xr-x 2 root root 4096 Dec 8 2019 .
drwxr-xr-x 15 root root 4096 Nov 6 11:24 ..
-rw-r--r-- 1 root root 0 Dec 8 2019 .keep
-rw-r--r-- 1 root root 25425111 Mar 30 2019 linux-amd64.zip
-rw-r--r-- 1 root root 25373615 Mar 30 2019 linux-x86.zip
-rw-r--r-- 1 root root 17661630 Mar 30 2019 pupy.apk
-rw-rw-r-- 1 2000 2000 31514 Mar 30 2019 PupyLoaderTemplate.cs
-rw-r--r-- 1 root root 4647936 Mar 30 2019 pupyx64d.dll
-rwxr-xr-x 1 root root 4643328 Mar 30 2019 pupyx64d.exe
-rw-r--r-- 1 root root 687 Mar 30 2019 pupyx64d.exp
-rw-r--r-- 1 root root 1754 Mar 30 2019 pupyx64d.lib
-rwxr-xr-x 1 root root 3832473 Mar 30 2019 pupyx64d.lin
-rwxr-xr-x 1 root root 3846987 Mar 30 2019 pupyx64d.lin.so
-rw-r--r-- 1 root root 4617728 Mar 30 2019 pupyx64.dll
-rw-r--r-- 1 root root 15255552 Mar 30 2019 pupyx64d.unc.dll
-rwxr-xr-x 1 root root 15251456 Mar 30 2019 pupyx64d.unc.exe
-rw-r--r-- 1 root root 695 Mar 30 2019 pupyx64d.unc.exp
-rw-r--r-- 1 root root 1880 Mar 30 2019 pupyx64d.unc.lib
-rwxr-xr-x 1 root root 4613120 Mar 30 2019 pupyx64.exe
-rw-r--r-- 1 root root 686 Mar 30 2019 pupyx64.exp
-rw-r--r-- 1 root root 1742 Mar 30 2019 pupyx64.lib
-rwxr-xr-x 1 root root 3713536 Mar 30 2019 pupyx64.lin
-rwxr-xr-x 1 root root 3717976 Mar 30 2019 pupyx64.lin.so
-rw-r--r-- 1 root root 15236608 Mar 30 2019 pupyx64.unc.dll
-rwxr-xr-x 1 root root 15230976 Mar 30 2019 pupyx64.unc.exe
-rw-r--r-- 1 root root 694 Mar 30 2019 pupyx64.unc.exp
-rw-r--r-- 1 root root 1790 Mar 30 2019 pupyx64.unc.lib
-rw-r--r-- 1 root root 4221440 Mar 30 2019 pupyx86d.dll
-rwxr-xr-x 1 root root 4206080 Mar 30 2019 pupyx86d.exe
-rw-r--r-- 1 root root 685 Mar 30 2019 pupyx86d.exp
-rw-r--r-- 1 root root 1762 Mar 30 2019 pupyx86d.lib
-rwxr-xr-x 1 root root 3738927 Mar 30 2019 pupyx86d.lin
-rwxr-xr-x 1 root root 3753528 Mar 30 2019 pupyx86d.lin.so
-rw-r--r-- 1 root root 4204032 Mar 30 2019 pupyx86.dll
-rw-r--r-- 1 root root 12862976 Mar 30 2019 pupyx86d.unc.dll
-rwxr-xr-x 1 root root 12833792 Mar 30 2019 pupyx86d.unc.exe
-rw-r--r-- 1 root root 693 Mar 30 2019 pupyx86d.unc.exp
-rw-r--r-- 1 root root 1888 Mar 30 2019 pupyx86d.unc.lib
-rwxr-xr-x 1 root root 4188160 Mar 30 2019 pupyx86.exe
-rw-r--r-- 1 root root 682 Mar 30 2019 pupyx86.exp
-rw-r--r-- 1 root root 1748 Mar 30 2019 pupyx86.lib
-rwxr-xr-x 1 root root 3550720 Mar 30 2019 pupyx86.lin
-rwxr-xr-x 1 root root 3554972 Mar 30 2019 pupyx86.lin.so
-rw-r--r-- 1 root root 12850176 Mar 30 2019 pupyx86.unc.dll
-rwxr-xr-x 1 root root 12821504 Mar 30 2019 pupyx86.unc.exe
-rw-r--r-- 1 root root 690 Mar 30 2019 pupyx86.unc.exp
-rw-r--r-- 1 root root 1796 Mar 30 2019 pupyx86.unc.lib
-rw-rw-r-- 1 2000 2000 47 Mar 30 2019 README.md
-rw-r--r-- 1 root root 35412885 Mar 30 2019 windows-amd64.zip
-rw-r--r-- 1 root root 33615075 Mar 30 2019 windows-x86.zip

Payload Templates

It's more a question than an issue again. Do you know how to get the source code for the payload templates? I did not find them anywhere in the repos, only precompiled in the releases section.
