Friendly like a Pony, Mighty like a Knight
Pwny is an implementation of an advanced payload written in pure C and designed for portability and extensibility.
This repository contains Pwny, which is supposed to work on macOS, Linux, Windows and iOS, but can be ported to almost every POSIX system. Pwny is optimized to work with or without HatSploit Framework.
- Portable C code, that can be compiled for a big range of targets.
- Support for macOS, Linux, Windows and iOS targets.
- Small executable with low resource utilization optimized for embedded systems.
- Dynamically-extendable, supports loading plugins which extend its functionality.
- Evasion techniques such as process migration and in-memory loading.
To install Pwny you simply need to install HatSploit Framework and this will make Pwny available automatically.
pip3 install git+https://github.com/EntySec/HatSploit
Building dependencies:
make TARGET=<target>
NOTE: For macOS / iOS targets you will need to set SDK
to the desired SDK path before running make
. For example:
make TARGET=<target> SDK=<path>
You can find list of supported TARGET
values for different platforms.
Linux
aarch64-linux-musl
armv5l-linux-musleabi
armv5b-linux-musleabi
i486-linux-musl
x86_64-linux-musl
powerpc-linux-muslsf
powerpc64le-linux-musl
mips-linux-muslsf
mipsel-linux-muslsf
mips64-linux-musl
s390x-linux-musl
Windows
x86_64-w64-mingw32
x86_64-w64-mingw32
macOS / iOS
arm-iphone-darwin
aarch64-iphone-darwin
i386-apple-darwin
x86_64-apple-darwin
aarch64-apple-darwin
Building sources:
cmake -DCMAKE_TOOLCHAIN_FILE=<toolchain> -B build
cmake --build build
NOTE: For macOS / iOS targets you will need to set CMAKE_OSX_SYSROOT
to the desired SDK path with -D
. For example:
cmake -DCMAKE_TOOLCHAIN_FILE=<toolchain> -DCMAKE_OSX_SYSROOT=<path> -B build
NOTE: Toolchains are located at toolchain/cmake/
.
These are other cmake
build options:
MAIN
- Should beON
if you want to build a source file to executable.SOURCE
- Custom executable source file (default are insrc/main/
).DEBUG
- Should beON
if you want to build Pwny in debug mode.BUNDLE
- Build as bundle (macOS specific flag, adds-bundle
)
To use Pwny and build payloads you should import it to your source.
from pwny import Pwny
from pwny.session import PwnySession
Pwny
- Pwny utilities, mostly for generating payloads.PwnySession
- Wrapper forHatSploitSession
for Pwny, HatSploit should use it with Pwny payload.
Pwny is an advanced payload that may be loaded in-memory, so all you need to do is to build Pwny, place the DLL (for Windows) or executable (for other OS) to pwny/templates/<target>.bin
and then generate the loader from payloads/
. After this, all you need to do is to set up the listener on attacker's machine and execute the generated loader on the target.
You can find examples of listeners at examples/
.
NOTE: To generate loader, you should use hsfgen
, just make sure that payload is either <platform>/<arch>/pwny_reverse_tcp
or <platform>/<arch>/pwny_bind_tcp
.
To test Pwny, simply compile src/main/test.c
(do not forget to change host and port in it) and then execute examples/listener.py
on attacker and compiled Pwny on target with command-line arguments like <host> <port>
.
NOTE: No loader is needed for testing, do not overcomplicate it! To disable in-memory loading add loader=False
to open()
in examples/listener.py
.
- SeaShell Framework - iOS post-exploitation framework that enables you to access the device remotely, control it and extract sensitive information. SeaShell actively uses Pwny implant to communicate with iOS.
The code provided in this repository has not yet been prepared for use in a production environment. It can be improved, so any contribution is welcome. You can even experience memory leaks, so we'll be glad to accept every single PR which is fixing a potential issue.