Android Frameworks Shell Vulnerability scanner Windows

Pupy – Remote Administration Tool

Written by Mubassir patel


Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in python. It features an all-in-memory execution guideline and leaves the very low footprint. Pupy can communicate using various transports, migrate into processes (reflective injection), load remote python code, python packages and python C-extensions from memory.
This tool modules can transparently access remote python objects using rpyc to perform various interactive tasks.
This tool can generate payloads in multiple formats like PE executables, reflective DLLs, pure python files, PowerShell, apk


git clone pupy
cd pupy
git submodule init
git submodule update
pip install -r pupy/requirements.txt
tar xvf payload_templates.txz && mv payload_templates/* pupy/payload_templates/ && rm payload_templates.txz && rm -r payload_templates


  • Multi-platform (tested on Windows XP, 7, 8, 10, Kali Linux, ubuntu, osx, android)
  • On windows, the Pupy payload can be compiled as a reflective DLL and the whole Python interpreter is loaded from memory. Pupy does not touch the disk 🙂
  • pupy can also be packed into a single .py file and run without any dependencies other that the python standard library on all OS
    • pycrypto gets replaced by pure python aes && RSA implementations when unavailable
  • This can reflectively migrate into other processes
  • This tool can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
  • Pupy is easily extensible, modules are quite simple to write, sorted by os and category.
  • A lot of awesome modules are already implemented!

Implemented Transports

All transports in pupy are stackable. This mean that by creating a custom transport conf (pupy/network/transport/<transport_name>/, you can make you pupy session looks like anything. For example you could stack HTTP over HTTP over base64 over HTTP over AES over obfs3 :o)

Implemented Launchers (not up to date, cf. ./ -h)

Launchers allow pupy to run custom actions before starting the reverse connection

  • connect
    • Just connect back
  • bind
    • Bind payload instead of the reverse
  • auto_proxy
    • Retrieve a list of possible SOCKS/HTTP proxies and try each one of them. Proxy retrieval methods are: registry, WPAD requests, gnome settings, HTTP_PROXY env variable

Implemented Modules (not up to date)

All platforms:

  • command execution
  • download
  • upload
  • interactive python shell with auto-completion
  • interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash
  • shellcode exec
  • persistence
  • socks5 proxy
  • local and remote port forwarding
  • screenshot
  • keylogger
  • run the awesome credential gathering tool LaZagne from memory
  • sniff tools, netcreds
  • process migration (Windows & Linux, not osx yet)
  • a lot of other tools (UPnP client, various recon/pivot tools using impacket remotely, …)

Read This: RoxySploit: Best hacking Tools

Windows specific :

  • migrate
    • interprocess architecture injection also works (x86->x64 and x64->x86)
  • in memory execution of PE exe both x86 and x64!
  • webcam snapshot
  • microphone recorder
  • mouse-logger:
    • takes small screenshots around the mouse at each click and send them back to the server
  • token manipulation
  • get system
  • creddump
  • tons of useful PowerShell scripts

Android specific

  • Text to speech for Android to say stuff out loud
  • webcam snapshots (front cam & back cam)
  • GPS tracker!


About the author

Mubassir patel

Mubassir is a founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and including all technology topic.

Leave a Comment