class Module(object):
def __init__(self, information, options):
self.brush = Brush()
self._information = information
self.options = options
self.args = {}
self.init_args()
def get_information(self):
return self._information
def set_value(self, name, value):
self.args[name] = value
self.options[name][0] = value
def get_value(self, option):
return self.args[option]
def get_options_dict(self):
return self.options
def get_options_names(self):
return self.options.keys()
def init_args(self):
for key, opts in self.options.items():
self.args[key] = opts[0]
def run_module(self):
raise Exception(
'ERROR: run_module method must be implemented in the child class')
def check_arguments(self):
for key, value in self.options.iteritems():
if value[2] is True and str(value[0]) == "None":
return False
return True
def print_ok(self, s):
s = "SUCCESS: " + s
self.brush.color(s, 'GREEN')
def print_ko(self, s):
s = "ERROR: " + s
self.brush.color(s, 'RED')
def print_warning(self, s):
s = "WARNING: " + s
self.brush.color(s, 'MAGENTA')
def print_info(self, s):
self.brush.color(s, 'YELLOW')
def run_binary(self, binary, args=None):
payload = binary
if args:
payload += " " + " ".join(args)
os.system(payload)
def console():
# Configuring the commpleter
comp = Completer(['load', 'set', 'show', 'run', 'back', 'quit', 'help'])
readline.set_completer_delims(' \t\n;')
readline.parse_and_bind("tab: complete")
readline.set_completer(comp.complete)
brush = Brush()
print(banners.get_banner())
brush.color(' [+]', 'YELLOW')
print ' Starting the console...'
brush.color(' [*]', 'GREEN')
print ' Console ready!\n\n'
session = None
while True:
if session is None:
user_input = raw_input(
colored('uac-a-mola> ', 'yellow', attrs=['bold'])).split()
else:
user_input = raw_input(
"uac-a-mola[" +
colored(session.header(), 'yellow', attrs=['bold']) +
"]> ").split()
if user_input == []:
continue
elif user_input[0] in CLEAR_COMMANDS:
os.system('cls')
elif user_input[0] == 'back':
session = None
elif user_input[0] in END_COMMANDS:
sys.exit(0)
elif user_input[0] == 'load':
if (len(user_input) == 1):
brush.color('[!] Please, load a module\n', 'RED')
continue
session = Session(user_input[1])
brush = Brush()
# The module is incorrect
if not (session.correct_module()):
session = None
elif user_input[0] == 'show':
if session is None:
brush.color('[!] Please, load a module\n', 'RED')
continue
session.show()
elif user_input[0] == 'set':
if session is None:
brush.color('[!] Please, load a module\n', 'RED')
continue
elif len(user_input) != 3:
brush.color('[!] Wrong number of arguments for set\n', 'RED')
continue
else:
session.set(user_input[1], user_input[2])
elif user_input[0] == 'run':
if session is None:
brush.color('[!] Please, load a module\n', 'RED')
continue
session.run()
def __init__(self, password, port):
self.password = password
self.port = port
self.agents_path = self.agents_path()
self.brush = Brush()
class CustomListener:
DEBUG_KEY = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
def __init__(self, password, port):
self.password = password
self.port = port
self.agents_path = self.agents_path()
self.brush = Brush()
def agents_path(self):
dirpath = os.path.dirname(os.path.realpath(__file__))
return str(dirpath) + "\\agents\\"
def listen(self, binlist):
"""
Listen for the execution of a list of
binaries
"""
if binlist is None or binlist == []:
print "Empty list of binaries"
return
# This module must be executed as administrator
if not admin.isUserAdmin():
print "ERROR: Please run uacamola as ADMINISTRATOR"
return
registry = Registry()
self.add_debugger(registry, binlist)
# Creating a thread that will create the listeners
create_listeners = Process(target=self._create_listeners, args=())
create_listeners.start()
# Waiting for exiting
raw_input("\n--- Press ENTER for quit mitigate mode ---\n\n")
self.del_debugger(registry, binlist)
return
def _create_listeners(self):
while True:
listener = Process(target=self._listen, args=())
listener.start()
listener.join()
def _listen(self):
""" Listen for information from a client and performs
actions related to the windows registry """
registry = Registry()
listener = Listener(('localhost', self.port), authkey=self.password)
conn = listener.accept()
msg = conn.recv()
if type(msg) is list and len(msg) == 2:
# Deleting debugger key
debug_path = self.DEBUG_KEY + msg[0]
k = registry.open_key(HKLM, debug_path)
registry.del_value(k, "debugger")
# Deleting the bad path
k = registry.open_key(HKCU, msg[1])
if k:
self.brush.color("[!!] POSSIBLE UAC BYPASS IN YOUR SYSTEM\n", 'RED')
registry.delete_key(HKCU, msg[1])
ctypes.windll.user32.MessageBoxA(
None, "UAC BYPASS DETECTADO Y MITIGADO. EJECUCION SEGURA DEL BINARIO", "PELIGRO!", 0)
os.system(msg[0])
# Setting the debugger key before breaking connection
k = registry.open_key(HKLM, debug_path)
payload = self.build_payload(msg[0][:-3] + "pyw")
registry.create_value(k,
"debugger",
payload)
print "[+] Closing the listener"
conn.close()
listener.close()
def add_debugger(self, registry, binlist):
""" Adds debugger registry key for
each of the processes in the list """
for binary in binlist:
path = self.DEBUG_KEY + binary
k = registry.open_key(HKLM, path)
if not(k):
k = registry.create_key(HKLM, path)
payload = self.build_payload(binary[:-3] + "pyw")
registry.create_value(k,
"debugger",
payload)
