Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android), multi function RAT (Remote Administration Tool) and post-exploitation tool mainly written in python. It features a all-in-memory execution guideline and leaves very low footprint. Pupy can communicate using various transports, migrate into processes (reflective injection), load remote python code, python packages and python C-extensions from memory.
Pupy modules can transparently access remote python objects using rpyc to perform various interactive tasks. Pupy can generate payloads in multiple formats like PE executables, reflective DLLs, pure python files, powershell, apk, … When you package a payload, you can choose a launcher (connect, bind, …), a transport (ssl, http, rsa, obfs3, scramblesuit, …) and a number of “scriptlets”. Scriptlets are python scripts meant to be embedded to perform various tasks offline (without requiring a session), like starting a background script, adding persistence, starting a keylogger, detecting a sandbox, …
Features
Multi-platform (tested on windows xp, 7, 8, 10, kali linux, ubuntu, osx, android)
On windows, the Pupy payload can be compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk 🙂
pupy can also be packed into a single .py file and run without any dependencies other that the python standard library on all OS
pycrypto gets replaced by pure python aes && rsa implementations when unavailable
Pupy can reflectively migrate into other processes
Pupy can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
Pupy is easily extensible, modules are quite simple to write, sorted by os and category.
A lot of awesome modules are already implemented!
Pupy uses rpyc and a module can directly access python objects on the remote client
We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
Communication transports are modular, stackable and awesome. You could exfiltrate data using HTTP over HTTP over AES over XOR. Or any combination of the available transports !
Pupy can communicate using obfsproxy pluggable transports
All the non interactive modules can be dispatched to multiple hosts in one command
Commands and scripts running on remote hosts are interruptible
Auto-completion for commands and arguments
Custom config can be defined: command aliases, modules automatically run at connection, …
Interactive python shells with auto-completion on the all in memory remote python interpreter can be opened
Interactive shells (cmd.exe, /bin/bash, …) can be opened remotely. Remote shells on Unix & windows clients have a real tty with all keyboard signals working fine just like a ssh shell
Pupy can execute PE exe remotely and from memory (cf. ex with mimikatz)
Pupy can generate payloads in various formats : apk,lin_x86,lin_x64,so_x86,so_x64,exe_x86,exe_x64,dll_x86,dll_x64,py,pyinst,py_oneliner,ps1,ps1_oneliner,rubber_ducky
Pupy can be deployed in memory, from a single command line using pupygen.py’s python or powershell one-liners.
“scriptlets” can be embeded in generated payloads to perform some tasks “offline” without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm …)
tons of other features, check out the implemented modules
Implemented Transports
All transports in pupy are stackable. This mean that by creating a custom transport conf (pupy/network/transport//conf.py), you can make you pupy session looks like anything. For example you could stack HTTP over HTTP over base64 over HTTP over AES over obfs3 :o)
rsa
A layer with authentication & encryption using RSA and AES256, often stacked with other layers
aes
layer using a static AES256 key
ssl (the default one)
TCP transport wrapped with SSL
ssl_rsa
same as ssl but stacked with a rsa layer
http
layer making the traffic look like HTTP traffic. HTTP is stacked with a rsa layer
obfs3
A protocol to keep a third party from telling what protocol is in use based on message contents
obfs3 is stacked with a rsa layer for a better security
scramblesuit
A Polymorphic Network Protocol to Circumvent Censorship
scramblesuit is stacked with a rsa layer for a better security
udp
rsa layer but over UDP (could be buggy, it doesn’t handle packet loss yet)
other
Other layers doesn’t really have any interest and are given for code examples : (dummy, base64, XOR, …)
Implemented Modules
All platforms:
command execution
download
upload
interactive python shell with auto-completion
interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, …)
tty allocation is well supported on both windows and *nix. Just looks like a ssh shell
shellcode exec
persistence
socks5 proxy
local and remote port forwarding
screenshot
keylogger
run the awesome credential gathering tool LaZagne from memory !
sniff tools, netcreds
process migration (windows & linux, not osx yet)
…
a lot of other tools (upnp client, various recon/pivot tools using impacket remotely, …)
Windows specific :
migrate
inter process architecture injection also works (x86->x64 and x64->x86)
in memory execution of PE exe both x86 and x64!
works very well with mimitakz 🙂
webcam snapshot
microphone recorder
mouselogger:
takes small screenshots around the mouse at each click and send them back to the server
token manipulation
getsystem
creddump
tons of useful powershell scripts
…
Android specific
Text to speech for Android to say stuff out loud
webcam snapshots (front cam & back cam)
GPS tracker !
Download