def del_debugger(self, registry, binlist):
""" Deletes debugger registry key for
each of the processes in the list """
for binary in binlist:
path = self.DEBUG_KEY + binary
k = registry.open_key(HKLM, path)
if not(k):
return
registry.del_value(k, "debugger")
def build_payload(self, binary):
return "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -Command \"\"\"\"& '%s%s'\"\"\"\"\"\", 0 : window.close\")" % (self.agents_path, binary)
def __init__(self, information, options):
self.brush = Brush()
self._information = information
self.options = options
self.args = {}
self.init_args()
def __init__(self, path):
self.brush = Brush()
self._module = self.instantiate_module(self.import_path(path))
self._path = path
class Session(object):
def __init__(self, path):
self.brush = Brush()
self._module = self.instantiate_module(self.import_path(path))
self._path = path
def header(self):
return self._path.split("\\")[-1]
def show(self):
self.information()
self.options()
def information(self):
info = self._module.get_information()
print ""
for key, value in info.iteritems():
self.brush.color(" %s\n" % key, 'YELLOW')
print ' ' + '-' * len(key)
print " |_%s\n" % value
def options(self):
opts = self._module.get_options_dict()
self.brush.color("\n Options (Field = Value)\n", 'YELLOW')
print " -----------------------"
flag = 0
for key, value in opts.iteritems():
flag += 1
# Parameter is mandataroy
if value[2] is True:
if str(value[0]) == "None":
if flag > 1:
print " |"
sys.stdout.write(" |_[")
self.brush.color("REQUIRED", 'RED')
sys.stdout.write("] %s" % key)
sys.stdout.write(" = %s (%s)\n" % (value[0], value[1]))
else:
if flag > 1:
print " |"
sys.stdout.write(" |_%s" % key)
sys.stdout.write(" = ")
self.brush.color("%s" % value[0], 'GREEN')
sys.stdout.write(" (% s)\n" % (value[1]))
# Parameter is optional
elif value[2] is False:
if str(value[0]) == "None":
if flag > 1:
print " |"
print " |_[OPTIONAL] %s" % key \
+ " = %s (%s)" % (value[0], value[1])
else:
if flag > 1:
print " |"
sys.stdout.write(" |_%s" % key)
sys.stdout.write(" = ")
self.brush.color("%s" % value[0], 'GREEN')
sys.stdout.write(" (% s)\n" % (value[1]))
print "\n"
def run(self):
if not (self._module.check_arguments()):
self.brush.color('[!] REQUIRED ARGUMENTS NOT SET...exiting\n',
'RED')
return
self.brush.color('[+] Running module...\n', 'GREEN')
try:
self._module.run_module()
except KeyboardInterrupt:
self.brush.color('[!] Exiting the module...\n', 'RED')
except Exception as error:
self.brush.color('[!] Error running the module:\n', 'RED')
self.brush.color(" => " + str(error), 'RED')
self.brush.color('\n[+] Module exited\n', 'GREEN')
except IndentationError as error:
self.brush.color('[!] Error running the module:\n', 'RED')
self.brush.color(" => " + str(error), 'RED')
self.brush.color('\n[+] Module exited\n', 'GREEN')
def set(self, name, value):
if name not in self._module.get_options_names():
self.brush.color('[!] Field not found\n', 'RED')
return
self._module.set_value(name, value)
def instantiate_module(self, path):
try:
print '[+] Loading module...'
m = importlib.import_module(path)
self.brush.color('[+] Module loaded!\n', 'GREEN')
return m.CustomModule()
except ImportError as error:
self.brush.color('[!] Error importing the module:\n', 'RED')
self.brush.color(" => " + str(error), 'RED')
print ""
return None
def correct_module(self):
if self._module is None:
return False
return True
def import_path(self, path):
path = path.split('\\')
path = path[path.index('modules'):]
return ".".join(path)[:-3]
def get_options(self):
return [
'set ' + key
for key, value in self._module.get_options_dict().iteritems()
]
def console():
# Configuring the commpleter
comp = Completer(['load', 'set', 'show', 'run', 'back', 'quit', 'help'])
readline.set_completer_delims(' \t\n;')
readline.parse_and_bind("tab: complete")
readline.set_completer(comp.complete)
brush = Brush()
print(banners.get_banner())
brush.color(' [+]', 'YELLOW')
print ' Starting the console...'
brush.color(' [*]', 'GREEN')
print ' Console ready!\n\n'
session = None
while True:
try:
if session is None:
user_input = raw_input(
colored('uac-a-mola> ', 'yellow', attrs=['bold'])).split()
else:
user_input = raw_input(
"uac-a-mola[" +
colored(session.header(), 'yellow', attrs=['bold']) +
"]> ").split()
if user_input == []:
continue
elif user_input[0] in CLEAR_COMMANDS:
os.system('cls')
elif user_input[0] == 'back':
session = None
elif user_input[0] in END_COMMANDS:
os._exit(-1)
elif user_input[0] == 'load':
if (len(user_input) == 1):
brush.color('[!] Please, load a module\n', 'RED')
continue
session = Session(user_input[1])
brush = Brush()
# The module is incorrect
if not (session.correct_module()):
session = None
elif user_input[0] == 'show':
if session is None:
brush.color('[!] Please, load a module\n', 'RED')
continue
session.show()
elif user_input[0] == 'set':
if session is None:
brush.color('[!] Please, load a module\n', 'RED')
continue
elif len(user_input) < 3:
brush.color('[!] Please, assigns a value\n', 'RED')
continue
elif len(user_input) > 3:
data = " ".join(user_input[2:])
else:
data = user_input[2]
session.set(user_input[1], data)
elif user_input[0] == 'run':
if session is None:
brush.color('[!] Please, load a module\n', 'RED')
continue
session.run()
except KeyboardInterrupt:
print("[-] Closing")
break
except Exception as e:
print(e)